Auto commit, 1 new patch{es}.
[thirdparty/grsecurity-scrape.git] / test / grsecurity-2.2.2-2.6.32.46-201110061013.patch
1 diff -urNp linux-2.6.32.46/arch/alpha/include/asm/elf.h linux-2.6.32.46/arch/alpha/include/asm/elf.h
2 --- linux-2.6.32.46/arch/alpha/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
3 +++ linux-2.6.32.46/arch/alpha/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
4 @@ -91,6 +91,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
5
6 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
7
8 +#ifdef CONFIG_PAX_ASLR
9 +#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
10 +
11 +#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
12 +#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
13 +#endif
14 +
15 /* $0 is set by ld.so to a pointer to a function which might be
16 registered using atexit. This provides a mean for the dynamic
17 linker to call DT_FINI functions for shared libraries that have
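Review bot: The three added PAX_* macros test `current->personality & ADDR_LIMIT_32BIT ? a : b` without parentheses around the mask test, while the ARM elf.h hunk in this same patch writes `((cond) ? a : b)`. The precedence is correct as written, but `((current->personality & ADDR_LIMIT_32BIT) ? 14 : 28)` reads unambiguously and matches the other architecture. The values 14/28/19 and the two base addresses also have no comment; a one-line comment stating what the `_LEN` values count and why the 32-bit personality gets the smaller ones would help the next reader audit them.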
18 diff -urNp linux-2.6.32.46/arch/alpha/include/asm/pgtable.h linux-2.6.32.46/arch/alpha/include/asm/pgtable.h
19 --- linux-2.6.32.46/arch/alpha/include/asm/pgtable.h 2011-03-27 14:31:47.000000000 -0400
20 +++ linux-2.6.32.46/arch/alpha/include/asm/pgtable.h 2011-04-17 15:56:45.000000000 -0400
21 @@ -101,6 +101,17 @@ struct vm_area_struct;
22 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
23 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
24 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
25 +
26 +#ifdef CONFIG_PAX_PAGEEXEC
27 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
28 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
29 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
30 +#else
31 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
32 +# define PAGE_COPY_NOEXEC PAGE_COPY
33 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
34 +#endif
35 +
36 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
37
38 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
39 diff -urNp linux-2.6.32.46/arch/alpha/kernel/module.c linux-2.6.32.46/arch/alpha/kernel/module.c
40 --- linux-2.6.32.46/arch/alpha/kernel/module.c 2011-03-27 14:31:47.000000000 -0400
41 +++ linux-2.6.32.46/arch/alpha/kernel/module.c 2011-04-17 15:56:45.000000000 -0400
42 @@ -182,7 +182,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
43
44 /* The small sections were sorted to the end of the segment.
45 The following should definitely cover them. */
46 - gp = (u64)me->module_core + me->core_size - 0x8000;
47 + gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
48 got = sechdrs[me->arch.gotsecindex].sh_addr;
49
50 for (i = 0; i < n; i++) {
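Review bot: The retained comment above the changed line still says the small sections "were sorted to the end of the segment", but `gp` is now computed from `me->module_core_rw + me->core_size_rw`. That is only right if the section layout code places the small-data sections at the end of the RW region, which is not visible in this hunk. I would update the comment to say so, e.g. `/* The small sections were sorted to the end of the RW part of the core; gp must point into that part. */`, and confirm it against the layout code. apply_relocate_add() starts and ends outside the hunk.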
51 diff -urNp linux-2.6.32.46/arch/alpha/kernel/osf_sys.c linux-2.6.32.46/arch/alpha/kernel/osf_sys.c
52 --- linux-2.6.32.46/arch/alpha/kernel/osf_sys.c 2011-08-09 18:35:28.000000000 -0400
53 +++ linux-2.6.32.46/arch/alpha/kernel/osf_sys.c 2011-06-13 17:19:47.000000000 -0400
54 @@ -1172,7 +1172,7 @@ arch_get_unmapped_area_1(unsigned long a
55 /* At this point: (!vma || addr < vma->vm_end). */
56 if (limit - len < addr)
57 return -ENOMEM;
58 - if (!vma || addr + len <= vma->vm_start)
59 + if (check_heap_stack_gap(vma, addr, len))
60 return addr;
61 addr = vma->vm_end;
62 vma = vma->vm_next;
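Review bot: `addr = vma->vm_end` two lines below the new test is only safe if `check_heap_stack_gap()` returns non-zero for a NULL `vma`, as the replaced `!vma || addr + len <= vma->vm_start` did; the helper's definition is not in view here. That contract should be stated at the call site or on the helper, e.g. `/* check_heap_stack_gap() must treat vma == NULL as "range is free" */`. The same substitution is made in arch/arm/mm/mmap.c and arch/frv/mm/elf-fdpic.c. The frv `for (; vma; ...)` loops already guarantee a non-NULL vma, but the `find_vma()` hint paths there and on ARM do not. arch_get_unmapped_area_1() continues outside the hunk.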
63 @@ -1208,6 +1208,10 @@ arch_get_unmapped_area(struct file *filp
64 merely specific addresses, but regions of memory -- perhaps
65 this feature should be incorporated into all ports? */
66
67 +#ifdef CONFIG_PAX_RANDMMAP
68 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
69 +#endif
70 +
71 if (addr) {
72 addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
73 if (addr != (unsigned long) -ENOMEM)
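Review bot: The unbraced `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))` inside the `#ifdef` takes the following `if (addr) { ... }` as its body, with a blank line between the two, so the control flow differs between configurations in a way that is easy to miss. Any statement later inserted between them would become the conditional body only in CONFIG_PAX_RANDMMAP builds. At minimum drop the blank line and add a comment such as `/* RANDMMAP: ignore the caller's address hint, the block below is skipped */`. The identical construct appears in the first hunk of arch/arm/mm/mmap.c. The function body continues outside the hunk.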
74 @@ -1215,8 +1219,8 @@ arch_get_unmapped_area(struct file *filp
75 }
76
77 /* Next, try allocating at TASK_UNMAPPED_BASE. */
78 - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
79 - len, limit);
80 + addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
81 +
82 if (addr != (unsigned long) -ENOMEM)
83 return addr;
84
85 diff -urNp linux-2.6.32.46/arch/alpha/mm/fault.c linux-2.6.32.46/arch/alpha/mm/fault.c
86 --- linux-2.6.32.46/arch/alpha/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
87 +++ linux-2.6.32.46/arch/alpha/mm/fault.c 2011-04-17 15:56:45.000000000 -0400
88 @@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *
89 __reload_thread(pcb);
90 }
91
92 +#ifdef CONFIG_PAX_PAGEEXEC
93 +/*
94 + * PaX: decide what to do with offenders (regs->pc = fault address)
95 + *
96 + * returns 1 when task should be killed
97 + * 2 when patched PLT trampoline was detected
98 + * 3 when unpatched PLT trampoline was detected
99 + */
100 +static int pax_handle_fetch_fault(struct pt_regs *regs)
101 +{
102 +
103 +#ifdef CONFIG_PAX_EMUPLT
104 + int err;
105 +
106 + do { /* PaX: patched PLT emulation #1 */
107 + unsigned int ldah, ldq, jmp;
108 +
109 + err = get_user(ldah, (unsigned int *)regs->pc);
110 + err |= get_user(ldq, (unsigned int *)(regs->pc+4));
111 + err |= get_user(jmp, (unsigned int *)(regs->pc+8));
112 +
113 + if (err)
114 + break;
115 +
116 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
117 + (ldq & 0xFFFF0000U) == 0xA77B0000U &&
118 + jmp == 0x6BFB0000U)
119 + {
120 + unsigned long r27, addr;
121 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
122 + unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
123 +
124 + addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
125 + err = get_user(r27, (unsigned long *)addr);
126 + if (err)
127 + break;
128 +
129 + regs->r27 = r27;
130 + regs->pc = r27;
131 + return 2;
132 + }
133 + } while (0);
134 +
135 + do { /* PaX: patched PLT emulation #2 */
136 + unsigned int ldah, lda, br;
137 +
138 + err = get_user(ldah, (unsigned int *)regs->pc);
139 + err |= get_user(lda, (unsigned int *)(regs->pc+4));
140 + err |= get_user(br, (unsigned int *)(regs->pc+8));
141 +
142 + if (err)
143 + break;
144 +
145 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
146 + (lda & 0xFFFF0000U) == 0xA77B0000U &&
147 + (br & 0xFFE00000U) == 0xC3E00000U)
148 + {
149 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
150 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
151 + unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
152 +
153 + regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
154 + regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
155 + return 2;
156 + }
157 + } while (0);
158 +
159 + do { /* PaX: unpatched PLT emulation */
160 + unsigned int br;
161 +
162 + err = get_user(br, (unsigned int *)regs->pc);
163 +
164 + if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
165 + unsigned int br2, ldq, nop, jmp;
166 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
167 +
168 + addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
169 + err = get_user(br2, (unsigned int *)addr);
170 + err |= get_user(ldq, (unsigned int *)(addr+4));
171 + err |= get_user(nop, (unsigned int *)(addr+8));
172 + err |= get_user(jmp, (unsigned int *)(addr+12));
173 + err |= get_user(resolver, (unsigned long *)(addr+16));
174 +
175 + if (err)
176 + break;
177 +
178 + if (br2 == 0xC3600000U &&
179 + ldq == 0xA77B000CU &&
180 + nop == 0x47FF041FU &&
181 + jmp == 0x6B7B0000U)
182 + {
183 + regs->r28 = regs->pc+4;
184 + regs->r27 = addr+16;
185 + regs->pc = resolver;
186 + return 3;
187 + }
188 + }
189 + } while (0);
190 +#endif
191 +
192 + return 1;
193 +}
194 +
195 +void pax_report_insns(void *pc, void *sp)
196 +{
197 + unsigned long i;
198 +
199 + printk(KERN_ERR "PAX: bytes at PC: ");
200 + for (i = 0; i < 5; i++) {
201 + unsigned int c;
202 + if (get_user(c, (unsigned int *)pc+i))
203 + printk(KERN_CONT "???????? ");
204 + else
205 + printk(KERN_CONT "%08x ", c);
206 + }
207 + printk("\n");
208 +}
209 +#endif
210
211 /*
212 * This routine handles page faults. It determines the address,
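Review bot: In "patched PLT emulation #2" the word named `lda` is matched with `(lda & 0xFFFF0000U) == 0xA77B0000U`, which is the same pattern emulation #1 uses for the word it calls `ldq`, so either the variable name or the constant looks wrong. As written, the first two checks of #1 and #2 are identical and only the third word tells them apart, while #2 then adds the displacement to `regs->r27` instead of loading through it. Please confirm the constant against the trampoline the toolchain actually emits, and put the expected instruction next to each magic value as a comment, since this function rewrites `regs->pc` from user-controlled memory and every mask matters. Separately, the `get_user()` casts here use plain `(unsigned int *)` where the ARM `pax_report_insns()` in this patch uses `(__force ... __user *)`; the annotations should be consistent so sparse can check them.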
213 @@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns
214 good_area:
215 si_code = SEGV_ACCERR;
216 if (cause < 0) {
217 - if (!(vma->vm_flags & VM_EXEC))
218 + if (!(vma->vm_flags & VM_EXEC)) {
219 +
220 +#ifdef CONFIG_PAX_PAGEEXEC
221 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
222 + goto bad_area;
223 +
224 + up_read(&mm->mmap_sem);
225 + switch (pax_handle_fetch_fault(regs)) {
226 +
227 +#ifdef CONFIG_PAX_EMUPLT
228 + case 2:
229 + case 3:
230 + return;
231 +#endif
232 +
233 + }
234 + pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
235 + do_group_exit(SIGKILL);
236 +#else
237 goto bad_area;
238 +#endif
239 +
240 + }
241 } else if (!cause) {
242 /* Allow reads even for write-only mappings */
243 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
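Review bot: The `switch (pax_handle_fetch_fault(regs))` has no case labels at all when CONFIG_PAX_EMUPLT is off, and with it on it handles return value 1 only by falling out of the switch into the report-and-kill path. That is correct but implicit; a `default: break;` or a comment such as `/* 1: not a PLT trampoline, fall through to report and kill */` would make the intent visible. It is also worth a comment that `up_read(&mm->mmap_sem)` is deliberately done before the call, because `pax_handle_fetch_fault()` reads user memory with `get_user()`. do_page_fault() starts and ends outside the hunk.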
244 diff -urNp linux-2.6.32.46/arch/arm/include/asm/elf.h linux-2.6.32.46/arch/arm/include/asm/elf.h
245 --- linux-2.6.32.46/arch/arm/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
246 +++ linux-2.6.32.46/arch/arm/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
247 @@ -109,7 +109,14 @@ int dump_task_regs(struct task_struct *t
248 the loader. We need to make sure that it is out of the way of the program
249 that it will "exec", and that there is sufficient room for the brk. */
250
251 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
252 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
253 +
254 +#ifdef CONFIG_PAX_ASLR
255 +#define PAX_ELF_ET_DYN_BASE 0x00008000UL
256 +
257 +#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
258 +#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
259 +#endif
260
261 /* When the program starts, a1 contains a pointer to a function to be
262 registered with atexit, as per the SVR4 ABI. A value of 0 means we
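Review bot: `current->personality == PER_LINUX_32BIT` in the two `PAX_DELTA_*_LEN` macros is an exact comparison of the whole personality word, so a task with any additional personality flag bit set would silently get the 10-bit value instead of 16. The alpha hunk in this patch tests a bit with `&` instead. If the distinction intended is the address-space limit, a masked test such as `((current->personality & ADDR_LIMIT_32BIT) ? 16 : 10)` would express it, though whether that is the intent on ARM is not visible here and should be confirmed. A short comment stating which tasks are meant to receive which amount of randomisation would settle it.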
263 diff -urNp linux-2.6.32.46/arch/arm/include/asm/kmap_types.h linux-2.6.32.46/arch/arm/include/asm/kmap_types.h
264 --- linux-2.6.32.46/arch/arm/include/asm/kmap_types.h 2011-03-27 14:31:47.000000000 -0400
265 +++ linux-2.6.32.46/arch/arm/include/asm/kmap_types.h 2011-04-17 15:56:45.000000000 -0400
266 @@ -19,6 +19,7 @@ enum km_type {
267 KM_SOFTIRQ0,
268 KM_SOFTIRQ1,
269 KM_L2_CACHE,
270 + KM_CLEARPAGE,
271 KM_TYPE_NR
272 };
273
274 diff -urNp linux-2.6.32.46/arch/arm/include/asm/uaccess.h linux-2.6.32.46/arch/arm/include/asm/uaccess.h
275 --- linux-2.6.32.46/arch/arm/include/asm/uaccess.h 2011-03-27 14:31:47.000000000 -0400
276 +++ linux-2.6.32.46/arch/arm/include/asm/uaccess.h 2011-06-29 21:02:24.000000000 -0400
277 @@ -22,6 +22,8 @@
278 #define VERIFY_READ 0
279 #define VERIFY_WRITE 1
280
281 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
282 +
283 /*
284 * The exception table consists of pairs of addresses: the first is the
285 * address of an instruction that is allowed to fault, and the second is
286 @@ -387,8 +389,23 @@ do { \
287
288
289 #ifdef CONFIG_MMU
290 -extern unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n);
291 -extern unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n);
292 +extern unsigned long __must_check ___copy_from_user(void *to, const void __user *from, unsigned long n);
293 +extern unsigned long __must_check ___copy_to_user(void __user *to, const void *from, unsigned long n);
294 +
295 +static inline unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n)
296 +{
297 + if (!__builtin_constant_p(n))
298 + check_object_size(to, n, false);
299 + return ___copy_from_user(to, from, n);
300 +}
301 +
302 +static inline unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n)
303 +{
304 + if (!__builtin_constant_p(n))
305 + check_object_size(from, n, true);
306 + return ___copy_to_user(to, from, n);
307 +}
308 +
309 extern unsigned long __must_check __copy_to_user_std(void __user *to, const void *from, unsigned long n);
310 extern unsigned long __must_check __clear_user(void __user *addr, unsigned long n);
311 extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned long n);
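Review bot: The `!__builtin_constant_p(n)` guard in both new inline wrappers means copies with a compile-time-constant size never reach `check_object_size()`, and nothing in the header says why that is acceptable or what the third argument means. From the two call sites it is `false` when the kernel object is the destination and `true` when it is the source. Both deserve a comment, e.g. `/* constant sizes are assumed to be checked at build time; only variable lengths are validated against the kernel object */`, hedged or corrected by whoever owns the helper. The raw `___copy_from_user`/`___copy_to_user` also remain declared and exported, so a direct caller bypasses the check; a line such as `/* raw copy, no object-size check: use __copy_{from,to}_user() */` above the extern declarations would discourage that.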
312 @@ -403,6 +420,9 @@ extern unsigned long __must_check __strn
313
314 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
315 {
316 + if ((long)n < 0)
317 + return n;
318 +
319 if (access_ok(VERIFY_READ, from, n))
320 n = __copy_from_user(to, from, n);
321 else /* security hole - plug it */
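Review bot: The new early `return n` for `(long)n < 0` leaves `to` untouched, whereas the `access_ok()` failure branch just below is marked "security hole - plug it" (its body is outside the hunk), so the two failure paths may leave the destination in different states. A caller that ignores the return value would then consume whatever was already in the buffer. Zeroing is not possible for such a length, so the behaviour is defensible, but it needs a comment, e.g. `/* sign bit set: almost certainly a length underflow in the caller; copy nothing and report all n bytes as uncopied */`. The same guard is added to copy_to_user() in the next hunk and should carry the same explanation.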
322 @@ -412,6 +432,9 @@ static inline unsigned long __must_check
323
324 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
325 {
326 + if ((long)n < 0)
327 + return n;
328 +
329 if (access_ok(VERIFY_WRITE, to, n))
330 n = __copy_to_user(to, from, n);
331 return n;
332 diff -urNp linux-2.6.32.46/arch/arm/kernel/armksyms.c linux-2.6.32.46/arch/arm/kernel/armksyms.c
333 --- linux-2.6.32.46/arch/arm/kernel/armksyms.c 2011-03-27 14:31:47.000000000 -0400
334 +++ linux-2.6.32.46/arch/arm/kernel/armksyms.c 2011-07-06 19:51:50.000000000 -0400
335 @@ -118,8 +118,8 @@ EXPORT_SYMBOL(__strncpy_from_user);
336 #ifdef CONFIG_MMU
337 EXPORT_SYMBOL(copy_page);
338
339 -EXPORT_SYMBOL(__copy_from_user);
340 -EXPORT_SYMBOL(__copy_to_user);
341 +EXPORT_SYMBOL(___copy_from_user);
342 +EXPORT_SYMBOL(___copy_to_user);
343 EXPORT_SYMBOL(__clear_user);
344
345 EXPORT_SYMBOL(__get_user_1);
346 diff -urNp linux-2.6.32.46/arch/arm/kernel/kgdb.c linux-2.6.32.46/arch/arm/kernel/kgdb.c
347 --- linux-2.6.32.46/arch/arm/kernel/kgdb.c 2011-03-27 14:31:47.000000000 -0400
348 +++ linux-2.6.32.46/arch/arm/kernel/kgdb.c 2011-04-17 15:56:45.000000000 -0400
349 @@ -190,7 +190,7 @@ void kgdb_arch_exit(void)
350 * and we handle the normal undef case within the do_undefinstr
351 * handler.
352 */
353 -struct kgdb_arch arch_kgdb_ops = {
354 +const struct kgdb_arch arch_kgdb_ops = {
355 #ifndef __ARMEB__
356 .gdb_bpt_instr = {0xfe, 0xde, 0xff, 0xe7}
357 #else /* ! __ARMEB__ */
358 diff -urNp linux-2.6.32.46/arch/arm/kernel/traps.c linux-2.6.32.46/arch/arm/kernel/traps.c
359 --- linux-2.6.32.46/arch/arm/kernel/traps.c 2011-03-27 14:31:47.000000000 -0400
360 +++ linux-2.6.32.46/arch/arm/kernel/traps.c 2011-06-13 21:31:18.000000000 -0400
361 @@ -247,6 +247,8 @@ static void __die(const char *str, int e
362
363 DEFINE_SPINLOCK(die_lock);
364
365 +extern void gr_handle_kernel_exploit(void);
366 +
367 /*
368 * This function is protected against re-entrancy.
369 */
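Review bot: Declaring `extern void gr_handle_kernel_exploit(void);` inside traps.c means the prototype is never compiled against the function's definition, so a later signature change would not be caught on this architecture. It belongs in a shared header that both the definition and the callers include. In the second hunk the call is placed after the `panic_on_oops` test and immediately before `do_exit(SIGSEGV)`, so it is skipped whenever the kernel panics first. That ordering looks intentional but merits a one-line comment at the call site.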
370 @@ -271,6 +273,8 @@ NORET_TYPE void die(const char *str, str
371 if (panic_on_oops)
372 panic("Fatal exception");
373
374 + gr_handle_kernel_exploit();
375 +
376 do_exit(SIGSEGV);
377 }
378
379 diff -urNp linux-2.6.32.46/arch/arm/lib/copy_from_user.S linux-2.6.32.46/arch/arm/lib/copy_from_user.S
380 --- linux-2.6.32.46/arch/arm/lib/copy_from_user.S 2011-03-27 14:31:47.000000000 -0400
381 +++ linux-2.6.32.46/arch/arm/lib/copy_from_user.S 2011-06-29 20:48:38.000000000 -0400
382 @@ -16,7 +16,7 @@
383 /*
384 * Prototype:
385 *
386 - * size_t __copy_from_user(void *to, const void *from, size_t n)
387 + * size_t ___copy_from_user(void *to, const void *from, size_t n)
388 *
389 * Purpose:
390 *
391 @@ -84,11 +84,11 @@
392
393 .text
394
395 -ENTRY(__copy_from_user)
396 +ENTRY(___copy_from_user)
397
398 #include "copy_template.S"
399
400 -ENDPROC(__copy_from_user)
401 +ENDPROC(___copy_from_user)
402
403 .section .fixup,"ax"
404 .align 0
405 diff -urNp linux-2.6.32.46/arch/arm/lib/copy_to_user.S linux-2.6.32.46/arch/arm/lib/copy_to_user.S
406 --- linux-2.6.32.46/arch/arm/lib/copy_to_user.S 2011-03-27 14:31:47.000000000 -0400
407 +++ linux-2.6.32.46/arch/arm/lib/copy_to_user.S 2011-06-29 20:46:49.000000000 -0400
408 @@ -16,7 +16,7 @@
409 /*
410 * Prototype:
411 *
412 - * size_t __copy_to_user(void *to, const void *from, size_t n)
413 + * size_t ___copy_to_user(void *to, const void *from, size_t n)
414 *
415 * Purpose:
416 *
417 @@ -88,11 +88,11 @@
418 .text
419
420 ENTRY(__copy_to_user_std)
421 -WEAK(__copy_to_user)
422 +WEAK(___copy_to_user)
423
424 #include "copy_template.S"
425
426 -ENDPROC(__copy_to_user)
427 +ENDPROC(___copy_to_user)
428
429 .section .fixup,"ax"
430 .align 0
431 diff -urNp linux-2.6.32.46/arch/arm/lib/uaccess.S linux-2.6.32.46/arch/arm/lib/uaccess.S
432 --- linux-2.6.32.46/arch/arm/lib/uaccess.S 2011-03-27 14:31:47.000000000 -0400
433 +++ linux-2.6.32.46/arch/arm/lib/uaccess.S 2011-06-29 20:48:53.000000000 -0400
434 @@ -19,7 +19,7 @@
435
436 #define PAGE_SHIFT 12
437
438 -/* Prototype: int __copy_to_user(void *to, const char *from, size_t n)
439 +/* Prototype: int ___copy_to_user(void *to, const char *from, size_t n)
440 * Purpose : copy a block to user memory from kernel memory
441 * Params : to - user memory
442 * : from - kernel memory
443 @@ -39,7 +39,7 @@ USER( strgtbt r3, [r0], #1) @ May fau
444 sub r2, r2, ip
445 b .Lc2u_dest_aligned
446
447 -ENTRY(__copy_to_user)
448 +ENTRY(___copy_to_user)
449 stmfd sp!, {r2, r4 - r7, lr}
450 cmp r2, #4
451 blt .Lc2u_not_enough
452 @@ -277,14 +277,14 @@ USER( strgebt r3, [r0], #1) @ May fau
453 ldrgtb r3, [r1], #0
454 USER( strgtbt r3, [r0], #1) @ May fault
455 b .Lc2u_finished
456 -ENDPROC(__copy_to_user)
457 +ENDPROC(___copy_to_user)
458
459 .section .fixup,"ax"
460 .align 0
461 9001: ldmfd sp!, {r0, r4 - r7, pc}
462 .previous
463
464 -/* Prototype: unsigned long __copy_from_user(void *to,const void *from,unsigned long n);
465 +/* Prototype: unsigned long ___copy_from_user(void *to,const void *from,unsigned long n);
466 * Purpose : copy a block from user memory to kernel memory
467 * Params : to - kernel memory
468 * : from - user memory
469 @@ -303,7 +303,7 @@ USER( ldrgtbt r3, [r1], #1) @ May fau
470 sub r2, r2, ip
471 b .Lcfu_dest_aligned
472
473 -ENTRY(__copy_from_user)
474 +ENTRY(___copy_from_user)
475 stmfd sp!, {r0, r2, r4 - r7, lr}
476 cmp r2, #4
477 blt .Lcfu_not_enough
478 @@ -543,7 +543,7 @@ USER( ldrgebt r3, [r1], #1) @ May fau
479 USER( ldrgtbt r3, [r1], #1) @ May fault
480 strgtb r3, [r0], #1
481 b .Lcfu_finished
482 -ENDPROC(__copy_from_user)
483 +ENDPROC(___copy_from_user)
484
485 .section .fixup,"ax"
486 .align 0
487 diff -urNp linux-2.6.32.46/arch/arm/lib/uaccess_with_memcpy.c linux-2.6.32.46/arch/arm/lib/uaccess_with_memcpy.c
488 --- linux-2.6.32.46/arch/arm/lib/uaccess_with_memcpy.c 2011-03-27 14:31:47.000000000 -0400
489 +++ linux-2.6.32.46/arch/arm/lib/uaccess_with_memcpy.c 2011-06-29 20:44:35.000000000 -0400
490 @@ -97,7 +97,7 @@ out:
491 }
492
493 unsigned long
494 -__copy_to_user(void __user *to, const void *from, unsigned long n)
495 +___copy_to_user(void __user *to, const void *from, unsigned long n)
496 {
497 /*
498 * This test is stubbed out of the main function above to keep
499 diff -urNp linux-2.6.32.46/arch/arm/mach-at91/pm.c linux-2.6.32.46/arch/arm/mach-at91/pm.c
500 --- linux-2.6.32.46/arch/arm/mach-at91/pm.c 2011-03-27 14:31:47.000000000 -0400
501 +++ linux-2.6.32.46/arch/arm/mach-at91/pm.c 2011-04-17 15:56:45.000000000 -0400
502 @@ -348,7 +348,7 @@ static void at91_pm_end(void)
503 }
504
505
506 -static struct platform_suspend_ops at91_pm_ops ={
507 +static const struct platform_suspend_ops at91_pm_ops ={
508 .valid = at91_pm_valid_state,
509 .begin = at91_pm_begin,
510 .enter = at91_pm_enter,
511 diff -urNp linux-2.6.32.46/arch/arm/mach-omap1/pm.c linux-2.6.32.46/arch/arm/mach-omap1/pm.c
512 --- linux-2.6.32.46/arch/arm/mach-omap1/pm.c 2011-03-27 14:31:47.000000000 -0400
513 +++ linux-2.6.32.46/arch/arm/mach-omap1/pm.c 2011-04-17 15:56:45.000000000 -0400
514 @@ -647,7 +647,7 @@ static struct irqaction omap_wakeup_irq
515
516
517
518 -static struct platform_suspend_ops omap_pm_ops ={
519 +static const struct platform_suspend_ops omap_pm_ops ={
520 .prepare = omap_pm_prepare,
521 .enter = omap_pm_enter,
522 .finish = omap_pm_finish,
523 diff -urNp linux-2.6.32.46/arch/arm/mach-omap2/pm24xx.c linux-2.6.32.46/arch/arm/mach-omap2/pm24xx.c
524 --- linux-2.6.32.46/arch/arm/mach-omap2/pm24xx.c 2011-03-27 14:31:47.000000000 -0400
525 +++ linux-2.6.32.46/arch/arm/mach-omap2/pm24xx.c 2011-04-17 15:56:45.000000000 -0400
526 @@ -326,7 +326,7 @@ static void omap2_pm_finish(void)
527 enable_hlt();
528 }
529
530 -static struct platform_suspend_ops omap_pm_ops = {
531 +static const struct platform_suspend_ops omap_pm_ops = {
532 .prepare = omap2_pm_prepare,
533 .enter = omap2_pm_enter,
534 .finish = omap2_pm_finish,
535 diff -urNp linux-2.6.32.46/arch/arm/mach-omap2/pm34xx.c linux-2.6.32.46/arch/arm/mach-omap2/pm34xx.c
536 --- linux-2.6.32.46/arch/arm/mach-omap2/pm34xx.c 2011-03-27 14:31:47.000000000 -0400
537 +++ linux-2.6.32.46/arch/arm/mach-omap2/pm34xx.c 2011-04-17 15:56:45.000000000 -0400
538 @@ -401,7 +401,7 @@ static void omap3_pm_end(void)
539 return;
540 }
541
542 -static struct platform_suspend_ops omap_pm_ops = {
543 +static const struct platform_suspend_ops omap_pm_ops = {
544 .begin = omap3_pm_begin,
545 .end = omap3_pm_end,
546 .prepare = omap3_pm_prepare,
547 diff -urNp linux-2.6.32.46/arch/arm/mach-pnx4008/pm.c linux-2.6.32.46/arch/arm/mach-pnx4008/pm.c
548 --- linux-2.6.32.46/arch/arm/mach-pnx4008/pm.c 2011-03-27 14:31:47.000000000 -0400
549 +++ linux-2.6.32.46/arch/arm/mach-pnx4008/pm.c 2011-04-17 15:56:45.000000000 -0400
550 @@ -116,7 +116,7 @@ static int pnx4008_pm_valid(suspend_stat
551 (state == PM_SUSPEND_MEM);
552 }
553
554 -static struct platform_suspend_ops pnx4008_pm_ops = {
555 +static const struct platform_suspend_ops pnx4008_pm_ops = {
556 .enter = pnx4008_pm_enter,
557 .valid = pnx4008_pm_valid,
558 };
559 diff -urNp linux-2.6.32.46/arch/arm/mach-pxa/pm.c linux-2.6.32.46/arch/arm/mach-pxa/pm.c
560 --- linux-2.6.32.46/arch/arm/mach-pxa/pm.c 2011-03-27 14:31:47.000000000 -0400
561 +++ linux-2.6.32.46/arch/arm/mach-pxa/pm.c 2011-04-17 15:56:45.000000000 -0400
562 @@ -95,7 +95,7 @@ void pxa_pm_finish(void)
563 pxa_cpu_pm_fns->finish();
564 }
565
566 -static struct platform_suspend_ops pxa_pm_ops = {
567 +static const struct platform_suspend_ops pxa_pm_ops = {
568 .valid = pxa_pm_valid,
569 .enter = pxa_pm_enter,
570 .prepare = pxa_pm_prepare,
571 diff -urNp linux-2.6.32.46/arch/arm/mach-pxa/sharpsl_pm.c linux-2.6.32.46/arch/arm/mach-pxa/sharpsl_pm.c
572 --- linux-2.6.32.46/arch/arm/mach-pxa/sharpsl_pm.c 2011-03-27 14:31:47.000000000 -0400
573 +++ linux-2.6.32.46/arch/arm/mach-pxa/sharpsl_pm.c 2011-04-17 15:56:45.000000000 -0400
574 @@ -891,7 +891,7 @@ static void sharpsl_apm_get_power_status
575 }
576
577 #ifdef CONFIG_PM
578 -static struct platform_suspend_ops sharpsl_pm_ops = {
579 +static const struct platform_suspend_ops sharpsl_pm_ops = {
580 .prepare = pxa_pm_prepare,
581 .finish = pxa_pm_finish,
582 .enter = corgi_pxa_pm_enter,
583 diff -urNp linux-2.6.32.46/arch/arm/mach-sa1100/pm.c linux-2.6.32.46/arch/arm/mach-sa1100/pm.c
584 --- linux-2.6.32.46/arch/arm/mach-sa1100/pm.c 2011-03-27 14:31:47.000000000 -0400
585 +++ linux-2.6.32.46/arch/arm/mach-sa1100/pm.c 2011-04-17 15:56:45.000000000 -0400
586 @@ -120,7 +120,7 @@ unsigned long sleep_phys_sp(void *sp)
587 return virt_to_phys(sp);
588 }
589
590 -static struct platform_suspend_ops sa11x0_pm_ops = {
591 +static const struct platform_suspend_ops sa11x0_pm_ops = {
592 .enter = sa11x0_pm_enter,
593 .valid = suspend_valid_only_mem,
594 };
595 diff -urNp linux-2.6.32.46/arch/arm/mm/fault.c linux-2.6.32.46/arch/arm/mm/fault.c
596 --- linux-2.6.32.46/arch/arm/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
597 +++ linux-2.6.32.46/arch/arm/mm/fault.c 2011-04-17 15:56:45.000000000 -0400
598 @@ -166,6 +166,13 @@ __do_user_fault(struct task_struct *tsk,
599 }
600 #endif
601
602 +#ifdef CONFIG_PAX_PAGEEXEC
603 + if (fsr & FSR_LNX_PF) {
604 + pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
605 + do_group_exit(SIGKILL);
606 + }
607 +#endif
608 +
609 tsk->thread.address = addr;
610 tsk->thread.error_code = fsr;
611 tsk->thread.trap_no = 14;
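Review bot: The added block kills the whole thread group whenever `fsr & FSR_LNX_PF` is set, without consulting the per-task flag. The alpha and avr32 hunks in this patch both gate the same `pax_report_fault()`/`do_group_exit(SIGKILL)` sequence on `mm->pax_flags & MF_PAX_PAGEEXEC`. Unless the flag is checked before `__do_user_fault()` is reached (not visible here), a task with PAGEEXEC disabled would still be killed rather than receive the normal signal. Something like `if ((fsr & FSR_LNX_PF) && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {` would match the other architectures, assuming `tsk->mm` is valid on this path. __do_user_fault() starts and ends outside the hunk.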
612 @@ -357,6 +364,33 @@ do_page_fault(unsigned long addr, unsign
613 }
614 #endif /* CONFIG_MMU */
615
616 +#ifdef CONFIG_PAX_PAGEEXEC
617 +void pax_report_insns(void *pc, void *sp)
618 +{
619 + long i;
620 +
621 + printk(KERN_ERR "PAX: bytes at PC: ");
622 + for (i = 0; i < 20; i++) {
623 + unsigned char c;
624 + if (get_user(c, (__force unsigned char __user *)pc+i))
625 + printk(KERN_CONT "?? ");
626 + else
627 + printk(KERN_CONT "%02x ", c);
628 + }
629 + printk("\n");
630 +
631 + printk(KERN_ERR "PAX: bytes at SP-4: ");
632 + for (i = -1; i < 20; i++) {
633 + unsigned long c;
634 + if (get_user(c, (__force unsigned long __user *)sp+i))
635 + printk(KERN_CONT "???????? ");
636 + else
637 + printk(KERN_CONT "%08lx ", c);
638 + }
639 + printk("\n");
640 +}
641 +#endif
642 +
643 /*
644 * First Level Translation Fault Handler
645 *
646 diff -urNp linux-2.6.32.46/arch/arm/mm/mmap.c linux-2.6.32.46/arch/arm/mm/mmap.c
647 --- linux-2.6.32.46/arch/arm/mm/mmap.c 2011-03-27 14:31:47.000000000 -0400
648 +++ linux-2.6.32.46/arch/arm/mm/mmap.c 2011-04-17 15:56:45.000000000 -0400
649 @@ -63,6 +63,10 @@ arch_get_unmapped_area(struct file *filp
650 if (len > TASK_SIZE)
651 return -ENOMEM;
652
653 +#ifdef CONFIG_PAX_RANDMMAP
654 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
655 +#endif
656 +
657 if (addr) {
658 if (do_align)
659 addr = COLOUR_ALIGN(addr, pgoff);
660 @@ -70,15 +74,14 @@ arch_get_unmapped_area(struct file *filp
661 addr = PAGE_ALIGN(addr);
662
663 vma = find_vma(mm, addr);
664 - if (TASK_SIZE - len >= addr &&
665 - (!vma || addr + len <= vma->vm_start))
666 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
667 return addr;
668 }
669 if (len > mm->cached_hole_size) {
670 - start_addr = addr = mm->free_area_cache;
671 + start_addr = addr = mm->free_area_cache;
672 } else {
673 - start_addr = addr = TASK_UNMAPPED_BASE;
674 - mm->cached_hole_size = 0;
675 + start_addr = addr = mm->mmap_base;
676 + mm->cached_hole_size = 0;
677 }
678
679 full_search:
680 @@ -94,14 +97,14 @@ full_search:
681 * Start a new search - just in case we missed
682 * some holes.
683 */
684 - if (start_addr != TASK_UNMAPPED_BASE) {
685 - start_addr = addr = TASK_UNMAPPED_BASE;
686 + if (start_addr != mm->mmap_base) {
687 + start_addr = addr = mm->mmap_base;
688 mm->cached_hole_size = 0;
689 goto full_search;
690 }
691 return -ENOMEM;
692 }
693 - if (!vma || addr + len <= vma->vm_start) {
694 + if (check_heap_stack_gap(vma, addr, len)) {
695 /*
696 * Remember the place where we stopped the search:
697 */
698 diff -urNp linux-2.6.32.46/arch/arm/plat-s3c/pm.c linux-2.6.32.46/arch/arm/plat-s3c/pm.c
699 --- linux-2.6.32.46/arch/arm/plat-s3c/pm.c 2011-03-27 14:31:47.000000000 -0400
700 +++ linux-2.6.32.46/arch/arm/plat-s3c/pm.c 2011-04-17 15:56:45.000000000 -0400
701 @@ -355,7 +355,7 @@ static void s3c_pm_finish(void)
702 s3c_pm_check_cleanup();
703 }
704
705 -static struct platform_suspend_ops s3c_pm_ops = {
706 +static const struct platform_suspend_ops s3c_pm_ops = {
707 .enter = s3c_pm_enter,
708 .prepare = s3c_pm_prepare,
709 .finish = s3c_pm_finish,
710 diff -urNp linux-2.6.32.46/arch/avr32/include/asm/elf.h linux-2.6.32.46/arch/avr32/include/asm/elf.h
711 --- linux-2.6.32.46/arch/avr32/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
712 +++ linux-2.6.32.46/arch/avr32/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
713 @@ -85,8 +85,14 @@ typedef struct user_fpu_struct elf_fpreg
714 the loader. We need to make sure that it is out of the way of the program
715 that it will "exec", and that there is sufficient room for the brk. */
716
717 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
718 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
719
720 +#ifdef CONFIG_PAX_ASLR
721 +#define PAX_ELF_ET_DYN_BASE 0x00001000UL
722 +
723 +#define PAX_DELTA_MMAP_LEN 15
724 +#define PAX_DELTA_STACK_LEN 15
725 +#endif
726
727 /* This yields a mask that user programs can use to figure out what
728 instruction set this CPU supports. This could be done in user space,
729 diff -urNp linux-2.6.32.46/arch/avr32/include/asm/kmap_types.h linux-2.6.32.46/arch/avr32/include/asm/kmap_types.h
730 --- linux-2.6.32.46/arch/avr32/include/asm/kmap_types.h 2011-03-27 14:31:47.000000000 -0400
731 +++ linux-2.6.32.46/arch/avr32/include/asm/kmap_types.h 2011-04-17 15:56:45.000000000 -0400
732 @@ -22,7 +22,8 @@ D(10) KM_IRQ0,
733 D(11) KM_IRQ1,
734 D(12) KM_SOFTIRQ0,
735 D(13) KM_SOFTIRQ1,
736 -D(14) KM_TYPE_NR
737 +D(14) KM_CLEARPAGE,
738 +D(15) KM_TYPE_NR
739 };
740
741 #undef D
742 diff -urNp linux-2.6.32.46/arch/avr32/mach-at32ap/pm.c linux-2.6.32.46/arch/avr32/mach-at32ap/pm.c
743 --- linux-2.6.32.46/arch/avr32/mach-at32ap/pm.c 2011-03-27 14:31:47.000000000 -0400
744 +++ linux-2.6.32.46/arch/avr32/mach-at32ap/pm.c 2011-04-17 15:56:45.000000000 -0400
745 @@ -176,7 +176,7 @@ out:
746 return 0;
747 }
748
749 -static struct platform_suspend_ops avr32_pm_ops = {
750 +static const struct platform_suspend_ops avr32_pm_ops = {
751 .valid = avr32_pm_valid_state,
752 .enter = avr32_pm_enter,
753 };
754 diff -urNp linux-2.6.32.46/arch/avr32/mm/fault.c linux-2.6.32.46/arch/avr32/mm/fault.c
755 --- linux-2.6.32.46/arch/avr32/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
756 +++ linux-2.6.32.46/arch/avr32/mm/fault.c 2011-04-17 15:56:45.000000000 -0400
757 @@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
758
759 int exception_trace = 1;
760
761 +#ifdef CONFIG_PAX_PAGEEXEC
762 +void pax_report_insns(void *pc, void *sp)
763 +{
764 + unsigned long i;
765 +
766 + printk(KERN_ERR "PAX: bytes at PC: ");
767 + for (i = 0; i < 20; i++) {
768 + unsigned char c;
769 + if (get_user(c, (unsigned char *)pc+i))
770 + printk(KERN_CONT "???????? ");
771 + else
772 + printk(KERN_CONT "%02x ", c);
773 + }
774 + printk("\n");
775 +}
776 +#endif
777 +
778 /*
779 * This routine handles page faults. It determines the address and the
780 * problem, and then passes it off to one of the appropriate routines.
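Review bot: In the added `pax_report_insns()` the loop reads one `unsigned char` and prints it with `"%02x "`, but the failure placeholder is the eight-character `"???????? "`, so an unreadable byte shifts every following column in the log line. The ARM version of this function in the same patch prints `"?? "` for its byte loop; this one should read `printk(KERN_CONT "?? ");`. The `get_user()` cast also lacks the `__force ... __user` annotation that the ARM version carries. The `sp` parameter is accepted but never used here, which is worth a comment if intentional.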
781 @@ -157,6 +174,16 @@ bad_area:
782 up_read(&mm->mmap_sem);
783
784 if (user_mode(regs)) {
785 +
786 +#ifdef CONFIG_PAX_PAGEEXEC
787 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
788 + if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
789 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
790 + do_group_exit(SIGKILL);
791 + }
792 + }
793 +#endif
794 +
795 if (exception_trace && printk_ratelimit())
796 printk("%s%s[%d]: segfault at %08lx pc %08lx "
797 "sp %08lx ecr %lu\n",
798 diff -urNp linux-2.6.32.46/arch/blackfin/kernel/kgdb.c linux-2.6.32.46/arch/blackfin/kernel/kgdb.c
799 --- linux-2.6.32.46/arch/blackfin/kernel/kgdb.c 2011-03-27 14:31:47.000000000 -0400
800 +++ linux-2.6.32.46/arch/blackfin/kernel/kgdb.c 2011-04-17 15:56:45.000000000 -0400
801 @@ -428,7 +428,7 @@ int kgdb_arch_handle_exception(int vecto
802 return -1; /* this means that we do not want to exit from the handler */
803 }
804
805 -struct kgdb_arch arch_kgdb_ops = {
806 +const struct kgdb_arch arch_kgdb_ops = {
807 .gdb_bpt_instr = {0xa1},
808 #ifdef CONFIG_SMP
809 .flags = KGDB_HW_BREAKPOINT|KGDB_THR_PROC_SWAP,
810 diff -urNp linux-2.6.32.46/arch/blackfin/mach-common/pm.c linux-2.6.32.46/arch/blackfin/mach-common/pm.c
811 --- linux-2.6.32.46/arch/blackfin/mach-common/pm.c 2011-03-27 14:31:47.000000000 -0400
812 +++ linux-2.6.32.46/arch/blackfin/mach-common/pm.c 2011-04-17 15:56:45.000000000 -0400
813 @@ -255,7 +255,7 @@ static int bfin_pm_enter(suspend_state_t
814 return 0;
815 }
816
817 -struct platform_suspend_ops bfin_pm_ops = {
818 +const struct platform_suspend_ops bfin_pm_ops = {
819 .enter = bfin_pm_enter,
820 .valid = bfin_pm_valid,
821 };
822 diff -urNp linux-2.6.32.46/arch/frv/include/asm/kmap_types.h linux-2.6.32.46/arch/frv/include/asm/kmap_types.h
823 --- linux-2.6.32.46/arch/frv/include/asm/kmap_types.h 2011-03-27 14:31:47.000000000 -0400
824 +++ linux-2.6.32.46/arch/frv/include/asm/kmap_types.h 2011-04-17 15:56:45.000000000 -0400
825 @@ -23,6 +23,7 @@ enum km_type {
826 KM_IRQ1,
827 KM_SOFTIRQ0,
828 KM_SOFTIRQ1,
829 + KM_CLEARPAGE,
830 KM_TYPE_NR
831 };
832
833 diff -urNp linux-2.6.32.46/arch/frv/mm/elf-fdpic.c linux-2.6.32.46/arch/frv/mm/elf-fdpic.c
834 --- linux-2.6.32.46/arch/frv/mm/elf-fdpic.c 2011-03-27 14:31:47.000000000 -0400
835 +++ linux-2.6.32.46/arch/frv/mm/elf-fdpic.c 2011-04-17 15:56:45.000000000 -0400
836 @@ -73,8 +73,7 @@ unsigned long arch_get_unmapped_area(str
837 if (addr) {
838 addr = PAGE_ALIGN(addr);
839 vma = find_vma(current->mm, addr);
840 - if (TASK_SIZE - len >= addr &&
841 - (!vma || addr + len <= vma->vm_start))
842 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
843 goto success;
844 }
845
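Review bot: The replaced condition accepted the address outright when `vma` was NULL (`!vma || addr + len <= vma->vm_start`), and the new call passes `vma` to check_heap_stack_gap() without that test, so the helper must itself treat a NULL vma as "no conflict". Its definition is not part of this hunk; if that contract holds, a comment at the call would record it, for example `/* check_heap_stack_gap() accepts vma == NULL */`. The two later hunks in this file call it inside `for (; vma; ...)` loops where vma is non-NULL. The ia64 arch_get_unmapped_area and hugetlb_get_unmapped_area hunks later in this patch drop the same `!vma` test inside loops that go on to dereference the vma, so the contract matters most there.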
846 @@ -89,7 +88,7 @@ unsigned long arch_get_unmapped_area(str
847 for (; vma; vma = vma->vm_next) {
848 if (addr > limit)
849 break;
850 - if (addr + len <= vma->vm_start)
851 + if (check_heap_stack_gap(vma, addr, len))
852 goto success;
853 addr = vma->vm_end;
854 }
855 @@ -104,7 +103,7 @@ unsigned long arch_get_unmapped_area(str
856 for (; vma; vma = vma->vm_next) {
857 if (addr > limit)
858 break;
859 - if (addr + len <= vma->vm_start)
860 + if (check_heap_stack_gap(vma, addr, len))
861 goto success;
862 addr = vma->vm_end;
863 }
864 diff -urNp linux-2.6.32.46/arch/ia64/hp/common/hwsw_iommu.c linux-2.6.32.46/arch/ia64/hp/common/hwsw_iommu.c
865 --- linux-2.6.32.46/arch/ia64/hp/common/hwsw_iommu.c 2011-03-27 14:31:47.000000000 -0400
866 +++ linux-2.6.32.46/arch/ia64/hp/common/hwsw_iommu.c 2011-04-17 15:56:45.000000000 -0400
867 @@ -17,7 +17,7 @@
868 #include <linux/swiotlb.h>
869 #include <asm/machvec.h>
870
871 -extern struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
872 +extern const struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
873
874 /* swiotlb declarations & definitions: */
875 extern int swiotlb_late_init_with_default_size (size_t size);
876 @@ -33,7 +33,7 @@ static inline int use_swiotlb(struct dev
877 !sba_dma_ops.dma_supported(dev, *dev->dma_mask);
878 }
879
880 -struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
881 +const struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
882 {
883 if (use_swiotlb(dev))
884 return &swiotlb_dma_ops;
885 diff -urNp linux-2.6.32.46/arch/ia64/hp/common/sba_iommu.c linux-2.6.32.46/arch/ia64/hp/common/sba_iommu.c
886 --- linux-2.6.32.46/arch/ia64/hp/common/sba_iommu.c 2011-03-27 14:31:47.000000000 -0400
887 +++ linux-2.6.32.46/arch/ia64/hp/common/sba_iommu.c 2011-04-17 15:56:45.000000000 -0400
888 @@ -2097,7 +2097,7 @@ static struct acpi_driver acpi_sba_ioc_d
889 },
890 };
891
892 -extern struct dma_map_ops swiotlb_dma_ops;
893 +extern const struct dma_map_ops swiotlb_dma_ops;
894
895 static int __init
896 sba_init(void)
897 @@ -2211,7 +2211,7 @@ sba_page_override(char *str)
898
899 __setup("sbapagesize=",sba_page_override);
900
901 -struct dma_map_ops sba_dma_ops = {
902 +const struct dma_map_ops sba_dma_ops = {
903 .alloc_coherent = sba_alloc_coherent,
904 .free_coherent = sba_free_coherent,
905 .map_page = sba_map_page,
906 diff -urNp linux-2.6.32.46/arch/ia64/ia32/binfmt_elf32.c linux-2.6.32.46/arch/ia64/ia32/binfmt_elf32.c
907 --- linux-2.6.32.46/arch/ia64/ia32/binfmt_elf32.c 2011-03-27 14:31:47.000000000 -0400
908 +++ linux-2.6.32.46/arch/ia64/ia32/binfmt_elf32.c 2011-04-17 15:56:45.000000000 -0400
909 @@ -45,6 +45,13 @@ randomize_stack_top(unsigned long stack_
910
911 #define elf_read_implies_exec(ex, have_pt_gnu_stack) (!(have_pt_gnu_stack))
912
913 +#ifdef CONFIG_PAX_ASLR
914 +#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
915 +
916 +#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
917 +#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
918 +#endif
919 +
920 /* Ugly but avoids duplication */
921 #include "../../../fs/binfmt_elf.c"
922
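Review bot: The three PAX_* macros added here are repeated character for character in the arch/ia64/include/asm/elf.h hunk of this patch, so the ia64 ASLR parameters now live in two places that must be edited together. If both definitions are meant to stay, a comment at each naming the other would help; otherwise one could be dropped, depending on which header this file includes (not visible in the hunk). The expression `3*PAGE_SHIFT - 13` also deserves a short comment on how the bit count was derived.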
923 diff -urNp linux-2.6.32.46/arch/ia64/ia32/ia32priv.h linux-2.6.32.46/arch/ia64/ia32/ia32priv.h
924 --- linux-2.6.32.46/arch/ia64/ia32/ia32priv.h 2011-03-27 14:31:47.000000000 -0400
925 +++ linux-2.6.32.46/arch/ia64/ia32/ia32priv.h 2011-04-17 15:56:45.000000000 -0400
926 @@ -296,7 +296,14 @@ typedef struct compat_siginfo {
927 #define ELF_DATA ELFDATA2LSB
928 #define ELF_ARCH EM_386
929
930 -#define IA32_STACK_TOP IA32_PAGE_OFFSET
931 +#ifdef CONFIG_PAX_RANDUSTACK
932 +#define __IA32_DELTA_STACK (current->mm->delta_stack)
933 +#else
934 +#define __IA32_DELTA_STACK 0UL
935 +#endif
936 +
937 +#define IA32_STACK_TOP (IA32_PAGE_OFFSET - __IA32_DELTA_STACK)
938 +
939 #define IA32_GATE_OFFSET IA32_PAGE_OFFSET
940 #define IA32_GATE_END IA32_PAGE_OFFSET + PAGE_SIZE
941
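Review bot: With CONFIG_PAX_RANDUSTACK set, IA32_STACK_TOP expands to an expression that dereferences `current->mm`, so it is no longer a compile-time constant and cannot be evaluated where `current->mm` is NULL. The macro's users are outside the hunk; any that use it in a static initializer or from a context without a user mm need checking. A comment above the definition would warn future users, for example `/* runtime value: reads current->mm->delta_stack when CONFIG_PAX_RANDUSTACK is set */`.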
942 diff -urNp linux-2.6.32.46/arch/ia64/include/asm/dma-mapping.h linux-2.6.32.46/arch/ia64/include/asm/dma-mapping.h
943 --- linux-2.6.32.46/arch/ia64/include/asm/dma-mapping.h 2011-03-27 14:31:47.000000000 -0400
944 +++ linux-2.6.32.46/arch/ia64/include/asm/dma-mapping.h 2011-04-17 15:56:45.000000000 -0400
945 @@ -12,7 +12,7 @@
946
947 #define ARCH_HAS_DMA_GET_REQUIRED_MASK
948
949 -extern struct dma_map_ops *dma_ops;
950 +extern const struct dma_map_ops *dma_ops;
951 extern struct ia64_machine_vector ia64_mv;
952 extern void set_iommu_machvec(void);
953
954 @@ -24,7 +24,7 @@ extern void machvec_dma_sync_sg(struct d
955 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
956 dma_addr_t *daddr, gfp_t gfp)
957 {
958 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
959 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
960 void *caddr;
961
962 caddr = ops->alloc_coherent(dev, size, daddr, gfp);
963 @@ -35,7 +35,7 @@ static inline void *dma_alloc_coherent(s
964 static inline void dma_free_coherent(struct device *dev, size_t size,
965 void *caddr, dma_addr_t daddr)
966 {
967 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
968 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
969 debug_dma_free_coherent(dev, size, caddr, daddr);
970 ops->free_coherent(dev, size, caddr, daddr);
971 }
972 @@ -49,13 +49,13 @@ static inline void dma_free_coherent(str
973
974 static inline int dma_mapping_error(struct device *dev, dma_addr_t daddr)
975 {
976 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
977 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
978 return ops->mapping_error(dev, daddr);
979 }
980
981 static inline int dma_supported(struct device *dev, u64 mask)
982 {
983 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
984 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
985 return ops->dma_supported(dev, mask);
986 }
987
988 diff -urNp linux-2.6.32.46/arch/ia64/include/asm/elf.h linux-2.6.32.46/arch/ia64/include/asm/elf.h
989 --- linux-2.6.32.46/arch/ia64/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
990 +++ linux-2.6.32.46/arch/ia64/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
991 @@ -43,6 +43,13 @@
992 */
993 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
994
995 +#ifdef CONFIG_PAX_ASLR
996 +#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
997 +
998 +#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
999 +#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
1000 +#endif
1001 +
1002 #define PT_IA_64_UNWIND 0x70000001
1003
1004 /* IA-64 relocations: */
1005 diff -urNp linux-2.6.32.46/arch/ia64/include/asm/machvec.h linux-2.6.32.46/arch/ia64/include/asm/machvec.h
1006 --- linux-2.6.32.46/arch/ia64/include/asm/machvec.h 2011-03-27 14:31:47.000000000 -0400
1007 +++ linux-2.6.32.46/arch/ia64/include/asm/machvec.h 2011-04-17 15:56:45.000000000 -0400
1008 @@ -45,7 +45,7 @@ typedef void ia64_mv_kernel_launch_event
1009 /* DMA-mapping interface: */
1010 typedef void ia64_mv_dma_init (void);
1011 typedef u64 ia64_mv_dma_get_required_mask (struct device *);
1012 -typedef struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
1013 +typedef const struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
1014
1015 /*
1016 * WARNING: The legacy I/O space is _architected_. Platforms are
1017 @@ -251,7 +251,7 @@ extern void machvec_init_from_cmdline(co
1018 # endif /* CONFIG_IA64_GENERIC */
1019
1020 extern void swiotlb_dma_init(void);
1021 -extern struct dma_map_ops *dma_get_ops(struct device *);
1022 +extern const struct dma_map_ops *dma_get_ops(struct device *);
1023
1024 /*
1025 * Define default versions so we can extend machvec for new platforms without having
1026 diff -urNp linux-2.6.32.46/arch/ia64/include/asm/pgtable.h linux-2.6.32.46/arch/ia64/include/asm/pgtable.h
1027 --- linux-2.6.32.46/arch/ia64/include/asm/pgtable.h 2011-03-27 14:31:47.000000000 -0400
1028 +++ linux-2.6.32.46/arch/ia64/include/asm/pgtable.h 2011-04-17 15:56:45.000000000 -0400
1029 @@ -12,7 +12,7 @@
1030 * David Mosberger-Tang <davidm@hpl.hp.com>
1031 */
1032
1033 -
1034 +#include <linux/const.h>
1035 #include <asm/mman.h>
1036 #include <asm/page.h>
1037 #include <asm/processor.h>
1038 @@ -143,6 +143,17 @@
1039 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1040 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1041 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
1042 +
1043 +#ifdef CONFIG_PAX_PAGEEXEC
1044 +# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
1045 +# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1046 +# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1047 +#else
1048 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
1049 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
1050 +# define PAGE_COPY_NOEXEC PAGE_COPY
1051 +#endif
1052 +
1053 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
1054 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
1055 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
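Review bot: Under CONFIG_PAX_PAGEEXEC, `PAGE_READONLY_NOEXEC` and `PAGE_COPY_NOEXEC` are defined with exactly the same bits as `PAGE_READONLY` and `PAGE_COPY` in the context lines above (`__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R`), so for those two the `#ifdef` and `#else` branches produce the same value. If that is deliberate because the read-only access-rights encoding carries no execute permission, a comment should say so, for example `/* _PAGE_AR_R grants no execute right, so these match the plain variants */`. `PAGE_SHARED` is defined above the hunk, so whether `PAGE_SHARED_NOEXEC` differs from it cannot be checked here.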
1056 diff -urNp linux-2.6.32.46/arch/ia64/include/asm/spinlock.h linux-2.6.32.46/arch/ia64/include/asm/spinlock.h
1057 --- linux-2.6.32.46/arch/ia64/include/asm/spinlock.h 2011-03-27 14:31:47.000000000 -0400
1058 +++ linux-2.6.32.46/arch/ia64/include/asm/spinlock.h 2011-04-17 15:56:45.000000000 -0400
1059 @@ -72,7 +72,7 @@ static __always_inline void __ticket_spi
1060 unsigned short *p = (unsigned short *)&lock->lock + 1, tmp;
1061
1062 asm volatile ("ld2.bias %0=[%1]" : "=r"(tmp) : "r"(p));
1063 - ACCESS_ONCE(*p) = (tmp + 2) & ~1;
1064 + ACCESS_ONCE_RW(*p) = (tmp + 2) & ~1;
1065 }
1066
1067 static __always_inline void __ticket_spin_unlock_wait(raw_spinlock_t *lock)
1068 diff -urNp linux-2.6.32.46/arch/ia64/include/asm/uaccess.h linux-2.6.32.46/arch/ia64/include/asm/uaccess.h
1069 --- linux-2.6.32.46/arch/ia64/include/asm/uaccess.h 2011-03-27 14:31:47.000000000 -0400
1070 +++ linux-2.6.32.46/arch/ia64/include/asm/uaccess.h 2011-04-17 15:56:45.000000000 -0400
1071 @@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _
1072 const void *__cu_from = (from); \
1073 long __cu_len = (n); \
1074 \
1075 - if (__access_ok(__cu_to, __cu_len, get_fs())) \
1076 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) \
1077 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
1078 __cu_len; \
1079 })
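Review bot: Both macro bodies now skip the copy when `__cu_len` is zero, negative or above INT_MAX, and in the rejected case they still evaluate to `__cu_len` unchanged, so a caller sees a negative or very large "bytes not copied" value rather than an error code. That is worth a comment above the condition, for example `/* reject lengths that went negative when converted to long, or exceed INT_MAX */`, because the reason for the bound is not obvious from the macro. INT_MAX must also be in scope wherever this header is expanded; the include list is outside the hunk, so that needs checking. The same condition is added in the second hunk of this file, and both macros begin outside the hunks.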
1080 @@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _
1081 long __cu_len = (n); \
1082 \
1083 __chk_user_ptr(__cu_from); \
1084 - if (__access_ok(__cu_from, __cu_len, get_fs())) \
1085 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) \
1086 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
1087 __cu_len; \
1088 })
1089 diff -urNp linux-2.6.32.46/arch/ia64/kernel/dma-mapping.c linux-2.6.32.46/arch/ia64/kernel/dma-mapping.c
1090 --- linux-2.6.32.46/arch/ia64/kernel/dma-mapping.c 2011-03-27 14:31:47.000000000 -0400
1091 +++ linux-2.6.32.46/arch/ia64/kernel/dma-mapping.c 2011-04-17 15:56:45.000000000 -0400
1092 @@ -3,7 +3,7 @@
1093 /* Set this to 1 if there is a HW IOMMU in the system */
1094 int iommu_detected __read_mostly;
1095
1096 -struct dma_map_ops *dma_ops;
1097 +const struct dma_map_ops *dma_ops;
1098 EXPORT_SYMBOL(dma_ops);
1099
1100 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
1101 @@ -16,7 +16,7 @@ static int __init dma_init(void)
1102 }
1103 fs_initcall(dma_init);
1104
1105 -struct dma_map_ops *dma_get_ops(struct device *dev)
1106 +const struct dma_map_ops *dma_get_ops(struct device *dev)
1107 {
1108 return dma_ops;
1109 }
1110 diff -urNp linux-2.6.32.46/arch/ia64/kernel/module.c linux-2.6.32.46/arch/ia64/kernel/module.c
1111 --- linux-2.6.32.46/arch/ia64/kernel/module.c 2011-03-27 14:31:47.000000000 -0400
1112 +++ linux-2.6.32.46/arch/ia64/kernel/module.c 2011-04-17 15:56:45.000000000 -0400
1113 @@ -315,8 +315,7 @@ module_alloc (unsigned long size)
1114 void
1115 module_free (struct module *mod, void *module_region)
1116 {
1117 - if (mod && mod->arch.init_unw_table &&
1118 - module_region == mod->module_init) {
1119 + if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
1120 unw_remove_unwind_table(mod->arch.init_unw_table);
1121 mod->arch.init_unw_table = NULL;
1122 }
1123 @@ -502,15 +501,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
1124 }
1125
1126 static inline int
1127 +in_init_rx (const struct module *mod, uint64_t addr)
1128 +{
1129 + return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
1130 +}
1131 +
1132 +static inline int
1133 +in_init_rw (const struct module *mod, uint64_t addr)
1134 +{
1135 + return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
1136 +}
1137 +
1138 +static inline int
1139 in_init (const struct module *mod, uint64_t addr)
1140 {
1141 - return addr - (uint64_t) mod->module_init < mod->init_size;
1142 + return in_init_rx(mod, addr) || in_init_rw(mod, addr);
1143 +}
1144 +
1145 +static inline int
1146 +in_core_rx (const struct module *mod, uint64_t addr)
1147 +{
1148 + return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
1149 +}
1150 +
1151 +static inline int
1152 +in_core_rw (const struct module *mod, uint64_t addr)
1153 +{
1154 + return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
1155 }
1156
1157 static inline int
1158 in_core (const struct module *mod, uint64_t addr)
1159 {
1160 - return addr - (uint64_t) mod->module_core < mod->core_size;
1161 + return in_core_rx(mod, addr) || in_core_rw(mod, addr);
1162 }
1163
1164 static inline int
1165 @@ -693,7 +716,14 @@ do_reloc (struct module *mod, uint8_t r_
1166 break;
1167
1168 case RV_BDREL:
1169 - val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
1170 + if (in_init_rx(mod, val))
1171 + val -= (uint64_t) mod->module_init_rx;
1172 + else if (in_init_rw(mod, val))
1173 + val -= (uint64_t) mod->module_init_rw;
1174 + else if (in_core_rx(mod, val))
1175 + val -= (uint64_t) mod->module_core_rx;
1176 + else if (in_core_rw(mod, val))
1177 + val -= (uint64_t) mod->module_core_rw;
1178 break;
1179
1180 case RV_LTV:
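Review bot: The new RV_BDREL chain has no final `else`, so a `val` that lies in none of the four regions is left unadjusted and the relocation proceeds with an absolute value; the replaced line always subtracted one of the two bases. An explicit last branch that rejects the relocation would make the failure visible instead of silent; do_reloc()'s error convention is outside the hunk, so the exact return is for the author to choose. At minimum a comment should state that falling through with `val` untouched is intended.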
1181 @@ -828,15 +858,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
1182 * addresses have been selected...
1183 */
1184 uint64_t gp;
1185 - if (mod->core_size > MAX_LTOFF)
1186 + if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
1187 /*
1188 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
1189 * at the end of the module.
1190 */
1191 - gp = mod->core_size - MAX_LTOFF / 2;
1192 + gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
1193 else
1194 - gp = mod->core_size / 2;
1195 - gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
1196 + gp = (mod->core_size_rx + mod->core_size_rw) / 2;
1197 + gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
1198 mod->arch.gp = gp;
1199 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
1200 }
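Review bot: `gp` is now computed as an offset from `mod->module_core_rx` using the sum `mod->core_size_rx + mod->core_size_rw`, which is only an address inside the module if the rw region sits directly after the rx region in memory. Nothing in this hunk establishes that layout, and in_core_rx()/in_core_rw() added earlier in this file treat the two as separate ranges. If they are separate allocations, the resulting gp can point outside both; a comment stating the layout assumption, or computing gp against the region that actually holds the SHF_ARCH_SMALL data, would settle it. apply_relocate_add() starts and ends outside the hunk.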
1201 diff -urNp linux-2.6.32.46/arch/ia64/kernel/pci-dma.c linux-2.6.32.46/arch/ia64/kernel/pci-dma.c
1202 --- linux-2.6.32.46/arch/ia64/kernel/pci-dma.c 2011-03-27 14:31:47.000000000 -0400
1203 +++ linux-2.6.32.46/arch/ia64/kernel/pci-dma.c 2011-04-17 15:56:45.000000000 -0400
1204 @@ -43,7 +43,7 @@ struct device fallback_dev = {
1205 .dma_mask = &fallback_dev.coherent_dma_mask,
1206 };
1207
1208 -extern struct dma_map_ops intel_dma_ops;
1209 +extern const struct dma_map_ops intel_dma_ops;
1210
1211 static int __init pci_iommu_init(void)
1212 {
1213 @@ -96,15 +96,34 @@ int iommu_dma_supported(struct device *d
1214 }
1215 EXPORT_SYMBOL(iommu_dma_supported);
1216
1217 +extern void *intel_alloc_coherent(struct device *hwdev, size_t size, dma_addr_t *dma_handle, gfp_t flags);
1218 +extern void intel_free_coherent(struct device *hwdev, size_t size, void *vaddr, dma_addr_t dma_handle);
1219 +extern int intel_map_sg(struct device *hwdev, struct scatterlist *sglist, int nelems, enum dma_data_direction dir, struct dma_attrs *attrs);
1220 +extern void intel_unmap_sg(struct device *hwdev, struct scatterlist *sglist, int nelems, enum dma_data_direction dir, struct dma_attrs *attrs);
1221 +extern dma_addr_t intel_map_page(struct device *dev, struct page *page, unsigned long offset, size_t size, enum dma_data_direction dir, struct dma_attrs *attrs);
1222 +extern void intel_unmap_page(struct device *dev, dma_addr_t dev_addr, size_t size, enum dma_data_direction dir, struct dma_attrs *attrs);
1223 +extern int intel_mapping_error(struct device *dev, dma_addr_t dma_addr);
1224 +
1225 +static const struct dma_map_ops intel_iommu_dma_ops = {
1226 + /* from drivers/pci/intel-iommu.c:intel_dma_ops */
1227 + .alloc_coherent = intel_alloc_coherent,
1228 + .free_coherent = intel_free_coherent,
1229 + .map_sg = intel_map_sg,
1230 + .unmap_sg = intel_unmap_sg,
1231 + .map_page = intel_map_page,
1232 + .unmap_page = intel_unmap_page,
1233 + .mapping_error = intel_mapping_error,
1234 +
1235 + .sync_single_for_cpu = machvec_dma_sync_single,
1236 + .sync_sg_for_cpu = machvec_dma_sync_sg,
1237 + .sync_single_for_device = machvec_dma_sync_single,
1238 + .sync_sg_for_device = machvec_dma_sync_sg,
1239 + .dma_supported = iommu_dma_supported,
1240 +};
1241 +
1242 void __init pci_iommu_alloc(void)
1243 {
1244 - dma_ops = &intel_dma_ops;
1245 -
1246 - dma_ops->sync_single_for_cpu = machvec_dma_sync_single;
1247 - dma_ops->sync_sg_for_cpu = machvec_dma_sync_sg;
1248 - dma_ops->sync_single_for_device = machvec_dma_sync_single;
1249 - dma_ops->sync_sg_for_device = machvec_dma_sync_sg;
1250 - dma_ops->dma_supported = iommu_dma_supported;
1251 + dma_ops = &intel_iommu_dma_ops;
1252
1253 /*
1254 * The order of these functions is important for
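Review bot: `intel_iommu_dma_ops` copies seven members by hand from `intel_dma_ops` and redeclares their prototypes with `extern` in this .c file, so neither the table nor the signatures are checked by the compiler against drivers/pci/intel-iommu.c. A member added to or changed in the original table will be missed here without any diagnostic. Moving the seven prototypes into a header that both files include would let the compiler catch a mismatch. The `extern const struct dma_map_ops intel_dma_ops;` declaration kept by the previous hunk also looks unused after this change, though the rest of the file is outside the hunk.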
1255 diff -urNp linux-2.6.32.46/arch/ia64/kernel/pci-swiotlb.c linux-2.6.32.46/arch/ia64/kernel/pci-swiotlb.c
1256 --- linux-2.6.32.46/arch/ia64/kernel/pci-swiotlb.c 2011-03-27 14:31:47.000000000 -0400
1257 +++ linux-2.6.32.46/arch/ia64/kernel/pci-swiotlb.c 2011-04-17 15:56:45.000000000 -0400
1258 @@ -21,7 +21,7 @@ static void *ia64_swiotlb_alloc_coherent
1259 return swiotlb_alloc_coherent(dev, size, dma_handle, gfp);
1260 }
1261
1262 -struct dma_map_ops swiotlb_dma_ops = {
1263 +const struct dma_map_ops swiotlb_dma_ops = {
1264 .alloc_coherent = ia64_swiotlb_alloc_coherent,
1265 .free_coherent = swiotlb_free_coherent,
1266 .map_page = swiotlb_map_page,
1267 diff -urNp linux-2.6.32.46/arch/ia64/kernel/sys_ia64.c linux-2.6.32.46/arch/ia64/kernel/sys_ia64.c
1268 --- linux-2.6.32.46/arch/ia64/kernel/sys_ia64.c 2011-03-27 14:31:47.000000000 -0400
1269 +++ linux-2.6.32.46/arch/ia64/kernel/sys_ia64.c 2011-04-17 15:56:45.000000000 -0400
1270 @@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
1271 if (REGION_NUMBER(addr) == RGN_HPAGE)
1272 addr = 0;
1273 #endif
1274 +
1275 +#ifdef CONFIG_PAX_RANDMMAP
1276 + if (mm->pax_flags & MF_PAX_RANDMMAP)
1277 + addr = mm->free_area_cache;
1278 + else
1279 +#endif
1280 +
1281 if (!addr)
1282 addr = mm->free_area_cache;
1283
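Review bot: The added `else` is the last token before `#endif`, so it binds to the pre-existing `if (!addr)` across a blank line; a later edit that inserts a statement between them would silently change which statement is conditional. The same behaviour can be written without the dangling `else` by making the guarded block `if (mm->pax_flags & MF_PAX_RANDMMAP) addr = 0;` and leaving `if (!addr) addr = mm->free_area_cache;` unconditional. Either way, a comment should say that the caller's address hint is deliberately discarded when MF_PAX_RANDMMAP is set. arch_get_unmapped_area() starts and ends outside the hunk.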
1284 @@ -61,14 +68,14 @@ arch_get_unmapped_area (struct file *fil
1285 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
1286 /* At this point: (!vma || addr < vma->vm_end). */
1287 if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
1288 - if (start_addr != TASK_UNMAPPED_BASE) {
1289 + if (start_addr != mm->mmap_base) {
1290 /* Start a new search --- just in case we missed some holes. */
1291 - addr = TASK_UNMAPPED_BASE;
1292 + addr = mm->mmap_base;
1293 goto full_search;
1294 }
1295 return -ENOMEM;
1296 }
1297 - if (!vma || addr + len <= vma->vm_start) {
1298 + if (check_heap_stack_gap(vma, addr, len)) {
1299 /* Remember the address where we stopped this search: */
1300 mm->free_area_cache = addr + len;
1301 return addr;
1302 diff -urNp linux-2.6.32.46/arch/ia64/kernel/topology.c linux-2.6.32.46/arch/ia64/kernel/topology.c
1303 --- linux-2.6.32.46/arch/ia64/kernel/topology.c 2011-03-27 14:31:47.000000000 -0400
1304 +++ linux-2.6.32.46/arch/ia64/kernel/topology.c 2011-04-17 15:56:45.000000000 -0400
1305 @@ -282,7 +282,7 @@ static ssize_t cache_show(struct kobject
1306 return ret;
1307 }
1308
1309 -static struct sysfs_ops cache_sysfs_ops = {
1310 +static const struct sysfs_ops cache_sysfs_ops = {
1311 .show = cache_show
1312 };
1313
1314 diff -urNp linux-2.6.32.46/arch/ia64/kernel/vmlinux.lds.S linux-2.6.32.46/arch/ia64/kernel/vmlinux.lds.S
1315 --- linux-2.6.32.46/arch/ia64/kernel/vmlinux.lds.S 2011-03-27 14:31:47.000000000 -0400
1316 +++ linux-2.6.32.46/arch/ia64/kernel/vmlinux.lds.S 2011-04-17 15:56:45.000000000 -0400
1317 @@ -190,7 +190,7 @@ SECTIONS
1318 /* Per-cpu data: */
1319 . = ALIGN(PERCPU_PAGE_SIZE);
1320 PERCPU_VADDR(PERCPU_ADDR, :percpu)
1321 - __phys_per_cpu_start = __per_cpu_load;
1322 + __phys_per_cpu_start = per_cpu_load;
1323 . = __phys_per_cpu_start + PERCPU_PAGE_SIZE; /* ensure percpu data fits
1324 * into percpu page size
1325 */
1326 diff -urNp linux-2.6.32.46/arch/ia64/mm/fault.c linux-2.6.32.46/arch/ia64/mm/fault.c
1327 --- linux-2.6.32.46/arch/ia64/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
1328 +++ linux-2.6.32.46/arch/ia64/mm/fault.c 2011-04-17 15:56:45.000000000 -0400
1329 @@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned
1330 return pte_present(pte);
1331 }
1332
1333 +#ifdef CONFIG_PAX_PAGEEXEC
1334 +void pax_report_insns(void *pc, void *sp)
1335 +{
1336 + unsigned long i;
1337 +
1338 + printk(KERN_ERR "PAX: bytes at PC: ");
1339 + for (i = 0; i < 8; i++) {
1340 + unsigned int c;
1341 + if (get_user(c, (unsigned int *)pc+i))
1342 + printk(KERN_CONT "???????? ");
1343 + else
1344 + printk(KERN_CONT "%08x ", c);
1345 + }
1346 + printk("\n");
1347 +}
1348 +#endif
1349 +
1350 void __kprobes
1351 ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
1352 {
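Review bot: `printk("\n")` at the end of pax_report_insns() carries no log level, while the rest of the line is built with KERN_CONT; `printk(KERN_CONT "\n");` keeps the newline attached to the same record. The `sp` parameter is never used in the body, and `pc` is a user address handed to get_user() through a plain `(unsigned int *)` cast, so `(unsigned int __user *)pc + i` would keep the sparse annotation intact. The label says "bytes at PC" but the loop prints eight 32-bit words; a short function comment could state that.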
1353 @@ -145,9 +162,23 @@ ia64_do_page_fault (unsigned long addres
1354 mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
1355 | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
1356
1357 - if ((vma->vm_flags & mask) != mask)
1358 + if ((vma->vm_flags & mask) != mask) {
1359 +
1360 +#ifdef CONFIG_PAX_PAGEEXEC
1361 + if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
1362 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
1363 + goto bad_area;
1364 +
1365 + up_read(&mm->mmap_sem);
1366 + pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
1367 + do_group_exit(SIGKILL);
1368 + }
1369 +#endif
1370 +
1371 goto bad_area;
1372
1373 + }
1374 +
1375 survive:
1376 /*
1377 * If for any reason at all we couldn't handle the fault, make
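Review bot: The PAGEEXEC branch releases mmap_sem with `up_read(&mm->mmap_sem)` and then relies on do_group_exit(SIGKILL) never returning; if it did, control would reach the `goto bad_area` below with the semaphore already dropped. A comment above the call would record that, for example `/* does not return; mmap_sem is already released */`. Unlike the avr32 hunk earlier in this patch, no user_mode(regs) test is visible around the kill path here; whether one precedes it is outside the hunk, so it is worth confirming. ia64_do_page_fault() starts and ends outside the hunk.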
1378 diff -urNp linux-2.6.32.46/arch/ia64/mm/hugetlbpage.c linux-2.6.32.46/arch/ia64/mm/hugetlbpage.c
1379 --- linux-2.6.32.46/arch/ia64/mm/hugetlbpage.c 2011-03-27 14:31:47.000000000 -0400
1380 +++ linux-2.6.32.46/arch/ia64/mm/hugetlbpage.c 2011-04-17 15:56:45.000000000 -0400
1381 @@ -172,7 +172,7 @@ unsigned long hugetlb_get_unmapped_area(
1382 /* At this point: (!vmm || addr < vmm->vm_end). */
1383 if (REGION_OFFSET(addr) + len > RGN_MAP_LIMIT)
1384 return -ENOMEM;
1385 - if (!vmm || (addr + len) <= vmm->vm_start)
1386 + if (check_heap_stack_gap(vmm, addr, len))
1387 return addr;
1388 addr = ALIGN(vmm->vm_end, HPAGE_SIZE);
1389 }
1390 diff -urNp linux-2.6.32.46/arch/ia64/mm/init.c linux-2.6.32.46/arch/ia64/mm/init.c
1391 --- linux-2.6.32.46/arch/ia64/mm/init.c 2011-03-27 14:31:47.000000000 -0400
1392 +++ linux-2.6.32.46/arch/ia64/mm/init.c 2011-04-17 15:56:45.000000000 -0400
1393 @@ -122,6 +122,19 @@ ia64_init_addr_space (void)
1394 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
1395 vma->vm_end = vma->vm_start + PAGE_SIZE;
1396 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
1397 +
1398 +#ifdef CONFIG_PAX_PAGEEXEC
1399 + if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
1400 + vma->vm_flags &= ~VM_EXEC;
1401 +
1402 +#ifdef CONFIG_PAX_MPROTECT
1403 + if (current->mm->pax_flags & MF_PAX_MPROTECT)
1404 + vma->vm_flags &= ~VM_MAYEXEC;
1405 +#endif
1406 +
1407 + }
1408 +#endif
1409 +
1410 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1411 down_write(&current->mm->mmap_sem);
1412 if (insert_vm_struct(current->mm, vma)) {
1413 diff -urNp linux-2.6.32.46/arch/ia64/sn/pci/pci_dma.c linux-2.6.32.46/arch/ia64/sn/pci/pci_dma.c
1414 --- linux-2.6.32.46/arch/ia64/sn/pci/pci_dma.c 2011-03-27 14:31:47.000000000 -0400
1415 +++ linux-2.6.32.46/arch/ia64/sn/pci/pci_dma.c 2011-04-17 15:56:45.000000000 -0400
1416 @@ -464,7 +464,7 @@ int sn_pci_legacy_write(struct pci_bus *
1417 return ret;
1418 }
1419
1420 -static struct dma_map_ops sn_dma_ops = {
1421 +static const struct dma_map_ops sn_dma_ops = {
1422 .alloc_coherent = sn_dma_alloc_coherent,
1423 .free_coherent = sn_dma_free_coherent,
1424 .map_page = sn_dma_map_page,
1425 diff -urNp linux-2.6.32.46/arch/m32r/lib/usercopy.c linux-2.6.32.46/arch/m32r/lib/usercopy.c
1426 --- linux-2.6.32.46/arch/m32r/lib/usercopy.c 2011-03-27 14:31:47.000000000 -0400
1427 +++ linux-2.6.32.46/arch/m32r/lib/usercopy.c 2011-04-17 15:56:45.000000000 -0400
1428 @@ -14,6 +14,9 @@
1429 unsigned long
1430 __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
1431 {
1432 + if ((long)n < 0)
1433 + return n;
1434 +
1435 prefetch(from);
1436 if (access_ok(VERIFY_WRITE, to, n))
1437 __copy_user(to,from,n);
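Review bot: The new `if ((long)n < 0) return n;` guard has no comment, and its meaning depends on the return convention: returning `n` reports every byte as uncopied. A line such as `/* a length with the top bit set is a negative size converted to unsigned; refuse it */` would record the intent. In __generic_copy_from_user (second hunk) the early return also leaves `to` untouched, as the existing access_ok() failure path does, so a caller that ignores the return value reads whatever was already in the buffer; that is worth stating in the function comment. Both function bodies continue past the hunks.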
1438 @@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to,
1439 unsigned long
1440 __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
1441 {
1442 + if ((long)n < 0)
1443 + return n;
1444 +
1445 prefetchw(to);
1446 if (access_ok(VERIFY_READ, from, n))
1447 __copy_user_zeroing(to,from,n);
1448 diff -urNp linux-2.6.32.46/arch/mips/alchemy/devboards/pm.c linux-2.6.32.46/arch/mips/alchemy/devboards/pm.c
1449 --- linux-2.6.32.46/arch/mips/alchemy/devboards/pm.c 2011-03-27 14:31:47.000000000 -0400
1450 +++ linux-2.6.32.46/arch/mips/alchemy/devboards/pm.c 2011-04-17 15:56:45.000000000 -0400
1451 @@ -78,7 +78,7 @@ static void db1x_pm_end(void)
1452
1453 }
1454
1455 -static struct platform_suspend_ops db1x_pm_ops = {
1456 +static const struct platform_suspend_ops db1x_pm_ops = {
1457 .valid = suspend_valid_only_mem,
1458 .begin = db1x_pm_begin,
1459 .enter = db1x_pm_enter,
1460 diff -urNp linux-2.6.32.46/arch/mips/include/asm/elf.h linux-2.6.32.46/arch/mips/include/asm/elf.h
1461 --- linux-2.6.32.46/arch/mips/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
1462 +++ linux-2.6.32.46/arch/mips/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
1463 @@ -368,4 +368,11 @@ extern int dump_task_fpu(struct task_str
1464 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1465 #endif
1466
1467 +#ifdef CONFIG_PAX_ASLR
1468 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1469 +
1470 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1471 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1472 +#endif
1473 +
1474 #endif /* _ASM_ELF_H */
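Review bot: Both arms of the conditional in `PAX_ELF_ET_DYN_BASE` are `0x00400000UL`, so the `test_thread_flag(TIF_32BIT_ADDR)` test has no effect on the result. Either the 64-bit arm was meant to be a different base, or the macro can be written as `#define PAX_ELF_ET_DYN_BASE 0x00400000UL`; as it stands a reader cannot tell which. The same line is repeated in the binfmt_elfn32.c and binfmt_elfo32.c hunks of this patch.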
1475 diff -urNp linux-2.6.32.46/arch/mips/include/asm/page.h linux-2.6.32.46/arch/mips/include/asm/page.h
1476 --- linux-2.6.32.46/arch/mips/include/asm/page.h 2011-03-27 14:31:47.000000000 -0400
1477 +++ linux-2.6.32.46/arch/mips/include/asm/page.h 2011-04-17 15:56:45.000000000 -0400
1478 @@ -93,7 +93,7 @@ extern void copy_user_highpage(struct pa
1479 #ifdef CONFIG_CPU_MIPS32
1480 typedef struct { unsigned long pte_low, pte_high; } pte_t;
1481 #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
1482 - #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
1483 + #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
1484 #else
1485 typedef struct { unsigned long long pte; } pte_t;
1486 #define pte_val(x) ((x).pte)
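Review bot: Dropping the `(unsigned long long)` cast makes `(x) >> 32` shift in the type of `x`; under CONFIG_CPU_MIPS32 an argument of type `unsigned long` or `int` is 32 bits wide, and shifting a 32-bit value by 32 is undefined behaviour in C. `pte_val()` on the line above still widens `pte_high` before its shift, so the two macros are no longer symmetric. Unless every caller is known to pass a 64-bit expression (callers are outside the hunk), the widening should stay: `{(x), ((unsigned long long)(x)) >> 32}`.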
1487 diff -urNp linux-2.6.32.46/arch/mips/include/asm/reboot.h linux-2.6.32.46/arch/mips/include/asm/reboot.h
1488 --- linux-2.6.32.46/arch/mips/include/asm/reboot.h 2011-03-27 14:31:47.000000000 -0400
1489 +++ linux-2.6.32.46/arch/mips/include/asm/reboot.h 2011-08-21 17:35:02.000000000 -0400
1490 @@ -9,7 +9,7 @@
1491 #ifndef _ASM_REBOOT_H
1492 #define _ASM_REBOOT_H
1493
1494 -extern void (*_machine_restart)(char *command);
1495 -extern void (*_machine_halt)(void);
1496 +extern void (*__noreturn _machine_restart)(char *command);
1497 +extern void (*__noreturn _machine_halt)(void);
1498
1499 #endif /* _ASM_REBOOT_H */
1500 diff -urNp linux-2.6.32.46/arch/mips/include/asm/system.h linux-2.6.32.46/arch/mips/include/asm/system.h
1501 --- linux-2.6.32.46/arch/mips/include/asm/system.h 2011-03-27 14:31:47.000000000 -0400
1502 +++ linux-2.6.32.46/arch/mips/include/asm/system.h 2011-04-17 15:56:45.000000000 -0400
1503 @@ -230,6 +230,6 @@ extern void per_cpu_trap_init(void);
1504 */
1505 #define __ARCH_WANT_UNLOCKED_CTXSW
1506
1507 -extern unsigned long arch_align_stack(unsigned long sp);
1508 +#define arch_align_stack(x) ((x) & ~0xfUL)
1509
1510 #endif /* _ASM_SYSTEM_H */
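Review bot: `arch_align_stack` is replaced unconditionally by `((x) & ~0xfUL)`, while the function this patch removes from arch/mips/kernel/process.c subtracted `get_random_int() & ~PAGE_MASK` from the stack pointer unless ADDR_NO_RANDOMIZE was set. Because the new macro is not guarded by any CONFIG_PAX_* option, a kernel built without the PaX stack randomisation loses that sub-page offset with nothing replacing it on this path. Guarding the macro with the relevant option, or adding a comment that names what now supplies the randomisation, would make the trade explicit. The macro also fixes 16-byte alignment where the old code used ALMASK.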
1511 diff -urNp linux-2.6.32.46/arch/mips/kernel/binfmt_elfn32.c linux-2.6.32.46/arch/mips/kernel/binfmt_elfn32.c
1512 --- linux-2.6.32.46/arch/mips/kernel/binfmt_elfn32.c 2011-03-27 14:31:47.000000000 -0400
1513 +++ linux-2.6.32.46/arch/mips/kernel/binfmt_elfn32.c 2011-04-17 15:56:45.000000000 -0400
1514 @@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1515 #undef ELF_ET_DYN_BASE
1516 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1517
1518 +#ifdef CONFIG_PAX_ASLR
1519 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1520 +
1521 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1522 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1523 +#endif
1524 +
1525 #include <asm/processor.h>
1526 #include <linux/module.h>
1527 #include <linux/elfcore.h>
1528 diff -urNp linux-2.6.32.46/arch/mips/kernel/binfmt_elfo32.c linux-2.6.32.46/arch/mips/kernel/binfmt_elfo32.c
1529 --- linux-2.6.32.46/arch/mips/kernel/binfmt_elfo32.c 2011-03-27 14:31:47.000000000 -0400
1530 +++ linux-2.6.32.46/arch/mips/kernel/binfmt_elfo32.c 2011-04-17 15:56:45.000000000 -0400
1531 @@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1532 #undef ELF_ET_DYN_BASE
1533 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1534
1535 +#ifdef CONFIG_PAX_ASLR
1536 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1537 +
1538 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1539 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1540 +#endif
1541 +
1542 #include <asm/processor.h>
1543
1544 /*
1545 diff -urNp linux-2.6.32.46/arch/mips/kernel/kgdb.c linux-2.6.32.46/arch/mips/kernel/kgdb.c
1546 --- linux-2.6.32.46/arch/mips/kernel/kgdb.c 2011-03-27 14:31:47.000000000 -0400
1547 +++ linux-2.6.32.46/arch/mips/kernel/kgdb.c 2011-04-17 15:56:45.000000000 -0400
1548 @@ -245,6 +245,7 @@ int kgdb_arch_handle_exception(int vecto
1549 return -1;
1550 }
1551
1552 +/* cannot be const */
1553 struct kgdb_arch arch_kgdb_ops;
1554
1555 /*
1556 diff -urNp linux-2.6.32.46/arch/mips/kernel/process.c linux-2.6.32.46/arch/mips/kernel/process.c
1557 --- linux-2.6.32.46/arch/mips/kernel/process.c 2011-03-27 14:31:47.000000000 -0400
1558 +++ linux-2.6.32.46/arch/mips/kernel/process.c 2011-04-17 15:56:45.000000000 -0400
1559 @@ -470,15 +470,3 @@ unsigned long get_wchan(struct task_stru
1560 out:
1561 return pc;
1562 }
1563 -
1564 -/*
1565 - * Don't forget that the stack pointer must be aligned on a 8 bytes
1566 - * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
1567 - */
1568 -unsigned long arch_align_stack(unsigned long sp)
1569 -{
1570 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
1571 - sp -= get_random_int() & ~PAGE_MASK;
1572 -
1573 - return sp & ALMASK;
1574 -}
1575 diff -urNp linux-2.6.32.46/arch/mips/kernel/reset.c linux-2.6.32.46/arch/mips/kernel/reset.c
1576 --- linux-2.6.32.46/arch/mips/kernel/reset.c 2011-03-27 14:31:47.000000000 -0400
1577 +++ linux-2.6.32.46/arch/mips/kernel/reset.c 2011-08-21 17:35:26.000000000 -0400
1578 @@ -19,8 +19,8 @@
1579 * So handle all using function pointers to machine specific
1580 * functions.
1581 */
1582 -void (*_machine_restart)(char *command);
1583 -void (*_machine_halt)(void);
1584 +void (*__noreturn _machine_restart)(char *command);
1585 +void (*__noreturn _machine_halt)(void);
1586 void (*pm_power_off)(void);
1587
1588 EXPORT_SYMBOL(pm_power_off);
1589 @@ -29,16 +29,19 @@ void machine_restart(char *command)
1590 {
1591 if (_machine_restart)
1592 _machine_restart(command);
1593 + BUG();
1594 }
1595
1596 void machine_halt(void)
1597 {
1598 if (_machine_halt)
1599 _machine_halt();
1600 + BUG();
1601 }
1602
1603 void machine_power_off(void)
1604 {
1605 if (pm_power_off)
1606 pm_power_off();
1607 + BUG();
1608 }
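Review bot: The added `BUG()` in `machine_power_off()` is reached whenever `pm_power_off` is NULL or returns. Unlike `_machine_restart` and `_machine_halt` in the previous hunk, `pm_power_off` is not marked `__noreturn`, so nothing in the declaration tells a board author that the hook must not return. The same applies to the other two functions when no hook is registered. Whether any caller relied on these functions returning cannot be seen from this hunk. At minimum each `BUG()` deserves a comment such as `/* not reached: no handler registered, or the handler returned */`.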
1609 diff -urNp linux-2.6.32.46/arch/mips/kernel/syscall.c linux-2.6.32.46/arch/mips/kernel/syscall.c
1610 --- linux-2.6.32.46/arch/mips/kernel/syscall.c 2011-03-27 14:31:47.000000000 -0400
1611 +++ linux-2.6.32.46/arch/mips/kernel/syscall.c 2011-04-17 15:56:45.000000000 -0400
1612 @@ -102,17 +102,21 @@ unsigned long arch_get_unmapped_area(str
1613 do_color_align = 0;
1614 if (filp || (flags & MAP_SHARED))
1615 do_color_align = 1;
1616 +
1617 +#ifdef CONFIG_PAX_RANDMMAP
1618 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
1619 +#endif
1620 +
1621 if (addr) {
1622 if (do_color_align)
1623 addr = COLOUR_ALIGN(addr, pgoff);
1624 else
1625 addr = PAGE_ALIGN(addr);
1626 vmm = find_vma(current->mm, addr);
1627 - if (task_size - len >= addr &&
1628 - (!vmm || addr + len <= vmm->vm_start))
1629 + if (task_size - len >= addr && check_heap_stack_gap(vmm, addr, len))
1630 return addr;
1631 }
1632 - addr = TASK_UNMAPPED_BASE;
1633 + addr = current->mm->mmap_base;
1634 if (do_color_align)
1635 addr = COLOUR_ALIGN(addr, pgoff);
1636 else
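Review bot: The unbraced `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))` inside `#ifdef CONFIG_PAX_RANDMMAP` governs the following `if (addr) { ... }` block only through the preprocessor, with a blank line between them. Any statement later inserted before `if (addr)` would silently become the guarded statement instead. Dropping the blank line after `#endif` and adding a comment such as `/* PaX: with RANDMMAP the caller's address hint is not honoured */` would make the coupling explicit. `arch_get_unmapped_area()` starts and ends outside this hunk, so whether `len` is bounded against `task_size` before `task_size - len >= addr` cannot be confirmed here.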
1637 @@ -122,7 +126,7 @@ unsigned long arch_get_unmapped_area(str
1638 /* At this point: (!vmm || addr < vmm->vm_end). */
1639 if (task_size - len < addr)
1640 return -ENOMEM;
1641 - if (!vmm || addr + len <= vmm->vm_start)
1642 + if (check_heap_stack_gap(vmm, addr, len))
1643 return addr;
1644 addr = vmm->vm_end;
1645 if (do_color_align)
1646 diff -urNp linux-2.6.32.46/arch/mips/Makefile linux-2.6.32.46/arch/mips/Makefile
1647 --- linux-2.6.32.46/arch/mips/Makefile 2011-03-27 14:31:47.000000000 -0400
1648 +++ linux-2.6.32.46/arch/mips/Makefile 2011-08-21 19:26:52.000000000 -0400
1649 @@ -51,6 +51,8 @@ endif
1650 cflags-y := -ffunction-sections
1651 cflags-y += $(call cc-option, -mno-check-zero-division)
1652
1653 +cflags-y += -Wno-sign-compare -Wno-extra
1654 +
1655 ifdef CONFIG_32BIT
1656 ld-emul = $(32bit-emul)
1657 vmlinux-32 = vmlinux
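Review bot: `-Wno-sign-compare -Wno-extra` are appended unconditionally and without a comment, while the option on the line above goes through `$(call cc-option, ...)`. Silencing sign-compare for all of arch/mips hides the signed/unsigned comparison diagnostics that tend to point at length and index check mistakes. The reason should be recorded next to the flags, for example `# <reason these warnings are suppressed>`. If the suppression is only needed for a particular build configuration, scoping it there would keep the warnings for ordinary builds.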
1658 diff -urNp linux-2.6.32.46/arch/mips/mm/fault.c linux-2.6.32.46/arch/mips/mm/fault.c
1659 --- linux-2.6.32.46/arch/mips/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
1660 +++ linux-2.6.32.46/arch/mips/mm/fault.c 2011-04-17 15:56:45.000000000 -0400
1661 @@ -26,6 +26,23 @@
1662 #include <asm/ptrace.h>
1663 #include <asm/highmem.h> /* For VMALLOC_END */
1664
1665 +#ifdef CONFIG_PAX_PAGEEXEC
1666 +void pax_report_insns(void *pc, void *sp)
1667 +{
1668 + unsigned long i;
1669 +
1670 + printk(KERN_ERR "PAX: bytes at PC: ");
1671 + for (i = 0; i < 5; i++) {
1672 + unsigned int c;
1673 + if (get_user(c, (unsigned int *)pc+i))
1674 + printk(KERN_CONT "???????? ");
1675 + else
1676 + printk(KERN_CONT "%08x ", c);
1677 + }
1678 + printk("\n");
1679 +}
1680 +#endif
1681 +
1682 /*
1683 * This routine handles page faults. It determines the address,
1684 * and the problem, and then passes it off to one of the appropriate
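Review bot: `get_user(c, (unsigned int *)pc+i)` reads user memory through a pointer cast that lacks the `__user` annotation, so sparse cannot check the access. `get_user(c, (unsigned int __user *)pc + i)` keeps the address-space annotation intact. The function also has no header comment, its `sp` argument is unused, and the message says "bytes at PC" while the loop prints five 32-bit words. A comment stating that it dumps five instruction words at the faulting user PC, and why `sp` is accepted, would help. The copy of `pax_report_insns()` added in the arch/parisc/mm/fault.c hunk is identical and has the same points.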
1685 diff -urNp linux-2.6.32.46/arch/parisc/include/asm/elf.h linux-2.6.32.46/arch/parisc/include/asm/elf.h
1686 --- linux-2.6.32.46/arch/parisc/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
1687 +++ linux-2.6.32.46/arch/parisc/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
1688 @@ -343,6 +343,13 @@ struct pt_regs; /* forward declaration..
1689
1690 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
1691
1692 +#ifdef CONFIG_PAX_ASLR
1693 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
1694 +
1695 +#define PAX_DELTA_MMAP_LEN 16
1696 +#define PAX_DELTA_STACK_LEN 16
1697 +#endif
1698 +
1699 /* This yields a mask that user programs can use to figure out what
1700 instruction set this CPU supports. This could be done in user space,
1701 but it's not easy, and we've already done it here. */
1702 diff -urNp linux-2.6.32.46/arch/parisc/include/asm/pgtable.h linux-2.6.32.46/arch/parisc/include/asm/pgtable.h
1703 --- linux-2.6.32.46/arch/parisc/include/asm/pgtable.h 2011-03-27 14:31:47.000000000 -0400
1704 +++ linux-2.6.32.46/arch/parisc/include/asm/pgtable.h 2011-04-17 15:56:45.000000000 -0400
1705 @@ -207,6 +207,17 @@
1706 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
1707 #define PAGE_COPY PAGE_EXECREAD
1708 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
1709 +
1710 +#ifdef CONFIG_PAX_PAGEEXEC
1711 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
1712 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1713 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1714 +#else
1715 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
1716 +# define PAGE_COPY_NOEXEC PAGE_COPY
1717 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
1718 +#endif
1719 +
1720 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
1721 #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
1722 #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
1723 diff -urNp linux-2.6.32.46/arch/parisc/kernel/module.c linux-2.6.32.46/arch/parisc/kernel/module.c
1724 --- linux-2.6.32.46/arch/parisc/kernel/module.c 2011-03-27 14:31:47.000000000 -0400
1725 +++ linux-2.6.32.46/arch/parisc/kernel/module.c 2011-04-17 15:56:45.000000000 -0400
1726 @@ -95,16 +95,38 @@
1727
1728 /* three functions to determine where in the module core
1729 * or init pieces the location is */
1730 +static inline int in_init_rx(struct module *me, void *loc)
1731 +{
1732 + return (loc >= me->module_init_rx &&
1733 + loc < (me->module_init_rx + me->init_size_rx));
1734 +}
1735 +
1736 +static inline int in_init_rw(struct module *me, void *loc)
1737 +{
1738 + return (loc >= me->module_init_rw &&
1739 + loc < (me->module_init_rw + me->init_size_rw));
1740 +}
1741 +
1742 static inline int in_init(struct module *me, void *loc)
1743 {
1744 - return (loc >= me->module_init &&
1745 - loc <= (me->module_init + me->init_size));
1746 + return in_init_rx(me, loc) || in_init_rw(me, loc);
1747 +}
1748 +
1749 +static inline int in_core_rx(struct module *me, void *loc)
1750 +{
1751 + return (loc >= me->module_core_rx &&
1752 + loc < (me->module_core_rx + me->core_size_rx));
1753 +}
1754 +
1755 +static inline int in_core_rw(struct module *me, void *loc)
1756 +{
1757 + return (loc >= me->module_core_rw &&
1758 + loc < (me->module_core_rw + me->core_size_rw));
1759 }
1760
1761 static inline int in_core(struct module *me, void *loc)
1762 {
1763 - return (loc >= me->module_core &&
1764 - loc <= (me->module_core + me->core_size));
1765 + return in_core_rx(me, loc) || in_core_rw(me, loc);
1766 }
1767
1768 static inline int in_local(struct module *me, void *loc)
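Review bot: The context comment still says "three functions to determine where in the module core or init pieces the location is", but after this hunk there are four new rx/rw helpers in front of `in_init()` and `in_core()`. The new helpers also change the upper bound from `<=` to `<`, which stops the one-past-the-end address from being treated as inside the region; that is worth stating because it is a behaviour change. I would update the comment to something like `/* helpers to tell whether loc lies in the module's init or core rx/rw regions (end address exclusive) */`. `in_local()` continues outside the hunk.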
1769 @@ -364,13 +386,13 @@ int module_frob_arch_sections(CONST Elf_
1770 }
1771
1772 /* align things a bit */
1773 - me->core_size = ALIGN(me->core_size, 16);
1774 - me->arch.got_offset = me->core_size;
1775 - me->core_size += gots * sizeof(struct got_entry);
1776 -
1777 - me->core_size = ALIGN(me->core_size, 16);
1778 - me->arch.fdesc_offset = me->core_size;
1779 - me->core_size += fdescs * sizeof(Elf_Fdesc);
1780 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1781 + me->arch.got_offset = me->core_size_rw;
1782 + me->core_size_rw += gots * sizeof(struct got_entry);
1783 +
1784 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1785 + me->arch.fdesc_offset = me->core_size_rw;
1786 + me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
1787
1788 me->arch.got_max = gots;
1789 me->arch.fdesc_max = fdescs;
1790 @@ -388,7 +410,7 @@ static Elf64_Word get_got(struct module
1791
1792 BUG_ON(value == 0);
1793
1794 - got = me->module_core + me->arch.got_offset;
1795 + got = me->module_core_rw + me->arch.got_offset;
1796 for (i = 0; got[i].addr; i++)
1797 if (got[i].addr == value)
1798 goto out;
1799 @@ -406,7 +428,7 @@ static Elf64_Word get_got(struct module
1800 #ifdef CONFIG_64BIT
1801 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
1802 {
1803 - Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
1804 + Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
1805
1806 if (!value) {
1807 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
1808 @@ -424,7 +446,7 @@ static Elf_Addr get_fdesc(struct module
1809
1810 /* Create new one */
1811 fdesc->addr = value;
1812 - fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1813 + fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1814 return (Elf_Addr)fdesc;
1815 }
1816 #endif /* CONFIG_64BIT */
1817 @@ -848,7 +870,7 @@ register_unwind_table(struct module *me,
1818
1819 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
1820 end = table + sechdrs[me->arch.unwind_section].sh_size;
1821 - gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1822 + gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1823
1824 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
1825 me->arch.unwind_section, table, end, gp);
1826 diff -urNp linux-2.6.32.46/arch/parisc/kernel/sys_parisc.c linux-2.6.32.46/arch/parisc/kernel/sys_parisc.c
1827 --- linux-2.6.32.46/arch/parisc/kernel/sys_parisc.c 2011-03-27 14:31:47.000000000 -0400
1828 +++ linux-2.6.32.46/arch/parisc/kernel/sys_parisc.c 2011-04-17 15:56:45.000000000 -0400
1829 @@ -43,7 +43,7 @@ static unsigned long get_unshared_area(u
1830 /* At this point: (!vma || addr < vma->vm_end). */
1831 if (TASK_SIZE - len < addr)
1832 return -ENOMEM;
1833 - if (!vma || addr + len <= vma->vm_start)
1834 + if (check_heap_stack_gap(vma, addr, len))
1835 return addr;
1836 addr = vma->vm_end;
1837 }
1838 @@ -79,7 +79,7 @@ static unsigned long get_shared_area(str
1839 /* At this point: (!vma || addr < vma->vm_end). */
1840 if (TASK_SIZE - len < addr)
1841 return -ENOMEM;
1842 - if (!vma || addr + len <= vma->vm_start)
1843 + if (check_heap_stack_gap(vma, addr, len))
1844 return addr;
1845 addr = DCACHE_ALIGN(vma->vm_end - offset) + offset;
1846 if (addr < vma->vm_end) /* handle wraparound */
1847 @@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str
1848 if (flags & MAP_FIXED)
1849 return addr;
1850 if (!addr)
1851 - addr = TASK_UNMAPPED_BASE;
1852 + addr = current->mm->mmap_base;
1853
1854 if (filp) {
1855 addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
1856 diff -urNp linux-2.6.32.46/arch/parisc/kernel/traps.c linux-2.6.32.46/arch/parisc/kernel/traps.c
1857 --- linux-2.6.32.46/arch/parisc/kernel/traps.c 2011-03-27 14:31:47.000000000 -0400
1858 +++ linux-2.6.32.46/arch/parisc/kernel/traps.c 2011-04-17 15:56:45.000000000 -0400
1859 @@ -733,9 +733,7 @@ void notrace handle_interruption(int cod
1860
1861 down_read(&current->mm->mmap_sem);
1862 vma = find_vma(current->mm,regs->iaoq[0]);
1863 - if (vma && (regs->iaoq[0] >= vma->vm_start)
1864 - && (vma->vm_flags & VM_EXEC)) {
1865 -
1866 + if (vma && (regs->iaoq[0] >= vma->vm_start)) {
1867 fault_address = regs->iaoq[0];
1868 fault_space = regs->iasq[0];
1869
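Review bot: The `(vma->vm_flags & VM_EXEC)` test is dropped from the condition without a comment, so every fault whose `regs->iaoq[0]` falls inside a VMA now takes this path, whether or not the mapping is executable. The reason is presumably to route fetches from non-executable mappings into the page-fault handler added in arch/parisc/mm/fault.c, but that cannot be confirmed from this hunk. A line such as `/* PaX: let fetches from non-executable mappings reach the fault handler too */` above the `if` would record the intent. `handle_interruption()` starts and ends outside the hunk.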
1870 diff -urNp linux-2.6.32.46/arch/parisc/mm/fault.c linux-2.6.32.46/arch/parisc/mm/fault.c
1871 --- linux-2.6.32.46/arch/parisc/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
1872 +++ linux-2.6.32.46/arch/parisc/mm/fault.c 2011-04-17 15:56:45.000000000 -0400
1873 @@ -15,6 +15,7 @@
1874 #include <linux/sched.h>
1875 #include <linux/interrupt.h>
1876 #include <linux/module.h>
1877 +#include <linux/unistd.h>
1878
1879 #include <asm/uaccess.h>
1880 #include <asm/traps.h>
1881 @@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex
1882 static unsigned long
1883 parisc_acctyp(unsigned long code, unsigned int inst)
1884 {
1885 - if (code == 6 || code == 16)
1886 + if (code == 6 || code == 7 || code == 16)
1887 return VM_EXEC;
1888
1889 switch (inst & 0xf0000000) {
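Review bot: `code == 6 || code == 7 || code == 16` adds a third bare trap number to a test that decides whether the fault is treated as an instruction fetch, and nothing in the hunk says which trap 7 is. Since this classification feeds the `VM_EXEC` permission check in the later hunk of this file, the meaning of each code should be visible. A comment such as `/* 6, 16: ITLB miss variants; 7: instruction memory protection trap - confirm against the trap table */`, or named constants, would do. `parisc_acctyp()` continues outside the hunk.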
1890 @@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign
1891 }
1892 #endif
1893
1894 +#ifdef CONFIG_PAX_PAGEEXEC
1895 +/*
1896 + * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
1897 + *
1898 + * returns 1 when task should be killed
1899 + * 2 when rt_sigreturn trampoline was detected
1900 + * 3 when unpatched PLT trampoline was detected
1901 + */
1902 +static int pax_handle_fetch_fault(struct pt_regs *regs)
1903 +{
1904 +
1905 +#ifdef CONFIG_PAX_EMUPLT
1906 + int err;
1907 +
1908 + do { /* PaX: unpatched PLT emulation */
1909 + unsigned int bl, depwi;
1910 +
1911 + err = get_user(bl, (unsigned int *)instruction_pointer(regs));
1912 + err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
1913 +
1914 + if (err)
1915 + break;
1916 +
1917 + if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
1918 + unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
1919 +
1920 + err = get_user(ldw, (unsigned int *)addr);
1921 + err |= get_user(bv, (unsigned int *)(addr+4));
1922 + err |= get_user(ldw2, (unsigned int *)(addr+8));
1923 +
1924 + if (err)
1925 + break;
1926 +
1927 + if (ldw == 0x0E801096U &&
1928 + bv == 0xEAC0C000U &&
1929 + ldw2 == 0x0E881095U)
1930 + {
1931 + unsigned int resolver, map;
1932 +
1933 + err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
1934 + err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
1935 + if (err)
1936 + break;
1937 +
1938 + regs->gr[20] = instruction_pointer(regs)+8;
1939 + regs->gr[21] = map;
1940 + regs->gr[22] = resolver;
1941 + regs->iaoq[0] = resolver | 3UL;
1942 + regs->iaoq[1] = regs->iaoq[0] + 4;
1943 + return 3;
1944 + }
1945 + }
1946 + } while (0);
1947 +#endif
1948 +
1949 +#ifdef CONFIG_PAX_EMUTRAMP
1950 +
1951 +#ifndef CONFIG_PAX_EMUSIGRT
1952 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
1953 + return 1;
1954 +#endif
1955 +
1956 + do { /* PaX: rt_sigreturn emulation */
1957 + unsigned int ldi1, ldi2, bel, nop;
1958 +
1959 + err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
1960 + err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
1961 + err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
1962 + err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
1963 +
1964 + if (err)
1965 + break;
1966 +
1967 + if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
1968 + ldi2 == 0x3414015AU &&
1969 + bel == 0xE4008200U &&
1970 + nop == 0x08000240U)
1971 + {
1972 + regs->gr[25] = (ldi1 & 2) >> 1;
1973 + regs->gr[20] = __NR_rt_sigreturn;
1974 + regs->gr[31] = regs->iaoq[1] + 16;
1975 + regs->sr[0] = regs->iasq[1];
1976 + regs->iaoq[0] = 0x100UL;
1977 + regs->iaoq[1] = regs->iaoq[0] + 4;
1978 + regs->iasq[0] = regs->sr[2];
1979 + regs->iasq[1] = regs->sr[2];
1980 + return 2;
1981 + }
1982 + } while (0);
1983 +#endif
1984 +
1985 + return 1;
1986 +}
1987 +
1988 +void pax_report_insns(void *pc, void *sp)
1989 +{
1990 + unsigned long i;
1991 +
1992 + printk(KERN_ERR "PAX: bytes at PC: ");
1993 + for (i = 0; i < 5; i++) {
1994 + unsigned int c;
1995 + if (get_user(c, (unsigned int *)pc+i))
1996 + printk(KERN_CONT "???????? ");
1997 + else
1998 + printk(KERN_CONT "%08x ", c);
1999 + }
2000 + printk("\n");
2001 +}
2002 +#endif
2003 +
2004 int fixup_exception(struct pt_regs *regs)
2005 {
2006 const struct exception_table_entry *fix;
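Review bot: `int err;` is declared only inside `#ifdef CONFIG_PAX_EMUPLT`, but the `CONFIG_PAX_EMUTRAMP` block in `pax_handle_fetch_fault()` also assigns and tests `err`, so a configuration with EMUTRAMP and without EMUPLT would not compile unless Kconfig forbids that combination. Guarding the declaration with `#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUTRAMP)` removes the dependency. In the PLT branch `addr` is an `unsigned int` holding `instruction_pointer(regs)-12` and is then cast to a pointer; this is only correct while user addresses fit in 32 bits, which deserves a comment. The `get_user()` casts here also lack `__user`, as in `pax_report_insns()`. `fixup_exception()` at the end of the hunk continues outside it.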
2007 @@ -192,8 +303,33 @@ good_area:
2008
2009 acc_type = parisc_acctyp(code,regs->iir);
2010
2011 - if ((vma->vm_flags & acc_type) != acc_type)
2012 + if ((vma->vm_flags & acc_type) != acc_type) {
2013 +
2014 +#ifdef CONFIG_PAX_PAGEEXEC
2015 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
2016 + (address & ~3UL) == instruction_pointer(regs))
2017 + {
2018 + up_read(&mm->mmap_sem);
2019 + switch (pax_handle_fetch_fault(regs)) {
2020 +
2021 +#ifdef CONFIG_PAX_EMUPLT
2022 + case 3:
2023 + return;
2024 +#endif
2025 +
2026 +#ifdef CONFIG_PAX_EMUTRAMP
2027 + case 2:
2028 + return;
2029 +#endif
2030 +
2031 + }
2032 + pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
2033 + do_group_exit(SIGKILL);
2034 + }
2035 +#endif
2036 +
2037 goto bad_area;
2038 + }
2039
2040 /*
2041 * If for any reason at all we couldn't handle the fault, make
2042 diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/device.h linux-2.6.32.46/arch/powerpc/include/asm/device.h
2043 --- linux-2.6.32.46/arch/powerpc/include/asm/device.h 2011-03-27 14:31:47.000000000 -0400
2044 +++ linux-2.6.32.46/arch/powerpc/include/asm/device.h 2011-04-17 15:56:45.000000000 -0400
2045 @@ -14,7 +14,7 @@ struct dev_archdata {
2046 struct device_node *of_node;
2047
2048 /* DMA operations on that device */
2049 - struct dma_map_ops *dma_ops;
2050 + const struct dma_map_ops *dma_ops;
2051
2052 /*
2053 * When an iommu is in use, dma_data is used as a ptr to the base of the
2054 diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/dma-mapping.h linux-2.6.32.46/arch/powerpc/include/asm/dma-mapping.h
2055 --- linux-2.6.32.46/arch/powerpc/include/asm/dma-mapping.h 2011-03-27 14:31:47.000000000 -0400
2056 +++ linux-2.6.32.46/arch/powerpc/include/asm/dma-mapping.h 2011-04-17 15:56:45.000000000 -0400
2057 @@ -69,9 +69,9 @@ static inline unsigned long device_to_ma
2058 #ifdef CONFIG_PPC64
2059 extern struct dma_map_ops dma_iommu_ops;
2060 #endif
2061 -extern struct dma_map_ops dma_direct_ops;
2062 +extern const struct dma_map_ops dma_direct_ops;
2063
2064 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
2065 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
2066 {
2067 /* We don't handle the NULL dev case for ISA for now. We could
2068 * do it via an out of line call but it is not needed for now. The
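Review bot: `extern struct dma_map_ops dma_iommu_ops;` stays non-const while `dma_direct_ops` and every accessor in this file become `const`, and no comment explains the exception. If the table is written at run time, it should be marked the way the kgdb.c hunk does, with `/* cannot be const */` on the line above. Otherwise it should be constified with the rest, so that this function-pointer table is not left writable by oversight. The body of `get_dma_ops()` continues outside the hunk.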
2069 @@ -84,7 +84,7 @@ static inline struct dma_map_ops *get_dm
2070 return dev->archdata.dma_ops;
2071 }
2072
2073 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
2074 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
2075 {
2076 dev->archdata.dma_ops = ops;
2077 }
2078 @@ -118,7 +118,7 @@ static inline void set_dma_offset(struct
2079
2080 static inline int dma_supported(struct device *dev, u64 mask)
2081 {
2082 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2083 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2084
2085 if (unlikely(dma_ops == NULL))
2086 return 0;
2087 @@ -132,7 +132,7 @@ static inline int dma_supported(struct d
2088
2089 static inline int dma_set_mask(struct device *dev, u64 dma_mask)
2090 {
2091 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2092 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2093
2094 if (unlikely(dma_ops == NULL))
2095 return -EIO;
2096 @@ -147,7 +147,7 @@ static inline int dma_set_mask(struct de
2097 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
2098 dma_addr_t *dma_handle, gfp_t flag)
2099 {
2100 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2101 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2102 void *cpu_addr;
2103
2104 BUG_ON(!dma_ops);
2105 @@ -162,7 +162,7 @@ static inline void *dma_alloc_coherent(s
2106 static inline void dma_free_coherent(struct device *dev, size_t size,
2107 void *cpu_addr, dma_addr_t dma_handle)
2108 {
2109 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2110 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2111
2112 BUG_ON(!dma_ops);
2113
2114 @@ -173,7 +173,7 @@ static inline void dma_free_coherent(str
2115
2116 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
2117 {
2118 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2119 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2120
2121 if (dma_ops->mapping_error)
2122 return dma_ops->mapping_error(dev, dma_addr);
2123 diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/elf.h linux-2.6.32.46/arch/powerpc/include/asm/elf.h
2124 --- linux-2.6.32.46/arch/powerpc/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
2125 +++ linux-2.6.32.46/arch/powerpc/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
2126 @@ -179,8 +179,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E
2127 the loader. We need to make sure that it is out of the way of the program
2128 that it will "exec", and that there is sufficient room for the brk. */
2129
2130 -extern unsigned long randomize_et_dyn(unsigned long base);
2131 -#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))
2132 +#define ELF_ET_DYN_BASE (0x20000000)
2133 +
2134 +#ifdef CONFIG_PAX_ASLR
2135 +#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
2136 +
2137 +#ifdef __powerpc64__
2138 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
2139 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
2140 +#else
2141 +#define PAX_DELTA_MMAP_LEN 15
2142 +#define PAX_DELTA_STACK_LEN 15
2143 +#endif
2144 +#endif
2145
2146 /*
2147 * Our registers are always unsigned longs, whether we're a 32 bit
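Review bot: `ELF_ET_DYN_BASE` becomes the fixed value `(0x20000000)` and the stock `randomize_et_dyn()` declaration is removed unconditionally, while the replacement `PAX_*` definitions exist only under `CONFIG_PAX_ASLR`. From this hunk it looks as if a kernel built without `CONFIG_PAX_ASLR` loses ET_DYN base randomization entirely. The same question arises for the `arch_randomize_brk` removal in the next hunk and for `arch_align_stack` in asm/system.h. If that trade-off is intended, it should be stated here, for example `/* base is fixed; randomization is applied via PAX_ASLR only */`. Otherwise the original definition should be kept for the non-PaX case.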
2148 @@ -275,9 +286,6 @@ extern int arch_setup_additional_pages(s
2149 (0x7ff >> (PAGE_SHIFT - 12)) : \
2150 (0x3ffff >> (PAGE_SHIFT - 12)))
2151
2152 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
2153 -#define arch_randomize_brk arch_randomize_brk
2154 -
2155 #endif /* __KERNEL__ */
2156
2157 /*
2158 diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/iommu.h linux-2.6.32.46/arch/powerpc/include/asm/iommu.h
2159 --- linux-2.6.32.46/arch/powerpc/include/asm/iommu.h 2011-03-27 14:31:47.000000000 -0400
2160 +++ linux-2.6.32.46/arch/powerpc/include/asm/iommu.h 2011-04-17 15:56:45.000000000 -0400
2161 @@ -116,6 +116,9 @@ extern void iommu_init_early_iSeries(voi
2162 extern void iommu_init_early_dart(void);
2163 extern void iommu_init_early_pasemi(void);
2164
2165 +/* dma-iommu.c */
2166 +extern int dma_iommu_dma_supported(struct device *dev, u64 mask);
2167 +
2168 #ifdef CONFIG_PCI
2169 extern void pci_iommu_init(void);
2170 extern void pci_direct_iommu_init(void);
2171 diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/kmap_types.h linux-2.6.32.46/arch/powerpc/include/asm/kmap_types.h
2172 --- linux-2.6.32.46/arch/powerpc/include/asm/kmap_types.h 2011-03-27 14:31:47.000000000 -0400
2173 +++ linux-2.6.32.46/arch/powerpc/include/asm/kmap_types.h 2011-04-17 15:56:45.000000000 -0400
2174 @@ -26,6 +26,7 @@ enum km_type {
2175 KM_SOFTIRQ1,
2176 KM_PPC_SYNC_PAGE,
2177 KM_PPC_SYNC_ICACHE,
2178 + KM_CLEARPAGE,
2179 KM_TYPE_NR
2180 };
2181
2182 diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/page_64.h linux-2.6.32.46/arch/powerpc/include/asm/page_64.h
2183 --- linux-2.6.32.46/arch/powerpc/include/asm/page_64.h 2011-03-27 14:31:47.000000000 -0400
2184 +++ linux-2.6.32.46/arch/powerpc/include/asm/page_64.h 2011-04-17 15:56:45.000000000 -0400
2185 @@ -180,15 +180,18 @@ do { \
2186 * stack by default, so in the absense of a PT_GNU_STACK program header
2187 * we turn execute permission off.
2188 */
2189 -#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2190 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2191 +#define VM_STACK_DEFAULT_FLAGS32 \
2192 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2193 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2194
2195 #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2196 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2197
2198 +#ifndef CONFIG_PAX_PAGEEXEC
2199 #define VM_STACK_DEFAULT_FLAGS \
2200 (test_thread_flag(TIF_32BIT) ? \
2201 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
2202 +#endif
2203
2204 #include <asm-generic/getorder.h>
2205
2206 diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/page.h linux-2.6.32.46/arch/powerpc/include/asm/page.h
2207 --- linux-2.6.32.46/arch/powerpc/include/asm/page.h 2011-03-27 14:31:47.000000000 -0400
2208 +++ linux-2.6.32.46/arch/powerpc/include/asm/page.h 2011-08-21 16:07:39.000000000 -0400
2209 @@ -116,8 +116,9 @@ extern phys_addr_t kernstart_addr;
2210 * and needs to be executable. This means the whole heap ends
2211 * up being executable.
2212 */
2213 -#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2214 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2215 +#define VM_DATA_DEFAULT_FLAGS32 \
2216 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2217 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2218
2219 #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2220 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
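Review bot: The context comment directly above `VM_DATA_DEFAULT_FLAGS32` still ends with "This means the whole heap ends up being executable", but the new definition sets `VM_EXEC` only when `current->personality & READ_IMPLIES_EXEC` is set. The comment should gain a sentence such as `With this change the heap is executable only for READ_IMPLIES_EXEC personalities; VM_MAYEXEC is still granted.` Note also that the macro now evaluates `current`, so it is no longer a compile-time constant. The same stale-comment issue applies to `VM_STACK_DEFAULT_FLAGS32` in the asm/page_64.h hunk.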
2221 @@ -145,6 +146,9 @@ extern phys_addr_t kernstart_addr;
2222 #define is_kernel_addr(x) ((x) >= PAGE_OFFSET)
2223 #endif
2224
2225 +#define ktla_ktva(addr) (addr)
2226 +#define ktva_ktla(addr) (addr)
2227 +
2228 #ifndef __ASSEMBLY__
2229
2230 #undef STRICT_MM_TYPECHECKS
2231 diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/pci.h linux-2.6.32.46/arch/powerpc/include/asm/pci.h
2232 --- linux-2.6.32.46/arch/powerpc/include/asm/pci.h 2011-03-27 14:31:47.000000000 -0400
2233 +++ linux-2.6.32.46/arch/powerpc/include/asm/pci.h 2011-04-17 15:56:45.000000000 -0400
2234 @@ -65,8 +65,8 @@ static inline int pci_get_legacy_ide_irq
2235 }
2236
2237 #ifdef CONFIG_PCI
2238 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
2239 -extern struct dma_map_ops *get_pci_dma_ops(void);
2240 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
2241 +extern const struct dma_map_ops *get_pci_dma_ops(void);
2242 #else /* CONFIG_PCI */
2243 #define set_pci_dma_ops(d)
2244 #define get_pci_dma_ops() NULL
2245 diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/pgtable.h linux-2.6.32.46/arch/powerpc/include/asm/pgtable.h
2246 --- linux-2.6.32.46/arch/powerpc/include/asm/pgtable.h 2011-03-27 14:31:47.000000000 -0400
2247 +++ linux-2.6.32.46/arch/powerpc/include/asm/pgtable.h 2011-04-17 15:56:45.000000000 -0400
2248 @@ -2,6 +2,7 @@
2249 #define _ASM_POWERPC_PGTABLE_H
2250 #ifdef __KERNEL__
2251
2252 +#include <linux/const.h>
2253 #ifndef __ASSEMBLY__
2254 #include <asm/processor.h> /* For TASK_SIZE */
2255 #include <asm/mmu.h>
2256 diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/pte-hash32.h linux-2.6.32.46/arch/powerpc/include/asm/pte-hash32.h
2257 --- linux-2.6.32.46/arch/powerpc/include/asm/pte-hash32.h 2011-03-27 14:31:47.000000000 -0400
2258 +++ linux-2.6.32.46/arch/powerpc/include/asm/pte-hash32.h 2011-04-17 15:56:45.000000000 -0400
2259 @@ -21,6 +21,7 @@
2260 #define _PAGE_FILE 0x004 /* when !present: nonlinear file mapping */
2261 #define _PAGE_USER 0x004 /* usermode access allowed */
2262 #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */
2263 +#define _PAGE_EXEC _PAGE_GUARDED
2264 #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */
2265 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
2266 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
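Review bot: `#define _PAGE_EXEC _PAGE_GUARDED` is the only definition in this block without a trailing comment, and the name does not tell a reader whether setting the bit permits or prevents execution. The neighbouring comment describes G as "prohibit speculative access" and the asm/reg.h hunk describes `DSISR_GUARDED` as "fetch from guarded storage", which suggests the bit is used to make instruction fetches fault. If so, the line should say it, for example `/* aliases G: instruction fetch from a guarded page faults (see DSISR_GUARDED) - confirm polarity */`.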
2267 diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/ptrace.h linux-2.6.32.46/arch/powerpc/include/asm/ptrace.h
2268 --- linux-2.6.32.46/arch/powerpc/include/asm/ptrace.h 2011-03-27 14:31:47.000000000 -0400
2269 +++ linux-2.6.32.46/arch/powerpc/include/asm/ptrace.h 2011-08-21 15:53:58.000000000 -0400
2270 @@ -103,7 +103,7 @@ extern unsigned long profile_pc(struct p
2271 } while(0)
2272
2273 struct task_struct;
2274 -extern unsigned long ptrace_get_reg(struct task_struct *task, int regno);
2275 +extern unsigned long ptrace_get_reg(struct task_struct *task, unsigned int regno);
2276 extern int ptrace_put_reg(struct task_struct *task, int regno,
2277 unsigned long data);
2278
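Review bot: `ptrace_get_reg()` now takes `unsigned int regno` while `ptrace_put_reg()` on the next line keeps `int regno`, so the two accessors disagree on the index type. An unsigned index means a negative register number cannot slip past an upper-bound-only check, and the write path benefits from that at least as much as the read path. I would change the second prototype to `extern int ptrace_put_reg(struct task_struct *task, unsigned int regno,` together with its definition. The definitions are not visible here, so whether they already match cannot be confirmed.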
2279 diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/reg.h linux-2.6.32.46/arch/powerpc/include/asm/reg.h
2280 --- linux-2.6.32.46/arch/powerpc/include/asm/reg.h 2011-03-27 14:31:47.000000000 -0400
2281 +++ linux-2.6.32.46/arch/powerpc/include/asm/reg.h 2011-04-17 15:56:45.000000000 -0400
2282 @@ -191,6 +191,7 @@
2283 #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
2284 #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
2285 #define DSISR_NOHPTE 0x40000000 /* no translation found */
2286 +#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */
2287 #define DSISR_PROTFAULT 0x08000000 /* protection fault */
2288 #define DSISR_ISSTORE 0x02000000 /* access was a store */
2289 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
2290 diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/swiotlb.h linux-2.6.32.46/arch/powerpc/include/asm/swiotlb.h
2291 --- linux-2.6.32.46/arch/powerpc/include/asm/swiotlb.h 2011-03-27 14:31:47.000000000 -0400
2292 +++ linux-2.6.32.46/arch/powerpc/include/asm/swiotlb.h 2011-04-17 15:56:45.000000000 -0400
2293 @@ -13,7 +13,7 @@
2294
2295 #include <linux/swiotlb.h>
2296
2297 -extern struct dma_map_ops swiotlb_dma_ops;
2298 +extern const struct dma_map_ops swiotlb_dma_ops;
2299
2300 static inline void dma_mark_clean(void *addr, size_t size) {}
2301
2302 diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/system.h linux-2.6.32.46/arch/powerpc/include/asm/system.h
2303 --- linux-2.6.32.46/arch/powerpc/include/asm/system.h 2011-03-27 14:31:47.000000000 -0400
2304 +++ linux-2.6.32.46/arch/powerpc/include/asm/system.h 2011-04-17 15:56:45.000000000 -0400
2305 @@ -531,7 +531,7 @@ __cmpxchg_local(volatile void *ptr, unsi
2306 #define cmpxchg64_local(ptr, o, n) __cmpxchg64_local_generic((ptr), (o), (n))
2307 #endif
2308
2309 -extern unsigned long arch_align_stack(unsigned long sp);
2310 +#define arch_align_stack(x) ((x) & ~0xfUL)
2311
2312 /* Used in very early kernel initialization. */
2313 extern unsigned long reloc_offset(void);
2314 diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/uaccess.h linux-2.6.32.46/arch/powerpc/include/asm/uaccess.h
2315 --- linux-2.6.32.46/arch/powerpc/include/asm/uaccess.h 2011-03-27 14:31:47.000000000 -0400
2316 +++ linux-2.6.32.46/arch/powerpc/include/asm/uaccess.h 2011-04-17 15:56:45.000000000 -0400
2317 @@ -13,6 +13,8 @@
2318 #define VERIFY_READ 0
2319 #define VERIFY_WRITE 1
2320
2321 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
2322 +
2323 /*
2324 * The fs value determines whether argument validity checking should be
2325 * performed or not. If get_fs() == USER_DS, checking is performed, with
2326 @@ -327,52 +329,6 @@ do { \
2327 extern unsigned long __copy_tofrom_user(void __user *to,
2328 const void __user *from, unsigned long size);
2329
2330 -#ifndef __powerpc64__
2331 -
2332 -static inline unsigned long copy_from_user(void *to,
2333 - const void __user *from, unsigned long n)
2334 -{
2335 - unsigned long over;
2336 -
2337 - if (access_ok(VERIFY_READ, from, n))
2338 - return __copy_tofrom_user((__force void __user *)to, from, n);
2339 - if ((unsigned long)from < TASK_SIZE) {
2340 - over = (unsigned long)from + n - TASK_SIZE;
2341 - return __copy_tofrom_user((__force void __user *)to, from,
2342 - n - over) + over;
2343 - }
2344 - return n;
2345 -}
2346 -
2347 -static inline unsigned long copy_to_user(void __user *to,
2348 - const void *from, unsigned long n)
2349 -{
2350 - unsigned long over;
2351 -
2352 - if (access_ok(VERIFY_WRITE, to, n))
2353 - return __copy_tofrom_user(to, (__force void __user *)from, n);
2354 - if ((unsigned long)to < TASK_SIZE) {
2355 - over = (unsigned long)to + n - TASK_SIZE;
2356 - return __copy_tofrom_user(to, (__force void __user *)from,
2357 - n - over) + over;
2358 - }
2359 - return n;
2360 -}
2361 -
2362 -#else /* __powerpc64__ */
2363 -
2364 -#define __copy_in_user(to, from, size) \
2365 - __copy_tofrom_user((to), (from), (size))
2366 -
2367 -extern unsigned long copy_from_user(void *to, const void __user *from,
2368 - unsigned long n);
2369 -extern unsigned long copy_to_user(void __user *to, const void *from,
2370 - unsigned long n);
2371 -extern unsigned long copy_in_user(void __user *to, const void __user *from,
2372 - unsigned long n);
2373 -
2374 -#endif /* __powerpc64__ */
2375 -
2376 static inline unsigned long __copy_from_user_inatomic(void *to,
2377 const void __user *from, unsigned long n)
2378 {
2379 @@ -396,6 +352,10 @@ static inline unsigned long __copy_from_
2380 if (ret == 0)
2381 return 0;
2382 }
2383 +
2384 + if (!__builtin_constant_p(n))
2385 + check_object_size(to, n, false);
2386 +
2387 return __copy_tofrom_user((__force void __user *)to, from, n);
2388 }
2389
2390 @@ -422,6 +382,10 @@ static inline unsigned long __copy_to_us
2391 if (ret == 0)
2392 return 0;
2393 }
2394 +
2395 + if (!__builtin_constant_p(n))
2396 + check_object_size(from, n, true);
2397 +
2398 return __copy_tofrom_user(to, (__force const void __user *)from, n);
2399 }
2400
2401 @@ -439,6 +403,92 @@ static inline unsigned long __copy_to_us
2402 return __copy_to_user_inatomic(to, from, size);
2403 }
2404
2405 +#ifndef __powerpc64__
2406 +
2407 +static inline unsigned long __must_check copy_from_user(void *to,
2408 + const void __user *from, unsigned long n)
2409 +{
2410 + unsigned long over;
2411 +
2412 + if ((long)n < 0)
2413 + return n;
2414 +
2415 + if (access_ok(VERIFY_READ, from, n)) {
2416 + if (!__builtin_constant_p(n))
2417 + check_object_size(to, n, false);
2418 + return __copy_tofrom_user((__force void __user *)to, from, n);
2419 + }
2420 + if ((unsigned long)from < TASK_SIZE) {
2421 + over = (unsigned long)from + n - TASK_SIZE;
2422 + if (!__builtin_constant_p(n - over))
2423 + check_object_size(to, n - over, false);
2424 + return __copy_tofrom_user((__force void __user *)to, from,
2425 + n - over) + over;
2426 + }
2427 + return n;
2428 +}
2429 +
2430 +static inline unsigned long __must_check copy_to_user(void __user *to,
2431 + const void *from, unsigned long n)
2432 +{
2433 + unsigned long over;
2434 +
2435 + if ((long)n < 0)
2436 + return n;
2437 +
2438 + if (access_ok(VERIFY_WRITE, to, n)) {
2439 + if (!__builtin_constant_p(n))
2440 + check_object_size(from, n, true);
2441 + return __copy_tofrom_user(to, (__force void __user *)from, n);
2442 + }
2443 + if ((unsigned long)to < TASK_SIZE) {
2444 + over = (unsigned long)to + n - TASK_SIZE;
2445 + if (!__builtin_constant_p(n))
2446 + check_object_size(from, n - over, true);
2447 + return __copy_tofrom_user(to, (__force void __user *)from,
2448 + n - over) + over;
2449 + }
2450 + return n;
2451 +}
2452 +
2453 +#else /* __powerpc64__ */
2454 +
2455 +#define __copy_in_user(to, from, size) \
2456 + __copy_tofrom_user((to), (from), (size))
2457 +
2458 +static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
2459 +{
2460 + if ((long)n < 0 || n > INT_MAX)
2461 + return n;
2462 +
2463 + if (!__builtin_constant_p(n))
2464 + check_object_size(to, n, false);
2465 +
2466 + if (likely(access_ok(VERIFY_READ, from, n)))
2467 + n = __copy_from_user(to, from, n);
2468 + else
2469 + memset(to, 0, n);
2470 + return n;
2471 +}
2472 +
2473 +static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
2474 +{
2475 + if ((long)n < 0 || n > INT_MAX)
2476 + return n;
2477 +
2478 + if (likely(access_ok(VERIFY_WRITE, to, n))) {
2479 + if (!__builtin_constant_p(n))
2480 + check_object_size(from, n, true);
2481 + n = __copy_to_user(to, from, n);
2482 + }
2483 + return n;
2484 +}
2485 +
2486 +extern unsigned long copy_in_user(void __user *to, const void __user *from,
2487 + unsigned long n);
2488 +
2489 +#endif /* __powerpc64__ */
2490 +
2491 extern unsigned long __clear_user(void __user *addr, unsigned long size);
2492
2493 static inline unsigned long clear_user(void __user *addr, unsigned long size)
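Review bot: The 32-bit `copy_from_user()` added here never clears the destination when the source range is rejected, whereas the 64-bit variant in the same hunk does `memset(to, 0, n)` on failure. The final `return n;` leaves all of `to` untouched, and as far as this hunk shows the partial branch leaves its last `over` bytes untouched. A caller that mishandles the return value then works on stale kernel memory. Adding `memset(to, 0, n);` before the last `return n;` and zeroing the uncopied tail in the partial branch would match the 64-bit behaviour. Separately, the partial branch of the 32-bit `copy_to_user()` tests `__builtin_constant_p(n)` while `copy_from_user()` tests `__builtin_constant_p(n - over)`; both should use the same expression.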
2494 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/cacheinfo.c linux-2.6.32.46/arch/powerpc/kernel/cacheinfo.c
2495 --- linux-2.6.32.46/arch/powerpc/kernel/cacheinfo.c 2011-03-27 14:31:47.000000000 -0400
2496 +++ linux-2.6.32.46/arch/powerpc/kernel/cacheinfo.c 2011-04-17 15:56:45.000000000 -0400
2497 @@ -642,7 +642,7 @@ static struct kobj_attribute *cache_inde
2498 &cache_assoc_attr,
2499 };
2500
2501 -static struct sysfs_ops cache_index_ops = {
2502 +static const struct sysfs_ops cache_index_ops = {
2503 .show = cache_index_show,
2504 };
2505
2506 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/dma.c linux-2.6.32.46/arch/powerpc/kernel/dma.c
2507 --- linux-2.6.32.46/arch/powerpc/kernel/dma.c 2011-03-27 14:31:47.000000000 -0400
2508 +++ linux-2.6.32.46/arch/powerpc/kernel/dma.c 2011-04-17 15:56:45.000000000 -0400
2509 @@ -134,7 +134,7 @@ static inline void dma_direct_sync_singl
2510 }
2511 #endif
2512
2513 -struct dma_map_ops dma_direct_ops = {
2514 +const struct dma_map_ops dma_direct_ops = {
2515 .alloc_coherent = dma_direct_alloc_coherent,
2516 .free_coherent = dma_direct_free_coherent,
2517 .map_sg = dma_direct_map_sg,
2518 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/dma-iommu.c linux-2.6.32.46/arch/powerpc/kernel/dma-iommu.c
2519 --- linux-2.6.32.46/arch/powerpc/kernel/dma-iommu.c 2011-03-27 14:31:47.000000000 -0400
2520 +++ linux-2.6.32.46/arch/powerpc/kernel/dma-iommu.c 2011-04-17 15:56:45.000000000 -0400
2521 @@ -70,7 +70,7 @@ static void dma_iommu_unmap_sg(struct de
2522 }
2523
2524 /* We support DMA to/from any memory page via the iommu */
2525 -static int dma_iommu_dma_supported(struct device *dev, u64 mask)
2526 +int dma_iommu_dma_supported(struct device *dev, u64 mask)
2527 {
2528 struct iommu_table *tbl = get_iommu_table_base(dev);
2529
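Review bot: `dma_iommu_dma_supported()` becomes a global symbol here so that vio.c can name it in its initialiser, but none of the hunks in view adds a prototype for it. Unless a header outside this part of the patch declares it, vio.c relies on an implicit declaration and a later signature change would go unnoticed. A line such as `extern int dma_iommu_dma_supported(struct device *dev, u64 mask);` in the header that already declares `dma_iommu_ops` would cover it. The function body continues past the end of the hunk.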
2530 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/dma-swiotlb.c linux-2.6.32.46/arch/powerpc/kernel/dma-swiotlb.c
2531 --- linux-2.6.32.46/arch/powerpc/kernel/dma-swiotlb.c 2011-03-27 14:31:47.000000000 -0400
2532 +++ linux-2.6.32.46/arch/powerpc/kernel/dma-swiotlb.c 2011-04-17 15:56:45.000000000 -0400
2533 @@ -31,7 +31,7 @@ unsigned int ppc_swiotlb_enable;
2534 * map_page, and unmap_page on highmem, use normal dma_ops
2535 * for everything else.
2536 */
2537 -struct dma_map_ops swiotlb_dma_ops = {
2538 +const struct dma_map_ops swiotlb_dma_ops = {
2539 .alloc_coherent = dma_direct_alloc_coherent,
2540 .free_coherent = dma_direct_free_coherent,
2541 .map_sg = swiotlb_map_sg_attrs,
2542 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/exceptions-64e.S linux-2.6.32.46/arch/powerpc/kernel/exceptions-64e.S
2543 --- linux-2.6.32.46/arch/powerpc/kernel/exceptions-64e.S 2011-03-27 14:31:47.000000000 -0400
2544 +++ linux-2.6.32.46/arch/powerpc/kernel/exceptions-64e.S 2011-04-17 15:56:45.000000000 -0400
2545 @@ -455,6 +455,7 @@ storage_fault_common:
2546 std r14,_DAR(r1)
2547 std r15,_DSISR(r1)
2548 addi r3,r1,STACK_FRAME_OVERHEAD
2549 + bl .save_nvgprs
2550 mr r4,r14
2551 mr r5,r15
2552 ld r14,PACA_EXGEN+EX_R14(r13)
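Review bot: `bl .save_nvgprs` is inserted while r14 and r15 still hold the fault address and status: the two `std` lines above it store them to `_DAR` and `_DSISR`, and r14 is only reloaded from `PACA_EXGEN+EX_R14` three lines later. Assuming `save_nvgprs` writes r14–r31 into the exception frame, the frame then records these scratch values instead of the interrupted context's registers. Moving the call below the reloads of r14 and r15 would avoid that; the r15 reload falls outside the hunk. The second hunk in this file, which removes the late `bl .save_nvgprs` at label `1:`, depends on this placement being right.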
2553 @@ -464,8 +465,7 @@ storage_fault_common:
2554 cmpdi r3,0
2555 bne- 1f
2556 b .ret_from_except_lite
2557 -1: bl .save_nvgprs
2558 - mr r5,r3
2559 +1: mr r5,r3
2560 addi r3,r1,STACK_FRAME_OVERHEAD
2561 ld r4,_DAR(r1)
2562 bl .bad_page_fault
2563 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/exceptions-64s.S linux-2.6.32.46/arch/powerpc/kernel/exceptions-64s.S
2564 --- linux-2.6.32.46/arch/powerpc/kernel/exceptions-64s.S 2011-03-27 14:31:47.000000000 -0400
2565 +++ linux-2.6.32.46/arch/powerpc/kernel/exceptions-64s.S 2011-04-17 15:56:45.000000000 -0400
2566 @@ -818,10 +818,10 @@ handle_page_fault:
2567 11: ld r4,_DAR(r1)
2568 ld r5,_DSISR(r1)
2569 addi r3,r1,STACK_FRAME_OVERHEAD
2570 + bl .save_nvgprs
2571 bl .do_page_fault
2572 cmpdi r3,0
2573 beq+ 13f
2574 - bl .save_nvgprs
2575 mr r5,r3
2576 addi r3,r1,STACK_FRAME_OVERHEAD
2577 lwz r4,_DAR(r1)
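Review bot: The `bl .save_nvgprs` added before `bl .do_page_fault` has no comment saying why the non-volatile registers must now be saved on every page fault rather than only on the error path. If the reason is that the reporting path reached from `do_page_fault` dumps the full register set, a line such as `/* save r14-r31 up front: fault reporting inside do_page_fault reads them */` would record it and justify the extra work on the common path. `handle_page_fault` continues outside the hunk.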
2578 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/ibmebus.c linux-2.6.32.46/arch/powerpc/kernel/ibmebus.c
2579 --- linux-2.6.32.46/arch/powerpc/kernel/ibmebus.c 2011-03-27 14:31:47.000000000 -0400
2580 +++ linux-2.6.32.46/arch/powerpc/kernel/ibmebus.c 2011-04-17 15:56:45.000000000 -0400
2581 @@ -127,7 +127,7 @@ static int ibmebus_dma_supported(struct
2582 return 1;
2583 }
2584
2585 -static struct dma_map_ops ibmebus_dma_ops = {
2586 +static const struct dma_map_ops ibmebus_dma_ops = {
2587 .alloc_coherent = ibmebus_alloc_coherent,
2588 .free_coherent = ibmebus_free_coherent,
2589 .map_sg = ibmebus_map_sg,
2590 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/kgdb.c linux-2.6.32.46/arch/powerpc/kernel/kgdb.c
2591 --- linux-2.6.32.46/arch/powerpc/kernel/kgdb.c 2011-03-27 14:31:47.000000000 -0400
2592 +++ linux-2.6.32.46/arch/powerpc/kernel/kgdb.c 2011-04-17 15:56:45.000000000 -0400
2593 @@ -126,7 +126,7 @@ static int kgdb_handle_breakpoint(struct
2594 if (kgdb_handle_exception(0, SIGTRAP, 0, regs) != 0)
2595 return 0;
2596
2597 - if (*(u32 *) (regs->nip) == *(u32 *) (&arch_kgdb_ops.gdb_bpt_instr))
2598 + if (*(u32 *) (regs->nip) == *(const u32 *) (&arch_kgdb_ops.gdb_bpt_instr))
2599 regs->nip += 4;
2600
2601 return 1;
2602 @@ -353,7 +353,7 @@ int kgdb_arch_handle_exception(int vecto
2603 /*
2604 * Global data
2605 */
2606 -struct kgdb_arch arch_kgdb_ops = {
2607 +const struct kgdb_arch arch_kgdb_ops = {
2608 .gdb_bpt_instr = {0x7d, 0x82, 0x10, 0x08},
2609 };
2610
2611 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/module_32.c linux-2.6.32.46/arch/powerpc/kernel/module_32.c
2612 --- linux-2.6.32.46/arch/powerpc/kernel/module_32.c 2011-03-27 14:31:47.000000000 -0400
2613 +++ linux-2.6.32.46/arch/powerpc/kernel/module_32.c 2011-04-17 15:56:45.000000000 -0400
2614 @@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr
2615 me->arch.core_plt_section = i;
2616 }
2617 if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
2618 - printk("Module doesn't contain .plt or .init.plt sections.\n");
2619 + printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
2620 return -ENOEXEC;
2621 }
2622
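Review bot: The reworded `printk()` still has no log level, while the error message added to `do_plt_call()` in the next hunk of this file uses `KERN_ERR`. `printk(KERN_ERR "Module %s doesn't contain .plt or .init.plt sections.\n", me->name);` would make the two consistent. `module_frob_arch_sections()` starts above the hunk.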
2623 @@ -203,11 +203,16 @@ static uint32_t do_plt_call(void *locati
2624
2625 DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
2626 /* Init, or core PLT? */
2627 - if (location >= mod->module_core
2628 - && location < mod->module_core + mod->core_size)
2629 + if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
2630 + (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
2631 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
2632 - else
2633 + else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
2634 + (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
2635 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
2636 + else {
2637 + printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
2638 + return ~0UL;
2639 + }
2640
2641 /* Find this entry, or if that fails, the next avail. entry */
2642 while (entry->jump[0]) {
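Review bot: The new error path returns `~0UL` from a function the hunk header shows as returning `uint32_t`, so the sentinel relies on an implicit narrowing and its meaning is stated nowhere. The caller is outside the hunk; unless it checks for this value, the relocation would be applied with the sentinel as its target. `return (uint32_t)~0UL; /* invalid location: caller must fail the relocation */`, or a named constant shared with the caller, would make the contract explicit. `do_plt_call()` starts above the hunk and continues below it.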
2643 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/module.c linux-2.6.32.46/arch/powerpc/kernel/module.c
2644 --- linux-2.6.32.46/arch/powerpc/kernel/module.c 2011-03-27 14:31:47.000000000 -0400
2645 +++ linux-2.6.32.46/arch/powerpc/kernel/module.c 2011-04-17 15:56:45.000000000 -0400
2646 @@ -31,11 +31,24 @@
2647
2648 LIST_HEAD(module_bug_list);
2649
2650 +#ifdef CONFIG_PAX_KERNEXEC
2651 void *module_alloc(unsigned long size)
2652 {
2653 if (size == 0)
2654 return NULL;
2655
2656 + return vmalloc(size);
2657 +}
2658 +
2659 +void *module_alloc_exec(unsigned long size)
2660 +#else
2661 +void *module_alloc(unsigned long size)
2662 +#endif
2663 +
2664 +{
2665 + if (size == 0)
2666 + return NULL;
2667 +
2668 return vmalloc_exec(size);
2669 }
2670
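Review bot: The `#ifdef CONFIG_PAX_KERNEXEC` block separates a function signature from its body: `module_alloc_exec()` and the non-KERNEXEC `module_alloc()` share the one body that follows `#endif`. Nothing says which allocator returns executable memory. A comment above the block, for example `/* KERNEXEC: module_alloc() uses vmalloc() (not executable); module code must come from module_alloc_exec() (vmalloc_exec()) */`, would spare the reader from untangling the preprocessor. Giving each variant its own complete definition would be clearer still.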
2671 @@ -45,6 +58,13 @@ void module_free(struct module *mod, voi
2672 vfree(module_region);
2673 }
2674
2675 +#ifdef CONFIG_PAX_KERNEXEC
2676 +void module_free_exec(struct module *mod, void *module_region)
2677 +{
2678 + module_free(mod, module_region);
2679 +}
2680 +#endif
2681 +
2682 static const Elf_Shdr *find_section(const Elf_Ehdr *hdr,
2683 const Elf_Shdr *sechdrs,
2684 const char *name)
2685 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/pci-common.c linux-2.6.32.46/arch/powerpc/kernel/pci-common.c
2686 --- linux-2.6.32.46/arch/powerpc/kernel/pci-common.c 2011-03-27 14:31:47.000000000 -0400
2687 +++ linux-2.6.32.46/arch/powerpc/kernel/pci-common.c 2011-04-17 15:56:45.000000000 -0400
2688 @@ -50,14 +50,14 @@ resource_size_t isa_mem_base;
2689 unsigned int ppc_pci_flags = 0;
2690
2691
2692 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2693 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2694
2695 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
2696 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
2697 {
2698 pci_dma_ops = dma_ops;
2699 }
2700
2701 -struct dma_map_ops *get_pci_dma_ops(void)
2702 +const struct dma_map_ops *get_pci_dma_ops(void)
2703 {
2704 return pci_dma_ops;
2705 }
2706 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/process.c linux-2.6.32.46/arch/powerpc/kernel/process.c
2707 --- linux-2.6.32.46/arch/powerpc/kernel/process.c 2011-03-27 14:31:47.000000000 -0400
2708 +++ linux-2.6.32.46/arch/powerpc/kernel/process.c 2011-04-17 15:56:45.000000000 -0400
2709 @@ -539,8 +539,8 @@ void show_regs(struct pt_regs * regs)
2710 * Lookup NIP late so we have the best change of getting the
2711 * above info out without failing
2712 */
2713 - printk("NIP ["REG"] %pS\n", regs->nip, (void *)regs->nip);
2714 - printk("LR ["REG"] %pS\n", regs->link, (void *)regs->link);
2715 + printk("NIP ["REG"] %pA\n", regs->nip, (void *)regs->nip);
2716 + printk("LR ["REG"] %pA\n", regs->link, (void *)regs->link);
2717 #endif
2718 show_stack(current, (unsigned long *) regs->gpr[1]);
2719 if (!user_mode(regs))
2720 @@ -1034,10 +1034,10 @@ void show_stack(struct task_struct *tsk,
2721 newsp = stack[0];
2722 ip = stack[STACK_FRAME_LR_SAVE];
2723 if (!firstframe || ip != lr) {
2724 - printk("["REG"] ["REG"] %pS", sp, ip, (void *)ip);
2725 + printk("["REG"] ["REG"] %pA", sp, ip, (void *)ip);
2726 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
2727 if ((ip == rth || ip == mrth) && curr_frame >= 0) {
2728 - printk(" (%pS)",
2729 + printk(" (%pA)",
2730 (void *)current->ret_stack[curr_frame].ret);
2731 curr_frame--;
2732 }
2733 @@ -1057,7 +1057,7 @@ void show_stack(struct task_struct *tsk,
2734 struct pt_regs *regs = (struct pt_regs *)
2735 (sp + STACK_FRAME_OVERHEAD);
2736 lr = regs->link;
2737 - printk("--- Exception: %lx at %pS\n LR = %pS\n",
2738 + printk("--- Exception: %lx at %pA\n LR = %pA\n",
2739 regs->trap, (void *)regs->nip, (void *)lr);
2740 firstframe = 1;
2741 }
2742 @@ -1134,58 +1134,3 @@ void thread_info_cache_init(void)
2743 }
2744
2745 #endif /* THREAD_SHIFT < PAGE_SHIFT */
2746 -
2747 -unsigned long arch_align_stack(unsigned long sp)
2748 -{
2749 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
2750 - sp -= get_random_int() & ~PAGE_MASK;
2751 - return sp & ~0xf;
2752 -}
2753 -
2754 -static inline unsigned long brk_rnd(void)
2755 -{
2756 - unsigned long rnd = 0;
2757 -
2758 - /* 8MB for 32bit, 1GB for 64bit */
2759 - if (is_32bit_task())
2760 - rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
2761 - else
2762 - rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
2763 -
2764 - return rnd << PAGE_SHIFT;
2765 -}
2766 -
2767 -unsigned long arch_randomize_brk(struct mm_struct *mm)
2768 -{
2769 - unsigned long base = mm->brk;
2770 - unsigned long ret;
2771 -
2772 -#ifdef CONFIG_PPC_STD_MMU_64
2773 - /*
2774 - * If we are using 1TB segments and we are allowed to randomise
2775 - * the heap, we can put it above 1TB so it is backed by a 1TB
2776 - * segment. Otherwise the heap will be in the bottom 1TB
2777 - * which always uses 256MB segments and this may result in a
2778 - * performance penalty.
2779 - */
2780 - if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
2781 - base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
2782 -#endif
2783 -
2784 - ret = PAGE_ALIGN(base + brk_rnd());
2785 -
2786 - if (ret < mm->brk)
2787 - return mm->brk;
2788 -
2789 - return ret;
2790 -}
2791 -
2792 -unsigned long randomize_et_dyn(unsigned long base)
2793 -{
2794 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
2795 -
2796 - if (ret < base)
2797 - return base;
2798 -
2799 - return ret;
2800 -}
2801 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/ptrace.c linux-2.6.32.46/arch/powerpc/kernel/ptrace.c
2802 --- linux-2.6.32.46/arch/powerpc/kernel/ptrace.c 2011-03-27 14:31:47.000000000 -0400
2803 +++ linux-2.6.32.46/arch/powerpc/kernel/ptrace.c 2011-08-21 15:53:39.000000000 -0400
2804 @@ -86,7 +86,7 @@ static int set_user_trap(struct task_str
2805 /*
2806 * Get contents of register REGNO in task TASK.
2807 */
2808 -unsigned long ptrace_get_reg(struct task_struct *task, int regno)
2809 +unsigned long ptrace_get_reg(struct task_struct *task, unsigned int regno)
2810 {
2811 if (task->thread.regs == NULL)
2812 return -EIO;
2813 @@ -894,7 +894,7 @@ long arch_ptrace(struct task_struct *chi
2814
2815 CHECK_FULL_REGS(child->thread.regs);
2816 if (index < PT_FPR0) {
2817 - tmp = ptrace_get_reg(child, (int) index);
2818 + tmp = ptrace_get_reg(child, index);
2819 } else {
2820 flush_fp_to_thread(child);
2821 tmp = ((unsigned long *)child->thread.fpr)
2822 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/signal_32.c linux-2.6.32.46/arch/powerpc/kernel/signal_32.c
2823 --- linux-2.6.32.46/arch/powerpc/kernel/signal_32.c 2011-03-27 14:31:47.000000000 -0400
2824 +++ linux-2.6.32.46/arch/powerpc/kernel/signal_32.c 2011-04-17 15:56:45.000000000 -0400
2825 @@ -857,7 +857,7 @@ int handle_rt_signal32(unsigned long sig
2826 /* Save user registers on the stack */
2827 frame = &rt_sf->uc.uc_mcontext;
2828 addr = frame;
2829 - if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
2830 + if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2831 if (save_user_regs(regs, frame, 0, 1))
2832 goto badframe;
2833 regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
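Review bot: The "no vDSO" marker changes from 0 to a bare `~0UL` here, and the same literal is repeated in signal_64.c and in the assignment in vdso.c later in this patch. Any other reader of `context.vdso_base` that still tests for zero would now treat an unmapped vDSO as mapped and derive an address from an all-ones base. None is visible in these hunks, so this needs a search of the tree. A shared name used at all three sites, e.g. `#define VDSO_BASE_UNMAPPED (~0UL)` (name constructed for illustration), would keep them from drifting apart. `handle_rt_signal32()` continues outside the hunk.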
2834 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/signal_64.c linux-2.6.32.46/arch/powerpc/kernel/signal_64.c
2835 --- linux-2.6.32.46/arch/powerpc/kernel/signal_64.c 2011-03-27 14:31:47.000000000 -0400
2836 +++ linux-2.6.32.46/arch/powerpc/kernel/signal_64.c 2011-04-17 15:56:45.000000000 -0400
2837 @@ -429,7 +429,7 @@ int handle_rt_signal64(int signr, struct
2838 current->thread.fpscr.val = 0;
2839
2840 /* Set up to return from userspace. */
2841 - if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
2842 + if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2843 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
2844 } else {
2845 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
2846 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/sys_ppc32.c linux-2.6.32.46/arch/powerpc/kernel/sys_ppc32.c
2847 --- linux-2.6.32.46/arch/powerpc/kernel/sys_ppc32.c 2011-03-27 14:31:47.000000000 -0400
2848 +++ linux-2.6.32.46/arch/powerpc/kernel/sys_ppc32.c 2011-04-17 15:56:45.000000000 -0400
2849 @@ -563,10 +563,10 @@ asmlinkage long compat_sys_sysctl(struct
2850 if (oldlenp) {
2851 if (!error) {
2852 if (get_user(oldlen, oldlenp) ||
2853 - put_user(oldlen, (compat_size_t __user *)compat_ptr(tmp.oldlenp)))
2854 + put_user(oldlen, (compat_size_t __user *)compat_ptr(tmp.oldlenp)) ||
2855 + copy_to_user(args->__unused, tmp.__unused, sizeof(tmp.__unused)))
2856 error = -EFAULT;
2857 }
2858 - copy_to_user(args->__unused, tmp.__unused, sizeof(tmp.__unused));
2859 }
2860 return error;
2861 }
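Review bot: Folding `copy_to_user()` into the `||` chain checks its result, but it also moves the call inside `if (!error)`, so `args->__unused` is no longer written back when the sysctl itself failed. Before the change it was copied whenever `oldlenp` was set. If user space relied on that write-back on the error path, this is a behaviour change. If not, a comment such as `/* __unused is only written back on success */` would record the intent. The function starts above the hunk.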
2862 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/traps.c linux-2.6.32.46/arch/powerpc/kernel/traps.c
2863 --- linux-2.6.32.46/arch/powerpc/kernel/traps.c 2011-03-27 14:31:47.000000000 -0400
2864 +++ linux-2.6.32.46/arch/powerpc/kernel/traps.c 2011-06-13 21:33:37.000000000 -0400
2865 @@ -99,6 +99,8 @@ static void pmac_backlight_unblank(void)
2866 static inline void pmac_backlight_unblank(void) { }
2867 #endif
2868
2869 +extern void gr_handle_kernel_exploit(void);
2870 +
2871 int die(const char *str, struct pt_regs *regs, long err)
2872 {
2873 static struct {
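Review bot: `extern void gr_handle_kernel_exploit(void);` is declared in the .c file rather than in a shared header, so the compiler cannot check it against the definition. Moving the prototype into the header that accompanies the definition (not visible here) would catch a signature mismatch at build time. The call added in the next hunk sits after the `panic_on_oops` check, so it is never reached when the kernel is configured to panic on oops. A comment at the call site should say whether that is intended.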
2874 @@ -168,6 +170,8 @@ int die(const char *str, struct pt_regs
2875 if (panic_on_oops)
2876 panic("Fatal exception");
2877
2878 + gr_handle_kernel_exploit();
2879 +
2880 oops_exit();
2881 do_exit(err);
2882
2883 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/vdso.c linux-2.6.32.46/arch/powerpc/kernel/vdso.c
2884 --- linux-2.6.32.46/arch/powerpc/kernel/vdso.c 2011-03-27 14:31:47.000000000 -0400
2885 +++ linux-2.6.32.46/arch/powerpc/kernel/vdso.c 2011-04-17 15:56:45.000000000 -0400
2886 @@ -36,6 +36,7 @@
2887 #include <asm/firmware.h>
2888 #include <asm/vdso.h>
2889 #include <asm/vdso_datapage.h>
2890 +#include <asm/mman.h>
2891
2892 #include "setup.h"
2893
2894 @@ -220,7 +221,7 @@ int arch_setup_additional_pages(struct l
2895 vdso_base = VDSO32_MBASE;
2896 #endif
2897
2898 - current->mm->context.vdso_base = 0;
2899 + current->mm->context.vdso_base = ~0UL;
2900
2901 /* vDSO has a problem and was disabled, just don't "enable" it for the
2902 * process
2903 @@ -240,7 +241,7 @@ int arch_setup_additional_pages(struct l
2904 vdso_base = get_unmapped_area(NULL, vdso_base,
2905 (vdso_pages << PAGE_SHIFT) +
2906 ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
2907 - 0, 0);
2908 + 0, MAP_PRIVATE | MAP_EXECUTABLE);
2909 if (IS_ERR_VALUE(vdso_base)) {
2910 rc = vdso_base;
2911 goto fail_mmapsem;
2912 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/vio.c linux-2.6.32.46/arch/powerpc/kernel/vio.c
2913 --- linux-2.6.32.46/arch/powerpc/kernel/vio.c 2011-03-27 14:31:47.000000000 -0400
2914 +++ linux-2.6.32.46/arch/powerpc/kernel/vio.c 2011-04-17 15:56:45.000000000 -0400
2915 @@ -601,11 +601,12 @@ static void vio_dma_iommu_unmap_sg(struc
2916 vio_cmo_dealloc(viodev, alloc_size);
2917 }
2918
2919 -struct dma_map_ops vio_dma_mapping_ops = {
2920 +static const struct dma_map_ops vio_dma_mapping_ops = {
2921 .alloc_coherent = vio_dma_iommu_alloc_coherent,
2922 .free_coherent = vio_dma_iommu_free_coherent,
2923 .map_sg = vio_dma_iommu_map_sg,
2924 .unmap_sg = vio_dma_iommu_unmap_sg,
2925 + .dma_supported = dma_iommu_dma_supported,
2926 .map_page = vio_dma_iommu_map_page,
2927 .unmap_page = vio_dma_iommu_unmap_page,
2928
2929 @@ -857,7 +858,6 @@ static void vio_cmo_bus_remove(struct vi
2930
2931 static void vio_cmo_set_dma_ops(struct vio_dev *viodev)
2932 {
2933 - vio_dma_mapping_ops.dma_supported = dma_iommu_ops.dma_supported;
2934 viodev->dev.archdata.dma_ops = &vio_dma_mapping_ops;
2935 }
2936
2937 diff -urNp linux-2.6.32.46/arch/powerpc/lib/usercopy_64.c linux-2.6.32.46/arch/powerpc/lib/usercopy_64.c
2938 --- linux-2.6.32.46/arch/powerpc/lib/usercopy_64.c 2011-03-27 14:31:47.000000000 -0400
2939 +++ linux-2.6.32.46/arch/powerpc/lib/usercopy_64.c 2011-04-17 15:56:45.000000000 -0400
2940 @@ -9,22 +9,6 @@
2941 #include <linux/module.h>
2942 #include <asm/uaccess.h>
2943
2944 -unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
2945 -{
2946 - if (likely(access_ok(VERIFY_READ, from, n)))
2947 - n = __copy_from_user(to, from, n);
2948 - else
2949 - memset(to, 0, n);
2950 - return n;
2951 -}
2952 -
2953 -unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
2954 -{
2955 - if (likely(access_ok(VERIFY_WRITE, to, n)))
2956 - n = __copy_to_user(to, from, n);
2957 - return n;
2958 -}
2959 -
2960 unsigned long copy_in_user(void __user *to, const void __user *from,
2961 unsigned long n)
2962 {
2963 @@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *
2964 return n;
2965 }
2966
2967 -EXPORT_SYMBOL(copy_from_user);
2968 -EXPORT_SYMBOL(copy_to_user);
2969 EXPORT_SYMBOL(copy_in_user);
2970
2971 diff -urNp linux-2.6.32.46/arch/powerpc/Makefile linux-2.6.32.46/arch/powerpc/Makefile
2972 --- linux-2.6.32.46/arch/powerpc/Makefile 2011-03-27 14:31:47.000000000 -0400
2973 +++ linux-2.6.32.46/arch/powerpc/Makefile 2011-08-21 19:27:08.000000000 -0400
2974 @@ -74,6 +74,8 @@ KBUILD_AFLAGS += -Iarch/$(ARCH)
2975 KBUILD_CFLAGS += -msoft-float -pipe -Iarch/$(ARCH) $(CFLAGS-y)
2976 CPP = $(CC) -E $(KBUILD_CFLAGS)
2977
2978 +cflags-y += -Wno-sign-compare -Wno-extra
2979 +
2980 CHECKFLAGS += -m$(CONFIG_WORD_SIZE) -D__powerpc__ -D__powerpc$(CONFIG_WORD_SIZE)__
2981
2982 ifeq ($(CONFIG_PPC64),y)
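Review bot: The added line appends to `cflags-y`, while the `KBUILD_CFLAGS` line at the top of the hunk expands `$(CFLAGS-y)`. Make variable names are case-sensitive, so unless `cflags-y` is consumed elsewhere in the Makefile these flags never reach the compiler. If they are meant to apply, `KBUILD_CFLAGS += -Wno-sign-compare -Wno-extra` states it directly. Either way, silencing `-Wsign-compare` for the whole architecture hides the kind of signed/unsigned mix-up that this patch fixes by hand elsewhere, for example the `regno` and loop-index type changes. A narrower scope or a comment giving the reason would help.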
2983 diff -urNp linux-2.6.32.46/arch/powerpc/mm/fault.c linux-2.6.32.46/arch/powerpc/mm/fault.c
2984 --- linux-2.6.32.46/arch/powerpc/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
2985 +++ linux-2.6.32.46/arch/powerpc/mm/fault.c 2011-04-17 15:56:45.000000000 -0400
2986 @@ -30,6 +30,10 @@
2987 #include <linux/kprobes.h>
2988 #include <linux/kdebug.h>
2989 #include <linux/perf_event.h>
2990 +#include <linux/slab.h>
2991 +#include <linux/pagemap.h>
2992 +#include <linux/compiler.h>
2993 +#include <linux/unistd.h>
2994
2995 #include <asm/firmware.h>
2996 #include <asm/page.h>
2997 @@ -40,6 +44,7 @@
2998 #include <asm/uaccess.h>
2999 #include <asm/tlbflush.h>
3000 #include <asm/siginfo.h>
3001 +#include <asm/ptrace.h>
3002
3003
3004 #ifdef CONFIG_KPROBES
3005 @@ -64,6 +69,33 @@ static inline int notify_page_fault(stru
3006 }
3007 #endif
3008
3009 +#ifdef CONFIG_PAX_PAGEEXEC
3010 +/*
3011 + * PaX: decide what to do with offenders (regs->nip = fault address)
3012 + *
3013 + * returns 1 when task should be killed
3014 + */
3015 +static int pax_handle_fetch_fault(struct pt_regs *regs)
3016 +{
3017 + return 1;
3018 +}
3019 +
3020 +void pax_report_insns(void *pc, void *sp)
3021 +{
3022 + unsigned long i;
3023 +
3024 + printk(KERN_ERR "PAX: bytes at PC: ");
3025 + for (i = 0; i < 5; i++) {
3026 + unsigned int c;
3027 + if (get_user(c, (unsigned int __user *)pc+i))
3028 + printk(KERN_CONT "???????? ");
3029 + else
3030 + printk(KERN_CONT "%08x ", c);
3031 + }
3032 + printk("\n");
3033 +}
3034 +#endif
3035 +
3036 /*
3037 * Check whether the instruction at regs->nip is a store using
3038 * an update addressing form which will update r1.
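Review bot: In `pax_report_insns()` the closing `printk("\n")` has no `KERN_CONT`, unlike the continuation calls in the loop, so it can start a new log record instead of terminating the "bytes at PC" line. `printk(KERN_CONT "\n");` matches the rest. `pax_handle_fetch_fault()` always returns 1 although its comment describes a decision, and the `sp` parameter of `pax_report_insns()` is unused. A one-line comment stating that this architecture has no recoverable cases, if that is the reason, would make the stub's intent clear.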
3039 @@ -134,7 +166,7 @@ int __kprobes do_page_fault(struct pt_re
3040 * indicate errors in DSISR but can validly be set in SRR1.
3041 */
3042 if (trap == 0x400)
3043 - error_code &= 0x48200000;
3044 + error_code &= 0x58200000;
3045 else
3046 is_write = error_code & DSISR_ISSTORE;
3047 #else
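Review bot: The mask grows from `0x48200000` to `0x58200000` as a bare literal. The added bit is `0x10000000`, which the next hunk replaces with `DSISR_GUARDED`. Writing the line as `error_code &= 0x48200000 | DSISR_GUARDED;` would show which bit is now let through. `do_page_fault()` starts above the hunk.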
3048 @@ -250,7 +282,7 @@ good_area:
3049 * "undefined". Of those that can be set, this is the only
3050 * one which seems bad.
3051 */
3052 - if (error_code & 0x10000000)
3053 + if (error_code & DSISR_GUARDED)
3054 /* Guarded storage error. */
3055 goto bad_area;
3056 #endif /* CONFIG_8xx */
3057 @@ -265,7 +297,7 @@ good_area:
3058 * processors use the same I/D cache coherency mechanism
3059 * as embedded.
3060 */
3061 - if (error_code & DSISR_PROTFAULT)
3062 + if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))
3063 goto bad_area;
3064 #endif /* CONFIG_PPC_STD_MMU */
3065
3066 @@ -335,6 +367,23 @@ bad_area:
3067 bad_area_nosemaphore:
3068 /* User mode accesses cause a SIGSEGV */
3069 if (user_mode(regs)) {
3070 +
3071 +#ifdef CONFIG_PAX_PAGEEXEC
3072 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
3073 +#ifdef CONFIG_PPC_STD_MMU
3074 + if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
3075 +#else
3076 + if (is_exec && regs->nip == address) {
3077 +#endif
3078 + switch (pax_handle_fetch_fault(regs)) {
3079 + }
3080 +
3081 + pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
3082 + do_group_exit(SIGKILL);
3083 + }
3084 + }
3085 +#endif
3086 +
3087 _exception(SIGSEGV, regs, code, address);
3088 return 0;
3089 }
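Review bot: `switch (pax_handle_fetch_fault(regs)) { }` has an empty body, so the return value documented as "returns 1 when task should be killed" is discarded and the task is reported and killed unconditionally. Either drop the switch, or test the result with `if (pax_handle_fetch_fault(regs) == 1) {` around the `pax_report_fault()` and `do_group_exit(SIGKILL)` pair. Also, the two alternative `if (is_exec ...) {` openers under `#ifdef CONFIG_PPC_STD_MMU` and `#else` share one closing brace, which is easy to break when editing. Computing the condition into a local variable first would avoid that. The enclosing function starts above the hunk.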
3090 diff -urNp linux-2.6.32.46/arch/powerpc/mm/mem.c linux-2.6.32.46/arch/powerpc/mm/mem.c
3091 --- linux-2.6.32.46/arch/powerpc/mm/mem.c 2011-03-27 14:31:47.000000000 -0400
3092 +++ linux-2.6.32.46/arch/powerpc/mm/mem.c 2011-08-21 15:50:39.000000000 -0400
3093 @@ -250,7 +250,7 @@ static int __init mark_nonram_nosave(voi
3094 {
3095 unsigned long lmb_next_region_start_pfn,
3096 lmb_region_max_pfn;
3097 - int i;
3098 + unsigned int i;
3099
3100 for (i = 0; i < lmb.memory.cnt - 1; i++) {
3101 lmb_region_max_pfn =
3102 diff -urNp linux-2.6.32.46/arch/powerpc/mm/mmap_64.c linux-2.6.32.46/arch/powerpc/mm/mmap_64.c
3103 --- linux-2.6.32.46/arch/powerpc/mm/mmap_64.c 2011-03-27 14:31:47.000000000 -0400
3104 +++ linux-2.6.32.46/arch/powerpc/mm/mmap_64.c 2011-04-17 15:56:45.000000000 -0400
3105 @@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str
3106 */
3107 if (mmap_is_legacy()) {
3108 mm->mmap_base = TASK_UNMAPPED_BASE;
3109 +
3110 +#ifdef CONFIG_PAX_RANDMMAP
3111 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3112 + mm->mmap_base += mm->delta_mmap;
3113 +#endif
3114 +
3115 mm->get_unmapped_area = arch_get_unmapped_area;
3116 mm->unmap_area = arch_unmap_area;
3117 } else {
3118 mm->mmap_base = mmap_base();
3119 +
3120 +#ifdef CONFIG_PAX_RANDMMAP
3121 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3122 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3123 +#endif
3124 +
3125 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3126 mm->unmap_area = arch_unmap_area_topdown;
3127 }
3128 diff -urNp linux-2.6.32.46/arch/powerpc/mm/slice.c linux-2.6.32.46/arch/powerpc/mm/slice.c
3129 --- linux-2.6.32.46/arch/powerpc/mm/slice.c 2011-03-27 14:31:47.000000000 -0400
3130 +++ linux-2.6.32.46/arch/powerpc/mm/slice.c 2011-04-17 15:56:45.000000000 -0400
3131 @@ -98,7 +98,7 @@ static int slice_area_is_free(struct mm_
3132 if ((mm->task_size - len) < addr)
3133 return 0;
3134 vma = find_vma(mm, addr);
3135 - return (!vma || (addr + len) <= vma->vm_start);
3136 + return check_heap_stack_gap(vma, addr, len);
3137 }
3138
3139 static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
3140 @@ -256,7 +256,7 @@ full_search:
3141 addr = _ALIGN_UP(addr + 1, 1ul << SLICE_HIGH_SHIFT);
3142 continue;
3143 }
3144 - if (!vma || addr + len <= vma->vm_start) {
3145 + if (check_heap_stack_gap(vma, addr, len)) {
3146 /*
3147 * Remember the place where we stopped the search:
3148 */
3149 @@ -313,10 +313,14 @@ static unsigned long slice_find_area_top
3150 }
3151 }
3152
3153 - addr = mm->mmap_base;
3154 - while (addr > len) {
3155 + if (mm->mmap_base < len)
3156 + addr = -ENOMEM;
3157 + else
3158 + addr = mm->mmap_base - len;
3159 +
3160 + while (!IS_ERR_VALUE(addr)) {
3161 /* Go down by chunk size */
3162 - addr = _ALIGN_DOWN(addr - len, 1ul << pshift);
3163 + addr = _ALIGN_DOWN(addr, 1ul << pshift);
3164
3165 /* Check for hit with different page size */
3166 mask = slice_range_to_mask(addr, len);
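Review bot: The rewritten loop no longer lowers `addr` at the top of each iteration. The old `_ALIGN_DOWN(addr - len, 1ul << pshift)` becomes `_ALIGN_DOWN(addr, 1ul << pshift)`, which leaves an already aligned address unchanged, so the retained comment "Go down by chunk size" no longer describes the statement. Progress now depends on the reassignment of `addr` at the bottom of the loop, shown in a later hunk as `addr = skip_heap_stack_gap(vma, len);`. Any path in between that uses `continue` without changing `addr` would spin forever; the page-size mismatch check directly below this hunk is one, if it is unchanged. Such a path needs its own step-down before continuing, for instance `addr = (addr < len) ? -ENOMEM : addr - len;`. The loop body continues outside the hunk.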
3167 @@ -336,7 +340,7 @@ static unsigned long slice_find_area_top
3168 * return with success:
3169 */
3170 vma = find_vma(mm, addr);
3171 - if (!vma || (addr + len) <= vma->vm_start) {
3172 + if (check_heap_stack_gap(vma, addr, len)) {
3173 /* remember the address as a hint for next time */
3174 if (use_cache)
3175 mm->free_area_cache = addr;
3176 @@ -348,7 +352,7 @@ static unsigned long slice_find_area_top
3177 mm->cached_hole_size = vma->vm_start - addr;
3178
3179 /* try just below the current vma->vm_start */
3180 - addr = vma->vm_start;
3181 + addr = skip_heap_stack_gap(vma, len);
3182 }
3183
3184 /*
3185 @@ -426,6 +430,11 @@ unsigned long slice_get_unmapped_area(un
3186 if (fixed && addr > (mm->task_size - len))
3187 return -EINVAL;
3188
3189 +#ifdef CONFIG_PAX_RANDMMAP
3190 + if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
3191 + addr = 0;
3192 +#endif
3193 +
3194 /* If hint, make sure it matches our alignment restrictions */
3195 if (!fixed && addr) {
3196 addr = _ALIGN_UP(addr, 1ul << pshift);
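Review bot: The new `addr = 0` under `MF_PAX_RANDMMAP` silently discards the caller's address hint and has no comment explaining why. A hint would otherwise let the caller influence where a non-fixed mapping lands, which works against the randomisation, while `fixed` requests are still honoured as before. A comment such as `/* ignore mmap hints under RANDMMAP so the caller cannot choose the placement */` above the assignment would record the intent. `slice_get_unmapped_area` starts and ends outside the hunk.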
3197 diff -urNp linux-2.6.32.46/arch/powerpc/platforms/52xx/lite5200_pm.c linux-2.6.32.46/arch/powerpc/platforms/52xx/lite5200_pm.c
3198 --- linux-2.6.32.46/arch/powerpc/platforms/52xx/lite5200_pm.c 2011-03-27 14:31:47.000000000 -0400
3199 +++ linux-2.6.32.46/arch/powerpc/platforms/52xx/lite5200_pm.c 2011-04-17 15:56:45.000000000 -0400
3200 @@ -235,7 +235,7 @@ static void lite5200_pm_end(void)
3201 lite5200_pm_target_state = PM_SUSPEND_ON;
3202 }
3203
3204 -static struct platform_suspend_ops lite5200_pm_ops = {
3205 +static const struct platform_suspend_ops lite5200_pm_ops = {
3206 .valid = lite5200_pm_valid,
3207 .begin = lite5200_pm_begin,
3208 .prepare = lite5200_pm_prepare,
3209 diff -urNp linux-2.6.32.46/arch/powerpc/platforms/52xx/mpc52xx_pm.c linux-2.6.32.46/arch/powerpc/platforms/52xx/mpc52xx_pm.c
3210 --- linux-2.6.32.46/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2011-03-27 14:31:47.000000000 -0400
3211 +++ linux-2.6.32.46/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2011-04-17 15:56:45.000000000 -0400
3212 @@ -180,7 +180,7 @@ void mpc52xx_pm_finish(void)
3213 iounmap(mbar);
3214 }
3215
3216 -static struct platform_suspend_ops mpc52xx_pm_ops = {
3217 +static const struct platform_suspend_ops mpc52xx_pm_ops = {
3218 .valid = mpc52xx_pm_valid,
3219 .prepare = mpc52xx_pm_prepare,
3220 .enter = mpc52xx_pm_enter,
3221 diff -urNp linux-2.6.32.46/arch/powerpc/platforms/83xx/suspend.c linux-2.6.32.46/arch/powerpc/platforms/83xx/suspend.c
3222 --- linux-2.6.32.46/arch/powerpc/platforms/83xx/suspend.c 2011-03-27 14:31:47.000000000 -0400
3223 +++ linux-2.6.32.46/arch/powerpc/platforms/83xx/suspend.c 2011-04-17 15:56:45.000000000 -0400
3224 @@ -273,7 +273,7 @@ static int mpc83xx_is_pci_agent(void)
3225 return ret;
3226 }
3227
3228 -static struct platform_suspend_ops mpc83xx_suspend_ops = {
3229 +static const struct platform_suspend_ops mpc83xx_suspend_ops = {
3230 .valid = mpc83xx_suspend_valid,
3231 .begin = mpc83xx_suspend_begin,
3232 .enter = mpc83xx_suspend_enter,
3233 diff -urNp linux-2.6.32.46/arch/powerpc/platforms/cell/iommu.c linux-2.6.32.46/arch/powerpc/platforms/cell/iommu.c
3234 --- linux-2.6.32.46/arch/powerpc/platforms/cell/iommu.c 2011-03-27 14:31:47.000000000 -0400
3235 +++ linux-2.6.32.46/arch/powerpc/platforms/cell/iommu.c 2011-04-17 15:56:45.000000000 -0400
3236 @@ -642,7 +642,7 @@ static int dma_fixed_dma_supported(struc
3237
3238 static int dma_set_mask_and_switch(struct device *dev, u64 dma_mask);
3239
3240 -struct dma_map_ops dma_iommu_fixed_ops = {
3241 +const struct dma_map_ops dma_iommu_fixed_ops = {
3242 .alloc_coherent = dma_fixed_alloc_coherent,
3243 .free_coherent = dma_fixed_free_coherent,
3244 .map_sg = dma_fixed_map_sg,
3245 diff -urNp linux-2.6.32.46/arch/powerpc/platforms/ps3/system-bus.c linux-2.6.32.46/arch/powerpc/platforms/ps3/system-bus.c
3246 --- linux-2.6.32.46/arch/powerpc/platforms/ps3/system-bus.c 2011-03-27 14:31:47.000000000 -0400
3247 +++ linux-2.6.32.46/arch/powerpc/platforms/ps3/system-bus.c 2011-04-17 15:56:45.000000000 -0400
3248 @@ -694,7 +694,7 @@ static int ps3_dma_supported(struct devi
3249 return mask >= DMA_BIT_MASK(32);
3250 }
3251
3252 -static struct dma_map_ops ps3_sb_dma_ops = {
3253 +static const struct dma_map_ops ps3_sb_dma_ops = {
3254 .alloc_coherent = ps3_alloc_coherent,
3255 .free_coherent = ps3_free_coherent,
3256 .map_sg = ps3_sb_map_sg,
3257 @@ -704,7 +704,7 @@ static struct dma_map_ops ps3_sb_dma_ops
3258 .unmap_page = ps3_unmap_page,
3259 };
3260
3261 -static struct dma_map_ops ps3_ioc0_dma_ops = {
3262 +static const struct dma_map_ops ps3_ioc0_dma_ops = {
3263 .alloc_coherent = ps3_alloc_coherent,
3264 .free_coherent = ps3_free_coherent,
3265 .map_sg = ps3_ioc0_map_sg,
3266 diff -urNp linux-2.6.32.46/arch/powerpc/platforms/pseries/Kconfig linux-2.6.32.46/arch/powerpc/platforms/pseries/Kconfig
3267 --- linux-2.6.32.46/arch/powerpc/platforms/pseries/Kconfig 2011-03-27 14:31:47.000000000 -0400
3268 +++ linux-2.6.32.46/arch/powerpc/platforms/pseries/Kconfig 2011-04-17 15:56:45.000000000 -0400
3269 @@ -2,6 +2,8 @@ config PPC_PSERIES
3270 depends on PPC64 && PPC_BOOK3S
3271 bool "IBM pSeries & new (POWER5-based) iSeries"
3272 select MPIC
3273 + select PCI_MSI
3274 + select XICS
3275 select PPC_I8259
3276 select PPC_RTAS
3277 select RTAS_ERROR_LOGGING
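Review bot: `select PCI_MSI` and `select XICS` are added without any explanation in this part of the patch, and `select` turns a symbol on without evaluating that symbol's own `depends on` lines. If either symbol depends on options that `PPC_PSERIES` does not guarantee, the resulting configuration can be inconsistent. The selected symbols' dependencies should be checked, and a one-line comment added saying why a hardening patch needs these selects. The config entry continues outside the hunk.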
3278 diff -urNp linux-2.6.32.46/arch/s390/include/asm/elf.h linux-2.6.32.46/arch/s390/include/asm/elf.h
3279 --- linux-2.6.32.46/arch/s390/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
3280 +++ linux-2.6.32.46/arch/s390/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
3281 @@ -164,6 +164,13 @@ extern unsigned int vdso_enabled;
3282 that it will "exec", and that there is sufficient room for the brk. */
3283 #define ELF_ET_DYN_BASE (STACK_TOP / 3 * 2)
3284
3285 +#ifdef CONFIG_PAX_ASLR
3286 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
3287 +
3288 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
3289 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
3290 +#endif
3291 +
3292 /* This yields a mask that user programs can use to figure out what
3293 instruction set this CPU supports. */
3294
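Review bot: `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` are introduced without a comment on their unit or on why `TIF_31BIT` tasks get 15 and other tasks 26. Presumably they are counts of random bits applied to the mmap and stack bases. A line such as `/* number of random bits; fewer for 31-bit tasks because of the smaller address space (TODO confirm) */` would let a reader judge the resulting entropy. Each macro expands to a `test_thread_flag()` call, so its value depends on the current task at every use. The sparc elf_32.h and elf_64.h hunks further down lack the same comment, and the stray space in `26 )` could be dropped.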
3295 diff -urNp linux-2.6.32.46/arch/s390/include/asm/setup.h linux-2.6.32.46/arch/s390/include/asm/setup.h
3296 --- linux-2.6.32.46/arch/s390/include/asm/setup.h 2011-03-27 14:31:47.000000000 -0400
3297 +++ linux-2.6.32.46/arch/s390/include/asm/setup.h 2011-04-17 15:56:45.000000000 -0400
3298 @@ -50,13 +50,13 @@ extern unsigned long memory_end;
3299 void detect_memory_layout(struct mem_chunk chunk[]);
3300
3301 #ifdef CONFIG_S390_SWITCH_AMODE
3302 -extern unsigned int switch_amode;
3303 +#define switch_amode (1)
3304 #else
3305 #define switch_amode (0)
3306 #endif
3307
3308 #ifdef CONFIG_S390_EXEC_PROTECT
3309 -extern unsigned int s390_noexec;
3310 +#define s390_noexec (1)
3311 #else
3312 #define s390_noexec (0)
3313 #endif
3314 diff -urNp linux-2.6.32.46/arch/s390/include/asm/uaccess.h linux-2.6.32.46/arch/s390/include/asm/uaccess.h
3315 --- linux-2.6.32.46/arch/s390/include/asm/uaccess.h 2011-03-27 14:31:47.000000000 -0400
3316 +++ linux-2.6.32.46/arch/s390/include/asm/uaccess.h 2011-04-17 15:56:45.000000000 -0400
3317 @@ -232,6 +232,10 @@ static inline unsigned long __must_check
3318 copy_to_user(void __user *to, const void *from, unsigned long n)
3319 {
3320 might_fault();
3321 +
3322 + if ((long)n < 0)
3323 + return n;
3324 +
3325 if (access_ok(VERIFY_WRITE, to, n))
3326 n = __copy_to_user(to, from, n);
3327 return n;
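Review bot: The `(long)n < 0` guard is added to `copy_to_user` here and to `__copy_from_user` and `copy_from_user` in the next two hunks, but no hunk in this file section touches `__copy_to_user`, so that variant is left without the check. If the omission is deliberate it deserves a comment; otherwise the same two lines belong there. In `copy_from_user` the early return also bypasses the `else` branch after `access_ok()` (its body is outside the hunk), so the destination buffer is left as it was and callers must treat the non-zero return as failure. A comment such as `/* a length with the sign bit set is almost certainly a negative value converted to unsigned long; refuse it */` would explain the cast.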
3328 @@ -257,6 +261,9 @@ copy_to_user(void __user *to, const void
3329 static inline unsigned long __must_check
3330 __copy_from_user(void *to, const void __user *from, unsigned long n)
3331 {
3332 + if ((long)n < 0)
3333 + return n;
3334 +
3335 if (__builtin_constant_p(n) && (n <= 256))
3336 return uaccess.copy_from_user_small(n, from, to);
3337 else
3338 @@ -283,6 +290,10 @@ static inline unsigned long __must_check
3339 copy_from_user(void *to, const void __user *from, unsigned long n)
3340 {
3341 might_fault();
3342 +
3343 + if ((long)n < 0)
3344 + return n;
3345 +
3346 if (access_ok(VERIFY_READ, from, n))
3347 n = __copy_from_user(to, from, n);
3348 else
3349 diff -urNp linux-2.6.32.46/arch/s390/Kconfig linux-2.6.32.46/arch/s390/Kconfig
3350 --- linux-2.6.32.46/arch/s390/Kconfig 2011-03-27 14:31:47.000000000 -0400
3351 +++ linux-2.6.32.46/arch/s390/Kconfig 2011-04-17 15:56:45.000000000 -0400
3352 @@ -194,28 +194,26 @@ config AUDIT_ARCH
3353
3354 config S390_SWITCH_AMODE
3355 bool "Switch kernel/user addressing modes"
3356 + default y
3357 help
3358 This option allows to switch the addressing modes of kernel and user
3359 - space. The kernel parameter switch_amode=on will enable this feature,
3360 - default is disabled. Enabling this (via kernel parameter) on machines
3361 - earlier than IBM System z9-109 EC/BC will reduce system performance.
3362 + space. Enabling this on machines earlier than IBM System z9-109 EC/BC
3363 + will reduce system performance.
3364
3365 Note that this option will also be selected by selecting the execute
3366 - protection option below. Enabling the execute protection via the
3367 - noexec kernel parameter will also switch the addressing modes,
3368 - independent of the switch_amode kernel parameter.
3369 + protection option below. Enabling the execute protection will also
3370 + switch the addressing modes, independent of this option.
3371
3372
3373 config S390_EXEC_PROTECT
3374 bool "Data execute protection"
3375 + default y
3376 select S390_SWITCH_AMODE
3377 help
3378 This option allows to enable a buffer overflow protection for user
3379 space programs and it also selects the addressing mode option above.
3380 - The kernel parameter noexec=on will enable this feature and also
3381 - switch the addressing modes, default is disabled. Enabling this (via
3382 - kernel parameter) on machines earlier than IBM System z9-109 EC/BC
3383 - will reduce system performance.
3384 + Enabling this on machines earlier than IBM System z9-109 EC/BC will
3385 + reduce system performance.
3386
3387 comment "Code generation options"
3388
3389 diff -urNp linux-2.6.32.46/arch/s390/kernel/module.c linux-2.6.32.46/arch/s390/kernel/module.c
3390 --- linux-2.6.32.46/arch/s390/kernel/module.c 2011-03-27 14:31:47.000000000 -0400
3391 +++ linux-2.6.32.46/arch/s390/kernel/module.c 2011-04-17 15:56:45.000000000 -0400
3392 @@ -166,11 +166,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
3393
3394 /* Increase core size by size of got & plt and set start
3395 offsets for got and plt. */
3396 - me->core_size = ALIGN(me->core_size, 4);
3397 - me->arch.got_offset = me->core_size;
3398 - me->core_size += me->arch.got_size;
3399 - me->arch.plt_offset = me->core_size;
3400 - me->core_size += me->arch.plt_size;
3401 + me->core_size_rw = ALIGN(me->core_size_rw, 4);
3402 + me->arch.got_offset = me->core_size_rw;
3403 + me->core_size_rw += me->arch.got_size;
3404 + me->arch.plt_offset = me->core_size_rx;
3405 + me->core_size_rx += me->arch.plt_size;
3406 return 0;
3407 }
3408
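Review bot: `me->core_size_rw` is rounded with `ALIGN(..., 4)` before it becomes `got_offset`, but `me->core_size_rx` is used as `plt_offset` without any rounding. The old code placed the PLT directly after the aligned GOT in a single region. Unless `core_size_rx` is aligned elsewhere, the stubs that `apply_rela` writes through `unsigned int *ip` may start at an unaligned offset; adding `me->core_size_rx = ALIGN(me->core_size_rx, 4);` before the assignment would keep the earlier layout guarantee. The later hunk that computes `ip = me->module_core_rx + me->arch.plt_offset + ...` stores the stub through the rx region, so that region has to be writable while relocations are applied, which cannot be confirmed from these hunks.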
3409 @@ -256,7 +256,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3410 if (info->got_initialized == 0) {
3411 Elf_Addr *gotent;
3412
3413 - gotent = me->module_core + me->arch.got_offset +
3414 + gotent = me->module_core_rw + me->arch.got_offset +
3415 info->got_offset;
3416 *gotent = val;
3417 info->got_initialized = 1;
3418 @@ -280,7 +280,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3419 else if (r_type == R_390_GOTENT ||
3420 r_type == R_390_GOTPLTENT)
3421 *(unsigned int *) loc =
3422 - (val + (Elf_Addr) me->module_core - loc) >> 1;
3423 + (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
3424 else if (r_type == R_390_GOT64 ||
3425 r_type == R_390_GOTPLT64)
3426 *(unsigned long *) loc = val;
3427 @@ -294,7 +294,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3428 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
3429 if (info->plt_initialized == 0) {
3430 unsigned int *ip;
3431 - ip = me->module_core + me->arch.plt_offset +
3432 + ip = me->module_core_rx + me->arch.plt_offset +
3433 info->plt_offset;
3434 #ifndef CONFIG_64BIT
3435 ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
3436 @@ -319,7 +319,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3437 val - loc + 0xffffUL < 0x1ffffeUL) ||
3438 (r_type == R_390_PLT32DBL &&
3439 val - loc + 0xffffffffULL < 0x1fffffffeULL)))
3440 - val = (Elf_Addr) me->module_core +
3441 + val = (Elf_Addr) me->module_core_rx +
3442 me->arch.plt_offset +
3443 info->plt_offset;
3444 val += rela->r_addend - loc;
3445 @@ -341,7 +341,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3446 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
3447 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
3448 val = val + rela->r_addend -
3449 - ((Elf_Addr) me->module_core + me->arch.got_offset);
3450 + ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
3451 if (r_type == R_390_GOTOFF16)
3452 *(unsigned short *) loc = val;
3453 else if (r_type == R_390_GOTOFF32)
3454 @@ -351,7 +351,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3455 break;
3456 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
3457 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
3458 - val = (Elf_Addr) me->module_core + me->arch.got_offset +
3459 + val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
3460 rela->r_addend - loc;
3461 if (r_type == R_390_GOTPC)
3462 *(unsigned int *) loc = val;
3463 diff -urNp linux-2.6.32.46/arch/s390/kernel/setup.c linux-2.6.32.46/arch/s390/kernel/setup.c
3464 --- linux-2.6.32.46/arch/s390/kernel/setup.c 2011-03-27 14:31:47.000000000 -0400
3465 +++ linux-2.6.32.46/arch/s390/kernel/setup.c 2011-04-17 15:56:45.000000000 -0400
3466 @@ -306,9 +306,6 @@ static int __init early_parse_mem(char *
3467 early_param("mem", early_parse_mem);
3468
3469 #ifdef CONFIG_S390_SWITCH_AMODE
3470 -unsigned int switch_amode = 0;
3471 -EXPORT_SYMBOL_GPL(switch_amode);
3472 -
3473 static int set_amode_and_uaccess(unsigned long user_amode,
3474 unsigned long user32_amode)
3475 {
3476 @@ -334,17 +331,6 @@ static int set_amode_and_uaccess(unsigne
3477 return 0;
3478 }
3479 }
3480 -
3481 -/*
3482 - * Switch kernel/user addressing modes?
3483 - */
3484 -static int __init early_parse_switch_amode(char *p)
3485 -{
3486 - switch_amode = 1;
3487 - return 0;
3488 -}
3489 -early_param("switch_amode", early_parse_switch_amode);
3490 -
3491 #else /* CONFIG_S390_SWITCH_AMODE */
3492 static inline int set_amode_and_uaccess(unsigned long user_amode,
3493 unsigned long user32_amode)
3494 @@ -353,24 +339,6 @@ static inline int set_amode_and_uaccess(
3495 }
3496 #endif /* CONFIG_S390_SWITCH_AMODE */
3497
3498 -#ifdef CONFIG_S390_EXEC_PROTECT
3499 -unsigned int s390_noexec = 0;
3500 -EXPORT_SYMBOL_GPL(s390_noexec);
3501 -
3502 -/*
3503 - * Enable execute protection?
3504 - */
3505 -static int __init early_parse_noexec(char *p)
3506 -{
3507 - if (!strncmp(p, "off", 3))
3508 - return 0;
3509 - switch_amode = 1;
3510 - s390_noexec = 1;
3511 - return 0;
3512 -}
3513 -early_param("noexec", early_parse_noexec);
3514 -#endif /* CONFIG_S390_EXEC_PROTECT */
3515 -
3516 static void setup_addressing_mode(void)
3517 {
3518 if (s390_noexec) {
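Review bot: With `early_parse_noexec` removed here and `early_parse_switch_amode` removed in the previous hunk, a command line that still carries `noexec=off` is no longer parsed by this file, and nothing tells the administrator that the setting had no effect. The Kconfig help text in this patch still warns of reduced performance on machines earlier than IBM System z9-109, so the help text or the kernel-parameters documentation should state that both features are now fixed at build time. `setup_addressing_mode` continues outside the hunk.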
3519 diff -urNp linux-2.6.32.46/arch/s390/mm/mmap.c linux-2.6.32.46/arch/s390/mm/mmap.c
3520 --- linux-2.6.32.46/arch/s390/mm/mmap.c 2011-03-27 14:31:47.000000000 -0400
3521 +++ linux-2.6.32.46/arch/s390/mm/mmap.c 2011-04-17 15:56:45.000000000 -0400
3522 @@ -78,10 +78,22 @@ void arch_pick_mmap_layout(struct mm_str
3523 */
3524 if (mmap_is_legacy()) {
3525 mm->mmap_base = TASK_UNMAPPED_BASE;
3526 +
3527 +#ifdef CONFIG_PAX_RANDMMAP
3528 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3529 + mm->mmap_base += mm->delta_mmap;
3530 +#endif
3531 +
3532 mm->get_unmapped_area = arch_get_unmapped_area;
3533 mm->unmap_area = arch_unmap_area;
3534 } else {
3535 mm->mmap_base = mmap_base();
3536 +
3537 +#ifdef CONFIG_PAX_RANDMMAP
3538 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3539 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3540 +#endif
3541 +
3542 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3543 mm->unmap_area = arch_unmap_area_topdown;
3544 }
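Review bot: The top-down branch subtracts `mm->delta_mmap + mm->delta_stack` from `mmap_base()` with no comment on why the stack delta is included and no check that the result stays above a sensible lower bound. Presumably the stack delta is there so that a randomised stack cannot reach into the mmap region, and presumably the gap computed by `mmap_base()` is always larger than both deltas; both assumptions are worth stating, e.g. `/* keep the randomised stack and the mmap region apart */`. The second `arch_pick_mmap_layout` hunk in this file repeats the same lines.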
3545 @@ -153,10 +165,22 @@ void arch_pick_mmap_layout(struct mm_str
3546 */
3547 if (mmap_is_legacy()) {
3548 mm->mmap_base = TASK_UNMAPPED_BASE;
3549 +
3550 +#ifdef CONFIG_PAX_RANDMMAP
3551 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3552 + mm->mmap_base += mm->delta_mmap;
3553 +#endif
3554 +
3555 mm->get_unmapped_area = s390_get_unmapped_area;
3556 mm->unmap_area = arch_unmap_area;
3557 } else {
3558 mm->mmap_base = mmap_base();
3559 +
3560 +#ifdef CONFIG_PAX_RANDMMAP
3561 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3562 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3563 +#endif
3564 +
3565 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
3566 mm->unmap_area = arch_unmap_area_topdown;
3567 }
3568 diff -urNp linux-2.6.32.46/arch/score/include/asm/system.h linux-2.6.32.46/arch/score/include/asm/system.h
3569 --- linux-2.6.32.46/arch/score/include/asm/system.h 2011-03-27 14:31:47.000000000 -0400
3570 +++ linux-2.6.32.46/arch/score/include/asm/system.h 2011-04-17 15:56:45.000000000 -0400
3571 @@ -17,7 +17,7 @@ do { \
3572 #define finish_arch_switch(prev) do {} while (0)
3573
3574 typedef void (*vi_handler_t)(void);
3575 -extern unsigned long arch_align_stack(unsigned long sp);
3576 +#define arch_align_stack(x) (x)
3577
3578 #define mb() barrier()
3579 #define rmb() barrier()
3580 diff -urNp linux-2.6.32.46/arch/score/kernel/process.c linux-2.6.32.46/arch/score/kernel/process.c
3581 --- linux-2.6.32.46/arch/score/kernel/process.c 2011-03-27 14:31:47.000000000 -0400
3582 +++ linux-2.6.32.46/arch/score/kernel/process.c 2011-04-17 15:56:45.000000000 -0400
3583 @@ -161,8 +161,3 @@ unsigned long get_wchan(struct task_stru
3584
3585 return task_pt_regs(task)->cp0_epc;
3586 }
3587 -
3588 -unsigned long arch_align_stack(unsigned long sp)
3589 -{
3590 - return sp;
3591 -}
3592 diff -urNp linux-2.6.32.46/arch/sh/boards/mach-hp6xx/pm.c linux-2.6.32.46/arch/sh/boards/mach-hp6xx/pm.c
3593 --- linux-2.6.32.46/arch/sh/boards/mach-hp6xx/pm.c 2011-03-27 14:31:47.000000000 -0400
3594 +++ linux-2.6.32.46/arch/sh/boards/mach-hp6xx/pm.c 2011-04-17 15:56:45.000000000 -0400
3595 @@ -143,7 +143,7 @@ static int hp6x0_pm_enter(suspend_state_
3596 return 0;
3597 }
3598
3599 -static struct platform_suspend_ops hp6x0_pm_ops = {
3600 +static const struct platform_suspend_ops hp6x0_pm_ops = {
3601 .enter = hp6x0_pm_enter,
3602 .valid = suspend_valid_only_mem,
3603 };
3604 diff -urNp linux-2.6.32.46/arch/sh/kernel/cpu/sh4/sq.c linux-2.6.32.46/arch/sh/kernel/cpu/sh4/sq.c
3605 --- linux-2.6.32.46/arch/sh/kernel/cpu/sh4/sq.c 2011-03-27 14:31:47.000000000 -0400
3606 +++ linux-2.6.32.46/arch/sh/kernel/cpu/sh4/sq.c 2011-04-17 15:56:46.000000000 -0400
3607 @@ -327,7 +327,7 @@ static struct attribute *sq_sysfs_attrs[
3608 NULL,
3609 };
3610
3611 -static struct sysfs_ops sq_sysfs_ops = {
3612 +static const struct sysfs_ops sq_sysfs_ops = {
3613 .show = sq_sysfs_show,
3614 .store = sq_sysfs_store,
3615 };
3616 diff -urNp linux-2.6.32.46/arch/sh/kernel/cpu/shmobile/pm.c linux-2.6.32.46/arch/sh/kernel/cpu/shmobile/pm.c
3617 --- linux-2.6.32.46/arch/sh/kernel/cpu/shmobile/pm.c 2011-03-27 14:31:47.000000000 -0400
3618 +++ linux-2.6.32.46/arch/sh/kernel/cpu/shmobile/pm.c 2011-04-17 15:56:46.000000000 -0400
3619 @@ -58,7 +58,7 @@ static int sh_pm_enter(suspend_state_t s
3620 return 0;
3621 }
3622
3623 -static struct platform_suspend_ops sh_pm_ops = {
3624 +static const struct platform_suspend_ops sh_pm_ops = {
3625 .enter = sh_pm_enter,
3626 .valid = suspend_valid_only_mem,
3627 };
3628 diff -urNp linux-2.6.32.46/arch/sh/kernel/kgdb.c linux-2.6.32.46/arch/sh/kernel/kgdb.c
3629 --- linux-2.6.32.46/arch/sh/kernel/kgdb.c 2011-03-27 14:31:47.000000000 -0400
3630 +++ linux-2.6.32.46/arch/sh/kernel/kgdb.c 2011-04-17 15:56:46.000000000 -0400
3631 @@ -271,7 +271,7 @@ void kgdb_arch_exit(void)
3632 {
3633 }
3634
3635 -struct kgdb_arch arch_kgdb_ops = {
3636 +const struct kgdb_arch arch_kgdb_ops = {
3637 /* Breakpoint instruction: trapa #0x3c */
3638 #ifdef CONFIG_CPU_LITTLE_ENDIAN
3639 .gdb_bpt_instr = { 0x3c, 0xc3 },
3640 diff -urNp linux-2.6.32.46/arch/sh/mm/mmap.c linux-2.6.32.46/arch/sh/mm/mmap.c
3641 --- linux-2.6.32.46/arch/sh/mm/mmap.c 2011-03-27 14:31:47.000000000 -0400
3642 +++ linux-2.6.32.46/arch/sh/mm/mmap.c 2011-04-17 15:56:46.000000000 -0400
3643 @@ -74,8 +74,7 @@ unsigned long arch_get_unmapped_area(str
3644 addr = PAGE_ALIGN(addr);
3645
3646 vma = find_vma(mm, addr);
3647 - if (TASK_SIZE - len >= addr &&
3648 - (!vma || addr + len <= vma->vm_start))
3649 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3650 return addr;
3651 }
3652
3653 @@ -106,7 +105,7 @@ full_search:
3654 }
3655 return -ENOMEM;
3656 }
3657 - if (likely(!vma || addr + len <= vma->vm_start)) {
3658 + if (likely(check_heap_stack_gap(vma, addr, len))) {
3659 /*
3660 * Remember the place where we stopped the search:
3661 */
3662 @@ -157,8 +156,7 @@ arch_get_unmapped_area_topdown(struct fi
3663 addr = PAGE_ALIGN(addr);
3664
3665 vma = find_vma(mm, addr);
3666 - if (TASK_SIZE - len >= addr &&
3667 - (!vma || addr + len <= vma->vm_start))
3668 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3669 return addr;
3670 }
3671
3672 @@ -179,7 +177,7 @@ arch_get_unmapped_area_topdown(struct fi
3673 /* make sure it can fit in the remaining address space */
3674 if (likely(addr > len)) {
3675 vma = find_vma(mm, addr-len);
3676 - if (!vma || addr <= vma->vm_start) {
3677 + if (check_heap_stack_gap(vma, addr - len, len)) {
3678 /* remember the address as a hint for next time */
3679 return (mm->free_area_cache = addr-len);
3680 }
3681 @@ -188,18 +186,18 @@ arch_get_unmapped_area_topdown(struct fi
3682 if (unlikely(mm->mmap_base < len))
3683 goto bottomup;
3684
3685 - addr = mm->mmap_base-len;
3686 - if (do_colour_align)
3687 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3688 + addr = mm->mmap_base - len;
3689
3690 do {
3691 + if (do_colour_align)
3692 + addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3693 /*
3694 * Lookup failure means no vma is above this address,
3695 * else if new region fits below vma->vm_start,
3696 * return with success:
3697 */
3698 vma = find_vma(mm, addr);
3699 - if (likely(!vma || addr+len <= vma->vm_start)) {
3700 + if (likely(check_heap_stack_gap(vma, addr, len))) {
3701 /* remember the address as a hint for next time */
3702 return (mm->free_area_cache = addr);
3703 }
3704 @@ -209,10 +207,8 @@ arch_get_unmapped_area_topdown(struct fi
3705 mm->cached_hole_size = vma->vm_start - addr;
3706
3707 /* try just below the current vma->vm_start */
3708 - addr = vma->vm_start-len;
3709 - if (do_colour_align)
3710 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3711 - } while (likely(len < vma->vm_start));
3712 + addr = skip_heap_stack_gap(vma, len);
3713 + } while (!IS_ERR_VALUE(addr));
3714
3715 bottomup:
3716 /*
3717 diff -urNp linux-2.6.32.46/arch/sparc/include/asm/atomic_64.h linux-2.6.32.46/arch/sparc/include/asm/atomic_64.h
3718 --- linux-2.6.32.46/arch/sparc/include/asm/atomic_64.h 2011-03-27 14:31:47.000000000 -0400
3719 +++ linux-2.6.32.46/arch/sparc/include/asm/atomic_64.h 2011-08-18 23:11:34.000000000 -0400
3720 @@ -14,18 +14,40 @@
3721 #define ATOMIC64_INIT(i) { (i) }
3722
3723 #define atomic_read(v) ((v)->counter)
3724 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
3725 +{
3726 + return v->counter;
3727 +}
3728 #define atomic64_read(v) ((v)->counter)
3729 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
3730 +{
3731 + return v->counter;
3732 +}
3733
3734 #define atomic_set(v, i) (((v)->counter) = i)
3735 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
3736 +{
3737 + v->counter = i;
3738 +}
3739 #define atomic64_set(v, i) (((v)->counter) = i)
3740 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
3741 +{
3742 + v->counter = i;
3743 +}
3744
3745 extern void atomic_add(int, atomic_t *);
3746 +extern void atomic_add_unchecked(int, atomic_unchecked_t *);
3747 extern void atomic64_add(long, atomic64_t *);
3748 +extern void atomic64_add_unchecked(long, atomic64_unchecked_t *);
3749 extern void atomic_sub(int, atomic_t *);
3750 +extern void atomic_sub_unchecked(int, atomic_unchecked_t *);
3751 extern void atomic64_sub(long, atomic64_t *);
3752 +extern void atomic64_sub_unchecked(long, atomic64_unchecked_t *);
3753
3754 extern int atomic_add_ret(int, atomic_t *);
3755 +extern int atomic_add_ret_unchecked(int, atomic_unchecked_t *);
3756 extern long atomic64_add_ret(long, atomic64_t *);
3757 +extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *);
3758 extern int atomic_sub_ret(int, atomic_t *);
3759 extern long atomic64_sub_ret(long, atomic64_t *);
3760
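Review bot: The header gains a full set of `*_unchecked` accessors next to the existing ones without a comment saying how the two families differ. Judging by the `CONFIG_PAX_REFCOUNT` trap added to `atomic_add_unless` further down, the `_unchecked` variants presumably skip overflow detection and are meant for counters that may wrap. A comment such as `/* *_unchecked: no overflow trap; for counters that may wrap, never for reference counts */` above `atomic_read_unchecked` would guard against their use on reference counts by mistake. `atomic_add_ret_unchecked` is declared while no `atomic_sub_ret_unchecked` is, which looks intentional but is worth confirming.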
3761 @@ -33,13 +55,29 @@ extern long atomic64_sub_ret(long, atomi
3762 #define atomic64_dec_return(v) atomic64_sub_ret(1, v)
3763
3764 #define atomic_inc_return(v) atomic_add_ret(1, v)
3765 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
3766 +{
3767 + return atomic_add_ret_unchecked(1, v);
3768 +}
3769 #define atomic64_inc_return(v) atomic64_add_ret(1, v)
3770 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
3771 +{
3772 + return atomic64_add_ret_unchecked(1, v);
3773 +}
3774
3775 #define atomic_sub_return(i, v) atomic_sub_ret(i, v)
3776 #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v)
3777
3778 #define atomic_add_return(i, v) atomic_add_ret(i, v)
3779 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
3780 +{
3781 + return atomic_add_ret_unchecked(i, v);
3782 +}
3783 #define atomic64_add_return(i, v) atomic64_add_ret(i, v)
3784 +static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
3785 +{
3786 + return atomic64_add_ret_unchecked(i, v);
3787 +}
3788
3789 /*
3790 * atomic_inc_and_test - increment and test
3791 @@ -50,6 +88,10 @@ extern long atomic64_sub_ret(long, atomi
3792 * other cases.
3793 */
3794 #define atomic_inc_and_test(v) (atomic_inc_return(v) == 0)
3795 +static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
3796 +{
3797 + return atomic_inc_return_unchecked(v) == 0;
3798 +}
3799 #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0)
3800
3801 #define atomic_sub_and_test(i, v) (atomic_sub_ret(i, v) == 0)
3802 @@ -59,30 +101,65 @@ extern long atomic64_sub_ret(long, atomi
3803 #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
3804
3805 #define atomic_inc(v) atomic_add(1, v)
3806 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
3807 +{
3808 + atomic_add_unchecked(1, v);
3809 +}
3810 #define atomic64_inc(v) atomic64_add(1, v)
3811 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
3812 +{
3813 + atomic64_add_unchecked(1, v);
3814 +}
3815
3816 #define atomic_dec(v) atomic_sub(1, v)
3817 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
3818 +{
3819 + atomic_sub_unchecked(1, v);
3820 +}
3821 #define atomic64_dec(v) atomic64_sub(1, v)
3822 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
3823 +{
3824 + atomic64_sub_unchecked(1, v);
3825 +}
3826
3827 #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0)
3828 #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0)
3829
3830 #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
3831 +static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
3832 +{
3833 + return cmpxchg(&v->counter, old, new);
3834 +}
3835 #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
3836 +static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
3837 +{
3838 + return xchg(&v->counter, new);
3839 +}
3840
3841 static inline int atomic_add_unless(atomic_t *v, int a, int u)
3842 {
3843 - int c, old;
3844 + int c, old, new;
3845 c = atomic_read(v);
3846 for (;;) {
3847 - if (unlikely(c == (u)))
3848 + if (unlikely(c == u))
3849 break;
3850 - old = atomic_cmpxchg((v), c, c + (a));
3851 +
3852 + asm volatile("addcc %2, %0, %0\n"
3853 +
3854 +#ifdef CONFIG_PAX_REFCOUNT
3855 + "tvs %%icc, 6\n"
3856 +#endif
3857 +
3858 + : "=r" (new)
3859 + : "0" (c), "ir" (a)
3860 + : "cc");
3861 +
3862 + old = atomic_cmpxchg(v, c, new);
3863 if (likely(old == c))
3864 break;
3865 c = old;
3866 }
3867 - return c != (u);
3868 + return c != u;
3869 }
3870
3871 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
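Review bot: The trap operand in `tvs %%icc, 6` is a bare number, and nothing in `atomic_add_unless` explains that the addition is done in assembly so that a signed overflow traps before `atomic_cmpxchg` can store the wrapped value. A comment such as `/* trap on signed overflow so a wrapped count is never stored */` above the `asm`, and a named constant for the trap number, would make the hardening readable. The same applies to `atomic64_add_unless` in the next hunk, which uses `%%xcc`. With `CONFIG_PAX_REFCOUNT` disabled, the `asm volatile` still replaces the plain `c + a`, so it should be confirmed that this is intended rather than falling back to the C expression.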
3872 @@ -90,20 +167,35 @@ static inline int atomic_add_unless(atom
3873 #define atomic64_cmpxchg(v, o, n) \
3874 ((__typeof__((v)->counter))cmpxchg(&((v)->counter), (o), (n)))
3875 #define atomic64_xchg(v, new) (xchg(&((v)->counter), new))
3876 +static inline long atomic64_xchg_unchecked(atomic64_unchecked_t *v, long new)
3877 +{
3878 + return xchg(&v->counter, new);
3879 +}
3880
3881 static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
3882 {
3883 - long c, old;
3884 + long c, old, new;
3885 c = atomic64_read(v);
3886 for (;;) {
3887 - if (unlikely(c == (u)))
3888 + if (unlikely(c == u))
3889 break;
3890 - old = atomic64_cmpxchg((v), c, c + (a));
3891 +
3892 + asm volatile("addcc %2, %0, %0\n"
3893 +
3894 +#ifdef CONFIG_PAX_REFCOUNT
3895 + "tvs %%xcc, 6\n"
3896 +#endif
3897 +
3898 + : "=r" (new)
3899 + : "0" (c), "ir" (a)
3900 + : "cc");
3901 +
3902 + old = atomic64_cmpxchg(v, c, new);
3903 if (likely(old == c))
3904 break;
3905 c = old;
3906 }
3907 - return c != (u);
3908 + return c != u;
3909 }
3910
3911 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
3912 diff -urNp linux-2.6.32.46/arch/sparc/include/asm/cache.h linux-2.6.32.46/arch/sparc/include/asm/cache.h
3913 --- linux-2.6.32.46/arch/sparc/include/asm/cache.h 2011-03-27 14:31:47.000000000 -0400
3914 +++ linux-2.6.32.46/arch/sparc/include/asm/cache.h 2011-07-06 19:53:33.000000000 -0400
3915 @@ -8,7 +8,7 @@
3916 #define _SPARC_CACHE_H
3917
3918 #define L1_CACHE_SHIFT 5
3919 -#define L1_CACHE_BYTES 32
3920 +#define L1_CACHE_BYTES 32UL
3921 #define L1_CACHE_ALIGN(x) ((((x)+(L1_CACHE_BYTES-1))&~(L1_CACHE_BYTES-1)))
3922
3923 #ifdef CONFIG_SPARC32
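Review bot: `#define L1_CACHE_BYTES 32UL` puts a C integer suffix into a macro that assembly sources may also see, and the assembler does not accept `UL`. If any `.S` file includes this header and uses `L1_CACHE_BYTES`, the kernel's `_AC()` helper avoids the problem: `#define L1_CACHE_BYTES _AC(32, UL)`, with `linux/const.h` included. Whether such an assembly user exists cannot be determined from this hunk.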
3924 diff -urNp linux-2.6.32.46/arch/sparc/include/asm/dma-mapping.h linux-2.6.32.46/arch/sparc/include/asm/dma-mapping.h
3925 --- linux-2.6.32.46/arch/sparc/include/asm/dma-mapping.h 2011-03-27 14:31:47.000000000 -0400
3926 +++ linux-2.6.32.46/arch/sparc/include/asm/dma-mapping.h 2011-04-17 15:56:46.000000000 -0400
3927 @@ -14,10 +14,10 @@ extern int dma_set_mask(struct device *d
3928 #define dma_free_noncoherent(d, s, v, h) dma_free_coherent(d, s, v, h)
3929 #define dma_is_consistent(d, h) (1)
3930
3931 -extern struct dma_map_ops *dma_ops, pci32_dma_ops;
3932 +extern const struct dma_map_ops *dma_ops, pci32_dma_ops;
3933 extern struct bus_type pci_bus_type;
3934
3935 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3936 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3937 {
3938 #if defined(CONFIG_SPARC32) && defined(CONFIG_PCI)
3939 if (dev->bus == &pci_bus_type)
3940 @@ -31,7 +31,7 @@ static inline struct dma_map_ops *get_dm
3941 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3942 dma_addr_t *dma_handle, gfp_t flag)
3943 {
3944 - struct dma_map_ops *ops = get_dma_ops(dev);
3945 + const struct dma_map_ops *ops = get_dma_ops(dev);
3946 void *cpu_addr;
3947
3948 cpu_addr = ops->alloc_coherent(dev, size, dma_handle, flag);
3949 @@ -42,7 +42,7 @@ static inline void *dma_alloc_coherent(s
3950 static inline void dma_free_coherent(struct device *dev, size_t size,
3951 void *cpu_addr, dma_addr_t dma_handle)
3952 {
3953 - struct dma_map_ops *ops = get_dma_ops(dev);
3954 + const struct dma_map_ops *ops = get_dma_ops(dev);
3955
3956 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
3957 ops->free_coherent(dev, size, cpu_addr, dma_handle);
3958 diff -urNp linux-2.6.32.46/arch/sparc/include/asm/elf_32.h linux-2.6.32.46/arch/sparc/include/asm/elf_32.h
3959 --- linux-2.6.32.46/arch/sparc/include/asm/elf_32.h 2011-03-27 14:31:47.000000000 -0400
3960 +++ linux-2.6.32.46/arch/sparc/include/asm/elf_32.h 2011-04-17 15:56:46.000000000 -0400
3961 @@ -116,6 +116,13 @@ typedef struct {
3962
3963 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
3964
3965 +#ifdef CONFIG_PAX_ASLR
3966 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
3967 +
3968 +#define PAX_DELTA_MMAP_LEN 16
3969 +#define PAX_DELTA_STACK_LEN 16
3970 +#endif
3971 +
3972 /* This yields a mask that user programs can use to figure out what
3973 instruction set this cpu supports. This can NOT be done in userspace
3974 on Sparc. */
3975 diff -urNp linux-2.6.32.46/arch/sparc/include/asm/elf_64.h linux-2.6.32.46/arch/sparc/include/asm/elf_64.h
3976 --- linux-2.6.32.46/arch/sparc/include/asm/elf_64.h 2011-03-27 14:31:47.000000000 -0400
3977 +++ linux-2.6.32.46/arch/sparc/include/asm/elf_64.h 2011-04-17 15:56:46.000000000 -0400
3978 @@ -163,6 +163,12 @@ typedef struct {
3979 #define ELF_ET_DYN_BASE 0x0000010000000000UL
3980 #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
3981
3982 +#ifdef CONFIG_PAX_ASLR
3983 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
3984 +
3985 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28)
3986 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29)
3987 +#endif
3988
3989 /* This yields a mask that user programs can use to figure out what
3990 instruction set this cpu supports. */
3991 diff -urNp linux-2.6.32.46/arch/sparc/include/asm/pgtable_32.h linux-2.6.32.46/arch/sparc/include/asm/pgtable_32.h
3992 --- linux-2.6.32.46/arch/sparc/include/asm/pgtable_32.h 2011-03-27 14:31:47.000000000 -0400
3993 +++ linux-2.6.32.46/arch/sparc/include/asm/pgtable_32.h 2011-04-17 15:56:46.000000000 -0400
3994 @@ -43,6 +43,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd)
3995 BTFIXUPDEF_INT(page_none)
3996 BTFIXUPDEF_INT(page_copy)
3997 BTFIXUPDEF_INT(page_readonly)
3998 +
3999 +#ifdef CONFIG_PAX_PAGEEXEC
4000 +BTFIXUPDEF_INT(page_shared_noexec)
4001 +BTFIXUPDEF_INT(page_copy_noexec)
4002 +BTFIXUPDEF_INT(page_readonly_noexec)
4003 +#endif
4004 +
4005 BTFIXUPDEF_INT(page_kernel)
4006
4007 #define PMD_SHIFT SUN4C_PMD_SHIFT
4008 @@ -64,6 +71,16 @@ extern pgprot_t PAGE_SHARED;
4009 #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
4010 #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
4011
4012 +#ifdef CONFIG_PAX_PAGEEXEC
4013 +extern pgprot_t PAGE_SHARED_NOEXEC;
4014 +# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
4015 +# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
4016 +#else
4017 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
4018 +# define PAGE_COPY_NOEXEC PAGE_COPY
4019 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
4020 +#endif
4021 +
4022 extern unsigned long page_kernel;
4023
4024 #ifdef MODULE
4025 diff -urNp linux-2.6.32.46/arch/sparc/include/asm/pgtsrmmu.h linux-2.6.32.46/arch/sparc/include/asm/pgtsrmmu.h
4026 --- linux-2.6.32.46/arch/sparc/include/asm/pgtsrmmu.h 2011-03-27 14:31:47.000000000 -0400
4027 +++ linux-2.6.32.46/arch/sparc/include/asm/pgtsrmmu.h 2011-04-17 15:56:46.000000000 -0400
4028 @@ -115,6 +115,13 @@
4029 SRMMU_EXEC | SRMMU_REF)
4030 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
4031 SRMMU_EXEC | SRMMU_REF)
4032 +
4033 +#ifdef CONFIG_PAX_PAGEEXEC
4034 +#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
4035 +#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
4036 +#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
4037 +#endif
4038 +
4039 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
4040 SRMMU_DIRTY | SRMMU_REF)
4041
4042 diff -urNp linux-2.6.32.46/arch/sparc/include/asm/spinlock_64.h linux-2.6.32.46/arch/sparc/include/asm/spinlock_64.h
4043 --- linux-2.6.32.46/arch/sparc/include/asm/spinlock_64.h 2011-03-27 14:31:47.000000000 -0400
4044 +++ linux-2.6.32.46/arch/sparc/include/asm/spinlock_64.h 2011-08-18 23:19:30.000000000 -0400
4045 @@ -92,14 +92,19 @@ static inline void __raw_spin_lock_flags
4046
4047 /* Multi-reader locks, these are much saner than the 32-bit Sparc ones... */
4048
4049 -static void inline arch_read_lock(raw_rwlock_t *lock)
4050 +static inline void arch_read_lock(raw_rwlock_t *lock)
4051 {
4052 unsigned long tmp1, tmp2;
4053
4054 __asm__ __volatile__ (
4055 "1: ldsw [%2], %0\n"
4056 " brlz,pn %0, 2f\n"
4057 -"4: add %0, 1, %1\n"
4058 +"4: addcc %0, 1, %1\n"
4059 +
4060 +#ifdef CONFIG_PAX_REFCOUNT
4061 +" tvs %%icc, 6\n"
4062 +#endif
4063 +
4064 " cas [%2], %0, %1\n"
4065 " cmp %0, %1\n"
4066 " bne,pn %%icc, 1b\n"
4067 @@ -112,10 +117,10 @@ static void inline arch_read_lock(raw_rw
4068 " .previous"
4069 : "=&r" (tmp1), "=&r" (tmp2)
4070 : "r" (lock)
4071 - : "memory");
4072 + : "memory", "cc");
4073 }
4074
4075 -static int inline arch_read_trylock(raw_rwlock_t *lock)
4076 +static inline int arch_read_trylock(raw_rwlock_t *lock)
4077 {
4078 int tmp1, tmp2;
4079
4080 @@ -123,7 +128,12 @@ static int inline arch_read_trylock(raw_
4081 "1: ldsw [%2], %0\n"
4082 " brlz,a,pn %0, 2f\n"
4083 " mov 0, %0\n"
4084 -" add %0, 1, %1\n"
4085 +" addcc %0, 1, %1\n"
4086 +
4087 +#ifdef CONFIG_PAX_REFCOUNT
4088 +" tvs %%icc, 6\n"
4089 +#endif
4090 +
4091 " cas [%2], %0, %1\n"
4092 " cmp %0, %1\n"
4093 " bne,pn %%icc, 1b\n"
4094 @@ -136,13 +146,18 @@ static int inline arch_read_trylock(raw_
4095 return tmp1;
4096 }
4097
4098 -static void inline arch_read_unlock(raw_rwlock_t *lock)
4099 +static inline void arch_read_unlock(raw_rwlock_t *lock)
4100 {
4101 unsigned long tmp1, tmp2;
4102
4103 __asm__ __volatile__(
4104 "1: lduw [%2], %0\n"
4105 -" sub %0, 1, %1\n"
4106 +" subcc %0, 1, %1\n"
4107 +
4108 +#ifdef CONFIG_PAX_REFCOUNT
4109 +" tvs %%icc, 6\n"
4110 +#endif
4111 +
4112 " cas [%2], %0, %1\n"
4113 " cmp %0, %1\n"
4114 " bne,pn %%xcc, 1b\n"
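Review bot: arch_read_unlock now executes `subcc` and, under CONFIG_PAX_REFCOUNT, `tvs %%icc, 6`, but its clobber list, visible as context at the top of the next hunk, still reads `: "memory");`, while arch_read_lock was changed to `: "memory", "cc");`. The unlock path should declare the same clobber, `: "memory", "cc");`. arch_read_trylock gains the same `addcc` in the previous hunk and its clobber list lies outside the visible hunks, so it needs the same check. `tvs` tests signed overflow, so as far as the visible code shows, a decrement from zero would not trap here. If reader-count underflow is the case this check is meant to catch, a comment should say which values actually trigger it.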
4115 @@ -152,7 +167,7 @@ static void inline arch_read_unlock(raw_
4116 : "memory");
4117 }
4118
4119 -static void inline arch_write_lock(raw_rwlock_t *lock)
4120 +static inline void arch_write_lock(raw_rwlock_t *lock)
4121 {
4122 unsigned long mask, tmp1, tmp2;
4123
4124 @@ -177,7 +192,7 @@ static void inline arch_write_lock(raw_r
4125 : "memory");
4126 }
4127
4128 -static void inline arch_write_unlock(raw_rwlock_t *lock)
4129 +static inline void arch_write_unlock(raw_rwlock_t *lock)
4130 {
4131 __asm__ __volatile__(
4132 " stw %%g0, [%0]"
4133 @@ -186,7 +201,7 @@ static void inline arch_write_unlock(raw
4134 : "memory");
4135 }
4136
4137 -static int inline arch_write_trylock(raw_rwlock_t *lock)
4138 +static inline int arch_write_trylock(raw_rwlock_t *lock)
4139 {
4140 unsigned long mask, tmp1, tmp2, result;
4141
4142 diff -urNp linux-2.6.32.46/arch/sparc/include/asm/thread_info_32.h linux-2.6.32.46/arch/sparc/include/asm/thread_info_32.h
4143 --- linux-2.6.32.46/arch/sparc/include/asm/thread_info_32.h 2011-03-27 14:31:47.000000000 -0400
4144 +++ linux-2.6.32.46/arch/sparc/include/asm/thread_info_32.h 2011-06-04 20:46:01.000000000 -0400
4145 @@ -50,6 +50,8 @@ struct thread_info {
4146 unsigned long w_saved;
4147
4148 struct restart_block restart_block;
4149 +
4150 + unsigned long lowest_stack;
4151 };
4152
4153 /*
4154 diff -urNp linux-2.6.32.46/arch/sparc/include/asm/thread_info_64.h linux-2.6.32.46/arch/sparc/include/asm/thread_info_64.h
4155 --- linux-2.6.32.46/arch/sparc/include/asm/thread_info_64.h 2011-03-27 14:31:47.000000000 -0400
4156 +++ linux-2.6.32.46/arch/sparc/include/asm/thread_info_64.h 2011-06-04 20:46:21.000000000 -0400
4157 @@ -68,6 +68,8 @@ struct thread_info {
4158 struct pt_regs *kern_una_regs;
4159 unsigned int kern_una_insn;
4160
4161 + unsigned long lowest_stack;
4162 +
4163 unsigned long fpregs[0] __attribute__ ((aligned(64)));
4164 };
4165
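Review bot: `lowest_stack` is inserted in the middle of `struct thread_info`, directly before the 64-byte-aligned `fpregs[]`, whereas the 32-bit hunk appends it at the end of the structure. If any member offsets of this structure are hard-coded for assembly (not visible in the hunk), the new field must either fall into existing padding or come with updated offsets, and a build-time assertion on the offset of `fpregs` would confirm that. The field also has no comment saying what it tracks or which code updates it.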
4166 diff -urNp linux-2.6.32.46/arch/sparc/include/asm/uaccess_32.h linux-2.6.32.46/arch/sparc/include/asm/uaccess_32.h
4167 --- linux-2.6.32.46/arch/sparc/include/asm/uaccess_32.h 2011-03-27 14:31:47.000000000 -0400
4168 +++ linux-2.6.32.46/arch/sparc/include/asm/uaccess_32.h 2011-04-17 15:56:46.000000000 -0400
4169 @@ -249,27 +249,46 @@ extern unsigned long __copy_user(void __
4170
4171 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
4172 {
4173 - if (n && __access_ok((unsigned long) to, n))
4174 + if ((long)n < 0)
4175 + return n;
4176 +
4177 + if (n && __access_ok((unsigned long) to, n)) {
4178 + if (!__builtin_constant_p(n))
4179 + check_object_size(from, n, true);
4180 return __copy_user(to, (__force void __user *) from, n);
4181 - else
4182 + } else
4183 return n;
4184 }
4185
4186 static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
4187 {
4188 + if ((long)n < 0)
4189 + return n;
4190 +
4191 + if (!__builtin_constant_p(n))
4192 + check_object_size(from, n, true);
4193 +
4194 return __copy_user(to, (__force void __user *) from, n);
4195 }
4196
4197 static inline unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
4198 {
4199 - if (n && __access_ok((unsigned long) from, n))
4200 + if ((long)n < 0)
4201 + return n;
4202 +
4203 + if (n && __access_ok((unsigned long) from, n)) {
4204 + if (!__builtin_constant_p(n))
4205 + check_object_size(to, n, false);
4206 return __copy_user((__force void __user *) to, from, n);
4207 - else
4208 + } else
4209 return n;
4210 }
4211
4212 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
4213 {
4214 + if ((long)n < 0)
4215 + return n;
4216 +
4217 return __copy_user((__force void __user *) to, from, n);
4218 }
4219
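Review bot: `__copy_from_user` receives only the `(long)n < 0` guard, while the other three helpers in this hunk also call `check_object_size()` for non-constant sizes, so the kernel destination object is not bounds-checked on this path. If the omission is not deliberate, add `if (!__builtin_constant_p(n)) check_object_size(to, n, false);` before the `__copy_user` call, matching `copy_from_user`. If it is deliberate, a one-line comment giving the reason would keep the four helpers from being "aligned" by mistake later. The early `return n;` reports the whole length as uncopied without touching `to`, so callers must treat the buffer as uninitialised on that path.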
4220 diff -urNp linux-2.6.32.46/arch/sparc/include/asm/uaccess_64.h linux-2.6.32.46/arch/sparc/include/asm/uaccess_64.h
4221 --- linux-2.6.32.46/arch/sparc/include/asm/uaccess_64.h 2011-03-27 14:31:47.000000000 -0400
4222 +++ linux-2.6.32.46/arch/sparc/include/asm/uaccess_64.h 2011-04-17 15:56:46.000000000 -0400
4223 @@ -9,6 +9,7 @@
4224 #include <linux/compiler.h>
4225 #include <linux/string.h>
4226 #include <linux/thread_info.h>
4227 +#include <linux/kernel.h>
4228 #include <asm/asi.h>
4229 #include <asm/system.h>
4230 #include <asm/spitfire.h>
4231 @@ -212,8 +213,15 @@ extern unsigned long copy_from_user_fixu
4232 static inline unsigned long __must_check
4233 copy_from_user(void *to, const void __user *from, unsigned long size)
4234 {
4235 - unsigned long ret = ___copy_from_user(to, from, size);
4236 + unsigned long ret;
4237
4238 + if ((long)size < 0 || size > INT_MAX)
4239 + return size;
4240 +
4241 + if (!__builtin_constant_p(size))
4242 + check_object_size(to, size, false);
4243 +
4244 + ret = ___copy_from_user(to, from, size);
4245 if (unlikely(ret))
4246 ret = copy_from_user_fixup(to, from, size);
4247 return ret;
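Review bot: The guard `(long)size < 0 || size > INT_MAX` has a redundant first half: `size` is `unsigned long`, so any value with the top bit set is already greater than `INT_MAX`, and `if (size > INT_MAX) return size;` expresses the same check. The same expression is repeated in the `copy_to_user` hunk that follows. A short comment on why the limit here is `INT_MAX` while uaccess_32.h rejects only negative lengths would help, since the two files now accept different ranges. On the rejected path `to` is left unwritten and `copy_from_user_fixup` is skipped; the end of the function is outside the hunk.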
4248 @@ -228,8 +236,15 @@ extern unsigned long copy_to_user_fixup(
4249 static inline unsigned long __must_check
4250 copy_to_user(void __user *to, const void *from, unsigned long size)
4251 {
4252 - unsigned long ret = ___copy_to_user(to, from, size);
4253 + unsigned long ret;
4254 +
4255 + if ((long)size < 0 || size > INT_MAX)
4256 + return size;
4257 +
4258 + if (!__builtin_constant_p(size))
4259 + check_object_size(from, size, true);
4260
4261 + ret = ___copy_to_user(to, from, size);
4262 if (unlikely(ret))
4263 ret = copy_to_user_fixup(to, from, size);
4264 return ret;
4265 diff -urNp linux-2.6.32.46/arch/sparc/include/asm/uaccess.h linux-2.6.32.46/arch/sparc/include/asm/uaccess.h
4266 --- linux-2.6.32.46/arch/sparc/include/asm/uaccess.h 2011-03-27 14:31:47.000000000 -0400
4267 +++ linux-2.6.32.46/arch/sparc/include/asm/uaccess.h 2011-04-17 15:56:46.000000000 -0400
4268 @@ -1,5 +1,13 @@
4269 #ifndef ___ASM_SPARC_UACCESS_H
4270 #define ___ASM_SPARC_UACCESS_H
4271 +
4272 +#ifdef __KERNEL__
4273 +#ifndef __ASSEMBLY__
4274 +#include <linux/types.h>
4275 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
4276 +#endif
4277 +#endif
4278 +
4279 #if defined(__sparc__) && defined(__arch64__)
4280 #include <asm/uaccess_64.h>
4281 #else
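Review bot: The new `check_object_size()` prototype is undocumented, and the meaning of `bool to` has to be inferred from the call sites: the copy_to_user helpers pass the kernel source buffer with `true`, the copy_from_user helpers pass the kernel destination with `false`. A comment above the declaration, e.g. `/* ptr: kernel-side buffer of n bytes; to: true when copying towards user space */`, would record that. Declaring the function here rather than including the header that owns its definition (not visible in this hunk) also means the prototype is not checked against the definition if the signature changes.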
4282 diff -urNp linux-2.6.32.46/arch/sparc/kernel/iommu.c linux-2.6.32.46/arch/sparc/kernel/iommu.c
4283 --- linux-2.6.32.46/arch/sparc/kernel/iommu.c 2011-03-27 14:31:47.000000000 -0400
4284 +++ linux-2.6.32.46/arch/sparc/kernel/iommu.c 2011-04-17 15:56:46.000000000 -0400
4285 @@ -826,7 +826,7 @@ static void dma_4u_sync_sg_for_cpu(struc
4286 spin_unlock_irqrestore(&iommu->lock, flags);
4287 }
4288
4289 -static struct dma_map_ops sun4u_dma_ops = {
4290 +static const struct dma_map_ops sun4u_dma_ops = {
4291 .alloc_coherent = dma_4u_alloc_coherent,
4292 .free_coherent = dma_4u_free_coherent,
4293 .map_page = dma_4u_map_page,
4294 @@ -837,7 +837,7 @@ static struct dma_map_ops sun4u_dma_ops
4295 .sync_sg_for_cpu = dma_4u_sync_sg_for_cpu,
4296 };
4297
4298 -struct dma_map_ops *dma_ops = &sun4u_dma_ops;
4299 +const struct dma_map_ops *dma_ops = &sun4u_dma_ops;
4300 EXPORT_SYMBOL(dma_ops);
4301
4302 extern int pci64_dma_supported(struct pci_dev *pdev, u64 device_mask);
4303 diff -urNp linux-2.6.32.46/arch/sparc/kernel/ioport.c linux-2.6.32.46/arch/sparc/kernel/ioport.c
4304 --- linux-2.6.32.46/arch/sparc/kernel/ioport.c 2011-03-27 14:31:47.000000000 -0400
4305 +++ linux-2.6.32.46/arch/sparc/kernel/ioport.c 2011-04-17 15:56:46.000000000 -0400
4306 @@ -392,7 +392,7 @@ static void sbus_sync_sg_for_device(stru
4307 BUG();
4308 }
4309
4310 -struct dma_map_ops sbus_dma_ops = {
4311 +const struct dma_map_ops sbus_dma_ops = {
4312 .alloc_coherent = sbus_alloc_coherent,
4313 .free_coherent = sbus_free_coherent,
4314 .map_page = sbus_map_page,
4315 @@ -403,7 +403,7 @@ struct dma_map_ops sbus_dma_ops = {
4316 .sync_sg_for_device = sbus_sync_sg_for_device,
4317 };
4318
4319 -struct dma_map_ops *dma_ops = &sbus_dma_ops;
4320 +const struct dma_map_ops *dma_ops = &sbus_dma_ops;
4321 EXPORT_SYMBOL(dma_ops);
4322
4323 static int __init sparc_register_ioport(void)
4324 @@ -640,7 +640,7 @@ static void pci32_sync_sg_for_device(str
4325 }
4326 }
4327
4328 -struct dma_map_ops pci32_dma_ops = {
4329 +const struct dma_map_ops pci32_dma_ops = {
4330 .alloc_coherent = pci32_alloc_coherent,
4331 .free_coherent = pci32_free_coherent,
4332 .map_page = pci32_map_page,
4333 diff -urNp linux-2.6.32.46/arch/sparc/kernel/kgdb_32.c linux-2.6.32.46/arch/sparc/kernel/kgdb_32.c
4334 --- linux-2.6.32.46/arch/sparc/kernel/kgdb_32.c 2011-03-27 14:31:47.000000000 -0400
4335 +++ linux-2.6.32.46/arch/sparc/kernel/kgdb_32.c 2011-04-17 15:56:46.000000000 -0400
4336 @@ -158,7 +158,7 @@ void kgdb_arch_exit(void)
4337 {
4338 }
4339
4340 -struct kgdb_arch arch_kgdb_ops = {
4341 +const struct kgdb_arch arch_kgdb_ops = {
4342 /* Breakpoint instruction: ta 0x7d */
4343 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x7d },
4344 };
4345 diff -urNp linux-2.6.32.46/arch/sparc/kernel/kgdb_64.c linux-2.6.32.46/arch/sparc/kernel/kgdb_64.c
4346 --- linux-2.6.32.46/arch/sparc/kernel/kgdb_64.c 2011-03-27 14:31:47.000000000 -0400
4347 +++ linux-2.6.32.46/arch/sparc/kernel/kgdb_64.c 2011-04-17 15:56:46.000000000 -0400
4348 @@ -180,7 +180,7 @@ void kgdb_arch_exit(void)
4349 {
4350 }
4351
4352 -struct kgdb_arch arch_kgdb_ops = {
4353 +const struct kgdb_arch arch_kgdb_ops = {
4354 /* Breakpoint instruction: ta 0x72 */
4355 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x72 },
4356 };
4357 diff -urNp linux-2.6.32.46/arch/sparc/kernel/Makefile linux-2.6.32.46/arch/sparc/kernel/Makefile
4358 --- linux-2.6.32.46/arch/sparc/kernel/Makefile 2011-03-27 14:31:47.000000000 -0400
4359 +++ linux-2.6.32.46/arch/sparc/kernel/Makefile 2011-04-17 15:56:46.000000000 -0400
4360 @@ -3,7 +3,7 @@
4361 #
4362
4363 asflags-y := -ansi
4364 -ccflags-y := -Werror
4365 +#ccflags-y := -Werror
4366
4367 extra-y := head_$(BITS).o
4368 extra-y += init_task.o
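Review bot: `-Werror` is switched off by commenting the line out, with no note of which warnings made that necessary. This patch const-qualifies several ops tables in this directory (`sun4u_dma_ops`, `sbus_dma_ops`, `arch_kgdb_ops`), and discarded-qualifier warnings are the ones that would reveal code still writing through a non-const pointer, so they are worth keeping fatal. Prefer fixing the warnings; failing that, replace the dead line with a comment that names them, e.g. `# -Werror dropped: <list of warnings still to be fixed>`.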
4369 diff -urNp linux-2.6.32.46/arch/sparc/kernel/pci_sun4v.c linux-2.6.32.46/arch/sparc/kernel/pci_sun4v.c
4370 --- linux-2.6.32.46/arch/sparc/kernel/pci_sun4v.c 2011-03-27 14:31:47.000000000 -0400
4371 +++ linux-2.6.32.46/arch/sparc/kernel/pci_sun4v.c 2011-04-17 15:56:46.000000000 -0400
4372 @@ -525,7 +525,7 @@ static void dma_4v_unmap_sg(struct devic
4373 spin_unlock_irqrestore(&iommu->lock, flags);
4374 }
4375
4376 -static struct dma_map_ops sun4v_dma_ops = {
4377 +static const struct dma_map_ops sun4v_dma_ops = {
4378 .alloc_coherent = dma_4v_alloc_coherent,
4379 .free_coherent = dma_4v_free_coherent,
4380 .map_page = dma_4v_map_page,
4381 diff -urNp linux-2.6.32.46/arch/sparc/kernel/process_32.c linux-2.6.32.46/arch/sparc/kernel/process_32.c
4382 --- linux-2.6.32.46/arch/sparc/kernel/process_32.c 2011-03-27 14:31:47.000000000 -0400
4383 +++ linux-2.6.32.46/arch/sparc/kernel/process_32.c 2011-04-17 15:56:46.000000000 -0400
4384 @@ -196,7 +196,7 @@ void __show_backtrace(unsigned long fp)
4385 rw->ins[4], rw->ins[5],
4386 rw->ins[6],
4387 rw->ins[7]);
4388 - printk("%pS\n", (void *) rw->ins[7]);
4389 + printk("%pA\n", (void *) rw->ins[7]);
4390 rw = (struct reg_window32 *) rw->ins[6];
4391 }
4392 spin_unlock_irqrestore(&sparc_backtrace_lock, flags);
4393 @@ -263,14 +263,14 @@ void show_regs(struct pt_regs *r)
4394
4395 printk("PSR: %08lx PC: %08lx NPC: %08lx Y: %08lx %s\n",
4396 r->psr, r->pc, r->npc, r->y, print_tainted());
4397 - printk("PC: <%pS>\n", (void *) r->pc);
4398 + printk("PC: <%pA>\n", (void *) r->pc);
4399 printk("%%G: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4400 r->u_regs[0], r->u_regs[1], r->u_regs[2], r->u_regs[3],
4401 r->u_regs[4], r->u_regs[5], r->u_regs[6], r->u_regs[7]);
4402 printk("%%O: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4403 r->u_regs[8], r->u_regs[9], r->u_regs[10], r->u_regs[11],
4404 r->u_regs[12], r->u_regs[13], r->u_regs[14], r->u_regs[15]);
4405 - printk("RPC: <%pS>\n", (void *) r->u_regs[15]);
4406 + printk("RPC: <%pA>\n", (void *) r->u_regs[15]);
4407
4408 printk("%%L: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4409 rw->locals[0], rw->locals[1], rw->locals[2], rw->locals[3],
4410 @@ -305,7 +305,7 @@ void show_stack(struct task_struct *tsk,
4411 rw = (struct reg_window32 *) fp;
4412 pc = rw->ins[7];
4413 printk("[%08lx : ", pc);
4414 - printk("%pS ] ", (void *) pc);
4415 + printk("%pA ] ", (void *) pc);
4416 fp = rw->ins[6];
4417 } while (++count < 16);
4418 printk("\n");
4419 diff -urNp linux-2.6.32.46/arch/sparc/kernel/process_64.c linux-2.6.32.46/arch/sparc/kernel/process_64.c
4420 --- linux-2.6.32.46/arch/sparc/kernel/process_64.c 2011-03-27 14:31:47.000000000 -0400
4421 +++ linux-2.6.32.46/arch/sparc/kernel/process_64.c 2011-04-17 15:56:46.000000000 -0400
4422 @@ -180,14 +180,14 @@ static void show_regwindow(struct pt_reg
4423 printk("i4: %016lx i5: %016lx i6: %016lx i7: %016lx\n",
4424 rwk->ins[4], rwk->ins[5], rwk->ins[6], rwk->ins[7]);
4425 if (regs->tstate & TSTATE_PRIV)
4426 - printk("I7: <%pS>\n", (void *) rwk->ins[7]);
4427 + printk("I7: <%pA>\n", (void *) rwk->ins[7]);
4428 }
4429
4430 void show_regs(struct pt_regs *regs)
4431 {
4432 printk("TSTATE: %016lx TPC: %016lx TNPC: %016lx Y: %08x %s\n", regs->tstate,
4433 regs->tpc, regs->tnpc, regs->y, print_tainted());
4434 - printk("TPC: <%pS>\n", (void *) regs->tpc);
4435 + printk("TPC: <%pA>\n", (void *) regs->tpc);
4436 printk("g0: %016lx g1: %016lx g2: %016lx g3: %016lx\n",
4437 regs->u_regs[0], regs->u_regs[1], regs->u_regs[2],
4438 regs->u_regs[3]);
4439 @@ -200,7 +200,7 @@ void show_regs(struct pt_regs *regs)
4440 printk("o4: %016lx o5: %016lx sp: %016lx ret_pc: %016lx\n",
4441 regs->u_regs[12], regs->u_regs[13], regs->u_regs[14],
4442 regs->u_regs[15]);
4443 - printk("RPC: <%pS>\n", (void *) regs->u_regs[15]);
4444 + printk("RPC: <%pA>\n", (void *) regs->u_regs[15]);
4445 show_regwindow(regs);
4446 }
4447
4448 @@ -284,7 +284,7 @@ void arch_trigger_all_cpu_backtrace(void
4449 ((tp && tp->task) ? tp->task->pid : -1));
4450
4451 if (gp->tstate & TSTATE_PRIV) {
4452 - printk(" TPC[%pS] O7[%pS] I7[%pS] RPC[%pS]\n",
4453 + printk(" TPC[%pA] O7[%pA] I7[%pA] RPC[%pA]\n",
4454 (void *) gp->tpc,
4455 (void *) gp->o7,
4456 (void *) gp->i7,
4457 diff -urNp linux-2.6.32.46/arch/sparc/kernel/sys_sparc_32.c linux-2.6.32.46/arch/sparc/kernel/sys_sparc_32.c
4458 --- linux-2.6.32.46/arch/sparc/kernel/sys_sparc_32.c 2011-03-27 14:31:47.000000000 -0400
4459 +++ linux-2.6.32.46/arch/sparc/kernel/sys_sparc_32.c 2011-04-17 15:56:46.000000000 -0400
4460 @@ -57,7 +57,7 @@ unsigned long arch_get_unmapped_area(str
4461 if (ARCH_SUN4C && len > 0x20000000)
4462 return -ENOMEM;
4463 if (!addr)
4464 - addr = TASK_UNMAPPED_BASE;
4465 + addr = current->mm->mmap_base;
4466
4467 if (flags & MAP_SHARED)
4468 addr = COLOUR_ALIGN(addr);
4469 @@ -72,7 +72,7 @@ unsigned long arch_get_unmapped_area(str
4470 }
4471 if (TASK_SIZE - PAGE_SIZE - len < addr)
4472 return -ENOMEM;
4473 - if (!vmm || addr + len <= vmm->vm_start)
4474 + if (check_heap_stack_gap(vmm, addr, len))
4475 return addr;
4476 addr = vmm->vm_end;
4477 if (flags & MAP_SHARED)
4478 diff -urNp linux-2.6.32.46/arch/sparc/kernel/sys_sparc_64.c linux-2.6.32.46/arch/sparc/kernel/sys_sparc_64.c
4479 --- linux-2.6.32.46/arch/sparc/kernel/sys_sparc_64.c 2011-03-27 14:31:47.000000000 -0400
4480 +++ linux-2.6.32.46/arch/sparc/kernel/sys_sparc_64.c 2011-04-17 15:56:46.000000000 -0400
4481 @@ -125,7 +125,7 @@ unsigned long arch_get_unmapped_area(str
4482 /* We do not accept a shared mapping if it would violate
4483 * cache aliasing constraints.
4484 */
4485 - if ((flags & MAP_SHARED) &&
4486 + if ((filp || (flags & MAP_SHARED)) &&
4487 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
4488 return -EINVAL;
4489 return addr;
4490 @@ -140,6 +140,10 @@ unsigned long arch_get_unmapped_area(str
4491 if (filp || (flags & MAP_SHARED))
4492 do_color_align = 1;
4493
4494 +#ifdef CONFIG_PAX_RANDMMAP
4495 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
4496 +#endif
4497 +
4498 if (addr) {
4499 if (do_color_align)
4500 addr = COLOUR_ALIGN(addr, pgoff);
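Review bot: The added `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` has no body of its own: it governs the pre-existing `if (addr) {` block, from which it is separated by `#endif` and a blank line. A statement inserted between the two would silently change what is guarded, so the caller-supplied hint address would be honoured or ignored for the wrong processes. Drop the blank line and add a comment such as `/* guards the if (addr) block below: the hint is skipped when RANDMMAP is set */`. No equivalent guard appears in the hunks for `arch_get_unmapped_area_topdown`, and whether that is intended cannot be told from here. The function continues outside the hunk.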
4501 @@ -147,15 +151,14 @@ unsigned long arch_get_unmapped_area(str
4502 addr = PAGE_ALIGN(addr);
4503
4504 vma = find_vma(mm, addr);
4505 - if (task_size - len >= addr &&
4506 - (!vma || addr + len <= vma->vm_start))
4507 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4508 return addr;
4509 }
4510
4511 if (len > mm->cached_hole_size) {
4512 - start_addr = addr = mm->free_area_cache;
4513 + start_addr = addr = mm->free_area_cache;
4514 } else {
4515 - start_addr = addr = TASK_UNMAPPED_BASE;
4516 + start_addr = addr = mm->mmap_base;
4517 mm->cached_hole_size = 0;
4518 }
4519
4520 @@ -175,14 +178,14 @@ full_search:
4521 vma = find_vma(mm, VA_EXCLUDE_END);
4522 }
4523 if (unlikely(task_size < addr)) {
4524 - if (start_addr != TASK_UNMAPPED_BASE) {
4525 - start_addr = addr = TASK_UNMAPPED_BASE;
4526 + if (start_addr != mm->mmap_base) {
4527 + start_addr = addr = mm->mmap_base;
4528 mm->cached_hole_size = 0;
4529 goto full_search;
4530 }
4531 return -ENOMEM;
4532 }
4533 - if (likely(!vma || addr + len <= vma->vm_start)) {
4534 + if (likely(check_heap_stack_gap(vma, addr, len))) {
4535 /*
4536 * Remember the place where we stopped the search:
4537 */
4538 @@ -216,7 +219,7 @@ arch_get_unmapped_area_topdown(struct fi
4539 /* We do not accept a shared mapping if it would violate
4540 * cache aliasing constraints.
4541 */
4542 - if ((flags & MAP_SHARED) &&
4543 + if ((filp || (flags & MAP_SHARED)) &&
4544 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
4545 return -EINVAL;
4546 return addr;
4547 @@ -237,8 +240,7 @@ arch_get_unmapped_area_topdown(struct fi
4548 addr = PAGE_ALIGN(addr);
4549
4550 vma = find_vma(mm, addr);
4551 - if (task_size - len >= addr &&
4552 - (!vma || addr + len <= vma->vm_start))
4553 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4554 return addr;
4555 }
4556
4557 @@ -259,7 +261,7 @@ arch_get_unmapped_area_topdown(struct fi
4558 /* make sure it can fit in the remaining address space */
4559 if (likely(addr > len)) {
4560 vma = find_vma(mm, addr-len);
4561 - if (!vma || addr <= vma->vm_start) {
4562 + if (check_heap_stack_gap(vma, addr - len, len)) {
4563 /* remember the address as a hint for next time */
4564 return (mm->free_area_cache = addr-len);
4565 }
4566 @@ -268,18 +270,18 @@ arch_get_unmapped_area_topdown(struct fi
4567 if (unlikely(mm->mmap_base < len))
4568 goto bottomup;
4569
4570 - addr = mm->mmap_base-len;
4571 - if (do_color_align)
4572 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
4573 + addr = mm->mmap_base - len;
4574
4575 do {
4576 + if (do_color_align)
4577 + addr = COLOUR_ALIGN_DOWN(addr, pgoff);
4578 /*
4579 * Lookup failure means no vma is above this address,
4580 * else if new region fits below vma->vm_start,
4581 * return with success:
4582 */
4583 vma = find_vma(mm, addr);
4584 - if (likely(!vma || addr+len <= vma->vm_start)) {
4585 + if (likely(check_heap_stack_gap(vma, addr, len))) {
4586 /* remember the address as a hint for next time */
4587 return (mm->free_area_cache = addr);
4588 }
4589 @@ -289,10 +291,8 @@ arch_get_unmapped_area_topdown(struct fi
4590 mm->cached_hole_size = vma->vm_start - addr;
4591
4592 /* try just below the current vma->vm_start */
4593 - addr = vma->vm_start-len;
4594 - if (do_color_align)
4595 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
4596 - } while (likely(len < vma->vm_start));
4597 + addr = skip_heap_stack_gap(vma, len);
4598 + } while (!IS_ERR_VALUE(addr));
4599
4600 bottomup:
4601 /*
4602 @@ -384,6 +384,12 @@ void arch_pick_mmap_layout(struct mm_str
4603 current->signal->rlim[RLIMIT_STACK].rlim_cur == RLIM_INFINITY ||
4604 sysctl_legacy_va_layout) {
4605 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
4606 +
4607 +#ifdef CONFIG_PAX_RANDMMAP
4608 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4609 + mm->mmap_base += mm->delta_mmap;
4610 +#endif
4611 +
4612 mm->get_unmapped_area = arch_get_unmapped_area;
4613 mm->unmap_area = arch_unmap_area;
4614 } else {
4615 @@ -398,6 +404,12 @@ void arch_pick_mmap_layout(struct mm_str
4616 gap = (task_size / 6 * 5);
4617
4618 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
4619 +
4620 +#ifdef CONFIG_PAX_RANDMMAP
4621 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4622 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
4623 +#endif
4624 +
4625 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
4626 mm->unmap_area = arch_unmap_area_topdown;
4627 }
4628 diff -urNp linux-2.6.32.46/arch/sparc/kernel/traps_32.c linux-2.6.32.46/arch/sparc/kernel/traps_32.c
4629 --- linux-2.6.32.46/arch/sparc/kernel/traps_32.c 2011-03-27 14:31:47.000000000 -0400
4630 +++ linux-2.6.32.46/arch/sparc/kernel/traps_32.c 2011-06-13 21:25:39.000000000 -0400
4631 @@ -44,6 +44,8 @@ static void instruction_dump(unsigned lo
4632 #define __SAVE __asm__ __volatile__("save %sp, -0x40, %sp\n\t")
4633 #define __RESTORE __asm__ __volatile__("restore %g0, %g0, %g0\n\t")
4634
4635 +extern void gr_handle_kernel_exploit(void);
4636 +
4637 void die_if_kernel(char *str, struct pt_regs *regs)
4638 {
4639 static int die_counter;
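Review bot: `gr_handle_kernel_exploit()` is declared with a bare `extern` inside the .c file, and the same line is repeated in the traps_64.c hunk further down. A prototype kept out of a shared header is never checked against the definition, so a later signature change would compile cleanly and misbehave at the call added to `die_if_kernel`. Move the declaration to the header that accompanies the definition (not visible here) and include that header from both files.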
4640 @@ -76,15 +78,17 @@ void die_if_kernel(char *str, struct pt_
4641 count++ < 30 &&
4642 (((unsigned long) rw) >= PAGE_OFFSET) &&
4643 !(((unsigned long) rw) & 0x7)) {
4644 - printk("Caller[%08lx]: %pS\n", rw->ins[7],
4645 + printk("Caller[%08lx]: %pA\n", rw->ins[7],
4646 (void *) rw->ins[7]);
4647 rw = (struct reg_window32 *)rw->ins[6];
4648 }
4649 }
4650 printk("Instruction DUMP:");
4651 instruction_dump ((unsigned long *) regs->pc);
4652 - if(regs->psr & PSR_PS)
4653 + if(regs->psr & PSR_PS) {
4654 + gr_handle_kernel_exploit();
4655 do_exit(SIGKILL);
4656 + }
4657 do_exit(SIGSEGV);
4658 }
4659
4660 diff -urNp linux-2.6.32.46/arch/sparc/kernel/traps_64.c linux-2.6.32.46/arch/sparc/kernel/traps_64.c
4661 --- linux-2.6.32.46/arch/sparc/kernel/traps_64.c 2011-03-27 14:31:47.000000000 -0400
4662 +++ linux-2.6.32.46/arch/sparc/kernel/traps_64.c 2011-06-13 21:24:11.000000000 -0400
4663 @@ -73,7 +73,7 @@ static void dump_tl1_traplog(struct tl1_
4664 i + 1,
4665 p->trapstack[i].tstate, p->trapstack[i].tpc,
4666 p->trapstack[i].tnpc, p->trapstack[i].tt);
4667 - printk("TRAPLOG: TPC<%pS>\n", (void *) p->trapstack[i].tpc);
4668 + printk("TRAPLOG: TPC<%pA>\n", (void *) p->trapstack[i].tpc);
4669 }
4670 }
4671
4672 @@ -93,6 +93,12 @@ void bad_trap(struct pt_regs *regs, long
4673
4674 lvl -= 0x100;
4675 if (regs->tstate & TSTATE_PRIV) {
4676 +
4677 +#ifdef CONFIG_PAX_REFCOUNT
4678 + if (lvl == 6)
4679 + pax_report_refcount_overflow(regs);
4680 +#endif
4681 +
4682 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
4683 die_if_kernel(buffer, regs);
4684 }
4685 @@ -111,11 +117,16 @@ void bad_trap(struct pt_regs *regs, long
4686 void bad_trap_tl1(struct pt_regs *regs, long lvl)
4687 {
4688 char buffer[32];
4689 -
4690 +
4691 if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
4692 0, lvl, SIGTRAP) == NOTIFY_STOP)
4693 return;
4694
4695 +#ifdef CONFIG_PAX_REFCOUNT
4696 + if (lvl == 6)
4697 + pax_report_refcount_overflow(regs);
4698 +#endif
4699 +
4700 dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
4701
4702 sprintf (buffer, "Bad trap %lx at tl>0", lvl);
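Review bot: `bad_trap_tl1` compares the raw `lvl` with 6, whereas `bad_trap` in the previous hunk executes `lvl -= 0x100` before making the same comparison. Unless the two handlers are entered with different encodings (their callers are not visible), one of the two tests cannot match the `tvs %icc, 6` trap raised by the refcount checks, and an overflow would then be logged only as a generic bad trap. Confirm the encoding and replace the literal with a named constant shared with the assembly, so the pairing between trap number and handler is explicit. The report here also runs only when `notify_die` does not return `NOTIFY_STOP`; a comment should say whether that ordering is intended.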
4703 @@ -1139,7 +1150,7 @@ static void cheetah_log_errors(struct pt
4704 regs->tpc, regs->tnpc, regs->u_regs[UREG_I7], regs->tstate);
4705 printk("%s" "ERROR(%d): ",
4706 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id());
4707 - printk("TPC<%pS>\n", (void *) regs->tpc);
4708 + printk("TPC<%pA>\n", (void *) regs->tpc);
4709 printk("%s" "ERROR(%d): M_SYND(%lx), E_SYND(%lx)%s%s\n",
4710 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id(),
4711 (afsr & CHAFSR_M_SYNDROME) >> CHAFSR_M_SYNDROME_SHIFT,
4712 @@ -1746,7 +1757,7 @@ void cheetah_plus_parity_error(int type,
4713 smp_processor_id(),
4714 (type & 0x1) ? 'I' : 'D',
4715 regs->tpc);
4716 - printk(KERN_EMERG "TPC<%pS>\n", (void *) regs->tpc);
4717 + printk(KERN_EMERG "TPC<%pA>\n", (void *) regs->tpc);
4718 panic("Irrecoverable Cheetah+ parity error.");
4719 }
4720
4721 @@ -1754,7 +1765,7 @@ void cheetah_plus_parity_error(int type,
4722 smp_processor_id(),
4723 (type & 0x1) ? 'I' : 'D',
4724 regs->tpc);
4725 - printk(KERN_WARNING "TPC<%pS>\n", (void *) regs->tpc);
4726 + printk(KERN_WARNING "TPC<%pA>\n", (void *) regs->tpc);
4727 }
4728
4729 struct sun4v_error_entry {
4730 @@ -1961,9 +1972,9 @@ void sun4v_itlb_error_report(struct pt_r
4731
4732 printk(KERN_EMERG "SUN4V-ITLB: Error at TPC[%lx], tl %d\n",
4733 regs->tpc, tl);
4734 - printk(KERN_EMERG "SUN4V-ITLB: TPC<%pS>\n", (void *) regs->tpc);
4735 + printk(KERN_EMERG "SUN4V-ITLB: TPC<%pA>\n", (void *) regs->tpc);
4736 printk(KERN_EMERG "SUN4V-ITLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
4737 - printk(KERN_EMERG "SUN4V-ITLB: O7<%pS>\n",
4738 + printk(KERN_EMERG "SUN4V-ITLB: O7<%pA>\n",
4739 (void *) regs->u_regs[UREG_I7]);
4740 printk(KERN_EMERG "SUN4V-ITLB: vaddr[%lx] ctx[%lx] "
4741 "pte[%lx] error[%lx]\n",
4742 @@ -1985,9 +1996,9 @@ void sun4v_dtlb_error_report(struct pt_r
4743
4744 printk(KERN_EMERG "SUN4V-DTLB: Error at TPC[%lx], tl %d\n",
4745 regs->tpc, tl);
4746 - printk(KERN_EMERG "SUN4V-DTLB: TPC<%pS>\n", (void *) regs->tpc);
4747 + printk(KERN_EMERG "SUN4V-DTLB: TPC<%pA>\n", (void *) regs->tpc);
4748 printk(KERN_EMERG "SUN4V-DTLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
4749 - printk(KERN_EMERG "SUN4V-DTLB: O7<%pS>\n",
4750 + printk(KERN_EMERG "SUN4V-DTLB: O7<%pA>\n",
4751 (void *) regs->u_regs[UREG_I7]);
4752 printk(KERN_EMERG "SUN4V-DTLB: vaddr[%lx] ctx[%lx] "
4753 "pte[%lx] error[%lx]\n",
4754 @@ -2191,7 +2202,7 @@ void show_stack(struct task_struct *tsk,
4755 fp = (unsigned long)sf->fp + STACK_BIAS;
4756 }
4757
4758 - printk(" [%016lx] %pS\n", pc, (void *) pc);
4759 + printk(" [%016lx] %pA\n", pc, (void *) pc);
4760 } while (++count < 16);
4761 }
4762
4763 @@ -2233,6 +2244,8 @@ static inline struct reg_window *kernel_
4764 return (struct reg_window *) (fp + STACK_BIAS);
4765 }
4766
4767 +extern void gr_handle_kernel_exploit(void);
4768 +
4769 void die_if_kernel(char *str, struct pt_regs *regs)
4770 {
4771 static int die_counter;
4772 @@ -2260,7 +2273,7 @@ void die_if_kernel(char *str, struct pt_
4773 while (rw &&
4774 count++ < 30&&
4775 is_kernel_stack(current, rw)) {
4776 - printk("Caller[%016lx]: %pS\n", rw->ins[7],
4777 + printk("Caller[%016lx]: %pA\n", rw->ins[7],
4778 (void *) rw->ins[7]);
4779
4780 rw = kernel_stack_up(rw);
4781 @@ -2273,8 +2286,11 @@ void die_if_kernel(char *str, struct pt_
4782 }
4783 user_instruction_dump ((unsigned int __user *) regs->tpc);
4784 }
4785 - if (regs->tstate & TSTATE_PRIV)
4786 + if (regs->tstate & TSTATE_PRIV) {
4787 + gr_handle_kernel_exploit();
4788 do_exit(SIGKILL);
4789 + }
4790 +
4791 do_exit(SIGSEGV);
4792 }
4793 EXPORT_SYMBOL(die_if_kernel);
4794 diff -urNp linux-2.6.32.46/arch/sparc/kernel/una_asm_64.S linux-2.6.32.46/arch/sparc/kernel/una_asm_64.S
4795 --- linux-2.6.32.46/arch/sparc/kernel/una_asm_64.S 2011-03-27 14:31:47.000000000 -0400
4796 +++ linux-2.6.32.46/arch/sparc/kernel/una_asm_64.S 2011-07-13 22:20:05.000000000 -0400
4797 @@ -127,7 +127,7 @@ do_int_load:
4798 wr %o5, 0x0, %asi
4799 retl
4800 mov 0, %o0
4801 - .size __do_int_load, .-__do_int_load
4802 + .size do_int_load, .-do_int_load
4803
4804 .section __ex_table,"a"
4805 .word 4b, __retl_efault
4806 diff -urNp linux-2.6.32.46/arch/sparc/kernel/unaligned_64.c linux-2.6.32.46/arch/sparc/kernel/unaligned_64.c
4807 --- linux-2.6.32.46/arch/sparc/kernel/unaligned_64.c 2011-03-27 14:31:47.000000000 -0400
4808 +++ linux-2.6.32.46/arch/sparc/kernel/unaligned_64.c 2011-04-17 15:56:46.000000000 -0400
4809 @@ -288,7 +288,7 @@ static void log_unaligned(struct pt_regs
4810 if (count < 5) {
4811 last_time = jiffies;
4812 count++;
4813 - printk("Kernel unaligned access at TPC[%lx] %pS\n",
4814 + printk("Kernel unaligned access at TPC[%lx] %pA\n",
4815 regs->tpc, (void *) regs->tpc);
4816 }
4817 }
4818 diff -urNp linux-2.6.32.46/arch/sparc/lib/atomic_64.S linux-2.6.32.46/arch/sparc/lib/atomic_64.S
4819 --- linux-2.6.32.46/arch/sparc/lib/atomic_64.S 2011-03-27 14:31:47.000000000 -0400
4820 +++ linux-2.6.32.46/arch/sparc/lib/atomic_64.S 2011-04-17 15:56:46.000000000 -0400
4821 @@ -18,7 +18,12 @@
4822 atomic_add: /* %o0 = increment, %o1 = atomic_ptr */
4823 BACKOFF_SETUP(%o2)
4824 1: lduw [%o1], %g1
4825 - add %g1, %o0, %g7
4826 + addcc %g1, %o0, %g7
4827 +
4828 +#ifdef CONFIG_PAX_REFCOUNT
4829 + tvs %icc, 6
4830 +#endif
4831 +
4832 cas [%o1], %g1, %g7
4833 cmp %g1, %g7
4834 bne,pn %icc, 2f
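Review bot: `addcc` replaces `add` unconditionally, while only the `tvs %icc, 6` sits inside `#ifdef CONFIG_PAX_REFCOUNT`, and the trap number 6 is a bare literal. The extra condition-code write is harmless because `cmp` resets the flags before the branch. A comment such as `/* trap on signed overflow before the cas, so the wrapped value is never stored */` and a named constant for the trap number would make the intent and the ordering clear. The same pattern recurs in every checked routine in this file and in the rwsem_64.S hunks; the handler for trap 6 is not visible in this part of the patch. The body of atomic_add continues outside the hunk.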
4835 @@ -28,12 +33,32 @@ atomic_add: /* %o0 = increment, %o1 = at
4836 2: BACKOFF_SPIN(%o2, %o3, 1b)
4837 .size atomic_add, .-atomic_add
4838
4839 + .globl atomic_add_unchecked
4840 + .type atomic_add_unchecked,#function
4841 +atomic_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4842 + BACKOFF_SETUP(%o2)
4843 +1: lduw [%o1], %g1
4844 + add %g1, %o0, %g7
4845 + cas [%o1], %g1, %g7
4846 + cmp %g1, %g7
4847 + bne,pn %icc, 2f
4848 + nop
4849 + retl
4850 + nop
4851 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4852 + .size atomic_add_unchecked, .-atomic_add_unchecked
4853 +
4854 .globl atomic_sub
4855 .type atomic_sub,#function
4856 atomic_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4857 BACKOFF_SETUP(%o2)
4858 1: lduw [%o1], %g1
4859 - sub %g1, %o0, %g7
4860 + subcc %g1, %o0, %g7
4861 +
4862 +#ifdef CONFIG_PAX_REFCOUNT
4863 + tvs %icc, 6
4864 +#endif
4865 +
4866 cas [%o1], %g1, %g7
4867 cmp %g1, %g7
4868 bne,pn %icc, 2f
4869 @@ -43,12 +68,32 @@ atomic_sub: /* %o0 = decrement, %o1 = at
4870 2: BACKOFF_SPIN(%o2, %o3, 1b)
4871 .size atomic_sub, .-atomic_sub
4872
4873 + .globl atomic_sub_unchecked
4874 + .type atomic_sub_unchecked,#function
4875 +atomic_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4876 + BACKOFF_SETUP(%o2)
4877 +1: lduw [%o1], %g1
4878 + sub %g1, %o0, %g7
4879 + cas [%o1], %g1, %g7
4880 + cmp %g1, %g7
4881 + bne,pn %icc, 2f
4882 + nop
4883 + retl
4884 + nop
4885 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4886 + .size atomic_sub_unchecked, .-atomic_sub_unchecked
4887 +
4888 .globl atomic_add_ret
4889 .type atomic_add_ret,#function
4890 atomic_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4891 BACKOFF_SETUP(%o2)
4892 1: lduw [%o1], %g1
4893 - add %g1, %o0, %g7
4894 + addcc %g1, %o0, %g7
4895 +
4896 +#ifdef CONFIG_PAX_REFCOUNT
4897 + tvs %icc, 6
4898 +#endif
4899 +
4900 cas [%o1], %g1, %g7
4901 cmp %g1, %g7
4902 bne,pn %icc, 2f
4903 @@ -59,12 +104,33 @@ atomic_add_ret: /* %o0 = increment, %o1
4904 2: BACKOFF_SPIN(%o2, %o3, 1b)
4905 .size atomic_add_ret, .-atomic_add_ret
4906
4907 + .globl atomic_add_ret_unchecked
4908 + .type atomic_add_ret_unchecked,#function
4909 +atomic_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4910 + BACKOFF_SETUP(%o2)
4911 +1: lduw [%o1], %g1
4912 + addcc %g1, %o0, %g7
4913 + cas [%o1], %g1, %g7
4914 + cmp %g1, %g7
4915 + bne,pn %icc, 2f
4916 + add %g7, %o0, %g7
4917 + sra %g7, 0, %o0
4918 + retl
4919 + nop
4920 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4921 + .size atomic_add_ret_unchecked, .-atomic_add_ret_unchecked
4922 +
4923 .globl atomic_sub_ret
4924 .type atomic_sub_ret,#function
4925 atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4926 BACKOFF_SETUP(%o2)
4927 1: lduw [%o1], %g1
4928 - sub %g1, %o0, %g7
4929 + subcc %g1, %o0, %g7
4930 +
4931 +#ifdef CONFIG_PAX_REFCOUNT
4932 + tvs %icc, 6
4933 +#endif
4934 +
4935 cas [%o1], %g1, %g7
4936 cmp %g1, %g7
4937 bne,pn %icc, 2f
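Review bot: `atomic_add_ret_unchecked` uses `addcc` even though no overflow trap follows, whereas `atomic_add_unchecked` and `atomic_sub_unchecked` use plain `add`/`sub`. Nothing reads the flags before `cmp` resets them, so this looks like a copy of the checked body rather than a functional need; `add %g1, %o0, %g7` would match the other unchecked routines. The same applies to `atomic64_add_unchecked`, `atomic64_sub_unchecked` and `atomic64_add_ret_unchecked` in the hunks below. No `_unchecked` counterpart is added for `atomic_sub_ret` or `atomic64_sub_ret`; if that is deliberate, a comment next to the new symbols should say so.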
4938 @@ -80,7 +146,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1
4939 atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */
4940 BACKOFF_SETUP(%o2)
4941 1: ldx [%o1], %g1
4942 - add %g1, %o0, %g7
4943 + addcc %g1, %o0, %g7
4944 +
4945 +#ifdef CONFIG_PAX_REFCOUNT
4946 + tvs %xcc, 6
4947 +#endif
4948 +
4949 casx [%o1], %g1, %g7
4950 cmp %g1, %g7
4951 bne,pn %xcc, 2f
4952 @@ -90,12 +161,32 @@ atomic64_add: /* %o0 = increment, %o1 =
4953 2: BACKOFF_SPIN(%o2, %o3, 1b)
4954 .size atomic64_add, .-atomic64_add
4955
4956 + .globl atomic64_add_unchecked
4957 + .type atomic64_add_unchecked,#function
4958 +atomic64_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4959 + BACKOFF_SETUP(%o2)
4960 +1: ldx [%o1], %g1
4961 + addcc %g1, %o0, %g7
4962 + casx [%o1], %g1, %g7
4963 + cmp %g1, %g7
4964 + bne,pn %xcc, 2f
4965 + nop
4966 + retl
4967 + nop
4968 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4969 + .size atomic64_add_unchecked, .-atomic64_add_unchecked
4970 +
4971 .globl atomic64_sub
4972 .type atomic64_sub,#function
4973 atomic64_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4974 BACKOFF_SETUP(%o2)
4975 1: ldx [%o1], %g1
4976 - sub %g1, %o0, %g7
4977 + subcc %g1, %o0, %g7
4978 +
4979 +#ifdef CONFIG_PAX_REFCOUNT
4980 + tvs %xcc, 6
4981 +#endif
4982 +
4983 casx [%o1], %g1, %g7
4984 cmp %g1, %g7
4985 bne,pn %xcc, 2f
4986 @@ -105,12 +196,32 @@ atomic64_sub: /* %o0 = decrement, %o1 =
4987 2: BACKOFF_SPIN(%o2, %o3, 1b)
4988 .size atomic64_sub, .-atomic64_sub
4989
4990 + .globl atomic64_sub_unchecked
4991 + .type atomic64_sub_unchecked,#function
4992 +atomic64_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4993 + BACKOFF_SETUP(%o2)
4994 +1: ldx [%o1], %g1
4995 + subcc %g1, %o0, %g7
4996 + casx [%o1], %g1, %g7
4997 + cmp %g1, %g7
4998 + bne,pn %xcc, 2f
4999 + nop
5000 + retl
5001 + nop
5002 +2: BACKOFF_SPIN(%o2, %o3, 1b)
5003 + .size atomic64_sub_unchecked, .-atomic64_sub_unchecked
5004 +
5005 .globl atomic64_add_ret
5006 .type atomic64_add_ret,#function
5007 atomic64_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
5008 BACKOFF_SETUP(%o2)
5009 1: ldx [%o1], %g1
5010 - add %g1, %o0, %g7
5011 + addcc %g1, %o0, %g7
5012 +
5013 +#ifdef CONFIG_PAX_REFCOUNT
5014 + tvs %xcc, 6
5015 +#endif
5016 +
5017 casx [%o1], %g1, %g7
5018 cmp %g1, %g7
5019 bne,pn %xcc, 2f
5020 @@ -121,12 +232,33 @@ atomic64_add_ret: /* %o0 = increment, %o
5021 2: BACKOFF_SPIN(%o2, %o3, 1b)
5022 .size atomic64_add_ret, .-atomic64_add_ret
5023
5024 + .globl atomic64_add_ret_unchecked
5025 + .type atomic64_add_ret_unchecked,#function
5026 +atomic64_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
5027 + BACKOFF_SETUP(%o2)
5028 +1: ldx [%o1], %g1
5029 + addcc %g1, %o0, %g7
5030 + casx [%o1], %g1, %g7
5031 + cmp %g1, %g7
5032 + bne,pn %xcc, 2f
5033 + add %g7, %o0, %g7
5034 + mov %g7, %o0
5035 + retl
5036 + nop
5037 +2: BACKOFF_SPIN(%o2, %o3, 1b)
5038 + .size atomic64_add_ret_unchecked, .-atomic64_add_ret_unchecked
5039 +
5040 .globl atomic64_sub_ret
5041 .type atomic64_sub_ret,#function
5042 atomic64_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
5043 BACKOFF_SETUP(%o2)
5044 1: ldx [%o1], %g1
5045 - sub %g1, %o0, %g7
5046 + subcc %g1, %o0, %g7
5047 +
5048 +#ifdef CONFIG_PAX_REFCOUNT
5049 + tvs %xcc, 6
5050 +#endif
5051 +
5052 casx [%o1], %g1, %g7
5053 cmp %g1, %g7
5054 bne,pn %xcc, 2f
5055 diff -urNp linux-2.6.32.46/arch/sparc/lib/ksyms.c linux-2.6.32.46/arch/sparc/lib/ksyms.c
5056 --- linux-2.6.32.46/arch/sparc/lib/ksyms.c 2011-03-27 14:31:47.000000000 -0400
5057 +++ linux-2.6.32.46/arch/sparc/lib/ksyms.c 2011-08-19 23:05:14.000000000 -0400
5058 @@ -144,12 +144,18 @@ EXPORT_SYMBOL(__downgrade_write);
5059
5060 /* Atomic counter implementation. */
5061 EXPORT_SYMBOL(atomic_add);
5062 +EXPORT_SYMBOL(atomic_add_unchecked);
5063 EXPORT_SYMBOL(atomic_add_ret);
5064 +EXPORT_SYMBOL(atomic_add_ret_unchecked);
5065 EXPORT_SYMBOL(atomic_sub);
5066 +EXPORT_SYMBOL(atomic_sub_unchecked);
5067 EXPORT_SYMBOL(atomic_sub_ret);
5068 EXPORT_SYMBOL(atomic64_add);
5069 +EXPORT_SYMBOL(atomic64_add_unchecked);
5070 EXPORT_SYMBOL(atomic64_add_ret);
5071 +EXPORT_SYMBOL(atomic64_add_ret_unchecked);
5072 EXPORT_SYMBOL(atomic64_sub);
5073 +EXPORT_SYMBOL(atomic64_sub_unchecked);
5074 EXPORT_SYMBOL(atomic64_sub_ret);
5075
5076 /* Atomic bit operations. */
5077 diff -urNp linux-2.6.32.46/arch/sparc/lib/Makefile linux-2.6.32.46/arch/sparc/lib/Makefile
5078 --- linux-2.6.32.46/arch/sparc/lib/Makefile 2011-03-27 14:31:47.000000000 -0400
5079 +++ linux-2.6.32.46/arch/sparc/lib/Makefile 2011-05-17 19:26:34.000000000 -0400
5080 @@ -2,7 +2,7 @@
5081 #
5082
5083 asflags-y := -ansi -DST_DIV0=0x02
5084 -ccflags-y := -Werror
5085 +#ccflags-y := -Werror
5086
5087 lib-$(CONFIG_SPARC32) += mul.o rem.o sdiv.o udiv.o umul.o urem.o ashrdi3.o
5088 lib-$(CONFIG_SPARC32) += memcpy.o memset.o
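Review bot: Commenting out `ccflags-y := -Werror` turns warnings-as-errors off for everything built under arch/sparc/lib, and the hunk records no reason. If a specific warning in the patched code forced this, name it next to the line, for example `# -Werror disabled: <warning and file that triggers it>`, or scope the relaxation to the one object with a per-file flag. As it stands, new warnings in this directory will pass unnoticed.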
5089 diff -urNp linux-2.6.32.46/arch/sparc/lib/rwsem_64.S linux-2.6.32.46/arch/sparc/lib/rwsem_64.S
5090 --- linux-2.6.32.46/arch/sparc/lib/rwsem_64.S 2011-03-27 14:31:47.000000000 -0400
5091 +++ linux-2.6.32.46/arch/sparc/lib/rwsem_64.S 2011-04-17 15:56:46.000000000 -0400
5092 @@ -11,7 +11,12 @@
5093 .globl __down_read
5094 __down_read:
5095 1: lduw [%o0], %g1
5096 - add %g1, 1, %g7
5097 + addcc %g1, 1, %g7
5098 +
5099 +#ifdef CONFIG_PAX_REFCOUNT
5100 + tvs %icc, 6
5101 +#endif
5102 +
5103 cas [%o0], %g1, %g7
5104 cmp %g1, %g7
5105 bne,pn %icc, 1b
5106 @@ -33,7 +38,12 @@ __down_read:
5107 .globl __down_read_trylock
5108 __down_read_trylock:
5109 1: lduw [%o0], %g1
5110 - add %g1, 1, %g7
5111 + addcc %g1, 1, %g7
5112 +
5113 +#ifdef CONFIG_PAX_REFCOUNT
5114 + tvs %icc, 6
5115 +#endif
5116 +
5117 cmp %g7, 0
5118 bl,pn %icc, 2f
5119 mov 0, %o1
5120 @@ -51,7 +61,12 @@ __down_write:
5121 or %g1, %lo(RWSEM_ACTIVE_WRITE_BIAS), %g1
5122 1:
5123 lduw [%o0], %g3
5124 - add %g3, %g1, %g7
5125 + addcc %g3, %g1, %g7
5126 +
5127 +#ifdef CONFIG_PAX_REFCOUNT
5128 + tvs %icc, 6
5129 +#endif
5130 +
5131 cas [%o0], %g3, %g7
5132 cmp %g3, %g7
5133 bne,pn %icc, 1b
5134 @@ -77,7 +92,12 @@ __down_write_trylock:
5135 cmp %g3, 0
5136 bne,pn %icc, 2f
5137 mov 0, %o1
5138 - add %g3, %g1, %g7
5139 + addcc %g3, %g1, %g7
5140 +
5141 +#ifdef CONFIG_PAX_REFCOUNT
5142 + tvs %icc, 6
5143 +#endif
5144 +
5145 cas [%o0], %g3, %g7
5146 cmp %g3, %g7
5147 bne,pn %icc, 1b
5148 @@ -90,7 +110,12 @@ __down_write_trylock:
5149 __up_read:
5150 1:
5151 lduw [%o0], %g1
5152 - sub %g1, 1, %g7
5153 + subcc %g1, 1, %g7
5154 +
5155 +#ifdef CONFIG_PAX_REFCOUNT
5156 + tvs %icc, 6
5157 +#endif
5158 +
5159 cas [%o0], %g1, %g7
5160 cmp %g1, %g7
5161 bne,pn %icc, 1b
5162 @@ -118,7 +143,12 @@ __up_write:
5163 or %g1, %lo(RWSEM_ACTIVE_WRITE_BIAS), %g1
5164 1:
5165 lduw [%o0], %g3
5166 - sub %g3, %g1, %g7
5167 + subcc %g3, %g1, %g7
5168 +
5169 +#ifdef CONFIG_PAX_REFCOUNT
5170 + tvs %icc, 6
5171 +#endif
5172 +
5173 cas [%o0], %g3, %g7
5174 cmp %g3, %g7
5175 bne,pn %icc, 1b
5176 @@ -143,7 +173,12 @@ __downgrade_write:
5177 or %g1, %lo(RWSEM_WAITING_BIAS), %g1
5178 1:
5179 lduw [%o0], %g3
5180 - sub %g3, %g1, %g7
5181 + subcc %g3, %g1, %g7
5182 +
5183 +#ifdef CONFIG_PAX_REFCOUNT
5184 + tvs %icc, 6
5185 +#endif
5186 +
5187 cas [%o0], %g3, %g7
5188 cmp %g3, %g7
5189 bne,pn %icc, 1b
5190 diff -urNp linux-2.6.32.46/arch/sparc/Makefile linux-2.6.32.46/arch/sparc/Makefile
5191 --- linux-2.6.32.46/arch/sparc/Makefile 2011-03-27 14:31:47.000000000 -0400
5192 +++ linux-2.6.32.46/arch/sparc/Makefile 2011-04-17 15:56:46.000000000 -0400
5193 @@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
5194 # Export what is needed by arch/sparc/boot/Makefile
5195 export VMLINUX_INIT VMLINUX_MAIN
5196 VMLINUX_INIT := $(head-y) $(init-y)
5197 -VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
5198 +VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
5199 VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
5200 VMLINUX_MAIN += $(drivers-y) $(net-y)
5201
5202 diff -urNp linux-2.6.32.46/arch/sparc/mm/fault_32.c linux-2.6.32.46/arch/sparc/mm/fault_32.c
5203 --- linux-2.6.32.46/arch/sparc/mm/fault_32.c 2011-03-27 14:31:47.000000000 -0400
5204 +++ linux-2.6.32.46/arch/sparc/mm/fault_32.c 2011-04-17 15:56:46.000000000 -0400
5205 @@ -21,6 +21,9 @@
5206 #include <linux/interrupt.h>
5207 #include <linux/module.h>
5208 #include <linux/kdebug.h>
5209 +#include <linux/slab.h>
5210 +#include <linux/pagemap.h>
5211 +#include <linux/compiler.h>
5212
5213 #include <asm/system.h>
5214 #include <asm/page.h>
5215 @@ -167,6 +170,267 @@ static unsigned long compute_si_addr(str
5216 return safe_compute_effective_address(regs, insn);
5217 }
5218
5219 +#ifdef CONFIG_PAX_PAGEEXEC
5220 +#ifdef CONFIG_PAX_DLRESOLVE
5221 +static void pax_emuplt_close(struct vm_area_struct *vma)
5222 +{
5223 + vma->vm_mm->call_dl_resolve = 0UL;
5224 +}
5225 +
5226 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
5227 +{
5228 + unsigned int *kaddr;
5229 +
5230 + vmf->page = alloc_page(GFP_HIGHUSER);
5231 + if (!vmf->page)
5232 + return VM_FAULT_OOM;
5233 +
5234 + kaddr = kmap(vmf->page);
5235 + memset(kaddr, 0, PAGE_SIZE);
5236 + kaddr[0] = 0x9DE3BFA8U; /* save */
5237 + flush_dcache_page(vmf->page);
5238 + kunmap(vmf->page);
5239 + return VM_FAULT_MAJOR;
5240 +}
5241 +
5242 +static const struct vm_operations_struct pax_vm_ops = {
5243 + .close = pax_emuplt_close,
5244 + .fault = pax_emuplt_fault
5245 +};
5246 +
5247 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
5248 +{
5249 + int ret;
5250 +
5251 + vma->vm_mm = current->mm;
5252 + vma->vm_start = addr;
5253 + vma->vm_end = addr + PAGE_SIZE;
5254 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
5255 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
5256 + vma->vm_ops = &pax_vm_ops;
5257 +
5258 + ret = insert_vm_struct(current->mm, vma);
5259 + if (ret)
5260 + return ret;
5261 +
5262 + ++current->mm->total_vm;
5263 + return 0;
5264 +}
5265 +#endif
5266 +
5267 +/*
5268 + * PaX: decide what to do with offenders (regs->pc = fault address)
5269 + *
5270 + * returns 1 when task should be killed
5271 + * 2 when patched PLT trampoline was detected
5272 + * 3 when unpatched PLT trampoline was detected
5273 + */
5274 +static int pax_handle_fetch_fault(struct pt_regs *regs)
5275 +{
5276 +
5277 +#ifdef CONFIG_PAX_EMUPLT
5278 + int err;
5279 +
5280 + do { /* PaX: patched PLT emulation #1 */
5281 + unsigned int sethi1, sethi2, jmpl;
5282 +
5283 + err = get_user(sethi1, (unsigned int *)regs->pc);
5284 + err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
5285 + err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
5286 +
5287 + if (err)
5288 + break;
5289 +
5290 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
5291 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
5292 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
5293 + {
5294 + unsigned int addr;
5295 +
5296 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
5297 + addr = regs->u_regs[UREG_G1];
5298 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
5299 + regs->pc = addr;
5300 + regs->npc = addr+4;
5301 + return 2;
5302 + }
5303 + } while (0);
5304 +
5305 + { /* PaX: patched PLT emulation #2 */
5306 + unsigned int ba;
5307 +
5308 + err = get_user(ba, (unsigned int *)regs->pc);
5309 +
5310 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
5311 + unsigned int addr;
5312 +
5313 + addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
5314 + regs->pc = addr;
5315 + regs->npc = addr+4;
5316 + return 2;
5317 + }
5318 + }
5319 +
5320 + do { /* PaX: patched PLT emulation #3 */
5321 + unsigned int sethi, jmpl, nop;
5322 +
5323 + err = get_user(sethi, (unsigned int *)regs->pc);
5324 + err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
5325 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
5326 +
5327 + if (err)
5328 + break;
5329 +
5330 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5331 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
5332 + nop == 0x01000000U)
5333 + {
5334 + unsigned int addr;
5335 +
5336 + addr = (sethi & 0x003FFFFFU) << 10;
5337 + regs->u_regs[UREG_G1] = addr;
5338 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
5339 + regs->pc = addr;
5340 + regs->npc = addr+4;
5341 + return 2;
5342 + }
5343 + } while (0);
5344 +
5345 + do { /* PaX: unpatched PLT emulation step 1 */
5346 + unsigned int sethi, ba, nop;
5347 +
5348 + err = get_user(sethi, (unsigned int *)regs->pc);
5349 + err |= get_user(ba, (unsigned int *)(regs->pc+4));
5350 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
5351 +
5352 + if (err)
5353 + break;
5354 +
5355 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5356 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
5357 + nop == 0x01000000U)
5358 + {
5359 + unsigned int addr, save, call;
5360 +
5361 + if ((ba & 0xFFC00000U) == 0x30800000U)
5362 + addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
5363 + else
5364 + addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
5365 +
5366 + err = get_user(save, (unsigned int *)addr);
5367 + err |= get_user(call, (unsigned int *)(addr+4));
5368 + err |= get_user(nop, (unsigned int *)(addr+8));
5369 + if (err)
5370 + break;
5371 +
5372 +#ifdef CONFIG_PAX_DLRESOLVE
5373 + if (save == 0x9DE3BFA8U &&
5374 + (call & 0xC0000000U) == 0x40000000U &&
5375 + nop == 0x01000000U)
5376 + {
5377 + struct vm_area_struct *vma;
5378 + unsigned long call_dl_resolve;
5379 +
5380 + down_read(&current->mm->mmap_sem);
5381 + call_dl_resolve = current->mm->call_dl_resolve;
5382 + up_read(&current->mm->mmap_sem);
5383 + if (likely(call_dl_resolve))
5384 + goto emulate;
5385 +
5386 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
5387 +
5388 + down_write(&current->mm->mmap_sem);
5389 + if (current->mm->call_dl_resolve) {
5390 + call_dl_resolve = current->mm->call_dl_resolve;
5391 + up_write(&current->mm->mmap_sem);
5392 + if (vma)
5393 + kmem_cache_free(vm_area_cachep, vma);
5394 + goto emulate;
5395 + }
5396 +
5397 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5398 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5399 + up_write(&current->mm->mmap_sem);
5400 + if (vma)
5401 + kmem_cache_free(vm_area_cachep, vma);
5402 + return 1;
5403 + }
5404 +
5405 + if (pax_insert_vma(vma, call_dl_resolve)) {
5406 + up_write(&current->mm->mmap_sem);
5407 + kmem_cache_free(vm_area_cachep, vma);
5408 + return 1;
5409 + }
5410 +
5411 + current->mm->call_dl_resolve = call_dl_resolve;
5412 + up_write(&current->mm->mmap_sem);
5413 +
5414 +emulate:
5415 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5416 + regs->pc = call_dl_resolve;
5417 + regs->npc = addr+4;
5418 + return 3;
5419 + }
5420 +#endif
5421 +
5422 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
5423 + if ((save & 0xFFC00000U) == 0x05000000U &&
5424 + (call & 0xFFFFE000U) == 0x85C0A000U &&
5425 + nop == 0x01000000U)
5426 + {
5427 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5428 + regs->u_regs[UREG_G2] = addr + 4;
5429 + addr = (save & 0x003FFFFFU) << 10;
5430 + addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
5431 + regs->pc = addr;
5432 + regs->npc = addr+4;
5433 + return 3;
5434 + }
5435 + }
5436 + } while (0);
5437 +
5438 + do { /* PaX: unpatched PLT emulation step 2 */
5439 + unsigned int save, call, nop;
5440 +
5441 + err = get_user(save, (unsigned int *)(regs->pc-4));
5442 + err |= get_user(call, (unsigned int *)regs->pc);
5443 + err |= get_user(nop, (unsigned int *)(regs->pc+4));
5444 + if (err)
5445 + break;
5446 +
5447 + if (save == 0x9DE3BFA8U &&
5448 + (call & 0xC0000000U) == 0x40000000U &&
5449 + nop == 0x01000000U)
5450 + {
5451 + unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
5452 +
5453 + regs->u_regs[UREG_RETPC] = regs->pc;
5454 + regs->pc = dl_resolve;
5455 + regs->npc = dl_resolve+4;
5456 + return 3;
5457 + }
5458 + } while (0);
5459 +#endif
5460 +
5461 + return 1;
5462 +}
5463 +
5464 +void pax_report_insns(void *pc, void *sp)
5465 +{
5466 + unsigned long i;
5467 +
5468 + printk(KERN_ERR "PAX: bytes at PC: ");
5469 + for (i = 0; i < 8; i++) {
5470 + unsigned int c;
5471 + if (get_user(c, (unsigned int *)pc+i))
5472 + printk(KERN_CONT "???????? ");
5473 + else
5474 + printk(KERN_CONT "%08x ", c);
5475 + }
5476 + printk("\n");
5477 +}
5478 +#endif
5479 +
5480 asmlinkage void do_sparc_fault(struct pt_regs *regs, int text_fault, int write,
5481 unsigned long address)
5482 {
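Review bot: pax_handle_fetch_fault() matches instruction words read from user memory at `regs->pc` and then rewrites `pc`/`npc`, but nothing visible in this hunk ties the faulting address to a PLT mapping. Any non-executable page that holds one of these sequences is therefore emulated rather than treated as a violation. The header comment should state that tradeoff and what bounds it (presumably the redirect target must itself survive a fetch check). The opcode masks are unnamed apart from `/* save */`; named constants such as `#define INSN_NOP 0x01000000U` and one helper for the repeated `((x | mask) ^ bit) + bit` sign extension would make the decoder auditable. The user pointers passed to `get_user` are also cast without `__user`, unlike `user_instruction_dump((unsigned int __user *) regs->tpc)` elsewhere in the patch. The DLRESOLVE helpers and this decoder are duplicated in the fault_64.c hunk that follows.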
5483 @@ -231,6 +495,24 @@ good_area:
5484 if(!(vma->vm_flags & VM_WRITE))
5485 goto bad_area;
5486 } else {
5487 +
5488 +#ifdef CONFIG_PAX_PAGEEXEC
5489 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
5490 + up_read(&mm->mmap_sem);
5491 + switch (pax_handle_fetch_fault(regs)) {
5492 +
5493 +#ifdef CONFIG_PAX_EMUPLT
5494 + case 2:
5495 + case 3:
5496 + return;
5497 +#endif
5498 +
5499 + }
5500 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
5501 + do_group_exit(SIGKILL);
5502 + }
5503 +#endif
5504 +
5505 /* Allow reads even for write-only mappings */
5506 if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
5507 goto bad_area;
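Review bot: The `switch` depends on the bare return codes 2 and 3 from pax_handle_fetch_fault() and has no cases at all when CONFIG_PAX_EMUPLT is off. Falling through to `pax_report_fault` and `do_group_exit(SIGKILL)` for every other value is the safe default and worth stating in a comment, for example `/* 2, 3: PLT stub emulated, resume at the rewritten pc; anything else is fatal */`. An enum for the three results, shared with the fault_64.c copy, would remove the magic numbers. do_sparc_fault starts and ends outside this hunk.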
5508 diff -urNp linux-2.6.32.46/arch/sparc/mm/fault_64.c linux-2.6.32.46/arch/sparc/mm/fault_64.c
5509 --- linux-2.6.32.46/arch/sparc/mm/fault_64.c 2011-03-27 14:31:47.000000000 -0400
5510 +++ linux-2.6.32.46/arch/sparc/mm/fault_64.c 2011-04-17 15:56:46.000000000 -0400
5511 @@ -20,6 +20,9 @@
5512 #include <linux/kprobes.h>
5513 #include <linux/kdebug.h>
5514 #include <linux/percpu.h>
5515 +#include <linux/slab.h>
5516 +#include <linux/pagemap.h>
5517 +#include <linux/compiler.h>
5518
5519 #include <asm/page.h>
5520 #include <asm/pgtable.h>
5521 @@ -78,7 +81,7 @@ static void bad_kernel_pc(struct pt_regs
5522 printk(KERN_CRIT "OOPS: Bogus kernel PC [%016lx] in fault handler\n",
5523 regs->tpc);
5524 printk(KERN_CRIT "OOPS: RPC [%016lx]\n", regs->u_regs[15]);
5525 - printk("OOPS: RPC <%pS>\n", (void *) regs->u_regs[15]);
5526 + printk("OOPS: RPC <%pA>\n", (void *) regs->u_regs[15]);
5527 printk(KERN_CRIT "OOPS: Fault was to vaddr[%lx]\n", vaddr);
5528 dump_stack();
5529 unhandled_fault(regs->tpc, current, regs);
5530 @@ -249,6 +252,456 @@ static void noinline bogus_32bit_fault_a
5531 show_regs(regs);
5532 }
5533
5534 +#ifdef CONFIG_PAX_PAGEEXEC
5535 +#ifdef CONFIG_PAX_DLRESOLVE
5536 +static void pax_emuplt_close(struct vm_area_struct *vma)
5537 +{
5538 + vma->vm_mm->call_dl_resolve = 0UL;
5539 +}
5540 +
5541 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
5542 +{
5543 + unsigned int *kaddr;
5544 +
5545 + vmf->page = alloc_page(GFP_HIGHUSER);
5546 + if (!vmf->page)
5547 + return VM_FAULT_OOM;
5548 +
5549 + kaddr = kmap(vmf->page);
5550 + memset(kaddr, 0, PAGE_SIZE);
5551 + kaddr[0] = 0x9DE3BFA8U; /* save */
5552 + flush_dcache_page(vmf->page);
5553 + kunmap(vmf->page);
5554 + return VM_FAULT_MAJOR;
5555 +}
5556 +
5557 +static const struct vm_operations_struct pax_vm_ops = {
5558 + .close = pax_emuplt_close,
5559 + .fault = pax_emuplt_fault
5560 +};
5561 +
5562 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
5563 +{
5564 + int ret;
5565 +
5566 + vma->vm_mm = current->mm;
5567 + vma->vm_start = addr;
5568 + vma->vm_end = addr + PAGE_SIZE;
5569 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
5570 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
5571 + vma->vm_ops = &pax_vm_ops;
5572 +
5573 + ret = insert_vm_struct(current->mm, vma);
5574 + if (ret)
5575 + return ret;
5576 +
5577 + ++current->mm->total_vm;
5578 + return 0;
5579 +}
5580 +#endif
5581 +
5582 +/*
5583 + * PaX: decide what to do with offenders (regs->tpc = fault address)
5584 + *
5585 + * returns 1 when task should be killed
5586 + * 2 when patched PLT trampoline was detected
5587 + * 3 when unpatched PLT trampoline was detected
5588 + */
5589 +static int pax_handle_fetch_fault(struct pt_regs *regs)
5590 +{
5591 +
5592 +#ifdef CONFIG_PAX_EMUPLT
5593 + int err;
5594 +
5595 + do { /* PaX: patched PLT emulation #1 */
5596 + unsigned int sethi1, sethi2, jmpl;
5597 +
5598 + err = get_user(sethi1, (unsigned int *)regs->tpc);
5599 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
5600 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
5601 +
5602 + if (err)
5603 + break;
5604 +
5605 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
5606 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
5607 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
5608 + {
5609 + unsigned long addr;
5610 +
5611 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
5612 + addr = regs->u_regs[UREG_G1];
5613 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5614 +
5615 + if (test_thread_flag(TIF_32BIT))
5616 + addr &= 0xFFFFFFFFUL;
5617 +
5618 + regs->tpc = addr;
5619 + regs->tnpc = addr+4;
5620 + return 2;
5621 + }
5622 + } while (0);
5623 +
5624 + { /* PaX: patched PLT emulation #2 */
5625 + unsigned int ba;
5626 +
5627 + err = get_user(ba, (unsigned int *)regs->tpc);
5628 +
5629 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
5630 + unsigned long addr;
5631 +
5632 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5633 +
5634 + if (test_thread_flag(TIF_32BIT))
5635 + addr &= 0xFFFFFFFFUL;
5636 +
5637 + regs->tpc = addr;
5638 + regs->tnpc = addr+4;
5639 + return 2;
5640 + }
5641 + }
5642 +
5643 + do { /* PaX: patched PLT emulation #3 */
5644 + unsigned int sethi, jmpl, nop;
5645 +
5646 + err = get_user(sethi, (unsigned int *)regs->tpc);
5647 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
5648 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5649 +
5650 + if (err)
5651 + break;
5652 +
5653 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5654 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
5655 + nop == 0x01000000U)
5656 + {
5657 + unsigned long addr;
5658 +
5659 + addr = (sethi & 0x003FFFFFU) << 10;
5660 + regs->u_regs[UREG_G1] = addr;
5661 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5662 +
5663 + if (test_thread_flag(TIF_32BIT))
5664 + addr &= 0xFFFFFFFFUL;
5665 +
5666 + regs->tpc = addr;
5667 + regs->tnpc = addr+4;
5668 + return 2;
5669 + }
5670 + } while (0);
5671 +
5672 + do { /* PaX: patched PLT emulation #4 */
5673 + unsigned int sethi, mov1, call, mov2;
5674 +
5675 + err = get_user(sethi, (unsigned int *)regs->tpc);
5676 + err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
5677 + err |= get_user(call, (unsigned int *)(regs->tpc+8));
5678 + err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
5679 +
5680 + if (err)
5681 + break;
5682 +
5683 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5684 + mov1 == 0x8210000FU &&
5685 + (call & 0xC0000000U) == 0x40000000U &&
5686 + mov2 == 0x9E100001U)
5687 + {
5688 + unsigned long addr;
5689 +
5690 + regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
5691 + addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5692 +
5693 + if (test_thread_flag(TIF_32BIT))
5694 + addr &= 0xFFFFFFFFUL;
5695 +
5696 + regs->tpc = addr;
5697 + regs->tnpc = addr+4;
5698 + return 2;
5699 + }
5700 + } while (0);
5701 +
5702 + do { /* PaX: patched PLT emulation #5 */
5703 + unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
5704 +
5705 + err = get_user(sethi, (unsigned int *)regs->tpc);
5706 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5707 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5708 + err |= get_user(or1, (unsigned int *)(regs->tpc+12));
5709 + err |= get_user(or2, (unsigned int *)(regs->tpc+16));
5710 + err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
5711 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
5712 + err |= get_user(nop, (unsigned int *)(regs->tpc+28));
5713 +
5714 + if (err)
5715 + break;
5716 +
5717 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5718 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
5719 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5720 + (or1 & 0xFFFFE000U) == 0x82106000U &&
5721 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5722 + sllx == 0x83287020U &&
5723 + jmpl == 0x81C04005U &&
5724 + nop == 0x01000000U)
5725 + {
5726 + unsigned long addr;
5727 +
5728 + regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5729 + regs->u_regs[UREG_G1] <<= 32;
5730 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5731 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5732 + regs->tpc = addr;
5733 + regs->tnpc = addr+4;
5734 + return 2;
5735 + }
5736 + } while (0);
5737 +
5738 + do { /* PaX: patched PLT emulation #6 */
5739 + unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop;
5740 +
5741 + err = get_user(sethi, (unsigned int *)regs->tpc);
5742 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5743 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5744 + err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
5745 + err |= get_user(or, (unsigned int *)(regs->tpc+16));
5746 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
5747 + err |= get_user(nop, (unsigned int *)(regs->tpc+24));
5748 +
5749 + if (err)
5750 + break;
5751 +
5752 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5753 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
5754 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5755 + sllx == 0x83287020U &&
5756 + (or & 0xFFFFE000U) == 0x8A116000U &&
5757 + jmpl == 0x81C04005U &&
5758 + nop == 0x01000000U)
5759 + {
5760 + unsigned long addr;
5761 +
5762 + regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
5763 + regs->u_regs[UREG_G1] <<= 32;
5764 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
5765 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5766 + regs->tpc = addr;
5767 + regs->tnpc = addr+4;
5768 + return 2;
5769 + }
5770 + } while (0);
5771 +
5772 + do { /* PaX: unpatched PLT emulation step 1 */
5773 + unsigned int sethi, ba, nop;
5774 +
5775 + err = get_user(sethi, (unsigned int *)regs->tpc);
5776 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5777 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5778 +
5779 + if (err)
5780 + break;
5781 +
5782 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5783 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
5784 + nop == 0x01000000U)
5785 + {
5786 + unsigned long addr;
5787 + unsigned int save, call;
5788 + unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
5789 +
5790 + if ((ba & 0xFFC00000U) == 0x30800000U)
5791 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5792 + else
5793 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5794 +
5795 + if (test_thread_flag(TIF_32BIT))
5796 + addr &= 0xFFFFFFFFUL;
5797 +
5798 + err = get_user(save, (unsigned int *)addr);
5799 + err |= get_user(call, (unsigned int *)(addr+4));
5800 + err |= get_user(nop, (unsigned int *)(addr+8));
5801 + if (err)
5802 + break;
5803 +
5804 +#ifdef CONFIG_PAX_DLRESOLVE
5805 + if (save == 0x9DE3BFA8U &&
5806 + (call & 0xC0000000U) == 0x40000000U &&
5807 + nop == 0x01000000U)
5808 + {
5809 + struct vm_area_struct *vma;
5810 + unsigned long call_dl_resolve;
5811 +
5812 + down_read(&current->mm->mmap_sem);
5813 + call_dl_resolve = current->mm->call_dl_resolve;
5814 + up_read(&current->mm->mmap_sem);
5815 + if (likely(call_dl_resolve))
5816 + goto emulate;
5817 +
5818 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
5819 +
5820 + down_write(&current->mm->mmap_sem);
5821 + if (current->mm->call_dl_resolve) {
5822 + call_dl_resolve = current->mm->call_dl_resolve;
5823 + up_write(&current->mm->mmap_sem);
5824 + if (vma)
5825 + kmem_cache_free(vm_area_cachep, vma);
5826 + goto emulate;
5827 + }
5828 +
5829 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5830 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5831 + up_write(&current->mm->mmap_sem);
5832 + if (vma)
5833 + kmem_cache_free(vm_area_cachep, vma);
5834 + return 1;
5835 + }
5836 +
5837 + if (pax_insert_vma(vma, call_dl_resolve)) {
5838 + up_write(&current->mm->mmap_sem);
5839 + kmem_cache_free(vm_area_cachep, vma);
5840 + return 1;
5841 + }
5842 +
5843 + current->mm->call_dl_resolve = call_dl_resolve;
5844 + up_write(&current->mm->mmap_sem);
5845 +
5846 +emulate:
5847 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5848 + regs->tpc = call_dl_resolve;
5849 + regs->tnpc = addr+4;
5850 + return 3;
5851 + }
5852 +#endif
5853 +
5854 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
5855 + if ((save & 0xFFC00000U) == 0x05000000U &&
5856 + (call & 0xFFFFE000U) == 0x85C0A000U &&
5857 + nop == 0x01000000U)
5858 + {
5859 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5860 + regs->u_regs[UREG_G2] = addr + 4;
5861 + addr = (save & 0x003FFFFFU) << 10;
5862 + addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5863 +
5864 + if (test_thread_flag(TIF_32BIT))
5865 + addr &= 0xFFFFFFFFUL;
5866 +
5867 + regs->tpc = addr;
5868 + regs->tnpc = addr+4;
5869 + return 3;
5870 + }
5871 +
5872 + /* PaX: 64-bit PLT stub */
5873 + err = get_user(sethi1, (unsigned int *)addr);
5874 + err |= get_user(sethi2, (unsigned int *)(addr+4));
5875 + err |= get_user(or1, (unsigned int *)(addr+8));
5876 + err |= get_user(or2, (unsigned int *)(addr+12));
5877 + err |= get_user(sllx, (unsigned int *)(addr+16));
5878 + err |= get_user(add, (unsigned int *)(addr+20));
5879 + err |= get_user(jmpl, (unsigned int *)(addr+24));
5880 + err |= get_user(nop, (unsigned int *)(addr+28));
5881 + if (err)
5882 + break;
5883 +
5884 + if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
5885 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5886 + (or1 & 0xFFFFE000U) == 0x88112000U &&
5887 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5888 + sllx == 0x89293020U &&
5889 + add == 0x8A010005U &&
5890 + jmpl == 0x89C14000U &&
5891 + nop == 0x01000000U)
5892 + {
5893 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5894 + regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5895 + regs->u_regs[UREG_G4] <<= 32;
5896 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5897 + regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
5898 + regs->u_regs[UREG_G4] = addr + 24;
5899 + addr = regs->u_regs[UREG_G5];
5900 + regs->tpc = addr;
5901 + regs->tnpc = addr+4;
5902 + return 3;
5903 + }
5904 + }
5905 + } while (0);
5906 +
5907 +#ifdef CONFIG_PAX_DLRESOLVE
5908 + do { /* PaX: unpatched PLT emulation step 2 */
5909 + unsigned int save, call, nop;
5910 +
5911 + err = get_user(save, (unsigned int *)(regs->tpc-4));
5912 + err |= get_user(call, (unsigned int *)regs->tpc);
5913 + err |= get_user(nop, (unsigned int *)(regs->tpc+4));
5914 + if (err)
5915 + break;
5916 +
5917 + if (save == 0x9DE3BFA8U &&
5918 + (call & 0xC0000000U) == 0x40000000U &&
5919 + nop == 0x01000000U)
5920 + {
5921 + unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5922 +
5923 + if (test_thread_flag(TIF_32BIT))
5924 + dl_resolve &= 0xFFFFFFFFUL;
5925 +
5926 + regs->u_regs[UREG_RETPC] = regs->tpc;
5927 + regs->tpc = dl_resolve;
5928 + regs->tnpc = dl_resolve+4;
5929 + return 3;
5930 + }
5931 + } while (0);
5932 +#endif
5933 +
5934 + do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
5935 + unsigned int sethi, ba, nop;
5936 +
5937 + err = get_user(sethi, (unsigned int *)regs->tpc);
5938 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5939 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5940 +
5941 + if (err)
5942 + break;
5943 +
5944 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5945 + (ba & 0xFFF00000U) == 0x30600000U &&
5946 + nop == 0x01000000U)
5947 + {
5948 + unsigned long addr;
5949 +
5950 + addr = (sethi & 0x003FFFFFU) << 10;
5951 + regs->u_regs[UREG_G1] = addr;
5952 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5953 +
5954 + if (test_thread_flag(TIF_32BIT))
5955 + addr &= 0xFFFFFFFFUL;
5956 +
5957 + regs->tpc = addr;
5958 + regs->tnpc = addr+4;
5959 + return 2;
5960 + }
5961 + } while (0);
5962 +
5963 +#endif
5964 +
5965 + return 1;
5966 +}
5967 +
5968 +void pax_report_insns(void *pc, void *sp)
5969 +{
5970 + unsigned long i;
5971 +
5972 + printk(KERN_ERR "PAX: bytes at PC: ");
5973 + for (i = 0; i < 8; i++) {
5974 + unsigned int c;
5975 + if (get_user(c, (unsigned int *)pc+i))
5976 + printk(KERN_CONT "???????? ");
5977 + else
5978 + printk(KERN_CONT "%08x ", c);
5979 + }
5980 + printk("\n");
5981 +}
5982 +#endif
5983 +
5984 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
5985 {
5986 struct mm_struct *mm = current->mm;
5987 @@ -315,6 +768,29 @@ asmlinkage void __kprobes do_sparc64_fau
5988 if (!vma)
5989 goto bad_area;
5990
5991 +#ifdef CONFIG_PAX_PAGEEXEC
5992 + /* PaX: detect ITLB misses on non-exec pages */
5993 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
5994 + !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
5995 + {
5996 + if (address != regs->tpc)
5997 + goto good_area;
5998 +
5999 + up_read(&mm->mmap_sem);
6000 + switch (pax_handle_fetch_fault(regs)) {
6001 +
6002 +#ifdef CONFIG_PAX_EMUPLT
6003 + case 2:
6004 + case 3:
6005 + return;
6006 +#endif
6007 +
6008 + }
6009 + pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
6010 + do_group_exit(SIGKILL);
6011 + }
6012 +#endif
6013 +
6014 /* Pure DTLB misses do not tell us whether the fault causing
6015 * load/store/atomic was a write or not, it only says that there
6016 * was no match. So in such a case we (carefully) read the
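Review bot: The `switch (pax_handle_fetch_fault(regs))` in the added PAGEEXEC block dispatches on the bare values 2 and 3 and has no `default`, so the report-and-kill path is reached only by falling out of the switch. With CONFIG_PAX_EMUPLT unset the switch body is empty. Adding `default: break; /* not an emulated PLT stub: report and kill */` makes that intent explicit, and named constants for the handler's return codes would keep this caller in step with it. The body of do_sparc64_fault extends beyond this hunk.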
6017 diff -urNp linux-2.6.32.46/arch/sparc/mm/hugetlbpage.c linux-2.6.32.46/arch/sparc/mm/hugetlbpage.c
6018 --- linux-2.6.32.46/arch/sparc/mm/hugetlbpage.c 2011-03-27 14:31:47.000000000 -0400
6019 +++ linux-2.6.32.46/arch/sparc/mm/hugetlbpage.c 2011-04-17 15:56:46.000000000 -0400
6020 @@ -69,7 +69,7 @@ full_search:
6021 }
6022 return -ENOMEM;
6023 }
6024 - if (likely(!vma || addr + len <= vma->vm_start)) {
6025 + if (likely(check_heap_stack_gap(vma, addr, len))) {
6026 /*
6027 * Remember the place where we stopped the search:
6028 */
6029 @@ -108,7 +108,7 @@ hugetlb_get_unmapped_area_topdown(struct
6030 /* make sure it can fit in the remaining address space */
6031 if (likely(addr > len)) {
6032 vma = find_vma(mm, addr-len);
6033 - if (!vma || addr <= vma->vm_start) {
6034 + if (check_heap_stack_gap(vma, addr - len, len)) {
6035 /* remember the address as a hint for next time */
6036 return (mm->free_area_cache = addr-len);
6037 }
6038 @@ -117,16 +117,17 @@ hugetlb_get_unmapped_area_topdown(struct
6039 if (unlikely(mm->mmap_base < len))
6040 goto bottomup;
6041
6042 - addr = (mm->mmap_base-len) & HPAGE_MASK;
6043 + addr = mm->mmap_base - len;
6044
6045 do {
6046 + addr &= HPAGE_MASK;
6047 /*
6048 * Lookup failure means no vma is above this address,
6049 * else if new region fits below vma->vm_start,
6050 * return with success:
6051 */
6052 vma = find_vma(mm, addr);
6053 - if (likely(!vma || addr+len <= vma->vm_start)) {
6054 + if (likely(check_heap_stack_gap(vma, addr, len))) {
6055 /* remember the address as a hint for next time */
6056 return (mm->free_area_cache = addr);
6057 }
6058 @@ -136,8 +137,8 @@ hugetlb_get_unmapped_area_topdown(struct
6059 mm->cached_hole_size = vma->vm_start - addr;
6060
6061 /* try just below the current vma->vm_start */
6062 - addr = (vma->vm_start-len) & HPAGE_MASK;
6063 - } while (likely(len < vma->vm_start));
6064 + addr = skip_heap_stack_gap(vma, len);
6065 + } while (!IS_ERR_VALUE(addr));
6066
6067 bottomup:
6068 /*
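Review bot: The top-down search loop now ends only when `skip_heap_stack_gap(vma, len)` yields a value for which `IS_ERR_VALUE()` is true, replacing the explicit comparison of `len` with `vma->vm_start`, and the helper is not defined in these hunks. A comment at the call, for example `/* skip_heap_stack_gap() returns an error value once nothing fits below vma->vm_start */`, would document the termination contract; the wording should be confirmed against the helper. The preceding hunk moves `addr &= HPAGE_MASK` to the top of the loop, presumably because the helper's result is not huge-page aligned, and that deserves a one-line comment as well. hugetlb_get_unmapped_area_topdown starts and ends outside this hunk.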
6069 @@ -183,8 +184,7 @@ hugetlb_get_unmapped_area(struct file *f
6070 if (addr) {
6071 addr = ALIGN(addr, HPAGE_SIZE);
6072 vma = find_vma(mm, addr);
6073 - if (task_size - len >= addr &&
6074 - (!vma || addr + len <= vma->vm_start))
6075 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
6076 return addr;
6077 }
6078 if (mm->get_unmapped_area == arch_get_unmapped_area)
6079 diff -urNp linux-2.6.32.46/arch/sparc/mm/init_32.c linux-2.6.32.46/arch/sparc/mm/init_32.c
6080 --- linux-2.6.32.46/arch/sparc/mm/init_32.c 2011-03-27 14:31:47.000000000 -0400
6081 +++ linux-2.6.32.46/arch/sparc/mm/init_32.c 2011-04-17 15:56:46.000000000 -0400
6082 @@ -317,6 +317,9 @@ extern void device_scan(void);
6083 pgprot_t PAGE_SHARED __read_mostly;
6084 EXPORT_SYMBOL(PAGE_SHARED);
6085
6086 +pgprot_t PAGE_SHARED_NOEXEC __read_mostly;
6087 +EXPORT_SYMBOL(PAGE_SHARED_NOEXEC);
6088 +
6089 void __init paging_init(void)
6090 {
6091 switch(sparc_cpu_model) {
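Review bot: `PAGE_SHARED_NOEXEC` is defined and exported here unconditionally, while its only visible initialisation, in the srmmu.c hunk for `ld_mmu_srmmu`, sits under `#ifdef CONFIG_PAX_PAGEEXEC`. The next hunk in this file also stores the `_NOEXEC` protections into `protection_map[]` without a guard, so what a kernel built without that option ends up with depends on header definitions not shown in these hunks. Wrapping these two lines in the same `#ifdef CONFIG_PAX_PAGEEXEC` would keep definition and initialisation in step, assuming the header aliases the `_NOEXEC` names to the plain ones when the option is off.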
6092 @@ -345,17 +348,17 @@ void __init paging_init(void)
6093
6094 /* Initialize the protection map with non-constant, MMU dependent values. */
6095 protection_map[0] = PAGE_NONE;
6096 - protection_map[1] = PAGE_READONLY;
6097 - protection_map[2] = PAGE_COPY;
6098 - protection_map[3] = PAGE_COPY;
6099 + protection_map[1] = PAGE_READONLY_NOEXEC;
6100 + protection_map[2] = PAGE_COPY_NOEXEC;
6101 + protection_map[3] = PAGE_COPY_NOEXEC;
6102 protection_map[4] = PAGE_READONLY;
6103 protection_map[5] = PAGE_READONLY;
6104 protection_map[6] = PAGE_COPY;
6105 protection_map[7] = PAGE_COPY;
6106 protection_map[8] = PAGE_NONE;
6107 - protection_map[9] = PAGE_READONLY;
6108 - protection_map[10] = PAGE_SHARED;
6109 - protection_map[11] = PAGE_SHARED;
6110 + protection_map[9] = PAGE_READONLY_NOEXEC;
6111 + protection_map[10] = PAGE_SHARED_NOEXEC;
6112 + protection_map[11] = PAGE_SHARED_NOEXEC;
6113 protection_map[12] = PAGE_READONLY;
6114 protection_map[13] = PAGE_READONLY;
6115 protection_map[14] = PAGE_SHARED;
6116 diff -urNp linux-2.6.32.46/arch/sparc/mm/Makefile linux-2.6.32.46/arch/sparc/mm/Makefile
6117 --- linux-2.6.32.46/arch/sparc/mm/Makefile 2011-03-27 14:31:47.000000000 -0400
6118 +++ linux-2.6.32.46/arch/sparc/mm/Makefile 2011-04-17 15:56:46.000000000 -0400
6119 @@ -2,7 +2,7 @@
6120 #
6121
6122 asflags-y := -ansi
6123 -ccflags-y := -Werror
6124 +#ccflags-y := -Werror
6125
6126 obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o
6127 obj-y += fault_$(BITS).o
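Review bot: Disabling `-Werror` by commenting the line out leaves dead text in the Makefile and no record of which warning in arch/sparc/mm made it necessary. Either delete the line or keep it with a reason, for example `# -Werror disabled: REASON`, where REASON stands for the actual warning, which the patch does not state. Dropping the flag for the whole directory also means that new warnings in the fault handlers added by this patch no longer fail the build.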
6128 diff -urNp linux-2.6.32.46/arch/sparc/mm/srmmu.c linux-2.6.32.46/arch/sparc/mm/srmmu.c
6129 --- linux-2.6.32.46/arch/sparc/mm/srmmu.c 2011-03-27 14:31:47.000000000 -0400
6130 +++ linux-2.6.32.46/arch/sparc/mm/srmmu.c 2011-04-17 15:56:46.000000000 -0400
6131 @@ -2200,6 +2200,13 @@ void __init ld_mmu_srmmu(void)
6132 PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
6133 BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
6134 BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
6135 +
6136 +#ifdef CONFIG_PAX_PAGEEXEC
6137 + PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
6138 + BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
6139 + BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
6140 +#endif
6141 +
6142 BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
6143 page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
6144
6145 diff -urNp linux-2.6.32.46/arch/um/include/asm/kmap_types.h linux-2.6.32.46/arch/um/include/asm/kmap_types.h
6146 --- linux-2.6.32.46/arch/um/include/asm/kmap_types.h 2011-03-27 14:31:47.000000000 -0400
6147 +++ linux-2.6.32.46/arch/um/include/asm/kmap_types.h 2011-04-17 15:56:46.000000000 -0400
6148 @@ -23,6 +23,7 @@ enum km_type {
6149 KM_IRQ1,
6150 KM_SOFTIRQ0,
6151 KM_SOFTIRQ1,
6152 + KM_CLEARPAGE,
6153 KM_TYPE_NR
6154 };
6155
6156 diff -urNp linux-2.6.32.46/arch/um/include/asm/page.h linux-2.6.32.46/arch/um/include/asm/page.h
6157 --- linux-2.6.32.46/arch/um/include/asm/page.h 2011-03-27 14:31:47.000000000 -0400
6158 +++ linux-2.6.32.46/arch/um/include/asm/page.h 2011-04-17 15:56:46.000000000 -0400
6159 @@ -14,6 +14,9 @@
6160 #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
6161 #define PAGE_MASK (~(PAGE_SIZE-1))
6162
6163 +#define ktla_ktva(addr) (addr)
6164 +#define ktva_ktla(addr) (addr)
6165 +
6166 #ifndef __ASSEMBLY__
6167
6168 struct page;
6169 diff -urNp linux-2.6.32.46/arch/um/kernel/process.c linux-2.6.32.46/arch/um/kernel/process.c
6170 --- linux-2.6.32.46/arch/um/kernel/process.c 2011-03-27 14:31:47.000000000 -0400
6171 +++ linux-2.6.32.46/arch/um/kernel/process.c 2011-04-17 15:56:46.000000000 -0400
6172 @@ -393,22 +393,6 @@ int singlestepping(void * t)
6173 return 2;
6174 }
6175
6176 -/*
6177 - * Only x86 and x86_64 have an arch_align_stack().
6178 - * All other arches have "#define arch_align_stack(x) (x)"
6179 - * in their asm/system.h
6180 - * As this is included in UML from asm-um/system-generic.h,
6181 - * we can use it to behave as the subarch does.
6182 - */
6183 -#ifndef arch_align_stack
6184 -unsigned long arch_align_stack(unsigned long sp)
6185 -{
6186 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
6187 - sp -= get_random_int() % 8192;
6188 - return sp & ~0xf;
6189 -}
6190 -#endif
6191 -
6192 unsigned long get_wchan(struct task_struct *p)
6193 {
6194 unsigned long stack_page, sp, ip;
6195 diff -urNp linux-2.6.32.46/arch/um/sys-i386/syscalls.c linux-2.6.32.46/arch/um/sys-i386/syscalls.c
6196 --- linux-2.6.32.46/arch/um/sys-i386/syscalls.c 2011-03-27 14:31:47.000000000 -0400
6197 +++ linux-2.6.32.46/arch/um/sys-i386/syscalls.c 2011-04-17 15:56:46.000000000 -0400
6198 @@ -11,6 +11,21 @@
6199 #include "asm/uaccess.h"
6200 #include "asm/unistd.h"
6201
6202 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
6203 +{
6204 + unsigned long pax_task_size = TASK_SIZE;
6205 +
6206 +#ifdef CONFIG_PAX_SEGMEXEC
6207 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
6208 + pax_task_size = SEGMEXEC_TASK_SIZE;
6209 +#endif
6210 +
6211 + if (len > pax_task_size || addr > pax_task_size - len)
6212 + return -EINVAL;
6213 +
6214 + return 0;
6215 +}
6216 +
6217 /*
6218 * Perform the select(nd, in, out, ex, tv) and mmap() system
6219 * calls. Linux/i386 didn't use to be able to handle more than
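Review bot: `i386_mmap_check` has no comment, and the shape of its range test is the part worth explaining: the `len` comparison comes first so that `pax_task_size - len` cannot wrap before it is compared with `addr`. A comment above the `if` such as `/* reject ranges that leave the task's address space; len is tested first so the subtraction cannot underflow */` records that. The function also dereferences `current->mm` under CONFIG_PAX_SEGMEXEC without a NULL test, which is fine only if it is never called from a context without an mm; its callers are not in this hunk.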
6220 diff -urNp linux-2.6.32.46/arch/x86/boot/bitops.h linux-2.6.32.46/arch/x86/boot/bitops.h
6221 --- linux-2.6.32.46/arch/x86/boot/bitops.h 2011-03-27 14:31:47.000000000 -0400
6222 +++ linux-2.6.32.46/arch/x86/boot/bitops.h 2011-04-17 15:56:46.000000000 -0400
6223 @@ -26,7 +26,7 @@ static inline int variable_test_bit(int
6224 u8 v;
6225 const u32 *p = (const u32 *)addr;
6226
6227 - asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
6228 + asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
6229 return v;
6230 }
6231
6232 @@ -37,7 +37,7 @@ static inline int variable_test_bit(int
6233
6234 static inline void set_bit(int nr, void *addr)
6235 {
6236 - asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
6237 + asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
6238 }
6239
6240 #endif /* BOOT_BITOPS_H */
6241 diff -urNp linux-2.6.32.46/arch/x86/boot/boot.h linux-2.6.32.46/arch/x86/boot/boot.h
6242 --- linux-2.6.32.46/arch/x86/boot/boot.h 2011-03-27 14:31:47.000000000 -0400
6243 +++ linux-2.6.32.46/arch/x86/boot/boot.h 2011-04-17 15:56:46.000000000 -0400
6244 @@ -82,7 +82,7 @@ static inline void io_delay(void)
6245 static inline u16 ds(void)
6246 {
6247 u16 seg;
6248 - asm("movw %%ds,%0" : "=rm" (seg));
6249 + asm volatile("movw %%ds,%0" : "=rm" (seg));
6250 return seg;
6251 }
6252
6253 @@ -178,7 +178,7 @@ static inline void wrgs32(u32 v, addr_t
6254 static inline int memcmp(const void *s1, const void *s2, size_t len)
6255 {
6256 u8 diff;
6257 - asm("repe; cmpsb; setnz %0"
6258 + asm volatile("repe; cmpsb; setnz %0"
6259 : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
6260 return diff;
6261 }
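Review bot: Adding `volatile` keeps the compiler from dropping or merging this `asm`, but the statement still reads both buffers through `s1` and `s2` without declaring it, since there is no memory operand or clobber. Ending the operand list with a clobber, `: "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len) : : "memory");`, orders it after earlier stores to those buffers. Separately, with `len == 0` the `repe; cmpsb` performs no comparison, so `setnz` reads whatever the flags held beforehand; if any caller can pass zero, a guard such as `if (!len) return 0;` is needed.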
6262 diff -urNp linux-2.6.32.46/arch/x86/boot/compressed/head_32.S linux-2.6.32.46/arch/x86/boot/compressed/head_32.S
6263 --- linux-2.6.32.46/arch/x86/boot/compressed/head_32.S 2011-03-27 14:31:47.000000000 -0400
6264 +++ linux-2.6.32.46/arch/x86/boot/compressed/head_32.S 2011-04-17 15:56:46.000000000 -0400
6265 @@ -76,7 +76,7 @@ ENTRY(startup_32)
6266 notl %eax
6267 andl %eax, %ebx
6268 #else
6269 - movl $LOAD_PHYSICAL_ADDR, %ebx
6270 + movl $____LOAD_PHYSICAL_ADDR, %ebx
6271 #endif
6272
6273 /* Target address to relocate to for decompression */
6274 @@ -149,7 +149,7 @@ relocated:
6275 * and where it was actually loaded.
6276 */
6277 movl %ebp, %ebx
6278 - subl $LOAD_PHYSICAL_ADDR, %ebx
6279 + subl $____LOAD_PHYSICAL_ADDR, %ebx
6280 jz 2f /* Nothing to be done if loaded at compiled addr. */
6281 /*
6282 * Process relocations.
6283 @@ -157,8 +157,7 @@ relocated:
6284
6285 1: subl $4, %edi
6286 movl (%edi), %ecx
6287 - testl %ecx, %ecx
6288 - jz 2f
6289 + jecxz 2f
6290 addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
6291 jmp 1b
6292 2:
6293 diff -urNp linux-2.6.32.46/arch/x86/boot/compressed/head_64.S linux-2.6.32.46/arch/x86/boot/compressed/head_64.S
6294 --- linux-2.6.32.46/arch/x86/boot/compressed/head_64.S 2011-03-27 14:31:47.000000000 -0400
6295 +++ linux-2.6.32.46/arch/x86/boot/compressed/head_64.S 2011-07-01 18:53:00.000000000 -0400
6296 @@ -91,7 +91,7 @@ ENTRY(startup_32)
6297 notl %eax
6298 andl %eax, %ebx
6299 #else
6300 - movl $LOAD_PHYSICAL_ADDR, %ebx
6301 + movl $____LOAD_PHYSICAL_ADDR, %ebx
6302 #endif
6303
6304 /* Target address to relocate to for decompression */
6305 @@ -183,7 +183,7 @@ no_longmode:
6306 hlt
6307 jmp 1b
6308
6309 -#include "../../kernel/verify_cpu_64.S"
6310 +#include "../../kernel/verify_cpu.S"
6311
6312 /*
6313 * Be careful here startup_64 needs to be at a predictable
6314 @@ -234,7 +234,7 @@ ENTRY(startup_64)
6315 notq %rax
6316 andq %rax, %rbp
6317 #else
6318 - movq $LOAD_PHYSICAL_ADDR, %rbp
6319 + movq $____LOAD_PHYSICAL_ADDR, %rbp
6320 #endif
6321
6322 /* Target address to relocate to for decompression */
6323 diff -urNp linux-2.6.32.46/arch/x86/boot/compressed/Makefile linux-2.6.32.46/arch/x86/boot/compressed/Makefile
6324 --- linux-2.6.32.46/arch/x86/boot/compressed/Makefile 2011-03-27 14:31:47.000000000 -0400
6325 +++ linux-2.6.32.46/arch/x86/boot/compressed/Makefile 2011-08-07 14:38:34.000000000 -0400
6326 @@ -13,6 +13,9 @@ cflags-$(CONFIG_X86_64) := -mcmodel=smal
6327 KBUILD_CFLAGS += $(cflags-y)
6328 KBUILD_CFLAGS += $(call cc-option,-ffreestanding)
6329 KBUILD_CFLAGS += $(call cc-option,-fno-stack-protector)
6330 +ifdef CONSTIFY_PLUGIN
6331 +KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
6332 +endif
6333
6334 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
6335 GCOV_PROFILE := n
6336 diff -urNp linux-2.6.32.46/arch/x86/boot/compressed/misc.c linux-2.6.32.46/arch/x86/boot/compressed/misc.c
6337 --- linux-2.6.32.46/arch/x86/boot/compressed/misc.c 2011-03-27 14:31:47.000000000 -0400
6338 +++ linux-2.6.32.46/arch/x86/boot/compressed/misc.c 2011-04-17 15:56:46.000000000 -0400
6339 @@ -288,7 +288,7 @@ static void parse_elf(void *output)
6340 case PT_LOAD:
6341 #ifdef CONFIG_RELOCATABLE
6342 dest = output;
6343 - dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
6344 + dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
6345 #else
6346 dest = (void *)(phdr->p_paddr);
6347 #endif
6348 @@ -335,7 +335,7 @@ asmlinkage void decompress_kernel(void *
6349 error("Destination address too large");
6350 #endif
6351 #ifndef CONFIG_RELOCATABLE
6352 - if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
6353 + if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
6354 error("Wrong destination address");
6355 #endif
6356
6357 diff -urNp linux-2.6.32.46/arch/x86/boot/compressed/mkpiggy.c linux-2.6.32.46/arch/x86/boot/compressed/mkpiggy.c
6358 --- linux-2.6.32.46/arch/x86/boot/compressed/mkpiggy.c 2011-03-27 14:31:47.000000000 -0400
6359 +++ linux-2.6.32.46/arch/x86/boot/compressed/mkpiggy.c 2011-04-17 15:56:46.000000000 -0400
6360 @@ -74,7 +74,7 @@ int main(int argc, char *argv[])
6361
6362 offs = (olen > ilen) ? olen - ilen : 0;
6363 offs += olen >> 12; /* Add 8 bytes for each 32K block */
6364 - offs += 32*1024 + 18; /* Add 32K + 18 bytes slack */
6365 + offs += 64*1024; /* Add 64K bytes slack */
6366 offs = (offs+4095) & ~4095; /* Round to a 4K boundary */
6367
6368 printf(".section \".rodata.compressed\",\"a\",@progbits\n");
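Review bot: The replacement constant drops the `+ 18` term and roughly doubles the slack, but the new comment only restates the number. `offs` appears to be the offset used for in-place decompression, where too small a margin would let the output overrun unread input, so the comment should say what the extra 32K covers, for example `/* Add 64K slack: REASON */` with the reason supplied by the author. main() starts and continues outside this hunk.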
6369 diff -urNp linux-2.6.32.46/arch/x86/boot/compressed/relocs.c linux-2.6.32.46/arch/x86/boot/compressed/relocs.c
6370 --- linux-2.6.32.46/arch/x86/boot/compressed/relocs.c 2011-03-27 14:31:47.000000000 -0400
6371 +++ linux-2.6.32.46/arch/x86/boot/compressed/relocs.c 2011-04-17 15:56:46.000000000 -0400
6372 @@ -10,8 +10,11 @@
6373 #define USE_BSD
6374 #include <endian.h>
6375
6376 +#include "../../../../include/linux/autoconf.h"
6377 +
6378 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
6379 static Elf32_Ehdr ehdr;
6380 +static Elf32_Phdr *phdr;
6381 static unsigned long reloc_count, reloc_idx;
6382 static unsigned long *relocs;
6383
6384 @@ -37,7 +40,7 @@ static const char* safe_abs_relocs[] = {
6385
6386 static int is_safe_abs_reloc(const char* sym_name)
6387 {
6388 - int i;
6389 + unsigned int i;
6390
6391 for (i = 0; i < ARRAY_SIZE(safe_abs_relocs); i++) {
6392 if (!strcmp(sym_name, safe_abs_relocs[i]))
6393 @@ -245,9 +248,39 @@ static void read_ehdr(FILE *fp)
6394 }
6395 }
6396
6397 +static void read_phdrs(FILE *fp)
6398 +{
6399 + unsigned int i;
6400 +
6401 + phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
6402 + if (!phdr) {
6403 + die("Unable to allocate %d program headers\n",
6404 + ehdr.e_phnum);
6405 + }
6406 + if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
6407 + die("Seek to %d failed: %s\n",
6408 + ehdr.e_phoff, strerror(errno));
6409 + }
6410 + if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
6411 + die("Cannot read ELF program headers: %s\n",
6412 + strerror(errno));
6413 + }
6414 + for(i = 0; i < ehdr.e_phnum; i++) {
6415 + phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
6416 + phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
6417 + phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
6418 + phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
6419 + phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
6420 + phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
6421 + phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
6422 + phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
6423 + }
6424 +
6425 +}
6426 +
6427 static void read_shdrs(FILE *fp)
6428 {
6429 - int i;
6430 + unsigned int i;
6431 Elf32_Shdr shdr;
6432
6433 secs = calloc(ehdr.e_shnum, sizeof(struct section));
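Review bot: In the new `read_phdrs`, the `fread` failure branch prints `strerror(errno)`, but a short read from a truncated file does not set `errno`, so the message can show a stale or unrelated error. `die("Cannot read ELF program headers: %s\n", ferror(fp) ? strerror(errno) : "short read");` separates the two cases. The seek message also prints `ehdr.e_phoff` with `%d` although the field is unsigned; `%u` avoids a negative offset in the output for large values. read_shdrs, whose first lines close this hunk, continues outside it.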
6434 @@ -282,7 +315,7 @@ static void read_shdrs(FILE *fp)
6435
6436 static void read_strtabs(FILE *fp)
6437 {
6438 - int i;
6439 + unsigned int i;
6440 for (i = 0; i < ehdr.e_shnum; i++) {
6441 struct section *sec = &secs[i];
6442 if (sec->shdr.sh_type != SHT_STRTAB) {
6443 @@ -307,7 +340,7 @@ static void read_strtabs(FILE *fp)
6444
6445 static void read_symtabs(FILE *fp)
6446 {
6447 - int i,j;
6448 + unsigned int i,j;
6449 for (i = 0; i < ehdr.e_shnum; i++) {
6450 struct section *sec = &secs[i];
6451 if (sec->shdr.sh_type != SHT_SYMTAB) {
6452 @@ -340,7 +373,9 @@ static void read_symtabs(FILE *fp)
6453
6454 static void read_relocs(FILE *fp)
6455 {
6456 - int i,j;
6457 + unsigned int i,j;
6458 + uint32_t base;
6459 +
6460 for (i = 0; i < ehdr.e_shnum; i++) {
6461 struct section *sec = &secs[i];
6462 if (sec->shdr.sh_type != SHT_REL) {
6463 @@ -360,9 +395,18 @@ static void read_relocs(FILE *fp)
6464 die("Cannot read symbol table: %s\n",
6465 strerror(errno));
6466 }
6467 + base = 0;
6468 + for (j = 0; j < ehdr.e_phnum; j++) {
6469 + if (phdr[j].p_type != PT_LOAD )
6470 + continue;
6471 + if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
6472 + continue;
6473 + base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
6474 + break;
6475 + }
6476 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
6477 Elf32_Rel *rel = &sec->reltab[j];
6478 - rel->r_offset = elf32_to_cpu(rel->r_offset);
6479 + rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
6480 rel->r_info = elf32_to_cpu(rel->r_info);
6481 }
6482 }
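Review bot: The added segment lookup leaves `base` at 0 when no `PT_LOAD` entry contains the target section, and the following loop then stores `r_offset` unadjusted without any diagnostic. If that fallback is intended for sections that are not loaded, a comment such as `/* base stays 0 for sections outside every PT_LOAD segment */` should say so; if not, the miss should call `die()`. The lookup also indexes `secs[]` with `sec->shdr.sh_info` taken from the input file, and nothing in this hunk compares it with `ehdr.e_shnum`. read_relocs starts before and ends after this hunk.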
6483 @@ -371,14 +415,14 @@ static void read_relocs(FILE *fp)
6484
6485 static void print_absolute_symbols(void)
6486 {
6487 - int i;
6488 + unsigned int i;
6489 printf("Absolute symbols\n");
6490 printf(" Num: Value Size Type Bind Visibility Name\n");
6491 for (i = 0; i < ehdr.e_shnum; i++) {
6492 struct section *sec = &secs[i];
6493 char *sym_strtab;
6494 Elf32_Sym *sh_symtab;
6495 - int j;
6496 + unsigned int j;
6497
6498 if (sec->shdr.sh_type != SHT_SYMTAB) {
6499 continue;
6500 @@ -406,14 +450,14 @@ static void print_absolute_symbols(void)
6501
6502 static void print_absolute_relocs(void)
6503 {
6504 - int i, printed = 0;
6505 + unsigned int i, printed = 0;
6506
6507 for (i = 0; i < ehdr.e_shnum; i++) {
6508 struct section *sec = &secs[i];
6509 struct section *sec_applies, *sec_symtab;
6510 char *sym_strtab;
6511 Elf32_Sym *sh_symtab;
6512 - int j;
6513 + unsigned int j;
6514 if (sec->shdr.sh_type != SHT_REL) {
6515 continue;
6516 }
6517 @@ -474,13 +518,13 @@ static void print_absolute_relocs(void)
6518
6519 static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
6520 {
6521 - int i;
6522 + unsigned int i;
6523 /* Walk through the relocations */
6524 for (i = 0; i < ehdr.e_shnum; i++) {
6525 char *sym_strtab;
6526 Elf32_Sym *sh_symtab;
6527 struct section *sec_applies, *sec_symtab;
6528 - int j;
6529 + unsigned int j;
6530 struct section *sec = &secs[i];
6531
6532 if (sec->shdr.sh_type != SHT_REL) {
6533 @@ -504,6 +548,21 @@ static void walk_relocs(void (*visit)(El
6534 if (sym->st_shndx == SHN_ABS) {
6535 continue;
6536 }
6537 + /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
6538 + if (!strcmp(sec_name(sym->st_shndx), ".data.percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
6539 + continue;
6540 +
6541 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
6542 + /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
6543 + if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
6544 + continue;
6545 + if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
6546 + continue;
6547 + if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
6548 + continue;
6549 + if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
6550 + continue;
6551 +#endif
6552 if (r_type == R_386_NONE || r_type == R_386_PC32) {
6553 /*
6554 * NONE can be ignored and and PC relative
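Review bot: The `.data.percpu` skip is placed before the `#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)` block, so it applies to every configuration this tool is built for, whereas the code-section skips are conditional. If treating per-cpu symbols as indices rather than addresses depends on a layout this patch introduces, the comment should name that dependency. The added tests also call `sec_name(sym->st_shndx)` up to five times per relocation; a local `const char *name = sec_name(sym->st_shndx);` would shorten them. walk_relocs starts and ends outside this hunk.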
6555 @@ -541,7 +600,7 @@ static int cmp_relocs(const void *va, co
6556
6557 static void emit_relocs(int as_text)
6558 {
6559 - int i;
6560 + unsigned int i;
6561 /* Count how many relocations I have and allocate space for them. */
6562 reloc_count = 0;
6563 walk_relocs(count_reloc);
6564 @@ -634,6 +693,7 @@ int main(int argc, char **argv)
6565 fname, strerror(errno));
6566 }
6567 read_ehdr(fp);
6568 + read_phdrs(fp);
6569 read_shdrs(fp);
6570 read_strtabs(fp);
6571 read_symtabs(fp);
6572 diff -urNp linux-2.6.32.46/arch/x86/boot/cpucheck.c linux-2.6.32.46/arch/x86/boot/cpucheck.c
6573 --- linux-2.6.32.46/arch/x86/boot/cpucheck.c 2011-03-27 14:31:47.000000000 -0400
6574 +++ linux-2.6.32.46/arch/x86/boot/cpucheck.c 2011-04-17 15:56:46.000000000 -0400
6575 @@ -74,7 +74,7 @@ static int has_fpu(void)
6576 u16 fcw = -1, fsw = -1;
6577 u32 cr0;
6578
6579 - asm("movl %%cr0,%0" : "=r" (cr0));
6580 + asm volatile("movl %%cr0,%0" : "=r" (cr0));
6581 if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
6582 cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
6583 asm volatile("movl %0,%%cr0" : : "r" (cr0));
6584 @@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
6585 {
6586 u32 f0, f1;
6587
6588 - asm("pushfl ; "
6589 + asm volatile("pushfl ; "
6590 "pushfl ; "
6591 "popl %0 ; "
6592 "movl %0,%1 ; "
6593 @@ -115,7 +115,7 @@ static void get_flags(void)
6594 set_bit(X86_FEATURE_FPU, cpu.flags);
6595
6596 if (has_eflag(X86_EFLAGS_ID)) {
6597 - asm("cpuid"
6598 + asm volatile("cpuid"
6599 : "=a" (max_intel_level),
6600 "=b" (cpu_vendor[0]),
6601 "=d" (cpu_vendor[1]),
6602 @@ -124,7 +124,7 @@ static void get_flags(void)
6603
6604 if (max_intel_level >= 0x00000001 &&
6605 max_intel_level <= 0x0000ffff) {
6606 - asm("cpuid"
6607 + asm volatile("cpuid"
6608 : "=a" (tfms),
6609 "=c" (cpu.flags[4]),
6610 "=d" (cpu.flags[0])
6611 @@ -136,7 +136,7 @@ static void get_flags(void)
6612 cpu.model += ((tfms >> 16) & 0xf) << 4;
6613 }
6614
6615 - asm("cpuid"
6616 + asm volatile("cpuid"
6617 : "=a" (max_amd_level)
6618 : "a" (0x80000000)
6619 : "ebx", "ecx", "edx");
6620 @@ -144,7 +144,7 @@ static void get_flags(void)
6621 if (max_amd_level >= 0x80000001 &&
6622 max_amd_level <= 0x8000ffff) {
6623 u32 eax = 0x80000001;
6624 - asm("cpuid"
6625 + asm volatile("cpuid"
6626 : "+a" (eax),
6627 "=c" (cpu.flags[6]),
6628 "=d" (cpu.flags[1])
6629 @@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r
6630 u32 ecx = MSR_K7_HWCR;
6631 u32 eax, edx;
6632
6633 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6634 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6635 eax &= ~(1 << 15);
6636 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6637 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6638
6639 get_flags(); /* Make sure it really did something */
6640 err = check_flags();
6641 @@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r
6642 u32 ecx = MSR_VIA_FCR;
6643 u32 eax, edx;
6644
6645 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6646 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6647 eax |= (1<<1)|(1<<7);
6648 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6649 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6650
6651 set_bit(X86_FEATURE_CX8, cpu.flags);
6652 err = check_flags();
6653 @@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r
6654 u32 eax, edx;
6655 u32 level = 1;
6656
6657 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6658 - asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
6659 - asm("cpuid"
6660 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6661 + asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
6662 + asm volatile("cpuid"
6663 : "+a" (level), "=d" (cpu.flags[0])
6664 : : "ecx", "ebx");
6665 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6666 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6667
6668 err = check_flags();
6669 }
6670 diff -urNp linux-2.6.32.46/arch/x86/boot/header.S linux-2.6.32.46/arch/x86/boot/header.S
6671 --- linux-2.6.32.46/arch/x86/boot/header.S 2011-03-27 14:31:47.000000000 -0400
6672 +++ linux-2.6.32.46/arch/x86/boot/header.S 2011-04-17 15:56:46.000000000 -0400
6673 @@ -224,7 +224,7 @@ setup_data: .quad 0 # 64-bit physical
6674 # single linked list of
6675 # struct setup_data
6676
6677 -pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
6678 +pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
6679
6680 #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
6681 #define VO_INIT_SIZE (VO__end - VO__text)
6682 diff -urNp linux-2.6.32.46/arch/x86/boot/Makefile linux-2.6.32.46/arch/x86/boot/Makefile
6683 --- linux-2.6.32.46/arch/x86/boot/Makefile 2011-03-27 14:31:47.000000000 -0400
6684 +++ linux-2.6.32.46/arch/x86/boot/Makefile 2011-08-07 14:38:13.000000000 -0400
6685 @@ -69,6 +69,9 @@ KBUILD_CFLAGS := $(LINUXINCLUDE) -g -Os
6686 $(call cc-option, -fno-stack-protector) \
6687 $(call cc-option, -mpreferred-stack-boundary=2)
6688 KBUILD_CFLAGS += $(call cc-option, -m32)
6689 +ifdef CONSTIFY_PLUGIN
6690 +KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
6691 +endif
6692 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
6693 GCOV_PROFILE := n
6694
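--- a/arch/x86/boot/memory.c
+++ b/arch/x86/boot/memory.c
@@ -19,7 +19,7 @@
 
 static int detect_memory_e820(void)
 {
- int count = 0;
+ unsigned int count = 0;
 struct biosregs ireg, oreg;
 struct e820entry *desc = boot_params.e820_map;
 static struct e820entry buf; /* static so it is zeroed */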
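--- a/arch/x86/boot/video.c
+++ b/arch/x86/boot/video.c
@@ -90,7 +90,7 @@ static void store_mode_params(void)
 static unsigned int get_entry(void)
 {
 char entry_buf[4];
- int i, len = 0;
+ unsigned int i, len = 0;
 int key;
 unsigned int v;
 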
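--- a/arch/x86/boot/video-vesa.c
+++ b/arch/x86/boot/video-vesa.c
@@ -200,6 +200,7 @@ static void vesa_store_pm_info(void)
 
 boot_params.screen_info.vesapm_seg = oreg.es;
 boot_params.screen_info.vesapm_off = oreg.di;
+ boot_params.screen_info.vesapm_size = oreg.cx;
 }
 
 /*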
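Review bot: `vesapm_size` is copied from `oreg.cx` without a comment on what the value means or that it is firmware-supplied. The two neighbouring fields are a segment and an offset, so this is presumably the length of the protected-mode interface table; any later consumer that treats it as a length has to bound it itself, and that code is outside this hunk. I would add `/* CX: table length as reported by the BIOS, not validated here */` on the new line.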
6730 diff -urNp linux-2.6.32.46/arch/x86/crypto/aes-x86_64-asm_64.S linux-2.6.32.46/arch/x86/crypto/aes-x86_64-asm_64.S
6731 --- linux-2.6.32.46/arch/x86/crypto/aes-x86_64-asm_64.S 2011-03-27 14:31:47.000000000 -0400
6732 +++ linux-2.6.32.46/arch/x86/crypto/aes-x86_64-asm_64.S 2011-10-06 09:37:14.000000000 -0400
6733 @@ -8,6 +8,8 @@
6734 * including this sentence is retained in full.
6735 */
6736
6737 +#include <asm/alternative-asm.h>
6738 +
6739 .extern crypto_ft_tab
6740 .extern crypto_it_tab
6741 .extern crypto_fl_tab
6742 @@ -71,6 +73,8 @@ FUNC: movq r1,r2; \
6743 je B192; \
6744 leaq 32(r9),r9;
6745
6746 +#define ret pax_force_retaddr; ret
6747 +
6748 #define epilogue(r1,r2,r3,r4,r5,r6,r7,r8,r9) \
6749 movq r1,r2; \
6750 movq r3,r4; \
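Review bot: `#define ret pax_force_retaddr; ret` silently rewrites every later `ret` token in this file, whereas the salsa20 and twofish sections on this page insert `pax_force_retaddr` explicitly before each `ret`. The macro is easy to miss when reading the functions below it, and it also applies to any `ret` that was not meant to be instrumented. Either use the explicit form here as well, or keep the macro and add `/* every ret below this line is preceded by pax_force_retaddr */` above it.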
6751 diff -urNp linux-2.6.32.46/arch/x86/crypto/salsa20-x86_64-asm_64.S linux-2.6.32.46/arch/x86/crypto/salsa20-x86_64-asm_64.S
6752 --- linux-2.6.32.46/arch/x86/crypto/salsa20-x86_64-asm_64.S 2011-03-27 14:31:47.000000000 -0400
6753 +++ linux-2.6.32.46/arch/x86/crypto/salsa20-x86_64-asm_64.S 2011-10-06 09:37:14.000000000 -0400
6754 @@ -1,3 +1,5 @@
6755 +#include <asm/alternative-asm.h>
6756 +
6757 # enter ECRYPT_encrypt_bytes
6758 .text
6759 .p2align 5
6760 @@ -790,6 +792,7 @@ ECRYPT_encrypt_bytes:
6761 add %r11,%rsp
6762 mov %rdi,%rax
6763 mov %rsi,%rdx
6764 + pax_force_retaddr
6765 ret
6766 # bytesatleast65:
6767 ._bytesatleast65:
6768 @@ -891,6 +894,7 @@ ECRYPT_keysetup:
6769 add %r11,%rsp
6770 mov %rdi,%rax
6771 mov %rsi,%rdx
6772 + pax_force_retaddr
6773 ret
6774 # enter ECRYPT_ivsetup
6775 .text
6776 @@ -917,4 +921,5 @@ ECRYPT_ivsetup:
6777 add %r11,%rsp
6778 mov %rdi,%rax
6779 mov %rsi,%rdx
6780 + pax_force_retaddr
6781 ret
6782 diff -urNp linux-2.6.32.46/arch/x86/crypto/twofish-x86_64-asm_64.S linux-2.6.32.46/arch/x86/crypto/twofish-x86_64-asm_64.S
6783 --- linux-2.6.32.46/arch/x86/crypto/twofish-x86_64-asm_64.S 2011-03-27 14:31:47.000000000 -0400
6784 +++ linux-2.6.32.46/arch/x86/crypto/twofish-x86_64-asm_64.S 2011-10-06 09:37:14.000000000 -0400
6785 @@ -21,6 +21,7 @@
6786 .text
6787
6788 #include <asm/asm-offsets.h>
6789 +#include <asm/alternative-asm.h>
6790
6791 #define a_offset 0
6792 #define b_offset 4
6793 @@ -269,6 +270,7 @@ twofish_enc_blk:
6794
6795 popq R1
6796 movq $1,%rax
6797 + pax_force_retaddr
6798 ret
6799
6800 twofish_dec_blk:
6801 @@ -321,4 +323,5 @@ twofish_dec_blk:
6802
6803 popq R1
6804 movq $1,%rax
6805 + pax_force_retaddr
6806 ret
6807 diff -urNp linux-2.6.32.46/arch/x86/ia32/ia32_aout.c linux-2.6.32.46/arch/x86/ia32/ia32_aout.c
6808 --- linux-2.6.32.46/arch/x86/ia32/ia32_aout.c 2011-03-27 14:31:47.000000000 -0400
6809 +++ linux-2.6.32.46/arch/x86/ia32/ia32_aout.c 2011-04-17 15:56:46.000000000 -0400
6810 @@ -169,6 +169,8 @@ static int aout_core_dump(long signr, st
6811 unsigned long dump_start, dump_size;
6812 struct user32 dump;
6813
6814 + memset(&dump, 0, sizeof(dump));
6815 +
6816 fs = get_fs();
6817 set_fs(KERNEL_DS);
6818 has_dumped = 1;
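Review bot: The added `memset(&dump, 0, sizeof(dump));` has no comment saying what it protects against, so it looks removable to a later reader. `dump` is a stack `struct user32` in a core-dump routine, and any field or padding not assigned later would otherwise carry stale kernel stack contents into whatever is written out; the assignments and the write itself are outside this hunk. I would add `/* clear padding and unset fields before the struct is dumped */` above the call.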
6819 @@ -218,12 +220,6 @@ static int aout_core_dump(long signr, st
6820 dump_size = dump.u_ssize << PAGE_SHIFT;
6821 DUMP_WRITE(dump_start, dump_size);
6822 }
6823 - /*
6824 - * Finally dump the task struct. Not be used by gdb, but
6825 - * could be useful
6826 - */
6827 - set_fs(KERNEL_DS);
6828 - DUMP_WRITE(current, sizeof(*current));
6829 end_coredump:
6830 set_fs(fs);
6831 return has_dumped;
6832 diff -urNp linux-2.6.32.46/arch/x86/ia32/ia32entry.S linux-2.6.32.46/arch/x86/ia32/ia32entry.S
6833 --- linux-2.6.32.46/arch/x86/ia32/ia32entry.S 2011-03-27 14:31:47.000000000 -0400
6834 +++ linux-2.6.32.46/arch/x86/ia32/ia32entry.S 2011-08-25 17:42:18.000000000 -0400
6835 @@ -13,6 +13,7 @@
6836 #include <asm/thread_info.h>
6837 #include <asm/segment.h>
6838 #include <asm/irqflags.h>
6839 +#include <asm/pgtable.h>
6840 #include <linux/linkage.h>
6841
6842 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
6843 @@ -93,6 +94,29 @@ ENTRY(native_irq_enable_sysexit)
6844 ENDPROC(native_irq_enable_sysexit)
6845 #endif
6846
6847 + .macro pax_enter_kernel_user
6848 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6849 + call pax_enter_kernel_user
6850 +#endif
6851 + .endm
6852 +
6853 + .macro pax_exit_kernel_user
6854 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6855 + call pax_exit_kernel_user
6856 +#endif
6857 +#ifdef CONFIG_PAX_RANDKSTACK
6858 + pushq %rax
6859 + call pax_randomize_kstack
6860 + popq %rax
6861 +#endif
6862 + .endm
6863 +
6864 +.macro pax_erase_kstack
6865 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
6866 + call pax_erase_kstack
6867 +#endif
6868 +.endm
6869 +
6870 /*
6871 * 32bit SYSENTER instruction entry.
6872 *
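Review bot: The third macro is written as `.macro pax_erase_kstack` / `.endm` at column 0 while the two above it are indented, and none of the three has a comment saying what it does when its config option is off or which registers it touches. `pax_exit_kernel_user` saves `%rax` around `call pax_randomize_kstack` but not around `call pax_exit_kernel_user`, and the reason for the asymmetry is not stated. I would indent the third macro like the others and add a one-line comment above each, for example `/* expands to nothing unless CONFIG_PAX_MEMORY_STACKLEAK is set */`.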
6873 @@ -119,7 +143,7 @@ ENTRY(ia32_sysenter_target)
6874 CFI_REGISTER rsp,rbp
6875 SWAPGS_UNSAFE_STACK
6876 movq PER_CPU_VAR(kernel_stack), %rsp
6877 - addq $(KERNEL_STACK_OFFSET),%rsp
6878 + pax_enter_kernel_user
6879 /*
6880 * No need to follow this irqs on/off section: the syscall
6881 * disabled irqs, here we enable it straight after entry:
6882 @@ -135,7 +159,8 @@ ENTRY(ia32_sysenter_target)
6883 pushfq
6884 CFI_ADJUST_CFA_OFFSET 8
6885 /*CFI_REL_OFFSET rflags,0*/
6886 - movl 8*3-THREAD_SIZE+TI_sysenter_return(%rsp), %r10d
6887 + GET_THREAD_INFO(%r10)
6888 + movl TI_sysenter_return(%r10), %r10d
6889 CFI_REGISTER rip,r10
6890 pushq $__USER32_CS
6891 CFI_ADJUST_CFA_OFFSET 8
6892 @@ -150,6 +175,12 @@ ENTRY(ia32_sysenter_target)
6893 SAVE_ARGS 0,0,1
6894 /* no need to do an access_ok check here because rbp has been
6895 32bit zero extended */
6896 +
6897 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6898 + mov $PAX_USER_SHADOW_BASE,%r10
6899 + add %r10,%rbp
6900 +#endif
6901 +
6902 1: movl (%rbp),%ebp
6903 .section __ex_table,"a"
6904 .quad 1b,ia32_badarg
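Review bot: The comment directly above the new block still justifies skipping `access_ok` by the zero extension of `%rbp`, but under `CONFIG_PAX_MEMORY_UDEREF` the load at `1:` no longer uses that address; it uses `%rbp + PAX_USER_SHADOW_BASE`. The block also overwrites `%r10` as scratch without saying so. I would add `/* UDEREF: rebase the zero-extended user pointer by PAX_USER_SHADOW_BASE; %r10 is scratch here */` inside the `#ifdef`. The same applies to the `%r8` variant in the `ia32_cstar_target` hunk at `@@ -311,6 +355,12 @@`.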
6905 @@ -172,6 +203,8 @@ sysenter_dispatch:
6906 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6907 jnz sysexit_audit
6908 sysexit_from_sys_call:
6909 + pax_exit_kernel_user
6910 + pax_erase_kstack
6911 andl $~TS_COMPAT,TI_status(%r10)
6912 /* clear IF, that popfq doesn't enable interrupts early */
6913 andl $~0x200,EFLAGS-R11(%rsp)
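Review bot: `%r10` is live across the two new macro calls: it is used in `testl $_TIF_ALLWORK_MASK,TI_flags(%r10)` before them and in `andl $~TS_COMPAT,TI_status(%r10)` right after. The macros expand to plain `call`s and save only `%rax` around `pax_randomize_kstack`, so this path depends on all three callees preserving `%r10`, which cannot be checked from this page. A comment at the label such as `/* pax_* helpers must preserve %r10 (thread_info) */` would record the dependency; `sysretl_from_sys_call` in the hunk at `@@ -333,6 +383,8 @@` has the same pattern.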
6914 @@ -200,6 +233,9 @@ sysexit_from_sys_call:
6915 movl %eax,%esi /* 2nd arg: syscall number */
6916 movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */
6917 call audit_syscall_entry
6918 +
6919 + pax_erase_kstack
6920 +
6921 movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */
6922 cmpq $(IA32_NR_syscalls-1),%rax
6923 ja ia32_badsys
6924 @@ -252,6 +288,9 @@ sysenter_tracesys:
6925 movq $-ENOSYS,RAX(%rsp)/* ptrace can change this for a bad syscall */
6926 movq %rsp,%rdi /* &pt_regs -> arg1 */
6927 call syscall_trace_enter
6928 +
6929 + pax_erase_kstack
6930 +
6931 LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
6932 RESTORE_REST
6933 cmpq $(IA32_NR_syscalls-1),%rax
6934 @@ -283,19 +322,24 @@ ENDPROC(ia32_sysenter_target)
6935 ENTRY(ia32_cstar_target)
6936 CFI_STARTPROC32 simple
6937 CFI_SIGNAL_FRAME
6938 - CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET
6939 + CFI_DEF_CFA rsp,0
6940 CFI_REGISTER rip,rcx
6941 /*CFI_REGISTER rflags,r11*/
6942 SWAPGS_UNSAFE_STACK
6943 movl %esp,%r8d
6944 CFI_REGISTER rsp,r8
6945 movq PER_CPU_VAR(kernel_stack),%rsp
6946 +
6947 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6948 + pax_enter_kernel_user
6949 +#endif
6950 +
6951 /*
6952 * No need to follow this irqs on/off section: the syscall
6953 * disabled irqs and here we enable it straight after entry:
6954 */
6955 ENABLE_INTERRUPTS(CLBR_NONE)
6956 - SAVE_ARGS 8,1,1
6957 + SAVE_ARGS 8*6,1,1
6958 movl %eax,%eax /* zero extension */
6959 movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
6960 movq %rcx,RIP-ARGOFFSET(%rsp)
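Review bot: `pax_enter_kernel_user` is wrapped in `#ifdef CONFIG_PAX_MEMORY_UDEREF` here, but the macro body already contains that same guard, and the `ia32_sysenter_target` and `ia32_syscall` call sites invoke it bare. The extra guard is redundant and makes the three entry points read differently. I would drop the `#ifdef`/`#endif` pair and keep just `pax_enter_kernel_user`. `ia32_cstar_target` continues outside the hunk.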
6961 @@ -311,6 +355,12 @@ ENTRY(ia32_cstar_target)
6962 /* no need to do an access_ok check here because r8 has been
6963 32bit zero extended */
6964 /* hardware stack frame is complete now */
6965 +
6966 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6967 + mov $PAX_USER_SHADOW_BASE,%r10
6968 + add %r10,%r8
6969 +#endif
6970 +
6971 1: movl (%r8),%r9d
6972 .section __ex_table,"a"
6973 .quad 1b,ia32_badarg
6974 @@ -333,6 +383,8 @@ cstar_dispatch:
6975 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6976 jnz sysretl_audit
6977 sysretl_from_sys_call:
6978 + pax_exit_kernel_user
6979 + pax_erase_kstack
6980 andl $~TS_COMPAT,TI_status(%r10)
6981 RESTORE_ARGS 1,-ARG_SKIP,1,1,1
6982 movl RIP-ARGOFFSET(%rsp),%ecx
6983 @@ -370,6 +422,9 @@ cstar_tracesys:
6984 movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
6985 movq %rsp,%rdi /* &pt_regs -> arg1 */
6986 call syscall_trace_enter
6987 +
6988 + pax_erase_kstack
6989 +
6990 LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */
6991 RESTORE_REST
6992 xchgl %ebp,%r9d
6993 @@ -415,6 +470,7 @@ ENTRY(ia32_syscall)
6994 CFI_REL_OFFSET rip,RIP-RIP
6995 PARAVIRT_ADJUST_EXCEPTION_FRAME
6996 SWAPGS
6997 + pax_enter_kernel_user
6998 /*
6999 * No need to follow this irqs on/off section: the syscall
7000 * disabled irqs and here we enable it straight after entry:
7001 @@ -448,6 +504,9 @@ ia32_tracesys:
7002 movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
7003 movq %rsp,%rdi /* &pt_regs -> arg1 */
7004 call syscall_trace_enter
7005 +
7006 + pax_erase_kstack
7007 +
7008 LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
7009 RESTORE_REST
7010 cmpq $(IA32_NR_syscalls-1),%rax
7011 diff -urNp linux-2.6.32.46/arch/x86/ia32/ia32_signal.c linux-2.6.32.46/arch/x86/ia32/ia32_signal.c
7012 --- linux-2.6.32.46/arch/x86/ia32/ia32_signal.c 2011-03-27 14:31:47.000000000 -0400
7013 +++ linux-2.6.32.46/arch/x86/ia32/ia32_signal.c 2011-10-06 09:37:08.000000000 -0400
7014 @@ -167,7 +167,7 @@ asmlinkage long sys32_sigaltstack(const
7015 }
7016 seg = get_fs();
7017 set_fs(KERNEL_DS);
7018 - ret = do_sigaltstack(uss_ptr ? &uss : NULL, &uoss, regs->sp);
7019 + ret = do_sigaltstack(uss_ptr ? (const stack_t __force_user *)&uss : NULL, (stack_t __force_user *)&uoss, regs->sp);
7020 set_fs(seg);
7021 if (ret >= 0 && uoss_ptr) {
7022 if (!access_ok(VERIFY_WRITE, uoss_ptr, sizeof(stack_ia32_t)))
7023 @@ -374,7 +374,7 @@ static int ia32_setup_sigcontext(struct
7024 */
7025 static void __user *get_sigframe(struct k_sigaction *ka, struct pt_regs *regs,
7026 size_t frame_size,
7027 - void **fpstate)
7028 + void __user **fpstate)
7029 {
7030 unsigned long sp;
7031
7032 @@ -395,7 +395,7 @@ static void __user *get_sigframe(struct
7033
7034 if (used_math()) {
7035 sp = sp - sig_xstate_ia32_size;
7036 - *fpstate = (struct _fpstate_ia32 *) sp;
7037 + *fpstate = (struct _fpstate_ia32 __user *) sp;
7038 if (save_i387_xstate_ia32(*fpstate) < 0)
7039 return (void __user *) -1L;
7040 }
7041 @@ -403,7 +403,7 @@ static void __user *get_sigframe(struct
7042 sp -= frame_size;
7043 /* Align the stack pointer according to the i386 ABI,
7044 * i.e. so that on function entry ((sp + 4) & 15) == 0. */
7045 - sp = ((sp + 4) & -16ul) - 4;
7046 + sp = ((sp - 12) & -16ul) - 4;
7047 return (void __user *) sp;
7048 }
7049
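Review bot: The constant changes from `(sp + 4)` to `(sp - 12)`, but the comment above still states only the alignment invariant, which both forms satisfy. What actually differs is that the new expression always ends 16 to 31 bytes below the incoming `sp` instead of 0 to 15, and the reason for wanting that gap is not recorded. I would extend the comment with `* Rounding from sp - 12 keeps the alignment and always moves the frame at least 16 bytes down.` followed by the reason. `get_sigframe` starts outside the hunk.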
7050 @@ -461,7 +461,7 @@ int ia32_setup_frame(int sig, struct k_s
7051 * These are actually not used anymore, but left because some
7052 * gdb versions depend on them as a marker.
7053 */
7054 - put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
7055 + put_user_ex(*((const u64 *)&code), (u64 __user *)frame->retcode);
7056 } put_user_catch(err);
7057
7058 if (err)
7059 @@ -503,7 +503,7 @@ int ia32_setup_rt_frame(int sig, struct
7060 0xb8,
7061 __NR_ia32_rt_sigreturn,
7062 0x80cd,
7063 - 0,
7064 + 0
7065 };
7066
7067 frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate);
7068 @@ -533,16 +533,18 @@ int ia32_setup_rt_frame(int sig, struct
7069
7070 if (ka->sa.sa_flags & SA_RESTORER)
7071 restorer = ka->sa.sa_restorer;
7072 + else if (current->mm->context.vdso)
7073 + /* Return stub is in 32bit vsyscall page */
7074 + restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
7075 else
7076 - restorer = VDSO32_SYMBOL(current->mm->context.vdso,
7077 - rt_sigreturn);
7078 + restorer = &frame->retcode;
7079 put_user_ex(ptr_to_compat(restorer), &frame->pretcode);
7080
7081 /*
7082 * Not actually used anymore, but left because some gdb
7083 * versions need it.
7084 */
7085 - put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
7086 + put_user_ex(*((const u64 *)&code), (u64 __user *)frame->retcode);
7087 } put_user_catch(err);
7088
7089 if (err)
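Review bot: With the new final `else restorer = &frame->retcode;`, the on-stack stub becomes the real return path when there is neither `SA_RESTORER` nor a vDSO, yet the comment further down still says it is "Not actually used anymore". That fallback returns into bytes written to the user stack, so it only works where that memory is executable or the stub is emulated, which deserves a mention. I would change the comment to `Used only when there is no SA_RESTORER and no vDSO; some gdb versions also need it as a marker.` and brace the `else if` arm, since it now holds a comment plus a statement. `ia32_setup_rt_frame` starts and ends outside the hunk.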
7090 diff -urNp linux-2.6.32.46/arch/x86/ia32/sys_ia32.c linux-2.6.32.46/arch/x86/ia32/sys_ia32.c
7091 --- linux-2.6.32.46/arch/x86/ia32/sys_ia32.c 2011-03-27 14:31:47.000000000 -0400
7092 +++ linux-2.6.32.46/arch/x86/ia32/sys_ia32.c 2011-10-06 09:37:14.000000000 -0400
7093 @@ -69,8 +69,8 @@ asmlinkage long sys32_ftruncate64(unsign
7094 */
7095 static int cp_stat64(struct stat64 __user *ubuf, struct kstat *stat)
7096 {
7097 - typeof(ubuf->st_uid) uid = 0;
7098 - typeof(ubuf->st_gid) gid = 0;
7099 + typeof(((struct stat64 *)0)->st_uid) uid = 0;
7100 + typeof(((struct stat64 *)0)->st_gid) gid = 0;
7101 SET_UID(uid, stat->uid);
7102 SET_GID(gid, stat->gid);
7103 if (!access_ok(VERIFY_WRITE, ubuf, sizeof(struct stat64)) ||
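Review bot: Nothing says why the local types are now taken from `((struct stat64 *)0)` rather than from `ubuf`. `typeof` does not evaluate its operand, so no dereference happens either way; the point appears to be that the type is no longer named through a `__user` pointer. A one-line comment, `/* field types taken from the struct itself, not via the __user pointer */`, would keep someone from simplifying it back. `cp_stat64` continues outside the hunk.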
7104 @@ -308,8 +308,8 @@ asmlinkage long sys32_rt_sigprocmask(int
7105 }
7106 set_fs(KERNEL_DS);
7107 ret = sys_rt_sigprocmask(how,
7108 - set ? (sigset_t __user *)&s : NULL,
7109 - oset ? (sigset_t __user *)&s : NULL,
7110 + set ? (sigset_t __force_user *)&s : NULL,
7111 + oset ? (sigset_t __force_user *)&s : NULL,
7112 sigsetsize);
7113 set_fs(old_fs);
7114 if (ret)
7115 @@ -371,7 +371,7 @@ asmlinkage long sys32_sched_rr_get_inter
7116 mm_segment_t old_fs = get_fs();
7117
7118 set_fs(KERNEL_DS);
7119 - ret = sys_sched_rr_get_interval(pid, (struct timespec __user *)&t);
7120 + ret = sys_sched_rr_get_interval(pid, (struct timespec __force_user *)&t);
7121 set_fs(old_fs);
7122 if (put_compat_timespec(&t, interval))
7123 return -EFAULT;
7124 @@ -387,7 +387,7 @@ asmlinkage long sys32_rt_sigpending(comp
7125 mm_segment_t old_fs = get_fs();
7126
7127 set_fs(KERNEL_DS);
7128 - ret = sys_rt_sigpending((sigset_t __user *)&s, sigsetsize);
7129 + ret = sys_rt_sigpending((sigset_t __force_user *)&s, sigsetsize);
7130 set_fs(old_fs);
7131 if (!ret) {
7132 switch (_NSIG_WORDS) {
7133 @@ -412,7 +412,7 @@ asmlinkage long sys32_rt_sigqueueinfo(in
7134 if (copy_siginfo_from_user32(&info, uinfo))
7135 return -EFAULT;
7136 set_fs(KERNEL_DS);
7137 - ret = sys_rt_sigqueueinfo(pid, sig, (siginfo_t __user *)&info);
7138 + ret = sys_rt_sigqueueinfo(pid, sig, (siginfo_t __force_user *)&info);
7139 set_fs(old_fs);
7140 return ret;
7141 }
7142 @@ -513,7 +513,7 @@ asmlinkage long sys32_sendfile(int out_f
7143 return -EFAULT;
7144
7145 set_fs(KERNEL_DS);
7146 - ret = sys_sendfile(out_fd, in_fd, offset ? (off_t __user *)&of : NULL,
7147 + ret = sys_sendfile(out_fd, in_fd, offset ? (off_t __force_user *)&of : NULL,
7148 count);
7149 set_fs(old_fs);
7150
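--- a/arch/x86/include/asm/alternative-asm.h
+++ b/arch/x86/include/asm/alternative-asm.h
@@ -19,4 +19,13 @@
 .endm
 #endif
 
+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
+ .macro pax_force_retaddr rip=0
+ btsq $63,\rip(%rsp)
+ .endm
+#else
+ .macro pax_force_retaddr rip=0
+ .endm
+#endif
+
 #endif /* __ASSEMBLY__ */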
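Review bot: `pax_force_retaddr` is defined twice with the same signature and has no comment, although `btsq $63,\rip(%rsp)` is not self-explanatory and the parameter named `rip` is really an offset from `%rsp`. The `pax_*` macros in `ia32entry.S` on this page put the `#ifdef` inside a single `.macro` body, which would be shorter here too. I would add `/* set bit 63 of the return address stored at \rip(%rsp); empty without CONFIG_PAX_KERNEXEC_PLUGIN */` above the definition.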
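--- a/arch/x86/include/asm/alternative.h
+++ b/arch/x86/include/asm/alternative.h
@@ -85,7 +85,7 @@ static inline void alternatives_smp_swit
 " .byte 662b-661b\n" /* sourcelen */ \
 " .byte 664f-663f\n" /* replacementlen */ \
 ".previous\n" \
- ".section .altinstr_replacement, \"ax\"\n" \
+ ".section .altinstr_replacement, \"a\"\n" \
 "663:\n\t" newinstr "\n664:\n" /* replacement */ \
 ".previous"
 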
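Review bot: The flags of `.altinstr_replacement` change from `"ax"` to `"a"` in this one macro with no comment on why the section should stop being executable. Other emitters of the same section, if any exist outside this hunk, would need the same flags, since the assembler complains when one section is declared with differing attributes. A short comment beside the `.section` line, e.g. `/* replacement bytes are copied over the original, never run in place */`, would record the intent; that rationale is my reading and should be confirmed.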
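--- a/arch/x86/include/asm/apic.h
+++ b/arch/x86/include/asm/apic.h
@@ -46,7 +46,7 @@ static inline void generic_apic_probe(vo
 
 #ifdef CONFIG_X86_LOCAL_APIC
 
-extern unsigned int apic_verbosity;
+extern int apic_verbosity;
 extern int local_apic_timer_c2_ok;
 
 extern int disable_apic;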
7192 diff -urNp linux-2.6.32.46/arch/x86/include/asm/apm.h linux-2.6.32.46/arch/x86/include/asm/apm.h
7193 --- linux-2.6.32.46/arch/x86/include/asm/apm.h 2011-03-27 14:31:47.000000000 -0400
7194 +++ linux-2.6.32.46/arch/x86/include/asm/apm.h 2011-04-17 15:56:46.000000000 -0400
7195 @@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32
7196 __asm__ __volatile__(APM_DO_ZERO_SEGS
7197 "pushl %%edi\n\t"
7198 "pushl %%ebp\n\t"
7199 - "lcall *%%cs:apm_bios_entry\n\t"
7200 + "lcall *%%ss:apm_bios_entry\n\t"
7201 "setc %%al\n\t"
7202 "popl %%ebp\n\t"
7203 "popl %%edi\n\t"
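Review bot: The far call now fetches `apm_bios_entry` through `%ss:` instead of `%cs:`, and nothing explains why the stack segment is the right one to use. `APM_DO_ZERO_SEGS` runs first, so presumably `%ss` is the remaining segment known to cover kernel data once `%cs` is no longer used for reads; that is an inference from the names. I would add `/* %ss: override: apm_bios_entry is fetched through the stack segment, not %cs */` above the asm in both `apm_bios_call_asm` and `apm_bios_call_simple_asm` (the next hunk).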
7204 @@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as
7205 __asm__ __volatile__(APM_DO_ZERO_SEGS
7206 "pushl %%edi\n\t"
7207 "pushl %%ebp\n\t"
7208 - "lcall *%%cs:apm_bios_entry\n\t"
7209 + "lcall *%%ss:apm_bios_entry\n\t"
7210 "setc %%bl\n\t"
7211 "popl %%ebp\n\t"
7212 "popl %%edi\n\t"
7213 diff -urNp linux-2.6.32.46/arch/x86/include/asm/atomic_32.h linux-2.6.32.46/arch/x86/include/asm/atomic_32.h
7214 --- linux-2.6.32.46/arch/x86/include/asm/atomic_32.h 2011-03-27 14:31:47.000000000 -0400
7215 +++ linux-2.6.32.46/arch/x86/include/asm/atomic_32.h 2011-05-04 17:56:20.000000000 -0400
7216 @@ -25,6 +25,17 @@ static inline int atomic_read(const atom
7217 }
7218
7219 /**
7220 + * atomic_read_unchecked - read atomic variable
7221 + * @v: pointer of type atomic_unchecked_t
7222 + *
7223 + * Atomically reads the value of @v.
7224 + */
7225 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
7226 +{
7227 + return v->counter;
7228 +}
7229 +
7230 +/**
7231 * atomic_set - set atomic variable
7232 * @v: pointer of type atomic_t
7233 * @i: required value
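Review bot: The kernel-doc for `atomic_read_unchecked` repeats the text of `atomic_read` and never says what "unchecked" means. The same holds for every `_unchecked` helper added in this file (`atomic_set_unchecked`, `atomic_add_unchecked`, `atomic_sub_unchecked` and so on), where the only visible difference from the checked twin is the missing `CONFIG_PAX_REFCOUNT` overflow block. I would add one line to each comment, e.g. for the add variant ` * No overflow detection is performed, unlike atomic_add().`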
7234 @@ -37,6 +48,18 @@ static inline void atomic_set(atomic_t *
7235 }
7236
7237 /**
7238 + * atomic_set_unchecked - set atomic variable
7239 + * @v: pointer of type atomic_unchecked_t
7240 + * @i: required value
7241 + *
7242 + * Atomically sets the value of @v to @i.
7243 + */
7244 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
7245 +{
7246 + v->counter = i;
7247 +}
7248 +
7249 +/**
7250 * atomic_add - add integer to atomic variable
7251 * @i: integer value to add
7252 * @v: pointer of type atomic_t
7253 @@ -45,7 +68,29 @@ static inline void atomic_set(atomic_t *
7254 */
7255 static inline void atomic_add(int i, atomic_t *v)
7256 {
7257 - asm volatile(LOCK_PREFIX "addl %1,%0"
7258 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
7259 +
7260 +#ifdef CONFIG_PAX_REFCOUNT
7261 + "jno 0f\n"
7262 + LOCK_PREFIX "subl %1,%0\n"
7263 + "int $4\n0:\n"
7264 + _ASM_EXTABLE(0b, 0b)
7265 +#endif
7266 +
7267 + : "+m" (v->counter)
7268 + : "ir" (i));
7269 +}
7270 +
7271 +/**
7272 + * atomic_add_unchecked - add integer to atomic variable
7273 + * @i: integer value to add
7274 + * @v: pointer of type atomic_unchecked_t
7275 + *
7276 + * Atomically adds @i to @v.
7277 + */
7278 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
7279 +{
7280 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
7281 : "+m" (v->counter)
7282 : "ir" (i));
7283 }
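Review bot: The overflow sequence `jno 0f` / inverse operation / `int $4` / `_ASM_EXTABLE(0b, 0b)` appears here without a comment and is then copied into nine more functions in this file. A reader has to work out that it undoes the update on signed overflow and raises the overflow exception, with execution resuming at label `0`. I would add `/* on signed overflow: undo the add, raise #OF; execution resumes at 0: */` inside the `#ifdef`, and consider one helper macro that takes the undo instruction so the copies cannot drift apart.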
7284 @@ -59,7 +104,29 @@ static inline void atomic_add(int i, ato
7285 */
7286 static inline void atomic_sub(int i, atomic_t *v)
7287 {
7288 - asm volatile(LOCK_PREFIX "subl %1,%0"
7289 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
7290 +
7291 +#ifdef CONFIG_PAX_REFCOUNT
7292 + "jno 0f\n"
7293 + LOCK_PREFIX "addl %1,%0\n"
7294 + "int $4\n0:\n"
7295 + _ASM_EXTABLE(0b, 0b)
7296 +#endif
7297 +
7298 + : "+m" (v->counter)
7299 + : "ir" (i));
7300 +}
7301 +
7302 +/**
7303 + * atomic_sub_unchecked - subtract integer from atomic variable
7304 + * @i: integer value to subtract
7305 + * @v: pointer of type atomic_unchecked_t
7306 + *
7307 + * Atomically subtracts @i from @v.
7308 + */
7309 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
7310 +{
7311 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
7312 : "+m" (v->counter)
7313 : "ir" (i));
7314 }
7315 @@ -77,7 +144,16 @@ static inline int atomic_sub_and_test(in
7316 {
7317 unsigned char c;
7318
7319 - asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
7320 + asm volatile(LOCK_PREFIX "subl %2,%0\n"
7321 +
7322 +#ifdef CONFIG_PAX_REFCOUNT
7323 + "jno 0f\n"
7324 + LOCK_PREFIX "addl %2,%0\n"
7325 + "int $4\n0:\n"
7326 + _ASM_EXTABLE(0b, 0b)
7327 +#endif
7328 +
7329 + "sete %1\n"
7330 : "+m" (v->counter), "=qm" (c)
7331 : "ir" (i) : "memory");
7332 return c;
7333 @@ -91,7 +167,27 @@ static inline int atomic_sub_and_test(in
7334 */
7335 static inline void atomic_inc(atomic_t *v)
7336 {
7337 - asm volatile(LOCK_PREFIX "incl %0"
7338 + asm volatile(LOCK_PREFIX "incl %0\n"
7339 +
7340 +#ifdef CONFIG_PAX_REFCOUNT
7341 + "jno 0f\n"
7342 + LOCK_PREFIX "decl %0\n"
7343 + "int $4\n0:\n"
7344 + _ASM_EXTABLE(0b, 0b)
7345 +#endif
7346 +
7347 + : "+m" (v->counter));
7348 +}
7349 +
7350 +/**
7351 + * atomic_inc_unchecked - increment atomic variable
7352 + * @v: pointer of type atomic_unchecked_t
7353 + *
7354 + * Atomically increments @v by 1.
7355 + */
7356 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
7357 +{
7358 + asm volatile(LOCK_PREFIX "incl %0\n"
7359 : "+m" (v->counter));
7360 }
7361
7362 @@ -103,7 +199,27 @@ static inline void atomic_inc(atomic_t *
7363 */
7364 static inline void atomic_dec(atomic_t *v)
7365 {
7366 - asm volatile(LOCK_PREFIX "decl %0"
7367 + asm volatile(LOCK_PREFIX "decl %0\n"
7368 +
7369 +#ifdef CONFIG_PAX_REFCOUNT
7370 + "jno 0f\n"
7371 + LOCK_PREFIX "incl %0\n"
7372 + "int $4\n0:\n"
7373 + _ASM_EXTABLE(0b, 0b)
7374 +#endif
7375 +
7376 + : "+m" (v->counter));
7377 +}
7378 +
7379 +/**
7380 + * atomic_dec_unchecked - decrement atomic variable
7381 + * @v: pointer of type atomic_unchecked_t
7382 + *
7383 + * Atomically decrements @v by 1.
7384 + */
7385 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
7386 +{
7387 + asm volatile(LOCK_PREFIX "decl %0\n"
7388 : "+m" (v->counter));
7389 }
7390
7391 @@ -119,7 +235,16 @@ static inline int atomic_dec_and_test(at
7392 {
7393 unsigned char c;
7394
7395 - asm volatile(LOCK_PREFIX "decl %0; sete %1"
7396 + asm volatile(LOCK_PREFIX "decl %0\n"
7397 +
7398 +#ifdef CONFIG_PAX_REFCOUNT
7399 + "jno 0f\n"
7400 + LOCK_PREFIX "incl %0\n"
7401 + "int $4\n0:\n"
7402 + _ASM_EXTABLE(0b, 0b)
7403 +#endif
7404 +
7405 + "sete %1\n"
7406 : "+m" (v->counter), "=qm" (c)
7407 : : "memory");
7408 return c != 0;
7409 @@ -137,7 +262,35 @@ static inline int atomic_inc_and_test(at
7410 {
7411 unsigned char c;
7412
7413 - asm volatile(LOCK_PREFIX "incl %0; sete %1"
7414 + asm volatile(LOCK_PREFIX "incl %0\n"
7415 +
7416 +#ifdef CONFIG_PAX_REFCOUNT
7417 + "jno 0f\n"
7418 + LOCK_PREFIX "decl %0\n"
7419 + "into\n0:\n"
7420 + _ASM_EXTABLE(0b, 0b)
7421 +#endif
7422 +
7423 + "sete %1\n"
7424 + : "+m" (v->counter), "=qm" (c)
7425 + : : "memory");
7426 + return c != 0;
7427 +}
7428 +
7429 +/**
7430 + * atomic_inc_and_test_unchecked - increment and test
7431 + * @v: pointer of type atomic_unchecked_t
7432 + *
7433 + * Atomically increments @v by 1
7434 + * and returns true if the result is zero, or false for all
7435 + * other cases.
7436 + */
7437 +static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
7438 +{
7439 + unsigned char c;
7440 +
7441 + asm volatile(LOCK_PREFIX "incl %0\n"
7442 + "sete %1\n"
7443 : "+m" (v->counter), "=qm" (c)
7444 : : "memory");
7445 return c != 0;
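Review bot: `atomic_inc_and_test` raises the overflow trap with `into`, while every other checked helper in this file uses `int $4`. The two are not equivalent: `into` traps only if the overflow flag is still set after the undoing `decl`, which depends on the counter value at that moment, whereas `int $4` is unconditional once `jno` has fallen through. I would use `"int $4\n0:\n"` here as well, so the report cannot be lost when another CPU touches the counter in between.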
7446 @@ -156,7 +309,16 @@ static inline int atomic_add_negative(in
7447 {
7448 unsigned char c;
7449
7450 - asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
7451 + asm volatile(LOCK_PREFIX "addl %2,%0\n"
7452 +
7453 +#ifdef CONFIG_PAX_REFCOUNT
7454 + "jno 0f\n"
7455 + LOCK_PREFIX "subl %2,%0\n"
7456 + "int $4\n0:\n"
7457 + _ASM_EXTABLE(0b, 0b)
7458 +#endif
7459 +
7460 + "sets %1\n"
7461 : "+m" (v->counter), "=qm" (c)
7462 : "ir" (i) : "memory");
7463 return c;
7464 @@ -179,6 +341,46 @@ static inline int atomic_add_return(int
7465 #endif
7466 /* Modern 486+ processor */
7467 __i = i;
7468 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
7469 +
7470 +#ifdef CONFIG_PAX_REFCOUNT
7471 + "jno 0f\n"
7472 + "movl %0, %1\n"
7473 + "int $4\n0:\n"
7474 + _ASM_EXTABLE(0b, 0b)
7475 +#endif
7476 +
7477 + : "+r" (i), "+m" (v->counter)
7478 + : : "memory");
7479 + return i + __i;
7480 +
7481 +#ifdef CONFIG_M386
7482 +no_xadd: /* Legacy 386 processor */
7483 + local_irq_save(flags);
7484 + __i = atomic_read(v);
7485 + atomic_set(v, i + __i);
7486 + local_irq_restore(flags);
7487 + return i + __i;
7488 +#endif
7489 +}
7490 +
7491 +/**
7492 + * atomic_add_return_unchecked - add integer and return
7493 + * @v: pointer of type atomic_unchecked_t
7494 + * @i: integer value to add
7495 + *
7496 + * Atomically adds @i to @v and returns @i + @v
7497 + */
7498 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
7499 +{
7500 + int __i;
7501 +#ifdef CONFIG_M386
7502 + unsigned long flags;
7503 + if (unlikely(boot_cpu_data.x86 <= 3))
7504 + goto no_xadd;
7505 +#endif
7506 + /* Modern 486+ processor */
7507 + __i = i;
7508 asm volatile(LOCK_PREFIX "xaddl %0, %1"
7509 : "+r" (i), "+m" (v->counter)
7510 : : "memory");
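Review bot: In the overflow path of `atomic_add_return` the undo is a plain `movl %0, %1`, which stores the pre-add value back without `LOCK_PREFIX`, unlike the locked inverse operation used by the other helpers. Any update another CPU makes between the `xaddl` and this store would be overwritten. Passing the addend as an extra operand and undoing with a locked `subl` would keep the rollback a single atomic step; at minimum the store deserves a comment saying the window is accepted. The body of `atomic_add_return_unchecked` runs past the end of the hunk.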
7511 @@ -211,11 +413,21 @@ static inline int atomic_cmpxchg(atomic_
7512 return cmpxchg(&v->counter, old, new);
7513 }
7514
7515 +static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
7516 +{
7517 + return cmpxchg(&v->counter, old, new);
7518 +}
7519 +
7520 static inline int atomic_xchg(atomic_t *v, int new)
7521 {
7522 return xchg(&v->counter, new);
7523 }
7524
7525 +static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
7526 +{
7527 + return xchg(&v->counter, new);
7528 +}
7529 +
7530 /**
7531 * atomic_add_unless - add unless the number is already a given value
7532 * @v: pointer of type atomic_t
7533 @@ -227,22 +439,39 @@ static inline int atomic_xchg(atomic_t *
7534 */
7535 static inline int atomic_add_unless(atomic_t *v, int a, int u)
7536 {
7537 - int c, old;
7538 + int c, old, new;
7539 c = atomic_read(v);
7540 for (;;) {
7541 - if (unlikely(c == (u)))
7542 + if (unlikely(c == u))
7543 break;
7544 - old = atomic_cmpxchg((v), c, c + (a));
7545 +
7546 + asm volatile("addl %2,%0\n"
7547 +
7548 +#ifdef CONFIG_PAX_REFCOUNT
7549 + "jno 0f\n"
7550 + "subl %2,%0\n"
7551 + "int $4\n0:\n"
7552 + _ASM_EXTABLE(0b, 0b)
7553 +#endif
7554 +
7555 + : "=r" (new)
7556 + : "0" (c), "ir" (a));
7557 +
7558 + old = atomic_cmpxchg(v, c, new);
7559 if (likely(old == c))
7560 break;
7561 c = old;
7562 }
7563 - return c != (u);
7564 + return c != u;
7565 }
7566
7567 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
7568
7569 #define atomic_inc_return(v) (atomic_add_return(1, v))
7570 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
7571 +{
7572 + return atomic_add_return_unchecked(1, v);
7573 +}
7574 #define atomic_dec_return(v) (atomic_sub_return(1, v))
7575
7576 /* These are x86-specific, used by some header files */
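Review bot: When the `CONFIG_PAX_REFCOUNT` block in `atomic_add_unless` detects overflow it subtracts `a` again, so `new` equals `c`, and after the trap resumes at `0:` the `atomic_cmpxchg(v, c, new)` succeeds without changing the counter. The function then returns `c != u`, i.e. it reports that the add took place; through `atomic_inc_not_zero` the caller would believe it holds a reference that was never counted. Whether that matters depends on what the overflow handler does with the task, which is not visible here. A comment at the asm, `/* on overflow new == c: the cmpxchg is a no-op and the caller still sees success */`, would at least document it.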
7577 @@ -266,9 +495,18 @@ typedef struct {
7578 u64 __aligned(8) counter;
7579 } atomic64_t;
7580
7581 +#ifdef CONFIG_PAX_REFCOUNT
7582 +typedef struct {
7583 + u64 __aligned(8) counter;
7584 +} atomic64_unchecked_t;
7585 +#else
7586 +typedef atomic64_t atomic64_unchecked_t;
7587 +#endif
7588 +
7589 #define ATOMIC64_INIT(val) { (val) }
7590
7591 extern u64 atomic64_cmpxchg(atomic64_t *ptr, u64 old_val, u64 new_val);
7592 +extern u64 atomic64_cmpxchg_unchecked(atomic64_unchecked_t *ptr, u64 old_val, u64 new_val);
7593
7594 /**
7595 * atomic64_xchg - xchg atomic64 variable
7596 @@ -279,6 +517,7 @@ extern u64 atomic64_cmpxchg(atomic64_t *
7597 * the old value.
7598 */
7599 extern u64 atomic64_xchg(atomic64_t *ptr, u64 new_val);
7600 +extern u64 atomic64_xchg_unchecked(atomic64_unchecked_t *ptr, u64 new_val);
7601
7602 /**
7603 * atomic64_set - set atomic64 variable
7604 @@ -290,6 +529,15 @@ extern u64 atomic64_xchg(atomic64_t *ptr
7605 extern void atomic64_set(atomic64_t *ptr, u64 new_val);
7606
7607 /**
7608 + * atomic64_unchecked_set - set atomic64 variable
7609 + * @ptr: pointer to type atomic64_unchecked_t
7610 + * @new_val: value to assign
7611 + *
7612 + * Atomically sets the value of @ptr to @new_val.
7613 + */
7614 +extern void atomic64_set_unchecked(atomic64_unchecked_t *ptr, u64 new_val);
7615 +
7616 +/**
7617 * atomic64_read - read atomic64 variable
7618 * @ptr: pointer to type atomic64_t
7619 *
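Review bot: The kernel-doc header names `atomic64_unchecked_set`, but the function declared below it is `atomic64_set_unchecked`. kernel-doc matches a comment to its symbol by name, so this block would not attach to the declaration. The first line should read ` * atomic64_set_unchecked - set atomic64 variable`.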
7620 @@ -317,7 +565,33 @@ static inline u64 atomic64_read(atomic64
7621 return res;
7622 }
7623
7624 -extern u64 atomic64_read(atomic64_t *ptr);
7625 +/**
7626 + * atomic64_read_unchecked - read atomic64 variable
7627 + * @ptr: pointer to type atomic64_unchecked_t
7628 + *
7629 + * Atomically reads the value of @ptr and returns it.
7630 + */
7631 +static inline u64 atomic64_read_unchecked(atomic64_unchecked_t *ptr)
7632 +{
7633 + u64 res;
7634 +
7635 + /*
7636 + * Note, we inline this atomic64_unchecked_t primitive because
7637 + * it only clobbers EAX/EDX and leaves the others
7638 + * untouched. We also (somewhat subtly) rely on the
7639 + * fact that cmpxchg8b returns the current 64-bit value
7640 + * of the memory location we are touching:
7641 + */
7642 + asm volatile(
7643 + "mov %%ebx, %%eax\n\t"
7644 + "mov %%ecx, %%edx\n\t"
7645 + LOCK_PREFIX "cmpxchg8b %1\n"
7646 + : "=&A" (res)
7647 + : "m" (*ptr)
7648 + );
7649 +
7650 + return res;
7651 +}
7652
7653 /**
7654 * atomic64_add_return - add and return
7655 @@ -332,8 +606,11 @@ extern u64 atomic64_add_return(u64 delta
7656 * Other variants with different arithmetic operators:
7657 */
7658 extern u64 atomic64_sub_return(u64 delta, atomic64_t *ptr);
7659 +extern u64 atomic64_sub_return_unchecked(u64 delta, atomic64_unchecked_t *ptr);
7660 extern u64 atomic64_inc_return(atomic64_t *ptr);
7661 +extern u64 atomic64_inc_return_unchecked(atomic64_unchecked_t *ptr);
7662 extern u64 atomic64_dec_return(atomic64_t *ptr);
7663 +extern u64 atomic64_dec_return_unchecked(atomic64_unchecked_t *ptr);
7664
7665 /**
7666 * atomic64_add - add integer to atomic64 variable
7667 @@ -345,6 +622,15 @@ extern u64 atomic64_dec_return(atomic64_
7668 extern void atomic64_add(u64 delta, atomic64_t *ptr);
7669
7670 /**
7671 + * atomic64_add_unchecked - add integer to atomic64 variable
7672 + * @delta: integer value to add
7673 + * @ptr: pointer to type atomic64_unchecked_t
7674 + *
7675 + * Atomically adds @delta to @ptr.
7676 + */
7677 +extern void atomic64_add_unchecked(u64 delta, atomic64_unchecked_t *ptr);
7678 +
7679 +/**
7680 * atomic64_sub - subtract the atomic64 variable
7681 * @delta: integer value to subtract
7682 * @ptr: pointer to type atomic64_t
7683 @@ -354,6 +640,15 @@ extern void atomic64_add(u64 delta, atom
7684 extern void atomic64_sub(u64 delta, atomic64_t *ptr);
7685
7686 /**
7687 + * atomic64_sub_unchecked - subtract the atomic64 variable
7688 + * @delta: integer value to subtract
7689 + * @ptr: pointer to type atomic64_unchecked_t
7690 + *
7691 + * Atomically subtracts @delta from @ptr.
7692 + */
7693 +extern void atomic64_sub_unchecked(u64 delta, atomic64_unchecked_t *ptr);
7694 +
7695 +/**
7696 * atomic64_sub_and_test - subtract value from variable and test result
7697 * @delta: integer value to subtract
7698 * @ptr: pointer to type atomic64_t
7699 @@ -373,6 +668,14 @@ extern int atomic64_sub_and_test(u64 del
7700 extern void atomic64_inc(atomic64_t *ptr);
7701
7702 /**
7703 + * atomic64_inc_unchecked - increment atomic64 variable
7704 + * @ptr: pointer to type atomic64_unchecked_t
7705 + *
7706 + * Atomically increments @ptr by 1.
7707 + */
7708 +extern void atomic64_inc_unchecked(atomic64_unchecked_t *ptr);
7709 +
7710 +/**
7711 * atomic64_dec - decrement atomic64 variable
7712 * @ptr: pointer to type atomic64_t
7713 *
7714 @@ -381,6 +684,14 @@ extern void atomic64_inc(atomic64_t *ptr
7715 extern void atomic64_dec(atomic64_t *ptr);
7716
7717 /**
7718 + * atomic64_dec_unchecked - decrement atomic64 variable
7719 + * @ptr: pointer to type atomic64_unchecked_t
7720 + *
7721 + * Atomically decrements @ptr by 1.
7722 + */
7723 +extern void atomic64_dec_unchecked(atomic64_unchecked_t *ptr);
7724 +
7725 +/**
7726 * atomic64_dec_and_test - decrement and test
7727 * @ptr: pointer to type atomic64_t
7728 *
7729 diff -urNp linux-2.6.32.46/arch/x86/include/asm/atomic_64.h linux-2.6.32.46/arch/x86/include/asm/atomic_64.h
7730 --- linux-2.6.32.46/arch/x86/include/asm/atomic_64.h 2011-03-27 14:31:47.000000000 -0400
7731 +++ linux-2.6.32.46/arch/x86/include/asm/atomic_64.h 2011-05-04 18:35:31.000000000 -0400
7732 @@ -24,6 +24,17 @@ static inline int atomic_read(const atom
7733 }
7734
7735 /**
7736 + * atomic_read_unchecked - read atomic variable
7737 + * @v: pointer of type atomic_unchecked_t
7738 + *
7739 + * Atomically reads the value of @v.
7740 + */
7741 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
7742 +{
7743 + return v->counter;
7744 +}
7745 +
7746 +/**
7747 * atomic_set - set atomic variable
7748 * @v: pointer of type atomic_t
7749 * @i: required value
7750 @@ -36,6 +47,18 @@ static inline void atomic_set(atomic_t *
7751 }
7752
7753 /**
7754 + * atomic_set_unchecked - set atomic variable
7755 + * @v: pointer of type atomic_unchecked_t
7756 + * @i: required value
7757 + *
7758 + * Atomically sets the value of @v to @i.
7759 + */
7760 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
7761 +{
7762 + v->counter = i;
7763 +}
7764 +
7765 +/**
7766 * atomic_add - add integer to atomic variable
7767 * @i: integer value to add
7768 * @v: pointer of type atomic_t
7769 @@ -44,7 +67,29 @@ static inline void atomic_set(atomic_t *
7770 */
7771 static inline void atomic_add(int i, atomic_t *v)
7772 {
7773 - asm volatile(LOCK_PREFIX "addl %1,%0"
7774 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
7775 +
7776 +#ifdef CONFIG_PAX_REFCOUNT
7777 + "jno 0f\n"
7778 + LOCK_PREFIX "subl %1,%0\n"
7779 + "int $4\n0:\n"
7780 + _ASM_EXTABLE(0b, 0b)
7781 +#endif
7782 +
7783 + : "=m" (v->counter)
7784 + : "ir" (i), "m" (v->counter));
7785 +}
7786 +
7787 +/**
7788 + * atomic_add_unchecked - add integer to atomic variable
7789 + * @i: integer value to add
7790 + * @v: pointer of type atomic_unchecked_t
7791 + *
7792 + * Atomically adds @i to @v.
7793 + */
7794 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
7795 +{
7796 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
7797 : "=m" (v->counter)
7798 : "ir" (i), "m" (v->counter));
7799 }
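Review bot: The CONFIG_PAX_REFCOUNT sequence added to atomic_add (`jno 0f`, a locked `subl`, then `int $4`) has no comment, and the kernel-doc above the function still describes a plain add. Between the locked add and the locked undo the wrapped value sits in memory, so another CPU reading the counter in that window can observe it; if that is accepted by design it should be stated. I would add above the asm `/* signed overflow: undo the add, then raise the overflow exception (int $4) so it can be reported */` and a kernel-doc line saying the checked variant traps on overflow while atomic_add_unchecked wraps. The same applies to the atomic_sub, atomic_sub_and_test, atomic_inc, atomic_dec, atomic_dec_and_test, atomic_inc_and_test and atomic_add_negative hunks and to their atomic64 counterparts later in this file.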
7800 @@ -58,7 +103,29 @@ static inline void atomic_add(int i, ato
7801 */
7802 static inline void atomic_sub(int i, atomic_t *v)
7803 {
7804 - asm volatile(LOCK_PREFIX "subl %1,%0"
7805 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
7806 +
7807 +#ifdef CONFIG_PAX_REFCOUNT
7808 + "jno 0f\n"
7809 + LOCK_PREFIX "addl %1,%0\n"
7810 + "int $4\n0:\n"
7811 + _ASM_EXTABLE(0b, 0b)
7812 +#endif
7813 +
7814 + : "=m" (v->counter)
7815 + : "ir" (i), "m" (v->counter));
7816 +}
7817 +
7818 +/**
7819 + * atomic_sub_unchecked - subtract the atomic variable
7820 + * @i: integer value to subtract
7821 + * @v: pointer of type atomic_unchecked_t
7822 + *
7823 + * Atomically subtracts @i from @v.
7824 + */
7825 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
7826 +{
7827 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
7828 : "=m" (v->counter)
7829 : "ir" (i), "m" (v->counter));
7830 }
7831 @@ -76,7 +143,16 @@ static inline int atomic_sub_and_test(in
7832 {
7833 unsigned char c;
7834
7835 - asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
7836 + asm volatile(LOCK_PREFIX "subl %2,%0\n"
7837 +
7838 +#ifdef CONFIG_PAX_REFCOUNT
7839 + "jno 0f\n"
7840 + LOCK_PREFIX "addl %2,%0\n"
7841 + "int $4\n0:\n"
7842 + _ASM_EXTABLE(0b, 0b)
7843 +#endif
7844 +
7845 + "sete %1\n"
7846 : "=m" (v->counter), "=qm" (c)
7847 : "ir" (i), "m" (v->counter) : "memory");
7848 return c;
7849 @@ -90,7 +166,28 @@ static inline int atomic_sub_and_test(in
7850 */
7851 static inline void atomic_inc(atomic_t *v)
7852 {
7853 - asm volatile(LOCK_PREFIX "incl %0"
7854 + asm volatile(LOCK_PREFIX "incl %0\n"
7855 +
7856 +#ifdef CONFIG_PAX_REFCOUNT
7857 + "jno 0f\n"
7858 + LOCK_PREFIX "decl %0\n"
7859 + "int $4\n0:\n"
7860 + _ASM_EXTABLE(0b, 0b)
7861 +#endif
7862 +
7863 + : "=m" (v->counter)
7864 + : "m" (v->counter));
7865 +}
7866 +
7867 +/**
7868 + * atomic_inc_unchecked - increment atomic variable
7869 + * @v: pointer of type atomic_unchecked_t
7870 + *
7871 + * Atomically increments @v by 1.
7872 + */
7873 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
7874 +{
7875 + asm volatile(LOCK_PREFIX "incl %0\n"
7876 : "=m" (v->counter)
7877 : "m" (v->counter));
7878 }
7879 @@ -103,7 +200,28 @@ static inline void atomic_inc(atomic_t *
7880 */
7881 static inline void atomic_dec(atomic_t *v)
7882 {
7883 - asm volatile(LOCK_PREFIX "decl %0"
7884 + asm volatile(LOCK_PREFIX "decl %0\n"
7885 +
7886 +#ifdef CONFIG_PAX_REFCOUNT
7887 + "jno 0f\n"
7888 + LOCK_PREFIX "incl %0\n"
7889 + "int $4\n0:\n"
7890 + _ASM_EXTABLE(0b, 0b)
7891 +#endif
7892 +
7893 + : "=m" (v->counter)
7894 + : "m" (v->counter));
7895 +}
7896 +
7897 +/**
7898 + * atomic_dec_unchecked - decrement atomic variable
7899 + * @v: pointer of type atomic_unchecked_t
7900 + *
7901 + * Atomically decrements @v by 1.
7902 + */
7903 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
7904 +{
7905 + asm volatile(LOCK_PREFIX "decl %0\n"
7906 : "=m" (v->counter)
7907 : "m" (v->counter));
7908 }
7909 @@ -120,7 +238,16 @@ static inline int atomic_dec_and_test(at
7910 {
7911 unsigned char c;
7912
7913 - asm volatile(LOCK_PREFIX "decl %0; sete %1"
7914 + asm volatile(LOCK_PREFIX "decl %0\n"
7915 +
7916 +#ifdef CONFIG_PAX_REFCOUNT
7917 + "jno 0f\n"
7918 + LOCK_PREFIX "incl %0\n"
7919 + "int $4\n0:\n"
7920 + _ASM_EXTABLE(0b, 0b)
7921 +#endif
7922 +
7923 + "sete %1\n"
7924 : "=m" (v->counter), "=qm" (c)
7925 : "m" (v->counter) : "memory");
7926 return c != 0;
7927 @@ -138,7 +265,35 @@ static inline int atomic_inc_and_test(at
7928 {
7929 unsigned char c;
7930
7931 - asm volatile(LOCK_PREFIX "incl %0; sete %1"
7932 + asm volatile(LOCK_PREFIX "incl %0\n"
7933 +
7934 +#ifdef CONFIG_PAX_REFCOUNT
7935 + "jno 0f\n"
7936 + LOCK_PREFIX "decl %0\n"
7937 + "int $4\n0:\n"
7938 + _ASM_EXTABLE(0b, 0b)
7939 +#endif
7940 +
7941 + "sete %1\n"
7942 + : "=m" (v->counter), "=qm" (c)
7943 + : "m" (v->counter) : "memory");
7944 + return c != 0;
7945 +}
7946 +
7947 +/**
7948 + * atomic_inc_and_test_unchecked - increment and test
7949 + * @v: pointer of type atomic_unchecked_t
7950 + *
7951 + * Atomically increments @v by 1
7952 + * and returns true if the result is zero, or false for all
7953 + * other cases.
7954 + */
7955 +static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
7956 +{
7957 + unsigned char c;
7958 +
7959 + asm volatile(LOCK_PREFIX "incl %0\n"
7960 + "sete %1\n"
7961 : "=m" (v->counter), "=qm" (c)
7962 : "m" (v->counter) : "memory");
7963 return c != 0;
7964 @@ -157,7 +312,16 @@ static inline int atomic_add_negative(in
7965 {
7966 unsigned char c;
7967
7968 - asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
7969 + asm volatile(LOCK_PREFIX "addl %2,%0\n"
7970 +
7971 +#ifdef CONFIG_PAX_REFCOUNT
7972 + "jno 0f\n"
7973 + LOCK_PREFIX "subl %2,%0\n"
7974 + "int $4\n0:\n"
7975 + _ASM_EXTABLE(0b, 0b)
7976 +#endif
7977 +
7978 + "sets %1\n"
7979 : "=m" (v->counter), "=qm" (c)
7980 : "ir" (i), "m" (v->counter) : "memory");
7981 return c;
7982 @@ -173,7 +337,31 @@ static inline int atomic_add_negative(in
7983 static inline int atomic_add_return(int i, atomic_t *v)
7984 {
7985 int __i = i;
7986 - asm volatile(LOCK_PREFIX "xaddl %0, %1"
7987 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
7988 +
7989 +#ifdef CONFIG_PAX_REFCOUNT
7990 + "jno 0f\n"
7991 + "movl %0, %1\n"
7992 + "int $4\n0:\n"
7993 + _ASM_EXTABLE(0b, 0b)
7994 +#endif
7995 +
7996 + : "+r" (i), "+m" (v->counter)
7997 + : : "memory");
7998 + return i + __i;
7999 +}
8000 +
8001 +/**
8002 + * atomic_add_return_unchecked - add and return
8003 + * @i: integer value to add
8004 + * @v: pointer of type atomic_unchecked_t
8005 + *
8006 + * Atomically adds @i to @v and returns @i + @v
8007 + */
8008 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
8009 +{
8010 + int __i = i;
8011 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
8012 : "+r" (i), "+m" (v->counter)
8013 : : "memory");
8014 return i + __i;
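Review bot: In atomic_add_return the overflow path undoes the `xaddl` with a plain `movl %0, %1`, which stores the pre-add value back without a lock prefix and overwrites any update another CPU made after the `xaddl`. The add/sub hunks above undo with a locked inverse operation instead. After `xaddl` the register `%0` no longer holds the addend, so a locked `subl` would need an extra operand; failing that, a comment should say why the lossy store is acceptable. If execution resumes at label 0, as the `_ASM_EXTABLE(0b, 0b)` entry suggests, the function still returns `i + __i`, the wrapped sum, and callers should be told what to expect. atomic64_add_return further down uses the same `movq %0, %1` pattern.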
8015 @@ -185,6 +373,10 @@ static inline int atomic_sub_return(int
8016 }
8017
8018 #define atomic_inc_return(v) (atomic_add_return(1, v))
8019 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
8020 +{
8021 + return atomic_add_return_unchecked(1, v);
8022 +}
8023 #define atomic_dec_return(v) (atomic_sub_return(1, v))
8024
8025 /* The 64-bit atomic type */
8026 @@ -204,6 +396,18 @@ static inline long atomic64_read(const a
8027 }
8028
8029 /**
8030 + * atomic64_read_unchecked - read atomic64 variable
8031 + * @v: pointer of type atomic64_unchecked_t
8032 + *
8033 + * Atomically reads the value of @v.
8034 + * Doesn't imply a read memory barrier.
8035 + */
8036 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
8037 +{
8038 + return v->counter;
8039 +}
8040 +
8041 +/**
8042 * atomic64_set - set atomic64 variable
8043 * @v: pointer to type atomic64_t
8044 * @i: required value
8045 @@ -216,6 +420,18 @@ static inline void atomic64_set(atomic64
8046 }
8047
8048 /**
8049 + * atomic64_set_unchecked - set atomic64 variable
8050 + * @v: pointer to type atomic64_unchecked_t
8051 + * @i: required value
8052 + *
8053 + * Atomically sets the value of @v to @i.
8054 + */
8055 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
8056 +{
8057 + v->counter = i;
8058 +}
8059 +
8060 +/**
8061 * atomic64_add - add integer to atomic64 variable
8062 * @i: integer value to add
8063 * @v: pointer to type atomic64_t
8064 @@ -224,6 +440,28 @@ static inline void atomic64_set(atomic64
8065 */
8066 static inline void atomic64_add(long i, atomic64_t *v)
8067 {
8068 + asm volatile(LOCK_PREFIX "addq %1,%0\n"
8069 +
8070 +#ifdef CONFIG_PAX_REFCOUNT
8071 + "jno 0f\n"
8072 + LOCK_PREFIX "subq %1,%0\n"
8073 + "int $4\n0:\n"
8074 + _ASM_EXTABLE(0b, 0b)
8075 +#endif
8076 +
8077 + : "=m" (v->counter)
8078 + : "er" (i), "m" (v->counter));
8079 +}
8080 +
8081 +/**
8082 + * atomic64_add_unchecked - add integer to atomic64 variable
8083 + * @i: integer value to add
8084 + * @v: pointer to type atomic64_unchecked_t
8085 + *
8086 + * Atomically adds @i to @v.
8087 + */
8088 +static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
8089 +{
8090 asm volatile(LOCK_PREFIX "addq %1,%0"
8091 : "=m" (v->counter)
8092 : "er" (i), "m" (v->counter));
8093 @@ -238,7 +476,15 @@ static inline void atomic64_add(long i,
8094 */
8095 static inline void atomic64_sub(long i, atomic64_t *v)
8096 {
8097 - asm volatile(LOCK_PREFIX "subq %1,%0"
8098 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
8099 +
8100 +#ifdef CONFIG_PAX_REFCOUNT
8101 + "jno 0f\n"
8102 + LOCK_PREFIX "addq %1,%0\n"
8103 + "int $4\n0:\n"
8104 + _ASM_EXTABLE(0b, 0b)
8105 +#endif
8106 +
8107 : "=m" (v->counter)
8108 : "er" (i), "m" (v->counter));
8109 }
8110 @@ -256,7 +502,16 @@ static inline int atomic64_sub_and_test(
8111 {
8112 unsigned char c;
8113
8114 - asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
8115 + asm volatile(LOCK_PREFIX "subq %2,%0\n"
8116 +
8117 +#ifdef CONFIG_PAX_REFCOUNT
8118 + "jno 0f\n"
8119 + LOCK_PREFIX "addq %2,%0\n"
8120 + "int $4\n0:\n"
8121 + _ASM_EXTABLE(0b, 0b)
8122 +#endif
8123 +
8124 + "sete %1\n"
8125 : "=m" (v->counter), "=qm" (c)
8126 : "er" (i), "m" (v->counter) : "memory");
8127 return c;
8128 @@ -270,6 +525,27 @@ static inline int atomic64_sub_and_test(
8129 */
8130 static inline void atomic64_inc(atomic64_t *v)
8131 {
8132 + asm volatile(LOCK_PREFIX "incq %0\n"
8133 +
8134 +#ifdef CONFIG_PAX_REFCOUNT
8135 + "jno 0f\n"
8136 + LOCK_PREFIX "decq %0\n"
8137 + "int $4\n0:\n"
8138 + _ASM_EXTABLE(0b, 0b)
8139 +#endif
8140 +
8141 + : "=m" (v->counter)
8142 + : "m" (v->counter));
8143 +}
8144 +
8145 +/**
8146 + * atomic64_inc_unchecked - increment atomic64 variable
8147 + * @v: pointer to type atomic64_unchecked_t
8148 + *
8149 + * Atomically increments @v by 1.
8150 + */
8151 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
8152 +{
8153 asm volatile(LOCK_PREFIX "incq %0"
8154 : "=m" (v->counter)
8155 : "m" (v->counter));
8156 @@ -283,7 +559,28 @@ static inline void atomic64_inc(atomic64
8157 */
8158 static inline void atomic64_dec(atomic64_t *v)
8159 {
8160 - asm volatile(LOCK_PREFIX "decq %0"
8161 + asm volatile(LOCK_PREFIX "decq %0\n"
8162 +
8163 +#ifdef CONFIG_PAX_REFCOUNT
8164 + "jno 0f\n"
8165 + LOCK_PREFIX "incq %0\n"
8166 + "int $4\n0:\n"
8167 + _ASM_EXTABLE(0b, 0b)
8168 +#endif
8169 +
8170 + : "=m" (v->counter)
8171 + : "m" (v->counter));
8172 +}
8173 +
8174 +/**
8175 + * atomic64_dec_unchecked - decrement atomic64 variable
8176 + * @v: pointer to type atomic64_t
8177 + *
8178 + * Atomically decrements @v by 1.
8179 + */
8180 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
8181 +{
8182 + asm volatile(LOCK_PREFIX "decq %0\n"
8183 : "=m" (v->counter)
8184 : "m" (v->counter));
8185 }
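Review bot: The kernel-doc added for atomic64_dec_unchecked says `@v: pointer to type atomic64_t`, but the function takes `atomic64_unchecked_t *`. It should read `@v: pointer to type atomic64_unchecked_t`, matching the other _unchecked comments in this file.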
8186 @@ -300,7 +597,16 @@ static inline int atomic64_dec_and_test(
8187 {
8188 unsigned char c;
8189
8190 - asm volatile(LOCK_PREFIX "decq %0; sete %1"
8191 + asm volatile(LOCK_PREFIX "decq %0\n"
8192 +
8193 +#ifdef CONFIG_PAX_REFCOUNT
8194 + "jno 0f\n"
8195 + LOCK_PREFIX "incq %0\n"
8196 + "int $4\n0:\n"
8197 + _ASM_EXTABLE(0b, 0b)
8198 +#endif
8199 +
8200 + "sete %1\n"
8201 : "=m" (v->counter), "=qm" (c)
8202 : "m" (v->counter) : "memory");
8203 return c != 0;
8204 @@ -318,7 +624,16 @@ static inline int atomic64_inc_and_test(
8205 {
8206 unsigned char c;
8207
8208 - asm volatile(LOCK_PREFIX "incq %0; sete %1"
8209 + asm volatile(LOCK_PREFIX "incq %0\n"
8210 +
8211 +#ifdef CONFIG_PAX_REFCOUNT
8212 + "jno 0f\n"
8213 + LOCK_PREFIX "decq %0\n"
8214 + "int $4\n0:\n"
8215 + _ASM_EXTABLE(0b, 0b)
8216 +#endif
8217 +
8218 + "sete %1\n"
8219 : "=m" (v->counter), "=qm" (c)
8220 : "m" (v->counter) : "memory");
8221 return c != 0;
8222 @@ -337,7 +652,16 @@ static inline int atomic64_add_negative(
8223 {
8224 unsigned char c;
8225
8226 - asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
8227 + asm volatile(LOCK_PREFIX "addq %2,%0\n"
8228 +
8229 +#ifdef CONFIG_PAX_REFCOUNT
8230 + "jno 0f\n"
8231 + LOCK_PREFIX "subq %2,%0\n"
8232 + "int $4\n0:\n"
8233 + _ASM_EXTABLE(0b, 0b)
8234 +#endif
8235 +
8236 + "sets %1\n"
8237 : "=m" (v->counter), "=qm" (c)
8238 : "er" (i), "m" (v->counter) : "memory");
8239 return c;
8240 @@ -353,7 +677,31 @@ static inline int atomic64_add_negative(
8241 static inline long atomic64_add_return(long i, atomic64_t *v)
8242 {
8243 long __i = i;
8244 - asm volatile(LOCK_PREFIX "xaddq %0, %1;"
8245 + asm volatile(LOCK_PREFIX "xaddq %0, %1\n"
8246 +
8247 +#ifdef CONFIG_PAX_REFCOUNT
8248 + "jno 0f\n"
8249 + "movq %0, %1\n"
8250 + "int $4\n0:\n"
8251 + _ASM_EXTABLE(0b, 0b)
8252 +#endif
8253 +
8254 + : "+r" (i), "+m" (v->counter)
8255 + : : "memory");
8256 + return i + __i;
8257 +}
8258 +
8259 +/**
8260 + * atomic64_add_return_unchecked - add and return
8261 + * @i: integer value to add
8262 + * @v: pointer to type atomic64_unchecked_t
8263 + *
8264 + * Atomically adds @i to @v and returns @i + @v
8265 + */
8266 +static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
8267 +{
8268 + long __i = i;
8269 + asm volatile(LOCK_PREFIX "xaddq %0, %1"
8270 : "+r" (i), "+m" (v->counter)
8271 : : "memory");
8272 return i + __i;
8273 @@ -365,6 +713,10 @@ static inline long atomic64_sub_return(l
8274 }
8275
8276 #define atomic64_inc_return(v) (atomic64_add_return(1, (v)))
8277 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
8278 +{
8279 + return atomic64_add_return_unchecked(1, v);
8280 +}
8281 #define atomic64_dec_return(v) (atomic64_sub_return(1, (v)))
8282
8283 static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
8284 @@ -372,21 +724,41 @@ static inline long atomic64_cmpxchg(atom
8285 return cmpxchg(&v->counter, old, new);
8286 }
8287
8288 +static inline long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long old, long new)
8289 +{
8290 + return cmpxchg(&v->counter, old, new);
8291 +}
8292 +
8293 static inline long atomic64_xchg(atomic64_t *v, long new)
8294 {
8295 return xchg(&v->counter, new);
8296 }
8297
8298 +static inline long atomic64_xchg_unchecked(atomic64_unchecked_t *v, long new)
8299 +{
8300 + return xchg(&v->counter, new);
8301 +}
8302 +
8303 static inline long atomic_cmpxchg(atomic_t *v, int old, int new)
8304 {
8305 return cmpxchg(&v->counter, old, new);
8306 }
8307
8308 +static inline long atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
8309 +{
8310 + return cmpxchg(&v->counter, old, new);
8311 +}
8312 +
8313 static inline long atomic_xchg(atomic_t *v, int new)
8314 {
8315 return xchg(&v->counter, new);
8316 }
8317
8318 +static inline long atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
8319 +{
8320 + return xchg(&v->counter, new);
8321 +}
8322 +
8323 /**
8324 * atomic_add_unless - add unless the number is a given value
8325 * @v: pointer of type atomic_t
8326 @@ -398,17 +770,30 @@ static inline long atomic_xchg(atomic_t
8327 */
8328 static inline int atomic_add_unless(atomic_t *v, int a, int u)
8329 {
8330 - int c, old;
8331 + int c, old, new;
8332 c = atomic_read(v);
8333 for (;;) {
8334 - if (unlikely(c == (u)))
8335 + if (unlikely(c == u))
8336 break;
8337 - old = atomic_cmpxchg((v), c, c + (a));
8338 +
8339 + asm volatile("addl %2,%0\n"
8340 +
8341 +#ifdef CONFIG_PAX_REFCOUNT
8342 + "jno 0f\n"
8343 + "subl %2,%0\n"
8344 + "int $4\n0:\n"
8345 + _ASM_EXTABLE(0b, 0b)
8346 +#endif
8347 +
8348 + : "=r" (new)
8349 + : "0" (c), "ir" (a));
8350 +
8351 + old = atomic_cmpxchg(v, c, new);
8352 if (likely(old == c))
8353 break;
8354 c = old;
8355 }
8356 - return c != (u);
8357 + return c != u;
8358 }
8359
8360 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
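Review bot: In atomic_add_unless the overflow path leaves `new == c` (the `subl` undoes the `addl`), yet the loop still runs `atomic_cmpxchg(v, c, new)`, which succeeds as a no-op, and the function then returns `c != u`, i.e. non-zero. A caller such as atomic_inc_not_zero would see success without the counter having moved, unless the `int $4` handler never lets this context continue, which is not visible here. That dependency should be written down above the asm, e.g. `/* on overflow new is reset to c; the int $4 handler is expected to stop this context */`. atomic64_add_unless in the next hunk has the same shape.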
8361 @@ -424,17 +809,30 @@ static inline int atomic_add_unless(atom
8362 */
8363 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
8364 {
8365 - long c, old;
8366 + long c, old, new;
8367 c = atomic64_read(v);
8368 for (;;) {
8369 - if (unlikely(c == (u)))
8370 + if (unlikely(c == u))
8371 break;
8372 - old = atomic64_cmpxchg((v), c, c + (a));
8373 +
8374 + asm volatile("addq %2,%0\n"
8375 +
8376 +#ifdef CONFIG_PAX_REFCOUNT
8377 + "jno 0f\n"
8378 + "subq %2,%0\n"
8379 + "int $4\n0:\n"
8380 + _ASM_EXTABLE(0b, 0b)
8381 +#endif
8382 +
8383 + : "=r" (new)
8384 + : "0" (c), "er" (a));
8385 +
8386 + old = atomic64_cmpxchg(v, c, new);
8387 if (likely(old == c))
8388 break;
8389 c = old;
8390 }
8391 - return c != (u);
8392 + return c != u;
8393 }
8394
8395 /**
8396 diff -urNp linux-2.6.32.46/arch/x86/include/asm/bitops.h linux-2.6.32.46/arch/x86/include/asm/bitops.h
8397 --- linux-2.6.32.46/arch/x86/include/asm/bitops.h 2011-03-27 14:31:47.000000000 -0400
8398 +++ linux-2.6.32.46/arch/x86/include/asm/bitops.h 2011-04-17 15:56:46.000000000 -0400
8399 @@ -38,7 +38,7 @@
8400 * a mask operation on a byte.
8401 */
8402 #define IS_IMMEDIATE(nr) (__builtin_constant_p(nr))
8403 -#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((void *)(addr) + ((nr)>>3))
8404 +#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((volatile void *)(addr) + ((nr)>>3))
8405 #define CONST_MASK(nr) (1 << ((nr) & 7))
8406
8407 /**
8408 diff -urNp linux-2.6.32.46/arch/x86/include/asm/boot.h linux-2.6.32.46/arch/x86/include/asm/boot.h
8409 --- linux-2.6.32.46/arch/x86/include/asm/boot.h 2011-03-27 14:31:47.000000000 -0400
8410 +++ linux-2.6.32.46/arch/x86/include/asm/boot.h 2011-04-17 15:56:46.000000000 -0400
8411 @@ -11,10 +11,15 @@
8412 #include <asm/pgtable_types.h>
8413
8414 /* Physical address where kernel should be loaded. */
8415 -#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
8416 +#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
8417 + (CONFIG_PHYSICAL_ALIGN - 1)) \
8418 & ~(CONFIG_PHYSICAL_ALIGN - 1))
8419
8420 +#ifndef __ASSEMBLY__
8421 +extern unsigned char __LOAD_PHYSICAL_ADDR[];
8422 +#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
8423 +#endif
8424 +
8425 /* Minimum kernel alignment, as a power of two */
8426 #ifdef CONFIG_X86_64
8427 #define MIN_KERNEL_ALIGN_LG2 PMD_SHIFT
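Review bot: LOAD_PHYSICAL_ADDR is now defined only under `#ifndef __ASSEMBLY__`, so any assembly or linker-script user of the old macro gets no definition from this header. Whether those users are switched to `____LOAD_PHYSICAL_ADDR` elsewhere in the patch is not visible in this hunk. The four-underscore name is also easy to confuse with the `__LOAD_PHYSICAL_ADDR` symbol declared a few lines below. A comment above the macro, such as `/* compile-time value; C code reads the (presumably linker-provided) __LOAD_PHYSICAL_ADDR symbol instead */`, would make the split clear.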
8428 diff -urNp linux-2.6.32.46/arch/x86/include/asm/cacheflush.h linux-2.6.32.46/arch/x86/include/asm/cacheflush.h
8429 --- linux-2.6.32.46/arch/x86/include/asm/cacheflush.h 2011-03-27 14:31:47.000000000 -0400
8430 +++ linux-2.6.32.46/arch/x86/include/asm/cacheflush.h 2011-04-17 15:56:46.000000000 -0400
8431 @@ -60,7 +60,7 @@ PAGEFLAG(WC, WC)
8432 static inline unsigned long get_page_memtype(struct page *pg)
8433 {
8434 if (!PageUncached(pg) && !PageWC(pg))
8435 - return -1;
8436 + return ~0UL;
8437 else if (!PageUncached(pg) && PageWC(pg))
8438 return _PAGE_CACHE_WC;
8439 else if (PageUncached(pg) && !PageWC(pg))
8440 @@ -85,7 +85,7 @@ static inline void set_page_memtype(stru
8441 SetPageWC(pg);
8442 break;
8443 default:
8444 - case -1:
8445 + case ~0UL:
8446 ClearPageUncached(pg);
8447 ClearPageWC(pg);
8448 break;
8449 diff -urNp linux-2.6.32.46/arch/x86/include/asm/cache.h linux-2.6.32.46/arch/x86/include/asm/cache.h
8450 --- linux-2.6.32.46/arch/x86/include/asm/cache.h 2011-03-27 14:31:47.000000000 -0400
8451 +++ linux-2.6.32.46/arch/x86/include/asm/cache.h 2011-07-06 19:53:33.000000000 -0400
8452 @@ -5,9 +5,10 @@
8453
8454 /* L1 cache line size */
8455 #define L1_CACHE_SHIFT (CONFIG_X86_L1_CACHE_SHIFT)
8456 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
8457 +#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
8458
8459 #define __read_mostly __attribute__((__section__(".data.read_mostly")))
8460 +#define __read_only __attribute__((__section__(".data.read_only")))
8461
8462 #ifdef CONFIG_X86_VSMP
8463 /* vSMP Internode cacheline shift */
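Review bot: `__read_only` is introduced without a comment saying what makes `.data.read_only` read-only or from which point writes to such variables fault. `__read_mostly` on the line above is only a placement hint, so readers may assume the new attribute is one too. A one-line comment, e.g. `/* placed in a section the kernel write-protects; see the linker script */`, would help, with the exact condition filled in by someone who knows it. Separately, `_AC()` comes from linux/const.h, and this hunk does not show that header being included here.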
8464 diff -urNp linux-2.6.32.46/arch/x86/include/asm/calling.h linux-2.6.32.46/arch/x86/include/asm/calling.h
8465 --- linux-2.6.32.46/arch/x86/include/asm/calling.h 2011-03-27 14:31:47.000000000 -0400
8466 +++ linux-2.6.32.46/arch/x86/include/asm/calling.h 2011-10-06 10:08:42.000000000 -0400
8467 @@ -52,32 +52,32 @@ For 32-bit we have the following convent
8468 * for assembly code:
8469 */
8470
8471 -#define R15 0
8472 -#define R14 8
8473 -#define R13 16
8474 -#define R12 24
8475 -#define RBP 32
8476 -#define RBX 40
8477 +#define R15 (0)
8478 +#define R14 (8)
8479 +#define R13 (16)
8480 +#define R12 (24)
8481 +#define RBP (32)
8482 +#define RBX (40)
8483
8484 /* arguments: interrupts/non tracing syscalls only save up to here: */
8485 -#define R11 48
8486 -#define R10 56
8487 -#define R9 64
8488 -#define R8 72
8489 -#define RAX 80
8490 -#define RCX 88
8491 -#define RDX 96
8492 -#define RSI 104
8493 -#define RDI 112
8494 -#define ORIG_RAX 120 /* + error_code */
8495 +#define R11 (48)
8496 +#define R10 (56)
8497 +#define R9 (64)
8498 +#define R8 (72)
8499 +#define RAX (80)
8500 +#define RCX (88)
8501 +#define RDX (96)
8502 +#define RSI (104)
8503 +#define RDI (112)
8504 +#define ORIG_RAX (120) /* + error_code */
8505 /* end of arguments */
8506
8507 /* cpu exception frame or undefined in case of fast syscall: */
8508 -#define RIP 128
8509 -#define CS 136
8510 -#define EFLAGS 144
8511 -#define RSP 152
8512 -#define SS 160
8513 +#define RIP (128)
8514 +#define CS (136)
8515 +#define EFLAGS (144)
8516 +#define RSP (152)
8517 +#define SS (160)
8518
8519 #define ARGOFFSET R11
8520 #define SWFRAME ORIG_RAX
8521 diff -urNp linux-2.6.32.46/arch/x86/include/asm/checksum_32.h linux-2.6.32.46/arch/x86/include/asm/checksum_32.h
8522 --- linux-2.6.32.46/arch/x86/include/asm/checksum_32.h 2011-03-27 14:31:47.000000000 -0400
8523 +++ linux-2.6.32.46/arch/x86/include/asm/checksum_32.h 2011-04-17 15:56:46.000000000 -0400
8524 @@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene
8525 int len, __wsum sum,
8526 int *src_err_ptr, int *dst_err_ptr);
8527
8528 +asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
8529 + int len, __wsum sum,
8530 + int *src_err_ptr, int *dst_err_ptr);
8531 +
8532 +asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
8533 + int len, __wsum sum,
8534 + int *src_err_ptr, int *dst_err_ptr);
8535 +
8536 /*
8537 * Note: when you get a NULL pointer exception here this means someone
8538 * passed in an incorrect kernel address to one of these functions.
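Review bot: The two new prototypes, csum_partial_copy_generic_to_user and csum_partial_copy_generic_from_user, take plain `void *` on the user side, so the direction is encoded only in the name and callers keep their `(__force void *)` casts. Declaring the user-side pointer as `void __user *dst` in the _to_user variant and `const void __user *src` in the _from_user variant would let sparse check the address space at the call sites in the next two hunks. A short comment saying how the variants differ from csum_partial_copy_generic is also missing.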
8539 @@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f
8540 int *err_ptr)
8541 {
8542 might_sleep();
8543 - return csum_partial_copy_generic((__force void *)src, dst,
8544 + return csum_partial_copy_generic_from_user((__force void *)src, dst,
8545 len, sum, err_ptr, NULL);
8546 }
8547
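Review bot: The visible body of csum_partial_copy_from_user goes straight from `might_sleep()` to csum_partial_copy_generic_from_user without an `access_ok(VERIFY_READ, src, len)` check, whereas csum_and_copy_to_user in the next hunk checks `access_ok(VERIFY_WRITE, dst, len)` first. If callers are required to validate `src` themselves, a comment stating that contract belongs here; otherwise the range check should be added before the call. The function's signature begins outside this hunk.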
8548 @@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_us
8549 {
8550 might_sleep();
8551 if (access_ok(VERIFY_WRITE, dst, len))
8552 - return csum_partial_copy_generic(src, (__force void *)dst,
8553 + return csum_partial_copy_generic_to_user(src, (__force void *)dst,
8554 len, sum, NULL, err_ptr);
8555
8556 if (len)
8557 diff -urNp linux-2.6.32.46/arch/x86/include/asm/desc_defs.h linux-2.6.32.46/arch/x86/include/asm/desc_defs.h
8558 --- linux-2.6.32.46/arch/x86/include/asm/desc_defs.h 2011-03-27 14:31:47.000000000 -0400
8559 +++ linux-2.6.32.46/arch/x86/include/asm/desc_defs.h 2011-04-17 15:56:46.000000000 -0400
8560 @@ -31,6 +31,12 @@ struct desc_struct {
8561 unsigned base1: 8, type: 4, s: 1, dpl: 2, p: 1;
8562 unsigned limit: 4, avl: 1, l: 1, d: 1, g: 1, base2: 8;
8563 };
8564 + struct {
8565 + u16 offset_low;
8566 + u16 seg;
8567 + unsigned reserved: 8, type: 4, s: 1, dpl: 2, p: 1;
8568 + unsigned offset_high: 16;
8569 + } gate;
8570 };
8571 } __attribute__((packed));
8572
8573 diff -urNp linux-2.6.32.46/arch/x86/include/asm/desc.h linux-2.6.32.46/arch/x86/include/asm/desc.h
8574 --- linux-2.6.32.46/arch/x86/include/asm/desc.h 2011-03-27 14:31:47.000000000 -0400
8575 +++ linux-2.6.32.46/arch/x86/include/asm/desc.h 2011-04-23 12:56:10.000000000 -0400
8576 @@ -4,6 +4,7 @@
8577 #include <asm/desc_defs.h>
8578 #include <asm/ldt.h>
8579 #include <asm/mmu.h>
8580 +#include <asm/pgtable.h>
8581 #include <linux/smp.h>
8582
8583 static inline void fill_ldt(struct desc_struct *desc,
8584 @@ -15,6 +16,7 @@ static inline void fill_ldt(struct desc_
8585 desc->base1 = (info->base_addr & 0x00ff0000) >> 16;
8586 desc->type = (info->read_exec_only ^ 1) << 1;
8587 desc->type |= info->contents << 2;
8588 + desc->type |= info->seg_not_present ^ 1;
8589 desc->s = 1;
8590 desc->dpl = 0x3;
8591 desc->p = info->seg_not_present ^ 1;
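Review bot: The added `desc->type |= info->seg_not_present ^ 1;` in fill_ldt sets bit 0 of the type field, the accessed bit, for every present segment, and nothing says why. Presumably this is so the CPU never has to write the accessed bit back into a descriptor table that may be mapped read-only. If so, say it: `/* pre-set the accessed bit so loading the segment does not write to the descriptor table */`. fill_ldt starts and ends outside this hunk.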
8592 @@ -31,16 +33,12 @@ static inline void fill_ldt(struct desc_
8593 }
8594
8595 extern struct desc_ptr idt_descr;
8596 -extern gate_desc idt_table[];
8597 -
8598 -struct gdt_page {
8599 - struct desc_struct gdt[GDT_ENTRIES];
8600 -} __attribute__((aligned(PAGE_SIZE)));
8601 -DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
8602 +extern gate_desc idt_table[256];
8603
8604 +extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
8605 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
8606 {
8607 - return per_cpu(gdt_page, cpu).gdt;
8608 + return cpu_gdt_table[cpu];
8609 }
8610
8611 #ifdef CONFIG_X86_64
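Review bot: The new `cpu_gdt_table` declaration sizes each per-CPU row as `PAGE_SIZE / sizeof(struct desc_struct)` instead of `GDT_ENTRIES`, and the `aligned(PAGE_SIZE)` attribute carried by the removed `struct gdt_page` is not visible on it. If the intent is one page per CPU so that each GDT can be protected on its own, the definition has to keep the page alignment and this header should say so, e.g. `/* one page per CPU; the definition must be page-aligned */`. get_cpu_gdt_table() also indexes the array with `cpu` unchecked, as per_cpu() did before, so the valid range of `cpu` should be stated.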
8612 @@ -65,9 +63,14 @@ static inline void pack_gate(gate_desc *
8613 unsigned long base, unsigned dpl, unsigned flags,
8614 unsigned short seg)
8615 {
8616 - gate->a = (seg << 16) | (base & 0xffff);
8617 - gate->b = (base & 0xffff0000) |
8618 - (((0x80 | type | (dpl << 5)) & 0xff) << 8);
8619 + gate->gate.offset_low = base;
8620 + gate->gate.seg = seg;
8621 + gate->gate.reserved = 0;
8622 + gate->gate.type = type;
8623 + gate->gate.s = 0;
8624 + gate->gate.dpl = dpl;
8625 + gate->gate.p = 1;
8626 + gate->gate.offset_high = base >> 16;
8627 }
8628
8629 #endif
8630 @@ -115,13 +118,17 @@ static inline void paravirt_free_ldt(str
8631 static inline void native_write_idt_entry(gate_desc *idt, int entry,
8632 const gate_desc *gate)
8633 {
8634 + pax_open_kernel();
8635 memcpy(&idt[entry], gate, sizeof(*gate));
8636 + pax_close_kernel();
8637 }
8638
8639 static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry,
8640 const void *desc)
8641 {
8642 + pax_open_kernel();
8643 memcpy(&ldt[entry], desc, 8);
8644 + pax_close_kernel();
8645 }
8646
8647 static inline void native_write_gdt_entry(struct desc_struct *gdt, int entry,
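Review bot: The `pax_open_kernel()` / `pax_close_kernel()` pairs added around the `memcpy()` in native_write_idt_entry and native_write_ldt_entry are undocumented. The hunk does not show whether the pair may nest or what happens if the code between them is interrupted. A comment at the first use, e.g. `/* descriptor tables may be write-protected: lift the protection only for this store */`, would tell maintainers to keep the window to the single write. The same bracket appears in native_write_gdt_entry and native_load_tls in the following hunks.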
8648 @@ -139,7 +146,10 @@ static inline void native_write_gdt_entr
8649 size = sizeof(struct desc_struct);
8650 break;
8651 }
8652 +
8653 + pax_open_kernel();
8654 memcpy(&gdt[entry], desc, size);
8655 + pax_close_kernel();
8656 }
8657
8658 static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
8659 @@ -211,7 +221,9 @@ static inline void native_set_ldt(const
8660
8661 static inline void native_load_tr_desc(void)
8662 {
8663 + pax_open_kernel();
8664 asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
8665 + pax_close_kernel();
8666 }
8667
8668 static inline void native_load_gdt(const struct desc_ptr *dtr)
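Review bot: In native_load_tr_desc it is not obvious why a register load needs `pax_open_kernel()`: `ltr` marks the referenced TSS descriptor busy, which is a write into the GDT. A comment such as `/* ltr sets the busy bit in the GDT's TSS descriptor, so the GDT must be writable here */` would keep a later cleanup from removing the bracket as redundant.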
8669 @@ -246,8 +258,10 @@ static inline void native_load_tls(struc
8670 unsigned int i;
8671 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
8672
8673 + pax_open_kernel();
8674 for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
8675 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
8676 + pax_close_kernel();
8677 }
8678
8679 #define _LDT_empty(info) \
8680 @@ -309,7 +323,7 @@ static inline void set_desc_limit(struct
8681 desc->limit = (limit >> 16) & 0xf;
8682 }
8683
8684 -static inline void _set_gate(int gate, unsigned type, void *addr,
8685 +static inline void _set_gate(int gate, unsigned type, const void *addr,
8686 unsigned dpl, unsigned ist, unsigned seg)
8687 {
8688 gate_desc s;
8689 @@ -327,7 +341,7 @@ static inline void _set_gate(int gate, u
8690 * Pentium F0 0F bugfix can have resulted in the mapped
8691 * IDT being write-protected.
8692 */
8693 -static inline void set_intr_gate(unsigned int n, void *addr)
8694 +static inline void set_intr_gate(unsigned int n, const void *addr)
8695 {
8696 BUG_ON((unsigned)n > 0xFF);
8697 _set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS);
8698 @@ -356,19 +370,19 @@ static inline void alloc_intr_gate(unsig
8699 /*
8700 * This routine sets up an interrupt gate at directory privilege level 3.
8701 */
8702 -static inline void set_system_intr_gate(unsigned int n, void *addr)
8703 +static inline void set_system_intr_gate(unsigned int n, const void *addr)
8704 {
8705 BUG_ON((unsigned)n > 0xFF);
8706 _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS);
8707 }
8708
8709 -static inline void set_system_trap_gate(unsigned int n, void *addr)
8710 +static inline void set_system_trap_gate(unsigned int n, const void *addr)
8711 {
8712 BUG_ON((unsigned)n > 0xFF);
8713 _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS);
8714 }
8715
8716 -static inline void set_trap_gate(unsigned int n, void *addr)
8717 +static inline void set_trap_gate(unsigned int n, const void *addr)
8718 {
8719 BUG_ON((unsigned)n > 0xFF);
8720 _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
8721 @@ -377,19 +391,31 @@ static inline void set_trap_gate(unsigne
8722 static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
8723 {
8724 BUG_ON((unsigned)n > 0xFF);
8725 - _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3));
8726 + _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3));
8727 }
8728
8729 -static inline void set_intr_gate_ist(int n, void *addr, unsigned ist)
8730 +static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist)
8731 {
8732 BUG_ON((unsigned)n > 0xFF);
8733 _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS);
8734 }
8735
8736 -static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
8737 +static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist)
8738 {
8739 BUG_ON((unsigned)n > 0xFF);
8740 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
8741 }
8742
8743 +#ifdef CONFIG_X86_32
8744 +static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
8745 +{
8746 + struct desc_struct d;
8747 +
8748 + if (likely(limit))
8749 + limit = (limit - 1UL) >> PAGE_SHIFT;
8750 + pack_descriptor(&d, base, limit, 0xFB, 0xC);
8751 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
8752 +}
8753 +#endif
8754 +
8755 #endif /* _ASM_X86_DESC_H */
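Review bot: `set_user_cs` passes the bare constants `0xFB` and `0xC` to `pack_descriptor` and special-cases `limit == 0` without saying what either means. With the granularity bit set in `0xC`, a packed limit of 0 still describes a 4 KiB code segment rather than an empty one, so a caller that passes 0 expecting "nothing executable" would not get that; whether any caller does is not visible in this hunk. I would document both: `/* 0xFB: present, DPL 3, code, readable, accessed; 0xC: 4 KiB granularity, 32-bit */` plus one line stating what segment a zero `limit` is meant to produce.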
8756 diff -urNp linux-2.6.32.46/arch/x86/include/asm/device.h linux-2.6.32.46/arch/x86/include/asm/device.h
8757 --- linux-2.6.32.46/arch/x86/include/asm/device.h 2011-03-27 14:31:47.000000000 -0400
8758 +++ linux-2.6.32.46/arch/x86/include/asm/device.h 2011-04-17 15:56:46.000000000 -0400
8759 @@ -6,7 +6,7 @@ struct dev_archdata {
8760 void *acpi_handle;
8761 #endif
8762 #ifdef CONFIG_X86_64
8763 -struct dma_map_ops *dma_ops;
8764 + const struct dma_map_ops *dma_ops;
8765 #endif
8766 #ifdef CONFIG_DMAR
8767 void *iommu; /* hook for IOMMU specific extension */
8768 diff -urNp linux-2.6.32.46/arch/x86/include/asm/dma-mapping.h linux-2.6.32.46/arch/x86/include/asm/dma-mapping.h
8769 --- linux-2.6.32.46/arch/x86/include/asm/dma-mapping.h 2011-03-27 14:31:47.000000000 -0400
8770 +++ linux-2.6.32.46/arch/x86/include/asm/dma-mapping.h 2011-04-17 15:56:46.000000000 -0400
8771 @@ -25,9 +25,9 @@ extern int iommu_merge;
8772 extern struct device x86_dma_fallback_dev;
8773 extern int panic_on_overflow;
8774
8775 -extern struct dma_map_ops *dma_ops;
8776 +extern const struct dma_map_ops *dma_ops;
8777
8778 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
8779 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
8780 {
8781 #ifdef CONFIG_X86_32
8782 return dma_ops;
8783 @@ -44,7 +44,7 @@ static inline struct dma_map_ops *get_dm
8784 /* Make sure we keep the same behaviour */
8785 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
8786 {
8787 - struct dma_map_ops *ops = get_dma_ops(dev);
8788 + const struct dma_map_ops *ops = get_dma_ops(dev);
8789 if (ops->mapping_error)
8790 return ops->mapping_error(dev, dma_addr);
8791
8792 @@ -122,7 +122,7 @@ static inline void *
8793 dma_alloc_coherent(struct device *dev, size_t size, dma_addr_t *dma_handle,
8794 gfp_t gfp)
8795 {
8796 - struct dma_map_ops *ops = get_dma_ops(dev);
8797 + const struct dma_map_ops *ops = get_dma_ops(dev);
8798 void *memory;
8799
8800 gfp &= ~(__GFP_DMA | __GFP_HIGHMEM | __GFP_DMA32);
8801 @@ -149,7 +149,7 @@ dma_alloc_coherent(struct device *dev, s
8802 static inline void dma_free_coherent(struct device *dev, size_t size,
8803 void *vaddr, dma_addr_t bus)
8804 {
8805 - struct dma_map_ops *ops = get_dma_ops(dev);
8806 + const struct dma_map_ops *ops = get_dma_ops(dev);
8807
8808 WARN_ON(irqs_disabled()); /* for portability */
8809
8810 diff -urNp linux-2.6.32.46/arch/x86/include/asm/e820.h linux-2.6.32.46/arch/x86/include/asm/e820.h
8811 --- linux-2.6.32.46/arch/x86/include/asm/e820.h 2011-03-27 14:31:47.000000000 -0400
8812 +++ linux-2.6.32.46/arch/x86/include/asm/e820.h 2011-04-17 15:56:46.000000000 -0400
8813 @@ -133,7 +133,7 @@ extern char *default_machine_specific_me
8814 #define ISA_END_ADDRESS 0x100000
8815 #define is_ISA_range(s, e) ((s) >= ISA_START_ADDRESS && (e) < ISA_END_ADDRESS)
8816
8817 -#define BIOS_BEGIN 0x000a0000
8818 +#define BIOS_BEGIN 0x000c0000
8819 #define BIOS_END 0x00100000
8820
8821 #ifdef __KERNEL__
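Review bot: `BIOS_BEGIN` moves from `0x000a0000` to `0x000c0000` with no comment, so the 0xa0000-0xbffff window (the legacy video memory range) silently stops counting as BIOS area for every user of the macro. Those users are outside this hunk, so the effect on reservations or access checks cannot be confirmed from here. If the exclusion is intended, say so next to the define: `/* legacy video memory at 0xa0000-0xbffff is deliberately not treated as BIOS */`.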
8822 diff -urNp linux-2.6.32.46/arch/x86/include/asm/elf.h linux-2.6.32.46/arch/x86/include/asm/elf.h
8823 --- linux-2.6.32.46/arch/x86/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
8824 +++ linux-2.6.32.46/arch/x86/include/asm/elf.h 2011-08-23 20:24:19.000000000 -0400
8825 @@ -257,7 +257,25 @@ extern int force_personality32;
8826 the loader. We need to make sure that it is out of the way of the program
8827 that it will "exec", and that there is sufficient room for the brk. */
8828
8829 +#ifdef CONFIG_PAX_SEGMEXEC
8830 +#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
8831 +#else
8832 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
8833 +#endif
8834 +
8835 +#ifdef CONFIG_PAX_ASLR
8836 +#ifdef CONFIG_X86_32
8837 +#define PAX_ELF_ET_DYN_BASE 0x10000000UL
8838 +
8839 +#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
8840 +#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
8841 +#else
8842 +#define PAX_ELF_ET_DYN_BASE 0x400000UL
8843 +
8844 +#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
8845 +#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
8846 +#endif
8847 +#endif
8848
8849 /* This yields a mask that user programs can use to figure out what
8850 instruction set this CPU supports. This could be done in user space,
8851 @@ -310,9 +328,7 @@ do { \
8852
8853 #define ARCH_DLINFO \
8854 do { \
8855 - if (vdso_enabled) \
8856 - NEW_AUX_ENT(AT_SYSINFO_EHDR, \
8857 - (unsigned long)current->mm->context.vdso); \
8858 + NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso); \
8859 } while (0)
8860
8861 #define AT_SYSINFO 32
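Review bot: `ARCH_DLINFO` now emits `AT_SYSINFO_EHDR` unconditionally, so nothing keeps the entry out of the auxiliary vector when no vDSO is mapped. If `current->mm->context.vdso` can be 0 in that case (not visible here), userspace receives an `AT_SYSINFO_EHDR` of 0 instead of no entry at all. A guard on the value itself would preserve the old contract without `vdso_enabled`: `if (current->mm->context.vdso) NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);`.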
8862 @@ -323,7 +339,7 @@ do { \
8863
8864 #endif /* !CONFIG_X86_32 */
8865
8866 -#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
8867 +#define VDSO_CURRENT_BASE (current->mm->context.vdso)
8868
8869 #define VDSO_ENTRY \
8870 ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
8871 @@ -337,7 +353,4 @@ extern int arch_setup_additional_pages(s
8872 extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
8873 #define compat_arch_setup_additional_pages syscall32_setup_pages
8874
8875 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
8876 -#define arch_randomize_brk arch_randomize_brk
8877 -
8878 #endif /* _ASM_X86_ELF_H */
8879 diff -urNp linux-2.6.32.46/arch/x86/include/asm/emergency-restart.h linux-2.6.32.46/arch/x86/include/asm/emergency-restart.h
8880 --- linux-2.6.32.46/arch/x86/include/asm/emergency-restart.h 2011-03-27 14:31:47.000000000 -0400
8881 +++ linux-2.6.32.46/arch/x86/include/asm/emergency-restart.h 2011-05-22 23:02:06.000000000 -0400
8882 @@ -15,6 +15,6 @@ enum reboot_type {
8883
8884 extern enum reboot_type reboot_type;
8885
8886 -extern void machine_emergency_restart(void);
8887 +extern void machine_emergency_restart(void) __noreturn;
8888
8889 #endif /* _ASM_X86_EMERGENCY_RESTART_H */
8890 diff -urNp linux-2.6.32.46/arch/x86/include/asm/futex.h linux-2.6.32.46/arch/x86/include/asm/futex.h
8891 --- linux-2.6.32.46/arch/x86/include/asm/futex.h 2011-03-27 14:31:47.000000000 -0400
8892 +++ linux-2.6.32.46/arch/x86/include/asm/futex.h 2011-10-06 09:37:08.000000000 -0400
8893 @@ -12,16 +12,18 @@
8894 #include <asm/system.h>
8895
8896 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
8897 + typecheck(u32 __user *, uaddr); \
8898 asm volatile("1:\t" insn "\n" \
8899 "2:\t.section .fixup,\"ax\"\n" \
8900 "3:\tmov\t%3, %1\n" \
8901 "\tjmp\t2b\n" \
8902 "\t.previous\n" \
8903 _ASM_EXTABLE(1b, 3b) \
8904 - : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
8905 + : "=r" (oldval), "=r" (ret), "+m" (*(u32 __user *)____m(uaddr))\
8906 : "i" (-EFAULT), "0" (oparg), "1" (0))
8907
8908 #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
8909 + typecheck(u32 __user *, uaddr); \
8910 asm volatile("1:\tmovl %2, %0\n" \
8911 "\tmovl\t%0, %3\n" \
8912 "\t" insn "\n" \
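Review bot: Adding `typecheck(u32 __user *, uaddr);` ahead of the `asm` makes `__futex_atomic_op1` and `__futex_atomic_op2` expand to two statements, so a use as the body of an unbraced `if` or `else` would guard only the type check. The call sites visible in this file sit under `case` labels and are unaffected, but the macros should be made statement-safe by opening each with `do {` and closing it with `} while (0)` around both the `typecheck` and the `asm volatile(...)`. `__futex_atomic_op2` continues past the end of this hunk.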
8913 @@ -34,10 +36,10 @@
8914 _ASM_EXTABLE(1b, 4b) \
8915 _ASM_EXTABLE(2b, 4b) \
8916 : "=&a" (oldval), "=&r" (ret), \
8917 - "+m" (*uaddr), "=&r" (tem) \
8918 + "+m" (*(u32 __user *)____m(uaddr)), "=&r" (tem) \
8919 : "r" (oparg), "i" (-EFAULT), "1" (0))
8920
8921 -static inline int futex_atomic_op_inuser(int encoded_op, int __user *uaddr)
8922 +static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
8923 {
8924 int op = (encoded_op >> 28) & 7;
8925 int cmp = (encoded_op >> 24) & 15;
8926 @@ -61,10 +63,10 @@ static inline int futex_atomic_op_inuser
8927
8928 switch (op) {
8929 case FUTEX_OP_SET:
8930 - __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
8931 + __futex_atomic_op1(__copyuser_seg"xchgl %0, %2", ret, oldval, uaddr, oparg);
8932 break;
8933 case FUTEX_OP_ADD:
8934 - __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
8935 + __futex_atomic_op1(LOCK_PREFIX __copyuser_seg"xaddl %0, %2", ret, oldval,
8936 uaddr, oparg);
8937 break;
8938 case FUTEX_OP_OR:
8939 @@ -109,7 +111,7 @@ static inline int futex_atomic_op_inuser
8940 return ret;
8941 }
8942
8943 -static inline int futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval,
8944 +static inline int futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval,
8945 int newval)
8946 {
8947
8948 @@ -119,16 +121,16 @@ static inline int futex_atomic_cmpxchg_i
8949 return -ENOSYS;
8950 #endif
8951
8952 - if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
8953 + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
8954 return -EFAULT;
8955
8956 - asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
8957 + asm volatile("1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %3, %1\n"
8958 "2:\t.section .fixup, \"ax\"\n"
8959 "3:\tmov %2, %0\n"
8960 "\tjmp 2b\n"
8961 "\t.previous\n"
8962 _ASM_EXTABLE(1b, 3b)
8963 - : "=a" (oldval), "+m" (*uaddr)
8964 + : "=a" (oldval), "+m" (*(u32 *)____m(uaddr))
8965 : "i" (-EFAULT), "r" (newval), "0" (oldval)
8966 : "memory"
8967 );
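Review bot: The memory operand in `futex_atomic_cmpxchg_inatomic` is cast with `(u32 *)`, dropping the `__user` annotation that the two `__futex_atomic_op` macros keep on the same expression. That hides this user-space access from sparse address-space checking and is inconsistent with the rest of the file. The operand line should read `: "=a" (oldval), "+m" (*(u32 __user *)____m(uaddr))`. The function body starts before this hunk.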
8968 diff -urNp linux-2.6.32.46/arch/x86/include/asm/hw_irq.h linux-2.6.32.46/arch/x86/include/asm/hw_irq.h
8969 --- linux-2.6.32.46/arch/x86/include/asm/hw_irq.h 2011-03-27 14:31:47.000000000 -0400
8970 +++ linux-2.6.32.46/arch/x86/include/asm/hw_irq.h 2011-05-04 17:56:28.000000000 -0400
8971 @@ -92,8 +92,8 @@ extern void setup_ioapic_dest(void);
8972 extern void enable_IO_APIC(void);
8973
8974 /* Statistics */
8975 -extern atomic_t irq_err_count;
8976 -extern atomic_t irq_mis_count;
8977 +extern atomic_unchecked_t irq_err_count;
8978 +extern atomic_unchecked_t irq_mis_count;
8979
8980 /* EISA */
8981 extern void eisa_set_level_irq(unsigned int irq);
8982 diff -urNp linux-2.6.32.46/arch/x86/include/asm/i387.h linux-2.6.32.46/arch/x86/include/asm/i387.h
8983 --- linux-2.6.32.46/arch/x86/include/asm/i387.h 2011-03-27 14:31:47.000000000 -0400
8984 +++ linux-2.6.32.46/arch/x86/include/asm/i387.h 2011-04-17 15:56:46.000000000 -0400
8985 @@ -60,6 +60,11 @@ static inline int fxrstor_checking(struc
8986 {
8987 int err;
8988
8989 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8990 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
8991 + fx = (struct i387_fxsave_struct *)((void *)fx + PAX_USER_SHADOW_BASE);
8992 +#endif
8993 +
8994 asm volatile("1: rex64/fxrstor (%[fx])\n\t"
8995 "2:\n"
8996 ".section .fixup,\"ax\"\n"
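Review bot: The block that adds `PAX_USER_SHADOW_BASE` to `fx` in `fxrstor_checking` is uncommented, and the same block is repeated in `fxsave_user` in the next hunk. A reader cannot tell from the code why a pointer below that base is moved, or that a pointer already at or above it is deliberately left alone. From the config names this looks like redirecting a userland address to its UDEREF shadow mapping, so a comment such as `/* userland address: access it through the shadow mapping */` would help if that reading is right. The body of `fxrstor_checking` continues outside the hunk.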
8997 @@ -105,6 +110,11 @@ static inline int fxsave_user(struct i38
8998 {
8999 int err;
9000
9001 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9002 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
9003 + fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);
9004 +#endif
9005 +
9006 asm volatile("1: rex64/fxsave (%[fx])\n\t"
9007 "2:\n"
9008 ".section .fixup,\"ax\"\n"
9009 @@ -195,13 +205,8 @@ static inline int fxrstor_checking(struc
9010 }
9011
9012 /* We need a safe address that is cheap to find and that is already
9013 - in L1 during context switch. The best choices are unfortunately
9014 - different for UP and SMP */
9015 -#ifdef CONFIG_SMP
9016 -#define safe_address (__per_cpu_offset[0])
9017 -#else
9018 -#define safe_address (kstat_cpu(0).cpustat.user)
9019 -#endif
9020 + in L1 during context switch. */
9021 +#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0)
9022
9023 /*
9024 * These must be called with preempt disabled
9025 @@ -291,7 +296,7 @@ static inline void kernel_fpu_begin(void
9026 struct thread_info *me = current_thread_info();
9027 preempt_disable();
9028 if (me->status & TS_USEDFPU)
9029 - __save_init_fpu(me->task);
9030 + __save_init_fpu(current);
9031 else
9032 clts();
9033 }
9034 diff -urNp linux-2.6.32.46/arch/x86/include/asm/io_32.h linux-2.6.32.46/arch/x86/include/asm/io_32.h
9035 --- linux-2.6.32.46/arch/x86/include/asm/io_32.h 2011-03-27 14:31:47.000000000 -0400
9036 +++ linux-2.6.32.46/arch/x86/include/asm/io_32.h 2011-04-17 15:56:46.000000000 -0400
9037 @@ -3,6 +3,7 @@
9038
9039 #include <linux/string.h>
9040 #include <linux/compiler.h>
9041 +#include <asm/processor.h>
9042
9043 /*
9044 * This file contains the definitions for the x86 IO instructions
9045 @@ -42,6 +43,17 @@
9046
9047 #ifdef __KERNEL__
9048
9049 +#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
9050 +static inline int valid_phys_addr_range(unsigned long addr, size_t count)
9051 +{
9052 + return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
9053 +}
9054 +
9055 +static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
9056 +{
9057 + return (pfn + (count >> PAGE_SHIFT)) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
9058 +}
9059 +
9060 #include <asm-generic/iomap.h>
9061
9062 #include <linux/vmalloc.h>
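Review bot: `valid_phys_addr_range` computes `addr + count + PAGE_SIZE - 1` in `unsigned long`, so a large `addr` or `count` wraps before the comparison and a range that runs off the top of the address space is reported as valid. The `pfn + (count >> PAGE_SHIFT)` sum in `valid_mmap_phys_addr_range` has the same shape. Rejecting the wrap first closes it, e.g. `if (addr + count < addr) return 0;` and the analogous test on `pfn`. The identical pair of functions added to io_64.h in the next file section needs the same change, and the trailing `? 1 : 0` on both returns is redundant.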
9063 diff -urNp linux-2.6.32.46/arch/x86/include/asm/io_64.h linux-2.6.32.46/arch/x86/include/asm/io_64.h
9064 --- linux-2.6.32.46/arch/x86/include/asm/io_64.h 2011-03-27 14:31:47.000000000 -0400
9065 +++ linux-2.6.32.46/arch/x86/include/asm/io_64.h 2011-04-17 15:56:46.000000000 -0400
9066 @@ -140,6 +140,17 @@ __OUTS(l)
9067
9068 #include <linux/vmalloc.h>
9069
9070 +#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
9071 +static inline int valid_phys_addr_range(unsigned long addr, size_t count)
9072 +{
9073 + return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
9074 +}
9075 +
9076 +static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
9077 +{
9078 + return (pfn + (count >> PAGE_SHIFT)) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
9079 +}
9080 +
9081 #include <asm-generic/iomap.h>
9082
9083 void __memcpy_fromio(void *, unsigned long, unsigned);
9084 diff -urNp linux-2.6.32.46/arch/x86/include/asm/iommu.h linux-2.6.32.46/arch/x86/include/asm/iommu.h
9085 --- linux-2.6.32.46/arch/x86/include/asm/iommu.h 2011-03-27 14:31:47.000000000 -0400
9086 +++ linux-2.6.32.46/arch/x86/include/asm/iommu.h 2011-04-17 15:56:46.000000000 -0400
9087 @@ -3,7 +3,7 @@
9088
9089 extern void pci_iommu_shutdown(void);
9090 extern void no_iommu_init(void);
9091 -extern struct dma_map_ops nommu_dma_ops;
9092 +extern const struct dma_map_ops nommu_dma_ops;
9093 extern int force_iommu, no_iommu;
9094 extern int iommu_detected;
9095 extern int iommu_pass_through;
9096 diff -urNp linux-2.6.32.46/arch/x86/include/asm/irqflags.h linux-2.6.32.46/arch/x86/include/asm/irqflags.h
9097 --- linux-2.6.32.46/arch/x86/include/asm/irqflags.h 2011-03-27 14:31:47.000000000 -0400
9098 +++ linux-2.6.32.46/arch/x86/include/asm/irqflags.h 2011-04-17 15:56:46.000000000 -0400
9099 @@ -142,6 +142,11 @@ static inline unsigned long __raw_local_
9100 sti; \
9101 sysexit
9102
9103 +#define GET_CR0_INTO_RDI mov %cr0, %rdi
9104 +#define SET_RDI_INTO_CR0 mov %rdi, %cr0
9105 +#define GET_CR3_INTO_RDI mov %cr3, %rdi
9106 +#define SET_RDI_INTO_CR3 mov %rdi, %cr3
9107 +
9108 #else
9109 #define INTERRUPT_RETURN iret
9110 #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
9111 diff -urNp linux-2.6.32.46/arch/x86/include/asm/kprobes.h linux-2.6.32.46/arch/x86/include/asm/kprobes.h
9112 --- linux-2.6.32.46/arch/x86/include/asm/kprobes.h 2011-03-27 14:31:47.000000000 -0400
9113 +++ linux-2.6.32.46/arch/x86/include/asm/kprobes.h 2011-04-23 12:56:12.000000000 -0400
9114 @@ -34,13 +34,8 @@ typedef u8 kprobe_opcode_t;
9115 #define BREAKPOINT_INSTRUCTION 0xcc
9116 #define RELATIVEJUMP_INSTRUCTION 0xe9
9117 #define MAX_INSN_SIZE 16
9118 -#define MAX_STACK_SIZE 64
9119 -#define MIN_STACK_SIZE(ADDR) \
9120 - (((MAX_STACK_SIZE) < (((unsigned long)current_thread_info()) + \
9121 - THREAD_SIZE - (unsigned long)(ADDR))) \
9122 - ? (MAX_STACK_SIZE) \
9123 - : (((unsigned long)current_thread_info()) + \
9124 - THREAD_SIZE - (unsigned long)(ADDR)))
9125 +#define MAX_STACK_SIZE 64UL
9126 +#define MIN_STACK_SIZE(ADDR) min(MAX_STACK_SIZE, current->thread.sp0 - (unsigned long)(ADDR))
9127
9128 #define flush_insn_slot(p) do { } while (0)
9129
9130 diff -urNp linux-2.6.32.46/arch/x86/include/asm/kvm_host.h linux-2.6.32.46/arch/x86/include/asm/kvm_host.h
9131 --- linux-2.6.32.46/arch/x86/include/asm/kvm_host.h 2011-05-10 22:12:01.000000000 -0400
9132 +++ linux-2.6.32.46/arch/x86/include/asm/kvm_host.h 2011-08-26 20:19:09.000000000 -0400
9133 @@ -534,9 +534,9 @@ struct kvm_x86_ops {
9134 bool (*gb_page_enable)(void);
9135
9136 const struct trace_print_flags *exit_reasons_str;
9137 -};
9138 +} __do_const;
9139
9140 -extern struct kvm_x86_ops *kvm_x86_ops;
9141 +extern const struct kvm_x86_ops *kvm_x86_ops;
9142
9143 int kvm_mmu_module_init(void);
9144 void kvm_mmu_module_exit(void);
9145 diff -urNp linux-2.6.32.46/arch/x86/include/asm/local.h linux-2.6.32.46/arch/x86/include/asm/local.h
9146 --- linux-2.6.32.46/arch/x86/include/asm/local.h 2011-03-27 14:31:47.000000000 -0400
9147 +++ linux-2.6.32.46/arch/x86/include/asm/local.h 2011-04-17 15:56:46.000000000 -0400
9148 @@ -18,26 +18,58 @@ typedef struct {
9149
9150 static inline void local_inc(local_t *l)
9151 {
9152 - asm volatile(_ASM_INC "%0"
9153 + asm volatile(_ASM_INC "%0\n"
9154 +
9155 +#ifdef CONFIG_PAX_REFCOUNT
9156 + "jno 0f\n"
9157 + _ASM_DEC "%0\n"
9158 + "int $4\n0:\n"
9159 + _ASM_EXTABLE(0b, 0b)
9160 +#endif
9161 +
9162 : "+m" (l->a.counter));
9163 }
9164
9165 static inline void local_dec(local_t *l)
9166 {
9167 - asm volatile(_ASM_DEC "%0"
9168 + asm volatile(_ASM_DEC "%0\n"
9169 +
9170 +#ifdef CONFIG_PAX_REFCOUNT
9171 + "jno 0f\n"
9172 + _ASM_INC "%0\n"
9173 + "int $4\n0:\n"
9174 + _ASM_EXTABLE(0b, 0b)
9175 +#endif
9176 +
9177 : "+m" (l->a.counter));
9178 }
9179
9180 static inline void local_add(long i, local_t *l)
9181 {
9182 - asm volatile(_ASM_ADD "%1,%0"
9183 + asm volatile(_ASM_ADD "%1,%0\n"
9184 +
9185 +#ifdef CONFIG_PAX_REFCOUNT
9186 + "jno 0f\n"
9187 + _ASM_SUB "%1,%0\n"
9188 + "int $4\n0:\n"
9189 + _ASM_EXTABLE(0b, 0b)
9190 +#endif
9191 +
9192 : "+m" (l->a.counter)
9193 : "ir" (i));
9194 }
9195
9196 static inline void local_sub(long i, local_t *l)
9197 {
9198 - asm volatile(_ASM_SUB "%1,%0"
9199 + asm volatile(_ASM_SUB "%1,%0\n"
9200 +
9201 +#ifdef CONFIG_PAX_REFCOUNT
9202 + "jno 0f\n"
9203 + _ASM_ADD "%1,%0\n"
9204 + "int $4\n0:\n"
9205 + _ASM_EXTABLE(0b, 0b)
9206 +#endif
9207 +
9208 : "+m" (l->a.counter)
9209 : "ir" (i));
9210 }
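Review bot: The `CONFIG_PAX_REFCOUNT` sequence (`jno 0f`, the inverse operation, `int $4`, `_ASM_EXTABLE(0b, 0b)`) is pasted into `local_inc`, `local_dec`, `local_add` and `local_sub` here and again in every later hunk of this file, with no comment on what it does. I would explain it once, e.g. `/* on signed overflow: undo the update, then raise the overflow exception; the extable entry resumes at label 0 */`. Generating the sequence from a single macro that takes the undo instruction as its argument would also stop the copies drifting apart.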
9211 @@ -55,7 +87,16 @@ static inline int local_sub_and_test(lon
9212 {
9213 unsigned char c;
9214
9215 - asm volatile(_ASM_SUB "%2,%0; sete %1"
9216 + asm volatile(_ASM_SUB "%2,%0\n"
9217 +
9218 +#ifdef CONFIG_PAX_REFCOUNT
9219 + "jno 0f\n"
9220 + _ASM_ADD "%2,%0\n"
9221 + "int $4\n0:\n"
9222 + _ASM_EXTABLE(0b, 0b)
9223 +#endif
9224 +
9225 + "sete %1\n"
9226 : "+m" (l->a.counter), "=qm" (c)
9227 : "ir" (i) : "memory");
9228 return c;
9229 @@ -73,7 +114,16 @@ static inline int local_dec_and_test(loc
9230 {
9231 unsigned char c;
9232
9233 - asm volatile(_ASM_DEC "%0; sete %1"
9234 + asm volatile(_ASM_DEC "%0\n"
9235 +
9236 +#ifdef CONFIG_PAX_REFCOUNT
9237 + "jno 0f\n"
9238 + _ASM_INC "%0\n"
9239 + "int $4\n0:\n"
9240 + _ASM_EXTABLE(0b, 0b)
9241 +#endif
9242 +
9243 + "sete %1\n"
9244 : "+m" (l->a.counter), "=qm" (c)
9245 : : "memory");
9246 return c != 0;
9247 @@ -91,7 +141,16 @@ static inline int local_inc_and_test(loc
9248 {
9249 unsigned char c;
9250
9251 - asm volatile(_ASM_INC "%0; sete %1"
9252 + asm volatile(_ASM_INC "%0\n"
9253 +
9254 +#ifdef CONFIG_PAX_REFCOUNT
9255 + "jno 0f\n"
9256 + _ASM_DEC "%0\n"
9257 + "int $4\n0:\n"
9258 + _ASM_EXTABLE(0b, 0b)
9259 +#endif
9260 +
9261 + "sete %1\n"
9262 : "+m" (l->a.counter), "=qm" (c)
9263 : : "memory");
9264 return c != 0;
9265 @@ -110,7 +169,16 @@ static inline int local_add_negative(lon
9266 {
9267 unsigned char c;
9268
9269 - asm volatile(_ASM_ADD "%2,%0; sets %1"
9270 + asm volatile(_ASM_ADD "%2,%0\n"
9271 +
9272 +#ifdef CONFIG_PAX_REFCOUNT
9273 + "jno 0f\n"
9274 + _ASM_SUB "%2,%0\n"
9275 + "int $4\n0:\n"
9276 + _ASM_EXTABLE(0b, 0b)
9277 +#endif
9278 +
9279 + "sets %1\n"
9280 : "+m" (l->a.counter), "=qm" (c)
9281 : "ir" (i) : "memory");
9282 return c;
9283 @@ -133,7 +201,15 @@ static inline long local_add_return(long
9284 #endif
9285 /* Modern 486+ processor */
9286 __i = i;
9287 - asm volatile(_ASM_XADD "%0, %1;"
9288 + asm volatile(_ASM_XADD "%0, %1\n"
9289 +
9290 +#ifdef CONFIG_PAX_REFCOUNT
9291 + "jno 0f\n"
9292 + _ASM_MOV "%0,%1\n"
9293 + "int $4\n0:\n"
9294 + _ASM_EXTABLE(0b, 0b)
9295 +#endif
9296 +
9297 : "+r" (i), "+m" (l->a.counter)
9298 : : "memory");
9299 return i + __i;
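Review bot: In `local_add_return` the overflow path restores the counter with `_ASM_MOV "%0,%1"`, but the function still ends with `return i + __i;`, so the caller receives the wrapped sum even though the stored counter was rolled back. Whether the `int $4` handler lets execution reach that return is not visible in this hunk; if it does, the return value and the counter disagree. A comment stating the intended return value on overflow, or returning the restored value in that case, would settle it. The function starts before this hunk.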
9300 diff -urNp linux-2.6.32.46/arch/x86/include/asm/microcode.h linux-2.6.32.46/arch/x86/include/asm/microcode.h
9301 --- linux-2.6.32.46/arch/x86/include/asm/microcode.h 2011-03-27 14:31:47.000000000 -0400
9302 +++ linux-2.6.32.46/arch/x86/include/asm/microcode.h 2011-04-17 15:56:46.000000000 -0400
9303 @@ -12,13 +12,13 @@ struct device;
9304 enum ucode_state { UCODE_ERROR, UCODE_OK, UCODE_NFOUND };
9305
9306 struct microcode_ops {
9307 - enum ucode_state (*request_microcode_user) (int cpu,
9308 + enum ucode_state (* const request_microcode_user) (int cpu,
9309 const void __user *buf, size_t size);
9310
9311 - enum ucode_state (*request_microcode_fw) (int cpu,
9312 + enum ucode_state (* const request_microcode_fw) (int cpu,
9313 struct device *device);
9314
9315 - void (*microcode_fini_cpu) (int cpu);
9316 + void (* const microcode_fini_cpu) (int cpu);
9317
9318 /*
9319 * The generic 'microcode_core' part guarantees that
9320 @@ -38,18 +38,18 @@ struct ucode_cpu_info {
9321 extern struct ucode_cpu_info ucode_cpu_info[];
9322
9323 #ifdef CONFIG_MICROCODE_INTEL
9324 -extern struct microcode_ops * __init init_intel_microcode(void);
9325 +extern const struct microcode_ops * __init init_intel_microcode(void);
9326 #else
9327 -static inline struct microcode_ops * __init init_intel_microcode(void)
9328 +static inline const struct microcode_ops * __init init_intel_microcode(void)
9329 {
9330 return NULL;
9331 }
9332 #endif /* CONFIG_MICROCODE_INTEL */
9333
9334 #ifdef CONFIG_MICROCODE_AMD
9335 -extern struct microcode_ops * __init init_amd_microcode(void);
9336 +extern const struct microcode_ops * __init init_amd_microcode(void);
9337 #else
9338 -static inline struct microcode_ops * __init init_amd_microcode(void)
9339 +static inline const struct microcode_ops * __init init_amd_microcode(void)
9340 {
9341 return NULL;
9342 }
9343 diff -urNp linux-2.6.32.46/arch/x86/include/asm/mman.h linux-2.6.32.46/arch/x86/include/asm/mman.h
9344 --- linux-2.6.32.46/arch/x86/include/asm/mman.h 2011-03-27 14:31:47.000000000 -0400
9345 +++ linux-2.6.32.46/arch/x86/include/asm/mman.h 2011-04-17 15:56:46.000000000 -0400
9346 @@ -5,4 +5,14 @@
9347
9348 #include <asm-generic/mman.h>
9349
9350 +#ifdef __KERNEL__
9351 +#ifndef __ASSEMBLY__
9352 +#ifdef CONFIG_X86_32
9353 +#define arch_mmap_check i386_mmap_check
9354 +int i386_mmap_check(unsigned long addr, unsigned long len,
9355 + unsigned long flags);
9356 +#endif
9357 +#endif
9358 +#endif
9359 +
9360 #endif /* _ASM_X86_MMAN_H */
9361 diff -urNp linux-2.6.32.46/arch/x86/include/asm/mmu_context.h linux-2.6.32.46/arch/x86/include/asm/mmu_context.h
9362 --- linux-2.6.32.46/arch/x86/include/asm/mmu_context.h 2011-03-27 14:31:47.000000000 -0400
9363 +++ linux-2.6.32.46/arch/x86/include/asm/mmu_context.h 2011-08-23 20:24:19.000000000 -0400
9364 @@ -24,6 +24,18 @@ void destroy_context(struct mm_struct *m
9365
9366 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
9367 {
9368 +
9369 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9370 + unsigned int i;
9371 + pgd_t *pgd;
9372 +
9373 + pax_open_kernel();
9374 + pgd = get_cpu_pgd(smp_processor_id());
9375 + for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
9376 + set_pgd_batched(pgd+i, native_make_pgd(0));
9377 + pax_close_kernel();
9378 +#endif
9379 +
9380 #ifdef CONFIG_SMP
9381 if (percpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
9382 percpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
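Review bot: The new block in `enter_lazy_tlb` zeroes the per-CPU PGD entries from `USER_PGD_PTRS` to `2 * USER_PGD_PTRS` without a comment. That is the range `switch_mm` fills through `__shadow_user_pgds`, so a reader has to cross-reference the two functions to see what is being dropped. I would add `/* clear the shadowed user PGD entries while this CPU is in lazy TLB mode */` above the loop. The stray empty `+` line directly after the opening brace can go.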
9383 @@ -34,16 +46,30 @@ static inline void switch_mm(struct mm_s
9384 struct task_struct *tsk)
9385 {
9386 unsigned cpu = smp_processor_id();
9387 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)) && defined(CONFIG_SMP)
9388 + int tlbstate = TLBSTATE_OK;
9389 +#endif
9390
9391 if (likely(prev != next)) {
9392 #ifdef CONFIG_SMP
9393 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
9394 + tlbstate = percpu_read(cpu_tlbstate.state);
9395 +#endif
9396 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
9397 percpu_write(cpu_tlbstate.active_mm, next);
9398 #endif
9399 cpumask_set_cpu(cpu, mm_cpumask(next));
9400
9401 /* Re-load page tables */
9402 +#ifdef CONFIG_PAX_PER_CPU_PGD
9403 + pax_open_kernel();
9404 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
9405 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
9406 + pax_close_kernel();
9407 + load_cr3(get_cpu_pgd(cpu));
9408 +#else
9409 load_cr3(next->pgd);
9410 +#endif
9411
9412 /* stop flush ipis for the previous mm */
9413 cpumask_clear_cpu(cpu, mm_cpumask(prev));
9414 @@ -53,9 +79,38 @@ static inline void switch_mm(struct mm_s
9415 */
9416 if (unlikely(prev->context.ldt != next->context.ldt))
9417 load_LDT_nolock(&next->context);
9418 - }
9419 +
9420 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
9421 + if (!nx_enabled) {
9422 + smp_mb__before_clear_bit();
9423 + cpu_clear(cpu, prev->context.cpu_user_cs_mask);
9424 + smp_mb__after_clear_bit();
9425 + cpu_set(cpu, next->context.cpu_user_cs_mask);
9426 + }
9427 +#endif
9428 +
9429 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
9430 + if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
9431 + prev->context.user_cs_limit != next->context.user_cs_limit))
9432 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
9433 #ifdef CONFIG_SMP
9434 + else if (unlikely(tlbstate != TLBSTATE_OK))
9435 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
9436 +#endif
9437 +#endif
9438 +
9439 + }
9440 else {
9441 +
9442 +#ifdef CONFIG_PAX_PER_CPU_PGD
9443 + pax_open_kernel();
9444 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
9445 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
9446 + pax_close_kernel();
9447 + load_cr3(get_cpu_pgd(cpu));
9448 +#endif
9449 +
9450 +#ifdef CONFIG_SMP
9451 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
9452 BUG_ON(percpu_read(cpu_tlbstate.active_mm) != next);
9453
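Review bot: The `CONFIG_PAX_PER_CPU_PGD` sequence in the `else` branch (`pax_open_kernel()`, `__clone_user_pgds`, `__shadow_user_pgds`, `pax_close_kernel()`, `load_cr3(get_cpu_pgd(cpu))`) is a verbatim copy of the one added to the `prev != next` branch in the first hunk of this function. Both copies must stay in step for the per-CPU page tables to be coherent, so I would move them into one `static inline` helper taking `cpu` and `next`. Separately, `set_user_cs` is called here whenever base or limit differ, while the `else` branch in the following hunk also tests `MF_PAX_PAGEEXEC` and `nx_enabled`; if that asymmetry is intentional it deserves a comment. `switch_mm` begins and ends outside this hunk.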
9454 @@ -64,11 +119,28 @@ static inline void switch_mm(struct mm_s
9455 * tlb flush IPI delivery. We must reload CR3
9456 * to make sure to use no freed page tables.
9457 */
9458 +
9459 +#ifndef CONFIG_PAX_PER_CPU_PGD
9460 load_cr3(next->pgd);
9461 +#endif
9462 +
9463 load_LDT_nolock(&next->context);
9464 +
9465 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
9466 + if (!nx_enabled)
9467 + cpu_set(cpu, next->context.cpu_user_cs_mask);
9468 +#endif
9469 +
9470 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
9471 +#ifdef CONFIG_PAX_PAGEEXEC
9472 + if (!((next->pax_flags & MF_PAX_PAGEEXEC) && nx_enabled))
9473 +#endif
9474 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
9475 +#endif
9476 +
9477 }
9478 - }
9479 #endif
9480 + }
9481 }
9482
9483 #define activate_mm(prev, next) \
9484 diff -urNp linux-2.6.32.46/arch/x86/include/asm/mmu.h linux-2.6.32.46/arch/x86/include/asm/mmu.h
9485 --- linux-2.6.32.46/arch/x86/include/asm/mmu.h 2011-03-27 14:31:47.000000000 -0400
9486 +++ linux-2.6.32.46/arch/x86/include/asm/mmu.h 2011-04-17 15:56:46.000000000 -0400
9487 @@ -9,10 +9,23 @@
9488 * we put the segment information here.
9489 */
9490 typedef struct {
9491 - void *ldt;
9492 + struct desc_struct *ldt;
9493 int size;
9494 struct mutex lock;
9495 - void *vdso;
9496 + unsigned long vdso;
9497 +
9498 +#ifdef CONFIG_X86_32
9499 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
9500 + unsigned long user_cs_base;
9501 + unsigned long user_cs_limit;
9502 +
9503 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
9504 + cpumask_t cpu_user_cs_mask;
9505 +#endif
9506 +
9507 +#endif
9508 +#endif
9509 +
9510 } mm_context_t;
9511
9512 #ifdef CONFIG_SMP
9513 diff -urNp linux-2.6.32.46/arch/x86/include/asm/module.h linux-2.6.32.46/arch/x86/include/asm/module.h
9514 --- linux-2.6.32.46/arch/x86/include/asm/module.h 2011-03-27 14:31:47.000000000 -0400
9515 +++ linux-2.6.32.46/arch/x86/include/asm/module.h 2011-10-06 09:45:50.000000000 -0400
9516 @@ -5,6 +5,7 @@
9517
9518 #ifdef CONFIG_X86_64
9519 /* X86_64 does not define MODULE_PROC_FAMILY */
9520 +#define MODULE_PROC_FAMILY ""
9521 #elif defined CONFIG_M386
9522 #define MODULE_PROC_FAMILY "386 "
9523 #elif defined CONFIG_M486
9524 @@ -59,13 +60,42 @@
9525 #error unknown processor family
9526 #endif
9527
9528 -#ifdef CONFIG_X86_32
9529 -# ifdef CONFIG_4KSTACKS
9530 -# define MODULE_STACKSIZE "4KSTACKS "
9531 -# else
9532 -# define MODULE_STACKSIZE ""
9533 -# endif
9534 -# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE
9535 +#if defined(CONFIG_X86_32) && defined(CONFIG_4KSTACKS)
9536 +#define MODULE_STACKSIZE "4KSTACKS "
9537 +#else
9538 +#define MODULE_STACKSIZE ""
9539 #endif
9540
9541 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9542 +#define MODULE_PAX_UDEREF "UDEREF "
9543 +#else
9544 +#define MODULE_PAX_UDEREF ""
9545 +#endif
9546 +
9547 +#ifdef CONFIG_PAX_KERNEXEC
9548 +#define MODULE_PAX_KERNEXEC "KERNEXEC "
9549 +#else
9550 +#define MODULE_PAX_KERNEXEC ""
9551 +#endif
9552 +
9553 +#ifdef CONFIG_PAX_REFCOUNT
9554 +#define MODULE_PAX_REFCOUNT "REFCOUNT "
9555 +#else
9556 +#define MODULE_PAX_REFCOUNT ""
9557 +#endif
9558 +
9559 +#ifdef CONSTIFY_PLUGIN
9560 +#define MODULE_CONSTIFY_PLUGIN "CONSTIFY_PLUGIN "
9561 +#else
9562 +#define MODULE_CONSTIFY_PLUGIN ""
9563 +#endif
9564 +
9565 +#ifdef CONFIG_GRKERNSEC
9566 +#define MODULE_GRSEC "GRSECURITY "
9567 +#else
9568 +#define MODULE_GRSEC ""
9569 +#endif
9570 +
9571 +#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF MODULE_PAX_REFCOUNT MODULE_CONSTIFY_PLUGIN
9572 +
9573 #endif /* _ASM_X86_MODULE_H */
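Review bot: `#ifdef CONSTIFY_PLUGIN` tests a symbol without the `CONFIG_` prefix that every other new block in this hunk uses, and nothing here says where it is defined. If it is a `-D` flag passed by the build only when the plugin is active, a comment such as `/* CONSTIFY_PLUGIN comes from the compiler command line, not from Kconfig */` would save the next reader a search. The new strings also deserve one line on their purpose: adding the hardening options to MODULE_ARCH_VERMAGIC makes the module loader reject modules whose version magic was built without the same options, and that is worth stating where the strings are defined.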
9574 diff -urNp linux-2.6.32.46/arch/x86/include/asm/page_64_types.h linux-2.6.32.46/arch/x86/include/asm/page_64_types.h
9575 --- linux-2.6.32.46/arch/x86/include/asm/page_64_types.h 2011-03-27 14:31:47.000000000 -0400
9576 +++ linux-2.6.32.46/arch/x86/include/asm/page_64_types.h 2011-04-17 15:56:46.000000000 -0400
9577 @@ -56,7 +56,7 @@ void copy_page(void *to, void *from);
9578
9579 /* duplicated to the one in bootmem.h */
9580 extern unsigned long max_pfn;
9581 -extern unsigned long phys_base;
9582 +extern const unsigned long phys_base;
9583
9584 extern unsigned long __phys_addr(unsigned long);
9585 #define __phys_reloc_hide(x) (x)
9586 diff -urNp linux-2.6.32.46/arch/x86/include/asm/paravirt.h linux-2.6.32.46/arch/x86/include/asm/paravirt.h
9587 --- linux-2.6.32.46/arch/x86/include/asm/paravirt.h 2011-03-27 14:31:47.000000000 -0400
9588 +++ linux-2.6.32.46/arch/x86/include/asm/paravirt.h 2011-08-23 21:36:48.000000000 -0400
9589 @@ -648,6 +648,18 @@ static inline void set_pgd(pgd_t *pgdp,
9590 val);
9591 }
9592
9593 +static inline void set_pgd_batched(pgd_t *pgdp, pgd_t pgd)
9594 +{
9595 + pgdval_t val = native_pgd_val(pgd);
9596 +
9597 + if (sizeof(pgdval_t) > sizeof(long))
9598 + PVOP_VCALL3(pv_mmu_ops.set_pgd_batched, pgdp,
9599 + val, (u64)val >> 32);
9600 + else
9601 + PVOP_VCALL2(pv_mmu_ops.set_pgd_batched, pgdp,
9602 + val);
9603 +}
9604 +
9605 static inline void pgd_clear(pgd_t *pgdp)
9606 {
9607 set_pgd(pgdp, __pgd(0));
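Review bot: set_pgd_batched() is added with no comment saying how it differs from set_pgd() directly above it, and the difference is security-relevant. Further down this patch, native_set_pgd() in pgtable_64.h wraps its store in pax_open_kernel()/pax_close_kernel(), while native_set_pgd_batched() does a bare `*pgdp = pgd;`. I would put a comment on this wrapper, on the native version and on the `set_pgd_batched` macro in pgtable.h, along the lines of `/* caller must already be inside a pax_open_kernel() section; this does not open the kernel itself */`. Without it the two look interchangeable, and using the batched form outside an open section would presumably fault on a write-protected page table under KERNEXEC.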
9608 @@ -729,6 +741,21 @@ static inline void __set_fixmap(unsigned
9609 pv_mmu_ops.set_fixmap(idx, phys, flags);
9610 }
9611
9612 +#ifdef CONFIG_PAX_KERNEXEC
9613 +static inline unsigned long pax_open_kernel(void)
9614 +{
9615 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel);
9616 +}
9617 +
9618 +static inline unsigned long pax_close_kernel(void)
9619 +{
9620 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel);
9621 +}
9622 +#else
9623 +static inline unsigned long pax_open_kernel(void) { return 0; }
9624 +static inline unsigned long pax_close_kernel(void) { return 0; }
9625 +#endif
9626 +
9627 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
9628
9629 static inline int __raw_spin_is_locked(struct raw_spinlock *lock)
9630 @@ -945,7 +972,7 @@ extern void default_banner(void);
9631
9632 #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
9633 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
9634 -#define PARA_INDIRECT(addr) *%cs:addr
9635 +#define PARA_INDIRECT(addr) *%ss:addr
9636 #endif
9637
9638 #define INTERRUPT_RETURN \
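Review bot: The segment override in PARA_INDIRECT changes from `%cs` to `%ss` unconditionally for this variant (the 32-bit one, judging by `.long, 4`), not only under CONFIG_PAX_KERNEXEC, and no comment gives the reason. Presumably the kernel code segment no longer shares its base with the data segments once KERNEXEC is enabled, so a `%cs`-relative load of the ops pointer would read the wrong address. If that is the reason it should be recorded next to the macro, e.g. `/* ops tables are data: reach them through %ss rather than %cs */`. The enclosing #if/#else block starts above the hunk.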
9639 @@ -1022,6 +1049,21 @@ extern void default_banner(void);
9640 PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), \
9641 CLBR_NONE, \
9642 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
9643 +
9644 +#define GET_CR0_INTO_RDI \
9645 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
9646 + mov %rax,%rdi
9647 +
9648 +#define SET_RDI_INTO_CR0 \
9649 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
9650 +
9651 +#define GET_CR3_INTO_RDI \
9652 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \
9653 + mov %rax,%rdi
9654 +
9655 +#define SET_RDI_INTO_CR3 \
9656 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3)
9657 +
9658 #endif /* CONFIG_X86_32 */
9659
9660 #endif /* __ASSEMBLY__ */
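Review bot: The four new macros issue `call PARA_INDIRECT(...)` directly, whereas the macro just above them in this hunk wraps its instruction in `PARA_SITE(PARA_PATCH(...), CLBR_NONE, ...)`; as written these calls are not registered as patch sites and declare no clobber set. If that is intentional, say so and list what a user of the macro must treat as clobbered, for example `/* not a patch site: always an indirect call; clobbers %rax and %rdi plus, presumably, the caller-saved registers of the pv op */`. These macros handle CR0 and CR3, so whoever uses them from entry code needs that contract spelled out rather than inferred.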
9661 diff -urNp linux-2.6.32.46/arch/x86/include/asm/paravirt_types.h linux-2.6.32.46/arch/x86/include/asm/paravirt_types.h
9662 --- linux-2.6.32.46/arch/x86/include/asm/paravirt_types.h 2011-03-27 14:31:47.000000000 -0400
9663 +++ linux-2.6.32.46/arch/x86/include/asm/paravirt_types.h 2011-08-23 20:24:19.000000000 -0400
9664 @@ -78,19 +78,19 @@ struct pv_init_ops {
9665 */
9666 unsigned (*patch)(u8 type, u16 clobber, void *insnbuf,
9667 unsigned long addr, unsigned len);
9668 -};
9669 +} __no_const;
9670
9671
9672 struct pv_lazy_ops {
9673 /* Set deferred update mode, used for batching operations. */
9674 void (*enter)(void);
9675 void (*leave)(void);
9676 -};
9677 +} __no_const;
9678
9679 struct pv_time_ops {
9680 unsigned long long (*sched_clock)(void);
9681 unsigned long (*get_tsc_khz)(void);
9682 -};
9683 +} __no_const;
9684
9685 struct pv_cpu_ops {
9686 /* hooks for various privileged instructions */
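Review bot: `__no_const` is attached to pv_init_ops, pv_lazy_ops and pv_time_ops here, and to pv_cpu_ops, pv_apic_ops and pv_lock_ops in the later hunks of this file, without a word on why each table has to stay writable. The attribute's definition is not visible, but it is presumably the opt-out from the constify plugin. These are tables of function pointers for privileged operations, so each exempted table remains writable kernel data through which control flow can be redirected. A comment per struct naming the code that writes to it after initialisation would let a reviewer confirm the exemption is needed. pv_mmu_ops closes with a plain `};` in a later hunk, and it would help to state whether that is deliberate.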
9687 @@ -186,7 +186,7 @@ struct pv_cpu_ops {
9688
9689 void (*start_context_switch)(struct task_struct *prev);
9690 void (*end_context_switch)(struct task_struct *next);
9691 -};
9692 +} __no_const;
9693
9694 struct pv_irq_ops {
9695 /*
9696 @@ -217,7 +217,7 @@ struct pv_apic_ops {
9697 unsigned long start_eip,
9698 unsigned long start_esp);
9699 #endif
9700 -};
9701 +} __no_const;
9702
9703 struct pv_mmu_ops {
9704 unsigned long (*read_cr2)(void);
9705 @@ -301,6 +301,7 @@ struct pv_mmu_ops {
9706 struct paravirt_callee_save make_pud;
9707
9708 void (*set_pgd)(pgd_t *pudp, pgd_t pgdval);
9709 + void (*set_pgd_batched)(pgd_t *pudp, pgd_t pgdval);
9710 #endif /* PAGETABLE_LEVELS == 4 */
9711 #endif /* PAGETABLE_LEVELS >= 3 */
9712
9713 @@ -316,6 +317,12 @@ struct pv_mmu_ops {
9714 an mfn. We can tell which is which from the index. */
9715 void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
9716 phys_addr_t phys, pgprot_t flags);
9717 +
9718 +#ifdef CONFIG_PAX_KERNEXEC
9719 + unsigned long (*pax_open_kernel)(void);
9720 + unsigned long (*pax_close_kernel)(void);
9721 +#endif
9722 +
9723 };
9724
9725 struct raw_spinlock;
9726 @@ -326,7 +333,7 @@ struct pv_lock_ops {
9727 void (*spin_lock_flags)(struct raw_spinlock *lock, unsigned long flags);
9728 int (*spin_trylock)(struct raw_spinlock *lock);
9729 void (*spin_unlock)(struct raw_spinlock *lock);
9730 -};
9731 +} __no_const;
9732
9733 /* This contains all the paravirt structures: we get a convenient
9734 * number for each function using the offset which we use to indicate
9735 diff -urNp linux-2.6.32.46/arch/x86/include/asm/pci_x86.h linux-2.6.32.46/arch/x86/include/asm/pci_x86.h
9736 --- linux-2.6.32.46/arch/x86/include/asm/pci_x86.h 2011-03-27 14:31:47.000000000 -0400
9737 +++ linux-2.6.32.46/arch/x86/include/asm/pci_x86.h 2011-04-17 15:56:46.000000000 -0400
9738 @@ -89,16 +89,16 @@ extern int (*pcibios_enable_irq)(struct
9739 extern void (*pcibios_disable_irq)(struct pci_dev *dev);
9740
9741 struct pci_raw_ops {
9742 - int (*read)(unsigned int domain, unsigned int bus, unsigned int devfn,
9743 + int (* const read)(unsigned int domain, unsigned int bus, unsigned int devfn,
9744 int reg, int len, u32 *val);
9745 - int (*write)(unsigned int domain, unsigned int bus, unsigned int devfn,
9746 + int (* const write)(unsigned int domain, unsigned int bus, unsigned int devfn,
9747 int reg, int len, u32 val);
9748 };
9749
9750 -extern struct pci_raw_ops *raw_pci_ops;
9751 -extern struct pci_raw_ops *raw_pci_ext_ops;
9752 +extern const struct pci_raw_ops *raw_pci_ops;
9753 +extern const struct pci_raw_ops *raw_pci_ext_ops;
9754
9755 -extern struct pci_raw_ops pci_direct_conf1;
9756 +extern const struct pci_raw_ops pci_direct_conf1;
9757 extern bool port_cf9_safe;
9758
9759 /* arch_initcall level */
9760 diff -urNp linux-2.6.32.46/arch/x86/include/asm/percpu.h linux-2.6.32.46/arch/x86/include/asm/percpu.h
9761 --- linux-2.6.32.46/arch/x86/include/asm/percpu.h 2011-03-27 14:31:47.000000000 -0400
9762 +++ linux-2.6.32.46/arch/x86/include/asm/percpu.h 2011-08-17 19:33:59.000000000 -0400
9763 @@ -78,6 +78,7 @@ do { \
9764 if (0) { \
9765 T__ tmp__; \
9766 tmp__ = (val); \
9767 + (void)tmp__; \
9768 } \
9769 switch (sizeof(var)) { \
9770 case 1: \
9771 diff -urNp linux-2.6.32.46/arch/x86/include/asm/pgalloc.h linux-2.6.32.46/arch/x86/include/asm/pgalloc.h
9772 --- linux-2.6.32.46/arch/x86/include/asm/pgalloc.h 2011-03-27 14:31:47.000000000 -0400
9773 +++ linux-2.6.32.46/arch/x86/include/asm/pgalloc.h 2011-04-17 15:56:46.000000000 -0400
9774 @@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(s
9775 pmd_t *pmd, pte_t *pte)
9776 {
9777 paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
9778 + set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
9779 +}
9780 +
9781 +static inline void pmd_populate_user(struct mm_struct *mm,
9782 + pmd_t *pmd, pte_t *pte)
9783 +{
9784 + paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
9785 set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
9786 }
9787
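Review bot: pmd_populate_kernel() now installs the page table with `_KERNPG_TABLE` and the previous `_PAGE_TABLE` behaviour moves to the new pmd_populate_user(), but neither function has a comment saying which one a caller must use. The distinction is the point of the change: `_PAGE_TABLE` presumably includes `_PAGE_USER`, so kernel page tables stop carrying the user bit at this level. A wrong choice either leaves the user bit set on a kernel page-table entry or makes a user mapping unreachable. I would add `/* kernel mappings only: entry is created without _PAGE_USER */` above pmd_populate_kernel() and `/* user address space: entry carries _PAGE_USER */` above pmd_populate_user(). pmd_populate_kernel() begins above the hunk and its callers are not visible, so they need checking against the new split.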
9788 diff -urNp linux-2.6.32.46/arch/x86/include/asm/pgtable-2level.h linux-2.6.32.46/arch/x86/include/asm/pgtable-2level.h
9789 --- linux-2.6.32.46/arch/x86/include/asm/pgtable-2level.h 2011-03-27 14:31:47.000000000 -0400
9790 +++ linux-2.6.32.46/arch/x86/include/asm/pgtable-2level.h 2011-04-17 15:56:46.000000000 -0400
9791 @@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t
9792
9793 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
9794 {
9795 + pax_open_kernel();
9796 *pmdp = pmd;
9797 + pax_close_kernel();
9798 }
9799
9800 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
9801 diff -urNp linux-2.6.32.46/arch/x86/include/asm/pgtable_32.h linux-2.6.32.46/arch/x86/include/asm/pgtable_32.h
9802 --- linux-2.6.32.46/arch/x86/include/asm/pgtable_32.h 2011-03-27 14:31:47.000000000 -0400
9803 +++ linux-2.6.32.46/arch/x86/include/asm/pgtable_32.h 2011-04-17 15:56:46.000000000 -0400
9804 @@ -26,9 +26,6 @@
9805 struct mm_struct;
9806 struct vm_area_struct;
9807
9808 -extern pgd_t swapper_pg_dir[1024];
9809 -extern pgd_t trampoline_pg_dir[1024];
9810 -
9811 static inline void pgtable_cache_init(void) { }
9812 static inline void check_pgt_cache(void) { }
9813 void paging_init(void);
9814 @@ -49,6 +46,12 @@ extern void set_pmd_pfn(unsigned long, u
9815 # include <asm/pgtable-2level.h>
9816 #endif
9817
9818 +extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
9819 +extern pgd_t trampoline_pg_dir[PTRS_PER_PGD];
9820 +#ifdef CONFIG_X86_PAE
9821 +extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
9822 +#endif
9823 +
9824 #if defined(CONFIG_HIGHPTE)
9825 #define __KM_PTE \
9826 (in_nmi() ? KM_NMI_PTE : \
9827 @@ -73,7 +76,9 @@ extern void set_pmd_pfn(unsigned long, u
9828 /* Clear a kernel PTE and flush it from the TLB */
9829 #define kpte_clear_flush(ptep, vaddr) \
9830 do { \
9831 + pax_open_kernel(); \
9832 pte_clear(&init_mm, (vaddr), (ptep)); \
9833 + pax_close_kernel(); \
9834 __flush_tlb_one((vaddr)); \
9835 } while (0)
9836
9837 @@ -85,6 +90,9 @@ do { \
9838
9839 #endif /* !__ASSEMBLY__ */
9840
9841 +#define HAVE_ARCH_UNMAPPED_AREA
9842 +#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
9843 +
9844 /*
9845 * kern_addr_valid() is (1) for FLATMEM and (0) for
9846 * SPARSEMEM and DISCONTIGMEM
9847 diff -urNp linux-2.6.32.46/arch/x86/include/asm/pgtable_32_types.h linux-2.6.32.46/arch/x86/include/asm/pgtable_32_types.h
9848 --- linux-2.6.32.46/arch/x86/include/asm/pgtable_32_types.h 2011-03-27 14:31:47.000000000 -0400
9849 +++ linux-2.6.32.46/arch/x86/include/asm/pgtable_32_types.h 2011-04-17 15:56:46.000000000 -0400
9850 @@ -8,7 +8,7 @@
9851 */
9852 #ifdef CONFIG_X86_PAE
9853 # include <asm/pgtable-3level_types.h>
9854 -# define PMD_SIZE (1UL << PMD_SHIFT)
9855 +# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
9856 # define PMD_MASK (~(PMD_SIZE - 1))
9857 #else
9858 # include <asm/pgtable-2level_types.h>
9859 @@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set
9860 # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
9861 #endif
9862
9863 +#ifdef CONFIG_PAX_KERNEXEC
9864 +#ifndef __ASSEMBLY__
9865 +extern unsigned char MODULES_EXEC_VADDR[];
9866 +extern unsigned char MODULES_EXEC_END[];
9867 +#endif
9868 +#include <asm/boot.h>
9869 +#define ktla_ktva(addr) (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
9870 +#define ktva_ktla(addr) (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
9871 +#else
9872 +#define ktla_ktva(addr) (addr)
9873 +#define ktva_ktla(addr) (addr)
9874 +#endif
9875 +
9876 #define MODULES_VADDR VMALLOC_START
9877 #define MODULES_END VMALLOC_END
9878 #define MODULES_LEN (MODULES_VADDR - MODULES_END)
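Review bot: The KERNEXEC variants of `ktla_ktva` and `ktva_ktla` use their argument unparenthesised, so an argument containing an operator of lower precedence than `+`/`-` (a `&` mask, a `?:`) is grouped with the offset instead of being evaluated first. They should read `#define ktla_ktva(addr) ((addr) + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)` and `#define ktva_ktla(addr) ((addr) - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)`. A one-line comment expanding the two abbreviations would also help; they appear to convert between two views of a kernel text address, and a translation applied in the wrong direction yields an address of unrelated memory.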
9879 diff -urNp linux-2.6.32.46/arch/x86/include/asm/pgtable-3level.h linux-2.6.32.46/arch/x86/include/asm/pgtable-3level.h
9880 --- linux-2.6.32.46/arch/x86/include/asm/pgtable-3level.h 2011-03-27 14:31:47.000000000 -0400
9881 +++ linux-2.6.32.46/arch/x86/include/asm/pgtable-3level.h 2011-04-17 15:56:46.000000000 -0400
9882 @@ -38,12 +38,16 @@ static inline void native_set_pte_atomic
9883
9884 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
9885 {
9886 + pax_open_kernel();
9887 set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
9888 + pax_close_kernel();
9889 }
9890
9891 static inline void native_set_pud(pud_t *pudp, pud_t pud)
9892 {
9893 + pax_open_kernel();
9894 set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
9895 + pax_close_kernel();
9896 }
9897
9898 /*
9899 diff -urNp linux-2.6.32.46/arch/x86/include/asm/pgtable_64.h linux-2.6.32.46/arch/x86/include/asm/pgtable_64.h
9900 --- linux-2.6.32.46/arch/x86/include/asm/pgtable_64.h 2011-03-27 14:31:47.000000000 -0400
9901 +++ linux-2.6.32.46/arch/x86/include/asm/pgtable_64.h 2011-08-23 20:24:19.000000000 -0400
9902 @@ -16,10 +16,13 @@
9903
9904 extern pud_t level3_kernel_pgt[512];
9905 extern pud_t level3_ident_pgt[512];
9906 +extern pud_t level3_vmalloc_pgt[512];
9907 +extern pud_t level3_vmemmap_pgt[512];
9908 +extern pud_t level2_vmemmap_pgt[512];
9909 extern pmd_t level2_kernel_pgt[512];
9910 extern pmd_t level2_fixmap_pgt[512];
9911 -extern pmd_t level2_ident_pgt[512];
9912 -extern pgd_t init_level4_pgt[];
9913 +extern pmd_t level2_ident_pgt[512*2];
9914 +extern pgd_t init_level4_pgt[512];
9915
9916 #define swapper_pg_dir init_level4_pgt
9917
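Review bot: `extern pud_t level2_vmemmap_pgt[512];` declares a level-2 table with the level-3 entry type, while every other `level2_*` table in this hunk is `pmd_t` and every `level3_*` table is `pud_t`. Unless the definition (not visible here) really is an array of pud_t, this should be `extern pmd_t level2_vmemmap_pgt[512];`. The two types are presumably the same size, so the mismatch would go unnoticed at build time, but C code would then use the wrong accessors on the entries. Separately, `level2_ident_pgt[512*2]` and `init_level4_pgt[512]` now hard-code sizes that must match wherever the tables are defined; a comment pointing at that definition would keep them in step.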
9918 @@ -74,7 +77,9 @@ static inline pte_t native_ptep_get_and_
9919
9920 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
9921 {
9922 + pax_open_kernel();
9923 *pmdp = pmd;
9924 + pax_close_kernel();
9925 }
9926
9927 static inline void native_pmd_clear(pmd_t *pmd)
9928 @@ -94,6 +99,13 @@ static inline void native_pud_clear(pud_
9929
9930 static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
9931 {
9932 + pax_open_kernel();
9933 + *pgdp = pgd;
9934 + pax_close_kernel();
9935 +}
9936 +
9937 +static inline void native_set_pgd_batched(pgd_t *pgdp, pgd_t pgd)
9938 +{
9939 *pgdp = pgd;
9940 }
9941
9942 diff -urNp linux-2.6.32.46/arch/x86/include/asm/pgtable_64_types.h linux-2.6.32.46/arch/x86/include/asm/pgtable_64_types.h
9943 --- linux-2.6.32.46/arch/x86/include/asm/pgtable_64_types.h 2011-03-27 14:31:47.000000000 -0400
9944 +++ linux-2.6.32.46/arch/x86/include/asm/pgtable_64_types.h 2011-04-17 15:56:46.000000000 -0400
9945 @@ -59,5 +59,10 @@ typedef struct { pteval_t pte; } pte_t;
9946 #define MODULES_VADDR _AC(0xffffffffa0000000, UL)
9947 #define MODULES_END _AC(0xffffffffff000000, UL)
9948 #define MODULES_LEN (MODULES_END - MODULES_VADDR)
9949 +#define MODULES_EXEC_VADDR MODULES_VADDR
9950 +#define MODULES_EXEC_END MODULES_END
9951 +
9952 +#define ktla_ktva(addr) (addr)
9953 +#define ktva_ktla(addr) (addr)
9954
9955 #endif /* _ASM_X86_PGTABLE_64_DEFS_H */
9956 diff -urNp linux-2.6.32.46/arch/x86/include/asm/pgtable.h linux-2.6.32.46/arch/x86/include/asm/pgtable.h
9957 --- linux-2.6.32.46/arch/x86/include/asm/pgtable.h 2011-03-27 14:31:47.000000000 -0400
9958 +++ linux-2.6.32.46/arch/x86/include/asm/pgtable.h 2011-08-23 20:24:19.000000000 -0400
9959 @@ -39,6 +39,7 @@ extern struct list_head pgd_list;
9960
9961 #ifndef __PAGETABLE_PUD_FOLDED
9962 #define set_pgd(pgdp, pgd) native_set_pgd(pgdp, pgd)
9963 +#define set_pgd_batched(pgdp, pgd) native_set_pgd_batched(pgdp, pgd)
9964 #define pgd_clear(pgd) native_pgd_clear(pgd)
9965 #endif
9966
9967 @@ -74,12 +75,51 @@ extern struct list_head pgd_list;
9968
9969 #define arch_end_context_switch(prev) do {} while(0)
9970
9971 +#define pax_open_kernel() native_pax_open_kernel()
9972 +#define pax_close_kernel() native_pax_close_kernel()
9973 #endif /* CONFIG_PARAVIRT */
9974
9975 +#define __HAVE_ARCH_PAX_OPEN_KERNEL
9976 +#define __HAVE_ARCH_PAX_CLOSE_KERNEL
9977 +
9978 +#ifdef CONFIG_PAX_KERNEXEC
9979 +static inline unsigned long native_pax_open_kernel(void)
9980 +{
9981 + unsigned long cr0;
9982 +
9983 + preempt_disable();
9984 + barrier();
9985 + cr0 = read_cr0() ^ X86_CR0_WP;
9986 + BUG_ON(unlikely(cr0 & X86_CR0_WP));
9987 + write_cr0(cr0);
9988 + return cr0 ^ X86_CR0_WP;
9989 +}
9990 +
9991 +static inline unsigned long native_pax_close_kernel(void)
9992 +{
9993 + unsigned long cr0;
9994 +
9995 + cr0 = read_cr0() ^ X86_CR0_WP;
9996 + BUG_ON(unlikely(!(cr0 & X86_CR0_WP)));
9997 + write_cr0(cr0);
9998 + barrier();
9999 + preempt_enable_no_resched();
10000 + return cr0 ^ X86_CR0_WP;
10001 +}
10002 +#else
10003 +static inline unsigned long native_pax_open_kernel(void) { return 0; }
10004 +static inline unsigned long native_pax_close_kernel(void) { return 0; }
10005 +#endif
10006 +
10007 /*
10008 * The following only work if pte_present() is true.
10009 * Undefined behaviour if not..
10010 */
10011 +static inline int pte_user(pte_t pte)
10012 +{
10013 + return pte_val(pte) & _PAGE_USER;
10014 +}
10015 +
10016 static inline int pte_dirty(pte_t pte)
10017 {
10018 return pte_flags(pte) & _PAGE_DIRTY;
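Review bot: native_pax_open_kernel() and native_pax_close_kernel() have no comment describing their contract, and the code implies a strict one. The BUG_ON() in open fires when CR0.WP is already clear, so sections cannot nest, and between open and close the CPU runs with preemption disabled and supervisor write protection off. The pair does not mask interrupts, so a handler that runs inside the window also runs without write protection and must not call pax_open_kernel() itself. I would document this above the two functions (short, non-nesting, non-sleeping sections, closed on every path) and say what the return value is for: as far as the XORs read, it is the CR0 value from before the toggle, and no caller in this part of the patch uses it.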
10019 @@ -167,9 +207,29 @@ static inline pte_t pte_wrprotect(pte_t
10020 return pte_clear_flags(pte, _PAGE_RW);
10021 }
10022
10023 +static inline pte_t pte_mkread(pte_t pte)
10024 +{
10025 + return __pte(pte_val(pte) | _PAGE_USER);
10026 +}
10027 +
10028 static inline pte_t pte_mkexec(pte_t pte)
10029 {
10030 - return pte_clear_flags(pte, _PAGE_NX);
10031 +#ifdef CONFIG_X86_PAE
10032 + if (__supported_pte_mask & _PAGE_NX)
10033 + return pte_clear_flags(pte, _PAGE_NX);
10034 + else
10035 +#endif
10036 + return pte_set_flags(pte, _PAGE_USER);
10037 +}
10038 +
10039 +static inline pte_t pte_exprotect(pte_t pte)
10040 +{
10041 +#ifdef CONFIG_X86_PAE
10042 + if (__supported_pte_mask & _PAGE_NX)
10043 + return pte_set_flags(pte, _PAGE_NX);
10044 + else
10045 +#endif
10046 + return pte_clear_flags(pte, _PAGE_USER);
10047 }
10048
10049 static inline pte_t pte_mkdirty(pte_t pte)
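Review bot: In pte_mkexec() and pte_exprotect() the NX branch is compiled only under `CONFIG_X86_PAE`, yet pgtable_types.h in this same patch treats `CONFIG_X86_64` and `CONFIG_X86_PAE` as separate symbols when it defines `_PAGE_NX`. If this header is also built for 64-bit, pte_mkexec() there never clears `_PAGE_NX` and pte_exprotect() never sets it; both fall through to toggling `_PAGE_USER`. Unless no 64-bit caller exists (callers are not visible here), the guard should be `#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)`. The `else` left dangling across `#endif` is also easy to break in a later edit; since the `if` branch returns, the `else` line can simply be dropped.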
10050 @@ -302,6 +362,15 @@ pte_t *populate_extra_pte(unsigned long
10051 #endif
10052
10053 #ifndef __ASSEMBLY__
10054 +
10055 +#ifdef CONFIG_PAX_PER_CPU_PGD
10056 +extern pgd_t cpu_pgd[NR_CPUS][PTRS_PER_PGD];
10057 +static inline pgd_t *get_cpu_pgd(unsigned int cpu)
10058 +{
10059 + return cpu_pgd[cpu];
10060 +}
10061 +#endif
10062 +
10063 #include <linux/mm_types.h>
10064
10065 static inline int pte_none(pte_t pte)
10066 @@ -472,7 +541,7 @@ static inline pud_t *pud_offset(pgd_t *p
10067
10068 static inline int pgd_bad(pgd_t pgd)
10069 {
10070 - return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
10071 + return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
10072 }
10073
10074 static inline int pgd_none(pgd_t pgd)
10075 @@ -495,7 +564,12 @@ static inline int pgd_none(pgd_t pgd)
10076 * pgd_offset() returns a (pgd_t *)
10077 * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
10078 */
10079 -#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address)))
10080 +#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
10081 +
10082 +#ifdef CONFIG_PAX_PER_CPU_PGD
10083 +#define pgd_offset_cpu(cpu, address) (get_cpu_pgd(cpu) + pgd_index(address))
10084 +#endif
10085 +
10086 /*
10087 * a shortcut which implies the use of the kernel's pgd, instead
10088 * of a process's
10089 @@ -506,6 +580,20 @@ static inline int pgd_none(pgd_t pgd)
10090 #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET)
10091 #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
10092
10093 +#ifdef CONFIG_X86_32
10094 +#define USER_PGD_PTRS KERNEL_PGD_BOUNDARY
10095 +#else
10096 +#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT
10097 +#define USER_PGD_PTRS (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT))
10098 +
10099 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10100 +#define PAX_USER_SHADOW_BASE (_AC(1,UL) << TASK_SIZE_MAX_SHIFT)
10101 +#else
10102 +#define PAX_USER_SHADOW_BASE (_AC(0,UL))
10103 +#endif
10104 +
10105 +#endif
10106 +
10107 #ifndef __ASSEMBLY__
10108
10109 extern int direct_gbpages;
10110 @@ -611,11 +699,23 @@ static inline void ptep_set_wrprotect(st
10111 * dst and src can be on the same page, but the range must not overlap,
10112 * and must not cross a page boundary.
10113 */
10114 -static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
10115 +static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
10116 {
10117 - memcpy(dst, src, count * sizeof(pgd_t));
10118 + pax_open_kernel();
10119 + while (count--)
10120 + *dst++ = *src++;
10121 + pax_close_kernel();
10122 }
10123
10124 +#ifdef CONFIG_PAX_PER_CPU_PGD
10125 +extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count);
10126 +#endif
10127 +
10128 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10129 +extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count);
10130 +#else
10131 +static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) {}
10132 +#endif
10133
10134 #include <asm-generic/pgtable.h>
10135 #endif /* __ASSEMBLY__ */
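Review bot: The memcpy() in clone_pgd_range() is replaced by an open-coded loop with no comment on why, and the existing comment above the function still describes only the overlap and page-boundary rules. Presumably the intent is that each entry is written as one pgd_t-sized store inside the pax_open_kernel() section rather than with whatever access size memcpy() picks; if so, say that, because the next cleanup pass is likely to turn the loop back into memcpy(). The loop also depends on `count` being non-negative; `while (count-- > 0)` costs nothing and bounds the time spent with write protection off. The function's doc comment starts above the hunk.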
10136 diff -urNp linux-2.6.32.46/arch/x86/include/asm/pgtable_types.h linux-2.6.32.46/arch/x86/include/asm/pgtable_types.h
10137 --- linux-2.6.32.46/arch/x86/include/asm/pgtable_types.h 2011-03-27 14:31:47.000000000 -0400
10138 +++ linux-2.6.32.46/arch/x86/include/asm/pgtable_types.h 2011-04-17 15:56:46.000000000 -0400
10139 @@ -16,12 +16,11 @@
10140 #define _PAGE_BIT_PSE 7 /* 4 MB (or 2MB) page */
10141 #define _PAGE_BIT_PAT 7 /* on 4KB pages */
10142 #define _PAGE_BIT_GLOBAL 8 /* Global TLB entry PPro+ */
10143 -#define _PAGE_BIT_UNUSED1 9 /* available for programmer */
10144 +#define _PAGE_BIT_SPECIAL 9 /* special mappings, no associated struct page */
10145 #define _PAGE_BIT_IOMAP 10 /* flag used to indicate IO mapping */
10146 #define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */
10147 #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */
10148 -#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1
10149 -#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1
10150 +#define _PAGE_BIT_CPA_TEST _PAGE_BIT_SPECIAL
10151 #define _PAGE_BIT_NX 63 /* No execute: only valid after cpuid check */
10152
10153 /* If _PAGE_BIT_PRESENT is clear, we use these: */
10154 @@ -39,7 +38,6 @@
10155 #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
10156 #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
10157 #define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
10158 -#define _PAGE_UNUSED1 (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
10159 #define _PAGE_IOMAP (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
10160 #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
10161 #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
10162 @@ -55,8 +53,10 @@
10163
10164 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
10165 #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
10166 -#else
10167 +#elif defined(CONFIG_KMEMCHECK)
10168 #define _PAGE_NX (_AT(pteval_t, 0))
10169 +#else
10170 +#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
10171 #endif
10172
10173 #define _PAGE_FILE (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
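Review bot: The new `#else` branch gives `_PAGE_NX` the value of `_PAGE_BIT_HIDDEN` on 32-bit non-PAE builds, and the definition documents neither consequence. `_PAGE_NX` is no longer zero where the page-table format has no NX bit, so code that equates a non-zero `_PAGE_NX` with hardware support now gets the wrong answer; the test has to be `__supported_pte_mask & _PAGE_NX`, as pte_mkexec() in pgtable.h does. The bit is also shared with kmemcheck's hidden flag, and only the `#elif defined(CONFIG_KMEMCHECK)` here keeps the two apart. A comment such as `/* software no-exec marker for non-PAE; reuses the kmemcheck HIDDEN bit, so the two are mutually exclusive */` would make both points visible, assuming that is the intent.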
10174 @@ -93,6 +93,9 @@
10175 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
10176 _PAGE_ACCESSED)
10177
10178 +#define PAGE_READONLY_NOEXEC PAGE_READONLY
10179 +#define PAGE_SHARED_NOEXEC PAGE_SHARED
10180 +
10181 #define __PAGE_KERNEL_EXEC \
10182 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
10183 #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
10184 @@ -103,8 +106,8 @@
10185 #define __PAGE_KERNEL_WC (__PAGE_KERNEL | _PAGE_CACHE_WC)
10186 #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
10187 #define __PAGE_KERNEL_UC_MINUS (__PAGE_KERNEL | _PAGE_PCD)
10188 -#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
10189 -#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)
10190 +#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
10191 +#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER)
10192 #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
10193 #define __PAGE_KERNEL_LARGE_NOCACHE (__PAGE_KERNEL | _PAGE_CACHE_UC | _PAGE_PSE)
10194 #define __PAGE_KERNEL_LARGE_EXEC (__PAGE_KERNEL_EXEC | _PAGE_PSE)
10195 @@ -163,8 +166,8 @@
10196 * bits are combined, this will alow user to access the high address mapped
10197 * VDSO in the presence of CONFIG_COMPAT_VDSO
10198 */
10199 -#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
10200 -#define PDE_IDENT_ATTR 0x067 /* PRESENT+RW+USER+DIRTY+ACCESSED */
10201 +#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
10202 +#define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
10203 #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
10204 #endif
10205
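Review bot: PDE_IDENT_ATTR drops the USER bit (0x067 to 0x063), but the comment directly above it still says the combined bits "will alow user to access the high address mapped VDSO in the presence of CONFIG_COMPAT_VDSO". After this change that statement no longer describes the identity-mapped page directory entries. Either the comment should be rewritten to say user access is intentionally removed, or the interaction with CONFIG_COMPAT_VDSO has to be excluded somewhere not visible in this hunk. PTE_IDENT_ATTR also gains DIRTY and ACCESSED; the inline comments were updated for that, but the reason (presumably to stop the CPU writing those bits back into page tables that are read-only) is worth one line. The block comment starts above the hunk.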
10206 @@ -202,7 +205,17 @@ static inline pgdval_t pgd_flags(pgd_t p
10207 {
10208 return native_pgd_val(pgd) & PTE_FLAGS_MASK;
10209 }
10210 +#endif
10211
10212 +#if PAGETABLE_LEVELS == 3
10213 +#include <asm-generic/pgtable-nopud.h>
10214 +#endif
10215 +
10216 +#if PAGETABLE_LEVELS == 2
10217 +#include <asm-generic/pgtable-nopmd.h>
10218 +#endif
10219 +
10220 +#ifndef __ASSEMBLY__
10221 #if PAGETABLE_LEVELS > 3
10222 typedef struct { pudval_t pud; } pud_t;
10223
10224 @@ -216,8 +229,6 @@ static inline pudval_t native_pud_val(pu
10225 return pud.pud;
10226 }
10227 #else
10228 -#include <asm-generic/pgtable-nopud.h>
10229 -
10230 static inline pudval_t native_pud_val(pud_t pud)
10231 {
10232 return native_pgd_val(pud.pgd);
10233 @@ -237,8 +248,6 @@ static inline pmdval_t native_pmd_val(pm
10234 return pmd.pmd;
10235 }
10236 #else
10237 -#include <asm-generic/pgtable-nopmd.h>
10238 -
10239 static inline pmdval_t native_pmd_val(pmd_t pmd)
10240 {
10241 return native_pgd_val(pmd.pud.pgd);
10242 @@ -278,7 +287,16 @@ typedef struct page *pgtable_t;
10243
10244 extern pteval_t __supported_pte_mask;
10245 extern void set_nx(void);
10246 +
10247 +#ifdef CONFIG_X86_32
10248 +#ifdef CONFIG_X86_PAE
10249 extern int nx_enabled;
10250 +#else
10251 +#define nx_enabled (0)
10252 +#endif
10253 +#else
10254 +#define nx_enabled (1)
10255 +#endif
10256
10257 #define pgprot_writecombine pgprot_writecombine
10258 extern pgprot_t pgprot_writecombine(pgprot_t prot);
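Review bot: `nx_enabled` becomes the constant `(1)` on 64-bit and `(0)` on 32-bit non-PAE, while `__supported_pte_mask` two lines above remains a runtime value and `set_nx()` is still declared. If NX can be absent or switched off at boot on 64-bit, which cannot be judged from this hunk, readers of `nx_enabled` will disagree with the mask that is actually applied to page-table entries. Either derive it, e.g. `#define nx_enabled (!!(__supported_pte_mask & _PAGE_NX))`, or add a comment stating that NX is assumed always present on 64-bit with this patch. A macro that looks like a variable also breaks any remaining assignment to it, so the definition site in the .c file needs the same #ifdef.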
10259 diff -urNp linux-2.6.32.46/arch/x86/include/asm/processor.h linux-2.6.32.46/arch/x86/include/asm/processor.h
10260 --- linux-2.6.32.46/arch/x86/include/asm/processor.h 2011-04-22 19:16:29.000000000 -0400
10261 +++ linux-2.6.32.46/arch/x86/include/asm/processor.h 2011-05-11 18:25:15.000000000 -0400
10262 @@ -272,7 +272,7 @@ struct tss_struct {
10263
10264 } ____cacheline_aligned;
10265
10266 -DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
10267 +extern struct tss_struct init_tss[NR_CPUS];
10268
10269 /*
10270 * Save the original ist values for checking stack pointers during debugging
10271 @@ -888,11 +888,18 @@ static inline void spin_lock_prefetch(co
10272 */
10273 #define TASK_SIZE PAGE_OFFSET
10274 #define TASK_SIZE_MAX TASK_SIZE
10275 +
10276 +#ifdef CONFIG_PAX_SEGMEXEC
10277 +#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
10278 +#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
10279 +#else
10280 #define STACK_TOP TASK_SIZE
10281 -#define STACK_TOP_MAX STACK_TOP
10282 +#endif
10283 +
10284 +#define STACK_TOP_MAX TASK_SIZE
10285
10286 #define INIT_THREAD { \
10287 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
10288 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
10289 .vm86_info = NULL, \
10290 .sysenter_cs = __KERNEL_CS, \
10291 .io_bitmap_ptr = NULL, \
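Review bot: Under CONFIG_PAX_SEGMEXEC, STACK_TOP now expands to an expression that dereferences `current->mm->pax_flags`, so it is no longer a constant and is valid only where `current->mm` is non-NULL. Its users are not visible in this hunk; any that can run in a kernel thread, or that use STACK_TOP in a static initialiser, would need auditing. A comment on the macro should state the precondition, e.g. `/* per-mm under SEGMEXEC: requires current->mm, use STACK_TOP_MAX for the absolute limit */`. The same hunk lowers `.sp0` in INIT_THREAD by 8 without comment; task_pt_regs() later in this file depends on that offset, so it needs a note here as well.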
10292 @@ -906,7 +913,7 @@ static inline void spin_lock_prefetch(co
10293 */
10294 #define INIT_TSS { \
10295 .x86_tss = { \
10296 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
10297 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
10298 .ss0 = __KERNEL_DS, \
10299 .ss1 = __KERNEL_CS, \
10300 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
10301 @@ -917,11 +924,7 @@ static inline void spin_lock_prefetch(co
10302 extern unsigned long thread_saved_pc(struct task_struct *tsk);
10303
10304 #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
10305 -#define KSTK_TOP(info) \
10306 -({ \
10307 - unsigned long *__ptr = (unsigned long *)(info); \
10308 - (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
10309 -})
10310 +#define KSTK_TOP(info) ((container_of(info, struct task_struct, tinfo))->thread.sp0)
10311
10312 /*
10313 * The below -8 is to reserve 8 bytes on top of the ring0 stack.
10314 @@ -936,7 +939,7 @@ extern unsigned long thread_saved_pc(str
10315 #define task_pt_regs(task) \
10316 ({ \
10317 struct pt_regs *__regs__; \
10318 - __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
10319 + __regs__ = (struct pt_regs *)((task)->thread.sp0); \
10320 __regs__ - 1; \
10321 })
10322
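Review bot: task_pt_regs() now takes the top of the register frame from `(task)->thread.sp0` with no adjustment, so it is correct only if every task's sp0 already has the reserved bytes subtracted. The INIT_THREAD and INIT_TSS hunks above do that for the initial task (`- 8`), but the code that sets sp0 for newly created tasks is not visible here and has to apply the same offset. The comment that precedes this macro (its first line is visible at the end of the previous hunk) still begins "The below -8 is to reserve 8 bytes on top of the ring0 stack", which no longer matches the code under it. I would reword it to something like `/* thread.sp0 already excludes the 8 bytes reserved at the top of the ring0 stack */`.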
10323 @@ -946,13 +949,13 @@ extern unsigned long thread_saved_pc(str
10324 /*
10325 * User space process size. 47bits minus one guard page.
10326 */
10327 -#define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE)
10328 +#define TASK_SIZE_MAX ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE)
10329
10330 /* This decides where the kernel will search for a free chunk of vm
10331 * space during mmap's.
10332 */
10333 #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
10334 - 0xc0000000 : 0xFFFFe000)
10335 + 0xc0000000 : 0xFFFFf000)
10336
10337 #define TASK_SIZE (test_thread_flag(TIF_IA32) ? \
10338 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
10339 @@ -963,11 +966,11 @@ extern unsigned long thread_saved_pc(str
10340 #define STACK_TOP_MAX TASK_SIZE_MAX
10341
10342 #define INIT_THREAD { \
10343 - .sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
10344 + .sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \
10345 }
10346
10347 #define INIT_TSS { \
10348 - .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
10349 + .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \
10350 }
10351
10352 /*
10353 @@ -989,6 +992,10 @@ extern void start_thread(struct pt_regs
10354 */
10355 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
10356
10357 +#ifdef CONFIG_PAX_SEGMEXEC
10358 +#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
10359 +#endif
10360 +
10361 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
10362
10363 /* Get/set a process' ability to use the timestamp counter instruction */
10364 diff -urNp linux-2.6.32.46/arch/x86/include/asm/ptrace.h linux-2.6.32.46/arch/x86/include/asm/ptrace.h
10365 --- linux-2.6.32.46/arch/x86/include/asm/ptrace.h 2011-03-27 14:31:47.000000000 -0400
10366 +++ linux-2.6.32.46/arch/x86/include/asm/ptrace.h 2011-04-17 15:56:46.000000000 -0400
10367 @@ -151,28 +151,29 @@ static inline unsigned long regs_return_
10368 }
10369
10370 /*
10371 - * user_mode_vm(regs) determines whether a register set came from user mode.
10372 + * user_mode(regs) determines whether a register set came from user mode.
10373 * This is true if V8086 mode was enabled OR if the register set was from
10374 * protected mode with RPL-3 CS value. This tricky test checks that with
10375 * one comparison. Many places in the kernel can bypass this full check
10376 - * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
10377 + * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
10378 + * be used.
10379 */
10380 -static inline int user_mode(struct pt_regs *regs)
10381 +static inline int user_mode_novm(struct pt_regs *regs)
10382 {
10383 #ifdef CONFIG_X86_32
10384 return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
10385 #else
10386 - return !!(regs->cs & 3);
10387 + return !!(regs->cs & SEGMENT_RPL_MASK);
10388 #endif
10389 }
10390
10391 -static inline int user_mode_vm(struct pt_regs *regs)
10392 +static inline int user_mode(struct pt_regs *regs)
10393 {
10394 #ifdef CONFIG_X86_32
10395 return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
10396 USER_RPL;
10397 #else
10398 - return user_mode(regs);
10399 + return user_mode_novm(regs);
10400 #endif
10401 }
10402
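Review bot: The block comment now sits directly above `user_mode_novm()` but describes `user_mode()`, so the cheaper helper has no statement of its own precondition. Because this hunk swaps which name performs the full V8086-aware test, a caller that picks `user_mode_novm()` without having ruled out V8086 mode gets the weaker check on 32-bit. I would add `/* Caller must already have excluded V8086 mode; tests only the CS RPL. */` above `user_mode_novm()` and move the existing comment down to `user_mode()`. On 64-bit the new `SEGMENT_RPL_MASK` form matches the old `& 3` only if the mask is 3, and that definition is outside this hunk.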
10403 diff -urNp linux-2.6.32.46/arch/x86/include/asm/reboot.h linux-2.6.32.46/arch/x86/include/asm/reboot.h
10404 --- linux-2.6.32.46/arch/x86/include/asm/reboot.h 2011-03-27 14:31:47.000000000 -0400
10405 +++ linux-2.6.32.46/arch/x86/include/asm/reboot.h 2011-08-05 20:33:55.000000000 -0400
10406 @@ -6,19 +6,19 @@
10407 struct pt_regs;
10408
10409 struct machine_ops {
10410 - void (*restart)(char *cmd);
10411 - void (*halt)(void);
10412 - void (*power_off)(void);
10413 + void (* __noreturn restart)(char *cmd);
10414 + void (* __noreturn halt)(void);
10415 + void (* __noreturn power_off)(void);
10416 void (*shutdown)(void);
10417 void (*crash_shutdown)(struct pt_regs *);
10418 - void (*emergency_restart)(void);
10419 -};
10420 + void (* __noreturn emergency_restart)(void);
10421 +} __no_const;
10422
10423 extern struct machine_ops machine_ops;
10424
10425 void native_machine_crash_shutdown(struct pt_regs *regs);
10426 void native_machine_shutdown(void);
10427 -void machine_real_restart(const unsigned char *code, int length);
10428 +void machine_real_restart(const unsigned char *code, unsigned int length) __noreturn;
10429
10430 typedef void (*nmi_shootdown_cb)(int, struct die_args*);
10431 void nmi_shootdown_cpus(nmi_shootdown_cb callback);
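Review bot: `__no_const` on `struct machine_ops` appears to exempt this table of function pointers from being made read-only, and the hunk gives no reason for the exemption. A writable pointer table behind restart, halt and power_off is the kind of target constification is meant to remove. A short comment on the closing line, naming which code assigns to `machine_ops` at runtime, would let a later reader judge whether the exemption is still needed; those writers are outside this hunk, so their existence is inferred. The change of `length` from `int` to `unsigned int` in `machine_real_restart()` also needs the definition and any caller passing a signed length to agree, which is not visible here.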
10432 diff -urNp linux-2.6.32.46/arch/x86/include/asm/rwsem.h linux-2.6.32.46/arch/x86/include/asm/rwsem.h
10433 --- linux-2.6.32.46/arch/x86/include/asm/rwsem.h 2011-03-27 14:31:47.000000000 -0400
10434 +++ linux-2.6.32.46/arch/x86/include/asm/rwsem.h 2011-04-17 15:56:46.000000000 -0400
10435 @@ -118,6 +118,14 @@ static inline void __down_read(struct rw
10436 {
10437 asm volatile("# beginning down_read\n\t"
10438 LOCK_PREFIX _ASM_INC "(%1)\n\t"
10439 +
10440 +#ifdef CONFIG_PAX_REFCOUNT
10441 + "jno 0f\n"
10442 + LOCK_PREFIX _ASM_DEC "(%1)\n\t"
10443 + "int $4\n0:\n"
10444 + _ASM_EXTABLE(0b, 0b)
10445 +#endif
10446 +
10447 /* adds 0x00000001, returns the old value */
10448 " jns 1f\n"
10449 " call call_rwsem_down_read_failed\n"
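Review bot: The inserted `CONFIG_PAX_REFCOUNT` sequence has no comment, and the same five lines are repeated by hand in every hunk of this file and in the rwlock hunks of spinlock.h, differing only in the undo instruction. A one-line comment at the first use, such as `/* PAX_REFCOUNT: on signed overflow undo the update and raise #OF via int $4 */`, or a shared macro taking the undo instruction as its argument, would make it harder for one copy to drift from the others. The existing `/* adds 0x00000001, returns the old value */` comment now follows the overflow block rather than the increment it describes, and would read better moved above the `#ifdef`. `__down_read()` starts before this hunk and continues after it.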
10450 @@ -139,6 +147,14 @@ static inline int __down_read_trylock(st
10451 "1:\n\t"
10452 " mov %1,%2\n\t"
10453 " add %3,%2\n\t"
10454 +
10455 +#ifdef CONFIG_PAX_REFCOUNT
10456 + "jno 0f\n"
10457 + "sub %3,%2\n"
10458 + "int $4\n0:\n"
10459 + _ASM_EXTABLE(0b, 0b)
10460 +#endif
10461 +
10462 " jle 2f\n\t"
10463 LOCK_PREFIX " cmpxchg %2,%0\n\t"
10464 " jnz 1b\n\t"
10465 @@ -160,6 +176,14 @@ static inline void __down_write_nested(s
10466 tmp = RWSEM_ACTIVE_WRITE_BIAS;
10467 asm volatile("# beginning down_write\n\t"
10468 LOCK_PREFIX " xadd %1,(%2)\n\t"
10469 +
10470 +#ifdef CONFIG_PAX_REFCOUNT
10471 + "jno 0f\n"
10472 + "mov %1,(%2)\n"
10473 + "int $4\n0:\n"
10474 + _ASM_EXTABLE(0b, 0b)
10475 +#endif
10476 +
10477 /* subtract 0x0000ffff, returns the old value */
10478 " test %1,%1\n\t"
10479 /* was the count 0 before? */
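Review bot: The overflow rollback `mov %1,(%2)` is a plain store of the old value that `xadd` returned, so it is not an atomic inverse of the update, unlike the `LOCK_PREFIX _ASM_DEC` / `_ASM_SUB` undo used in `__down_read()`, `__downgrade_write()` and `rwsem_atomic_add()`. If another CPU changes the count between the locked `xadd` and this store, that change is overwritten. The same pattern appears in the `__up_read()`, `__up_write()` and `rwsem_atomic_update()` hunks. If this is accepted because the overflow path is already treated as fatal, a comment saying so would settle the question. Otherwise the undo needs a locked subtract of the original delta, which means keeping the delta in a second register because `xadd` overwrites `%1`. The function body starts and ends outside this hunk.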
10480 @@ -198,6 +222,14 @@ static inline void __up_read(struct rw_s
10481 rwsem_count_t tmp = -RWSEM_ACTIVE_READ_BIAS;
10482 asm volatile("# beginning __up_read\n\t"
10483 LOCK_PREFIX " xadd %1,(%2)\n\t"
10484 +
10485 +#ifdef CONFIG_PAX_REFCOUNT
10486 + "jno 0f\n"
10487 + "mov %1,(%2)\n"
10488 + "int $4\n0:\n"
10489 + _ASM_EXTABLE(0b, 0b)
10490 +#endif
10491 +
10492 /* subtracts 1, returns the old value */
10493 " jns 1f\n\t"
10494 " call call_rwsem_wake\n"
10495 @@ -216,6 +248,14 @@ static inline void __up_write(struct rw_
10496 rwsem_count_t tmp;
10497 asm volatile("# beginning __up_write\n\t"
10498 LOCK_PREFIX " xadd %1,(%2)\n\t"
10499 +
10500 +#ifdef CONFIG_PAX_REFCOUNT
10501 + "jno 0f\n"
10502 + "mov %1,(%2)\n"
10503 + "int $4\n0:\n"
10504 + _ASM_EXTABLE(0b, 0b)
10505 +#endif
10506 +
10507 /* tries to transition
10508 0xffff0001 -> 0x00000000 */
10509 " jz 1f\n"
10510 @@ -234,6 +274,14 @@ static inline void __downgrade_write(str
10511 {
10512 asm volatile("# beginning __downgrade_write\n\t"
10513 LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t"
10514 +
10515 +#ifdef CONFIG_PAX_REFCOUNT
10516 + "jno 0f\n"
10517 + LOCK_PREFIX _ASM_SUB "%2,(%1)\n"
10518 + "int $4\n0:\n"
10519 + _ASM_EXTABLE(0b, 0b)
10520 +#endif
10521 +
10522 /*
10523 * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386)
10524 * 0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64)
10525 @@ -253,7 +301,15 @@ static inline void __downgrade_write(str
10526 static inline void rwsem_atomic_add(rwsem_count_t delta,
10527 struct rw_semaphore *sem)
10528 {
10529 - asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0"
10530 + asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n"
10531 +
10532 +#ifdef CONFIG_PAX_REFCOUNT
10533 + "jno 0f\n"
10534 + LOCK_PREFIX _ASM_SUB "%1,%0\n"
10535 + "int $4\n0:\n"
10536 + _ASM_EXTABLE(0b, 0b)
10537 +#endif
10538 +
10539 : "+m" (sem->count)
10540 : "er" (delta));
10541 }
10542 @@ -266,7 +322,15 @@ static inline rwsem_count_t rwsem_atomic
10543 {
10544 rwsem_count_t tmp = delta;
10545
10546 - asm volatile(LOCK_PREFIX "xadd %0,%1"
10547 + asm volatile(LOCK_PREFIX "xadd %0,%1\n"
10548 +
10549 +#ifdef CONFIG_PAX_REFCOUNT
10550 + "jno 0f\n"
10551 + "mov %0,%1\n"
10552 + "int $4\n0:\n"
10553 + _ASM_EXTABLE(0b, 0b)
10554 +#endif
10555 +
10556 : "+r" (tmp), "+m" (sem->count)
10557 : : "memory");
10558
10559 diff -urNp linux-2.6.32.46/arch/x86/include/asm/segment.h linux-2.6.32.46/arch/x86/include/asm/segment.h
10560 --- linux-2.6.32.46/arch/x86/include/asm/segment.h 2011-03-27 14:31:47.000000000 -0400
10561 +++ linux-2.6.32.46/arch/x86/include/asm/segment.h 2011-10-06 09:37:08.000000000 -0400
10562 @@ -62,10 +62,15 @@
10563 * 26 - ESPFIX small SS
10564 * 27 - per-cpu [ offset to per-cpu data area ]
10565 * 28 - stack_canary-20 [ for stack protector ]
10566 - * 29 - unused
10567 - * 30 - unused
10568 + * 29 - PCI BIOS CS
10569 + * 30 - PCI BIOS DS
10570 * 31 - TSS for double fault handler
10571 */
10572 +#define GDT_ENTRY_KERNEXEC_EFI_CS (1)
10573 +#define GDT_ENTRY_KERNEXEC_EFI_DS (2)
10574 +#define __KERNEXEC_EFI_CS (GDT_ENTRY_KERNEXEC_EFI_CS*8)
10575 +#define __KERNEXEC_EFI_DS (GDT_ENTRY_KERNEXEC_EFI_DS*8)
10576 +
10577 #define GDT_ENTRY_TLS_MIN 6
10578 #define GDT_ENTRY_TLS_MAX (GDT_ENTRY_TLS_MIN + GDT_ENTRY_TLS_ENTRIES - 1)
10579
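Review bot: `GDT_ENTRY_KERNEXEC_EFI_CS` and `GDT_ENTRY_KERNEXEC_EFI_DS` claim GDT slots 1 and 2 as bare literals, and `GDT_ENTRY_KERNEXEC_KERNEL_CS` in the next hunk claims slot 4, yet the layout comment is updated here only for slots 29 and 30. The upper part of that table is outside this hunk. If it still lists those slots as unused or reserved, it should gain lines such as `*  1 - KERNEXEC EFI CS` and `*  2 - KERNEXEC EFI DS`. That keeps the comment as the one place to check for slot collisions.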
10580 @@ -77,6 +82,8 @@
10581
10582 #define GDT_ENTRY_KERNEL_CS (GDT_ENTRY_KERNEL_BASE + 0)
10583
10584 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS (4)
10585 +
10586 #define GDT_ENTRY_KERNEL_DS (GDT_ENTRY_KERNEL_BASE + 1)
10587
10588 #define GDT_ENTRY_TSS (GDT_ENTRY_KERNEL_BASE + 4)
10589 @@ -88,7 +95,7 @@
10590 #define GDT_ENTRY_ESPFIX_SS (GDT_ENTRY_KERNEL_BASE + 14)
10591 #define __ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)
10592
10593 -#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
10594 +#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
10595 #ifdef CONFIG_SMP
10596 #define __KERNEL_PERCPU (GDT_ENTRY_PERCPU * 8)
10597 #else
10598 @@ -102,6 +109,12 @@
10599 #define __KERNEL_STACK_CANARY 0
10600 #endif
10601
10602 +#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE + 17)
10603 +#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
10604 +
10605 +#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE + 18)
10606 +#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
10607 +
10608 #define GDT_ENTRY_DOUBLEFAULT_TSS 31
10609
10610 /*
10611 @@ -139,7 +152,7 @@
10612 */
10613
10614 /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
10615 -#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
10616 +#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
10617
10618
10619 #else
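Review bot: The rewritten `SEGMENT_IS_PNP_CODE(x)` expands `x` twice, so an argument with side effects is evaluated twice where the old single-mask form evaluated it once. The exact comparison against `PNP_CS32` and `PNP_CS16` is stricter than the old `0xf4` mask, but the comment above still says the two selectors "must be consecutive", which the new form no longer relies on. I would reword the comment to `/* Matches exactly PNP_CS32 or PNP_CS16, ignoring the RPL bits; evaluates x twice */`. Alternatively, mask once in a `static inline` helper, which would need an `__ASSEMBLY__` guard if this header is also included from assembly.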
10620 @@ -163,6 +176,8 @@
10621 #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS * 8 + 3)
10622 #define __USER32_DS __USER_DS
10623
10624 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
10625 +
10626 #define GDT_ENTRY_TSS 8 /* needs two entries */
10627 #define GDT_ENTRY_LDT 10 /* needs two entries */
10628 #define GDT_ENTRY_TLS_MIN 12
10629 @@ -183,6 +198,7 @@
10630 #endif
10631
10632 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS * 8)
10633 +#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS * 8)
10634 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS * 8)
10635 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS* 8 + 3)
10636 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS* 8 + 3)
10637 diff -urNp linux-2.6.32.46/arch/x86/include/asm/smp.h linux-2.6.32.46/arch/x86/include/asm/smp.h
10638 --- linux-2.6.32.46/arch/x86/include/asm/smp.h 2011-03-27 14:31:47.000000000 -0400
10639 +++ linux-2.6.32.46/arch/x86/include/asm/smp.h 2011-08-05 20:33:55.000000000 -0400
10640 @@ -24,7 +24,7 @@ extern unsigned int num_processors;
10641 DECLARE_PER_CPU(cpumask_var_t, cpu_sibling_map);
10642 DECLARE_PER_CPU(cpumask_var_t, cpu_core_map);
10643 DECLARE_PER_CPU(u16, cpu_llc_id);
10644 -DECLARE_PER_CPU(int, cpu_number);
10645 +DECLARE_PER_CPU(unsigned int, cpu_number);
10646
10647 static inline struct cpumask *cpu_sibling_mask(int cpu)
10648 {
10649 @@ -40,10 +40,7 @@ DECLARE_EARLY_PER_CPU(u16, x86_cpu_to_ap
10650 DECLARE_EARLY_PER_CPU(u16, x86_bios_cpu_apicid);
10651
10652 /* Static state in head.S used to set up a CPU */
10653 -extern struct {
10654 - void *sp;
10655 - unsigned short ss;
10656 -} stack_start;
10657 +extern unsigned long stack_start; /* Initial stack pointer address */
10658
10659 struct smp_ops {
10660 void (*smp_prepare_boot_cpu)(void);
10661 @@ -60,7 +57,7 @@ struct smp_ops {
10662
10663 void (*send_call_func_ipi)(const struct cpumask *mask);
10664 void (*send_call_func_single_ipi)(int cpu);
10665 -};
10666 +} __no_const;
10667
10668 /* Globals due to paravirt */
10669 extern void set_cpu_sibling_map(int cpu);
10670 @@ -175,14 +172,8 @@ extern unsigned disabled_cpus __cpuinitd
10671 extern int safe_smp_processor_id(void);
10672
10673 #elif defined(CONFIG_X86_64_SMP)
10674 -#define raw_smp_processor_id() (percpu_read(cpu_number))
10675 -
10676 -#define stack_smp_processor_id() \
10677 -({ \
10678 - struct thread_info *ti; \
10679 - __asm__("andq %%rsp,%0; ":"=r" (ti) : "0" (CURRENT_MASK)); \
10680 - ti->cpu; \
10681 -})
10682 +#define raw_smp_processor_id() (percpu_read(cpu_number))
10683 +#define stack_smp_processor_id() raw_smp_processor_id()
10684 #define safe_smp_processor_id() smp_processor_id()
10685
10686 #endif
10687 diff -urNp linux-2.6.32.46/arch/x86/include/asm/spinlock.h linux-2.6.32.46/arch/x86/include/asm/spinlock.h
10688 --- linux-2.6.32.46/arch/x86/include/asm/spinlock.h 2011-03-27 14:31:47.000000000 -0400
10689 +++ linux-2.6.32.46/arch/x86/include/asm/spinlock.h 2011-04-17 15:56:46.000000000 -0400
10690 @@ -249,6 +249,14 @@ static inline int __raw_write_can_lock(r
10691 static inline void __raw_read_lock(raw_rwlock_t *rw)
10692 {
10693 asm volatile(LOCK_PREFIX " subl $1,(%0)\n\t"
10694 +
10695 +#ifdef CONFIG_PAX_REFCOUNT
10696 + "jno 0f\n"
10697 + LOCK_PREFIX " addl $1,(%0)\n"
10698 + "int $4\n0:\n"
10699 + _ASM_EXTABLE(0b, 0b)
10700 +#endif
10701 +
10702 "jns 1f\n"
10703 "call __read_lock_failed\n\t"
10704 "1:\n"
10705 @@ -258,6 +266,14 @@ static inline void __raw_read_lock(raw_r
10706 static inline void __raw_write_lock(raw_rwlock_t *rw)
10707 {
10708 asm volatile(LOCK_PREFIX " subl %1,(%0)\n\t"
10709 +
10710 +#ifdef CONFIG_PAX_REFCOUNT
10711 + "jno 0f\n"
10712 + LOCK_PREFIX " addl %1,(%0)\n"
10713 + "int $4\n0:\n"
10714 + _ASM_EXTABLE(0b, 0b)
10715 +#endif
10716 +
10717 "jz 1f\n"
10718 "call __write_lock_failed\n\t"
10719 "1:\n"
10720 @@ -286,12 +302,29 @@ static inline int __raw_write_trylock(ra
10721
10722 static inline void __raw_read_unlock(raw_rwlock_t *rw)
10723 {
10724 - asm volatile(LOCK_PREFIX "incl %0" :"+m" (rw->lock) : : "memory");
10725 + asm volatile(LOCK_PREFIX "incl %0\n"
10726 +
10727 +#ifdef CONFIG_PAX_REFCOUNT
10728 + "jno 0f\n"
10729 + LOCK_PREFIX "decl %0\n"
10730 + "int $4\n0:\n"
10731 + _ASM_EXTABLE(0b, 0b)
10732 +#endif
10733 +
10734 + :"+m" (rw->lock) : : "memory");
10735 }
10736
10737 static inline void __raw_write_unlock(raw_rwlock_t *rw)
10738 {
10739 - asm volatile(LOCK_PREFIX "addl %1, %0"
10740 + asm volatile(LOCK_PREFIX "addl %1, %0\n"
10741 +
10742 +#ifdef CONFIG_PAX_REFCOUNT
10743 + "jno 0f\n"
10744 + LOCK_PREFIX "subl %1, %0\n"
10745 + "int $4\n0:\n"
10746 + _ASM_EXTABLE(0b, 0b)
10747 +#endif
10748 +
10749 : "+m" (rw->lock) : "i" (RW_LOCK_BIAS) : "memory");
10750 }
10751
10752 diff -urNp linux-2.6.32.46/arch/x86/include/asm/stackprotector.h linux-2.6.32.46/arch/x86/include/asm/stackprotector.h
10753 --- linux-2.6.32.46/arch/x86/include/asm/stackprotector.h 2011-03-27 14:31:47.000000000 -0400
10754 +++ linux-2.6.32.46/arch/x86/include/asm/stackprotector.h 2011-07-06 19:53:33.000000000 -0400
10755 @@ -48,7 +48,7 @@
10756 * head_32 for boot CPU and setup_per_cpu_areas() for others.
10757 */
10758 #define GDT_STACK_CANARY_INIT \
10759 - [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x18),
10760 + [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x17),
10761
10762 /*
10763 * Initialize the stackprotector canary value.
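Review bot: The limit argument of `GDT_ENTRY_INIT(0x4090, 0, 0x18)` becomes `0x17` with no explanation of the magic number. A byte-granular descriptor limit is the last valid offset, so `0x17` describes a 24-byte segment where `0x18` described 25 bytes. If that is the intent, a comment such as `/* limit is inclusive: 0x17 covers offsets 0..23 */` would record it. The file's header comment above this hunk may state the segment size and should be checked for agreement.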
10764 @@ -113,7 +113,7 @@ static inline void setup_stack_canary_se
10765
10766 static inline void load_stack_canary_segment(void)
10767 {
10768 -#ifdef CONFIG_X86_32
10769 +#if defined(CONFIG_X86_32) && !defined(CONFIG_PAX_MEMORY_UDEREF)
10770 asm volatile ("mov %0, %%gs" : : "r" (0));
10771 #endif
10772 }
10773 diff -urNp linux-2.6.32.46/arch/x86/include/asm/system.h linux-2.6.32.46/arch/x86/include/asm/system.h
10774 --- linux-2.6.32.46/arch/x86/include/asm/system.h 2011-03-27 14:31:47.000000000 -0400
10775 +++ linux-2.6.32.46/arch/x86/include/asm/system.h 2011-05-22 23:02:03.000000000 -0400
10776 @@ -132,7 +132,7 @@ do { \
10777 "thread_return:\n\t" \
10778 "movq "__percpu_arg([current_task])",%%rsi\n\t" \
10779 __switch_canary \
10780 - "movq %P[thread_info](%%rsi),%%r8\n\t" \
10781 + "movq "__percpu_arg([thread_info])",%%r8\n\t" \
10782 "movq %%rax,%%rdi\n\t" \
10783 "testl %[_tif_fork],%P[ti_flags](%%r8)\n\t" \
10784 "jnz ret_from_fork\n\t" \
10785 @@ -143,7 +143,7 @@ do { \
10786 [threadrsp] "i" (offsetof(struct task_struct, thread.sp)), \
10787 [ti_flags] "i" (offsetof(struct thread_info, flags)), \
10788 [_tif_fork] "i" (_TIF_FORK), \
10789 - [thread_info] "i" (offsetof(struct task_struct, stack)), \
10790 + [thread_info] "m" (per_cpu_var(current_tinfo)), \
10791 [current_task] "m" (per_cpu_var(current_task)) \
10792 __switch_canary_iparam \
10793 : "memory", "cc" __EXTRA_CLOBBER)
10794 @@ -200,7 +200,7 @@ static inline unsigned long get_limit(un
10795 {
10796 unsigned long __limit;
10797 asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
10798 - return __limit + 1;
10799 + return __limit;
10800 }
10801
10802 static inline void native_clts(void)
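Review bot: Dropping the `+ 1` changes what `get_limit()` returns, from a size to the raw `lsl` result (the last valid offset), and no comment records the new contract. Any caller that compares an offset or length against the result has to account for the inclusive value, and those callers are outside this hunk. I would add `/* returns the segment limit (last valid byte offset), not the segment size */` above the function so the off-by-one is not reintroduced later. The function signature itself is outside the hunk.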
10803 @@ -340,12 +340,12 @@ void enable_hlt(void);
10804
10805 void cpu_idle_wait(void);
10806
10807 -extern unsigned long arch_align_stack(unsigned long sp);
10808 +#define arch_align_stack(x) ((x) & ~0xfUL)
10809 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
10810
10811 void default_idle(void);
10812
10813 -void stop_this_cpu(void *dummy);
10814 +void stop_this_cpu(void *dummy) __noreturn;
10815
10816 /*
10817 * Force strict CPU ordering.
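Review bot: Replacing the `arch_align_stack()` prototype with `#define arch_align_stack(x) ((x) & ~0xfUL)` drops the conversion of the argument to `unsigned long` and the type check that the function gave. `static inline unsigned long arch_align_stack(unsigned long sp) { return sp & ~0xfUL; }` keeps the same constant alignment with the original signature. Any out-of-line definition of the old extern function must be removed in the same patch, and that is not visible in this hunk.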
10818 diff -urNp linux-2.6.32.46/arch/x86/include/asm/thread_info.h linux-2.6.32.46/arch/x86/include/asm/thread_info.h
10819 --- linux-2.6.32.46/arch/x86/include/asm/thread_info.h 2011-03-27 14:31:47.000000000 -0400
10820 +++ linux-2.6.32.46/arch/x86/include/asm/thread_info.h 2011-05-17 19:26:34.000000000 -0400
10821 @@ -10,6 +10,7 @@
10822 #include <linux/compiler.h>
10823 #include <asm/page.h>
10824 #include <asm/types.h>
10825 +#include <asm/percpu.h>
10826
10827 /*
10828 * low level task data that entry.S needs immediate access to
10829 @@ -24,7 +25,6 @@ struct exec_domain;
10830 #include <asm/atomic.h>
10831
10832 struct thread_info {
10833 - struct task_struct *task; /* main task structure */
10834 struct exec_domain *exec_domain; /* execution domain */
10835 __u32 flags; /* low level flags */
10836 __u32 status; /* thread synchronous flags */
10837 @@ -34,18 +34,12 @@ struct thread_info {
10838 mm_segment_t addr_limit;
10839 struct restart_block restart_block;
10840 void __user *sysenter_return;
10841 -#ifdef CONFIG_X86_32
10842 - unsigned long previous_esp; /* ESP of the previous stack in
10843 - case of nested (IRQ) stacks
10844 - */
10845 - __u8 supervisor_stack[0];
10846 -#endif
10847 + unsigned long lowest_stack;
10848 int uaccess_err;
10849 };
10850
10851 -#define INIT_THREAD_INFO(tsk) \
10852 +#define INIT_THREAD_INFO \
10853 { \
10854 - .task = &tsk, \
10855 .exec_domain = &default_exec_domain, \
10856 .flags = 0, \
10857 .cpu = 0, \
10858 @@ -56,7 +50,7 @@ struct thread_info {
10859 }, \
10860 }
10861
10862 -#define init_thread_info (init_thread_union.thread_info)
10863 +#define init_thread_info (init_thread_union.stack)
10864 #define init_stack (init_thread_union.stack)
10865
10866 #else /* !__ASSEMBLY__ */
10867 @@ -163,6 +157,23 @@ struct thread_info {
10868 #define alloc_thread_info(tsk) \
10869 ((struct thread_info *)__get_free_pages(THREAD_FLAGS, THREAD_ORDER))
10870
10871 +#ifdef __ASSEMBLY__
10872 +/* how to get the thread information struct from ASM */
10873 +#define GET_THREAD_INFO(reg) \
10874 + mov PER_CPU_VAR(current_tinfo), reg
10875 +
10876 +/* use this one if reg already contains %esp */
10877 +#define GET_THREAD_INFO_WITH_ESP(reg) GET_THREAD_INFO(reg)
10878 +#else
10879 +/* how to get the thread information struct from C */
10880 +DECLARE_PER_CPU(struct thread_info *, current_tinfo);
10881 +
10882 +static __always_inline struct thread_info *current_thread_info(void)
10883 +{
10884 + return percpu_read_stable(current_tinfo);
10885 +}
10886 +#endif
10887 +
10888 #ifdef CONFIG_X86_32
10889
10890 #define STACK_WARN (THREAD_SIZE/8)
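Review bot: The comment `/* use this one if reg already contains %esp */` is stale. `GET_THREAD_INFO_WITH_ESP(reg)` now expands to `GET_THREAD_INFO(reg)`, which loads `PER_CPU_VAR(current_tinfo)` and ignores whatever `reg` held. I would reword it to `/* kept for existing callers; reg's previous contents are ignored and overwritten */`. On the C side, `current_thread_info()` likewise no longer derives the pointer from the stack pointer, so it is only meaningful once `current_tinfo` has been set for the CPU. Where that happens is outside this hunk.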
10891 @@ -173,35 +184,13 @@ struct thread_info {
10892 */
10893 #ifndef __ASSEMBLY__
10894
10895 -
10896 /* how to get the current stack pointer from C */
10897 register unsigned long current_stack_pointer asm("esp") __used;
10898
10899 -/* how to get the thread information struct from C */
10900 -static inline struct thread_info *current_thread_info(void)
10901 -{
10902 - return (struct thread_info *)
10903 - (current_stack_pointer & ~(THREAD_SIZE - 1));
10904 -}
10905 -
10906 -#else /* !__ASSEMBLY__ */
10907 -
10908 -/* how to get the thread information struct from ASM */
10909 -#define GET_THREAD_INFO(reg) \
10910 - movl $-THREAD_SIZE, reg; \
10911 - andl %esp, reg
10912 -
10913 -/* use this one if reg already contains %esp */
10914 -#define GET_THREAD_INFO_WITH_ESP(reg) \
10915 - andl $-THREAD_SIZE, reg
10916 -
10917 #endif
10918
10919 #else /* X86_32 */
10920
10921 -#include <asm/percpu.h>
10922 -#define KERNEL_STACK_OFFSET (5*8)
10923 -
10924 /*
10925 * macros/functions for gaining access to the thread information structure
10926 * preempt_count needs to be 1 initially, until the scheduler is functional.
10927 @@ -209,21 +198,8 @@ static inline struct thread_info *curren
10928 #ifndef __ASSEMBLY__
10929 DECLARE_PER_CPU(unsigned long, kernel_stack);
10930
10931 -static inline struct thread_info *current_thread_info(void)
10932 -{
10933 - struct thread_info *ti;
10934 - ti = (void *)(percpu_read_stable(kernel_stack) +
10935 - KERNEL_STACK_OFFSET - THREAD_SIZE);
10936 - return ti;
10937 -}
10938 -
10939 -#else /* !__ASSEMBLY__ */
10940 -
10941 -/* how to get the thread information struct from ASM */
10942 -#define GET_THREAD_INFO(reg) \
10943 - movq PER_CPU_VAR(kernel_stack),reg ; \
10944 - subq $(THREAD_SIZE-KERNEL_STACK_OFFSET),reg
10945 -
10946 +/* how to get the current stack pointer from C */
10947 +register unsigned long current_stack_pointer asm("rsp") __used;
10948 #endif
10949
10950 #endif /* !X86_32 */
10951 @@ -260,5 +236,16 @@ extern void arch_task_cache_init(void);
10952 extern void free_thread_info(struct thread_info *ti);
10953 extern int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src);
10954 #define arch_task_cache_init arch_task_cache_init
10955 +
10956 +#define __HAVE_THREAD_FUNCTIONS
10957 +#define task_thread_info(task) (&(task)->tinfo)
10958 +#define task_stack_page(task) ((task)->stack)
10959 +#define setup_thread_stack(p, org) do {} while (0)
10960 +#define end_of_stack(p) ((unsigned long *)task_stack_page(p) + 1)
10961 +
10962 +#define __HAVE_ARCH_TASK_STRUCT_ALLOCATOR
10963 +extern struct task_struct *alloc_task_struct(void);
10964 +extern void free_task_struct(struct task_struct *);
10965 +
10966 #endif
10967 #endif /* _ASM_X86_THREAD_INFO_H */
10968 diff -urNp linux-2.6.32.46/arch/x86/include/asm/uaccess_32.h linux-2.6.32.46/arch/x86/include/asm/uaccess_32.h
10969 --- linux-2.6.32.46/arch/x86/include/asm/uaccess_32.h 2011-03-27 14:31:47.000000000 -0400
10970 +++ linux-2.6.32.46/arch/x86/include/asm/uaccess_32.h 2011-05-16 21:46:57.000000000 -0400
10971 @@ -44,6 +44,11 @@ unsigned long __must_check __copy_from_u
10972 static __always_inline unsigned long __must_check
10973 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
10974 {
10975 + pax_track_stack();
10976 +
10977 + if ((long)n < 0)
10978 + return n;
10979 +
10980 if (__builtin_constant_p(n)) {
10981 unsigned long ret;
10982
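Review bot: The guard `if ((long)n < 0) return n;` is added without a comment, here and in the later hunks of this file for `__copy_from_user_inatomic()`, `__copy_from_user()`, `__copy_from_user_nocache()` and `__copy_from_user_inatomic_nocache()`. Its purpose is not obvious from the cast alone. It rejects a length whose top bit is set, presumably a negative value the caller converted to `unsigned long`, and reports all `n` bytes as uncopied. I would add `/* length with the sign bit set: treat as a caller bug and copy nothing */` at the first occurrence. The function body continues outside this hunk.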
10983 @@ -62,6 +67,8 @@ __copy_to_user_inatomic(void __user *to,
10984 return ret;
10985 }
10986 }
10987 + if (!__builtin_constant_p(n))
10988 + check_object_size(from, n, true);
10989 return __copy_to_user_ll(to, from, n);
10990 }
10991
10992 @@ -83,12 +90,16 @@ static __always_inline unsigned long __m
10993 __copy_to_user(void __user *to, const void *from, unsigned long n)
10994 {
10995 might_fault();
10996 +
10997 return __copy_to_user_inatomic(to, from, n);
10998 }
10999
11000 static __always_inline unsigned long
11001 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
11002 {
11003 + if ((long)n < 0)
11004 + return n;
11005 +
11006 /* Avoid zeroing the tail if the copy fails..
11007 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
11008 * but as the zeroing behaviour is only significant when n is not
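Review bot: `__copy_from_user_inatomic()` gains the sign check but, in the lines visible here, no `check_object_size(to, n, false)` call, while `__copy_from_user()` in the next hunk gets both. The same gap appears in the `__copy_from_user_nocache()` hunk and in `__copy_from_user_inatomic_nocache()`, whose whole new body is visible. On those paths a non-constant `n` reaches the low-level copy into a kernel buffer without the object-bounds check. If the omission is deliberate, a comment saying so would help. Otherwise add `if (!__builtin_constant_p(n)) check_object_size(to, n, false);` before the final copy. The bodies of the first two functions continue outside their hunks, so a check further down cannot be ruled out.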
11009 @@ -138,6 +149,12 @@ static __always_inline unsigned long
11010 __copy_from_user(void *to, const void __user *from, unsigned long n)
11011 {
11012 might_fault();
11013 +
11014 + pax_track_stack();
11015 +
11016 + if ((long)n < 0)
11017 + return n;
11018 +
11019 if (__builtin_constant_p(n)) {
11020 unsigned long ret;
11021
11022 @@ -153,6 +170,8 @@ __copy_from_user(void *to, const void __
11023 return ret;
11024 }
11025 }
11026 + if (!__builtin_constant_p(n))
11027 + check_object_size(to, n, false);
11028 return __copy_from_user_ll(to, from, n);
11029 }
11030
11031 @@ -160,6 +179,10 @@ static __always_inline unsigned long __c
11032 const void __user *from, unsigned long n)
11033 {
11034 might_fault();
11035 +
11036 + if ((long)n < 0)
11037 + return n;
11038 +
11039 if (__builtin_constant_p(n)) {
11040 unsigned long ret;
11041
11042 @@ -182,14 +205,62 @@ static __always_inline unsigned long
11043 __copy_from_user_inatomic_nocache(void *to, const void __user *from,
11044 unsigned long n)
11045 {
11046 - return __copy_from_user_ll_nocache_nozero(to, from, n);
11047 + if ((long)n < 0)
11048 + return n;
11049 +
11050 + return __copy_from_user_ll_nocache_nozero(to, from, n);
11051 +}
11052 +
11053 +/**
11054 + * copy_to_user: - Copy a block of data into user space.
11055 + * @to: Destination address, in user space.
11056 + * @from: Source address, in kernel space.
11057 + * @n: Number of bytes to copy.
11058 + *
11059 + * Context: User context only. This function may sleep.
11060 + *
11061 + * Copy data from kernel space to user space.
11062 + *
11063 + * Returns number of bytes that could not be copied.
11064 + * On success, this will be zero.
11065 + */
11066 +static __always_inline unsigned long __must_check
11067 +copy_to_user(void __user *to, const void *from, unsigned long n)
11068 +{
11069 + if (access_ok(VERIFY_WRITE, to, n))
11070 + n = __copy_to_user(to, from, n);
11071 + return n;
11072 +}
11073 +
11074 +/**
11075 + * copy_from_user: - Copy a block of data from user space.
11076 + * @to: Destination address, in kernel space.
11077 + * @from: Source address, in user space.
11078 + * @n: Number of bytes to copy.
11079 + *
11080 + * Context: User context only. This function may sleep.
11081 + *
11082 + * Copy data from user space to kernel space.
11083 + *
11084 + * Returns number of bytes that could not be copied.
11085 + * On success, this will be zero.
11086 + *
11087 + * If some data could not be copied, this function will pad the copied
11088 + * data to the requested size using zero bytes.
11089 + */
11090 +static __always_inline unsigned long __must_check
11091 +copy_from_user(void *to, const void __user *from, unsigned long n)
11092 +{
11093 + if (access_ok(VERIFY_READ, from, n))
11094 + n = __copy_from_user(to, from, n);
11095 + else if ((long)n > 0) {
11096 + if (!__builtin_constant_p(n))
11097 + check_object_size(to, n, false);
11098 + memset(to, 0, n);
11099 + }
11100 + return n;
11101 }
11102
11103 -unsigned long __must_check copy_to_user(void __user *to,
11104 - const void *from, unsigned long n);
11105 -unsigned long __must_check copy_from_user(void *to,
11106 - const void __user *from,
11107 - unsigned long n);
11108 long __must_check strncpy_from_user(char *dst, const char __user *src,
11109 long count);
11110 long __must_check __strncpy_from_user(char *dst,
11111 diff -urNp linux-2.6.32.46/arch/x86/include/asm/uaccess_64.h linux-2.6.32.46/arch/x86/include/asm/uaccess_64.h
11112 --- linux-2.6.32.46/arch/x86/include/asm/uaccess_64.h 2011-03-27 14:31:47.000000000 -0400
11113 +++ linux-2.6.32.46/arch/x86/include/asm/uaccess_64.h 2011-10-06 09:37:08.000000000 -0400
11114 @@ -9,6 +9,9 @@
11115 #include <linux/prefetch.h>
11116 #include <linux/lockdep.h>
11117 #include <asm/page.h>
11118 +#include <asm/pgtable.h>
11119 +
11120 +#define set_fs(x) (current_thread_info()->addr_limit = (x))
11121
11122 /*
11123 * Copy To/From Userspace
11124 @@ -19,113 +22,203 @@ __must_check unsigned long
11125 copy_user_generic(void *to, const void *from, unsigned len);
11126
11127 __must_check unsigned long
11128 -copy_to_user(void __user *to, const void *from, unsigned len);
11129 -__must_check unsigned long
11130 -copy_from_user(void *to, const void __user *from, unsigned len);
11131 -__must_check unsigned long
11132 copy_in_user(void __user *to, const void __user *from, unsigned len);
11133
11134 static __always_inline __must_check
11135 -int __copy_from_user(void *dst, const void __user *src, unsigned size)
11136 +unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size)
11137 {
11138 - int ret = 0;
11139 + unsigned ret = 0;
11140
11141 might_fault();
11142 - if (!__builtin_constant_p(size))
11143 - return copy_user_generic(dst, (__force void *)src, size);
11144 +
11145 + if ((int)size < 0)
11146 + return size;
11147 +
11148 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11149 + if (!__access_ok(VERIFY_READ, src, size))
11150 + return size;
11151 +#endif
11152 +
11153 + if (!__builtin_constant_p(size)) {
11154 + check_object_size(dst, size, false);
11155 +
11156 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11157 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
11158 + src += PAX_USER_SHADOW_BASE;
11159 +#endif
11160 +
11161 + return copy_user_generic(dst, (__force_kernel const void *)src, size);
11162 + }
11163 switch (size) {
11164 - case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
11165 + case 1:__get_user_asm(*(u8 *)dst, (const u8 __user *)src,
11166 ret, "b", "b", "=q", 1);
11167 return ret;
11168 - case 2:__get_user_asm(*(u16 *)dst, (u16 __user *)src,
11169 + case 2:__get_user_asm(*(u16 *)dst, (const u16 __user *)src,
11170 ret, "w", "w", "=r", 2);
11171 return ret;
11172 - case 4:__get_user_asm(*(u32 *)dst, (u32 __user *)src,
11173 + case 4:__get_user_asm(*(u32 *)dst, (const u32 __user *)src,
11174 ret, "l", "k", "=r", 4);
11175 return ret;
11176 - case 8:__get_user_asm(*(u64 *)dst, (u64 __user *)src,
11177 + case 8:__get_user_asm(*(u64 *)dst, (const u64 __user *)src,
11178 ret, "q", "", "=r", 8);
11179 return ret;
11180 case 10:
11181 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
11182 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
11183 ret, "q", "", "=r", 10);
11184 if (unlikely(ret))
11185 return ret;
11186 __get_user_asm(*(u16 *)(8 + (char *)dst),
11187 - (u16 __user *)(8 + (char __user *)src),
11188 + (const u16 __user *)(8 + (const char __user *)src),
11189 ret, "w", "w", "=r", 2);
11190 return ret;
11191 case 16:
11192 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
11193 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
11194 ret, "q", "", "=r", 16);
11195 if (unlikely(ret))
11196 return ret;
11197 __get_user_asm(*(u64 *)(8 + (char *)dst),
11198 - (u64 __user *)(8 + (char __user *)src),
11199 + (const u64 __user *)(8 + (const char __user *)src),
11200 ret, "q", "", "=r", 8);
11201 return ret;
11202 default:
11203 - return copy_user_generic(dst, (__force void *)src, size);
11204 +
11205 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11206 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
11207 + src += PAX_USER_SHADOW_BASE;
11208 +#endif
11209 +
11210 + return copy_user_generic(dst, (__force_kernel const void *)src, size);
11211 }
11212 }
11213
11214 static __always_inline __must_check
11215 -int __copy_to_user(void __user *dst, const void *src, unsigned size)
11216 +unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size)
11217 {
11218 - int ret = 0;
11219 + unsigned ret = 0;
11220
11221 might_fault();
11222 - if (!__builtin_constant_p(size))
11223 - return copy_user_generic((__force void *)dst, src, size);
11224 +
11225 + pax_track_stack();
11226 +
11227 + if ((int)size < 0)
11228 + return size;
11229 +
11230 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11231 + if (!__access_ok(VERIFY_WRITE, dst, size))
11232 + return size;
11233 +#endif
11234 +
11235 + if (!__builtin_constant_p(size)) {
11236 + check_object_size(src, size, true);
11237 +
11238 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11239 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
11240 + dst += PAX_USER_SHADOW_BASE;
11241 +#endif
11242 +
11243 + return copy_user_generic((__force_kernel void *)dst, src, size);
11244 + }
11245 switch (size) {
11246 - case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
11247 + case 1:__put_user_asm(*(const u8 *)src, (u8 __user *)dst,
11248 ret, "b", "b", "iq", 1);
11249 return ret;
11250 - case 2:__put_user_asm(*(u16 *)src, (u16 __user *)dst,
11251 + case 2:__put_user_asm(*(const u16 *)src, (u16 __user *)dst,
11252 ret, "w", "w", "ir", 2);
11253 return ret;
11254 - case 4:__put_user_asm(*(u32 *)src, (u32 __user *)dst,
11255 + case 4:__put_user_asm(*(const u32 *)src, (u32 __user *)dst,
11256 ret, "l", "k", "ir", 4);
11257 return ret;
11258 - case 8:__put_user_asm(*(u64 *)src, (u64 __user *)dst,
11259 + case 8:__put_user_asm(*(const u64 *)src, (u64 __user *)dst,
11260 ret, "q", "", "er", 8);
11261 return ret;
11262 case 10:
11263 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
11264 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
11265 ret, "q", "", "er", 10);
11266 if (unlikely(ret))
11267 return ret;
11268 asm("":::"memory");
11269 - __put_user_asm(4[(u16 *)src], 4 + (u16 __user *)dst,
11270 + __put_user_asm(4[(const u16 *)src], 4 + (u16 __user *)dst,
11271 ret, "w", "w", "ir", 2);
11272 return ret;
11273 case 16:
11274 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
11275 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
11276 ret, "q", "", "er", 16);
11277 if (unlikely(ret))
11278 return ret;
11279 asm("":::"memory");
11280 - __put_user_asm(1[(u64 *)src], 1 + (u64 __user *)dst,
11281 + __put_user_asm(1[(const u64 *)src], 1 + (u64 __user *)dst,
11282 ret, "q", "", "er", 8);
11283 return ret;
11284 default:
11285 - return copy_user_generic((__force void *)dst, src, size);
11286 +
11287 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11288 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
11289 + dst += PAX_USER_SHADOW_BASE;
11290 +#endif
11291 +
11292 + return copy_user_generic((__force_kernel void *)dst, src, size);
11293 + }
11294 +}
11295 +
11296 +static __always_inline __must_check
11297 +unsigned long copy_to_user(void __user *to, const void *from, unsigned len)
11298 +{
11299 + if (access_ok(VERIFY_WRITE, to, len))
11300 + len = __copy_to_user(to, from, len);
11301 + return len;
11302 +}
11303 +
11304 +static __always_inline __must_check
11305 +unsigned long copy_from_user(void *to, const void __user *from, unsigned len)
11306 +{
11307 + if ((int)len < 0)
11308 + return len;
11309 +
11310 + if (access_ok(VERIFY_READ, from, len))
11311 + len = __copy_from_user(to, from, len);
11312 + else if ((int)len > 0) {
11313 + if (!__builtin_constant_p(len))
11314 + check_object_size(to, len, false);
11315 + memset(to, 0, len);
11316 }
11317 + return len;
11318 }
11319
11320 static __always_inline __must_check
11321 -int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
11322 +unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
11323 {
11324 - int ret = 0;
11325 + unsigned ret = 0;
11326
11327 might_fault();
11328 - if (!__builtin_constant_p(size))
11329 - return copy_user_generic((__force void *)dst,
11330 - (__force void *)src, size);
11331 +
11332 + pax_track_stack();
11333 +
11334 + if ((int)size < 0)
11335 + return size;
11336 +
11337 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11338 + if (!__access_ok(VERIFY_READ, src, size))
11339 + return size;
11340 + if (!__access_ok(VERIFY_WRITE, dst, size))
11341 + return size;
11342 +#endif
11343 +
11344 + if (!__builtin_constant_p(size)) {
11345 +
11346 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11347 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
11348 + src += PAX_USER_SHADOW_BASE;
11349 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
11350 + dst += PAX_USER_SHADOW_BASE;
11351 +#endif
11352 +
11353 + return copy_user_generic((__force_kernel void *)dst,
11354 + (__force_kernel const void *)src, size);
11355 + }
11356 switch (size) {
11357 case 1: {
11358 u8 tmp;
11359 - __get_user_asm(tmp, (u8 __user *)src,
11360 + __get_user_asm(tmp, (const u8 __user *)src,
11361 ret, "b", "b", "=q", 1);
11362 if (likely(!ret))
11363 __put_user_asm(tmp, (u8 __user *)dst,
11364 @@ -134,7 +227,7 @@ int __copy_in_user(void __user *dst, con
11365 }
11366 case 2: {
11367 u16 tmp;
11368 - __get_user_asm(tmp, (u16 __user *)src,
11369 + __get_user_asm(tmp, (const u16 __user *)src,
11370 ret, "w", "w", "=r", 2);
11371 if (likely(!ret))
11372 __put_user_asm(tmp, (u16 __user *)dst,
11373 @@ -144,7 +237,7 @@ int __copy_in_user(void __user *dst, con
11374
11375 case 4: {
11376 u32 tmp;
11377 - __get_user_asm(tmp, (u32 __user *)src,
11378 + __get_user_asm(tmp, (const u32 __user *)src,
11379 ret, "l", "k", "=r", 4);
11380 if (likely(!ret))
11381 __put_user_asm(tmp, (u32 __user *)dst,
11382 @@ -153,7 +246,7 @@ int __copy_in_user(void __user *dst, con
11383 }
11384 case 8: {
11385 u64 tmp;
11386 - __get_user_asm(tmp, (u64 __user *)src,
11387 + __get_user_asm(tmp, (const u64 __user *)src,
11388 ret, "q", "", "=r", 8);
11389 if (likely(!ret))
11390 __put_user_asm(tmp, (u64 __user *)dst,
11391 @@ -161,8 +254,16 @@ int __copy_in_user(void __user *dst, con
11392 return ret;
11393 }
11394 default:
11395 - return copy_user_generic((__force void *)dst,
11396 - (__force void *)src, size);
11397 +
11398 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11399 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
11400 + src += PAX_USER_SHADOW_BASE;
11401 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
11402 + dst += PAX_USER_SHADOW_BASE;
11403 +#endif
11404 +
11405 + return copy_user_generic((__force_kernel void *)dst,
11406 + (__force_kernel const void *)src, size);
11407 }
11408 }
11409
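Review bot: The UDEREF rebase in the new `default:` branch (`if ((unsigned long)src < PAX_USER_SHADOW_BASE) src += PAX_USER_SHADOW_BASE;`, and the same for `dst`) is open-coded. The identical pattern recurs in the `!__builtin_constant_p(size)` branch earlier in `__copy_in_user`, in the inatomic helpers of the next hunk, and in the xsave.h hunks. The patch's own `____m()` macro in uaccess.h already wraps the same computation, so one small helper returning the rebased pointer would keep the call sites from drifting apart. If the copies stay, each should carry a comment such as `/* UDEREF: addresses below PAX_USER_SHADOW_BASE are accessed at base + addr */`. `__copy_in_user` starts outside this hunk.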
11410 @@ -176,33 +277,75 @@ __must_check long strlen_user(const char
11411 __must_check unsigned long clear_user(void __user *mem, unsigned long len);
11412 __must_check unsigned long __clear_user(void __user *mem, unsigned long len);
11413
11414 -__must_check long __copy_from_user_inatomic(void *dst, const void __user *src,
11415 - unsigned size);
11416 +static __must_check __always_inline unsigned long
11417 +__copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
11418 +{
11419 + pax_track_stack();
11420 +
11421 + if ((int)size < 0)
11422 + return size;
11423 +
11424 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11425 + if (!__access_ok(VERIFY_READ, src, size))
11426 + return size;
11427 +
11428 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
11429 + src += PAX_USER_SHADOW_BASE;
11430 +#endif
11431
11432 -static __must_check __always_inline int
11433 + return copy_user_generic(dst, (__force_kernel const void *)src, size);
11434 +}
11435 +
11436 +static __must_check __always_inline unsigned long
11437 __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
11438 {
11439 - return copy_user_generic((__force void *)dst, src, size);
11440 + if ((int)size < 0)
11441 + return size;
11442 +
11443 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11444 + if (!__access_ok(VERIFY_WRITE, dst, size))
11445 + return size;
11446 +
11447 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
11448 + dst += PAX_USER_SHADOW_BASE;
11449 +#endif
11450 +
11451 + return copy_user_generic((__force_kernel void *)dst, src, size);
11452 }
11453
11454 -extern long __copy_user_nocache(void *dst, const void __user *src,
11455 +extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
11456 unsigned size, int zerorest);
11457
11458 -static inline int
11459 -__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
11460 +static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
11461 {
11462 might_sleep();
11463 +
11464 + if ((int)size < 0)
11465 + return size;
11466 +
11467 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11468 + if (!__access_ok(VERIFY_READ, src, size))
11469 + return size;
11470 +#endif
11471 +
11472 return __copy_user_nocache(dst, src, size, 1);
11473 }
11474
11475 -static inline int
11476 -__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
11477 +static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
11478 unsigned size)
11479 {
11480 + if ((int)size < 0)
11481 + return size;
11482 +
11483 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11484 + if (!__access_ok(VERIFY_READ, src, size))
11485 + return size;
11486 +#endif
11487 +
11488 return __copy_user_nocache(dst, src, size, 0);
11489 }
11490
11491 -unsigned long
11492 -copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
11493 +extern unsigned long
11494 +copy_user_handle_tail(char __user *to, char __user *from, unsigned len, unsigned zerorest);
11495
11496 #endif /* _ASM_X86_UACCESS_64_H */
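Review bot: `__copy_from_user_nocache()` and `__copy_from_user_inatomic_nocache()` validate `src` with `__access_ok()` under CONFIG_PAX_MEMORY_UDEREF but then pass it on unrebased. By contrast, `__copy_from_user_inatomic()` and `__copy_to_user_inatomic()` in the same hunk add `PAX_USER_SHADOW_BASE` before calling `copy_user_generic()`. `__copy_user_nocache()` is only declared here, so it may apply the rebase itself; if it does, a comment at both call sites (`/* __copy_user_nocache() applies the UDEREF rebase itself */`) would show that the asymmetry is intended. The new `if ((int)size < 0) return size;` guards also deserve a one-line comment saying that a length with the sign bit set is rejected and returned unchanged.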
11497 diff -urNp linux-2.6.32.46/arch/x86/include/asm/uaccess.h linux-2.6.32.46/arch/x86/include/asm/uaccess.h
11498 --- linux-2.6.32.46/arch/x86/include/asm/uaccess.h 2011-06-25 12:55:34.000000000 -0400
11499 +++ linux-2.6.32.46/arch/x86/include/asm/uaccess.h 2011-10-06 09:37:08.000000000 -0400
11500 @@ -8,12 +8,15 @@
11501 #include <linux/thread_info.h>
11502 #include <linux/prefetch.h>
11503 #include <linux/string.h>
11504 +#include <linux/sched.h>
11505 #include <asm/asm.h>
11506 #include <asm/page.h>
11507
11508 #define VERIFY_READ 0
11509 #define VERIFY_WRITE 1
11510
11511 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
11512 +
11513 /*
11514 * The fs value determines whether argument validity checking should be
11515 * performed or not. If get_fs() == USER_DS, checking is performed, with
11516 @@ -29,7 +32,12 @@
11517
11518 #define get_ds() (KERNEL_DS)
11519 #define get_fs() (current_thread_info()->addr_limit)
11520 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
11521 +void __set_fs(mm_segment_t x);
11522 +void set_fs(mm_segment_t x);
11523 +#else
11524 #define set_fs(x) (current_thread_info()->addr_limit = (x))
11525 +#endif
11526
11527 #define segment_eq(a, b) ((a).seg == (b).seg)
11528
11529 @@ -77,7 +85,33 @@
11530 * checks that the pointer is in the user space range - after calling
11531 * this function, memory access functions may still return -EFAULT.
11532 */
11533 -#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
11534 +#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
11535 +#define access_ok(type, addr, size) \
11536 +({ \
11537 + long __size = size; \
11538 + unsigned long __addr = (unsigned long)addr; \
11539 + unsigned long __addr_ao = __addr & PAGE_MASK; \
11540 + unsigned long __end_ao = __addr + __size - 1; \
11541 + bool __ret_ao = __range_not_ok(__addr, __size) == 0; \
11542 + if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
11543 + while(__addr_ao <= __end_ao) { \
11544 + char __c_ao; \
11545 + __addr_ao += PAGE_SIZE; \
11546 + if (__size > PAGE_SIZE) \
11547 + cond_resched(); \
11548 + if (__get_user(__c_ao, (char __user *)__addr)) \
11549 + break; \
11550 + if (type != VERIFY_WRITE) { \
11551 + __addr = __addr_ao; \
11552 + continue; \
11553 + } \
11554 + if (__put_user(__c_ao, (char __user *)__addr)) \
11555 + break; \
11556 + __addr = __addr_ao; \
11557 + } \
11558 + } \
11559 + __ret_ao; \
11560 +})
11561
11562 /*
11563 * The exception table consists of pairs of addresses: the first is the
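Review bot: The new `access_ok()` body uses its arguments unparenthesised: `long __size = size;`, `(unsigned long)addr` and `type != VERIFY_WRITE`. With a pointer expression such as `p + 1` the cast binds to `p` alone, so the range check and the page loop would run on a different address than the caller meant; `long __size = (size);` and `unsigned long __addr = (unsigned long)(addr);` (plus `(type)`) avoid that. A fault inside the loop only breaks out and leaves `__ret_ao` unchanged, so the loop appears to pre-fault pages rather than decide the result. The comment above the macro still describes a pure range check and should mention the page touching and the `cond_resched()`.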
11564 @@ -183,12 +217,20 @@ extern int __get_user_bad(void);
11565 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
11566 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
11567
11568 -
11569 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
11570 +#define __copyuser_seg "gs;"
11571 +#define __COPYUSER_SET_ES "pushl %%gs; popl %%es\n"
11572 +#define __COPYUSER_RESTORE_ES "pushl %%ss; popl %%es\n"
11573 +#else
11574 +#define __copyuser_seg
11575 +#define __COPYUSER_SET_ES
11576 +#define __COPYUSER_RESTORE_ES
11577 +#endif
11578
11579 #ifdef CONFIG_X86_32
11580 #define __put_user_asm_u64(x, addr, err, errret) \
11581 - asm volatile("1: movl %%eax,0(%2)\n" \
11582 - "2: movl %%edx,4(%2)\n" \
11583 + asm volatile("1: "__copyuser_seg"movl %%eax,0(%2)\n" \
11584 + "2: "__copyuser_seg"movl %%edx,4(%2)\n" \
11585 "3:\n" \
11586 ".section .fixup,\"ax\"\n" \
11587 "4: movl %3,%0\n" \
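Review bot: `__copyuser_seg`, `__COPYUSER_SET_ES` and `__COPYUSER_RESTORE_ES` are introduced without a comment, and their effect only shows once they are pasted into an asm template. A short block comment above the `#if` would help, for example `/* X86_32 + UDEREF: user accesses carry a %gs segment override; %es is loaded from %gs and later restored from %ss */`. The users of the two ES macros are not in this hunk, so the wording should be checked against them.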
11588 @@ -200,8 +242,8 @@ extern int __get_user_bad(void);
11589 : "A" (x), "r" (addr), "i" (errret), "0" (err))
11590
11591 #define __put_user_asm_ex_u64(x, addr) \
11592 - asm volatile("1: movl %%eax,0(%1)\n" \
11593 - "2: movl %%edx,4(%1)\n" \
11594 + asm volatile("1: "__copyuser_seg"movl %%eax,0(%1)\n" \
11595 + "2: "__copyuser_seg"movl %%edx,4(%1)\n" \
11596 "3:\n" \
11597 _ASM_EXTABLE(1b, 2b - 1b) \
11598 _ASM_EXTABLE(2b, 3b - 2b) \
11599 @@ -253,7 +295,7 @@ extern void __put_user_8(void);
11600 __typeof__(*(ptr)) __pu_val; \
11601 __chk_user_ptr(ptr); \
11602 might_fault(); \
11603 - __pu_val = x; \
11604 + __pu_val = (x); \
11605 switch (sizeof(*(ptr))) { \
11606 case 1: \
11607 __put_user_x(1, __pu_val, ptr, __ret_pu); \
11608 @@ -374,7 +416,7 @@ do { \
11609 } while (0)
11610
11611 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
11612 - asm volatile("1: mov"itype" %2,%"rtype"1\n" \
11613 + asm volatile("1: "__copyuser_seg"mov"itype" %2,%"rtype"1\n"\
11614 "2:\n" \
11615 ".section .fixup,\"ax\"\n" \
11616 "3: mov %3,%0\n" \
11617 @@ -382,7 +424,7 @@ do { \
11618 " jmp 2b\n" \
11619 ".previous\n" \
11620 _ASM_EXTABLE(1b, 3b) \
11621 - : "=r" (err), ltype(x) \
11622 + : "=r" (err), ltype (x) \
11623 : "m" (__m(addr)), "i" (errret), "0" (err))
11624
11625 #define __get_user_size_ex(x, ptr, size) \
11626 @@ -407,7 +449,7 @@ do { \
11627 } while (0)
11628
11629 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
11630 - asm volatile("1: mov"itype" %1,%"rtype"0\n" \
11631 + asm volatile("1: "__copyuser_seg"mov"itype" %1,%"rtype"0\n"\
11632 "2:\n" \
11633 _ASM_EXTABLE(1b, 2b - 1b) \
11634 : ltype(x) : "m" (__m(addr)))
11635 @@ -424,13 +466,24 @@ do { \
11636 int __gu_err; \
11637 unsigned long __gu_val; \
11638 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
11639 - (x) = (__force __typeof__(*(ptr)))__gu_val; \
11640 + (x) = (__typeof__(*(ptr)))__gu_val; \
11641 __gu_err; \
11642 })
11643
11644 /* FIXME: this hack is definitely wrong -AK */
11645 struct __large_struct { unsigned long buf[100]; };
11646 -#define __m(x) (*(struct __large_struct __user *)(x))
11647 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
11648 +#define ____m(x) \
11649 +({ \
11650 + unsigned long ____x = (unsigned long)(x); \
11651 + if (____x < PAX_USER_SHADOW_BASE) \
11652 + ____x += PAX_USER_SHADOW_BASE; \
11653 + (void __user *)____x; \
11654 +})
11655 +#else
11656 +#define ____m(x) (x)
11657 +#endif
11658 +#define __m(x) (*(struct __large_struct __user *)____m(x))
11659
11660 /*
11661 * Tell gcc we read from memory instead of writing: this is because
11662 @@ -438,7 +491,7 @@ struct __large_struct { unsigned long bu
11663 * aliasing issues.
11664 */
11665 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
11666 - asm volatile("1: mov"itype" %"rtype"1,%2\n" \
11667 + asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"1,%2\n"\
11668 "2:\n" \
11669 ".section .fixup,\"ax\"\n" \
11670 "3: mov %3,%0\n" \
11671 @@ -446,10 +499,10 @@ struct __large_struct { unsigned long bu
11672 ".previous\n" \
11673 _ASM_EXTABLE(1b, 3b) \
11674 : "=r"(err) \
11675 - : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
11676 + : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err))
11677
11678 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
11679 - asm volatile("1: mov"itype" %"rtype"0,%1\n" \
11680 + asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"0,%1\n"\
11681 "2:\n" \
11682 _ASM_EXTABLE(1b, 2b - 1b) \
11683 : : ltype(x), "m" (__m(addr)))
11684 @@ -488,8 +541,12 @@ struct __large_struct { unsigned long bu
11685 * On error, the variable @x is set to zero.
11686 */
11687
11688 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
11689 +#define __get_user(x, ptr) get_user((x), (ptr))
11690 +#else
11691 #define __get_user(x, ptr) \
11692 __get_user_nocheck((x), (ptr), sizeof(*(ptr)))
11693 +#endif
11694
11695 /**
11696 * __put_user: - Write a simple value into user space, with less checking.
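Review bot: With CONFIG_X86_64 and CONFIG_PAX_MEMORY_UDEREF, `__get_user()` now expands to `get_user()`, and the next hunk does the same for `__put_user()`/`put_user()`, yet the kerneldoc for `__put_user` visible here still describes a "less checking" variant. A note in each `#if` branch, e.g. `/* UDEREF on x86-64: route through the checked accessor */`, would tell readers that the unchecked path does not exist in this configuration. The new `access_ok()` loop earlier in this file calls `__get_user`/`__put_user`, so in this configuration it goes through the checked accessors as well.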
11697 @@ -511,8 +568,12 @@ struct __large_struct { unsigned long bu
11698 * Returns zero on success, or -EFAULT on error.
11699 */
11700
11701 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
11702 +#define __put_user(x, ptr) put_user((x), (ptr))
11703 +#else
11704 #define __put_user(x, ptr) \
11705 __put_user_nocheck((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)))
11706 +#endif
11707
11708 #define __get_user_unaligned __get_user
11709 #define __put_user_unaligned __put_user
11710 @@ -530,7 +591,7 @@ struct __large_struct { unsigned long bu
11711 #define get_user_ex(x, ptr) do { \
11712 unsigned long __gue_val; \
11713 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
11714 - (x) = (__force __typeof__(*(ptr)))__gue_val; \
11715 + (x) = (__typeof__(*(ptr)))__gue_val; \
11716 } while (0)
11717
11718 #ifdef CONFIG_X86_WP_WORKS_OK
11719 @@ -567,6 +628,7 @@ extern struct movsl_mask {
11720
11721 #define ARCH_HAS_NOCACHE_UACCESS 1
11722
11723 +#define ARCH_HAS_SORT_EXTABLE
11724 #ifdef CONFIG_X86_32
11725 # include "uaccess_32.h"
11726 #else
11727 diff -urNp linux-2.6.32.46/arch/x86/include/asm/vdso.h linux-2.6.32.46/arch/x86/include/asm/vdso.h
11728 --- linux-2.6.32.46/arch/x86/include/asm/vdso.h 2011-03-27 14:31:47.000000000 -0400
11729 +++ linux-2.6.32.46/arch/x86/include/asm/vdso.h 2011-10-06 09:37:14.000000000 -0400
11730 @@ -25,7 +25,7 @@ extern const char VDSO32_PRELINK[];
11731 #define VDSO32_SYMBOL(base, name) \
11732 ({ \
11733 extern const char VDSO32_##name[]; \
11734 - (void *)(VDSO32_##name - VDSO32_PRELINK + (unsigned long)(base)); \
11735 + (void __user *)(VDSO32_##name - VDSO32_PRELINK + (unsigned long)(base)); \
11736 })
11737 #endif
11738
11739 diff -urNp linux-2.6.32.46/arch/x86/include/asm/vgtod.h linux-2.6.32.46/arch/x86/include/asm/vgtod.h
11740 --- linux-2.6.32.46/arch/x86/include/asm/vgtod.h 2011-03-27 14:31:47.000000000 -0400
11741 +++ linux-2.6.32.46/arch/x86/include/asm/vgtod.h 2011-04-17 15:56:46.000000000 -0400
11742 @@ -14,6 +14,7 @@ struct vsyscall_gtod_data {
11743 int sysctl_enabled;
11744 struct timezone sys_tz;
11745 struct { /* extract of a clocksource struct */
11746 + char name[8];
11747 cycle_t (*vread)(void);
11748 cycle_t cycle_last;
11749 cycle_t mask;
11750 diff -urNp linux-2.6.32.46/arch/x86/include/asm/vmi.h linux-2.6.32.46/arch/x86/include/asm/vmi.h
11751 --- linux-2.6.32.46/arch/x86/include/asm/vmi.h 2011-03-27 14:31:47.000000000 -0400
11752 +++ linux-2.6.32.46/arch/x86/include/asm/vmi.h 2011-04-17 15:56:46.000000000 -0400
11753 @@ -191,6 +191,7 @@ struct vrom_header {
11754 u8 reserved[96]; /* Reserved for headers */
11755 char vmi_init[8]; /* VMI_Init jump point */
11756 char get_reloc[8]; /* VMI_GetRelocationInfo jump point */
11757 + char rom_data[8048]; /* rest of the option ROM */
11758 } __attribute__((packed));
11759
11760 struct pnp_header {
11761 diff -urNp linux-2.6.32.46/arch/x86/include/asm/vmi_time.h linux-2.6.32.46/arch/x86/include/asm/vmi_time.h
11762 --- linux-2.6.32.46/arch/x86/include/asm/vmi_time.h 2011-03-27 14:31:47.000000000 -0400
11763 +++ linux-2.6.32.46/arch/x86/include/asm/vmi_time.h 2011-08-05 20:33:55.000000000 -0400
11764 @@ -43,7 +43,7 @@ extern struct vmi_timer_ops {
11765 int (*wallclock_updated)(void);
11766 void (*set_alarm)(u32 flags, u64 expiry, u64 period);
11767 void (*cancel_alarm)(u32 flags);
11768 -} vmi_timer_ops;
11769 +} __no_const vmi_timer_ops;
11770
11771 /* Prototypes */
11772 extern void __init vmi_time_init(void);
11773 diff -urNp linux-2.6.32.46/arch/x86/include/asm/vsyscall.h linux-2.6.32.46/arch/x86/include/asm/vsyscall.h
11774 --- linux-2.6.32.46/arch/x86/include/asm/vsyscall.h 2011-03-27 14:31:47.000000000 -0400
11775 +++ linux-2.6.32.46/arch/x86/include/asm/vsyscall.h 2011-04-17 15:56:46.000000000 -0400
11776 @@ -15,9 +15,10 @@ enum vsyscall_num {
11777
11778 #ifdef __KERNEL__
11779 #include <linux/seqlock.h>
11780 +#include <linux/getcpu.h>
11781 +#include <linux/time.h>
11782
11783 #define __section_vgetcpu_mode __attribute__ ((unused, __section__ (".vgetcpu_mode"), aligned(16)))
11784 -#define __section_jiffies __attribute__ ((unused, __section__ (".jiffies"), aligned(16)))
11785
11786 /* Definitions for CONFIG_GENERIC_TIME definitions */
11787 #define __section_vsyscall_gtod_data __attribute__ \
11788 @@ -31,7 +32,6 @@ enum vsyscall_num {
11789 #define VGETCPU_LSL 2
11790
11791 extern int __vgetcpu_mode;
11792 -extern volatile unsigned long __jiffies;
11793
11794 /* kernel space (writeable) */
11795 extern int vgetcpu_mode;
11796 @@ -39,6 +39,9 @@ extern struct timezone sys_tz;
11797
11798 extern void map_vsyscall(void);
11799
11800 +extern int vgettimeofday(struct timeval * tv, struct timezone * tz);
11801 +extern time_t vtime(time_t *t);
11802 +extern long vgetcpu(unsigned *cpu, unsigned *node, struct getcpu_cache *tcache);
11803 #endif /* __KERNEL__ */
11804
11805 #endif /* _ASM_X86_VSYSCALL_H */
11806 diff -urNp linux-2.6.32.46/arch/x86/include/asm/x86_init.h linux-2.6.32.46/arch/x86/include/asm/x86_init.h
11807 --- linux-2.6.32.46/arch/x86/include/asm/x86_init.h 2011-03-27 14:31:47.000000000 -0400
11808 +++ linux-2.6.32.46/arch/x86/include/asm/x86_init.h 2011-08-05 20:33:55.000000000 -0400
11809 @@ -28,7 +28,7 @@ struct x86_init_mpparse {
11810 void (*mpc_oem_bus_info)(struct mpc_bus *m, char *name);
11811 void (*find_smp_config)(unsigned int reserve);
11812 void (*get_smp_config)(unsigned int early);
11813 -};
11814 +} __no_const;
11815
11816 /**
11817 * struct x86_init_resources - platform specific resource related ops
11818 @@ -42,7 +42,7 @@ struct x86_init_resources {
11819 void (*probe_roms)(void);
11820 void (*reserve_resources)(void);
11821 char *(*memory_setup)(void);
11822 -};
11823 +} __no_const;
11824
11825 /**
11826 * struct x86_init_irqs - platform specific interrupt setup
11827 @@ -55,7 +55,7 @@ struct x86_init_irqs {
11828 void (*pre_vector_init)(void);
11829 void (*intr_init)(void);
11830 void (*trap_init)(void);
11831 -};
11832 +} __no_const;
11833
11834 /**
11835 * struct x86_init_oem - oem platform specific customizing functions
11836 @@ -65,7 +65,7 @@ struct x86_init_irqs {
11837 struct x86_init_oem {
11838 void (*arch_setup)(void);
11839 void (*banner)(void);
11840 -};
11841 +} __no_const;
11842
11843 /**
11844 * struct x86_init_paging - platform specific paging functions
11845 @@ -75,7 +75,7 @@ struct x86_init_oem {
11846 struct x86_init_paging {
11847 void (*pagetable_setup_start)(pgd_t *base);
11848 void (*pagetable_setup_done)(pgd_t *base);
11849 -};
11850 +} __no_const;
11851
11852 /**
11853 * struct x86_init_timers - platform specific timer setup
11854 @@ -88,7 +88,7 @@ struct x86_init_timers {
11855 void (*setup_percpu_clockev)(void);
11856 void (*tsc_pre_init)(void);
11857 void (*timer_init)(void);
11858 -};
11859 +} __no_const;
11860
11861 /**
11862 * struct x86_init_ops - functions for platform specific setup
11863 @@ -101,7 +101,7 @@ struct x86_init_ops {
11864 struct x86_init_oem oem;
11865 struct x86_init_paging paging;
11866 struct x86_init_timers timers;
11867 -};
11868 +} __no_const;
11869
11870 /**
11871 * struct x86_cpuinit_ops - platform specific cpu hotplug setups
11872 @@ -109,7 +109,7 @@ struct x86_init_ops {
11873 */
11874 struct x86_cpuinit_ops {
11875 void (*setup_percpu_clockev)(void);
11876 -};
11877 +} __no_const;
11878
11879 /**
11880 * struct x86_platform_ops - platform specific runtime functions
11881 @@ -121,7 +121,7 @@ struct x86_platform_ops {
11882 unsigned long (*calibrate_tsc)(void);
11883 unsigned long (*get_wallclock)(void);
11884 int (*set_wallclock)(unsigned long nowtime);
11885 -};
11886 +} __no_const;
11887
11888 extern struct x86_init_ops x86_init;
11889 extern struct x86_cpuinit_ops x86_cpuinit;
11890 diff -urNp linux-2.6.32.46/arch/x86/include/asm/xsave.h linux-2.6.32.46/arch/x86/include/asm/xsave.h
11891 --- linux-2.6.32.46/arch/x86/include/asm/xsave.h 2011-03-27 14:31:47.000000000 -0400
11892 +++ linux-2.6.32.46/arch/x86/include/asm/xsave.h 2011-10-06 09:37:08.000000000 -0400
11893 @@ -56,6 +56,12 @@ static inline int xrstor_checking(struct
11894 static inline int xsave_user(struct xsave_struct __user *buf)
11895 {
11896 int err;
11897 +
11898 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
11899 + if ((unsigned long)buf < PAX_USER_SHADOW_BASE)
11900 + buf = (struct xsave_struct __user *)((void __user*)buf + PAX_USER_SHADOW_BASE);
11901 +#endif
11902 +
11903 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x27\n"
11904 "2:\n"
11905 ".section .fixup,\"ax\"\n"
11906 @@ -78,10 +84,15 @@ static inline int xsave_user(struct xsav
11907 static inline int xrestore_user(struct xsave_struct __user *buf, u64 mask)
11908 {
11909 int err;
11910 - struct xsave_struct *xstate = ((__force struct xsave_struct *)buf);
11911 + struct xsave_struct *xstate = ((__force_kernel struct xsave_struct *)buf);
11912 u32 lmask = mask;
11913 u32 hmask = mask >> 32;
11914
11915 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
11916 + if ((unsigned long)xstate < PAX_USER_SHADOW_BASE)
11917 + xstate = (struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE);
11918 +#endif
11919 +
11920 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
11921 "2:\n"
11922 ".section .fixup,\"ax\"\n"
11923 diff -urNp linux-2.6.32.46/arch/x86/Kconfig linux-2.6.32.46/arch/x86/Kconfig
11924 --- linux-2.6.32.46/arch/x86/Kconfig 2011-03-27 14:31:47.000000000 -0400
11925 +++ linux-2.6.32.46/arch/x86/Kconfig 2011-04-17 15:56:46.000000000 -0400
11926 @@ -223,7 +223,7 @@ config X86_TRAMPOLINE
11927
11928 config X86_32_LAZY_GS
11929 def_bool y
11930 - depends on X86_32 && !CC_STACKPROTECTOR
11931 + depends on X86_32 && !CC_STACKPROTECTOR && !PAX_MEMORY_UDEREF
11932
11933 config KTIME_SCALAR
11934 def_bool X86_32
11935 @@ -1008,7 +1008,7 @@ choice
11936
11937 config NOHIGHMEM
11938 bool "off"
11939 - depends on !X86_NUMAQ
11940 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
11941 ---help---
11942 Linux can use up to 64 Gigabytes of physical memory on x86 systems.
11943 However, the address space of 32-bit x86 processors is only 4
11944 @@ -1045,7 +1045,7 @@ config NOHIGHMEM
11945
11946 config HIGHMEM4G
11947 bool "4GB"
11948 - depends on !X86_NUMAQ
11949 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
11950 ---help---
11951 Select this if you have a 32-bit processor and between 1 and 4
11952 gigabytes of physical RAM.
11953 @@ -1099,7 +1099,7 @@ config PAGE_OFFSET
11954 hex
11955 default 0xB0000000 if VMSPLIT_3G_OPT
11956 default 0x80000000 if VMSPLIT_2G
11957 - default 0x78000000 if VMSPLIT_2G_OPT
11958 + default 0x70000000 if VMSPLIT_2G_OPT
11959 default 0x40000000 if VMSPLIT_1G
11960 default 0xC0000000
11961 depends on X86_32
11962 @@ -1430,7 +1430,7 @@ config ARCH_USES_PG_UNCACHED
11963
11964 config EFI
11965 bool "EFI runtime service support"
11966 - depends on ACPI
11967 + depends on ACPI && !PAX_KERNEXEC
11968 ---help---
11969 This enables the kernel to use EFI runtime services that are
11970 available (such as the EFI variable services).
11971 @@ -1460,6 +1460,7 @@ config SECCOMP
11972
11973 config CC_STACKPROTECTOR
11974 bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
11975 + depends on X86_64 || !PAX_MEMORY_UDEREF
11976 ---help---
11977 This option turns on the -fstack-protector GCC feature. This
11978 feature puts, at the beginning of functions, a canary value on
11979 @@ -1517,6 +1518,7 @@ config KEXEC_JUMP
11980 config PHYSICAL_START
11981 hex "Physical address where the kernel is loaded" if (EMBEDDED || CRASH_DUMP)
11982 default "0x1000000"
11983 + range 0x400000 0x40000000
11984 ---help---
11985 This gives the physical address where the kernel is loaded.
11986
11987 @@ -1581,6 +1583,7 @@ config PHYSICAL_ALIGN
11988 hex
11989 prompt "Alignment value to which kernel should be aligned" if X86_32
11990 default "0x1000000"
11991 + range 0x400000 0x1000000 if PAX_KERNEXEC
11992 range 0x2000 0x1000000
11993 ---help---
11994 This value puts the alignment restrictions on physical address
11995 @@ -1612,9 +1615,10 @@ config HOTPLUG_CPU
11996 Say N if you want to disable CPU hotplug.
11997
11998 config COMPAT_VDSO
11999 - def_bool y
12000 + def_bool n
12001 prompt "Compat VDSO support"
12002 depends on X86_32 || IA32_EMULATION
12003 + depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
12004 ---help---
12005 Map the 32-bit VDSO to the predictable old-style address too.
12006 ---help---
12007 diff -urNp linux-2.6.32.46/arch/x86/Kconfig.cpu linux-2.6.32.46/arch/x86/Kconfig.cpu
12008 --- linux-2.6.32.46/arch/x86/Kconfig.cpu 2011-03-27 14:31:47.000000000 -0400
12009 +++ linux-2.6.32.46/arch/x86/Kconfig.cpu 2011-04-17 15:56:46.000000000 -0400
12010 @@ -340,7 +340,7 @@ config X86_PPRO_FENCE
12011
12012 config X86_F00F_BUG
12013 def_bool y
12014 - depends on M586MMX || M586TSC || M586 || M486 || M386
12015 + depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
12016
12017 config X86_WP_WORKS_OK
12018 def_bool y
12019 @@ -360,7 +360,7 @@ config X86_POPAD_OK
12020
12021 config X86_ALIGNMENT_16
12022 def_bool y
12023 - depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
12024 + depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
12025
12026 config X86_INTEL_USERCOPY
12027 def_bool y
12028 @@ -406,7 +406,7 @@ config X86_CMPXCHG64
12029 # generates cmov.
12030 config X86_CMOV
12031 def_bool y
12032 - depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM)
12033 + depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM)
12034
12035 config X86_MINIMUM_CPU_FAMILY
12036 int
12037 diff -urNp linux-2.6.32.46/arch/x86/Kconfig.debug linux-2.6.32.46/arch/x86/Kconfig.debug
12038 --- linux-2.6.32.46/arch/x86/Kconfig.debug 2011-03-27 14:31:47.000000000 -0400
12039 +++ linux-2.6.32.46/arch/x86/Kconfig.debug 2011-04-17 15:56:46.000000000 -0400
12040 @@ -99,7 +99,7 @@ config X86_PTDUMP
12041 config DEBUG_RODATA
12042 bool "Write protect kernel read-only data structures"
12043 default y
12044 - depends on DEBUG_KERNEL
12045 + depends on DEBUG_KERNEL && BROKEN
12046 ---help---
12047 Mark the kernel read-only data as write-protected in the pagetables,
12048 in order to catch accidental (and incorrect) writes to such const
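Review bot: `depends on DEBUG_KERNEL && BROKEN` makes DEBUG_RODATA unselectable unless BROKEN is set, but neither the entry nor its help text says why. A Kconfig comment above the `depends on` line, such as `# disabled in this patch set: <reason>`, would keep a later maintainer from re-enabling it by dropping `BROKEN`. The reason itself is not visible in this hunk and has to come from the patch authors.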
12049 diff -urNp linux-2.6.32.46/arch/x86/kernel/acpi/realmode/Makefile linux-2.6.32.46/arch/x86/kernel/acpi/realmode/Makefile
12050 --- linux-2.6.32.46/arch/x86/kernel/acpi/realmode/Makefile 2011-03-27 14:31:47.000000000 -0400
12051 +++ linux-2.6.32.46/arch/x86/kernel/acpi/realmode/Makefile 2011-08-07 14:38:58.000000000 -0400
12052 @@ -41,6 +41,9 @@ KBUILD_CFLAGS := $(LINUXINCLUDE) -g -Os
12053 $(call cc-option, -fno-stack-protector) \
12054 $(call cc-option, -mpreferred-stack-boundary=2)
12055 KBUILD_CFLAGS += $(call cc-option, -m32)
12056 +ifdef CONSTIFY_PLUGIN
12057 +KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
12058 +endif
12059 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
12060 GCOV_PROFILE := n
12061
12062 diff -urNp linux-2.6.32.46/arch/x86/kernel/acpi/realmode/wakeup.S linux-2.6.32.46/arch/x86/kernel/acpi/realmode/wakeup.S
12063 --- linux-2.6.32.46/arch/x86/kernel/acpi/realmode/wakeup.S 2011-03-27 14:31:47.000000000 -0400
12064 +++ linux-2.6.32.46/arch/x86/kernel/acpi/realmode/wakeup.S 2011-07-01 18:53:40.000000000 -0400
12065 @@ -91,6 +91,9 @@ _start:
12066 /* Do any other stuff... */
12067
12068 #ifndef CONFIG_64BIT
12069 + /* Recheck NX bit overrides (64bit path does this in trampoline) */
12070 + call verify_cpu
12071 +
12072 /* This could also be done in C code... */
12073 movl pmode_cr3, %eax
12074 movl %eax, %cr3
12075 @@ -104,7 +107,7 @@ _start:
12076 movl %eax, %ecx
12077 orl %edx, %ecx
12078 jz 1f
12079 - movl $0xc0000080, %ecx
12080 + mov $MSR_EFER, %ecx
12081 wrmsr
12082 1:
12083
12084 @@ -114,6 +117,7 @@ _start:
12085 movl pmode_cr0, %eax
12086 movl %eax, %cr0
12087 jmp pmode_return
12088 +# include "../../verify_cpu.S"
12089 #else
12090 pushw $0
12091 pushw trampoline_segment
12092 diff -urNp linux-2.6.32.46/arch/x86/kernel/acpi/sleep.c linux-2.6.32.46/arch/x86/kernel/acpi/sleep.c
12093 --- linux-2.6.32.46/arch/x86/kernel/acpi/sleep.c 2011-03-27 14:31:47.000000000 -0400
12094 +++ linux-2.6.32.46/arch/x86/kernel/acpi/sleep.c 2011-07-01 19:01:34.000000000 -0400
12095 @@ -11,11 +11,12 @@
12096 #include <linux/cpumask.h>
12097 #include <asm/segment.h>
12098 #include <asm/desc.h>
12099 +#include <asm/e820.h>
12100
12101 #include "realmode/wakeup.h"
12102 #include "sleep.h"
12103
12104 -unsigned long acpi_wakeup_address;
12105 +unsigned long acpi_wakeup_address = 0x2000;
12106 unsigned long acpi_realmode_flags;
12107
12108 /* address in low memory of the wakeup routine. */
12109 @@ -98,9 +99,13 @@ int acpi_save_state_mem(void)
12110 #else /* CONFIG_64BIT */
12111 header->trampoline_segment = setup_trampoline() >> 4;
12112 #ifdef CONFIG_SMP
12113 - stack_start.sp = temp_stack + sizeof(temp_stack);
12114 + stack_start = (unsigned long)temp_stack + sizeof(temp_stack);
12115 +
12116 + pax_open_kernel();
12117 early_gdt_descr.address =
12118 (unsigned long)get_cpu_gdt_table(smp_processor_id());
12119 + pax_close_kernel();
12120 +
12121 initial_gs = per_cpu_offset(smp_processor_id());
12122 #endif
12123 initial_code = (unsigned long)wakeup_long64;
12124 @@ -134,14 +139,8 @@ void __init acpi_reserve_bootmem(void)
12125 return;
12126 }
12127
12128 - acpi_realmode = (unsigned long)alloc_bootmem_low(WAKEUP_SIZE);
12129 -
12130 - if (!acpi_realmode) {
12131 - printk(KERN_ERR "ACPI: Cannot allocate lowmem, S3 disabled.\n");
12132 - return;
12133 - }
12134 -
12135 - acpi_wakeup_address = virt_to_phys((void *)acpi_realmode);
12136 + reserve_early(acpi_wakeup_address, acpi_wakeup_address + WAKEUP_SIZE, "ACPI Wakeup Code");
12137 + acpi_realmode = (unsigned long)__va(acpi_wakeup_address);;
12138 }
12139
12140
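Review bot: The second added line ends in a stray double semicolon, `acpi_realmode = (unsigned long)__va(acpi_wakeup_address);;`, which should be a single `;`. More importantly, the removed allocation path could fail gracefully and print "S3 disabled", while the new `reserve_early()` call relies on the fixed default from the first hunk of this file (`acpi_wakeup_address = 0x2000`), with no visible check that the range is usable RAM or free of other early reservations. If `reserve_early()` cannot report failure to this caller, a comment stating why that address is always safe would help, e.g. `/* fixed low-memory slot for the real-mode wakeup code; must not overlap the trampoline or BIOS areas */`. The body of acpi_reserve_bootmem() starts outside the hunk.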
12141 diff -urNp linux-2.6.32.46/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.32.46/arch/x86/kernel/acpi/wakeup_32.S
12142 --- linux-2.6.32.46/arch/x86/kernel/acpi/wakeup_32.S 2011-03-27 14:31:47.000000000 -0400
12143 +++ linux-2.6.32.46/arch/x86/kernel/acpi/wakeup_32.S 2011-04-17 15:56:46.000000000 -0400
12144 @@ -30,13 +30,11 @@ wakeup_pmode_return:
12145 # and restore the stack ... but you need gdt for this to work
12146 movl saved_context_esp, %esp
12147
12148 - movl %cs:saved_magic, %eax
12149 - cmpl $0x12345678, %eax
12150 + cmpl $0x12345678, saved_magic
12151 jne bogus_magic
12152
12153 # jump to place where we left off
12154 - movl saved_eip, %eax
12155 - jmp *%eax
12156 + jmp *(saved_eip)
12157
12158 bogus_magic:
12159 jmp bogus_magic
12160 diff -urNp linux-2.6.32.46/arch/x86/kernel/alternative.c linux-2.6.32.46/arch/x86/kernel/alternative.c
12161 --- linux-2.6.32.46/arch/x86/kernel/alternative.c 2011-03-27 14:31:47.000000000 -0400
12162 +++ linux-2.6.32.46/arch/x86/kernel/alternative.c 2011-04-17 15:56:46.000000000 -0400
12163 @@ -407,7 +407,7 @@ void __init_or_module apply_paravirt(str
12164
12165 BUG_ON(p->len > MAX_PATCH_LEN);
12166 /* prep the buffer with the original instructions */
12167 - memcpy(insnbuf, p->instr, p->len);
12168 + memcpy(insnbuf, ktla_ktva(p->instr), p->len);
12169 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
12170 (unsigned long)p->instr, p->len);
12171
12172 @@ -475,7 +475,7 @@ void __init alternative_instructions(voi
12173 if (smp_alt_once)
12174 free_init_pages("SMP alternatives",
12175 (unsigned long)__smp_locks,
12176 - (unsigned long)__smp_locks_end);
12177 + PAGE_ALIGN((unsigned long)__smp_locks_end));
12178
12179 restart_nmi();
12180 }
12181 @@ -492,13 +492,17 @@ void __init alternative_instructions(voi
12182 * instructions. And on the local CPU you need to be protected again NMI or MCE
12183 * handlers seeing an inconsistent instruction while you patch.
12184 */
12185 -static void *__init_or_module text_poke_early(void *addr, const void *opcode,
12186 +static void *__kprobes text_poke_early(void *addr, const void *opcode,
12187 size_t len)
12188 {
12189 unsigned long flags;
12190 local_irq_save(flags);
12191 - memcpy(addr, opcode, len);
12192 +
12193 + pax_open_kernel();
12194 + memcpy(ktla_ktva(addr), opcode, len);
12195 sync_core();
12196 + pax_close_kernel();
12197 +
12198 local_irq_restore(flags);
12199 /* Could also do a CLFLUSH here to speed up CPU recovery; but
12200 that causes hangs on some VIA CPUs. */
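Review bot: `local_irq_save()` does not mask NMI or machine-check handlers, so the window between `pax_open_kernel()` and `pax_close_kernel()` is reachable by them while kernel write protection is presumably lifted; the block comment above already warns about NMI/MCE for instruction consistency and should now cover this window too. The section attribute changes from `__init_or_module` to `__kprobes`, which suggests the function is now called at run time, so any header wording (it starts outside the hunk) describing it as an early-boot helper is out of date. A short comment at the write would be enough: `/* write through the ktla_ktva() alias; keep the open-kernel window minimal, IRQs are off but NMI/MCE are not */`.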
12201 @@ -520,35 +524,21 @@ static void *__init_or_module text_poke_
12202 */
12203 void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
12204 {
12205 - unsigned long flags;
12206 - char *vaddr;
12207 + unsigned char *vaddr = ktla_ktva(addr);
12208 struct page *pages[2];
12209 - int i;
12210 + size_t i;
12211
12212 if (!core_kernel_text((unsigned long)addr)) {
12213 - pages[0] = vmalloc_to_page(addr);
12214 - pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
12215 + pages[0] = vmalloc_to_page(vaddr);
12216 + pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
12217 } else {
12218 - pages[0] = virt_to_page(addr);
12219 + pages[0] = virt_to_page(vaddr);
12220 WARN_ON(!PageReserved(pages[0]));
12221 - pages[1] = virt_to_page(addr + PAGE_SIZE);
12222 + pages[1] = virt_to_page(vaddr + PAGE_SIZE);
12223 }
12224 BUG_ON(!pages[0]);
12225 - local_irq_save(flags);
12226 - set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
12227 - if (pages[1])
12228 - set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
12229 - vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
12230 - memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
12231 - clear_fixmap(FIX_TEXT_POKE0);
12232 - if (pages[1])
12233 - clear_fixmap(FIX_TEXT_POKE1);
12234 - local_flush_tlb();
12235 - sync_core();
12236 - /* Could also do a CLFLUSH here to speed up CPU recovery; but
12237 - that causes hangs on some VIA CPUs. */
12238 + text_poke_early(addr, opcode, len);
12239 for (i = 0; i < len; i++)
12240 - BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
12241 - local_irq_restore(flags);
12242 + BUG_ON((vaddr)[i] != ((const unsigned char *)opcode)[i]);
12243 return addr;
12244 }
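Review bot: With the fixmap path removed, `pages[]` is only read by `WARN_ON(!PageReserved(pages[0]))` and `BUG_ON(!pages[0])`, so `pages[1]` is computed and never used; the `vmalloc_to_page(vaddr + PAGE_SIZE)` and `virt_to_page(vaddr + PAGE_SIZE)` lines can go and `pages` can shrink to a single `struct page *`. The write is now delegated to `text_poke_early()`, so the temporary-alias design described in the kerneldoc above (outside this hunk) presumably no longer matches the code. The read-back loop compares through `vaddr`, the same alias that was just written, which confirms the store but not that the original `addr` mapping observes it; a comment should say whether that is intentional.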
12245 diff -urNp linux-2.6.32.46/arch/x86/kernel/amd_iommu.c linux-2.6.32.46/arch/x86/kernel/amd_iommu.c
12246 --- linux-2.6.32.46/arch/x86/kernel/amd_iommu.c 2011-03-27 14:31:47.000000000 -0400
12247 +++ linux-2.6.32.46/arch/x86/kernel/amd_iommu.c 2011-04-17 15:56:46.000000000 -0400
12248 @@ -2076,7 +2076,7 @@ static void prealloc_protection_domains(
12249 }
12250 }
12251
12252 -static struct dma_map_ops amd_iommu_dma_ops = {
12253 +static const struct dma_map_ops amd_iommu_dma_ops = {
12254 .alloc_coherent = alloc_coherent,
12255 .free_coherent = free_coherent,
12256 .map_page = map_page,
12257 diff -urNp linux-2.6.32.46/arch/x86/kernel/apic/apic.c linux-2.6.32.46/arch/x86/kernel/apic/apic.c
12258 --- linux-2.6.32.46/arch/x86/kernel/apic/apic.c 2011-03-27 14:31:47.000000000 -0400
12259 +++ linux-2.6.32.46/arch/x86/kernel/apic/apic.c 2011-08-17 20:00:16.000000000 -0400
12260 @@ -170,7 +170,7 @@ int first_system_vector = 0xfe;
12261 /*
12262 * Debug level, exported for io_apic.c
12263 */
12264 -unsigned int apic_verbosity;
12265 +int apic_verbosity;
12266
12267 int pic_mode;
12268
12269 @@ -1794,7 +1794,7 @@ void smp_error_interrupt(struct pt_regs
12270 apic_write(APIC_ESR, 0);
12271 v1 = apic_read(APIC_ESR);
12272 ack_APIC_irq();
12273 - atomic_inc(&irq_err_count);
12274 + atomic_inc_unchecked(&irq_err_count);
12275
12276 /*
12277 * Here is what the APIC error bits mean:
12278 @@ -2184,6 +2184,8 @@ static int __cpuinit apic_cluster_num(vo
12279 u16 *bios_cpu_apicid;
12280 DECLARE_BITMAP(clustermap, NUM_APIC_CLUSTERS);
12281
12282 + pax_track_stack();
12283 +
12284 bios_cpu_apicid = early_per_cpu_ptr(x86_bios_cpu_apicid);
12285 bitmap_zero(clustermap, NUM_APIC_CLUSTERS);
12286
12287 diff -urNp linux-2.6.32.46/arch/x86/kernel/apic/io_apic.c linux-2.6.32.46/arch/x86/kernel/apic/io_apic.c
12288 --- linux-2.6.32.46/arch/x86/kernel/apic/io_apic.c 2011-03-27 14:31:47.000000000 -0400
12289 +++ linux-2.6.32.46/arch/x86/kernel/apic/io_apic.c 2011-05-04 17:56:20.000000000 -0400
12290 @@ -716,7 +716,7 @@ struct IO_APIC_route_entry **alloc_ioapi
12291 ioapic_entries = kzalloc(sizeof(*ioapic_entries) * nr_ioapics,
12292 GFP_ATOMIC);
12293 if (!ioapic_entries)
12294 - return 0;
12295 + return NULL;
12296
12297 for (apic = 0; apic < nr_ioapics; apic++) {
12298 ioapic_entries[apic] =
12299 @@ -733,7 +733,7 @@ nomem:
12300 kfree(ioapic_entries[apic]);
12301 kfree(ioapic_entries);
12302
12303 - return 0;
12304 + return NULL;
12305 }
12306
12307 /*
12308 @@ -1150,7 +1150,7 @@ int IO_APIC_get_PCI_irq_vector(int bus,
12309 }
12310 EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector);
12311
12312 -void lock_vector_lock(void)
12313 +void lock_vector_lock(void) __acquires(vector_lock)
12314 {
12315 /* Used to the online set of cpus does not change
12316 * during assign_irq_vector.
12317 @@ -1158,7 +1158,7 @@ void lock_vector_lock(void)
12318 spin_lock(&vector_lock);
12319 }
12320
12321 -void unlock_vector_lock(void)
12322 +void unlock_vector_lock(void) __releases(vector_lock)
12323 {
12324 spin_unlock(&vector_lock);
12325 }
12326 @@ -2542,7 +2542,7 @@ static void ack_apic_edge(unsigned int i
12327 ack_APIC_irq();
12328 }
12329
12330 -atomic_t irq_mis_count;
12331 +atomic_unchecked_t irq_mis_count;
12332
12333 static void ack_apic_level(unsigned int irq)
12334 {
12335 @@ -2626,7 +2626,7 @@ static void ack_apic_level(unsigned int
12336
12337 /* Tail end of version 0x11 I/O APIC bug workaround */
12338 if (!(v & (1 << (i & 0x1f)))) {
12339 - atomic_inc(&irq_mis_count);
12340 + atomic_inc_unchecked(&irq_mis_count);
12341 spin_lock(&ioapic_lock);
12342 __mask_and_edge_IO_APIC_irq(cfg);
12343 __unmask_and_level_IO_APIC_irq(cfg);
12344 diff -urNp linux-2.6.32.46/arch/x86/kernel/apm_32.c linux-2.6.32.46/arch/x86/kernel/apm_32.c
12345 --- linux-2.6.32.46/arch/x86/kernel/apm_32.c 2011-03-27 14:31:47.000000000 -0400
12346 +++ linux-2.6.32.46/arch/x86/kernel/apm_32.c 2011-04-23 12:56:10.000000000 -0400
12347 @@ -410,7 +410,7 @@ static DEFINE_SPINLOCK(user_list_lock);
12348 * This is for buggy BIOS's that refer to (real mode) segment 0x40
12349 * even though they are called in protected mode.
12350 */
12351 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
12352 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
12353 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
12354
12355 static const char driver_version[] = "1.16ac"; /* no spaces */
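Review bot: The descriptor flags change from `0x4092` to `0x4093` without explanation; the only difference is the accessed bit in the type field. Presumably it is pre-set so the CPU never has to write the accessed bit back into a GDT that is read-only outside `pax_open_kernel()`, and that reasoning belongs next to the constant. Suggested comment: `/* accessed bit pre-set (0x4093) so loading this segment never requires a write to the read-only GDT */`.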
12356 @@ -588,7 +588,10 @@ static long __apm_bios_call(void *_call)
12357 BUG_ON(cpu != 0);
12358 gdt = get_cpu_gdt_table(cpu);
12359 save_desc_40 = gdt[0x40 / 8];
12360 +
12361 + pax_open_kernel();
12362 gdt[0x40 / 8] = bad_bios_desc;
12363 + pax_close_kernel();
12364
12365 apm_irq_save(flags);
12366 APM_DO_SAVE_SEGS;
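Review bot: The open/write/close sequence around `gdt[0x40 / 8]` is repeated four times, here and in the next hunk of `__apm_bios_call()` and in both hunks of `__apm_bios_call_simple()`; a small static helper would keep every `pax_open_kernel()` paired with its `pax_close_kernel()` in one place. The first swap also runs before `apm_irq_save(flags)` and the restore after `apm_irq_restore(flags)`, so unless `pax_open_kernel()` itself prevents interruption, the write-enabled window is entered with interrupts on. Both function bodies start and end outside these hunks.

```c
/* Replace the 0x40 GDT slot; the write is confined to one open/close pair. */
static void apm_set_desc_40(struct desc_struct *gdt,
			    const struct desc_struct *desc)
{
	pax_open_kernel();
	gdt[0x40 / 8] = *desc;
	pax_close_kernel();
}

/* … unchanged: cpu lookup, save_desc_40 = gdt[0x40 / 8] … */
	apm_set_desc_40(gdt, &bad_bios_desc);
/* … unchanged: BIOS call with segments saved and restored … */
	apm_set_desc_40(gdt, &save_desc_40);
```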
12367 @@ -597,7 +600,11 @@ static long __apm_bios_call(void *_call)
12368 &call->esi);
12369 APM_DO_RESTORE_SEGS;
12370 apm_irq_restore(flags);
12371 +
12372 + pax_open_kernel();
12373 gdt[0x40 / 8] = save_desc_40;
12374 + pax_close_kernel();
12375 +
12376 put_cpu();
12377
12378 return call->eax & 0xff;
12379 @@ -664,7 +671,10 @@ static long __apm_bios_call_simple(void
12380 BUG_ON(cpu != 0);
12381 gdt = get_cpu_gdt_table(cpu);
12382 save_desc_40 = gdt[0x40 / 8];
12383 +
12384 + pax_open_kernel();
12385 gdt[0x40 / 8] = bad_bios_desc;
12386 + pax_close_kernel();
12387
12388 apm_irq_save(flags);
12389 APM_DO_SAVE_SEGS;
12390 @@ -672,7 +682,11 @@ static long __apm_bios_call_simple(void
12391 &call->eax);
12392 APM_DO_RESTORE_SEGS;
12393 apm_irq_restore(flags);
12394 +
12395 + pax_open_kernel();
12396 gdt[0x40 / 8] = save_desc_40;
12397 + pax_close_kernel();
12398 +
12399 put_cpu();
12400 return error;
12401 }
12402 @@ -975,7 +989,7 @@ recalc:
12403
12404 static void apm_power_off(void)
12405 {
12406 - unsigned char po_bios_call[] = {
12407 + const unsigned char po_bios_call[] = {
12408 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
12409 0x8e, 0xd0, /* movw ax,ss */
12410 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
12411 @@ -2357,12 +2371,15 @@ static int __init apm_init(void)
12412 * code to that CPU.
12413 */
12414 gdt = get_cpu_gdt_table(0);
12415 +
12416 + pax_open_kernel();
12417 set_desc_base(&gdt[APM_CS >> 3],
12418 (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
12419 set_desc_base(&gdt[APM_CS_16 >> 3],
12420 (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
12421 set_desc_base(&gdt[APM_DS >> 3],
12422 (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
12423 + pax_close_kernel();
12424
12425 proc_create("apm", 0, NULL, &apm_file_ops);
12426
12427 diff -urNp linux-2.6.32.46/arch/x86/kernel/asm-offsets_32.c linux-2.6.32.46/arch/x86/kernel/asm-offsets_32.c
12428 --- linux-2.6.32.46/arch/x86/kernel/asm-offsets_32.c 2011-03-27 14:31:47.000000000 -0400
12429 +++ linux-2.6.32.46/arch/x86/kernel/asm-offsets_32.c 2011-05-16 21:46:57.000000000 -0400
12430 @@ -51,7 +51,6 @@ void foo(void)
12431 OFFSET(CPUINFO_x86_vendor_id, cpuinfo_x86, x86_vendor_id);
12432 BLANK();
12433
12434 - OFFSET(TI_task, thread_info, task);
12435 OFFSET(TI_exec_domain, thread_info, exec_domain);
12436 OFFSET(TI_flags, thread_info, flags);
12437 OFFSET(TI_status, thread_info, status);
12438 @@ -60,6 +59,8 @@ void foo(void)
12439 OFFSET(TI_restart_block, thread_info, restart_block);
12440 OFFSET(TI_sysenter_return, thread_info, sysenter_return);
12441 OFFSET(TI_cpu, thread_info, cpu);
12442 + OFFSET(TI_lowest_stack, thread_info, lowest_stack);
12443 + DEFINE(TI_task_thread_sp0, offsetof(struct task_struct, thread.sp0) - offsetof(struct task_struct, tinfo));
12444 BLANK();
12445
12446 OFFSET(GDS_size, desc_ptr, size);
12447 @@ -99,6 +100,7 @@ void foo(void)
12448
12449 DEFINE(PAGE_SIZE_asm, PAGE_SIZE);
12450 DEFINE(PAGE_SHIFT_asm, PAGE_SHIFT);
12451 + DEFINE(THREAD_SIZE_asm, THREAD_SIZE);
12452 DEFINE(PTRS_PER_PTE, PTRS_PER_PTE);
12453 DEFINE(PTRS_PER_PMD, PTRS_PER_PMD);
12454 DEFINE(PTRS_PER_PGD, PTRS_PER_PGD);
12455 @@ -115,6 +117,11 @@ void foo(void)
12456 OFFSET(PV_CPU_iret, pv_cpu_ops, iret);
12457 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
12458 OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
12459 +
12460 +#ifdef CONFIG_PAX_KERNEXEC
12461 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
12462 +#endif
12463 +
12464 #endif
12465
12466 #ifdef CONFIG_XEN
12467 diff -urNp linux-2.6.32.46/arch/x86/kernel/asm-offsets_64.c linux-2.6.32.46/arch/x86/kernel/asm-offsets_64.c
12468 --- linux-2.6.32.46/arch/x86/kernel/asm-offsets_64.c 2011-03-27 14:31:47.000000000 -0400
12469 +++ linux-2.6.32.46/arch/x86/kernel/asm-offsets_64.c 2011-08-23 20:24:19.000000000 -0400
12470 @@ -44,6 +44,8 @@ int main(void)
12471 ENTRY(addr_limit);
12472 ENTRY(preempt_count);
12473 ENTRY(status);
12474 + ENTRY(lowest_stack);
12475 + DEFINE(TI_task_thread_sp0, offsetof(struct task_struct, thread.sp0) - offsetof(struct task_struct, tinfo));
12476 #ifdef CONFIG_IA32_EMULATION
12477 ENTRY(sysenter_return);
12478 #endif
12479 @@ -63,6 +65,18 @@ int main(void)
12480 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
12481 OFFSET(PV_CPU_swapgs, pv_cpu_ops, swapgs);
12482 OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
12483 +
12484 +#ifdef CONFIG_PAX_KERNEXEC
12485 + OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
12486 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
12487 +#endif
12488 +
12489 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12490 + OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3);
12491 + OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3);
12492 + OFFSET(PV_MMU_set_pgd_batched, pv_mmu_ops, set_pgd_batched);
12493 +#endif
12494 +
12495 #endif
12496
12497
12498 @@ -115,6 +129,7 @@ int main(void)
12499 ENTRY(cr8);
12500 BLANK();
12501 #undef ENTRY
12502 + DEFINE(TSS_size, sizeof(struct tss_struct));
12503 DEFINE(TSS_ist, offsetof(struct tss_struct, x86_tss.ist));
12504 BLANK();
12505 DEFINE(crypto_tfm_ctx_offset, offsetof(struct crypto_tfm, __crt_ctx));
12506 @@ -130,6 +145,7 @@ int main(void)
12507
12508 BLANK();
12509 DEFINE(PAGE_SIZE_asm, PAGE_SIZE);
12510 + DEFINE(THREAD_SIZE_asm, THREAD_SIZE);
12511 #ifdef CONFIG_XEN
12512 BLANK();
12513 OFFSET(XEN_vcpu_info_mask, vcpu_info, evtchn_upcall_mask);
12514 diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/amd.c linux-2.6.32.46/arch/x86/kernel/cpu/amd.c
12515 --- linux-2.6.32.46/arch/x86/kernel/cpu/amd.c 2011-06-25 12:55:34.000000000 -0400
12516 +++ linux-2.6.32.46/arch/x86/kernel/cpu/amd.c 2011-06-25 12:56:37.000000000 -0400
12517 @@ -602,7 +602,7 @@ static unsigned int __cpuinit amd_size_c
12518 unsigned int size)
12519 {
12520 /* AMD errata T13 (order #21922) */
12521 - if ((c->x86 == 6)) {
12522 + if (c->x86 == 6) {
12523 /* Duron Rev A0 */
12524 if (c->x86_model == 3 && c->x86_mask == 0)
12525 size = 64;
12526 diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/common.c linux-2.6.32.46/arch/x86/kernel/cpu/common.c
12527 --- linux-2.6.32.46/arch/x86/kernel/cpu/common.c 2011-03-27 14:31:47.000000000 -0400
12528 +++ linux-2.6.32.46/arch/x86/kernel/cpu/common.c 2011-05-11 18:25:15.000000000 -0400
12529 @@ -83,60 +83,6 @@ static const struct cpu_dev __cpuinitcon
12530
12531 static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
12532
12533 -DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
12534 -#ifdef CONFIG_X86_64
12535 - /*
12536 - * We need valid kernel segments for data and code in long mode too
12537 - * IRET will check the segment types kkeil 2000/10/28
12538 - * Also sysret mandates a special GDT layout
12539 - *
12540 - * TLS descriptors are currently at a different place compared to i386.
12541 - * Hopefully nobody expects them at a fixed place (Wine?)
12542 - */
12543 - [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
12544 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
12545 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
12546 - [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
12547 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
12548 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
12549 -#else
12550 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
12551 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
12552 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
12553 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
12554 - /*
12555 - * Segments used for calling PnP BIOS have byte granularity.
12556 - * They code segments and data segments have fixed 64k limits,
12557 - * the transfer segment sizes are set at run time.
12558 - */
12559 - /* 32-bit code */
12560 - [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
12561 - /* 16-bit code */
12562 - [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
12563 - /* 16-bit data */
12564 - [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
12565 - /* 16-bit data */
12566 - [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0),
12567 - /* 16-bit data */
12568 - [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0),
12569 - /*
12570 - * The APM segments have byte granularity and their bases
12571 - * are set at run time. All have 64k limits.
12572 - */
12573 - /* 32-bit code */
12574 - [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
12575 - /* 16-bit code */
12576 - [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
12577 - /* data */
12578 - [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
12579 -
12580 - [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
12581 - [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
12582 - GDT_STACK_CANARY_INIT
12583 -#endif
12584 -} };
12585 -EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
12586 -
12587 static int __init x86_xsave_setup(char *s)
12588 {
12589 setup_clear_cpu_cap(X86_FEATURE_XSAVE);
12590 @@ -344,7 +290,7 @@ void switch_to_new_gdt(int cpu)
12591 {
12592 struct desc_ptr gdt_descr;
12593
12594 - gdt_descr.address = (long)get_cpu_gdt_table(cpu);
12595 + gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
12596 gdt_descr.size = GDT_SIZE - 1;
12597 load_gdt(&gdt_descr);
12598 /* Reload the per-cpu base */
12599 @@ -798,6 +744,10 @@ static void __cpuinit identify_cpu(struc
12600 /* Filter out anything that depends on CPUID levels we don't have */
12601 filter_cpuid_features(c, true);
12602
12603 +#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || (defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32))
12604 + setup_clear_cpu_cap(X86_FEATURE_SEP);
12605 +#endif
12606 +
12607 /* If the model name is still unset, do table lookup. */
12608 if (!c->x86_model_id[0]) {
12609 const char *p;
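Review bot: The added `setup_clear_cpu_cap(X86_FEATURE_SEP)` has no comment on why SYSENTER is hidden when these PaX options are enabled, and the condition is asymmetric: only `CONFIG_PAX_MEMORY_UDEREF` is qualified with `CONFIG_X86_32`, so `CONFIG_PAX_KERNEXEC` clears the flag on 64-bit builds as well. If that is intended it deserves a line such as `/* SYSENTER assumes flat segments, which these features do not provide */` (wording to be confirmed by the author); if not, the whole block should be guarded by `CONFIG_X86_32`. identify_cpu() starts and ends outside the hunk.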
12610 @@ -980,6 +930,9 @@ static __init int setup_disablecpuid(cha
12611 }
12612 __setup("clearcpuid=", setup_disablecpuid);
12613
12614 +DEFINE_PER_CPU(struct thread_info *, current_tinfo) = &init_task.tinfo;
12615 +EXPORT_PER_CPU_SYMBOL(current_tinfo);
12616 +
12617 #ifdef CONFIG_X86_64
12618 struct desc_ptr idt_descr = { NR_VECTORS * 16 - 1, (unsigned long) idt_table };
12619
12620 @@ -995,7 +948,7 @@ DEFINE_PER_CPU(struct task_struct *, cur
12621 EXPORT_PER_CPU_SYMBOL(current_task);
12622
12623 DEFINE_PER_CPU(unsigned long, kernel_stack) =
12624 - (unsigned long)&init_thread_union - KERNEL_STACK_OFFSET + THREAD_SIZE;
12625 + (unsigned long)&init_thread_union - 16 + THREAD_SIZE;
12626 EXPORT_PER_CPU_SYMBOL(kernel_stack);
12627
12628 DEFINE_PER_CPU(char *, irq_stack_ptr) =
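Review bot: The initializer replaces `KERNEL_STACK_OFFSET` with a bare `16`, `(unsigned long)&init_thread_union - 16 + THREAD_SIZE`, so the link between this value and whatever the entry code subtracts is no longer expressed in one place. If the named constant had to go, a comment stating what the 16 bytes are reserved for would keep the two sides from drifting, e.g. `/* 16 bytes kept free at the stack top; must match the offset used by the entry path */`. Whether the other users of `KERNEL_STACK_OFFSET` are changed consistently is not visible in this hunk.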
12629 @@ -1060,7 +1013,7 @@ struct pt_regs * __cpuinit idle_regs(str
12630 {
12631 memset(regs, 0, sizeof(struct pt_regs));
12632 regs->fs = __KERNEL_PERCPU;
12633 - regs->gs = __KERNEL_STACK_CANARY;
12634 + savesegment(gs, regs->gs);
12635
12636 return regs;
12637 }
12638 @@ -1101,7 +1054,7 @@ void __cpuinit cpu_init(void)
12639 int i;
12640
12641 cpu = stack_smp_processor_id();
12642 - t = &per_cpu(init_tss, cpu);
12643 + t = init_tss + cpu;
12644 orig_ist = &per_cpu(orig_ist, cpu);
12645
12646 #ifdef CONFIG_NUMA
12647 @@ -1127,7 +1080,7 @@ void __cpuinit cpu_init(void)
12648 switch_to_new_gdt(cpu);
12649 loadsegment(fs, 0);
12650
12651 - load_idt((const struct desc_ptr *)&idt_descr);
12652 + load_idt(&idt_descr);
12653
12654 memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
12655 syscall_init();
12656 @@ -1136,7 +1089,6 @@ void __cpuinit cpu_init(void)
12657 wrmsrl(MSR_KERNEL_GS_BASE, 0);
12658 barrier();
12659
12660 - check_efer();
12661 if (cpu != 0)
12662 enable_x2apic();
12663
12664 @@ -1199,7 +1151,7 @@ void __cpuinit cpu_init(void)
12665 {
12666 int cpu = smp_processor_id();
12667 struct task_struct *curr = current;
12668 - struct tss_struct *t = &per_cpu(init_tss, cpu);
12669 + struct tss_struct *t = init_tss + cpu;
12670 struct thread_struct *thread = &curr->thread;
12671
12672 if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
12673 diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/intel.c linux-2.6.32.46/arch/x86/kernel/cpu/intel.c
12674 --- linux-2.6.32.46/arch/x86/kernel/cpu/intel.c 2011-03-27 14:31:47.000000000 -0400
12675 +++ linux-2.6.32.46/arch/x86/kernel/cpu/intel.c 2011-04-17 15:56:46.000000000 -0400
12676 @@ -162,7 +162,7 @@ static void __cpuinit trap_init_f00f_bug
12677 * Update the IDT descriptor and reload the IDT so that
12678 * it uses the read-only mapped virtual address.
12679 */
12680 - idt_descr.address = fix_to_virt(FIX_F00F_IDT);
12681 + idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
12682 load_idt(&idt_descr);
12683 }
12684 #endif
12685 diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/intel_cacheinfo.c linux-2.6.32.46/arch/x86/kernel/cpu/intel_cacheinfo.c
12686 --- linux-2.6.32.46/arch/x86/kernel/cpu/intel_cacheinfo.c 2011-03-27 14:31:47.000000000 -0400
12687 +++ linux-2.6.32.46/arch/x86/kernel/cpu/intel_cacheinfo.c 2011-04-17 15:56:46.000000000 -0400
12688 @@ -921,7 +921,7 @@ static ssize_t store(struct kobject *kob
12689 return ret;
12690 }
12691
12692 -static struct sysfs_ops sysfs_ops = {
12693 +static const struct sysfs_ops sysfs_ops = {
12694 .show = show,
12695 .store = store,
12696 };
12697 diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/Makefile linux-2.6.32.46/arch/x86/kernel/cpu/Makefile
12698 --- linux-2.6.32.46/arch/x86/kernel/cpu/Makefile 2011-03-27 14:31:47.000000000 -0400
12699 +++ linux-2.6.32.46/arch/x86/kernel/cpu/Makefile 2011-04-17 15:56:46.000000000 -0400
12700 @@ -7,10 +7,6 @@ ifdef CONFIG_FUNCTION_TRACER
12701 CFLAGS_REMOVE_common.o = -pg
12702 endif
12703
12704 -# Make sure load_percpu_segment has no stackprotector
12705 -nostackp := $(call cc-option, -fno-stack-protector)
12706 -CFLAGS_common.o := $(nostackp)
12707 -
12708 obj-y := intel_cacheinfo.o addon_cpuid_features.o
12709 obj-y += proc.o capflags.o powerflags.o common.o
12710 obj-y += vmware.o hypervisor.o sched.o
12711 diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/mcheck/mce_amd.c linux-2.6.32.46/arch/x86/kernel/cpu/mcheck/mce_amd.c
12712 --- linux-2.6.32.46/arch/x86/kernel/cpu/mcheck/mce_amd.c 2011-05-23 16:56:59.000000000 -0400
12713 +++ linux-2.6.32.46/arch/x86/kernel/cpu/mcheck/mce_amd.c 2011-05-23 16:57:13.000000000 -0400
12714 @@ -385,7 +385,7 @@ static ssize_t store(struct kobject *kob
12715 return ret;
12716 }
12717
12718 -static struct sysfs_ops threshold_ops = {
12719 +static const struct sysfs_ops threshold_ops = {
12720 .show = show,
12721 .store = store,
12722 };
12723 diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/mcheck/mce.c linux-2.6.32.46/arch/x86/kernel/cpu/mcheck/mce.c
12724 --- linux-2.6.32.46/arch/x86/kernel/cpu/mcheck/mce.c 2011-03-27 14:31:47.000000000 -0400
12725 +++ linux-2.6.32.46/arch/x86/kernel/cpu/mcheck/mce.c 2011-05-04 17:56:20.000000000 -0400
12726 @@ -43,6 +43,7 @@
12727 #include <asm/ipi.h>
12728 #include <asm/mce.h>
12729 #include <asm/msr.h>
12730 +#include <asm/local.h>
12731
12732 #include "mce-internal.h"
12733
12734 @@ -187,7 +188,7 @@ static void print_mce(struct mce *m)
12735 !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
12736 m->cs, m->ip);
12737
12738 - if (m->cs == __KERNEL_CS)
12739 + if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
12740 print_symbol("{%s}", m->ip);
12741 pr_cont("\n");
12742 }
12743 @@ -221,10 +222,10 @@ static void print_mce_tail(void)
12744
12745 #define PANIC_TIMEOUT 5 /* 5 seconds */
12746
12747 -static atomic_t mce_paniced;
12748 +static atomic_unchecked_t mce_paniced;
12749
12750 static int fake_panic;
12751 -static atomic_t mce_fake_paniced;
12752 +static atomic_unchecked_t mce_fake_paniced;
12753
12754 /* Panic in progress. Enable interrupts and wait for final IPI */
12755 static void wait_for_panic(void)
12756 @@ -248,7 +249,7 @@ static void mce_panic(char *msg, struct
12757 /*
12758 * Make sure only one CPU runs in machine check panic
12759 */
12760 - if (atomic_inc_return(&mce_paniced) > 1)
12761 + if (atomic_inc_return_unchecked(&mce_paniced) > 1)
12762 wait_for_panic();
12763 barrier();
12764
12765 @@ -256,7 +257,7 @@ static void mce_panic(char *msg, struct
12766 console_verbose();
12767 } else {
12768 /* Don't log too much for fake panic */
12769 - if (atomic_inc_return(&mce_fake_paniced) > 1)
12770 + if (atomic_inc_return_unchecked(&mce_fake_paniced) > 1)
12771 return;
12772 }
12773 print_mce_head();
12774 @@ -616,7 +617,7 @@ static int mce_timed_out(u64 *t)
12775 * might have been modified by someone else.
12776 */
12777 rmb();
12778 - if (atomic_read(&mce_paniced))
12779 + if (atomic_read_unchecked(&mce_paniced))
12780 wait_for_panic();
12781 if (!monarch_timeout)
12782 goto out;
12783 @@ -1429,14 +1430,14 @@ void __cpuinit mcheck_init(struct cpuinf
12784 */
12785
12786 static DEFINE_SPINLOCK(mce_state_lock);
12787 -static int open_count; /* #times opened */
12788 +static local_t open_count; /* #times opened */
12789 static int open_exclu; /* already open exclusive? */
12790
12791 static int mce_open(struct inode *inode, struct file *file)
12792 {
12793 spin_lock(&mce_state_lock);
12794
12795 - if (open_exclu || (open_count && (file->f_flags & O_EXCL))) {
12796 + if (open_exclu || (local_read(&open_count) && (file->f_flags & O_EXCL))) {
12797 spin_unlock(&mce_state_lock);
12798
12799 return -EBUSY;
12800 @@ -1444,7 +1445,7 @@ static int mce_open(struct inode *inode,
12801
12802 if (file->f_flags & O_EXCL)
12803 open_exclu = 1;
12804 - open_count++;
12805 + local_inc(&open_count);
12806
12807 spin_unlock(&mce_state_lock);
12808
12809 @@ -1455,7 +1456,7 @@ static int mce_release(struct inode *ino
12810 {
12811 spin_lock(&mce_state_lock);
12812
12813 - open_count--;
12814 + local_dec(&open_count);
12815 open_exclu = 0;
12816
12817 spin_unlock(&mce_state_lock);
12818 @@ -2082,7 +2083,7 @@ struct dentry *mce_get_debugfs_dir(void)
12819 static void mce_reset(void)
12820 {
12821 cpu_missing = 0;
12822 - atomic_set(&mce_fake_paniced, 0);
12823 + atomic_set_unchecked(&mce_fake_paniced, 0);
12824 atomic_set(&mce_executing, 0);
12825 atomic_set(&mce_callin, 0);
12826 atomic_set(&global_nwo, 0);
12827 diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/mcheck/mce-inject.c linux-2.6.32.46/arch/x86/kernel/cpu/mcheck/mce-inject.c
12828 --- linux-2.6.32.46/arch/x86/kernel/cpu/mcheck/mce-inject.c 2011-03-27 14:31:47.000000000 -0400
12829 +++ linux-2.6.32.46/arch/x86/kernel/cpu/mcheck/mce-inject.c 2011-08-05 20:33:55.000000000 -0400
12830 @@ -211,7 +211,9 @@ static ssize_t mce_write(struct file *fi
12831 static int inject_init(void)
12832 {
12833 printk(KERN_INFO "Machine check injector initialized\n");
12834 - mce_chrdev_ops.write = mce_write;
12835 + pax_open_kernel();
12836 + *(void **)&mce_chrdev_ops.write = mce_write;
12837 + pax_close_kernel();
12838 register_die_notifier(&mce_raise_nb);
12839 return 0;
12840 }
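Review bot: The store `*(void **)&mce_chrdev_ops.write = mce_write;` discards the member's type (and presumably its const qualification) and assigns a function pointer through a `void *` lvalue, which hides any later signature mismatch from the compiler. A cast to the member's own function-pointer type would keep the type check. The line also needs a comment saying this is a deliberate one-time patch of a read-only ops table, e.g. `/* mce_chrdev_ops is read-only; install the injector's write handler once, inside the open/close window */`. The declaration of `mce_chrdev_ops` is not visible here, so the const assumption should be confirmed.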
12841 diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/amd.c linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/amd.c
12842 --- linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/amd.c 2011-03-27 14:31:47.000000000 -0400
12843 +++ linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/amd.c 2011-04-17 15:56:46.000000000 -0400
12844 @@ -108,7 +108,7 @@ amd_validate_add_page(unsigned long base
12845 return 0;
12846 }
12847
12848 -static struct mtrr_ops amd_mtrr_ops = {
12849 +static const struct mtrr_ops amd_mtrr_ops = {
12850 .vendor = X86_VENDOR_AMD,
12851 .set = amd_set_mtrr,
12852 .get = amd_get_mtrr,
12853 diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/centaur.c linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/centaur.c
12854 --- linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/centaur.c 2011-03-27 14:31:47.000000000 -0400
12855 +++ linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/centaur.c 2011-04-17 15:56:46.000000000 -0400
12856 @@ -110,7 +110,7 @@ centaur_validate_add_page(unsigned long
12857 return 0;
12858 }
12859
12860 -static struct mtrr_ops centaur_mtrr_ops = {
12861 +static const struct mtrr_ops centaur_mtrr_ops = {
12862 .vendor = X86_VENDOR_CENTAUR,
12863 .set = centaur_set_mcr,
12864 .get = centaur_get_mcr,
12865 diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/cyrix.c linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/cyrix.c
12866 --- linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/cyrix.c 2011-03-27 14:31:47.000000000 -0400
12867 +++ linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/cyrix.c 2011-04-17 15:56:46.000000000 -0400
12868 @@ -265,7 +265,7 @@ static void cyrix_set_all(void)
12869 post_set();
12870 }
12871
12872 -static struct mtrr_ops cyrix_mtrr_ops = {
12873 +static const struct mtrr_ops cyrix_mtrr_ops = {
12874 .vendor = X86_VENDOR_CYRIX,
12875 .set_all = cyrix_set_all,
12876 .set = cyrix_set_arr,
12877 diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/generic.c linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/generic.c
12878 --- linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/generic.c 2011-03-27 14:31:47.000000000 -0400
12879 +++ linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/generic.c 2011-04-23 12:56:10.000000000 -0400
12880 @@ -752,7 +752,7 @@ int positive_have_wrcomb(void)
12881 /*
12882 * Generic structure...
12883 */
12884 -struct mtrr_ops generic_mtrr_ops = {
12885 +const struct mtrr_ops generic_mtrr_ops = {
12886 .use_intel_if = 1,
12887 .set_all = generic_set_all,
12888 .get = generic_get_mtrr,
12889 diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/main.c linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/main.c
12890 --- linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/main.c 2011-04-17 17:00:52.000000000 -0400
12891 +++ linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/main.c 2011-04-17 17:03:05.000000000 -0400
12892 @@ -60,14 +60,14 @@ static DEFINE_MUTEX(mtrr_mutex);
12893 u64 size_or_mask, size_and_mask;
12894 static bool mtrr_aps_delayed_init;
12895
12896 -static struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
12897 +static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
12898
12899 -struct mtrr_ops *mtrr_if;
12900 +const struct mtrr_ops *mtrr_if;
12901
12902 static void set_mtrr(unsigned int reg, unsigned long base,
12903 unsigned long size, mtrr_type type);
12904
12905 -void set_mtrr_ops(struct mtrr_ops *ops)
12906 +void set_mtrr_ops(const struct mtrr_ops *ops)
12907 {
12908 if (ops->vendor && ops->vendor < X86_VENDOR_NUM)
12909 mtrr_ops[ops->vendor] = ops;
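Review bot: `mtrr_ops[]` gains `__read_only`, but `set_mtrr_ops()` in the same hunk still writes `mtrr_ops[ops->vendor] = ops;` without an open/close pair and is not marked `__init` in the visible line, so this is only safe if every caller runs before read-only data is enforced; that ordering should be stated in a comment or enforced with `__init`. The pointer actually dereferenced for calls, `mtrr_if`, becomes pointer-to-const but stays writable itself, so redirecting it remains possible even though the tables it points to are protected. If `mtrr_if` is only assigned during boot, marking it `__read_only` too would close that gap; its assignments are outside this hunk.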
12910 diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/mtrr.h linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/mtrr.h
12911 --- linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-03-27 14:31:47.000000000 -0400
12912 +++ linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-08-26 20:23:57.000000000 -0400
12913 @@ -25,14 +25,14 @@ struct mtrr_ops {
12914 int (*validate_add_page)(unsigned long base, unsigned long size,
12915 unsigned int type);
12916 int (*have_wrcomb)(void);
12917 -};
12918 +} __do_const;
12919
12920 extern int generic_get_free_region(unsigned long base, unsigned long size,
12921 int replace_reg);
12922 extern int generic_validate_add_page(unsigned long base, unsigned long size,
12923 unsigned int type);
12924
12925 -extern struct mtrr_ops generic_mtrr_ops;
12926 +extern const struct mtrr_ops generic_mtrr_ops;
12927
12928 extern int positive_have_wrcomb(void);
12929
12930 @@ -53,10 +53,10 @@ void fill_mtrr_var_range(unsigned int in
12931 u32 base_lo, u32 base_hi, u32 mask_lo, u32 mask_hi);
12932 void get_mtrr_state(void);
12933
12934 -extern void set_mtrr_ops(struct mtrr_ops *ops);
12935 +extern void set_mtrr_ops(const struct mtrr_ops *ops);
12936
12937 extern u64 size_or_mask, size_and_mask;
12938 -extern struct mtrr_ops *mtrr_if;
12939 +extern const struct mtrr_ops *mtrr_if;
12940
12941 #define is_cpu(vnd) (mtrr_if && mtrr_if->vendor == X86_VENDOR_##vnd)
12942 #define use_intel() (mtrr_if && mtrr_if->use_intel_if == 1)
12943 diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/perfctr-watchdog.c linux-2.6.32.46/arch/x86/kernel/cpu/perfctr-watchdog.c
12944 --- linux-2.6.32.46/arch/x86/kernel/cpu/perfctr-watchdog.c 2011-03-27 14:31:47.000000000 -0400
12945 +++ linux-2.6.32.46/arch/x86/kernel/cpu/perfctr-watchdog.c 2011-04-17 15:56:46.000000000 -0400
12946 @@ -30,11 +30,11 @@ struct nmi_watchdog_ctlblk {
12947
12948 /* Interface defining a CPU specific perfctr watchdog */
12949 struct wd_ops {
12950 - int (*reserve)(void);
12951 - void (*unreserve)(void);
12952 - int (*setup)(unsigned nmi_hz);
12953 - void (*rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
12954 - void (*stop)(void);
12955 + int (* const reserve)(void);
12956 + void (* const unreserve)(void);
12957 + int (* const setup)(unsigned nmi_hz);
12958 + void (* const rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
12959 + void (* const stop)(void);
12960 unsigned perfctr;
12961 unsigned evntsel;
12962 u64 checkbit;
12963 @@ -645,6 +645,7 @@ static const struct wd_ops p4_wd_ops = {
12964 #define ARCH_PERFMON_NMI_EVENT_SEL ARCH_PERFMON_UNHALTED_CORE_CYCLES_SEL
12965 #define ARCH_PERFMON_NMI_EVENT_UMASK ARCH_PERFMON_UNHALTED_CORE_CYCLES_UMASK
12966
12967 +/* cannot be const */
12968 static struct wd_ops intel_arch_wd_ops;
12969
12970 static int setup_intel_arch_watchdog(unsigned nmi_hz)
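Review bot: The added `/* cannot be const */` states a constraint without the reason, so a later reader cannot tell whether it still holds. The forward declaration sits directly before `setup_intel_arch_watchdog()`, whose body is outside the hunk and presumably writes a field of `intel_arch_wd_ops` at runtime. If so, name it: `/* not const: setup_intel_arch_watchdog() updates this structure at runtime */`. The same bare comment is repeated on the definition in the next hunk and should get the same wording.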
12971 @@ -697,6 +698,7 @@ static int setup_intel_arch_watchdog(uns
12972 return 1;
12973 }
12974
12975 +/* cannot be const */
12976 static struct wd_ops intel_arch_wd_ops __read_mostly = {
12977 .reserve = single_msr_reserve,
12978 .unreserve = single_msr_unreserve,
12979 diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/perf_event.c linux-2.6.32.46/arch/x86/kernel/cpu/perf_event.c
12980 --- linux-2.6.32.46/arch/x86/kernel/cpu/perf_event.c 2011-03-27 14:31:47.000000000 -0400
12981 +++ linux-2.6.32.46/arch/x86/kernel/cpu/perf_event.c 2011-05-04 17:56:20.000000000 -0400
12982 @@ -723,10 +723,10 @@ x86_perf_event_update(struct perf_event
12983 * count to the generic event atomically:
12984 */
12985 again:
12986 - prev_raw_count = atomic64_read(&hwc->prev_count);
12987 + prev_raw_count = atomic64_read_unchecked(&hwc->prev_count);
12988 rdmsrl(hwc->event_base + idx, new_raw_count);
12989
12990 - if (atomic64_cmpxchg(&hwc->prev_count, prev_raw_count,
12991 + if (atomic64_cmpxchg_unchecked(&hwc->prev_count, prev_raw_count,
12992 new_raw_count) != prev_raw_count)
12993 goto again;
12994
12995 @@ -741,7 +741,7 @@ again:
12996 delta = (new_raw_count << shift) - (prev_raw_count << shift);
12997 delta >>= shift;
12998
12999 - atomic64_add(delta, &event->count);
13000 + atomic64_add_unchecked(delta, &event->count);
13001 atomic64_sub(delta, &hwc->period_left);
13002
13003 return new_raw_count;
13004 @@ -1353,7 +1353,7 @@ x86_perf_event_set_period(struct perf_ev
13005 * The hw event starts counting from this event offset,
13006 * mark it to be able to extra future deltas:
13007 */
13008 - atomic64_set(&hwc->prev_count, (u64)-left);
13009 + atomic64_set_unchecked(&hwc->prev_count, (u64)-left);
13010
13011 err = checking_wrmsrl(hwc->event_base + idx,
13012 (u64)(-left) & x86_pmu.event_mask);
13013 @@ -2357,7 +2357,7 @@ perf_callchain_user(struct pt_regs *regs
13014 break;
13015
13016 callchain_store(entry, frame.return_address);
13017 - fp = frame.next_frame;
13018 + fp = (__force const void __user *)frame.next_frame;
13019 }
13020 }
13021
13022 diff -urNp linux-2.6.32.46/arch/x86/kernel/crash.c linux-2.6.32.46/arch/x86/kernel/crash.c
13023 --- linux-2.6.32.46/arch/x86/kernel/crash.c 2011-03-27 14:31:47.000000000 -0400
13024 +++ linux-2.6.32.46/arch/x86/kernel/crash.c 2011-04-17 15:56:46.000000000 -0400
13025 @@ -41,7 +41,7 @@ static void kdump_nmi_callback(int cpu,
13026 regs = args->regs;
13027
13028 #ifdef CONFIG_X86_32
13029 - if (!user_mode_vm(regs)) {
13030 + if (!user_mode(regs)) {
13031 crash_fixup_ss_esp(&fixed_regs, regs);
13032 regs = &fixed_regs;
13033 }
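Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` is only safe if this tree redefines `user_mode()` to also treat vm86 frames as user mode. As far as I recall, the mainline 32-bit helper tests only the RPL bits of `regs->cs`, and no redefinition is visible here. Without it, a vm86 frame could be classified as kernel mode and passed to `crash_fixup_ss_esp()`. The same substitution appears in `show_registers()` in dumpstack_32.c and in `die()` in dumpstack.c. A comment at the definition such as `/* user_mode() also covers X86_EFLAGS_VM in this tree */` would make the dependency explicit; `kdump_nmi_callback()` continues outside the hunk.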
13034 diff -urNp linux-2.6.32.46/arch/x86/kernel/doublefault_32.c linux-2.6.32.46/arch/x86/kernel/doublefault_32.c
13035 --- linux-2.6.32.46/arch/x86/kernel/doublefault_32.c 2011-03-27 14:31:47.000000000 -0400
13036 +++ linux-2.6.32.46/arch/x86/kernel/doublefault_32.c 2011-04-17 15:56:46.000000000 -0400
13037 @@ -11,7 +11,7 @@
13038
13039 #define DOUBLEFAULT_STACKSIZE (1024)
13040 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
13041 -#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
13042 +#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
13043
13044 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
13045
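Review bot: The new `-2` in `STACK_START` is an unexplained magic number. Nothing in the hunk says why the initial stack pointer must sit two words below the end of `doublefault_stack`. Add a comment above the define, for example `/* leave the top two words of the doublefault stack unused */`, followed by the reason the author had in mind, so a later cleanup does not treat the offset as a typo.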
13046 @@ -21,7 +21,7 @@ static void doublefault_fn(void)
13047 unsigned long gdt, tss;
13048
13049 store_gdt(&gdt_desc);
13050 - gdt = gdt_desc.address;
13051 + gdt = (unsigned long)gdt_desc.address;
13052
13053 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
13054
13055 @@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cach
13056 /* 0x2 bit is always set */
13057 .flags = X86_EFLAGS_SF | 0x2,
13058 .sp = STACK_START,
13059 - .es = __USER_DS,
13060 + .es = __KERNEL_DS,
13061 .cs = __KERNEL_CS,
13062 .ss = __KERNEL_DS,
13063 - .ds = __USER_DS,
13064 + .ds = __KERNEL_DS,
13065 .fs = __KERNEL_PERCPU,
13066
13067 .__cr3 = __pa_nodebug(swapper_pg_dir),
13068 diff -urNp linux-2.6.32.46/arch/x86/kernel/dumpstack_32.c linux-2.6.32.46/arch/x86/kernel/dumpstack_32.c
13069 --- linux-2.6.32.46/arch/x86/kernel/dumpstack_32.c 2011-03-27 14:31:47.000000000 -0400
13070 +++ linux-2.6.32.46/arch/x86/kernel/dumpstack_32.c 2011-04-17 15:56:46.000000000 -0400
13071 @@ -53,16 +53,12 @@ void dump_trace(struct task_struct *task
13072 #endif
13073
13074 for (;;) {
13075 - struct thread_info *context;
13076 + void *stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
13077 + bp = print_context_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
13078
13079 - context = (struct thread_info *)
13080 - ((unsigned long)stack & (~(THREAD_SIZE - 1)));
13081 - bp = print_context_stack(context, stack, bp, ops,
13082 - data, NULL, &graph);
13083 -
13084 - stack = (unsigned long *)context->previous_esp;
13085 - if (!stack)
13086 + if (stack_start == task_stack_page(task))
13087 break;
13088 + stack = *(unsigned long **)stack_start;
13089 if (ops->stack(data, "IRQ") < 0)
13090 break;
13091 touch_nmi_watchdog();
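Review bot: The `if (!stack) break;` guard is removed, so after `stack = *(unsigned long **)stack_start;` the loop runs again even when the link word read from the base of the stack is NULL or stale. Termination now depends entirely on `stack_start == task_stack_page(task)`. `dump_trace()` runs on oops paths where stack contents may already be corrupted, so a zero link would make the next pass read through a NULL-derived `stack_start`. Keep the cheap check after the load: `if (!stack) break;`. The function starts and ends outside this hunk.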
13092 @@ -112,11 +108,12 @@ void show_registers(struct pt_regs *regs
13093 * When in-kernel, we also print out the stack and code at the
13094 * time of the fault..
13095 */
13096 - if (!user_mode_vm(regs)) {
13097 + if (!user_mode(regs)) {
13098 unsigned int code_prologue = code_bytes * 43 / 64;
13099 unsigned int code_len = code_bytes;
13100 unsigned char c;
13101 u8 *ip;
13102 + unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
13103
13104 printk(KERN_EMERG "Stack:\n");
13105 show_stack_log_lvl(NULL, regs, &regs->sp,
13106 @@ -124,10 +121,10 @@ void show_registers(struct pt_regs *regs
13107
13108 printk(KERN_EMERG "Code: ");
13109
13110 - ip = (u8 *)regs->ip - code_prologue;
13111 + ip = (u8 *)regs->ip - code_prologue + cs_base;
13112 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
13113 /* try starting at IP */
13114 - ip = (u8 *)regs->ip;
13115 + ip = (u8 *)regs->ip + cs_base;
13116 code_len = code_len - code_prologue + 1;
13117 }
13118 for (i = 0; i < code_len; i++, ip++) {
13119 @@ -136,7 +133,7 @@ void show_registers(struct pt_regs *regs
13120 printk(" Bad EIP value.");
13121 break;
13122 }
13123 - if (ip == (u8 *)regs->ip)
13124 + if (ip == (u8 *)regs->ip + cs_base)
13125 printk("<%02x> ", c);
13126 else
13127 printk("%02x ", c);
13128 @@ -149,6 +146,7 @@ int is_valid_bugaddr(unsigned long ip)
13129 {
13130 unsigned short ud2;
13131
13132 + ip = ktla_ktva(ip);
13133 if (ip < PAGE_OFFSET)
13134 return 0;
13135 if (probe_kernel_address((unsigned short *)ip, ud2))
13136 diff -urNp linux-2.6.32.46/arch/x86/kernel/dumpstack_64.c linux-2.6.32.46/arch/x86/kernel/dumpstack_64.c
13137 --- linux-2.6.32.46/arch/x86/kernel/dumpstack_64.c 2011-03-27 14:31:47.000000000 -0400
13138 +++ linux-2.6.32.46/arch/x86/kernel/dumpstack_64.c 2011-04-17 15:56:46.000000000 -0400
13139 @@ -116,8 +116,8 @@ void dump_trace(struct task_struct *task
13140 unsigned long *irq_stack_end =
13141 (unsigned long *)per_cpu(irq_stack_ptr, cpu);
13142 unsigned used = 0;
13143 - struct thread_info *tinfo;
13144 int graph = 0;
13145 + void *stack_start;
13146
13147 if (!task)
13148 task = current;
13149 @@ -146,10 +146,10 @@ void dump_trace(struct task_struct *task
13150 * current stack address. If the stacks consist of nested
13151 * exceptions
13152 */
13153 - tinfo = task_thread_info(task);
13154 for (;;) {
13155 char *id;
13156 unsigned long *estack_end;
13157 +
13158 estack_end = in_exception_stack(cpu, (unsigned long)stack,
13159 &used, &id);
13160
13161 @@ -157,7 +157,7 @@ void dump_trace(struct task_struct *task
13162 if (ops->stack(data, id) < 0)
13163 break;
13164
13165 - bp = print_context_stack(tinfo, stack, bp, ops,
13166 + bp = print_context_stack(task, estack_end - EXCEPTION_STKSZ, stack, bp, ops,
13167 data, estack_end, &graph);
13168 ops->stack(data, "<EOE>");
13169 /*
13170 @@ -176,7 +176,7 @@ void dump_trace(struct task_struct *task
13171 if (stack >= irq_stack && stack < irq_stack_end) {
13172 if (ops->stack(data, "IRQ") < 0)
13173 break;
13174 - bp = print_context_stack(tinfo, stack, bp,
13175 + bp = print_context_stack(task, irq_stack, stack, bp,
13176 ops, data, irq_stack_end, &graph);
13177 /*
13178 * We link to the next stack (which would be
13179 @@ -195,7 +195,8 @@ void dump_trace(struct task_struct *task
13180 /*
13181 * This handles the process stack:
13182 */
13183 - bp = print_context_stack(tinfo, stack, bp, ops, data, NULL, &graph);
13184 + stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
13185 + bp = print_context_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
13186 put_cpu();
13187 }
13188 EXPORT_SYMBOL(dump_trace);
13189 diff -urNp linux-2.6.32.46/arch/x86/kernel/dumpstack.c linux-2.6.32.46/arch/x86/kernel/dumpstack.c
13190 --- linux-2.6.32.46/arch/x86/kernel/dumpstack.c 2011-03-27 14:31:47.000000000 -0400
13191 +++ linux-2.6.32.46/arch/x86/kernel/dumpstack.c 2011-04-17 15:56:46.000000000 -0400
13192 @@ -2,6 +2,9 @@
13193 * Copyright (C) 1991, 1992 Linus Torvalds
13194 * Copyright (C) 2000, 2001, 2002 Andi Kleen, SuSE Labs
13195 */
13196 +#ifdef CONFIG_GRKERNSEC_HIDESYM
13197 +#define __INCLUDED_BY_HIDESYM 1
13198 +#endif
13199 #include <linux/kallsyms.h>
13200 #include <linux/kprobes.h>
13201 #include <linux/uaccess.h>
13202 @@ -28,7 +31,7 @@ static int die_counter;
13203
13204 void printk_address(unsigned long address, int reliable)
13205 {
13206 - printk(" [<%p>] %s%pS\n", (void *) address,
13207 + printk(" [<%p>] %s%pA\n", (void *) address,
13208 reliable ? "" : "? ", (void *) address);
13209 }
13210
13211 @@ -36,9 +39,8 @@ void printk_address(unsigned long addres
13212 static void
13213 print_ftrace_graph_addr(unsigned long addr, void *data,
13214 const struct stacktrace_ops *ops,
13215 - struct thread_info *tinfo, int *graph)
13216 + struct task_struct *task, int *graph)
13217 {
13218 - struct task_struct *task = tinfo->task;
13219 unsigned long ret_addr;
13220 int index = task->curr_ret_stack;
13221
13222 @@ -59,7 +61,7 @@ print_ftrace_graph_addr(unsigned long ad
13223 static inline void
13224 print_ftrace_graph_addr(unsigned long addr, void *data,
13225 const struct stacktrace_ops *ops,
13226 - struct thread_info *tinfo, int *graph)
13227 + struct task_struct *task, int *graph)
13228 { }
13229 #endif
13230
13231 @@ -70,10 +72,8 @@ print_ftrace_graph_addr(unsigned long ad
13232 * severe exception (double fault, nmi, stack fault, debug, mce) hardware stack
13233 */
13234
13235 -static inline int valid_stack_ptr(struct thread_info *tinfo,
13236 - void *p, unsigned int size, void *end)
13237 +static inline int valid_stack_ptr(void *t, void *p, unsigned int size, void *end)
13238 {
13239 - void *t = tinfo;
13240 if (end) {
13241 if (p < end && p >= (end-THREAD_SIZE))
13242 return 1;
13243 @@ -84,14 +84,14 @@ static inline int valid_stack_ptr(struct
13244 }
13245
13246 unsigned long
13247 -print_context_stack(struct thread_info *tinfo,
13248 +print_context_stack(struct task_struct *task, void *stack_start,
13249 unsigned long *stack, unsigned long bp,
13250 const struct stacktrace_ops *ops, void *data,
13251 unsigned long *end, int *graph)
13252 {
13253 struct stack_frame *frame = (struct stack_frame *)bp;
13254
13255 - while (valid_stack_ptr(tinfo, stack, sizeof(*stack), end)) {
13256 + while (valid_stack_ptr(stack_start, stack, sizeof(*stack), end)) {
13257 unsigned long addr;
13258
13259 addr = *stack;
13260 @@ -103,7 +103,7 @@ print_context_stack(struct thread_info *
13261 } else {
13262 ops->address(data, addr, 0);
13263 }
13264 - print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
13265 + print_ftrace_graph_addr(addr, data, ops, task, graph);
13266 }
13267 stack++;
13268 }
13269 @@ -180,7 +180,7 @@ void dump_stack(void)
13270 #endif
13271
13272 printk("Pid: %d, comm: %.20s %s %s %.*s\n",
13273 - current->pid, current->comm, print_tainted(),
13274 + task_pid_nr(current), current->comm, print_tainted(),
13275 init_utsname()->release,
13276 (int)strcspn(init_utsname()->version, " "),
13277 init_utsname()->version);
13278 @@ -220,6 +220,8 @@ unsigned __kprobes long oops_begin(void)
13279 return flags;
13280 }
13281
13282 +extern void gr_handle_kernel_exploit(void);
13283 +
13284 void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, int signr)
13285 {
13286 if (regs && kexec_should_crash(current))
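Review bot: `extern void gr_handle_kernel_exploit(void);` is declared locally in dumpstack.c, so the compiler never checks this prototype against the definition. A later signature change would then build cleanly and misbehave at the call the next hunk adds to `oops_end()`. Move the declaration into a header that the defining file also includes, and drop the local `extern`.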
13287 @@ -241,7 +243,10 @@ void __kprobes oops_end(unsigned long fl
13288 panic("Fatal exception in interrupt");
13289 if (panic_on_oops)
13290 panic("Fatal exception");
13291 - do_exit(signr);
13292 +
13293 + gr_handle_kernel_exploit();
13294 +
13295 + do_group_exit(signr);
13296 }
13297
13298 int __kprobes __die(const char *str, struct pt_regs *regs, long err)
13299 @@ -295,7 +300,7 @@ void die(const char *str, struct pt_regs
13300 unsigned long flags = oops_begin();
13301 int sig = SIGSEGV;
13302
13303 - if (!user_mode_vm(regs))
13304 + if (!user_mode(regs))
13305 report_bug(regs->ip, regs);
13306
13307 if (__die(str, regs, err))
13308 diff -urNp linux-2.6.32.46/arch/x86/kernel/dumpstack.h linux-2.6.32.46/arch/x86/kernel/dumpstack.h
13309 --- linux-2.6.32.46/arch/x86/kernel/dumpstack.h 2011-03-27 14:31:47.000000000 -0400
13310 +++ linux-2.6.32.46/arch/x86/kernel/dumpstack.h 2011-04-23 13:25:26.000000000 -0400
13311 @@ -15,7 +15,7 @@
13312 #endif
13313
13314 extern unsigned long
13315 -print_context_stack(struct thread_info *tinfo,
13316 +print_context_stack(struct task_struct *task, void *stack_start,
13317 unsigned long *stack, unsigned long bp,
13318 const struct stacktrace_ops *ops, void *data,
13319 unsigned long *end, int *graph);
13320 diff -urNp linux-2.6.32.46/arch/x86/kernel/e820.c linux-2.6.32.46/arch/x86/kernel/e820.c
13321 --- linux-2.6.32.46/arch/x86/kernel/e820.c 2011-03-27 14:31:47.000000000 -0400
13322 +++ linux-2.6.32.46/arch/x86/kernel/e820.c 2011-04-17 15:56:46.000000000 -0400
13323 @@ -733,7 +733,7 @@ struct early_res {
13324 };
13325 static struct early_res early_res[MAX_EARLY_RES] __initdata = {
13326 { 0, PAGE_SIZE, "BIOS data page" }, /* BIOS data page */
13327 - {}
13328 + { 0, 0, {0}, 0 }
13329 };
13330
13331 static int __init find_overlapped_early(u64 start, u64 end)
13332 diff -urNp linux-2.6.32.46/arch/x86/kernel/early_printk.c linux-2.6.32.46/arch/x86/kernel/early_printk.c
13333 --- linux-2.6.32.46/arch/x86/kernel/early_printk.c 2011-03-27 14:31:47.000000000 -0400
13334 +++ linux-2.6.32.46/arch/x86/kernel/early_printk.c 2011-05-16 21:46:57.000000000 -0400
13335 @@ -7,6 +7,7 @@
13336 #include <linux/pci_regs.h>
13337 #include <linux/pci_ids.h>
13338 #include <linux/errno.h>
13339 +#include <linux/sched.h>
13340 #include <asm/io.h>
13341 #include <asm/processor.h>
13342 #include <asm/fcntl.h>
13343 @@ -170,6 +171,8 @@ asmlinkage void early_printk(const char
13344 int n;
13345 va_list ap;
13346
13347 + pax_track_stack();
13348 +
13349 va_start(ap, fmt);
13350 n = vscnprintf(buf, sizeof(buf), fmt, ap);
13351 early_console->write(early_console, buf, n);
13352 diff -urNp linux-2.6.32.46/arch/x86/kernel/efi_32.c linux-2.6.32.46/arch/x86/kernel/efi_32.c
13353 --- linux-2.6.32.46/arch/x86/kernel/efi_32.c 2011-03-27 14:31:47.000000000 -0400
13354 +++ linux-2.6.32.46/arch/x86/kernel/efi_32.c 2011-10-06 09:37:08.000000000 -0400
13355 @@ -38,70 +38,56 @@
13356 */
13357
13358 static unsigned long efi_rt_eflags;
13359 -static pgd_t efi_bak_pg_dir_pointer[2];
13360 +static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS];
13361
13362 -void efi_call_phys_prelog(void)
13363 +void __init efi_call_phys_prelog(void)
13364 {
13365 - unsigned long cr4;
13366 - unsigned long temp;
13367 struct desc_ptr gdt_descr;
13368
13369 - local_irq_save(efi_rt_eflags);
13370 +#ifdef CONFIG_PAX_KERNEXEC
13371 + struct desc_struct d;
13372 +#endif
13373
13374 - /*
13375 - * If I don't have PAE, I should just duplicate two entries in page
13376 - * directory. If I have PAE, I just need to duplicate one entry in
13377 - * page directory.
13378 - */
13379 - cr4 = read_cr4_safe();
13380 + local_irq_save(efi_rt_eflags);
13381
13382 - if (cr4 & X86_CR4_PAE) {
13383 - efi_bak_pg_dir_pointer[0].pgd =
13384 - swapper_pg_dir[pgd_index(0)].pgd;
13385 - swapper_pg_dir[0].pgd =
13386 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
13387 - } else {
13388 - efi_bak_pg_dir_pointer[0].pgd =
13389 - swapper_pg_dir[pgd_index(0)].pgd;
13390 - efi_bak_pg_dir_pointer[1].pgd =
13391 - swapper_pg_dir[pgd_index(0x400000)].pgd;
13392 - swapper_pg_dir[pgd_index(0)].pgd =
13393 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
13394 - temp = PAGE_OFFSET + 0x400000;
13395 - swapper_pg_dir[pgd_index(0x400000)].pgd =
13396 - swapper_pg_dir[pgd_index(temp)].pgd;
13397 - }
13398 + clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
13399 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
13400 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
13401
13402 /*
13403 * After the lock is released, the original page table is restored.
13404 */
13405 __flush_tlb_all();
13406
13407 +#ifdef CONFIG_PAX_KERNEXEC
13408 + pack_descriptor(&d, 0, 0xFFFFF, 0x9B, 0xC);
13409 + write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_CS, &d, DESCTYPE_S);
13410 + pack_descriptor(&d, 0, 0xFFFFF, 0x93, 0xC);
13411 + write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_DS, &d, DESCTYPE_S);
13412 +#endif
13413 +
13414 gdt_descr.address = __pa(get_cpu_gdt_table(0));
13415 gdt_descr.size = GDT_SIZE - 1;
13416 load_gdt(&gdt_descr);
13417 }
13418
13419 -void efi_call_phys_epilog(void)
13420 +void __init efi_call_phys_epilog(void)
13421 {
13422 - unsigned long cr4;
13423 struct desc_ptr gdt_descr;
13424
13425 +#ifdef CONFIG_PAX_KERNEXEC
13426 + struct desc_struct d;
13427 +
13428 + memset(&d, 0, sizeof d);
13429 + write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_CS, &d, DESCTYPE_S);
13430 + write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_DS, &d, DESCTYPE_S);
13431 +#endif
13432 +
13433 gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
13434 gdt_descr.size = GDT_SIZE - 1;
13435 load_gdt(&gdt_descr);
13436
13437 - cr4 = read_cr4_safe();
13438 -
13439 - if (cr4 & X86_CR4_PAE) {
13440 - swapper_pg_dir[pgd_index(0)].pgd =
13441 - efi_bak_pg_dir_pointer[0].pgd;
13442 - } else {
13443 - swapper_pg_dir[pgd_index(0)].pgd =
13444 - efi_bak_pg_dir_pointer[0].pgd;
13445 - swapper_pg_dir[pgd_index(0x400000)].pgd =
13446 - efi_bak_pg_dir_pointer[1].pgd;
13447 - }
13448 + clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
13449
13450 /*
13451 * After the lock is released, the original page table is restored.
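Review bot: The descriptor arguments in `pack_descriptor(&d, 0, 0xFFFFF, 0x9B, 0xC)` and `pack_descriptor(&d, 0, 0xFFFFF, 0x93, 0xC)` are bare hex values that have to be decoded by hand to see what the temporary EFI segments permit. Add a comment above them, e.g. `/* flat 4 GiB ring-0 segments: 0x9B = present code, execute/read; 0x93 = present data, read/write; 0xC = 4 KiB granularity, 32-bit */`. It is also worth saying in a comment in `efi_call_phys_epilog()` that the two GDT slots are zeroed again so the flat segments do not outlive the call. The epilog body continues outside the hunk.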
13452 diff -urNp linux-2.6.32.46/arch/x86/kernel/efi_stub_32.S linux-2.6.32.46/arch/x86/kernel/efi_stub_32.S
13453 --- linux-2.6.32.46/arch/x86/kernel/efi_stub_32.S 2011-03-27 14:31:47.000000000 -0400
13454 +++ linux-2.6.32.46/arch/x86/kernel/efi_stub_32.S 2011-10-06 09:37:08.000000000 -0400
13455 @@ -6,7 +6,9 @@
13456 */
13457
13458 #include <linux/linkage.h>
13459 +#include <linux/init.h>
13460 #include <asm/page_types.h>
13461 +#include <asm/segment.h>
13462
13463 /*
13464 * efi_call_phys(void *, ...) is a function with variable parameters.
13465 @@ -20,7 +22,7 @@
13466 * service functions will comply with gcc calling convention, too.
13467 */
13468
13469 -.text
13470 +__INIT
13471 ENTRY(efi_call_phys)
13472 /*
13473 * 0. The function can only be called in Linux kernel. So CS has been
13474 @@ -36,9 +38,11 @@ ENTRY(efi_call_phys)
13475 * The mapping of lower virtual memory has been created in prelog and
13476 * epilog.
13477 */
13478 - movl $1f, %edx
13479 - subl $__PAGE_OFFSET, %edx
13480 - jmp *%edx
13481 + movl $(__KERNEXEC_EFI_DS), %edx
13482 + mov %edx, %ds
13483 + mov %edx, %es
13484 + mov %edx, %ss
13485 + ljmp $(__KERNEXEC_EFI_CS),$1f-__PAGE_OFFSET
13486 1:
13487
13488 /*
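Review bot: The stub now loads `__KERNEXEC_EFI_DS` and far-jumps through `__KERNEXEC_EFI_CS` unconditionally, but `efi_call_phys_prelog()` in efi_32.c writes those two GDT entries only under `#ifdef CONFIG_PAX_KERNEXEC`. On a build without that option the selectors are either undefined or point at descriptors nobody filled in; segment.h is not visible here, so which of the two applies is unconfirmed. Guarding the new sequence and keeping the original jump as the fallback avoids both cases. The return path in the later hunk (`ljmp $(__KERNEL_CS),$1f+__PAGE_OFFSET`) depends on the same configuration and needs the same treatment. `efi_call_phys` begins and ends outside this hunk.

```asm
#ifdef CONFIG_PAX_KERNEXEC
	/* … unchanged: load __KERNEXEC_EFI_DS into %ds/%es/%ss, ljmp via __KERNEXEC_EFI_CS … */
#else
	movl $1f, %edx
	subl $__PAGE_OFFSET, %edx
	jmp *%edx
#endif
1:
```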
13489 @@ -47,14 +51,8 @@ ENTRY(efi_call_phys)
13490 * parameter 2, ..., param n. To make things easy, we save the return
13491 * address of efi_call_phys in a global variable.
13492 */
13493 - popl %edx
13494 - movl %edx, saved_return_addr
13495 - /* get the function pointer into ECX*/
13496 - popl %ecx
13497 - movl %ecx, efi_rt_function_ptr
13498 - movl $2f, %edx
13499 - subl $__PAGE_OFFSET, %edx
13500 - pushl %edx
13501 + popl (saved_return_addr)
13502 + popl (efi_rt_function_ptr)
13503
13504 /*
13505 * 3. Clear PG bit in %CR0.
13506 @@ -73,9 +71,8 @@ ENTRY(efi_call_phys)
13507 /*
13508 * 5. Call the physical function.
13509 */
13510 - jmp *%ecx
13511 + call *(efi_rt_function_ptr-__PAGE_OFFSET)
13512
13513 -2:
13514 /*
13515 * 6. After EFI runtime service returns, control will return to
13516 * following instruction. We'd better readjust stack pointer first.
13517 @@ -88,35 +85,32 @@ ENTRY(efi_call_phys)
13518 movl %cr0, %edx
13519 orl $0x80000000, %edx
13520 movl %edx, %cr0
13521 - jmp 1f
13522 -1:
13523 +
13524 /*
13525 * 8. Now restore the virtual mode from flat mode by
13526 * adding EIP with PAGE_OFFSET.
13527 */
13528 - movl $1f, %edx
13529 - jmp *%edx
13530 + ljmp $(__KERNEL_CS),$1f+__PAGE_OFFSET
13531 1:
13532 + movl $(__KERNEL_DS), %edx
13533 + mov %edx, %ds
13534 + mov %edx, %es
13535 + mov %edx, %ss
13536
13537 /*
13538 * 9. Balance the stack. And because EAX contain the return value,
13539 * we'd better not clobber it.
13540 */
13541 - leal efi_rt_function_ptr, %edx
13542 - movl (%edx), %ecx
13543 - pushl %ecx
13544 + pushl (efi_rt_function_ptr)
13545
13546 /*
13547 - * 10. Push the saved return address onto the stack and return.
13548 + * 10. Return to the saved return address.
13549 */
13550 - leal saved_return_addr, %edx
13551 - movl (%edx), %ecx
13552 - pushl %ecx
13553 - ret
13554 + jmpl *(saved_return_addr)
13555 ENDPROC(efi_call_phys)
13556 .previous
13557
13558 -.data
13559 +__INITDATA
13560 saved_return_addr:
13561 .long 0
13562 efi_rt_function_ptr:
13563 diff -urNp linux-2.6.32.46/arch/x86/kernel/efi_stub_64.S linux-2.6.32.46/arch/x86/kernel/efi_stub_64.S
13564 --- linux-2.6.32.46/arch/x86/kernel/efi_stub_64.S 2011-03-27 14:31:47.000000000 -0400
13565 +++ linux-2.6.32.46/arch/x86/kernel/efi_stub_64.S 2011-10-06 09:37:14.000000000 -0400
13566 @@ -7,6 +7,7 @@
13567 */
13568
13569 #include <linux/linkage.h>
13570 +#include <asm/alternative-asm.h>
13571
13572 #define SAVE_XMM \
13573 mov %rsp, %rax; \
13574 @@ -40,6 +41,7 @@ ENTRY(efi_call0)
13575 call *%rdi
13576 addq $32, %rsp
13577 RESTORE_XMM
13578 + pax_force_retaddr
13579 ret
13580 ENDPROC(efi_call0)
13581
13582 @@ -50,6 +52,7 @@ ENTRY(efi_call1)
13583 call *%rdi
13584 addq $32, %rsp
13585 RESTORE_XMM
13586 + pax_force_retaddr
13587 ret
13588 ENDPROC(efi_call1)
13589
13590 @@ -60,6 +63,7 @@ ENTRY(efi_call2)
13591 call *%rdi
13592 addq $32, %rsp
13593 RESTORE_XMM
13594 + pax_force_retaddr
13595 ret
13596 ENDPROC(efi_call2)
13597
13598 @@ -71,6 +75,7 @@ ENTRY(efi_call3)
13599 call *%rdi
13600 addq $32, %rsp
13601 RESTORE_XMM
13602 + pax_force_retaddr
13603 ret
13604 ENDPROC(efi_call3)
13605
13606 @@ -83,6 +88,7 @@ ENTRY(efi_call4)
13607 call *%rdi
13608 addq $32, %rsp
13609 RESTORE_XMM
13610 + pax_force_retaddr
13611 ret
13612 ENDPROC(efi_call4)
13613
13614 @@ -96,6 +102,7 @@ ENTRY(efi_call5)
13615 call *%rdi
13616 addq $48, %rsp
13617 RESTORE_XMM
13618 + pax_force_retaddr
13619 ret
13620 ENDPROC(efi_call5)
13621
13622 @@ -112,5 +119,6 @@ ENTRY(efi_call6)
13623 call *%rdi
13624 addq $48, %rsp
13625 RESTORE_XMM
13626 + pax_force_retaddr
13627 ret
13628 ENDPROC(efi_call6)
13629 diff -urNp linux-2.6.32.46/arch/x86/kernel/entry_32.S linux-2.6.32.46/arch/x86/kernel/entry_32.S
13630 --- linux-2.6.32.46/arch/x86/kernel/entry_32.S 2011-03-27 14:31:47.000000000 -0400
13631 +++ linux-2.6.32.46/arch/x86/kernel/entry_32.S 2011-08-30 18:19:52.000000000 -0400
13632 @@ -185,13 +185,146 @@
13633 /*CFI_REL_OFFSET gs, PT_GS*/
13634 .endm
13635 .macro SET_KERNEL_GS reg
13636 +
13637 +#ifdef CONFIG_CC_STACKPROTECTOR
13638 movl $(__KERNEL_STACK_CANARY), \reg
13639 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
13640 + movl $(__USER_DS), \reg
13641 +#else
13642 + xorl \reg, \reg
13643 +#endif
13644 +
13645 movl \reg, %gs
13646 .endm
13647
13648 #endif /* CONFIG_X86_32_LAZY_GS */
13649
13650 -.macro SAVE_ALL
13651 +.macro pax_enter_kernel
13652 +#ifdef CONFIG_PAX_KERNEXEC
13653 + call pax_enter_kernel
13654 +#endif
13655 +.endm
13656 +
13657 +.macro pax_exit_kernel
13658 +#ifdef CONFIG_PAX_KERNEXEC
13659 + call pax_exit_kernel
13660 +#endif
13661 +.endm
13662 +
13663 +#ifdef CONFIG_PAX_KERNEXEC
13664 +ENTRY(pax_enter_kernel)
13665 +#ifdef CONFIG_PARAVIRT
13666 + pushl %eax
13667 + pushl %ecx
13668 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)
13669 + mov %eax, %esi
13670 +#else
13671 + mov %cr0, %esi
13672 +#endif
13673 + bts $16, %esi
13674 + jnc 1f
13675 + mov %cs, %esi
13676 + cmp $__KERNEL_CS, %esi
13677 + jz 3f
13678 + ljmp $__KERNEL_CS, $3f
13679 +1: ljmp $__KERNEXEC_KERNEL_CS, $2f
13680 +2:
13681 +#ifdef CONFIG_PARAVIRT
13682 + mov %esi, %eax
13683 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
13684 +#else
13685 + mov %esi, %cr0
13686 +#endif
13687 +3:
13688 +#ifdef CONFIG_PARAVIRT
13689 + popl %ecx
13690 + popl %eax
13691 +#endif
13692 + ret
13693 +ENDPROC(pax_enter_kernel)
13694 +
13695 +ENTRY(pax_exit_kernel)
13696 +#ifdef CONFIG_PARAVIRT
13697 + pushl %eax
13698 + pushl %ecx
13699 +#endif
13700 + mov %cs, %esi
13701 + cmp $__KERNEXEC_KERNEL_CS, %esi
13702 + jnz 2f
13703 +#ifdef CONFIG_PARAVIRT
13704 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0);
13705 + mov %eax, %esi
13706 +#else
13707 + mov %cr0, %esi
13708 +#endif
13709 + btr $16, %esi
13710 + ljmp $__KERNEL_CS, $1f
13711 +1:
13712 +#ifdef CONFIG_PARAVIRT
13713 + mov %esi, %eax
13714 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);
13715 +#else
13716 + mov %esi, %cr0
13717 +#endif
13718 +2:
13719 +#ifdef CONFIG_PARAVIRT
13720 + popl %ecx
13721 + popl %eax
13722 +#endif
13723 + ret
13724 +ENDPROC(pax_exit_kernel)
13725 +#endif
13726 +
13727 +.macro pax_erase_kstack
13728 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
13729 + call pax_erase_kstack
13730 +#endif
13731 +.endm
13732 +
13733 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
13734 +/*
13735 + * ebp: thread_info
13736 + * ecx, edx: can be clobbered
13737 + */
13738 +ENTRY(pax_erase_kstack)
13739 + pushl %edi
13740 + pushl %eax
13741 +
13742 + mov TI_lowest_stack(%ebp), %edi
13743 + mov $-0xBEEF, %eax
13744 + std
13745 +
13746 +1: mov %edi, %ecx
13747 + and $THREAD_SIZE_asm - 1, %ecx
13748 + shr $2, %ecx
13749 + repne scasl
13750 + jecxz 2f
13751 +
13752 + cmp $2*16, %ecx
13753 + jc 2f
13754 +
13755 + mov $2*16, %ecx
13756 + repe scasl
13757 + jecxz 2f
13758 + jne 1b
13759 +
13760 +2: cld
13761 + mov %esp, %ecx
13762 + sub %edi, %ecx
13763 + shr $2, %ecx
13764 + rep stosl
13765 +
13766 + mov TI_task_thread_sp0(%ebp), %edi
13767 + sub $128, %edi
13768 + mov %edi, TI_lowest_stack(%ebp)
13769 +
13770 + popl %eax
13771 + popl %edi
13772 + ret
13773 +ENDPROC(pax_erase_kstack)
13774 +#endif
13775 +
13776 +.macro __SAVE_ALL _DS
13777 cld
13778 PUSH_GS
13779 pushl %fs
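Review bot: `pax_enter_kernel` and `pax_exit_kernel` use %esi as scratch and test bit 16 of CR0 as a bare number, with no header comment. `pax_erase_kstack`, a few lines further down, does document its register contract. Since `SAVE_ALL` now calls `pax_enter_kernel` on every entry, the clobber should be stated where callers will see it. Add `/* clobbers %esi; sets CR0.WP (bit 16) if it was clear */` above `ENTRY(pax_enter_kernel)` and `/* clobbers %esi; clears CR0.WP when %cs is __KERNEXEC_KERNEL_CS */` above `ENTRY(pax_exit_kernel)`. The `__SAVE_ALL` macro body continues outside this hunk.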
13780 @@ -224,7 +357,7 @@
13781 pushl %ebx
13782 CFI_ADJUST_CFA_OFFSET 4
13783 CFI_REL_OFFSET ebx, 0
13784 - movl $(__USER_DS), %edx
13785 + movl $\_DS, %edx
13786 movl %edx, %ds
13787 movl %edx, %es
13788 movl $(__KERNEL_PERCPU), %edx
13789 @@ -232,6 +365,15 @@
13790 SET_KERNEL_GS %edx
13791 .endm
13792
13793 +.macro SAVE_ALL
13794 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
13795 + __SAVE_ALL __KERNEL_DS
13796 + pax_enter_kernel
13797 +#else
13798 + __SAVE_ALL __USER_DS
13799 +#endif
13800 +.endm
13801 +
13802 .macro RESTORE_INT_REGS
13803 popl %ebx
13804 CFI_ADJUST_CFA_OFFSET -4
13805 @@ -352,7 +494,15 @@ check_userspace:
13806 movb PT_CS(%esp), %al
13807 andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax
13808 cmpl $USER_RPL, %eax
13809 +
13810 +#ifdef CONFIG_PAX_KERNEXEC
13811 + jae resume_userspace
13812 +
13813 + PAX_EXIT_KERNEL
13814 + jmp resume_kernel
13815 +#else
13816 jb resume_kernel # not returning to v8086 or userspace
13817 +#endif
13818
13819 ENTRY(resume_userspace)
13820 LOCKDEP_SYS_EXIT
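Review bot: `PAX_EXIT_KERNEL` in the CONFIG_PAX_KERNEXEC branch is spelled in upper case, while the macro defined earlier in this file is `.macro pax_exit_kernel`, and the other new call sites (`pax_enter_kernel`, `pax_erase_kstack`) use lower case. Unless a preprocessor macro of that exact name exists outside the visible hunks, this assembles only because the assembler matches macro names case-insensitively. Write it as `pax_exit_kernel` so the call site can be found by searching for the definition.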
13821 @@ -364,7 +514,7 @@ ENTRY(resume_userspace)
13822 andl $_TIF_WORK_MASK, %ecx # is there any work to be done on
13823 # int/exception return?
13824 jne work_pending
13825 - jmp restore_all
13826 + jmp restore_all_pax
13827 END(ret_from_exception)
13828
13829 #ifdef CONFIG_PREEMPT
13830 @@ -414,25 +564,36 @@ sysenter_past_esp:
13831 /*CFI_REL_OFFSET cs, 0*/
13832 /*
13833 * Push current_thread_info()->sysenter_return to the stack.
13834 - * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
13835 - * pushed above; +8 corresponds to copy_thread's esp0 setting.
13836 */
13837 - pushl (TI_sysenter_return-THREAD_SIZE+8+4*4)(%esp)
13838 + pushl $0
13839 CFI_ADJUST_CFA_OFFSET 4
13840 CFI_REL_OFFSET eip, 0
13841
13842 pushl %eax
13843 CFI_ADJUST_CFA_OFFSET 4
13844 SAVE_ALL
13845 + GET_THREAD_INFO(%ebp)
13846 + movl TI_sysenter_return(%ebp),%ebp
13847 + movl %ebp,PT_EIP(%esp)
13848 ENABLE_INTERRUPTS(CLBR_NONE)
13849
13850 /*
13851 * Load the potential sixth argument from user stack.
13852 * Careful about security.
13853 */
13854 + movl PT_OLDESP(%esp),%ebp
13855 +
13856 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13857 + mov PT_OLDSS(%esp),%ds
13858 +1: movl %ds:(%ebp),%ebp
13859 + push %ss
13860 + pop %ds
13861 +#else
13862 cmpl $__PAGE_OFFSET-3,%ebp
13863 jae syscall_fault
13864 1: movl (%ebp),%ebp
13865 +#endif
13866 +
13867 movl %ebp,PT_EBP(%esp)
13868 .section __ex_table,"a"
13869 .align 4
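Review bot: The retained comment `Push current_thread_info()->sysenter_return to the stack.` no longer describes the instruction under it, which is now `pushl $0`. The return address reaches the frame only after SAVE_ALL, through the three added lines that load TI_sysenter_return via GET_THREAD_INFO and store it to PT_EIP. I would reword the comment to `Reserve the EIP slot; it is filled from TI_sysenter_return after SAVE_ALL.` and put a matching one-line comment on the `movl %ebp,PT_EIP(%esp)` store. The rest of ia32_sysenter_target lies outside this hunk.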
13870 @@ -455,12 +616,24 @@ sysenter_do_call:
13871 testl $_TIF_ALLWORK_MASK, %ecx
13872 jne sysexit_audit
13873 sysenter_exit:
13874 +
13875 +#ifdef CONFIG_PAX_RANDKSTACK
13876 + pushl_cfi %eax
13877 + movl %esp, %eax
13878 + call pax_randomize_kstack
13879 + popl_cfi %eax
13880 +#endif
13881 +
13882 + pax_erase_kstack
13883 +
13884 /* if something modifies registers it must also disable sysexit */
13885 movl PT_EIP(%esp), %edx
13886 movl PT_OLDESP(%esp), %ecx
13887 xorl %ebp,%ebp
13888 TRACE_IRQS_ON
13889 1: mov PT_FS(%esp), %fs
13890 +2: mov PT_DS(%esp), %ds
13891 +3: mov PT_ES(%esp), %es
13892 PTGS_TO_GS
13893 ENABLE_INTERRUPTS_SYSEXIT
13894
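Review bot: The pointer handed to pax_randomize_kstack at sysenter_exit is taken after `pushl_cfi %eax`, so %eax holds an address one slot below the saved-register frame, whereas restore_all_pax in a later hunk passes `%esp` with nothing pushed. pax_randomize_kstack is not defined in this part of the patch, so whether it reads through that argument cannot be checked here. If it expects the same frame pointer at both call sites, `leal 4(%esp), %eax` after the push would make them agree. Either way, a one-line comment stating what %eax carries into the call would help; sysenter_exit continues past the end of the hunk.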
13895 @@ -477,6 +650,9 @@ sysenter_audit:
13896 movl %eax,%edx /* 2nd arg: syscall number */
13897 movl $AUDIT_ARCH_I386,%eax /* 1st arg: audit arch */
13898 call audit_syscall_entry
13899 +
13900 + pax_erase_kstack
13901 +
13902 pushl %ebx
13903 CFI_ADJUST_CFA_OFFSET 4
13904 movl PT_EAX(%esp),%eax /* reload syscall number */
13905 @@ -504,11 +680,17 @@ sysexit_audit:
13906
13907 CFI_ENDPROC
13908 .pushsection .fixup,"ax"
13909 -2: movl $0,PT_FS(%esp)
13910 +4: movl $0,PT_FS(%esp)
13911 + jmp 1b
13912 +5: movl $0,PT_DS(%esp)
13913 + jmp 1b
13914 +6: movl $0,PT_ES(%esp)
13915 jmp 1b
13916 .section __ex_table,"a"
13917 .align 4
13918 - .long 1b,2b
13919 + .long 1b,4b
13920 + .long 2b,5b
13921 + .long 3b,6b
13922 .popsection
13923 PTGS_TO_GS_EX
13924 ENDPROC(ia32_sysenter_target)
13925 @@ -538,6 +720,15 @@ syscall_exit:
13926 testl $_TIF_ALLWORK_MASK, %ecx # current->work
13927 jne syscall_exit_work
13928
13929 +restore_all_pax:
13930 +
13931 +#ifdef CONFIG_PAX_RANDKSTACK
13932 + movl %esp, %eax
13933 + call pax_randomize_kstack
13934 +#endif
13935 +
13936 + pax_erase_kstack
13937 +
13938 restore_all:
13939 TRACE_IRQS_IRET
13940 restore_all_notrace:
13941 @@ -602,10 +793,29 @@ ldt_ss:
13942 mov PT_OLDESP(%esp), %eax /* load userspace esp */
13943 mov %dx, %ax /* eax: new kernel esp */
13944 sub %eax, %edx /* offset (low word is 0) */
13945 - PER_CPU(gdt_page, %ebx)
13946 +#ifdef CONFIG_SMP
13947 + movl PER_CPU_VAR(cpu_number), %ebx
13948 + shll $PAGE_SHIFT_asm, %ebx
13949 + addl $cpu_gdt_table, %ebx
13950 +#else
13951 + movl $cpu_gdt_table, %ebx
13952 +#endif
13953 shr $16, %edx
13954 +
13955 +#ifdef CONFIG_PAX_KERNEXEC
13956 + mov %cr0, %esi
13957 + btr $16, %esi
13958 + mov %esi, %cr0
13959 +#endif
13960 +
13961 mov %dl, GDT_ENTRY_ESPFIX_SS * 8 + 4(%ebx) /* bits 16..23 */
13962 mov %dh, GDT_ENTRY_ESPFIX_SS * 8 + 7(%ebx) /* bits 24..31 */
13963 +
13964 +#ifdef CONFIG_PAX_KERNEXEC
13965 + bts $16, %esi
13966 + mov %esi, %cr0
13967 +#endif
13968 +
13969 pushl $__ESPFIX_SS
13970 CFI_ADJUST_CFA_OFFSET 4
13971 push %eax /* new kernel esp */
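Review bot: The two CONFIG_PAX_KERNEXEC blocks around the ESPFIX descriptor stores clear and then set bit 16 of CR0 with no comment, and %esi silently carries the CR0 value between them. Bit 16 is the write-protect bit, so the two byte stores into the GDT run with supervisor write protection lifted. The hunk does not show whether interrupts are already disabled at this point (`ldt_ss` begins above it), which decides how long that window can last. I would add `/* KERNEXEC: lift CR0.WP (bit 16) for the two GDT byte stores below; %esi holds CR0 until it is restored */` before `mov %cr0, %esi` and state the expected interrupt state in the same comment.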
13972 @@ -636,31 +846,25 @@ work_resched:
13973 movl TI_flags(%ebp), %ecx
13974 andl $_TIF_WORK_MASK, %ecx # is there any work to be done other
13975 # than syscall tracing?
13976 - jz restore_all
13977 + jz restore_all_pax
13978 testb $_TIF_NEED_RESCHED, %cl
13979 jnz work_resched
13980
13981 work_notifysig: # deal with pending signals and
13982 # notify-resume requests
13983 + movl %esp, %eax
13984 #ifdef CONFIG_VM86
13985 testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
13986 - movl %esp, %eax
13987 - jne work_notifysig_v86 # returning to kernel-space or
13988 + jz 1f # returning to kernel-space or
13989 # vm86-space
13990 - xorl %edx, %edx
13991 - call do_notify_resume
13992 - jmp resume_userspace_sig
13993
13994 - ALIGN
13995 -work_notifysig_v86:
13996 pushl %ecx # save ti_flags for do_notify_resume
13997 CFI_ADJUST_CFA_OFFSET 4
13998 call save_v86_state # %eax contains pt_regs pointer
13999 popl %ecx
14000 CFI_ADJUST_CFA_OFFSET -4
14001 movl %eax, %esp
14002 -#else
14003 - movl %esp, %eax
14004 +1:
14005 #endif
14006 xorl %edx, %edx
14007 call do_notify_resume
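Review bot: The trailing comment `# returning to kernel-space or vm86-space` was written for the removed `jne work_notifysig_v86` and now sits on `jz 1f`, which is taken when X86_EFLAGS_VM is clear. As it stands, the comment describes the opposite of the branch it annotates. I would change the line to `jz 1f # not vm86: skip save_v86_state` and note at the `1:` label that both paths fall into the shared do_notify_resume call with %eax holding the pt_regs pointer.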
14008 @@ -673,6 +877,9 @@ syscall_trace_entry:
14009 movl $-ENOSYS,PT_EAX(%esp)
14010 movl %esp, %eax
14011 call syscall_trace_enter
14012 +
14013 + pax_erase_kstack
14014 +
14015 /* What it returned is what we'll actually use. */
14016 cmpl $(nr_syscalls), %eax
14017 jnae syscall_call
14018 @@ -695,6 +902,10 @@ END(syscall_exit_work)
14019
14020 RING0_INT_FRAME # can't unwind into user space anyway
14021 syscall_fault:
14022 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14023 + push %ss
14024 + pop %ds
14025 +#endif
14026 GET_THREAD_INFO(%ebp)
14027 movl $-EFAULT,PT_EAX(%esp)
14028 jmp resume_userspace
14029 @@ -726,6 +937,33 @@ PTREGSCALL(rt_sigreturn)
14030 PTREGSCALL(vm86)
14031 PTREGSCALL(vm86old)
14032
14033 + ALIGN;
14034 +ENTRY(kernel_execve)
14035 + push %ebp
14036 + sub $PT_OLDSS+4,%esp
14037 + push %edi
14038 + push %ecx
14039 + push %eax
14040 + lea 3*4(%esp),%edi
14041 + mov $PT_OLDSS/4+1,%ecx
14042 + xorl %eax,%eax
14043 + rep stosl
14044 + pop %eax
14045 + pop %ecx
14046 + pop %edi
14047 + movl $X86_EFLAGS_IF,PT_EFLAGS(%esp)
14048 + mov %eax,PT_EBX(%esp)
14049 + mov %edx,PT_ECX(%esp)
14050 + mov %ecx,PT_EDX(%esp)
14051 + mov %esp,%eax
14052 + call sys_execve
14053 + GET_THREAD_INFO(%ebp)
14054 + test %eax,%eax
14055 + jz syscall_exit
14056 + add $PT_OLDSS+4,%esp
14057 + pop %ebp
14058 + ret
14059 +
14060 .macro FIXUP_ESPFIX_STACK
14061 /*
14062 * Switch back for ESPFIX stack to the normal zerobased stack
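Review bot: kernel_execve is added without a header comment, without CFI annotations and without a closing `ENDPROC(kernel_execve)`, unlike ia32_sysenter_target earlier in the same file. The body copies %eax, %edx and %ecx into PT_EBX, PT_ECX and PT_EDX of a zero-filled frame of `PT_OLDSS+4` bytes, calls sys_execve with %esp as its argument, and on a zero return jumps to syscall_exit instead of returning. None of that is stated anywhere. I would add a block comment covering the incoming registers, the frame layout and the fact that the success path never comes back to the caller, and add `ENDPROC(kernel_execve)` after the `ret`.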
14063 @@ -735,7 +973,13 @@ PTREGSCALL(vm86old)
14064 * normal stack and adjusts ESP with the matching offset.
14065 */
14066 /* fixup the stack */
14067 - PER_CPU(gdt_page, %ebx)
14068 +#ifdef CONFIG_SMP
14069 + movl PER_CPU_VAR(cpu_number), %ebx
14070 + shll $PAGE_SHIFT_asm, %ebx
14071 + addl $cpu_gdt_table, %ebx
14072 +#else
14073 + movl $cpu_gdt_table, %ebx
14074 +#endif
14075 mov GDT_ENTRY_ESPFIX_SS * 8 + 4(%ebx), %al /* bits 16..23 */
14076 mov GDT_ENTRY_ESPFIX_SS * 8 + 7(%ebx), %ah /* bits 24..31 */
14077 shl $16, %eax
14078 @@ -1198,7 +1442,6 @@ return_to_handler:
14079 ret
14080 #endif
14081
14082 -.section .rodata,"a"
14083 #include "syscall_table_32.S"
14084
14085 syscall_table_size=(.-sys_call_table)
14086 @@ -1255,9 +1498,12 @@ error_code:
14087 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
14088 REG_TO_PTGS %ecx
14089 SET_KERNEL_GS %ecx
14090 - movl $(__USER_DS), %ecx
14091 + movl $(__KERNEL_DS), %ecx
14092 movl %ecx, %ds
14093 movl %ecx, %es
14094 +
14095 + pax_enter_kernel
14096 +
14097 TRACE_IRQS_OFF
14098 movl %esp,%eax # pt_regs pointer
14099 call *%edi
14100 @@ -1351,6 +1597,9 @@ nmi_stack_correct:
14101 xorl %edx,%edx # zero error code
14102 movl %esp,%eax # pt_regs pointer
14103 call do_nmi
14104 +
14105 + pax_exit_kernel
14106 +
14107 jmp restore_all_notrace
14108 CFI_ENDPROC
14109
14110 @@ -1391,6 +1640,9 @@ nmi_espfix_stack:
14111 FIXUP_ESPFIX_STACK # %eax == %esp
14112 xorl %edx,%edx # zero error code
14113 call do_nmi
14114 +
14115 + pax_exit_kernel
14116 +
14117 RESTORE_REGS
14118 lss 12+4(%esp), %esp # back to espfix stack
14119 CFI_ADJUST_CFA_OFFSET -24
14120 diff -urNp linux-2.6.32.46/arch/x86/kernel/entry_64.S linux-2.6.32.46/arch/x86/kernel/entry_64.S
14121 --- linux-2.6.32.46/arch/x86/kernel/entry_64.S 2011-03-27 14:31:47.000000000 -0400
14122 +++ linux-2.6.32.46/arch/x86/kernel/entry_64.S 2011-10-06 10:06:40.000000000 -0400
14123 @@ -53,6 +53,8 @@
14124 #include <asm/paravirt.h>
14125 #include <asm/ftrace.h>
14126 #include <asm/percpu.h>
14127 +#include <asm/pgtable.h>
14128 +#include <asm/alternative-asm.h>
14129
14130 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
14131 #include <linux/elf-em.h>
14132 @@ -174,6 +176,264 @@ ENTRY(native_usergs_sysret64)
14133 ENDPROC(native_usergs_sysret64)
14134 #endif /* CONFIG_PARAVIRT */
14135
14136 + .macro ljmpq sel, off
14137 +#if defined(CONFIG_MPSC) || defined(CONFIG_MCORE2) || defined (CONFIG_MATOM)
14138 + .byte 0x48; ljmp *1234f(%rip)
14139 + .pushsection .rodata
14140 + .align 16
14141 + 1234: .quad \off; .word \sel
14142 + .popsection
14143 +#else
14144 + pushq $\sel
14145 + pushq $\off
14146 + lretq
14147 +#endif
14148 + .endm
14149 +
14150 + .macro pax_enter_kernel
14151 +#ifdef CONFIG_PAX_KERNEXEC
14152 + call pax_enter_kernel
14153 +#endif
14154 + .endm
14155 +
14156 + .macro pax_exit_kernel
14157 +#ifdef CONFIG_PAX_KERNEXEC
14158 + call pax_exit_kernel
14159 +#endif
14160 + .endm
14161 +
14162 +#ifdef CONFIG_PAX_KERNEXEC
14163 +ENTRY(pax_enter_kernel)
14164 + pushq %rdi
14165 +
14166 +#ifdef CONFIG_PARAVIRT
14167 + PV_SAVE_REGS(CLBR_RDI)
14168 +#endif
14169 +
14170 + GET_CR0_INTO_RDI
14171 + bts $16,%rdi
14172 + jnc 1f
14173 + mov %cs,%edi
14174 + cmp $__KERNEL_CS,%edi
14175 + jz 3f
14176 + ljmpq __KERNEL_CS,3f
14177 +1: ljmpq __KERNEXEC_KERNEL_CS,2f
14178 +2: SET_RDI_INTO_CR0
14179 +3:
14180 +
14181 +#ifdef CONFIG_PARAVIRT
14182 + PV_RESTORE_REGS(CLBR_RDI)
14183 +#endif
14184 +
14185 + popq %rdi
14186 + retq
14187 +ENDPROC(pax_enter_kernel)
14188 +
14189 +ENTRY(pax_exit_kernel)
14190 + pushq %rdi
14191 +
14192 +#ifdef CONFIG_PARAVIRT
14193 + PV_SAVE_REGS(CLBR_RDI)
14194 +#endif
14195 +
14196 + mov %cs,%rdi
14197 + cmp $__KERNEXEC_KERNEL_CS,%edi
14198 + jnz 2f
14199 + GET_CR0_INTO_RDI
14200 + btr $16,%rdi
14201 + ljmpq __KERNEL_CS,1f
14202 +1: SET_RDI_INTO_CR0
14203 +2:
14204 +
14205 +#ifdef CONFIG_PARAVIRT
14206 + PV_RESTORE_REGS(CLBR_RDI);
14207 +#endif
14208 +
14209 + popq %rdi
14210 + retq
14211 +ENDPROC(pax_exit_kernel)
14212 +#endif
14213 +
14214 + .macro pax_enter_kernel_user
14215 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14216 + call pax_enter_kernel_user
14217 +#endif
14218 + .endm
14219 +
14220 + .macro pax_exit_kernel_user
14221 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14222 + call pax_exit_kernel_user
14223 +#endif
14224 +#ifdef CONFIG_PAX_RANDKSTACK
14225 + push %rax
14226 + call pax_randomize_kstack
14227 + pop %rax
14228 +#endif
14229 + .endm
14230 +
14231 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14232 +ENTRY(pax_enter_kernel_user)
14233 + pushq %rdi
14234 + pushq %rbx
14235 +
14236 +#ifdef CONFIG_PARAVIRT
14237 + PV_SAVE_REGS(CLBR_RDI)
14238 +#endif
14239 +
14240 + GET_CR3_INTO_RDI
14241 + mov %rdi,%rbx
14242 + add $__START_KERNEL_map,%rbx
14243 + sub phys_base(%rip),%rbx
14244 +
14245 +#ifdef CONFIG_PARAVIRT
14246 + pushq %rdi
14247 + cmpl $0, pv_info+PARAVIRT_enabled
14248 + jz 1f
14249 + i = 0
14250 + .rept USER_PGD_PTRS
14251 + mov i*8(%rbx),%rsi
14252 + mov $0,%sil
14253 + lea i*8(%rbx),%rdi
14254 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched)
14255 + i = i + 1
14256 + .endr
14257 + jmp 2f
14258 +1:
14259 +#endif
14260 +
14261 + i = 0
14262 + .rept USER_PGD_PTRS
14263 + movb $0,i*8(%rbx)
14264 + i = i + 1
14265 + .endr
14266 +
14267 +#ifdef CONFIG_PARAVIRT
14268 +2: popq %rdi
14269 +#endif
14270 + SET_RDI_INTO_CR3
14271 +
14272 +#ifdef CONFIG_PAX_KERNEXEC
14273 + GET_CR0_INTO_RDI
14274 + bts $16,%rdi
14275 + SET_RDI_INTO_CR0
14276 +#endif
14277 +
14278 +#ifdef CONFIG_PARAVIRT
14279 + PV_RESTORE_REGS(CLBR_RDI)
14280 +#endif
14281 +
14282 + popq %rbx
14283 + popq %rdi
14284 + retq
14285 +ENDPROC(pax_enter_kernel_user)
14286 +
14287 +ENTRY(pax_exit_kernel_user)
14288 + push %rdi
14289 +
14290 +#ifdef CONFIG_PARAVIRT
14291 + pushq %rbx
14292 + PV_SAVE_REGS(CLBR_RDI)
14293 +#endif
14294 +
14295 +#ifdef CONFIG_PAX_KERNEXEC
14296 + GET_CR0_INTO_RDI
14297 + btr $16,%rdi
14298 + SET_RDI_INTO_CR0
14299 +#endif
14300 +
14301 + GET_CR3_INTO_RDI
14302 + add $__START_KERNEL_map,%rdi
14303 + sub phys_base(%rip),%rdi
14304 +
14305 +#ifdef CONFIG_PARAVIRT
14306 + cmpl $0, pv_info+PARAVIRT_enabled
14307 + jz 1f
14308 + mov %rdi,%rbx
14309 + i = 0
14310 + .rept USER_PGD_PTRS
14311 + mov i*8(%rbx),%rsi
14312 + mov $0x67,%sil
14313 + lea i*8(%rbx),%rdi
14314 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched)
14315 + i = i + 1
14316 + .endr
14317 + jmp 2f
14318 +1:
14319 +#endif
14320 +
14321 + i = 0
14322 + .rept USER_PGD_PTRS
14323 + movb $0x67,i*8(%rdi)
14324 + i = i + 1
14325 + .endr
14326 +
14327 +#ifdef CONFIG_PARAVIRT
14328 +2: PV_RESTORE_REGS(CLBR_RDI)
14329 + popq %rbx
14330 +#endif
14331 +
14332 + popq %rdi
14333 + retq
14334 +ENDPROC(pax_exit_kernel_user)
14335 +#endif
14336 +
14337 +.macro pax_erase_kstack
14338 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
14339 + call pax_erase_kstack
14340 +#endif
14341 +.endm
14342 +
14343 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
14344 +/*
14345 + * r10: thread_info
14346 + * rcx, rdx: can be clobbered
14347 + */
14348 +ENTRY(pax_erase_kstack)
14349 + pushq %rdi
14350 + pushq %rax
14351 + pushq %r10
14352 +
14353 + GET_THREAD_INFO(%r10)
14354 + mov TI_lowest_stack(%r10), %rdi
14355 + mov $-0xBEEF, %rax
14356 + std
14357 +
14358 +1: mov %edi, %ecx
14359 + and $THREAD_SIZE_asm - 1, %ecx
14360 + shr $3, %ecx
14361 + repne scasq
14362 + jecxz 2f
14363 +
14364 + cmp $2*8, %ecx
14365 + jc 2f
14366 +
14367 + mov $2*8, %ecx
14368 + repe scasq
14369 + jecxz 2f
14370 + jne 1b
14371 +
14372 +2: cld
14373 + mov %esp, %ecx
14374 + sub %edi, %ecx
14375 +
14376 + cmp $THREAD_SIZE_asm, %rcx
14377 + jb 3f
14378 + ud2
14379 +3:
14380 +
14381 + shr $3, %ecx
14382 + rep stosq
14383 +
14384 + mov TI_task_thread_sp0(%r10), %rdi
14385 + sub $256, %rdi
14386 + mov %rdi, TI_lowest_stack(%r10)
14387 +
14388 + popq %r10
14389 + popq %rax
14390 + popq %rdi
14391 + ret
14392 +ENDPROC(pax_erase_kstack)
14393 +#endif
14394
14395 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET
14396 #ifdef CONFIG_TRACE_IRQFLAGS
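Review bot: The register contract in the comment above pax_erase_kstack does not match the body. It lists r10 as thread_info and rcx, rdx as clobberable, but the routine pushes r10 and loads it itself with GET_THREAD_INFO, saves and restores rdi and rax, modifies rcx, and its visible instructions never touch rdx. I would replace it with a comment saying that thread_info is looked up internally, that only rcx is clobbered, and that the direction flag is set by `std` for the scan and cleared by `cld` before the fill. The same comment is the place to explain the `-0xBEEF` fill value and the `ud2` that fires when the computed length is not below THREAD_SIZE_asm.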
14397 @@ -317,7 +577,7 @@ ENTRY(save_args)
14398 leaq -ARGOFFSET+16(%rsp),%rdi /* arg1 for handler */
14399 movq_cfi rbp, 8 /* push %rbp */
14400 leaq 8(%rsp), %rbp /* mov %rsp, %ebp */
14401 - testl $3, CS(%rdi)
14402 + testb $3, CS(%rdi)
14403 je 1f
14404 SWAPGS
14405 /*
14406 @@ -409,7 +669,7 @@ ENTRY(ret_from_fork)
14407
14408 RESTORE_REST
14409
14410 - testl $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
14411 + testb $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
14412 je int_ret_from_sys_call
14413
14414 testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
14415 @@ -455,7 +715,7 @@ END(ret_from_fork)
14416 ENTRY(system_call)
14417 CFI_STARTPROC simple
14418 CFI_SIGNAL_FRAME
14419 - CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET
14420 + CFI_DEF_CFA rsp,0
14421 CFI_REGISTER rip,rcx
14422 /*CFI_REGISTER rflags,r11*/
14423 SWAPGS_UNSAFE_STACK
14424 @@ -468,12 +728,13 @@ ENTRY(system_call_after_swapgs)
14425
14426 movq %rsp,PER_CPU_VAR(old_rsp)
14427 movq PER_CPU_VAR(kernel_stack),%rsp
14428 + pax_enter_kernel_user
14429 /*
14430 * No need to follow this irqs off/on section - it's straight
14431 * and short:
14432 */
14433 ENABLE_INTERRUPTS(CLBR_NONE)
14434 - SAVE_ARGS 8,1
14435 + SAVE_ARGS 8*6,1
14436 movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
14437 movq %rcx,RIP-ARGOFFSET(%rsp)
14438 CFI_REL_OFFSET rip,RIP-ARGOFFSET
14439 @@ -502,6 +763,8 @@ sysret_check:
14440 andl %edi,%edx
14441 jnz sysret_careful
14442 CFI_REMEMBER_STATE
14443 + pax_exit_kernel_user
14444 + pax_erase_kstack
14445 /*
14446 * sysretq will re-enable interrupts:
14447 */
14448 @@ -562,6 +825,9 @@ auditsys:
14449 movq %rax,%rsi /* 2nd arg: syscall number */
14450 movl $AUDIT_ARCH_X86_64,%edi /* 1st arg: audit arch */
14451 call audit_syscall_entry
14452 +
14453 + pax_erase_kstack
14454 +
14455 LOAD_ARGS 0 /* reload call-clobbered registers */
14456 jmp system_call_fastpath
14457
14458 @@ -592,6 +858,9 @@ tracesys:
14459 FIXUP_TOP_OF_STACK %rdi
14460 movq %rsp,%rdi
14461 call syscall_trace_enter
14462 +
14463 + pax_erase_kstack
14464 +
14465 /*
14466 * Reload arg registers from stack in case ptrace changed them.
14467 * We don't reload %rax because syscall_trace_enter() returned
14468 @@ -613,7 +882,7 @@ tracesys:
14469 GLOBAL(int_ret_from_sys_call)
14470 DISABLE_INTERRUPTS(CLBR_NONE)
14471 TRACE_IRQS_OFF
14472 - testl $3,CS-ARGOFFSET(%rsp)
14473 + testb $3,CS-ARGOFFSET(%rsp)
14474 je retint_restore_args
14475 movl $_TIF_ALLWORK_MASK,%edi
14476 /* edi: mask to check */
14477 @@ -800,6 +1069,16 @@ END(interrupt)
14478 CFI_ADJUST_CFA_OFFSET 10*8
14479 call save_args
14480 PARTIAL_FRAME 0
14481 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14482 + testb $3, CS(%rdi)
14483 + jnz 1f
14484 + pax_enter_kernel
14485 + jmp 2f
14486 +1: pax_enter_kernel_user
14487 +2:
14488 +#else
14489 + pax_enter_kernel
14490 +#endif
14491 call \func
14492 .endm
14493
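Review bot: The ten-line CONFIG_PAX_MEMORY_UDEREF block that chooses between pax_enter_kernel and pax_enter_kernel_user is pasted here and again in the hunks at -1032, -1049, -1066, -1085, -1104 and -1529, differing only in the operand tested (`CS(%rdi)` here, `CS(%rsp)` in the others). Seven copies of a privilege-level check are easy to get out of step when one of them is edited. I would define the sequence once as a macro taking the CS operand, next to the other pax_* macros, and invoke it at each site; the macro name below is only a suggestion. The enclosing `.macro` starts above this hunk.

```asm
	.macro pax_enter_kernel_by_cs cs
#ifdef CONFIG_PAX_MEMORY_UDEREF
	testb $3, \cs
	jnz 1f
	pax_enter_kernel
	jmp 2f
1:	pax_enter_kernel_user
2:
#else
	pax_enter_kernel
#endif
	.endm

	/* ... unchanged: call save_args, PARTIAL_FRAME 0 ... */
	pax_enter_kernel_by_cs CS(%rdi)
```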
14494 @@ -822,7 +1101,7 @@ ret_from_intr:
14495 CFI_ADJUST_CFA_OFFSET -8
14496 exit_intr:
14497 GET_THREAD_INFO(%rcx)
14498 - testl $3,CS-ARGOFFSET(%rsp)
14499 + testb $3,CS-ARGOFFSET(%rsp)
14500 je retint_kernel
14501
14502 /* Interrupt came from user space */
14503 @@ -844,12 +1123,16 @@ retint_swapgs: /* return to user-space
14504 * The iretq could re-enable interrupts:
14505 */
14506 DISABLE_INTERRUPTS(CLBR_ANY)
14507 + pax_exit_kernel_user
14508 + pax_erase_kstack
14509 TRACE_IRQS_IRETQ
14510 SWAPGS
14511 jmp restore_args
14512
14513 retint_restore_args: /* return to kernel space */
14514 DISABLE_INTERRUPTS(CLBR_ANY)
14515 + pax_exit_kernel
14516 + pax_force_retaddr RIP-ARGOFFSET
14517 /*
14518 * The iretq could re-enable interrupts:
14519 */
14520 @@ -1032,6 +1315,16 @@ ENTRY(\sym)
14521 CFI_ADJUST_CFA_OFFSET 15*8
14522 call error_entry
14523 DEFAULT_FRAME 0
14524 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14525 + testb $3, CS(%rsp)
14526 + jnz 1f
14527 + pax_enter_kernel
14528 + jmp 2f
14529 +1: pax_enter_kernel_user
14530 +2:
14531 +#else
14532 + pax_enter_kernel
14533 +#endif
14534 movq %rsp,%rdi /* pt_regs pointer */
14535 xorl %esi,%esi /* no error code */
14536 call \do_sym
14537 @@ -1049,6 +1342,16 @@ ENTRY(\sym)
14538 subq $15*8, %rsp
14539 call save_paranoid
14540 TRACE_IRQS_OFF
14541 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14542 + testb $3, CS(%rsp)
14543 + jnz 1f
14544 + pax_enter_kernel
14545 + jmp 2f
14546 +1: pax_enter_kernel_user
14547 +2:
14548 +#else
14549 + pax_enter_kernel
14550 +#endif
14551 movq %rsp,%rdi /* pt_regs pointer */
14552 xorl %esi,%esi /* no error code */
14553 call \do_sym
14554 @@ -1066,9 +1369,24 @@ ENTRY(\sym)
14555 subq $15*8, %rsp
14556 call save_paranoid
14557 TRACE_IRQS_OFF
14558 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14559 + testb $3, CS(%rsp)
14560 + jnz 1f
14561 + pax_enter_kernel
14562 + jmp 2f
14563 +1: pax_enter_kernel_user
14564 +2:
14565 +#else
14566 + pax_enter_kernel
14567 +#endif
14568 movq %rsp,%rdi /* pt_regs pointer */
14569 xorl %esi,%esi /* no error code */
14570 - PER_CPU(init_tss, %rbp)
14571 +#ifdef CONFIG_SMP
14572 + imul $TSS_size, PER_CPU_VAR(cpu_number), %ebp
14573 + lea init_tss(%rbp), %rbp
14574 +#else
14575 + lea init_tss(%rip), %rbp
14576 +#endif
14577 subq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%rbp)
14578 call \do_sym
14579 addq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%rbp)
14580 @@ -1085,6 +1403,16 @@ ENTRY(\sym)
14581 CFI_ADJUST_CFA_OFFSET 15*8
14582 call error_entry
14583 DEFAULT_FRAME 0
14584 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14585 + testb $3, CS(%rsp)
14586 + jnz 1f
14587 + pax_enter_kernel
14588 + jmp 2f
14589 +1: pax_enter_kernel_user
14590 +2:
14591 +#else
14592 + pax_enter_kernel
14593 +#endif
14594 movq %rsp,%rdi /* pt_regs pointer */
14595 movq ORIG_RAX(%rsp),%rsi /* get error code */
14596 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
14597 @@ -1104,6 +1432,16 @@ ENTRY(\sym)
14598 call save_paranoid
14599 DEFAULT_FRAME 0
14600 TRACE_IRQS_OFF
14601 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14602 + testb $3, CS(%rsp)
14603 + jnz 1f
14604 + pax_enter_kernel
14605 + jmp 2f
14606 +1: pax_enter_kernel_user
14607 +2:
14608 +#else
14609 + pax_enter_kernel
14610 +#endif
14611 movq %rsp,%rdi /* pt_regs pointer */
14612 movq ORIG_RAX(%rsp),%rsi /* get error code */
14613 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
14614 @@ -1405,16 +1743,31 @@ ENTRY(paranoid_exit)
14615 TRACE_IRQS_OFF
14616 testl %ebx,%ebx /* swapgs needed? */
14617 jnz paranoid_restore
14618 - testl $3,CS(%rsp)
14619 + testb $3,CS(%rsp)
14620 jnz paranoid_userspace
14621 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14622 + pax_exit_kernel
14623 + TRACE_IRQS_IRETQ 0
14624 + SWAPGS_UNSAFE_STACK
14625 + RESTORE_ALL 8
14626 + pax_force_retaddr
14627 + jmp irq_return
14628 +#endif
14629 paranoid_swapgs:
14630 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14631 + pax_exit_kernel_user
14632 +#else
14633 + pax_exit_kernel
14634 +#endif
14635 TRACE_IRQS_IRETQ 0
14636 SWAPGS_UNSAFE_STACK
14637 RESTORE_ALL 8
14638 jmp irq_return
14639 paranoid_restore:
14640 + pax_exit_kernel
14641 TRACE_IRQS_IRETQ 0
14642 RESTORE_ALL 8
14643 + pax_force_retaddr
14644 jmp irq_return
14645 paranoid_userspace:
14646 GET_THREAD_INFO(%rcx)
14647 @@ -1470,7 +1823,7 @@ ENTRY(error_entry)
14648 movq_cfi r14, R14+8
14649 movq_cfi r15, R15+8
14650 xorl %ebx,%ebx
14651 - testl $3,CS+8(%rsp)
14652 + testb $3,CS+8(%rsp)
14653 je error_kernelspace
14654 error_swapgs:
14655 SWAPGS
14656 @@ -1529,6 +1882,16 @@ ENTRY(nmi)
14657 CFI_ADJUST_CFA_OFFSET 15*8
14658 call save_paranoid
14659 DEFAULT_FRAME 0
14660 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14661 + testb $3, CS(%rsp)
14662 + jnz 1f
14663 + pax_enter_kernel
14664 + jmp 2f
14665 +1: pax_enter_kernel_user
14666 +2:
14667 +#else
14668 + pax_enter_kernel
14669 +#endif
14670 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
14671 movq %rsp,%rdi
14672 movq $-1,%rsi
14673 @@ -1539,12 +1902,28 @@ ENTRY(nmi)
14674 DISABLE_INTERRUPTS(CLBR_NONE)
14675 testl %ebx,%ebx /* swapgs needed? */
14676 jnz nmi_restore
14677 - testl $3,CS(%rsp)
14678 + testb $3,CS(%rsp)
14679 jnz nmi_userspace
14680 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14681 + pax_exit_kernel
14682 + SWAPGS_UNSAFE_STACK
14683 + RESTORE_ALL 8
14684 + pax_force_retaddr
14685 + jmp irq_return
14686 +#endif
14687 nmi_swapgs:
14688 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14689 + pax_exit_kernel_user
14690 +#else
14691 + pax_exit_kernel
14692 +#endif
14693 SWAPGS_UNSAFE_STACK
14694 + RESTORE_ALL 8
14695 + jmp irq_return
14696 nmi_restore:
14697 + pax_exit_kernel
14698 RESTORE_ALL 8
14699 + pax_force_retaddr
14700 jmp irq_return
14701 nmi_userspace:
14702 GET_THREAD_INFO(%rcx)
14703 diff -urNp linux-2.6.32.46/arch/x86/kernel/ftrace.c linux-2.6.32.46/arch/x86/kernel/ftrace.c
14704 --- linux-2.6.32.46/arch/x86/kernel/ftrace.c 2011-03-27 14:31:47.000000000 -0400
14705 +++ linux-2.6.32.46/arch/x86/kernel/ftrace.c 2011-05-04 17:56:20.000000000 -0400
14706 @@ -103,7 +103,7 @@ static void *mod_code_ip; /* holds the
14707 static void *mod_code_newcode; /* holds the text to write to the IP */
14708
14709 static unsigned nmi_wait_count;
14710 -static atomic_t nmi_update_count = ATOMIC_INIT(0);
14711 +static atomic_unchecked_t nmi_update_count = ATOMIC_INIT(0);
14712
14713 int ftrace_arch_read_dyn_info(char *buf, int size)
14714 {
14715 @@ -111,7 +111,7 @@ int ftrace_arch_read_dyn_info(char *buf,
14716
14717 r = snprintf(buf, size, "%u %u",
14718 nmi_wait_count,
14719 - atomic_read(&nmi_update_count));
14720 + atomic_read_unchecked(&nmi_update_count));
14721 return r;
14722 }
14723
14724 @@ -149,8 +149,10 @@ void ftrace_nmi_enter(void)
14725 {
14726 if (atomic_inc_return(&nmi_running) & MOD_CODE_WRITE_FLAG) {
14727 smp_rmb();
14728 + pax_open_kernel();
14729 ftrace_mod_code();
14730 - atomic_inc(&nmi_update_count);
14731 + pax_close_kernel();
14732 + atomic_inc_unchecked(&nmi_update_count);
14733 }
14734 /* Must have previous changes seen before executions */
14735 smp_mb();
14736 @@ -215,7 +217,7 @@ do_ftrace_mod_code(unsigned long ip, voi
14737
14738
14739
14740 -static unsigned char ftrace_nop[MCOUNT_INSN_SIZE];
14741 +static unsigned char ftrace_nop[MCOUNT_INSN_SIZE] __read_only;
14742
14743 static unsigned char *ftrace_nop_replace(void)
14744 {
14745 @@ -228,6 +230,8 @@ ftrace_modify_code(unsigned long ip, uns
14746 {
14747 unsigned char replaced[MCOUNT_INSN_SIZE];
14748
14749 + ip = ktla_ktva(ip);
14750 +
14751 /*
14752 * Note: Due to modules and __init, code can
14753 * disappear and change, we need to protect against faulting
14754 @@ -284,7 +288,7 @@ int ftrace_update_ftrace_func(ftrace_fun
14755 unsigned char old[MCOUNT_INSN_SIZE], *new;
14756 int ret;
14757
14758 - memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
14759 + memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
14760 new = ftrace_call_replace(ip, (unsigned long)func);
14761 ret = ftrace_modify_code(ip, old, new);
14762
14763 @@ -337,15 +341,15 @@ int __init ftrace_dyn_arch_init(void *da
14764 switch (faulted) {
14765 case 0:
14766 pr_info("ftrace: converting mcount calls to 0f 1f 44 00 00\n");
14767 - memcpy(ftrace_nop, ftrace_test_p6nop, MCOUNT_INSN_SIZE);
14768 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_p6nop), MCOUNT_INSN_SIZE);
14769 break;
14770 case 1:
14771 pr_info("ftrace: converting mcount calls to 66 66 66 66 90\n");
14772 - memcpy(ftrace_nop, ftrace_test_nop5, MCOUNT_INSN_SIZE);
14773 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_nop5), MCOUNT_INSN_SIZE);
14774 break;
14775 case 2:
14776 pr_info("ftrace: converting mcount calls to jmp . + 5\n");
14777 - memcpy(ftrace_nop, ftrace_test_jmp, MCOUNT_INSN_SIZE);
14778 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_jmp), MCOUNT_INSN_SIZE);
14779 break;
14780 }
14781
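Review bot: ftrace_nop is marked `__read_only` in an earlier hunk of this file, yet the three `memcpy(ftrace_nop, ...)` calls in ftrace_dyn_arch_init still write to it directly. ftrace_nmi_enter in the same patch brackets its code modification with pax_open_kernel()/pax_close_kernel(), and nothing in this hunk shows whether `__read_only` data is already write-protected when this __init function runs. If it is, the copies need the same bracket. If it is not, a comment such as `/* runs before read-only data is protected */` would record why a plain memcpy is safe. The function starts and ends outside the hunk.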
14782 @@ -366,6 +370,8 @@ static int ftrace_mod_jmp(unsigned long
14783 {
14784 unsigned char code[MCOUNT_INSN_SIZE];
14785
14786 + ip = ktla_ktva(ip);
14787 +
14788 if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
14789 return -EFAULT;
14790
14791 diff -urNp linux-2.6.32.46/arch/x86/kernel/head32.c linux-2.6.32.46/arch/x86/kernel/head32.c
14792 --- linux-2.6.32.46/arch/x86/kernel/head32.c 2011-03-27 14:31:47.000000000 -0400
14793 +++ linux-2.6.32.46/arch/x86/kernel/head32.c 2011-04-17 15:56:46.000000000 -0400
14794 @@ -16,6 +16,7 @@
14795 #include <asm/apic.h>
14796 #include <asm/io_apic.h>
14797 #include <asm/bios_ebda.h>
14798 +#include <asm/boot.h>
14799
14800 static void __init i386_default_early_setup(void)
14801 {
14802 @@ -31,7 +32,7 @@ void __init i386_start_kernel(void)
14803 {
14804 reserve_trampoline_memory();
14805
14806 - reserve_early(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS");
14807 + reserve_early(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS");
14808
14809 #ifdef CONFIG_BLK_DEV_INITRD
14810 /* Reserve INITRD */
14811 diff -urNp linux-2.6.32.46/arch/x86/kernel/head_32.S linux-2.6.32.46/arch/x86/kernel/head_32.S
14812 --- linux-2.6.32.46/arch/x86/kernel/head_32.S 2011-03-27 14:31:47.000000000 -0400
14813 +++ linux-2.6.32.46/arch/x86/kernel/head_32.S 2011-07-06 19:53:33.000000000 -0400
14814 @@ -19,10 +19,17 @@
14815 #include <asm/setup.h>
14816 #include <asm/processor-flags.h>
14817 #include <asm/percpu.h>
14818 +#include <asm/msr-index.h>
14819
14820 /* Physical address */
14821 #define pa(X) ((X) - __PAGE_OFFSET)
14822
14823 +#ifdef CONFIG_PAX_KERNEXEC
14824 +#define ta(X) (X)
14825 +#else
14826 +#define ta(X) ((X) - __PAGE_OFFSET)
14827 +#endif
14828 +
14829 /*
14830 * References to members of the new_cpu_data structure.
14831 */
14832 @@ -52,11 +59,7 @@
14833 * and small than max_low_pfn, otherwise will waste some page table entries
14834 */
14835
14836 -#if PTRS_PER_PMD > 1
14837 -#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
14838 -#else
14839 -#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
14840 -#endif
14841 +#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
14842
14843 /* Enough space to fit pagetables for the low memory linear map */
14844 MAPPING_BEYOND_END = \
14845 @@ -73,6 +76,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P
14846 RESERVE_BRK(pagetables, INIT_MAP_SIZE)
14847
14848 /*
14849 + * Real beginning of normal "text" segment
14850 + */
14851 +ENTRY(stext)
14852 +ENTRY(_stext)
14853 +
14854 +/*
14855 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
14856 * %esi points to the real-mode code as a 32-bit pointer.
14857 * CS and DS must be 4 GB flat segments, but we don't depend on
14858 @@ -80,7 +89,16 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
14859 * can.
14860 */
14861 __HEAD
14862 +
14863 +#ifdef CONFIG_PAX_KERNEXEC
14864 + jmp startup_32
14865 +/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
14866 +.fill PAGE_SIZE-5,1,0xcc
14867 +#endif
14868 +
14869 ENTRY(startup_32)
14870 + movl pa(stack_start),%ecx
14871 +
14872 /* test KEEP_SEGMENTS flag to see if the bootloader is asking
14873 us to not reload segments */
14874 testb $(1<<6), BP_loadflags(%esi)
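Review bot: The `5` in `.fill PAGE_SIZE-5,1,0xcc` is unexplained; it appears to be the length of the `jmp startup_32` in front of it, so that the jump plus the int3 filler occupy exactly one page. That only holds while the assembler emits the five-byte form of the jump. I would say so in the existing PaX comment, for example `5 = size of the jmp above; startup_32 must start on the next page`.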
14875 @@ -95,7 +113,60 @@ ENTRY(startup_32)
14876 movl %eax,%es
14877 movl %eax,%fs
14878 movl %eax,%gs
14879 + movl %eax,%ss
14880 2:
14881 + leal -__PAGE_OFFSET(%ecx),%esp
14882 +
14883 +#ifdef CONFIG_SMP
14884 + movl $pa(cpu_gdt_table),%edi
14885 + movl $__per_cpu_load,%eax
14886 + movw %ax,__KERNEL_PERCPU + 2(%edi)
14887 + rorl $16,%eax
14888 + movb %al,__KERNEL_PERCPU + 4(%edi)
14889 + movb %ah,__KERNEL_PERCPU + 7(%edi)
14890 + movl $__per_cpu_end - 1,%eax
14891 + subl $__per_cpu_start,%eax
14892 + movw %ax,__KERNEL_PERCPU + 0(%edi)
14893 +#endif
14894 +
14895 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14896 + movl $NR_CPUS,%ecx
14897 + movl $pa(cpu_gdt_table),%edi
14898 +1:
14899 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
14900 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0fb00),GDT_ENTRY_DEFAULT_USER_CS * 8 + 4(%edi)
14901 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0f300),GDT_ENTRY_DEFAULT_USER_DS * 8 + 4(%edi)
14902 + addl $PAGE_SIZE_asm,%edi
14903 + loop 1b
14904 +#endif
14905 +
14906 +#ifdef CONFIG_PAX_KERNEXEC
14907 + movl $pa(boot_gdt),%edi
14908 + movl $__LOAD_PHYSICAL_ADDR,%eax
14909 + movw %ax,__BOOT_CS + 2(%edi)
14910 + rorl $16,%eax
14911 + movb %al,__BOOT_CS + 4(%edi)
14912 + movb %ah,__BOOT_CS + 7(%edi)
14913 + rorl $16,%eax
14914 +
14915 + ljmp $(__BOOT_CS),$1f
14916 +1:
14917 +
14918 + movl $NR_CPUS,%ecx
14919 + movl $pa(cpu_gdt_table),%edi
14920 + addl $__PAGE_OFFSET,%eax
14921 +1:
14922 + movw %ax,__KERNEL_CS + 2(%edi)
14923 + movw %ax,__KERNEXEC_KERNEL_CS + 2(%edi)
14924 + rorl $16,%eax
14925 + movb %al,__KERNEL_CS + 4(%edi)
14926 + movb %al,__KERNEXEC_KERNEL_CS + 4(%edi)
14927 + movb %ah,__KERNEL_CS + 7(%edi)
14928 + movb %ah,__KERNEXEC_KERNEL_CS + 7(%edi)
14929 + rorl $16,%eax
14930 + addl $PAGE_SIZE_asm,%edi
14931 + loop 1b
14932 +#endif
14933
14934 /*
14935 * Clear BSS first so that there are no surprises...
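Review bot: The three descriptor words written in the CONFIG_PAX_MEMORY_UDEREF loop (`0x00c09700`, `0x00c0fb00`, `0x00c0f300`, each OR-ed with bits taken from `__PAGE_OFFSET-1`) are bare hex with no comment. They overwrite the upper half of the KERNEL_DS, DEFAULT_USER_CS and DEFAULT_USER_DS entries in every one of the NR_CPUS GDT pages, so a reader has to decode access byte, flags and limit bits by hand to see what protection the segments end up with. I would put a comment above the loop naming the fields each constant sets and stating that the limit bits are derived from `__PAGE_OFFSET-1`. The byte-wise base patching of `__BOOT_CS`, `__KERNEL_CS` and `__KERNEXEC_KERNEL_CS` in the KERNEXEC block below deserves the same, including the assumption that consecutive per-CPU GDTs are `PAGE_SIZE_asm` apart.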
14936 @@ -140,9 +211,7 @@ ENTRY(startup_32)
14937 cmpl $num_subarch_entries, %eax
14938 jae bad_subarch
14939
14940 - movl pa(subarch_entries)(,%eax,4), %eax
14941 - subl $__PAGE_OFFSET, %eax
14942 - jmp *%eax
14943 + jmp *pa(subarch_entries)(,%eax,4)
14944
14945 bad_subarch:
14946 WEAK(lguest_entry)
14947 @@ -154,10 +223,10 @@ WEAK(xen_entry)
14948 __INITDATA
14949
14950 subarch_entries:
14951 - .long default_entry /* normal x86/PC */
14952 - .long lguest_entry /* lguest hypervisor */
14953 - .long xen_entry /* Xen hypervisor */
14954 - .long default_entry /* Moorestown MID */
14955 + .long ta(default_entry) /* normal x86/PC */
14956 + .long ta(lguest_entry) /* lguest hypervisor */
14957 + .long ta(xen_entry) /* Xen hypervisor */
14958 + .long ta(default_entry) /* Moorestown MID */
14959 num_subarch_entries = (. - subarch_entries) / 4
14960 .previous
14961 #endif /* CONFIG_PARAVIRT */
14962 @@ -218,8 +287,11 @@ default_entry:
14963 movl %eax, pa(max_pfn_mapped)
14964
14965 /* Do early initialization of the fixmap area */
14966 - movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
14967 - movl %eax,pa(swapper_pg_pmd+0x1000*KPMDS-8)
14968 +#ifdef CONFIG_COMPAT_VDSO
14969 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_pmd+0x1000*KPMDS-8)
14970 +#else
14971 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_pmd+0x1000*KPMDS-8)
14972 +#endif
14973 #else /* Not PAE */
14974
14975 page_pde_offset = (__PAGE_OFFSET >> 20);
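Review bot: Under CONFIG_COMPAT_VDSO the fixmap page-directory entry is now created with `_PAGE_USER`, and nothing next to the store says why user access is wanted on that entry. The comment above it still reads only `Do early initialization of the fixmap area`. I would extend it with the reason and the scope, for example `COMPAT_VDSO: fixmap PDE carries _PAGE_USER; without COMPAT_VDSO it stays supervisor-only`. The non-PAE branch in the next hunk makes the same change to `swapper_pg_dir+0xffc` and needs the same comment.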
14976 @@ -249,8 +321,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
14977 movl %eax, pa(max_pfn_mapped)
14978
14979 /* Do early initialization of the fixmap area */
14980 - movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
14981 - movl %eax,pa(swapper_pg_dir+0xffc)
14982 +#ifdef CONFIG_COMPAT_VDSO
14983 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_dir+0xffc)
14984 +#else
14985 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_dir+0xffc)
14986 +#endif
14987 #endif
14988 jmp 3f
14989 /*
14990 @@ -272,6 +347,9 @@ ENTRY(startup_32_smp)
14991 movl %eax,%es
14992 movl %eax,%fs
14993 movl %eax,%gs
14994 + movl pa(stack_start),%ecx
14995 + movl %eax,%ss
14996 + leal -__PAGE_OFFSET(%ecx),%esp
14997 #endif /* CONFIG_SMP */
14998 3:
14999
15000 @@ -297,6 +375,7 @@ ENTRY(startup_32_smp)
15001 orl %edx,%eax
15002 movl %eax,%cr4
15003
15004 +#ifdef CONFIG_X86_PAE
15005 btl $5, %eax # check if PAE is enabled
15006 jnc 6f
15007
15008 @@ -305,6 +384,10 @@ ENTRY(startup_32_smp)
15009 cpuid
15010 cmpl $0x80000000, %eax
15011 jbe 6f
15012 +
15013 + /* Clear bogus XD_DISABLE bits */
15014 + call verify_cpu
15015 +
15016 mov $0x80000001, %eax
15017 cpuid
15018 /* Execute Disable bit supported? */
15019 @@ -312,13 +395,17 @@ ENTRY(startup_32_smp)
15020 jnc 6f
15021
15022 /* Setup EFER (Extended Feature Enable Register) */
15023 - movl $0xc0000080, %ecx
15024 + movl $MSR_EFER, %ecx
15025 rdmsr
15026
15027 btsl $11, %eax
15028 /* Make changes effective */
15029 wrmsr
15030
15031 + btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
15032 + movl $1,pa(nx_enabled)
15033 +#endif
15034 +
15035 6:
15036
15037 /*
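Review bot: The EFER setup replaces the raw MSR number with `MSR_EFER` but leaves `btsl $11, %eax` as a bare bit index. The head_64.S part of this patch already uses the symbolic name for the same bit, so `btsl $_EFER_NX, %eax` would be consistent here and make it obvious that this is the bit paired with the new `_PAGE_BIT_NX` update of `__supported_pte_mask`. The surrounding startup_32_smp code continues outside the hunk.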
15038 @@ -331,8 +418,8 @@ ENTRY(startup_32_smp)
15039 movl %eax,%cr0 /* ..and set paging (PG) bit */
15040 ljmp $__BOOT_CS,$1f /* Clear prefetch and normalize %eip */
15041 1:
15042 - /* Set up the stack pointer */
15043 - lss stack_start,%esp
15044 + /* Shift the stack pointer to a virtual address */
15045 + addl $__PAGE_OFFSET, %esp
15046
15047 /*
15048 * Initialize eflags. Some BIOS's leave bits like NT set. This would
15049 @@ -344,9 +431,7 @@ ENTRY(startup_32_smp)
15050
15051 #ifdef CONFIG_SMP
15052 cmpb $0, ready
15053 - jz 1f /* Initial CPU cleans BSS */
15054 - jmp checkCPUtype
15055 -1:
15056 + jnz checkCPUtype
15057 #endif /* CONFIG_SMP */
15058
15059 /*
15060 @@ -424,7 +509,7 @@ is386: movl $2,%ecx # set MP
15061 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
15062 movl %eax,%ss # after changing gdt.
15063
15064 - movl $(__USER_DS),%eax # DS/ES contains default USER segment
15065 +# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
15066 movl %eax,%ds
15067 movl %eax,%es
15068
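Review bot: The replacement for `movl $(__USER_DS),%eax` is a commented-out `movl $(__KERNEL_DS),%eax`, so the `movl %eax,%ds` and `movl %eax,%es` that follow now depend on %eax still holding the value loaded for %ss two lines earlier. That dependency should be stated rather than implied by dead code, e.g. `/* %eax still holds __KERNEL_DS from the %ss reload: DS/ES use the kernel segment */`. A line that starts with `#` in a preprocessed .S file is also easy to misread as a directive, so a C-style comment is the safer form here.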
15069 @@ -438,15 +523,22 @@ is386: movl $2,%ecx # set MP
15070 */
15071 cmpb $0,ready
15072 jne 1f
15073 - movl $per_cpu__gdt_page,%eax
15074 + movl $cpu_gdt_table,%eax
15075 movl $per_cpu__stack_canary,%ecx
15076 +#ifdef CONFIG_SMP
15077 + addl $__per_cpu_load,%ecx
15078 +#endif
15079 movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
15080 shrl $16, %ecx
15081 movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
15082 movb %ch, 8 * GDT_ENTRY_STACK_CANARY + 7(%eax)
15083 1:
15084 -#endif
15085 movl $(__KERNEL_STACK_CANARY),%eax
15086 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
15087 + movl $(__USER_DS),%eax
15088 +#else
15089 + xorl %eax,%eax
15090 +#endif
15091 movl %eax,%gs
15092
15093 xorl %eax,%eax # Clear LDT
15094 @@ -454,14 +546,7 @@ is386: movl $2,%ecx # set MP
15095
15096 cld # gcc2 wants the direction flag cleared at all times
15097 pushl $0 # fake return address for unwinder
15098 -#ifdef CONFIG_SMP
15099 - movb ready, %cl
15100 movb $1, ready
15101 - cmpb $0,%cl # the first CPU calls start_kernel
15102 - je 1f
15103 - movl (stack_start), %esp
15104 -1:
15105 -#endif /* CONFIG_SMP */
15106 jmp *(initial_code)
15107
15108 /*
15109 @@ -546,22 +631,22 @@ early_page_fault:
15110 jmp early_fault
15111
15112 early_fault:
15113 - cld
15114 #ifdef CONFIG_PRINTK
15115 + cmpl $1,%ss:early_recursion_flag
15116 + je hlt_loop
15117 + incl %ss:early_recursion_flag
15118 + cld
15119 pusha
15120 movl $(__KERNEL_DS),%eax
15121 movl %eax,%ds
15122 movl %eax,%es
15123 - cmpl $2,early_recursion_flag
15124 - je hlt_loop
15125 - incl early_recursion_flag
15126 movl %cr2,%eax
15127 pushl %eax
15128 pushl %edx /* trapno */
15129 pushl $fault_msg
15130 call printk
15131 +; call dump_stack
15132 #endif
15133 - call dump_stack
15134 hlt_loop:
15135 hlt
15136 jmp hlt_loop
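Review bot: The added line `; call dump_stack` in early_fault reads as if the call were commented out, but in GNU as for x86 `;` is a statement separator rather than a comment character, so the call is most likely still assembled, now only under CONFIG_PRINTK. If the intent is to drop the call, delete the line or use `# call dump_stack`; if the intent is just to move it inside the `#ifdef`, write it as plain `call dump_stack`. Separately, early_fault now halts when the flag equals 1 while ignore_int still compares against 2, and a one-line comment on why the thresholds differ would help.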
15137 @@ -569,8 +654,11 @@ hlt_loop:
15138 /* This is the default interrupt "handler" :-) */
15139 ALIGN
15140 ignore_int:
15141 - cld
15142 #ifdef CONFIG_PRINTK
15143 + cmpl $2,%ss:early_recursion_flag
15144 + je hlt_loop
15145 + incl %ss:early_recursion_flag
15146 + cld
15147 pushl %eax
15148 pushl %ecx
15149 pushl %edx
15150 @@ -579,9 +667,6 @@ ignore_int:
15151 movl $(__KERNEL_DS),%eax
15152 movl %eax,%ds
15153 movl %eax,%es
15154 - cmpl $2,early_recursion_flag
15155 - je hlt_loop
15156 - incl early_recursion_flag
15157 pushl 16(%esp)
15158 pushl 24(%esp)
15159 pushl 32(%esp)
15160 @@ -600,6 +685,8 @@ ignore_int:
15161 #endif
15162 iret
15163
15164 +#include "verify_cpu.S"
15165 +
15166 __REFDATA
15167 .align 4
15168 ENTRY(initial_code)
15169 @@ -610,31 +697,47 @@ ENTRY(initial_page_table)
15170 /*
15171 * BSS section
15172 */
15173 -__PAGE_ALIGNED_BSS
15174 - .align PAGE_SIZE_asm
15175 #ifdef CONFIG_X86_PAE
15176 +.section .swapper_pg_pmd,"a",@progbits
15177 swapper_pg_pmd:
15178 .fill 1024*KPMDS,4,0
15179 #else
15180 +.section .swapper_pg_dir,"a",@progbits
15181 ENTRY(swapper_pg_dir)
15182 .fill 1024,4,0
15183 #endif
15184 +.section .swapper_pg_fixmap,"a",@progbits
15185 swapper_pg_fixmap:
15186 .fill 1024,4,0
15187 #ifdef CONFIG_X86_TRAMPOLINE
15188 +.section .trampoline_pg_dir,"a",@progbits
15189 ENTRY(trampoline_pg_dir)
15190 +#ifdef CONFIG_X86_PAE
15191 + .fill 4,8,0
15192 +#else
15193 .fill 1024,4,0
15194 #endif
15195 +#endif
15196 +
15197 +.section .empty_zero_page,"a",@progbits
15198 ENTRY(empty_zero_page)
15199 .fill 4096,1,0
15200
15201 /*
15202 + * The IDT has to be page-aligned to simplify the Pentium
15203 + * F0 0F bug workaround.. We have a special link segment
15204 + * for this.
15205 + */
15206 +.section .idt,"a",@progbits
15207 +ENTRY(idt_table)
15208 + .fill 256,8,0
15209 +
15210 +/*
15211 * This starts the data section.
15212 */
15213 #ifdef CONFIG_X86_PAE
15214 -__PAGE_ALIGNED_DATA
15215 - /* Page-aligned for the benefit of paravirt? */
15216 - .align PAGE_SIZE_asm
15217 +.section .swapper_pg_dir,"a",@progbits
15218 +
15219 ENTRY(swapper_pg_dir)
15220 .long pa(swapper_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
15221 # if KPMDS == 3
15222 @@ -653,15 +756,24 @@ ENTRY(swapper_pg_dir)
15223 # error "Kernel PMDs should be 1, 2 or 3"
15224 # endif
15225 .align PAGE_SIZE_asm /* needs to be page-sized too */
15226 +
15227 +#ifdef CONFIG_PAX_PER_CPU_PGD
15228 +ENTRY(cpu_pgd)
15229 + .rept NR_CPUS
15230 + .fill 4,8,0
15231 + .endr
15232 +#endif
15233 +
15234 #endif
15235
15236 .data
15237 +.balign 4
15238 ENTRY(stack_start)
15239 - .long init_thread_union+THREAD_SIZE
15240 - .long __BOOT_DS
15241 + .long init_thread_union+THREAD_SIZE-8
15242
15243 ready: .byte 0
15244
15245 +.section .rodata,"a",@progbits
15246 early_recursion_flag:
15247 .long 0
15248
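Review bot: `early_recursion_flag` is now placed after `.section .rodata,"a",@progbits`, yet both early_fault and ignore_int in this patch modify it with `incl %ss:early_recursion_flag`. If either handler can run once read-only data is actually write-protected (the hunk does not show when that happens), the increment itself would fault inside the fault handler. Either keep the flag in a writable section and start `.rodata` just before the message strings, or add a comment stating why the write is safe for the whole lifetime of these handlers.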
15249 @@ -697,7 +809,7 @@ fault_msg:
15250 .word 0 # 32 bit align gdt_desc.address
15251 boot_gdt_descr:
15252 .word __BOOT_DS+7
15253 - .long boot_gdt - __PAGE_OFFSET
15254 + .long pa(boot_gdt)
15255
15256 .word 0 # 32-bit align idt_desc.address
15257 idt_descr:
15258 @@ -708,7 +820,7 @@ idt_descr:
15259 .word 0 # 32 bit align gdt_desc.address
15260 ENTRY(early_gdt_descr)
15261 .word GDT_ENTRIES*8-1
15262 - .long per_cpu__gdt_page /* Overwritten for secondary CPUs */
15263 + .long cpu_gdt_table /* Overwritten for secondary CPUs */
15264
15265 /*
15266 * The boot_gdt must mirror the equivalent in setup.S and is
15267 @@ -717,5 +829,65 @@ ENTRY(early_gdt_descr)
15268 .align L1_CACHE_BYTES
15269 ENTRY(boot_gdt)
15270 .fill GDT_ENTRY_BOOT_CS,8,0
15271 - .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
15272 - .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
15273 + .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
15274 + .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
15275 +
15276 + .align PAGE_SIZE_asm
15277 +ENTRY(cpu_gdt_table)
15278 + .rept NR_CPUS
15279 + .quad 0x0000000000000000 /* NULL descriptor */
15280 + .quad 0x0000000000000000 /* 0x0b reserved */
15281 + .quad 0x0000000000000000 /* 0x13 reserved */
15282 + .quad 0x0000000000000000 /* 0x1b reserved */
15283 +
15284 +#ifdef CONFIG_PAX_KERNEXEC
15285 + .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */
15286 +#else
15287 + .quad 0x0000000000000000 /* 0x20 unused */
15288 +#endif
15289 +
15290 + .quad 0x0000000000000000 /* 0x28 unused */
15291 + .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
15292 + .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
15293 + .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
15294 + .quad 0x0000000000000000 /* 0x4b reserved */
15295 + .quad 0x0000000000000000 /* 0x53 reserved */
15296 + .quad 0x0000000000000000 /* 0x5b reserved */
15297 +
15298 + .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
15299 + .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
15300 + .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
15301 + .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
15302 +
15303 + .quad 0x0000000000000000 /* 0x80 TSS descriptor */
15304 + .quad 0x0000000000000000 /* 0x88 LDT descriptor */
15305 +
15306 + /*
15307 + * Segments used for calling PnP BIOS have byte granularity.
15308 + * The code segments and data segments have fixed 64k limits,
15309 + * the transfer segment sizes are set at run time.
15310 + */
15311 + .quad 0x00409b000000ffff /* 0x90 32-bit code */
15312 + .quad 0x00009b000000ffff /* 0x98 16-bit code */
15313 + .quad 0x000093000000ffff /* 0xa0 16-bit data */
15314 + .quad 0x0000930000000000 /* 0xa8 16-bit data */
15315 + .quad 0x0000930000000000 /* 0xb0 16-bit data */
15316 +
15317 + /*
15318 + * The APM segments have byte granularity and their bases
15319 + * are set at run time. All have 64k limits.
15320 + */
15321 + .quad 0x00409b000000ffff /* 0xb8 APM CS code */
15322 + .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
15323 + .quad 0x004093000000ffff /* 0xc8 APM DS data */
15324 +
15325 + .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
15326 + .quad 0x0040930000000000 /* 0xd8 - PERCPU */
15327 + .quad 0x0040910000000017 /* 0xe0 - STACK_CANARY */
15328 + .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
15329 + .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
15330 + .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
15331 +
15332 + /* Be sure this is zeroed to avoid false validations in Xen */
15333 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0
15334 + .endr
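Review bot: Every populated descriptor here uses type bytes such as `0x9b`/`0x93` where the lines being replaced in boot_gdt had `0x9a`/`0x92`, i.e. the Accessed bit is preset, and there is no comment saying so. That is presumably deliberate, so that the CPU never has to write the bit back into a table that may be mapped read-only, and it is worth recording with something like `/* Accessed bit preset in all descriptors: the GDT must never need a CPU write-back */`. The trailing `.fill PAGE_SIZE_asm - GDT_SIZE,1,0` also assumes the `.quad` lines above add up to exactly GDT_SIZE bytes; the 64-bit table carries a "GDT_ENTRIES must match this" reminder and this one should too.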
15335 diff -urNp linux-2.6.32.46/arch/x86/kernel/head_64.S linux-2.6.32.46/arch/x86/kernel/head_64.S
15336 --- linux-2.6.32.46/arch/x86/kernel/head_64.S 2011-03-27 14:31:47.000000000 -0400
15337 +++ linux-2.6.32.46/arch/x86/kernel/head_64.S 2011-04-17 15:56:46.000000000 -0400
15338 @@ -19,6 +19,7 @@
15339 #include <asm/cache.h>
15340 #include <asm/processor-flags.h>
15341 #include <asm/percpu.h>
15342 +#include <asm/cpufeature.h>
15343
15344 #ifdef CONFIG_PARAVIRT
15345 #include <asm/asm-offsets.h>
15346 @@ -38,6 +39,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
15347 L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
15348 L4_START_KERNEL = pgd_index(__START_KERNEL_map)
15349 L3_START_KERNEL = pud_index(__START_KERNEL_map)
15350 +L4_VMALLOC_START = pgd_index(VMALLOC_START)
15351 +L3_VMALLOC_START = pud_index(VMALLOC_START)
15352 +L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
15353 +L3_VMEMMAP_START = pud_index(VMEMMAP_START)
15354
15355 .text
15356 __HEAD
15357 @@ -85,35 +90,22 @@ startup_64:
15358 */
15359 addq %rbp, init_level4_pgt + 0(%rip)
15360 addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
15361 + addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
15362 + addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
15363 addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
15364
15365 addq %rbp, level3_ident_pgt + 0(%rip)
15366 +#ifndef CONFIG_XEN
15367 + addq %rbp, level3_ident_pgt + 8(%rip)
15368 +#endif
15369
15370 - addq %rbp, level3_kernel_pgt + (510*8)(%rip)
15371 - addq %rbp, level3_kernel_pgt + (511*8)(%rip)
15372 + addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
15373
15374 - addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
15375 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
15376 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
15377
15378 - /* Add an Identity mapping if I am above 1G */
15379 - leaq _text(%rip), %rdi
15380 - andq $PMD_PAGE_MASK, %rdi
15381 -
15382 - movq %rdi, %rax
15383 - shrq $PUD_SHIFT, %rax
15384 - andq $(PTRS_PER_PUD - 1), %rax
15385 - jz ident_complete
15386 -
15387 - leaq (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
15388 - leaq level3_ident_pgt(%rip), %rbx
15389 - movq %rdx, 0(%rbx, %rax, 8)
15390 -
15391 - movq %rdi, %rax
15392 - shrq $PMD_SHIFT, %rax
15393 - andq $(PTRS_PER_PMD - 1), %rax
15394 - leaq __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx
15395 - leaq level2_spare_pgt(%rip), %rbx
15396 - movq %rdx, 0(%rbx, %rax, 8)
15397 -ident_complete:
15398 + addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
15399 + addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
15400
15401 /*
15402 * Fixup the kernel text+data virtual addresses. Note that
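Review bot: The fixup `addq %rbp, level2_fixmap_pgt + (506*8)(%rip)` is kept, but the reworked `level2_fixmap_pgt` later in this patch begins with `.fill 507,8,0`, so slot 506 is empty and only slot 507 holds a table pointer. Adding the relocation offset to an empty slot leaves a non-zero value there, which is harmless only as long as that offset never has the present bit set. Drop the 506 line, or add a comment saying why it stays. The neighbouring fixups were converted to `L3_*`/`L4_*` symbols while `506`/`507` remain literals, so a named index shared with the table definition would keep the two in step.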
15403 @@ -161,8 +153,8 @@ ENTRY(secondary_startup_64)
15404 * after the boot processor executes this code.
15405 */
15406
15407 - /* Enable PAE mode and PGE */
15408 - movl $(X86_CR4_PAE | X86_CR4_PGE), %eax
15409 + /* Enable PAE mode and PSE/PGE */
15410 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
15411 movq %rax, %cr4
15412
15413 /* Setup early boot stage 4 level pagetables. */
15414 @@ -184,9 +176,13 @@ ENTRY(secondary_startup_64)
15415 movl $MSR_EFER, %ecx
15416 rdmsr
15417 btsl $_EFER_SCE, %eax /* Enable System Call */
15418 - btl $20,%edi /* No Execute supported? */
15419 + btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */
15420 jnc 1f
15421 btsl $_EFER_NX, %eax
15422 + leaq init_level4_pgt(%rip), %rdi
15423 + btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
15424 + btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
15425 + btsq $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
15426 1: wrmsr /* Make changes effective */
15427
15428 /* Setup cr0 */
15429 @@ -262,16 +258,16 @@ ENTRY(secondary_startup_64)
15430 .quad x86_64_start_kernel
15431 ENTRY(initial_gs)
15432 .quad INIT_PER_CPU_VAR(irq_stack_union)
15433 - __FINITDATA
15434
15435 ENTRY(stack_start)
15436 .quad init_thread_union+THREAD_SIZE-8
15437 .word 0
15438 + __FINITDATA
15439
15440 bad_address:
15441 jmp bad_address
15442
15443 - .section ".init.text","ax"
15444 + __INIT
15445 #ifdef CONFIG_EARLY_PRINTK
15446 .globl early_idt_handlers
15447 early_idt_handlers:
15448 @@ -316,18 +312,23 @@ ENTRY(early_idt_handler)
15449 #endif /* EARLY_PRINTK */
15450 1: hlt
15451 jmp 1b
15452 + .previous
15453
15454 #ifdef CONFIG_EARLY_PRINTK
15455 + __INITDATA
15456 early_recursion_flag:
15457 .long 0
15458 + .previous
15459
15460 + .section .rodata,"a",@progbits
15461 early_idt_msg:
15462 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
15463 early_idt_ripmsg:
15464 .asciz "RIP %s\n"
15465 -#endif /* CONFIG_EARLY_PRINTK */
15466 .previous
15467 +#endif /* CONFIG_EARLY_PRINTK */
15468
15469 + .section .rodata,"a",@progbits
15470 #define NEXT_PAGE(name) \
15471 .balign PAGE_SIZE; \
15472 ENTRY(name)
15473 @@ -350,13 +351,36 @@ NEXT_PAGE(init_level4_pgt)
15474 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
15475 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
15476 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
15477 + .org init_level4_pgt + L4_VMALLOC_START*8, 0
15478 + .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
15479 + .org init_level4_pgt + L4_VMEMMAP_START*8, 0
15480 + .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
15481 .org init_level4_pgt + L4_START_KERNEL*8, 0
15482 /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
15483 .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
15484
15485 +#ifdef CONFIG_PAX_PER_CPU_PGD
15486 +NEXT_PAGE(cpu_pgd)
15487 + .rept NR_CPUS
15488 + .fill 512,8,0
15489 + .endr
15490 +#endif
15491 +
15492 NEXT_PAGE(level3_ident_pgt)
15493 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
15494 +#ifdef CONFIG_XEN
15495 .fill 511,8,0
15496 +#else
15497 + .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
15498 + .fill 510,8,0
15499 +#endif
15500 +
15501 +NEXT_PAGE(level3_vmalloc_pgt)
15502 + .fill 512,8,0
15503 +
15504 +NEXT_PAGE(level3_vmemmap_pgt)
15505 + .fill L3_VMEMMAP_START,8,0
15506 + .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
15507
15508 NEXT_PAGE(level3_kernel_pgt)
15509 .fill L3_START_KERNEL,8,0
15510 @@ -364,20 +388,23 @@ NEXT_PAGE(level3_kernel_pgt)
15511 .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
15512 .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
15513
15514 +NEXT_PAGE(level2_vmemmap_pgt)
15515 + .fill 512,8,0
15516 +
15517 NEXT_PAGE(level2_fixmap_pgt)
15518 - .fill 506,8,0
15519 - .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
15520 - /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
15521 - .fill 5,8,0
15522 + .fill 507,8,0
15523 + .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
15524 + /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
15525 + .fill 4,8,0
15526
15527 -NEXT_PAGE(level1_fixmap_pgt)
15528 +NEXT_PAGE(level1_vsyscall_pgt)
15529 .fill 512,8,0
15530
15531 -NEXT_PAGE(level2_ident_pgt)
15532 - /* Since I easily can, map the first 1G.
15533 + /* Since I easily can, map the first 2G.
15534 * Don't set NX because code runs from these pages.
15535 */
15536 - PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
15537 +NEXT_PAGE(level2_ident_pgt)
15538 + PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)
15539
15540 NEXT_PAGE(level2_kernel_pgt)
15541 /*
15542 @@ -390,33 +417,55 @@ NEXT_PAGE(level2_kernel_pgt)
15543 * If you want to increase this then increase MODULES_VADDR
15544 * too.)
15545 */
15546 - PMDS(0, __PAGE_KERNEL_LARGE_EXEC,
15547 - KERNEL_IMAGE_SIZE/PMD_SIZE)
15548 -
15549 -NEXT_PAGE(level2_spare_pgt)
15550 - .fill 512, 8, 0
15551 + PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE)
15552
15553 #undef PMDS
15554 #undef NEXT_PAGE
15555
15556 - .data
15557 + .align PAGE_SIZE
15558 +ENTRY(cpu_gdt_table)
15559 + .rept NR_CPUS
15560 + .quad 0x0000000000000000 /* NULL descriptor */
15561 + .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
15562 + .quad 0x00af9b000000ffff /* __KERNEL_CS */
15563 + .quad 0x00cf93000000ffff /* __KERNEL_DS */
15564 + .quad 0x00cffb000000ffff /* __USER32_CS */
15565 + .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
15566 + .quad 0x00affb000000ffff /* __USER_CS */
15567 +
15568 +#ifdef CONFIG_PAX_KERNEXEC
15569 + .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */
15570 +#else
15571 + .quad 0x0 /* unused */
15572 +#endif
15573 +
15574 + .quad 0,0 /* TSS */
15575 + .quad 0,0 /* LDT */
15576 + .quad 0,0,0 /* three TLS descriptors */
15577 + .quad 0x0000f40000000000 /* node/CPU stored in limit */
15578 + /* asm/segment.h:GDT_ENTRIES must match this */
15579 +
15580 + /* zero the remaining page */
15581 + .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
15582 + .endr
15583 +
15584 .align 16
15585 .globl early_gdt_descr
15586 early_gdt_descr:
15587 .word GDT_ENTRIES*8-1
15588 early_gdt_descr_base:
15589 - .quad INIT_PER_CPU_VAR(gdt_page)
15590 + .quad cpu_gdt_table
15591
15592 ENTRY(phys_base)
15593 /* This must match the first entry in level2_kernel_pgt */
15594 .quad 0x0000000000000000
15595
15596 #include "../../x86/xen/xen-head.S"
15597 -
15598 - .section .bss, "aw", @nobits
15599 +
15600 + .section .rodata,"a",@progbits
15601 .align L1_CACHE_BYTES
15602 ENTRY(idt_table)
15603 - .skip IDT_ENTRIES * 16
15604 + .fill 512,8,0
15605
15606 __PAGE_ALIGNED_BSS
15607 .align PAGE_SIZE
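Review bot: `idt_table` is now sized with `.fill 512,8,0` in place of `.skip IDT_ENTRIES * 16`, which hard-codes the table size and silently stops tracking IDT_ENTRIES. Writing it as `.fill IDT_ENTRIES*2,8,0` keeps the same 8-byte fill while staying tied to the constant. The table also moves from `.bss` to `.rodata` in this hunk, so a short comment on how the entries are written at run time would help; the hunk does not show that path. The 32-bit `idt_table` added in head_32.S uses a literal `256` in the same way.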
15608 diff -urNp linux-2.6.32.46/arch/x86/kernel/i386_ksyms_32.c linux-2.6.32.46/arch/x86/kernel/i386_ksyms_32.c
15609 --- linux-2.6.32.46/arch/x86/kernel/i386_ksyms_32.c 2011-03-27 14:31:47.000000000 -0400
15610 +++ linux-2.6.32.46/arch/x86/kernel/i386_ksyms_32.c 2011-04-17 15:56:46.000000000 -0400
15611 @@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
15612 EXPORT_SYMBOL(cmpxchg8b_emu);
15613 #endif
15614
15615 +EXPORT_SYMBOL_GPL(cpu_gdt_table);
15616 +
15617 /* Networking helper routines. */
15618 EXPORT_SYMBOL(csum_partial_copy_generic);
15619 +EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
15620 +EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
15621
15622 EXPORT_SYMBOL(__get_user_1);
15623 EXPORT_SYMBOL(__get_user_2);
15624 @@ -36,3 +40,7 @@ EXPORT_SYMBOL(strstr);
15625
15626 EXPORT_SYMBOL(csum_partial);
15627 EXPORT_SYMBOL(empty_zero_page);
15628 +
15629 +#ifdef CONFIG_PAX_KERNEXEC
15630 +EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
15631 +#endif
15632 diff -urNp linux-2.6.32.46/arch/x86/kernel/i8259.c linux-2.6.32.46/arch/x86/kernel/i8259.c
15633 --- linux-2.6.32.46/arch/x86/kernel/i8259.c 2011-03-27 14:31:47.000000000 -0400
15634 +++ linux-2.6.32.46/arch/x86/kernel/i8259.c 2011-05-04 17:56:28.000000000 -0400
15635 @@ -208,7 +208,7 @@ spurious_8259A_irq:
15636 "spurious 8259A interrupt: IRQ%d.\n", irq);
15637 spurious_irq_mask |= irqmask;
15638 }
15639 - atomic_inc(&irq_err_count);
15640 + atomic_inc_unchecked(&irq_err_count);
15641 /*
15642 * Theoretically we do not have to handle this IRQ,
15643 * but in Linux this does not cause problems and is
15644 diff -urNp linux-2.6.32.46/arch/x86/kernel/init_task.c linux-2.6.32.46/arch/x86/kernel/init_task.c
15645 --- linux-2.6.32.46/arch/x86/kernel/init_task.c 2011-03-27 14:31:47.000000000 -0400
15646 +++ linux-2.6.32.46/arch/x86/kernel/init_task.c 2011-04-17 15:56:46.000000000 -0400
15647 @@ -20,8 +20,7 @@ static struct sighand_struct init_sighan
15648 * way process stacks are handled. This is done by having a special
15649 * "init_task" linker map entry..
15650 */
15651 -union thread_union init_thread_union __init_task_data =
15652 - { INIT_THREAD_INFO(init_task) };
15653 +union thread_union init_thread_union __init_task_data;
15654
15655 /*
15656 * Initial task structure.
15657 @@ -38,5 +37,5 @@ EXPORT_SYMBOL(init_task);
15658 * section. Since TSS's are completely CPU-local, we want them
15659 * on exact cacheline boundaries, to eliminate cacheline ping-pong.
15660 */
15661 -DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
15662 -
15663 +struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
15664 +EXPORT_SYMBOL(init_tss);
15665 diff -urNp linux-2.6.32.46/arch/x86/kernel/ioport.c linux-2.6.32.46/arch/x86/kernel/ioport.c
15666 --- linux-2.6.32.46/arch/x86/kernel/ioport.c 2011-03-27 14:31:47.000000000 -0400
15667 +++ linux-2.6.32.46/arch/x86/kernel/ioport.c 2011-04-17 15:56:46.000000000 -0400
15668 @@ -6,6 +6,7 @@
15669 #include <linux/sched.h>
15670 #include <linux/kernel.h>
15671 #include <linux/capability.h>
15672 +#include <linux/security.h>
15673 #include <linux/errno.h>
15674 #include <linux/types.h>
15675 #include <linux/ioport.h>
15676 @@ -41,6 +42,12 @@ asmlinkage long sys_ioperm(unsigned long
15677
15678 if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
15679 return -EINVAL;
15680 +#ifdef CONFIG_GRKERNSEC_IO
15681 + if (turn_on && grsec_disable_privio) {
15682 + gr_handle_ioperm();
15683 + return -EPERM;
15684 + }
15685 +#endif
15686 if (turn_on && !capable(CAP_SYS_RAWIO))
15687 return -EPERM;
15688
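Review bot: The `grsec_disable_privio` block in sys_ioperm sits ahead of the `capable(CAP_SYS_RAWIO)` test, so `gr_handle_ioperm()` also runs for callers that lack the capability and would have been refused anyway. If that helper logs, which its name suggests but the hunk does not show, unprivileged processes can then produce audit entries at will. Either move the block below the capability check so only otherwise-permitted requests are recorded, or add a comment such as `/* deny and report before the capability check: every attempt is recorded, privileged or not */`. The do_iopl hunk orders `gr_handle_iopl()` the same way, and sys_ioperm's body continues outside this hunk.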
15689 @@ -67,7 +74,7 @@ asmlinkage long sys_ioperm(unsigned long
15690 * because the ->io_bitmap_max value must match the bitmap
15691 * contents:
15692 */
15693 - tss = &per_cpu(init_tss, get_cpu());
15694 + tss = init_tss + get_cpu();
15695
15696 set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
15697
15698 @@ -111,6 +118,12 @@ static int do_iopl(unsigned int level, s
15699 return -EINVAL;
15700 /* Trying to gain more privileges? */
15701 if (level > old) {
15702 +#ifdef CONFIG_GRKERNSEC_IO
15703 + if (grsec_disable_privio) {
15704 + gr_handle_iopl();
15705 + return -EPERM;
15706 + }
15707 +#endif
15708 if (!capable(CAP_SYS_RAWIO))
15709 return -EPERM;
15710 }
15711 diff -urNp linux-2.6.32.46/arch/x86/kernel/irq_32.c linux-2.6.32.46/arch/x86/kernel/irq_32.c
15712 --- linux-2.6.32.46/arch/x86/kernel/irq_32.c 2011-03-27 14:31:47.000000000 -0400
15713 +++ linux-2.6.32.46/arch/x86/kernel/irq_32.c 2011-07-06 19:53:33.000000000 -0400
15714 @@ -35,7 +35,7 @@ static int check_stack_overflow(void)
15715 __asm__ __volatile__("andl %%esp,%0" :
15716 "=r" (sp) : "0" (THREAD_SIZE - 1));
15717
15718 - return sp < (sizeof(struct thread_info) + STACK_WARN);
15719 + return sp < STACK_WARN;
15720 }
15721
15722 static void print_stack_overflow(void)
15723 @@ -54,9 +54,9 @@ static inline void print_stack_overflow(
15724 * per-CPU IRQ handling contexts (thread information and stack)
15725 */
15726 union irq_ctx {
15727 - struct thread_info tinfo;
15728 - u32 stack[THREAD_SIZE/sizeof(u32)];
15729 -} __attribute__((aligned(PAGE_SIZE)));
15730 + unsigned long previous_esp;
15731 + u32 stack[THREAD_SIZE/sizeof(u32)];
15732 +} __attribute__((aligned(THREAD_SIZE)));
15733
15734 static DEFINE_PER_CPU(union irq_ctx *, hardirq_ctx);
15735 static DEFINE_PER_CPU(union irq_ctx *, softirq_ctx);
15736 @@ -78,10 +78,9 @@ static void call_on_stack(void *func, vo
15737 static inline int
15738 execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
15739 {
15740 - union irq_ctx *curctx, *irqctx;
15741 + union irq_ctx *irqctx;
15742 u32 *isp, arg1, arg2;
15743
15744 - curctx = (union irq_ctx *) current_thread_info();
15745 irqctx = __get_cpu_var(hardirq_ctx);
15746
15747 /*
15748 @@ -90,21 +89,16 @@ execute_on_irq_stack(int overflow, struc
15749 * handler) we can't do that and just have to keep using the
15750 * current stack (which is the irq stack already after all)
15751 */
15752 - if (unlikely(curctx == irqctx))
15753 + if (unlikely((void *)current_stack_pointer - (void *)irqctx < THREAD_SIZE))
15754 return 0;
15755
15756 /* build the stack frame on the IRQ stack */
15757 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
15758 - irqctx->tinfo.task = curctx->tinfo.task;
15759 - irqctx->tinfo.previous_esp = current_stack_pointer;
15760 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
15761 + irqctx->previous_esp = current_stack_pointer;
15762
15763 - /*
15764 - * Copy the softirq bits in preempt_count so that the
15765 - * softirq checks work in the hardirq context.
15766 - */
15767 - irqctx->tinfo.preempt_count =
15768 - (irqctx->tinfo.preempt_count & ~SOFTIRQ_MASK) |
15769 - (curctx->tinfo.preempt_count & SOFTIRQ_MASK);
15770 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15771 + __set_fs(MAKE_MM_SEG(0));
15772 +#endif
15773
15774 if (unlikely(overflow))
15775 call_on_stack(print_stack_overflow, isp);
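Review bot: The new "already on the IRQ stack" test subtracts two `void *` values, which yields a signed difference (and relies on the GNU extension for `void *` arithmetic), so a stack pointer below `irqctx` is only rejected if `THREAD_SIZE` happens to be an unsigned type that forces the conversion. Making the unsigned range check explicit removes that dependency: `if (unlikely((unsigned long)current_stack_pointer - (unsigned long)irqctx < THREAD_SIZE))`. A one-line comment that this replaces the old `curctx == irqctx` identity test, because the context no longer starts with a thread_info, would also help. execute_on_irq_stack begins and ends outside this hunk.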
15776 @@ -116,6 +110,11 @@ execute_on_irq_stack(int overflow, struc
15777 : "0" (irq), "1" (desc), "2" (isp),
15778 "D" (desc->handle_irq)
15779 : "memory", "cc", "ecx");
15780 +
15781 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15782 + __set_fs(current_thread_info()->addr_limit);
15783 +#endif
15784 +
15785 return 1;
15786 }
15787
15788 @@ -124,28 +123,11 @@ execute_on_irq_stack(int overflow, struc
15789 */
15790 void __cpuinit irq_ctx_init(int cpu)
15791 {
15792 - union irq_ctx *irqctx;
15793 -
15794 if (per_cpu(hardirq_ctx, cpu))
15795 return;
15796
15797 - irqctx = &per_cpu(hardirq_stack, cpu);
15798 - irqctx->tinfo.task = NULL;
15799 - irqctx->tinfo.exec_domain = NULL;
15800 - irqctx->tinfo.cpu = cpu;
15801 - irqctx->tinfo.preempt_count = HARDIRQ_OFFSET;
15802 - irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
15803 -
15804 - per_cpu(hardirq_ctx, cpu) = irqctx;
15805 -
15806 - irqctx = &per_cpu(softirq_stack, cpu);
15807 - irqctx->tinfo.task = NULL;
15808 - irqctx->tinfo.exec_domain = NULL;
15809 - irqctx->tinfo.cpu = cpu;
15810 - irqctx->tinfo.preempt_count = 0;
15811 - irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
15812 -
15813 - per_cpu(softirq_ctx, cpu) = irqctx;
15814 + per_cpu(hardirq_ctx, cpu) = &per_cpu(hardirq_stack, cpu);
15815 + per_cpu(softirq_ctx, cpu) = &per_cpu(softirq_stack, cpu);
15816
15817 printk(KERN_DEBUG "CPU %u irqstacks, hard=%p soft=%p\n",
15818 cpu, per_cpu(hardirq_ctx, cpu), per_cpu(softirq_ctx, cpu));
15819 @@ -159,7 +141,6 @@ void irq_ctx_exit(int cpu)
15820 asmlinkage void do_softirq(void)
15821 {
15822 unsigned long flags;
15823 - struct thread_info *curctx;
15824 union irq_ctx *irqctx;
15825 u32 *isp;
15826
15827 @@ -169,15 +150,22 @@ asmlinkage void do_softirq(void)
15828 local_irq_save(flags);
15829
15830 if (local_softirq_pending()) {
15831 - curctx = current_thread_info();
15832 irqctx = __get_cpu_var(softirq_ctx);
15833 - irqctx->tinfo.task = curctx->task;
15834 - irqctx->tinfo.previous_esp = current_stack_pointer;
15835 + irqctx->previous_esp = current_stack_pointer;
15836
15837 /* build the stack frame on the softirq stack */
15838 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
15839 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
15840 +
15841 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15842 + __set_fs(MAKE_MM_SEG(0));
15843 +#endif
15844
15845 call_on_stack(__do_softirq, isp);
15846 +
15847 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15848 + __set_fs(current_thread_info()->addr_limit);
15849 +#endif
15850 +
15851 /*
15852 * Shouldnt happen, we returned above if in_interrupt():
15853 */
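Review bot: The softirq stack top is now computed as `sizeof(*irqctx) - 8` with no indication of what the 8 reserved bytes are for. The same literal appears in execute_on_irq_stack and in the `init_thread_union+THREAD_SIZE-8` values of `stack_start`, so a named constant (or at least a comment such as `/* leave 8 bytes free at the top of the stack, matching stack_start */`) would keep these sites from diverging. It would also be worth a comment that `__set_fs(MAKE_MM_SEG(0))` here takes over from the `addr_limit` field that irq_ctx_init used to set in the per-stack thread_info. do_softirq's body extends beyond the hunk.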
15854 diff -urNp linux-2.6.32.46/arch/x86/kernel/irq.c linux-2.6.32.46/arch/x86/kernel/irq.c
15855 --- linux-2.6.32.46/arch/x86/kernel/irq.c 2011-03-27 14:31:47.000000000 -0400
15856 +++ linux-2.6.32.46/arch/x86/kernel/irq.c 2011-05-04 17:56:28.000000000 -0400
15857 @@ -15,7 +15,7 @@
15858 #include <asm/mce.h>
15859 #include <asm/hw_irq.h>
15860
15861 -atomic_t irq_err_count;
15862 +atomic_unchecked_t irq_err_count;
15863
15864 /* Function pointer for generic interrupt vector handling */
15865 void (*generic_interrupt_extension)(void) = NULL;
15866 @@ -114,9 +114,9 @@ static int show_other_interrupts(struct
15867 seq_printf(p, "%10u ", per_cpu(mce_poll_count, j));
15868 seq_printf(p, " Machine check polls\n");
15869 #endif
15870 - seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read(&irq_err_count));
15871 + seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read_unchecked(&irq_err_count));
15872 #if defined(CONFIG_X86_IO_APIC)
15873 - seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read(&irq_mis_count));
15874 + seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read_unchecked(&irq_mis_count));
15875 #endif
15876 return 0;
15877 }
15878 @@ -209,10 +209,10 @@ u64 arch_irq_stat_cpu(unsigned int cpu)
15879
15880 u64 arch_irq_stat(void)
15881 {
15882 - u64 sum = atomic_read(&irq_err_count);
15883 + u64 sum = atomic_read_unchecked(&irq_err_count);
15884
15885 #ifdef CONFIG_X86_IO_APIC
15886 - sum += atomic_read(&irq_mis_count);
15887 + sum += atomic_read_unchecked(&irq_mis_count);
15888 #endif
15889 return sum;
15890 }
15891 diff -urNp linux-2.6.32.46/arch/x86/kernel/kgdb.c linux-2.6.32.46/arch/x86/kernel/kgdb.c
15892 --- linux-2.6.32.46/arch/x86/kernel/kgdb.c 2011-03-27 14:31:47.000000000 -0400
15893 +++ linux-2.6.32.46/arch/x86/kernel/kgdb.c 2011-05-04 17:56:20.000000000 -0400
15894 @@ -390,13 +390,13 @@ int kgdb_arch_handle_exception(int e_vec
15895
15896 /* clear the trace bit */
15897 linux_regs->flags &= ~X86_EFLAGS_TF;
15898 - atomic_set(&kgdb_cpu_doing_single_step, -1);
15899 + atomic_set_unchecked(&kgdb_cpu_doing_single_step, -1);
15900
15901 /* set the trace bit if we're stepping */
15902 if (remcomInBuffer[0] == 's') {
15903 linux_regs->flags |= X86_EFLAGS_TF;
15904 kgdb_single_step = 1;
15905 - atomic_set(&kgdb_cpu_doing_single_step,
15906 + atomic_set_unchecked(&kgdb_cpu_doing_single_step,
15907 raw_smp_processor_id());
15908 }
15909
15910 @@ -476,7 +476,7 @@ static int __kgdb_notify(struct die_args
15911 break;
15912
15913 case DIE_DEBUG:
15914 - if (atomic_read(&kgdb_cpu_doing_single_step) ==
15915 + if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) ==
15916 raw_smp_processor_id()) {
15917 if (user_mode(regs))
15918 return single_step_cont(regs, args);
15919 @@ -573,7 +573,7 @@ unsigned long kgdb_arch_pc(int exception
15920 return instruction_pointer(regs);
15921 }
15922
15923 -struct kgdb_arch arch_kgdb_ops = {
15924 +const struct kgdb_arch arch_kgdb_ops = {
15925 /* Breakpoint instruction: */
15926 .gdb_bpt_instr = { 0xcc },
15927 .flags = KGDB_HW_BREAKPOINT,
15928 diff -urNp linux-2.6.32.46/arch/x86/kernel/kprobes.c linux-2.6.32.46/arch/x86/kernel/kprobes.c
15929 --- linux-2.6.32.46/arch/x86/kernel/kprobes.c 2011-03-27 14:31:47.000000000 -0400
15930 +++ linux-2.6.32.46/arch/x86/kernel/kprobes.c 2011-04-17 15:56:46.000000000 -0400
15931 @@ -166,9 +166,13 @@ static void __kprobes set_jmp_op(void *f
15932 char op;
15933 s32 raddr;
15934 } __attribute__((packed)) * jop;
15935 - jop = (struct __arch_jmp_op *)from;
15936 +
15937 + jop = (struct __arch_jmp_op *)(ktla_ktva(from));
15938 +
15939 + pax_open_kernel();
15940 jop->raddr = (s32)((long)(to) - ((long)(from) + 5));
15941 jop->op = RELATIVEJUMP_INSTRUCTION;
15942 + pax_close_kernel();
15943 }
15944
15945 /*
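Review bot: `set_jmp_op` now stores through `ktla_ktva(from)` but still computes the rel32 on the following line from the untranslated `from`, and the hunk carries no comment saying the split is deliberate. Presumably the translated address is only the alias used for the store while the jump executes at `from`, so both are right. A one-line comment above the cast, e.g. `/* store via the ktla_ktva alias; the displacement stays relative to the address the jump executes at */`, would stop a later cleanup from unifying them. The function's signature and local declarations start outside the hunk.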
15946 @@ -193,7 +197,7 @@ static int __kprobes can_boost(kprobe_op
15947 kprobe_opcode_t opcode;
15948 kprobe_opcode_t *orig_opcodes = opcodes;
15949
15950 - if (search_exception_tables((unsigned long)opcodes))
15951 + if (search_exception_tables(ktva_ktla((unsigned long)opcodes)))
15952 return 0; /* Page fault may occur on this address. */
15953
15954 retry:
15955 @@ -337,7 +341,9 @@ static void __kprobes fix_riprel(struct
15956 disp = (u8 *) p->addr + *((s32 *) insn) -
15957 (u8 *) p->ainsn.insn;
15958 BUG_ON((s64) (s32) disp != disp); /* Sanity check. */
15959 + pax_open_kernel();
15960 *(s32 *)insn = (s32) disp;
15961 + pax_close_kernel();
15962 }
15963 }
15964 #endif
15965 @@ -345,16 +351,18 @@ static void __kprobes fix_riprel(struct
15966
15967 static void __kprobes arch_copy_kprobe(struct kprobe *p)
15968 {
15969 - memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
15970 + pax_open_kernel();
15971 + memcpy(p->ainsn.insn, ktla_ktva(p->addr), MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
15972 + pax_close_kernel();
15973
15974 fix_riprel(p);
15975
15976 - if (can_boost(p->addr))
15977 + if (can_boost(ktla_ktva(p->addr)))
15978 p->ainsn.boostable = 0;
15979 else
15980 p->ainsn.boostable = -1;
15981
15982 - p->opcode = *p->addr;
15983 + p->opcode = *(ktla_ktva(p->addr));
15984 }
15985
15986 int __kprobes arch_prepare_kprobe(struct kprobe *p)
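Review bot: `arch_copy_kprobe` translates `p->addr` with `ktla_ktva()` three separate times (the `memcpy` source, the `can_boost()` argument and the `p->opcode` read), which makes it easy for a later edit to miss one. Assuming `ktla_ktva` preserves the pointer type, as the dereference on the last line implies, a single local `kprobe_opcode_t *src = ktla_ktva(p->addr);` used at all three sites would read better. Only the `memcpy` into `p->ainsn.insn` sits inside the `pax_open_kernel()` window, which looks intentional since it is the only store to the instruction slot here; a brief comment saying so would help.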
15987 @@ -432,7 +440,7 @@ static void __kprobes prepare_singlestep
15988 if (p->opcode == BREAKPOINT_INSTRUCTION)
15989 regs->ip = (unsigned long)p->addr;
15990 else
15991 - regs->ip = (unsigned long)p->ainsn.insn;
15992 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
15993 }
15994
15995 void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
15996 @@ -453,7 +461,7 @@ static void __kprobes setup_singlestep(s
15997 if (p->ainsn.boostable == 1 && !p->post_handler) {
15998 /* Boost up -- we can execute copied instructions directly */
15999 reset_current_kprobe();
16000 - regs->ip = (unsigned long)p->ainsn.insn;
16001 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
16002 preempt_enable_no_resched();
16003 return;
16004 }
16005 @@ -523,7 +531,7 @@ static int __kprobes kprobe_handler(stru
16006 struct kprobe_ctlblk *kcb;
16007
16008 addr = (kprobe_opcode_t *)(regs->ip - sizeof(kprobe_opcode_t));
16009 - if (*addr != BREAKPOINT_INSTRUCTION) {
16010 + if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
16011 /*
16012 * The breakpoint instruction was removed right
16013 * after we hit it. Another cpu has removed
16014 @@ -775,7 +783,7 @@ static void __kprobes resume_execution(s
16015 struct pt_regs *regs, struct kprobe_ctlblk *kcb)
16016 {
16017 unsigned long *tos = stack_addr(regs);
16018 - unsigned long copy_ip = (unsigned long)p->ainsn.insn;
16019 + unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
16020 unsigned long orig_ip = (unsigned long)p->addr;
16021 kprobe_opcode_t *insn = p->ainsn.insn;
16022
16023 @@ -958,7 +966,7 @@ int __kprobes kprobe_exceptions_notify(s
16024 struct die_args *args = data;
16025 int ret = NOTIFY_DONE;
16026
16027 - if (args->regs && user_mode_vm(args->regs))
16028 + if (args->regs && user_mode(args->regs))
16029 return ret;
16030
16031 switch (val) {
16032 diff -urNp linux-2.6.32.46/arch/x86/kernel/kvm.c linux-2.6.32.46/arch/x86/kernel/kvm.c
16033 --- linux-2.6.32.46/arch/x86/kernel/kvm.c 2011-03-27 14:31:47.000000000 -0400
16034 +++ linux-2.6.32.46/arch/x86/kernel/kvm.c 2011-08-24 18:35:52.000000000 -0400
16035 @@ -216,6 +216,7 @@ static void __init paravirt_ops_setup(vo
16036 pv_mmu_ops.set_pud = kvm_set_pud;
16037 #if PAGETABLE_LEVELS == 4
16038 pv_mmu_ops.set_pgd = kvm_set_pgd;
16039 + pv_mmu_ops.set_pgd_batched = kvm_set_pgd;
16040 #endif
16041 #endif
16042 pv_mmu_ops.flush_tlb_user = kvm_flush_tlb;
16043 diff -urNp linux-2.6.32.46/arch/x86/kernel/ldt.c linux-2.6.32.46/arch/x86/kernel/ldt.c
16044 --- linux-2.6.32.46/arch/x86/kernel/ldt.c 2011-03-27 14:31:47.000000000 -0400
16045 +++ linux-2.6.32.46/arch/x86/kernel/ldt.c 2011-04-17 15:56:46.000000000 -0400
16046 @@ -66,13 +66,13 @@ static int alloc_ldt(mm_context_t *pc, i
16047 if (reload) {
16048 #ifdef CONFIG_SMP
16049 preempt_disable();
16050 - load_LDT(pc);
16051 + load_LDT_nolock(pc);
16052 if (!cpumask_equal(mm_cpumask(current->mm),
16053 cpumask_of(smp_processor_id())))
16054 smp_call_function(flush_ldt, current->mm, 1);
16055 preempt_enable();
16056 #else
16057 - load_LDT(pc);
16058 + load_LDT_nolock(pc);
16059 #endif
16060 }
16061 if (oldsize) {
16062 @@ -94,7 +94,7 @@ static inline int copy_ldt(mm_context_t
16063 return err;
16064
16065 for (i = 0; i < old->size; i++)
16066 - write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
16067 + write_ldt_entry(new->ldt, i, old->ldt + i);
16068 return 0;
16069 }
16070
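Review bot: The new `old->ldt + i` in `copy_ldt` is only equivalent to the old byte offset `i * LDT_ENTRY_SIZE` if `ldt` has become a pointer to an `LDT_ENTRY_SIZE`-sized descriptor type elsewhere in this patch; that declaration is not visible in the hunk. If the field were still `void *`, this would advance one byte per entry and hand `write_ldt_entry` misaligned source data. Writing it as `&old->ldt[i]` makes the element-indexing intent explicit and would fail to compile on a `void *` field. `copy_ldt` begins outside the hunk.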
16071 @@ -115,6 +115,24 @@ int init_new_context(struct task_struct
16072 retval = copy_ldt(&mm->context, &old_mm->context);
16073 mutex_unlock(&old_mm->context.lock);
16074 }
16075 +
16076 + if (tsk == current) {
16077 + mm->context.vdso = 0;
16078 +
16079 +#ifdef CONFIG_X86_32
16080 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
16081 + mm->context.user_cs_base = 0UL;
16082 + mm->context.user_cs_limit = ~0UL;
16083 +
16084 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
16085 + cpus_clear(mm->context.cpu_user_cs_mask);
16086 +#endif
16087 +
16088 +#endif
16089 +#endif
16090 +
16091 + }
16092 +
16093 return retval;
16094 }
16095
16096 @@ -229,6 +247,13 @@ static int write_ldt(void __user *ptr, u
16097 }
16098 }
16099
16100 +#ifdef CONFIG_PAX_SEGMEXEC
16101 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
16102 + error = -EINVAL;
16103 + goto out_unlock;
16104 + }
16105 +#endif
16106 +
16107 fill_ldt(&ldt, &ldt_info);
16108 if (oldmode)
16109 ldt.avl = 0;
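Review bot: The SEGMEXEC guard added to `write_ldt` tests `ldt_info.contents` with a bitwise `&` against `MODIFY_LDT_CONTENTS_CODE`, and nothing in the hunk explains why it is not an equality test. If the mask form is meant to reject conforming code segments as well as ordinary ones, say so in a comment, for example `/* SEGMEXEC: refuse any LDT entry whose contents field has the code bit set */`, so nobody later "tightens" it to `==`. The function starts and ends outside the hunk, so the `out_unlock` path cannot be checked from here.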
16110 diff -urNp linux-2.6.32.46/arch/x86/kernel/machine_kexec_32.c linux-2.6.32.46/arch/x86/kernel/machine_kexec_32.c
16111 --- linux-2.6.32.46/arch/x86/kernel/machine_kexec_32.c 2011-03-27 14:31:47.000000000 -0400
16112 +++ linux-2.6.32.46/arch/x86/kernel/machine_kexec_32.c 2011-04-17 15:56:46.000000000 -0400
16113 @@ -26,7 +26,7 @@
16114 #include <asm/system.h>
16115 #include <asm/cacheflush.h>
16116
16117 -static void set_idt(void *newidt, __u16 limit)
16118 +static void set_idt(struct desc_struct *newidt, __u16 limit)
16119 {
16120 struct desc_ptr curidt;
16121
16122 @@ -38,7 +38,7 @@ static void set_idt(void *newidt, __u16
16123 }
16124
16125
16126 -static void set_gdt(void *newgdt, __u16 limit)
16127 +static void set_gdt(struct desc_struct *newgdt, __u16 limit)
16128 {
16129 struct desc_ptr curgdt;
16130
16131 @@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image)
16132 }
16133
16134 control_page = page_address(image->control_code_page);
16135 - memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
16136 + memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
16137
16138 relocate_kernel_ptr = control_page;
16139 page_list[PA_CONTROL_PAGE] = __pa(control_page);
16140 diff -urNp linux-2.6.32.46/arch/x86/kernel/microcode_amd.c linux-2.6.32.46/arch/x86/kernel/microcode_amd.c
16141 --- linux-2.6.32.46/arch/x86/kernel/microcode_amd.c 2011-04-17 17:00:52.000000000 -0400
16142 +++ linux-2.6.32.46/arch/x86/kernel/microcode_amd.c 2011-04-17 17:03:05.000000000 -0400
16143 @@ -364,7 +364,7 @@ static void microcode_fini_cpu_amd(int c
16144 uci->mc = NULL;
16145 }
16146
16147 -static struct microcode_ops microcode_amd_ops = {
16148 +static const struct microcode_ops microcode_amd_ops = {
16149 .request_microcode_user = request_microcode_user,
16150 .request_microcode_fw = request_microcode_fw,
16151 .collect_cpu_info = collect_cpu_info_amd,
16152 @@ -372,7 +372,7 @@ static struct microcode_ops microcode_am
16153 .microcode_fini_cpu = microcode_fini_cpu_amd,
16154 };
16155
16156 -struct microcode_ops * __init init_amd_microcode(void)
16157 +const struct microcode_ops * __init init_amd_microcode(void)
16158 {
16159 return &microcode_amd_ops;
16160 }
16161 diff -urNp linux-2.6.32.46/arch/x86/kernel/microcode_core.c linux-2.6.32.46/arch/x86/kernel/microcode_core.c
16162 --- linux-2.6.32.46/arch/x86/kernel/microcode_core.c 2011-03-27 14:31:47.000000000 -0400
16163 +++ linux-2.6.32.46/arch/x86/kernel/microcode_core.c 2011-04-17 15:56:46.000000000 -0400
16164 @@ -90,7 +90,7 @@ MODULE_LICENSE("GPL");
16165
16166 #define MICROCODE_VERSION "2.00"
16167
16168 -static struct microcode_ops *microcode_ops;
16169 +static const struct microcode_ops *microcode_ops;
16170
16171 /*
16172 * Synchronization.
16173 diff -urNp linux-2.6.32.46/arch/x86/kernel/microcode_intel.c linux-2.6.32.46/arch/x86/kernel/microcode_intel.c
16174 --- linux-2.6.32.46/arch/x86/kernel/microcode_intel.c 2011-03-27 14:31:47.000000000 -0400
16175 +++ linux-2.6.32.46/arch/x86/kernel/microcode_intel.c 2011-10-06 09:37:08.000000000 -0400
16176 @@ -443,13 +443,13 @@ static enum ucode_state request_microcod
16177
16178 static int get_ucode_user(void *to, const void *from, size_t n)
16179 {
16180 - return copy_from_user(to, from, n);
16181 + return copy_from_user(to, (const void __force_user *)from, n);
16182 }
16183
16184 static enum ucode_state
16185 request_microcode_user(int cpu, const void __user *buf, size_t size)
16186 {
16187 - return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
16188 + return generic_load_microcode(cpu, (__force_kernel void *)buf, size, &get_ucode_user);
16189 }
16190
16191 static void microcode_fini_cpu(int cpu)
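Review bot: `request_microcode_user` strips the `__user` annotation with `(__force_kernel void *)buf` and `get_ucode_user` puts it back with `(const void __force_user *)from`, so between the two the pointer is an unannotated `void *` that sparse cannot track. That is safe only as long as `generic_load_microcode` hands `from` to nothing but the supplied callback, and the contract is not written down here. A comment on `get_ucode_user` such as `/* 'from' is a userspace pointer passed through generic_load_microcode(); it must only be read with copy_from_user() */` would document it. `get_ucode_user` also returns the `copy_from_user` residue as an `int`; how the caller treats a non-zero value is outside this hunk.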
16192 @@ -460,7 +460,7 @@ static void microcode_fini_cpu(int cpu)
16193 uci->mc = NULL;
16194 }
16195
16196 -static struct microcode_ops microcode_intel_ops = {
16197 +static const struct microcode_ops microcode_intel_ops = {
16198 .request_microcode_user = request_microcode_user,
16199 .request_microcode_fw = request_microcode_fw,
16200 .collect_cpu_info = collect_cpu_info,
16201 @@ -468,7 +468,7 @@ static struct microcode_ops microcode_in
16202 .microcode_fini_cpu = microcode_fini_cpu,
16203 };
16204
16205 -struct microcode_ops * __init init_intel_microcode(void)
16206 +const struct microcode_ops * __init init_intel_microcode(void)
16207 {
16208 return &microcode_intel_ops;
16209 }
16210 diff -urNp linux-2.6.32.46/arch/x86/kernel/module.c linux-2.6.32.46/arch/x86/kernel/module.c
16211 --- linux-2.6.32.46/arch/x86/kernel/module.c 2011-03-27 14:31:47.000000000 -0400
16212 +++ linux-2.6.32.46/arch/x86/kernel/module.c 2011-04-17 15:56:46.000000000 -0400
16213 @@ -34,7 +34,7 @@
16214 #define DEBUGP(fmt...)
16215 #endif
16216
16217 -void *module_alloc(unsigned long size)
16218 +static void *__module_alloc(unsigned long size, pgprot_t prot)
16219 {
16220 struct vm_struct *area;
16221
16222 @@ -48,8 +48,18 @@ void *module_alloc(unsigned long size)
16223 if (!area)
16224 return NULL;
16225
16226 - return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM,
16227 - PAGE_KERNEL_EXEC);
16228 + return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot);
16229 +}
16230 +
16231 +void *module_alloc(unsigned long size)
16232 +{
16233 +
16234 +#ifdef CONFIG_PAX_KERNEXEC
16235 + return __module_alloc(size, PAGE_KERNEL);
16236 +#else
16237 + return __module_alloc(size, PAGE_KERNEL_EXEC);
16238 +#endif
16239 +
16240 }
16241
16242 /* Free memory returned from module_alloc */
16243 @@ -58,6 +68,40 @@ void module_free(struct module *mod, voi
16244 vfree(module_region);
16245 }
16246
16247 +#ifdef CONFIG_PAX_KERNEXEC
16248 +#ifdef CONFIG_X86_32
16249 +void *module_alloc_exec(unsigned long size)
16250 +{
16251 + struct vm_struct *area;
16252 +
16253 + if (size == 0)
16254 + return NULL;
16255 +
16256 + area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
16257 + return area ? area->addr : NULL;
16258 +}
16259 +EXPORT_SYMBOL(module_alloc_exec);
16260 +
16261 +void module_free_exec(struct module *mod, void *module_region)
16262 +{
16263 + vunmap(module_region);
16264 +}
16265 +EXPORT_SYMBOL(module_free_exec);
16266 +#else
16267 +void module_free_exec(struct module *mod, void *module_region)
16268 +{
16269 + module_free(mod, module_region);
16270 +}
16271 +EXPORT_SYMBOL(module_free_exec);
16272 +
16273 +void *module_alloc_exec(unsigned long size)
16274 +{
16275 + return __module_alloc(size, PAGE_KERNEL_RX);
16276 +}
16277 +EXPORT_SYMBOL(module_alloc_exec);
16278 +#endif
16279 +#endif
16280 +
16281 /* We don't need anything special. */
16282 int module_frob_arch_sections(Elf_Ehdr *hdr,
16283 Elf_Shdr *sechdrs,
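Review bot: The two `module_alloc_exec` variants added here have different contracts and neither is documented. Under `CONFIG_X86_32` it calls `__get_vm_area()` and returns `area->addr`, which as far as this hunk shows only reserves an address range between `MODULES_EXEC_VADDR` and `MODULES_EXEC_END` without allocating pages, and `module_free_exec` correspondingly uses `vunmap()`. The other variant returns memory from `__module_alloc(size, PAGE_KERNEL_RX)` and frees it with `module_free()`. The 32-bit variant also passes `size` through without whatever rounding or upper-bound check `__module_alloc` applies (most of its body is outside the visible hunks). A comment above each pair stating what the caller receives and who is expected to map it would be useful.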
16284 @@ -77,14 +121,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
16285 unsigned int i;
16286 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
16287 Elf32_Sym *sym;
16288 - uint32_t *location;
16289 + uint32_t *plocation, location;
16290
16291 DEBUGP("Applying relocate section %u to %u\n", relsec,
16292 sechdrs[relsec].sh_info);
16293 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
16294 /* This is where to make the change */
16295 - location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
16296 - + rel[i].r_offset;
16297 + plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
16298 + location = (uint32_t)plocation;
16299 + if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
16300 + plocation = ktla_ktva((void *)plocation);
16301 /* This is the symbol it is referring to. Note that all
16302 undefined symbols have been resolved. */
16303 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
16304 @@ -93,11 +139,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
16305 switch (ELF32_R_TYPE(rel[i].r_info)) {
16306 case R_386_32:
16307 /* We add the value into the location given */
16308 - *location += sym->st_value;
16309 + pax_open_kernel();
16310 + *plocation += sym->st_value;
16311 + pax_close_kernel();
16312 break;
16313 case R_386_PC32:
16314 /* Add the value, subtract its postition */
16315 - *location += sym->st_value - (uint32_t)location;
16316 + pax_open_kernel();
16317 + *plocation += sym->st_value - location;
16318 + pax_close_kernel();
16319 break;
16320 default:
16321 printk(KERN_ERR "module %s: Unknown relocation: %u\n",
16322 @@ -153,21 +203,30 @@ int apply_relocate_add(Elf64_Shdr *sechd
16323 case R_X86_64_NONE:
16324 break;
16325 case R_X86_64_64:
16326 + pax_open_kernel();
16327 *(u64 *)loc = val;
16328 + pax_close_kernel();
16329 break;
16330 case R_X86_64_32:
16331 + pax_open_kernel();
16332 *(u32 *)loc = val;
16333 + pax_close_kernel();
16334 if (val != *(u32 *)loc)
16335 goto overflow;
16336 break;
16337 case R_X86_64_32S:
16338 + pax_open_kernel();
16339 *(s32 *)loc = val;
16340 + pax_close_kernel();
16341 if ((s64)val != *(s32 *)loc)
16342 goto overflow;
16343 break;
16344 case R_X86_64_PC32:
16345 val -= (u64)loc;
16346 + pax_open_kernel();
16347 *(u32 *)loc = val;
16348 + pax_close_kernel();
16349 +
16350 #if 0
16351 if ((s64)val != *(s32 *)loc)
16352 goto overflow;
16353 diff -urNp linux-2.6.32.46/arch/x86/kernel/paravirt.c linux-2.6.32.46/arch/x86/kernel/paravirt.c
16354 --- linux-2.6.32.46/arch/x86/kernel/paravirt.c 2011-03-27 14:31:47.000000000 -0400
16355 +++ linux-2.6.32.46/arch/x86/kernel/paravirt.c 2011-08-23 20:24:19.000000000 -0400
16356 @@ -53,6 +53,9 @@ u64 _paravirt_ident_64(u64 x)
16357 {
16358 return x;
16359 }
16360 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
16361 +PV_CALLEE_SAVE_REGS_THUNK(_paravirt_ident_64);
16362 +#endif
16363
16364 void __init default_banner(void)
16365 {
16366 @@ -122,7 +125,7 @@ unsigned paravirt_patch_jmp(void *insnbu
16367 * corresponding structure. */
16368 static void *get_call_destination(u8 type)
16369 {
16370 - struct paravirt_patch_template tmpl = {
16371 + const struct paravirt_patch_template tmpl = {
16372 .pv_init_ops = pv_init_ops,
16373 .pv_time_ops = pv_time_ops,
16374 .pv_cpu_ops = pv_cpu_ops,
16375 @@ -133,6 +136,8 @@ static void *get_call_destination(u8 typ
16376 .pv_lock_ops = pv_lock_ops,
16377 #endif
16378 };
16379 +
16380 + pax_track_stack();
16381 return *((void **)&tmpl + type);
16382 }
16383
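Review bot: `tmpl` in `get_call_destination` is now `const`, but the return statement still reads it through `(void **)&tmpl`, which silently casts the qualifier away. `return *((void * const *)&tmpl + type);` keeps the read const-correct. `pax_track_stack()` is also added without a comment; if it is there because `tmpl` is a large on-stack copy, a short note saying so would help. The function's opening lines are outside the hunk.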
16384 @@ -145,15 +150,19 @@ unsigned paravirt_patch_default(u8 type,
16385 if (opfunc == NULL)
16386 /* If there's no function, patch it with a ud2a (BUG) */
16387 ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a));
16388 - else if (opfunc == _paravirt_nop)
16389 + else if (opfunc == (void *)_paravirt_nop)
16390 /* If the operation is a nop, then nop the callsite */
16391 ret = paravirt_patch_nop();
16392
16393 /* identity functions just return their single argument */
16394 - else if (opfunc == _paravirt_ident_32)
16395 + else if (opfunc == (void *)_paravirt_ident_32)
16396 ret = paravirt_patch_ident_32(insnbuf, len);
16397 - else if (opfunc == _paravirt_ident_64)
16398 + else if (opfunc == (void *)_paravirt_ident_64)
16399 + ret = paravirt_patch_ident_64(insnbuf, len);
16400 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
16401 + else if (opfunc == (void *)__raw_callee_save__paravirt_ident_64)
16402 ret = paravirt_patch_ident_64(insnbuf, len);
16403 +#endif
16404
16405 else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) ||
16406 type == PARAVIRT_PATCH(pv_cpu_ops.irq_enable_sysexit) ||
16407 @@ -178,7 +187,7 @@ unsigned paravirt_patch_insns(void *insn
16408 if (insn_len > len || start == NULL)
16409 insn_len = len;
16410 else
16411 - memcpy(insnbuf, start, insn_len);
16412 + memcpy(insnbuf, ktla_ktva(start), insn_len);
16413
16414 return insn_len;
16415 }
16416 @@ -294,22 +303,22 @@ void arch_flush_lazy_mmu_mode(void)
16417 preempt_enable();
16418 }
16419
16420 -struct pv_info pv_info = {
16421 +struct pv_info pv_info __read_only = {
16422 .name = "bare hardware",
16423 .paravirt_enabled = 0,
16424 .kernel_rpl = 0,
16425 .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
16426 };
16427
16428 -struct pv_init_ops pv_init_ops = {
16429 +struct pv_init_ops pv_init_ops __read_only = {
16430 .patch = native_patch,
16431 };
16432
16433 -struct pv_time_ops pv_time_ops = {
16434 +struct pv_time_ops pv_time_ops __read_only = {
16435 .sched_clock = native_sched_clock,
16436 };
16437
16438 -struct pv_irq_ops pv_irq_ops = {
16439 +struct pv_irq_ops pv_irq_ops __read_only = {
16440 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
16441 .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
16442 .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
16443 @@ -321,7 +330,7 @@ struct pv_irq_ops pv_irq_ops = {
16444 #endif
16445 };
16446
16447 -struct pv_cpu_ops pv_cpu_ops = {
16448 +struct pv_cpu_ops pv_cpu_ops __read_only = {
16449 .cpuid = native_cpuid,
16450 .get_debugreg = native_get_debugreg,
16451 .set_debugreg = native_set_debugreg,
16452 @@ -382,21 +391,26 @@ struct pv_cpu_ops pv_cpu_ops = {
16453 .end_context_switch = paravirt_nop,
16454 };
16455
16456 -struct pv_apic_ops pv_apic_ops = {
16457 +struct pv_apic_ops pv_apic_ops __read_only = {
16458 #ifdef CONFIG_X86_LOCAL_APIC
16459 .startup_ipi_hook = paravirt_nop,
16460 #endif
16461 };
16462
16463 -#if defined(CONFIG_X86_32) && !defined(CONFIG_X86_PAE)
16464 +#ifdef CONFIG_X86_32
16465 +#ifdef CONFIG_X86_PAE
16466 +/* 64-bit pagetable entries */
16467 +#define PTE_IDENT PV_CALLEE_SAVE(_paravirt_ident_64)
16468 +#else
16469 /* 32-bit pagetable entries */
16470 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_32)
16471 +#endif
16472 #else
16473 /* 64-bit pagetable entries */
16474 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
16475 #endif
16476
16477 -struct pv_mmu_ops pv_mmu_ops = {
16478 +struct pv_mmu_ops pv_mmu_ops __read_only = {
16479
16480 .read_cr2 = native_read_cr2,
16481 .write_cr2 = native_write_cr2,
16482 @@ -448,6 +462,7 @@ struct pv_mmu_ops pv_mmu_ops = {
16483 .make_pud = PTE_IDENT,
16484
16485 .set_pgd = native_set_pgd,
16486 + .set_pgd_batched = native_set_pgd_batched,
16487 #endif
16488 #endif /* PAGETABLE_LEVELS >= 3 */
16489
16490 @@ -467,6 +482,12 @@ struct pv_mmu_ops pv_mmu_ops = {
16491 },
16492
16493 .set_fixmap = native_set_fixmap,
16494 +
16495 +#ifdef CONFIG_PAX_KERNEXEC
16496 + .pax_open_kernel = native_pax_open_kernel,
16497 + .pax_close_kernel = native_pax_close_kernel,
16498 +#endif
16499 +
16500 };
16501
16502 EXPORT_SYMBOL_GPL(pv_time_ops);
16503 diff -urNp linux-2.6.32.46/arch/x86/kernel/paravirt-spinlocks.c linux-2.6.32.46/arch/x86/kernel/paravirt-spinlocks.c
16504 --- linux-2.6.32.46/arch/x86/kernel/paravirt-spinlocks.c 2011-03-27 14:31:47.000000000 -0400
16505 +++ linux-2.6.32.46/arch/x86/kernel/paravirt-spinlocks.c 2011-04-17 15:56:46.000000000 -0400
16506 @@ -13,7 +13,7 @@ default_spin_lock_flags(raw_spinlock_t *
16507 __raw_spin_lock(lock);
16508 }
16509
16510 -struct pv_lock_ops pv_lock_ops = {
16511 +struct pv_lock_ops pv_lock_ops __read_only = {
16512 #ifdef CONFIG_SMP
16513 .spin_is_locked = __ticket_spin_is_locked,
16514 .spin_is_contended = __ticket_spin_is_contended,
16515 diff -urNp linux-2.6.32.46/arch/x86/kernel/pci-calgary_64.c linux-2.6.32.46/arch/x86/kernel/pci-calgary_64.c
16516 --- linux-2.6.32.46/arch/x86/kernel/pci-calgary_64.c 2011-03-27 14:31:47.000000000 -0400
16517 +++ linux-2.6.32.46/arch/x86/kernel/pci-calgary_64.c 2011-04-17 15:56:46.000000000 -0400
16518 @@ -477,7 +477,7 @@ static void calgary_free_coherent(struct
16519 free_pages((unsigned long)vaddr, get_order(size));
16520 }
16521
16522 -static struct dma_map_ops calgary_dma_ops = {
16523 +static const struct dma_map_ops calgary_dma_ops = {
16524 .alloc_coherent = calgary_alloc_coherent,
16525 .free_coherent = calgary_free_coherent,
16526 .map_sg = calgary_map_sg,
16527 diff -urNp linux-2.6.32.46/arch/x86/kernel/pci-dma.c linux-2.6.32.46/arch/x86/kernel/pci-dma.c
16528 --- linux-2.6.32.46/arch/x86/kernel/pci-dma.c 2011-03-27 14:31:47.000000000 -0400
16529 +++ linux-2.6.32.46/arch/x86/kernel/pci-dma.c 2011-04-17 15:56:46.000000000 -0400
16530 @@ -14,7 +14,7 @@
16531
16532 static int forbid_dac __read_mostly;
16533
16534 -struct dma_map_ops *dma_ops;
16535 +const struct dma_map_ops *dma_ops;
16536 EXPORT_SYMBOL(dma_ops);
16537
16538 static int iommu_sac_force __read_mostly;
16539 @@ -243,7 +243,7 @@ early_param("iommu", iommu_setup);
16540
16541 int dma_supported(struct device *dev, u64 mask)
16542 {
16543 - struct dma_map_ops *ops = get_dma_ops(dev);
16544 + const struct dma_map_ops *ops = get_dma_ops(dev);
16545
16546 #ifdef CONFIG_PCI
16547 if (mask > 0xffffffff && forbid_dac > 0) {
16548 diff -urNp linux-2.6.32.46/arch/x86/kernel/pci-gart_64.c linux-2.6.32.46/arch/x86/kernel/pci-gart_64.c
16549 --- linux-2.6.32.46/arch/x86/kernel/pci-gart_64.c 2011-03-27 14:31:47.000000000 -0400
16550 +++ linux-2.6.32.46/arch/x86/kernel/pci-gart_64.c 2011-04-17 15:56:46.000000000 -0400
16551 @@ -682,7 +682,7 @@ static __init int init_k8_gatt(struct ag
16552 return -1;
16553 }
16554
16555 -static struct dma_map_ops gart_dma_ops = {
16556 +static const struct dma_map_ops gart_dma_ops = {
16557 .map_sg = gart_map_sg,
16558 .unmap_sg = gart_unmap_sg,
16559 .map_page = gart_map_page,
16560 diff -urNp linux-2.6.32.46/arch/x86/kernel/pci-nommu.c linux-2.6.32.46/arch/x86/kernel/pci-nommu.c
16561 --- linux-2.6.32.46/arch/x86/kernel/pci-nommu.c 2011-03-27 14:31:47.000000000 -0400
16562 +++ linux-2.6.32.46/arch/x86/kernel/pci-nommu.c 2011-04-17 15:56:46.000000000 -0400
16563 @@ -94,7 +94,7 @@ static void nommu_sync_sg_for_device(str
16564 flush_write_buffers();
16565 }
16566
16567 -struct dma_map_ops nommu_dma_ops = {
16568 +const struct dma_map_ops nommu_dma_ops = {
16569 .alloc_coherent = dma_generic_alloc_coherent,
16570 .free_coherent = nommu_free_coherent,
16571 .map_sg = nommu_map_sg,
16572 diff -urNp linux-2.6.32.46/arch/x86/kernel/pci-swiotlb.c linux-2.6.32.46/arch/x86/kernel/pci-swiotlb.c
16573 --- linux-2.6.32.46/arch/x86/kernel/pci-swiotlb.c 2011-03-27 14:31:47.000000000 -0400
16574 +++ linux-2.6.32.46/arch/x86/kernel/pci-swiotlb.c 2011-04-17 15:56:46.000000000 -0400
16575 @@ -25,7 +25,7 @@ static void *x86_swiotlb_alloc_coherent(
16576 return swiotlb_alloc_coherent(hwdev, size, dma_handle, flags);
16577 }
16578
16579 -static struct dma_map_ops swiotlb_dma_ops = {
16580 +static const struct dma_map_ops swiotlb_dma_ops = {
16581 .mapping_error = swiotlb_dma_mapping_error,
16582 .alloc_coherent = x86_swiotlb_alloc_coherent,
16583 .free_coherent = swiotlb_free_coherent,
16584 diff -urNp linux-2.6.32.46/arch/x86/kernel/process_32.c linux-2.6.32.46/arch/x86/kernel/process_32.c
16585 --- linux-2.6.32.46/arch/x86/kernel/process_32.c 2011-06-25 12:55:34.000000000 -0400
16586 +++ linux-2.6.32.46/arch/x86/kernel/process_32.c 2011-06-25 12:56:37.000000000 -0400
16587 @@ -67,6 +67,7 @@ asmlinkage void ret_from_fork(void) __as
16588 unsigned long thread_saved_pc(struct task_struct *tsk)
16589 {
16590 return ((unsigned long *)tsk->thread.sp)[3];
16591 +//XXX return tsk->thread.eip;
16592 }
16593
16594 #ifndef CONFIG_SMP
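Review bot: The added line `//XXX return tsk->thread.eip;` in `thread_saved_pc` is commented-out code placed after the `return`, with no explanation of what the `XXX` is waiting on. Either drop it or turn it into a real comment that states the open question, e.g. `/* XXX: should this return the saved instruction pointer from tsk->thread instead of reading the stack slot? */`. As written, the next reader cannot tell which of the two is believed to be correct.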
16595 @@ -129,15 +130,14 @@ void __show_regs(struct pt_regs *regs, i
16596 unsigned short ss, gs;
16597 const char *board;
16598
16599 - if (user_mode_vm(regs)) {
16600 + if (user_mode(regs)) {
16601 sp = regs->sp;
16602 ss = regs->ss & 0xffff;
16603 - gs = get_user_gs(regs);
16604 } else {
16605 sp = (unsigned long) (&regs->sp);
16606 savesegment(ss, ss);
16607 - savesegment(gs, gs);
16608 }
16609 + gs = get_user_gs(regs);
16610
16611 printk("\n");
16612
16613 @@ -210,10 +210,10 @@ int kernel_thread(int (*fn)(void *), voi
16614 regs.bx = (unsigned long) fn;
16615 regs.dx = (unsigned long) arg;
16616
16617 - regs.ds = __USER_DS;
16618 - regs.es = __USER_DS;
16619 + regs.ds = __KERNEL_DS;
16620 + regs.es = __KERNEL_DS;
16621 regs.fs = __KERNEL_PERCPU;
16622 - regs.gs = __KERNEL_STACK_CANARY;
16623 + savesegment(gs, regs.gs);
16624 regs.orig_ax = -1;
16625 regs.ip = (unsigned long) kernel_thread_helper;
16626 regs.cs = __KERNEL_CS | get_kernel_rpl();
16627 @@ -247,13 +247,14 @@ int copy_thread(unsigned long clone_flag
16628 struct task_struct *tsk;
16629 int err;
16630
16631 - childregs = task_pt_regs(p);
16632 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
16633 *childregs = *regs;
16634 childregs->ax = 0;
16635 childregs->sp = sp;
16636
16637 p->thread.sp = (unsigned long) childregs;
16638 p->thread.sp0 = (unsigned long) (childregs+1);
16639 + p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
16640
16641 p->thread.ip = (unsigned long) ret_from_fork;
16642
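Review bot: `copy_thread` now open-codes the position of `childregs` as `task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8`, with a bare `8` and arithmetic on what is presumably a `void *`, in place of the `task_pt_regs(p)` helper it replaces. The 64-bit `copy_thread` hunk does the same with `- 16`, and the 64-bit `get_wchan` hunk repeats `THREAD_SIZE-16-sizeof(u64)` twice, so the reserved gap at the top of the stack is spelled out in four places. A named constant shared by all of them (and by `task_pt_regs`, if that macro is still used elsewhere) would keep them in step, with a comment saying what the reserved bytes are for. The function begins outside the hunk.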
16643 @@ -345,7 +346,7 @@ __switch_to(struct task_struct *prev_p,
16644 struct thread_struct *prev = &prev_p->thread,
16645 *next = &next_p->thread;
16646 int cpu = smp_processor_id();
16647 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
16648 + struct tss_struct *tss = init_tss + cpu;
16649 bool preload_fpu;
16650
16651 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
16652 @@ -380,6 +381,10 @@ __switch_to(struct task_struct *prev_p,
16653 */
16654 lazy_save_gs(prev->gs);
16655
16656 +#ifdef CONFIG_PAX_MEMORY_UDEREF
16657 + __set_fs(task_thread_info(next_p)->addr_limit);
16658 +#endif
16659 +
16660 /*
16661 * Load the per-thread Thread-Local Storage descriptor.
16662 */
16663 @@ -415,6 +420,9 @@ __switch_to(struct task_struct *prev_p,
16664 */
16665 arch_end_context_switch(next_p);
16666
16667 + percpu_write(current_task, next_p);
16668 + percpu_write(current_tinfo, &next_p->tinfo);
16669 +
16670 if (preload_fpu)
16671 __math_state_restore();
16672
16673 @@ -424,8 +432,6 @@ __switch_to(struct task_struct *prev_p,
16674 if (prev->gs | next->gs)
16675 lazy_load_gs(next->gs);
16676
16677 - percpu_write(current_task, next_p);
16678 -
16679 return prev_p;
16680 }
16681
16682 @@ -495,4 +501,3 @@ unsigned long get_wchan(struct task_stru
16683 } while (count++ < 16);
16684 return 0;
16685 }
16686 -
16687 diff -urNp linux-2.6.32.46/arch/x86/kernel/process_64.c linux-2.6.32.46/arch/x86/kernel/process_64.c
16688 --- linux-2.6.32.46/arch/x86/kernel/process_64.c 2011-06-25 12:55:34.000000000 -0400
16689 +++ linux-2.6.32.46/arch/x86/kernel/process_64.c 2011-06-25 12:56:37.000000000 -0400
16690 @@ -91,7 +91,7 @@ static void __exit_idle(void)
16691 void exit_idle(void)
16692 {
16693 /* idle loop has pid 0 */
16694 - if (current->pid)
16695 + if (task_pid_nr(current))
16696 return;
16697 __exit_idle();
16698 }
16699 @@ -170,7 +170,7 @@ void __show_regs(struct pt_regs *regs, i
16700 if (!board)
16701 board = "";
16702 printk(KERN_INFO "Pid: %d, comm: %.20s %s %s %.*s %s\n",
16703 - current->pid, current->comm, print_tainted(),
16704 + task_pid_nr(current), current->comm, print_tainted(),
16705 init_utsname()->release,
16706 (int)strcspn(init_utsname()->version, " "),
16707 init_utsname()->version, board);
16708 @@ -280,8 +280,7 @@ int copy_thread(unsigned long clone_flag
16709 struct pt_regs *childregs;
16710 struct task_struct *me = current;
16711
16712 - childregs = ((struct pt_regs *)
16713 - (THREAD_SIZE + task_stack_page(p))) - 1;
16714 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 16;
16715 *childregs = *regs;
16716
16717 childregs->ax = 0;
16718 @@ -292,6 +291,7 @@ int copy_thread(unsigned long clone_flag
16719 p->thread.sp = (unsigned long) childregs;
16720 p->thread.sp0 = (unsigned long) (childregs+1);
16721 p->thread.usersp = me->thread.usersp;
16722 + p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
16723
16724 set_tsk_thread_flag(p, TIF_FORK);
16725
16726 @@ -379,7 +379,7 @@ __switch_to(struct task_struct *prev_p,
16727 struct thread_struct *prev = &prev_p->thread;
16728 struct thread_struct *next = &next_p->thread;
16729 int cpu = smp_processor_id();
16730 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
16731 + struct tss_struct *tss = init_tss + cpu;
16732 unsigned fsindex, gsindex;
16733 bool preload_fpu;
16734
16735 @@ -475,10 +475,9 @@ __switch_to(struct task_struct *prev_p,
16736 prev->usersp = percpu_read(old_rsp);
16737 percpu_write(old_rsp, next->usersp);
16738 percpu_write(current_task, next_p);
16739 + percpu_write(current_tinfo, &next_p->tinfo);
16740
16741 - percpu_write(kernel_stack,
16742 - (unsigned long)task_stack_page(next_p) +
16743 - THREAD_SIZE - KERNEL_STACK_OFFSET);
16744 + percpu_write(kernel_stack, next->sp0);
16745
16746 /*
16747 * Now maybe reload the debug registers and handle I/O bitmaps
16748 @@ -559,12 +558,11 @@ unsigned long get_wchan(struct task_stru
16749 if (!p || p == current || p->state == TASK_RUNNING)
16750 return 0;
16751 stack = (unsigned long)task_stack_page(p);
16752 - if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
16753 + if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-16-sizeof(u64))
16754 return 0;
16755 fp = *(u64 *)(p->thread.sp);
16756 do {
16757 - if (fp < (unsigned long)stack ||
16758 - fp >= (unsigned long)stack+THREAD_SIZE)
16759 + if (fp < stack || fp > stack+THREAD_SIZE-16-sizeof(u64))
16760 return 0;
16761 ip = *(u64 *)(fp+8);
16762 if (!in_sched_functions(ip))
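Review bot: In `get_wchan` the loop bound `fp > stack+THREAD_SIZE-16-sizeof(u64)` is sized for an 8-byte read at `fp`, but the next statement reads `*(u64 *)(fp+8)`. With `fp` at the largest accepted value, that read lands in the 16 bytes the new bound is meant to exclude. The access still falls inside the stack allocation, so this is an inconsistency rather than an out-of-bounds read, but the check should match the access: `if (fp < stack || fp > stack+THREAD_SIZE-16-2*sizeof(u64))`. The rest of the loop is outside the hunk.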
16763 diff -urNp linux-2.6.32.46/arch/x86/kernel/process.c linux-2.6.32.46/arch/x86/kernel/process.c
16764 --- linux-2.6.32.46/arch/x86/kernel/process.c 2011-04-22 19:16:29.000000000 -0400
16765 +++ linux-2.6.32.46/arch/x86/kernel/process.c 2011-08-30 18:19:52.000000000 -0400
16766 @@ -51,16 +51,33 @@ void free_thread_xstate(struct task_stru
16767
16768 void free_thread_info(struct thread_info *ti)
16769 {
16770 - free_thread_xstate(ti->task);
16771 free_pages((unsigned long)ti, get_order(THREAD_SIZE));
16772 }
16773
16774 +static struct kmem_cache *task_struct_cachep;
16775 +
16776 void arch_task_cache_init(void)
16777 {
16778 - task_xstate_cachep =
16779 - kmem_cache_create("task_xstate", xstate_size,
16780 + /* create a slab on which task_structs can be allocated */
16781 + task_struct_cachep =
16782 + kmem_cache_create("task_struct", sizeof(struct task_struct),
16783 + ARCH_MIN_TASKALIGN, SLAB_PANIC | SLAB_NOTRACK, NULL);
16784 +
16785 + task_xstate_cachep =
16786 + kmem_cache_create("task_xstate", xstate_size,
16787 __alignof__(union thread_xstate),
16788 - SLAB_PANIC | SLAB_NOTRACK, NULL);
16789 + SLAB_PANIC | SLAB_NOTRACK | SLAB_USERCOPY, NULL);
16790 +}
16791 +
16792 +struct task_struct *alloc_task_struct(void)
16793 +{
16794 + return kmem_cache_alloc(task_struct_cachep, GFP_KERNEL);
16795 +}
16796 +
16797 +void free_task_struct(struct task_struct *task)
16798 +{
16799 + free_thread_xstate(task);
16800 + kmem_cache_free(task_struct_cachep, task);
16801 }
16802
16803 /*
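Review bot: Two behaviour changes in arch_task_cache_init and its neighbours carry no comment: `free_thread_xstate()` now runs from the new free_task_struct() instead of free_thread_info(), and the task_xstate cache gains SLAB_USERCOPY. Both are easy to undo by accident in a later merge, so each deserves a line of explanation, for example `/* xstate is released with the task_struct, not with the stack pages */` above the call and `/* FPU state is copied to and from user space, so this cache must allow usercopy (confirm) */` next to the flag. The only existing comment, on the task_struct cache, restates the code. alloc_task_struct() returns the kmem_cache_alloc() result unchecked, which is fine only if every caller tests for NULL; that is not visible here.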
16804 @@ -73,7 +90,7 @@ void exit_thread(void)
16805 unsigned long *bp = t->io_bitmap_ptr;
16806
16807 if (bp) {
16808 - struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
16809 + struct tss_struct *tss = init_tss + get_cpu();
16810
16811 t->io_bitmap_ptr = NULL;
16812 clear_thread_flag(TIF_IO_BITMAP);
16813 @@ -93,6 +110,9 @@ void flush_thread(void)
16814
16815 clear_tsk_thread_flag(tsk, TIF_DEBUG);
16816
16817 +#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_PAX_MEMORY_UDEREF)
16818 + loadsegment(gs, 0);
16819 +#endif
16820 tsk->thread.debugreg0 = 0;
16821 tsk->thread.debugreg1 = 0;
16822 tsk->thread.debugreg2 = 0;
16823 @@ -307,7 +327,7 @@ void default_idle(void)
16824 EXPORT_SYMBOL(default_idle);
16825 #endif
16826
16827 -void stop_this_cpu(void *dummy)
16828 +__noreturn void stop_this_cpu(void *dummy)
16829 {
16830 local_irq_disable();
16831 /*
16832 @@ -568,16 +588,38 @@ static int __init idle_setup(char *str)
16833 }
16834 early_param("idle", idle_setup);
16835
16836 -unsigned long arch_align_stack(unsigned long sp)
16837 +#ifdef CONFIG_PAX_RANDKSTACK
16838 +void pax_randomize_kstack(struct pt_regs *regs)
16839 {
16840 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
16841 - sp -= get_random_int() % 8192;
16842 - return sp & ~0xf;
16843 -}
16844 + struct thread_struct *thread = &current->thread;
16845 + unsigned long time;
16846
16847 -unsigned long arch_randomize_brk(struct mm_struct *mm)
16848 -{
16849 - unsigned long range_end = mm->brk + 0x02000000;
16850 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
16851 + if (!randomize_va_space)
16852 + return;
16853 +
16854 + if (v8086_mode(regs))
16855 + return;
16856 +
16857 + rdtscl(time);
16858 +
16859 + /* P4 seems to return a 0 LSB, ignore it */
16860 +#ifdef CONFIG_MPENTIUM4
16861 + time &= 0x3EUL;
16862 + time <<= 2;
16863 +#elif defined(CONFIG_X86_64)
16864 + time &= 0xFUL;
16865 + time <<= 4;
16866 +#else
16867 + time &= 0x1FUL;
16868 + time <<= 3;
16869 +#endif
16870 +
16871 + thread->sp0 ^= time;
16872 + load_sp0(init_tss + smp_processor_id(), thread);
16873 +
16874 +#ifdef CONFIG_X86_64
16875 + percpu_write(kernel_stack, thread->sp0);
16876 +#endif
16877 }
16878 +#endif
16879
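Review bot: pax_randomize_kstack does not say how much randomness it adds or where it comes from, and the one comment it has, `/* P4 seems to return a 0 LSB, ignore it */`, sits above all three mask branches although only the CONFIG_MPENTIUM4 mask (0x3E) skips bit 0. From the masks and shifts the XOR changes bits 3-7 of `sp0` on 32-bit (5 bits) and bits 4-7 on x86_64 (4 bits), taken from the low TSC bits. The time-stamp counter is normally readable from user mode, so I would document this as a small, non-secret perturbation, e.g. `/* 4 (64-bit) or 5 (32-bit) bits from the TSC; hardening only, not a secret */`, and move the P4 remark inside its `#ifdef`. The hunk also drops arch_align_stack() and arch_randomize_brk() from this file; their replacements are not visible here.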
16880 diff -urNp linux-2.6.32.46/arch/x86/kernel/ptrace.c linux-2.6.32.46/arch/x86/kernel/ptrace.c
16881 --- linux-2.6.32.46/arch/x86/kernel/ptrace.c 2011-03-27 14:31:47.000000000 -0400
16882 +++ linux-2.6.32.46/arch/x86/kernel/ptrace.c 2011-04-17 15:56:46.000000000 -0400
16883 @@ -925,7 +925,7 @@ static const struct user_regset_view use
16884 long arch_ptrace(struct task_struct *child, long request, long addr, long data)
16885 {
16886 int ret;
16887 - unsigned long __user *datap = (unsigned long __user *)data;
16888 + unsigned long __user *datap = (__force unsigned long __user *)data;
16889
16890 switch (request) {
16891 /* read the word at location addr in the USER area. */
16892 @@ -1012,14 +1012,14 @@ long arch_ptrace(struct task_struct *chi
16893 if (addr < 0)
16894 return -EIO;
16895 ret = do_get_thread_area(child, addr,
16896 - (struct user_desc __user *) data);
16897 + (__force struct user_desc __user *) data);
16898 break;
16899
16900 case PTRACE_SET_THREAD_AREA:
16901 if (addr < 0)
16902 return -EIO;
16903 ret = do_set_thread_area(child, addr,
16904 - (struct user_desc __user *) data, 0);
16905 + (__force struct user_desc __user *) data, 0);
16906 break;
16907 #endif
16908
16909 @@ -1038,12 +1038,12 @@ long arch_ptrace(struct task_struct *chi
16910 #ifdef CONFIG_X86_PTRACE_BTS
16911 case PTRACE_BTS_CONFIG:
16912 ret = ptrace_bts_config
16913 - (child, data, (struct ptrace_bts_config __user *)addr);
16914 + (child, data, (__force struct ptrace_bts_config __user *)addr);
16915 break;
16916
16917 case PTRACE_BTS_STATUS:
16918 ret = ptrace_bts_status
16919 - (child, data, (struct ptrace_bts_config __user *)addr);
16920 + (child, data, (__force struct ptrace_bts_config __user *)addr);
16921 break;
16922
16923 case PTRACE_BTS_SIZE:
16924 @@ -1052,7 +1052,7 @@ long arch_ptrace(struct task_struct *chi
16925
16926 case PTRACE_BTS_GET:
16927 ret = ptrace_bts_read_record
16928 - (child, data, (struct bts_struct __user *) addr);
16929 + (child, data, (__force struct bts_struct __user *) addr);
16930 break;
16931
16932 case PTRACE_BTS_CLEAR:
16933 @@ -1061,7 +1061,7 @@ long arch_ptrace(struct task_struct *chi
16934
16935 case PTRACE_BTS_DRAIN:
16936 ret = ptrace_bts_drain
16937 - (child, data, (struct bts_struct __user *) addr);
16938 + (child, data, (__force struct bts_struct __user *) addr);
16939 break;
16940 #endif /* CONFIG_X86_PTRACE_BTS */
16941
16942 @@ -1450,7 +1450,7 @@ void send_sigtrap(struct task_struct *ts
16943 info.si_code = si_code;
16944
16945 /* User-mode ip? */
16946 - info.si_addr = user_mode_vm(regs) ? (void __user *) regs->ip : NULL;
16947 + info.si_addr = user_mode(regs) ? (__force void __user *) regs->ip : NULL;
16948
16949 /* Send us the fake SIGTRAP */
16950 force_sig_info(SIGTRAP, &info, tsk);
16951 @@ -1469,7 +1469,7 @@ void send_sigtrap(struct task_struct *ts
16952 * We must return the syscall number to actually look up in the table.
16953 * This can be -1L to skip running any syscall at all.
16954 */
16955 -asmregparm long syscall_trace_enter(struct pt_regs *regs)
16956 +long syscall_trace_enter(struct pt_regs *regs)
16957 {
16958 long ret = 0;
16959
16960 @@ -1514,7 +1514,7 @@ asmregparm long syscall_trace_enter(stru
16961 return ret ?: regs->orig_ax;
16962 }
16963
16964 -asmregparm void syscall_trace_leave(struct pt_regs *regs)
16965 +void syscall_trace_leave(struct pt_regs *regs)
16966 {
16967 if (unlikely(current->audit_context))
16968 audit_syscall_exit(AUDITSC_RESULT(regs->ax), regs->ax);
16969 diff -urNp linux-2.6.32.46/arch/x86/kernel/reboot.c linux-2.6.32.46/arch/x86/kernel/reboot.c
16970 --- linux-2.6.32.46/arch/x86/kernel/reboot.c 2011-08-09 18:35:28.000000000 -0400
16971 +++ linux-2.6.32.46/arch/x86/kernel/reboot.c 2011-08-09 18:33:59.000000000 -0400
16972 @@ -33,7 +33,7 @@ void (*pm_power_off)(void);
16973 EXPORT_SYMBOL(pm_power_off);
16974
16975 static const struct desc_ptr no_idt = {};
16976 -static int reboot_mode;
16977 +static unsigned short reboot_mode;
16978 enum reboot_type reboot_type = BOOT_KBD;
16979 int reboot_force;
16980
16981 @@ -292,12 +292,12 @@ core_initcall(reboot_init);
16982 controller to pulse the CPU reset line, which is more thorough, but
16983 doesn't work with at least one type of 486 motherboard. It is easy
16984 to stop this code working; hence the copious comments. */
16985 -static const unsigned long long
16986 -real_mode_gdt_entries [3] =
16987 +static struct desc_struct
16988 +real_mode_gdt_entries [3] __read_only =
16989 {
16990 - 0x0000000000000000ULL, /* Null descriptor */
16991 - 0x00009b000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
16992 - 0x000093000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
16993 + GDT_ENTRY_INIT(0, 0, 0), /* Null descriptor */
16994 + GDT_ENTRY_INIT(0x9b, 0, 0xffff), /* 16-bit real-mode 64k code at 0x00000000 */
16995 + GDT_ENTRY_INIT(0x93, 0x100, 0xffff) /* 16-bit real-mode 64k data at 0x00000100 */
16996 };
16997
16998 static const struct desc_ptr
16999 @@ -346,7 +346,7 @@ static const unsigned char jump_to_bios
17000 * specified by the code and length parameters.
17001 * We assume that length will aways be less that 100!
17002 */
17003 -void machine_real_restart(const unsigned char *code, int length)
17004 +__noreturn void machine_real_restart(const unsigned char *code, unsigned int length)
17005 {
17006 local_irq_disable();
17007
17008 @@ -366,8 +366,8 @@ void machine_real_restart(const unsigned
17009 /* Remap the kernel at virtual address zero, as well as offset zero
17010 from the kernel segment. This assumes the kernel segment starts at
17011 virtual address PAGE_OFFSET. */
17012 - memcpy(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
17013 - sizeof(swapper_pg_dir [0]) * KERNEL_PGD_PTRS);
17014 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
17015 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
17016
17017 /*
17018 * Use `swapper_pg_dir' as our page directory.
17019 @@ -379,16 +379,15 @@ void machine_real_restart(const unsigned
17020 boot)". This seems like a fairly standard thing that gets set by
17021 REBOOT.COM programs, and the previous reset routine did this
17022 too. */
17023 - *((unsigned short *)0x472) = reboot_mode;
17024 + *(unsigned short *)(__va(0x472)) = reboot_mode;
17025
17026 /* For the switch to real mode, copy some code to low memory. It has
17027 to be in the first 64k because it is running in 16-bit mode, and it
17028 has to have the same physical and virtual address, because it turns
17029 off paging. Copy it near the end of the first page, out of the way
17030 of BIOS variables. */
17031 - memcpy((void *)(0x1000 - sizeof(real_mode_switch) - 100),
17032 - real_mode_switch, sizeof (real_mode_switch));
17033 - memcpy((void *)(0x1000 - 100), code, length);
17034 + memcpy(__va(0x1000 - sizeof (real_mode_switch) - 100), real_mode_switch, sizeof (real_mode_switch));
17035 + memcpy(__va(0x1000 - 100), code, length);
17036
17037 /* Set up the IDT for real mode. */
17038 load_idt(&real_mode_idt);
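Review bot: `memcpy(__va(0x1000 - 100), code, length)` still trusts `length` completely; the only protection is the comment a few hunks up, "We assume that length will aways be less that 100!". Changing the parameter to `unsigned int` rules out negative values, but a caller passing more than 100 would still write past the end of the first page through the direct mapping. A guard at the top of machine_real_restart, before the page tables are touched, would make the assumption enforceable, for instance `BUG_ON(length > 100);`. The function begins and ends outside this hunk.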
17039 @@ -416,6 +415,7 @@ void machine_real_restart(const unsigned
17040 __asm__ __volatile__ ("ljmp $0x0008,%0"
17041 :
17042 : "i" ((void *)(0x1000 - sizeof (real_mode_switch) - 100)));
17043 + do { } while (1);
17044 }
17045 #ifdef CONFIG_APM_MODULE
17046 EXPORT_SYMBOL(machine_real_restart);
17047 @@ -544,7 +544,7 @@ void __attribute__((weak)) mach_reboot_f
17048 {
17049 }
17050
17051 -static void native_machine_emergency_restart(void)
17052 +__noreturn static void native_machine_emergency_restart(void)
17053 {
17054 int i;
17055
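Review bot: The `__noreturn` attribute is placed inconsistently in this file: `__noreturn static void` here and on native_machine_power_off, but `static __noreturn void` on __machine_emergency_restart, native_machine_restart and native_machine_halt in the following hunks. Pick one order; `static __noreturn void native_machine_emergency_restart(void)` would match the majority. The body of native_machine_emergency_restart lies outside the hunk, so whether every path in it really never returns cannot be checked from here.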
17056 @@ -659,13 +659,13 @@ void native_machine_shutdown(void)
17057 #endif
17058 }
17059
17060 -static void __machine_emergency_restart(int emergency)
17061 +static __noreturn void __machine_emergency_restart(int emergency)
17062 {
17063 reboot_emergency = emergency;
17064 machine_ops.emergency_restart();
17065 }
17066
17067 -static void native_machine_restart(char *__unused)
17068 +static __noreturn void native_machine_restart(char *__unused)
17069 {
17070 printk("machine restart\n");
17071
17072 @@ -674,7 +674,7 @@ static void native_machine_restart(char
17073 __machine_emergency_restart(0);
17074 }
17075
17076 -static void native_machine_halt(void)
17077 +static __noreturn void native_machine_halt(void)
17078 {
17079 /* stop other cpus and apics */
17080 machine_shutdown();
17081 @@ -685,7 +685,7 @@ static void native_machine_halt(void)
17082 stop_this_cpu(NULL);
17083 }
17084
17085 -static void native_machine_power_off(void)
17086 +__noreturn static void native_machine_power_off(void)
17087 {
17088 if (pm_power_off) {
17089 if (!reboot_force)
17090 @@ -694,6 +694,7 @@ static void native_machine_power_off(voi
17091 }
17092 /* a fallback in case there is no PM info available */
17093 tboot_shutdown(TB_SHUTDOWN_HALT);
17094 + do { } while (1);
17095 }
17096
17097 struct machine_ops machine_ops = {
17098 diff -urNp linux-2.6.32.46/arch/x86/kernel/setup.c linux-2.6.32.46/arch/x86/kernel/setup.c
17099 --- linux-2.6.32.46/arch/x86/kernel/setup.c 2011-04-17 17:00:52.000000000 -0400
17100 +++ linux-2.6.32.46/arch/x86/kernel/setup.c 2011-04-17 17:03:05.000000000 -0400
17101 @@ -783,14 +783,14 @@ void __init setup_arch(char **cmdline_p)
17102
17103 if (!boot_params.hdr.root_flags)
17104 root_mountflags &= ~MS_RDONLY;
17105 - init_mm.start_code = (unsigned long) _text;
17106 - init_mm.end_code = (unsigned long) _etext;
17107 + init_mm.start_code = ktla_ktva((unsigned long) _text);
17108 + init_mm.end_code = ktla_ktva((unsigned long) _etext);
17109 init_mm.end_data = (unsigned long) _edata;
17110 init_mm.brk = _brk_end;
17111
17112 - code_resource.start = virt_to_phys(_text);
17113 - code_resource.end = virt_to_phys(_etext)-1;
17114 - data_resource.start = virt_to_phys(_etext);
17115 + code_resource.start = virt_to_phys(ktla_ktva(_text));
17116 + code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
17117 + data_resource.start = virt_to_phys(_sdata);
17118 data_resource.end = virt_to_phys(_edata)-1;
17119 bss_resource.start = virt_to_phys(&__bss_start);
17120 bss_resource.end = virt_to_phys(&__bss_stop)-1;
17121 diff -urNp linux-2.6.32.46/arch/x86/kernel/setup_percpu.c linux-2.6.32.46/arch/x86/kernel/setup_percpu.c
17122 --- linux-2.6.32.46/arch/x86/kernel/setup_percpu.c 2011-03-27 14:31:47.000000000 -0400
17123 +++ linux-2.6.32.46/arch/x86/kernel/setup_percpu.c 2011-06-04 20:36:29.000000000 -0400
17124 @@ -25,19 +25,17 @@
17125 # define DBG(x...)
17126 #endif
17127
17128 -DEFINE_PER_CPU(int, cpu_number);
17129 +#ifdef CONFIG_SMP
17130 +DEFINE_PER_CPU(unsigned int, cpu_number);
17131 EXPORT_PER_CPU_SYMBOL(cpu_number);
17132 +#endif
17133
17134 -#ifdef CONFIG_X86_64
17135 #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
17136 -#else
17137 -#define BOOT_PERCPU_OFFSET 0
17138 -#endif
17139
17140 DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
17141 EXPORT_PER_CPU_SYMBOL(this_cpu_off);
17142
17143 -unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
17144 +unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
17145 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
17146 };
17147 EXPORT_SYMBOL(__per_cpu_offset);
17148 @@ -159,10 +157,10 @@ static inline void setup_percpu_segment(
17149 {
17150 #ifdef CONFIG_X86_32
17151 struct desc_struct gdt;
17152 + unsigned long base = per_cpu_offset(cpu);
17153
17154 - pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
17155 - 0x2 | DESCTYPE_S, 0x8);
17156 - gdt.s = 1;
17157 + pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
17158 + 0x83 | DESCTYPE_S, 0xC);
17159 write_gdt_entry(get_cpu_gdt_table(cpu),
17160 GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
17161 #endif
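Review bot: The new `pack_descriptor()` arguments are bare hex values with no comment, which makes a security-relevant descriptor hard to audit: `0x83 | DESCTYPE_S` and `0xC` replace `0x2 | DESCTYPE_S`, `0x8` and the separate `gdt.s = 1`, and the limit changes from 0xFFFFF to `(VMALLOC_END - base - 1) >> PAGE_SHIFT`. I would add something like `/* present, writable data, accessed; 4K granularity, 32-bit; segment ends at VMALLOC_END */` above the call. The limit expression also assumes `base < VMALLOC_END`; if that can ever be false the subtraction wraps, so a `BUG_ON(base >= VMALLOC_END);` or a comment stating why it cannot happen would help.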
17162 @@ -212,6 +210,11 @@ void __init setup_per_cpu_areas(void)
17163 /* alrighty, percpu areas up and running */
17164 delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
17165 for_each_possible_cpu(cpu) {
17166 +#ifdef CONFIG_CC_STACKPROTECTOR
17167 +#ifdef CONFIG_X86_32
17168 + unsigned long canary = per_cpu(stack_canary.canary, cpu);
17169 +#endif
17170 +#endif
17171 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
17172 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
17173 per_cpu(cpu_number, cpu) = cpu;
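Review bot: Nothing explains why the boot CPU's stack canary is read at the top of the loop and written back in the later hunk of setup_per_cpu_areas. A short comment would do, e.g. `/* keep the boot CPU's canary across the switch to the new per-cpu area */` (my reading of the two hunks, to be confirmed). `canary` is loaded for every possible CPU but only used when `!cpu`, and the nested `#ifdef` pair could be one line, `#if defined(CONFIG_CC_STACKPROTECTOR) && defined(CONFIG_X86_32)`, as the flush_thread hunk in process.c already does. The loop body continues outside both hunks.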
17174 @@ -239,6 +242,12 @@ void __init setup_per_cpu_areas(void)
17175 early_per_cpu_map(x86_cpu_to_node_map, cpu);
17176 #endif
17177 #endif
17178 +#ifdef CONFIG_CC_STACKPROTECTOR
17179 +#ifdef CONFIG_X86_32
17180 + if (!cpu)
17181 + per_cpu(stack_canary.canary, cpu) = canary;
17182 +#endif
17183 +#endif
17184 /*
17185 * Up to this point, the boot CPU has been using .data.init
17186 * area. Reload any changed state for the boot CPU.
17187 diff -urNp linux-2.6.32.46/arch/x86/kernel/signal.c linux-2.6.32.46/arch/x86/kernel/signal.c
17188 --- linux-2.6.32.46/arch/x86/kernel/signal.c 2011-03-27 14:31:47.000000000 -0400
17189 +++ linux-2.6.32.46/arch/x86/kernel/signal.c 2011-05-22 23:02:03.000000000 -0400
17190 @@ -197,7 +197,7 @@ static unsigned long align_sigframe(unsi
17191 * Align the stack pointer according to the i386 ABI,
17192 * i.e. so that on function entry ((sp + 4) & 15) == 0.
17193 */
17194 - sp = ((sp + 4) & -16ul) - 4;
17195 + sp = ((sp - 12) & -16ul) - 4;
17196 #else /* !CONFIG_X86_32 */
17197 sp = round_down(sp, 16) - 8;
17198 #endif
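Review bot: The comment above still describes only the alignment rule, while the new expression `((sp - 12) & -16ul) - 4` keeps that rule and additionally places the frame exactly 16 bytes lower than the old `((sp + 4) & -16ul) - 4` did. The reason for the extra 16 bytes is not stated anywhere in the hunk. I would extend the comment, for example `* The frame is also moved down one full 16-byte slot so it never starts at the incoming sp.`, adjusted to whatever the actual motivation is. align_sigframe starts outside the hunk.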
17199 @@ -248,11 +248,11 @@ get_sigframe(struct k_sigaction *ka, str
17200 * Return an always-bogus address instead so we will die with SIGSEGV.
17201 */
17202 if (onsigstack && !likely(on_sig_stack(sp)))
17203 - return (void __user *)-1L;
17204 + return (__force void __user *)-1L;
17205
17206 /* save i387 state */
17207 if (used_math() && save_i387_xstate(*fpstate) < 0)
17208 - return (void __user *)-1L;
17209 + return (__force void __user *)-1L;
17210
17211 return (void __user *)sp;
17212 }
17213 @@ -307,9 +307,9 @@ __setup_frame(int sig, struct k_sigactio
17214 }
17215
17216 if (current->mm->context.vdso)
17217 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
17218 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
17219 else
17220 - restorer = &frame->retcode;
17221 + restorer = (void __user *)&frame->retcode;
17222 if (ka->sa.sa_flags & SA_RESTORER)
17223 restorer = ka->sa.sa_restorer;
17224
17225 @@ -323,7 +323,7 @@ __setup_frame(int sig, struct k_sigactio
17226 * reasons and because gdb uses it as a signature to notice
17227 * signal handler stack frames.
17228 */
17229 - err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
17230 + err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
17231
17232 if (err)
17233 return -EFAULT;
17234 @@ -377,7 +377,10 @@ static int __setup_rt_frame(int sig, str
17235 err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
17236
17237 /* Set up to return from userspace. */
17238 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
17239 + if (current->mm->context.vdso)
17240 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
17241 + else
17242 + restorer = (void __user *)&frame->retcode;
17243 if (ka->sa.sa_flags & SA_RESTORER)
17244 restorer = ka->sa.sa_restorer;
17245 put_user_ex(restorer, &frame->pretcode);
17246 @@ -389,7 +392,7 @@ static int __setup_rt_frame(int sig, str
17247 * reasons and because gdb uses it as a signature to notice
17248 * signal handler stack frames.
17249 */
17250 - put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
17251 + put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
17252 } put_user_catch(err);
17253
17254 if (err)
17255 @@ -782,6 +785,8 @@ static void do_signal(struct pt_regs *re
17256 int signr;
17257 sigset_t *oldset;
17258
17259 + pax_track_stack();
17260 +
17261 /*
17262 * We want the common case to go fast, which is why we may in certain
17263 * cases get here from kernel mode. Just return without doing anything
17264 @@ -789,7 +794,7 @@ static void do_signal(struct pt_regs *re
17265 * X86_32: vm86 regs switched out by assembly code before reaching
17266 * here, so testing against kernel CS suffices.
17267 */
17268 - if (!user_mode(regs))
17269 + if (!user_mode_novm(regs))
17270 return;
17271
17272 if (current_thread_info()->status & TS_RESTORE_SIGMASK)
17273 diff -urNp linux-2.6.32.46/arch/x86/kernel/smpboot.c linux-2.6.32.46/arch/x86/kernel/smpboot.c
17274 --- linux-2.6.32.46/arch/x86/kernel/smpboot.c 2011-03-27 14:31:47.000000000 -0400
17275 +++ linux-2.6.32.46/arch/x86/kernel/smpboot.c 2011-07-01 19:10:03.000000000 -0400
17276 @@ -94,14 +94,14 @@ static DEFINE_PER_CPU(struct task_struct
17277 */
17278 static DEFINE_MUTEX(x86_cpu_hotplug_driver_mutex);
17279
17280 -void cpu_hotplug_driver_lock()
17281 +void cpu_hotplug_driver_lock(void)
17282 {
17283 - mutex_lock(&x86_cpu_hotplug_driver_mutex);
17284 + mutex_lock(&x86_cpu_hotplug_driver_mutex);
17285 }
17286
17287 -void cpu_hotplug_driver_unlock()
17288 +void cpu_hotplug_driver_unlock(void)
17289 {
17290 - mutex_unlock(&x86_cpu_hotplug_driver_mutex);
17291 + mutex_unlock(&x86_cpu_hotplug_driver_mutex);
17292 }
17293
17294 ssize_t arch_cpu_probe(const char *buf, size_t count) { return -1; }
17295 @@ -625,7 +625,7 @@ wakeup_secondary_cpu_via_init(int phys_a
17296 * target processor state.
17297 */
17298 startup_ipi_hook(phys_apicid, (unsigned long) start_secondary,
17299 - (unsigned long)stack_start.sp);
17300 + stack_start);
17301
17302 /*
17303 * Run STARTUP IPI loop.
17304 @@ -743,6 +743,7 @@ static int __cpuinit do_boot_cpu(int api
17305 set_idle_for_cpu(cpu, c_idle.idle);
17306 do_rest:
17307 per_cpu(current_task, cpu) = c_idle.idle;
17308 + per_cpu(current_tinfo, cpu) = &c_idle.idle->tinfo;
17309 #ifdef CONFIG_X86_32
17310 /* Stack for startup_32 can be just as for start_secondary onwards */
17311 irq_ctx_init(cpu);
17312 @@ -750,13 +751,15 @@ do_rest:
17313 #else
17314 clear_tsk_thread_flag(c_idle.idle, TIF_FORK);
17315 initial_gs = per_cpu_offset(cpu);
17316 - per_cpu(kernel_stack, cpu) =
17317 - (unsigned long)task_stack_page(c_idle.idle) -
17318 - KERNEL_STACK_OFFSET + THREAD_SIZE;
17319 + per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(c_idle.idle) - 16 + THREAD_SIZE;
17320 #endif
17321 +
17322 + pax_open_kernel();
17323 early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
17324 + pax_close_kernel();
17325 +
17326 initial_code = (unsigned long)start_secondary;
17327 - stack_start.sp = (void *) c_idle.idle->thread.sp;
17328 + stack_start = c_idle.idle->thread.sp;
17329
17330 /* start_ip had better be page-aligned! */
17331 start_ip = setup_trampoline();
17332 @@ -891,6 +894,12 @@ int __cpuinit native_cpu_up(unsigned int
17333
17334 per_cpu(cpu_state, cpu) = CPU_UP_PREPARE;
17335
17336 +#ifdef CONFIG_PAX_PER_CPU_PGD
17337 + clone_pgd_range(get_cpu_pgd(cpu) + KERNEL_PGD_BOUNDARY,
17338 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
17339 + KERNEL_PGD_PTRS);
17340 +#endif
17341 +
17342 err = do_boot_cpu(apicid, cpu);
17343
17344 if (err) {
17345 diff -urNp linux-2.6.32.46/arch/x86/kernel/step.c linux-2.6.32.46/arch/x86/kernel/step.c
17346 --- linux-2.6.32.46/arch/x86/kernel/step.c 2011-03-27 14:31:47.000000000 -0400
17347 +++ linux-2.6.32.46/arch/x86/kernel/step.c 2011-04-17 15:56:46.000000000 -0400
17348 @@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struc
17349 struct desc_struct *desc;
17350 unsigned long base;
17351
17352 - seg &= ~7UL;
17353 + seg >>= 3;
17354
17355 mutex_lock(&child->mm->context.lock);
17356 - if (unlikely((seg >> 3) >= child->mm->context.size))
17357 + if (unlikely(seg >= child->mm->context.size))
17358 addr = -1L; /* bogus selector, access would fault */
17359 else {
17360 desc = child->mm->context.ldt + seg;
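Review bot: After `seg >>= 3`, the context line `desc = child->mm->context.ldt + seg;` adds a descriptor index where it previously added a byte offset (`seg &= ~7UL`). That is only correct if `context.ldt` is declared as a pointer to `struct desc_struct`; the declaration is not in this hunk, and with a `void *` the lookup would hit the wrong entry. Making the intent explicit would protect against that, e.g. `desc = &((struct desc_struct *)child->mm->context.ldt)[seg];`, or at least a comment `/* seg is an LDT index from here on */`. convert_ip_to_linear starts outside the hunk.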
17361 @@ -42,7 +42,8 @@ unsigned long convert_ip_to_linear(struc
17362 addr += base;
17363 }
17364 mutex_unlock(&child->mm->context.lock);
17365 - }
17366 + } else if (seg == __KERNEL_CS || seg == __KERNEXEC_KERNEL_CS)
17367 + addr = ktla_ktva(addr);
17368
17369 return addr;
17370 }
17371 @@ -53,6 +54,9 @@ static int is_setting_trap_flag(struct t
17372 unsigned char opcode[15];
17373 unsigned long addr = convert_ip_to_linear(child, regs);
17374
17375 + if (addr == -EINVAL)
17376 + return 0;
17377 +
17378 copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
17379 for (i = 0; i < copied; i++) {
17380 switch (opcode[i]) {
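Review bot: The added check `if (addr == -EINVAL)` does not match the error value that convert_ip_to_linear produces two hunks above, where the bogus-selector path still sets `addr = -1L`. Unless another path outside these hunks returns -EINVAL, the early return never fires and `access_process_vm()` is called with the bogus address as before. Either test the value actually returned, `if (addr == -1L)`, or change the producer to `addr = -EINVAL;` so both sides agree. is_setting_trap_flag continues outside the hunk.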
17381 @@ -74,7 +78,7 @@ static int is_setting_trap_flag(struct t
17382
17383 #ifdef CONFIG_X86_64
17384 case 0x40 ... 0x4f:
17385 - if (regs->cs != __USER_CS)
17386 + if ((regs->cs & 0xffff) != __USER_CS)
17387 /* 32-bit mode: register increment */
17388 return 0;
17389 /* 64-bit mode: REX prefix */
17390 diff -urNp linux-2.6.32.46/arch/x86/kernel/syscall_table_32.S linux-2.6.32.46/arch/x86/kernel/syscall_table_32.S
17391 --- linux-2.6.32.46/arch/x86/kernel/syscall_table_32.S 2011-03-27 14:31:47.000000000 -0400
17392 +++ linux-2.6.32.46/arch/x86/kernel/syscall_table_32.S 2011-04-17 15:56:46.000000000 -0400
17393 @@ -1,3 +1,4 @@
17394 +.section .rodata,"a",@progbits
17395 ENTRY(sys_call_table)
17396 .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
17397 .long sys_exit
17398 diff -urNp linux-2.6.32.46/arch/x86/kernel/sys_i386_32.c linux-2.6.32.46/arch/x86/kernel/sys_i386_32.c
17399 --- linux-2.6.32.46/arch/x86/kernel/sys_i386_32.c 2011-03-27 14:31:47.000000000 -0400
17400 +++ linux-2.6.32.46/arch/x86/kernel/sys_i386_32.c 2011-04-17 15:56:46.000000000 -0400
17401 @@ -24,6 +24,21 @@
17402
17403 #include <asm/syscalls.h>
17404
17405 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
17406 +{
17407 + unsigned long pax_task_size = TASK_SIZE;
17408 +
17409 +#ifdef CONFIG_PAX_SEGMEXEC
17410 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
17411 + pax_task_size = SEGMEXEC_TASK_SIZE;
17412 +#endif
17413 +
17414 + if (len > pax_task_size || addr > pax_task_size - len)
17415 + return -EINVAL;
17416 +
17417 + return 0;
17418 +}
17419 +
17420 /*
17421 * Perform the select(nd, in, out, ex, tv) and mmap() system
17422 * calls. Linux/i386 didn't use to be able to handle more than
17423 @@ -58,6 +73,212 @@ out:
17424 return err;
17425 }
17426
17427 +unsigned long
17428 +arch_get_unmapped_area(struct file *filp, unsigned long addr,
17429 + unsigned long len, unsigned long pgoff, unsigned long flags)
17430 +{
17431 + struct mm_struct *mm = current->mm;
17432 + struct vm_area_struct *vma;
17433 + unsigned long start_addr, pax_task_size = TASK_SIZE;
17434 +
17435 +#ifdef CONFIG_PAX_SEGMEXEC
17436 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
17437 + pax_task_size = SEGMEXEC_TASK_SIZE;
17438 +#endif
17439 +
17440 + pax_task_size -= PAGE_SIZE;
17441 +
17442 + if (len > pax_task_size)
17443 + return -ENOMEM;
17444 +
17445 + if (flags & MAP_FIXED)
17446 + return addr;
17447 +
17448 +#ifdef CONFIG_PAX_RANDMMAP
17449 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
17450 +#endif
17451 +
17452 + if (addr) {
17453 + addr = PAGE_ALIGN(addr);
17454 + if (pax_task_size - len >= addr) {
17455 + vma = find_vma(mm, addr);
17456 + if (check_heap_stack_gap(vma, addr, len))
17457 + return addr;
17458 + }
17459 + }
17460 + if (len > mm->cached_hole_size) {
17461 + start_addr = addr = mm->free_area_cache;
17462 + } else {
17463 + start_addr = addr = mm->mmap_base;
17464 + mm->cached_hole_size = 0;
17465 + }
17466 +
17467 +#ifdef CONFIG_PAX_PAGEEXEC
17468 + if (!nx_enabled && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
17469 + start_addr = 0x00110000UL;
17470 +
17471 +#ifdef CONFIG_PAX_RANDMMAP
17472 + if (mm->pax_flags & MF_PAX_RANDMMAP)
17473 + start_addr += mm->delta_mmap & 0x03FFF000UL;
17474 +#endif
17475 +
17476 + if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
17477 + start_addr = addr = mm->mmap_base;
17478 + else
17479 + addr = start_addr;
17480 + }
17481 +#endif
17482 +
17483 +full_search:
17484 + for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
17485 + /* At this point: (!vma || addr < vma->vm_end). */
17486 + if (pax_task_size - len < addr) {
17487 + /*
17488 + * Start a new search - just in case we missed
17489 + * some holes.
17490 + */
17491 + if (start_addr != mm->mmap_base) {
17492 + start_addr = addr = mm->mmap_base;
17493 + mm->cached_hole_size = 0;
17494 + goto full_search;
17495 + }
17496 + return -ENOMEM;
17497 + }
17498 + if (check_heap_stack_gap(vma, addr, len))
17499 + break;
17500 + if (addr + mm->cached_hole_size < vma->vm_start)
17501 + mm->cached_hole_size = vma->vm_start - addr;
17502 + addr = vma->vm_end;
17503 + if (mm->start_brk <= addr && addr < mm->mmap_base) {
17504 + start_addr = addr = mm->mmap_base;
17505 + mm->cached_hole_size = 0;
17506 + goto full_search;
17507 + }
17508 + }
17509 +
17510 + /*
17511 + * Remember the place where we stopped the search:
17512 + */
17513 + mm->free_area_cache = addr + len;
17514 + return addr;
17515 +}
17516 +
17517 +unsigned long
17518 +arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
17519 + const unsigned long len, const unsigned long pgoff,
17520 + const unsigned long flags)
17521 +{
17522 + struct vm_area_struct *vma;
17523 + struct mm_struct *mm = current->mm;
17524 + unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
17525 +
17526 +#ifdef CONFIG_PAX_SEGMEXEC
17527 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
17528 + pax_task_size = SEGMEXEC_TASK_SIZE;
17529 +#endif
17530 +
17531 + pax_task_size -= PAGE_SIZE;
17532 +
17533 + /* requested length too big for entire address space */
17534 + if (len > pax_task_size)
17535 + return -ENOMEM;
17536 +
17537 + if (flags & MAP_FIXED)
17538 + return addr;
17539 +
17540 +#ifdef CONFIG_PAX_PAGEEXEC
17541 + if (!nx_enabled && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
17542 + goto bottomup;
17543 +#endif
17544 +
17545 +#ifdef CONFIG_PAX_RANDMMAP
17546 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
17547 +#endif
17548 +
17549 + /* requesting a specific address */
17550 + if (addr) {
17551 + addr = PAGE_ALIGN(addr);
17552 + if (pax_task_size - len >= addr) {
17553 + vma = find_vma(mm, addr);
17554 + if (check_heap_stack_gap(vma, addr, len))
17555 + return addr;
17556 + }
17557 + }
17558 +
17559 + /* check if free_area_cache is useful for us */
17560 + if (len <= mm->cached_hole_size) {
17561 + mm->cached_hole_size = 0;
17562 + mm->free_area_cache = mm->mmap_base;
17563 + }
17564 +
17565 + /* either no address requested or can't fit in requested address hole */
17566 + addr = mm->free_area_cache;
17567 +
17568 + /* make sure it can fit in the remaining address space */
17569 + if (addr > len) {
17570 + vma = find_vma(mm, addr-len);
17571 + if (check_heap_stack_gap(vma, addr - len, len))
17572 + /* remember the address as a hint for next time */
17573 + return (mm->free_area_cache = addr-len);
17574 + }
17575 +
17576 + if (mm->mmap_base < len)
17577 + goto bottomup;
17578 +
17579 + addr = mm->mmap_base-len;
17580 +
17581 + do {
17582 + /*
17583 + * Lookup failure means no vma is above this address,
17584 + * else if new region fits below vma->vm_start,
17585 + * return with success:
17586 + */
17587 + vma = find_vma(mm, addr);
17588 + if (check_heap_stack_gap(vma, addr, len))
17589 + /* remember the address as a hint for next time */
17590 + return (mm->free_area_cache = addr);
17591 +
17592 + /* remember the largest hole we saw so far */
17593 + if (addr + mm->cached_hole_size < vma->vm_start)
17594 + mm->cached_hole_size = vma->vm_start - addr;
17595 +
17596 + /* try just below the current vma->vm_start */
17597 + addr = skip_heap_stack_gap(vma, len);
17598 + } while (!IS_ERR_VALUE(addr));
17599 +
17600 +bottomup:
17601 + /*
17602 + * A failed mmap() very likely causes application failure,
17603 + * so fall back to the bottom-up function here. This scenario
17604 + * can happen with large stack limits and large mmap()
17605 + * allocations.
17606 + */
17607 +
17608 +#ifdef CONFIG_PAX_SEGMEXEC
17609 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
17610 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
17611 + else
17612 +#endif
17613 +
17614 + mm->mmap_base = TASK_UNMAPPED_BASE;
17615 +
17616 +#ifdef CONFIG_PAX_RANDMMAP
17617 + if (mm->pax_flags & MF_PAX_RANDMMAP)
17618 + mm->mmap_base += mm->delta_mmap;
17619 +#endif
17620 +
17621 + mm->free_area_cache = mm->mmap_base;
17622 + mm->cached_hole_size = ~0UL;
17623 + addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
17624 + /*
17625 + * Restore the topdown base:
17626 + */
17627 + mm->mmap_base = base;
17628 + mm->free_area_cache = base;
17629 + mm->cached_hole_size = ~0UL;
17630 +
17631 + return addr;
17632 +}
17633
17634 struct sel_arg_struct {
17635 unsigned long n;
17636 @@ -93,7 +314,7 @@ asmlinkage int sys_ipc(uint call, int fi
17637 return sys_semtimedop(first, (struct sembuf __user *)ptr, second, NULL);
17638 case SEMTIMEDOP:
17639 return sys_semtimedop(first, (struct sembuf __user *)ptr, second,
17640 - (const struct timespec __user *)fifth);
17641 + (__force const struct timespec __user *)fifth);
17642
17643 case SEMGET:
17644 return sys_semget(first, second, third);
17645 @@ -140,7 +361,7 @@ asmlinkage int sys_ipc(uint call, int fi
17646 ret = do_shmat(first, (char __user *) ptr, second, &raddr);
17647 if (ret)
17648 return ret;
17649 - return put_user(raddr, (ulong __user *) third);
17650 + return put_user(raddr, (__force ulong __user *) third);
17651 }
17652 case 1: /* iBCS2 emulator entry point */
17653 if (!segment_eq(get_fs(), get_ds()))
17654 @@ -207,17 +428,3 @@ asmlinkage int sys_olduname(struct oldol
17655
17656 return error;
17657 }
17658 -
17659 -
17660 -/*
17661 - * Do a system call from kernel instead of calling sys_execve so we
17662 - * end up with proper pt_regs.
17663 - */
17664 -int kernel_execve(const char *filename, char *const argv[], char *const envp[])
17665 -{
17666 - long __res;
17667 - asm volatile ("push %%ebx ; movl %2,%%ebx ; int $0x80 ; pop %%ebx"
17668 - : "=a" (__res)
17669 - : "0" (__NR_execve), "ri" (filename), "c" (argv), "d" (envp) : "memory");
17670 - return __res;
17671 -}
17672 diff -urNp linux-2.6.32.46/arch/x86/kernel/sys_x86_64.c linux-2.6.32.46/arch/x86/kernel/sys_x86_64.c
17673 --- linux-2.6.32.46/arch/x86/kernel/sys_x86_64.c 2011-03-27 14:31:47.000000000 -0400
17674 +++ linux-2.6.32.46/arch/x86/kernel/sys_x86_64.c 2011-04-17 15:56:46.000000000 -0400
17675 @@ -32,8 +32,8 @@ out:
17676 return error;
17677 }
17678
17679 -static void find_start_end(unsigned long flags, unsigned long *begin,
17680 - unsigned long *end)
17681 +static void find_start_end(struct mm_struct *mm, unsigned long flags,
17682 + unsigned long *begin, unsigned long *end)
17683 {
17684 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
17685 unsigned long new_begin;
17686 @@ -52,7 +52,7 @@ static void find_start_end(unsigned long
17687 *begin = new_begin;
17688 }
17689 } else {
17690 - *begin = TASK_UNMAPPED_BASE;
17691 + *begin = mm->mmap_base;
17692 *end = TASK_SIZE;
17693 }
17694 }
17695 @@ -69,16 +69,19 @@ arch_get_unmapped_area(struct file *filp
17696 if (flags & MAP_FIXED)
17697 return addr;
17698
17699 - find_start_end(flags, &begin, &end);
17700 + find_start_end(mm, flags, &begin, &end);
17701
17702 if (len > end)
17703 return -ENOMEM;
17704
17705 +#ifdef CONFIG_PAX_RANDMMAP
17706 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
17707 +#endif
17708 +
17709 if (addr) {
17710 addr = PAGE_ALIGN(addr);
17711 vma = find_vma(mm, addr);
17712 - if (end - len >= addr &&
17713 - (!vma || addr + len <= vma->vm_start))
17714 + if (end - len >= addr && check_heap_stack_gap(vma, addr, len))
17715 return addr;
17716 }
17717 if (((flags & MAP_32BIT) || test_thread_flag(TIF_IA32))
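Review bot: The added `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` has no body of its own; it governs the following `if (addr) { ... }` across the `#endif` and a blank line, so the control flow silently changes if a statement is ever inserted between them. Putting the guard and the hint-address block under one explicit condition would keep both configurations readable. The intent should also be recorded with a comment such as `/* under RANDMMAP the caller's address hint is not honoured */`, which is what the code does but the hunk never states. The same construct recurs in the arch_get_unmapped_area_topdown hunk below, where a comment line already sits between the guard and the `if`, and as a dangling `else` before `die("general protection fault", ...)` in the traps.c gp_in_kernel hunk. arch_get_unmapped_area starts and ends outside this hunk.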
17718 @@ -106,7 +109,7 @@ full_search:
17719 }
17720 return -ENOMEM;
17721 }
17722 - if (!vma || addr + len <= vma->vm_start) {
17723 + if (check_heap_stack_gap(vma, addr, len)) {
17724 /*
17725 * Remember the place where we stopped the search:
17726 */
17727 @@ -128,7 +131,7 @@ arch_get_unmapped_area_topdown(struct fi
17728 {
17729 struct vm_area_struct *vma;
17730 struct mm_struct *mm = current->mm;
17731 - unsigned long addr = addr0;
17732 + unsigned long base = mm->mmap_base, addr = addr0;
17733
17734 /* requested length too big for entire address space */
17735 if (len > TASK_SIZE)
17736 @@ -141,13 +144,18 @@ arch_get_unmapped_area_topdown(struct fi
17737 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
17738 goto bottomup;
17739
17740 +#ifdef CONFIG_PAX_RANDMMAP
17741 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
17742 +#endif
17743 +
17744 /* requesting a specific address */
17745 if (addr) {
17746 addr = PAGE_ALIGN(addr);
17747 - vma = find_vma(mm, addr);
17748 - if (TASK_SIZE - len >= addr &&
17749 - (!vma || addr + len <= vma->vm_start))
17750 - return addr;
17751 + if (TASK_SIZE - len >= addr) {
17752 + vma = find_vma(mm, addr);
17753 + if (check_heap_stack_gap(vma, addr, len))
17754 + return addr;
17755 + }
17756 }
17757
17758 /* check if free_area_cache is useful for us */
17759 @@ -162,7 +170,7 @@ arch_get_unmapped_area_topdown(struct fi
17760 /* make sure it can fit in the remaining address space */
17761 if (addr > len) {
17762 vma = find_vma(mm, addr-len);
17763 - if (!vma || addr <= vma->vm_start)
17764 + if (check_heap_stack_gap(vma, addr - len, len))
17765 /* remember the address as a hint for next time */
17766 return mm->free_area_cache = addr-len;
17767 }
17768 @@ -179,7 +187,7 @@ arch_get_unmapped_area_topdown(struct fi
17769 * return with success:
17770 */
17771 vma = find_vma(mm, addr);
17772 - if (!vma || addr+len <= vma->vm_start)
17773 + if (check_heap_stack_gap(vma, addr, len))
17774 /* remember the address as a hint for next time */
17775 return mm->free_area_cache = addr;
17776
17777 @@ -188,8 +196,8 @@ arch_get_unmapped_area_topdown(struct fi
17778 mm->cached_hole_size = vma->vm_start - addr;
17779
17780 /* try just below the current vma->vm_start */
17781 - addr = vma->vm_start-len;
17782 - } while (len < vma->vm_start);
17783 + addr = skip_heap_stack_gap(vma, len);
17784 + } while (!IS_ERR_VALUE(addr));
17785
17786 bottomup:
17787 /*
17788 @@ -198,13 +206,21 @@ bottomup:
17789 * can happen with large stack limits and large mmap()
17790 * allocations.
17791 */
17792 + mm->mmap_base = TASK_UNMAPPED_BASE;
17793 +
17794 +#ifdef CONFIG_PAX_RANDMMAP
17795 + if (mm->pax_flags & MF_PAX_RANDMMAP)
17796 + mm->mmap_base += mm->delta_mmap;
17797 +#endif
17798 +
17799 + mm->free_area_cache = mm->mmap_base;
17800 mm->cached_hole_size = ~0UL;
17801 - mm->free_area_cache = TASK_UNMAPPED_BASE;
17802 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
17803 /*
17804 * Restore the topdown base:
17805 */
17806 - mm->free_area_cache = mm->mmap_base;
17807 + mm->mmap_base = base;
17808 + mm->free_area_cache = base;
17809 mm->cached_hole_size = ~0UL;
17810
17811 return addr;
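Review bot: `mm->mmap_base` is now overwritten for the duration of the bottom-up call and put back from `base` afterwards, but the only comment still reads "Restore the topdown base" and does not say that the field itself is being swapped. Anything else that reads `mm->mmap_base` in that window would see the bottom-up value. Whether the caller holds a lock that rules this out is not visible in the hunk. A comment at the assignment, for example `/* temporary: find_start_end() reads mm->mmap_base; restored below */`, plus a statement of the locking assumption, would make the save/restore pair safe to maintain. The function's start is outside this hunk.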
17812 diff -urNp linux-2.6.32.46/arch/x86/kernel/tboot.c linux-2.6.32.46/arch/x86/kernel/tboot.c
17813 --- linux-2.6.32.46/arch/x86/kernel/tboot.c 2011-03-27 14:31:47.000000000 -0400
17814 +++ linux-2.6.32.46/arch/x86/kernel/tboot.c 2011-05-22 23:02:03.000000000 -0400
17815 @@ -216,7 +216,7 @@ static int tboot_setup_sleep(void)
17816
17817 void tboot_shutdown(u32 shutdown_type)
17818 {
17819 - void (*shutdown)(void);
17820 + void (* __noreturn shutdown)(void);
17821
17822 if (!tboot_enabled())
17823 return;
17824 @@ -238,7 +238,7 @@ void tboot_shutdown(u32 shutdown_type)
17825
17826 switch_to_tboot_pt();
17827
17828 - shutdown = (void(*)(void))(unsigned long)tboot->shutdown_entry;
17829 + shutdown = (void *)tboot->shutdown_entry;
17830 shutdown();
17831
17832 /* should not reach here */
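Review bot: The new cast `(void *)tboot->shutdown_entry` drops the `(unsigned long)` widening step that the removed line had. The declaration of shutdown_entry is outside the hunk, but if it is an integer narrower than a pointer this becomes an integer-to-pointer cast of different size on 64-bit builds, which compilers warn about. `shutdown = (void *)(unsigned long)tboot->shutdown_entry;` keeps the shorter form without that. Since the value is called on the very next line, a short comment naming where shutdown_entry is populated and validated would also help a reader judge the indirect call. tboot_shutdown continues outside the hunk.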
17833 @@ -295,7 +295,7 @@ void tboot_sleep(u8 sleep_state, u32 pm1
17834 tboot_shutdown(acpi_shutdown_map[sleep_state]);
17835 }
17836
17837 -static atomic_t ap_wfs_count;
17838 +static atomic_unchecked_t ap_wfs_count;
17839
17840 static int tboot_wait_for_aps(int num_aps)
17841 {
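Review bot: `ap_wfs_count` is switched to `atomic_unchecked_t` without a comment saying why it is exempt from the overflow checking that the plain `atomic_t` presumably receives in this tree. A one-line justification at the declaration, e.g. `/* counts APs in wait-for-SIPI, not a reference count: wrap is harmless */`, would let a later audit of the unchecked counters confirm the choice instead of rediscovering it. The wording should be checked against how the counter is actually used, since only part of that is visible here. The same applies to the `atomic_inc_unchecked`/`atomic_read_unchecked` and `atomic_set_unchecked` call sites in the two tboot hunks that follow.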
17842 @@ -319,9 +319,9 @@ static int __cpuinit tboot_cpu_callback(
17843 {
17844 switch (action) {
17845 case CPU_DYING:
17846 - atomic_inc(&ap_wfs_count);
17847 + atomic_inc_unchecked(&ap_wfs_count);
17848 if (num_online_cpus() == 1)
17849 - if (tboot_wait_for_aps(atomic_read(&ap_wfs_count)))
17850 + if (tboot_wait_for_aps(atomic_read_unchecked(&ap_wfs_count)))
17851 return NOTIFY_BAD;
17852 break;
17853 }
17854 @@ -340,7 +340,7 @@ static __init int tboot_late_init(void)
17855
17856 tboot_create_trampoline();
17857
17858 - atomic_set(&ap_wfs_count, 0);
17859 + atomic_set_unchecked(&ap_wfs_count, 0);
17860 register_hotcpu_notifier(&tboot_cpu_notifier);
17861 return 0;
17862 }
17863 diff -urNp linux-2.6.32.46/arch/x86/kernel/time.c linux-2.6.32.46/arch/x86/kernel/time.c
17864 --- linux-2.6.32.46/arch/x86/kernel/time.c 2011-03-27 14:31:47.000000000 -0400
17865 +++ linux-2.6.32.46/arch/x86/kernel/time.c 2011-04-17 15:56:46.000000000 -0400
17866 @@ -26,17 +26,13 @@
17867 int timer_ack;
17868 #endif
17869
17870 -#ifdef CONFIG_X86_64
17871 -volatile unsigned long __jiffies __section_jiffies = INITIAL_JIFFIES;
17872 -#endif
17873 -
17874 unsigned long profile_pc(struct pt_regs *regs)
17875 {
17876 unsigned long pc = instruction_pointer(regs);
17877
17878 - if (!user_mode_vm(regs) && in_lock_functions(pc)) {
17879 + if (!user_mode(regs) && in_lock_functions(pc)) {
17880 #ifdef CONFIG_FRAME_POINTER
17881 - return *(unsigned long *)(regs->bp + sizeof(long));
17882 + return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
17883 #else
17884 unsigned long *sp =
17885 (unsigned long *)kernel_stack_pointer(regs);
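Review bot: `user_mode_vm(regs)` becomes `user_mode(regs)` here, while the traps.c hunks of the same patch turn `user_mode(regs)` into `user_mode_novm(regs)`. This suggests the patch redefines `user_mode()` to include the vm86 case, the reverse of the helper names this code used before. The definitions are outside this view, so that is an inference. To a reader who knows the old names, this call site reads as a weakened check. A comment at the redefinition, and a brief one here such as `/* user_mode() covers vm86 mode in this tree */`, would prevent the change being misread or "fixed" back. profile_pc continues in the next hunk.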
17886 @@ -45,11 +41,17 @@ unsigned long profile_pc(struct pt_regs
17887 * or above a saved flags. Eflags has bits 22-31 zero,
17888 * kernel addresses don't.
17889 */
17890 +
17891 +#ifdef CONFIG_PAX_KERNEXEC
17892 + return ktla_ktva(sp[0]);
17893 +#else
17894 if (sp[0] >> 22)
17895 return sp[0];
17896 if (sp[1] >> 22)
17897 return sp[1];
17898 #endif
17899 +
17900 +#endif
17901 }
17902 return pc;
17903 }
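Review bot: Under `CONFIG_PAX_KERNEXEC` the non-frame-pointer path returns `ktla_ktva(sp[0])` unconditionally, skipping the `>> 22` test that the comment just above describes for telling a return address from saved eflags. If `sp[0]` holds saved flags, the profiler is handed a translated flags value as a pc. Presumably the heuristic cannot be used once kernel text addresses no longer have the high bits set, but that should be stated in a comment next to the new branch. The two closing directives are also hard to pair up; `#endif /* CONFIG_PAX_KERNEXEC */` and `#endif /* CONFIG_FRAME_POINTER */` would fix that.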
17904 diff -urNp linux-2.6.32.46/arch/x86/kernel/tls.c linux-2.6.32.46/arch/x86/kernel/tls.c
17905 --- linux-2.6.32.46/arch/x86/kernel/tls.c 2011-03-27 14:31:47.000000000 -0400
17906 +++ linux-2.6.32.46/arch/x86/kernel/tls.c 2011-04-17 15:56:46.000000000 -0400
17907 @@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc
17908 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
17909 return -EINVAL;
17910
17911 +#ifdef CONFIG_PAX_SEGMEXEC
17912 + if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
17913 + return -EINVAL;
17914 +#endif
17915 +
17916 set_tls_desc(p, idx, &info, 1);
17917
17918 return 0;
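Review bot: The new check dereferences `p->mm` without testing it, whereas the PAGEEXEC block added to do_general_protection in this same patch writes `tsk->mm && (tsk->mm->pax_flags & ...)`. If do_set_thread_area can be reached for a task without an mm (the callers are not visible here), this is a NULL dereference in kernel context. `if (p->mm && (p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))` makes the two sites consistent. A comment saying that code-type TLS descriptors are refused under SEGMEXEC, and why, would document the policy being enforced.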
17919 diff -urNp linux-2.6.32.46/arch/x86/kernel/trampoline_32.S linux-2.6.32.46/arch/x86/kernel/trampoline_32.S
17920 --- linux-2.6.32.46/arch/x86/kernel/trampoline_32.S 2011-03-27 14:31:47.000000000 -0400
17921 +++ linux-2.6.32.46/arch/x86/kernel/trampoline_32.S 2011-04-17 15:56:46.000000000 -0400
17922 @@ -32,6 +32,12 @@
17923 #include <asm/segment.h>
17924 #include <asm/page_types.h>
17925
17926 +#ifdef CONFIG_PAX_KERNEXEC
17927 +#define ta(X) (X)
17928 +#else
17929 +#define ta(X) ((X) - __PAGE_OFFSET)
17930 +#endif
17931 +
17932 /* We can free up trampoline after bootup if cpu hotplug is not supported. */
17933 __CPUINITRODATA
17934 .code16
17935 @@ -60,7 +66,7 @@ r_base = .
17936 inc %ax # protected mode (PE) bit
17937 lmsw %ax # into protected mode
17938 # flush prefetch and jump to startup_32_smp in arch/i386/kernel/head.S
17939 - ljmpl $__BOOT_CS, $(startup_32_smp-__PAGE_OFFSET)
17940 + ljmpl $__BOOT_CS, $ta(startup_32_smp)
17941
17942 # These need to be in the same 64K segment as the above;
17943 # hence we don't use the boot_gdt_descr defined in head.S
17944 diff -urNp linux-2.6.32.46/arch/x86/kernel/trampoline_64.S linux-2.6.32.46/arch/x86/kernel/trampoline_64.S
17945 --- linux-2.6.32.46/arch/x86/kernel/trampoline_64.S 2011-03-27 14:31:47.000000000 -0400
17946 +++ linux-2.6.32.46/arch/x86/kernel/trampoline_64.S 2011-07-01 18:53:26.000000000 -0400
17947 @@ -91,7 +91,7 @@ startup_32:
17948 movl $__KERNEL_DS, %eax # Initialize the %ds segment register
17949 movl %eax, %ds
17950
17951 - movl $X86_CR4_PAE, %eax
17952 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
17953 movl %eax, %cr4 # Enable PAE mode
17954
17955 # Setup trampoline 4 level pagetables
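Review bot: The comment on the `%cr4` write still says "Enable PAE mode", but the value loaded is now `X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE`. The stale comment hides that the secondary-CPU trampoline also turns on large pages and global pages at this point. It should read something like `# Enable PSE, PAE and PGE`, with a short note on why the two extra bits are needed this early.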
17956 @@ -127,7 +127,7 @@ startup_64:
17957 no_longmode:
17958 hlt
17959 jmp no_longmode
17960 -#include "verify_cpu_64.S"
17961 +#include "verify_cpu.S"
17962
17963 # Careful these need to be in the same 64K segment as the above;
17964 tidt:
17965 @@ -138,7 +138,7 @@ tidt:
17966 # so the kernel can live anywhere
17967 .balign 4
17968 tgdt:
17969 - .short tgdt_end - tgdt # gdt limit
17970 + .short tgdt_end - tgdt - 1 # gdt limit
17971 .long tgdt - r_base
17972 .short 0
17973 .quad 0x00cf9b000000ffff # __KERNEL32_CS
17974 diff -urNp linux-2.6.32.46/arch/x86/kernel/traps.c linux-2.6.32.46/arch/x86/kernel/traps.c
17975 --- linux-2.6.32.46/arch/x86/kernel/traps.c 2011-03-27 14:31:47.000000000 -0400
17976 +++ linux-2.6.32.46/arch/x86/kernel/traps.c 2011-07-06 19:53:33.000000000 -0400
17977 @@ -69,12 +69,6 @@ asmlinkage int system_call(void);
17978
17979 /* Do we ignore FPU interrupts ? */
17980 char ignore_fpu_irq;
17981 -
17982 -/*
17983 - * The IDT has to be page-aligned to simplify the Pentium
17984 - * F0 0F bug workaround.
17985 - */
17986 -gate_desc idt_table[NR_VECTORS] __page_aligned_data = { { { { 0, 0 } } }, };
17987 #endif
17988
17989 DECLARE_BITMAP(used_vectors, NR_VECTORS);
17990 @@ -112,19 +106,19 @@ static inline void preempt_conditional_c
17991 static inline void
17992 die_if_kernel(const char *str, struct pt_regs *regs, long err)
17993 {
17994 - if (!user_mode_vm(regs))
17995 + if (!user_mode(regs))
17996 die(str, regs, err);
17997 }
17998 #endif
17999
18000 static void __kprobes
18001 -do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
18002 +do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
18003 long error_code, siginfo_t *info)
18004 {
18005 struct task_struct *tsk = current;
18006
18007 #ifdef CONFIG_X86_32
18008 - if (regs->flags & X86_VM_MASK) {
18009 + if (v8086_mode(regs)) {
18010 /*
18011 * traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
18012 * On nmi (interrupt 2), do_trap should not be called.
18013 @@ -135,7 +129,7 @@ do_trap(int trapnr, int signr, char *str
18014 }
18015 #endif
18016
18017 - if (!user_mode(regs))
18018 + if (!user_mode_novm(regs))
18019 goto kernel_trap;
18020
18021 #ifdef CONFIG_X86_32
18022 @@ -158,7 +152,7 @@ trap_signal:
18023 printk_ratelimit()) {
18024 printk(KERN_INFO
18025 "%s[%d] trap %s ip:%lx sp:%lx error:%lx",
18026 - tsk->comm, tsk->pid, str,
18027 + tsk->comm, task_pid_nr(tsk), str,
18028 regs->ip, regs->sp, error_code);
18029 print_vma_addr(" in ", regs->ip);
18030 printk("\n");
18031 @@ -175,8 +169,20 @@ kernel_trap:
18032 if (!fixup_exception(regs)) {
18033 tsk->thread.error_code = error_code;
18034 tsk->thread.trap_no = trapnr;
18035 +
18036 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18037 + if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
18038 + str = "PAX: suspicious stack segment fault";
18039 +#endif
18040 +
18041 die(str, regs, error_code);
18042 }
18043 +
18044 +#ifdef CONFIG_PAX_REFCOUNT
18045 + if (trapnr == 4)
18046 + pax_report_refcount_overflow(regs);
18047 +#endif
18048 +
18049 return;
18050
18051 #ifdef CONFIG_X86_32
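Review bot: The two added tests use bare vector numbers, `trapnr == 12` and `trapnr == 4`, with no hint of which exceptions they are. Comments such as `/* 12: stack-segment fault */` and `/* 4: overflow trap, used to signal a refcount overflow */` would make the security reporting path auditable; the second wording is inferred from the `pax_report_refcount_overflow()` call and should be confirmed. It is also worth stating that `pax_report_refcount_overflow(regs)` runs only on the path where `fixup_exception()` succeeded or `die()` returned. do_trap starts outside this hunk.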
18052 @@ -265,14 +271,30 @@ do_general_protection(struct pt_regs *re
18053 conditional_sti(regs);
18054
18055 #ifdef CONFIG_X86_32
18056 - if (regs->flags & X86_VM_MASK)
18057 + if (v8086_mode(regs))
18058 goto gp_in_vm86;
18059 #endif
18060
18061 tsk = current;
18062 - if (!user_mode(regs))
18063 + if (!user_mode_novm(regs))
18064 goto gp_in_kernel;
18065
18066 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
18067 + if (!nx_enabled && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
18068 + struct mm_struct *mm = tsk->mm;
18069 + unsigned long limit;
18070 +
18071 + down_write(&mm->mmap_sem);
18072 + limit = mm->context.user_cs_limit;
18073 + if (limit < TASK_SIZE) {
18074 + track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
18075 + up_write(&mm->mmap_sem);
18076 + return;
18077 + }
18078 + up_write(&mm->mmap_sem);
18079 + }
18080 +#endif
18081 +
18082 tsk->thread.error_code = error_code;
18083 tsk->thread.trap_no = 13;
18084
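Review bot: The early `return` after `track_exec_limit()` leaves the handler without delivering a signal and without recording `error_code`/`trap_no`. That is only correct if the faulting instruction is meant to be re-executed under the widened limit, and nothing in the hunk says so. A comment such as `/* limit raised to TASK_SIZE: return to retry the instruction; a second fault falls through to SIGSEGV */` would document the intended single retry. That wording is inferred from the `limit < TASK_SIZE` test and should be confirmed against track_exec_limit(), which is defined elsewhere. The duplicated `up_write(&mm->mmap_sem)` would read more safely as a single unlock after recording whether the limit was raised.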
18085 @@ -305,6 +327,13 @@ gp_in_kernel:
18086 if (notify_die(DIE_GPF, "general protection fault", regs,
18087 error_code, 13, SIGSEGV) == NOTIFY_STOP)
18088 return;
18089 +
18090 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18091 + if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
18092 + die("PAX: suspicious general protection fault", regs, error_code);
18093 + else
18094 +#endif
18095 +
18096 die("general protection fault", regs, error_code);
18097 }
18098
18099 @@ -435,6 +464,17 @@ static notrace __kprobes void default_do
18100 dotraplinkage notrace __kprobes void
18101 do_nmi(struct pt_regs *regs, long error_code)
18102 {
18103 +
18104 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18105 + if (!user_mode(regs)) {
18106 + unsigned long cs = regs->cs & 0xFFFF;
18107 + unsigned long ip = ktva_ktla(regs->ip);
18108 +
18109 + if ((cs == __KERNEL_CS || cs == __KERNEXEC_KERNEL_CS) && ip <= (unsigned long)_etext)
18110 + regs->ip = ip;
18111 + }
18112 +#endif
18113 +
18114 nmi_enter();
18115
18116 inc_irq_stat(__nmi_count);
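Review bot: The added block rewrites `regs->ip` before `nmi_enter()` with no comment explaining the address translation or why it is limited to the two kernel code selectors. The range test also has only an upper bound, `ip <= (unsigned long)_etext`, which accepts `_etext` itself and any low value. If a lower bound at the start of kernel text is intended, it is missing; if not, the comment should say why the upper bound alone is enough. Neither can be settled from the hunk, so this is a request for documentation rather than a confirmed defect. do_nmi continues outside the hunk.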
18117 @@ -558,7 +598,7 @@ dotraplinkage void __kprobes do_debug(st
18118 }
18119
18120 #ifdef CONFIG_X86_32
18121 - if (regs->flags & X86_VM_MASK)
18122 + if (v8086_mode(regs))
18123 goto debug_vm86;
18124 #endif
18125
18126 @@ -570,7 +610,7 @@ dotraplinkage void __kprobes do_debug(st
18127 * kernel space (but re-enable TF when returning to user mode).
18128 */
18129 if (condition & DR_STEP) {
18130 - if (!user_mode(regs))
18131 + if (!user_mode_novm(regs))
18132 goto clear_TF_reenable;
18133 }
18134
18135 @@ -757,7 +797,7 @@ do_simd_coprocessor_error(struct pt_regs
18136 * Handle strange cache flush from user space exception
18137 * in all other cases. This is undocumented behaviour.
18138 */
18139 - if (regs->flags & X86_VM_MASK) {
18140 + if (v8086_mode(regs)) {
18141 handle_vm86_fault((struct kernel_vm86_regs *)regs, error_code);
18142 return;
18143 }
18144 @@ -798,7 +838,7 @@ asmlinkage void __attribute__((weak)) sm
18145 void __math_state_restore(void)
18146 {
18147 struct thread_info *thread = current_thread_info();
18148 - struct task_struct *tsk = thread->task;
18149 + struct task_struct *tsk = current;
18150
18151 /*
18152 * Paranoid restore. send a SIGSEGV if we fail to restore the state.
18153 @@ -825,8 +865,7 @@ void __math_state_restore(void)
18154 */
18155 asmlinkage void math_state_restore(void)
18156 {
18157 - struct thread_info *thread = current_thread_info();
18158 - struct task_struct *tsk = thread->task;
18159 + struct task_struct *tsk = current;
18160
18161 if (!tsk_used_math(tsk)) {
18162 local_irq_enable();
18163 diff -urNp linux-2.6.32.46/arch/x86/kernel/verify_cpu_64.S linux-2.6.32.46/arch/x86/kernel/verify_cpu_64.S
18164 --- linux-2.6.32.46/arch/x86/kernel/verify_cpu_64.S 2011-03-27 14:31:47.000000000 -0400
18165 +++ linux-2.6.32.46/arch/x86/kernel/verify_cpu_64.S 1969-12-31 19:00:00.000000000 -0500
18166 @@ -1,105 +0,0 @@
18167 -/*
18168 - *
18169 - * verify_cpu.S - Code for cpu long mode and SSE verification. This
18170 - * code has been borrowed from boot/setup.S and was introduced by
18171 - * Andi Kleen.
18172 - *
18173 - * Copyright (c) 2007 Andi Kleen (ak@suse.de)
18174 - * Copyright (c) 2007 Eric Biederman (ebiederm@xmission.com)
18175 - * Copyright (c) 2007 Vivek Goyal (vgoyal@in.ibm.com)
18176 - *
18177 - * This source code is licensed under the GNU General Public License,
18178 - * Version 2. See the file COPYING for more details.
18179 - *
18180 - * This is a common code for verification whether CPU supports
18181 - * long mode and SSE or not. It is not called directly instead this
18182 - * file is included at various places and compiled in that context.
18183 - * Following are the current usage.
18184 - *
18185 - * This file is included by both 16bit and 32bit code.
18186 - *
18187 - * arch/x86_64/boot/setup.S : Boot cpu verification (16bit)
18188 - * arch/x86_64/boot/compressed/head.S: Boot cpu verification (32bit)
18189 - * arch/x86_64/kernel/trampoline.S: secondary processor verfication (16bit)
18190 - * arch/x86_64/kernel/acpi/wakeup.S:Verfication at resume (16bit)
18191 - *
18192 - * verify_cpu, returns the status of cpu check in register %eax.
18193 - * 0: Success 1: Failure
18194 - *
18195 - * The caller needs to check for the error code and take the action
18196 - * appropriately. Either display a message or halt.
18197 - */
18198 -
18199 -#include <asm/cpufeature.h>
18200 -
18201 -verify_cpu:
18202 - pushfl # Save caller passed flags
18203 - pushl $0 # Kill any dangerous flags
18204 - popfl
18205 -
18206 - pushfl # standard way to check for cpuid
18207 - popl %eax
18208 - movl %eax,%ebx
18209 - xorl $0x200000,%eax
18210 - pushl %eax
18211 - popfl
18212 - pushfl
18213 - popl %eax
18214 - cmpl %eax,%ebx
18215 - jz verify_cpu_no_longmode # cpu has no cpuid
18216 -
18217 - movl $0x0,%eax # See if cpuid 1 is implemented
18218 - cpuid
18219 - cmpl $0x1,%eax
18220 - jb verify_cpu_no_longmode # no cpuid 1
18221 -
18222 - xor %di,%di
18223 - cmpl $0x68747541,%ebx # AuthenticAMD
18224 - jnz verify_cpu_noamd
18225 - cmpl $0x69746e65,%edx
18226 - jnz verify_cpu_noamd
18227 - cmpl $0x444d4163,%ecx
18228 - jnz verify_cpu_noamd
18229 - mov $1,%di # cpu is from AMD
18230 -
18231 -verify_cpu_noamd:
18232 - movl $0x1,%eax # Does the cpu have what it takes
18233 - cpuid
18234 - andl $REQUIRED_MASK0,%edx
18235 - xorl $REQUIRED_MASK0,%edx
18236 - jnz verify_cpu_no_longmode
18237 -
18238 - movl $0x80000000,%eax # See if extended cpuid is implemented
18239 - cpuid
18240 - cmpl $0x80000001,%eax
18241 - jb verify_cpu_no_longmode # no extended cpuid
18242 -
18243 - movl $0x80000001,%eax # Does the cpu have what it takes
18244 - cpuid
18245 - andl $REQUIRED_MASK1,%edx
18246 - xorl $REQUIRED_MASK1,%edx
18247 - jnz verify_cpu_no_longmode
18248 -
18249 -verify_cpu_sse_test:
18250 - movl $1,%eax
18251 - cpuid
18252 - andl $SSE_MASK,%edx
18253 - cmpl $SSE_MASK,%edx
18254 - je verify_cpu_sse_ok
18255 - test %di,%di
18256 - jz verify_cpu_no_longmode # only try to force SSE on AMD
18257 - movl $0xc0010015,%ecx # HWCR
18258 - rdmsr
18259 - btr $15,%eax # enable SSE
18260 - wrmsr
18261 - xor %di,%di # don't loop
18262 - jmp verify_cpu_sse_test # try again
18263 -
18264 -verify_cpu_no_longmode:
18265 - popfl # Restore caller passed flags
18266 - movl $1,%eax
18267 - ret
18268 -verify_cpu_sse_ok:
18269 - popfl # Restore caller passed flags
18270 - xorl %eax, %eax
18271 - ret
18272 diff -urNp linux-2.6.32.46/arch/x86/kernel/verify_cpu.S linux-2.6.32.46/arch/x86/kernel/verify_cpu.S
18273 --- linux-2.6.32.46/arch/x86/kernel/verify_cpu.S 1969-12-31 19:00:00.000000000 -0500
18274 +++ linux-2.6.32.46/arch/x86/kernel/verify_cpu.S 2011-07-01 18:28:42.000000000 -0400
18275 @@ -0,0 +1,140 @@
18276 +/*
18277 + *
18278 + * verify_cpu.S - Code for cpu long mode and SSE verification. This
18279 + * code has been borrowed from boot/setup.S and was introduced by
18280 + * Andi Kleen.
18281 + *
18282 + * Copyright (c) 2007 Andi Kleen (ak@suse.de)
18283 + * Copyright (c) 2007 Eric Biederman (ebiederm@xmission.com)
18284 + * Copyright (c) 2007 Vivek Goyal (vgoyal@in.ibm.com)
18285 + * Copyright (c) 2010 Kees Cook (kees.cook@canonical.com)
18286 + *
18287 + * This source code is licensed under the GNU General Public License,
18288 + * Version 2. See the file COPYING for more details.
18289 + *
18290 + * This is a common code for verification whether CPU supports
18291 + * long mode and SSE or not. It is not called directly instead this
18292 + * file is included at various places and compiled in that context.
18293 + * This file is expected to run in 32bit code. Currently:
18294 + *
18295 + * arch/x86/boot/compressed/head_64.S: Boot cpu verification
18296 + * arch/x86/kernel/trampoline_64.S: secondary processor verification
18297 + * arch/x86/kernel/head_32.S: processor startup
18298 + * arch/x86/kernel/acpi/realmode/wakeup.S: 32bit processor resume
18299 + *
18300 + * verify_cpu, returns the status of longmode and SSE in register %eax.
18301 + * 0: Success 1: Failure
18302 + *
18303 + * On Intel, the XD_DISABLE flag will be cleared as a side-effect.
18304 + *
18305 + * The caller needs to check for the error code and take the action
18306 + * appropriately. Either display a message or halt.
18307 + */
18308 +
18309 +#include <asm/cpufeature.h>
18310 +#include <asm/msr-index.h>
18311 +
18312 +verify_cpu:
18313 + pushfl # Save caller passed flags
18314 + pushl $0 # Kill any dangerous flags
18315 + popfl
18316 +
18317 + pushfl # standard way to check for cpuid
18318 + popl %eax
18319 + movl %eax,%ebx
18320 + xorl $0x200000,%eax
18321 + pushl %eax
18322 + popfl
18323 + pushfl
18324 + popl %eax
18325 + cmpl %eax,%ebx
18326 + jz verify_cpu_no_longmode # cpu has no cpuid
18327 +
18328 + movl $0x0,%eax # See if cpuid 1 is implemented
18329 + cpuid
18330 + cmpl $0x1,%eax
18331 + jb verify_cpu_no_longmode # no cpuid 1
18332 +
18333 + xor %di,%di
18334 + cmpl $0x68747541,%ebx # AuthenticAMD
18335 + jnz verify_cpu_noamd
18336 + cmpl $0x69746e65,%edx
18337 + jnz verify_cpu_noamd
18338 + cmpl $0x444d4163,%ecx
18339 + jnz verify_cpu_noamd
18340 + mov $1,%di # cpu is from AMD
18341 + jmp verify_cpu_check
18342 +
18343 +verify_cpu_noamd:
18344 + cmpl $0x756e6547,%ebx # GenuineIntel?
18345 + jnz verify_cpu_check
18346 + cmpl $0x49656e69,%edx
18347 + jnz verify_cpu_check
18348 + cmpl $0x6c65746e,%ecx
18349 + jnz verify_cpu_check
18350 +
18351 + # only call IA32_MISC_ENABLE when:
18352 + # family > 6 || (family == 6 && model >= 0xd)
18353 + movl $0x1, %eax # check CPU family and model
18354 + cpuid
18355 + movl %eax, %ecx
18356 +
18357 + andl $0x0ff00f00, %eax # mask family and extended family
18358 + shrl $8, %eax
18359 + cmpl $6, %eax
18360 + ja verify_cpu_clear_xd # family > 6, ok
18361 + jb verify_cpu_check # family < 6, skip
18362 +
18363 + andl $0x000f00f0, %ecx # mask model and extended model
18364 + shrl $4, %ecx
18365 + cmpl $0xd, %ecx
18366 + jb verify_cpu_check # family == 6, model < 0xd, skip
18367 +
18368 +verify_cpu_clear_xd:
18369 + movl $MSR_IA32_MISC_ENABLE, %ecx
18370 + rdmsr
18371 + btrl $2, %edx # clear MSR_IA32_MISC_ENABLE_XD_DISABLE
18372 + jnc verify_cpu_check # only write MSR if bit was changed
18373 + wrmsr
18374 +
18375 +verify_cpu_check:
18376 + movl $0x1,%eax # Does the cpu have what it takes
18377 + cpuid
18378 + andl $REQUIRED_MASK0,%edx
18379 + xorl $REQUIRED_MASK0,%edx
18380 + jnz verify_cpu_no_longmode
18381 +
18382 + movl $0x80000000,%eax # See if extended cpuid is implemented
18383 + cpuid
18384 + cmpl $0x80000001,%eax
18385 + jb verify_cpu_no_longmode # no extended cpuid
18386 +
18387 + movl $0x80000001,%eax # Does the cpu have what it takes
18388 + cpuid
18389 + andl $REQUIRED_MASK1,%edx
18390 + xorl $REQUIRED_MASK1,%edx
18391 + jnz verify_cpu_no_longmode
18392 +
18393 +verify_cpu_sse_test:
18394 + movl $1,%eax
18395 + cpuid
18396 + andl $SSE_MASK,%edx
18397 + cmpl $SSE_MASK,%edx
18398 + je verify_cpu_sse_ok
18399 + test %di,%di
18400 + jz verify_cpu_no_longmode # only try to force SSE on AMD
18401 + movl $MSR_K7_HWCR,%ecx
18402 + rdmsr
18403 + btr $15,%eax # enable SSE
18404 + wrmsr
18405 + xor %di,%di # don't loop
18406 + jmp verify_cpu_sse_test # try again
18407 +
18408 +verify_cpu_no_longmode:
18409 + popfl # Restore caller passed flags
18410 + movl $1,%eax
18411 + ret
18412 +verify_cpu_sse_ok:
18413 + popfl # Restore caller passed flags
18414 + xorl %eax, %eax
18415 + ret
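Review bot: The header comment documents the `%eax` result and the Intel XD_DISABLE side effect, but not the registers the routine destroys or the AMD side effect. The body overwrites `%ebx`, `%ecx` and `%edx` through `cpuid`/`rdmsr` and uses `%di` as the AMD flag, and on AMD it may write `MSR_K7_HWCR` to force SSE on. Because the file is included into several early-boot callers, the header should gain a "Clobbers: %ebx, %ecx, %edx, %di" line and a matching note for the HWCR write. The bare bit numbers would also be easier to check with the bit named at the instruction, e.g. `btrl $2, %edx # bit 34 of the MSR (XD_DISABLE) is bit 2 of the high half`.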
18416 diff -urNp linux-2.6.32.46/arch/x86/kernel/vm86_32.c linux-2.6.32.46/arch/x86/kernel/vm86_32.c
18417 --- linux-2.6.32.46/arch/x86/kernel/vm86_32.c 2011-03-27 14:31:47.000000000 -0400
18418 +++ linux-2.6.32.46/arch/x86/kernel/vm86_32.c 2011-04-17 15:56:46.000000000 -0400
18419 @@ -41,6 +41,7 @@
18420 #include <linux/ptrace.h>
18421 #include <linux/audit.h>
18422 #include <linux/stddef.h>
18423 +#include <linux/grsecurity.h>
18424
18425 #include <asm/uaccess.h>
18426 #include <asm/io.h>
18427 @@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
18428 do_exit(SIGSEGV);
18429 }
18430
18431 - tss = &per_cpu(init_tss, get_cpu());
18432 + tss = init_tss + get_cpu();
18433 current->thread.sp0 = current->thread.saved_sp0;
18434 current->thread.sysenter_cs = __KERNEL_CS;
18435 load_sp0(tss, &current->thread);
18436 @@ -208,6 +209,13 @@ int sys_vm86old(struct pt_regs *regs)
18437 struct task_struct *tsk;
18438 int tmp, ret = -EPERM;
18439
18440 +#ifdef CONFIG_GRKERNSEC_VM86
18441 + if (!capable(CAP_SYS_RAWIO)) {
18442 + gr_handle_vm86();
18443 + goto out;
18444 + }
18445 +#endif
18446 +
18447 tsk = current;
18448 if (tsk->thread.saved_sp0)
18449 goto out;
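Review bot: The denial path in sys_vm86old depends on the initializer `ret = -EPERM` several lines above, while the matching block added to sys_vm86 in the next hunk sets `ret = -EPERM` explicitly before `goto out`. Setting it explicitly here too keeps the capability check correct if the initializer is ever changed, and makes the two entry points read the same. A comment such as `/* vm86 is restricted to CAP_SYS_RAWIO; gr_handle_vm86() logs the refused attempt */` would record the policy; the logging part is inferred from the function name and should be confirmed. Both functions extend beyond their hunks.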
18450 @@ -238,6 +246,14 @@ int sys_vm86(struct pt_regs *regs)
18451 int tmp, ret;
18452 struct vm86plus_struct __user *v86;
18453
18454 +#ifdef CONFIG_GRKERNSEC_VM86
18455 + if (!capable(CAP_SYS_RAWIO)) {
18456 + gr_handle_vm86();
18457 + ret = -EPERM;
18458 + goto out;
18459 + }
18460 +#endif
18461 +
18462 tsk = current;
18463 switch (regs->bx) {
18464 case VM86_REQUEST_IRQ:
18465 @@ -324,7 +340,7 @@ static void do_sys_vm86(struct kernel_vm
18466 tsk->thread.saved_fs = info->regs32->fs;
18467 tsk->thread.saved_gs = get_user_gs(info->regs32);
18468
18469 - tss = &per_cpu(init_tss, get_cpu());
18470 + tss = init_tss + get_cpu();
18471 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
18472 if (cpu_has_sep)
18473 tsk->thread.sysenter_cs = 0;
18474 @@ -529,7 +545,7 @@ static void do_int(struct kernel_vm86_re
18475 goto cannot_handle;
18476 if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
18477 goto cannot_handle;
18478 - intr_ptr = (unsigned long __user *) (i << 2);
18479 + intr_ptr = (__force unsigned long __user *) (i << 2);
18480 if (get_user(segoffs, intr_ptr))
18481 goto cannot_handle;
18482 if ((segoffs >> 16) == BIOSSEG)
18483 diff -urNp linux-2.6.32.46/arch/x86/kernel/vmi_32.c linux-2.6.32.46/arch/x86/kernel/vmi_32.c
18484 --- linux-2.6.32.46/arch/x86/kernel/vmi_32.c 2011-03-27 14:31:47.000000000 -0400
18485 +++ linux-2.6.32.46/arch/x86/kernel/vmi_32.c 2011-08-05 20:33:55.000000000 -0400
18486 @@ -44,12 +44,17 @@ typedef u32 __attribute__((regparm(1)))
18487 typedef u64 __attribute__((regparm(2))) (VROMLONGFUNC)(int);
18488
18489 #define call_vrom_func(rom,func) \
18490 - (((VROMFUNC *)(rom->func))())
18491 + (((VROMFUNC *)(ktva_ktla(rom.func)))())
18492
18493 #define call_vrom_long_func(rom,func,arg) \
18494 - (((VROMLONGFUNC *)(rom->func)) (arg))
18495 +({\
18496 + u64 __reloc = ((VROMLONGFUNC *)(ktva_ktla(rom.func))) (arg);\
18497 + struct vmi_relocation_info *const __rel = (struct vmi_relocation_info *)&__reloc;\
18498 + __rel->eip = (unsigned char *)ktva_ktla((unsigned long)__rel->eip);\
18499 + __reloc;\
18500 +})
18501
18502 -static struct vrom_header *vmi_rom;
18503 +static struct vrom_header vmi_rom __attribute((__section__(".vmi.rom"), __aligned__(PAGE_SIZE)));
18504 static int disable_pge;
18505 static int disable_pse;
18506 static int disable_sep;
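Review bot: Both rewritten macros expand their `rom` argument unparenthesized as `rom.func`, and `call_vrom_long_func` now translates `eip` in every returned relocation regardless of its `type`. The first is harmless for the `vmi_rom` argument visible in this patch but fragile for any other expression; `(rom).func` costs nothing. For the second, patch_internal switches on `rel->type` in a later hunk, which suggests `eip` may not be meaningful for every type. A comment on the macro should state that the translation is safe for all relocation types, or the translation should be limited to the types that carry an address. The macro also now requires a struct object rather than a pointer, which deserves a line in its comment.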
18507 @@ -76,10 +81,10 @@ static struct {
18508 void (*set_initial_ap_state)(int, int);
18509 void (*halt)(void);
18510 void (*set_lazy_mode)(int mode);
18511 -} vmi_ops;
18512 +} __no_const vmi_ops __read_only;
18513
18514 /* Cached VMI operations */
18515 -struct vmi_timer_ops vmi_timer_ops;
18516 +struct vmi_timer_ops vmi_timer_ops __read_only;
18517
18518 /*
18519 * VMI patching routines.
18520 @@ -94,7 +99,7 @@ struct vmi_timer_ops vmi_timer_ops;
18521 static inline void patch_offset(void *insnbuf,
18522 unsigned long ip, unsigned long dest)
18523 {
18524 - *(unsigned long *)(insnbuf+1) = dest-ip-5;
18525 + *(unsigned long *)(insnbuf+1) = dest-ip-5;
18526 }
18527
18528 static unsigned patch_internal(int call, unsigned len, void *insnbuf,
18529 @@ -102,6 +107,7 @@ static unsigned patch_internal(int call,
18530 {
18531 u64 reloc;
18532 struct vmi_relocation_info *const rel = (struct vmi_relocation_info *)&reloc;
18533 +
18534 reloc = call_vrom_long_func(vmi_rom, get_reloc, call);
18535 switch(rel->type) {
18536 case VMI_RELOCATION_CALL_REL:
18537 @@ -404,13 +410,13 @@ static void vmi_set_pud(pud_t *pudp, pud
18538
18539 static void vmi_pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep)
18540 {
18541 - const pte_t pte = { .pte = 0 };
18542 + const pte_t pte = __pte(0ULL);
18543 vmi_ops.set_pte(pte, ptep, vmi_flags_addr(mm, addr, VMI_PAGE_PT, 0));
18544 }
18545
18546 static void vmi_pmd_clear(pmd_t *pmd)
18547 {
18548 - const pte_t pte = { .pte = 0 };
18549 + const pte_t pte = __pte(0ULL);
18550 vmi_ops.set_pte(pte, (pte_t *)pmd, VMI_PAGE_PD);
18551 }
18552 #endif
18553 @@ -438,10 +444,10 @@ vmi_startup_ipi_hook(int phys_apicid, un
18554 ap.ss = __KERNEL_DS;
18555 ap.esp = (unsigned long) start_esp;
18556
18557 - ap.ds = __USER_DS;
18558 - ap.es = __USER_DS;
18559 + ap.ds = __KERNEL_DS;
18560 + ap.es = __KERNEL_DS;
18561 ap.fs = __KERNEL_PERCPU;
18562 - ap.gs = __KERNEL_STACK_CANARY;
18563 + savesegment(gs, ap.gs);
18564
18565 ap.eflags = 0;
18566
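Review bot: `savesegment(gs, ap.gs)` gives the AP whatever selector is in %gs on the CPU running this hook, where the old line used the fixed `__KERNEL_STACK_CANARY`, and the hunk does not say why. If the intent is that the right selector depends on the configuration, a comment such as `/* inherit the calling CPU's %gs rather than assuming the stack-canary segment */` would make that explicit; this reading is inferred and should be confirmed. vmi_startup_ipi_hook begins and ends outside the hunk.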
18567 @@ -486,6 +492,18 @@ static void vmi_leave_lazy_mmu(void)
18568 paravirt_leave_lazy_mmu();
18569 }
18570
18571 +#ifdef CONFIG_PAX_KERNEXEC
18572 +static unsigned long vmi_pax_open_kernel(void)
18573 +{
18574 + return 0;
18575 +}
18576 +
18577 +static unsigned long vmi_pax_close_kernel(void)
18578 +{
18579 + return 0;
18580 +}
18581 +#endif
18582 +
18583 static inline int __init check_vmi_rom(struct vrom_header *rom)
18584 {
18585 struct pci_header *pci;
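Review bot: `vmi_pax_open_kernel()` and `vmi_pax_close_kernel()` both just `return 0;`, so once activate_vmi installs them in `pv_mmu_ops` the open/close pair does nothing, and no comment says this is deliberate. Other hunks in this patch bracket writes to protected data with `pax_open_kernel()` / `pax_close_kernel()` and appear to rely on the pair to make the write possible, so a reader needs to know why nothing is required here. Suggest a comment above the stubs, e.g. `/* VMI: intentionally empty, no write-protection toggle is performed from the guest */`, with the actual reason filled in.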
18586 @@ -498,6 +516,10 @@ static inline int __init check_vmi_rom(s
18587 return 0;
18588 if (rom->vrom_signature != VMI_SIGNATURE)
18589 return 0;
18590 + if (rom->rom_length * 512 > sizeof(*rom)) {
18591 + printk(KERN_WARNING "PAX: VMI: ROM size too big: %x\n", rom->rom_length * 512);
18592 + return 0;
18593 + }
18594 if (rom->api_version_maj != VMI_API_REV_MAJOR ||
18595 rom->api_version_min+1 < VMI_API_REV_MINOR+1) {
18596 printk(KERN_WARNING "VMI: Found mismatched rom version %d.%d\n",
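Review bot: The new length check compares `rom->rom_length * 512` with `sizeof(*rom)`, that is with the size of the header structure, and the reason only becomes clear from the later hunk where probe_vmi_rom copies the ROM by value with `vmi_rom = *romstart`. A one-line comment on the check would tie the two together: `/* the ROM is copied into the static vmi_rom object, so it must fit in one struct vrom_header */`. The definition of struct vrom_header is not in this hunk, so whether its size covers a whole ROM image cannot be confirmed from here. check_vmi_rom continues outside the hunk.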
18597 @@ -562,7 +584,7 @@ static inline int __init probe_vmi_rom(v
18598 struct vrom_header *romstart;
18599 romstart = (struct vrom_header *)isa_bus_to_virt(base);
18600 if (check_vmi_rom(romstart)) {
18601 - vmi_rom = romstart;
18602 + vmi_rom = *romstart;
18603 return 1;
18604 }
18605 }
18606 @@ -836,6 +858,11 @@ static inline int __init activate_vmi(vo
18607
18608 para_fill(pv_irq_ops.safe_halt, Halt);
18609
18610 +#ifdef CONFIG_PAX_KERNEXEC
18611 + pv_mmu_ops.pax_open_kernel = vmi_pax_open_kernel;
18612 + pv_mmu_ops.pax_close_kernel = vmi_pax_close_kernel;
18613 +#endif
18614 +
18615 /*
18616 * Alternative instruction rewriting doesn't happen soon enough
18617 * to convert VMI_IRET to a call instead of a jump; so we have
18618 @@ -853,16 +880,16 @@ static inline int __init activate_vmi(vo
18619
18620 void __init vmi_init(void)
18621 {
18622 - if (!vmi_rom)
18623 + if (!vmi_rom.rom_signature)
18624 probe_vmi_rom();
18625 else
18626 - check_vmi_rom(vmi_rom);
18627 + check_vmi_rom(&vmi_rom);
18628
18629 /* In case probing for or validating the ROM failed, basil */
18630 - if (!vmi_rom)
18631 + if (!vmi_rom.rom_signature)
18632 return;
18633
18634 - reserve_top_address(-vmi_rom->virtual_top);
18635 + reserve_top_address(-vmi_rom.virtual_top);
18636
18637 #ifdef CONFIG_X86_IO_APIC
18638 /* This is virtual hardware; timer routing is wired correctly */
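Review bot: In the `else` branch the result of `check_vmi_rom(&vmi_rom)` is discarded, so when validation fails `vmi_rom.rom_signature` is still non-zero and the following `if (!vmi_rom.rom_signature) return;` does not stop initialisation, although the comment above it talks about validation having failed. The pre-patch code ignored the result in the same way; with the signature field now serving as the "ROM present" flag (vmi_activate tests it too), the failure should clear it: `else if (!check_vmi_rom(&vmi_rom)) vmi_rom.rom_signature = 0;`. This assumes vmi_rom is still writable at this point, which the by-value copy in probe_vmi_rom suggests. vmi_init continues outside the hunk.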
18639 @@ -874,7 +901,7 @@ void __init vmi_activate(void)
18640 {
18641 unsigned long flags;
18642
18643 - if (!vmi_rom)
18644 + if (!vmi_rom.rom_signature)
18645 return;
18646
18647 local_irq_save(flags);
18648 diff -urNp linux-2.6.32.46/arch/x86/kernel/vmlinux.lds.S linux-2.6.32.46/arch/x86/kernel/vmlinux.lds.S
18649 --- linux-2.6.32.46/arch/x86/kernel/vmlinux.lds.S 2011-03-27 14:31:47.000000000 -0400
18650 +++ linux-2.6.32.46/arch/x86/kernel/vmlinux.lds.S 2011-04-17 15:56:46.000000000 -0400
18651 @@ -26,6 +26,13 @@
18652 #include <asm/page_types.h>
18653 #include <asm/cache.h>
18654 #include <asm/boot.h>
18655 +#include <asm/segment.h>
18656 +
18657 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18658 +#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
18659 +#else
18660 +#define __KERNEL_TEXT_OFFSET 0
18661 +#endif
18662
18663 #undef i386 /* in case the preprocessor is a 32bit one */
18664
18665 @@ -34,40 +41,53 @@ OUTPUT_FORMAT(CONFIG_OUTPUT_FORMAT, CONF
18666 #ifdef CONFIG_X86_32
18667 OUTPUT_ARCH(i386)
18668 ENTRY(phys_startup_32)
18669 -jiffies = jiffies_64;
18670 #else
18671 OUTPUT_ARCH(i386:x86-64)
18672 ENTRY(phys_startup_64)
18673 -jiffies_64 = jiffies;
18674 #endif
18675
18676 PHDRS {
18677 text PT_LOAD FLAGS(5); /* R_E */
18678 - data PT_LOAD FLAGS(7); /* RWE */
18679 +#ifdef CONFIG_X86_32
18680 + module PT_LOAD FLAGS(5); /* R_E */
18681 +#endif
18682 +#ifdef CONFIG_XEN
18683 + rodata PT_LOAD FLAGS(5); /* R_E */
18684 +#else
18685 + rodata PT_LOAD FLAGS(4); /* R__ */
18686 +#endif
18687 + data PT_LOAD FLAGS(6); /* RW_ */
18688 #ifdef CONFIG_X86_64
18689 user PT_LOAD FLAGS(5); /* R_E */
18690 +#endif
18691 + init.begin PT_LOAD FLAGS(6); /* RW_ */
18692 #ifdef CONFIG_SMP
18693 percpu PT_LOAD FLAGS(6); /* RW_ */
18694 #endif
18695 + text.init PT_LOAD FLAGS(5); /* R_E */
18696 + text.exit PT_LOAD FLAGS(5); /* R_E */
18697 init PT_LOAD FLAGS(7); /* RWE */
18698 -#endif
18699 note PT_NOTE FLAGS(0); /* ___ */
18700 }
18701
18702 SECTIONS
18703 {
18704 #ifdef CONFIG_X86_32
18705 - . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
18706 - phys_startup_32 = startup_32 - LOAD_OFFSET;
18707 + . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
18708 #else
18709 - . = __START_KERNEL;
18710 - phys_startup_64 = startup_64 - LOAD_OFFSET;
18711 + . = __START_KERNEL;
18712 #endif
18713
18714 /* Text and read-only data */
18715 - .text : AT(ADDR(.text) - LOAD_OFFSET) {
18716 - _text = .;
18717 + .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
18718 /* bootstrapping code */
18719 +#ifdef CONFIG_X86_32
18720 + phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
18721 +#else
18722 + phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
18723 +#endif
18724 + __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
18725 + _text = .;
18726 HEAD_TEXT
18727 #ifdef CONFIG_X86_32
18728 . = ALIGN(PAGE_SIZE);
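Review bot: Two program headers still combine permissions that the rest of the new table separates: `init PT_LOAD FLAGS(7); /* RWE */` stays writable and executable, and under `CONFIG_XEN` the `rodata` header is `FLAGS(5)` (R_E) instead of `FLAGS(4)`. Neither line gives a reason. If both are required, say so next to them, for example `/* Xen: rodata must stay executable because ... */` and a matching note on `init`, so that a later reader does not take them for leftovers. The run-time page protections are set up elsewhere, so these flags alone do not show what ends up mapped. The SECTIONS block continues outside the hunk.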
18729 @@ -82,28 +102,71 @@ SECTIONS
18730 IRQENTRY_TEXT
18731 *(.fixup)
18732 *(.gnu.warning)
18733 - /* End of text section */
18734 - _etext = .;
18735 } :text = 0x9090
18736
18737 - NOTES :text :note
18738 + . += __KERNEL_TEXT_OFFSET;
18739 +
18740 +#ifdef CONFIG_X86_32
18741 + . = ALIGN(PAGE_SIZE);
18742 + .vmi.rom : AT(ADDR(.vmi.rom) - LOAD_OFFSET) {
18743 + *(.vmi.rom)
18744 + } :module
18745 +
18746 + . = ALIGN(PAGE_SIZE);
18747 + .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
18748 +
18749 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
18750 + MODULES_EXEC_VADDR = .;
18751 + BYTE(0)
18752 + . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
18753 + . = ALIGN(HPAGE_SIZE);
18754 + MODULES_EXEC_END = . - 1;
18755 +#endif
18756 +
18757 + } :module
18758 +#endif
18759
18760 - EXCEPTION_TABLE(16) :text = 0x9090
18761 + .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
18762 + /* End of text section */
18763 + _etext = . - __KERNEL_TEXT_OFFSET;
18764 + }
18765 +
18766 +#ifdef CONFIG_X86_32
18767 + . = ALIGN(PAGE_SIZE);
18768 + .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
18769 + *(.idt)
18770 + . = ALIGN(PAGE_SIZE);
18771 + *(.empty_zero_page)
18772 + *(.swapper_pg_fixmap)
18773 + *(.swapper_pg_pmd)
18774 + *(.swapper_pg_dir)
18775 + *(.trampoline_pg_dir)
18776 + } :rodata
18777 +#endif
18778 +
18779 + . = ALIGN(PAGE_SIZE);
18780 + NOTES :rodata :note
18781 +
18782 + EXCEPTION_TABLE(16) :rodata
18783
18784 RO_DATA(PAGE_SIZE)
18785
18786 /* Data */
18787 .data : AT(ADDR(.data) - LOAD_OFFSET) {
18788 +
18789 +#ifdef CONFIG_PAX_KERNEXEC
18790 + . = ALIGN(HPAGE_SIZE);
18791 +#else
18792 + . = ALIGN(PAGE_SIZE);
18793 +#endif
18794 +
18795 /* Start of data section */
18796 _sdata = .;
18797
18798 /* init_task */
18799 INIT_TASK_DATA(THREAD_SIZE)
18800
18801 -#ifdef CONFIG_X86_32
18802 - /* 32 bit has nosave before _edata */
18803 NOSAVE_DATA
18804 -#endif
18805
18806 PAGE_ALIGNED_DATA(PAGE_SIZE)
18807
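Review bot: The `BYTE(0)` at the start of the `MODULES_EXEC_VADDR` range in `.module.text` (and again in `.init.begin` in a later hunk) has no comment, so a reader cannot tell whether the byte is data or a way to keep the output section from being dropped as empty. Presumably it is the latter; a comment such as `/* emit one byte so the linker keeps this otherwise empty section */` would settle it. It would also help to note next to `MODULES_EXEC_END = . - 1;` that the end address is inclusive.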
18808 @@ -112,6 +175,8 @@ SECTIONS
18809 DATA_DATA
18810 CONSTRUCTORS
18811
18812 + jiffies = jiffies_64;
18813 +
18814 /* rarely changed data like cpu maps */
18815 READ_MOSTLY_DATA(CONFIG_X86_INTERNODE_CACHE_BYTES)
18816
18817 @@ -166,12 +231,6 @@ SECTIONS
18818 }
18819 vgetcpu_mode = VVIRT(.vgetcpu_mode);
18820
18821 - . = ALIGN(CONFIG_X86_L1_CACHE_BYTES);
18822 - .jiffies : AT(VLOAD(.jiffies)) {
18823 - *(.jiffies)
18824 - }
18825 - jiffies = VVIRT(.jiffies);
18826 -
18827 .vsyscall_3 ADDR(.vsyscall_0) + 3072: AT(VLOAD(.vsyscall_3)) {
18828 *(.vsyscall_3)
18829 }
18830 @@ -187,12 +246,19 @@ SECTIONS
18831 #endif /* CONFIG_X86_64 */
18832
18833 /* Init code and data - will be freed after init */
18834 - . = ALIGN(PAGE_SIZE);
18835 .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
18836 + BYTE(0)
18837 +
18838 +#ifdef CONFIG_PAX_KERNEXEC
18839 + . = ALIGN(HPAGE_SIZE);
18840 +#else
18841 + . = ALIGN(PAGE_SIZE);
18842 +#endif
18843 +
18844 __init_begin = .; /* paired with __init_end */
18845 - }
18846 + } :init.begin
18847
18848 -#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
18849 +#ifdef CONFIG_SMP
18850 /*
18851 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
18852 * output PHDR, so the next output section - .init.text - should
18853 @@ -201,12 +267,27 @@ SECTIONS
18854 PERCPU_VADDR(0, :percpu)
18855 #endif
18856
18857 - INIT_TEXT_SECTION(PAGE_SIZE)
18858 -#ifdef CONFIG_X86_64
18859 - :init
18860 -#endif
18861 + . = ALIGN(PAGE_SIZE);
18862 + init_begin = .;
18863 + .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
18864 + VMLINUX_SYMBOL(_sinittext) = .;
18865 + INIT_TEXT
18866 + VMLINUX_SYMBOL(_einittext) = .;
18867 + . = ALIGN(PAGE_SIZE);
18868 + } :text.init
18869
18870 - INIT_DATA_SECTION(16)
18871 + /*
18872 + * .exit.text is discard at runtime, not link time, to deal with
18873 + * references from .altinstructions and .eh_frame
18874 + */
18875 + .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
18876 + EXIT_TEXT
18877 + . = ALIGN(16);
18878 + } :text.exit
18879 + . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
18880 +
18881 + . = ALIGN(PAGE_SIZE);
18882 + INIT_DATA_SECTION(16) :init
18883
18884 .x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) {
18885 __x86_cpu_dev_start = .;
18886 @@ -232,19 +313,11 @@ SECTIONS
18887 *(.altinstr_replacement)
18888 }
18889
18890 - /*
18891 - * .exit.text is discard at runtime, not link time, to deal with
18892 - * references from .altinstructions and .eh_frame
18893 - */
18894 - .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
18895 - EXIT_TEXT
18896 - }
18897 -
18898 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
18899 EXIT_DATA
18900 }
18901
18902 -#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
18903 +#ifndef CONFIG_SMP
18904 PERCPU(PAGE_SIZE)
18905 #endif
18906
18907 @@ -267,12 +340,6 @@ SECTIONS
18908 . = ALIGN(PAGE_SIZE);
18909 }
18910
18911 -#ifdef CONFIG_X86_64
18912 - .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
18913 - NOSAVE_DATA
18914 - }
18915 -#endif
18916 -
18917 /* BSS */
18918 . = ALIGN(PAGE_SIZE);
18919 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
18920 @@ -288,6 +355,7 @@ SECTIONS
18921 __brk_base = .;
18922 . += 64 * 1024; /* 64k alignment slop space */
18923 *(.brk_reservation) /* areas brk users have reserved */
18924 + . = ALIGN(HPAGE_SIZE);
18925 __brk_limit = .;
18926 }
18927
18928 @@ -316,13 +384,12 @@ SECTIONS
18929 * for the boot processor.
18930 */
18931 #define INIT_PER_CPU(x) init_per_cpu__##x = per_cpu__##x + __per_cpu_load
18932 -INIT_PER_CPU(gdt_page);
18933 INIT_PER_CPU(irq_stack_union);
18934
18935 /*
18936 * Build-time check on the image size:
18937 */
18938 -. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
18939 +. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
18940 "kernel image bigger than KERNEL_IMAGE_SIZE");
18941
18942 #ifdef CONFIG_SMP
18943 diff -urNp linux-2.6.32.46/arch/x86/kernel/vsyscall_64.c linux-2.6.32.46/arch/x86/kernel/vsyscall_64.c
18944 --- linux-2.6.32.46/arch/x86/kernel/vsyscall_64.c 2011-03-27 14:31:47.000000000 -0400
18945 +++ linux-2.6.32.46/arch/x86/kernel/vsyscall_64.c 2011-04-23 12:56:10.000000000 -0400
18946 @@ -80,6 +80,7 @@ void update_vsyscall(struct timespec *wa
18947
18948 write_seqlock_irqsave(&vsyscall_gtod_data.lock, flags);
18949 /* copy vsyscall data */
18950 + strlcpy(vsyscall_gtod_data.clock.name, clock->name, sizeof vsyscall_gtod_data.clock.name);
18951 vsyscall_gtod_data.clock.vread = clock->vread;
18952 vsyscall_gtod_data.clock.cycle_last = clock->cycle_last;
18953 vsyscall_gtod_data.clock.mask = clock->mask;
18954 @@ -203,7 +204,7 @@ vgetcpu(unsigned *cpu, unsigned *node, s
18955 We do this here because otherwise user space would do it on
18956 its own in a likely inferior way (no access to jiffies).
18957 If you don't like it pass NULL. */
18958 - if (tcache && tcache->blob[0] == (j = __jiffies)) {
18959 + if (tcache && tcache->blob[0] == (j = jiffies)) {
18960 p = tcache->blob[1];
18961 } else if (__vgetcpu_mode == VGETCPU_RDTSCP) {
18962 /* Load per CPU data from RDTSCP */
18963 diff -urNp linux-2.6.32.46/arch/x86/kernel/x8664_ksyms_64.c linux-2.6.32.46/arch/x86/kernel/x8664_ksyms_64.c
18964 --- linux-2.6.32.46/arch/x86/kernel/x8664_ksyms_64.c 2011-03-27 14:31:47.000000000 -0400
18965 +++ linux-2.6.32.46/arch/x86/kernel/x8664_ksyms_64.c 2011-04-17 15:56:46.000000000 -0400
18966 @@ -30,8 +30,6 @@ EXPORT_SYMBOL(__put_user_8);
18967
18968 EXPORT_SYMBOL(copy_user_generic);
18969 EXPORT_SYMBOL(__copy_user_nocache);
18970 -EXPORT_SYMBOL(copy_from_user);
18971 -EXPORT_SYMBOL(copy_to_user);
18972 EXPORT_SYMBOL(__copy_from_user_inatomic);
18973
18974 EXPORT_SYMBOL(copy_page);
18975 diff -urNp linux-2.6.32.46/arch/x86/kernel/xsave.c linux-2.6.32.46/arch/x86/kernel/xsave.c
18976 --- linux-2.6.32.46/arch/x86/kernel/xsave.c 2011-03-27 14:31:47.000000000 -0400
18977 +++ linux-2.6.32.46/arch/x86/kernel/xsave.c 2011-10-06 09:37:08.000000000 -0400
18978 @@ -54,7 +54,7 @@ int check_for_xstate(struct i387_fxsave_
18979 fx_sw_user->xstate_size > fx_sw_user->extended_size)
18980 return -1;
18981
18982 - err = __get_user(magic2, (__u32 *) (((void *)fpstate) +
18983 + err = __get_user(magic2, (__u32 __user *) (((void __user *)fpstate) +
18984 fx_sw_user->extended_size -
18985 FP_XSTATE_MAGIC2_SIZE));
18986 /*
18987 @@ -196,7 +196,7 @@ fx_only:
18988 * the other extended state.
18989 */
18990 xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
18991 - return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
18992 + return fxrstor_checking((struct i387_fxsave_struct __force_kernel *)buf);
18993 }
18994
18995 /*
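Review bot: The two `fxrstor_checking()` call sites changed in this file annotate the same kind of user buffer differently: this one casts `buf` to `struct i387_fxsave_struct __force_kernel *`, while the one in restore_i387_xstate (next hunk) casts to `struct i387_fxsave_struct __user *` and drops `__force`. The prototype of fxrstor_checking is outside these hunks, so it is not possible to say which form matches it, but the two cannot both be the natural cast for a single parameter type. Use one cast at both sites, or add a comment at the odd one explaining why the address space differs.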
18996 @@ -228,7 +228,7 @@ int restore_i387_xstate(void __user *buf
18997 if (task_thread_info(tsk)->status & TS_XSAVE)
18998 err = restore_user_xstate(buf);
18999 else
19000 - err = fxrstor_checking((__force struct i387_fxsave_struct *)
19001 + err = fxrstor_checking((struct i387_fxsave_struct __user *)
19002 buf);
19003 if (unlikely(err)) {
19004 /*
19005 diff -urNp linux-2.6.32.46/arch/x86/kvm/emulate.c linux-2.6.32.46/arch/x86/kvm/emulate.c
19006 --- linux-2.6.32.46/arch/x86/kvm/emulate.c 2011-03-27 14:31:47.000000000 -0400
19007 +++ linux-2.6.32.46/arch/x86/kvm/emulate.c 2011-04-17 15:56:46.000000000 -0400
19008 @@ -81,8 +81,8 @@
19009 #define Src2CL (1<<29)
19010 #define Src2ImmByte (2<<29)
19011 #define Src2One (3<<29)
19012 -#define Src2Imm16 (4<<29)
19013 -#define Src2Mask (7<<29)
19014 +#define Src2Imm16 (4U<<29)
19015 +#define Src2Mask (7U<<29)
19016
19017 enum {
19018 Group1_80, Group1_81, Group1_82, Group1_83,
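Review bot: Only `Src2Imm16` and `Src2Mask` get the `U` suffix, which leaves the Src2 field mixing signed constants (`Src2CL`, `Src2ImmByte`, `Src2One`) with unsigned ones. The two changed values are the ones that would otherwise shift into the sign bit of an int, so the change itself is right, but writing the whole group the same way avoids signed/unsigned surprises when a masked value is compared against them, e.g. `#define Src2One (3U<<29)`. Any earlier Src2 definitions are above the hunk.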
19019 @@ -411,6 +411,7 @@ static u32 group2_table[] = {
19020
19021 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
19022 do { \
19023 + unsigned long _tmp; \
19024 __asm__ __volatile__ ( \
19025 _PRE_EFLAGS("0", "4", "2") \
19026 _op _suffix " %"_x"3,%1; " \
19027 @@ -424,8 +425,6 @@ static u32 group2_table[] = {
19028 /* Raw emulation: instruction has two explicit operands. */
19029 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
19030 do { \
19031 - unsigned long _tmp; \
19032 - \
19033 switch ((_dst).bytes) { \
19034 case 2: \
19035 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
19036 @@ -441,7 +440,6 @@ static u32 group2_table[] = {
19037
19038 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
19039 do { \
19040 - unsigned long _tmp; \
19041 switch ((_dst).bytes) { \
19042 case 1: \
19043 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
19044 diff -urNp linux-2.6.32.46/arch/x86/kvm/lapic.c linux-2.6.32.46/arch/x86/kvm/lapic.c
19045 --- linux-2.6.32.46/arch/x86/kvm/lapic.c 2011-03-27 14:31:47.000000000 -0400
19046 +++ linux-2.6.32.46/arch/x86/kvm/lapic.c 2011-04-17 15:56:46.000000000 -0400
19047 @@ -52,7 +52,7 @@
19048 #define APIC_BUS_CYCLE_NS 1
19049
19050 /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
19051 -#define apic_debug(fmt, arg...)
19052 +#define apic_debug(fmt, arg...) do {} while (0)
19053
19054 #define APIC_LVT_NUM 6
19055 /* 14 is the version for Xeon and Pentium 8.4.8*/
19056 diff -urNp linux-2.6.32.46/arch/x86/kvm/paging_tmpl.h linux-2.6.32.46/arch/x86/kvm/paging_tmpl.h
19057 --- linux-2.6.32.46/arch/x86/kvm/paging_tmpl.h 2011-03-27 14:31:47.000000000 -0400
19058 +++ linux-2.6.32.46/arch/x86/kvm/paging_tmpl.h 2011-05-16 21:46:57.000000000 -0400
19059 @@ -416,6 +416,8 @@ static int FNAME(page_fault)(struct kvm_
19060 int level = PT_PAGE_TABLE_LEVEL;
19061 unsigned long mmu_seq;
19062
19063 + pax_track_stack();
19064 +
19065 pgprintk("%s: addr %lx err %x\n", __func__, addr, error_code);
19066 kvm_mmu_audit(vcpu, "pre page fault");
19067
19068 diff -urNp linux-2.6.32.46/arch/x86/kvm/svm.c linux-2.6.32.46/arch/x86/kvm/svm.c
19069 --- linux-2.6.32.46/arch/x86/kvm/svm.c 2011-03-27 14:31:47.000000000 -0400
19070 +++ linux-2.6.32.46/arch/x86/kvm/svm.c 2011-08-05 20:33:55.000000000 -0400
19071 @@ -2485,7 +2485,11 @@ static void reload_tss(struct kvm_vcpu *
19072 int cpu = raw_smp_processor_id();
19073
19074 struct svm_cpu_data *svm_data = per_cpu(svm_data, cpu);
19075 +
19076 + pax_open_kernel();
19077 svm_data->tss_desc->type = 9; /* available 32/64-bit TSS */
19078 + pax_close_kernel();
19079 +
19080 load_TR_desc();
19081 }
19082
19083 @@ -2946,7 +2950,7 @@ static bool svm_gb_page_enable(void)
19084 return true;
19085 }
19086
19087 -static struct kvm_x86_ops svm_x86_ops = {
19088 +static const struct kvm_x86_ops svm_x86_ops = {
19089 .cpu_has_kvm_support = has_svm,
19090 .disabled_by_bios = is_disabled,
19091 .hardware_setup = svm_hardware_setup,
19092 diff -urNp linux-2.6.32.46/arch/x86/kvm/vmx.c linux-2.6.32.46/arch/x86/kvm/vmx.c
19093 --- linux-2.6.32.46/arch/x86/kvm/vmx.c 2011-03-27 14:31:47.000000000 -0400
19094 +++ linux-2.6.32.46/arch/x86/kvm/vmx.c 2011-05-04 17:56:20.000000000 -0400
19095 @@ -570,7 +570,11 @@ static void reload_tss(void)
19096
19097 kvm_get_gdt(&gdt);
19098 descs = (void *)gdt.base;
19099 +
19100 + pax_open_kernel();
19101 descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
19102 + pax_close_kernel();
19103 +
19104 load_TR_desc();
19105 }
19106
19107 @@ -1409,8 +1413,11 @@ static __init int hardware_setup(void)
19108 if (!cpu_has_vmx_flexpriority())
19109 flexpriority_enabled = 0;
19110
19111 - if (!cpu_has_vmx_tpr_shadow())
19112 - kvm_x86_ops->update_cr8_intercept = NULL;
19113 + if (!cpu_has_vmx_tpr_shadow()) {
19114 + pax_open_kernel();
19115 + *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
19116 + pax_close_kernel();
19117 + }
19118
19119 if (enable_ept && !cpu_has_vmx_ept_2m_page())
19120 kvm_disable_largepages();
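Review bot: `*(void **)&kvm_x86_ops->update_cr8_intercept = NULL;` writes through a pointer that this patch turns into `const struct kvm_x86_ops *`, presumably into `vmx_x86_ops`, which a later hunk declares `static const`. Modifying an object defined const is undefined behaviour in C, and the cast through `void **` also hides the function-pointer type, so the compiler may assume the field keeps its initialiser. If the write has to stay, document it on the spot, e.g. `/* ops table is const; one-time init fixup done inside the open_kernel window */`. A cleaner alternative would be to leave the table untouched and test `cpu_has_vmx_tpr_shadow()` where the hook is invoked. hardware_setup begins and ends outside the hunk.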
19121 @@ -2361,7 +2368,7 @@ static int vmx_vcpu_setup(struct vcpu_vm
19122 vmcs_writel(HOST_IDTR_BASE, dt.base); /* 22.2.4 */
19123
19124 asm("mov $.Lkvm_vmx_return, %0" : "=r"(kvm_vmx_return));
19125 - vmcs_writel(HOST_RIP, kvm_vmx_return); /* 22.2.5 */
19126 + vmcs_writel(HOST_RIP, ktla_ktva(kvm_vmx_return)); /* 22.2.5 */
19127 vmcs_write32(VM_EXIT_MSR_STORE_COUNT, 0);
19128 vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, 0);
19129 vmcs_write32(VM_ENTRY_MSR_LOAD_COUNT, 0);
19130 @@ -3717,6 +3724,12 @@ static void vmx_vcpu_run(struct kvm_vcpu
19131 "jmp .Lkvm_vmx_return \n\t"
19132 ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
19133 ".Lkvm_vmx_return: "
19134 +
19135 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
19136 + "ljmp %[cs],$.Lkvm_vmx_return2\n\t"
19137 + ".Lkvm_vmx_return2: "
19138 +#endif
19139 +
19140 /* Save guest registers, load host registers, keep flags */
19141 "xchg %0, (%%"R"sp) \n\t"
19142 "mov %%"R"ax, %c[rax](%0) \n\t"
19143 @@ -3763,8 +3776,13 @@ static void vmx_vcpu_run(struct kvm_vcpu
19144 [r15]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R15])),
19145 #endif
19146 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2))
19147 +
19148 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
19149 + ,[cs]"i"(__KERNEL_CS)
19150 +#endif
19151 +
19152 : "cc", "memory"
19153 - , R"bx", R"di", R"si"
19154 + , R"ax", R"bx", R"di", R"si"
19155 #ifdef CONFIG_X86_64
19156 , "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"
19157 #endif
19158 @@ -3781,7 +3799,16 @@ static void vmx_vcpu_run(struct kvm_vcpu
19159 if (vmx->rmode.irq.pending)
19160 fixup_rmode_irq(vmx);
19161
19162 - asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
19163 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r"(__KERNEL_DS));
19164 +
19165 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
19166 + loadsegment(fs, __KERNEL_PERCPU);
19167 +#endif
19168 +
19169 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
19170 + __set_fs(current_thread_info()->addr_limit);
19171 +#endif
19172 +
19173 vmx->launched = 1;
19174
19175 vmx_complete_interrupts(vmx);
19176 @@ -3956,7 +3983,7 @@ static bool vmx_gb_page_enable(void)
19177 return false;
19178 }
19179
19180 -static struct kvm_x86_ops vmx_x86_ops = {
19181 +static const struct kvm_x86_ops vmx_x86_ops = {
19182 .cpu_has_kvm_support = cpu_has_kvm_support,
19183 .disabled_by_bios = vmx_disabled_by_bios,
19184 .hardware_setup = hardware_setup,
19185 diff -urNp linux-2.6.32.46/arch/x86/kvm/x86.c linux-2.6.32.46/arch/x86/kvm/x86.c
19186 --- linux-2.6.32.46/arch/x86/kvm/x86.c 2011-05-10 22:12:01.000000000 -0400
19187 +++ linux-2.6.32.46/arch/x86/kvm/x86.c 2011-05-10 22:12:26.000000000 -0400
19188 @@ -82,7 +82,7 @@ static void update_cr8_intercept(struct
19189 static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
19190 struct kvm_cpuid_entry2 __user *entries);
19191
19192 -struct kvm_x86_ops *kvm_x86_ops;
19193 +const struct kvm_x86_ops *kvm_x86_ops;
19194 EXPORT_SYMBOL_GPL(kvm_x86_ops);
19195
19196 int ignore_msrs = 0;
19197 @@ -1430,15 +1430,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(str
19198 struct kvm_cpuid2 *cpuid,
19199 struct kvm_cpuid_entry2 __user *entries)
19200 {
19201 - int r;
19202 + int r, i;
19203
19204 r = -E2BIG;
19205 if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)
19206 goto out;
19207 r = -EFAULT;
19208 - if (copy_from_user(&vcpu->arch.cpuid_entries, entries,
19209 - cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
19210 + if (!access_ok(VERIFY_READ, entries, cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
19211 goto out;
19212 + for (i = 0; i < cpuid->nent; ++i) {
19213 + struct kvm_cpuid_entry2 cpuid_entry;
19214 + if (__copy_from_user(&cpuid_entry, entries + i, sizeof(cpuid_entry)))
19215 + goto out;
19216 + vcpu->arch.cpuid_entries[i] = cpuid_entry;
19217 + }
19218 vcpu->arch.cpuid_nent = cpuid->nent;
19219 kvm_apic_set_version(vcpu);
19220 return 0;
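Review bot: The new loop stores each entry into `vcpu->arch.cpuid_entries[i]` as it goes, so a fault on a later entry returns -EFAULT with the first entries already replaced while `vcpu->arch.cpuid_nent` still holds the old count. The bulk `copy_from_user()` it replaces could leave a partial copy as well, so this is not a regression, but the function deserves at least a comment that the table is not updated atomically, or a staging copy that is committed only after every entry has been read. The counter is also declared `int i` and compared with `cpuid->nent`; `unsigned int i` would avoid a mixed-sign comparison if that field is unsigned (its declaration is outside the hunk). The same loop shape and counter appear in the kvm_vcpu_ioctl_get_cpuid2 hunk that follows.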
19221 @@ -1451,16 +1456,20 @@ static int kvm_vcpu_ioctl_get_cpuid2(str
19222 struct kvm_cpuid2 *cpuid,
19223 struct kvm_cpuid_entry2 __user *entries)
19224 {
19225 - int r;
19226 + int r, i;
19227
19228 vcpu_load(vcpu);
19229 r = -E2BIG;
19230 if (cpuid->nent < vcpu->arch.cpuid_nent)
19231 goto out;
19232 r = -EFAULT;
19233 - if (copy_to_user(entries, &vcpu->arch.cpuid_entries,
19234 - vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
19235 + if (!access_ok(VERIFY_WRITE, entries, vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
19236 goto out;
19237 + for (i = 0; i < vcpu->arch.cpuid_nent; ++i) {
19238 + struct kvm_cpuid_entry2 cpuid_entry = vcpu->arch.cpuid_entries[i];
19239 + if (__copy_to_user(entries + i, &cpuid_entry, sizeof(cpuid_entry)))
19240 + goto out;
19241 + }
19242 return 0;
19243
19244 out:
19245 @@ -1678,7 +1687,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
19246 static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
19247 struct kvm_interrupt *irq)
19248 {
19249 - if (irq->irq < 0 || irq->irq >= 256)
19250 + if (irq->irq >= 256)
19251 return -EINVAL;
19252 if (irqchip_in_kernel(vcpu->kvm))
19253 return -ENXIO;
19254 @@ -3260,10 +3269,10 @@ static struct notifier_block kvmclock_cp
19255 .notifier_call = kvmclock_cpufreq_notifier
19256 };
19257
19258 -int kvm_arch_init(void *opaque)
19259 +int kvm_arch_init(const void *opaque)
19260 {
19261 int r, cpu;
19262 - struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
19263 + const struct kvm_x86_ops *ops = (const struct kvm_x86_ops *)opaque;
19264
19265 if (kvm_x86_ops) {
19266 printk(KERN_ERR "kvm: already loaded the other module\n");
19267 diff -urNp linux-2.6.32.46/arch/x86/lguest/boot.c linux-2.6.32.46/arch/x86/lguest/boot.c
19268 --- linux-2.6.32.46/arch/x86/lguest/boot.c 2011-03-27 14:31:47.000000000 -0400
19269 +++ linux-2.6.32.46/arch/x86/lguest/boot.c 2011-08-05 20:33:55.000000000 -0400
19270 @@ -1172,9 +1172,10 @@ static __init int early_put_chars(u32 vt
19271 * Rebooting also tells the Host we're finished, but the RESTART flag tells the
19272 * Launcher to reboot us.
19273 */
19274 -static void lguest_restart(char *reason)
19275 +static __noreturn void lguest_restart(char *reason)
19276 {
19277 kvm_hypercall2(LHCALL_SHUTDOWN, __pa(reason), LGUEST_SHUTDOWN_RESTART);
19278 + BUG();
19279 }
19280
19281 /*G:050
19282 diff -urNp linux-2.6.32.46/arch/x86/lib/atomic64_32.c linux-2.6.32.46/arch/x86/lib/atomic64_32.c
19283 --- linux-2.6.32.46/arch/x86/lib/atomic64_32.c 2011-03-27 14:31:47.000000000 -0400
19284 +++ linux-2.6.32.46/arch/x86/lib/atomic64_32.c 2011-05-04 17:56:28.000000000 -0400
19285 @@ -25,6 +25,12 @@ u64 atomic64_cmpxchg(atomic64_t *ptr, u6
19286 }
19287 EXPORT_SYMBOL(atomic64_cmpxchg);
19288
19289 +u64 atomic64_cmpxchg_unchecked(atomic64_unchecked_t *ptr, u64 old_val, u64 new_val)
19290 +{
19291 + return cmpxchg8b(&ptr->counter, old_val, new_val);
19292 +}
19293 +EXPORT_SYMBOL(atomic64_cmpxchg_unchecked);
19294 +
19295 /**
19296 * atomic64_xchg - xchg atomic64 variable
19297 * @ptr: pointer to type atomic64_t
19298 @@ -56,6 +62,36 @@ u64 atomic64_xchg(atomic64_t *ptr, u64 n
19299 EXPORT_SYMBOL(atomic64_xchg);
19300
19301 /**
19302 + * atomic64_xchg_unchecked - xchg atomic64 variable
19303 + * @ptr: pointer to type atomic64_unchecked_t
19304 + * @new_val: value to assign
19305 + *
19306 + * Atomically xchgs the value of @ptr to @new_val and returns
19307 + * the old value.
19308 + */
19309 +u64 atomic64_xchg_unchecked(atomic64_unchecked_t *ptr, u64 new_val)
19310 +{
19311 + /*
19312 + * Try first with a (possibly incorrect) assumption about
19313 + * what we have there. We'll do two loops most likely,
19314 + * but we'll get an ownership MESI transaction straight away
19315 + * instead of a read transaction followed by a
19316 + * flush-for-ownership transaction:
19317 + */
19318 + u64 old_val, real_val = 0;
19319 +
19320 + do {
19321 + old_val = real_val;
19322 +
19323 + real_val = atomic64_cmpxchg_unchecked(ptr, old_val, new_val);
19324 +
19325 + } while (real_val != old_val);
19326 +
19327 + return old_val;
19328 +}
19329 +EXPORT_SYMBOL(atomic64_xchg_unchecked);
19330 +
19331 +/**
19332 * atomic64_set - set atomic64 variable
19333 * @ptr: pointer to type atomic64_t
19334 * @new_val: value to assign
19335 @@ -69,7 +105,19 @@ void atomic64_set(atomic64_t *ptr, u64 n
19336 EXPORT_SYMBOL(atomic64_set);
19337
19338 /**
19339 -EXPORT_SYMBOL(atomic64_read);
19340 + * atomic64_unchecked_set - set atomic64 variable
19341 + * @ptr: pointer to type atomic64_unchecked_t
19342 + * @new_val: value to assign
19343 + *
19344 + * Atomically sets the value of @ptr to @new_val.
19345 + */
19346 +void atomic64_set_unchecked(atomic64_unchecked_t *ptr, u64 new_val)
19347 +{
19348 + atomic64_xchg_unchecked(ptr, new_val);
19349 +}
19350 +EXPORT_SYMBOL(atomic64_set_unchecked);
19351 +
19352 +/**
19353 * atomic64_add_return - add and return
19354 * @delta: integer value to add
19355 * @ptr: pointer to type atomic64_t
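Review bot: The kernel-doc header added here is titled `atomic64_unchecked_set`, but the function it documents is `atomic64_set_unchecked`, so kernel-doc tooling and a grep for the function name will not find the description. The first line should read ` * atomic64_set_unchecked - set atomic64 variable`. The other `_unchecked` headers added in this file section use the function's real name.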
19356 @@ -99,24 +147,72 @@ noinline u64 atomic64_add_return(u64 del
19357 }
19358 EXPORT_SYMBOL(atomic64_add_return);
19359
19360 +/**
19361 + * atomic64_add_return_unchecked - add and return
19362 + * @delta: integer value to add
19363 + * @ptr: pointer to type atomic64_unchecked_t
19364 + *
19365 + * Atomically adds @delta to @ptr and returns @delta + *@ptr
19366 + */
19367 +noinline u64 atomic64_add_return_unchecked(u64 delta, atomic64_unchecked_t *ptr)
19368 +{
19369 + /*
19370 + * Try first with a (possibly incorrect) assumption about
19371 + * what we have there. We'll do two loops most likely,
19372 + * but we'll get an ownership MESI transaction straight away
19373 + * instead of a read transaction followed by a
19374 + * flush-for-ownership transaction:
19375 + */
19376 + u64 old_val, new_val, real_val = 0;
19377 +
19378 + do {
19379 + old_val = real_val;
19380 + new_val = old_val + delta;
19381 +
19382 + real_val = atomic64_cmpxchg_unchecked(ptr, old_val, new_val);
19383 +
19384 + } while (real_val != old_val);
19385 +
19386 + return new_val;
19387 +}
19388 +EXPORT_SYMBOL(atomic64_add_return_unchecked);
19389 +
19390 u64 atomic64_sub_return(u64 delta, atomic64_t *ptr)
19391 {
19392 return atomic64_add_return(-delta, ptr);
19393 }
19394 EXPORT_SYMBOL(atomic64_sub_return);
19395
19396 +u64 atomic64_sub_return_unchecked(u64 delta, atomic64_unchecked_t *ptr)
19397 +{
19398 + return atomic64_add_return_unchecked(-delta, ptr);
19399 +}
19400 +EXPORT_SYMBOL(atomic64_sub_return_unchecked);
19401 +
19402 u64 atomic64_inc_return(atomic64_t *ptr)
19403 {
19404 return atomic64_add_return(1, ptr);
19405 }
19406 EXPORT_SYMBOL(atomic64_inc_return);
19407
19408 +u64 atomic64_inc_return_unchecked(atomic64_unchecked_t *ptr)
19409 +{
19410 + return atomic64_add_return_unchecked(1, ptr);
19411 +}
19412 +EXPORT_SYMBOL(atomic64_inc_return_unchecked);
19413 +
19414 u64 atomic64_dec_return(atomic64_t *ptr)
19415 {
19416 return atomic64_sub_return(1, ptr);
19417 }
19418 EXPORT_SYMBOL(atomic64_dec_return);
19419
19420 +u64 atomic64_dec_return_unchecked(atomic64_unchecked_t *ptr)
19421 +{
19422 + return atomic64_sub_return_unchecked(1, ptr);
19423 +}
19424 +EXPORT_SYMBOL(atomic64_dec_return_unchecked);
19425 +
19426 /**
19427 * atomic64_add - add integer to atomic64 variable
19428 * @delta: integer value to add
19429 @@ -131,6 +227,19 @@ void atomic64_add(u64 delta, atomic64_t
19430 EXPORT_SYMBOL(atomic64_add);
19431
19432 /**
19433 + * atomic64_add_unchecked - add integer to atomic64 variable
19434 + * @delta: integer value to add
19435 + * @ptr: pointer to type atomic64_unchecked_t
19436 + *
19437 + * Atomically adds @delta to @ptr.
19438 + */
19439 +void atomic64_add_unchecked(u64 delta, atomic64_unchecked_t *ptr)
19440 +{
19441 + atomic64_add_return_unchecked(delta, ptr);
19442 +}
19443 +EXPORT_SYMBOL(atomic64_add_unchecked);
19444 +
19445 +/**
19446 * atomic64_sub - subtract the atomic64 variable
19447 * @delta: integer value to subtract
19448 * @ptr: pointer to type atomic64_t
19449 @@ -144,6 +253,19 @@ void atomic64_sub(u64 delta, atomic64_t
19450 EXPORT_SYMBOL(atomic64_sub);
19451
19452 /**
19453 + * atomic64_sub_unchecked - subtract the atomic64 variable
19454 + * @delta: integer value to subtract
19455 + * @ptr: pointer to type atomic64_unchecked_t
19456 + *
19457 + * Atomically subtracts @delta from @ptr.
19458 + */
19459 +void atomic64_sub_unchecked(u64 delta, atomic64_unchecked_t *ptr)
19460 +{
19461 + atomic64_add_unchecked(-delta, ptr);
19462 +}
19463 +EXPORT_SYMBOL(atomic64_sub_unchecked);
19464 +
19465 +/**
19466 * atomic64_sub_and_test - subtract value from variable and test result
19467 * @delta: integer value to subtract
19468 * @ptr: pointer to type atomic64_t
19469 @@ -173,6 +295,18 @@ void atomic64_inc(atomic64_t *ptr)
19470 EXPORT_SYMBOL(atomic64_inc);
19471
19472 /**
19473 + * atomic64_inc_unchecked - increment atomic64 variable
19474 + * @ptr: pointer to type atomic64_unchecked_t
19475 + *
19476 + * Atomically increments @ptr by 1.
19477 + */
19478 +void atomic64_inc_unchecked(atomic64_unchecked_t *ptr)
19479 +{
19480 + atomic64_add_unchecked(1, ptr);
19481 +}
19482 +EXPORT_SYMBOL(atomic64_inc_unchecked);
19483 +
19484 +/**
19485 * atomic64_dec - decrement atomic64 variable
19486 * @ptr: pointer to type atomic64_t
19487 *
19488 @@ -185,6 +319,18 @@ void atomic64_dec(atomic64_t *ptr)
19489 EXPORT_SYMBOL(atomic64_dec);
19490
19491 /**
19492 + * atomic64_dec_unchecked - decrement atomic64 variable
19493 + * @ptr: pointer to type atomic64_unchecked_t
19494 + *
19495 + * Atomically decrements @ptr by 1.
19496 + */
19497 +void atomic64_dec_unchecked(atomic64_unchecked_t *ptr)
19498 +{
19499 + atomic64_sub_unchecked(1, ptr);
19500 +}
19501 +EXPORT_SYMBOL(atomic64_dec_unchecked);
19502 +
19503 +/**
19504 * atomic64_dec_and_test - decrement and test
19505 * @ptr: pointer to type atomic64_t
19506 *
19507 diff -urNp linux-2.6.32.46/arch/x86/lib/checksum_32.S linux-2.6.32.46/arch/x86/lib/checksum_32.S
19508 --- linux-2.6.32.46/arch/x86/lib/checksum_32.S 2011-03-27 14:31:47.000000000 -0400
19509 +++ linux-2.6.32.46/arch/x86/lib/checksum_32.S 2011-04-17 15:56:46.000000000 -0400
19510 @@ -28,7 +28,8 @@
19511 #include <linux/linkage.h>
19512 #include <asm/dwarf2.h>
19513 #include <asm/errno.h>
19514 -
19515 +#include <asm/segment.h>
19516 +
19517 /*
19518 * computes a partial checksum, e.g. for TCP/UDP fragments
19519 */
19520 @@ -304,9 +305,28 @@ unsigned int csum_partial_copy_generic (
19521
19522 #define ARGBASE 16
19523 #define FP 12
19524 -
19525 -ENTRY(csum_partial_copy_generic)
19526 +
19527 +ENTRY(csum_partial_copy_generic_to_user)
19528 CFI_STARTPROC
19529 +
19530 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19531 + pushl %gs
19532 + CFI_ADJUST_CFA_OFFSET 4
19533 + popl %es
19534 + CFI_ADJUST_CFA_OFFSET -4
19535 + jmp csum_partial_copy_generic
19536 +#endif
19537 +
19538 +ENTRY(csum_partial_copy_generic_from_user)
19539 +
19540 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19541 + pushl %gs
19542 + CFI_ADJUST_CFA_OFFSET 4
19543 + popl %ds
19544 + CFI_ADJUST_CFA_OFFSET -4
19545 +#endif
19546 +
19547 +ENTRY(csum_partial_copy_generic)
19548 subl $4,%esp
19549 CFI_ADJUST_CFA_OFFSET 4
19550 pushl %edi
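Review bot: The three entry points added here depend on fall-through and on a `jmp` that exists only under `#ifdef`, and nothing in the hunk documents that. With CONFIG_PAX_MEMORY_UDEREF, `csum_partial_copy_generic_to_user` loads %es from %gs and jumps over `csum_partial_copy_generic_from_user`, which loads %ds from %gs and falls into `csum_partial_copy_generic`. Without it, all three labels are aliases for the same code. A comment above the first ENTRY would make this explicit, e.g. `/* _to_user: %es = %gs for the DST() stores; _from_user: %ds = %gs for the SRC() loads; both continue in csum_partial_copy_generic */`. The function body continues outside the hunk.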
19551 @@ -331,7 +351,7 @@ ENTRY(csum_partial_copy_generic)
19552 jmp 4f
19553 SRC(1: movw (%esi), %bx )
19554 addl $2, %esi
19555 -DST( movw %bx, (%edi) )
19556 +DST( movw %bx, %es:(%edi) )
19557 addl $2, %edi
19558 addw %bx, %ax
19559 adcl $0, %eax
19560 @@ -343,30 +363,30 @@ DST( movw %bx, (%edi) )
19561 SRC(1: movl (%esi), %ebx )
19562 SRC( movl 4(%esi), %edx )
19563 adcl %ebx, %eax
19564 -DST( movl %ebx, (%edi) )
19565 +DST( movl %ebx, %es:(%edi) )
19566 adcl %edx, %eax
19567 -DST( movl %edx, 4(%edi) )
19568 +DST( movl %edx, %es:4(%edi) )
19569
19570 SRC( movl 8(%esi), %ebx )
19571 SRC( movl 12(%esi), %edx )
19572 adcl %ebx, %eax
19573 -DST( movl %ebx, 8(%edi) )
19574 +DST( movl %ebx, %es:8(%edi) )
19575 adcl %edx, %eax
19576 -DST( movl %edx, 12(%edi) )
19577 +DST( movl %edx, %es:12(%edi) )
19578
19579 SRC( movl 16(%esi), %ebx )
19580 SRC( movl 20(%esi), %edx )
19581 adcl %ebx, %eax
19582 -DST( movl %ebx, 16(%edi) )
19583 +DST( movl %ebx, %es:16(%edi) )
19584 adcl %edx, %eax
19585 -DST( movl %edx, 20(%edi) )
19586 +DST( movl %edx, %es:20(%edi) )
19587
19588 SRC( movl 24(%esi), %ebx )
19589 SRC( movl 28(%esi), %edx )
19590 adcl %ebx, %eax
19591 -DST( movl %ebx, 24(%edi) )
19592 +DST( movl %ebx, %es:24(%edi) )
19593 adcl %edx, %eax
19594 -DST( movl %edx, 28(%edi) )
19595 +DST( movl %edx, %es:28(%edi) )
19596
19597 lea 32(%esi), %esi
19598 lea 32(%edi), %edi
19599 @@ -380,7 +400,7 @@ DST( movl %edx, 28(%edi) )
19600 shrl $2, %edx # This clears CF
19601 SRC(3: movl (%esi), %ebx )
19602 adcl %ebx, %eax
19603 -DST( movl %ebx, (%edi) )
19604 +DST( movl %ebx, %es:(%edi) )
19605 lea 4(%esi), %esi
19606 lea 4(%edi), %edi
19607 dec %edx
19608 @@ -392,12 +412,12 @@ DST( movl %ebx, (%edi) )
19609 jb 5f
19610 SRC( movw (%esi), %cx )
19611 leal 2(%esi), %esi
19612 -DST( movw %cx, (%edi) )
19613 +DST( movw %cx, %es:(%edi) )
19614 leal 2(%edi), %edi
19615 je 6f
19616 shll $16,%ecx
19617 SRC(5: movb (%esi), %cl )
19618 -DST( movb %cl, (%edi) )
19619 +DST( movb %cl, %es:(%edi) )
19620 6: addl %ecx, %eax
19621 adcl $0, %eax
19622 7:
19623 @@ -408,7 +428,7 @@ DST( movb %cl, (%edi) )
19624
19625 6001:
19626 movl ARGBASE+20(%esp), %ebx # src_err_ptr
19627 - movl $-EFAULT, (%ebx)
19628 + movl $-EFAULT, %ss:(%ebx)
19629
19630 # zero the complete destination - computing the rest
19631 # is too much work
19632 @@ -421,11 +441,19 @@ DST( movb %cl, (%edi) )
19633
19634 6002:
19635 movl ARGBASE+24(%esp), %ebx # dst_err_ptr
19636 - movl $-EFAULT,(%ebx)
19637 + movl $-EFAULT,%ss:(%ebx)
19638 jmp 5000b
19639
19640 .previous
19641
19642 + pushl %ss
19643 + CFI_ADJUST_CFA_OFFSET 4
19644 + popl %ds
19645 + CFI_ADJUST_CFA_OFFSET -4
19646 + pushl %ss
19647 + CFI_ADJUST_CFA_OFFSET 4
19648 + popl %es
19649 + CFI_ADJUST_CFA_OFFSET -4
19650 popl %ebx
19651 CFI_ADJUST_CFA_OFFSET -4
19652 CFI_RESTORE ebx
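Review bot: The `pushl %ss`/`popl %ds` and `pushl %ss`/`popl %es` restore added before the epilogue is not wrapped in `#ifdef CONFIG_PAX_MEMORY_UDEREF`, although the segment loads at the entry points are. The PentiumII/PPro variant later in this file does guard the same sequence. As written, a build without UDEREF reloads %ds and %es from %ss on every call; whether that only wastes cycles or changes selectors the rest of the kernel expects cannot be told from this hunk. Wrap the eight added lines in `#ifdef CONFIG_PAX_MEMORY_UDEREF` … `#endif` to match the other variant.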
19653 @@ -439,26 +467,47 @@ DST( movb %cl, (%edi) )
19654 CFI_ADJUST_CFA_OFFSET -4
19655 ret
19656 CFI_ENDPROC
19657 -ENDPROC(csum_partial_copy_generic)
19658 +ENDPROC(csum_partial_copy_generic_to_user)
19659
19660 #else
19661
19662 /* Version for PentiumII/PPro */
19663
19664 #define ROUND1(x) \
19665 + nop; nop; nop; \
19666 SRC(movl x(%esi), %ebx ) ; \
19667 addl %ebx, %eax ; \
19668 - DST(movl %ebx, x(%edi) ) ;
19669 + DST(movl %ebx, %es:x(%edi)) ;
19670
19671 #define ROUND(x) \
19672 + nop; nop; nop; \
19673 SRC(movl x(%esi), %ebx ) ; \
19674 adcl %ebx, %eax ; \
19675 - DST(movl %ebx, x(%edi) ) ;
19676 + DST(movl %ebx, %es:x(%edi)) ;
19677
19678 #define ARGBASE 12
19679 -
19680 -ENTRY(csum_partial_copy_generic)
19681 +
19682 +ENTRY(csum_partial_copy_generic_to_user)
19683 CFI_STARTPROC
19684 +
19685 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19686 + pushl %gs
19687 + CFI_ADJUST_CFA_OFFSET 4
19688 + popl %es
19689 + CFI_ADJUST_CFA_OFFSET -4
19690 + jmp csum_partial_copy_generic
19691 +#endif
19692 +
19693 +ENTRY(csum_partial_copy_generic_from_user)
19694 +
19695 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19696 + pushl %gs
19697 + CFI_ADJUST_CFA_OFFSET 4
19698 + popl %ds
19699 + CFI_ADJUST_CFA_OFFSET -4
19700 +#endif
19701 +
19702 +ENTRY(csum_partial_copy_generic)
19703 pushl %ebx
19704 CFI_ADJUST_CFA_OFFSET 4
19705 CFI_REL_OFFSET ebx, 0
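Review bot: ROUND1 and ROUND gain three `nop`s and an `%es:` prefix with no comment tying them to the `lea 3f(%ebx,%ebx), %ebx` → `lea 3f(%ebx,%ebx,2), %ebx` change in the next hunk. The computed `jmp *%ebx` presumably needs every ROUND expansion to have one fixed byte size, and the padding looks like it rounds each expansion up to the new 3x stride. Anyone who later edits the macro would silently break the jump target. Add a comment on both macros, e.g. `/* size-critical: the computed jump into the unrolled loop assumes a fixed ROUND length, keep in sync with the lea before jmp *%ebx */`. The padding and the `%es:` prefix are emitted whether or not CONFIG_PAX_MEMORY_UDEREF is set, which is worth stating in the same comment.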
19706 @@ -482,7 +531,7 @@ ENTRY(csum_partial_copy_generic)
19707 subl %ebx, %edi
19708 lea -1(%esi),%edx
19709 andl $-32,%edx
19710 - lea 3f(%ebx,%ebx), %ebx
19711 + lea 3f(%ebx,%ebx,2), %ebx
19712 testl %esi, %esi
19713 jmp *%ebx
19714 1: addl $64,%esi
19715 @@ -503,19 +552,19 @@ ENTRY(csum_partial_copy_generic)
19716 jb 5f
19717 SRC( movw (%esi), %dx )
19718 leal 2(%esi), %esi
19719 -DST( movw %dx, (%edi) )
19720 +DST( movw %dx, %es:(%edi) )
19721 leal 2(%edi), %edi
19722 je 6f
19723 shll $16,%edx
19724 5:
19725 SRC( movb (%esi), %dl )
19726 -DST( movb %dl, (%edi) )
19727 +DST( movb %dl, %es:(%edi) )
19728 6: addl %edx, %eax
19729 adcl $0, %eax
19730 7:
19731 .section .fixup, "ax"
19732 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
19733 - movl $-EFAULT, (%ebx)
19734 + movl $-EFAULT, %ss:(%ebx)
19735 # zero the complete destination (computing the rest is too much work)
19736 movl ARGBASE+8(%esp),%edi # dst
19737 movl ARGBASE+12(%esp),%ecx # len
19738 @@ -523,10 +572,21 @@ DST( movb %dl, (%edi) )
19739 rep; stosb
19740 jmp 7b
19741 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
19742 - movl $-EFAULT, (%ebx)
19743 + movl $-EFAULT, %ss:(%ebx)
19744 jmp 7b
19745 .previous
19746
19747 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19748 + pushl %ss
19749 + CFI_ADJUST_CFA_OFFSET 4
19750 + popl %ds
19751 + CFI_ADJUST_CFA_OFFSET -4
19752 + pushl %ss
19753 + CFI_ADJUST_CFA_OFFSET 4
19754 + popl %es
19755 + CFI_ADJUST_CFA_OFFSET -4
19756 +#endif
19757 +
19758 popl %esi
19759 CFI_ADJUST_CFA_OFFSET -4
19760 CFI_RESTORE esi
19761 @@ -538,7 +598,7 @@ DST( movb %dl, (%edi) )
19762 CFI_RESTORE ebx
19763 ret
19764 CFI_ENDPROC
19765 -ENDPROC(csum_partial_copy_generic)
19766 +ENDPROC(csum_partial_copy_generic_to_user)
19767
19768 #undef ROUND
19769 #undef ROUND1
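Review bot: Only `csum_partial_copy_generic_to_user` is closed with ENDPROC here, and the same is true at the end of the first variant earlier in this file. `csum_partial_copy_generic_from_user` and `csum_partial_copy_generic` are opened with ENTRY in the same body but never closed, so they presumably end up without function type and size annotations. Add `ENDPROC(csum_partial_copy_generic_from_user)` and `ENDPROC(csum_partial_copy_generic)` next to the existing line in both variants.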
19770 diff -urNp linux-2.6.32.46/arch/x86/lib/clear_page_64.S linux-2.6.32.46/arch/x86/lib/clear_page_64.S
19771 --- linux-2.6.32.46/arch/x86/lib/clear_page_64.S 2011-03-27 14:31:47.000000000 -0400
19772 +++ linux-2.6.32.46/arch/x86/lib/clear_page_64.S 2011-10-06 09:37:08.000000000 -0400
19773 @@ -1,5 +1,6 @@
19774 #include <linux/linkage.h>
19775 #include <asm/dwarf2.h>
19776 +#include <asm/alternative-asm.h>
19777
19778 /*
19779 * Zero a page.
19780 @@ -10,6 +11,7 @@ ENTRY(clear_page_c)
19781 movl $4096/8,%ecx
19782 xorl %eax,%eax
19783 rep stosq
19784 + pax_force_retaddr
19785 ret
19786 CFI_ENDPROC
19787 ENDPROC(clear_page_c)
19788 @@ -33,6 +35,7 @@ ENTRY(clear_page)
19789 leaq 64(%rdi),%rdi
19790 jnz .Lloop
19791 nop
19792 + pax_force_retaddr
19793 ret
19794 CFI_ENDPROC
19795 .Lclear_page_end:
19796 @@ -43,7 +46,7 @@ ENDPROC(clear_page)
19797
19798 #include <asm/cpufeature.h>
19799
19800 - .section .altinstr_replacement,"ax"
19801 + .section .altinstr_replacement,"a"
19802 1: .byte 0xeb /* jmp <disp8> */
19803 .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
19804 2:
19805 diff -urNp linux-2.6.32.46/arch/x86/lib/copy_page_64.S linux-2.6.32.46/arch/x86/lib/copy_page_64.S
19806 --- linux-2.6.32.46/arch/x86/lib/copy_page_64.S 2011-03-27 14:31:47.000000000 -0400
19807 +++ linux-2.6.32.46/arch/x86/lib/copy_page_64.S 2011-10-06 09:37:08.000000000 -0400
19808 @@ -2,12 +2,14 @@
19809
19810 #include <linux/linkage.h>
19811 #include <asm/dwarf2.h>
19812 +#include <asm/alternative-asm.h>
19813
19814 ALIGN
19815 copy_page_c:
19816 CFI_STARTPROC
19817 movl $4096/8,%ecx
19818 rep movsq
19819 + pax_force_retaddr
19820 ret
19821 CFI_ENDPROC
19822 ENDPROC(copy_page_c)
19823 @@ -94,6 +96,7 @@ ENTRY(copy_page)
19824 CFI_RESTORE r13
19825 addq $3*8,%rsp
19826 CFI_ADJUST_CFA_OFFSET -3*8
19827 + pax_force_retaddr
19828 ret
19829 .Lcopy_page_end:
19830 CFI_ENDPROC
19831 @@ -104,7 +107,7 @@ ENDPROC(copy_page)
19832
19833 #include <asm/cpufeature.h>
19834
19835 - .section .altinstr_replacement,"ax"
19836 + .section .altinstr_replacement,"a"
19837 1: .byte 0xeb /* jmp <disp8> */
19838 .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
19839 2:
19840 diff -urNp linux-2.6.32.46/arch/x86/lib/copy_user_64.S linux-2.6.32.46/arch/x86/lib/copy_user_64.S
19841 --- linux-2.6.32.46/arch/x86/lib/copy_user_64.S 2011-06-25 12:55:34.000000000 -0400
19842 +++ linux-2.6.32.46/arch/x86/lib/copy_user_64.S 2011-10-06 10:12:52.000000000 -0400
19843 @@ -15,13 +15,15 @@
19844 #include <asm/asm-offsets.h>
19845 #include <asm/thread_info.h>
19846 #include <asm/cpufeature.h>
19847 +#include <asm/pgtable.h>
19848 +#include <asm/alternative-asm.h>
19849
19850 .macro ALTERNATIVE_JUMP feature,orig,alt
19851 0:
19852 .byte 0xe9 /* 32bit jump */
19853 .long \orig-1f /* by default jump to orig */
19854 1:
19855 - .section .altinstr_replacement,"ax"
19856 + .section .altinstr_replacement,"a"
19857 2: .byte 0xe9 /* near jump with 32bit immediate */
19858 .long \alt-1b /* offset */ /* or alternatively to alt */
19859 .previous
19860 @@ -64,55 +66,26 @@
19861 #endif
19862 .endm
19863
19864 -/* Standard copy_to_user with segment limit checking */
19865 -ENTRY(copy_to_user)
19866 - CFI_STARTPROC
19867 - GET_THREAD_INFO(%rax)
19868 - movq %rdi,%rcx
19869 - addq %rdx,%rcx
19870 - jc bad_to_user
19871 - cmpq TI_addr_limit(%rax),%rcx
19872 - ja bad_to_user
19873 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
19874 - CFI_ENDPROC
19875 -ENDPROC(copy_to_user)
19876 -
19877 -/* Standard copy_from_user with segment limit checking */
19878 -ENTRY(copy_from_user)
19879 - CFI_STARTPROC
19880 - GET_THREAD_INFO(%rax)
19881 - movq %rsi,%rcx
19882 - addq %rdx,%rcx
19883 - jc bad_from_user
19884 - cmpq TI_addr_limit(%rax),%rcx
19885 - ja bad_from_user
19886 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
19887 - CFI_ENDPROC
19888 -ENDPROC(copy_from_user)
19889 -
19890 ENTRY(copy_user_generic)
19891 CFI_STARTPROC
19892 ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
19893 CFI_ENDPROC
19894 ENDPROC(copy_user_generic)
19895
19896 -ENTRY(__copy_from_user_inatomic)
19897 - CFI_STARTPROC
19898 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
19899 - CFI_ENDPROC
19900 -ENDPROC(__copy_from_user_inatomic)
19901 -
19902 .section .fixup,"ax"
19903 /* must zero dest */
19904 ENTRY(bad_from_user)
19905 bad_from_user:
19906 CFI_STARTPROC
19907 + testl %edx,%edx
19908 + js bad_to_user
19909 movl %edx,%ecx
19910 xorl %eax,%eax
19911 rep
19912 stosb
19913 bad_to_user:
19914 movl %edx,%eax
19915 + pax_force_retaddr
19916 ret
19917 CFI_ENDPROC
19918 ENDPROC(bad_from_user)
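Review bot: The added `testl %edx,%edx` / `js bad_to_user` in `bad_from_user` has no comment saying why the zeroing is skipped. It appears to guard `rep stosb` against a count with bit 31 set, which would otherwise clear 2 GiB or more starting at the destination. A one-line comment such as `/* count has bit 31 set: do not zero, just return it as the uncopied length */` would record that. This hunk also deletes the `TI_addr_limit` range checks of `copy_to_user`/`copy_from_user` from this file; the replacement is not visible here, so the change should point to where the check now lives.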
19919 @@ -180,6 +153,7 @@ ENTRY(copy_user_generic_unrolled)
19920 decl %ecx
19921 jnz 21b
19922 23: xor %eax,%eax
19923 + pax_force_retaddr
19924 ret
19925
19926 .section .fixup,"ax"
19927 @@ -252,6 +226,7 @@ ENTRY(copy_user_generic_string)
19928 3: rep
19929 movsb
19930 4: xorl %eax,%eax
19931 + pax_force_retaddr
19932 ret
19933
19934 .section .fixup,"ax"
19935 diff -urNp linux-2.6.32.46/arch/x86/lib/copy_user_nocache_64.S linux-2.6.32.46/arch/x86/lib/copy_user_nocache_64.S
19936 --- linux-2.6.32.46/arch/x86/lib/copy_user_nocache_64.S 2011-03-27 14:31:47.000000000 -0400
19937 +++ linux-2.6.32.46/arch/x86/lib/copy_user_nocache_64.S 2011-10-06 09:37:08.000000000 -0400
19938 @@ -8,12 +8,14 @@
19939
19940 #include <linux/linkage.h>
19941 #include <asm/dwarf2.h>
19942 +#include <asm/alternative-asm.h>
19943
19944 #define FIX_ALIGNMENT 1
19945
19946 #include <asm/current.h>
19947 #include <asm/asm-offsets.h>
19948 #include <asm/thread_info.h>
19949 +#include <asm/pgtable.h>
19950
19951 .macro ALIGN_DESTINATION
19952 #ifdef FIX_ALIGNMENT
19953 @@ -50,6 +52,15 @@
19954 */
19955 ENTRY(__copy_user_nocache)
19956 CFI_STARTPROC
19957 +
19958 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19959 + mov $PAX_USER_SHADOW_BASE,%rcx
19960 + cmp %rcx,%rsi
19961 + jae 1f
19962 + add %rcx,%rsi
19963 +1:
19964 +#endif
19965 +
19966 cmpl $8,%edx
19967 jb 20f /* less then 8 bytes, go to byte copy loop */
19968 ALIGN_DESTINATION
19969 @@ -98,6 +109,7 @@ ENTRY(__copy_user_nocache)
19970 jnz 21b
19971 23: xorl %eax,%eax
19972 sfence
19973 + pax_force_retaddr
19974 ret
19975
19976 .section .fixup,"ax"
19977 diff -urNp linux-2.6.32.46/arch/x86/lib/csum-copy_64.S linux-2.6.32.46/arch/x86/lib/csum-copy_64.S
19978 --- linux-2.6.32.46/arch/x86/lib/csum-copy_64.S 2011-03-27 14:31:47.000000000 -0400
19979 +++ linux-2.6.32.46/arch/x86/lib/csum-copy_64.S 2011-10-06 09:37:14.000000000 -0400
19980 @@ -8,6 +8,7 @@
19981 #include <linux/linkage.h>
19982 #include <asm/dwarf2.h>
19983 #include <asm/errno.h>
19984 +#include <asm/alternative-asm.h>
19985
19986 /*
19987 * Checksum copy with exception handling.
19988 @@ -228,6 +229,7 @@ ENTRY(csum_partial_copy_generic)
19989 CFI_RESTORE rbp
19990 addq $7*8,%rsp
19991 CFI_ADJUST_CFA_OFFSET -7*8
19992 + pax_force_retaddr
19993 ret
19994 CFI_RESTORE_STATE
19995
19996 diff -urNp linux-2.6.32.46/arch/x86/lib/csum-wrappers_64.c linux-2.6.32.46/arch/x86/lib/csum-wrappers_64.c
19997 --- linux-2.6.32.46/arch/x86/lib/csum-wrappers_64.c 2011-03-27 14:31:47.000000000 -0400
19998 +++ linux-2.6.32.46/arch/x86/lib/csum-wrappers_64.c 2011-10-06 09:37:08.000000000 -0400
19999 @@ -52,7 +52,13 @@ csum_partial_copy_from_user(const void _
20000 len -= 2;
20001 }
20002 }
20003 - isum = csum_partial_copy_generic((__force const void *)src,
20004 +
20005 +#ifdef CONFIG_PAX_MEMORY_UDEREF
20006 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
20007 + src += PAX_USER_SHADOW_BASE;
20008 +#endif
20009 +
20010 + isum = csum_partial_copy_generic((const void __force_kernel *)src,
20011 dst, len, isum, errp, NULL);
20012 if (unlikely(*errp))
20013 goto out_err;
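Review bot: The UDEREF block that adds `PAX_USER_SHADOW_BASE` to `src` carries no comment, and the same three lines are repeated for `dst` in the `csum_partial_copy_to_user` hunk below. Only the start address is compared with the base, so the adjustment presumably relies on a range check earlier in the function, which starts outside the hunk. Suggested comment: `/* UDEREF: rebase a plain userland address by PAX_USER_SHADOW_BASE before the kernel-mode copy; the range must already have been validated */`. Confirm the second half against the code above before adding it.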
20014 @@ -105,7 +111,13 @@ csum_partial_copy_to_user(const void *sr
20015 }
20016
20017 *errp = 0;
20018 - return csum_partial_copy_generic(src, (void __force *)dst,
20019 +
20020 +#ifdef CONFIG_PAX_MEMORY_UDEREF
20021 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
20022 + dst += PAX_USER_SHADOW_BASE;
20023 +#endif
20024 +
20025 + return csum_partial_copy_generic(src, (void __force_kernel *)dst,
20026 len, isum, NULL, errp);
20027 }
20028 EXPORT_SYMBOL(csum_partial_copy_to_user);
20029 diff -urNp linux-2.6.32.46/arch/x86/lib/getuser.S linux-2.6.32.46/arch/x86/lib/getuser.S
20030 --- linux-2.6.32.46/arch/x86/lib/getuser.S 2011-03-27 14:31:47.000000000 -0400
20031 +++ linux-2.6.32.46/arch/x86/lib/getuser.S 2011-04-17 15:56:46.000000000 -0400
20032 @@ -33,14 +33,35 @@
20033 #include <asm/asm-offsets.h>
20034 #include <asm/thread_info.h>
20035 #include <asm/asm.h>
20036 +#include <asm/segment.h>
20037 +#include <asm/pgtable.h>
20038 +
20039 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
20040 +#define __copyuser_seg gs;
20041 +#else
20042 +#define __copyuser_seg
20043 +#endif
20044
20045 .text
20046 ENTRY(__get_user_1)
20047 CFI_STARTPROC
20048 +
20049 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20050 GET_THREAD_INFO(%_ASM_DX)
20051 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
20052 jae bad_get_user
20053 -1: movzb (%_ASM_AX),%edx
20054 +
20055 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20056 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
20057 + cmp %_ASM_DX,%_ASM_AX
20058 + jae 1234f
20059 + add %_ASM_DX,%_ASM_AX
20060 +1234:
20061 +#endif
20062 +
20063 +#endif
20064 +
20065 +1: __copyuser_seg movzb (%_ASM_AX),%edx
20066 xor %eax,%eax
20067 ret
20068 CFI_ENDPROC
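Review bot: On 32-bit builds with CONFIG_PAX_MEMORY_UDEREF the `TI_addr_limit` comparison in `__get_user_1` is compiled out and the load goes through the `gs` override from `__copyuser_seg`, but no comment says the bounds check is now delegated to that segment. State it next to the `#if`, e.g. `/* 32-bit UDEREF: no addr_limit check, the access goes through %gs and is bounded by that segment */`, once the %gs setup elsewhere in the patch is confirmed. In `__get_user_2` and `__get_user_4` (next hunks) the `jc bad_get_user` wrap check sits inside the same `#if`, so it is dropped too and deserves the same note. The two bare `#endif` lines would read better as `#endif /* CONFIG_X86_64 && CONFIG_PAX_MEMORY_UDEREF */` and `#endif /* !CONFIG_X86_32 || !CONFIG_PAX_MEMORY_UDEREF */`.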
20069 @@ -49,11 +70,24 @@ ENDPROC(__get_user_1)
20070 ENTRY(__get_user_2)
20071 CFI_STARTPROC
20072 add $1,%_ASM_AX
20073 +
20074 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20075 jc bad_get_user
20076 GET_THREAD_INFO(%_ASM_DX)
20077 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
20078 jae bad_get_user
20079 -2: movzwl -1(%_ASM_AX),%edx
20080 +
20081 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20082 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
20083 + cmp %_ASM_DX,%_ASM_AX
20084 + jae 1234f
20085 + add %_ASM_DX,%_ASM_AX
20086 +1234:
20087 +#endif
20088 +
20089 +#endif
20090 +
20091 +2: __copyuser_seg movzwl -1(%_ASM_AX),%edx
20092 xor %eax,%eax
20093 ret
20094 CFI_ENDPROC
20095 @@ -62,11 +96,24 @@ ENDPROC(__get_user_2)
20096 ENTRY(__get_user_4)
20097 CFI_STARTPROC
20098 add $3,%_ASM_AX
20099 +
20100 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20101 jc bad_get_user
20102 GET_THREAD_INFO(%_ASM_DX)
20103 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
20104 jae bad_get_user
20105 -3: mov -3(%_ASM_AX),%edx
20106 +
20107 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20108 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
20109 + cmp %_ASM_DX,%_ASM_AX
20110 + jae 1234f
20111 + add %_ASM_DX,%_ASM_AX
20112 +1234:
20113 +#endif
20114 +
20115 +#endif
20116 +
20117 +3: __copyuser_seg mov -3(%_ASM_AX),%edx
20118 xor %eax,%eax
20119 ret
20120 CFI_ENDPROC
20121 @@ -80,6 +127,15 @@ ENTRY(__get_user_8)
20122 GET_THREAD_INFO(%_ASM_DX)
20123 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
20124 jae bad_get_user
20125 +
20126 +#ifdef CONFIG_PAX_MEMORY_UDEREF
20127 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
20128 + cmp %_ASM_DX,%_ASM_AX
20129 + jae 1234f
20130 + add %_ASM_DX,%_ASM_AX
20131 +1234:
20132 +#endif
20133 +
20134 4: movq -7(%_ASM_AX),%_ASM_DX
20135 xor %eax,%eax
20136 ret
20137 diff -urNp linux-2.6.32.46/arch/x86/lib/iomap_copy_64.S linux-2.6.32.46/arch/x86/lib/iomap_copy_64.S
20138 --- linux-2.6.32.46/arch/x86/lib/iomap_copy_64.S 2011-03-27 14:31:47.000000000 -0400
20139 +++ linux-2.6.32.46/arch/x86/lib/iomap_copy_64.S 2011-10-06 09:37:14.000000000 -0400
20140 @@ -17,6 +17,7 @@
20141
20142 #include <linux/linkage.h>
20143 #include <asm/dwarf2.h>
20144 +#include <asm/alternative-asm.h>
20145
20146 /*
20147 * override generic version in lib/iomap_copy.c
20148 @@ -25,6 +26,7 @@ ENTRY(__iowrite32_copy)
20149 CFI_STARTPROC
20150 movl %edx,%ecx
20151 rep movsd
20152 + pax_force_retaddr
20153 ret
20154 CFI_ENDPROC
20155 ENDPROC(__iowrite32_copy)
20156 diff -urNp linux-2.6.32.46/arch/x86/lib/memcpy_64.S linux-2.6.32.46/arch/x86/lib/memcpy_64.S
20157 --- linux-2.6.32.46/arch/x86/lib/memcpy_64.S 2011-03-27 14:31:47.000000000 -0400
20158 +++ linux-2.6.32.46/arch/x86/lib/memcpy_64.S 2011-10-06 10:13:49.000000000 -0400
20159 @@ -4,6 +4,7 @@
20160
20161 #include <asm/cpufeature.h>
20162 #include <asm/dwarf2.h>
20163 +#include <asm/alternative-asm.h>
20164
20165 /*
20166 * memcpy - Copy a memory block.
20167 @@ -34,6 +35,7 @@ memcpy_c:
20168 rep movsq
20169 movl %edx, %ecx
20170 rep movsb
20171 + pax_force_retaddr
20172 ret
20173 CFI_ENDPROC
20174 ENDPROC(memcpy_c)
20175 @@ -118,6 +120,7 @@ ENTRY(memcpy)
20176 jnz .Lloop_1
20177
20178 .Lend:
20179 + pax_force_retaddr
20180 ret
20181 CFI_ENDPROC
20182 ENDPROC(memcpy)
20183 @@ -128,7 +131,7 @@ ENDPROC(__memcpy)
20184 * It is also a lot simpler. Use this when possible:
20185 */
20186
20187 - .section .altinstr_replacement, "ax"
20188 + .section .altinstr_replacement, "a"
20189 1: .byte 0xeb /* jmp <disp8> */
20190 .byte (memcpy_c - memcpy) - (2f - 1b) /* offset */
20191 2:
20192 diff -urNp linux-2.6.32.46/arch/x86/lib/memset_64.S linux-2.6.32.46/arch/x86/lib/memset_64.S
20193 --- linux-2.6.32.46/arch/x86/lib/memset_64.S 2011-03-27 14:31:47.000000000 -0400
20194 +++ linux-2.6.32.46/arch/x86/lib/memset_64.S 2011-10-06 09:37:08.000000000 -0400
20195 @@ -2,6 +2,7 @@
20196
20197 #include <linux/linkage.h>
20198 #include <asm/dwarf2.h>
20199 +#include <asm/alternative-asm.h>
20200
20201 /*
20202 * ISO C memset - set a memory block to a byte value.
20203 @@ -28,6 +29,7 @@ memset_c:
20204 movl %r8d,%ecx
20205 rep stosb
20206 movq %r9,%rax
20207 + pax_force_retaddr
20208 ret
20209 CFI_ENDPROC
20210 ENDPROC(memset_c)
20211 @@ -96,6 +98,7 @@ ENTRY(__memset)
20212
20213 .Lende:
20214 movq %r10,%rax
20215 + pax_force_retaddr
20216 ret
20217
20218 CFI_RESTORE_STATE
20219 @@ -118,7 +121,7 @@ ENDPROC(__memset)
20220
20221 #include <asm/cpufeature.h>
20222
20223 - .section .altinstr_replacement,"ax"
20224 + .section .altinstr_replacement,"a"
20225 1: .byte 0xeb /* jmp <disp8> */
20226 .byte (memset_c - memset) - (2f - 1b) /* offset */
20227 2:
20228 diff -urNp linux-2.6.32.46/arch/x86/lib/mmx_32.c linux-2.6.32.46/arch/x86/lib/mmx_32.c
20229 --- linux-2.6.32.46/arch/x86/lib/mmx_32.c 2011-03-27 14:31:47.000000000 -0400
20230 +++ linux-2.6.32.46/arch/x86/lib/mmx_32.c 2011-04-17 15:56:46.000000000 -0400
20231 @@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *
20232 {
20233 void *p;
20234 int i;
20235 + unsigned long cr0;
20236
20237 if (unlikely(in_interrupt()))
20238 return __memcpy(to, from, len);
20239 @@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *
20240 kernel_fpu_begin();
20241
20242 __asm__ __volatile__ (
20243 - "1: prefetch (%0)\n" /* This set is 28 bytes */
20244 - " prefetch 64(%0)\n"
20245 - " prefetch 128(%0)\n"
20246 - " prefetch 192(%0)\n"
20247 - " prefetch 256(%0)\n"
20248 + "1: prefetch (%1)\n" /* This set is 28 bytes */
20249 + " prefetch 64(%1)\n"
20250 + " prefetch 128(%1)\n"
20251 + " prefetch 192(%1)\n"
20252 + " prefetch 256(%1)\n"
20253 "2: \n"
20254 ".section .fixup, \"ax\"\n"
20255 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
20256 + "3: \n"
20257 +
20258 +#ifdef CONFIG_PAX_KERNEXEC
20259 + " movl %%cr0, %0\n"
20260 + " movl %0, %%eax\n"
20261 + " andl $0xFFFEFFFF, %%eax\n"
20262 + " movl %%eax, %%cr0\n"
20263 +#endif
20264 +
20265 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
20266 +
20267 +#ifdef CONFIG_PAX_KERNEXEC
20268 + " movl %0, %%cr0\n"
20269 +#endif
20270 +
20271 " jmp 2b\n"
20272 ".previous\n"
20273 _ASM_EXTABLE(1b, 3b)
20274 - : : "r" (from));
20275 + : "=&r" (cr0) : "r" (from) : "ax");
20276
20277 for ( ; i > 5; i--) {
20278 __asm__ __volatile__ (
20279 - "1: prefetch 320(%0)\n"
20280 - "2: movq (%0), %%mm0\n"
20281 - " movq 8(%0), %%mm1\n"
20282 - " movq 16(%0), %%mm2\n"
20283 - " movq 24(%0), %%mm3\n"
20284 - " movq %%mm0, (%1)\n"
20285 - " movq %%mm1, 8(%1)\n"
20286 - " movq %%mm2, 16(%1)\n"
20287 - " movq %%mm3, 24(%1)\n"
20288 - " movq 32(%0), %%mm0\n"
20289 - " movq 40(%0), %%mm1\n"
20290 - " movq 48(%0), %%mm2\n"
20291 - " movq 56(%0), %%mm3\n"
20292 - " movq %%mm0, 32(%1)\n"
20293 - " movq %%mm1, 40(%1)\n"
20294 - " movq %%mm2, 48(%1)\n"
20295 - " movq %%mm3, 56(%1)\n"
20296 + "1: prefetch 320(%1)\n"
20297 + "2: movq (%1), %%mm0\n"
20298 + " movq 8(%1), %%mm1\n"
20299 + " movq 16(%1), %%mm2\n"
20300 + " movq 24(%1), %%mm3\n"
20301 + " movq %%mm0, (%2)\n"
20302 + " movq %%mm1, 8(%2)\n"
20303 + " movq %%mm2, 16(%2)\n"
20304 + " movq %%mm3, 24(%2)\n"
20305 + " movq 32(%1), %%mm0\n"
20306 + " movq 40(%1), %%mm1\n"
20307 + " movq 48(%1), %%mm2\n"
20308 + " movq 56(%1), %%mm3\n"
20309 + " movq %%mm0, 32(%2)\n"
20310 + " movq %%mm1, 40(%2)\n"
20311 + " movq %%mm2, 48(%2)\n"
20312 + " movq %%mm3, 56(%2)\n"
20313 ".section .fixup, \"ax\"\n"
20314 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
20315 + "3:\n"
20316 +
20317 +#ifdef CONFIG_PAX_KERNEXEC
20318 + " movl %%cr0, %0\n"
20319 + " movl %0, %%eax\n"
20320 + " andl $0xFFFEFFFF, %%eax\n"
20321 + " movl %%eax, %%cr0\n"
20322 +#endif
20323 +
20324 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
20325 +
20326 +#ifdef CONFIG_PAX_KERNEXEC
20327 + " movl %0, %%cr0\n"
20328 +#endif
20329 +
20330 " jmp 2b\n"
20331 ".previous\n"
20332 _ASM_EXTABLE(1b, 3b)
20333 - : : "r" (from), "r" (to) : "memory");
20334 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
20335
20336 from += 64;
20337 to += 64;
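Review bot: The KERNEXEC fixup masks CR0 with the bare constant `0xFFFEFFFF` before the `movw $0x1AEB, 1b` / `movw $0x05EB, 1b` that patches the instruction at label 1, and nothing names the bit or the reason. The mask clears bit 16, which is CR0.WP, so a comment like `/* KERNEXEC: drop CR0.WP so the fixup can overwrite the prefetch at 1b, then restore the saved CR0 */` belongs on the sequence. The hunk does not show interrupts being disabled between the two CR0 writes, so confirm that nothing else can run with write protection off in that window. The `"=&r" (cr0)` output and the `"ax"` clobber are added even when CONFIG_PAX_KERNEXEC is off, where the asm never touches them. The same sequence is repeated in both `fast_copy_page()` variants in the following hunks, and `_mmx_memcpy()` continues outside this hunk.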
20338 @@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
20339 static void fast_copy_page(void *to, void *from)
20340 {
20341 int i;
20342 + unsigned long cr0;
20343
20344 kernel_fpu_begin();
20345
20346 @@ -166,42 +196,70 @@ static void fast_copy_page(void *to, voi
20347 * but that is for later. -AV
20348 */
20349 __asm__ __volatile__(
20350 - "1: prefetch (%0)\n"
20351 - " prefetch 64(%0)\n"
20352 - " prefetch 128(%0)\n"
20353 - " prefetch 192(%0)\n"
20354 - " prefetch 256(%0)\n"
20355 + "1: prefetch (%1)\n"
20356 + " prefetch 64(%1)\n"
20357 + " prefetch 128(%1)\n"
20358 + " prefetch 192(%1)\n"
20359 + " prefetch 256(%1)\n"
20360 "2: \n"
20361 ".section .fixup, \"ax\"\n"
20362 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
20363 + "3: \n"
20364 +
20365 +#ifdef CONFIG_PAX_KERNEXEC
20366 + " movl %%cr0, %0\n"
20367 + " movl %0, %%eax\n"
20368 + " andl $0xFFFEFFFF, %%eax\n"
20369 + " movl %%eax, %%cr0\n"
20370 +#endif
20371 +
20372 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
20373 +
20374 +#ifdef CONFIG_PAX_KERNEXEC
20375 + " movl %0, %%cr0\n"
20376 +#endif
20377 +
20378 " jmp 2b\n"
20379 ".previous\n"
20380 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
20381 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
20382
20383 for (i = 0; i < (4096-320)/64; i++) {
20384 __asm__ __volatile__ (
20385 - "1: prefetch 320(%0)\n"
20386 - "2: movq (%0), %%mm0\n"
20387 - " movntq %%mm0, (%1)\n"
20388 - " movq 8(%0), %%mm1\n"
20389 - " movntq %%mm1, 8(%1)\n"
20390 - " movq 16(%0), %%mm2\n"
20391 - " movntq %%mm2, 16(%1)\n"
20392 - " movq 24(%0), %%mm3\n"
20393 - " movntq %%mm3, 24(%1)\n"
20394 - " movq 32(%0), %%mm4\n"
20395 - " movntq %%mm4, 32(%1)\n"
20396 - " movq 40(%0), %%mm5\n"
20397 - " movntq %%mm5, 40(%1)\n"
20398 - " movq 48(%0), %%mm6\n"
20399 - " movntq %%mm6, 48(%1)\n"
20400 - " movq 56(%0), %%mm7\n"
20401 - " movntq %%mm7, 56(%1)\n"
20402 + "1: prefetch 320(%1)\n"
20403 + "2: movq (%1), %%mm0\n"
20404 + " movntq %%mm0, (%2)\n"
20405 + " movq 8(%1), %%mm1\n"
20406 + " movntq %%mm1, 8(%2)\n"
20407 + " movq 16(%1), %%mm2\n"
20408 + " movntq %%mm2, 16(%2)\n"
20409 + " movq 24(%1), %%mm3\n"
20410 + " movntq %%mm3, 24(%2)\n"
20411 + " movq 32(%1), %%mm4\n"
20412 + " movntq %%mm4, 32(%2)\n"
20413 + " movq 40(%1), %%mm5\n"
20414 + " movntq %%mm5, 40(%2)\n"
20415 + " movq 48(%1), %%mm6\n"
20416 + " movntq %%mm6, 48(%2)\n"
20417 + " movq 56(%1), %%mm7\n"
20418 + " movntq %%mm7, 56(%2)\n"
20419 ".section .fixup, \"ax\"\n"
20420 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
20421 + "3:\n"
20422 +
20423 +#ifdef CONFIG_PAX_KERNEXEC
20424 + " movl %%cr0, %0\n"
20425 + " movl %0, %%eax\n"
20426 + " andl $0xFFFEFFFF, %%eax\n"
20427 + " movl %%eax, %%cr0\n"
20428 +#endif
20429 +
20430 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
20431 +
20432 +#ifdef CONFIG_PAX_KERNEXEC
20433 + " movl %0, %%cr0\n"
20434 +#endif
20435 +
20436 " jmp 2b\n"
20437 ".previous\n"
20438 - _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
20439 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
20440
20441 from += 64;
20442 to += 64;
20443 @@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
20444 static void fast_copy_page(void *to, void *from)
20445 {
20446 int i;
20447 + unsigned long cr0;
20448
20449 kernel_fpu_begin();
20450
20451 __asm__ __volatile__ (
20452 - "1: prefetch (%0)\n"
20453 - " prefetch 64(%0)\n"
20454 - " prefetch 128(%0)\n"
20455 - " prefetch 192(%0)\n"
20456 - " prefetch 256(%0)\n"
20457 + "1: prefetch (%1)\n"
20458 + " prefetch 64(%1)\n"
20459 + " prefetch 128(%1)\n"
20460 + " prefetch 192(%1)\n"
20461 + " prefetch 256(%1)\n"
20462 "2: \n"
20463 ".section .fixup, \"ax\"\n"
20464 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
20465 + "3: \n"
20466 +
20467 +#ifdef CONFIG_PAX_KERNEXEC
20468 + " movl %%cr0, %0\n"
20469 + " movl %0, %%eax\n"
20470 + " andl $0xFFFEFFFF, %%eax\n"
20471 + " movl %%eax, %%cr0\n"
20472 +#endif
20473 +
20474 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
20475 +
20476 +#ifdef CONFIG_PAX_KERNEXEC
20477 + " movl %0, %%cr0\n"
20478 +#endif
20479 +
20480 " jmp 2b\n"
20481 ".previous\n"
20482 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
20483 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
20484
20485 for (i = 0; i < 4096/64; i++) {
20486 __asm__ __volatile__ (
20487 - "1: prefetch 320(%0)\n"
20488 - "2: movq (%0), %%mm0\n"
20489 - " movq 8(%0), %%mm1\n"
20490 - " movq 16(%0), %%mm2\n"
20491 - " movq 24(%0), %%mm3\n"
20492 - " movq %%mm0, (%1)\n"
20493 - " movq %%mm1, 8(%1)\n"
20494 - " movq %%mm2, 16(%1)\n"
20495 - " movq %%mm3, 24(%1)\n"
20496 - " movq 32(%0), %%mm0\n"
20497 - " movq 40(%0), %%mm1\n"
20498 - " movq 48(%0), %%mm2\n"
20499 - " movq 56(%0), %%mm3\n"
20500 - " movq %%mm0, 32(%1)\n"
20501 - " movq %%mm1, 40(%1)\n"
20502 - " movq %%mm2, 48(%1)\n"
20503 - " movq %%mm3, 56(%1)\n"
20504 + "1: prefetch 320(%1)\n"
20505 + "2: movq (%1), %%mm0\n"
20506 + " movq 8(%1), %%mm1\n"
20507 + " movq 16(%1), %%mm2\n"
20508 + " movq 24(%1), %%mm3\n"
20509 + " movq %%mm0, (%2)\n"
20510 + " movq %%mm1, 8(%2)\n"
20511 + " movq %%mm2, 16(%2)\n"
20512 + " movq %%mm3, 24(%2)\n"
20513 + " movq 32(%1), %%mm0\n"
20514 + " movq 40(%1), %%mm1\n"
20515 + " movq 48(%1), %%mm2\n"
20516 + " movq 56(%1), %%mm3\n"
20517 + " movq %%mm0, 32(%2)\n"
20518 + " movq %%mm1, 40(%2)\n"
20519 + " movq %%mm2, 48(%2)\n"
20520 + " movq %%mm3, 56(%2)\n"
20521 ".section .fixup, \"ax\"\n"
20522 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
20523 + "3:\n"
20524 +
20525 +#ifdef CONFIG_PAX_KERNEXEC
20526 + " movl %%cr0, %0\n"
20527 + " movl %0, %%eax\n"
20528 + " andl $0xFFFEFFFF, %%eax\n"
20529 + " movl %%eax, %%cr0\n"
20530 +#endif
20531 +
20532 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
20533 +
20534 +#ifdef CONFIG_PAX_KERNEXEC
20535 + " movl %0, %%cr0\n"
20536 +#endif
20537 +
20538 " jmp 2b\n"
20539 ".previous\n"
20540 _ASM_EXTABLE(1b, 3b)
20541 - : : "r" (from), "r" (to) : "memory");
20542 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
20543
20544 from += 64;
20545 to += 64;
20546 diff -urNp linux-2.6.32.46/arch/x86/lib/putuser.S linux-2.6.32.46/arch/x86/lib/putuser.S
20547 --- linux-2.6.32.46/arch/x86/lib/putuser.S 2011-03-27 14:31:47.000000000 -0400
20548 +++ linux-2.6.32.46/arch/x86/lib/putuser.S 2011-04-17 15:56:46.000000000 -0400
20549 @@ -15,7 +15,8 @@
20550 #include <asm/thread_info.h>
20551 #include <asm/errno.h>
20552 #include <asm/asm.h>
20553 -
20554 +#include <asm/segment.h>
20555 +#include <asm/pgtable.h>
20556
20557 /*
20558 * __put_user_X
20559 @@ -29,52 +30,119 @@
20560 * as they get called from within inline assembly.
20561 */
20562
20563 -#define ENTER CFI_STARTPROC ; \
20564 - GET_THREAD_INFO(%_ASM_BX)
20565 +#define ENTER CFI_STARTPROC
20566 #define EXIT ret ; \
20567 CFI_ENDPROC
20568
20569 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20570 +#define _DEST %_ASM_CX,%_ASM_BX
20571 +#else
20572 +#define _DEST %_ASM_CX
20573 +#endif
20574 +
20575 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
20576 +#define __copyuser_seg gs;
20577 +#else
20578 +#define __copyuser_seg
20579 +#endif
20580 +
20581 .text
20582 ENTRY(__put_user_1)
20583 ENTER
20584 +
20585 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20586 + GET_THREAD_INFO(%_ASM_BX)
20587 cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
20588 jae bad_put_user
20589 -1: movb %al,(%_ASM_CX)
20590 +
20591 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20592 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
20593 + cmp %_ASM_BX,%_ASM_CX
20594 + jb 1234f
20595 + xor %ebx,%ebx
20596 +1234:
20597 +#endif
20598 +
20599 +#endif
20600 +
20601 +1: __copyuser_seg movb %al,(_DEST)
20602 xor %eax,%eax
20603 EXIT
20604 ENDPROC(__put_user_1)
20605
20606 ENTRY(__put_user_2)
20607 ENTER
20608 +
20609 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20610 + GET_THREAD_INFO(%_ASM_BX)
20611 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
20612 sub $1,%_ASM_BX
20613 cmp %_ASM_BX,%_ASM_CX
20614 jae bad_put_user
20615 -2: movw %ax,(%_ASM_CX)
20616 +
20617 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20618 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
20619 + cmp %_ASM_BX,%_ASM_CX
20620 + jb 1234f
20621 + xor %ebx,%ebx
20622 +1234:
20623 +#endif
20624 +
20625 +#endif
20626 +
20627 +2: __copyuser_seg movw %ax,(_DEST)
20628 xor %eax,%eax
20629 EXIT
20630 ENDPROC(__put_user_2)
20631
20632 ENTRY(__put_user_4)
20633 ENTER
20634 +
20635 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20636 + GET_THREAD_INFO(%_ASM_BX)
20637 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
20638 sub $3,%_ASM_BX
20639 cmp %_ASM_BX,%_ASM_CX
20640 jae bad_put_user
20641 -3: movl %eax,(%_ASM_CX)
20642 +
20643 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20644 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
20645 + cmp %_ASM_BX,%_ASM_CX
20646 + jb 1234f
20647 + xor %ebx,%ebx
20648 +1234:
20649 +#endif
20650 +
20651 +#endif
20652 +
20653 +3: __copyuser_seg movl %eax,(_DEST)
20654 xor %eax,%eax
20655 EXIT
20656 ENDPROC(__put_user_4)
20657
20658 ENTRY(__put_user_8)
20659 ENTER
20660 +
20661 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20662 + GET_THREAD_INFO(%_ASM_BX)
20663 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
20664 sub $7,%_ASM_BX
20665 cmp %_ASM_BX,%_ASM_CX
20666 jae bad_put_user
20667 -4: mov %_ASM_AX,(%_ASM_CX)
20668 +
20669 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20670 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
20671 + cmp %_ASM_BX,%_ASM_CX
20672 + jb 1234f
20673 + xor %ebx,%ebx
20674 +1234:
20675 +#endif
20676 +
20677 +#endif
20678 +
20679 +4: __copyuser_seg mov %_ASM_AX,(_DEST)
20680 #ifdef CONFIG_X86_32
20681 -5: movl %edx,4(%_ASM_CX)
20682 +5: __copyuser_seg movl %edx,4(_DEST)
20683 #endif
20684 xor %eax,%eax
20685 EXIT
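Review bot: On 32-bit with CONFIG_PAX_MEMORY_UDEREF the `TI_addr_limit` comparison is compiled out of all four `__put_user_N` entry points, so the store is bounded only by the segment that the `gs` override in `__copyuser_seg` selects, and no comment records that. I would add, above the first `#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)`, something like `/* i386 UDEREF: no addr_limit compare here; the %gs segment loaded by __set_fs() bounds the access */`. That wording should be checked against the segment setup, which is outside this hunk. The 64-bit fixup (`mov $PAX_USER_SHADOW_BASE,%_ASM_BX` through `1234:`) is repeated verbatim four times and would be safer as one assembler macro so the copies cannot drift apart. `__put_user_8` continues past the end of the hunk.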
20686 diff -urNp linux-2.6.32.46/arch/x86/lib/rwlock_64.S linux-2.6.32.46/arch/x86/lib/rwlock_64.S
20687 --- linux-2.6.32.46/arch/x86/lib/rwlock_64.S 2011-03-27 14:31:47.000000000 -0400
20688 +++ linux-2.6.32.46/arch/x86/lib/rwlock_64.S 2011-10-06 09:37:14.000000000 -0400
20689 @@ -17,6 +17,7 @@ ENTRY(__write_lock_failed)
20690 LOCK_PREFIX
20691 subl $RW_LOCK_BIAS,(%rdi)
20692 jnz __write_lock_failed
20693 + pax_force_retaddr
20694 ret
20695 CFI_ENDPROC
20696 END(__write_lock_failed)
20697 @@ -33,6 +34,7 @@ ENTRY(__read_lock_failed)
20698 LOCK_PREFIX
20699 decl (%rdi)
20700 js __read_lock_failed
20701 + pax_force_retaddr
20702 ret
20703 CFI_ENDPROC
20704 END(__read_lock_failed)
20705 diff -urNp linux-2.6.32.46/arch/x86/lib/rwsem_64.S linux-2.6.32.46/arch/x86/lib/rwsem_64.S
20706 --- linux-2.6.32.46/arch/x86/lib/rwsem_64.S 2011-03-27 14:31:47.000000000 -0400
20707 +++ linux-2.6.32.46/arch/x86/lib/rwsem_64.S 2011-10-06 09:37:14.000000000 -0400
20708 @@ -48,6 +48,7 @@ ENTRY(call_rwsem_down_read_failed)
20709 call rwsem_down_read_failed
20710 popq %rdx
20711 restore_common_regs
20712 + pax_force_retaddr
20713 ret
20714 ENDPROC(call_rwsem_down_read_failed)
20715
20716 @@ -56,6 +57,7 @@ ENTRY(call_rwsem_down_write_failed)
20717 movq %rax,%rdi
20718 call rwsem_down_write_failed
20719 restore_common_regs
20720 + pax_force_retaddr
20721 ret
20722 ENDPROC(call_rwsem_down_write_failed)
20723
20724 @@ -66,7 +68,8 @@ ENTRY(call_rwsem_wake)
20725 movq %rax,%rdi
20726 call rwsem_wake
20727 restore_common_regs
20728 -1: ret
20729 +1: pax_force_retaddr
20730 + ret
20731 ENDPROC(call_rwsem_wake)
20732
20733 /* Fix up special calling conventions */
20734 @@ -77,5 +80,6 @@ ENTRY(call_rwsem_downgrade_wake)
20735 call rwsem_downgrade_wake
20736 popq %rdx
20737 restore_common_regs
20738 + pax_force_retaddr
20739 ret
20740 ENDPROC(call_rwsem_downgrade_wake)
20741 diff -urNp linux-2.6.32.46/arch/x86/lib/thunk_64.S linux-2.6.32.46/arch/x86/lib/thunk_64.S
20742 --- linux-2.6.32.46/arch/x86/lib/thunk_64.S 2011-03-27 14:31:47.000000000 -0400
20743 +++ linux-2.6.32.46/arch/x86/lib/thunk_64.S 2011-10-06 09:37:14.000000000 -0400
20744 @@ -10,7 +10,8 @@
20745 #include <asm/dwarf2.h>
20746 #include <asm/calling.h>
20747 #include <asm/rwlock.h>
20748 -
20749 + #include <asm/alternative-asm.h>
20750 +
20751 /* rdi: arg1 ... normal C conventions. rax is saved/restored. */
20752 .macro thunk name,func
20753 .globl \name
20754 @@ -70,6 +71,7 @@
20755 SAVE_ARGS
20756 restore:
20757 RESTORE_ARGS
20758 + pax_force_retaddr
20759 ret
20760 CFI_ENDPROC
20761
20762 @@ -77,5 +79,6 @@ restore:
20763 SAVE_ARGS
20764 restore_norax:
20765 RESTORE_ARGS 1
20766 + pax_force_retaddr
20767 ret
20768 CFI_ENDPROC
20769 diff -urNp linux-2.6.32.46/arch/x86/lib/usercopy_32.c linux-2.6.32.46/arch/x86/lib/usercopy_32.c
20770 --- linux-2.6.32.46/arch/x86/lib/usercopy_32.c 2011-03-27 14:31:47.000000000 -0400
20771 +++ linux-2.6.32.46/arch/x86/lib/usercopy_32.c 2011-04-23 21:12:28.000000000 -0400
20772 @@ -43,7 +43,7 @@ do { \
20773 __asm__ __volatile__( \
20774 " testl %1,%1\n" \
20775 " jz 2f\n" \
20776 - "0: lodsb\n" \
20777 + "0: "__copyuser_seg"lodsb\n" \
20778 " stosb\n" \
20779 " testb %%al,%%al\n" \
20780 " jz 1f\n" \
20781 @@ -128,10 +128,12 @@ do { \
20782 int __d0; \
20783 might_fault(); \
20784 __asm__ __volatile__( \
20785 + __COPYUSER_SET_ES \
20786 "0: rep; stosl\n" \
20787 " movl %2,%0\n" \
20788 "1: rep; stosb\n" \
20789 "2:\n" \
20790 + __COPYUSER_RESTORE_ES \
20791 ".section .fixup,\"ax\"\n" \
20792 "3: lea 0(%2,%0,4),%0\n" \
20793 " jmp 2b\n" \
20794 @@ -200,6 +202,7 @@ long strnlen_user(const char __user *s,
20795 might_fault();
20796
20797 __asm__ __volatile__(
20798 + __COPYUSER_SET_ES
20799 " testl %0, %0\n"
20800 " jz 3f\n"
20801 " andl %0,%%ecx\n"
20802 @@ -208,6 +211,7 @@ long strnlen_user(const char __user *s,
20803 " subl %%ecx,%0\n"
20804 " addl %0,%%eax\n"
20805 "1:\n"
20806 + __COPYUSER_RESTORE_ES
20807 ".section .fixup,\"ax\"\n"
20808 "2: xorl %%eax,%%eax\n"
20809 " jmp 1b\n"
20810 @@ -227,7 +231,7 @@ EXPORT_SYMBOL(strnlen_user);
20811
20812 #ifdef CONFIG_X86_INTEL_USERCOPY
20813 static unsigned long
20814 -__copy_user_intel(void __user *to, const void *from, unsigned long size)
20815 +__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
20816 {
20817 int d0, d1;
20818 __asm__ __volatile__(
20819 @@ -239,36 +243,36 @@ __copy_user_intel(void __user *to, const
20820 " .align 2,0x90\n"
20821 "3: movl 0(%4), %%eax\n"
20822 "4: movl 4(%4), %%edx\n"
20823 - "5: movl %%eax, 0(%3)\n"
20824 - "6: movl %%edx, 4(%3)\n"
20825 + "5: "__copyuser_seg" movl %%eax, 0(%3)\n"
20826 + "6: "__copyuser_seg" movl %%edx, 4(%3)\n"
20827 "7: movl 8(%4), %%eax\n"
20828 "8: movl 12(%4),%%edx\n"
20829 - "9: movl %%eax, 8(%3)\n"
20830 - "10: movl %%edx, 12(%3)\n"
20831 + "9: "__copyuser_seg" movl %%eax, 8(%3)\n"
20832 + "10: "__copyuser_seg" movl %%edx, 12(%3)\n"
20833 "11: movl 16(%4), %%eax\n"
20834 "12: movl 20(%4), %%edx\n"
20835 - "13: movl %%eax, 16(%3)\n"
20836 - "14: movl %%edx, 20(%3)\n"
20837 + "13: "__copyuser_seg" movl %%eax, 16(%3)\n"
20838 + "14: "__copyuser_seg" movl %%edx, 20(%3)\n"
20839 "15: movl 24(%4), %%eax\n"
20840 "16: movl 28(%4), %%edx\n"
20841 - "17: movl %%eax, 24(%3)\n"
20842 - "18: movl %%edx, 28(%3)\n"
20843 + "17: "__copyuser_seg" movl %%eax, 24(%3)\n"
20844 + "18: "__copyuser_seg" movl %%edx, 28(%3)\n"
20845 "19: movl 32(%4), %%eax\n"
20846 "20: movl 36(%4), %%edx\n"
20847 - "21: movl %%eax, 32(%3)\n"
20848 - "22: movl %%edx, 36(%3)\n"
20849 + "21: "__copyuser_seg" movl %%eax, 32(%3)\n"
20850 + "22: "__copyuser_seg" movl %%edx, 36(%3)\n"
20851 "23: movl 40(%4), %%eax\n"
20852 "24: movl 44(%4), %%edx\n"
20853 - "25: movl %%eax, 40(%3)\n"
20854 - "26: movl %%edx, 44(%3)\n"
20855 + "25: "__copyuser_seg" movl %%eax, 40(%3)\n"
20856 + "26: "__copyuser_seg" movl %%edx, 44(%3)\n"
20857 "27: movl 48(%4), %%eax\n"
20858 "28: movl 52(%4), %%edx\n"
20859 - "29: movl %%eax, 48(%3)\n"
20860 - "30: movl %%edx, 52(%3)\n"
20861 + "29: "__copyuser_seg" movl %%eax, 48(%3)\n"
20862 + "30: "__copyuser_seg" movl %%edx, 52(%3)\n"
20863 "31: movl 56(%4), %%eax\n"
20864 "32: movl 60(%4), %%edx\n"
20865 - "33: movl %%eax, 56(%3)\n"
20866 - "34: movl %%edx, 60(%3)\n"
20867 + "33: "__copyuser_seg" movl %%eax, 56(%3)\n"
20868 + "34: "__copyuser_seg" movl %%edx, 60(%3)\n"
20869 " addl $-64, %0\n"
20870 " addl $64, %4\n"
20871 " addl $64, %3\n"
20872 @@ -278,10 +282,119 @@ __copy_user_intel(void __user *to, const
20873 " shrl $2, %0\n"
20874 " andl $3, %%eax\n"
20875 " cld\n"
20876 + __COPYUSER_SET_ES
20877 "99: rep; movsl\n"
20878 "36: movl %%eax, %0\n"
20879 "37: rep; movsb\n"
20880 "100:\n"
20881 + __COPYUSER_RESTORE_ES
20882 + ".section .fixup,\"ax\"\n"
20883 + "101: lea 0(%%eax,%0,4),%0\n"
20884 + " jmp 100b\n"
20885 + ".previous\n"
20886 + ".section __ex_table,\"a\"\n"
20887 + " .align 4\n"
20888 + " .long 1b,100b\n"
20889 + " .long 2b,100b\n"
20890 + " .long 3b,100b\n"
20891 + " .long 4b,100b\n"
20892 + " .long 5b,100b\n"
20893 + " .long 6b,100b\n"
20894 + " .long 7b,100b\n"
20895 + " .long 8b,100b\n"
20896 + " .long 9b,100b\n"
20897 + " .long 10b,100b\n"
20898 + " .long 11b,100b\n"
20899 + " .long 12b,100b\n"
20900 + " .long 13b,100b\n"
20901 + " .long 14b,100b\n"
20902 + " .long 15b,100b\n"
20903 + " .long 16b,100b\n"
20904 + " .long 17b,100b\n"
20905 + " .long 18b,100b\n"
20906 + " .long 19b,100b\n"
20907 + " .long 20b,100b\n"
20908 + " .long 21b,100b\n"
20909 + " .long 22b,100b\n"
20910 + " .long 23b,100b\n"
20911 + " .long 24b,100b\n"
20912 + " .long 25b,100b\n"
20913 + " .long 26b,100b\n"
20914 + " .long 27b,100b\n"
20915 + " .long 28b,100b\n"
20916 + " .long 29b,100b\n"
20917 + " .long 30b,100b\n"
20918 + " .long 31b,100b\n"
20919 + " .long 32b,100b\n"
20920 + " .long 33b,100b\n"
20921 + " .long 34b,100b\n"
20922 + " .long 35b,100b\n"
20923 + " .long 36b,100b\n"
20924 + " .long 37b,100b\n"
20925 + " .long 99b,101b\n"
20926 + ".previous"
20927 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
20928 + : "1"(to), "2"(from), "0"(size)
20929 + : "eax", "edx", "memory");
20930 + return size;
20931 +}
20932 +
20933 +static unsigned long
20934 +__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
20935 +{
20936 + int d0, d1;
20937 + __asm__ __volatile__(
20938 + " .align 2,0x90\n"
20939 + "1: "__copyuser_seg" movl 32(%4), %%eax\n"
20940 + " cmpl $67, %0\n"
20941 + " jbe 3f\n"
20942 + "2: "__copyuser_seg" movl 64(%4), %%eax\n"
20943 + " .align 2,0x90\n"
20944 + "3: "__copyuser_seg" movl 0(%4), %%eax\n"
20945 + "4: "__copyuser_seg" movl 4(%4), %%edx\n"
20946 + "5: movl %%eax, 0(%3)\n"
20947 + "6: movl %%edx, 4(%3)\n"
20948 + "7: "__copyuser_seg" movl 8(%4), %%eax\n"
20949 + "8: "__copyuser_seg" movl 12(%4),%%edx\n"
20950 + "9: movl %%eax, 8(%3)\n"
20951 + "10: movl %%edx, 12(%3)\n"
20952 + "11: "__copyuser_seg" movl 16(%4), %%eax\n"
20953 + "12: "__copyuser_seg" movl 20(%4), %%edx\n"
20954 + "13: movl %%eax, 16(%3)\n"
20955 + "14: movl %%edx, 20(%3)\n"
20956 + "15: "__copyuser_seg" movl 24(%4), %%eax\n"
20957 + "16: "__copyuser_seg" movl 28(%4), %%edx\n"
20958 + "17: movl %%eax, 24(%3)\n"
20959 + "18: movl %%edx, 28(%3)\n"
20960 + "19: "__copyuser_seg" movl 32(%4), %%eax\n"
20961 + "20: "__copyuser_seg" movl 36(%4), %%edx\n"
20962 + "21: movl %%eax, 32(%3)\n"
20963 + "22: movl %%edx, 36(%3)\n"
20964 + "23: "__copyuser_seg" movl 40(%4), %%eax\n"
20965 + "24: "__copyuser_seg" movl 44(%4), %%edx\n"
20966 + "25: movl %%eax, 40(%3)\n"
20967 + "26: movl %%edx, 44(%3)\n"
20968 + "27: "__copyuser_seg" movl 48(%4), %%eax\n"
20969 + "28: "__copyuser_seg" movl 52(%4), %%edx\n"
20970 + "29: movl %%eax, 48(%3)\n"
20971 + "30: movl %%edx, 52(%3)\n"
20972 + "31: "__copyuser_seg" movl 56(%4), %%eax\n"
20973 + "32: "__copyuser_seg" movl 60(%4), %%edx\n"
20974 + "33: movl %%eax, 56(%3)\n"
20975 + "34: movl %%edx, 60(%3)\n"
20976 + " addl $-64, %0\n"
20977 + " addl $64, %4\n"
20978 + " addl $64, %3\n"
20979 + " cmpl $63, %0\n"
20980 + " ja 1b\n"
20981 + "35: movl %0, %%eax\n"
20982 + " shrl $2, %0\n"
20983 + " andl $3, %%eax\n"
20984 + " cld\n"
20985 + "99: rep; "__copyuser_seg" movsl\n"
20986 + "36: movl %%eax, %0\n"
20987 + "37: rep; "__copyuser_seg" movsb\n"
20988 + "100:\n"
20989 ".section .fixup,\"ax\"\n"
20990 "101: lea 0(%%eax,%0,4),%0\n"
20991 " jmp 100b\n"
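Review bot: `__generic_copy_from_user_intel` is added with no comment, although it is a near-copy of `__generic_copy_to_user_intel` and differs only in where the user-side access is marked. Here the loads from `%4` carry `__copyuser_seg` and the tail uses a prefix on `movsl`/`movsb`; the to-user variant prefixes the stores to `%3` and brackets the tail with `__COPYUSER_SET_ES`/`__COPYUSER_RESTORE_ES`. A one-line header on each, e.g. `/* user pointer is the source; returns the number of bytes not copied and does not zero the destination */`, would make that asymmetry reviewable. The non-zeroing part is inferred from the call in `__copy_from_user_ll_nozero` and should be confirmed. The `.fixup` and `__ex_table` of the new function are the old function's context lines and continue outside the hunk.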
20992 @@ -339,41 +452,41 @@ __copy_user_zeroing_intel(void *to, cons
20993 int d0, d1;
20994 __asm__ __volatile__(
20995 " .align 2,0x90\n"
20996 - "0: movl 32(%4), %%eax\n"
20997 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
20998 " cmpl $67, %0\n"
20999 " jbe 2f\n"
21000 - "1: movl 64(%4), %%eax\n"
21001 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
21002 " .align 2,0x90\n"
21003 - "2: movl 0(%4), %%eax\n"
21004 - "21: movl 4(%4), %%edx\n"
21005 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
21006 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
21007 " movl %%eax, 0(%3)\n"
21008 " movl %%edx, 4(%3)\n"
21009 - "3: movl 8(%4), %%eax\n"
21010 - "31: movl 12(%4),%%edx\n"
21011 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
21012 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
21013 " movl %%eax, 8(%3)\n"
21014 " movl %%edx, 12(%3)\n"
21015 - "4: movl 16(%4), %%eax\n"
21016 - "41: movl 20(%4), %%edx\n"
21017 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
21018 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
21019 " movl %%eax, 16(%3)\n"
21020 " movl %%edx, 20(%3)\n"
21021 - "10: movl 24(%4), %%eax\n"
21022 - "51: movl 28(%4), %%edx\n"
21023 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
21024 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
21025 " movl %%eax, 24(%3)\n"
21026 " movl %%edx, 28(%3)\n"
21027 - "11: movl 32(%4), %%eax\n"
21028 - "61: movl 36(%4), %%edx\n"
21029 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
21030 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
21031 " movl %%eax, 32(%3)\n"
21032 " movl %%edx, 36(%3)\n"
21033 - "12: movl 40(%4), %%eax\n"
21034 - "71: movl 44(%4), %%edx\n"
21035 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
21036 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
21037 " movl %%eax, 40(%3)\n"
21038 " movl %%edx, 44(%3)\n"
21039 - "13: movl 48(%4), %%eax\n"
21040 - "81: movl 52(%4), %%edx\n"
21041 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
21042 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
21043 " movl %%eax, 48(%3)\n"
21044 " movl %%edx, 52(%3)\n"
21045 - "14: movl 56(%4), %%eax\n"
21046 - "91: movl 60(%4), %%edx\n"
21047 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
21048 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
21049 " movl %%eax, 56(%3)\n"
21050 " movl %%edx, 60(%3)\n"
21051 " addl $-64, %0\n"
21052 @@ -385,9 +498,9 @@ __copy_user_zeroing_intel(void *to, cons
21053 " shrl $2, %0\n"
21054 " andl $3, %%eax\n"
21055 " cld\n"
21056 - "6: rep; movsl\n"
21057 + "6: rep; "__copyuser_seg" movsl\n"
21058 " movl %%eax,%0\n"
21059 - "7: rep; movsb\n"
21060 + "7: rep; "__copyuser_seg" movsb\n"
21061 "8:\n"
21062 ".section .fixup,\"ax\"\n"
21063 "9: lea 0(%%eax,%0,4),%0\n"
21064 @@ -440,41 +553,41 @@ static unsigned long __copy_user_zeroing
21065
21066 __asm__ __volatile__(
21067 " .align 2,0x90\n"
21068 - "0: movl 32(%4), %%eax\n"
21069 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
21070 " cmpl $67, %0\n"
21071 " jbe 2f\n"
21072 - "1: movl 64(%4), %%eax\n"
21073 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
21074 " .align 2,0x90\n"
21075 - "2: movl 0(%4), %%eax\n"
21076 - "21: movl 4(%4), %%edx\n"
21077 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
21078 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
21079 " movnti %%eax, 0(%3)\n"
21080 " movnti %%edx, 4(%3)\n"
21081 - "3: movl 8(%4), %%eax\n"
21082 - "31: movl 12(%4),%%edx\n"
21083 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
21084 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
21085 " movnti %%eax, 8(%3)\n"
21086 " movnti %%edx, 12(%3)\n"
21087 - "4: movl 16(%4), %%eax\n"
21088 - "41: movl 20(%4), %%edx\n"
21089 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
21090 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
21091 " movnti %%eax, 16(%3)\n"
21092 " movnti %%edx, 20(%3)\n"
21093 - "10: movl 24(%4), %%eax\n"
21094 - "51: movl 28(%4), %%edx\n"
21095 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
21096 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
21097 " movnti %%eax, 24(%3)\n"
21098 " movnti %%edx, 28(%3)\n"
21099 - "11: movl 32(%4), %%eax\n"
21100 - "61: movl 36(%4), %%edx\n"
21101 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
21102 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
21103 " movnti %%eax, 32(%3)\n"
21104 " movnti %%edx, 36(%3)\n"
21105 - "12: movl 40(%4), %%eax\n"
21106 - "71: movl 44(%4), %%edx\n"
21107 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
21108 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
21109 " movnti %%eax, 40(%3)\n"
21110 " movnti %%edx, 44(%3)\n"
21111 - "13: movl 48(%4), %%eax\n"
21112 - "81: movl 52(%4), %%edx\n"
21113 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
21114 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
21115 " movnti %%eax, 48(%3)\n"
21116 " movnti %%edx, 52(%3)\n"
21117 - "14: movl 56(%4), %%eax\n"
21118 - "91: movl 60(%4), %%edx\n"
21119 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
21120 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
21121 " movnti %%eax, 56(%3)\n"
21122 " movnti %%edx, 60(%3)\n"
21123 " addl $-64, %0\n"
21124 @@ -487,9 +600,9 @@ static unsigned long __copy_user_zeroing
21125 " shrl $2, %0\n"
21126 " andl $3, %%eax\n"
21127 " cld\n"
21128 - "6: rep; movsl\n"
21129 + "6: rep; "__copyuser_seg" movsl\n"
21130 " movl %%eax,%0\n"
21131 - "7: rep; movsb\n"
21132 + "7: rep; "__copyuser_seg" movsb\n"
21133 "8:\n"
21134 ".section .fixup,\"ax\"\n"
21135 "9: lea 0(%%eax,%0,4),%0\n"
21136 @@ -537,41 +650,41 @@ static unsigned long __copy_user_intel_n
21137
21138 __asm__ __volatile__(
21139 " .align 2,0x90\n"
21140 - "0: movl 32(%4), %%eax\n"
21141 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
21142 " cmpl $67, %0\n"
21143 " jbe 2f\n"
21144 - "1: movl 64(%4), %%eax\n"
21145 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
21146 " .align 2,0x90\n"
21147 - "2: movl 0(%4), %%eax\n"
21148 - "21: movl 4(%4), %%edx\n"
21149 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
21150 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
21151 " movnti %%eax, 0(%3)\n"
21152 " movnti %%edx, 4(%3)\n"
21153 - "3: movl 8(%4), %%eax\n"
21154 - "31: movl 12(%4),%%edx\n"
21155 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
21156 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
21157 " movnti %%eax, 8(%3)\n"
21158 " movnti %%edx, 12(%3)\n"
21159 - "4: movl 16(%4), %%eax\n"
21160 - "41: movl 20(%4), %%edx\n"
21161 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
21162 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
21163 " movnti %%eax, 16(%3)\n"
21164 " movnti %%edx, 20(%3)\n"
21165 - "10: movl 24(%4), %%eax\n"
21166 - "51: movl 28(%4), %%edx\n"
21167 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
21168 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
21169 " movnti %%eax, 24(%3)\n"
21170 " movnti %%edx, 28(%3)\n"
21171 - "11: movl 32(%4), %%eax\n"
21172 - "61: movl 36(%4), %%edx\n"
21173 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
21174 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
21175 " movnti %%eax, 32(%3)\n"
21176 " movnti %%edx, 36(%3)\n"
21177 - "12: movl 40(%4), %%eax\n"
21178 - "71: movl 44(%4), %%edx\n"
21179 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
21180 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
21181 " movnti %%eax, 40(%3)\n"
21182 " movnti %%edx, 44(%3)\n"
21183 - "13: movl 48(%4), %%eax\n"
21184 - "81: movl 52(%4), %%edx\n"
21185 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
21186 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
21187 " movnti %%eax, 48(%3)\n"
21188 " movnti %%edx, 52(%3)\n"
21189 - "14: movl 56(%4), %%eax\n"
21190 - "91: movl 60(%4), %%edx\n"
21191 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
21192 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
21193 " movnti %%eax, 56(%3)\n"
21194 " movnti %%edx, 60(%3)\n"
21195 " addl $-64, %0\n"
21196 @@ -584,9 +697,9 @@ static unsigned long __copy_user_intel_n
21197 " shrl $2, %0\n"
21198 " andl $3, %%eax\n"
21199 " cld\n"
21200 - "6: rep; movsl\n"
21201 + "6: rep; "__copyuser_seg" movsl\n"
21202 " movl %%eax,%0\n"
21203 - "7: rep; movsb\n"
21204 + "7: rep; "__copyuser_seg" movsb\n"
21205 "8:\n"
21206 ".section .fixup,\"ax\"\n"
21207 "9: lea 0(%%eax,%0,4),%0\n"
21208 @@ -629,32 +742,36 @@ static unsigned long __copy_user_intel_n
21209 */
21210 unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
21211 unsigned long size);
21212 -unsigned long __copy_user_intel(void __user *to, const void *from,
21213 +unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
21214 + unsigned long size);
21215 +unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
21216 unsigned long size);
21217 unsigned long __copy_user_zeroing_intel_nocache(void *to,
21218 const void __user *from, unsigned long size);
21219 #endif /* CONFIG_X86_INTEL_USERCOPY */
21220
21221 /* Generic arbitrary sized copy. */
21222 -#define __copy_user(to, from, size) \
21223 +#define __copy_user(to, from, size, prefix, set, restore) \
21224 do { \
21225 int __d0, __d1, __d2; \
21226 __asm__ __volatile__( \
21227 + set \
21228 " cmp $7,%0\n" \
21229 " jbe 1f\n" \
21230 " movl %1,%0\n" \
21231 " negl %0\n" \
21232 " andl $7,%0\n" \
21233 " subl %0,%3\n" \
21234 - "4: rep; movsb\n" \
21235 + "4: rep; "prefix"movsb\n" \
21236 " movl %3,%0\n" \
21237 " shrl $2,%0\n" \
21238 " andl $3,%3\n" \
21239 " .align 2,0x90\n" \
21240 - "0: rep; movsl\n" \
21241 + "0: rep; "prefix"movsl\n" \
21242 " movl %3,%0\n" \
21243 - "1: rep; movsb\n" \
21244 + "1: rep; "prefix"movsb\n" \
21245 "2:\n" \
21246 + restore \
21247 ".section .fixup,\"ax\"\n" \
21248 "5: addl %3,%0\n" \
21249 " jmp 2b\n" \
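Review bot: The new `prefix`, `set` and `restore` parameters of `__copy_user` are pasted straight into the asm template, so each must expand to a string literal, but the comment `/* Generic arbitrary sized copy. */` was not extended to say so. I would add `/* prefix: segment override for the user-side string op; set/restore: asm fragments emitted before the copy and after label 2, so the fixup path (5: ... jmp 2b) also runs restore */`. The callers in this patch pass `""`, `__copyuser_seg`, `__COPYUSER_SET_ES` and `__COPYUSER_RESTORE_ES`. The macro body continues outside the hunk.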
21250 @@ -682,14 +799,14 @@ do { \
21251 " negl %0\n" \
21252 " andl $7,%0\n" \
21253 " subl %0,%3\n" \
21254 - "4: rep; movsb\n" \
21255 + "4: rep; "__copyuser_seg"movsb\n" \
21256 " movl %3,%0\n" \
21257 " shrl $2,%0\n" \
21258 " andl $3,%3\n" \
21259 " .align 2,0x90\n" \
21260 - "0: rep; movsl\n" \
21261 + "0: rep; "__copyuser_seg"movsl\n" \
21262 " movl %3,%0\n" \
21263 - "1: rep; movsb\n" \
21264 + "1: rep; "__copyuser_seg"movsb\n" \
21265 "2:\n" \
21266 ".section .fixup,\"ax\"\n" \
21267 "5: addl %3,%0\n" \
21268 @@ -775,9 +892,9 @@ survive:
21269 }
21270 #endif
21271 if (movsl_is_ok(to, from, n))
21272 - __copy_user(to, from, n);
21273 + __copy_user(to, from, n, "", __COPYUSER_SET_ES, __COPYUSER_RESTORE_ES);
21274 else
21275 - n = __copy_user_intel(to, from, n);
21276 + n = __generic_copy_to_user_intel(to, from, n);
21277 return n;
21278 }
21279 EXPORT_SYMBOL(__copy_to_user_ll);
21280 @@ -797,10 +914,9 @@ unsigned long __copy_from_user_ll_nozero
21281 unsigned long n)
21282 {
21283 if (movsl_is_ok(to, from, n))
21284 - __copy_user(to, from, n);
21285 + __copy_user(to, from, n, __copyuser_seg, "", "");
21286 else
21287 - n = __copy_user_intel((void __user *)to,
21288 - (const void *)from, n);
21289 + n = __generic_copy_from_user_intel(to, from, n);
21290 return n;
21291 }
21292 EXPORT_SYMBOL(__copy_from_user_ll_nozero);
21293 @@ -827,59 +943,38 @@ unsigned long __copy_from_user_ll_nocach
21294 if (n > 64 && cpu_has_xmm2)
21295 n = __copy_user_intel_nocache(to, from, n);
21296 else
21297 - __copy_user(to, from, n);
21298 + __copy_user(to, from, n, __copyuser_seg, "", "");
21299 #else
21300 - __copy_user(to, from, n);
21301 + __copy_user(to, from, n, __copyuser_seg, "", "");
21302 #endif
21303 return n;
21304 }
21305 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
21306
21307 -/**
21308 - * copy_to_user: - Copy a block of data into user space.
21309 - * @to: Destination address, in user space.
21310 - * @from: Source address, in kernel space.
21311 - * @n: Number of bytes to copy.
21312 - *
21313 - * Context: User context only. This function may sleep.
21314 - *
21315 - * Copy data from kernel space to user space.
21316 - *
21317 - * Returns number of bytes that could not be copied.
21318 - * On success, this will be zero.
21319 - */
21320 -unsigned long
21321 -copy_to_user(void __user *to, const void *from, unsigned long n)
21322 +#ifdef CONFIG_PAX_MEMORY_UDEREF
21323 +void __set_fs(mm_segment_t x)
21324 {
21325 - if (access_ok(VERIFY_WRITE, to, n))
21326 - n = __copy_to_user(to, from, n);
21327 - return n;
21328 + switch (x.seg) {
21329 + case 0:
21330 + loadsegment(gs, 0);
21331 + break;
21332 + case TASK_SIZE_MAX:
21333 + loadsegment(gs, __USER_DS);
21334 + break;
21335 + case -1UL:
21336 + loadsegment(gs, __KERNEL_DS);
21337 + break;
21338 + default:
21339 + BUG();
21340 + }
21341 + return;
21342 }
21343 -EXPORT_SYMBOL(copy_to_user);
21344 +EXPORT_SYMBOL(__set_fs);
21345
21346 -/**
21347 - * copy_from_user: - Copy a block of data from user space.
21348 - * @to: Destination address, in kernel space.
21349 - * @from: Source address, in user space.
21350 - * @n: Number of bytes to copy.
21351 - *
21352 - * Context: User context only. This function may sleep.
21353 - *
21354 - * Copy data from user space to kernel space.
21355 - *
21356 - * Returns number of bytes that could not be copied.
21357 - * On success, this will be zero.
21358 - *
21359 - * If some data could not be copied, this function will pad the copied
21360 - * data to the requested size using zero bytes.
21361 - */
21362 -unsigned long
21363 -copy_from_user(void *to, const void __user *from, unsigned long n)
21364 +void set_fs(mm_segment_t x)
21365 {
21366 - if (access_ok(VERIFY_READ, from, n))
21367 - n = __copy_from_user(to, from, n);
21368 - else
21369 - memset(to, 0, n);
21370 - return n;
21371 + current_thread_info()->addr_limit = x;
21372 + __set_fs(x);
21373 }
21374 -EXPORT_SYMBOL(copy_from_user);
21375 +EXPORT_SYMBOL(set_fs);
21376 +#endif
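Review bot: `__set_fs()` accepts exactly three values of `x.seg` and calls `BUG()` on anything else, with no comment naming what those values stand for. I would add `/* 0: null selector, TASK_SIZE_MAX: __USER_DS, -1UL: __KERNEL_DS; any other limit is a caller bug */` above the `switch`, and drop the redundant trailing `return;`. The same hunk deletes `copy_to_user()` and `copy_from_user()` together with their `access_ok()` calls. Their replacements are not visible here, so it is worth confirming that the range check (and the `memset` of the destination on failure in `copy_from_user`) survives wherever they are now defined.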
21377 diff -urNp linux-2.6.32.46/arch/x86/lib/usercopy_64.c linux-2.6.32.46/arch/x86/lib/usercopy_64.c
21378 --- linux-2.6.32.46/arch/x86/lib/usercopy_64.c 2011-03-27 14:31:47.000000000 -0400
21379 +++ linux-2.6.32.46/arch/x86/lib/usercopy_64.c 2011-10-06 09:37:08.000000000 -0400
21380 @@ -42,6 +42,12 @@ long
21381 __strncpy_from_user(char *dst, const char __user *src, long count)
21382 {
21383 long res;
21384 +
21385 +#ifdef CONFIG_PAX_MEMORY_UDEREF
21386 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
21387 + src += PAX_USER_SHADOW_BASE;
21388 +#endif
21389 +
21390 __do_strncpy_from_user(dst, src, count, res);
21391 return res;
21392 }
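Review bot: The rebasing `if ((unsigned long)src < PAX_USER_SHADOW_BASE) src += PAX_USER_SHADOW_BASE;` is open-coded here and again in the `__clear_user` and `copy_in_user` hunks below (twice in the latter), and none of the copies says what is expected of a pointer already at or above the base. One shared helper or macro carrying a comment such as `/* UDEREF: userland is reached through the shadow mapping; pointers >= PAX_USER_SHADOW_BASE are passed through unchanged */` would keep the four sites identical. In the visible lines `__strncpy_from_user` performs no `access_ok()` itself, so that pass-through presumably relies on the caller's check, which is worth stating in the same comment.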
21393 @@ -65,6 +71,12 @@ unsigned long __clear_user(void __user *
21394 {
21395 long __d0;
21396 might_fault();
21397 +
21398 +#ifdef CONFIG_PAX_MEMORY_UDEREF
21399 + if ((unsigned long)addr < PAX_USER_SHADOW_BASE)
21400 + addr += PAX_USER_SHADOW_BASE;
21401 +#endif
21402 +
21403 /* no memory constraint because it doesn't change any memory gcc knows
21404 about */
21405 asm volatile(
21406 @@ -151,10 +163,18 @@ EXPORT_SYMBOL(strlen_user);
21407
21408 unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
21409 {
21410 - if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
21411 - return copy_user_generic((__force void *)to, (__force void *)from, len);
21412 - }
21413 - return len;
21414 + if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
21415 +
21416 +#ifdef CONFIG_PAX_MEMORY_UDEREF
21417 + if ((unsigned long)to < PAX_USER_SHADOW_BASE)
21418 + to += PAX_USER_SHADOW_BASE;
21419 + if ((unsigned long)from < PAX_USER_SHADOW_BASE)
21420 + from += PAX_USER_SHADOW_BASE;
21421 +#endif
21422 +
21423 + return copy_user_generic((void __force_kernel *)to, (void __force_kernel *)from, len);
21424 + }
21425 + return len;
21426 }
21427 EXPORT_SYMBOL(copy_in_user);
21428
21429 @@ -164,7 +184,7 @@ EXPORT_SYMBOL(copy_in_user);
21430 * it is not necessary to optimize tail handling.
21431 */
21432 unsigned long
21433 -copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest)
21434 +copy_user_handle_tail(char __user *to, char __user *from, unsigned len, unsigned zerorest)
21435 {
21436 char c;
21437 unsigned zero_len;
21438 diff -urNp linux-2.6.32.46/arch/x86/Makefile linux-2.6.32.46/arch/x86/Makefile
21439 --- linux-2.6.32.46/arch/x86/Makefile 2011-03-27 14:31:47.000000000 -0400
21440 +++ linux-2.6.32.46/arch/x86/Makefile 2011-07-19 18:16:02.000000000 -0400
21441 @@ -44,6 +44,7 @@ ifeq ($(CONFIG_X86_32),y)
21442 else
21443 BITS := 64
21444 UTS_MACHINE := x86_64
21445 + biarch := $(call cc-option,-m64)
21446 CHECKFLAGS += -D__x86_64__ -m64
21447
21448 KBUILD_AFLAGS += -m64
21449 @@ -189,3 +190,12 @@ define archhelp
21450 echo ' FDARGS="..." arguments for the booted kernel'
21451 echo ' FDINITRD=file initrd for the booted kernel'
21452 endef
21453 +
21454 +define OLD_LD
21455 +
21456 +*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
21457 +*** Please upgrade your binutils to 2.18 or newer
21458 +endef
21459 +
21460 +archprepare:
21461 + $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
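Review bot: The `archprepare` rule tests `$(LDFLAGS_BUILD_ID)` while the `OLD_LD` text tells the user to upgrade to binutils 2.18, and nothing connects the two. A comment above the rule, e.g. `# LDFLAGS_BUILD_ID is empty when ld does not support --build-id; used as a proxy for binutils older than 2.18`, would explain why the error fires. As far as this hunk shows, the message would also appear if that variable were empty for any other reason.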
21462 diff -urNp linux-2.6.32.46/arch/x86/mm/extable.c linux-2.6.32.46/arch/x86/mm/extable.c
21463 --- linux-2.6.32.46/arch/x86/mm/extable.c 2011-03-27 14:31:47.000000000 -0400
21464 +++ linux-2.6.32.46/arch/x86/mm/extable.c 2011-04-17 15:56:46.000000000 -0400
21465 @@ -1,14 +1,71 @@
21466 #include <linux/module.h>
21467 #include <linux/spinlock.h>
21468 +#include <linux/sort.h>
21469 #include <asm/uaccess.h>
21470 +#include <asm/pgtable.h>
21471
21472 +/*
21473 + * The exception table needs to be sorted so that the binary
21474 + * search that we use to find entries in it works properly.
21475 + * This is used both for the kernel exception table and for
21476 + * the exception tables of modules that get loaded.
21477 + */
21478 +static int cmp_ex(const void *a, const void *b)
21479 +{
21480 + const struct exception_table_entry *x = a, *y = b;
21481 +
21482 + /* avoid overflow */
21483 + if (x->insn > y->insn)
21484 + return 1;
21485 + if (x->insn < y->insn)
21486 + return -1;
21487 + return 0;
21488 +}
21489 +
21490 +static void swap_ex(void *a, void *b, int size)
21491 +{
21492 + struct exception_table_entry t, *x = a, *y = b;
21493 +
21494 + t = *x;
21495 +
21496 + pax_open_kernel();
21497 + *x = *y;
21498 + *y = t;
21499 + pax_close_kernel();
21500 +}
21501 +
21502 +void sort_extable(struct exception_table_entry *start,
21503 + struct exception_table_entry *finish)
21504 +{
21505 + sort(start, finish - start, sizeof(struct exception_table_entry),
21506 + cmp_ex, swap_ex);
21507 +}
21508 +
21509 +#ifdef CONFIG_MODULES
21510 +/*
21511 + * If the exception table is sorted, any referring to the module init
21512 + * will be at the beginning or the end.
21513 + */
21514 +void trim_init_extable(struct module *m)
21515 +{
21516 + /*trim the beginning*/
21517 + while (m->num_exentries && within_module_init(m->extable[0].insn, m)) {
21518 + m->extable++;
21519 + m->num_exentries--;
21520 + }
21521 + /*trim the end*/
21522 + while (m->num_exentries &&
21523 + within_module_init(m->extable[m->num_exentries-1].insn, m))
21524 + m->num_exentries--;
21525 +}
21526 +#endif /* CONFIG_MODULES */
21527
21528 int fixup_exception(struct pt_regs *regs)
21529 {
21530 const struct exception_table_entry *fixup;
21531
21532 #ifdef CONFIG_PNPBIOS
21533 - if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
21534 + if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
21535 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
21536 extern u32 pnp_bios_is_utter_crap;
21537 pnp_bios_is_utter_crap = 1;
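Review bot: swap_ex() never uses its `size` argument and always copies a whole `struct exception_table_entry`, and it brackets the stores with `pax_open_kernel()`/`pax_close_kernel()` without a comment saying why sorting needs the kernel write window. A header comment would cover both, e.g. `/* sort() always passes sizeof(struct exception_table_entry); the table may be write-protected, so only the two stores run inside the open/close pair */` (the write-protected placement is my inference from the calls, please confirm). The `!v8086_mode(regs)` guard added to fixup_exception at the end of the hunk also deserves a one-line reason, presumably that a vm86 `cs` is a real-mode segment value and must not be compared against the PnP BIOS selectors. fixup_exception continues outside the hunk.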
21538 diff -urNp linux-2.6.32.46/arch/x86/mm/fault.c linux-2.6.32.46/arch/x86/mm/fault.c
21539 --- linux-2.6.32.46/arch/x86/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
21540 +++ linux-2.6.32.46/arch/x86/mm/fault.c 2011-10-06 09:37:08.000000000 -0400
21541 @@ -11,10 +11,19 @@
21542 #include <linux/kprobes.h> /* __kprobes, ... */
21543 #include <linux/mmiotrace.h> /* kmmio_handler, ... */
21544 #include <linux/perf_event.h> /* perf_sw_event */
21545 +#include <linux/unistd.h>
21546 +#include <linux/compiler.h>
21547
21548 #include <asm/traps.h> /* dotraplinkage, ... */
21549 #include <asm/pgalloc.h> /* pgd_*(), ... */
21550 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
21551 +#include <asm/vsyscall.h>
21552 +#include <asm/tlbflush.h>
21553 +
21554 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21555 +#include <asm/stacktrace.h>
21556 +#include "../kernel/dumpstack.h"
21557 +#endif
21558
21559 /*
21560 * Page fault error code bits:
21561 @@ -51,7 +60,7 @@ static inline int notify_page_fault(stru
21562 int ret = 0;
21563
21564 /* kprobe_running() needs smp_processor_id() */
21565 - if (kprobes_built_in() && !user_mode_vm(regs)) {
21566 + if (kprobes_built_in() && !user_mode(regs)) {
21567 preempt_disable();
21568 if (kprobe_running() && kprobe_fault_handler(regs, 14))
21569 ret = 1;
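Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` in notify_page_fault is only behaviour-preserving if `user_mode()` is redefined elsewhere in this patch to cover vm86 mode, and that definition is not visible here. In the unpatched 32-bit tree `user_mode()` looks at the privilege bits of `cs` only, so a vm86 fault could be classified as a kernel fault. The same substitution is made in the do_page_fault hunk at `@@ -1026,7 +1287,7 @@`, where it decides whether `PF_USER` is set. A comment at one of the two sites, e.g. `/* user_mode() includes vm86 in this tree, see asm/ptrace.h */`, would let a reviewer of fault.c alone verify the change (the header name is my guess; use the real location).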
21570 @@ -112,7 +121,10 @@ check_prefetch_opcode(struct pt_regs *re
21571 return !instr_lo || (instr_lo>>1) == 1;
21572 case 0x00:
21573 /* Prefetch instruction is 0x0F0D or 0x0F18 */
21574 - if (probe_kernel_address(instr, opcode))
21575 + if (user_mode(regs)) {
21576 + if (__copy_from_user_inatomic(&opcode, (unsigned char __force_user *)(instr), 1))
21577 + return 0;
21578 + } else if (probe_kernel_address(instr, opcode))
21579 return 0;
21580
21581 *prefetch = (instr_lo == 0xF) &&
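Review bot: The user-mode branch added to check_prefetch_opcode reads the opcode with `__copy_from_user_inatomic()`, which performs no access_ok() range check of its own, so it depends on `instr` having been confined to the user address range before this point; that bound is not visible in the hunk. The identical construct is added to the loop in is_prefetch in the next hunk (`@@ -146,7 +158,10 @@`). I would record the assumption beside the call, e.g. `/* instr was range-checked by is_prefetch(); the unchecked copy is deliberate */`, or add an explicit `access_ok()` test if no such bound exists. Both functions begin outside their hunks.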
21582 @@ -146,7 +158,10 @@ is_prefetch(struct pt_regs *regs, unsign
21583 while (instr < max_instr) {
21584 unsigned char opcode;
21585
21586 - if (probe_kernel_address(instr, opcode))
21587 + if (user_mode(regs)) {
21588 + if (__copy_from_user_inatomic(&opcode, (unsigned char __force_user *)(instr), 1))
21589 + break;
21590 + } else if (probe_kernel_address(instr, opcode))
21591 break;
21592
21593 instr++;
21594 @@ -172,6 +187,30 @@ force_sig_info_fault(int si_signo, int s
21595 force_sig_info(si_signo, &info, tsk);
21596 }
21597
21598 +#ifdef CONFIG_PAX_EMUTRAMP
21599 +static int pax_handle_fetch_fault(struct pt_regs *regs);
21600 +#endif
21601 +
21602 +#ifdef CONFIG_PAX_PAGEEXEC
21603 +static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
21604 +{
21605 + pgd_t *pgd;
21606 + pud_t *pud;
21607 + pmd_t *pmd;
21608 +
21609 + pgd = pgd_offset(mm, address);
21610 + if (!pgd_present(*pgd))
21611 + return NULL;
21612 + pud = pud_offset(pgd, address);
21613 + if (!pud_present(*pud))
21614 + return NULL;
21615 + pmd = pmd_offset(pud, address);
21616 + if (!pmd_present(*pmd))
21617 + return NULL;
21618 + return pmd;
21619 +}
21620 +#endif
21621 +
21622 DEFINE_SPINLOCK(pgd_lock);
21623 LIST_HEAD(pgd_list);
21624
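Review bot: pax_get_pmd() is added without any comment on what the caller must hold while it walks `mm`'s page tables or on what kind of entry it may hand back. Its only caller visible on this page (pax_handle_pageexec_fault) drops `mm->mmap_sem` with `up_read()` on its handled paths, which suggests the walk assumes the semaphore is held for reading, and it passes the result straight to `pte_offset_map_lock()`. A short header would make that explicit, e.g. `/* caller holds mm->mmap_sem; returns NULL unless pgd, pud and pmd are all present */`. It is also worth confirming that a present but large (huge-page) pmd cannot reach this helper, since only `pmd_present()` is tested.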
21625 @@ -224,11 +263,24 @@ void vmalloc_sync_all(void)
21626 address += PMD_SIZE) {
21627
21628 unsigned long flags;
21629 +
21630 +#ifdef CONFIG_PAX_PER_CPU_PGD
21631 + unsigned long cpu;
21632 +#else
21633 struct page *page;
21634 +#endif
21635
21636 spin_lock_irqsave(&pgd_lock, flags);
21637 +
21638 +#ifdef CONFIG_PAX_PER_CPU_PGD
21639 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
21640 + pgd_t *pgd = get_cpu_pgd(cpu);
21641 +#else
21642 list_for_each_entry(page, &pgd_list, lru) {
21643 - if (!vmalloc_sync_one(page_address(page), address))
21644 + pgd_t *pgd = page_address(page);
21645 +#endif
21646 +
21647 + if (!vmalloc_sync_one(pgd, address))
21648 break;
21649 }
21650 spin_unlock_irqrestore(&pgd_lock, flags);
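Review bot: The loop header in vmalloc_sync_all is now split across `#ifdef CONFIG_PAX_PER_CPU_PGD` / `#else`, with both variants sharing one closing brace and one body, which is easy to unbalance in later edits and confuses brace-matching tools. The 64-bit variant in the hunk at `@@ -332,15 +389,27 @@` repeats the pattern. I would hide the difference behind a small iterator macro or helper, so that the `for` line and its brace stay in one preprocessor branch. Separately, the per-CPU variant walks all `NR_CPUS` slots with `pgd_lock` held and interrupts off; if only possible CPUs have a valid pgd, iterating over those would shorten the critical section (not determinable from this hunk). The function starts outside the hunk.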
21651 @@ -258,6 +310,11 @@ static noinline int vmalloc_fault(unsign
21652 * an interrupt in the middle of a task switch..
21653 */
21654 pgd_paddr = read_cr3();
21655 +
21656 +#ifdef CONFIG_PAX_PER_CPU_PGD
21657 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (pgd_paddr & PHYSICAL_PAGE_MASK));
21658 +#endif
21659 +
21660 pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
21661 if (!pmd_k)
21662 return -1;
21663 @@ -332,15 +389,27 @@ void vmalloc_sync_all(void)
21664
21665 const pgd_t *pgd_ref = pgd_offset_k(address);
21666 unsigned long flags;
21667 +
21668 +#ifdef CONFIG_PAX_PER_CPU_PGD
21669 + unsigned long cpu;
21670 +#else
21671 struct page *page;
21672 +#endif
21673
21674 if (pgd_none(*pgd_ref))
21675 continue;
21676
21677 spin_lock_irqsave(&pgd_lock, flags);
21678 +
21679 +#ifdef CONFIG_PAX_PER_CPU_PGD
21680 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
21681 + pgd_t *pgd = pgd_offset_cpu(cpu, address);
21682 +#else
21683 list_for_each_entry(page, &pgd_list, lru) {
21684 pgd_t *pgd;
21685 pgd = (pgd_t *)page_address(page) + pgd_index(address);
21686 +#endif
21687 +
21688 if (pgd_none(*pgd))
21689 set_pgd(pgd, *pgd_ref);
21690 else
21691 @@ -373,7 +442,14 @@ static noinline int vmalloc_fault(unsign
21692 * happen within a race in page table update. In the later
21693 * case just flush:
21694 */
21695 +
21696 +#ifdef CONFIG_PAX_PER_CPU_PGD
21697 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (read_cr3() & PHYSICAL_PAGE_MASK));
21698 + pgd = pgd_offset_cpu(smp_processor_id(), address);
21699 +#else
21700 pgd = pgd_offset(current->active_mm, address);
21701 +#endif
21702 +
21703 pgd_ref = pgd_offset_k(address);
21704 if (pgd_none(*pgd_ref))
21705 return -1;
21706 @@ -535,7 +611,7 @@ static int is_errata93(struct pt_regs *r
21707 static int is_errata100(struct pt_regs *regs, unsigned long address)
21708 {
21709 #ifdef CONFIG_X86_64
21710 - if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
21711 + if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
21712 return 1;
21713 #endif
21714 return 0;
21715 @@ -562,7 +638,7 @@ static int is_f00f_bug(struct pt_regs *r
21716 }
21717
21718 static const char nx_warning[] = KERN_CRIT
21719 -"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
21720 +"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
21721
21722 static void
21723 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
21724 @@ -571,15 +647,26 @@ show_fault_oops(struct pt_regs *regs, un
21725 if (!oops_may_print())
21726 return;
21727
21728 - if (error_code & PF_INSTR) {
21729 + if (nx_enabled && (error_code & PF_INSTR)) {
21730 unsigned int level;
21731
21732 pte_t *pte = lookup_address(address, &level);
21733
21734 if (pte && pte_present(*pte) && !pte_exec(*pte))
21735 - printk(nx_warning, current_uid());
21736 + printk(nx_warning, current_uid(), current->comm, task_pid_nr(current));
21737 }
21738
21739 +#ifdef CONFIG_PAX_KERNEXEC
21740 + if (init_mm.start_code <= address && address < init_mm.end_code) {
21741 + if (current->signal->curr_ip)
21742 + printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
21743 + &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
21744 + else
21745 + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
21746 + current->comm, task_pid_nr(current), current_uid(), current_euid());
21747 + }
21748 +#endif
21749 +
21750 printk(KERN_ALERT "BUG: unable to handle kernel ");
21751 if (address < PAGE_SIZE)
21752 printk(KERN_CONT "NULL pointer dereference");
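Review bot: The `CONFIG_PAX_KERNEXEC` block in show_fault_oops logs "attempted to modify kernel code" for any fault whose address lies in `[init_mm.start_code, init_mm.end_code)`, without looking at `error_code`, so a non-write fault in that range would be reported as a modification attempt. For a message that feeds incident triage the wording should match the condition: either test the write bit, `if ((error_code & PF_WRITE) && init_mm.start_code <= address && address < init_mm.end_code) {`, or soften the text to "faulted on kernel code". Whether non-write faults can actually reach this point with KERNEXEC active is not visible here. Also note that `current->comm` is set by the task itself, so log consumers should treat that field as untrusted text. The function begins and ends outside the hunk.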
21753 @@ -704,6 +791,70 @@ __bad_area_nosemaphore(struct pt_regs *r
21754 unsigned long address, int si_code)
21755 {
21756 struct task_struct *tsk = current;
21757 +#if defined(CONFIG_X86_64) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
21758 + struct mm_struct *mm = tsk->mm;
21759 +#endif
21760 +
21761 +#ifdef CONFIG_X86_64
21762 + if (mm && (error_code & PF_INSTR) && mm->context.vdso) {
21763 + if (regs->ip == (unsigned long)vgettimeofday) {
21764 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_gettimeofday);
21765 + return;
21766 + } else if (regs->ip == (unsigned long)vtime) {
21767 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_time);
21768 + return;
21769 + } else if (regs->ip == (unsigned long)vgetcpu) {
21770 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, getcpu);
21771 + return;
21772 + }
21773 + }
21774 +#endif
21775 +
21776 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
21777 + if (mm && (error_code & PF_USER)) {
21778 + unsigned long ip = regs->ip;
21779 +
21780 + if (v8086_mode(regs))
21781 + ip = ((regs->cs & 0xffff) << 4) + (ip & 0xffff);
21782 +
21783 + /*
21784 + * It's possible to have interrupts off here:
21785 + */
21786 + local_irq_enable();
21787 +
21788 +#ifdef CONFIG_PAX_PAGEEXEC
21789 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
21790 + ((nx_enabled && (error_code & PF_INSTR)) || (!(error_code & (PF_PROT | PF_WRITE)) && ip == address))) {
21791 +
21792 +#ifdef CONFIG_PAX_EMUTRAMP
21793 + switch (pax_handle_fetch_fault(regs)) {
21794 + case 2:
21795 + return;
21796 + }
21797 +#endif
21798 +
21799 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
21800 + do_group_exit(SIGKILL);
21801 + }
21802 +#endif
21803 +
21804 +#ifdef CONFIG_PAX_SEGMEXEC
21805 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & (PF_PROT | PF_WRITE)) && (ip + SEGMEXEC_TASK_SIZE == address)) {
21806 +
21807 +#ifdef CONFIG_PAX_EMUTRAMP
21808 + switch (pax_handle_fetch_fault(regs)) {
21809 + case 2:
21810 + return;
21811 + }
21812 +#endif
21813 +
21814 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
21815 + do_group_exit(SIGKILL);
21816 + }
21817 +#endif
21818 +
21819 + }
21820 +#endif
21821
21822 /* User mode accesses just cause a SIGSEGV */
21823 if (error_code & PF_USER) {
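Review bot: The result of `pax_handle_fetch_fault()` is tested with a one-case `switch` on the bare literal `2` in both the PAGEEXEC and SEGMEXEC blocks of __bad_area_nosemaphore, and the meaning of 1 and 2 is documented only in a comment near the end of the file. A plain `if (pax_handle_fetch_fault(regs) == 2) return;` reads more directly, and named constants (for example an enum with a kill value and a trampoline-emulated value) would remove the need to look the numbers up. The same `switch` appears in pax_handle_pageexec_fault in the hunk at `@@ -857,6 +1008,99 @@`. The two blocks are otherwise identical after their conditions, so the report-and-kill tail could be shared. The function continues outside the hunk.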
21824 @@ -857,6 +1008,99 @@ static int spurious_fault_check(unsigned
21825 return 1;
21826 }
21827
21828 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
21829 +static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
21830 +{
21831 + pte_t *pte;
21832 + pmd_t *pmd;
21833 + spinlock_t *ptl;
21834 + unsigned char pte_mask;
21835 +
21836 + if (nx_enabled || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
21837 + !(mm->pax_flags & MF_PAX_PAGEEXEC))
21838 + return 0;
21839 +
21840 + /* PaX: it's our fault, let's handle it if we can */
21841 +
21842 + /* PaX: take a look at read faults before acquiring any locks */
21843 + if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
21844 + /* instruction fetch attempt from a protected page in user mode */
21845 + up_read(&mm->mmap_sem);
21846 +
21847 +#ifdef CONFIG_PAX_EMUTRAMP
21848 + switch (pax_handle_fetch_fault(regs)) {
21849 + case 2:
21850 + return 1;
21851 + }
21852 +#endif
21853 +
21854 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
21855 + do_group_exit(SIGKILL);
21856 + }
21857 +
21858 + pmd = pax_get_pmd(mm, address);
21859 + if (unlikely(!pmd))
21860 + return 0;
21861 +
21862 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
21863 + if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
21864 + pte_unmap_unlock(pte, ptl);
21865 + return 0;
21866 + }
21867 +
21868 + if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
21869 + /* write attempt to a protected page in user mode */
21870 + pte_unmap_unlock(pte, ptl);
21871 + return 0;
21872 + }
21873 +
21874 +#ifdef CONFIG_SMP
21875 + if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
21876 +#else
21877 + if (likely(address > get_limit(regs->cs)))
21878 +#endif
21879 + {
21880 + set_pte(pte, pte_mkread(*pte));
21881 + __flush_tlb_one(address);
21882 + pte_unmap_unlock(pte, ptl);
21883 + up_read(&mm->mmap_sem);
21884 + return 1;
21885 + }
21886 +
21887 + pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
21888 +
21889 + /*
21890 + * PaX: fill DTLB with user rights and retry
21891 + */
21892 + __asm__ __volatile__ (
21893 + "orb %2,(%1)\n"
21894 +#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
21895 +/*
21896 + * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
21897 + * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
21898 + * page fault when examined during a TLB load attempt. this is true not only
21899 + * for PTEs holding a non-present entry but also present entries that will
21900 + * raise a page fault (such as those set up by PaX, or the copy-on-write
21901 + * mechanism). in effect it means that we do *not* need to flush the TLBs
21902 + * for our target pages since their PTEs are simply not in the TLBs at all.
21903 +
21904 + * the best thing in omitting it is that we gain around 15-20% speed in the
21905 + * fast path of the page fault handler and can get rid of tracing since we
21906 + * can no longer flush unintended entries.
21907 + */
21908 + "invlpg (%0)\n"
21909 +#endif
21910 + __copyuser_seg"testb $0,(%0)\n"
21911 + "xorb %3,(%1)\n"
21912 + :
21913 + : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER)
21914 + : "memory", "cc");
21915 + pte_unmap_unlock(pte, ptl);
21916 + up_read(&mm->mmap_sem);
21917 + return 1;
21918 +}
21919 +#endif
21920 +
21921 /*
21922 * Handle a spurious fault caused by a stale TLB entry.
21923 *
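Review bot: pax_handle_pageexec_fault() has an asymmetric locking contract that is written down nowhere: every path that returns 1 first calls `up_read(&mm->mmap_sem)`, while every path that returns 0 leaves the semaphore held. The caller added in the do_page_fault hunk (`@@ -1080,6 +1341,11 @@`) relies on exactly this when it returns immediately on a non-zero result. I would state it in a header comment, e.g. `/* called with mm->mmap_sem held for reading; returns 1 with it released (fault handled), 0 with it still held */`. The `pte_mask` expression also depends on `PF_WRITE << (_PAGE_BIT_DIRTY-1)` landing on the dirty bit, which merits a one-line comment or a build-time assertion.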
21924 @@ -923,6 +1167,9 @@ int show_unhandled_signals = 1;
21925 static inline int
21926 access_error(unsigned long error_code, int write, struct vm_area_struct *vma)
21927 {
21928 + if (nx_enabled && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
21929 + return 1;
21930 +
21931 if (write) {
21932 /* write, present and write, not present: */
21933 if (unlikely(!(vma->vm_flags & VM_WRITE)))
21934 @@ -956,17 +1203,31 @@ do_page_fault(struct pt_regs *regs, unsi
21935 {
21936 struct vm_area_struct *vma;
21937 struct task_struct *tsk;
21938 - unsigned long address;
21939 struct mm_struct *mm;
21940 int write;
21941 int fault;
21942
21943 + /* Get the faulting address: */
21944 + unsigned long address = read_cr2();
21945 +
21946 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21947 + if (!user_mode(regs) && address < 2 * PAX_USER_SHADOW_BASE) {
21948 + if (!search_exception_tables(regs->ip)) {
21949 + bad_area_nosemaphore(regs, error_code, address);
21950 + return;
21951 + }
21952 + if (address < PAX_USER_SHADOW_BASE) {
21953 + printk(KERN_ERR "PAX: please report this to pageexec@freemail.hu\n");
21954 + printk(KERN_ERR "PAX: faulting IP: %pA\n", (void *)regs->ip);
21955 + show_trace_log_lvl(NULL, NULL, (void *)regs->sp, regs->bp, KERN_ERR);
21956 + } else
21957 + address -= PAX_USER_SHADOW_BASE;
21958 + }
21959 +#endif
21960 +
21961 tsk = current;
21962 mm = tsk->mm;
21963
21964 - /* Get the faulting address: */
21965 - address = read_cr2();
21966 -
21967 /*
21968 * Detect and handle instructions that would cause a page fault for
21969 * both a tracked kernel page and a userspace page.
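Review bot: The diagnostic branch for `address < PAX_USER_SHADOW_BASE` in do_page_fault emits two `printk(KERN_ERR ...)` lines and a full `show_trace_log_lvl()` dump on every hit, with no rate limiting. If that condition can be reached repeatedly (not determinable from this hunk), the log fills quickly and other evidence is pushed out. I would wrap the three calls in `if (printk_ratelimit()) { ... }` inside the existing branch, leaving the `else address -= PAX_USER_SHADOW_BASE;` attached to the address test as it is now. A comment explaining the `2 * PAX_USER_SHADOW_BASE` bound would also help. do_page_fault begins and ends outside the hunk.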
21970 @@ -1026,7 +1287,7 @@ do_page_fault(struct pt_regs *regs, unsi
21971 * User-mode registers count as a user access even for any
21972 * potential system fault or CPU buglet:
21973 */
21974 - if (user_mode_vm(regs)) {
21975 + if (user_mode(regs)) {
21976 local_irq_enable();
21977 error_code |= PF_USER;
21978 } else {
21979 @@ -1080,6 +1341,11 @@ do_page_fault(struct pt_regs *regs, unsi
21980 might_sleep();
21981 }
21982
21983 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
21984 + if (pax_handle_pageexec_fault(regs, mm, address, error_code))
21985 + return;
21986 +#endif
21987 +
21988 vma = find_vma(mm, address);
21989 if (unlikely(!vma)) {
21990 bad_area(regs, error_code, address);
21991 @@ -1091,18 +1357,24 @@ do_page_fault(struct pt_regs *regs, unsi
21992 bad_area(regs, error_code, address);
21993 return;
21994 }
21995 - if (error_code & PF_USER) {
21996 - /*
21997 - * Accessing the stack below %sp is always a bug.
21998 - * The large cushion allows instructions like enter
21999 - * and pusha to work. ("enter $65535, $31" pushes
22000 - * 32 pointers and then decrements %sp by 65535.)
22001 - */
22002 - if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
22003 - bad_area(regs, error_code, address);
22004 - return;
22005 - }
22006 + /*
22007 + * Accessing the stack below %sp is always a bug.
22008 + * The large cushion allows instructions like enter
22009 + * and pusha to work. ("enter $65535, $31" pushes
22010 + * 32 pointers and then decrements %sp by 65535.)
22011 + */
22012 + if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
22013 + bad_area(regs, error_code, address);
22014 + return;
22015 }
22016 +
22017 +#ifdef CONFIG_PAX_SEGMEXEC
22018 + if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
22019 + bad_area(regs, error_code, address);
22020 + return;
22021 + }
22022 +#endif
22023 +
22024 if (unlikely(expand_stack(vma, address))) {
22025 bad_area(regs, error_code, address);
22026 return;
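Review bot: Dropping the `if (error_code & PF_USER)` guard and comparing against `task_pt_regs(tsk)->sp` makes the below-%sp check apply to kernel-mode faults on the user stack as well, yet the retained comment still reads as if nothing changed. I would extend the comment to say so, e.g. `/* also enforced for kernel accesses: compare against the saved user %sp, not the kernel-mode regs->sp */`, so that a later merge does not restore `regs->sp`. The added SEGMEXEC test `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1` appears to depend on unsigned wrap-around and needs a line explaining which ranges it rejects. The surrounding function is outside the hunk on both sides.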
22027 @@ -1146,3 +1418,199 @@ good_area:
22028
22029 up_read(&mm->mmap_sem);
22030 }
22031 +
22032 +#ifdef CONFIG_PAX_EMUTRAMP
22033 +static int pax_handle_fetch_fault_32(struct pt_regs *regs)
22034 +{
22035 + int err;
22036 +
22037 + do { /* PaX: gcc trampoline emulation #1 */
22038 + unsigned char mov1, mov2;
22039 + unsigned short jmp;
22040 + unsigned int addr1, addr2;
22041 +
22042 +#ifdef CONFIG_X86_64
22043 + if ((regs->ip + 11) >> 32)
22044 + break;
22045 +#endif
22046 +
22047 + err = get_user(mov1, (unsigned char __user *)regs->ip);
22048 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
22049 + err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
22050 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
22051 + err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
22052 +
22053 + if (err)
22054 + break;
22055 +
22056 + if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
22057 + regs->cx = addr1;
22058 + regs->ax = addr2;
22059 + regs->ip = addr2;
22060 + return 2;
22061 + }
22062 + } while (0);
22063 +
22064 + do { /* PaX: gcc trampoline emulation #2 */
22065 + unsigned char mov, jmp;
22066 + unsigned int addr1, addr2;
22067 +
22068 +#ifdef CONFIG_X86_64
22069 + if ((regs->ip + 9) >> 32)
22070 + break;
22071 +#endif
22072 +
22073 + err = get_user(mov, (unsigned char __user *)regs->ip);
22074 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
22075 + err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
22076 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
22077 +
22078 + if (err)
22079 + break;
22080 +
22081 + if (mov == 0xB9 && jmp == 0xE9) {
22082 + regs->cx = addr1;
22083 + regs->ip = (unsigned int)(regs->ip + addr2 + 10);
22084 + return 2;
22085 + }
22086 + } while (0);
22087 +
22088 + return 1; /* PaX in action */
22089 +}
22090 +
22091 +#ifdef CONFIG_X86_64
22092 +static int pax_handle_fetch_fault_64(struct pt_regs *regs)
22093 +{
22094 + int err;
22095 +
22096 + do { /* PaX: gcc trampoline emulation #1 */
22097 + unsigned short mov1, mov2, jmp1;
22098 + unsigned char jmp2;
22099 + unsigned int addr1;
22100 + unsigned long addr2;
22101 +
22102 + err = get_user(mov1, (unsigned short __user *)regs->ip);
22103 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
22104 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
22105 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
22106 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
22107 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
22108 +
22109 + if (err)
22110 + break;
22111 +
22112 + if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
22113 + regs->r11 = addr1;
22114 + regs->r10 = addr2;
22115 + regs->ip = addr1;
22116 + return 2;
22117 + }
22118 + } while (0);
22119 +
22120 + do { /* PaX: gcc trampoline emulation #2 */
22121 + unsigned short mov1, mov2, jmp1;
22122 + unsigned char jmp2;
22123 + unsigned long addr1, addr2;
22124 +
22125 + err = get_user(mov1, (unsigned short __user *)regs->ip);
22126 + err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
22127 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
22128 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
22129 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
22130 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
22131 +
22132 + if (err)
22133 + break;
22134 +
22135 + if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
22136 + regs->r11 = addr1;
22137 + regs->r10 = addr2;
22138 + regs->ip = addr1;
22139 + return 2;
22140 + }
22141 + } while (0);
22142 +
22143 + return 1; /* PaX in action */
22144 +}
22145 +#endif
22146 +
22147 +/*
22148 + * PaX: decide what to do with offenders (regs->ip = fault address)
22149 + *
22150 + * returns 1 when task should be killed
22151 + * 2 when gcc trampoline was detected
22152 + */
22153 +static int pax_handle_fetch_fault(struct pt_regs *regs)
22154 +{
22155 + if (v8086_mode(regs))
22156 + return 1;
22157 +
22158 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
22159 + return 1;
22160 +
22161 +#ifdef CONFIG_X86_32
22162 + return pax_handle_fetch_fault_32(regs);
22163 +#else
22164 + if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
22165 + return pax_handle_fetch_fault_32(regs);
22166 + else
22167 + return pax_handle_fetch_fault_64(regs);
22168 +#endif
22169 +}
22170 +#endif
22171 +
22172 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
22173 +void pax_report_insns(void *pc, void *sp)
22174 +{
22175 + long i;
22176 +
22177 + printk(KERN_ERR "PAX: bytes at PC: ");
22178 + for (i = 0; i < 20; i++) {
22179 + unsigned char c;
22180 + if (get_user(c, (unsigned char __force_user *)pc+i))
22181 + printk(KERN_CONT "?? ");
22182 + else
22183 + printk(KERN_CONT "%02x ", c);
22184 + }
22185 + printk("\n");
22186 +
22187 + printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
22188 + for (i = -1; i < 80 / (long)sizeof(long); i++) {
22189 + unsigned long c;
22190 + if (get_user(c, (unsigned long __force_user *)sp+i))
22191 +#ifdef CONFIG_X86_32
22192 + printk(KERN_CONT "???????? ");
22193 +#else
22194 + printk(KERN_CONT "???????????????? ");
22195 +#endif
22196 + else
22197 + printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
22198 + }
22199 + printk("\n");
22200 +}
22201 +#endif
22202 +
22203 +/**
22204 + * probe_kernel_write(): safely attempt to write to a location
22205 + * @dst: address to write to
22206 + * @src: pointer to the data that shall be written
22207 + * @size: size of the data chunk
22208 + *
22209 + * Safely write to address @dst from the buffer at @src. If a kernel fault
22210 + * happens, handle that and return -EFAULT.
22211 + */
22212 +long notrace probe_kernel_write(void *dst, const void *src, size_t size)
22213 +{
22214 + long ret;
22215 + mm_segment_t old_fs = get_fs();
22216 +
22217 + set_fs(KERNEL_DS);
22218 + pagefault_disable();
22219 + pax_open_kernel();
22220 + ret = __copy_to_user_inatomic((void __force_user *)dst, src, size);
22221 + pax_close_kernel();
22222 + pagefault_enable();
22223 + set_fs(old_fs);
22224 +
22225 + return ret ? -EFAULT : 0;
22226 +}
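Review bot: The kernel-doc for probe_kernel_write() at the end of this hunk describes only a fault-safe write, but the body brackets the copy with `pax_open_kernel()`/`pax_close_kernel()`, so it presumably also lifts kernel write protection for whatever `dst` the caller supplies. Every caller thereby becomes a path to writing memory that is otherwise read-only, and the contract should say so, e.g. ` * Kernel write protection is lifted for the duration of the copy, so @dst may be read-only kernel memory; callers are responsible for validating @dst.` Separately, pax_report_insns() in the same hunk copies bytes from the faulting task's code and stack into the kernel log, so on systems using this path the log should be readable only by privileged users.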
22227 diff -urNp linux-2.6.32.46/arch/x86/mm/gup.c linux-2.6.32.46/arch/x86/mm/gup.c
22228 --- linux-2.6.32.46/arch/x86/mm/gup.c 2011-03-27 14:31:47.000000000 -0400
22229 +++ linux-2.6.32.46/arch/x86/mm/gup.c 2011-04-17 15:56:46.000000000 -0400
22230 @@ -237,7 +237,7 @@ int __get_user_pages_fast(unsigned long
22231 addr = start;
22232 len = (unsigned long) nr_pages << PAGE_SHIFT;
22233 end = start + len;
22234 - if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
22235 + if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ,
22236 (void __user *)start, len)))
22237 return 0;
22238
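Review bot: The switch from `access_ok()` to `__access_ok()` in __get_user_pages_fast is made without a comment, and the difference between the two is defined outside this file section. A reader cannot tell whether the double-underscore form performs the same range check or a weaker one. A one-line note would settle it, e.g. `/* range check only; access_ok() does additional work in this tree that is not wanted on the fast path */`, worded to match the actual definitions. The function starts and ends outside the hunk.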
22239 diff -urNp linux-2.6.32.46/arch/x86/mm/highmem_32.c linux-2.6.32.46/arch/x86/mm/highmem_32.c
22240 --- linux-2.6.32.46/arch/x86/mm/highmem_32.c 2011-03-27 14:31:47.000000000 -0400
22241 +++ linux-2.6.32.46/arch/x86/mm/highmem_32.c 2011-04-17 15:56:46.000000000 -0400
22242 @@ -43,7 +43,10 @@ void *kmap_atomic_prot(struct page *page
22243 idx = type + KM_TYPE_NR*smp_processor_id();
22244 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
22245 BUG_ON(!pte_none(*(kmap_pte-idx)));
22246 +
22247 + pax_open_kernel();
22248 set_pte(kmap_pte-idx, mk_pte(page, prot));
22249 + pax_close_kernel();
22250
22251 return (void *)vaddr;
22252 }
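Review bot: kmap_atomic_prot() now wraps its `set_pte()` in `pax_open_kernel()`/`pax_close_kernel()`, but this is the only hunk in the highmem_32.c section, so the matching unmap path that clears the same `kmap_pte` slot is left untouched. If the open/close pair is needed because that slot is write-protected (my inference), please confirm the clear on unmap goes through a path that is also permitted to write, and say so in a comment here, e.g. `/* kmap PTEs are write-protected; the unmap side is handled in <location> */`.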
22253 diff -urNp linux-2.6.32.46/arch/x86/mm/hugetlbpage.c linux-2.6.32.46/arch/x86/mm/hugetlbpage.c
22254 --- linux-2.6.32.46/arch/x86/mm/hugetlbpage.c 2011-03-27 14:31:47.000000000 -0400
22255 +++ linux-2.6.32.46/arch/x86/mm/hugetlbpage.c 2011-04-17 15:56:46.000000000 -0400
22256 @@ -267,13 +267,20 @@ static unsigned long hugetlb_get_unmappe
22257 struct hstate *h = hstate_file(file);
22258 struct mm_struct *mm = current->mm;
22259 struct vm_area_struct *vma;
22260 - unsigned long start_addr;
22261 + unsigned long start_addr, pax_task_size = TASK_SIZE;
22262 +
22263 +#ifdef CONFIG_PAX_SEGMEXEC
22264 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
22265 + pax_task_size = SEGMEXEC_TASK_SIZE;
22266 +#endif
22267 +
22268 + pax_task_size -= PAGE_SIZE;
22269
22270 if (len > mm->cached_hole_size) {
22271 - start_addr = mm->free_area_cache;
22272 + start_addr = mm->free_area_cache;
22273 } else {
22274 - start_addr = TASK_UNMAPPED_BASE;
22275 - mm->cached_hole_size = 0;
22276 + start_addr = mm->mmap_base;
22277 + mm->cached_hole_size = 0;
22278 }
22279
22280 full_search:
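Review bot: `pax_task_size -= PAGE_SIZE;` in hugetlb_get_unmapped_area_bottomup shrinks the search limit by one page with no comment saying why the last page is excluded. The same three steps (initialise from `TASK_SIZE`, override for SEGMEXEC, subtract a page) are repeated in hugetlb_get_unmapped_area in the hunk at `@@ -400,10 +407,19 @@`. I would add `/* never hand out the last page below the task size limit */` (or the real reason) and move the computation into a small static helper, so the two copies cannot drift apart. The `start_addr` lines also appear to have changed in whitespace only, which adds noise to the diff. The function starts outside the hunk.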
22281 @@ -281,26 +288,27 @@ full_search:
22282
22283 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
22284 /* At this point: (!vma || addr < vma->vm_end). */
22285 - if (TASK_SIZE - len < addr) {
22286 + if (pax_task_size - len < addr) {
22287 /*
22288 * Start a new search - just in case we missed
22289 * some holes.
22290 */
22291 - if (start_addr != TASK_UNMAPPED_BASE) {
22292 - start_addr = TASK_UNMAPPED_BASE;
22293 + if (start_addr != mm->mmap_base) {
22294 + start_addr = mm->mmap_base;
22295 mm->cached_hole_size = 0;
22296 goto full_search;
22297 }
22298 return -ENOMEM;
22299 }
22300 - if (!vma || addr + len <= vma->vm_start) {
22301 - mm->free_area_cache = addr + len;
22302 - return addr;
22303 - }
22304 + if (check_heap_stack_gap(vma, addr, len))
22305 + break;
22306 if (addr + mm->cached_hole_size < vma->vm_start)
22307 mm->cached_hole_size = vma->vm_start - addr;
22308 addr = ALIGN(vma->vm_end, huge_page_size(h));
22309 }
22310 +
22311 + mm->free_area_cache = addr + len;
22312 + return addr;
22313 }
22314
22315 static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
22316 @@ -309,10 +317,9 @@ static unsigned long hugetlb_get_unmappe
22317 {
22318 struct hstate *h = hstate_file(file);
22319 struct mm_struct *mm = current->mm;
22320 - struct vm_area_struct *vma, *prev_vma;
22321 - unsigned long base = mm->mmap_base, addr = addr0;
22322 + struct vm_area_struct *vma;
22323 + unsigned long base = mm->mmap_base, addr;
22324 unsigned long largest_hole = mm->cached_hole_size;
22325 - int first_time = 1;
22326
22327 /* don't allow allocations above current base */
22328 if (mm->free_area_cache > base)
22329 @@ -322,64 +329,63 @@ static unsigned long hugetlb_get_unmappe
22330 largest_hole = 0;
22331 mm->free_area_cache = base;
22332 }
22333 -try_again:
22334 +
22335 /* make sure it can fit in the remaining address space */
22336 if (mm->free_area_cache < len)
22337 goto fail;
22338
22339 /* either no address requested or cant fit in requested address hole */
22340 - addr = (mm->free_area_cache - len) & huge_page_mask(h);
22341 + addr = (mm->free_area_cache - len);
22342 do {
22343 + addr &= huge_page_mask(h);
22344 + vma = find_vma(mm, addr);
22345 /*
22346 * Lookup failure means no vma is above this address,
22347 * i.e. return with success:
22348 - */
22349 - if (!(vma = find_vma_prev(mm, addr, &prev_vma)))
22350 - return addr;
22351 -
22352 - /*
22353 * new region fits between prev_vma->vm_end and
22354 * vma->vm_start, use it:
22355 */
22356 - if (addr + len <= vma->vm_start &&
22357 - (!prev_vma || (addr >= prev_vma->vm_end))) {
22358 + if (check_heap_stack_gap(vma, addr, len)) {
22359 /* remember the address as a hint for next time */
22360 - mm->cached_hole_size = largest_hole;
22361 - return (mm->free_area_cache = addr);
22362 - } else {
22363 - /* pull free_area_cache down to the first hole */
22364 - if (mm->free_area_cache == vma->vm_end) {
22365 - mm->free_area_cache = vma->vm_start;
22366 - mm->cached_hole_size = largest_hole;
22367 - }
22368 + mm->cached_hole_size = largest_hole;
22369 + return (mm->free_area_cache = addr);
22370 + }
22371 + /* pull free_area_cache down to the first hole */
22372 + if (mm->free_area_cache == vma->vm_end) {
22373 + mm->free_area_cache = vma->vm_start;
22374 + mm->cached_hole_size = largest_hole;
22375 }
22376
22377 /* remember the largest hole we saw so far */
22378 if (addr + largest_hole < vma->vm_start)
22379 - largest_hole = vma->vm_start - addr;
22380 + largest_hole = vma->vm_start - addr;
22381
22382 /* try just below the current vma->vm_start */
22383 - addr = (vma->vm_start - len) & huge_page_mask(h);
22384 - } while (len <= vma->vm_start);
22385 + addr = skip_heap_stack_gap(vma, len);
22386 + } while (!IS_ERR_VALUE(addr));
22387
22388 fail:
22389 /*
22390 - * if hint left us with no space for the requested
22391 - * mapping then try again:
22392 - */
22393 - if (first_time) {
22394 - mm->free_area_cache = base;
22395 - largest_hole = 0;
22396 - first_time = 0;
22397 - goto try_again;
22398 - }
22399 - /*
22400 * A failed mmap() very likely causes application failure,
22401 * so fall back to the bottom-up function here. This scenario
22402 * can happen with large stack limits and large mmap()
22403 * allocations.
22404 */
22405 - mm->free_area_cache = TASK_UNMAPPED_BASE;
22406 +
22407 +#ifdef CONFIG_PAX_SEGMEXEC
22408 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
22409 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
22410 + else
22411 +#endif
22412 +
22413 + mm->mmap_base = TASK_UNMAPPED_BASE;
22414 +
22415 +#ifdef CONFIG_PAX_RANDMMAP
22416 + if (mm->pax_flags & MF_PAX_RANDMMAP)
22417 + mm->mmap_base += mm->delta_mmap;
22418 +#endif
22419 +
22420 + mm->free_area_cache = mm->mmap_base;
22421 mm->cached_hole_size = ~0UL;
22422 addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
22423 len, pgoff, flags);
22424 @@ -387,6 +393,7 @@ fail:
22425 /*
22426 * Restore the topdown base:
22427 */
22428 + mm->mmap_base = base;
22429 mm->free_area_cache = base;
22430 mm->cached_hole_size = ~0UL;
22431
22432 @@ -400,10 +407,19 @@ hugetlb_get_unmapped_area(struct file *f
22433 struct hstate *h = hstate_file(file);
22434 struct mm_struct *mm = current->mm;
22435 struct vm_area_struct *vma;
22436 + unsigned long pax_task_size = TASK_SIZE;
22437
22438 if (len & ~huge_page_mask(h))
22439 return -EINVAL;
22440 - if (len > TASK_SIZE)
22441 +
22442 +#ifdef CONFIG_PAX_SEGMEXEC
22443 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
22444 + pax_task_size = SEGMEXEC_TASK_SIZE;
22445 +#endif
22446 +
22447 + pax_task_size -= PAGE_SIZE;
22448 +
22449 + if (len > pax_task_size)
22450 return -ENOMEM;
22451
22452 if (flags & MAP_FIXED) {
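Review bot: `pax_task_size -= PAGE_SIZE;` in hugetlb_get_unmapped_area() shrinks the usable address range by one page with no comment saying why, and the reason cannot be read from this hunk. Both the `len > pax_task_size` limit here and the `pax_task_size - len >= addr` hint check in the next hunk depend on it. A one-line comment would help, for example `/* keep the last page below the task size limit unused */` if that is the intent. The function body continues outside the hunk.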
22453 @@ -415,8 +431,7 @@ hugetlb_get_unmapped_area(struct file *f
22454 if (addr) {
22455 addr = ALIGN(addr, huge_page_size(h));
22456 vma = find_vma(mm, addr);
22457 - if (TASK_SIZE - len >= addr &&
22458 - (!vma || addr + len <= vma->vm_start))
22459 + if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
22460 return addr;
22461 }
22462 if (mm->get_unmapped_area == arch_get_unmapped_area)
22463 diff -urNp linux-2.6.32.46/arch/x86/mm/init_32.c linux-2.6.32.46/arch/x86/mm/init_32.c
22464 --- linux-2.6.32.46/arch/x86/mm/init_32.c 2011-03-27 14:31:47.000000000 -0400
22465 +++ linux-2.6.32.46/arch/x86/mm/init_32.c 2011-04-17 15:56:46.000000000 -0400
22466 @@ -72,36 +72,6 @@ static __init void *alloc_low_page(void)
22467 }
22468
22469 /*
22470 - * Creates a middle page table and puts a pointer to it in the
22471 - * given global directory entry. This only returns the gd entry
22472 - * in non-PAE compilation mode, since the middle layer is folded.
22473 - */
22474 -static pmd_t * __init one_md_table_init(pgd_t *pgd)
22475 -{
22476 - pud_t *pud;
22477 - pmd_t *pmd_table;
22478 -
22479 -#ifdef CONFIG_X86_PAE
22480 - if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
22481 - if (after_bootmem)
22482 - pmd_table = (pmd_t *)alloc_bootmem_pages(PAGE_SIZE);
22483 - else
22484 - pmd_table = (pmd_t *)alloc_low_page();
22485 - paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
22486 - set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
22487 - pud = pud_offset(pgd, 0);
22488 - BUG_ON(pmd_table != pmd_offset(pud, 0));
22489 -
22490 - return pmd_table;
22491 - }
22492 -#endif
22493 - pud = pud_offset(pgd, 0);
22494 - pmd_table = pmd_offset(pud, 0);
22495 -
22496 - return pmd_table;
22497 -}
22498 -
22499 -/*
22500 * Create a page table and place a pointer to it in a middle page
22501 * directory entry:
22502 */
22503 @@ -121,13 +91,28 @@ static pte_t * __init one_page_table_ini
22504 page_table = (pte_t *)alloc_low_page();
22505
22506 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
22507 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
22508 + set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
22509 +#else
22510 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
22511 +#endif
22512 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
22513 }
22514
22515 return pte_offset_kernel(pmd, 0);
22516 }
22517
22518 +static pmd_t * __init one_md_table_init(pgd_t *pgd)
22519 +{
22520 + pud_t *pud;
22521 + pmd_t *pmd_table;
22522 +
22523 + pud = pud_offset(pgd, 0);
22524 + pmd_table = pmd_offset(pud, 0);
22525 +
22526 + return pmd_table;
22527 +}
22528 +
22529 pmd_t * __init populate_extra_pmd(unsigned long vaddr)
22530 {
22531 int pgd_idx = pgd_index(vaddr);
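Review bot: The re-added `one_md_table_init()` has lost both its header comment and its PAE allocation path, so the name promises initialisation that the body no longer performs. It now only returns `pmd_offset(pud_offset(pgd, 0), 0)`. A comment such as `/* Look up the first pmd under @pgd; nothing is allocated here, the pmd page must already be present. */` would stop a later caller from relying on the old behaviour. Whether the pmd pages are always present at this point under CONFIG_X86_PAE is not visible in the hunk and is worth confirming.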
22532 @@ -201,6 +186,7 @@ page_table_range_init(unsigned long star
22533 int pgd_idx, pmd_idx;
22534 unsigned long vaddr;
22535 pgd_t *pgd;
22536 + pud_t *pud;
22537 pmd_t *pmd;
22538 pte_t *pte = NULL;
22539
22540 @@ -210,8 +196,13 @@ page_table_range_init(unsigned long star
22541 pgd = pgd_base + pgd_idx;
22542
22543 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
22544 - pmd = one_md_table_init(pgd);
22545 - pmd = pmd + pmd_index(vaddr);
22546 + pud = pud_offset(pgd, vaddr);
22547 + pmd = pmd_offset(pud, vaddr);
22548 +
22549 +#ifdef CONFIG_X86_PAE
22550 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
22551 +#endif
22552 +
22553 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
22554 pmd++, pmd_idx++) {
22555 pte = page_table_kmap_check(one_page_table_init(pmd),
22556 @@ -223,11 +214,20 @@ page_table_range_init(unsigned long star
22557 }
22558 }
22559
22560 -static inline int is_kernel_text(unsigned long addr)
22561 +static inline int is_kernel_text(unsigned long start, unsigned long end)
22562 {
22563 - if (addr >= PAGE_OFFSET && addr <= (unsigned long)__init_end)
22564 - return 1;
22565 - return 0;
22566 + if ((start > ktla_ktva((unsigned long)_etext) ||
22567 + end <= ktla_ktva((unsigned long)_stext)) &&
22568 + (start > ktla_ktva((unsigned long)_einittext) ||
22569 + end <= ktla_ktva((unsigned long)_sinittext)) &&
22570 +
22571 +#ifdef CONFIG_ACPI_SLEEP
22572 + (start > (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
22573 +#endif
22574 +
22575 + (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
22576 + return 0;
22577 + return 1;
22578 }
22579
22580 /*
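Review bot: `is_kernel_text()` now answers a broader question than its name says. It returns 1 when [start, end) overlaps kernel text, init text, the ACPI wakeup area or the 0xc0000-0xfffff range, and the callers in the later hunks use that result to pick `PAGE_KERNEL_LARGE_EXEC` / `PAGE_KERNEL_EXEC`. The condition is a negated four-way conjunction with bare constants (`0x4000`, `0xc0000`, `0xfffff`), which makes it hard to audit exactly which ranges stay executable. I would add a header comment such as `/* Return 1 if [start, end) overlaps a range that must stay executable: kernel text, init text, the ACPI wakeup code, or 0xc0000-0xfffff. */` and give the constants names.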
22581 @@ -243,9 +243,10 @@ kernel_physical_mapping_init(unsigned lo
22582 int use_pse = page_size_mask == (1<<PG_LEVEL_2M);
22583 unsigned long start_pfn, end_pfn;
22584 pgd_t *pgd_base = swapper_pg_dir;
22585 - int pgd_idx, pmd_idx, pte_ofs;
22586 + unsigned int pgd_idx, pmd_idx, pte_ofs;
22587 unsigned long pfn;
22588 pgd_t *pgd;
22589 + pud_t *pud;
22590 pmd_t *pmd;
22591 pte_t *pte;
22592 unsigned pages_2m, pages_4k;
22593 @@ -278,8 +279,13 @@ repeat:
22594 pfn = start_pfn;
22595 pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
22596 pgd = pgd_base + pgd_idx;
22597 - for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
22598 - pmd = one_md_table_init(pgd);
22599 + for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
22600 + pud = pud_offset(pgd, 0);
22601 + pmd = pmd_offset(pud, 0);
22602 +
22603 +#ifdef CONFIG_X86_PAE
22604 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
22605 +#endif
22606
22607 if (pfn >= end_pfn)
22608 continue;
22609 @@ -291,14 +297,13 @@ repeat:
22610 #endif
22611 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
22612 pmd++, pmd_idx++) {
22613 - unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
22614 + unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
22615
22616 /*
22617 * Map with big pages if possible, otherwise
22618 * create normal page tables:
22619 */
22620 if (use_pse) {
22621 - unsigned int addr2;
22622 pgprot_t prot = PAGE_KERNEL_LARGE;
22623 /*
22624 * first pass will use the same initial
22625 @@ -308,11 +313,7 @@ repeat:
22626 __pgprot(PTE_IDENT_ATTR |
22627 _PAGE_PSE);
22628
22629 - addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
22630 - PAGE_OFFSET + PAGE_SIZE-1;
22631 -
22632 - if (is_kernel_text(addr) ||
22633 - is_kernel_text(addr2))
22634 + if (is_kernel_text(address, address + PMD_SIZE))
22635 prot = PAGE_KERNEL_LARGE_EXEC;
22636
22637 pages_2m++;
22638 @@ -329,7 +330,7 @@ repeat:
22639 pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
22640 pte += pte_ofs;
22641 for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
22642 - pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
22643 + pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
22644 pgprot_t prot = PAGE_KERNEL;
22645 /*
22646 * first pass will use the same initial
22647 @@ -337,7 +338,7 @@ repeat:
22648 */
22649 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
22650
22651 - if (is_kernel_text(addr))
22652 + if (is_kernel_text(address, address + PAGE_SIZE))
22653 prot = PAGE_KERNEL_EXEC;
22654
22655 pages_4k++;
22656 @@ -489,7 +490,7 @@ void __init native_pagetable_setup_start
22657
22658 pud = pud_offset(pgd, va);
22659 pmd = pmd_offset(pud, va);
22660 - if (!pmd_present(*pmd))
22661 + if (!pmd_present(*pmd) || pmd_huge(*pmd))
22662 break;
22663
22664 pte = pte_offset_kernel(pmd, va);
22665 @@ -541,9 +542,7 @@ void __init early_ioremap_page_table_ran
22666
22667 static void __init pagetable_init(void)
22668 {
22669 - pgd_t *pgd_base = swapper_pg_dir;
22670 -
22671 - permanent_kmaps_init(pgd_base);
22672 + permanent_kmaps_init(swapper_pg_dir);
22673 }
22674
22675 #ifdef CONFIG_ACPI_SLEEP
22676 @@ -551,12 +550,12 @@ static void __init pagetable_init(void)
22677 * ACPI suspend needs this for resume, because things like the intel-agp
22678 * driver might have split up a kernel 4MB mapping.
22679 */
22680 -char swsusp_pg_dir[PAGE_SIZE]
22681 +pgd_t swsusp_pg_dir[PTRS_PER_PGD]
22682 __attribute__ ((aligned(PAGE_SIZE)));
22683
22684 static inline void save_pg_dir(void)
22685 {
22686 - memcpy(swsusp_pg_dir, swapper_pg_dir, PAGE_SIZE);
22687 + clone_pgd_range(swsusp_pg_dir, swapper_pg_dir, PTRS_PER_PGD);
22688 }
22689 #else /* !CONFIG_ACPI_SLEEP */
22690 static inline void save_pg_dir(void)
22691 @@ -588,7 +587,7 @@ void zap_low_mappings(bool early)
22692 flush_tlb_all();
22693 }
22694
22695 -pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
22696 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
22697 EXPORT_SYMBOL_GPL(__supported_pte_mask);
22698
22699 /* user-defined highmem size */
22700 @@ -777,7 +776,7 @@ void __init setup_bootmem_allocator(void
22701 * Initialize the boot-time allocator (with low memory only):
22702 */
22703 bootmap_size = bootmem_bootmap_pages(max_low_pfn)<<PAGE_SHIFT;
22704 - bootmap = find_e820_area(0, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,
22705 + bootmap = find_e820_area(0x100000, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,
22706 PAGE_SIZE);
22707 if (bootmap == -1L)
22708 panic("Cannot find bootmem map of size %ld\n", bootmap_size);
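Review bot: The new lower bound `0x100000` passed to `find_e820_area()` is a bare constant, and the same value is hard-coded again as `start = 0x100000;` in find_early_table_space() (the arch/x86/mm/init.c hunk at -69,11). Neither site says why the bootmem bitmap and the early page tables must now sit above the first 1 MiB. A shared named constant, or at least a comment such as `/* keep early allocations out of the low 1 MiB */` at both sites, would keep the two in step.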
22709 @@ -864,6 +863,12 @@ void __init mem_init(void)
22710
22711 pci_iommu_alloc();
22712
22713 +#ifdef CONFIG_PAX_PER_CPU_PGD
22714 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
22715 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
22716 + KERNEL_PGD_PTRS);
22717 +#endif
22718 +
22719 #ifdef CONFIG_FLATMEM
22720 BUG_ON(!mem_map);
22721 #endif
22722 @@ -881,7 +886,7 @@ void __init mem_init(void)
22723 set_highmem_pages_init();
22724
22725 codesize = (unsigned long) &_etext - (unsigned long) &_text;
22726 - datasize = (unsigned long) &_edata - (unsigned long) &_etext;
22727 + datasize = (unsigned long) &_edata - (unsigned long) &_sdata;
22728 initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
22729
22730 printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
22731 @@ -923,10 +928,10 @@ void __init mem_init(void)
22732 ((unsigned long)&__init_end -
22733 (unsigned long)&__init_begin) >> 10,
22734
22735 - (unsigned long)&_etext, (unsigned long)&_edata,
22736 - ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
22737 + (unsigned long)&_sdata, (unsigned long)&_edata,
22738 + ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
22739
22740 - (unsigned long)&_text, (unsigned long)&_etext,
22741 + ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
22742 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
22743
22744 /*
22745 @@ -1007,6 +1012,7 @@ void set_kernel_text_rw(void)
22746 if (!kernel_set_to_readonly)
22747 return;
22748
22749 + start = ktla_ktva(start);
22750 pr_debug("Set kernel text: %lx - %lx for read write\n",
22751 start, start+size);
22752
22753 @@ -1021,6 +1027,7 @@ void set_kernel_text_ro(void)
22754 if (!kernel_set_to_readonly)
22755 return;
22756
22757 + start = ktla_ktva(start);
22758 pr_debug("Set kernel text: %lx - %lx for read only\n",
22759 start, start+size);
22760
22761 @@ -1032,6 +1039,7 @@ void mark_rodata_ro(void)
22762 unsigned long start = PFN_ALIGN(_text);
22763 unsigned long size = PFN_ALIGN(_etext) - start;
22764
22765 + start = ktla_ktva(start);
22766 set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
22767 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
22768 size >> 10);
22769 diff -urNp linux-2.6.32.46/arch/x86/mm/init_64.c linux-2.6.32.46/arch/x86/mm/init_64.c
22770 --- linux-2.6.32.46/arch/x86/mm/init_64.c 2011-04-17 17:00:52.000000000 -0400
22771 +++ linux-2.6.32.46/arch/x86/mm/init_64.c 2011-04-17 17:03:05.000000000 -0400
22772 @@ -164,7 +164,9 @@ void set_pte_vaddr_pud(pud_t *pud_page,
22773 pmd = fill_pmd(pud, vaddr);
22774 pte = fill_pte(pmd, vaddr);
22775
22776 + pax_open_kernel();
22777 set_pte(pte, new_pte);
22778 + pax_close_kernel();
22779
22780 /*
22781 * It's enough to flush this one mapping.
22782 @@ -223,14 +225,12 @@ static void __init __init_extra_mapping(
22783 pgd = pgd_offset_k((unsigned long)__va(phys));
22784 if (pgd_none(*pgd)) {
22785 pud = (pud_t *) spp_getpage();
22786 - set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
22787 - _PAGE_USER));
22788 + set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
22789 }
22790 pud = pud_offset(pgd, (unsigned long)__va(phys));
22791 if (pud_none(*pud)) {
22792 pmd = (pmd_t *) spp_getpage();
22793 - set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
22794 - _PAGE_USER));
22795 + set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
22796 }
22797 pmd = pmd_offset(pud, phys);
22798 BUG_ON(!pmd_none(*pmd));
22799 @@ -675,6 +675,12 @@ void __init mem_init(void)
22800
22801 pci_iommu_alloc();
22802
22803 +#ifdef CONFIG_PAX_PER_CPU_PGD
22804 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
22805 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
22806 + KERNEL_PGD_PTRS);
22807 +#endif
22808 +
22809 /* clear_bss() already clear the empty_zero_page */
22810
22811 reservedpages = 0;
22812 @@ -861,8 +867,8 @@ int kern_addr_valid(unsigned long addr)
22813 static struct vm_area_struct gate_vma = {
22814 .vm_start = VSYSCALL_START,
22815 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
22816 - .vm_page_prot = PAGE_READONLY_EXEC,
22817 - .vm_flags = VM_READ | VM_EXEC
22818 + .vm_page_prot = PAGE_READONLY,
22819 + .vm_flags = VM_READ
22820 };
22821
22822 struct vm_area_struct *get_gate_vma(struct task_struct *tsk)
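Review bot: The gate VMA for the vsyscall page goes from `PAGE_READONLY_EXEC` / `VM_READ | VM_EXEC` to `PAGE_READONLY` / `VM_READ` with no comment, so a reader of this initializer cannot tell how calls into that page are expected to work afterwards. If execution of the vsyscall page is handled elsewhere in the patch (not visible in this hunk), a short comment here should point to that code. If it is not, user code that jumps into this range would fault, which deserves a note for anyone debugging legacy binaries. The permissions reported for this VMA to user space change as well.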
22823 @@ -896,7 +902,7 @@ int in_gate_area_no_task(unsigned long a
22824
22825 const char *arch_vma_name(struct vm_area_struct *vma)
22826 {
22827 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
22828 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
22829 return "[vdso]";
22830 if (vma == &gate_vma)
22831 return "[vsyscall]";
22832 diff -urNp linux-2.6.32.46/arch/x86/mm/init.c linux-2.6.32.46/arch/x86/mm/init.c
22833 --- linux-2.6.32.46/arch/x86/mm/init.c 2011-04-17 17:00:52.000000000 -0400
22834 +++ linux-2.6.32.46/arch/x86/mm/init.c 2011-06-07 19:06:09.000000000 -0400
22835 @@ -69,11 +69,7 @@ static void __init find_early_table_spac
22836 * cause a hotspot and fill up ZONE_DMA. The page tables
22837 * need roughly 0.5KB per GB.
22838 */
22839 -#ifdef CONFIG_X86_32
22840 - start = 0x7000;
22841 -#else
22842 - start = 0x8000;
22843 -#endif
22844 + start = 0x100000;
22845 e820_table_start = find_e820_area(start, max_pfn_mapped<<PAGE_SHIFT,
22846 tables, PAGE_SIZE);
22847 if (e820_table_start == -1UL)
22848 @@ -147,7 +143,7 @@ unsigned long __init_refok init_memory_m
22849 #endif
22850
22851 set_nx();
22852 - if (nx_enabled)
22853 + if (nx_enabled && cpu_has_nx)
22854 printk(KERN_INFO "NX (Execute Disable) protection: active\n");
22855
22856 /* Enable PSE if available */
22857 @@ -329,10 +325,27 @@ unsigned long __init_refok init_memory_m
22858 * Access has to be given to non-kernel-ram areas as well, these contain the PCI
22859 * mmio resources as well as potential bios/acpi data regions.
22860 */
22861 +
22862 int devmem_is_allowed(unsigned long pagenr)
22863 {
22864 +#ifdef CONFIG_GRKERNSEC_KMEM
22865 + /* allow BDA */
22866 + if (!pagenr)
22867 + return 1;
22868 + /* allow EBDA */
22869 + if ((0x9f000 >> PAGE_SHIFT) == pagenr)
22870 + return 1;
22871 + /* allow ISA/video mem */
22872 + if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
22873 + return 1;
22874 + /* throw out everything else below 1MB */
22875 + if (pagenr <= 256)
22876 + return 0;
22877 +#else
22878 if (pagenr <= 256)
22879 return 1;
22880 +#endif
22881 +
22882 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
22883 return 0;
22884 if (!page_is_ram(pagenr))
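Review bot: In the CONFIG_GRKERNSEC_KMEM branch the comment says "throw out everything else below 1MB", but `pagenr <= 256` also rejects page 256, which is the first page at 1 MiB rather than below it. Either the comment or the comparison should change, e.g. `if (pagenr < 256)` if only the low megabyte is meant (page 256 would then be judged by the checks that follow). The EBDA exception is pinned to the single page at `0x9f000`, so on firmware that places the EBDA elsewhere or makes it larger, access fails closed. A comment stating that assumption would help. The function continues past the end of the hunk.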
22885 @@ -379,6 +392,86 @@ void free_init_pages(char *what, unsigne
22886
22887 void free_initmem(void)
22888 {
22889 +
22890 +#ifdef CONFIG_PAX_KERNEXEC
22891 +#ifdef CONFIG_X86_32
22892 + /* PaX: limit KERNEL_CS to actual size */
22893 + unsigned long addr, limit;
22894 + struct desc_struct d;
22895 + int cpu;
22896 +
22897 + limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
22898 + limit = (limit - 1UL) >> PAGE_SHIFT;
22899 +
22900 + memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
22901 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
22902 + pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
22903 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
22904 + }
22905 +
22906 + /* PaX: make KERNEL_CS read-only */
22907 + addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
22908 + if (!paravirt_enabled())
22909 + set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
22910 +/*
22911 + for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
22912 + pgd = pgd_offset_k(addr);
22913 + pud = pud_offset(pgd, addr);
22914 + pmd = pmd_offset(pud, addr);
22915 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
22916 + }
22917 +*/
22918 +#ifdef CONFIG_X86_PAE
22919 + set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
22920 +/*
22921 + for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
22922 + pgd = pgd_offset_k(addr);
22923 + pud = pud_offset(pgd, addr);
22924 + pmd = pmd_offset(pud, addr);
22925 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
22926 + }
22927 +*/
22928 +#endif
22929 +
22930 +#ifdef CONFIG_MODULES
22931 + set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
22932 +#endif
22933 +
22934 +#else
22935 + pgd_t *pgd;
22936 + pud_t *pud;
22937 + pmd_t *pmd;
22938 + unsigned long addr, end;
22939 +
22940 + /* PaX: make kernel code/rodata read-only, rest non-executable */
22941 + for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
22942 + pgd = pgd_offset_k(addr);
22943 + pud = pud_offset(pgd, addr);
22944 + pmd = pmd_offset(pud, addr);
22945 + if (!pmd_present(*pmd))
22946 + continue;
22947 + if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
22948 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
22949 + else
22950 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
22951 + }
22952 +
22953 + addr = (unsigned long)__va(__pa(__START_KERNEL_map));
22954 + end = addr + KERNEL_IMAGE_SIZE;
22955 + for (; addr < end; addr += PMD_SIZE) {
22956 + pgd = pgd_offset_k(addr);
22957 + pud = pud_offset(pgd, addr);
22958 + pmd = pmd_offset(pud, addr);
22959 + if (!pmd_present(*pmd))
22960 + continue;
22961 + if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
22962 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
22963 + }
22964 +#endif
22965 +
22966 + flush_tlb_all();
22967 +#endif
22968 +
22969 free_init_pages("unused kernel memory",
22970 (unsigned long)(&__init_begin),
22971 (unsigned long)(&__init_end));
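Review bot: In the 32-bit KERNEXEC branch, `memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);` passes what looks like an integer expression as the destination pointer. An explicit `(void *)(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET)` and a comment naming the page being poisoned would make the intent checkable. The two `/* for (addr = ...) { ... } */` loops left commented out after the `set_memory_ro()` and `set_memory_nx()` calls should be deleted rather than kept, since they read like an alternative implementation that might be live. free_initmem() continues outside the hunk.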
22972 diff -urNp linux-2.6.32.46/arch/x86/mm/iomap_32.c linux-2.6.32.46/arch/x86/mm/iomap_32.c
22973 --- linux-2.6.32.46/arch/x86/mm/iomap_32.c 2011-03-27 14:31:47.000000000 -0400
22974 +++ linux-2.6.32.46/arch/x86/mm/iomap_32.c 2011-04-17 15:56:46.000000000 -0400
22975 @@ -65,7 +65,11 @@ void *kmap_atomic_prot_pfn(unsigned long
22976 debug_kmap_atomic(type);
22977 idx = type + KM_TYPE_NR * smp_processor_id();
22978 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
22979 +
22980 + pax_open_kernel();
22981 set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
22982 + pax_close_kernel();
22983 +
22984 arch_flush_lazy_mmu_mode();
22985
22986 return (void *)vaddr;
22987 diff -urNp linux-2.6.32.46/arch/x86/mm/ioremap.c linux-2.6.32.46/arch/x86/mm/ioremap.c
22988 --- linux-2.6.32.46/arch/x86/mm/ioremap.c 2011-03-27 14:31:47.000000000 -0400
22989 +++ linux-2.6.32.46/arch/x86/mm/ioremap.c 2011-04-17 15:56:46.000000000 -0400
22990 @@ -41,8 +41,8 @@ int page_is_ram(unsigned long pagenr)
22991 * Second special case: Some BIOSen report the PC BIOS
22992 * area (640->1Mb) as ram even though it is not.
22993 */
22994 - if (pagenr >= (BIOS_BEGIN >> PAGE_SHIFT) &&
22995 - pagenr < (BIOS_END >> PAGE_SHIFT))
22996 + if (pagenr >= (ISA_START_ADDRESS >> PAGE_SHIFT) &&
22997 + pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
22998 return 0;
22999
23000 for (i = 0; i < e820.nr_map; i++) {
23001 @@ -137,13 +137,10 @@ static void __iomem *__ioremap_caller(re
23002 /*
23003 * Don't allow anybody to remap normal RAM that we're using..
23004 */
23005 - for (pfn = phys_addr >> PAGE_SHIFT;
23006 - (pfn << PAGE_SHIFT) < (last_addr & PAGE_MASK);
23007 - pfn++) {
23008 -
23009 + for (pfn = phys_addr >> PAGE_SHIFT; ((resource_size_t)pfn << PAGE_SHIFT) < (last_addr & PAGE_MASK); pfn++) {
23010 int is_ram = page_is_ram(pfn);
23011
23012 - if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
23013 + if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
23014 return NULL;
23015 WARN_ON_ONCE(is_ram);
23016 }
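Review bot: The new condition `pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))` refuses every valid RAM page at or above pfn 0x100, reserved or not, but the comment above the loop still only says "Don't allow anybody to remap normal RAM that we're using". The comment should state the new rule, for example `/* Refuse RAM: any valid RAM page at or above 1 MiB, and non-reserved RAM pages below it. */`. Writing the bound as `0x100000 >> PAGE_SHIFT` would tie it visibly to the 1 MiB boundary. Callers that previously remapped reserved RAM above 1 MiB now get NULL, which is worth confirming as intended. The function body starts and ends outside the hunk.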
23017 @@ -407,7 +404,7 @@ static int __init early_ioremap_debug_se
23018 early_param("early_ioremap_debug", early_ioremap_debug_setup);
23019
23020 static __initdata int after_paging_init;
23021 -static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
23022 +static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
23023
23024 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
23025 {
23026 @@ -439,8 +436,7 @@ void __init early_ioremap_init(void)
23027 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
23028
23029 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
23030 - memset(bm_pte, 0, sizeof(bm_pte));
23031 - pmd_populate_kernel(&init_mm, pmd, bm_pte);
23032 + pmd_populate_user(&init_mm, pmd, bm_pte);
23033
23034 /*
23035 * The boot-ioremap range spans multiple pmds, for which
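Review bot: Dropping `memset(bm_pte, 0, sizeof(bm_pte));` makes early_ioremap_init() depend on `bm_pte` already being zero when it runs. After the move from `__page_aligned_bss` to `__read_only` in the previous hunk, that rests on static zero-initialisation of the new section. That assumption deserves a comment at this call, e.g. `/* bm_pte is statically zeroed; it is not cleared here */`. The switch from `pmd_populate_kernel()` to `pmd_populate_user()` for a kernel fixmap table should be explained too, since the definition of `pmd_populate_user()` is not visible here and the bits it sets on the pmd should be checked against the intent.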
23036 diff -urNp linux-2.6.32.46/arch/x86/mm/kmemcheck/kmemcheck.c linux-2.6.32.46/arch/x86/mm/kmemcheck/kmemcheck.c
23037 --- linux-2.6.32.46/arch/x86/mm/kmemcheck/kmemcheck.c 2011-03-27 14:31:47.000000000 -0400
23038 +++ linux-2.6.32.46/arch/x86/mm/kmemcheck/kmemcheck.c 2011-04-17 15:56:46.000000000 -0400
23039 @@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *reg
23040 * memory (e.g. tracked pages)? For now, we need this to avoid
23041 * invoking kmemcheck for PnP BIOS calls.
23042 */
23043 - if (regs->flags & X86_VM_MASK)
23044 + if (v8086_mode(regs))
23045 return false;
23046 - if (regs->cs != __KERNEL_CS)
23047 + if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
23048 return false;
23049
23050 pte = kmemcheck_pte_lookup(address);
23051 diff -urNp linux-2.6.32.46/arch/x86/mm/mmap.c linux-2.6.32.46/arch/x86/mm/mmap.c
23052 --- linux-2.6.32.46/arch/x86/mm/mmap.c 2011-03-27 14:31:47.000000000 -0400
23053 +++ linux-2.6.32.46/arch/x86/mm/mmap.c 2011-04-17 15:56:46.000000000 -0400
23054 @@ -49,7 +49,7 @@ static unsigned int stack_maxrandom_size
23055 * Leave an at least ~128 MB hole with possible stack randomization.
23056 */
23057 #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
23058 -#define MAX_GAP (TASK_SIZE/6*5)
23059 +#define MAX_GAP (pax_task_size/6*5)
23060
23061 /*
23062 * True on X86_32 or when emulating IA32 on X86_64
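Review bot: `MAX_GAP` now expands to an expression that uses `pax_task_size`, a name that exists only as a local variable in mmap_base() (next hunk). The macro therefore silently captures caller scope, and any other use either fails to compile or picks up an unrelated variable. Passing the value explicitly is clearer: `#define MAX_GAP(task_size) ((task_size)/6*5)` with `else if (gap > MAX_GAP(pax_task_size))` at the use site.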
23063 @@ -94,27 +94,40 @@ static unsigned long mmap_rnd(void)
23064 return rnd << PAGE_SHIFT;
23065 }
23066
23067 -static unsigned long mmap_base(void)
23068 +static unsigned long mmap_base(struct mm_struct *mm)
23069 {
23070 unsigned long gap = current->signal->rlim[RLIMIT_STACK].rlim_cur;
23071 + unsigned long pax_task_size = TASK_SIZE;
23072 +
23073 +#ifdef CONFIG_PAX_SEGMEXEC
23074 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
23075 + pax_task_size = SEGMEXEC_TASK_SIZE;
23076 +#endif
23077
23078 if (gap < MIN_GAP)
23079 gap = MIN_GAP;
23080 else if (gap > MAX_GAP)
23081 gap = MAX_GAP;
23082
23083 - return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
23084 + return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
23085 }
23086
23087 /*
23088 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
23089 * does, but not when emulating X86_32
23090 */
23091 -static unsigned long mmap_legacy_base(void)
23092 +static unsigned long mmap_legacy_base(struct mm_struct *mm)
23093 {
23094 - if (mmap_is_ia32())
23095 + if (mmap_is_ia32()) {
23096 +
23097 +#ifdef CONFIG_PAX_SEGMEXEC
23098 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
23099 + return SEGMEXEC_TASK_UNMAPPED_BASE;
23100 + else
23101 +#endif
23102 +
23103 return TASK_UNMAPPED_BASE;
23104 - else
23105 + } else
23106 return TASK_UNMAPPED_BASE + mmap_rnd();
23107 }
23108
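Review bot: In mmap_legacy_base() the `else` inside `#ifdef CONFIG_PAX_SEGMEXEC` binds to the `return TASK_UNMAPPED_BASE;` that follows the `#endif`, separated from it by a blank line. That is easy to break when either side is edited. Since the `if` branch already returns, the `else` line can simply be dropped with no change in behaviour. Separately, mmap_base() now takes `mm` but still reads the stack limit from `current->signal`, so a comment such as `/* mm is expected to be current->mm */` would make that mix explicit.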
23109 @@ -125,11 +138,23 @@ static unsigned long mmap_legacy_base(vo
23110 void arch_pick_mmap_layout(struct mm_struct *mm)
23111 {
23112 if (mmap_is_legacy()) {
23113 - mm->mmap_base = mmap_legacy_base();
23114 + mm->mmap_base = mmap_legacy_base(mm);
23115 +
23116 +#ifdef CONFIG_PAX_RANDMMAP
23117 + if (mm->pax_flags & MF_PAX_RANDMMAP)
23118 + mm->mmap_base += mm->delta_mmap;
23119 +#endif
23120 +
23121 mm->get_unmapped_area = arch_get_unmapped_area;
23122 mm->unmap_area = arch_unmap_area;
23123 } else {
23124 - mm->mmap_base = mmap_base();
23125 + mm->mmap_base = mmap_base(mm);
23126 +
23127 +#ifdef CONFIG_PAX_RANDMMAP
23128 + if (mm->pax_flags & MF_PAX_RANDMMAP)
23129 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
23130 +#endif
23131 +
23132 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
23133 mm->unmap_area = arch_unmap_area_topdown;
23134 }
23135 diff -urNp linux-2.6.32.46/arch/x86/mm/mmio-mod.c linux-2.6.32.46/arch/x86/mm/mmio-mod.c
23136 --- linux-2.6.32.46/arch/x86/mm/mmio-mod.c 2011-03-27 14:31:47.000000000 -0400
23137 +++ linux-2.6.32.46/arch/x86/mm/mmio-mod.c 2011-07-06 19:53:33.000000000 -0400
23138 @@ -193,7 +193,7 @@ static void pre(struct kmmio_probe *p, s
23139 break;
23140 default:
23141 {
23142 - unsigned char *ip = (unsigned char *)instptr;
23143 + unsigned char *ip = (unsigned char *)ktla_ktva(instptr);
23144 my_trace->opcode = MMIO_UNKNOWN_OP;
23145 my_trace->width = 0;
23146 my_trace->value = (*ip) << 16 | *(ip + 1) << 8 |
23147 @@ -233,7 +233,7 @@ static void post(struct kmmio_probe *p,
23148 static void ioremap_trace_core(resource_size_t offset, unsigned long size,
23149 void __iomem *addr)
23150 {
23151 - static atomic_t next_id;
23152 + static atomic_unchecked_t next_id;
23153 struct remap_trace *trace = kmalloc(sizeof(*trace), GFP_KERNEL);
23154 /* These are page-unaligned. */
23155 struct mmiotrace_map map = {
23156 @@ -257,7 +257,7 @@ static void ioremap_trace_core(resource_
23157 .private = trace
23158 },
23159 .phys = offset,
23160 - .id = atomic_inc_return(&next_id)
23161 + .id = atomic_inc_return_unchecked(&next_id)
23162 };
23163 map.map_id = trace->id;
23164
23165 diff -urNp linux-2.6.32.46/arch/x86/mm/numa_32.c linux-2.6.32.46/arch/x86/mm/numa_32.c
23166 --- linux-2.6.32.46/arch/x86/mm/numa_32.c 2011-03-27 14:31:47.000000000 -0400
23167 +++ linux-2.6.32.46/arch/x86/mm/numa_32.c 2011-04-17 15:56:46.000000000 -0400
23168 @@ -98,7 +98,6 @@ unsigned long node_memmap_size_bytes(int
23169 }
23170 #endif
23171
23172 -extern unsigned long find_max_low_pfn(void);
23173 extern unsigned long highend_pfn, highstart_pfn;
23174
23175 #define LARGE_PAGE_BYTES (PTRS_PER_PTE * PAGE_SIZE)
23176 diff -urNp linux-2.6.32.46/arch/x86/mm/pageattr.c linux-2.6.32.46/arch/x86/mm/pageattr.c
23177 --- linux-2.6.32.46/arch/x86/mm/pageattr.c 2011-03-27 14:31:47.000000000 -0400
23178 +++ linux-2.6.32.46/arch/x86/mm/pageattr.c 2011-04-17 15:56:46.000000000 -0400
23179 @@ -261,16 +261,17 @@ static inline pgprot_t static_protection
23180 * PCI BIOS based config access (CONFIG_PCI_GOBIOS) support.
23181 */
23182 if (within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
23183 - pgprot_val(forbidden) |= _PAGE_NX;
23184 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
23185
23186 /*
23187 * The kernel text needs to be executable for obvious reasons
23188 * Does not cover __inittext since that is gone later on. On
23189 * 64bit we do not enforce !NX on the low mapping
23190 */
23191 - if (within(address, (unsigned long)_text, (unsigned long)_etext))
23192 - pgprot_val(forbidden) |= _PAGE_NX;
23193 + if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
23194 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
23195
23196 +#ifdef CONFIG_DEBUG_RODATA
23197 /*
23198 * The .rodata section needs to be read-only. Using the pfn
23199 * catches all aliases.
23200 @@ -278,6 +279,14 @@ static inline pgprot_t static_protection
23201 if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
23202 __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
23203 pgprot_val(forbidden) |= _PAGE_RW;
23204 +#endif
23205 +
23206 +#ifdef CONFIG_PAX_KERNEXEC
23207 + if (within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))) {
23208 + pgprot_val(forbidden) |= _PAGE_RW;
23209 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
23210 + }
23211 +#endif
23212
23213 prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
23214
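Review bot: The CONFIG_PAX_KERNEXEC check compares `pfn` with `__pa((unsigned long)&_text)` and `__pa((unsigned long)&_sdata)`, which are byte addresses, while the .rodata check directly above shifts both of its bounds by PAGE_SHIFT. As written the range is off by a factor of the page size, so the frames of the kernel image would not match. `_PAGE_RW` would then not be forbidden for aliases of those pages. The line should read `if (within(pfn, __pa((unsigned long)&_text) >> PAGE_SHIFT, __pa((unsigned long)&_sdata) >> PAGE_SHIFT)) {`. static_protections() starts and ends outside the hunk.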
23215 @@ -331,23 +340,37 @@ EXPORT_SYMBOL_GPL(lookup_address);
23216 static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
23217 {
23218 /* change init_mm */
23219 + pax_open_kernel();
23220 set_pte_atomic(kpte, pte);
23221 +
23222 #ifdef CONFIG_X86_32
23223 if (!SHARED_KERNEL_PMD) {
23224 +
23225 +#ifdef CONFIG_PAX_PER_CPU_PGD
23226 + unsigned long cpu;
23227 +#else
23228 struct page *page;
23229 +#endif
23230
23231 +#ifdef CONFIG_PAX_PER_CPU_PGD
23232 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
23233 + pgd_t *pgd = get_cpu_pgd(cpu);
23234 +#else
23235 list_for_each_entry(page, &pgd_list, lru) {
23236 - pgd_t *pgd;
23237 + pgd_t *pgd = (pgd_t *)page_address(page);
23238 +#endif
23239 +
23240 pud_t *pud;
23241 pmd_t *pmd;
23242
23243 - pgd = (pgd_t *)page_address(page) + pgd_index(address);
23244 + pgd += pgd_index(address);
23245 pud = pud_offset(pgd, address);
23246 pmd = pmd_offset(pud, address);
23247 set_pte_atomic((pte_t *)pmd, pte);
23248 }
23249 }
23250 #endif
23251 + pax_close_kernel();
23252 }
23253
23254 static int
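Review bot: The loop in __set_pmd_pte() is now opened by either `for (cpu = 0; cpu < NR_CPUS; ++cpu) {` or `list_for_each_entry(page, &pgd_list, lru) {` under two back-to-back `#ifdef CONFIG_PAX_PER_CPU_PGD` blocks that share one closing brace. That is hard to read and easy to unbalance. Merging the declaration and the loop header into a single `#ifdef`/`#else` pair would keep the brace matching in one place. A comment at `pax_open_kernel()` noting that the open/close pair spans the whole pgd walk, not just the first `set_pte_atomic()`, would help reviewers judge the extent of the bracketed region.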
23255 diff -urNp linux-2.6.32.46/arch/x86/mm/pageattr-test.c linux-2.6.32.46/arch/x86/mm/pageattr-test.c
23256 --- linux-2.6.32.46/arch/x86/mm/pageattr-test.c 2011-03-27 14:31:47.000000000 -0400
23257 +++ linux-2.6.32.46/arch/x86/mm/pageattr-test.c 2011-04-17 15:56:46.000000000 -0400
23258 @@ -36,7 +36,7 @@ enum {
23259
23260 static int pte_testbit(pte_t pte)
23261 {
23262 - return pte_flags(pte) & _PAGE_UNUSED1;
23263 + return pte_flags(pte) & _PAGE_CPA_TEST;
23264 }
23265
23266 struct split_state {
23267 diff -urNp linux-2.6.32.46/arch/x86/mm/pat.c linux-2.6.32.46/arch/x86/mm/pat.c
23268 --- linux-2.6.32.46/arch/x86/mm/pat.c 2011-03-27 14:31:47.000000000 -0400
23269 +++ linux-2.6.32.46/arch/x86/mm/pat.c 2011-04-17 15:56:46.000000000 -0400
23270 @@ -258,7 +258,7 @@ chk_conflict(struct memtype *new, struct
23271
23272 conflict:
23273 printk(KERN_INFO "%s:%d conflicting memory types "
23274 - "%Lx-%Lx %s<->%s\n", current->comm, current->pid, new->start,
23275 + "%Lx-%Lx %s<->%s\n", current->comm, task_pid_nr(current), new->start,
23276 new->end, cattr_name(new->type), cattr_name(entry->type));
23277 return -EBUSY;
23278 }
23279 @@ -559,7 +559,7 @@ unlock_ret:
23280
23281 if (err) {
23282 printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n",
23283 - current->comm, current->pid, start, end);
23284 + current->comm, task_pid_nr(current), start, end);
23285 }
23286
23287 dprintk("free_memtype request 0x%Lx-0x%Lx\n", start, end);
23288 @@ -689,8 +689,8 @@ static inline int range_is_allowed(unsig
23289 while (cursor < to) {
23290 if (!devmem_is_allowed(pfn)) {
23291 printk(KERN_INFO
23292 - "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
23293 - current->comm, from, to);
23294 + "Program %s tried to access /dev/mem between %Lx->%Lx (%Lx).\n",
23295 + current->comm, from, to, cursor);
23296 return 0;
23297 }
23298 cursor += PAGE_SIZE;
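Review bot: The value added to the /dev/mem denial message in range_is_allowed() is printed as a bare `(%Lx)`, so a reader of the log cannot tell that it is the address at which devmem_is_allowed() refused the access. Labelling it, for example `"Program %s tried to access /dev/mem between %Lx->%Lx (denied at %Lx).\n"`, makes the record self-explanatory. This message also carries only current->comm, while the other printk calls touched in this file print task_pid_nr(current) as well; adding the pid here would make a denial easier to attribute. The function starts and ends outside the hunk.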
23299 @@ -755,7 +755,7 @@ int kernel_map_sync_memtype(u64 base, un
23300 printk(KERN_INFO
23301 "%s:%d ioremap_change_attr failed %s "
23302 "for %Lx-%Lx\n",
23303 - current->comm, current->pid,
23304 + current->comm, task_pid_nr(current),
23305 cattr_name(flags),
23306 base, (unsigned long long)(base + size));
23307 return -EINVAL;
23308 @@ -813,7 +813,7 @@ static int reserve_pfn_range(u64 paddr,
23309 free_memtype(paddr, paddr + size);
23310 printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
23311 " for %Lx-%Lx, got %s\n",
23312 - current->comm, current->pid,
23313 + current->comm, task_pid_nr(current),
23314 cattr_name(want_flags),
23315 (unsigned long long)paddr,
23316 (unsigned long long)(paddr + size),
23317 diff -urNp linux-2.6.32.46/arch/x86/mm/pf_in.c linux-2.6.32.46/arch/x86/mm/pf_in.c
23318 --- linux-2.6.32.46/arch/x86/mm/pf_in.c 2011-03-27 14:31:47.000000000 -0400
23319 +++ linux-2.6.32.46/arch/x86/mm/pf_in.c 2011-07-06 19:53:33.000000000 -0400
23320 @@ -148,7 +148,7 @@ enum reason_type get_ins_type(unsigned l
23321 int i;
23322 enum reason_type rv = OTHERS;
23323
23324 - p = (unsigned char *)ins_addr;
23325 + p = (unsigned char *)ktla_ktva(ins_addr);
23326 p += skip_prefix(p, &prf);
23327 p += get_opcode(p, &opcode);
23328
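Review bot: The `ktla_ktva()` conversion added in get_ins_type() is repeated verbatim in get_ins_reg_width(), get_ins_mem_width(), get_ins_reg_val() and get_ins_imm_val() (the four hunks that follow), and none of the five sites says why the instruction address has to be translated before its bytes are read. A small static helper returning the translated `unsigned char *` would keep the five decoders in step, and it is the natural place for a comment explaining the translation. The definition of ktla_ktva() is not in this part of the patch, so the wording of that comment should be checked against it. All five functions begin and end outside their hunks.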
23329 @@ -168,7 +168,7 @@ static unsigned int get_ins_reg_width(un
23330 struct prefix_bits prf;
23331 int i;
23332
23333 - p = (unsigned char *)ins_addr;
23334 + p = (unsigned char *)ktla_ktva(ins_addr);
23335 p += skip_prefix(p, &prf);
23336 p += get_opcode(p, &opcode);
23337
23338 @@ -191,7 +191,7 @@ unsigned int get_ins_mem_width(unsigned
23339 struct prefix_bits prf;
23340 int i;
23341
23342 - p = (unsigned char *)ins_addr;
23343 + p = (unsigned char *)ktla_ktva(ins_addr);
23344 p += skip_prefix(p, &prf);
23345 p += get_opcode(p, &opcode);
23346
23347 @@ -417,7 +417,7 @@ unsigned long get_ins_reg_val(unsigned l
23348 int i;
23349 unsigned long rv;
23350
23351 - p = (unsigned char *)ins_addr;
23352 + p = (unsigned char *)ktla_ktva(ins_addr);
23353 p += skip_prefix(p, &prf);
23354 p += get_opcode(p, &opcode);
23355 for (i = 0; i < ARRAY_SIZE(reg_rop); i++)
23356 @@ -472,7 +472,7 @@ unsigned long get_ins_imm_val(unsigned l
23357 int i;
23358 unsigned long rv;
23359
23360 - p = (unsigned char *)ins_addr;
23361 + p = (unsigned char *)ktla_ktva(ins_addr);
23362 p += skip_prefix(p, &prf);
23363 p += get_opcode(p, &opcode);
23364 for (i = 0; i < ARRAY_SIZE(imm_wop); i++)
23365 diff -urNp linux-2.6.32.46/arch/x86/mm/pgtable_32.c linux-2.6.32.46/arch/x86/mm/pgtable_32.c
23366 --- linux-2.6.32.46/arch/x86/mm/pgtable_32.c 2011-03-27 14:31:47.000000000 -0400
23367 +++ linux-2.6.32.46/arch/x86/mm/pgtable_32.c 2011-04-17 15:56:46.000000000 -0400
23368 @@ -49,10 +49,13 @@ void set_pte_vaddr(unsigned long vaddr,
23369 return;
23370 }
23371 pte = pte_offset_kernel(pmd, vaddr);
23372 +
23373 + pax_open_kernel();
23374 if (pte_val(pteval))
23375 set_pte_at(&init_mm, vaddr, pte, pteval);
23376 else
23377 pte_clear(&init_mm, vaddr, pte);
23378 + pax_close_kernel();
23379
23380 /*
23381 * It's enough to flush this one mapping.
23382 diff -urNp linux-2.6.32.46/arch/x86/mm/pgtable.c linux-2.6.32.46/arch/x86/mm/pgtable.c
23383 --- linux-2.6.32.46/arch/x86/mm/pgtable.c 2011-03-27 14:31:47.000000000 -0400
23384 +++ linux-2.6.32.46/arch/x86/mm/pgtable.c 2011-05-11 18:25:15.000000000 -0400
23385 @@ -83,9 +83,52 @@ static inline void pgd_list_del(pgd_t *p
23386 list_del(&page->lru);
23387 }
23388
23389 -#define UNSHARED_PTRS_PER_PGD \
23390 - (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
23391 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
23392 +pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
23393
23394 +void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count)
23395 +{
23396 + while (count--)
23397 + *dst++ = __pgd((pgd_val(*src++) | (_PAGE_NX & __supported_pte_mask)) & ~_PAGE_USER);
23398 +}
23399 +#endif
23400 +
23401 +#ifdef CONFIG_PAX_PER_CPU_PGD
23402 +void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count)
23403 +{
23404 + while (count--)
23405 +
23406 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
23407 + *dst++ = __pgd(pgd_val(*src++) & clone_pgd_mask);
23408 +#else
23409 + *dst++ = *src++;
23410 +#endif
23411 +
23412 +}
23413 +#endif
23414 +
23415 +#ifdef CONFIG_X86_64
23416 +#define pxd_t pud_t
23417 +#define pyd_t pgd_t
23418 +#define paravirt_release_pxd(pfn) paravirt_release_pud(pfn)
23419 +#define pxd_free(mm, pud) pud_free((mm), (pud))
23420 +#define pyd_populate(mm, pgd, pud) pgd_populate((mm), (pgd), (pud))
23421 +#define pyd_offset(mm ,address) pgd_offset((mm), (address))
23422 +#define PYD_SIZE PGDIR_SIZE
23423 +#else
23424 +#define pxd_t pmd_t
23425 +#define pyd_t pud_t
23426 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
23427 +#define pxd_free(mm, pud) pmd_free((mm), (pud))
23428 +#define pyd_populate(mm, pgd, pud) pud_populate((mm), (pgd), (pud))
23429 +#define pyd_offset(mm ,address) pud_offset((mm), (address))
23430 +#define PYD_SIZE PUD_SIZE
23431 +#endif
23432 +
23433 +#ifdef CONFIG_PAX_PER_CPU_PGD
23434 +static inline void pgd_ctor(pgd_t *pgd) {}
23435 +static inline void pgd_dtor(pgd_t *pgd) {}
23436 +#else
23437 static void pgd_ctor(pgd_t *pgd)
23438 {
23439 /* If the pgd points to a shared pagetable level (either the
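Review bot: In `__clone_user_pgds()` the `while (count--)` has no braces and its only statement sits inside an `#if`/`#else`, separated from the loop header by a blank line, so the loop body depends on exactly one statement surviving preprocessing in every configuration. Bracing the loop here and in `__shadow_user_pgds()` removes that fragility. `count` is also a signed `int` in both helpers, and a negative value would make `count--` walk far past the end of `dst`; `unsigned int count` or an early `if (count <= 0) return;` closes that off. The callers are outside this hunk, so whether a negative count can actually reach these helpers cannot be confirmed here.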
23440 @@ -119,6 +162,7 @@ static void pgd_dtor(pgd_t *pgd)
23441 pgd_list_del(pgd);
23442 spin_unlock_irqrestore(&pgd_lock, flags);
23443 }
23444 +#endif
23445
23446 /*
23447 * List of all pgd's needed for non-PAE so it can invalidate entries
23448 @@ -131,7 +175,7 @@ static void pgd_dtor(pgd_t *pgd)
23449 * -- wli
23450 */
23451
23452 -#ifdef CONFIG_X86_PAE
23453 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
23454 /*
23455 * In PAE mode, we need to do a cr3 reload (=tlb flush) when
23456 * updating the top-level pagetable entries to guarantee the
23457 @@ -143,7 +187,7 @@ static void pgd_dtor(pgd_t *pgd)
23458 * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
23459 * and initialize the kernel pmds here.
23460 */
23461 -#define PREALLOCATED_PMDS UNSHARED_PTRS_PER_PGD
23462 +#define PREALLOCATED_PXDS (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
23463
23464 void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
23465 {
23466 @@ -161,36 +205,38 @@ void pud_populate(struct mm_struct *mm,
23467 */
23468 flush_tlb_mm(mm);
23469 }
23470 +#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)
23471 +#define PREALLOCATED_PXDS USER_PGD_PTRS
23472 #else /* !CONFIG_X86_PAE */
23473
23474 /* No need to prepopulate any pagetable entries in non-PAE modes. */
23475 -#define PREALLOCATED_PMDS 0
23476 +#define PREALLOCATED_PXDS 0
23477
23478 #endif /* CONFIG_X86_PAE */
23479
23480 -static void free_pmds(pmd_t *pmds[])
23481 +static void free_pxds(pxd_t *pxds[])
23482 {
23483 int i;
23484
23485 - for(i = 0; i < PREALLOCATED_PMDS; i++)
23486 - if (pmds[i])
23487 - free_page((unsigned long)pmds[i]);
23488 + for(i = 0; i < PREALLOCATED_PXDS; i++)
23489 + if (pxds[i])
23490 + free_page((unsigned long)pxds[i]);
23491 }
23492
23493 -static int preallocate_pmds(pmd_t *pmds[])
23494 +static int preallocate_pxds(pxd_t *pxds[])
23495 {
23496 int i;
23497 bool failed = false;
23498
23499 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
23500 - pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP);
23501 - if (pmd == NULL)
23502 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
23503 + pxd_t *pxd = (pxd_t *)__get_free_page(PGALLOC_GFP);
23504 + if (pxd == NULL)
23505 failed = true;
23506 - pmds[i] = pmd;
23507 + pxds[i] = pxd;
23508 }
23509
23510 if (failed) {
23511 - free_pmds(pmds);
23512 + free_pxds(pxds);
23513 return -ENOMEM;
23514 }
23515
23516 @@ -203,51 +249,56 @@ static int preallocate_pmds(pmd_t *pmds[
23517 * preallocate which never got a corresponding vma will need to be
23518 * freed manually.
23519 */
23520 -static void pgd_mop_up_pmds(struct mm_struct *mm, pgd_t *pgdp)
23521 +static void pgd_mop_up_pxds(struct mm_struct *mm, pgd_t *pgdp)
23522 {
23523 int i;
23524
23525 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
23526 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
23527 pgd_t pgd = pgdp[i];
23528
23529 if (pgd_val(pgd) != 0) {
23530 - pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd);
23531 + pxd_t *pxd = (pxd_t *)pgd_page_vaddr(pgd);
23532
23533 - pgdp[i] = native_make_pgd(0);
23534 + set_pgd(pgdp + i, native_make_pgd(0));
23535
23536 - paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT);
23537 - pmd_free(mm, pmd);
23538 + paravirt_release_pxd(pgd_val(pgd) >> PAGE_SHIFT);
23539 + pxd_free(mm, pxd);
23540 }
23541 }
23542 }
23543
23544 -static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[])
23545 +static void pgd_prepopulate_pxd(struct mm_struct *mm, pgd_t *pgd, pxd_t *pxds[])
23546 {
23547 - pud_t *pud;
23548 + pyd_t *pyd;
23549 unsigned long addr;
23550 int i;
23551
23552 - if (PREALLOCATED_PMDS == 0) /* Work around gcc-3.4.x bug */
23553 + if (PREALLOCATED_PXDS == 0) /* Work around gcc-3.4.x bug */
23554 return;
23555
23556 - pud = pud_offset(pgd, 0);
23557 +#ifdef CONFIG_X86_64
23558 + pyd = pyd_offset(mm, 0L);
23559 +#else
23560 + pyd = pyd_offset(pgd, 0L);
23561 +#endif
23562
23563 - for (addr = i = 0; i < PREALLOCATED_PMDS;
23564 - i++, pud++, addr += PUD_SIZE) {
23565 - pmd_t *pmd = pmds[i];
23566 + for (addr = i = 0; i < PREALLOCATED_PXDS;
23567 + i++, pyd++, addr += PYD_SIZE) {
23568 + pxd_t *pxd = pxds[i];
23569
23570 if (i >= KERNEL_PGD_BOUNDARY)
23571 - memcpy(pmd, (pmd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
23572 - sizeof(pmd_t) * PTRS_PER_PMD);
23573 + memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
23574 + sizeof(pxd_t) * PTRS_PER_PMD);
23575
23576 - pud_populate(mm, pud, pmd);
23577 + pyd_populate(mm, pyd, pxd);
23578 }
23579 }
23580
23581 pgd_t *pgd_alloc(struct mm_struct *mm)
23582 {
23583 pgd_t *pgd;
23584 - pmd_t *pmds[PREALLOCATED_PMDS];
23585 + pxd_t *pxds[PREALLOCATED_PXDS];
23586 +
23587 unsigned long flags;
23588
23589 pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
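Review bot: On CONFIG_X86_64 `pgd_prepopulate_pxd()` now derives `pyd` from `mm` (`pyd_offset(mm, 0L)`) and never uses its `pgd` argument, so it is only correct when `mm->pgd` already equals the `pgd` being populated. pgd_alloc() does assign `mm->pgd = pgd` before the call in the following hunk, but that ordering dependency deserves a comment such as `/* x86_64: relies on mm->pgd == pgd, set by pgd_alloc() */`. The memcpy in the same loop still sizes the copy as `sizeof(pxd_t) * PTRS_PER_PMD`; now that `pxd_t` can be `pud_t`, a `PTRS_PER_PXD` macro defined next to `PYD_SIZE` would keep the element count tied to the type. pgd_alloc() continues outside this hunk.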
23590 @@ -257,11 +308,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
23591
23592 mm->pgd = pgd;
23593
23594 - if (preallocate_pmds(pmds) != 0)
23595 + if (preallocate_pxds(pxds) != 0)
23596 goto out_free_pgd;
23597
23598 if (paravirt_pgd_alloc(mm) != 0)
23599 - goto out_free_pmds;
23600 + goto out_free_pxds;
23601
23602 /*
23603 * Make sure that pre-populating the pmds is atomic with
23604 @@ -271,14 +322,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
23605 spin_lock_irqsave(&pgd_lock, flags);
23606
23607 pgd_ctor(pgd);
23608 - pgd_prepopulate_pmd(mm, pgd, pmds);
23609 + pgd_prepopulate_pxd(mm, pgd, pxds);
23610
23611 spin_unlock_irqrestore(&pgd_lock, flags);
23612
23613 return pgd;
23614
23615 -out_free_pmds:
23616 - free_pmds(pmds);
23617 +out_free_pxds:
23618 + free_pxds(pxds);
23619 out_free_pgd:
23620 free_page((unsigned long)pgd);
23621 out:
23622 @@ -287,7 +338,7 @@ out:
23623
23624 void pgd_free(struct mm_struct *mm, pgd_t *pgd)
23625 {
23626 - pgd_mop_up_pmds(mm, pgd);
23627 + pgd_mop_up_pxds(mm, pgd);
23628 pgd_dtor(pgd);
23629 paravirt_pgd_free(mm, pgd);
23630 free_page((unsigned long)pgd);
23631 diff -urNp linux-2.6.32.46/arch/x86/mm/setup_nx.c linux-2.6.32.46/arch/x86/mm/setup_nx.c
23632 --- linux-2.6.32.46/arch/x86/mm/setup_nx.c 2011-03-27 14:31:47.000000000 -0400
23633 +++ linux-2.6.32.46/arch/x86/mm/setup_nx.c 2011-04-17 15:56:46.000000000 -0400
23634 @@ -4,11 +4,10 @@
23635
23636 #include <asm/pgtable.h>
23637
23638 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
23639 int nx_enabled;
23640
23641 -#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
23642 -static int disable_nx __cpuinitdata;
23643 -
23644 +#ifndef CONFIG_PAX_PAGEEXEC
23645 /*
23646 * noexec = on|off
23647 *
23648 @@ -22,32 +21,26 @@ static int __init noexec_setup(char *str
23649 if (!str)
23650 return -EINVAL;
23651 if (!strncmp(str, "on", 2)) {
23652 - __supported_pte_mask |= _PAGE_NX;
23653 - disable_nx = 0;
23654 + nx_enabled = 1;
23655 } else if (!strncmp(str, "off", 3)) {
23656 - disable_nx = 1;
23657 - __supported_pte_mask &= ~_PAGE_NX;
23658 + nx_enabled = 0;
23659 }
23660 return 0;
23661 }
23662 early_param("noexec", noexec_setup);
23663 #endif
23664 +#endif
23665
23666 #ifdef CONFIG_X86_PAE
23667 void __init set_nx(void)
23668 {
23669 - unsigned int v[4], l, h;
23670 + if (!nx_enabled && cpu_has_nx) {
23671 + unsigned l, h;
23672
23673 - if (cpu_has_pae && (cpuid_eax(0x80000000) > 0x80000001)) {
23674 - cpuid(0x80000001, &v[0], &v[1], &v[2], &v[3]);
23675 -
23676 - if ((v[3] & (1 << 20)) && !disable_nx) {
23677 - rdmsr(MSR_EFER, l, h);
23678 - l |= EFER_NX;
23679 - wrmsr(MSR_EFER, l, h);
23680 - nx_enabled = 1;
23681 - __supported_pte_mask |= _PAGE_NX;
23682 - }
23683 + __supported_pte_mask &= ~_PAGE_NX;
23684 + rdmsr(MSR_EFER, l, h);
23685 + l &= ~EFER_NX;
23686 + wrmsr(MSR_EFER, l, h);
23687 }
23688 }
23689 #else
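Review bot: `set_nx()` now only ever clears NX: when `nx_enabled` is zero and the CPU has NX it removes `_PAGE_NX` from `__supported_pte_mask` and clears `EFER_NX`, and nothing left in this file sets either bit. `nx_enabled` is declared here as a plain `int nx_enabled;`, so unless code outside this file sets it to 1 before `set_nx()` runs, the default path turns NX off on a capable CPU. A comment at the definition stating where `nx_enabled` is initialised and where EFER.NX is first enabled would make that dependency checkable. The same applies to `check_efer()` in the next hunk, which reads `nx_enabled` in a configuration where this file no longer appears to define it.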
23690 @@ -62,7 +55,7 @@ void __cpuinit check_efer(void)
23691 unsigned long efer;
23692
23693 rdmsrl(MSR_EFER, efer);
23694 - if (!(efer & EFER_NX) || disable_nx)
23695 + if (!(efer & EFER_NX) || !nx_enabled)
23696 __supported_pte_mask &= ~_PAGE_NX;
23697 }
23698 #endif
23699 diff -urNp linux-2.6.32.46/arch/x86/mm/tlb.c linux-2.6.32.46/arch/x86/mm/tlb.c
23700 --- linux-2.6.32.46/arch/x86/mm/tlb.c 2011-03-27 14:31:47.000000000 -0400
23701 +++ linux-2.6.32.46/arch/x86/mm/tlb.c 2011-04-23 12:56:10.000000000 -0400
23702 @@ -61,7 +61,11 @@ void leave_mm(int cpu)
23703 BUG();
23704 cpumask_clear_cpu(cpu,
23705 mm_cpumask(percpu_read(cpu_tlbstate.active_mm)));
23706 +
23707 +#ifndef CONFIG_PAX_PER_CPU_PGD
23708 load_cr3(swapper_pg_dir);
23709 +#endif
23710 +
23711 }
23712 EXPORT_SYMBOL_GPL(leave_mm);
23713
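Review bot: With CONFIG_PAX_PER_CPU_PGD set, `leave_mm()` no longer reloads CR3 with `swapper_pg_dir`, and the hunk gives no reason why the CPU may keep running on its current page directory after being cleared from the mm's cpumask. Presumably the per-CPU PGD outlives the mm, but whether its user entries still reference the departing mm's lower-level tables is not visible here. A comment above the `#ifndef` stating the invariant that makes the reload unnecessary, and where stale user entries are cleared or flushed if they are, would let a reviewer verify it. leave_mm() begins outside the hunk.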
23714 diff -urNp linux-2.6.32.46/arch/x86/oprofile/backtrace.c linux-2.6.32.46/arch/x86/oprofile/backtrace.c
23715 --- linux-2.6.32.46/arch/x86/oprofile/backtrace.c 2011-03-27 14:31:47.000000000 -0400
23716 +++ linux-2.6.32.46/arch/x86/oprofile/backtrace.c 2011-04-17 15:56:46.000000000 -0400
23717 @@ -57,7 +57,7 @@ static struct frame_head *dump_user_back
23718 struct frame_head bufhead[2];
23719
23720 /* Also check accessibility of one struct frame_head beyond */
23721 - if (!access_ok(VERIFY_READ, head, sizeof(bufhead)))
23722 + if (!__access_ok(VERIFY_READ, head, sizeof(bufhead)))
23723 return NULL;
23724 if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead)))
23725 return NULL;
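Review bot: In `dump_user_backtrace()` the range check changes from `access_ok()` to `__access_ok()`, and in `x86_backtrace()` (next hunk) `user_mode_vm()` becomes `user_mode()`, with no comment on how the replacements differ from the originals. Both calls decide whether a pointer or a register frame is treated as coming from user space, so the difference matters to anyone auditing this profiling path. A one-line comment at each site saying what the replacement checks differently would record the intent; the definitions are outside this part of the patch. Both functions extend beyond their hunks.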
23726 @@ -77,7 +77,7 @@ x86_backtrace(struct pt_regs * const reg
23727 {
23728 struct frame_head *head = (struct frame_head *)frame_pointer(regs);
23729
23730 - if (!user_mode_vm(regs)) {
23731 + if (!user_mode(regs)) {
23732 unsigned long stack = kernel_stack_pointer(regs);
23733 if (depth)
23734 dump_trace(NULL, regs, (unsigned long *)stack, 0,
23735 diff -urNp linux-2.6.32.46/arch/x86/oprofile/op_model_p4.c linux-2.6.32.46/arch/x86/oprofile/op_model_p4.c
23736 --- linux-2.6.32.46/arch/x86/oprofile/op_model_p4.c 2011-03-27 14:31:47.000000000 -0400
23737 +++ linux-2.6.32.46/arch/x86/oprofile/op_model_p4.c 2011-04-17 15:56:46.000000000 -0400
23738 @@ -50,7 +50,7 @@ static inline void setup_num_counters(vo
23739 #endif
23740 }
23741
23742 -static int inline addr_increment(void)
23743 +static inline int addr_increment(void)
23744 {
23745 #ifdef CONFIG_SMP
23746 return smp_num_siblings == 2 ? 2 : 1;
23747 diff -urNp linux-2.6.32.46/arch/x86/pci/common.c linux-2.6.32.46/arch/x86/pci/common.c
23748 --- linux-2.6.32.46/arch/x86/pci/common.c 2011-03-27 14:31:47.000000000 -0400
23749 +++ linux-2.6.32.46/arch/x86/pci/common.c 2011-04-23 12:56:10.000000000 -0400
23750 @@ -31,8 +31,8 @@ int noioapicreroute = 1;
23751 int pcibios_last_bus = -1;
23752 unsigned long pirq_table_addr;
23753 struct pci_bus *pci_root_bus;
23754 -struct pci_raw_ops *raw_pci_ops;
23755 -struct pci_raw_ops *raw_pci_ext_ops;
23756 +const struct pci_raw_ops *raw_pci_ops;
23757 +const struct pci_raw_ops *raw_pci_ext_ops;
23758
23759 int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn,
23760 int reg, int len, u32 *val)
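Review bot: Making the pointed-to `struct pci_raw_ops` const protects the operation tables, but the two global pointers `raw_pci_ops` and `raw_pci_ext_ops` themselves stay writable, and they are presumably what raw_pci_read() and raw_pci_write() dispatch through. If they are only assigned during init, declaring them `const struct pci_raw_ops *raw_pci_ops __read_only;` (the annotation this patch already applies to `pci_indirect` and `bios32_indirect`) would cover the pointers as well. Whether any assignment happens after init is not visible in this hunk, so that needs checking first.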
23761 diff -urNp linux-2.6.32.46/arch/x86/pci/direct.c linux-2.6.32.46/arch/x86/pci/direct.c
23762 --- linux-2.6.32.46/arch/x86/pci/direct.c 2011-03-27 14:31:47.000000000 -0400
23763 +++ linux-2.6.32.46/arch/x86/pci/direct.c 2011-04-17 15:56:46.000000000 -0400
23764 @@ -79,7 +79,7 @@ static int pci_conf1_write(unsigned int
23765
23766 #undef PCI_CONF1_ADDRESS
23767
23768 -struct pci_raw_ops pci_direct_conf1 = {
23769 +const struct pci_raw_ops pci_direct_conf1 = {
23770 .read = pci_conf1_read,
23771 .write = pci_conf1_write,
23772 };
23773 @@ -173,7 +173,7 @@ static int pci_conf2_write(unsigned int
23774
23775 #undef PCI_CONF2_ADDRESS
23776
23777 -struct pci_raw_ops pci_direct_conf2 = {
23778 +const struct pci_raw_ops pci_direct_conf2 = {
23779 .read = pci_conf2_read,
23780 .write = pci_conf2_write,
23781 };
23782 @@ -189,7 +189,7 @@ struct pci_raw_ops pci_direct_conf2 = {
23783 * This should be close to trivial, but it isn't, because there are buggy
23784 * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID.
23785 */
23786 -static int __init pci_sanity_check(struct pci_raw_ops *o)
23787 +static int __init pci_sanity_check(const struct pci_raw_ops *o)
23788 {
23789 u32 x = 0;
23790 int year, devfn;
23791 diff -urNp linux-2.6.32.46/arch/x86/pci/mmconfig_32.c linux-2.6.32.46/arch/x86/pci/mmconfig_32.c
23792 --- linux-2.6.32.46/arch/x86/pci/mmconfig_32.c 2011-03-27 14:31:47.000000000 -0400
23793 +++ linux-2.6.32.46/arch/x86/pci/mmconfig_32.c 2011-04-17 15:56:46.000000000 -0400
23794 @@ -125,7 +125,7 @@ static int pci_mmcfg_write(unsigned int
23795 return 0;
23796 }
23797
23798 -static struct pci_raw_ops pci_mmcfg = {
23799 +static const struct pci_raw_ops pci_mmcfg = {
23800 .read = pci_mmcfg_read,
23801 .write = pci_mmcfg_write,
23802 };
23803 diff -urNp linux-2.6.32.46/arch/x86/pci/mmconfig_64.c linux-2.6.32.46/arch/x86/pci/mmconfig_64.c
23804 --- linux-2.6.32.46/arch/x86/pci/mmconfig_64.c 2011-03-27 14:31:47.000000000 -0400
23805 +++ linux-2.6.32.46/arch/x86/pci/mmconfig_64.c 2011-04-17 15:56:46.000000000 -0400
23806 @@ -104,7 +104,7 @@ static int pci_mmcfg_write(unsigned int
23807 return 0;
23808 }
23809
23810 -static struct pci_raw_ops pci_mmcfg = {
23811 +static const struct pci_raw_ops pci_mmcfg = {
23812 .read = pci_mmcfg_read,
23813 .write = pci_mmcfg_write,
23814 };
23815 diff -urNp linux-2.6.32.46/arch/x86/pci/numaq_32.c linux-2.6.32.46/arch/x86/pci/numaq_32.c
23816 --- linux-2.6.32.46/arch/x86/pci/numaq_32.c 2011-03-27 14:31:47.000000000 -0400
23817 +++ linux-2.6.32.46/arch/x86/pci/numaq_32.c 2011-04-17 15:56:46.000000000 -0400
23818 @@ -112,7 +112,7 @@ static int pci_conf1_mq_write(unsigned i
23819
23820 #undef PCI_CONF1_MQ_ADDRESS
23821
23822 -static struct pci_raw_ops pci_direct_conf1_mq = {
23823 +static const struct pci_raw_ops pci_direct_conf1_mq = {
23824 .read = pci_conf1_mq_read,
23825 .write = pci_conf1_mq_write
23826 };
23827 diff -urNp linux-2.6.32.46/arch/x86/pci/olpc.c linux-2.6.32.46/arch/x86/pci/olpc.c
23828 --- linux-2.6.32.46/arch/x86/pci/olpc.c 2011-03-27 14:31:47.000000000 -0400
23829 +++ linux-2.6.32.46/arch/x86/pci/olpc.c 2011-04-17 15:56:46.000000000 -0400
23830 @@ -297,7 +297,7 @@ static int pci_olpc_write(unsigned int s
23831 return 0;
23832 }
23833
23834 -static struct pci_raw_ops pci_olpc_conf = {
23835 +static const struct pci_raw_ops pci_olpc_conf = {
23836 .read = pci_olpc_read,
23837 .write = pci_olpc_write,
23838 };
23839 diff -urNp linux-2.6.32.46/arch/x86/pci/pcbios.c linux-2.6.32.46/arch/x86/pci/pcbios.c
23840 --- linux-2.6.32.46/arch/x86/pci/pcbios.c 2011-03-27 14:31:47.000000000 -0400
23841 +++ linux-2.6.32.46/arch/x86/pci/pcbios.c 2011-04-17 15:56:46.000000000 -0400
23842 @@ -56,50 +56,93 @@ union bios32 {
23843 static struct {
23844 unsigned long address;
23845 unsigned short segment;
23846 -} bios32_indirect = { 0, __KERNEL_CS };
23847 +} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
23848
23849 /*
23850 * Returns the entry point for the given service, NULL on error
23851 */
23852
23853 -static unsigned long bios32_service(unsigned long service)
23854 +static unsigned long __devinit bios32_service(unsigned long service)
23855 {
23856 unsigned char return_code; /* %al */
23857 unsigned long address; /* %ebx */
23858 unsigned long length; /* %ecx */
23859 unsigned long entry; /* %edx */
23860 unsigned long flags;
23861 + struct desc_struct d, *gdt;
23862
23863 local_irq_save(flags);
23864 - __asm__("lcall *(%%edi); cld"
23865 +
23866 + gdt = get_cpu_gdt_table(smp_processor_id());
23867 +
23868 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
23869 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
23870 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
23871 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
23872 +
23873 + __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
23874 : "=a" (return_code),
23875 "=b" (address),
23876 "=c" (length),
23877 "=d" (entry)
23878 : "0" (service),
23879 "1" (0),
23880 - "D" (&bios32_indirect));
23881 + "D" (&bios32_indirect),
23882 + "r"(__PCIBIOS_DS)
23883 + : "memory");
23884 +
23885 + pax_open_kernel();
23886 + gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
23887 + gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
23888 + gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
23889 + gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
23890 + pax_close_kernel();
23891 +
23892 local_irq_restore(flags);
23893
23894 switch (return_code) {
23895 - case 0:
23896 - return address + entry;
23897 - case 0x80: /* Not present */
23898 - printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
23899 - return 0;
23900 - default: /* Shouldn't happen */
23901 - printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
23902 - service, return_code);
23903 + case 0: {
23904 + int cpu;
23905 + unsigned char flags;
23906 +
23907 + printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
23908 + if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
23909 + printk(KERN_WARNING "bios32_service: not valid\n");
23910 return 0;
23911 + }
23912 + address = address + PAGE_OFFSET;
23913 + length += 16UL; /* some BIOSs underreport this... */
23914 + flags = 4;
23915 + if (length >= 64*1024*1024) {
23916 + length >>= PAGE_SHIFT;
23917 + flags |= 8;
23918 + }
23919 +
23920 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
23921 + gdt = get_cpu_gdt_table(cpu);
23922 + pack_descriptor(&d, address, length, 0x9b, flags);
23923 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
23924 + pack_descriptor(&d, address, length, 0x93, flags);
23925 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
23926 + }
23927 + return entry;
23928 + }
23929 + case 0x80: /* Not present */
23930 + printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
23931 + return 0;
23932 + default: /* Shouldn't happen */
23933 + printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
23934 + service, return_code);
23935 + return 0;
23936 }
23937 }
23938
23939 static struct {
23940 unsigned long address;
23941 unsigned short segment;
23942 -} pci_indirect = { 0, __KERNEL_CS };
23943 +} pci_indirect __read_only = { 0, __PCIBIOS_CS };
23944
23945 -static int pci_bios_present;
23946 +static int pci_bios_present __read_only;
23947
23948 static int __devinit check_pcibios(void)
23949 {
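Review bot: Inside `case 0:` of `bios32_service()` the new `unsigned char flags;` shadows the function-level `unsigned long flags` that holds the saved IRQ state; it is harmless only because `local_irq_restore(flags)` has already run, and it would trip `-Wshadow`. Renaming it, e.g. `unsigned char desc_flags;`, avoids the trap. The `if (length >= 64*1024*1024)` branch also looks unreachable, since the preceding check bounds `length` by `0x100000 - address` and only 16 is added afterwards; either drop it or comment why it is kept. Note too that `length += 16UL` is applied after the bounds check, so the descriptor limit can extend past the 1 MiB window that was just validated.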
23950 @@ -108,11 +151,13 @@ static int __devinit check_pcibios(void)
23951 unsigned long flags, pcibios_entry;
23952
23953 if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
23954 - pci_indirect.address = pcibios_entry + PAGE_OFFSET;
23955 + pci_indirect.address = pcibios_entry;
23956
23957 local_irq_save(flags);
23958 - __asm__(
23959 - "lcall *(%%edi); cld\n\t"
23960 + __asm__("movw %w6, %%ds\n\t"
23961 + "lcall *%%ss:(%%edi); cld\n\t"
23962 + "push %%ss\n\t"
23963 + "pop %%ds\n\t"
23964 "jc 1f\n\t"
23965 "xor %%ah, %%ah\n"
23966 "1:"
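Review bot: The BIOS data selector is referenced by operand position (`%w6` here, `%w7` in bios32_service(), `%w8` and `%w5` in the later hunks), so adding or removing an operand in one of these asm statements silently points the `movw ..., %%ds` at a different register. Named operands remove that hazard: `"movw %w[ds], %%ds\n\t"` together with `[ds] "r" (__PCIBIOS_DS)`. The same applies to the asm blocks in pci_bios_read(), pci_bios_write(), pcibios_get_irq_routing() and pcibios_set_irq_routing(). In the pci_bios_read() and pci_bios_write() hunks the operand lists end at `"r" (__PCIBIOS_DS));` with no `"memory"` clobber although the statement switches %ds and calls into firmware; adding one there would match check_pcibios().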
23967 @@ -121,7 +166,8 @@ static int __devinit check_pcibios(void)
23968 "=b" (ebx),
23969 "=c" (ecx)
23970 : "1" (PCIBIOS_PCI_BIOS_PRESENT),
23971 - "D" (&pci_indirect)
23972 + "D" (&pci_indirect),
23973 + "r" (__PCIBIOS_DS)
23974 : "memory");
23975 local_irq_restore(flags);
23976
23977 @@ -165,7 +211,10 @@ static int pci_bios_read(unsigned int se
23978
23979 switch (len) {
23980 case 1:
23981 - __asm__("lcall *(%%esi); cld\n\t"
23982 + __asm__("movw %w6, %%ds\n\t"
23983 + "lcall *%%ss:(%%esi); cld\n\t"
23984 + "push %%ss\n\t"
23985 + "pop %%ds\n\t"
23986 "jc 1f\n\t"
23987 "xor %%ah, %%ah\n"
23988 "1:"
23989 @@ -174,7 +223,8 @@ static int pci_bios_read(unsigned int se
23990 : "1" (PCIBIOS_READ_CONFIG_BYTE),
23991 "b" (bx),
23992 "D" ((long)reg),
23993 - "S" (&pci_indirect));
23994 + "S" (&pci_indirect),
23995 + "r" (__PCIBIOS_DS));
23996 /*
23997 * Zero-extend the result beyond 8 bits, do not trust the
23998 * BIOS having done it:
23999 @@ -182,7 +232,10 @@ static int pci_bios_read(unsigned int se
24000 *value &= 0xff;
24001 break;
24002 case 2:
24003 - __asm__("lcall *(%%esi); cld\n\t"
24004 + __asm__("movw %w6, %%ds\n\t"
24005 + "lcall *%%ss:(%%esi); cld\n\t"
24006 + "push %%ss\n\t"
24007 + "pop %%ds\n\t"
24008 "jc 1f\n\t"
24009 "xor %%ah, %%ah\n"
24010 "1:"
24011 @@ -191,7 +244,8 @@ static int pci_bios_read(unsigned int se
24012 : "1" (PCIBIOS_READ_CONFIG_WORD),
24013 "b" (bx),
24014 "D" ((long)reg),
24015 - "S" (&pci_indirect));
24016 + "S" (&pci_indirect),
24017 + "r" (__PCIBIOS_DS));
24018 /*
24019 * Zero-extend the result beyond 16 bits, do not trust the
24020 * BIOS having done it:
24021 @@ -199,7 +253,10 @@ static int pci_bios_read(unsigned int se
24022 *value &= 0xffff;
24023 break;
24024 case 4:
24025 - __asm__("lcall *(%%esi); cld\n\t"
24026 + __asm__("movw %w6, %%ds\n\t"
24027 + "lcall *%%ss:(%%esi); cld\n\t"
24028 + "push %%ss\n\t"
24029 + "pop %%ds\n\t"
24030 "jc 1f\n\t"
24031 "xor %%ah, %%ah\n"
24032 "1:"
24033 @@ -208,7 +265,8 @@ static int pci_bios_read(unsigned int se
24034 : "1" (PCIBIOS_READ_CONFIG_DWORD),
24035 "b" (bx),
24036 "D" ((long)reg),
24037 - "S" (&pci_indirect));
24038 + "S" (&pci_indirect),
24039 + "r" (__PCIBIOS_DS));
24040 break;
24041 }
24042
24043 @@ -231,7 +289,10 @@ static int pci_bios_write(unsigned int s
24044
24045 switch (len) {
24046 case 1:
24047 - __asm__("lcall *(%%esi); cld\n\t"
24048 + __asm__("movw %w6, %%ds\n\t"
24049 + "lcall *%%ss:(%%esi); cld\n\t"
24050 + "push %%ss\n\t"
24051 + "pop %%ds\n\t"
24052 "jc 1f\n\t"
24053 "xor %%ah, %%ah\n"
24054 "1:"
24055 @@ -240,10 +301,14 @@ static int pci_bios_write(unsigned int s
24056 "c" (value),
24057 "b" (bx),
24058 "D" ((long)reg),
24059 - "S" (&pci_indirect));
24060 + "S" (&pci_indirect),
24061 + "r" (__PCIBIOS_DS));
24062 break;
24063 case 2:
24064 - __asm__("lcall *(%%esi); cld\n\t"
24065 + __asm__("movw %w6, %%ds\n\t"
24066 + "lcall *%%ss:(%%esi); cld\n\t"
24067 + "push %%ss\n\t"
24068 + "pop %%ds\n\t"
24069 "jc 1f\n\t"
24070 "xor %%ah, %%ah\n"
24071 "1:"
24072 @@ -252,10 +317,14 @@ static int pci_bios_write(unsigned int s
24073 "c" (value),
24074 "b" (bx),
24075 "D" ((long)reg),
24076 - "S" (&pci_indirect));
24077 + "S" (&pci_indirect),
24078 + "r" (__PCIBIOS_DS));
24079 break;
24080 case 4:
24081 - __asm__("lcall *(%%esi); cld\n\t"
24082 + __asm__("movw %w6, %%ds\n\t"
24083 + "lcall *%%ss:(%%esi); cld\n\t"
24084 + "push %%ss\n\t"
24085 + "pop %%ds\n\t"
24086 "jc 1f\n\t"
24087 "xor %%ah, %%ah\n"
24088 "1:"
24089 @@ -264,7 +333,8 @@ static int pci_bios_write(unsigned int s
24090 "c" (value),
24091 "b" (bx),
24092 "D" ((long)reg),
24093 - "S" (&pci_indirect));
24094 + "S" (&pci_indirect),
24095 + "r" (__PCIBIOS_DS));
24096 break;
24097 }
24098
24099 @@ -278,7 +348,7 @@ static int pci_bios_write(unsigned int s
24100 * Function table for BIOS32 access
24101 */
24102
24103 -static struct pci_raw_ops pci_bios_access = {
24104 +static const struct pci_raw_ops pci_bios_access = {
24105 .read = pci_bios_read,
24106 .write = pci_bios_write
24107 };
24108 @@ -287,7 +357,7 @@ static struct pci_raw_ops pci_bios_acces
24109 * Try to find PCI BIOS.
24110 */
24111
24112 -static struct pci_raw_ops * __devinit pci_find_bios(void)
24113 +static const struct pci_raw_ops * __devinit pci_find_bios(void)
24114 {
24115 union bios32 *check;
24116 unsigned char sum;
24117 @@ -368,10 +438,13 @@ struct irq_routing_table * pcibios_get_i
24118
24119 DBG("PCI: Fetching IRQ routing table... ");
24120 __asm__("push %%es\n\t"
24121 + "movw %w8, %%ds\n\t"
24122 "push %%ds\n\t"
24123 "pop %%es\n\t"
24124 - "lcall *(%%esi); cld\n\t"
24125 + "lcall *%%ss:(%%esi); cld\n\t"
24126 "pop %%es\n\t"
24127 + "push %%ss\n\t"
24128 + "pop %%ds\n"
24129 "jc 1f\n\t"
24130 "xor %%ah, %%ah\n"
24131 "1:"
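Review bot: In `pcibios_get_irq_routing()` %es is loaded from %ds after %ds has been switched to `__PCIBIOS_DS`, yet %edi still carries the flat kernel address `(long) &opt` (operand list in the next hunk). If the descriptor installed by bios32_service() has a non-zero base and a limit near 1 MiB, as the `pack_descriptor(&d, address, length, ...)` calls earlier in this file suggest, ES:EDI no longer addresses `opt` and the BIOS access would fall outside the segment. Either %es should keep a flat data segment for the call or the pointer needs to be expressed relative to the BIOS segment base; which of the two the PCI BIOS interface expects here should be confirmed. The asm statement and the function extend beyond this hunk.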
24132 @@ -382,7 +455,8 @@ struct irq_routing_table * pcibios_get_i
24133 "1" (0),
24134 "D" ((long) &opt),
24135 "S" (&pci_indirect),
24136 - "m" (opt)
24137 + "m" (opt),
24138 + "r" (__PCIBIOS_DS)
24139 : "memory");
24140 DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
24141 if (ret & 0xff00)
24142 @@ -406,7 +480,10 @@ int pcibios_set_irq_routing(struct pci_d
24143 {
24144 int ret;
24145
24146 - __asm__("lcall *(%%esi); cld\n\t"
24147 + __asm__("movw %w5, %%ds\n\t"
24148 + "lcall *%%ss:(%%esi); cld\n\t"
24149 + "push %%ss\n\t"
24150 + "pop %%ds\n"
24151 "jc 1f\n\t"
24152 "xor %%ah, %%ah\n"
24153 "1:"
24154 @@ -414,7 +491,8 @@ int pcibios_set_irq_routing(struct pci_d
24155 : "0" (PCIBIOS_SET_PCI_HW_INT),
24156 "b" ((dev->bus->number << 8) | dev->devfn),
24157 "c" ((irq << 8) | (pin + 10)),
24158 - "S" (&pci_indirect));
24159 + "S" (&pci_indirect),
24160 + "r" (__PCIBIOS_DS));
24161 return !(ret & 0xff00);
24162 }
24163 EXPORT_SYMBOL(pcibios_set_irq_routing);
24164 diff -urNp linux-2.6.32.46/arch/x86/power/cpu.c linux-2.6.32.46/arch/x86/power/cpu.c
24165 --- linux-2.6.32.46/arch/x86/power/cpu.c 2011-03-27 14:31:47.000000000 -0400
24166 +++ linux-2.6.32.46/arch/x86/power/cpu.c 2011-04-17 15:56:46.000000000 -0400
24167 @@ -129,7 +129,7 @@ static void do_fpu_end(void)
24168 static void fix_processor_context(void)
24169 {
24170 int cpu = smp_processor_id();
24171 - struct tss_struct *t = &per_cpu(init_tss, cpu);
24172 + struct tss_struct *t = init_tss + cpu;
24173
24174 set_tss_desc(cpu, t); /*
24175 * This just modifies memory; should not be
24176 @@ -139,7 +139,9 @@ static void fix_processor_context(void)
24177 */
24178
24179 #ifdef CONFIG_X86_64
24180 + pax_open_kernel();
24181 get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9;
24182 + pax_close_kernel();
24183
24184 syscall_init(); /* This sets MSR_*STAR and related */
24185 #endif
24186 diff -urNp linux-2.6.32.46/arch/x86/vdso/Makefile linux-2.6.32.46/arch/x86/vdso/Makefile
24187 --- linux-2.6.32.46/arch/x86/vdso/Makefile 2011-03-27 14:31:47.000000000 -0400
24188 +++ linux-2.6.32.46/arch/x86/vdso/Makefile 2011-04-17 15:56:46.000000000 -0400
24189 @@ -122,7 +122,7 @@ quiet_cmd_vdso = VDSO $@
24190 $(VDSO_LDFLAGS) $(VDSO_LDFLAGS_$(filter %.lds,$(^F))) \
24191 -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^)
24192
24193 -VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
24194 +VDSO_LDFLAGS = -fPIC -shared -Wl,--no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
24195 GCOV_PROFILE := n
24196
24197 #
24198 diff -urNp linux-2.6.32.46/arch/x86/vdso/vclock_gettime.c linux-2.6.32.46/arch/x86/vdso/vclock_gettime.c
24199 --- linux-2.6.32.46/arch/x86/vdso/vclock_gettime.c 2011-03-27 14:31:47.000000000 -0400
24200 +++ linux-2.6.32.46/arch/x86/vdso/vclock_gettime.c 2011-04-17 15:56:46.000000000 -0400
24201 @@ -22,24 +22,48 @@
24202 #include <asm/hpet.h>
24203 #include <asm/unistd.h>
24204 #include <asm/io.h>
24205 +#include <asm/fixmap.h>
24206 #include "vextern.h"
24207
24208 #define gtod vdso_vsyscall_gtod_data
24209
24210 +notrace noinline long __vdso_fallback_time(long *t)
24211 +{
24212 + long secs;
24213 + asm volatile("syscall"
24214 + : "=a" (secs)
24215 + : "0" (__NR_time),"D" (t) : "r11", "cx", "memory");
24216 + return secs;
24217 +}
24218 +
24219 notrace static long vdso_fallback_gettime(long clock, struct timespec *ts)
24220 {
24221 long ret;
24222 asm("syscall" : "=a" (ret) :
24223 - "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "memory");
24224 + "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "r11", "cx", "memory");
24225 return ret;
24226 }
24227
24228 +notrace static inline cycle_t __vdso_vread_hpet(void)
24229 +{
24230 + return readl((const void __iomem *)fix_to_virt(VSYSCALL_HPET) + 0xf0);
24231 +}
24232 +
24233 +notrace static inline cycle_t __vdso_vread_tsc(void)
24234 +{
24235 + cycle_t ret = (cycle_t)vget_cycles();
24236 +
24237 + return ret >= gtod->clock.cycle_last ? ret : gtod->clock.cycle_last;
24238 +}
24239 +
24240 notrace static inline long vgetns(void)
24241 {
24242 long v;
24243 - cycles_t (*vread)(void);
24244 - vread = gtod->clock.vread;
24245 - v = (vread() - gtod->clock.cycle_last) & gtod->clock.mask;
24246 + if (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3])
24247 + v = __vdso_vread_tsc();
24248 + else
24249 + v = __vdso_vread_hpet();
24250 + v = (v - gtod->clock.cycle_last) & gtod->clock.mask;
24251 return (v * gtod->clock.mult) >> gtod->clock.shift;
24252 }
24253
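Review bot: The byte-by-byte test of `gtod->clock.name` against "tsc" is open-coded here in vgetns() and repeated, together with the "hpet" test, in the `__vdso_clock_gettime` and `__vdso_gettimeofday` hunks below; three copies of the same allow-list can drift apart. Two small `notrace static inline` predicates would keep the list in one place. vgetns() also sends every name other than "tsc" to the HPET read, which is correct only because both callers filter first, so the else branch deserves a comment saying so. The hunk does not say why the call through `gtod->clock.vread` was replaced by fixed reads; a one-line comment would help, since the CLOCK_REALTIME case in the next hunk's context lines still tests that pointer.

```c
/* The only clocksources the vDSO reads without entering the kernel. */
notrace static inline int vdso_clock_is_tsc(void)
{
	const char *name = gtod->clock.name;

	return name[0] == 't' && name[1] == 's' && name[2] == 'c' && !name[3];
}

notrace static inline int vdso_clock_is_hpet(void)
{
	const char *name = gtod->clock.name;

	return name[0] == 'h' && name[1] == 'p' && name[2] == 'e' &&
	       name[3] == 't' && !name[4];
}

notrace static inline long vgetns(void)
{
	long v;
	if (vdso_clock_is_tsc())
		v = __vdso_vread_tsc();
	else
		/* callers admit only "tsc" and "hpet", so this is the HPET case */
		v = __vdso_vread_hpet();
	/* … unchanged: cycle_last subtraction, mask and mult/shift scaling … */
}
```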
24254 @@ -113,7 +137,9 @@ notrace static noinline int do_monotonic
24255
24256 notrace int __vdso_clock_gettime(clockid_t clock, struct timespec *ts)
24257 {
24258 - if (likely(gtod->sysctl_enabled))
24259 + if (likely(gtod->sysctl_enabled &&
24260 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
24261 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
24262 switch (clock) {
24263 case CLOCK_REALTIME:
24264 if (likely(gtod->clock.vread))
24265 @@ -133,10 +159,20 @@ notrace int __vdso_clock_gettime(clockid
24266 int clock_gettime(clockid_t, struct timespec *)
24267 __attribute__((weak, alias("__vdso_clock_gettime")));
24268
24269 -notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
24270 +notrace noinline int __vdso_fallback_gettimeofday(struct timeval *tv, struct timezone *tz)
24271 {
24272 long ret;
24273 - if (likely(gtod->sysctl_enabled && gtod->clock.vread)) {
24274 + asm("syscall" : "=a" (ret) :
24275 + "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "r11", "cx", "memory");
24276 + return ret;
24277 +}
24278 +
24279 +notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
24280 +{
24281 + if (likely(gtod->sysctl_enabled &&
24282 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
24283 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
24284 + {
24285 if (likely(tv != NULL)) {
24286 BUILD_BUG_ON(offsetof(struct timeval, tv_usec) !=
24287 offsetof(struct timespec, tv_nsec) ||
24288 @@ -151,9 +187,7 @@ notrace int __vdso_gettimeofday(struct t
24289 }
24290 return 0;
24291 }
24292 - asm("syscall" : "=a" (ret) :
24293 - "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "memory");
24294 - return ret;
24295 + return __vdso_fallback_gettimeofday(tv, tz);
24296 }
24297 int gettimeofday(struct timeval *, struct timezone *)
24298 __attribute__((weak, alias("__vdso_gettimeofday")));
24299 diff -urNp linux-2.6.32.46/arch/x86/vdso/vdso32-setup.c linux-2.6.32.46/arch/x86/vdso/vdso32-setup.c
24300 --- linux-2.6.32.46/arch/x86/vdso/vdso32-setup.c 2011-03-27 14:31:47.000000000 -0400
24301 +++ linux-2.6.32.46/arch/x86/vdso/vdso32-setup.c 2011-04-23 12:56:10.000000000 -0400
24302 @@ -25,6 +25,7 @@
24303 #include <asm/tlbflush.h>
24304 #include <asm/vdso.h>
24305 #include <asm/proto.h>
24306 +#include <asm/mman.h>
24307
24308 enum {
24309 VDSO_DISABLED = 0,
24310 @@ -226,7 +227,7 @@ static inline void map_compat_vdso(int m
24311 void enable_sep_cpu(void)
24312 {
24313 int cpu = get_cpu();
24314 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
24315 + struct tss_struct *tss = init_tss + cpu;
24316
24317 if (!boot_cpu_has(X86_FEATURE_SEP)) {
24318 put_cpu();
24319 @@ -249,7 +250,7 @@ static int __init gate_vma_init(void)
24320 gate_vma.vm_start = FIXADDR_USER_START;
24321 gate_vma.vm_end = FIXADDR_USER_END;
24322 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
24323 - gate_vma.vm_page_prot = __P101;
24324 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
24325 /*
24326 * Make sure the vDSO gets into every core dump.
24327 * Dumping its contents makes post-mortem fully interpretable later
24328 @@ -331,14 +332,14 @@ int arch_setup_additional_pages(struct l
24329 if (compat)
24330 addr = VDSO_HIGH_BASE;
24331 else {
24332 - addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
24333 + addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
24334 if (IS_ERR_VALUE(addr)) {
24335 ret = addr;
24336 goto up_fail;
24337 }
24338 }
24339
24340 - current->mm->context.vdso = (void *)addr;
24341 + current->mm->context.vdso = addr;
24342
24343 if (compat_uses_vma || !compat) {
24344 /*
24345 @@ -361,11 +362,11 @@ int arch_setup_additional_pages(struct l
24346 }
24347
24348 current_thread_info()->sysenter_return =
24349 - VDSO32_SYMBOL(addr, SYSENTER_RETURN);
24350 + (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN);
24351
24352 up_fail:
24353 if (ret)
24354 - current->mm->context.vdso = NULL;
24355 + current->mm->context.vdso = 0;
24356
24357 up_write(&mm->mmap_sem);
24358
24359 @@ -413,8 +414,14 @@ __initcall(ia32_binfmt_init);
24360
24361 const char *arch_vma_name(struct vm_area_struct *vma)
24362 {
24363 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
24364 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
24365 return "[vdso]";
24366 +
24367 +#ifdef CONFIG_PAX_SEGMEXEC
24368 + if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
24369 + return "[vdso]";
24370 +#endif
24371 +
24372 return NULL;
24373 }
24374
24375 @@ -423,7 +430,7 @@ struct vm_area_struct *get_gate_vma(stru
24376 struct mm_struct *mm = tsk->mm;
24377
24378 /* Check to see if this task was created in compat vdso mode */
24379 - if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
24380 + if (mm && mm->context.vdso == VDSO_HIGH_BASE)
24381 return &gate_vma;
24382 return NULL;
24383 }
24384 diff -urNp linux-2.6.32.46/arch/x86/vdso/vdso.lds.S linux-2.6.32.46/arch/x86/vdso/vdso.lds.S
24385 --- linux-2.6.32.46/arch/x86/vdso/vdso.lds.S 2011-03-27 14:31:47.000000000 -0400
24386 +++ linux-2.6.32.46/arch/x86/vdso/vdso.lds.S 2011-06-06 17:35:35.000000000 -0400
24387 @@ -35,3 +35,9 @@ VDSO64_PRELINK = VDSO_PRELINK;
24388 #define VEXTERN(x) VDSO64_ ## x = vdso_ ## x;
24389 #include "vextern.h"
24390 #undef VEXTERN
24391 +
24392 +#define VEXTERN(x) VDSO64_ ## x = __vdso_ ## x;
24393 +VEXTERN(fallback_gettimeofday)
24394 +VEXTERN(fallback_time)
24395 +VEXTERN(getcpu)
24396 +#undef VEXTERN
24397 diff -urNp linux-2.6.32.46/arch/x86/vdso/vextern.h linux-2.6.32.46/arch/x86/vdso/vextern.h
24398 --- linux-2.6.32.46/arch/x86/vdso/vextern.h 2011-03-27 14:31:47.000000000 -0400
24399 +++ linux-2.6.32.46/arch/x86/vdso/vextern.h 2011-04-17 15:56:46.000000000 -0400
24400 @@ -11,6 +11,5 @@
24401 put into vextern.h and be referenced as a pointer with vdso prefix.
24402 The main kernel later fills in the values. */
24403
24404 -VEXTERN(jiffies)
24405 VEXTERN(vgetcpu_mode)
24406 VEXTERN(vsyscall_gtod_data)
24407 diff -urNp linux-2.6.32.46/arch/x86/vdso/vma.c linux-2.6.32.46/arch/x86/vdso/vma.c
24408 --- linux-2.6.32.46/arch/x86/vdso/vma.c 2011-03-27 14:31:47.000000000 -0400
24409 +++ linux-2.6.32.46/arch/x86/vdso/vma.c 2011-08-23 20:24:19.000000000 -0400
24410 @@ -17,8 +17,6 @@
24411 #include "vextern.h" /* Just for VMAGIC. */
24412 #undef VEXTERN
24413
24414 -unsigned int __read_mostly vdso_enabled = 1;
24415 -
24416 extern char vdso_start[], vdso_end[];
24417 extern unsigned short vdso_sync_cpuid;
24418
24419 @@ -27,10 +25,8 @@ static unsigned vdso_size;
24420
24421 static inline void *var_ref(void *p, char *name)
24422 {
24423 - if (*(void **)p != (void *)VMAGIC) {
24424 - printk("VDSO: variable %s broken\n", name);
24425 - vdso_enabled = 0;
24426 - }
24427 + if (*(void **)p != (void *)VMAGIC)
24428 + panic("VDSO: variable %s broken\n", name);
24429 return p;
24430 }
24431
24432 @@ -57,21 +53,18 @@ static int __init init_vdso_vars(void)
24433 if (!vbase)
24434 goto oom;
24435
24436 - if (memcmp(vbase, "\177ELF", 4)) {
24437 - printk("VDSO: I'm broken; not ELF\n");
24438 - vdso_enabled = 0;
24439 - }
24440 + if (memcmp(vbase, ELFMAG, SELFMAG))
24441 + panic("VDSO: I'm broken; not ELF\n");
24442
24443 #define VEXTERN(x) \
24444 *(typeof(__ ## x) **) var_ref(VDSO64_SYMBOL(vbase, x), #x) = &__ ## x;
24445 #include "vextern.h"
24446 #undef VEXTERN
24447 + vunmap(vbase);
24448 return 0;
24449
24450 oom:
24451 - printk("Cannot allocate vdso\n");
24452 - vdso_enabled = 0;
24453 - return -ENOMEM;
24454 + panic("Cannot allocate vdso\n");
24455 }
24456 __initcall(init_vdso_vars);
24457
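Review bot: The `oom:` path and the ELF-magic check now call panic() where the old code logged a message, cleared `vdso_enabled` and let boot continue, and no comment explains why a vDSO setup failure must be fatal. A short comment above the first check would record the intent, e.g. `/* no runtime fallback: the vdso= switch is removed below, so a broken image must stop boot */` (the removal is in the last hunk of this file). The messages also keep their trailing `\n`, which panic() does not need; `panic("VDSO: I'm broken; not ELF");` reads the same in the log. init_vdso_vars() starts outside the hunk.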
24458 @@ -105,9 +98,6 @@ int arch_setup_additional_pages(struct l
24459 unsigned long addr;
24460 int ret;
24461
24462 - if (!vdso_enabled)
24463 - return 0;
24464 -
24465 down_write(&mm->mmap_sem);
24466 addr = vdso_addr(mm->start_stack, vdso_size);
24467 addr = get_unmapped_area(NULL, addr, vdso_size, 0, 0);
24468 @@ -116,7 +106,7 @@ int arch_setup_additional_pages(struct l
24469 goto up_fail;
24470 }
24471
24472 - current->mm->context.vdso = (void *)addr;
24473 + current->mm->context.vdso = addr;
24474
24475 ret = install_special_mapping(mm, addr, vdso_size,
24476 VM_READ|VM_EXEC|
24477 @@ -124,7 +114,7 @@ int arch_setup_additional_pages(struct l
24478 VM_ALWAYSDUMP,
24479 vdso_pages);
24480 if (ret) {
24481 - current->mm->context.vdso = NULL;
24482 + current->mm->context.vdso = 0;
24483 goto up_fail;
24484 }
24485
24486 @@ -132,10 +122,3 @@ up_fail:
24487 up_write(&mm->mmap_sem);
24488 return ret;
24489 }
24490 -
24491 -static __init int vdso_setup(char *s)
24492 -{
24493 - vdso_enabled = simple_strtoul(s, NULL, 0);
24494 - return 0;
24495 -}
24496 -__setup("vdso=", vdso_setup);
24497 diff -urNp linux-2.6.32.46/arch/x86/xen/enlighten.c linux-2.6.32.46/arch/x86/xen/enlighten.c
24498 --- linux-2.6.32.46/arch/x86/xen/enlighten.c 2011-03-27 14:31:47.000000000 -0400
24499 +++ linux-2.6.32.46/arch/x86/xen/enlighten.c 2011-05-22 23:02:03.000000000 -0400
24500 @@ -71,8 +71,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
24501
24502 struct shared_info xen_dummy_shared_info;
24503
24504 -void *xen_initial_gdt;
24505 -
24506 /*
24507 * Point at some empty memory to start with. We map the real shared_info
24508 * page as soon as fixmap is up and running.
24509 @@ -548,7 +546,7 @@ static void xen_write_idt_entry(gate_des
24510
24511 preempt_disable();
24512
24513 - start = __get_cpu_var(idt_desc).address;
24514 + start = (unsigned long)__get_cpu_var(idt_desc).address;
24515 end = start + __get_cpu_var(idt_desc).size + 1;
24516
24517 xen_mc_flush();
24518 @@ -993,7 +991,7 @@ static const struct pv_apic_ops xen_apic
24519 #endif
24520 };
24521
24522 -static void xen_reboot(int reason)
24523 +static __noreturn void xen_reboot(int reason)
24524 {
24525 struct sched_shutdown r = { .reason = reason };
24526
24527 @@ -1001,17 +999,17 @@ static void xen_reboot(int reason)
24528 BUG();
24529 }
24530
24531 -static void xen_restart(char *msg)
24532 +static __noreturn void xen_restart(char *msg)
24533 {
24534 xen_reboot(SHUTDOWN_reboot);
24535 }
24536
24537 -static void xen_emergency_restart(void)
24538 +static __noreturn void xen_emergency_restart(void)
24539 {
24540 xen_reboot(SHUTDOWN_reboot);
24541 }
24542
24543 -static void xen_machine_halt(void)
24544 +static __noreturn void xen_machine_halt(void)
24545 {
24546 xen_reboot(SHUTDOWN_poweroff);
24547 }
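Review bot: `xen_reboot()` gains `__noreturn` in the previous hunk, but the last statement of its body, visible at the top of this hunk, is `BUG();`. If the kernel can be configured so that BUG() expands to nothing (CONFIG_BUG=n; the definition is not visible here), control falls off the end of a function the compiler was told never returns. An explicit terminal loop after it, e.g. `for (;;) cpu_relax();`, makes the attribute hold on every configuration. The three wrappers marked `__noreturn` in this hunk rely on xen_reboot() for that guarantee.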
24548 @@ -1095,9 +1093,20 @@ asmlinkage void __init xen_start_kernel(
24549 */
24550 __userpte_alloc_gfp &= ~__GFP_HIGHMEM;
24551
24552 -#ifdef CONFIG_X86_64
24553 /* Work out if we support NX */
24554 - check_efer();
24555 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
24556 + if ((cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000 &&
24557 + (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) {
24558 + unsigned l, h;
24559 +
24560 +#ifdef CONFIG_X86_PAE
24561 + nx_enabled = 1;
24562 +#endif
24563 + __supported_pte_mask |= _PAGE_NX;
24564 + rdmsr(MSR_EFER, l, h);
24565 + l |= EFER_NX;
24566 + wrmsr(MSR_EFER, l, h);
24567 + }
24568 #endif
24569
24570 xen_setup_features();
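Review bot: The guard before `cpuid_edx(0x80000001)` only checks that the value returned for leaf 0x80000000 has 0x8000 in its upper half; it does not check that the maximum extended leaf is at least 0x80000001, so a CPU reporting exactly 0x80000000 would have its NX bit read from an unsupported leaf. Reading the value once and adding the range test covers it: `unsigned int max_ext = cpuid_eax(0x80000000);` followed by `if ((max_ext & 0xffff0000) == 0x80000000 && max_ext >= 0x80000001 &&` in front of the existing `cpuid_edx` term. `nx_enabled` is set only under CONFIG_X86_PAE while `__supported_pte_mask` and EFER are updated for both configurations; a short comment saying that is intentional would help. xen_start_kernel() starts and ends outside the hunk.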
24571 @@ -1129,13 +1138,6 @@ asmlinkage void __init xen_start_kernel(
24572
24573 machine_ops = xen_machine_ops;
24574
24575 - /*
24576 - * The only reliable way to retain the initial address of the
24577 - * percpu gdt_page is to remember it here, so we can go and
24578 - * mark it RW later, when the initial percpu area is freed.
24579 - */
24580 - xen_initial_gdt = &per_cpu(gdt_page, 0);
24581 -
24582 xen_smp_init();
24583
24584 pgd = (pgd_t *)xen_start_info->pt_base;
24585 diff -urNp linux-2.6.32.46/arch/x86/xen/mmu.c linux-2.6.32.46/arch/x86/xen/mmu.c
24586 --- linux-2.6.32.46/arch/x86/xen/mmu.c 2011-07-13 17:23:04.000000000 -0400
24587 +++ linux-2.6.32.46/arch/x86/xen/mmu.c 2011-08-24 18:35:52.000000000 -0400
24588 @@ -1719,6 +1719,8 @@ __init pgd_t *xen_setup_kernel_pagetable
24589 convert_pfn_mfn(init_level4_pgt);
24590 convert_pfn_mfn(level3_ident_pgt);
24591 convert_pfn_mfn(level3_kernel_pgt);
24592 + convert_pfn_mfn(level3_vmalloc_pgt);
24593 + convert_pfn_mfn(level3_vmemmap_pgt);
24594
24595 l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
24596 l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
24597 @@ -1737,7 +1739,10 @@ __init pgd_t *xen_setup_kernel_pagetable
24598 set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
24599 set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
24600 set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
24601 + set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
24602 + set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
24603 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
24604 + set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
24605 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
24606 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
24607
24608 @@ -1860,6 +1865,7 @@ static __init void xen_post_allocator_in
24609 pv_mmu_ops.set_pud = xen_set_pud;
24610 #if PAGETABLE_LEVELS == 4
24611 pv_mmu_ops.set_pgd = xen_set_pgd;
24612 + pv_mmu_ops.set_pgd_batched = xen_set_pgd;
24613 #endif
24614
24615 /* This will work as long as patching hasn't happened yet
24616 @@ -1946,6 +1952,7 @@ static const struct pv_mmu_ops xen_mmu_o
24617 .pud_val = PV_CALLEE_SAVE(xen_pud_val),
24618 .make_pud = PV_CALLEE_SAVE(xen_make_pud),
24619 .set_pgd = xen_set_pgd_hyper,
24620 + .set_pgd_batched = xen_set_pgd_hyper,
24621
24622 .alloc_pud = xen_alloc_pmd_init,
24623 .release_pud = xen_release_pmd_init,
24624 diff -urNp linux-2.6.32.46/arch/x86/xen/smp.c linux-2.6.32.46/arch/x86/xen/smp.c
24625 --- linux-2.6.32.46/arch/x86/xen/smp.c 2011-03-27 14:31:47.000000000 -0400
24626 +++ linux-2.6.32.46/arch/x86/xen/smp.c 2011-05-11 18:25:15.000000000 -0400
24627 @@ -167,11 +167,6 @@ static void __init xen_smp_prepare_boot_
24628 {
24629 BUG_ON(smp_processor_id() != 0);
24630 native_smp_prepare_boot_cpu();
24631 -
24632 - /* We've switched to the "real" per-cpu gdt, so make sure the
24633 - old memory can be recycled */
24634 - make_lowmem_page_readwrite(xen_initial_gdt);
24635 -
24636 xen_setup_vcpu_info_placement();
24637 }
24638
24639 @@ -231,12 +226,12 @@ cpu_initialize_context(unsigned int cpu,
24640 gdt = get_cpu_gdt_table(cpu);
24641
24642 ctxt->flags = VGCF_IN_KERNEL;
24643 - ctxt->user_regs.ds = __USER_DS;
24644 - ctxt->user_regs.es = __USER_DS;
24645 + ctxt->user_regs.ds = __KERNEL_DS;
24646 + ctxt->user_regs.es = __KERNEL_DS;
24647 ctxt->user_regs.ss = __KERNEL_DS;
24648 #ifdef CONFIG_X86_32
24649 ctxt->user_regs.fs = __KERNEL_PERCPU;
24650 - ctxt->user_regs.gs = __KERNEL_STACK_CANARY;
24651 + savesegment(gs, ctxt->user_regs.gs);
24652 #else
24653 ctxt->gs_base_kernel = per_cpu_offset(cpu);
24654 #endif
24655 @@ -287,13 +282,12 @@ static int __cpuinit xen_cpu_up(unsigned
24656 int rc;
24657
24658 per_cpu(current_task, cpu) = idle;
24659 + per_cpu(current_tinfo, cpu) = &idle->tinfo;
24660 #ifdef CONFIG_X86_32
24661 irq_ctx_init(cpu);
24662 #else
24663 clear_tsk_thread_flag(idle, TIF_FORK);
24664 - per_cpu(kernel_stack, cpu) =
24665 - (unsigned long)task_stack_page(idle) -
24666 - KERNEL_STACK_OFFSET + THREAD_SIZE;
24667 + per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(idle) - 16 + THREAD_SIZE;
24668 #endif
24669 xen_setup_runstate_info(cpu);
24670 xen_setup_timer(cpu);
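Review bot: The per-cpu `kernel_stack` initialisation replaces the named `KERNEL_STACK_OFFSET` with the literal `16`, so the reader has to guess what the 16 bytes at the top of the idle task's stack are reserved for and whether this site must stay in step with other users of the constant. If the shared constant's value no longer fits here, keep a name for the new value or add a comment on the line, e.g. `/* top 16 bytes of the stack stay unused; keep in step with the native bring-up path */` (the native counterpart is not visible in this hunk, so confirm the wording against it). xen_cpu_up() starts and ends outside the hunk.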
24671 diff -urNp linux-2.6.32.46/arch/x86/xen/xen-asm_32.S linux-2.6.32.46/arch/x86/xen/xen-asm_32.S
24672 --- linux-2.6.32.46/arch/x86/xen/xen-asm_32.S 2011-03-27 14:31:47.000000000 -0400
24673 +++ linux-2.6.32.46/arch/x86/xen/xen-asm_32.S 2011-04-22 19:13:13.000000000 -0400
24674 @@ -83,14 +83,14 @@ ENTRY(xen_iret)
24675 ESP_OFFSET=4 # bytes pushed onto stack
24676
24677 /*
24678 - * Store vcpu_info pointer for easy access. Do it this way to
24679 - * avoid having to reload %fs
24680 + * Store vcpu_info pointer for easy access.
24681 */
24682 #ifdef CONFIG_SMP
24683 - GET_THREAD_INFO(%eax)
24684 - movl TI_cpu(%eax), %eax
24685 - movl __per_cpu_offset(,%eax,4), %eax
24686 - mov per_cpu__xen_vcpu(%eax), %eax
24687 + push %fs
24688 + mov $(__KERNEL_PERCPU), %eax
24689 + mov %eax, %fs
24690 + mov PER_CPU_VAR(xen_vcpu), %eax
24691 + pop %fs
24692 #else
24693 movl per_cpu__xen_vcpu, %eax
24694 #endif
24695 diff -urNp linux-2.6.32.46/arch/x86/xen/xen-head.S linux-2.6.32.46/arch/x86/xen/xen-head.S
24696 --- linux-2.6.32.46/arch/x86/xen/xen-head.S 2011-03-27 14:31:47.000000000 -0400
24697 +++ linux-2.6.32.46/arch/x86/xen/xen-head.S 2011-04-17 15:56:46.000000000 -0400
24698 @@ -19,6 +19,17 @@ ENTRY(startup_xen)
24699 #ifdef CONFIG_X86_32
24700 mov %esi,xen_start_info
24701 mov $init_thread_union+THREAD_SIZE,%esp
24702 +#ifdef CONFIG_SMP
24703 + movl $cpu_gdt_table,%edi
24704 + movl $__per_cpu_load,%eax
24705 + movw %ax,__KERNEL_PERCPU + 2(%edi)
24706 + rorl $16,%eax
24707 + movb %al,__KERNEL_PERCPU + 4(%edi)
24708 + movb %ah,__KERNEL_PERCPU + 7(%edi)
24709 + movl $__per_cpu_end - 1,%eax
24710 + subl $__per_cpu_start,%eax
24711 + movw %ax,__KERNEL_PERCPU + 0(%edi)
24712 +#endif
24713 #else
24714 mov %rsi,xen_start_info
24715 mov $init_thread_union+THREAD_SIZE,%rsp
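Review bot: The added CONFIG_SMP block patches a GDT descriptor in place using bare byte offsets, and nothing says which descriptor fields they are. By the x86 descriptor layout, `+ 2` is base 15:0, `+ 4` is base 23:16, `+ 7` is base 31:24 and `+ 0` is limit 15:0, with the selector `__KERNEL_PERCPU` doubling as the byte offset of the entry in `cpu_gdt_table`; a comment per store, e.g. `/* base 15:0 of the per-cpu segment */`, would make that checkable. Only the low 16 bits of the limit are written, so the block relies on limit 19:16 and the granularity bit already being right in the static table. That table is not visible here, so the dependency is worth stating in the comment.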
24716 diff -urNp linux-2.6.32.46/arch/x86/xen/xen-ops.h linux-2.6.32.46/arch/x86/xen/xen-ops.h
24717 --- linux-2.6.32.46/arch/x86/xen/xen-ops.h 2011-03-27 14:31:47.000000000 -0400
24718 +++ linux-2.6.32.46/arch/x86/xen/xen-ops.h 2011-04-17 15:56:46.000000000 -0400
24719 @@ -10,8 +10,6 @@
24720 extern const char xen_hypervisor_callback[];
24721 extern const char xen_failsafe_callback[];
24722
24723 -extern void *xen_initial_gdt;
24724 -
24725 struct trap_info;
24726 void xen_copy_trap_info(struct trap_info *traps);
24727
24728 diff -urNp linux-2.6.32.46/block/blk-integrity.c linux-2.6.32.46/block/blk-integrity.c
24729 --- linux-2.6.32.46/block/blk-integrity.c 2011-03-27 14:31:47.000000000 -0400
24730 +++ linux-2.6.32.46/block/blk-integrity.c 2011-04-17 15:56:46.000000000 -0400
24731 @@ -278,7 +278,7 @@ static struct attribute *integrity_attrs
24732 NULL,
24733 };
24734
24735 -static struct sysfs_ops integrity_ops = {
24736 +static const struct sysfs_ops integrity_ops = {
24737 .show = &integrity_attr_show,
24738 .store = &integrity_attr_store,
24739 };
24740 diff -urNp linux-2.6.32.46/block/blk-iopoll.c linux-2.6.32.46/block/blk-iopoll.c
24741 --- linux-2.6.32.46/block/blk-iopoll.c 2011-03-27 14:31:47.000000000 -0400
24742 +++ linux-2.6.32.46/block/blk-iopoll.c 2011-04-17 15:56:46.000000000 -0400
24743 @@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopo
24744 }
24745 EXPORT_SYMBOL(blk_iopoll_complete);
24746
24747 -static void blk_iopoll_softirq(struct softirq_action *h)
24748 +static void blk_iopoll_softirq(void)
24749 {
24750 struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
24751 int rearm = 0, budget = blk_iopoll_budget;
24752 diff -urNp linux-2.6.32.46/block/blk-map.c linux-2.6.32.46/block/blk-map.c
24753 --- linux-2.6.32.46/block/blk-map.c 2011-03-27 14:31:47.000000000 -0400
24754 +++ linux-2.6.32.46/block/blk-map.c 2011-04-18 16:57:33.000000000 -0400
24755 @@ -54,7 +54,7 @@ static int __blk_rq_map_user(struct requ
24756 * direct dma. else, set up kernel bounce buffers
24757 */
24758 uaddr = (unsigned long) ubuf;
24759 - if (blk_rq_aligned(q, ubuf, len) && !map_data)
24760 + if (blk_rq_aligned(q, (__force void *)ubuf, len) && !map_data)
24761 bio = bio_map_user(q, NULL, uaddr, len, reading, gfp_mask);
24762 else
24763 bio = bio_copy_user(q, map_data, uaddr, len, reading, gfp_mask);
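Review bot: The `(__force void *)ubuf` cast passed to `blk_rq_aligned()` strips the `__user` annotation, which silences the address-space checker at exactly the place a reviewer would look for a kernel dereference of a user pointer. A comment on the line should state why that is safe, e.g. `/* alignment test only; ubuf is never dereferenced through this cast */` (to be confirmed against blk_rq_aligned(), which is outside the hunk). The same applies to `f->name = (void __force_kernel *)compat_ptr(name);` in the block/compat_ioctl.c hunk, where the stored value is still a userland address. __blk_rq_map_user() starts and ends outside the hunk.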
24764 @@ -201,12 +201,13 @@ int blk_rq_map_user_iov(struct request_q
24765 for (i = 0; i < iov_count; i++) {
24766 unsigned long uaddr = (unsigned long)iov[i].iov_base;
24767
24768 + if (!iov[i].iov_len)
24769 + return -EINVAL;
24770 +
24771 if (uaddr & queue_dma_alignment(q)) {
24772 unaligned = 1;
24773 break;
24774 }
24775 - if (!iov[i].iov_len)
24776 - return -EINVAL;
24777 }
24778
24779 if (unaligned || (q->dma_pad_mask & len) || map_data)
24780 @@ -299,7 +300,7 @@ int blk_rq_map_kern(struct request_queue
24781 if (!len || !kbuf)
24782 return -EINVAL;
24783
24784 - do_copy = !blk_rq_aligned(q, kbuf, len) || object_is_on_stack(kbuf);
24785 + do_copy = !blk_rq_aligned(q, kbuf, len) || object_starts_on_stack(kbuf);
24786 if (do_copy)
24787 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
24788 else
24789 diff -urNp linux-2.6.32.46/block/blk-softirq.c linux-2.6.32.46/block/blk-softirq.c
24790 --- linux-2.6.32.46/block/blk-softirq.c 2011-03-27 14:31:47.000000000 -0400
24791 +++ linux-2.6.32.46/block/blk-softirq.c 2011-04-17 15:56:46.000000000 -0400
24792 @@ -17,7 +17,7 @@ static DEFINE_PER_CPU(struct list_head,
24793 * Softirq action handler - move entries to local list and loop over them
24794 * while passing them to the queue registered handler.
24795 */
24796 -static void blk_done_softirq(struct softirq_action *h)
24797 +static void blk_done_softirq(void)
24798 {
24799 struct list_head *cpu_list, local_list;
24800
24801 diff -urNp linux-2.6.32.46/block/blk-sysfs.c linux-2.6.32.46/block/blk-sysfs.c
24802 --- linux-2.6.32.46/block/blk-sysfs.c 2011-05-10 22:12:01.000000000 -0400
24803 +++ linux-2.6.32.46/block/blk-sysfs.c 2011-05-10 22:12:26.000000000 -0400
24804 @@ -414,7 +414,7 @@ static void blk_release_queue(struct kob
24805 kmem_cache_free(blk_requestq_cachep, q);
24806 }
24807
24808 -static struct sysfs_ops queue_sysfs_ops = {
24809 +static const struct sysfs_ops queue_sysfs_ops = {
24810 .show = queue_attr_show,
24811 .store = queue_attr_store,
24812 };
24813 diff -urNp linux-2.6.32.46/block/bsg.c linux-2.6.32.46/block/bsg.c
24814 --- linux-2.6.32.46/block/bsg.c 2011-03-27 14:31:47.000000000 -0400
24815 +++ linux-2.6.32.46/block/bsg.c 2011-10-06 09:37:08.000000000 -0400
24816 @@ -175,16 +175,24 @@ static int blk_fill_sgv4_hdr_rq(struct r
24817 struct sg_io_v4 *hdr, struct bsg_device *bd,
24818 fmode_t has_write_perm)
24819 {
24820 + unsigned char tmpcmd[sizeof(rq->__cmd)];
24821 + unsigned char *cmdptr;
24822 +
24823 if (hdr->request_len > BLK_MAX_CDB) {
24824 rq->cmd = kzalloc(hdr->request_len, GFP_KERNEL);
24825 if (!rq->cmd)
24826 return -ENOMEM;
24827 - }
24828 + cmdptr = rq->cmd;
24829 + } else
24830 + cmdptr = tmpcmd;
24831
24832 - if (copy_from_user(rq->cmd, (void *)(unsigned long)hdr->request,
24833 + if (copy_from_user(cmdptr, (void __user *)(unsigned long)hdr->request,
24834 hdr->request_len))
24835 return -EFAULT;
24836
24837 + if (cmdptr != rq->cmd)
24838 + memcpy(rq->cmd, cmdptr, hdr->request_len);
24839 +
24840 if (hdr->subprotocol == BSG_SUB_PROTOCOL_SCSI_CMD) {
24841 if (blk_verify_command(rq->cmd, has_write_perm))
24842 return -EPERM;
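Review bot: `tmpcmd` is sized with `sizeof(rq->__cmd)` while the branch that selects it is guarded by `hdr->request_len > BLK_MAX_CDB`, so the stack copy is in bounds only while those two quantities agree, and that relation lives in the definition of `struct request`, outside this hunk. A compile-time check next to the declaration pins it: `BUILD_BUG_ON(sizeof(tmpcmd) < BLK_MAX_CDB);`. The new `} else` also leaves its single statement unbraced after a braced `if`, where kernel style asks for braces on both arms. A one-line comment on why the command is staged on the stack before the `memcpy()` into `rq->cmd` would help, since the hunk does not say.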
24843 @@ -282,7 +290,7 @@ bsg_map_hdr(struct bsg_device *bd, struc
24844 rq->next_rq = next_rq;
24845 next_rq->cmd_type = rq->cmd_type;
24846
24847 - dxferp = (void*)(unsigned long)hdr->din_xferp;
24848 + dxferp = (void __user *)(unsigned long)hdr->din_xferp;
24849 ret = blk_rq_map_user(q, next_rq, NULL, dxferp,
24850 hdr->din_xfer_len, GFP_KERNEL);
24851 if (ret)
24852 @@ -291,10 +299,10 @@ bsg_map_hdr(struct bsg_device *bd, struc
24853
24854 if (hdr->dout_xfer_len) {
24855 dxfer_len = hdr->dout_xfer_len;
24856 - dxferp = (void*)(unsigned long)hdr->dout_xferp;
24857 + dxferp = (void __user *)(unsigned long)hdr->dout_xferp;
24858 } else if (hdr->din_xfer_len) {
24859 dxfer_len = hdr->din_xfer_len;
24860 - dxferp = (void*)(unsigned long)hdr->din_xferp;
24861 + dxferp = (void __user *)(unsigned long)hdr->din_xferp;
24862 } else
24863 dxfer_len = 0;
24864
24865 @@ -436,7 +444,7 @@ static int blk_complete_sgv4_hdr_rq(stru
24866 int len = min_t(unsigned int, hdr->max_response_len,
24867 rq->sense_len);
24868
24869 - ret = copy_to_user((void*)(unsigned long)hdr->response,
24870 + ret = copy_to_user((void __user *)(unsigned long)hdr->response,
24871 rq->sense, len);
24872 if (!ret)
24873 hdr->response_len = len;
24874 diff -urNp linux-2.6.32.46/block/compat_ioctl.c linux-2.6.32.46/block/compat_ioctl.c
24875 --- linux-2.6.32.46/block/compat_ioctl.c 2011-03-27 14:31:47.000000000 -0400
24876 +++ linux-2.6.32.46/block/compat_ioctl.c 2011-10-06 09:37:14.000000000 -0400
24877 @@ -354,7 +354,7 @@ static int compat_fd_ioctl(struct block_
24878 err |= __get_user(f->spec1, &uf->spec1);
24879 err |= __get_user(f->fmt_gap, &uf->fmt_gap);
24880 err |= __get_user(name, &uf->name);
24881 - f->name = compat_ptr(name);
24882 + f->name = (void __force_kernel *)compat_ptr(name);
24883 if (err) {
24884 err = -EFAULT;
24885 goto out;
24886 diff -urNp linux-2.6.32.46/block/elevator.c linux-2.6.32.46/block/elevator.c
24887 --- linux-2.6.32.46/block/elevator.c 2011-03-27 14:31:47.000000000 -0400
24888 +++ linux-2.6.32.46/block/elevator.c 2011-04-17 15:56:46.000000000 -0400
24889 @@ -889,7 +889,7 @@ elv_attr_store(struct kobject *kobj, str
24890 return error;
24891 }
24892
24893 -static struct sysfs_ops elv_sysfs_ops = {
24894 +static const struct sysfs_ops elv_sysfs_ops = {
24895 .show = elv_attr_show,
24896 .store = elv_attr_store,
24897 };
24898 diff -urNp linux-2.6.32.46/block/scsi_ioctl.c linux-2.6.32.46/block/scsi_ioctl.c
24899 --- linux-2.6.32.46/block/scsi_ioctl.c 2011-03-27 14:31:47.000000000 -0400
24900 +++ linux-2.6.32.46/block/scsi_ioctl.c 2011-04-23 13:28:22.000000000 -0400
24901 @@ -220,8 +220,20 @@ EXPORT_SYMBOL(blk_verify_command);
24902 static int blk_fill_sghdr_rq(struct request_queue *q, struct request *rq,
24903 struct sg_io_hdr *hdr, fmode_t mode)
24904 {
24905 - if (copy_from_user(rq->cmd, hdr->cmdp, hdr->cmd_len))
24906 + unsigned char tmpcmd[sizeof(rq->__cmd)];
24907 + unsigned char *cmdptr;
24908 +
24909 + if (rq->cmd != rq->__cmd)
24910 + cmdptr = rq->cmd;
24911 + else
24912 + cmdptr = tmpcmd;
24913 +
24914 + if (copy_from_user(cmdptr, hdr->cmdp, hdr->cmd_len))
24915 return -EFAULT;
24916 +
24917 + if (cmdptr != rq->cmd)
24918 + memcpy(rq->cmd, cmdptr, hdr->cmd_len);
24919 +
24920 if (blk_verify_command(rq->cmd, mode & FMODE_WRITE))
24921 return -EPERM;
24922
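Review bot: `copy_from_user(cmdptr, hdr->cmdp, hdr->cmd_len)` can now target the fixed-size stack array `tmpcmd`, and nothing in blk_fill_sghdr_rq() bounds `hdr->cmd_len`; the function depends on its caller having rejected or reallocated for lengths above `sizeof(rq->__cmd)`, which is not visible in the hunk. A local guard keeps the function safe on its own: `if (cmdptr == tmpcmd && hdr->cmd_len > sizeof(tmpcmd)) return -EINVAL;`. The sg_scsi_ioctl() hunks below use the same staging pattern with `cmdlen`, whose derivation is also outside the hunk, and would take the same guard routed through `goto error`. The function continues past the end of the hunk.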
24923 @@ -430,6 +442,8 @@ int sg_scsi_ioctl(struct request_queue *
24924 int err;
24925 unsigned int in_len, out_len, bytes, opcode, cmdlen;
24926 char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];
24927 + unsigned char tmpcmd[sizeof(rq->__cmd)];
24928 + unsigned char *cmdptr;
24929
24930 if (!sic)
24931 return -EINVAL;
24932 @@ -463,9 +477,18 @@ int sg_scsi_ioctl(struct request_queue *
24933 */
24934 err = -EFAULT;
24935 rq->cmd_len = cmdlen;
24936 - if (copy_from_user(rq->cmd, sic->data, cmdlen))
24937 +
24938 + if (rq->cmd != rq->__cmd)
24939 + cmdptr = rq->cmd;
24940 + else
24941 + cmdptr = tmpcmd;
24942 +
24943 + if (copy_from_user(cmdptr, sic->data, cmdlen))
24944 goto error;
24945
24946 + if (rq->cmd != cmdptr)
24947 + memcpy(rq->cmd, cmdptr, cmdlen);
24948 +
24949 if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
24950 goto error;
24951
24952 diff -urNp linux-2.6.32.46/crypto/cryptd.c linux-2.6.32.46/crypto/cryptd.c
24953 --- linux-2.6.32.46/crypto/cryptd.c 2011-03-27 14:31:47.000000000 -0400
24954 +++ linux-2.6.32.46/crypto/cryptd.c 2011-08-23 21:22:32.000000000 -0400
24955 @@ -50,7 +50,7 @@ struct cryptd_blkcipher_ctx {
24956
24957 struct cryptd_blkcipher_request_ctx {
24958 crypto_completion_t complete;
24959 -};
24960 +} __no_const;
24961
24962 struct cryptd_hash_ctx {
24963 struct crypto_shash *child;
24964 diff -urNp linux-2.6.32.46/crypto/gf128mul.c linux-2.6.32.46/crypto/gf128mul.c
24965 --- linux-2.6.32.46/crypto/gf128mul.c 2011-03-27 14:31:47.000000000 -0400
24966 +++ linux-2.6.32.46/crypto/gf128mul.c 2011-07-06 19:53:33.000000000 -0400
24967 @@ -182,7 +182,7 @@ void gf128mul_lle(be128 *r, const be128
24968 for (i = 0; i < 7; ++i)
24969 gf128mul_x_lle(&p[i + 1], &p[i]);
24970
24971 - memset(r, 0, sizeof(r));
24972 + memset(r, 0, sizeof(*r));
24973 for (i = 0;;) {
24974 u8 ch = ((u8 *)b)[15 - i];
24975
24976 @@ -220,7 +220,7 @@ void gf128mul_bbe(be128 *r, const be128
24977 for (i = 0; i < 7; ++i)
24978 gf128mul_x_bbe(&p[i + 1], &p[i]);
24979
24980 - memset(r, 0, sizeof(r));
24981 + memset(r, 0, sizeof(*r));
24982 for (i = 0;;) {
24983 u8 ch = ((u8 *)b)[i];
24984
24985 diff -urNp linux-2.6.32.46/crypto/serpent.c linux-2.6.32.46/crypto/serpent.c
24986 --- linux-2.6.32.46/crypto/serpent.c 2011-03-27 14:31:47.000000000 -0400
24987 +++ linux-2.6.32.46/crypto/serpent.c 2011-08-18 23:59:56.000000000 -0400
24988 @@ -21,6 +21,7 @@
24989 #include <asm/byteorder.h>
24990 #include <linux/crypto.h>
24991 #include <linux/types.h>
24992 +#include <linux/sched.h>
24993
24994 /* Key is padded to the maximum of 256 bits before round key generation.
24995 * Any key length <= 256 bits (32 bytes) is allowed by the algorithm.
24996 @@ -224,6 +225,8 @@ static int serpent_setkey(struct crypto_
24997 u32 r0,r1,r2,r3,r4;
24998 int i;
24999
25000 + pax_track_stack();
25001 +
25002 /* Copy key, add padding */
25003
25004 for (i = 0; i < keylen; ++i)
25005 diff -urNp linux-2.6.32.46/Documentation/dontdiff linux-2.6.32.46/Documentation/dontdiff
25006 --- linux-2.6.32.46/Documentation/dontdiff 2011-03-27 14:31:47.000000000 -0400
25007 +++ linux-2.6.32.46/Documentation/dontdiff 2011-08-21 18:59:02.000000000 -0400
25008 @@ -1,13 +1,16 @@
25009 *.a
25010 *.aux
25011 *.bin
25012 +*.cis
25013 *.cpio
25014 *.csp
25015 +*.dbg
25016 *.dsp
25017 *.dvi
25018 *.elf
25019 *.eps
25020 *.fw
25021 +*.gcno
25022 *.gen.S
25023 *.gif
25024 *.grep
25025 @@ -38,8 +41,10 @@
25026 *.tab.h
25027 *.tex
25028 *.ver
25029 +*.vim
25030 *.xml
25031 *_MODULES
25032 +*_reg_safe.h
25033 *_vga16.c
25034 *~
25035 *.9
25036 @@ -49,11 +54,16 @@
25037 53c700_d.h
25038 CVS
25039 ChangeSet
25040 +GPATH
25041 +GRTAGS
25042 +GSYMS
25043 +GTAGS
25044 Image
25045 Kerntypes
25046 Module.markers
25047 Module.symvers
25048 PENDING
25049 +PERF*
25050 SCCS
25051 System.map*
25052 TAGS
25053 @@ -76,7 +86,11 @@ btfixupprep
25054 build
25055 bvmlinux
25056 bzImage*
25057 +capability_names.h
25058 +capflags.c
25059 classlist.h*
25060 +clut_vga16.c
25061 +common-cmds.h
25062 comp*.log
25063 compile.h*
25064 conf
25065 @@ -97,19 +111,21 @@ elfconfig.h*
25066 fixdep
25067 fore200e_mkfirm
25068 fore200e_pca_fw.c*
25069 +gate.lds
25070 gconf
25071 gen-devlist
25072 gen_crc32table
25073 gen_init_cpio
25074 genksyms
25075 *_gray256.c
25076 +hash
25077 ihex2fw
25078 ikconfig.h*
25079 initramfs_data.cpio
25080 +initramfs_data.cpio.bz2
25081 initramfs_data.cpio.gz
25082 initramfs_list
25083 kallsyms
25084 -kconfig
25085 keywords.c
25086 ksym.c*
25087 ksym.h*
25088 @@ -133,7 +149,9 @@ mkboot
25089 mkbugboot
25090 mkcpustr
25091 mkdep
25092 +mkpiggy
25093 mkprep
25094 +mkregtable
25095 mktables
25096 mktree
25097 modpost
25098 @@ -149,6 +167,7 @@ patches*
25099 pca200e.bin
25100 pca200e_ecd.bin2
25101 piggy.gz
25102 +piggy.S
25103 piggyback
25104 pnmtologo
25105 ppc_defs.h*
25106 @@ -157,12 +176,15 @@ qconf
25107 raid6altivec*.c
25108 raid6int*.c
25109 raid6tables.c
25110 +regdb.c
25111 relocs
25112 +rlim_names.h
25113 series
25114 setup
25115 setup.bin
25116 setup.elf
25117 sImage
25118 +slabinfo
25119 sm_tbl*
25120 split-include
25121 syscalltab.h
25122 @@ -186,14 +208,20 @@ version.h*
25123 vmlinux
25124 vmlinux-*
25125 vmlinux.aout
25126 +vmlinux.bin.all
25127 +vmlinux.bin.bz2
25128 vmlinux.lds
25129 +vmlinux.relocs
25130 +voffset.h
25131 vsyscall.lds
25132 vsyscall_32.lds
25133 wanxlfw.inc
25134 uImage
25135 unifdef
25136 +utsrelease.h
25137 wakeup.bin
25138 wakeup.elf
25139 wakeup.lds
25140 zImage*
25141 zconf.hash.c
25142 +zoffset.h
25143 diff -urNp linux-2.6.32.46/Documentation/kernel-parameters.txt linux-2.6.32.46/Documentation/kernel-parameters.txt
25144 --- linux-2.6.32.46/Documentation/kernel-parameters.txt 2011-03-27 14:31:47.000000000 -0400
25145 +++ linux-2.6.32.46/Documentation/kernel-parameters.txt 2011-04-17 15:56:45.000000000 -0400
25146 @@ -1837,6 +1837,13 @@ and is between 256 and 4096 characters.
25147 the specified number of seconds. This is to be used if
25148 your oopses keep scrolling off the screen.
25149
25150 + pax_nouderef [X86] disables UDEREF. Most likely needed under certain
25151 + virtualization environments that don't cope well with the
25152 + expand down segment used by UDEREF on X86-32 or the frequent
25153 + page table updates on X86-64.
25154 +
25155 + pax_softmode= 0/1 to disable/enable PaX softmode on boot already.
25156 +
25157 pcbit= [HW,ISDN]
25158
25159 pcd. [PARIDE]
25160 diff -urNp linux-2.6.32.46/drivers/acpi/acpi_pad.c linux-2.6.32.46/drivers/acpi/acpi_pad.c
25161 --- linux-2.6.32.46/drivers/acpi/acpi_pad.c 2011-03-27 14:31:47.000000000 -0400
25162 +++ linux-2.6.32.46/drivers/acpi/acpi_pad.c 2011-04-17 15:56:46.000000000 -0400
25163 @@ -30,7 +30,7 @@
25164 #include <acpi/acpi_bus.h>
25165 #include <acpi/acpi_drivers.h>
25166
25167 -#define ACPI_PROCESSOR_AGGREGATOR_CLASS "processor_aggregator"
25168 +#define ACPI_PROCESSOR_AGGREGATOR_CLASS "acpi_pad"
25169 #define ACPI_PROCESSOR_AGGREGATOR_DEVICE_NAME "Processor Aggregator"
25170 #define ACPI_PROCESSOR_AGGREGATOR_NOTIFY 0x80
25171 static DEFINE_MUTEX(isolated_cpus_lock);
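Review bot: The shortened value of `ACPI_PROCESSOR_AGGREGATOR_CLASS` carries no explanation, and nothing stops a later edit from lengthening it again. The old literal is 20 characters before the terminator, so the rename presumably exists to make the string fit the fixed-size ACPI device-class buffer it gets copied into (the copy is not in this hunk). A comment such as `/* must fit in acpi_device_class, terminator included */` would record that, and a `BUILD_BUG_ON(sizeof(ACPI_PROCESSOR_AGGREGATOR_CLASS) > sizeof(acpi_device_class));` next to the copy would enforce it. The same applies to `ACPI_SMB_HC_CLASS` in the drivers/acpi/sbshc.c hunk.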
25172 diff -urNp linux-2.6.32.46/drivers/acpi/battery.c linux-2.6.32.46/drivers/acpi/battery.c
25173 --- linux-2.6.32.46/drivers/acpi/battery.c 2011-03-27 14:31:47.000000000 -0400
25174 +++ linux-2.6.32.46/drivers/acpi/battery.c 2011-04-17 15:56:46.000000000 -0400
25175 @@ -763,7 +763,7 @@ DECLARE_FILE_FUNCTIONS(alarm);
25176 }
25177
25178 static struct battery_file {
25179 - struct file_operations ops;
25180 + const struct file_operations ops;
25181 mode_t mode;
25182 const char *name;
25183 } acpi_battery_file[] = {
25184 diff -urNp linux-2.6.32.46/drivers/acpi/dock.c linux-2.6.32.46/drivers/acpi/dock.c
25185 --- linux-2.6.32.46/drivers/acpi/dock.c 2011-03-27 14:31:47.000000000 -0400
25186 +++ linux-2.6.32.46/drivers/acpi/dock.c 2011-04-17 15:56:46.000000000 -0400
25187 @@ -77,7 +77,7 @@ struct dock_dependent_device {
25188 struct list_head list;
25189 struct list_head hotplug_list;
25190 acpi_handle handle;
25191 - struct acpi_dock_ops *ops;
25192 + const struct acpi_dock_ops *ops;
25193 void *context;
25194 };
25195
25196 @@ -605,7 +605,7 @@ EXPORT_SYMBOL_GPL(unregister_dock_notifi
25197 * the dock driver after _DCK is executed.
25198 */
25199 int
25200 -register_hotplug_dock_device(acpi_handle handle, struct acpi_dock_ops *ops,
25201 +register_hotplug_dock_device(acpi_handle handle, const struct acpi_dock_ops *ops,
25202 void *context)
25203 {
25204 struct dock_dependent_device *dd;
25205 diff -urNp linux-2.6.32.46/drivers/acpi/osl.c linux-2.6.32.46/drivers/acpi/osl.c
25206 --- linux-2.6.32.46/drivers/acpi/osl.c 2011-03-27 14:31:47.000000000 -0400
25207 +++ linux-2.6.32.46/drivers/acpi/osl.c 2011-04-17 15:56:46.000000000 -0400
25208 @@ -523,6 +523,8 @@ acpi_os_read_memory(acpi_physical_addres
25209 void __iomem *virt_addr;
25210
25211 virt_addr = ioremap(phys_addr, width);
25212 + if (!virt_addr)
25213 + return AE_NO_MEMORY;
25214 if (!value)
25215 value = &dummy;
25216
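Review bot: The length passed to `ioremap()` still looks wrong after the added NULL check. `width` is treated as a bit count by the `switch (width)` / `case 8:` visible in the acpi_os_write_memory hunk, yet it is handed to `ioremap()` as a byte length, so each access maps eight times what it touches. `virt_addr = ioremap(phys_addr, width / 8);` in both functions would match the access size. The new early return itself is fine, since nothing has been mapped at that point; both function bodies continue outside the hunks.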
25217 @@ -551,6 +553,8 @@ acpi_os_write_memory(acpi_physical_addre
25218 void __iomem *virt_addr;
25219
25220 virt_addr = ioremap(phys_addr, width);
25221 + if (!virt_addr)
25222 + return AE_NO_MEMORY;
25223
25224 switch (width) {
25225 case 8:
25226 diff -urNp linux-2.6.32.46/drivers/acpi/power_meter.c linux-2.6.32.46/drivers/acpi/power_meter.c
25227 --- linux-2.6.32.46/drivers/acpi/power_meter.c 2011-03-27 14:31:47.000000000 -0400
25228 +++ linux-2.6.32.46/drivers/acpi/power_meter.c 2011-04-17 15:56:46.000000000 -0400
25229 @@ -315,8 +315,6 @@ static ssize_t set_trip(struct device *d
25230 return res;
25231
25232 temp /= 1000;
25233 - if (temp < 0)
25234 - return -EINVAL;
25235
25236 mutex_lock(&resource->lock);
25237 resource->trip[attr->index - 7] = temp;
25238 diff -urNp linux-2.6.32.46/drivers/acpi/proc.c linux-2.6.32.46/drivers/acpi/proc.c
25239 --- linux-2.6.32.46/drivers/acpi/proc.c 2011-03-27 14:31:47.000000000 -0400
25240 +++ linux-2.6.32.46/drivers/acpi/proc.c 2011-04-17 15:56:46.000000000 -0400
25241 @@ -391,20 +391,15 @@ acpi_system_write_wakeup_device(struct f
25242 size_t count, loff_t * ppos)
25243 {
25244 struct list_head *node, *next;
25245 - char strbuf[5];
25246 - char str[5] = "";
25247 - unsigned int len = count;
25248 + char strbuf[5] = {0};
25249 struct acpi_device *found_dev = NULL;
25250
25251 - if (len > 4)
25252 - len = 4;
25253 - if (len < 0)
25254 - return -EFAULT;
25255 + if (count > 4)
25256 + count = 4;
25257
25258 - if (copy_from_user(strbuf, buffer, len))
25259 + if (copy_from_user(strbuf, buffer, count))
25260 return -EFAULT;
25261 - strbuf[len] = '\0';
25262 - sscanf(strbuf, "%s", str);
25263 + strbuf[count] = '\0';
25264
25265 mutex_lock(&acpi_device_lock);
25266 list_for_each_safe(node, next, &acpi_wakeup_device_list) {
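Review bot: Dropping the `sscanf(strbuf, "%s", str)` step means the buffer compared in the next hunk is no longer stripped of whitespace. A write that ends in a newline will then fail to match a bus id shorter than four characters, because `strncmp(dev->pnp.bus_id, strbuf, 4)` compares the id's terminator against `'\n'`. Trimming after the copy keeps the old behaviour for that case, e.g. `if (count && strbuf[count - 1] == '\n') strbuf[count - 1] = '\0';`. `count` is also clamped in place now; if the function returns it further down (outside the hunk), callers see a short write for longer input, so a separate local length would be cleaner.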
25267 @@ -413,7 +408,7 @@ acpi_system_write_wakeup_device(struct f
25268 if (!dev->wakeup.flags.valid)
25269 continue;
25270
25271 - if (!strncmp(dev->pnp.bus_id, str, 4)) {
25272 + if (!strncmp(dev->pnp.bus_id, strbuf, 4)) {
25273 dev->wakeup.state.enabled =
25274 dev->wakeup.state.enabled ? 0 : 1;
25275 found_dev = dev;
25276 diff -urNp linux-2.6.32.46/drivers/acpi/processor_core.c linux-2.6.32.46/drivers/acpi/processor_core.c
25277 --- linux-2.6.32.46/drivers/acpi/processor_core.c 2011-03-27 14:31:47.000000000 -0400
25278 +++ linux-2.6.32.46/drivers/acpi/processor_core.c 2011-04-17 15:56:46.000000000 -0400
25279 @@ -790,7 +790,7 @@ static int __cpuinit acpi_processor_add(
25280 return 0;
25281 }
25282
25283 - BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
25284 + BUG_ON(pr->id >= nr_cpu_ids);
25285
25286 /*
25287 * Buggy BIOS check
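Review bot: Removing `pr->id < 0` from the `BUG_ON()` is only equivalent if `pr->id` has an unsigned type, which this hunk does not show. If the field is signed, a negative id now passes the check and reaches whatever uses it as a CPU number further down in acpi_processor_add (outside the hunk). A comment on the remaining line, along the lines of `/* pr->id is unsigned: an invalid id wraps and is caught by the upper bound */`, would pin the assumption once it has been confirmed against the struct definition.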
25288 diff -urNp linux-2.6.32.46/drivers/acpi/sbshc.c linux-2.6.32.46/drivers/acpi/sbshc.c
25289 --- linux-2.6.32.46/drivers/acpi/sbshc.c 2011-03-27 14:31:47.000000000 -0400
25290 +++ linux-2.6.32.46/drivers/acpi/sbshc.c 2011-04-17 15:56:46.000000000 -0400
25291 @@ -17,7 +17,7 @@
25292
25293 #define PREFIX "ACPI: "
25294
25295 -#define ACPI_SMB_HC_CLASS "smbus_host_controller"
25296 +#define ACPI_SMB_HC_CLASS "smbus_host_ctl"
25297 #define ACPI_SMB_HC_DEVICE_NAME "ACPI SMBus HC"
25298
25299 struct acpi_smb_hc {
25300 diff -urNp linux-2.6.32.46/drivers/acpi/sleep.c linux-2.6.32.46/drivers/acpi/sleep.c
25301 --- linux-2.6.32.46/drivers/acpi/sleep.c 2011-03-27 14:31:47.000000000 -0400
25302 +++ linux-2.6.32.46/drivers/acpi/sleep.c 2011-04-17 15:56:46.000000000 -0400
25303 @@ -283,7 +283,7 @@ static int acpi_suspend_state_valid(susp
25304 }
25305 }
25306
25307 -static struct platform_suspend_ops acpi_suspend_ops = {
25308 +static const struct platform_suspend_ops acpi_suspend_ops = {
25309 .valid = acpi_suspend_state_valid,
25310 .begin = acpi_suspend_begin,
25311 .prepare_late = acpi_pm_prepare,
25312 @@ -311,7 +311,7 @@ static int acpi_suspend_begin_old(suspen
25313 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
25314 * been requested.
25315 */
25316 -static struct platform_suspend_ops acpi_suspend_ops_old = {
25317 +static const struct platform_suspend_ops acpi_suspend_ops_old = {
25318 .valid = acpi_suspend_state_valid,
25319 .begin = acpi_suspend_begin_old,
25320 .prepare_late = acpi_pm_disable_gpes,
25321 @@ -460,7 +460,7 @@ static void acpi_pm_enable_gpes(void)
25322 acpi_enable_all_runtime_gpes();
25323 }
25324
25325 -static struct platform_hibernation_ops acpi_hibernation_ops = {
25326 +static const struct platform_hibernation_ops acpi_hibernation_ops = {
25327 .begin = acpi_hibernation_begin,
25328 .end = acpi_pm_end,
25329 .pre_snapshot = acpi_hibernation_pre_snapshot,
25330 @@ -513,7 +513,7 @@ static int acpi_hibernation_pre_snapshot
25331 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
25332 * been requested.
25333 */
25334 -static struct platform_hibernation_ops acpi_hibernation_ops_old = {
25335 +static const struct platform_hibernation_ops acpi_hibernation_ops_old = {
25336 .begin = acpi_hibernation_begin_old,
25337 .end = acpi_pm_end,
25338 .pre_snapshot = acpi_hibernation_pre_snapshot_old,
25339 diff -urNp linux-2.6.32.46/drivers/acpi/video.c linux-2.6.32.46/drivers/acpi/video.c
25340 --- linux-2.6.32.46/drivers/acpi/video.c 2011-03-27 14:31:47.000000000 -0400
25341 +++ linux-2.6.32.46/drivers/acpi/video.c 2011-04-17 15:56:46.000000000 -0400
25342 @@ -359,7 +359,7 @@ static int acpi_video_set_brightness(str
25343 vd->brightness->levels[request_level]);
25344 }
25345
25346 -static struct backlight_ops acpi_backlight_ops = {
25347 +static const struct backlight_ops acpi_backlight_ops = {
25348 .get_brightness = acpi_video_get_brightness,
25349 .update_status = acpi_video_set_brightness,
25350 };
25351 diff -urNp linux-2.6.32.46/drivers/ata/ahci.c linux-2.6.32.46/drivers/ata/ahci.c
25352 --- linux-2.6.32.46/drivers/ata/ahci.c 2011-03-27 14:31:47.000000000 -0400
25353 +++ linux-2.6.32.46/drivers/ata/ahci.c 2011-04-23 12:56:10.000000000 -0400
25354 @@ -387,7 +387,7 @@ static struct scsi_host_template ahci_sh
25355 .sdev_attrs = ahci_sdev_attrs,
25356 };
25357
25358 -static struct ata_port_operations ahci_ops = {
25359 +static const struct ata_port_operations ahci_ops = {
25360 .inherits = &sata_pmp_port_ops,
25361
25362 .qc_defer = sata_pmp_qc_defer_cmd_switch,
25363 @@ -424,17 +424,17 @@ static struct ata_port_operations ahci_o
25364 .port_stop = ahci_port_stop,
25365 };
25366
25367 -static struct ata_port_operations ahci_vt8251_ops = {
25368 +static const struct ata_port_operations ahci_vt8251_ops = {
25369 .inherits = &ahci_ops,
25370 .hardreset = ahci_vt8251_hardreset,
25371 };
25372
25373 -static struct ata_port_operations ahci_p5wdh_ops = {
25374 +static const struct ata_port_operations ahci_p5wdh_ops = {
25375 .inherits = &ahci_ops,
25376 .hardreset = ahci_p5wdh_hardreset,
25377 };
25378
25379 -static struct ata_port_operations ahci_sb600_ops = {
25380 +static const struct ata_port_operations ahci_sb600_ops = {
25381 .inherits = &ahci_ops,
25382 .softreset = ahci_sb600_softreset,
25383 .pmp_softreset = ahci_sb600_softreset,
25384 diff -urNp linux-2.6.32.46/drivers/ata/ata_generic.c linux-2.6.32.46/drivers/ata/ata_generic.c
25385 --- linux-2.6.32.46/drivers/ata/ata_generic.c 2011-03-27 14:31:47.000000000 -0400
25386 +++ linux-2.6.32.46/drivers/ata/ata_generic.c 2011-04-17 15:56:46.000000000 -0400
25387 @@ -104,7 +104,7 @@ static struct scsi_host_template generic
25388 ATA_BMDMA_SHT(DRV_NAME),
25389 };
25390
25391 -static struct ata_port_operations generic_port_ops = {
25392 +static const struct ata_port_operations generic_port_ops = {
25393 .inherits = &ata_bmdma_port_ops,
25394 .cable_detect = ata_cable_unknown,
25395 .set_mode = generic_set_mode,
25396 diff -urNp linux-2.6.32.46/drivers/ata/ata_piix.c linux-2.6.32.46/drivers/ata/ata_piix.c
25397 --- linux-2.6.32.46/drivers/ata/ata_piix.c 2011-03-27 14:31:47.000000000 -0400
25398 +++ linux-2.6.32.46/drivers/ata/ata_piix.c 2011-04-23 12:56:10.000000000 -0400
25399 @@ -318,7 +318,7 @@ static struct scsi_host_template piix_sh
25400 ATA_BMDMA_SHT(DRV_NAME),
25401 };
25402
25403 -static struct ata_port_operations piix_pata_ops = {
25404 +static const struct ata_port_operations piix_pata_ops = {
25405 .inherits = &ata_bmdma32_port_ops,
25406 .cable_detect = ata_cable_40wire,
25407 .set_piomode = piix_set_piomode,
25408 @@ -326,22 +326,22 @@ static struct ata_port_operations piix_p
25409 .prereset = piix_pata_prereset,
25410 };
25411
25412 -static struct ata_port_operations piix_vmw_ops = {
25413 +static const struct ata_port_operations piix_vmw_ops = {
25414 .inherits = &piix_pata_ops,
25415 .bmdma_status = piix_vmw_bmdma_status,
25416 };
25417
25418 -static struct ata_port_operations ich_pata_ops = {
25419 +static const struct ata_port_operations ich_pata_ops = {
25420 .inherits = &piix_pata_ops,
25421 .cable_detect = ich_pata_cable_detect,
25422 .set_dmamode = ich_set_dmamode,
25423 };
25424
25425 -static struct ata_port_operations piix_sata_ops = {
25426 +static const struct ata_port_operations piix_sata_ops = {
25427 .inherits = &ata_bmdma_port_ops,
25428 };
25429
25430 -static struct ata_port_operations piix_sidpr_sata_ops = {
25431 +static const struct ata_port_operations piix_sidpr_sata_ops = {
25432 .inherits = &piix_sata_ops,
25433 .hardreset = sata_std_hardreset,
25434 .scr_read = piix_sidpr_scr_read,
25435 diff -urNp linux-2.6.32.46/drivers/ata/libata-acpi.c linux-2.6.32.46/drivers/ata/libata-acpi.c
25436 --- linux-2.6.32.46/drivers/ata/libata-acpi.c 2011-03-27 14:31:47.000000000 -0400
25437 +++ linux-2.6.32.46/drivers/ata/libata-acpi.c 2011-04-17 15:56:46.000000000 -0400
25438 @@ -223,12 +223,12 @@ static void ata_acpi_dev_uevent(acpi_han
25439 ata_acpi_uevent(dev->link->ap, dev, event);
25440 }
25441
25442 -static struct acpi_dock_ops ata_acpi_dev_dock_ops = {
25443 +static const struct acpi_dock_ops ata_acpi_dev_dock_ops = {
25444 .handler = ata_acpi_dev_notify_dock,
25445 .uevent = ata_acpi_dev_uevent,
25446 };
25447
25448 -static struct acpi_dock_ops ata_acpi_ap_dock_ops = {
25449 +static const struct acpi_dock_ops ata_acpi_ap_dock_ops = {
25450 .handler = ata_acpi_ap_notify_dock,
25451 .uevent = ata_acpi_ap_uevent,
25452 };
25453 diff -urNp linux-2.6.32.46/drivers/ata/libata-core.c linux-2.6.32.46/drivers/ata/libata-core.c
25454 --- linux-2.6.32.46/drivers/ata/libata-core.c 2011-03-27 14:31:47.000000000 -0400
25455 +++ linux-2.6.32.46/drivers/ata/libata-core.c 2011-08-05 20:33:55.000000000 -0400
25456 @@ -4954,7 +4954,7 @@ void ata_qc_free(struct ata_queued_cmd *
25457 struct ata_port *ap;
25458 unsigned int tag;
25459
25460 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
25461 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
25462 ap = qc->ap;
25463
25464 qc->flags = 0;
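Review bot: `BUG_ON(qc == NULL)` turns a condition the trailing comment itself says can happen into a guaranteed halt, and the line after it dereferences `qc` either way. In `ata_qc_free()` a guard such as `if (WARN_ON_ONCE(qc == NULL)) return;` would avoid the NULL dereference without taking the machine down; the same applies to `__ata_qc_complete()` in the next hunk. If halting is the intended policy, the comment should say so rather than repeat the old "might return NULL" wording. Both function bodies continue outside the hunks.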
25465 @@ -4970,7 +4970,7 @@ void __ata_qc_complete(struct ata_queued
25466 struct ata_port *ap;
25467 struct ata_link *link;
25468
25469 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
25470 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
25471 WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
25472 ap = qc->ap;
25473 link = qc->dev->link;
25474 @@ -5987,7 +5987,7 @@ static void ata_host_stop(struct device
25475 * LOCKING:
25476 * None.
25477 */
25478 -static void ata_finalize_port_ops(struct ata_port_operations *ops)
25479 +static void ata_finalize_port_ops(const struct ata_port_operations *ops)
25480 {
25481 static DEFINE_SPINLOCK(lock);
25482 const struct ata_port_operations *cur;
25483 @@ -5999,6 +5999,7 @@ static void ata_finalize_port_ops(struct
25484 return;
25485
25486 spin_lock(&lock);
25487 + pax_open_kernel();
25488
25489 for (cur = ops->inherits; cur; cur = cur->inherits) {
25490 void **inherit = (void **)cur;
25491 @@ -6012,8 +6013,9 @@ static void ata_finalize_port_ops(struct
25492 if (IS_ERR(*pp))
25493 *pp = NULL;
25494
25495 - ops->inherits = NULL;
25496 + *(struct ata_port_operations **)&ops->inherits = NULL;
25497
25498 + pax_close_kernel();
25499 spin_unlock(&lock);
25500 }
25501
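Review bot: The store `*(struct ata_port_operations **)&ops->inherits = NULL;` writes through a pointer the new signature declares `const`, and the loop above it (partly outside the hunk) appears to patch the inherited slots the same way. This presumably works only because the table is made writable between `pax_open_kernel()` and `pax_close_kernel()`, yet neither the cast nor the bracket is explained. A comment at the open call, e.g. `/* ops tables are const; they are patched once here, under the lock, inside the open/close window */`, would tell the next reader the cast is deliberate. It is also worth confirming that builds without the feature behind `pax_open_kernel()` do not place these now-const tables in write-protected memory, since the store would then fault.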
25502 @@ -6110,7 +6112,7 @@ int ata_host_start(struct ata_host *host
25503 */
25504 /* KILLME - the only user left is ipr */
25505 void ata_host_init(struct ata_host *host, struct device *dev,
25506 - unsigned long flags, struct ata_port_operations *ops)
25507 + unsigned long flags, const struct ata_port_operations *ops)
25508 {
25509 spin_lock_init(&host->lock);
25510 host->dev = dev;
25511 @@ -6773,7 +6775,7 @@ static void ata_dummy_error_handler(stru
25512 /* truly dummy */
25513 }
25514
25515 -struct ata_port_operations ata_dummy_port_ops = {
25516 +const struct ata_port_operations ata_dummy_port_ops = {
25517 .qc_prep = ata_noop_qc_prep,
25518 .qc_issue = ata_dummy_qc_issue,
25519 .error_handler = ata_dummy_error_handler,
25520 diff -urNp linux-2.6.32.46/drivers/ata/libata-eh.c linux-2.6.32.46/drivers/ata/libata-eh.c
25521 --- linux-2.6.32.46/drivers/ata/libata-eh.c 2011-08-09 18:35:28.000000000 -0400
25522 +++ linux-2.6.32.46/drivers/ata/libata-eh.c 2011-08-09 18:33:59.000000000 -0400
25523 @@ -2423,6 +2423,8 @@ void ata_eh_report(struct ata_port *ap)
25524 {
25525 struct ata_link *link;
25526
25527 + pax_track_stack();
25528 +
25529 ata_for_each_link(link, ap, HOST_FIRST)
25530 ata_eh_link_report(link);
25531 }
25532 @@ -3594,7 +3596,7 @@ void ata_do_eh(struct ata_port *ap, ata_
25533 */
25534 void ata_std_error_handler(struct ata_port *ap)
25535 {
25536 - struct ata_port_operations *ops = ap->ops;
25537 + const struct ata_port_operations *ops = ap->ops;
25538 ata_reset_fn_t hardreset = ops->hardreset;
25539
25540 /* ignore built-in hardreset if SCR access is not available */
25541 diff -urNp linux-2.6.32.46/drivers/ata/libata-pmp.c linux-2.6.32.46/drivers/ata/libata-pmp.c
25542 --- linux-2.6.32.46/drivers/ata/libata-pmp.c 2011-03-27 14:31:47.000000000 -0400
25543 +++ linux-2.6.32.46/drivers/ata/libata-pmp.c 2011-04-17 15:56:46.000000000 -0400
25544 @@ -841,7 +841,7 @@ static int sata_pmp_handle_link_fail(str
25545 */
25546 static int sata_pmp_eh_recover(struct ata_port *ap)
25547 {
25548 - struct ata_port_operations *ops = ap->ops;
25549 + const struct ata_port_operations *ops = ap->ops;
25550 int pmp_tries, link_tries[SATA_PMP_MAX_PORTS];
25551 struct ata_link *pmp_link = &ap->link;
25552 struct ata_device *pmp_dev = pmp_link->device;
25553 diff -urNp linux-2.6.32.46/drivers/ata/pata_acpi.c linux-2.6.32.46/drivers/ata/pata_acpi.c
25554 --- linux-2.6.32.46/drivers/ata/pata_acpi.c 2011-03-27 14:31:47.000000000 -0400
25555 +++ linux-2.6.32.46/drivers/ata/pata_acpi.c 2011-04-17 15:56:46.000000000 -0400
25556 @@ -215,7 +215,7 @@ static struct scsi_host_template pacpi_s
25557 ATA_BMDMA_SHT(DRV_NAME),
25558 };
25559
25560 -static struct ata_port_operations pacpi_ops = {
25561 +static const struct ata_port_operations pacpi_ops = {
25562 .inherits = &ata_bmdma_port_ops,
25563 .qc_issue = pacpi_qc_issue,
25564 .cable_detect = pacpi_cable_detect,
25565 diff -urNp linux-2.6.32.46/drivers/ata/pata_ali.c linux-2.6.32.46/drivers/ata/pata_ali.c
25566 --- linux-2.6.32.46/drivers/ata/pata_ali.c 2011-03-27 14:31:47.000000000 -0400
25567 +++ linux-2.6.32.46/drivers/ata/pata_ali.c 2011-04-17 15:56:46.000000000 -0400
25568 @@ -365,7 +365,7 @@ static struct scsi_host_template ali_sht
25569 * Port operations for PIO only ALi
25570 */
25571
25572 -static struct ata_port_operations ali_early_port_ops = {
25573 +static const struct ata_port_operations ali_early_port_ops = {
25574 .inherits = &ata_sff_port_ops,
25575 .cable_detect = ata_cable_40wire,
25576 .set_piomode = ali_set_piomode,
25577 @@ -382,7 +382,7 @@ static const struct ata_port_operations
25578 * Port operations for DMA capable ALi without cable
25579 * detect
25580 */
25581 -static struct ata_port_operations ali_20_port_ops = {
25582 +static const struct ata_port_operations ali_20_port_ops = {
25583 .inherits = &ali_dma_base_ops,
25584 .cable_detect = ata_cable_40wire,
25585 .mode_filter = ali_20_filter,
25586 @@ -393,7 +393,7 @@ static struct ata_port_operations ali_20
25587 /*
25588 * Port operations for DMA capable ALi with cable detect
25589 */
25590 -static struct ata_port_operations ali_c2_port_ops = {
25591 +static const struct ata_port_operations ali_c2_port_ops = {
25592 .inherits = &ali_dma_base_ops,
25593 .check_atapi_dma = ali_check_atapi_dma,
25594 .cable_detect = ali_c2_cable_detect,
25595 @@ -404,7 +404,7 @@ static struct ata_port_operations ali_c2
25596 /*
25597 * Port operations for DMA capable ALi with cable detect
25598 */
25599 -static struct ata_port_operations ali_c4_port_ops = {
25600 +static const struct ata_port_operations ali_c4_port_ops = {
25601 .inherits = &ali_dma_base_ops,
25602 .check_atapi_dma = ali_check_atapi_dma,
25603 .cable_detect = ali_c2_cable_detect,
25604 @@ -414,7 +414,7 @@ static struct ata_port_operations ali_c4
25605 /*
25606 * Port operations for DMA capable ALi with cable detect and LBA48
25607 */
25608 -static struct ata_port_operations ali_c5_port_ops = {
25609 +static const struct ata_port_operations ali_c5_port_ops = {
25610 .inherits = &ali_dma_base_ops,
25611 .check_atapi_dma = ali_check_atapi_dma,
25612 .dev_config = ali_warn_atapi_dma,
25613 diff -urNp linux-2.6.32.46/drivers/ata/pata_amd.c linux-2.6.32.46/drivers/ata/pata_amd.c
25614 --- linux-2.6.32.46/drivers/ata/pata_amd.c 2011-03-27 14:31:47.000000000 -0400
25615 +++ linux-2.6.32.46/drivers/ata/pata_amd.c 2011-04-17 15:56:46.000000000 -0400
25616 @@ -397,28 +397,28 @@ static const struct ata_port_operations
25617 .prereset = amd_pre_reset,
25618 };
25619
25620 -static struct ata_port_operations amd33_port_ops = {
25621 +static const struct ata_port_operations amd33_port_ops = {
25622 .inherits = &amd_base_port_ops,
25623 .cable_detect = ata_cable_40wire,
25624 .set_piomode = amd33_set_piomode,
25625 .set_dmamode = amd33_set_dmamode,
25626 };
25627
25628 -static struct ata_port_operations amd66_port_ops = {
25629 +static const struct ata_port_operations amd66_port_ops = {
25630 .inherits = &amd_base_port_ops,
25631 .cable_detect = ata_cable_unknown,
25632 .set_piomode = amd66_set_piomode,
25633 .set_dmamode = amd66_set_dmamode,
25634 };
25635
25636 -static struct ata_port_operations amd100_port_ops = {
25637 +static const struct ata_port_operations amd100_port_ops = {
25638 .inherits = &amd_base_port_ops,
25639 .cable_detect = ata_cable_unknown,
25640 .set_piomode = amd100_set_piomode,
25641 .set_dmamode = amd100_set_dmamode,
25642 };
25643
25644 -static struct ata_port_operations amd133_port_ops = {
25645 +static const struct ata_port_operations amd133_port_ops = {
25646 .inherits = &amd_base_port_ops,
25647 .cable_detect = amd_cable_detect,
25648 .set_piomode = amd133_set_piomode,
25649 @@ -433,13 +433,13 @@ static const struct ata_port_operations
25650 .host_stop = nv_host_stop,
25651 };
25652
25653 -static struct ata_port_operations nv100_port_ops = {
25654 +static const struct ata_port_operations nv100_port_ops = {
25655 .inherits = &nv_base_port_ops,
25656 .set_piomode = nv100_set_piomode,
25657 .set_dmamode = nv100_set_dmamode,
25658 };
25659
25660 -static struct ata_port_operations nv133_port_ops = {
25661 +static const struct ata_port_operations nv133_port_ops = {
25662 .inherits = &nv_base_port_ops,
25663 .set_piomode = nv133_set_piomode,
25664 .set_dmamode = nv133_set_dmamode,
25665 diff -urNp linux-2.6.32.46/drivers/ata/pata_artop.c linux-2.6.32.46/drivers/ata/pata_artop.c
25666 --- linux-2.6.32.46/drivers/ata/pata_artop.c 2011-03-27 14:31:47.000000000 -0400
25667 +++ linux-2.6.32.46/drivers/ata/pata_artop.c 2011-04-17 15:56:46.000000000 -0400
25668 @@ -311,7 +311,7 @@ static struct scsi_host_template artop_s
25669 ATA_BMDMA_SHT(DRV_NAME),
25670 };
25671
25672 -static struct ata_port_operations artop6210_ops = {
25673 +static const struct ata_port_operations artop6210_ops = {
25674 .inherits = &ata_bmdma_port_ops,
25675 .cable_detect = ata_cable_40wire,
25676 .set_piomode = artop6210_set_piomode,
25677 @@ -320,7 +320,7 @@ static struct ata_port_operations artop6
25678 .qc_defer = artop6210_qc_defer,
25679 };
25680
25681 -static struct ata_port_operations artop6260_ops = {
25682 +static const struct ata_port_operations artop6260_ops = {
25683 .inherits = &ata_bmdma_port_ops,
25684 .cable_detect = artop6260_cable_detect,
25685 .set_piomode = artop6260_set_piomode,
25686 diff -urNp linux-2.6.32.46/drivers/ata/pata_at32.c linux-2.6.32.46/drivers/ata/pata_at32.c
25687 --- linux-2.6.32.46/drivers/ata/pata_at32.c 2011-03-27 14:31:47.000000000 -0400
25688 +++ linux-2.6.32.46/drivers/ata/pata_at32.c 2011-04-17 15:56:46.000000000 -0400
25689 @@ -172,7 +172,7 @@ static struct scsi_host_template at32_sh
25690 ATA_PIO_SHT(DRV_NAME),
25691 };
25692
25693 -static struct ata_port_operations at32_port_ops = {
25694 +static const struct ata_port_operations at32_port_ops = {
25695 .inherits = &ata_sff_port_ops,
25696 .cable_detect = ata_cable_40wire,
25697 .set_piomode = pata_at32_set_piomode,
25698 diff -urNp linux-2.6.32.46/drivers/ata/pata_at91.c linux-2.6.32.46/drivers/ata/pata_at91.c
25699 --- linux-2.6.32.46/drivers/ata/pata_at91.c 2011-03-27 14:31:47.000000000 -0400
25700 +++ linux-2.6.32.46/drivers/ata/pata_at91.c 2011-04-17 15:56:46.000000000 -0400
25701 @@ -195,7 +195,7 @@ static struct scsi_host_template pata_at
25702 ATA_PIO_SHT(DRV_NAME),
25703 };
25704
25705 -static struct ata_port_operations pata_at91_port_ops = {
25706 +static const struct ata_port_operations pata_at91_port_ops = {
25707 .inherits = &ata_sff_port_ops,
25708
25709 .sff_data_xfer = pata_at91_data_xfer_noirq,
25710 diff -urNp linux-2.6.32.46/drivers/ata/pata_atiixp.c linux-2.6.32.46/drivers/ata/pata_atiixp.c
25711 --- linux-2.6.32.46/drivers/ata/pata_atiixp.c 2011-03-27 14:31:47.000000000 -0400
25712 +++ linux-2.6.32.46/drivers/ata/pata_atiixp.c 2011-04-17 15:56:46.000000000 -0400
25713 @@ -205,7 +205,7 @@ static struct scsi_host_template atiixp_
25714 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
25715 };
25716
25717 -static struct ata_port_operations atiixp_port_ops = {
25718 +static const struct ata_port_operations atiixp_port_ops = {
25719 .inherits = &ata_bmdma_port_ops,
25720
25721 .qc_prep = ata_sff_dumb_qc_prep,
25722 diff -urNp linux-2.6.32.46/drivers/ata/pata_atp867x.c linux-2.6.32.46/drivers/ata/pata_atp867x.c
25723 --- linux-2.6.32.46/drivers/ata/pata_atp867x.c 2011-03-27 14:31:47.000000000 -0400
25724 +++ linux-2.6.32.46/drivers/ata/pata_atp867x.c 2011-04-17 15:56:46.000000000 -0400
25725 @@ -274,7 +274,7 @@ static struct scsi_host_template atp867x
25726 ATA_BMDMA_SHT(DRV_NAME),
25727 };
25728
25729 -static struct ata_port_operations atp867x_ops = {
25730 +static const struct ata_port_operations atp867x_ops = {
25731 .inherits = &ata_bmdma_port_ops,
25732 .cable_detect = atp867x_cable_detect,
25733 .set_piomode = atp867x_set_piomode,
25734 diff -urNp linux-2.6.32.46/drivers/ata/pata_bf54x.c linux-2.6.32.46/drivers/ata/pata_bf54x.c
25735 --- linux-2.6.32.46/drivers/ata/pata_bf54x.c 2011-03-27 14:31:47.000000000 -0400
25736 +++ linux-2.6.32.46/drivers/ata/pata_bf54x.c 2011-04-17 15:56:46.000000000 -0400
25737 @@ -1464,7 +1464,7 @@ static struct scsi_host_template bfin_sh
25738 .dma_boundary = ATA_DMA_BOUNDARY,
25739 };
25740
25741 -static struct ata_port_operations bfin_pata_ops = {
25742 +static const struct ata_port_operations bfin_pata_ops = {
25743 .inherits = &ata_sff_port_ops,
25744
25745 .set_piomode = bfin_set_piomode,
25746 diff -urNp linux-2.6.32.46/drivers/ata/pata_cmd640.c linux-2.6.32.46/drivers/ata/pata_cmd640.c
25747 --- linux-2.6.32.46/drivers/ata/pata_cmd640.c 2011-03-27 14:31:47.000000000 -0400
25748 +++ linux-2.6.32.46/drivers/ata/pata_cmd640.c 2011-04-17 15:56:46.000000000 -0400
25749 @@ -168,7 +168,7 @@ static struct scsi_host_template cmd640_
25750 ATA_BMDMA_SHT(DRV_NAME),
25751 };
25752
25753 -static struct ata_port_operations cmd640_port_ops = {
25754 +static const struct ata_port_operations cmd640_port_ops = {
25755 .inherits = &ata_bmdma_port_ops,
25756 /* In theory xfer_noirq is not needed once we kill the prefetcher */
25757 .sff_data_xfer = ata_sff_data_xfer_noirq,
25758 diff -urNp linux-2.6.32.46/drivers/ata/pata_cmd64x.c linux-2.6.32.46/drivers/ata/pata_cmd64x.c
25759 --- linux-2.6.32.46/drivers/ata/pata_cmd64x.c 2011-06-25 12:55:34.000000000 -0400
25760 +++ linux-2.6.32.46/drivers/ata/pata_cmd64x.c 2011-06-25 12:56:37.000000000 -0400
25761 @@ -271,18 +271,18 @@ static const struct ata_port_operations
25762 .set_dmamode = cmd64x_set_dmamode,
25763 };
25764
25765 -static struct ata_port_operations cmd64x_port_ops = {
25766 +static const struct ata_port_operations cmd64x_port_ops = {
25767 .inherits = &cmd64x_base_ops,
25768 .cable_detect = ata_cable_40wire,
25769 };
25770
25771 -static struct ata_port_operations cmd646r1_port_ops = {
25772 +static const struct ata_port_operations cmd646r1_port_ops = {
25773 .inherits = &cmd64x_base_ops,
25774 .bmdma_stop = cmd646r1_bmdma_stop,
25775 .cable_detect = ata_cable_40wire,
25776 };
25777
25778 -static struct ata_port_operations cmd648_port_ops = {
25779 +static const struct ata_port_operations cmd648_port_ops = {
25780 .inherits = &cmd64x_base_ops,
25781 .bmdma_stop = cmd648_bmdma_stop,
25782 .cable_detect = cmd648_cable_detect,
25783 diff -urNp linux-2.6.32.46/drivers/ata/pata_cs5520.c linux-2.6.32.46/drivers/ata/pata_cs5520.c
25784 --- linux-2.6.32.46/drivers/ata/pata_cs5520.c 2011-03-27 14:31:47.000000000 -0400
25785 +++ linux-2.6.32.46/drivers/ata/pata_cs5520.c 2011-04-17 15:56:46.000000000 -0400
25786 @@ -144,7 +144,7 @@ static struct scsi_host_template cs5520_
25787 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
25788 };
25789
25790 -static struct ata_port_operations cs5520_port_ops = {
25791 +static const struct ata_port_operations cs5520_port_ops = {
25792 .inherits = &ata_bmdma_port_ops,
25793 .qc_prep = ata_sff_dumb_qc_prep,
25794 .cable_detect = ata_cable_40wire,
25795 diff -urNp linux-2.6.32.46/drivers/ata/pata_cs5530.c linux-2.6.32.46/drivers/ata/pata_cs5530.c
25796 --- linux-2.6.32.46/drivers/ata/pata_cs5530.c 2011-03-27 14:31:47.000000000 -0400
25797 +++ linux-2.6.32.46/drivers/ata/pata_cs5530.c 2011-04-17 15:56:46.000000000 -0400
25798 @@ -164,7 +164,7 @@ static struct scsi_host_template cs5530_
25799 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
25800 };
25801
25802 -static struct ata_port_operations cs5530_port_ops = {
25803 +static const struct ata_port_operations cs5530_port_ops = {
25804 .inherits = &ata_bmdma_port_ops,
25805
25806 .qc_prep = ata_sff_dumb_qc_prep,
25807 diff -urNp linux-2.6.32.46/drivers/ata/pata_cs5535.c linux-2.6.32.46/drivers/ata/pata_cs5535.c
25808 --- linux-2.6.32.46/drivers/ata/pata_cs5535.c 2011-03-27 14:31:47.000000000 -0400
25809 +++ linux-2.6.32.46/drivers/ata/pata_cs5535.c 2011-04-17 15:56:46.000000000 -0400
25810 @@ -160,7 +160,7 @@ static struct scsi_host_template cs5535_
25811 ATA_BMDMA_SHT(DRV_NAME),
25812 };
25813
25814 -static struct ata_port_operations cs5535_port_ops = {
25815 +static const struct ata_port_operations cs5535_port_ops = {
25816 .inherits = &ata_bmdma_port_ops,
25817 .cable_detect = cs5535_cable_detect,
25818 .set_piomode = cs5535_set_piomode,
25819 diff -urNp linux-2.6.32.46/drivers/ata/pata_cs5536.c linux-2.6.32.46/drivers/ata/pata_cs5536.c
25820 --- linux-2.6.32.46/drivers/ata/pata_cs5536.c 2011-03-27 14:31:47.000000000 -0400
25821 +++ linux-2.6.32.46/drivers/ata/pata_cs5536.c 2011-04-17 15:56:46.000000000 -0400
25822 @@ -223,7 +223,7 @@ static struct scsi_host_template cs5536_
25823 ATA_BMDMA_SHT(DRV_NAME),
25824 };
25825
25826 -static struct ata_port_operations cs5536_port_ops = {
25827 +static const struct ata_port_operations cs5536_port_ops = {
25828 .inherits = &ata_bmdma_port_ops,
25829 .cable_detect = cs5536_cable_detect,
25830 .set_piomode = cs5536_set_piomode,
25831 diff -urNp linux-2.6.32.46/drivers/ata/pata_cypress.c linux-2.6.32.46/drivers/ata/pata_cypress.c
25832 --- linux-2.6.32.46/drivers/ata/pata_cypress.c 2011-03-27 14:31:47.000000000 -0400
25833 +++ linux-2.6.32.46/drivers/ata/pata_cypress.c 2011-04-17 15:56:46.000000000 -0400
25834 @@ -113,7 +113,7 @@ static struct scsi_host_template cy82c69
25835 ATA_BMDMA_SHT(DRV_NAME),
25836 };
25837
25838 -static struct ata_port_operations cy82c693_port_ops = {
25839 +static const struct ata_port_operations cy82c693_port_ops = {
25840 .inherits = &ata_bmdma_port_ops,
25841 .cable_detect = ata_cable_40wire,
25842 .set_piomode = cy82c693_set_piomode,
25843 diff -urNp linux-2.6.32.46/drivers/ata/pata_efar.c linux-2.6.32.46/drivers/ata/pata_efar.c
25844 --- linux-2.6.32.46/drivers/ata/pata_efar.c 2011-03-27 14:31:47.000000000 -0400
25845 +++ linux-2.6.32.46/drivers/ata/pata_efar.c 2011-04-17 15:56:46.000000000 -0400
25846 @@ -222,7 +222,7 @@ static struct scsi_host_template efar_sh
25847 ATA_BMDMA_SHT(DRV_NAME),
25848 };
25849
25850 -static struct ata_port_operations efar_ops = {
25851 +static const struct ata_port_operations efar_ops = {
25852 .inherits = &ata_bmdma_port_ops,
25853 .cable_detect = efar_cable_detect,
25854 .set_piomode = efar_set_piomode,
25855 diff -urNp linux-2.6.32.46/drivers/ata/pata_hpt366.c linux-2.6.32.46/drivers/ata/pata_hpt366.c
25856 --- linux-2.6.32.46/drivers/ata/pata_hpt366.c 2011-06-25 12:55:34.000000000 -0400
25857 +++ linux-2.6.32.46/drivers/ata/pata_hpt366.c 2011-06-25 12:56:37.000000000 -0400
25858 @@ -282,7 +282,7 @@ static struct scsi_host_template hpt36x_
25859 * Configuration for HPT366/68
25860 */
25861
25862 -static struct ata_port_operations hpt366_port_ops = {
25863 +static const struct ata_port_operations hpt366_port_ops = {
25864 .inherits = &ata_bmdma_port_ops,
25865 .cable_detect = hpt36x_cable_detect,
25866 .mode_filter = hpt366_filter,
25867 diff -urNp linux-2.6.32.46/drivers/ata/pata_hpt37x.c linux-2.6.32.46/drivers/ata/pata_hpt37x.c
25868 --- linux-2.6.32.46/drivers/ata/pata_hpt37x.c 2011-06-25 12:55:34.000000000 -0400
25869 +++ linux-2.6.32.46/drivers/ata/pata_hpt37x.c 2011-06-25 12:56:37.000000000 -0400
25870 @@ -576,7 +576,7 @@ static struct scsi_host_template hpt37x_
25871 * Configuration for HPT370
25872 */
25873
25874 -static struct ata_port_operations hpt370_port_ops = {
25875 +static const struct ata_port_operations hpt370_port_ops = {
25876 .inherits = &ata_bmdma_port_ops,
25877
25878 .bmdma_stop = hpt370_bmdma_stop,
25879 @@ -591,7 +591,7 @@ static struct ata_port_operations hpt370
25880 * Configuration for HPT370A. Close to 370 but less filters
25881 */
25882
25883 -static struct ata_port_operations hpt370a_port_ops = {
25884 +static const struct ata_port_operations hpt370a_port_ops = {
25885 .inherits = &hpt370_port_ops,
25886 .mode_filter = hpt370a_filter,
25887 };
25888 @@ -601,7 +601,7 @@ static struct ata_port_operations hpt370
25889 * and DMA mode setting functionality.
25890 */
25891
25892 -static struct ata_port_operations hpt372_port_ops = {
25893 +static const struct ata_port_operations hpt372_port_ops = {
25894 .inherits = &ata_bmdma_port_ops,
25895
25896 .bmdma_stop = hpt37x_bmdma_stop,
25897 @@ -616,7 +616,7 @@ static struct ata_port_operations hpt372
25898 * but we have a different cable detection procedure for function 1.
25899 */
25900
25901 -static struct ata_port_operations hpt374_fn1_port_ops = {
25902 +static const struct ata_port_operations hpt374_fn1_port_ops = {
25903 .inherits = &hpt372_port_ops,
25904 .prereset = hpt374_fn1_pre_reset,
25905 };
25906 diff -urNp linux-2.6.32.46/drivers/ata/pata_hpt3x2n.c linux-2.6.32.46/drivers/ata/pata_hpt3x2n.c
25907 --- linux-2.6.32.46/drivers/ata/pata_hpt3x2n.c 2011-06-25 12:55:34.000000000 -0400
25908 +++ linux-2.6.32.46/drivers/ata/pata_hpt3x2n.c 2011-06-25 12:56:37.000000000 -0400
25909 @@ -337,7 +337,7 @@ static struct scsi_host_template hpt3x2n
25910 * Configuration for HPT3x2n.
25911 */
25912
25913 -static struct ata_port_operations hpt3x2n_port_ops = {
25914 +static const struct ata_port_operations hpt3x2n_port_ops = {
25915 .inherits = &ata_bmdma_port_ops,
25916
25917 .bmdma_stop = hpt3x2n_bmdma_stop,
25918 diff -urNp linux-2.6.32.46/drivers/ata/pata_hpt3x3.c linux-2.6.32.46/drivers/ata/pata_hpt3x3.c
25919 --- linux-2.6.32.46/drivers/ata/pata_hpt3x3.c 2011-03-27 14:31:47.000000000 -0400
25920 +++ linux-2.6.32.46/drivers/ata/pata_hpt3x3.c 2011-04-17 15:56:46.000000000 -0400
25921 @@ -141,7 +141,7 @@ static struct scsi_host_template hpt3x3_
25922 ATA_BMDMA_SHT(DRV_NAME),
25923 };
25924
25925 -static struct ata_port_operations hpt3x3_port_ops = {
25926 +static const struct ata_port_operations hpt3x3_port_ops = {
25927 .inherits = &ata_bmdma_port_ops,
25928 .cable_detect = ata_cable_40wire,
25929 .set_piomode = hpt3x3_set_piomode,
25930 diff -urNp linux-2.6.32.46/drivers/ata/pata_icside.c linux-2.6.32.46/drivers/ata/pata_icside.c
25931 --- linux-2.6.32.46/drivers/ata/pata_icside.c 2011-03-27 14:31:47.000000000 -0400
25932 +++ linux-2.6.32.46/drivers/ata/pata_icside.c 2011-04-17 15:56:46.000000000 -0400
25933 @@ -319,7 +319,7 @@ static void pata_icside_postreset(struct
25934 }
25935 }
25936
25937 -static struct ata_port_operations pata_icside_port_ops = {
25938 +static const struct ata_port_operations pata_icside_port_ops = {
25939 .inherits = &ata_sff_port_ops,
25940 /* no need to build any PRD tables for DMA */
25941 .qc_prep = ata_noop_qc_prep,
25942 diff -urNp linux-2.6.32.46/drivers/ata/pata_isapnp.c linux-2.6.32.46/drivers/ata/pata_isapnp.c
25943 --- linux-2.6.32.46/drivers/ata/pata_isapnp.c 2011-03-27 14:31:47.000000000 -0400
25944 +++ linux-2.6.32.46/drivers/ata/pata_isapnp.c 2011-04-17 15:56:46.000000000 -0400
25945 @@ -23,12 +23,12 @@ static struct scsi_host_template isapnp_
25946 ATA_PIO_SHT(DRV_NAME),
25947 };
25948
25949 -static struct ata_port_operations isapnp_port_ops = {
25950 +static const struct ata_port_operations isapnp_port_ops = {
25951 .inherits = &ata_sff_port_ops,
25952 .cable_detect = ata_cable_40wire,
25953 };
25954
25955 -static struct ata_port_operations isapnp_noalt_port_ops = {
25956 +static const struct ata_port_operations isapnp_noalt_port_ops = {
25957 .inherits = &ata_sff_port_ops,
25958 .cable_detect = ata_cable_40wire,
25959 /* No altstatus so we don't want to use the lost interrupt poll */
25960 diff -urNp linux-2.6.32.46/drivers/ata/pata_it8213.c linux-2.6.32.46/drivers/ata/pata_it8213.c
25961 --- linux-2.6.32.46/drivers/ata/pata_it8213.c 2011-03-27 14:31:47.000000000 -0400
25962 +++ linux-2.6.32.46/drivers/ata/pata_it8213.c 2011-04-17 15:56:46.000000000 -0400
25963 @@ -234,7 +234,7 @@ static struct scsi_host_template it8213_
25964 };
25965
25966
25967 -static struct ata_port_operations it8213_ops = {
25968 +static const struct ata_port_operations it8213_ops = {
25969 .inherits = &ata_bmdma_port_ops,
25970 .cable_detect = it8213_cable_detect,
25971 .set_piomode = it8213_set_piomode,
25972 diff -urNp linux-2.6.32.46/drivers/ata/pata_it821x.c linux-2.6.32.46/drivers/ata/pata_it821x.c
25973 --- linux-2.6.32.46/drivers/ata/pata_it821x.c 2011-03-27 14:31:47.000000000 -0400
25974 +++ linux-2.6.32.46/drivers/ata/pata_it821x.c 2011-04-17 15:56:46.000000000 -0400
25975 @@ -800,7 +800,7 @@ static struct scsi_host_template it821x_
25976 ATA_BMDMA_SHT(DRV_NAME),
25977 };
25978
25979 -static struct ata_port_operations it821x_smart_port_ops = {
25980 +static const struct ata_port_operations it821x_smart_port_ops = {
25981 .inherits = &ata_bmdma_port_ops,
25982
25983 .check_atapi_dma= it821x_check_atapi_dma,
25984 @@ -814,7 +814,7 @@ static struct ata_port_operations it821x
25985 .port_start = it821x_port_start,
25986 };
25987
25988 -static struct ata_port_operations it821x_passthru_port_ops = {
25989 +static const struct ata_port_operations it821x_passthru_port_ops = {
25990 .inherits = &ata_bmdma_port_ops,
25991
25992 .check_atapi_dma= it821x_check_atapi_dma,
25993 @@ -830,7 +830,7 @@ static struct ata_port_operations it821x
25994 .port_start = it821x_port_start,
25995 };
25996
25997 -static struct ata_port_operations it821x_rdc_port_ops = {
25998 +static const struct ata_port_operations it821x_rdc_port_ops = {
25999 .inherits = &ata_bmdma_port_ops,
26000
26001 .check_atapi_dma= it821x_check_atapi_dma,
26002 diff -urNp linux-2.6.32.46/drivers/ata/pata_ixp4xx_cf.c linux-2.6.32.46/drivers/ata/pata_ixp4xx_cf.c
26003 --- linux-2.6.32.46/drivers/ata/pata_ixp4xx_cf.c 2011-03-27 14:31:47.000000000 -0400
26004 +++ linux-2.6.32.46/drivers/ata/pata_ixp4xx_cf.c 2011-04-17 15:56:46.000000000 -0400
26005 @@ -89,7 +89,7 @@ static struct scsi_host_template ixp4xx_
26006 ATA_PIO_SHT(DRV_NAME),
26007 };
26008
26009 -static struct ata_port_operations ixp4xx_port_ops = {
26010 +static const struct ata_port_operations ixp4xx_port_ops = {
26011 .inherits = &ata_sff_port_ops,
26012 .sff_data_xfer = ixp4xx_mmio_data_xfer,
26013 .cable_detect = ata_cable_40wire,
26014 diff -urNp linux-2.6.32.46/drivers/ata/pata_jmicron.c linux-2.6.32.46/drivers/ata/pata_jmicron.c
26015 --- linux-2.6.32.46/drivers/ata/pata_jmicron.c 2011-03-27 14:31:47.000000000 -0400
26016 +++ linux-2.6.32.46/drivers/ata/pata_jmicron.c 2011-04-17 15:56:46.000000000 -0400
26017 @@ -111,7 +111,7 @@ static struct scsi_host_template jmicron
26018 ATA_BMDMA_SHT(DRV_NAME),
26019 };
26020
26021 -static struct ata_port_operations jmicron_ops = {
26022 +static const struct ata_port_operations jmicron_ops = {
26023 .inherits = &ata_bmdma_port_ops,
26024 .prereset = jmicron_pre_reset,
26025 };
26026 diff -urNp linux-2.6.32.46/drivers/ata/pata_legacy.c linux-2.6.32.46/drivers/ata/pata_legacy.c
26027 --- linux-2.6.32.46/drivers/ata/pata_legacy.c 2011-03-27 14:31:47.000000000 -0400
26028 +++ linux-2.6.32.46/drivers/ata/pata_legacy.c 2011-04-17 15:56:46.000000000 -0400
26029 @@ -106,7 +106,7 @@ struct legacy_probe {
26030
26031 struct legacy_controller {
26032 const char *name;
26033 - struct ata_port_operations *ops;
26034 + const struct ata_port_operations *ops;
26035 unsigned int pio_mask;
26036 unsigned int flags;
26037 unsigned int pflags;
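Review bot: The `const` added to `ops` in `struct legacy_controller` protects the operations table being pointed to, not the pointer stored in the struct. Unless the table of `struct legacy_controller` entries is itself declared const, each entry's `ops` pointer stays writable kernel data and can be redirected to another table. The struct definition and that table lie outside this hunk, so this needs checking there; if nothing writes to the entries at runtime, declaring the table `static const` closes the gap. The member should at least carry a comment such as `/* read-only ops table; the pointer is only as protected as the enclosing table */`.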
26038 @@ -223,12 +223,12 @@ static const struct ata_port_operations
26039 * pio_mask as well.
26040 */
26041
26042 -static struct ata_port_operations simple_port_ops = {
26043 +static const struct ata_port_operations simple_port_ops = {
26044 .inherits = &legacy_base_port_ops,
26045 .sff_data_xfer = ata_sff_data_xfer_noirq,
26046 };
26047
26048 -static struct ata_port_operations legacy_port_ops = {
26049 +static const struct ata_port_operations legacy_port_ops = {
26050 .inherits = &legacy_base_port_ops,
26051 .sff_data_xfer = ata_sff_data_xfer_noirq,
26052 .set_mode = legacy_set_mode,
26053 @@ -324,7 +324,7 @@ static unsigned int pdc_data_xfer_vlb(st
26054 return buflen;
26055 }
26056
26057 -static struct ata_port_operations pdc20230_port_ops = {
26058 +static const struct ata_port_operations pdc20230_port_ops = {
26059 .inherits = &legacy_base_port_ops,
26060 .set_piomode = pdc20230_set_piomode,
26061 .sff_data_xfer = pdc_data_xfer_vlb,
26062 @@ -357,7 +357,7 @@ static void ht6560a_set_piomode(struct a
26063 ioread8(ap->ioaddr.status_addr);
26064 }
26065
26066 -static struct ata_port_operations ht6560a_port_ops = {
26067 +static const struct ata_port_operations ht6560a_port_ops = {
26068 .inherits = &legacy_base_port_ops,
26069 .set_piomode = ht6560a_set_piomode,
26070 };
26071 @@ -400,7 +400,7 @@ static void ht6560b_set_piomode(struct a
26072 ioread8(ap->ioaddr.status_addr);
26073 }
26074
26075 -static struct ata_port_operations ht6560b_port_ops = {
26076 +static const struct ata_port_operations ht6560b_port_ops = {
26077 .inherits = &legacy_base_port_ops,
26078 .set_piomode = ht6560b_set_piomode,
26079 };
26080 @@ -499,7 +499,7 @@ static void opti82c611a_set_piomode(stru
26081 }
26082
26083
26084 -static struct ata_port_operations opti82c611a_port_ops = {
26085 +static const struct ata_port_operations opti82c611a_port_ops = {
26086 .inherits = &legacy_base_port_ops,
26087 .set_piomode = opti82c611a_set_piomode,
26088 };
26089 @@ -609,7 +609,7 @@ static unsigned int opti82c46x_qc_issue(
26090 return ata_sff_qc_issue(qc);
26091 }
26092
26093 -static struct ata_port_operations opti82c46x_port_ops = {
26094 +static const struct ata_port_operations opti82c46x_port_ops = {
26095 .inherits = &legacy_base_port_ops,
26096 .set_piomode = opti82c46x_set_piomode,
26097 .qc_issue = opti82c46x_qc_issue,
26098 @@ -771,20 +771,20 @@ static int qdi_port(struct platform_devi
26099 return 0;
26100 }
26101
26102 -static struct ata_port_operations qdi6500_port_ops = {
26103 +static const struct ata_port_operations qdi6500_port_ops = {
26104 .inherits = &legacy_base_port_ops,
26105 .set_piomode = qdi6500_set_piomode,
26106 .qc_issue = qdi_qc_issue,
26107 .sff_data_xfer = vlb32_data_xfer,
26108 };
26109
26110 -static struct ata_port_operations qdi6580_port_ops = {
26111 +static const struct ata_port_operations qdi6580_port_ops = {
26112 .inherits = &legacy_base_port_ops,
26113 .set_piomode = qdi6580_set_piomode,
26114 .sff_data_xfer = vlb32_data_xfer,
26115 };
26116
26117 -static struct ata_port_operations qdi6580dp_port_ops = {
26118 +static const struct ata_port_operations qdi6580dp_port_ops = {
26119 .inherits = &legacy_base_port_ops,
26120 .set_piomode = qdi6580dp_set_piomode,
26121 .sff_data_xfer = vlb32_data_xfer,
26122 @@ -855,7 +855,7 @@ static int winbond_port(struct platform_
26123 return 0;
26124 }
26125
26126 -static struct ata_port_operations winbond_port_ops = {
26127 +static const struct ata_port_operations winbond_port_ops = {
26128 .inherits = &legacy_base_port_ops,
26129 .set_piomode = winbond_set_piomode,
26130 .sff_data_xfer = vlb32_data_xfer,
26131 @@ -978,7 +978,7 @@ static __init int legacy_init_one(struct
26132 int pio_modes = controller->pio_mask;
26133 unsigned long io = probe->port;
26134 u32 mask = (1 << probe->slot);
26135 - struct ata_port_operations *ops = controller->ops;
26136 + const struct ata_port_operations *ops = controller->ops;
26137 struct legacy_data *ld = &legacy_data[probe->slot];
26138 struct ata_host *host = NULL;
26139 struct ata_port *ap;
26140 diff -urNp linux-2.6.32.46/drivers/ata/pata_marvell.c linux-2.6.32.46/drivers/ata/pata_marvell.c
26141 --- linux-2.6.32.46/drivers/ata/pata_marvell.c 2011-03-27 14:31:47.000000000 -0400
26142 +++ linux-2.6.32.46/drivers/ata/pata_marvell.c 2011-04-17 15:56:46.000000000 -0400
26143 @@ -100,7 +100,7 @@ static struct scsi_host_template marvell
26144 ATA_BMDMA_SHT(DRV_NAME),
26145 };
26146
26147 -static struct ata_port_operations marvell_ops = {
26148 +static const struct ata_port_operations marvell_ops = {
26149 .inherits = &ata_bmdma_port_ops,
26150 .cable_detect = marvell_cable_detect,
26151 .prereset = marvell_pre_reset,
26152 diff -urNp linux-2.6.32.46/drivers/ata/pata_mpc52xx.c linux-2.6.32.46/drivers/ata/pata_mpc52xx.c
26153 --- linux-2.6.32.46/drivers/ata/pata_mpc52xx.c 2011-03-27 14:31:47.000000000 -0400
26154 +++ linux-2.6.32.46/drivers/ata/pata_mpc52xx.c 2011-04-17 15:56:46.000000000 -0400
26155 @@ -609,7 +609,7 @@ static struct scsi_host_template mpc52xx
26156 ATA_PIO_SHT(DRV_NAME),
26157 };
26158
26159 -static struct ata_port_operations mpc52xx_ata_port_ops = {
26160 +static const struct ata_port_operations mpc52xx_ata_port_ops = {
26161 .inherits = &ata_bmdma_port_ops,
26162 .sff_dev_select = mpc52xx_ata_dev_select,
26163 .set_piomode = mpc52xx_ata_set_piomode,
26164 diff -urNp linux-2.6.32.46/drivers/ata/pata_mpiix.c linux-2.6.32.46/drivers/ata/pata_mpiix.c
26165 --- linux-2.6.32.46/drivers/ata/pata_mpiix.c 2011-03-27 14:31:47.000000000 -0400
26166 +++ linux-2.6.32.46/drivers/ata/pata_mpiix.c 2011-04-17 15:56:46.000000000 -0400
26167 @@ -140,7 +140,7 @@ static struct scsi_host_template mpiix_s
26168 ATA_PIO_SHT(DRV_NAME),
26169 };
26170
26171 -static struct ata_port_operations mpiix_port_ops = {
26172 +static const struct ata_port_operations mpiix_port_ops = {
26173 .inherits = &ata_sff_port_ops,
26174 .qc_issue = mpiix_qc_issue,
26175 .cable_detect = ata_cable_40wire,
26176 diff -urNp linux-2.6.32.46/drivers/ata/pata_netcell.c linux-2.6.32.46/drivers/ata/pata_netcell.c
26177 --- linux-2.6.32.46/drivers/ata/pata_netcell.c 2011-03-27 14:31:47.000000000 -0400
26178 +++ linux-2.6.32.46/drivers/ata/pata_netcell.c 2011-04-17 15:56:46.000000000 -0400
26179 @@ -34,7 +34,7 @@ static struct scsi_host_template netcell
26180 ATA_BMDMA_SHT(DRV_NAME),
26181 };
26182
26183 -static struct ata_port_operations netcell_ops = {
26184 +static const struct ata_port_operations netcell_ops = {
26185 .inherits = &ata_bmdma_port_ops,
26186 .cable_detect = ata_cable_80wire,
26187 .read_id = netcell_read_id,
26188 diff -urNp linux-2.6.32.46/drivers/ata/pata_ninja32.c linux-2.6.32.46/drivers/ata/pata_ninja32.c
26189 --- linux-2.6.32.46/drivers/ata/pata_ninja32.c 2011-03-27 14:31:47.000000000 -0400
26190 +++ linux-2.6.32.46/drivers/ata/pata_ninja32.c 2011-04-17 15:56:46.000000000 -0400
26191 @@ -81,7 +81,7 @@ static struct scsi_host_template ninja32
26192 ATA_BMDMA_SHT(DRV_NAME),
26193 };
26194
26195 -static struct ata_port_operations ninja32_port_ops = {
26196 +static const struct ata_port_operations ninja32_port_ops = {
26197 .inherits = &ata_bmdma_port_ops,
26198 .sff_dev_select = ninja32_dev_select,
26199 .cable_detect = ata_cable_40wire,
26200 diff -urNp linux-2.6.32.46/drivers/ata/pata_ns87410.c linux-2.6.32.46/drivers/ata/pata_ns87410.c
26201 --- linux-2.6.32.46/drivers/ata/pata_ns87410.c 2011-03-27 14:31:47.000000000 -0400
26202 +++ linux-2.6.32.46/drivers/ata/pata_ns87410.c 2011-04-17 15:56:46.000000000 -0400
26203 @@ -132,7 +132,7 @@ static struct scsi_host_template ns87410
26204 ATA_PIO_SHT(DRV_NAME),
26205 };
26206
26207 -static struct ata_port_operations ns87410_port_ops = {
26208 +static const struct ata_port_operations ns87410_port_ops = {
26209 .inherits = &ata_sff_port_ops,
26210 .qc_issue = ns87410_qc_issue,
26211 .cable_detect = ata_cable_40wire,
26212 diff -urNp linux-2.6.32.46/drivers/ata/pata_ns87415.c linux-2.6.32.46/drivers/ata/pata_ns87415.c
26213 --- linux-2.6.32.46/drivers/ata/pata_ns87415.c 2011-03-27 14:31:47.000000000 -0400
26214 +++ linux-2.6.32.46/drivers/ata/pata_ns87415.c 2011-04-17 15:56:46.000000000 -0400
26215 @@ -299,7 +299,7 @@ static u8 ns87560_bmdma_status(struct at
26216 }
26217 #endif /* 87560 SuperIO Support */
26218
26219 -static struct ata_port_operations ns87415_pata_ops = {
26220 +static const struct ata_port_operations ns87415_pata_ops = {
26221 .inherits = &ata_bmdma_port_ops,
26222
26223 .check_atapi_dma = ns87415_check_atapi_dma,
26224 @@ -313,7 +313,7 @@ static struct ata_port_operations ns8741
26225 };
26226
26227 #if defined(CONFIG_SUPERIO)
26228 -static struct ata_port_operations ns87560_pata_ops = {
26229 +static const struct ata_port_operations ns87560_pata_ops = {
26230 .inherits = &ns87415_pata_ops,
26231 .sff_tf_read = ns87560_tf_read,
26232 .sff_check_status = ns87560_check_status,
26233 diff -urNp linux-2.6.32.46/drivers/ata/pata_octeon_cf.c linux-2.6.32.46/drivers/ata/pata_octeon_cf.c
26234 --- linux-2.6.32.46/drivers/ata/pata_octeon_cf.c 2011-03-27 14:31:47.000000000 -0400
26235 +++ linux-2.6.32.46/drivers/ata/pata_octeon_cf.c 2011-04-17 15:56:46.000000000 -0400
26236 @@ -801,6 +801,7 @@ static unsigned int octeon_cf_qc_issue(s
26237 return 0;
26238 }
26239
26240 +/* cannot be const */
26241 static struct ata_port_operations octeon_cf_ops = {
26242 .inherits = &ata_sff_port_ops,
26243 .check_atapi_dma = octeon_cf_check_atapi_dma,
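Review bot: The added `/* cannot be const */` on `octeon_cf_ops` records the exception but not the reason, so a later cleanup may constify it or overlook that this function-pointer table stays writable. Presumably the probe code assigns some callbacks at runtime depending on bus width, but that code is outside this hunk and should be confirmed. The comment should then name the writer, for example `/* cannot be const: <fields> are assigned in <probe function> */`, with both placeholders filled in from the driver. The initializer continues past the hunk.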
26244 diff -urNp linux-2.6.32.46/drivers/ata/pata_oldpiix.c linux-2.6.32.46/drivers/ata/pata_oldpiix.c
26245 --- linux-2.6.32.46/drivers/ata/pata_oldpiix.c 2011-03-27 14:31:47.000000000 -0400
26246 +++ linux-2.6.32.46/drivers/ata/pata_oldpiix.c 2011-04-17 15:56:46.000000000 -0400
26247 @@ -208,7 +208,7 @@ static struct scsi_host_template oldpiix
26248 ATA_BMDMA_SHT(DRV_NAME),
26249 };
26250
26251 -static struct ata_port_operations oldpiix_pata_ops = {
26252 +static const struct ata_port_operations oldpiix_pata_ops = {
26253 .inherits = &ata_bmdma_port_ops,
26254 .qc_issue = oldpiix_qc_issue,
26255 .cable_detect = ata_cable_40wire,
26256 diff -urNp linux-2.6.32.46/drivers/ata/pata_opti.c linux-2.6.32.46/drivers/ata/pata_opti.c
26257 --- linux-2.6.32.46/drivers/ata/pata_opti.c 2011-03-27 14:31:47.000000000 -0400
26258 +++ linux-2.6.32.46/drivers/ata/pata_opti.c 2011-04-17 15:56:46.000000000 -0400
26259 @@ -152,7 +152,7 @@ static struct scsi_host_template opti_sh
26260 ATA_PIO_SHT(DRV_NAME),
26261 };
26262
26263 -static struct ata_port_operations opti_port_ops = {
26264 +static const struct ata_port_operations opti_port_ops = {
26265 .inherits = &ata_sff_port_ops,
26266 .cable_detect = ata_cable_40wire,
26267 .set_piomode = opti_set_piomode,
26268 diff -urNp linux-2.6.32.46/drivers/ata/pata_optidma.c linux-2.6.32.46/drivers/ata/pata_optidma.c
26269 --- linux-2.6.32.46/drivers/ata/pata_optidma.c 2011-03-27 14:31:47.000000000 -0400
26270 +++ linux-2.6.32.46/drivers/ata/pata_optidma.c 2011-04-17 15:56:46.000000000 -0400
26271 @@ -337,7 +337,7 @@ static struct scsi_host_template optidma
26272 ATA_BMDMA_SHT(DRV_NAME),
26273 };
26274
26275 -static struct ata_port_operations optidma_port_ops = {
26276 +static const struct ata_port_operations optidma_port_ops = {
26277 .inherits = &ata_bmdma_port_ops,
26278 .cable_detect = ata_cable_40wire,
26279 .set_piomode = optidma_set_pio_mode,
26280 @@ -346,7 +346,7 @@ static struct ata_port_operations optidm
26281 .prereset = optidma_pre_reset,
26282 };
26283
26284 -static struct ata_port_operations optiplus_port_ops = {
26285 +static const struct ata_port_operations optiplus_port_ops = {
26286 .inherits = &optidma_port_ops,
26287 .set_piomode = optiplus_set_pio_mode,
26288 .set_dmamode = optiplus_set_dma_mode,
26289 diff -urNp linux-2.6.32.46/drivers/ata/pata_palmld.c linux-2.6.32.46/drivers/ata/pata_palmld.c
26290 --- linux-2.6.32.46/drivers/ata/pata_palmld.c 2011-03-27 14:31:47.000000000 -0400
26291 +++ linux-2.6.32.46/drivers/ata/pata_palmld.c 2011-04-17 15:56:46.000000000 -0400
26292 @@ -37,7 +37,7 @@ static struct scsi_host_template palmld_
26293 ATA_PIO_SHT(DRV_NAME),
26294 };
26295
26296 -static struct ata_port_operations palmld_port_ops = {
26297 +static const struct ata_port_operations palmld_port_ops = {
26298 .inherits = &ata_sff_port_ops,
26299 .sff_data_xfer = ata_sff_data_xfer_noirq,
26300 .cable_detect = ata_cable_40wire,
26301 diff -urNp linux-2.6.32.46/drivers/ata/pata_pcmcia.c linux-2.6.32.46/drivers/ata/pata_pcmcia.c
26302 --- linux-2.6.32.46/drivers/ata/pata_pcmcia.c 2011-03-27 14:31:47.000000000 -0400
26303 +++ linux-2.6.32.46/drivers/ata/pata_pcmcia.c 2011-04-17 15:56:46.000000000 -0400
26304 @@ -162,14 +162,14 @@ static struct scsi_host_template pcmcia_
26305 ATA_PIO_SHT(DRV_NAME),
26306 };
26307
26308 -static struct ata_port_operations pcmcia_port_ops = {
26309 +static const struct ata_port_operations pcmcia_port_ops = {
26310 .inherits = &ata_sff_port_ops,
26311 .sff_data_xfer = ata_sff_data_xfer_noirq,
26312 .cable_detect = ata_cable_40wire,
26313 .set_mode = pcmcia_set_mode,
26314 };
26315
26316 -static struct ata_port_operations pcmcia_8bit_port_ops = {
26317 +static const struct ata_port_operations pcmcia_8bit_port_ops = {
26318 .inherits = &ata_sff_port_ops,
26319 .sff_data_xfer = ata_data_xfer_8bit,
26320 .cable_detect = ata_cable_40wire,
26321 @@ -256,7 +256,7 @@ static int pcmcia_init_one(struct pcmcia
26322 unsigned long io_base, ctl_base;
26323 void __iomem *io_addr, *ctl_addr;
26324 int n_ports = 1;
26325 - struct ata_port_operations *ops = &pcmcia_port_ops;
26326 + const struct ata_port_operations *ops = &pcmcia_port_ops;
26327
26328 info = kzalloc(sizeof(*info), GFP_KERNEL);
26329 if (info == NULL)
26330 diff -urNp linux-2.6.32.46/drivers/ata/pata_pdc2027x.c linux-2.6.32.46/drivers/ata/pata_pdc2027x.c
26331 --- linux-2.6.32.46/drivers/ata/pata_pdc2027x.c 2011-03-27 14:31:47.000000000 -0400
26332 +++ linux-2.6.32.46/drivers/ata/pata_pdc2027x.c 2011-04-17 15:56:46.000000000 -0400
26333 @@ -132,14 +132,14 @@ static struct scsi_host_template pdc2027
26334 ATA_BMDMA_SHT(DRV_NAME),
26335 };
26336
26337 -static struct ata_port_operations pdc2027x_pata100_ops = {
26338 +static const struct ata_port_operations pdc2027x_pata100_ops = {
26339 .inherits = &ata_bmdma_port_ops,
26340 .check_atapi_dma = pdc2027x_check_atapi_dma,
26341 .cable_detect = pdc2027x_cable_detect,
26342 .prereset = pdc2027x_prereset,
26343 };
26344
26345 -static struct ata_port_operations pdc2027x_pata133_ops = {
26346 +static const struct ata_port_operations pdc2027x_pata133_ops = {
26347 .inherits = &pdc2027x_pata100_ops,
26348 .mode_filter = pdc2027x_mode_filter,
26349 .set_piomode = pdc2027x_set_piomode,
26350 diff -urNp linux-2.6.32.46/drivers/ata/pata_pdc202xx_old.c linux-2.6.32.46/drivers/ata/pata_pdc202xx_old.c
26351 --- linux-2.6.32.46/drivers/ata/pata_pdc202xx_old.c 2011-03-27 14:31:47.000000000 -0400
26352 +++ linux-2.6.32.46/drivers/ata/pata_pdc202xx_old.c 2011-04-17 15:56:46.000000000 -0400
26353 @@ -274,7 +274,7 @@ static struct scsi_host_template pdc202x
26354 ATA_BMDMA_SHT(DRV_NAME),
26355 };
26356
26357 -static struct ata_port_operations pdc2024x_port_ops = {
26358 +static const struct ata_port_operations pdc2024x_port_ops = {
26359 .inherits = &ata_bmdma_port_ops,
26360
26361 .cable_detect = ata_cable_40wire,
26362 @@ -284,7 +284,7 @@ static struct ata_port_operations pdc202
26363 .sff_exec_command = pdc202xx_exec_command,
26364 };
26365
26366 -static struct ata_port_operations pdc2026x_port_ops = {
26367 +static const struct ata_port_operations pdc2026x_port_ops = {
26368 .inherits = &pdc2024x_port_ops,
26369
26370 .check_atapi_dma = pdc2026x_check_atapi_dma,
26371 diff -urNp linux-2.6.32.46/drivers/ata/pata_platform.c linux-2.6.32.46/drivers/ata/pata_platform.c
26372 --- linux-2.6.32.46/drivers/ata/pata_platform.c 2011-03-27 14:31:47.000000000 -0400
26373 +++ linux-2.6.32.46/drivers/ata/pata_platform.c 2011-04-17 15:56:46.000000000 -0400
26374 @@ -48,7 +48,7 @@ static struct scsi_host_template pata_pl
26375 ATA_PIO_SHT(DRV_NAME),
26376 };
26377
26378 -static struct ata_port_operations pata_platform_port_ops = {
26379 +static const struct ata_port_operations pata_platform_port_ops = {
26380 .inherits = &ata_sff_port_ops,
26381 .sff_data_xfer = ata_sff_data_xfer_noirq,
26382 .cable_detect = ata_cable_unknown,
26383 diff -urNp linux-2.6.32.46/drivers/ata/pata_qdi.c linux-2.6.32.46/drivers/ata/pata_qdi.c
26384 --- linux-2.6.32.46/drivers/ata/pata_qdi.c 2011-03-27 14:31:47.000000000 -0400
26385 +++ linux-2.6.32.46/drivers/ata/pata_qdi.c 2011-04-17 15:56:46.000000000 -0400
26386 @@ -157,7 +157,7 @@ static struct scsi_host_template qdi_sht
26387 ATA_PIO_SHT(DRV_NAME),
26388 };
26389
26390 -static struct ata_port_operations qdi6500_port_ops = {
26391 +static const struct ata_port_operations qdi6500_port_ops = {
26392 .inherits = &ata_sff_port_ops,
26393 .qc_issue = qdi_qc_issue,
26394 .sff_data_xfer = qdi_data_xfer,
26395 @@ -165,7 +165,7 @@ static struct ata_port_operations qdi650
26396 .set_piomode = qdi6500_set_piomode,
26397 };
26398
26399 -static struct ata_port_operations qdi6580_port_ops = {
26400 +static const struct ata_port_operations qdi6580_port_ops = {
26401 .inherits = &qdi6500_port_ops,
26402 .set_piomode = qdi6580_set_piomode,
26403 };
26404 diff -urNp linux-2.6.32.46/drivers/ata/pata_radisys.c linux-2.6.32.46/drivers/ata/pata_radisys.c
26405 --- linux-2.6.32.46/drivers/ata/pata_radisys.c 2011-03-27 14:31:47.000000000 -0400
26406 +++ linux-2.6.32.46/drivers/ata/pata_radisys.c 2011-04-17 15:56:46.000000000 -0400
26407 @@ -187,7 +187,7 @@ static struct scsi_host_template radisys
26408 ATA_BMDMA_SHT(DRV_NAME),
26409 };
26410
26411 -static struct ata_port_operations radisys_pata_ops = {
26412 +static const struct ata_port_operations radisys_pata_ops = {
26413 .inherits = &ata_bmdma_port_ops,
26414 .qc_issue = radisys_qc_issue,
26415 .cable_detect = ata_cable_unknown,
26416 diff -urNp linux-2.6.32.46/drivers/ata/pata_rb532_cf.c linux-2.6.32.46/drivers/ata/pata_rb532_cf.c
26417 --- linux-2.6.32.46/drivers/ata/pata_rb532_cf.c 2011-03-27 14:31:47.000000000 -0400
26418 +++ linux-2.6.32.46/drivers/ata/pata_rb532_cf.c 2011-04-17 15:56:46.000000000 -0400
26419 @@ -68,7 +68,7 @@ static irqreturn_t rb532_pata_irq_handle
26420 return IRQ_HANDLED;
26421 }
26422
26423 -static struct ata_port_operations rb532_pata_port_ops = {
26424 +static const struct ata_port_operations rb532_pata_port_ops = {
26425 .inherits = &ata_sff_port_ops,
26426 .sff_data_xfer = ata_sff_data_xfer32,
26427 };
26428 diff -urNp linux-2.6.32.46/drivers/ata/pata_rdc.c linux-2.6.32.46/drivers/ata/pata_rdc.c
26429 --- linux-2.6.32.46/drivers/ata/pata_rdc.c 2011-03-27 14:31:47.000000000 -0400
26430 +++ linux-2.6.32.46/drivers/ata/pata_rdc.c 2011-04-17 15:56:46.000000000 -0400
26431 @@ -272,7 +272,7 @@ static void rdc_set_dmamode(struct ata_p
26432 pci_write_config_byte(dev, 0x48, udma_enable);
26433 }
26434
26435 -static struct ata_port_operations rdc_pata_ops = {
26436 +static const struct ata_port_operations rdc_pata_ops = {
26437 .inherits = &ata_bmdma32_port_ops,
26438 .cable_detect = rdc_pata_cable_detect,
26439 .set_piomode = rdc_set_piomode,
26440 diff -urNp linux-2.6.32.46/drivers/ata/pata_rz1000.c linux-2.6.32.46/drivers/ata/pata_rz1000.c
26441 --- linux-2.6.32.46/drivers/ata/pata_rz1000.c 2011-03-27 14:31:47.000000000 -0400
26442 +++ linux-2.6.32.46/drivers/ata/pata_rz1000.c 2011-04-17 15:56:46.000000000 -0400
26443 @@ -54,7 +54,7 @@ static struct scsi_host_template rz1000_
26444 ATA_PIO_SHT(DRV_NAME),
26445 };
26446
26447 -static struct ata_port_operations rz1000_port_ops = {
26448 +static const struct ata_port_operations rz1000_port_ops = {
26449 .inherits = &ata_sff_port_ops,
26450 .cable_detect = ata_cable_40wire,
26451 .set_mode = rz1000_set_mode,
26452 diff -urNp linux-2.6.32.46/drivers/ata/pata_sc1200.c linux-2.6.32.46/drivers/ata/pata_sc1200.c
26453 --- linux-2.6.32.46/drivers/ata/pata_sc1200.c 2011-03-27 14:31:47.000000000 -0400
26454 +++ linux-2.6.32.46/drivers/ata/pata_sc1200.c 2011-04-17 15:56:46.000000000 -0400
26455 @@ -207,7 +207,7 @@ static struct scsi_host_template sc1200_
26456 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
26457 };
26458
26459 -static struct ata_port_operations sc1200_port_ops = {
26460 +static const struct ata_port_operations sc1200_port_ops = {
26461 .inherits = &ata_bmdma_port_ops,
26462 .qc_prep = ata_sff_dumb_qc_prep,
26463 .qc_issue = sc1200_qc_issue,
26464 diff -urNp linux-2.6.32.46/drivers/ata/pata_scc.c linux-2.6.32.46/drivers/ata/pata_scc.c
26465 --- linux-2.6.32.46/drivers/ata/pata_scc.c 2011-03-27 14:31:47.000000000 -0400
26466 +++ linux-2.6.32.46/drivers/ata/pata_scc.c 2011-04-17 15:56:46.000000000 -0400
26467 @@ -965,7 +965,7 @@ static struct scsi_host_template scc_sht
26468 ATA_BMDMA_SHT(DRV_NAME),
26469 };
26470
26471 -static struct ata_port_operations scc_pata_ops = {
26472 +static const struct ata_port_operations scc_pata_ops = {
26473 .inherits = &ata_bmdma_port_ops,
26474
26475 .set_piomode = scc_set_piomode,
26476 diff -urNp linux-2.6.32.46/drivers/ata/pata_sch.c linux-2.6.32.46/drivers/ata/pata_sch.c
26477 --- linux-2.6.32.46/drivers/ata/pata_sch.c 2011-03-27 14:31:47.000000000 -0400
26478 +++ linux-2.6.32.46/drivers/ata/pata_sch.c 2011-04-17 15:56:46.000000000 -0400
26479 @@ -75,7 +75,7 @@ static struct scsi_host_template sch_sht
26480 ATA_BMDMA_SHT(DRV_NAME),
26481 };
26482
26483 -static struct ata_port_operations sch_pata_ops = {
26484 +static const struct ata_port_operations sch_pata_ops = {
26485 .inherits = &ata_bmdma_port_ops,
26486 .cable_detect = ata_cable_unknown,
26487 .set_piomode = sch_set_piomode,
26488 diff -urNp linux-2.6.32.46/drivers/ata/pata_serverworks.c linux-2.6.32.46/drivers/ata/pata_serverworks.c
26489 --- linux-2.6.32.46/drivers/ata/pata_serverworks.c 2011-03-27 14:31:47.000000000 -0400
26490 +++ linux-2.6.32.46/drivers/ata/pata_serverworks.c 2011-04-17 15:56:46.000000000 -0400
26491 @@ -299,7 +299,7 @@ static struct scsi_host_template serverw
26492 ATA_BMDMA_SHT(DRV_NAME),
26493 };
26494
26495 -static struct ata_port_operations serverworks_osb4_port_ops = {
26496 +static const struct ata_port_operations serverworks_osb4_port_ops = {
26497 .inherits = &ata_bmdma_port_ops,
26498 .cable_detect = serverworks_cable_detect,
26499 .mode_filter = serverworks_osb4_filter,
26500 @@ -307,7 +307,7 @@ static struct ata_port_operations server
26501 .set_dmamode = serverworks_set_dmamode,
26502 };
26503
26504 -static struct ata_port_operations serverworks_csb_port_ops = {
26505 +static const struct ata_port_operations serverworks_csb_port_ops = {
26506 .inherits = &serverworks_osb4_port_ops,
26507 .mode_filter = serverworks_csb_filter,
26508 };
26509 diff -urNp linux-2.6.32.46/drivers/ata/pata_sil680.c linux-2.6.32.46/drivers/ata/pata_sil680.c
26510 --- linux-2.6.32.46/drivers/ata/pata_sil680.c 2011-06-25 12:55:34.000000000 -0400
26511 +++ linux-2.6.32.46/drivers/ata/pata_sil680.c 2011-06-25 12:56:37.000000000 -0400
26512 @@ -194,7 +194,7 @@ static struct scsi_host_template sil680_
26513 ATA_BMDMA_SHT(DRV_NAME),
26514 };
26515
26516 -static struct ata_port_operations sil680_port_ops = {
26517 +static const struct ata_port_operations sil680_port_ops = {
26518 .inherits = &ata_bmdma32_port_ops,
26519 .cable_detect = sil680_cable_detect,
26520 .set_piomode = sil680_set_piomode,
26521 diff -urNp linux-2.6.32.46/drivers/ata/pata_sis.c linux-2.6.32.46/drivers/ata/pata_sis.c
26522 --- linux-2.6.32.46/drivers/ata/pata_sis.c 2011-03-27 14:31:47.000000000 -0400
26523 +++ linux-2.6.32.46/drivers/ata/pata_sis.c 2011-04-17 15:56:46.000000000 -0400
26524 @@ -503,47 +503,47 @@ static struct scsi_host_template sis_sht
26525 ATA_BMDMA_SHT(DRV_NAME),
26526 };
26527
26528 -static struct ata_port_operations sis_133_for_sata_ops = {
26529 +static const struct ata_port_operations sis_133_for_sata_ops = {
26530 .inherits = &ata_bmdma_port_ops,
26531 .set_piomode = sis_133_set_piomode,
26532 .set_dmamode = sis_133_set_dmamode,
26533 .cable_detect = sis_133_cable_detect,
26534 };
26535
26536 -static struct ata_port_operations sis_base_ops = {
26537 +static const struct ata_port_operations sis_base_ops = {
26538 .inherits = &ata_bmdma_port_ops,
26539 .prereset = sis_pre_reset,
26540 };
26541
26542 -static struct ata_port_operations sis_133_ops = {
26543 +static const struct ata_port_operations sis_133_ops = {
26544 .inherits = &sis_base_ops,
26545 .set_piomode = sis_133_set_piomode,
26546 .set_dmamode = sis_133_set_dmamode,
26547 .cable_detect = sis_133_cable_detect,
26548 };
26549
26550 -static struct ata_port_operations sis_133_early_ops = {
26551 +static const struct ata_port_operations sis_133_early_ops = {
26552 .inherits = &sis_base_ops,
26553 .set_piomode = sis_100_set_piomode,
26554 .set_dmamode = sis_133_early_set_dmamode,
26555 .cable_detect = sis_66_cable_detect,
26556 };
26557
26558 -static struct ata_port_operations sis_100_ops = {
26559 +static const struct ata_port_operations sis_100_ops = {
26560 .inherits = &sis_base_ops,
26561 .set_piomode = sis_100_set_piomode,
26562 .set_dmamode = sis_100_set_dmamode,
26563 .cable_detect = sis_66_cable_detect,
26564 };
26565
26566 -static struct ata_port_operations sis_66_ops = {
26567 +static const struct ata_port_operations sis_66_ops = {
26568 .inherits = &sis_base_ops,
26569 .set_piomode = sis_old_set_piomode,
26570 .set_dmamode = sis_66_set_dmamode,
26571 .cable_detect = sis_66_cable_detect,
26572 };
26573
26574 -static struct ata_port_operations sis_old_ops = {
26575 +static const struct ata_port_operations sis_old_ops = {
26576 .inherits = &sis_base_ops,
26577 .set_piomode = sis_old_set_piomode,
26578 .set_dmamode = sis_old_set_dmamode,
26579 diff -urNp linux-2.6.32.46/drivers/ata/pata_sl82c105.c linux-2.6.32.46/drivers/ata/pata_sl82c105.c
26580 --- linux-2.6.32.46/drivers/ata/pata_sl82c105.c 2011-03-27 14:31:47.000000000 -0400
26581 +++ linux-2.6.32.46/drivers/ata/pata_sl82c105.c 2011-04-17 15:56:46.000000000 -0400
26582 @@ -231,7 +231,7 @@ static struct scsi_host_template sl82c10
26583 ATA_BMDMA_SHT(DRV_NAME),
26584 };
26585
26586 -static struct ata_port_operations sl82c105_port_ops = {
26587 +static const struct ata_port_operations sl82c105_port_ops = {
26588 .inherits = &ata_bmdma_port_ops,
26589 .qc_defer = sl82c105_qc_defer,
26590 .bmdma_start = sl82c105_bmdma_start,
26591 diff -urNp linux-2.6.32.46/drivers/ata/pata_triflex.c linux-2.6.32.46/drivers/ata/pata_triflex.c
26592 --- linux-2.6.32.46/drivers/ata/pata_triflex.c 2011-03-27 14:31:47.000000000 -0400
26593 +++ linux-2.6.32.46/drivers/ata/pata_triflex.c 2011-04-17 15:56:46.000000000 -0400
26594 @@ -178,7 +178,7 @@ static struct scsi_host_template triflex
26595 ATA_BMDMA_SHT(DRV_NAME),
26596 };
26597
26598 -static struct ata_port_operations triflex_port_ops = {
26599 +static const struct ata_port_operations triflex_port_ops = {
26600 .inherits = &ata_bmdma_port_ops,
26601 .bmdma_start = triflex_bmdma_start,
26602 .bmdma_stop = triflex_bmdma_stop,
26603 diff -urNp linux-2.6.32.46/drivers/ata/pata_via.c linux-2.6.32.46/drivers/ata/pata_via.c
26604 --- linux-2.6.32.46/drivers/ata/pata_via.c 2011-03-27 14:31:47.000000000 -0400
26605 +++ linux-2.6.32.46/drivers/ata/pata_via.c 2011-04-17 15:56:46.000000000 -0400
26606 @@ -419,7 +419,7 @@ static struct scsi_host_template via_sht
26607 ATA_BMDMA_SHT(DRV_NAME),
26608 };
26609
26610 -static struct ata_port_operations via_port_ops = {
26611 +static const struct ata_port_operations via_port_ops = {
26612 .inherits = &ata_bmdma_port_ops,
26613 .cable_detect = via_cable_detect,
26614 .set_piomode = via_set_piomode,
26615 @@ -429,7 +429,7 @@ static struct ata_port_operations via_po
26616 .port_start = via_port_start,
26617 };
26618
26619 -static struct ata_port_operations via_port_ops_noirq = {
26620 +static const struct ata_port_operations via_port_ops_noirq = {
26621 .inherits = &via_port_ops,
26622 .sff_data_xfer = ata_sff_data_xfer_noirq,
26623 };
26624 diff -urNp linux-2.6.32.46/drivers/ata/pata_winbond.c linux-2.6.32.46/drivers/ata/pata_winbond.c
26625 --- linux-2.6.32.46/drivers/ata/pata_winbond.c 2011-03-27 14:31:47.000000000 -0400
26626 +++ linux-2.6.32.46/drivers/ata/pata_winbond.c 2011-04-17 15:56:46.000000000 -0400
26627 @@ -125,7 +125,7 @@ static struct scsi_host_template winbond
26628 ATA_PIO_SHT(DRV_NAME),
26629 };
26630
26631 -static struct ata_port_operations winbond_port_ops = {
26632 +static const struct ata_port_operations winbond_port_ops = {
26633 .inherits = &ata_sff_port_ops,
26634 .sff_data_xfer = winbond_data_xfer,
26635 .cable_detect = ata_cable_40wire,
26636 diff -urNp linux-2.6.32.46/drivers/ata/pdc_adma.c linux-2.6.32.46/drivers/ata/pdc_adma.c
26637 --- linux-2.6.32.46/drivers/ata/pdc_adma.c 2011-03-27 14:31:47.000000000 -0400
26638 +++ linux-2.6.32.46/drivers/ata/pdc_adma.c 2011-04-17 15:56:46.000000000 -0400
26639 @@ -145,7 +145,7 @@ static struct scsi_host_template adma_at
26640 .dma_boundary = ADMA_DMA_BOUNDARY,
26641 };
26642
26643 -static struct ata_port_operations adma_ata_ops = {
26644 +static const struct ata_port_operations adma_ata_ops = {
26645 .inherits = &ata_sff_port_ops,
26646
26647 .lost_interrupt = ATA_OP_NULL,
26648 diff -urNp linux-2.6.32.46/drivers/ata/sata_fsl.c linux-2.6.32.46/drivers/ata/sata_fsl.c
26649 --- linux-2.6.32.46/drivers/ata/sata_fsl.c 2011-03-27 14:31:47.000000000 -0400
26650 +++ linux-2.6.32.46/drivers/ata/sata_fsl.c 2011-04-17 15:56:46.000000000 -0400
26651 @@ -1258,7 +1258,7 @@ static struct scsi_host_template sata_fs
26652 .dma_boundary = ATA_DMA_BOUNDARY,
26653 };
26654
26655 -static struct ata_port_operations sata_fsl_ops = {
26656 +static const struct ata_port_operations sata_fsl_ops = {
26657 .inherits = &sata_pmp_port_ops,
26658
26659 .qc_defer = ata_std_qc_defer,
26660 diff -urNp linux-2.6.32.46/drivers/ata/sata_inic162x.c linux-2.6.32.46/drivers/ata/sata_inic162x.c
26661 --- linux-2.6.32.46/drivers/ata/sata_inic162x.c 2011-03-27 14:31:47.000000000 -0400
26662 +++ linux-2.6.32.46/drivers/ata/sata_inic162x.c 2011-04-17 15:56:46.000000000 -0400
26663 @@ -721,7 +721,7 @@ static int inic_port_start(struct ata_po
26664 return 0;
26665 }
26666
26667 -static struct ata_port_operations inic_port_ops = {
26668 +static const struct ata_port_operations inic_port_ops = {
26669 .inherits = &sata_port_ops,
26670
26671 .check_atapi_dma = inic_check_atapi_dma,
26672 diff -urNp linux-2.6.32.46/drivers/ata/sata_mv.c linux-2.6.32.46/drivers/ata/sata_mv.c
26673 --- linux-2.6.32.46/drivers/ata/sata_mv.c 2011-03-27 14:31:47.000000000 -0400
26674 +++ linux-2.6.32.46/drivers/ata/sata_mv.c 2011-04-17 15:56:46.000000000 -0400
26675 @@ -656,7 +656,7 @@ static struct scsi_host_template mv6_sht
26676 .dma_boundary = MV_DMA_BOUNDARY,
26677 };
26678
26679 -static struct ata_port_operations mv5_ops = {
26680 +static const struct ata_port_operations mv5_ops = {
26681 .inherits = &ata_sff_port_ops,
26682
26683 .lost_interrupt = ATA_OP_NULL,
26684 @@ -678,7 +678,7 @@ static struct ata_port_operations mv5_op
26685 .port_stop = mv_port_stop,
26686 };
26687
26688 -static struct ata_port_operations mv6_ops = {
26689 +static const struct ata_port_operations mv6_ops = {
26690 .inherits = &mv5_ops,
26691 .dev_config = mv6_dev_config,
26692 .scr_read = mv_scr_read,
26693 @@ -698,7 +698,7 @@ static struct ata_port_operations mv6_op
26694 .bmdma_status = mv_bmdma_status,
26695 };
26696
26697 -static struct ata_port_operations mv_iie_ops = {
26698 +static const struct ata_port_operations mv_iie_ops = {
26699 .inherits = &mv6_ops,
26700 .dev_config = ATA_OP_NULL,
26701 .qc_prep = mv_qc_prep_iie,
26702 diff -urNp linux-2.6.32.46/drivers/ata/sata_nv.c linux-2.6.32.46/drivers/ata/sata_nv.c
26703 --- linux-2.6.32.46/drivers/ata/sata_nv.c 2011-03-27 14:31:47.000000000 -0400
26704 +++ linux-2.6.32.46/drivers/ata/sata_nv.c 2011-04-17 15:56:46.000000000 -0400
26705 @@ -464,7 +464,7 @@ static struct scsi_host_template nv_swnc
26706 * cases. Define nv_hardreset() which only kicks in for post-boot
26707 * probing and use it for all variants.
26708 */
26709 -static struct ata_port_operations nv_generic_ops = {
26710 +static const struct ata_port_operations nv_generic_ops = {
26711 .inherits = &ata_bmdma_port_ops,
26712 .lost_interrupt = ATA_OP_NULL,
26713 .scr_read = nv_scr_read,
26714 @@ -472,20 +472,20 @@ static struct ata_port_operations nv_gen
26715 .hardreset = nv_hardreset,
26716 };
26717
26718 -static struct ata_port_operations nv_nf2_ops = {
26719 +static const struct ata_port_operations nv_nf2_ops = {
26720 .inherits = &nv_generic_ops,
26721 .freeze = nv_nf2_freeze,
26722 .thaw = nv_nf2_thaw,
26723 };
26724
26725 -static struct ata_port_operations nv_ck804_ops = {
26726 +static const struct ata_port_operations nv_ck804_ops = {
26727 .inherits = &nv_generic_ops,
26728 .freeze = nv_ck804_freeze,
26729 .thaw = nv_ck804_thaw,
26730 .host_stop = nv_ck804_host_stop,
26731 };
26732
26733 -static struct ata_port_operations nv_adma_ops = {
26734 +static const struct ata_port_operations nv_adma_ops = {
26735 .inherits = &nv_ck804_ops,
26736
26737 .check_atapi_dma = nv_adma_check_atapi_dma,
26738 @@ -509,7 +509,7 @@ static struct ata_port_operations nv_adm
26739 .host_stop = nv_adma_host_stop,
26740 };
26741
26742 -static struct ata_port_operations nv_swncq_ops = {
26743 +static const struct ata_port_operations nv_swncq_ops = {
26744 .inherits = &nv_generic_ops,
26745
26746 .qc_defer = ata_std_qc_defer,
26747 diff -urNp linux-2.6.32.46/drivers/ata/sata_promise.c linux-2.6.32.46/drivers/ata/sata_promise.c
26748 --- linux-2.6.32.46/drivers/ata/sata_promise.c 2011-03-27 14:31:47.000000000 -0400
26749 +++ linux-2.6.32.46/drivers/ata/sata_promise.c 2011-04-17 15:56:46.000000000 -0400
26750 @@ -195,7 +195,7 @@ static const struct ata_port_operations
26751 .error_handler = pdc_error_handler,
26752 };
26753
26754 -static struct ata_port_operations pdc_sata_ops = {
26755 +static const struct ata_port_operations pdc_sata_ops = {
26756 .inherits = &pdc_common_ops,
26757 .cable_detect = pdc_sata_cable_detect,
26758 .freeze = pdc_sata_freeze,
26759 @@ -208,14 +208,14 @@ static struct ata_port_operations pdc_sa
26760
26761 /* First-generation chips need a more restrictive ->check_atapi_dma op,
26762 and ->freeze/thaw that ignore the hotplug controls. */
26763 -static struct ata_port_operations pdc_old_sata_ops = {
26764 +static const struct ata_port_operations pdc_old_sata_ops = {
26765 .inherits = &pdc_sata_ops,
26766 .freeze = pdc_freeze,
26767 .thaw = pdc_thaw,
26768 .check_atapi_dma = pdc_old_sata_check_atapi_dma,
26769 };
26770
26771 -static struct ata_port_operations pdc_pata_ops = {
26772 +static const struct ata_port_operations pdc_pata_ops = {
26773 .inherits = &pdc_common_ops,
26774 .cable_detect = pdc_pata_cable_detect,
26775 .freeze = pdc_freeze,
26776 diff -urNp linux-2.6.32.46/drivers/ata/sata_qstor.c linux-2.6.32.46/drivers/ata/sata_qstor.c
26777 --- linux-2.6.32.46/drivers/ata/sata_qstor.c 2011-03-27 14:31:47.000000000 -0400
26778 +++ linux-2.6.32.46/drivers/ata/sata_qstor.c 2011-04-17 15:56:46.000000000 -0400
26779 @@ -132,7 +132,7 @@ static struct scsi_host_template qs_ata_
26780 .dma_boundary = QS_DMA_BOUNDARY,
26781 };
26782
26783 -static struct ata_port_operations qs_ata_ops = {
26784 +static const struct ata_port_operations qs_ata_ops = {
26785 .inherits = &ata_sff_port_ops,
26786
26787 .check_atapi_dma = qs_check_atapi_dma,
26788 diff -urNp linux-2.6.32.46/drivers/ata/sata_sil24.c linux-2.6.32.46/drivers/ata/sata_sil24.c
26789 --- linux-2.6.32.46/drivers/ata/sata_sil24.c 2011-03-27 14:31:47.000000000 -0400
26790 +++ linux-2.6.32.46/drivers/ata/sata_sil24.c 2011-04-17 15:56:46.000000000 -0400
26791 @@ -388,7 +388,7 @@ static struct scsi_host_template sil24_s
26792 .dma_boundary = ATA_DMA_BOUNDARY,
26793 };
26794
26795 -static struct ata_port_operations sil24_ops = {
26796 +static const struct ata_port_operations sil24_ops = {
26797 .inherits = &sata_pmp_port_ops,
26798
26799 .qc_defer = sil24_qc_defer,
26800 diff -urNp linux-2.6.32.46/drivers/ata/sata_sil.c linux-2.6.32.46/drivers/ata/sata_sil.c
26801 --- linux-2.6.32.46/drivers/ata/sata_sil.c 2011-03-27 14:31:47.000000000 -0400
26802 +++ linux-2.6.32.46/drivers/ata/sata_sil.c 2011-04-17 15:56:46.000000000 -0400
26803 @@ -182,7 +182,7 @@ static struct scsi_host_template sil_sht
26804 .sg_tablesize = ATA_MAX_PRD
26805 };
26806
26807 -static struct ata_port_operations sil_ops = {
26808 +static const struct ata_port_operations sil_ops = {
26809 .inherits = &ata_bmdma32_port_ops,
26810 .dev_config = sil_dev_config,
26811 .set_mode = sil_set_mode,
26812 diff -urNp linux-2.6.32.46/drivers/ata/sata_sis.c linux-2.6.32.46/drivers/ata/sata_sis.c
26813 --- linux-2.6.32.46/drivers/ata/sata_sis.c 2011-03-27 14:31:47.000000000 -0400
26814 +++ linux-2.6.32.46/drivers/ata/sata_sis.c 2011-04-17 15:56:46.000000000 -0400
26815 @@ -89,7 +89,7 @@ static struct scsi_host_template sis_sht
26816 ATA_BMDMA_SHT(DRV_NAME),
26817 };
26818
26819 -static struct ata_port_operations sis_ops = {
26820 +static const struct ata_port_operations sis_ops = {
26821 .inherits = &ata_bmdma_port_ops,
26822 .scr_read = sis_scr_read,
26823 .scr_write = sis_scr_write,
26824 diff -urNp linux-2.6.32.46/drivers/ata/sata_svw.c linux-2.6.32.46/drivers/ata/sata_svw.c
26825 --- linux-2.6.32.46/drivers/ata/sata_svw.c 2011-03-27 14:31:47.000000000 -0400
26826 +++ linux-2.6.32.46/drivers/ata/sata_svw.c 2011-04-17 15:56:46.000000000 -0400
26827 @@ -344,7 +344,7 @@ static struct scsi_host_template k2_sata
26828 };
26829
26830
26831 -static struct ata_port_operations k2_sata_ops = {
26832 +static const struct ata_port_operations k2_sata_ops = {
26833 .inherits = &ata_bmdma_port_ops,
26834 .sff_tf_load = k2_sata_tf_load,
26835 .sff_tf_read = k2_sata_tf_read,
26836 diff -urNp linux-2.6.32.46/drivers/ata/sata_sx4.c linux-2.6.32.46/drivers/ata/sata_sx4.c
26837 --- linux-2.6.32.46/drivers/ata/sata_sx4.c 2011-03-27 14:31:47.000000000 -0400
26838 +++ linux-2.6.32.46/drivers/ata/sata_sx4.c 2011-04-17 15:56:46.000000000 -0400
26839 @@ -248,7 +248,7 @@ static struct scsi_host_template pdc_sat
26840 };
26841
26842 /* TODO: inherit from base port_ops after converting to new EH */
26843 -static struct ata_port_operations pdc_20621_ops = {
26844 +static const struct ata_port_operations pdc_20621_ops = {
26845 .inherits = &ata_sff_port_ops,
26846
26847 .check_atapi_dma = pdc_check_atapi_dma,
26848 diff -urNp linux-2.6.32.46/drivers/ata/sata_uli.c linux-2.6.32.46/drivers/ata/sata_uli.c
26849 --- linux-2.6.32.46/drivers/ata/sata_uli.c 2011-03-27 14:31:47.000000000 -0400
26850 +++ linux-2.6.32.46/drivers/ata/sata_uli.c 2011-04-17 15:56:46.000000000 -0400
26851 @@ -79,7 +79,7 @@ static struct scsi_host_template uli_sht
26852 ATA_BMDMA_SHT(DRV_NAME),
26853 };
26854
26855 -static struct ata_port_operations uli_ops = {
26856 +static const struct ata_port_operations uli_ops = {
26857 .inherits = &ata_bmdma_port_ops,
26858 .scr_read = uli_scr_read,
26859 .scr_write = uli_scr_write,
26860 diff -urNp linux-2.6.32.46/drivers/ata/sata_via.c linux-2.6.32.46/drivers/ata/sata_via.c
26861 --- linux-2.6.32.46/drivers/ata/sata_via.c 2011-05-10 22:12:01.000000000 -0400
26862 +++ linux-2.6.32.46/drivers/ata/sata_via.c 2011-05-10 22:15:08.000000000 -0400
26863 @@ -115,32 +115,32 @@ static struct scsi_host_template svia_sh
26864 ATA_BMDMA_SHT(DRV_NAME),
26865 };
26866
26867 -static struct ata_port_operations svia_base_ops = {
26868 +static const struct ata_port_operations svia_base_ops = {
26869 .inherits = &ata_bmdma_port_ops,
26870 .sff_tf_load = svia_tf_load,
26871 };
26872
26873 -static struct ata_port_operations vt6420_sata_ops = {
26874 +static const struct ata_port_operations vt6420_sata_ops = {
26875 .inherits = &svia_base_ops,
26876 .freeze = svia_noop_freeze,
26877 .prereset = vt6420_prereset,
26878 .bmdma_start = vt6420_bmdma_start,
26879 };
26880
26881 -static struct ata_port_operations vt6421_pata_ops = {
26882 +static const struct ata_port_operations vt6421_pata_ops = {
26883 .inherits = &svia_base_ops,
26884 .cable_detect = vt6421_pata_cable_detect,
26885 .set_piomode = vt6421_set_pio_mode,
26886 .set_dmamode = vt6421_set_dma_mode,
26887 };
26888
26889 -static struct ata_port_operations vt6421_sata_ops = {
26890 +static const struct ata_port_operations vt6421_sata_ops = {
26891 .inherits = &svia_base_ops,
26892 .scr_read = svia_scr_read,
26893 .scr_write = svia_scr_write,
26894 };
26895
26896 -static struct ata_port_operations vt8251_ops = {
26897 +static const struct ata_port_operations vt8251_ops = {
26898 .inherits = &svia_base_ops,
26899 .hardreset = sata_std_hardreset,
26900 .scr_read = vt8251_scr_read,
26901 diff -urNp linux-2.6.32.46/drivers/ata/sata_vsc.c linux-2.6.32.46/drivers/ata/sata_vsc.c
26902 --- linux-2.6.32.46/drivers/ata/sata_vsc.c 2011-03-27 14:31:47.000000000 -0400
26903 +++ linux-2.6.32.46/drivers/ata/sata_vsc.c 2011-04-17 15:56:46.000000000 -0400
26904 @@ -306,7 +306,7 @@ static struct scsi_host_template vsc_sat
26905 };
26906
26907
26908 -static struct ata_port_operations vsc_sata_ops = {
26909 +static const struct ata_port_operations vsc_sata_ops = {
26910 .inherits = &ata_bmdma_port_ops,
26911 /* The IRQ handling is not quite standard SFF behaviour so we
26912 cannot use the default lost interrupt handler */
26913 diff -urNp linux-2.6.32.46/drivers/atm/adummy.c linux-2.6.32.46/drivers/atm/adummy.c
26914 --- linux-2.6.32.46/drivers/atm/adummy.c 2011-03-27 14:31:47.000000000 -0400
26915 +++ linux-2.6.32.46/drivers/atm/adummy.c 2011-04-17 15:56:46.000000000 -0400
26916 @@ -77,7 +77,7 @@ adummy_send(struct atm_vcc *vcc, struct
26917 vcc->pop(vcc, skb);
26918 else
26919 dev_kfree_skb_any(skb);
26920 - atomic_inc(&vcc->stats->tx);
26921 + atomic_inc_unchecked(&vcc->stats->tx);
26922
26923 return 0;
26924 }
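Review bot: The switch to `atomic_inc_unchecked(&vcc->stats->tx)` opts this counter out of overflow detection, and nothing at the call site records why that is safe. It is only correct if `stats->tx` is a pure statistic whose wrap-around cannot influence object lifetime or a size or bounds decision, and if the field declaration and every reader and resetter of these stats (none visible in this hunk) use the matching `_unchecked` type and accessors. I would state that once at the field declaration, e.g. `/* statistics only: wrap is harmless, exempt from refcount overflow checks */`. The same point covers the `stats->tx`, `rx`, `rx_drop`, `rx_err` and `tx_err` hunks in ambassador.c, atmtcp.c, eni.c, firestream.c, fore200e.c, he.c and horizon.c below. adummy_send's body starts outside the hunk.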
26925 diff -urNp linux-2.6.32.46/drivers/atm/ambassador.c linux-2.6.32.46/drivers/atm/ambassador.c
26926 --- linux-2.6.32.46/drivers/atm/ambassador.c 2011-03-27 14:31:47.000000000 -0400
26927 +++ linux-2.6.32.46/drivers/atm/ambassador.c 2011-04-17 15:56:46.000000000 -0400
26928 @@ -453,7 +453,7 @@ static void tx_complete (amb_dev * dev,
26929 PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
26930
26931 // VC layer stats
26932 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
26933 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
26934
26935 // free the descriptor
26936 kfree (tx_descr);
26937 @@ -494,7 +494,7 @@ static void rx_complete (amb_dev * dev,
26938 dump_skb ("<<<", vc, skb);
26939
26940 // VC layer stats
26941 - atomic_inc(&atm_vcc->stats->rx);
26942 + atomic_inc_unchecked(&atm_vcc->stats->rx);
26943 __net_timestamp(skb);
26944 // end of our responsability
26945 atm_vcc->push (atm_vcc, skb);
26946 @@ -509,7 +509,7 @@ static void rx_complete (amb_dev * dev,
26947 } else {
26948 PRINTK (KERN_INFO, "dropped over-size frame");
26949 // should we count this?
26950 - atomic_inc(&atm_vcc->stats->rx_drop);
26951 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
26952 }
26953
26954 } else {
26955 @@ -1341,7 +1341,7 @@ static int amb_send (struct atm_vcc * at
26956 }
26957
26958 if (check_area (skb->data, skb->len)) {
26959 - atomic_inc(&atm_vcc->stats->tx_err);
26960 + atomic_inc_unchecked(&atm_vcc->stats->tx_err);
26961 return -ENOMEM; // ?
26962 }
26963
26964 diff -urNp linux-2.6.32.46/drivers/atm/atmtcp.c linux-2.6.32.46/drivers/atm/atmtcp.c
26965 --- linux-2.6.32.46/drivers/atm/atmtcp.c 2011-03-27 14:31:47.000000000 -0400
26966 +++ linux-2.6.32.46/drivers/atm/atmtcp.c 2011-04-17 15:56:46.000000000 -0400
26967 @@ -206,7 +206,7 @@ static int atmtcp_v_send(struct atm_vcc
26968 if (vcc->pop) vcc->pop(vcc,skb);
26969 else dev_kfree_skb(skb);
26970 if (dev_data) return 0;
26971 - atomic_inc(&vcc->stats->tx_err);
26972 + atomic_inc_unchecked(&vcc->stats->tx_err);
26973 return -ENOLINK;
26974 }
26975 size = skb->len+sizeof(struct atmtcp_hdr);
26976 @@ -214,7 +214,7 @@ static int atmtcp_v_send(struct atm_vcc
26977 if (!new_skb) {
26978 if (vcc->pop) vcc->pop(vcc,skb);
26979 else dev_kfree_skb(skb);
26980 - atomic_inc(&vcc->stats->tx_err);
26981 + atomic_inc_unchecked(&vcc->stats->tx_err);
26982 return -ENOBUFS;
26983 }
26984 hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
26985 @@ -225,8 +225,8 @@ static int atmtcp_v_send(struct atm_vcc
26986 if (vcc->pop) vcc->pop(vcc,skb);
26987 else dev_kfree_skb(skb);
26988 out_vcc->push(out_vcc,new_skb);
26989 - atomic_inc(&vcc->stats->tx);
26990 - atomic_inc(&out_vcc->stats->rx);
26991 + atomic_inc_unchecked(&vcc->stats->tx);
26992 + atomic_inc_unchecked(&out_vcc->stats->rx);
26993 return 0;
26994 }
26995
26996 @@ -300,7 +300,7 @@ static int atmtcp_c_send(struct atm_vcc
26997 out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
26998 read_unlock(&vcc_sklist_lock);
26999 if (!out_vcc) {
27000 - atomic_inc(&vcc->stats->tx_err);
27001 + atomic_inc_unchecked(&vcc->stats->tx_err);
27002 goto done;
27003 }
27004 skb_pull(skb,sizeof(struct atmtcp_hdr));
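Review bot: `out_vcc` is obtained from `find_vcc()` and `vcc_sklist_lock` is released on the very next line, yet the following hunk still calls `out_vcc->push()` and increments `out_vcc->stats->rx`, with no reference taken in the visible lines. If nothing else pins the VCC, it could be torn down between the unlock and those uses; whether a caller guarantees its lifetime cannot be seen from here. Either hold a reference across the use when the lookup succeeds, for example `sock_hold(sk_atm(out_vcc));` before `read_unlock()` with a matching `sock_put()` after the push, or add a comment stating what keeps `out_vcc` alive. atmtcp_c_send's body starts before and continues past this hunk.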
27005 @@ -312,8 +312,8 @@ static int atmtcp_c_send(struct atm_vcc
27006 __net_timestamp(new_skb);
27007 skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
27008 out_vcc->push(out_vcc,new_skb);
27009 - atomic_inc(&vcc->stats->tx);
27010 - atomic_inc(&out_vcc->stats->rx);
27011 + atomic_inc_unchecked(&vcc->stats->tx);
27012 + atomic_inc_unchecked(&out_vcc->stats->rx);
27013 done:
27014 if (vcc->pop) vcc->pop(vcc,skb);
27015 else dev_kfree_skb(skb);
27016 diff -urNp linux-2.6.32.46/drivers/atm/eni.c linux-2.6.32.46/drivers/atm/eni.c
27017 --- linux-2.6.32.46/drivers/atm/eni.c 2011-03-27 14:31:47.000000000 -0400
27018 +++ linux-2.6.32.46/drivers/atm/eni.c 2011-04-17 15:56:46.000000000 -0400
27019 @@ -525,7 +525,7 @@ static int rx_aal0(struct atm_vcc *vcc)
27020 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
27021 vcc->dev->number);
27022 length = 0;
27023 - atomic_inc(&vcc->stats->rx_err);
27024 + atomic_inc_unchecked(&vcc->stats->rx_err);
27025 }
27026 else {
27027 length = ATM_CELL_SIZE-1; /* no HEC */
27028 @@ -580,7 +580,7 @@ static int rx_aal5(struct atm_vcc *vcc)
27029 size);
27030 }
27031 eff = length = 0;
27032 - atomic_inc(&vcc->stats->rx_err);
27033 + atomic_inc_unchecked(&vcc->stats->rx_err);
27034 }
27035 else {
27036 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
27037 @@ -597,7 +597,7 @@ static int rx_aal5(struct atm_vcc *vcc)
27038 "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
27039 vcc->dev->number,vcc->vci,length,size << 2,descr);
27040 length = eff = 0;
27041 - atomic_inc(&vcc->stats->rx_err);
27042 + atomic_inc_unchecked(&vcc->stats->rx_err);
27043 }
27044 }
27045 skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
27046 @@ -770,7 +770,7 @@ rx_dequeued++;
27047 vcc->push(vcc,skb);
27048 pushed++;
27049 }
27050 - atomic_inc(&vcc->stats->rx);
27051 + atomic_inc_unchecked(&vcc->stats->rx);
27052 }
27053 wake_up(&eni_dev->rx_wait);
27054 }
27055 @@ -1227,7 +1227,7 @@ static void dequeue_tx(struct atm_dev *d
27056 PCI_DMA_TODEVICE);
27057 if (vcc->pop) vcc->pop(vcc,skb);
27058 else dev_kfree_skb_irq(skb);
27059 - atomic_inc(&vcc->stats->tx);
27060 + atomic_inc_unchecked(&vcc->stats->tx);
27061 wake_up(&eni_dev->tx_wait);
27062 dma_complete++;
27063 }
27064 diff -urNp linux-2.6.32.46/drivers/atm/firestream.c linux-2.6.32.46/drivers/atm/firestream.c
27065 --- linux-2.6.32.46/drivers/atm/firestream.c 2011-03-27 14:31:47.000000000 -0400
27066 +++ linux-2.6.32.46/drivers/atm/firestream.c 2011-04-17 15:56:46.000000000 -0400
27067 @@ -748,7 +748,7 @@ static void process_txdone_queue (struct
27068 }
27069 }
27070
27071 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
27072 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
27073
27074 fs_dprintk (FS_DEBUG_TXMEM, "i");
27075 fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
27076 @@ -815,7 +815,7 @@ static void process_incoming (struct fs_
27077 #endif
27078 skb_put (skb, qe->p1 & 0xffff);
27079 ATM_SKB(skb)->vcc = atm_vcc;
27080 - atomic_inc(&atm_vcc->stats->rx);
27081 + atomic_inc_unchecked(&atm_vcc->stats->rx);
27082 __net_timestamp(skb);
27083 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
27084 atm_vcc->push (atm_vcc, skb);
27085 @@ -836,12 +836,12 @@ static void process_incoming (struct fs_
27086 kfree (pe);
27087 }
27088 if (atm_vcc)
27089 - atomic_inc(&atm_vcc->stats->rx_drop);
27090 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
27091 break;
27092 case 0x1f: /* Reassembly abort: no buffers. */
27093 /* Silently increment error counter. */
27094 if (atm_vcc)
27095 - atomic_inc(&atm_vcc->stats->rx_drop);
27096 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
27097 break;
27098 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
27099 printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",
27100 diff -urNp linux-2.6.32.46/drivers/atm/fore200e.c linux-2.6.32.46/drivers/atm/fore200e.c
27101 --- linux-2.6.32.46/drivers/atm/fore200e.c 2011-03-27 14:31:47.000000000 -0400
27102 +++ linux-2.6.32.46/drivers/atm/fore200e.c 2011-04-17 15:56:46.000000000 -0400
27103 @@ -931,9 +931,9 @@ fore200e_tx_irq(struct fore200e* fore200
27104 #endif
27105 /* check error condition */
27106 if (*entry->status & STATUS_ERROR)
27107 - atomic_inc(&vcc->stats->tx_err);
27108 + atomic_inc_unchecked(&vcc->stats->tx_err);
27109 else
27110 - atomic_inc(&vcc->stats->tx);
27111 + atomic_inc_unchecked(&vcc->stats->tx);
27112 }
27113 }
27114
27115 @@ -1082,7 +1082,7 @@ fore200e_push_rpd(struct fore200e* fore2
27116 if (skb == NULL) {
27117 DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
27118
27119 - atomic_inc(&vcc->stats->rx_drop);
27120 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27121 return -ENOMEM;
27122 }
27123
27124 @@ -1125,14 +1125,14 @@ fore200e_push_rpd(struct fore200e* fore2
27125
27126 dev_kfree_skb_any(skb);
27127
27128 - atomic_inc(&vcc->stats->rx_drop);
27129 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27130 return -ENOMEM;
27131 }
27132
27133 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
27134
27135 vcc->push(vcc, skb);
27136 - atomic_inc(&vcc->stats->rx);
27137 + atomic_inc_unchecked(&vcc->stats->rx);
27138
27139 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
27140
27141 @@ -1210,7 +1210,7 @@ fore200e_rx_irq(struct fore200e* fore200
27142 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
27143 fore200e->atm_dev->number,
27144 entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
27145 - atomic_inc(&vcc->stats->rx_err);
27146 + atomic_inc_unchecked(&vcc->stats->rx_err);
27147 }
27148 }
27149
27150 @@ -1655,7 +1655,7 @@ fore200e_send(struct atm_vcc *vcc, struc
27151 goto retry_here;
27152 }
27153
27154 - atomic_inc(&vcc->stats->tx_err);
27155 + atomic_inc_unchecked(&vcc->stats->tx_err);
27156
27157 fore200e->tx_sat++;
27158 DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
27159 diff -urNp linux-2.6.32.46/drivers/atm/he.c linux-2.6.32.46/drivers/atm/he.c
27160 --- linux-2.6.32.46/drivers/atm/he.c 2011-03-27 14:31:47.000000000 -0400
27161 +++ linux-2.6.32.46/drivers/atm/he.c 2011-04-17 15:56:46.000000000 -0400
27162 @@ -1769,7 +1769,7 @@ he_service_rbrq(struct he_dev *he_dev, i
27163
27164 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
27165 hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
27166 - atomic_inc(&vcc->stats->rx_drop);
27167 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27168 goto return_host_buffers;
27169 }
27170
27171 @@ -1802,7 +1802,7 @@ he_service_rbrq(struct he_dev *he_dev, i
27172 RBRQ_LEN_ERR(he_dev->rbrq_head)
27173 ? "LEN_ERR" : "",
27174 vcc->vpi, vcc->vci);
27175 - atomic_inc(&vcc->stats->rx_err);
27176 + atomic_inc_unchecked(&vcc->stats->rx_err);
27177 goto return_host_buffers;
27178 }
27179
27180 @@ -1861,7 +1861,7 @@ he_service_rbrq(struct he_dev *he_dev, i
27181 vcc->push(vcc, skb);
27182 spin_lock(&he_dev->global_lock);
27183
27184 - atomic_inc(&vcc->stats->rx);
27185 + atomic_inc_unchecked(&vcc->stats->rx);
27186
27187 return_host_buffers:
27188 ++pdus_assembled;
27189 @@ -2206,7 +2206,7 @@ __enqueue_tpd(struct he_dev *he_dev, str
27190 tpd->vcc->pop(tpd->vcc, tpd->skb);
27191 else
27192 dev_kfree_skb_any(tpd->skb);
27193 - atomic_inc(&tpd->vcc->stats->tx_err);
27194 + atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
27195 }
27196 pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
27197 return;
27198 @@ -2618,7 +2618,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
27199 vcc->pop(vcc, skb);
27200 else
27201 dev_kfree_skb_any(skb);
27202 - atomic_inc(&vcc->stats->tx_err);
27203 + atomic_inc_unchecked(&vcc->stats->tx_err);
27204 return -EINVAL;
27205 }
27206
27207 @@ -2629,7 +2629,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
27208 vcc->pop(vcc, skb);
27209 else
27210 dev_kfree_skb_any(skb);
27211 - atomic_inc(&vcc->stats->tx_err);
27212 + atomic_inc_unchecked(&vcc->stats->tx_err);
27213 return -EINVAL;
27214 }
27215 #endif
27216 @@ -2641,7 +2641,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
27217 vcc->pop(vcc, skb);
27218 else
27219 dev_kfree_skb_any(skb);
27220 - atomic_inc(&vcc->stats->tx_err);
27221 + atomic_inc_unchecked(&vcc->stats->tx_err);
27222 spin_unlock_irqrestore(&he_dev->global_lock, flags);
27223 return -ENOMEM;
27224 }
27225 @@ -2683,7 +2683,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
27226 vcc->pop(vcc, skb);
27227 else
27228 dev_kfree_skb_any(skb);
27229 - atomic_inc(&vcc->stats->tx_err);
27230 + atomic_inc_unchecked(&vcc->stats->tx_err);
27231 spin_unlock_irqrestore(&he_dev->global_lock, flags);
27232 return -ENOMEM;
27233 }
27234 @@ -2714,7 +2714,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
27235 __enqueue_tpd(he_dev, tpd, cid);
27236 spin_unlock_irqrestore(&he_dev->global_lock, flags);
27237
27238 - atomic_inc(&vcc->stats->tx);
27239 + atomic_inc_unchecked(&vcc->stats->tx);
27240
27241 return 0;
27242 }
27243 diff -urNp linux-2.6.32.46/drivers/atm/horizon.c linux-2.6.32.46/drivers/atm/horizon.c
27244 --- linux-2.6.32.46/drivers/atm/horizon.c 2011-03-27 14:31:47.000000000 -0400
27245 +++ linux-2.6.32.46/drivers/atm/horizon.c 2011-04-17 15:56:46.000000000 -0400
27246 @@ -1033,7 +1033,7 @@ static void rx_schedule (hrz_dev * dev,
27247 {
27248 struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
27249 // VC layer stats
27250 - atomic_inc(&vcc->stats->rx);
27251 + atomic_inc_unchecked(&vcc->stats->rx);
27252 __net_timestamp(skb);
27253 // end of our responsability
27254 vcc->push (vcc, skb);
27255 @@ -1185,7 +1185,7 @@ static void tx_schedule (hrz_dev * const
27256 dev->tx_iovec = NULL;
27257
27258 // VC layer stats
27259 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
27260 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
27261
27262 // free the skb
27263 hrz_kfree_skb (skb);
27264 diff -urNp linux-2.6.32.46/drivers/atm/idt77252.c linux-2.6.32.46/drivers/atm/idt77252.c
27265 --- linux-2.6.32.46/drivers/atm/idt77252.c 2011-03-27 14:31:47.000000000 -0400
27266 +++ linux-2.6.32.46/drivers/atm/idt77252.c 2011-04-17 15:56:46.000000000 -0400
27267 @@ -810,7 +810,7 @@ drain_scq(struct idt77252_dev *card, str
27268 else
27269 dev_kfree_skb(skb);
27270
27271 - atomic_inc(&vcc->stats->tx);
27272 + atomic_inc_unchecked(&vcc->stats->tx);
27273 }
27274
27275 atomic_dec(&scq->used);
27276 @@ -1073,13 +1073,13 @@ dequeue_rx(struct idt77252_dev *card, st
27277 if ((sb = dev_alloc_skb(64)) == NULL) {
27278 printk("%s: Can't allocate buffers for aal0.\n",
27279 card->name);
27280 - atomic_add(i, &vcc->stats->rx_drop);
27281 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
27282 break;
27283 }
27284 if (!atm_charge(vcc, sb->truesize)) {
27285 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
27286 card->name);
27287 - atomic_add(i - 1, &vcc->stats->rx_drop);
27288 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
27289 dev_kfree_skb(sb);
27290 break;
27291 }
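Review bot: The `i - 1` passed to `atomic_add_unchecked()` in the `atm_charge()` failure branch is unexplained here, while the matching line in nicstar.c's dequeue_rx later in this patch carries `/* already increased by 1 */`. Presumably atm_charge() has already counted one drop itself when it refuses the buffer; the same comment on this line would keep the two drivers readable side by side. The enclosing loop in dequeue_rx starts and ends outside the hunk.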
27292 @@ -1096,7 +1096,7 @@ dequeue_rx(struct idt77252_dev *card, st
27293 ATM_SKB(sb)->vcc = vcc;
27294 __net_timestamp(sb);
27295 vcc->push(vcc, sb);
27296 - atomic_inc(&vcc->stats->rx);
27297 + atomic_inc_unchecked(&vcc->stats->rx);
27298
27299 cell += ATM_CELL_PAYLOAD;
27300 }
27301 @@ -1133,13 +1133,13 @@ dequeue_rx(struct idt77252_dev *card, st
27302 "(CDC: %08x)\n",
27303 card->name, len, rpp->len, readl(SAR_REG_CDC));
27304 recycle_rx_pool_skb(card, rpp);
27305 - atomic_inc(&vcc->stats->rx_err);
27306 + atomic_inc_unchecked(&vcc->stats->rx_err);
27307 return;
27308 }
27309 if (stat & SAR_RSQE_CRC) {
27310 RXPRINTK("%s: AAL5 CRC error.\n", card->name);
27311 recycle_rx_pool_skb(card, rpp);
27312 - atomic_inc(&vcc->stats->rx_err);
27313 + atomic_inc_unchecked(&vcc->stats->rx_err);
27314 return;
27315 }
27316 if (skb_queue_len(&rpp->queue) > 1) {
27317 @@ -1150,7 +1150,7 @@ dequeue_rx(struct idt77252_dev *card, st
27318 RXPRINTK("%s: Can't alloc RX skb.\n",
27319 card->name);
27320 recycle_rx_pool_skb(card, rpp);
27321 - atomic_inc(&vcc->stats->rx_err);
27322 + atomic_inc_unchecked(&vcc->stats->rx_err);
27323 return;
27324 }
27325 if (!atm_charge(vcc, skb->truesize)) {
27326 @@ -1169,7 +1169,7 @@ dequeue_rx(struct idt77252_dev *card, st
27327 __net_timestamp(skb);
27328
27329 vcc->push(vcc, skb);
27330 - atomic_inc(&vcc->stats->rx);
27331 + atomic_inc_unchecked(&vcc->stats->rx);
27332
27333 return;
27334 }
27335 @@ -1191,7 +1191,7 @@ dequeue_rx(struct idt77252_dev *card, st
27336 __net_timestamp(skb);
27337
27338 vcc->push(vcc, skb);
27339 - atomic_inc(&vcc->stats->rx);
27340 + atomic_inc_unchecked(&vcc->stats->rx);
27341
27342 if (skb->truesize > SAR_FB_SIZE_3)
27343 add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
27344 @@ -1303,14 +1303,14 @@ idt77252_rx_raw(struct idt77252_dev *car
27345 if (vcc->qos.aal != ATM_AAL0) {
27346 RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
27347 card->name, vpi, vci);
27348 - atomic_inc(&vcc->stats->rx_drop);
27349 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27350 goto drop;
27351 }
27352
27353 if ((sb = dev_alloc_skb(64)) == NULL) {
27354 printk("%s: Can't allocate buffers for AAL0.\n",
27355 card->name);
27356 - atomic_inc(&vcc->stats->rx_err);
27357 + atomic_inc_unchecked(&vcc->stats->rx_err);
27358 goto drop;
27359 }
27360
27361 @@ -1329,7 +1329,7 @@ idt77252_rx_raw(struct idt77252_dev *car
27362 ATM_SKB(sb)->vcc = vcc;
27363 __net_timestamp(sb);
27364 vcc->push(vcc, sb);
27365 - atomic_inc(&vcc->stats->rx);
27366 + atomic_inc_unchecked(&vcc->stats->rx);
27367
27368 drop:
27369 skb_pull(queue, 64);
27370 @@ -1954,13 +1954,13 @@ idt77252_send_skb(struct atm_vcc *vcc, s
27371
27372 if (vc == NULL) {
27373 printk("%s: NULL connection in send().\n", card->name);
27374 - atomic_inc(&vcc->stats->tx_err);
27375 + atomic_inc_unchecked(&vcc->stats->tx_err);
27376 dev_kfree_skb(skb);
27377 return -EINVAL;
27378 }
27379 if (!test_bit(VCF_TX, &vc->flags)) {
27380 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
27381 - atomic_inc(&vcc->stats->tx_err);
27382 + atomic_inc_unchecked(&vcc->stats->tx_err);
27383 dev_kfree_skb(skb);
27384 return -EINVAL;
27385 }
27386 @@ -1972,14 +1972,14 @@ idt77252_send_skb(struct atm_vcc *vcc, s
27387 break;
27388 default:
27389 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
27390 - atomic_inc(&vcc->stats->tx_err);
27391 + atomic_inc_unchecked(&vcc->stats->tx_err);
27392 dev_kfree_skb(skb);
27393 return -EINVAL;
27394 }
27395
27396 if (skb_shinfo(skb)->nr_frags != 0) {
27397 printk("%s: No scatter-gather yet.\n", card->name);
27398 - atomic_inc(&vcc->stats->tx_err);
27399 + atomic_inc_unchecked(&vcc->stats->tx_err);
27400 dev_kfree_skb(skb);
27401 return -EINVAL;
27402 }
27403 @@ -1987,7 +1987,7 @@ idt77252_send_skb(struct atm_vcc *vcc, s
27404
27405 err = queue_skb(card, vc, skb, oam);
27406 if (err) {
27407 - atomic_inc(&vcc->stats->tx_err);
27408 + atomic_inc_unchecked(&vcc->stats->tx_err);
27409 dev_kfree_skb(skb);
27410 return err;
27411 }
27412 @@ -2010,7 +2010,7 @@ idt77252_send_oam(struct atm_vcc *vcc, v
27413 skb = dev_alloc_skb(64);
27414 if (!skb) {
27415 printk("%s: Out of memory in send_oam().\n", card->name);
27416 - atomic_inc(&vcc->stats->tx_err);
27417 + atomic_inc_unchecked(&vcc->stats->tx_err);
27418 return -ENOMEM;
27419 }
27420 atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
27421 diff -urNp linux-2.6.32.46/drivers/atm/iphase.c linux-2.6.32.46/drivers/atm/iphase.c
27422 --- linux-2.6.32.46/drivers/atm/iphase.c 2011-03-27 14:31:47.000000000 -0400
27423 +++ linux-2.6.32.46/drivers/atm/iphase.c 2011-04-17 15:56:46.000000000 -0400
27424 @@ -1123,7 +1123,7 @@ static int rx_pkt(struct atm_dev *dev)
27425 status = (u_short) (buf_desc_ptr->desc_mode);
27426 if (status & (RX_CER | RX_PTE | RX_OFL))
27427 {
27428 - atomic_inc(&vcc->stats->rx_err);
27429 + atomic_inc_unchecked(&vcc->stats->rx_err);
27430 IF_ERR(printk("IA: bad packet, dropping it");)
27431 if (status & RX_CER) {
27432 IF_ERR(printk(" cause: packet CRC error\n");)
27433 @@ -1146,7 +1146,7 @@ static int rx_pkt(struct atm_dev *dev)
27434 len = dma_addr - buf_addr;
27435 if (len > iadev->rx_buf_sz) {
27436 printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
27437 - atomic_inc(&vcc->stats->rx_err);
27438 + atomic_inc_unchecked(&vcc->stats->rx_err);
27439 goto out_free_desc;
27440 }
27441
27442 @@ -1296,7 +1296,7 @@ static void rx_dle_intr(struct atm_dev *
27443 ia_vcc = INPH_IA_VCC(vcc);
27444 if (ia_vcc == NULL)
27445 {
27446 - atomic_inc(&vcc->stats->rx_err);
27447 + atomic_inc_unchecked(&vcc->stats->rx_err);
27448 dev_kfree_skb_any(skb);
27449 atm_return(vcc, atm_guess_pdu2truesize(len));
27450 goto INCR_DLE;
27451 @@ -1308,7 +1308,7 @@ static void rx_dle_intr(struct atm_dev *
27452 if ((length > iadev->rx_buf_sz) || (length >
27453 (skb->len - sizeof(struct cpcs_trailer))))
27454 {
27455 - atomic_inc(&vcc->stats->rx_err);
27456 + atomic_inc_unchecked(&vcc->stats->rx_err);
27457 IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
27458 length, skb->len);)
27459 dev_kfree_skb_any(skb);
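Review bot: The bound `length > (skb->len - sizeof(struct cpcs_trailer))` subtracts in unsigned arithmetic, so if `skb->len` is ever smaller than the trailer the difference wraps to a huge value and the check stops rejecting an oversized `length`. Whether earlier code in rx_dle_intr guarantees a minimum `skb->len` is outside the hunk; if it does not, the condition should start with `(skb->len < sizeof(struct cpcs_trailer)) ||`. The counter conversion itself leaves this condition untouched.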
27460 @@ -1324,7 +1324,7 @@ static void rx_dle_intr(struct atm_dev *
27461
27462 IF_RX(printk("rx_dle_intr: skb push");)
27463 vcc->push(vcc,skb);
27464 - atomic_inc(&vcc->stats->rx);
27465 + atomic_inc_unchecked(&vcc->stats->rx);
27466 iadev->rx_pkt_cnt++;
27467 }
27468 INCR_DLE:
27469 @@ -2806,15 +2806,15 @@ static int ia_ioctl(struct atm_dev *dev,
27470 {
27471 struct k_sonet_stats *stats;
27472 stats = &PRIV(_ia_dev[board])->sonet_stats;
27473 - printk("section_bip: %d\n", atomic_read(&stats->section_bip));
27474 - printk("line_bip : %d\n", atomic_read(&stats->line_bip));
27475 - printk("path_bip : %d\n", atomic_read(&stats->path_bip));
27476 - printk("line_febe : %d\n", atomic_read(&stats->line_febe));
27477 - printk("path_febe : %d\n", atomic_read(&stats->path_febe));
27478 - printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
27479 - printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
27480 - printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
27481 - printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
27482 + printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
27483 + printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
27484 + printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
27485 + printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
27486 + printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
27487 + printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
27488 + printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
27489 + printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
27490 + printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
27491 }
27492 ia_cmds.status = 0;
27493 break;
27494 @@ -2919,7 +2919,7 @@ static int ia_pkt_tx (struct atm_vcc *vc
27495 if ((desc == 0) || (desc > iadev->num_tx_desc))
27496 {
27497 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
27498 - atomic_inc(&vcc->stats->tx);
27499 + atomic_inc_unchecked(&vcc->stats->tx);
27500 if (vcc->pop)
27501 vcc->pop(vcc, skb);
27502 else
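Review bot: The invalid-descriptor branch counts the rejected packet in `stats->tx`, the same counter the success path of ia_pkt_tx increments in the next hunk, so failed sends are reported as transmitted. Unless that is deliberate, this line should read `atomic_inc_unchecked(&vcc->stats->tx_err);`. The conversion keeps the counter the original code used, so the mismatch predates this patch; the rest of the branch lies outside the hunk.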
27503 @@ -3024,14 +3024,14 @@ static int ia_pkt_tx (struct atm_vcc *vc
27504 ATM_DESC(skb) = vcc->vci;
27505 skb_queue_tail(&iadev->tx_dma_q, skb);
27506
27507 - atomic_inc(&vcc->stats->tx);
27508 + atomic_inc_unchecked(&vcc->stats->tx);
27509 iadev->tx_pkt_cnt++;
27510 /* Increment transaction counter */
27511 writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
27512
27513 #if 0
27514 /* add flow control logic */
27515 - if (atomic_read(&vcc->stats->tx) % 20 == 0) {
27516 + if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
27517 if (iavcc->vc_desc_cnt > 10) {
27518 vcc->tx_quota = vcc->tx_quota * 3 / 4;
27519 printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
27520 diff -urNp linux-2.6.32.46/drivers/atm/lanai.c linux-2.6.32.46/drivers/atm/lanai.c
27521 --- linux-2.6.32.46/drivers/atm/lanai.c 2011-03-27 14:31:47.000000000 -0400
27522 +++ linux-2.6.32.46/drivers/atm/lanai.c 2011-04-17 15:56:46.000000000 -0400
27523 @@ -1305,7 +1305,7 @@ static void lanai_send_one_aal5(struct l
27524 vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
27525 lanai_endtx(lanai, lvcc);
27526 lanai_free_skb(lvcc->tx.atmvcc, skb);
27527 - atomic_inc(&lvcc->tx.atmvcc->stats->tx);
27528 + atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
27529 }
27530
27531 /* Try to fill the buffer - don't call unless there is backlog */
27532 @@ -1428,7 +1428,7 @@ static void vcc_rx_aal5(struct lanai_vcc
27533 ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
27534 __net_timestamp(skb);
27535 lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
27536 - atomic_inc(&lvcc->rx.atmvcc->stats->rx);
27537 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
27538 out:
27539 lvcc->rx.buf.ptr = end;
27540 cardvcc_write(lvcc, endptr, vcc_rxreadptr);
27541 @@ -1670,7 +1670,7 @@ static int handle_service(struct lanai_d
27542 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
27543 "vcc %d\n", lanai->number, (unsigned int) s, vci);
27544 lanai->stats.service_rxnotaal5++;
27545 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
27546 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
27547 return 0;
27548 }
27549 if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
27550 @@ -1682,7 +1682,7 @@ static int handle_service(struct lanai_d
27551 int bytes;
27552 read_unlock(&vcc_sklist_lock);
27553 DPRINTK("got trashed rx pdu on vci %d\n", vci);
27554 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
27555 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
27556 lvcc->stats.x.aal5.service_trash++;
27557 bytes = (SERVICE_GET_END(s) * 16) -
27558 (((unsigned long) lvcc->rx.buf.ptr) -
27559 @@ -1694,7 +1694,7 @@ static int handle_service(struct lanai_d
27560 }
27561 if (s & SERVICE_STREAM) {
27562 read_unlock(&vcc_sklist_lock);
27563 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
27564 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
27565 lvcc->stats.x.aal5.service_stream++;
27566 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
27567 "PDU on VCI %d!\n", lanai->number, vci);
27568 @@ -1702,7 +1702,7 @@ static int handle_service(struct lanai_d
27569 return 0;
27570 }
27571 DPRINTK("got rx crc error on vci %d\n", vci);
27572 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
27573 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
27574 lvcc->stats.x.aal5.service_rxcrc++;
27575 lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
27576 cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
27577 diff -urNp linux-2.6.32.46/drivers/atm/nicstar.c linux-2.6.32.46/drivers/atm/nicstar.c
27578 --- linux-2.6.32.46/drivers/atm/nicstar.c 2011-03-27 14:31:47.000000000 -0400
27579 +++ linux-2.6.32.46/drivers/atm/nicstar.c 2011-04-17 15:56:46.000000000 -0400
27580 @@ -1723,7 +1723,7 @@ static int ns_send(struct atm_vcc *vcc,
27581 if ((vc = (vc_map *) vcc->dev_data) == NULL)
27582 {
27583 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n", card->index);
27584 - atomic_inc(&vcc->stats->tx_err);
27585 + atomic_inc_unchecked(&vcc->stats->tx_err);
27586 dev_kfree_skb_any(skb);
27587 return -EINVAL;
27588 }
27589 @@ -1731,7 +1731,7 @@ static int ns_send(struct atm_vcc *vcc,
27590 if (!vc->tx)
27591 {
27592 printk("nicstar%d: Trying to transmit on a non-tx VC.\n", card->index);
27593 - atomic_inc(&vcc->stats->tx_err);
27594 + atomic_inc_unchecked(&vcc->stats->tx_err);
27595 dev_kfree_skb_any(skb);
27596 return -EINVAL;
27597 }
27598 @@ -1739,7 +1739,7 @@ static int ns_send(struct atm_vcc *vcc,
27599 if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0)
27600 {
27601 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n", card->index);
27602 - atomic_inc(&vcc->stats->tx_err);
27603 + atomic_inc_unchecked(&vcc->stats->tx_err);
27604 dev_kfree_skb_any(skb);
27605 return -EINVAL;
27606 }
27607 @@ -1747,7 +1747,7 @@ static int ns_send(struct atm_vcc *vcc,
27608 if (skb_shinfo(skb)->nr_frags != 0)
27609 {
27610 printk("nicstar%d: No scatter-gather yet.\n", card->index);
27611 - atomic_inc(&vcc->stats->tx_err);
27612 + atomic_inc_unchecked(&vcc->stats->tx_err);
27613 dev_kfree_skb_any(skb);
27614 return -EINVAL;
27615 }
27616 @@ -1792,11 +1792,11 @@ static int ns_send(struct atm_vcc *vcc,
27617
27618 if (push_scqe(card, vc, scq, &scqe, skb) != 0)
27619 {
27620 - atomic_inc(&vcc->stats->tx_err);
27621 + atomic_inc_unchecked(&vcc->stats->tx_err);
27622 dev_kfree_skb_any(skb);
27623 return -EIO;
27624 }
27625 - atomic_inc(&vcc->stats->tx);
27626 + atomic_inc_unchecked(&vcc->stats->tx);
27627
27628 return 0;
27629 }
27630 @@ -2111,14 +2111,14 @@ static void dequeue_rx(ns_dev *card, ns_
27631 {
27632 printk("nicstar%d: Can't allocate buffers for aal0.\n",
27633 card->index);
27634 - atomic_add(i,&vcc->stats->rx_drop);
27635 + atomic_add_unchecked(i,&vcc->stats->rx_drop);
27636 break;
27637 }
27638 if (!atm_charge(vcc, sb->truesize))
27639 {
27640 RXPRINTK("nicstar%d: atm_charge() dropped aal0 packets.\n",
27641 card->index);
27642 - atomic_add(i-1,&vcc->stats->rx_drop); /* already increased by 1 */
27643 + atomic_add_unchecked(i-1,&vcc->stats->rx_drop); /* already increased by 1 */
27644 dev_kfree_skb_any(sb);
27645 break;
27646 }
27647 @@ -2133,7 +2133,7 @@ static void dequeue_rx(ns_dev *card, ns_
27648 ATM_SKB(sb)->vcc = vcc;
27649 __net_timestamp(sb);
27650 vcc->push(vcc, sb);
27651 - atomic_inc(&vcc->stats->rx);
27652 + atomic_inc_unchecked(&vcc->stats->rx);
27653 cell += ATM_CELL_PAYLOAD;
27654 }
27655
27656 @@ -2152,7 +2152,7 @@ static void dequeue_rx(ns_dev *card, ns_
27657 if (iovb == NULL)
27658 {
27659 printk("nicstar%d: Out of iovec buffers.\n", card->index);
27660 - atomic_inc(&vcc->stats->rx_drop);
27661 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27662 recycle_rx_buf(card, skb);
27663 return;
27664 }
27665 @@ -2182,7 +2182,7 @@ static void dequeue_rx(ns_dev *card, ns_
27666 else if (NS_SKB(iovb)->iovcnt >= NS_MAX_IOVECS)
27667 {
27668 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
27669 - atomic_inc(&vcc->stats->rx_err);
27670 + atomic_inc_unchecked(&vcc->stats->rx_err);
27671 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data, NS_MAX_IOVECS);
27672 NS_SKB(iovb)->iovcnt = 0;
27673 iovb->len = 0;
27674 @@ -2202,7 +2202,7 @@ static void dequeue_rx(ns_dev *card, ns_
27675 printk("nicstar%d: Expected a small buffer, and this is not one.\n",
27676 card->index);
27677 which_list(card, skb);
27678 - atomic_inc(&vcc->stats->rx_err);
27679 + atomic_inc_unchecked(&vcc->stats->rx_err);
27680 recycle_rx_buf(card, skb);
27681 vc->rx_iov = NULL;
27682 recycle_iov_buf(card, iovb);
27683 @@ -2216,7 +2216,7 @@ static void dequeue_rx(ns_dev *card, ns_
27684 printk("nicstar%d: Expected a large buffer, and this is not one.\n",
27685 card->index);
27686 which_list(card, skb);
27687 - atomic_inc(&vcc->stats->rx_err);
27688 + atomic_inc_unchecked(&vcc->stats->rx_err);
27689 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
27690 NS_SKB(iovb)->iovcnt);
27691 vc->rx_iov = NULL;
27692 @@ -2240,7 +2240,7 @@ static void dequeue_rx(ns_dev *card, ns_
27693 printk(" - PDU size mismatch.\n");
27694 else
27695 printk(".\n");
27696 - atomic_inc(&vcc->stats->rx_err);
27697 + atomic_inc_unchecked(&vcc->stats->rx_err);
27698 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
27699 NS_SKB(iovb)->iovcnt);
27700 vc->rx_iov = NULL;
27701 @@ -2256,7 +2256,7 @@ static void dequeue_rx(ns_dev *card, ns_
27702 if (!atm_charge(vcc, skb->truesize))
27703 {
27704 push_rxbufs(card, skb);
27705 - atomic_inc(&vcc->stats->rx_drop);
27706 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27707 }
27708 else
27709 {
27710 @@ -2268,7 +2268,7 @@ static void dequeue_rx(ns_dev *card, ns_
27711 ATM_SKB(skb)->vcc = vcc;
27712 __net_timestamp(skb);
27713 vcc->push(vcc, skb);
27714 - atomic_inc(&vcc->stats->rx);
27715 + atomic_inc_unchecked(&vcc->stats->rx);
27716 }
27717 }
27718 else if (NS_SKB(iovb)->iovcnt == 2) /* One small plus one large buffer */
27719 @@ -2283,7 +2283,7 @@ static void dequeue_rx(ns_dev *card, ns_
27720 if (!atm_charge(vcc, sb->truesize))
27721 {
27722 push_rxbufs(card, sb);
27723 - atomic_inc(&vcc->stats->rx_drop);
27724 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27725 }
27726 else
27727 {
27728 @@ -2295,7 +2295,7 @@ static void dequeue_rx(ns_dev *card, ns_
27729 ATM_SKB(sb)->vcc = vcc;
27730 __net_timestamp(sb);
27731 vcc->push(vcc, sb);
27732 - atomic_inc(&vcc->stats->rx);
27733 + atomic_inc_unchecked(&vcc->stats->rx);
27734 }
27735
27736 push_rxbufs(card, skb);
27737 @@ -2306,7 +2306,7 @@ static void dequeue_rx(ns_dev *card, ns_
27738 if (!atm_charge(vcc, skb->truesize))
27739 {
27740 push_rxbufs(card, skb);
27741 - atomic_inc(&vcc->stats->rx_drop);
27742 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27743 }
27744 else
27745 {
27746 @@ -2320,7 +2320,7 @@ static void dequeue_rx(ns_dev *card, ns_
27747 ATM_SKB(skb)->vcc = vcc;
27748 __net_timestamp(skb);
27749 vcc->push(vcc, skb);
27750 - atomic_inc(&vcc->stats->rx);
27751 + atomic_inc_unchecked(&vcc->stats->rx);
27752 }
27753
27754 push_rxbufs(card, sb);
27755 @@ -2342,7 +2342,7 @@ static void dequeue_rx(ns_dev *card, ns_
27756 if (hb == NULL)
27757 {
27758 printk("nicstar%d: Out of huge buffers.\n", card->index);
27759 - atomic_inc(&vcc->stats->rx_drop);
27760 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27761 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
27762 NS_SKB(iovb)->iovcnt);
27763 vc->rx_iov = NULL;
27764 @@ -2393,7 +2393,7 @@ static void dequeue_rx(ns_dev *card, ns_
27765 }
27766 else
27767 dev_kfree_skb_any(hb);
27768 - atomic_inc(&vcc->stats->rx_drop);
27769 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27770 }
27771 else
27772 {
27773 @@ -2427,7 +2427,7 @@ static void dequeue_rx(ns_dev *card, ns_
27774 #endif /* NS_USE_DESTRUCTORS */
27775 __net_timestamp(hb);
27776 vcc->push(vcc, hb);
27777 - atomic_inc(&vcc->stats->rx);
27778 + atomic_inc_unchecked(&vcc->stats->rx);
27779 }
27780 }
27781
27782 diff -urNp linux-2.6.32.46/drivers/atm/solos-pci.c linux-2.6.32.46/drivers/atm/solos-pci.c
27783 --- linux-2.6.32.46/drivers/atm/solos-pci.c 2011-04-17 17:00:52.000000000 -0400
27784 +++ linux-2.6.32.46/drivers/atm/solos-pci.c 2011-05-16 21:46:57.000000000 -0400
27785 @@ -708,7 +708,7 @@ void solos_bh(unsigned long card_arg)
27786 }
27787 atm_charge(vcc, skb->truesize);
27788 vcc->push(vcc, skb);
27789 - atomic_inc(&vcc->stats->rx);
27790 + atomic_inc_unchecked(&vcc->stats->rx);
27791 break;
27792
27793 case PKT_STATUS:
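Review bot: The return value of `atm_charge(vcc, skb->truesize)` is discarded and the skb is pushed regardless, whereas the idt77252.c and nicstar.c receive paths in this same patch test `if (!atm_charge(...))` and drop the buffer. If atm_charge() can refuse the charge here, the packet is delivered past the socket's receive accounting; a guard along the lines of `if (!atm_charge(vcc, skb->truesize)) { dev_kfree_skb_any(skb); break; }` would match the other drivers. The start of this case in solos_bh is outside the hunk, so an earlier check cannot be ruled out.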
27794 @@ -914,6 +914,8 @@ static int print_buffer(struct sk_buff *
27795 char msg[500];
27796 char item[10];
27797
27798 + pax_track_stack();
27799 +
27800 len = buf->len;
27801 for (i = 0; i < len; i++){
27802 if(i % 8 == 0)
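Review bot: The added `pax_track_stack();` has no comment saying why print_buffer needs it, and the reason is easy to lose when the buffers are later resized. Presumably it is there because `msg[500]` and `item[10]` make this an unusually large frame; a line such as `/* large on-stack buffers: record stack depth for stack sanitizing */` above the call would state that. The formatting loop that fills `msg` continues outside the hunk.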
27803 @@ -1023,7 +1025,7 @@ static uint32_t fpga_tx(struct solos_car
27804 vcc = SKB_CB(oldskb)->vcc;
27805
27806 if (vcc) {
27807 - atomic_inc(&vcc->stats->tx);
27808 + atomic_inc_unchecked(&vcc->stats->tx);
27809 solos_pop(vcc, oldskb);
27810 } else
27811 dev_kfree_skb_irq(oldskb);
27812 diff -urNp linux-2.6.32.46/drivers/atm/suni.c linux-2.6.32.46/drivers/atm/suni.c
27813 --- linux-2.6.32.46/drivers/atm/suni.c 2011-03-27 14:31:47.000000000 -0400
27814 +++ linux-2.6.32.46/drivers/atm/suni.c 2011-04-17 15:56:46.000000000 -0400
27815 @@ -49,8 +49,8 @@ static DEFINE_SPINLOCK(sunis_lock);
27816
27817
27818 #define ADD_LIMITED(s,v) \
27819 - atomic_add((v),&stats->s); \
27820 - if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
27821 + atomic_add_unchecked((v),&stats->s); \
27822 + if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
27823
27824
27825 static void suni_hz(unsigned long from_timer)
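Review bot: ADD_LIMITED still expands to two bare statements, so a use under an unbraced `if` or `else` would make only the add conditional; wrapping the body in `do { ... } while (0)` removes that hazard (the uPD98402.c variant later in this patch uses plain braces, which leaves the trailing-semicolon problem instead). The switch to the `_unchecked` helpers also deserves a one-line comment such as `/* wrap is expected: the < 0 test below is the saturation check */`, because the macro depends on the counter going negative. The add and the clamp are separate atomic operations, so a concurrent reader can briefly observe a negative value.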
27826 diff -urNp linux-2.6.32.46/drivers/atm/uPD98402.c linux-2.6.32.46/drivers/atm/uPD98402.c
27827 --- linux-2.6.32.46/drivers/atm/uPD98402.c 2011-03-27 14:31:47.000000000 -0400
27828 +++ linux-2.6.32.46/drivers/atm/uPD98402.c 2011-04-17 15:56:46.000000000 -0400
27829 @@ -41,7 +41,7 @@ static int fetch_stats(struct atm_dev *d
27830 struct sonet_stats tmp;
27831 int error = 0;
27832
27833 - atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
27834 + atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
27835 sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
27836 if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
27837 if (zero && !error) {
27838 @@ -160,9 +160,9 @@ static int uPD98402_ioctl(struct atm_dev
27839
27840
27841 #define ADD_LIMITED(s,v) \
27842 - { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
27843 - if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
27844 - atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
27845 + { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
27846 + if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
27847 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
27848
27849
27850 static void stat_event(struct atm_dev *dev)
27851 @@ -193,7 +193,7 @@ static void uPD98402_int(struct atm_dev
27852 if (reason & uPD98402_INT_PFM) stat_event(dev);
27853 if (reason & uPD98402_INT_PCO) {
27854 (void) GET(PCOCR); /* clear interrupt cause */
27855 - atomic_add(GET(HECCT),
27856 + atomic_add_unchecked(GET(HECCT),
27857 &PRIV(dev)->sonet_stats.uncorr_hcs);
27858 }
27859 if ((reason & uPD98402_INT_RFO) &&
27860 @@ -221,9 +221,9 @@ static int uPD98402_start(struct atm_dev
27861 PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
27862 uPD98402_INT_LOS),PIMR); /* enable them */
27863 (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
27864 - atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
27865 - atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
27866 - atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
27867 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
27868 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
27869 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
27870 return 0;
27871 }
27872
27873 diff -urNp linux-2.6.32.46/drivers/atm/zatm.c linux-2.6.32.46/drivers/atm/zatm.c
27874 --- linux-2.6.32.46/drivers/atm/zatm.c 2011-03-27 14:31:47.000000000 -0400
27875 +++ linux-2.6.32.46/drivers/atm/zatm.c 2011-04-17 15:56:46.000000000 -0400
27876 @@ -458,7 +458,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
27877 }
27878 if (!size) {
27879 dev_kfree_skb_irq(skb);
27880 - if (vcc) atomic_inc(&vcc->stats->rx_err);
27881 + if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
27882 continue;
27883 }
27884 if (!atm_charge(vcc,skb->truesize)) {
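Review bot: `vcc` is NULL-checked on the changed line but passed unguarded to `atm_charge(vcc,skb->truesize)` two statements later, which is safe only if every path that leaves `vcc` NULL also leaves `size` at zero so the `continue` is taken. That invariant is set up above the hunk and is not visible here. A comment on the `if (!size)` branch, for example `/* vcc == NULL implies size == 0, so the code below always has a vcc */`, would record it, or the later call can be guarded explicitly.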
27885 @@ -468,7 +468,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
27886 skb->len = size;
27887 ATM_SKB(skb)->vcc = vcc;
27888 vcc->push(vcc,skb);
27889 - atomic_inc(&vcc->stats->rx);
27890 + atomic_inc_unchecked(&vcc->stats->rx);
27891 }
27892 zout(pos & 0xffff,MTA(mbx));
27893 #if 0 /* probably a stupid idea */
27894 @@ -732,7 +732,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD
27895 skb_queue_head(&zatm_vcc->backlog,skb);
27896 break;
27897 }
27898 - atomic_inc(&vcc->stats->tx);
27899 + atomic_inc_unchecked(&vcc->stats->tx);
27900 wake_up(&zatm_vcc->tx_wait);
27901 }
27902
27903 diff -urNp linux-2.6.32.46/drivers/base/bus.c linux-2.6.32.46/drivers/base/bus.c
27904 --- linux-2.6.32.46/drivers/base/bus.c 2011-03-27 14:31:47.000000000 -0400
27905 +++ linux-2.6.32.46/drivers/base/bus.c 2011-04-17 15:56:46.000000000 -0400
27906 @@ -70,7 +70,7 @@ static ssize_t drv_attr_store(struct kob
27907 return ret;
27908 }
27909
27910 -static struct sysfs_ops driver_sysfs_ops = {
27911 +static const struct sysfs_ops driver_sysfs_ops = {
27912 .show = drv_attr_show,
27913 .store = drv_attr_store,
27914 };
27915 @@ -115,7 +115,7 @@ static ssize_t bus_attr_store(struct kob
27916 return ret;
27917 }
27918
27919 -static struct sysfs_ops bus_sysfs_ops = {
27920 +static const struct sysfs_ops bus_sysfs_ops = {
27921 .show = bus_attr_show,
27922 .store = bus_attr_store,
27923 };
27924 @@ -154,7 +154,7 @@ static int bus_uevent_filter(struct kset
27925 return 0;
27926 }
27927
27928 -static struct kset_uevent_ops bus_uevent_ops = {
27929 +static const struct kset_uevent_ops bus_uevent_ops = {
27930 .filter = bus_uevent_filter,
27931 };
27932
27933 diff -urNp linux-2.6.32.46/drivers/base/class.c linux-2.6.32.46/drivers/base/class.c
27934 --- linux-2.6.32.46/drivers/base/class.c 2011-03-27 14:31:47.000000000 -0400
27935 +++ linux-2.6.32.46/drivers/base/class.c 2011-04-17 15:56:46.000000000 -0400
27936 @@ -63,7 +63,7 @@ static void class_release(struct kobject
27937 kfree(cp);
27938 }
27939
27940 -static struct sysfs_ops class_sysfs_ops = {
27941 +static const struct sysfs_ops class_sysfs_ops = {
27942 .show = class_attr_show,
27943 .store = class_attr_store,
27944 };
27945 diff -urNp linux-2.6.32.46/drivers/base/core.c linux-2.6.32.46/drivers/base/core.c
27946 --- linux-2.6.32.46/drivers/base/core.c 2011-03-27 14:31:47.000000000 -0400
27947 +++ linux-2.6.32.46/drivers/base/core.c 2011-04-17 15:56:46.000000000 -0400
27948 @@ -100,7 +100,7 @@ static ssize_t dev_attr_store(struct kob
27949 return ret;
27950 }
27951
27952 -static struct sysfs_ops dev_sysfs_ops = {
27953 +static const struct sysfs_ops dev_sysfs_ops = {
27954 .show = dev_attr_show,
27955 .store = dev_attr_store,
27956 };
27957 @@ -252,7 +252,7 @@ static int dev_uevent(struct kset *kset,
27958 return retval;
27959 }
27960
27961 -static struct kset_uevent_ops device_uevent_ops = {
27962 +static const struct kset_uevent_ops device_uevent_ops = {
27963 .filter = dev_uevent_filter,
27964 .name = dev_uevent_name,
27965 .uevent = dev_uevent,
27966 diff -urNp linux-2.6.32.46/drivers/base/memory.c linux-2.6.32.46/drivers/base/memory.c
27967 --- linux-2.6.32.46/drivers/base/memory.c 2011-03-27 14:31:47.000000000 -0400
27968 +++ linux-2.6.32.46/drivers/base/memory.c 2011-04-17 15:56:46.000000000 -0400
27969 @@ -44,7 +44,7 @@ static int memory_uevent(struct kset *ks
27970 return retval;
27971 }
27972
27973 -static struct kset_uevent_ops memory_uevent_ops = {
27974 +static const struct kset_uevent_ops memory_uevent_ops = {
27975 .name = memory_uevent_name,
27976 .uevent = memory_uevent,
27977 };
27978 diff -urNp linux-2.6.32.46/drivers/base/sys.c linux-2.6.32.46/drivers/base/sys.c
27979 --- linux-2.6.32.46/drivers/base/sys.c 2011-03-27 14:31:47.000000000 -0400
27980 +++ linux-2.6.32.46/drivers/base/sys.c 2011-04-17 15:56:46.000000000 -0400
27981 @@ -54,7 +54,7 @@ sysdev_store(struct kobject *kobj, struc
27982 return -EIO;
27983 }
27984
27985 -static struct sysfs_ops sysfs_ops = {
27986 +static const struct sysfs_ops sysfs_ops = {
27987 .show = sysdev_show,
27988 .store = sysdev_store,
27989 };
27990 @@ -104,7 +104,7 @@ static ssize_t sysdev_class_store(struct
27991 return -EIO;
27992 }
27993
27994 -static struct sysfs_ops sysfs_class_ops = {
27995 +static const struct sysfs_ops sysfs_class_ops = {
27996 .show = sysdev_class_show,
27997 .store = sysdev_class_store,
27998 };
27999 diff -urNp linux-2.6.32.46/drivers/block/cciss.c linux-2.6.32.46/drivers/block/cciss.c
28000 --- linux-2.6.32.46/drivers/block/cciss.c 2011-03-27 14:31:47.000000000 -0400
28001 +++ linux-2.6.32.46/drivers/block/cciss.c 2011-08-05 20:33:55.000000000 -0400
28002 @@ -1011,6 +1011,8 @@ static int cciss_ioctl32_passthru(struct
28003 int err;
28004 u32 cp;
28005
28006 + memset(&arg64, 0, sizeof(arg64));
28007 +
28008 err = 0;
28009 err |=
28010 copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
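Review bot: The new `memset(&arg64, 0, sizeof(arg64));` is missing a comment explaining what it protects against, so it risks being removed as redundant given that the fields are filled by the `copy_from_user()` calls that follow. Presumably it ensures padding and any field not copied from `arg32` carry no stale stack bytes when `arg64` is handed on; where it is handed on is outside the hunk. Something like `/* clear padding and unset fields so no stack contents travel with arg64 */` above the call would do.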
28011 @@ -2852,7 +2854,7 @@ static unsigned long pollcomplete(int ct
28012 /* Wait (up to 20 seconds) for a command to complete */
28013
28014 for (i = 20 * HZ; i > 0; i--) {
28015 - done = hba[ctlr]->access.command_completed(hba[ctlr]);
28016 + done = hba[ctlr]->access->command_completed(hba[ctlr]);
28017 if (done == FIFO_EMPTY)
28018 schedule_timeout_uninterruptible(1);
28019 else
28020 @@ -2876,7 +2878,7 @@ static int sendcmd_core(ctlr_info_t *h,
28021 resend_cmd1:
28022
28023 /* Disable interrupt on the board. */
28024 - h->access.set_intr_mask(h, CCISS_INTR_OFF);
28025 + h->access->set_intr_mask(h, CCISS_INTR_OFF);
28026
28027 /* Make sure there is room in the command FIFO */
28028 /* Actually it should be completely empty at this time */
28029 @@ -2884,13 +2886,13 @@ resend_cmd1:
28030 /* tape side of the driver. */
28031 for (i = 200000; i > 0; i--) {
28032 /* if fifo isn't full go */
28033 - if (!(h->access.fifo_full(h)))
28034 + if (!(h->access->fifo_full(h)))
28035 break;
28036 udelay(10);
28037 printk(KERN_WARNING "cciss cciss%d: SendCmd FIFO full,"
28038 " waiting!\n", h->ctlr);
28039 }
28040 - h->access.submit_command(h, c); /* Send the cmd */
28041 + h->access->submit_command(h, c); /* Send the cmd */
28042 do {
28043 complete = pollcomplete(h->ctlr);
28044
28045 @@ -3023,7 +3025,7 @@ static void start_io(ctlr_info_t *h)
28046 while (!hlist_empty(&h->reqQ)) {
28047 c = hlist_entry(h->reqQ.first, CommandList_struct, list);
28048 /* can't do anything if fifo is full */
28049 - if ((h->access.fifo_full(h))) {
28050 + if ((h->access->fifo_full(h))) {
28051 printk(KERN_WARNING "cciss: fifo full\n");
28052 break;
28053 }
28054 @@ -3033,7 +3035,7 @@ static void start_io(ctlr_info_t *h)
28055 h->Qdepth--;
28056
28057 /* Tell the controller execute command */
28058 - h->access.submit_command(h, c);
28059 + h->access->submit_command(h, c);
28060
28061 /* Put job onto the completed Q */
28062 addQ(&h->cmpQ, c);
28063 @@ -3393,17 +3395,17 @@ startio:
28064
28065 static inline unsigned long get_next_completion(ctlr_info_t *h)
28066 {
28067 - return h->access.command_completed(h);
28068 + return h->access->command_completed(h);
28069 }
28070
28071 static inline int interrupt_pending(ctlr_info_t *h)
28072 {
28073 - return h->access.intr_pending(h);
28074 + return h->access->intr_pending(h);
28075 }
28076
28077 static inline long interrupt_not_for_us(ctlr_info_t *h)
28078 {
28079 - return (((h->access.intr_pending(h) == 0) ||
28080 + return (((h->access->intr_pending(h) == 0) ||
28081 (h->interrupts_enabled == 0)));
28082 }
28083
28084 @@ -3892,7 +3894,7 @@ static int __devinit cciss_pci_init(ctlr
28085 */
28086 c->max_commands = readl(&(c->cfgtable->CmdsOutMax));
28087 c->product_name = products[prod_index].product_name;
28088 - c->access = *(products[prod_index].access);
28089 + c->access = products[prod_index].access;
28090 c->nr_cmds = c->max_commands - 4;
28091 if ((readb(&c->cfgtable->Signature[0]) != 'C') ||
28092 (readb(&c->cfgtable->Signature[1]) != 'I') ||
28093 @@ -4291,7 +4293,7 @@ static int __devinit cciss_init_one(stru
28094 }
28095
28096 /* make sure the board interrupts are off */
28097 - hba[i]->access.set_intr_mask(hba[i], CCISS_INTR_OFF);
28098 + hba[i]->access->set_intr_mask(hba[i], CCISS_INTR_OFF);
28099 if (request_irq(hba[i]->intr[SIMPLE_MODE_INT], do_cciss_intr,
28100 IRQF_DISABLED | IRQF_SHARED, hba[i]->devname, hba[i])) {
28101 printk(KERN_ERR "cciss: Unable to get irq %d for %s\n",
28102 @@ -4341,7 +4343,7 @@ static int __devinit cciss_init_one(stru
28103 cciss_scsi_setup(i);
28104
28105 /* Turn the interrupts on so we can service requests */
28106 - hba[i]->access.set_intr_mask(hba[i], CCISS_INTR_ON);
28107 + hba[i]->access->set_intr_mask(hba[i], CCISS_INTR_ON);
28108
28109 /* Get the firmware version */
28110 inq_buff = kzalloc(sizeof(InquiryData_struct), GFP_KERNEL);
28111 diff -urNp linux-2.6.32.46/drivers/block/cciss.h linux-2.6.32.46/drivers/block/cciss.h
28112 --- linux-2.6.32.46/drivers/block/cciss.h 2011-08-09 18:35:28.000000000 -0400
28113 +++ linux-2.6.32.46/drivers/block/cciss.h 2011-08-09 18:33:59.000000000 -0400
28114 @@ -90,7 +90,7 @@ struct ctlr_info
28115 // information about each logical volume
28116 drive_info_struct *drv[CISS_MAX_LUN];
28117
28118 - struct access_method access;
28119 + struct access_method *access;
28120
28121 /* queue and queue Info */
28122 struct hlist_head reqQ;
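Review bot: `struct access_method *access;` could be declared `const struct access_method *access;`. Every use in the cciss.c hunks only calls through the pointer (`h->access->fifo_full(h)`, `h->access->submit_command(h, c)`), and each controller now points at the table in products[] instead of holding a private copy, so a stray write through the pointer would affect every controller of that type. A const pointer lets the compiler reject such a write and matches the `static const struct sysfs_ops` changes elsewhere in this patch. This assumes the `access` member of the products[] entries is a plain `struct access_method *`, which converts without a cast; the same change applies to struct ctlr_info in cpqarray.h.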
28123 diff -urNp linux-2.6.32.46/drivers/block/cpqarray.c linux-2.6.32.46/drivers/block/cpqarray.c
28124 --- linux-2.6.32.46/drivers/block/cpqarray.c 2011-03-27 14:31:47.000000000 -0400
28125 +++ linux-2.6.32.46/drivers/block/cpqarray.c 2011-08-05 20:33:55.000000000 -0400
28126 @@ -402,7 +402,7 @@ static int __init cpqarray_register_ctlr
28127 if (register_blkdev(COMPAQ_SMART2_MAJOR+i, hba[i]->devname)) {
28128 goto Enomem4;
28129 }
28130 - hba[i]->access.set_intr_mask(hba[i], 0);
28131 + hba[i]->access->set_intr_mask(hba[i], 0);
28132 if (request_irq(hba[i]->intr, do_ida_intr,
28133 IRQF_DISABLED|IRQF_SHARED, hba[i]->devname, hba[i]))
28134 {
28135 @@ -460,7 +460,7 @@ static int __init cpqarray_register_ctlr
28136 add_timer(&hba[i]->timer);
28137
28138 /* Enable IRQ now that spinlock and rate limit timer are set up */
28139 - hba[i]->access.set_intr_mask(hba[i], FIFO_NOT_EMPTY);
28140 + hba[i]->access->set_intr_mask(hba[i], FIFO_NOT_EMPTY);
28141
28142 for(j=0; j<NWD; j++) {
28143 struct gendisk *disk = ida_gendisk[i][j];
28144 @@ -695,7 +695,7 @@ DBGINFO(
28145 for(i=0; i<NR_PRODUCTS; i++) {
28146 if (board_id == products[i].board_id) {
28147 c->product_name = products[i].product_name;
28148 - c->access = *(products[i].access);
28149 + c->access = products[i].access;
28150 break;
28151 }
28152 }
28153 @@ -793,7 +793,7 @@ static int __init cpqarray_eisa_detect(v
28154 hba[ctlr]->intr = intr;
28155 sprintf(hba[ctlr]->devname, "ida%d", nr_ctlr);
28156 hba[ctlr]->product_name = products[j].product_name;
28157 - hba[ctlr]->access = *(products[j].access);
28158 + hba[ctlr]->access = products[j].access;
28159 hba[ctlr]->ctlr = ctlr;
28160 hba[ctlr]->board_id = board_id;
28161 hba[ctlr]->pci_dev = NULL; /* not PCI */
28162 @@ -896,6 +896,8 @@ static void do_ida_request(struct reques
28163 struct scatterlist tmp_sg[SG_MAX];
28164 int i, dir, seg;
28165
28166 + pax_track_stack();
28167 +
28168 if (blk_queue_plugged(q))
28169 goto startio;
28170
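Review bot: `pax_track_stack();` is added without a comment, and nothing at the call site says why this function needs it when its neighbours do not. The likely reason here is the on-stack `struct scatterlist tmp_sg[SG_MAX];` declared just above, so a line such as `/* large on-stack tmp_sg[]: let PaX record how deep the stack goes */` would tie the call to the array and tell a maintainer when it can be removed. The body of do_ida_request continues outside the hunk. The same uncommented call is added in DAC960_V1_ReadDeviceConfiguration, sock_xmit, __nbd_ioctl, send_panic_events, stli_getportstruct and stli_getbrdstruct.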
28171 @@ -968,7 +970,7 @@ static void start_io(ctlr_info_t *h)
28172
28173 while((c = h->reqQ) != NULL) {
28174 /* Can't do anything if we're busy */
28175 - if (h->access.fifo_full(h) == 0)
28176 + if (h->access->fifo_full(h) == 0)
28177 return;
28178
28179 /* Get the first entry from the request Q */
28180 @@ -976,7 +978,7 @@ static void start_io(ctlr_info_t *h)
28181 h->Qdepth--;
28182
28183 /* Tell the controller to do our bidding */
28184 - h->access.submit_command(h, c);
28185 + h->access->submit_command(h, c);
28186
28187 /* Get onto the completion Q */
28188 addQ(&h->cmpQ, c);
28189 @@ -1038,7 +1040,7 @@ static irqreturn_t do_ida_intr(int irq,
28190 unsigned long flags;
28191 __u32 a,a1;
28192
28193 - istat = h->access.intr_pending(h);
28194 + istat = h->access->intr_pending(h);
28195 /* Is this interrupt for us? */
28196 if (istat == 0)
28197 return IRQ_NONE;
28198 @@ -1049,7 +1051,7 @@ static irqreturn_t do_ida_intr(int irq,
28199 */
28200 spin_lock_irqsave(IDA_LOCK(h->ctlr), flags);
28201 if (istat & FIFO_NOT_EMPTY) {
28202 - while((a = h->access.command_completed(h))) {
28203 + while((a = h->access->command_completed(h))) {
28204 a1 = a; a &= ~3;
28205 if ((c = h->cmpQ) == NULL)
28206 {
28207 @@ -1434,11 +1436,11 @@ static int sendcmd(
28208 /*
28209 * Disable interrupt
28210 */
28211 - info_p->access.set_intr_mask(info_p, 0);
28212 + info_p->access->set_intr_mask(info_p, 0);
28213 /* Make sure there is room in the command FIFO */
28214 /* Actually it should be completely empty at this time. */
28215 for (i = 200000; i > 0; i--) {
28216 - temp = info_p->access.fifo_full(info_p);
28217 + temp = info_p->access->fifo_full(info_p);
28218 if (temp != 0) {
28219 break;
28220 }
28221 @@ -1451,7 +1453,7 @@ DBG(
28222 /*
28223 * Send the cmd
28224 */
28225 - info_p->access.submit_command(info_p, c);
28226 + info_p->access->submit_command(info_p, c);
28227 complete = pollcomplete(ctlr);
28228
28229 pci_unmap_single(info_p->pci_dev, (dma_addr_t) c->req.sg[0].addr,
28230 @@ -1534,9 +1536,9 @@ static int revalidate_allvol(ctlr_info_t
28231 * we check the new geometry. Then turn interrupts back on when
28232 * we're done.
28233 */
28234 - host->access.set_intr_mask(host, 0);
28235 + host->access->set_intr_mask(host, 0);
28236 getgeometry(ctlr);
28237 - host->access.set_intr_mask(host, FIFO_NOT_EMPTY);
28238 + host->access->set_intr_mask(host, FIFO_NOT_EMPTY);
28239
28240 for(i=0; i<NWD; i++) {
28241 struct gendisk *disk = ida_gendisk[ctlr][i];
28242 @@ -1576,7 +1578,7 @@ static int pollcomplete(int ctlr)
28243 /* Wait (up to 2 seconds) for a command to complete */
28244
28245 for (i = 200000; i > 0; i--) {
28246 - done = hba[ctlr]->access.command_completed(hba[ctlr]);
28247 + done = hba[ctlr]->access->command_completed(hba[ctlr]);
28248 if (done == 0) {
28249 udelay(10); /* a short fixed delay */
28250 } else
28251 diff -urNp linux-2.6.32.46/drivers/block/cpqarray.h linux-2.6.32.46/drivers/block/cpqarray.h
28252 --- linux-2.6.32.46/drivers/block/cpqarray.h 2011-03-27 14:31:47.000000000 -0400
28253 +++ linux-2.6.32.46/drivers/block/cpqarray.h 2011-08-05 20:33:55.000000000 -0400
28254 @@ -99,7 +99,7 @@ struct ctlr_info {
28255 drv_info_t drv[NWD];
28256 struct proc_dir_entry *proc;
28257
28258 - struct access_method access;
28259 + struct access_method *access;
28260
28261 cmdlist_t *reqQ;
28262 cmdlist_t *cmpQ;
28263 diff -urNp linux-2.6.32.46/drivers/block/DAC960.c linux-2.6.32.46/drivers/block/DAC960.c
28264 --- linux-2.6.32.46/drivers/block/DAC960.c 2011-03-27 14:31:47.000000000 -0400
28265 +++ linux-2.6.32.46/drivers/block/DAC960.c 2011-05-16 21:46:57.000000000 -0400
28266 @@ -1973,6 +1973,8 @@ static bool DAC960_V1_ReadDeviceConfigur
28267 unsigned long flags;
28268 int Channel, TargetID;
28269
28270 + pax_track_stack();
28271 +
28272 if (!init_dma_loaf(Controller->PCIDevice, &local_dma,
28273 DAC960_V1_MaxChannels*(sizeof(DAC960_V1_DCDB_T) +
28274 sizeof(DAC960_SCSI_Inquiry_T) +
28275 diff -urNp linux-2.6.32.46/drivers/block/loop.c linux-2.6.32.46/drivers/block/loop.c
28276 --- linux-2.6.32.46/drivers/block/loop.c 2011-06-25 12:55:34.000000000 -0400
28277 +++ linux-2.6.32.46/drivers/block/loop.c 2011-10-06 09:37:14.000000000 -0400
28278 @@ -282,7 +282,7 @@ static int __do_lo_send_write(struct fil
28279 mm_segment_t old_fs = get_fs();
28280
28281 set_fs(get_ds());
28282 - bw = file->f_op->write(file, buf, len, &pos);
28283 + bw = file->f_op->write(file, (const char __force_user *)buf, len, &pos);
28284 set_fs(old_fs);
28285 if (likely(bw == len))
28286 return 0;
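Review bot: The `(const char __force_user *)buf` cast switches off the address-space check for what is presumably a kernel buffer, and it is only correct between the `set_fs(get_ds());` above it and the `set_fs(old_fs);` below it. A comment should say so, for example `/* buf is a kernel pointer: the cast is valid only while set_fs(get_ds()) is in effect */`, so the call is not moved out of that window or copied elsewhere with the cast intact. The declaration of buf is outside the hunk, so its type is inferred from the cast.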
28287 diff -urNp linux-2.6.32.46/drivers/block/nbd.c linux-2.6.32.46/drivers/block/nbd.c
28288 --- linux-2.6.32.46/drivers/block/nbd.c 2011-06-25 12:55:34.000000000 -0400
28289 +++ linux-2.6.32.46/drivers/block/nbd.c 2011-06-25 12:56:37.000000000 -0400
28290 @@ -155,6 +155,8 @@ static int sock_xmit(struct nbd_device *
28291 struct kvec iov;
28292 sigset_t blocked, oldset;
28293
28294 + pax_track_stack();
28295 +
28296 if (unlikely(!sock)) {
28297 printk(KERN_ERR "%s: Attempted %s on closed socket in sock_xmit\n",
28298 lo->disk->disk_name, (send ? "send" : "recv"));
28299 @@ -569,6 +571,8 @@ static void do_nbd_request(struct reques
28300 static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *lo,
28301 unsigned int cmd, unsigned long arg)
28302 {
28303 + pax_track_stack();
28304 +
28305 switch (cmd) {
28306 case NBD_DISCONNECT: {
28307 struct request sreq;
28308 diff -urNp linux-2.6.32.46/drivers/block/pktcdvd.c linux-2.6.32.46/drivers/block/pktcdvd.c
28309 --- linux-2.6.32.46/drivers/block/pktcdvd.c 2011-03-27 14:31:47.000000000 -0400
28310 +++ linux-2.6.32.46/drivers/block/pktcdvd.c 2011-04-17 15:56:46.000000000 -0400
28311 @@ -284,7 +284,7 @@ static ssize_t kobj_pkt_store(struct kob
28312 return len;
28313 }
28314
28315 -static struct sysfs_ops kobj_pkt_ops = {
28316 +static const struct sysfs_ops kobj_pkt_ops = {
28317 .show = kobj_pkt_show,
28318 .store = kobj_pkt_store
28319 };
28320 diff -urNp linux-2.6.32.46/drivers/char/agp/frontend.c linux-2.6.32.46/drivers/char/agp/frontend.c
28321 --- linux-2.6.32.46/drivers/char/agp/frontend.c 2011-03-27 14:31:47.000000000 -0400
28322 +++ linux-2.6.32.46/drivers/char/agp/frontend.c 2011-04-17 15:56:46.000000000 -0400
28323 @@ -824,7 +824,7 @@ static int agpioc_reserve_wrap(struct ag
28324 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
28325 return -EFAULT;
28326
28327 - if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
28328 + if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
28329 return -EFAULT;
28330
28331 client = agp_find_client_by_pid(reserve.pid);
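Review bot: The bound on `reserve.seg_count` now divides by `sizeof(struct agp_segment_priv)`, but nothing at the check says which allocation it protects, and the allocations themselves are outside the hunk. seg_count arrives straight from `copy_from_user(&reserve, arg, sizeof(struct agp_region))`, so the guard is only sufficient if it uses the largest element size that is ever multiplied by it. I would add `/* seg_count is user-supplied: bound it by the largest per-segment struct it is multiplied with */`, or use an overflow-checked allocator such as kcalloc() at the allocation sites so each size is checked where it is used.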
28332 diff -urNp linux-2.6.32.46/drivers/char/briq_panel.c linux-2.6.32.46/drivers/char/briq_panel.c
28333 --- linux-2.6.32.46/drivers/char/briq_panel.c 2011-03-27 14:31:47.000000000 -0400
28334 +++ linux-2.6.32.46/drivers/char/briq_panel.c 2011-04-18 19:48:57.000000000 -0400
28335 @@ -10,6 +10,7 @@
28336 #include <linux/types.h>
28337 #include <linux/errno.h>
28338 #include <linux/tty.h>
28339 +#include <linux/mutex.h>
28340 #include <linux/timer.h>
28341 #include <linux/kernel.h>
28342 #include <linux/wait.h>
28343 @@ -36,6 +37,7 @@ static int vfd_is_open;
28344 static unsigned char vfd[40];
28345 static int vfd_cursor;
28346 static unsigned char ledpb, led;
28347 +static DEFINE_MUTEX(vfd_mutex);
28348
28349 static void update_vfd(void)
28350 {
28351 @@ -142,12 +144,15 @@ static ssize_t briq_panel_write(struct f
28352 if (!vfd_is_open)
28353 return -EBUSY;
28354
28355 + mutex_lock(&vfd_mutex);
28356 for (;;) {
28357 char c;
28358 if (!indx)
28359 break;
28360 - if (get_user(c, buf))
28361 + if (get_user(c, buf)) {
28362 + mutex_unlock(&vfd_mutex);
28363 return -EFAULT;
28364 + }
28365 if (esc) {
28366 set_led(c);
28367 esc = 0;
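Review bot: The error path unlocks by hand (`mutex_unlock(&vfd_mutex); return -EFAULT;`) while the normal path unlocks in the following hunk, so any return added to this loop later would leave vfd_mutex held. A single exit keeps the pairing obvious: `ret = -EFAULT; goto out_unlock;` here, with `out_unlock: mutex_unlock(&vfd_mutex); return ret;` at the end of the function and `ret` initialised to `len`. Separately, `if (!vfd_is_open)` is still tested before the lock is taken, so that check is not covered by the new mutex; whether this matters depends on how open and release update the flag, which is not visible. The loop body continues past the end of this hunk.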
28368 @@ -177,6 +182,7 @@ static ssize_t briq_panel_write(struct f
28369 buf++;
28370 }
28371 update_vfd();
28372 + mutex_unlock(&vfd_mutex);
28373
28374 return len;
28375 }
28376 diff -urNp linux-2.6.32.46/drivers/char/genrtc.c linux-2.6.32.46/drivers/char/genrtc.c
28377 --- linux-2.6.32.46/drivers/char/genrtc.c 2011-03-27 14:31:47.000000000 -0400
28378 +++ linux-2.6.32.46/drivers/char/genrtc.c 2011-04-18 19:45:42.000000000 -0400
28379 @@ -272,6 +272,7 @@ static int gen_rtc_ioctl(struct inode *i
28380 switch (cmd) {
28381
28382 case RTC_PLL_GET:
28383 + memset(&pll, 0, sizeof(pll));
28384 if (get_rtc_pll(&pll))
28385 return -EINVAL;
28386 else
28387 diff -urNp linux-2.6.32.46/drivers/char/hpet.c linux-2.6.32.46/drivers/char/hpet.c
28388 --- linux-2.6.32.46/drivers/char/hpet.c 2011-03-27 14:31:47.000000000 -0400
28389 +++ linux-2.6.32.46/drivers/char/hpet.c 2011-04-23 12:56:11.000000000 -0400
28390 @@ -430,7 +430,7 @@ static int hpet_release(struct inode *in
28391 return 0;
28392 }
28393
28394 -static int hpet_ioctl_common(struct hpet_dev *, int, unsigned long, int);
28395 +static int hpet_ioctl_common(struct hpet_dev *, unsigned int, unsigned long, int);
28396
28397 static int
28398 hpet_ioctl(struct inode *inode, struct file *file, unsigned int cmd,
28399 @@ -565,7 +565,7 @@ static inline unsigned long hpet_time_di
28400 }
28401
28402 static int
28403 -hpet_ioctl_common(struct hpet_dev *devp, int cmd, unsigned long arg, int kernel)
28404 +hpet_ioctl_common(struct hpet_dev *devp, unsigned int cmd, unsigned long arg, int kernel)
28405 {
28406 struct hpet_timer __iomem *timer;
28407 struct hpet __iomem *hpet;
28408 @@ -608,11 +608,11 @@ hpet_ioctl_common(struct hpet_dev *devp,
28409 {
28410 struct hpet_info info;
28411
28412 + memset(&info, 0, sizeof(info));
28413 +
28414 if (devp->hd_ireqfreq)
28415 info.hi_ireqfreq =
28416 hpet_time_div(hpetp, devp->hd_ireqfreq);
28417 - else
28418 - info.hi_ireqfreq = 0;
28419 info.hi_flags =
28420 readq(&timer->hpet_config) & Tn_PER_INT_CAP_MASK;
28421 info.hi_hpet = hpetp->hp_which;
28422 diff -urNp linux-2.6.32.46/drivers/char/hvc_beat.c linux-2.6.32.46/drivers/char/hvc_beat.c
28423 --- linux-2.6.32.46/drivers/char/hvc_beat.c 2011-03-27 14:31:47.000000000 -0400
28424 +++ linux-2.6.32.46/drivers/char/hvc_beat.c 2011-04-17 15:56:46.000000000 -0400
28425 @@ -84,7 +84,7 @@ static int hvc_beat_put_chars(uint32_t v
28426 return cnt;
28427 }
28428
28429 -static struct hv_ops hvc_beat_get_put_ops = {
28430 +static const struct hv_ops hvc_beat_get_put_ops = {
28431 .get_chars = hvc_beat_get_chars,
28432 .put_chars = hvc_beat_put_chars,
28433 };
28434 diff -urNp linux-2.6.32.46/drivers/char/hvc_console.c linux-2.6.32.46/drivers/char/hvc_console.c
28435 --- linux-2.6.32.46/drivers/char/hvc_console.c 2011-03-27 14:31:47.000000000 -0400
28436 +++ linux-2.6.32.46/drivers/char/hvc_console.c 2011-04-17 15:56:46.000000000 -0400
28437 @@ -125,7 +125,7 @@ static struct hvc_struct *hvc_get_by_ind
28438 * console interfaces but can still be used as a tty device. This has to be
28439 * static because kmalloc will not work during early console init.
28440 */
28441 -static struct hv_ops *cons_ops[MAX_NR_HVC_CONSOLES];
28442 +static const struct hv_ops *cons_ops[MAX_NR_HVC_CONSOLES];
28443 static uint32_t vtermnos[MAX_NR_HVC_CONSOLES] =
28444 {[0 ... MAX_NR_HVC_CONSOLES - 1] = -1};
28445
28446 @@ -247,7 +247,7 @@ static void destroy_hvc_struct(struct kr
28447 * vty adapters do NOT get an hvc_instantiate() callback since they
28448 * appear after early console init.
28449 */
28450 -int hvc_instantiate(uint32_t vtermno, int index, struct hv_ops *ops)
28451 +int hvc_instantiate(uint32_t vtermno, int index, const struct hv_ops *ops)
28452 {
28453 struct hvc_struct *hp;
28454
28455 @@ -756,7 +756,7 @@ static const struct tty_operations hvc_o
28456 };
28457
28458 struct hvc_struct __devinit *hvc_alloc(uint32_t vtermno, int data,
28459 - struct hv_ops *ops, int outbuf_size)
28460 + const struct hv_ops *ops, int outbuf_size)
28461 {
28462 struct hvc_struct *hp;
28463 int i;
28464 diff -urNp linux-2.6.32.46/drivers/char/hvc_console.h linux-2.6.32.46/drivers/char/hvc_console.h
28465 --- linux-2.6.32.46/drivers/char/hvc_console.h 2011-03-27 14:31:47.000000000 -0400
28466 +++ linux-2.6.32.46/drivers/char/hvc_console.h 2011-04-17 15:56:46.000000000 -0400
28467 @@ -55,7 +55,7 @@ struct hvc_struct {
28468 int outbuf_size;
28469 int n_outbuf;
28470 uint32_t vtermno;
28471 - struct hv_ops *ops;
28472 + const struct hv_ops *ops;
28473 int irq_requested;
28474 int data;
28475 struct winsize ws;
28476 @@ -76,11 +76,11 @@ struct hv_ops {
28477 };
28478
28479 /* Register a vterm and a slot index for use as a console (console_init) */
28480 -extern int hvc_instantiate(uint32_t vtermno, int index, struct hv_ops *ops);
28481 +extern int hvc_instantiate(uint32_t vtermno, int index, const struct hv_ops *ops);
28482
28483 /* register a vterm for hvc tty operation (module_init or hotplug add) */
28484 extern struct hvc_struct * __devinit hvc_alloc(uint32_t vtermno, int data,
28485 - struct hv_ops *ops, int outbuf_size);
28486 + const struct hv_ops *ops, int outbuf_size);
28487 /* remove a vterm from hvc tty operation (module_exit or hotplug remove) */
28488 extern int hvc_remove(struct hvc_struct *hp);
28489
28490 diff -urNp linux-2.6.32.46/drivers/char/hvc_iseries.c linux-2.6.32.46/drivers/char/hvc_iseries.c
28491 --- linux-2.6.32.46/drivers/char/hvc_iseries.c 2011-03-27 14:31:47.000000000 -0400
28492 +++ linux-2.6.32.46/drivers/char/hvc_iseries.c 2011-04-17 15:56:46.000000000 -0400
28493 @@ -197,7 +197,7 @@ done:
28494 return sent;
28495 }
28496
28497 -static struct hv_ops hvc_get_put_ops = {
28498 +static const struct hv_ops hvc_get_put_ops = {
28499 .get_chars = get_chars,
28500 .put_chars = put_chars,
28501 .notifier_add = notifier_add_irq,
28502 diff -urNp linux-2.6.32.46/drivers/char/hvc_iucv.c linux-2.6.32.46/drivers/char/hvc_iucv.c
28503 --- linux-2.6.32.46/drivers/char/hvc_iucv.c 2011-03-27 14:31:47.000000000 -0400
28504 +++ linux-2.6.32.46/drivers/char/hvc_iucv.c 2011-04-17 15:56:46.000000000 -0400
28505 @@ -924,7 +924,7 @@ static int hvc_iucv_pm_restore_thaw(stru
28506
28507
28508 /* HVC operations */
28509 -static struct hv_ops hvc_iucv_ops = {
28510 +static const struct hv_ops hvc_iucv_ops = {
28511 .get_chars = hvc_iucv_get_chars,
28512 .put_chars = hvc_iucv_put_chars,
28513 .notifier_add = hvc_iucv_notifier_add,
28514 diff -urNp linux-2.6.32.46/drivers/char/hvc_rtas.c linux-2.6.32.46/drivers/char/hvc_rtas.c
28515 --- linux-2.6.32.46/drivers/char/hvc_rtas.c 2011-03-27 14:31:47.000000000 -0400
28516 +++ linux-2.6.32.46/drivers/char/hvc_rtas.c 2011-04-17 15:56:46.000000000 -0400
28517 @@ -71,7 +71,7 @@ static int hvc_rtas_read_console(uint32_
28518 return i;
28519 }
28520
28521 -static struct hv_ops hvc_rtas_get_put_ops = {
28522 +static const struct hv_ops hvc_rtas_get_put_ops = {
28523 .get_chars = hvc_rtas_read_console,
28524 .put_chars = hvc_rtas_write_console,
28525 };
28526 diff -urNp linux-2.6.32.46/drivers/char/hvcs.c linux-2.6.32.46/drivers/char/hvcs.c
28527 --- linux-2.6.32.46/drivers/char/hvcs.c 2011-03-27 14:31:47.000000000 -0400
28528 +++ linux-2.6.32.46/drivers/char/hvcs.c 2011-04-17 15:56:46.000000000 -0400
28529 @@ -82,6 +82,7 @@
28530 #include <asm/hvcserver.h>
28531 #include <asm/uaccess.h>
28532 #include <asm/vio.h>
28533 +#include <asm/local.h>
28534
28535 /*
28536 * 1.3.0 -> 1.3.1 In hvcs_open memset(..,0x00,..) instead of memset(..,0x3F,00).
28537 @@ -269,7 +270,7 @@ struct hvcs_struct {
28538 unsigned int index;
28539
28540 struct tty_struct *tty;
28541 - int open_count;
28542 + local_t open_count;
28543
28544 /*
28545 * Used to tell the driver kernel_thread what operations need to take
28546 @@ -419,7 +420,7 @@ static ssize_t hvcs_vterm_state_store(st
28547
28548 spin_lock_irqsave(&hvcsd->lock, flags);
28549
28550 - if (hvcsd->open_count > 0) {
28551 + if (local_read(&hvcsd->open_count) > 0) {
28552 spin_unlock_irqrestore(&hvcsd->lock, flags);
28553 printk(KERN_INFO "HVCS: vterm state unchanged. "
28554 "The hvcs device node is still in use.\n");
28555 @@ -1135,7 +1136,7 @@ static int hvcs_open(struct tty_struct *
28556 if ((retval = hvcs_partner_connect(hvcsd)))
28557 goto error_release;
28558
28559 - hvcsd->open_count = 1;
28560 + local_set(&hvcsd->open_count, 1);
28561 hvcsd->tty = tty;
28562 tty->driver_data = hvcsd;
28563
28564 @@ -1169,7 +1170,7 @@ fast_open:
28565
28566 spin_lock_irqsave(&hvcsd->lock, flags);
28567 kref_get(&hvcsd->kref);
28568 - hvcsd->open_count++;
28569 + local_inc(&hvcsd->open_count);
28570 hvcsd->todo_mask |= HVCS_SCHED_READ;
28571 spin_unlock_irqrestore(&hvcsd->lock, flags);
28572
28573 @@ -1213,7 +1214,7 @@ static void hvcs_close(struct tty_struct
28574 hvcsd = tty->driver_data;
28575
28576 spin_lock_irqsave(&hvcsd->lock, flags);
28577 - if (--hvcsd->open_count == 0) {
28578 + if (local_dec_and_test(&hvcsd->open_count)) {
28579
28580 vio_disable_interrupts(hvcsd->vdev);
28581
28582 @@ -1239,10 +1240,10 @@ static void hvcs_close(struct tty_struct
28583 free_irq(irq, hvcsd);
28584 kref_put(&hvcsd->kref, destroy_hvcs_struct);
28585 return;
28586 - } else if (hvcsd->open_count < 0) {
28587 + } else if (local_read(&hvcsd->open_count) < 0) {
28588 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
28589 " is missmanaged.\n",
28590 - hvcsd->vdev->unit_address, hvcsd->open_count);
28591 + hvcsd->vdev->unit_address, local_read(&hvcsd->open_count));
28592 }
28593
28594 spin_unlock_irqrestore(&hvcsd->lock, flags);
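Review bot: The printk keeps the `open_count: %d` specifier, but its argument is now `local_read(&hvcsd->open_count)`, which returns a long on the architectures I am aware of, so format and argument no longer match. The specifier should become `%ld`, i.e. `"HVCS: vty-server@%X open_count: %ld"`. The same widening affects `temp_open_count = local_read(&hvcsd->open_count);` in hvcs_hangup: if temp_open_count is still declared int (the declaration is outside the hunk), that assignment narrows silently.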
28595 @@ -1258,7 +1259,7 @@ static void hvcs_hangup(struct tty_struc
28596
28597 spin_lock_irqsave(&hvcsd->lock, flags);
28598 /* Preserve this so that we know how many kref refs to put */
28599 - temp_open_count = hvcsd->open_count;
28600 + temp_open_count = local_read(&hvcsd->open_count);
28601
28602 /*
28603 * Don't kref put inside the spinlock because the destruction
28604 @@ -1273,7 +1274,7 @@ static void hvcs_hangup(struct tty_struc
28605 hvcsd->tty->driver_data = NULL;
28606 hvcsd->tty = NULL;
28607
28608 - hvcsd->open_count = 0;
28609 + local_set(&hvcsd->open_count, 0);
28610
28611 /* This will drop any buffered data on the floor which is OK in a hangup
28612 * scenario. */
28613 @@ -1344,7 +1345,7 @@ static int hvcs_write(struct tty_struct
28614 * the middle of a write operation? This is a crummy place to do this
28615 * but we want to keep it all in the spinlock.
28616 */
28617 - if (hvcsd->open_count <= 0) {
28618 + if (local_read(&hvcsd->open_count) <= 0) {
28619 spin_unlock_irqrestore(&hvcsd->lock, flags);
28620 return -ENODEV;
28621 }
28622 @@ -1418,7 +1419,7 @@ static int hvcs_write_room(struct tty_st
28623 {
28624 struct hvcs_struct *hvcsd = tty->driver_data;
28625
28626 - if (!hvcsd || hvcsd->open_count <= 0)
28627 + if (!hvcsd || local_read(&hvcsd->open_count) <= 0)
28628 return 0;
28629
28630 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
28631 diff -urNp linux-2.6.32.46/drivers/char/hvc_udbg.c linux-2.6.32.46/drivers/char/hvc_udbg.c
28632 --- linux-2.6.32.46/drivers/char/hvc_udbg.c 2011-03-27 14:31:47.000000000 -0400
28633 +++ linux-2.6.32.46/drivers/char/hvc_udbg.c 2011-04-17 15:56:46.000000000 -0400
28634 @@ -58,7 +58,7 @@ static int hvc_udbg_get(uint32_t vtermno
28635 return i;
28636 }
28637
28638 -static struct hv_ops hvc_udbg_ops = {
28639 +static const struct hv_ops hvc_udbg_ops = {
28640 .get_chars = hvc_udbg_get,
28641 .put_chars = hvc_udbg_put,
28642 };
28643 diff -urNp linux-2.6.32.46/drivers/char/hvc_vio.c linux-2.6.32.46/drivers/char/hvc_vio.c
28644 --- linux-2.6.32.46/drivers/char/hvc_vio.c 2011-03-27 14:31:47.000000000 -0400
28645 +++ linux-2.6.32.46/drivers/char/hvc_vio.c 2011-04-17 15:56:46.000000000 -0400
28646 @@ -77,7 +77,7 @@ static int filtered_get_chars(uint32_t v
28647 return got;
28648 }
28649
28650 -static struct hv_ops hvc_get_put_ops = {
28651 +static const struct hv_ops hvc_get_put_ops = {
28652 .get_chars = filtered_get_chars,
28653 .put_chars = hvc_put_chars,
28654 .notifier_add = notifier_add_irq,
28655 diff -urNp linux-2.6.32.46/drivers/char/hvc_xen.c linux-2.6.32.46/drivers/char/hvc_xen.c
28656 --- linux-2.6.32.46/drivers/char/hvc_xen.c 2011-03-27 14:31:47.000000000 -0400
28657 +++ linux-2.6.32.46/drivers/char/hvc_xen.c 2011-04-17 15:56:46.000000000 -0400
28658 @@ -120,7 +120,7 @@ static int read_console(uint32_t vtermno
28659 return recv;
28660 }
28661
28662 -static struct hv_ops hvc_ops = {
28663 +static const struct hv_ops hvc_ops = {
28664 .get_chars = read_console,
28665 .put_chars = write_console,
28666 .notifier_add = notifier_add_irq,
28667 diff -urNp linux-2.6.32.46/drivers/char/ipmi/ipmi_msghandler.c linux-2.6.32.46/drivers/char/ipmi/ipmi_msghandler.c
28668 --- linux-2.6.32.46/drivers/char/ipmi/ipmi_msghandler.c 2011-03-27 14:31:47.000000000 -0400
28669 +++ linux-2.6.32.46/drivers/char/ipmi/ipmi_msghandler.c 2011-05-16 21:46:57.000000000 -0400
28670 @@ -414,7 +414,7 @@ struct ipmi_smi {
28671 struct proc_dir_entry *proc_dir;
28672 char proc_dir_name[10];
28673
28674 - atomic_t stats[IPMI_NUM_STATS];
28675 + atomic_unchecked_t stats[IPMI_NUM_STATS];
28676
28677 /*
28678 * run_to_completion duplicate of smb_info, smi_info
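Review bot: `atomic_unchecked_t stats[IPMI_NUM_STATS];` takes these counters out of overflow checking, as I understand the PaX refcount protection, without recording why that is safe. A comment on the member such as `/* statistics only, never used as a reference count: wrap-around is harmless */` would stop the unchecked type from being copied to a counter that does guard an object lifetime. The accessors already read the value through an `(unsigned int)` cast, which is consistent with wrap-around being expected. The same comment is missing on `atomic_unchecked_t stats[SI_NUM_STATS];` in struct smi_info in ipmi_si_intf.c.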
28679 @@ -447,9 +447,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
28680
28681
28682 #define ipmi_inc_stat(intf, stat) \
28683 - atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
28684 + atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
28685 #define ipmi_get_stat(intf, stat) \
28686 - ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
28687 + ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
28688
28689 static int is_lan_addr(struct ipmi_addr *addr)
28690 {
28691 @@ -2808,7 +2808,7 @@ int ipmi_register_smi(struct ipmi_smi_ha
28692 INIT_LIST_HEAD(&intf->cmd_rcvrs);
28693 init_waitqueue_head(&intf->waitq);
28694 for (i = 0; i < IPMI_NUM_STATS; i++)
28695 - atomic_set(&intf->stats[i], 0);
28696 + atomic_set_unchecked(&intf->stats[i], 0);
28697
28698 intf->proc_dir = NULL;
28699
28700 @@ -4160,6 +4160,8 @@ static void send_panic_events(char *str)
28701 struct ipmi_smi_msg smi_msg;
28702 struct ipmi_recv_msg recv_msg;
28703
28704 + pax_track_stack();
28705 +
28706 si = (struct ipmi_system_interface_addr *) &addr;
28707 si->addr_type = IPMI_SYSTEM_INTERFACE_ADDR_TYPE;
28708 si->channel = IPMI_BMC_CHANNEL;
28709 diff -urNp linux-2.6.32.46/drivers/char/ipmi/ipmi_si_intf.c linux-2.6.32.46/drivers/char/ipmi/ipmi_si_intf.c
28710 --- linux-2.6.32.46/drivers/char/ipmi/ipmi_si_intf.c 2011-03-27 14:31:47.000000000 -0400
28711 +++ linux-2.6.32.46/drivers/char/ipmi/ipmi_si_intf.c 2011-04-17 15:56:46.000000000 -0400
28712 @@ -277,7 +277,7 @@ struct smi_info {
28713 unsigned char slave_addr;
28714
28715 /* Counters and things for the proc filesystem. */
28716 - atomic_t stats[SI_NUM_STATS];
28717 + atomic_unchecked_t stats[SI_NUM_STATS];
28718
28719 struct task_struct *thread;
28720
28721 @@ -285,9 +285,9 @@ struct smi_info {
28722 };
28723
28724 #define smi_inc_stat(smi, stat) \
28725 - atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
28726 + atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
28727 #define smi_get_stat(smi, stat) \
28728 - ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
28729 + ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
28730
28731 #define SI_MAX_PARMS 4
28732
28733 @@ -2931,7 +2931,7 @@ static int try_smi_init(struct smi_info
28734 atomic_set(&new_smi->req_events, 0);
28735 new_smi->run_to_completion = 0;
28736 for (i = 0; i < SI_NUM_STATS; i++)
28737 - atomic_set(&new_smi->stats[i], 0);
28738 + atomic_set_unchecked(&new_smi->stats[i], 0);
28739
28740 new_smi->interrupt_disabled = 0;
28741 atomic_set(&new_smi->stop_operation, 0);
28742 diff -urNp linux-2.6.32.46/drivers/char/istallion.c linux-2.6.32.46/drivers/char/istallion.c
28743 --- linux-2.6.32.46/drivers/char/istallion.c 2011-03-27 14:31:47.000000000 -0400
28744 +++ linux-2.6.32.46/drivers/char/istallion.c 2011-05-16 21:46:57.000000000 -0400
28745 @@ -187,7 +187,6 @@ static struct ktermios stli_deftermios
28746 * re-used for each stats call.
28747 */
28748 static comstats_t stli_comstats;
28749 -static combrd_t stli_brdstats;
28750 static struct asystats stli_cdkstats;
28751
28752 /*****************************************************************************/
28753 @@ -4058,6 +4057,7 @@ static int stli_getbrdstats(combrd_t __u
28754 {
28755 struct stlibrd *brdp;
28756 unsigned int i;
28757 + combrd_t stli_brdstats;
28758
28759 if (copy_from_user(&stli_brdstats, bp, sizeof(combrd_t)))
28760 return -EFAULT;
28761 @@ -4269,6 +4269,8 @@ static int stli_getportstruct(struct stl
28762 struct stliport stli_dummyport;
28763 struct stliport *portp;
28764
28765 + pax_track_stack();
28766 +
28767 if (copy_from_user(&stli_dummyport, arg, sizeof(struct stliport)))
28768 return -EFAULT;
28769 portp = stli_getport(stli_dummyport.brdnr, stli_dummyport.panelnr,
28770 @@ -4291,6 +4293,8 @@ static int stli_getbrdstruct(struct stli
28771 struct stlibrd stli_dummybrd;
28772 struct stlibrd *brdp;
28773
28774 + pax_track_stack();
28775 +
28776 if (copy_from_user(&stli_dummybrd, arg, sizeof(struct stlibrd)))
28777 return -EFAULT;
28778 if (stli_dummybrd.brdnr >= STL_MAXBRDS)
28779 diff -urNp linux-2.6.32.46/drivers/char/Kconfig linux-2.6.32.46/drivers/char/Kconfig
28780 --- linux-2.6.32.46/drivers/char/Kconfig 2011-03-27 14:31:47.000000000 -0400
28781 +++ linux-2.6.32.46/drivers/char/Kconfig 2011-04-18 19:20:15.000000000 -0400
28782 @@ -90,7 +90,8 @@ config VT_HW_CONSOLE_BINDING
28783
28784 config DEVKMEM
28785 bool "/dev/kmem virtual device support"
28786 - default y
28787 + default n
28788 + depends on !GRKERNSEC_KMEM
28789 help
28790 Say Y here if you want to support the /dev/kmem device. The
28791 /dev/kmem device is rarely used, but can be used for certain
28792 @@ -1114,6 +1115,7 @@ config DEVPORT
28793 bool
28794 depends on !M68K
28795 depends on ISA || PCI
28796 + depends on !GRKERNSEC_KMEM
28797 default y
28798
28799 source "drivers/s390/char/Kconfig"
28800 diff -urNp linux-2.6.32.46/drivers/char/keyboard.c linux-2.6.32.46/drivers/char/keyboard.c
28801 --- linux-2.6.32.46/drivers/char/keyboard.c 2011-03-27 14:31:47.000000000 -0400
28802 +++ linux-2.6.32.46/drivers/char/keyboard.c 2011-04-17 15:56:46.000000000 -0400
28803 @@ -635,6 +635,16 @@ static void k_spec(struct vc_data *vc, u
28804 kbd->kbdmode == VC_MEDIUMRAW) &&
28805 value != KVAL(K_SAK))
28806 return; /* SAK is allowed even in raw mode */
28807 +
28808 +#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
28809 + {
28810 + void *func = fn_handler[value];
28811 + if (func == fn_show_state || func == fn_show_ptregs ||
28812 + func == fn_show_mem)
28813 + return;
28814 + }
28815 +#endif
28816 +
28817 fn_handler[value](vc);
28818 }
28819
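Review bot: `void *func = fn_handler[value];` converts a function pointer to `void *`, which ISO C leaves undefined even though GCC accepts it, and the temporary is not needed. Comparing the table entry directly keeps the types intact: `if (fn_handler[value] == fn_show_state || fn_handler[value] == fn_show_ptregs || fn_handler[value] == fn_show_mem) return;`. The block also lacks a comment; judging by the handler names, something like `/* these keys dump task state, registers and memory information to the console; suppress them when /proc is restricted */` would explain why a keyboard path depends on CONFIG_GRKERNSEC_PROC. k_spec starts before the hunk, so whatever bounds `value` before this index is not visible here.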
28820 @@ -1386,7 +1396,7 @@ static const struct input_device_id kbd_
28821 .evbit = { BIT_MASK(EV_SND) },
28822 },
28823
28824 - { }, /* Terminating entry */
28825 + { 0 }, /* Terminating entry */
28826 };
28827
28828 MODULE_DEVICE_TABLE(input, kbd_ids);
28829 diff -urNp linux-2.6.32.46/drivers/char/mem.c linux-2.6.32.46/drivers/char/mem.c
28830 --- linux-2.6.32.46/drivers/char/mem.c 2011-03-27 14:31:47.000000000 -0400
28831 +++ linux-2.6.32.46/drivers/char/mem.c 2011-04-17 15:56:46.000000000 -0400
28832 @@ -18,6 +18,7 @@
28833 #include <linux/raw.h>
28834 #include <linux/tty.h>
28835 #include <linux/capability.h>
28836 +#include <linux/security.h>
28837 #include <linux/ptrace.h>
28838 #include <linux/device.h>
28839 #include <linux/highmem.h>
28840 @@ -35,6 +36,10 @@
28841 # include <linux/efi.h>
28842 #endif
28843
28844 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
28845 +extern struct file_operations grsec_fops;
28846 +#endif
28847 +
28848 static inline unsigned long size_inside_page(unsigned long start,
28849 unsigned long size)
28850 {
28851 @@ -102,9 +107,13 @@ static inline int range_is_allowed(unsig
28852
28853 while (cursor < to) {
28854 if (!devmem_is_allowed(pfn)) {
28855 +#ifdef CONFIG_GRKERNSEC_KMEM
28856 + gr_handle_mem_readwrite(from, to);
28857 +#else
28858 printk(KERN_INFO
28859 "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
28860 current->comm, from, to);
28861 +#endif
28862 return 0;
28863 }
28864 cursor += PAGE_SIZE;
28865 @@ -112,6 +121,11 @@ static inline int range_is_allowed(unsig
28866 }
28867 return 1;
28868 }
28869 +#elif defined(CONFIG_GRKERNSEC_KMEM)
28870 +static inline int range_is_allowed(unsigned long pfn, unsigned long size)
28871 +{
28872 + return 0;
28873 +}
28874 #else
28875 static inline int range_is_allowed(unsigned long pfn, unsigned long size)
28876 {
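Review bot: The added `range_is_allowed()` stub returns 0 unconditionally and carries no comment, so a reader has to work out from the surrounding `#if` ladder (whose first branch is outside the hunk) that every /dev/mem range is refused in this configuration. A short comment above it, e.g. `/* GRKERNSEC_KMEM: no /dev/mem range is ever permitted */`, would make the deny-all intent explicit. Unlike the branch patched in the previous hunk, this path logs nothing on a refused access; if that is deliberate, the same comment should say so.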
28877 @@ -155,6 +169,8 @@ static ssize_t read_mem(struct file * fi
28878 #endif
28879
28880 while (count > 0) {
28881 + char *temp;
28882 +
28883 /*
28884 * Handle first page in case it's not aligned
28885 */
28886 @@ -177,11 +193,31 @@ static ssize_t read_mem(struct file * fi
28887 if (!ptr)
28888 return -EFAULT;
28889
28890 - if (copy_to_user(buf, ptr, sz)) {
28891 +#ifdef CONFIG_PAX_USERCOPY
28892 + temp = kmalloc(sz, GFP_KERNEL);
28893 + if (!temp) {
28894 + unxlate_dev_mem_ptr(p, ptr);
28895 + return -ENOMEM;
28896 + }
28897 + memcpy(temp, ptr, sz);
28898 +#else
28899 + temp = ptr;
28900 +#endif
28901 +
28902 + if (copy_to_user(buf, temp, sz)) {
28903 +
28904 +#ifdef CONFIG_PAX_USERCOPY
28905 + kfree(temp);
28906 +#endif
28907 +
28908 unxlate_dev_mem_ptr(p, ptr);
28909 return -EFAULT;
28910 }
28911
28912 +#ifdef CONFIG_PAX_USERCOPY
28913 + kfree(temp);
28914 +#endif
28915 +
28916 unxlate_dev_mem_ptr(p, ptr);
28917
28918 buf += sz;
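Review bot: `kfree(temp)` is duplicated under its own `#ifdef CONFIG_PAX_USERCOPY` on both the failure and the success path of `copy_to_user()`, while the matching change in read_kmem() further down keeps the result in a variable and frees once. Doing the same here removes one conditional block and leaves a single free/unmap sequence. It needs an `unsigned long left;` declared beside `char *temp;`, which the previous hunk adds. read_mem() begins and ends outside this hunk.

```c
		/* … unchanged: CONFIG_PAX_USERCOPY bounce-buffer setup … */
		left = copy_to_user(buf, temp, sz);

#ifdef CONFIG_PAX_USERCOPY
		kfree(temp);
#endif

		unxlate_dev_mem_ptr(p, ptr);
		if (left)
			return -EFAULT;

		buf += sz;
```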
28919 @@ -419,9 +455,8 @@ static ssize_t read_kmem(struct file *fi
28920 size_t count, loff_t *ppos)
28921 {
28922 unsigned long p = *ppos;
28923 - ssize_t low_count, read, sz;
28924 + ssize_t low_count, read, sz, err = 0;
28925 char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
28926 - int err = 0;
28927
28928 read = 0;
28929 if (p < (unsigned long) high_memory) {
28930 @@ -444,6 +479,8 @@ static ssize_t read_kmem(struct file *fi
28931 }
28932 #endif
28933 while (low_count > 0) {
28934 + char *temp;
28935 +
28936 sz = size_inside_page(p, low_count);
28937
28938 /*
28939 @@ -453,7 +490,22 @@ static ssize_t read_kmem(struct file *fi
28940 */
28941 kbuf = xlate_dev_kmem_ptr((char *)p);
28942
28943 - if (copy_to_user(buf, kbuf, sz))
28944 +#ifdef CONFIG_PAX_USERCOPY
28945 + temp = kmalloc(sz, GFP_KERNEL);
28946 + if (!temp)
28947 + return -ENOMEM;
28948 + memcpy(temp, kbuf, sz);
28949 +#else
28950 + temp = kbuf;
28951 +#endif
28952 +
28953 + err = copy_to_user(buf, temp, sz);
28954 +
28955 +#ifdef CONFIG_PAX_USERCOPY
28956 + kfree(temp);
28957 +#endif
28958 +
28959 + if (err)
28960 return -EFAULT;
28961 buf += sz;
28962 p += sz;
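Review bot: Neither bounce-buffer block (here and in read_mem() above) says why the data is staged through `kmalloc()` before `copy_to_user()`. Presumably the source is an arbitrary kernel address that the PAX_USERCOPY object checks would reject, so the copy has to originate from a fresh heap object. A comment to that effect, e.g. `/* USERCOPY: copy from a bounded kmalloc object, not from the raw mapping */`, would keep a later cleanup from removing it. The `-ENOMEM` return is also a new failure mode for reads on this device, and an allocation now happens on every loop iteration. read_kmem() continues outside the hunk.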
28963 @@ -889,6 +941,9 @@ static const struct memdev {
28964 #ifdef CONFIG_CRASH_DUMP
28965 [12] = { "oldmem", 0, &oldmem_fops, NULL },
28966 #endif
28967 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
28968 + [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL },
28969 +#endif
28970 };
28971
28972 static int memory_open(struct inode *inode, struct file *filp)
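Review bot: The new `grsec` entry is created with `S_IRUSR | S_IWUGO`, i.e. writable by every user, and nothing in the hunk explains that. If the open mode is intentional, all access control has to live in `grsec_fops` (declared `extern` earlier in this file's changes, defined elsewhere). Once that is confirmed, a comment such as `/* world-writable on purpose: requests are authenticated in grsec_fops */` should say so. The entry also lacks the space after its first comma that the neighbouring `oldmem` entry has.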
28973 diff -urNp linux-2.6.32.46/drivers/char/pcmcia/ipwireless/tty.c linux-2.6.32.46/drivers/char/pcmcia/ipwireless/tty.c
28974 --- linux-2.6.32.46/drivers/char/pcmcia/ipwireless/tty.c 2011-03-27 14:31:47.000000000 -0400
28975 +++ linux-2.6.32.46/drivers/char/pcmcia/ipwireless/tty.c 2011-04-17 15:56:46.000000000 -0400
28976 @@ -29,6 +29,7 @@
28977 #include <linux/tty_driver.h>
28978 #include <linux/tty_flip.h>
28979 #include <linux/uaccess.h>
28980 +#include <asm/local.h>
28981
28982 #include "tty.h"
28983 #include "network.h"
28984 @@ -51,7 +52,7 @@ struct ipw_tty {
28985 int tty_type;
28986 struct ipw_network *network;
28987 struct tty_struct *linux_tty;
28988 - int open_count;
28989 + local_t open_count;
28990 unsigned int control_lines;
28991 struct mutex ipw_tty_mutex;
28992 int tx_bytes_queued;
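Review bot: `open_count` becomes a `local_t`, a type whose operations are only atomic with respect to the CPU they run on, yet it counts opens for the whole device. Where the later hunks show `ipw_tty_mutex` held (ipw_open, ipw_hangup, ipw_write) the mutex already serialises access. In ipw_write_room, ipw_chars_in_buffer, ipw_tiocmget, ipw_tiocmset and ipw_ioctl no lock is visible around `local_read()`, although those functions start outside their hunks. A comment on the field stating why `local_t` was chosen over `atomic_t` would help; the same applies to `sonypi_device.open_count` in the sonypi.c hunks of this patch.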
28993 @@ -127,10 +128,10 @@ static int ipw_open(struct tty_struct *l
28994 mutex_unlock(&tty->ipw_tty_mutex);
28995 return -ENODEV;
28996 }
28997 - if (tty->open_count == 0)
28998 + if (local_read(&tty->open_count) == 0)
28999 tty->tx_bytes_queued = 0;
29000
29001 - tty->open_count++;
29002 + local_inc(&tty->open_count);
29003
29004 tty->linux_tty = linux_tty;
29005 linux_tty->driver_data = tty;
29006 @@ -146,9 +147,7 @@ static int ipw_open(struct tty_struct *l
29007
29008 static void do_ipw_close(struct ipw_tty *tty)
29009 {
29010 - tty->open_count--;
29011 -
29012 - if (tty->open_count == 0) {
29013 + if (local_dec_return(&tty->open_count) == 0) {
29014 struct tty_struct *linux_tty = tty->linux_tty;
29015
29016 if (linux_tty != NULL) {
29017 @@ -169,7 +168,7 @@ static void ipw_hangup(struct tty_struct
29018 return;
29019
29020 mutex_lock(&tty->ipw_tty_mutex);
29021 - if (tty->open_count == 0) {
29022 + if (local_read(&tty->open_count) == 0) {
29023 mutex_unlock(&tty->ipw_tty_mutex);
29024 return;
29025 }
29026 @@ -198,7 +197,7 @@ void ipwireless_tty_received(struct ipw_
29027 return;
29028 }
29029
29030 - if (!tty->open_count) {
29031 + if (!local_read(&tty->open_count)) {
29032 mutex_unlock(&tty->ipw_tty_mutex);
29033 return;
29034 }
29035 @@ -240,7 +239,7 @@ static int ipw_write(struct tty_struct *
29036 return -ENODEV;
29037
29038 mutex_lock(&tty->ipw_tty_mutex);
29039 - if (!tty->open_count) {
29040 + if (!local_read(&tty->open_count)) {
29041 mutex_unlock(&tty->ipw_tty_mutex);
29042 return -EINVAL;
29043 }
29044 @@ -280,7 +279,7 @@ static int ipw_write_room(struct tty_str
29045 if (!tty)
29046 return -ENODEV;
29047
29048 - if (!tty->open_count)
29049 + if (!local_read(&tty->open_count))
29050 return -EINVAL;
29051
29052 room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
29053 @@ -322,7 +321,7 @@ static int ipw_chars_in_buffer(struct tt
29054 if (!tty)
29055 return 0;
29056
29057 - if (!tty->open_count)
29058 + if (!local_read(&tty->open_count))
29059 return 0;
29060
29061 return tty->tx_bytes_queued;
29062 @@ -403,7 +402,7 @@ static int ipw_tiocmget(struct tty_struc
29063 if (!tty)
29064 return -ENODEV;
29065
29066 - if (!tty->open_count)
29067 + if (!local_read(&tty->open_count))
29068 return -EINVAL;
29069
29070 return get_control_lines(tty);
29071 @@ -419,7 +418,7 @@ ipw_tiocmset(struct tty_struct *linux_tt
29072 if (!tty)
29073 return -ENODEV;
29074
29075 - if (!tty->open_count)
29076 + if (!local_read(&tty->open_count))
29077 return -EINVAL;
29078
29079 return set_control_lines(tty, set, clear);
29080 @@ -433,7 +432,7 @@ static int ipw_ioctl(struct tty_struct *
29081 if (!tty)
29082 return -ENODEV;
29083
29084 - if (!tty->open_count)
29085 + if (!local_read(&tty->open_count))
29086 return -EINVAL;
29087
29088 /* FIXME: Exactly how is the tty object locked here .. */
29089 @@ -591,7 +590,7 @@ void ipwireless_tty_free(struct ipw_tty
29090 against a parallel ioctl etc */
29091 mutex_lock(&ttyj->ipw_tty_mutex);
29092 }
29093 - while (ttyj->open_count)
29094 + while (local_read(&ttyj->open_count))
29095 do_ipw_close(ttyj);
29096 ipwireless_disassociate_network_ttys(network,
29097 ttyj->channel_idx);
29098 diff -urNp linux-2.6.32.46/drivers/char/pty.c linux-2.6.32.46/drivers/char/pty.c
29099 --- linux-2.6.32.46/drivers/char/pty.c 2011-03-27 14:31:47.000000000 -0400
29100 +++ linux-2.6.32.46/drivers/char/pty.c 2011-08-05 20:33:55.000000000 -0400
29101 @@ -736,8 +736,10 @@ static void __init unix98_pty_init(void)
29102 register_sysctl_table(pty_root_table);
29103
29104 /* Now create the /dev/ptmx special device */
29105 + pax_open_kernel();
29106 tty_default_fops(&ptmx_fops);
29107 - ptmx_fops.open = ptmx_open;
29108 + *(void **)&ptmx_fops.open = ptmx_open;
29109 + pax_close_kernel();
29110
29111 cdev_init(&ptmx_cdev, &ptmx_fops);
29112 if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
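Review bot: The store `*(void **)&ptmx_fops.open = ptmx_open;` bypasses the compiler's check that `ptmx_open` matches the `open` member's prototype, and it relies on converting a function pointer to `void *`. Nothing in the hunk says why the plain assignment was replaced. Presumably the structure's members are const-qualified in this tree and the `pax_open_kernel()`/`pax_close_kernel()` pair lifts write protection for the update. A comment saying that, plus a small helper that checks the right-hand side against the member's type before the store, would keep the type safety. The same pattern appears in both virtio_console.c hunks further down.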
29113 diff -urNp linux-2.6.32.46/drivers/char/random.c linux-2.6.32.46/drivers/char/random.c
29114 --- linux-2.6.32.46/drivers/char/random.c 2011-08-16 20:37:25.000000000 -0400
29115 +++ linux-2.6.32.46/drivers/char/random.c 2011-08-16 20:43:23.000000000 -0400
29116 @@ -254,8 +254,13 @@
29117 /*
29118 * Configuration information
29119 */
29120 +#ifdef CONFIG_GRKERNSEC_RANDNET
29121 +#define INPUT_POOL_WORDS 512
29122 +#define OUTPUT_POOL_WORDS 128
29123 +#else
29124 #define INPUT_POOL_WORDS 128
29125 #define OUTPUT_POOL_WORDS 32
29126 +#endif
29127 #define SEC_XFER_SIZE 512
29128
29129 /*
29130 @@ -292,10 +297,17 @@ static struct poolinfo {
29131 int poolwords;
29132 int tap1, tap2, tap3, tap4, tap5;
29133 } poolinfo_table[] = {
29134 +#ifdef CONFIG_GRKERNSEC_RANDNET
29135 + /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
29136 + { 512, 411, 308, 208, 104, 1 },
29137 + /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
29138 + { 128, 103, 76, 51, 25, 1 },
29139 +#else
29140 /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
29141 { 128, 103, 76, 51, 25, 1 },
29142 /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
29143 { 32, 26, 20, 14, 7, 1 },
29144 +#endif
29145 #if 0
29146 /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
29147 { 2048, 1638, 1231, 819, 411, 1 },
29148 @@ -1209,7 +1221,7 @@ EXPORT_SYMBOL(generate_random_uuid);
29149 #include <linux/sysctl.h>
29150
29151 static int min_read_thresh = 8, min_write_thresh;
29152 -static int max_read_thresh = INPUT_POOL_WORDS * 32;
29153 +static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
29154 static int max_write_thresh = INPUT_POOL_WORDS * 32;
29155 static char sysctl_bootid[16];
29156
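Review bot: `max_read_thresh` changes outside the `CONFIG_GRKERNSEC_RANDNET` conditional, so the upper bound drops from 128*32 to 32*32 bits on kernels built without that option as well. With the option enabled, the bound stays at 128*32 even though the input pool grows to 512 words. If tying the read threshold to the output pool is the intent, a comment such as `/* read wakeup threshold is bounded by the output pool size */` next to the definition would make that clear; as written it can be mistaken for a typo. Existing settings above the new maximum would presumably be refused by the sysctl range check, which is outside the hunk.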
29157 diff -urNp linux-2.6.32.46/drivers/char/rocket.c linux-2.6.32.46/drivers/char/rocket.c
29158 --- linux-2.6.32.46/drivers/char/rocket.c 2011-03-27 14:31:47.000000000 -0400
29159 +++ linux-2.6.32.46/drivers/char/rocket.c 2011-05-16 21:46:57.000000000 -0400
29160 @@ -1266,6 +1266,8 @@ static int get_ports(struct r_port *info
29161 struct rocket_ports tmp;
29162 int board;
29163
29164 + pax_track_stack();
29165 +
29166 if (!retports)
29167 return -EFAULT;
29168 memset(&tmp, 0, sizeof (tmp));
29169 diff -urNp linux-2.6.32.46/drivers/char/sonypi.c linux-2.6.32.46/drivers/char/sonypi.c
29170 --- linux-2.6.32.46/drivers/char/sonypi.c 2011-03-27 14:31:47.000000000 -0400
29171 +++ linux-2.6.32.46/drivers/char/sonypi.c 2011-04-17 15:56:46.000000000 -0400
29172 @@ -55,6 +55,7 @@
29173 #include <asm/uaccess.h>
29174 #include <asm/io.h>
29175 #include <asm/system.h>
29176 +#include <asm/local.h>
29177
29178 #include <linux/sonypi.h>
29179
29180 @@ -491,7 +492,7 @@ static struct sonypi_device {
29181 spinlock_t fifo_lock;
29182 wait_queue_head_t fifo_proc_list;
29183 struct fasync_struct *fifo_async;
29184 - int open_count;
29185 + local_t open_count;
29186 int model;
29187 struct input_dev *input_jog_dev;
29188 struct input_dev *input_key_dev;
29189 @@ -895,7 +896,7 @@ static int sonypi_misc_fasync(int fd, st
29190 static int sonypi_misc_release(struct inode *inode, struct file *file)
29191 {
29192 mutex_lock(&sonypi_device.lock);
29193 - sonypi_device.open_count--;
29194 + local_dec(&sonypi_device.open_count);
29195 mutex_unlock(&sonypi_device.lock);
29196 return 0;
29197 }
29198 @@ -905,9 +906,9 @@ static int sonypi_misc_open(struct inode
29199 lock_kernel();
29200 mutex_lock(&sonypi_device.lock);
29201 /* Flush input queue on first open */
29202 - if (!sonypi_device.open_count)
29203 + if (!local_read(&sonypi_device.open_count))
29204 kfifo_reset(sonypi_device.fifo);
29205 - sonypi_device.open_count++;
29206 + local_inc(&sonypi_device.open_count);
29207 mutex_unlock(&sonypi_device.lock);
29208 unlock_kernel();
29209 return 0;
29210 diff -urNp linux-2.6.32.46/drivers/char/stallion.c linux-2.6.32.46/drivers/char/stallion.c
29211 --- linux-2.6.32.46/drivers/char/stallion.c 2011-03-27 14:31:47.000000000 -0400
29212 +++ linux-2.6.32.46/drivers/char/stallion.c 2011-05-16 21:46:57.000000000 -0400
29213 @@ -2448,6 +2448,8 @@ static int stl_getportstruct(struct stlp
29214 struct stlport stl_dummyport;
29215 struct stlport *portp;
29216
29217 + pax_track_stack();
29218 +
29219 if (copy_from_user(&stl_dummyport, arg, sizeof(struct stlport)))
29220 return -EFAULT;
29221 portp = stl_getport(stl_dummyport.brdnr, stl_dummyport.panelnr,
29222 diff -urNp linux-2.6.32.46/drivers/char/tpm/tpm_bios.c linux-2.6.32.46/drivers/char/tpm/tpm_bios.c
29223 --- linux-2.6.32.46/drivers/char/tpm/tpm_bios.c 2011-03-27 14:31:47.000000000 -0400
29224 +++ linux-2.6.32.46/drivers/char/tpm/tpm_bios.c 2011-10-06 09:37:08.000000000 -0400
29225 @@ -172,7 +172,7 @@ static void *tpm_bios_measurements_start
29226 event = addr;
29227
29228 if ((event->event_type == 0 && event->event_size == 0) ||
29229 - ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
29230 + (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
29231 return NULL;
29232
29233 return addr;
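Review bot: The rewritten bound `event->event_size >= limit - addr - sizeof(struct tcpa_event)` only works while `limit - addr` is at least `sizeof(struct tcpa_event)`; below that the subtraction wraps in unsigned arithmetic and the test can no longer reject anything. The line that establishes this precondition is not in the hunk (only `event = addr;` is), so confirm it still sits immediately before. The dependency is worth documenting with a comment such as `/* header was checked to fit above, so the subtraction cannot wrap */`. The same applies to the `limit - v` form in tpm_bios_measurements_next() in the next hunk.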
29234 @@ -197,7 +197,7 @@ static void *tpm_bios_measurements_next(
29235 return NULL;
29236
29237 if ((event->event_type == 0 && event->event_size == 0) ||
29238 - ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
29239 + (event->event_size >= limit - v - sizeof(struct tcpa_event)))
29240 return NULL;
29241
29242 (*pos)++;
29243 @@ -290,7 +290,8 @@ static int tpm_binary_bios_measurements_
29244 int i;
29245
29246 for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
29247 - seq_putc(m, data[i]);
29248 + if (!seq_putc(m, data[i]))
29249 + return -EFAULT;
29250
29251 return 0;
29252 }
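Review bot: The new test `if (!seq_putc(m, data[i]))` looks inverted. In this kernel series seq_putc() is, as far as I know, defined in fs/seq_file.c (not shown on this page) to return 0 on success and -1 when the buffer is full, so the function would return `-EFAULT` right after the first byte is stored. If that definition holds, the condition should be `if (seq_putc(m, data[i]))`. It is also worth checking whether returning an error on a full buffer stops the seq_file core from retrying with a larger buffer, since the caller of this show function is outside the hunk.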
29253 @@ -409,8 +410,13 @@ static int read_log(struct tpm_bios_log
29254 log->bios_event_log_end = log->bios_event_log + len;
29255
29256 virt = acpi_os_map_memory(start, len);
29257 + if (!virt) {
29258 + kfree(log->bios_event_log);
29259 + log->bios_event_log = NULL;
29260 + return -EFAULT;
29261 + }
29262
29263 - memcpy(log->bios_event_log, virt, len);
29264 + memcpy(log->bios_event_log, (const char __force_kernel *)virt, len);
29265
29266 acpi_os_unmap_memory(virt, len);
29267 return 0;
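Review bot: The new failure path frees `log->bios_event_log` and clears it, but `log->bios_event_log_end`, assigned just above from the same pointer, is left pointing into freed memory. Resetting it as well, `log->bios_event_log_end = NULL;`, keeps the two fields consistent for any later reader of the log structure (none is visible in this hunk). read_log() starts outside the hunk.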
29268 diff -urNp linux-2.6.32.46/drivers/char/tpm/tpm.c linux-2.6.32.46/drivers/char/tpm/tpm.c
29269 --- linux-2.6.32.46/drivers/char/tpm/tpm.c 2011-04-17 17:00:52.000000000 -0400
29270 +++ linux-2.6.32.46/drivers/char/tpm/tpm.c 2011-05-16 21:46:57.000000000 -0400
29271 @@ -402,7 +402,7 @@ static ssize_t tpm_transmit(struct tpm_c
29272 chip->vendor.req_complete_val)
29273 goto out_recv;
29274
29275 - if ((status == chip->vendor.req_canceled)) {
29276 + if (status == chip->vendor.req_canceled) {
29277 dev_err(chip->dev, "Operation Canceled\n");
29278 rc = -ECANCELED;
29279 goto out;
29280 @@ -821,6 +821,8 @@ ssize_t tpm_show_pubek(struct device *de
29281
29282 struct tpm_chip *chip = dev_get_drvdata(dev);
29283
29284 + pax_track_stack();
29285 +
29286 tpm_cmd.header.in = tpm_readpubek_header;
29287 err = transmit_cmd(chip, &tpm_cmd, READ_PUBEK_RESULT_SIZE,
29288 "attempting to read the PUBEK");
29289 diff -urNp linux-2.6.32.46/drivers/char/tty_io.c linux-2.6.32.46/drivers/char/tty_io.c
29290 --- linux-2.6.32.46/drivers/char/tty_io.c 2011-03-27 14:31:47.000000000 -0400
29291 +++ linux-2.6.32.46/drivers/char/tty_io.c 2011-08-05 20:33:55.000000000 -0400
29292 @@ -2582,8 +2582,10 @@ long tty_ioctl(struct file *file, unsign
29293 return retval;
29294 }
29295
29296 +EXPORT_SYMBOL(tty_ioctl);
29297 +
29298 #ifdef CONFIG_COMPAT
29299 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
29300 +long tty_compat_ioctl(struct file *file, unsigned int cmd,
29301 unsigned long arg)
29302 {
29303 struct inode *inode = file->f_dentry->d_inode;
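Review bot: `tty_compat_ioctl()` loses `static` here and is exported in the next hunk, but no prototype is added in this file's changes. Unless a header elsewhere in the patch declares it, each user will need its own `extern`, and the compiler cannot check the definition against it. Both this symbol and `tty_ioctl` use plain `EXPORT_SYMBOL`, which makes the tty ioctl entry points callable from any module. A comment naming the in-tree user that needs them would justify widening the interface.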
29304 @@ -2607,6 +2609,8 @@ static long tty_compat_ioctl(struct file
29305
29306 return retval;
29307 }
29308 +
29309 +EXPORT_SYMBOL(tty_compat_ioctl);
29310 #endif
29311
29312 /*
29313 @@ -3052,7 +3056,7 @@ EXPORT_SYMBOL_GPL(get_current_tty);
29314
29315 void tty_default_fops(struct file_operations *fops)
29316 {
29317 - *fops = tty_fops;
29318 + memcpy((void *)fops, &tty_fops, sizeof(tty_fops));
29319 }
29320
29321 /*
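Review bot: Replacing the structure assignment with `memcpy((void *)fops, &tty_fops, sizeof(tty_fops))` drops the compiler's type check, and the size is taken from the source rather than from the object being written. `sizeof(*fops)` states the bound on the destination. A comment saying why assignment is no longer possible (presumably the members are const-qualified in this tree) would explain the cast. Callers whose target is write-protected need to be inside a `pax_open_kernel()` window, as the pty.c change earlier in this patch is.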
29322 diff -urNp linux-2.6.32.46/drivers/char/tty_ldisc.c linux-2.6.32.46/drivers/char/tty_ldisc.c
29323 --- linux-2.6.32.46/drivers/char/tty_ldisc.c 2011-07-13 17:23:04.000000000 -0400
29324 +++ linux-2.6.32.46/drivers/char/tty_ldisc.c 2011-07-13 17:23:18.000000000 -0400
29325 @@ -74,7 +74,7 @@ static void put_ldisc(struct tty_ldisc *
29326 if (atomic_dec_and_lock(&ld->users, &tty_ldisc_lock)) {
29327 struct tty_ldisc_ops *ldo = ld->ops;
29328
29329 - ldo->refcount--;
29330 + atomic_dec(&ldo->refcount);
29331 module_put(ldo->owner);
29332 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
29333
29334 @@ -109,7 +109,7 @@ int tty_register_ldisc(int disc, struct
29335 spin_lock_irqsave(&tty_ldisc_lock, flags);
29336 tty_ldiscs[disc] = new_ldisc;
29337 new_ldisc->num = disc;
29338 - new_ldisc->refcount = 0;
29339 + atomic_set(&new_ldisc->refcount, 0);
29340 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
29341
29342 return ret;
29343 @@ -137,7 +137,7 @@ int tty_unregister_ldisc(int disc)
29344 return -EINVAL;
29345
29346 spin_lock_irqsave(&tty_ldisc_lock, flags);
29347 - if (tty_ldiscs[disc]->refcount)
29348 + if (atomic_read(&tty_ldiscs[disc]->refcount))
29349 ret = -EBUSY;
29350 else
29351 tty_ldiscs[disc] = NULL;
29352 @@ -158,7 +158,7 @@ static struct tty_ldisc_ops *get_ldops(i
29353 if (ldops) {
29354 ret = ERR_PTR(-EAGAIN);
29355 if (try_module_get(ldops->owner)) {
29356 - ldops->refcount++;
29357 + atomic_inc(&ldops->refcount);
29358 ret = ldops;
29359 }
29360 }
29361 @@ -171,7 +171,7 @@ static void put_ldops(struct tty_ldisc_o
29362 unsigned long flags;
29363
29364 spin_lock_irqsave(&tty_ldisc_lock, flags);
29365 - ldops->refcount--;
29366 + atomic_dec(&ldops->refcount);
29367 module_put(ldops->owner);
29368 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
29369 }
29370 diff -urNp linux-2.6.32.46/drivers/char/virtio_console.c linux-2.6.32.46/drivers/char/virtio_console.c
29371 --- linux-2.6.32.46/drivers/char/virtio_console.c 2011-03-27 14:31:47.000000000 -0400
29372 +++ linux-2.6.32.46/drivers/char/virtio_console.c 2011-08-05 20:33:55.000000000 -0400
29373 @@ -133,7 +133,9 @@ static int get_chars(u32 vtermno, char *
29374 * virtqueue, so we let the drivers do some boutique early-output thing. */
29375 int __init virtio_cons_early_init(int (*put_chars)(u32, const char *, int))
29376 {
29377 - virtio_cons.put_chars = put_chars;
29378 + pax_open_kernel();
29379 + *(void **)&virtio_cons.put_chars = put_chars;
29380 + pax_close_kernel();
29381 return hvc_instantiate(0, 0, &virtio_cons);
29382 }
29383
29384 @@ -213,11 +215,13 @@ static int __devinit virtcons_probe(stru
29385 out_vq = vqs[1];
29386
29387 /* Start using the new console output. */
29388 - virtio_cons.get_chars = get_chars;
29389 - virtio_cons.put_chars = put_chars;
29390 - virtio_cons.notifier_add = notifier_add_vio;
29391 - virtio_cons.notifier_del = notifier_del_vio;
29392 - virtio_cons.notifier_hangup = notifier_del_vio;
29393 + pax_open_kernel();
29394 + *(void **)&virtio_cons.get_chars = get_chars;
29395 + *(void **)&virtio_cons.put_chars = put_chars;
29396 + *(void **)&virtio_cons.notifier_add = notifier_add_vio;
29397 + *(void **)&virtio_cons.notifier_del = notifier_del_vio;
29398 + *(void **)&virtio_cons.notifier_hangup = notifier_del_vio;
29399 + pax_close_kernel();
29400
29401 /* The first argument of hvc_alloc() is the virtual console number, so
29402 * we use zero. The second argument is the parameter for the
29403 diff -urNp linux-2.6.32.46/drivers/char/vt.c linux-2.6.32.46/drivers/char/vt.c
29404 --- linux-2.6.32.46/drivers/char/vt.c 2011-03-27 14:31:47.000000000 -0400
29405 +++ linux-2.6.32.46/drivers/char/vt.c 2011-04-17 15:56:46.000000000 -0400
29406 @@ -243,7 +243,7 @@ EXPORT_SYMBOL_GPL(unregister_vt_notifier
29407
29408 static void notify_write(struct vc_data *vc, unsigned int unicode)
29409 {
29410 - struct vt_notifier_param param = { .vc = vc, unicode = unicode };
29411 + struct vt_notifier_param param = { .vc = vc, .c = unicode };
29412 atomic_notifier_call_chain(&vt_notifier_list, VT_WRITE, &param);
29413 }
29414
29415 diff -urNp linux-2.6.32.46/drivers/char/vt_ioctl.c linux-2.6.32.46/drivers/char/vt_ioctl.c
29416 --- linux-2.6.32.46/drivers/char/vt_ioctl.c 2011-03-27 14:31:47.000000000 -0400
29417 +++ linux-2.6.32.46/drivers/char/vt_ioctl.c 2011-04-17 15:56:46.000000000 -0400
29418 @@ -210,9 +210,6 @@ do_kdsk_ioctl(int cmd, struct kbentry __
29419 if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
29420 return -EFAULT;
29421
29422 - if (!capable(CAP_SYS_TTY_CONFIG))
29423 - perm = 0;
29424 -
29425 switch (cmd) {
29426 case KDGKBENT:
29427 key_map = key_maps[s];
29428 @@ -224,8 +221,12 @@ do_kdsk_ioctl(int cmd, struct kbentry __
29429 val = (i ? K_HOLE : K_NOSUCHMAP);
29430 return put_user(val, &user_kbe->kb_value);
29431 case KDSKBENT:
29432 + if (!capable(CAP_SYS_TTY_CONFIG))
29433 + perm = 0;
29434 +
29435 if (!perm)
29436 return -EPERM;
29437 +
29438 if (!i && v == K_NOSUCHMAP) {
29439 /* deallocate map */
29440 key_map = key_maps[s];
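Review bot: The `capable(CAP_SYS_TTY_CONFIG)` test now runs only in the `KDSKBENT` case, and nothing records why it was moved out of the common path. Presumably the aim is that read-only `KDGKBENT` calls no longer probe the capability, along with whatever logging is attached to that check. A comment like `/* only the set path needs CAP_SYS_TTY_CONFIG; do not probe it for reads */` would make that explicit. The move is behaviour-preserving only if no other case reads `perm`. That cannot be confirmed from the hunks, because do_kdsk_ioctl() and do_kdgkb_ioctl() (same change, in the following hunks) extend beyond them.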
29441 @@ -325,9 +326,6 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
29442 int i, j, k;
29443 int ret;
29444
29445 - if (!capable(CAP_SYS_TTY_CONFIG))
29446 - perm = 0;
29447 -
29448 kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
29449 if (!kbs) {
29450 ret = -ENOMEM;
29451 @@ -361,6 +359,9 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
29452 kfree(kbs);
29453 return ((p && *p) ? -EOVERFLOW : 0);
29454 case KDSKBSENT:
29455 + if (!capable(CAP_SYS_TTY_CONFIG))
29456 + perm = 0;
29457 +
29458 if (!perm) {
29459 ret = -EPERM;
29460 goto reterr;
29461 diff -urNp linux-2.6.32.46/drivers/cpufreq/cpufreq.c linux-2.6.32.46/drivers/cpufreq/cpufreq.c
29462 --- linux-2.6.32.46/drivers/cpufreq/cpufreq.c 2011-06-25 12:55:34.000000000 -0400
29463 +++ linux-2.6.32.46/drivers/cpufreq/cpufreq.c 2011-06-25 12:56:37.000000000 -0400
29464 @@ -750,7 +750,7 @@ static void cpufreq_sysfs_release(struct
29465 complete(&policy->kobj_unregister);
29466 }
29467
29468 -static struct sysfs_ops sysfs_ops = {
29469 +static const struct sysfs_ops sysfs_ops = {
29470 .show = show,
29471 .store = store,
29472 };
29473 diff -urNp linux-2.6.32.46/drivers/cpuidle/sysfs.c linux-2.6.32.46/drivers/cpuidle/sysfs.c
29474 --- linux-2.6.32.46/drivers/cpuidle/sysfs.c 2011-03-27 14:31:47.000000000 -0400
29475 +++ linux-2.6.32.46/drivers/cpuidle/sysfs.c 2011-04-17 15:56:46.000000000 -0400
29476 @@ -191,7 +191,7 @@ static ssize_t cpuidle_store(struct kobj
29477 return ret;
29478 }
29479
29480 -static struct sysfs_ops cpuidle_sysfs_ops = {
29481 +static const struct sysfs_ops cpuidle_sysfs_ops = {
29482 .show = cpuidle_show,
29483 .store = cpuidle_store,
29484 };
29485 @@ -277,7 +277,7 @@ static ssize_t cpuidle_state_show(struct
29486 return ret;
29487 }
29488
29489 -static struct sysfs_ops cpuidle_state_sysfs_ops = {
29490 +static const struct sysfs_ops cpuidle_state_sysfs_ops = {
29491 .show = cpuidle_state_show,
29492 };
29493
29494 @@ -294,7 +294,7 @@ static struct kobj_type ktype_state_cpui
29495 .release = cpuidle_state_sysfs_release,
29496 };
29497
29498 -static void inline cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
29499 +static inline void cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
29500 {
29501 kobject_put(&device->kobjs[i]->kobj);
29502 wait_for_completion(&device->kobjs[i]->kobj_unregister);
29503 diff -urNp linux-2.6.32.46/drivers/crypto/hifn_795x.c linux-2.6.32.46/drivers/crypto/hifn_795x.c
29504 --- linux-2.6.32.46/drivers/crypto/hifn_795x.c 2011-03-27 14:31:47.000000000 -0400
29505 +++ linux-2.6.32.46/drivers/crypto/hifn_795x.c 2011-05-16 21:46:57.000000000 -0400
29506 @@ -1655,6 +1655,8 @@ static int hifn_test(struct hifn_device
29507 0xCA, 0x34, 0x2B, 0x2E};
29508 struct scatterlist sg;
29509
29510 + pax_track_stack();
29511 +
29512 memset(src, 0, sizeof(src));
29513 memset(ctx.key, 0, sizeof(ctx.key));
29514
29515 diff -urNp linux-2.6.32.46/drivers/crypto/padlock-aes.c linux-2.6.32.46/drivers/crypto/padlock-aes.c
29516 --- linux-2.6.32.46/drivers/crypto/padlock-aes.c 2011-03-27 14:31:47.000000000 -0400
29517 +++ linux-2.6.32.46/drivers/crypto/padlock-aes.c 2011-05-16 21:46:57.000000000 -0400
29518 @@ -108,6 +108,8 @@ static int aes_set_key(struct crypto_tfm
29519 struct crypto_aes_ctx gen_aes;
29520 int cpu;
29521
29522 + pax_track_stack();
29523 +
29524 if (key_len % 8) {
29525 *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
29526 return -EINVAL;
29527 diff -urNp linux-2.6.32.46/drivers/dma/ioat/dma.c linux-2.6.32.46/drivers/dma/ioat/dma.c
29528 --- linux-2.6.32.46/drivers/dma/ioat/dma.c 2011-03-27 14:31:47.000000000 -0400
29529 +++ linux-2.6.32.46/drivers/dma/ioat/dma.c 2011-04-17 15:56:46.000000000 -0400
29530 @@ -1146,7 +1146,7 @@ ioat_attr_show(struct kobject *kobj, str
29531 return entry->show(&chan->common, page);
29532 }
29533
29534 -struct sysfs_ops ioat_sysfs_ops = {
29535 +const struct sysfs_ops ioat_sysfs_ops = {
29536 .show = ioat_attr_show,
29537 };
29538
29539 diff -urNp linux-2.6.32.46/drivers/dma/ioat/dma.h linux-2.6.32.46/drivers/dma/ioat/dma.h
29540 --- linux-2.6.32.46/drivers/dma/ioat/dma.h 2011-03-27 14:31:47.000000000 -0400
29541 +++ linux-2.6.32.46/drivers/dma/ioat/dma.h 2011-04-17 15:56:46.000000000 -0400
29542 @@ -347,7 +347,7 @@ bool ioat_cleanup_preamble(struct ioat_c
29543 unsigned long *phys_complete);
29544 void ioat_kobject_add(struct ioatdma_device *device, struct kobj_type *type);
29545 void ioat_kobject_del(struct ioatdma_device *device);
29546 -extern struct sysfs_ops ioat_sysfs_ops;
29547 +extern const struct sysfs_ops ioat_sysfs_ops;
29548 extern struct ioat_sysfs_entry ioat_version_attr;
29549 extern struct ioat_sysfs_entry ioat_cap_attr;
29550 #endif /* IOATDMA_H */
29551 diff -urNp linux-2.6.32.46/drivers/edac/edac_device_sysfs.c linux-2.6.32.46/drivers/edac/edac_device_sysfs.c
29552 --- linux-2.6.32.46/drivers/edac/edac_device_sysfs.c 2011-03-27 14:31:47.000000000 -0400
29553 +++ linux-2.6.32.46/drivers/edac/edac_device_sysfs.c 2011-04-17 15:56:46.000000000 -0400
29554 @@ -137,7 +137,7 @@ static ssize_t edac_dev_ctl_info_store(s
29555 }
29556
29557 /* edac_dev file operations for an 'ctl_info' */
29558 -static struct sysfs_ops device_ctl_info_ops = {
29559 +static const struct sysfs_ops device_ctl_info_ops = {
29560 .show = edac_dev_ctl_info_show,
29561 .store = edac_dev_ctl_info_store
29562 };
29563 @@ -373,7 +373,7 @@ static ssize_t edac_dev_instance_store(s
29564 }
29565
29566 /* edac_dev file operations for an 'instance' */
29567 -static struct sysfs_ops device_instance_ops = {
29568 +static const struct sysfs_ops device_instance_ops = {
29569 .show = edac_dev_instance_show,
29570 .store = edac_dev_instance_store
29571 };
29572 @@ -476,7 +476,7 @@ static ssize_t edac_dev_block_store(stru
29573 }
29574
29575 /* edac_dev file operations for a 'block' */
29576 -static struct sysfs_ops device_block_ops = {
29577 +static const struct sysfs_ops device_block_ops = {
29578 .show = edac_dev_block_show,
29579 .store = edac_dev_block_store
29580 };
29581 diff -urNp linux-2.6.32.46/drivers/edac/edac_mc_sysfs.c linux-2.6.32.46/drivers/edac/edac_mc_sysfs.c
29582 --- linux-2.6.32.46/drivers/edac/edac_mc_sysfs.c 2011-03-27 14:31:47.000000000 -0400
29583 +++ linux-2.6.32.46/drivers/edac/edac_mc_sysfs.c 2011-04-17 15:56:46.000000000 -0400
29584 @@ -245,7 +245,7 @@ static ssize_t csrowdev_store(struct kob
29585 return -EIO;
29586 }
29587
29588 -static struct sysfs_ops csrowfs_ops = {
29589 +static const struct sysfs_ops csrowfs_ops = {
29590 .show = csrowdev_show,
29591 .store = csrowdev_store
29592 };
29593 @@ -575,7 +575,7 @@ static ssize_t mcidev_store(struct kobje
29594 }
29595
29596 /* Intermediate show/store table */
29597 -static struct sysfs_ops mci_ops = {
29598 +static const struct sysfs_ops mci_ops = {
29599 .show = mcidev_show,
29600 .store = mcidev_store
29601 };
29602 diff -urNp linux-2.6.32.46/drivers/edac/edac_pci_sysfs.c linux-2.6.32.46/drivers/edac/edac_pci_sysfs.c
29603 --- linux-2.6.32.46/drivers/edac/edac_pci_sysfs.c 2011-03-27 14:31:47.000000000 -0400
29604 +++ linux-2.6.32.46/drivers/edac/edac_pci_sysfs.c 2011-05-04 17:56:20.000000000 -0400
29605 @@ -25,8 +25,8 @@ static int edac_pci_log_pe = 1; /* log
29606 static int edac_pci_log_npe = 1; /* log PCI non-parity error errors */
29607 static int edac_pci_poll_msec = 1000; /* one second workq period */
29608
29609 -static atomic_t pci_parity_count = ATOMIC_INIT(0);
29610 -static atomic_t pci_nonparity_count = ATOMIC_INIT(0);
29611 +static atomic_unchecked_t pci_parity_count = ATOMIC_INIT(0);
29612 +static atomic_unchecked_t pci_nonparity_count = ATOMIC_INIT(0);
29613
29614 static struct kobject *edac_pci_top_main_kobj;
29615 static atomic_t edac_pci_sysfs_refcount = ATOMIC_INIT(0);
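Review bot: `pci_parity_count` and `pci_nonparity_count` switch to `atomic_unchecked_t` without a comment, while `edac_pci_sysfs_refcount` on the following line stays `atomic_t`. The distinction appears to be that the first two are event tallies that may wrap harmlessly, whereas the third is a reference count. A comment such as `/* error tallies, not refcounts: wrapping is harmless */` above the two declarations would explain why they opt out of the checked type. edac_pci_do_parity_check() only compares the tally before and after a scan for inequality, so a wrap does not change its result.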
29616 @@ -121,7 +121,7 @@ static ssize_t edac_pci_instance_store(s
29617 }
29618
29619 /* fs_ops table */
29620 -static struct sysfs_ops pci_instance_ops = {
29621 +static const struct sysfs_ops pci_instance_ops = {
29622 .show = edac_pci_instance_show,
29623 .store = edac_pci_instance_store
29624 };
29625 @@ -261,7 +261,7 @@ static ssize_t edac_pci_dev_store(struct
29626 return -EIO;
29627 }
29628
29629 -static struct sysfs_ops edac_pci_sysfs_ops = {
29630 +static const struct sysfs_ops edac_pci_sysfs_ops = {
29631 .show = edac_pci_dev_show,
29632 .store = edac_pci_dev_store
29633 };
29634 @@ -579,7 +579,7 @@ static void edac_pci_dev_parity_test(str
29635 edac_printk(KERN_CRIT, EDAC_PCI,
29636 "Signaled System Error on %s\n",
29637 pci_name(dev));
29638 - atomic_inc(&pci_nonparity_count);
29639 + atomic_inc_unchecked(&pci_nonparity_count);
29640 }
29641
29642 if (status & (PCI_STATUS_PARITY)) {
29643 @@ -587,7 +587,7 @@ static void edac_pci_dev_parity_test(str
29644 "Master Data Parity Error on %s\n",
29645 pci_name(dev));
29646
29647 - atomic_inc(&pci_parity_count);
29648 + atomic_inc_unchecked(&pci_parity_count);
29649 }
29650
29651 if (status & (PCI_STATUS_DETECTED_PARITY)) {
29652 @@ -595,7 +595,7 @@ static void edac_pci_dev_parity_test(str
29653 "Detected Parity Error on %s\n",
29654 pci_name(dev));
29655
29656 - atomic_inc(&pci_parity_count);
29657 + atomic_inc_unchecked(&pci_parity_count);
29658 }
29659 }
29660
29661 @@ -616,7 +616,7 @@ static void edac_pci_dev_parity_test(str
29662 edac_printk(KERN_CRIT, EDAC_PCI, "Bridge "
29663 "Signaled System Error on %s\n",
29664 pci_name(dev));
29665 - atomic_inc(&pci_nonparity_count);
29666 + atomic_inc_unchecked(&pci_nonparity_count);
29667 }
29668
29669 if (status & (PCI_STATUS_PARITY)) {
29670 @@ -624,7 +624,7 @@ static void edac_pci_dev_parity_test(str
29671 "Master Data Parity Error on "
29672 "%s\n", pci_name(dev));
29673
29674 - atomic_inc(&pci_parity_count);
29675 + atomic_inc_unchecked(&pci_parity_count);
29676 }
29677
29678 if (status & (PCI_STATUS_DETECTED_PARITY)) {
29679 @@ -632,7 +632,7 @@ static void edac_pci_dev_parity_test(str
29680 "Detected Parity Error on %s\n",
29681 pci_name(dev));
29682
29683 - atomic_inc(&pci_parity_count);
29684 + atomic_inc_unchecked(&pci_parity_count);
29685 }
29686 }
29687 }
29688 @@ -674,7 +674,7 @@ void edac_pci_do_parity_check(void)
29689 if (!check_pci_errors)
29690 return;
29691
29692 - before_count = atomic_read(&pci_parity_count);
29693 + before_count = atomic_read_unchecked(&pci_parity_count);
29694
29695 /* scan all PCI devices looking for a Parity Error on devices and
29696 * bridges.
29697 @@ -686,7 +686,7 @@ void edac_pci_do_parity_check(void)
29698 /* Only if operator has selected panic on PCI Error */
29699 if (edac_pci_get_panic_on_pe()) {
29700 /* If the count is different 'after' from 'before' */
29701 - if (before_count != atomic_read(&pci_parity_count))
29702 + if (before_count != atomic_read_unchecked(&pci_parity_count))
29703 panic("EDAC: PCI Parity Error");
29704 }
29705 }
29706 diff -urNp linux-2.6.32.46/drivers/firewire/core-card.c linux-2.6.32.46/drivers/firewire/core-card.c
29707 --- linux-2.6.32.46/drivers/firewire/core-card.c 2011-03-27 14:31:47.000000000 -0400
29708 +++ linux-2.6.32.46/drivers/firewire/core-card.c 2011-08-23 21:22:32.000000000 -0400
29709 @@ -558,7 +558,7 @@ void fw_card_release(struct kref *kref)
29710
29711 void fw_core_remove_card(struct fw_card *card)
29712 {
29713 - struct fw_card_driver dummy_driver = dummy_driver_template;
29714 + fw_card_driver_no_const dummy_driver = dummy_driver_template;
29715
29716 card->driver->update_phy_reg(card, 4,
29717 PHY_LINK_ACTIVE | PHY_CONTENDER, 0);
29718 diff -urNp linux-2.6.32.46/drivers/firewire/core-cdev.c linux-2.6.32.46/drivers/firewire/core-cdev.c
29719 --- linux-2.6.32.46/drivers/firewire/core-cdev.c 2011-03-27 14:31:47.000000000 -0400
29720 +++ linux-2.6.32.46/drivers/firewire/core-cdev.c 2011-04-17 15:56:46.000000000 -0400
29721 @@ -1141,8 +1141,7 @@ static int init_iso_resource(struct clie
29722 int ret;
29723
29724 if ((request->channels == 0 && request->bandwidth == 0) ||
29725 - request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL ||
29726 - request->bandwidth < 0)
29727 + request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL)
29728 return -EINVAL;
29729
29730 r = kmalloc(sizeof(*r), GFP_KERNEL);
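Review bot: Dropping the `request->bandwidth < 0` test in init_iso_resource is only safe if `bandwidth` is an unsigned field, and its declaration is not visible in this hunk. If it is unsigned, the removed comparison was dead code and the remaining bound against BANDWIDTH_AVAILABLE_INITIAL covers every value a caller can supply. A comment above the condition, such as `/* bandwidth is unsigned: the upper bound is the only range check needed */`, would record that assumption. If the field is ever made signed, the lower bound has to come back, since the value presumably originates from a userspace request. The function body continues outside the hunk.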
29731 diff -urNp linux-2.6.32.46/drivers/firewire/core.h linux-2.6.32.46/drivers/firewire/core.h
29732 --- linux-2.6.32.46/drivers/firewire/core.h 2011-03-27 14:31:47.000000000 -0400
29733 +++ linux-2.6.32.46/drivers/firewire/core.h 2011-08-23 20:24:26.000000000 -0400
29734 @@ -86,6 +86,7 @@ struct fw_card_driver {
29735
29736 int (*stop_iso)(struct fw_iso_context *ctx);
29737 };
29738 +typedef struct fw_card_driver __no_const fw_card_driver_no_const;
29739
29740 void fw_card_initialize(struct fw_card *card,
29741 const struct fw_card_driver *driver, struct device *device);
29742 diff -urNp linux-2.6.32.46/drivers/firewire/core-transaction.c linux-2.6.32.46/drivers/firewire/core-transaction.c
29743 --- linux-2.6.32.46/drivers/firewire/core-transaction.c 2011-03-27 14:31:47.000000000 -0400
29744 +++ linux-2.6.32.46/drivers/firewire/core-transaction.c 2011-05-16 21:46:57.000000000 -0400
29745 @@ -36,6 +36,7 @@
29746 #include <linux/string.h>
29747 #include <linux/timer.h>
29748 #include <linux/types.h>
29749 +#include <linux/sched.h>
29750
29751 #include <asm/byteorder.h>
29752
29753 @@ -344,6 +345,8 @@ int fw_run_transaction(struct fw_card *c
29754 struct transaction_callback_data d;
29755 struct fw_transaction t;
29756
29757 + pax_track_stack();
29758 +
29759 init_completion(&d.done);
29760 d.payload = payload;
29761 fw_send_request(card, &t, tcode, destination_id, generation, speed,
29762 diff -urNp linux-2.6.32.46/drivers/firmware/dmi_scan.c linux-2.6.32.46/drivers/firmware/dmi_scan.c
29763 --- linux-2.6.32.46/drivers/firmware/dmi_scan.c 2011-03-27 14:31:47.000000000 -0400
29764 +++ linux-2.6.32.46/drivers/firmware/dmi_scan.c 2011-10-06 09:37:08.000000000 -0400
29765 @@ -391,11 +391,6 @@ void __init dmi_scan_machine(void)
29766 }
29767 }
29768 else {
29769 - /*
29770 - * no iounmap() for that ioremap(); it would be a no-op, but
29771 - * it's so early in setup that sucker gets confused into doing
29772 - * what it shouldn't if we actually call it.
29773 - */
29774 p = dmi_ioremap(0xF0000, 0x10000);
29775 if (p == NULL)
29776 goto error;
29777 @@ -667,7 +662,7 @@ int dmi_walk(void (*decode)(const struct
29778 if (buf == NULL)
29779 return -1;
29780
29781 - dmi_table(buf, dmi_len, dmi_num, decode, private_data);
29782 + dmi_table((char __force_kernel *)buf, dmi_len, dmi_num, decode, private_data);
29783
29784 iounmap(buf);
29785 return 0;
29786 diff -urNp linux-2.6.32.46/drivers/firmware/edd.c linux-2.6.32.46/drivers/firmware/edd.c
29787 --- linux-2.6.32.46/drivers/firmware/edd.c 2011-03-27 14:31:47.000000000 -0400
29788 +++ linux-2.6.32.46/drivers/firmware/edd.c 2011-04-17 15:56:46.000000000 -0400
29789 @@ -122,7 +122,7 @@ edd_attr_show(struct kobject * kobj, str
29790 return ret;
29791 }
29792
29793 -static struct sysfs_ops edd_attr_ops = {
29794 +static const struct sysfs_ops edd_attr_ops = {
29795 .show = edd_attr_show,
29796 };
29797
29798 diff -urNp linux-2.6.32.46/drivers/firmware/efivars.c linux-2.6.32.46/drivers/firmware/efivars.c
29799 --- linux-2.6.32.46/drivers/firmware/efivars.c 2011-03-27 14:31:47.000000000 -0400
29800 +++ linux-2.6.32.46/drivers/firmware/efivars.c 2011-04-17 15:56:46.000000000 -0400
29801 @@ -362,7 +362,7 @@ static ssize_t efivar_attr_store(struct
29802 return ret;
29803 }
29804
29805 -static struct sysfs_ops efivar_attr_ops = {
29806 +static const struct sysfs_ops efivar_attr_ops = {
29807 .show = efivar_attr_show,
29808 .store = efivar_attr_store,
29809 };
29810 diff -urNp linux-2.6.32.46/drivers/firmware/iscsi_ibft.c linux-2.6.32.46/drivers/firmware/iscsi_ibft.c
29811 --- linux-2.6.32.46/drivers/firmware/iscsi_ibft.c 2011-03-27 14:31:47.000000000 -0400
29812 +++ linux-2.6.32.46/drivers/firmware/iscsi_ibft.c 2011-04-17 15:56:46.000000000 -0400
29813 @@ -525,7 +525,7 @@ static ssize_t ibft_show_attribute(struc
29814 return ret;
29815 }
29816
29817 -static struct sysfs_ops ibft_attr_ops = {
29818 +static const struct sysfs_ops ibft_attr_ops = {
29819 .show = ibft_show_attribute,
29820 };
29821
29822 diff -urNp linux-2.6.32.46/drivers/firmware/memmap.c linux-2.6.32.46/drivers/firmware/memmap.c
29823 --- linux-2.6.32.46/drivers/firmware/memmap.c 2011-03-27 14:31:47.000000000 -0400
29824 +++ linux-2.6.32.46/drivers/firmware/memmap.c 2011-04-17 15:56:46.000000000 -0400
29825 @@ -74,7 +74,7 @@ static struct attribute *def_attrs[] = {
29826 NULL
29827 };
29828
29829 -static struct sysfs_ops memmap_attr_ops = {
29830 +static const struct sysfs_ops memmap_attr_ops = {
29831 .show = memmap_attr_show,
29832 };
29833
29834 diff -urNp linux-2.6.32.46/drivers/gpio/vr41xx_giu.c linux-2.6.32.46/drivers/gpio/vr41xx_giu.c
29835 --- linux-2.6.32.46/drivers/gpio/vr41xx_giu.c 2011-03-27 14:31:47.000000000 -0400
29836 +++ linux-2.6.32.46/drivers/gpio/vr41xx_giu.c 2011-05-04 17:56:28.000000000 -0400
29837 @@ -204,7 +204,7 @@ static int giu_get_irq(unsigned int irq)
29838 printk(KERN_ERR "spurious GIU interrupt: %04x(%04x),%04x(%04x)\n",
29839 maskl, pendl, maskh, pendh);
29840
29841 - atomic_inc(&irq_err_count);
29842 + atomic_inc_unchecked(&irq_err_count);
29843
29844 return -EINVAL;
29845 }
29846 diff -urNp linux-2.6.32.46/drivers/gpu/drm/drm_crtc.c linux-2.6.32.46/drivers/gpu/drm/drm_crtc.c
29847 --- linux-2.6.32.46/drivers/gpu/drm/drm_crtc.c 2011-03-27 14:31:47.000000000 -0400
29848 +++ linux-2.6.32.46/drivers/gpu/drm/drm_crtc.c 2011-10-06 09:37:14.000000000 -0400
29849 @@ -1323,7 +1323,7 @@ int drm_mode_getconnector(struct drm_dev
29850 */
29851 if ((out_resp->count_modes >= mode_count) && mode_count) {
29852 copied = 0;
29853 - mode_ptr = (struct drm_mode_modeinfo *)(unsigned long)out_resp->modes_ptr;
29854 + mode_ptr = (struct drm_mode_modeinfo __user *)(unsigned long)out_resp->modes_ptr;
29855 list_for_each_entry(mode, &connector->modes, head) {
29856 drm_crtc_convert_to_umode(&u_mode, mode);
29857 if (copy_to_user(mode_ptr + copied,
29858 @@ -1338,8 +1338,8 @@ int drm_mode_getconnector(struct drm_dev
29859
29860 if ((out_resp->count_props >= props_count) && props_count) {
29861 copied = 0;
29862 - prop_ptr = (uint32_t *)(unsigned long)(out_resp->props_ptr);
29863 - prop_values = (uint64_t *)(unsigned long)(out_resp->prop_values_ptr);
29864 + prop_ptr = (uint32_t __user *)(unsigned long)(out_resp->props_ptr);
29865 + prop_values = (uint64_t __user *)(unsigned long)(out_resp->prop_values_ptr);
29866 for (i = 0; i < DRM_CONNECTOR_MAX_PROPERTY; i++) {
29867 if (connector->property_ids[i] != 0) {
29868 if (put_user(connector->property_ids[i],
29869 @@ -1361,7 +1361,7 @@ int drm_mode_getconnector(struct drm_dev
29870
29871 if ((out_resp->count_encoders >= encoders_count) && encoders_count) {
29872 copied = 0;
29873 - encoder_ptr = (uint32_t *)(unsigned long)(out_resp->encoders_ptr);
29874 + encoder_ptr = (uint32_t __user *)(unsigned long)(out_resp->encoders_ptr);
29875 for (i = 0; i < DRM_CONNECTOR_MAX_ENCODER; i++) {
29876 if (connector->encoder_ids[i] != 0) {
29877 if (put_user(connector->encoder_ids[i],
29878 @@ -1513,7 +1513,7 @@ int drm_mode_setcrtc(struct drm_device *
29879 }
29880
29881 for (i = 0; i < crtc_req->count_connectors; i++) {
29882 - set_connectors_ptr = (uint32_t *)(unsigned long)crtc_req->set_connectors_ptr;
29883 + set_connectors_ptr = (uint32_t __user *)(unsigned long)crtc_req->set_connectors_ptr;
29884 if (get_user(out_id, &set_connectors_ptr[i])) {
29885 ret = -EFAULT;
29886 goto out;
29887 @@ -2118,7 +2118,7 @@ int drm_mode_getproperty_ioctl(struct dr
29888 out_resp->flags = property->flags;
29889
29890 if ((out_resp->count_values >= value_count) && value_count) {
29891 - values_ptr = (uint64_t *)(unsigned long)out_resp->values_ptr;
29892 + values_ptr = (uint64_t __user *)(unsigned long)out_resp->values_ptr;
29893 for (i = 0; i < value_count; i++) {
29894 if (copy_to_user(values_ptr + i, &property->values[i], sizeof(uint64_t))) {
29895 ret = -EFAULT;
29896 @@ -2131,7 +2131,7 @@ int drm_mode_getproperty_ioctl(struct dr
29897 if (property->flags & DRM_MODE_PROP_ENUM) {
29898 if ((out_resp->count_enum_blobs >= enum_count) && enum_count) {
29899 copied = 0;
29900 - enum_ptr = (struct drm_mode_property_enum *)(unsigned long)out_resp->enum_blob_ptr;
29901 + enum_ptr = (struct drm_mode_property_enum __user *)(unsigned long)out_resp->enum_blob_ptr;
29902 list_for_each_entry(prop_enum, &property->enum_blob_list, head) {
29903
29904 if (copy_to_user(&enum_ptr[copied].value, &prop_enum->value, sizeof(uint64_t))) {
29905 @@ -2154,7 +2154,7 @@ int drm_mode_getproperty_ioctl(struct dr
29906 if ((out_resp->count_enum_blobs >= blob_count) && blob_count) {
29907 copied = 0;
29908 blob_id_ptr = (uint32_t *)(unsigned long)out_resp->enum_blob_ptr;
29909 - blob_length_ptr = (uint32_t *)(unsigned long)out_resp->values_ptr;
29910 + blob_length_ptr = (uint32_t __user *)(unsigned long)out_resp->values_ptr;
29911
29912 list_for_each_entry(prop_blob, &property->enum_blob_list, head) {
29913 if (put_user(prop_blob->base.id, blob_id_ptr + copied)) {
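Review bot: `blob_id_ptr` on the context line just above the change is still cast as `(uint32_t *)`, although it is handed to put_user() a few lines later and is therefore a userspace pointer just like `blob_length_ptr`. Annotating only one of the pair leaves sparse address-space checking inconsistent for this block. The line should read `blob_id_ptr = (uint32_t __user *)(unsigned long)out_resp->enum_blob_ptr;`. The declarations of both pointers are outside the hunk and would need the same `__user` qualifier for the annotation to take effect.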
29914 @@ -2226,7 +2226,7 @@ int drm_mode_getblob_ioctl(struct drm_de
29915 blob = obj_to_blob(obj);
29916
29917 if (out_resp->length == blob->length) {
29918 - blob_ptr = (void *)(unsigned long)out_resp->data;
29919 + blob_ptr = (void __user *)(unsigned long)out_resp->data;
29920 if (copy_to_user(blob_ptr, blob->data, blob->length)){
29921 ret = -EFAULT;
29922 goto done;
29923 diff -urNp linux-2.6.32.46/drivers/gpu/drm/drm_crtc_helper.c linux-2.6.32.46/drivers/gpu/drm/drm_crtc_helper.c
29924 --- linux-2.6.32.46/drivers/gpu/drm/drm_crtc_helper.c 2011-03-27 14:31:47.000000000 -0400
29925 +++ linux-2.6.32.46/drivers/gpu/drm/drm_crtc_helper.c 2011-05-16 21:46:57.000000000 -0400
29926 @@ -573,7 +573,7 @@ static bool drm_encoder_crtc_ok(struct d
29927 struct drm_crtc *tmp;
29928 int crtc_mask = 1;
29929
29930 - WARN(!crtc, "checking null crtc?");
29931 + BUG_ON(!crtc);
29932
29933 dev = crtc->dev;
29934
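Review bot: `BUG_ON(!crtc)` in drm_encoder_crtc_ok prevents the NULL dereference at `crtc->dev`, but it does so by halting the kernel rather than failing the check. Since the function returns bool, `if (WARN_ON(!crtc)) return false;` would keep the diagnostic, avoid the dereference and let the caller treat the pairing as not usable. Whether a hard stop is preferable depends on how callers handle a false result, which is not visible here. The function body continues outside the hunk.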
29935 @@ -642,6 +642,8 @@ bool drm_crtc_helper_set_mode(struct drm
29936
29937 adjusted_mode = drm_mode_duplicate(dev, mode);
29938
29939 + pax_track_stack();
29940 +
29941 crtc->enabled = drm_helper_crtc_in_use(crtc);
29942
29943 if (!crtc->enabled)
29944 diff -urNp linux-2.6.32.46/drivers/gpu/drm/drm_drv.c linux-2.6.32.46/drivers/gpu/drm/drm_drv.c
29945 --- linux-2.6.32.46/drivers/gpu/drm/drm_drv.c 2011-03-27 14:31:47.000000000 -0400
29946 +++ linux-2.6.32.46/drivers/gpu/drm/drm_drv.c 2011-04-17 15:56:46.000000000 -0400
29947 @@ -417,7 +417,7 @@ int drm_ioctl(struct inode *inode, struc
29948 char *kdata = NULL;
29949
29950 atomic_inc(&dev->ioctl_count);
29951 - atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
29952 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
29953 ++file_priv->ioctl_count;
29954
29955 DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
29956 diff -urNp linux-2.6.32.46/drivers/gpu/drm/drm_fops.c linux-2.6.32.46/drivers/gpu/drm/drm_fops.c
29957 --- linux-2.6.32.46/drivers/gpu/drm/drm_fops.c 2011-03-27 14:31:47.000000000 -0400
29958 +++ linux-2.6.32.46/drivers/gpu/drm/drm_fops.c 2011-04-17 15:56:46.000000000 -0400
29959 @@ -66,7 +66,7 @@ static int drm_setup(struct drm_device *
29960 }
29961
29962 for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
29963 - atomic_set(&dev->counts[i], 0);
29964 + atomic_set_unchecked(&dev->counts[i], 0);
29965
29966 dev->sigdata.lock = NULL;
29967
29968 @@ -130,9 +130,9 @@ int drm_open(struct inode *inode, struct
29969
29970 retcode = drm_open_helper(inode, filp, dev);
29971 if (!retcode) {
29972 - atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
29973 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
29974 spin_lock(&dev->count_lock);
29975 - if (!dev->open_count++) {
29976 + if (local_inc_return(&dev->open_count) == 1) {
29977 spin_unlock(&dev->count_lock);
29978 retcode = drm_setup(dev);
29979 goto out;
29980 @@ -435,7 +435,7 @@ int drm_release(struct inode *inode, str
29981
29982 lock_kernel();
29983
29984 - DRM_DEBUG("open_count = %d\n", dev->open_count);
29985 + DRM_DEBUG("open_count = %d\n", local_read(&dev->open_count));
29986
29987 if (dev->driver->preclose)
29988 dev->driver->preclose(dev, file_priv);
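Review bot: `local_read(&dev->open_count)` is printed with `%d` in this DRM_DEBUG call, but where local_t wraps atomic_long_t the expression has type long, so the format and argument no longer match on 64-bit builds. Make the conversion explicit with `DRM_DEBUG("open_count = %ld\n", (long)local_read(&dev->open_count));`. The second DRM_DEBUG in the next drm_release hunk (the `pid = %d, device = 0x%lx, open_count = %d` call) needs the same `%ld` and cast. The change of `open_count` to local_t is made in a header that is not part of this hunk, so the exact type should be confirmed there.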
29989 @@ -447,7 +447,7 @@ int drm_release(struct inode *inode, str
29990 DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
29991 task_pid_nr(current),
29992 (long)old_encode_dev(file_priv->minor->device),
29993 - dev->open_count);
29994 + local_read(&dev->open_count));
29995
29996 /* if the master has gone away we can't do anything with the lock */
29997 if (file_priv->minor->master)
29998 @@ -524,9 +524,9 @@ int drm_release(struct inode *inode, str
29999 * End inline drm_release
30000 */
30001
30002 - atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
30003 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
30004 spin_lock(&dev->count_lock);
30005 - if (!--dev->open_count) {
30006 + if (local_dec_and_test(&dev->open_count)) {
30007 if (atomic_read(&dev->ioctl_count)) {
30008 DRM_ERROR("Device busy: %d\n",
30009 atomic_read(&dev->ioctl_count));
30010 diff -urNp linux-2.6.32.46/drivers/gpu/drm/drm_gem.c linux-2.6.32.46/drivers/gpu/drm/drm_gem.c
30011 --- linux-2.6.32.46/drivers/gpu/drm/drm_gem.c 2011-03-27 14:31:47.000000000 -0400
30012 +++ linux-2.6.32.46/drivers/gpu/drm/drm_gem.c 2011-04-17 15:56:46.000000000 -0400
30013 @@ -83,11 +83,11 @@ drm_gem_init(struct drm_device *dev)
30014 spin_lock_init(&dev->object_name_lock);
30015 idr_init(&dev->object_name_idr);
30016 atomic_set(&dev->object_count, 0);
30017 - atomic_set(&dev->object_memory, 0);
30018 + atomic_set_unchecked(&dev->object_memory, 0);
30019 atomic_set(&dev->pin_count, 0);
30020 - atomic_set(&dev->pin_memory, 0);
30021 + atomic_set_unchecked(&dev->pin_memory, 0);
30022 atomic_set(&dev->gtt_count, 0);
30023 - atomic_set(&dev->gtt_memory, 0);
30024 + atomic_set_unchecked(&dev->gtt_memory, 0);
30025
30026 mm = kzalloc(sizeof(struct drm_gem_mm), GFP_KERNEL);
30027 if (!mm) {
30028 @@ -150,7 +150,7 @@ drm_gem_object_alloc(struct drm_device *
30029 goto fput;
30030 }
30031 atomic_inc(&dev->object_count);
30032 - atomic_add(obj->size, &dev->object_memory);
30033 + atomic_add_unchecked(obj->size, &dev->object_memory);
30034 return obj;
30035 fput:
30036 fput(obj->filp);
30037 @@ -429,7 +429,7 @@ drm_gem_object_free(struct kref *kref)
30038
30039 fput(obj->filp);
30040 atomic_dec(&dev->object_count);
30041 - atomic_sub(obj->size, &dev->object_memory);
30042 + atomic_sub_unchecked(obj->size, &dev->object_memory);
30043 kfree(obj);
30044 }
30045 EXPORT_SYMBOL(drm_gem_object_free);
30046 diff -urNp linux-2.6.32.46/drivers/gpu/drm/drm_info.c linux-2.6.32.46/drivers/gpu/drm/drm_info.c
30047 --- linux-2.6.32.46/drivers/gpu/drm/drm_info.c 2011-03-27 14:31:47.000000000 -0400
30048 +++ linux-2.6.32.46/drivers/gpu/drm/drm_info.c 2011-04-17 15:56:46.000000000 -0400
30049 @@ -75,10 +75,14 @@ int drm_vm_info(struct seq_file *m, void
30050 struct drm_local_map *map;
30051 struct drm_map_list *r_list;
30052
30053 - /* Hardcoded from _DRM_FRAME_BUFFER,
30054 - _DRM_REGISTERS, _DRM_SHM, _DRM_AGP, and
30055 - _DRM_SCATTER_GATHER and _DRM_CONSISTENT */
30056 - const char *types[] = { "FB", "REG", "SHM", "AGP", "SG", "PCI" };
30057 + static const char * const types[] = {
30058 + [_DRM_FRAME_BUFFER] = "FB",
30059 + [_DRM_REGISTERS] = "REG",
30060 + [_DRM_SHM] = "SHM",
30061 + [_DRM_AGP] = "AGP",
30062 + [_DRM_SCATTER_GATHER] = "SG",
30063 + [_DRM_CONSISTENT] = "PCI",
30064 + [_DRM_GEM] = "GEM" };
30065 const char *type;
30066 int i;
30067
30068 @@ -89,7 +93,7 @@ int drm_vm_info(struct seq_file *m, void
30069 map = r_list->map;
30070 if (!map)
30071 continue;
30072 - if (map->type < 0 || map->type > 5)
30073 + if (map->type >= ARRAY_SIZE(types))
30074 type = "??";
30075 else
30076 type = types[map->type];
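Review bot: With the table now built from designated initializers, `map->type >= ARRAY_SIZE(types)` only guarantees that the index is inside the array, not that the slot was initialised. If the enum ever gains a value below `_DRM_GEM` with no entry in the table, `types[map->type]` is NULL and is passed on as a string. `if (map->type >= ARRAY_SIZE(types) || !types[map->type])` keeps the `"??"` fallback for that case. The removed `map->type < 0` test is still covered only because the comparison against ARRAY_SIZE converts to an unsigned type, which deserves a short comment. The enum definition is not visible in the hunk.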
30077 @@ -265,10 +269,10 @@ int drm_gem_object_info(struct seq_file
30078 struct drm_device *dev = node->minor->dev;
30079
30080 seq_printf(m, "%d objects\n", atomic_read(&dev->object_count));
30081 - seq_printf(m, "%d object bytes\n", atomic_read(&dev->object_memory));
30082 + seq_printf(m, "%d object bytes\n", atomic_read_unchecked(&dev->object_memory));
30083 seq_printf(m, "%d pinned\n", atomic_read(&dev->pin_count));
30084 - seq_printf(m, "%d pin bytes\n", atomic_read(&dev->pin_memory));
30085 - seq_printf(m, "%d gtt bytes\n", atomic_read(&dev->gtt_memory));
30086 + seq_printf(m, "%d pin bytes\n", atomic_read_unchecked(&dev->pin_memory));
30087 + seq_printf(m, "%d gtt bytes\n", atomic_read_unchecked(&dev->gtt_memory));
30088 seq_printf(m, "%d gtt total\n", dev->gtt_total);
30089 return 0;
30090 }
30091 @@ -288,7 +292,11 @@ int drm_vma_info(struct seq_file *m, voi
30092 mutex_lock(&dev->struct_mutex);
30093 seq_printf(m, "vma use count: %d, high_memory = %p, 0x%08llx\n",
30094 atomic_read(&dev->vma_count),
30095 +#ifdef CONFIG_GRKERNSEC_HIDESYM
30096 + NULL, 0);
30097 +#else
30098 high_memory, (u64)virt_to_phys(high_memory));
30099 +#endif
30100
30101 list_for_each_entry(pt, &dev->vmalist, head) {
30102 vma = pt->vma;
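Review bot: The CONFIG_GRKERNSEC_HIDESYM branch passes a plain `0` for the `0x%08llx` conversion in this seq_printf, so an int is supplied where the format expects an unsigned long long. Where the two types differ in size, the formatter reads more bytes than were passed, and the field that is meant to be blanked can end up showing unrelated stack or register contents. Write `NULL, 0ULL);` here. The next hunk in drm_vma_info has the same mismatch for its `%lx` conversions: `0, 0,` should be `0UL, 0UL,` and the closing `0);` should be `0UL);`.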
30103 @@ -296,14 +304,23 @@ int drm_vma_info(struct seq_file *m, voi
30104 continue;
30105 seq_printf(m,
30106 "\n%5d 0x%08lx-0x%08lx %c%c%c%c%c%c 0x%08lx000",
30107 - pt->pid, vma->vm_start, vma->vm_end,
30108 + pt->pid,
30109 +#ifdef CONFIG_GRKERNSEC_HIDESYM
30110 + 0, 0,
30111 +#else
30112 + vma->vm_start, vma->vm_end,
30113 +#endif
30114 vma->vm_flags & VM_READ ? 'r' : '-',
30115 vma->vm_flags & VM_WRITE ? 'w' : '-',
30116 vma->vm_flags & VM_EXEC ? 'x' : '-',
30117 vma->vm_flags & VM_MAYSHARE ? 's' : 'p',
30118 vma->vm_flags & VM_LOCKED ? 'l' : '-',
30119 vma->vm_flags & VM_IO ? 'i' : '-',
30120 +#ifdef CONFIG_GRKERNSEC_HIDESYM
30121 + 0);
30122 +#else
30123 vma->vm_pgoff);
30124 +#endif
30125
30126 #if defined(__i386__)
30127 pgprot = pgprot_val(vma->vm_page_prot);
30128 diff -urNp linux-2.6.32.46/drivers/gpu/drm/drm_ioc32.c linux-2.6.32.46/drivers/gpu/drm/drm_ioc32.c
30129 --- linux-2.6.32.46/drivers/gpu/drm/drm_ioc32.c 2011-03-27 14:31:47.000000000 -0400
30130 +++ linux-2.6.32.46/drivers/gpu/drm/drm_ioc32.c 2011-10-06 09:37:14.000000000 -0400
30131 @@ -463,7 +463,7 @@ static int compat_drm_infobufs(struct fi
30132 request = compat_alloc_user_space(nbytes);
30133 if (!access_ok(VERIFY_WRITE, request, nbytes))
30134 return -EFAULT;
30135 - list = (struct drm_buf_desc *) (request + 1);
30136 + list = (struct drm_buf_desc __user *) (request + 1);
30137
30138 if (__put_user(count, &request->count)
30139 || __put_user(list, &request->list))
30140 @@ -525,7 +525,7 @@ static int compat_drm_mapbufs(struct fil
30141 request = compat_alloc_user_space(nbytes);
30142 if (!access_ok(VERIFY_WRITE, request, nbytes))
30143 return -EFAULT;
30144 - list = (struct drm_buf_pub *) (request + 1);
30145 + list = (struct drm_buf_pub __user *) (request + 1);
30146
30147 if (__put_user(count, &request->count)
30148 || __put_user(list, &request->list))
30149 diff -urNp linux-2.6.32.46/drivers/gpu/drm/drm_ioctl.c linux-2.6.32.46/drivers/gpu/drm/drm_ioctl.c
30150 --- linux-2.6.32.46/drivers/gpu/drm/drm_ioctl.c 2011-03-27 14:31:47.000000000 -0400
30151 +++ linux-2.6.32.46/drivers/gpu/drm/drm_ioctl.c 2011-04-17 15:56:46.000000000 -0400
30152 @@ -283,7 +283,7 @@ int drm_getstats(struct drm_device *dev,
30153 stats->data[i].value =
30154 (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
30155 else
30156 - stats->data[i].value = atomic_read(&dev->counts[i]);
30157 + stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
30158 stats->data[i].type = dev->types[i];
30159 }
30160
30161 diff -urNp linux-2.6.32.46/drivers/gpu/drm/drm_lock.c linux-2.6.32.46/drivers/gpu/drm/drm_lock.c
30162 --- linux-2.6.32.46/drivers/gpu/drm/drm_lock.c 2011-03-27 14:31:47.000000000 -0400
30163 +++ linux-2.6.32.46/drivers/gpu/drm/drm_lock.c 2011-04-17 15:56:46.000000000 -0400
30164 @@ -87,7 +87,7 @@ int drm_lock(struct drm_device *dev, voi
30165 if (drm_lock_take(&master->lock, lock->context)) {
30166 master->lock.file_priv = file_priv;
30167 master->lock.lock_time = jiffies;
30168 - atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
30169 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
30170 break; /* Got lock */
30171 }
30172
30173 @@ -165,7 +165,7 @@ int drm_unlock(struct drm_device *dev, v
30174 return -EINVAL;
30175 }
30176
30177 - atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
30178 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
30179
30180 /* kernel_context_switch isn't used by any of the x86 drm
30181 * modules but is required by the Sparc driver.
30182 diff -urNp linux-2.6.32.46/drivers/gpu/drm/i810/i810_dma.c linux-2.6.32.46/drivers/gpu/drm/i810/i810_dma.c
30183 --- linux-2.6.32.46/drivers/gpu/drm/i810/i810_dma.c 2011-03-27 14:31:47.000000000 -0400
30184 +++ linux-2.6.32.46/drivers/gpu/drm/i810/i810_dma.c 2011-04-17 15:56:46.000000000 -0400
30185 @@ -952,8 +952,8 @@ static int i810_dma_vertex(struct drm_de
30186 dma->buflist[vertex->idx],
30187 vertex->discard, vertex->used);
30188
30189 - atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
30190 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
30191 + atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
30192 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
30193 sarea_priv->last_enqueue = dev_priv->counter - 1;
30194 sarea_priv->last_dispatch = (int)hw_status[5];
30195
30196 @@ -1115,8 +1115,8 @@ static int i810_dma_mc(struct drm_device
30197 i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
30198 mc->last_render);
30199
30200 - atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
30201 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
30202 + atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
30203 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
30204 sarea_priv->last_enqueue = dev_priv->counter - 1;
30205 sarea_priv->last_dispatch = (int)hw_status[5];
30206
30207 diff -urNp linux-2.6.32.46/drivers/gpu/drm/i810/i810_drv.h linux-2.6.32.46/drivers/gpu/drm/i810/i810_drv.h
30208 --- linux-2.6.32.46/drivers/gpu/drm/i810/i810_drv.h 2011-03-27 14:31:47.000000000 -0400
30209 +++ linux-2.6.32.46/drivers/gpu/drm/i810/i810_drv.h 2011-05-04 17:56:28.000000000 -0400
30210 @@ -108,8 +108,8 @@ typedef struct drm_i810_private {
30211 int page_flipping;
30212
30213 wait_queue_head_t irq_queue;
30214 - atomic_t irq_received;
30215 - atomic_t irq_emitted;
30216 + atomic_unchecked_t irq_received;
30217 + atomic_unchecked_t irq_emitted;
30218
30219 int front_offset;
30220 } drm_i810_private_t;
30221 diff -urNp linux-2.6.32.46/drivers/gpu/drm/i830/i830_drv.h linux-2.6.32.46/drivers/gpu/drm/i830/i830_drv.h
30222 --- linux-2.6.32.46/drivers/gpu/drm/i830/i830_drv.h 2011-03-27 14:31:47.000000000 -0400
30223 +++ linux-2.6.32.46/drivers/gpu/drm/i830/i830_drv.h 2011-05-04 17:56:28.000000000 -0400
30224 @@ -115,8 +115,8 @@ typedef struct drm_i830_private {
30225 int page_flipping;
30226
30227 wait_queue_head_t irq_queue;
30228 - atomic_t irq_received;
30229 - atomic_t irq_emitted;
30230 + atomic_unchecked_t irq_received;
30231 + atomic_unchecked_t irq_emitted;
30232
30233 int use_mi_batchbuffer_start;
30234
30235 diff -urNp linux-2.6.32.46/drivers/gpu/drm/i830/i830_irq.c linux-2.6.32.46/drivers/gpu/drm/i830/i830_irq.c
30236 --- linux-2.6.32.46/drivers/gpu/drm/i830/i830_irq.c 2011-03-27 14:31:47.000000000 -0400
30237 +++ linux-2.6.32.46/drivers/gpu/drm/i830/i830_irq.c 2011-05-04 17:56:28.000000000 -0400
30238 @@ -47,7 +47,7 @@ irqreturn_t i830_driver_irq_handler(DRM_
30239
30240 I830_WRITE16(I830REG_INT_IDENTITY_R, temp);
30241
30242 - atomic_inc(&dev_priv->irq_received);
30243 + atomic_inc_unchecked(&dev_priv->irq_received);
30244 wake_up_interruptible(&dev_priv->irq_queue);
30245
30246 return IRQ_HANDLED;
30247 @@ -60,14 +60,14 @@ static int i830_emit_irq(struct drm_devi
30248
30249 DRM_DEBUG("%s\n", __func__);
30250
30251 - atomic_inc(&dev_priv->irq_emitted);
30252 + atomic_inc_unchecked(&dev_priv->irq_emitted);
30253
30254 BEGIN_LP_RING(2);
30255 OUT_RING(0);
30256 OUT_RING(GFX_OP_USER_INTERRUPT);
30257 ADVANCE_LP_RING();
30258
30259 - return atomic_read(&dev_priv->irq_emitted);
30260 + return atomic_read_unchecked(&dev_priv->irq_emitted);
30261 }
30262
30263 static int i830_wait_irq(struct drm_device * dev, int irq_nr)
30264 @@ -79,7 +79,7 @@ static int i830_wait_irq(struct drm_devi
30265
30266 DRM_DEBUG("%s\n", __func__);
30267
30268 - if (atomic_read(&dev_priv->irq_received) >= irq_nr)
30269 + if (atomic_read_unchecked(&dev_priv->irq_received) >= irq_nr)
30270 return 0;
30271
30272 dev_priv->sarea_priv->perf_boxes |= I830_BOX_WAIT;
30273 @@ -88,7 +88,7 @@ static int i830_wait_irq(struct drm_devi
30274
30275 for (;;) {
30276 __set_current_state(TASK_INTERRUPTIBLE);
30277 - if (atomic_read(&dev_priv->irq_received) >= irq_nr)
30278 + if (atomic_read_unchecked(&dev_priv->irq_received) >= irq_nr)
30279 break;
30280 if ((signed)(end - jiffies) <= 0) {
30281 DRM_ERROR("timeout iir %x imr %x ier %x hwstam %x\n",
30282 @@ -163,8 +163,8 @@ void i830_driver_irq_preinstall(struct d
30283 I830_WRITE16(I830REG_HWSTAM, 0xffff);
30284 I830_WRITE16(I830REG_INT_MASK_R, 0x0);
30285 I830_WRITE16(I830REG_INT_ENABLE_R, 0x0);
30286 - atomic_set(&dev_priv->irq_received, 0);
30287 - atomic_set(&dev_priv->irq_emitted, 0);
30288 + atomic_set_unchecked(&dev_priv->irq_received, 0);
30289 + atomic_set_unchecked(&dev_priv->irq_emitted, 0);
30290 init_waitqueue_head(&dev_priv->irq_queue);
30291 }
30292
30293 diff -urNp linux-2.6.32.46/drivers/gpu/drm/i915/dvo_ch7017.c linux-2.6.32.46/drivers/gpu/drm/i915/dvo_ch7017.c
30294 --- linux-2.6.32.46/drivers/gpu/drm/i915/dvo_ch7017.c 2011-03-27 14:31:47.000000000 -0400
30295 +++ linux-2.6.32.46/drivers/gpu/drm/i915/dvo_ch7017.c 2011-04-17 15:56:46.000000000 -0400
30296 @@ -443,7 +443,7 @@ static void ch7017_destroy(struct intel_
30297 }
30298 }
30299
30300 -struct intel_dvo_dev_ops ch7017_ops = {
30301 +const struct intel_dvo_dev_ops ch7017_ops = {
30302 .init = ch7017_init,
30303 .detect = ch7017_detect,
30304 .mode_valid = ch7017_mode_valid,
30305 diff -urNp linux-2.6.32.46/drivers/gpu/drm/i915/dvo_ch7xxx.c linux-2.6.32.46/drivers/gpu/drm/i915/dvo_ch7xxx.c
30306 --- linux-2.6.32.46/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-03-27 14:31:47.000000000 -0400
30307 +++ linux-2.6.32.46/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-04-17 15:56:46.000000000 -0400
30308 @@ -356,7 +356,7 @@ static void ch7xxx_destroy(struct intel_
30309 }
30310 }
30311
30312 -struct intel_dvo_dev_ops ch7xxx_ops = {
30313 +const struct intel_dvo_dev_ops ch7xxx_ops = {
30314 .init = ch7xxx_init,
30315 .detect = ch7xxx_detect,
30316 .mode_valid = ch7xxx_mode_valid,
30317 diff -urNp linux-2.6.32.46/drivers/gpu/drm/i915/dvo.h linux-2.6.32.46/drivers/gpu/drm/i915/dvo.h
30318 --- linux-2.6.32.46/drivers/gpu/drm/i915/dvo.h 2011-03-27 14:31:47.000000000 -0400
30319 +++ linux-2.6.32.46/drivers/gpu/drm/i915/dvo.h 2011-04-17 15:56:46.000000000 -0400
30320 @@ -135,23 +135,23 @@ struct intel_dvo_dev_ops {
30321 *
30322 * \return singly-linked list of modes or NULL if no modes found.
30323 */
30324 - struct drm_display_mode *(*get_modes)(struct intel_dvo_device *dvo);
30325 + struct drm_display_mode *(* const get_modes)(struct intel_dvo_device *dvo);
30326
30327 /**
30328 * Clean up driver-specific bits of the output
30329 */
30330 - void (*destroy) (struct intel_dvo_device *dvo);
30331 + void (* const destroy) (struct intel_dvo_device *dvo);
30332
30333 /**
30334 * Debugging hook to dump device registers to log file
30335 */
30336 - void (*dump_regs)(struct intel_dvo_device *dvo);
30337 + void (* const dump_regs)(struct intel_dvo_device *dvo);
30338 };
30339
30340 -extern struct intel_dvo_dev_ops sil164_ops;
30341 -extern struct intel_dvo_dev_ops ch7xxx_ops;
30342 -extern struct intel_dvo_dev_ops ivch_ops;
30343 -extern struct intel_dvo_dev_ops tfp410_ops;
30344 -extern struct intel_dvo_dev_ops ch7017_ops;
30345 +extern const struct intel_dvo_dev_ops sil164_ops;
30346 +extern const struct intel_dvo_dev_ops ch7xxx_ops;
30347 +extern const struct intel_dvo_dev_ops ivch_ops;
30348 +extern const struct intel_dvo_dev_ops tfp410_ops;
30349 +extern const struct intel_dvo_dev_ops ch7017_ops;
30350
30351 #endif /* _INTEL_DVO_H */
30352 diff -urNp linux-2.6.32.46/drivers/gpu/drm/i915/dvo_ivch.c linux-2.6.32.46/drivers/gpu/drm/i915/dvo_ivch.c
30353 --- linux-2.6.32.46/drivers/gpu/drm/i915/dvo_ivch.c 2011-03-27 14:31:47.000000000 -0400
30354 +++ linux-2.6.32.46/drivers/gpu/drm/i915/dvo_ivch.c 2011-04-17 15:56:46.000000000 -0400
30355 @@ -430,7 +430,7 @@ static void ivch_destroy(struct intel_dv
30356 }
30357 }
30358
30359 -struct intel_dvo_dev_ops ivch_ops= {
30360 +const struct intel_dvo_dev_ops ivch_ops= {
30361 .init = ivch_init,
30362 .dpms = ivch_dpms,
30363 .save = ivch_save,
30364 diff -urNp linux-2.6.32.46/drivers/gpu/drm/i915/dvo_sil164.c linux-2.6.32.46/drivers/gpu/drm/i915/dvo_sil164.c
30365 --- linux-2.6.32.46/drivers/gpu/drm/i915/dvo_sil164.c 2011-03-27 14:31:47.000000000 -0400
30366 +++ linux-2.6.32.46/drivers/gpu/drm/i915/dvo_sil164.c 2011-04-17 15:56:46.000000000 -0400
30367 @@ -290,7 +290,7 @@ static void sil164_destroy(struct intel_
30368 }
30369 }
30370
30371 -struct intel_dvo_dev_ops sil164_ops = {
30372 +const struct intel_dvo_dev_ops sil164_ops = {
30373 .init = sil164_init,
30374 .detect = sil164_detect,
30375 .mode_valid = sil164_mode_valid,
30376 diff -urNp linux-2.6.32.46/drivers/gpu/drm/i915/dvo_tfp410.c linux-2.6.32.46/drivers/gpu/drm/i915/dvo_tfp410.c
30377 --- linux-2.6.32.46/drivers/gpu/drm/i915/dvo_tfp410.c 2011-03-27 14:31:47.000000000 -0400
30378 +++ linux-2.6.32.46/drivers/gpu/drm/i915/dvo_tfp410.c 2011-04-17 15:56:46.000000000 -0400
30379 @@ -323,7 +323,7 @@ static void tfp410_destroy(struct intel_
30380 }
30381 }
30382
30383 -struct intel_dvo_dev_ops tfp410_ops = {
30384 +const struct intel_dvo_dev_ops tfp410_ops = {
30385 .init = tfp410_init,
30386 .detect = tfp410_detect,
30387 .mode_valid = tfp410_mode_valid,
30388 diff -urNp linux-2.6.32.46/drivers/gpu/drm/i915/i915_debugfs.c linux-2.6.32.46/drivers/gpu/drm/i915/i915_debugfs.c
30389 --- linux-2.6.32.46/drivers/gpu/drm/i915/i915_debugfs.c 2011-03-27 14:31:47.000000000 -0400
30390 +++ linux-2.6.32.46/drivers/gpu/drm/i915/i915_debugfs.c 2011-05-04 17:56:28.000000000 -0400
30391 @@ -192,7 +192,7 @@ static int i915_interrupt_info(struct se
30392 I915_READ(GTIMR));
30393 }
30394 seq_printf(m, "Interrupts received: %d\n",
30395 - atomic_read(&dev_priv->irq_received));
30396 + atomic_read_unchecked(&dev_priv->irq_received));
30397 if (dev_priv->hw_status_page != NULL) {
30398 seq_printf(m, "Current sequence: %d\n",
30399 i915_get_gem_seqno(dev));
30400 diff -urNp linux-2.6.32.46/drivers/gpu/drm/i915/i915_drv.c linux-2.6.32.46/drivers/gpu/drm/i915/i915_drv.c
30401 --- linux-2.6.32.46/drivers/gpu/drm/i915/i915_drv.c 2011-03-27 14:31:47.000000000 -0400
30402 +++ linux-2.6.32.46/drivers/gpu/drm/i915/i915_drv.c 2011-04-17 15:56:46.000000000 -0400
30403 @@ -285,7 +285,7 @@ i915_pci_resume(struct pci_dev *pdev)
30404 return i915_resume(dev);
30405 }
30406
30407 -static struct vm_operations_struct i915_gem_vm_ops = {
30408 +static const struct vm_operations_struct i915_gem_vm_ops = {
30409 .fault = i915_gem_fault,
30410 .open = drm_gem_vm_open,
30411 .close = drm_gem_vm_close,
30412 diff -urNp linux-2.6.32.46/drivers/gpu/drm/i915/i915_drv.h linux-2.6.32.46/drivers/gpu/drm/i915/i915_drv.h
30413 --- linux-2.6.32.46/drivers/gpu/drm/i915/i915_drv.h 2011-03-27 14:31:47.000000000 -0400
30414 +++ linux-2.6.32.46/drivers/gpu/drm/i915/i915_drv.h 2011-08-05 20:33:55.000000000 -0400
30415 @@ -168,7 +168,7 @@ struct drm_i915_display_funcs {
30416 /* display clock increase/decrease */
30417 /* pll clock increase/decrease */
30418 /* clock gating init */
30419 -};
30420 +} __no_const;
30421
30422 typedef struct drm_i915_private {
30423 struct drm_device *dev;
30424 @@ -197,7 +197,7 @@ typedef struct drm_i915_private {
30425 int page_flipping;
30426
30427 wait_queue_head_t irq_queue;
30428 - atomic_t irq_received;
30429 + atomic_unchecked_t irq_received;
30430 /** Protects user_irq_refcount and irq_mask_reg */
30431 spinlock_t user_irq_lock;
30432 /** Refcount for i915_user_irq_get() versus i915_user_irq_put(). */
30433 diff -urNp linux-2.6.32.46/drivers/gpu/drm/i915/i915_gem.c linux-2.6.32.46/drivers/gpu/drm/i915/i915_gem.c
30434 --- linux-2.6.32.46/drivers/gpu/drm/i915/i915_gem.c 2011-03-27 14:31:47.000000000 -0400
30435 +++ linux-2.6.32.46/drivers/gpu/drm/i915/i915_gem.c 2011-04-17 15:56:46.000000000 -0400
30436 @@ -102,7 +102,7 @@ i915_gem_get_aperture_ioctl(struct drm_d
30437
30438 args->aper_size = dev->gtt_total;
30439 args->aper_available_size = (args->aper_size -
30440 - atomic_read(&dev->pin_memory));
30441 + atomic_read_unchecked(&dev->pin_memory));
30442
30443 return 0;
30444 }
30445 @@ -492,6 +492,11 @@ i915_gem_pread_ioctl(struct drm_device *
30446 return -EINVAL;
30447 }
30448
30449 + if (!access_ok(VERIFY_WRITE, (char __user *) (uintptr_t)args->data_ptr, args->size)) {
30450 + drm_gem_object_unreference(obj);
30451 + return -EFAULT;
30452 + }
30453 +
30454 if (i915_gem_object_needs_bit17_swizzle(obj)) {
30455 ret = i915_gem_shmem_pread_slow(dev, obj, args, file_priv);
30456 } else {
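Review bot: The added `access_ok(VERIFY_WRITE, ...)` only proves that `data_ptr..data_ptr+size` lies in the user address range; it does not show that the pages are mapped, so the copy paths below still have to handle faults. The reason for the up-front check is not stated; if it is there because the copy helpers further down use unchecked `__copy_*` variants (not visible in this hunk — confirm), say so in a comment such as `/* data_ptr is user-controlled and the copy paths skip access_ok(); validate the range once here */`. The same four lines are repeated with `VERIFY_READ` in the `i915_gem_pwrite_ioctl` hunk that follows and would take the same comment. Both ioctl bodies start and end outside their hunks.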
30457 @@ -965,6 +970,11 @@ i915_gem_pwrite_ioctl(struct drm_device
30458 return -EINVAL;
30459 }
30460
30461 + if (!access_ok(VERIFY_READ, (char __user *) (uintptr_t)args->data_ptr, args->size)) {
30462 + drm_gem_object_unreference(obj);
30463 + return -EFAULT;
30464 + }
30465 +
30466 /* We can only do the GTT pwrite on untiled buffers, as otherwise
30467 * it would end up going through the fenced access, and we'll get
30468 * different detiling behavior between reading and writing.
30469 @@ -2054,7 +2064,7 @@ i915_gem_object_unbind(struct drm_gem_ob
30470
30471 if (obj_priv->gtt_space) {
30472 atomic_dec(&dev->gtt_count);
30473 - atomic_sub(obj->size, &dev->gtt_memory);
30474 + atomic_sub_unchecked(obj->size, &dev->gtt_memory);
30475
30476 drm_mm_put_block(obj_priv->gtt_space);
30477 obj_priv->gtt_space = NULL;
30478 @@ -2697,7 +2707,7 @@ i915_gem_object_bind_to_gtt(struct drm_g
30479 goto search_free;
30480 }
30481 atomic_inc(&dev->gtt_count);
30482 - atomic_add(obj->size, &dev->gtt_memory);
30483 + atomic_add_unchecked(obj->size, &dev->gtt_memory);
30484
30485 /* Assert that the object is not currently in any GPU domain. As it
30486 * wasn't in the GTT, there shouldn't be any way it could have been in
30487 @@ -3751,9 +3761,9 @@ i915_gem_execbuffer(struct drm_device *d
30488 "%d/%d gtt bytes\n",
30489 atomic_read(&dev->object_count),
30490 atomic_read(&dev->pin_count),
30491 - atomic_read(&dev->object_memory),
30492 - atomic_read(&dev->pin_memory),
30493 - atomic_read(&dev->gtt_memory),
30494 + atomic_read_unchecked(&dev->object_memory),
30495 + atomic_read_unchecked(&dev->pin_memory),
30496 + atomic_read_unchecked(&dev->gtt_memory),
30497 dev->gtt_total);
30498 }
30499 goto err;
30500 @@ -3985,7 +3995,7 @@ i915_gem_object_pin(struct drm_gem_objec
30501 */
30502 if (obj_priv->pin_count == 1) {
30503 atomic_inc(&dev->pin_count);
30504 - atomic_add(obj->size, &dev->pin_memory);
30505 + atomic_add_unchecked(obj->size, &dev->pin_memory);
30506 if (!obj_priv->active &&
30507 (obj->write_domain & I915_GEM_GPU_DOMAINS) == 0 &&
30508 !list_empty(&obj_priv->list))
30509 @@ -4018,7 +4028,7 @@ i915_gem_object_unpin(struct drm_gem_obj
30510 list_move_tail(&obj_priv->list,
30511 &dev_priv->mm.inactive_list);
30512 atomic_dec(&dev->pin_count);
30513 - atomic_sub(obj->size, &dev->pin_memory);
30514 + atomic_sub_unchecked(obj->size, &dev->pin_memory);
30515 }
30516 i915_verify_inactive(dev, __FILE__, __LINE__);
30517 }
30518 diff -urNp linux-2.6.32.46/drivers/gpu/drm/i915/i915_irq.c linux-2.6.32.46/drivers/gpu/drm/i915/i915_irq.c
30519 --- linux-2.6.32.46/drivers/gpu/drm/i915/i915_irq.c 2011-03-27 14:31:47.000000000 -0400
30520 +++ linux-2.6.32.46/drivers/gpu/drm/i915/i915_irq.c 2011-05-04 17:56:28.000000000 -0400
30521 @@ -528,7 +528,7 @@ irqreturn_t i915_driver_irq_handler(DRM_
30522 int irq_received;
30523 int ret = IRQ_NONE;
30524
30525 - atomic_inc(&dev_priv->irq_received);
30526 + atomic_inc_unchecked(&dev_priv->irq_received);
30527
30528 if (IS_IGDNG(dev))
30529 return igdng_irq_handler(dev);
30530 @@ -1021,7 +1021,7 @@ void i915_driver_irq_preinstall(struct d
30531 {
30532 drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
30533
30534 - atomic_set(&dev_priv->irq_received, 0);
30535 + atomic_set_unchecked(&dev_priv->irq_received, 0);
30536
30537 INIT_WORK(&dev_priv->hotplug_work, i915_hotplug_work_func);
30538 INIT_WORK(&dev_priv->error_work, i915_error_work_func);
30539 diff -urNp linux-2.6.32.46/drivers/gpu/drm/i915/intel_sdvo.c linux-2.6.32.46/drivers/gpu/drm/i915/intel_sdvo.c
30540 --- linux-2.6.32.46/drivers/gpu/drm/i915/intel_sdvo.c 2011-03-27 14:31:47.000000000 -0400
30541 +++ linux-2.6.32.46/drivers/gpu/drm/i915/intel_sdvo.c 2011-08-05 20:33:55.000000000 -0400
30542 @@ -2795,7 +2795,9 @@ bool intel_sdvo_init(struct drm_device *
30543 sdvo_priv->slave_addr = intel_sdvo_get_slave_addr(dev, output_device);
30544
30545 /* Save the bit-banging i2c functionality for use by the DDC wrapper */
30546 - intel_sdvo_i2c_bit_algo.functionality = intel_output->i2c_bus->algo->functionality;
30547 + pax_open_kernel();
30548 + *(void **)&intel_sdvo_i2c_bit_algo.functionality = intel_output->i2c_bus->algo->functionality;
30549 + pax_close_kernel();
30550
30551 /* Read the regs to test if we can talk to the device */
30552 for (i = 0; i < 0x40; i++) {
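Review bot: The store through `*(void **)&intel_sdvo_i2c_bit_algo.functionality` discards the function-pointer type, so the compiler can no longer catch a mismatch between the two `functionality` members. A cast that keeps the member type still bypasses const, for example `*(typeof(intel_output->i2c_bus->algo->functionality) *)&intel_sdvo_i2c_bit_algo.functionality = ...`. The `pax_open_kernel()`/`pax_close_kernel()` pair would also benefit from a one-line comment such as `/* algo table is read-only; open a write window for this single store */`. That the table is read-only is inferred from the pair, not shown in this hunk. `intel_sdvo_init` continues outside the hunk.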
30553 diff -urNp linux-2.6.32.46/drivers/gpu/drm/mga/mga_drv.h linux-2.6.32.46/drivers/gpu/drm/mga/mga_drv.h
30554 --- linux-2.6.32.46/drivers/gpu/drm/mga/mga_drv.h 2011-03-27 14:31:47.000000000 -0400
30555 +++ linux-2.6.32.46/drivers/gpu/drm/mga/mga_drv.h 2011-05-04 17:56:28.000000000 -0400
30556 @@ -120,9 +120,9 @@ typedef struct drm_mga_private {
30557 u32 clear_cmd;
30558 u32 maccess;
30559
30560 - atomic_t vbl_received; /**< Number of vblanks received. */
30561 + atomic_unchecked_t vbl_received; /**< Number of vblanks received. */
30562 wait_queue_head_t fence_queue;
30563 - atomic_t last_fence_retired;
30564 + atomic_unchecked_t last_fence_retired;
30565 u32 next_fence_to_post;
30566
30567 unsigned int fb_cpp;
30568 diff -urNp linux-2.6.32.46/drivers/gpu/drm/mga/mga_irq.c linux-2.6.32.46/drivers/gpu/drm/mga/mga_irq.c
30569 --- linux-2.6.32.46/drivers/gpu/drm/mga/mga_irq.c 2011-03-27 14:31:47.000000000 -0400
30570 +++ linux-2.6.32.46/drivers/gpu/drm/mga/mga_irq.c 2011-05-04 17:56:28.000000000 -0400
30571 @@ -44,7 +44,7 @@ u32 mga_get_vblank_counter(struct drm_de
30572 if (crtc != 0)
30573 return 0;
30574
30575 - return atomic_read(&dev_priv->vbl_received);
30576 + return atomic_read_unchecked(&dev_priv->vbl_received);
30577 }
30578
30579
30580 @@ -60,7 +60,7 @@ irqreturn_t mga_driver_irq_handler(DRM_I
30581 /* VBLANK interrupt */
30582 if (status & MGA_VLINEPEN) {
30583 MGA_WRITE(MGA_ICLEAR, MGA_VLINEICLR);
30584 - atomic_inc(&dev_priv->vbl_received);
30585 + atomic_inc_unchecked(&dev_priv->vbl_received);
30586 drm_handle_vblank(dev, 0);
30587 handled = 1;
30588 }
30589 @@ -80,7 +80,7 @@ irqreturn_t mga_driver_irq_handler(DRM_I
30590 MGA_WRITE(MGA_PRIMEND, prim_end);
30591 }
30592
30593 - atomic_inc(&dev_priv->last_fence_retired);
30594 + atomic_inc_unchecked(&dev_priv->last_fence_retired);
30595 DRM_WAKEUP(&dev_priv->fence_queue);
30596 handled = 1;
30597 }
30598 @@ -131,7 +131,7 @@ int mga_driver_fence_wait(struct drm_dev
30599 * using fences.
30600 */
30601 DRM_WAIT_ON(ret, dev_priv->fence_queue, 3 * DRM_HZ,
30602 - (((cur_fence = atomic_read(&dev_priv->last_fence_retired))
30603 + (((cur_fence = atomic_read_unchecked(&dev_priv->last_fence_retired))
30604 - *sequence) <= (1 << 23)));
30605
30606 *sequence = cur_fence;
30607 diff -urNp linux-2.6.32.46/drivers/gpu/drm/r128/r128_cce.c linux-2.6.32.46/drivers/gpu/drm/r128/r128_cce.c
30608 --- linux-2.6.32.46/drivers/gpu/drm/r128/r128_cce.c 2011-03-27 14:31:47.000000000 -0400
30609 +++ linux-2.6.32.46/drivers/gpu/drm/r128/r128_cce.c 2011-05-04 17:56:28.000000000 -0400
30610 @@ -377,7 +377,7 @@ static int r128_do_init_cce(struct drm_d
30611
30612 /* GH: Simple idle check.
30613 */
30614 - atomic_set(&dev_priv->idle_count, 0);
30615 + atomic_set_unchecked(&dev_priv->idle_count, 0);
30616
30617 /* We don't support anything other than bus-mastering ring mode,
30618 * but the ring can be in either AGP or PCI space for the ring
30619 diff -urNp linux-2.6.32.46/drivers/gpu/drm/r128/r128_drv.h linux-2.6.32.46/drivers/gpu/drm/r128/r128_drv.h
30620 --- linux-2.6.32.46/drivers/gpu/drm/r128/r128_drv.h 2011-03-27 14:31:47.000000000 -0400
30621 +++ linux-2.6.32.46/drivers/gpu/drm/r128/r128_drv.h 2011-05-04 17:56:28.000000000 -0400
30622 @@ -90,14 +90,14 @@ typedef struct drm_r128_private {
30623 int is_pci;
30624 unsigned long cce_buffers_offset;
30625
30626 - atomic_t idle_count;
30627 + atomic_unchecked_t idle_count;
30628
30629 int page_flipping;
30630 int current_page;
30631 u32 crtc_offset;
30632 u32 crtc_offset_cntl;
30633
30634 - atomic_t vbl_received;
30635 + atomic_unchecked_t vbl_received;
30636
30637 u32 color_fmt;
30638 unsigned int front_offset;
30639 diff -urNp linux-2.6.32.46/drivers/gpu/drm/r128/r128_irq.c linux-2.6.32.46/drivers/gpu/drm/r128/r128_irq.c
30640 --- linux-2.6.32.46/drivers/gpu/drm/r128/r128_irq.c 2011-03-27 14:31:47.000000000 -0400
30641 +++ linux-2.6.32.46/drivers/gpu/drm/r128/r128_irq.c 2011-05-04 17:56:28.000000000 -0400
30642 @@ -42,7 +42,7 @@ u32 r128_get_vblank_counter(struct drm_d
30643 if (crtc != 0)
30644 return 0;
30645
30646 - return atomic_read(&dev_priv->vbl_received);
30647 + return atomic_read_unchecked(&dev_priv->vbl_received);
30648 }
30649
30650 irqreturn_t r128_driver_irq_handler(DRM_IRQ_ARGS)
30651 @@ -56,7 +56,7 @@ irqreturn_t r128_driver_irq_handler(DRM_
30652 /* VBLANK interrupt */
30653 if (status & R128_CRTC_VBLANK_INT) {
30654 R128_WRITE(R128_GEN_INT_STATUS, R128_CRTC_VBLANK_INT_AK);
30655 - atomic_inc(&dev_priv->vbl_received);
30656 + atomic_inc_unchecked(&dev_priv->vbl_received);
30657 drm_handle_vblank(dev, 0);
30658 return IRQ_HANDLED;
30659 }
30660 diff -urNp linux-2.6.32.46/drivers/gpu/drm/r128/r128_state.c linux-2.6.32.46/drivers/gpu/drm/r128/r128_state.c
30661 --- linux-2.6.32.46/drivers/gpu/drm/r128/r128_state.c 2011-03-27 14:31:47.000000000 -0400
30662 +++ linux-2.6.32.46/drivers/gpu/drm/r128/r128_state.c 2011-05-04 17:56:28.000000000 -0400
30663 @@ -323,10 +323,10 @@ static void r128_clear_box(drm_r128_priv
30664
30665 static void r128_cce_performance_boxes(drm_r128_private_t * dev_priv)
30666 {
30667 - if (atomic_read(&dev_priv->idle_count) == 0) {
30668 + if (atomic_read_unchecked(&dev_priv->idle_count) == 0) {
30669 r128_clear_box(dev_priv, 64, 4, 8, 8, 0, 255, 0);
30670 } else {
30671 - atomic_set(&dev_priv->idle_count, 0);
30672 + atomic_set_unchecked(&dev_priv->idle_count, 0);
30673 }
30674 }
30675
30676 diff -urNp linux-2.6.32.46/drivers/gpu/drm/radeon/atom.c linux-2.6.32.46/drivers/gpu/drm/radeon/atom.c
30677 --- linux-2.6.32.46/drivers/gpu/drm/radeon/atom.c 2011-05-10 22:12:01.000000000 -0400
30678 +++ linux-2.6.32.46/drivers/gpu/drm/radeon/atom.c 2011-05-16 21:46:57.000000000 -0400
30679 @@ -1115,6 +1115,8 @@ struct atom_context *atom_parse(struct c
30680 char name[512];
30681 int i;
30682
30683 + pax_track_stack();
30684 +
30685 ctx->card = card;
30686 ctx->bios = bios;
30687
30688 diff -urNp linux-2.6.32.46/drivers/gpu/drm/radeon/mkregtable.c linux-2.6.32.46/drivers/gpu/drm/radeon/mkregtable.c
30689 --- linux-2.6.32.46/drivers/gpu/drm/radeon/mkregtable.c 2011-03-27 14:31:47.000000000 -0400
30690 +++ linux-2.6.32.46/drivers/gpu/drm/radeon/mkregtable.c 2011-04-17 15:56:46.000000000 -0400
30691 @@ -637,14 +637,14 @@ static int parser_auth(struct table *t,
30692 regex_t mask_rex;
30693 regmatch_t match[4];
30694 char buf[1024];
30695 - size_t end;
30696 + long end;
30697 int len;
30698 int done = 0;
30699 int r;
30700 unsigned o;
30701 struct offset *offset;
30702 char last_reg_s[10];
30703 - int last_reg;
30704 + unsigned long last_reg;
30705
30706 if (regcomp
30707 (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
30708 diff -urNp linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_atombios.c linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_atombios.c
30709 --- linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_atombios.c 2011-03-27 14:31:47.000000000 -0400
30710 +++ linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_atombios.c 2011-05-16 21:46:57.000000000 -0400
30711 @@ -275,6 +275,8 @@ bool radeon_get_atom_connector_info_from
30712 bool linkb;
30713 struct radeon_i2c_bus_rec ddc_bus;
30714
30715 + pax_track_stack();
30716 +
30717 atom_parse_data_header(ctx, index, &size, &frev, &crev, &data_offset);
30718
30719 if (data_offset == 0)
30720 @@ -520,13 +522,13 @@ static uint16_t atombios_get_connector_o
30721 }
30722 }
30723
30724 -struct bios_connector {
30725 +static struct bios_connector {
30726 bool valid;
30727 uint16_t line_mux;
30728 uint16_t devices;
30729 int connector_type;
30730 struct radeon_i2c_bus_rec ddc_bus;
30731 -};
30732 +} bios_connectors[ATOM_MAX_SUPPORTED_DEVICE];
30733
30734 bool radeon_get_atom_connector_info_from_supported_devices_table(struct
30735 drm_device
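Review bot: Turning `bios_connectors[ATOM_MAX_SUPPORTED_DEVICE]` into a file-scope `static` array makes `radeon_get_atom_connector_info_from_supported_devices_table` non-reentrant, and entries written by one call remain visible to the next. If two radeon devices can be probed concurrently, or if the loop does not reset every `valid` field before reading it, shared or stale connector data could be used; the loop body is outside these hunks. Either document the assumption on the array, e.g. `/* static to keep it off the kernel stack; callers must be serialized */`, or allocate it with `kzalloc` and free it before returning. The next hunk removes the matching local declaration.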
30736 @@ -542,7 +544,6 @@ bool radeon_get_atom_connector_info_from
30737 uint8_t dac;
30738 union atom_supported_devices *supported_devices;
30739 int i, j;
30740 - struct bios_connector bios_connectors[ATOM_MAX_SUPPORTED_DEVICE];
30741
30742 atom_parse_data_header(ctx, index, &size, &frev, &crev, &data_offset);
30743
30744 diff -urNp linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_display.c linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_display.c
30745 --- linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_display.c 2011-03-27 14:31:47.000000000 -0400
30746 +++ linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_display.c 2011-04-17 15:56:46.000000000 -0400
30747 @@ -482,7 +482,7 @@ void radeon_compute_pll(struct radeon_pl
30748
30749 if (flags & RADEON_PLL_PREFER_CLOSEST_LOWER) {
30750 error = freq - current_freq;
30751 - error = error < 0 ? 0xffffffff : error;
30752 + error = (int32_t)error < 0 ? 0xffffffff : error;
30753 } else
30754 error = abs(current_freq - freq);
30755 vco_diff = abs(vco - best_vco);
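Review bot: `(int32_t)error < 0` detects the underflow by reinterpreting the already-wrapped unsigned difference, which also classifies any genuine difference of 2^31 or more as negative. Comparing before subtracting states the intent directly and avoids the reinterpretation: `error = freq < current_freq ? 0xffffffff : freq - current_freq;`. The declarations of `error`, `freq` and `current_freq` are outside this hunk, so confirm their widths before applying it.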
30756 diff -urNp linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_drv.h linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_drv.h
30757 --- linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_drv.h 2011-03-27 14:31:47.000000000 -0400
30758 +++ linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_drv.h 2011-05-04 17:56:28.000000000 -0400
30759 @@ -253,7 +253,7 @@ typedef struct drm_radeon_private {
30760
30761 /* SW interrupt */
30762 wait_queue_head_t swi_queue;
30763 - atomic_t swi_emitted;
30764 + atomic_unchecked_t swi_emitted;
30765 int vblank_crtc;
30766 uint32_t irq_enable_reg;
30767 uint32_t r500_disp_irq_reg;
30768 diff -urNp linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_fence.c linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_fence.c
30769 --- linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_fence.c 2011-03-27 14:31:47.000000000 -0400
30770 +++ linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_fence.c 2011-05-04 17:56:28.000000000 -0400
30771 @@ -47,7 +47,7 @@ int radeon_fence_emit(struct radeon_devi
30772 write_unlock_irqrestore(&rdev->fence_drv.lock, irq_flags);
30773 return 0;
30774 }
30775 - fence->seq = atomic_add_return(1, &rdev->fence_drv.seq);
30776 + fence->seq = atomic_add_return_unchecked(1, &rdev->fence_drv.seq);
30777 if (!rdev->cp.ready) {
30778 /* FIXME: cp is not running assume everythings is done right
30779 * away
30780 @@ -364,7 +364,7 @@ int radeon_fence_driver_init(struct rade
30781 return r;
30782 }
30783 WREG32(rdev->fence_drv.scratch_reg, 0);
30784 - atomic_set(&rdev->fence_drv.seq, 0);
30785 + atomic_set_unchecked(&rdev->fence_drv.seq, 0);
30786 INIT_LIST_HEAD(&rdev->fence_drv.created);
30787 INIT_LIST_HEAD(&rdev->fence_drv.emited);
30788 INIT_LIST_HEAD(&rdev->fence_drv.signaled);
30789 diff -urNp linux-2.6.32.46/drivers/gpu/drm/radeon/radeon.h linux-2.6.32.46/drivers/gpu/drm/radeon/radeon.h
30790 --- linux-2.6.32.46/drivers/gpu/drm/radeon/radeon.h 2011-03-27 14:31:47.000000000 -0400
30791 +++ linux-2.6.32.46/drivers/gpu/drm/radeon/radeon.h 2011-08-05 20:33:55.000000000 -0400
30792 @@ -149,7 +149,7 @@ int radeon_pm_init(struct radeon_device
30793 */
30794 struct radeon_fence_driver {
30795 uint32_t scratch_reg;
30796 - atomic_t seq;
30797 + atomic_unchecked_t seq;
30798 uint32_t last_seq;
30799 unsigned long count_timeout;
30800 wait_queue_head_t queue;
30801 @@ -640,7 +640,7 @@ struct radeon_asic {
30802 uint32_t offset, uint32_t obj_size);
30803 int (*clear_surface_reg)(struct radeon_device *rdev, int reg);
30804 void (*bandwidth_update)(struct radeon_device *rdev);
30805 -};
30806 +} __no_const;
30807
30808 /*
30809 * Asic structures
30810 diff -urNp linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_ioc32.c linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_ioc32.c
30811 --- linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_ioc32.c 2011-03-27 14:31:47.000000000 -0400
30812 +++ linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_ioc32.c 2011-04-23 13:57:24.000000000 -0400
30813 @@ -368,7 +368,7 @@ static int compat_radeon_cp_setparam(str
30814 request = compat_alloc_user_space(sizeof(*request));
30815 if (!access_ok(VERIFY_WRITE, request, sizeof(*request))
30816 || __put_user(req32.param, &request->param)
30817 - || __put_user((void __user *)(unsigned long)req32.value,
30818 + || __put_user((unsigned long)req32.value,
30819 &request->value))
30820 return -EFAULT;
30821
30822 diff -urNp linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_irq.c linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_irq.c
30823 --- linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_irq.c 2011-03-27 14:31:47.000000000 -0400
30824 +++ linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_irq.c 2011-05-04 17:56:28.000000000 -0400
30825 @@ -225,8 +225,8 @@ static int radeon_emit_irq(struct drm_de
30826 unsigned int ret;
30827 RING_LOCALS;
30828
30829 - atomic_inc(&dev_priv->swi_emitted);
30830 - ret = atomic_read(&dev_priv->swi_emitted);
30831 + atomic_inc_unchecked(&dev_priv->swi_emitted);
30832 + ret = atomic_read_unchecked(&dev_priv->swi_emitted);
30833
30834 BEGIN_RING(4);
30835 OUT_RING_REG(RADEON_LAST_SWI_REG, ret);
30836 @@ -352,7 +352,7 @@ int radeon_driver_irq_postinstall(struct
30837 drm_radeon_private_t *dev_priv =
30838 (drm_radeon_private_t *) dev->dev_private;
30839
30840 - atomic_set(&dev_priv->swi_emitted, 0);
30841 + atomic_set_unchecked(&dev_priv->swi_emitted, 0);
30842 DRM_INIT_WAITQUEUE(&dev_priv->swi_queue);
30843
30844 dev->max_vblank_count = 0x001fffff;
30845 diff -urNp linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_state.c linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_state.c
30846 --- linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_state.c 2011-03-27 14:31:47.000000000 -0400
30847 +++ linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_state.c 2011-04-17 15:56:46.000000000 -0400
30848 @@ -3021,7 +3021,7 @@ static int radeon_cp_getparam(struct drm
30849 {
30850 drm_radeon_private_t *dev_priv = dev->dev_private;
30851 drm_radeon_getparam_t *param = data;
30852 - int value;
30853 + int value = 0;
30854
30855 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
30856
30857 diff -urNp linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_ttm.c linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_ttm.c
30858 --- linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_ttm.c 2011-03-27 14:31:47.000000000 -0400
30859 +++ linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_ttm.c 2011-04-17 15:56:46.000000000 -0400
30860 @@ -535,27 +535,10 @@ void radeon_ttm_fini(struct radeon_devic
30861 DRM_INFO("radeon: ttm finalized\n");
30862 }
30863
30864 -static struct vm_operations_struct radeon_ttm_vm_ops;
30865 -static const struct vm_operations_struct *ttm_vm_ops = NULL;
30866 -
30867 -static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
30868 -{
30869 - struct ttm_buffer_object *bo;
30870 - int r;
30871 -
30872 - bo = (struct ttm_buffer_object *)vma->vm_private_data;
30873 - if (bo == NULL) {
30874 - return VM_FAULT_NOPAGE;
30875 - }
30876 - r = ttm_vm_ops->fault(vma, vmf);
30877 - return r;
30878 -}
30879 -
30880 int radeon_mmap(struct file *filp, struct vm_area_struct *vma)
30881 {
30882 struct drm_file *file_priv;
30883 struct radeon_device *rdev;
30884 - int r;
30885
30886 if (unlikely(vma->vm_pgoff < DRM_FILE_PAGE_OFFSET)) {
30887 return drm_mmap(filp, vma);
30888 @@ -563,20 +546,9 @@ int radeon_mmap(struct file *filp, struc
30889
30890 file_priv = (struct drm_file *)filp->private_data;
30891 rdev = file_priv->minor->dev->dev_private;
30892 - if (rdev == NULL) {
30893 + if (!rdev)
30894 return -EINVAL;
30895 - }
30896 - r = ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
30897 - if (unlikely(r != 0)) {
30898 - return r;
30899 - }
30900 - if (unlikely(ttm_vm_ops == NULL)) {
30901 - ttm_vm_ops = vma->vm_ops;
30902 - radeon_ttm_vm_ops = *ttm_vm_ops;
30903 - radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
30904 - }
30905 - vma->vm_ops = &radeon_ttm_vm_ops;
30906 - return 0;
30907 + return ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
30908 }
30909
30910
30911 diff -urNp linux-2.6.32.46/drivers/gpu/drm/radeon/rs690.c linux-2.6.32.46/drivers/gpu/drm/radeon/rs690.c
30912 --- linux-2.6.32.46/drivers/gpu/drm/radeon/rs690.c 2011-03-27 14:31:47.000000000 -0400
30913 +++ linux-2.6.32.46/drivers/gpu/drm/radeon/rs690.c 2011-04-17 15:56:46.000000000 -0400
30914 @@ -302,9 +302,11 @@ void rs690_crtc_bandwidth_compute(struct
30915 if (rdev->pm.max_bandwidth.full > rdev->pm.sideport_bandwidth.full &&
30916 rdev->pm.sideport_bandwidth.full)
30917 rdev->pm.max_bandwidth = rdev->pm.sideport_bandwidth;
30918 - read_delay_latency.full = rfixed_const(370 * 800 * 1000);
30919 + read_delay_latency.full = rfixed_const(800 * 1000);
30920 read_delay_latency.full = rfixed_div(read_delay_latency,
30921 rdev->pm.igp_sideport_mclk);
30922 + a.full = rfixed_const(370);
30923 + read_delay_latency.full = rfixed_mul(read_delay_latency, a);
30924 } else {
30925 if (rdev->pm.max_bandwidth.full > rdev->pm.k8_bandwidth.full &&
30926 rdev->pm.k8_bandwidth.full)
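Review bot: Dividing by `igp_sideport_mclk` before multiplying by 370 means any truncation in `rfixed_div` is scaled up by 370 in the final `read_delay_latency`, so the result can differ slightly from an exact `370 * 800 * 1000 / mclk`. If the split exists because the full product does not fit what `rfixed_const()` can represent (the macro is not shown here), say so in a comment above these lines, e.g. `/* 370 * 800 * 1000 overflows the fixed-point constant; apply the 370 factor after the divide */`. `a` is declared outside the hunk, and the function body continues past it.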
30927 diff -urNp linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_bo.c linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_bo.c
30928 --- linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_bo.c 2011-08-29 22:24:44.000000000 -0400
30929 +++ linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_bo.c 2011-08-29 22:25:07.000000000 -0400
30930 @@ -67,7 +67,7 @@ static struct attribute *ttm_bo_global_a
30931 NULL
30932 };
30933
30934 -static struct sysfs_ops ttm_bo_global_ops = {
30935 +static const struct sysfs_ops ttm_bo_global_ops = {
30936 .show = &ttm_bo_global_show
30937 };
30938
30939 diff -urNp linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_bo_vm.c linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_bo_vm.c
30940 --- linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-03-27 14:31:47.000000000 -0400
30941 +++ linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-04-17 15:56:46.000000000 -0400
30942 @@ -73,7 +73,7 @@ static int ttm_bo_vm_fault(struct vm_are
30943 {
30944 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)
30945 vma->vm_private_data;
30946 - struct ttm_bo_device *bdev = bo->bdev;
30947 + struct ttm_bo_device *bdev;
30948 unsigned long bus_base;
30949 unsigned long bus_offset;
30950 unsigned long bus_size;
30951 @@ -88,6 +88,10 @@ static int ttm_bo_vm_fault(struct vm_are
30952 unsigned long address = (unsigned long)vmf->virtual_address;
30953 int retval = VM_FAULT_NOPAGE;
30954
30955 + if (!bo)
30956 + return VM_FAULT_NOPAGE;
30957 + bdev = bo->bdev;
30958 +
30959 /*
30960 * Work around locking order reversal in fault / nopfn
30961 * between mmap_sem and bo_reserve: Perform a trylock operation
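Review bot: The new `if (!bo) return VM_FAULT_NOPAGE;` carries no explanation of when `vma->vm_private_data` can be NULL, and the radeon fault wrapper that used to make this check is deleted in the `radeon_ttm.c` hunks. A comment here would keep that knowledge in one place, e.g. `/* vm_private_data may be NULL; radeon previously guarded this in its own fault wrapper */`. The condition under which it is NULL is not shown on this page and should be filled in by someone who knows it. `return retval;` would also work, since `retval` is initialised to `VM_FAULT_NOPAGE` just above, but the explicit constant reads more clearly.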
30962 diff -urNp linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_global.c linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_global.c
30963 --- linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_global.c 2011-03-27 14:31:47.000000000 -0400
30964 +++ linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_global.c 2011-04-17 15:56:46.000000000 -0400
30965 @@ -36,7 +36,7 @@
30966 struct ttm_global_item {
30967 struct mutex mutex;
30968 void *object;
30969 - int refcount;
30970 + atomic_t refcount;
30971 };
30972
30973 static struct ttm_global_item glob[TTM_GLOBAL_NUM];
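Review bot: `refcount` becomes an `atomic_t`, but the `ttm_global_item_ref` and `ttm_global_item_unref` hunks below still touch it only between `mutex_lock(&item->mutex)` and the unlock, so atomicity is not what the type adds. If the point is overflow detection on a reference counter (plain `atomic_t` appears to be the checked variant in this patch, given the `_unchecked` conversions elsewhere), note it on the field: `atomic_t refcount; /* guarded by mutex; atomic_t for overflow checking */`. Without that, a later cleanup may convert it back to `int` on the grounds that the mutex already serializes access.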
30974 @@ -49,7 +49,7 @@ void ttm_global_init(void)
30975 struct ttm_global_item *item = &glob[i];
30976 mutex_init(&item->mutex);
30977 item->object = NULL;
30978 - item->refcount = 0;
30979 + atomic_set(&item->refcount, 0);
30980 }
30981 }
30982
30983 @@ -59,7 +59,7 @@ void ttm_global_release(void)
30984 for (i = 0; i < TTM_GLOBAL_NUM; ++i) {
30985 struct ttm_global_item *item = &glob[i];
30986 BUG_ON(item->object != NULL);
30987 - BUG_ON(item->refcount != 0);
30988 + BUG_ON(atomic_read(&item->refcount) != 0);
30989 }
30990 }
30991
30992 @@ -70,7 +70,7 @@ int ttm_global_item_ref(struct ttm_globa
30993 void *object;
30994
30995 mutex_lock(&item->mutex);
30996 - if (item->refcount == 0) {
30997 + if (atomic_read(&item->refcount) == 0) {
30998 item->object = kzalloc(ref->size, GFP_KERNEL);
30999 if (unlikely(item->object == NULL)) {
31000 ret = -ENOMEM;
31001 @@ -83,7 +83,7 @@ int ttm_global_item_ref(struct ttm_globa
31002 goto out_err;
31003
31004 }
31005 - ++item->refcount;
31006 + atomic_inc(&item->refcount);
31007 ref->object = item->object;
31008 object = item->object;
31009 mutex_unlock(&item->mutex);
31010 @@ -100,9 +100,9 @@ void ttm_global_item_unref(struct ttm_gl
31011 struct ttm_global_item *item = &glob[ref->global_type];
31012
31013 mutex_lock(&item->mutex);
31014 - BUG_ON(item->refcount == 0);
31015 + BUG_ON(atomic_read(&item->refcount) == 0);
31016 BUG_ON(ref->object != item->object);
31017 - if (--item->refcount == 0) {
31018 + if (atomic_dec_and_test(&item->refcount)) {
31019 ref->release(ref);
31020 item->object = NULL;
31021 }
31022 diff -urNp linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_memory.c linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_memory.c
31023 --- linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_memory.c 2011-03-27 14:31:47.000000000 -0400
31024 +++ linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_memory.c 2011-04-17 15:56:46.000000000 -0400
31025 @@ -152,7 +152,7 @@ static struct attribute *ttm_mem_zone_at
31026 NULL
31027 };
31028
31029 -static struct sysfs_ops ttm_mem_zone_ops = {
31030 +static const struct sysfs_ops ttm_mem_zone_ops = {
31031 .show = &ttm_mem_zone_show,
31032 .store = &ttm_mem_zone_store
31033 };
31034 diff -urNp linux-2.6.32.46/drivers/gpu/drm/via/via_drv.h linux-2.6.32.46/drivers/gpu/drm/via/via_drv.h
31035 --- linux-2.6.32.46/drivers/gpu/drm/via/via_drv.h 2011-03-27 14:31:47.000000000 -0400
31036 +++ linux-2.6.32.46/drivers/gpu/drm/via/via_drv.h 2011-05-04 17:56:28.000000000 -0400
31037 @@ -51,7 +51,7 @@ typedef struct drm_via_ring_buffer {
31038 typedef uint32_t maskarray_t[5];
31039
31040 typedef struct drm_via_irq {
31041 - atomic_t irq_received;
31042 + atomic_unchecked_t irq_received;
31043 uint32_t pending_mask;
31044 uint32_t enable_mask;
31045 wait_queue_head_t irq_queue;
31046 @@ -75,7 +75,7 @@ typedef struct drm_via_private {
31047 struct timeval last_vblank;
31048 int last_vblank_valid;
31049 unsigned usec_per_vblank;
31050 - atomic_t vbl_received;
31051 + atomic_unchecked_t vbl_received;
31052 drm_via_state_t hc_state;
31053 char pci_buf[VIA_PCI_BUF_SIZE];
31054 const uint32_t *fire_offsets[VIA_FIRE_BUF_SIZE];
31055 diff -urNp linux-2.6.32.46/drivers/gpu/drm/via/via_irq.c linux-2.6.32.46/drivers/gpu/drm/via/via_irq.c
31056 --- linux-2.6.32.46/drivers/gpu/drm/via/via_irq.c 2011-03-27 14:31:47.000000000 -0400
31057 +++ linux-2.6.32.46/drivers/gpu/drm/via/via_irq.c 2011-05-04 17:56:28.000000000 -0400
31058 @@ -102,7 +102,7 @@ u32 via_get_vblank_counter(struct drm_de
31059 if (crtc != 0)
31060 return 0;
31061
31062 - return atomic_read(&dev_priv->vbl_received);
31063 + return atomic_read_unchecked(&dev_priv->vbl_received);
31064 }
31065
31066 irqreturn_t via_driver_irq_handler(DRM_IRQ_ARGS)
31067 @@ -117,8 +117,8 @@ irqreturn_t via_driver_irq_handler(DRM_I
31068
31069 status = VIA_READ(VIA_REG_INTERRUPT);
31070 if (status & VIA_IRQ_VBLANK_PENDING) {
31071 - atomic_inc(&dev_priv->vbl_received);
31072 - if (!(atomic_read(&dev_priv->vbl_received) & 0x0F)) {
31073 + atomic_inc_unchecked(&dev_priv->vbl_received);
31074 + if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0x0F)) {
31075 do_gettimeofday(&cur_vblank);
31076 if (dev_priv->last_vblank_valid) {
31077 dev_priv->usec_per_vblank =
31078 @@ -128,7 +128,7 @@ irqreturn_t via_driver_irq_handler(DRM_I
31079 dev_priv->last_vblank = cur_vblank;
31080 dev_priv->last_vblank_valid = 1;
31081 }
31082 - if (!(atomic_read(&dev_priv->vbl_received) & 0xFF)) {
31083 + if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0xFF)) {
31084 DRM_DEBUG("US per vblank is: %u\n",
31085 dev_priv->usec_per_vblank);
31086 }
31087 @@ -138,7 +138,7 @@ irqreturn_t via_driver_irq_handler(DRM_I
31088
31089 for (i = 0; i < dev_priv->num_irqs; ++i) {
31090 if (status & cur_irq->pending_mask) {
31091 - atomic_inc(&cur_irq->irq_received);
31092 + atomic_inc_unchecked(&cur_irq->irq_received);
31093 DRM_WAKEUP(&cur_irq->irq_queue);
31094 handled = 1;
31095 if (dev_priv->irq_map[drm_via_irq_dma0_td] == i) {
31096 @@ -244,11 +244,11 @@ via_driver_irq_wait(struct drm_device *
31097 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * DRM_HZ,
31098 ((VIA_READ(masks[irq][2]) & masks[irq][3]) ==
31099 masks[irq][4]));
31100 - cur_irq_sequence = atomic_read(&cur_irq->irq_received);
31101 + cur_irq_sequence = atomic_read_unchecked(&cur_irq->irq_received);
31102 } else {
31103 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * DRM_HZ,
31104 (((cur_irq_sequence =
31105 - atomic_read(&cur_irq->irq_received)) -
31106 + atomic_read_unchecked(&cur_irq->irq_received)) -
31107 *sequence) <= (1 << 23)));
31108 }
31109 *sequence = cur_irq_sequence;
31110 @@ -286,7 +286,7 @@ void via_driver_irq_preinstall(struct dr
31111 }
31112
31113 for (i = 0; i < dev_priv->num_irqs; ++i) {
31114 - atomic_set(&cur_irq->irq_received, 0);
31115 + atomic_set_unchecked(&cur_irq->irq_received, 0);
31116 cur_irq->enable_mask = dev_priv->irq_masks[i][0];
31117 cur_irq->pending_mask = dev_priv->irq_masks[i][1];
31118 DRM_INIT_WAITQUEUE(&cur_irq->irq_queue);
31119 @@ -368,7 +368,7 @@ int via_wait_irq(struct drm_device *dev,
31120 switch (irqwait->request.type & ~VIA_IRQ_FLAGS_MASK) {
31121 case VIA_IRQ_RELATIVE:
31122 irqwait->request.sequence +=
31123 - atomic_read(&cur_irq->irq_received);
31124 + atomic_read_unchecked(&cur_irq->irq_received);
31125 irqwait->request.type &= ~_DRM_VBLANK_RELATIVE;
31126 case VIA_IRQ_ABSOLUTE:
31127 break;
31128 diff -urNp linux-2.6.32.46/drivers/hid/hid-core.c linux-2.6.32.46/drivers/hid/hid-core.c
31129 --- linux-2.6.32.46/drivers/hid/hid-core.c 2011-05-10 22:12:01.000000000 -0400
31130 +++ linux-2.6.32.46/drivers/hid/hid-core.c 2011-05-10 22:12:32.000000000 -0400
31131 @@ -1752,7 +1752,7 @@ static bool hid_ignore(struct hid_device
31132
31133 int hid_add_device(struct hid_device *hdev)
31134 {
31135 - static atomic_t id = ATOMIC_INIT(0);
31136 + static atomic_unchecked_t id = ATOMIC_INIT(0);
31137 int ret;
31138
31139 if (WARN_ON(hdev->status & HID_STAT_ADDED))
31140 @@ -1766,7 +1766,7 @@ int hid_add_device(struct hid_device *hd
31141 /* XXX hack, any other cleaner solution after the driver core
31142 * is converted to allow more than 20 bytes as the device name? */
31143 dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
31144 - hdev->vendor, hdev->product, atomic_inc_return(&id));
31145 + hdev->vendor, hdev->product, atomic_inc_return_unchecked(&id));
31146
31147 ret = device_add(&hdev->dev);
31148 if (!ret)
31149 diff -urNp linux-2.6.32.46/drivers/hid/usbhid/hiddev.c linux-2.6.32.46/drivers/hid/usbhid/hiddev.c
31150 --- linux-2.6.32.46/drivers/hid/usbhid/hiddev.c 2011-03-27 14:31:47.000000000 -0400
31151 +++ linux-2.6.32.46/drivers/hid/usbhid/hiddev.c 2011-04-17 15:56:46.000000000 -0400
31152 @@ -617,7 +617,7 @@ static long hiddev_ioctl(struct file *fi
31153 return put_user(HID_VERSION, (int __user *)arg);
31154
31155 case HIDIOCAPPLICATION:
31156 - if (arg < 0 || arg >= hid->maxapplication)
31157 + if (arg >= hid->maxapplication)
31158 return -EINVAL;
31159
31160 for (i = 0; i < hid->maxcollection; i++)
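Review bot: The `HIDIOCAPPLICATION` check now has no visible lower bound and no comment saying why, so a later reader may re-add one or change the type of `arg` without noticing. Dropping `arg < 0` is only correct while `arg` is unsigned, which the truncated signature in the hunk header does not show. I would add `/* arg is unsigned, so only the upper bound needs checking */` above the `if`. The comparison also depends on the type of `hid->maxapplication`, declared outside this hunk; if that field is signed, the implicit conversion deserves a second look. The body of `hiddev_ioctl` starts and ends outside the hunk.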
31161 diff -urNp linux-2.6.32.46/drivers/hwmon/lis3lv02d.c linux-2.6.32.46/drivers/hwmon/lis3lv02d.c
31162 --- linux-2.6.32.46/drivers/hwmon/lis3lv02d.c 2011-03-27 14:31:47.000000000 -0400
31163 +++ linux-2.6.32.46/drivers/hwmon/lis3lv02d.c 2011-05-04 17:56:28.000000000 -0400
31164 @@ -146,7 +146,7 @@ static irqreturn_t lis302dl_interrupt(in
31165 * the lid is closed. This leads to interrupts as soon as a little move
31166 * is done.
31167 */
31168 - atomic_inc(&lis3_dev.count);
31169 + atomic_inc_unchecked(&lis3_dev.count);
31170
31171 wake_up_interruptible(&lis3_dev.misc_wait);
31172 kill_fasync(&lis3_dev.async_queue, SIGIO, POLL_IN);
31173 @@ -160,7 +160,7 @@ static int lis3lv02d_misc_open(struct in
31174 if (test_and_set_bit(0, &lis3_dev.misc_opened))
31175 return -EBUSY; /* already open */
31176
31177 - atomic_set(&lis3_dev.count, 0);
31178 + atomic_set_unchecked(&lis3_dev.count, 0);
31179
31180 /*
31181 * The sensor can generate interrupts for free-fall and direction
31182 @@ -206,7 +206,7 @@ static ssize_t lis3lv02d_misc_read(struc
31183 add_wait_queue(&lis3_dev.misc_wait, &wait);
31184 while (true) {
31185 set_current_state(TASK_INTERRUPTIBLE);
31186 - data = atomic_xchg(&lis3_dev.count, 0);
31187 + data = atomic_xchg_unchecked(&lis3_dev.count, 0);
31188 if (data)
31189 break;
31190
31191 @@ -244,7 +244,7 @@ out:
31192 static unsigned int lis3lv02d_misc_poll(struct file *file, poll_table *wait)
31193 {
31194 poll_wait(file, &lis3_dev.misc_wait, wait);
31195 - if (atomic_read(&lis3_dev.count))
31196 + if (atomic_read_unchecked(&lis3_dev.count))
31197 return POLLIN | POLLRDNORM;
31198 return 0;
31199 }
31200 diff -urNp linux-2.6.32.46/drivers/hwmon/lis3lv02d.h linux-2.6.32.46/drivers/hwmon/lis3lv02d.h
31201 --- linux-2.6.32.46/drivers/hwmon/lis3lv02d.h 2011-03-27 14:31:47.000000000 -0400
31202 +++ linux-2.6.32.46/drivers/hwmon/lis3lv02d.h 2011-05-04 17:56:28.000000000 -0400
31203 @@ -201,7 +201,7 @@ struct lis3lv02d {
31204
31205 struct input_polled_dev *idev; /* input device */
31206 struct platform_device *pdev; /* platform device */
31207 - atomic_t count; /* interrupt count after last read */
31208 + atomic_unchecked_t count; /* interrupt count after last read */
31209 int xcalib; /* calibrated null value for x */
31210 int ycalib; /* calibrated null value for y */
31211 int zcalib; /* calibrated null value for z */
31212 diff -urNp linux-2.6.32.46/drivers/hwmon/sht15.c linux-2.6.32.46/drivers/hwmon/sht15.c
31213 --- linux-2.6.32.46/drivers/hwmon/sht15.c 2011-03-27 14:31:47.000000000 -0400
31214 +++ linux-2.6.32.46/drivers/hwmon/sht15.c 2011-05-04 17:56:28.000000000 -0400
31215 @@ -112,7 +112,7 @@ struct sht15_data {
31216 int supply_uV;
31217 int supply_uV_valid;
31218 struct work_struct update_supply_work;
31219 - atomic_t interrupt_handled;
31220 + atomic_unchecked_t interrupt_handled;
31221 };
31222
31223 /**
31224 @@ -245,13 +245,13 @@ static inline int sht15_update_single_va
31225 return ret;
31226
31227 gpio_direction_input(data->pdata->gpio_data);
31228 - atomic_set(&data->interrupt_handled, 0);
31229 + atomic_set_unchecked(&data->interrupt_handled, 0);
31230
31231 enable_irq(gpio_to_irq(data->pdata->gpio_data));
31232 if (gpio_get_value(data->pdata->gpio_data) == 0) {
31233 disable_irq_nosync(gpio_to_irq(data->pdata->gpio_data));
31234 /* Only relevant if the interrupt hasn't occured. */
31235 - if (!atomic_read(&data->interrupt_handled))
31236 + if (!atomic_read_unchecked(&data->interrupt_handled))
31237 schedule_work(&data->read_work);
31238 }
31239 ret = wait_event_timeout(data->wait_queue,
31240 @@ -398,7 +398,7 @@ static irqreturn_t sht15_interrupt_fired
31241 struct sht15_data *data = d;
31242 /* First disable the interrupt */
31243 disable_irq_nosync(irq);
31244 - atomic_inc(&data->interrupt_handled);
31245 + atomic_inc_unchecked(&data->interrupt_handled);
31246 /* Then schedule a reading work struct */
31247 if (data->flag != SHT15_READING_NOTHING)
31248 schedule_work(&data->read_work);
31249 @@ -449,11 +449,11 @@ static void sht15_bh_read_data(struct wo
31250 here as could have gone low in meantime so verify
31251 it hasn't!
31252 */
31253 - atomic_set(&data->interrupt_handled, 0);
31254 + atomic_set_unchecked(&data->interrupt_handled, 0);
31255 enable_irq(gpio_to_irq(data->pdata->gpio_data));
31256 /* If still not occured or another handler has been scheduled */
31257 if (gpio_get_value(data->pdata->gpio_data)
31258 - || atomic_read(&data->interrupt_handled))
31259 + || atomic_read_unchecked(&data->interrupt_handled))
31260 return;
31261 }
31262 /* Read the data back from the device */
31263 diff -urNp linux-2.6.32.46/drivers/hwmon/w83791d.c linux-2.6.32.46/drivers/hwmon/w83791d.c
31264 --- linux-2.6.32.46/drivers/hwmon/w83791d.c 2011-03-27 14:31:47.000000000 -0400
31265 +++ linux-2.6.32.46/drivers/hwmon/w83791d.c 2011-04-17 15:56:46.000000000 -0400
31266 @@ -330,8 +330,8 @@ static int w83791d_detect(struct i2c_cli
31267 struct i2c_board_info *info);
31268 static int w83791d_remove(struct i2c_client *client);
31269
31270 -static int w83791d_read(struct i2c_client *client, u8 register);
31271 -static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
31272 +static int w83791d_read(struct i2c_client *client, u8 reg);
31273 +static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
31274 static struct w83791d_data *w83791d_update_device(struct device *dev);
31275
31276 #ifdef DEBUG
31277 diff -urNp linux-2.6.32.46/drivers/i2c/busses/i2c-amd756-s4882.c linux-2.6.32.46/drivers/i2c/busses/i2c-amd756-s4882.c
31278 --- linux-2.6.32.46/drivers/i2c/busses/i2c-amd756-s4882.c 2011-03-27 14:31:47.000000000 -0400
31279 +++ linux-2.6.32.46/drivers/i2c/busses/i2c-amd756-s4882.c 2011-08-23 21:22:32.000000000 -0400
31280 @@ -43,7 +43,7 @@
31281 extern struct i2c_adapter amd756_smbus;
31282
31283 static struct i2c_adapter *s4882_adapter;
31284 -static struct i2c_algorithm *s4882_algo;
31285 +static i2c_algorithm_no_const *s4882_algo;
31286
31287 /* Wrapper access functions for multiplexed SMBus */
31288 static DEFINE_MUTEX(amd756_lock);
31289 diff -urNp linux-2.6.32.46/drivers/i2c/busses/i2c-nforce2-s4985.c linux-2.6.32.46/drivers/i2c/busses/i2c-nforce2-s4985.c
31290 --- linux-2.6.32.46/drivers/i2c/busses/i2c-nforce2-s4985.c 2011-03-27 14:31:47.000000000 -0400
31291 +++ linux-2.6.32.46/drivers/i2c/busses/i2c-nforce2-s4985.c 2011-08-23 21:22:32.000000000 -0400
31292 @@ -41,7 +41,7 @@
31293 extern struct i2c_adapter *nforce2_smbus;
31294
31295 static struct i2c_adapter *s4985_adapter;
31296 -static struct i2c_algorithm *s4985_algo;
31297 +static i2c_algorithm_no_const *s4985_algo;
31298
31299 /* Wrapper access functions for multiplexed SMBus */
31300 static DEFINE_MUTEX(nforce2_lock);
31301 diff -urNp linux-2.6.32.46/drivers/ide/ide-cd.c linux-2.6.32.46/drivers/ide/ide-cd.c
31302 --- linux-2.6.32.46/drivers/ide/ide-cd.c 2011-03-27 14:31:47.000000000 -0400
31303 +++ linux-2.6.32.46/drivers/ide/ide-cd.c 2011-04-17 15:56:46.000000000 -0400
31304 @@ -774,7 +774,7 @@ static void cdrom_do_block_pc(ide_drive_
31305 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
31306 if ((unsigned long)buf & alignment
31307 || blk_rq_bytes(rq) & q->dma_pad_mask
31308 - || object_is_on_stack(buf))
31309 + || object_starts_on_stack(buf))
31310 drive->dma = 0;
31311 }
31312 }
31313 diff -urNp linux-2.6.32.46/drivers/ide/ide-floppy.c linux-2.6.32.46/drivers/ide/ide-floppy.c
31314 --- linux-2.6.32.46/drivers/ide/ide-floppy.c 2011-03-27 14:31:47.000000000 -0400
31315 +++ linux-2.6.32.46/drivers/ide/ide-floppy.c 2011-05-16 21:46:57.000000000 -0400
31316 @@ -373,6 +373,8 @@ static int ide_floppy_get_capacity(ide_d
31317 u8 pc_buf[256], header_len, desc_cnt;
31318 int i, rc = 1, blocks, length;
31319
31320 + pax_track_stack();
31321 +
31322 ide_debug_log(IDE_DBG_FUNC, "enter");
31323
31324 drive->bios_cyl = 0;
31325 diff -urNp linux-2.6.32.46/drivers/ide/setup-pci.c linux-2.6.32.46/drivers/ide/setup-pci.c
31326 --- linux-2.6.32.46/drivers/ide/setup-pci.c 2011-03-27 14:31:47.000000000 -0400
31327 +++ linux-2.6.32.46/drivers/ide/setup-pci.c 2011-05-16 21:46:57.000000000 -0400
31328 @@ -542,6 +542,8 @@ int ide_pci_init_two(struct pci_dev *dev
31329 int ret, i, n_ports = dev2 ? 4 : 2;
31330 struct ide_hw hw[4], *hws[] = { NULL, NULL, NULL, NULL };
31331
31332 + pax_track_stack();
31333 +
31334 for (i = 0; i < n_ports / 2; i++) {
31335 ret = ide_setup_pci_controller(pdev[i], d, !i);
31336 if (ret < 0)
31337 diff -urNp linux-2.6.32.46/drivers/ieee1394/dv1394.c linux-2.6.32.46/drivers/ieee1394/dv1394.c
31338 --- linux-2.6.32.46/drivers/ieee1394/dv1394.c 2011-03-27 14:31:47.000000000 -0400
31339 +++ linux-2.6.32.46/drivers/ieee1394/dv1394.c 2011-04-23 12:56:11.000000000 -0400
31340 @@ -739,7 +739,7 @@ static void frame_prepare(struct video_c
31341 based upon DIF section and sequence
31342 */
31343
31344 -static void inline
31345 +static inline void
31346 frame_put_packet (struct frame *f, struct packet *p)
31347 {
31348 int section_type = p->data[0] >> 5; /* section type is in bits 5 - 7 */
31349 diff -urNp linux-2.6.32.46/drivers/ieee1394/hosts.c linux-2.6.32.46/drivers/ieee1394/hosts.c
31350 --- linux-2.6.32.46/drivers/ieee1394/hosts.c 2011-03-27 14:31:47.000000000 -0400
31351 +++ linux-2.6.32.46/drivers/ieee1394/hosts.c 2011-04-17 15:56:46.000000000 -0400
31352 @@ -78,6 +78,7 @@ static int dummy_isoctl(struct hpsb_iso
31353 }
31354
31355 static struct hpsb_host_driver dummy_driver = {
31356 + .name = "dummy",
31357 .transmit_packet = dummy_transmit_packet,
31358 .devctl = dummy_devctl,
31359 .isoctl = dummy_isoctl
31360 diff -urNp linux-2.6.32.46/drivers/ieee1394/init_ohci1394_dma.c linux-2.6.32.46/drivers/ieee1394/init_ohci1394_dma.c
31361 --- linux-2.6.32.46/drivers/ieee1394/init_ohci1394_dma.c 2011-03-27 14:31:47.000000000 -0400
31362 +++ linux-2.6.32.46/drivers/ieee1394/init_ohci1394_dma.c 2011-04-17 15:56:46.000000000 -0400
31363 @@ -257,7 +257,7 @@ void __init init_ohci1394_dma_on_all_con
31364 for (func = 0; func < 8; func++) {
31365 u32 class = read_pci_config(num,slot,func,
31366 PCI_CLASS_REVISION);
31367 - if ((class == 0xffffffff))
31368 + if (class == 0xffffffff)
31369 continue; /* No device at this func */
31370
31371 if (class>>8 != PCI_CLASS_SERIAL_FIREWIRE_OHCI)
31372 diff -urNp linux-2.6.32.46/drivers/ieee1394/ohci1394.c linux-2.6.32.46/drivers/ieee1394/ohci1394.c
31373 --- linux-2.6.32.46/drivers/ieee1394/ohci1394.c 2011-03-27 14:31:47.000000000 -0400
31374 +++ linux-2.6.32.46/drivers/ieee1394/ohci1394.c 2011-04-23 12:56:11.000000000 -0400
31375 @@ -147,9 +147,9 @@ printk(level "%s: " fmt "\n" , OHCI1394_
31376 printk(level "%s: fw-host%d: " fmt "\n" , OHCI1394_DRIVER_NAME, ohci->host->id , ## args)
31377
31378 /* Module Parameters */
31379 -static int phys_dma = 1;
31380 +static int phys_dma;
31381 module_param(phys_dma, int, 0444);
31382 -MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 1).");
31383 +MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 0).");
31384
31385 static void dma_trm_tasklet(unsigned long data);
31386 static void dma_trm_reset(struct dma_trm_ctx *d);
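Review bot: The new `MODULE_PARM_DESC` for `phys_dma` gives the default but not the reason it changed, so an administrator reading `modinfo` has nothing to weigh before turning it back on. With physical DMA enabled, an OHCI-1394 controller services read and write requests from other bus nodes against host memory without driver involvement, which is presumably why this patch turns it off. I would put that in the description, for example `MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 0; when enabled, bus peers can access host memory directly).");`. Setups that rely on physical DMA, such as remote debugging over FireWire, now need `phys_dma=1` and should be told so in the changelog.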
31387 diff -urNp linux-2.6.32.46/drivers/ieee1394/sbp2.c linux-2.6.32.46/drivers/ieee1394/sbp2.c
31388 --- linux-2.6.32.46/drivers/ieee1394/sbp2.c 2011-03-27 14:31:47.000000000 -0400
31389 +++ linux-2.6.32.46/drivers/ieee1394/sbp2.c 2011-04-23 12:56:11.000000000 -0400
31390 @@ -2111,7 +2111,7 @@ MODULE_DESCRIPTION("IEEE-1394 SBP-2 prot
31391 MODULE_SUPPORTED_DEVICE(SBP2_DEVICE_NAME);
31392 MODULE_LICENSE("GPL");
31393
31394 -static int sbp2_module_init(void)
31395 +static int __init sbp2_module_init(void)
31396 {
31397 int ret;
31398
31399 diff -urNp linux-2.6.32.46/drivers/infiniband/core/cm.c linux-2.6.32.46/drivers/infiniband/core/cm.c
31400 --- linux-2.6.32.46/drivers/infiniband/core/cm.c 2011-03-27 14:31:47.000000000 -0400
31401 +++ linux-2.6.32.46/drivers/infiniband/core/cm.c 2011-04-17 15:56:46.000000000 -0400
31402 @@ -112,7 +112,7 @@ static char const counter_group_names[CM
31403
31404 struct cm_counter_group {
31405 struct kobject obj;
31406 - atomic_long_t counter[CM_ATTR_COUNT];
31407 + atomic_long_unchecked_t counter[CM_ATTR_COUNT];
31408 };
31409
31410 struct cm_counter_attribute {
31411 @@ -1386,7 +1386,7 @@ static void cm_dup_req_handler(struct cm
31412 struct ib_mad_send_buf *msg = NULL;
31413 int ret;
31414
31415 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
31416 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
31417 counter[CM_REQ_COUNTER]);
31418
31419 /* Quick state check to discard duplicate REQs. */
31420 @@ -1764,7 +1764,7 @@ static void cm_dup_rep_handler(struct cm
31421 if (!cm_id_priv)
31422 return;
31423
31424 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
31425 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
31426 counter[CM_REP_COUNTER]);
31427 ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
31428 if (ret)
31429 @@ -1931,7 +1931,7 @@ static int cm_rtu_handler(struct cm_work
31430 if (cm_id_priv->id.state != IB_CM_REP_SENT &&
31431 cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
31432 spin_unlock_irq(&cm_id_priv->lock);
31433 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
31434 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
31435 counter[CM_RTU_COUNTER]);
31436 goto out;
31437 }
31438 @@ -2110,7 +2110,7 @@ static int cm_dreq_handler(struct cm_wor
31439 cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
31440 dreq_msg->local_comm_id);
31441 if (!cm_id_priv) {
31442 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
31443 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
31444 counter[CM_DREQ_COUNTER]);
31445 cm_issue_drep(work->port, work->mad_recv_wc);
31446 return -EINVAL;
31447 @@ -2131,7 +2131,7 @@ static int cm_dreq_handler(struct cm_wor
31448 case IB_CM_MRA_REP_RCVD:
31449 break;
31450 case IB_CM_TIMEWAIT:
31451 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
31452 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
31453 counter[CM_DREQ_COUNTER]);
31454 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
31455 goto unlock;
31456 @@ -2145,7 +2145,7 @@ static int cm_dreq_handler(struct cm_wor
31457 cm_free_msg(msg);
31458 goto deref;
31459 case IB_CM_DREQ_RCVD:
31460 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
31461 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
31462 counter[CM_DREQ_COUNTER]);
31463 goto unlock;
31464 default:
31465 @@ -2501,7 +2501,7 @@ static int cm_mra_handler(struct cm_work
31466 ib_modify_mad(cm_id_priv->av.port->mad_agent,
31467 cm_id_priv->msg, timeout)) {
31468 if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
31469 - atomic_long_inc(&work->port->
31470 + atomic_long_inc_unchecked(&work->port->
31471 counter_group[CM_RECV_DUPLICATES].
31472 counter[CM_MRA_COUNTER]);
31473 goto out;
31474 @@ -2510,7 +2510,7 @@ static int cm_mra_handler(struct cm_work
31475 break;
31476 case IB_CM_MRA_REQ_RCVD:
31477 case IB_CM_MRA_REP_RCVD:
31478 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
31479 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
31480 counter[CM_MRA_COUNTER]);
31481 /* fall through */
31482 default:
31483 @@ -2672,7 +2672,7 @@ static int cm_lap_handler(struct cm_work
31484 case IB_CM_LAP_IDLE:
31485 break;
31486 case IB_CM_MRA_LAP_SENT:
31487 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
31488 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
31489 counter[CM_LAP_COUNTER]);
31490 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
31491 goto unlock;
31492 @@ -2688,7 +2688,7 @@ static int cm_lap_handler(struct cm_work
31493 cm_free_msg(msg);
31494 goto deref;
31495 case IB_CM_LAP_RCVD:
31496 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
31497 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
31498 counter[CM_LAP_COUNTER]);
31499 goto unlock;
31500 default:
31501 @@ -2972,7 +2972,7 @@ static int cm_sidr_req_handler(struct cm
31502 cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
31503 if (cur_cm_id_priv) {
31504 spin_unlock_irq(&cm.lock);
31505 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
31506 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
31507 counter[CM_SIDR_REQ_COUNTER]);
31508 goto out; /* Duplicate message. */
31509 }
31510 @@ -3184,10 +3184,10 @@ static void cm_send_handler(struct ib_ma
31511 if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
31512 msg->retries = 1;
31513
31514 - atomic_long_add(1 + msg->retries,
31515 + atomic_long_add_unchecked(1 + msg->retries,
31516 &port->counter_group[CM_XMIT].counter[attr_index]);
31517 if (msg->retries)
31518 - atomic_long_add(msg->retries,
31519 + atomic_long_add_unchecked(msg->retries,
31520 &port->counter_group[CM_XMIT_RETRIES].
31521 counter[attr_index]);
31522
31523 @@ -3397,7 +3397,7 @@ static void cm_recv_handler(struct ib_ma
31524 }
31525
31526 attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
31527 - atomic_long_inc(&port->counter_group[CM_RECV].
31528 + atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
31529 counter[attr_id - CM_ATTR_ID_OFFSET]);
31530
31531 work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
31532 @@ -3595,10 +3595,10 @@ static ssize_t cm_show_counter(struct ko
31533 cm_attr = container_of(attr, struct cm_counter_attribute, attr);
31534
31535 return sprintf(buf, "%ld\n",
31536 - atomic_long_read(&group->counter[cm_attr->index]));
31537 + atomic_long_read_unchecked(&group->counter[cm_attr->index]));
31538 }
31539
31540 -static struct sysfs_ops cm_counter_ops = {
31541 +static const struct sysfs_ops cm_counter_ops = {
31542 .show = cm_show_counter
31543 };
31544
31545 diff -urNp linux-2.6.32.46/drivers/infiniband/core/fmr_pool.c linux-2.6.32.46/drivers/infiniband/core/fmr_pool.c
31546 --- linux-2.6.32.46/drivers/infiniband/core/fmr_pool.c 2011-03-27 14:31:47.000000000 -0400
31547 +++ linux-2.6.32.46/drivers/infiniband/core/fmr_pool.c 2011-05-04 17:56:28.000000000 -0400
31548 @@ -97,8 +97,8 @@ struct ib_fmr_pool {
31549
31550 struct task_struct *thread;
31551
31552 - atomic_t req_ser;
31553 - atomic_t flush_ser;
31554 + atomic_unchecked_t req_ser;
31555 + atomic_unchecked_t flush_ser;
31556
31557 wait_queue_head_t force_wait;
31558 };
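Review bot: `req_ser` and `flush_ser` in `struct ib_fmr_pool` get no comment saying why they move to `atomic_unchecked_t`, and the reason is not obvious from the struct alone. The later hunks in this file compare them by signed difference (`atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) < 0`), which only works if the values may wrap, so they look like serial numbers rather than reference counts. I would add `/* request/flush serials, compared by signed difference; wraparound is expected */` above the two fields so that nobody converts them back to a checked type. The struct starts outside this hunk.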
31559 @@ -179,10 +179,10 @@ static int ib_fmr_cleanup_thread(void *p
31560 struct ib_fmr_pool *pool = pool_ptr;
31561
31562 do {
31563 - if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) < 0) {
31564 + if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) < 0) {
31565 ib_fmr_batch_release(pool);
31566
31567 - atomic_inc(&pool->flush_ser);
31568 + atomic_inc_unchecked(&pool->flush_ser);
31569 wake_up_interruptible(&pool->force_wait);
31570
31571 if (pool->flush_function)
31572 @@ -190,7 +190,7 @@ static int ib_fmr_cleanup_thread(void *p
31573 }
31574
31575 set_current_state(TASK_INTERRUPTIBLE);
31576 - if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) >= 0 &&
31577 + if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) >= 0 &&
31578 !kthread_should_stop())
31579 schedule();
31580 __set_current_state(TASK_RUNNING);
31581 @@ -282,8 +282,8 @@ struct ib_fmr_pool *ib_create_fmr_pool(s
31582 pool->dirty_watermark = params->dirty_watermark;
31583 pool->dirty_len = 0;
31584 spin_lock_init(&pool->pool_lock);
31585 - atomic_set(&pool->req_ser, 0);
31586 - atomic_set(&pool->flush_ser, 0);
31587 + atomic_set_unchecked(&pool->req_ser, 0);
31588 + atomic_set_unchecked(&pool->flush_ser, 0);
31589 init_waitqueue_head(&pool->force_wait);
31590
31591 pool->thread = kthread_run(ib_fmr_cleanup_thread,
31592 @@ -411,11 +411,11 @@ int ib_flush_fmr_pool(struct ib_fmr_pool
31593 }
31594 spin_unlock_irq(&pool->pool_lock);
31595
31596 - serial = atomic_inc_return(&pool->req_ser);
31597 + serial = atomic_inc_return_unchecked(&pool->req_ser);
31598 wake_up_process(pool->thread);
31599
31600 if (wait_event_interruptible(pool->force_wait,
31601 - atomic_read(&pool->flush_ser) - serial >= 0))
31602 + atomic_read_unchecked(&pool->flush_ser) - serial >= 0))
31603 return -EINTR;
31604
31605 return 0;
31606 @@ -525,7 +525,7 @@ int ib_fmr_pool_unmap(struct ib_pool_fmr
31607 } else {
31608 list_add_tail(&fmr->list, &pool->dirty_list);
31609 if (++pool->dirty_len >= pool->dirty_watermark) {
31610 - atomic_inc(&pool->req_ser);
31611 + atomic_inc_unchecked(&pool->req_ser);
31612 wake_up_process(pool->thread);
31613 }
31614 }
31615 diff -urNp linux-2.6.32.46/drivers/infiniband/core/sysfs.c linux-2.6.32.46/drivers/infiniband/core/sysfs.c
31616 --- linux-2.6.32.46/drivers/infiniband/core/sysfs.c 2011-03-27 14:31:47.000000000 -0400
31617 +++ linux-2.6.32.46/drivers/infiniband/core/sysfs.c 2011-04-17 15:56:46.000000000 -0400
31618 @@ -79,7 +79,7 @@ static ssize_t port_attr_show(struct kob
31619 return port_attr->show(p, port_attr, buf);
31620 }
31621
31622 -static struct sysfs_ops port_sysfs_ops = {
31623 +static const struct sysfs_ops port_sysfs_ops = {
31624 .show = port_attr_show
31625 };
31626
31627 diff -urNp linux-2.6.32.46/drivers/infiniband/core/uverbs_marshall.c linux-2.6.32.46/drivers/infiniband/core/uverbs_marshall.c
31628 --- linux-2.6.32.46/drivers/infiniband/core/uverbs_marshall.c 2011-03-27 14:31:47.000000000 -0400
31629 +++ linux-2.6.32.46/drivers/infiniband/core/uverbs_marshall.c 2011-04-17 15:56:46.000000000 -0400
31630 @@ -40,18 +40,21 @@ void ib_copy_ah_attr_to_user(struct ib_u
31631 dst->grh.sgid_index = src->grh.sgid_index;
31632 dst->grh.hop_limit = src->grh.hop_limit;
31633 dst->grh.traffic_class = src->grh.traffic_class;
31634 + memset(&dst->grh.reserved, 0, sizeof(dst->grh.reserved));
31635 dst->dlid = src->dlid;
31636 dst->sl = src->sl;
31637 dst->src_path_bits = src->src_path_bits;
31638 dst->static_rate = src->static_rate;
31639 dst->is_global = src->ah_flags & IB_AH_GRH ? 1 : 0;
31640 dst->port_num = src->port_num;
31641 + dst->reserved = 0;
31642 }
31643 EXPORT_SYMBOL(ib_copy_ah_attr_to_user);
31644
31645 void ib_copy_qp_attr_to_user(struct ib_uverbs_qp_attr *dst,
31646 struct ib_qp_attr *src)
31647 {
31648 + dst->qp_state = src->qp_state;
31649 dst->cur_qp_state = src->cur_qp_state;
31650 dst->path_mtu = src->path_mtu;
31651 dst->path_mig_state = src->path_mig_state;
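Review bot: Clearing `dst->grh.reserved` and `dst->reserved` member by member in `ib_copy_ah_attr_to_user` still leaves any compiler padding, and any field added later, holding whatever the caller's buffer contained before it is presumably handed to user space. A single `memset(dst, 0, sizeof(*dst));` as the first statement of the function would cover reserved members, padding and future fields at once. The same applies to the `memset(dst->reserved, 0, sizeof(dst->reserved));` added to `ib_copy_qp_attr_to_user` in the next hunk. Whether these structs actually contain padding is not visible here, so treat this as hardening rather than a confirmed leak. The start of `ib_copy_ah_attr_to_user` is outside the hunk.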
31652 @@ -83,6 +86,7 @@ void ib_copy_qp_attr_to_user(struct ib_u
31653 dst->rnr_retry = src->rnr_retry;
31654 dst->alt_port_num = src->alt_port_num;
31655 dst->alt_timeout = src->alt_timeout;
31656 + memset(dst->reserved, 0, sizeof(dst->reserved));
31657 }
31658 EXPORT_SYMBOL(ib_copy_qp_attr_to_user);
31659
31660 diff -urNp linux-2.6.32.46/drivers/infiniband/hw/ipath/ipath_fs.c linux-2.6.32.46/drivers/infiniband/hw/ipath/ipath_fs.c
31661 --- linux-2.6.32.46/drivers/infiniband/hw/ipath/ipath_fs.c 2011-03-27 14:31:47.000000000 -0400
31662 +++ linux-2.6.32.46/drivers/infiniband/hw/ipath/ipath_fs.c 2011-05-16 21:46:57.000000000 -0400
31663 @@ -110,6 +110,8 @@ static ssize_t atomic_counters_read(stru
31664 struct infinipath_counters counters;
31665 struct ipath_devdata *dd;
31666
31667 + pax_track_stack();
31668 +
31669 dd = file->f_path.dentry->d_inode->i_private;
31670 dd->ipath_f_read_counters(dd, &counters);
31671
31672 diff -urNp linux-2.6.32.46/drivers/infiniband/hw/nes/nes.c linux-2.6.32.46/drivers/infiniband/hw/nes/nes.c
31673 --- linux-2.6.32.46/drivers/infiniband/hw/nes/nes.c 2011-03-27 14:31:47.000000000 -0400
31674 +++ linux-2.6.32.46/drivers/infiniband/hw/nes/nes.c 2011-05-04 17:56:28.000000000 -0400
31675 @@ -102,7 +102,7 @@ MODULE_PARM_DESC(limit_maxrdreqsz, "Limi
31676 LIST_HEAD(nes_adapter_list);
31677 static LIST_HEAD(nes_dev_list);
31678
31679 -atomic_t qps_destroyed;
31680 +atomic_unchecked_t qps_destroyed;
31681
31682 static unsigned int ee_flsh_adapter;
31683 static unsigned int sysfs_nonidx_addr;
31684 @@ -259,7 +259,7 @@ static void nes_cqp_rem_ref_callback(str
31685 struct nes_adapter *nesadapter = nesdev->nesadapter;
31686 u32 qp_id;
31687
31688 - atomic_inc(&qps_destroyed);
31689 + atomic_inc_unchecked(&qps_destroyed);
31690
31691 /* Free the control structures */
31692
31693 diff -urNp linux-2.6.32.46/drivers/infiniband/hw/nes/nes_cm.c linux-2.6.32.46/drivers/infiniband/hw/nes/nes_cm.c
31694 --- linux-2.6.32.46/drivers/infiniband/hw/nes/nes_cm.c 2011-03-27 14:31:47.000000000 -0400
31695 +++ linux-2.6.32.46/drivers/infiniband/hw/nes/nes_cm.c 2011-05-04 17:56:28.000000000 -0400
31696 @@ -69,11 +69,11 @@ u32 cm_packets_received;
31697 u32 cm_listens_created;
31698 u32 cm_listens_destroyed;
31699 u32 cm_backlog_drops;
31700 -atomic_t cm_loopbacks;
31701 -atomic_t cm_nodes_created;
31702 -atomic_t cm_nodes_destroyed;
31703 -atomic_t cm_accel_dropped_pkts;
31704 -atomic_t cm_resets_recvd;
31705 +atomic_unchecked_t cm_loopbacks;
31706 +atomic_unchecked_t cm_nodes_created;
31707 +atomic_unchecked_t cm_nodes_destroyed;
31708 +atomic_unchecked_t cm_accel_dropped_pkts;
31709 +atomic_unchecked_t cm_resets_recvd;
31710
31711 static inline int mini_cm_accelerated(struct nes_cm_core *,
31712 struct nes_cm_node *);
31713 @@ -149,13 +149,13 @@ static struct nes_cm_ops nes_cm_api = {
31714
31715 static struct nes_cm_core *g_cm_core;
31716
31717 -atomic_t cm_connects;
31718 -atomic_t cm_accepts;
31719 -atomic_t cm_disconnects;
31720 -atomic_t cm_closes;
31721 -atomic_t cm_connecteds;
31722 -atomic_t cm_connect_reqs;
31723 -atomic_t cm_rejects;
31724 +atomic_unchecked_t cm_connects;
31725 +atomic_unchecked_t cm_accepts;
31726 +atomic_unchecked_t cm_disconnects;
31727 +atomic_unchecked_t cm_closes;
31728 +atomic_unchecked_t cm_connecteds;
31729 +atomic_unchecked_t cm_connect_reqs;
31730 +atomic_unchecked_t cm_rejects;
31731
31732
31733 /**
31734 @@ -1195,7 +1195,7 @@ static struct nes_cm_node *make_cm_node(
31735 cm_node->rem_mac);
31736
31737 add_hte_node(cm_core, cm_node);
31738 - atomic_inc(&cm_nodes_created);
31739 + atomic_inc_unchecked(&cm_nodes_created);
31740
31741 return cm_node;
31742 }
31743 @@ -1253,7 +1253,7 @@ static int rem_ref_cm_node(struct nes_cm
31744 }
31745
31746 atomic_dec(&cm_core->node_cnt);
31747 - atomic_inc(&cm_nodes_destroyed);
31748 + atomic_inc_unchecked(&cm_nodes_destroyed);
31749 nesqp = cm_node->nesqp;
31750 if (nesqp) {
31751 nesqp->cm_node = NULL;
31752 @@ -1320,7 +1320,7 @@ static int process_options(struct nes_cm
31753
31754 static void drop_packet(struct sk_buff *skb)
31755 {
31756 - atomic_inc(&cm_accel_dropped_pkts);
31757 + atomic_inc_unchecked(&cm_accel_dropped_pkts);
31758 dev_kfree_skb_any(skb);
31759 }
31760
31761 @@ -1377,7 +1377,7 @@ static void handle_rst_pkt(struct nes_cm
31762
31763 int reset = 0; /* whether to send reset in case of err.. */
31764 int passive_state;
31765 - atomic_inc(&cm_resets_recvd);
31766 + atomic_inc_unchecked(&cm_resets_recvd);
31767 nes_debug(NES_DBG_CM, "Received Reset, cm_node = %p, state = %u."
31768 " refcnt=%d\n", cm_node, cm_node->state,
31769 atomic_read(&cm_node->ref_count));
31770 @@ -2000,7 +2000,7 @@ static struct nes_cm_node *mini_cm_conne
31771 rem_ref_cm_node(cm_node->cm_core, cm_node);
31772 return NULL;
31773 }
31774 - atomic_inc(&cm_loopbacks);
31775 + atomic_inc_unchecked(&cm_loopbacks);
31776 loopbackremotenode->loopbackpartner = cm_node;
31777 loopbackremotenode->tcp_cntxt.rcv_wscale =
31778 NES_CM_DEFAULT_RCV_WND_SCALE;
31779 @@ -2262,7 +2262,7 @@ static int mini_cm_recv_pkt(struct nes_c
31780 add_ref_cm_node(cm_node);
31781 } else if (cm_node->state == NES_CM_STATE_TSA) {
31782 rem_ref_cm_node(cm_core, cm_node);
31783 - atomic_inc(&cm_accel_dropped_pkts);
31784 + atomic_inc_unchecked(&cm_accel_dropped_pkts);
31785 dev_kfree_skb_any(skb);
31786 break;
31787 }
31788 @@ -2568,7 +2568,7 @@ static int nes_cm_disconn_true(struct ne
31789
31790 if ((cm_id) && (cm_id->event_handler)) {
31791 if (issue_disconn) {
31792 - atomic_inc(&cm_disconnects);
31793 + atomic_inc_unchecked(&cm_disconnects);
31794 cm_event.event = IW_CM_EVENT_DISCONNECT;
31795 cm_event.status = disconn_status;
31796 cm_event.local_addr = cm_id->local_addr;
31797 @@ -2590,7 +2590,7 @@ static int nes_cm_disconn_true(struct ne
31798 }
31799
31800 if (issue_close) {
31801 - atomic_inc(&cm_closes);
31802 + atomic_inc_unchecked(&cm_closes);
31803 nes_disconnect(nesqp, 1);
31804
31805 cm_id->provider_data = nesqp;
31806 @@ -2710,7 +2710,7 @@ int nes_accept(struct iw_cm_id *cm_id, s
31807
31808 nes_debug(NES_DBG_CM, "QP%u, cm_node=%p, jiffies = %lu listener = %p\n",
31809 nesqp->hwqp.qp_id, cm_node, jiffies, cm_node->listener);
31810 - atomic_inc(&cm_accepts);
31811 + atomic_inc_unchecked(&cm_accepts);
31812
31813 nes_debug(NES_DBG_CM, "netdev refcnt = %u.\n",
31814 atomic_read(&nesvnic->netdev->refcnt));
31815 @@ -2919,7 +2919,7 @@ int nes_reject(struct iw_cm_id *cm_id, c
31816
31817 struct nes_cm_core *cm_core;
31818
31819 - atomic_inc(&cm_rejects);
31820 + atomic_inc_unchecked(&cm_rejects);
31821 cm_node = (struct nes_cm_node *) cm_id->provider_data;
31822 loopback = cm_node->loopbackpartner;
31823 cm_core = cm_node->cm_core;
31824 @@ -2982,7 +2982,7 @@ int nes_connect(struct iw_cm_id *cm_id,
31825 ntohl(cm_id->local_addr.sin_addr.s_addr),
31826 ntohs(cm_id->local_addr.sin_port));
31827
31828 - atomic_inc(&cm_connects);
31829 + atomic_inc_unchecked(&cm_connects);
31830 nesqp->active_conn = 1;
31831
31832 /* cache the cm_id in the qp */
31833 @@ -3195,7 +3195,7 @@ static void cm_event_connected(struct ne
31834 if (nesqp->destroyed) {
31835 return;
31836 }
31837 - atomic_inc(&cm_connecteds);
31838 + atomic_inc_unchecked(&cm_connecteds);
31839 nes_debug(NES_DBG_CM, "QP%u attempting to connect to 0x%08X:0x%04X on"
31840 " local port 0x%04X. jiffies = %lu.\n",
31841 nesqp->hwqp.qp_id,
31842 @@ -3403,7 +3403,7 @@ static void cm_event_reset(struct nes_cm
31843
31844 ret = cm_id->event_handler(cm_id, &cm_event);
31845 cm_id->add_ref(cm_id);
31846 - atomic_inc(&cm_closes);
31847 + atomic_inc_unchecked(&cm_closes);
31848 cm_event.event = IW_CM_EVENT_CLOSE;
31849 cm_event.status = IW_CM_EVENT_STATUS_OK;
31850 cm_event.provider_data = cm_id->provider_data;
31851 @@ -3439,7 +3439,7 @@ static void cm_event_mpa_req(struct nes_
31852 return;
31853 cm_id = cm_node->cm_id;
31854
31855 - atomic_inc(&cm_connect_reqs);
31856 + atomic_inc_unchecked(&cm_connect_reqs);
31857 nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
31858 cm_node, cm_id, jiffies);
31859
31860 @@ -3477,7 +3477,7 @@ static void cm_event_mpa_reject(struct n
31861 return;
31862 cm_id = cm_node->cm_id;
31863
31864 - atomic_inc(&cm_connect_reqs);
31865 + atomic_inc_unchecked(&cm_connect_reqs);
31866 nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
31867 cm_node, cm_id, jiffies);
31868
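Review bot: `atomic_inc_unchecked(&cm_connect_reqs);` in cm_event_mpa_reject bumps the same counter as cm_event_mpa_req in the hunk above, so MPA rejects are counted as connect requests. This looks like a copy-paste carried over from the old code; `cm_rejects` may be the intended counter, but confirm before changing it, since nes_reject already increments `cm_rejects`. These counters are read out through the ethtool statistics in nes_nic.c, so a wrong one skews the numbers used for troubleshooting. The function body starts and ends outside the hunk.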
31869 diff -urNp linux-2.6.32.46/drivers/infiniband/hw/nes/nes.h linux-2.6.32.46/drivers/infiniband/hw/nes/nes.h
31870 --- linux-2.6.32.46/drivers/infiniband/hw/nes/nes.h 2011-03-27 14:31:47.000000000 -0400
31871 +++ linux-2.6.32.46/drivers/infiniband/hw/nes/nes.h 2011-05-04 17:56:28.000000000 -0400
31872 @@ -174,17 +174,17 @@ extern unsigned int nes_debug_level;
31873 extern unsigned int wqm_quanta;
31874 extern struct list_head nes_adapter_list;
31875
31876 -extern atomic_t cm_connects;
31877 -extern atomic_t cm_accepts;
31878 -extern atomic_t cm_disconnects;
31879 -extern atomic_t cm_closes;
31880 -extern atomic_t cm_connecteds;
31881 -extern atomic_t cm_connect_reqs;
31882 -extern atomic_t cm_rejects;
31883 -extern atomic_t mod_qp_timouts;
31884 -extern atomic_t qps_created;
31885 -extern atomic_t qps_destroyed;
31886 -extern atomic_t sw_qps_destroyed;
31887 +extern atomic_unchecked_t cm_connects;
31888 +extern atomic_unchecked_t cm_accepts;
31889 +extern atomic_unchecked_t cm_disconnects;
31890 +extern atomic_unchecked_t cm_closes;
31891 +extern atomic_unchecked_t cm_connecteds;
31892 +extern atomic_unchecked_t cm_connect_reqs;
31893 +extern atomic_unchecked_t cm_rejects;
31894 +extern atomic_unchecked_t mod_qp_timouts;
31895 +extern atomic_unchecked_t qps_created;
31896 +extern atomic_unchecked_t qps_destroyed;
31897 +extern atomic_unchecked_t sw_qps_destroyed;
31898 extern u32 mh_detected;
31899 extern u32 mh_pauses_sent;
31900 extern u32 cm_packets_sent;
31901 @@ -196,11 +196,11 @@ extern u32 cm_packets_retrans;
31902 extern u32 cm_listens_created;
31903 extern u32 cm_listens_destroyed;
31904 extern u32 cm_backlog_drops;
31905 -extern atomic_t cm_loopbacks;
31906 -extern atomic_t cm_nodes_created;
31907 -extern atomic_t cm_nodes_destroyed;
31908 -extern atomic_t cm_accel_dropped_pkts;
31909 -extern atomic_t cm_resets_recvd;
31910 +extern atomic_unchecked_t cm_loopbacks;
31911 +extern atomic_unchecked_t cm_nodes_created;
31912 +extern atomic_unchecked_t cm_nodes_destroyed;
31913 +extern atomic_unchecked_t cm_accel_dropped_pkts;
31914 +extern atomic_unchecked_t cm_resets_recvd;
31915
31916 extern u32 int_mod_timer_init;
31917 extern u32 int_mod_cq_depth_256;
31918 diff -urNp linux-2.6.32.46/drivers/infiniband/hw/nes/nes_nic.c linux-2.6.32.46/drivers/infiniband/hw/nes/nes_nic.c
31919 --- linux-2.6.32.46/drivers/infiniband/hw/nes/nes_nic.c 2011-03-27 14:31:47.000000000 -0400
31920 +++ linux-2.6.32.46/drivers/infiniband/hw/nes/nes_nic.c 2011-05-04 17:56:28.000000000 -0400
31921 @@ -1210,17 +1210,17 @@ static void nes_netdev_get_ethtool_stats
31922 target_stat_values[++index] = mh_detected;
31923 target_stat_values[++index] = mh_pauses_sent;
31924 target_stat_values[++index] = nesvnic->endnode_ipv4_tcp_retransmits;
31925 - target_stat_values[++index] = atomic_read(&cm_connects);
31926 - target_stat_values[++index] = atomic_read(&cm_accepts);
31927 - target_stat_values[++index] = atomic_read(&cm_disconnects);
31928 - target_stat_values[++index] = atomic_read(&cm_connecteds);
31929 - target_stat_values[++index] = atomic_read(&cm_connect_reqs);
31930 - target_stat_values[++index] = atomic_read(&cm_rejects);
31931 - target_stat_values[++index] = atomic_read(&mod_qp_timouts);
31932 - target_stat_values[++index] = atomic_read(&qps_created);
31933 - target_stat_values[++index] = atomic_read(&sw_qps_destroyed);
31934 - target_stat_values[++index] = atomic_read(&qps_destroyed);
31935 - target_stat_values[++index] = atomic_read(&cm_closes);
31936 + target_stat_values[++index] = atomic_read_unchecked(&cm_connects);
31937 + target_stat_values[++index] = atomic_read_unchecked(&cm_accepts);
31938 + target_stat_values[++index] = atomic_read_unchecked(&cm_disconnects);
31939 + target_stat_values[++index] = atomic_read_unchecked(&cm_connecteds);
31940 + target_stat_values[++index] = atomic_read_unchecked(&cm_connect_reqs);
31941 + target_stat_values[++index] = atomic_read_unchecked(&cm_rejects);
31942 + target_stat_values[++index] = atomic_read_unchecked(&mod_qp_timouts);
31943 + target_stat_values[++index] = atomic_read_unchecked(&qps_created);
31944 + target_stat_values[++index] = atomic_read_unchecked(&sw_qps_destroyed);
31945 + target_stat_values[++index] = atomic_read_unchecked(&qps_destroyed);
31946 + target_stat_values[++index] = atomic_read_unchecked(&cm_closes);
31947 target_stat_values[++index] = cm_packets_sent;
31948 target_stat_values[++index] = cm_packets_bounced;
31949 target_stat_values[++index] = cm_packets_created;
31950 @@ -1230,11 +1230,11 @@ static void nes_netdev_get_ethtool_stats
31951 target_stat_values[++index] = cm_listens_created;
31952 target_stat_values[++index] = cm_listens_destroyed;
31953 target_stat_values[++index] = cm_backlog_drops;
31954 - target_stat_values[++index] = atomic_read(&cm_loopbacks);
31955 - target_stat_values[++index] = atomic_read(&cm_nodes_created);
31956 - target_stat_values[++index] = atomic_read(&cm_nodes_destroyed);
31957 - target_stat_values[++index] = atomic_read(&cm_accel_dropped_pkts);
31958 - target_stat_values[++index] = atomic_read(&cm_resets_recvd);
31959 + target_stat_values[++index] = atomic_read_unchecked(&cm_loopbacks);
31960 + target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_created);
31961 + target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_destroyed);
31962 + target_stat_values[++index] = atomic_read_unchecked(&cm_accel_dropped_pkts);
31963 + target_stat_values[++index] = atomic_read_unchecked(&cm_resets_recvd);
31964 target_stat_values[++index] = int_mod_timer_init;
31965 target_stat_values[++index] = int_mod_cq_depth_1;
31966 target_stat_values[++index] = int_mod_cq_depth_4;
31967 diff -urNp linux-2.6.32.46/drivers/infiniband/hw/nes/nes_verbs.c linux-2.6.32.46/drivers/infiniband/hw/nes/nes_verbs.c
31968 --- linux-2.6.32.46/drivers/infiniband/hw/nes/nes_verbs.c 2011-03-27 14:31:47.000000000 -0400
31969 +++ linux-2.6.32.46/drivers/infiniband/hw/nes/nes_verbs.c 2011-05-04 17:56:28.000000000 -0400
31970 @@ -45,9 +45,9 @@
31971
31972 #include <rdma/ib_umem.h>
31973
31974 -atomic_t mod_qp_timouts;
31975 -atomic_t qps_created;
31976 -atomic_t sw_qps_destroyed;
31977 +atomic_unchecked_t mod_qp_timouts;
31978 +atomic_unchecked_t qps_created;
31979 +atomic_unchecked_t sw_qps_destroyed;
31980
31981 static void nes_unregister_ofa_device(struct nes_ib_device *nesibdev);
31982
31983 @@ -1240,7 +1240,7 @@ static struct ib_qp *nes_create_qp(struc
31984 if (init_attr->create_flags)
31985 return ERR_PTR(-EINVAL);
31986
31987 - atomic_inc(&qps_created);
31988 + atomic_inc_unchecked(&qps_created);
31989 switch (init_attr->qp_type) {
31990 case IB_QPT_RC:
31991 if (nes_drv_opt & NES_DRV_OPT_NO_INLINE_DATA) {
31992 @@ -1568,7 +1568,7 @@ static int nes_destroy_qp(struct ib_qp *
31993 struct iw_cm_event cm_event;
31994 int ret;
31995
31996 - atomic_inc(&sw_qps_destroyed);
31997 + atomic_inc_unchecked(&sw_qps_destroyed);
31998 nesqp->destroyed = 1;
31999
32000 /* Blow away the connection if it exists. */
32001 diff -urNp linux-2.6.32.46/drivers/input/gameport/gameport.c linux-2.6.32.46/drivers/input/gameport/gameport.c
32002 --- linux-2.6.32.46/drivers/input/gameport/gameport.c 2011-03-27 14:31:47.000000000 -0400
32003 +++ linux-2.6.32.46/drivers/input/gameport/gameport.c 2011-05-04 17:56:28.000000000 -0400
32004 @@ -515,13 +515,13 @@ EXPORT_SYMBOL(gameport_set_phys);
32005 */
32006 static void gameport_init_port(struct gameport *gameport)
32007 {
32008 - static atomic_t gameport_no = ATOMIC_INIT(0);
32009 + static atomic_unchecked_t gameport_no = ATOMIC_INIT(0);
32010
32011 __module_get(THIS_MODULE);
32012
32013 mutex_init(&gameport->drv_mutex);
32014 device_initialize(&gameport->dev);
32015 - dev_set_name(&gameport->dev, "gameport%lu", (unsigned long)atomic_inc_return(&gameport_no) - 1);
32016 + dev_set_name(&gameport->dev, "gameport%lu", (unsigned long)atomic_inc_return_unchecked(&gameport_no) - 1);
32017 gameport->dev.bus = &gameport_bus;
32018 gameport->dev.release = gameport_release_port;
32019 if (gameport->parent)
32020 diff -urNp linux-2.6.32.46/drivers/input/input.c linux-2.6.32.46/drivers/input/input.c
32021 --- linux-2.6.32.46/drivers/input/input.c 2011-03-27 14:31:47.000000000 -0400
32022 +++ linux-2.6.32.46/drivers/input/input.c 2011-05-04 17:56:28.000000000 -0400
32023 @@ -1558,7 +1558,7 @@ EXPORT_SYMBOL(input_set_capability);
32024 */
32025 int input_register_device(struct input_dev *dev)
32026 {
32027 - static atomic_t input_no = ATOMIC_INIT(0);
32028 + static atomic_unchecked_t input_no = ATOMIC_INIT(0);
32029 struct input_handler *handler;
32030 const char *path;
32031 int error;
32032 @@ -1585,7 +1585,7 @@ int input_register_device(struct input_d
32033 dev->setkeycode = input_default_setkeycode;
32034
32035 dev_set_name(&dev->dev, "input%ld",
32036 - (unsigned long) atomic_inc_return(&input_no) - 1);
32037 + (unsigned long) atomic_inc_return_unchecked(&input_no) - 1);
32038
32039 error = device_add(&dev->dev);
32040 if (error)
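Review bot: `"input%ld"` is passed an `unsigned long` argument, a signed/unsigned format mismatch. Now that `input_no` is an unchecked counter that is allowed to wrap, what gets printed after a wrap depends on that mismatch. Use `"input%lu"` to match the cast, as gameport.c does with `"gameport%lu"`. input_register_device continues outside the hunk.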
32041 diff -urNp linux-2.6.32.46/drivers/input/joystick/sidewinder.c linux-2.6.32.46/drivers/input/joystick/sidewinder.c
32042 --- linux-2.6.32.46/drivers/input/joystick/sidewinder.c 2011-03-27 14:31:47.000000000 -0400
32043 +++ linux-2.6.32.46/drivers/input/joystick/sidewinder.c 2011-05-18 20:09:36.000000000 -0400
32044 @@ -30,6 +30,7 @@
32045 #include <linux/kernel.h>
32046 #include <linux/module.h>
32047 #include <linux/slab.h>
32048 +#include <linux/sched.h>
32049 #include <linux/init.h>
32050 #include <linux/input.h>
32051 #include <linux/gameport.h>
32052 @@ -428,6 +429,8 @@ static int sw_read(struct sw *sw)
32053 unsigned char buf[SW_LENGTH];
32054 int i;
32055
32056 + pax_track_stack();
32057 +
32058 i = sw_read_packet(sw->gameport, buf, sw->length, 0);
32059
32060 if (sw->type == SW_ID_3DP && sw->length == 66 && i != 66) { /* Broken packet, try to fix */
32061 diff -urNp linux-2.6.32.46/drivers/input/joystick/xpad.c linux-2.6.32.46/drivers/input/joystick/xpad.c
32062 --- linux-2.6.32.46/drivers/input/joystick/xpad.c 2011-03-27 14:31:47.000000000 -0400
32063 +++ linux-2.6.32.46/drivers/input/joystick/xpad.c 2011-05-04 17:56:28.000000000 -0400
32064 @@ -621,7 +621,7 @@ static void xpad_led_set(struct led_clas
32065
32066 static int xpad_led_probe(struct usb_xpad *xpad)
32067 {
32068 - static atomic_t led_seq = ATOMIC_INIT(0);
32069 + static atomic_unchecked_t led_seq = ATOMIC_INIT(0);
32070 long led_no;
32071 struct xpad_led *led;
32072 struct led_classdev *led_cdev;
32073 @@ -634,7 +634,7 @@ static int xpad_led_probe(struct usb_xpa
32074 if (!led)
32075 return -ENOMEM;
32076
32077 - led_no = (long)atomic_inc_return(&led_seq) - 1;
32078 + led_no = (long)atomic_inc_return_unchecked(&led_seq) - 1;
32079
32080 snprintf(led->name, sizeof(led->name), "xpad%ld", led_no);
32081 led->xpad = xpad;
32082 diff -urNp linux-2.6.32.46/drivers/input/serio/serio.c linux-2.6.32.46/drivers/input/serio/serio.c
32083 --- linux-2.6.32.46/drivers/input/serio/serio.c 2011-03-27 14:31:47.000000000 -0400
32084 +++ linux-2.6.32.46/drivers/input/serio/serio.c 2011-05-04 17:56:28.000000000 -0400
32085 @@ -527,7 +527,7 @@ static void serio_release_port(struct de
32086 */
32087 static void serio_init_port(struct serio *serio)
32088 {
32089 - static atomic_t serio_no = ATOMIC_INIT(0);
32090 + static atomic_unchecked_t serio_no = ATOMIC_INIT(0);
32091
32092 __module_get(THIS_MODULE);
32093
32094 @@ -536,7 +536,7 @@ static void serio_init_port(struct serio
32095 mutex_init(&serio->drv_mutex);
32096 device_initialize(&serio->dev);
32097 dev_set_name(&serio->dev, "serio%ld",
32098 - (long)atomic_inc_return(&serio_no) - 1);
32099 + (long)atomic_inc_return_unchecked(&serio_no) - 1);
32100 serio->dev.bus = &serio_bus;
32101 serio->dev.release = serio_release_port;
32102 if (serio->parent) {
32103 diff -urNp linux-2.6.32.46/drivers/isdn/gigaset/common.c linux-2.6.32.46/drivers/isdn/gigaset/common.c
32104 --- linux-2.6.32.46/drivers/isdn/gigaset/common.c 2011-03-27 14:31:47.000000000 -0400
32105 +++ linux-2.6.32.46/drivers/isdn/gigaset/common.c 2011-04-17 15:56:46.000000000 -0400
32106 @@ -712,7 +712,7 @@ struct cardstate *gigaset_initcs(struct
32107 cs->commands_pending = 0;
32108 cs->cur_at_seq = 0;
32109 cs->gotfwver = -1;
32110 - cs->open_count = 0;
32111 + local_set(&cs->open_count, 0);
32112 cs->dev = NULL;
32113 cs->tty = NULL;
32114 cs->tty_dev = NULL;
32115 diff -urNp linux-2.6.32.46/drivers/isdn/gigaset/gigaset.h linux-2.6.32.46/drivers/isdn/gigaset/gigaset.h
32116 --- linux-2.6.32.46/drivers/isdn/gigaset/gigaset.h 2011-03-27 14:31:47.000000000 -0400
32117 +++ linux-2.6.32.46/drivers/isdn/gigaset/gigaset.h 2011-04-17 15:56:46.000000000 -0400
32118 @@ -34,6 +34,7 @@
32119 #include <linux/tty_driver.h>
32120 #include <linux/list.h>
32121 #include <asm/atomic.h>
32122 +#include <asm/local.h>
32123
32124 #define GIG_VERSION {0,5,0,0}
32125 #define GIG_COMPAT {0,4,0,0}
32126 @@ -446,7 +447,7 @@ struct cardstate {
32127 spinlock_t cmdlock;
32128 unsigned curlen, cmdbytes;
32129
32130 - unsigned open_count;
32131 + local_t open_count;
32132 struct tty_struct *tty;
32133 struct tasklet_struct if_wake_tasklet;
32134 unsigned control_state;
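Review bot: `local_t open_count` needs a comment saying what serialises it, because local_t operations are atomic only with respect to the current CPU and the field is safe as a device-wide open counter only if every access runs under a lock. In interface.c, if_close tests `local_read(&cs->open_count)` and then calls `local_dec_return()` as two separate steps, which also relies on outside serialisation; whether a mutex is held there is not visible in these hunks. Suggested comment on the field: `/* open count; every access must hold the device lock (local_t is not SMP-atomic) */`, naming the lock actually used.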
32135 diff -urNp linux-2.6.32.46/drivers/isdn/gigaset/interface.c linux-2.6.32.46/drivers/isdn/gigaset/interface.c
32136 --- linux-2.6.32.46/drivers/isdn/gigaset/interface.c 2011-03-27 14:31:47.000000000 -0400
32137 +++ linux-2.6.32.46/drivers/isdn/gigaset/interface.c 2011-04-17 15:56:46.000000000 -0400
32138 @@ -165,9 +165,7 @@ static int if_open(struct tty_struct *tt
32139 return -ERESTARTSYS; // FIXME -EINTR?
32140 tty->driver_data = cs;
32141
32142 - ++cs->open_count;
32143 -
32144 - if (cs->open_count == 1) {
32145 + if (local_inc_return(&cs->open_count) == 1) {
32146 spin_lock_irqsave(&cs->lock, flags);
32147 cs->tty = tty;
32148 spin_unlock_irqrestore(&cs->lock, flags);
32149 @@ -195,10 +193,10 @@ static void if_close(struct tty_struct *
32150
32151 if (!cs->connected)
32152 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
32153 - else if (!cs->open_count)
32154 + else if (!local_read(&cs->open_count))
32155 dev_warn(cs->dev, "%s: device not opened\n", __func__);
32156 else {
32157 - if (!--cs->open_count) {
32158 + if (!local_dec_return(&cs->open_count)) {
32159 spin_lock_irqsave(&cs->lock, flags);
32160 cs->tty = NULL;
32161 spin_unlock_irqrestore(&cs->lock, flags);
32162 @@ -233,7 +231,7 @@ static int if_ioctl(struct tty_struct *t
32163 if (!cs->connected) {
32164 gig_dbg(DEBUG_IF, "not connected");
32165 retval = -ENODEV;
32166 - } else if (!cs->open_count)
32167 + } else if (!local_read(&cs->open_count))
32168 dev_warn(cs->dev, "%s: device not opened\n", __func__);
32169 else {
32170 retval = 0;
32171 @@ -361,7 +359,7 @@ static int if_write(struct tty_struct *t
32172 if (!cs->connected) {
32173 gig_dbg(DEBUG_IF, "not connected");
32174 retval = -ENODEV;
32175 - } else if (!cs->open_count)
32176 + } else if (!local_read(&cs->open_count))
32177 dev_warn(cs->dev, "%s: device not opened\n", __func__);
32178 else if (cs->mstate != MS_LOCKED) {
32179 dev_warn(cs->dev, "can't write to unlocked device\n");
32180 @@ -395,7 +393,7 @@ static int if_write_room(struct tty_stru
32181 if (!cs->connected) {
32182 gig_dbg(DEBUG_IF, "not connected");
32183 retval = -ENODEV;
32184 - } else if (!cs->open_count)
32185 + } else if (!local_read(&cs->open_count))
32186 dev_warn(cs->dev, "%s: device not opened\n", __func__);
32187 else if (cs->mstate != MS_LOCKED) {
32188 dev_warn(cs->dev, "can't write to unlocked device\n");
32189 @@ -425,7 +423,7 @@ static int if_chars_in_buffer(struct tty
32190
32191 if (!cs->connected)
32192 gig_dbg(DEBUG_IF, "not connected");
32193 - else if (!cs->open_count)
32194 + else if (!local_read(&cs->open_count))
32195 dev_warn(cs->dev, "%s: device not opened\n", __func__);
32196 else if (cs->mstate != MS_LOCKED)
32197 dev_warn(cs->dev, "can't write to unlocked device\n");
32198 @@ -453,7 +451,7 @@ static void if_throttle(struct tty_struc
32199
32200 if (!cs->connected)
32201 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
32202 - else if (!cs->open_count)
32203 + else if (!local_read(&cs->open_count))
32204 dev_warn(cs->dev, "%s: device not opened\n", __func__);
32205 else {
32206 //FIXME
32207 @@ -478,7 +476,7 @@ static void if_unthrottle(struct tty_str
32208
32209 if (!cs->connected)
32210 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
32211 - else if (!cs->open_count)
32212 + else if (!local_read(&cs->open_count))
32213 dev_warn(cs->dev, "%s: device not opened\n", __func__);
32214 else {
32215 //FIXME
32216 @@ -510,7 +508,7 @@ static void if_set_termios(struct tty_st
32217 goto out;
32218 }
32219
32220 - if (!cs->open_count) {
32221 + if (!local_read(&cs->open_count)) {
32222 dev_warn(cs->dev, "%s: device not opened\n", __func__);
32223 goto out;
32224 }
32225 diff -urNp linux-2.6.32.46/drivers/isdn/hardware/avm/b1.c linux-2.6.32.46/drivers/isdn/hardware/avm/b1.c
32226 --- linux-2.6.32.46/drivers/isdn/hardware/avm/b1.c 2011-03-27 14:31:47.000000000 -0400
32227 +++ linux-2.6.32.46/drivers/isdn/hardware/avm/b1.c 2011-04-17 15:56:46.000000000 -0400
32228 @@ -173,7 +173,7 @@ int b1_load_t4file(avmcard *card, capilo
32229 }
32230 if (left) {
32231 if (t4file->user) {
32232 - if (copy_from_user(buf, dp, left))
32233 + if (left > sizeof buf || copy_from_user(buf, dp, left))
32234 return -EFAULT;
32235 } else {
32236 memcpy(buf, dp, left);
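Review bot: The new `left > sizeof buf` guard covers only the `copy_from_user` path; the `memcpy(buf, dp, left)` in the `else` branch copies the same `left` into the same `buf` with no bound. If `left` can exceed the buffer at this point, the kernel-source path overflows just the same, so hoist the check to the top of the `if (left)` block: `if (left > sizeof buf) return -EINVAL;` (or keep `-EFAULT` if callers depend on it). Whether earlier code already caps `left` is outside the hunk. The same pattern recurs in b1_load_config below and in icn_writecmd in drivers/isdn/icn/icn.c.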
32237 @@ -221,7 +221,7 @@ int b1_load_config(avmcard *card, capilo
32238 }
32239 if (left) {
32240 if (config->user) {
32241 - if (copy_from_user(buf, dp, left))
32242 + if (left > sizeof buf || copy_from_user(buf, dp, left))
32243 return -EFAULT;
32244 } else {
32245 memcpy(buf, dp, left);
32246 diff -urNp linux-2.6.32.46/drivers/isdn/hardware/eicon/capidtmf.c linux-2.6.32.46/drivers/isdn/hardware/eicon/capidtmf.c
32247 --- linux-2.6.32.46/drivers/isdn/hardware/eicon/capidtmf.c 2011-03-27 14:31:47.000000000 -0400
32248 +++ linux-2.6.32.46/drivers/isdn/hardware/eicon/capidtmf.c 2011-05-16 21:46:57.000000000 -0400
32249 @@ -498,6 +498,7 @@ void capidtmf_recv_block (t_capidtmf_sta
32250 byte goertzel_result_buffer[CAPIDTMF_RECV_TOTAL_FREQUENCY_COUNT];
32251 short windowed_sample_buffer[CAPIDTMF_RECV_WINDOWED_SAMPLES];
32252
32253 + pax_track_stack();
32254
32255 if (p_state->recv.state & CAPIDTMF_RECV_STATE_DTMF_ACTIVE)
32256 {
32257 diff -urNp linux-2.6.32.46/drivers/isdn/hardware/eicon/capifunc.c linux-2.6.32.46/drivers/isdn/hardware/eicon/capifunc.c
32258 --- linux-2.6.32.46/drivers/isdn/hardware/eicon/capifunc.c 2011-03-27 14:31:47.000000000 -0400
32259 +++ linux-2.6.32.46/drivers/isdn/hardware/eicon/capifunc.c 2011-05-16 21:46:57.000000000 -0400
32260 @@ -1055,6 +1055,8 @@ static int divacapi_connect_didd(void)
32261 IDI_SYNC_REQ req;
32262 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
32263
32264 + pax_track_stack();
32265 +
32266 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
32267
32268 for (x = 0; x < MAX_DESCRIPTORS; x++) {
32269 diff -urNp linux-2.6.32.46/drivers/isdn/hardware/eicon/diddfunc.c linux-2.6.32.46/drivers/isdn/hardware/eicon/diddfunc.c
32270 --- linux-2.6.32.46/drivers/isdn/hardware/eicon/diddfunc.c 2011-03-27 14:31:47.000000000 -0400
32271 +++ linux-2.6.32.46/drivers/isdn/hardware/eicon/diddfunc.c 2011-05-16 21:46:57.000000000 -0400
32272 @@ -54,6 +54,8 @@ static int DIVA_INIT_FUNCTION connect_di
32273 IDI_SYNC_REQ req;
32274 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
32275
32276 + pax_track_stack();
32277 +
32278 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
32279
32280 for (x = 0; x < MAX_DESCRIPTORS; x++) {
32281 diff -urNp linux-2.6.32.46/drivers/isdn/hardware/eicon/divasfunc.c linux-2.6.32.46/drivers/isdn/hardware/eicon/divasfunc.c
32282 --- linux-2.6.32.46/drivers/isdn/hardware/eicon/divasfunc.c 2011-03-27 14:31:47.000000000 -0400
32283 +++ linux-2.6.32.46/drivers/isdn/hardware/eicon/divasfunc.c 2011-05-16 21:46:57.000000000 -0400
32284 @@ -161,6 +161,8 @@ static int DIVA_INIT_FUNCTION connect_di
32285 IDI_SYNC_REQ req;
32286 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
32287
32288 + pax_track_stack();
32289 +
32290 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
32291
32292 for (x = 0; x < MAX_DESCRIPTORS; x++) {
32293 diff -urNp linux-2.6.32.46/drivers/isdn/hardware/eicon/divasync.h linux-2.6.32.46/drivers/isdn/hardware/eicon/divasync.h
32294 --- linux-2.6.32.46/drivers/isdn/hardware/eicon/divasync.h 2011-03-27 14:31:47.000000000 -0400
32295 +++ linux-2.6.32.46/drivers/isdn/hardware/eicon/divasync.h 2011-08-05 20:33:55.000000000 -0400
32296 @@ -146,7 +146,7 @@ typedef struct _diva_didd_add_adapter {
32297 } diva_didd_add_adapter_t;
32298 typedef struct _diva_didd_remove_adapter {
32299 IDI_CALL p_request;
32300 -} diva_didd_remove_adapter_t;
32301 +} __no_const diva_didd_remove_adapter_t;
32302 typedef struct _diva_didd_read_adapter_array {
32303 void * buffer;
32304 dword length;
32305 diff -urNp linux-2.6.32.46/drivers/isdn/hardware/eicon/idifunc.c linux-2.6.32.46/drivers/isdn/hardware/eicon/idifunc.c
32306 --- linux-2.6.32.46/drivers/isdn/hardware/eicon/idifunc.c 2011-03-27 14:31:47.000000000 -0400
32307 +++ linux-2.6.32.46/drivers/isdn/hardware/eicon/idifunc.c 2011-05-16 21:46:57.000000000 -0400
32308 @@ -188,6 +188,8 @@ static int DIVA_INIT_FUNCTION connect_di
32309 IDI_SYNC_REQ req;
32310 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
32311
32312 + pax_track_stack();
32313 +
32314 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
32315
32316 for (x = 0; x < MAX_DESCRIPTORS; x++) {
32317 diff -urNp linux-2.6.32.46/drivers/isdn/hardware/eicon/message.c linux-2.6.32.46/drivers/isdn/hardware/eicon/message.c
32318 --- linux-2.6.32.46/drivers/isdn/hardware/eicon/message.c 2011-03-27 14:31:47.000000000 -0400
32319 +++ linux-2.6.32.46/drivers/isdn/hardware/eicon/message.c 2011-05-16 21:46:57.000000000 -0400
32320 @@ -4889,6 +4889,8 @@ static void sig_ind(PLCI *plci)
32321 dword d;
32322 word w;
32323
32324 + pax_track_stack();
32325 +
32326 a = plci->adapter;
32327 Id = ((word)plci->Id<<8)|a->Id;
32328 PUT_WORD(&SS_Ind[4],0x0000);
32329 @@ -7484,6 +7486,8 @@ static word add_b1(PLCI *plci, API_PARSE
32330 word j, n, w;
32331 dword d;
32332
32333 + pax_track_stack();
32334 +
32335
32336 for(i=0;i<8;i++) bp_parms[i].length = 0;
32337 for(i=0;i<2;i++) global_config[i].length = 0;
32338 @@ -7958,6 +7962,8 @@ static word add_b23(PLCI *plci, API_PARS
32339 const byte llc3[] = {4,3,2,2,6,6,0};
32340 const byte header[] = {0,2,3,3,0,0,0};
32341
32342 + pax_track_stack();
32343 +
32344 for(i=0;i<8;i++) bp_parms[i].length = 0;
32345 for(i=0;i<6;i++) b2_config_parms[i].length = 0;
32346 for(i=0;i<5;i++) b3_config_parms[i].length = 0;
32347 @@ -14761,6 +14767,8 @@ static void group_optimization(DIVA_CAPI
32348 word appl_number_group_type[MAX_APPL];
32349 PLCI *auxplci;
32350
32351 + pax_track_stack();
32352 +
32353 set_group_ind_mask (plci); /* all APPLs within this inc. call are allowed to dial in */
32354
32355 if(!a->group_optimization_enabled)
32356 diff -urNp linux-2.6.32.46/drivers/isdn/hardware/eicon/mntfunc.c linux-2.6.32.46/drivers/isdn/hardware/eicon/mntfunc.c
32357 --- linux-2.6.32.46/drivers/isdn/hardware/eicon/mntfunc.c 2011-03-27 14:31:47.000000000 -0400
32358 +++ linux-2.6.32.46/drivers/isdn/hardware/eicon/mntfunc.c 2011-05-16 21:46:57.000000000 -0400
32359 @@ -79,6 +79,8 @@ static int DIVA_INIT_FUNCTION connect_di
32360 IDI_SYNC_REQ req;
32361 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
32362
32363 + pax_track_stack();
32364 +
32365 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
32366
32367 for (x = 0; x < MAX_DESCRIPTORS; x++) {
32368 diff -urNp linux-2.6.32.46/drivers/isdn/hardware/eicon/xdi_adapter.h linux-2.6.32.46/drivers/isdn/hardware/eicon/xdi_adapter.h
32369 --- linux-2.6.32.46/drivers/isdn/hardware/eicon/xdi_adapter.h 2011-03-27 14:31:47.000000000 -0400
32370 +++ linux-2.6.32.46/drivers/isdn/hardware/eicon/xdi_adapter.h 2011-08-05 20:33:55.000000000 -0400
32371 @@ -44,7 +44,7 @@ typedef struct _xdi_mbox_t {
32372 typedef struct _diva_os_idi_adapter_interface {
32373 diva_init_card_proc_t cleanup_adapter_proc;
32374 diva_cmd_card_proc_t cmd_proc;
32375 -} diva_os_idi_adapter_interface_t;
32376 +} __no_const diva_os_idi_adapter_interface_t;
32377
32378 typedef struct _diva_os_xdi_adapter {
32379 struct list_head link;
32380 diff -urNp linux-2.6.32.46/drivers/isdn/i4l/isdn_common.c linux-2.6.32.46/drivers/isdn/i4l/isdn_common.c
32381 --- linux-2.6.32.46/drivers/isdn/i4l/isdn_common.c 2011-03-27 14:31:47.000000000 -0400
32382 +++ linux-2.6.32.46/drivers/isdn/i4l/isdn_common.c 2011-05-16 21:46:57.000000000 -0400
32383 @@ -1290,6 +1290,8 @@ isdn_ioctl(struct inode *inode, struct f
32384 } iocpar;
32385 void __user *argp = (void __user *)arg;
32386
32387 + pax_track_stack();
32388 +
32389 #define name iocpar.name
32390 #define bname iocpar.bname
32391 #define iocts iocpar.iocts
32392 diff -urNp linux-2.6.32.46/drivers/isdn/icn/icn.c linux-2.6.32.46/drivers/isdn/icn/icn.c
32393 --- linux-2.6.32.46/drivers/isdn/icn/icn.c 2011-03-27 14:31:47.000000000 -0400
32394 +++ linux-2.6.32.46/drivers/isdn/icn/icn.c 2011-04-17 15:56:46.000000000 -0400
32395 @@ -1044,7 +1044,7 @@ icn_writecmd(const u_char * buf, int len
32396 if (count > len)
32397 count = len;
32398 if (user) {
32399 - if (copy_from_user(msg, buf, count))
32400 + if (count > sizeof msg || copy_from_user(msg, buf, count))
32401 return -EFAULT;
32402 } else
32403 memcpy(msg, buf, count);
32404 diff -urNp linux-2.6.32.46/drivers/isdn/mISDN/socket.c linux-2.6.32.46/drivers/isdn/mISDN/socket.c
32405 --- linux-2.6.32.46/drivers/isdn/mISDN/socket.c 2011-03-27 14:31:47.000000000 -0400
32406 +++ linux-2.6.32.46/drivers/isdn/mISDN/socket.c 2011-04-17 15:56:46.000000000 -0400
32407 @@ -391,6 +391,7 @@ data_sock_ioctl(struct socket *sock, uns
32408 if (dev) {
32409 struct mISDN_devinfo di;
32410
32411 + memset(&di, 0, sizeof(di));
32412 di.id = dev->id;
32413 di.Dprotocols = dev->Dprotocols;
32414 di.Bprotocols = dev->Bprotocols | get_all_Bprotocols();
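Review bot: The added `memset(&di, 0, sizeof(di));` deserves a one-line comment, because next to the field assignments that follow it looks redundant and is easy to drop in a later cleanup. Something like `/* clear padding and unset fields: di is copied out to user space */` records the reason; the copy-out itself is outside the hunk, so confirm the wording against the rest of the case. The same applies to the identical addition in base_sock_ioctl below.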
32415 @@ -671,6 +672,7 @@ base_sock_ioctl(struct socket *sock, uns
32416 if (dev) {
32417 struct mISDN_devinfo di;
32418
32419 + memset(&di, 0, sizeof(di));
32420 di.id = dev->id;
32421 di.Dprotocols = dev->Dprotocols;
32422 di.Bprotocols = dev->Bprotocols | get_all_Bprotocols();
32423 diff -urNp linux-2.6.32.46/drivers/isdn/sc/interrupt.c linux-2.6.32.46/drivers/isdn/sc/interrupt.c
32424 --- linux-2.6.32.46/drivers/isdn/sc/interrupt.c 2011-03-27 14:31:47.000000000 -0400
32425 +++ linux-2.6.32.46/drivers/isdn/sc/interrupt.c 2011-04-17 15:56:46.000000000 -0400
32426 @@ -112,11 +112,19 @@ irqreturn_t interrupt_handler(int dummy,
32427 }
32428 else if(callid>=0x0000 && callid<=0x7FFF)
32429 {
32430 + int len;
32431 +
32432 pr_debug("%s: Got Incoming Call\n",
32433 sc_adapter[card]->devicename);
32434 - strcpy(setup.phone,&(rcvmsg.msg_data.byte_array[4]));
32435 - strcpy(setup.eazmsn,
32436 - sc_adapter[card]->channel[rcvmsg.phy_link_no-1].dn);
32437 + len = strlcpy(setup.phone, &(rcvmsg.msg_data.byte_array[4]),
32438 + sizeof(setup.phone));
32439 + if (len >= sizeof(setup.phone))
32440 + continue;
32441 + len = strlcpy(setup.eazmsn,
32442 + sc_adapter[card]->channel[rcvmsg.phy_link_no - 1].dn,
32443 + sizeof(setup.eazmsn));
32444 + if (len >= sizeof(setup.eazmsn))
32445 + continue;
32446 setup.si1 = 7;
32447 setup.si2 = 0;
32448 setup.plan = 0;
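Review bot: `strlcpy()` still scans the source up to its terminator to compute its return value, so bounding the destination does not bound the read from `rcvmsg.msg_data.byte_array`. If the adapter can deliver a message with no NUL in that array (not visible here), the copy reads past it. A length check on the source before copying would close that, e.g. `if (strnlen(&rcvmsg.msg_data.byte_array[4], sizeof(rcvmsg.msg_data.byte_array) - 4) == sizeof(rcvmsg.msg_data.byte_array) - 4) continue;`. Separately, `len` should be `size_t` rather than `int` to match strlcpy's return type. The handler body starts and ends outside the hunk.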
32449 @@ -176,7 +184,9 @@ irqreturn_t interrupt_handler(int dummy,
32450 * Handle a GetMyNumber Rsp
32451 */
32452 if (IS_CE_MESSAGE(rcvmsg,Call,0,GetMyNumber)){
32453 - strcpy(sc_adapter[card]->channel[rcvmsg.phy_link_no-1].dn,rcvmsg.msg_data.byte_array);
32454 + strlcpy(sc_adapter[card]->channel[rcvmsg.phy_link_no - 1].dn,
32455 + rcvmsg.msg_data.byte_array,
32456 + sizeof(rcvmsg.msg_data.byte_array));
32457 continue;
32458 }
32459
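Review bot: The size passed to `strlcpy()` is `sizeof(rcvmsg.msg_data.byte_array)`, which is the source; the bound has to be the destination's, `sizeof(sc_adapter[card]->channel[rcvmsg.phy_link_no - 1].dn)`. If `dn` is smaller than `byte_array` (their sizes are not visible here), the call can still write past `dn`. Unlike the Incoming Call hunk above, the return value is ignored, so a truncated number is stored silently. `rcvmsg.phy_link_no - 1` is also used as an array index with no range check in the hunk.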
32460 diff -urNp linux-2.6.32.46/drivers/lguest/core.c linux-2.6.32.46/drivers/lguest/core.c
32461 --- linux-2.6.32.46/drivers/lguest/core.c 2011-03-27 14:31:47.000000000 -0400
32462 +++ linux-2.6.32.46/drivers/lguest/core.c 2011-04-17 15:56:46.000000000 -0400
32463 @@ -91,9 +91,17 @@ static __init int map_switcher(void)
32464 * it's worked so far. The end address needs +1 because __get_vm_area
32465 * allocates an extra guard page, so we need space for that.
32466 */
32467 +
32468 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
32469 + switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
32470 + VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
32471 + + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
32472 +#else
32473 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
32474 VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
32475 + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
32476 +#endif
32477 +
32478 if (!switcher_vma) {
32479 err = -ENOMEM;
32480 printk("lguest: could not map switcher pages high\n");
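Review bot: The `#if`/`#else` duplicates the whole `__get_vm_area()` call to vary a single flag, so any later change to the size or address arguments has to be made twice, and missing one leaves the KERNEXEC and non-KERNEXEC builds mapping the switcher differently. Keep one call and compute the flags instead: declare `unsigned long flags = VM_ALLOC;` with the function's other locals, put only `flags |= VM_KERNEXEC;` inside the `#if`, and pass `flags` to the single call. map_switcher's declarations are outside the hunk.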
32481 @@ -118,7 +126,7 @@ static __init int map_switcher(void)
32482 * Now the Switcher is mapped at the right address, we can't fail!
32483 * Copy in the compiled-in Switcher code (from <arch>_switcher.S).
32484 */
32485 - memcpy(switcher_vma->addr, start_switcher_text,
32486 + memcpy(switcher_vma->addr, ktla_ktva(start_switcher_text),
32487 end_switcher_text - start_switcher_text);
32488
32489 printk(KERN_INFO "lguest: mapped switcher at %p\n",
32490 diff -urNp linux-2.6.32.46/drivers/lguest/x86/core.c linux-2.6.32.46/drivers/lguest/x86/core.c
32491 --- linux-2.6.32.46/drivers/lguest/x86/core.c 2011-03-27 14:31:47.000000000 -0400
32492 +++ linux-2.6.32.46/drivers/lguest/x86/core.c 2011-04-17 15:56:46.000000000 -0400
32493 @@ -59,7 +59,7 @@ static struct {
32494 /* Offset from where switcher.S was compiled to where we've copied it */
32495 static unsigned long switcher_offset(void)
32496 {
32497 - return SWITCHER_ADDR - (unsigned long)start_switcher_text;
32498 + return SWITCHER_ADDR - (unsigned long)ktla_ktva(start_switcher_text);
32499 }
32500
32501 /* This cpu's struct lguest_pages. */
32502 @@ -100,7 +100,13 @@ static void copy_in_guest_info(struct lg
32503 * These copies are pretty cheap, so we do them unconditionally: */
32504 /* Save the current Host top-level page directory.
32505 */
32506 +
32507 +#ifdef CONFIG_PAX_PER_CPU_PGD
32508 + pages->state.host_cr3 = read_cr3();
32509 +#else
32510 pages->state.host_cr3 = __pa(current->mm->pgd);
32511 +#endif
32512 +
32513 /*
32514 * Set up the Guest's page tables to see this CPU's pages (and no
32515 * other CPU's pages).
32516 @@ -535,7 +541,7 @@ void __init lguest_arch_host_init(void)
32517 * compiled-in switcher code and the high-mapped copy we just made.
32518 */
32519 for (i = 0; i < IDT_ENTRIES; i++)
32520 - default_idt_entries[i] += switcher_offset();
32521 + default_idt_entries[i] = ktla_ktva(default_idt_entries[i]) + switcher_offset();
32522
32523 /*
32524 * Set up the Switcher's per-cpu areas.
32525 @@ -618,7 +624,7 @@ void __init lguest_arch_host_init(void)
32526 * it will be undisturbed when we switch. To change %cs and jump we
32527 * need this structure to feed to Intel's "lcall" instruction.
32528 */
32529 - lguest_entry.offset = (long)switch_to_guest + switcher_offset();
32530 + lguest_entry.offset = (long)ktla_ktva(switch_to_guest) + switcher_offset();
32531 lguest_entry.segment = LGUEST_CS;
32532
32533 /*
32534 diff -urNp linux-2.6.32.46/drivers/lguest/x86/switcher_32.S linux-2.6.32.46/drivers/lguest/x86/switcher_32.S
32535 --- linux-2.6.32.46/drivers/lguest/x86/switcher_32.S 2011-03-27 14:31:47.000000000 -0400
32536 +++ linux-2.6.32.46/drivers/lguest/x86/switcher_32.S 2011-04-17 15:56:46.000000000 -0400
32537 @@ -87,6 +87,7 @@
32538 #include <asm/page.h>
32539 #include <asm/segment.h>
32540 #include <asm/lguest.h>
32541 +#include <asm/processor-flags.h>
32542
32543 // We mark the start of the code to copy
32544 // It's placed in .text tho it's never run here
32545 @@ -149,6 +150,13 @@ ENTRY(switch_to_guest)
32546 // Changes type when we load it: damn Intel!
32547 // For after we switch over our page tables
32548 // That entry will be read-only: we'd crash.
32549 +
32550 +#ifdef CONFIG_PAX_KERNEXEC
32551 + mov %cr0, %edx
32552 + xor $X86_CR0_WP, %edx
32553 + mov %edx, %cr0
32554 +#endif
32555 +
32556 movl $(GDT_ENTRY_TSS*8), %edx
32557 ltr %dx
32558
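Review bot: The CR0 write-protect bit is flipped with `xor $X86_CR0_WP, %edx` rather than cleared, so this block only lifts write protection if WP was set on entry to switch_to_guest. If it were ever entered with WP already clear, this block would set it and the matching `xor` in the next hunk would leave it clear going into the Guest. An explicit `andl $~X86_CR0_WP, %edx` here and `orl $X86_CR0_WP, %eax` in the restore block would make both ends independent of the entry state. A short comment such as `// KERNEXEC: lift CR0.WP while the TSS descriptor is written` would also say why the window exists. switch_to_guest continues outside this hunk, so the entry state itself cannot be confirmed from here.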
32559 @@ -157,9 +165,15 @@ ENTRY(switch_to_guest)
32560 // Let's clear it again for our return.
32561 // The GDT descriptor of the Host
32562 // Points to the table after two "size" bytes
32563 - movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %edx
32564 + movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %eax
32565 // Clear "used" from type field (byte 5, bit 2)
32566 - andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%edx)
32567 + andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%eax)
32568 +
32569 +#ifdef CONFIG_PAX_KERNEXEC
32570 + mov %cr0, %eax
32571 + xor $X86_CR0_WP, %eax
32572 + mov %eax, %cr0
32573 +#endif
32574
32575 // Once our page table's switched, the Guest is live!
32576 // The Host fades as we run this final step.
32577 @@ -295,13 +309,12 @@ deliver_to_host:
32578 // I consulted gcc, and it gave
32579 // These instructions, which I gladly credit:
32580 leal (%edx,%ebx,8), %eax
32581 - movzwl (%eax),%edx
32582 - movl 4(%eax), %eax
32583 - xorw %ax, %ax
32584 - orl %eax, %edx
32585 + movl 4(%eax), %edx
32586 + movw (%eax), %dx
32587 // Now the address of the handler's in %edx
32588 // We call it now: its "iret" drops us home.
32589 - jmp *%edx
32590 + ljmp $__KERNEL_CS, $1f
32591 +1: jmp *%edx
32592
32593 // Every interrupt can come to us here
32594 // But we must truly tell each apart.
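Review bot: The added `ljmp $__KERNEL_CS, $1f` is unconditional and has no comment, while the other two additions to this file are wrapped in `#ifdef CONFIG_PAX_KERNEXEC`. If the %cs reload is only needed for KERNEXEC it should carry the same guard; either way it deserves a line such as `// reload %cs with the host kernel segment before entering the handler`. Because `1f` is resolved at link time while the Switcher runs from its relocated copy, the comment should also say that the jump deliberately lands in the compiled-in text; that reading is inferred from the file's own "never run here" remark and should be confirmed. deliver_to_host starts outside the hunk.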
32595 diff -urNp linux-2.6.32.46/drivers/macintosh/via-pmu-backlight.c linux-2.6.32.46/drivers/macintosh/via-pmu-backlight.c
32596 --- linux-2.6.32.46/drivers/macintosh/via-pmu-backlight.c 2011-03-27 14:31:47.000000000 -0400
32597 +++ linux-2.6.32.46/drivers/macintosh/via-pmu-backlight.c 2011-04-17 15:56:46.000000000 -0400
32598 @@ -15,7 +15,7 @@
32599
32600 #define MAX_PMU_LEVEL 0xFF
32601
32602 -static struct backlight_ops pmu_backlight_data;
32603 +static const struct backlight_ops pmu_backlight_data;
32604 static DEFINE_SPINLOCK(pmu_backlight_lock);
32605 static int sleeping, uses_pmu_bl;
32606 static u8 bl_curve[FB_BACKLIGHT_LEVELS];
32607 @@ -115,7 +115,7 @@ static int pmu_backlight_get_brightness(
32608 return bd->props.brightness;
32609 }
32610
32611 -static struct backlight_ops pmu_backlight_data = {
32612 +static const struct backlight_ops pmu_backlight_data = {
32613 .get_brightness = pmu_backlight_get_brightness,
32614 .update_status = pmu_backlight_update_status,
32615
32616 diff -urNp linux-2.6.32.46/drivers/macintosh/via-pmu.c linux-2.6.32.46/drivers/macintosh/via-pmu.c
32617 --- linux-2.6.32.46/drivers/macintosh/via-pmu.c 2011-03-27 14:31:47.000000000 -0400
32618 +++ linux-2.6.32.46/drivers/macintosh/via-pmu.c 2011-04-17 15:56:46.000000000 -0400
32619 @@ -2232,7 +2232,7 @@ static int pmu_sleep_valid(suspend_state
32620 && (pmac_call_feature(PMAC_FTR_SLEEP_STATE, NULL, 0, -1) >= 0);
32621 }
32622
32623 -static struct platform_suspend_ops pmu_pm_ops = {
32624 +static const struct platform_suspend_ops pmu_pm_ops = {
32625 .enter = powerbook_sleep,
32626 .valid = pmu_sleep_valid,
32627 };
32628 diff -urNp linux-2.6.32.46/drivers/md/dm.c linux-2.6.32.46/drivers/md/dm.c
32629 --- linux-2.6.32.46/drivers/md/dm.c 2011-08-09 18:35:29.000000000 -0400
32630 +++ linux-2.6.32.46/drivers/md/dm.c 2011-08-09 18:33:59.000000000 -0400
32631 @@ -165,9 +165,9 @@ struct mapped_device {
32632 /*
32633 * Event handling.
32634 */
32635 - atomic_t event_nr;
32636 + atomic_unchecked_t event_nr;
32637 wait_queue_head_t eventq;
32638 - atomic_t uevent_seq;
32639 + atomic_unchecked_t uevent_seq;
32640 struct list_head uevent_list;
32641 spinlock_t uevent_lock; /* Protect access to uevent_list */
32642
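Review bot: Switching `event_nr` and `uevent_seq` to `atomic_unchecked_t` opts them out of the overflow detection the patch set applies to plain `atomic_t`, and nothing at the declaration says why that is safe. A comment above the two fields, such as `/* event sequence counters, not reference counts: wraparound is harmless */`, would record the reasoning for the next reader. The later hunks in this file support it, since `event_nr` is only returned or compared with `!=` and `uevent_seq` is only returned as a `uint32_t`. The same remark covers the `_unchecked` accessors in alloc_dev, event_callback, dm_next_uevent_seq, dm_get_event_nr and dm_wait_event.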
32643 @@ -1776,8 +1776,8 @@ static struct mapped_device *alloc_dev(i
32644 rwlock_init(&md->map_lock);
32645 atomic_set(&md->holders, 1);
32646 atomic_set(&md->open_count, 0);
32647 - atomic_set(&md->event_nr, 0);
32648 - atomic_set(&md->uevent_seq, 0);
32649 + atomic_set_unchecked(&md->event_nr, 0);
32650 + atomic_set_unchecked(&md->uevent_seq, 0);
32651 INIT_LIST_HEAD(&md->uevent_list);
32652 spin_lock_init(&md->uevent_lock);
32653
32654 @@ -1927,7 +1927,7 @@ static void event_callback(void *context
32655
32656 dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj);
32657
32658 - atomic_inc(&md->event_nr);
32659 + atomic_inc_unchecked(&md->event_nr);
32660 wake_up(&md->eventq);
32661 }
32662
32663 @@ -2562,18 +2562,18 @@ void dm_kobject_uevent(struct mapped_dev
32664
32665 uint32_t dm_next_uevent_seq(struct mapped_device *md)
32666 {
32667 - return atomic_add_return(1, &md->uevent_seq);
32668 + return atomic_add_return_unchecked(1, &md->uevent_seq);
32669 }
32670
32671 uint32_t dm_get_event_nr(struct mapped_device *md)
32672 {
32673 - return atomic_read(&md->event_nr);
32674 + return atomic_read_unchecked(&md->event_nr);
32675 }
32676
32677 int dm_wait_event(struct mapped_device *md, int event_nr)
32678 {
32679 return wait_event_interruptible(md->eventq,
32680 - (event_nr != atomic_read(&md->event_nr)));
32681 + (event_nr != atomic_read_unchecked(&md->event_nr)));
32682 }
32683
32684 void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
32685 diff -urNp linux-2.6.32.46/drivers/md/dm-ioctl.c linux-2.6.32.46/drivers/md/dm-ioctl.c
32686 --- linux-2.6.32.46/drivers/md/dm-ioctl.c 2011-03-27 14:31:47.000000000 -0400
32687 +++ linux-2.6.32.46/drivers/md/dm-ioctl.c 2011-04-17 15:56:46.000000000 -0400
32688 @@ -1437,7 +1437,7 @@ static int validate_params(uint cmd, str
32689 cmd == DM_LIST_VERSIONS_CMD)
32690 return 0;
32691
32692 - if ((cmd == DM_DEV_CREATE_CMD)) {
32693 + if (cmd == DM_DEV_CREATE_CMD) {
32694 if (!*param->name) {
32695 DMWARN("name not supplied when creating device");
32696 return -EINVAL;
32697 diff -urNp linux-2.6.32.46/drivers/md/dm-raid1.c linux-2.6.32.46/drivers/md/dm-raid1.c
32698 --- linux-2.6.32.46/drivers/md/dm-raid1.c 2011-03-27 14:31:47.000000000 -0400
32699 +++ linux-2.6.32.46/drivers/md/dm-raid1.c 2011-05-04 17:56:28.000000000 -0400
32700 @@ -41,7 +41,7 @@ enum dm_raid1_error {
32701
32702 struct mirror {
32703 struct mirror_set *ms;
32704 - atomic_t error_count;
32705 + atomic_unchecked_t error_count;
32706 unsigned long error_type;
32707 struct dm_dev *dev;
32708 sector_t offset;
32709 @@ -203,7 +203,7 @@ static void fail_mirror(struct mirror *m
32710 * simple way to tell if a device has encountered
32711 * errors.
32712 */
32713 - atomic_inc(&m->error_count);
32714 + atomic_inc_unchecked(&m->error_count);
32715
32716 if (test_and_set_bit(error_type, &m->error_type))
32717 return;
32718 @@ -225,7 +225,7 @@ static void fail_mirror(struct mirror *m
32719 }
32720
32721 for (new = ms->mirror; new < ms->mirror + ms->nr_mirrors; new++)
32722 - if (!atomic_read(&new->error_count)) {
32723 + if (!atomic_read_unchecked(&new->error_count)) {
32724 set_default_mirror(new);
32725 break;
32726 }
32727 @@ -363,7 +363,7 @@ static struct mirror *choose_mirror(stru
32728 struct mirror *m = get_default_mirror(ms);
32729
32730 do {
32731 - if (likely(!atomic_read(&m->error_count)))
32732 + if (likely(!atomic_read_unchecked(&m->error_count)))
32733 return m;
32734
32735 if (m-- == ms->mirror)
32736 @@ -377,7 +377,7 @@ static int default_ok(struct mirror *m)
32737 {
32738 struct mirror *default_mirror = get_default_mirror(m->ms);
32739
32740 - return !atomic_read(&default_mirror->error_count);
32741 + return !atomic_read_unchecked(&default_mirror->error_count);
32742 }
32743
32744 static int mirror_available(struct mirror_set *ms, struct bio *bio)
32745 @@ -484,7 +484,7 @@ static void do_reads(struct mirror_set *
32746 */
32747 if (likely(region_in_sync(ms, region, 1)))
32748 m = choose_mirror(ms, bio->bi_sector);
32749 - else if (m && atomic_read(&m->error_count))
32750 + else if (m && atomic_read_unchecked(&m->error_count))
32751 m = NULL;
32752
32753 if (likely(m))
32754 @@ -855,7 +855,7 @@ static int get_mirror(struct mirror_set
32755 }
32756
32757 ms->mirror[mirror].ms = ms;
32758 - atomic_set(&(ms->mirror[mirror].error_count), 0);
32759 + atomic_set_unchecked(&(ms->mirror[mirror].error_count), 0);
32760 ms->mirror[mirror].error_type = 0;
32761 ms->mirror[mirror].offset = offset;
32762
32763 @@ -1241,7 +1241,7 @@ static void mirror_resume(struct dm_targ
32764 */
32765 static char device_status_char(struct mirror *m)
32766 {
32767 - if (!atomic_read(&(m->error_count)))
32768 + if (!atomic_read_unchecked(&(m->error_count)))
32769 return 'A';
32770
32771 return (test_bit(DM_RAID1_WRITE_ERROR, &(m->error_type))) ? 'D' :
32772 diff -urNp linux-2.6.32.46/drivers/md/dm-stripe.c linux-2.6.32.46/drivers/md/dm-stripe.c
32773 --- linux-2.6.32.46/drivers/md/dm-stripe.c 2011-03-27 14:31:47.000000000 -0400
32774 +++ linux-2.6.32.46/drivers/md/dm-stripe.c 2011-05-04 17:56:28.000000000 -0400
32775 @@ -20,7 +20,7 @@ struct stripe {
32776 struct dm_dev *dev;
32777 sector_t physical_start;
32778
32779 - atomic_t error_count;
32780 + atomic_unchecked_t error_count;
32781 };
32782
32783 struct stripe_c {
32784 @@ -188,7 +188,7 @@ static int stripe_ctr(struct dm_target *
32785 kfree(sc);
32786 return r;
32787 }
32788 - atomic_set(&(sc->stripe[i].error_count), 0);
32789 + atomic_set_unchecked(&(sc->stripe[i].error_count), 0);
32790 }
32791
32792 ti->private = sc;
32793 @@ -257,7 +257,7 @@ static int stripe_status(struct dm_targe
32794 DMEMIT("%d ", sc->stripes);
32795 for (i = 0; i < sc->stripes; i++) {
32796 DMEMIT("%s ", sc->stripe[i].dev->name);
32797 - buffer[i] = atomic_read(&(sc->stripe[i].error_count)) ?
32798 + buffer[i] = atomic_read_unchecked(&(sc->stripe[i].error_count)) ?
32799 'D' : 'A';
32800 }
32801 buffer[i] = '\0';
32802 @@ -304,8 +304,8 @@ static int stripe_end_io(struct dm_targe
32803 */
32804 for (i = 0; i < sc->stripes; i++)
32805 if (!strcmp(sc->stripe[i].dev->name, major_minor)) {
32806 - atomic_inc(&(sc->stripe[i].error_count));
32807 - if (atomic_read(&(sc->stripe[i].error_count)) <
32808 + atomic_inc_unchecked(&(sc->stripe[i].error_count));
32809 + if (atomic_read_unchecked(&(sc->stripe[i].error_count)) <
32810 DM_IO_ERROR_THRESHOLD)
32811 queue_work(kstriped, &sc->kstriped_ws);
32812 }
32813 diff -urNp linux-2.6.32.46/drivers/md/dm-sysfs.c linux-2.6.32.46/drivers/md/dm-sysfs.c
32814 --- linux-2.6.32.46/drivers/md/dm-sysfs.c 2011-03-27 14:31:47.000000000 -0400
32815 +++ linux-2.6.32.46/drivers/md/dm-sysfs.c 2011-04-17 15:56:46.000000000 -0400
32816 @@ -75,7 +75,7 @@ static struct attribute *dm_attrs[] = {
32817 NULL,
32818 };
32819
32820 -static struct sysfs_ops dm_sysfs_ops = {
32821 +static const struct sysfs_ops dm_sysfs_ops = {
32822 .show = dm_attr_show,
32823 };
32824
32825 diff -urNp linux-2.6.32.46/drivers/md/dm-table.c linux-2.6.32.46/drivers/md/dm-table.c
32826 --- linux-2.6.32.46/drivers/md/dm-table.c 2011-06-25 12:55:34.000000000 -0400
32827 +++ linux-2.6.32.46/drivers/md/dm-table.c 2011-06-25 12:56:37.000000000 -0400
32828 @@ -376,7 +376,7 @@ static int device_area_is_invalid(struct
32829 if (!dev_size)
32830 return 0;
32831
32832 - if ((start >= dev_size) || (start + len > dev_size)) {
32833 + if ((start >= dev_size) || (len > dev_size - start)) {
32834 DMWARN("%s: %s too small for target: "
32835 "start=%llu, len=%llu, dev_size=%llu",
32836 dm_device_name(ti->table->md), bdevname(bdev, b),
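Review bot: The rewritten bound `len > dev_size - start` carries no comment, so a later cleanup could easily turn it back into `start + len > dev_size`, which can wrap for large values. A comment above the `if`, such as `/* written as a subtraction: start + len can wrap; start < dev_size is tested first */`, would keep the intent visible. The subtraction is safe from underflow only because the `start >= dev_size` test short-circuits first, so the order of the two `||` operands matters and is worth stating. The declarations are outside the hunk; the `%llu` formats suggest unsigned 64-bit values, but that should be confirmed.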
32837 diff -urNp linux-2.6.32.46/drivers/md/md.c linux-2.6.32.46/drivers/md/md.c
32838 --- linux-2.6.32.46/drivers/md/md.c 2011-07-13 17:23:04.000000000 -0400
32839 +++ linux-2.6.32.46/drivers/md/md.c 2011-07-13 17:23:18.000000000 -0400
32840 @@ -153,10 +153,10 @@ static int start_readonly;
32841 * start build, activate spare
32842 */
32843 static DECLARE_WAIT_QUEUE_HEAD(md_event_waiters);
32844 -static atomic_t md_event_count;
32845 +static atomic_unchecked_t md_event_count;
32846 void md_new_event(mddev_t *mddev)
32847 {
32848 - atomic_inc(&md_event_count);
32849 + atomic_inc_unchecked(&md_event_count);
32850 wake_up(&md_event_waiters);
32851 }
32852 EXPORT_SYMBOL_GPL(md_new_event);
32853 @@ -166,7 +166,7 @@ EXPORT_SYMBOL_GPL(md_new_event);
32854 */
32855 static void md_new_event_inintr(mddev_t *mddev)
32856 {
32857 - atomic_inc(&md_event_count);
32858 + atomic_inc_unchecked(&md_event_count);
32859 wake_up(&md_event_waiters);
32860 }
32861
32862 @@ -1218,7 +1218,7 @@ static int super_1_load(mdk_rdev_t *rdev
32863
32864 rdev->preferred_minor = 0xffff;
32865 rdev->data_offset = le64_to_cpu(sb->data_offset);
32866 - atomic_set(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
32867 + atomic_set_unchecked(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
32868
32869 rdev->sb_size = le32_to_cpu(sb->max_dev) * 2 + 256;
32870 bmask = queue_logical_block_size(rdev->bdev->bd_disk->queue)-1;
32871 @@ -1392,7 +1392,7 @@ static void super_1_sync(mddev_t *mddev,
32872 else
32873 sb->resync_offset = cpu_to_le64(0);
32874
32875 - sb->cnt_corrected_read = cpu_to_le32(atomic_read(&rdev->corrected_errors));
32876 + sb->cnt_corrected_read = cpu_to_le32(atomic_read_unchecked(&rdev->corrected_errors));
32877
32878 sb->raid_disks = cpu_to_le32(mddev->raid_disks);
32879 sb->size = cpu_to_le64(mddev->dev_sectors);
32880 @@ -2214,7 +2214,7 @@ __ATTR(state, S_IRUGO|S_IWUSR, state_sho
32881 static ssize_t
32882 errors_show(mdk_rdev_t *rdev, char *page)
32883 {
32884 - return sprintf(page, "%d\n", atomic_read(&rdev->corrected_errors));
32885 + return sprintf(page, "%d\n", atomic_read_unchecked(&rdev->corrected_errors));
32886 }
32887
32888 static ssize_t
32889 @@ -2223,7 +2223,7 @@ errors_store(mdk_rdev_t *rdev, const cha
32890 char *e;
32891 unsigned long n = simple_strtoul(buf, &e, 10);
32892 if (*buf && (*e == 0 || *e == '\n')) {
32893 - atomic_set(&rdev->corrected_errors, n);
32894 + atomic_set_unchecked(&rdev->corrected_errors, n);
32895 return len;
32896 }
32897 return -EINVAL;
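Review bot: `n` is an `unsigned long` parsed from the sysfs write and is passed straight to `atomic_set_unchecked()`, whose value argument is an `int`. On 64-bit builds anything above INT_MAX is silently truncated, and `errors_show` in the previous hunk prints the result with `%d`, so it can appear negative. Since the counter is now exempt from overflow checking, a range check before the store would be cheap: `if (n > INT_MAX) return -EINVAL;`. The start of errors_store is outside the hunk.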
32898 @@ -2517,7 +2517,7 @@ static void rdev_free(struct kobject *ko
32899 mdk_rdev_t *rdev = container_of(ko, mdk_rdev_t, kobj);
32900 kfree(rdev);
32901 }
32902 -static struct sysfs_ops rdev_sysfs_ops = {
32903 +static const struct sysfs_ops rdev_sysfs_ops = {
32904 .show = rdev_attr_show,
32905 .store = rdev_attr_store,
32906 };
32907 @@ -2566,8 +2566,8 @@ static mdk_rdev_t *md_import_device(dev_
32908 rdev->data_offset = 0;
32909 rdev->sb_events = 0;
32910 atomic_set(&rdev->nr_pending, 0);
32911 - atomic_set(&rdev->read_errors, 0);
32912 - atomic_set(&rdev->corrected_errors, 0);
32913 + atomic_set_unchecked(&rdev->read_errors, 0);
32914 + atomic_set_unchecked(&rdev->corrected_errors, 0);
32915
32916 size = rdev->bdev->bd_inode->i_size >> BLOCK_SIZE_BITS;
32917 if (!size) {
32918 @@ -3887,7 +3887,7 @@ static void md_free(struct kobject *ko)
32919 kfree(mddev);
32920 }
32921
32922 -static struct sysfs_ops md_sysfs_ops = {
32923 +static const struct sysfs_ops md_sysfs_ops = {
32924 .show = md_attr_show,
32925 .store = md_attr_store,
32926 };
32927 @@ -4474,7 +4474,8 @@ out:
32928 err = 0;
32929 blk_integrity_unregister(disk);
32930 md_new_event(mddev);
32931 - sysfs_notify_dirent(mddev->sysfs_state);
32932 + if (mddev->sysfs_state)
32933 + sysfs_notify_dirent(mddev->sysfs_state);
32934 return err;
32935 }
32936
32937 @@ -5954,7 +5955,7 @@ static int md_seq_show(struct seq_file *
32938
32939 spin_unlock(&pers_lock);
32940 seq_printf(seq, "\n");
32941 - mi->event = atomic_read(&md_event_count);
32942 + mi->event = atomic_read_unchecked(&md_event_count);
32943 return 0;
32944 }
32945 if (v == (void*)2) {
32946 @@ -6043,7 +6044,7 @@ static int md_seq_show(struct seq_file *
32947 chunk_kb ? "KB" : "B");
32948 if (bitmap->file) {
32949 seq_printf(seq, ", file: ");
32950 - seq_path(seq, &bitmap->file->f_path, " \t\n");
32951 + seq_path(seq, &bitmap->file->f_path, " \t\n\\");
32952 }
32953
32954 seq_printf(seq, "\n");
32955 @@ -6077,7 +6078,7 @@ static int md_seq_open(struct inode *ino
32956 else {
32957 struct seq_file *p = file->private_data;
32958 p->private = mi;
32959 - mi->event = atomic_read(&md_event_count);
32960 + mi->event = atomic_read_unchecked(&md_event_count);
32961 }
32962 return error;
32963 }
32964 @@ -6093,7 +6094,7 @@ static unsigned int mdstat_poll(struct f
32965 /* always allow read */
32966 mask = POLLIN | POLLRDNORM;
32967
32968 - if (mi->event != atomic_read(&md_event_count))
32969 + if (mi->event != atomic_read_unchecked(&md_event_count))
32970 mask |= POLLERR | POLLPRI;
32971 return mask;
32972 }
32973 @@ -6137,7 +6138,7 @@ static int is_mddev_idle(mddev_t *mddev,
32974 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
32975 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
32976 (int)part_stat_read(&disk->part0, sectors[1]) -
32977 - atomic_read(&disk->sync_io);
32978 + atomic_read_unchecked(&disk->sync_io);
32979 /* sync IO will cause sync_io to increase before the disk_stats
32980 * as sync_io is counted when a request starts, and
32981 * disk_stats is counted when it completes.
32982 diff -urNp linux-2.6.32.46/drivers/md/md.h linux-2.6.32.46/drivers/md/md.h
32983 --- linux-2.6.32.46/drivers/md/md.h 2011-03-27 14:31:47.000000000 -0400
32984 +++ linux-2.6.32.46/drivers/md/md.h 2011-05-04 17:56:20.000000000 -0400
32985 @@ -94,10 +94,10 @@ struct mdk_rdev_s
32986 * only maintained for arrays that
32987 * support hot removal
32988 */
32989 - atomic_t read_errors; /* number of consecutive read errors that
32990 + atomic_unchecked_t read_errors; /* number of consecutive read errors that
32991 * we have tried to ignore.
32992 */
32993 - atomic_t corrected_errors; /* number of corrected read errors,
32994 + atomic_unchecked_t corrected_errors; /* number of corrected read errors,
32995 * for reporting to userspace and storing
32996 * in superblock.
32997 */
32998 @@ -304,7 +304,7 @@ static inline void rdev_dec_pending(mdk_
32999
33000 static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
33001 {
33002 - atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
33003 + atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
33004 }
33005
33006 struct mdk_personality
33007 diff -urNp linux-2.6.32.46/drivers/md/raid10.c linux-2.6.32.46/drivers/md/raid10.c
33008 --- linux-2.6.32.46/drivers/md/raid10.c 2011-03-27 14:31:47.000000000 -0400
33009 +++ linux-2.6.32.46/drivers/md/raid10.c 2011-05-04 17:56:28.000000000 -0400
33010 @@ -1255,7 +1255,7 @@ static void end_sync_read(struct bio *bi
33011 if (test_bit(BIO_UPTODATE, &bio->bi_flags))
33012 set_bit(R10BIO_Uptodate, &r10_bio->state);
33013 else {
33014 - atomic_add(r10_bio->sectors,
33015 + atomic_add_unchecked(r10_bio->sectors,
33016 &conf->mirrors[d].rdev->corrected_errors);
33017 if (!test_bit(MD_RECOVERY_SYNC, &conf->mddev->recovery))
33018 md_error(r10_bio->mddev,
33019 @@ -1520,7 +1520,7 @@ static void fix_read_error(conf_t *conf,
33020 test_bit(In_sync, &rdev->flags)) {
33021 atomic_inc(&rdev->nr_pending);
33022 rcu_read_unlock();
33023 - atomic_add(s, &rdev->corrected_errors);
33024 + atomic_add_unchecked(s, &rdev->corrected_errors);
33025 if (sync_page_io(rdev->bdev,
33026 r10_bio->devs[sl].addr +
33027 sect + rdev->data_offset,
33028 diff -urNp linux-2.6.32.46/drivers/md/raid1.c linux-2.6.32.46/drivers/md/raid1.c
33029 --- linux-2.6.32.46/drivers/md/raid1.c 2011-03-27 14:31:47.000000000 -0400
33030 +++ linux-2.6.32.46/drivers/md/raid1.c 2011-05-04 17:56:28.000000000 -0400
33031 @@ -1415,7 +1415,7 @@ static void sync_request_write(mddev_t *
33032 if (r1_bio->bios[d]->bi_end_io != end_sync_read)
33033 continue;
33034 rdev = conf->mirrors[d].rdev;
33035 - atomic_add(s, &rdev->corrected_errors);
33036 + atomic_add_unchecked(s, &rdev->corrected_errors);
33037 if (sync_page_io(rdev->bdev,
33038 sect + rdev->data_offset,
33039 s<<9,
33040 @@ -1564,7 +1564,7 @@ static void fix_read_error(conf_t *conf,
33041 /* Well, this device is dead */
33042 md_error(mddev, rdev);
33043 else {
33044 - atomic_add(s, &rdev->corrected_errors);
33045 + atomic_add_unchecked(s, &rdev->corrected_errors);
33046 printk(KERN_INFO
33047 "raid1:%s: read error corrected "
33048 "(%d sectors at %llu on %s)\n",
33049 diff -urNp linux-2.6.32.46/drivers/md/raid5.c linux-2.6.32.46/drivers/md/raid5.c
33050 --- linux-2.6.32.46/drivers/md/raid5.c 2011-06-25 12:55:34.000000000 -0400
33051 +++ linux-2.6.32.46/drivers/md/raid5.c 2011-06-25 12:58:39.000000000 -0400
33052 @@ -482,7 +482,7 @@ static void ops_run_io(struct stripe_hea
33053 bi->bi_next = NULL;
33054 if ((rw & WRITE) &&
33055 test_bit(R5_ReWrite, &sh->dev[i].flags))
33056 - atomic_add(STRIPE_SECTORS,
33057 + atomic_add_unchecked(STRIPE_SECTORS,
33058 &rdev->corrected_errors);
33059 generic_make_request(bi);
33060 } else {
33061 @@ -1517,15 +1517,15 @@ static void raid5_end_read_request(struc
33062 clear_bit(R5_ReadError, &sh->dev[i].flags);
33063 clear_bit(R5_ReWrite, &sh->dev[i].flags);
33064 }
33065 - if (atomic_read(&conf->disks[i].rdev->read_errors))
33066 - atomic_set(&conf->disks[i].rdev->read_errors, 0);
33067 + if (atomic_read_unchecked(&conf->disks[i].rdev->read_errors))
33068 + atomic_set_unchecked(&conf->disks[i].rdev->read_errors, 0);
33069 } else {
33070 const char *bdn = bdevname(conf->disks[i].rdev->bdev, b);
33071 int retry = 0;
33072 rdev = conf->disks[i].rdev;
33073
33074 clear_bit(R5_UPTODATE, &sh->dev[i].flags);
33075 - atomic_inc(&rdev->read_errors);
33076 + atomic_inc_unchecked(&rdev->read_errors);
33077 if (conf->mddev->degraded >= conf->max_degraded)
33078 printk_rl(KERN_WARNING
33079 "raid5:%s: read error not correctable "
33080 @@ -1543,7 +1543,7 @@ static void raid5_end_read_request(struc
33081 (unsigned long long)(sh->sector
33082 + rdev->data_offset),
33083 bdn);
33084 - else if (atomic_read(&rdev->read_errors)
33085 + else if (atomic_read_unchecked(&rdev->read_errors)
33086 > conf->max_nr_stripes)
33087 printk(KERN_WARNING
33088 "raid5:%s: Too many read errors, failing device %s.\n",
33089 @@ -1870,6 +1870,7 @@ static sector_t compute_blocknr(struct s
33090 sector_t r_sector;
33091 struct stripe_head sh2;
33092
33093 + pax_track_stack();
33094
33095 chunk_offset = sector_div(new_sector, sectors_per_chunk);
33096 stripe = new_sector;
33097 diff -urNp linux-2.6.32.46/drivers/media/common/saa7146_hlp.c linux-2.6.32.46/drivers/media/common/saa7146_hlp.c
33098 --- linux-2.6.32.46/drivers/media/common/saa7146_hlp.c 2011-03-27 14:31:47.000000000 -0400
33099 +++ linux-2.6.32.46/drivers/media/common/saa7146_hlp.c 2011-05-16 21:46:57.000000000 -0400
33100 @@ -353,6 +353,8 @@ static void calculate_clipping_registers
33101
33102 int x[32], y[32], w[32], h[32];
33103
33104 + pax_track_stack();
33105 +
33106 /* clear out memory */
33107 memset(&line_list[0], 0x00, sizeof(u32)*32);
33108 memset(&pixel_list[0], 0x00, sizeof(u32)*32);
33109 diff -urNp linux-2.6.32.46/drivers/media/dvb/dvb-core/dvb_ca_en50221.c linux-2.6.32.46/drivers/media/dvb/dvb-core/dvb_ca_en50221.c
33110 --- linux-2.6.32.46/drivers/media/dvb/dvb-core/dvb_ca_en50221.c 2011-03-27 14:31:47.000000000 -0400
33111 +++ linux-2.6.32.46/drivers/media/dvb/dvb-core/dvb_ca_en50221.c 2011-05-16 21:46:57.000000000 -0400
33112 @@ -590,6 +590,8 @@ static int dvb_ca_en50221_read_data(stru
33113 u8 buf[HOST_LINK_BUF_SIZE];
33114 int i;
33115
33116 + pax_track_stack();
33117 +
33118 dprintk("%s\n", __func__);
33119
33120 /* check if we have space for a link buf in the rx_buffer */
33121 @@ -1285,6 +1287,8 @@ static ssize_t dvb_ca_en50221_io_write(s
33122 unsigned long timeout;
33123 int written;
33124
33125 + pax_track_stack();
33126 +
33127 dprintk("%s\n", __func__);
33128
33129 /* Incoming packet has a 2 byte header. hdr[0] = slot_id, hdr[1] = connection_id */
33130 diff -urNp linux-2.6.32.46/drivers/media/dvb/dvb-core/dvb_demux.h linux-2.6.32.46/drivers/media/dvb/dvb-core/dvb_demux.h
33131 --- linux-2.6.32.46/drivers/media/dvb/dvb-core/dvb_demux.h 2011-03-27 14:31:47.000000000 -0400
33132 +++ linux-2.6.32.46/drivers/media/dvb/dvb-core/dvb_demux.h 2011-08-05 20:33:55.000000000 -0400
33133 @@ -71,7 +71,7 @@ struct dvb_demux_feed {
33134 union {
33135 dmx_ts_cb ts;
33136 dmx_section_cb sec;
33137 - } cb;
33138 + } __no_const cb;
33139
33140 struct dvb_demux *demux;
33141 void *priv;
33142 diff -urNp linux-2.6.32.46/drivers/media/dvb/dvb-core/dvbdev.c linux-2.6.32.46/drivers/media/dvb/dvb-core/dvbdev.c
33143 --- linux-2.6.32.46/drivers/media/dvb/dvb-core/dvbdev.c 2011-03-27 14:31:47.000000000 -0400
33144 +++ linux-2.6.32.46/drivers/media/dvb/dvb-core/dvbdev.c 2011-08-23 21:22:32.000000000 -0400
33145 @@ -191,7 +191,7 @@ int dvb_register_device(struct dvb_adapt
33146 const struct dvb_device *template, void *priv, int type)
33147 {
33148 struct dvb_device *dvbdev;
33149 - struct file_operations *dvbdevfops;
33150 + file_operations_no_const *dvbdevfops;
33151 struct device *clsdev;
33152 int minor;
33153 int id;
33154 diff -urNp linux-2.6.32.46/drivers/media/dvb/dvb-usb/cxusb.c linux-2.6.32.46/drivers/media/dvb/dvb-usb/cxusb.c
33155 --- linux-2.6.32.46/drivers/media/dvb/dvb-usb/cxusb.c 2011-03-27 14:31:47.000000000 -0400
33156 +++ linux-2.6.32.46/drivers/media/dvb/dvb-usb/cxusb.c 2011-08-05 20:33:55.000000000 -0400
33157 @@ -1040,7 +1040,7 @@ static struct dib0070_config dib7070p_di
33158 struct dib0700_adapter_state {
33159 int (*set_param_save) (struct dvb_frontend *,
33160 struct dvb_frontend_parameters *);
33161 -};
33162 +} __no_const;
33163
33164 static int dib7070_set_param_override(struct dvb_frontend *fe,
33165 struct dvb_frontend_parameters *fep)
33166 diff -urNp linux-2.6.32.46/drivers/media/dvb/dvb-usb/dib0700_core.c linux-2.6.32.46/drivers/media/dvb/dvb-usb/dib0700_core.c
33167 --- linux-2.6.32.46/drivers/media/dvb/dvb-usb/dib0700_core.c 2011-03-27 14:31:47.000000000 -0400
33168 +++ linux-2.6.32.46/drivers/media/dvb/dvb-usb/dib0700_core.c 2011-05-16 21:46:57.000000000 -0400
33169 @@ -332,6 +332,8 @@ int dib0700_download_firmware(struct usb
33170
33171 u8 buf[260];
33172
33173 + pax_track_stack();
33174 +
33175 while ((ret = dvb_usb_get_hexline(fw, &hx, &pos)) > 0) {
33176 deb_fwdata("writing to address 0x%08x (buffer: 0x%02x %02x)\n",hx.addr, hx.len, hx.chk);
33177
33178 diff -urNp linux-2.6.32.46/drivers/media/dvb/dvb-usb/dib0700_devices.c linux-2.6.32.46/drivers/media/dvb/dvb-usb/dib0700_devices.c
33179 --- linux-2.6.32.46/drivers/media/dvb/dvb-usb/dib0700_devices.c 2011-05-10 22:12:01.000000000 -0400
33180 +++ linux-2.6.32.46/drivers/media/dvb/dvb-usb/dib0700_devices.c 2011-08-05 20:33:55.000000000 -0400
33181 @@ -28,7 +28,7 @@ MODULE_PARM_DESC(force_lna_activation, "
33182
33183 struct dib0700_adapter_state {
33184 int (*set_param_save) (struct dvb_frontend *, struct dvb_frontend_parameters *);
33185 -};
33186 +} __no_const;
33187
33188 /* Hauppauge Nova-T 500 (aka Bristol)
33189 * has a LNA on GPIO0 which is enabled by setting 1 */
33190 diff -urNp linux-2.6.32.46/drivers/media/dvb/frontends/dib3000.h linux-2.6.32.46/drivers/media/dvb/frontends/dib3000.h
33191 --- linux-2.6.32.46/drivers/media/dvb/frontends/dib3000.h 2011-03-27 14:31:47.000000000 -0400
33192 +++ linux-2.6.32.46/drivers/media/dvb/frontends/dib3000.h 2011-08-05 20:33:55.000000000 -0400
33193 @@ -39,7 +39,7 @@ struct dib_fe_xfer_ops
33194 int (*fifo_ctrl)(struct dvb_frontend *fe, int onoff);
33195 int (*pid_ctrl)(struct dvb_frontend *fe, int index, int pid, int onoff);
33196 int (*tuner_pass_ctrl)(struct dvb_frontend *fe, int onoff, u8 pll_ctrl);
33197 -};
33198 +} __no_const;
33199
33200 #if defined(CONFIG_DVB_DIB3000MB) || (defined(CONFIG_DVB_DIB3000MB_MODULE) && defined(MODULE))
33201 extern struct dvb_frontend* dib3000mb_attach(const struct dib3000_config* config,
33202 diff -urNp linux-2.6.32.46/drivers/media/dvb/frontends/or51211.c linux-2.6.32.46/drivers/media/dvb/frontends/or51211.c
33203 --- linux-2.6.32.46/drivers/media/dvb/frontends/or51211.c 2011-03-27 14:31:47.000000000 -0400
33204 +++ linux-2.6.32.46/drivers/media/dvb/frontends/or51211.c 2011-05-16 21:46:57.000000000 -0400
33205 @@ -113,6 +113,8 @@ static int or51211_load_firmware (struct
33206 u8 tudata[585];
33207 int i;
33208
33209 + pax_track_stack();
33210 +
33211 dprintk("Firmware is %zd bytes\n",fw->size);
33212
33213 /* Get eprom data */
33214 diff -urNp linux-2.6.32.46/drivers/media/radio/radio-cadet.c linux-2.6.32.46/drivers/media/radio/radio-cadet.c
33215 --- linux-2.6.32.46/drivers/media/radio/radio-cadet.c 2011-03-27 14:31:47.000000000 -0400
33216 +++ linux-2.6.32.46/drivers/media/radio/radio-cadet.c 2011-04-17 15:56:46.000000000 -0400
33217 @@ -347,7 +347,7 @@ static ssize_t cadet_read(struct file *f
33218 while (i < count && dev->rdsin != dev->rdsout)
33219 readbuf[i++] = dev->rdsbuf[dev->rdsout++];
33220
33221 - if (copy_to_user(data, readbuf, i))
33222 + if (i > sizeof readbuf || copy_to_user(data, readbuf, i))
33223 return -EFAULT;
33224 return i;
33225 }
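Review bot: The added `i > sizeof readbuf` test runs after the loop above it has already stored into `readbuf[i++]`, so if `i` could exceed the buffer, the out-of-bounds write has happened before the copy is rejected. The loop is bounded only by the caller-supplied `count` and the ring indices, so the limit belongs in the loop condition: `while (i < count && i < sizeof readbuf && dev->rdsin != dev->rdsout)`. The declarations of `readbuf`, `i` and the ring indices are outside the hunk, so whether the ring size already caps `i` cannot be confirmed from here. If `i` is a signed int, the comparison with `sizeof` is also a signed/unsigned mix that holds only while `i` is non-negative.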
33226 diff -urNp linux-2.6.32.46/drivers/media/video/cx18/cx18-driver.c linux-2.6.32.46/drivers/media/video/cx18/cx18-driver.c
33227 --- linux-2.6.32.46/drivers/media/video/cx18/cx18-driver.c 2011-03-27 14:31:47.000000000 -0400
33228 +++ linux-2.6.32.46/drivers/media/video/cx18/cx18-driver.c 2011-05-16 21:46:57.000000000 -0400
33229 @@ -56,7 +56,7 @@ static struct pci_device_id cx18_pci_tbl
33230
33231 MODULE_DEVICE_TABLE(pci, cx18_pci_tbl);
33232
33233 -static atomic_t cx18_instance = ATOMIC_INIT(0);
33234 +static atomic_unchecked_t cx18_instance = ATOMIC_INIT(0);
33235
33236 /* Parameter declarations */
33237 static int cardtype[CX18_MAX_CARDS];
33238 @@ -288,6 +288,8 @@ void cx18_read_eeprom(struct cx18 *cx, s
33239 struct i2c_client c;
33240 u8 eedata[256];
33241
33242 + pax_track_stack();
33243 +
33244 memset(&c, 0, sizeof(c));
33245 strlcpy(c.name, "cx18 tveeprom tmp", sizeof(c.name));
33246 c.adapter = &cx->i2c_adap[0];
33247 @@ -800,7 +802,7 @@ static int __devinit cx18_probe(struct p
33248 struct cx18 *cx;
33249
33250 /* FIXME - module parameter arrays constrain max instances */
33251 - i = atomic_inc_return(&cx18_instance) - 1;
33252 + i = atomic_inc_return_unchecked(&cx18_instance) - 1;
33253 if (i >= CX18_MAX_CARDS) {
33254 printk(KERN_ERR "cx18: cannot manage card %d, driver has a "
33255 "limit of 0 - %d\n", i, CX18_MAX_CARDS - 1);
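Review bot: With `cx18_instance` now unchecked, the range test `if (i >= CX18_MAX_CARDS)` guards only the upper end. If the counter ever wrapped, `i` would be negative (assuming it is a signed int, as the `%d` suggests) and would pass the test. The visible code only ever increments the counter, so `if (i < 0 || i >= CX18_MAX_CARDS)` is a cheap way to keep a wrapped value from being treated as a valid card number. How `i` is used afterwards is outside the hunk.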
33256 diff -urNp linux-2.6.32.46/drivers/media/video/ivtv/ivtv-driver.c linux-2.6.32.46/drivers/media/video/ivtv/ivtv-driver.c
33257 --- linux-2.6.32.46/drivers/media/video/ivtv/ivtv-driver.c 2011-03-27 14:31:47.000000000 -0400
33258 +++ linux-2.6.32.46/drivers/media/video/ivtv/ivtv-driver.c 2011-05-04 17:56:28.000000000 -0400
33259 @@ -79,7 +79,7 @@ static struct pci_device_id ivtv_pci_tbl
33260 MODULE_DEVICE_TABLE(pci,ivtv_pci_tbl);
33261
33262 /* ivtv instance counter */
33263 -static atomic_t ivtv_instance = ATOMIC_INIT(0);
33264 +static atomic_unchecked_t ivtv_instance = ATOMIC_INIT(0);
33265
33266 /* Parameter declarations */
33267 static int cardtype[IVTV_MAX_CARDS];
33268 diff -urNp linux-2.6.32.46/drivers/media/video/omap24xxcam.c linux-2.6.32.46/drivers/media/video/omap24xxcam.c
33269 --- linux-2.6.32.46/drivers/media/video/omap24xxcam.c 2011-03-27 14:31:47.000000000 -0400
33270 +++ linux-2.6.32.46/drivers/media/video/omap24xxcam.c 2011-05-04 17:56:28.000000000 -0400
33271 @@ -401,7 +401,7 @@ static void omap24xxcam_vbq_complete(str
33272 spin_unlock_irqrestore(&cam->core_enable_disable_lock, flags);
33273
33274 do_gettimeofday(&vb->ts);
33275 - vb->field_count = atomic_add_return(2, &fh->field_count);
33276 + vb->field_count = atomic_add_return_unchecked(2, &fh->field_count);
33277 if (csr & csr_error) {
33278 vb->state = VIDEOBUF_ERROR;
33279 if (!atomic_read(&fh->cam->in_reset)) {
33280 diff -urNp linux-2.6.32.46/drivers/media/video/omap24xxcam.h linux-2.6.32.46/drivers/media/video/omap24xxcam.h
33281 --- linux-2.6.32.46/drivers/media/video/omap24xxcam.h 2011-03-27 14:31:47.000000000 -0400
33282 +++ linux-2.6.32.46/drivers/media/video/omap24xxcam.h 2011-05-04 17:56:28.000000000 -0400
33283 @@ -533,7 +533,7 @@ struct omap24xxcam_fh {
33284 spinlock_t vbq_lock; /* spinlock for the videobuf queue */
33285 struct videobuf_queue vbq;
33286 struct v4l2_pix_format pix; /* serialise pix by vbq->lock */
33287 - atomic_t field_count; /* field counter for videobuf_buffer */
33288 + atomic_unchecked_t field_count; /* field counter for videobuf_buffer */
33289 /* accessing cam here doesn't need serialisation: it's constant */
33290 struct omap24xxcam_device *cam;
33291 };
33292 diff -urNp linux-2.6.32.46/drivers/media/video/pvrusb2/pvrusb2-eeprom.c linux-2.6.32.46/drivers/media/video/pvrusb2/pvrusb2-eeprom.c
33293 --- linux-2.6.32.46/drivers/media/video/pvrusb2/pvrusb2-eeprom.c 2011-03-27 14:31:47.000000000 -0400
33294 +++ linux-2.6.32.46/drivers/media/video/pvrusb2/pvrusb2-eeprom.c 2011-05-16 21:46:57.000000000 -0400
33295 @@ -119,6 +119,8 @@ int pvr2_eeprom_analyze(struct pvr2_hdw
33296 u8 *eeprom;
33297 struct tveeprom tvdata;
33298
33299 + pax_track_stack();
33300 +
33301 memset(&tvdata,0,sizeof(tvdata));
33302
33303 eeprom = pvr2_eeprom_fetch(hdw);
33304 diff -urNp linux-2.6.32.46/drivers/media/video/pvrusb2/pvrusb2-hdw-internal.h linux-2.6.32.46/drivers/media/video/pvrusb2/pvrusb2-hdw-internal.h
33305 --- linux-2.6.32.46/drivers/media/video/pvrusb2/pvrusb2-hdw-internal.h 2011-03-27 14:31:47.000000000 -0400
33306 +++ linux-2.6.32.46/drivers/media/video/pvrusb2/pvrusb2-hdw-internal.h 2011-08-23 21:22:38.000000000 -0400
33307 @@ -195,7 +195,7 @@ struct pvr2_hdw {
33308
33309 /* I2C stuff */
33310 struct i2c_adapter i2c_adap;
33311 - struct i2c_algorithm i2c_algo;
33312 + i2c_algorithm_no_const i2c_algo;
33313 pvr2_i2c_func i2c_func[PVR2_I2C_FUNC_CNT];
33314 int i2c_cx25840_hack_state;
33315 int i2c_linked;
33316 diff -urNp linux-2.6.32.46/drivers/media/video/saa7134/saa6752hs.c linux-2.6.32.46/drivers/media/video/saa7134/saa6752hs.c
33317 --- linux-2.6.32.46/drivers/media/video/saa7134/saa6752hs.c 2011-03-27 14:31:47.000000000 -0400
33318 +++ linux-2.6.32.46/drivers/media/video/saa7134/saa6752hs.c 2011-05-16 21:46:57.000000000 -0400
33319 @@ -683,6 +683,8 @@ static int saa6752hs_init(struct v4l2_su
33320 unsigned char localPAT[256];
33321 unsigned char localPMT[256];
33322
33323 + pax_track_stack();
33324 +
33325 /* Set video format - must be done first as it resets other settings */
33326 set_reg8(client, 0x41, h->video_format);
33327
33328 diff -urNp linux-2.6.32.46/drivers/media/video/saa7164/saa7164-cmd.c linux-2.6.32.46/drivers/media/video/saa7164/saa7164-cmd.c
33329 --- linux-2.6.32.46/drivers/media/video/saa7164/saa7164-cmd.c 2011-03-27 14:31:47.000000000 -0400
33330 +++ linux-2.6.32.46/drivers/media/video/saa7164/saa7164-cmd.c 2011-05-16 21:46:57.000000000 -0400
33331 @@ -87,6 +87,8 @@ int saa7164_irq_dequeue(struct saa7164_d
33332 wait_queue_head_t *q = 0;
33333 dprintk(DBGLVL_CMD, "%s()\n", __func__);
33334
33335 + pax_track_stack();
33336 +
33337 /* While any outstand message on the bus exists... */
33338 do {
33339
33340 @@ -126,6 +128,8 @@ int saa7164_cmd_dequeue(struct saa7164_d
33341 u8 tmp[512];
33342 dprintk(DBGLVL_CMD, "%s()\n", __func__);
33343
33344 + pax_track_stack();
33345 +
33346 while (loop) {
33347
33348 tmComResInfo_t tRsp = { 0, 0, 0, 0, 0, 0 };
33349 diff -urNp linux-2.6.32.46/drivers/media/video/usbvideo/ibmcam.c linux-2.6.32.46/drivers/media/video/usbvideo/ibmcam.c
33350 --- linux-2.6.32.46/drivers/media/video/usbvideo/ibmcam.c 2011-03-27 14:31:47.000000000 -0400
33351 +++ linux-2.6.32.46/drivers/media/video/usbvideo/ibmcam.c 2011-08-05 20:33:55.000000000 -0400
33352 @@ -3947,15 +3947,15 @@ static struct usb_device_id id_table[] =
33353 static int __init ibmcam_init(void)
33354 {
33355 struct usbvideo_cb cbTbl;
33356 - memset(&cbTbl, 0, sizeof(cbTbl));
33357 - cbTbl.probe = ibmcam_probe;
33358 - cbTbl.setupOnOpen = ibmcam_setup_on_open;
33359 - cbTbl.videoStart = ibmcam_video_start;
33360 - cbTbl.videoStop = ibmcam_video_stop;
33361 - cbTbl.processData = ibmcam_ProcessIsocData;
33362 - cbTbl.postProcess = usbvideo_DeinterlaceFrame;
33363 - cbTbl.adjustPicture = ibmcam_adjust_picture;
33364 - cbTbl.getFPS = ibmcam_calculate_fps;
33365 + memset((void *)&cbTbl, 0, sizeof(cbTbl));
33366 + *(void **)&cbTbl.probe = ibmcam_probe;
33367 + *(void **)&cbTbl.setupOnOpen = ibmcam_setup_on_open;
33368 + *(void **)&cbTbl.videoStart = ibmcam_video_start;
33369 + *(void **)&cbTbl.videoStop = ibmcam_video_stop;
33370 + *(void **)&cbTbl.processData = ibmcam_ProcessIsocData;
33371 + *(void **)&cbTbl.postProcess = usbvideo_DeinterlaceFrame;
33372 + *(void **)&cbTbl.adjustPicture = ibmcam_adjust_picture;
33373 + *(void **)&cbTbl.getFPS = ibmcam_calculate_fps;
33374 return usbvideo_register(
33375 &cams,
33376 MAX_IBMCAM,
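Review bot: The eight added assignments in ibmcam_init, such as `*(void **)&cbTbl.probe = ibmcam_probe;`, store each callback through a `void *` lvalue, so the compiler no longer checks the handler's signature against the `struct usbvideo_cb` member. The same patch tags `struct usbvideo_cb` with `__no_const` in usbvideo.h, which presumably makes the members directly assignable; if so, plain `cbTbl.probe = ibmcam_probe;` would keep the type check. The konicawc_init, ultracam_init and usbvideo_register hunks use the same cast. ultracam_init also leaves `memset(&cbTbl, 0, sizeof(cbTbl));` uncast while ibmcam_init and konicawc_init add `(void *)`, so the three init functions should be made consistent. ibmcam_init continues past the end of the hunk.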
33377 diff -urNp linux-2.6.32.46/drivers/media/video/usbvideo/konicawc.c linux-2.6.32.46/drivers/media/video/usbvideo/konicawc.c
33378 --- linux-2.6.32.46/drivers/media/video/usbvideo/konicawc.c 2011-03-27 14:31:47.000000000 -0400
33379 +++ linux-2.6.32.46/drivers/media/video/usbvideo/konicawc.c 2011-08-05 20:33:55.000000000 -0400
33380 @@ -225,7 +225,7 @@ static void konicawc_register_input(stru
33381 int error;
33382
33383 usb_make_path(dev, cam->input_physname, sizeof(cam->input_physname));
33384 - strncat(cam->input_physname, "/input0", sizeof(cam->input_physname));
33385 + strlcat(cam->input_physname, "/input0", sizeof(cam->input_physname));
33386
33387 cam->input = input_dev = input_allocate_device();
33388 if (!input_dev) {
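Review bot: The return value of the added `strlcat()` in konicawc_register_input is discarded, so if `usb_make_path()` already fills `input_physname`, the phys string is truncated with no indication. The result of `usb_make_path()` on the line above is ignored as well. A check such as `if (strlcat(cam->input_physname, "/input0", sizeof(cam->input_physname)) >= sizeof(cam->input_physname))` followed by a warning would surface the truncation. The qcm_register_input hunk in quickcam_messenger.c has the same pattern. The function starts and ends outside the hunk.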
33389 @@ -935,16 +935,16 @@ static int __init konicawc_init(void)
33390 struct usbvideo_cb cbTbl;
33391 printk(KERN_INFO KBUILD_MODNAME ": " DRIVER_VERSION ":"
33392 DRIVER_DESC "\n");
33393 - memset(&cbTbl, 0, sizeof(cbTbl));
33394 - cbTbl.probe = konicawc_probe;
33395 - cbTbl.setupOnOpen = konicawc_setup_on_open;
33396 - cbTbl.processData = konicawc_process_isoc;
33397 - cbTbl.getFPS = konicawc_calculate_fps;
33398 - cbTbl.setVideoMode = konicawc_set_video_mode;
33399 - cbTbl.startDataPump = konicawc_start_data;
33400 - cbTbl.stopDataPump = konicawc_stop_data;
33401 - cbTbl.adjustPicture = konicawc_adjust_picture;
33402 - cbTbl.userFree = konicawc_free_uvd;
33403 + memset((void * )&cbTbl, 0, sizeof(cbTbl));
33404 + *(void **)&cbTbl.probe = konicawc_probe;
33405 + *(void **)&cbTbl.setupOnOpen = konicawc_setup_on_open;
33406 + *(void **)&cbTbl.processData = konicawc_process_isoc;
33407 + *(void **)&cbTbl.getFPS = konicawc_calculate_fps;
33408 + *(void **)&cbTbl.setVideoMode = konicawc_set_video_mode;
33409 + *(void **)&cbTbl.startDataPump = konicawc_start_data;
33410 + *(void **)&cbTbl.stopDataPump = konicawc_stop_data;
33411 + *(void **)&cbTbl.adjustPicture = konicawc_adjust_picture;
33412 + *(void **)&cbTbl.userFree = konicawc_free_uvd;
33413 return usbvideo_register(
33414 &cams,
33415 MAX_CAMERAS,
33416 diff -urNp linux-2.6.32.46/drivers/media/video/usbvideo/quickcam_messenger.c linux-2.6.32.46/drivers/media/video/usbvideo/quickcam_messenger.c
33417 --- linux-2.6.32.46/drivers/media/video/usbvideo/quickcam_messenger.c 2011-03-27 14:31:47.000000000 -0400
33418 +++ linux-2.6.32.46/drivers/media/video/usbvideo/quickcam_messenger.c 2011-04-17 15:56:46.000000000 -0400
33419 @@ -89,7 +89,7 @@ static void qcm_register_input(struct qc
33420 int error;
33421
33422 usb_make_path(dev, cam->input_physname, sizeof(cam->input_physname));
33423 - strncat(cam->input_physname, "/input0", sizeof(cam->input_physname));
33424 + strlcat(cam->input_physname, "/input0", sizeof(cam->input_physname));
33425
33426 cam->input = input_dev = input_allocate_device();
33427 if (!input_dev) {
33428 diff -urNp linux-2.6.32.46/drivers/media/video/usbvideo/ultracam.c linux-2.6.32.46/drivers/media/video/usbvideo/ultracam.c
33429 --- linux-2.6.32.46/drivers/media/video/usbvideo/ultracam.c 2011-03-27 14:31:47.000000000 -0400
33430 +++ linux-2.6.32.46/drivers/media/video/usbvideo/ultracam.c 2011-08-05 20:33:55.000000000 -0400
33431 @@ -655,14 +655,14 @@ static int __init ultracam_init(void)
33432 {
33433 struct usbvideo_cb cbTbl;
33434 memset(&cbTbl, 0, sizeof(cbTbl));
33435 - cbTbl.probe = ultracam_probe;
33436 - cbTbl.setupOnOpen = ultracam_setup_on_open;
33437 - cbTbl.videoStart = ultracam_video_start;
33438 - cbTbl.videoStop = ultracam_video_stop;
33439 - cbTbl.processData = ultracam_ProcessIsocData;
33440 - cbTbl.postProcess = usbvideo_DeinterlaceFrame;
33441 - cbTbl.adjustPicture = ultracam_adjust_picture;
33442 - cbTbl.getFPS = ultracam_calculate_fps;
33443 + *(void **)&cbTbl.probe = ultracam_probe;
33444 + *(void **)&cbTbl.setupOnOpen = ultracam_setup_on_open;
33445 + *(void **)&cbTbl.videoStart = ultracam_video_start;
33446 + *(void **)&cbTbl.videoStop = ultracam_video_stop;
33447 + *(void **)&cbTbl.processData = ultracam_ProcessIsocData;
33448 + *(void **)&cbTbl.postProcess = usbvideo_DeinterlaceFrame;
33449 + *(void **)&cbTbl.adjustPicture = ultracam_adjust_picture;
33450 + *(void **)&cbTbl.getFPS = ultracam_calculate_fps;
33451 return usbvideo_register(
33452 &cams,
33453 MAX_CAMERAS,
33454 diff -urNp linux-2.6.32.46/drivers/media/video/usbvideo/usbvideo.c linux-2.6.32.46/drivers/media/video/usbvideo/usbvideo.c
33455 --- linux-2.6.32.46/drivers/media/video/usbvideo/usbvideo.c 2011-03-27 14:31:47.000000000 -0400
33456 +++ linux-2.6.32.46/drivers/media/video/usbvideo/usbvideo.c 2011-08-05 20:33:55.000000000 -0400
33457 @@ -697,15 +697,15 @@ int usbvideo_register(
33458 __func__, cams, base_size, num_cams);
33459
33460 /* Copy callbacks, apply defaults for those that are not set */
33461 - memmove(&cams->cb, cbTbl, sizeof(cams->cb));
33462 + memmove((void *)&cams->cb, cbTbl, sizeof(cams->cb));
33463 if (cams->cb.getFrame == NULL)
33464 - cams->cb.getFrame = usbvideo_GetFrame;
33465 + *(void **)&cams->cb.getFrame = usbvideo_GetFrame;
33466 if (cams->cb.disconnect == NULL)
33467 - cams->cb.disconnect = usbvideo_Disconnect;
33468 + *(void **)&cams->cb.disconnect = usbvideo_Disconnect;
33469 if (cams->cb.startDataPump == NULL)
33470 - cams->cb.startDataPump = usbvideo_StartDataPump;
33471 + *(void **)&cams->cb.startDataPump = usbvideo_StartDataPump;
33472 if (cams->cb.stopDataPump == NULL)
33473 - cams->cb.stopDataPump = usbvideo_StopDataPump;
33474 + *(void **)&cams->cb.stopDataPump = usbvideo_StopDataPump;
33475
33476 cams->num_cameras = num_cams;
33477 cams->cam = (struct uvd *) &cams[1];
33478 diff -urNp linux-2.6.32.46/drivers/media/video/usbvideo/usbvideo.h linux-2.6.32.46/drivers/media/video/usbvideo/usbvideo.h
33479 --- linux-2.6.32.46/drivers/media/video/usbvideo/usbvideo.h 2011-03-27 14:31:47.000000000 -0400
33480 +++ linux-2.6.32.46/drivers/media/video/usbvideo/usbvideo.h 2011-08-30 18:20:06.000000000 -0400
33481 @@ -268,7 +268,7 @@ struct usbvideo_cb {
33482 int (*startDataPump)(struct uvd *uvd);
33483 void (*stopDataPump)(struct uvd *uvd);
33484 int (*setVideoMode)(struct uvd *uvd, struct video_window *vw);
33485 -};
33486 +} __no_const;
33487
33488 struct usbvideo {
33489 int num_cameras; /* As allocated */
33490 diff -urNp linux-2.6.32.46/drivers/media/video/usbvision/usbvision-core.c linux-2.6.32.46/drivers/media/video/usbvision/usbvision-core.c
33491 --- linux-2.6.32.46/drivers/media/video/usbvision/usbvision-core.c 2011-03-27 14:31:47.000000000 -0400
33492 +++ linux-2.6.32.46/drivers/media/video/usbvision/usbvision-core.c 2011-05-16 21:46:57.000000000 -0400
33493 @@ -820,6 +820,8 @@ static enum ParseState usbvision_parse_c
33494 unsigned char rv, gv, bv;
33495 static unsigned char *Y, *U, *V;
33496
33497 + pax_track_stack();
33498 +
33499 frame = usbvision->curFrame;
33500 imageSize = frame->frmwidth * frame->frmheight;
33501 if ( (frame->v4l2_format.format == V4L2_PIX_FMT_YUV422P) ||
33502 diff -urNp linux-2.6.32.46/drivers/media/video/v4l2-device.c linux-2.6.32.46/drivers/media/video/v4l2-device.c
33503 --- linux-2.6.32.46/drivers/media/video/v4l2-device.c 2011-03-27 14:31:47.000000000 -0400
33504 +++ linux-2.6.32.46/drivers/media/video/v4l2-device.c 2011-05-04 17:56:28.000000000 -0400
33505 @@ -50,9 +50,9 @@ int v4l2_device_register(struct device *
33506 EXPORT_SYMBOL_GPL(v4l2_device_register);
33507
33508 int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename,
33509 - atomic_t *instance)
33510 + atomic_unchecked_t *instance)
33511 {
33512 - int num = atomic_inc_return(instance) - 1;
33513 + int num = atomic_inc_return_unchecked(instance) - 1;
33514 int len = strlen(basename);
33515
33516 if (basename[len - 1] >= '0' && basename[len - 1] <= '9')
33517 diff -urNp linux-2.6.32.46/drivers/media/video/videobuf-dma-sg.c linux-2.6.32.46/drivers/media/video/videobuf-dma-sg.c
33518 --- linux-2.6.32.46/drivers/media/video/videobuf-dma-sg.c 2011-03-27 14:31:47.000000000 -0400
33519 +++ linux-2.6.32.46/drivers/media/video/videobuf-dma-sg.c 2011-05-16 21:46:57.000000000 -0400
33520 @@ -693,6 +693,8 @@ void *videobuf_sg_alloc(size_t size)
33521 {
33522 struct videobuf_queue q;
33523
33524 + pax_track_stack();
33525 +
33526 /* Required to make generic handler to call __videobuf_alloc */
33527 q.int_ops = &sg_ops;
33528
33529 diff -urNp linux-2.6.32.46/drivers/message/fusion/mptbase.c linux-2.6.32.46/drivers/message/fusion/mptbase.c
33530 --- linux-2.6.32.46/drivers/message/fusion/mptbase.c 2011-03-27 14:31:47.000000000 -0400
33531 +++ linux-2.6.32.46/drivers/message/fusion/mptbase.c 2011-04-17 15:56:46.000000000 -0400
33532 @@ -6709,8 +6709,14 @@ procmpt_iocinfo_read(char *buf, char **s
33533 len += sprintf(buf+len, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
33534 len += sprintf(buf+len, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
33535
33536 +#ifdef CONFIG_GRKERNSEC_HIDESYM
33537 + len += sprintf(buf+len, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
33538 + NULL, NULL);
33539 +#else
33540 len += sprintf(buf+len, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
33541 (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
33542 +#endif
33543 +
33544 /*
33545 * Rounding UP to nearest 4-kB boundary here...
33546 */
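Review bot: Under CONFIG_GRKERNSEC_HIDESYM the added sprintf passes NULL to both `%p` conversions. If this kernel's vsnprintf renders a NULL `%p` as `(null)`, the line becomes `RequestFrames @ 0x(null) (Dma @ 0x(null))`, which may trip tools that parse this proc output; a fixed placeholder in the format string would be more predictable. The format string is also duplicated across the two preprocessor branches, so a later edit can change one and miss the other. A short comment such as `/* addresses withheld: HIDESYM hides kernel pointers from userland */` above the `#ifdef` would record the intent. procmpt_iocinfo_read starts and ends outside the hunk.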
33547 diff -urNp linux-2.6.32.46/drivers/message/fusion/mptsas.c linux-2.6.32.46/drivers/message/fusion/mptsas.c
33548 --- linux-2.6.32.46/drivers/message/fusion/mptsas.c 2011-03-27 14:31:47.000000000 -0400
33549 +++ linux-2.6.32.46/drivers/message/fusion/mptsas.c 2011-04-17 15:56:46.000000000 -0400
33550 @@ -436,6 +436,23 @@ mptsas_is_end_device(struct mptsas_devin
33551 return 0;
33552 }
33553
33554 +static inline void
33555 +mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
33556 +{
33557 + if (phy_info->port_details) {
33558 + phy_info->port_details->rphy = rphy;
33559 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
33560 + ioc->name, rphy));
33561 + }
33562 +
33563 + if (rphy) {
33564 + dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
33565 + &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
33566 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
33567 + ioc->name, rphy, rphy->dev.release));
33568 + }
33569 +}
33570 +
33571 /* no mutex */
33572 static void
33573 mptsas_port_delete(MPT_ADAPTER *ioc, struct mptsas_portinfo_details * port_details)
33574 @@ -474,23 +491,6 @@ mptsas_get_rphy(struct mptsas_phyinfo *p
33575 return NULL;
33576 }
33577
33578 -static inline void
33579 -mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
33580 -{
33581 - if (phy_info->port_details) {
33582 - phy_info->port_details->rphy = rphy;
33583 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
33584 - ioc->name, rphy));
33585 - }
33586 -
33587 - if (rphy) {
33588 - dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
33589 - &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
33590 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
33591 - ioc->name, rphy, rphy->dev.release));
33592 - }
33593 -}
33594 -
33595 static inline struct sas_port *
33596 mptsas_get_port(struct mptsas_phyinfo *phy_info)
33597 {
33598 diff -urNp linux-2.6.32.46/drivers/message/fusion/mptscsih.c linux-2.6.32.46/drivers/message/fusion/mptscsih.c
33599 --- linux-2.6.32.46/drivers/message/fusion/mptscsih.c 2011-03-27 14:31:47.000000000 -0400
33600 +++ linux-2.6.32.46/drivers/message/fusion/mptscsih.c 2011-04-17 15:56:46.000000000 -0400
33601 @@ -1248,15 +1248,16 @@ mptscsih_info(struct Scsi_Host *SChost)
33602
33603 h = shost_priv(SChost);
33604
33605 - if (h) {
33606 - if (h->info_kbuf == NULL)
33607 - if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
33608 - return h->info_kbuf;
33609 - h->info_kbuf[0] = '\0';
33610 + if (!h)
33611 + return NULL;
33612
33613 - mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
33614 - h->info_kbuf[size-1] = '\0';
33615 - }
33616 + if (h->info_kbuf == NULL)
33617 + if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
33618 + return h->info_kbuf;
33619 + h->info_kbuf[0] = '\0';
33620 +
33621 + mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
33622 + h->info_kbuf[size-1] = '\0';
33623
33624 return h->info_kbuf;
33625 }
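Review bot: The restructured allocation in mptscsih_info keeps the nested unbraced `if` and returns `h->info_kbuf` to mean NULL, which is easy to misread next to the following line at the same indent. Splitting it into `h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL);` and `if (!h->info_kbuf) return NULL;` inside a braced `if (h->info_kbuf == NULL)` says the same thing directly. Separately, `h->info_kbuf[size-1] = '\0';` depends on mpt_print_ioc_summary leaving `size` between 1 and 0x1000. `size` is declared outside the hunk and nothing here checks it, so a guard such as `if (size > 0 && size <= 0x1000)` before the store is worth adding. The function starts outside the hunk.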
33626 diff -urNp linux-2.6.32.46/drivers/message/i2o/i2o_config.c linux-2.6.32.46/drivers/message/i2o/i2o_config.c
33627 --- linux-2.6.32.46/drivers/message/i2o/i2o_config.c 2011-03-27 14:31:47.000000000 -0400
33628 +++ linux-2.6.32.46/drivers/message/i2o/i2o_config.c 2011-05-16 21:46:57.000000000 -0400
33629 @@ -787,6 +787,8 @@ static int i2o_cfg_passthru(unsigned lon
33630 struct i2o_message *msg;
33631 unsigned int iop;
33632
33633 + pax_track_stack();
33634 +
33635 if (get_user(iop, &cmd->iop) || get_user(user_msg, &cmd->msg))
33636 return -EFAULT;
33637
33638 diff -urNp linux-2.6.32.46/drivers/message/i2o/i2o_proc.c linux-2.6.32.46/drivers/message/i2o/i2o_proc.c
33639 --- linux-2.6.32.46/drivers/message/i2o/i2o_proc.c 2011-03-27 14:31:47.000000000 -0400
33640 +++ linux-2.6.32.46/drivers/message/i2o/i2o_proc.c 2011-04-17 15:56:46.000000000 -0400
33641 @@ -259,13 +259,6 @@ static char *scsi_devices[] = {
33642 "Array Controller Device"
33643 };
33644
33645 -static char *chtostr(u8 * chars, int n)
33646 -{
33647 - char tmp[256];
33648 - tmp[0] = 0;
33649 - return strncat(tmp, (char *)chars, n);
33650 -}
33651 -
33652 static int i2o_report_query_status(struct seq_file *seq, int block_status,
33653 char *group)
33654 {
33655 @@ -842,8 +835,7 @@ static int i2o_seq_show_ddm_table(struct
33656
33657 seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
33658 seq_printf(seq, "%-#8x", ddm_table.module_id);
33659 - seq_printf(seq, "%-29s",
33660 - chtostr(ddm_table.module_name_version, 28));
33661 + seq_printf(seq, "%-.28s", ddm_table.module_name_version);
33662 seq_printf(seq, "%9d ", ddm_table.data_size);
33663 seq_printf(seq, "%8d", ddm_table.code_size);
33664
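Review bot: The replacement format `"%-.28s"` in i2o_seq_show_ddm_table drops the field width that `"%-29s"` had, so the `-` flag no longer does anything and a name shorter than 28 characters is not padded, shifting the following columns of the table. `seq_printf(seq, "%-29.28s", ddm_table.module_name_version);` keeps the read bounded to 28 bytes and preserves the original column layout. The next hunk in i2o_seq_show_drivers_stored has the same issue for both fields; `"%-29.28s"` and `"%-9.8s"` would match the old widths there. Both functions start and end outside their hunks.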
33665 @@ -944,8 +936,8 @@ static int i2o_seq_show_drivers_stored(s
33666
33667 seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
33668 seq_printf(seq, "%-#8x", dst->module_id);
33669 - seq_printf(seq, "%-29s", chtostr(dst->module_name_version, 28));
33670 - seq_printf(seq, "%-9s", chtostr(dst->date, 8));
33671 + seq_printf(seq, "%-.28s", dst->module_name_version);
33672 + seq_printf(seq, "%-.8s", dst->date);
33673 seq_printf(seq, "%8d ", dst->module_size);
33674 seq_printf(seq, "%8d ", dst->mpb_size);
33675 seq_printf(seq, "0x%04x", dst->module_flags);
33676 @@ -1276,14 +1268,10 @@ static int i2o_seq_show_dev_identity(str
33677 seq_printf(seq, "Device Class : %s\n", i2o_get_class_name(work16[0]));
33678 seq_printf(seq, "Owner TID : %0#5x\n", work16[2]);
33679 seq_printf(seq, "Parent TID : %0#5x\n", work16[3]);
33680 - seq_printf(seq, "Vendor info : %s\n",
33681 - chtostr((u8 *) (work32 + 2), 16));
33682 - seq_printf(seq, "Product info : %s\n",
33683 - chtostr((u8 *) (work32 + 6), 16));
33684 - seq_printf(seq, "Description : %s\n",
33685 - chtostr((u8 *) (work32 + 10), 16));
33686 - seq_printf(seq, "Product rev. : %s\n",
33687 - chtostr((u8 *) (work32 + 14), 8));
33688 + seq_printf(seq, "Vendor info : %.16s\n", (u8 *) (work32 + 2));
33689 + seq_printf(seq, "Product info : %.16s\n", (u8 *) (work32 + 6));
33690 + seq_printf(seq, "Description : %.16s\n", (u8 *) (work32 + 10));
33691 + seq_printf(seq, "Product rev. : %.8s\n", (u8 *) (work32 + 14));
33692
33693 seq_printf(seq, "Serial number : ");
33694 print_serial_number(seq, (u8 *) (work32 + 16),
33695 @@ -1328,10 +1316,8 @@ static int i2o_seq_show_ddm_identity(str
33696 }
33697
33698 seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
33699 - seq_printf(seq, "Module name : %s\n",
33700 - chtostr(result.module_name, 24));
33701 - seq_printf(seq, "Module revision : %s\n",
33702 - chtostr(result.module_rev, 8));
33703 + seq_printf(seq, "Module name : %.24s\n", result.module_name);
33704 + seq_printf(seq, "Module revision : %.8s\n", result.module_rev);
33705
33706 seq_printf(seq, "Serial number : ");
33707 print_serial_number(seq, result.serial_number, sizeof(result) - 36);
33708 @@ -1362,14 +1348,10 @@ static int i2o_seq_show_uinfo(struct seq
33709 return 0;
33710 }
33711
33712 - seq_printf(seq, "Device name : %s\n",
33713 - chtostr(result.device_name, 64));
33714 - seq_printf(seq, "Service name : %s\n",
33715 - chtostr(result.service_name, 64));
33716 - seq_printf(seq, "Physical name : %s\n",
33717 - chtostr(result.physical_location, 64));
33718 - seq_printf(seq, "Instance number : %s\n",
33719 - chtostr(result.instance_number, 4));
33720 + seq_printf(seq, "Device name : %.64s\n", result.device_name);
33721 + seq_printf(seq, "Service name : %.64s\n", result.service_name);
33722 + seq_printf(seq, "Physical name : %.64s\n", result.physical_location);
33723 + seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
33724
33725 return 0;
33726 }
33727 diff -urNp linux-2.6.32.46/drivers/message/i2o/iop.c linux-2.6.32.46/drivers/message/i2o/iop.c
33728 --- linux-2.6.32.46/drivers/message/i2o/iop.c 2011-03-27 14:31:47.000000000 -0400
33729 +++ linux-2.6.32.46/drivers/message/i2o/iop.c 2011-05-04 17:56:28.000000000 -0400
33730 @@ -110,10 +110,10 @@ u32 i2o_cntxt_list_add(struct i2o_contro
33731
33732 spin_lock_irqsave(&c->context_list_lock, flags);
33733
33734 - if (unlikely(atomic_inc_and_test(&c->context_list_counter)))
33735 - atomic_inc(&c->context_list_counter);
33736 + if (unlikely(atomic_inc_and_test_unchecked(&c->context_list_counter)))
33737 + atomic_inc_unchecked(&c->context_list_counter);
33738
33739 - entry->context = atomic_read(&c->context_list_counter);
33740 + entry->context = atomic_read_unchecked(&c->context_list_counter);
33741
33742 list_add(&entry->list, &c->context_list);
33743
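Review bot: Nothing at this call site in i2o_cntxt_list_add says why the counter is switched to the `_unchecked` variants, which opt it out of overflow detection. The code increments and, when the result is zero, increments again, so wrap-around looks intended with 0 reserved; a comment such as `/* context ids wrap by design; 0 is skipped, so overflow checking is not wanted here */` above the `if` would record that. Whether a wrapped id can collide with an entry still on `c->context_list` is not visible here and is worth confirming. The function starts and ends outside the hunk.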
33744 @@ -1076,7 +1076,7 @@ struct i2o_controller *i2o_iop_alloc(voi
33745
33746 #if BITS_PER_LONG == 64
33747 spin_lock_init(&c->context_list_lock);
33748 - atomic_set(&c->context_list_counter, 0);
33749 + atomic_set_unchecked(&c->context_list_counter, 0);
33750 INIT_LIST_HEAD(&c->context_list);
33751 #endif
33752
33753 diff -urNp linux-2.6.32.46/drivers/mfd/wm8350-i2c.c linux-2.6.32.46/drivers/mfd/wm8350-i2c.c
33754 --- linux-2.6.32.46/drivers/mfd/wm8350-i2c.c 2011-03-27 14:31:47.000000000 -0400
33755 +++ linux-2.6.32.46/drivers/mfd/wm8350-i2c.c 2011-05-16 21:46:57.000000000 -0400
33756 @@ -43,6 +43,8 @@ static int wm8350_i2c_write_device(struc
33757 u8 msg[(WM8350_MAX_REGISTER << 1) + 1];
33758 int ret;
33759
33760 + pax_track_stack();
33761 +
33762 if (bytes > ((WM8350_MAX_REGISTER << 1) + 1))
33763 return -EINVAL;
33764
33765 diff -urNp linux-2.6.32.46/drivers/misc/kgdbts.c linux-2.6.32.46/drivers/misc/kgdbts.c
33766 --- linux-2.6.32.46/drivers/misc/kgdbts.c 2011-03-27 14:31:47.000000000 -0400
33767 +++ linux-2.6.32.46/drivers/misc/kgdbts.c 2011-04-17 15:56:46.000000000 -0400
33768 @@ -118,7 +118,7 @@
33769 } while (0)
33770 #define MAX_CONFIG_LEN 40
33771
33772 -static struct kgdb_io kgdbts_io_ops;
33773 +static const struct kgdb_io kgdbts_io_ops;
33774 static char get_buf[BUFMAX];
33775 static int get_buf_cnt;
33776 static char put_buf[BUFMAX];
33777 @@ -1102,7 +1102,7 @@ static void kgdbts_post_exp_handler(void
33778 module_put(THIS_MODULE);
33779 }
33780
33781 -static struct kgdb_io kgdbts_io_ops = {
33782 +static const struct kgdb_io kgdbts_io_ops = {
33783 .name = "kgdbts",
33784 .read_char = kgdbts_get_char,
33785 .write_char = kgdbts_put_char,
33786 diff -urNp linux-2.6.32.46/drivers/misc/sgi-gru/gruhandles.c linux-2.6.32.46/drivers/misc/sgi-gru/gruhandles.c
33787 --- linux-2.6.32.46/drivers/misc/sgi-gru/gruhandles.c 2011-03-27 14:31:47.000000000 -0400
33788 +++ linux-2.6.32.46/drivers/misc/sgi-gru/gruhandles.c 2011-04-17 15:56:46.000000000 -0400
33789 @@ -39,8 +39,8 @@ struct mcs_op_statistic mcs_op_statistic
33790
33791 static void update_mcs_stats(enum mcs_op op, unsigned long clks)
33792 {
33793 - atomic_long_inc(&mcs_op_statistics[op].count);
33794 - atomic_long_add(clks, &mcs_op_statistics[op].total);
33795 + atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
33796 + atomic_long_add_unchecked(clks, &mcs_op_statistics[op].total);
33797 if (mcs_op_statistics[op].max < clks)
33798 mcs_op_statistics[op].max = clks;
33799 }
33800 diff -urNp linux-2.6.32.46/drivers/misc/sgi-gru/gruprocfs.c linux-2.6.32.46/drivers/misc/sgi-gru/gruprocfs.c
33801 --- linux-2.6.32.46/drivers/misc/sgi-gru/gruprocfs.c 2011-03-27 14:31:47.000000000 -0400
33802 +++ linux-2.6.32.46/drivers/misc/sgi-gru/gruprocfs.c 2011-04-17 15:56:46.000000000 -0400
33803 @@ -32,9 +32,9 @@
33804
33805 #define printstat(s, f) printstat_val(s, &gru_stats.f, #f)
33806
33807 -static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
33808 +static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
33809 {
33810 - unsigned long val = atomic_long_read(v);
33811 + unsigned long val = atomic_long_read_unchecked(v);
33812
33813 if (val)
33814 seq_printf(s, "%16lu %s\n", val, id);
33815 @@ -136,8 +136,8 @@ static int mcs_statistics_show(struct se
33816 "cch_interrupt_sync", "cch_deallocate", "tgh_invalidate"};
33817
33818 for (op = 0; op < mcsop_last; op++) {
33819 - count = atomic_long_read(&mcs_op_statistics[op].count);
33820 - total = atomic_long_read(&mcs_op_statistics[op].total);
33821 + count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
33822 + total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
33823 max = mcs_op_statistics[op].max;
33824 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
33825 count ? total / count : 0, max);
33826 diff -urNp linux-2.6.32.46/drivers/misc/sgi-gru/grutables.h linux-2.6.32.46/drivers/misc/sgi-gru/grutables.h
33827 --- linux-2.6.32.46/drivers/misc/sgi-gru/grutables.h 2011-03-27 14:31:47.000000000 -0400
33828 +++ linux-2.6.32.46/drivers/misc/sgi-gru/grutables.h 2011-04-17 15:56:46.000000000 -0400
33829 @@ -167,84 +167,84 @@ extern unsigned int gru_max_gids;
33830 * GRU statistics.
33831 */
33832 struct gru_stats_s {
33833 - atomic_long_t vdata_alloc;
33834 - atomic_long_t vdata_free;
33835 - atomic_long_t gts_alloc;
33836 - atomic_long_t gts_free;
33837 - atomic_long_t vdata_double_alloc;
33838 - atomic_long_t gts_double_allocate;
33839 - atomic_long_t assign_context;
33840 - atomic_long_t assign_context_failed;
33841 - atomic_long_t free_context;
33842 - atomic_long_t load_user_context;
33843 - atomic_long_t load_kernel_context;
33844 - atomic_long_t lock_kernel_context;
33845 - atomic_long_t unlock_kernel_context;
33846 - atomic_long_t steal_user_context;
33847 - atomic_long_t steal_kernel_context;
33848 - atomic_long_t steal_context_failed;
33849 - atomic_long_t nopfn;
33850 - atomic_long_t break_cow;
33851 - atomic_long_t asid_new;
33852 - atomic_long_t asid_next;
33853 - atomic_long_t asid_wrap;
33854 - atomic_long_t asid_reuse;
33855 - atomic_long_t intr;
33856 - atomic_long_t intr_mm_lock_failed;
33857 - atomic_long_t call_os;
33858 - atomic_long_t call_os_offnode_reference;
33859 - atomic_long_t call_os_check_for_bug;
33860 - atomic_long_t call_os_wait_queue;
33861 - atomic_long_t user_flush_tlb;
33862 - atomic_long_t user_unload_context;
33863 - atomic_long_t user_exception;
33864 - atomic_long_t set_context_option;
33865 - atomic_long_t migrate_check;
33866 - atomic_long_t migrated_retarget;
33867 - atomic_long_t migrated_unload;
33868 - atomic_long_t migrated_unload_delay;
33869 - atomic_long_t migrated_nopfn_retarget;
33870 - atomic_long_t migrated_nopfn_unload;
33871 - atomic_long_t tlb_dropin;
33872 - atomic_long_t tlb_dropin_fail_no_asid;
33873 - atomic_long_t tlb_dropin_fail_upm;
33874 - atomic_long_t tlb_dropin_fail_invalid;
33875 - atomic_long_t tlb_dropin_fail_range_active;
33876 - atomic_long_t tlb_dropin_fail_idle;
33877 - atomic_long_t tlb_dropin_fail_fmm;
33878 - atomic_long_t tlb_dropin_fail_no_exception;
33879 - atomic_long_t tlb_dropin_fail_no_exception_war;
33880 - atomic_long_t tfh_stale_on_fault;
33881 - atomic_long_t mmu_invalidate_range;
33882 - atomic_long_t mmu_invalidate_page;
33883 - atomic_long_t mmu_clear_flush_young;
33884 - atomic_long_t flush_tlb;
33885 - atomic_long_t flush_tlb_gru;
33886 - atomic_long_t flush_tlb_gru_tgh;
33887 - atomic_long_t flush_tlb_gru_zero_asid;
33888 -
33889 - atomic_long_t copy_gpa;
33890 -
33891 - atomic_long_t mesq_receive;
33892 - atomic_long_t mesq_receive_none;
33893 - atomic_long_t mesq_send;
33894 - atomic_long_t mesq_send_failed;
33895 - atomic_long_t mesq_noop;
33896 - atomic_long_t mesq_send_unexpected_error;
33897 - atomic_long_t mesq_send_lb_overflow;
33898 - atomic_long_t mesq_send_qlimit_reached;
33899 - atomic_long_t mesq_send_amo_nacked;
33900 - atomic_long_t mesq_send_put_nacked;
33901 - atomic_long_t mesq_qf_not_full;
33902 - atomic_long_t mesq_qf_locked;
33903 - atomic_long_t mesq_qf_noop_not_full;
33904 - atomic_long_t mesq_qf_switch_head_failed;
33905 - atomic_long_t mesq_qf_unexpected_error;
33906 - atomic_long_t mesq_noop_unexpected_error;
33907 - atomic_long_t mesq_noop_lb_overflow;
33908 - atomic_long_t mesq_noop_qlimit_reached;
33909 - atomic_long_t mesq_noop_amo_nacked;
33910 - atomic_long_t mesq_noop_put_nacked;
33911 + atomic_long_unchecked_t vdata_alloc;
33912 + atomic_long_unchecked_t vdata_free;
33913 + atomic_long_unchecked_t gts_alloc;
33914 + atomic_long_unchecked_t gts_free;
33915 + atomic_long_unchecked_t vdata_double_alloc;
33916 + atomic_long_unchecked_t gts_double_allocate;
33917 + atomic_long_unchecked_t assign_context;
33918 + atomic_long_unchecked_t assign_context_failed;
33919 + atomic_long_unchecked_t free_context;
33920 + atomic_long_unchecked_t load_user_context;
33921 + atomic_long_unchecked_t load_kernel_context;
33922 + atomic_long_unchecked_t lock_kernel_context;
33923 + atomic_long_unchecked_t unlock_kernel_context;
33924 + atomic_long_unchecked_t steal_user_context;
33925 + atomic_long_unchecked_t steal_kernel_context;
33926 + atomic_long_unchecked_t steal_context_failed;
33927 + atomic_long_unchecked_t nopfn;
33928 + atomic_long_unchecked_t break_cow;
33929 + atomic_long_unchecked_t asid_new;
33930 + atomic_long_unchecked_t asid_next;
33931 + atomic_long_unchecked_t asid_wrap;
33932 + atomic_long_unchecked_t asid_reuse;
33933 + atomic_long_unchecked_t intr;
33934 + atomic_long_unchecked_t intr_mm_lock_failed;
33935 + atomic_long_unchecked_t call_os;
33936 + atomic_long_unchecked_t call_os_offnode_reference;
33937 + atomic_long_unchecked_t call_os_check_for_bug;
33938 + atomic_long_unchecked_t call_os_wait_queue;
33939 + atomic_long_unchecked_t user_flush_tlb;
33940 + atomic_long_unchecked_t user_unload_context;
33941 + atomic_long_unchecked_t user_exception;
33942 + atomic_long_unchecked_t set_context_option;
33943 + atomic_long_unchecked_t migrate_check;
33944 + atomic_long_unchecked_t migrated_retarget;
33945 + atomic_long_unchecked_t migrated_unload;
33946 + atomic_long_unchecked_t migrated_unload_delay;
33947 + atomic_long_unchecked_t migrated_nopfn_retarget;
33948 + atomic_long_unchecked_t migrated_nopfn_unload;
33949 + atomic_long_unchecked_t tlb_dropin;
33950 + atomic_long_unchecked_t tlb_dropin_fail_no_asid;
33951 + atomic_long_unchecked_t tlb_dropin_fail_upm;
33952 + atomic_long_unchecked_t tlb_dropin_fail_invalid;
33953 + atomic_long_unchecked_t tlb_dropin_fail_range_active;
33954 + atomic_long_unchecked_t tlb_dropin_fail_idle;
33955 + atomic_long_unchecked_t tlb_dropin_fail_fmm;
33956 + atomic_long_unchecked_t tlb_dropin_fail_no_exception;
33957 + atomic_long_unchecked_t tlb_dropin_fail_no_exception_war;
33958 + atomic_long_unchecked_t tfh_stale_on_fault;
33959 + atomic_long_unchecked_t mmu_invalidate_range;
33960 + atomic_long_unchecked_t mmu_invalidate_page;
33961 + atomic_long_unchecked_t mmu_clear_flush_young;
33962 + atomic_long_unchecked_t flush_tlb;
33963 + atomic_long_unchecked_t flush_tlb_gru;
33964 + atomic_long_unchecked_t flush_tlb_gru_tgh;
33965 + atomic_long_unchecked_t flush_tlb_gru_zero_asid;
33966 +
33967 + atomic_long_unchecked_t copy_gpa;
33968 +
33969 + atomic_long_unchecked_t mesq_receive;
33970 + atomic_long_unchecked_t mesq_receive_none;
33971 + atomic_long_unchecked_t mesq_send;
33972 + atomic_long_unchecked_t mesq_send_failed;
33973 + atomic_long_unchecked_t mesq_noop;
33974 + atomic_long_unchecked_t mesq_send_unexpected_error;
33975 + atomic_long_unchecked_t mesq_send_lb_overflow;
33976 + atomic_long_unchecked_t mesq_send_qlimit_reached;
33977 + atomic_long_unchecked_t mesq_send_amo_nacked;
33978 + atomic_long_unchecked_t mesq_send_put_nacked;
33979 + atomic_long_unchecked_t mesq_qf_not_full;
33980 + atomic_long_unchecked_t mesq_qf_locked;
33981 + atomic_long_unchecked_t mesq_qf_noop_not_full;
33982 + atomic_long_unchecked_t mesq_qf_switch_head_failed;
33983 + atomic_long_unchecked_t mesq_qf_unexpected_error;
33984 + atomic_long_unchecked_t mesq_noop_unexpected_error;
33985 + atomic_long_unchecked_t mesq_noop_lb_overflow;
33986 + atomic_long_unchecked_t mesq_noop_qlimit_reached;
33987 + atomic_long_unchecked_t mesq_noop_amo_nacked;
33988 + atomic_long_unchecked_t mesq_noop_put_nacked;
33989
33990 };
33991
33992 @@ -252,8 +252,8 @@ enum mcs_op {cchop_allocate, cchop_start
33993 cchop_deallocate, tghop_invalidate, mcsop_last};
33994
33995 struct mcs_op_statistic {
33996 - atomic_long_t count;
33997 - atomic_long_t total;
33998 + atomic_long_unchecked_t count;
33999 + atomic_long_unchecked_t total;
34000 unsigned long max;
34001 };
34002
34003 @@ -276,7 +276,7 @@ extern struct mcs_op_statistic mcs_op_st
34004
34005 #define STAT(id) do { \
34006 if (gru_options & OPT_STATS) \
34007 - atomic_long_inc(&gru_stats.id); \
34008 + atomic_long_inc_unchecked(&gru_stats.id); \
34009 } while (0)
34010
34011 #ifdef CONFIG_SGI_GRU_DEBUG
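Review bot: Nothing at the `STAT()` macro says why it now calls `atomic_long_inc_unchecked`, so a later reader cannot tell whether opting out of overflow checking was deliberate. The fields it increments are the `gru_stats` counters, which look like plain statistics rather than reference counts, so wrap-around is presumably harmless. I would add one line above the macro, e.g. `/* statistics only: wrap-around is harmless, so the unchecked variant is used */`. The same remark applies to `count` and `total` in `struct mcs_op_statistic` in the previous hunk.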
34012 diff -urNp linux-2.6.32.46/drivers/misc/sgi-xp/xpc.h linux-2.6.32.46/drivers/misc/sgi-xp/xpc.h
34013 --- linux-2.6.32.46/drivers/misc/sgi-xp/xpc.h 2011-03-27 14:31:47.000000000 -0400
34014 +++ linux-2.6.32.46/drivers/misc/sgi-xp/xpc.h 2011-08-05 20:33:55.000000000 -0400
34015 @@ -876,7 +876,7 @@ extern struct xpc_registration xpc_regis
34016 /* found in xpc_main.c */
34017 extern struct device *xpc_part;
34018 extern struct device *xpc_chan;
34019 -extern struct xpc_arch_operations xpc_arch_ops;
34020 +extern const struct xpc_arch_operations xpc_arch_ops;
34021 extern int xpc_disengage_timelimit;
34022 extern int xpc_disengage_timedout;
34023 extern int xpc_activate_IRQ_rcvd;
34024 diff -urNp linux-2.6.32.46/drivers/misc/sgi-xp/xpc_main.c linux-2.6.32.46/drivers/misc/sgi-xp/xpc_main.c
34025 --- linux-2.6.32.46/drivers/misc/sgi-xp/xpc_main.c 2011-03-27 14:31:47.000000000 -0400
34026 +++ linux-2.6.32.46/drivers/misc/sgi-xp/xpc_main.c 2011-08-05 20:33:55.000000000 -0400
34027 @@ -169,7 +169,7 @@ static struct notifier_block xpc_die_not
34028 .notifier_call = xpc_system_die,
34029 };
34030
34031 -struct xpc_arch_operations xpc_arch_ops;
34032 +const struct xpc_arch_operations xpc_arch_ops;
34033
34034 /*
34035 * Timer function to enforce the timelimit on the partition disengage.
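Review bot: `xpc_arch_ops` is now defined `const` with no initializer, yet `xpc_init_sn2()` and `xpc_init_uv()` later in this patch fill it with `memcpy((void *)&xpc_arch_ops, ...)`. Writing to an object defined `const` is undefined behaviour in ISO C, and a compiler that sees this definition may assume the members keep their initial zero value. Whether any call through `xpc_arch_ops` in this file is affected cannot be told from the hunk. Keeping the type non-const and placing the object in a read-only section, if the tree offers an attribute for that, would get the protection from the page mapping instead of a qualifier the optimizer can act on. At minimum, add a comment at the definition: `/* written once at init under pax_open_kernel(); read-only afterwards */`.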
34036 diff -urNp linux-2.6.32.46/drivers/misc/sgi-xp/xpc_sn2.c linux-2.6.32.46/drivers/misc/sgi-xp/xpc_sn2.c
34037 --- linux-2.6.32.46/drivers/misc/sgi-xp/xpc_sn2.c 2011-03-27 14:31:47.000000000 -0400
34038 +++ linux-2.6.32.46/drivers/misc/sgi-xp/xpc_sn2.c 2011-08-05 20:33:55.000000000 -0400
34039 @@ -2350,7 +2350,7 @@ xpc_received_payload_sn2(struct xpc_chan
34040 xpc_acknowledge_msgs_sn2(ch, get, msg->flags);
34041 }
34042
34043 -static struct xpc_arch_operations xpc_arch_ops_sn2 = {
34044 +static const struct xpc_arch_operations xpc_arch_ops_sn2 = {
34045 .setup_partitions = xpc_setup_partitions_sn2,
34046 .teardown_partitions = xpc_teardown_partitions_sn2,
34047 .process_activate_IRQ_rcvd = xpc_process_activate_IRQ_rcvd_sn2,
34048 @@ -2413,7 +2413,9 @@ xpc_init_sn2(void)
34049 int ret;
34050 size_t buf_size;
34051
34052 - xpc_arch_ops = xpc_arch_ops_sn2;
34053 + pax_open_kernel();
34054 + memcpy((void *)&xpc_arch_ops, &xpc_arch_ops_sn2, sizeof(xpc_arch_ops_sn2));
34055 + pax_close_kernel();
34056
34057 if (offsetof(struct xpc_msg_sn2, payload) > XPC_MSG_HDR_MAX_SIZE) {
34058 dev_err(xpc_part, "header portion of struct xpc_msg_sn2 is "
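Review bot: The added `memcpy` sizes the copy by its source, `sizeof(xpc_arch_ops_sn2)`. Sizing it by the destination, `memcpy((void *)&xpc_arch_ops, &xpc_arch_ops_sn2, sizeof(xpc_arch_ops));`, keeps the write bounded by the object being written even if the two declarations ever diverge. The `pax_open_kernel()`/`pax_close_kernel()` window is limited to this one copy, which is good; a comment such as `/* xpc_arch_ops is const: this is its only write */` would make that intent explicit. The same applies to the identical sequence in `xpc_init_uv()` in xpc_uv.c. The body of `xpc_init_sn2()` continues outside the hunk.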
34059 diff -urNp linux-2.6.32.46/drivers/misc/sgi-xp/xpc_uv.c linux-2.6.32.46/drivers/misc/sgi-xp/xpc_uv.c
34060 --- linux-2.6.32.46/drivers/misc/sgi-xp/xpc_uv.c 2011-03-27 14:31:47.000000000 -0400
34061 +++ linux-2.6.32.46/drivers/misc/sgi-xp/xpc_uv.c 2011-08-05 20:33:55.000000000 -0400
34062 @@ -1669,7 +1669,7 @@ xpc_received_payload_uv(struct xpc_chann
34063 XPC_DEACTIVATE_PARTITION(&xpc_partitions[ch->partid], ret);
34064 }
34065
34066 -static struct xpc_arch_operations xpc_arch_ops_uv = {
34067 +static const struct xpc_arch_operations xpc_arch_ops_uv = {
34068 .setup_partitions = xpc_setup_partitions_uv,
34069 .teardown_partitions = xpc_teardown_partitions_uv,
34070 .process_activate_IRQ_rcvd = xpc_process_activate_IRQ_rcvd_uv,
34071 @@ -1729,7 +1729,9 @@ static struct xpc_arch_operations xpc_ar
34072 int
34073 xpc_init_uv(void)
34074 {
34075 - xpc_arch_ops = xpc_arch_ops_uv;
34076 + pax_open_kernel();
34077 + memcpy((void *)&xpc_arch_ops, &xpc_arch_ops_uv, sizeof(xpc_arch_ops_uv));
34078 + pax_close_kernel();
34079
34080 if (sizeof(struct xpc_notify_mq_msghdr_uv) > XPC_MSG_HDR_MAX_SIZE) {
34081 dev_err(xpc_part, "xpc_notify_mq_msghdr_uv is larger than %d\n",
34082 diff -urNp linux-2.6.32.46/drivers/misc/sgi-xp/xp.h linux-2.6.32.46/drivers/misc/sgi-xp/xp.h
34083 --- linux-2.6.32.46/drivers/misc/sgi-xp/xp.h 2011-03-27 14:31:47.000000000 -0400
34084 +++ linux-2.6.32.46/drivers/misc/sgi-xp/xp.h 2011-08-05 20:33:55.000000000 -0400
34085 @@ -289,7 +289,7 @@ struct xpc_interface {
34086 xpc_notify_func, void *);
34087 void (*received) (short, int, void *);
34088 enum xp_retval (*partid_to_nasids) (short, void *);
34089 -};
34090 +} __no_const;
34091
34092 extern struct xpc_interface xpc_interface;
34093
34094 diff -urNp linux-2.6.32.46/drivers/mtd/chips/cfi_cmdset_0001.c linux-2.6.32.46/drivers/mtd/chips/cfi_cmdset_0001.c
34095 --- linux-2.6.32.46/drivers/mtd/chips/cfi_cmdset_0001.c 2011-03-27 14:31:47.000000000 -0400
34096 +++ linux-2.6.32.46/drivers/mtd/chips/cfi_cmdset_0001.c 2011-05-16 21:46:57.000000000 -0400
34097 @@ -743,6 +743,8 @@ static int chip_ready (struct map_info *
34098 struct cfi_pri_intelext *cfip = cfi->cmdset_priv;
34099 unsigned long timeo = jiffies + HZ;
34100
34101 + pax_track_stack();
34102 +
34103 /* Prevent setting state FL_SYNCING for chip in suspended state. */
34104 if (mode == FL_SYNCING && chip->oldstate != FL_READY)
34105 goto sleep;
34106 @@ -1642,6 +1644,8 @@ static int __xipram do_write_buffer(stru
34107 unsigned long initial_adr;
34108 int initial_len = len;
34109
34110 + pax_track_stack();
34111 +
34112 wbufsize = cfi_interleave(cfi) << cfi->cfiq->MaxBufWriteSize;
34113 adr += chip->start;
34114 initial_adr = adr;
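Review bot: `pax_track_stack()` is added to a function marked `__xipram`, and nothing in the hunk shows the helper carrying that marking. If `__xipram` is there so the function can run while the flash is out of read mode, as the name suggests, then calls to code outside that section are only safe before the chip is switched. Here the call sits at function entry, ahead of any flash command visible in the hunk, so the placement looks safe, but that constraint should be recorded: `/* keep at entry: pax_track_stack() is not __xipram */`. The same applies to `do_erase_oneblock()` in the next hunk. Both function bodies continue outside their hunks.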
34115 @@ -1860,6 +1864,8 @@ static int __xipram do_erase_oneblock(st
34116 int retries = 3;
34117 int ret;
34118
34119 + pax_track_stack();
34120 +
34121 adr += chip->start;
34122
34123 retry:
34124 diff -urNp linux-2.6.32.46/drivers/mtd/chips/cfi_cmdset_0020.c linux-2.6.32.46/drivers/mtd/chips/cfi_cmdset_0020.c
34125 --- linux-2.6.32.46/drivers/mtd/chips/cfi_cmdset_0020.c 2011-03-27 14:31:47.000000000 -0400
34126 +++ linux-2.6.32.46/drivers/mtd/chips/cfi_cmdset_0020.c 2011-05-16 21:46:57.000000000 -0400
34127 @@ -255,6 +255,8 @@ static inline int do_read_onechip(struct
34128 unsigned long cmd_addr;
34129 struct cfi_private *cfi = map->fldrv_priv;
34130
34131 + pax_track_stack();
34132 +
34133 adr += chip->start;
34134
34135 /* Ensure cmd read/writes are aligned. */
34136 @@ -428,6 +430,8 @@ static inline int do_write_buffer(struct
34137 DECLARE_WAITQUEUE(wait, current);
34138 int wbufsize, z;
34139
34140 + pax_track_stack();
34141 +
34142 /* M58LW064A requires bus alignment for buffer wriets -- saw */
34143 if (adr & (map_bankwidth(map)-1))
34144 return -EINVAL;
34145 @@ -742,6 +746,8 @@ static inline int do_erase_oneblock(stru
34146 DECLARE_WAITQUEUE(wait, current);
34147 int ret = 0;
34148
34149 + pax_track_stack();
34150 +
34151 adr += chip->start;
34152
34153 /* Let's determine this according to the interleave only once */
34154 @@ -1047,6 +1053,8 @@ static inline int do_lock_oneblock(struc
34155 unsigned long timeo = jiffies + HZ;
34156 DECLARE_WAITQUEUE(wait, current);
34157
34158 + pax_track_stack();
34159 +
34160 adr += chip->start;
34161
34162 /* Let's determine this according to the interleave only once */
34163 @@ -1196,6 +1204,8 @@ static inline int do_unlock_oneblock(str
34164 unsigned long timeo = jiffies + HZ;
34165 DECLARE_WAITQUEUE(wait, current);
34166
34167 + pax_track_stack();
34168 +
34169 adr += chip->start;
34170
34171 /* Let's determine this according to the interleave only once */
34172 diff -urNp linux-2.6.32.46/drivers/mtd/devices/doc2000.c linux-2.6.32.46/drivers/mtd/devices/doc2000.c
34173 --- linux-2.6.32.46/drivers/mtd/devices/doc2000.c 2011-03-27 14:31:47.000000000 -0400
34174 +++ linux-2.6.32.46/drivers/mtd/devices/doc2000.c 2011-04-17 15:56:46.000000000 -0400
34175 @@ -776,7 +776,7 @@ static int doc_write(struct mtd_info *mt
34176
34177 /* The ECC will not be calculated correctly if less than 512 is written */
34178 /* DBB-
34179 - if (len != 0x200 && eccbuf)
34180 + if (len != 0x200)
34181 printk(KERN_WARNING
34182 "ECC needs a full sector write (adr: %lx size %lx)\n",
34183 (long) to, (long) len);
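Review bot: The condition changed here sits inside the comment opened by `/* DBB-` two lines above, so as far as the hunk shows, neither the old nor the new `if` is compiled. Dropping `&& eccbuf` therefore has no effect on the built driver and only adds noise to the patch. If the edit just keeps the dead code consistent with a removed `eccbuf` parameter, say so in the comment; otherwise leave the block untouched. The end of the comment is outside the hunk, so this reading should be confirmed against the full file.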
34184 diff -urNp linux-2.6.32.46/drivers/mtd/devices/doc2001.c linux-2.6.32.46/drivers/mtd/devices/doc2001.c
34185 --- linux-2.6.32.46/drivers/mtd/devices/doc2001.c 2011-03-27 14:31:47.000000000 -0400
34186 +++ linux-2.6.32.46/drivers/mtd/devices/doc2001.c 2011-04-17 15:56:46.000000000 -0400
34187 @@ -393,7 +393,7 @@ static int doc_read (struct mtd_info *mt
34188 struct Nand *mychip = &this->chips[from >> (this->chipshift)];
34189
34190 /* Don't allow read past end of device */
34191 - if (from >= this->totlen)
34192 + if (from >= this->totlen || !len)
34193 return -EINVAL;
34194
34195 /* Don't allow a single read to cross a 512-byte block boundary */
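Review bot: The new `!len` test is appended to the range check under the comment "Don't allow read past end of device", which does not describe it. A zero-length read now fails with `-EINVAL` instead of completing with nothing read. If rejecting it is intended, give it its own statement and comment, e.g. `/* reject zero-length reads */` followed by `if (!len) return -EINVAL;`. Note also that `mychip` is already computed from `from` in the context line above, before `from` is range-checked. The body of `doc_read()` continues outside the hunk.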
34196 diff -urNp linux-2.6.32.46/drivers/mtd/ftl.c linux-2.6.32.46/drivers/mtd/ftl.c
34197 --- linux-2.6.32.46/drivers/mtd/ftl.c 2011-03-27 14:31:47.000000000 -0400
34198 +++ linux-2.6.32.46/drivers/mtd/ftl.c 2011-05-16 21:46:57.000000000 -0400
34199 @@ -474,6 +474,8 @@ static int copy_erase_unit(partition_t *
34200 loff_t offset;
34201 uint16_t srcunitswap = cpu_to_le16(srcunit);
34202
34203 + pax_track_stack();
34204 +
34205 eun = &part->EUNInfo[srcunit];
34206 xfer = &part->XferInfo[xferunit];
34207 DEBUG(2, "ftl_cs: copying block 0x%x to 0x%x\n",
34208 diff -urNp linux-2.6.32.46/drivers/mtd/inftlcore.c linux-2.6.32.46/drivers/mtd/inftlcore.c
34209 --- linux-2.6.32.46/drivers/mtd/inftlcore.c 2011-03-27 14:31:47.000000000 -0400
34210 +++ linux-2.6.32.46/drivers/mtd/inftlcore.c 2011-05-16 21:46:57.000000000 -0400
34211 @@ -260,6 +260,8 @@ static u16 INFTL_foldchain(struct INFTLr
34212 struct inftl_oob oob;
34213 size_t retlen;
34214
34215 + pax_track_stack();
34216 +
34217 DEBUG(MTD_DEBUG_LEVEL3, "INFTL: INFTL_foldchain(inftl=%p,thisVUC=%d,"
34218 "pending=%d)\n", inftl, thisVUC, pendingblock);
34219
34220 diff -urNp linux-2.6.32.46/drivers/mtd/inftlmount.c linux-2.6.32.46/drivers/mtd/inftlmount.c
34221 --- linux-2.6.32.46/drivers/mtd/inftlmount.c 2011-03-27 14:31:47.000000000 -0400
34222 +++ linux-2.6.32.46/drivers/mtd/inftlmount.c 2011-05-16 21:46:57.000000000 -0400
34223 @@ -54,6 +54,8 @@ static int find_boot_record(struct INFTL
34224 struct INFTLPartition *ip;
34225 size_t retlen;
34226
34227 + pax_track_stack();
34228 +
34229 DEBUG(MTD_DEBUG_LEVEL3, "INFTL: find_boot_record(inftl=%p)\n", inftl);
34230
34231 /*
34232 diff -urNp linux-2.6.32.46/drivers/mtd/lpddr/qinfo_probe.c linux-2.6.32.46/drivers/mtd/lpddr/qinfo_probe.c
34233 --- linux-2.6.32.46/drivers/mtd/lpddr/qinfo_probe.c 2011-03-27 14:31:47.000000000 -0400
34234 +++ linux-2.6.32.46/drivers/mtd/lpddr/qinfo_probe.c 2011-05-16 21:46:57.000000000 -0400
34235 @@ -106,6 +106,8 @@ static int lpddr_pfow_present(struct map
34236 {
34237 map_word pfow_val[4];
34238
34239 + pax_track_stack();
34240 +
34241 /* Check identification string */
34242 pfow_val[0] = map_read(map, map->pfow_base + PFOW_QUERY_STRING_P);
34243 pfow_val[1] = map_read(map, map->pfow_base + PFOW_QUERY_STRING_F);
34244 diff -urNp linux-2.6.32.46/drivers/mtd/mtdchar.c linux-2.6.32.46/drivers/mtd/mtdchar.c
34245 --- linux-2.6.32.46/drivers/mtd/mtdchar.c 2011-03-27 14:31:47.000000000 -0400
34246 +++ linux-2.6.32.46/drivers/mtd/mtdchar.c 2011-05-16 21:46:57.000000000 -0400
34247 @@ -460,6 +460,8 @@ static int mtd_ioctl(struct inode *inode
34248 u_long size;
34249 struct mtd_info_user info;
34250
34251 + pax_track_stack();
34252 +
34253 DEBUG(MTD_DEBUG_LEVEL0, "MTD_ioctl\n");
34254
34255 size = (cmd & IOCSIZE_MASK) >> IOCSIZE_SHIFT;
34256 diff -urNp linux-2.6.32.46/drivers/mtd/nftlcore.c linux-2.6.32.46/drivers/mtd/nftlcore.c
34257 --- linux-2.6.32.46/drivers/mtd/nftlcore.c 2011-03-27 14:31:47.000000000 -0400
34258 +++ linux-2.6.32.46/drivers/mtd/nftlcore.c 2011-05-16 21:46:57.000000000 -0400
34259 @@ -254,6 +254,8 @@ static u16 NFTL_foldchain (struct NFTLre
34260 int inplace = 1;
34261 size_t retlen;
34262
34263 + pax_track_stack();
34264 +
34265 memset(BlockMap, 0xff, sizeof(BlockMap));
34266 memset(BlockFreeFound, 0, sizeof(BlockFreeFound));
34267
34268 diff -urNp linux-2.6.32.46/drivers/mtd/nftlmount.c linux-2.6.32.46/drivers/mtd/nftlmount.c
34269 --- linux-2.6.32.46/drivers/mtd/nftlmount.c 2011-03-27 14:31:47.000000000 -0400
34270 +++ linux-2.6.32.46/drivers/mtd/nftlmount.c 2011-05-18 20:09:37.000000000 -0400
34271 @@ -23,6 +23,7 @@
34272 #include <asm/errno.h>
34273 #include <linux/delay.h>
34274 #include <linux/slab.h>
34275 +#include <linux/sched.h>
34276 #include <linux/mtd/mtd.h>
34277 #include <linux/mtd/nand.h>
34278 #include <linux/mtd/nftl.h>
34279 @@ -44,6 +45,8 @@ static int find_boot_record(struct NFTLr
34280 struct mtd_info *mtd = nftl->mbd.mtd;
34281 unsigned int i;
34282
34283 + pax_track_stack();
34284 +
34285 /* Assume logical EraseSize == physical erasesize for starting the scan.
34286 We'll sort it out later if we find a MediaHeader which says otherwise */
34287 /* Actually, we won't. The new DiskOnChip driver has already scanned
34288 diff -urNp linux-2.6.32.46/drivers/mtd/ubi/build.c linux-2.6.32.46/drivers/mtd/ubi/build.c
34289 --- linux-2.6.32.46/drivers/mtd/ubi/build.c 2011-03-27 14:31:47.000000000 -0400
34290 +++ linux-2.6.32.46/drivers/mtd/ubi/build.c 2011-04-17 15:56:46.000000000 -0400
34291 @@ -1255,7 +1255,7 @@ module_exit(ubi_exit);
34292 static int __init bytes_str_to_int(const char *str)
34293 {
34294 char *endp;
34295 - unsigned long result;
34296 + unsigned long result, scale = 1;
34297
34298 result = simple_strtoul(str, &endp, 0);
34299 if (str == endp || result >= INT_MAX) {
34300 @@ -1266,11 +1266,11 @@ static int __init bytes_str_to_int(const
34301
34302 switch (*endp) {
34303 case 'G':
34304 - result *= 1024;
34305 + scale *= 1024;
34306 case 'M':
34307 - result *= 1024;
34308 + scale *= 1024;
34309 case 'K':
34310 - result *= 1024;
34311 + scale *= 1024;
34312 if (endp[1] == 'i' && endp[2] == 'B')
34313 endp += 2;
34314 case '\0':
34315 @@ -1281,7 +1281,13 @@ static int __init bytes_str_to_int(const
34316 return -EINVAL;
34317 }
34318
34319 - return result;
34320 + if ((intoverflow_t)result*scale >= INT_MAX) {
34321 + printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
34322 + str);
34323 + return -EINVAL;
34324 + }
34325 +
34326 + return result*scale;
34327 }
34328
34329 /**
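Review bot: In `(intoverflow_t)result*scale >= INT_MAX` the cast binds to `result` alone and the multiply then happens in the wider type. That is the intended widening, but it is easy to misread, and nothing explains why the suffix arms in the previous hunk now accumulate into `scale` instead of `result`. I would space and comment it: `/* multiply in a wider type: result * scale can wrap unsigned long on 32-bit */` above `if ((intoverflow_t)result * scale >= INT_MAX) {`. The `case 'G':`, `case 'M':` and `case 'K':` arms in the previous hunk rely on fall-through and would read more safely with a `/* fall through */` marker after each `scale *= 1024;`. `bytes_str_to_int()` spans three hunks, so parts of it are not visible here.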
34330 diff -urNp linux-2.6.32.46/drivers/net/bnx2.c linux-2.6.32.46/drivers/net/bnx2.c
34331 --- linux-2.6.32.46/drivers/net/bnx2.c 2011-03-27 14:31:47.000000000 -0400
34332 +++ linux-2.6.32.46/drivers/net/bnx2.c 2011-05-16 21:46:57.000000000 -0400
34333 @@ -5809,6 +5809,8 @@ bnx2_test_nvram(struct bnx2 *bp)
34334 int rc = 0;
34335 u32 magic, csum;
34336
34337 + pax_track_stack();
34338 +
34339 if ((rc = bnx2_nvram_read(bp, 0, data, 4)) != 0)
34340 goto test_nvram_done;
34341
34342 diff -urNp linux-2.6.32.46/drivers/net/cxgb3/l2t.h linux-2.6.32.46/drivers/net/cxgb3/l2t.h
34343 --- linux-2.6.32.46/drivers/net/cxgb3/l2t.h 2011-03-27 14:31:47.000000000 -0400
34344 +++ linux-2.6.32.46/drivers/net/cxgb3/l2t.h 2011-08-05 20:33:55.000000000 -0400
34345 @@ -86,7 +86,7 @@ typedef void (*arp_failure_handler_func)
34346 */
34347 struct l2t_skb_cb {
34348 arp_failure_handler_func arp_failure_handler;
34349 -};
34350 +} __no_const;
34351
34352 #define L2T_SKB_CB(skb) ((struct l2t_skb_cb *)(skb)->cb)
34353
34354 diff -urNp linux-2.6.32.46/drivers/net/cxgb3/t3_hw.c linux-2.6.32.46/drivers/net/cxgb3/t3_hw.c
34355 --- linux-2.6.32.46/drivers/net/cxgb3/t3_hw.c 2011-03-27 14:31:47.000000000 -0400
34356 +++ linux-2.6.32.46/drivers/net/cxgb3/t3_hw.c 2011-05-16 21:46:57.000000000 -0400
34357 @@ -699,6 +699,8 @@ static int get_vpd_params(struct adapter
34358 int i, addr, ret;
34359 struct t3_vpd vpd;
34360
34361 + pax_track_stack();
34362 +
34363 /*
34364 * Card information is normally at VPD_BASE but some early cards had
34365 * it at 0.
34366 diff -urNp linux-2.6.32.46/drivers/net/e1000e/82571.c linux-2.6.32.46/drivers/net/e1000e/82571.c
34367 --- linux-2.6.32.46/drivers/net/e1000e/82571.c 2011-03-27 14:31:47.000000000 -0400
34368 +++ linux-2.6.32.46/drivers/net/e1000e/82571.c 2011-08-23 21:22:32.000000000 -0400
34369 @@ -212,7 +212,7 @@ static s32 e1000_init_mac_params_82571(s
34370 {
34371 struct e1000_hw *hw = &adapter->hw;
34372 struct e1000_mac_info *mac = &hw->mac;
34373 - struct e1000_mac_operations *func = &mac->ops;
34374 + e1000_mac_operations_no_const *func = &mac->ops;
34375 u32 swsm = 0;
34376 u32 swsm2 = 0;
34377 bool force_clear_smbi = false;
34378 @@ -1656,7 +1656,7 @@ static void e1000_clear_hw_cntrs_82571(s
34379 temp = er32(ICRXDMTC);
34380 }
34381
34382 -static struct e1000_mac_operations e82571_mac_ops = {
34383 +static const struct e1000_mac_operations e82571_mac_ops = {
34384 /* .check_mng_mode: mac type dependent */
34385 /* .check_for_link: media type dependent */
34386 .id_led_init = e1000e_id_led_init,
34387 @@ -1674,7 +1674,7 @@ static struct e1000_mac_operations e8257
34388 .setup_led = e1000e_setup_led_generic,
34389 };
34390
34391 -static struct e1000_phy_operations e82_phy_ops_igp = {
34392 +static const struct e1000_phy_operations e82_phy_ops_igp = {
34393 .acquire_phy = e1000_get_hw_semaphore_82571,
34394 .check_reset_block = e1000e_check_reset_block_generic,
34395 .commit_phy = NULL,
34396 @@ -1691,7 +1691,7 @@ static struct e1000_phy_operations e82_p
34397 .cfg_on_link_up = NULL,
34398 };
34399
34400 -static struct e1000_phy_operations e82_phy_ops_m88 = {
34401 +static const struct e1000_phy_operations e82_phy_ops_m88 = {
34402 .acquire_phy = e1000_get_hw_semaphore_82571,
34403 .check_reset_block = e1000e_check_reset_block_generic,
34404 .commit_phy = e1000e_phy_sw_reset,
34405 @@ -1708,7 +1708,7 @@ static struct e1000_phy_operations e82_p
34406 .cfg_on_link_up = NULL,
34407 };
34408
34409 -static struct e1000_phy_operations e82_phy_ops_bm = {
34410 +static const struct e1000_phy_operations e82_phy_ops_bm = {
34411 .acquire_phy = e1000_get_hw_semaphore_82571,
34412 .check_reset_block = e1000e_check_reset_block_generic,
34413 .commit_phy = e1000e_phy_sw_reset,
34414 @@ -1725,7 +1725,7 @@ static struct e1000_phy_operations e82_p
34415 .cfg_on_link_up = NULL,
34416 };
34417
34418 -static struct e1000_nvm_operations e82571_nvm_ops = {
34419 +static const struct e1000_nvm_operations e82571_nvm_ops = {
34420 .acquire_nvm = e1000_acquire_nvm_82571,
34421 .read_nvm = e1000e_read_nvm_eerd,
34422 .release_nvm = e1000_release_nvm_82571,
34423 diff -urNp linux-2.6.32.46/drivers/net/e1000e/e1000.h linux-2.6.32.46/drivers/net/e1000e/e1000.h
34424 --- linux-2.6.32.46/drivers/net/e1000e/e1000.h 2011-03-27 14:31:47.000000000 -0400
34425 +++ linux-2.6.32.46/drivers/net/e1000e/e1000.h 2011-04-17 15:56:46.000000000 -0400
34426 @@ -375,9 +375,9 @@ struct e1000_info {
34427 u32 pba;
34428 u32 max_hw_frame_size;
34429 s32 (*get_variants)(struct e1000_adapter *);
34430 - struct e1000_mac_operations *mac_ops;
34431 - struct e1000_phy_operations *phy_ops;
34432 - struct e1000_nvm_operations *nvm_ops;
34433 + const struct e1000_mac_operations *mac_ops;
34434 + const struct e1000_phy_operations *phy_ops;
34435 + const struct e1000_nvm_operations *nvm_ops;
34436 };
34437
34438 /* hardware capability, feature, and workaround flags */
34439 diff -urNp linux-2.6.32.46/drivers/net/e1000e/es2lan.c linux-2.6.32.46/drivers/net/e1000e/es2lan.c
34440 --- linux-2.6.32.46/drivers/net/e1000e/es2lan.c 2011-03-27 14:31:47.000000000 -0400
34441 +++ linux-2.6.32.46/drivers/net/e1000e/es2lan.c 2011-08-23 21:22:32.000000000 -0400
34442 @@ -207,7 +207,7 @@ static s32 e1000_init_mac_params_80003es
34443 {
34444 struct e1000_hw *hw = &adapter->hw;
34445 struct e1000_mac_info *mac = &hw->mac;
34446 - struct e1000_mac_operations *func = &mac->ops;
34447 + e1000_mac_operations_no_const *func = &mac->ops;
34448
34449 /* Set media type */
34450 switch (adapter->pdev->device) {
34451 @@ -1365,7 +1365,7 @@ static void e1000_clear_hw_cntrs_80003es
34452 temp = er32(ICRXDMTC);
34453 }
34454
34455 -static struct e1000_mac_operations es2_mac_ops = {
34456 +static const struct e1000_mac_operations es2_mac_ops = {
34457 .id_led_init = e1000e_id_led_init,
34458 .check_mng_mode = e1000e_check_mng_mode_generic,
34459 /* check_for_link dependent on media type */
34460 @@ -1383,7 +1383,7 @@ static struct e1000_mac_operations es2_m
34461 .setup_led = e1000e_setup_led_generic,
34462 };
34463
34464 -static struct e1000_phy_operations es2_phy_ops = {
34465 +static const struct e1000_phy_operations es2_phy_ops = {
34466 .acquire_phy = e1000_acquire_phy_80003es2lan,
34467 .check_reset_block = e1000e_check_reset_block_generic,
34468 .commit_phy = e1000e_phy_sw_reset,
34469 @@ -1400,7 +1400,7 @@ static struct e1000_phy_operations es2_p
34470 .cfg_on_link_up = e1000_cfg_on_link_up_80003es2lan,
34471 };
34472
34473 -static struct e1000_nvm_operations es2_nvm_ops = {
34474 +static const struct e1000_nvm_operations es2_nvm_ops = {
34475 .acquire_nvm = e1000_acquire_nvm_80003es2lan,
34476 .read_nvm = e1000e_read_nvm_eerd,
34477 .release_nvm = e1000_release_nvm_80003es2lan,
34478 diff -urNp linux-2.6.32.46/drivers/net/e1000e/hw.h linux-2.6.32.46/drivers/net/e1000e/hw.h
34479 --- linux-2.6.32.46/drivers/net/e1000e/hw.h 2011-03-27 14:31:47.000000000 -0400
34480 +++ linux-2.6.32.46/drivers/net/e1000e/hw.h 2011-08-23 21:27:38.000000000 -0400
34481 @@ -753,6 +753,7 @@ struct e1000_mac_operations {
34482 s32 (*setup_physical_interface)(struct e1000_hw *);
34483 s32 (*setup_led)(struct e1000_hw *);
34484 };
34485 +typedef struct e1000_mac_operations __no_const e1000_mac_operations_no_const;
34486
34487 /* Function pointers for the PHY. */
34488 struct e1000_phy_operations {
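Review bot: The new typedef `e1000_mac_operations_no_const` carries no comment, so the reason for a writable twin of `struct e1000_mac_operations` has to be pieced together from other files. Elsewhere in this patch the per-chip tables such as `e82571_mac_ops` become `const`, while the copy embedded in `struct e1000_mac_info` is still reached through a non-const pointer (`func = &mac->ops` in `e1000_init_mac_params_82571`), presumably to be filled in at run time. A line such as `/* writable variant for the ops copy embedded in e1000_mac_info, set up at init */` above the typedef would record that. The same applies to the phy and nvm typedefs in the following hunks and to the matching typedefs in igb/e1000_hw.h and igbvf/vf.h.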
34489 @@ -774,6 +775,7 @@ struct e1000_phy_operations {
34490 s32 (*write_phy_reg_locked)(struct e1000_hw *, u32, u16);
34491 s32 (*cfg_on_link_up)(struct e1000_hw *);
34492 };
34493 +typedef struct e1000_phy_operations __no_const e1000_phy_operations_no_const;
34494
34495 /* Function pointers for the NVM. */
34496 struct e1000_nvm_operations {
34497 @@ -785,9 +787,10 @@ struct e1000_nvm_operations {
34498 s32 (*validate_nvm)(struct e1000_hw *);
34499 s32 (*write_nvm)(struct e1000_hw *, u16, u16, u16 *);
34500 };
34501 +typedef struct e1000_nvm_operations __no_const e1000_nvm_operations_no_const;
34502
34503 struct e1000_mac_info {
34504 - struct e1000_mac_operations ops;
34505 + e1000_mac_operations_no_const ops;
34506
34507 u8 addr[6];
34508 u8 perm_addr[6];
34509 @@ -823,7 +826,7 @@ struct e1000_mac_info {
34510 };
34511
34512 struct e1000_phy_info {
34513 - struct e1000_phy_operations ops;
34514 + e1000_phy_operations_no_const ops;
34515
34516 enum e1000_phy_type type;
34517
34518 @@ -857,7 +860,7 @@ struct e1000_phy_info {
34519 };
34520
34521 struct e1000_nvm_info {
34522 - struct e1000_nvm_operations ops;
34523 + e1000_nvm_operations_no_const ops;
34524
34525 enum e1000_nvm_type type;
34526 enum e1000_nvm_override override;
34527 diff -urNp linux-2.6.32.46/drivers/net/e1000e/ich8lan.c linux-2.6.32.46/drivers/net/e1000e/ich8lan.c
34528 --- linux-2.6.32.46/drivers/net/e1000e/ich8lan.c 2011-05-10 22:12:01.000000000 -0400
34529 +++ linux-2.6.32.46/drivers/net/e1000e/ich8lan.c 2011-08-23 21:22:32.000000000 -0400
34530 @@ -3463,7 +3463,7 @@ static void e1000_clear_hw_cntrs_ich8lan
34531 }
34532 }
34533
34534 -static struct e1000_mac_operations ich8_mac_ops = {
34535 +static const struct e1000_mac_operations ich8_mac_ops = {
34536 .id_led_init = e1000e_id_led_init,
34537 .check_mng_mode = e1000_check_mng_mode_ich8lan,
34538 .check_for_link = e1000_check_for_copper_link_ich8lan,
34539 @@ -3481,7 +3481,7 @@ static struct e1000_mac_operations ich8_
34540 /* id_led_init dependent on mac type */
34541 };
34542
34543 -static struct e1000_phy_operations ich8_phy_ops = {
34544 +static const struct e1000_phy_operations ich8_phy_ops = {
34545 .acquire_phy = e1000_acquire_swflag_ich8lan,
34546 .check_reset_block = e1000_check_reset_block_ich8lan,
34547 .commit_phy = NULL,
34548 @@ -3497,7 +3497,7 @@ static struct e1000_phy_operations ich8_
34549 .write_phy_reg = e1000e_write_phy_reg_igp,
34550 };
34551
34552 -static struct e1000_nvm_operations ich8_nvm_ops = {
34553 +static const struct e1000_nvm_operations ich8_nvm_ops = {
34554 .acquire_nvm = e1000_acquire_nvm_ich8lan,
34555 .read_nvm = e1000_read_nvm_ich8lan,
34556 .release_nvm = e1000_release_nvm_ich8lan,
34557 diff -urNp linux-2.6.32.46/drivers/net/hamradio/6pack.c linux-2.6.32.46/drivers/net/hamradio/6pack.c
34558 --- linux-2.6.32.46/drivers/net/hamradio/6pack.c 2011-07-13 17:23:04.000000000 -0400
34559 +++ linux-2.6.32.46/drivers/net/hamradio/6pack.c 2011-07-13 17:23:18.000000000 -0400
34560 @@ -461,6 +461,8 @@ static void sixpack_receive_buf(struct t
34561 unsigned char buf[512];
34562 int count1;
34563
34564 + pax_track_stack();
34565 +
34566 if (!count)
34567 return;
34568
34569 diff -urNp linux-2.6.32.46/drivers/net/ibmveth.c linux-2.6.32.46/drivers/net/ibmveth.c
34570 --- linux-2.6.32.46/drivers/net/ibmveth.c 2011-03-27 14:31:47.000000000 -0400
34571 +++ linux-2.6.32.46/drivers/net/ibmveth.c 2011-04-17 15:56:46.000000000 -0400
34572 @@ -1577,7 +1577,7 @@ static struct attribute * veth_pool_attr
34573 NULL,
34574 };
34575
34576 -static struct sysfs_ops veth_pool_ops = {
34577 +static const struct sysfs_ops veth_pool_ops = {
34578 .show = veth_pool_show,
34579 .store = veth_pool_store,
34580 };
34581 diff -urNp linux-2.6.32.46/drivers/net/igb/e1000_82575.c linux-2.6.32.46/drivers/net/igb/e1000_82575.c
34582 --- linux-2.6.32.46/drivers/net/igb/e1000_82575.c 2011-08-29 22:24:44.000000000 -0400
34583 +++ linux-2.6.32.46/drivers/net/igb/e1000_82575.c 2011-08-29 22:25:07.000000000 -0400
34584 @@ -1411,7 +1411,7 @@ void igb_vmdq_set_replication_pf(struct
34585 wr32(E1000_VT_CTL, vt_ctl);
34586 }
34587
34588 -static struct e1000_mac_operations e1000_mac_ops_82575 = {
34589 +static const struct e1000_mac_operations e1000_mac_ops_82575 = {
34590 .reset_hw = igb_reset_hw_82575,
34591 .init_hw = igb_init_hw_82575,
34592 .check_for_link = igb_check_for_link_82575,
34593 @@ -1420,13 +1420,13 @@ static struct e1000_mac_operations e1000
34594 .get_speed_and_duplex = igb_get_speed_and_duplex_copper,
34595 };
34596
34597 -static struct e1000_phy_operations e1000_phy_ops_82575 = {
34598 +static const struct e1000_phy_operations e1000_phy_ops_82575 = {
34599 .acquire = igb_acquire_phy_82575,
34600 .get_cfg_done = igb_get_cfg_done_82575,
34601 .release = igb_release_phy_82575,
34602 };
34603
34604 -static struct e1000_nvm_operations e1000_nvm_ops_82575 = {
34605 +static const struct e1000_nvm_operations e1000_nvm_ops_82575 = {
34606 .acquire = igb_acquire_nvm_82575,
34607 .read = igb_read_nvm_eerd,
34608 .release = igb_release_nvm_82575,
34609 diff -urNp linux-2.6.32.46/drivers/net/igb/e1000_hw.h linux-2.6.32.46/drivers/net/igb/e1000_hw.h
34610 --- linux-2.6.32.46/drivers/net/igb/e1000_hw.h 2011-03-27 14:31:47.000000000 -0400
34611 +++ linux-2.6.32.46/drivers/net/igb/e1000_hw.h 2011-08-23 21:28:01.000000000 -0400
34612 @@ -288,6 +288,7 @@ struct e1000_mac_operations {
34613 s32 (*read_mac_addr)(struct e1000_hw *);
34614 s32 (*get_speed_and_duplex)(struct e1000_hw *, u16 *, u16 *);
34615 };
34616 +typedef struct e1000_mac_operations __no_const e1000_mac_operations_no_const;
34617
34618 struct e1000_phy_operations {
34619 s32 (*acquire)(struct e1000_hw *);
34620 @@ -303,6 +304,7 @@ struct e1000_phy_operations {
34621 s32 (*set_d3_lplu_state)(struct e1000_hw *, bool);
34622 s32 (*write_reg)(struct e1000_hw *, u32, u16);
34623 };
34624 +typedef struct e1000_phy_operations __no_const e1000_phy_operations_no_const;
34625
34626 struct e1000_nvm_operations {
34627 s32 (*acquire)(struct e1000_hw *);
34628 @@ -310,6 +312,7 @@ struct e1000_nvm_operations {
34629 void (*release)(struct e1000_hw *);
34630 s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
34631 };
34632 +typedef struct e1000_nvm_operations __no_const e1000_nvm_operations_no_const;
34633
34634 struct e1000_info {
34635 s32 (*get_invariants)(struct e1000_hw *);
34636 @@ -321,7 +324,7 @@ struct e1000_info {
34637 extern const struct e1000_info e1000_82575_info;
34638
34639 struct e1000_mac_info {
34640 - struct e1000_mac_operations ops;
34641 + e1000_mac_operations_no_const ops;
34642
34643 u8 addr[6];
34644 u8 perm_addr[6];
34645 @@ -365,7 +368,7 @@ struct e1000_mac_info {
34646 };
34647
34648 struct e1000_phy_info {
34649 - struct e1000_phy_operations ops;
34650 + e1000_phy_operations_no_const ops;
34651
34652 enum e1000_phy_type type;
34653
34654 @@ -400,7 +403,7 @@ struct e1000_phy_info {
34655 };
34656
34657 struct e1000_nvm_info {
34658 - struct e1000_nvm_operations ops;
34659 + e1000_nvm_operations_no_const ops;
34660
34661 enum e1000_nvm_type type;
34662 enum e1000_nvm_override override;
34663 @@ -446,6 +449,7 @@ struct e1000_mbx_operations {
34664 s32 (*check_for_ack)(struct e1000_hw *, u16);
34665 s32 (*check_for_rst)(struct e1000_hw *, u16);
34666 };
34667 +typedef struct e1000_mbx_operations __no_const e1000_mbx_operations_no_const;
34668
34669 struct e1000_mbx_stats {
34670 u32 msgs_tx;
34671 @@ -457,7 +461,7 @@ struct e1000_mbx_stats {
34672 };
34673
34674 struct e1000_mbx_info {
34675 - struct e1000_mbx_operations ops;
34676 + e1000_mbx_operations_no_const ops;
34677 struct e1000_mbx_stats stats;
34678 u32 timeout;
34679 u32 usec_delay;
34680 diff -urNp linux-2.6.32.46/drivers/net/igbvf/vf.h linux-2.6.32.46/drivers/net/igbvf/vf.h
34681 --- linux-2.6.32.46/drivers/net/igbvf/vf.h 2011-03-27 14:31:47.000000000 -0400
34682 +++ linux-2.6.32.46/drivers/net/igbvf/vf.h 2011-08-23 21:22:38.000000000 -0400
34683 @@ -187,9 +187,10 @@ struct e1000_mac_operations {
34684 s32 (*read_mac_addr)(struct e1000_hw *);
34685 s32 (*set_vfta)(struct e1000_hw *, u16, bool);
34686 };
34687 +typedef struct e1000_mac_operations __no_const e1000_mac_operations_no_const;
34688
34689 struct e1000_mac_info {
34690 - struct e1000_mac_operations ops;
34691 + e1000_mac_operations_no_const ops;
34692 u8 addr[6];
34693 u8 perm_addr[6];
34694
34695 @@ -211,6 +212,7 @@ struct e1000_mbx_operations {
34696 s32 (*check_for_ack)(struct e1000_hw *);
34697 s32 (*check_for_rst)(struct e1000_hw *);
34698 };
34699 +typedef struct e1000_mbx_operations __no_const e1000_mbx_operations_no_const;
34700
34701 struct e1000_mbx_stats {
34702 u32 msgs_tx;
34703 @@ -222,7 +224,7 @@ struct e1000_mbx_stats {
34704 };
34705
34706 struct e1000_mbx_info {
34707 - struct e1000_mbx_operations ops;
34708 + e1000_mbx_operations_no_const ops;
34709 struct e1000_mbx_stats stats;
34710 u32 timeout;
34711 u32 usec_delay;
34712 diff -urNp linux-2.6.32.46/drivers/net/iseries_veth.c linux-2.6.32.46/drivers/net/iseries_veth.c
34713 --- linux-2.6.32.46/drivers/net/iseries_veth.c 2011-03-27 14:31:47.000000000 -0400
34714 +++ linux-2.6.32.46/drivers/net/iseries_veth.c 2011-04-17 15:56:46.000000000 -0400
34715 @@ -384,7 +384,7 @@ static struct attribute *veth_cnx_defaul
34716 NULL
34717 };
34718
34719 -static struct sysfs_ops veth_cnx_sysfs_ops = {
34720 +static const struct sysfs_ops veth_cnx_sysfs_ops = {
34721 .show = veth_cnx_attribute_show
34722 };
34723
34724 @@ -441,7 +441,7 @@ static struct attribute *veth_port_defau
34725 NULL
34726 };
34727
34728 -static struct sysfs_ops veth_port_sysfs_ops = {
34729 +static const struct sysfs_ops veth_port_sysfs_ops = {
34730 .show = veth_port_attribute_show
34731 };
34732
34733 diff -urNp linux-2.6.32.46/drivers/net/ixgb/ixgb_main.c linux-2.6.32.46/drivers/net/ixgb/ixgb_main.c
34734 --- linux-2.6.32.46/drivers/net/ixgb/ixgb_main.c 2011-03-27 14:31:47.000000000 -0400
34735 +++ linux-2.6.32.46/drivers/net/ixgb/ixgb_main.c 2011-05-16 21:46:57.000000000 -0400
34736 @@ -1052,6 +1052,8 @@ ixgb_set_multi(struct net_device *netdev
34737 u32 rctl;
34738 int i;
34739
34740 + pax_track_stack();
34741 +
34742 /* Check for Promiscuous and All Multicast modes */
34743
34744 rctl = IXGB_READ_REG(hw, RCTL);
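Review bot: The added `pax_track_stack();` has no comment saying why this function needs it, and the hunk does not show the locals that would justify it (ixgb_set_multi starts and ends outside the hunk). Presumably the function has a large stack frame and the call lets the stack-sanitizing feature account for the depth reached. A short comment such as `/* large on-stack buffer: record stack depth for stack sanitizing */` would let a later reader check that the call is still needed. The same applies to the calls added in ixgb_check_options, mlx4_init_hca and niu_try_msix.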
34745 diff -urNp linux-2.6.32.46/drivers/net/ixgb/ixgb_param.c linux-2.6.32.46/drivers/net/ixgb/ixgb_param.c
34746 --- linux-2.6.32.46/drivers/net/ixgb/ixgb_param.c 2011-03-27 14:31:47.000000000 -0400
34747 +++ linux-2.6.32.46/drivers/net/ixgb/ixgb_param.c 2011-05-16 21:46:57.000000000 -0400
34748 @@ -260,6 +260,9 @@ void __devinit
34749 ixgb_check_options(struct ixgb_adapter *adapter)
34750 {
34751 int bd = adapter->bd_number;
34752 +
34753 + pax_track_stack();
34754 +
34755 if (bd >= IXGB_MAX_NIC) {
34756 printk(KERN_NOTICE
34757 "Warning: no configuration for board #%i\n", bd);
34758 diff -urNp linux-2.6.32.46/drivers/net/ixgbe/ixgbe_type.h linux-2.6.32.46/drivers/net/ixgbe/ixgbe_type.h
34759 --- linux-2.6.32.46/drivers/net/ixgbe/ixgbe_type.h 2011-03-27 14:31:47.000000000 -0400
34760 +++ linux-2.6.32.46/drivers/net/ixgbe/ixgbe_type.h 2011-08-23 21:22:38.000000000 -0400
34761 @@ -2327,6 +2327,7 @@ struct ixgbe_eeprom_operations {
34762 s32 (*validate_checksum)(struct ixgbe_hw *, u16 *);
34763 s32 (*update_checksum)(struct ixgbe_hw *);
34764 };
34765 +typedef struct ixgbe_eeprom_operations __no_const ixgbe_eeprom_operations_no_const;
34766
34767 struct ixgbe_mac_operations {
34768 s32 (*init_hw)(struct ixgbe_hw *);
34769 @@ -2376,6 +2377,7 @@ struct ixgbe_mac_operations {
34770 /* Flow Control */
34771 s32 (*fc_enable)(struct ixgbe_hw *, s32);
34772 };
34773 +typedef struct ixgbe_mac_operations __no_const ixgbe_mac_operations_no_const;
34774
34775 struct ixgbe_phy_operations {
34776 s32 (*identify)(struct ixgbe_hw *);
34777 @@ -2394,9 +2396,10 @@ struct ixgbe_phy_operations {
34778 s32 (*read_i2c_eeprom)(struct ixgbe_hw *, u8 , u8 *);
34779 s32 (*write_i2c_eeprom)(struct ixgbe_hw *, u8, u8);
34780 };
34781 +typedef struct ixgbe_phy_operations __no_const ixgbe_phy_operations_no_const;
34782
34783 struct ixgbe_eeprom_info {
34784 - struct ixgbe_eeprom_operations ops;
34785 + ixgbe_eeprom_operations_no_const ops;
34786 enum ixgbe_eeprom_type type;
34787 u32 semaphore_delay;
34788 u16 word_size;
34789 @@ -2404,7 +2407,7 @@ struct ixgbe_eeprom_info {
34790 };
34791
34792 struct ixgbe_mac_info {
34793 - struct ixgbe_mac_operations ops;
34794 + ixgbe_mac_operations_no_const ops;
34795 enum ixgbe_mac_type type;
34796 u8 addr[IXGBE_ETH_LENGTH_OF_ADDRESS];
34797 u8 perm_addr[IXGBE_ETH_LENGTH_OF_ADDRESS];
34798 @@ -2423,7 +2426,7 @@ struct ixgbe_mac_info {
34799 };
34800
34801 struct ixgbe_phy_info {
34802 - struct ixgbe_phy_operations ops;
34803 + ixgbe_phy_operations_no_const ops;
34804 struct mdio_if_info mdio;
34805 enum ixgbe_phy_type type;
34806 u32 id;
34807 diff -urNp linux-2.6.32.46/drivers/net/mlx4/main.c linux-2.6.32.46/drivers/net/mlx4/main.c
34808 --- linux-2.6.32.46/drivers/net/mlx4/main.c 2011-03-27 14:31:47.000000000 -0400
34809 +++ linux-2.6.32.46/drivers/net/mlx4/main.c 2011-05-18 20:09:37.000000000 -0400
34810 @@ -38,6 +38,7 @@
34811 #include <linux/errno.h>
34812 #include <linux/pci.h>
34813 #include <linux/dma-mapping.h>
34814 +#include <linux/sched.h>
34815
34816 #include <linux/mlx4/device.h>
34817 #include <linux/mlx4/doorbell.h>
34818 @@ -730,6 +731,8 @@ static int mlx4_init_hca(struct mlx4_dev
34819 u64 icm_size;
34820 int err;
34821
34822 + pax_track_stack();
34823 +
34824 err = mlx4_QUERY_FW(dev);
34825 if (err) {
34826 if (err == -EACCES)
34827 diff -urNp linux-2.6.32.46/drivers/net/niu.c linux-2.6.32.46/drivers/net/niu.c
34828 --- linux-2.6.32.46/drivers/net/niu.c 2011-05-10 22:12:01.000000000 -0400
34829 +++ linux-2.6.32.46/drivers/net/niu.c 2011-05-16 21:46:57.000000000 -0400
34830 @@ -9128,6 +9128,8 @@ static void __devinit niu_try_msix(struc
34831 int i, num_irqs, err;
34832 u8 first_ldg;
34833
34834 + pax_track_stack();
34835 +
34836 first_ldg = (NIU_NUM_LDG / parent->num_ports) * np->port;
34837 for (i = 0; i < (NIU_NUM_LDG / parent->num_ports); i++)
34838 ldg_num_map[i] = first_ldg + i;
34839 diff -urNp linux-2.6.32.46/drivers/net/pcnet32.c linux-2.6.32.46/drivers/net/pcnet32.c
34840 --- linux-2.6.32.46/drivers/net/pcnet32.c 2011-03-27 14:31:47.000000000 -0400
34841 +++ linux-2.6.32.46/drivers/net/pcnet32.c 2011-08-05 20:33:55.000000000 -0400
34842 @@ -79,7 +79,7 @@ static int cards_found;
34843 /*
34844 * VLB I/O addresses
34845 */
34846 -static unsigned int pcnet32_portlist[] __initdata =
34847 +static unsigned int pcnet32_portlist[] __devinitdata =
34848 { 0x300, 0x320, 0x340, 0x360, 0 };
34849
34850 static int pcnet32_debug = 0;
34851 @@ -267,7 +267,7 @@ struct pcnet32_private {
34852 struct sk_buff **rx_skbuff;
34853 dma_addr_t *tx_dma_addr;
34854 dma_addr_t *rx_dma_addr;
34855 - struct pcnet32_access a;
34856 + struct pcnet32_access *a;
34857 spinlock_t lock; /* Guard lock */
34858 unsigned int cur_rx, cur_tx; /* The next free ring entry */
34859 unsigned int rx_ring_size; /* current rx ring size */
34860 @@ -457,9 +457,9 @@ static void pcnet32_netif_start(struct n
34861 u16 val;
34862
34863 netif_wake_queue(dev);
34864 - val = lp->a.read_csr(ioaddr, CSR3);
34865 + val = lp->a->read_csr(ioaddr, CSR3);
34866 val &= 0x00ff;
34867 - lp->a.write_csr(ioaddr, CSR3, val);
34868 + lp->a->write_csr(ioaddr, CSR3, val);
34869 napi_enable(&lp->napi);
34870 }
34871
34872 @@ -744,7 +744,7 @@ static u32 pcnet32_get_link(struct net_d
34873 r = mii_link_ok(&lp->mii_if);
34874 } else if (lp->chip_version >= PCNET32_79C970A) {
34875 ulong ioaddr = dev->base_addr; /* card base I/O address */
34876 - r = (lp->a.read_bcr(ioaddr, 4) != 0xc0);
34877 + r = (lp->a->read_bcr(ioaddr, 4) != 0xc0);
34878 } else { /* can not detect link on really old chips */
34879 r = 1;
34880 }
34881 @@ -806,7 +806,7 @@ static int pcnet32_set_ringparam(struct
34882 pcnet32_netif_stop(dev);
34883
34884 spin_lock_irqsave(&lp->lock, flags);
34885 - lp->a.write_csr(ioaddr, CSR0, CSR0_STOP); /* stop the chip */
34886 + lp->a->write_csr(ioaddr, CSR0, CSR0_STOP); /* stop the chip */
34887
34888 size = min(ering->tx_pending, (unsigned int)TX_MAX_RING_SIZE);
34889
34890 @@ -886,7 +886,7 @@ static void pcnet32_ethtool_test(struct
34891 static int pcnet32_loopback_test(struct net_device *dev, uint64_t * data1)
34892 {
34893 struct pcnet32_private *lp = netdev_priv(dev);
34894 - struct pcnet32_access *a = &lp->a; /* access to registers */
34895 + struct pcnet32_access *a = lp->a; /* access to registers */
34896 ulong ioaddr = dev->base_addr; /* card base I/O address */
34897 struct sk_buff *skb; /* sk buff */
34898 int x, i; /* counters */
34899 @@ -906,21 +906,21 @@ static int pcnet32_loopback_test(struct
34900 pcnet32_netif_stop(dev);
34901
34902 spin_lock_irqsave(&lp->lock, flags);
34903 - lp->a.write_csr(ioaddr, CSR0, CSR0_STOP); /* stop the chip */
34904 + lp->a->write_csr(ioaddr, CSR0, CSR0_STOP); /* stop the chip */
34905
34906 numbuffs = min(numbuffs, (int)min(lp->rx_ring_size, lp->tx_ring_size));
34907
34908 /* Reset the PCNET32 */
34909 - lp->a.reset(ioaddr);
34910 - lp->a.write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
34911 + lp->a->reset(ioaddr);
34912 + lp->a->write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
34913
34914 /* switch pcnet32 to 32bit mode */
34915 - lp->a.write_bcr(ioaddr, 20, 2);
34916 + lp->a->write_bcr(ioaddr, 20, 2);
34917
34918 /* purge & init rings but don't actually restart */
34919 pcnet32_restart(dev, 0x0000);
34920
34921 - lp->a.write_csr(ioaddr, CSR0, CSR0_STOP); /* Set STOP bit */
34922 + lp->a->write_csr(ioaddr, CSR0, CSR0_STOP); /* Set STOP bit */
34923
34924 /* Initialize Transmit buffers. */
34925 size = data_len + 15;
34926 @@ -966,10 +966,10 @@ static int pcnet32_loopback_test(struct
34927
34928 /* set int loopback in CSR15 */
34929 x = a->read_csr(ioaddr, CSR15) & 0xfffc;
34930 - lp->a.write_csr(ioaddr, CSR15, x | 0x0044);
34931 + lp->a->write_csr(ioaddr, CSR15, x | 0x0044);
34932
34933 teststatus = cpu_to_le16(0x8000);
34934 - lp->a.write_csr(ioaddr, CSR0, CSR0_START); /* Set STRT bit */
34935 + lp->a->write_csr(ioaddr, CSR0, CSR0_START); /* Set STRT bit */
34936
34937 /* Check status of descriptors */
34938 for (x = 0; x < numbuffs; x++) {
34939 @@ -990,7 +990,7 @@ static int pcnet32_loopback_test(struct
34940 }
34941 }
34942
34943 - lp->a.write_csr(ioaddr, CSR0, CSR0_STOP); /* Set STOP bit */
34944 + lp->a->write_csr(ioaddr, CSR0, CSR0_STOP); /* Set STOP bit */
34945 wmb();
34946 if (netif_msg_hw(lp) && netif_msg_pktdata(lp)) {
34947 printk(KERN_DEBUG "%s: RX loopback packets:\n", dev->name);
34948 @@ -1039,7 +1039,7 @@ static int pcnet32_loopback_test(struct
34949 pcnet32_restart(dev, CSR0_NORMAL);
34950 } else {
34951 pcnet32_purge_rx_ring(dev);
34952 - lp->a.write_bcr(ioaddr, 20, 4); /* return to 16bit mode */
34953 + lp->a->write_bcr(ioaddr, 20, 4); /* return to 16bit mode */
34954 }
34955 spin_unlock_irqrestore(&lp->lock, flags);
34956
34957 @@ -1049,7 +1049,7 @@ static int pcnet32_loopback_test(struct
34958 static void pcnet32_led_blink_callback(struct net_device *dev)
34959 {
34960 struct pcnet32_private *lp = netdev_priv(dev);
34961 - struct pcnet32_access *a = &lp->a;
34962 + struct pcnet32_access *a = lp->a;
34963 ulong ioaddr = dev->base_addr;
34964 unsigned long flags;
34965 int i;
34966 @@ -1066,7 +1066,7 @@ static void pcnet32_led_blink_callback(s
34967 static int pcnet32_phys_id(struct net_device *dev, u32 data)
34968 {
34969 struct pcnet32_private *lp = netdev_priv(dev);
34970 - struct pcnet32_access *a = &lp->a;
34971 + struct pcnet32_access *a = lp->a;
34972 ulong ioaddr = dev->base_addr;
34973 unsigned long flags;
34974 int i, regs[4];
34975 @@ -1112,7 +1112,7 @@ static int pcnet32_suspend(struct net_de
34976 {
34977 int csr5;
34978 struct pcnet32_private *lp = netdev_priv(dev);
34979 - struct pcnet32_access *a = &lp->a;
34980 + struct pcnet32_access *a = lp->a;
34981 ulong ioaddr = dev->base_addr;
34982 int ticks;
34983
34984 @@ -1388,8 +1388,8 @@ static int pcnet32_poll(struct napi_stru
34985 spin_lock_irqsave(&lp->lock, flags);
34986 if (pcnet32_tx(dev)) {
34987 /* reset the chip to clear the error condition, then restart */
34988 - lp->a.reset(ioaddr);
34989 - lp->a.write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
34990 + lp->a->reset(ioaddr);
34991 + lp->a->write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
34992 pcnet32_restart(dev, CSR0_START);
34993 netif_wake_queue(dev);
34994 }
34995 @@ -1401,12 +1401,12 @@ static int pcnet32_poll(struct napi_stru
34996 __napi_complete(napi);
34997
34998 /* clear interrupt masks */
34999 - val = lp->a.read_csr(ioaddr, CSR3);
35000 + val = lp->a->read_csr(ioaddr, CSR3);
35001 val &= 0x00ff;
35002 - lp->a.write_csr(ioaddr, CSR3, val);
35003 + lp->a->write_csr(ioaddr, CSR3, val);
35004
35005 /* Set interrupt enable. */
35006 - lp->a.write_csr(ioaddr, CSR0, CSR0_INTEN);
35007 + lp->a->write_csr(ioaddr, CSR0, CSR0_INTEN);
35008
35009 spin_unlock_irqrestore(&lp->lock, flags);
35010 }
35011 @@ -1429,7 +1429,7 @@ static void pcnet32_get_regs(struct net_
35012 int i, csr0;
35013 u16 *buff = ptr;
35014 struct pcnet32_private *lp = netdev_priv(dev);
35015 - struct pcnet32_access *a = &lp->a;
35016 + struct pcnet32_access *a = lp->a;
35017 ulong ioaddr = dev->base_addr;
35018 unsigned long flags;
35019
35020 @@ -1466,9 +1466,9 @@ static void pcnet32_get_regs(struct net_
35021 for (j = 0; j < PCNET32_MAX_PHYS; j++) {
35022 if (lp->phymask & (1 << j)) {
35023 for (i = 0; i < PCNET32_REGS_PER_PHY; i++) {
35024 - lp->a.write_bcr(ioaddr, 33,
35025 + lp->a->write_bcr(ioaddr, 33,
35026 (j << 5) | i);
35027 - *buff++ = lp->a.read_bcr(ioaddr, 34);
35028 + *buff++ = lp->a->read_bcr(ioaddr, 34);
35029 }
35030 }
35031 }
35032 @@ -1858,7 +1858,7 @@ pcnet32_probe1(unsigned long ioaddr, int
35033 ((cards_found >= MAX_UNITS) || full_duplex[cards_found]))
35034 lp->options |= PCNET32_PORT_FD;
35035
35036 - lp->a = *a;
35037 + lp->a = a;
35038
35039 /* prior to register_netdev, dev->name is not yet correct */
35040 if (pcnet32_alloc_ring(dev, pci_name(lp->pci_dev))) {
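Review bot: `lp->a = a;` now stores the caller's pointer instead of copying the table, so every later `lp->a->read_csr(...)` or `lp->a->write_bcr(...)` call depends on the object behind `a` outliving the net_device. The hunk does not show where `a` comes from (pcnet32_probe1 starts and ends outside it), so it should be confirmed that it always points at an object with static storage duration and never at a probe-time local. If the table is not written after this point, declaring the field as `const struct pcnet32_access *a;` in `struct pcnet32_private`, and the local aliases in pcnet32_loopback_test, pcnet32_suspend and pcnet32_get_regs likewise, would let the compiler enforce that. The probe functions' parameter types would have to follow.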
35041 @@ -1917,7 +1917,7 @@ pcnet32_probe1(unsigned long ioaddr, int
35042 if (lp->mii) {
35043 /* lp->phycount and lp->phymask are set to 0 by memset above */
35044
35045 - lp->mii_if.phy_id = ((lp->a.read_bcr(ioaddr, 33)) >> 5) & 0x1f;
35046 + lp->mii_if.phy_id = ((lp->a->read_bcr(ioaddr, 33)) >> 5) & 0x1f;
35047 /* scan for PHYs */
35048 for (i = 0; i < PCNET32_MAX_PHYS; i++) {
35049 unsigned short id1, id2;
35050 @@ -1938,7 +1938,7 @@ pcnet32_probe1(unsigned long ioaddr, int
35051 "Found PHY %04x:%04x at address %d.\n",
35052 id1, id2, i);
35053 }
35054 - lp->a.write_bcr(ioaddr, 33, (lp->mii_if.phy_id) << 5);
35055 + lp->a->write_bcr(ioaddr, 33, (lp->mii_if.phy_id) << 5);
35056 if (lp->phycount > 1) {
35057 lp->options |= PCNET32_PORT_MII;
35058 }
35059 @@ -2109,10 +2109,10 @@ static int pcnet32_open(struct net_devic
35060 }
35061
35062 /* Reset the PCNET32 */
35063 - lp->a.reset(ioaddr);
35064 + lp->a->reset(ioaddr);
35065
35066 /* switch pcnet32 to 32bit mode */
35067 - lp->a.write_bcr(ioaddr, 20, 2);
35068 + lp->a->write_bcr(ioaddr, 20, 2);
35069
35070 if (netif_msg_ifup(lp))
35071 printk(KERN_DEBUG
35072 @@ -2122,14 +2122,14 @@ static int pcnet32_open(struct net_devic
35073 (u32) (lp->init_dma_addr));
35074
35075 /* set/reset autoselect bit */
35076 - val = lp->a.read_bcr(ioaddr, 2) & ~2;
35077 + val = lp->a->read_bcr(ioaddr, 2) & ~2;
35078 if (lp->options & PCNET32_PORT_ASEL)
35079 val |= 2;
35080 - lp->a.write_bcr(ioaddr, 2, val);
35081 + lp->a->write_bcr(ioaddr, 2, val);
35082
35083 /* handle full duplex setting */
35084 if (lp->mii_if.full_duplex) {
35085 - val = lp->a.read_bcr(ioaddr, 9) & ~3;
35086 + val = lp->a->read_bcr(ioaddr, 9) & ~3;
35087 if (lp->options & PCNET32_PORT_FD) {
35088 val |= 1;
35089 if (lp->options == (PCNET32_PORT_FD | PCNET32_PORT_AUI))
35090 @@ -2139,14 +2139,14 @@ static int pcnet32_open(struct net_devic
35091 if (lp->chip_version == 0x2627)
35092 val |= 3;
35093 }
35094 - lp->a.write_bcr(ioaddr, 9, val);
35095 + lp->a->write_bcr(ioaddr, 9, val);
35096 }
35097
35098 /* set/reset GPSI bit in test register */
35099 - val = lp->a.read_csr(ioaddr, 124) & ~0x10;
35100 + val = lp->a->read_csr(ioaddr, 124) & ~0x10;
35101 if ((lp->options & PCNET32_PORT_PORTSEL) == PCNET32_PORT_GPSI)
35102 val |= 0x10;
35103 - lp->a.write_csr(ioaddr, 124, val);
35104 + lp->a->write_csr(ioaddr, 124, val);
35105
35106 /* Allied Telesyn AT 2700/2701 FX are 100Mbit only and do not negotiate */
35107 if (pdev && pdev->subsystem_vendor == PCI_VENDOR_ID_AT &&
35108 @@ -2167,24 +2167,24 @@ static int pcnet32_open(struct net_devic
35109 * duplex, and/or enable auto negotiation, and clear DANAS
35110 */
35111 if (lp->mii && !(lp->options & PCNET32_PORT_ASEL)) {
35112 - lp->a.write_bcr(ioaddr, 32,
35113 - lp->a.read_bcr(ioaddr, 32) | 0x0080);
35114 + lp->a->write_bcr(ioaddr, 32,
35115 + lp->a->read_bcr(ioaddr, 32) | 0x0080);
35116 /* disable Auto Negotiation, set 10Mpbs, HD */
35117 - val = lp->a.read_bcr(ioaddr, 32) & ~0xb8;
35118 + val = lp->a->read_bcr(ioaddr, 32) & ~0xb8;
35119 if (lp->options & PCNET32_PORT_FD)
35120 val |= 0x10;
35121 if (lp->options & PCNET32_PORT_100)
35122 val |= 0x08;
35123 - lp->a.write_bcr(ioaddr, 32, val);
35124 + lp->a->write_bcr(ioaddr, 32, val);
35125 } else {
35126 if (lp->options & PCNET32_PORT_ASEL) {
35127 - lp->a.write_bcr(ioaddr, 32,
35128 - lp->a.read_bcr(ioaddr,
35129 + lp->a->write_bcr(ioaddr, 32,
35130 + lp->a->read_bcr(ioaddr,
35131 32) | 0x0080);
35132 /* enable auto negotiate, setup, disable fd */
35133 - val = lp->a.read_bcr(ioaddr, 32) & ~0x98;
35134 + val = lp->a->read_bcr(ioaddr, 32) & ~0x98;
35135 val |= 0x20;
35136 - lp->a.write_bcr(ioaddr, 32, val);
35137 + lp->a->write_bcr(ioaddr, 32, val);
35138 }
35139 }
35140 } else {
35141 @@ -2197,10 +2197,10 @@ static int pcnet32_open(struct net_devic
35142 * There is really no good other way to handle multiple PHYs
35143 * other than turning off all automatics
35144 */
35145 - val = lp->a.read_bcr(ioaddr, 2);
35146 - lp->a.write_bcr(ioaddr, 2, val & ~2);
35147 - val = lp->a.read_bcr(ioaddr, 32);
35148 - lp->a.write_bcr(ioaddr, 32, val & ~(1 << 7)); /* stop MII manager */
35149 + val = lp->a->read_bcr(ioaddr, 2);
35150 + lp->a->write_bcr(ioaddr, 2, val & ~2);
35151 + val = lp->a->read_bcr(ioaddr, 32);
35152 + lp->a->write_bcr(ioaddr, 32, val & ~(1 << 7)); /* stop MII manager */
35153
35154 if (!(lp->options & PCNET32_PORT_ASEL)) {
35155 /* setup ecmd */
35156 @@ -2210,7 +2210,7 @@ static int pcnet32_open(struct net_devic
35157 ecmd.speed =
35158 lp->
35159 options & PCNET32_PORT_100 ? SPEED_100 : SPEED_10;
35160 - bcr9 = lp->a.read_bcr(ioaddr, 9);
35161 + bcr9 = lp->a->read_bcr(ioaddr, 9);
35162
35163 if (lp->options & PCNET32_PORT_FD) {
35164 ecmd.duplex = DUPLEX_FULL;
35165 @@ -2219,7 +2219,7 @@ static int pcnet32_open(struct net_devic
35166 ecmd.duplex = DUPLEX_HALF;
35167 bcr9 |= ~(1 << 0);
35168 }
35169 - lp->a.write_bcr(ioaddr, 9, bcr9);
35170 + lp->a->write_bcr(ioaddr, 9, bcr9);
35171 }
35172
35173 for (i = 0; i < PCNET32_MAX_PHYS; i++) {
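Review bot: The context line `bcr9 |= ~(1 << 0);` in the half-duplex branch sets every bit except bit 0 instead of clearing bit 0, and the value is then written to the chip by the changed line `lp->a->write_bcr(ioaddr, 9, bcr9);`. pcnet32_check_media, later in this patch, uses `bcr9 &= ~(1 << 0);` for what looks like the same purpose, so the intended line here is probably `bcr9 &= ~(1 << 0);`. The commit carries the line over unchanged. pcnet32_open starts and ends outside this hunk, so the full-duplex branch should be checked alongside it.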
35174 @@ -2252,9 +2252,9 @@ static int pcnet32_open(struct net_devic
35175
35176 #ifdef DO_DXSUFLO
35177 if (lp->dxsuflo) { /* Disable transmit stop on underflow */
35178 - val = lp->a.read_csr(ioaddr, CSR3);
35179 + val = lp->a->read_csr(ioaddr, CSR3);
35180 val |= 0x40;
35181 - lp->a.write_csr(ioaddr, CSR3, val);
35182 + lp->a->write_csr(ioaddr, CSR3, val);
35183 }
35184 #endif
35185
35186 @@ -2270,11 +2270,11 @@ static int pcnet32_open(struct net_devic
35187 napi_enable(&lp->napi);
35188
35189 /* Re-initialize the PCNET32, and start it when done. */
35190 - lp->a.write_csr(ioaddr, 1, (lp->init_dma_addr & 0xffff));
35191 - lp->a.write_csr(ioaddr, 2, (lp->init_dma_addr >> 16));
35192 + lp->a->write_csr(ioaddr, 1, (lp->init_dma_addr & 0xffff));
35193 + lp->a->write_csr(ioaddr, 2, (lp->init_dma_addr >> 16));
35194
35195 - lp->a.write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
35196 - lp->a.write_csr(ioaddr, CSR0, CSR0_INIT);
35197 + lp->a->write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
35198 + lp->a->write_csr(ioaddr, CSR0, CSR0_INIT);
35199
35200 netif_start_queue(dev);
35201
35202 @@ -2286,20 +2286,20 @@ static int pcnet32_open(struct net_devic
35203
35204 i = 0;
35205 while (i++ < 100)
35206 - if (lp->a.read_csr(ioaddr, CSR0) & CSR0_IDON)
35207 + if (lp->a->read_csr(ioaddr, CSR0) & CSR0_IDON)
35208 break;
35209 /*
35210 * We used to clear the InitDone bit, 0x0100, here but Mark Stockton
35211 * reports that doing so triggers a bug in the '974.
35212 */
35213 - lp->a.write_csr(ioaddr, CSR0, CSR0_NORMAL);
35214 + lp->a->write_csr(ioaddr, CSR0, CSR0_NORMAL);
35215
35216 if (netif_msg_ifup(lp))
35217 printk(KERN_DEBUG
35218 "%s: pcnet32 open after %d ticks, init block %#x csr0 %4.4x.\n",
35219 dev->name, i,
35220 (u32) (lp->init_dma_addr),
35221 - lp->a.read_csr(ioaddr, CSR0));
35222 + lp->a->read_csr(ioaddr, CSR0));
35223
35224 spin_unlock_irqrestore(&lp->lock, flags);
35225
35226 @@ -2313,7 +2313,7 @@ static int pcnet32_open(struct net_devic
35227 * Switch back to 16bit mode to avoid problems with dumb
35228 * DOS packet driver after a warm reboot
35229 */
35230 - lp->a.write_bcr(ioaddr, 20, 4);
35231 + lp->a->write_bcr(ioaddr, 20, 4);
35232
35233 err_free_irq:
35234 spin_unlock_irqrestore(&lp->lock, flags);
35235 @@ -2420,7 +2420,7 @@ static void pcnet32_restart(struct net_d
35236
35237 /* wait for stop */
35238 for (i = 0; i < 100; i++)
35239 - if (lp->a.read_csr(ioaddr, CSR0) & CSR0_STOP)
35240 + if (lp->a->read_csr(ioaddr, CSR0) & CSR0_STOP)
35241 break;
35242
35243 if (i >= 100 && netif_msg_drv(lp))
35244 @@ -2433,13 +2433,13 @@ static void pcnet32_restart(struct net_d
35245 return;
35246
35247 /* ReInit Ring */
35248 - lp->a.write_csr(ioaddr, CSR0, CSR0_INIT);
35249 + lp->a->write_csr(ioaddr, CSR0, CSR0_INIT);
35250 i = 0;
35251 while (i++ < 1000)
35252 - if (lp->a.read_csr(ioaddr, CSR0) & CSR0_IDON)
35253 + if (lp->a->read_csr(ioaddr, CSR0) & CSR0_IDON)
35254 break;
35255
35256 - lp->a.write_csr(ioaddr, CSR0, csr0_bits);
35257 + lp->a->write_csr(ioaddr, CSR0, csr0_bits);
35258 }
35259
35260 static void pcnet32_tx_timeout(struct net_device *dev)
35261 @@ -2452,8 +2452,8 @@ static void pcnet32_tx_timeout(struct ne
35262 if (pcnet32_debug & NETIF_MSG_DRV)
35263 printk(KERN_ERR
35264 "%s: transmit timed out, status %4.4x, resetting.\n",
35265 - dev->name, lp->a.read_csr(ioaddr, CSR0));
35266 - lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);
35267 + dev->name, lp->a->read_csr(ioaddr, CSR0));
35268 + lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);
35269 dev->stats.tx_errors++;
35270 if (netif_msg_tx_err(lp)) {
35271 int i;
35272 @@ -2497,7 +2497,7 @@ static netdev_tx_t pcnet32_start_xmit(st
35273 if (netif_msg_tx_queued(lp)) {
35274 printk(KERN_DEBUG
35275 "%s: pcnet32_start_xmit() called, csr0 %4.4x.\n",
35276 - dev->name, lp->a.read_csr(ioaddr, CSR0));
35277 + dev->name, lp->a->read_csr(ioaddr, CSR0));
35278 }
35279
35280 /* Default status -- will not enable Successful-TxDone
35281 @@ -2528,7 +2528,7 @@ static netdev_tx_t pcnet32_start_xmit(st
35282 dev->stats.tx_bytes += skb->len;
35283
35284 /* Trigger an immediate send poll. */
35285 - lp->a.write_csr(ioaddr, CSR0, CSR0_INTEN | CSR0_TXPOLL);
35286 + lp->a->write_csr(ioaddr, CSR0, CSR0_INTEN | CSR0_TXPOLL);
35287
35288 dev->trans_start = jiffies;
35289
35290 @@ -2555,18 +2555,18 @@ pcnet32_interrupt(int irq, void *dev_id)
35291
35292 spin_lock(&lp->lock);
35293
35294 - csr0 = lp->a.read_csr(ioaddr, CSR0);
35295 + csr0 = lp->a->read_csr(ioaddr, CSR0);
35296 while ((csr0 & 0x8f00) && --boguscnt >= 0) {
35297 if (csr0 == 0xffff) {
35298 break; /* PCMCIA remove happened */
35299 }
35300 /* Acknowledge all of the current interrupt sources ASAP. */
35301 - lp->a.write_csr(ioaddr, CSR0, csr0 & ~0x004f);
35302 + lp->a->write_csr(ioaddr, CSR0, csr0 & ~0x004f);
35303
35304 if (netif_msg_intr(lp))
35305 printk(KERN_DEBUG
35306 "%s: interrupt csr0=%#2.2x new csr=%#2.2x.\n",
35307 - dev->name, csr0, lp->a.read_csr(ioaddr, CSR0));
35308 + dev->name, csr0, lp->a->read_csr(ioaddr, CSR0));
35309
35310 /* Log misc errors. */
35311 if (csr0 & 0x4000)
35312 @@ -2595,19 +2595,19 @@ pcnet32_interrupt(int irq, void *dev_id)
35313 if (napi_schedule_prep(&lp->napi)) {
35314 u16 val;
35315 /* set interrupt masks */
35316 - val = lp->a.read_csr(ioaddr, CSR3);
35317 + val = lp->a->read_csr(ioaddr, CSR3);
35318 val |= 0x5f00;
35319 - lp->a.write_csr(ioaddr, CSR3, val);
35320 + lp->a->write_csr(ioaddr, CSR3, val);
35321
35322 __napi_schedule(&lp->napi);
35323 break;
35324 }
35325 - csr0 = lp->a.read_csr(ioaddr, CSR0);
35326 + csr0 = lp->a->read_csr(ioaddr, CSR0);
35327 }
35328
35329 if (netif_msg_intr(lp))
35330 printk(KERN_DEBUG "%s: exiting interrupt, csr0=%#4.4x.\n",
35331 - dev->name, lp->a.read_csr(ioaddr, CSR0));
35332 + dev->name, lp->a->read_csr(ioaddr, CSR0));
35333
35334 spin_unlock(&lp->lock);
35335
35336 @@ -2627,21 +2627,21 @@ static int pcnet32_close(struct net_devi
35337
35338 spin_lock_irqsave(&lp->lock, flags);
35339
35340 - dev->stats.rx_missed_errors = lp->a.read_csr(ioaddr, 112);
35341 + dev->stats.rx_missed_errors = lp->a->read_csr(ioaddr, 112);
35342
35343 if (netif_msg_ifdown(lp))
35344 printk(KERN_DEBUG
35345 "%s: Shutting down ethercard, status was %2.2x.\n",
35346 - dev->name, lp->a.read_csr(ioaddr, CSR0));
35347 + dev->name, lp->a->read_csr(ioaddr, CSR0));
35348
35349 /* We stop the PCNET32 here -- it occasionally polls memory if we don't. */
35350 - lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);
35351 + lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);
35352
35353 /*
35354 * Switch back to 16bit mode to avoid problems with dumb
35355 * DOS packet driver after a warm reboot
35356 */
35357 - lp->a.write_bcr(ioaddr, 20, 4);
35358 + lp->a->write_bcr(ioaddr, 20, 4);
35359
35360 spin_unlock_irqrestore(&lp->lock, flags);
35361
35362 @@ -2664,7 +2664,7 @@ static struct net_device_stats *pcnet32_
35363 unsigned long flags;
35364
35365 spin_lock_irqsave(&lp->lock, flags);
35366 - dev->stats.rx_missed_errors = lp->a.read_csr(ioaddr, 112);
35367 + dev->stats.rx_missed_errors = lp->a->read_csr(ioaddr, 112);
35368 spin_unlock_irqrestore(&lp->lock, flags);
35369
35370 return &dev->stats;
35371 @@ -2686,10 +2686,10 @@ static void pcnet32_load_multicast(struc
35372 if (dev->flags & IFF_ALLMULTI) {
35373 ib->filter[0] = cpu_to_le32(~0U);
35374 ib->filter[1] = cpu_to_le32(~0U);
35375 - lp->a.write_csr(ioaddr, PCNET32_MC_FILTER, 0xffff);
35376 - lp->a.write_csr(ioaddr, PCNET32_MC_FILTER+1, 0xffff);
35377 - lp->a.write_csr(ioaddr, PCNET32_MC_FILTER+2, 0xffff);
35378 - lp->a.write_csr(ioaddr, PCNET32_MC_FILTER+3, 0xffff);
35379 + lp->a->write_csr(ioaddr, PCNET32_MC_FILTER, 0xffff);
35380 + lp->a->write_csr(ioaddr, PCNET32_MC_FILTER+1, 0xffff);
35381 + lp->a->write_csr(ioaddr, PCNET32_MC_FILTER+2, 0xffff);
35382 + lp->a->write_csr(ioaddr, PCNET32_MC_FILTER+3, 0xffff);
35383 return;
35384 }
35385 /* clear the multicast filter */
35386 @@ -2710,7 +2710,7 @@ static void pcnet32_load_multicast(struc
35387 mcast_table[crc >> 4] |= cpu_to_le16(1 << (crc & 0xf));
35388 }
35389 for (i = 0; i < 4; i++)
35390 - lp->a.write_csr(ioaddr, PCNET32_MC_FILTER + i,
35391 + lp->a->write_csr(ioaddr, PCNET32_MC_FILTER + i,
35392 le16_to_cpu(mcast_table[i]));
35393 return;
35394 }
35395 @@ -2726,7 +2726,7 @@ static void pcnet32_set_multicast_list(s
35396
35397 spin_lock_irqsave(&lp->lock, flags);
35398 suspended = pcnet32_suspend(dev, &flags, 0);
35399 - csr15 = lp->a.read_csr(ioaddr, CSR15);
35400 + csr15 = lp->a->read_csr(ioaddr, CSR15);
35401 if (dev->flags & IFF_PROMISC) {
35402 /* Log any net taps. */
35403 if (netif_msg_hw(lp))
35404 @@ -2735,21 +2735,21 @@ static void pcnet32_set_multicast_list(s
35405 lp->init_block->mode =
35406 cpu_to_le16(0x8000 | (lp->options & PCNET32_PORT_PORTSEL) <<
35407 7);
35408 - lp->a.write_csr(ioaddr, CSR15, csr15 | 0x8000);
35409 + lp->a->write_csr(ioaddr, CSR15, csr15 | 0x8000);
35410 } else {
35411 lp->init_block->mode =
35412 cpu_to_le16((lp->options & PCNET32_PORT_PORTSEL) << 7);
35413 - lp->a.write_csr(ioaddr, CSR15, csr15 & 0x7fff);
35414 + lp->a->write_csr(ioaddr, CSR15, csr15 & 0x7fff);
35415 pcnet32_load_multicast(dev);
35416 }
35417
35418 if (suspended) {
35419 int csr5;
35420 /* clear SUSPEND (SPND) - CSR5 bit 0 */
35421 - csr5 = lp->a.read_csr(ioaddr, CSR5);
35422 - lp->a.write_csr(ioaddr, CSR5, csr5 & (~CSR5_SUSPEND));
35423 + csr5 = lp->a->read_csr(ioaddr, CSR5);
35424 + lp->a->write_csr(ioaddr, CSR5, csr5 & (~CSR5_SUSPEND));
35425 } else {
35426 - lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);
35427 + lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);
35428 pcnet32_restart(dev, CSR0_NORMAL);
35429 netif_wake_queue(dev);
35430 }
35431 @@ -2767,8 +2767,8 @@ static int mdio_read(struct net_device *
35432 if (!lp->mii)
35433 return 0;
35434
35435 - lp->a.write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
35436 - val_out = lp->a.read_bcr(ioaddr, 34);
35437 + lp->a->write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
35438 + val_out = lp->a->read_bcr(ioaddr, 34);
35439
35440 return val_out;
35441 }
35442 @@ -2782,8 +2782,8 @@ static void mdio_write(struct net_device
35443 if (!lp->mii)
35444 return;
35445
35446 - lp->a.write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
35447 - lp->a.write_bcr(ioaddr, 34, val);
35448 + lp->a->write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
35449 + lp->a->write_bcr(ioaddr, 34, val);
35450 }
35451
35452 static int pcnet32_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
35453 @@ -2862,7 +2862,7 @@ static void pcnet32_check_media(struct n
35454 curr_link = mii_link_ok(&lp->mii_if);
35455 } else {
35456 ulong ioaddr = dev->base_addr; /* card base I/O address */
35457 - curr_link = (lp->a.read_bcr(ioaddr, 4) != 0xc0);
35458 + curr_link = (lp->a->read_bcr(ioaddr, 4) != 0xc0);
35459 }
35460 if (!curr_link) {
35461 if (prev_link || verbose) {
35462 @@ -2887,13 +2887,13 @@ static void pcnet32_check_media(struct n
35463 (ecmd.duplex ==
35464 DUPLEX_FULL) ? "full" : "half");
35465 }
35466 - bcr9 = lp->a.read_bcr(dev->base_addr, 9);
35467 + bcr9 = lp->a->read_bcr(dev->base_addr, 9);
35468 if ((bcr9 & (1 << 0)) != lp->mii_if.full_duplex) {
35469 if (lp->mii_if.full_duplex)
35470 bcr9 |= (1 << 0);
35471 else
35472 bcr9 &= ~(1 << 0);
35473 - lp->a.write_bcr(dev->base_addr, 9, bcr9);
35474 + lp->a->write_bcr(dev->base_addr, 9, bcr9);
35475 }
35476 } else {
35477 if (netif_msg_link(lp))
35478 diff -urNp linux-2.6.32.46/drivers/net/tg3.h linux-2.6.32.46/drivers/net/tg3.h
35479 --- linux-2.6.32.46/drivers/net/tg3.h 2011-03-27 14:31:47.000000000 -0400
35480 +++ linux-2.6.32.46/drivers/net/tg3.h 2011-04-17 15:56:46.000000000 -0400
35481 @@ -95,6 +95,7 @@
35482 #define CHIPREV_ID_5750_A0 0x4000
35483 #define CHIPREV_ID_5750_A1 0x4001
35484 #define CHIPREV_ID_5750_A3 0x4003
35485 +#define CHIPREV_ID_5750_C1 0x4201
35486 #define CHIPREV_ID_5750_C2 0x4202
35487 #define CHIPREV_ID_5752_A0_HW 0x5000
35488 #define CHIPREV_ID_5752_A0 0x6000
35489 diff -urNp linux-2.6.32.46/drivers/net/tokenring/abyss.c linux-2.6.32.46/drivers/net/tokenring/abyss.c
35490 --- linux-2.6.32.46/drivers/net/tokenring/abyss.c 2011-03-27 14:31:47.000000000 -0400
35491 +++ linux-2.6.32.46/drivers/net/tokenring/abyss.c 2011-08-05 20:33:55.000000000 -0400
35492 @@ -451,10 +451,12 @@ static struct pci_driver abyss_driver =
35493
35494 static int __init abyss_init (void)
35495 {
35496 - abyss_netdev_ops = tms380tr_netdev_ops;
35497 + pax_open_kernel();
35498 + memcpy((void *)&abyss_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
35499
35500 - abyss_netdev_ops.ndo_open = abyss_open;
35501 - abyss_netdev_ops.ndo_stop = abyss_close;
35502 + *(void **)&abyss_netdev_ops.ndo_open = abyss_open;
35503 + *(void **)&abyss_netdev_ops.ndo_stop = abyss_close;
35504 + pax_close_kernel();
35505
35506 return pci_register_driver(&abyss_driver);
35507 }
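Review bot: The stores `*(void **)&abyss_netdev_ops.ndo_open = abyss_open;` and the `(void *)` cast in the `memcpy` bypass both the const qualifier and the function-pointer type check, so a handler with the wrong prototype would now compile silently. A comment above `pax_open_kernel()` would help, for example `/* ops table is read-only once constified; opened briefly at init to install the per-driver open/stop handlers */` (the constified declaration is presumably elsewhere in the patch, not in this hunk). Using `sizeof(abyss_netdev_ops)` as the copy length would tie the bound to the destination rather than the source. The same pattern repeats in the madgemc, proteon and skisa init hunks below.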
35508 diff -urNp linux-2.6.32.46/drivers/net/tokenring/madgemc.c linux-2.6.32.46/drivers/net/tokenring/madgemc.c
35509 --- linux-2.6.32.46/drivers/net/tokenring/madgemc.c 2011-03-27 14:31:47.000000000 -0400
35510 +++ linux-2.6.32.46/drivers/net/tokenring/madgemc.c 2011-08-05 20:33:55.000000000 -0400
35511 @@ -755,9 +755,11 @@ static struct mca_driver madgemc_driver
35512
35513 static int __init madgemc_init (void)
35514 {
35515 - madgemc_netdev_ops = tms380tr_netdev_ops;
35516 - madgemc_netdev_ops.ndo_open = madgemc_open;
35517 - madgemc_netdev_ops.ndo_stop = madgemc_close;
35518 + pax_open_kernel();
35519 + memcpy((void *)&madgemc_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
35520 + *(void **)&madgemc_netdev_ops.ndo_open = madgemc_open;
35521 + *(void **)&madgemc_netdev_ops.ndo_stop = madgemc_close;
35522 + pax_close_kernel();
35523
35524 return mca_register_driver (&madgemc_driver);
35525 }
35526 diff -urNp linux-2.6.32.46/drivers/net/tokenring/proteon.c linux-2.6.32.46/drivers/net/tokenring/proteon.c
35527 --- linux-2.6.32.46/drivers/net/tokenring/proteon.c 2011-03-27 14:31:47.000000000 -0400
35528 +++ linux-2.6.32.46/drivers/net/tokenring/proteon.c 2011-08-05 20:33:55.000000000 -0400
35529 @@ -353,9 +353,11 @@ static int __init proteon_init(void)
35530 struct platform_device *pdev;
35531 int i, num = 0, err = 0;
35532
35533 - proteon_netdev_ops = tms380tr_netdev_ops;
35534 - proteon_netdev_ops.ndo_open = proteon_open;
35535 - proteon_netdev_ops.ndo_stop = tms380tr_close;
35536 + pax_open_kernel();
35537 + memcpy((void *)&proteon_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
35538 + *(void **)&proteon_netdev_ops.ndo_open = proteon_open;
35539 + *(void **)&proteon_netdev_ops.ndo_stop = tms380tr_close;
35540 + pax_close_kernel();
35541
35542 err = platform_driver_register(&proteon_driver);
35543 if (err)
35544 diff -urNp linux-2.6.32.46/drivers/net/tokenring/skisa.c linux-2.6.32.46/drivers/net/tokenring/skisa.c
35545 --- linux-2.6.32.46/drivers/net/tokenring/skisa.c 2011-03-27 14:31:47.000000000 -0400
35546 +++ linux-2.6.32.46/drivers/net/tokenring/skisa.c 2011-08-05 20:33:55.000000000 -0400
35547 @@ -363,9 +363,11 @@ static int __init sk_isa_init(void)
35548 struct platform_device *pdev;
35549 int i, num = 0, err = 0;
35550
35551 - sk_isa_netdev_ops = tms380tr_netdev_ops;
35552 - sk_isa_netdev_ops.ndo_open = sk_isa_open;
35553 - sk_isa_netdev_ops.ndo_stop = tms380tr_close;
35554 + pax_open_kernel();
35555 + memcpy((void *)&sk_isa_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
35556 + *(void **)&sk_isa_netdev_ops.ndo_open = sk_isa_open;
35557 + *(void **)&sk_isa_netdev_ops.ndo_stop = tms380tr_close;
35558 + pax_close_kernel();
35559
35560 err = platform_driver_register(&sk_isa_driver);
35561 if (err)
35562 diff -urNp linux-2.6.32.46/drivers/net/tulip/de2104x.c linux-2.6.32.46/drivers/net/tulip/de2104x.c
35563 --- linux-2.6.32.46/drivers/net/tulip/de2104x.c 2011-03-27 14:31:47.000000000 -0400
35564 +++ linux-2.6.32.46/drivers/net/tulip/de2104x.c 2011-05-16 21:46:57.000000000 -0400
35565 @@ -1785,6 +1785,8 @@ static void __devinit de21041_get_srom_i
35566 struct de_srom_info_leaf *il;
35567 void *bufp;
35568
35569 + pax_track_stack();
35570 +
35571 /* download entire eeprom */
35572 for (i = 0; i < DE_EEPROM_WORDS; i++)
35573 ((__le16 *)ee_data)[i] =
35574 diff -urNp linux-2.6.32.46/drivers/net/tulip/de4x5.c linux-2.6.32.46/drivers/net/tulip/de4x5.c
35575 --- linux-2.6.32.46/drivers/net/tulip/de4x5.c 2011-03-27 14:31:47.000000000 -0400
35576 +++ linux-2.6.32.46/drivers/net/tulip/de4x5.c 2011-04-17 15:56:46.000000000 -0400
35577 @@ -5472,7 +5472,7 @@ de4x5_ioctl(struct net_device *dev, stru
35578 for (i=0; i<ETH_ALEN; i++) {
35579 tmp.addr[i] = dev->dev_addr[i];
35580 }
35581 - if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
35582 + if (ioc->len > sizeof tmp.addr || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
35583 break;
35584
35585 case DE4X5_SET_HWADDR: /* Set the hardware address */
35586 @@ -5512,7 +5512,7 @@ de4x5_ioctl(struct net_device *dev, stru
35587 spin_lock_irqsave(&lp->lock, flags);
35588 memcpy(&statbuf, &lp->pktStats, ioc->len);
35589 spin_unlock_irqrestore(&lp->lock, flags);
35590 - if (copy_to_user(ioc->data, &statbuf, ioc->len))
35591 + if (ioc->len > sizeof statbuf || copy_to_user(ioc->data, &statbuf, ioc->len))
35592 return -EFAULT;
35593 break;
35594 }
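Review bot: The added `ioc->len > sizeof statbuf` test runs after `memcpy(&statbuf, &lp->pktStats, ioc->len)`, so an oversized length from the ioctl caller has already been copied into `statbuf` under the spinlock by the time it is rejected. The bound should be checked before the lock is taken, e.g. `if (ioc->len > sizeof statbuf) return -EFAULT;` ahead of `spin_lock_irqsave` (`-EINVAL` would be the more conventional code for a bad length), leaving the `copy_to_user` line as it was. The earlier get-hardware-address hunk does not have this problem, because its check short-circuits before the only use of the length. The enclosing `de4x5_ioctl` switch starts and ends outside the hunk.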
35595 diff -urNp linux-2.6.32.46/drivers/net/usb/hso.c linux-2.6.32.46/drivers/net/usb/hso.c
35596 --- linux-2.6.32.46/drivers/net/usb/hso.c 2011-03-27 14:31:47.000000000 -0400
35597 +++ linux-2.6.32.46/drivers/net/usb/hso.c 2011-04-17 15:56:46.000000000 -0400
35598 @@ -71,7 +71,7 @@
35599 #include <asm/byteorder.h>
35600 #include <linux/serial_core.h>
35601 #include <linux/serial.h>
35602 -
35603 +#include <asm/local.h>
35604
35605 #define DRIVER_VERSION "1.2"
35606 #define MOD_AUTHOR "Option Wireless"
35607 @@ -258,7 +258,7 @@ struct hso_serial {
35608
35609 /* from usb_serial_port */
35610 struct tty_struct *tty;
35611 - int open_count;
35612 + local_t open_count;
35613 spinlock_t serial_lock;
35614
35615 int (*write_data) (struct hso_serial *serial);
35616 @@ -1180,7 +1180,7 @@ static void put_rxbuf_data_and_resubmit_
35617 struct urb *urb;
35618
35619 urb = serial->rx_urb[0];
35620 - if (serial->open_count > 0) {
35621 + if (local_read(&serial->open_count) > 0) {
35622 count = put_rxbuf_data(urb, serial);
35623 if (count == -1)
35624 return;
35625 @@ -1216,7 +1216,7 @@ static void hso_std_serial_read_bulk_cal
35626 DUMP1(urb->transfer_buffer, urb->actual_length);
35627
35628 /* Anyone listening? */
35629 - if (serial->open_count == 0)
35630 + if (local_read(&serial->open_count) == 0)
35631 return;
35632
35633 if (status == 0) {
35634 @@ -1311,8 +1311,7 @@ static int hso_serial_open(struct tty_st
35635 spin_unlock_irq(&serial->serial_lock);
35636
35637 /* check for port already opened, if not set the termios */
35638 - serial->open_count++;
35639 - if (serial->open_count == 1) {
35640 + if (local_inc_return(&serial->open_count) == 1) {
35641 tty->low_latency = 1;
35642 serial->rx_state = RX_IDLE;
35643 /* Force default termio settings */
35644 @@ -1325,7 +1324,7 @@ static int hso_serial_open(struct tty_st
35645 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
35646 if (result) {
35647 hso_stop_serial_device(serial->parent);
35648 - serial->open_count--;
35649 + local_dec(&serial->open_count);
35650 kref_put(&serial->parent->ref, hso_serial_ref_free);
35651 }
35652 } else {
35653 @@ -1362,10 +1361,10 @@ static void hso_serial_close(struct tty_
35654
35655 /* reset the rts and dtr */
35656 /* do the actual close */
35657 - serial->open_count--;
35658 + local_dec(&serial->open_count);
35659
35660 - if (serial->open_count <= 0) {
35661 - serial->open_count = 0;
35662 + if (local_read(&serial->open_count) <= 0) {
35663 + local_set(&serial->open_count, 0);
35664 spin_lock_irq(&serial->serial_lock);
35665 if (serial->tty == tty) {
35666 serial->tty->driver_data = NULL;
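Review bot: In `hso_serial_close` the decrement and the test are two separate operations (`local_dec` followed by `local_read`), while the open path uses the single `local_inc_return`; folding them into `if (local_sub_return(1, &serial->open_count) <= 0) {` keeps the two paths symmetric and removes the window between them. `local_t` operations are documented as atomic only with respect to the local CPU, so if `open_count` can be touched from another CPU (the URB callbacks in the earlier hunks read it) the counter still depends on surrounding locking, or would be better as an `atomic_t`. The function starts and ends outside the hunk, and in the visible lines `serial_lock` is taken only after the decrement, so whether another lock covers it cannot be seen here.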
35667 @@ -1447,7 +1446,7 @@ static void hso_serial_set_termios(struc
35668
35669 /* the actual setup */
35670 spin_lock_irqsave(&serial->serial_lock, flags);
35671 - if (serial->open_count)
35672 + if (local_read(&serial->open_count))
35673 _hso_serial_set_termios(tty, old);
35674 else
35675 tty->termios = old;
35676 @@ -3097,7 +3096,7 @@ static int hso_resume(struct usb_interfa
35677 /* Start all serial ports */
35678 for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
35679 if (serial_table[i] && (serial_table[i]->interface == iface)) {
35680 - if (dev2ser(serial_table[i])->open_count) {
35681 + if (local_read(&dev2ser(serial_table[i])->open_count)) {
35682 result =
35683 hso_start_serial_device(serial_table[i], GFP_NOIO);
35684 hso_kick_transmit(dev2ser(serial_table[i]));
35685 diff -urNp linux-2.6.32.46/drivers/net/vxge/vxge-config.h linux-2.6.32.46/drivers/net/vxge/vxge-config.h
35686 --- linux-2.6.32.46/drivers/net/vxge/vxge-config.h 2011-03-27 14:31:47.000000000 -0400
35687 +++ linux-2.6.32.46/drivers/net/vxge/vxge-config.h 2011-08-05 20:33:55.000000000 -0400
35688 @@ -474,7 +474,7 @@ struct vxge_hw_uld_cbs {
35689 void (*link_down)(struct __vxge_hw_device *devh);
35690 void (*crit_err)(struct __vxge_hw_device *devh,
35691 enum vxge_hw_event type, u64 ext_data);
35692 -};
35693 +} __no_const;
35694
35695 /*
35696 * struct __vxge_hw_blockpool_entry - Block private data structure
35697 diff -urNp linux-2.6.32.46/drivers/net/vxge/vxge-main.c linux-2.6.32.46/drivers/net/vxge/vxge-main.c
35698 --- linux-2.6.32.46/drivers/net/vxge/vxge-main.c 2011-03-27 14:31:47.000000000 -0400
35699 +++ linux-2.6.32.46/drivers/net/vxge/vxge-main.c 2011-05-16 21:46:57.000000000 -0400
35700 @@ -93,6 +93,8 @@ static inline void VXGE_COMPLETE_VPATH_T
35701 struct sk_buff *completed[NR_SKB_COMPLETED];
35702 int more;
35703
35704 + pax_track_stack();
35705 +
35706 do {
35707 more = 0;
35708 skb_ptr = completed;
35709 @@ -1779,6 +1781,8 @@ static enum vxge_hw_status vxge_rth_conf
35710 u8 mtable[256] = {0}; /* CPU to vpath mapping */
35711 int index;
35712
35713 + pax_track_stack();
35714 +
35715 /*
35716 * Filling
35717 * - itable with bucket numbers
35718 diff -urNp linux-2.6.32.46/drivers/net/vxge/vxge-traffic.h linux-2.6.32.46/drivers/net/vxge/vxge-traffic.h
35719 --- linux-2.6.32.46/drivers/net/vxge/vxge-traffic.h 2011-03-27 14:31:47.000000000 -0400
35720 +++ linux-2.6.32.46/drivers/net/vxge/vxge-traffic.h 2011-08-05 20:33:55.000000000 -0400
35721 @@ -2123,7 +2123,7 @@ struct vxge_hw_mempool_cbs {
35722 struct vxge_hw_mempool_dma *dma_object,
35723 u32 index,
35724 u32 is_last);
35725 -};
35726 +} __no_const;
35727
35728 void
35729 __vxge_hw_mempool_destroy(
35730 diff -urNp linux-2.6.32.46/drivers/net/wan/cycx_x25.c linux-2.6.32.46/drivers/net/wan/cycx_x25.c
35731 --- linux-2.6.32.46/drivers/net/wan/cycx_x25.c 2011-03-27 14:31:47.000000000 -0400
35732 +++ linux-2.6.32.46/drivers/net/wan/cycx_x25.c 2011-05-16 21:46:57.000000000 -0400
35733 @@ -1017,6 +1017,8 @@ static void hex_dump(char *msg, unsigned
35734 unsigned char hex[1024],
35735 * phex = hex;
35736
35737 + pax_track_stack();
35738 +
35739 if (len >= (sizeof(hex) / 2))
35740 len = (sizeof(hex) / 2) - 1;
35741
35742 diff -urNp linux-2.6.32.46/drivers/net/wan/hdlc_x25.c linux-2.6.32.46/drivers/net/wan/hdlc_x25.c
35743 --- linux-2.6.32.46/drivers/net/wan/hdlc_x25.c 2011-03-27 14:31:47.000000000 -0400
35744 +++ linux-2.6.32.46/drivers/net/wan/hdlc_x25.c 2011-08-05 20:33:55.000000000 -0400
35745 @@ -136,16 +136,16 @@ static netdev_tx_t x25_xmit(struct sk_bu
35746
35747 static int x25_open(struct net_device *dev)
35748 {
35749 - struct lapb_register_struct cb;
35750 + static struct lapb_register_struct cb = {
35751 + .connect_confirmation = x25_connected,
35752 + .connect_indication = x25_connected,
35753 + .disconnect_confirmation = x25_disconnected,
35754 + .disconnect_indication = x25_disconnected,
35755 + .data_indication = x25_data_indication,
35756 + .data_transmit = x25_data_transmit
35757 + };
35758 int result;
35759
35760 - cb.connect_confirmation = x25_connected;
35761 - cb.connect_indication = x25_connected;
35762 - cb.disconnect_confirmation = x25_disconnected;
35763 - cb.disconnect_indication = x25_disconnected;
35764 - cb.data_indication = x25_data_indication;
35765 - cb.data_transmit = x25_data_transmit;
35766 -
35767 result = lapb_register(dev, &cb);
35768 if (result != LAPB_OK)
35769 return result;
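Review bot: The callback table is now a function-local `static` shared by every device that calls `x25_open`, but it is still writable. If `lapb_register` accepts a pointer to const (its prototype is not in this hunk), declaring it `static const struct lapb_register_struct cb` would keep the function pointers in read-only data, which appears to be the aim of the change. The last initializer, `.data_transmit = x25_data_transmit`, would conventionally carry a trailing comma. `x25_open` continues past the end of the hunk.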
35770 diff -urNp linux-2.6.32.46/drivers/net/wimax/i2400m/usb-fw.c linux-2.6.32.46/drivers/net/wimax/i2400m/usb-fw.c
35771 --- linux-2.6.32.46/drivers/net/wimax/i2400m/usb-fw.c 2011-03-27 14:31:47.000000000 -0400
35772 +++ linux-2.6.32.46/drivers/net/wimax/i2400m/usb-fw.c 2011-05-16 21:46:57.000000000 -0400
35773 @@ -263,6 +263,8 @@ ssize_t i2400mu_bus_bm_wait_for_ack(stru
35774 int do_autopm = 1;
35775 DECLARE_COMPLETION_ONSTACK(notif_completion);
35776
35777 + pax_track_stack();
35778 +
35779 d_fnstart(8, dev, "(i2400m %p ack %p size %zu)\n",
35780 i2400m, ack, ack_size);
35781 BUG_ON(_ack == i2400m->bm_ack_buf);
35782 diff -urNp linux-2.6.32.46/drivers/net/wireless/airo.c linux-2.6.32.46/drivers/net/wireless/airo.c
35783 --- linux-2.6.32.46/drivers/net/wireless/airo.c 2011-03-27 14:31:47.000000000 -0400
35784 +++ linux-2.6.32.46/drivers/net/wireless/airo.c 2011-05-16 21:46:57.000000000 -0400
35785 @@ -3003,6 +3003,8 @@ static void airo_process_scan_results (s
35786 BSSListElement * loop_net;
35787 BSSListElement * tmp_net;
35788
35789 + pax_track_stack();
35790 +
35791 /* Blow away current list of scan results */
35792 list_for_each_entry_safe (loop_net, tmp_net, &ai->network_list, list) {
35793 list_move_tail (&loop_net->list, &ai->network_free_list);
35794 @@ -3783,6 +3785,8 @@ static u16 setup_card(struct airo_info *
35795 WepKeyRid wkr;
35796 int rc;
35797
35798 + pax_track_stack();
35799 +
35800 memset( &mySsid, 0, sizeof( mySsid ) );
35801 kfree (ai->flash);
35802 ai->flash = NULL;
35803 @@ -4758,6 +4762,8 @@ static int proc_stats_rid_open( struct i
35804 __le32 *vals = stats.vals;
35805 int len;
35806
35807 + pax_track_stack();
35808 +
35809 if ((file->private_data = kzalloc(sizeof(struct proc_data ), GFP_KERNEL)) == NULL)
35810 return -ENOMEM;
35811 data = (struct proc_data *)file->private_data;
35812 @@ -5487,6 +5493,8 @@ static int proc_BSSList_open( struct ino
35813 /* If doLoseSync is not 1, we won't do a Lose Sync */
35814 int doLoseSync = -1;
35815
35816 + pax_track_stack();
35817 +
35818 if ((file->private_data = kzalloc(sizeof(struct proc_data ), GFP_KERNEL)) == NULL)
35819 return -ENOMEM;
35820 data = (struct proc_data *)file->private_data;
35821 @@ -7193,6 +7201,8 @@ static int airo_get_aplist(struct net_de
35822 int i;
35823 int loseSync = capable(CAP_NET_ADMIN) ? 1: -1;
35824
35825 + pax_track_stack();
35826 +
35827 qual = kmalloc(IW_MAX_AP * sizeof(*qual), GFP_KERNEL);
35828 if (!qual)
35829 return -ENOMEM;
35830 @@ -7753,6 +7763,8 @@ static void airo_read_wireless_stats(str
35831 CapabilityRid cap_rid;
35832 __le32 *vals = stats_rid.vals;
35833
35834 + pax_track_stack();
35835 +
35836 /* Get stats out of the card */
35837 clear_bit(JOB_WSTATS, &local->jobs);
35838 if (local->power.event) {
35839 diff -urNp linux-2.6.32.46/drivers/net/wireless/ath/ath5k/debug.c linux-2.6.32.46/drivers/net/wireless/ath/ath5k/debug.c
35840 --- linux-2.6.32.46/drivers/net/wireless/ath/ath5k/debug.c 2011-03-27 14:31:47.000000000 -0400
35841 +++ linux-2.6.32.46/drivers/net/wireless/ath/ath5k/debug.c 2011-05-16 21:46:57.000000000 -0400
35842 @@ -205,6 +205,8 @@ static ssize_t read_file_beacon(struct f
35843 unsigned int v;
35844 u64 tsf;
35845
35846 + pax_track_stack();
35847 +
35848 v = ath5k_hw_reg_read(sc->ah, AR5K_BEACON);
35849 len += snprintf(buf+len, sizeof(buf)-len,
35850 "%-24s0x%08x\tintval: %d\tTIM: 0x%x\n",
35851 @@ -318,6 +320,8 @@ static ssize_t read_file_debug(struct fi
35852 unsigned int len = 0;
35853 unsigned int i;
35854
35855 + pax_track_stack();
35856 +
35857 len += snprintf(buf+len, sizeof(buf)-len,
35858 "DEBUG LEVEL: 0x%08x\n\n", sc->debug.level);
35859
35860 diff -urNp linux-2.6.32.46/drivers/net/wireless/ath/ath9k/debug.c linux-2.6.32.46/drivers/net/wireless/ath/ath9k/debug.c
35861 --- linux-2.6.32.46/drivers/net/wireless/ath/ath9k/debug.c 2011-03-27 14:31:47.000000000 -0400
35862 +++ linux-2.6.32.46/drivers/net/wireless/ath/ath9k/debug.c 2011-05-16 21:46:57.000000000 -0400
35863 @@ -220,6 +220,8 @@ static ssize_t read_file_interrupt(struc
35864 char buf[512];
35865 unsigned int len = 0;
35866
35867 + pax_track_stack();
35868 +
35869 len += snprintf(buf + len, sizeof(buf) - len,
35870 "%8s: %10u\n", "RX", sc->debug.stats.istats.rxok);
35871 len += snprintf(buf + len, sizeof(buf) - len,
35872 @@ -360,6 +362,8 @@ static ssize_t read_file_wiphy(struct fi
35873 int i;
35874 u8 addr[ETH_ALEN];
35875
35876 + pax_track_stack();
35877 +
35878 len += snprintf(buf + len, sizeof(buf) - len,
35879 "primary: %s (%s chan=%d ht=%d)\n",
35880 wiphy_name(sc->pri_wiphy->hw->wiphy),
35881 diff -urNp linux-2.6.32.46/drivers/net/wireless/b43/debugfs.c linux-2.6.32.46/drivers/net/wireless/b43/debugfs.c
35882 --- linux-2.6.32.46/drivers/net/wireless/b43/debugfs.c 2011-03-27 14:31:47.000000000 -0400
35883 +++ linux-2.6.32.46/drivers/net/wireless/b43/debugfs.c 2011-04-17 15:56:46.000000000 -0400
35884 @@ -43,7 +43,7 @@ static struct dentry *rootdir;
35885 struct b43_debugfs_fops {
35886 ssize_t (*read)(struct b43_wldev *dev, char *buf, size_t bufsize);
35887 int (*write)(struct b43_wldev *dev, const char *buf, size_t count);
35888 - struct file_operations fops;
35889 + const struct file_operations fops;
35890 /* Offset of struct b43_dfs_file in struct b43_dfsentry */
35891 size_t file_struct_offset;
35892 };
35893 diff -urNp linux-2.6.32.46/drivers/net/wireless/b43legacy/debugfs.c linux-2.6.32.46/drivers/net/wireless/b43legacy/debugfs.c
35894 --- linux-2.6.32.46/drivers/net/wireless/b43legacy/debugfs.c 2011-03-27 14:31:47.000000000 -0400
35895 +++ linux-2.6.32.46/drivers/net/wireless/b43legacy/debugfs.c 2011-04-17 15:56:46.000000000 -0400
35896 @@ -44,7 +44,7 @@ static struct dentry *rootdir;
35897 struct b43legacy_debugfs_fops {
35898 ssize_t (*read)(struct b43legacy_wldev *dev, char *buf, size_t bufsize);
35899 int (*write)(struct b43legacy_wldev *dev, const char *buf, size_t count);
35900 - struct file_operations fops;
35901 + const struct file_operations fops;
35902 /* Offset of struct b43legacy_dfs_file in struct b43legacy_dfsentry */
35903 size_t file_struct_offset;
35904 /* Take wl->irq_lock before calling read/write? */
35905 diff -urNp linux-2.6.32.46/drivers/net/wireless/ipw2x00/ipw2100.c linux-2.6.32.46/drivers/net/wireless/ipw2x00/ipw2100.c
35906 --- linux-2.6.32.46/drivers/net/wireless/ipw2x00/ipw2100.c 2011-03-27 14:31:47.000000000 -0400
35907 +++ linux-2.6.32.46/drivers/net/wireless/ipw2x00/ipw2100.c 2011-05-16 21:46:57.000000000 -0400
35908 @@ -2014,6 +2014,8 @@ static int ipw2100_set_essid(struct ipw2
35909 int err;
35910 DECLARE_SSID_BUF(ssid);
35911
35912 + pax_track_stack();
35913 +
35914 IPW_DEBUG_HC("SSID: '%s'\n", print_ssid(ssid, essid, ssid_len));
35915
35916 if (ssid_len)
35917 @@ -5380,6 +5382,8 @@ static int ipw2100_set_key(struct ipw210
35918 struct ipw2100_wep_key *wep_key = (void *)cmd.host_command_parameters;
35919 int err;
35920
35921 + pax_track_stack();
35922 +
35923 IPW_DEBUG_HC("WEP_KEY_INFO: index = %d, len = %d/%d\n",
35924 idx, keylen, len);
35925
35926 diff -urNp linux-2.6.32.46/drivers/net/wireless/ipw2x00/libipw_rx.c linux-2.6.32.46/drivers/net/wireless/ipw2x00/libipw_rx.c
35927 --- linux-2.6.32.46/drivers/net/wireless/ipw2x00/libipw_rx.c 2011-03-27 14:31:47.000000000 -0400
35928 +++ linux-2.6.32.46/drivers/net/wireless/ipw2x00/libipw_rx.c 2011-05-16 21:46:57.000000000 -0400
35929 @@ -1566,6 +1566,8 @@ static void libipw_process_probe_respons
35930 unsigned long flags;
35931 DECLARE_SSID_BUF(ssid);
35932
35933 + pax_track_stack();
35934 +
35935 LIBIPW_DEBUG_SCAN("'%s' (%pM"
35936 "): %c%c%c%c %c%c%c%c-%c%c%c%c %c%c%c%c\n",
35937 print_ssid(ssid, info_element->data, info_element->len),
35938 diff -urNp linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-1000.c linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-1000.c
35939 --- linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-1000.c 2011-03-27 14:31:47.000000000 -0400
35940 +++ linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-1000.c 2011-04-17 15:56:46.000000000 -0400
35941 @@ -137,7 +137,7 @@ static struct iwl_lib_ops iwl1000_lib =
35942 },
35943 };
35944
35945 -static struct iwl_ops iwl1000_ops = {
35946 +static const struct iwl_ops iwl1000_ops = {
35947 .ucode = &iwl5000_ucode,
35948 .lib = &iwl1000_lib,
35949 .hcmd = &iwl5000_hcmd,
35950 diff -urNp linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl3945-base.c linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl3945-base.c
35951 --- linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl3945-base.c 2011-03-27 14:31:47.000000000 -0400
35952 +++ linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl3945-base.c 2011-08-05 20:33:55.000000000 -0400
35953 @@ -3927,7 +3927,9 @@ static int iwl3945_pci_probe(struct pci_
35954 */
35955 if (iwl3945_mod_params.disable_hw_scan) {
35956 IWL_DEBUG_INFO(priv, "Disabling hw_scan\n");
35957 - iwl3945_hw_ops.hw_scan = NULL;
35958 + pax_open_kernel();
35959 + *(void **)&iwl3945_hw_ops.hw_scan = NULL;
35960 + pax_close_kernel();
35961 }
35962
35963
35964 diff -urNp linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-3945.c linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-3945.c
35965 --- linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-3945.c 2011-03-27 14:31:47.000000000 -0400
35966 +++ linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-3945.c 2011-04-17 15:56:46.000000000 -0400
35967 @@ -2874,7 +2874,7 @@ static struct iwl_hcmd_utils_ops iwl3945
35968 .build_addsta_hcmd = iwl3945_build_addsta_hcmd,
35969 };
35970
35971 -static struct iwl_ops iwl3945_ops = {
35972 +static const struct iwl_ops iwl3945_ops = {
35973 .ucode = &iwl3945_ucode,
35974 .lib = &iwl3945_lib,
35975 .hcmd = &iwl3945_hcmd,
35976 diff -urNp linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-4965.c linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-4965.c
35977 --- linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-4965.c 2011-03-27 14:31:47.000000000 -0400
35978 +++ linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-4965.c 2011-04-17 15:56:46.000000000 -0400
35979 @@ -2345,7 +2345,7 @@ static struct iwl_lib_ops iwl4965_lib =
35980 },
35981 };
35982
35983 -static struct iwl_ops iwl4965_ops = {
35984 +static const struct iwl_ops iwl4965_ops = {
35985 .ucode = &iwl4965_ucode,
35986 .lib = &iwl4965_lib,
35987 .hcmd = &iwl4965_hcmd,
35988 diff -urNp linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-5000.c linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-5000.c
35989 --- linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-5000.c 2011-06-25 12:55:34.000000000 -0400
35990 +++ linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-5000.c 2011-06-25 12:56:37.000000000 -0400
35991 @@ -1633,14 +1633,14 @@ static struct iwl_lib_ops iwl5150_lib =
35992 },
35993 };
35994
35995 -struct iwl_ops iwl5000_ops = {
35996 +const struct iwl_ops iwl5000_ops = {
35997 .ucode = &iwl5000_ucode,
35998 .lib = &iwl5000_lib,
35999 .hcmd = &iwl5000_hcmd,
36000 .utils = &iwl5000_hcmd_utils,
36001 };
36002
36003 -static struct iwl_ops iwl5150_ops = {
36004 +static const struct iwl_ops iwl5150_ops = {
36005 .ucode = &iwl5000_ucode,
36006 .lib = &iwl5150_lib,
36007 .hcmd = &iwl5000_hcmd,
36008 diff -urNp linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-6000.c linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-6000.c
36009 --- linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-6000.c 2011-03-27 14:31:47.000000000 -0400
36010 +++ linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-6000.c 2011-04-17 15:56:46.000000000 -0400
36011 @@ -146,7 +146,7 @@ static struct iwl_hcmd_utils_ops iwl6000
36012 .calc_rssi = iwl5000_calc_rssi,
36013 };
36014
36015 -static struct iwl_ops iwl6000_ops = {
36016 +static const struct iwl_ops iwl6000_ops = {
36017 .ucode = &iwl5000_ucode,
36018 .lib = &iwl6000_lib,
36019 .hcmd = &iwl5000_hcmd,
36020 diff -urNp linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-agn.c linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-agn.c
36021 --- linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-agn.c 2011-03-27 14:31:47.000000000 -0400
36022 +++ linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-agn.c 2011-08-05 20:33:55.000000000 -0400
36023 @@ -2911,7 +2911,9 @@ static int iwl_pci_probe(struct pci_dev
36024 if (iwl_debug_level & IWL_DL_INFO)
36025 dev_printk(KERN_DEBUG, &(pdev->dev),
36026 "Disabling hw_scan\n");
36027 - iwl_hw_ops.hw_scan = NULL;
36028 + pax_open_kernel();
36029 + *(void **)&iwl_hw_ops.hw_scan = NULL;
36030 + pax_close_kernel();
36031 }
36032
36033 hw = iwl_alloc_all(cfg, &iwl_hw_ops);
36034 diff -urNp linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-agn-rs.c linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-agn-rs.c
36035 --- linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-agn-rs.c 2011-03-27 14:31:47.000000000 -0400
36036 +++ linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-agn-rs.c 2011-05-16 21:46:57.000000000 -0400
36037 @@ -857,6 +857,8 @@ static void rs_tx_status(void *priv_r, s
36038 u8 active_index = 0;
36039 s32 tpt = 0;
36040
36041 + pax_track_stack();
36042 +
36043 IWL_DEBUG_RATE_LIMIT(priv, "get frame ack response, update rate scale window\n");
36044
36045 if (!ieee80211_is_data(hdr->frame_control) ||
36046 @@ -2722,6 +2724,8 @@ static void rs_fill_link_cmd(struct iwl_
36047 u8 valid_tx_ant = 0;
36048 struct iwl_link_quality_cmd *lq_cmd = &lq_sta->lq;
36049
36050 + pax_track_stack();
36051 +
36052 /* Override starting rate (index 0) if needed for debug purposes */
36053 rs_dbgfs_set_mcs(lq_sta, &new_rate, index);
36054
36055 diff -urNp linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-debugfs.c linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-debugfs.c
36056 --- linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-debugfs.c 2011-03-27 14:31:47.000000000 -0400
36057 +++ linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-debugfs.c 2011-05-16 21:46:57.000000000 -0400
36058 @@ -524,6 +524,8 @@ static ssize_t iwl_dbgfs_status_read(str
36059 int pos = 0;
36060 const size_t bufsz = sizeof(buf);
36061
36062 + pax_track_stack();
36063 +
36064 pos += scnprintf(buf + pos, bufsz - pos, "STATUS_HCMD_ACTIVE:\t %d\n",
36065 test_bit(STATUS_HCMD_ACTIVE, &priv->status));
36066 pos += scnprintf(buf + pos, bufsz - pos, "STATUS_HCMD_SYNC_ACTIVE: %d\n",
36067 @@ -658,6 +660,8 @@ static ssize_t iwl_dbgfs_qos_read(struct
36068 const size_t bufsz = sizeof(buf);
36069 ssize_t ret;
36070
36071 + pax_track_stack();
36072 +
36073 for (i = 0; i < AC_NUM; i++) {
36074 pos += scnprintf(buf + pos, bufsz - pos,
36075 "\tcw_min\tcw_max\taifsn\ttxop\n");
36076 diff -urNp linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-debug.h linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-debug.h
36077 --- linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-03-27 14:31:47.000000000 -0400
36078 +++ linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-04-17 15:56:46.000000000 -0400
36079 @@ -118,8 +118,8 @@ void iwl_dbgfs_unregister(struct iwl_pri
36080 #endif
36081
36082 #else
36083 -#define IWL_DEBUG(__priv, level, fmt, args...)
36084 -#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...)
36085 +#define IWL_DEBUG(__priv, level, fmt, args...) do {} while (0)
36086 +#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...) do {} while (0)
36087 static inline void iwl_print_hex_dump(struct iwl_priv *priv, int level,
36088 void *p, u32 len)
36089 {}
36090 diff -urNp linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-dev.h linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-dev.h
36091 --- linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-dev.h 2011-03-27 14:31:47.000000000 -0400
36092 +++ linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-dev.h 2011-04-17 15:56:46.000000000 -0400
36093 @@ -68,7 +68,7 @@ struct iwl_tx_queue;
36094
36095 /* shared structures from iwl-5000.c */
36096 extern struct iwl_mod_params iwl50_mod_params;
36097 -extern struct iwl_ops iwl5000_ops;
36098 +extern const struct iwl_ops iwl5000_ops;
36099 extern struct iwl_ucode_ops iwl5000_ucode;
36100 extern struct iwl_lib_ops iwl5000_lib;
36101 extern struct iwl_hcmd_ops iwl5000_hcmd;
36102 diff -urNp linux-2.6.32.46/drivers/net/wireless/iwmc3200wifi/debugfs.c linux-2.6.32.46/drivers/net/wireless/iwmc3200wifi/debugfs.c
36103 --- linux-2.6.32.46/drivers/net/wireless/iwmc3200wifi/debugfs.c 2011-03-27 14:31:47.000000000 -0400
36104 +++ linux-2.6.32.46/drivers/net/wireless/iwmc3200wifi/debugfs.c 2011-05-16 21:46:57.000000000 -0400
36105 @@ -299,6 +299,8 @@ static ssize_t iwm_debugfs_fw_err_read(s
36106 int buf_len = 512;
36107 size_t len = 0;
36108
36109 + pax_track_stack();
36110 +
36111 if (*ppos != 0)
36112 return 0;
36113 if (count < sizeof(buf))
36114 diff -urNp linux-2.6.32.46/drivers/net/wireless/libertas/debugfs.c linux-2.6.32.46/drivers/net/wireless/libertas/debugfs.c
36115 --- linux-2.6.32.46/drivers/net/wireless/libertas/debugfs.c 2011-03-27 14:31:47.000000000 -0400
36116 +++ linux-2.6.32.46/drivers/net/wireless/libertas/debugfs.c 2011-04-17 15:56:46.000000000 -0400
36117 @@ -708,7 +708,7 @@ out_unlock:
36118 struct lbs_debugfs_files {
36119 const char *name;
36120 int perm;
36121 - struct file_operations fops;
36122 + const struct file_operations fops;
36123 };
36124
36125 static const struct lbs_debugfs_files debugfs_files[] = {
36126 diff -urNp linux-2.6.32.46/drivers/net/wireless/rndis_wlan.c linux-2.6.32.46/drivers/net/wireless/rndis_wlan.c
36127 --- linux-2.6.32.46/drivers/net/wireless/rndis_wlan.c 2011-03-27 14:31:47.000000000 -0400
36128 +++ linux-2.6.32.46/drivers/net/wireless/rndis_wlan.c 2011-04-17 15:56:46.000000000 -0400
36129 @@ -1176,7 +1176,7 @@ static int set_rts_threshold(struct usbn
36130
36131 devdbg(usbdev, "set_rts_threshold %i", rts_threshold);
36132
36133 - if (rts_threshold < 0 || rts_threshold > 2347)
36134 + if (rts_threshold > 2347)
36135 rts_threshold = 2347;
36136
36137 tmp = cpu_to_le32(rts_threshold);
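Review bot: Dropping `rts_threshold < 0` is only equivalent if the parameter is unsigned; its declaration is cut off in the hunk header, so this should be confirmed against the full signature of `set_rts_threshold`. If it is unsigned, the `devdbg(usbdev, "set_rts_threshold %i", rts_threshold);` line just above uses a signed conversion and would read better with `%u`. If it is signed, a negative value now passes the clamp and reaches `cpu_to_le32` unchanged.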
36138 diff -urNp linux-2.6.32.46/drivers/oprofile/buffer_sync.c linux-2.6.32.46/drivers/oprofile/buffer_sync.c
36139 --- linux-2.6.32.46/drivers/oprofile/buffer_sync.c 2011-03-27 14:31:47.000000000 -0400
36140 +++ linux-2.6.32.46/drivers/oprofile/buffer_sync.c 2011-04-17 15:56:46.000000000 -0400
36141 @@ -341,7 +341,7 @@ static void add_data(struct op_entry *en
36142 if (cookie == NO_COOKIE)
36143 offset = pc;
36144 if (cookie == INVALID_COOKIE) {
36145 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
36146 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
36147 offset = pc;
36148 }
36149 if (cookie != last_cookie) {
36150 @@ -385,14 +385,14 @@ add_sample(struct mm_struct *mm, struct
36151 /* add userspace sample */
36152
36153 if (!mm) {
36154 - atomic_inc(&oprofile_stats.sample_lost_no_mm);
36155 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
36156 return 0;
36157 }
36158
36159 cookie = lookup_dcookie(mm, s->eip, &offset);
36160
36161 if (cookie == INVALID_COOKIE) {
36162 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
36163 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
36164 return 0;
36165 }
36166
36167 @@ -561,7 +561,7 @@ void sync_buffer(int cpu)
36168 /* ignore backtraces if failed to add a sample */
36169 if (state == sb_bt_start) {
36170 state = sb_bt_ignore;
36171 - atomic_inc(&oprofile_stats.bt_lost_no_mapping);
36172 + atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
36173 }
36174 }
36175 release_mm(mm);
36176 diff -urNp linux-2.6.32.46/drivers/oprofile/event_buffer.c linux-2.6.32.46/drivers/oprofile/event_buffer.c
36177 --- linux-2.6.32.46/drivers/oprofile/event_buffer.c 2011-03-27 14:31:47.000000000 -0400
36178 +++ linux-2.6.32.46/drivers/oprofile/event_buffer.c 2011-04-17 15:56:46.000000000 -0400
36179 @@ -53,7 +53,7 @@ void add_event_entry(unsigned long value
36180 }
36181
36182 if (buffer_pos == buffer_size) {
36183 - atomic_inc(&oprofile_stats.event_lost_overflow);
36184 + atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
36185 return;
36186 }
36187
36188 diff -urNp linux-2.6.32.46/drivers/oprofile/oprof.c linux-2.6.32.46/drivers/oprofile/oprof.c
36189 --- linux-2.6.32.46/drivers/oprofile/oprof.c 2011-03-27 14:31:47.000000000 -0400
36190 +++ linux-2.6.32.46/drivers/oprofile/oprof.c 2011-04-17 15:56:46.000000000 -0400
36191 @@ -110,7 +110,7 @@ static void switch_worker(struct work_st
36192 if (oprofile_ops.switch_events())
36193 return;
36194
36195 - atomic_inc(&oprofile_stats.multiplex_counter);
36196 + atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
36197 start_switch_worker();
36198 }
36199
36200 diff -urNp linux-2.6.32.46/drivers/oprofile/oprofilefs.c linux-2.6.32.46/drivers/oprofile/oprofilefs.c
36201 --- linux-2.6.32.46/drivers/oprofile/oprofilefs.c 2011-03-27 14:31:47.000000000 -0400
36202 +++ linux-2.6.32.46/drivers/oprofile/oprofilefs.c 2011-04-17 15:56:46.000000000 -0400
36203 @@ -187,7 +187,7 @@ static const struct file_operations atom
36204
36205
36206 int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
36207 - char const *name, atomic_t *val)
36208 + char const *name, atomic_unchecked_t *val)
36209 {
36210 struct dentry *d = __oprofilefs_create_file(sb, root, name,
36211 &atomic_ro_fops, 0444);
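Review bot: The parameter of `oprofilefs_create_ro_atomic` becomes `atomic_unchecked_t *`, but nothing in this hunk shows the read side or the shared prototype following it. The handler behind `atomic_ro_fops` (outside the hunk) presumably receives the pointer as untyped private data, so a leftover `atomic_read()` there would mix the two types without a compiler diagnostic. I would record the contract above the function, e.g. `/* val is a wrapping statistics counter; read it only with atomic_read_unchecked() */`, and confirm the header declaration carries the same type. The function body continues past the hunk.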
36212 diff -urNp linux-2.6.32.46/drivers/oprofile/oprofile_stats.c linux-2.6.32.46/drivers/oprofile/oprofile_stats.c
36213 --- linux-2.6.32.46/drivers/oprofile/oprofile_stats.c 2011-03-27 14:31:47.000000000 -0400
36214 +++ linux-2.6.32.46/drivers/oprofile/oprofile_stats.c 2011-04-17 15:56:46.000000000 -0400
36215 @@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
36216 cpu_buf->sample_invalid_eip = 0;
36217 }
36218
36219 - atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
36220 - atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
36221 - atomic_set(&oprofile_stats.event_lost_overflow, 0);
36222 - atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
36223 - atomic_set(&oprofile_stats.multiplex_counter, 0);
36224 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
36225 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
36226 + atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
36227 + atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
36228 + atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
36229 }
36230
36231
36232 diff -urNp linux-2.6.32.46/drivers/oprofile/oprofile_stats.h linux-2.6.32.46/drivers/oprofile/oprofile_stats.h
36233 --- linux-2.6.32.46/drivers/oprofile/oprofile_stats.h 2011-03-27 14:31:47.000000000 -0400
36234 +++ linux-2.6.32.46/drivers/oprofile/oprofile_stats.h 2011-04-17 15:56:46.000000000 -0400
36235 @@ -13,11 +13,11 @@
36236 #include <asm/atomic.h>
36237
36238 struct oprofile_stat_struct {
36239 - atomic_t sample_lost_no_mm;
36240 - atomic_t sample_lost_no_mapping;
36241 - atomic_t bt_lost_no_mapping;
36242 - atomic_t event_lost_overflow;
36243 - atomic_t multiplex_counter;
36244 + atomic_unchecked_t sample_lost_no_mm;
36245 + atomic_unchecked_t sample_lost_no_mapping;
36246 + atomic_unchecked_t bt_lost_no_mapping;
36247 + atomic_unchecked_t event_lost_overflow;
36248 + atomic_unchecked_t multiplex_counter;
36249 };
36250
36251 extern struct oprofile_stat_struct oprofile_stats;
36252 diff -urNp linux-2.6.32.46/drivers/parisc/pdc_stable.c linux-2.6.32.46/drivers/parisc/pdc_stable.c
36253 --- linux-2.6.32.46/drivers/parisc/pdc_stable.c 2011-03-27 14:31:47.000000000 -0400
36254 +++ linux-2.6.32.46/drivers/parisc/pdc_stable.c 2011-04-17 15:56:46.000000000 -0400
36255 @@ -481,7 +481,7 @@ pdcspath_attr_store(struct kobject *kobj
36256 return ret;
36257 }
36258
36259 -static struct sysfs_ops pdcspath_attr_ops = {
36260 +static const struct sysfs_ops pdcspath_attr_ops = {
36261 .show = pdcspath_attr_show,
36262 .store = pdcspath_attr_store,
36263 };
36264 diff -urNp linux-2.6.32.46/drivers/parport/procfs.c linux-2.6.32.46/drivers/parport/procfs.c
36265 --- linux-2.6.32.46/drivers/parport/procfs.c 2011-03-27 14:31:47.000000000 -0400
36266 +++ linux-2.6.32.46/drivers/parport/procfs.c 2011-04-17 15:56:46.000000000 -0400
36267 @@ -64,7 +64,7 @@ static int do_active_device(ctl_table *t
36268
36269 *ppos += len;
36270
36271 - return copy_to_user(result, buffer, len) ? -EFAULT : 0;
36272 + return (len > sizeof buffer || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
36273 }
36274
36275 #ifdef CONFIG_PARPORT_1284
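Review bot: The added `len > sizeof buffer` test runs after `*ppos += len`, so when it fires the file position has already been advanced by the rejected length. This applies to `do_active_device` here and to the identical change in `do_autoprobe` in the next hunk. The test also guards only the copy-out: if `len` could really exceed the array, the code that filled `buffer` (outside the hunk) would already have written past it, so this limits disclosure of adjacent stack memory but not the earlier write. I would place `if (len > sizeof buffer) return -EFAULT;` ahead of the position update and add a comment stating that `len` is expected to be bounded by the formatting code above. Both function bodies start outside their hunks.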
36276 @@ -106,7 +106,7 @@ static int do_autoprobe(ctl_table *table
36277
36278 *ppos += len;
36279
36280 - return copy_to_user (result, buffer, len) ? -EFAULT : 0;
36281 + return (len > sizeof buffer || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
36282 }
36283 #endif /* IEEE1284.3 support. */
36284
36285 diff -urNp linux-2.6.32.46/drivers/pci/hotplug/acpiphp_glue.c linux-2.6.32.46/drivers/pci/hotplug/acpiphp_glue.c
36286 --- linux-2.6.32.46/drivers/pci/hotplug/acpiphp_glue.c 2011-03-27 14:31:47.000000000 -0400
36287 +++ linux-2.6.32.46/drivers/pci/hotplug/acpiphp_glue.c 2011-04-17 15:56:46.000000000 -0400
36288 @@ -111,7 +111,7 @@ static int post_dock_fixups(struct notif
36289 }
36290
36291
36292 -static struct acpi_dock_ops acpiphp_dock_ops = {
36293 +static const struct acpi_dock_ops acpiphp_dock_ops = {
36294 .handler = handle_hotplug_event_func,
36295 };
36296
36297 diff -urNp linux-2.6.32.46/drivers/pci/hotplug/cpci_hotplug.h linux-2.6.32.46/drivers/pci/hotplug/cpci_hotplug.h
36298 --- linux-2.6.32.46/drivers/pci/hotplug/cpci_hotplug.h 2011-03-27 14:31:47.000000000 -0400
36299 +++ linux-2.6.32.46/drivers/pci/hotplug/cpci_hotplug.h 2011-08-05 20:33:55.000000000 -0400
36300 @@ -59,7 +59,7 @@ struct cpci_hp_controller_ops {
36301 int (*hardware_test) (struct slot* slot, u32 value);
36302 u8 (*get_power) (struct slot* slot);
36303 int (*set_power) (struct slot* slot, int value);
36304 -};
36305 +} __no_const;
36306
36307 struct cpci_hp_controller {
36308 unsigned int irq;
36309 diff -urNp linux-2.6.32.46/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.32.46/drivers/pci/hotplug/cpqphp_nvram.c
36310 --- linux-2.6.32.46/drivers/pci/hotplug/cpqphp_nvram.c 2011-03-27 14:31:47.000000000 -0400
36311 +++ linux-2.6.32.46/drivers/pci/hotplug/cpqphp_nvram.c 2011-04-17 15:56:46.000000000 -0400
36312 @@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_
36313
36314 void compaq_nvram_init (void __iomem *rom_start)
36315 {
36316 +
36317 +#ifndef CONFIG_PAX_KERNEXEC
36318 if (rom_start) {
36319 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
36320 }
36321 +#endif
36322 +
36323 dbg("int15 entry = %p\n", compaq_int15_entry_point);
36324
36325 /* initialize our int15 lock */
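Review bot: With CONFIG_PAX_KERNEXEC set, `compaq_int15_entry_point` is never assigned in `compaq_nvram_init`, yet the `dbg()` call right after the `#endif` still prints it. Any code that later calls through it (not visible here) would see whatever its initial value is. The reason for compiling the assignment out is not stated; presumably the ROM entry point cannot be executed as kernel code under KERNEXEC. A comment above the `#ifndef` such as `/* KERNEXEC: the ROM int15 entry cannot be called, leave the entry point unset */` would record that, and the callers should be confirmed to handle an unset pointer. The added blank line directly after the opening brace can be dropped; the function continues past the hunk.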
36326 diff -urNp linux-2.6.32.46/drivers/pci/hotplug/fakephp.c linux-2.6.32.46/drivers/pci/hotplug/fakephp.c
36327 --- linux-2.6.32.46/drivers/pci/hotplug/fakephp.c 2011-03-27 14:31:47.000000000 -0400
36328 +++ linux-2.6.32.46/drivers/pci/hotplug/fakephp.c 2011-04-17 15:56:46.000000000 -0400
36329 @@ -73,7 +73,7 @@ static void legacy_release(struct kobjec
36330 }
36331
36332 static struct kobj_type legacy_ktype = {
36333 - .sysfs_ops = &(struct sysfs_ops){
36334 + .sysfs_ops = &(const struct sysfs_ops){
36335 .store = legacy_store, .show = legacy_show
36336 },
36337 .release = &legacy_release,
36338 diff -urNp linux-2.6.32.46/drivers/pci/intel-iommu.c linux-2.6.32.46/drivers/pci/intel-iommu.c
36339 --- linux-2.6.32.46/drivers/pci/intel-iommu.c 2011-05-10 22:12:01.000000000 -0400
36340 +++ linux-2.6.32.46/drivers/pci/intel-iommu.c 2011-05-10 22:12:33.000000000 -0400
36341 @@ -2643,7 +2643,7 @@ error:
36342 return 0;
36343 }
36344
36345 -static dma_addr_t intel_map_page(struct device *dev, struct page *page,
36346 +dma_addr_t intel_map_page(struct device *dev, struct page *page,
36347 unsigned long offset, size_t size,
36348 enum dma_data_direction dir,
36349 struct dma_attrs *attrs)
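Review bot: Removing `static` from `intel_map_page` gives it external linkage, but no prototype is added here, so another translation unit could declare it with a different signature and the compiler would not notice. The same holds for `intel_unmap_page`, `intel_alloc_coherent`, `intel_free_coherent`, `intel_unmap_sg`, `intel_map_sg` and `intel_mapping_error` in the following hunks of this file. If the wider visibility is needed (presumably so other code can call them directly rather than through the now-`const` `intel_dma_ops` table), the declarations belong in one shared header that this file also includes. A short comment at the first definition naming the consumer would help. The function body lies outside the hunk.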
36350 @@ -2719,7 +2719,7 @@ static void add_unmap(struct dmar_domain
36351 spin_unlock_irqrestore(&async_umap_flush_lock, flags);
36352 }
36353
36354 -static void intel_unmap_page(struct device *dev, dma_addr_t dev_addr,
36355 +void intel_unmap_page(struct device *dev, dma_addr_t dev_addr,
36356 size_t size, enum dma_data_direction dir,
36357 struct dma_attrs *attrs)
36358 {
36359 @@ -2768,7 +2768,7 @@ static void intel_unmap_page(struct devi
36360 }
36361 }
36362
36363 -static void *intel_alloc_coherent(struct device *hwdev, size_t size,
36364 +void *intel_alloc_coherent(struct device *hwdev, size_t size,
36365 dma_addr_t *dma_handle, gfp_t flags)
36366 {
36367 void *vaddr;
36368 @@ -2800,7 +2800,7 @@ static void *intel_alloc_coherent(struct
36369 return NULL;
36370 }
36371
36372 -static void intel_free_coherent(struct device *hwdev, size_t size, void *vaddr,
36373 +void intel_free_coherent(struct device *hwdev, size_t size, void *vaddr,
36374 dma_addr_t dma_handle)
36375 {
36376 int order;
36377 @@ -2812,7 +2812,7 @@ static void intel_free_coherent(struct d
36378 free_pages((unsigned long)vaddr, order);
36379 }
36380
36381 -static void intel_unmap_sg(struct device *hwdev, struct scatterlist *sglist,
36382 +void intel_unmap_sg(struct device *hwdev, struct scatterlist *sglist,
36383 int nelems, enum dma_data_direction dir,
36384 struct dma_attrs *attrs)
36385 {
36386 @@ -2872,7 +2872,7 @@ static int intel_nontranslate_map_sg(str
36387 return nelems;
36388 }
36389
36390 -static int intel_map_sg(struct device *hwdev, struct scatterlist *sglist, int nelems,
36391 +int intel_map_sg(struct device *hwdev, struct scatterlist *sglist, int nelems,
36392 enum dma_data_direction dir, struct dma_attrs *attrs)
36393 {
36394 int i;
36395 @@ -2941,12 +2941,12 @@ static int intel_map_sg(struct device *h
36396 return nelems;
36397 }
36398
36399 -static int intel_mapping_error(struct device *dev, dma_addr_t dma_addr)
36400 +int intel_mapping_error(struct device *dev, dma_addr_t dma_addr)
36401 {
36402 return !dma_addr;
36403 }
36404
36405 -struct dma_map_ops intel_dma_ops = {
36406 +const struct dma_map_ops intel_dma_ops = {
36407 .alloc_coherent = intel_alloc_coherent,
36408 .free_coherent = intel_free_coherent,
36409 .map_sg = intel_map_sg,
36410 diff -urNp linux-2.6.32.46/drivers/pci/pcie/aspm.c linux-2.6.32.46/drivers/pci/pcie/aspm.c
36411 --- linux-2.6.32.46/drivers/pci/pcie/aspm.c 2011-03-27 14:31:47.000000000 -0400
36412 +++ linux-2.6.32.46/drivers/pci/pcie/aspm.c 2011-04-17 15:56:46.000000000 -0400
36413 @@ -27,9 +27,9 @@
36414 #define MODULE_PARAM_PREFIX "pcie_aspm."
36415
36416 /* Note: those are not register definitions */
36417 -#define ASPM_STATE_L0S_UP (1) /* Upstream direction L0s state */
36418 -#define ASPM_STATE_L0S_DW (2) /* Downstream direction L0s state */
36419 -#define ASPM_STATE_L1 (4) /* L1 state */
36420 +#define ASPM_STATE_L0S_UP (1U) /* Upstream direction L0s state */
36421 +#define ASPM_STATE_L0S_DW (2U) /* Downstream direction L0s state */
36422 +#define ASPM_STATE_L1 (4U) /* L1 state */
36423 #define ASPM_STATE_L0S (ASPM_STATE_L0S_UP | ASPM_STATE_L0S_DW)
36424 #define ASPM_STATE_ALL (ASPM_STATE_L0S | ASPM_STATE_L1)
36425
36426 diff -urNp linux-2.6.32.46/drivers/pci/probe.c linux-2.6.32.46/drivers/pci/probe.c
36427 --- linux-2.6.32.46/drivers/pci/probe.c 2011-03-27 14:31:47.000000000 -0400
36428 +++ linux-2.6.32.46/drivers/pci/probe.c 2011-04-17 15:56:46.000000000 -0400
36429 @@ -62,14 +62,14 @@ static ssize_t pci_bus_show_cpuaffinity(
36430 return ret;
36431 }
36432
36433 -static ssize_t inline pci_bus_show_cpumaskaffinity(struct device *dev,
36434 +static inline ssize_t pci_bus_show_cpumaskaffinity(struct device *dev,
36435 struct device_attribute *attr,
36436 char *buf)
36437 {
36438 return pci_bus_show_cpuaffinity(dev, 0, attr, buf);
36439 }
36440
36441 -static ssize_t inline pci_bus_show_cpulistaffinity(struct device *dev,
36442 +static inline ssize_t pci_bus_show_cpulistaffinity(struct device *dev,
36443 struct device_attribute *attr,
36444 char *buf)
36445 {
36446 diff -urNp linux-2.6.32.46/drivers/pci/proc.c linux-2.6.32.46/drivers/pci/proc.c
36447 --- linux-2.6.32.46/drivers/pci/proc.c 2011-03-27 14:31:47.000000000 -0400
36448 +++ linux-2.6.32.46/drivers/pci/proc.c 2011-04-17 15:56:46.000000000 -0400
36449 @@ -480,7 +480,16 @@ static const struct file_operations proc
36450 static int __init pci_proc_init(void)
36451 {
36452 struct pci_dev *dev = NULL;
36453 +
36454 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
36455 +#ifdef CONFIG_GRKERNSEC_PROC_USER
36456 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
36457 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
36458 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
36459 +#endif
36460 +#else
36461 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
36462 +#endif
36463 proc_create("devices", 0, proc_bus_pci_dir,
36464 &proc_bus_pci_dev_operations);
36465 proc_initialized = 1;
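Review bot: When CONFIG_GRKERNSEC_PROC_ADD is set but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP is, the inner `#ifdef`/`#elif` chain assigns nothing. `proc_bus_pci_dir` then keeps its initial value when `proc_create("devices", ...)` uses it as the parent, so the entry would not land under a restricted `bus/pci` directory. Whether Kconfig rules that combination out is not visible here, so the inner chain should carry its own fallback: `#else` followed by `proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);` before the inner `#endif`. `pci_proc_init` continues past the hunk.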
36466 diff -urNp linux-2.6.32.46/drivers/pci/slot.c linux-2.6.32.46/drivers/pci/slot.c
36467 --- linux-2.6.32.46/drivers/pci/slot.c 2011-03-27 14:31:47.000000000 -0400
36468 +++ linux-2.6.32.46/drivers/pci/slot.c 2011-04-17 15:56:46.000000000 -0400
36469 @@ -29,7 +29,7 @@ static ssize_t pci_slot_attr_store(struc
36470 return attribute->store ? attribute->store(slot, buf, len) : -EIO;
36471 }
36472
36473 -static struct sysfs_ops pci_slot_sysfs_ops = {
36474 +static const struct sysfs_ops pci_slot_sysfs_ops = {
36475 .show = pci_slot_attr_show,
36476 .store = pci_slot_attr_store,
36477 };
36478 diff -urNp linux-2.6.32.46/drivers/pcmcia/pcmcia_ioctl.c linux-2.6.32.46/drivers/pcmcia/pcmcia_ioctl.c
36479 --- linux-2.6.32.46/drivers/pcmcia/pcmcia_ioctl.c 2011-03-27 14:31:47.000000000 -0400
36480 +++ linux-2.6.32.46/drivers/pcmcia/pcmcia_ioctl.c 2011-04-17 15:56:46.000000000 -0400
36481 @@ -819,7 +819,7 @@ static int ds_ioctl(struct inode * inode
36482 return -EFAULT;
36483 }
36484 }
36485 - buf = kmalloc(sizeof(ds_ioctl_arg_t), GFP_KERNEL);
36486 + buf = kzalloc(sizeof(ds_ioctl_arg_t), GFP_KERNEL);
36487 if (!buf)
36488 return -ENOMEM;
36489
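Review bot: The switch to `kzalloc` carries no comment saying why the buffer must be zeroed, so a later cleanup could turn it back into `kmalloc`. Presumably `buf` is copied back to user space later in `ds_ioctl` (outside this hunk), and fields or padding of `ds_ioctl_arg_t` that a given command does not fill would otherwise carry stale heap contents. I would add `/* zeroed: unfilled parts of buf may be copied to user space */` above the allocation. The function starts and ends outside the hunk.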
36490 diff -urNp linux-2.6.32.46/drivers/platform/x86/acer-wmi.c linux-2.6.32.46/drivers/platform/x86/acer-wmi.c
36491 --- linux-2.6.32.46/drivers/platform/x86/acer-wmi.c 2011-03-27 14:31:47.000000000 -0400
36492 +++ linux-2.6.32.46/drivers/platform/x86/acer-wmi.c 2011-04-17 15:56:46.000000000 -0400
36493 @@ -918,7 +918,7 @@ static int update_bl_status(struct backl
36494 return 0;
36495 }
36496
36497 -static struct backlight_ops acer_bl_ops = {
36498 +static const struct backlight_ops acer_bl_ops = {
36499 .get_brightness = read_brightness,
36500 .update_status = update_bl_status,
36501 };
36502 diff -urNp linux-2.6.32.46/drivers/platform/x86/asus_acpi.c linux-2.6.32.46/drivers/platform/x86/asus_acpi.c
36503 --- linux-2.6.32.46/drivers/platform/x86/asus_acpi.c 2011-03-27 14:31:47.000000000 -0400
36504 +++ linux-2.6.32.46/drivers/platform/x86/asus_acpi.c 2011-04-17 15:56:46.000000000 -0400
36505 @@ -1396,7 +1396,7 @@ static int asus_hotk_remove(struct acpi_
36506 return 0;
36507 }
36508
36509 -static struct backlight_ops asus_backlight_data = {
36510 +static const struct backlight_ops asus_backlight_data = {
36511 .get_brightness = read_brightness,
36512 .update_status = set_brightness_status,
36513 };
36514 diff -urNp linux-2.6.32.46/drivers/platform/x86/asus-laptop.c linux-2.6.32.46/drivers/platform/x86/asus-laptop.c
36515 --- linux-2.6.32.46/drivers/platform/x86/asus-laptop.c 2011-03-27 14:31:47.000000000 -0400
36516 +++ linux-2.6.32.46/drivers/platform/x86/asus-laptop.c 2011-04-17 15:56:46.000000000 -0400
36517 @@ -250,7 +250,7 @@ static struct backlight_device *asus_bac
36518 */
36519 static int read_brightness(struct backlight_device *bd);
36520 static int update_bl_status(struct backlight_device *bd);
36521 -static struct backlight_ops asusbl_ops = {
36522 +static const struct backlight_ops asusbl_ops = {
36523 .get_brightness = read_brightness,
36524 .update_status = update_bl_status,
36525 };
36526 diff -urNp linux-2.6.32.46/drivers/platform/x86/compal-laptop.c linux-2.6.32.46/drivers/platform/x86/compal-laptop.c
36527 --- linux-2.6.32.46/drivers/platform/x86/compal-laptop.c 2011-03-27 14:31:47.000000000 -0400
36528 +++ linux-2.6.32.46/drivers/platform/x86/compal-laptop.c 2011-04-17 15:56:46.000000000 -0400
36529 @@ -163,7 +163,7 @@ static int bl_update_status(struct backl
36530 return set_lcd_level(b->props.brightness);
36531 }
36532
36533 -static struct backlight_ops compalbl_ops = {
36534 +static const struct backlight_ops compalbl_ops = {
36535 .get_brightness = bl_get_brightness,
36536 .update_status = bl_update_status,
36537 };
36538 diff -urNp linux-2.6.32.46/drivers/platform/x86/dell-laptop.c linux-2.6.32.46/drivers/platform/x86/dell-laptop.c
36539 --- linux-2.6.32.46/drivers/platform/x86/dell-laptop.c 2011-05-10 22:12:01.000000000 -0400
36540 +++ linux-2.6.32.46/drivers/platform/x86/dell-laptop.c 2011-05-10 22:12:33.000000000 -0400
36541 @@ -318,7 +318,7 @@ static int dell_get_intensity(struct bac
36542 return buffer.output[1];
36543 }
36544
36545 -static struct backlight_ops dell_ops = {
36546 +static const struct backlight_ops dell_ops = {
36547 .get_brightness = dell_get_intensity,
36548 .update_status = dell_send_intensity,
36549 };
36550 diff -urNp linux-2.6.32.46/drivers/platform/x86/eeepc-laptop.c linux-2.6.32.46/drivers/platform/x86/eeepc-laptop.c
36551 --- linux-2.6.32.46/drivers/platform/x86/eeepc-laptop.c 2011-03-27 14:31:47.000000000 -0400
36552 +++ linux-2.6.32.46/drivers/platform/x86/eeepc-laptop.c 2011-04-17 15:56:46.000000000 -0400
36553 @@ -245,7 +245,7 @@ static struct device *eeepc_hwmon_device
36554 */
36555 static int read_brightness(struct backlight_device *bd);
36556 static int update_bl_status(struct backlight_device *bd);
36557 -static struct backlight_ops eeepcbl_ops = {
36558 +static const struct backlight_ops eeepcbl_ops = {
36559 .get_brightness = read_brightness,
36560 .update_status = update_bl_status,
36561 };
36562 diff -urNp linux-2.6.32.46/drivers/platform/x86/fujitsu-laptop.c linux-2.6.32.46/drivers/platform/x86/fujitsu-laptop.c
36563 --- linux-2.6.32.46/drivers/platform/x86/fujitsu-laptop.c 2011-03-27 14:31:47.000000000 -0400
36564 +++ linux-2.6.32.46/drivers/platform/x86/fujitsu-laptop.c 2011-04-17 15:56:46.000000000 -0400
36565 @@ -436,7 +436,7 @@ static int bl_update_status(struct backl
36566 return ret;
36567 }
36568
36569 -static struct backlight_ops fujitsubl_ops = {
36570 +static const struct backlight_ops fujitsubl_ops = {
36571 .get_brightness = bl_get_brightness,
36572 .update_status = bl_update_status,
36573 };
36574 diff -urNp linux-2.6.32.46/drivers/platform/x86/msi-laptop.c linux-2.6.32.46/drivers/platform/x86/msi-laptop.c
36575 --- linux-2.6.32.46/drivers/platform/x86/msi-laptop.c 2011-03-27 14:31:47.000000000 -0400
36576 +++ linux-2.6.32.46/drivers/platform/x86/msi-laptop.c 2011-04-17 15:56:46.000000000 -0400
36577 @@ -161,7 +161,7 @@ static int bl_update_status(struct backl
36578 return set_lcd_level(b->props.brightness);
36579 }
36580
36581 -static struct backlight_ops msibl_ops = {
36582 +static const struct backlight_ops msibl_ops = {
36583 .get_brightness = bl_get_brightness,
36584 .update_status = bl_update_status,
36585 };
36586 diff -urNp linux-2.6.32.46/drivers/platform/x86/panasonic-laptop.c linux-2.6.32.46/drivers/platform/x86/panasonic-laptop.c
36587 --- linux-2.6.32.46/drivers/platform/x86/panasonic-laptop.c 2011-03-27 14:31:47.000000000 -0400
36588 +++ linux-2.6.32.46/drivers/platform/x86/panasonic-laptop.c 2011-04-17 15:56:46.000000000 -0400
36589 @@ -352,7 +352,7 @@ static int bl_set_status(struct backligh
36590 return acpi_pcc_write_sset(pcc, SINF_DC_CUR_BRIGHT, bright);
36591 }
36592
36593 -static struct backlight_ops pcc_backlight_ops = {
36594 +static const struct backlight_ops pcc_backlight_ops = {
36595 .get_brightness = bl_get,
36596 .update_status = bl_set_status,
36597 };
36598 diff -urNp linux-2.6.32.46/drivers/platform/x86/sony-laptop.c linux-2.6.32.46/drivers/platform/x86/sony-laptop.c
36599 --- linux-2.6.32.46/drivers/platform/x86/sony-laptop.c 2011-03-27 14:31:47.000000000 -0400
36600 +++ linux-2.6.32.46/drivers/platform/x86/sony-laptop.c 2011-04-17 15:56:46.000000000 -0400
36601 @@ -850,7 +850,7 @@ static int sony_backlight_get_brightness
36602 }
36603
36604 static struct backlight_device *sony_backlight_device;
36605 -static struct backlight_ops sony_backlight_ops = {
36606 +static const struct backlight_ops sony_backlight_ops = {
36607 .update_status = sony_backlight_update_status,
36608 .get_brightness = sony_backlight_get_brightness,
36609 };
36610 diff -urNp linux-2.6.32.46/drivers/platform/x86/thinkpad_acpi.c linux-2.6.32.46/drivers/platform/x86/thinkpad_acpi.c
36611 --- linux-2.6.32.46/drivers/platform/x86/thinkpad_acpi.c 2011-03-27 14:31:47.000000000 -0400
36612 +++ linux-2.6.32.46/drivers/platform/x86/thinkpad_acpi.c 2011-08-05 20:33:55.000000000 -0400
36613 @@ -2137,7 +2137,7 @@ static int hotkey_mask_get(void)
36614 return 0;
36615 }
36616
36617 -void static hotkey_mask_warn_incomplete_mask(void)
36618 +static void hotkey_mask_warn_incomplete_mask(void)
36619 {
36620 /* log only what the user can fix... */
36621 const u32 wantedmask = hotkey_driver_mask &
36622 @@ -6122,7 +6122,7 @@ static void tpacpi_brightness_notify_cha
36623 BACKLIGHT_UPDATE_HOTKEY);
36624 }
36625
36626 -static struct backlight_ops ibm_backlight_data = {
36627 +static const struct backlight_ops ibm_backlight_data = {
36628 .get_brightness = brightness_get,
36629 .update_status = brightness_update_status,
36630 };
36631 diff -urNp linux-2.6.32.46/drivers/platform/x86/toshiba_acpi.c linux-2.6.32.46/drivers/platform/x86/toshiba_acpi.c
36632 --- linux-2.6.32.46/drivers/platform/x86/toshiba_acpi.c 2011-03-27 14:31:47.000000000 -0400
36633 +++ linux-2.6.32.46/drivers/platform/x86/toshiba_acpi.c 2011-04-17 15:56:46.000000000 -0400
36634 @@ -671,7 +671,7 @@ static acpi_status remove_device(void)
36635 return AE_OK;
36636 }
36637
36638 -static struct backlight_ops toshiba_backlight_data = {
36639 +static const struct backlight_ops toshiba_backlight_data = {
36640 .get_brightness = get_lcd,
36641 .update_status = set_lcd_status,
36642 };
36643 diff -urNp linux-2.6.32.46/drivers/pnp/pnpbios/bioscalls.c linux-2.6.32.46/drivers/pnp/pnpbios/bioscalls.c
36644 --- linux-2.6.32.46/drivers/pnp/pnpbios/bioscalls.c 2011-03-27 14:31:47.000000000 -0400
36645 +++ linux-2.6.32.46/drivers/pnp/pnpbios/bioscalls.c 2011-04-17 15:56:46.000000000 -0400
36646 @@ -60,7 +60,7 @@ do { \
36647 set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
36648 } while(0)
36649
36650 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
36651 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
36652 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
36653
36654 /*
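Review bot: The first argument of `GDT_ENTRY_INIT` changes from `0x4092` to `0x4093` without explanation, and an undocumented constant like this is easy to "correct" back by mistake. The extra bit is the descriptor's accessed flag; with it pre-set the CPU has no need to write to the GDT entry when the selector is loaded. That presumably matters once the table is kept read-only and written only inside the `pax_open_kernel()`/`pax_close_kernel()` windows added in the later hunks of this file. I would document it on the definition: `/* 0x4093: data segment, accessed bit pre-set so loading it never writes to the GDT */`.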
36655 @@ -97,7 +97,10 @@ static inline u16 call_pnp_bios(u16 func
36656
36657 cpu = get_cpu();
36658 save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
36659 +
36660 + pax_open_kernel();
36661 get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
36662 + pax_close_kernel();
36663
36664 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
36665 spin_lock_irqsave(&pnp_bios_lock, flags);
36666 @@ -135,7 +138,10 @@ static inline u16 call_pnp_bios(u16 func
36667 :"memory");
36668 spin_unlock_irqrestore(&pnp_bios_lock, flags);
36669
36670 + pax_open_kernel();
36671 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
36672 + pax_close_kernel();
36673 +
36674 put_cpu();
36675
36676 /* If we get here and this is set then the PnP BIOS faulted on us. */
36677 @@ -469,7 +475,7 @@ int pnp_bios_read_escd(char *data, u32 n
36678 return status;
36679 }
36680
36681 -void pnpbios_calls_init(union pnp_bios_install_struct *header)
36682 +void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
36683 {
36684 int i;
36685
36686 @@ -477,6 +483,8 @@ void pnpbios_calls_init(union pnp_bios_i
36687 pnp_bios_callpoint.offset = header->fields.pm16offset;
36688 pnp_bios_callpoint.segment = PNP_CS16;
36689
36690 + pax_open_kernel();
36691 +
36692 for_each_possible_cpu(i) {
36693 struct desc_struct *gdt = get_cpu_gdt_table(i);
36694 if (!gdt)
36695 @@ -488,4 +496,6 @@ void pnpbios_calls_init(union pnp_bios_i
36696 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
36697 (unsigned long)__va(header->fields.pm16dseg));
36698 }
36699 +
36700 + pax_close_kernel();
36701 }
36702 diff -urNp linux-2.6.32.46/drivers/pnp/resource.c linux-2.6.32.46/drivers/pnp/resource.c
36703 --- linux-2.6.32.46/drivers/pnp/resource.c 2011-03-27 14:31:47.000000000 -0400
36704 +++ linux-2.6.32.46/drivers/pnp/resource.c 2011-04-17 15:56:46.000000000 -0400
36705 @@ -355,7 +355,7 @@ int pnp_check_irq(struct pnp_dev *dev, s
36706 return 1;
36707
36708 /* check if the resource is valid */
36709 - if (*irq < 0 || *irq > 15)
36710 + if (*irq > 15)
36711 return 0;
36712
36713 /* check if the resource is reserved */
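Review bot: Dropping `*irq < 0` is only correct if `*irq` has an unsigned type, and the declaration of `irq` is outside this hunk. If it is unsigned, the old test was dead code and the upper bound alone rejects wrapped values. If it is signed, a negative value now passes the validity check and reaches the reserved-resource lookup below. The same applies to `*dma < 0` in `pnp_check_dma` in the next hunk. A comment would pin the assumption: `/* *irq is unsigned, so only the upper bound needs checking */`. Both functions start and end outside their hunks.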
36714 @@ -419,7 +419,7 @@ int pnp_check_dma(struct pnp_dev *dev, s
36715 return 1;
36716
36717 /* check if the resource is valid */
36718 - if (*dma < 0 || *dma == 4 || *dma > 7)
36719 + if (*dma == 4 || *dma > 7)
36720 return 0;
36721
36722 /* check if the resource is reserved */
36723 diff -urNp linux-2.6.32.46/drivers/power/bq27x00_battery.c linux-2.6.32.46/drivers/power/bq27x00_battery.c
36724 --- linux-2.6.32.46/drivers/power/bq27x00_battery.c 2011-03-27 14:31:47.000000000 -0400
36725 +++ linux-2.6.32.46/drivers/power/bq27x00_battery.c 2011-08-05 20:33:55.000000000 -0400
36726 @@ -44,7 +44,7 @@ struct bq27x00_device_info;
36727 struct bq27x00_access_methods {
36728 int (*read)(u8 reg, int *rt_value, int b_single,
36729 struct bq27x00_device_info *di);
36730 -};
36731 +} __no_const;
36732
36733 struct bq27x00_device_info {
36734 struct device *dev;
36735 diff -urNp linux-2.6.32.46/drivers/rtc/rtc-dev.c linux-2.6.32.46/drivers/rtc/rtc-dev.c
36736 --- linux-2.6.32.46/drivers/rtc/rtc-dev.c 2011-03-27 14:31:47.000000000 -0400
36737 +++ linux-2.6.32.46/drivers/rtc/rtc-dev.c 2011-04-17 15:56:46.000000000 -0400
36738 @@ -14,6 +14,7 @@
36739 #include <linux/module.h>
36740 #include <linux/rtc.h>
36741 #include <linux/sched.h>
36742 +#include <linux/grsecurity.h>
36743 #include "rtc-core.h"
36744
36745 static dev_t rtc_devt;
36746 @@ -357,6 +358,8 @@ static long rtc_dev_ioctl(struct file *f
36747 if (copy_from_user(&tm, uarg, sizeof(tm)))
36748 return -EFAULT;
36749
36750 + gr_log_timechange();
36751 +
36752 return rtc_set_time(rtc, &tm);
36753
36754 case RTC_PIE_ON:
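Review bot: `gr_log_timechange()` is called before `rtc_set_time()` and the result of the set is not considered, so a request that fails is still recorded as a time change. If the intent is to log attempts, or to emit the record before the clock value moves, a comment should say so, e.g. `/* log the attempt before the RTC is updated */`. If only successful changes should be audited, keep the return value and log on success: `err = rtc_set_time(rtc, &tm); if (!err) gr_log_timechange(); return err;`. That assumes a local `err`, whose declaration is not in this hunk. The `switch` in `rtc_dev_ioctl` continues past the hunk.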
36755 diff -urNp linux-2.6.32.46/drivers/s390/cio/qdio_perf.c linux-2.6.32.46/drivers/s390/cio/qdio_perf.c
36756 --- linux-2.6.32.46/drivers/s390/cio/qdio_perf.c 2011-03-27 14:31:47.000000000 -0400
36757 +++ linux-2.6.32.46/drivers/s390/cio/qdio_perf.c 2011-04-17 15:56:46.000000000 -0400
36758 @@ -31,51 +31,51 @@ static struct proc_dir_entry *qdio_perf_
36759 static int qdio_perf_proc_show(struct seq_file *m, void *v)
36760 {
36761 seq_printf(m, "Number of qdio interrupts\t\t\t: %li\n",
36762 - (long)atomic_long_read(&perf_stats.qdio_int));
36763 + (long)atomic_long_read_unchecked(&perf_stats.qdio_int));
36764 seq_printf(m, "Number of PCI interrupts\t\t\t: %li\n",
36765 - (long)atomic_long_read(&perf_stats.pci_int));
36766 + (long)atomic_long_read_unchecked(&perf_stats.pci_int));
36767 seq_printf(m, "Number of adapter interrupts\t\t\t: %li\n",
36768 - (long)atomic_long_read(&perf_stats.thin_int));
36769 + (long)atomic_long_read_unchecked(&perf_stats.thin_int));
36770 seq_printf(m, "\n");
36771 seq_printf(m, "Inbound tasklet runs\t\t\t\t: %li\n",
36772 - (long)atomic_long_read(&perf_stats.tasklet_inbound));
36773 + (long)atomic_long_read_unchecked(&perf_stats.tasklet_inbound));
36774 seq_printf(m, "Outbound tasklet runs\t\t\t\t: %li\n",
36775 - (long)atomic_long_read(&perf_stats.tasklet_outbound));
36776 + (long)atomic_long_read_unchecked(&perf_stats.tasklet_outbound));
36777 seq_printf(m, "Adapter interrupt tasklet runs/loops\t\t: %li/%li\n",
36778 - (long)atomic_long_read(&perf_stats.tasklet_thinint),
36779 - (long)atomic_long_read(&perf_stats.tasklet_thinint_loop));
36780 + (long)atomic_long_read_unchecked(&perf_stats.tasklet_thinint),
36781 + (long)atomic_long_read_unchecked(&perf_stats.tasklet_thinint_loop));
36782 seq_printf(m, "Adapter interrupt inbound tasklet runs/loops\t: %li/%li\n",
36783 - (long)atomic_long_read(&perf_stats.thinint_inbound),
36784 - (long)atomic_long_read(&perf_stats.thinint_inbound_loop));
36785 + (long)atomic_long_read_unchecked(&perf_stats.thinint_inbound),
36786 + (long)atomic_long_read_unchecked(&perf_stats.thinint_inbound_loop));
36787 seq_printf(m, "\n");
36788 seq_printf(m, "Number of SIGA In issued\t\t\t: %li\n",
36789 - (long)atomic_long_read(&perf_stats.siga_in));
36790 + (long)atomic_long_read_unchecked(&perf_stats.siga_in));
36791 seq_printf(m, "Number of SIGA Out issued\t\t\t: %li\n",
36792 - (long)atomic_long_read(&perf_stats.siga_out));
36793 + (long)atomic_long_read_unchecked(&perf_stats.siga_out));
36794 seq_printf(m, "Number of SIGA Sync issued\t\t\t: %li\n",
36795 - (long)atomic_long_read(&perf_stats.siga_sync));
36796 + (long)atomic_long_read_unchecked(&perf_stats.siga_sync));
36797 seq_printf(m, "\n");
36798 seq_printf(m, "Number of inbound transfers\t\t\t: %li\n",
36799 - (long)atomic_long_read(&perf_stats.inbound_handler));
36800 + (long)atomic_long_read_unchecked(&perf_stats.inbound_handler));
36801 seq_printf(m, "Number of outbound transfers\t\t\t: %li\n",
36802 - (long)atomic_long_read(&perf_stats.outbound_handler));
36803 + (long)atomic_long_read_unchecked(&perf_stats.outbound_handler));
36804 seq_printf(m, "\n");
36805 seq_printf(m, "Number of fast requeues (outg. SBAL w/o SIGA)\t: %li\n",
36806 - (long)atomic_long_read(&perf_stats.fast_requeue));
36807 + (long)atomic_long_read_unchecked(&perf_stats.fast_requeue));
36808 seq_printf(m, "Number of outbound target full condition\t: %li\n",
36809 - (long)atomic_long_read(&perf_stats.outbound_target_full));
36810 + (long)atomic_long_read_unchecked(&perf_stats.outbound_target_full));
36811 seq_printf(m, "Number of outbound tasklet mod_timer calls\t: %li\n",
36812 - (long)atomic_long_read(&perf_stats.debug_tl_out_timer));
36813 + (long)atomic_long_read_unchecked(&perf_stats.debug_tl_out_timer));
36814 seq_printf(m, "Number of stop polling calls\t\t\t: %li\n",
36815 - (long)atomic_long_read(&perf_stats.debug_stop_polling));
36816 + (long)atomic_long_read_unchecked(&perf_stats.debug_stop_polling));
36817 seq_printf(m, "AI inbound tasklet loops after stop polling\t: %li\n",
36818 - (long)atomic_long_read(&perf_stats.thinint_inbound_loop2));
36819 + (long)atomic_long_read_unchecked(&perf_stats.thinint_inbound_loop2));
36820 seq_printf(m, "QEBSM EQBS total/incomplete\t\t\t: %li/%li\n",
36821 - (long)atomic_long_read(&perf_stats.debug_eqbs_all),
36822 - (long)atomic_long_read(&perf_stats.debug_eqbs_incomplete));
36823 + (long)atomic_long_read_unchecked(&perf_stats.debug_eqbs_all),
36824 + (long)atomic_long_read_unchecked(&perf_stats.debug_eqbs_incomplete));
36825 seq_printf(m, "QEBSM SQBS total/incomplete\t\t\t: %li/%li\n",
36826 - (long)atomic_long_read(&perf_stats.debug_sqbs_all),
36827 - (long)atomic_long_read(&perf_stats.debug_sqbs_incomplete));
36828 + (long)atomic_long_read_unchecked(&perf_stats.debug_sqbs_all),
36829 + (long)atomic_long_read_unchecked(&perf_stats.debug_sqbs_incomplete));
36830 seq_printf(m, "\n");
36831 return 0;
36832 }
36833 diff -urNp linux-2.6.32.46/drivers/s390/cio/qdio_perf.h linux-2.6.32.46/drivers/s390/cio/qdio_perf.h
36834 --- linux-2.6.32.46/drivers/s390/cio/qdio_perf.h 2011-03-27 14:31:47.000000000 -0400
36835 +++ linux-2.6.32.46/drivers/s390/cio/qdio_perf.h 2011-04-17 15:56:46.000000000 -0400
36836 @@ -13,46 +13,46 @@
36837
36838 struct qdio_perf_stats {
36839 /* interrupt handler calls */
36840 - atomic_long_t qdio_int;
36841 - atomic_long_t pci_int;
36842 - atomic_long_t thin_int;
36843 + atomic_long_unchecked_t qdio_int;
36844 + atomic_long_unchecked_t pci_int;
36845 + atomic_long_unchecked_t thin_int;
36846
36847 /* tasklet runs */
36848 - atomic_long_t tasklet_inbound;
36849 - atomic_long_t tasklet_outbound;
36850 - atomic_long_t tasklet_thinint;
36851 - atomic_long_t tasklet_thinint_loop;
36852 - atomic_long_t thinint_inbound;
36853 - atomic_long_t thinint_inbound_loop;
36854 - atomic_long_t thinint_inbound_loop2;
36855 + atomic_long_unchecked_t tasklet_inbound;
36856 + atomic_long_unchecked_t tasklet_outbound;
36857 + atomic_long_unchecked_t tasklet_thinint;
36858 + atomic_long_unchecked_t tasklet_thinint_loop;
36859 + atomic_long_unchecked_t thinint_inbound;
36860 + atomic_long_unchecked_t thinint_inbound_loop;
36861 + atomic_long_unchecked_t thinint_inbound_loop2;
36862
36863 /* signal adapter calls */
36864 - atomic_long_t siga_out;
36865 - atomic_long_t siga_in;
36866 - atomic_long_t siga_sync;
36867 + atomic_long_unchecked_t siga_out;
36868 + atomic_long_unchecked_t siga_in;
36869 + atomic_long_unchecked_t siga_sync;
36870
36871 /* misc */
36872 - atomic_long_t inbound_handler;
36873 - atomic_long_t outbound_handler;
36874 - atomic_long_t fast_requeue;
36875 - atomic_long_t outbound_target_full;
36876 + atomic_long_unchecked_t inbound_handler;
36877 + atomic_long_unchecked_t outbound_handler;
36878 + atomic_long_unchecked_t fast_requeue;
36879 + atomic_long_unchecked_t outbound_target_full;
36880
36881 /* for debugging */
36882 - atomic_long_t debug_tl_out_timer;
36883 - atomic_long_t debug_stop_polling;
36884 - atomic_long_t debug_eqbs_all;
36885 - atomic_long_t debug_eqbs_incomplete;
36886 - atomic_long_t debug_sqbs_all;
36887 - atomic_long_t debug_sqbs_incomplete;
36888 + atomic_long_unchecked_t debug_tl_out_timer;
36889 + atomic_long_unchecked_t debug_stop_polling;
36890 + atomic_long_unchecked_t debug_eqbs_all;
36891 + atomic_long_unchecked_t debug_eqbs_incomplete;
36892 + atomic_long_unchecked_t debug_sqbs_all;
36893 + atomic_long_unchecked_t debug_sqbs_incomplete;
36894 };
36895
36896 extern struct qdio_perf_stats perf_stats;
36897 extern int qdio_performance_stats;
36898
36899 -static inline void qdio_perf_stat_inc(atomic_long_t *count)
36900 +static inline void qdio_perf_stat_inc(atomic_long_unchecked_t *count)
36901 {
36902 if (qdio_performance_stats)
36903 - atomic_long_inc(count);
36904 + atomic_long_inc_unchecked(count);
36905 }
36906
36907 int qdio_setup_perf_stats(void);
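Review bot: Nothing in `struct qdio_perf_stats` records that these counters are now allowed to wrap, which is the whole effect of moving them to `atomic_long_unchecked_t`. A one-line comment above the struct, such as `/* statistics only: wrap is harmless, so these are exempt from atomic overflow checking */`, would stop a later maintainer from adding a reference count or a size here by copy-paste. The same comment is missing on the `stats` members of `struct fc_exch_mgr` in fc_exch.c and on `read_failures`/`write_failures` in pmcraid.h. `qdio_perf_stat_inc()` is the only writer visible in this hunk; any other users are outside it.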
36908 diff -urNp linux-2.6.32.46/drivers/scsi/aacraid/aacraid.h linux-2.6.32.46/drivers/scsi/aacraid/aacraid.h
36909 --- linux-2.6.32.46/drivers/scsi/aacraid/aacraid.h 2011-03-27 14:31:47.000000000 -0400
36910 +++ linux-2.6.32.46/drivers/scsi/aacraid/aacraid.h 2011-08-05 20:33:55.000000000 -0400
36911 @@ -471,7 +471,7 @@ struct adapter_ops
36912 int (*adapter_scsi)(struct fib * fib, struct scsi_cmnd * cmd);
36913 /* Administrative operations */
36914 int (*adapter_comm)(struct aac_dev * dev, int comm);
36915 -};
36916 +} __no_const;
36917
36918 /*
36919 * Define which interrupt handler needs to be installed
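Review bot: The `__no_const` on `struct adapter_ops` is not explained at the definition, so a reader cannot tell whether the table is filled in at run time or was left out of constification by accident. If, as the annotation suggests, the members are assigned per adapter during initialisation, say so next to it: `/* assigned at probe time per adapter type, so it cannot be made read-only */`. Every function-pointer table that stays writable is worth justifying, because it remains outside the read-only protection the rest of the patch adds. The same comment is missing on `bfa_hwif_s`, `bfa_ioc_cbfn_s`, `ips_hw_func_t` and `isp_operations`, which receive the identical annotation further down; the struct body here starts outside the hunk.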
36920 diff -urNp linux-2.6.32.46/drivers/scsi/aacraid/commctrl.c linux-2.6.32.46/drivers/scsi/aacraid/commctrl.c
36921 --- linux-2.6.32.46/drivers/scsi/aacraid/commctrl.c 2011-03-27 14:31:47.000000000 -0400
36922 +++ linux-2.6.32.46/drivers/scsi/aacraid/commctrl.c 2011-05-16 21:46:57.000000000 -0400
36923 @@ -481,6 +481,7 @@ static int aac_send_raw_srb(struct aac_d
36924 u32 actual_fibsize64, actual_fibsize = 0;
36925 int i;
36926
36927 + pax_track_stack();
36928
36929 if (dev->in_reset) {
36930 dprintk((KERN_DEBUG"aacraid: send raw srb -EBUSY\n"));
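Review bot: The added `pax_track_stack();` has no comment, and the hunk does not show which local in `aac_send_raw_srb` makes the frame large enough to need it. A short note at the call, for example `/* large on-stack locals: record stack depth for PaX stack tracking */`, would let a maintainer drop the call when the large local goes away, or add one when a new large local appears. The same bare call is added in BusLogic.c, dpt_i2o.c, eata.c, libfcoe.c, gdth.c, gdth_proc.c, lpfc_debugfs.c, megaraid_mbox.c and osd_initiator.c. Only some of those hunks show the buffer involved (`char buffer[1024]` in lpfc_debugfs.c, `cmnd[MAX_COMMAND_SIZE]` in gdth.c). The function body continues outside this hunk.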
36931 diff -urNp linux-2.6.32.46/drivers/scsi/aic94xx/aic94xx_init.c linux-2.6.32.46/drivers/scsi/aic94xx/aic94xx_init.c
36932 --- linux-2.6.32.46/drivers/scsi/aic94xx/aic94xx_init.c 2011-03-27 14:31:47.000000000 -0400
36933 +++ linux-2.6.32.46/drivers/scsi/aic94xx/aic94xx_init.c 2011-04-17 15:56:46.000000000 -0400
36934 @@ -485,7 +485,7 @@ static ssize_t asd_show_update_bios(stru
36935 flash_error_table[i].reason);
36936 }
36937
36938 -static DEVICE_ATTR(update_bios, S_IRUGO|S_IWUGO,
36939 +static DEVICE_ATTR(update_bios, S_IRUGO|S_IWUSR,
36940 asd_show_update_bios, asd_store_update_bios);
36941
36942 static int asd_create_dev_attrs(struct asd_ha_struct *asd_ha)
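Review bot: The `update_bios` attribute stays world-readable: the new mode `S_IRUGO|S_IWUSR` removes write access for group and others but leaves `asd_show_update_bios` callable by any local user. The tail of that function in this hunk formats text from `flash_error_table[i].reason`, so unprivileged users can still read the outcome of a firmware flash; if that is not intended, `S_IRUSR|S_IWUSR` closes it. Whether `asd_store_update_bios` performs its own capability check cannot be seen here, so the mode bits are the only visible gate on a BIOS update and deserve a comment saying so.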
36943 diff -urNp linux-2.6.32.46/drivers/scsi/bfa/bfa_iocfc.h linux-2.6.32.46/drivers/scsi/bfa/bfa_iocfc.h
36944 --- linux-2.6.32.46/drivers/scsi/bfa/bfa_iocfc.h 2011-03-27 14:31:47.000000000 -0400
36945 +++ linux-2.6.32.46/drivers/scsi/bfa/bfa_iocfc.h 2011-08-05 20:33:55.000000000 -0400
36946 @@ -61,7 +61,7 @@ struct bfa_hwif_s {
36947 void (*hw_isr_mode_set)(struct bfa_s *bfa, bfa_boolean_t msix);
36948 void (*hw_msix_getvecs)(struct bfa_s *bfa, u32 *vecmap,
36949 u32 *nvecs, u32 *maxvec);
36950 -};
36951 +} __no_const;
36952 typedef void (*bfa_cb_iocfc_t) (void *cbarg, enum bfa_status status);
36953
36954 struct bfa_iocfc_s {
36955 diff -urNp linux-2.6.32.46/drivers/scsi/bfa/bfa_ioc.h linux-2.6.32.46/drivers/scsi/bfa/bfa_ioc.h
36956 --- linux-2.6.32.46/drivers/scsi/bfa/bfa_ioc.h 2011-03-27 14:31:47.000000000 -0400
36957 +++ linux-2.6.32.46/drivers/scsi/bfa/bfa_ioc.h 2011-08-05 20:33:55.000000000 -0400
36958 @@ -127,7 +127,7 @@ struct bfa_ioc_cbfn_s {
36959 bfa_ioc_disable_cbfn_t disable_cbfn;
36960 bfa_ioc_hbfail_cbfn_t hbfail_cbfn;
36961 bfa_ioc_reset_cbfn_t reset_cbfn;
36962 -};
36963 +} __no_const;
36964
36965 /**
36966 * Heartbeat failure notification queue element.
36967 diff -urNp linux-2.6.32.46/drivers/scsi/BusLogic.c linux-2.6.32.46/drivers/scsi/BusLogic.c
36968 --- linux-2.6.32.46/drivers/scsi/BusLogic.c 2011-03-27 14:31:47.000000000 -0400
36969 +++ linux-2.6.32.46/drivers/scsi/BusLogic.c 2011-05-16 21:46:57.000000000 -0400
36970 @@ -961,6 +961,8 @@ static int __init BusLogic_InitializeFla
36971 static void __init BusLogic_InitializeProbeInfoList(struct BusLogic_HostAdapter
36972 *PrototypeHostAdapter)
36973 {
36974 + pax_track_stack();
36975 +
36976 /*
36977 If a PCI BIOS is present, interrogate it for MultiMaster and FlashPoint
36978 Host Adapters; otherwise, default to the standard ISA MultiMaster probe.
36979 diff -urNp linux-2.6.32.46/drivers/scsi/dpt_i2o.c linux-2.6.32.46/drivers/scsi/dpt_i2o.c
36980 --- linux-2.6.32.46/drivers/scsi/dpt_i2o.c 2011-03-27 14:31:47.000000000 -0400
36981 +++ linux-2.6.32.46/drivers/scsi/dpt_i2o.c 2011-05-16 21:46:57.000000000 -0400
36982 @@ -1804,6 +1804,8 @@ static int adpt_i2o_passthru(adpt_hba* p
36983 dma_addr_t addr;
36984 ulong flags = 0;
36985
36986 + pax_track_stack();
36987 +
36988 memset(&msg, 0, MAX_MESSAGE_SIZE*4);
36989 // get user msg size in u32s
36990 if(get_user(size, &user_msg[0])){
36991 @@ -2297,6 +2299,8 @@ static s32 adpt_scsi_to_i2o(adpt_hba* pH
36992 s32 rcode;
36993 dma_addr_t addr;
36994
36995 + pax_track_stack();
36996 +
36997 memset(msg, 0 , sizeof(msg));
36998 len = scsi_bufflen(cmd);
36999 direction = 0x00000000;
37000 diff -urNp linux-2.6.32.46/drivers/scsi/eata.c linux-2.6.32.46/drivers/scsi/eata.c
37001 --- linux-2.6.32.46/drivers/scsi/eata.c 2011-03-27 14:31:47.000000000 -0400
37002 +++ linux-2.6.32.46/drivers/scsi/eata.c 2011-05-16 21:46:57.000000000 -0400
37003 @@ -1087,6 +1087,8 @@ static int port_detect(unsigned long por
37004 struct hostdata *ha;
37005 char name[16];
37006
37007 + pax_track_stack();
37008 +
37009 sprintf(name, "%s%d", driver_name, j);
37010
37011 if (!request_region(port_base, REGION_SIZE, driver_name)) {
37012 diff -urNp linux-2.6.32.46/drivers/scsi/fcoe/libfcoe.c linux-2.6.32.46/drivers/scsi/fcoe/libfcoe.c
37013 --- linux-2.6.32.46/drivers/scsi/fcoe/libfcoe.c 2011-03-27 14:31:47.000000000 -0400
37014 +++ linux-2.6.32.46/drivers/scsi/fcoe/libfcoe.c 2011-05-16 21:46:57.000000000 -0400
37015 @@ -809,6 +809,8 @@ static void fcoe_ctlr_recv_els(struct fc
37016 size_t rlen;
37017 size_t dlen;
37018
37019 + pax_track_stack();
37020 +
37021 fiph = (struct fip_header *)skb->data;
37022 sub = fiph->fip_subcode;
37023 if (sub != FIP_SC_REQ && sub != FIP_SC_REP)
37024 diff -urNp linux-2.6.32.46/drivers/scsi/fnic/fnic_main.c linux-2.6.32.46/drivers/scsi/fnic/fnic_main.c
37025 --- linux-2.6.32.46/drivers/scsi/fnic/fnic_main.c 2011-03-27 14:31:47.000000000 -0400
37026 +++ linux-2.6.32.46/drivers/scsi/fnic/fnic_main.c 2011-08-05 20:33:55.000000000 -0400
37027 @@ -669,7 +669,7 @@ static int __devinit fnic_probe(struct p
37028 /* Start local port initiatialization */
37029
37030 lp->link_up = 0;
37031 - lp->tt = fnic_transport_template;
37032 + memcpy((void *)&lp->tt, &fnic_transport_template, sizeof(fnic_transport_template));
37033
37034 lp->max_retry_count = fnic->config.flogi_retries;
37035 lp->max_rport_retry_count = fnic->config.plogi_retries;
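Review bot: The `memcpy` into `lp->tt` takes its length from the source, `sizeof(fnic_transport_template)`, and the `(void *)` cast removes any type check on the destination. A later type change on either side would therefore become a silent overrun or a short copy instead of a compile error. Sizing by the destination and asserting equality keeps the old guarantee: `BUILD_BUG_ON(sizeof(lp->tt) != sizeof(fnic_transport_template));` followed by `memcpy((void *)&lp->tt, &fnic_transport_template, sizeof(lp->tt));`. A comment that the cast exists to write through a member that is presumably const-qualified after constification would also help; fnic_probe continues outside the hunk.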
37036 diff -urNp linux-2.6.32.46/drivers/scsi/gdth.c linux-2.6.32.46/drivers/scsi/gdth.c
37037 --- linux-2.6.32.46/drivers/scsi/gdth.c 2011-03-27 14:31:47.000000000 -0400
37038 +++ linux-2.6.32.46/drivers/scsi/gdth.c 2011-05-16 21:46:57.000000000 -0400
37039 @@ -4102,6 +4102,8 @@ static int ioc_lockdrv(void __user *arg)
37040 ulong flags;
37041 gdth_ha_str *ha;
37042
37043 + pax_track_stack();
37044 +
37045 if (copy_from_user(&ldrv, arg, sizeof(gdth_ioctl_lockdrv)))
37046 return -EFAULT;
37047 ha = gdth_find_ha(ldrv.ionode);
37048 @@ -4134,6 +4136,8 @@ static int ioc_resetdrv(void __user *arg
37049 gdth_ha_str *ha;
37050 int rval;
37051
37052 + pax_track_stack();
37053 +
37054 if (copy_from_user(&res, arg, sizeof(gdth_ioctl_reset)) ||
37055 res.number >= MAX_HDRIVES)
37056 return -EFAULT;
37057 @@ -4169,6 +4173,8 @@ static int ioc_general(void __user *arg,
37058 gdth_ha_str *ha;
37059 int rval;
37060
37061 + pax_track_stack();
37062 +
37063 if (copy_from_user(&gen, arg, sizeof(gdth_ioctl_general)))
37064 return -EFAULT;
37065 ha = gdth_find_ha(gen.ionode);
37066 @@ -4625,6 +4631,9 @@ static void gdth_flush(gdth_ha_str *ha)
37067 int i;
37068 gdth_cmd_str gdtcmd;
37069 char cmnd[MAX_COMMAND_SIZE];
37070 +
37071 + pax_track_stack();
37072 +
37073 memset(cmnd, 0xff, MAX_COMMAND_SIZE);
37074
37075 TRACE2(("gdth_flush() hanum %d\n", ha->hanum));
37076 diff -urNp linux-2.6.32.46/drivers/scsi/gdth_proc.c linux-2.6.32.46/drivers/scsi/gdth_proc.c
37077 --- linux-2.6.32.46/drivers/scsi/gdth_proc.c 2011-03-27 14:31:47.000000000 -0400
37078 +++ linux-2.6.32.46/drivers/scsi/gdth_proc.c 2011-05-16 21:46:57.000000000 -0400
37079 @@ -46,6 +46,9 @@ static int gdth_set_asc_info(struct Scsi
37080 ulong64 paddr;
37081
37082 char cmnd[MAX_COMMAND_SIZE];
37083 +
37084 + pax_track_stack();
37085 +
37086 memset(cmnd, 0xff, 12);
37087 memset(&gdtcmd, 0, sizeof(gdth_cmd_str));
37088
37089 @@ -174,6 +177,8 @@ static int gdth_get_info(char *buffer,ch
37090 gdth_hget_str *phg;
37091 char cmnd[MAX_COMMAND_SIZE];
37092
37093 + pax_track_stack();
37094 +
37095 gdtcmd = kmalloc(sizeof(*gdtcmd), GFP_KERNEL);
37096 estr = kmalloc(sizeof(*estr), GFP_KERNEL);
37097 if (!gdtcmd || !estr)
37098 diff -urNp linux-2.6.32.46/drivers/scsi/hosts.c linux-2.6.32.46/drivers/scsi/hosts.c
37099 --- linux-2.6.32.46/drivers/scsi/hosts.c 2011-03-27 14:31:47.000000000 -0400
37100 +++ linux-2.6.32.46/drivers/scsi/hosts.c 2011-05-04 17:56:28.000000000 -0400
37101 @@ -40,7 +40,7 @@
37102 #include "scsi_logging.h"
37103
37104
37105 -static atomic_t scsi_host_next_hn; /* host_no for next new host */
37106 +static atomic_unchecked_t scsi_host_next_hn; /* host_no for next new host */
37107
37108
37109 static void scsi_host_cls_release(struct device *dev)
37110 @@ -344,7 +344,7 @@ struct Scsi_Host *scsi_host_alloc(struct
37111 * subtract one because we increment first then return, but we need to
37112 * know what the next host number was before increment
37113 */
37114 - shost->host_no = atomic_inc_return(&scsi_host_next_hn) - 1;
37115 + shost->host_no = atomic_inc_return_unchecked(&scsi_host_next_hn) - 1;
37116 shost->dma_channel = 0xff;
37117
37118 /* These three are default values which can be overridden */
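Review bot: `scsi_host_next_hn` is an identifier allocator rather than a statistic, so with `atomic_inc_return_unchecked()` a wrap could silently repeat a `host_no` instead of being caught by the overflow check. That may well be acceptable, since it takes a full counter cycle of host allocations, but the reasoning belongs at the declaration in the first hunk of this file, e.g. `/* host_no for next new host; wrap is tolerated, this is not a reference count */`. scsi_host_alloc starts and ends outside this hunk, so any later uniqueness check on `host_no` is not visible here.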
37119 diff -urNp linux-2.6.32.46/drivers/scsi/ipr.c linux-2.6.32.46/drivers/scsi/ipr.c
37120 --- linux-2.6.32.46/drivers/scsi/ipr.c 2011-03-27 14:31:47.000000000 -0400
37121 +++ linux-2.6.32.46/drivers/scsi/ipr.c 2011-04-17 15:56:46.000000000 -0400
37122 @@ -5286,7 +5286,7 @@ static bool ipr_qc_fill_rtf(struct ata_q
37123 return true;
37124 }
37125
37126 -static struct ata_port_operations ipr_sata_ops = {
37127 +static const struct ata_port_operations ipr_sata_ops = {
37128 .phy_reset = ipr_ata_phy_reset,
37129 .hardreset = ipr_sata_reset,
37130 .post_internal_cmd = ipr_ata_post_internal,
37131 diff -urNp linux-2.6.32.46/drivers/scsi/ips.h linux-2.6.32.46/drivers/scsi/ips.h
37132 --- linux-2.6.32.46/drivers/scsi/ips.h 2011-03-27 14:31:47.000000000 -0400
37133 +++ linux-2.6.32.46/drivers/scsi/ips.h 2011-08-05 20:33:55.000000000 -0400
37134 @@ -1027,7 +1027,7 @@ typedef struct {
37135 int (*intr)(struct ips_ha *);
37136 void (*enableint)(struct ips_ha *);
37137 uint32_t (*statupd)(struct ips_ha *);
37138 -} ips_hw_func_t;
37139 +} __no_const ips_hw_func_t;
37140
37141 typedef struct ips_ha {
37142 uint8_t ha_id[IPS_MAX_CHANNELS+1];
37143 diff -urNp linux-2.6.32.46/drivers/scsi/libfc/fc_exch.c linux-2.6.32.46/drivers/scsi/libfc/fc_exch.c
37144 --- linux-2.6.32.46/drivers/scsi/libfc/fc_exch.c 2011-03-27 14:31:47.000000000 -0400
37145 +++ linux-2.6.32.46/drivers/scsi/libfc/fc_exch.c 2011-08-23 21:22:32.000000000 -0400
37146 @@ -86,12 +86,12 @@ struct fc_exch_mgr {
37147 * all together if not used XXX
37148 */
37149 struct {
37150 - atomic_t no_free_exch;
37151 - atomic_t no_free_exch_xid;
37152 - atomic_t xid_not_found;
37153 - atomic_t xid_busy;
37154 - atomic_t seq_not_found;
37155 - atomic_t non_bls_resp;
37156 + atomic_unchecked_t no_free_exch;
37157 + atomic_unchecked_t no_free_exch_xid;
37158 + atomic_unchecked_t xid_not_found;
37159 + atomic_unchecked_t xid_busy;
37160 + atomic_unchecked_t seq_not_found;
37161 + atomic_unchecked_t non_bls_resp;
37162 } stats;
37163 };
37164 #define fc_seq_exch(sp) container_of(sp, struct fc_exch, seq)
37165 @@ -510,7 +510,7 @@ static struct fc_exch *fc_exch_em_alloc(
37166 /* allocate memory for exchange */
37167 ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
37168 if (!ep) {
37169 - atomic_inc(&mp->stats.no_free_exch);
37170 + atomic_inc_unchecked(&mp->stats.no_free_exch);
37171 goto out;
37172 }
37173 memset(ep, 0, sizeof(*ep));
37174 @@ -557,7 +557,7 @@ out:
37175 return ep;
37176 err:
37177 spin_unlock_bh(&pool->lock);
37178 - atomic_inc(&mp->stats.no_free_exch_xid);
37179 + atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
37180 mempool_free(ep, mp->ep_pool);
37181 return NULL;
37182 }
37183 @@ -690,7 +690,7 @@ static enum fc_pf_rjt_reason fc_seq_look
37184 xid = ntohs(fh->fh_ox_id); /* we originated exch */
37185 ep = fc_exch_find(mp, xid);
37186 if (!ep) {
37187 - atomic_inc(&mp->stats.xid_not_found);
37188 + atomic_inc_unchecked(&mp->stats.xid_not_found);
37189 reject = FC_RJT_OX_ID;
37190 goto out;
37191 }
37192 @@ -720,7 +720,7 @@ static enum fc_pf_rjt_reason fc_seq_look
37193 ep = fc_exch_find(mp, xid);
37194 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
37195 if (ep) {
37196 - atomic_inc(&mp->stats.xid_busy);
37197 + atomic_inc_unchecked(&mp->stats.xid_busy);
37198 reject = FC_RJT_RX_ID;
37199 goto rel;
37200 }
37201 @@ -731,7 +731,7 @@ static enum fc_pf_rjt_reason fc_seq_look
37202 }
37203 xid = ep->xid; /* get our XID */
37204 } else if (!ep) {
37205 - atomic_inc(&mp->stats.xid_not_found);
37206 + atomic_inc_unchecked(&mp->stats.xid_not_found);
37207 reject = FC_RJT_RX_ID; /* XID not found */
37208 goto out;
37209 }
37210 @@ -752,7 +752,7 @@ static enum fc_pf_rjt_reason fc_seq_look
37211 } else {
37212 sp = &ep->seq;
37213 if (sp->id != fh->fh_seq_id) {
37214 - atomic_inc(&mp->stats.seq_not_found);
37215 + atomic_inc_unchecked(&mp->stats.seq_not_found);
37216 reject = FC_RJT_SEQ_ID; /* sequence/exch should exist */
37217 goto rel;
37218 }
37219 @@ -1163,22 +1163,22 @@ static void fc_exch_recv_seq_resp(struct
37220
37221 ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
37222 if (!ep) {
37223 - atomic_inc(&mp->stats.xid_not_found);
37224 + atomic_inc_unchecked(&mp->stats.xid_not_found);
37225 goto out;
37226 }
37227 if (ep->esb_stat & ESB_ST_COMPLETE) {
37228 - atomic_inc(&mp->stats.xid_not_found);
37229 + atomic_inc_unchecked(&mp->stats.xid_not_found);
37230 goto out;
37231 }
37232 if (ep->rxid == FC_XID_UNKNOWN)
37233 ep->rxid = ntohs(fh->fh_rx_id);
37234 if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
37235 - atomic_inc(&mp->stats.xid_not_found);
37236 + atomic_inc_unchecked(&mp->stats.xid_not_found);
37237 goto rel;
37238 }
37239 if (ep->did != ntoh24(fh->fh_s_id) &&
37240 ep->did != FC_FID_FLOGI) {
37241 - atomic_inc(&mp->stats.xid_not_found);
37242 + atomic_inc_unchecked(&mp->stats.xid_not_found);
37243 goto rel;
37244 }
37245 sof = fr_sof(fp);
37246 @@ -1189,7 +1189,7 @@ static void fc_exch_recv_seq_resp(struct
37247 } else {
37248 sp = &ep->seq;
37249 if (sp->id != fh->fh_seq_id) {
37250 - atomic_inc(&mp->stats.seq_not_found);
37251 + atomic_inc_unchecked(&mp->stats.seq_not_found);
37252 goto rel;
37253 }
37254 }
37255 @@ -1249,9 +1249,9 @@ static void fc_exch_recv_resp(struct fc_
37256 sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
37257
37258 if (!sp)
37259 - atomic_inc(&mp->stats.xid_not_found);
37260 + atomic_inc_unchecked(&mp->stats.xid_not_found);
37261 else
37262 - atomic_inc(&mp->stats.non_bls_resp);
37263 + atomic_inc_unchecked(&mp->stats.non_bls_resp);
37264
37265 fc_frame_free(fp);
37266 }
37267 diff -urNp linux-2.6.32.46/drivers/scsi/libsas/sas_ata.c linux-2.6.32.46/drivers/scsi/libsas/sas_ata.c
37268 --- linux-2.6.32.46/drivers/scsi/libsas/sas_ata.c 2011-03-27 14:31:47.000000000 -0400
37269 +++ linux-2.6.32.46/drivers/scsi/libsas/sas_ata.c 2011-04-23 12:56:11.000000000 -0400
37270 @@ -343,7 +343,7 @@ static int sas_ata_scr_read(struct ata_l
37271 }
37272 }
37273
37274 -static struct ata_port_operations sas_sata_ops = {
37275 +static const struct ata_port_operations sas_sata_ops = {
37276 .phy_reset = sas_ata_phy_reset,
37277 .post_internal_cmd = sas_ata_post_internal,
37278 .qc_defer = ata_std_qc_defer,
37279 diff -urNp linux-2.6.32.46/drivers/scsi/lpfc/lpfc_debugfs.c linux-2.6.32.46/drivers/scsi/lpfc/lpfc_debugfs.c
37280 --- linux-2.6.32.46/drivers/scsi/lpfc/lpfc_debugfs.c 2011-03-27 14:31:47.000000000 -0400
37281 +++ linux-2.6.32.46/drivers/scsi/lpfc/lpfc_debugfs.c 2011-05-16 21:46:57.000000000 -0400
37282 @@ -124,7 +124,7 @@ struct lpfc_debug {
37283 int len;
37284 };
37285
37286 -static atomic_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
37287 +static atomic_unchecked_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
37288 static unsigned long lpfc_debugfs_start_time = 0L;
37289
37290 /**
37291 @@ -158,7 +158,7 @@ lpfc_debugfs_disc_trc_data(struct lpfc_v
37292 lpfc_debugfs_enable = 0;
37293
37294 len = 0;
37295 - index = (atomic_read(&vport->disc_trc_cnt) + 1) &
37296 + index = (atomic_read_unchecked(&vport->disc_trc_cnt) + 1) &
37297 (lpfc_debugfs_max_disc_trc - 1);
37298 for (i = index; i < lpfc_debugfs_max_disc_trc; i++) {
37299 dtp = vport->disc_trc + i;
37300 @@ -219,7 +219,7 @@ lpfc_debugfs_slow_ring_trc_data(struct l
37301 lpfc_debugfs_enable = 0;
37302
37303 len = 0;
37304 - index = (atomic_read(&phba->slow_ring_trc_cnt) + 1) &
37305 + index = (atomic_read_unchecked(&phba->slow_ring_trc_cnt) + 1) &
37306 (lpfc_debugfs_max_slow_ring_trc - 1);
37307 for (i = index; i < lpfc_debugfs_max_slow_ring_trc; i++) {
37308 dtp = phba->slow_ring_trc + i;
37309 @@ -397,6 +397,8 @@ lpfc_debugfs_dumpHBASlim_data(struct lpf
37310 uint32_t *ptr;
37311 char buffer[1024];
37312
37313 + pax_track_stack();
37314 +
37315 off = 0;
37316 spin_lock_irq(&phba->hbalock);
37317
37318 @@ -634,14 +636,14 @@ lpfc_debugfs_disc_trc(struct lpfc_vport
37319 !vport || !vport->disc_trc)
37320 return;
37321
37322 - index = atomic_inc_return(&vport->disc_trc_cnt) &
37323 + index = atomic_inc_return_unchecked(&vport->disc_trc_cnt) &
37324 (lpfc_debugfs_max_disc_trc - 1);
37325 dtp = vport->disc_trc + index;
37326 dtp->fmt = fmt;
37327 dtp->data1 = data1;
37328 dtp->data2 = data2;
37329 dtp->data3 = data3;
37330 - dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
37331 + dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
37332 dtp->jif = jiffies;
37333 #endif
37334 return;
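Review bot: `disc_trc_cnt` is used as a ring-buffer position, not only as a statistic: the value from `atomic_inc_return_unchecked()` is masked with `lpfc_debugfs_max_disc_trc - 1` and added to `vport->disc_trc`. With overflow checking removed, the mask is the only thing that keeps `index` inside the buffer, and it does so only if `lpfc_debugfs_max_disc_trc` is a power of two, which this hunk does not establish. A comment at the mask, `/* max_disc_trc must be a power of two; the mask bounds index even after the counter wraps */`, would record that dependency. The same pattern appears in the `slow_ring_trc_cnt` hunk that follows and in the two `atomic_read_unchecked()` hunks earlier in this file.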
37335 @@ -672,14 +674,14 @@ lpfc_debugfs_slow_ring_trc(struct lpfc_h
37336 !phba || !phba->slow_ring_trc)
37337 return;
37338
37339 - index = atomic_inc_return(&phba->slow_ring_trc_cnt) &
37340 + index = atomic_inc_return_unchecked(&phba->slow_ring_trc_cnt) &
37341 (lpfc_debugfs_max_slow_ring_trc - 1);
37342 dtp = phba->slow_ring_trc + index;
37343 dtp->fmt = fmt;
37344 dtp->data1 = data1;
37345 dtp->data2 = data2;
37346 dtp->data3 = data3;
37347 - dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
37348 + dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
37349 dtp->jif = jiffies;
37350 #endif
37351 return;
37352 @@ -1364,7 +1366,7 @@ lpfc_debugfs_initialize(struct lpfc_vpor
37353 "slow_ring buffer\n");
37354 goto debug_failed;
37355 }
37356 - atomic_set(&phba->slow_ring_trc_cnt, 0);
37357 + atomic_set_unchecked(&phba->slow_ring_trc_cnt, 0);
37358 memset(phba->slow_ring_trc, 0,
37359 (sizeof(struct lpfc_debugfs_trc) *
37360 lpfc_debugfs_max_slow_ring_trc));
37361 @@ -1410,7 +1412,7 @@ lpfc_debugfs_initialize(struct lpfc_vpor
37362 "buffer\n");
37363 goto debug_failed;
37364 }
37365 - atomic_set(&vport->disc_trc_cnt, 0);
37366 + atomic_set_unchecked(&vport->disc_trc_cnt, 0);
37367
37368 snprintf(name, sizeof(name), "discovery_trace");
37369 vport->debug_disc_trc =
37370 diff -urNp linux-2.6.32.46/drivers/scsi/lpfc/lpfc.h linux-2.6.32.46/drivers/scsi/lpfc/lpfc.h
37371 --- linux-2.6.32.46/drivers/scsi/lpfc/lpfc.h 2011-03-27 14:31:47.000000000 -0400
37372 +++ linux-2.6.32.46/drivers/scsi/lpfc/lpfc.h 2011-05-04 17:56:28.000000000 -0400
37373 @@ -400,7 +400,7 @@ struct lpfc_vport {
37374 struct dentry *debug_nodelist;
37375 struct dentry *vport_debugfs_root;
37376 struct lpfc_debugfs_trc *disc_trc;
37377 - atomic_t disc_trc_cnt;
37378 + atomic_unchecked_t disc_trc_cnt;
37379 #endif
37380 uint8_t stat_data_enabled;
37381 uint8_t stat_data_blocked;
37382 @@ -725,8 +725,8 @@ struct lpfc_hba {
37383 struct timer_list fabric_block_timer;
37384 unsigned long bit_flags;
37385 #define FABRIC_COMANDS_BLOCKED 0
37386 - atomic_t num_rsrc_err;
37387 - atomic_t num_cmd_success;
37388 + atomic_unchecked_t num_rsrc_err;
37389 + atomic_unchecked_t num_cmd_success;
37390 unsigned long last_rsrc_error_time;
37391 unsigned long last_ramp_down_time;
37392 unsigned long last_ramp_up_time;
37393 @@ -740,7 +740,7 @@ struct lpfc_hba {
37394 struct dentry *debug_dumpDif; /* BlockGuard BPL*/
37395 struct dentry *debug_slow_ring_trc;
37396 struct lpfc_debugfs_trc *slow_ring_trc;
37397 - atomic_t slow_ring_trc_cnt;
37398 + atomic_unchecked_t slow_ring_trc_cnt;
37399 #endif
37400
37401 /* Used for deferred freeing of ELS data buffers */
37402 diff -urNp linux-2.6.32.46/drivers/scsi/lpfc/lpfc_init.c linux-2.6.32.46/drivers/scsi/lpfc/lpfc_init.c
37403 --- linux-2.6.32.46/drivers/scsi/lpfc/lpfc_init.c 2011-03-27 14:31:47.000000000 -0400
37404 +++ linux-2.6.32.46/drivers/scsi/lpfc/lpfc_init.c 2011-08-05 20:33:55.000000000 -0400
37405 @@ -8021,8 +8021,10 @@ lpfc_init(void)
37406 printk(LPFC_COPYRIGHT "\n");
37407
37408 if (lpfc_enable_npiv) {
37409 - lpfc_transport_functions.vport_create = lpfc_vport_create;
37410 - lpfc_transport_functions.vport_delete = lpfc_vport_delete;
37411 + pax_open_kernel();
37412 + *(void **)&lpfc_transport_functions.vport_create = lpfc_vport_create;
37413 + *(void **)&lpfc_transport_functions.vport_delete = lpfc_vport_delete;
37414 + pax_close_kernel();
37415 }
37416 lpfc_transport_template =
37417 fc_attach_transport(&lpfc_transport_functions);
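Review bot: The `*(void **)&` casts on `vport_create` and `vport_delete` discard the function-pointer type, so the compiler no longer checks that `lpfc_vport_create` and `lpfc_vport_delete` match the members they are stored in. The construct is also unexplained; a comment above `pax_open_kernel();` such as `/* lpfc_transport_functions is read-only once constified: set the NPIV hooks inside the open-kernel window */` would do. Keep the window limited to exactly these two stores, as it is now, so no other code runs with kernel write protection lifted. lpfc_init continues outside the hunk.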
37418 diff -urNp linux-2.6.32.46/drivers/scsi/lpfc/lpfc_scsi.c linux-2.6.32.46/drivers/scsi/lpfc/lpfc_scsi.c
37419 --- linux-2.6.32.46/drivers/scsi/lpfc/lpfc_scsi.c 2011-03-27 14:31:47.000000000 -0400
37420 +++ linux-2.6.32.46/drivers/scsi/lpfc/lpfc_scsi.c 2011-05-04 17:56:28.000000000 -0400
37421 @@ -259,7 +259,7 @@ lpfc_rampdown_queue_depth(struct lpfc_hb
37422 uint32_t evt_posted;
37423
37424 spin_lock_irqsave(&phba->hbalock, flags);
37425 - atomic_inc(&phba->num_rsrc_err);
37426 + atomic_inc_unchecked(&phba->num_rsrc_err);
37427 phba->last_rsrc_error_time = jiffies;
37428
37429 if ((phba->last_ramp_down_time + QUEUE_RAMP_DOWN_INTERVAL) > jiffies) {
37430 @@ -300,7 +300,7 @@ lpfc_rampup_queue_depth(struct lpfc_vpor
37431 unsigned long flags;
37432 struct lpfc_hba *phba = vport->phba;
37433 uint32_t evt_posted;
37434 - atomic_inc(&phba->num_cmd_success);
37435 + atomic_inc_unchecked(&phba->num_cmd_success);
37436
37437 if (vport->cfg_lun_queue_depth <= queue_depth)
37438 return;
37439 @@ -343,8 +343,8 @@ lpfc_ramp_down_queue_handler(struct lpfc
37440 int i;
37441 struct lpfc_rport_data *rdata;
37442
37443 - num_rsrc_err = atomic_read(&phba->num_rsrc_err);
37444 - num_cmd_success = atomic_read(&phba->num_cmd_success);
37445 + num_rsrc_err = atomic_read_unchecked(&phba->num_rsrc_err);
37446 + num_cmd_success = atomic_read_unchecked(&phba->num_cmd_success);
37447
37448 vports = lpfc_create_vport_work_array(phba);
37449 if (vports != NULL)
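Review bot: `num_rsrc_err` and `num_cmd_success` are read back into locals here, which suggests they feed the queue-depth ramp logic rather than serving as display-only statistics; what the handler does with the values lies outside the hunk. If they do feed it, the fields in lpfc.h deserve a comment stating why a wrap is harmless, e.g. `/* cleared by the ramp handlers; wrap tolerated */`. The later hunks show both being cleared with `atomic_set_unchecked(..., 0)` at the end of the ramp-down and ramp-up handlers. Without that comment the next reader cannot tell these apart from counters converted only because they are statistics.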
37450 @@ -378,8 +378,8 @@ lpfc_ramp_down_queue_handler(struct lpfc
37451 }
37452 }
37453 lpfc_destroy_vport_work_array(phba, vports);
37454 - atomic_set(&phba->num_rsrc_err, 0);
37455 - atomic_set(&phba->num_cmd_success, 0);
37456 + atomic_set_unchecked(&phba->num_rsrc_err, 0);
37457 + atomic_set_unchecked(&phba->num_cmd_success, 0);
37458 }
37459
37460 /**
37461 @@ -427,8 +427,8 @@ lpfc_ramp_up_queue_handler(struct lpfc_h
37462 }
37463 }
37464 lpfc_destroy_vport_work_array(phba, vports);
37465 - atomic_set(&phba->num_rsrc_err, 0);
37466 - atomic_set(&phba->num_cmd_success, 0);
37467 + atomic_set_unchecked(&phba->num_rsrc_err, 0);
37468 + atomic_set_unchecked(&phba->num_cmd_success, 0);
37469 }
37470
37471 /**
37472 diff -urNp linux-2.6.32.46/drivers/scsi/megaraid/megaraid_mbox.c linux-2.6.32.46/drivers/scsi/megaraid/megaraid_mbox.c
37473 --- linux-2.6.32.46/drivers/scsi/megaraid/megaraid_mbox.c 2011-03-27 14:31:47.000000000 -0400
37474 +++ linux-2.6.32.46/drivers/scsi/megaraid/megaraid_mbox.c 2011-05-16 21:46:57.000000000 -0400
37475 @@ -3503,6 +3503,8 @@ megaraid_cmm_register(adapter_t *adapter
37476 int rval;
37477 int i;
37478
37479 + pax_track_stack();
37480 +
37481 // Allocate memory for the base list of scb for management module.
37482 adapter->uscb_list = kcalloc(MBOX_MAX_USER_CMDS, sizeof(scb_t), GFP_KERNEL);
37483
37484 diff -urNp linux-2.6.32.46/drivers/scsi/osd/osd_initiator.c linux-2.6.32.46/drivers/scsi/osd/osd_initiator.c
37485 --- linux-2.6.32.46/drivers/scsi/osd/osd_initiator.c 2011-03-27 14:31:47.000000000 -0400
37486 +++ linux-2.6.32.46/drivers/scsi/osd/osd_initiator.c 2011-05-16 21:46:57.000000000 -0400
37487 @@ -94,6 +94,8 @@ static int _osd_print_system_info(struct
37488 int nelem = ARRAY_SIZE(get_attrs), a = 0;
37489 int ret;
37490
37491 + pax_track_stack();
37492 +
37493 or = osd_start_request(od, GFP_KERNEL);
37494 if (!or)
37495 return -ENOMEM;
37496 diff -urNp linux-2.6.32.46/drivers/scsi/pmcraid.c linux-2.6.32.46/drivers/scsi/pmcraid.c
37497 --- linux-2.6.32.46/drivers/scsi/pmcraid.c 2011-08-09 18:35:29.000000000 -0400
37498 +++ linux-2.6.32.46/drivers/scsi/pmcraid.c 2011-08-09 18:33:59.000000000 -0400
37499 @@ -189,8 +189,8 @@ static int pmcraid_slave_alloc(struct sc
37500 res->scsi_dev = scsi_dev;
37501 scsi_dev->hostdata = res;
37502 res->change_detected = 0;
37503 - atomic_set(&res->read_failures, 0);
37504 - atomic_set(&res->write_failures, 0);
37505 + atomic_set_unchecked(&res->read_failures, 0);
37506 + atomic_set_unchecked(&res->write_failures, 0);
37507 rc = 0;
37508 }
37509 spin_unlock_irqrestore(&pinstance->resource_lock, lock_flags);
37510 @@ -2396,9 +2396,9 @@ static int pmcraid_error_handler(struct
37511
37512 /* If this was a SCSI read/write command keep count of errors */
37513 if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_READ_CMD)
37514 - atomic_inc(&res->read_failures);
37515 + atomic_inc_unchecked(&res->read_failures);
37516 else if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_WRITE_CMD)
37517 - atomic_inc(&res->write_failures);
37518 + atomic_inc_unchecked(&res->write_failures);
37519
37520 if (!RES_IS_GSCSI(res->cfg_entry) &&
37521 masked_ioasc != PMCRAID_IOASC_HW_DEVICE_BUS_STATUS_ERROR) {
37522 @@ -4116,7 +4116,7 @@ static void pmcraid_worker_function(stru
37523
37524 pinstance = container_of(workp, struct pmcraid_instance, worker_q);
37525 /* add resources only after host is added into system */
37526 - if (!atomic_read(&pinstance->expose_resources))
37527 + if (!atomic_read_unchecked(&pinstance->expose_resources))
37528 return;
37529
37530 spin_lock_irqsave(&pinstance->resource_lock, lock_flags);
37531 @@ -4850,7 +4850,7 @@ static int __devinit pmcraid_init_instan
37532 init_waitqueue_head(&pinstance->reset_wait_q);
37533
37534 atomic_set(&pinstance->outstanding_cmds, 0);
37535 - atomic_set(&pinstance->expose_resources, 0);
37536 + atomic_set_unchecked(&pinstance->expose_resources, 0);
37537
37538 INIT_LIST_HEAD(&pinstance->free_res_q);
37539 INIT_LIST_HEAD(&pinstance->used_res_q);
37540 @@ -5502,7 +5502,7 @@ static int __devinit pmcraid_probe(
37541 /* Schedule worker thread to handle CCN and take care of adding and
37542 * removing devices to OS
37543 */
37544 - atomic_set(&pinstance->expose_resources, 1);
37545 + atomic_set_unchecked(&pinstance->expose_resources, 1);
37546 schedule_work(&pinstance->worker_q);
37547 return rc;
37548
37549 diff -urNp linux-2.6.32.46/drivers/scsi/pmcraid.h linux-2.6.32.46/drivers/scsi/pmcraid.h
37550 --- linux-2.6.32.46/drivers/scsi/pmcraid.h 2011-03-27 14:31:47.000000000 -0400
37551 +++ linux-2.6.32.46/drivers/scsi/pmcraid.h 2011-05-04 17:56:28.000000000 -0400
37552 @@ -690,7 +690,7 @@ struct pmcraid_instance {
37553 atomic_t outstanding_cmds;
37554
37555 /* should add/delete resources to mid-layer now ?*/
37556 - atomic_t expose_resources;
37557 + atomic_unchecked_t expose_resources;
37558
37559 /* Tasklet to handle deferred processing */
37560 struct tasklet_struct isr_tasklet[PMCRAID_NUM_MSIX_VECTORS];
37561 @@ -727,8 +727,8 @@ struct pmcraid_resource_entry {
37562 struct list_head queue; /* link to "to be exposed" resources */
37563 struct pmcraid_config_table_entry cfg_entry;
37564 struct scsi_device *scsi_dev; /* Link scsi_device structure */
37565 - atomic_t read_failures; /* count of failed READ commands */
37566 - atomic_t write_failures; /* count of failed WRITE commands */
37567 + atomic_unchecked_t read_failures; /* count of failed READ commands */
37568 + atomic_unchecked_t write_failures; /* count of failed WRITE commands */
37569
37570 /* To indicate add/delete/modify during CCN */
37571 u8 change_detected;
37572 diff -urNp linux-2.6.32.46/drivers/scsi/qla2xxx/qla_def.h linux-2.6.32.46/drivers/scsi/qla2xxx/qla_def.h
37573 --- linux-2.6.32.46/drivers/scsi/qla2xxx/qla_def.h 2011-03-27 14:31:47.000000000 -0400
37574 +++ linux-2.6.32.46/drivers/scsi/qla2xxx/qla_def.h 2011-08-05 20:33:55.000000000 -0400
37575 @@ -2089,7 +2089,7 @@ struct isp_operations {
37576
37577 int (*get_flash_version) (struct scsi_qla_host *, void *);
37578 int (*start_scsi) (srb_t *);
37579 -};
37580 +} __no_const;
37581
37582 /* MSI-X Support *************************************************************/
37583
37584 diff -urNp linux-2.6.32.46/drivers/scsi/qla4xxx/ql4_def.h linux-2.6.32.46/drivers/scsi/qla4xxx/ql4_def.h
37585 --- linux-2.6.32.46/drivers/scsi/qla4xxx/ql4_def.h 2011-03-27 14:31:47.000000000 -0400
37586 +++ linux-2.6.32.46/drivers/scsi/qla4xxx/ql4_def.h 2011-05-04 17:56:28.000000000 -0400
37587 @@ -240,7 +240,7 @@ struct ddb_entry {
37588 atomic_t retry_relogin_timer; /* Min Time between relogins
37589 * (4000 only) */
37590 atomic_t relogin_timer; /* Max Time to wait for relogin to complete */
37591 - atomic_t relogin_retry_count; /* Num of times relogin has been
37592 + atomic_unchecked_t relogin_retry_count; /* Num of times relogin has been
37593 * retried */
37594
37595 uint16_t port;
37596 diff -urNp linux-2.6.32.46/drivers/scsi/qla4xxx/ql4_init.c linux-2.6.32.46/drivers/scsi/qla4xxx/ql4_init.c
37597 --- linux-2.6.32.46/drivers/scsi/qla4xxx/ql4_init.c 2011-03-27 14:31:47.000000000 -0400
37598 +++ linux-2.6.32.46/drivers/scsi/qla4xxx/ql4_init.c 2011-05-04 17:56:28.000000000 -0400
37599 @@ -482,7 +482,7 @@ static struct ddb_entry * qla4xxx_alloc_
37600 atomic_set(&ddb_entry->port_down_timer, ha->port_down_retry_count);
37601 atomic_set(&ddb_entry->retry_relogin_timer, INVALID_ENTRY);
37602 atomic_set(&ddb_entry->relogin_timer, 0);
37603 - atomic_set(&ddb_entry->relogin_retry_count, 0);
37604 + atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
37605 atomic_set(&ddb_entry->state, DDB_STATE_ONLINE);
37606 list_add_tail(&ddb_entry->list, &ha->ddb_list);
37607 ha->fw_ddb_index_map[fw_ddb_index] = ddb_entry;
37608 @@ -1308,7 +1308,7 @@ int qla4xxx_process_ddb_changed(struct s
37609 atomic_set(&ddb_entry->state, DDB_STATE_ONLINE);
37610 atomic_set(&ddb_entry->port_down_timer,
37611 ha->port_down_retry_count);
37612 - atomic_set(&ddb_entry->relogin_retry_count, 0);
37613 + atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
37614 atomic_set(&ddb_entry->relogin_timer, 0);
37615 clear_bit(DF_RELOGIN, &ddb_entry->flags);
37616 clear_bit(DF_NO_RELOGIN, &ddb_entry->flags);
37617 diff -urNp linux-2.6.32.46/drivers/scsi/qla4xxx/ql4_os.c linux-2.6.32.46/drivers/scsi/qla4xxx/ql4_os.c
37618 --- linux-2.6.32.46/drivers/scsi/qla4xxx/ql4_os.c 2011-03-27 14:31:47.000000000 -0400
37619 +++ linux-2.6.32.46/drivers/scsi/qla4xxx/ql4_os.c 2011-05-04 17:56:28.000000000 -0400
37620 @@ -641,13 +641,13 @@ static void qla4xxx_timer(struct scsi_ql
37621 ddb_entry->fw_ddb_device_state ==
37622 DDB_DS_SESSION_FAILED) {
37623 /* Reset retry relogin timer */
37624 - atomic_inc(&ddb_entry->relogin_retry_count);
37625 + atomic_inc_unchecked(&ddb_entry->relogin_retry_count);
37626 DEBUG2(printk("scsi%ld: index[%d] relogin"
37627 " timed out-retrying"
37628 " relogin (%d)\n",
37629 ha->host_no,
37630 ddb_entry->fw_ddb_index,
37631 - atomic_read(&ddb_entry->
37632 + atomic_read_unchecked(&ddb_entry->
37633 relogin_retry_count))
37634 );
37635 start_dpc++;
37636 diff -urNp linux-2.6.32.46/drivers/scsi/scsi.c linux-2.6.32.46/drivers/scsi/scsi.c
37637 --- linux-2.6.32.46/drivers/scsi/scsi.c 2011-03-27 14:31:47.000000000 -0400
37638 +++ linux-2.6.32.46/drivers/scsi/scsi.c 2011-05-04 17:56:28.000000000 -0400
37639 @@ -652,7 +652,7 @@ int scsi_dispatch_cmd(struct scsi_cmnd *
37640 unsigned long timeout;
37641 int rtn = 0;
37642
37643 - atomic_inc(&cmd->device->iorequest_cnt);
37644 + atomic_inc_unchecked(&cmd->device->iorequest_cnt);
37645
37646 /* check if the device is still usable */
37647 if (unlikely(cmd->device->sdev_state == SDEV_DEL)) {
37648 diff -urNp linux-2.6.32.46/drivers/scsi/scsi_debug.c linux-2.6.32.46/drivers/scsi/scsi_debug.c
37649 --- linux-2.6.32.46/drivers/scsi/scsi_debug.c 2011-03-27 14:31:47.000000000 -0400
37650 +++ linux-2.6.32.46/drivers/scsi/scsi_debug.c 2011-05-16 21:46:57.000000000 -0400
37651 @@ -1395,6 +1395,8 @@ static int resp_mode_select(struct scsi_
37652 unsigned char arr[SDEBUG_MAX_MSELECT_SZ];
37653 unsigned char *cmd = (unsigned char *)scp->cmnd;
37654
37655 + pax_track_stack();
37656 +
37657 if ((errsts = check_readiness(scp, 1, devip)))
37658 return errsts;
37659 memset(arr, 0, sizeof(arr));
37660 @@ -1492,6 +1494,8 @@ static int resp_log_sense(struct scsi_cm
37661 unsigned char arr[SDEBUG_MAX_LSENSE_SZ];
37662 unsigned char *cmd = (unsigned char *)scp->cmnd;
37663
37664 + pax_track_stack();
37665 +
37666 if ((errsts = check_readiness(scp, 1, devip)))
37667 return errsts;
37668 memset(arr, 0, sizeof(arr));
37669 diff -urNp linux-2.6.32.46/drivers/scsi/scsi_lib.c linux-2.6.32.46/drivers/scsi/scsi_lib.c
37670 --- linux-2.6.32.46/drivers/scsi/scsi_lib.c 2011-05-10 22:12:01.000000000 -0400
37671 +++ linux-2.6.32.46/drivers/scsi/scsi_lib.c 2011-05-10 22:12:33.000000000 -0400
37672 @@ -1384,7 +1384,7 @@ static void scsi_kill_request(struct req
37673
37674 scsi_init_cmd_errh(cmd);
37675 cmd->result = DID_NO_CONNECT << 16;
37676 - atomic_inc(&cmd->device->iorequest_cnt);
37677 + atomic_inc_unchecked(&cmd->device->iorequest_cnt);
37678
37679 /*
37680 * SCSI request completion path will do scsi_device_unbusy(),
37681 @@ -1415,9 +1415,9 @@ static void scsi_softirq_done(struct req
37682 */
37683 cmd->serial_number = 0;
37684
37685 - atomic_inc(&cmd->device->iodone_cnt);
37686 + atomic_inc_unchecked(&cmd->device->iodone_cnt);
37687 if (cmd->result)
37688 - atomic_inc(&cmd->device->ioerr_cnt);
37689 + atomic_inc_unchecked(&cmd->device->ioerr_cnt);
37690
37691 disposition = scsi_decide_disposition(cmd);
37692 if (disposition != SUCCESS &&
37693 diff -urNp linux-2.6.32.46/drivers/scsi/scsi_sysfs.c linux-2.6.32.46/drivers/scsi/scsi_sysfs.c
37694 --- linux-2.6.32.46/drivers/scsi/scsi_sysfs.c 2011-06-25 12:55:34.000000000 -0400
37695 +++ linux-2.6.32.46/drivers/scsi/scsi_sysfs.c 2011-06-25 12:56:37.000000000 -0400
37696 @@ -662,7 +662,7 @@ show_iostat_##field(struct device *dev,
37697 char *buf) \
37698 { \
37699 struct scsi_device *sdev = to_scsi_device(dev); \
37700 - unsigned long long count = atomic_read(&sdev->field); \
37701 + unsigned long long count = atomic_read_unchecked(&sdev->field); \
37702 return snprintf(buf, 20, "0x%llx\n", count); \
37703 } \
37704 static DEVICE_ATTR(field, S_IRUGO, show_iostat_##field, NULL)
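Review bot: In `show_iostat_##field` the result of `atomic_read_unchecked()` is assigned directly to `unsigned long long count`. If that accessor returns a signed `int`, as `atomic_read()` does, a counter that has wrapped past INT_MAX is sign-extended and printed as `0xffffffff...`. Switching these counters to the unchecked type makes wrapping an accepted state, so the conversion should go through an unsigned type first: `unsigned long long count = (unsigned int)atomic_read_unchecked(&sdev->field); \`. The macro starts above the hunk.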
37705 diff -urNp linux-2.6.32.46/drivers/scsi/scsi_tgt_lib.c linux-2.6.32.46/drivers/scsi/scsi_tgt_lib.c
37706 --- linux-2.6.32.46/drivers/scsi/scsi_tgt_lib.c 2011-03-27 14:31:47.000000000 -0400
37707 +++ linux-2.6.32.46/drivers/scsi/scsi_tgt_lib.c 2011-10-06 09:37:14.000000000 -0400
37708 @@ -362,7 +362,7 @@ static int scsi_map_user_pages(struct sc
37709 int err;
37710
37711 dprintk("%lx %u\n", uaddr, len);
37712 - err = blk_rq_map_user(q, rq, NULL, (void *)uaddr, len, GFP_KERNEL);
37713 + err = blk_rq_map_user(q, rq, NULL, (void __user *)uaddr, len, GFP_KERNEL);
37714 if (err) {
37715 /*
37716 * TODO: need to fixup sg_tablesize, max_segment_size,
37717 diff -urNp linux-2.6.32.46/drivers/scsi/scsi_transport_fc.c linux-2.6.32.46/drivers/scsi/scsi_transport_fc.c
37718 --- linux-2.6.32.46/drivers/scsi/scsi_transport_fc.c 2011-03-27 14:31:47.000000000 -0400
37719 +++ linux-2.6.32.46/drivers/scsi/scsi_transport_fc.c 2011-05-04 17:56:28.000000000 -0400
37720 @@ -480,7 +480,7 @@ MODULE_PARM_DESC(dev_loss_tmo,
37721 * Netlink Infrastructure
37722 */
37723
37724 -static atomic_t fc_event_seq;
37725 +static atomic_unchecked_t fc_event_seq;
37726
37727 /**
37728 * fc_get_event_number - Obtain the next sequential FC event number
37729 @@ -493,7 +493,7 @@ static atomic_t fc_event_seq;
37730 u32
37731 fc_get_event_number(void)
37732 {
37733 - return atomic_add_return(1, &fc_event_seq);
37734 + return atomic_add_return_unchecked(1, &fc_event_seq);
37735 }
37736 EXPORT_SYMBOL(fc_get_event_number);
37737
37738 @@ -641,7 +641,7 @@ static __init int fc_transport_init(void
37739 {
37740 int error;
37741
37742 - atomic_set(&fc_event_seq, 0);
37743 + atomic_set_unchecked(&fc_event_seq, 0);
37744
37745 error = transport_class_register(&fc_host_class);
37746 if (error)
37747 diff -urNp linux-2.6.32.46/drivers/scsi/scsi_transport_iscsi.c linux-2.6.32.46/drivers/scsi/scsi_transport_iscsi.c
37748 --- linux-2.6.32.46/drivers/scsi/scsi_transport_iscsi.c 2011-03-27 14:31:47.000000000 -0400
37749 +++ linux-2.6.32.46/drivers/scsi/scsi_transport_iscsi.c 2011-05-04 17:56:28.000000000 -0400
37750 @@ -81,7 +81,7 @@ struct iscsi_internal {
37751 struct device_attribute *session_attrs[ISCSI_SESSION_ATTRS + 1];
37752 };
37753
37754 -static atomic_t iscsi_session_nr; /* sysfs session id for next new session */
37755 +static atomic_unchecked_t iscsi_session_nr; /* sysfs session id for next new session */
37756 static struct workqueue_struct *iscsi_eh_timer_workq;
37757
37758 /*
37759 @@ -728,7 +728,7 @@ int iscsi_add_session(struct iscsi_cls_s
37760 int err;
37761
37762 ihost = shost->shost_data;
37763 - session->sid = atomic_add_return(1, &iscsi_session_nr);
37764 + session->sid = atomic_add_return_unchecked(1, &iscsi_session_nr);
37765
37766 if (id == ISCSI_MAX_TARGET) {
37767 for (id = 0; id < ISCSI_MAX_TARGET; id++) {
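Review bot: `session->sid` is taken from `iscsi_session_nr` with `atomic_add_return_unchecked()`, so once the counter wraps the same id can be handed out again with nothing checking that an older session still holds it. The declaration's comment calls this the sysfs session id; if the id ends up in a device name, a repeat would probably make registration fail or alias two sessions, though the naming code is not in the hunk. A comment at the assignment such as `/* may wrap; assumes sessions with the old id are gone by then */` would state the assumption, or an id allocator could replace the bare counter. `srp_rport_add()` in scsi_transport_srp.c and `vmbus_child_device_register()` in vmbus_drv.c pass the same kind of counter to `dev_set_name()`. `iscsi_add_session()` continues outside the hunk.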
37768 @@ -2060,7 +2060,7 @@ static __init int iscsi_transport_init(v
37769 printk(KERN_INFO "Loading iSCSI transport class v%s.\n",
37770 ISCSI_TRANSPORT_VERSION);
37771
37772 - atomic_set(&iscsi_session_nr, 0);
37773 + atomic_set_unchecked(&iscsi_session_nr, 0);
37774
37775 err = class_register(&iscsi_transport_class);
37776 if (err)
37777 diff -urNp linux-2.6.32.46/drivers/scsi/scsi_transport_srp.c linux-2.6.32.46/drivers/scsi/scsi_transport_srp.c
37778 --- linux-2.6.32.46/drivers/scsi/scsi_transport_srp.c 2011-03-27 14:31:47.000000000 -0400
37779 +++ linux-2.6.32.46/drivers/scsi/scsi_transport_srp.c 2011-05-04 17:56:28.000000000 -0400
37780 @@ -33,7 +33,7 @@
37781 #include "scsi_transport_srp_internal.h"
37782
37783 struct srp_host_attrs {
37784 - atomic_t next_port_id;
37785 + atomic_unchecked_t next_port_id;
37786 };
37787 #define to_srp_host_attrs(host) ((struct srp_host_attrs *)(host)->shost_data)
37788
37789 @@ -62,7 +62,7 @@ static int srp_host_setup(struct transpo
37790 struct Scsi_Host *shost = dev_to_shost(dev);
37791 struct srp_host_attrs *srp_host = to_srp_host_attrs(shost);
37792
37793 - atomic_set(&srp_host->next_port_id, 0);
37794 + atomic_set_unchecked(&srp_host->next_port_id, 0);
37795 return 0;
37796 }
37797
37798 @@ -211,7 +211,7 @@ struct srp_rport *srp_rport_add(struct S
37799 memcpy(rport->port_id, ids->port_id, sizeof(rport->port_id));
37800 rport->roles = ids->roles;
37801
37802 - id = atomic_inc_return(&to_srp_host_attrs(shost)->next_port_id);
37803 + id = atomic_inc_return_unchecked(&to_srp_host_attrs(shost)->next_port_id);
37804 dev_set_name(&rport->dev, "port-%d:%d", shost->host_no, id);
37805
37806 transport_setup_device(&rport->dev);
37807 diff -urNp linux-2.6.32.46/drivers/scsi/sg.c linux-2.6.32.46/drivers/scsi/sg.c
37808 --- linux-2.6.32.46/drivers/scsi/sg.c 2011-03-27 14:31:47.000000000 -0400
37809 +++ linux-2.6.32.46/drivers/scsi/sg.c 2011-10-06 09:37:08.000000000 -0400
37810 @@ -1064,7 +1064,7 @@ sg_ioctl(struct inode *inode, struct fil
37811 sdp->disk->disk_name,
37812 MKDEV(SCSI_GENERIC_MAJOR, sdp->index),
37813 NULL,
37814 - (char *)arg);
37815 + (char __user *)arg);
37816 case BLKTRACESTART:
37817 return blk_trace_startstop(sdp->device->request_queue, 1);
37818 case BLKTRACESTOP:
37819 @@ -2292,7 +2292,7 @@ struct sg_proc_leaf {
37820 const struct file_operations * fops;
37821 };
37822
37823 -static struct sg_proc_leaf sg_proc_leaf_arr[] = {
37824 +static const struct sg_proc_leaf sg_proc_leaf_arr[] = {
37825 {"allow_dio", &adio_fops},
37826 {"debug", &debug_fops},
37827 {"def_reserved_size", &dressz_fops},
37828 @@ -2307,7 +2307,7 @@ sg_proc_init(void)
37829 {
37830 int k, mask;
37831 int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
37832 - struct sg_proc_leaf * leaf;
37833 + const struct sg_proc_leaf * leaf;
37834
37835 sg_proc_sgp = proc_mkdir(sg_proc_sg_dirname, NULL);
37836 if (!sg_proc_sgp)
37837 diff -urNp linux-2.6.32.46/drivers/scsi/sym53c8xx_2/sym_glue.c linux-2.6.32.46/drivers/scsi/sym53c8xx_2/sym_glue.c
37838 --- linux-2.6.32.46/drivers/scsi/sym53c8xx_2/sym_glue.c 2011-03-27 14:31:47.000000000 -0400
37839 +++ linux-2.6.32.46/drivers/scsi/sym53c8xx_2/sym_glue.c 2011-05-16 21:46:57.000000000 -0400
37840 @@ -1754,6 +1754,8 @@ static int __devinit sym2_probe(struct p
37841 int do_iounmap = 0;
37842 int do_disable_device = 1;
37843
37844 + pax_track_stack();
37845 +
37846 memset(&sym_dev, 0, sizeof(sym_dev));
37847 memset(&nvram, 0, sizeof(nvram));
37848 sym_dev.pdev = pdev;
37849 diff -urNp linux-2.6.32.46/drivers/serial/kgdboc.c linux-2.6.32.46/drivers/serial/kgdboc.c
37850 --- linux-2.6.32.46/drivers/serial/kgdboc.c 2011-03-27 14:31:47.000000000 -0400
37851 +++ linux-2.6.32.46/drivers/serial/kgdboc.c 2011-04-17 15:56:46.000000000 -0400
37852 @@ -18,7 +18,7 @@
37853
37854 #define MAX_CONFIG_LEN 40
37855
37856 -static struct kgdb_io kgdboc_io_ops;
37857 +static const struct kgdb_io kgdboc_io_ops;
37858
37859 /* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
37860 static int configured = -1;
37861 @@ -154,7 +154,7 @@ static void kgdboc_post_exp_handler(void
37862 module_put(THIS_MODULE);
37863 }
37864
37865 -static struct kgdb_io kgdboc_io_ops = {
37866 +static const struct kgdb_io kgdboc_io_ops = {
37867 .name = "kgdboc",
37868 .read_char = kgdboc_get_char,
37869 .write_char = kgdboc_put_char,
37870 diff -urNp linux-2.6.32.46/drivers/spi/spi.c linux-2.6.32.46/drivers/spi/spi.c
37871 --- linux-2.6.32.46/drivers/spi/spi.c 2011-03-27 14:31:47.000000000 -0400
37872 +++ linux-2.6.32.46/drivers/spi/spi.c 2011-05-04 17:56:28.000000000 -0400
37873 @@ -774,7 +774,7 @@ int spi_sync(struct spi_device *spi, str
37874 EXPORT_SYMBOL_GPL(spi_sync);
37875
37876 /* portable code must never pass more than 32 bytes */
37877 -#define SPI_BUFSIZ max(32,SMP_CACHE_BYTES)
37878 +#define SPI_BUFSIZ max(32U,SMP_CACHE_BYTES)
37879
37880 static u8 *buf;
37881
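Review bot: `max(32U,SMP_CACHE_BYTES)` satisfies the type check inside `max()` only when `SMP_CACHE_BYTES` is `unsigned int`. Its definition is per-architecture and not visible here, so the literal suffix may be right for one architecture and wrong for another. `#define SPI_BUFSIZ max_t(unsigned, 32, SMP_CACHE_BYTES)` would state the intended type once and not depend on how each architecture spells its cache-line constant.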
37882 diff -urNp linux-2.6.32.46/drivers/staging/android/binder.c linux-2.6.32.46/drivers/staging/android/binder.c
37883 --- linux-2.6.32.46/drivers/staging/android/binder.c 2011-03-27 14:31:47.000000000 -0400
37884 +++ linux-2.6.32.46/drivers/staging/android/binder.c 2011-04-17 15:56:46.000000000 -0400
37885 @@ -2756,7 +2756,7 @@ static void binder_vma_close(struct vm_a
37886 binder_defer_work(proc, BINDER_DEFERRED_PUT_FILES);
37887 }
37888
37889 -static struct vm_operations_struct binder_vm_ops = {
37890 +static const struct vm_operations_struct binder_vm_ops = {
37891 .open = binder_vma_open,
37892 .close = binder_vma_close,
37893 };
37894 diff -urNp linux-2.6.32.46/drivers/staging/b3dfg/b3dfg.c linux-2.6.32.46/drivers/staging/b3dfg/b3dfg.c
37895 --- linux-2.6.32.46/drivers/staging/b3dfg/b3dfg.c 2011-03-27 14:31:47.000000000 -0400
37896 +++ linux-2.6.32.46/drivers/staging/b3dfg/b3dfg.c 2011-04-17 15:56:46.000000000 -0400
37897 @@ -455,7 +455,7 @@ static int b3dfg_vma_fault(struct vm_are
37898 return VM_FAULT_NOPAGE;
37899 }
37900
37901 -static struct vm_operations_struct b3dfg_vm_ops = {
37902 +static const struct vm_operations_struct b3dfg_vm_ops = {
37903 .fault = b3dfg_vma_fault,
37904 };
37905
37906 @@ -848,7 +848,7 @@ static int b3dfg_mmap(struct file *filp,
37907 return r;
37908 }
37909
37910 -static struct file_operations b3dfg_fops = {
37911 +static const struct file_operations b3dfg_fops = {
37912 .owner = THIS_MODULE,
37913 .open = b3dfg_open,
37914 .release = b3dfg_release,
37915 diff -urNp linux-2.6.32.46/drivers/staging/comedi/comedi_fops.c linux-2.6.32.46/drivers/staging/comedi/comedi_fops.c
37916 --- linux-2.6.32.46/drivers/staging/comedi/comedi_fops.c 2011-08-09 18:35:29.000000000 -0400
37917 +++ linux-2.6.32.46/drivers/staging/comedi/comedi_fops.c 2011-08-09 18:34:00.000000000 -0400
37918 @@ -1389,7 +1389,7 @@ void comedi_unmap(struct vm_area_struct
37919 mutex_unlock(&dev->mutex);
37920 }
37921
37922 -static struct vm_operations_struct comedi_vm_ops = {
37923 +static const struct vm_operations_struct comedi_vm_ops = {
37924 .close = comedi_unmap,
37925 };
37926
37927 diff -urNp linux-2.6.32.46/drivers/staging/dream/qdsp5/adsp_driver.c linux-2.6.32.46/drivers/staging/dream/qdsp5/adsp_driver.c
37928 --- linux-2.6.32.46/drivers/staging/dream/qdsp5/adsp_driver.c 2011-03-27 14:31:47.000000000 -0400
37929 +++ linux-2.6.32.46/drivers/staging/dream/qdsp5/adsp_driver.c 2011-04-17 15:56:46.000000000 -0400
37930 @@ -576,7 +576,7 @@ static struct adsp_device *inode_to_devi
37931 static dev_t adsp_devno;
37932 static struct class *adsp_class;
37933
37934 -static struct file_operations adsp_fops = {
37935 +static const struct file_operations adsp_fops = {
37936 .owner = THIS_MODULE,
37937 .open = adsp_open,
37938 .unlocked_ioctl = adsp_ioctl,
37939 diff -urNp linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_aac.c linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_aac.c
37940 --- linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_aac.c 2011-03-27 14:31:47.000000000 -0400
37941 +++ linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_aac.c 2011-04-17 15:56:46.000000000 -0400
37942 @@ -1022,7 +1022,7 @@ done:
37943 return rc;
37944 }
37945
37946 -static struct file_operations audio_aac_fops = {
37947 +static const struct file_operations audio_aac_fops = {
37948 .owner = THIS_MODULE,
37949 .open = audio_open,
37950 .release = audio_release,
37951 diff -urNp linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_amrnb.c linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_amrnb.c
37952 --- linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_amrnb.c 2011-03-27 14:31:47.000000000 -0400
37953 +++ linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_amrnb.c 2011-04-17 15:56:46.000000000 -0400
37954 @@ -833,7 +833,7 @@ done:
37955 return rc;
37956 }
37957
37958 -static struct file_operations audio_amrnb_fops = {
37959 +static const struct file_operations audio_amrnb_fops = {
37960 .owner = THIS_MODULE,
37961 .open = audamrnb_open,
37962 .release = audamrnb_release,
37963 diff -urNp linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_evrc.c linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_evrc.c
37964 --- linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_evrc.c 2011-03-27 14:31:47.000000000 -0400
37965 +++ linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_evrc.c 2011-04-17 15:56:46.000000000 -0400
37966 @@ -805,7 +805,7 @@ dma_fail:
37967 return rc;
37968 }
37969
37970 -static struct file_operations audio_evrc_fops = {
37971 +static const struct file_operations audio_evrc_fops = {
37972 .owner = THIS_MODULE,
37973 .open = audevrc_open,
37974 .release = audevrc_release,
37975 diff -urNp linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_in.c linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_in.c
37976 --- linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_in.c 2011-03-27 14:31:47.000000000 -0400
37977 +++ linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_in.c 2011-04-17 15:56:46.000000000 -0400
37978 @@ -913,7 +913,7 @@ static int audpre_open(struct inode *ino
37979 return 0;
37980 }
37981
37982 -static struct file_operations audio_fops = {
37983 +static const struct file_operations audio_fops = {
37984 .owner = THIS_MODULE,
37985 .open = audio_in_open,
37986 .release = audio_in_release,
37987 @@ -922,7 +922,7 @@ static struct file_operations audio_fops
37988 .unlocked_ioctl = audio_in_ioctl,
37989 };
37990
37991 -static struct file_operations audpre_fops = {
37992 +static const struct file_operations audpre_fops = {
37993 .owner = THIS_MODULE,
37994 .open = audpre_open,
37995 .unlocked_ioctl = audpre_ioctl,
37996 diff -urNp linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_mp3.c linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_mp3.c
37997 --- linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_mp3.c 2011-03-27 14:31:47.000000000 -0400
37998 +++ linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_mp3.c 2011-04-17 15:56:46.000000000 -0400
37999 @@ -941,7 +941,7 @@ done:
38000 return rc;
38001 }
38002
38003 -static struct file_operations audio_mp3_fops = {
38004 +static const struct file_operations audio_mp3_fops = {
38005 .owner = THIS_MODULE,
38006 .open = audio_open,
38007 .release = audio_release,
38008 diff -urNp linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_out.c linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_out.c
38009 --- linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_out.c 2011-03-27 14:31:47.000000000 -0400
38010 +++ linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_out.c 2011-04-17 15:56:46.000000000 -0400
38011 @@ -810,7 +810,7 @@ static int audpp_open(struct inode *inod
38012 return 0;
38013 }
38014
38015 -static struct file_operations audio_fops = {
38016 +static const struct file_operations audio_fops = {
38017 .owner = THIS_MODULE,
38018 .open = audio_open,
38019 .release = audio_release,
38020 @@ -819,7 +819,7 @@ static struct file_operations audio_fops
38021 .unlocked_ioctl = audio_ioctl,
38022 };
38023
38024 -static struct file_operations audpp_fops = {
38025 +static const struct file_operations audpp_fops = {
38026 .owner = THIS_MODULE,
38027 .open = audpp_open,
38028 .unlocked_ioctl = audpp_ioctl,
38029 diff -urNp linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_qcelp.c linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_qcelp.c
38030 --- linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_qcelp.c 2011-03-27 14:31:47.000000000 -0400
38031 +++ linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_qcelp.c 2011-04-17 15:56:46.000000000 -0400
38032 @@ -816,7 +816,7 @@ err:
38033 return rc;
38034 }
38035
38036 -static struct file_operations audio_qcelp_fops = {
38037 +static const struct file_operations audio_qcelp_fops = {
38038 .owner = THIS_MODULE,
38039 .open = audqcelp_open,
38040 .release = audqcelp_release,
38041 diff -urNp linux-2.6.32.46/drivers/staging/dream/qdsp5/snd.c linux-2.6.32.46/drivers/staging/dream/qdsp5/snd.c
38042 --- linux-2.6.32.46/drivers/staging/dream/qdsp5/snd.c 2011-03-27 14:31:47.000000000 -0400
38043 +++ linux-2.6.32.46/drivers/staging/dream/qdsp5/snd.c 2011-04-17 15:56:46.000000000 -0400
38044 @@ -242,7 +242,7 @@ err:
38045 return rc;
38046 }
38047
38048 -static struct file_operations snd_fops = {
38049 +static const struct file_operations snd_fops = {
38050 .owner = THIS_MODULE,
38051 .open = snd_open,
38052 .release = snd_release,
38053 diff -urNp linux-2.6.32.46/drivers/staging/dream/smd/smd_qmi.c linux-2.6.32.46/drivers/staging/dream/smd/smd_qmi.c
38054 --- linux-2.6.32.46/drivers/staging/dream/smd/smd_qmi.c 2011-03-27 14:31:47.000000000 -0400
38055 +++ linux-2.6.32.46/drivers/staging/dream/smd/smd_qmi.c 2011-04-17 15:56:46.000000000 -0400
38056 @@ -793,7 +793,7 @@ static int qmi_release(struct inode *ip,
38057 return 0;
38058 }
38059
38060 -static struct file_operations qmi_fops = {
38061 +static const struct file_operations qmi_fops = {
38062 .owner = THIS_MODULE,
38063 .read = qmi_read,
38064 .write = qmi_write,
38065 diff -urNp linux-2.6.32.46/drivers/staging/dream/smd/smd_rpcrouter_device.c linux-2.6.32.46/drivers/staging/dream/smd/smd_rpcrouter_device.c
38066 --- linux-2.6.32.46/drivers/staging/dream/smd/smd_rpcrouter_device.c 2011-03-27 14:31:47.000000000 -0400
38067 +++ linux-2.6.32.46/drivers/staging/dream/smd/smd_rpcrouter_device.c 2011-04-17 15:56:46.000000000 -0400
38068 @@ -214,7 +214,7 @@ static long rpcrouter_ioctl(struct file
38069 return rc;
38070 }
38071
38072 -static struct file_operations rpcrouter_server_fops = {
38073 +static const struct file_operations rpcrouter_server_fops = {
38074 .owner = THIS_MODULE,
38075 .open = rpcrouter_open,
38076 .release = rpcrouter_release,
38077 @@ -224,7 +224,7 @@ static struct file_operations rpcrouter_
38078 .unlocked_ioctl = rpcrouter_ioctl,
38079 };
38080
38081 -static struct file_operations rpcrouter_router_fops = {
38082 +static const struct file_operations rpcrouter_router_fops = {
38083 .owner = THIS_MODULE,
38084 .open = rpcrouter_open,
38085 .release = rpcrouter_release,
38086 diff -urNp linux-2.6.32.46/drivers/staging/dst/dcore.c linux-2.6.32.46/drivers/staging/dst/dcore.c
38087 --- linux-2.6.32.46/drivers/staging/dst/dcore.c 2011-03-27 14:31:47.000000000 -0400
38088 +++ linux-2.6.32.46/drivers/staging/dst/dcore.c 2011-04-17 15:56:46.000000000 -0400
38089 @@ -149,7 +149,7 @@ static int dst_bdev_release(struct gendi
38090 return 0;
38091 }
38092
38093 -static struct block_device_operations dst_blk_ops = {
38094 +static const struct block_device_operations dst_blk_ops = {
38095 .open = dst_bdev_open,
38096 .release = dst_bdev_release,
38097 .owner = THIS_MODULE,
38098 @@ -588,7 +588,7 @@ static struct dst_node *dst_alloc_node(s
38099 n->size = ctl->size;
38100
38101 atomic_set(&n->refcnt, 1);
38102 - atomic_long_set(&n->gen, 0);
38103 + atomic_long_set_unchecked(&n->gen, 0);
38104 snprintf(n->name, sizeof(n->name), "%s", ctl->name);
38105
38106 err = dst_node_sysfs_init(n);
38107 diff -urNp linux-2.6.32.46/drivers/staging/dst/trans.c linux-2.6.32.46/drivers/staging/dst/trans.c
38108 --- linux-2.6.32.46/drivers/staging/dst/trans.c 2011-03-27 14:31:47.000000000 -0400
38109 +++ linux-2.6.32.46/drivers/staging/dst/trans.c 2011-04-17 15:56:46.000000000 -0400
38110 @@ -169,7 +169,7 @@ int dst_process_bio(struct dst_node *n,
38111 t->error = 0;
38112 t->retries = 0;
38113 atomic_set(&t->refcnt, 1);
38114 - t->gen = atomic_long_inc_return(&n->gen);
38115 + t->gen = atomic_long_inc_return_unchecked(&n->gen);
38116
38117 t->enc = bio_data_dir(bio);
38118 dst_bio_to_cmd(bio, &t->cmd, DST_IO, t->gen);
38119 diff -urNp linux-2.6.32.46/drivers/staging/et131x/et1310_tx.c linux-2.6.32.46/drivers/staging/et131x/et1310_tx.c
38120 --- linux-2.6.32.46/drivers/staging/et131x/et1310_tx.c 2011-03-27 14:31:47.000000000 -0400
38121 +++ linux-2.6.32.46/drivers/staging/et131x/et1310_tx.c 2011-05-04 17:56:28.000000000 -0400
38122 @@ -710,11 +710,11 @@ inline void et131x_free_send_packet(stru
38123 struct net_device_stats *stats = &etdev->net_stats;
38124
38125 if (pMpTcb->Flags & fMP_DEST_BROAD)
38126 - atomic_inc(&etdev->Stats.brdcstxmt);
38127 + atomic_inc_unchecked(&etdev->Stats.brdcstxmt);
38128 else if (pMpTcb->Flags & fMP_DEST_MULTI)
38129 - atomic_inc(&etdev->Stats.multixmt);
38130 + atomic_inc_unchecked(&etdev->Stats.multixmt);
38131 else
38132 - atomic_inc(&etdev->Stats.unixmt);
38133 + atomic_inc_unchecked(&etdev->Stats.unixmt);
38134
38135 if (pMpTcb->Packet) {
38136 stats->tx_bytes += pMpTcb->Packet->len;
38137 diff -urNp linux-2.6.32.46/drivers/staging/et131x/et131x_adapter.h linux-2.6.32.46/drivers/staging/et131x/et131x_adapter.h
38138 --- linux-2.6.32.46/drivers/staging/et131x/et131x_adapter.h 2011-03-27 14:31:47.000000000 -0400
38139 +++ linux-2.6.32.46/drivers/staging/et131x/et131x_adapter.h 2011-05-04 17:56:28.000000000 -0400
38140 @@ -145,11 +145,11 @@ typedef struct _ce_stats_t {
38141 * operations
38142 */
38143 u32 unircv; /* # multicast packets received */
38144 - atomic_t unixmt; /* # multicast packets for Tx */
38145 + atomic_unchecked_t unixmt; /* # multicast packets for Tx */
38146 u32 multircv; /* # multicast packets received */
38147 - atomic_t multixmt; /* # multicast packets for Tx */
38148 + atomic_unchecked_t multixmt; /* # multicast packets for Tx */
38149 u32 brdcstrcv; /* # broadcast packets received */
38150 - atomic_t brdcstxmt; /* # broadcast packets for Tx */
38151 + atomic_unchecked_t brdcstxmt; /* # broadcast packets for Tx */
38152 u32 norcvbuf; /* # Rx packets discarded */
38153 u32 noxmtbuf; /* # Tx packets discarded */
38154
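Review bot: The comment on `unixmt` reads `# multicast packets for Tx`, but `et131x_free_send_packet()` in et1310_tx.c increments it only when neither `fMP_DEST_BROAD` nor `fMP_DEST_MULTI` is set. Since the line is being touched anyway, the comment should read `/* # unicast packets for Tx */`. The `unircv` comment above it looks like the same copy-paste and probably means unicast packets received. The struct continues outside the hunk.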
38155 diff -urNp linux-2.6.32.46/drivers/staging/go7007/go7007-v4l2.c linux-2.6.32.46/drivers/staging/go7007/go7007-v4l2.c
38156 --- linux-2.6.32.46/drivers/staging/go7007/go7007-v4l2.c 2011-03-27 14:31:47.000000000 -0400
38157 +++ linux-2.6.32.46/drivers/staging/go7007/go7007-v4l2.c 2011-04-17 15:56:46.000000000 -0400
38158 @@ -1700,7 +1700,7 @@ static int go7007_vm_fault(struct vm_are
38159 return 0;
38160 }
38161
38162 -static struct vm_operations_struct go7007_vm_ops = {
38163 +static const struct vm_operations_struct go7007_vm_ops = {
38164 .open = go7007_vm_open,
38165 .close = go7007_vm_close,
38166 .fault = go7007_vm_fault,
38167 diff -urNp linux-2.6.32.46/drivers/staging/hv/blkvsc_drv.c linux-2.6.32.46/drivers/staging/hv/blkvsc_drv.c
38168 --- linux-2.6.32.46/drivers/staging/hv/blkvsc_drv.c 2011-03-27 14:31:47.000000000 -0400
38169 +++ linux-2.6.32.46/drivers/staging/hv/blkvsc_drv.c 2011-04-17 15:56:46.000000000 -0400
38170 @@ -153,7 +153,7 @@ static int blkvsc_ringbuffer_size = BLKV
38171 /* The one and only one */
38172 static struct blkvsc_driver_context g_blkvsc_drv;
38173
38174 -static struct block_device_operations block_ops = {
38175 +static const struct block_device_operations block_ops = {
38176 .owner = THIS_MODULE,
38177 .open = blkvsc_open,
38178 .release = blkvsc_release,
38179 diff -urNp linux-2.6.32.46/drivers/staging/hv/Channel.c linux-2.6.32.46/drivers/staging/hv/Channel.c
38180 --- linux-2.6.32.46/drivers/staging/hv/Channel.c 2011-04-17 17:00:52.000000000 -0400
38181 +++ linux-2.6.32.46/drivers/staging/hv/Channel.c 2011-05-04 17:56:28.000000000 -0400
38182 @@ -464,8 +464,8 @@ int VmbusChannelEstablishGpadl(struct vm
38183
38184 DPRINT_ENTER(VMBUS);
38185
38186 - nextGpadlHandle = atomic_read(&gVmbusConnection.NextGpadlHandle);
38187 - atomic_inc(&gVmbusConnection.NextGpadlHandle);
38188 + nextGpadlHandle = atomic_read_unchecked(&gVmbusConnection.NextGpadlHandle);
38189 + atomic_inc_unchecked(&gVmbusConnection.NextGpadlHandle);
38190
38191 VmbusChannelCreateGpadlHeader(Kbuffer, Size, &msgInfo, &msgCount);
38192 ASSERT(msgInfo != NULL);
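Review bot: `NextGpadlHandle` is still read and incremented in two separate atomic operations. Two callers entering `VmbusChannelEstablishGpadl()` at the same time can both read the same value and use one handle twice, unless a lock outside the hunk serializes them. A single operation closes that window: `nextGpadlHandle = atomic_inc_return_unchecked(&gVmbusConnection.NextGpadlHandle) - 1;`. The function body continues outside the hunk.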
38193 diff -urNp linux-2.6.32.46/drivers/staging/hv/Hv.c linux-2.6.32.46/drivers/staging/hv/Hv.c
38194 --- linux-2.6.32.46/drivers/staging/hv/Hv.c 2011-03-27 14:31:47.000000000 -0400
38195 +++ linux-2.6.32.46/drivers/staging/hv/Hv.c 2011-04-17 15:56:46.000000000 -0400
38196 @@ -161,7 +161,7 @@ static u64 HvDoHypercall(u64 Control, vo
38197 u64 outputAddress = (Output) ? virt_to_phys(Output) : 0;
38198 u32 outputAddressHi = outputAddress >> 32;
38199 u32 outputAddressLo = outputAddress & 0xFFFFFFFF;
38200 - volatile void *hypercallPage = gHvContext.HypercallPage;
38201 + volatile void *hypercallPage = ktva_ktla(gHvContext.HypercallPage);
38202
38203 DPRINT_DBG(VMBUS, "Hypercall <control %llx input %p output %p>",
38204 Control, Input, Output);
38205 diff -urNp linux-2.6.32.46/drivers/staging/hv/VmbusApi.h linux-2.6.32.46/drivers/staging/hv/VmbusApi.h
38206 --- linux-2.6.32.46/drivers/staging/hv/VmbusApi.h 2011-03-27 14:31:47.000000000 -0400
38207 +++ linux-2.6.32.46/drivers/staging/hv/VmbusApi.h 2011-08-29 22:32:57.000000000 -0400
38208 @@ -109,7 +109,7 @@ struct vmbus_channel_interface {
38209 u32 *GpadlHandle);
38210 int (*TeardownGpadl)(struct hv_device *device, u32 GpadlHandle);
38211 void (*GetInfo)(struct hv_device *dev, struct hv_device_info *devinfo);
38212 -};
38213 +} __no_const;
38214
38215 /* Base driver object */
38216 struct hv_driver {
38217 diff -urNp linux-2.6.32.46/drivers/staging/hv/vmbus_drv.c linux-2.6.32.46/drivers/staging/hv/vmbus_drv.c
38218 --- linux-2.6.32.46/drivers/staging/hv/vmbus_drv.c 2011-03-27 14:31:47.000000000 -0400
38219 +++ linux-2.6.32.46/drivers/staging/hv/vmbus_drv.c 2011-05-04 17:56:28.000000000 -0400
38220 @@ -532,7 +532,7 @@ static int vmbus_child_device_register(s
38221 to_device_context(root_device_obj);
38222 struct device_context *child_device_ctx =
38223 to_device_context(child_device_obj);
38224 - static atomic_t device_num = ATOMIC_INIT(0);
38225 + static atomic_unchecked_t device_num = ATOMIC_INIT(0);
38226
38227 DPRINT_ENTER(VMBUS_DRV);
38228
38229 @@ -541,7 +541,7 @@ static int vmbus_child_device_register(s
38230
38231 /* Set the device name. Otherwise, device_register() will fail. */
38232 dev_set_name(&child_device_ctx->device, "vmbus_0_%d",
38233 - atomic_inc_return(&device_num));
38234 + atomic_inc_return_unchecked(&device_num));
38235
38236 /* The new device belongs to this bus */
38237 child_device_ctx->device.bus = &g_vmbus_drv.bus; /* device->dev.bus; */
38238 diff -urNp linux-2.6.32.46/drivers/staging/hv/VmbusPrivate.h linux-2.6.32.46/drivers/staging/hv/VmbusPrivate.h
38239 --- linux-2.6.32.46/drivers/staging/hv/VmbusPrivate.h 2011-04-17 17:00:52.000000000 -0400
38240 +++ linux-2.6.32.46/drivers/staging/hv/VmbusPrivate.h 2011-05-04 17:56:28.000000000 -0400
38241 @@ -59,7 +59,7 @@ enum VMBUS_CONNECT_STATE {
38242 struct VMBUS_CONNECTION {
38243 enum VMBUS_CONNECT_STATE ConnectState;
38244
38245 - atomic_t NextGpadlHandle;
38246 + atomic_unchecked_t NextGpadlHandle;
38247
38248 /*
38249 * Represents channel interrupts. Each bit position represents a
38250 diff -urNp linux-2.6.32.46/drivers/staging/iio/ring_generic.h linux-2.6.32.46/drivers/staging/iio/ring_generic.h
38251 --- linux-2.6.32.46/drivers/staging/iio/ring_generic.h 2011-03-27 14:31:47.000000000 -0400
38252 +++ linux-2.6.32.46/drivers/staging/iio/ring_generic.h 2011-08-23 20:24:26.000000000 -0400
38253 @@ -87,7 +87,7 @@ struct iio_ring_access_funcs {
38254
38255 int (*is_enabled)(struct iio_ring_buffer *ring);
38256 int (*enable)(struct iio_ring_buffer *ring);
38257 -};
38258 +} __no_const;
38259
38260 /**
38261 * struct iio_ring_buffer - general ring buffer structure
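Review bot: `__no_const` on `struct iio_ring_access_funcs` leaves a table of function pointers writable at run time, and no comment says which code needs to write it. Presumably the members are filled in per ring after allocation. A short comment naming that writer, e.g. `/* members are assigned at runtime by the ring implementation, so this cannot be constified */`, would let a reviewer check whether the exemption is still needed. The same question applies to `eh_ops` in usbip_common.h and `struct usbctlx_completor` in wlan-ng/hfa384x_usb.c. The struct begins before this hunk.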
38262 diff -urNp linux-2.6.32.46/drivers/staging/octeon/ethernet.c linux-2.6.32.46/drivers/staging/octeon/ethernet.c
38263 --- linux-2.6.32.46/drivers/staging/octeon/ethernet.c 2011-03-27 14:31:47.000000000 -0400
38264 +++ linux-2.6.32.46/drivers/staging/octeon/ethernet.c 2011-05-04 17:56:28.000000000 -0400
38265 @@ -294,11 +294,11 @@ static struct net_device_stats *cvm_oct_
38266 * since the RX tasklet also increments it.
38267 */
38268 #ifdef CONFIG_64BIT
38269 - atomic64_add(rx_status.dropped_packets,
38270 - (atomic64_t *)&priv->stats.rx_dropped);
38271 + atomic64_add_unchecked(rx_status.dropped_packets,
38272 + (atomic64_unchecked_t *)&priv->stats.rx_dropped);
38273 #else
38274 - atomic_add(rx_status.dropped_packets,
38275 - (atomic_t *)&priv->stats.rx_dropped);
38276 + atomic_add_unchecked(rx_status.dropped_packets,
38277 + (atomic_unchecked_t *)&priv->stats.rx_dropped);
38278 #endif
38279 }
38280
38281 diff -urNp linux-2.6.32.46/drivers/staging/octeon/ethernet-rx.c linux-2.6.32.46/drivers/staging/octeon/ethernet-rx.c
38282 --- linux-2.6.32.46/drivers/staging/octeon/ethernet-rx.c 2011-03-27 14:31:47.000000000 -0400
38283 +++ linux-2.6.32.46/drivers/staging/octeon/ethernet-rx.c 2011-05-04 17:56:28.000000000 -0400
38284 @@ -406,11 +406,11 @@ void cvm_oct_tasklet_rx(unsigned long un
38285 /* Increment RX stats for virtual ports */
38286 if (work->ipprt >= CVMX_PIP_NUM_INPUT_PORTS) {
38287 #ifdef CONFIG_64BIT
38288 - atomic64_add(1, (atomic64_t *)&priv->stats.rx_packets);
38289 - atomic64_add(skb->len, (atomic64_t *)&priv->stats.rx_bytes);
38290 + atomic64_add_unchecked(1, (atomic64_unchecked_t *)&priv->stats.rx_packets);
38291 + atomic64_add_unchecked(skb->len, (atomic64_unchecked_t *)&priv->stats.rx_bytes);
38292 #else
38293 - atomic_add(1, (atomic_t *)&priv->stats.rx_packets);
38294 - atomic_add(skb->len, (atomic_t *)&priv->stats.rx_bytes);
38295 + atomic_add_unchecked(1, (atomic_unchecked_t *)&priv->stats.rx_packets);
38296 + atomic_add_unchecked(skb->len, (atomic_unchecked_t *)&priv->stats.rx_bytes);
38297 #endif
38298 }
38299 netif_receive_skb(skb);
38300 @@ -424,9 +424,9 @@ void cvm_oct_tasklet_rx(unsigned long un
38301 dev->name);
38302 */
38303 #ifdef CONFIG_64BIT
38304 - atomic64_add(1, (atomic64_t *)&priv->stats.rx_dropped);
38305 + atomic64_add_unchecked(1, (atomic64_t *)&priv->stats.rx_dropped);
38306 #else
38307 - atomic_add(1, (atomic_t *)&priv->stats.rx_dropped);
38308 + atomic_add_unchecked(1, (atomic_t *)&priv->stats.rx_dropped);
38309 #endif
38310 dev_kfree_skb_irq(skb);
38311 }
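Review bot: The two added calls in this hunk switch to `atomic64_add_unchecked()` and `atomic_add_unchecked()` but keep the casts `(atomic64_t *)` and `(atomic_t *)`, whereas the previous hunk and ethernet.c cast to the `_unchecked_t` types. If the unchecked helpers take `atomic64_unchecked_t *` and `atomic_unchecked_t *`, as their names suggest, this passes a mismatched pointer type on configurations where the two types differ. The lines should read `atomic64_add_unchecked(1, (atomic64_unchecked_t *)&priv->stats.rx_dropped);` and `atomic_add_unchecked(1, (atomic_unchecked_t *)&priv->stats.rx_dropped);`. cvm_oct_tasklet_rx() continues outside the hunk.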
38312 diff -urNp linux-2.6.32.46/drivers/staging/panel/panel.c linux-2.6.32.46/drivers/staging/panel/panel.c
38313 --- linux-2.6.32.46/drivers/staging/panel/panel.c 2011-03-27 14:31:47.000000000 -0400
38314 +++ linux-2.6.32.46/drivers/staging/panel/panel.c 2011-04-17 15:56:46.000000000 -0400
38315 @@ -1305,7 +1305,7 @@ static int lcd_release(struct inode *ino
38316 return 0;
38317 }
38318
38319 -static struct file_operations lcd_fops = {
38320 +static const struct file_operations lcd_fops = {
38321 .write = lcd_write,
38322 .open = lcd_open,
38323 .release = lcd_release,
38324 @@ -1565,7 +1565,7 @@ static int keypad_release(struct inode *
38325 return 0;
38326 }
38327
38328 -static struct file_operations keypad_fops = {
38329 +static const struct file_operations keypad_fops = {
38330 .read = keypad_read, /* read */
38331 .open = keypad_open, /* open */
38332 .release = keypad_release, /* close */
38333 diff -urNp linux-2.6.32.46/drivers/staging/phison/phison.c linux-2.6.32.46/drivers/staging/phison/phison.c
38334 --- linux-2.6.32.46/drivers/staging/phison/phison.c 2011-03-27 14:31:47.000000000 -0400
38335 +++ linux-2.6.32.46/drivers/staging/phison/phison.c 2011-04-17 15:56:46.000000000 -0400
38336 @@ -43,7 +43,7 @@ static struct scsi_host_template phison_
38337 ATA_BMDMA_SHT(DRV_NAME),
38338 };
38339
38340 -static struct ata_port_operations phison_ops = {
38341 +static const struct ata_port_operations phison_ops = {
38342 .inherits = &ata_bmdma_port_ops,
38343 .prereset = phison_pre_reset,
38344 };
38345 diff -urNp linux-2.6.32.46/drivers/staging/poch/poch.c linux-2.6.32.46/drivers/staging/poch/poch.c
38346 --- linux-2.6.32.46/drivers/staging/poch/poch.c 2011-03-27 14:31:47.000000000 -0400
38347 +++ linux-2.6.32.46/drivers/staging/poch/poch.c 2011-04-17 15:56:46.000000000 -0400
38348 @@ -1057,7 +1057,7 @@ static int poch_ioctl(struct inode *inod
38349 return 0;
38350 }
38351
38352 -static struct file_operations poch_fops = {
38353 +static const struct file_operations poch_fops = {
38354 .owner = THIS_MODULE,
38355 .open = poch_open,
38356 .release = poch_release,
38357 diff -urNp linux-2.6.32.46/drivers/staging/pohmelfs/inode.c linux-2.6.32.46/drivers/staging/pohmelfs/inode.c
38358 --- linux-2.6.32.46/drivers/staging/pohmelfs/inode.c 2011-03-27 14:31:47.000000000 -0400
38359 +++ linux-2.6.32.46/drivers/staging/pohmelfs/inode.c 2011-05-04 17:56:20.000000000 -0400
38360 @@ -1850,7 +1850,7 @@ static int pohmelfs_fill_super(struct su
38361 mutex_init(&psb->mcache_lock);
38362 psb->mcache_root = RB_ROOT;
38363 psb->mcache_timeout = msecs_to_jiffies(5000);
38364 - atomic_long_set(&psb->mcache_gen, 0);
38365 + atomic_long_set_unchecked(&psb->mcache_gen, 0);
38366
38367 psb->trans_max_pages = 100;
38368
38369 @@ -1865,7 +1865,7 @@ static int pohmelfs_fill_super(struct su
38370 INIT_LIST_HEAD(&psb->crypto_ready_list);
38371 INIT_LIST_HEAD(&psb->crypto_active_list);
38372
38373 - atomic_set(&psb->trans_gen, 1);
38374 + atomic_set_unchecked(&psb->trans_gen, 1);
38375 atomic_long_set(&psb->total_inodes, 0);
38376
38377 mutex_init(&psb->state_lock);
38378 diff -urNp linux-2.6.32.46/drivers/staging/pohmelfs/mcache.c linux-2.6.32.46/drivers/staging/pohmelfs/mcache.c
38379 --- linux-2.6.32.46/drivers/staging/pohmelfs/mcache.c 2011-03-27 14:31:47.000000000 -0400
38380 +++ linux-2.6.32.46/drivers/staging/pohmelfs/mcache.c 2011-04-17 15:56:46.000000000 -0400
38381 @@ -121,7 +121,7 @@ struct pohmelfs_mcache *pohmelfs_mcache_
38382 m->data = data;
38383 m->start = start;
38384 m->size = size;
38385 - m->gen = atomic_long_inc_return(&psb->mcache_gen);
38386 + m->gen = atomic_long_inc_return_unchecked(&psb->mcache_gen);
38387
38388 mutex_lock(&psb->mcache_lock);
38389 err = pohmelfs_mcache_insert(psb, m);
38390 diff -urNp linux-2.6.32.46/drivers/staging/pohmelfs/netfs.h linux-2.6.32.46/drivers/staging/pohmelfs/netfs.h
38391 --- linux-2.6.32.46/drivers/staging/pohmelfs/netfs.h 2011-03-27 14:31:47.000000000 -0400
38392 +++ linux-2.6.32.46/drivers/staging/pohmelfs/netfs.h 2011-05-04 17:56:20.000000000 -0400
38393 @@ -570,14 +570,14 @@ struct pohmelfs_config;
38394 struct pohmelfs_sb {
38395 struct rb_root mcache_root;
38396 struct mutex mcache_lock;
38397 - atomic_long_t mcache_gen;
38398 + atomic_long_unchecked_t mcache_gen;
38399 unsigned long mcache_timeout;
38400
38401 unsigned int idx;
38402
38403 unsigned int trans_retries;
38404
38405 - atomic_t trans_gen;
38406 + atomic_unchecked_t trans_gen;
38407
38408 unsigned int crypto_attached_size;
38409 unsigned int crypto_align_size;
38410 diff -urNp linux-2.6.32.46/drivers/staging/pohmelfs/trans.c linux-2.6.32.46/drivers/staging/pohmelfs/trans.c
38411 --- linux-2.6.32.46/drivers/staging/pohmelfs/trans.c 2011-03-27 14:31:47.000000000 -0400
38412 +++ linux-2.6.32.46/drivers/staging/pohmelfs/trans.c 2011-05-04 17:56:28.000000000 -0400
38413 @@ -492,7 +492,7 @@ int netfs_trans_finish(struct netfs_tran
38414 int err;
38415 struct netfs_cmd *cmd = t->iovec.iov_base;
38416
38417 - t->gen = atomic_inc_return(&psb->trans_gen);
38418 + t->gen = atomic_inc_return_unchecked(&psb->trans_gen);
38419
38420 cmd->size = t->iovec.iov_len - sizeof(struct netfs_cmd) +
38421 t->attached_size + t->attached_pages * sizeof(struct netfs_cmd);
38422 diff -urNp linux-2.6.32.46/drivers/staging/sep/sep_driver.c linux-2.6.32.46/drivers/staging/sep/sep_driver.c
38423 --- linux-2.6.32.46/drivers/staging/sep/sep_driver.c 2011-03-27 14:31:47.000000000 -0400
38424 +++ linux-2.6.32.46/drivers/staging/sep/sep_driver.c 2011-04-17 15:56:46.000000000 -0400
38425 @@ -2603,7 +2603,7 @@ static struct pci_driver sep_pci_driver
38426 static dev_t sep_devno;
38427
38428 /* the files operations structure of the driver */
38429 -static struct file_operations sep_file_operations = {
38430 +static const struct file_operations sep_file_operations = {
38431 .owner = THIS_MODULE,
38432 .ioctl = sep_ioctl,
38433 .poll = sep_poll,
38434 diff -urNp linux-2.6.32.46/drivers/staging/usbip/usbip_common.h linux-2.6.32.46/drivers/staging/usbip/usbip_common.h
38435 --- linux-2.6.32.46/drivers/staging/usbip/usbip_common.h 2011-04-17 17:00:52.000000000 -0400
38436 +++ linux-2.6.32.46/drivers/staging/usbip/usbip_common.h 2011-08-23 20:24:26.000000000 -0400
38437 @@ -374,7 +374,7 @@ struct usbip_device {
38438 void (*shutdown)(struct usbip_device *);
38439 void (*reset)(struct usbip_device *);
38440 void (*unusable)(struct usbip_device *);
38441 - } eh_ops;
38442 + } __no_const eh_ops;
38443 };
38444
38445
38446 diff -urNp linux-2.6.32.46/drivers/staging/usbip/vhci.h linux-2.6.32.46/drivers/staging/usbip/vhci.h
38447 --- linux-2.6.32.46/drivers/staging/usbip/vhci.h 2011-03-27 14:31:47.000000000 -0400
38448 +++ linux-2.6.32.46/drivers/staging/usbip/vhci.h 2011-05-04 17:56:28.000000000 -0400
38449 @@ -92,7 +92,7 @@ struct vhci_hcd {
38450 unsigned resuming:1;
38451 unsigned long re_timeout;
38452
38453 - atomic_t seqnum;
38454 + atomic_unchecked_t seqnum;
38455
38456 /*
38457 * NOTE:
38458 diff -urNp linux-2.6.32.46/drivers/staging/usbip/vhci_hcd.c linux-2.6.32.46/drivers/staging/usbip/vhci_hcd.c
38459 --- linux-2.6.32.46/drivers/staging/usbip/vhci_hcd.c 2011-05-10 22:12:01.000000000 -0400
38460 +++ linux-2.6.32.46/drivers/staging/usbip/vhci_hcd.c 2011-05-10 22:12:33.000000000 -0400
38461 @@ -534,7 +534,7 @@ static void vhci_tx_urb(struct urb *urb)
38462 return;
38463 }
38464
38465 - priv->seqnum = atomic_inc_return(&the_controller->seqnum);
38466 + priv->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
38467 if (priv->seqnum == 0xffff)
38468 usbip_uinfo("seqnum max\n");
38469
38470 @@ -793,7 +793,7 @@ static int vhci_urb_dequeue(struct usb_h
38471 return -ENOMEM;
38472 }
38473
38474 - unlink->seqnum = atomic_inc_return(&the_controller->seqnum);
38475 + unlink->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
38476 if (unlink->seqnum == 0xffff)
38477 usbip_uinfo("seqnum max\n");
38478
38479 @@ -988,7 +988,7 @@ static int vhci_start(struct usb_hcd *hc
38480 vdev->rhport = rhport;
38481 }
38482
38483 - atomic_set(&vhci->seqnum, 0);
38484 + atomic_set_unchecked(&vhci->seqnum, 0);
38485 spin_lock_init(&vhci->lock);
38486
38487
38488 diff -urNp linux-2.6.32.46/drivers/staging/usbip/vhci_rx.c linux-2.6.32.46/drivers/staging/usbip/vhci_rx.c
38489 --- linux-2.6.32.46/drivers/staging/usbip/vhci_rx.c 2011-04-17 17:00:52.000000000 -0400
38490 +++ linux-2.6.32.46/drivers/staging/usbip/vhci_rx.c 2011-05-04 17:56:28.000000000 -0400
38491 @@ -78,7 +78,7 @@ static void vhci_recv_ret_submit(struct
38492 usbip_uerr("cannot find a urb of seqnum %u\n",
38493 pdu->base.seqnum);
38494 usbip_uinfo("max seqnum %d\n",
38495 - atomic_read(&the_controller->seqnum));
38496 + atomic_read_unchecked(&the_controller->seqnum));
38497 usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
38498 return;
38499 }
38500 diff -urNp linux-2.6.32.46/drivers/staging/vme/devices/vme_user.c linux-2.6.32.46/drivers/staging/vme/devices/vme_user.c
38501 --- linux-2.6.32.46/drivers/staging/vme/devices/vme_user.c 2011-03-27 14:31:47.000000000 -0400
38502 +++ linux-2.6.32.46/drivers/staging/vme/devices/vme_user.c 2011-04-17 15:56:46.000000000 -0400
38503 @@ -136,7 +136,7 @@ static int vme_user_ioctl(struct inode *
38504 static int __init vme_user_probe(struct device *, int, int);
38505 static int __exit vme_user_remove(struct device *, int, int);
38506
38507 -static struct file_operations vme_user_fops = {
38508 +static const struct file_operations vme_user_fops = {
38509 .open = vme_user_open,
38510 .release = vme_user_release,
38511 .read = vme_user_read,
38512 diff -urNp linux-2.6.32.46/drivers/staging/vt6655/hostap.c linux-2.6.32.46/drivers/staging/vt6655/hostap.c
38513 --- linux-2.6.32.46/drivers/staging/vt6655/hostap.c 2011-03-27 14:31:47.000000000 -0400
38514 +++ linux-2.6.32.46/drivers/staging/vt6655/hostap.c 2011-09-14 09:51:07.000000000 -0400
38515 @@ -84,7 +84,7 @@ static int hostap_enable_hostapd(PSDevic
38516 PSDevice apdev_priv;
38517 struct net_device *dev = pDevice->dev;
38518 int ret;
38519 - const struct net_device_ops apdev_netdev_ops = {
38520 + net_device_ops_no_const apdev_netdev_ops = {
38521 .ndo_start_xmit = pDevice->tx_80211,
38522 };
38523
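Review bot: `apdev_netdev_ops` is declared among the automatic variables of hostap_enable_hostapd(), so the table lives on that function's stack, and replacing `const struct net_device_ops` with `net_device_ops_no_const` does not change that. If its address is stored in a net_device that outlives the call (the assignment is not in this hunk), the device would keep a pointer into a dead stack frame. Allocating the table alongside the device's private data would avoid that. The identical hunk in vt6656/hostap.c has the same shape, and the function body continues outside both hunks.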
38524 diff -urNp linux-2.6.32.46/drivers/staging/vt6656/hostap.c linux-2.6.32.46/drivers/staging/vt6656/hostap.c
38525 --- linux-2.6.32.46/drivers/staging/vt6656/hostap.c 2011-03-27 14:31:47.000000000 -0400
38526 +++ linux-2.6.32.46/drivers/staging/vt6656/hostap.c 2011-09-14 09:49:53.000000000 -0400
38527 @@ -86,7 +86,7 @@ static int hostap_enable_hostapd(PSDevic
38528 PSDevice apdev_priv;
38529 struct net_device *dev = pDevice->dev;
38530 int ret;
38531 - const struct net_device_ops apdev_netdev_ops = {
38532 + net_device_ops_no_const apdev_netdev_ops = {
38533 .ndo_start_xmit = pDevice->tx_80211,
38534 };
38535
38536 diff -urNp linux-2.6.32.46/drivers/staging/wlan-ng/hfa384x_usb.c linux-2.6.32.46/drivers/staging/wlan-ng/hfa384x_usb.c
38537 --- linux-2.6.32.46/drivers/staging/wlan-ng/hfa384x_usb.c 2011-03-27 14:31:47.000000000 -0400
38538 +++ linux-2.6.32.46/drivers/staging/wlan-ng/hfa384x_usb.c 2011-08-23 20:24:26.000000000 -0400
38539 @@ -205,7 +205,7 @@ static void unlocked_usbctlx_complete(hf
38540
38541 struct usbctlx_completor {
38542 int (*complete) (struct usbctlx_completor *);
38543 -};
38544 +} __no_const;
38545 typedef struct usbctlx_completor usbctlx_completor_t;
38546
38547 static int
38548 diff -urNp linux-2.6.32.46/drivers/telephony/ixj.c linux-2.6.32.46/drivers/telephony/ixj.c
38549 --- linux-2.6.32.46/drivers/telephony/ixj.c 2011-03-27 14:31:47.000000000 -0400
38550 +++ linux-2.6.32.46/drivers/telephony/ixj.c 2011-05-16 21:46:57.000000000 -0400
38551 @@ -4976,6 +4976,8 @@ static int ixj_daa_cid_read(IXJ *j)
38552 bool mContinue;
38553 char *pIn, *pOut;
38554
38555 + pax_track_stack();
38556 +
38557 if (!SCI_Prepare(j))
38558 return 0;
38559
38560 diff -urNp linux-2.6.32.46/drivers/uio/uio.c linux-2.6.32.46/drivers/uio/uio.c
38561 --- linux-2.6.32.46/drivers/uio/uio.c 2011-03-27 14:31:47.000000000 -0400
38562 +++ linux-2.6.32.46/drivers/uio/uio.c 2011-05-04 17:56:20.000000000 -0400
38563 @@ -23,6 +23,7 @@
38564 #include <linux/string.h>
38565 #include <linux/kobject.h>
38566 #include <linux/uio_driver.h>
38567 +#include <asm/local.h>
38568
38569 #define UIO_MAX_DEVICES 255
38570
38571 @@ -30,10 +31,10 @@ struct uio_device {
38572 struct module *owner;
38573 struct device *dev;
38574 int minor;
38575 - atomic_t event;
38576 + atomic_unchecked_t event;
38577 struct fasync_struct *async_queue;
38578 wait_queue_head_t wait;
38579 - int vma_count;
38580 + local_t vma_count;
38581 struct uio_info *info;
38582 struct kobject *map_dir;
38583 struct kobject *portio_dir;
38584 @@ -129,7 +130,7 @@ static ssize_t map_type_show(struct kobj
38585 return entry->show(mem, buf);
38586 }
38587
38588 -static struct sysfs_ops map_sysfs_ops = {
38589 +static const struct sysfs_ops map_sysfs_ops = {
38590 .show = map_type_show,
38591 };
38592
38593 @@ -217,7 +218,7 @@ static ssize_t portio_type_show(struct k
38594 return entry->show(port, buf);
38595 }
38596
38597 -static struct sysfs_ops portio_sysfs_ops = {
38598 +static const struct sysfs_ops portio_sysfs_ops = {
38599 .show = portio_type_show,
38600 };
38601
38602 @@ -255,7 +256,7 @@ static ssize_t show_event(struct device
38603 struct uio_device *idev = dev_get_drvdata(dev);
38604 if (idev)
38605 return sprintf(buf, "%u\n",
38606 - (unsigned int)atomic_read(&idev->event));
38607 + (unsigned int)atomic_read_unchecked(&idev->event));
38608 else
38609 return -ENODEV;
38610 }
38611 @@ -424,7 +425,7 @@ void uio_event_notify(struct uio_info *i
38612 {
38613 struct uio_device *idev = info->uio_dev;
38614
38615 - atomic_inc(&idev->event);
38616 + atomic_inc_unchecked(&idev->event);
38617 wake_up_interruptible(&idev->wait);
38618 kill_fasync(&idev->async_queue, SIGIO, POLL_IN);
38619 }
38620 @@ -477,7 +478,7 @@ static int uio_open(struct inode *inode,
38621 }
38622
38623 listener->dev = idev;
38624 - listener->event_count = atomic_read(&idev->event);
38625 + listener->event_count = atomic_read_unchecked(&idev->event);
38626 filep->private_data = listener;
38627
38628 if (idev->info->open) {
38629 @@ -528,7 +529,7 @@ static unsigned int uio_poll(struct file
38630 return -EIO;
38631
38632 poll_wait(filep, &idev->wait, wait);
38633 - if (listener->event_count != atomic_read(&idev->event))
38634 + if (listener->event_count != atomic_read_unchecked(&idev->event))
38635 return POLLIN | POLLRDNORM;
38636 return 0;
38637 }
38638 @@ -553,7 +554,7 @@ static ssize_t uio_read(struct file *fil
38639 do {
38640 set_current_state(TASK_INTERRUPTIBLE);
38641
38642 - event_count = atomic_read(&idev->event);
38643 + event_count = atomic_read_unchecked(&idev->event);
38644 if (event_count != listener->event_count) {
38645 if (copy_to_user(buf, &event_count, count))
38646 retval = -EFAULT;
38647 @@ -624,13 +625,13 @@ static int uio_find_mem_index(struct vm_
38648 static void uio_vma_open(struct vm_area_struct *vma)
38649 {
38650 struct uio_device *idev = vma->vm_private_data;
38651 - idev->vma_count++;
38652 + local_inc(&idev->vma_count);
38653 }
38654
38655 static void uio_vma_close(struct vm_area_struct *vma)
38656 {
38657 struct uio_device *idev = vma->vm_private_data;
38658 - idev->vma_count--;
38659 + local_dec(&idev->vma_count);
38660 }
38661
38662 static int uio_vma_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
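Review bot: `local_inc()` and `local_dec()` are atomic only with respect to the CPU they run on, but `idev->vma_count` is a single counter per device. Whether uio_vma_open() and uio_vma_close() for one device are serialised across processes is not visible here. If two address spaces can map the device concurrently, updates can be lost just as with the old `int`. Declaring `atomic_t vma_count` and using `atomic_inc(&idev->vma_count);` / `atomic_dec(&idev->vma_count);` would be safe across CPUs.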
38663 @@ -840,7 +841,7 @@ int __uio_register_device(struct module
38664 idev->owner = owner;
38665 idev->info = info;
38666 init_waitqueue_head(&idev->wait);
38667 - atomic_set(&idev->event, 0);
38668 + atomic_set_unchecked(&idev->event, 0);
38669
38670 ret = uio_get_minor(idev);
38671 if (ret)
38672 diff -urNp linux-2.6.32.46/drivers/usb/atm/usbatm.c linux-2.6.32.46/drivers/usb/atm/usbatm.c
38673 --- linux-2.6.32.46/drivers/usb/atm/usbatm.c 2011-03-27 14:31:47.000000000 -0400
38674 +++ linux-2.6.32.46/drivers/usb/atm/usbatm.c 2011-04-17 15:56:46.000000000 -0400
38675 @@ -333,7 +333,7 @@ static void usbatm_extract_one_cell(stru
38676 if (printk_ratelimit())
38677 atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
38678 __func__, vpi, vci);
38679 - atomic_inc(&vcc->stats->rx_err);
38680 + atomic_inc_unchecked(&vcc->stats->rx_err);
38681 return;
38682 }
38683
38684 @@ -361,7 +361,7 @@ static void usbatm_extract_one_cell(stru
38685 if (length > ATM_MAX_AAL5_PDU) {
38686 atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
38687 __func__, length, vcc);
38688 - atomic_inc(&vcc->stats->rx_err);
38689 + atomic_inc_unchecked(&vcc->stats->rx_err);
38690 goto out;
38691 }
38692
38693 @@ -370,14 +370,14 @@ static void usbatm_extract_one_cell(stru
38694 if (sarb->len < pdu_length) {
38695 atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
38696 __func__, pdu_length, sarb->len, vcc);
38697 - atomic_inc(&vcc->stats->rx_err);
38698 + atomic_inc_unchecked(&vcc->stats->rx_err);
38699 goto out;
38700 }
38701
38702 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
38703 atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
38704 __func__, vcc);
38705 - atomic_inc(&vcc->stats->rx_err);
38706 + atomic_inc_unchecked(&vcc->stats->rx_err);
38707 goto out;
38708 }
38709
38710 @@ -387,7 +387,7 @@ static void usbatm_extract_one_cell(stru
38711 if (printk_ratelimit())
38712 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
38713 __func__, length);
38714 - atomic_inc(&vcc->stats->rx_drop);
38715 + atomic_inc_unchecked(&vcc->stats->rx_drop);
38716 goto out;
38717 }
38718
38719 @@ -412,7 +412,7 @@ static void usbatm_extract_one_cell(stru
38720
38721 vcc->push(vcc, skb);
38722
38723 - atomic_inc(&vcc->stats->rx);
38724 + atomic_inc_unchecked(&vcc->stats->rx);
38725 out:
38726 skb_trim(sarb, 0);
38727 }
38728 @@ -616,7 +616,7 @@ static void usbatm_tx_process(unsigned l
38729 struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
38730
38731 usbatm_pop(vcc, skb);
38732 - atomic_inc(&vcc->stats->tx);
38733 + atomic_inc_unchecked(&vcc->stats->tx);
38734
38735 skb = skb_dequeue(&instance->sndqueue);
38736 }
38737 @@ -775,11 +775,11 @@ static int usbatm_atm_proc_read(struct a
38738 if (!left--)
38739 return sprintf(page,
38740 "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
38741 - atomic_read(&atm_dev->stats.aal5.tx),
38742 - atomic_read(&atm_dev->stats.aal5.tx_err),
38743 - atomic_read(&atm_dev->stats.aal5.rx),
38744 - atomic_read(&atm_dev->stats.aal5.rx_err),
38745 - atomic_read(&atm_dev->stats.aal5.rx_drop));
38746 + atomic_read_unchecked(&atm_dev->stats.aal5.tx),
38747 + atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
38748 + atomic_read_unchecked(&atm_dev->stats.aal5.rx),
38749 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
38750 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
38751
38752 if (!left--) {
38753 if (instance->disconnected)
38754 diff -urNp linux-2.6.32.46/drivers/usb/class/cdc-wdm.c linux-2.6.32.46/drivers/usb/class/cdc-wdm.c
38755 --- linux-2.6.32.46/drivers/usb/class/cdc-wdm.c 2011-03-27 14:31:47.000000000 -0400
38756 +++ linux-2.6.32.46/drivers/usb/class/cdc-wdm.c 2011-04-17 15:56:46.000000000 -0400
38757 @@ -314,7 +314,7 @@ static ssize_t wdm_write
38758 if (r < 0)
38759 goto outnp;
38760
38761 - if (!file->f_flags && O_NONBLOCK)
38762 + if (!(file->f_flags & O_NONBLOCK))
38763 r = wait_event_interruptible(desc->wait, !test_bit(WDM_IN_USE,
38764 &desc->flags));
38765 else
38766 diff -urNp linux-2.6.32.46/drivers/usb/core/hcd.c linux-2.6.32.46/drivers/usb/core/hcd.c
38767 --- linux-2.6.32.46/drivers/usb/core/hcd.c 2011-03-27 14:31:47.000000000 -0400
38768 +++ linux-2.6.32.46/drivers/usb/core/hcd.c 2011-04-17 15:56:46.000000000 -0400
38769 @@ -2216,7 +2216,7 @@ EXPORT_SYMBOL_GPL(usb_hcd_platform_shutd
38770
38771 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
38772
38773 -struct usb_mon_operations *mon_ops;
38774 +const struct usb_mon_operations *mon_ops;
38775
38776 /*
38777 * The registration is unlocked.
38778 @@ -2226,7 +2226,7 @@ struct usb_mon_operations *mon_ops;
38779 * symbols from usbcore, usbcore gets referenced and cannot be unloaded first.
38780 */
38781
38782 -int usb_mon_register (struct usb_mon_operations *ops)
38783 +int usb_mon_register (const struct usb_mon_operations *ops)
38784 {
38785
38786 if (mon_ops)
38787 diff -urNp linux-2.6.32.46/drivers/usb/core/hcd.h linux-2.6.32.46/drivers/usb/core/hcd.h
38788 --- linux-2.6.32.46/drivers/usb/core/hcd.h 2011-03-27 14:31:47.000000000 -0400
38789 +++ linux-2.6.32.46/drivers/usb/core/hcd.h 2011-04-17 15:56:46.000000000 -0400
38790 @@ -486,13 +486,13 @@ static inline void usbfs_cleanup(void) {
38791 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
38792
38793 struct usb_mon_operations {
38794 - void (*urb_submit)(struct usb_bus *bus, struct urb *urb);
38795 - void (*urb_submit_error)(struct usb_bus *bus, struct urb *urb, int err);
38796 - void (*urb_complete)(struct usb_bus *bus, struct urb *urb, int status);
38797 + void (* const urb_submit)(struct usb_bus *bus, struct urb *urb);
38798 + void (* const urb_submit_error)(struct usb_bus *bus, struct urb *urb, int err);
38799 + void (* const urb_complete)(struct usb_bus *bus, struct urb *urb, int status);
38800 /* void (*urb_unlink)(struct usb_bus *bus, struct urb *urb); */
38801 };
38802
38803 -extern struct usb_mon_operations *mon_ops;
38804 +extern const struct usb_mon_operations *mon_ops;
38805
38806 static inline void usbmon_urb_submit(struct usb_bus *bus, struct urb *urb)
38807 {
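Review bot: The `const` added to each member and to the table type protects the callbacks, but the global `mon_ops` pointer itself stays writable, because only the pointee is const-qualified. That is presumably required because usb_mon_register() and usb_mon_deregister() assign it. A comment on the declaration, e.g. `/* table is read-only; the pointer is set by usb_mon_register() and cleared by usb_mon_deregister() */`, would make the remaining writable word explicit. Qualifying every member as well as the object also makes the struct non-assignable everywhere, which is worth stating if intended.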
38808 @@ -514,7 +514,7 @@ static inline void usbmon_urb_complete(s
38809 (*mon_ops->urb_complete)(bus, urb, status);
38810 }
38811
38812 -int usb_mon_register(struct usb_mon_operations *ops);
38813 +int usb_mon_register(const struct usb_mon_operations *ops);
38814 void usb_mon_deregister(void);
38815
38816 #else
38817 diff -urNp linux-2.6.32.46/drivers/usb/core/message.c linux-2.6.32.46/drivers/usb/core/message.c
38818 --- linux-2.6.32.46/drivers/usb/core/message.c 2011-03-27 14:31:47.000000000 -0400
38819 +++ linux-2.6.32.46/drivers/usb/core/message.c 2011-04-17 15:56:46.000000000 -0400
38820 @@ -914,8 +914,8 @@ char *usb_cache_string(struct usb_device
38821 buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
38822 if (buf) {
38823 len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
38824 - if (len > 0) {
38825 - smallbuf = kmalloc(++len, GFP_NOIO);
38826 + if (len++ > 0) {
38827 + smallbuf = kmalloc(len, GFP_NOIO);
38828 if (!smallbuf)
38829 return buf;
38830 memcpy(smallbuf, buf, len);
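Review bot: Moving the increment into the condition, `if (len++ > 0)`, now also bumps `len` when usb_string() returned zero or an error, which is harmless only while nothing after the block reads `len`. Writing `if (len > 0) {` followed by `len++;` before `kmalloc(len, GFP_NOIO)` keeps the allocation and the `memcpy()` on one explicit size without a side effect in the test. The copy of `len` bytes also presumes that usb_string() returns less than `MAX_USB_STRING_SIZE` and NUL-terminates `buf`, which this hunk does not show. usb_cache_string() starts and ends outside the hunk.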
38831 diff -urNp linux-2.6.32.46/drivers/usb/misc/appledisplay.c linux-2.6.32.46/drivers/usb/misc/appledisplay.c
38832 --- linux-2.6.32.46/drivers/usb/misc/appledisplay.c 2011-03-27 14:31:47.000000000 -0400
38833 +++ linux-2.6.32.46/drivers/usb/misc/appledisplay.c 2011-04-17 15:56:46.000000000 -0400
38834 @@ -178,7 +178,7 @@ static int appledisplay_bl_get_brightnes
38835 return pdata->msgdata[1];
38836 }
38837
38838 -static struct backlight_ops appledisplay_bl_data = {
38839 +static const struct backlight_ops appledisplay_bl_data = {
38840 .get_brightness = appledisplay_bl_get_brightness,
38841 .update_status = appledisplay_bl_update_status,
38842 };
38843 diff -urNp linux-2.6.32.46/drivers/usb/mon/mon_main.c linux-2.6.32.46/drivers/usb/mon/mon_main.c
38844 --- linux-2.6.32.46/drivers/usb/mon/mon_main.c 2011-03-27 14:31:47.000000000 -0400
38845 +++ linux-2.6.32.46/drivers/usb/mon/mon_main.c 2011-04-17 15:56:46.000000000 -0400
38846 @@ -238,7 +238,7 @@ static struct notifier_block mon_nb = {
38847 /*
38848 * Ops
38849 */
38850 -static struct usb_mon_operations mon_ops_0 = {
38851 +static const struct usb_mon_operations mon_ops_0 = {
38852 .urb_submit = mon_submit,
38853 .urb_submit_error = mon_submit_error,
38854 .urb_complete = mon_complete,
38855 diff -urNp linux-2.6.32.46/drivers/usb/wusbcore/wa-hc.h linux-2.6.32.46/drivers/usb/wusbcore/wa-hc.h
38856 --- linux-2.6.32.46/drivers/usb/wusbcore/wa-hc.h 2011-03-27 14:31:47.000000000 -0400
38857 +++ linux-2.6.32.46/drivers/usb/wusbcore/wa-hc.h 2011-05-04 17:56:28.000000000 -0400
38858 @@ -192,7 +192,7 @@ struct wahc {
38859 struct list_head xfer_delayed_list;
38860 spinlock_t xfer_list_lock;
38861 struct work_struct xfer_work;
38862 - atomic_t xfer_id_count;
38863 + atomic_unchecked_t xfer_id_count;
38864 };
38865
38866
38867 @@ -246,7 +246,7 @@ static inline void wa_init(struct wahc *
38868 INIT_LIST_HEAD(&wa->xfer_delayed_list);
38869 spin_lock_init(&wa->xfer_list_lock);
38870 INIT_WORK(&wa->xfer_work, wa_urb_enqueue_run);
38871 - atomic_set(&wa->xfer_id_count, 1);
38872 + atomic_set_unchecked(&wa->xfer_id_count, 1);
38873 }
38874
38875 /**
38876 diff -urNp linux-2.6.32.46/drivers/usb/wusbcore/wa-xfer.c linux-2.6.32.46/drivers/usb/wusbcore/wa-xfer.c
38877 --- linux-2.6.32.46/drivers/usb/wusbcore/wa-xfer.c 2011-03-27 14:31:47.000000000 -0400
38878 +++ linux-2.6.32.46/drivers/usb/wusbcore/wa-xfer.c 2011-05-04 17:56:28.000000000 -0400
38879 @@ -293,7 +293,7 @@ out:
38880 */
38881 static void wa_xfer_id_init(struct wa_xfer *xfer)
38882 {
38883 - xfer->id = atomic_add_return(1, &xfer->wa->xfer_id_count);
38884 + xfer->id = atomic_add_return_unchecked(1, &xfer->wa->xfer_id_count);
38885 }
38886
38887 /*
38888 diff -urNp linux-2.6.32.46/drivers/uwb/wlp/messages.c linux-2.6.32.46/drivers/uwb/wlp/messages.c
38889 --- linux-2.6.32.46/drivers/uwb/wlp/messages.c 2011-03-27 14:31:47.000000000 -0400
38890 +++ linux-2.6.32.46/drivers/uwb/wlp/messages.c 2011-04-17 15:56:46.000000000 -0400
38891 @@ -903,7 +903,7 @@ int wlp_parse_f0(struct wlp *wlp, struct
38892 size_t len = skb->len;
38893 size_t used;
38894 ssize_t result;
38895 - struct wlp_nonce enonce, rnonce;
38896 + struct wlp_nonce enonce = {{0}}, rnonce = {{0}};
38897 enum wlp_assc_error assc_err;
38898 char enonce_buf[WLP_WSS_NONCE_STRSIZE];
38899 char rnonce_buf[WLP_WSS_NONCE_STRSIZE];
38900 diff -urNp linux-2.6.32.46/drivers/uwb/wlp/sysfs.c linux-2.6.32.46/drivers/uwb/wlp/sysfs.c
38901 --- linux-2.6.32.46/drivers/uwb/wlp/sysfs.c 2011-03-27 14:31:47.000000000 -0400
38902 +++ linux-2.6.32.46/drivers/uwb/wlp/sysfs.c 2011-04-17 15:56:46.000000000 -0400
38903 @@ -615,8 +615,7 @@ ssize_t wlp_wss_attr_store(struct kobjec
38904 return ret;
38905 }
38906
38907 -static
38908 -struct sysfs_ops wss_sysfs_ops = {
38909 +static const struct sysfs_ops wss_sysfs_ops = {
38910 .show = wlp_wss_attr_show,
38911 .store = wlp_wss_attr_store,
38912 };
38913 diff -urNp linux-2.6.32.46/drivers/video/atmel_lcdfb.c linux-2.6.32.46/drivers/video/atmel_lcdfb.c
38914 --- linux-2.6.32.46/drivers/video/atmel_lcdfb.c 2011-03-27 14:31:47.000000000 -0400
38915 +++ linux-2.6.32.46/drivers/video/atmel_lcdfb.c 2011-04-17 15:56:46.000000000 -0400
38916 @@ -110,7 +110,7 @@ static int atmel_bl_get_brightness(struc
38917 return lcdc_readl(sinfo, ATMEL_LCDC_CONTRAST_VAL);
38918 }
38919
38920 -static struct backlight_ops atmel_lcdc_bl_ops = {
38921 +static const struct backlight_ops atmel_lcdc_bl_ops = {
38922 .update_status = atmel_bl_update_status,
38923 .get_brightness = atmel_bl_get_brightness,
38924 };
38925 diff -urNp linux-2.6.32.46/drivers/video/aty/aty128fb.c linux-2.6.32.46/drivers/video/aty/aty128fb.c
38926 --- linux-2.6.32.46/drivers/video/aty/aty128fb.c 2011-03-27 14:31:47.000000000 -0400
38927 +++ linux-2.6.32.46/drivers/video/aty/aty128fb.c 2011-04-17 15:56:46.000000000 -0400
38928 @@ -1787,7 +1787,7 @@ static int aty128_bl_get_brightness(stru
38929 return bd->props.brightness;
38930 }
38931
38932 -static struct backlight_ops aty128_bl_data = {
38933 +static const struct backlight_ops aty128_bl_data = {
38934 .get_brightness = aty128_bl_get_brightness,
38935 .update_status = aty128_bl_update_status,
38936 };
38937 diff -urNp linux-2.6.32.46/drivers/video/aty/atyfb_base.c linux-2.6.32.46/drivers/video/aty/atyfb_base.c
38938 --- linux-2.6.32.46/drivers/video/aty/atyfb_base.c 2011-03-27 14:31:47.000000000 -0400
38939 +++ linux-2.6.32.46/drivers/video/aty/atyfb_base.c 2011-04-17 15:56:46.000000000 -0400
38940 @@ -2225,7 +2225,7 @@ static int aty_bl_get_brightness(struct
38941 return bd->props.brightness;
38942 }
38943
38944 -static struct backlight_ops aty_bl_data = {
38945 +static const struct backlight_ops aty_bl_data = {
38946 .get_brightness = aty_bl_get_brightness,
38947 .update_status = aty_bl_update_status,
38948 };
38949 diff -urNp linux-2.6.32.46/drivers/video/aty/radeon_backlight.c linux-2.6.32.46/drivers/video/aty/radeon_backlight.c
38950 --- linux-2.6.32.46/drivers/video/aty/radeon_backlight.c 2011-03-27 14:31:47.000000000 -0400
38951 +++ linux-2.6.32.46/drivers/video/aty/radeon_backlight.c 2011-04-17 15:56:46.000000000 -0400
38952 @@ -127,7 +127,7 @@ static int radeon_bl_get_brightness(stru
38953 return bd->props.brightness;
38954 }
38955
38956 -static struct backlight_ops radeon_bl_data = {
38957 +static const struct backlight_ops radeon_bl_data = {
38958 .get_brightness = radeon_bl_get_brightness,
38959 .update_status = radeon_bl_update_status,
38960 };
38961 diff -urNp linux-2.6.32.46/drivers/video/backlight/adp5520_bl.c linux-2.6.32.46/drivers/video/backlight/adp5520_bl.c
38962 --- linux-2.6.32.46/drivers/video/backlight/adp5520_bl.c 2011-03-27 14:31:47.000000000 -0400
38963 +++ linux-2.6.32.46/drivers/video/backlight/adp5520_bl.c 2011-04-17 15:56:46.000000000 -0400
38964 @@ -84,7 +84,7 @@ static int adp5520_bl_get_brightness(str
38965 return error ? data->current_brightness : reg_val;
38966 }
38967
38968 -static struct backlight_ops adp5520_bl_ops = {
38969 +static const struct backlight_ops adp5520_bl_ops = {
38970 .update_status = adp5520_bl_update_status,
38971 .get_brightness = adp5520_bl_get_brightness,
38972 };
38973 diff -urNp linux-2.6.32.46/drivers/video/backlight/adx_bl.c linux-2.6.32.46/drivers/video/backlight/adx_bl.c
38974 --- linux-2.6.32.46/drivers/video/backlight/adx_bl.c 2011-03-27 14:31:47.000000000 -0400
38975 +++ linux-2.6.32.46/drivers/video/backlight/adx_bl.c 2011-04-17 15:56:46.000000000 -0400
38976 @@ -61,7 +61,7 @@ static int adx_backlight_check_fb(struct
38977 return 1;
38978 }
38979
38980 -static struct backlight_ops adx_backlight_ops = {
38981 +static const struct backlight_ops adx_backlight_ops = {
38982 .options = 0,
38983 .update_status = adx_backlight_update_status,
38984 .get_brightness = adx_backlight_get_brightness,
38985 diff -urNp linux-2.6.32.46/drivers/video/backlight/atmel-pwm-bl.c linux-2.6.32.46/drivers/video/backlight/atmel-pwm-bl.c
38986 --- linux-2.6.32.46/drivers/video/backlight/atmel-pwm-bl.c 2011-03-27 14:31:47.000000000 -0400
38987 +++ linux-2.6.32.46/drivers/video/backlight/atmel-pwm-bl.c 2011-04-17 15:56:46.000000000 -0400
38988 @@ -113,7 +113,7 @@ static int atmel_pwm_bl_init_pwm(struct
38989 return pwm_channel_enable(&pwmbl->pwmc);
38990 }
38991
38992 -static struct backlight_ops atmel_pwm_bl_ops = {
38993 +static const struct backlight_ops atmel_pwm_bl_ops = {
38994 .get_brightness = atmel_pwm_bl_get_intensity,
38995 .update_status = atmel_pwm_bl_set_intensity,
38996 };
38997 diff -urNp linux-2.6.32.46/drivers/video/backlight/backlight.c linux-2.6.32.46/drivers/video/backlight/backlight.c
38998 --- linux-2.6.32.46/drivers/video/backlight/backlight.c 2011-03-27 14:31:47.000000000 -0400
38999 +++ linux-2.6.32.46/drivers/video/backlight/backlight.c 2011-04-17 15:56:46.000000000 -0400
39000 @@ -269,7 +269,7 @@ EXPORT_SYMBOL(backlight_force_update);
39001 * ERR_PTR() or a pointer to the newly allocated device.
39002 */
39003 struct backlight_device *backlight_device_register(const char *name,
39004 - struct device *parent, void *devdata, struct backlight_ops *ops)
39005 + struct device *parent, void *devdata, const struct backlight_ops *ops)
39006 {
39007 struct backlight_device *new_bd;
39008 int rc;
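Review bot: The `ops` parameter of backlight_device_register() becomes `const struct backlight_ops *`, but this hunk shows neither the matching prototype nor the place the pointer is stored. Both need the same qualifier, otherwise the build warns about a discarded `const`. If the header is updated elsewhere in the patch, a comment above the definition such as `/* ops is never written through; drivers may keep it in read-only data */` would record the contract for callers. The function body continues outside the hunk, so the assignment itself cannot be checked here.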
39009 diff -urNp linux-2.6.32.46/drivers/video/backlight/corgi_lcd.c linux-2.6.32.46/drivers/video/backlight/corgi_lcd.c
39010 --- linux-2.6.32.46/drivers/video/backlight/corgi_lcd.c 2011-03-27 14:31:47.000000000 -0400
39011 +++ linux-2.6.32.46/drivers/video/backlight/corgi_lcd.c 2011-04-17 15:56:46.000000000 -0400
39012 @@ -451,7 +451,7 @@ void corgi_lcd_limit_intensity(int limit
39013 }
39014 EXPORT_SYMBOL(corgi_lcd_limit_intensity);
39015
39016 -static struct backlight_ops corgi_bl_ops = {
39017 +static const struct backlight_ops corgi_bl_ops = {
39018 .get_brightness = corgi_bl_get_intensity,
39019 .update_status = corgi_bl_update_status,
39020 };
39021 diff -urNp linux-2.6.32.46/drivers/video/backlight/cr_bllcd.c linux-2.6.32.46/drivers/video/backlight/cr_bllcd.c
39022 --- linux-2.6.32.46/drivers/video/backlight/cr_bllcd.c 2011-03-27 14:31:47.000000000 -0400
39023 +++ linux-2.6.32.46/drivers/video/backlight/cr_bllcd.c 2011-04-17 15:56:46.000000000 -0400
39024 @@ -108,7 +108,7 @@ static int cr_backlight_get_intensity(st
39025 return intensity;
39026 }
39027
39028 -static struct backlight_ops cr_backlight_ops = {
39029 +static const struct backlight_ops cr_backlight_ops = {
39030 .get_brightness = cr_backlight_get_intensity,
39031 .update_status = cr_backlight_set_intensity,
39032 };
39033 diff -urNp linux-2.6.32.46/drivers/video/backlight/da903x_bl.c linux-2.6.32.46/drivers/video/backlight/da903x_bl.c
39034 --- linux-2.6.32.46/drivers/video/backlight/da903x_bl.c 2011-03-27 14:31:47.000000000 -0400
39035 +++ linux-2.6.32.46/drivers/video/backlight/da903x_bl.c 2011-04-17 15:56:46.000000000 -0400
39036 @@ -94,7 +94,7 @@ static int da903x_backlight_get_brightne
39037 return data->current_brightness;
39038 }
39039
39040 -static struct backlight_ops da903x_backlight_ops = {
39041 +static const struct backlight_ops da903x_backlight_ops = {
39042 .update_status = da903x_backlight_update_status,
39043 .get_brightness = da903x_backlight_get_brightness,
39044 };
39045 diff -urNp linux-2.6.32.46/drivers/video/backlight/generic_bl.c linux-2.6.32.46/drivers/video/backlight/generic_bl.c
39046 --- linux-2.6.32.46/drivers/video/backlight/generic_bl.c 2011-03-27 14:31:47.000000000 -0400
39047 +++ linux-2.6.32.46/drivers/video/backlight/generic_bl.c 2011-04-17 15:56:46.000000000 -0400
39048 @@ -70,7 +70,7 @@ void corgibl_limit_intensity(int limit)
39049 }
39050 EXPORT_SYMBOL(corgibl_limit_intensity);
39051
39052 -static struct backlight_ops genericbl_ops = {
39053 +static const struct backlight_ops genericbl_ops = {
39054 .options = BL_CORE_SUSPENDRESUME,
39055 .get_brightness = genericbl_get_intensity,
39056 .update_status = genericbl_send_intensity,
39057 diff -urNp linux-2.6.32.46/drivers/video/backlight/hp680_bl.c linux-2.6.32.46/drivers/video/backlight/hp680_bl.c
39058 --- linux-2.6.32.46/drivers/video/backlight/hp680_bl.c 2011-03-27 14:31:47.000000000 -0400
39059 +++ linux-2.6.32.46/drivers/video/backlight/hp680_bl.c 2011-04-17 15:56:46.000000000 -0400
39060 @@ -98,7 +98,7 @@ static int hp680bl_get_intensity(struct
39061 return current_intensity;
39062 }
39063
39064 -static struct backlight_ops hp680bl_ops = {
39065 +static const struct backlight_ops hp680bl_ops = {
39066 .get_brightness = hp680bl_get_intensity,
39067 .update_status = hp680bl_set_intensity,
39068 };
39069 diff -urNp linux-2.6.32.46/drivers/video/backlight/jornada720_bl.c linux-2.6.32.46/drivers/video/backlight/jornada720_bl.c
39070 --- linux-2.6.32.46/drivers/video/backlight/jornada720_bl.c 2011-03-27 14:31:47.000000000 -0400
39071 +++ linux-2.6.32.46/drivers/video/backlight/jornada720_bl.c 2011-04-17 15:56:46.000000000 -0400
39072 @@ -93,7 +93,7 @@ out:
39073 return ret;
39074 }
39075
39076 -static struct backlight_ops jornada_bl_ops = {
39077 +static const struct backlight_ops jornada_bl_ops = {
39078 .get_brightness = jornada_bl_get_brightness,
39079 .update_status = jornada_bl_update_status,
39080 .options = BL_CORE_SUSPENDRESUME,
39081 diff -urNp linux-2.6.32.46/drivers/video/backlight/kb3886_bl.c linux-2.6.32.46/drivers/video/backlight/kb3886_bl.c
39082 --- linux-2.6.32.46/drivers/video/backlight/kb3886_bl.c 2011-03-27 14:31:47.000000000 -0400
39083 +++ linux-2.6.32.46/drivers/video/backlight/kb3886_bl.c 2011-04-17 15:56:46.000000000 -0400
39084 @@ -134,7 +134,7 @@ static int kb3886bl_get_intensity(struct
39085 return kb3886bl_intensity;
39086 }
39087
39088 -static struct backlight_ops kb3886bl_ops = {
39089 +static const struct backlight_ops kb3886bl_ops = {
39090 .get_brightness = kb3886bl_get_intensity,
39091 .update_status = kb3886bl_send_intensity,
39092 };
39093 diff -urNp linux-2.6.32.46/drivers/video/backlight/locomolcd.c linux-2.6.32.46/drivers/video/backlight/locomolcd.c
39094 --- linux-2.6.32.46/drivers/video/backlight/locomolcd.c 2011-03-27 14:31:47.000000000 -0400
39095 +++ linux-2.6.32.46/drivers/video/backlight/locomolcd.c 2011-04-17 15:56:46.000000000 -0400
39096 @@ -141,7 +141,7 @@ static int locomolcd_get_intensity(struc
39097 return current_intensity;
39098 }
39099
39100 -static struct backlight_ops locomobl_data = {
39101 +static const struct backlight_ops locomobl_data = {
39102 .get_brightness = locomolcd_get_intensity,
39103 .update_status = locomolcd_set_intensity,
39104 };
39105 diff -urNp linux-2.6.32.46/drivers/video/backlight/mbp_nvidia_bl.c linux-2.6.32.46/drivers/video/backlight/mbp_nvidia_bl.c
39106 --- linux-2.6.32.46/drivers/video/backlight/mbp_nvidia_bl.c 2011-05-10 22:12:01.000000000 -0400
39107 +++ linux-2.6.32.46/drivers/video/backlight/mbp_nvidia_bl.c 2011-05-10 22:12:33.000000000 -0400
39108 @@ -33,7 +33,7 @@ struct dmi_match_data {
39109 unsigned long iostart;
39110 unsigned long iolen;
39111 /* Backlight operations structure. */
39112 - struct backlight_ops backlight_ops;
39113 + const struct backlight_ops backlight_ops;
39114 };
39115
39116 /* Module parameters. */
39117 diff -urNp linux-2.6.32.46/drivers/video/backlight/omap1_bl.c linux-2.6.32.46/drivers/video/backlight/omap1_bl.c
39118 --- linux-2.6.32.46/drivers/video/backlight/omap1_bl.c 2011-03-27 14:31:47.000000000 -0400
39119 +++ linux-2.6.32.46/drivers/video/backlight/omap1_bl.c 2011-04-17 15:56:46.000000000 -0400
39120 @@ -125,7 +125,7 @@ static int omapbl_get_intensity(struct b
39121 return bl->current_intensity;
39122 }
39123
39124 -static struct backlight_ops omapbl_ops = {
39125 +static const struct backlight_ops omapbl_ops = {
39126 .get_brightness = omapbl_get_intensity,
39127 .update_status = omapbl_update_status,
39128 };
39129 diff -urNp linux-2.6.32.46/drivers/video/backlight/progear_bl.c linux-2.6.32.46/drivers/video/backlight/progear_bl.c
39130 --- linux-2.6.32.46/drivers/video/backlight/progear_bl.c 2011-03-27 14:31:47.000000000 -0400
39131 +++ linux-2.6.32.46/drivers/video/backlight/progear_bl.c 2011-04-17 15:56:46.000000000 -0400
39132 @@ -54,7 +54,7 @@ static int progearbl_get_intensity(struc
39133 return intensity - HW_LEVEL_MIN;
39134 }
39135
39136 -static struct backlight_ops progearbl_ops = {
39137 +static const struct backlight_ops progearbl_ops = {
39138 .get_brightness = progearbl_get_intensity,
39139 .update_status = progearbl_set_intensity,
39140 };
39141 diff -urNp linux-2.6.32.46/drivers/video/backlight/pwm_bl.c linux-2.6.32.46/drivers/video/backlight/pwm_bl.c
39142 --- linux-2.6.32.46/drivers/video/backlight/pwm_bl.c 2011-03-27 14:31:47.000000000 -0400
39143 +++ linux-2.6.32.46/drivers/video/backlight/pwm_bl.c 2011-04-17 15:56:46.000000000 -0400
39144 @@ -56,7 +56,7 @@ static int pwm_backlight_get_brightness(
39145 return bl->props.brightness;
39146 }
39147
39148 -static struct backlight_ops pwm_backlight_ops = {
39149 +static const struct backlight_ops pwm_backlight_ops = {
39150 .update_status = pwm_backlight_update_status,
39151 .get_brightness = pwm_backlight_get_brightness,
39152 };
39153 diff -urNp linux-2.6.32.46/drivers/video/backlight/tosa_bl.c linux-2.6.32.46/drivers/video/backlight/tosa_bl.c
39154 --- linux-2.6.32.46/drivers/video/backlight/tosa_bl.c 2011-03-27 14:31:47.000000000 -0400
39155 +++ linux-2.6.32.46/drivers/video/backlight/tosa_bl.c 2011-04-17 15:56:46.000000000 -0400
39156 @@ -72,7 +72,7 @@ static int tosa_bl_get_brightness(struct
39157 return props->brightness;
39158 }
39159
39160 -static struct backlight_ops bl_ops = {
39161 +static const struct backlight_ops bl_ops = {
39162 .get_brightness = tosa_bl_get_brightness,
39163 .update_status = tosa_bl_update_status,
39164 };
39165 diff -urNp linux-2.6.32.46/drivers/video/backlight/wm831x_bl.c linux-2.6.32.46/drivers/video/backlight/wm831x_bl.c
39166 --- linux-2.6.32.46/drivers/video/backlight/wm831x_bl.c 2011-03-27 14:31:47.000000000 -0400
39167 +++ linux-2.6.32.46/drivers/video/backlight/wm831x_bl.c 2011-04-17 15:56:46.000000000 -0400
39168 @@ -112,7 +112,7 @@ static int wm831x_backlight_get_brightne
39169 return data->current_brightness;
39170 }
39171
39172 -static struct backlight_ops wm831x_backlight_ops = {
39173 +static const struct backlight_ops wm831x_backlight_ops = {
39174 .options = BL_CORE_SUSPENDRESUME,
39175 .update_status = wm831x_backlight_update_status,
39176 .get_brightness = wm831x_backlight_get_brightness,
39177 diff -urNp linux-2.6.32.46/drivers/video/bf54x-lq043fb.c linux-2.6.32.46/drivers/video/bf54x-lq043fb.c
39178 --- linux-2.6.32.46/drivers/video/bf54x-lq043fb.c 2011-03-27 14:31:47.000000000 -0400
39179 +++ linux-2.6.32.46/drivers/video/bf54x-lq043fb.c 2011-04-17 15:56:46.000000000 -0400
39180 @@ -463,7 +463,7 @@ static int bl_get_brightness(struct back
39181 return 0;
39182 }
39183
39184 -static struct backlight_ops bfin_lq043fb_bl_ops = {
39185 +static const struct backlight_ops bfin_lq043fb_bl_ops = {
39186 .get_brightness = bl_get_brightness,
39187 };
39188
39189 diff -urNp linux-2.6.32.46/drivers/video/bfin-t350mcqb-fb.c linux-2.6.32.46/drivers/video/bfin-t350mcqb-fb.c
39190 --- linux-2.6.32.46/drivers/video/bfin-t350mcqb-fb.c 2011-03-27 14:31:47.000000000 -0400
39191 +++ linux-2.6.32.46/drivers/video/bfin-t350mcqb-fb.c 2011-04-17 15:56:46.000000000 -0400
39192 @@ -381,7 +381,7 @@ static int bl_get_brightness(struct back
39193 return 0;
39194 }
39195
39196 -static struct backlight_ops bfin_lq043fb_bl_ops = {
39197 +static const struct backlight_ops bfin_lq043fb_bl_ops = {
39198 .get_brightness = bl_get_brightness,
39199 };
39200
39201 diff -urNp linux-2.6.32.46/drivers/video/fbcmap.c linux-2.6.32.46/drivers/video/fbcmap.c
39202 --- linux-2.6.32.46/drivers/video/fbcmap.c 2011-03-27 14:31:47.000000000 -0400
39203 +++ linux-2.6.32.46/drivers/video/fbcmap.c 2011-04-17 15:56:46.000000000 -0400
39204 @@ -266,8 +266,7 @@ int fb_set_user_cmap(struct fb_cmap_user
39205 rc = -ENODEV;
39206 goto out;
39207 }
39208 - if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
39209 - !info->fbops->fb_setcmap)) {
39210 + if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap) {
39211 rc = -EINVAL;
39212 goto out1;
39213 }
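Review bot: Removing `cmap->start < 0` is only safe if `start` is an unsigned field, which this hunk does not show. With an unsigned type the test was dead code; with a signed one the lower bound is now gone. A short comment at the remaining test, `/* cmap->start is unsigned: no lower-bound check needed */`, would keep a later type change from silently losing the validation. The same applies to the `con2fb.framebuffer < 0` test removed from do_fb_ioctl() in fbmem.c, where the value indexes `registered_fb[]` right after the remaining `>= FB_MAX` check. fb_set_user_cmap() starts and ends outside the hunk.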
39214 diff -urNp linux-2.6.32.46/drivers/video/fbmem.c linux-2.6.32.46/drivers/video/fbmem.c
39215 --- linux-2.6.32.46/drivers/video/fbmem.c 2011-03-27 14:31:47.000000000 -0400
39216 +++ linux-2.6.32.46/drivers/video/fbmem.c 2011-05-16 21:46:57.000000000 -0400
39217 @@ -403,7 +403,7 @@ static void fb_do_show_logo(struct fb_in
39218 image->dx += image->width + 8;
39219 }
39220 } else if (rotate == FB_ROTATE_UD) {
39221 - for (x = 0; x < num && image->dx >= 0; x++) {
39222 + for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
39223 info->fbops->fb_imageblit(info, image);
39224 image->dx -= image->width + 8;
39225 }
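Review bot: The new loop condition `(__s32)image->dx >= 0` only terminates correctly because `image->dx -= image->width + 8` wraps and the cast then reads the wrapped value as negative, and nothing in the code says so. This presumably means `dx` is an unsigned field, though its declaration is not in the hunk. A comment on the loop, e.g. `/* dx is unsigned; the cast detects the wrap below zero */`, would make the intent explicit. The `(__s32)image->dy` loop in the FB_ROTATE_CCW hunk that follows needs the same comment. Note also that a starting offset of 2^31 or more is now treated as negative and skips the loop; fb_do_show_logo() extends outside the hunk, so whether such values can occur is not visible.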
39226 @@ -415,7 +415,7 @@ static void fb_do_show_logo(struct fb_in
39227 image->dy += image->height + 8;
39228 }
39229 } else if (rotate == FB_ROTATE_CCW) {
39230 - for (x = 0; x < num && image->dy >= 0; x++) {
39231 + for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
39232 info->fbops->fb_imageblit(info, image);
39233 image->dy -= image->height + 8;
39234 }
39235 @@ -915,6 +915,8 @@ fb_set_var(struct fb_info *info, struct
39236 int flags = info->flags;
39237 int ret = 0;
39238
39239 + pax_track_stack();
39240 +
39241 if (var->activate & FB_ACTIVATE_INV_MODE) {
39242 struct fb_videomode mode1, mode2;
39243
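Review bot: The added `pax_track_stack();` call has no comment saying why fb_set_var() needs it, and the same bare call is added to do_fb_ioctl() in the next hunk. Presumably both are instrumented because they keep sizeable structures on the stack; the context lines here show `struct fb_videomode mode1, mode2`. If so, a comment at each call such as `/* large stack frame: record depth for stack clearing */` would say it. Both functions continue outside their hunks, so the actual frame sizes cannot be confirmed from here.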
39244 @@ -1040,6 +1042,8 @@ static long do_fb_ioctl(struct fb_info *
39245 void __user *argp = (void __user *)arg;
39246 long ret = 0;
39247
39248 + pax_track_stack();
39249 +
39250 switch (cmd) {
39251 case FBIOGET_VSCREENINFO:
39252 if (!lock_fb_info(info))
39253 @@ -1119,7 +1123,7 @@ static long do_fb_ioctl(struct fb_info *
39254 return -EFAULT;
39255 if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
39256 return -EINVAL;
39257 - if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
39258 + if (con2fb.framebuffer >= FB_MAX)
39259 return -EINVAL;
39260 if (!registered_fb[con2fb.framebuffer])
39261 request_module("fb%d", con2fb.framebuffer);
39262 diff -urNp linux-2.6.32.46/drivers/video/i810/i810_accel.c linux-2.6.32.46/drivers/video/i810/i810_accel.c
39263 --- linux-2.6.32.46/drivers/video/i810/i810_accel.c 2011-03-27 14:31:47.000000000 -0400
39264 +++ linux-2.6.32.46/drivers/video/i810/i810_accel.c 2011-04-17 15:56:46.000000000 -0400
39265 @@ -73,6 +73,7 @@ static inline int wait_for_space(struct
39266 }
39267 }
39268 printk("ringbuffer lockup!!!\n");
39269 + printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
39270 i810_report_error(mmio);
39271 par->dev_flags |= LOCKUP;
39272 info->pixmap.scan_align = 1;
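Review bot: The added diagnostic `printk` has no log level, so it is emitted at the default level. Its `%u` conversions must also match the types of `head`, `tail`, `par->iring.size` and `space`, which are declared outside the hunk. I would write it as `printk(KERN_ERR "head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);` and confirm all four operands are unsigned int. The existing `printk("ringbuffer lockup!!!\n")` on the line above lacks a level too. wait_for_space() starts outside the hunk.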
39273 diff -urNp linux-2.6.32.46/drivers/video/logo/logo_linux_clut224.ppm linux-2.6.32.46/drivers/video/logo/logo_linux_clut224.ppm
39274 --- linux-2.6.32.46/drivers/video/logo/logo_linux_clut224.ppm 2011-03-27 14:31:47.000000000 -0400
39275 +++ linux-2.6.32.46/drivers/video/logo/logo_linux_clut224.ppm 2011-08-29 23:49:24.000000000 -0400
39276 @@ -1,1604 +1,1123 @@
39277 P3
39278 -# Standard 224-color Linux logo
39279 80 80
39280 255
39281 - 0 0 0 0 0 0 0 0 0 0 0 0
39282 - 0 0 0 0 0 0 0 0 0 0 0 0
39283 - 0 0 0 0 0 0 0 0 0 0 0 0
39284 - 0 0 0 0 0 0 0 0 0 0 0 0
39285 - 0 0 0 0 0 0 0 0 0 0 0 0
39286 - 0 0 0 0 0 0 0 0 0 0 0 0
39287 - 0 0 0 0 0 0 0 0 0 0 0 0
39288 - 0 0 0 0 0 0 0 0 0 0 0 0
39289 - 0 0 0 0 0 0 0 0 0 0 0 0
39290 - 6 6 6 6 6 6 10 10 10 10 10 10
39291 - 10 10 10 6 6 6 6 6 6 6 6 6
39292 - 0 0 0 0 0 0 0 0 0 0 0 0
39293 - 0 0 0 0 0 0 0 0 0 0 0 0
39294 - 0 0 0 0 0 0 0 0 0 0 0 0
39295 - 0 0 0 0 0 0 0 0 0 0 0 0
39296 - 0 0 0 0 0 0 0 0 0 0 0 0
39297 - 0 0 0 0 0 0 0 0 0 0 0 0
39298 - 0 0 0 0 0 0 0 0 0 0 0 0
39299 - 0 0 0 0 0 0 0 0 0 0 0 0
39300 - 0 0 0 0 0 0 0 0 0 0 0 0
39301 - 0 0 0 0 0 0 0 0 0 0 0 0
39302 - 0 0 0 0 0 0 0 0 0 0 0 0
39303 - 0 0 0 0 0 0 0 0 0 0 0 0
39304 - 0 0 0 0 0 0 0 0 0 0 0 0
39305 - 0 0 0 0 0 0 0 0 0 0 0 0
39306 - 0 0 0 0 0 0 0 0 0 0 0 0
39307 - 0 0 0 0 0 0 0 0 0 0 0 0
39308 - 0 0 0 0 0 0 0 0 0 0 0 0
39309 - 0 0 0 6 6 6 10 10 10 14 14 14
39310 - 22 22 22 26 26 26 30 30 30 34 34 34
39311 - 30 30 30 30 30 30 26 26 26 18 18 18
39312 - 14 14 14 10 10 10 6 6 6 0 0 0
39313 - 0 0 0 0 0 0 0 0 0 0 0 0
39314 - 0 0 0 0 0 0 0 0 0 0 0 0
39315 - 0 0 0 0 0 0 0 0 0 0 0 0
39316 - 0 0 0 0 0 0 0 0 0 0 0 0
39317 - 0 0 0 0 0 0 0 0 0 0 0 0
39318 - 0 0 0 0 0 0 0 0 0 0 0 0
39319 - 0 0 0 0 0 0 0 0 0 0 0 0
39320 - 0 0 0 0 0 0 0 0 0 0 0 0
39321 - 0 0 0 0 0 0 0 0 0 0 0 0
39322 - 0 0 0 0 0 1 0 0 1 0 0 0
39323 - 0 0 0 0 0 0 0 0 0 0 0 0
39324 - 0 0 0 0 0 0 0 0 0 0 0 0
39325 - 0 0 0 0 0 0 0 0 0 0 0 0
39326 - 0 0 0 0 0 0 0 0 0 0 0 0
39327 - 0 0 0 0 0 0 0 0 0 0 0 0
39328 - 0 0 0 0 0 0 0 0 0 0 0 0
39329 - 6 6 6 14 14 14 26 26 26 42 42 42
39330 - 54 54 54 66 66 66 78 78 78 78 78 78
39331 - 78 78 78 74 74 74 66 66 66 54 54 54
39332 - 42 42 42 26 26 26 18 18 18 10 10 10
39333 - 6 6 6 0 0 0 0 0 0 0 0 0
39334 - 0 0 0 0 0 0 0 0 0 0 0 0
39335 - 0 0 0 0 0 0 0 0 0 0 0 0
39336 - 0 0 0 0 0 0 0 0 0 0 0 0
39337 - 0 0 0 0 0 0 0 0 0 0 0 0
39338 - 0 0 0 0 0 0 0 0 0 0 0 0
39339 - 0 0 0 0 0 0 0 0 0 0 0 0
39340 - 0 0 0 0 0 0 0 0 0 0 0 0
39341 - 0 0 0 0 0 0 0 0 0 0 0 0
39342 - 0 0 1 0 0 0 0 0 0 0 0 0
39343 - 0 0 0 0 0 0 0 0 0 0 0 0
39344 - 0 0 0 0 0 0 0 0 0 0 0 0
39345 - 0 0 0 0 0 0 0 0 0 0 0 0
39346 - 0 0 0 0 0 0 0 0 0 0 0 0
39347 - 0 0 0 0 0 0 0 0 0 0 0 0
39348 - 0 0 0 0 0 0 0 0 0 10 10 10
39349 - 22 22 22 42 42 42 66 66 66 86 86 86
39350 - 66 66 66 38 38 38 38 38 38 22 22 22
39351 - 26 26 26 34 34 34 54 54 54 66 66 66
39352 - 86 86 86 70 70 70 46 46 46 26 26 26
39353 - 14 14 14 6 6 6 0 0 0 0 0 0
39354 - 0 0 0 0 0 0 0 0 0 0 0 0
39355 - 0 0 0 0 0 0 0 0 0 0 0 0
39356 - 0 0 0 0 0 0 0 0 0 0 0 0
39357 - 0 0 0 0 0 0 0 0 0 0 0 0
39358 - 0 0 0 0 0 0 0 0 0 0 0 0
39359 - 0 0 0 0 0 0 0 0 0 0 0 0
39360 - 0 0 0 0 0 0 0 0 0 0 0 0
39361 - 0 0 0 0 0 0 0 0 0 0 0 0
39362 - 0 0 1 0 0 1 0 0 1 0 0 0
39363 - 0 0 0 0 0 0 0 0 0 0 0 0
39364 - 0 0 0 0 0 0 0 0 0 0 0 0
39365 - 0 0 0 0 0 0 0 0 0 0 0 0
39366 - 0 0 0 0 0 0 0 0 0 0 0 0
39367 - 0 0 0 0 0 0 0 0 0 0 0 0
39368 - 0 0 0 0 0 0 10 10 10 26 26 26
39369 - 50 50 50 82 82 82 58 58 58 6 6 6
39370 - 2 2 6 2 2 6 2 2 6 2 2 6
39371 - 2 2 6 2 2 6 2 2 6 2 2 6
39372 - 6 6 6 54 54 54 86 86 86 66 66 66
39373 - 38 38 38 18 18 18 6 6 6 0 0 0
39374 - 0 0 0 0 0 0 0 0 0 0 0 0
39375 - 0 0 0 0 0 0 0 0 0 0 0 0
39376 - 0 0 0 0 0 0 0 0 0 0 0 0
39377 - 0 0 0 0 0 0 0 0 0 0 0 0
39378 - 0 0 0 0 0 0 0 0 0 0 0 0
39379 - 0 0 0 0 0 0 0 0 0 0 0 0
39380 - 0 0 0 0 0 0 0 0 0 0 0 0
39381 - 0 0 0 0 0 0 0 0 0 0 0 0
39382 - 0 0 0 0 0 0 0 0 0 0 0 0
39383 - 0 0 0 0 0 0 0 0 0 0 0 0
39384 - 0 0 0 0 0 0 0 0 0 0 0 0
39385 - 0 0 0 0 0 0 0 0 0 0 0 0
39386 - 0 0 0 0 0 0 0 0 0 0 0 0
39387 - 0 0 0 0 0 0 0 0 0 0 0 0
39388 - 0 0 0 6 6 6 22 22 22 50 50 50
39389 - 78 78 78 34 34 34 2 2 6 2 2 6
39390 - 2 2 6 2 2 6 2 2 6 2 2 6
39391 - 2 2 6 2 2 6 2 2 6 2 2 6
39392 - 2 2 6 2 2 6 6 6 6 70 70 70
39393 - 78 78 78 46 46 46 22 22 22 6 6 6
39394 - 0 0 0 0 0 0 0 0 0 0 0 0
39395 - 0 0 0 0 0 0 0 0 0 0 0 0
39396 - 0 0 0 0 0 0 0 0 0 0 0 0
39397 - 0 0 0 0 0 0 0 0 0 0 0 0
39398 - 0 0 0 0 0 0 0 0 0 0 0 0
39399 - 0 0 0 0 0 0 0 0 0 0 0 0
39400 - 0 0 0 0 0 0 0 0 0 0 0 0
39401 - 0 0 0 0 0 0 0 0 0 0 0 0
39402 - 0 0 1 0 0 1 0 0 1 0 0 0
39403 - 0 0 0 0 0 0 0 0 0 0 0 0
39404 - 0 0 0 0 0 0 0 0 0 0 0 0
39405 - 0 0 0 0 0 0 0 0 0 0 0 0
39406 - 0 0 0 0 0 0 0 0 0 0 0 0
39407 - 0 0 0 0 0 0 0 0 0 0 0 0
39408 - 6 6 6 18 18 18 42 42 42 82 82 82
39409 - 26 26 26 2 2 6 2 2 6 2 2 6
39410 - 2 2 6 2 2 6 2 2 6 2 2 6
39411 - 2 2 6 2 2 6 2 2 6 14 14 14
39412 - 46 46 46 34 34 34 6 6 6 2 2 6
39413 - 42 42 42 78 78 78 42 42 42 18 18 18
39414 - 6 6 6 0 0 0 0 0 0 0 0 0
39415 - 0 0 0 0 0 0 0 0 0 0 0 0
39416 - 0 0 0 0 0 0 0 0 0 0 0 0
39417 - 0 0 0 0 0 0 0 0 0 0 0 0
39418 - 0 0 0 0 0 0 0 0 0 0 0 0
39419 - 0 0 0 0 0 0 0 0 0 0 0 0
39420 - 0 0 0 0 0 0 0 0 0 0 0 0
39421 - 0 0 0 0 0 0 0 0 0 0 0 0
39422 - 0 0 1 0 0 0 0 0 1 0 0 0
39423 - 0 0 0 0 0 0 0 0 0 0 0 0
39424 - 0 0 0 0 0 0 0 0 0 0 0 0
39425 - 0 0 0 0 0 0 0 0 0 0 0 0
39426 - 0 0 0 0 0 0 0 0 0 0 0 0
39427 - 0 0 0 0 0 0 0 0 0 0 0 0
39428 - 10 10 10 30 30 30 66 66 66 58 58 58
39429 - 2 2 6 2 2 6 2 2 6 2 2 6
39430 - 2 2 6 2 2 6 2 2 6 2 2 6
39431 - 2 2 6 2 2 6 2 2 6 26 26 26
39432 - 86 86 86 101 101 101 46 46 46 10 10 10
39433 - 2 2 6 58 58 58 70 70 70 34 34 34
39434 - 10 10 10 0 0 0 0 0 0 0 0 0
39435 - 0 0 0 0 0 0 0 0 0 0 0 0
39436 - 0 0 0 0 0 0 0 0 0 0 0 0
39437 - 0 0 0 0 0 0 0 0 0 0 0 0
39438 - 0 0 0 0 0 0 0 0 0 0 0 0
39439 - 0 0 0 0 0 0 0 0 0 0 0 0
39440 - 0 0 0 0 0 0 0 0 0 0 0 0
39441 - 0 0 0 0 0 0 0 0 0 0 0 0
39442 - 0 0 1 0 0 1 0 0 1 0 0 0
39443 - 0 0 0 0 0 0 0 0 0 0 0 0
39444 - 0 0 0 0 0 0 0 0 0 0 0 0
39445 - 0 0 0 0 0 0 0 0 0 0 0 0
39446 - 0 0 0 0 0 0 0 0 0 0 0 0
39447 - 0 0 0 0 0 0 0 0 0 0 0 0
39448 - 14 14 14 42 42 42 86 86 86 10 10 10
39449 - 2 2 6 2 2 6 2 2 6 2 2 6
39450 - 2 2 6 2 2 6 2 2 6 2 2 6
39451 - 2 2 6 2 2 6 2 2 6 30 30 30
39452 - 94 94 94 94 94 94 58 58 58 26 26 26
39453 - 2 2 6 6 6 6 78 78 78 54 54 54
39454 - 22 22 22 6 6 6 0 0 0 0 0 0
39455 - 0 0 0 0 0 0 0 0 0 0 0 0
39456 - 0 0 0 0 0 0 0 0 0 0 0 0
39457 - 0 0 0 0 0 0 0 0 0 0 0 0
39458 - 0 0 0 0 0 0 0 0 0 0 0 0
39459 - 0 0 0 0 0 0 0 0 0 0 0 0
39460 - 0 0 0 0 0 0 0 0 0 0 0 0
39461 - 0 0 0 0 0 0 0 0 0 0 0 0
39462 - 0 0 0 0 0 0 0 0 0 0 0 0
39463 - 0 0 0 0 0 0 0 0 0 0 0 0
39464 - 0 0 0 0 0 0 0 0 0 0 0 0
39465 - 0 0 0 0 0 0 0 0 0 0 0 0
39466 - 0 0 0 0 0 0 0 0 0 0 0 0
39467 - 0 0 0 0 0 0 0 0 0 6 6 6
39468 - 22 22 22 62 62 62 62 62 62 2 2 6
39469 - 2 2 6 2 2 6 2 2 6 2 2 6
39470 - 2 2 6 2 2 6 2 2 6 2 2 6
39471 - 2 2 6 2 2 6 2 2 6 26 26 26
39472 - 54 54 54 38 38 38 18 18 18 10 10 10
39473 - 2 2 6 2 2 6 34 34 34 82 82 82
39474 - 38 38 38 14 14 14 0 0 0 0 0 0
39475 - 0 0 0 0 0 0 0 0 0 0 0 0
39476 - 0 0 0 0 0 0 0 0 0 0 0 0
39477 - 0 0 0 0 0 0 0 0 0 0 0 0
39478 - 0 0 0 0 0 0 0 0 0 0 0 0
39479 - 0 0 0 0 0 0 0 0 0 0 0 0
39480 - 0 0 0 0 0 0 0 0 0 0 0 0
39481 - 0 0 0 0 0 0 0 0 0 0 0 0
39482 - 0 0 0 0 0 1 0 0 1 0 0 0
39483 - 0 0 0 0 0 0 0 0 0 0 0 0
39484 - 0 0 0 0 0 0 0 0 0 0 0 0
39485 - 0 0 0 0 0 0 0 0 0 0 0 0
39486 - 0 0 0 0 0 0 0 0 0 0 0 0
39487 - 0 0 0 0 0 0 0 0 0 6 6 6
39488 - 30 30 30 78 78 78 30 30 30 2 2 6
39489 - 2 2 6 2 2 6 2 2 6 2 2 6
39490 - 2 2 6 2 2 6 2 2 6 2 2 6
39491 - 2 2 6 2 2 6 2 2 6 10 10 10
39492 - 10 10 10 2 2 6 2 2 6 2 2 6
39493 - 2 2 6 2 2 6 2 2 6 78 78 78
39494 - 50 50 50 18 18 18 6 6 6 0 0 0
39495 - 0 0 0 0 0 0 0 0 0 0 0 0
39496 - 0 0 0 0 0 0 0 0 0 0 0 0
39497 - 0 0 0 0 0 0 0 0 0 0 0 0
39498 - 0 0 0 0 0 0 0 0 0 0 0 0
39499 - 0 0 0 0 0 0 0 0 0 0 0 0
39500 - 0 0 0 0 0 0 0 0 0 0 0 0
39501 - 0 0 0 0 0 0 0 0 0 0 0 0
39502 - 0 0 1 0 0 0 0 0 0 0 0 0
39503 - 0 0 0 0 0 0 0 0 0 0 0 0
39504 - 0 0 0 0 0 0 0 0 0 0 0 0
39505 - 0 0 0 0 0 0 0 0 0 0 0 0
39506 - 0 0 0 0 0 0 0 0 0 0 0 0
39507 - 0 0 0 0 0 0 0 0 0 10 10 10
39508 - 38 38 38 86 86 86 14 14 14 2 2 6
39509 - 2 2 6 2 2 6 2 2 6 2 2 6
39510 - 2 2 6 2 2 6 2 2 6 2 2 6
39511 - 2 2 6 2 2 6 2 2 6 2 2 6
39512 - 2 2 6 2 2 6 2 2 6 2 2 6
39513 - 2 2 6 2 2 6 2 2 6 54 54 54
39514 - 66 66 66 26 26 26 6 6 6 0 0 0
39515 - 0 0 0 0 0 0 0 0 0 0 0 0
39516 - 0 0 0 0 0 0 0 0 0 0 0 0
39517 - 0 0 0 0 0 0 0 0 0 0 0 0
39518 - 0 0 0 0 0 0 0 0 0 0 0 0
39519 - 0 0 0 0 0 0 0 0 0 0 0 0
39520 - 0 0 0 0 0 0 0 0 0 0 0 0
39521 - 0 0 0 0 0 0 0 0 0 0 0 0
39522 - 0 0 0 0 0 1 0 0 1 0 0 0
39523 - 0 0 0 0 0 0 0 0 0 0 0 0
39524 - 0 0 0 0 0 0 0 0 0 0 0 0
39525 - 0 0 0 0 0 0 0 0 0 0 0 0
39526 - 0 0 0 0 0 0 0 0 0 0 0 0
39527 - 0 0 0 0 0 0 0 0 0 14 14 14
39528 - 42 42 42 82 82 82 2 2 6 2 2 6
39529 - 2 2 6 6 6 6 10 10 10 2 2 6
39530 - 2 2 6 2 2 6 2 2 6 2 2 6
39531 - 2 2 6 2 2 6 2 2 6 6 6 6
39532 - 14 14 14 10 10 10 2 2 6 2 2 6
39533 - 2 2 6 2 2 6 2 2 6 18 18 18
39534 - 82 82 82 34 34 34 10 10 10 0 0 0
39535 - 0 0 0 0 0 0 0 0 0 0 0 0
39536 - 0 0 0 0 0 0 0 0 0 0 0 0
39537 - 0 0 0 0 0 0 0 0 0 0 0 0
39538 - 0 0 0 0 0 0 0 0 0 0 0 0
39539 - 0 0 0 0 0 0 0 0 0 0 0 0
39540 - 0 0 0 0 0 0 0 0 0 0 0 0
39541 - 0 0 0 0 0 0 0 0 0 0 0 0
39542 - 0 0 1 0 0 0 0 0 0 0 0 0
39543 - 0 0 0 0 0 0 0 0 0 0 0 0
39544 - 0 0 0 0 0 0 0 0 0 0 0 0
39545 - 0 0 0 0 0 0 0 0 0 0 0 0
39546 - 0 0 0 0 0 0 0 0 0 0 0 0
39547 - 0 0 0 0 0 0 0 0 0 14 14 14
39548 - 46 46 46 86 86 86 2 2 6 2 2 6
39549 - 6 6 6 6 6 6 22 22 22 34 34 34
39550 - 6 6 6 2 2 6 2 2 6 2 2 6
39551 - 2 2 6 2 2 6 18 18 18 34 34 34
39552 - 10 10 10 50 50 50 22 22 22 2 2 6
39553 - 2 2 6 2 2 6 2 2 6 10 10 10
39554 - 86 86 86 42 42 42 14 14 14 0 0 0
39555 - 0 0 0 0 0 0 0 0 0 0 0 0
39556 - 0 0 0 0 0 0 0 0 0 0 0 0
39557 - 0 0 0 0 0 0 0 0 0 0 0 0
39558 - 0 0 0 0 0 0 0 0 0 0 0 0
39559 - 0 0 0 0 0 0 0 0 0 0 0 0
39560 - 0 0 0 0 0 0 0 0 0 0 0 0
39561 - 0 0 0 0 0 0 0 0 0 0 0 0
39562 - 0 0 1 0 0 1 0 0 1 0 0 0
39563 - 0 0 0 0 0 0 0 0 0 0 0 0
39564 - 0 0 0 0 0 0 0 0 0 0 0 0
39565 - 0 0 0 0 0 0 0 0 0 0 0 0
39566 - 0 0 0 0 0 0 0 0 0 0 0 0
39567 - 0 0 0 0 0 0 0 0 0 14 14 14
39568 - 46 46 46 86 86 86 2 2 6 2 2 6
39569 - 38 38 38 116 116 116 94 94 94 22 22 22
39570 - 22 22 22 2 2 6 2 2 6 2 2 6
39571 - 14 14 14 86 86 86 138 138 138 162 162 162
39572 -154 154 154 38 38 38 26 26 26 6 6 6
39573 - 2 2 6 2 2 6 2 2 6 2 2 6
39574 - 86 86 86 46 46 46 14 14 14 0 0 0
39575 - 0 0 0 0 0 0 0 0 0 0 0 0
39576 - 0 0 0 0 0 0 0 0 0 0 0 0
39577 - 0 0 0 0 0 0 0 0 0 0 0 0
39578 - 0 0 0 0 0 0 0 0 0 0 0 0
39579 - 0 0 0 0 0 0 0 0 0 0 0 0
39580 - 0 0 0 0 0 0 0 0 0 0 0 0
39581 - 0 0 0 0 0 0 0 0 0 0 0 0
39582 - 0 0 0 0 0 0 0 0 0 0 0 0
39583 - 0 0 0 0 0 0 0 0 0 0 0 0
39584 - 0 0 0 0 0 0 0 0 0 0 0 0
39585 - 0 0 0 0 0 0 0 0 0 0 0 0
39586 - 0 0 0 0 0 0 0 0 0 0 0 0
39587 - 0 0 0 0 0 0 0 0 0 14 14 14
39588 - 46 46 46 86 86 86 2 2 6 14 14 14
39589 -134 134 134 198 198 198 195 195 195 116 116 116
39590 - 10 10 10 2 2 6 2 2 6 6 6 6
39591 -101 98 89 187 187 187 210 210 210 218 218 218
39592 -214 214 214 134 134 134 14 14 14 6 6 6
39593 - 2 2 6 2 2 6 2 2 6 2 2 6
39594 - 86 86 86 50 50 50 18 18 18 6 6 6
39595 - 0 0 0 0 0 0 0 0 0 0 0 0
39596 - 0 0 0 0 0 0 0 0 0 0 0 0
39597 - 0 0 0 0 0 0 0 0 0 0 0 0
39598 - 0 0 0 0 0 0 0 0 0 0 0 0
39599 - 0 0 0 0 0 0 0 0 0 0 0 0
39600 - 0 0 0 0 0 0 0 0 0 0 0 0
39601 - 0 0 0 0 0 0 0 0 1 0 0 0
39602 - 0 0 1 0 0 1 0 0 1 0 0 0
39603 - 0 0 0 0 0 0 0 0 0 0 0 0
39604 - 0 0 0 0 0 0 0 0 0 0 0 0
39605 - 0 0 0 0 0 0 0 0 0 0 0 0
39606 - 0 0 0 0 0 0 0 0 0 0 0 0
39607 - 0 0 0 0 0 0 0 0 0 14 14 14
39608 - 46 46 46 86 86 86 2 2 6 54 54 54
39609 -218 218 218 195 195 195 226 226 226 246 246 246
39610 - 58 58 58 2 2 6 2 2 6 30 30 30
39611 -210 210 210 253 253 253 174 174 174 123 123 123
39612 -221 221 221 234 234 234 74 74 74 2 2 6
39613 - 2 2 6 2 2 6 2 2 6 2 2 6
39614 - 70 70 70 58 58 58 22 22 22 6 6 6
39615 - 0 0 0 0 0 0 0 0 0 0 0 0
39616 - 0 0 0 0 0 0 0 0 0 0 0 0
39617 - 0 0 0 0 0 0 0 0 0 0 0 0
39618 - 0 0 0 0 0 0 0 0 0 0 0 0
39619 - 0 0 0 0 0 0 0 0 0 0 0 0
39620 - 0 0 0 0 0 0 0 0 0 0 0 0
39621 - 0 0 0 0 0 0 0 0 0 0 0 0
39622 - 0 0 0 0 0 0 0 0 0 0 0 0
39623 - 0 0 0 0 0 0 0 0 0 0 0 0
39624 - 0 0 0 0 0 0 0 0 0 0 0 0
39625 - 0 0 0 0 0 0 0 0 0 0 0 0
39626 - 0 0 0 0 0 0 0 0 0 0 0 0
39627 - 0 0 0 0 0 0 0 0 0 14 14 14
39628 - 46 46 46 82 82 82 2 2 6 106 106 106
39629 -170 170 170 26 26 26 86 86 86 226 226 226
39630 -123 123 123 10 10 10 14 14 14 46 46 46
39631 -231 231 231 190 190 190 6 6 6 70 70 70
39632 - 90 90 90 238 238 238 158 158 158 2 2 6
39633 - 2 2 6 2 2 6 2 2 6 2 2 6
39634 - 70 70 70 58 58 58 22 22 22 6 6 6
39635 - 0 0 0 0 0 0 0 0 0 0 0 0
39636 - 0 0 0 0 0 0 0 0 0 0 0 0
39637 - 0 0 0 0 0 0 0 0 0 0 0 0
39638 - 0 0 0 0 0 0 0 0 0 0 0 0
39639 - 0 0 0 0 0 0 0 0 0 0 0 0
39640 - 0 0 0 0 0 0 0 0 0 0 0 0
39641 - 0 0 0 0 0 0 0 0 1 0 0 0
39642 - 0 0 1 0 0 1 0 0 1 0 0 0
39643 - 0 0 0 0 0 0 0 0 0 0 0 0
39644 - 0 0 0 0 0 0 0 0 0 0 0 0
39645 - 0 0 0 0 0 0 0 0 0 0 0 0
39646 - 0 0 0 0 0 0 0 0 0 0 0 0
39647 - 0 0 0 0 0 0 0 0 0 14 14 14
39648 - 42 42 42 86 86 86 6 6 6 116 116 116
39649 -106 106 106 6 6 6 70 70 70 149 149 149
39650 -128 128 128 18 18 18 38 38 38 54 54 54
39651 -221 221 221 106 106 106 2 2 6 14 14 14
39652 - 46 46 46 190 190 190 198 198 198 2 2 6
39653 - 2 2 6 2 2 6 2 2 6 2 2 6
39654 - 74 74 74 62 62 62 22 22 22 6 6 6
39655 - 0 0 0 0 0 0 0 0 0 0 0 0
39656 - 0 0 0 0 0 0 0 0 0 0 0 0
39657 - 0 0 0 0 0 0 0 0 0 0 0 0
39658 - 0 0 0 0 0 0 0 0 0 0 0 0
39659 - 0 0 0 0 0 0 0 0 0 0 0 0
39660 - 0 0 0 0 0 0 0 0 0 0 0 0
39661 - 0 0 0 0 0 0 0 0 1 0 0 0
39662 - 0 0 1 0 0 0 0 0 1 0 0 0
39663 - 0 0 0 0 0 0 0 0 0 0 0 0
39664 - 0 0 0 0 0 0 0 0 0 0 0 0
39665 - 0 0 0 0 0 0 0 0 0 0 0 0
39666 - 0 0 0 0 0 0 0 0 0 0 0 0
39667 - 0 0 0 0 0 0 0 0 0 14 14 14
39668 - 42 42 42 94 94 94 14 14 14 101 101 101
39669 -128 128 128 2 2 6 18 18 18 116 116 116
39670 -118 98 46 121 92 8 121 92 8 98 78 10
39671 -162 162 162 106 106 106 2 2 6 2 2 6
39672 - 2 2 6 195 195 195 195 195 195 6 6 6
39673 - 2 2 6 2 2 6 2 2 6 2 2 6
39674 - 74 74 74 62 62 62 22 22 22 6 6 6
39675 - 0 0 0 0 0 0 0 0 0 0 0 0
39676 - 0 0 0 0 0 0 0 0 0 0 0 0
39677 - 0 0 0 0 0 0 0 0 0 0 0 0
39678 - 0 0 0 0 0 0 0 0 0 0 0 0
39679 - 0 0 0 0 0 0 0 0 0 0 0 0
39680 - 0 0 0 0 0 0 0 0 0 0 0 0
39681 - 0 0 0 0 0 0 0 0 1 0 0 1
39682 - 0 0 1 0 0 0 0 0 1 0 0 0
39683 - 0 0 0 0 0 0 0 0 0 0 0 0
39684 - 0 0 0 0 0 0 0 0 0 0 0 0
39685 - 0 0 0 0 0 0 0 0 0 0 0 0
39686 - 0 0 0 0 0 0 0 0 0 0 0 0
39687 - 0 0 0 0 0 0 0 0 0 10 10 10
39688 - 38 38 38 90 90 90 14 14 14 58 58 58
39689 -210 210 210 26 26 26 54 38 6 154 114 10
39690 -226 170 11 236 186 11 225 175 15 184 144 12
39691 -215 174 15 175 146 61 37 26 9 2 2 6
39692 - 70 70 70 246 246 246 138 138 138 2 2 6
39693 - 2 2 6 2 2 6 2 2 6 2 2 6
39694 - 70 70 70 66 66 66 26 26 26 6 6 6
39695 - 0 0 0 0 0 0 0 0 0 0 0 0
39696 - 0 0 0 0 0 0 0 0 0 0 0 0
39697 - 0 0 0 0 0 0 0 0 0 0 0 0
39698 - 0 0 0 0 0 0 0 0 0 0 0 0
39699 - 0 0 0 0 0 0 0 0 0 0 0 0
39700 - 0 0 0 0 0 0 0 0 0 0 0 0
39701 - 0 0 0 0 0 0 0 0 0 0 0 0
39702 - 0 0 0 0 0 0 0 0 0 0 0 0
39703 - 0 0 0 0 0 0 0 0 0 0 0 0
39704 - 0 0 0 0 0 0 0 0 0 0 0 0
39705 - 0 0 0 0 0 0 0 0 0 0 0 0
39706 - 0 0 0 0 0 0 0 0 0 0 0 0
39707 - 0 0 0 0 0 0 0 0 0 10 10 10
39708 - 38 38 38 86 86 86 14 14 14 10 10 10
39709 -195 195 195 188 164 115 192 133 9 225 175 15
39710 -239 182 13 234 190 10 232 195 16 232 200 30
39711 -245 207 45 241 208 19 232 195 16 184 144 12
39712 -218 194 134 211 206 186 42 42 42 2 2 6
39713 - 2 2 6 2 2 6 2 2 6 2 2 6
39714 - 50 50 50 74 74 74 30 30 30 6 6 6
39715 - 0 0 0 0 0 0 0 0 0 0 0 0
39716 - 0 0 0 0 0 0 0 0 0 0 0 0
39717 - 0 0 0 0 0 0 0 0 0 0 0 0
39718 - 0 0 0 0 0 0 0 0 0 0 0 0
39719 - 0 0 0 0 0 0 0 0 0 0 0 0
39720 - 0 0 0 0 0 0 0 0 0 0 0 0
39721 - 0 0 0 0 0 0 0 0 0 0 0 0
39722 - 0 0 0 0 0 0 0 0 0 0 0 0
39723 - 0 0 0 0 0 0 0 0 0 0 0 0
39724 - 0 0 0 0 0 0 0 0 0 0 0 0
39725 - 0 0 0 0 0 0 0 0 0 0 0 0
39726 - 0 0 0 0 0 0 0 0 0 0 0 0
39727 - 0 0 0 0 0 0 0 0 0 10 10 10
39728 - 34 34 34 86 86 86 14 14 14 2 2 6
39729 -121 87 25 192 133 9 219 162 10 239 182 13
39730 -236 186 11 232 195 16 241 208 19 244 214 54
39731 -246 218 60 246 218 38 246 215 20 241 208 19
39732 -241 208 19 226 184 13 121 87 25 2 2 6
39733 - 2 2 6 2 2 6 2 2 6 2 2 6
39734 - 50 50 50 82 82 82 34 34 34 10 10 10
39735 - 0 0 0 0 0 0 0 0 0 0 0 0
39736 - 0 0 0 0 0 0 0 0 0 0 0 0
39737 - 0 0 0 0 0 0 0 0 0 0 0 0
39738 - 0 0 0 0 0 0 0 0 0 0 0 0
39739 - 0 0 0 0 0 0 0 0 0 0 0 0
39740 - 0 0 0 0 0 0 0 0 0 0 0 0
39741 - 0 0 0 0 0 0 0 0 0 0 0 0
39742 - 0 0 0 0 0 0 0 0 0 0 0 0
39743 - 0 0 0 0 0 0 0 0 0 0 0 0
39744 - 0 0 0 0 0 0 0 0 0 0 0 0
39745 - 0 0 0 0 0 0 0 0 0 0 0 0
39746 - 0 0 0 0 0 0 0 0 0 0 0 0
39747 - 0 0 0 0 0 0 0 0 0 10 10 10
39748 - 34 34 34 82 82 82 30 30 30 61 42 6
39749 -180 123 7 206 145 10 230 174 11 239 182 13
39750 -234 190 10 238 202 15 241 208 19 246 218 74
39751 -246 218 38 246 215 20 246 215 20 246 215 20
39752 -226 184 13 215 174 15 184 144 12 6 6 6
39753 - 2 2 6 2 2 6 2 2 6 2 2 6
39754 - 26 26 26 94 94 94 42 42 42 14 14 14
39755 - 0 0 0 0 0 0 0 0 0 0 0 0
39756 - 0 0 0 0 0 0 0 0 0 0 0 0
39757 - 0 0 0 0 0 0 0 0 0 0 0 0
39758 - 0 0 0 0 0 0 0 0 0 0 0 0
39759 - 0 0 0 0 0 0 0 0 0 0 0 0
39760 - 0 0 0 0 0 0 0 0 0 0 0 0
39761 - 0 0 0 0 0 0 0 0 0 0 0 0
39762 - 0 0 0 0 0 0 0 0 0 0 0 0
39763 - 0 0 0 0 0 0 0 0 0 0 0 0
39764 - 0 0 0 0 0 0 0 0 0 0 0 0
39765 - 0 0 0 0 0 0 0 0 0 0 0 0
39766 - 0 0 0 0 0 0 0 0 0 0 0 0
39767 - 0 0 0 0 0 0 0 0 0 10 10 10
39768 - 30 30 30 78 78 78 50 50 50 104 69 6
39769 -192 133 9 216 158 10 236 178 12 236 186 11
39770 -232 195 16 241 208 19 244 214 54 245 215 43
39771 -246 215 20 246 215 20 241 208 19 198 155 10
39772 -200 144 11 216 158 10 156 118 10 2 2 6
39773 - 2 2 6 2 2 6 2 2 6 2 2 6
39774 - 6 6 6 90 90 90 54 54 54 18 18 18
39775 - 6 6 6 0 0 0 0 0 0 0 0 0
39776 - 0 0 0 0 0 0 0 0 0 0 0 0
39777 - 0 0 0 0 0 0 0 0 0 0 0 0
39778 - 0 0 0 0 0 0 0 0 0 0 0 0
39779 - 0 0 0 0 0 0 0 0 0 0 0 0
39780 - 0 0 0 0 0 0 0 0 0 0 0 0
39781 - 0 0 0 0 0 0 0 0 0 0 0 0
39782 - 0 0 0 0 0 0 0 0 0 0 0 0
39783 - 0 0 0 0 0 0 0 0 0 0 0 0
39784 - 0 0 0 0 0 0 0 0 0 0 0 0
39785 - 0 0 0 0 0 0 0 0 0 0 0 0
39786 - 0 0 0 0 0 0 0 0 0 0 0 0
39787 - 0 0 0 0 0 0 0 0 0 10 10 10
39788 - 30 30 30 78 78 78 46 46 46 22 22 22
39789 -137 92 6 210 162 10 239 182 13 238 190 10
39790 -238 202 15 241 208 19 246 215 20 246 215 20
39791 -241 208 19 203 166 17 185 133 11 210 150 10
39792 -216 158 10 210 150 10 102 78 10 2 2 6
39793 - 6 6 6 54 54 54 14 14 14 2 2 6
39794 - 2 2 6 62 62 62 74 74 74 30 30 30
39795 - 10 10 10 0 0 0 0 0 0 0 0 0
39796 - 0 0 0 0 0 0 0 0 0 0 0 0
39797 - 0 0 0 0 0 0 0 0 0 0 0 0
39798 - 0 0 0 0 0 0 0 0 0 0 0 0
39799 - 0 0 0 0 0 0 0 0 0 0 0 0
39800 - 0 0 0 0 0 0 0 0 0 0 0 0
39801 - 0 0 0 0 0 0 0 0 0 0 0 0
39802 - 0 0 0 0 0 0 0 0 0 0 0 0
39803 - 0 0 0 0 0 0 0 0 0 0 0 0
39804 - 0 0 0 0 0 0 0 0 0 0 0 0
39805 - 0 0 0 0 0 0 0 0 0 0 0 0
39806 - 0 0 0 0 0 0 0 0 0 0 0 0
39807 - 0 0 0 0 0 0 0 0 0 10 10 10
39808 - 34 34 34 78 78 78 50 50 50 6 6 6
39809 - 94 70 30 139 102 15 190 146 13 226 184 13
39810 -232 200 30 232 195 16 215 174 15 190 146 13
39811 -168 122 10 192 133 9 210 150 10 213 154 11
39812 -202 150 34 182 157 106 101 98 89 2 2 6
39813 - 2 2 6 78 78 78 116 116 116 58 58 58
39814 - 2 2 6 22 22 22 90 90 90 46 46 46
39815 - 18 18 18 6 6 6 0 0 0 0 0 0
39816 - 0 0 0 0 0 0 0 0 0 0 0 0
39817 - 0 0 0 0 0 0 0 0 0 0 0 0
39818 - 0 0 0 0 0 0 0 0 0 0 0 0
39819 - 0 0 0 0 0 0 0 0 0 0 0 0
39820 - 0 0 0 0 0 0 0 0 0 0 0 0
39821 - 0 0 0 0 0 0 0 0 0 0 0 0
39822 - 0 0 0 0 0 0 0 0 0 0 0 0
39823 - 0 0 0 0 0 0 0 0 0 0 0 0
39824 - 0 0 0 0 0 0 0 0 0 0 0 0
39825 - 0 0 0 0 0 0 0 0 0 0 0 0
39826 - 0 0 0 0 0 0 0 0 0 0 0 0
39827 - 0 0 0 0 0 0 0 0 0 10 10 10
39828 - 38 38 38 86 86 86 50 50 50 6 6 6
39829 -128 128 128 174 154 114 156 107 11 168 122 10
39830 -198 155 10 184 144 12 197 138 11 200 144 11
39831 -206 145 10 206 145 10 197 138 11 188 164 115
39832 -195 195 195 198 198 198 174 174 174 14 14 14
39833 - 2 2 6 22 22 22 116 116 116 116 116 116
39834 - 22 22 22 2 2 6 74 74 74 70 70 70
39835 - 30 30 30 10 10 10 0 0 0 0 0 0
39836 - 0 0 0 0 0 0 0 0 0 0 0 0
39837 - 0 0 0 0 0 0 0 0 0 0 0 0
39838 - 0 0 0 0 0 0 0 0 0 0 0 0
39839 - 0 0 0 0 0 0 0 0 0 0 0 0
39840 - 0 0 0 0 0 0 0 0 0 0 0 0
39841 - 0 0 0 0 0 0 0 0 0 0 0 0
39842 - 0 0 0 0 0 0 0 0 0 0 0 0
39843 - 0 0 0 0 0 0 0 0 0 0 0 0
39844 - 0 0 0 0 0 0 0 0 0 0 0 0
39845 - 0 0 0 0 0 0 0 0 0 0 0 0
39846 - 0 0 0 0 0 0 0 0 0 0 0 0
39847 - 0 0 0 0 0 0 6 6 6 18 18 18
39848 - 50 50 50 101 101 101 26 26 26 10 10 10
39849 -138 138 138 190 190 190 174 154 114 156 107 11
39850 -197 138 11 200 144 11 197 138 11 192 133 9
39851 -180 123 7 190 142 34 190 178 144 187 187 187
39852 -202 202 202 221 221 221 214 214 214 66 66 66
39853 - 2 2 6 2 2 6 50 50 50 62 62 62
39854 - 6 6 6 2 2 6 10 10 10 90 90 90
39855 - 50 50 50 18 18 18 6 6 6 0 0 0
39856 - 0 0 0 0 0 0 0 0 0 0 0 0
39857 - 0 0 0 0 0 0 0 0 0 0 0 0
39858 - 0 0 0 0 0 0 0 0 0 0 0 0
39859 - 0 0 0 0 0 0 0 0 0 0 0 0
39860 - 0 0 0 0 0 0 0 0 0 0 0 0
39861 - 0 0 0 0 0 0 0 0 0 0 0 0
39862 - 0 0 0 0 0 0 0 0 0 0 0 0
39863 - 0 0 0 0 0 0 0 0 0 0 0 0
39864 - 0 0 0 0 0 0 0 0 0 0 0 0
39865 - 0 0 0 0 0 0 0 0 0 0 0 0
39866 - 0 0 0 0 0 0 0 0 0 0 0 0
39867 - 0 0 0 0 0 0 10 10 10 34 34 34
39868 - 74 74 74 74 74 74 2 2 6 6 6 6
39869 -144 144 144 198 198 198 190 190 190 178 166 146
39870 -154 121 60 156 107 11 156 107 11 168 124 44
39871 -174 154 114 187 187 187 190 190 190 210 210 210
39872 -246 246 246 253 253 253 253 253 253 182 182 182
39873 - 6 6 6 2 2 6 2 2 6 2 2 6
39874 - 2 2 6 2 2 6 2 2 6 62 62 62
39875 - 74 74 74 34 34 34 14 14 14 0 0 0
39876 - 0 0 0 0 0 0 0 0 0 0 0 0
39877 - 0 0 0 0 0 0 0 0 0 0 0 0
39878 - 0 0 0 0 0 0 0 0 0 0 0 0
39879 - 0 0 0 0 0 0 0 0 0 0 0 0
39880 - 0 0 0 0 0 0 0 0 0 0 0 0
39881 - 0 0 0 0 0 0 0 0 0 0 0 0
39882 - 0 0 0 0 0 0 0 0 0 0 0 0
39883 - 0 0 0 0 0 0 0 0 0 0 0 0
39884 - 0 0 0 0 0 0 0 0 0 0 0 0
39885 - 0 0 0 0 0 0 0 0 0 0 0 0
39886 - 0 0 0 0 0 0 0 0 0 0 0 0
39887 - 0 0 0 10 10 10 22 22 22 54 54 54
39888 - 94 94 94 18 18 18 2 2 6 46 46 46
39889 -234 234 234 221 221 221 190 190 190 190 190 190
39890 -190 190 190 187 187 187 187 187 187 190 190 190
39891 -190 190 190 195 195 195 214 214 214 242 242 242
39892 -253 253 253 253 253 253 253 253 253 253 253 253
39893 - 82 82 82 2 2 6 2 2 6 2 2 6
39894 - 2 2 6 2 2 6 2 2 6 14 14 14
39895 - 86 86 86 54 54 54 22 22 22 6 6 6
39896 - 0 0 0 0 0 0 0 0 0 0 0 0
39897 - 0 0 0 0 0 0 0 0 0 0 0 0
39898 - 0 0 0 0 0 0 0 0 0 0 0 0
39899 - 0 0 0 0 0 0 0 0 0 0 0 0
39900 - 0 0 0 0 0 0 0 0 0 0 0 0
39901 - 0 0 0 0 0 0 0 0 0 0 0 0
39902 - 0 0 0 0 0 0 0 0 0 0 0 0
39903 - 0 0 0 0 0 0 0 0 0 0 0 0
39904 - 0 0 0 0 0 0 0 0 0 0 0 0
39905 - 0 0 0 0 0 0 0 0 0 0 0 0
39906 - 0 0 0 0 0 0 0 0 0 0 0 0
39907 - 6 6 6 18 18 18 46 46 46 90 90 90
39908 - 46 46 46 18 18 18 6 6 6 182 182 182
39909 -253 253 253 246 246 246 206 206 206 190 190 190
39910 -190 190 190 190 190 190 190 190 190 190 190 190
39911 -206 206 206 231 231 231 250 250 250 253 253 253
39912 -253 253 253 253 253 253 253 253 253 253 253 253
39913 -202 202 202 14 14 14 2 2 6 2 2 6
39914 - 2 2 6 2 2 6 2 2 6 2 2 6
39915 - 42 42 42 86 86 86 42 42 42 18 18 18
39916 - 6 6 6 0 0 0 0 0 0 0 0 0
39917 - 0 0 0 0 0 0 0 0 0 0 0 0
39918 - 0 0 0 0 0 0 0 0 0 0 0 0
39919 - 0 0 0 0 0 0 0 0 0 0 0 0
39920 - 0 0 0 0 0 0 0 0 0 0 0 0
39921 - 0 0 0 0 0 0 0 0 0 0 0 0
39922 - 0 0 0 0 0 0 0 0 0 0 0 0
39923 - 0 0 0 0 0 0 0 0 0 0 0 0
39924 - 0 0 0 0 0 0 0 0 0 0 0 0
39925 - 0 0 0 0 0 0 0 0 0 0 0 0
39926 - 0 0 0 0 0 0 0 0 0 6 6 6
39927 - 14 14 14 38 38 38 74 74 74 66 66 66
39928 - 2 2 6 6 6 6 90 90 90 250 250 250
39929 -253 253 253 253 253 253 238 238 238 198 198 198
39930 -190 190 190 190 190 190 195 195 195 221 221 221
39931 -246 246 246 253 253 253 253 253 253 253 253 253
39932 -253 253 253 253 253 253 253 253 253 253 253 253
39933 -253 253 253 82 82 82 2 2 6 2 2 6
39934 - 2 2 6 2 2 6 2 2 6 2 2 6
39935 - 2 2 6 78 78 78 70 70 70 34 34 34
39936 - 14 14 14 6 6 6 0 0 0 0 0 0
39937 - 0 0 0 0 0 0 0 0 0 0 0 0
39938 - 0 0 0 0 0 0 0 0 0 0 0 0
39939 - 0 0 0 0 0 0 0 0 0 0 0 0
39940 - 0 0 0 0 0 0 0 0 0 0 0 0
39941 - 0 0 0 0 0 0 0 0 0 0 0 0
39942 - 0 0 0 0 0 0 0 0 0 0 0 0
39943 - 0 0 0 0 0 0 0 0 0 0 0 0
39944 - 0 0 0 0 0 0 0 0 0 0 0 0
39945 - 0 0 0 0 0 0 0 0 0 0 0 0
39946 - 0 0 0 0 0 0 0 0 0 14 14 14
39947 - 34 34 34 66 66 66 78 78 78 6 6 6
39948 - 2 2 6 18 18 18 218 218 218 253 253 253
39949 -253 253 253 253 253 253 253 253 253 246 246 246
39950 -226 226 226 231 231 231 246 246 246 253 253 253
39951 -253 253 253 253 253 253 253 253 253 253 253 253
39952 -253 253 253 253 253 253 253 253 253 253 253 253
39953 -253 253 253 178 178 178 2 2 6 2 2 6
39954 - 2 2 6 2 2 6 2 2 6 2 2 6
39955 - 2 2 6 18 18 18 90 90 90 62 62 62
39956 - 30 30 30 10 10 10 0 0 0 0 0 0
39957 - 0 0 0 0 0 0 0 0 0 0 0 0
39958 - 0 0 0 0 0 0 0 0 0 0 0 0
39959 - 0 0 0 0 0 0 0 0 0 0 0 0
39960 - 0 0 0 0 0 0 0 0 0 0 0 0
39961 - 0 0 0 0 0 0 0 0 0 0 0 0
39962 - 0 0 0 0 0 0 0 0 0 0 0 0
39963 - 0 0 0 0 0 0 0 0 0 0 0 0
39964 - 0 0 0 0 0 0 0 0 0 0 0 0
39965 - 0 0 0 0 0 0 0 0 0 0 0 0
39966 - 0 0 0 0 0 0 10 10 10 26 26 26
39967 - 58 58 58 90 90 90 18 18 18 2 2 6
39968 - 2 2 6 110 110 110 253 253 253 253 253 253
39969 -253 253 253 253 253 253 253 253 253 253 253 253
39970 -250 250 250 253 253 253 253 253 253 253 253 253
39971 -253 253 253 253 253 253 253 253 253 253 253 253
39972 -253 253 253 253 253 253 253 253 253 253 253 253
39973 -253 253 253 231 231 231 18 18 18 2 2 6
39974 - 2 2 6 2 2 6 2 2 6 2 2 6
39975 - 2 2 6 2 2 6 18 18 18 94 94 94
39976 - 54 54 54 26 26 26 10 10 10 0 0 0
39977 - 0 0 0 0 0 0 0 0 0 0 0 0
39978 - 0 0 0 0 0 0 0 0 0 0 0 0
39979 - 0 0 0 0 0 0 0 0 0 0 0 0
39980 - 0 0 0 0 0 0 0 0 0 0 0 0
39981 - 0 0 0 0 0 0 0 0 0 0 0 0
39982 - 0 0 0 0 0 0 0 0 0 0 0 0
39983 - 0 0 0 0 0 0 0 0 0 0 0 0
39984 - 0 0 0 0 0 0 0 0 0 0 0 0
39985 - 0 0 0 0 0 0 0 0 0 0 0 0
39986 - 0 0 0 6 6 6 22 22 22 50 50 50
39987 - 90 90 90 26 26 26 2 2 6 2 2 6
39988 - 14 14 14 195 195 195 250 250 250 253 253 253
39989 -253 253 253 253 253 253 253 253 253 253 253 253
39990 -253 253 253 253 253 253 253 253 253 253 253 253
39991 -253 253 253 253 253 253 253 253 253 253 253 253
39992 -253 253 253 253 253 253 253 253 253 253 253 253
39993 -250 250 250 242 242 242 54 54 54 2 2 6
39994 - 2 2 6 2 2 6 2 2 6 2 2 6
39995 - 2 2 6 2 2 6 2 2 6 38 38 38
39996 - 86 86 86 50 50 50 22 22 22 6 6 6
39997 - 0 0 0 0 0 0 0 0 0 0 0 0
39998 - 0 0 0 0 0 0 0 0 0 0 0 0
39999 - 0 0 0 0 0 0 0 0 0 0 0 0
40000 - 0 0 0 0 0 0 0 0 0 0 0 0
40001 - 0 0 0 0 0 0 0 0 0 0 0 0
40002 - 0 0 0 0 0 0 0 0 0 0 0 0
40003 - 0 0 0 0 0 0 0 0 0 0 0 0
40004 - 0 0 0 0 0 0 0 0 0 0 0 0
40005 - 0 0 0 0 0 0 0 0 0 0 0 0
40006 - 6 6 6 14 14 14 38 38 38 82 82 82
40007 - 34 34 34 2 2 6 2 2 6 2 2 6
40008 - 42 42 42 195 195 195 246 246 246 253 253 253
40009 -253 253 253 253 253 253 253 253 253 250 250 250
40010 -242 242 242 242 242 242 250 250 250 253 253 253
40011 -253 253 253 253 253 253 253 253 253 253 253 253
40012 -253 253 253 250 250 250 246 246 246 238 238 238
40013 -226 226 226 231 231 231 101 101 101 6 6 6
40014 - 2 2 6 2 2 6 2 2 6 2 2 6
40015 - 2 2 6 2 2 6 2 2 6 2 2 6
40016 - 38 38 38 82 82 82 42 42 42 14 14 14
40017 - 6 6 6 0 0 0 0 0 0 0 0 0
40018 - 0 0 0 0 0 0 0 0 0 0 0 0
40019 - 0 0 0 0 0 0 0 0 0 0 0 0
40020 - 0 0 0 0 0 0 0 0 0 0 0 0
40021 - 0 0 0 0 0 0 0 0 0 0 0 0
40022 - 0 0 0 0 0 0 0 0 0 0 0 0
40023 - 0 0 0 0 0 0 0 0 0 0 0 0
40024 - 0 0 0 0 0 0 0 0 0 0 0 0
40025 - 0 0 0 0 0 0 0 0 0 0 0 0
40026 - 10 10 10 26 26 26 62 62 62 66 66 66
40027 - 2 2 6 2 2 6 2 2 6 6 6 6
40028 - 70 70 70 170 170 170 206 206 206 234 234 234
40029 -246 246 246 250 250 250 250 250 250 238 238 238
40030 -226 226 226 231 231 231 238 238 238 250 250 250
40031 -250 250 250 250 250 250 246 246 246 231 231 231
40032 -214 214 214 206 206 206 202 202 202 202 202 202
40033 -198 198 198 202 202 202 182 182 182 18 18 18
40034 - 2 2 6 2 2 6 2 2 6 2 2 6
40035 - 2 2 6 2 2 6 2 2 6 2 2 6
40036 - 2 2 6 62 62 62 66 66 66 30 30 30
40037 - 10 10 10 0 0 0 0 0 0 0 0 0
40038 - 0 0 0 0 0 0 0 0 0 0 0 0
40039 - 0 0 0 0 0 0 0 0 0 0 0 0
40040 - 0 0 0 0 0 0 0 0 0 0 0 0
40041 - 0 0 0 0 0 0 0 0 0 0 0 0
40042 - 0 0 0 0 0 0 0 0 0 0 0 0
40043 - 0 0 0 0 0 0 0 0 0 0 0 0
40044 - 0 0 0 0 0 0 0 0 0 0 0 0
40045 - 0 0 0 0 0 0 0 0 0 0 0 0
40046 - 14 14 14 42 42 42 82 82 82 18 18 18
40047 - 2 2 6 2 2 6 2 2 6 10 10 10
40048 - 94 94 94 182 182 182 218 218 218 242 242 242
40049 -250 250 250 253 253 253 253 253 253 250 250 250
40050 -234 234 234 253 253 253 253 253 253 253 253 253
40051 -253 253 253 253 253 253 253 253 253 246 246 246
40052 -238 238 238 226 226 226 210 210 210 202 202 202
40053 -195 195 195 195 195 195 210 210 210 158 158 158
40054 - 6 6 6 14 14 14 50 50 50 14 14 14
40055 - 2 2 6 2 2 6 2 2 6 2 2 6
40056 - 2 2 6 6 6 6 86 86 86 46 46 46
40057 - 18 18 18 6 6 6 0 0 0 0 0 0
40058 - 0 0 0 0 0 0 0 0 0 0 0 0
40059 - 0 0 0 0 0 0 0 0 0 0 0 0
40060 - 0 0 0 0 0 0 0 0 0 0 0 0
40061 - 0 0 0 0 0 0 0 0 0 0 0 0
40062 - 0 0 0 0 0 0 0 0 0 0 0 0
40063 - 0 0 0 0 0 0 0 0 0 0 0 0
40064 - 0 0 0 0 0 0 0 0 0 0 0 0
40065 - 0 0 0 0 0 0 0 0 0 6 6 6
40066 - 22 22 22 54 54 54 70 70 70 2 2 6
40067 - 2 2 6 10 10 10 2 2 6 22 22 22
40068 -166 166 166 231 231 231 250 250 250 253 253 253
40069 -253 253 253 253 253 253 253 253 253 250 250 250
40070 -242 242 242 253 253 253 253 253 253 253 253 253
40071 -253 253 253 253 253 253 253 253 253 253 253 253
40072 -253 253 253 253 253 253 253 253 253 246 246 246
40073 -231 231 231 206 206 206 198 198 198 226 226 226
40074 - 94 94 94 2 2 6 6 6 6 38 38 38
40075 - 30 30 30 2 2 6 2 2 6 2 2 6
40076 - 2 2 6 2 2 6 62 62 62 66 66 66
40077 - 26 26 26 10 10 10 0 0 0 0 0 0
40078 - 0 0 0 0 0 0 0 0 0 0 0 0
40079 - 0 0 0 0 0 0 0 0 0 0 0 0
40080 - 0 0 0 0 0 0 0 0 0 0 0 0
40081 - 0 0 0 0 0 0 0 0 0 0 0 0
40082 - 0 0 0 0 0 0 0 0 0 0 0 0
40083 - 0 0 0 0 0 0 0 0 0 0 0 0
40084 - 0 0 0 0 0 0 0 0 0 0 0 0
40085 - 0 0 0 0 0 0 0 0 0 10 10 10
40086 - 30 30 30 74 74 74 50 50 50 2 2 6
40087 - 26 26 26 26 26 26 2 2 6 106 106 106
40088 -238 238 238 253 253 253 253 253 253 253 253 253
40089 -253 253 253 253 253 253 253 253 253 253 253 253
40090 -253 253 253 253 253 253 253 253 253 253 253 253
40091 -253 253 253 253 253 253 253 253 253 253 253 253
40092 -253 253 253 253 253 253 253 253 253 253 253 253
40093 -253 253 253 246 246 246 218 218 218 202 202 202
40094 -210 210 210 14 14 14 2 2 6 2 2 6
40095 - 30 30 30 22 22 22 2 2 6 2 2 6
40096 - 2 2 6 2 2 6 18 18 18 86 86 86
40097 - 42 42 42 14 14 14 0 0 0 0 0 0
40098 - 0 0 0 0 0 0 0 0 0 0 0 0
40099 - 0 0 0 0 0 0 0 0 0 0 0 0
40100 - 0 0 0 0 0 0 0 0 0 0 0 0
40101 - 0 0 0 0 0 0 0 0 0 0 0 0
40102 - 0 0 0 0 0 0 0 0 0 0 0 0
40103 - 0 0 0 0 0 0 0 0 0 0 0 0
40104 - 0 0 0 0 0 0 0 0 0 0 0 0
40105 - 0 0 0 0 0 0 0 0 0 14 14 14
40106 - 42 42 42 90 90 90 22 22 22 2 2 6
40107 - 42 42 42 2 2 6 18 18 18 218 218 218
40108 -253 253 253 253 253 253 253 253 253 253 253 253
40109 -253 253 253 253 253 253 253 253 253 253 253 253
40110 -253 253 253 253 253 253 253 253 253 253 253 253
40111 -253 253 253 253 253 253 253 253 253 253 253 253
40112 -253 253 253 253 253 253 253 253 253 253 253 253
40113 -253 253 253 253 253 253 250 250 250 221 221 221
40114 -218 218 218 101 101 101 2 2 6 14 14 14
40115 - 18 18 18 38 38 38 10 10 10 2 2 6
40116 - 2 2 6 2 2 6 2 2 6 78 78 78
40117 - 58 58 58 22 22 22 6 6 6 0 0 0
40118 - 0 0 0 0 0 0 0 0 0 0 0 0
40119 - 0 0 0 0 0 0 0 0 0 0 0 0
40120 - 0 0 0 0 0 0 0 0 0 0 0 0
40121 - 0 0 0 0 0 0 0 0 0 0 0 0
40122 - 0 0 0 0 0 0 0 0 0 0 0 0
40123 - 0 0 0 0 0 0 0 0 0 0 0 0
40124 - 0 0 0 0 0 0 0 0 0 0 0 0
40125 - 0 0 0 0 0 0 6 6 6 18 18 18
40126 - 54 54 54 82 82 82 2 2 6 26 26 26
40127 - 22 22 22 2 2 6 123 123 123 253 253 253
40128 -253 253 253 253 253 253 253 253 253 253 253 253
40129 -253 253 253 253 253 253 253 253 253 253 253 253
40130 -253 253 253 253 253 253 253 253 253 253 253 253
40131 -253 253 253 253 253 253 253 253 253 253 253 253
40132 -253 253 253 253 253 253 253 253 253 253 253 253
40133 -253 253 253 253 253 253 253 253 253 250 250 250
40134 -238 238 238 198 198 198 6 6 6 38 38 38
40135 - 58 58 58 26 26 26 38 38 38 2 2 6
40136 - 2 2 6 2 2 6 2 2 6 46 46 46
40137 - 78 78 78 30 30 30 10 10 10 0 0 0
40138 - 0 0 0 0 0 0 0 0 0 0 0 0
40139 - 0 0 0 0 0 0 0 0 0 0 0 0
40140 - 0 0 0 0 0 0 0 0 0 0 0 0
40141 - 0 0 0 0 0 0 0 0 0 0 0 0
40142 - 0 0 0 0 0 0 0 0 0 0 0 0
40143 - 0 0 0 0 0 0 0 0 0 0 0 0
40144 - 0 0 0 0 0 0 0 0 0 0 0 0
40145 - 0 0 0 0 0 0 10 10 10 30 30 30
40146 - 74 74 74 58 58 58 2 2 6 42 42 42
40147 - 2 2 6 22 22 22 231 231 231 253 253 253
40148 -253 253 253 253 253 253 253 253 253 253 253 253
40149 -253 253 253 253 253 253 253 253 253 250 250 250
40150 -253 253 253 253 253 253 253 253 253 253 253 253
40151 -253 253 253 253 253 253 253 253 253 253 253 253
40152 -253 253 253 253 253 253 253 253 253 253 253 253
40153 -253 253 253 253 253 253 253 253 253 253 253 253
40154 -253 253 253 246 246 246 46 46 46 38 38 38
40155 - 42 42 42 14 14 14 38 38 38 14 14 14
40156 - 2 2 6 2 2 6 2 2 6 6 6 6
40157 - 86 86 86 46 46 46 14 14 14 0 0 0
40158 - 0 0 0 0 0 0 0 0 0 0 0 0
40159 - 0 0 0 0 0 0 0 0 0 0 0 0
40160 - 0 0 0 0 0 0 0 0 0 0 0 0
40161 - 0 0 0 0 0 0 0 0 0 0 0 0
40162 - 0 0 0 0 0 0 0 0 0 0 0 0
40163 - 0 0 0 0 0 0 0 0 0 0 0 0
40164 - 0 0 0 0 0 0 0 0 0 0 0 0
40165 - 0 0 0 6 6 6 14 14 14 42 42 42
40166 - 90 90 90 18 18 18 18 18 18 26 26 26
40167 - 2 2 6 116 116 116 253 253 253 253 253 253
40168 -253 253 253 253 253 253 253 253 253 253 253 253
40169 -253 253 253 253 253 253 250 250 250 238 238 238
40170 -253 253 253 253 253 253 253 253 253 253 253 253
40171 -253 253 253 253 253 253 253 253 253 253 253 253
40172 -253 253 253 253 253 253 253 253 253 253 253 253
40173 -253 253 253 253 253 253 253 253 253 253 253 253
40174 -253 253 253 253 253 253 94 94 94 6 6 6
40175 - 2 2 6 2 2 6 10 10 10 34 34 34
40176 - 2 2 6 2 2 6 2 2 6 2 2 6
40177 - 74 74 74 58 58 58 22 22 22 6 6 6
40178 - 0 0 0 0 0 0 0 0 0 0 0 0
40179 - 0 0 0 0 0 0 0 0 0 0 0 0
40180 - 0 0 0 0 0 0 0 0 0 0 0 0
40181 - 0 0 0 0 0 0 0 0 0 0 0 0
40182 - 0 0 0 0 0 0 0 0 0 0 0 0
40183 - 0 0 0 0 0 0 0 0 0 0 0 0
40184 - 0 0 0 0 0 0 0 0 0 0 0 0
40185 - 0 0 0 10 10 10 26 26 26 66 66 66
40186 - 82 82 82 2 2 6 38 38 38 6 6 6
40187 - 14 14 14 210 210 210 253 253 253 253 253 253
40188 -253 253 253 253 253 253 253 253 253 253 253 253
40189 -253 253 253 253 253 253 246 246 246 242 242 242
40190 -253 253 253 253 253 253 253 253 253 253 253 253
40191 -253 253 253 253 253 253 253 253 253 253 253 253
40192 -253 253 253 253 253 253 253 253 253 253 253 253
40193 -253 253 253 253 253 253 253 253 253 253 253 253
40194 -253 253 253 253 253 253 144 144 144 2 2 6
40195 - 2 2 6 2 2 6 2 2 6 46 46 46
40196 - 2 2 6 2 2 6 2 2 6 2 2 6
40197 - 42 42 42 74 74 74 30 30 30 10 10 10
40198 - 0 0 0 0 0 0 0 0 0 0 0 0
40199 - 0 0 0 0 0 0 0 0 0 0 0 0
40200 - 0 0 0 0 0 0 0 0 0 0 0 0
40201 - 0 0 0 0 0 0 0 0 0 0 0 0
40202 - 0 0 0 0 0 0 0 0 0 0 0 0
40203 - 0 0 0 0 0 0 0 0 0 0 0 0
40204 - 0 0 0 0 0 0 0 0 0 0 0 0
40205 - 6 6 6 14 14 14 42 42 42 90 90 90
40206 - 26 26 26 6 6 6 42 42 42 2 2 6
40207 - 74 74 74 250 250 250 253 253 253 253 253 253
40208 -253 253 253 253 253 253 253 253 253 253 253 253
40209 -253 253 253 253 253 253 242 242 242 242 242 242
40210 -253 253 253 253 253 253 253 253 253 253 253 253
40211 -253 253 253 253 253 253 253 253 253 253 253 253
40212 -253 253 253 253 253 253 253 253 253 253 253 253
40213 -253 253 253 253 253 253 253 253 253 253 253 253
40214 -253 253 253 253 253 253 182 182 182 2 2 6
40215 - 2 2 6 2 2 6 2 2 6 46 46 46
40216 - 2 2 6 2 2 6 2 2 6 2 2 6
40217 - 10 10 10 86 86 86 38 38 38 10 10 10
40218 - 0 0 0 0 0 0 0 0 0 0 0 0
40219 - 0 0 0 0 0 0 0 0 0 0 0 0
40220 - 0 0 0 0 0 0 0 0 0 0 0 0
40221 - 0 0 0 0 0 0 0 0 0 0 0 0
40222 - 0 0 0 0 0 0 0 0 0 0 0 0
40223 - 0 0 0 0 0 0 0 0 0 0 0 0
40224 - 0 0 0 0 0 0 0 0 0 0 0 0
40225 - 10 10 10 26 26 26 66 66 66 82 82 82
40226 - 2 2 6 22 22 22 18 18 18 2 2 6
40227 -149 149 149 253 253 253 253 253 253 253 253 253
40228 -253 253 253 253 253 253 253 253 253 253 253 253
40229 -253 253 253 253 253 253 234 234 234 242 242 242
40230 -253 253 253 253 253 253 253 253 253 253 253 253
40231 -253 253 253 253 253 253 253 253 253 253 253 253
40232 -253 253 253 253 253 253 253 253 253 253 253 253
40233 -253 253 253 253 253 253 253 253 253 253 253 253
40234 -253 253 253 253 253 253 206 206 206 2 2 6
40235 - 2 2 6 2 2 6 2 2 6 38 38 38
40236 - 2 2 6 2 2 6 2 2 6 2 2 6
40237 - 6 6 6 86 86 86 46 46 46 14 14 14
40238 - 0 0 0 0 0 0 0 0 0 0 0 0
40239 - 0 0 0 0 0 0 0 0 0 0 0 0
40240 - 0 0 0 0 0 0 0 0 0 0 0 0
40241 - 0 0 0 0 0 0 0 0 0 0 0 0
40242 - 0 0 0 0 0 0 0 0 0 0 0 0
40243 - 0 0 0 0 0 0 0 0 0 0 0 0
40244 - 0 0 0 0 0 0 0 0 0 6 6 6
40245 - 18 18 18 46 46 46 86 86 86 18 18 18
40246 - 2 2 6 34 34 34 10 10 10 6 6 6
40247 -210 210 210 253 253 253 253 253 253 253 253 253
40248 -253 253 253 253 253 253 253 253 253 253 253 253
40249 -253 253 253 253 253 253 234 234 234 242 242 242
40250 -253 253 253 253 253 253 253 253 253 253 253 253
40251 -253 253 253 253 253 253 253 253 253 253 253 253
40252 -253 253 253 253 253 253 253 253 253 253 253 253
40253 -253 253 253 253 253 253 253 253 253 253 253 253
40254 -253 253 253 253 253 253 221 221 221 6 6 6
40255 - 2 2 6 2 2 6 6 6 6 30 30 30
40256 - 2 2 6 2 2 6 2 2 6 2 2 6
40257 - 2 2 6 82 82 82 54 54 54 18 18 18
40258 - 6 6 6 0 0 0 0 0 0 0 0 0
40259 - 0 0 0 0 0 0 0 0 0 0 0 0
40260 - 0 0 0 0 0 0 0 0 0 0 0 0
40261 - 0 0 0 0 0 0 0 0 0 0 0 0
40262 - 0 0 0 0 0 0 0 0 0 0 0 0
40263 - 0 0 0 0 0 0 0 0 0 0 0 0
40264 - 0 0 0 0 0 0 0 0 0 10 10 10
40265 - 26 26 26 66 66 66 62 62 62 2 2 6
40266 - 2 2 6 38 38 38 10 10 10 26 26 26
40267 -238 238 238 253 253 253 253 253 253 253 253 253
40268 -253 253 253 253 253 253 253 253 253 253 253 253
40269 -253 253 253 253 253 253 231 231 231 238 238 238
40270 -253 253 253 253 253 253 253 253 253 253 253 253
40271 -253 253 253 253 253 253 253 253 253 253 253 253
40272 -253 253 253 253 253 253 253 253 253 253 253 253
40273 -253 253 253 253 253 253 253 253 253 253 253 253
40274 -253 253 253 253 253 253 231 231 231 6 6 6
40275 - 2 2 6 2 2 6 10 10 10 30 30 30
40276 - 2 2 6 2 2 6 2 2 6 2 2 6
40277 - 2 2 6 66 66 66 58 58 58 22 22 22
40278 - 6 6 6 0 0 0 0 0 0 0 0 0
40279 - 0 0 0 0 0 0 0 0 0 0 0 0
40280 - 0 0 0 0 0 0 0 0 0 0 0 0
40281 - 0 0 0 0 0 0 0 0 0 0 0 0
40282 - 0 0 0 0 0 0 0 0 0 0 0 0
40283 - 0 0 0 0 0 0 0 0 0 0 0 0
40284 - 0 0 0 0 0 0 0 0 0 10 10 10
40285 - 38 38 38 78 78 78 6 6 6 2 2 6
40286 - 2 2 6 46 46 46 14 14 14 42 42 42
40287 -246 246 246 253 253 253 253 253 253 253 253 253
40288 -253 253 253 253 253 253 253 253 253 253 253 253
40289 -253 253 253 253 253 253 231 231 231 242 242 242
40290 -253 253 253 253 253 253 253 253 253 253 253 253
40291 -253 253 253 253 253 253 253 253 253 253 253 253
40292 -253 253 253 253 253 253 253 253 253 253 253 253
40293 -253 253 253 253 253 253 253 253 253 253 253 253
40294 -253 253 253 253 253 253 234 234 234 10 10 10
40295 - 2 2 6 2 2 6 22 22 22 14 14 14
40296 - 2 2 6 2 2 6 2 2 6 2 2 6
40297 - 2 2 6 66 66 66 62 62 62 22 22 22
40298 - 6 6 6 0 0 0 0 0 0 0 0 0
40299 - 0 0 0 0 0 0 0 0 0 0 0 0
40300 - 0 0 0 0 0 0 0 0 0 0 0 0
40301 - 0 0 0 0 0 0 0 0 0 0 0 0
40302 - 0 0 0 0 0 0 0 0 0 0 0 0
40303 - 0 0 0 0 0 0 0 0 0 0 0 0
40304 - 0 0 0 0 0 0 6 6 6 18 18 18
40305 - 50 50 50 74 74 74 2 2 6 2 2 6
40306 - 14 14 14 70 70 70 34 34 34 62 62 62
40307 -250 250 250 253 253 253 253 253 253 253 253 253
40308 -253 253 253 253 253 253 253 253 253 253 253 253
40309 -253 253 253 253 253 253 231 231 231 246 246 246
40310 -253 253 253 253 253 253 253 253 253 253 253 253
40311 -253 253 253 253 253 253 253 253 253 253 253 253
40312 -253 253 253 253 253 253 253 253 253 253 253 253
40313 -253 253 253 253 253 253 253 253 253 253 253 253
40314 -253 253 253 253 253 253 234 234 234 14 14 14
40315 - 2 2 6 2 2 6 30 30 30 2 2 6
40316 - 2 2 6 2 2 6 2 2 6 2 2 6
40317 - 2 2 6 66 66 66 62 62 62 22 22 22
40318 - 6 6 6 0 0 0 0 0 0 0 0 0
40319 - 0 0 0 0 0 0 0 0 0 0 0 0
40320 - 0 0 0 0 0 0 0 0 0 0 0 0
40321 - 0 0 0 0 0 0 0 0 0 0 0 0
40322 - 0 0 0 0 0 0 0 0 0 0 0 0
40323 - 0 0 0 0 0 0 0 0 0 0 0 0
40324 - 0 0 0 0 0 0 6 6 6 18 18 18
40325 - 54 54 54 62 62 62 2 2 6 2 2 6
40326 - 2 2 6 30 30 30 46 46 46 70 70 70
40327 -250 250 250 253 253 253 253 253 253 253 253 253
40328 -253 253 253 253 253 253 253 253 253 253 253 253
40329 -253 253 253 253 253 253 231 231 231 246 246 246
40330 -253 253 253 253 253 253 253 253 253 253 253 253
40331 -253 253 253 253 253 253 253 253 253 253 253 253
40332 -253 253 253 253 253 253 253 253 253 253 253 253
40333 -253 253 253 253 253 253 253 253 253 253 253 253
40334 -253 253 253 253 253 253 226 226 226 10 10 10
40335 - 2 2 6 6 6 6 30 30 30 2 2 6
40336 - 2 2 6 2 2 6 2 2 6 2 2 6
40337 - 2 2 6 66 66 66 58 58 58 22 22 22
40338 - 6 6 6 0 0 0 0 0 0 0 0 0
40339 - 0 0 0 0 0 0 0 0 0 0 0 0
40340 - 0 0 0 0 0 0 0 0 0 0 0 0
40341 - 0 0 0 0 0 0 0 0 0 0 0 0
40342 - 0 0 0 0 0 0 0 0 0 0 0 0
40343 - 0 0 0 0 0 0 0 0 0 0 0 0
40344 - 0 0 0 0 0 0 6 6 6 22 22 22
40345 - 58 58 58 62 62 62 2 2 6 2 2 6
40346 - 2 2 6 2 2 6 30 30 30 78 78 78
40347 -250 250 250 253 253 253 253 253 253 253 253 253
40348 -253 253 253 253 253 253 253 253 253 253 253 253
40349 -253 253 253 253 253 253 231 231 231 246 246 246
40350 -253 253 253 253 253 253 253 253 253 253 253 253
40351 -253 253 253 253 253 253 253 253 253 253 253 253
40352 -253 253 253 253 253 253 253 253 253 253 253 253
40353 -253 253 253 253 253 253 253 253 253 253 253 253
40354 -253 253 253 253 253 253 206 206 206 2 2 6
40355 - 22 22 22 34 34 34 18 14 6 22 22 22
40356 - 26 26 26 18 18 18 6 6 6 2 2 6
40357 - 2 2 6 82 82 82 54 54 54 18 18 18
40358 - 6 6 6 0 0 0 0 0 0 0 0 0
40359 - 0 0 0 0 0 0 0 0 0 0 0 0
40360 - 0 0 0 0 0 0 0 0 0 0 0 0
40361 - 0 0 0 0 0 0 0 0 0 0 0 0
40362 - 0 0 0 0 0 0 0 0 0 0 0 0
40363 - 0 0 0 0 0 0 0 0 0 0 0 0
40364 - 0 0 0 0 0 0 6 6 6 26 26 26
40365 - 62 62 62 106 106 106 74 54 14 185 133 11
40366 -210 162 10 121 92 8 6 6 6 62 62 62
40367 -238 238 238 253 253 253 253 253 253 253 253 253
40368 -253 253 253 253 253 253 253 253 253 253 253 253
40369 -253 253 253 253 253 253 231 231 231 246 246 246
40370 -253 253 253 253 253 253 253 253 253 253 253 253
40371 -253 253 253 253 253 253 253 253 253 253 253 253
40372 -253 253 253 253 253 253 253 253 253 253 253 253
40373 -253 253 253 253 253 253 253 253 253 253 253 253
40374 -253 253 253 253 253 253 158 158 158 18 18 18
40375 - 14 14 14 2 2 6 2 2 6 2 2 6
40376 - 6 6 6 18 18 18 66 66 66 38 38 38
40377 - 6 6 6 94 94 94 50 50 50 18 18 18
40378 - 6 6 6 0 0 0 0 0 0 0 0 0
40379 - 0 0 0 0 0 0 0 0 0 0 0 0
40380 - 0 0 0 0 0 0 0 0 0 0 0 0
40381 - 0 0 0 0 0 0 0 0 0 0 0 0
40382 - 0 0 0 0 0 0 0 0 0 0 0 0
40383 - 0 0 0 0 0 0 0 0 0 6 6 6
40384 - 10 10 10 10 10 10 18 18 18 38 38 38
40385 - 78 78 78 142 134 106 216 158 10 242 186 14
40386 -246 190 14 246 190 14 156 118 10 10 10 10
40387 - 90 90 90 238 238 238 253 253 253 253 253 253
40388 -253 253 253 253 253 253 253 253 253 253 253 253
40389 -253 253 253 253 253 253 231 231 231 250 250 250
40390 -253 253 253 253 253 253 253 253 253 253 253 253
40391 -253 253 253 253 253 253 253 253 253 253 253 253
40392 -253 253 253 253 253 253 253 253 253 253 253 253
40393 -253 253 253 253 253 253 253 253 253 246 230 190
40394 -238 204 91 238 204 91 181 142 44 37 26 9
40395 - 2 2 6 2 2 6 2 2 6 2 2 6
40396 - 2 2 6 2 2 6 38 38 38 46 46 46
40397 - 26 26 26 106 106 106 54 54 54 18 18 18
40398 - 6 6 6 0 0 0 0 0 0 0 0 0
40399 - 0 0 0 0 0 0 0 0 0 0 0 0
40400 - 0 0 0 0 0 0 0 0 0 0 0 0
40401 - 0 0 0 0 0 0 0 0 0 0 0 0
40402 - 0 0 0 0 0 0 0 0 0 0 0 0
40403 - 0 0 0 6 6 6 14 14 14 22 22 22
40404 - 30 30 30 38 38 38 50 50 50 70 70 70
40405 -106 106 106 190 142 34 226 170 11 242 186 14
40406 -246 190 14 246 190 14 246 190 14 154 114 10
40407 - 6 6 6 74 74 74 226 226 226 253 253 253
40408 -253 253 253 253 253 253 253 253 253 253 253 253
40409 -253 253 253 253 253 253 231 231 231 250 250 250
40410 -253 253 253 253 253 253 253 253 253 253 253 253
40411 -253 253 253 253 253 253 253 253 253 253 253 253
40412 -253 253 253 253 253 253 253 253 253 253 253 253
40413 -253 253 253 253 253 253 253 253 253 228 184 62
40414 -241 196 14 241 208 19 232 195 16 38 30 10
40415 - 2 2 6 2 2 6 2 2 6 2 2 6
40416 - 2 2 6 6 6 6 30 30 30 26 26 26
40417 -203 166 17 154 142 90 66 66 66 26 26 26
40418 - 6 6 6 0 0 0 0 0 0 0 0 0
40419 - 0 0 0 0 0 0 0 0 0 0 0 0
40420 - 0 0 0 0 0 0 0 0 0 0 0 0
40421 - 0 0 0 0 0 0 0 0 0 0 0 0
40422 - 0 0 0 0 0 0 0 0 0 0 0 0
40423 - 6 6 6 18 18 18 38 38 38 58 58 58
40424 - 78 78 78 86 86 86 101 101 101 123 123 123
40425 -175 146 61 210 150 10 234 174 13 246 186 14
40426 -246 190 14 246 190 14 246 190 14 238 190 10
40427 -102 78 10 2 2 6 46 46 46 198 198 198
40428 -253 253 253 253 253 253 253 253 253 253 253 253
40429 -253 253 253 253 253 253 234 234 234 242 242 242
40430 -253 253 253 253 253 253 253 253 253 253 253 253
40431 -253 253 253 253 253 253 253 253 253 253 253 253
40432 -253 253 253 253 253 253 253 253 253 253 253 253
40433 -253 253 253 253 253 253 253 253 253 224 178 62
40434 -242 186 14 241 196 14 210 166 10 22 18 6
40435 - 2 2 6 2 2 6 2 2 6 2 2 6
40436 - 2 2 6 2 2 6 6 6 6 121 92 8
40437 -238 202 15 232 195 16 82 82 82 34 34 34
40438 - 10 10 10 0 0 0 0 0 0 0 0 0
40439 - 0 0 0 0 0 0 0 0 0 0 0 0
40440 - 0 0 0 0 0 0 0 0 0 0 0 0
40441 - 0 0 0 0 0 0 0 0 0 0 0 0
40442 - 0 0 0 0 0 0 0 0 0 0 0 0
40443 - 14 14 14 38 38 38 70 70 70 154 122 46
40444 -190 142 34 200 144 11 197 138 11 197 138 11
40445 -213 154 11 226 170 11 242 186 14 246 190 14
40446 -246 190 14 246 190 14 246 190 14 246 190 14
40447 -225 175 15 46 32 6 2 2 6 22 22 22
40448 -158 158 158 250 250 250 253 253 253 253 253 253
40449 -253 253 253 253 253 253 253 253 253 253 253 253
40450 -253 253 253 253 253 253 253 253 253 253 253 253
40451 -253 253 253 253 253 253 253 253 253 253 253 253
40452 -253 253 253 253 253 253 253 253 253 253 253 253
40453 -253 253 253 250 250 250 242 242 242 224 178 62
40454 -239 182 13 236 186 11 213 154 11 46 32 6
40455 - 2 2 6 2 2 6 2 2 6 2 2 6
40456 - 2 2 6 2 2 6 61 42 6 225 175 15
40457 -238 190 10 236 186 11 112 100 78 42 42 42
40458 - 14 14 14 0 0 0 0 0 0 0 0 0
40459 - 0 0 0 0 0 0 0 0 0 0 0 0
40460 - 0 0 0 0 0 0 0 0 0 0 0 0
40461 - 0 0 0 0 0 0 0 0 0 0 0 0
40462 - 0 0 0 0 0 0 0 0 0 6 6 6
40463 - 22 22 22 54 54 54 154 122 46 213 154 11
40464 -226 170 11 230 174 11 226 170 11 226 170 11
40465 -236 178 12 242 186 14 246 190 14 246 190 14
40466 -246 190 14 246 190 14 246 190 14 246 190 14
40467 -241 196 14 184 144 12 10 10 10 2 2 6
40468 - 6 6 6 116 116 116 242 242 242 253 253 253
40469 -253 253 253 253 253 253 253 253 253 253 253 253
40470 -253 253 253 253 253 253 253 253 253 253 253 253
40471 -253 253 253 253 253 253 253 253 253 253 253 253
40472 -253 253 253 253 253 253 253 253 253 253 253 253
40473 -253 253 253 231 231 231 198 198 198 214 170 54
40474 -236 178 12 236 178 12 210 150 10 137 92 6
40475 - 18 14 6 2 2 6 2 2 6 2 2 6
40476 - 6 6 6 70 47 6 200 144 11 236 178 12
40477 -239 182 13 239 182 13 124 112 88 58 58 58
40478 - 22 22 22 6 6 6 0 0 0 0 0 0
40479 - 0 0 0 0 0 0 0 0 0 0 0 0
40480 - 0 0 0 0 0 0 0 0 0 0 0 0
40481 - 0 0 0 0 0 0 0 0 0 0 0 0
40482 - 0 0 0 0 0 0 0 0 0 10 10 10
40483 - 30 30 30 70 70 70 180 133 36 226 170 11
40484 -239 182 13 242 186 14 242 186 14 246 186 14
40485 -246 190 14 246 190 14 246 190 14 246 190 14
40486 -246 190 14 246 190 14 246 190 14 246 190 14
40487 -246 190 14 232 195 16 98 70 6 2 2 6
40488 - 2 2 6 2 2 6 66 66 66 221 221 221
40489 -253 253 253 253 253 253 253 253 253 253 253 253
40490 -253 253 253 253 253 253 253 253 253 253 253 253
40491 -253 253 253 253 253 253 253 253 253 253 253 253
40492 -253 253 253 253 253 253 253 253 253 253 253 253
40493 -253 253 253 206 206 206 198 198 198 214 166 58
40494 -230 174 11 230 174 11 216 158 10 192 133 9
40495 -163 110 8 116 81 8 102 78 10 116 81 8
40496 -167 114 7 197 138 11 226 170 11 239 182 13
40497 -242 186 14 242 186 14 162 146 94 78 78 78
40498 - 34 34 34 14 14 14 6 6 6 0 0 0
40499 - 0 0 0 0 0 0 0 0 0 0 0 0
40500 - 0 0 0 0 0 0 0 0 0 0 0 0
40501 - 0 0 0 0 0 0 0 0 0 0 0 0
40502 - 0 0 0 0 0 0 0 0 0 6 6 6
40503 - 30 30 30 78 78 78 190 142 34 226 170 11
40504 -239 182 13 246 190 14 246 190 14 246 190 14
40505 -246 190 14 246 190 14 246 190 14 246 190 14
40506 -246 190 14 246 190 14 246 190 14 246 190 14
40507 -246 190 14 241 196 14 203 166 17 22 18 6
40508 - 2 2 6 2 2 6 2 2 6 38 38 38
40509 -218 218 218 253 253 253 253 253 253 253 253 253
40510 -253 253 253 253 253 253 253 253 253 253 253 253
40511 -253 253 253 253 253 253 253 253 253 253 253 253
40512 -253 253 253 253 253 253 253 253 253 253 253 253
40513 -250 250 250 206 206 206 198 198 198 202 162 69
40514 -226 170 11 236 178 12 224 166 10 210 150 10
40515 -200 144 11 197 138 11 192 133 9 197 138 11
40516 -210 150 10 226 170 11 242 186 14 246 190 14
40517 -246 190 14 246 186 14 225 175 15 124 112 88
40518 - 62 62 62 30 30 30 14 14 14 6 6 6
40519 - 0 0 0 0 0 0 0 0 0 0 0 0
40520 - 0 0 0 0 0 0 0 0 0 0 0 0
40521 - 0 0 0 0 0 0 0 0 0 0 0 0
40522 - 0 0 0 0 0 0 0 0 0 10 10 10
40523 - 30 30 30 78 78 78 174 135 50 224 166 10
40524 -239 182 13 246 190 14 246 190 14 246 190 14
40525 -246 190 14 246 190 14 246 190 14 246 190 14
40526 -246 190 14 246 190 14 246 190 14 246 190 14
40527 -246 190 14 246 190 14 241 196 14 139 102 15
40528 - 2 2 6 2 2 6 2 2 6 2 2 6
40529 - 78 78 78 250 250 250 253 253 253 253 253 253
40530 -253 253 253 253 253 253 253 253 253 253 253 253
40531 -253 253 253 253 253 253 253 253 253 253 253 253
40532 -253 253 253 253 253 253 253 253 253 253 253 253
40533 -250 250 250 214 214 214 198 198 198 190 150 46
40534 -219 162 10 236 178 12 234 174 13 224 166 10
40535 -216 158 10 213 154 11 213 154 11 216 158 10
40536 -226 170 11 239 182 13 246 190 14 246 190 14
40537 -246 190 14 246 190 14 242 186 14 206 162 42
40538 -101 101 101 58 58 58 30 30 30 14 14 14
40539 - 6 6 6 0 0 0 0 0 0 0 0 0
40540 - 0 0 0 0 0 0 0 0 0 0 0 0
40541 - 0 0 0 0 0 0 0 0 0 0 0 0
40542 - 0 0 0 0 0 0 0 0 0 10 10 10
40543 - 30 30 30 74 74 74 174 135 50 216 158 10
40544 -236 178 12 246 190 14 246 190 14 246 190 14
40545 -246 190 14 246 190 14 246 190 14 246 190 14
40546 -246 190 14 246 190 14 246 190 14 246 190 14
40547 -246 190 14 246 190 14 241 196 14 226 184 13
40548 - 61 42 6 2 2 6 2 2 6 2 2 6
40549 - 22 22 22 238 238 238 253 253 253 253 253 253
40550 -253 253 253 253 253 253 253 253 253 253 253 253
40551 -253 253 253 253 253 253 253 253 253 253 253 253
40552 -253 253 253 253 253 253 253 253 253 253 253 253
40553 -253 253 253 226 226 226 187 187 187 180 133 36
40554 -216 158 10 236 178 12 239 182 13 236 178 12
40555 -230 174 11 226 170 11 226 170 11 230 174 11
40556 -236 178 12 242 186 14 246 190 14 246 190 14
40557 -246 190 14 246 190 14 246 186 14 239 182 13
40558 -206 162 42 106 106 106 66 66 66 34 34 34
40559 - 14 14 14 6 6 6 0 0 0 0 0 0
40560 - 0 0 0 0 0 0 0 0 0 0 0 0
40561 - 0 0 0 0 0 0 0 0 0 0 0 0
40562 - 0 0 0 0 0 0 0 0 0 6 6 6
40563 - 26 26 26 70 70 70 163 133 67 213 154 11
40564 -236 178 12 246 190 14 246 190 14 246 190 14
40565 -246 190 14 246 190 14 246 190 14 246 190 14
40566 -246 190 14 246 190 14 246 190 14 246 190 14
40567 -246 190 14 246 190 14 246 190 14 241 196 14
40568 -190 146 13 18 14 6 2 2 6 2 2 6
40569 - 46 46 46 246 246 246 253 253 253 253 253 253
40570 -253 253 253 253 253 253 253 253 253 253 253 253
40571 -253 253 253 253 253 253 253 253 253 253 253 253
40572 -253 253 253 253 253 253 253 253 253 253 253 253
40573 -253 253 253 221 221 221 86 86 86 156 107 11
40574 -216 158 10 236 178 12 242 186 14 246 186 14
40575 -242 186 14 239 182 13 239 182 13 242 186 14
40576 -242 186 14 246 186 14 246 190 14 246 190 14
40577 -246 190 14 246 190 14 246 190 14 246 190 14
40578 -242 186 14 225 175 15 142 122 72 66 66 66
40579 - 30 30 30 10 10 10 0 0 0 0 0 0
40580 - 0 0 0 0 0 0 0 0 0 0 0 0
40581 - 0 0 0 0 0 0 0 0 0 0 0 0
40582 - 0 0 0 0 0 0 0 0 0 6 6 6
40583 - 26 26 26 70 70 70 163 133 67 210 150 10
40584 -236 178 12 246 190 14 246 190 14 246 190 14
40585 -246 190 14 246 190 14 246 190 14 246 190 14
40586 -246 190 14 246 190 14 246 190 14 246 190 14
40587 -246 190 14 246 190 14 246 190 14 246 190 14
40588 -232 195 16 121 92 8 34 34 34 106 106 106
40589 -221 221 221 253 253 253 253 253 253 253 253 253
40590 -253 253 253 253 253 253 253 253 253 253 253 253
40591 -253 253 253 253 253 253 253 253 253 253 253 253
40592 -253 253 253 253 253 253 253 253 253 253 253 253
40593 -242 242 242 82 82 82 18 14 6 163 110 8
40594 -216 158 10 236 178 12 242 186 14 246 190 14
40595 -246 190 14 246 190 14 246 190 14 246 190 14
40596 -246 190 14 246 190 14 246 190 14 246 190 14
40597 -246 190 14 246 190 14 246 190 14 246 190 14
40598 -246 190 14 246 190 14 242 186 14 163 133 67
40599 - 46 46 46 18 18 18 6 6 6 0 0 0
40600 - 0 0 0 0 0 0 0 0 0 0 0 0
40601 - 0 0 0 0 0 0 0 0 0 0 0 0
40602 - 0 0 0 0 0 0 0 0 0 10 10 10
40603 - 30 30 30 78 78 78 163 133 67 210 150 10
40604 -236 178 12 246 186 14 246 190 14 246 190 14
40605 -246 190 14 246 190 14 246 190 14 246 190 14
40606 -246 190 14 246 190 14 246 190 14 246 190 14
40607 -246 190 14 246 190 14 246 190 14 246 190 14
40608 -241 196 14 215 174 15 190 178 144 253 253 253
40609 -253 253 253 253 253 253 253 253 253 253 253 253
40610 -253 253 253 253 253 253 253 253 253 253 253 253
40611 -253 253 253 253 253 253 253 253 253 253 253 253
40612 -253 253 253 253 253 253 253 253 253 218 218 218
40613 - 58 58 58 2 2 6 22 18 6 167 114 7
40614 -216 158 10 236 178 12 246 186 14 246 190 14
40615 -246 190 14 246 190 14 246 190 14 246 190 14
40616 -246 190 14 246 190 14 246 190 14 246 190 14
40617 -246 190 14 246 190 14 246 190 14 246 190 14
40618 -246 190 14 246 186 14 242 186 14 190 150 46
40619 - 54 54 54 22 22 22 6 6 6 0 0 0
40620 - 0 0 0 0 0 0 0 0 0 0 0 0
40621 - 0 0 0 0 0 0 0 0 0 0 0 0
40622 - 0 0 0 0 0 0 0 0 0 14 14 14
40623 - 38 38 38 86 86 86 180 133 36 213 154 11
40624 -236 178 12 246 186 14 246 190 14 246 190 14
40625 -246 190 14 246 190 14 246 190 14 246 190 14
40626 -246 190 14 246 190 14 246 190 14 246 190 14
40627 -246 190 14 246 190 14 246 190 14 246 190 14
40628 -246 190 14 232 195 16 190 146 13 214 214 214
40629 -253 253 253 253 253 253 253 253 253 253 253 253
40630 -253 253 253 253 253 253 253 253 253 253 253 253
40631 -253 253 253 253 253 253 253 253 253 253 253 253
40632 -253 253 253 250 250 250 170 170 170 26 26 26
40633 - 2 2 6 2 2 6 37 26 9 163 110 8
40634 -219 162 10 239 182 13 246 186 14 246 190 14
40635 -246 190 14 246 190 14 246 190 14 246 190 14
40636 -246 190 14 246 190 14 246 190 14 246 190 14
40637 -246 190 14 246 190 14 246 190 14 246 190 14
40638 -246 186 14 236 178 12 224 166 10 142 122 72
40639 - 46 46 46 18 18 18 6 6 6 0 0 0
40640 - 0 0 0 0 0 0 0 0 0 0 0 0
40641 - 0 0 0 0 0 0 0 0 0 0 0 0
40642 - 0 0 0 0 0 0 6 6 6 18 18 18
40643 - 50 50 50 109 106 95 192 133 9 224 166 10
40644 -242 186 14 246 190 14 246 190 14 246 190 14
40645 -246 190 14 246 190 14 246 190 14 246 190 14
40646 -246 190 14 246 190 14 246 190 14 246 190 14
40647 -246 190 14 246 190 14 246 190 14 246 190 14
40648 -242 186 14 226 184 13 210 162 10 142 110 46
40649 -226 226 226 253 253 253 253 253 253 253 253 253
40650 -253 253 253 253 253 253 253 253 253 253 253 253
40651 -253 253 253 253 253 253 253 253 253 253 253 253
40652 -198 198 198 66 66 66 2 2 6 2 2 6
40653 - 2 2 6 2 2 6 50 34 6 156 107 11
40654 -219 162 10 239 182 13 246 186 14 246 190 14
40655 -246 190 14 246 190 14 246 190 14 246 190 14
40656 -246 190 14 246 190 14 246 190 14 246 190 14
40657 -246 190 14 246 190 14 246 190 14 242 186 14
40658 -234 174 13 213 154 11 154 122 46 66 66 66
40659 - 30 30 30 10 10 10 0 0 0 0 0 0
40660 - 0 0 0 0 0 0 0 0 0 0 0 0
40661 - 0 0 0 0 0 0 0 0 0 0 0 0
40662 - 0 0 0 0 0 0 6 6 6 22 22 22
40663 - 58 58 58 154 121 60 206 145 10 234 174 13
40664 -242 186 14 246 186 14 246 190 14 246 190 14
40665 -246 190 14 246 190 14 246 190 14 246 190 14
40666 -246 190 14 246 190 14 246 190 14 246 190 14
40667 -246 190 14 246 190 14 246 190 14 246 190 14
40668 -246 186 14 236 178 12 210 162 10 163 110 8
40669 - 61 42 6 138 138 138 218 218 218 250 250 250
40670 -253 253 253 253 253 253 253 253 253 250 250 250
40671 -242 242 242 210 210 210 144 144 144 66 66 66
40672 - 6 6 6 2 2 6 2 2 6 2 2 6
40673 - 2 2 6 2 2 6 61 42 6 163 110 8
40674 -216 158 10 236 178 12 246 190 14 246 190 14
40675 -246 190 14 246 190 14 246 190 14 246 190 14
40676 -246 190 14 246 190 14 246 190 14 246 190 14
40677 -246 190 14 239 182 13 230 174 11 216 158 10
40678 -190 142 34 124 112 88 70 70 70 38 38 38
40679 - 18 18 18 6 6 6 0 0 0 0 0 0
40680 - 0 0 0 0 0 0 0 0 0 0 0 0
40681 - 0 0 0 0 0 0 0 0 0 0 0 0
40682 - 0 0 0 0 0 0 6 6 6 22 22 22
40683 - 62 62 62 168 124 44 206 145 10 224 166 10
40684 -236 178 12 239 182 13 242 186 14 242 186 14
40685 -246 186 14 246 190 14 246 190 14 246 190 14
40686 -246 190 14 246 190 14 246 190 14 246 190 14
40687 -246 190 14 246 190 14 246 190 14 246 190 14
40688 -246 190 14 236 178 12 216 158 10 175 118 6
40689 - 80 54 7 2 2 6 6 6 6 30 30 30
40690 - 54 54 54 62 62 62 50 50 50 38 38 38
40691 - 14 14 14 2 2 6 2 2 6 2 2 6
40692 - 2 2 6 2 2 6 2 2 6 2 2 6
40693 - 2 2 6 6 6 6 80 54 7 167 114 7
40694 -213 154 11 236 178 12 246 190 14 246 190 14
40695 -246 190 14 246 190 14 246 190 14 246 190 14
40696 -246 190 14 242 186 14 239 182 13 239 182 13
40697 -230 174 11 210 150 10 174 135 50 124 112 88
40698 - 82 82 82 54 54 54 34 34 34 18 18 18
40699 - 6 6 6 0 0 0 0 0 0 0 0 0
40700 - 0 0 0 0 0 0 0 0 0 0 0 0
40701 - 0 0 0 0 0 0 0 0 0 0 0 0
40702 - 0 0 0 0 0 0 6 6 6 18 18 18
40703 - 50 50 50 158 118 36 192 133 9 200 144 11
40704 -216 158 10 219 162 10 224 166 10 226 170 11
40705 -230 174 11 236 178 12 239 182 13 239 182 13
40706 -242 186 14 246 186 14 246 190 14 246 190 14
40707 -246 190 14 246 190 14 246 190 14 246 190 14
40708 -246 186 14 230 174 11 210 150 10 163 110 8
40709 -104 69 6 10 10 10 2 2 6 2 2 6
40710 - 2 2 6 2 2 6 2 2 6 2 2 6
40711 - 2 2 6 2 2 6 2 2 6 2 2 6
40712 - 2 2 6 2 2 6 2 2 6 2 2 6
40713 - 2 2 6 6 6 6 91 60 6 167 114 7
40714 -206 145 10 230 174 11 242 186 14 246 190 14
40715 -246 190 14 246 190 14 246 186 14 242 186 14
40716 -239 182 13 230 174 11 224 166 10 213 154 11
40717 -180 133 36 124 112 88 86 86 86 58 58 58
40718 - 38 38 38 22 22 22 10 10 10 6 6 6
40719 - 0 0 0 0 0 0 0 0 0 0 0 0
40720 - 0 0 0 0 0 0 0 0 0 0 0 0
40721 - 0 0 0 0 0 0 0 0 0 0 0 0
40722 - 0 0 0 0 0 0 0 0 0 14 14 14
40723 - 34 34 34 70 70 70 138 110 50 158 118 36
40724 -167 114 7 180 123 7 192 133 9 197 138 11
40725 -200 144 11 206 145 10 213 154 11 219 162 10
40726 -224 166 10 230 174 11 239 182 13 242 186 14
40727 -246 186 14 246 186 14 246 186 14 246 186 14
40728 -239 182 13 216 158 10 185 133 11 152 99 6
40729 -104 69 6 18 14 6 2 2 6 2 2 6
40730 - 2 2 6 2 2 6 2 2 6 2 2 6
40731 - 2 2 6 2 2 6 2 2 6 2 2 6
40732 - 2 2 6 2 2 6 2 2 6 2 2 6
40733 - 2 2 6 6 6 6 80 54 7 152 99 6
40734 -192 133 9 219 162 10 236 178 12 239 182 13
40735 -246 186 14 242 186 14 239 182 13 236 178 12
40736 -224 166 10 206 145 10 192 133 9 154 121 60
40737 - 94 94 94 62 62 62 42 42 42 22 22 22
40738 - 14 14 14 6 6 6 0 0 0 0 0 0
40739 - 0 0 0 0 0 0 0 0 0 0 0 0
40740 - 0 0 0 0 0 0 0 0 0 0 0 0
40741 - 0 0 0 0 0 0 0 0 0 0 0 0
40742 - 0 0 0 0 0 0 0 0 0 6 6 6
40743 - 18 18 18 34 34 34 58 58 58 78 78 78
40744 -101 98 89 124 112 88 142 110 46 156 107 11
40745 -163 110 8 167 114 7 175 118 6 180 123 7
40746 -185 133 11 197 138 11 210 150 10 219 162 10
40747 -226 170 11 236 178 12 236 178 12 234 174 13
40748 -219 162 10 197 138 11 163 110 8 130 83 6
40749 - 91 60 6 10 10 10 2 2 6 2 2 6
40750 - 18 18 18 38 38 38 38 38 38 38 38 38
40751 - 38 38 38 38 38 38 38 38 38 38 38 38
40752 - 38 38 38 38 38 38 26 26 26 2 2 6
40753 - 2 2 6 6 6 6 70 47 6 137 92 6
40754 -175 118 6 200 144 11 219 162 10 230 174 11
40755 -234 174 13 230 174 11 219 162 10 210 150 10
40756 -192 133 9 163 110 8 124 112 88 82 82 82
40757 - 50 50 50 30 30 30 14 14 14 6 6 6
40758 - 0 0 0 0 0 0 0 0 0 0 0 0
40759 - 0 0 0 0 0 0 0 0 0 0 0 0
40760 - 0 0 0 0 0 0 0 0 0 0 0 0
40761 - 0 0 0 0 0 0 0 0 0 0 0 0
40762 - 0 0 0 0 0 0 0 0 0 0 0 0
40763 - 6 6 6 14 14 14 22 22 22 34 34 34
40764 - 42 42 42 58 58 58 74 74 74 86 86 86
40765 -101 98 89 122 102 70 130 98 46 121 87 25
40766 -137 92 6 152 99 6 163 110 8 180 123 7
40767 -185 133 11 197 138 11 206 145 10 200 144 11
40768 -180 123 7 156 107 11 130 83 6 104 69 6
40769 - 50 34 6 54 54 54 110 110 110 101 98 89
40770 - 86 86 86 82 82 82 78 78 78 78 78 78
40771 - 78 78 78 78 78 78 78 78 78 78 78 78
40772 - 78 78 78 82 82 82 86 86 86 94 94 94
40773 -106 106 106 101 101 101 86 66 34 124 80 6
40774 -156 107 11 180 123 7 192 133 9 200 144 11
40775 -206 145 10 200 144 11 192 133 9 175 118 6
40776 -139 102 15 109 106 95 70 70 70 42 42 42
40777 - 22 22 22 10 10 10 0 0 0 0 0 0
40778 - 0 0 0 0 0 0 0 0 0 0 0 0
40779 - 0 0 0 0 0 0 0 0 0 0 0 0
40780 - 0 0 0 0 0 0 0 0 0 0 0 0
40781 - 0 0 0 0 0 0 0 0 0 0 0 0
40782 - 0 0 0 0 0 0 0 0 0 0 0 0
40783 - 0 0 0 0 0 0 6 6 6 10 10 10
40784 - 14 14 14 22 22 22 30 30 30 38 38 38
40785 - 50 50 50 62 62 62 74 74 74 90 90 90
40786 -101 98 89 112 100 78 121 87 25 124 80 6
40787 -137 92 6 152 99 6 152 99 6 152 99 6
40788 -138 86 6 124 80 6 98 70 6 86 66 30
40789 -101 98 89 82 82 82 58 58 58 46 46 46
40790 - 38 38 38 34 34 34 34 34 34 34 34 34
40791 - 34 34 34 34 34 34 34 34 34 34 34 34
40792 - 34 34 34 34 34 34 38 38 38 42 42 42
40793 - 54 54 54 82 82 82 94 86 76 91 60 6
40794 -134 86 6 156 107 11 167 114 7 175 118 6
40795 -175 118 6 167 114 7 152 99 6 121 87 25
40796 -101 98 89 62 62 62 34 34 34 18 18 18
40797 - 6 6 6 0 0 0 0 0 0 0 0 0
40798 - 0 0 0 0 0 0 0 0 0 0 0 0
40799 - 0 0 0 0 0 0 0 0 0 0 0 0
40800 - 0 0 0 0 0 0 0 0 0 0 0 0
40801 - 0 0 0 0 0 0 0 0 0 0 0 0
40802 - 0 0 0 0 0 0 0 0 0 0 0 0
40803 - 0 0 0 0 0 0 0 0 0 0 0 0
40804 - 0 0 0 6 6 6 6 6 6 10 10 10
40805 - 18 18 18 22 22 22 30 30 30 42 42 42
40806 - 50 50 50 66 66 66 86 86 86 101 98 89
40807 -106 86 58 98 70 6 104 69 6 104 69 6
40808 -104 69 6 91 60 6 82 62 34 90 90 90
40809 - 62 62 62 38 38 38 22 22 22 14 14 14
40810 - 10 10 10 10 10 10 10 10 10 10 10 10
40811 - 10 10 10 10 10 10 6 6 6 10 10 10
40812 - 10 10 10 10 10 10 10 10 10 14 14 14
40813 - 22 22 22 42 42 42 70 70 70 89 81 66
40814 - 80 54 7 104 69 6 124 80 6 137 92 6
40815 -134 86 6 116 81 8 100 82 52 86 86 86
40816 - 58 58 58 30 30 30 14 14 14 6 6 6
40817 - 0 0 0 0 0 0 0 0 0 0 0 0
40818 - 0 0 0 0 0 0 0 0 0 0 0 0
40819 - 0 0 0 0 0 0 0 0 0 0 0 0
40820 - 0 0 0 0 0 0 0 0 0 0 0 0
40821 - 0 0 0 0 0 0 0 0 0 0 0 0
40822 - 0 0 0 0 0 0 0 0 0 0 0 0
40823 - 0 0 0 0 0 0 0 0 0 0 0 0
40824 - 0 0 0 0 0 0 0 0 0 0 0 0
40825 - 0 0 0 6 6 6 10 10 10 14 14 14
40826 - 18 18 18 26 26 26 38 38 38 54 54 54
40827 - 70 70 70 86 86 86 94 86 76 89 81 66
40828 - 89 81 66 86 86 86 74 74 74 50 50 50
40829 - 30 30 30 14 14 14 6 6 6 0 0 0
40830 - 0 0 0 0 0 0 0 0 0 0 0 0
40831 - 0 0 0 0 0 0 0 0 0 0 0 0
40832 - 0 0 0 0 0 0 0 0 0 0 0 0
40833 - 6 6 6 18 18 18 34 34 34 58 58 58
40834 - 82 82 82 89 81 66 89 81 66 89 81 66
40835 - 94 86 66 94 86 76 74 74 74 50 50 50
40836 - 26 26 26 14 14 14 6 6 6 0 0 0
40837 - 0 0 0 0 0 0 0 0 0 0 0 0
40838 - 0 0 0 0 0 0 0 0 0 0 0 0
40839 - 0 0 0 0 0 0 0 0 0 0 0 0
40840 - 0 0 0 0 0 0 0 0 0 0 0 0
40841 - 0 0 0 0 0 0 0 0 0 0 0 0
40842 - 0 0 0 0 0 0 0 0 0 0 0 0
40843 - 0 0 0 0 0 0 0 0 0 0 0 0
40844 - 0 0 0 0 0 0 0 0 0 0 0 0
40845 - 0 0 0 0 0 0 0 0 0 0 0 0
40846 - 6 6 6 6 6 6 14 14 14 18 18 18
40847 - 30 30 30 38 38 38 46 46 46 54 54 54
40848 - 50 50 50 42 42 42 30 30 30 18 18 18
40849 - 10 10 10 0 0 0 0 0 0 0 0 0
40850 - 0 0 0 0 0 0 0 0 0 0 0 0
40851 - 0 0 0 0 0 0 0 0 0 0 0 0
40852 - 0 0 0 0 0 0 0 0 0 0 0 0
40853 - 0 0 0 6 6 6 14 14 14 26 26 26
40854 - 38 38 38 50 50 50 58 58 58 58 58 58
40855 - 54 54 54 42 42 42 30 30 30 18 18 18
40856 - 10 10 10 0 0 0 0 0 0 0 0 0
40857 - 0 0 0 0 0 0 0 0 0 0 0 0
40858 - 0 0 0 0 0 0 0 0 0 0 0 0
40859 - 0 0 0 0 0 0 0 0 0 0 0 0
40860 - 0 0 0 0 0 0 0 0 0 0 0 0
40861 - 0 0 0 0 0 0 0 0 0 0 0 0
40862 - 0 0 0 0 0 0 0 0 0 0 0 0
40863 - 0 0 0 0 0 0 0 0 0 0 0 0
40864 - 0 0 0 0 0 0 0 0 0 0 0 0
40865 - 0 0 0 0 0 0 0 0 0 0 0 0
40866 - 0 0 0 0 0 0 0 0 0 6 6 6
40867 - 6 6 6 10 10 10 14 14 14 18 18 18
40868 - 18 18 18 14 14 14 10 10 10 6 6 6
40869 - 0 0 0 0 0 0 0 0 0 0 0 0
40870 - 0 0 0 0 0 0 0 0 0 0 0 0
40871 - 0 0 0 0 0 0 0 0 0 0 0 0
40872 - 0 0 0 0 0 0 0 0 0 0 0 0
40873 - 0 0 0 0 0 0 0 0 0 6 6 6
40874 - 14 14 14 18 18 18 22 22 22 22 22 22
40875 - 18 18 18 14 14 14 10 10 10 6 6 6
40876 - 0 0 0 0 0 0 0 0 0 0 0 0
40877 - 0 0 0 0 0 0 0 0 0 0 0 0
40878 - 0 0 0 0 0 0 0 0 0 0 0 0
40879 - 0 0 0 0 0 0 0 0 0 0 0 0
40880 - 0 0 0 0 0 0 0 0 0 0 0 0
40881 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40882 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40883 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40884 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40885 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40886 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40887 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40888 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40889 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40890 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40891 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40892 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40893 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40894 +4 4 4 4 4 4
40895 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40896 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40897 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40898 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40899 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40900 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40901 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40902 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40903 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40904 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40905 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40906 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40907 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40908 +4 4 4 4 4 4
40909 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40910 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40911 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40912 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40913 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40914 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40915 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40916 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40917 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40918 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40919 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40920 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40921 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40922 +4 4 4 4 4 4
40923 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40924 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40925 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40926 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40927 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40928 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40929 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40930 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40931 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40932 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40933 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40934 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40935 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40936 +4 4 4 4 4 4
40937 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40938 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40939 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40940 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40941 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40942 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40943 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40944 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40945 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40946 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40947 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40948 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40949 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40950 +4 4 4 4 4 4
40951 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40952 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40953 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40954 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40955 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40956 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40957 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40958 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40959 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40960 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40961 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40962 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40963 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40964 +4 4 4 4 4 4
40965 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40966 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40967 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40968 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40969 +4 4 4 4 4 4 4 4 4 3 3 3 0 0 0 0 0 0
40970 +0 0 0 0 0 0 0 0 0 0 0 0 3 3 3 4 4 4
40971 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40972 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40973 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40974 +4 4 4 4 4 4 4 4 4 4 4 4 1 1 1 0 0 0
40975 +0 0 0 3 3 3 4 4 4 4 4 4 4 4 4 4 4 4
40976 +4 4 4 4 4 4 4 4 4 2 1 0 2 1 0 3 2 2
40977 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40978 +4 4 4 4 4 4
40979 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40980 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40981 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40982 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40983 +4 4 4 4 4 4 2 2 2 0 0 0 3 4 3 26 28 28
40984 +37 38 37 37 38 37 14 17 19 2 2 2 0 0 0 2 2 2
40985 +5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40986 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40987 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40988 +4 4 4 4 4 4 3 3 3 0 0 0 1 1 1 6 6 6
40989 +2 2 2 0 0 0 3 3 3 4 4 4 4 4 4 4 4 4
40990 +4 4 5 3 3 3 1 0 0 0 0 0 1 0 0 0 0 0
40991 +1 1 1 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40992 +4 4 4 4 4 4
40993 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40994 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40995 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40996 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40997 +2 2 2 0 0 0 0 0 0 14 17 19 60 74 84 137 136 137
40998 +153 152 153 137 136 137 125 124 125 60 73 81 6 6 6 3 1 0
40999 +0 0 0 3 3 3 4 4 4 4 4 4 4 4 4 4 4 4
41000 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41001 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41002 +4 4 4 4 4 4 0 0 0 4 4 4 41 54 63 125 124 125
41003 +60 73 81 6 6 6 4 0 0 3 3 3 4 4 4 4 4 4
41004 +4 4 4 0 0 0 6 9 11 41 54 63 41 65 82 22 30 35
41005 +2 2 2 2 1 0 4 4 4 4 4 4 4 4 4 4 4 4
41006 +4 4 4 4 4 4
41007 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41008 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41009 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41010 +4 4 4 4 4 4 5 5 5 5 5 5 2 2 2 0 0 0
41011 +4 0 0 6 6 6 41 54 63 137 136 137 174 174 174 167 166 167
41012 +165 164 165 165 164 165 163 162 163 163 162 163 125 124 125 41 54 63
41013 +1 1 1 0 0 0 0 0 0 3 3 3 5 5 5 4 4 4
41014 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41015 +4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 5 5 5
41016 +3 3 3 2 0 0 4 0 0 60 73 81 156 155 156 167 166 167
41017 +163 162 163 85 115 134 5 7 8 0 0 0 4 4 4 5 5 5
41018 +0 0 0 2 5 5 55 98 126 90 154 193 90 154 193 72 125 159
41019 +37 51 59 2 0 0 1 1 1 4 5 5 4 4 4 4 4 4
41020 +4 4 4 4 4 4
41021 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41022 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41023 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41024 +4 4 4 5 5 5 4 4 4 1 1 1 0 0 0 3 3 3
41025 +37 38 37 125 124 125 163 162 163 174 174 174 158 157 158 158 157 158
41026 +156 155 156 156 155 156 158 157 158 165 164 165 174 174 174 166 165 166
41027 +125 124 125 16 19 21 1 0 0 0 0 0 0 0 0 4 4 4
41028 +5 5 5 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
41029 +4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 1 1 1
41030 +0 0 0 0 0 0 37 38 37 153 152 153 174 174 174 158 157 158
41031 +174 174 174 163 162 163 37 38 37 4 3 3 4 0 0 1 1 1
41032 +0 0 0 22 40 52 101 161 196 101 161 196 90 154 193 101 161 196
41033 +64 123 161 14 17 19 0 0 0 4 4 4 4 4 4 4 4 4
41034 +4 4 4 4 4 4
41035 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41036 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41037 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
41038 +5 5 5 2 2 2 0 0 0 4 0 0 24 26 27 85 115 134
41039 +156 155 156 174 174 174 167 166 167 156 155 156 154 153 154 157 156 157
41040 +156 155 156 156 155 156 155 154 155 153 152 153 158 157 158 167 166 167
41041 +174 174 174 156 155 156 60 74 84 16 19 21 0 0 0 0 0 0
41042 +1 1 1 5 5 5 5 5 5 4 4 4 4 4 4 4 4 4
41043 +4 4 4 5 5 5 6 6 6 3 3 3 0 0 0 4 0 0
41044 +13 16 17 60 73 81 137 136 137 165 164 165 156 155 156 153 152 153
41045 +174 174 174 177 184 187 60 73 81 3 1 0 0 0 0 1 1 2
41046 +22 30 35 64 123 161 136 185 209 90 154 193 90 154 193 90 154 193
41047 +90 154 193 21 29 34 0 0 0 3 2 2 4 4 5 4 4 4
41048 +4 4 4 4 4 4
41049 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41050 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41051 +4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 3 3 3
41052 +0 0 0 0 0 0 10 13 16 60 74 84 157 156 157 174 174 174
41053 +174 174 174 158 157 158 153 152 153 154 153 154 156 155 156 155 154 155
41054 +156 155 156 155 154 155 154 153 154 157 156 157 154 153 154 153 152 153
41055 +163 162 163 174 174 174 177 184 187 137 136 137 60 73 81 13 16 17
41056 +4 0 0 0 0 0 3 3 3 5 5 5 4 4 4 4 4 4
41057 +5 5 5 4 4 4 1 1 1 0 0 0 3 3 3 41 54 63
41058 +131 129 131 174 174 174 174 174 174 174 174 174 167 166 167 174 174 174
41059 +190 197 201 137 136 137 24 26 27 4 0 0 16 21 25 50 82 103
41060 +90 154 193 136 185 209 90 154 193 101 161 196 101 161 196 101 161 196
41061 +31 91 132 3 6 7 0 0 0 4 4 4 4 4 4 4 4 4
41062 +4 4 4 4 4 4
41063 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41064 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41065 +4 4 4 4 4 4 4 4 4 2 2 2 0 0 0 4 0 0
41066 +4 0 0 43 57 68 137 136 137 177 184 187 174 174 174 163 162 163
41067 +155 154 155 155 154 155 156 155 156 155 154 155 158 157 158 165 164 165
41068 +167 166 167 166 165 166 163 162 163 157 156 157 155 154 155 155 154 155
41069 +153 152 153 156 155 156 167 166 167 174 174 174 174 174 174 131 129 131
41070 +41 54 63 5 5 5 0 0 0 0 0 0 3 3 3 4 4 4
41071 +1 1 1 0 0 0 1 0 0 26 28 28 125 124 125 174 174 174
41072 +177 184 187 174 174 174 174 174 174 156 155 156 131 129 131 137 136 137
41073 +125 124 125 24 26 27 4 0 0 41 65 82 90 154 193 136 185 209
41074 +136 185 209 101 161 196 53 118 160 37 112 160 90 154 193 34 86 122
41075 +7 12 15 0 0 0 4 4 4 4 4 4 4 4 4 4 4 4
41076 +4 4 4 4 4 4
41077 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41078 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41079 +4 4 4 3 3 3 0 0 0 0 0 0 5 5 5 37 38 37
41080 +125 124 125 167 166 167 174 174 174 167 166 167 158 157 158 155 154 155
41081 +156 155 156 156 155 156 156 155 156 163 162 163 167 166 167 155 154 155
41082 +137 136 137 153 152 153 156 155 156 165 164 165 163 162 163 156 155 156
41083 +156 155 156 156 155 156 155 154 155 158 157 158 166 165 166 174 174 174
41084 +167 166 167 125 124 125 37 38 37 1 0 0 0 0 0 0 0 0
41085 +0 0 0 24 26 27 60 74 84 158 157 158 174 174 174 174 174 174
41086 +166 165 166 158 157 158 125 124 125 41 54 63 13 16 17 6 6 6
41087 +6 6 6 37 38 37 80 127 157 136 185 209 101 161 196 101 161 196
41088 +90 154 193 28 67 93 6 10 14 13 20 25 13 20 25 6 10 14
41089 +1 1 2 4 3 3 4 4 4 4 4 4 4 4 4 4 4 4
41090 +4 4 4 4 4 4
41091 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41092 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41093 +1 1 1 1 0 0 4 3 3 37 38 37 60 74 84 153 152 153
41094 +167 166 167 167 166 167 158 157 158 154 153 154 155 154 155 156 155 156
41095 +157 156 157 158 157 158 167 166 167 167 166 167 131 129 131 43 57 68
41096 +26 28 28 37 38 37 60 73 81 131 129 131 165 164 165 166 165 166
41097 +158 157 158 155 154 155 156 155 156 156 155 156 156 155 156 158 157 158
41098 +165 164 165 174 174 174 163 162 163 60 74 84 16 19 21 13 16 17
41099 +60 73 81 131 129 131 174 174 174 174 174 174 167 166 167 165 164 165
41100 +137 136 137 60 73 81 24 26 27 4 0 0 4 0 0 16 19 21
41101 +52 104 138 101 161 196 136 185 209 136 185 209 90 154 193 27 99 146
41102 +13 20 25 4 5 7 2 5 5 4 5 7 1 1 2 0 0 0
41103 +4 4 4 4 4 4 3 3 3 2 2 2 2 2 2 4 4 4
41104 +4 4 4 4 4 4
41105 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41106 +4 4 4 4 4 4 4 4 4 4 4 4 3 3 3 0 0 0
41107 +0 0 0 13 16 17 60 73 81 137 136 137 174 174 174 166 165 166
41108 +158 157 158 156 155 156 157 156 157 156 155 156 155 154 155 158 157 158
41109 +167 166 167 174 174 174 153 152 153 60 73 81 16 19 21 4 0 0
41110 +4 0 0 4 0 0 6 6 6 26 28 28 60 74 84 158 157 158
41111 +174 174 174 166 165 166 157 156 157 155 154 155 156 155 156 156 155 156
41112 +155 154 155 158 157 158 167 166 167 167 166 167 131 129 131 125 124 125
41113 +137 136 137 167 166 167 167 166 167 174 174 174 158 157 158 125 124 125
41114 +16 19 21 4 0 0 4 0 0 10 13 16 49 76 92 107 159 188
41115 +136 185 209 136 185 209 90 154 193 26 108 161 22 40 52 6 10 14
41116 +2 3 3 1 1 2 1 1 2 4 4 5 4 4 5 4 4 5
41117 +4 4 5 2 2 1 0 0 0 0 0 0 0 0 0 2 2 2
41118 +4 4 4 4 4 4
41119 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41120 +4 4 4 5 5 5 3 3 3 0 0 0 1 0 0 4 0 0
41121 +37 51 59 131 129 131 167 166 167 167 166 167 163 162 163 157 156 157
41122 +157 156 157 155 154 155 153 152 153 157 156 157 167 166 167 174 174 174
41123 +153 152 153 125 124 125 37 38 37 4 0 0 4 0 0 4 0 0
41124 +4 3 3 4 3 3 4 0 0 6 6 6 4 0 0 37 38 37
41125 +125 124 125 174 174 174 174 174 174 165 164 165 156 155 156 154 153 154
41126 +156 155 156 156 155 156 155 154 155 163 162 163 158 157 158 163 162 163
41127 +174 174 174 174 174 174 174 174 174 125 124 125 37 38 37 0 0 0
41128 +4 0 0 6 9 11 41 54 63 90 154 193 136 185 209 146 190 211
41129 +136 185 209 37 112 160 22 40 52 6 10 14 3 6 7 1 1 2
41130 +1 1 2 3 3 3 1 1 2 3 3 3 4 4 4 4 4 4
41131 +2 2 2 2 0 0 16 19 21 37 38 37 24 26 27 0 0 0
41132 +0 0 0 4 4 4
41133 +4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 5 5 5
41134 +4 4 4 0 0 0 0 0 0 0 0 0 26 28 28 120 125 127
41135 +158 157 158 174 174 174 165 164 165 157 156 157 155 154 155 156 155 156
41136 +153 152 153 153 152 153 167 166 167 174 174 174 174 174 174 125 124 125
41137 +37 38 37 4 0 0 0 0 0 4 0 0 4 3 3 4 4 4
41138 +4 4 4 4 4 4 5 5 5 4 0 0 4 0 0 4 0 0
41139 +4 3 3 43 57 68 137 136 137 174 174 174 174 174 174 165 164 165
41140 +154 153 154 153 152 153 153 152 153 153 152 153 163 162 163 174 174 174
41141 +174 174 174 153 152 153 60 73 81 6 6 6 4 0 0 4 3 3
41142 +32 43 50 80 127 157 136 185 209 146 190 211 146 190 211 90 154 193
41143 +28 67 93 28 67 93 40 71 93 3 6 7 1 1 2 2 5 5
41144 +50 82 103 79 117 143 26 37 45 0 0 0 3 3 3 1 1 1
41145 +0 0 0 41 54 63 137 136 137 174 174 174 153 152 153 60 73 81
41146 +2 0 0 0 0 0
41147 +4 4 4 4 4 4 4 4 4 4 4 4 6 6 6 2 2 2
41148 +0 0 0 2 0 0 24 26 27 60 74 84 153 152 153 174 174 174
41149 +174 174 174 157 156 157 154 153 154 156 155 156 154 153 154 153 152 153
41150 +165 164 165 174 174 174 177 184 187 137 136 137 43 57 68 6 6 6
41151 +4 0 0 2 0 0 3 3 3 5 5 5 5 5 5 4 4 4
41152 +4 4 4 4 4 4 4 4 4 5 5 5 6 6 6 4 3 3
41153 +4 0 0 4 0 0 24 26 27 60 73 81 153 152 153 174 174 174
41154 +174 174 174 158 157 158 158 157 158 174 174 174 174 174 174 158 157 158
41155 +60 74 84 24 26 27 4 0 0 4 0 0 17 23 27 59 113 148
41156 +136 185 209 191 222 234 146 190 211 136 185 209 31 91 132 7 11 13
41157 +22 40 52 101 161 196 90 154 193 6 9 11 3 4 4 43 95 132
41158 +136 185 209 172 205 220 55 98 126 0 0 0 0 0 0 2 0 0
41159 +26 28 28 153 152 153 177 184 187 167 166 167 177 184 187 165 164 165
41160 +37 38 37 0 0 0
41161 +4 4 4 4 4 4 5 5 5 5 5 5 1 1 1 0 0 0
41162 +13 16 17 60 73 81 137 136 137 174 174 174 174 174 174 165 164 165
41163 +153 152 153 153 152 153 155 154 155 154 153 154 158 157 158 174 174 174
41164 +177 184 187 163 162 163 60 73 81 16 19 21 4 0 0 4 0 0
41165 +4 3 3 4 4 4 5 5 5 5 5 5 4 4 4 5 5 5
41166 +5 5 5 5 5 5 5 5 5 4 4 4 4 4 4 5 5 5
41167 +6 6 6 4 0 0 4 0 0 4 0 0 24 26 27 60 74 84
41168 +166 165 166 174 174 174 177 184 187 165 164 165 125 124 125 24 26 27
41169 +4 0 0 4 0 0 5 5 5 50 82 103 136 185 209 172 205 220
41170 +146 190 211 136 185 209 26 108 161 22 40 52 7 12 15 44 81 103
41171 +71 116 144 28 67 93 37 51 59 41 65 82 100 139 164 101 161 196
41172 +90 154 193 90 154 193 28 67 93 0 0 0 0 0 0 26 28 28
41173 +125 124 125 167 166 167 163 162 163 153 152 153 163 162 163 174 174 174
41174 +85 115 134 4 0 0
41175 +4 4 4 5 5 5 4 4 4 1 0 0 4 0 0 34 47 55
41176 +125 124 125 174 174 174 174 174 174 167 166 167 157 156 157 153 152 153
41177 +155 154 155 155 154 155 158 157 158 166 165 166 167 166 167 154 153 154
41178 +125 124 125 26 28 28 4 0 0 4 0 0 4 0 0 5 5 5
41179 +5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 1 1 1
41180 +0 0 0 0 0 0 1 1 1 4 4 4 4 4 4 4 4 4
41181 +5 5 5 5 5 5 4 3 3 4 0 0 4 0 0 6 6 6
41182 +37 38 37 131 129 131 137 136 137 37 38 37 0 0 0 4 0 0
41183 +4 5 5 43 61 72 90 154 193 172 205 220 146 190 211 136 185 209
41184 +90 154 193 28 67 93 13 20 25 43 61 72 71 116 144 44 81 103
41185 +2 5 5 7 11 13 59 113 148 101 161 196 90 154 193 28 67 93
41186 +13 20 25 6 10 14 0 0 0 13 16 17 60 73 81 137 136 137
41187 +166 165 166 158 157 158 156 155 156 154 153 154 167 166 167 174 174 174
41188 +60 73 81 4 0 0
41189 +4 4 4 4 4 4 0 0 0 3 3 3 60 74 84 174 174 174
41190 +174 174 174 167 166 167 163 162 163 155 154 155 157 156 157 155 154 155
41191 +156 155 156 163 162 163 167 166 167 158 157 158 125 124 125 37 38 37
41192 +4 3 3 4 0 0 4 0 0 6 6 6 6 6 6 5 5 5
41193 +4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 2 3 3
41194 +10 13 16 7 11 13 1 0 0 0 0 0 2 2 1 4 4 4
41195 +4 4 4 4 4 4 4 4 4 5 5 5 4 3 3 4 0 0
41196 +4 0 0 7 11 13 13 16 17 4 0 0 3 3 3 34 47 55
41197 +80 127 157 146 190 211 172 205 220 136 185 209 136 185 209 136 185 209
41198 +28 67 93 22 40 52 55 98 126 55 98 126 21 29 34 7 11 13
41199 +50 82 103 101 161 196 101 161 196 35 83 115 13 20 25 2 2 1
41200 +1 1 2 1 1 2 37 51 59 131 129 131 174 174 174 174 174 174
41201 +167 166 167 163 162 163 163 162 163 167 166 167 174 174 174 125 124 125
41202 +16 19 21 4 0 0
41203 +4 4 4 4 0 0 4 0 0 60 74 84 174 174 174 174 174 174
41204 +158 157 158 155 154 155 155 154 155 156 155 156 155 154 155 158 157 158
41205 +167 166 167 165 164 165 131 129 131 60 73 81 13 16 17 4 0 0
41206 +4 0 0 4 3 3 6 6 6 4 3 3 5 5 5 4 4 4
41207 +4 4 4 3 2 2 0 0 0 0 0 0 7 11 13 45 69 86
41208 +80 127 157 71 116 144 43 61 72 7 11 13 0 0 0 1 1 1
41209 +4 3 3 4 4 4 4 4 4 4 4 4 6 6 6 5 5 5
41210 +3 2 2 4 0 0 1 0 0 21 29 34 59 113 148 136 185 209
41211 +146 190 211 136 185 209 136 185 209 136 185 209 136 185 209 136 185 209
41212 +68 124 159 44 81 103 22 40 52 13 16 17 43 61 72 90 154 193
41213 +136 185 209 59 113 148 21 29 34 3 4 3 1 1 1 0 0 0
41214 +24 26 27 125 124 125 163 162 163 174 174 174 166 165 166 165 164 165
41215 +163 162 163 125 124 125 125 124 125 125 124 125 125 124 125 26 28 28
41216 +4 0 0 4 3 3
41217 +3 3 3 0 0 0 24 26 27 153 152 153 177 184 187 158 157 158
41218 +156 155 156 156 155 156 155 154 155 155 154 155 165 164 165 174 174 174
41219 +155 154 155 60 74 84 26 28 28 4 0 0 4 0 0 3 1 0
41220 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 3 3
41221 +2 0 0 0 0 0 0 0 0 32 43 50 72 125 159 101 161 196
41222 +136 185 209 101 161 196 101 161 196 79 117 143 32 43 50 0 0 0
41223 +0 0 0 2 2 2 4 4 4 4 4 4 3 3 3 1 0 0
41224 +0 0 0 4 5 5 49 76 92 101 161 196 146 190 211 146 190 211
41225 +136 185 209 136 185 209 136 185 209 136 185 209 136 185 209 90 154 193
41226 +28 67 93 13 16 17 37 51 59 80 127 157 136 185 209 90 154 193
41227 +22 40 52 6 9 11 3 4 3 2 2 1 16 19 21 60 73 81
41228 +137 136 137 163 162 163 158 157 158 166 165 166 167 166 167 153 152 153
41229 +60 74 84 37 38 37 6 6 6 13 16 17 4 0 0 1 0 0
41230 +3 2 2 4 4 4
41231 +3 2 2 4 0 0 37 38 37 137 136 137 167 166 167 158 157 158
41232 +157 156 157 154 153 154 157 156 157 167 166 167 174 174 174 125 124 125
41233 +37 38 37 4 0 0 4 0 0 4 0 0 4 3 3 4 4 4
41234 +4 4 4 4 4 4 5 5 5 5 5 5 1 1 1 0 0 0
41235 +0 0 0 16 21 25 55 98 126 90 154 193 136 185 209 101 161 196
41236 +101 161 196 101 161 196 136 185 209 136 185 209 101 161 196 55 98 126
41237 +14 17 19 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
41238 +22 40 52 90 154 193 146 190 211 146 190 211 136 185 209 136 185 209
41239 +136 185 209 136 185 209 136 185 209 101 161 196 35 83 115 7 11 13
41240 +17 23 27 59 113 148 136 185 209 101 161 196 34 86 122 7 12 15
41241 +2 5 5 3 4 3 6 6 6 60 73 81 131 129 131 163 162 163
41242 +166 165 166 174 174 174 174 174 174 163 162 163 125 124 125 41 54 63
41243 +13 16 17 4 0 0 4 0 0 4 0 0 1 0 0 2 2 2
41244 +4 4 4 4 4 4
41245 +1 1 1 2 1 0 43 57 68 137 136 137 153 152 153 153 152 153
41246 +163 162 163 156 155 156 165 164 165 167 166 167 60 74 84 6 6 6
41247 +4 0 0 4 0 0 5 5 5 4 4 4 4 4 4 4 4 4
41248 +4 5 5 6 6 6 4 3 3 0 0 0 0 0 0 11 15 18
41249 +40 71 93 100 139 164 101 161 196 101 161 196 101 161 196 101 161 196
41250 +101 161 196 101 161 196 101 161 196 101 161 196 136 185 209 136 185 209
41251 +101 161 196 45 69 86 6 6 6 0 0 0 17 23 27 55 98 126
41252 +136 185 209 146 190 211 136 185 209 136 185 209 136 185 209 136 185 209
41253 +136 185 209 136 185 209 90 154 193 22 40 52 7 11 13 50 82 103
41254 +136 185 209 136 185 209 53 118 160 22 40 52 7 11 13 2 5 5
41255 +3 4 3 37 38 37 125 124 125 157 156 157 166 165 166 167 166 167
41256 +174 174 174 174 174 174 137 136 137 60 73 81 4 0 0 4 0 0
41257 +4 0 0 4 0 0 5 5 5 3 3 3 3 3 3 4 4 4
41258 +4 4 4 4 4 4
41259 +4 0 0 4 0 0 41 54 63 137 136 137 125 124 125 131 129 131
41260 +155 154 155 167 166 167 174 174 174 60 74 84 6 6 6 4 0 0
41261 +4 3 3 6 6 6 4 4 4 4 4 4 4 4 4 5 5 5
41262 +4 4 4 1 1 1 0 0 0 3 6 7 41 65 82 72 125 159
41263 +101 161 196 101 161 196 101 161 196 90 154 193 90 154 193 101 161 196
41264 +101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 136 185 209
41265 +136 185 209 136 185 209 80 127 157 55 98 126 101 161 196 146 190 211
41266 +136 185 209 136 185 209 136 185 209 101 161 196 136 185 209 101 161 196
41267 +136 185 209 101 161 196 35 83 115 22 30 35 101 161 196 172 205 220
41268 +90 154 193 28 67 93 7 11 13 2 5 5 3 4 3 13 16 17
41269 +85 115 134 167 166 167 174 174 174 174 174 174 174 174 174 174 174 174
41270 +167 166 167 60 74 84 13 16 17 4 0 0 4 0 0 4 3 3
41271 +6 6 6 5 5 5 4 4 4 5 5 5 4 4 4 5 5 5
41272 +5 5 5 5 5 5
41273 +1 1 1 4 0 0 41 54 63 137 136 137 137 136 137 125 124 125
41274 +131 129 131 167 166 167 157 156 157 37 38 37 6 6 6 4 0 0
41275 +6 6 6 5 5 5 4 4 4 4 4 4 4 5 5 2 2 1
41276 +0 0 0 0 0 0 26 37 45 58 111 146 101 161 196 101 161 196
41277 +101 161 196 90 154 193 90 154 193 90 154 193 101 161 196 101 161 196
41278 +101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
41279 +101 161 196 136 185 209 136 185 209 136 185 209 146 190 211 136 185 209
41280 +136 185 209 101 161 196 136 185 209 136 185 209 101 161 196 136 185 209
41281 +101 161 196 136 185 209 136 185 209 136 185 209 136 185 209 16 89 141
41282 +7 11 13 2 5 5 2 5 5 13 16 17 60 73 81 154 154 154
41283 +174 174 174 174 174 174 174 174 174 174 174 174 163 162 163 125 124 125
41284 +24 26 27 4 0 0 4 0 0 4 0 0 5 5 5 5 5 5
41285 +4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 5 5 5
41286 +5 5 5 4 4 4
41287 +4 0 0 6 6 6 37 38 37 137 136 137 137 136 137 131 129 131
41288 +131 129 131 153 152 153 131 129 131 26 28 28 4 0 0 4 3 3
41289 +6 6 6 4 4 4 4 4 4 4 4 4 0 0 0 0 0 0
41290 +13 20 25 51 88 114 90 154 193 101 161 196 101 161 196 90 154 193
41291 +90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 101 161 196
41292 +101 161 196 101 161 196 101 161 196 101 161 196 136 185 209 101 161 196
41293 +101 161 196 136 185 209 101 161 196 136 185 209 136 185 209 101 161 196
41294 +136 185 209 101 161 196 136 185 209 101 161 196 101 161 196 101 161 196
41295 +136 185 209 136 185 209 136 185 209 37 112 160 21 29 34 5 7 8
41296 +2 5 5 13 16 17 43 57 68 131 129 131 174 174 174 174 174 174
41297 +174 174 174 167 166 167 157 156 157 125 124 125 37 38 37 4 0 0
41298 +4 0 0 4 0 0 5 5 5 5 5 5 4 4 4 4 4 4
41299 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41300 +4 4 4 4 4 4
41301 +1 1 1 4 0 0 41 54 63 153 152 153 137 136 137 137 136 137
41302 +137 136 137 153 152 153 125 124 125 24 26 27 4 0 0 3 2 2
41303 +4 4 4 4 4 4 4 3 3 4 0 0 3 6 7 43 61 72
41304 +64 123 161 101 161 196 90 154 193 90 154 193 90 154 193 90 154 193
41305 +90 154 193 90 154 193 90 154 193 90 154 193 101 161 196 90 154 193
41306 +101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
41307 +101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
41308 +136 185 209 101 161 196 101 161 196 136 185 209 136 185 209 101 161 196
41309 +101 161 196 90 154 193 28 67 93 13 16 17 7 11 13 3 6 7
41310 +37 51 59 125 124 125 163 162 163 174 174 174 167 166 167 166 165 166
41311 +167 166 167 131 129 131 60 73 81 4 0 0 4 0 0 4 0 0
41312 +3 3 3 5 5 5 6 6 6 4 4 4 4 4 4 4 4 4
41313 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41314 +4 4 4 4 4 4
41315 +4 0 0 4 0 0 41 54 63 137 136 137 153 152 153 137 136 137
41316 +153 152 153 157 156 157 125 124 125 24 26 27 0 0 0 2 2 2
41317 +4 4 4 4 4 4 2 0 0 0 0 0 28 67 93 90 154 193
41318 +90 154 193 90 154 193 90 154 193 90 154 193 64 123 161 90 154 193
41319 +90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 101 161 196
41320 +90 154 193 101 161 196 101 161 196 101 161 196 90 154 193 136 185 209
41321 +101 161 196 101 161 196 136 185 209 101 161 196 136 185 209 101 161 196
41322 +101 161 196 101 161 196 136 185 209 101 161 196 101 161 196 90 154 193
41323 +35 83 115 13 16 17 3 6 7 2 5 5 13 16 17 60 74 84
41324 +154 154 154 166 165 166 165 164 165 158 157 158 163 162 163 157 156 157
41325 +60 74 84 13 16 17 4 0 0 4 0 0 3 2 2 4 4 4
41326 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41327 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41328 +4 4 4 4 4 4
41329 +1 1 1 4 0 0 41 54 63 157 156 157 155 154 155 137 136 137
41330 +153 152 153 158 157 158 137 136 137 26 28 28 2 0 0 2 2 2
41331 +4 4 4 4 4 4 1 0 0 6 10 14 34 86 122 90 154 193
41332 +64 123 161 90 154 193 64 123 161 90 154 193 90 154 193 90 154 193
41333 +64 123 161 90 154 193 90 154 193 90 154 193 90 154 193 90 154 193
41334 +101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
41335 +101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
41336 +136 185 209 101 161 196 136 185 209 90 154 193 26 108 161 22 40 52
41337 +13 16 17 5 7 8 2 5 5 2 5 5 37 38 37 165 164 165
41338 +174 174 174 163 162 163 154 154 154 165 164 165 167 166 167 60 73 81
41339 +6 6 6 4 0 0 4 0 0 4 4 4 4 4 4 4 4 4
41340 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41341 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41342 +4 4 4 4 4 4
41343 +4 0 0 6 6 6 41 54 63 156 155 156 158 157 158 153 152 153
41344 +156 155 156 165 164 165 137 136 137 26 28 28 0 0 0 2 2 2
41345 +4 4 5 4 4 4 2 0 0 7 12 15 31 96 139 64 123 161
41346 +90 154 193 64 123 161 90 154 193 90 154 193 64 123 161 90 154 193
41347 +90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 90 154 193
41348 +90 154 193 90 154 193 90 154 193 101 161 196 101 161 196 101 161 196
41349 +101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 136 185 209
41350 +101 161 196 136 185 209 26 108 161 22 40 52 7 11 13 5 7 8
41351 +2 5 5 2 5 5 2 5 5 2 2 1 37 38 37 158 157 158
41352 +174 174 174 154 154 154 156 155 156 167 166 167 165 164 165 37 38 37
41353 +4 0 0 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
41354 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41355 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41356 +4 4 4 4 4 4
41357 +3 1 0 4 0 0 60 73 81 157 156 157 163 162 163 153 152 153
41358 +158 157 158 167 166 167 137 136 137 26 28 28 2 0 0 2 2 2
41359 +4 5 5 4 4 4 4 0 0 7 12 15 24 86 132 26 108 161
41360 +37 112 160 64 123 161 90 154 193 64 123 161 90 154 193 90 154 193
41361 +90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 90 154 193
41362 +90 154 193 101 161 196 90 154 193 101 161 196 101 161 196 101 161 196
41363 +101 161 196 101 161 196 101 161 196 136 185 209 101 161 196 136 185 209
41364 +90 154 193 35 83 115 13 16 17 13 16 17 7 11 13 3 6 7
41365 +5 7 8 6 6 6 3 4 3 2 2 1 30 32 34 154 154 154
41366 +167 166 167 154 154 154 154 154 154 174 174 174 165 164 165 37 38 37
41367 +6 6 6 4 0 0 6 6 6 4 4 4 4 4 4 4 4 4
41368 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41369 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41370 +4 4 4 4 4 4
41371 +4 0 0 4 0 0 41 54 63 163 162 163 166 165 166 154 154 154
41372 +163 162 163 174 174 174 137 136 137 26 28 28 0 0 0 2 2 2
41373 +4 5 5 4 4 5 1 1 2 6 10 14 28 67 93 18 97 151
41374 +18 97 151 18 97 151 26 108 161 37 112 160 37 112 160 90 154 193
41375 +64 123 161 90 154 193 90 154 193 90 154 193 90 154 193 101 161 196
41376 +90 154 193 101 161 196 101 161 196 90 154 193 101 161 196 101 161 196
41377 +101 161 196 101 161 196 101 161 196 136 185 209 90 154 193 16 89 141
41378 +13 20 25 7 11 13 5 7 8 5 7 8 2 5 5 4 5 5
41379 +3 4 3 4 5 5 3 4 3 0 0 0 37 38 37 158 157 158
41380 +174 174 174 158 157 158 158 157 158 167 166 167 174 174 174 41 54 63
41381 +4 0 0 3 2 2 5 5 5 4 4 4 4 4 4 4 4 4
41382 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41383 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41384 +4 4 4 4 4 4
41385 +1 1 1 4 0 0 60 73 81 165 164 165 174 174 174 158 157 158
41386 +167 166 167 174 174 174 153 152 153 26 28 28 2 0 0 2 2 2
41387 +4 5 5 4 4 4 4 0 0 7 12 15 10 87 144 10 87 144
41388 +18 97 151 18 97 151 18 97 151 26 108 161 26 108 161 26 108 161
41389 +26 108 161 37 112 160 53 118 160 90 154 193 90 154 193 90 154 193
41390 +90 154 193 90 154 193 101 161 196 101 161 196 101 161 196 101 161 196
41391 +101 161 196 136 185 209 90 154 193 26 108 161 22 40 52 13 16 17
41392 +7 11 13 3 6 7 5 7 8 5 7 8 2 5 5 4 5 5
41393 +4 5 5 6 6 6 3 4 3 0 0 0 30 32 34 158 157 158
41394 +174 174 174 156 155 156 155 154 155 165 164 165 154 153 154 37 38 37
41395 +4 0 0 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
41396 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41397 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41398 +4 4 4 4 4 4
41399 +4 0 0 4 0 0 60 73 81 167 166 167 174 174 174 163 162 163
41400 +174 174 174 174 174 174 153 152 153 26 28 28 0 0 0 3 3 3
41401 +5 5 5 4 4 4 1 1 2 7 12 15 28 67 93 18 97 151
41402 +18 97 151 18 97 151 18 97 151 18 97 151 18 97 151 26 108 161
41403 +26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
41404 +90 154 193 26 108 161 90 154 193 90 154 193 90 154 193 101 161 196
41405 +101 161 196 26 108 161 22 40 52 13 16 17 7 11 13 2 5 5
41406 +2 5 5 6 6 6 2 5 5 4 5 5 4 5 5 4 5 5
41407 +3 4 3 5 5 5 3 4 3 2 0 0 30 32 34 137 136 137
41408 +153 152 153 137 136 137 131 129 131 137 136 137 131 129 131 37 38 37
41409 +4 0 0 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
41410 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41411 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41412 +4 4 4 4 4 4
41413 +1 1 1 4 0 0 60 73 81 167 166 167 174 174 174 166 165 166
41414 +174 174 174 177 184 187 153 152 153 30 32 34 1 0 0 3 3 3
41415 +5 5 5 4 3 3 4 0 0 7 12 15 10 87 144 10 87 144
41416 +18 97 151 18 97 151 18 97 151 26 108 161 26 108 161 26 108 161
41417 +26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
41418 +26 108 161 26 108 161 26 108 161 90 154 193 90 154 193 26 108 161
41419 +35 83 115 13 16 17 7 11 13 5 7 8 3 6 7 5 7 8
41420 +2 5 5 6 6 6 4 5 5 4 5 5 3 4 3 4 5 5
41421 +3 4 3 6 6 6 3 4 3 0 0 0 26 28 28 125 124 125
41422 +131 129 131 125 124 125 125 124 125 131 129 131 131 129 131 37 38 37
41423 +4 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
41424 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41425 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41426 +4 4 4 4 4 4
41427 +3 1 0 4 0 0 60 73 81 174 174 174 177 184 187 167 166 167
41428 +174 174 174 177 184 187 153 152 153 30 32 34 0 0 0 3 3 3
41429 +5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 18 97 151
41430 +18 97 151 18 97 151 18 97 151 18 97 151 18 97 151 26 108 161
41431 +26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
41432 +26 108 161 90 154 193 26 108 161 26 108 161 24 86 132 13 20 25
41433 +7 11 13 13 20 25 22 40 52 5 7 8 3 4 3 3 4 3
41434 +4 5 5 3 4 3 4 5 5 3 4 3 4 5 5 3 4 3
41435 +4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 125 124 125
41436 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
41437 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
41438 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41439 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41440 +4 4 4 4 4 4
41441 +1 1 1 4 0 0 60 73 81 174 174 174 177 184 187 174 174 174
41442 +174 174 174 190 197 201 157 156 157 30 32 34 1 0 0 3 3 3
41443 +5 5 5 4 3 3 4 0 0 7 12 15 10 87 144 10 87 144
41444 +18 97 151 19 95 150 19 95 150 18 97 151 18 97 151 26 108 161
41445 +18 97 151 26 108 161 26 108 161 26 108 161 26 108 161 90 154 193
41446 +26 108 161 26 108 161 26 108 161 22 40 52 2 5 5 3 4 3
41447 +28 67 93 37 112 160 34 86 122 2 5 5 3 4 3 3 4 3
41448 +3 4 3 3 4 3 3 4 3 2 2 1 3 4 3 4 4 4
41449 +4 5 5 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
41450 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
41451 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
41452 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41453 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41454 +4 4 4 4 4 4
41455 +4 0 0 4 0 0 60 73 81 174 174 174 177 184 187 174 174 174
41456 +174 174 174 190 197 201 158 157 158 30 32 34 0 0 0 2 2 2
41457 +5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 18 97 151
41458 +10 87 144 19 95 150 19 95 150 18 97 151 18 97 151 18 97 151
41459 +26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
41460 +18 97 151 22 40 52 2 5 5 2 2 1 22 40 52 26 108 161
41461 +90 154 193 37 112 160 22 40 52 3 4 3 13 20 25 22 30 35
41462 +3 6 7 1 1 1 2 2 2 6 9 11 5 5 5 4 3 3
41463 +4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 131 129 131
41464 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
41465 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
41466 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41467 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41468 +4 4 4 4 4 4
41469 +1 1 1 4 0 0 60 73 81 177 184 187 193 200 203 174 174 174
41470 +177 184 187 193 200 203 163 162 163 30 32 34 4 0 0 2 2 2
41471 +5 5 5 4 3 3 4 0 0 6 10 14 24 86 132 10 87 144
41472 +10 87 144 10 87 144 19 95 150 19 95 150 19 95 150 18 97 151
41473 +26 108 161 26 108 161 26 108 161 90 154 193 26 108 161 28 67 93
41474 +6 10 14 2 5 5 13 20 25 24 86 132 37 112 160 90 154 193
41475 +10 87 144 7 12 15 2 5 5 28 67 93 37 112 160 28 67 93
41476 +2 2 1 7 12 15 35 83 115 28 67 93 3 6 7 1 0 0
41477 +4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
41478 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
41479 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
41480 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41481 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41482 +4 4 4 4 4 4
41483 +4 0 0 4 0 0 60 73 81 174 174 174 190 197 201 174 174 174
41484 +177 184 187 193 200 203 163 162 163 30 32 34 0 0 0 2 2 2
41485 +5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 10 87 144
41486 +10 87 144 16 89 141 19 95 150 10 87 144 26 108 161 26 108 161
41487 +26 108 161 26 108 161 26 108 161 28 67 93 6 10 14 1 1 2
41488 +7 12 15 28 67 93 26 108 161 16 89 141 24 86 132 21 29 34
41489 +3 4 3 21 29 34 37 112 160 37 112 160 27 99 146 21 29 34
41490 +21 29 34 26 108 161 90 154 193 35 83 115 1 1 2 2 0 0
41491 +4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 125 124 125
41492 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
41493 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
41494 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41495 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41496 +4 4 4 4 4 4
41497 +3 1 0 4 0 0 60 73 81 193 200 203 193 200 203 174 174 174
41498 +190 197 201 193 200 203 165 164 165 37 38 37 4 0 0 2 2 2
41499 +5 5 5 4 3 3 4 0 0 6 10 14 24 86 132 10 87 144
41500 +10 87 144 10 87 144 16 89 141 18 97 151 18 97 151 10 87 144
41501 +24 86 132 24 86 132 13 20 25 4 5 7 4 5 7 22 40 52
41502 +18 97 151 37 112 160 26 108 161 7 12 15 1 1 1 0 0 0
41503 +28 67 93 37 112 160 26 108 161 28 67 93 22 40 52 28 67 93
41504 +26 108 161 90 154 193 26 108 161 10 87 144 0 0 0 2 0 0
41505 +4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
41506 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
41507 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
41508 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41509 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41510 +4 4 4 4 4 4
41511 +4 0 0 6 6 6 60 73 81 174 174 174 193 200 203 174 174 174
41512 +190 197 201 193 200 203 165 164 165 30 32 34 0 0 0 2 2 2
41513 +5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 10 87 144
41514 +10 87 144 10 87 144 10 87 144 18 97 151 28 67 93 6 10 14
41515 +0 0 0 1 1 2 4 5 7 13 20 25 16 89 141 26 108 161
41516 +26 108 161 26 108 161 24 86 132 6 9 11 2 3 3 22 40 52
41517 +37 112 160 16 89 141 22 40 52 28 67 93 26 108 161 26 108 161
41518 +90 154 193 26 108 161 26 108 161 28 67 93 1 1 1 4 0 0
41519 +4 4 4 5 5 5 3 3 3 4 0 0 26 28 28 124 126 130
41520 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
41521 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
41522 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41523 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41524 +4 4 4 4 4 4
41525 +4 0 0 4 0 0 60 73 81 193 200 203 193 200 203 174 174 174
41526 +193 200 203 193 200 203 167 166 167 37 38 37 4 0 0 2 2 2
41527 +5 5 5 4 4 4 4 0 0 6 10 14 28 67 93 10 87 144
41528 +10 87 144 10 87 144 18 97 151 10 87 144 13 20 25 4 5 7
41529 +1 1 2 1 1 1 22 40 52 26 108 161 26 108 161 26 108 161
41530 +26 108 161 26 108 161 26 108 161 24 86 132 22 40 52 22 40 52
41531 +22 40 52 22 40 52 10 87 144 26 108 161 26 108 161 26 108 161
41532 +26 108 161 26 108 161 90 154 193 10 87 144 0 0 0 4 0 0
41533 +4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
41534 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
41535 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
41536 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41537 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41538 +4 4 4 4 4 4
41539 +4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
41540 +190 197 201 205 212 215 167 166 167 30 32 34 0 0 0 2 2 2
41541 +5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 10 87 144
41542 +10 87 144 10 87 144 10 87 144 10 87 144 22 40 52 1 1 2
41543 +2 0 0 1 1 2 24 86 132 26 108 161 26 108 161 26 108 161
41544 +26 108 161 19 95 150 16 89 141 10 87 144 22 40 52 22 40 52
41545 +10 87 144 26 108 161 37 112 160 26 108 161 26 108 161 26 108 161
41546 +26 108 161 26 108 161 26 108 161 28 67 93 2 0 0 3 1 0
41547 +4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 131 129 131
41548 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
41549 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
41550 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41551 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41552 +4 4 4 4 4 4
41553 +4 0 0 4 0 0 60 73 81 220 221 221 190 197 201 174 174 174
41554 +193 200 203 193 200 203 174 174 174 37 38 37 4 0 0 2 2 2
41555 +5 5 5 4 4 4 3 2 2 1 1 2 13 20 25 10 87 144
41556 +10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 13 20 25
41557 +13 20 25 22 40 52 10 87 144 18 97 151 18 97 151 26 108 161
41558 +10 87 144 13 20 25 6 10 14 21 29 34 24 86 132 18 97 151
41559 +26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
41560 +26 108 161 90 154 193 18 97 151 13 20 25 0 0 0 4 3 3
41561 +4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
41562 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
41563 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
41564 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41565 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41566 +4 4 4 4 4 4
41567 +4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
41568 +190 197 201 220 221 221 167 166 167 30 32 34 1 0 0 2 2 2
41569 +5 5 5 4 4 4 4 4 5 2 5 5 4 5 7 13 20 25
41570 +28 67 93 10 87 144 10 87 144 10 87 144 10 87 144 10 87 144
41571 +10 87 144 10 87 144 18 97 151 10 87 144 18 97 151 18 97 151
41572 +28 67 93 2 3 3 0 0 0 28 67 93 26 108 161 26 108 161
41573 +26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
41574 +26 108 161 10 87 144 13 20 25 1 1 2 3 2 2 4 4 4
41575 +4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 131 129 131
41576 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
41577 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
41578 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41579 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41580 +4 4 4 4 4 4
41581 +4 0 0 4 0 0 60 73 81 220 221 221 190 197 201 174 174 174
41582 +193 200 203 193 200 203 174 174 174 26 28 28 4 0 0 4 3 3
41583 +5 5 5 4 4 4 4 4 4 4 4 5 1 1 2 2 5 5
41584 +4 5 7 22 40 52 10 87 144 10 87 144 18 97 151 10 87 144
41585 +10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 18 97 151
41586 +10 87 144 28 67 93 22 40 52 10 87 144 26 108 161 18 97 151
41587 +18 97 151 18 97 151 26 108 161 26 108 161 26 108 161 26 108 161
41588 +22 40 52 1 1 2 0 0 0 2 3 3 4 4 4 4 4 4
41589 +4 4 4 5 5 5 4 4 4 0 0 0 26 28 28 131 129 131
41590 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
41591 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
41592 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41593 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41594 +4 4 4 4 4 4
41595 +4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
41596 +190 197 201 220 221 221 190 197 201 41 54 63 4 0 0 2 2 2
41597 +6 6 6 4 4 4 4 4 4 4 4 5 4 4 5 3 3 3
41598 +1 1 2 1 1 2 6 10 14 22 40 52 10 87 144 18 97 151
41599 +18 97 151 10 87 144 10 87 144 10 87 144 18 97 151 10 87 144
41600 +10 87 144 18 97 151 26 108 161 18 97 151 18 97 151 10 87 144
41601 +26 108 161 26 108 161 26 108 161 10 87 144 28 67 93 6 10 14
41602 +1 1 2 1 1 2 4 3 3 4 4 5 4 4 4 4 4 4
41603 +5 5 5 5 5 5 1 1 1 4 0 0 37 51 59 137 136 137
41604 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
41605 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
41606 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41607 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41608 +4 4 4 4 4 4
41609 +4 0 0 4 0 0 60 73 81 220 221 221 193 200 203 174 174 174
41610 +193 200 203 193 200 203 220 221 221 137 136 137 13 16 17 4 0 0
41611 +2 2 2 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5
41612 +4 4 5 4 3 3 1 1 2 4 5 7 13 20 25 28 67 93
41613 +10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 10 87 144
41614 +10 87 144 18 97 151 18 97 151 10 87 144 18 97 151 26 108 161
41615 +26 108 161 18 97 151 28 67 93 6 10 14 0 0 0 0 0 0
41616 +2 3 3 4 5 5 4 4 5 4 4 4 4 4 4 5 5 5
41617 +3 3 3 1 1 1 0 0 0 16 19 21 125 124 125 137 136 137
41618 +131 129 131 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
41619 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
41620 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41621 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41622 +4 4 4 4 4 4
41623 +4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
41624 +193 200 203 190 197 201 220 221 221 220 221 221 153 152 153 30 32 34
41625 +0 0 0 0 0 0 2 2 2 4 4 4 4 4 4 4 4 4
41626 +4 4 4 4 5 5 4 5 7 1 1 2 1 1 2 4 5 7
41627 +13 20 25 28 67 93 10 87 144 18 97 151 10 87 144 10 87 144
41628 +10 87 144 10 87 144 10 87 144 18 97 151 26 108 161 18 97 151
41629 +28 67 93 7 12 15 0 0 0 0 0 0 2 2 1 4 4 4
41630 +4 5 5 4 5 5 4 4 4 4 4 4 3 3 3 0 0 0
41631 +0 0 0 0 0 0 37 38 37 125 124 125 158 157 158 131 129 131
41632 +125 124 125 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
41633 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
41634 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41635 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41636 +4 4 4 4 4 4
41637 +4 3 3 4 0 0 41 54 63 193 200 203 220 221 221 174 174 174
41638 +193 200 203 193 200 203 193 200 203 220 221 221 244 246 246 193 200 203
41639 +120 125 127 5 5 5 1 0 0 0 0 0 1 1 1 4 4 4
41640 +4 4 4 4 4 4 4 5 5 4 5 5 4 4 5 1 1 2
41641 +4 5 7 4 5 7 22 40 52 10 87 144 10 87 144 10 87 144
41642 +10 87 144 10 87 144 18 97 151 10 87 144 10 87 144 13 20 25
41643 +4 5 7 2 3 3 1 1 2 4 4 4 4 5 5 4 4 4
41644 +4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 1 1 2
41645 +24 26 27 60 74 84 153 152 153 163 162 163 137 136 137 125 124 125
41646 +125 124 125 125 124 125 125 124 125 137 136 137 125 124 125 26 28 28
41647 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
41648 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41649 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41650 +4 4 4 4 4 4
41651 +4 0 0 6 6 6 26 28 28 156 155 156 220 221 221 220 221 221
41652 +174 174 174 193 200 203 193 200 203 193 200 203 205 212 215 220 221 221
41653 +220 221 221 167 166 167 60 73 81 7 11 13 0 0 0 0 0 0
41654 +3 3 3 4 4 4 4 4 4 4 4 4 4 4 5 4 4 5
41655 +4 4 5 1 1 2 1 1 2 4 5 7 22 40 52 10 87 144
41656 +10 87 144 10 87 144 10 87 144 22 40 52 4 5 7 1 1 2
41657 +1 1 2 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4
41658 +5 5 5 2 2 2 0 0 0 4 0 0 16 19 21 60 73 81
41659 +137 136 137 167 166 167 158 157 158 137 136 137 131 129 131 131 129 131
41660 +125 124 125 125 124 125 131 129 131 155 154 155 60 74 84 5 7 8
41661 +0 0 0 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41662 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41663 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41664 +4 4 4 4 4 4
41665 +5 5 5 4 0 0 4 0 0 60 73 81 193 200 203 220 221 221
41666 +193 200 203 193 200 203 193 200 203 193 200 203 205 212 215 220 221 221
41667 +220 221 221 220 221 221 220 221 221 137 136 137 43 57 68 6 6 6
41668 +4 0 0 1 1 1 4 4 4 4 4 4 4 4 4 4 4 4
41669 +4 4 5 4 4 5 3 2 2 1 1 2 2 5 5 13 20 25
41670 +22 40 52 22 40 52 13 20 25 2 3 3 1 1 2 3 3 3
41671 +4 5 7 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41672 +1 1 1 0 0 0 2 3 3 41 54 63 131 129 131 166 165 166
41673 +166 165 166 155 154 155 153 152 153 137 136 137 137 136 137 125 124 125
41674 +125 124 125 137 136 137 137 136 137 125 124 125 37 38 37 4 3 3
41675 +4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
41676 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41677 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41678 +4 4 4 4 4 4
41679 +4 3 3 6 6 6 6 6 6 13 16 17 60 73 81 167 166 167
41680 +220 221 221 220 221 221 220 221 221 193 200 203 193 200 203 193 200 203
41681 +205 212 215 220 221 221 220 221 221 244 246 246 205 212 215 125 124 125
41682 +24 26 27 0 0 0 0 0 0 2 2 2 5 5 5 5 5 5
41683 +4 4 4 4 4 4 4 4 4 4 4 5 1 1 2 4 5 7
41684 +4 5 7 4 5 7 1 1 2 3 2 2 4 4 5 4 4 4
41685 +4 4 4 4 4 4 5 5 5 4 4 4 0 0 0 0 0 0
41686 +2 0 0 26 28 28 125 124 125 174 174 174 174 174 174 166 165 166
41687 +156 155 156 153 152 153 137 136 137 137 136 137 131 129 131 137 136 137
41688 +137 136 137 137 136 137 60 74 84 30 32 34 4 0 0 4 0 0
41689 +5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41690 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41691 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41692 +4 4 4 4 4 4
41693 +5 5 5 6 6 6 4 0 0 4 0 0 6 6 6 26 28 28
41694 +125 124 125 174 174 174 220 221 221 220 221 221 220 221 221 193 200 203
41695 +205 212 215 220 221 221 205 212 215 220 221 221 220 221 221 244 246 246
41696 +193 200 203 60 74 84 13 16 17 4 0 0 0 0 0 3 3 3
41697 +5 5 5 5 5 5 4 4 4 4 4 4 4 4 5 3 3 3
41698 +1 1 2 3 3 3 4 4 5 4 4 5 4 4 4 4 4 4
41699 +5 5 5 5 5 5 2 2 2 0 0 0 0 0 0 13 16 17
41700 +60 74 84 174 174 174 193 200 203 174 174 174 167 166 167 163 162 163
41701 +153 152 153 153 152 153 137 136 137 137 136 137 153 152 153 137 136 137
41702 +125 124 125 41 54 63 24 26 27 4 0 0 4 0 0 5 5 5
41703 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41704 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41705 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41706 +4 4 4 4 4 4
41707 +4 3 3 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6
41708 +6 6 6 37 38 37 131 129 131 220 221 221 220 221 221 220 221 221
41709 +193 200 203 193 200 203 220 221 221 205 212 215 220 221 221 244 246 246
41710 +244 246 246 244 246 246 174 174 174 41 54 63 0 0 0 0 0 0
41711 +0 0 0 4 4 4 5 5 5 5 5 5 4 4 4 4 4 5
41712 +4 4 5 4 4 5 4 4 4 4 4 4 6 6 6 6 6 6
41713 +3 3 3 0 0 0 2 0 0 13 16 17 60 73 81 156 155 156
41714 +220 221 221 193 200 203 174 174 174 165 164 165 163 162 163 154 153 154
41715 +153 152 153 153 152 153 158 157 158 163 162 163 137 136 137 60 73 81
41716 +13 16 17 4 0 0 4 0 0 4 3 3 4 4 4 4 4 4
41717 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41718 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41719 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41720 +4 4 4 4 4 4
41721 +5 5 5 4 3 3 4 3 3 6 6 6 6 6 6 6 6 6
41722 +6 6 6 6 6 6 6 6 6 37 38 37 167 166 167 244 246 246
41723 +244 246 246 220 221 221 205 212 215 205 212 215 220 221 221 193 200 203
41724 +220 221 221 244 246 246 244 246 246 244 246 246 137 136 137 37 38 37
41725 +3 2 2 0 0 0 1 1 1 5 5 5 5 5 5 4 4 4
41726 +4 4 4 4 4 4 4 4 4 5 5 5 4 4 4 1 1 1
41727 +0 0 0 5 5 5 43 57 68 153 152 153 193 200 203 220 221 221
41728 +177 184 187 174 174 174 167 166 167 166 165 166 158 157 158 157 156 157
41729 +158 157 158 166 165 166 156 155 156 85 115 134 13 16 17 4 0 0
41730 +4 0 0 4 0 0 5 5 5 5 5 5 4 4 4 4 4 4
41731 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41732 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41733 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41734 +4 4 4 4 4 4
41735 +5 5 5 4 3 3 6 6 6 6 6 6 4 0 0 6 6 6
41736 +6 6 6 6 6 6 6 6 6 6 6 6 13 16 17 60 73 81
41737 +177 184 187 220 221 221 220 221 221 220 221 221 205 212 215 220 221 221
41738 +220 221 221 205 212 215 220 221 221 244 246 246 244 246 246 205 212 215
41739 +125 124 125 30 32 34 0 0 0 0 0 0 2 2 2 5 5 5
41740 +4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 1 0 0
41741 +37 38 37 131 129 131 205 212 215 220 221 221 193 200 203 174 174 174
41742 +174 174 174 174 174 174 167 166 167 165 164 165 166 165 166 167 166 167
41743 +158 157 158 125 124 125 37 38 37 4 0 0 4 0 0 4 0 0
41744 +4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
41745 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41746 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41747 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41748 +4 4 4 4 4 4
41749 +4 4 4 5 5 5 4 3 3 4 3 3 6 6 6 6 6 6
41750 +4 0 0 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6
41751 +26 28 28 125 124 125 205 212 215 220 221 221 220 221 221 220 221 221
41752 +205 212 215 220 221 221 205 212 215 220 221 221 220 221 221 244 246 246
41753 +244 246 246 190 197 201 60 74 84 16 19 21 4 0 0 0 0 0
41754 +0 0 0 0 0 0 0 0 0 0 0 0 16 19 21 120 125 127
41755 +177 184 187 220 221 221 205 212 215 177 184 187 174 174 174 177 184 187
41756 +174 174 174 174 174 174 167 166 167 174 174 174 166 165 166 137 136 137
41757 +60 73 81 13 16 17 4 0 0 4 0 0 4 3 3 6 6 6
41758 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41759 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41760 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41761 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41762 +4 4 4 4 4 4
41763 +5 5 5 4 3 3 5 5 5 4 3 3 6 6 6 4 0 0
41764 +6 6 6 6 6 6 4 0 0 6 6 6 4 0 0 6 6 6
41765 +6 6 6 6 6 6 37 38 37 137 136 137 193 200 203 220 221 221
41766 +220 221 221 205 212 215 220 221 221 205 212 215 205 212 215 220 221 221
41767 +220 221 221 220 221 221 244 246 246 166 165 166 43 57 68 2 2 2
41768 +0 0 0 4 0 0 16 19 21 60 73 81 157 156 157 202 210 214
41769 +220 221 221 193 200 203 177 184 187 177 184 187 177 184 187 174 174 174
41770 +174 174 174 174 174 174 174 174 174 157 156 157 60 74 84 24 26 27
41771 +4 0 0 4 0 0 4 0 0 6 6 6 4 4 4 4 4 4
41772 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41773 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41774 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41775 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41776 +4 4 4 4 4 4
41777 +4 4 4 4 4 4 5 5 5 4 3 3 5 5 5 6 6 6
41778 +6 6 6 4 0 0 6 6 6 6 6 6 6 6 6 4 0 0
41779 +4 0 0 4 0 0 6 6 6 24 26 27 60 73 81 167 166 167
41780 +220 221 221 220 221 221 220 221 221 205 212 215 205 212 215 205 212 215
41781 +205 212 215 220 221 221 220 221 221 220 221 221 205 212 215 137 136 137
41782 +60 74 84 125 124 125 137 136 137 190 197 201 220 221 221 193 200 203
41783 +177 184 187 177 184 187 177 184 187 174 174 174 174 174 174 177 184 187
41784 +190 197 201 174 174 174 125 124 125 37 38 37 6 6 6 4 0 0
41785 +4 0 0 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41786 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41787 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41788 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41789 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41790 +4 4 4 4 4 4
41791 +4 4 4 4 4 4 5 5 5 5 5 5 4 3 3 6 6 6
41792 +4 0 0 6 6 6 6 6 6 6 6 6 4 0 0 6 6 6
41793 +6 6 6 6 6 6 4 0 0 4 0 0 6 6 6 6 6 6
41794 +125 124 125 193 200 203 244 246 246 220 221 221 205 212 215 205 212 215
41795 +205 212 215 193 200 203 205 212 215 205 212 215 220 221 221 220 221 221
41796 +193 200 203 193 200 203 205 212 215 193 200 203 193 200 203 177 184 187
41797 +190 197 201 190 197 201 174 174 174 190 197 201 193 200 203 190 197 201
41798 +153 152 153 60 73 81 4 0 0 4 0 0 4 0 0 3 2 2
41799 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41800 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41801 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41802 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41803 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41804 +4 4 4 4 4 4
41805 +4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 4 3 3
41806 +6 6 6 4 3 3 4 3 3 4 3 3 6 6 6 6 6 6
41807 +4 0 0 6 6 6 6 6 6 6 6 6 4 0 0 4 0 0
41808 +4 0 0 26 28 28 131 129 131 220 221 221 244 246 246 220 221 221
41809 +205 212 215 193 200 203 205 212 215 193 200 203 193 200 203 205 212 215
41810 +220 221 221 193 200 203 193 200 203 193 200 203 190 197 201 174 174 174
41811 +174 174 174 190 197 201 193 200 203 193 200 203 167 166 167 125 124 125
41812 +6 6 6 4 0 0 4 0 0 4 3 3 4 4 4 4 4 4
41813 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41814 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41815 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41816 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41817 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41818 +4 4 4 4 4 4
41819 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
41820 +5 5 5 4 3 3 5 5 5 6 6 6 4 3 3 5 5 5
41821 +6 6 6 6 6 6 4 0 0 6 6 6 6 6 6 6 6 6
41822 +4 0 0 4 0 0 6 6 6 41 54 63 158 157 158 220 221 221
41823 +220 221 221 220 221 221 193 200 203 193 200 203 193 200 203 190 197 201
41824 +190 197 201 190 197 201 190 197 201 190 197 201 174 174 174 193 200 203
41825 +193 200 203 220 221 221 174 174 174 125 124 125 37 38 37 4 0 0
41826 +4 0 0 4 3 3 6 6 6 4 4 4 4 4 4 4 4 4
41827 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41828 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41829 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41830 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41831 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41832 +4 4 4 4 4 4
41833 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41834 +4 4 4 5 5 5 4 3 3 4 3 3 4 3 3 5 5 5
41835 +4 3 3 6 6 6 5 5 5 4 3 3 6 6 6 6 6 6
41836 +6 6 6 6 6 6 4 0 0 4 0 0 13 16 17 60 73 81
41837 +174 174 174 220 221 221 220 221 221 205 212 215 190 197 201 174 174 174
41838 +193 200 203 174 174 174 190 197 201 174 174 174 193 200 203 220 221 221
41839 +193 200 203 131 129 131 37 38 37 6 6 6 4 0 0 4 0 0
41840 +6 6 6 6 6 6 4 3 3 5 5 5 4 4 4 4 4 4
41841 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41842 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41843 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41844 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41845 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41846 +4 4 4 4 4 4
41847 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41848 +4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 5 5 5
41849 +5 5 5 4 3 3 4 3 3 5 5 5 4 3 3 4 3 3
41850 +5 5 5 6 6 6 6 6 6 4 0 0 6 6 6 6 6 6
41851 +6 6 6 125 124 125 174 174 174 220 221 221 220 221 221 193 200 203
41852 +193 200 203 193 200 203 193 200 203 193 200 203 220 221 221 158 157 158
41853 +60 73 81 6 6 6 4 0 0 4 0 0 5 5 5 6 6 6
41854 +5 5 5 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
41855 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41856 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41857 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41858 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41859 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41860 +4 4 4 4 4 4
41861 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41862 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41863 +4 4 4 5 5 5 5 5 5 4 3 3 5 5 5 4 3 3
41864 +5 5 5 5 5 5 6 6 6 6 6 6 4 0 0 4 0 0
41865 +4 0 0 4 0 0 26 28 28 125 124 125 174 174 174 193 200 203
41866 +193 200 203 174 174 174 193 200 203 167 166 167 125 124 125 6 6 6
41867 +6 6 6 6 6 6 4 0 0 6 6 6 6 6 6 5 5 5
41868 +4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
41869 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41870 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41871 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41872 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41873 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41874 +4 4 4 4 4 4
41875 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41876 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41877 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
41878 +4 3 3 6 6 6 4 0 0 6 6 6 6 6 6 6 6 6
41879 +6 6 6 4 0 0 4 0 0 6 6 6 37 38 37 125 124 125
41880 +153 152 153 131 129 131 125 124 125 37 38 37 6 6 6 6 6 6
41881 +6 6 6 4 0 0 6 6 6 6 6 6 4 3 3 5 5 5
41882 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41883 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41884 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41885 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41886 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41887 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41888 +4 4 4 4 4 4
41889 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41890 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41891 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41892 +4 4 4 5 5 5 5 5 5 4 3 3 5 5 5 4 3 3
41893 +6 6 6 6 6 6 4 0 0 4 0 0 6 6 6 6 6 6
41894 +24 26 27 24 26 27 6 6 6 6 6 6 6 6 6 4 0 0
41895 +6 6 6 6 6 6 4 0 0 6 6 6 5 5 5 4 3 3
41896 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41897 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41898 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41899 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41900 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41901 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41902 +4 4 4 4 4 4
41903 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41904 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41905 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41906 +4 4 4 4 4 4 5 5 5 4 3 3 5 5 5 6 6 6
41907 +4 0 0 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6
41908 +6 6 6 6 6 6 6 6 6 4 0 0 6 6 6 6 6 6
41909 +4 0 0 6 6 6 6 6 6 4 3 3 5 5 5 4 4 4
41910 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41911 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41912 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41913 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41914 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41915 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41916 +4 4 4 4 4 4
41917 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41918 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41919 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41920 +4 4 4 4 4 4 4 4 4 5 5 5 4 3 3 5 5 5
41921 +5 5 5 5 5 5 4 0 0 6 6 6 4 0 0 6 6 6
41922 +6 6 6 6 6 6 6 6 6 4 0 0 6 6 6 4 0 0
41923 +6 6 6 4 3 3 5 5 5 4 3 3 5 5 5 4 4 4
41924 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41925 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41926 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41927 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41928 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41929 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41930 +4 4 4 4 4 4
41931 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41932 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41933 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41934 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
41935 +4 3 3 6 6 6 4 3 3 6 6 6 6 6 6 6 6 6
41936 +4 0 0 6 6 6 4 0 0 6 6 6 6 6 6 6 6 6
41937 +6 6 6 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
41938 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41939 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41940 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41941 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41942 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41943 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41944 +4 4 4 4 4 4
41945 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41946 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41947 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41948 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41949 +4 4 4 5 5 5 4 3 3 5 5 5 4 0 0 6 6 6
41950 +6 6 6 4 0 0 6 6 6 6 6 6 4 0 0 6 6 6
41951 +4 3 3 5 5 5 5 5 5 4 4 4 4 4 4 4 4 4
41952 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41953 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41954 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41955 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41956 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41957 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41958 +4 4 4 4 4 4
41959 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41960 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41961 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41962 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41963 +4 4 4 5 5 5 4 3 3 5 5 5 6 6 6 4 3 3
41964 +4 3 3 6 6 6 6 6 6 4 3 3 6 6 6 4 3 3
41965 +5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41966 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41967 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41968 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41969 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41970 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41971 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41972 +4 4 4 4 4 4
41973 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41974 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41975 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41976 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41977 +4 4 4 4 4 4 4 4 4 5 5 5 4 3 3 6 6 6
41978 +5 5 5 4 3 3 4 3 3 4 3 3 5 5 5 5 5 5
41979 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41980 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41981 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41982 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41983 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41984 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41985 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41986 +4 4 4 4 4 4
41987 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41988 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41989 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41990 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41991 +4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 4 3 3
41992 +5 5 5 4 3 3 5 5 5 5 5 5 4 4 4 4 4 4
41993 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41994 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41995 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41996 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41997 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41998 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41999 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42000 +4 4 4 4 4 4
42001 diff -urNp linux-2.6.32.46/drivers/video/nvidia/nv_backlight.c linux-2.6.32.46/drivers/video/nvidia/nv_backlight.c
42002 --- linux-2.6.32.46/drivers/video/nvidia/nv_backlight.c 2011-03-27 14:31:47.000000000 -0400
42003 +++ linux-2.6.32.46/drivers/video/nvidia/nv_backlight.c 2011-04-17 15:56:46.000000000 -0400
42004 @@ -87,7 +87,7 @@ static int nvidia_bl_get_brightness(stru
42005 return bd->props.brightness;
42006 }
42007
42008 -static struct backlight_ops nvidia_bl_ops = {
42009 +static const struct backlight_ops nvidia_bl_ops = {
42010 .get_brightness = nvidia_bl_get_brightness,
42011 .update_status = nvidia_bl_update_status,
42012 };
42013 diff -urNp linux-2.6.32.46/drivers/video/riva/fbdev.c linux-2.6.32.46/drivers/video/riva/fbdev.c
42014 --- linux-2.6.32.46/drivers/video/riva/fbdev.c 2011-03-27 14:31:47.000000000 -0400
42015 +++ linux-2.6.32.46/drivers/video/riva/fbdev.c 2011-04-17 15:56:46.000000000 -0400
42016 @@ -331,7 +331,7 @@ static int riva_bl_get_brightness(struct
42017 return bd->props.brightness;
42018 }
42019
42020 -static struct backlight_ops riva_bl_ops = {
42021 +static const struct backlight_ops riva_bl_ops = {
42022 .get_brightness = riva_bl_get_brightness,
42023 .update_status = riva_bl_update_status,
42024 };
42025 diff -urNp linux-2.6.32.46/drivers/video/uvesafb.c linux-2.6.32.46/drivers/video/uvesafb.c
42026 --- linux-2.6.32.46/drivers/video/uvesafb.c 2011-03-27 14:31:47.000000000 -0400
42027 +++ linux-2.6.32.46/drivers/video/uvesafb.c 2011-04-17 15:56:46.000000000 -0400
42028 @@ -18,6 +18,7 @@
42029 #include <linux/fb.h>
42030 #include <linux/io.h>
42031 #include <linux/mutex.h>
42032 +#include <linux/moduleloader.h>
42033 #include <video/edid.h>
42034 #include <video/uvesafb.h>
42035 #ifdef CONFIG_X86
42036 @@ -120,7 +121,7 @@ static int uvesafb_helper_start(void)
42037 NULL,
42038 };
42039
42040 - return call_usermodehelper(v86d_path, argv, envp, 1);
42041 + return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
42042 }
42043
42044 /*
42045 @@ -568,10 +569,32 @@ static int __devinit uvesafb_vbe_getpmi(
42046 if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
42047 par->pmi_setpal = par->ypan = 0;
42048 } else {
42049 +
42050 +#ifdef CONFIG_PAX_KERNEXEC
42051 +#ifdef CONFIG_MODULES
42052 + par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
42053 +#endif
42054 + if (!par->pmi_code) {
42055 + par->pmi_setpal = par->ypan = 0;
42056 + return 0;
42057 + }
42058 +#endif
42059 +
42060 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
42061 + task->t.regs.edi);
42062 +
42063 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
42064 + pax_open_kernel();
42065 + memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
42066 + pax_close_kernel();
42067 +
42068 + par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
42069 + par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
42070 +#else
42071 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
42072 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
42073 +#endif
42074 +
42075 printk(KERN_INFO "uvesafb: protected mode interface info at "
42076 "%04x:%04x\n",
42077 (u16)task->t.regs.es, (u16)task->t.regs.edi);
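Review bot: The offsets `par->pmi_base[1]` and `par->pmi_base[2]` are read from the firmware-supplied table and added to `par->pmi_code` without being compared to the copied length `(u16)task->t.regs.ecx`, so `pmi_start` and `pmi_pal` can point outside the executable copy. Before the two `ktva_ktla()` assignments I would reject the table with a check such as `if (par->pmi_base[1] >= (u16)task->t.regs.ecx || par->pmi_base[2] >= (u16)task->t.regs.ecx)`. The rejection path should free `par->pmi_code`, set it to NULL, and clear `pmi_setpal`/`ypan` as the allocation-failure branch does. The same unchecked pattern appears in the vesafb.c hunk `@@ -325,9 +335,25 @@`, where `pmi_base[1]` and `pmi_base[2]` are added to `pmi_code` after a `memcpy` of `screen_info.vesapm_size` bytes. uvesafb_vbe_getpmi starts and ends outside this hunk.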
42078 @@ -1799,6 +1822,11 @@ out:
42079 if (par->vbe_modes)
42080 kfree(par->vbe_modes);
42081
42082 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
42083 + if (par->pmi_code)
42084 + module_free_exec(NULL, par->pmi_code);
42085 +#endif
42086 +
42087 framebuffer_release(info);
42088 return err;
42089 }
42090 @@ -1825,6 +1853,12 @@ static int uvesafb_remove(struct platfor
42091 kfree(par->vbe_state_orig);
42092 if (par->vbe_state_saved)
42093 kfree(par->vbe_state_saved);
42094 +
42095 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
42096 + if (par->pmi_code)
42097 + module_free_exec(NULL, par->pmi_code);
42098 +#endif
42099 +
42100 }
42101
42102 framebuffer_release(info);
42103 diff -urNp linux-2.6.32.46/drivers/video/vesafb.c linux-2.6.32.46/drivers/video/vesafb.c
42104 --- linux-2.6.32.46/drivers/video/vesafb.c 2011-03-27 14:31:47.000000000 -0400
42105 +++ linux-2.6.32.46/drivers/video/vesafb.c 2011-08-05 20:33:55.000000000 -0400
42106 @@ -9,6 +9,7 @@
42107 */
42108
42109 #include <linux/module.h>
42110 +#include <linux/moduleloader.h>
42111 #include <linux/kernel.h>
42112 #include <linux/errno.h>
42113 #include <linux/string.h>
42114 @@ -53,8 +54,8 @@ static int vram_remap __initdata; /*
42115 static int vram_total __initdata; /* Set total amount of memory */
42116 static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
42117 static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
42118 -static void (*pmi_start)(void) __read_mostly;
42119 -static void (*pmi_pal) (void) __read_mostly;
42120 +static void (*pmi_start)(void) __read_only;
42121 +static void (*pmi_pal) (void) __read_only;
42122 static int depth __read_mostly;
42123 static int vga_compat __read_mostly;
42124 /* --------------------------------------------------------------------- */
42125 @@ -233,6 +234,7 @@ static int __init vesafb_probe(struct pl
42126 unsigned int size_vmode;
42127 unsigned int size_remap;
42128 unsigned int size_total;
42129 + void *pmi_code = NULL;
42130
42131 if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
42132 return -ENODEV;
42133 @@ -275,10 +277,6 @@ static int __init vesafb_probe(struct pl
42134 size_remap = size_total;
42135 vesafb_fix.smem_len = size_remap;
42136
42137 -#ifndef __i386__
42138 - screen_info.vesapm_seg = 0;
42139 -#endif
42140 -
42141 if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
42142 printk(KERN_WARNING
42143 "vesafb: cannot reserve video memory at 0x%lx\n",
42144 @@ -315,9 +313,21 @@ static int __init vesafb_probe(struct pl
42145 printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
42146 vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
42147
42148 +#ifdef __i386__
42149 +
42150 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
42151 + pmi_code = module_alloc_exec(screen_info.vesapm_size);
42152 + if (!pmi_code)
42153 +#elif !defined(CONFIG_PAX_KERNEXEC)
42154 + if (0)
42155 +#endif
42156 +
42157 +#endif
42158 + screen_info.vesapm_seg = 0;
42159 +
42160 if (screen_info.vesapm_seg) {
42161 - printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
42162 - screen_info.vesapm_seg,screen_info.vesapm_off);
42163 + printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
42164 + screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
42165 }
42166
42167 if (screen_info.vesapm_seg < 0xc000)
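Review bot: `screen_info.vesapm_seg = 0;` is governed by an `if` that exists only in some preprocessor configurations, which is easy to break with a later edit. The statement is unconditional on non-i386 and on i386 with KERNEXEC but without modules, depends on the allocation result with KERNEXEC and modules, and is dead under `if (0)` otherwise. A comment above `#ifdef __i386__` would spare the reader from deriving this, for example `/* PMI is kept only on i386; under KERNEXEC it also needs an executable copy from module_alloc_exec() */`. The allocation also runs before the `vesapm_seg` tests that follow, so it is worth confirming that the buffer is released on the success path when PMI ends up unused; this hunk does not show that. vesafb_probe starts and ends outside this hunk.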
42168 @@ -325,9 +335,25 @@ static int __init vesafb_probe(struct pl
42169
42170 if (ypan || pmi_setpal) {
42171 unsigned short *pmi_base;
42172 +
42173 pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
42174 - pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
42175 - pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
42176 +
42177 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
42178 + pax_open_kernel();
42179 + memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
42180 +#else
42181 + pmi_code = pmi_base;
42182 +#endif
42183 +
42184 + pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
42185 + pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
42186 +
42187 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
42188 + pmi_start = ktva_ktla(pmi_start);
42189 + pmi_pal = ktva_ktla(pmi_pal);
42190 + pax_close_kernel();
42191 +#endif
42192 +
42193 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
42194 if (pmi_base[3]) {
42195 printk(KERN_INFO "vesafb: pmi: ports = ");
42196 @@ -469,6 +495,11 @@ static int __init vesafb_probe(struct pl
42197 info->node, info->fix.id);
42198 return 0;
42199 err:
42200 +
42201 +#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
42202 + module_free_exec(NULL, pmi_code);
42203 +#endif
42204 +
42205 if (info->screen_base)
42206 iounmap(info->screen_base);
42207 framebuffer_release(info);
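Review bot: `module_free_exec(NULL, pmi_code);` is called without a NULL test, although `pmi_code` is initialised to `NULL` and remains NULL when the allocation fails, and possibly when `err:` is reached before the allocation. The two uvesafb.c hunks guard the same call with `if (par->pmi_code)`. Whether module_free_exec() tolerates NULL is not visible here, so I would match that style: `if (pmi_code)` on the line before the call. vesafb_probe starts outside this hunk.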
42208 diff -urNp linux-2.6.32.46/drivers/xen/sys-hypervisor.c linux-2.6.32.46/drivers/xen/sys-hypervisor.c
42209 --- linux-2.6.32.46/drivers/xen/sys-hypervisor.c 2011-03-27 14:31:47.000000000 -0400
42210 +++ linux-2.6.32.46/drivers/xen/sys-hypervisor.c 2011-04-17 15:56:46.000000000 -0400
42211 @@ -425,7 +425,7 @@ static ssize_t hyp_sysfs_store(struct ko
42212 return 0;
42213 }
42214
42215 -static struct sysfs_ops hyp_sysfs_ops = {
42216 +static const struct sysfs_ops hyp_sysfs_ops = {
42217 .show = hyp_sysfs_show,
42218 .store = hyp_sysfs_store,
42219 };
42220 diff -urNp linux-2.6.32.46/fs/9p/vfs_inode.c linux-2.6.32.46/fs/9p/vfs_inode.c
42221 --- linux-2.6.32.46/fs/9p/vfs_inode.c 2011-03-27 14:31:47.000000000 -0400
42222 +++ linux-2.6.32.46/fs/9p/vfs_inode.c 2011-04-17 15:56:46.000000000 -0400
42223 @@ -1079,7 +1079,7 @@ static void *v9fs_vfs_follow_link(struct
42224 static void
42225 v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
42226 {
42227 - char *s = nd_get_link(nd);
42228 + const char *s = nd_get_link(nd);
42229
42230 P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name,
42231 IS_ERR(s) ? "<error>" : s);
42232 diff -urNp linux-2.6.32.46/fs/aio.c linux-2.6.32.46/fs/aio.c
42233 --- linux-2.6.32.46/fs/aio.c 2011-03-27 14:31:47.000000000 -0400
42234 +++ linux-2.6.32.46/fs/aio.c 2011-06-04 20:40:21.000000000 -0400
42235 @@ -115,7 +115,7 @@ static int aio_setup_ring(struct kioctx
42236 size += sizeof(struct io_event) * nr_events;
42237 nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
42238
42239 - if (nr_pages < 0)
42240 + if (nr_pages <= 0)
42241 return -EINVAL;
42242
42243 nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
42244 @@ -1089,6 +1089,8 @@ static int read_events(struct kioctx *ct
42245 struct aio_timeout to;
42246 int retry = 0;
42247
42248 + pax_track_stack();
42249 +
42250 /* needed to zero any padding within an entry (there shouldn't be
42251 * any, but C is fun!
42252 */
42253 @@ -1382,13 +1384,18 @@ static ssize_t aio_fsync(struct kiocb *i
42254 static ssize_t aio_setup_vectored_rw(int type, struct kiocb *kiocb)
42255 {
42256 ssize_t ret;
42257 + struct iovec iovstack;
42258
42259 ret = rw_copy_check_uvector(type, (struct iovec __user *)kiocb->ki_buf,
42260 kiocb->ki_nbytes, 1,
42261 - &kiocb->ki_inline_vec, &kiocb->ki_iovec);
42262 + &iovstack, &kiocb->ki_iovec);
42263 if (ret < 0)
42264 goto out;
42265
42266 + if (kiocb->ki_iovec == &iovstack) {
42267 + kiocb->ki_inline_vec = iovstack;
42268 + kiocb->ki_iovec = &kiocb->ki_inline_vec;
42269 + }
42270 kiocb->ki_nr_segs = kiocb->ki_nbytes;
42271 kiocb->ki_cur_seg = 0;
42272 /* ki_nbytes/left now reflect bytes instead of segs */
42273 diff -urNp linux-2.6.32.46/fs/attr.c linux-2.6.32.46/fs/attr.c
42274 --- linux-2.6.32.46/fs/attr.c 2011-03-27 14:31:47.000000000 -0400
42275 +++ linux-2.6.32.46/fs/attr.c 2011-04-17 15:56:46.000000000 -0400
42276 @@ -83,6 +83,7 @@ int inode_newsize_ok(const struct inode
42277 unsigned long limit;
42278
42279 limit = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
42280 + gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
42281 if (limit != RLIM_INFINITY && offset > limit)
42282 goto out_sig;
42283 if (offset > inode->i_sb->s_maxbytes)
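Review bot: The cast in `gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);` truncates `offset` on 32-bit builds if it is a 64-bit `loff_t`, as the comparison with `s_maxbytes` suggests. The learned value can then be far smaller than the size the limit check on the next line actually tests. The prototype of gr_learn_resource() is not in this hunk; if its parameter is `unsigned long`, saturating keeps the recorded value meaningful: `offset > ULONG_MAX ? ULONG_MAX : (unsigned long)offset`. inode_newsize_ok starts and ends outside this hunk.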
42284 diff -urNp linux-2.6.32.46/fs/autofs/root.c linux-2.6.32.46/fs/autofs/root.c
42285 --- linux-2.6.32.46/fs/autofs/root.c 2011-03-27 14:31:47.000000000 -0400
42286 +++ linux-2.6.32.46/fs/autofs/root.c 2011-04-17 15:56:46.000000000 -0400
42287 @@ -299,7 +299,8 @@ static int autofs_root_symlink(struct in
42288 set_bit(n,sbi->symlink_bitmap);
42289 sl = &sbi->symlink[n];
42290 sl->len = strlen(symname);
42291 - sl->data = kmalloc(slsize = sl->len+1, GFP_KERNEL);
42292 + slsize = sl->len+1;
42293 + sl->data = kmalloc(slsize, GFP_KERNEL);
42294 if (!sl->data) {
42295 clear_bit(n,sbi->symlink_bitmap);
42296 unlock_kernel();
42297 diff -urNp linux-2.6.32.46/fs/autofs4/symlink.c linux-2.6.32.46/fs/autofs4/symlink.c
42298 --- linux-2.6.32.46/fs/autofs4/symlink.c 2011-03-27 14:31:47.000000000 -0400
42299 +++ linux-2.6.32.46/fs/autofs4/symlink.c 2011-04-17 15:56:46.000000000 -0400
42300 @@ -15,7 +15,7 @@
42301 static void *autofs4_follow_link(struct dentry *dentry, struct nameidata *nd)
42302 {
42303 struct autofs_info *ino = autofs4_dentry_ino(dentry);
42304 - nd_set_link(nd, (char *)ino->u.symlink);
42305 + nd_set_link(nd, ino->u.symlink);
42306 return NULL;
42307 }
42308
42309 diff -urNp linux-2.6.32.46/fs/autofs4/waitq.c linux-2.6.32.46/fs/autofs4/waitq.c
42310 --- linux-2.6.32.46/fs/autofs4/waitq.c 2011-03-27 14:31:47.000000000 -0400
42311 +++ linux-2.6.32.46/fs/autofs4/waitq.c 2011-10-06 09:37:14.000000000 -0400
42312 @@ -60,7 +60,7 @@ static int autofs4_write(struct file *fi
42313 {
42314 unsigned long sigpipe, flags;
42315 mm_segment_t fs;
42316 - const char *data = (const char *)addr;
42317 + const char __user *data = (const char __force_user *)addr;
42318 ssize_t wr = 0;
42319
42320 /** WARNING: this is not safe for writing more than PIPE_BUF bytes! **/
42321 diff -urNp linux-2.6.32.46/fs/befs/linuxvfs.c linux-2.6.32.46/fs/befs/linuxvfs.c
42322 --- linux-2.6.32.46/fs/befs/linuxvfs.c 2011-08-29 22:24:44.000000000 -0400
42323 +++ linux-2.6.32.46/fs/befs/linuxvfs.c 2011-08-29 22:25:07.000000000 -0400
42324 @@ -498,7 +498,7 @@ static void befs_put_link(struct dentry
42325 {
42326 befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
42327 if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
42328 - char *link = nd_get_link(nd);
42329 + const char *link = nd_get_link(nd);
42330 if (!IS_ERR(link))
42331 kfree(link);
42332 }
42333 diff -urNp linux-2.6.32.46/fs/binfmt_aout.c linux-2.6.32.46/fs/binfmt_aout.c
42334 --- linux-2.6.32.46/fs/binfmt_aout.c 2011-03-27 14:31:47.000000000 -0400
42335 +++ linux-2.6.32.46/fs/binfmt_aout.c 2011-04-17 15:56:46.000000000 -0400
42336 @@ -16,6 +16,7 @@
42337 #include <linux/string.h>
42338 #include <linux/fs.h>
42339 #include <linux/file.h>
42340 +#include <linux/security.h>
42341 #include <linux/stat.h>
42342 #include <linux/fcntl.h>
42343 #include <linux/ptrace.h>
42344 @@ -102,6 +103,8 @@ static int aout_core_dump(long signr, st
42345 #endif
42346 # define START_STACK(u) (u.start_stack)
42347
42348 + memset(&dump, 0, sizeof(dump));
42349 +
42350 fs = get_fs();
42351 set_fs(KERNEL_DS);
42352 has_dumped = 1;
42353 @@ -113,10 +116,12 @@ static int aout_core_dump(long signr, st
42354
42355 /* If the size of the dump file exceeds the rlimit, then see what would happen
42356 if we wrote the stack, but not the data area. */
42357 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
42358 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > limit)
42359 dump.u_dsize = 0;
42360
42361 /* Make sure we have enough room to write the stack and data areas. */
42362 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
42363 if ((dump.u_ssize + 1) * PAGE_SIZE > limit)
42364 dump.u_ssize = 0;
42365
42366 @@ -146,9 +151,7 @@ static int aout_core_dump(long signr, st
42367 dump_size = dump.u_ssize << PAGE_SHIFT;
42368 DUMP_WRITE(dump_start,dump_size);
42369 }
42370 -/* Finally dump the task struct. Not be used by gdb, but could be useful */
42371 - set_fs(KERNEL_DS);
42372 - DUMP_WRITE(current,sizeof(*current));
42373 +/* Finally, let's not dump the task struct. Not be used by gdb, but could be useful to an attacker */
42374 end_coredump:
42375 set_fs(fs);
42376 return has_dumped;
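Review bot: The replacement comment `/* Finally, let's not dump the task struct. ... */` keeps the old sentence fragment ("Not be used by gdb") and reads ambiguously next to code that no longer writes anything. I would state the decision directly: `/* The task struct is deliberately not written to the core file: gdb does not use it and it would expose kernel memory contents. */`. aout_core_dump starts outside this hunk.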
42377 @@ -249,6 +252,8 @@ static int load_aout_binary(struct linux
42378 rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
42379 if (rlim >= RLIM_INFINITY)
42380 rlim = ~0;
42381 +
42382 + gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
42383 if (ex.a_data + ex.a_bss > rlim)
42384 return -ENOMEM;
42385
42386 @@ -277,6 +282,27 @@ static int load_aout_binary(struct linux
42387 install_exec_creds(bprm);
42388 current->flags &= ~PF_FORKNOEXEC;
42389
42390 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
42391 + current->mm->pax_flags = 0UL;
42392 +#endif
42393 +
42394 +#ifdef CONFIG_PAX_PAGEEXEC
42395 + if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
42396 + current->mm->pax_flags |= MF_PAX_PAGEEXEC;
42397 +
42398 +#ifdef CONFIG_PAX_EMUTRAMP
42399 + if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
42400 + current->mm->pax_flags |= MF_PAX_EMUTRAMP;
42401 +#endif
42402 +
42403 +#ifdef CONFIG_PAX_MPROTECT
42404 + if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
42405 + current->mm->pax_flags |= MF_PAX_MPROTECT;
42406 +#endif
42407 +
42408 + }
42409 +#endif
42410 +
42411 if (N_MAGIC(ex) == OMAGIC) {
42412 unsigned long text_addr, map_size;
42413 loff_t pos;
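Review bot: The header flags are tested with mixed polarity and nothing in the block says so. PAGEEXEC and MPROTECT are enabled when `F_PAX_PAGEEXEC` / `F_PAX_MPROTECT` are clear, while EMUTRAMP is enabled when `F_PAX_EMUTRAMP` is set. A short comment before `#ifdef CONFIG_PAX_PAGEEXEC` would prevent a well-meant "fix" of the negations, e.g. `/* a.out: PAGEEXEC and MPROTECT are on unless the header opts out; EMUTRAMP is opt-in and only honoured with PAGEEXEC */`. load_aout_binary starts and ends outside this hunk.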
42414 @@ -349,7 +375,7 @@ static int load_aout_binary(struct linux
42415
42416 down_write(&current->mm->mmap_sem);
42417 error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
42418 - PROT_READ | PROT_WRITE | PROT_EXEC,
42419 + PROT_READ | PROT_WRITE,
42420 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
42421 fd_offset + ex.a_text);
42422 up_write(&current->mm->mmap_sem);
42423 diff -urNp linux-2.6.32.46/fs/binfmt_elf.c linux-2.6.32.46/fs/binfmt_elf.c
42424 --- linux-2.6.32.46/fs/binfmt_elf.c 2011-03-27 14:31:47.000000000 -0400
42425 +++ linux-2.6.32.46/fs/binfmt_elf.c 2011-05-16 21:46:57.000000000 -0400
42426 @@ -50,6 +50,10 @@ static int elf_core_dump(long signr, str
42427 #define elf_core_dump NULL
42428 #endif
42429
42430 +#ifdef CONFIG_PAX_MPROTECT
42431 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
42432 +#endif
42433 +
42434 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
42435 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
42436 #else
42437 @@ -69,6 +73,11 @@ static struct linux_binfmt elf_format =
42438 .load_binary = load_elf_binary,
42439 .load_shlib = load_elf_library,
42440 .core_dump = elf_core_dump,
42441 +
42442 +#ifdef CONFIG_PAX_MPROTECT
42443 + .handle_mprotect= elf_handle_mprotect,
42444 +#endif
42445 +
42446 .min_coredump = ELF_EXEC_PAGESIZE,
42447 .hasvdso = 1
42448 };
42449 @@ -77,6 +86,8 @@ static struct linux_binfmt elf_format =
42450
42451 static int set_brk(unsigned long start, unsigned long end)
42452 {
42453 + unsigned long e = end;
42454 +
42455 start = ELF_PAGEALIGN(start);
42456 end = ELF_PAGEALIGN(end);
42457 if (end > start) {
42458 @@ -87,7 +98,7 @@ static int set_brk(unsigned long start,
42459 if (BAD_ADDR(addr))
42460 return addr;
42461 }
42462 - current->mm->start_brk = current->mm->brk = end;
42463 + current->mm->start_brk = current->mm->brk = e;
42464 return 0;
42465 }
42466
42467 @@ -148,12 +159,15 @@ create_elf_tables(struct linux_binprm *b
42468 elf_addr_t __user *u_rand_bytes;
42469 const char *k_platform = ELF_PLATFORM;
42470 const char *k_base_platform = ELF_BASE_PLATFORM;
42471 - unsigned char k_rand_bytes[16];
42472 + u32 k_rand_bytes[4];
42473 int items;
42474 elf_addr_t *elf_info;
42475 int ei_index = 0;
42476 const struct cred *cred = current_cred();
42477 struct vm_area_struct *vma;
42478 + unsigned long saved_auxv[AT_VECTOR_SIZE];
42479 +
42480 + pax_track_stack();
42481
42482 /*
42483 * In some cases (e.g. Hyper-Threading), we want to avoid L1
42484 @@ -195,8 +209,12 @@ create_elf_tables(struct linux_binprm *b
42485 * Generate 16 random bytes for userspace PRNG seeding.
42486 */
42487 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
42488 - u_rand_bytes = (elf_addr_t __user *)
42489 - STACK_ALLOC(p, sizeof(k_rand_bytes));
42490 + srandom32(k_rand_bytes[0] ^ random32());
42491 + srandom32(k_rand_bytes[1] ^ random32());
42492 + srandom32(k_rand_bytes[2] ^ random32());
42493 + srandom32(k_rand_bytes[3] ^ random32());
42494 + p = STACK_ROUND(p, sizeof(k_rand_bytes));
42495 + u_rand_bytes = (elf_addr_t __user *) p;
42496 if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
42497 return -EFAULT;
42498
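Review bot: The four `srandom32(k_rand_bytes[i] ^ random32());` calls carry no comment, and the existing comment above them still describes only the user-space seed. The same `k_rand_bytes` words are copied to user space by `__copy_to_user` a few lines later, so one operand of each reseed value is known to the new process. A comment should say why that is acceptable, e.g. `/* also stir the kernel random32() state; the words given to user space are only one XOR operand */`. create_elf_tables starts and ends outside this hunk.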
42499 @@ -308,9 +326,11 @@ create_elf_tables(struct linux_binprm *b
42500 return -EFAULT;
42501 current->mm->env_end = p;
42502
42503 + memcpy(saved_auxv, elf_info, ei_index * sizeof(elf_addr_t));
42504 +
42505 /* Put the elf_info on the stack in the right place. */
42506 sp = (elf_addr_t __user *)envp + 1;
42507 - if (copy_to_user(sp, elf_info, ei_index * sizeof(elf_addr_t)))
42508 + if (copy_to_user(sp, saved_auxv, ei_index * sizeof(elf_addr_t)))
42509 return -EFAULT;
42510 return 0;
42511 }
42512 @@ -385,10 +405,10 @@ static unsigned long load_elf_interp(str
42513 {
42514 struct elf_phdr *elf_phdata;
42515 struct elf_phdr *eppnt;
42516 - unsigned long load_addr = 0;
42517 + unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
42518 int load_addr_set = 0;
42519 unsigned long last_bss = 0, elf_bss = 0;
42520 - unsigned long error = ~0UL;
42521 + unsigned long error = -EINVAL;
42522 unsigned long total_size;
42523 int retval, i, size;
42524
42525 @@ -434,6 +454,11 @@ static unsigned long load_elf_interp(str
42526 goto out_close;
42527 }
42528
42529 +#ifdef CONFIG_PAX_SEGMEXEC
42530 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
42531 + pax_task_size = SEGMEXEC_TASK_SIZE;
42532 +#endif
42533 +
42534 eppnt = elf_phdata;
42535 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
42536 if (eppnt->p_type == PT_LOAD) {
42537 @@ -477,8 +502,8 @@ static unsigned long load_elf_interp(str
42538 k = load_addr + eppnt->p_vaddr;
42539 if (BAD_ADDR(k) ||
42540 eppnt->p_filesz > eppnt->p_memsz ||
42541 - eppnt->p_memsz > TASK_SIZE ||
42542 - TASK_SIZE - eppnt->p_memsz < k) {
42543 + eppnt->p_memsz > pax_task_size ||
42544 + pax_task_size - eppnt->p_memsz < k) {
42545 error = -ENOMEM;
42546 goto out_close;
42547 }
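Review bot: `BAD_ADDR(k)` stays on the first line of this condition while the two size comparisons switch to `pax_task_size`, whereas the matching check in the load_elf_binary hunk of this patch replaces it with `k >= pax_task_size`. BAD_ADDR is defined outside the hunk; if it still compares against TASK_SIZE, a segment with `p_memsz == 0` and `k == pax_task_size` passes here but is rejected in load_elf_binary. Writing `if (k >= pax_task_size ||` here too would keep both loaders on the same limit. The loop body continues outside the hunk.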
42548 @@ -532,6 +557,194 @@ out:
42549 return error;
42550 }
42551
42552 +#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
42553 +static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
42554 +{
42555 + unsigned long pax_flags = 0UL;
42556 +
42557 +#ifdef CONFIG_PAX_PAGEEXEC
42558 + if (elf_phdata->p_flags & PF_PAGEEXEC)
42559 + pax_flags |= MF_PAX_PAGEEXEC;
42560 +#endif
42561 +
42562 +#ifdef CONFIG_PAX_SEGMEXEC
42563 + if (elf_phdata->p_flags & PF_SEGMEXEC)
42564 + pax_flags |= MF_PAX_SEGMEXEC;
42565 +#endif
42566 +
42567 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
42568 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
42569 + if (nx_enabled)
42570 + pax_flags &= ~MF_PAX_SEGMEXEC;
42571 + else
42572 + pax_flags &= ~MF_PAX_PAGEEXEC;
42573 + }
42574 +#endif
42575 +
42576 +#ifdef CONFIG_PAX_EMUTRAMP
42577 + if (elf_phdata->p_flags & PF_EMUTRAMP)
42578 + pax_flags |= MF_PAX_EMUTRAMP;
42579 +#endif
42580 +
42581 +#ifdef CONFIG_PAX_MPROTECT
42582 + if (elf_phdata->p_flags & PF_MPROTECT)
42583 + pax_flags |= MF_PAX_MPROTECT;
42584 +#endif
42585 +
42586 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
42587 + if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
42588 + pax_flags |= MF_PAX_RANDMMAP;
42589 +#endif
42590 +
42591 + return pax_flags;
42592 +}
42593 +#endif
42594 +
42595 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
42596 +static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
42597 +{
42598 + unsigned long pax_flags = 0UL;
42599 +
42600 +#ifdef CONFIG_PAX_PAGEEXEC
42601 + if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
42602 + pax_flags |= MF_PAX_PAGEEXEC;
42603 +#endif
42604 +
42605 +#ifdef CONFIG_PAX_SEGMEXEC
42606 + if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
42607 + pax_flags |= MF_PAX_SEGMEXEC;
42608 +#endif
42609 +
42610 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
42611 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
42612 + if (nx_enabled)
42613 + pax_flags &= ~MF_PAX_SEGMEXEC;
42614 + else
42615 + pax_flags &= ~MF_PAX_PAGEEXEC;
42616 + }
42617 +#endif
42618 +
42619 +#ifdef CONFIG_PAX_EMUTRAMP
42620 + if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
42621 + pax_flags |= MF_PAX_EMUTRAMP;
42622 +#endif
42623 +
42624 +#ifdef CONFIG_PAX_MPROTECT
42625 + if (!(elf_phdata->p_flags & PF_NOMPROTECT))
42626 + pax_flags |= MF_PAX_MPROTECT;
42627 +#endif
42628 +
42629 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
42630 + if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
42631 + pax_flags |= MF_PAX_RANDMMAP;
42632 +#endif
42633 +
42634 + return pax_flags;
42635 +}
42636 +#endif
42637 +
42638 +#ifdef CONFIG_PAX_EI_PAX
42639 +static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
42640 +{
42641 + unsigned long pax_flags = 0UL;
42642 +
42643 +#ifdef CONFIG_PAX_PAGEEXEC
42644 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
42645 + pax_flags |= MF_PAX_PAGEEXEC;
42646 +#endif
42647 +
42648 +#ifdef CONFIG_PAX_SEGMEXEC
42649 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
42650 + pax_flags |= MF_PAX_SEGMEXEC;
42651 +#endif
42652 +
42653 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
42654 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
42655 + if (nx_enabled)
42656 + pax_flags &= ~MF_PAX_SEGMEXEC;
42657 + else
42658 + pax_flags &= ~MF_PAX_PAGEEXEC;
42659 + }
42660 +#endif
42661 +
42662 +#ifdef CONFIG_PAX_EMUTRAMP
42663 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
42664 + pax_flags |= MF_PAX_EMUTRAMP;
42665 +#endif
42666 +
42667 +#ifdef CONFIG_PAX_MPROTECT
42668 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
42669 + pax_flags |= MF_PAX_MPROTECT;
42670 +#endif
42671 +
42672 +#ifdef CONFIG_PAX_ASLR
42673 + if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
42674 + pax_flags |= MF_PAX_RANDMMAP;
42675 +#endif
42676 +
42677 + return pax_flags;
42678 +}
42679 +#endif
42680 +
42681 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
42682 +static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
42683 +{
42684 + unsigned long pax_flags = 0UL;
42685 +
42686 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
42687 + unsigned long i;
42688 + int found_flags = 0;
42689 +#endif
42690 +
42691 +#ifdef CONFIG_PAX_EI_PAX
42692 + pax_flags = pax_parse_ei_pax(elf_ex);
42693 +#endif
42694 +
42695 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
42696 + for (i = 0UL; i < elf_ex->e_phnum; i++)
42697 + if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
42698 + if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
42699 + ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
42700 + ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
42701 + ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
42702 + ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
42703 + return -EINVAL;
42704 +
42705 +#ifdef CONFIG_PAX_SOFTMODE
42706 + if (pax_softmode)
42707 + pax_flags = pax_parse_softmode(&elf_phdata[i]);
42708 + else
42709 +#endif
42710 +
42711 + pax_flags = pax_parse_hardmode(&elf_phdata[i]);
42712 + found_flags = 1;
42713 + break;
42714 + }
42715 +#endif
42716 +
42717 +#if !defined(CONFIG_PAX_EI_PAX) && defined(CONFIG_PAX_PT_PAX_FLAGS)
42718 + if (found_flags == 0) {
42719 + struct elf_phdr phdr;
42720 + memset(&phdr, 0, sizeof(phdr));
42721 + phdr.p_flags = PF_NOEMUTRAMP;
42722 +#ifdef CONFIG_PAX_SOFTMODE
42723 + if (pax_softmode)
42724 + pax_flags = pax_parse_softmode(&phdr);
42725 + else
42726 +#endif
42727 + pax_flags = pax_parse_hardmode(&phdr);
42728 + }
42729 +#endif
42730 +
42731 +
42732 + if (0 > pax_check_flags(&pax_flags))
42733 + return -EINVAL;
42734 +
42735 + current->mm->pax_flags = pax_flags;
42736 + return 0;
42737 +}
42738 +#endif
42739 +
42740 /*
42741 * These are the functions used to load ELF style executables and shared
42742 * libraries. There is no binary dependent code anywhere else.
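Review bot: The PAGEEXEC/SEGMEXEC tie-break (the `#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)` block that clears one of the two flags depending on `nx_enabled`) is copied verbatim into pax_parse_softmode, pax_parse_hardmode and pax_parse_ei_pax. Three copies of a policy decision in a flag parser are easy to change in one place and miss in the others. A single helper, called at the same position in each parser, would keep them in step. The position matters in pax_parse_ei_pax, where the EMUTRAMP and MPROTECT tests read the already-resolved `pax_flags`.

```c
#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
/* PAGEEXEC and SEGMEXEC are mutually exclusive; when both are requested,
 * keep PAGEEXEC if nx_enabled is set and SEGMEXEC otherwise. */
static unsigned long pax_pick_exec_mode(unsigned long pax_flags)
{
	const unsigned long both = MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC;

	if ((pax_flags & both) != both)
		return pax_flags;
	return pax_flags & ~(nx_enabled ? MF_PAX_SEGMEXEC : MF_PAX_PAGEEXEC);
}
#endif

/* … unchanged: per-flag tests in pax_parse_softmode / pax_parse_hardmode / pax_parse_ei_pax … */

#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
	pax_flags = pax_pick_exec_mode(pax_flags);
#endif
```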
42743 @@ -548,6 +761,11 @@ static unsigned long randomize_stack_top
42744 {
42745 unsigned int random_variable = 0;
42746
42747 +#ifdef CONFIG_PAX_RANDUSTACK
42748 + if (randomize_va_space)
42749 + return stack_top - current->mm->delta_stack;
42750 +#endif
42751 +
42752 if ((current->flags & PF_RANDOMIZE) &&
42753 !(current->personality & ADDR_NO_RANDOMIZE)) {
42754 random_variable = get_random_int() & STACK_RND_MASK;
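Review bot: The early return added under CONFIG_PAX_RANDUSTACK bypasses the `PF_RANDOMIZE` / `ADDR_NO_RANDOMIZE` test that follows it, and nothing in the hunk records that this is deliberate. The load_elf_binary hunk of this patch zeroes `delta_stack` and sets it only when `MF_PAX_RANDMMAP` is present. A binary without that flag therefore gets an unrandomized stack top whenever `randomize_va_space` is non-zero. A comment such as `/* PaX: delta_stack replaces the vanilla stack randomization; it is 0 unless MF_PAX_RANDMMAP is set */` above the `if` would document that. The function body continues outside the hunk.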
42755 @@ -566,7 +784,7 @@ static int load_elf_binary(struct linux_
42756 unsigned long load_addr = 0, load_bias = 0;
42757 int load_addr_set = 0;
42758 char * elf_interpreter = NULL;
42759 - unsigned long error;
42760 + unsigned long error = 0;
42761 struct elf_phdr *elf_ppnt, *elf_phdata;
42762 unsigned long elf_bss, elf_brk;
42763 int retval, i;
42764 @@ -576,11 +794,11 @@ static int load_elf_binary(struct linux_
42765 unsigned long start_code, end_code, start_data, end_data;
42766 unsigned long reloc_func_desc = 0;
42767 int executable_stack = EXSTACK_DEFAULT;
42768 - unsigned long def_flags = 0;
42769 struct {
42770 struct elfhdr elf_ex;
42771 struct elfhdr interp_elf_ex;
42772 } *loc;
42773 + unsigned long pax_task_size = TASK_SIZE;
42774
42775 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
42776 if (!loc) {
42777 @@ -718,11 +936,80 @@ static int load_elf_binary(struct linux_
42778
42779 /* OK, This is the point of no return */
42780 current->flags &= ~PF_FORKNOEXEC;
42781 - current->mm->def_flags = def_flags;
42782 +
42783 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
42784 + current->mm->pax_flags = 0UL;
42785 +#endif
42786 +
42787 +#ifdef CONFIG_PAX_DLRESOLVE
42788 + current->mm->call_dl_resolve = 0UL;
42789 +#endif
42790 +
42791 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
42792 + current->mm->call_syscall = 0UL;
42793 +#endif
42794 +
42795 +#ifdef CONFIG_PAX_ASLR
42796 + current->mm->delta_mmap = 0UL;
42797 + current->mm->delta_stack = 0UL;
42798 +#endif
42799 +
42800 + current->mm->def_flags = 0;
42801 +
42802 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
42803 + if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
42804 + send_sig(SIGKILL, current, 0);
42805 + goto out_free_dentry;
42806 + }
42807 +#endif
42808 +
42809 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
42810 + pax_set_initial_flags(bprm);
42811 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
42812 + if (pax_set_initial_flags_func)
42813 + (pax_set_initial_flags_func)(bprm);
42814 +#endif
42815 +
42816 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
42817 + if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !nx_enabled) {
42818 + current->mm->context.user_cs_limit = PAGE_SIZE;
42819 + current->mm->def_flags |= VM_PAGEEXEC;
42820 + }
42821 +#endif
42822 +
42823 +#ifdef CONFIG_PAX_SEGMEXEC
42824 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
42825 + current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
42826 + current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
42827 + pax_task_size = SEGMEXEC_TASK_SIZE;
42828 + }
42829 +#endif
42830 +
42831 +#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
42832 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
42833 + set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
42834 + put_cpu();
42835 + }
42836 +#endif
42837
42838 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
42839 may depend on the personality. */
42840 SET_PERSONALITY(loc->elf_ex);
42841 +
42842 +#ifdef CONFIG_PAX_ASLR
42843 + if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
42844 + current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
42845 + current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
42846 + }
42847 +#endif
42848 +
42849 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
42850 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
42851 + executable_stack = EXSTACK_DISABLE_X;
42852 + current->personality &= ~READ_IMPLIES_EXEC;
42853 + } else
42854 +#endif
42855 +
42856 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
42857 current->personality |= READ_IMPLIES_EXEC;
42858
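Review bot: The new `pax_parse_elf_flags` failure path sends SIGKILL and jumps to `out_free_dentry` without assigning `retval`. The function then returns whatever `retval` held from the code before the hunk, which is not visible here and may be 0. The other SIGKILL exit shown in this patch, in the `p_memsz` bounds check, sets `retval = -EINVAL;` first. Adding the same line before the `goto` would keep the error paths consistent. load_elf_binary starts and ends outside the hunk.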
42859 @@ -804,6 +1091,20 @@ static int load_elf_binary(struct linux_
42860 #else
42861 load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
42862 #endif
42863 +
42864 +#ifdef CONFIG_PAX_RANDMMAP
42865 + /* PaX: randomize base address at the default exe base if requested */
42866 + if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
42867 +#ifdef CONFIG_SPARC64
42868 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
42869 +#else
42870 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
42871 +#endif
42872 + load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
42873 + elf_flags |= MAP_FIXED;
42874 + }
42875 +#endif
42876 +
42877 }
42878
42879 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
42880 @@ -836,9 +1137,9 @@ static int load_elf_binary(struct linux_
42881 * allowed task size. Note that p_filesz must always be
42882 * <= p_memsz so it is only necessary to check p_memsz.
42883 */
42884 - if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
42885 - elf_ppnt->p_memsz > TASK_SIZE ||
42886 - TASK_SIZE - elf_ppnt->p_memsz < k) {
42887 + if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
42888 + elf_ppnt->p_memsz > pax_task_size ||
42889 + pax_task_size - elf_ppnt->p_memsz < k) {
42890 /* set_brk can never work. Avoid overflows. */
42891 send_sig(SIGKILL, current, 0);
42892 retval = -EINVAL;
42893 @@ -866,6 +1167,11 @@ static int load_elf_binary(struct linux_
42894 start_data += load_bias;
42895 end_data += load_bias;
42896
42897 +#ifdef CONFIG_PAX_RANDMMAP
42898 + if (current->mm->pax_flags & MF_PAX_RANDMMAP)
42899 + elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
42900 +#endif
42901 +
42902 /* Calling set_brk effectively mmaps the pages that we need
42903 * for the bss and break sections. We must do this before
42904 * mapping in the interpreter, to make sure it doesn't wind
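Review bot: The `elf_brk` adjustment carries no comment and its arithmetic is not obvious. `~PAGE_MASK` keeps only the in-page bits of the random value, and `<< 4` turns them into a 16-byte-granular offset below `16 * PAGE_SIZE`, added on top of a fixed `PAGE_SIZE` gap. A comment like `/* PaX: randomize brk: PAGE_SIZE gap plus a random 16-byte-aligned offset below 16 * PAGE_SIZE */` would document it. It should also note that `elf_brk` is no longer page-aligned here, so the `elf_bss != elf_brk` test that follows will normally be true.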
42905 @@ -877,9 +1183,11 @@ static int load_elf_binary(struct linux_
42906 goto out_free_dentry;
42907 }
42908 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
42909 - send_sig(SIGSEGV, current, 0);
42910 - retval = -EFAULT; /* Nobody gets to see this, but.. */
42911 - goto out_free_dentry;
42912 + /*
42913 + * This bss-zeroing can fail if the ELF
42914 + * file specifies odd protections. So
42915 + * we don't check the return value
42916 + */
42917 }
42918
42919 if (elf_interpreter) {
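Review bot: After this change the `if` around `padzero(elf_bss)` has a body holding only a comment, so the `likely`/`unlikely` condition is evaluated purely for its side effect. Writing `if (likely(elf_bss != elf_brk))` followed by `(void)padzero(elf_bss);`, with the existing comment above the call, states the intent directly. The comment could also say what a failed clear leaves behind, presumably a bss tail that is not zeroed. The task now keeps running instead of receiving SIGSEGV.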
42920 @@ -1112,8 +1420,10 @@ static int dump_seek(struct file *file,
42921 unsigned long n = off;
42922 if (n > PAGE_SIZE)
42923 n = PAGE_SIZE;
42924 - if (!dump_write(file, buf, n))
42925 + if (!dump_write(file, buf, n)) {
42926 + free_page((unsigned long)buf);
42927 return 0;
42928 + }
42929 off -= n;
42930 }
42931 free_page((unsigned long)buf);
42932 @@ -1125,7 +1435,7 @@ static int dump_seek(struct file *file,
42933 * Decide what to dump of a segment, part, all or none.
42934 */
42935 static unsigned long vma_dump_size(struct vm_area_struct *vma,
42936 - unsigned long mm_flags)
42937 + unsigned long mm_flags, long signr)
42938 {
42939 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
42940
42941 @@ -1159,7 +1469,7 @@ static unsigned long vma_dump_size(struc
42942 if (vma->vm_file == NULL)
42943 return 0;
42944
42945 - if (FILTER(MAPPED_PRIVATE))
42946 + if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
42947 goto whole;
42948
42949 /*
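Review bot: The `signr == SIGKILL` test sends file-backed mappings to `whole` regardless of the MAPPED_PRIVATE filter bit, and neither this hunk nor the signature change above explains why. It overrides the per-process dump filter for that signal, which matters to anyone relying on the filter to keep file contents out of core files. A comment such as `/* SIGKILL: dump file-backed mappings in full, ignoring the dump filter */`, together with the reason, belongs on this line. The function starts and ends outside the hunk.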
42950 @@ -1255,8 +1565,11 @@ static int writenote(struct memelfnote *
42951 #undef DUMP_WRITE
42952
42953 #define DUMP_WRITE(addr, nr) \
42954 + do { \
42955 + gr_learn_resource(current, RLIMIT_CORE, size + (nr), 1); \
42956 if ((size += (nr)) > limit || !dump_write(file, (addr), (nr))) \
42957 - goto end_coredump;
42958 + goto end_coredump; \
42959 + } while (0);
42960
42961 static void fill_elf_header(struct elfhdr *elf, int segs,
42962 u16 machine, u32 flags, u8 osabi)
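Review bot: The rewritten `DUMP_WRITE` ends with `} while (0);`, and that trailing semicolon defeats the do/while(0) idiom. A call written `DUMP_WRITE(a, b);` expands to two statements and breaks under an unbraced `if`/`else`. The last line of the macro should be `} while (0)`. The macro now also expands `nr` three times (in the `gr_learn_resource` call, in `size += (nr)` and in `dump_write`), so an argument with side effects would be evaluated repeatedly; a short comment on the macro should say so.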
42963 @@ -1385,9 +1698,9 @@ static void fill_auxv_note(struct memelf
42964 {
42965 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
42966 int i = 0;
42967 - do
42968 + do {
42969 i += 2;
42970 - while (auxv[i - 2] != AT_NULL);
42971 + } while (auxv[i - 2] != AT_NULL);
42972 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
42973 }
42974
42975 @@ -1973,7 +2286,7 @@ static int elf_core_dump(long signr, str
42976 phdr.p_offset = offset;
42977 phdr.p_vaddr = vma->vm_start;
42978 phdr.p_paddr = 0;
42979 - phdr.p_filesz = vma_dump_size(vma, mm_flags);
42980 + phdr.p_filesz = vma_dump_size(vma, mm_flags, signr);
42981 phdr.p_memsz = vma->vm_end - vma->vm_start;
42982 offset += phdr.p_filesz;
42983 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
42984 @@ -2006,7 +2319,7 @@ static int elf_core_dump(long signr, str
42985 unsigned long addr;
42986 unsigned long end;
42987
42988 - end = vma->vm_start + vma_dump_size(vma, mm_flags);
42989 + end = vma->vm_start + vma_dump_size(vma, mm_flags, signr);
42990
42991 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
42992 struct page *page;
42993 @@ -2015,6 +2328,7 @@ static int elf_core_dump(long signr, str
42994 page = get_dump_page(addr);
42995 if (page) {
42996 void *kaddr = kmap(page);
42997 + gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
42998 stop = ((size += PAGE_SIZE) > limit) ||
42999 !dump_write(file, kaddr, PAGE_SIZE);
43000 kunmap(page);
43001 @@ -2042,6 +2356,97 @@ out:
43002
43003 #endif /* USE_ELF_CORE_DUMP */
43004
43005 +#ifdef CONFIG_PAX_MPROTECT
43006 +/* PaX: non-PIC ELF libraries need relocations on their executable segments
43007 + * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
43008 + * we'll remove VM_MAYWRITE for good on RELRO segments.
43009 + *
43010 + * The checks favour ld-linux.so behaviour which operates on a per ELF segment
43011 + * basis because we want to allow the common case and not the special ones.
43012 + */
43013 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
43014 +{
43015 + struct elfhdr elf_h;
43016 + struct elf_phdr elf_p;
43017 + unsigned long i;
43018 + unsigned long oldflags;
43019 + bool is_textrel_rw, is_textrel_rx, is_relro;
43020 +
43021 + if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT))
43022 + return;
43023 +
43024 + oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
43025 + newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
43026 +
43027 +#ifdef CONFIG_PAX_ELFRELOCS
43028 + /* possible TEXTREL */
43029 + is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
43030 + is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
43031 +#else
43032 + is_textrel_rw = false;
43033 + is_textrel_rx = false;
43034 +#endif
43035 +
43036 + /* possible RELRO */
43037 + is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
43038 +
43039 + if (!is_textrel_rw && !is_textrel_rx && !is_relro)
43040 + return;
43041 +
43042 + if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
43043 + memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
43044 +
43045 +#ifdef CONFIG_PAX_ETEXECRELOCS
43046 + ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
43047 +#else
43048 + ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
43049 +#endif
43050 +
43051 + (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
43052 + !elf_check_arch(&elf_h) ||
43053 + elf_h.e_phentsize != sizeof(struct elf_phdr) ||
43054 + elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
43055 + return;
43056 +
43057 + for (i = 0UL; i < elf_h.e_phnum; i++) {
43058 + if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
43059 + return;
43060 + switch (elf_p.p_type) {
43061 + case PT_DYNAMIC:
43062 + if (!is_textrel_rw && !is_textrel_rx)
43063 + continue;
43064 + i = 0UL;
43065 + while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
43066 + elf_dyn dyn;
43067 +
43068 + if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
43069 + return;
43070 + if (dyn.d_tag == DT_NULL)
43071 + return;
43072 + if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
43073 + gr_log_textrel(vma);
43074 + if (is_textrel_rw)
43075 + vma->vm_flags |= VM_MAYWRITE;
43076 + else
43077 + /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
43078 + vma->vm_flags &= ~VM_MAYWRITE;
43079 + return;
43080 + }
43081 + i++;
43082 + }
43083 + return;
43084 +
43085 + case PT_GNU_RELRO:
43086 + if (!is_relro)
43087 + continue;
43088 + if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
43089 + vma->vm_flags &= ~VM_MAYWRITE;
43090 + return;
43091 + }
43092 + }
43093 +}
43094 +#endif
43095 +
43096 static int __init init_elf_binfmt(void)
43097 {
43098 return register_binfmt(&elf_format);
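Review bot: In the `PT_DYNAMIC` case of elf_handle_mprotect the inner `while` loop resets and reuses `i`, which is also the index of the enclosing `for` over program headers. This is correct only because every path out of the inner loop returns. A later edit that turns one of those `return`s into a `break` would silently restart or skip program headers in a function that decides whether `VM_MAYWRITE` is granted. A separate index (`unsigned long j;`, then `j = 0UL;` and `while ((j+1) * sizeof(elf_dyn) <= elf_p.p_filesz)`) removes that coupling. The `switch` also lacks a `default:`; an explicit `default: break;` would show that other segment types are skipped on purpose.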
43099 diff -urNp linux-2.6.32.46/fs/binfmt_flat.c linux-2.6.32.46/fs/binfmt_flat.c
43100 --- linux-2.6.32.46/fs/binfmt_flat.c 2011-03-27 14:31:47.000000000 -0400
43101 +++ linux-2.6.32.46/fs/binfmt_flat.c 2011-04-17 15:56:46.000000000 -0400
43102 @@ -564,7 +564,9 @@ static int load_flat_file(struct linux_b
43103 realdatastart = (unsigned long) -ENOMEM;
43104 printk("Unable to allocate RAM for process data, errno %d\n",
43105 (int)-realdatastart);
43106 + down_write(&current->mm->mmap_sem);
43107 do_munmap(current->mm, textpos, text_len);
43108 + up_write(&current->mm->mmap_sem);
43109 ret = realdatastart;
43110 goto err;
43111 }
43112 @@ -588,8 +590,10 @@ static int load_flat_file(struct linux_b
43113 }
43114 if (IS_ERR_VALUE(result)) {
43115 printk("Unable to read data+bss, errno %d\n", (int)-result);
43116 + down_write(&current->mm->mmap_sem);
43117 do_munmap(current->mm, textpos, text_len);
43118 do_munmap(current->mm, realdatastart, data_len + extra);
43119 + up_write(&current->mm->mmap_sem);
43120 ret = result;
43121 goto err;
43122 }
43123 @@ -658,8 +662,10 @@ static int load_flat_file(struct linux_b
43124 }
43125 if (IS_ERR_VALUE(result)) {
43126 printk("Unable to read code+data+bss, errno %d\n",(int)-result);
43127 + down_write(&current->mm->mmap_sem);
43128 do_munmap(current->mm, textpos, text_len + data_len + extra +
43129 MAX_SHARED_LIBS * sizeof(unsigned long));
43130 + up_write(&current->mm->mmap_sem);
43131 ret = result;
43132 goto err;
43133 }
43134 diff -urNp linux-2.6.32.46/fs/bio.c linux-2.6.32.46/fs/bio.c
43135 --- linux-2.6.32.46/fs/bio.c 2011-03-27 14:31:47.000000000 -0400
43136 +++ linux-2.6.32.46/fs/bio.c 2011-10-06 09:37:14.000000000 -0400
43137 @@ -78,7 +78,7 @@ static struct kmem_cache *bio_find_or_cr
43138
43139 i = 0;
43140 while (i < bio_slab_nr) {
43141 - struct bio_slab *bslab = &bio_slabs[i];
43142 + bslab = &bio_slabs[i];
43143
43144 if (!bslab->slab && entry == -1)
43145 entry = i;
43146 @@ -1236,7 +1236,7 @@ static void bio_copy_kern_endio(struct b
43147 const int read = bio_data_dir(bio) == READ;
43148 struct bio_map_data *bmd = bio->bi_private;
43149 int i;
43150 - char *p = bmd->sgvecs[0].iov_base;
43151 + char *p = (char __force_kernel *)bmd->sgvecs[0].iov_base;
43152
43153 __bio_for_each_segment(bvec, bio, i, 0) {
43154 char *addr = page_address(bvec->bv_page);
43155 diff -urNp linux-2.6.32.46/fs/block_dev.c linux-2.6.32.46/fs/block_dev.c
43156 --- linux-2.6.32.46/fs/block_dev.c 2011-08-09 18:35:29.000000000 -0400
43157 +++ linux-2.6.32.46/fs/block_dev.c 2011-08-09 18:34:00.000000000 -0400
43158 @@ -664,7 +664,7 @@ int bd_claim(struct block_device *bdev,
43159 else if (bdev->bd_contains == bdev)
43160 res = 0; /* is a whole device which isn't held */
43161
43162 - else if (bdev->bd_contains->bd_holder == bd_claim)
43163 + else if (bdev->bd_contains->bd_holder == (void *)bd_claim)
43164 res = 0; /* is a partition of a device that is being partitioned */
43165 else if (bdev->bd_contains->bd_holder != NULL)
43166 res = -EBUSY; /* is a partition of a held device */
43167 diff -urNp linux-2.6.32.46/fs/btrfs/ctree.c linux-2.6.32.46/fs/btrfs/ctree.c
43168 --- linux-2.6.32.46/fs/btrfs/ctree.c 2011-03-27 14:31:47.000000000 -0400
43169 +++ linux-2.6.32.46/fs/btrfs/ctree.c 2011-04-17 15:56:46.000000000 -0400
43170 @@ -461,9 +461,12 @@ static noinline int __btrfs_cow_block(st
43171 free_extent_buffer(buf);
43172 add_root_to_dirty_list(root);
43173 } else {
43174 - if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID)
43175 - parent_start = parent->start;
43176 - else
43177 + if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) {
43178 + if (parent)
43179 + parent_start = parent->start;
43180 + else
43181 + parent_start = 0;
43182 + } else
43183 parent_start = 0;
43184
43185 WARN_ON(trans->transid != btrfs_header_generation(parent));
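Review bot: The new `if (parent)` guard protects only the `parent->start` read. The `WARN_ON(trans->transid != btrfs_header_generation(parent));` two lines below still passes `parent` unconditionally. If `parent` can be NULL in this branch, that call (its body is not shown here) would presumably dereference it. Either the guard must cover the later uses too, or it is unnecessary. The assignment itself reads more simply as `parent_start = (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID && parent) ? parent->start : 0;`. __btrfs_cow_block continues outside the hunk.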
43186 @@ -3645,7 +3648,6 @@ setup_items_for_insert(struct btrfs_tran
43187
43188 ret = 0;
43189 if (slot == 0) {
43190 - struct btrfs_disk_key disk_key;
43191 btrfs_cpu_key_to_disk(&disk_key, cpu_key);
43192 ret = fixup_low_keys(trans, root, path, &disk_key, 1);
43193 }
43194 diff -urNp linux-2.6.32.46/fs/btrfs/disk-io.c linux-2.6.32.46/fs/btrfs/disk-io.c
43195 --- linux-2.6.32.46/fs/btrfs/disk-io.c 2011-04-17 17:00:52.000000000 -0400
43196 +++ linux-2.6.32.46/fs/btrfs/disk-io.c 2011-04-17 17:03:11.000000000 -0400
43197 @@ -39,7 +39,7 @@
43198 #include "tree-log.h"
43199 #include "free-space-cache.h"
43200
43201 -static struct extent_io_ops btree_extent_io_ops;
43202 +static const struct extent_io_ops btree_extent_io_ops;
43203 static void end_workqueue_fn(struct btrfs_work *work);
43204 static void free_fs_root(struct btrfs_root *root);
43205
43206 @@ -2607,7 +2607,7 @@ out:
43207 return 0;
43208 }
43209
43210 -static struct extent_io_ops btree_extent_io_ops = {
43211 +static const struct extent_io_ops btree_extent_io_ops = {
43212 .write_cache_pages_lock_hook = btree_lock_page_hook,
43213 .readpage_end_io_hook = btree_readpage_end_io_hook,
43214 .submit_bio_hook = btree_submit_bio_hook,
43215 diff -urNp linux-2.6.32.46/fs/btrfs/extent_io.h linux-2.6.32.46/fs/btrfs/extent_io.h
43216 --- linux-2.6.32.46/fs/btrfs/extent_io.h 2011-03-27 14:31:47.000000000 -0400
43217 +++ linux-2.6.32.46/fs/btrfs/extent_io.h 2011-04-17 15:56:46.000000000 -0400
43218 @@ -49,36 +49,36 @@ typedef int (extent_submit_bio_hook_t)(s
43219 struct bio *bio, int mirror_num,
43220 unsigned long bio_flags);
43221 struct extent_io_ops {
43222 - int (*fill_delalloc)(struct inode *inode, struct page *locked_page,
43223 + int (* const fill_delalloc)(struct inode *inode, struct page *locked_page,
43224 u64 start, u64 end, int *page_started,
43225 unsigned long *nr_written);
43226 - int (*writepage_start_hook)(struct page *page, u64 start, u64 end);
43227 - int (*writepage_io_hook)(struct page *page, u64 start, u64 end);
43228 + int (* const writepage_start_hook)(struct page *page, u64 start, u64 end);
43229 + int (* const writepage_io_hook)(struct page *page, u64 start, u64 end);
43230 extent_submit_bio_hook_t *submit_bio_hook;
43231 - int (*merge_bio_hook)(struct page *page, unsigned long offset,
43232 + int (* const merge_bio_hook)(struct page *page, unsigned long offset,
43233 size_t size, struct bio *bio,
43234 unsigned long bio_flags);
43235 - int (*readpage_io_hook)(struct page *page, u64 start, u64 end);
43236 - int (*readpage_io_failed_hook)(struct bio *bio, struct page *page,
43237 + int (* const readpage_io_hook)(struct page *page, u64 start, u64 end);
43238 + int (* const readpage_io_failed_hook)(struct bio *bio, struct page *page,
43239 u64 start, u64 end,
43240 struct extent_state *state);
43241 - int (*writepage_io_failed_hook)(struct bio *bio, struct page *page,
43242 + int (* const writepage_io_failed_hook)(struct bio *bio, struct page *page,
43243 u64 start, u64 end,
43244 struct extent_state *state);
43245 - int (*readpage_end_io_hook)(struct page *page, u64 start, u64 end,
43246 + int (* const readpage_end_io_hook)(struct page *page, u64 start, u64 end,
43247 struct extent_state *state);
43248 - int (*writepage_end_io_hook)(struct page *page, u64 start, u64 end,
43249 + int (* const writepage_end_io_hook)(struct page *page, u64 start, u64 end,
43250 struct extent_state *state, int uptodate);
43251 - int (*set_bit_hook)(struct inode *inode, u64 start, u64 end,
43252 + int (* const set_bit_hook)(struct inode *inode, u64 start, u64 end,
43253 unsigned long old, unsigned long bits);
43254 - int (*clear_bit_hook)(struct inode *inode, struct extent_state *state,
43255 + int (* const clear_bit_hook)(struct inode *inode, struct extent_state *state,
43256 unsigned long bits);
43257 - int (*merge_extent_hook)(struct inode *inode,
43258 + int (* const merge_extent_hook)(struct inode *inode,
43259 struct extent_state *new,
43260 struct extent_state *other);
43261 - int (*split_extent_hook)(struct inode *inode,
43262 + int (* const split_extent_hook)(struct inode *inode,
43263 struct extent_state *orig, u64 split);
43264 - int (*write_cache_pages_lock_hook)(struct page *page);
43265 + int (* const write_cache_pages_lock_hook)(struct page *page);
43266 };
43267
43268 struct extent_io_tree {
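Review bot: `submit_bio_hook` is the one member of `struct extent_io_ops` that this hunk leaves writable. Every other callback becomes `(* const name)`, but the line `extent_submit_bio_hook_t *submit_bio_hook;` is unchanged. If nothing assigns to it after initialisation (not visible from this hunk), `extent_submit_bio_hook_t * const submit_bio_hook;` would make the whole table read-only. If it is left writable on purpose, a one-line comment on that member should give the reason.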
43269 @@ -88,7 +88,7 @@ struct extent_io_tree {
43270 u64 dirty_bytes;
43271 spinlock_t lock;
43272 spinlock_t buffer_lock;
43273 - struct extent_io_ops *ops;
43274 + const struct extent_io_ops *ops;
43275 };
43276
43277 struct extent_state {
43278 diff -urNp linux-2.6.32.46/fs/btrfs/extent-tree.c linux-2.6.32.46/fs/btrfs/extent-tree.c
43279 --- linux-2.6.32.46/fs/btrfs/extent-tree.c 2011-03-27 14:31:47.000000000 -0400
43280 +++ linux-2.6.32.46/fs/btrfs/extent-tree.c 2011-06-12 06:39:08.000000000 -0400
43281 @@ -7141,6 +7141,10 @@ static noinline int relocate_one_extent(
43282 u64 group_start = group->key.objectid;
43283 new_extents = kmalloc(sizeof(*new_extents),
43284 GFP_NOFS);
43285 + if (!new_extents) {
43286 + ret = -ENOMEM;
43287 + goto out;
43288 + }
43289 nr_extents = 1;
43290 ret = get_new_locations(reloc_inode,
43291 extent_key,
43292 diff -urNp linux-2.6.32.46/fs/btrfs/free-space-cache.c linux-2.6.32.46/fs/btrfs/free-space-cache.c
43293 --- linux-2.6.32.46/fs/btrfs/free-space-cache.c 2011-03-27 14:31:47.000000000 -0400
43294 +++ linux-2.6.32.46/fs/btrfs/free-space-cache.c 2011-04-17 15:56:46.000000000 -0400
43295 @@ -1074,8 +1074,6 @@ u64 btrfs_alloc_from_cluster(struct btrf
43296
43297 while(1) {
43298 if (entry->bytes < bytes || entry->offset < min_start) {
43299 - struct rb_node *node;
43300 -
43301 node = rb_next(&entry->offset_index);
43302 if (!node)
43303 break;
43304 @@ -1226,7 +1224,7 @@ again:
43305 */
43306 while (entry->bitmap || found_bitmap ||
43307 (!entry->bitmap && entry->bytes < min_bytes)) {
43308 - struct rb_node *node = rb_next(&entry->offset_index);
43309 + node = rb_next(&entry->offset_index);
43310
43311 if (entry->bitmap && entry->bytes > bytes + empty_size) {
43312 ret = btrfs_bitmap_cluster(block_group, entry, cluster,
43313 diff -urNp linux-2.6.32.46/fs/btrfs/inode.c linux-2.6.32.46/fs/btrfs/inode.c
43314 --- linux-2.6.32.46/fs/btrfs/inode.c 2011-03-27 14:31:47.000000000 -0400
43315 +++ linux-2.6.32.46/fs/btrfs/inode.c 2011-06-12 06:39:58.000000000 -0400
43316 @@ -63,7 +63,7 @@ static const struct inode_operations btr
43317 static const struct address_space_operations btrfs_aops;
43318 static const struct address_space_operations btrfs_symlink_aops;
43319 static const struct file_operations btrfs_dir_file_operations;
43320 -static struct extent_io_ops btrfs_extent_io_ops;
43321 +static const struct extent_io_ops btrfs_extent_io_ops;
43322
43323 static struct kmem_cache *btrfs_inode_cachep;
43324 struct kmem_cache *btrfs_trans_handle_cachep;
43325 @@ -925,6 +925,7 @@ static int cow_file_range_async(struct i
43326 1, 0, NULL, GFP_NOFS);
43327 while (start < end) {
43328 async_cow = kmalloc(sizeof(*async_cow), GFP_NOFS);
43329 + BUG_ON(!async_cow);
43330 async_cow->inode = inode;
43331 async_cow->root = root;
43332 async_cow->locked_page = locked_page;
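Review bot: `BUG_ON(!async_cow)` turns a failed `kmalloc(sizeof(*async_cow), GFP_NOFS)` into a kernel BUG rather than an error return. It does prevent the NULL dereference on the next line, but the other allocation checks added in this patch (relocate_one_extent, uncompress_inline) return `-ENOMEM` instead. Doing the same here would require the loop to unwind work queued in earlier iterations, which lies outside the hunk. At minimum a comment such as `/* no unwind path for already queued async_cow work; fail hard */` should record why this site differs.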
43333 @@ -4591,6 +4592,8 @@ static noinline int uncompress_inline(st
43334 inline_size = btrfs_file_extent_inline_item_len(leaf,
43335 btrfs_item_nr(leaf, path->slots[0]));
43336 tmp = kmalloc(inline_size, GFP_NOFS);
43337 + if (!tmp)
43338 + return -ENOMEM;
43339 ptr = btrfs_file_extent_inline_start(item);
43340
43341 read_extent_buffer(leaf, tmp, ptr, inline_size);
43342 @@ -5410,7 +5413,7 @@ fail:
43343 return -ENOMEM;
43344 }
43345
43346 -static int btrfs_getattr(struct vfsmount *mnt,
43347 +int btrfs_getattr(struct vfsmount *mnt,
43348 struct dentry *dentry, struct kstat *stat)
43349 {
43350 struct inode *inode = dentry->d_inode;
43351 @@ -5422,6 +5425,14 @@ static int btrfs_getattr(struct vfsmount
43352 return 0;
43353 }
43354
43355 +EXPORT_SYMBOL(btrfs_getattr);
43356 +
43357 +dev_t get_btrfs_dev_from_inode(struct inode *inode)
43358 +{
43359 + return BTRFS_I(inode)->root->anon_super.s_dev;
43360 +}
43361 +EXPORT_SYMBOL(get_btrfs_dev_from_inode);
43362 +
43363 static int btrfs_rename(struct inode *old_dir, struct dentry *old_dentry,
43364 struct inode *new_dir, struct dentry *new_dentry)
43365 {
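Review bot: The new exported helper `get_btrfs_dev_from_inode()` carries no comment stating its precondition, and it dereferences `BTRFS_I(inode)->root` unconditionally. BTRFS_I is presumably a container_of-style cast, so an inode from another filesystem would make it read unrelated memory rather than fail. A comment above the function such as `/* caller must pass an inode that belongs to a btrfs superblock */` would make the contract explicit. The previous hunk also drops `static` from btrfs_getattr, so both symbols need a prototype in a header their callers include; none is visible in this file's hunks.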
43366 @@ -5972,7 +5983,7 @@ static const struct file_operations btrf
43367 .fsync = btrfs_sync_file,
43368 };
43369
43370 -static struct extent_io_ops btrfs_extent_io_ops = {
43371 +static const struct extent_io_ops btrfs_extent_io_ops = {
43372 .fill_delalloc = run_delalloc_range,
43373 .submit_bio_hook = btrfs_submit_bio_hook,
43374 .merge_bio_hook = btrfs_merge_bio_hook,
43375 diff -urNp linux-2.6.32.46/fs/btrfs/relocation.c linux-2.6.32.46/fs/btrfs/relocation.c
43376 --- linux-2.6.32.46/fs/btrfs/relocation.c 2011-03-27 14:31:47.000000000 -0400
43377 +++ linux-2.6.32.46/fs/btrfs/relocation.c 2011-04-17 15:56:46.000000000 -0400
43378 @@ -884,7 +884,7 @@ static int __update_reloc_root(struct bt
43379 }
43380 spin_unlock(&rc->reloc_root_tree.lock);
43381
43382 - BUG_ON((struct btrfs_root *)node->data != root);
43383 + BUG_ON(!node || (struct btrfs_root *)node->data != root);
43384
43385 if (!del) {
43386 spin_lock(&rc->reloc_root_tree.lock);
43387 diff -urNp linux-2.6.32.46/fs/btrfs/sysfs.c linux-2.6.32.46/fs/btrfs/sysfs.c
43388 --- linux-2.6.32.46/fs/btrfs/sysfs.c 2011-03-27 14:31:47.000000000 -0400
43389 +++ linux-2.6.32.46/fs/btrfs/sysfs.c 2011-04-17 15:56:46.000000000 -0400
43390 @@ -164,12 +164,12 @@ static void btrfs_root_release(struct ko
43391 complete(&root->kobj_unregister);
43392 }
43393
43394 -static struct sysfs_ops btrfs_super_attr_ops = {
43395 +static const struct sysfs_ops btrfs_super_attr_ops = {
43396 .show = btrfs_super_attr_show,
43397 .store = btrfs_super_attr_store,
43398 };
43399
43400 -static struct sysfs_ops btrfs_root_attr_ops = {
43401 +static const struct sysfs_ops btrfs_root_attr_ops = {
43402 .show = btrfs_root_attr_show,
43403 .store = btrfs_root_attr_store,
43404 };
43405 diff -urNp linux-2.6.32.46/fs/buffer.c linux-2.6.32.46/fs/buffer.c
43406 --- linux-2.6.32.46/fs/buffer.c 2011-03-27 14:31:47.000000000 -0400
43407 +++ linux-2.6.32.46/fs/buffer.c 2011-04-17 15:56:46.000000000 -0400
43408 @@ -25,6 +25,7 @@
43409 #include <linux/percpu.h>
43410 #include <linux/slab.h>
43411 #include <linux/capability.h>
43412 +#include <linux/security.h>
43413 #include <linux/blkdev.h>
43414 #include <linux/file.h>
43415 #include <linux/quotaops.h>
43416 diff -urNp linux-2.6.32.46/fs/cachefiles/bind.c linux-2.6.32.46/fs/cachefiles/bind.c
43417 --- linux-2.6.32.46/fs/cachefiles/bind.c 2011-03-27 14:31:47.000000000 -0400
43418 +++ linux-2.6.32.46/fs/cachefiles/bind.c 2011-04-17 15:56:46.000000000 -0400
43419 @@ -39,13 +39,11 @@ int cachefiles_daemon_bind(struct cachef
43420 args);
43421
43422 /* start by checking things over */
43423 - ASSERT(cache->fstop_percent >= 0 &&
43424 - cache->fstop_percent < cache->fcull_percent &&
43425 + ASSERT(cache->fstop_percent < cache->fcull_percent &&
43426 cache->fcull_percent < cache->frun_percent &&
43427 cache->frun_percent < 100);
43428
43429 - ASSERT(cache->bstop_percent >= 0 &&
43430 - cache->bstop_percent < cache->bcull_percent &&
43431 + ASSERT(cache->bstop_percent < cache->bcull_percent &&
43432 cache->bcull_percent < cache->brun_percent &&
43433 cache->brun_percent < 100);
43434
43435 diff -urNp linux-2.6.32.46/fs/cachefiles/daemon.c linux-2.6.32.46/fs/cachefiles/daemon.c
43436 --- linux-2.6.32.46/fs/cachefiles/daemon.c 2011-03-27 14:31:47.000000000 -0400
43437 +++ linux-2.6.32.46/fs/cachefiles/daemon.c 2011-04-17 15:56:46.000000000 -0400
43438 @@ -220,7 +220,7 @@ static ssize_t cachefiles_daemon_write(s
43439 if (test_bit(CACHEFILES_DEAD, &cache->flags))
43440 return -EIO;
43441
43442 - if (datalen < 0 || datalen > PAGE_SIZE - 1)
43443 + if (datalen > PAGE_SIZE - 1)
43444 return -EOPNOTSUPP;
43445
43446 /* drag the command string into the kernel so we can parse it */
43447 @@ -385,7 +385,7 @@ static int cachefiles_daemon_fstop(struc
43448 if (args[0] != '%' || args[1] != '\0')
43449 return -EINVAL;
43450
43451 - if (fstop < 0 || fstop >= cache->fcull_percent)
43452 + if (fstop >= cache->fcull_percent)
43453 return cachefiles_daemon_range_error(cache, args);
43454
43455 cache->fstop_percent = fstop;
43456 @@ -457,7 +457,7 @@ static int cachefiles_daemon_bstop(struc
43457 if (args[0] != '%' || args[1] != '\0')
43458 return -EINVAL;
43459
43460 - if (bstop < 0 || bstop >= cache->bcull_percent)
43461 + if (bstop >= cache->bcull_percent)
43462 return cachefiles_daemon_range_error(cache, args);
43463
43464 cache->bstop_percent = bstop;
43465 diff -urNp linux-2.6.32.46/fs/cachefiles/internal.h linux-2.6.32.46/fs/cachefiles/internal.h
43466 --- linux-2.6.32.46/fs/cachefiles/internal.h 2011-03-27 14:31:47.000000000 -0400
43467 +++ linux-2.6.32.46/fs/cachefiles/internal.h 2011-05-04 17:56:28.000000000 -0400
43468 @@ -56,7 +56,7 @@ struct cachefiles_cache {
43469 wait_queue_head_t daemon_pollwq; /* poll waitqueue for daemon */
43470 struct rb_root active_nodes; /* active nodes (can't be culled) */
43471 rwlock_t active_lock; /* lock for active_nodes */
43472 - atomic_t gravecounter; /* graveyard uniquifier */
43473 + atomic_unchecked_t gravecounter; /* graveyard uniquifier */
43474 unsigned frun_percent; /* when to stop culling (% files) */
43475 unsigned fcull_percent; /* when to start culling (% files) */
43476 unsigned fstop_percent; /* when to stop allocating (% files) */
43477 @@ -168,19 +168,19 @@ extern int cachefiles_check_in_use(struc
43478 * proc.c
43479 */
43480 #ifdef CONFIG_CACHEFILES_HISTOGRAM
43481 -extern atomic_t cachefiles_lookup_histogram[HZ];
43482 -extern atomic_t cachefiles_mkdir_histogram[HZ];
43483 -extern atomic_t cachefiles_create_histogram[HZ];
43484 +extern atomic_unchecked_t cachefiles_lookup_histogram[HZ];
43485 +extern atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
43486 +extern atomic_unchecked_t cachefiles_create_histogram[HZ];
43487
43488 extern int __init cachefiles_proc_init(void);
43489 extern void cachefiles_proc_cleanup(void);
43490 static inline
43491 -void cachefiles_hist(atomic_t histogram[], unsigned long start_jif)
43492 +void cachefiles_hist(atomic_unchecked_t histogram[], unsigned long start_jif)
43493 {
43494 unsigned long jif = jiffies - start_jif;
43495 if (jif >= HZ)
43496 jif = HZ - 1;
43497 - atomic_inc(&histogram[jif]);
43498 + atomic_inc_unchecked(&histogram[jif]);
43499 }
43500
43501 #else
43502 diff -urNp linux-2.6.32.46/fs/cachefiles/namei.c linux-2.6.32.46/fs/cachefiles/namei.c
43503 --- linux-2.6.32.46/fs/cachefiles/namei.c 2011-03-27 14:31:47.000000000 -0400
43504 +++ linux-2.6.32.46/fs/cachefiles/namei.c 2011-05-04 17:56:28.000000000 -0400
43505 @@ -250,7 +250,7 @@ try_again:
43506 /* first step is to make up a grave dentry in the graveyard */
43507 sprintf(nbuffer, "%08x%08x",
43508 (uint32_t) get_seconds(),
43509 - (uint32_t) atomic_inc_return(&cache->gravecounter));
43510 + (uint32_t) atomic_inc_return_unchecked(&cache->gravecounter));
43511
43512 /* do the multiway lock magic */
43513 trap = lock_rename(cache->graveyard, dir);
43514 diff -urNp linux-2.6.32.46/fs/cachefiles/proc.c linux-2.6.32.46/fs/cachefiles/proc.c
43515 --- linux-2.6.32.46/fs/cachefiles/proc.c 2011-03-27 14:31:47.000000000 -0400
43516 +++ linux-2.6.32.46/fs/cachefiles/proc.c 2011-05-04 17:56:28.000000000 -0400
43517 @@ -14,9 +14,9 @@
43518 #include <linux/seq_file.h>
43519 #include "internal.h"
43520
43521 -atomic_t cachefiles_lookup_histogram[HZ];
43522 -atomic_t cachefiles_mkdir_histogram[HZ];
43523 -atomic_t cachefiles_create_histogram[HZ];
43524 +atomic_unchecked_t cachefiles_lookup_histogram[HZ];
43525 +atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
43526 +atomic_unchecked_t cachefiles_create_histogram[HZ];
43527
43528 /*
43529 * display the latency histogram
43530 @@ -35,9 +35,9 @@ static int cachefiles_histogram_show(str
43531 return 0;
43532 default:
43533 index = (unsigned long) v - 3;
43534 - x = atomic_read(&cachefiles_lookup_histogram[index]);
43535 - y = atomic_read(&cachefiles_mkdir_histogram[index]);
43536 - z = atomic_read(&cachefiles_create_histogram[index]);
43537 + x = atomic_read_unchecked(&cachefiles_lookup_histogram[index]);
43538 + y = atomic_read_unchecked(&cachefiles_mkdir_histogram[index]);
43539 + z = atomic_read_unchecked(&cachefiles_create_histogram[index]);
43540 if (x == 0 && y == 0 && z == 0)
43541 return 0;
43542
43543 diff -urNp linux-2.6.32.46/fs/cachefiles/rdwr.c linux-2.6.32.46/fs/cachefiles/rdwr.c
43544 --- linux-2.6.32.46/fs/cachefiles/rdwr.c 2011-03-27 14:31:47.000000000 -0400
43545 +++ linux-2.6.32.46/fs/cachefiles/rdwr.c 2011-10-06 09:37:14.000000000 -0400
43546 @@ -946,7 +946,7 @@ int cachefiles_write_page(struct fscache
43547 old_fs = get_fs();
43548 set_fs(KERNEL_DS);
43549 ret = file->f_op->write(
43550 - file, (const void __user *) data, len, &pos);
43551 + file, (const void __force_user *) data, len, &pos);
43552 set_fs(old_fs);
43553 kunmap(page);
43554 if (ret != len)
43555 diff -urNp linux-2.6.32.46/fs/cifs/cifs_debug.c linux-2.6.32.46/fs/cifs/cifs_debug.c
43556 --- linux-2.6.32.46/fs/cifs/cifs_debug.c 2011-03-27 14:31:47.000000000 -0400
43557 +++ linux-2.6.32.46/fs/cifs/cifs_debug.c 2011-05-04 17:56:28.000000000 -0400
43558 @@ -256,25 +256,25 @@ static ssize_t cifs_stats_proc_write(str
43559 tcon = list_entry(tmp3,
43560 struct cifsTconInfo,
43561 tcon_list);
43562 - atomic_set(&tcon->num_smbs_sent, 0);
43563 - atomic_set(&tcon->num_writes, 0);
43564 - atomic_set(&tcon->num_reads, 0);
43565 - atomic_set(&tcon->num_oplock_brks, 0);
43566 - atomic_set(&tcon->num_opens, 0);
43567 - atomic_set(&tcon->num_posixopens, 0);
43568 - atomic_set(&tcon->num_posixmkdirs, 0);
43569 - atomic_set(&tcon->num_closes, 0);
43570 - atomic_set(&tcon->num_deletes, 0);
43571 - atomic_set(&tcon->num_mkdirs, 0);
43572 - atomic_set(&tcon->num_rmdirs, 0);
43573 - atomic_set(&tcon->num_renames, 0);
43574 - atomic_set(&tcon->num_t2renames, 0);
43575 - atomic_set(&tcon->num_ffirst, 0);
43576 - atomic_set(&tcon->num_fnext, 0);
43577 - atomic_set(&tcon->num_fclose, 0);
43578 - atomic_set(&tcon->num_hardlinks, 0);
43579 - atomic_set(&tcon->num_symlinks, 0);
43580 - atomic_set(&tcon->num_locks, 0);
43581 + atomic_set_unchecked(&tcon->num_smbs_sent, 0);
43582 + atomic_set_unchecked(&tcon->num_writes, 0);
43583 + atomic_set_unchecked(&tcon->num_reads, 0);
43584 + atomic_set_unchecked(&tcon->num_oplock_brks, 0);
43585 + atomic_set_unchecked(&tcon->num_opens, 0);
43586 + atomic_set_unchecked(&tcon->num_posixopens, 0);
43587 + atomic_set_unchecked(&tcon->num_posixmkdirs, 0);
43588 + atomic_set_unchecked(&tcon->num_closes, 0);
43589 + atomic_set_unchecked(&tcon->num_deletes, 0);
43590 + atomic_set_unchecked(&tcon->num_mkdirs, 0);
43591 + atomic_set_unchecked(&tcon->num_rmdirs, 0);
43592 + atomic_set_unchecked(&tcon->num_renames, 0);
43593 + atomic_set_unchecked(&tcon->num_t2renames, 0);
43594 + atomic_set_unchecked(&tcon->num_ffirst, 0);
43595 + atomic_set_unchecked(&tcon->num_fnext, 0);
43596 + atomic_set_unchecked(&tcon->num_fclose, 0);
43597 + atomic_set_unchecked(&tcon->num_hardlinks, 0);
43598 + atomic_set_unchecked(&tcon->num_symlinks, 0);
43599 + atomic_set_unchecked(&tcon->num_locks, 0);
43600 }
43601 }
43602 }
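Review bot: The reset list in cifs_stats_proc_write never clears `num_flushes`, although the cifs_stats_proc_show hunk below prints it as "Flushes" and the cifsglob.h hunk declares it alongside the other counters. After a statistics reset that one value keeps its old count while every neighbour restarts from zero. Adding `atomic_set_unchecked(&tcon->num_flushes, 0);` to the list fixes it. `num_acl_get` and `num_acl_set` are also declared but not reset here, though no visible code reports them. The enclosing function starts before the hunk.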
43603 @@ -334,41 +334,41 @@ static int cifs_stats_proc_show(struct s
43604 if (tcon->need_reconnect)
43605 seq_puts(m, "\tDISCONNECTED ");
43606 seq_printf(m, "\nSMBs: %d Oplock Breaks: %d",
43607 - atomic_read(&tcon->num_smbs_sent),
43608 - atomic_read(&tcon->num_oplock_brks));
43609 + atomic_read_unchecked(&tcon->num_smbs_sent),
43610 + atomic_read_unchecked(&tcon->num_oplock_brks));
43611 seq_printf(m, "\nReads: %d Bytes: %lld",
43612 - atomic_read(&tcon->num_reads),
43613 + atomic_read_unchecked(&tcon->num_reads),
43614 (long long)(tcon->bytes_read));
43615 seq_printf(m, "\nWrites: %d Bytes: %lld",
43616 - atomic_read(&tcon->num_writes),
43617 + atomic_read_unchecked(&tcon->num_writes),
43618 (long long)(tcon->bytes_written));
43619 seq_printf(m, "\nFlushes: %d",
43620 - atomic_read(&tcon->num_flushes));
43621 + atomic_read_unchecked(&tcon->num_flushes));
43622 seq_printf(m, "\nLocks: %d HardLinks: %d "
43623 "Symlinks: %d",
43624 - atomic_read(&tcon->num_locks),
43625 - atomic_read(&tcon->num_hardlinks),
43626 - atomic_read(&tcon->num_symlinks));
43627 + atomic_read_unchecked(&tcon->num_locks),
43628 + atomic_read_unchecked(&tcon->num_hardlinks),
43629 + atomic_read_unchecked(&tcon->num_symlinks));
43630 seq_printf(m, "\nOpens: %d Closes: %d "
43631 "Deletes: %d",
43632 - atomic_read(&tcon->num_opens),
43633 - atomic_read(&tcon->num_closes),
43634 - atomic_read(&tcon->num_deletes));
43635 + atomic_read_unchecked(&tcon->num_opens),
43636 + atomic_read_unchecked(&tcon->num_closes),
43637 + atomic_read_unchecked(&tcon->num_deletes));
43638 seq_printf(m, "\nPosix Opens: %d "
43639 "Posix Mkdirs: %d",
43640 - atomic_read(&tcon->num_posixopens),
43641 - atomic_read(&tcon->num_posixmkdirs));
43642 + atomic_read_unchecked(&tcon->num_posixopens),
43643 + atomic_read_unchecked(&tcon->num_posixmkdirs));
43644 seq_printf(m, "\nMkdirs: %d Rmdirs: %d",
43645 - atomic_read(&tcon->num_mkdirs),
43646 - atomic_read(&tcon->num_rmdirs));
43647 + atomic_read_unchecked(&tcon->num_mkdirs),
43648 + atomic_read_unchecked(&tcon->num_rmdirs));
43649 seq_printf(m, "\nRenames: %d T2 Renames %d",
43650 - atomic_read(&tcon->num_renames),
43651 - atomic_read(&tcon->num_t2renames));
43652 + atomic_read_unchecked(&tcon->num_renames),
43653 + atomic_read_unchecked(&tcon->num_t2renames));
43654 seq_printf(m, "\nFindFirst: %d FNext %d "
43655 "FClose %d",
43656 - atomic_read(&tcon->num_ffirst),
43657 - atomic_read(&tcon->num_fnext),
43658 - atomic_read(&tcon->num_fclose));
43659 + atomic_read_unchecked(&tcon->num_ffirst),
43660 + atomic_read_unchecked(&tcon->num_fnext),
43661 + atomic_read_unchecked(&tcon->num_fclose));
43662 }
43663 }
43664 }
43665 diff -urNp linux-2.6.32.46/fs/cifs/cifsfs.c linux-2.6.32.46/fs/cifs/cifsfs.c
43666 --- linux-2.6.32.46/fs/cifs/cifsfs.c 2011-03-27 14:31:47.000000000 -0400
43667 +++ linux-2.6.32.46/fs/cifs/cifsfs.c 2011-08-25 17:17:57.000000000 -0400
43668 @@ -869,7 +869,7 @@ cifs_init_request_bufs(void)
43669 cifs_req_cachep = kmem_cache_create("cifs_request",
43670 CIFSMaxBufSize +
43671 MAX_CIFS_HDR_SIZE, 0,
43672 - SLAB_HWCACHE_ALIGN, NULL);
43673 + SLAB_HWCACHE_ALIGN | SLAB_USERCOPY, NULL);
43674 if (cifs_req_cachep == NULL)
43675 return -ENOMEM;
43676
43677 @@ -896,7 +896,7 @@ cifs_init_request_bufs(void)
43678 efficient to alloc 1 per page off the slab compared to 17K (5page)
43679 alloc of large cifs buffers even when page debugging is on */
43680 cifs_sm_req_cachep = kmem_cache_create("cifs_small_rq",
43681 - MAX_CIFS_SMALL_BUFFER_SIZE, 0, SLAB_HWCACHE_ALIGN,
43682 + MAX_CIFS_SMALL_BUFFER_SIZE, 0, SLAB_HWCACHE_ALIGN | SLAB_USERCOPY,
43683 NULL);
43684 if (cifs_sm_req_cachep == NULL) {
43685 mempool_destroy(cifs_req_poolp);
43686 @@ -991,8 +991,8 @@ init_cifs(void)
43687 atomic_set(&bufAllocCount, 0);
43688 atomic_set(&smBufAllocCount, 0);
43689 #ifdef CONFIG_CIFS_STATS2
43690 - atomic_set(&totBufAllocCount, 0);
43691 - atomic_set(&totSmBufAllocCount, 0);
43692 + atomic_set_unchecked(&totBufAllocCount, 0);
43693 + atomic_set_unchecked(&totSmBufAllocCount, 0);
43694 #endif /* CONFIG_CIFS_STATS2 */
43695
43696 atomic_set(&midCount, 0);
43697 diff -urNp linux-2.6.32.46/fs/cifs/cifsglob.h linux-2.6.32.46/fs/cifs/cifsglob.h
43698 --- linux-2.6.32.46/fs/cifs/cifsglob.h 2011-08-09 18:35:29.000000000 -0400
43699 +++ linux-2.6.32.46/fs/cifs/cifsglob.h 2011-08-25 17:17:57.000000000 -0400
43700 @@ -252,28 +252,28 @@ struct cifsTconInfo {
43701 __u16 Flags; /* optional support bits */
43702 enum statusEnum tidStatus;
43703 #ifdef CONFIG_CIFS_STATS
43704 - atomic_t num_smbs_sent;
43705 - atomic_t num_writes;
43706 - atomic_t num_reads;
43707 - atomic_t num_flushes;
43708 - atomic_t num_oplock_brks;
43709 - atomic_t num_opens;
43710 - atomic_t num_closes;
43711 - atomic_t num_deletes;
43712 - atomic_t num_mkdirs;
43713 - atomic_t num_posixopens;
43714 - atomic_t num_posixmkdirs;
43715 - atomic_t num_rmdirs;
43716 - atomic_t num_renames;
43717 - atomic_t num_t2renames;
43718 - atomic_t num_ffirst;
43719 - atomic_t num_fnext;
43720 - atomic_t num_fclose;
43721 - atomic_t num_hardlinks;
43722 - atomic_t num_symlinks;
43723 - atomic_t num_locks;
43724 - atomic_t num_acl_get;
43725 - atomic_t num_acl_set;
43726 + atomic_unchecked_t num_smbs_sent;
43727 + atomic_unchecked_t num_writes;
43728 + atomic_unchecked_t num_reads;
43729 + atomic_unchecked_t num_flushes;
43730 + atomic_unchecked_t num_oplock_brks;
43731 + atomic_unchecked_t num_opens;
43732 + atomic_unchecked_t num_closes;
43733 + atomic_unchecked_t num_deletes;
43734 + atomic_unchecked_t num_mkdirs;
43735 + atomic_unchecked_t num_posixopens;
43736 + atomic_unchecked_t num_posixmkdirs;
43737 + atomic_unchecked_t num_rmdirs;
43738 + atomic_unchecked_t num_renames;
43739 + atomic_unchecked_t num_t2renames;
43740 + atomic_unchecked_t num_ffirst;
43741 + atomic_unchecked_t num_fnext;
43742 + atomic_unchecked_t num_fclose;
43743 + atomic_unchecked_t num_hardlinks;
43744 + atomic_unchecked_t num_symlinks;
43745 + atomic_unchecked_t num_locks;
43746 + atomic_unchecked_t num_acl_get;
43747 + atomic_unchecked_t num_acl_set;
43748 #ifdef CONFIG_CIFS_STATS2
43749 unsigned long long time_writes;
43750 unsigned long long time_reads;
43751 @@ -414,7 +414,7 @@ static inline char CIFS_DIR_SEP(const st
43752 }
43753
43754 #ifdef CONFIG_CIFS_STATS
43755 -#define cifs_stats_inc atomic_inc
43756 +#define cifs_stats_inc atomic_inc_unchecked
43757
43758 static inline void cifs_stats_bytes_written(struct cifsTconInfo *tcon,
43759 unsigned int bytes)
43760 @@ -701,8 +701,8 @@ GLOBAL_EXTERN atomic_t tconInfoReconnect
43761 /* Various Debug counters */
43762 GLOBAL_EXTERN atomic_t bufAllocCount; /* current number allocated */
43763 #ifdef CONFIG_CIFS_STATS2
43764 -GLOBAL_EXTERN atomic_t totBufAllocCount; /* total allocated over all time */
43765 -GLOBAL_EXTERN atomic_t totSmBufAllocCount;
43766 +GLOBAL_EXTERN atomic_unchecked_t totBufAllocCount; /* total allocated over all time */
43767 +GLOBAL_EXTERN atomic_unchecked_t totSmBufAllocCount;
43768 #endif
43769 GLOBAL_EXTERN atomic_t smBufAllocCount;
43770 GLOBAL_EXTERN atomic_t midCount;
43771 diff -urNp linux-2.6.32.46/fs/cifs/link.c linux-2.6.32.46/fs/cifs/link.c
43772 --- linux-2.6.32.46/fs/cifs/link.c 2011-03-27 14:31:47.000000000 -0400
43773 +++ linux-2.6.32.46/fs/cifs/link.c 2011-04-17 15:56:46.000000000 -0400
43774 @@ -215,7 +215,7 @@ cifs_symlink(struct inode *inode, struct
43775
43776 void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
43777 {
43778 - char *p = nd_get_link(nd);
43779 + const char *p = nd_get_link(nd);
43780 if (!IS_ERR(p))
43781 kfree(p);
43782 }
43783 diff -urNp linux-2.6.32.46/fs/cifs/misc.c linux-2.6.32.46/fs/cifs/misc.c
43784 --- linux-2.6.32.46/fs/cifs/misc.c 2011-03-27 14:31:47.000000000 -0400
43785 +++ linux-2.6.32.46/fs/cifs/misc.c 2011-08-25 17:17:57.000000000 -0400
43786 @@ -155,7 +155,7 @@ cifs_buf_get(void)
43787 memset(ret_buf, 0, sizeof(struct smb_hdr) + 3);
43788 atomic_inc(&bufAllocCount);
43789 #ifdef CONFIG_CIFS_STATS2
43790 - atomic_inc(&totBufAllocCount);
43791 + atomic_inc_unchecked(&totBufAllocCount);
43792 #endif /* CONFIG_CIFS_STATS2 */
43793 }
43794
43795 @@ -190,7 +190,7 @@ cifs_small_buf_get(void)
43796 /* memset(ret_buf, 0, sizeof(struct smb_hdr) + 27);*/
43797 atomic_inc(&smBufAllocCount);
43798 #ifdef CONFIG_CIFS_STATS2
43799 - atomic_inc(&totSmBufAllocCount);
43800 + atomic_inc_unchecked(&totSmBufAllocCount);
43801 #endif /* CONFIG_CIFS_STATS2 */
43802
43803 }
43804 diff -urNp linux-2.6.32.46/fs/coda/cache.c linux-2.6.32.46/fs/coda/cache.c
43805 --- linux-2.6.32.46/fs/coda/cache.c 2011-03-27 14:31:47.000000000 -0400
43806 +++ linux-2.6.32.46/fs/coda/cache.c 2011-05-04 17:56:28.000000000 -0400
43807 @@ -24,14 +24,14 @@
43808 #include <linux/coda_fs_i.h>
43809 #include <linux/coda_cache.h>
43810
43811 -static atomic_t permission_epoch = ATOMIC_INIT(0);
43812 +static atomic_unchecked_t permission_epoch = ATOMIC_INIT(0);
43813
43814 /* replace or extend an acl cache hit */
43815 void coda_cache_enter(struct inode *inode, int mask)
43816 {
43817 struct coda_inode_info *cii = ITOC(inode);
43818
43819 - cii->c_cached_epoch = atomic_read(&permission_epoch);
43820 + cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch);
43821 if (cii->c_uid != current_fsuid()) {
43822 cii->c_uid = current_fsuid();
43823 cii->c_cached_perm = mask;
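Review bot: `permission_epoch` gates the cached permission check, so its switch to `atomic_unchecked_t` deserves a comment on the declaration saying why overflow detection is waived. In the visible hunks the counter is only compared for equality (here and in coda_cache_check), offset by one in coda_cache_clear_inode and incremented in coda_cache_clear_all. A wrap therefore looks harmless unless a cached entry survives a full cycle of invalidations. Something like `/* epoch is compared for equality only; wraparound is expected, hence unchecked */` would record that reasoning for the next audit.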
43824 @@ -43,13 +43,13 @@ void coda_cache_enter(struct inode *inod
43825 void coda_cache_clear_inode(struct inode *inode)
43826 {
43827 struct coda_inode_info *cii = ITOC(inode);
43828 - cii->c_cached_epoch = atomic_read(&permission_epoch) - 1;
43829 + cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch) - 1;
43830 }
43831
43832 /* remove all acl caches */
43833 void coda_cache_clear_all(struct super_block *sb)
43834 {
43835 - atomic_inc(&permission_epoch);
43836 + atomic_inc_unchecked(&permission_epoch);
43837 }
43838
43839
43840 @@ -61,7 +61,7 @@ int coda_cache_check(struct inode *inode
43841
43842 hit = (mask & cii->c_cached_perm) == mask &&
43843 cii->c_uid == current_fsuid() &&
43844 - cii->c_cached_epoch == atomic_read(&permission_epoch);
43845 + cii->c_cached_epoch == atomic_read_unchecked(&permission_epoch);
43846
43847 return hit;
43848 }
43849 diff -urNp linux-2.6.32.46/fs/compat_binfmt_elf.c linux-2.6.32.46/fs/compat_binfmt_elf.c
43850 --- linux-2.6.32.46/fs/compat_binfmt_elf.c 2011-03-27 14:31:47.000000000 -0400
43851 +++ linux-2.6.32.46/fs/compat_binfmt_elf.c 2011-04-17 15:56:46.000000000 -0400
43852 @@ -29,10 +29,12 @@
43853 #undef elfhdr
43854 #undef elf_phdr
43855 #undef elf_note
43856 +#undef elf_dyn
43857 #undef elf_addr_t
43858 #define elfhdr elf32_hdr
43859 #define elf_phdr elf32_phdr
43860 #define elf_note elf32_note
43861 +#define elf_dyn Elf32_Dyn
43862 #define elf_addr_t Elf32_Addr
43863
43864 /*
43865 diff -urNp linux-2.6.32.46/fs/compat.c linux-2.6.32.46/fs/compat.c
43866 --- linux-2.6.32.46/fs/compat.c 2011-04-17 17:00:52.000000000 -0400
43867 +++ linux-2.6.32.46/fs/compat.c 2011-10-06 09:37:14.000000000 -0400
43868 @@ -133,8 +133,8 @@ asmlinkage long compat_sys_utimes(char _
43869 static int cp_compat_stat(struct kstat *stat, struct compat_stat __user *ubuf)
43870 {
43871 compat_ino_t ino = stat->ino;
43872 - typeof(ubuf->st_uid) uid = 0;
43873 - typeof(ubuf->st_gid) gid = 0;
43874 + typeof(((struct compat_stat *)0)->st_uid) uid = 0;
43875 + typeof(((struct compat_stat *)0)->st_gid) gid = 0;
43876 int err;
43877
43878 SET_UID(uid, stat->uid);
43879 @@ -533,7 +533,7 @@ compat_sys_io_setup(unsigned nr_reqs, u3
43880
43881 set_fs(KERNEL_DS);
43882 /* The __user pointer cast is valid because of the set_fs() */
43883 - ret = sys_io_setup(nr_reqs, (aio_context_t __user *) &ctx64);
43884 + ret = sys_io_setup(nr_reqs, (aio_context_t __force_user *) &ctx64);
43885 set_fs(oldfs);
43886 /* truncating is ok because it's a user address */
43887 if (!ret)
43888 @@ -830,6 +830,7 @@ struct compat_old_linux_dirent {
43889
43890 struct compat_readdir_callback {
43891 struct compat_old_linux_dirent __user *dirent;
43892 + struct file * file;
43893 int result;
43894 };
43895
43896 @@ -847,6 +848,10 @@ static int compat_fillonedir(void *__buf
43897 buf->result = -EOVERFLOW;
43898 return -EOVERFLOW;
43899 }
43900 +
43901 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
43902 + return 0;
43903 +
43904 buf->result++;
43905 dirent = buf->dirent;
43906 if (!access_ok(VERIFY_WRITE, dirent,
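Review bot: The `gr_acl_handle_filldir()` test sits after the `-EOVERFLOW` return in compat_fillonedir, so a directory entry that the policy hides can still decide the syscall's result. The same ordering appears in compat_filldir (after its `-EOVERFLOW` return) and in compat_filldir64 (after `if (reclen > buf->count) return -EINVAL;`). Moving the added `if (!gr_acl_handle_filldir(buf->file, name, namlen, ino)) return 0;` above those checks would make a hidden entry indistinguishable from an absent one, which is presumably the intent of returning 0. Each callback begins outside its hunk, so the earliest safe position has to be checked against the lines not shown.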
43907 @@ -879,6 +884,7 @@ asmlinkage long compat_sys_old_readdir(u
43908
43909 buf.result = 0;
43910 buf.dirent = dirent;
43911 + buf.file = file;
43912
43913 error = vfs_readdir(file, compat_fillonedir, &buf);
43914 if (buf.result)
43915 @@ -899,6 +905,7 @@ struct compat_linux_dirent {
43916 struct compat_getdents_callback {
43917 struct compat_linux_dirent __user *current_dir;
43918 struct compat_linux_dirent __user *previous;
43919 + struct file * file;
43920 int count;
43921 int error;
43922 };
43923 @@ -919,6 +926,10 @@ static int compat_filldir(void *__buf, c
43924 buf->error = -EOVERFLOW;
43925 return -EOVERFLOW;
43926 }
43927 +
43928 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
43929 + return 0;
43930 +
43931 dirent = buf->previous;
43932 if (dirent) {
43933 if (__put_user(offset, &dirent->d_off))
43934 @@ -966,6 +977,7 @@ asmlinkage long compat_sys_getdents(unsi
43935 buf.previous = NULL;
43936 buf.count = count;
43937 buf.error = 0;
43938 + buf.file = file;
43939
43940 error = vfs_readdir(file, compat_filldir, &buf);
43941 if (error >= 0)
43942 @@ -987,6 +999,7 @@ out:
43943 struct compat_getdents_callback64 {
43944 struct linux_dirent64 __user *current_dir;
43945 struct linux_dirent64 __user *previous;
43946 + struct file * file;
43947 int count;
43948 int error;
43949 };
43950 @@ -1003,6 +1016,10 @@ static int compat_filldir64(void * __buf
43951 buf->error = -EINVAL; /* only used if we fail.. */
43952 if (reclen > buf->count)
43953 return -EINVAL;
43954 +
43955 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
43956 + return 0;
43957 +
43958 dirent = buf->previous;
43959
43960 if (dirent) {
43961 @@ -1054,13 +1071,14 @@ asmlinkage long compat_sys_getdents64(un
43962 buf.previous = NULL;
43963 buf.count = count;
43964 buf.error = 0;
43965 + buf.file = file;
43966
43967 error = vfs_readdir(file, compat_filldir64, &buf);
43968 if (error >= 0)
43969 error = buf.error;
43970 lastdirent = buf.previous;
43971 if (lastdirent) {
43972 - typeof(lastdirent->d_off) d_off = file->f_pos;
43973 + typeof(((struct linux_dirent64 *)0)->d_off) d_off = file->f_pos;
43974 if (__put_user_unaligned(d_off, &lastdirent->d_off))
43975 error = -EFAULT;
43976 else
43977 @@ -1098,7 +1116,7 @@ static ssize_t compat_do_readv_writev(in
43978 * verify all the pointers
43979 */
43980 ret = -EINVAL;
43981 - if ((nr_segs > UIO_MAXIOV) || (nr_segs <= 0))
43982 + if (nr_segs > UIO_MAXIOV)
43983 goto out;
43984 if (!file->f_op)
43985 goto out;
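Review bot: Removing `nr_segs <= 0` drops the only rejection of a zero segment count that is visible in this hunk of compat_do_readv_writev. If `nr_segs` is unsigned, as the removal implies, the `< 0` half was dead code but the `== 0` half was not. The change is behaviour-preserving only if zero is already handled above the hunk. A short comment next to the remaining test, e.g. `/* nr_segs == 0 is handled above */`, would make that dependency visible.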
43986 @@ -1463,11 +1481,35 @@ int compat_do_execve(char * filename,
43987 compat_uptr_t __user *envp,
43988 struct pt_regs * regs)
43989 {
43990 +#ifdef CONFIG_GRKERNSEC
43991 + struct file *old_exec_file;
43992 + struct acl_subject_label *old_acl;
43993 + struct rlimit old_rlim[RLIM_NLIMITS];
43994 +#endif
43995 struct linux_binprm *bprm;
43996 struct file *file;
43997 struct files_struct *displaced;
43998 bool clear_in_exec;
43999 int retval;
44000 + const struct cred *cred = current_cred();
44001 +
44002 + /*
44003 + * We move the actual failure in case of RLIMIT_NPROC excess from
44004 + * set*uid() to execve() because too many poorly written programs
44005 + * don't check setuid() return code. Here we additionally recheck
44006 + * whether NPROC limit is still exceeded.
44007 + */
44008 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
44009 +
44010 + if ((current->flags & PF_NPROC_EXCEEDED) &&
44011 + atomic_read(&cred->user->processes) > current->signal->rlim[RLIMIT_NPROC].rlim_cur) {
44012 + retval = -EAGAIN;
44013 + goto out_ret;
44014 + }
44015 +
44016 + /* We're below the limit (still or again), so we don't want to make
44017 + * further execve() calls fail. */
44018 + current->flags &= ~PF_NPROC_EXCEEDED;
44019
44020 retval = unshare_files(&displaced);
44021 if (retval)
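Review bot: The added block in compat_do_execve reads the process count twice through two different spellings. `gr_learn_resource()` is given `atomic_read(&current->cred->user->processes)`, while the limit test two lines later goes through the freshly declared `cred`. Using the local in both places, `gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&cred->user->processes), 1);`, or reading the count once into a local, keeps the learned value identical to the enforced one. The `out_ret` label this block jumps to lies outside the hunk.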
44022 @@ -1499,6 +1541,15 @@ int compat_do_execve(char * filename,
44023 bprm->filename = filename;
44024 bprm->interp = filename;
44025
44026 + if (gr_process_user_ban()) {
44027 + retval = -EPERM;
44028 + goto out_file;
44029 + }
44030 +
44031 + retval = -EACCES;
44032 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
44033 + goto out_file;
44034 +
44035 retval = bprm_mm_init(bprm);
44036 if (retval)
44037 goto out_file;
44038 @@ -1528,9 +1579,40 @@ int compat_do_execve(char * filename,
44039 if (retval < 0)
44040 goto out;
44041
44042 + if (!gr_tpe_allow(file)) {
44043 + retval = -EACCES;
44044 + goto out;
44045 + }
44046 +
44047 + if (gr_check_crash_exec(file)) {
44048 + retval = -EACCES;
44049 + goto out;
44050 + }
44051 +
44052 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
44053 +
44054 + gr_handle_exec_args_compat(bprm, argv);
44055 +
44056 +#ifdef CONFIG_GRKERNSEC
44057 + old_acl = current->acl;
44058 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
44059 + old_exec_file = current->exec_file;
44060 + get_file(file);
44061 + current->exec_file = file;
44062 +#endif
44063 +
44064 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
44065 + bprm->unsafe & LSM_UNSAFE_SHARE);
44066 + if (retval < 0)
44067 + goto out_fail;
44068 +
44069 retval = search_binary_handler(bprm, regs);
44070 if (retval < 0)
44071 - goto out;
44072 + goto out_fail;
44073 +#ifdef CONFIG_GRKERNSEC
44074 + if (old_exec_file)
44075 + fput(old_exec_file);
44076 +#endif
44077
44078 /* execve succeeded */
44079 current->fs->in_exec = 0;
44080 @@ -1541,6 +1623,14 @@ int compat_do_execve(char * filename,
44081 put_files_struct(displaced);
44082 return retval;
44083
44084 +out_fail:
44085 +#ifdef CONFIG_GRKERNSEC
44086 + current->acl = old_acl;
44087 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
44088 + fput(current->exec_file);
44089 + current->exec_file = old_exec_file;
44090 +#endif
44091 +
44092 out:
44093 if (bprm->mm) {
44094 acct_arg_size(bprm, 0);
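Review bot: `out_fail` writes `old_rlim` back over `current->signal->rlim` with a bare `memcpy()`, and the snapshot in the previous hunk is taken the same way, with no lock visible in either hunk. The signal structure is shared by the thread group, so a limit changed by another thread between the snapshot and a failed exec would be silently reverted by the restore. If rlimit writers in this tree serialise on the group leader's task lock (worth confirming), both copies should be made under it: `task_lock(current->group_leader); memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim)); task_unlock(current->group_leader);`.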
44095 @@ -1711,6 +1801,8 @@ int compat_core_sys_select(int n, compat
44096 struct fdtable *fdt;
44097 long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
44098
44099 + pax_track_stack();
44100 +
44101 if (n < 0)
44102 goto out_nofds;
44103
44104 @@ -2151,7 +2243,7 @@ asmlinkage long compat_sys_nfsservctl(in
44105 oldfs = get_fs();
44106 set_fs(KERNEL_DS);
44107 /* The __user pointer casts are valid because of the set_fs() */
44108 - err = sys_nfsservctl(cmd, (void __user *) karg, (void __user *) kres);
44109 + err = sys_nfsservctl(cmd, (void __force_user *) karg, (void __force_user *) kres);
44110 set_fs(oldfs);
44111
44112 if (err)
44113 diff -urNp linux-2.6.32.46/fs/compat_ioctl.c linux-2.6.32.46/fs/compat_ioctl.c
44114 --- linux-2.6.32.46/fs/compat_ioctl.c 2011-03-27 14:31:47.000000000 -0400
44115 +++ linux-2.6.32.46/fs/compat_ioctl.c 2011-10-06 09:37:14.000000000 -0400
44116 @@ -234,6 +234,8 @@ static int do_video_set_spu_palette(unsi
44117 up = (struct compat_video_spu_palette __user *) arg;
44118 err = get_user(palp, &up->palette);
44119 err |= get_user(length, &up->length);
44120 + if (err)
44121 + return -EFAULT;
44122
44123 up_native = compat_alloc_user_space(sizeof(struct video_spu_palette));
44124 err = put_user(compat_ptr(palp), &up_native->palette);
44125 @@ -1513,7 +1515,7 @@ static int serial_struct_ioctl(unsigned
44126 return -EFAULT;
44127 if (__get_user(udata, &ss32->iomem_base))
44128 return -EFAULT;
44129 - ss.iomem_base = compat_ptr(udata);
44130 + ss.iomem_base = (unsigned char __force_kernel *)compat_ptr(udata);
44131 if (__get_user(ss.iomem_reg_shift, &ss32->iomem_reg_shift) ||
44132 __get_user(ss.port_high, &ss32->port_high))
44133 return -EFAULT;
44134 @@ -1809,7 +1811,7 @@ static int compat_ioctl_preallocate(stru
44135 copy_in_user(&p->l_len, &p32->l_len, sizeof(s64)) ||
44136 copy_in_user(&p->l_sysid, &p32->l_sysid, sizeof(s32)) ||
44137 copy_in_user(&p->l_pid, &p32->l_pid, sizeof(u32)) ||
44138 - copy_in_user(&p->l_pad, &p32->l_pad, 4*sizeof(u32)))
44139 + copy_in_user(p->l_pad, &p32->l_pad, 4*sizeof(u32)))
44140 return -EFAULT;
44141
44142 return ioctl_preallocate(file, p);
44143 diff -urNp linux-2.6.32.46/fs/configfs/dir.c linux-2.6.32.46/fs/configfs/dir.c
44144 --- linux-2.6.32.46/fs/configfs/dir.c 2011-03-27 14:31:47.000000000 -0400
44145 +++ linux-2.6.32.46/fs/configfs/dir.c 2011-05-11 18:25:15.000000000 -0400
44146 @@ -1572,7 +1572,8 @@ static int configfs_readdir(struct file
44147 }
44148 for (p=q->next; p!= &parent_sd->s_children; p=p->next) {
44149 struct configfs_dirent *next;
44150 - const char * name;
44151 + const unsigned char * name;
44152 + char d_name[sizeof(next->s_dentry->d_iname)];
44153 int len;
44154
44155 next = list_entry(p, struct configfs_dirent,
44156 @@ -1581,7 +1582,12 @@ static int configfs_readdir(struct file
44157 continue;
44158
44159 name = configfs_get_name(next);
44160 - len = strlen(name);
44161 + if (next->s_dentry && name == next->s_dentry->d_iname) {
44162 + len = next->s_dentry->d_name.len;
44163 + memcpy(d_name, name, len);
44164 + name = d_name;
44165 + } else
44166 + len = strlen(name);
44167 if (next->s_dentry)
44168 ino = next->s_dentry->d_inode->i_ino;
44169 else
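Review bot: The `memcpy(d_name, name, len)` added to configfs_readdir takes `len` from `next->s_dentry->d_name.len` and never compares it with `sizeof(d_name)`. The pointer test `name == next->s_dentry->d_iname` implies the name is stored inline and so should fit, but the hunk does not enforce that. A guard before the copy, for example `if (len >= sizeof(d_name)) len = sizeof(d_name) - 1;`, would make the bound explicit. The hunk also does not say why the inline name has to be copied to the stack before it is handed on, which deserves a one-line comment. The loop body continues outside the hunk.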
44170 diff -urNp linux-2.6.32.46/fs/dcache.c linux-2.6.32.46/fs/dcache.c
44171 --- linux-2.6.32.46/fs/dcache.c 2011-03-27 14:31:47.000000000 -0400
44172 +++ linux-2.6.32.46/fs/dcache.c 2011-04-23 13:32:21.000000000 -0400
44173 @@ -45,8 +45,6 @@ EXPORT_SYMBOL(dcache_lock);
44174
44175 static struct kmem_cache *dentry_cache __read_mostly;
44176
44177 -#define DNAME_INLINE_LEN (sizeof(struct dentry)-offsetof(struct dentry,d_iname))
44178 -
44179 /*
44180 * This is the single most critical data structure when it comes
44181 * to the dcache: the hashtable for lookups. Somebody should try
44182 @@ -2319,7 +2317,7 @@ void __init vfs_caches_init(unsigned lon
44183 mempages -= reserve;
44184
44185 names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
44186 - SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
44187 + SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_USERCOPY, NULL);
44188
44189 dcache_init();
44190 inode_init();
44191 diff -urNp linux-2.6.32.46/fs/dlm/lockspace.c linux-2.6.32.46/fs/dlm/lockspace.c
44192 --- linux-2.6.32.46/fs/dlm/lockspace.c 2011-03-27 14:31:47.000000000 -0400
44193 +++ linux-2.6.32.46/fs/dlm/lockspace.c 2011-04-17 15:56:46.000000000 -0400
44194 @@ -148,7 +148,7 @@ static void lockspace_kobj_release(struc
44195 kfree(ls);
44196 }
44197
44198 -static struct sysfs_ops dlm_attr_ops = {
44199 +static const struct sysfs_ops dlm_attr_ops = {
44200 .show = dlm_attr_show,
44201 .store = dlm_attr_store,
44202 };
44203 diff -urNp linux-2.6.32.46/fs/ecryptfs/inode.c linux-2.6.32.46/fs/ecryptfs/inode.c
44204 --- linux-2.6.32.46/fs/ecryptfs/inode.c 2011-03-27 14:31:47.000000000 -0400
44205 +++ linux-2.6.32.46/fs/ecryptfs/inode.c 2011-10-06 09:37:14.000000000 -0400
44206 @@ -660,7 +660,7 @@ static int ecryptfs_readlink_lower(struc
44207 old_fs = get_fs();
44208 set_fs(get_ds());
44209 rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
44210 - (char __user *)lower_buf,
44211 + (char __force_user *)lower_buf,
44212 lower_bufsiz);
44213 set_fs(old_fs);
44214 if (rc < 0)
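Review bot: The two readlink casts in this file are spelled differently: `(char __force_user *)lower_buf` here in ecryptfs_readlink_lower and `(__force char __user *)buf` in the ecryptfs_follow_link hunk below. If `__force_user` is the patch's shorthand for `__force __user` (its definition is not in view), both sites should use it, e.g. `(char __force_user *)buf`. A search for one spelling would then find every kernel-buffer-as-user-pointer cast made under `set_fs(get_ds())`. The same mix appears in fs/exec.c, where copy_strings_kernel uses `(__force char __user * __user *)argv` and kernel_read uses `(void __force_user *)addr`.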
44215 @@ -706,7 +706,7 @@ static void *ecryptfs_follow_link(struct
44216 }
44217 old_fs = get_fs();
44218 set_fs(get_ds());
44219 - rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
44220 + rc = dentry->d_inode->i_op->readlink(dentry, (__force char __user *)buf, len);
44221 set_fs(old_fs);
44222 if (rc < 0)
44223 goto out_free;
44224 diff -urNp linux-2.6.32.46/fs/exec.c linux-2.6.32.46/fs/exec.c
44225 --- linux-2.6.32.46/fs/exec.c 2011-06-25 12:55:34.000000000 -0400
44226 +++ linux-2.6.32.46/fs/exec.c 2011-10-06 09:37:14.000000000 -0400
44227 @@ -56,12 +56,24 @@
44228 #include <linux/fsnotify.h>
44229 #include <linux/fs_struct.h>
44230 #include <linux/pipe_fs_i.h>
44231 +#include <linux/random.h>
44232 +#include <linux/seq_file.h>
44233 +
44234 +#ifdef CONFIG_PAX_REFCOUNT
44235 +#include <linux/kallsyms.h>
44236 +#include <linux/kdebug.h>
44237 +#endif
44238
44239 #include <asm/uaccess.h>
44240 #include <asm/mmu_context.h>
44241 #include <asm/tlb.h>
44242 #include "internal.h"
44243
44244 +#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
44245 +void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
44246 +EXPORT_SYMBOL(pax_set_initial_flags_func);
44247 +#endif
44248 +
44249 int core_uses_pid;
44250 char core_pattern[CORENAME_MAX_SIZE] = "core";
44251 unsigned int core_pipe_limit;
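Review bot: `pax_set_initial_flags_func` is added as an exported, writable global function pointer with no comment on who assigns it, when, or how readers are synchronised with the writer. Its call site is not in this hunk, but the name suggests it runs during exec to choose a task's PaX flags, so an unexpected value would be called in kernel context. A comment above the declaration should state which code is expected to set it, whether NULL is a valid value, and whether it may change after initialisation.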
44252 @@ -115,7 +127,7 @@ SYSCALL_DEFINE1(uselib, const char __use
44253 goto out;
44254
44255 file = do_filp_open(AT_FDCWD, tmp,
44256 - O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
44257 + O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
44258 MAY_READ | MAY_EXEC | MAY_OPEN);
44259 putname(tmp);
44260 error = PTR_ERR(file);
44261 @@ -178,18 +190,10 @@ struct page *get_arg_page(struct linux_b
44262 int write)
44263 {
44264 struct page *page;
44265 - int ret;
44266
44267 -#ifdef CONFIG_STACK_GROWSUP
44268 - if (write) {
44269 - ret = expand_stack_downwards(bprm->vma, pos);
44270 - if (ret < 0)
44271 - return NULL;
44272 - }
44273 -#endif
44274 - ret = get_user_pages(current, bprm->mm, pos,
44275 - 1, write, 1, &page, NULL);
44276 - if (ret <= 0)
44277 + if (0 > expand_stack_downwards(bprm->vma, pos))
44278 + return NULL;
44279 + if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
44280 return NULL;
44281
44282 if (write) {
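Review bot: The two new tests are written constant-first, `if (0 > expand_stack_downwards(bprm->vma, pos))` and `if (0 >= get_user_pages(...))`, which reads against the style of the surrounding code. `if (expand_stack_downwards(bprm->vma, pos) < 0)` and `if (get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL) <= 0)` say the same thing. The rewrite also calls expand_stack_downwards() on every invocation, where the old code did so only for `write` under CONFIG_STACK_GROWSUP; a one-line comment stating why the guard was dropped would help the next reader. get_arg_page starts and ends outside the hunk.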
44283 @@ -263,6 +267,11 @@ static int __bprm_mm_init(struct linux_b
44284 vma->vm_end = STACK_TOP_MAX;
44285 vma->vm_start = vma->vm_end - PAGE_SIZE;
44286 vma->vm_flags = VM_STACK_FLAGS;
44287 +
44288 +#ifdef CONFIG_PAX_SEGMEXEC
44289 + vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
44290 +#endif
44291 +
44292 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
44293
44294 err = security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1);
44295 @@ -276,6 +285,12 @@ static int __bprm_mm_init(struct linux_b
44296 mm->stack_vm = mm->total_vm = 1;
44297 up_write(&mm->mmap_sem);
44298 bprm->p = vma->vm_end - sizeof(void *);
44299 +
44300 +#ifdef CONFIG_PAX_RANDUSTACK
44301 + if (randomize_va_space)
44302 + bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
44303 +#endif
44304 +
44305 return 0;
44306 err:
44307 up_write(&mm->mmap_sem);
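Review bot: The expression `(pax_get_random_long() & ~15) & ~PAGE_MASK` has no comment explaining its two masks. As written it keeps only the random bits from bit 4 up to PAGE_SHIFT, so the initial `bprm->p` moves within the top stack page in 16-byte steps, which is 8 bits of variation with 4 KiB pages. A comment such as `/* randomize the offset within the page; the low 4 bits stay as set above */` would spare the reader the derivation and make clear that any larger stack shift is applied elsewhere. __bprm_mm_init starts outside the hunk.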
44308 @@ -510,7 +525,7 @@ int copy_strings_kernel(int argc,char **
44309 int r;
44310 mm_segment_t oldfs = get_fs();
44311 set_fs(KERNEL_DS);
44312 - r = copy_strings(argc, (char __user * __user *)argv, bprm);
44313 + r = copy_strings(argc, (__force char __user * __user *)argv, bprm);
44314 set_fs(oldfs);
44315 return r;
44316 }
44317 @@ -540,7 +555,8 @@ static int shift_arg_pages(struct vm_are
44318 unsigned long new_end = old_end - shift;
44319 struct mmu_gather *tlb;
44320
44321 - BUG_ON(new_start > new_end);
44322 + if (new_start >= new_end || new_start < mmap_min_addr)
44323 + return -ENOMEM;
44324
44325 /*
44326 * ensure there are no vmas between where we want to go
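Review bot: The test that replaces `BUG_ON(new_start > new_end)` now also carries the `mmap_min_addr` check that the setup_arg_pages hunk (@@ -630,10) deletes, but nothing in the code says so. It also runs later than the deleted check did. By the time shift_arg_pages() can return -ENOMEM, setup_arg_pages has already subtracted `stack_shift` from `bprm->p` and `bprm->exec`. That is presumably harmless because the exec is abandoned, but it is worth confirming. A comment such as `/* reject an empty or inverted range and a stack that would start below mmap_min_addr */` would record the intent; the declaration of `new_start` is outside the hunk.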
44327 @@ -549,6 +565,10 @@ static int shift_arg_pages(struct vm_are
44328 if (vma != find_vma(mm, new_start))
44329 return -EFAULT;
44330
44331 +#ifdef CONFIG_PAX_SEGMEXEC
44332 + BUG_ON(pax_find_mirror_vma(vma));
44333 +#endif
44334 +
44335 /*
44336 * cover the whole range: [new_start, old_end)
44337 */
44338 @@ -630,10 +650,6 @@ int setup_arg_pages(struct linux_binprm
44339 stack_top = arch_align_stack(stack_top);
44340 stack_top = PAGE_ALIGN(stack_top);
44341
44342 - if (unlikely(stack_top < mmap_min_addr) ||
44343 - unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
44344 - return -ENOMEM;
44345 -
44346 stack_shift = vma->vm_end - stack_top;
44347
44348 bprm->p -= stack_shift;
44349 @@ -645,6 +661,14 @@ int setup_arg_pages(struct linux_binprm
44350 bprm->exec -= stack_shift;
44351
44352 down_write(&mm->mmap_sem);
44353 +
44354 + /* Move stack pages down in memory. */
44355 + if (stack_shift) {
44356 + ret = shift_arg_pages(vma, stack_shift);
44357 + if (ret)
44358 + goto out_unlock;
44359 + }
44360 +
44361 vm_flags = VM_STACK_FLAGS;
44362
44363 /*
44364 @@ -658,19 +682,24 @@ int setup_arg_pages(struct linux_binprm
44365 vm_flags &= ~VM_EXEC;
44366 vm_flags |= mm->def_flags;
44367
44368 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
44369 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
44370 + vm_flags &= ~VM_EXEC;
44371 +
44372 +#ifdef CONFIG_PAX_MPROTECT
44373 + if (mm->pax_flags & MF_PAX_MPROTECT)
44374 + vm_flags &= ~VM_MAYEXEC;
44375 +#endif
44376 +
44377 + }
44378 +#endif
44379 +
44380 ret = mprotect_fixup(vma, &prev, vma->vm_start, vma->vm_end,
44381 vm_flags);
44382 if (ret)
44383 goto out_unlock;
44384 BUG_ON(prev != vma);
44385
44386 - /* Move stack pages down in memory. */
44387 - if (stack_shift) {
44388 - ret = shift_arg_pages(vma, stack_shift);
44389 - if (ret)
44390 - goto out_unlock;
44391 - }
44392 -
44393 stack_expand = EXTRA_STACK_VM_PAGES * PAGE_SIZE;
44394 stack_size = vma->vm_end - vma->vm_start;
44395 /*
44396 @@ -707,7 +736,7 @@ struct file *open_exec(const char *name)
44397 int err;
44398
44399 file = do_filp_open(AT_FDCWD, name,
44400 - O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
44401 + O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
44402 MAY_EXEC | MAY_OPEN);
44403 if (IS_ERR(file))
44404 goto out;
44405 @@ -744,7 +773,7 @@ int kernel_read(struct file *file, loff_
44406 old_fs = get_fs();
44407 set_fs(get_ds());
44408 /* The cast to a user pointer is valid due to the set_fs() */
44409 - result = vfs_read(file, (void __user *)addr, count, &pos);
44410 + result = vfs_read(file, (void __force_user *)addr, count, &pos);
44411 set_fs(old_fs);
44412 return result;
44413 }
44414 @@ -1152,7 +1181,7 @@ int check_unsafe_exec(struct linux_binpr
44415 }
44416 rcu_read_unlock();
44417
44418 - if (p->fs->users > n_fs) {
44419 + if (atomic_read(&p->fs->users) > n_fs) {
44420 bprm->unsafe |= LSM_UNSAFE_SHARE;
44421 } else {
44422 res = -EAGAIN;
44423 @@ -1347,11 +1376,35 @@ int do_execve(char * filename,
44424 char __user *__user *envp,
44425 struct pt_regs * regs)
44426 {
44427 +#ifdef CONFIG_GRKERNSEC
44428 + struct file *old_exec_file;
44429 + struct acl_subject_label *old_acl;
44430 + struct rlimit old_rlim[RLIM_NLIMITS];
44431 +#endif
44432 struct linux_binprm *bprm;
44433 struct file *file;
44434 struct files_struct *displaced;
44435 bool clear_in_exec;
44436 int retval;
44437 + const struct cred *cred = current_cred();
44438 +
44439 + /*
44440 + * We move the actual failure in case of RLIMIT_NPROC excess from
44441 + * set*uid() to execve() because too many poorly written programs
44442 + * don't check setuid() return code. Here we additionally recheck
44443 + * whether NPROC limit is still exceeded.
44444 + */
44445 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
44446 +
44447 + if ((current->flags & PF_NPROC_EXCEEDED) &&
44448 + atomic_read(&cred->user->processes) > current->signal->rlim[RLIMIT_NPROC].rlim_cur) {
44449 + retval = -EAGAIN;
44450 + goto out_ret;
44451 + }
44452 +
44453 + /* We're below the limit (still or again), so we don't want to make
44454 + * further execve() calls fail. */
44455 + current->flags &= ~PF_NPROC_EXCEEDED;
44456
44457 retval = unshare_files(&displaced);
44458 if (retval)
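Review bot: The process count is read through two different credential expressions a few lines apart: `atomic_read(&current->cred->user->processes)` in the gr_learn_resource() call and `atomic_read(&cred->user->processes)` in the limit test, where `cred` is the `current_cred()` value declared above. Using the local in both places, `gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&cred->user->processes), 1);`, makes it obvious that the learned value and the enforced value come from the same credentials. do_execve continues outside the hunk.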
44459 @@ -1383,6 +1436,16 @@ int do_execve(char * filename,
44460 bprm->filename = filename;
44461 bprm->interp = filename;
44462
44463 + if (gr_process_user_ban()) {
44464 + retval = -EPERM;
44465 + goto out_file;
44466 + }
44467 +
44468 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
44469 + retval = -EACCES;
44470 + goto out_file;
44471 + }
44472 +
44473 retval = bprm_mm_init(bprm);
44474 if (retval)
44475 goto out_file;
44476 @@ -1412,10 +1475,41 @@ int do_execve(char * filename,
44477 if (retval < 0)
44478 goto out;
44479
44480 + if (!gr_tpe_allow(file)) {
44481 + retval = -EACCES;
44482 + goto out;
44483 + }
44484 +
44485 + if (gr_check_crash_exec(file)) {
44486 + retval = -EACCES;
44487 + goto out;
44488 + }
44489 +
44490 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
44491 +
44492 + gr_handle_exec_args(bprm, (const char __user *const __user *)argv);
44493 +
44494 +#ifdef CONFIG_GRKERNSEC
44495 + old_acl = current->acl;
44496 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
44497 + old_exec_file = current->exec_file;
44498 + get_file(file);
44499 + current->exec_file = file;
44500 +#endif
44501 +
44502 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
44503 + bprm->unsafe & LSM_UNSAFE_SHARE);
44504 + if (retval < 0)
44505 + goto out_fail;
44506 +
44507 current->flags &= ~PF_KTHREAD;
44508 retval = search_binary_handler(bprm,regs);
44509 if (retval < 0)
44510 - goto out;
44511 + goto out_fail;
44512 +#ifdef CONFIG_GRKERNSEC
44513 + if (old_exec_file)
44514 + fput(old_exec_file);
44515 +#endif
44516
44517 /* execve succeeded */
44518 current->fs->in_exec = 0;
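Review bot: The snapshot taken here with `memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim))` is written back by a bare `memcpy()` at out_fail (hunk @@ -1426,6), and no lock is visible around either copy. `signal->rlim` is shared by the whole thread group, so if a sibling thread changes a limit between the snapshot and a failed exec, the restore would silently undo that change. Confirm whether that window can occur before the other threads are gone, and take the lock the limit-setting path uses if it can. The `get_file(file)` / `fput()` pairing on `current->exec_file` also needs a comment stating that the new reference is dropped at out_fail and the old one only on success.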
44519 @@ -1426,6 +1520,14 @@ int do_execve(char * filename,
44520 put_files_struct(displaced);
44521 return retval;
44522
44523 +out_fail:
44524 +#ifdef CONFIG_GRKERNSEC
44525 + current->acl = old_acl;
44526 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
44527 + fput(current->exec_file);
44528 + current->exec_file = old_exec_file;
44529 +#endif
44530 +
44531 out:
44532 if (bprm->mm) {
44533 acct_arg_size(bprm, 0);
44534 @@ -1591,6 +1693,220 @@ out:
44535 return ispipe;
44536 }
44537
44538 +int pax_check_flags(unsigned long *flags)
44539 +{
44540 + int retval = 0;
44541 +
44542 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
44543 + if (*flags & MF_PAX_SEGMEXEC)
44544 + {
44545 + *flags &= ~MF_PAX_SEGMEXEC;
44546 + retval = -EINVAL;
44547 + }
44548 +#endif
44549 +
44550 + if ((*flags & MF_PAX_PAGEEXEC)
44551 +
44552 +#ifdef CONFIG_PAX_PAGEEXEC
44553 + && (*flags & MF_PAX_SEGMEXEC)
44554 +#endif
44555 +
44556 + )
44557 + {
44558 + *flags &= ~MF_PAX_PAGEEXEC;
44559 + retval = -EINVAL;
44560 + }
44561 +
44562 + if ((*flags & MF_PAX_MPROTECT)
44563 +
44564 +#ifdef CONFIG_PAX_MPROTECT
44565 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
44566 +#endif
44567 +
44568 + )
44569 + {
44570 + *flags &= ~MF_PAX_MPROTECT;
44571 + retval = -EINVAL;
44572 + }
44573 +
44574 + if ((*flags & MF_PAX_EMUTRAMP)
44575 +
44576 +#ifdef CONFIG_PAX_EMUTRAMP
44577 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
44578 +#endif
44579 +
44580 + )
44581 + {
44582 + *flags &= ~MF_PAX_EMUTRAMP;
44583 + retval = -EINVAL;
44584 + }
44585 +
44586 + return retval;
44587 +}
44588 +
44589 +EXPORT_SYMBOL(pax_check_flags);
44590 +
44591 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
44592 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
44593 +{
44594 + struct task_struct *tsk = current;
44595 + struct mm_struct *mm = current->mm;
44596 + char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
44597 + char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
44598 + char *path_exec = NULL;
44599 + char *path_fault = NULL;
44600 + unsigned long start = 0UL, end = 0UL, offset = 0UL;
44601 +
44602 + if (buffer_exec && buffer_fault) {
44603 + struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
44604 +
44605 + down_read(&mm->mmap_sem);
44606 + vma = mm->mmap;
44607 + while (vma && (!vma_exec || !vma_fault)) {
44608 + if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
44609 + vma_exec = vma;
44610 + if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
44611 + vma_fault = vma;
44612 + vma = vma->vm_next;
44613 + }
44614 + if (vma_exec) {
44615 + path_exec = d_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
44616 + if (IS_ERR(path_exec))
44617 + path_exec = "<path too long>";
44618 + else {
44619 + path_exec = mangle_path(buffer_exec, path_exec, "\t\n\\");
44620 + if (path_exec) {
44621 + *path_exec = 0;
44622 + path_exec = buffer_exec;
44623 + } else
44624 + path_exec = "<path too long>";
44625 + }
44626 + }
44627 + if (vma_fault) {
44628 + start = vma_fault->vm_start;
44629 + end = vma_fault->vm_end;
44630 + offset = vma_fault->vm_pgoff << PAGE_SHIFT;
44631 + if (vma_fault->vm_file) {
44632 + path_fault = d_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
44633 + if (IS_ERR(path_fault))
44634 + path_fault = "<path too long>";
44635 + else {
44636 + path_fault = mangle_path(buffer_fault, path_fault, "\t\n\\");
44637 + if (path_fault) {
44638 + *path_fault = 0;
44639 + path_fault = buffer_fault;
44640 + } else
44641 + path_fault = "<path too long>";
44642 + }
44643 + } else
44644 + path_fault = "<anonymous mapping>";
44645 + }
44646 + up_read(&mm->mmap_sem);
44647 + }
44648 + if (tsk->signal->curr_ip)
44649 + printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
44650 + else
44651 + printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
44652 + printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
44653 + "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
44654 + task_uid(tsk), task_euid(tsk), pc, sp);
44655 + free_page((unsigned long)buffer_exec);
44656 + free_page((unsigned long)buffer_fault);
44657 + pax_report_insns(pc, sp);
44658 + do_coredump(SIGKILL, SIGKILL, regs);
44659 +}
44660 +#endif
44661 +
44662 +#ifdef CONFIG_PAX_REFCOUNT
44663 +void pax_report_refcount_overflow(struct pt_regs *regs)
44664 +{
44665 + if (current->signal->curr_ip)
44666 + printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
44667 + &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
44668 + else
44669 + printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
44670 + current->comm, task_pid_nr(current), current_uid(), current_euid());
44671 + print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
44672 + show_regs(regs);
44673 + force_sig_specific(SIGKILL, current);
44674 +}
44675 +#endif
44676 +
44677 +#ifdef CONFIG_PAX_USERCOPY
44678 +/* 0: not at all, 1: fully, 2: fully inside frame, -1: partially (implies an error) */
44679 +int object_is_on_stack(const void *obj, unsigned long len)
44680 +{
44681 + const void * const stack = task_stack_page(current);
44682 + const void * const stackend = stack + THREAD_SIZE;
44683 +
44684 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
44685 + const void *frame = NULL;
44686 + const void *oldframe;
44687 +#endif
44688 +
44689 + if (obj + len < obj)
44690 + return -1;
44691 +
44692 + if (obj + len <= stack || stackend <= obj)
44693 + return 0;
44694 +
44695 + if (obj < stack || stackend < obj + len)
44696 + return -1;
44697 +
44698 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
44699 + oldframe = __builtin_frame_address(1);
44700 + if (oldframe)
44701 + frame = __builtin_frame_address(2);
44702 + /*
44703 + low ----------------------------------------------> high
44704 + [saved bp][saved ip][args][local vars][saved bp][saved ip]
44705 + ^----------------^
44706 + allow copies only within here
44707 + */
44708 + while (stack <= frame && frame < stackend) {
44709 + /* if obj + len extends past the last frame, this
44710 + check won't pass and the next frame will be 0,
44711 + causing us to bail out and correctly report
44712 + the copy as invalid
44713 + */
44714 + if (obj + len <= frame)
44715 + return obj >= oldframe + 2 * sizeof(void *) ? 2 : -1;
44716 + oldframe = frame;
44717 + frame = *(const void * const *)frame;
44718 + }
44719 + return -1;
44720 +#else
44721 + return 1;
44722 +#endif
44723 +}
44724 +
44725 +
44726 +NORET_TYPE void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type)
44727 +{
44728 + if (current->signal->curr_ip)
44729 + printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
44730 + &current->signal->curr_ip, to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
44731 + else
44732 + printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
44733 + to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
44734 +
44735 + dump_stack();
44736 + gr_handle_kernel_exploit();
44737 + do_group_exit(SIGKILL);
44738 +}
44739 +#endif
44740 +
44741 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
44742 +void pax_track_stack(void)
44743 +{
44744 + unsigned long sp = (unsigned long)&sp;
44745 + if (sp < current_thread_info()->lowest_stack &&
44746 + sp > (unsigned long)task_stack_page(current))
44747 + current_thread_info()->lowest_stack = sp;
44748 +}
44749 +EXPORT_SYMBOL(pax_track_stack);
44750 +#endif
44751 +
44752 static int zap_process(struct task_struct *start)
44753 {
44754 struct task_struct *t;
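Review bot: The wrap test `if (obj + len < obj)` in object_is_on_stack does arithmetic on `const void *`. Overflow past the end of the address space is undefined for pointers in C, so a compiler may treat the condition as always false unless the build flags (not in view) forbid it. Comparing as integers avoids depending on that: `if ((unsigned long)obj + len < (unsigned long)obj) return -1;`. In the frame-pointer walk, the `while` condition only checks that `frame` lies inside the stack, not that it moves upward. A saved frame pointer that points at itself or backwards would keep the loop spinning; adding `&& oldframe < frame` to the condition bounds the walk.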
44755 @@ -1793,17 +2109,17 @@ static void wait_for_dump_helpers(struct
44756 pipe = file->f_path.dentry->d_inode->i_pipe;
44757
44758 pipe_lock(pipe);
44759 - pipe->readers++;
44760 - pipe->writers--;
44761 + atomic_inc(&pipe->readers);
44762 + atomic_dec(&pipe->writers);
44763
44764 - while ((pipe->readers > 1) && (!signal_pending(current))) {
44765 + while ((atomic_read(&pipe->readers) > 1) && (!signal_pending(current))) {
44766 wake_up_interruptible_sync(&pipe->wait);
44767 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
44768 pipe_wait(pipe);
44769 }
44770
44771 - pipe->readers--;
44772 - pipe->writers++;
44773 + atomic_dec(&pipe->readers);
44774 + atomic_inc(&pipe->writers);
44775 pipe_unlock(pipe);
44776
44777 }
44778 @@ -1826,10 +2142,13 @@ void do_coredump(long signr, int exit_co
44779 char **helper_argv = NULL;
44780 int helper_argc = 0;
44781 int dump_count = 0;
44782 - static atomic_t core_dump_count = ATOMIC_INIT(0);
44783 + static atomic_unchecked_t core_dump_count = ATOMIC_INIT(0);
44784
44785 audit_core_dumps(signr);
44786
44787 + if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL)
44788 + gr_handle_brute_attach(current, mm->flags);
44789 +
44790 binfmt = mm->binfmt;
44791 if (!binfmt || !binfmt->core_dump)
44792 goto fail;
44793 @@ -1874,6 +2193,8 @@ void do_coredump(long signr, int exit_co
44794 */
44795 clear_thread_flag(TIF_SIGPENDING);
44796
44797 + gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
44798 +
44799 /*
44800 * lock_kernel() because format_corename() is controlled by sysctl, which
44801 * uses lock_kernel()
44802 @@ -1908,7 +2229,7 @@ void do_coredump(long signr, int exit_co
44803 goto fail_unlock;
44804 }
44805
44806 - dump_count = atomic_inc_return(&core_dump_count);
44807 + dump_count = atomic_inc_return_unchecked(&core_dump_count);
44808 if (core_pipe_limit && (core_pipe_limit < dump_count)) {
44809 printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
44810 task_tgid_vnr(current), current->comm);
44811 @@ -1972,7 +2293,7 @@ close_fail:
44812 filp_close(file, NULL);
44813 fail_dropcount:
44814 if (dump_count)
44815 - atomic_dec(&core_dump_count);
44816 + atomic_dec_unchecked(&core_dump_count);
44817 fail_unlock:
44818 if (helper_argv)
44819 argv_free(helper_argv);
44820 diff -urNp linux-2.6.32.46/fs/ext2/balloc.c linux-2.6.32.46/fs/ext2/balloc.c
44821 --- linux-2.6.32.46/fs/ext2/balloc.c 2011-03-27 14:31:47.000000000 -0400
44822 +++ linux-2.6.32.46/fs/ext2/balloc.c 2011-04-17 15:56:46.000000000 -0400
44823 @@ -1192,7 +1192,7 @@ static int ext2_has_free_blocks(struct e
44824
44825 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
44826 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
44827 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
44828 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
44829 sbi->s_resuid != current_fsuid() &&
44830 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
44831 return 0;
44832 diff -urNp linux-2.6.32.46/fs/ext3/balloc.c linux-2.6.32.46/fs/ext3/balloc.c
44833 --- linux-2.6.32.46/fs/ext3/balloc.c 2011-03-27 14:31:47.000000000 -0400
44834 +++ linux-2.6.32.46/fs/ext3/balloc.c 2011-04-17 15:56:46.000000000 -0400
44835 @@ -1421,7 +1421,7 @@ static int ext3_has_free_blocks(struct e
44836
44837 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
44838 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
44839 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
44840 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
44841 sbi->s_resuid != current_fsuid() &&
44842 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
44843 return 0;
44844 diff -urNp linux-2.6.32.46/fs/ext4/balloc.c linux-2.6.32.46/fs/ext4/balloc.c
44845 --- linux-2.6.32.46/fs/ext4/balloc.c 2011-03-27 14:31:47.000000000 -0400
44846 +++ linux-2.6.32.46/fs/ext4/balloc.c 2011-04-17 15:56:46.000000000 -0400
44847 @@ -570,7 +570,7 @@ int ext4_has_free_blocks(struct ext4_sb_
44848 /* Hm, nope. Are (enough) root reserved blocks available? */
44849 if (sbi->s_resuid == current_fsuid() ||
44850 ((sbi->s_resgid != 0) && in_group_p(sbi->s_resgid)) ||
44851 - capable(CAP_SYS_RESOURCE)) {
44852 + capable_nolog(CAP_SYS_RESOURCE)) {
44853 if (free_blocks >= (nblocks + dirty_blocks))
44854 return 1;
44855 }
44856 diff -urNp linux-2.6.32.46/fs/ext4/ext4.h linux-2.6.32.46/fs/ext4/ext4.h
44857 --- linux-2.6.32.46/fs/ext4/ext4.h 2011-03-27 14:31:47.000000000 -0400
44858 +++ linux-2.6.32.46/fs/ext4/ext4.h 2011-04-17 15:56:46.000000000 -0400
44859 @@ -1078,19 +1078,19 @@ struct ext4_sb_info {
44860
44861 /* stats for buddy allocator */
44862 spinlock_t s_mb_pa_lock;
44863 - atomic_t s_bal_reqs; /* number of reqs with len > 1 */
44864 - atomic_t s_bal_success; /* we found long enough chunks */
44865 - atomic_t s_bal_allocated; /* in blocks */
44866 - atomic_t s_bal_ex_scanned; /* total extents scanned */
44867 - atomic_t s_bal_goals; /* goal hits */
44868 - atomic_t s_bal_breaks; /* too long searches */
44869 - atomic_t s_bal_2orders; /* 2^order hits */
44870 + atomic_unchecked_t s_bal_reqs; /* number of reqs with len > 1 */
44871 + atomic_unchecked_t s_bal_success; /* we found long enough chunks */
44872 + atomic_unchecked_t s_bal_allocated; /* in blocks */
44873 + atomic_unchecked_t s_bal_ex_scanned; /* total extents scanned */
44874 + atomic_unchecked_t s_bal_goals; /* goal hits */
44875 + atomic_unchecked_t s_bal_breaks; /* too long searches */
44876 + atomic_unchecked_t s_bal_2orders; /* 2^order hits */
44877 spinlock_t s_bal_lock;
44878 unsigned long s_mb_buddies_generated;
44879 unsigned long long s_mb_generation_time;
44880 - atomic_t s_mb_lost_chunks;
44881 - atomic_t s_mb_preallocated;
44882 - atomic_t s_mb_discarded;
44883 + atomic_unchecked_t s_mb_lost_chunks;
44884 + atomic_unchecked_t s_mb_preallocated;
44885 + atomic_unchecked_t s_mb_discarded;
44886 atomic_t s_lock_busy;
44887
44888 /* locality groups */
44889 diff -urNp linux-2.6.32.46/fs/ext4/mballoc.c linux-2.6.32.46/fs/ext4/mballoc.c
44890 --- linux-2.6.32.46/fs/ext4/mballoc.c 2011-06-25 12:55:34.000000000 -0400
44891 +++ linux-2.6.32.46/fs/ext4/mballoc.c 2011-06-25 12:56:37.000000000 -0400
44892 @@ -1755,7 +1755,7 @@ void ext4_mb_simple_scan_group(struct ex
44893 BUG_ON(ac->ac_b_ex.fe_len != ac->ac_g_ex.fe_len);
44894
44895 if (EXT4_SB(sb)->s_mb_stats)
44896 - atomic_inc(&EXT4_SB(sb)->s_bal_2orders);
44897 + atomic_inc_unchecked(&EXT4_SB(sb)->s_bal_2orders);
44898
44899 break;
44900 }
44901 @@ -2131,7 +2131,7 @@ repeat:
44902 ac->ac_status = AC_STATUS_CONTINUE;
44903 ac->ac_flags |= EXT4_MB_HINT_FIRST;
44904 cr = 3;
44905 - atomic_inc(&sbi->s_mb_lost_chunks);
44906 + atomic_inc_unchecked(&sbi->s_mb_lost_chunks);
44907 goto repeat;
44908 }
44909 }
44910 @@ -2174,6 +2174,8 @@ static int ext4_mb_seq_groups_show(struc
44911 ext4_grpblk_t counters[16];
44912 } sg;
44913
44914 + pax_track_stack();
44915 +
44916 group--;
44917 if (group == 0)
44918 seq_printf(seq, "#%-5s: %-5s %-5s %-5s "
44919 @@ -2534,25 +2536,25 @@ int ext4_mb_release(struct super_block *
44920 if (sbi->s_mb_stats) {
44921 printk(KERN_INFO
44922 "EXT4-fs: mballoc: %u blocks %u reqs (%u success)\n",
44923 - atomic_read(&sbi->s_bal_allocated),
44924 - atomic_read(&sbi->s_bal_reqs),
44925 - atomic_read(&sbi->s_bal_success));
44926 + atomic_read_unchecked(&sbi->s_bal_allocated),
44927 + atomic_read_unchecked(&sbi->s_bal_reqs),
44928 + atomic_read_unchecked(&sbi->s_bal_success));
44929 printk(KERN_INFO
44930 "EXT4-fs: mballoc: %u extents scanned, %u goal hits, "
44931 "%u 2^N hits, %u breaks, %u lost\n",
44932 - atomic_read(&sbi->s_bal_ex_scanned),
44933 - atomic_read(&sbi->s_bal_goals),
44934 - atomic_read(&sbi->s_bal_2orders),
44935 - atomic_read(&sbi->s_bal_breaks),
44936 - atomic_read(&sbi->s_mb_lost_chunks));
44937 + atomic_read_unchecked(&sbi->s_bal_ex_scanned),
44938 + atomic_read_unchecked(&sbi->s_bal_goals),
44939 + atomic_read_unchecked(&sbi->s_bal_2orders),
44940 + atomic_read_unchecked(&sbi->s_bal_breaks),
44941 + atomic_read_unchecked(&sbi->s_mb_lost_chunks));
44942 printk(KERN_INFO
44943 "EXT4-fs: mballoc: %lu generated and it took %Lu\n",
44944 sbi->s_mb_buddies_generated++,
44945 sbi->s_mb_generation_time);
44946 printk(KERN_INFO
44947 "EXT4-fs: mballoc: %u preallocated, %u discarded\n",
44948 - atomic_read(&sbi->s_mb_preallocated),
44949 - atomic_read(&sbi->s_mb_discarded));
44950 + atomic_read_unchecked(&sbi->s_mb_preallocated),
44951 + atomic_read_unchecked(&sbi->s_mb_discarded));
44952 }
44953
44954 free_percpu(sbi->s_locality_groups);
44955 @@ -3034,16 +3036,16 @@ static void ext4_mb_collect_stats(struct
44956 struct ext4_sb_info *sbi = EXT4_SB(ac->ac_sb);
44957
44958 if (sbi->s_mb_stats && ac->ac_g_ex.fe_len > 1) {
44959 - atomic_inc(&sbi->s_bal_reqs);
44960 - atomic_add(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
44961 + atomic_inc_unchecked(&sbi->s_bal_reqs);
44962 + atomic_add_unchecked(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
44963 if (ac->ac_o_ex.fe_len >= ac->ac_g_ex.fe_len)
44964 - atomic_inc(&sbi->s_bal_success);
44965 - atomic_add(ac->ac_found, &sbi->s_bal_ex_scanned);
44966 + atomic_inc_unchecked(&sbi->s_bal_success);
44967 + atomic_add_unchecked(ac->ac_found, &sbi->s_bal_ex_scanned);
44968 if (ac->ac_g_ex.fe_start == ac->ac_b_ex.fe_start &&
44969 ac->ac_g_ex.fe_group == ac->ac_b_ex.fe_group)
44970 - atomic_inc(&sbi->s_bal_goals);
44971 + atomic_inc_unchecked(&sbi->s_bal_goals);
44972 if (ac->ac_found > sbi->s_mb_max_to_scan)
44973 - atomic_inc(&sbi->s_bal_breaks);
44974 + atomic_inc_unchecked(&sbi->s_bal_breaks);
44975 }
44976
44977 if (ac->ac_op == EXT4_MB_HISTORY_ALLOC)
44978 @@ -3443,7 +3445,7 @@ ext4_mb_new_inode_pa(struct ext4_allocat
44979 trace_ext4_mb_new_inode_pa(ac, pa);
44980
44981 ext4_mb_use_inode_pa(ac, pa);
44982 - atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
44983 + atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
44984
44985 ei = EXT4_I(ac->ac_inode);
44986 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
44987 @@ -3503,7 +3505,7 @@ ext4_mb_new_group_pa(struct ext4_allocat
44988 trace_ext4_mb_new_group_pa(ac, pa);
44989
44990 ext4_mb_use_group_pa(ac, pa);
44991 - atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
44992 + atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
44993
44994 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
44995 lg = ac->ac_lg;
44996 @@ -3607,7 +3609,7 @@ ext4_mb_release_inode_pa(struct ext4_bud
44997 * from the bitmap and continue.
44998 */
44999 }
45000 - atomic_add(free, &sbi->s_mb_discarded);
45001 + atomic_add_unchecked(free, &sbi->s_mb_discarded);
45002
45003 return err;
45004 }
45005 @@ -3626,7 +3628,7 @@ ext4_mb_release_group_pa(struct ext4_bud
45006 ext4_get_group_no_and_offset(sb, pa->pa_pstart, &group, &bit);
45007 BUG_ON(group != e4b->bd_group && pa->pa_len != 0);
45008 mb_free_blocks(pa->pa_inode, e4b, bit, pa->pa_len);
45009 - atomic_add(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
45010 + atomic_add_unchecked(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
45011
45012 if (ac) {
45013 ac->ac_sb = sb;
45014 diff -urNp linux-2.6.32.46/fs/ext4/super.c linux-2.6.32.46/fs/ext4/super.c
45015 --- linux-2.6.32.46/fs/ext4/super.c 2011-03-27 14:31:47.000000000 -0400
45016 +++ linux-2.6.32.46/fs/ext4/super.c 2011-04-17 15:56:46.000000000 -0400
45017 @@ -2287,7 +2287,7 @@ static void ext4_sb_release(struct kobje
45018 }
45019
45020
45021 -static struct sysfs_ops ext4_attr_ops = {
45022 +static const struct sysfs_ops ext4_attr_ops = {
45023 .show = ext4_attr_show,
45024 .store = ext4_attr_store,
45025 };
45026 diff -urNp linux-2.6.32.46/fs/fcntl.c linux-2.6.32.46/fs/fcntl.c
45027 --- linux-2.6.32.46/fs/fcntl.c 2011-03-27 14:31:47.000000000 -0400
45028 +++ linux-2.6.32.46/fs/fcntl.c 2011-10-06 09:37:14.000000000 -0400
45029 @@ -223,6 +223,11 @@ int __f_setown(struct file *filp, struct
45030 if (err)
45031 return err;
45032
45033 + if (gr_handle_chroot_fowner(pid, type))
45034 + return -ENOENT;
45035 + if (gr_check_protected_task_fowner(pid, type))
45036 + return -EACCES;
45037 +
45038 f_modown(filp, pid, type, force);
45039 return 0;
45040 }
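Review bot: The two checks added before `f_modown()` return different errnos (`-ENOENT` for `gr_handle_chroot_fowner`, `-EACCES` for `gr_check_protected_task_fowner`) and nothing at the call site says why. A short comment would help, for example `/* chroot: report the target as nonexistent; protected task: report a permission failure */`, assuming that is the intent; the helpers are not defined in this hunk. Neither check consults the `force` argument, so it is worth confirming that forced ownership changes are meant to be subject to them as well. `__f_setown` begins outside the hunk.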
45041 @@ -265,7 +270,7 @@ pid_t f_getown(struct file *filp)
45042
45043 static int f_setown_ex(struct file *filp, unsigned long arg)
45044 {
45045 - struct f_owner_ex * __user owner_p = (void * __user)arg;
45046 + struct f_owner_ex __user *owner_p = (void __user *)arg;
45047 struct f_owner_ex owner;
45048 struct pid *pid;
45049 int type;
45050 @@ -305,7 +310,7 @@ static int f_setown_ex(struct file *filp
45051
45052 static int f_getown_ex(struct file *filp, unsigned long arg)
45053 {
45054 - struct f_owner_ex * __user owner_p = (void * __user)arg;
45055 + struct f_owner_ex __user *owner_p = (void __user *)arg;
45056 struct f_owner_ex owner;
45057 int ret = 0;
45058
45059 @@ -344,6 +349,7 @@ static long do_fcntl(int fd, unsigned in
45060 switch (cmd) {
45061 case F_DUPFD:
45062 case F_DUPFD_CLOEXEC:
45063 + gr_learn_resource(current, RLIMIT_NOFILE, arg, 0);
45064 if (arg >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
45065 break;
45066 err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
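Review bot: `gr_learn_resource()` is handed the raw, caller-supplied `arg` before the `RLIMIT_NOFILE` comparison on the next line, so a request that is then rejected is recorded as well, and the trailing `0` is an unexplained literal. If recording the attempted value is the intent (the helper is not defined in this hunk), a comment would make that clear: `/* record the requested fd number for learning, even if the limit check below rejects it */`. The same call pattern appears in the `expand_files` hunk in fs/file.c. `do_fcntl` starts before and continues after the hunk.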
45067 diff -urNp linux-2.6.32.46/fs/fifo.c linux-2.6.32.46/fs/fifo.c
45068 --- linux-2.6.32.46/fs/fifo.c 2011-03-27 14:31:47.000000000 -0400
45069 +++ linux-2.6.32.46/fs/fifo.c 2011-04-17 15:56:46.000000000 -0400
45070 @@ -59,10 +59,10 @@ static int fifo_open(struct inode *inode
45071 */
45072 filp->f_op = &read_pipefifo_fops;
45073 pipe->r_counter++;
45074 - if (pipe->readers++ == 0)
45075 + if (atomic_inc_return(&pipe->readers) == 1)
45076 wake_up_partner(inode);
45077
45078 - if (!pipe->writers) {
45079 + if (!atomic_read(&pipe->writers)) {
45080 if ((filp->f_flags & O_NONBLOCK)) {
45081 /* suppress POLLHUP until we have
45082 * seen a writer */
45083 @@ -83,15 +83,15 @@ static int fifo_open(struct inode *inode
45084 * errno=ENXIO when there is no process reading the FIFO.
45085 */
45086 ret = -ENXIO;
45087 - if ((filp->f_flags & O_NONBLOCK) && !pipe->readers)
45088 + if ((filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
45089 goto err;
45090
45091 filp->f_op = &write_pipefifo_fops;
45092 pipe->w_counter++;
45093 - if (!pipe->writers++)
45094 + if (atomic_inc_return(&pipe->writers) == 1)
45095 wake_up_partner(inode);
45096
45097 - if (!pipe->readers) {
45098 + if (!atomic_read(&pipe->readers)) {
45099 wait_for_partner(inode, &pipe->r_counter);
45100 if (signal_pending(current))
45101 goto err_wr;
45102 @@ -107,11 +107,11 @@ static int fifo_open(struct inode *inode
45103 */
45104 filp->f_op = &rdwr_pipefifo_fops;
45105
45106 - pipe->readers++;
45107 - pipe->writers++;
45108 + atomic_inc(&pipe->readers);
45109 + atomic_inc(&pipe->writers);
45110 pipe->r_counter++;
45111 pipe->w_counter++;
45112 - if (pipe->readers == 1 || pipe->writers == 1)
45113 + if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
45114 wake_up_partner(inode);
45115 break;
45116
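Review bot: In the read/write open path the counters are bumped with `atomic_inc()` and then re-read with `atomic_read()`, while the read-only and write-only paths in the earlier hunks of this file use `atomic_inc_return(...) == 1`. The two forms are equivalent only if openers are serialised by a lock, which is presumably held but is not visible in the hunk. Using the returned values keeps the three paths consistent and does not lean on that assumption: `int r = atomic_inc_return(&pipe->readers), w = atomic_inc_return(&pipe->writers);` followed by `if (r == 1 || w == 1)`. `fifo_open` starts and ends outside the hunk.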
45117 @@ -125,19 +125,19 @@ static int fifo_open(struct inode *inode
45118 return 0;
45119
45120 err_rd:
45121 - if (!--pipe->readers)
45122 + if (atomic_dec_and_test(&pipe->readers))
45123 wake_up_interruptible(&pipe->wait);
45124 ret = -ERESTARTSYS;
45125 goto err;
45126
45127 err_wr:
45128 - if (!--pipe->writers)
45129 + if (atomic_dec_and_test(&pipe->writers))
45130 wake_up_interruptible(&pipe->wait);
45131 ret = -ERESTARTSYS;
45132 goto err;
45133
45134 err:
45135 - if (!pipe->readers && !pipe->writers)
45136 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers))
45137 free_pipe_info(inode);
45138
45139 err_nocleanup:
45140 diff -urNp linux-2.6.32.46/fs/file.c linux-2.6.32.46/fs/file.c
45141 --- linux-2.6.32.46/fs/file.c 2011-03-27 14:31:47.000000000 -0400
45142 +++ linux-2.6.32.46/fs/file.c 2011-04-17 15:56:46.000000000 -0400
45143 @@ -14,6 +14,7 @@
45144 #include <linux/slab.h>
45145 #include <linux/vmalloc.h>
45146 #include <linux/file.h>
45147 +#include <linux/security.h>
45148 #include <linux/fdtable.h>
45149 #include <linux/bitops.h>
45150 #include <linux/interrupt.h>
45151 @@ -257,6 +258,8 @@ int expand_files(struct files_struct *fi
45152 * N.B. For clone tasks sharing a files structure, this test
45153 * will limit the total number of files that can be opened.
45154 */
45155 +
45156 + gr_learn_resource(current, RLIMIT_NOFILE, nr, 0);
45157 if (nr >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
45158 return -EMFILE;
45159
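Review bot: The added blank line and `gr_learn_resource()` call sit between the `N.B.` comment and the `rlim_cur` test that the comment describes, so "this test" no longer refers to the next statement. Placing the call above the comment block, which starts outside the hunk, would keep the comment attached to its `if`.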
45160 diff -urNp linux-2.6.32.46/fs/filesystems.c linux-2.6.32.46/fs/filesystems.c
45161 --- linux-2.6.32.46/fs/filesystems.c 2011-03-27 14:31:47.000000000 -0400
45162 +++ linux-2.6.32.46/fs/filesystems.c 2011-04-17 15:56:46.000000000 -0400
45163 @@ -272,7 +272,12 @@ struct file_system_type *get_fs_type(con
45164 int len = dot ? dot - name : strlen(name);
45165
45166 fs = __get_fs_type(name, len);
45167 +
45168 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
45169 + if (!fs && (___request_module(true, "grsec_modharden_fs", "%.*s", len, name) == 0))
45170 +#else
45171 if (!fs && (request_module("%.*s", len, name) == 0))
45172 +#endif
45173 fs = __get_fs_type(name, len);
45174
45175 if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) {
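Review bot: The `#ifdef CONFIG_GRKERNSEC_MODHARDEN` block splits the header of an `if` statement, so the single body line `fs = __get_fs_type(name, len);` is shared by two alternative conditions and a later edit to either branch can silently change what it guards. This is the module auto-load path the option hardens, so it is worth keeping easy to read; taking the request result into a local first preserves the short-circuit on `!fs` and leaves one plain `if`. A one-line comment on what the `"grsec_modharden_fs"` argument means to `___request_module` would also help, since its definition is not in this hunk. `get_fs_type` begins before and continues after the hunk.

```c
	fs = __get_fs_type(name, len);
	if (!fs) {
		int loaded;

#ifdef CONFIG_GRKERNSEC_MODHARDEN
		loaded = ___request_module(true, "grsec_modharden_fs", "%.*s", len, name);
#else
		loaded = request_module("%.*s", len, name);
#endif
		if (loaded == 0)
			fs = __get_fs_type(name, len);
	}
	/* … unchanged: FS_HAS_SUBTYPE check on dot/fs … */
```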
45176 diff -urNp linux-2.6.32.46/fs/fscache/cookie.c linux-2.6.32.46/fs/fscache/cookie.c
45177 --- linux-2.6.32.46/fs/fscache/cookie.c 2011-03-27 14:31:47.000000000 -0400
45178 +++ linux-2.6.32.46/fs/fscache/cookie.c 2011-05-04 17:56:28.000000000 -0400
45179 @@ -68,11 +68,11 @@ struct fscache_cookie *__fscache_acquire
45180 parent ? (char *) parent->def->name : "<no-parent>",
45181 def->name, netfs_data);
45182
45183 - fscache_stat(&fscache_n_acquires);
45184 + fscache_stat_unchecked(&fscache_n_acquires);
45185
45186 /* if there's no parent cookie, then we don't create one here either */
45187 if (!parent) {
45188 - fscache_stat(&fscache_n_acquires_null);
45189 + fscache_stat_unchecked(&fscache_n_acquires_null);
45190 _leave(" [no parent]");
45191 return NULL;
45192 }
45193 @@ -87,7 +87,7 @@ struct fscache_cookie *__fscache_acquire
45194 /* allocate and initialise a cookie */
45195 cookie = kmem_cache_alloc(fscache_cookie_jar, GFP_KERNEL);
45196 if (!cookie) {
45197 - fscache_stat(&fscache_n_acquires_oom);
45198 + fscache_stat_unchecked(&fscache_n_acquires_oom);
45199 _leave(" [ENOMEM]");
45200 return NULL;
45201 }
45202 @@ -109,13 +109,13 @@ struct fscache_cookie *__fscache_acquire
45203
45204 switch (cookie->def->type) {
45205 case FSCACHE_COOKIE_TYPE_INDEX:
45206 - fscache_stat(&fscache_n_cookie_index);
45207 + fscache_stat_unchecked(&fscache_n_cookie_index);
45208 break;
45209 case FSCACHE_COOKIE_TYPE_DATAFILE:
45210 - fscache_stat(&fscache_n_cookie_data);
45211 + fscache_stat_unchecked(&fscache_n_cookie_data);
45212 break;
45213 default:
45214 - fscache_stat(&fscache_n_cookie_special);
45215 + fscache_stat_unchecked(&fscache_n_cookie_special);
45216 break;
45217 }
45218
45219 @@ -126,13 +126,13 @@ struct fscache_cookie *__fscache_acquire
45220 if (fscache_acquire_non_index_cookie(cookie) < 0) {
45221 atomic_dec(&parent->n_children);
45222 __fscache_cookie_put(cookie);
45223 - fscache_stat(&fscache_n_acquires_nobufs);
45224 + fscache_stat_unchecked(&fscache_n_acquires_nobufs);
45225 _leave(" = NULL");
45226 return NULL;
45227 }
45228 }
45229
45230 - fscache_stat(&fscache_n_acquires_ok);
45231 + fscache_stat_unchecked(&fscache_n_acquires_ok);
45232 _leave(" = %p", cookie);
45233 return cookie;
45234 }
45235 @@ -168,7 +168,7 @@ static int fscache_acquire_non_index_coo
45236 cache = fscache_select_cache_for_object(cookie->parent);
45237 if (!cache) {
45238 up_read(&fscache_addremove_sem);
45239 - fscache_stat(&fscache_n_acquires_no_cache);
45240 + fscache_stat_unchecked(&fscache_n_acquires_no_cache);
45241 _leave(" = -ENOMEDIUM [no cache]");
45242 return -ENOMEDIUM;
45243 }
45244 @@ -256,12 +256,12 @@ static int fscache_alloc_object(struct f
45245 object = cache->ops->alloc_object(cache, cookie);
45246 fscache_stat_d(&fscache_n_cop_alloc_object);
45247 if (IS_ERR(object)) {
45248 - fscache_stat(&fscache_n_object_no_alloc);
45249 + fscache_stat_unchecked(&fscache_n_object_no_alloc);
45250 ret = PTR_ERR(object);
45251 goto error;
45252 }
45253
45254 - fscache_stat(&fscache_n_object_alloc);
45255 + fscache_stat_unchecked(&fscache_n_object_alloc);
45256
45257 object->debug_id = atomic_inc_return(&fscache_object_debug_id);
45258
45259 @@ -377,10 +377,10 @@ void __fscache_update_cookie(struct fsca
45260 struct fscache_object *object;
45261 struct hlist_node *_p;
45262
45263 - fscache_stat(&fscache_n_updates);
45264 + fscache_stat_unchecked(&fscache_n_updates);
45265
45266 if (!cookie) {
45267 - fscache_stat(&fscache_n_updates_null);
45268 + fscache_stat_unchecked(&fscache_n_updates_null);
45269 _leave(" [no cookie]");
45270 return;
45271 }
45272 @@ -414,12 +414,12 @@ void __fscache_relinquish_cookie(struct
45273 struct fscache_object *object;
45274 unsigned long event;
45275
45276 - fscache_stat(&fscache_n_relinquishes);
45277 + fscache_stat_unchecked(&fscache_n_relinquishes);
45278 if (retire)
45279 - fscache_stat(&fscache_n_relinquishes_retire);
45280 + fscache_stat_unchecked(&fscache_n_relinquishes_retire);
45281
45282 if (!cookie) {
45283 - fscache_stat(&fscache_n_relinquishes_null);
45284 + fscache_stat_unchecked(&fscache_n_relinquishes_null);
45285 _leave(" [no cookie]");
45286 return;
45287 }
45288 @@ -435,7 +435,7 @@ void __fscache_relinquish_cookie(struct
45289
45290 /* wait for the cookie to finish being instantiated (or to fail) */
45291 if (test_bit(FSCACHE_COOKIE_CREATING, &cookie->flags)) {
45292 - fscache_stat(&fscache_n_relinquishes_waitcrt);
45293 + fscache_stat_unchecked(&fscache_n_relinquishes_waitcrt);
45294 wait_on_bit(&cookie->flags, FSCACHE_COOKIE_CREATING,
45295 fscache_wait_bit, TASK_UNINTERRUPTIBLE);
45296 }
45297 diff -urNp linux-2.6.32.46/fs/fscache/internal.h linux-2.6.32.46/fs/fscache/internal.h
45298 --- linux-2.6.32.46/fs/fscache/internal.h 2011-03-27 14:31:47.000000000 -0400
45299 +++ linux-2.6.32.46/fs/fscache/internal.h 2011-05-04 17:56:28.000000000 -0400
45300 @@ -136,94 +136,94 @@ extern void fscache_proc_cleanup(void);
45301 extern atomic_t fscache_n_ops_processed[FSCACHE_MAX_THREADS];
45302 extern atomic_t fscache_n_objs_processed[FSCACHE_MAX_THREADS];
45303
45304 -extern atomic_t fscache_n_op_pend;
45305 -extern atomic_t fscache_n_op_run;
45306 -extern atomic_t fscache_n_op_enqueue;
45307 -extern atomic_t fscache_n_op_deferred_release;
45308 -extern atomic_t fscache_n_op_release;
45309 -extern atomic_t fscache_n_op_gc;
45310 -extern atomic_t fscache_n_op_cancelled;
45311 -extern atomic_t fscache_n_op_rejected;
45312 -
45313 -extern atomic_t fscache_n_attr_changed;
45314 -extern atomic_t fscache_n_attr_changed_ok;
45315 -extern atomic_t fscache_n_attr_changed_nobufs;
45316 -extern atomic_t fscache_n_attr_changed_nomem;
45317 -extern atomic_t fscache_n_attr_changed_calls;
45318 -
45319 -extern atomic_t fscache_n_allocs;
45320 -extern atomic_t fscache_n_allocs_ok;
45321 -extern atomic_t fscache_n_allocs_wait;
45322 -extern atomic_t fscache_n_allocs_nobufs;
45323 -extern atomic_t fscache_n_allocs_intr;
45324 -extern atomic_t fscache_n_allocs_object_dead;
45325 -extern atomic_t fscache_n_alloc_ops;
45326 -extern atomic_t fscache_n_alloc_op_waits;
45327 -
45328 -extern atomic_t fscache_n_retrievals;
45329 -extern atomic_t fscache_n_retrievals_ok;
45330 -extern atomic_t fscache_n_retrievals_wait;
45331 -extern atomic_t fscache_n_retrievals_nodata;
45332 -extern atomic_t fscache_n_retrievals_nobufs;
45333 -extern atomic_t fscache_n_retrievals_intr;
45334 -extern atomic_t fscache_n_retrievals_nomem;
45335 -extern atomic_t fscache_n_retrievals_object_dead;
45336 -extern atomic_t fscache_n_retrieval_ops;
45337 -extern atomic_t fscache_n_retrieval_op_waits;
45338 -
45339 -extern atomic_t fscache_n_stores;
45340 -extern atomic_t fscache_n_stores_ok;
45341 -extern atomic_t fscache_n_stores_again;
45342 -extern atomic_t fscache_n_stores_nobufs;
45343 -extern atomic_t fscache_n_stores_oom;
45344 -extern atomic_t fscache_n_store_ops;
45345 -extern atomic_t fscache_n_store_calls;
45346 -extern atomic_t fscache_n_store_pages;
45347 -extern atomic_t fscache_n_store_radix_deletes;
45348 -extern atomic_t fscache_n_store_pages_over_limit;
45349 -
45350 -extern atomic_t fscache_n_store_vmscan_not_storing;
45351 -extern atomic_t fscache_n_store_vmscan_gone;
45352 -extern atomic_t fscache_n_store_vmscan_busy;
45353 -extern atomic_t fscache_n_store_vmscan_cancelled;
45354 -
45355 -extern atomic_t fscache_n_marks;
45356 -extern atomic_t fscache_n_uncaches;
45357 -
45358 -extern atomic_t fscache_n_acquires;
45359 -extern atomic_t fscache_n_acquires_null;
45360 -extern atomic_t fscache_n_acquires_no_cache;
45361 -extern atomic_t fscache_n_acquires_ok;
45362 -extern atomic_t fscache_n_acquires_nobufs;
45363 -extern atomic_t fscache_n_acquires_oom;
45364 -
45365 -extern atomic_t fscache_n_updates;
45366 -extern atomic_t fscache_n_updates_null;
45367 -extern atomic_t fscache_n_updates_run;
45368 -
45369 -extern atomic_t fscache_n_relinquishes;
45370 -extern atomic_t fscache_n_relinquishes_null;
45371 -extern atomic_t fscache_n_relinquishes_waitcrt;
45372 -extern atomic_t fscache_n_relinquishes_retire;
45373 -
45374 -extern atomic_t fscache_n_cookie_index;
45375 -extern atomic_t fscache_n_cookie_data;
45376 -extern atomic_t fscache_n_cookie_special;
45377 -
45378 -extern atomic_t fscache_n_object_alloc;
45379 -extern atomic_t fscache_n_object_no_alloc;
45380 -extern atomic_t fscache_n_object_lookups;
45381 -extern atomic_t fscache_n_object_lookups_negative;
45382 -extern atomic_t fscache_n_object_lookups_positive;
45383 -extern atomic_t fscache_n_object_lookups_timed_out;
45384 -extern atomic_t fscache_n_object_created;
45385 -extern atomic_t fscache_n_object_avail;
45386 -extern atomic_t fscache_n_object_dead;
45387 -
45388 -extern atomic_t fscache_n_checkaux_none;
45389 -extern atomic_t fscache_n_checkaux_okay;
45390 -extern atomic_t fscache_n_checkaux_update;
45391 -extern atomic_t fscache_n_checkaux_obsolete;
45392 +extern atomic_unchecked_t fscache_n_op_pend;
45393 +extern atomic_unchecked_t fscache_n_op_run;
45394 +extern atomic_unchecked_t fscache_n_op_enqueue;
45395 +extern atomic_unchecked_t fscache_n_op_deferred_release;
45396 +extern atomic_unchecked_t fscache_n_op_release;
45397 +extern atomic_unchecked_t fscache_n_op_gc;
45398 +extern atomic_unchecked_t fscache_n_op_cancelled;
45399 +extern atomic_unchecked_t fscache_n_op_rejected;
45400 +
45401 +extern atomic_unchecked_t fscache_n_attr_changed;
45402 +extern atomic_unchecked_t fscache_n_attr_changed_ok;
45403 +extern atomic_unchecked_t fscache_n_attr_changed_nobufs;
45404 +extern atomic_unchecked_t fscache_n_attr_changed_nomem;
45405 +extern atomic_unchecked_t fscache_n_attr_changed_calls;
45406 +
45407 +extern atomic_unchecked_t fscache_n_allocs;
45408 +extern atomic_unchecked_t fscache_n_allocs_ok;
45409 +extern atomic_unchecked_t fscache_n_allocs_wait;
45410 +extern atomic_unchecked_t fscache_n_allocs_nobufs;
45411 +extern atomic_unchecked_t fscache_n_allocs_intr;
45412 +extern atomic_unchecked_t fscache_n_allocs_object_dead;
45413 +extern atomic_unchecked_t fscache_n_alloc_ops;
45414 +extern atomic_unchecked_t fscache_n_alloc_op_waits;
45415 +
45416 +extern atomic_unchecked_t fscache_n_retrievals;
45417 +extern atomic_unchecked_t fscache_n_retrievals_ok;
45418 +extern atomic_unchecked_t fscache_n_retrievals_wait;
45419 +extern atomic_unchecked_t fscache_n_retrievals_nodata;
45420 +extern atomic_unchecked_t fscache_n_retrievals_nobufs;
45421 +extern atomic_unchecked_t fscache_n_retrievals_intr;
45422 +extern atomic_unchecked_t fscache_n_retrievals_nomem;
45423 +extern atomic_unchecked_t fscache_n_retrievals_object_dead;
45424 +extern atomic_unchecked_t fscache_n_retrieval_ops;
45425 +extern atomic_unchecked_t fscache_n_retrieval_op_waits;
45426 +
45427 +extern atomic_unchecked_t fscache_n_stores;
45428 +extern atomic_unchecked_t fscache_n_stores_ok;
45429 +extern atomic_unchecked_t fscache_n_stores_again;
45430 +extern atomic_unchecked_t fscache_n_stores_nobufs;
45431 +extern atomic_unchecked_t fscache_n_stores_oom;
45432 +extern atomic_unchecked_t fscache_n_store_ops;
45433 +extern atomic_unchecked_t fscache_n_store_calls;
45434 +extern atomic_unchecked_t fscache_n_store_pages;
45435 +extern atomic_unchecked_t fscache_n_store_radix_deletes;
45436 +extern atomic_unchecked_t fscache_n_store_pages_over_limit;
45437 +
45438 +extern atomic_unchecked_t fscache_n_store_vmscan_not_storing;
45439 +extern atomic_unchecked_t fscache_n_store_vmscan_gone;
45440 +extern atomic_unchecked_t fscache_n_store_vmscan_busy;
45441 +extern atomic_unchecked_t fscache_n_store_vmscan_cancelled;
45442 +
45443 +extern atomic_unchecked_t fscache_n_marks;
45444 +extern atomic_unchecked_t fscache_n_uncaches;
45445 +
45446 +extern atomic_unchecked_t fscache_n_acquires;
45447 +extern atomic_unchecked_t fscache_n_acquires_null;
45448 +extern atomic_unchecked_t fscache_n_acquires_no_cache;
45449 +extern atomic_unchecked_t fscache_n_acquires_ok;
45450 +extern atomic_unchecked_t fscache_n_acquires_nobufs;
45451 +extern atomic_unchecked_t fscache_n_acquires_oom;
45452 +
45453 +extern atomic_unchecked_t fscache_n_updates;
45454 +extern atomic_unchecked_t fscache_n_updates_null;
45455 +extern atomic_unchecked_t fscache_n_updates_run;
45456 +
45457 +extern atomic_unchecked_t fscache_n_relinquishes;
45458 +extern atomic_unchecked_t fscache_n_relinquishes_null;
45459 +extern atomic_unchecked_t fscache_n_relinquishes_waitcrt;
45460 +extern atomic_unchecked_t fscache_n_relinquishes_retire;
45461 +
45462 +extern atomic_unchecked_t fscache_n_cookie_index;
45463 +extern atomic_unchecked_t fscache_n_cookie_data;
45464 +extern atomic_unchecked_t fscache_n_cookie_special;
45465 +
45466 +extern atomic_unchecked_t fscache_n_object_alloc;
45467 +extern atomic_unchecked_t fscache_n_object_no_alloc;
45468 +extern atomic_unchecked_t fscache_n_object_lookups;
45469 +extern atomic_unchecked_t fscache_n_object_lookups_negative;
45470 +extern atomic_unchecked_t fscache_n_object_lookups_positive;
45471 +extern atomic_unchecked_t fscache_n_object_lookups_timed_out;
45472 +extern atomic_unchecked_t fscache_n_object_created;
45473 +extern atomic_unchecked_t fscache_n_object_avail;
45474 +extern atomic_unchecked_t fscache_n_object_dead;
45475 +
45476 +extern atomic_unchecked_t fscache_n_checkaux_none;
45477 +extern atomic_unchecked_t fscache_n_checkaux_okay;
45478 +extern atomic_unchecked_t fscache_n_checkaux_update;
45479 +extern atomic_unchecked_t fscache_n_checkaux_obsolete;
45480
45481 extern atomic_t fscache_n_cop_alloc_object;
45482 extern atomic_t fscache_n_cop_lookup_object;
45483 @@ -247,6 +247,11 @@ static inline void fscache_stat(atomic_t
45484 atomic_inc(stat);
45485 }
45486
45487 +static inline void fscache_stat_unchecked(atomic_unchecked_t *stat)
45488 +{
45489 + atomic_inc_unchecked(stat);
45490 +}
45491 +
45492 static inline void fscache_stat_d(atomic_t *stat)
45493 {
45494 atomic_dec(stat);
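Review bot: `fscache_stat_unchecked()` is added next to `fscache_stat()` with no comment saying which one a new counter should use. From the other hunks in this patch the split appears to be that event counters which only ever increase move to `atomic_unchecked_t`, while the `fscache_n_cop_*` counters, which are paired with `fscache_stat_d()`, stay `atomic_t`. Stating that above the helper, e.g. `/* statistics that only count events and may wrap harmlessly; counters that are also decremented keep fscache_stat() */`, would keep future additions from picking the wrong type.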
45495 @@ -259,6 +264,7 @@ extern const struct file_operations fsca
45496
45497 #define __fscache_stat(stat) (NULL)
45498 #define fscache_stat(stat) do {} while (0)
45499 +#define fscache_stat_unchecked(stat) do {} while (0)
45500 #define fscache_stat_d(stat) do {} while (0)
45501 #endif
45502
45503 diff -urNp linux-2.6.32.46/fs/fscache/object.c linux-2.6.32.46/fs/fscache/object.c
45504 --- linux-2.6.32.46/fs/fscache/object.c 2011-03-27 14:31:47.000000000 -0400
45505 +++ linux-2.6.32.46/fs/fscache/object.c 2011-05-04 17:56:28.000000000 -0400
45506 @@ -144,7 +144,7 @@ static void fscache_object_state_machine
45507 /* update the object metadata on disk */
45508 case FSCACHE_OBJECT_UPDATING:
45509 clear_bit(FSCACHE_OBJECT_EV_UPDATE, &object->events);
45510 - fscache_stat(&fscache_n_updates_run);
45511 + fscache_stat_unchecked(&fscache_n_updates_run);
45512 fscache_stat(&fscache_n_cop_update_object);
45513 object->cache->ops->update_object(object);
45514 fscache_stat_d(&fscache_n_cop_update_object);
45515 @@ -233,7 +233,7 @@ static void fscache_object_state_machine
45516 spin_lock(&object->lock);
45517 object->state = FSCACHE_OBJECT_DEAD;
45518 spin_unlock(&object->lock);
45519 - fscache_stat(&fscache_n_object_dead);
45520 + fscache_stat_unchecked(&fscache_n_object_dead);
45521 goto terminal_transit;
45522
45523 /* handle the parent cache of this object being withdrawn from
45524 @@ -248,7 +248,7 @@ static void fscache_object_state_machine
45525 spin_lock(&object->lock);
45526 object->state = FSCACHE_OBJECT_DEAD;
45527 spin_unlock(&object->lock);
45528 - fscache_stat(&fscache_n_object_dead);
45529 + fscache_stat_unchecked(&fscache_n_object_dead);
45530 goto terminal_transit;
45531
45532 /* complain about the object being woken up once it is
45533 @@ -492,7 +492,7 @@ static void fscache_lookup_object(struct
45534 parent->cookie->def->name, cookie->def->name,
45535 object->cache->tag->name);
45536
45537 - fscache_stat(&fscache_n_object_lookups);
45538 + fscache_stat_unchecked(&fscache_n_object_lookups);
45539 fscache_stat(&fscache_n_cop_lookup_object);
45540 ret = object->cache->ops->lookup_object(object);
45541 fscache_stat_d(&fscache_n_cop_lookup_object);
45542 @@ -503,7 +503,7 @@ static void fscache_lookup_object(struct
45543 if (ret == -ETIMEDOUT) {
45544 /* probably stuck behind another object, so move this one to
45545 * the back of the queue */
45546 - fscache_stat(&fscache_n_object_lookups_timed_out);
45547 + fscache_stat_unchecked(&fscache_n_object_lookups_timed_out);
45548 set_bit(FSCACHE_OBJECT_EV_REQUEUE, &object->events);
45549 }
45550
45551 @@ -526,7 +526,7 @@ void fscache_object_lookup_negative(stru
45552
45553 spin_lock(&object->lock);
45554 if (object->state == FSCACHE_OBJECT_LOOKING_UP) {
45555 - fscache_stat(&fscache_n_object_lookups_negative);
45556 + fscache_stat_unchecked(&fscache_n_object_lookups_negative);
45557
45558 /* transit here to allow write requests to begin stacking up
45559 * and read requests to begin returning ENODATA */
45560 @@ -572,7 +572,7 @@ void fscache_obtained_object(struct fsca
45561 * result, in which case there may be data available */
45562 spin_lock(&object->lock);
45563 if (object->state == FSCACHE_OBJECT_LOOKING_UP) {
45564 - fscache_stat(&fscache_n_object_lookups_positive);
45565 + fscache_stat_unchecked(&fscache_n_object_lookups_positive);
45566
45567 clear_bit(FSCACHE_COOKIE_NO_DATA_YET, &cookie->flags);
45568
45569 @@ -586,7 +586,7 @@ void fscache_obtained_object(struct fsca
45570 set_bit(FSCACHE_OBJECT_EV_REQUEUE, &object->events);
45571 } else {
45572 ASSERTCMP(object->state, ==, FSCACHE_OBJECT_CREATING);
45573 - fscache_stat(&fscache_n_object_created);
45574 + fscache_stat_unchecked(&fscache_n_object_created);
45575
45576 object->state = FSCACHE_OBJECT_AVAILABLE;
45577 spin_unlock(&object->lock);
45578 @@ -633,7 +633,7 @@ static void fscache_object_available(str
45579 fscache_enqueue_dependents(object);
45580
45581 fscache_hist(fscache_obj_instantiate_histogram, object->lookup_jif);
45582 - fscache_stat(&fscache_n_object_avail);
45583 + fscache_stat_unchecked(&fscache_n_object_avail);
45584
45585 _leave("");
45586 }
45587 @@ -861,7 +861,7 @@ enum fscache_checkaux fscache_check_aux(
45588 enum fscache_checkaux result;
45589
45590 if (!object->cookie->def->check_aux) {
45591 - fscache_stat(&fscache_n_checkaux_none);
45592 + fscache_stat_unchecked(&fscache_n_checkaux_none);
45593 return FSCACHE_CHECKAUX_OKAY;
45594 }
45595
45596 @@ -870,17 +870,17 @@ enum fscache_checkaux fscache_check_aux(
45597 switch (result) {
45598 /* entry okay as is */
45599 case FSCACHE_CHECKAUX_OKAY:
45600 - fscache_stat(&fscache_n_checkaux_okay);
45601 + fscache_stat_unchecked(&fscache_n_checkaux_okay);
45602 break;
45603
45604 /* entry requires update */
45605 case FSCACHE_CHECKAUX_NEEDS_UPDATE:
45606 - fscache_stat(&fscache_n_checkaux_update);
45607 + fscache_stat_unchecked(&fscache_n_checkaux_update);
45608 break;
45609
45610 /* entry requires deletion */
45611 case FSCACHE_CHECKAUX_OBSOLETE:
45612 - fscache_stat(&fscache_n_checkaux_obsolete);
45613 + fscache_stat_unchecked(&fscache_n_checkaux_obsolete);
45614 break;
45615
45616 default:
45617 diff -urNp linux-2.6.32.46/fs/fscache/operation.c linux-2.6.32.46/fs/fscache/operation.c
45618 --- linux-2.6.32.46/fs/fscache/operation.c 2011-03-27 14:31:47.000000000 -0400
45619 +++ linux-2.6.32.46/fs/fscache/operation.c 2011-05-04 17:56:28.000000000 -0400
45620 @@ -16,7 +16,7 @@
45621 #include <linux/seq_file.h>
45622 #include "internal.h"
45623
45624 -atomic_t fscache_op_debug_id;
45625 +atomic_unchecked_t fscache_op_debug_id;
45626 EXPORT_SYMBOL(fscache_op_debug_id);
45627
45628 /**
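Review bot: `fscache_op_debug_id` is exported with `EXPORT_SYMBOL`, so changing its type to `atomic_unchecked_t` affects every user of the symbol, not only this file. Its `extern` declaration and each increment site must switch to the `_unchecked` accessors in the same patch; none of them are visible in this hunk, so that is worth confirming. A comment such as `/* debug IDs only label operations in traces; wrap-around is harmless */` would record why the overflow check is waived here, if that is indeed the reasoning.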
45629 @@ -39,7 +39,7 @@ void fscache_enqueue_operation(struct fs
45630 ASSERTCMP(op->object->state, >=, FSCACHE_OBJECT_AVAILABLE);
45631 ASSERTCMP(atomic_read(&op->usage), >, 0);
45632
45633 - fscache_stat(&fscache_n_op_enqueue);
45634 + fscache_stat_unchecked(&fscache_n_op_enqueue);
45635 switch (op->flags & FSCACHE_OP_TYPE) {
45636 case FSCACHE_OP_FAST:
45637 _debug("queue fast");
45638 @@ -76,7 +76,7 @@ static void fscache_run_op(struct fscach
45639 wake_up_bit(&op->flags, FSCACHE_OP_WAITING);
45640 if (op->processor)
45641 fscache_enqueue_operation(op);
45642 - fscache_stat(&fscache_n_op_run);
45643 + fscache_stat_unchecked(&fscache_n_op_run);
45644 }
45645
45646 /*
45647 @@ -107,11 +107,11 @@ int fscache_submit_exclusive_op(struct f
45648 if (object->n_ops > 0) {
45649 atomic_inc(&op->usage);
45650 list_add_tail(&op->pend_link, &object->pending_ops);
45651 - fscache_stat(&fscache_n_op_pend);
45652 + fscache_stat_unchecked(&fscache_n_op_pend);
45653 } else if (!list_empty(&object->pending_ops)) {
45654 atomic_inc(&op->usage);
45655 list_add_tail(&op->pend_link, &object->pending_ops);
45656 - fscache_stat(&fscache_n_op_pend);
45657 + fscache_stat_unchecked(&fscache_n_op_pend);
45658 fscache_start_operations(object);
45659 } else {
45660 ASSERTCMP(object->n_in_progress, ==, 0);
45661 @@ -127,7 +127,7 @@ int fscache_submit_exclusive_op(struct f
45662 object->n_exclusive++; /* reads and writes must wait */
45663 atomic_inc(&op->usage);
45664 list_add_tail(&op->pend_link, &object->pending_ops);
45665 - fscache_stat(&fscache_n_op_pend);
45666 + fscache_stat_unchecked(&fscache_n_op_pend);
45667 ret = 0;
45668 } else {
45669 /* not allowed to submit ops in any other state */
45670 @@ -214,11 +214,11 @@ int fscache_submit_op(struct fscache_obj
45671 if (object->n_exclusive > 0) {
45672 atomic_inc(&op->usage);
45673 list_add_tail(&op->pend_link, &object->pending_ops);
45674 - fscache_stat(&fscache_n_op_pend);
45675 + fscache_stat_unchecked(&fscache_n_op_pend);
45676 } else if (!list_empty(&object->pending_ops)) {
45677 atomic_inc(&op->usage);
45678 list_add_tail(&op->pend_link, &object->pending_ops);
45679 - fscache_stat(&fscache_n_op_pend);
45680 + fscache_stat_unchecked(&fscache_n_op_pend);
45681 fscache_start_operations(object);
45682 } else {
45683 ASSERTCMP(object->n_exclusive, ==, 0);
45684 @@ -230,12 +230,12 @@ int fscache_submit_op(struct fscache_obj
45685 object->n_ops++;
45686 atomic_inc(&op->usage);
45687 list_add_tail(&op->pend_link, &object->pending_ops);
45688 - fscache_stat(&fscache_n_op_pend);
45689 + fscache_stat_unchecked(&fscache_n_op_pend);
45690 ret = 0;
45691 } else if (object->state == FSCACHE_OBJECT_DYING ||
45692 object->state == FSCACHE_OBJECT_LC_DYING ||
45693 object->state == FSCACHE_OBJECT_WITHDRAWING) {
45694 - fscache_stat(&fscache_n_op_rejected);
45695 + fscache_stat_unchecked(&fscache_n_op_rejected);
45696 ret = -ENOBUFS;
45697 } else if (!test_bit(FSCACHE_IOERROR, &object->cache->flags)) {
45698 fscache_report_unexpected_submission(object, op, ostate);
45699 @@ -305,7 +305,7 @@ int fscache_cancel_op(struct fscache_ope
45700
45701 ret = -EBUSY;
45702 if (!list_empty(&op->pend_link)) {
45703 - fscache_stat(&fscache_n_op_cancelled);
45704 + fscache_stat_unchecked(&fscache_n_op_cancelled);
45705 list_del_init(&op->pend_link);
45706 object->n_ops--;
45707 if (test_bit(FSCACHE_OP_EXCLUSIVE, &op->flags))
45708 @@ -344,7 +344,7 @@ void fscache_put_operation(struct fscach
45709 if (test_and_set_bit(FSCACHE_OP_DEAD, &op->flags))
45710 BUG();
45711
45712 - fscache_stat(&fscache_n_op_release);
45713 + fscache_stat_unchecked(&fscache_n_op_release);
45714
45715 if (op->release) {
45716 op->release(op);
45717 @@ -361,7 +361,7 @@ void fscache_put_operation(struct fscach
45718 * lock, and defer it otherwise */
45719 if (!spin_trylock(&object->lock)) {
45720 _debug("defer put");
45721 - fscache_stat(&fscache_n_op_deferred_release);
45722 + fscache_stat_unchecked(&fscache_n_op_deferred_release);
45723
45724 cache = object->cache;
45725 spin_lock(&cache->op_gc_list_lock);
45726 @@ -423,7 +423,7 @@ void fscache_operation_gc(struct work_st
45727
45728 _debug("GC DEFERRED REL OBJ%x OP%x",
45729 object->debug_id, op->debug_id);
45730 - fscache_stat(&fscache_n_op_gc);
45731 + fscache_stat_unchecked(&fscache_n_op_gc);
45732
45733 ASSERTCMP(atomic_read(&op->usage), ==, 0);
45734
45735 diff -urNp linux-2.6.32.46/fs/fscache/page.c linux-2.6.32.46/fs/fscache/page.c
45736 --- linux-2.6.32.46/fs/fscache/page.c 2011-03-27 14:31:47.000000000 -0400
45737 +++ linux-2.6.32.46/fs/fscache/page.c 2011-05-04 17:56:28.000000000 -0400
45738 @@ -59,7 +59,7 @@ bool __fscache_maybe_release_page(struct
45739 val = radix_tree_lookup(&cookie->stores, page->index);
45740 if (!val) {
45741 rcu_read_unlock();
45742 - fscache_stat(&fscache_n_store_vmscan_not_storing);
45743 + fscache_stat_unchecked(&fscache_n_store_vmscan_not_storing);
45744 __fscache_uncache_page(cookie, page);
45745 return true;
45746 }
45747 @@ -89,11 +89,11 @@ bool __fscache_maybe_release_page(struct
45748 spin_unlock(&cookie->stores_lock);
45749
45750 if (xpage) {
45751 - fscache_stat(&fscache_n_store_vmscan_cancelled);
45752 - fscache_stat(&fscache_n_store_radix_deletes);
45753 + fscache_stat_unchecked(&fscache_n_store_vmscan_cancelled);
45754 + fscache_stat_unchecked(&fscache_n_store_radix_deletes);
45755 ASSERTCMP(xpage, ==, page);
45756 } else {
45757 - fscache_stat(&fscache_n_store_vmscan_gone);
45758 + fscache_stat_unchecked(&fscache_n_store_vmscan_gone);
45759 }
45760
45761 wake_up_bit(&cookie->flags, 0);
45762 @@ -106,7 +106,7 @@ page_busy:
45763 /* we might want to wait here, but that could deadlock the allocator as
45764 * the slow-work threads writing to the cache may all end up sleeping
45765 * on memory allocation */
45766 - fscache_stat(&fscache_n_store_vmscan_busy);
45767 + fscache_stat_unchecked(&fscache_n_store_vmscan_busy);
45768 return false;
45769 }
45770 EXPORT_SYMBOL(__fscache_maybe_release_page);
45771 @@ -130,7 +130,7 @@ static void fscache_end_page_write(struc
45772 FSCACHE_COOKIE_STORING_TAG);
45773 if (!radix_tree_tag_get(&cookie->stores, page->index,
45774 FSCACHE_COOKIE_PENDING_TAG)) {
45775 - fscache_stat(&fscache_n_store_radix_deletes);
45776 + fscache_stat_unchecked(&fscache_n_store_radix_deletes);
45777 xpage = radix_tree_delete(&cookie->stores, page->index);
45778 }
45779 spin_unlock(&cookie->stores_lock);
45780 @@ -151,7 +151,7 @@ static void fscache_attr_changed_op(stru
45781
45782 _enter("{OBJ%x OP%x}", object->debug_id, op->debug_id);
45783
45784 - fscache_stat(&fscache_n_attr_changed_calls);
45785 + fscache_stat_unchecked(&fscache_n_attr_changed_calls);
45786
45787 if (fscache_object_is_active(object)) {
45788 fscache_set_op_state(op, "CallFS");
45789 @@ -178,11 +178,11 @@ int __fscache_attr_changed(struct fscach
45790
45791 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
45792
45793 - fscache_stat(&fscache_n_attr_changed);
45794 + fscache_stat_unchecked(&fscache_n_attr_changed);
45795
45796 op = kzalloc(sizeof(*op), GFP_KERNEL);
45797 if (!op) {
45798 - fscache_stat(&fscache_n_attr_changed_nomem);
45799 + fscache_stat_unchecked(&fscache_n_attr_changed_nomem);
45800 _leave(" = -ENOMEM");
45801 return -ENOMEM;
45802 }
45803 @@ -202,7 +202,7 @@ int __fscache_attr_changed(struct fscach
45804 if (fscache_submit_exclusive_op(object, op) < 0)
45805 goto nobufs;
45806 spin_unlock(&cookie->lock);
45807 - fscache_stat(&fscache_n_attr_changed_ok);
45808 + fscache_stat_unchecked(&fscache_n_attr_changed_ok);
45809 fscache_put_operation(op);
45810 _leave(" = 0");
45811 return 0;
45812 @@ -210,7 +210,7 @@ int __fscache_attr_changed(struct fscach
45813 nobufs:
45814 spin_unlock(&cookie->lock);
45815 kfree(op);
45816 - fscache_stat(&fscache_n_attr_changed_nobufs);
45817 + fscache_stat_unchecked(&fscache_n_attr_changed_nobufs);
45818 _leave(" = %d", -ENOBUFS);
45819 return -ENOBUFS;
45820 }
45821 @@ -264,7 +264,7 @@ static struct fscache_retrieval *fscache
45822 /* allocate a retrieval operation and attempt to submit it */
45823 op = kzalloc(sizeof(*op), GFP_NOIO);
45824 if (!op) {
45825 - fscache_stat(&fscache_n_retrievals_nomem);
45826 + fscache_stat_unchecked(&fscache_n_retrievals_nomem);
45827 return NULL;
45828 }
45829
45830 @@ -294,13 +294,13 @@ static int fscache_wait_for_deferred_loo
45831 return 0;
45832 }
45833
45834 - fscache_stat(&fscache_n_retrievals_wait);
45835 + fscache_stat_unchecked(&fscache_n_retrievals_wait);
45836
45837 jif = jiffies;
45838 if (wait_on_bit(&cookie->flags, FSCACHE_COOKIE_LOOKING_UP,
45839 fscache_wait_bit_interruptible,
45840 TASK_INTERRUPTIBLE) != 0) {
45841 - fscache_stat(&fscache_n_retrievals_intr);
45842 + fscache_stat_unchecked(&fscache_n_retrievals_intr);
45843 _leave(" = -ERESTARTSYS");
45844 return -ERESTARTSYS;
45845 }
45846 @@ -318,8 +318,8 @@ static int fscache_wait_for_deferred_loo
45847 */
45848 static int fscache_wait_for_retrieval_activation(struct fscache_object *object,
45849 struct fscache_retrieval *op,
45850 - atomic_t *stat_op_waits,
45851 - atomic_t *stat_object_dead)
45852 + atomic_unchecked_t *stat_op_waits,
45853 + atomic_unchecked_t *stat_object_dead)
45854 {
45855 int ret;
45856
45857 @@ -327,7 +327,7 @@ static int fscache_wait_for_retrieval_ac
45858 goto check_if_dead;
45859
45860 _debug(">>> WT");
45861 - fscache_stat(stat_op_waits);
45862 + fscache_stat_unchecked(stat_op_waits);
45863 if (wait_on_bit(&op->op.flags, FSCACHE_OP_WAITING,
45864 fscache_wait_bit_interruptible,
45865 TASK_INTERRUPTIBLE) < 0) {
45866 @@ -344,7 +344,7 @@ static int fscache_wait_for_retrieval_ac
45867
45868 check_if_dead:
45869 if (unlikely(fscache_object_is_dead(object))) {
45870 - fscache_stat(stat_object_dead);
45871 + fscache_stat_unchecked(stat_object_dead);
45872 return -ENOBUFS;
45873 }
45874 return 0;
45875 @@ -371,7 +371,7 @@ int __fscache_read_or_alloc_page(struct
45876
45877 _enter("%p,%p,,,", cookie, page);
45878
45879 - fscache_stat(&fscache_n_retrievals);
45880 + fscache_stat_unchecked(&fscache_n_retrievals);
45881
45882 if (hlist_empty(&cookie->backing_objects))
45883 goto nobufs;
45884 @@ -405,7 +405,7 @@ int __fscache_read_or_alloc_page(struct
45885 goto nobufs_unlock;
45886 spin_unlock(&cookie->lock);
45887
45888 - fscache_stat(&fscache_n_retrieval_ops);
45889 + fscache_stat_unchecked(&fscache_n_retrieval_ops);
45890
45891 /* pin the netfs read context in case we need to do the actual netfs
45892 * read because we've encountered a cache read failure */
45893 @@ -435,15 +435,15 @@ int __fscache_read_or_alloc_page(struct
45894
45895 error:
45896 if (ret == -ENOMEM)
45897 - fscache_stat(&fscache_n_retrievals_nomem);
45898 + fscache_stat_unchecked(&fscache_n_retrievals_nomem);
45899 else if (ret == -ERESTARTSYS)
45900 - fscache_stat(&fscache_n_retrievals_intr);
45901 + fscache_stat_unchecked(&fscache_n_retrievals_intr);
45902 else if (ret == -ENODATA)
45903 - fscache_stat(&fscache_n_retrievals_nodata);
45904 + fscache_stat_unchecked(&fscache_n_retrievals_nodata);
45905 else if (ret < 0)
45906 - fscache_stat(&fscache_n_retrievals_nobufs);
45907 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
45908 else
45909 - fscache_stat(&fscache_n_retrievals_ok);
45910 + fscache_stat_unchecked(&fscache_n_retrievals_ok);
45911
45912 fscache_put_retrieval(op);
45913 _leave(" = %d", ret);
45914 @@ -453,7 +453,7 @@ nobufs_unlock:
45915 spin_unlock(&cookie->lock);
45916 kfree(op);
45917 nobufs:
45918 - fscache_stat(&fscache_n_retrievals_nobufs);
45919 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
45920 _leave(" = -ENOBUFS");
45921 return -ENOBUFS;
45922 }
45923 @@ -491,7 +491,7 @@ int __fscache_read_or_alloc_pages(struct
45924
45925 _enter("%p,,%d,,,", cookie, *nr_pages);
45926
45927 - fscache_stat(&fscache_n_retrievals);
45928 + fscache_stat_unchecked(&fscache_n_retrievals);
45929
45930 if (hlist_empty(&cookie->backing_objects))
45931 goto nobufs;
45932 @@ -522,7 +522,7 @@ int __fscache_read_or_alloc_pages(struct
45933 goto nobufs_unlock;
45934 spin_unlock(&cookie->lock);
45935
45936 - fscache_stat(&fscache_n_retrieval_ops);
45937 + fscache_stat_unchecked(&fscache_n_retrieval_ops);
45938
45939 /* pin the netfs read context in case we need to do the actual netfs
45940 * read because we've encountered a cache read failure */
45941 @@ -552,15 +552,15 @@ int __fscache_read_or_alloc_pages(struct
45942
45943 error:
45944 if (ret == -ENOMEM)
45945 - fscache_stat(&fscache_n_retrievals_nomem);
45946 + fscache_stat_unchecked(&fscache_n_retrievals_nomem);
45947 else if (ret == -ERESTARTSYS)
45948 - fscache_stat(&fscache_n_retrievals_intr);
45949 + fscache_stat_unchecked(&fscache_n_retrievals_intr);
45950 else if (ret == -ENODATA)
45951 - fscache_stat(&fscache_n_retrievals_nodata);
45952 + fscache_stat_unchecked(&fscache_n_retrievals_nodata);
45953 else if (ret < 0)
45954 - fscache_stat(&fscache_n_retrievals_nobufs);
45955 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
45956 else
45957 - fscache_stat(&fscache_n_retrievals_ok);
45958 + fscache_stat_unchecked(&fscache_n_retrievals_ok);
45959
45960 fscache_put_retrieval(op);
45961 _leave(" = %d", ret);
45962 @@ -570,7 +570,7 @@ nobufs_unlock:
45963 spin_unlock(&cookie->lock);
45964 kfree(op);
45965 nobufs:
45966 - fscache_stat(&fscache_n_retrievals_nobufs);
45967 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
45968 _leave(" = -ENOBUFS");
45969 return -ENOBUFS;
45970 }
45971 @@ -594,7 +594,7 @@ int __fscache_alloc_page(struct fscache_
45972
45973 _enter("%p,%p,,,", cookie, page);
45974
45975 - fscache_stat(&fscache_n_allocs);
45976 + fscache_stat_unchecked(&fscache_n_allocs);
45977
45978 if (hlist_empty(&cookie->backing_objects))
45979 goto nobufs;
45980 @@ -621,7 +621,7 @@ int __fscache_alloc_page(struct fscache_
45981 goto nobufs_unlock;
45982 spin_unlock(&cookie->lock);
45983
45984 - fscache_stat(&fscache_n_alloc_ops);
45985 + fscache_stat_unchecked(&fscache_n_alloc_ops);
45986
45987 ret = fscache_wait_for_retrieval_activation(
45988 object, op,
45989 @@ -637,11 +637,11 @@ int __fscache_alloc_page(struct fscache_
45990
45991 error:
45992 if (ret == -ERESTARTSYS)
45993 - fscache_stat(&fscache_n_allocs_intr);
45994 + fscache_stat_unchecked(&fscache_n_allocs_intr);
45995 else if (ret < 0)
45996 - fscache_stat(&fscache_n_allocs_nobufs);
45997 + fscache_stat_unchecked(&fscache_n_allocs_nobufs);
45998 else
45999 - fscache_stat(&fscache_n_allocs_ok);
46000 + fscache_stat_unchecked(&fscache_n_allocs_ok);
46001
46002 fscache_put_retrieval(op);
46003 _leave(" = %d", ret);
46004 @@ -651,7 +651,7 @@ nobufs_unlock:
46005 spin_unlock(&cookie->lock);
46006 kfree(op);
46007 nobufs:
46008 - fscache_stat(&fscache_n_allocs_nobufs);
46009 + fscache_stat_unchecked(&fscache_n_allocs_nobufs);
46010 _leave(" = -ENOBUFS");
46011 return -ENOBUFS;
46012 }
46013 @@ -694,7 +694,7 @@ static void fscache_write_op(struct fsca
46014
46015 spin_lock(&cookie->stores_lock);
46016
46017 - fscache_stat(&fscache_n_store_calls);
46018 + fscache_stat_unchecked(&fscache_n_store_calls);
46019
46020 /* find a page to store */
46021 page = NULL;
46022 @@ -705,7 +705,7 @@ static void fscache_write_op(struct fsca
46023 page = results[0];
46024 _debug("gang %d [%lx]", n, page->index);
46025 if (page->index > op->store_limit) {
46026 - fscache_stat(&fscache_n_store_pages_over_limit);
46027 + fscache_stat_unchecked(&fscache_n_store_pages_over_limit);
46028 goto superseded;
46029 }
46030
46031 @@ -721,7 +721,7 @@ static void fscache_write_op(struct fsca
46032
46033 if (page) {
46034 fscache_set_op_state(&op->op, "Store");
46035 - fscache_stat(&fscache_n_store_pages);
46036 + fscache_stat_unchecked(&fscache_n_store_pages);
46037 fscache_stat(&fscache_n_cop_write_page);
46038 ret = object->cache->ops->write_page(op, page);
46039 fscache_stat_d(&fscache_n_cop_write_page);
46040 @@ -792,7 +792,7 @@ int __fscache_write_page(struct fscache_
46041 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
46042 ASSERT(PageFsCache(page));
46043
46044 - fscache_stat(&fscache_n_stores);
46045 + fscache_stat_unchecked(&fscache_n_stores);
46046
46047 op = kzalloc(sizeof(*op), GFP_NOIO);
46048 if (!op)
46049 @@ -844,7 +844,7 @@ int __fscache_write_page(struct fscache_
46050 spin_unlock(&cookie->stores_lock);
46051 spin_unlock(&object->lock);
46052
46053 - op->op.debug_id = atomic_inc_return(&fscache_op_debug_id);
46054 + op->op.debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
46055 op->store_limit = object->store_limit;
46056
46057 if (fscache_submit_op(object, &op->op) < 0)
46058 @@ -852,8 +852,8 @@ int __fscache_write_page(struct fscache_
46059
46060 spin_unlock(&cookie->lock);
46061 radix_tree_preload_end();
46062 - fscache_stat(&fscache_n_store_ops);
46063 - fscache_stat(&fscache_n_stores_ok);
46064 + fscache_stat_unchecked(&fscache_n_store_ops);
46065 + fscache_stat_unchecked(&fscache_n_stores_ok);
46066
46067 /* the slow work queue now carries its own ref on the object */
46068 fscache_put_operation(&op->op);
46069 @@ -861,14 +861,14 @@ int __fscache_write_page(struct fscache_
46070 return 0;
46071
46072 already_queued:
46073 - fscache_stat(&fscache_n_stores_again);
46074 + fscache_stat_unchecked(&fscache_n_stores_again);
46075 already_pending:
46076 spin_unlock(&cookie->stores_lock);
46077 spin_unlock(&object->lock);
46078 spin_unlock(&cookie->lock);
46079 radix_tree_preload_end();
46080 kfree(op);
46081 - fscache_stat(&fscache_n_stores_ok);
46082 + fscache_stat_unchecked(&fscache_n_stores_ok);
46083 _leave(" = 0");
46084 return 0;
46085
46086 @@ -886,14 +886,14 @@ nobufs:
46087 spin_unlock(&cookie->lock);
46088 radix_tree_preload_end();
46089 kfree(op);
46090 - fscache_stat(&fscache_n_stores_nobufs);
46091 + fscache_stat_unchecked(&fscache_n_stores_nobufs);
46092 _leave(" = -ENOBUFS");
46093 return -ENOBUFS;
46094
46095 nomem_free:
46096 kfree(op);
46097 nomem:
46098 - fscache_stat(&fscache_n_stores_oom);
46099 + fscache_stat_unchecked(&fscache_n_stores_oom);
46100 _leave(" = -ENOMEM");
46101 return -ENOMEM;
46102 }
46103 @@ -911,7 +911,7 @@ void __fscache_uncache_page(struct fscac
46104 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
46105 ASSERTCMP(page, !=, NULL);
46106
46107 - fscache_stat(&fscache_n_uncaches);
46108 + fscache_stat_unchecked(&fscache_n_uncaches);
46109
46110 /* cache withdrawal may beat us to it */
46111 if (!PageFsCache(page))
46112 @@ -964,7 +964,7 @@ void fscache_mark_pages_cached(struct fs
46113 unsigned long loop;
46114
46115 #ifdef CONFIG_FSCACHE_STATS
46116 - atomic_add(pagevec->nr, &fscache_n_marks);
46117 + atomic_add_unchecked(pagevec->nr, &fscache_n_marks);
46118 #endif
46119
46120 for (loop = 0; loop < pagevec->nr; loop++) {
46121 diff -urNp linux-2.6.32.46/fs/fscache/stats.c linux-2.6.32.46/fs/fscache/stats.c
46122 --- linux-2.6.32.46/fs/fscache/stats.c 2011-03-27 14:31:47.000000000 -0400
46123 +++ linux-2.6.32.46/fs/fscache/stats.c 2011-05-04 17:56:28.000000000 -0400
46124 @@ -18,95 +18,95 @@
46125 /*
46126 * operation counters
46127 */
46128 -atomic_t fscache_n_op_pend;
46129 -atomic_t fscache_n_op_run;
46130 -atomic_t fscache_n_op_enqueue;
46131 -atomic_t fscache_n_op_requeue;
46132 -atomic_t fscache_n_op_deferred_release;
46133 -atomic_t fscache_n_op_release;
46134 -atomic_t fscache_n_op_gc;
46135 -atomic_t fscache_n_op_cancelled;
46136 -atomic_t fscache_n_op_rejected;
46137 -
46138 -atomic_t fscache_n_attr_changed;
46139 -atomic_t fscache_n_attr_changed_ok;
46140 -atomic_t fscache_n_attr_changed_nobufs;
46141 -atomic_t fscache_n_attr_changed_nomem;
46142 -atomic_t fscache_n_attr_changed_calls;
46143 -
46144 -atomic_t fscache_n_allocs;
46145 -atomic_t fscache_n_allocs_ok;
46146 -atomic_t fscache_n_allocs_wait;
46147 -atomic_t fscache_n_allocs_nobufs;
46148 -atomic_t fscache_n_allocs_intr;
46149 -atomic_t fscache_n_allocs_object_dead;
46150 -atomic_t fscache_n_alloc_ops;
46151 -atomic_t fscache_n_alloc_op_waits;
46152 -
46153 -atomic_t fscache_n_retrievals;
46154 -atomic_t fscache_n_retrievals_ok;
46155 -atomic_t fscache_n_retrievals_wait;
46156 -atomic_t fscache_n_retrievals_nodata;
46157 -atomic_t fscache_n_retrievals_nobufs;
46158 -atomic_t fscache_n_retrievals_intr;
46159 -atomic_t fscache_n_retrievals_nomem;
46160 -atomic_t fscache_n_retrievals_object_dead;
46161 -atomic_t fscache_n_retrieval_ops;
46162 -atomic_t fscache_n_retrieval_op_waits;
46163 -
46164 -atomic_t fscache_n_stores;
46165 -atomic_t fscache_n_stores_ok;
46166 -atomic_t fscache_n_stores_again;
46167 -atomic_t fscache_n_stores_nobufs;
46168 -atomic_t fscache_n_stores_oom;
46169 -atomic_t fscache_n_store_ops;
46170 -atomic_t fscache_n_store_calls;
46171 -atomic_t fscache_n_store_pages;
46172 -atomic_t fscache_n_store_radix_deletes;
46173 -atomic_t fscache_n_store_pages_over_limit;
46174 -
46175 -atomic_t fscache_n_store_vmscan_not_storing;
46176 -atomic_t fscache_n_store_vmscan_gone;
46177 -atomic_t fscache_n_store_vmscan_busy;
46178 -atomic_t fscache_n_store_vmscan_cancelled;
46179 -
46180 -atomic_t fscache_n_marks;
46181 -atomic_t fscache_n_uncaches;
46182 -
46183 -atomic_t fscache_n_acquires;
46184 -atomic_t fscache_n_acquires_null;
46185 -atomic_t fscache_n_acquires_no_cache;
46186 -atomic_t fscache_n_acquires_ok;
46187 -atomic_t fscache_n_acquires_nobufs;
46188 -atomic_t fscache_n_acquires_oom;
46189 -
46190 -atomic_t fscache_n_updates;
46191 -atomic_t fscache_n_updates_null;
46192 -atomic_t fscache_n_updates_run;
46193 -
46194 -atomic_t fscache_n_relinquishes;
46195 -atomic_t fscache_n_relinquishes_null;
46196 -atomic_t fscache_n_relinquishes_waitcrt;
46197 -atomic_t fscache_n_relinquishes_retire;
46198 -
46199 -atomic_t fscache_n_cookie_index;
46200 -atomic_t fscache_n_cookie_data;
46201 -atomic_t fscache_n_cookie_special;
46202 -
46203 -atomic_t fscache_n_object_alloc;
46204 -atomic_t fscache_n_object_no_alloc;
46205 -atomic_t fscache_n_object_lookups;
46206 -atomic_t fscache_n_object_lookups_negative;
46207 -atomic_t fscache_n_object_lookups_positive;
46208 -atomic_t fscache_n_object_lookups_timed_out;
46209 -atomic_t fscache_n_object_created;
46210 -atomic_t fscache_n_object_avail;
46211 -atomic_t fscache_n_object_dead;
46212 -
46213 -atomic_t fscache_n_checkaux_none;
46214 -atomic_t fscache_n_checkaux_okay;
46215 -atomic_t fscache_n_checkaux_update;
46216 -atomic_t fscache_n_checkaux_obsolete;
46217 +atomic_unchecked_t fscache_n_op_pend;
46218 +atomic_unchecked_t fscache_n_op_run;
46219 +atomic_unchecked_t fscache_n_op_enqueue;
46220 +atomic_unchecked_t fscache_n_op_requeue;
46221 +atomic_unchecked_t fscache_n_op_deferred_release;
46222 +atomic_unchecked_t fscache_n_op_release;
46223 +atomic_unchecked_t fscache_n_op_gc;
46224 +atomic_unchecked_t fscache_n_op_cancelled;
46225 +atomic_unchecked_t fscache_n_op_rejected;
46226 +
46227 +atomic_unchecked_t fscache_n_attr_changed;
46228 +atomic_unchecked_t fscache_n_attr_changed_ok;
46229 +atomic_unchecked_t fscache_n_attr_changed_nobufs;
46230 +atomic_unchecked_t fscache_n_attr_changed_nomem;
46231 +atomic_unchecked_t fscache_n_attr_changed_calls;
46232 +
46233 +atomic_unchecked_t fscache_n_allocs;
46234 +atomic_unchecked_t fscache_n_allocs_ok;
46235 +atomic_unchecked_t fscache_n_allocs_wait;
46236 +atomic_unchecked_t fscache_n_allocs_nobufs;
46237 +atomic_unchecked_t fscache_n_allocs_intr;
46238 +atomic_unchecked_t fscache_n_allocs_object_dead;
46239 +atomic_unchecked_t fscache_n_alloc_ops;
46240 +atomic_unchecked_t fscache_n_alloc_op_waits;
46241 +
46242 +atomic_unchecked_t fscache_n_retrievals;
46243 +atomic_unchecked_t fscache_n_retrievals_ok;
46244 +atomic_unchecked_t fscache_n_retrievals_wait;
46245 +atomic_unchecked_t fscache_n_retrievals_nodata;
46246 +atomic_unchecked_t fscache_n_retrievals_nobufs;
46247 +atomic_unchecked_t fscache_n_retrievals_intr;
46248 +atomic_unchecked_t fscache_n_retrievals_nomem;
46249 +atomic_unchecked_t fscache_n_retrievals_object_dead;
46250 +atomic_unchecked_t fscache_n_retrieval_ops;
46251 +atomic_unchecked_t fscache_n_retrieval_op_waits;
46252 +
46253 +atomic_unchecked_t fscache_n_stores;
46254 +atomic_unchecked_t fscache_n_stores_ok;
46255 +atomic_unchecked_t fscache_n_stores_again;
46256 +atomic_unchecked_t fscache_n_stores_nobufs;
46257 +atomic_unchecked_t fscache_n_stores_oom;
46258 +atomic_unchecked_t fscache_n_store_ops;
46259 +atomic_unchecked_t fscache_n_store_calls;
46260 +atomic_unchecked_t fscache_n_store_pages;
46261 +atomic_unchecked_t fscache_n_store_radix_deletes;
46262 +atomic_unchecked_t fscache_n_store_pages_over_limit;
46263 +
46264 +atomic_unchecked_t fscache_n_store_vmscan_not_storing;
46265 +atomic_unchecked_t fscache_n_store_vmscan_gone;
46266 +atomic_unchecked_t fscache_n_store_vmscan_busy;
46267 +atomic_unchecked_t fscache_n_store_vmscan_cancelled;
46268 +
46269 +atomic_unchecked_t fscache_n_marks;
46270 +atomic_unchecked_t fscache_n_uncaches;
46271 +
46272 +atomic_unchecked_t fscache_n_acquires;
46273 +atomic_unchecked_t fscache_n_acquires_null;
46274 +atomic_unchecked_t fscache_n_acquires_no_cache;
46275 +atomic_unchecked_t fscache_n_acquires_ok;
46276 +atomic_unchecked_t fscache_n_acquires_nobufs;
46277 +atomic_unchecked_t fscache_n_acquires_oom;
46278 +
46279 +atomic_unchecked_t fscache_n_updates;
46280 +atomic_unchecked_t fscache_n_updates_null;
46281 +atomic_unchecked_t fscache_n_updates_run;
46282 +
46283 +atomic_unchecked_t fscache_n_relinquishes;
46284 +atomic_unchecked_t fscache_n_relinquishes_null;
46285 +atomic_unchecked_t fscache_n_relinquishes_waitcrt;
46286 +atomic_unchecked_t fscache_n_relinquishes_retire;
46287 +
46288 +atomic_unchecked_t fscache_n_cookie_index;
46289 +atomic_unchecked_t fscache_n_cookie_data;
46290 +atomic_unchecked_t fscache_n_cookie_special;
46291 +
46292 +atomic_unchecked_t fscache_n_object_alloc;
46293 +atomic_unchecked_t fscache_n_object_no_alloc;
46294 +atomic_unchecked_t fscache_n_object_lookups;
46295 +atomic_unchecked_t fscache_n_object_lookups_negative;
46296 +atomic_unchecked_t fscache_n_object_lookups_positive;
46297 +atomic_unchecked_t fscache_n_object_lookups_timed_out;
46298 +atomic_unchecked_t fscache_n_object_created;
46299 +atomic_unchecked_t fscache_n_object_avail;
46300 +atomic_unchecked_t fscache_n_object_dead;
46301 +
46302 +atomic_unchecked_t fscache_n_checkaux_none;
46303 +atomic_unchecked_t fscache_n_checkaux_okay;
46304 +atomic_unchecked_t fscache_n_checkaux_update;
46305 +atomic_unchecked_t fscache_n_checkaux_obsolete;
46306
46307 atomic_t fscache_n_cop_alloc_object;
46308 atomic_t fscache_n_cop_lookup_object;
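Review bot: Nothing at these declarations says why the event counters become `atomic_unchecked_t` while the `fscache_n_cop_*` counters just below stay `atomic_t`. The same split appears in fscache_write_op in page.c, where `fscache_n_store_pages` moves to `fscache_stat_unchecked()` next to `fscache_stat()`/`fscache_stat_d()` on `fscache_n_cop_write_page`. Presumably the converted counters only ever increment and may wrap harmlessly, whereas the cop counters are incremented and decremented around each cache operation and so keep overflow checking. A one-line comment above the block, such as `/* statistics only: wrap-around is harmless, so these are exempt from overflow checking */`, would keep a later counter from being added with the wrong type.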
46309 @@ -133,113 +133,113 @@ static int fscache_stats_show(struct seq
46310 seq_puts(m, "FS-Cache statistics\n");
46311
46312 seq_printf(m, "Cookies: idx=%u dat=%u spc=%u\n",
46313 - atomic_read(&fscache_n_cookie_index),
46314 - atomic_read(&fscache_n_cookie_data),
46315 - atomic_read(&fscache_n_cookie_special));
46316 + atomic_read_unchecked(&fscache_n_cookie_index),
46317 + atomic_read_unchecked(&fscache_n_cookie_data),
46318 + atomic_read_unchecked(&fscache_n_cookie_special));
46319
46320 seq_printf(m, "Objects: alc=%u nal=%u avl=%u ded=%u\n",
46321 - atomic_read(&fscache_n_object_alloc),
46322 - atomic_read(&fscache_n_object_no_alloc),
46323 - atomic_read(&fscache_n_object_avail),
46324 - atomic_read(&fscache_n_object_dead));
46325 + atomic_read_unchecked(&fscache_n_object_alloc),
46326 + atomic_read_unchecked(&fscache_n_object_no_alloc),
46327 + atomic_read_unchecked(&fscache_n_object_avail),
46328 + atomic_read_unchecked(&fscache_n_object_dead));
46329 seq_printf(m, "ChkAux : non=%u ok=%u upd=%u obs=%u\n",
46330 - atomic_read(&fscache_n_checkaux_none),
46331 - atomic_read(&fscache_n_checkaux_okay),
46332 - atomic_read(&fscache_n_checkaux_update),
46333 - atomic_read(&fscache_n_checkaux_obsolete));
46334 + atomic_read_unchecked(&fscache_n_checkaux_none),
46335 + atomic_read_unchecked(&fscache_n_checkaux_okay),
46336 + atomic_read_unchecked(&fscache_n_checkaux_update),
46337 + atomic_read_unchecked(&fscache_n_checkaux_obsolete));
46338
46339 seq_printf(m, "Pages : mrk=%u unc=%u\n",
46340 - atomic_read(&fscache_n_marks),
46341 - atomic_read(&fscache_n_uncaches));
46342 + atomic_read_unchecked(&fscache_n_marks),
46343 + atomic_read_unchecked(&fscache_n_uncaches));
46344
46345 seq_printf(m, "Acquire: n=%u nul=%u noc=%u ok=%u nbf=%u"
46346 " oom=%u\n",
46347 - atomic_read(&fscache_n_acquires),
46348 - atomic_read(&fscache_n_acquires_null),
46349 - atomic_read(&fscache_n_acquires_no_cache),
46350 - atomic_read(&fscache_n_acquires_ok),
46351 - atomic_read(&fscache_n_acquires_nobufs),
46352 - atomic_read(&fscache_n_acquires_oom));
46353 + atomic_read_unchecked(&fscache_n_acquires),
46354 + atomic_read_unchecked(&fscache_n_acquires_null),
46355 + atomic_read_unchecked(&fscache_n_acquires_no_cache),
46356 + atomic_read_unchecked(&fscache_n_acquires_ok),
46357 + atomic_read_unchecked(&fscache_n_acquires_nobufs),
46358 + atomic_read_unchecked(&fscache_n_acquires_oom));
46359
46360 seq_printf(m, "Lookups: n=%u neg=%u pos=%u crt=%u tmo=%u\n",
46361 - atomic_read(&fscache_n_object_lookups),
46362 - atomic_read(&fscache_n_object_lookups_negative),
46363 - atomic_read(&fscache_n_object_lookups_positive),
46364 - atomic_read(&fscache_n_object_lookups_timed_out),
46365 - atomic_read(&fscache_n_object_created));
46366 + atomic_read_unchecked(&fscache_n_object_lookups),
46367 + atomic_read_unchecked(&fscache_n_object_lookups_negative),
46368 + atomic_read_unchecked(&fscache_n_object_lookups_positive),
46369 + atomic_read_unchecked(&fscache_n_object_lookups_timed_out),
46370 + atomic_read_unchecked(&fscache_n_object_created));
46371
46372 seq_printf(m, "Updates: n=%u nul=%u run=%u\n",
46373 - atomic_read(&fscache_n_updates),
46374 - atomic_read(&fscache_n_updates_null),
46375 - atomic_read(&fscache_n_updates_run));
46376 + atomic_read_unchecked(&fscache_n_updates),
46377 + atomic_read_unchecked(&fscache_n_updates_null),
46378 + atomic_read_unchecked(&fscache_n_updates_run));
46379
46380 seq_printf(m, "Relinqs: n=%u nul=%u wcr=%u rtr=%u\n",
46381 - atomic_read(&fscache_n_relinquishes),
46382 - atomic_read(&fscache_n_relinquishes_null),
46383 - atomic_read(&fscache_n_relinquishes_waitcrt),
46384 - atomic_read(&fscache_n_relinquishes_retire));
46385 + atomic_read_unchecked(&fscache_n_relinquishes),
46386 + atomic_read_unchecked(&fscache_n_relinquishes_null),
46387 + atomic_read_unchecked(&fscache_n_relinquishes_waitcrt),
46388 + atomic_read_unchecked(&fscache_n_relinquishes_retire));
46389
46390 seq_printf(m, "AttrChg: n=%u ok=%u nbf=%u oom=%u run=%u\n",
46391 - atomic_read(&fscache_n_attr_changed),
46392 - atomic_read(&fscache_n_attr_changed_ok),
46393 - atomic_read(&fscache_n_attr_changed_nobufs),
46394 - atomic_read(&fscache_n_attr_changed_nomem),
46395 - atomic_read(&fscache_n_attr_changed_calls));
46396 + atomic_read_unchecked(&fscache_n_attr_changed),
46397 + atomic_read_unchecked(&fscache_n_attr_changed_ok),
46398 + atomic_read_unchecked(&fscache_n_attr_changed_nobufs),
46399 + atomic_read_unchecked(&fscache_n_attr_changed_nomem),
46400 + atomic_read_unchecked(&fscache_n_attr_changed_calls));
46401
46402 seq_printf(m, "Allocs : n=%u ok=%u wt=%u nbf=%u int=%u\n",
46403 - atomic_read(&fscache_n_allocs),
46404 - atomic_read(&fscache_n_allocs_ok),
46405 - atomic_read(&fscache_n_allocs_wait),
46406 - atomic_read(&fscache_n_allocs_nobufs),
46407 - atomic_read(&fscache_n_allocs_intr));
46408 + atomic_read_unchecked(&fscache_n_allocs),
46409 + atomic_read_unchecked(&fscache_n_allocs_ok),
46410 + atomic_read_unchecked(&fscache_n_allocs_wait),
46411 + atomic_read_unchecked(&fscache_n_allocs_nobufs),
46412 + atomic_read_unchecked(&fscache_n_allocs_intr));
46413 seq_printf(m, "Allocs : ops=%u owt=%u abt=%u\n",
46414 - atomic_read(&fscache_n_alloc_ops),
46415 - atomic_read(&fscache_n_alloc_op_waits),
46416 - atomic_read(&fscache_n_allocs_object_dead));
46417 + atomic_read_unchecked(&fscache_n_alloc_ops),
46418 + atomic_read_unchecked(&fscache_n_alloc_op_waits),
46419 + atomic_read_unchecked(&fscache_n_allocs_object_dead));
46420
46421 seq_printf(m, "Retrvls: n=%u ok=%u wt=%u nod=%u nbf=%u"
46422 " int=%u oom=%u\n",
46423 - atomic_read(&fscache_n_retrievals),
46424 - atomic_read(&fscache_n_retrievals_ok),
46425 - atomic_read(&fscache_n_retrievals_wait),
46426 - atomic_read(&fscache_n_retrievals_nodata),
46427 - atomic_read(&fscache_n_retrievals_nobufs),
46428 - atomic_read(&fscache_n_retrievals_intr),
46429 - atomic_read(&fscache_n_retrievals_nomem));
46430 + atomic_read_unchecked(&fscache_n_retrievals),
46431 + atomic_read_unchecked(&fscache_n_retrievals_ok),
46432 + atomic_read_unchecked(&fscache_n_retrievals_wait),
46433 + atomic_read_unchecked(&fscache_n_retrievals_nodata),
46434 + atomic_read_unchecked(&fscache_n_retrievals_nobufs),
46435 + atomic_read_unchecked(&fscache_n_retrievals_intr),
46436 + atomic_read_unchecked(&fscache_n_retrievals_nomem));
46437 seq_printf(m, "Retrvls: ops=%u owt=%u abt=%u\n",
46438 - atomic_read(&fscache_n_retrieval_ops),
46439 - atomic_read(&fscache_n_retrieval_op_waits),
46440 - atomic_read(&fscache_n_retrievals_object_dead));
46441 + atomic_read_unchecked(&fscache_n_retrieval_ops),
46442 + atomic_read_unchecked(&fscache_n_retrieval_op_waits),
46443 + atomic_read_unchecked(&fscache_n_retrievals_object_dead));
46444
46445 seq_printf(m, "Stores : n=%u ok=%u agn=%u nbf=%u oom=%u\n",
46446 - atomic_read(&fscache_n_stores),
46447 - atomic_read(&fscache_n_stores_ok),
46448 - atomic_read(&fscache_n_stores_again),
46449 - atomic_read(&fscache_n_stores_nobufs),
46450 - atomic_read(&fscache_n_stores_oom));
46451 + atomic_read_unchecked(&fscache_n_stores),
46452 + atomic_read_unchecked(&fscache_n_stores_ok),
46453 + atomic_read_unchecked(&fscache_n_stores_again),
46454 + atomic_read_unchecked(&fscache_n_stores_nobufs),
46455 + atomic_read_unchecked(&fscache_n_stores_oom));
46456 seq_printf(m, "Stores : ops=%u run=%u pgs=%u rxd=%u olm=%u\n",
46457 - atomic_read(&fscache_n_store_ops),
46458 - atomic_read(&fscache_n_store_calls),
46459 - atomic_read(&fscache_n_store_pages),
46460 - atomic_read(&fscache_n_store_radix_deletes),
46461 - atomic_read(&fscache_n_store_pages_over_limit));
46462 + atomic_read_unchecked(&fscache_n_store_ops),
46463 + atomic_read_unchecked(&fscache_n_store_calls),
46464 + atomic_read_unchecked(&fscache_n_store_pages),
46465 + atomic_read_unchecked(&fscache_n_store_radix_deletes),
46466 + atomic_read_unchecked(&fscache_n_store_pages_over_limit));
46467
46468 seq_printf(m, "VmScan : nos=%u gon=%u bsy=%u can=%u\n",
46469 - atomic_read(&fscache_n_store_vmscan_not_storing),
46470 - atomic_read(&fscache_n_store_vmscan_gone),
46471 - atomic_read(&fscache_n_store_vmscan_busy),
46472 - atomic_read(&fscache_n_store_vmscan_cancelled));
46473 + atomic_read_unchecked(&fscache_n_store_vmscan_not_storing),
46474 + atomic_read_unchecked(&fscache_n_store_vmscan_gone),
46475 + atomic_read_unchecked(&fscache_n_store_vmscan_busy),
46476 + atomic_read_unchecked(&fscache_n_store_vmscan_cancelled));
46477
46478 seq_printf(m, "Ops : pend=%u run=%u enq=%u can=%u rej=%u\n",
46479 - atomic_read(&fscache_n_op_pend),
46480 - atomic_read(&fscache_n_op_run),
46481 - atomic_read(&fscache_n_op_enqueue),
46482 - atomic_read(&fscache_n_op_cancelled),
46483 - atomic_read(&fscache_n_op_rejected));
46484 + atomic_read_unchecked(&fscache_n_op_pend),
46485 + atomic_read_unchecked(&fscache_n_op_run),
46486 + atomic_read_unchecked(&fscache_n_op_enqueue),
46487 + atomic_read_unchecked(&fscache_n_op_cancelled),
46488 + atomic_read_unchecked(&fscache_n_op_rejected));
46489 seq_printf(m, "Ops : dfr=%u rel=%u gc=%u\n",
46490 - atomic_read(&fscache_n_op_deferred_release),
46491 - atomic_read(&fscache_n_op_release),
46492 - atomic_read(&fscache_n_op_gc));
46493 + atomic_read_unchecked(&fscache_n_op_deferred_release),
46494 + atomic_read_unchecked(&fscache_n_op_release),
46495 + atomic_read_unchecked(&fscache_n_op_gc));
46496
46497 seq_printf(m, "CacheOp: alo=%d luo=%d luc=%d gro=%d\n",
46498 atomic_read(&fscache_n_cop_alloc_object),
46499 diff -urNp linux-2.6.32.46/fs/fs_struct.c linux-2.6.32.46/fs/fs_struct.c
46500 --- linux-2.6.32.46/fs/fs_struct.c 2011-03-27 14:31:47.000000000 -0400
46501 +++ linux-2.6.32.46/fs/fs_struct.c 2011-04-17 15:56:46.000000000 -0400
46502 @@ -4,6 +4,7 @@
46503 #include <linux/path.h>
46504 #include <linux/slab.h>
46505 #include <linux/fs_struct.h>
46506 +#include <linux/grsecurity.h>
46507
46508 /*
46509 * Replace the fs->{rootmnt,root} with {mnt,dentry}. Put the old values.
46510 @@ -17,6 +18,7 @@ void set_fs_root(struct fs_struct *fs, s
46511 old_root = fs->root;
46512 fs->root = *path;
46513 path_get(path);
46514 + gr_set_chroot_entries(current, path);
46515 write_unlock(&fs->lock);
46516 if (old_root.dentry)
46517 path_put(&old_root);
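Review bot: The added `gr_set_chroot_entries(current, path);` updates only the calling task, although `fs` is a parameter and an fs_struct carries a `users` count, so it can be shared by several tasks. If the helper keeps per-task state, as its task argument suggests, tasks sharing this fs_struct would not see the new root recorded for them; its definition is not visible here, so this needs confirming. At minimum the assumption should be stated at the call, e.g. `/* callers pass current->fs; other tasks sharing fs are not updated here */`. The body of set_fs_root starts above this hunk.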
46518 @@ -56,6 +58,7 @@ void chroot_fs_refs(struct path *old_roo
46519 && fs->root.mnt == old_root->mnt) {
46520 path_get(new_root);
46521 fs->root = *new_root;
46522 + gr_set_chroot_entries(p, new_root);
46523 count++;
46524 }
46525 if (fs->pwd.dentry == old_root->dentry
46526 @@ -89,7 +92,8 @@ void exit_fs(struct task_struct *tsk)
46527 task_lock(tsk);
46528 write_lock(&fs->lock);
46529 tsk->fs = NULL;
46530 - kill = !--fs->users;
46531 + gr_clear_chroot_entries(tsk);
46532 + kill = !atomic_dec_return(&fs->users);
46533 write_unlock(&fs->lock);
46534 task_unlock(tsk);
46535 if (kill)
46536 @@ -102,7 +106,7 @@ struct fs_struct *copy_fs_struct(struct
46537 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
46538 /* We don't need to lock fs - think why ;-) */
46539 if (fs) {
46540 - fs->users = 1;
46541 + atomic_set(&fs->users, 1);
46542 fs->in_exec = 0;
46543 rwlock_init(&fs->lock);
46544 fs->umask = old->umask;
46545 @@ -127,8 +131,9 @@ int unshare_fs_struct(void)
46546
46547 task_lock(current);
46548 write_lock(&fs->lock);
46549 - kill = !--fs->users;
46550 + kill = !atomic_dec_return(&fs->users);
46551 current->fs = new_fs;
46552 + gr_set_chroot_entries(current, &new_fs->root);
46553 write_unlock(&fs->lock);
46554 task_unlock(current);
46555
46556 @@ -147,7 +152,7 @@ EXPORT_SYMBOL(current_umask);
46557
46558 /* to be mentioned only in INIT_TASK */
46559 struct fs_struct init_fs = {
46560 - .users = 1,
46561 + .users = ATOMIC_INIT(1),
46562 .lock = __RW_LOCK_UNLOCKED(init_fs.lock),
46563 .umask = 0022,
46564 };
46565 @@ -162,12 +167,13 @@ void daemonize_fs_struct(void)
46566 task_lock(current);
46567
46568 write_lock(&init_fs.lock);
46569 - init_fs.users++;
46570 + atomic_inc(&init_fs.users);
46571 write_unlock(&init_fs.lock);
46572
46573 write_lock(&fs->lock);
46574 current->fs = &init_fs;
46575 - kill = !--fs->users;
46576 + gr_set_chroot_entries(current, &current->fs->root);
46577 + kill = !atomic_dec_return(&fs->users);
46578 write_unlock(&fs->lock);
46579
46580 task_unlock(current);
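Review bot: In daemonize_fs_struct the new call `gr_set_chroot_entries(current, &current->fs->root);` reads `init_fs.root` after `init_fs.lock` has been dropped, because `current->fs` was set to `&init_fs` on the line before and only the old `fs->lock` is held at that point. Passing `&init_fs.root` directly would make the source of the path obvious. If the helper has no ordering requirement against the `current->fs` assignment (its definition is not in this hunk), the call could move into the `write_lock(&init_fs.lock)` section above so the root is read under its own lock. The function begins and ends outside this hunk.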
46581 diff -urNp linux-2.6.32.46/fs/fuse/cuse.c linux-2.6.32.46/fs/fuse/cuse.c
46582 --- linux-2.6.32.46/fs/fuse/cuse.c 2011-03-27 14:31:47.000000000 -0400
46583 +++ linux-2.6.32.46/fs/fuse/cuse.c 2011-08-05 20:33:55.000000000 -0400
46584 @@ -576,10 +576,12 @@ static int __init cuse_init(void)
46585 INIT_LIST_HEAD(&cuse_conntbl[i]);
46586
46587 /* inherit and extend fuse_dev_operations */
46588 - cuse_channel_fops = fuse_dev_operations;
46589 - cuse_channel_fops.owner = THIS_MODULE;
46590 - cuse_channel_fops.open = cuse_channel_open;
46591 - cuse_channel_fops.release = cuse_channel_release;
46592 + pax_open_kernel();
46593 + memcpy((void *)&cuse_channel_fops, &fuse_dev_operations, sizeof(fuse_dev_operations));
46594 + *(void **)&cuse_channel_fops.owner = THIS_MODULE;
46595 + *(void **)&cuse_channel_fops.open = cuse_channel_open;
46596 + *(void **)&cuse_channel_fops.release = cuse_channel_release;
46597 + pax_close_kernel();
46598
46599 cuse_class = class_create(THIS_MODULE, "cuse");
46600 if (IS_ERR(cuse_class))
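Review bot: The `memcpy` into `cuse_channel_fops` is sized by the source, `sizeof(fuse_dev_operations)`, and the three stores after it go through `*(void **)&` casts, so the compiler checks neither the copy length nor the pointer types. Sizing by the destination, `memcpy((void *)&cuse_channel_fops, &fuse_dev_operations, sizeof(cuse_channel_fops));`, keeps the bound tied to the object being written. A short comment above `pax_open_kernel()` should say why the table needs an explicit write window (presumably it is read-only otherwise) and that the casts exist only to get past its const qualification. The same cast pattern appears in the fs/mbcache.c hunk without the open/close pair, which deserves the same comment. The declaration of `cuse_channel_fops` and the start of `cuse_init` are outside the hunk.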
46601 diff -urNp linux-2.6.32.46/fs/fuse/dev.c linux-2.6.32.46/fs/fuse/dev.c
46602 --- linux-2.6.32.46/fs/fuse/dev.c 2011-08-29 22:24:44.000000000 -0400
46603 +++ linux-2.6.32.46/fs/fuse/dev.c 2011-08-29 22:25:07.000000000 -0400
46604 @@ -885,7 +885,7 @@ static int fuse_notify_inval_entry(struc
46605 {
46606 struct fuse_notify_inval_entry_out outarg;
46607 int err = -EINVAL;
46608 - char buf[FUSE_NAME_MAX+1];
46609 + char *buf = NULL;
46610 struct qstr name;
46611
46612 if (size < sizeof(outarg))
46613 @@ -899,6 +899,11 @@ static int fuse_notify_inval_entry(struc
46614 if (outarg.namelen > FUSE_NAME_MAX)
46615 goto err;
46616
46617 + err = -ENOMEM;
46618 + buf = kmalloc(FUSE_NAME_MAX+1, GFP_KERNEL);
46619 + if (!buf)
46620 + goto err;
46621 +
46622 err = -EINVAL;
46623 if (size != sizeof(outarg) + outarg.namelen + 1)
46624 goto err;
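Review bot: The buffer is allocated before the message length has been validated, and always at the maximum size: `kmalloc(FUSE_NAME_MAX+1, GFP_KERNEL)` runs ahead of the `size != sizeof(outarg) + outarg.namelen + 1` test, so a malformed notification still costs an allocation and a free. Since `outarg.namelen` has already been bounded by `FUSE_NAME_MAX` at that point, the added lines could move below the size test and request `kmalloc(outarg.namelen + 1, GFP_KERNEL)`. The code that fills `buf` lies outside this hunk, so confirm it writes no more than `namelen + 1` bytes before shrinking the allocation.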
46625 @@ -914,17 +919,15 @@ static int fuse_notify_inval_entry(struc
46626
46627 down_read(&fc->killsb);
46628 err = -ENOENT;
46629 - if (!fc->sb)
46630 - goto err_unlock;
46631 -
46632 - err = fuse_reverse_inval_entry(fc->sb, outarg.parent, &name);
46633 -
46634 -err_unlock:
46635 + if (fc->sb)
46636 + err = fuse_reverse_inval_entry(fc->sb, outarg.parent, &name);
46637 up_read(&fc->killsb);
46638 + kfree(buf);
46639 return err;
46640
46641 err:
46642 fuse_copy_finish(cs);
46643 + kfree(buf);
46644 return err;
46645 }
46646
46647 diff -urNp linux-2.6.32.46/fs/fuse/dir.c linux-2.6.32.46/fs/fuse/dir.c
46648 --- linux-2.6.32.46/fs/fuse/dir.c 2011-03-27 14:31:47.000000000 -0400
46649 +++ linux-2.6.32.46/fs/fuse/dir.c 2011-04-17 15:56:46.000000000 -0400
46650 @@ -1127,7 +1127,7 @@ static char *read_link(struct dentry *de
46651 return link;
46652 }
46653
46654 -static void free_link(char *link)
46655 +static void free_link(const char *link)
46656 {
46657 if (!IS_ERR(link))
46658 free_page((unsigned long) link);
46659 diff -urNp linux-2.6.32.46/fs/gfs2/ops_inode.c linux-2.6.32.46/fs/gfs2/ops_inode.c
46660 --- linux-2.6.32.46/fs/gfs2/ops_inode.c 2011-03-27 14:31:47.000000000 -0400
46661 +++ linux-2.6.32.46/fs/gfs2/ops_inode.c 2011-05-16 21:46:57.000000000 -0400
46662 @@ -752,6 +752,8 @@ static int gfs2_rename(struct inode *odi
46663 unsigned int x;
46664 int error;
46665
46666 + pax_track_stack();
46667 +
46668 if (ndentry->d_inode) {
46669 nip = GFS2_I(ndentry->d_inode);
46670 if (ip == nip)
46671 diff -urNp linux-2.6.32.46/fs/gfs2/sys.c linux-2.6.32.46/fs/gfs2/sys.c
46672 --- linux-2.6.32.46/fs/gfs2/sys.c 2011-03-27 14:31:47.000000000 -0400
46673 +++ linux-2.6.32.46/fs/gfs2/sys.c 2011-04-17 15:56:46.000000000 -0400
46674 @@ -49,7 +49,7 @@ static ssize_t gfs2_attr_store(struct ko
46675 return a->store ? a->store(sdp, buf, len) : len;
46676 }
46677
46678 -static struct sysfs_ops gfs2_attr_ops = {
46679 +static const struct sysfs_ops gfs2_attr_ops = {
46680 .show = gfs2_attr_show,
46681 .store = gfs2_attr_store,
46682 };
46683 @@ -584,7 +584,7 @@ static int gfs2_uevent(struct kset *kset
46684 return 0;
46685 }
46686
46687 -static struct kset_uevent_ops gfs2_uevent_ops = {
46688 +static const struct kset_uevent_ops gfs2_uevent_ops = {
46689 .uevent = gfs2_uevent,
46690 };
46691
46692 diff -urNp linux-2.6.32.46/fs/hfsplus/catalog.c linux-2.6.32.46/fs/hfsplus/catalog.c
46693 --- linux-2.6.32.46/fs/hfsplus/catalog.c 2011-03-27 14:31:47.000000000 -0400
46694 +++ linux-2.6.32.46/fs/hfsplus/catalog.c 2011-05-16 21:46:57.000000000 -0400
46695 @@ -157,6 +157,8 @@ int hfsplus_find_cat(struct super_block
46696 int err;
46697 u16 type;
46698
46699 + pax_track_stack();
46700 +
46701 hfsplus_cat_build_key(sb, fd->search_key, cnid, NULL);
46702 err = hfs_brec_read(fd, &tmp, sizeof(hfsplus_cat_entry));
46703 if (err)
46704 @@ -186,6 +188,8 @@ int hfsplus_create_cat(u32 cnid, struct
46705 int entry_size;
46706 int err;
46707
46708 + pax_track_stack();
46709 +
46710 dprint(DBG_CAT_MOD, "create_cat: %s,%u(%d)\n", str->name, cnid, inode->i_nlink);
46711 sb = dir->i_sb;
46712 hfs_find_init(HFSPLUS_SB(sb).cat_tree, &fd);
46713 @@ -318,6 +322,8 @@ int hfsplus_rename_cat(u32 cnid,
46714 int entry_size, type;
46715 int err = 0;
46716
46717 + pax_track_stack();
46718 +
46719 dprint(DBG_CAT_MOD, "rename_cat: %u - %lu,%s - %lu,%s\n", cnid, src_dir->i_ino, src_name->name,
46720 dst_dir->i_ino, dst_name->name);
46721 sb = src_dir->i_sb;
46722 diff -urNp linux-2.6.32.46/fs/hfsplus/dir.c linux-2.6.32.46/fs/hfsplus/dir.c
46723 --- linux-2.6.32.46/fs/hfsplus/dir.c 2011-03-27 14:31:47.000000000 -0400
46724 +++ linux-2.6.32.46/fs/hfsplus/dir.c 2011-05-16 21:46:57.000000000 -0400
46725 @@ -121,6 +121,8 @@ static int hfsplus_readdir(struct file *
46726 struct hfsplus_readdir_data *rd;
46727 u16 type;
46728
46729 + pax_track_stack();
46730 +
46731 if (filp->f_pos >= inode->i_size)
46732 return 0;
46733
46734 diff -urNp linux-2.6.32.46/fs/hfsplus/inode.c linux-2.6.32.46/fs/hfsplus/inode.c
46735 --- linux-2.6.32.46/fs/hfsplus/inode.c 2011-03-27 14:31:47.000000000 -0400
46736 +++ linux-2.6.32.46/fs/hfsplus/inode.c 2011-05-16 21:46:57.000000000 -0400
46737 @@ -399,6 +399,8 @@ int hfsplus_cat_read_inode(struct inode
46738 int res = 0;
46739 u16 type;
46740
46741 + pax_track_stack();
46742 +
46743 type = hfs_bnode_read_u16(fd->bnode, fd->entryoffset);
46744
46745 HFSPLUS_I(inode).dev = 0;
46746 @@ -461,6 +463,8 @@ int hfsplus_cat_write_inode(struct inode
46747 struct hfs_find_data fd;
46748 hfsplus_cat_entry entry;
46749
46750 + pax_track_stack();
46751 +
46752 if (HFSPLUS_IS_RSRC(inode))
46753 main_inode = HFSPLUS_I(inode).rsrc_inode;
46754
46755 diff -urNp linux-2.6.32.46/fs/hfsplus/ioctl.c linux-2.6.32.46/fs/hfsplus/ioctl.c
46756 --- linux-2.6.32.46/fs/hfsplus/ioctl.c 2011-03-27 14:31:47.000000000 -0400
46757 +++ linux-2.6.32.46/fs/hfsplus/ioctl.c 2011-05-16 21:46:57.000000000 -0400
46758 @@ -101,6 +101,8 @@ int hfsplus_setxattr(struct dentry *dent
46759 struct hfsplus_cat_file *file;
46760 int res;
46761
46762 + pax_track_stack();
46763 +
46764 if (!S_ISREG(inode->i_mode) || HFSPLUS_IS_RSRC(inode))
46765 return -EOPNOTSUPP;
46766
46767 @@ -143,6 +145,8 @@ ssize_t hfsplus_getxattr(struct dentry *
46768 struct hfsplus_cat_file *file;
46769 ssize_t res = 0;
46770
46771 + pax_track_stack();
46772 +
46773 if (!S_ISREG(inode->i_mode) || HFSPLUS_IS_RSRC(inode))
46774 return -EOPNOTSUPP;
46775
46776 diff -urNp linux-2.6.32.46/fs/hfsplus/super.c linux-2.6.32.46/fs/hfsplus/super.c
46777 --- linux-2.6.32.46/fs/hfsplus/super.c 2011-03-27 14:31:47.000000000 -0400
46778 +++ linux-2.6.32.46/fs/hfsplus/super.c 2011-05-16 21:46:57.000000000 -0400
46779 @@ -312,6 +312,8 @@ static int hfsplus_fill_super(struct sup
46780 struct nls_table *nls = NULL;
46781 int err = -EINVAL;
46782
46783 + pax_track_stack();
46784 +
46785 sbi = kzalloc(sizeof(*sbi), GFP_KERNEL);
46786 if (!sbi)
46787 return -ENOMEM;
46788 diff -urNp linux-2.6.32.46/fs/hugetlbfs/inode.c linux-2.6.32.46/fs/hugetlbfs/inode.c
46789 --- linux-2.6.32.46/fs/hugetlbfs/inode.c 2011-03-27 14:31:47.000000000 -0400
46790 +++ linux-2.6.32.46/fs/hugetlbfs/inode.c 2011-04-17 15:56:46.000000000 -0400
46791 @@ -909,7 +909,7 @@ static struct file_system_type hugetlbfs
46792 .kill_sb = kill_litter_super,
46793 };
46794
46795 -static struct vfsmount *hugetlbfs_vfsmount;
46796 +struct vfsmount *hugetlbfs_vfsmount;
46797
46798 static int can_do_hugetlb_shm(void)
46799 {
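Review bot: Dropping `static` from `hugetlbfs_vfsmount` gives the variable external linkage, but nothing in this hunk declares it for other translation units or says who needs it. An `extern struct vfsmount *hugetlbfs_vfsmount;` in a shared header, plus a comment at the definition such as `/* non-static: also read by <consumer> */`, would keep the wider visibility deliberate. The consumer is not visible here, so the name in the comment is a placeholder to fill in.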
46800 diff -urNp linux-2.6.32.46/fs/ioctl.c linux-2.6.32.46/fs/ioctl.c
46801 --- linux-2.6.32.46/fs/ioctl.c 2011-03-27 14:31:47.000000000 -0400
46802 +++ linux-2.6.32.46/fs/ioctl.c 2011-04-17 15:56:46.000000000 -0400
46803 @@ -97,7 +97,7 @@ int fiemap_fill_next_extent(struct fiema
46804 u64 phys, u64 len, u32 flags)
46805 {
46806 struct fiemap_extent extent;
46807 - struct fiemap_extent *dest = fieinfo->fi_extents_start;
46808 + struct fiemap_extent __user *dest = fieinfo->fi_extents_start;
46809
46810 /* only count the extents */
46811 if (fieinfo->fi_extents_max == 0) {
46812 @@ -207,7 +207,7 @@ static int ioctl_fiemap(struct file *fil
46813
46814 fieinfo.fi_flags = fiemap.fm_flags;
46815 fieinfo.fi_extents_max = fiemap.fm_extent_count;
46816 - fieinfo.fi_extents_start = (struct fiemap_extent *)(arg + sizeof(fiemap));
46817 + fieinfo.fi_extents_start = (struct fiemap_extent __user *)(arg + sizeof(fiemap));
46818
46819 if (fiemap.fm_extent_count != 0 &&
46820 !access_ok(VERIFY_WRITE, fieinfo.fi_extents_start,
46821 @@ -220,7 +220,7 @@ static int ioctl_fiemap(struct file *fil
46822 error = inode->i_op->fiemap(inode, &fieinfo, fiemap.fm_start, len);
46823 fiemap.fm_flags = fieinfo.fi_flags;
46824 fiemap.fm_mapped_extents = fieinfo.fi_extents_mapped;
46825 - if (copy_to_user((char *)arg, &fiemap, sizeof(fiemap)))
46826 + if (copy_to_user((__force char __user *)arg, &fiemap, sizeof(fiemap)))
46827 error = -EFAULT;
46828
46829 return error;
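Review bot: The `__force` in `copy_to_user((__force char __user *)arg, ...)` is inconsistent with the cast added a few lines earlier in the same function, `(struct fiemap_extent __user *)(arg + sizeof(fiemap))`, which annotates the same `arg` without it. If `arg` is an integer type, as that byte-offset arithmetic suggests, a plain `(char __user *)arg` should be enough for the checker, and `__force` would only hide a genuine address-space mismatch if the type ever changed. The declaration of `arg` is outside the hunk.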
46830 diff -urNp linux-2.6.32.46/fs/jbd/checkpoint.c linux-2.6.32.46/fs/jbd/checkpoint.c
46831 --- linux-2.6.32.46/fs/jbd/checkpoint.c 2011-03-27 14:31:47.000000000 -0400
46832 +++ linux-2.6.32.46/fs/jbd/checkpoint.c 2011-05-16 21:46:57.000000000 -0400
46833 @@ -348,6 +348,8 @@ int log_do_checkpoint(journal_t *journal
46834 tid_t this_tid;
46835 int result;
46836
46837 + pax_track_stack();
46838 +
46839 jbd_debug(1, "Start checkpoint\n");
46840
46841 /*
46842 diff -urNp linux-2.6.32.46/fs/jffs2/compr_rtime.c linux-2.6.32.46/fs/jffs2/compr_rtime.c
46843 --- linux-2.6.32.46/fs/jffs2/compr_rtime.c 2011-03-27 14:31:47.000000000 -0400
46844 +++ linux-2.6.32.46/fs/jffs2/compr_rtime.c 2011-05-16 21:46:57.000000000 -0400
46845 @@ -37,6 +37,8 @@ static int jffs2_rtime_compress(unsigned
46846 int outpos = 0;
46847 int pos=0;
46848
46849 + pax_track_stack();
46850 +
46851 memset(positions,0,sizeof(positions));
46852
46853 while (pos < (*sourcelen) && outpos <= (*dstlen)-2) {
46854 @@ -79,6 +81,8 @@ static int jffs2_rtime_decompress(unsign
46855 int outpos = 0;
46856 int pos=0;
46857
46858 + pax_track_stack();
46859 +
46860 memset(positions,0,sizeof(positions));
46861
46862 while (outpos<destlen) {
46863 diff -urNp linux-2.6.32.46/fs/jffs2/compr_rubin.c linux-2.6.32.46/fs/jffs2/compr_rubin.c
46864 --- linux-2.6.32.46/fs/jffs2/compr_rubin.c 2011-03-27 14:31:47.000000000 -0400
46865 +++ linux-2.6.32.46/fs/jffs2/compr_rubin.c 2011-05-16 21:46:57.000000000 -0400
46866 @@ -314,6 +314,8 @@ static int jffs2_dynrubin_compress(unsig
46867 int ret;
46868 uint32_t mysrclen, mydstlen;
46869
46870 + pax_track_stack();
46871 +
46872 mysrclen = *sourcelen;
46873 mydstlen = *dstlen - 8;
46874
46875 diff -urNp linux-2.6.32.46/fs/jffs2/erase.c linux-2.6.32.46/fs/jffs2/erase.c
46876 --- linux-2.6.32.46/fs/jffs2/erase.c 2011-03-27 14:31:47.000000000 -0400
46877 +++ linux-2.6.32.46/fs/jffs2/erase.c 2011-04-17 15:56:46.000000000 -0400
46878 @@ -434,7 +434,8 @@ static void jffs2_mark_erased_block(stru
46879 struct jffs2_unknown_node marker = {
46880 .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
46881 .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
46882 - .totlen = cpu_to_je32(c->cleanmarker_size)
46883 + .totlen = cpu_to_je32(c->cleanmarker_size),
46884 + .hdr_crc = cpu_to_je32(0)
46885 };
46886
46887 jffs2_prealloc_raw_node_refs(c, jeb, 1);
46888 diff -urNp linux-2.6.32.46/fs/jffs2/wbuf.c linux-2.6.32.46/fs/jffs2/wbuf.c
46889 --- linux-2.6.32.46/fs/jffs2/wbuf.c 2011-03-27 14:31:47.000000000 -0400
46890 +++ linux-2.6.32.46/fs/jffs2/wbuf.c 2011-04-17 15:56:46.000000000 -0400
46891 @@ -1012,7 +1012,8 @@ static const struct jffs2_unknown_node o
46892 {
46893 .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
46894 .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
46895 - .totlen = constant_cpu_to_je32(8)
46896 + .totlen = constant_cpu_to_je32(8),
46897 + .hdr_crc = constant_cpu_to_je32(0)
46898 };
46899
46900 /*
46901 diff -urNp linux-2.6.32.46/fs/jffs2/xattr.c linux-2.6.32.46/fs/jffs2/xattr.c
46902 --- linux-2.6.32.46/fs/jffs2/xattr.c 2011-03-27 14:31:47.000000000 -0400
46903 +++ linux-2.6.32.46/fs/jffs2/xattr.c 2011-05-16 21:46:57.000000000 -0400
46904 @@ -773,6 +773,8 @@ void jffs2_build_xattr_subsystem(struct
46905
46906 BUG_ON(!(c->flags & JFFS2_SB_FLAG_BUILDING));
46907
46908 + pax_track_stack();
46909 +
46910 /* Phase.1 : Merge same xref */
46911 for (i=0; i < XREF_TMPHASH_SIZE; i++)
46912 xref_tmphash[i] = NULL;
46913 diff -urNp linux-2.6.32.46/fs/jfs/super.c linux-2.6.32.46/fs/jfs/super.c
46914 --- linux-2.6.32.46/fs/jfs/super.c 2011-03-27 14:31:47.000000000 -0400
46915 +++ linux-2.6.32.46/fs/jfs/super.c 2011-06-07 18:06:04.000000000 -0400
46916 @@ -793,7 +793,7 @@ static int __init init_jfs_fs(void)
46917
46918 jfs_inode_cachep =
46919 kmem_cache_create("jfs_ip", sizeof(struct jfs_inode_info), 0,
46920 - SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD,
46921 + SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD|SLAB_USERCOPY,
46922 init_once);
46923 if (jfs_inode_cachep == NULL)
46924 return -ENOMEM;
46925 diff -urNp linux-2.6.32.46/fs/Kconfig.binfmt linux-2.6.32.46/fs/Kconfig.binfmt
46926 --- linux-2.6.32.46/fs/Kconfig.binfmt 2011-03-27 14:31:47.000000000 -0400
46927 +++ linux-2.6.32.46/fs/Kconfig.binfmt 2011-04-17 15:56:46.000000000 -0400
46928 @@ -86,7 +86,7 @@ config HAVE_AOUT
46929
46930 config BINFMT_AOUT
46931 tristate "Kernel support for a.out and ECOFF binaries"
46932 - depends on HAVE_AOUT
46933 + depends on HAVE_AOUT && BROKEN
46934 ---help---
46935 A.out (Assembler.OUTput) is a set of formats for libraries and
46936 executables used in the earliest versions of UNIX. Linux used
46937 diff -urNp linux-2.6.32.46/fs/libfs.c linux-2.6.32.46/fs/libfs.c
46938 --- linux-2.6.32.46/fs/libfs.c 2011-03-27 14:31:47.000000000 -0400
46939 +++ linux-2.6.32.46/fs/libfs.c 2011-05-11 18:25:15.000000000 -0400
46940 @@ -157,12 +157,20 @@ int dcache_readdir(struct file * filp, v
46941
46942 for (p=q->next; p != &dentry->d_subdirs; p=p->next) {
46943 struct dentry *next;
46944 + char d_name[sizeof(next->d_iname)];
46945 + const unsigned char *name;
46946 +
46947 next = list_entry(p, struct dentry, d_u.d_child);
46948 if (d_unhashed(next) || !next->d_inode)
46949 continue;
46950
46951 spin_unlock(&dcache_lock);
46952 - if (filldir(dirent, next->d_name.name,
46953 + name = next->d_name.name;
46954 + if (name == next->d_iname) {
46955 + memcpy(d_name, name, next->d_name.len);
46956 + name = d_name;
46957 + }
46958 + if (filldir(dirent, name,
46959 next->d_name.len, filp->f_pos,
46960 next->d_inode->i_ino,
46961 dt_type(next->d_inode)) < 0)
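Review bot: The copy into `d_name` reads `next->d_name.len` after `spin_unlock(&dcache_lock)` and after the `name == next->d_iname` test, and the field is read again for the `filldir` call, so nothing in the hunk guarantees that the length still fits the `sizeof(next->d_iname)` buffer or matches what was copied. Taking one snapshot, `unsigned int len = next->d_name.len;`, clamping it with `if (len > sizeof(d_name)) len = sizeof(d_name);`, and passing `len` to both `memcpy` and `filldir` would make the stack copy self-consistent. Whether the name can actually change at this point depends on locking outside the hunk. `d_name` is a `char` array while `name` is `const unsigned char *`, so `name = d_name` also mixes pointer signedness. A one-line comment on why the inline name is bounced through the stack is missing.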
46962 diff -urNp linux-2.6.32.46/fs/lockd/clntproc.c linux-2.6.32.46/fs/lockd/clntproc.c
46963 --- linux-2.6.32.46/fs/lockd/clntproc.c 2011-03-27 14:31:47.000000000 -0400
46964 +++ linux-2.6.32.46/fs/lockd/clntproc.c 2011-05-16 21:46:57.000000000 -0400
46965 @@ -36,11 +36,11 @@ static const struct rpc_call_ops nlmclnt
46966 /*
46967 * Cookie counter for NLM requests
46968 */
46969 -static atomic_t nlm_cookie = ATOMIC_INIT(0x1234);
46970 +static atomic_unchecked_t nlm_cookie = ATOMIC_INIT(0x1234);
46971
46972 void nlmclnt_next_cookie(struct nlm_cookie *c)
46973 {
46974 - u32 cookie = atomic_inc_return(&nlm_cookie);
46975 + u32 cookie = atomic_inc_return_unchecked(&nlm_cookie);
46976
46977 memcpy(c->data, &cookie, 4);
46978 c->len=4;
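Review bot: The switch to `atomic_unchecked_t` and `atomic_inc_return_unchecked` for `nlm_cookie` carries no explanation, and the existing comment still says only "Cookie counter for NLM requests". If the intent is that this counter is an identifier that may wrap rather than a reference count, the comment should say so, for example `/* Cookie counter for NLM requests; may wrap, not a refcount */`. The unchecked type is defined elsewhere in the patch, so the wording should be checked against that definition.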
46979 @@ -621,6 +621,8 @@ nlmclnt_reclaim(struct nlm_host *host, s
46980 struct nlm_rqst reqst, *req;
46981 int status;
46982
46983 + pax_track_stack();
46984 +
46985 req = &reqst;
46986 memset(req, 0, sizeof(*req));
46987 locks_init_lock(&req->a_args.lock.fl);
46988 diff -urNp linux-2.6.32.46/fs/lockd/svc.c linux-2.6.32.46/fs/lockd/svc.c
46989 --- linux-2.6.32.46/fs/lockd/svc.c 2011-03-27 14:31:47.000000000 -0400
46990 +++ linux-2.6.32.46/fs/lockd/svc.c 2011-04-17 15:56:46.000000000 -0400
46991 @@ -43,7 +43,7 @@
46992
46993 static struct svc_program nlmsvc_program;
46994
46995 -struct nlmsvc_binding * nlmsvc_ops;
46996 +const struct nlmsvc_binding * nlmsvc_ops;
46997 EXPORT_SYMBOL_GPL(nlmsvc_ops);
46998
46999 static DEFINE_MUTEX(nlmsvc_mutex);
47000 diff -urNp linux-2.6.32.46/fs/locks.c linux-2.6.32.46/fs/locks.c
47001 --- linux-2.6.32.46/fs/locks.c 2011-03-27 14:31:47.000000000 -0400
47002 +++ linux-2.6.32.46/fs/locks.c 2011-07-06 19:47:11.000000000 -0400
47003 @@ -145,10 +145,28 @@ static LIST_HEAD(blocked_list);
47004
47005 static struct kmem_cache *filelock_cache __read_mostly;
47006
47007 +static void locks_init_lock_always(struct file_lock *fl)
47008 +{
47009 + fl->fl_next = NULL;
47010 + fl->fl_fasync = NULL;
47011 + fl->fl_owner = NULL;
47012 + fl->fl_pid = 0;
47013 + fl->fl_nspid = NULL;
47014 + fl->fl_file = NULL;
47015 + fl->fl_flags = 0;
47016 + fl->fl_type = 0;
47017 + fl->fl_start = fl->fl_end = 0;
47018 +}
47019 +
47020 /* Allocate an empty lock structure. */
47021 static struct file_lock *locks_alloc_lock(void)
47022 {
47023 - return kmem_cache_alloc(filelock_cache, GFP_KERNEL);
47024 + struct file_lock *fl = kmem_cache_alloc(filelock_cache, GFP_KERNEL);
47025 +
47026 + if (fl)
47027 + locks_init_lock_always(fl);
47028 +
47029 + return fl;
47030 }
47031
47032 void locks_release_private(struct file_lock *fl)
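Review bot: `locks_init_lock_always` has no comment saying how it differs from `locks_init_lock`. After this hunk a lock returned by `locks_alloc_lock` has the listed fields reset, while `fl_ops`, `fl_lmops`, the two list heads and the wait queue stay as the cache hands them back. A header comment such as `/* Fields that must be clean on every allocation; list heads, wait queue and ops pointers are set by locks_init_lock() */` would record the split. Whether a cache constructor or the free path already covers the remaining fields is not visible here and is worth confirming.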
47033 @@ -183,17 +201,9 @@ void locks_init_lock(struct file_lock *f
47034 INIT_LIST_HEAD(&fl->fl_link);
47035 INIT_LIST_HEAD(&fl->fl_block);
47036 init_waitqueue_head(&fl->fl_wait);
47037 - fl->fl_next = NULL;
47038 - fl->fl_fasync = NULL;
47039 - fl->fl_owner = NULL;
47040 - fl->fl_pid = 0;
47041 - fl->fl_nspid = NULL;
47042 - fl->fl_file = NULL;
47043 - fl->fl_flags = 0;
47044 - fl->fl_type = 0;
47045 - fl->fl_start = fl->fl_end = 0;
47046 fl->fl_ops = NULL;
47047 fl->fl_lmops = NULL;
47048 + locks_init_lock_always(fl);
47049 }
47050
47051 EXPORT_SYMBOL(locks_init_lock);
47052 @@ -2007,16 +2017,16 @@ void locks_remove_flock(struct file *fil
47053 return;
47054
47055 if (filp->f_op && filp->f_op->flock) {
47056 - struct file_lock fl = {
47057 + struct file_lock flock = {
47058 .fl_pid = current->tgid,
47059 .fl_file = filp,
47060 .fl_flags = FL_FLOCK,
47061 .fl_type = F_UNLCK,
47062 .fl_end = OFFSET_MAX,
47063 };
47064 - filp->f_op->flock(filp, F_SETLKW, &fl);
47065 - if (fl.fl_ops && fl.fl_ops->fl_release_private)
47066 - fl.fl_ops->fl_release_private(&fl);
47067 + filp->f_op->flock(filp, F_SETLKW, &flock);
47068 + if (flock.fl_ops && flock.fl_ops->fl_release_private)
47069 + flock.fl_ops->fl_release_private(&flock);
47070 }
47071
47072 lock_kernel();
47073 diff -urNp linux-2.6.32.46/fs/mbcache.c linux-2.6.32.46/fs/mbcache.c
47074 --- linux-2.6.32.46/fs/mbcache.c 2011-03-27 14:31:47.000000000 -0400
47075 +++ linux-2.6.32.46/fs/mbcache.c 2011-08-05 20:33:55.000000000 -0400
47076 @@ -266,9 +266,9 @@ mb_cache_create(const char *name, struct
47077 if (!cache)
47078 goto fail;
47079 cache->c_name = name;
47080 - cache->c_op.free = NULL;
47081 + *(void **)&cache->c_op.free = NULL;
47082 if (cache_op)
47083 - cache->c_op.free = cache_op->free;
47084 + *(void **)&cache->c_op.free = cache_op->free;
47085 atomic_set(&cache->c_entry_count, 0);
47086 cache->c_bucket_bits = bucket_bits;
47087 #ifdef MB_CACHE_INDEXES_COUNT
47088 diff -urNp linux-2.6.32.46/fs/namei.c linux-2.6.32.46/fs/namei.c
47089 --- linux-2.6.32.46/fs/namei.c 2011-03-27 14:31:47.000000000 -0400
47090 +++ linux-2.6.32.46/fs/namei.c 2011-10-06 03:36:41.000000000 -0400
47091 @@ -224,14 +224,6 @@ int generic_permission(struct inode *ino
47092 return ret;
47093
47094 /*
47095 - * Read/write DACs are always overridable.
47096 - * Executable DACs are overridable if at least one exec bit is set.
47097 - */
47098 - if (!(mask & MAY_EXEC) || execute_ok(inode))
47099 - if (capable(CAP_DAC_OVERRIDE))
47100 - return 0;
47101 -
47102 - /*
47103 * Searching includes executable on directories, else just read.
47104 */
47105 mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
47106 @@ -239,6 +231,14 @@ int generic_permission(struct inode *ino
47107 if (capable(CAP_DAC_READ_SEARCH))
47108 return 0;
47109
47110 + /*
47111 + * Read/write DACs are always overridable.
47112 + * Executable DACs are overridable if at least one exec bit is set.
47113 + */
47114 + if (!(mask & MAY_EXEC) || execute_ok(inode))
47115 + if (capable(CAP_DAC_OVERRIDE))
47116 + return 0;
47117 +
47118 return -EACCES;
47119 }
47120
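Review bot: The moved block keeps its original comment, which explains when DAC checks are overridable but not why `CAP_DAC_OVERRIDE` is now tested after `CAP_DAC_READ_SEARCH`. The reordering is the whole change (this hunk re-adds what the previous hunk removed), so a line such as `/* Checked last so the narrower CAP_DAC_READ_SEARCH is tried first */` would stop a later cleanup from moving it back. That wording assumes a motive the patch does not state. By the time the block now runs, `mask` has been narrowed to `MAY_READ | MAY_WRITE | MAY_EXEC`, which leaves the `MAY_EXEC` test unaffected.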
47121 @@ -458,7 +458,8 @@ static int exec_permission_lite(struct i
47122 if (!ret)
47123 goto ok;
47124
47125 - if (capable(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH))
47126 + if (capable_nolog(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH) ||
47127 + capable(CAP_DAC_OVERRIDE))
47128 goto ok;
47129
47130 return ret;
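Review bot: The condition `capable_nolog(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH) || capable(CAP_DAC_OVERRIDE)` tests `CAP_DAC_OVERRIDE` twice, and the third term is reached only when the first has already returned false, so it reads like a leftover. If the final call is there for its logging side effect when both capabilities are missing, a comment should say so, for example `/* final capable() is for the log record; capable_nolog() already decided the result */`. `capable_nolog` is defined elsewhere in the patch, so this reading is an inference.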
47131 @@ -638,7 +639,7 @@ static __always_inline int __do_follow_l
47132 cookie = dentry->d_inode->i_op->follow_link(dentry, nd);
47133 error = PTR_ERR(cookie);
47134 if (!IS_ERR(cookie)) {
47135 - char *s = nd_get_link(nd);
47136 + const char *s = nd_get_link(nd);
47137 error = 0;
47138 if (s)
47139 error = __vfs_follow_link(nd, s);
47140 @@ -669,6 +670,18 @@ static inline int do_follow_link(struct
47141 err = security_inode_follow_link(path->dentry, nd);
47142 if (err)
47143 goto loop;
47144 +
47145 + if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
47146 + path->dentry->d_inode, path->dentry, nd->path.mnt)) {
47147 + err = -EACCES;
47148 + goto loop;
47149 + }
47150 +
47151 + if (!gr_acl_handle_hidden_file(path->dentry, nd->path.mnt)) {
47152 + err = -ENOENT;
47153 + goto loop;
47154 + }
47155 +
47156 current->link_count++;
47157 current->total_link_count++;
47158 nd->depth++;
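Review bot: `path->dentry->d_parent->d_inode` is dereferenced for the `gr_handle_follow_link` call with no reference on the parent and no lock visible in the hunk, so the parent pointer is only as stable as whatever the caller holds. If nothing outside the hunk pins it, taking the parent with `dget_parent(path->dentry)` and releasing it with `dput()` after the call would make the access safe against a concurrent rename. The same expression appears in the `do_link:` hunk of `do_filp_open` further down. The start of `do_follow_link` is outside the hunk.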
47159 @@ -1016,11 +1029,18 @@ return_reval:
47160 break;
47161 }
47162 return_base:
47163 + if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
47164 + path_put(&nd->path);
47165 + return -ENOENT;
47166 + }
47167 return 0;
47168 out_dput:
47169 path_put_conditional(&next, nd);
47170 break;
47171 }
47172 + if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt))
47173 + err = -ENOENT;
47174 +
47175 path_put(&nd->path);
47176 return_err:
47177 return err;
47178 @@ -1091,13 +1111,20 @@ static int do_path_lookup(int dfd, const
47179 int retval = path_init(dfd, name, flags, nd);
47180 if (!retval)
47181 retval = path_walk(name, nd);
47182 - if (unlikely(!retval && !audit_dummy_context() && nd->path.dentry &&
47183 - nd->path.dentry->d_inode))
47184 - audit_inode(name, nd->path.dentry);
47185 +
47186 + if (likely(!retval)) {
47187 + if (nd->path.dentry && nd->path.dentry->d_inode) {
47188 + if (*name != '/' && !gr_chroot_fchdir(nd->path.dentry, nd->path.mnt))
47189 + retval = -ENOENT;
47190 + if (!audit_dummy_context())
47191 + audit_inode(name, nd->path.dentry);
47192 + }
47193 + }
47194 if (nd->root.mnt) {
47195 path_put(&nd->root);
47196 nd->root.mnt = NULL;
47197 }
47198 +
47199 return retval;
47200 }
47201
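Review bot: When `gr_chroot_fchdir` refuses the result, `retval` is set to `-ENOENT` but the reference that a successful `path_walk` left in `nd->path` is not dropped, and `audit_inode` still runs on the refused dentry. The `return_base:` hunk earlier in this file calls `path_put(&nd->path)` before returning the same error, which suggests callers do not release the path on failure. Those callers are outside this hunk, so that should be confirmed. The denial branch would then release the path and skip the audit call, as below.

```c
	if (likely(!retval)) {
		if (nd->path.dentry && nd->path.dentry->d_inode) {
			if (*name != '/' && !gr_chroot_fchdir(nd->path.dentry, nd->path.mnt)) {
				/* refused: drop the reference path_walk() left in nd */
				path_put(&nd->path);
				retval = -ENOENT;
			} else if (!audit_dummy_context()) {
				audit_inode(name, nd->path.dentry);
			}
		}
	}
	/* … unchanged: nd->root release and return … */
```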
47202 @@ -1576,6 +1603,20 @@ int may_open(struct path *path, int acc_
47203 if (error)
47204 goto err_out;
47205
47206 +
47207 + if (gr_handle_rofs_blockwrite(dentry, path->mnt, acc_mode)) {
47208 + error = -EPERM;
47209 + goto err_out;
47210 + }
47211 + if (gr_handle_rawio(inode)) {
47212 + error = -EPERM;
47213 + goto err_out;
47214 + }
47215 + if (!gr_acl_handle_open(dentry, path->mnt, flag)) {
47216 + error = -EACCES;
47217 + goto err_out;
47218 + }
47219 +
47220 if (flag & O_TRUNC) {
47221 error = get_write_access(inode);
47222 if (error)
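Review bot: The three checks added here (`gr_handle_rofs_blockwrite`, `gr_handle_rawio`, `gr_acl_handle_open`) are repeated with the same error codes in the `do_filp_open` hunk below, so the two copies can drift apart. A small static helper that returns the error, called as `error = gr_open_checks(dentry, path->mnt, acc_mode, flag);` (the name is a placeholder), would keep the policy in one place. If the `ok:` path in `do_filp_open` already reaches `may_open`, the second copy may be redundant; that path is outside both hunks. The hunk also adds two consecutive blank lines before the first check.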
47223 @@ -1621,12 +1662,19 @@ static int __open_namei_create(struct na
47224 int error;
47225 struct dentry *dir = nd->path.dentry;
47226
47227 + if (!gr_acl_handle_creat(path->dentry, nd->path.dentry, nd->path.mnt, flag, mode)) {
47228 + error = -EACCES;
47229 + goto out_unlock;
47230 + }
47231 +
47232 if (!IS_POSIXACL(dir->d_inode))
47233 mode &= ~current_umask();
47234 error = security_path_mknod(&nd->path, path->dentry, mode, 0);
47235 if (error)
47236 goto out_unlock;
47237 error = vfs_create(dir->d_inode, path->dentry, mode, nd);
47238 + if (!error)
47239 + gr_handle_create(path->dentry, nd->path.mnt);
47240 out_unlock:
47241 mutex_unlock(&dir->d_inode->i_mutex);
47242 dput(nd->path.dentry);
47243 @@ -1709,6 +1757,22 @@ struct file *do_filp_open(int dfd, const
47244 &nd, flag);
47245 if (error)
47246 return ERR_PTR(error);
47247 +
47248 + if (gr_handle_rofs_blockwrite(nd.path.dentry, nd.path.mnt, acc_mode)) {
47249 + error = -EPERM;
47250 + goto exit;
47251 + }
47252 +
47253 + if (gr_handle_rawio(nd.path.dentry->d_inode)) {
47254 + error = -EPERM;
47255 + goto exit;
47256 + }
47257 +
47258 + if (!gr_acl_handle_open(nd.path.dentry, nd.path.mnt, flag)) {
47259 + error = -EACCES;
47260 + goto exit;
47261 + }
47262 +
47263 goto ok;
47264 }
47265
47266 @@ -1795,6 +1859,14 @@ do_last:
47267 /*
47268 * It already exists.
47269 */
47270 +
47271 + /* only check if O_CREAT is specified, all other checks need
47272 + to go into may_open */
47273 + if (gr_handle_fifo(path.dentry, path.mnt, dir, flag, acc_mode)) {
47274 + error = -EACCES;
47275 + goto exit_mutex_unlock;
47276 + }
47277 +
47278 mutex_unlock(&dir->d_inode->i_mutex);
47279 audit_inode(pathname, path.dentry);
47280
47281 @@ -1887,6 +1959,13 @@ do_link:
47282 error = security_inode_follow_link(path.dentry, &nd);
47283 if (error)
47284 goto exit_dput;
47285 +
47286 + if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode,
47287 + path.dentry, nd.path.mnt)) {
47288 + error = -EACCES;
47289 + goto exit_dput;
47290 + }
47291 +
47292 error = __do_follow_link(&path, &nd);
47293 if (error) {
47294 /* Does someone understand code flow here? Or it is only
47295 @@ -2061,6 +2140,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
47296 error = may_mknod(mode);
47297 if (error)
47298 goto out_dput;
47299 +
47300 + if (gr_handle_chroot_mknod(dentry, nd.path.mnt, mode)) {
47301 + error = -EPERM;
47302 + goto out_dput;
47303 + }
47304 +
47305 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
47306 + error = -EACCES;
47307 + goto out_dput;
47308 + }
47309 +
47310 error = mnt_want_write(nd.path.mnt);
47311 if (error)
47312 goto out_dput;
47313 @@ -2081,6 +2171,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
47314 }
47315 out_drop_write:
47316 mnt_drop_write(nd.path.mnt);
47317 +
47318 + if (!error)
47319 + gr_handle_create(dentry, nd.path.mnt);
47320 out_dput:
47321 dput(dentry);
47322 out_unlock:
47323 @@ -2134,6 +2227,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
47324 if (IS_ERR(dentry))
47325 goto out_unlock;
47326
47327 + if (!gr_acl_handle_mkdir(dentry, nd.path.dentry, nd.path.mnt)) {
47328 + error = -EACCES;
47329 + goto out_dput;
47330 + }
47331 +
47332 if (!IS_POSIXACL(nd.path.dentry->d_inode))
47333 mode &= ~current_umask();
47334 error = mnt_want_write(nd.path.mnt);
47335 @@ -2145,6 +2243,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
47336 error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
47337 out_drop_write:
47338 mnt_drop_write(nd.path.mnt);
47339 +
47340 + if (!error)
47341 + gr_handle_create(dentry, nd.path.mnt);
47342 +
47343 out_dput:
47344 dput(dentry);
47345 out_unlock:
47346 @@ -2226,6 +2328,8 @@ static long do_rmdir(int dfd, const char
47347 char * name;
47348 struct dentry *dentry;
47349 struct nameidata nd;
47350 + ino_t saved_ino = 0;
47351 + dev_t saved_dev = 0;
47352
47353 error = user_path_parent(dfd, pathname, &nd, &name);
47354 if (error)
47355 @@ -2250,6 +2354,19 @@ static long do_rmdir(int dfd, const char
47356 error = PTR_ERR(dentry);
47357 if (IS_ERR(dentry))
47358 goto exit2;
47359 +
47360 + if (dentry->d_inode != NULL) {
47361 + if (dentry->d_inode->i_nlink <= 1) {
47362 + saved_ino = dentry->d_inode->i_ino;
47363 + saved_dev = gr_get_dev_from_dentry(dentry);
47364 + }
47365 +
47366 + if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
47367 + error = -EACCES;
47368 + goto exit3;
47369 + }
47370 + }
47371 +
47372 error = mnt_want_write(nd.path.mnt);
47373 if (error)
47374 goto exit3;
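Review bot: `saved_ino` and `saved_dev` are recorded only when `dentry->d_inode->i_nlink <= 1`, but on filesystems where an empty directory reports a link count of 2 that condition is never true for the target of `rmdir`, so the later `gr_handle_delete(saved_ino, saved_dev)` would not run. The test is the same one used in the `do_unlinkat` hunk, where it means the last link to a file. For a directory, recording the pair unconditionally looks closer to the intent, though what `gr_handle_delete` expects is not visible here. Using zero in both variables as the "nothing saved" marker also deserves a one-line comment next to the declarations.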
47375 @@ -2257,6 +2374,8 @@ static long do_rmdir(int dfd, const char
47376 if (error)
47377 goto exit4;
47378 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
47379 + if (!error && (saved_dev || saved_ino))
47380 + gr_handle_delete(saved_ino, saved_dev);
47381 exit4:
47382 mnt_drop_write(nd.path.mnt);
47383 exit3:
47384 @@ -2318,6 +2437,8 @@ static long do_unlinkat(int dfd, const c
47385 struct dentry *dentry;
47386 struct nameidata nd;
47387 struct inode *inode = NULL;
47388 + ino_t saved_ino = 0;
47389 + dev_t saved_dev = 0;
47390
47391 error = user_path_parent(dfd, pathname, &nd, &name);
47392 if (error)
47393 @@ -2337,8 +2458,19 @@ static long do_unlinkat(int dfd, const c
47394 if (nd.last.name[nd.last.len])
47395 goto slashes;
47396 inode = dentry->d_inode;
47397 - if (inode)
47398 + if (inode) {
47399 + if (inode->i_nlink <= 1) {
47400 + saved_ino = inode->i_ino;
47401 + saved_dev = gr_get_dev_from_dentry(dentry);
47402 + }
47403 +
47404 atomic_inc(&inode->i_count);
47405 +
47406 + if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
47407 + error = -EACCES;
47408 + goto exit2;
47409 + }
47410 + }
47411 error = mnt_want_write(nd.path.mnt);
47412 if (error)
47413 goto exit2;
47414 @@ -2346,6 +2478,8 @@ static long do_unlinkat(int dfd, const c
47415 if (error)
47416 goto exit3;
47417 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
47418 + if (!error && (saved_ino || saved_dev))
47419 + gr_handle_delete(saved_ino, saved_dev);
47420 exit3:
47421 mnt_drop_write(nd.path.mnt);
47422 exit2:
47423 @@ -2424,6 +2558,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
47424 if (IS_ERR(dentry))
47425 goto out_unlock;
47426
47427 + if (!gr_acl_handle_symlink(dentry, nd.path.dentry, nd.path.mnt, from)) {
47428 + error = -EACCES;
47429 + goto out_dput;
47430 + }
47431 +
47432 error = mnt_want_write(nd.path.mnt);
47433 if (error)
47434 goto out_dput;
47435 @@ -2431,6 +2570,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
47436 if (error)
47437 goto out_drop_write;
47438 error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
47439 + if (!error)
47440 + gr_handle_create(dentry, nd.path.mnt);
47441 out_drop_write:
47442 mnt_drop_write(nd.path.mnt);
47443 out_dput:
47444 @@ -2524,6 +2665,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
47445 error = PTR_ERR(new_dentry);
47446 if (IS_ERR(new_dentry))
47447 goto out_unlock;
47448 +
47449 + if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
47450 + old_path.dentry->d_inode,
47451 + old_path.dentry->d_inode->i_mode, to)) {
47452 + error = -EACCES;
47453 + goto out_dput;
47454 + }
47455 +
47456 + if (!gr_acl_handle_link(new_dentry, nd.path.dentry, nd.path.mnt,
47457 + old_path.dentry, old_path.mnt, to)) {
47458 + error = -EACCES;
47459 + goto out_dput;
47460 + }
47461 +
47462 error = mnt_want_write(nd.path.mnt);
47463 if (error)
47464 goto out_dput;
47465 @@ -2531,6 +2686,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
47466 if (error)
47467 goto out_drop_write;
47468 error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
47469 + if (!error)
47470 + gr_handle_create(new_dentry, nd.path.mnt);
47471 out_drop_write:
47472 mnt_drop_write(nd.path.mnt);
47473 out_dput:
47474 @@ -2708,6 +2865,8 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
47475 char *to;
47476 int error;
47477
47478 + pax_track_stack();
47479 +
47480 error = user_path_parent(olddfd, oldname, &oldnd, &from);
47481 if (error)
47482 goto exit;
47483 @@ -2764,6 +2923,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
47484 if (new_dentry == trap)
47485 goto exit5;
47486
47487 + error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
47488 + old_dentry, old_dir->d_inode, oldnd.path.mnt,
47489 + to);
47490 + if (error)
47491 + goto exit5;
47492 +
47493 error = mnt_want_write(oldnd.path.mnt);
47494 if (error)
47495 goto exit5;
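Review bot: `gr_acl_handle_rename` is used as an errno-returning call (`error = gr_acl_handle_rename(...); if (error) goto exit5;`), while the other `gr_acl_handle_*` calls visible in this file's hunks are booleans that return zero on denial and are written `if (!gr_acl_handle_...(...)) { error = -EACCES; ... }`. Two opposite conventions under one prefix make an inverted test easy to introduce. A comment at this call site, for example `/* returns 0 or -errno, unlike the boolean gr_acl_handle_*() checks */`, would flag the difference. The function's definition is elsewhere in the patch.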
47496 @@ -2773,6 +2938,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
47497 goto exit6;
47498 error = vfs_rename(old_dir->d_inode, old_dentry,
47499 new_dir->d_inode, new_dentry);
47500 + if (!error)
47501 + gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
47502 + new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
47503 exit6:
47504 mnt_drop_write(oldnd.path.mnt);
47505 exit5:
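Review bot: The last argument to `gr_handle_rename()`, `new_dentry->d_inode ? 1 : 0`, is evaluated after `vfs_rename()` has already succeeded, so it reports the state of `new_dentry` after the move rather than whether a target existed beforehand. If the flag means "an existing file was replaced", capturing it in a local before the call would be clearer and would not depend on dentry handling inside `vfs_rename()`. If the post-rename state is what the helper expects, a comment such as `/* non-zero when new_dentry still has an inode after the rename */` would make that explicit. The helper and the rest of renameat are outside this hunk.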
47506 @@ -2798,6 +2966,8 @@ SYSCALL_DEFINE2(rename, const char __use
47507
47508 int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
47509 {
47510 + char tmpbuf[64];
47511 + const char *newlink;
47512 int len;
47513
47514 len = PTR_ERR(link);
47515 @@ -2807,7 +2977,14 @@ int vfs_readlink(struct dentry *dentry,
47516 len = strlen(link);
47517 if (len > (unsigned) buflen)
47518 len = buflen;
47519 - if (copy_to_user(buffer, link, len))
47520 +
47521 + if (len < sizeof(tmpbuf)) {
47522 + memcpy(tmpbuf, link, len);
47523 + newlink = tmpbuf;
47524 + } else
47525 + newlink = link;
47526 +
47527 + if (copy_to_user(buffer, newlink, len))
47528 len = -EFAULT;
47529 out:
47530 return len;
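Review bot: The new bounce through `tmpbuf` carries no comment, so the `memcpy` reads like redundant work that a later cleanup could remove. A line above the `if` such as `/* stage short link targets on the stack so copy_to_user() reads from a known-size object */` would record the intent; the reason is inferred, since the hunk does not state it, and should be checked against the rest of the patch. The `else` branch should also be braced to match the braced `if` (`} else {` / `newlink = link;` / `}`). The declarations of `tmpbuf` and `newlink` are in the previous hunk.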
47531 diff -urNp linux-2.6.32.46/fs/namespace.c linux-2.6.32.46/fs/namespace.c
47532 --- linux-2.6.32.46/fs/namespace.c 2011-03-27 14:31:47.000000000 -0400
47533 +++ linux-2.6.32.46/fs/namespace.c 2011-04-17 15:56:46.000000000 -0400
47534 @@ -1083,6 +1083,9 @@ static int do_umount(struct vfsmount *mn
47535 if (!(sb->s_flags & MS_RDONLY))
47536 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
47537 up_write(&sb->s_umount);
47538 +
47539 + gr_log_remount(mnt->mnt_devname, retval);
47540 +
47541 return retval;
47542 }
47543
47544 @@ -1104,6 +1107,9 @@ static int do_umount(struct vfsmount *mn
47545 security_sb_umount_busy(mnt);
47546 up_write(&namespace_sem);
47547 release_mounts(&umount_list);
47548 +
47549 + gr_log_unmount(mnt->mnt_devname, retval);
47550 +
47551 return retval;
47552 }
47553
47554 @@ -1962,6 +1968,16 @@ long do_mount(char *dev_name, char *dir_
47555 if (retval)
47556 goto dput_out;
47557
47558 + if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
47559 + retval = -EPERM;
47560 + goto dput_out;
47561 + }
47562 +
47563 + if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
47564 + retval = -EPERM;
47565 + goto dput_out;
47566 + }
47567 +
47568 if (flags & MS_REMOUNT)
47569 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
47570 data_page);
47571 @@ -1976,6 +1992,9 @@ long do_mount(char *dev_name, char *dir_
47572 dev_name, data_page);
47573 dput_out:
47574 path_put(&path);
47575 +
47576 + gr_log_mount(dev_name, dir_name, retval);
47577 +
47578 return retval;
47579 }
47580
47581 @@ -2182,6 +2201,12 @@ SYSCALL_DEFINE2(pivot_root, const char _
47582 goto out1;
47583 }
47584
47585 + if (gr_handle_chroot_pivot()) {
47586 + error = -EPERM;
47587 + path_put(&old);
47588 + goto out1;
47589 + }
47590 +
47591 read_lock(&current->fs->lock);
47592 root = current->fs->root;
47593 path_get(&current->fs->root);
47594 diff -urNp linux-2.6.32.46/fs/ncpfs/dir.c linux-2.6.32.46/fs/ncpfs/dir.c
47595 --- linux-2.6.32.46/fs/ncpfs/dir.c 2011-03-27 14:31:47.000000000 -0400
47596 +++ linux-2.6.32.46/fs/ncpfs/dir.c 2011-05-16 21:46:57.000000000 -0400
47597 @@ -275,6 +275,8 @@ __ncp_lookup_validate(struct dentry *den
47598 int res, val = 0, len;
47599 __u8 __name[NCP_MAXPATHLEN + 1];
47600
47601 + pax_track_stack();
47602 +
47603 parent = dget_parent(dentry);
47604 dir = parent->d_inode;
47605
47606 @@ -799,6 +801,8 @@ static struct dentry *ncp_lookup(struct
47607 int error, res, len;
47608 __u8 __name[NCP_MAXPATHLEN + 1];
47609
47610 + pax_track_stack();
47611 +
47612 lock_kernel();
47613 error = -EIO;
47614 if (!ncp_conn_valid(server))
47615 @@ -883,10 +887,12 @@ int ncp_create_new(struct inode *dir, st
47616 int error, result, len;
47617 int opmode;
47618 __u8 __name[NCP_MAXPATHLEN + 1];
47619 -
47620 +
47621 PPRINTK("ncp_create_new: creating %s/%s, mode=%x\n",
47622 dentry->d_parent->d_name.name, dentry->d_name.name, mode);
47623
47624 + pax_track_stack();
47625 +
47626 error = -EIO;
47627 lock_kernel();
47628 if (!ncp_conn_valid(server))
47629 @@ -952,6 +958,8 @@ static int ncp_mkdir(struct inode *dir,
47630 int error, len;
47631 __u8 __name[NCP_MAXPATHLEN + 1];
47632
47633 + pax_track_stack();
47634 +
47635 DPRINTK("ncp_mkdir: making %s/%s\n",
47636 dentry->d_parent->d_name.name, dentry->d_name.name);
47637
47638 @@ -960,6 +968,8 @@ static int ncp_mkdir(struct inode *dir,
47639 if (!ncp_conn_valid(server))
47640 goto out;
47641
47642 + pax_track_stack();
47643 +
47644 ncp_age_dentry(server, dentry);
47645 len = sizeof(__name);
47646 error = ncp_io2vol(server, __name, &len, dentry->d_name.name,
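Review bot: `pax_track_stack()` is now called twice in `ncp_mkdir()`: once right after the declarations (previous hunk) and again here after the `ncp_conn_valid()` check. The other functions touched in this file call it once near entry, so this second call looks like a leftover; unless it is deliberate, drop the two lines added in this hunk. If it is deliberate, a comment saying why a second call is needed would help. The function body extends beyond both hunks.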
47647 @@ -1114,6 +1124,8 @@ static int ncp_rename(struct inode *old_
47648 int old_len, new_len;
47649 __u8 __old_name[NCP_MAXPATHLEN + 1], __new_name[NCP_MAXPATHLEN + 1];
47650
47651 + pax_track_stack();
47652 +
47653 DPRINTK("ncp_rename: %s/%s to %s/%s\n",
47654 old_dentry->d_parent->d_name.name, old_dentry->d_name.name,
47655 new_dentry->d_parent->d_name.name, new_dentry->d_name.name);
47656 diff -urNp linux-2.6.32.46/fs/ncpfs/inode.c linux-2.6.32.46/fs/ncpfs/inode.c
47657 --- linux-2.6.32.46/fs/ncpfs/inode.c 2011-03-27 14:31:47.000000000 -0400
47658 +++ linux-2.6.32.46/fs/ncpfs/inode.c 2011-05-16 21:46:57.000000000 -0400
47659 @@ -445,6 +445,8 @@ static int ncp_fill_super(struct super_b
47660 #endif
47661 struct ncp_entry_info finfo;
47662
47663 + pax_track_stack();
47664 +
47665 data.wdog_pid = NULL;
47666 server = kzalloc(sizeof(struct ncp_server), GFP_KERNEL);
47667 if (!server)
47668 diff -urNp linux-2.6.32.46/fs/nfs/inode.c linux-2.6.32.46/fs/nfs/inode.c
47669 --- linux-2.6.32.46/fs/nfs/inode.c 2011-05-10 22:12:01.000000000 -0400
47670 +++ linux-2.6.32.46/fs/nfs/inode.c 2011-07-06 19:53:33.000000000 -0400
47671 @@ -156,7 +156,7 @@ static void nfs_zap_caches_locked(struct
47672 nfsi->attrtimeo = NFS_MINATTRTIMEO(inode);
47673 nfsi->attrtimeo_timestamp = jiffies;
47674
47675 - memset(NFS_COOKIEVERF(inode), 0, sizeof(NFS_COOKIEVERF(inode)));
47676 + memset(NFS_COOKIEVERF(inode), 0, sizeof(NFS_I(inode)->cookieverf));
47677 if (S_ISREG(mode) || S_ISDIR(mode) || S_ISLNK(mode))
47678 nfsi->cache_validity |= NFS_INO_INVALID_ATTR|NFS_INO_INVALID_DATA|NFS_INO_INVALID_ACCESS|NFS_INO_INVALID_ACL|NFS_INO_REVAL_PAGECACHE;
47679 else
47680 @@ -973,16 +973,16 @@ static int nfs_size_need_update(const st
47681 return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
47682 }
47683
47684 -static atomic_long_t nfs_attr_generation_counter;
47685 +static atomic_long_unchecked_t nfs_attr_generation_counter;
47686
47687 static unsigned long nfs_read_attr_generation_counter(void)
47688 {
47689 - return atomic_long_read(&nfs_attr_generation_counter);
47690 + return atomic_long_read_unchecked(&nfs_attr_generation_counter);
47691 }
47692
47693 unsigned long nfs_inc_attr_generation_counter(void)
47694 {
47695 - return atomic_long_inc_return(&nfs_attr_generation_counter);
47696 + return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
47697 }
47698
47699 void nfs_fattr_init(struct nfs_fattr *fattr)
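Review bot: Switching `nfs_attr_generation_counter` to `atomic_long_unchecked_t` appears to opt this counter out of the overflow checking the patch attaches to the plain atomic types, and nothing at the declaration says why wrapping is acceptable. A comment such as `/* generation counter, not a reference count: wraparound is harmless, so the unchecked type is used */` would stop a later reader from converting it back or copying the pattern onto a real refcount. The same applies to `fsnotify_sync_cookie` in fs/notify/notification.c and to the `ocfs2_alloc_stats` fields in fs/ocfs2/ocfs2.h. The `_unchecked` variants are defined outside this part of the patch, so this reading is inferred from the naming.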
47700 diff -urNp linux-2.6.32.46/fs/nfsd/lockd.c linux-2.6.32.46/fs/nfsd/lockd.c
47701 --- linux-2.6.32.46/fs/nfsd/lockd.c 2011-04-17 17:00:52.000000000 -0400
47702 +++ linux-2.6.32.46/fs/nfsd/lockd.c 2011-04-17 17:03:15.000000000 -0400
47703 @@ -66,7 +66,7 @@ nlm_fclose(struct file *filp)
47704 fput(filp);
47705 }
47706
47707 -static struct nlmsvc_binding nfsd_nlm_ops = {
47708 +static const struct nlmsvc_binding nfsd_nlm_ops = {
47709 .fopen = nlm_fopen, /* open file for locking */
47710 .fclose = nlm_fclose, /* close file */
47711 };
47712 diff -urNp linux-2.6.32.46/fs/nfsd/nfs4state.c linux-2.6.32.46/fs/nfsd/nfs4state.c
47713 --- linux-2.6.32.46/fs/nfsd/nfs4state.c 2011-03-27 14:31:47.000000000 -0400
47714 +++ linux-2.6.32.46/fs/nfsd/nfs4state.c 2011-05-16 21:46:57.000000000 -0400
47715 @@ -3457,6 +3457,8 @@ nfsd4_lock(struct svc_rqst *rqstp, struc
47716 unsigned int cmd;
47717 int err;
47718
47719 + pax_track_stack();
47720 +
47721 dprintk("NFSD: nfsd4_lock: start=%Ld length=%Ld\n",
47722 (long long) lock->lk_offset,
47723 (long long) lock->lk_length);
47724 diff -urNp linux-2.6.32.46/fs/nfsd/nfs4xdr.c linux-2.6.32.46/fs/nfsd/nfs4xdr.c
47725 --- linux-2.6.32.46/fs/nfsd/nfs4xdr.c 2011-03-27 14:31:47.000000000 -0400
47726 +++ linux-2.6.32.46/fs/nfsd/nfs4xdr.c 2011-05-16 21:46:57.000000000 -0400
47727 @@ -1751,6 +1751,8 @@ nfsd4_encode_fattr(struct svc_fh *fhp, s
47728 struct nfsd4_compoundres *resp = rqstp->rq_resp;
47729 u32 minorversion = resp->cstate.minorversion;
47730
47731 + pax_track_stack();
47732 +
47733 BUG_ON(bmval1 & NFSD_WRITEONLY_ATTRS_WORD1);
47734 BUG_ON(bmval0 & ~nfsd_suppattrs0(minorversion));
47735 BUG_ON(bmval1 & ~nfsd_suppattrs1(minorversion));
47736 diff -urNp linux-2.6.32.46/fs/nfsd/vfs.c linux-2.6.32.46/fs/nfsd/vfs.c
47737 --- linux-2.6.32.46/fs/nfsd/vfs.c 2011-05-10 22:12:01.000000000 -0400
47738 +++ linux-2.6.32.46/fs/nfsd/vfs.c 2011-10-06 09:37:14.000000000 -0400
47739 @@ -937,7 +937,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
47740 } else {
47741 oldfs = get_fs();
47742 set_fs(KERNEL_DS);
47743 - host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
47744 + host_err = vfs_readv(file, (struct iovec __force_user *)vec, vlen, &offset);
47745 set_fs(oldfs);
47746 }
47747
47748 @@ -1060,7 +1060,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
47749
47750 /* Write the data. */
47751 oldfs = get_fs(); set_fs(KERNEL_DS);
47752 - host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
47753 + host_err = vfs_writev(file, (struct iovec __force_user *)vec, vlen, &offset);
47754 set_fs(oldfs);
47755 if (host_err < 0)
47756 goto out_nfserr;
47757 @@ -1542,7 +1542,7 @@ nfsd_readlink(struct svc_rqst *rqstp, st
47758 */
47759
47760 oldfs = get_fs(); set_fs(KERNEL_DS);
47761 - host_err = inode->i_op->readlink(dentry, buf, *lenp);
47762 + host_err = inode->i_op->readlink(dentry, (char __force_user *)buf, *lenp);
47763 set_fs(oldfs);
47764
47765 if (host_err < 0)
47766 diff -urNp linux-2.6.32.46/fs/nilfs2/ioctl.c linux-2.6.32.46/fs/nilfs2/ioctl.c
47767 --- linux-2.6.32.46/fs/nilfs2/ioctl.c 2011-03-27 14:31:47.000000000 -0400
47768 +++ linux-2.6.32.46/fs/nilfs2/ioctl.c 2011-05-04 17:56:28.000000000 -0400
47769 @@ -480,7 +480,7 @@ static int nilfs_ioctl_clean_segments(st
47770 unsigned int cmd, void __user *argp)
47771 {
47772 struct nilfs_argv argv[5];
47773 - const static size_t argsz[5] = {
47774 + static const size_t argsz[5] = {
47775 sizeof(struct nilfs_vdesc),
47776 sizeof(struct nilfs_period),
47777 sizeof(__u64),
47778 diff -urNp linux-2.6.32.46/fs/notify/dnotify/dnotify.c linux-2.6.32.46/fs/notify/dnotify/dnotify.c
47779 --- linux-2.6.32.46/fs/notify/dnotify/dnotify.c 2011-03-27 14:31:47.000000000 -0400
47780 +++ linux-2.6.32.46/fs/notify/dnotify/dnotify.c 2011-04-17 15:56:46.000000000 -0400
47781 @@ -173,7 +173,7 @@ static void dnotify_free_mark(struct fsn
47782 kmem_cache_free(dnotify_mark_entry_cache, dnentry);
47783 }
47784
47785 -static struct fsnotify_ops dnotify_fsnotify_ops = {
47786 +static const struct fsnotify_ops dnotify_fsnotify_ops = {
47787 .handle_event = dnotify_handle_event,
47788 .should_send_event = dnotify_should_send_event,
47789 .free_group_priv = NULL,
47790 diff -urNp linux-2.6.32.46/fs/notify/notification.c linux-2.6.32.46/fs/notify/notification.c
47791 --- linux-2.6.32.46/fs/notify/notification.c 2011-03-27 14:31:47.000000000 -0400
47792 +++ linux-2.6.32.46/fs/notify/notification.c 2011-05-04 17:56:28.000000000 -0400
47793 @@ -57,7 +57,7 @@ static struct kmem_cache *fsnotify_event
47794 * get set to 0 so it will never get 'freed'
47795 */
47796 static struct fsnotify_event q_overflow_event;
47797 -static atomic_t fsnotify_sync_cookie = ATOMIC_INIT(0);
47798 +static atomic_unchecked_t fsnotify_sync_cookie = ATOMIC_INIT(0);
47799
47800 /**
47801 * fsnotify_get_cookie - return a unique cookie for use in synchronizing events.
47802 @@ -65,7 +65,7 @@ static atomic_t fsnotify_sync_cookie = A
47803 */
47804 u32 fsnotify_get_cookie(void)
47805 {
47806 - return atomic_inc_return(&fsnotify_sync_cookie);
47807 + return atomic_inc_return_unchecked(&fsnotify_sync_cookie);
47808 }
47809 EXPORT_SYMBOL_GPL(fsnotify_get_cookie);
47810
47811 diff -urNp linux-2.6.32.46/fs/ntfs/dir.c linux-2.6.32.46/fs/ntfs/dir.c
47812 --- linux-2.6.32.46/fs/ntfs/dir.c 2011-03-27 14:31:47.000000000 -0400
47813 +++ linux-2.6.32.46/fs/ntfs/dir.c 2011-04-17 15:56:46.000000000 -0400
47814 @@ -1328,7 +1328,7 @@ find_next_index_buffer:
47815 ia = (INDEX_ALLOCATION*)(kaddr + (ia_pos & ~PAGE_CACHE_MASK &
47816 ~(s64)(ndir->itype.index.block_size - 1)));
47817 /* Bounds checks. */
47818 - if (unlikely((u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
47819 + if (unlikely(!kaddr || (u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
47820 ntfs_error(sb, "Out of bounds check failed. Corrupt directory "
47821 "inode 0x%lx or driver bug.", vdir->i_ino);
47822 goto err_out;
47823 diff -urNp linux-2.6.32.46/fs/ntfs/file.c linux-2.6.32.46/fs/ntfs/file.c
47824 --- linux-2.6.32.46/fs/ntfs/file.c 2011-03-27 14:31:47.000000000 -0400
47825 +++ linux-2.6.32.46/fs/ntfs/file.c 2011-04-17 15:56:46.000000000 -0400
47826 @@ -2243,6 +2243,6 @@ const struct inode_operations ntfs_file_
47827 #endif /* NTFS_RW */
47828 };
47829
47830 -const struct file_operations ntfs_empty_file_ops = {};
47831 +const struct file_operations ntfs_empty_file_ops __read_only;
47832
47833 -const struct inode_operations ntfs_empty_inode_ops = {};
47834 +const struct inode_operations ntfs_empty_inode_ops __read_only;
47835 diff -urNp linux-2.6.32.46/fs/ocfs2/cluster/masklog.c linux-2.6.32.46/fs/ocfs2/cluster/masklog.c
47836 --- linux-2.6.32.46/fs/ocfs2/cluster/masklog.c 2011-03-27 14:31:47.000000000 -0400
47837 +++ linux-2.6.32.46/fs/ocfs2/cluster/masklog.c 2011-04-17 15:56:46.000000000 -0400
47838 @@ -135,7 +135,7 @@ static ssize_t mlog_store(struct kobject
47839 return mlog_mask_store(mlog_attr->mask, buf, count);
47840 }
47841
47842 -static struct sysfs_ops mlog_attr_ops = {
47843 +static const struct sysfs_ops mlog_attr_ops = {
47844 .show = mlog_show,
47845 .store = mlog_store,
47846 };
47847 diff -urNp linux-2.6.32.46/fs/ocfs2/localalloc.c linux-2.6.32.46/fs/ocfs2/localalloc.c
47848 --- linux-2.6.32.46/fs/ocfs2/localalloc.c 2011-03-27 14:31:47.000000000 -0400
47849 +++ linux-2.6.32.46/fs/ocfs2/localalloc.c 2011-04-17 15:56:46.000000000 -0400
47850 @@ -1188,7 +1188,7 @@ static int ocfs2_local_alloc_slide_windo
47851 goto bail;
47852 }
47853
47854 - atomic_inc(&osb->alloc_stats.moves);
47855 + atomic_inc_unchecked(&osb->alloc_stats.moves);
47856
47857 status = 0;
47858 bail:
47859 diff -urNp linux-2.6.32.46/fs/ocfs2/namei.c linux-2.6.32.46/fs/ocfs2/namei.c
47860 --- linux-2.6.32.46/fs/ocfs2/namei.c 2011-03-27 14:31:47.000000000 -0400
47861 +++ linux-2.6.32.46/fs/ocfs2/namei.c 2011-05-16 21:46:57.000000000 -0400
47862 @@ -1043,6 +1043,8 @@ static int ocfs2_rename(struct inode *ol
47863 struct ocfs2_dir_lookup_result orphan_insert = { NULL, };
47864 struct ocfs2_dir_lookup_result target_insert = { NULL, };
47865
47866 + pax_track_stack();
47867 +
47868 /* At some point it might be nice to break this function up a
47869 * bit. */
47870
47871 diff -urNp linux-2.6.32.46/fs/ocfs2/ocfs2.h linux-2.6.32.46/fs/ocfs2/ocfs2.h
47872 --- linux-2.6.32.46/fs/ocfs2/ocfs2.h 2011-03-27 14:31:47.000000000 -0400
47873 +++ linux-2.6.32.46/fs/ocfs2/ocfs2.h 2011-04-17 15:56:46.000000000 -0400
47874 @@ -217,11 +217,11 @@ enum ocfs2_vol_state
47875
47876 struct ocfs2_alloc_stats
47877 {
47878 - atomic_t moves;
47879 - atomic_t local_data;
47880 - atomic_t bitmap_data;
47881 - atomic_t bg_allocs;
47882 - atomic_t bg_extends;
47883 + atomic_unchecked_t moves;
47884 + atomic_unchecked_t local_data;
47885 + atomic_unchecked_t bitmap_data;
47886 + atomic_unchecked_t bg_allocs;
47887 + atomic_unchecked_t bg_extends;
47888 };
47889
47890 enum ocfs2_local_alloc_state
47891 diff -urNp linux-2.6.32.46/fs/ocfs2/suballoc.c linux-2.6.32.46/fs/ocfs2/suballoc.c
47892 --- linux-2.6.32.46/fs/ocfs2/suballoc.c 2011-03-27 14:31:47.000000000 -0400
47893 +++ linux-2.6.32.46/fs/ocfs2/suballoc.c 2011-04-17 15:56:46.000000000 -0400
47894 @@ -623,7 +623,7 @@ static int ocfs2_reserve_suballoc_bits(s
47895 mlog_errno(status);
47896 goto bail;
47897 }
47898 - atomic_inc(&osb->alloc_stats.bg_extends);
47899 + atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
47900
47901 /* You should never ask for this much metadata */
47902 BUG_ON(bits_wanted >
47903 @@ -1654,7 +1654,7 @@ int ocfs2_claim_metadata(struct ocfs2_su
47904 mlog_errno(status);
47905 goto bail;
47906 }
47907 - atomic_inc(&osb->alloc_stats.bg_allocs);
47908 + atomic_inc_unchecked(&osb->alloc_stats.bg_allocs);
47909
47910 *blkno_start = bg_blkno + (u64) *suballoc_bit_start;
47911 ac->ac_bits_given += (*num_bits);
47912 @@ -1728,7 +1728,7 @@ int ocfs2_claim_new_inode(struct ocfs2_s
47913 mlog_errno(status);
47914 goto bail;
47915 }
47916 - atomic_inc(&osb->alloc_stats.bg_allocs);
47917 + atomic_inc_unchecked(&osb->alloc_stats.bg_allocs);
47918
47919 BUG_ON(num_bits != 1);
47920
47921 @@ -1830,7 +1830,7 @@ int __ocfs2_claim_clusters(struct ocfs2_
47922 cluster_start,
47923 num_clusters);
47924 if (!status)
47925 - atomic_inc(&osb->alloc_stats.local_data);
47926 + atomic_inc_unchecked(&osb->alloc_stats.local_data);
47927 } else {
47928 if (min_clusters > (osb->bitmap_cpg - 1)) {
47929 /* The only paths asking for contiguousness
47930 @@ -1858,7 +1858,7 @@ int __ocfs2_claim_clusters(struct ocfs2_
47931 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
47932 bg_blkno,
47933 bg_bit_off);
47934 - atomic_inc(&osb->alloc_stats.bitmap_data);
47935 + atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
47936 }
47937 }
47938 if (status < 0) {
47939 diff -urNp linux-2.6.32.46/fs/ocfs2/super.c linux-2.6.32.46/fs/ocfs2/super.c
47940 --- linux-2.6.32.46/fs/ocfs2/super.c 2011-03-27 14:31:47.000000000 -0400
47941 +++ linux-2.6.32.46/fs/ocfs2/super.c 2011-04-17 15:56:46.000000000 -0400
47942 @@ -284,11 +284,11 @@ static int ocfs2_osb_dump(struct ocfs2_s
47943 "%10s => GlobalAllocs: %d LocalAllocs: %d "
47944 "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
47945 "Stats",
47946 - atomic_read(&osb->alloc_stats.bitmap_data),
47947 - atomic_read(&osb->alloc_stats.local_data),
47948 - atomic_read(&osb->alloc_stats.bg_allocs),
47949 - atomic_read(&osb->alloc_stats.moves),
47950 - atomic_read(&osb->alloc_stats.bg_extends));
47951 + atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
47952 + atomic_read_unchecked(&osb->alloc_stats.local_data),
47953 + atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
47954 + atomic_read_unchecked(&osb->alloc_stats.moves),
47955 + atomic_read_unchecked(&osb->alloc_stats.bg_extends));
47956
47957 out += snprintf(buf + out, len - out,
47958 "%10s => State: %u Descriptor: %llu Size: %u bits "
47959 @@ -2002,11 +2002,11 @@ static int ocfs2_initialize_super(struct
47960 spin_lock_init(&osb->osb_xattr_lock);
47961 ocfs2_init_inode_steal_slot(osb);
47962
47963 - atomic_set(&osb->alloc_stats.moves, 0);
47964 - atomic_set(&osb->alloc_stats.local_data, 0);
47965 - atomic_set(&osb->alloc_stats.bitmap_data, 0);
47966 - atomic_set(&osb->alloc_stats.bg_allocs, 0);
47967 - atomic_set(&osb->alloc_stats.bg_extends, 0);
47968 + atomic_set_unchecked(&osb->alloc_stats.moves, 0);
47969 + atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
47970 + atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
47971 + atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
47972 + atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
47973
47974 /* Copy the blockcheck stats from the superblock probe */
47975 osb->osb_ecc_stats = *stats;
47976 diff -urNp linux-2.6.32.46/fs/open.c linux-2.6.32.46/fs/open.c
47977 --- linux-2.6.32.46/fs/open.c 2011-03-27 14:31:47.000000000 -0400
47978 +++ linux-2.6.32.46/fs/open.c 2011-09-13 16:03:56.000000000 -0400
47979 @@ -275,6 +275,10 @@ static long do_sys_truncate(const char _
47980 error = locks_verify_truncate(inode, NULL, length);
47981 if (!error)
47982 error = security_path_truncate(&path, length, 0);
47983 +
47984 + if (!error && !gr_acl_handle_truncate(path.dentry, path.mnt))
47985 + error = -EACCES;
47986 +
47987 if (!error) {
47988 vfs_dq_init(inode);
47989 error = do_truncate(path.dentry, length, 0, NULL);
47990 @@ -511,6 +515,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, con
47991 if (__mnt_is_readonly(path.mnt))
47992 res = -EROFS;
47993
47994 + if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
47995 + res = -EACCES;
47996 +
47997 out_path_release:
47998 path_put(&path);
47999 out:
48000 @@ -537,6 +544,8 @@ SYSCALL_DEFINE1(chdir, const char __user
48001 if (error)
48002 goto dput_and_out;
48003
48004 + gr_log_chdir(path.dentry, path.mnt);
48005 +
48006 set_fs_pwd(current->fs, &path);
48007
48008 dput_and_out:
48009 @@ -563,6 +572,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd
48010 goto out_putf;
48011
48012 error = inode_permission(inode, MAY_EXEC | MAY_ACCESS);
48013 +
48014 + if (!error && !gr_chroot_fchdir(file->f_path.dentry, file->f_path.mnt))
48015 + error = -EPERM;
48016 +
48017 + if (!error)
48018 + gr_log_chdir(file->f_path.dentry, file->f_path.mnt);
48019 +
48020 if (!error)
48021 set_fs_pwd(current->fs, &file->f_path);
48022 out_putf:
48023 @@ -588,7 +604,13 @@ SYSCALL_DEFINE1(chroot, const char __use
48024 if (!capable(CAP_SYS_CHROOT))
48025 goto dput_and_out;
48026
48027 + if (gr_handle_chroot_chroot(path.dentry, path.mnt))
48028 + goto dput_and_out;
48029 +
48030 set_fs_root(current->fs, &path);
48031 +
48032 + gr_handle_chroot_chdir(&path);
48033 +
48034 error = 0;
48035 dput_and_out:
48036 path_put(&path);
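Review bot: The new `gr_handle_chroot_chroot()` denial jumps to `dput_and_out` without assigning `error`, so the returned value is whatever `error` held before the `capable(CAP_SYS_CHROOT)` test, which is set outside this hunk. Most other denials this patch adds in fs/open.c assign the code explicitly. Doing the same here, `error = -EPERM;` before the `goto` with braces around both statements, keeps the refusal from changing its return value if the earlier code is edited. The result of `gr_handle_chroot_chdir(&path)` after `set_fs_root()` is not used; if that helper returns a status, a comment saying why it is ignored would help.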
48037 @@ -616,12 +638,27 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
48038 err = mnt_want_write_file(file);
48039 if (err)
48040 goto out_putf;
48041 +
48042 mutex_lock(&inode->i_mutex);
48043 +
48044 + if (!gr_acl_handle_fchmod(dentry, file->f_path.mnt, mode)) {
48045 + err = -EACCES;
48046 + goto out_unlock;
48047 + }
48048 +
48049 if (mode == (mode_t) -1)
48050 mode = inode->i_mode;
48051 +
48052 + if (gr_handle_chroot_chmod(dentry, file->f_path.mnt, mode)) {
48053 + err = -EPERM;
48054 + goto out_unlock;
48055 + }
48056 +
48057 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
48058 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
48059 err = notify_change(dentry, &newattrs);
48060 +
48061 +out_unlock:
48062 mutex_unlock(&inode->i_mutex);
48063 mnt_drop_write(file->f_path.mnt);
48064 out_putf:
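Review bot: `gr_acl_handle_fchmod()` is called with `mode` before the `mode == (mode_t) -1` case is replaced by `inode->i_mode`, while `gr_handle_chroot_chmod()` is called after it, so the two checks can see different values for the same request. If the ACL helper inspects the mode bits, the sentinel has every bit set, including setuid and setgid; whether the helper accounts for that is not visible here. Moving the ACL check below the normalisation, or adding a comment such as `/* ACL check intentionally sees the raw mode, including (mode_t) -1 */`, would settle it. The fchmodat hunk that follows has the same ordering with `gr_acl_handle_chmod()`.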
48065 @@ -645,12 +682,27 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
48066 error = mnt_want_write(path.mnt);
48067 if (error)
48068 goto dput_and_out;
48069 +
48070 mutex_lock(&inode->i_mutex);
48071 +
48072 + if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) {
48073 + error = -EACCES;
48074 + goto out_unlock;
48075 + }
48076 +
48077 if (mode == (mode_t) -1)
48078 mode = inode->i_mode;
48079 +
48080 + if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
48081 + error = -EACCES;
48082 + goto out_unlock;
48083 + }
48084 +
48085 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
48086 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
48087 error = notify_change(path.dentry, &newattrs);
48088 +
48089 +out_unlock:
48090 mutex_unlock(&inode->i_mutex);
48091 mnt_drop_write(path.mnt);
48092 dput_and_out:
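Review bot: A refusal from `gr_handle_chroot_chmod()` sets `-EACCES` here but `-EPERM` in the fchmod hunk just above, so the same policy decision yields a different errno depending on which syscall was used. Unless the difference is intended, use one code in both places, e.g. `error = -EPERM;` in this hunk. If it is intended, a comment at one of the two sites should say why, because callers and audit tooling that key on errno will treat the two paths differently.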
48093 @@ -664,12 +716,15 @@ SYSCALL_DEFINE2(chmod, const char __user
48094 return sys_fchmodat(AT_FDCWD, filename, mode);
48095 }
48096
48097 -static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
48098 +static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt)
48099 {
48100 struct inode *inode = dentry->d_inode;
48101 int error;
48102 struct iattr newattrs;
48103
48104 + if (!gr_acl_handle_chown(dentry, mnt))
48105 + return -EACCES;
48106 +
48107 newattrs.ia_valid = ATTR_CTIME;
48108 if (user != (uid_t) -1) {
48109 newattrs.ia_valid |= ATTR_UID;
48110 @@ -700,7 +755,7 @@ SYSCALL_DEFINE3(chown, const char __user
48111 error = mnt_want_write(path.mnt);
48112 if (error)
48113 goto out_release;
48114 - error = chown_common(path.dentry, user, group);
48115 + error = chown_common(path.dentry, user, group, path.mnt);
48116 mnt_drop_write(path.mnt);
48117 out_release:
48118 path_put(&path);
48119 @@ -725,7 +780,7 @@ SYSCALL_DEFINE5(fchownat, int, dfd, cons
48120 error = mnt_want_write(path.mnt);
48121 if (error)
48122 goto out_release;
48123 - error = chown_common(path.dentry, user, group);
48124 + error = chown_common(path.dentry, user, group, path.mnt);
48125 mnt_drop_write(path.mnt);
48126 out_release:
48127 path_put(&path);
48128 @@ -744,7 +799,7 @@ SYSCALL_DEFINE3(lchown, const char __use
48129 error = mnt_want_write(path.mnt);
48130 if (error)
48131 goto out_release;
48132 - error = chown_common(path.dentry, user, group);
48133 + error = chown_common(path.dentry, user, group, path.mnt);
48134 mnt_drop_write(path.mnt);
48135 out_release:
48136 path_put(&path);
48137 @@ -767,7 +822,7 @@ SYSCALL_DEFINE3(fchown, unsigned int, fd
48138 goto out_fput;
48139 dentry = file->f_path.dentry;
48140 audit_inode(NULL, dentry);
48141 - error = chown_common(dentry, user, group);
48142 + error = chown_common(dentry, user, group, file->f_path.mnt);
48143 mnt_drop_write(file->f_path.mnt);
48144 out_fput:
48145 fput(file);
48146 @@ -1036,7 +1091,10 @@ long do_sys_open(int dfd, const char __u
48147 if (!IS_ERR(tmp)) {
48148 fd = get_unused_fd_flags(flags);
48149 if (fd >= 0) {
48150 - struct file *f = do_filp_open(dfd, tmp, flags, mode, 0);
48151 + struct file *f;
48152 + /* don't allow to be set by userland */
48153 + flags &= ~FMODE_GREXEC;
48154 + f = do_filp_open(dfd, tmp, flags, mode, 0);
48155 if (IS_ERR(f)) {
48156 put_unused_fd(fd);
48157 fd = PTR_ERR(f);
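Review bot: The comment `/* don't allow to be set by userland */` does not say what is being protected. `FMODE_GREXEC` is an `FMODE_*` constant cleared from the caller-supplied `O_*` flags word, which reads like a type mix-up unless the reader already knows the bit travels internally through `flags`. A fuller comment would help, for example `/* FMODE_GREXEC is a kernel-internal marker carried in the open flags; strip it so userspace cannot forge it */`. The definition of `FMODE_GREXEC` and the code that consumes it are outside this hunk, so the wording should be checked against them. Any other entry point that forwards user-supplied flags to `do_filp_open()` would need the same mask.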
48158 diff -urNp linux-2.6.32.46/fs/partitions/ldm.c linux-2.6.32.46/fs/partitions/ldm.c
48159 --- linux-2.6.32.46/fs/partitions/ldm.c 2011-06-25 12:55:34.000000000 -0400
48160 +++ linux-2.6.32.46/fs/partitions/ldm.c 2011-06-25 12:56:37.000000000 -0400
48161 @@ -1311,6 +1311,7 @@ static bool ldm_frag_add (const u8 *data
48162 ldm_error ("A VBLK claims to have %d parts.", num);
48163 return false;
48164 }
48165 +
48166 if (rec >= num) {
48167 ldm_error("REC value (%d) exceeds NUM value (%d)", rec, num);
48168 return false;
48169 @@ -1322,7 +1323,7 @@ static bool ldm_frag_add (const u8 *data
48170 goto found;
48171 }
48172
48173 - f = kmalloc (sizeof (*f) + size*num, GFP_KERNEL);
48174 + f = kmalloc (size*num + sizeof (*f), GFP_KERNEL);
48175 if (!f) {
48176 ldm_crit ("Out of memory.");
48177 return false;
48178 diff -urNp linux-2.6.32.46/fs/partitions/mac.c linux-2.6.32.46/fs/partitions/mac.c
48179 --- linux-2.6.32.46/fs/partitions/mac.c 2011-03-27 14:31:47.000000000 -0400
48180 +++ linux-2.6.32.46/fs/partitions/mac.c 2011-04-17 15:56:46.000000000 -0400
48181 @@ -59,11 +59,11 @@ int mac_partition(struct parsed_partitio
48182 return 0; /* not a MacOS disk */
48183 }
48184 blocks_in_map = be32_to_cpu(part->map_count);
48185 + printk(" [mac]");
48186 if (blocks_in_map < 0 || blocks_in_map >= DISK_MAX_PARTS) {
48187 put_dev_sector(sect);
48188 return 0;
48189 }
48190 - printk(" [mac]");
48191 for (slot = 1; slot <= blocks_in_map; ++slot) {
48192 int pos = slot * secsize;
48193 put_dev_sector(sect);
48194 diff -urNp linux-2.6.32.46/fs/pipe.c linux-2.6.32.46/fs/pipe.c
48195 --- linux-2.6.32.46/fs/pipe.c 2011-03-27 14:31:47.000000000 -0400
48196 +++ linux-2.6.32.46/fs/pipe.c 2011-04-23 13:37:17.000000000 -0400
48197 @@ -401,9 +401,9 @@ redo:
48198 }
48199 if (bufs) /* More to do? */
48200 continue;
48201 - if (!pipe->writers)
48202 + if (!atomic_read(&pipe->writers))
48203 break;
48204 - if (!pipe->waiting_writers) {
48205 + if (!atomic_read(&pipe->waiting_writers)) {
48206 /* syscall merging: Usually we must not sleep
48207 * if O_NONBLOCK is set, or if we got some data.
48208 * But if a writer sleeps in kernel space, then
48209 @@ -462,7 +462,7 @@ pipe_write(struct kiocb *iocb, const str
48210 mutex_lock(&inode->i_mutex);
48211 pipe = inode->i_pipe;
48212
48213 - if (!pipe->readers) {
48214 + if (!atomic_read(&pipe->readers)) {
48215 send_sig(SIGPIPE, current, 0);
48216 ret = -EPIPE;
48217 goto out;
48218 @@ -511,7 +511,7 @@ redo1:
48219 for (;;) {
48220 int bufs;
48221
48222 - if (!pipe->readers) {
48223 + if (!atomic_read(&pipe->readers)) {
48224 send_sig(SIGPIPE, current, 0);
48225 if (!ret)
48226 ret = -EPIPE;
48227 @@ -597,9 +597,9 @@ redo2:
48228 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
48229 do_wakeup = 0;
48230 }
48231 - pipe->waiting_writers++;
48232 + atomic_inc(&pipe->waiting_writers);
48233 pipe_wait(pipe);
48234 - pipe->waiting_writers--;
48235 + atomic_dec(&pipe->waiting_writers);
48236 }
48237 out:
48238 mutex_unlock(&inode->i_mutex);
48239 @@ -666,7 +666,7 @@ pipe_poll(struct file *filp, poll_table
48240 mask = 0;
48241 if (filp->f_mode & FMODE_READ) {
48242 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
48243 - if (!pipe->writers && filp->f_version != pipe->w_counter)
48244 + if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
48245 mask |= POLLHUP;
48246 }
48247
48248 @@ -676,7 +676,7 @@ pipe_poll(struct file *filp, poll_table
48249 * Most Unices do not set POLLERR for FIFOs but on Linux they
48250 * behave exactly like pipes for poll().
48251 */
48252 - if (!pipe->readers)
48253 + if (!atomic_read(&pipe->readers))
48254 mask |= POLLERR;
48255 }
48256
48257 @@ -690,10 +690,10 @@ pipe_release(struct inode *inode, int de
48258
48259 mutex_lock(&inode->i_mutex);
48260 pipe = inode->i_pipe;
48261 - pipe->readers -= decr;
48262 - pipe->writers -= decw;
48263 + atomic_sub(decr, &pipe->readers);
48264 + atomic_sub(decw, &pipe->writers);
48265
48266 - if (!pipe->readers && !pipe->writers) {
48267 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {
48268 free_pipe_info(inode);
48269 } else {
48270 wake_up_interruptible_sync(&pipe->wait);
48271 @@ -783,7 +783,7 @@ pipe_read_open(struct inode *inode, stru
48272
48273 if (inode->i_pipe) {
48274 ret = 0;
48275 - inode->i_pipe->readers++;
48276 + atomic_inc(&inode->i_pipe->readers);
48277 }
48278
48279 mutex_unlock(&inode->i_mutex);
48280 @@ -800,7 +800,7 @@ pipe_write_open(struct inode *inode, str
48281
48282 if (inode->i_pipe) {
48283 ret = 0;
48284 - inode->i_pipe->writers++;
48285 + atomic_inc(&inode->i_pipe->writers);
48286 }
48287
48288 mutex_unlock(&inode->i_mutex);
48289 @@ -818,9 +818,9 @@ pipe_rdwr_open(struct inode *inode, stru
48290 if (inode->i_pipe) {
48291 ret = 0;
48292 if (filp->f_mode & FMODE_READ)
48293 - inode->i_pipe->readers++;
48294 + atomic_inc(&inode->i_pipe->readers);
48295 if (filp->f_mode & FMODE_WRITE)
48296 - inode->i_pipe->writers++;
48297 + atomic_inc(&inode->i_pipe->writers);
48298 }
48299
48300 mutex_unlock(&inode->i_mutex);
48301 @@ -905,7 +905,7 @@ void free_pipe_info(struct inode *inode)
48302 inode->i_pipe = NULL;
48303 }
48304
48305 -static struct vfsmount *pipe_mnt __read_mostly;
48306 +struct vfsmount *pipe_mnt __read_mostly;
48307 static int pipefs_delete_dentry(struct dentry *dentry)
48308 {
48309 /*
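Review bot: Dropping `static` from `pipe_mnt` turns a file-local pointer into a global symbol, and nothing in this hunk says who the new user is. A comment at the definition, e.g. `/* non-static: also referenced from <consumer file> */`, would keep the wider visibility deliberate. An `extern` declaration in a shared header, rather than in the consuming .c file, would keep it type-checked. The consumer is not visible here, so the placeholder has to be filled in from the rest of the patch.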
48310 @@ -945,7 +945,8 @@ static struct inode * get_pipe_inode(voi
48311 goto fail_iput;
48312 inode->i_pipe = pipe;
48313
48314 - pipe->readers = pipe->writers = 1;
48315 + atomic_set(&pipe->readers, 1);
48316 + atomic_set(&pipe->writers, 1);
48317 inode->i_fop = &rdwr_pipefifo_fops;
48318
48319 /*
48320 diff -urNp linux-2.6.32.46/fs/proc/array.c linux-2.6.32.46/fs/proc/array.c
48321 --- linux-2.6.32.46/fs/proc/array.c 2011-03-27 14:31:47.000000000 -0400
48322 +++ linux-2.6.32.46/fs/proc/array.c 2011-05-16 21:46:57.000000000 -0400
48323 @@ -60,6 +60,7 @@
48324 #include <linux/tty.h>
48325 #include <linux/string.h>
48326 #include <linux/mman.h>
48327 +#include <linux/grsecurity.h>
48328 #include <linux/proc_fs.h>
48329 #include <linux/ioport.h>
48330 #include <linux/uaccess.h>
48331 @@ -321,6 +322,21 @@ static inline void task_context_switch_c
48332 p->nivcsw);
48333 }
48334
48335 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
48336 +static inline void task_pax(struct seq_file *m, struct task_struct *p)
48337 +{
48338 + if (p->mm)
48339 + seq_printf(m, "PaX:\t%c%c%c%c%c\n",
48340 + p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
48341 + p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
48342 + p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
48343 + p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
48344 + p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
48345 + else
48346 + seq_printf(m, "PaX:\t-----\n");
48347 +}
48348 +#endif
48349 +
48350 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
48351 struct pid *pid, struct task_struct *task)
48352 {
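Review bot: task_pax() tests `p->mm` and then reads it again five times in the seq_printf() arguments without pinning it, so the pointer can change or go away between the NULL check and the dereferences if the task exits while its status file is being read. No lock is visible in this hunk, and the caller proc_pid_status() is only partly shown, so confirm whether one is held. Taking a single reference with get_task_mm(), as proc_pid_auxv() does elsewhere in this patch, and copying pax_flags once would close that window. The sketch below assumes sleeping in mmput() is acceptable in this context.

```c
static inline void task_pax(struct seq_file *m, struct task_struct *p)
{
	struct mm_struct *mm = get_task_mm(p);
	unsigned long flags;	/* match the declared type of mm->pax_flags */

	if (!mm) {
		seq_printf(m, "PaX:\t-----\n");
		return;
	}
	flags = mm->pax_flags;	/* one read, taken while the mm is pinned */
	mmput(mm);

	seq_printf(m, "PaX:\t%c%c%c%c%c\n",
		   flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
		   flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
		   flags & MF_PAX_MPROTECT ? 'M' : 'm',
		   flags & MF_PAX_RANDMMAP ? 'R' : 'r',
		   flags & MF_PAX_SEGMEXEC ? 'S' : 's');
}
```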
48353 @@ -337,9 +353,24 @@ int proc_pid_status(struct seq_file *m,
48354 task_cap(m, task);
48355 cpuset_task_status_allowed(m, task);
48356 task_context_switch_counts(m, task);
48357 +
48358 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
48359 + task_pax(m, task);
48360 +#endif
48361 +
48362 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
48363 + task_grsec_rbac(m, task);
48364 +#endif
48365 +
48366 return 0;
48367 }
48368
48369 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
48370 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
48371 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
48372 + _mm->pax_flags & MF_PAX_SEGMEXEC))
48373 +#endif
48374 +
48375 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
48376 struct pid *pid, struct task_struct *task, int whole)
48377 {
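Review bot: PAX_RAND_FLAGS is defined here with its argument unparenthesized, and the same text is pasted again in the fs/proc/base.c and fs/proc/task_mmu.c hunks of this patch. Three private copies of a macro that decides whether addresses are disclosed can drift apart silently. The bare `_mm` also only works because every current caller passes a simple expression (`mm`, `vma->vm_mm`). I would define it once in a shared header as `#define PAX_RAND_FLAGS(_mm) ((_mm) != NULL && (_mm) != current->mm && ((_mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)))` and add a one-line comment saying it is true for a foreign mm with randomization active.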
48378 @@ -358,9 +389,11 @@ static int do_task_stat(struct seq_file
48379 cputime_t cutime, cstime, utime, stime;
48380 cputime_t cgtime, gtime;
48381 unsigned long rsslim = 0;
48382 - char tcomm[sizeof(task->comm)];
48383 + char tcomm[sizeof(task->comm)] = { 0 };
48384 unsigned long flags;
48385
48386 + pax_track_stack();
48387 +
48388 state = *get_task_state(task);
48389 vsize = eip = esp = 0;
48390 permitted = ptrace_may_access(task, PTRACE_MODE_READ);
48391 @@ -433,6 +466,19 @@ static int do_task_stat(struct seq_file
48392 gtime = task_gtime(task);
48393 }
48394
48395 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
48396 + if (PAX_RAND_FLAGS(mm)) {
48397 + eip = 0;
48398 + esp = 0;
48399 + wchan = 0;
48400 + }
48401 +#endif
48402 +#ifdef CONFIG_GRKERNSEC_HIDESYM
48403 + wchan = 0;
48404 + eip =0;
48405 + esp =0;
48406 +#endif
48407 +
48408 /* scale priority and nice values from timeslices to -20..20 */
48409 /* to make it look like a "normal" Unix priority/nice value */
48410 priority = task_prio(task);
48411 @@ -473,9 +519,15 @@ static int do_task_stat(struct seq_file
48412 vsize,
48413 mm ? get_mm_rss(mm) : 0,
48414 rsslim,
48415 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
48416 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->start_code : 1) : 0),
48417 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->end_code : 1) : 0),
48418 + PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? mm->start_stack : 0),
48419 +#else
48420 mm ? (permitted ? mm->start_code : 1) : 0,
48421 mm ? (permitted ? mm->end_code : 1) : 0,
48422 (permitted && mm) ? mm->start_stack : 0,
48423 +#endif
48424 esp,
48425 eip,
48426 /* The signal information here is obsolete.
48427 @@ -528,3 +580,18 @@ int proc_pid_statm(struct seq_file *m, s
48428
48429 return 0;
48430 }
48431 +
48432 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
48433 +int proc_pid_ipaddr(struct task_struct *task, char *buffer)
48434 +{
48435 + u32 curr_ip = 0;
48436 + unsigned long flags;
48437 +
48438 + if (lock_task_sighand(task, &flags)) {
48439 + curr_ip = task->signal->curr_ip;
48440 + unlock_task_sighand(task, &flags);
48441 + }
48442 +
48443 + return sprintf(buffer, "%pI4\n", &curr_ip);
48444 +}
48445 +#endif
48446 diff -urNp linux-2.6.32.46/fs/proc/base.c linux-2.6.32.46/fs/proc/base.c
48447 --- linux-2.6.32.46/fs/proc/base.c 2011-08-09 18:35:30.000000000 -0400
48448 +++ linux-2.6.32.46/fs/proc/base.c 2011-09-13 14:51:06.000000000 -0400
48449 @@ -102,6 +102,22 @@ struct pid_entry {
48450 union proc_op op;
48451 };
48452
48453 +struct getdents_callback {
48454 + struct linux_dirent __user * current_dir;
48455 + struct linux_dirent __user * previous;
48456 + struct file * file;
48457 + int count;
48458 + int error;
48459 +};
48460 +
48461 +static int gr_fake_filldir(void * __buf, const char *name, int namlen,
48462 + loff_t offset, u64 ino, unsigned int d_type)
48463 +{
48464 + struct getdents_callback * buf = (struct getdents_callback *) __buf;
48465 + buf->error = -EINVAL;
48466 + return 0;
48467 +}
48468 +
48469 #define NOD(NAME, MODE, IOP, FOP, OP) { \
48470 .name = (NAME), \
48471 .len = sizeof(NAME) - 1, \
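Review bot: gr_fake_filldir() casts the opaque `__buf` to a file-local copy of `struct getdents_callback` and writes `buf->error`, which is only safe if every caller that reaches proc_pid_readdir() passes a buffer with `error` at that same offset. Nothing in this hunk ties the copy to the definition used by the readdir syscalls, and other filldir users (getdents64, old readdir, in-kernel callers) have their own callback structs, so a layout mismatch would make this a stray kernel-stack write. Share the struct through a header rather than redeclaring it, or avoid touching the buffer at all. If the goal is only to hide the entry, the proc_pid_readdir() hunk later in this file could skip the proc_pid_fill_cache() call for that iteration, after checking next_tgid()'s reference handling, which is outside the diff. A comment on gr_fake_filldir() stating why it returns 0 while setting -EINVAL would also help.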
48472 @@ -213,6 +229,9 @@ static int check_mem_permission(struct t
48473 if (task == current)
48474 return 0;
48475
48476 + if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
48477 + return -EPERM;
48478 +
48479 /*
48480 * If current is actively ptrace'ing, and would also be
48481 * permitted to freshly attach with ptrace now, permit it.
48482 @@ -260,6 +279,9 @@ static int proc_pid_cmdline(struct task_
48483 if (!mm->arg_end)
48484 goto out_mm; /* Shh! No looking before we're done */
48485
48486 + if (gr_acl_handle_procpidmem(task))
48487 + goto out_mm;
48488 +
48489 len = mm->arg_end - mm->arg_start;
48490
48491 if (len > PAGE_SIZE)
48492 @@ -287,12 +309,28 @@ out:
48493 return res;
48494 }
48495
48496 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
48497 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
48498 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
48499 + _mm->pax_flags & MF_PAX_SEGMEXEC))
48500 +#endif
48501 +
48502 static int proc_pid_auxv(struct task_struct *task, char *buffer)
48503 {
48504 int res = 0;
48505 struct mm_struct *mm = get_task_mm(task);
48506 if (mm) {
48507 unsigned int nwords = 0;
48508 +
48509 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
48510 + /* allow if we're currently ptracing this task */
48511 + if (PAX_RAND_FLAGS(mm) &&
48512 + (!(task->ptrace & PT_PTRACED) || (task->parent != current))) {
48513 + mmput(mm);
48514 + return 0;
48515 + }
48516 +#endif
48517 +
48518 do {
48519 nwords += 2;
48520 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
48521 @@ -306,7 +344,7 @@ static int proc_pid_auxv(struct task_str
48522 }
48523
48524
48525 -#ifdef CONFIG_KALLSYMS
48526 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
48527 /*
48528 * Provides a wchan file via kallsyms in a proper one-value-per-file format.
48529 * Returns the resolved symbol. If that fails, simply return the address.
48530 @@ -328,7 +366,7 @@ static int proc_pid_wchan(struct task_st
48531 }
48532 #endif /* CONFIG_KALLSYMS */
48533
48534 -#ifdef CONFIG_STACKTRACE
48535 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
48536
48537 #define MAX_STACK_TRACE_DEPTH 64
48538
48539 @@ -522,7 +560,7 @@ static int proc_pid_limits(struct task_s
48540 return count;
48541 }
48542
48543 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
48544 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
48545 static int proc_pid_syscall(struct task_struct *task, char *buffer)
48546 {
48547 long nr;
48548 @@ -547,7 +585,7 @@ static int proc_pid_syscall(struct task_
48549 /************************************************************************/
48550
48551 /* permission checks */
48552 -static int proc_fd_access_allowed(struct inode *inode)
48553 +static int proc_fd_access_allowed(struct inode *inode, unsigned int log)
48554 {
48555 struct task_struct *task;
48556 int allowed = 0;
48557 @@ -557,7 +595,10 @@ static int proc_fd_access_allowed(struct
48558 */
48559 task = get_proc_task(inode);
48560 if (task) {
48561 - allowed = ptrace_may_access(task, PTRACE_MODE_READ);
48562 + if (log)
48563 + allowed = ptrace_may_access_log(task, PTRACE_MODE_READ);
48564 + else
48565 + allowed = ptrace_may_access(task, PTRACE_MODE_READ);
48566 put_task_struct(task);
48567 }
48568 return allowed;
48569 @@ -936,6 +977,9 @@ static ssize_t environ_read(struct file
48570 if (!task)
48571 goto out_no_task;
48572
48573 + if (gr_acl_handle_procpidmem(task))
48574 + goto out;
48575 +
48576 if (!ptrace_may_access(task, PTRACE_MODE_READ))
48577 goto out;
48578
48579 @@ -1350,7 +1394,7 @@ static void *proc_pid_follow_link(struct
48580 path_put(&nd->path);
48581
48582 /* Are we allowed to snoop on the tasks file descriptors? */
48583 - if (!proc_fd_access_allowed(inode))
48584 + if (!proc_fd_access_allowed(inode,0))
48585 goto out;
48586
48587 error = PROC_I(inode)->op.proc_get_link(inode, &nd->path);
48588 @@ -1390,8 +1434,18 @@ static int proc_pid_readlink(struct dent
48589 struct path path;
48590
48591 /* Are we allowed to snoop on the tasks file descriptors? */
48592 - if (!proc_fd_access_allowed(inode))
48593 - goto out;
48594 + /* logging this is needed for learning on chromium to work properly,
48595 + but we don't want to flood the logs from 'ps' which does a readlink
48596 + on /proc/fd/2 of tasks in the listing, nor do we want 'ps' to learn
48597 + CAP_SYS_PTRACE as it's not necessary for its basic functionality
48598 + */
48599 + if (dentry->d_name.name[0] == '2' && dentry->d_name.name[1] == '\0') {
48600 + if (!proc_fd_access_allowed(inode,0))
48601 + goto out;
48602 + } else {
48603 + if (!proc_fd_access_allowed(inode,1))
48604 + goto out;
48605 + }
48606
48607 error = PROC_I(inode)->op.proc_get_link(inode, &path);
48608 if (error)
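Review bot: The two branches added here differ only in the second argument, so the check can be written once: `log = !(dentry->d_name.name[0] == '2' && dentry->d_name.name[1] == '\0');` followed by `if (!proc_fd_access_allowed(inode, log)) goto out;`. The comment speaks of /proc/fd/2, but the test matches any link handled by proc_pid_readlink() whose dentry name is "2". If only fd entries are meant, say so in the comment or check the parent as well. The function body continues outside the hunk.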
48609 @@ -1456,7 +1510,11 @@ static struct inode *proc_pid_make_inode
48610 rcu_read_lock();
48611 cred = __task_cred(task);
48612 inode->i_uid = cred->euid;
48613 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
48614 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
48615 +#else
48616 inode->i_gid = cred->egid;
48617 +#endif
48618 rcu_read_unlock();
48619 }
48620 security_task_to_inode(task, inode);
48621 @@ -1474,6 +1532,9 @@ static int pid_getattr(struct vfsmount *
48622 struct inode *inode = dentry->d_inode;
48623 struct task_struct *task;
48624 const struct cred *cred;
48625 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
48626 + const struct cred *tmpcred = current_cred();
48627 +#endif
48628
48629 generic_fillattr(inode, stat);
48630
48631 @@ -1481,13 +1542,41 @@ static int pid_getattr(struct vfsmount *
48632 stat->uid = 0;
48633 stat->gid = 0;
48634 task = pid_task(proc_pid(inode), PIDTYPE_PID);
48635 +
48636 + if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
48637 + rcu_read_unlock();
48638 + return -ENOENT;
48639 + }
48640 +
48641 if (task) {
48642 + cred = __task_cred(task);
48643 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
48644 + if (!tmpcred->uid || (tmpcred->uid == cred->uid)
48645 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
48646 + || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
48647 +#endif
48648 + ) {
48649 +#endif
48650 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
48651 +#ifdef CONFIG_GRKERNSEC_PROC_USER
48652 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
48653 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
48654 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
48655 +#endif
48656 task_dumpable(task)) {
48657 - cred = __task_cred(task);
48658 stat->uid = cred->euid;
48659 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
48660 + stat->gid = CONFIG_GRKERNSEC_PROC_GID;
48661 +#else
48662 stat->gid = cred->egid;
48663 +#endif
48664 }
48665 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
48666 + } else {
48667 + rcu_read_unlock();
48668 + return -ENOENT;
48669 + }
48670 +#endif
48671 }
48672 rcu_read_unlock();
48673 return 0;
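Review bot: The visibility check in pid_getattr() opens a brace inside one `#if` block and closes it in a separate `#if ... } else {` block further down, with a nested `#ifdef` in the middle of the condition. That makes it easy to misread which configurations reach the `-ENOENT` return, and each early return has to repeat `rcu_read_unlock()`. I would compute the decision once into a local, for example a `bool visible` that defaults to true and is overridden under the PROC_USER/PROC_USERGROUP options, and keep a single `if (!visible)` exit. The three-way `inode->i_mode == ...` test is repeated verbatim in the pid_revalidate() hunk below and would read better as one small static helper with a comment naming the three directory modes it accepts.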
48674 @@ -1518,11 +1607,20 @@ static int pid_revalidate(struct dentry
48675
48676 if (task) {
48677 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
48678 +#ifdef CONFIG_GRKERNSEC_PROC_USER
48679 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
48680 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
48681 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
48682 +#endif
48683 task_dumpable(task)) {
48684 rcu_read_lock();
48685 cred = __task_cred(task);
48686 inode->i_uid = cred->euid;
48687 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
48688 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
48689 +#else
48690 inode->i_gid = cred->egid;
48691 +#endif
48692 rcu_read_unlock();
48693 } else {
48694 inode->i_uid = 0;
48695 @@ -1643,7 +1741,8 @@ static int proc_fd_info(struct inode *in
48696 int fd = proc_fd(inode);
48697
48698 if (task) {
48699 - files = get_files_struct(task);
48700 + if (!gr_acl_handle_procpidmem(task))
48701 + files = get_files_struct(task);
48702 put_task_struct(task);
48703 }
48704 if (files) {
48705 @@ -1895,12 +1994,22 @@ static const struct file_operations proc
48706 static int proc_fd_permission(struct inode *inode, int mask)
48707 {
48708 int rv;
48709 + struct task_struct *task;
48710
48711 rv = generic_permission(inode, mask, NULL);
48712 - if (rv == 0)
48713 - return 0;
48714 +
48715 if (task_pid(current) == proc_pid(inode))
48716 rv = 0;
48717 +
48718 + task = get_proc_task(inode);
48719 + if (task == NULL)
48720 + return rv;
48721 +
48722 + if (gr_acl_handle_procpidmem(task))
48723 + rv = -EACCES;
48724 +
48725 + put_task_struct(task);
48726 +
48727 return rv;
48728 }
48729
48730 @@ -2009,6 +2118,9 @@ static struct dentry *proc_pident_lookup
48731 if (!task)
48732 goto out_no_task;
48733
48734 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
48735 + goto out;
48736 +
48737 /*
48738 * Yes, it does not scale. And it should not. Don't add
48739 * new entries into /proc/<tgid>/ without very good reasons.
48740 @@ -2053,6 +2165,9 @@ static int proc_pident_readdir(struct fi
48741 if (!task)
48742 goto out_no_task;
48743
48744 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
48745 + goto out;
48746 +
48747 ret = 0;
48748 i = filp->f_pos;
48749 switch (i) {
48750 @@ -2320,7 +2435,7 @@ static void *proc_self_follow_link(struc
48751 static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
48752 void *cookie)
48753 {
48754 - char *s = nd_get_link(nd);
48755 + const char *s = nd_get_link(nd);
48756 if (!IS_ERR(s))
48757 __putname(s);
48758 }
48759 @@ -2522,7 +2637,7 @@ static const struct pid_entry tgid_base_
48760 #ifdef CONFIG_SCHED_DEBUG
48761 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
48762 #endif
48763 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
48764 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
48765 INF("syscall", S_IRUSR, proc_pid_syscall),
48766 #endif
48767 INF("cmdline", S_IRUGO, proc_pid_cmdline),
48768 @@ -2547,10 +2662,10 @@ static const struct pid_entry tgid_base_
48769 #ifdef CONFIG_SECURITY
48770 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
48771 #endif
48772 -#ifdef CONFIG_KALLSYMS
48773 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
48774 INF("wchan", S_IRUGO, proc_pid_wchan),
48775 #endif
48776 -#ifdef CONFIG_STACKTRACE
48777 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
48778 ONE("stack", S_IRUSR, proc_pid_stack),
48779 #endif
48780 #ifdef CONFIG_SCHEDSTATS
48781 @@ -2580,6 +2695,9 @@ static const struct pid_entry tgid_base_
48782 #ifdef CONFIG_TASK_IO_ACCOUNTING
48783 INF("io", S_IRUSR, proc_tgid_io_accounting),
48784 #endif
48785 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
48786 + INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
48787 +#endif
48788 };
48789
48790 static int proc_tgid_base_readdir(struct file * filp,
48791 @@ -2704,7 +2822,14 @@ static struct dentry *proc_pid_instantia
48792 if (!inode)
48793 goto out;
48794
48795 +#ifdef CONFIG_GRKERNSEC_PROC_USER
48796 + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
48797 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
48798 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
48799 + inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
48800 +#else
48801 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
48802 +#endif
48803 inode->i_op = &proc_tgid_base_inode_operations;
48804 inode->i_fop = &proc_tgid_base_operations;
48805 inode->i_flags|=S_IMMUTABLE;
48806 @@ -2746,7 +2871,11 @@ struct dentry *proc_pid_lookup(struct in
48807 if (!task)
48808 goto out;
48809
48810 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
48811 + goto out_put_task;
48812 +
48813 result = proc_pid_instantiate(dir, dentry, task, NULL);
48814 +out_put_task:
48815 put_task_struct(task);
48816 out:
48817 return result;
48818 @@ -2811,6 +2940,11 @@ int proc_pid_readdir(struct file * filp,
48819 {
48820 unsigned int nr;
48821 struct task_struct *reaper;
48822 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
48823 + const struct cred *tmpcred = current_cred();
48824 + const struct cred *itercred;
48825 +#endif
48826 + filldir_t __filldir = filldir;
48827 struct tgid_iter iter;
48828 struct pid_namespace *ns;
48829
48830 @@ -2834,8 +2968,27 @@ int proc_pid_readdir(struct file * filp,
48831 for (iter = next_tgid(ns, iter);
48832 iter.task;
48833 iter.tgid += 1, iter = next_tgid(ns, iter)) {
48834 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
48835 + rcu_read_lock();
48836 + itercred = __task_cred(iter.task);
48837 +#endif
48838 + if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
48839 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
48840 + || (tmpcred->uid && (itercred->uid != tmpcred->uid)
48841 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
48842 + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
48843 +#endif
48844 + )
48845 +#endif
48846 + )
48847 + __filldir = &gr_fake_filldir;
48848 + else
48849 + __filldir = filldir;
48850 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
48851 + rcu_read_unlock();
48852 +#endif
48853 filp->f_pos = iter.tgid + TGID_OFFSET;
48854 - if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
48855 + if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
48856 put_task_struct(iter.task);
48857 goto out;
48858 }
48859 @@ -2861,7 +3014,7 @@ static const struct pid_entry tid_base_s
48860 #ifdef CONFIG_SCHED_DEBUG
48861 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
48862 #endif
48863 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
48864 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
48865 INF("syscall", S_IRUSR, proc_pid_syscall),
48866 #endif
48867 INF("cmdline", S_IRUGO, proc_pid_cmdline),
48868 @@ -2885,10 +3038,10 @@ static const struct pid_entry tid_base_s
48869 #ifdef CONFIG_SECURITY
48870 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
48871 #endif
48872 -#ifdef CONFIG_KALLSYMS
48873 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
48874 INF("wchan", S_IRUGO, proc_pid_wchan),
48875 #endif
48876 -#ifdef CONFIG_STACKTRACE
48877 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
48878 ONE("stack", S_IRUSR, proc_pid_stack),
48879 #endif
48880 #ifdef CONFIG_SCHEDSTATS
48881 diff -urNp linux-2.6.32.46/fs/proc/cmdline.c linux-2.6.32.46/fs/proc/cmdline.c
48882 --- linux-2.6.32.46/fs/proc/cmdline.c 2011-03-27 14:31:47.000000000 -0400
48883 +++ linux-2.6.32.46/fs/proc/cmdline.c 2011-04-17 15:56:46.000000000 -0400
48884 @@ -23,7 +23,11 @@ static const struct file_operations cmdl
48885
48886 static int __init proc_cmdline_init(void)
48887 {
48888 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
48889 + proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
48890 +#else
48891 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
48892 +#endif
48893 return 0;
48894 }
48895 module_init(proc_cmdline_init);
48896 diff -urNp linux-2.6.32.46/fs/proc/devices.c linux-2.6.32.46/fs/proc/devices.c
48897 --- linux-2.6.32.46/fs/proc/devices.c 2011-03-27 14:31:47.000000000 -0400
48898 +++ linux-2.6.32.46/fs/proc/devices.c 2011-04-17 15:56:46.000000000 -0400
48899 @@ -64,7 +64,11 @@ static const struct file_operations proc
48900
48901 static int __init proc_devices_init(void)
48902 {
48903 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
48904 + proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
48905 +#else
48906 proc_create("devices", 0, NULL, &proc_devinfo_operations);
48907 +#endif
48908 return 0;
48909 }
48910 module_init(proc_devices_init);
48911 diff -urNp linux-2.6.32.46/fs/proc/inode.c linux-2.6.32.46/fs/proc/inode.c
48912 --- linux-2.6.32.46/fs/proc/inode.c 2011-03-27 14:31:47.000000000 -0400
48913 +++ linux-2.6.32.46/fs/proc/inode.c 2011-04-17 15:56:46.000000000 -0400
48914 @@ -457,7 +457,11 @@ struct inode *proc_get_inode(struct supe
48915 if (de->mode) {
48916 inode->i_mode = de->mode;
48917 inode->i_uid = de->uid;
48918 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
48919 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
48920 +#else
48921 inode->i_gid = de->gid;
48922 +#endif
48923 }
48924 if (de->size)
48925 inode->i_size = de->size;
48926 diff -urNp linux-2.6.32.46/fs/proc/internal.h linux-2.6.32.46/fs/proc/internal.h
48927 --- linux-2.6.32.46/fs/proc/internal.h 2011-03-27 14:31:47.000000000 -0400
48928 +++ linux-2.6.32.46/fs/proc/internal.h 2011-04-17 15:56:46.000000000 -0400
48929 @@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_fi
48930 struct pid *pid, struct task_struct *task);
48931 extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
48932 struct pid *pid, struct task_struct *task);
48933 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
48934 +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
48935 +#endif
48936 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
48937
48938 extern const struct file_operations proc_maps_operations;
48939 diff -urNp linux-2.6.32.46/fs/proc/Kconfig linux-2.6.32.46/fs/proc/Kconfig
48940 --- linux-2.6.32.46/fs/proc/Kconfig 2011-03-27 14:31:47.000000000 -0400
48941 +++ linux-2.6.32.46/fs/proc/Kconfig 2011-04-17 15:56:46.000000000 -0400
48942 @@ -30,12 +30,12 @@ config PROC_FS
48943
48944 config PROC_KCORE
48945 bool "/proc/kcore support" if !ARM
48946 - depends on PROC_FS && MMU
48947 + depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
48948
48949 config PROC_VMCORE
48950 bool "/proc/vmcore support (EXPERIMENTAL)"
48951 - depends on PROC_FS && CRASH_DUMP
48952 - default y
48953 + depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
48954 + default n
48955 help
48956 Exports the dump image of crashed kernel in ELF format.
48957
48958 @@ -59,8 +59,8 @@ config PROC_SYSCTL
48959 limited in memory.
48960
48961 config PROC_PAGE_MONITOR
48962 - default y
48963 - depends on PROC_FS && MMU
48964 + default n
48965 + depends on PROC_FS && MMU && !GRKERNSEC
48966 bool "Enable /proc page monitoring" if EMBEDDED
48967 help
48968 Various /proc files exist to monitor process memory utilization:
48969 diff -urNp linux-2.6.32.46/fs/proc/kcore.c linux-2.6.32.46/fs/proc/kcore.c
48970 --- linux-2.6.32.46/fs/proc/kcore.c 2011-03-27 14:31:47.000000000 -0400
48971 +++ linux-2.6.32.46/fs/proc/kcore.c 2011-05-16 21:46:57.000000000 -0400
48972 @@ -320,6 +320,8 @@ static void elf_kcore_store_hdr(char *bu
48973 off_t offset = 0;
48974 struct kcore_list *m;
48975
48976 + pax_track_stack();
48977 +
48978 /* setup ELF header */
48979 elf = (struct elfhdr *) bufp;
48980 bufp += sizeof(struct elfhdr);
48981 @@ -477,9 +479,10 @@ read_kcore(struct file *file, char __use
48982 * the addresses in the elf_phdr on our list.
48983 */
48984 start = kc_offset_to_vaddr(*fpos - elf_buflen);
48985 - if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
48986 + tsz = PAGE_SIZE - (start & ~PAGE_MASK);
48987 + if (tsz > buflen)
48988 tsz = buflen;
48989 -
48990 +
48991 while (buflen) {
48992 struct kcore_list *m;
48993
48994 @@ -508,20 +511,23 @@ read_kcore(struct file *file, char __use
48995 kfree(elf_buf);
48996 } else {
48997 if (kern_addr_valid(start)) {
48998 - unsigned long n;
48999 + char *elf_buf;
49000 + mm_segment_t oldfs;
49001
49002 - n = copy_to_user(buffer, (char *)start, tsz);
49003 - /*
49004 - * We cannot distingush between fault on source
49005 - * and fault on destination. When this happens
49006 - * we clear too and hope it will trigger the
49007 - * EFAULT again.
49008 - */
49009 - if (n) {
49010 - if (clear_user(buffer + tsz - n,
49011 - n))
49012 + elf_buf = kmalloc(tsz, GFP_KERNEL);
49013 + if (!elf_buf)
49014 + return -ENOMEM;
49015 + oldfs = get_fs();
49016 + set_fs(KERNEL_DS);
49017 + if (!__copy_from_user(elf_buf, (const void __user *)start, tsz)) {
49018 + set_fs(oldfs);
49019 + if (copy_to_user(buffer, elf_buf, tsz)) {
49020 + kfree(elf_buf);
49021 return -EFAULT;
49022 + }
49023 }
49024 + set_fs(oldfs);
49025 + kfree(elf_buf);
49026 } else {
49027 if (clear_user(buffer, tsz))
49028 return -EFAULT;
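Review bot: When `__copy_from_user()` on the kernel address fails, the new code writes nothing to the user buffer and returns no error. The rest of read_kcore() is outside the hunk, but it presumably still advances by `tsz`, so the caller would be told it received bytes that were never written. The removed code at least zero-filled the tail with clear_user(). `set_fs(oldfs)` is also called twice on the success path, and the address limit stays at KERNEL_DS longer than the single copy needs. The bounce buffer reuses the name `elf_buf` from the ELF-header branch, although it holds no ELF data. Restoring the limit immediately after the one kernel-side copy and zero-filling on a source fault, as the `!kern_addr_valid()` branch does, gives one exit path. Confirm that zero-fill is the intended result for an unreadable page.

```c
			if (kern_addr_valid(start)) {
				char *bounce;
				mm_segment_t oldfs;
				unsigned long left;

				bounce = kmalloc(tsz, GFP_KERNEL);
				if (!bounce)
					return -ENOMEM;

				/* KERNEL_DS only for the one copy that needs it */
				oldfs = get_fs();
				set_fs(KERNEL_DS);
				left = __copy_from_user(bounce, (const void __user *)start, tsz);
				set_fs(oldfs);

				if (left)
					/* source faulted: hand back zeroes */
					left = clear_user(buffer, tsz);
				else
					left = copy_to_user(buffer, bounce, tsz);
				kfree(bounce);
				if (left)
					return -EFAULT;
			} else {
				/* … unchanged: clear_user() for non-valid addresses … */
```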
49029 @@ -541,6 +547,9 @@ read_kcore(struct file *file, char __use
49030
49031 static int open_kcore(struct inode *inode, struct file *filp)
49032 {
49033 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
49034 + return -EPERM;
49035 +#endif
49036 if (!capable(CAP_SYS_RAWIO))
49037 return -EPERM;
49038 if (kcore_need_update)
49039 diff -urNp linux-2.6.32.46/fs/proc/meminfo.c linux-2.6.32.46/fs/proc/meminfo.c
49040 --- linux-2.6.32.46/fs/proc/meminfo.c 2011-03-27 14:31:47.000000000 -0400
49041 +++ linux-2.6.32.46/fs/proc/meminfo.c 2011-05-16 21:46:57.000000000 -0400
49042 @@ -29,6 +29,8 @@ static int meminfo_proc_show(struct seq_
49043 unsigned long pages[NR_LRU_LISTS];
49044 int lru;
49045
49046 + pax_track_stack();
49047 +
49048 /*
49049 * display in kilobytes.
49050 */
49051 @@ -149,7 +151,7 @@ static int meminfo_proc_show(struct seq_
49052 vmi.used >> 10,
49053 vmi.largest_chunk >> 10
49054 #ifdef CONFIG_MEMORY_FAILURE
49055 - ,atomic_long_read(&mce_bad_pages) << (PAGE_SHIFT - 10)
49056 + ,atomic_long_read_unchecked(&mce_bad_pages) << (PAGE_SHIFT - 10)
49057 #endif
49058 );
49059
49060 diff -urNp linux-2.6.32.46/fs/proc/nommu.c linux-2.6.32.46/fs/proc/nommu.c
49061 --- linux-2.6.32.46/fs/proc/nommu.c 2011-03-27 14:31:47.000000000 -0400
49062 +++ linux-2.6.32.46/fs/proc/nommu.c 2011-04-17 15:56:46.000000000 -0400
49063 @@ -67,7 +67,7 @@ static int nommu_region_show(struct seq_
49064 if (len < 1)
49065 len = 1;
49066 seq_printf(m, "%*c", len, ' ');
49067 - seq_path(m, &file->f_path, "");
49068 + seq_path(m, &file->f_path, "\n\\");
49069 }
49070
49071 seq_putc(m, '\n');
49072 diff -urNp linux-2.6.32.46/fs/proc/proc_net.c linux-2.6.32.46/fs/proc/proc_net.c
49073 --- linux-2.6.32.46/fs/proc/proc_net.c 2011-03-27 14:31:47.000000000 -0400
49074 +++ linux-2.6.32.46/fs/proc/proc_net.c 2011-04-17 15:56:46.000000000 -0400
49075 @@ -104,6 +104,17 @@ static struct net *get_proc_task_net(str
49076 struct task_struct *task;
49077 struct nsproxy *ns;
49078 struct net *net = NULL;
49079 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49080 + const struct cred *cred = current_cred();
49081 +#endif
49082 +
49083 +#ifdef CONFIG_GRKERNSEC_PROC_USER
49084 + if (cred->fsuid)
49085 + return net;
49086 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49087 + if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
49088 + return net;
49089 +#endif
49090
49091 rcu_read_lock();
49092 task = pid_task(proc_pid(dir), PIDTYPE_PID);
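Review bot: get_proc_task_net() gates on `cred->fsuid`, while the equivalent restrictions added to pid_getattr() and proc_pid_readdir() in fs/proc/base.c by this same patch compare `tmpcred->uid`. A process whose fsuid differs from its uid therefore gets different answers from /proc/<pid> and /proc/<pid>/net. If that is deliberate, a comment here should say why fsuid is the right identity for this check. Otherwise both sites should use the same field. The function body continues outside the hunk.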
49093 diff -urNp linux-2.6.32.46/fs/proc/proc_sysctl.c linux-2.6.32.46/fs/proc/proc_sysctl.c
49094 --- linux-2.6.32.46/fs/proc/proc_sysctl.c 2011-03-27 14:31:47.000000000 -0400
49095 +++ linux-2.6.32.46/fs/proc/proc_sysctl.c 2011-04-17 15:56:46.000000000 -0400
49096 @@ -7,6 +7,8 @@
49097 #include <linux/security.h>
49098 #include "internal.h"
49099
49100 +extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
49101 +
49102 static const struct dentry_operations proc_sys_dentry_operations;
49103 static const struct file_operations proc_sys_file_operations;
49104 static const struct inode_operations proc_sys_inode_operations;
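Review bot: The `extern __u32 gr_handle_sysctl(...)` prototype is declared directly in this .c file, so the compiler never checks it against the definition. If the definition's signature changes, the three call sites added below (proc_sys_lookup, scan, proc_sys_getattr) will still compile. Declaring it in a shared header would keep caller and definition in step. `<linux/grsecurity.h>`, which the fs/proc/array.c hunk includes, looks like the natural place. A short comment on what a non-zero return means would help, since the callers treat it as "hide this entry".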
49105 @@ -109,6 +111,9 @@ static struct dentry *proc_sys_lookup(st
49106 if (!p)
49107 goto out;
49108
49109 + if (gr_handle_sysctl(p, MAY_EXEC))
49110 + goto out;
49111 +
49112 err = ERR_PTR(-ENOMEM);
49113 inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
49114 if (h)
49115 @@ -228,6 +233,9 @@ static int scan(struct ctl_table_header
49116 if (*pos < file->f_pos)
49117 continue;
49118
49119 + if (gr_handle_sysctl(table, 0))
49120 + continue;
49121 +
49122 res = proc_sys_fill_cache(file, dirent, filldir, head, table);
49123 if (res)
49124 return res;
49125 @@ -344,6 +352,9 @@ static int proc_sys_getattr(struct vfsmo
49126 if (IS_ERR(head))
49127 return PTR_ERR(head);
49128
49129 + if (table && gr_handle_sysctl(table, MAY_EXEC))
49130 + return -ENOENT;
49131 +
49132 generic_fillattr(inode, stat);
49133 if (table)
49134 stat->mode = (stat->mode & S_IFMT) | table->mode;
49135 diff -urNp linux-2.6.32.46/fs/proc/root.c linux-2.6.32.46/fs/proc/root.c
49136 --- linux-2.6.32.46/fs/proc/root.c 2011-03-27 14:31:47.000000000 -0400
49137 +++ linux-2.6.32.46/fs/proc/root.c 2011-04-17 15:56:46.000000000 -0400
49138 @@ -134,7 +134,15 @@ void __init proc_root_init(void)
49139 #ifdef CONFIG_PROC_DEVICETREE
49140 proc_device_tree_init();
49141 #endif
49142 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
49143 +#ifdef CONFIG_GRKERNSEC_PROC_USER
49144 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
49145 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49146 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
49147 +#endif
49148 +#else
49149 proc_mkdir("bus", NULL);
49150 +#endif
49151 proc_sys_init();
49152 }
49153
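Review bot: With CONFIG_GRKERNSEC_PROC_ADD set but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP, the inner `#ifdef`/`#elif` has no fallback and /proc/bus is never created. Kconfig may make that combination impossible, but nothing visible here enforces it. An inner `#else` with `proc_mkdir("bus", NULL);` would make the file safe on its own. The return value of proc_mkdir_mode() is ignored, as the original call's was.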
49154 diff -urNp linux-2.6.32.46/fs/proc/task_mmu.c linux-2.6.32.46/fs/proc/task_mmu.c
49155 --- linux-2.6.32.46/fs/proc/task_mmu.c 2011-03-27 14:31:47.000000000 -0400
49156 +++ linux-2.6.32.46/fs/proc/task_mmu.c 2011-04-23 13:38:09.000000000 -0400
49157 @@ -46,15 +46,26 @@ void task_mem(struct seq_file *m, struct
49158 "VmStk:\t%8lu kB\n"
49159 "VmExe:\t%8lu kB\n"
49160 "VmLib:\t%8lu kB\n"
49161 - "VmPTE:\t%8lu kB\n",
49162 - hiwater_vm << (PAGE_SHIFT-10),
49163 + "VmPTE:\t%8lu kB\n"
49164 +
49165 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
49166 + "CsBase:\t%8lx\nCsLim:\t%8lx\n"
49167 +#endif
49168 +
49169 + ,hiwater_vm << (PAGE_SHIFT-10),
49170 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
49171 mm->locked_vm << (PAGE_SHIFT-10),
49172 hiwater_rss << (PAGE_SHIFT-10),
49173 total_rss << (PAGE_SHIFT-10),
49174 data << (PAGE_SHIFT-10),
49175 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
49176 - (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10);
49177 + (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10
49178 +
49179 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
49180 + , mm->context.user_cs_base, mm->context.user_cs_limit
49181 +#endif
49182 +
49183 + );
49184 }
49185
49186 unsigned long task_vsize(struct mm_struct *mm)
49187 @@ -175,7 +186,8 @@ static void m_stop(struct seq_file *m, v
49188 struct proc_maps_private *priv = m->private;
49189 struct vm_area_struct *vma = v;
49190
49191 - vma_stop(priv, vma);
49192 + if (!IS_ERR(vma))
49193 + vma_stop(priv, vma);
49194 if (priv->task)
49195 put_task_struct(priv->task);
49196 }
49197 @@ -199,6 +211,12 @@ static int do_maps_open(struct inode *in
49198 return ret;
49199 }
49200
49201 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49202 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
49203 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
49204 + _mm->pax_flags & MF_PAX_SEGMEXEC))
49205 +#endif
49206 +
49207 static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
49208 {
49209 struct mm_struct *mm = vma->vm_mm;
49210 @@ -206,7 +224,6 @@ static void show_map_vma(struct seq_file
49211 int flags = vma->vm_flags;
49212 unsigned long ino = 0;
49213 unsigned long long pgoff = 0;
49214 - unsigned long start;
49215 dev_t dev = 0;
49216 int len;
49217
49218 @@ -217,20 +234,23 @@ static void show_map_vma(struct seq_file
49219 pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
49220 }
49221
49222 - /* We don't show the stack guard page in /proc/maps */
49223 - start = vma->vm_start;
49224 - if (vma->vm_flags & VM_GROWSDOWN)
49225 - if (!vma_stack_continue(vma->vm_prev, vma->vm_start))
49226 - start += PAGE_SIZE;
49227 -
49228 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
49229 - start,
49230 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49231 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,
49232 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end,
49233 +#else
49234 + vma->vm_start,
49235 vma->vm_end,
49236 +#endif
49237 flags & VM_READ ? 'r' : '-',
49238 flags & VM_WRITE ? 'w' : '-',
49239 flags & VM_EXEC ? 'x' : '-',
49240 flags & VM_MAYSHARE ? 's' : 'p',
49241 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49242 + PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
49243 +#else
49244 pgoff,
49245 +#endif
49246 MAJOR(dev), MINOR(dev), ino, &len);
49247
49248 /*
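Review bot: The `#else` branch prints `vma->vm_start` unadjusted, so the stack guard page adjustment done by the removed lines is gone for kernels built without CONFIG_GRKERNSEC_PROC_MEMMAP too, not only when addresses are zeroed. If that is deliberate (for instance because guard-page handling is replaced elsewhere in the patch, which this hunk does not show), say so in a comment such as `/* no guard-page adjustment: start is reported as stored in the VMA */`. show_map_vma starts and ends outside the hunk.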
49249 @@ -239,7 +259,7 @@ static void show_map_vma(struct seq_file
49250 */
49251 if (file) {
49252 pad_len_spaces(m, len);
49253 - seq_path(m, &file->f_path, "\n");
49254 + seq_path(m, &file->f_path, "\n\\");
49255 } else {
49256 const char *name = arch_vma_name(vma);
49257 if (!name) {
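Review bot: The escape set passed to seq_path() grows from `"\n"` to `"\n\\"` without a comment, and the reason is not obvious from the call. I would add `/* escape '\\' as well, so a file name cannot imitate the octal escape emitted for '\n' */` above it. The nommu_vma_show hunk in fs/proc/task_nommu.c makes the matching change from an empty escape set, where a newline in a path was previously written out raw, and deserves the same comment.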
49258 @@ -247,8 +267,9 @@ static void show_map_vma(struct seq_file
49259 if (vma->vm_start <= mm->brk &&
49260 vma->vm_end >= mm->start_brk) {
49261 name = "[heap]";
49262 - } else if (vma->vm_start <= mm->start_stack &&
49263 - vma->vm_end >= mm->start_stack) {
49264 + } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
49265 + (vma->vm_start <= mm->start_stack &&
49266 + vma->vm_end >= mm->start_stack)) {
49267 name = "[stack]";
49268 }
49269 } else {
49270 @@ -391,9 +412,16 @@ static int show_smap(struct seq_file *m,
49271 };
49272
49273 memset(&mss, 0, sizeof mss);
49274 - mss.vma = vma;
49275 - if (vma->vm_mm && !is_vm_hugetlb_page(vma))
49276 - walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
49277 +
49278 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49279 + if (!PAX_RAND_FLAGS(vma->vm_mm)) {
49280 +#endif
49281 + mss.vma = vma;
49282 + if (vma->vm_mm && !is_vm_hugetlb_page(vma))
49283 + walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
49284 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49285 + }
49286 +#endif
49287
49288 show_map_vma(m, vma);
49289
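Review bot: Wrapping only the opening and closing brace of the `if` in separate `#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP` blocks is easy to break in later edits, and the same conditional is repeated as `#ifdef`/`#else` pairs around single seq_printf arguments in show_map_vma and further down in show_smap. Defining a fallback next to the macro, `#else` / `#define PAX_RAND_FLAGS(_mm) 0` / `#endif`, would let all of these sites be written unconditionally, e.g. `if (!PAX_RAND_FLAGS(vma->vm_mm)) {` and `PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,`. When the test is true `mss` stays zeroed and `mss.vma` is never set, so a comment should say that the zero counters printed afterwards are intentional.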
49290 @@ -409,7 +437,11 @@ static int show_smap(struct seq_file *m,
49291 "Swap: %8lu kB\n"
49292 "KernelPageSize: %8lu kB\n"
49293 "MMUPageSize: %8lu kB\n",
49294 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49295 + PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
49296 +#else
49297 (vma->vm_end - vma->vm_start) >> 10,
49298 +#endif
49299 mss.resident >> 10,
49300 (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
49301 mss.shared_clean >> 10,
49302 diff -urNp linux-2.6.32.46/fs/proc/task_nommu.c linux-2.6.32.46/fs/proc/task_nommu.c
49303 --- linux-2.6.32.46/fs/proc/task_nommu.c 2011-03-27 14:31:47.000000000 -0400
49304 +++ linux-2.6.32.46/fs/proc/task_nommu.c 2011-04-17 15:56:46.000000000 -0400
49305 @@ -50,7 +50,7 @@ void task_mem(struct seq_file *m, struct
49306 else
49307 bytes += kobjsize(mm);
49308
49309 - if (current->fs && current->fs->users > 1)
49310 + if (current->fs && atomic_read(&current->fs->users) > 1)
49311 sbytes += kobjsize(current->fs);
49312 else
49313 bytes += kobjsize(current->fs);
49314 @@ -154,7 +154,7 @@ static int nommu_vma_show(struct seq_fil
49315 if (len < 1)
49316 len = 1;
49317 seq_printf(m, "%*c", len, ' ');
49318 - seq_path(m, &file->f_path, "");
49319 + seq_path(m, &file->f_path, "\n\\");
49320 }
49321
49322 seq_putc(m, '\n');
49323 diff -urNp linux-2.6.32.46/fs/readdir.c linux-2.6.32.46/fs/readdir.c
49324 --- linux-2.6.32.46/fs/readdir.c 2011-03-27 14:31:47.000000000 -0400
49325 +++ linux-2.6.32.46/fs/readdir.c 2011-10-06 09:37:14.000000000 -0400
49326 @@ -16,6 +16,7 @@
49327 #include <linux/security.h>
49328 #include <linux/syscalls.h>
49329 #include <linux/unistd.h>
49330 +#include <linux/namei.h>
49331
49332 #include <asm/uaccess.h>
49333
49334 @@ -67,6 +68,7 @@ struct old_linux_dirent {
49335
49336 struct readdir_callback {
49337 struct old_linux_dirent __user * dirent;
49338 + struct file * file;
49339 int result;
49340 };
49341
49342 @@ -84,6 +86,10 @@ static int fillonedir(void * __buf, cons
49343 buf->result = -EOVERFLOW;
49344 return -EOVERFLOW;
49345 }
49346 +
49347 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
49348 + return 0;
49349 +
49350 buf->result++;
49351 dirent = buf->dirent;
49352 if (!access_ok(VERIFY_WRITE, dirent,
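Review bot: The `gr_acl_handle_filldir()` test sits after the `-EOVERFLOW` check, so an entry the policy is meant to hide can still end the call with an error before it is filtered out. The filldir hunk has the same placement, and in the filldir64 hunk the test follows `if (reclen > buf->count) return -EINVAL;`, so there the record length of a hidden entry can still influence what the caller sees. Moving the three added lines ahead of the size and overflow tests in each callback would keep hidden entries out of those paths. The callbacks begin outside the hunks, so the exact position needs checking against the full functions.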
49353 @@ -116,6 +122,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned in
49354
49355 buf.result = 0;
49356 buf.dirent = dirent;
49357 + buf.file = file;
49358
49359 error = vfs_readdir(file, fillonedir, &buf);
49360 if (buf.result)
49361 @@ -142,6 +149,7 @@ struct linux_dirent {
49362 struct getdents_callback {
49363 struct linux_dirent __user * current_dir;
49364 struct linux_dirent __user * previous;
49365 + struct file * file;
49366 int count;
49367 int error;
49368 };
49369 @@ -162,6 +170,10 @@ static int filldir(void * __buf, const c
49370 buf->error = -EOVERFLOW;
49371 return -EOVERFLOW;
49372 }
49373 +
49374 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
49375 + return 0;
49376 +
49377 dirent = buf->previous;
49378 if (dirent) {
49379 if (__put_user(offset, &dirent->d_off))
49380 @@ -209,6 +221,7 @@ SYSCALL_DEFINE3(getdents, unsigned int,
49381 buf.previous = NULL;
49382 buf.count = count;
49383 buf.error = 0;
49384 + buf.file = file;
49385
49386 error = vfs_readdir(file, filldir, &buf);
49387 if (error >= 0)
49388 @@ -228,6 +241,7 @@ out:
49389 struct getdents_callback64 {
49390 struct linux_dirent64 __user * current_dir;
49391 struct linux_dirent64 __user * previous;
49392 + struct file *file;
49393 int count;
49394 int error;
49395 };
49396 @@ -242,6 +256,10 @@ static int filldir64(void * __buf, const
49397 buf->error = -EINVAL; /* only used if we fail.. */
49398 if (reclen > buf->count)
49399 return -EINVAL;
49400 +
49401 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
49402 + return 0;
49403 +
49404 dirent = buf->previous;
49405 if (dirent) {
49406 if (__put_user(offset, &dirent->d_off))
49407 @@ -289,6 +307,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
49408
49409 buf.current_dir = dirent;
49410 buf.previous = NULL;
49411 + buf.file = file;
49412 buf.count = count;
49413 buf.error = 0;
49414
49415 @@ -297,7 +316,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
49416 error = buf.error;
49417 lastdirent = buf.previous;
49418 if (lastdirent) {
49419 - typeof(lastdirent->d_off) d_off = file->f_pos;
49420 + typeof(((struct linux_dirent64 *)0)->d_off) d_off = file->f_pos;
49421 if (__put_user(d_off, &lastdirent->d_off))
49422 error = -EFAULT;
49423 else
49424 diff -urNp linux-2.6.32.46/fs/reiserfs/dir.c linux-2.6.32.46/fs/reiserfs/dir.c
49425 --- linux-2.6.32.46/fs/reiserfs/dir.c 2011-03-27 14:31:47.000000000 -0400
49426 +++ linux-2.6.32.46/fs/reiserfs/dir.c 2011-05-16 21:46:57.000000000 -0400
49427 @@ -66,6 +66,8 @@ int reiserfs_readdir_dentry(struct dentr
49428 struct reiserfs_dir_entry de;
49429 int ret = 0;
49430
49431 + pax_track_stack();
49432 +
49433 reiserfs_write_lock(inode->i_sb);
49434
49435 reiserfs_check_lock_depth(inode->i_sb, "readdir");
49436 diff -urNp linux-2.6.32.46/fs/reiserfs/do_balan.c linux-2.6.32.46/fs/reiserfs/do_balan.c
49437 --- linux-2.6.32.46/fs/reiserfs/do_balan.c 2011-03-27 14:31:47.000000000 -0400
49438 +++ linux-2.6.32.46/fs/reiserfs/do_balan.c 2011-04-17 15:56:46.000000000 -0400
49439 @@ -2058,7 +2058,7 @@ void do_balance(struct tree_balance *tb,
49440 return;
49441 }
49442
49443 - atomic_inc(&(fs_generation(tb->tb_sb)));
49444 + atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
49445 do_balance_starts(tb);
49446
49447 /* balance leaf returns 0 except if combining L R and S into
49448 diff -urNp linux-2.6.32.46/fs/reiserfs/item_ops.c linux-2.6.32.46/fs/reiserfs/item_ops.c
49449 --- linux-2.6.32.46/fs/reiserfs/item_ops.c 2011-03-27 14:31:47.000000000 -0400
49450 +++ linux-2.6.32.46/fs/reiserfs/item_ops.c 2011-04-17 15:56:46.000000000 -0400
49451 @@ -102,7 +102,7 @@ static void sd_print_vi(struct virtual_i
49452 vi->vi_index, vi->vi_type, vi->vi_ih);
49453 }
49454
49455 -static struct item_operations stat_data_ops = {
49456 +static const struct item_operations stat_data_ops = {
49457 .bytes_number = sd_bytes_number,
49458 .decrement_key = sd_decrement_key,
49459 .is_left_mergeable = sd_is_left_mergeable,
49460 @@ -196,7 +196,7 @@ static void direct_print_vi(struct virtu
49461 vi->vi_index, vi->vi_type, vi->vi_ih);
49462 }
49463
49464 -static struct item_operations direct_ops = {
49465 +static const struct item_operations direct_ops = {
49466 .bytes_number = direct_bytes_number,
49467 .decrement_key = direct_decrement_key,
49468 .is_left_mergeable = direct_is_left_mergeable,
49469 @@ -341,7 +341,7 @@ static void indirect_print_vi(struct vir
49470 vi->vi_index, vi->vi_type, vi->vi_ih);
49471 }
49472
49473 -static struct item_operations indirect_ops = {
49474 +static const struct item_operations indirect_ops = {
49475 .bytes_number = indirect_bytes_number,
49476 .decrement_key = indirect_decrement_key,
49477 .is_left_mergeable = indirect_is_left_mergeable,
49478 @@ -628,7 +628,7 @@ static void direntry_print_vi(struct vir
49479 printk("\n");
49480 }
49481
49482 -static struct item_operations direntry_ops = {
49483 +static const struct item_operations direntry_ops = {
49484 .bytes_number = direntry_bytes_number,
49485 .decrement_key = direntry_decrement_key,
49486 .is_left_mergeable = direntry_is_left_mergeable,
49487 @@ -724,7 +724,7 @@ static void errcatch_print_vi(struct vir
49488 "Invalid item type observed, run fsck ASAP");
49489 }
49490
49491 -static struct item_operations errcatch_ops = {
49492 +static const struct item_operations errcatch_ops = {
49493 errcatch_bytes_number,
49494 errcatch_decrement_key,
49495 errcatch_is_left_mergeable,
49496 @@ -746,7 +746,7 @@ static struct item_operations errcatch_o
49497 #error Item types must use disk-format assigned values.
49498 #endif
49499
49500 -struct item_operations *item_ops[TYPE_ANY + 1] = {
49501 +const struct item_operations * const item_ops[TYPE_ANY + 1] = {
49502 &stat_data_ops,
49503 &indirect_ops,
49504 &direct_ops,
49505 diff -urNp linux-2.6.32.46/fs/reiserfs/journal.c linux-2.6.32.46/fs/reiserfs/journal.c
49506 --- linux-2.6.32.46/fs/reiserfs/journal.c 2011-03-27 14:31:47.000000000 -0400
49507 +++ linux-2.6.32.46/fs/reiserfs/journal.c 2011-05-16 21:46:57.000000000 -0400
49508 @@ -2329,6 +2329,8 @@ static struct buffer_head *reiserfs_brea
49509 struct buffer_head *bh;
49510 int i, j;
49511
49512 + pax_track_stack();
49513 +
49514 bh = __getblk(dev, block, bufsize);
49515 if (buffer_uptodate(bh))
49516 return (bh);
49517 diff -urNp linux-2.6.32.46/fs/reiserfs/namei.c linux-2.6.32.46/fs/reiserfs/namei.c
49518 --- linux-2.6.32.46/fs/reiserfs/namei.c 2011-03-27 14:31:47.000000000 -0400
49519 +++ linux-2.6.32.46/fs/reiserfs/namei.c 2011-05-16 21:46:57.000000000 -0400
49520 @@ -1214,6 +1214,8 @@ static int reiserfs_rename(struct inode
49521 unsigned long savelink = 1;
49522 struct timespec ctime;
49523
49524 + pax_track_stack();
49525 +
49526 /* three balancings: (1) old name removal, (2) new name insertion
49527 and (3) maybe "save" link insertion
49528 stat data updates: (1) old directory,
49529 diff -urNp linux-2.6.32.46/fs/reiserfs/procfs.c linux-2.6.32.46/fs/reiserfs/procfs.c
49530 --- linux-2.6.32.46/fs/reiserfs/procfs.c 2011-03-27 14:31:47.000000000 -0400
49531 +++ linux-2.6.32.46/fs/reiserfs/procfs.c 2011-05-16 21:46:57.000000000 -0400
49532 @@ -123,7 +123,7 @@ static int show_super(struct seq_file *m
49533 "SMALL_TAILS " : "NO_TAILS ",
49534 replay_only(sb) ? "REPLAY_ONLY " : "",
49535 convert_reiserfs(sb) ? "CONV " : "",
49536 - atomic_read(&r->s_generation_counter),
49537 + atomic_read_unchecked(&r->s_generation_counter),
49538 SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
49539 SF(s_do_balance), SF(s_unneeded_left_neighbor),
49540 SF(s_good_search_by_key_reada), SF(s_bmaps),
49541 @@ -309,6 +309,8 @@ static int show_journal(struct seq_file
49542 struct journal_params *jp = &rs->s_v1.s_journal;
49543 char b[BDEVNAME_SIZE];
49544
49545 + pax_track_stack();
49546 +
49547 seq_printf(m, /* on-disk fields */
49548 "jp_journal_1st_block: \t%i\n"
49549 "jp_journal_dev: \t%s[%x]\n"
49550 diff -urNp linux-2.6.32.46/fs/reiserfs/stree.c linux-2.6.32.46/fs/reiserfs/stree.c
49551 --- linux-2.6.32.46/fs/reiserfs/stree.c 2011-03-27 14:31:47.000000000 -0400
49552 +++ linux-2.6.32.46/fs/reiserfs/stree.c 2011-05-16 21:46:57.000000000 -0400
49553 @@ -1159,6 +1159,8 @@ int reiserfs_delete_item(struct reiserfs
49554 int iter = 0;
49555 #endif
49556
49557 + pax_track_stack();
49558 +
49559 BUG_ON(!th->t_trans_id);
49560
49561 init_tb_struct(th, &s_del_balance, sb, path,
49562 @@ -1296,6 +1298,8 @@ void reiserfs_delete_solid_item(struct r
49563 int retval;
49564 int quota_cut_bytes = 0;
49565
49566 + pax_track_stack();
49567 +
49568 BUG_ON(!th->t_trans_id);
49569
49570 le_key2cpu_key(&cpu_key, key);
49571 @@ -1525,6 +1529,8 @@ int reiserfs_cut_from_item(struct reiser
49572 int quota_cut_bytes;
49573 loff_t tail_pos = 0;
49574
49575 + pax_track_stack();
49576 +
49577 BUG_ON(!th->t_trans_id);
49578
49579 init_tb_struct(th, &s_cut_balance, inode->i_sb, path,
49580 @@ -1920,6 +1926,8 @@ int reiserfs_paste_into_item(struct reis
49581 int retval;
49582 int fs_gen;
49583
49584 + pax_track_stack();
49585 +
49586 BUG_ON(!th->t_trans_id);
49587
49588 fs_gen = get_generation(inode->i_sb);
49589 @@ -2007,6 +2015,8 @@ int reiserfs_insert_item(struct reiserfs
49590 int fs_gen = 0;
49591 int quota_bytes = 0;
49592
49593 + pax_track_stack();
49594 +
49595 BUG_ON(!th->t_trans_id);
49596
49597 if (inode) { /* Do we count quotas for item? */
49598 diff -urNp linux-2.6.32.46/fs/reiserfs/super.c linux-2.6.32.46/fs/reiserfs/super.c
49599 --- linux-2.6.32.46/fs/reiserfs/super.c 2011-03-27 14:31:47.000000000 -0400
49600 +++ linux-2.6.32.46/fs/reiserfs/super.c 2011-05-16 21:46:57.000000000 -0400
49601 @@ -912,6 +912,8 @@ static int reiserfs_parse_options(struct
49602 {.option_name = NULL}
49603 };
49604
49605 + pax_track_stack();
49606 +
49607 *blocks = 0;
49608 if (!options || !*options)
49609 /* use default configuration: create tails, journaling on, no
49610 diff -urNp linux-2.6.32.46/fs/select.c linux-2.6.32.46/fs/select.c
49611 --- linux-2.6.32.46/fs/select.c 2011-03-27 14:31:47.000000000 -0400
49612 +++ linux-2.6.32.46/fs/select.c 2011-05-16 21:46:57.000000000 -0400
49613 @@ -20,6 +20,7 @@
49614 #include <linux/module.h>
49615 #include <linux/slab.h>
49616 #include <linux/poll.h>
49617 +#include <linux/security.h>
49618 #include <linux/personality.h> /* for STICKY_TIMEOUTS */
49619 #include <linux/file.h>
49620 #include <linux/fdtable.h>
49621 @@ -401,6 +402,8 @@ int do_select(int n, fd_set_bits *fds, s
49622 int retval, i, timed_out = 0;
49623 unsigned long slack = 0;
49624
49625 + pax_track_stack();
49626 +
49627 rcu_read_lock();
49628 retval = max_select_fd(n, fds);
49629 rcu_read_unlock();
49630 @@ -529,6 +532,8 @@ int core_sys_select(int n, fd_set __user
49631 /* Allocate small arguments on the stack to save memory and be faster */
49632 long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
49633
49634 + pax_track_stack();
49635 +
49636 ret = -EINVAL;
49637 if (n < 0)
49638 goto out_nofds;
49639 @@ -821,6 +826,9 @@ int do_sys_poll(struct pollfd __user *uf
49640 struct poll_list *walk = head;
49641 unsigned long todo = nfds;
49642
49643 + pax_track_stack();
49644 +
49645 + gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
49646 if (nfds > current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
49647 return -EINVAL;
49648
49649 diff -urNp linux-2.6.32.46/fs/seq_file.c linux-2.6.32.46/fs/seq_file.c
49650 --- linux-2.6.32.46/fs/seq_file.c 2011-03-27 14:31:47.000000000 -0400
49651 +++ linux-2.6.32.46/fs/seq_file.c 2011-08-23 21:22:32.000000000 -0400
49652 @@ -76,7 +76,8 @@ static int traverse(struct seq_file *m,
49653 return 0;
49654 }
49655 if (!m->buf) {
49656 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
49657 + m->size = PAGE_SIZE;
49658 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
49659 if (!m->buf)
49660 return -ENOMEM;
49661 }
49662 @@ -116,7 +117,8 @@ static int traverse(struct seq_file *m,
49663 Eoverflow:
49664 m->op->stop(m, p);
49665 kfree(m->buf);
49666 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
49667 + m->size <<= 1;
49668 + m->buf = kmalloc(m->size, GFP_KERNEL);
49669 return !m->buf ? -ENOMEM : -EAGAIN;
49670 }
49671
49672 @@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char
49673 m->version = file->f_version;
49674 /* grab buffer if we didn't have one */
49675 if (!m->buf) {
49676 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
49677 + m->size = PAGE_SIZE;
49678 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
49679 if (!m->buf)
49680 goto Enomem;
49681 }
49682 @@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char
49683 goto Fill;
49684 m->op->stop(m, p);
49685 kfree(m->buf);
49686 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
49687 + m->size <<= 1;
49688 + m->buf = kmalloc(m->size, GFP_KERNEL);
49689 if (!m->buf)
49690 goto Enomem;
49691 m->count = 0;
49692 @@ -551,7 +555,7 @@ static void single_stop(struct seq_file
49693 int single_open(struct file *file, int (*show)(struct seq_file *, void *),
49694 void *data)
49695 {
49696 - struct seq_operations *op = kmalloc(sizeof(*op), GFP_KERNEL);
49697 + seq_operations_no_const *op = kmalloc(sizeof(*op), GFP_KERNEL);
49698 int res = -ENOMEM;
49699
49700 if (op) {
49701 diff -urNp linux-2.6.32.46/fs/smbfs/proc.c linux-2.6.32.46/fs/smbfs/proc.c
49702 --- linux-2.6.32.46/fs/smbfs/proc.c 2011-03-27 14:31:47.000000000 -0400
49703 +++ linux-2.6.32.46/fs/smbfs/proc.c 2011-08-05 20:33:55.000000000 -0400
49704 @@ -266,9 +266,9 @@ int smb_setcodepage(struct smb_sb_info *
49705
49706 out:
49707 if (server->local_nls != NULL && server->remote_nls != NULL)
49708 - server->ops->convert = convert_cp;
49709 + *(void **)&server->ops->convert = convert_cp;
49710 else
49711 - server->ops->convert = convert_memcpy;
49712 + *(void **)&server->ops->convert = convert_memcpy;
49713
49714 smb_unlock_server(server);
49715 return n;
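Review bot: Assigning through `*(void **)&server->ops->convert` removes the compiler's check that `convert_cp` and `convert_memcpy` match the member's function-pointer type, and it stores a function pointer through an object-pointer lvalue. If the cast is only there to get past a const qualifier on the ops structure (its declaration is not in this hunk), cast to a pointer to the member's own unqualified type instead, so the signature is still checked. The smb_newconn hunk does the same for `->getattr`, and install_ops now hides the qualifier with `memcpy((void *)dst, ...)`. Each site should carry a comment such as `/* deliberate write to the otherwise read-only ops table */`.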
49716 @@ -933,9 +933,9 @@ smb_newconn(struct smb_sb_info *server,
49717
49718 /* FIXME: the win9x code wants to modify these ... (seek/trunc bug) */
49719 if (server->mnt->flags & SMB_MOUNT_OLDATTR) {
49720 - server->ops->getattr = smb_proc_getattr_core;
49721 + *(void **)&server->ops->getattr = smb_proc_getattr_core;
49722 } else if (server->mnt->flags & SMB_MOUNT_DIRATTR) {
49723 - server->ops->getattr = smb_proc_getattr_ff;
49724 + *(void **)&server->ops->getattr = smb_proc_getattr_ff;
49725 }
49726
49727 /* Decode server capabilities */
49728 @@ -3439,7 +3439,7 @@ out:
49729 static void
49730 install_ops(struct smb_ops *dst, struct smb_ops *src)
49731 {
49732 - memcpy(dst, src, sizeof(void *) * SMB_OPS_NUM_STATIC);
49733 + memcpy((void *)dst, src, sizeof(void *) * SMB_OPS_NUM_STATIC);
49734 }
49735
49736 /* < LANMAN2 */
49737 diff -urNp linux-2.6.32.46/fs/smbfs/symlink.c linux-2.6.32.46/fs/smbfs/symlink.c
49738 --- linux-2.6.32.46/fs/smbfs/symlink.c 2011-03-27 14:31:47.000000000 -0400
49739 +++ linux-2.6.32.46/fs/smbfs/symlink.c 2011-04-17 15:56:46.000000000 -0400
49740 @@ -55,7 +55,7 @@ static void *smb_follow_link(struct dent
49741
49742 static void smb_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
49743 {
49744 - char *s = nd_get_link(nd);
49745 + const char *s = nd_get_link(nd);
49746 if (!IS_ERR(s))
49747 __putname(s);
49748 }
49749 diff -urNp linux-2.6.32.46/fs/splice.c linux-2.6.32.46/fs/splice.c
49750 --- linux-2.6.32.46/fs/splice.c 2011-03-27 14:31:47.000000000 -0400
49751 +++ linux-2.6.32.46/fs/splice.c 2011-10-06 09:37:14.000000000 -0400
49752 @@ -185,7 +185,7 @@ ssize_t splice_to_pipe(struct pipe_inode
49753 pipe_lock(pipe);
49754
49755 for (;;) {
49756 - if (!pipe->readers) {
49757 + if (!atomic_read(&pipe->readers)) {
49758 send_sig(SIGPIPE, current, 0);
49759 if (!ret)
49760 ret = -EPIPE;
49761 @@ -239,9 +239,9 @@ ssize_t splice_to_pipe(struct pipe_inode
49762 do_wakeup = 0;
49763 }
49764
49765 - pipe->waiting_writers++;
49766 + atomic_inc(&pipe->waiting_writers);
49767 pipe_wait(pipe);
49768 - pipe->waiting_writers--;
49769 + atomic_dec(&pipe->waiting_writers);
49770 }
49771
49772 pipe_unlock(pipe);
49773 @@ -285,6 +285,8 @@ __generic_file_splice_read(struct file *
49774 .spd_release = spd_release_page,
49775 };
49776
49777 + pax_track_stack();
49778 +
49779 index = *ppos >> PAGE_CACHE_SHIFT;
49780 loff = *ppos & ~PAGE_CACHE_MASK;
49781 req_pages = (len + loff + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT;
49782 @@ -521,7 +523,7 @@ static ssize_t kernel_readv(struct file
49783 old_fs = get_fs();
49784 set_fs(get_ds());
49785 /* The cast to a user pointer is valid due to the set_fs() */
49786 - res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
49787 + res = vfs_readv(file, (const struct iovec __force_user *)vec, vlen, &pos);
49788 set_fs(old_fs);
49789
49790 return res;
49791 @@ -536,7 +538,7 @@ static ssize_t kernel_write(struct file
49792 old_fs = get_fs();
49793 set_fs(get_ds());
49794 /* The cast to a user pointer is valid due to the set_fs() */
49795 - res = vfs_write(file, (const char __user *)buf, count, &pos);
49796 + res = vfs_write(file, (const char __force_user *)buf, count, &pos);
49797 set_fs(old_fs);
49798
49799 return res;
49800 @@ -565,6 +567,8 @@ ssize_t default_file_splice_read(struct
49801 .spd_release = spd_release_page,
49802 };
49803
49804 + pax_track_stack();
49805 +
49806 index = *ppos >> PAGE_CACHE_SHIFT;
49807 offset = *ppos & ~PAGE_CACHE_MASK;
49808 nr_pages = (len + offset + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT;
49809 @@ -578,7 +582,7 @@ ssize_t default_file_splice_read(struct
49810 goto err;
49811
49812 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
49813 - vec[i].iov_base = (void __user *) page_address(page);
49814 + vec[i].iov_base = (__force void __user *) page_address(page);
49815 vec[i].iov_len = this_len;
49816 pages[i] = page;
49817 spd.nr_pages++;
49818 @@ -800,10 +804,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
49819 int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
49820 {
49821 while (!pipe->nrbufs) {
49822 - if (!pipe->writers)
49823 + if (!atomic_read(&pipe->writers))
49824 return 0;
49825
49826 - if (!pipe->waiting_writers && sd->num_spliced)
49827 + if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
49828 return 0;
49829
49830 if (sd->flags & SPLICE_F_NONBLOCK)
49831 @@ -1140,7 +1144,7 @@ ssize_t splice_direct_to_actor(struct fi
49832 * out of the pipe right after the splice_to_pipe(). So set
49833 * PIPE_READERS appropriately.
49834 */
49835 - pipe->readers = 1;
49836 + atomic_set(&pipe->readers, 1);
49837
49838 current->splice_pipe = pipe;
49839 }
49840 @@ -1592,6 +1596,8 @@ static long vmsplice_to_pipe(struct file
49841 .spd_release = spd_release_page,
49842 };
49843
49844 + pax_track_stack();
49845 +
49846 pipe = pipe_info(file->f_path.dentry->d_inode);
49847 if (!pipe)
49848 return -EBADF;
49849 @@ -1700,9 +1706,9 @@ static int ipipe_prep(struct pipe_inode_
49850 ret = -ERESTARTSYS;
49851 break;
49852 }
49853 - if (!pipe->writers)
49854 + if (!atomic_read(&pipe->writers))
49855 break;
49856 - if (!pipe->waiting_writers) {
49857 + if (!atomic_read(&pipe->waiting_writers)) {
49858 if (flags & SPLICE_F_NONBLOCK) {
49859 ret = -EAGAIN;
49860 break;
49861 @@ -1734,7 +1740,7 @@ static int opipe_prep(struct pipe_inode_
49862 pipe_lock(pipe);
49863
49864 while (pipe->nrbufs >= PIPE_BUFFERS) {
49865 - if (!pipe->readers) {
49866 + if (!atomic_read(&pipe->readers)) {
49867 send_sig(SIGPIPE, current, 0);
49868 ret = -EPIPE;
49869 break;
49870 @@ -1747,9 +1753,9 @@ static int opipe_prep(struct pipe_inode_
49871 ret = -ERESTARTSYS;
49872 break;
49873 }
49874 - pipe->waiting_writers++;
49875 + atomic_inc(&pipe->waiting_writers);
49876 pipe_wait(pipe);
49877 - pipe->waiting_writers--;
49878 + atomic_dec(&pipe->waiting_writers);
49879 }
49880
49881 pipe_unlock(pipe);
49882 @@ -1785,14 +1791,14 @@ retry:
49883 pipe_double_lock(ipipe, opipe);
49884
49885 do {
49886 - if (!opipe->readers) {
49887 + if (!atomic_read(&opipe->readers)) {
49888 send_sig(SIGPIPE, current, 0);
49889 if (!ret)
49890 ret = -EPIPE;
49891 break;
49892 }
49893
49894 - if (!ipipe->nrbufs && !ipipe->writers)
49895 + if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
49896 break;
49897
49898 /*
49899 @@ -1892,7 +1898,7 @@ static int link_pipe(struct pipe_inode_i
49900 pipe_double_lock(ipipe, opipe);
49901
49902 do {
49903 - if (!opipe->readers) {
49904 + if (!atomic_read(&opipe->readers)) {
49905 send_sig(SIGPIPE, current, 0);
49906 if (!ret)
49907 ret = -EPIPE;
49908 @@ -1937,7 +1943,7 @@ static int link_pipe(struct pipe_inode_i
49909 * return EAGAIN if we have the potential of some data in the
49910 * future, otherwise just return 0
49911 */
49912 - if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
49913 + if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
49914 ret = -EAGAIN;
49915
49916 pipe_unlock(ipipe);
49917 diff -urNp linux-2.6.32.46/fs/sysfs/file.c linux-2.6.32.46/fs/sysfs/file.c
49918 --- linux-2.6.32.46/fs/sysfs/file.c 2011-03-27 14:31:47.000000000 -0400
49919 +++ linux-2.6.32.46/fs/sysfs/file.c 2011-05-04 17:56:20.000000000 -0400
49920 @@ -44,7 +44,7 @@ static DEFINE_SPINLOCK(sysfs_open_dirent
49921
49922 struct sysfs_open_dirent {
49923 atomic_t refcnt;
49924 - atomic_t event;
49925 + atomic_unchecked_t event;
49926 wait_queue_head_t poll;
49927 struct list_head buffers; /* goes through sysfs_buffer.list */
49928 };
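Review bot: `event` becomes `atomic_unchecked_t` while `refcnt` directly above stays `atomic_t`, and nothing in the struct says why the two are treated differently. Judging by the sysfs_poll hunk, `event` is only compared for inequality against a saved copy, so wraparound looks harmless; I would record that on the member as `/* change counter, compared for inequality only; may wrap */`. That also tells the next editor not to convert `refcnt` the same way.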
49929 @@ -53,7 +53,7 @@ struct sysfs_buffer {
49930 size_t count;
49931 loff_t pos;
49932 char * page;
49933 - struct sysfs_ops * ops;
49934 + const struct sysfs_ops * ops;
49935 struct mutex mutex;
49936 int needs_read_fill;
49937 int event;
49938 @@ -75,7 +75,7 @@ static int fill_read_buffer(struct dentr
49939 {
49940 struct sysfs_dirent *attr_sd = dentry->d_fsdata;
49941 struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
49942 - struct sysfs_ops * ops = buffer->ops;
49943 + const struct sysfs_ops * ops = buffer->ops;
49944 int ret = 0;
49945 ssize_t count;
49946
49947 @@ -88,7 +88,7 @@ static int fill_read_buffer(struct dentr
49948 if (!sysfs_get_active_two(attr_sd))
49949 return -ENODEV;
49950
49951 - buffer->event = atomic_read(&attr_sd->s_attr.open->event);
49952 + buffer->event = atomic_read_unchecked(&attr_sd->s_attr.open->event);
49953 count = ops->show(kobj, attr_sd->s_attr.attr, buffer->page);
49954
49955 sysfs_put_active_two(attr_sd);
49956 @@ -199,7 +199,7 @@ flush_write_buffer(struct dentry * dentr
49957 {
49958 struct sysfs_dirent *attr_sd = dentry->d_fsdata;
49959 struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
49960 - struct sysfs_ops * ops = buffer->ops;
49961 + const struct sysfs_ops * ops = buffer->ops;
49962 int rc;
49963
49964 /* need attr_sd for attr and ops, its parent for kobj */
49965 @@ -294,7 +294,7 @@ static int sysfs_get_open_dirent(struct
49966 return -ENOMEM;
49967
49968 atomic_set(&new_od->refcnt, 0);
49969 - atomic_set(&new_od->event, 1);
49970 + atomic_set_unchecked(&new_od->event, 1);
49971 init_waitqueue_head(&new_od->poll);
49972 INIT_LIST_HEAD(&new_od->buffers);
49973 goto retry;
49974 @@ -335,7 +335,7 @@ static int sysfs_open_file(struct inode
49975 struct sysfs_dirent *attr_sd = file->f_path.dentry->d_fsdata;
49976 struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
49977 struct sysfs_buffer *buffer;
49978 - struct sysfs_ops *ops;
49979 + const struct sysfs_ops *ops;
49980 int error = -EACCES;
49981 char *p;
49982
49983 @@ -444,7 +444,7 @@ static unsigned int sysfs_poll(struct fi
49984
49985 sysfs_put_active_two(attr_sd);
49986
49987 - if (buffer->event != atomic_read(&od->event))
49988 + if (buffer->event != atomic_read_unchecked(&od->event))
49989 goto trigger;
49990
49991 return DEFAULT_POLLMASK;
49992 @@ -463,7 +463,7 @@ void sysfs_notify_dirent(struct sysfs_di
49993
49994 od = sd->s_attr.open;
49995 if (od) {
49996 - atomic_inc(&od->event);
49997 + atomic_inc_unchecked(&od->event);
49998 wake_up_interruptible(&od->poll);
49999 }
50000
50001 diff -urNp linux-2.6.32.46/fs/sysfs/mount.c linux-2.6.32.46/fs/sysfs/mount.c
50002 --- linux-2.6.32.46/fs/sysfs/mount.c 2011-03-27 14:31:47.000000000 -0400
50003 +++ linux-2.6.32.46/fs/sysfs/mount.c 2011-04-17 15:56:46.000000000 -0400
50004 @@ -36,7 +36,11 @@ struct sysfs_dirent sysfs_root = {
50005 .s_name = "",
50006 .s_count = ATOMIC_INIT(1),
50007 .s_flags = SYSFS_DIR,
50008 +#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
50009 + .s_mode = S_IFDIR | S_IRWXU,
50010 +#else
50011 .s_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
50012 +#endif
50013 .s_ino = 1,
50014 };
50015
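Review bot: With CONFIG_GRKERNSEC_SYSFS_RESTRICT the sysfs root directory loses its group/other read and search bits, a user-visible change that the initializer does not explain. I would add `/* owner-only: other users cannot list or traverse the sysfs root */` above the restricted `.s_mode` line. Only the root dirent is changed in this hunk, so whether entries below it rely on the same restriction cannot be told from here.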
50016 diff -urNp linux-2.6.32.46/fs/sysfs/symlink.c linux-2.6.32.46/fs/sysfs/symlink.c
50017 --- linux-2.6.32.46/fs/sysfs/symlink.c 2011-03-27 14:31:47.000000000 -0400
50018 +++ linux-2.6.32.46/fs/sysfs/symlink.c 2011-04-17 15:56:46.000000000 -0400
50019 @@ -204,7 +204,7 @@ static void *sysfs_follow_link(struct de
50020
50021 static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
50022 {
50023 - char *page = nd_get_link(nd);
50024 + const char *page = nd_get_link(nd);
50025 if (!IS_ERR(page))
50026 free_page((unsigned long)page);
50027 }
50028 diff -urNp linux-2.6.32.46/fs/udf/balloc.c linux-2.6.32.46/fs/udf/balloc.c
50029 --- linux-2.6.32.46/fs/udf/balloc.c 2011-03-27 14:31:47.000000000 -0400
50030 +++ linux-2.6.32.46/fs/udf/balloc.c 2011-04-17 15:56:46.000000000 -0400
50031 @@ -172,9 +172,7 @@ static void udf_bitmap_free_blocks(struc
50032
50033 mutex_lock(&sbi->s_alloc_mutex);
50034 partmap = &sbi->s_partmaps[bloc->partitionReferenceNum];
50035 - if (bloc->logicalBlockNum < 0 ||
50036 - (bloc->logicalBlockNum + count) >
50037 - partmap->s_partition_len) {
50038 + if ((bloc->logicalBlockNum + count) > partmap->s_partition_len) {
50039 udf_debug("%d < %d || %d + %d > %d\n",
50040 bloc->logicalBlockNum, 0, bloc->logicalBlockNum,
50041 count, partmap->s_partition_len);
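Review bot: After the `< 0` test is dropped, the only remaining bound is `(bloc->logicalBlockNum + count) > partmap->s_partition_len`, and that sum can wrap if both operands are unsigned 32-bit values (their declarations are outside the hunk, but the removal of the sign test suggests so). A wrapped sum would pass the check with an out-of-range block number, so I would add a wrap test: `if (bloc->logicalBlockNum + count < count || (bloc->logicalBlockNum + count) > partmap->s_partition_len) {`. The udf_table_free_blocks hunk has the identical condition and needs the same change. The `"%d < %d || ..."` debug string in both hunks still describes the comparison that was removed.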
50042 @@ -436,9 +434,7 @@ static void udf_table_free_blocks(struct
50043
50044 mutex_lock(&sbi->s_alloc_mutex);
50045 partmap = &sbi->s_partmaps[bloc->partitionReferenceNum];
50046 - if (bloc->logicalBlockNum < 0 ||
50047 - (bloc->logicalBlockNum + count) >
50048 - partmap->s_partition_len) {
50049 + if ((bloc->logicalBlockNum + count) > partmap->s_partition_len) {
50050 udf_debug("%d < %d || %d + %d > %d\n",
50051 bloc.logicalBlockNum, 0, bloc.logicalBlockNum, count,
50052 partmap->s_partition_len);
50053 diff -urNp linux-2.6.32.46/fs/udf/inode.c linux-2.6.32.46/fs/udf/inode.c
50054 --- linux-2.6.32.46/fs/udf/inode.c 2011-03-27 14:31:47.000000000 -0400
50055 +++ linux-2.6.32.46/fs/udf/inode.c 2011-05-16 21:46:57.000000000 -0400
50056 @@ -484,6 +484,8 @@ static struct buffer_head *inode_getblk(
50057 int goal = 0, pgoal = iinfo->i_location.logicalBlockNum;
50058 int lastblock = 0;
50059
50060 + pax_track_stack();
50061 +
50062 prev_epos.offset = udf_file_entry_alloc_offset(inode);
50063 prev_epos.block = iinfo->i_location;
50064 prev_epos.bh = NULL;
50065 diff -urNp linux-2.6.32.46/fs/udf/misc.c linux-2.6.32.46/fs/udf/misc.c
50066 --- linux-2.6.32.46/fs/udf/misc.c 2011-03-27 14:31:47.000000000 -0400
50067 +++ linux-2.6.32.46/fs/udf/misc.c 2011-04-23 12:56:11.000000000 -0400
50068 @@ -286,7 +286,7 @@ void udf_new_tag(char *data, uint16_t id
50069
50070 u8 udf_tag_checksum(const struct tag *t)
50071 {
50072 - u8 *data = (u8 *)t;
50073 + const u8 *data = (const u8 *)t;
50074 u8 checksum = 0;
50075 int i;
50076 for (i = 0; i < sizeof(struct tag); ++i)
50077 diff -urNp linux-2.6.32.46/fs/utimes.c linux-2.6.32.46/fs/utimes.c
50078 --- linux-2.6.32.46/fs/utimes.c 2011-03-27 14:31:47.000000000 -0400
50079 +++ linux-2.6.32.46/fs/utimes.c 2011-04-17 15:56:46.000000000 -0400
50080 @@ -1,6 +1,7 @@
50081 #include <linux/compiler.h>
50082 #include <linux/file.h>
50083 #include <linux/fs.h>
50084 +#include <linux/security.h>
50085 #include <linux/linkage.h>
50086 #include <linux/mount.h>
50087 #include <linux/namei.h>
50088 @@ -101,6 +102,12 @@ static int utimes_common(struct path *pa
50089 goto mnt_drop_write_and_out;
50090 }
50091 }
50092 +
50093 + if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
50094 + error = -EACCES;
50095 + goto mnt_drop_write_and_out;
50096 + }
50097 +
50098 mutex_lock(&inode->i_mutex);
50099 error = notify_change(path->dentry, &newattrs);
50100 mutex_unlock(&inode->i_mutex);
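Review bot: The added `gr_acl_handle_utime()` call has no comment stating its return convention, and the helper's definition is not in this hunk. The code maps a zero return to -EACCES, so a one-line comment such as `/* RBAC policy: zero means the timestamp change is denied for this dentry/mount */` would make the inverted-looking test readable. The same applies to the `gr_acl_handle_setxattr()` check added in fs/xattr.c. It may also be worth noting in that comment that the check runs after the existing ownership and permission tests, so a policy denial is only reported for requests that would otherwise succeed. utimes_common starts before this hunk.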
50101 diff -urNp linux-2.6.32.46/fs/xattr_acl.c linux-2.6.32.46/fs/xattr_acl.c
50102 --- linux-2.6.32.46/fs/xattr_acl.c 2011-03-27 14:31:47.000000000 -0400
50103 +++ linux-2.6.32.46/fs/xattr_acl.c 2011-04-17 15:56:46.000000000 -0400
50104 @@ -17,8 +17,8 @@
50105 struct posix_acl *
50106 posix_acl_from_xattr(const void *value, size_t size)
50107 {
50108 - posix_acl_xattr_header *header = (posix_acl_xattr_header *)value;
50109 - posix_acl_xattr_entry *entry = (posix_acl_xattr_entry *)(header+1), *end;
50110 + const posix_acl_xattr_header *header = (const posix_acl_xattr_header *)value;
50111 + const posix_acl_xattr_entry *entry = (const posix_acl_xattr_entry *)(header+1), *end;
50112 int count;
50113 struct posix_acl *acl;
50114 struct posix_acl_entry *acl_e;
50115 diff -urNp linux-2.6.32.46/fs/xattr.c linux-2.6.32.46/fs/xattr.c
50116 --- linux-2.6.32.46/fs/xattr.c 2011-03-27 14:31:47.000000000 -0400
50117 +++ linux-2.6.32.46/fs/xattr.c 2011-04-17 15:56:46.000000000 -0400
50118 @@ -247,7 +247,7 @@ EXPORT_SYMBOL_GPL(vfs_removexattr);
50119 * Extended attribute SET operations
50120 */
50121 static long
50122 -setxattr(struct dentry *d, const char __user *name, const void __user *value,
50123 +setxattr(struct path *path, const char __user *name, const void __user *value,
50124 size_t size, int flags)
50125 {
50126 int error;
50127 @@ -271,7 +271,13 @@ setxattr(struct dentry *d, const char __
50128 return PTR_ERR(kvalue);
50129 }
50130
50131 - error = vfs_setxattr(d, kname, kvalue, size, flags);
50132 + if (!gr_acl_handle_setxattr(path->dentry, path->mnt)) {
50133 + error = -EACCES;
50134 + goto out;
50135 + }
50136 +
50137 + error = vfs_setxattr(path->dentry, kname, kvalue, size, flags);
50138 +out:
50139 kfree(kvalue);
50140 return error;
50141 }
50142 @@ -288,7 +294,7 @@ SYSCALL_DEFINE5(setxattr, const char __u
50143 return error;
50144 error = mnt_want_write(path.mnt);
50145 if (!error) {
50146 - error = setxattr(path.dentry, name, value, size, flags);
50147 + error = setxattr(&path, name, value, size, flags);
50148 mnt_drop_write(path.mnt);
50149 }
50150 path_put(&path);
50151 @@ -307,7 +313,7 @@ SYSCALL_DEFINE5(lsetxattr, const char __
50152 return error;
50153 error = mnt_want_write(path.mnt);
50154 if (!error) {
50155 - error = setxattr(path.dentry, name, value, size, flags);
50156 + error = setxattr(&path, name, value, size, flags);
50157 mnt_drop_write(path.mnt);
50158 }
50159 path_put(&path);
50160 @@ -318,17 +324,15 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, cons
50161 const void __user *,value, size_t, size, int, flags)
50162 {
50163 struct file *f;
50164 - struct dentry *dentry;
50165 int error = -EBADF;
50166
50167 f = fget(fd);
50168 if (!f)
50169 return error;
50170 - dentry = f->f_path.dentry;
50171 - audit_inode(NULL, dentry);
50172 + audit_inode(NULL, f->f_path.dentry);
50173 error = mnt_want_write_file(f);
50174 if (!error) {
50175 - error = setxattr(dentry, name, value, size, flags);
50176 + error = setxattr(&f->f_path, name, value, size, flags);
50177 mnt_drop_write(f->f_path.mnt);
50178 }
50179 fput(f);
50180 diff -urNp linux-2.6.32.46/fs/xfs/linux-2.6/xfs_ioctl32.c linux-2.6.32.46/fs/xfs/linux-2.6/xfs_ioctl32.c
50181 --- linux-2.6.32.46/fs/xfs/linux-2.6/xfs_ioctl32.c 2011-03-27 14:31:47.000000000 -0400
50182 +++ linux-2.6.32.46/fs/xfs/linux-2.6/xfs_ioctl32.c 2011-04-17 15:56:46.000000000 -0400
50183 @@ -75,6 +75,7 @@ xfs_compat_ioc_fsgeometry_v1(
50184 xfs_fsop_geom_t fsgeo;
50185 int error;
50186
50187 + memset(&fsgeo, 0, sizeof(fsgeo));
50188 error = xfs_fs_geometry(mp, &fsgeo, 3);
50189 if (error)
50190 return -error;
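Review bot: The `memset(&fsgeo, 0, sizeof(fsgeo));` added here has no counterpart in the native handler: the fs/xfs/linux-2.6/xfs_ioctl.c hunk for xfs_ioc_fsgeometry_v1 only changes whitespace on the `fsgeo` declaration and still calls `xfs_fs_geometry(mp, &fsgeo, 3)` on an uninitialised stack variable. Whether xfs_fs_geometry() clears the whole structure is not visible on this page. If the zeroing is needed here to keep stale stack bytes out of the user-visible copy, the native path presumably needs the same line before its call. A short comment such as `/* version 3 fills only part of fsgeo; clear the rest before it is copied out */` would record why the memset exists.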
50191 diff -urNp linux-2.6.32.46/fs/xfs/linux-2.6/xfs_ioctl.c linux-2.6.32.46/fs/xfs/linux-2.6/xfs_ioctl.c
50192 --- linux-2.6.32.46/fs/xfs/linux-2.6/xfs_ioctl.c 2011-04-17 17:00:52.000000000 -0400
50193 +++ linux-2.6.32.46/fs/xfs/linux-2.6/xfs_ioctl.c 2011-04-17 20:07:09.000000000 -0400
50194 @@ -134,7 +134,7 @@ xfs_find_handle(
50195 }
50196
50197 error = -EFAULT;
50198 - if (copy_to_user(hreq->ohandle, &handle, hsize) ||
50199 + if (hsize > sizeof handle || copy_to_user(hreq->ohandle, &handle, hsize) ||
50200 copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
50201 goto out_put;
50202
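Review bot: The new `hsize > sizeof handle` guard depends on an implicit conversion to reject negative values, and it reports an oversized length as -EFAULT, the same code as a faulting user pointer. hsize is declared outside this hunk, but the following `copy_to_user(..., &hsize, sizeof(__s32))` suggests it is signed, so a negative value is only rejected because the comparison promotes it to size_t. Pulling the bound into its own statement with a comment, e.g. `if (hsize < 0 || (size_t)hsize > sizeof(handle)) goto out_put; /* never copy past the on-stack handle */`, makes the intent explicit and keeps the copy_to_user condition about user-memory faults only.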
50203 @@ -423,7 +423,7 @@ xfs_attrlist_by_handle(
50204 if (IS_ERR(dentry))
50205 return PTR_ERR(dentry);
50206
50207 - kbuf = kmalloc(al_hreq.buflen, GFP_KERNEL);
50208 + kbuf = kzalloc(al_hreq.buflen, GFP_KERNEL);
50209 if (!kbuf)
50210 goto out_dput;
50211
50212 @@ -697,7 +697,7 @@ xfs_ioc_fsgeometry_v1(
50213 xfs_mount_t *mp,
50214 void __user *arg)
50215 {
50216 - xfs_fsop_geom_t fsgeo;
50217 + xfs_fsop_geom_t fsgeo;
50218 int error;
50219
50220 error = xfs_fs_geometry(mp, &fsgeo, 3);
50221 diff -urNp linux-2.6.32.46/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.32.46/fs/xfs/linux-2.6/xfs_iops.c
50222 --- linux-2.6.32.46/fs/xfs/linux-2.6/xfs_iops.c 2011-03-27 14:31:47.000000000 -0400
50223 +++ linux-2.6.32.46/fs/xfs/linux-2.6/xfs_iops.c 2011-04-17 15:56:46.000000000 -0400
50224 @@ -468,7 +468,7 @@ xfs_vn_put_link(
50225 struct nameidata *nd,
50226 void *p)
50227 {
50228 - char *s = nd_get_link(nd);
50229 + const char *s = nd_get_link(nd);
50230
50231 if (!IS_ERR(s))
50232 kfree(s);
50233 diff -urNp linux-2.6.32.46/fs/xfs/xfs_bmap.c linux-2.6.32.46/fs/xfs/xfs_bmap.c
50234 --- linux-2.6.32.46/fs/xfs/xfs_bmap.c 2011-03-27 14:31:47.000000000 -0400
50235 +++ linux-2.6.32.46/fs/xfs/xfs_bmap.c 2011-04-17 15:56:46.000000000 -0400
50236 @@ -360,7 +360,7 @@ xfs_bmap_validate_ret(
50237 int nmap,
50238 int ret_nmap);
50239 #else
50240 -#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
50241 +#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
50242 #endif /* DEBUG */
50243
50244 #if defined(XFS_RW_TRACE)
50245 diff -urNp linux-2.6.32.46/fs/xfs/xfs_dir2_sf.c linux-2.6.32.46/fs/xfs/xfs_dir2_sf.c
50246 --- linux-2.6.32.46/fs/xfs/xfs_dir2_sf.c 2011-03-27 14:31:47.000000000 -0400
50247 +++ linux-2.6.32.46/fs/xfs/xfs_dir2_sf.c 2011-04-18 22:07:30.000000000 -0400
50248 @@ -779,7 +779,15 @@ xfs_dir2_sf_getdents(
50249 }
50250
50251 ino = xfs_dir2_sf_get_inumber(sfp, xfs_dir2_sf_inumberp(sfep));
50252 - if (filldir(dirent, sfep->name, sfep->namelen,
50253 + if (dp->i_df.if_u1.if_data == dp->i_df.if_u2.if_inline_data) {
50254 + char name[sfep->namelen];
50255 + memcpy(name, sfep->name, sfep->namelen);
50256 + if (filldir(dirent, name, sfep->namelen,
50257 + off & 0x7fffffff, ino, DT_UNKNOWN)) {
50258 + *offset = off & 0x7fffffff;
50259 + return 0;
50260 + }
50261 + } else if (filldir(dirent, sfep->name, sfep->namelen,
50262 off & 0x7fffffff, ino, DT_UNKNOWN)) {
50263 *offset = off & 0x7fffffff;
50264 return 0;
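Review bot: The bounce buffer `char name[sfep->namelen];` is a variable-length array on the kernel stack, sized by a value read from the directory entry. A zero namelen makes it a zero-length VLA, which ISO C leaves undefined, and the stack cost of each call depends on on-disk data. If namelen is the 8-bit shortform field (its declaration is not in this hunk), a fixed buffer such as `char name[MAXNAMELEN];` (assuming that XFS constant is in scope here) bounds both cases. The two filldir() branches differ only in the name pointer, so selecting the pointer first and calling filldir() once would remove the duplicated `*offset`/`return 0` body. xfs_dir2_sf_getdents extends beyond this hunk on both sides.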
50265 diff -urNp linux-2.6.32.46/grsecurity/gracl_alloc.c linux-2.6.32.46/grsecurity/gracl_alloc.c
50266 --- linux-2.6.32.46/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
50267 +++ linux-2.6.32.46/grsecurity/gracl_alloc.c 2011-04-17 15:56:46.000000000 -0400
50268 @@ -0,0 +1,105 @@
50269 +#include <linux/kernel.h>
50270 +#include <linux/mm.h>
50271 +#include <linux/slab.h>
50272 +#include <linux/vmalloc.h>
50273 +#include <linux/gracl.h>
50274 +#include <linux/grsecurity.h>
50275 +
50276 +static unsigned long alloc_stack_next = 1;
50277 +static unsigned long alloc_stack_size = 1;
50278 +static void **alloc_stack;
50279 +
50280 +static __inline__ int
50281 +alloc_pop(void)
50282 +{
50283 + if (alloc_stack_next == 1)
50284 + return 0;
50285 +
50286 + kfree(alloc_stack[alloc_stack_next - 2]);
50287 +
50288 + alloc_stack_next--;
50289 +
50290 + return 1;
50291 +}
50292 +
50293 +static __inline__ int
50294 +alloc_push(void *buf)
50295 +{
50296 + if (alloc_stack_next >= alloc_stack_size)
50297 + return 1;
50298 +
50299 + alloc_stack[alloc_stack_next - 1] = buf;
50300 +
50301 + alloc_stack_next++;
50302 +
50303 + return 0;
50304 +}
50305 +
50306 +void *
50307 +acl_alloc(unsigned long len)
50308 +{
50309 + void *ret = NULL;
50310 +
50311 + if (!len || len > PAGE_SIZE)
50312 + goto out;
50313 +
50314 + ret = kmalloc(len, GFP_KERNEL);
50315 +
50316 + if (ret) {
50317 + if (alloc_push(ret)) {
50318 + kfree(ret);
50319 + ret = NULL;
50320 + }
50321 + }
50322 +
50323 +out:
50324 + return ret;
50325 +}
50326 +
50327 +void *
50328 +acl_alloc_num(unsigned long num, unsigned long len)
50329 +{
50330 + if (!len || (num > (PAGE_SIZE / len)))
50331 + return NULL;
50332 +
50333 + return acl_alloc(num * len);
50334 +}
50335 +
50336 +void
50337 +acl_free_all(void)
50338 +{
50339 + if (gr_acl_is_enabled() || !alloc_stack)
50340 + return;
50341 +
50342 + while (alloc_pop()) ;
50343 +
50344 + if (alloc_stack) {
50345 + if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
50346 + kfree(alloc_stack);
50347 + else
50348 + vfree(alloc_stack);
50349 + }
50350 +
50351 + alloc_stack = NULL;
50352 + alloc_stack_size = 1;
50353 + alloc_stack_next = 1;
50354 +
50355 + return;
50356 +}
50357 +
50358 +int
50359 +acl_alloc_stack_init(unsigned long size)
50360 +{
50361 + if ((size * sizeof (void *)) <= PAGE_SIZE)
50362 + alloc_stack =
50363 + (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
50364 + else
50365 + alloc_stack = (void **) vmalloc(size * sizeof (void *));
50366 +
50367 + alloc_stack_size = size;
50368 +
50369 + if (!alloc_stack)
50370 + return 0;
50371 + else
50372 + return 1;
50373 +}
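Review bot: acl_alloc_stack_init() stores `alloc_stack_size = size` even when the allocation fails, and never checks `size * sizeof (void *)` for wrap-around. After a failed init alloc_stack is NULL but alloc_push() still sees a non-trivial size, so a later acl_alloc() would write through the NULL pointer unless every caller aborts on the 0 return, which is not visible here. On a 32-bit build a large size can wrap the multiplication and yield a stack much smaller than alloc_stack_size claims. Publishing the pointer and size only on success, after an overflow check, closes both cases; the casts on kmalloc/vmalloc are also unnecessary in C. Separately, the second `if (alloc_stack)` in acl_free_all() is redundant after the early return, and the file would benefit from a header comment stating which lock serialises these statics.
```c
int
acl_alloc_stack_init(unsigned long size)
{
	void **stack;

	/* refuse element counts whose byte size would wrap */
	if (size > ULONG_MAX / sizeof (void *))
		return 0;

	if ((size * sizeof (void *)) <= PAGE_SIZE)
		stack = kmalloc(size * sizeof (void *), GFP_KERNEL);
	else
		stack = vmalloc(size * sizeof (void *));

	if (!stack)
		return 0;

	/* publish size and pointer together, only once the stack exists */
	alloc_stack = stack;
	alloc_stack_size = size;

	return 1;
}
```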
50374 diff -urNp linux-2.6.32.46/grsecurity/gracl.c linux-2.6.32.46/grsecurity/gracl.c
50375 --- linux-2.6.32.46/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
50376 +++ linux-2.6.32.46/grsecurity/gracl.c 2011-07-14 20:02:48.000000000 -0400
50377 @@ -0,0 +1,4082 @@
50378 +#include <linux/kernel.h>
50379 +#include <linux/module.h>
50380 +#include <linux/sched.h>
50381 +#include <linux/mm.h>
50382 +#include <linux/file.h>
50383 +#include <linux/fs.h>
50384 +#include <linux/namei.h>
50385 +#include <linux/mount.h>
50386 +#include <linux/tty.h>
50387 +#include <linux/proc_fs.h>
50388 +#include <linux/smp_lock.h>
50389 +#include <linux/slab.h>
50390 +#include <linux/vmalloc.h>
50391 +#include <linux/types.h>
50392 +#include <linux/sysctl.h>
50393 +#include <linux/netdevice.h>
50394 +#include <linux/ptrace.h>
50395 +#include <linux/gracl.h>
50396 +#include <linux/gralloc.h>
50397 +#include <linux/grsecurity.h>
50398 +#include <linux/grinternal.h>
50399 +#include <linux/pid_namespace.h>
50400 +#include <linux/fdtable.h>
50401 +#include <linux/percpu.h>
50402 +
50403 +#include <asm/uaccess.h>
50404 +#include <asm/errno.h>
50405 +#include <asm/mman.h>
50406 +
50407 +static struct acl_role_db acl_role_set;
50408 +static struct name_db name_set;
50409 +static struct inodev_db inodev_set;
50410 +
50411 +/* for keeping track of userspace pointers used for subjects, so we
50412 + can share references in the kernel as well
50413 +*/
50414 +
50415 +static struct dentry *real_root;
50416 +static struct vfsmount *real_root_mnt;
50417 +
50418 +static struct acl_subj_map_db subj_map_set;
50419 +
50420 +static struct acl_role_label *default_role;
50421 +
50422 +static struct acl_role_label *role_list;
50423 +
50424 +static u16 acl_sp_role_value;
50425 +
50426 +extern char *gr_shared_page[4];
50427 +static DEFINE_MUTEX(gr_dev_mutex);
50428 +DEFINE_RWLOCK(gr_inode_lock);
50429 +
50430 +struct gr_arg *gr_usermode;
50431 +
50432 +static unsigned int gr_status __read_only = GR_STATUS_INIT;
50433 +
50434 +extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
50435 +extern void gr_clear_learn_entries(void);
50436 +
50437 +#ifdef CONFIG_GRKERNSEC_RESLOG
50438 +extern void gr_log_resource(const struct task_struct *task,
50439 + const int res, const unsigned long wanted, const int gt);
50440 +#endif
50441 +
50442 +unsigned char *gr_system_salt;
50443 +unsigned char *gr_system_sum;
50444 +
50445 +static struct sprole_pw **acl_special_roles = NULL;
50446 +static __u16 num_sprole_pws = 0;
50447 +
50448 +static struct acl_role_label *kernel_role = NULL;
50449 +
50450 +static unsigned int gr_auth_attempts = 0;
50451 +static unsigned long gr_auth_expires = 0UL;
50452 +
50453 +#ifdef CONFIG_NET
50454 +extern struct vfsmount *sock_mnt;
50455 +#endif
50456 +extern struct vfsmount *pipe_mnt;
50457 +extern struct vfsmount *shm_mnt;
50458 +#ifdef CONFIG_HUGETLBFS
50459 +extern struct vfsmount *hugetlbfs_vfsmount;
50460 +#endif
50461 +
50462 +static struct acl_object_label *fakefs_obj_rw;
50463 +static struct acl_object_label *fakefs_obj_rwx;
50464 +
50465 +extern int gr_init_uidset(void);
50466 +extern void gr_free_uidset(void);
50467 +extern void gr_remove_uid(uid_t uid);
50468 +extern int gr_find_uid(uid_t uid);
50469 +
50470 +__inline__ int
50471 +gr_acl_is_enabled(void)
50472 +{
50473 + return (gr_status & GR_READY);
50474 +}
50475 +
50476 +#ifdef CONFIG_BTRFS_FS
50477 +extern dev_t get_btrfs_dev_from_inode(struct inode *inode);
50478 +extern int btrfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat);
50479 +#endif
50480 +
50481 +static inline dev_t __get_dev(const struct dentry *dentry)
50482 +{
50483 +#ifdef CONFIG_BTRFS_FS
50484 + if (dentry->d_inode->i_op && dentry->d_inode->i_op->getattr == &btrfs_getattr)
50485 + return get_btrfs_dev_from_inode(dentry->d_inode);
50486 + else
50487 +#endif
50488 + return dentry->d_inode->i_sb->s_dev;
50489 +}
50490 +
50491 +dev_t gr_get_dev_from_dentry(struct dentry *dentry)
50492 +{
50493 + return __get_dev(dentry);
50494 +}
50495 +
50496 +static char gr_task_roletype_to_char(struct task_struct *task)
50497 +{
50498 + switch (task->role->roletype &
50499 + (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
50500 + GR_ROLE_SPECIAL)) {
50501 + case GR_ROLE_DEFAULT:
50502 + return 'D';
50503 + case GR_ROLE_USER:
50504 + return 'U';
50505 + case GR_ROLE_GROUP:
50506 + return 'G';
50507 + case GR_ROLE_SPECIAL:
50508 + return 'S';
50509 + }
50510 +
50511 + return 'X';
50512 +}
50513 +
50514 +char gr_roletype_to_char(void)
50515 +{
50516 + return gr_task_roletype_to_char(current);
50517 +}
50518 +
50519 +__inline__ int
50520 +gr_acl_tpe_check(void)
50521 +{
50522 + if (unlikely(!(gr_status & GR_READY)))
50523 + return 0;
50524 + if (current->role->roletype & GR_ROLE_TPE)
50525 + return 1;
50526 + else
50527 + return 0;
50528 +}
50529 +
50530 +int
50531 +gr_handle_rawio(const struct inode *inode)
50532 +{
50533 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
50534 + if (inode && S_ISBLK(inode->i_mode) &&
50535 + grsec_enable_chroot_caps && proc_is_chrooted(current) &&
50536 + !capable(CAP_SYS_RAWIO))
50537 + return 1;
50538 +#endif
50539 + return 0;
50540 +}
50541 +
50542 +static int
50543 +gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
50544 +{
50545 + if (likely(lena != lenb))
50546 + return 0;
50547 +
50548 + return !memcmp(a, b, lena);
50549 +}
50550 +
50551 +/* this must be called with vfsmount_lock and dcache_lock held */
50552 +
50553 +static char * __our_d_path(struct dentry *dentry, struct vfsmount *vfsmnt,
50554 + struct dentry *root, struct vfsmount *rootmnt,
50555 + char *buffer, int buflen)
50556 +{
50557 + char * end = buffer+buflen;
50558 + char * retval;
50559 + int namelen;
50560 +
50561 + *--end = '\0';
50562 + buflen--;
50563 +
50564 + if (buflen < 1)
50565 + goto Elong;
50566 + /* Get '/' right */
50567 + retval = end-1;
50568 + *retval = '/';
50569 +
50570 + for (;;) {
50571 + struct dentry * parent;
50572 +
50573 + if (dentry == root && vfsmnt == rootmnt)
50574 + break;
50575 + if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
50576 + /* Global root? */
50577 + if (vfsmnt->mnt_parent == vfsmnt)
50578 + goto global_root;
50579 + dentry = vfsmnt->mnt_mountpoint;
50580 + vfsmnt = vfsmnt->mnt_parent;
50581 + continue;
50582 + }
50583 + parent = dentry->d_parent;
50584 + prefetch(parent);
50585 + namelen = dentry->d_name.len;
50586 + buflen -= namelen + 1;
50587 + if (buflen < 0)
50588 + goto Elong;
50589 + end -= namelen;
50590 + memcpy(end, dentry->d_name.name, namelen);
50591 + *--end = '/';
50592 + retval = end;
50593 + dentry = parent;
50594 + }
50595 +
50596 +out:
50597 + return retval;
50598 +
50599 +global_root:
50600 + namelen = dentry->d_name.len;
50601 + buflen -= namelen;
50602 + if (buflen < 0)
50603 + goto Elong;
50604 + retval -= namelen-1; /* hit the slash */
50605 + memcpy(retval, dentry->d_name.name, namelen);
50606 + goto out;
50607 +Elong:
50608 + retval = ERR_PTR(-ENAMETOOLONG);
50609 + goto out;
50610 +}
50611 +
50612 +static char *
50613 +gen_full_path(struct dentry *dentry, struct vfsmount *vfsmnt,
50614 + struct dentry *root, struct vfsmount *rootmnt, char *buf, int buflen)
50615 +{
50616 + char *retval;
50617 +
50618 + retval = __our_d_path(dentry, vfsmnt, root, rootmnt, buf, buflen);
50619 + if (unlikely(IS_ERR(retval)))
50620 + retval = strcpy(buf, "<path too long>");
50621 + else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
50622 + retval[1] = '\0';
50623 +
50624 + return retval;
50625 +}
50626 +
50627 +static char *
50628 +__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
50629 + char *buf, int buflen)
50630 +{
50631 + char *res;
50632 +
50633 + /* we can use real_root, real_root_mnt, because this is only called
50634 + by the RBAC system */
50635 + res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, real_root, real_root_mnt, buf, buflen);
50636 +
50637 + return res;
50638 +}
50639 +
50640 +static char *
50641 +d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
50642 + char *buf, int buflen)
50643 +{
50644 + char *res;
50645 + struct dentry *root;
50646 + struct vfsmount *rootmnt;
50647 + struct task_struct *reaper = &init_task;
50648 +
50649 + /* we can't use real_root, real_root_mnt, because they belong only to the RBAC system */
50650 + read_lock(&reaper->fs->lock);
50651 + root = dget(reaper->fs->root.dentry);
50652 + rootmnt = mntget(reaper->fs->root.mnt);
50653 + read_unlock(&reaper->fs->lock);
50654 +
50655 + spin_lock(&dcache_lock);
50656 + spin_lock(&vfsmount_lock);
50657 + res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, root, rootmnt, buf, buflen);
50658 + spin_unlock(&vfsmount_lock);
50659 + spin_unlock(&dcache_lock);
50660 +
50661 + dput(root);
50662 + mntput(rootmnt);
50663 + return res;
50664 +}
50665 +
50666 +static char *
50667 +gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
50668 +{
50669 + char *ret;
50670 + spin_lock(&dcache_lock);
50671 + spin_lock(&vfsmount_lock);
50672 + ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
50673 + PAGE_SIZE);
50674 + spin_unlock(&vfsmount_lock);
50675 + spin_unlock(&dcache_lock);
50676 + return ret;
50677 +}
50678 +
50679 +char *
50680 +gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
50681 +{
50682 + return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
50683 + PAGE_SIZE);
50684 +}
50685 +
50686 +char *
50687 +gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
50688 +{
50689 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
50690 + PAGE_SIZE);
50691 +}
50692 +
50693 +char *
50694 +gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
50695 +{
50696 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
50697 + PAGE_SIZE);
50698 +}
50699 +
50700 +char *
50701 +gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
50702 +{
50703 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
50704 + PAGE_SIZE);
50705 +}
50706 +
50707 +char *
50708 +gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
50709 +{
50710 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
50711 + PAGE_SIZE);
50712 +}
50713 +
50714 +__inline__ __u32
50715 +to_gr_audit(const __u32 reqmode)
50716 +{
50717 + /* masks off auditable permission flags, then shifts them to create
50718 + auditing flags, and adds the special case of append auditing if
50719 + we're requesting write */
50720 + return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
50721 +}
50722 +
50723 +struct acl_subject_label *
50724 +lookup_subject_map(const struct acl_subject_label *userp)
50725 +{
50726 + unsigned int index = shash(userp, subj_map_set.s_size);
50727 + struct subject_map *match;
50728 +
50729 + match = subj_map_set.s_hash[index];
50730 +
50731 + while (match && match->user != userp)
50732 + match = match->next;
50733 +
50734 + if (match != NULL)
50735 + return match->kernel;
50736 + else
50737 + return NULL;
50738 +}
50739 +
50740 +static void
50741 +insert_subj_map_entry(struct subject_map *subjmap)
50742 +{
50743 + unsigned int index = shash(subjmap->user, subj_map_set.s_size);
50744 + struct subject_map **curr;
50745 +
50746 + subjmap->prev = NULL;
50747 +
50748 + curr = &subj_map_set.s_hash[index];
50749 + if (*curr != NULL)
50750 + (*curr)->prev = subjmap;
50751 +
50752 + subjmap->next = *curr;
50753 + *curr = subjmap;
50754 +
50755 + return;
50756 +}
50757 +
50758 +static struct acl_role_label *
50759 +lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
50760 + const gid_t gid)
50761 +{
50762 + unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
50763 + struct acl_role_label *match;
50764 + struct role_allowed_ip *ipp;
50765 + unsigned int x;
50766 + u32 curr_ip = task->signal->curr_ip;
50767 +
50768 + task->signal->saved_ip = curr_ip;
50769 +
50770 + match = acl_role_set.r_hash[index];
50771 +
50772 + while (match) {
50773 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
50774 + for (x = 0; x < match->domain_child_num; x++) {
50775 + if (match->domain_children[x] == uid)
50776 + goto found;
50777 + }
50778 + } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
50779 + break;
50780 + match = match->next;
50781 + }
50782 +found:
50783 + if (match == NULL) {
50784 + try_group:
50785 + index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
50786 + match = acl_role_set.r_hash[index];
50787 +
50788 + while (match) {
50789 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
50790 + for (x = 0; x < match->domain_child_num; x++) {
50791 + if (match->domain_children[x] == gid)
50792 + goto found2;
50793 + }
50794 + } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
50795 + break;
50796 + match = match->next;
50797 + }
50798 +found2:
50799 + if (match == NULL)
50800 + match = default_role;
50801 + if (match->allowed_ips == NULL)
50802 + return match;
50803 + else {
50804 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
50805 + if (likely
50806 + ((ntohl(curr_ip) & ipp->netmask) ==
50807 + (ntohl(ipp->addr) & ipp->netmask)))
50808 + return match;
50809 + }
50810 + match = default_role;
50811 + }
50812 + } else if (match->allowed_ips == NULL) {
50813 + return match;
50814 + } else {
50815 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
50816 + if (likely
50817 + ((ntohl(curr_ip) & ipp->netmask) ==
50818 + (ntohl(ipp->addr) & ipp->netmask)))
50819 + return match;
50820 + }
50821 + goto try_group;
50822 + }
50823 +
50824 + return match;
50825 +}
50826 +
50827 +struct acl_subject_label *
50828 +lookup_acl_subj_label(const ino_t ino, const dev_t dev,
50829 + const struct acl_role_label *role)
50830 +{
50831 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
50832 + struct acl_subject_label *match;
50833 +
50834 + match = role->subj_hash[index];
50835 +
50836 + while (match && (match->inode != ino || match->device != dev ||
50837 + (match->mode & GR_DELETED))) {
50838 + match = match->next;
50839 + }
50840 +
50841 + if (match && !(match->mode & GR_DELETED))
50842 + return match;
50843 + else
50844 + return NULL;
50845 +}
50846 +
50847 +struct acl_subject_label *
50848 +lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
50849 + const struct acl_role_label *role)
50850 +{
50851 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
50852 + struct acl_subject_label *match;
50853 +
50854 + match = role->subj_hash[index];
50855 +
50856 + while (match && (match->inode != ino || match->device != dev ||
50857 + !(match->mode & GR_DELETED))) {
50858 + match = match->next;
50859 + }
50860 +
50861 + if (match && (match->mode & GR_DELETED))
50862 + return match;
50863 + else
50864 + return NULL;
50865 +}
50866 +
50867 +static struct acl_object_label *
50868 +lookup_acl_obj_label(const ino_t ino, const dev_t dev,
50869 + const struct acl_subject_label *subj)
50870 +{
50871 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
50872 + struct acl_object_label *match;
50873 +
50874 + match = subj->obj_hash[index];
50875 +
50876 + while (match && (match->inode != ino || match->device != dev ||
50877 + (match->mode & GR_DELETED))) {
50878 + match = match->next;
50879 + }
50880 +
50881 + if (match && !(match->mode & GR_DELETED))
50882 + return match;
50883 + else
50884 + return NULL;
50885 +}
50886 +
50887 +static struct acl_object_label *
50888 +lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
50889 + const struct acl_subject_label *subj)
50890 +{
50891 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
50892 + struct acl_object_label *match;
50893 +
50894 + match = subj->obj_hash[index];
50895 +
50896 + while (match && (match->inode != ino || match->device != dev ||
50897 + !(match->mode & GR_DELETED))) {
50898 + match = match->next;
50899 + }
50900 +
50901 + if (match && (match->mode & GR_DELETED))
50902 + return match;
50903 +
50904 + match = subj->obj_hash[index];
50905 +
50906 + while (match && (match->inode != ino || match->device != dev ||
50907 + (match->mode & GR_DELETED))) {
50908 + match = match->next;
50909 + }
50910 +
50911 + if (match && !(match->mode & GR_DELETED))
50912 + return match;
50913 + else
50914 + return NULL;
50915 +}
50916 +
50917 +static struct name_entry *
50918 +lookup_name_entry(const char *name)
50919 +{
50920 + unsigned int len = strlen(name);
50921 + unsigned int key = full_name_hash(name, len);
50922 + unsigned int index = key % name_set.n_size;
50923 + struct name_entry *match;
50924 +
50925 + match = name_set.n_hash[index];
50926 +
50927 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
50928 + match = match->next;
50929 +
50930 + return match;
50931 +}
50932 +
50933 +static struct name_entry *
50934 +lookup_name_entry_create(const char *name)
50935 +{
50936 + unsigned int len = strlen(name);
50937 + unsigned int key = full_name_hash(name, len);
50938 + unsigned int index = key % name_set.n_size;
50939 + struct name_entry *match;
50940 +
50941 + match = name_set.n_hash[index];
50942 +
50943 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
50944 + !match->deleted))
50945 + match = match->next;
50946 +
50947 + if (match && match->deleted)
50948 + return match;
50949 +
50950 + match = name_set.n_hash[index];
50951 +
50952 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
50953 + match->deleted))
50954 + match = match->next;
50955 +
50956 + if (match && !match->deleted)
50957 + return match;
50958 + else
50959 + return NULL;
50960 +}
50961 +
50962 +static struct inodev_entry *
50963 +lookup_inodev_entry(const ino_t ino, const dev_t dev)
50964 +{
50965 + unsigned int index = fhash(ino, dev, inodev_set.i_size);
50966 + struct inodev_entry *match;
50967 +
50968 + match = inodev_set.i_hash[index];
50969 +
50970 + while (match && (match->nentry->inode != ino || match->nentry->device != dev))
50971 + match = match->next;
50972 +
50973 + return match;
50974 +}
50975 +
50976 +static void
50977 +insert_inodev_entry(struct inodev_entry *entry)
50978 +{
50979 + unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
50980 + inodev_set.i_size);
50981 + struct inodev_entry **curr;
50982 +
50983 + entry->prev = NULL;
50984 +
50985 + curr = &inodev_set.i_hash[index];
50986 + if (*curr != NULL)
50987 + (*curr)->prev = entry;
50988 +
50989 + entry->next = *curr;
50990 + *curr = entry;
50991 +
50992 + return;
50993 +}
50994 +
50995 +static void
50996 +__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
50997 +{
50998 + unsigned int index =
50999 + rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
51000 + struct acl_role_label **curr;
51001 + struct acl_role_label *tmp;
51002 +
51003 + curr = &acl_role_set.r_hash[index];
51004 +
51005 + /* if role was already inserted due to domains and already has
51006 + a role in the same bucket as it attached, then we need to
51007 + combine these two buckets
51008 + */
51009 + if (role->next) {
51010 + tmp = role->next;
51011 + while (tmp->next)
51012 + tmp = tmp->next;
51013 + tmp->next = *curr;
51014 + } else
51015 + role->next = *curr;
51016 + *curr = role;
51017 +
51018 + return;
51019 +}
51020 +
51021 +static void
51022 +insert_acl_role_label(struct acl_role_label *role)
51023 +{
51024 + int i;
51025 +
51026 + if (role_list == NULL) {
51027 + role_list = role;
51028 + role->prev = NULL;
51029 + } else {
51030 + role->prev = role_list;
51031 + role_list = role;
51032 + }
51033 +
51034 + /* used for hash chains */
51035 + role->next = NULL;
51036 +
51037 + if (role->roletype & GR_ROLE_DOMAIN) {
51038 + for (i = 0; i < role->domain_child_num; i++)
51039 + __insert_acl_role_label(role, role->domain_children[i]);
51040 + } else
51041 + __insert_acl_role_label(role, role->uidgid);
51042 +}
51043 +
51044 +static int
51045 +insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
51046 +{
51047 + struct name_entry **curr, *nentry;
51048 + struct inodev_entry *ientry;
51049 + unsigned int len = strlen(name);
51050 + unsigned int key = full_name_hash(name, len);
51051 + unsigned int index = key % name_set.n_size;
51052 +
51053 + curr = &name_set.n_hash[index];
51054 +
51055 + while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
51056 + curr = &((*curr)->next);
51057 +
51058 + if (*curr != NULL)
51059 + return 1;
51060 +
51061 + nentry = acl_alloc(sizeof (struct name_entry));
51062 + if (nentry == NULL)
51063 + return 0;
51064 + ientry = acl_alloc(sizeof (struct inodev_entry));
51065 + if (ientry == NULL)
51066 + return 0;
51067 + ientry->nentry = nentry;
51068 +
51069 + nentry->key = key;
51070 + nentry->name = name;
51071 + nentry->inode = inode;
51072 + nentry->device = device;
51073 + nentry->len = len;
51074 + nentry->deleted = deleted;
51075 +
51076 + nentry->prev = NULL;
51077 + curr = &name_set.n_hash[index];
51078 + if (*curr != NULL)
51079 + (*curr)->prev = nentry;
51080 + nentry->next = *curr;
51081 + *curr = nentry;
51082 +
51083 + /* insert us into the table searchable by inode/dev */
51084 + insert_inodev_entry(ientry);
51085 +
51086 + return 1;
51087 +}
51088 +
51089 +static void
51090 +insert_acl_obj_label(struct acl_object_label *obj,
51091 + struct acl_subject_label *subj)
51092 +{
51093 + unsigned int index =
51094 + fhash(obj->inode, obj->device, subj->obj_hash_size);
51095 + struct acl_object_label **curr;
51096 +
51097 +
51098 + obj->prev = NULL;
51099 +
51100 + curr = &subj->obj_hash[index];
51101 + if (*curr != NULL)
51102 + (*curr)->prev = obj;
51103 +
51104 + obj->next = *curr;
51105 + *curr = obj;
51106 +
51107 + return;
51108 +}
51109 +
51110 +static void
51111 +insert_acl_subj_label(struct acl_subject_label *obj,
51112 + struct acl_role_label *role)
51113 +{
51114 + unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
51115 + struct acl_subject_label **curr;
51116 +
51117 + obj->prev = NULL;
51118 +
51119 + curr = &role->subj_hash[index];
51120 + if (*curr != NULL)
51121 + (*curr)->prev = obj;
51122 +
51123 + obj->next = *curr;
51124 + *curr = obj;
51125 +
51126 + return;
51127 +}
51128 +
51129 +/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
51130 +
51131 +static void *
51132 +create_table(__u32 * len, int elementsize)
51133 +{
51134 + unsigned int table_sizes[] = {
51135 + 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
51136 + 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
51137 + 4194301, 8388593, 16777213, 33554393, 67108859
51138 + };
51139 + void *newtable = NULL;
51140 + unsigned int pwr = 0;
51141 +
51142 + while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
51143 + table_sizes[pwr] <= *len)
51144 + pwr++;
51145 +
51146 + if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
51147 + return newtable;
51148 +
51149 + if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
51150 + newtable =
51151 + kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
51152 + else
51153 + newtable = vmalloc(table_sizes[pwr] * elementsize);
51154 +
51155 + *len = table_sizes[pwr];
51156 +
51157 + return newtable;
51158 +}
51159 +
51160 +static int
51161 +init_variables(const struct gr_arg *arg)
51162 +{
51163 + struct task_struct *reaper = &init_task;
51164 + unsigned int stacksize;
51165 +
51166 + subj_map_set.s_size = arg->role_db.num_subjects;
51167 + acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
51168 + name_set.n_size = arg->role_db.num_objects;
51169 + inodev_set.i_size = arg->role_db.num_objects;
51170 +
51171 + if (!subj_map_set.s_size || !acl_role_set.r_size ||
51172 + !name_set.n_size || !inodev_set.i_size)
51173 + return 1;
51174 +
51175 + if (!gr_init_uidset())
51176 + return 1;
51177 +
51178 + /* set up the stack that holds allocation info */
51179 +
51180 + stacksize = arg->role_db.num_pointers + 5;
51181 +
51182 + if (!acl_alloc_stack_init(stacksize))
51183 + return 1;
51184 +
51185 + /* grab reference for the real root dentry and vfsmount */
51186 + read_lock(&reaper->fs->lock);
51187 + real_root = dget(reaper->fs->root.dentry);
51188 + real_root_mnt = mntget(reaper->fs->root.mnt);
51189 + read_unlock(&reaper->fs->lock);
51190 +
51191 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
51192 + printk(KERN_ALERT "Obtained real root device=%d, inode=%lu\n", __get_dev(real_root), real_root->d_inode->i_ino);
51193 +#endif
51194 +
51195 + fakefs_obj_rw = acl_alloc(sizeof(struct acl_object_label));
51196 + if (fakefs_obj_rw == NULL)
51197 + return 1;
51198 + fakefs_obj_rw->mode = GR_FIND | GR_READ | GR_WRITE;
51199 +
51200 + fakefs_obj_rwx = acl_alloc(sizeof(struct acl_object_label));
51201 + if (fakefs_obj_rwx == NULL)
51202 + return 1;
51203 + fakefs_obj_rwx->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
51204 +
51205 + subj_map_set.s_hash =
51206 + (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
51207 + acl_role_set.r_hash =
51208 + (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
51209 + name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
51210 + inodev_set.i_hash =
51211 + (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
51212 +
51213 + if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
51214 + !name_set.n_hash || !inodev_set.i_hash)
51215 + return 1;
51216 +
51217 + memset(subj_map_set.s_hash, 0,
51218 + sizeof(struct subject_map *) * subj_map_set.s_size);
51219 + memset(acl_role_set.r_hash, 0,
51220 + sizeof (struct acl_role_label *) * acl_role_set.r_size);
51221 + memset(name_set.n_hash, 0,
51222 + sizeof (struct name_entry *) * name_set.n_size);
51223 + memset(inodev_set.i_hash, 0,
51224 + sizeof (struct inodev_entry *) * inodev_set.i_size);
51225 +
51226 + return 0;
51227 +}
51228 +
51229 +/* free information not needed after startup
51230 + currently contains user->kernel pointer mappings for subjects
51231 +*/
51232 +
51233 +static void
51234 +free_init_variables(void)
51235 +{
51236 + __u32 i;
51237 +
51238 + if (subj_map_set.s_hash) {
51239 + for (i = 0; i < subj_map_set.s_size; i++) {
51240 + if (subj_map_set.s_hash[i]) {
51241 + kfree(subj_map_set.s_hash[i]);
51242 + subj_map_set.s_hash[i] = NULL;
51243 + }
51244 + }
51245 +
51246 + if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
51247 + PAGE_SIZE)
51248 + kfree(subj_map_set.s_hash);
51249 + else
51250 + vfree(subj_map_set.s_hash);
51251 + }
51252 +
51253 + return;
51254 +}
51255 +
51256 +static void
51257 +free_variables(void)
51258 +{
51259 + struct acl_subject_label *s;
51260 + struct acl_role_label *r;
51261 + struct task_struct *task, *task2;
51262 + unsigned int x;
51263 +
51264 + gr_clear_learn_entries();
51265 +
51266 + read_lock(&tasklist_lock);
51267 + do_each_thread(task2, task) {
51268 + task->acl_sp_role = 0;
51269 + task->acl_role_id = 0;
51270 + task->acl = NULL;
51271 + task->role = NULL;
51272 + } while_each_thread(task2, task);
51273 + read_unlock(&tasklist_lock);
51274 +
51275 + /* release the reference to the real root dentry and vfsmount */
51276 + if (real_root)
51277 + dput(real_root);
51278 + real_root = NULL;
51279 + if (real_root_mnt)
51280 + mntput(real_root_mnt);
51281 + real_root_mnt = NULL;
51282 +
51283 + /* free all object hash tables */
51284 +
51285 + FOR_EACH_ROLE_START(r)
51286 + if (r->subj_hash == NULL)
51287 + goto next_role;
51288 + FOR_EACH_SUBJECT_START(r, s, x)
51289 + if (s->obj_hash == NULL)
51290 + break;
51291 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
51292 + kfree(s->obj_hash);
51293 + else
51294 + vfree(s->obj_hash);
51295 + FOR_EACH_SUBJECT_END(s, x)
51296 + FOR_EACH_NESTED_SUBJECT_START(r, s)
51297 + if (s->obj_hash == NULL)
51298 + break;
51299 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
51300 + kfree(s->obj_hash);
51301 + else
51302 + vfree(s->obj_hash);
51303 + FOR_EACH_NESTED_SUBJECT_END(s)
51304 + if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
51305 + kfree(r->subj_hash);
51306 + else
51307 + vfree(r->subj_hash);
51308 + r->subj_hash = NULL;
51309 +next_role:
51310 + FOR_EACH_ROLE_END(r)
51311 +
51312 + acl_free_all();
51313 +
51314 + if (acl_role_set.r_hash) {
51315 + if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
51316 + PAGE_SIZE)
51317 + kfree(acl_role_set.r_hash);
51318 + else
51319 + vfree(acl_role_set.r_hash);
51320 + }
51321 + if (name_set.n_hash) {
51322 + if ((name_set.n_size * sizeof (struct name_entry *)) <=
51323 + PAGE_SIZE)
51324 + kfree(name_set.n_hash);
51325 + else
51326 + vfree(name_set.n_hash);
51327 + }
51328 +
51329 + if (inodev_set.i_hash) {
51330 + if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
51331 + PAGE_SIZE)
51332 + kfree(inodev_set.i_hash);
51333 + else
51334 + vfree(inodev_set.i_hash);
51335 + }
51336 +
51337 + gr_free_uidset();
51338 +
51339 + memset(&name_set, 0, sizeof (struct name_db));
51340 + memset(&inodev_set, 0, sizeof (struct inodev_db));
51341 + memset(&acl_role_set, 0, sizeof (struct acl_role_db));
51342 + memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
51343 +
51344 + default_role = NULL;
51345 + role_list = NULL;
51346 +
51347 + return;
51348 +}
51349 +
51350 +static __u32
51351 +count_user_objs(struct acl_object_label *userp)
51352 +{
51353 + struct acl_object_label o_tmp;
51354 + __u32 num = 0;
51355 +
51356 + while (userp) {
51357 + if (copy_from_user(&o_tmp, userp,
51358 + sizeof (struct acl_object_label)))
51359 + break;
51360 +
51361 + userp = o_tmp.prev;
51362 + num++;
51363 + }
51364 +
51365 + return num;
51366 +}
51367 +
51368 +static struct acl_subject_label *
51369 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
51370 +
51371 +static int
51372 +copy_user_glob(struct acl_object_label *obj)
51373 +{
51374 + struct acl_object_label *g_tmp, **guser;
51375 + unsigned int len;
51376 + char *tmp;
51377 +
51378 + if (obj->globbed == NULL)
51379 + return 0;
51380 +
51381 + guser = &obj->globbed;
51382 + while (*guser) {
51383 + g_tmp = (struct acl_object_label *)
51384 + acl_alloc(sizeof (struct acl_object_label));
51385 + if (g_tmp == NULL)
51386 + return -ENOMEM;
51387 +
51388 + if (copy_from_user(g_tmp, *guser,
51389 + sizeof (struct acl_object_label)))
51390 + return -EFAULT;
51391 +
51392 + len = strnlen_user(g_tmp->filename, PATH_MAX);
51393 +
51394 + if (!len || len >= PATH_MAX)
51395 + return -EINVAL;
51396 +
51397 + if ((tmp = (char *) acl_alloc(len)) == NULL)
51398 + return -ENOMEM;
51399 +
51400 + if (copy_from_user(tmp, g_tmp->filename, len))
51401 + return -EFAULT;
51402 + tmp[len-1] = '\0';
51403 + g_tmp->filename = tmp;
51404 +
51405 + *guser = g_tmp;
51406 + guser = &(g_tmp->next);
51407 + }
51408 +
51409 + return 0;
51410 +}
51411 +
51412 +static int
51413 +copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
51414 + struct acl_role_label *role)
51415 +{
51416 + struct acl_object_label *o_tmp;
51417 + unsigned int len;
51418 + int ret;
51419 + char *tmp;
51420 +
51421 + while (userp) {
51422 + if ((o_tmp = (struct acl_object_label *)
51423 + acl_alloc(sizeof (struct acl_object_label))) == NULL)
51424 + return -ENOMEM;
51425 +
51426 + if (copy_from_user(o_tmp, userp,
51427 + sizeof (struct acl_object_label)))
51428 + return -EFAULT;
51429 +
51430 + userp = o_tmp->prev;
51431 +
51432 + len = strnlen_user(o_tmp->filename, PATH_MAX);
51433 +
51434 + if (!len || len >= PATH_MAX)
51435 + return -EINVAL;
51436 +
51437 + if ((tmp = (char *) acl_alloc(len)) == NULL)
51438 + return -ENOMEM;
51439 +
51440 + if (copy_from_user(tmp, o_tmp->filename, len))
51441 + return -EFAULT;
51442 + tmp[len-1] = '\0';
51443 + o_tmp->filename = tmp;
51444 +
51445 + insert_acl_obj_label(o_tmp, subj);
51446 + if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
51447 + o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
51448 + return -ENOMEM;
51449 +
51450 + ret = copy_user_glob(o_tmp);
51451 + if (ret)
51452 + return ret;
51453 +
51454 + if (o_tmp->nested) {
51455 + o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
51456 + if (IS_ERR(o_tmp->nested))
51457 + return PTR_ERR(o_tmp->nested);
51458 +
51459 + /* insert into nested subject list */
51460 + o_tmp->nested->next = role->hash->first;
51461 + role->hash->first = o_tmp->nested;
51462 + }
51463 + }
51464 +
51465 + return 0;
51466 +}
51467 +
51468 +static __u32
51469 +count_user_subjs(struct acl_subject_label *userp)
51470 +{
51471 + struct acl_subject_label s_tmp;
51472 + __u32 num = 0;
51473 +
51474 + while (userp) {
51475 + if (copy_from_user(&s_tmp, userp,
51476 + sizeof (struct acl_subject_label)))
51477 + break;
51478 +
51479 + userp = s_tmp.prev;
51480 + /* do not count nested subjects against this count, since
51481 + they are not included in the hash table, but are
51482 + attached to objects. We have already counted
51483 + the subjects in userspace for the allocation
51484 + stack
51485 + */
51486 + if (!(s_tmp.mode & GR_NESTED))
51487 + num++;
51488 + }
51489 +
51490 + return num;
51491 +}
51492 +
51493 +static int
51494 +copy_user_allowedips(struct acl_role_label *rolep)
51495 +{
51496 + struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
51497 +
51498 + ruserip = rolep->allowed_ips;
51499 +
51500 + while (ruserip) {
51501 + rlast = rtmp;
51502 +
51503 + if ((rtmp = (struct role_allowed_ip *)
51504 + acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
51505 + return -ENOMEM;
51506 +
51507 + if (copy_from_user(rtmp, ruserip,
51508 + sizeof (struct role_allowed_ip)))
51509 + return -EFAULT;
51510 +
51511 + ruserip = rtmp->prev;
51512 +
51513 + if (!rlast) {
51514 + rtmp->prev = NULL;
51515 + rolep->allowed_ips = rtmp;
51516 + } else {
51517 + rlast->next = rtmp;
51518 + rtmp->prev = rlast;
51519 + }
51520 +
51521 + if (!ruserip)
51522 + rtmp->next = NULL;
51523 + }
51524 +
51525 + return 0;
51526 +}
51527 +
51528 +static int
51529 +copy_user_transitions(struct acl_role_label *rolep)
51530 +{
51531 + struct role_transition *rusertp, *rtmp = NULL, *rlast;
51532 +
51533 + unsigned int len;
51534 + char *tmp;
51535 +
51536 + rusertp = rolep->transitions;
51537 +
51538 + while (rusertp) {
51539 + rlast = rtmp;
51540 +
51541 + if ((rtmp = (struct role_transition *)
51542 + acl_alloc(sizeof (struct role_transition))) == NULL)
51543 + return -ENOMEM;
51544 +
51545 + if (copy_from_user(rtmp, rusertp,
51546 + sizeof (struct role_transition)))
51547 + return -EFAULT;
51548 +
51549 + rusertp = rtmp->prev;
51550 +
51551 + len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
51552 +
51553 + if (!len || len >= GR_SPROLE_LEN)
51554 + return -EINVAL;
51555 +
51556 + if ((tmp = (char *) acl_alloc(len)) == NULL)
51557 + return -ENOMEM;
51558 +
51559 + if (copy_from_user(tmp, rtmp->rolename, len))
51560 + return -EFAULT;
51561 + tmp[len-1] = '\0';
51562 + rtmp->rolename = tmp;
51563 +
51564 + if (!rlast) {
51565 + rtmp->prev = NULL;
51566 + rolep->transitions = rtmp;
51567 + } else {
51568 + rlast->next = rtmp;
51569 + rtmp->prev = rlast;
51570 + }
51571 +
51572 + if (!rusertp)
51573 + rtmp->next = NULL;
51574 + }
51575 +
51576 + return 0;
51577 +}
51578 +
51579 +static struct acl_subject_label *
51580 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
51581 +{
51582 + struct acl_subject_label *s_tmp = NULL, *s_tmp2;
51583 + unsigned int len;
51584 + char *tmp;
51585 + __u32 num_objs;
51586 + struct acl_ip_label **i_tmp, *i_utmp2;
51587 + struct gr_hash_struct ghash;
51588 + struct subject_map *subjmap;
51589 + unsigned int i_num;
51590 + int err;
51591 +
51592 + s_tmp = lookup_subject_map(userp);
51593 +
51594 + /* we've already copied this subject into the kernel, just return
51595 + the reference to it, and don't copy it over again
51596 + */
51597 + if (s_tmp)
51598 + return(s_tmp);
51599 +
51600 + if ((s_tmp = (struct acl_subject_label *)
51601 + acl_alloc(sizeof (struct acl_subject_label))) == NULL)
51602 + return ERR_PTR(-ENOMEM);
51603 +
51604 + subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
51605 + if (subjmap == NULL)
51606 + return ERR_PTR(-ENOMEM);
51607 +
51608 + subjmap->user = userp;
51609 + subjmap->kernel = s_tmp;
51610 + insert_subj_map_entry(subjmap);
51611 +
51612 + if (copy_from_user(s_tmp, userp,
51613 + sizeof (struct acl_subject_label)))
51614 + return ERR_PTR(-EFAULT);
51615 +
51616 + len = strnlen_user(s_tmp->filename, PATH_MAX);
51617 +
51618 + if (!len || len >= PATH_MAX)
51619 + return ERR_PTR(-EINVAL);
51620 +
51621 + if ((tmp = (char *) acl_alloc(len)) == NULL)
51622 + return ERR_PTR(-ENOMEM);
51623 +
51624 + if (copy_from_user(tmp, s_tmp->filename, len))
51625 + return ERR_PTR(-EFAULT);
51626 + tmp[len-1] = '\0';
51627 + s_tmp->filename = tmp;
51628 +
51629 + if (!strcmp(s_tmp->filename, "/"))
51630 + role->root_label = s_tmp;
51631 +
51632 + if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
51633 + return ERR_PTR(-EFAULT);
51634 +
51635 + /* copy user and group transition tables */
51636 +
51637 + if (s_tmp->user_trans_num) {
51638 + uid_t *uidlist;
51639 +
51640 + uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
51641 + if (uidlist == NULL)
51642 + return ERR_PTR(-ENOMEM);
51643 + if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
51644 + return ERR_PTR(-EFAULT);
51645 +
51646 + s_tmp->user_transitions = uidlist;
51647 + }
51648 +
51649 + if (s_tmp->group_trans_num) {
51650 + gid_t *gidlist;
51651 +
51652 + gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
51653 + if (gidlist == NULL)
51654 + return ERR_PTR(-ENOMEM);
51655 + if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
51656 + return ERR_PTR(-EFAULT);
51657 +
51658 + s_tmp->group_transitions = gidlist;
51659 + }
51660 +
51661 + /* set up object hash table */
51662 + num_objs = count_user_objs(ghash.first);
51663 +
51664 + s_tmp->obj_hash_size = num_objs;
51665 + s_tmp->obj_hash =
51666 + (struct acl_object_label **)
51667 + create_table(&(s_tmp->obj_hash_size), sizeof(void *));
51668 +
51669 + if (!s_tmp->obj_hash)
51670 + return ERR_PTR(-ENOMEM);
51671 +
51672 + memset(s_tmp->obj_hash, 0,
51673 + s_tmp->obj_hash_size *
51674 + sizeof (struct acl_object_label *));
51675 +
51676 + /* add in objects */
51677 + err = copy_user_objs(ghash.first, s_tmp, role);
51678 +
51679 + if (err)
51680 + return ERR_PTR(err);
51681 +
51682 + /* set pointer for parent subject */
51683 + if (s_tmp->parent_subject) {
51684 + s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
51685 +
51686 + if (IS_ERR(s_tmp2))
51687 + return s_tmp2;
51688 +
51689 + s_tmp->parent_subject = s_tmp2;
51690 + }
51691 +
51692 + /* add in ip acls */
51693 +
51694 + if (!s_tmp->ip_num) {
51695 + s_tmp->ips = NULL;
51696 + goto insert;
51697 + }
51698 +
51699 + i_tmp =
51700 + (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
51701 + sizeof (struct acl_ip_label *));
51702 +
51703 + if (!i_tmp)
51704 + return ERR_PTR(-ENOMEM);
51705 +
51706 + for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
51707 + *(i_tmp + i_num) =
51708 + (struct acl_ip_label *)
51709 + acl_alloc(sizeof (struct acl_ip_label));
51710 + if (!*(i_tmp + i_num))
51711 + return ERR_PTR(-ENOMEM);
51712 +
51713 + if (copy_from_user
51714 + (&i_utmp2, s_tmp->ips + i_num,
51715 + sizeof (struct acl_ip_label *)))
51716 + return ERR_PTR(-EFAULT);
51717 +
51718 + if (copy_from_user
51719 + (*(i_tmp + i_num), i_utmp2,
51720 + sizeof (struct acl_ip_label)))
51721 + return ERR_PTR(-EFAULT);
51722 +
51723 + if ((*(i_tmp + i_num))->iface == NULL)
51724 + continue;
51725 +
51726 + len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
51727 + if (!len || len >= IFNAMSIZ)
51728 + return ERR_PTR(-EINVAL);
51729 + tmp = acl_alloc(len);
51730 + if (tmp == NULL)
51731 + return ERR_PTR(-ENOMEM);
51732 + if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
51733 + return ERR_PTR(-EFAULT);
51734 + (*(i_tmp + i_num))->iface = tmp;
51735 + }
51736 +
51737 + s_tmp->ips = i_tmp;
51738 +
51739 +insert:
51740 + if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
51741 + s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
51742 + return ERR_PTR(-ENOMEM);
51743 +
51744 + return s_tmp;
51745 +}
51746 +
51747 +static int
51748 +copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
51749 +{
51750 + struct acl_subject_label s_pre;
51751 + struct acl_subject_label * ret;
51752 + int err;
51753 +
51754 + while (userp) {
51755 + if (copy_from_user(&s_pre, userp,
51756 + sizeof (struct acl_subject_label)))
51757 + return -EFAULT;
51758 +
51759 + /* do not add nested subjects here, add
51760 + while parsing objects
51761 + */
51762 +
51763 + if (s_pre.mode & GR_NESTED) {
51764 + userp = s_pre.prev;
51765 + continue;
51766 + }
51767 +
51768 + ret = do_copy_user_subj(userp, role);
51769 +
51770 + err = PTR_ERR(ret);
51771 + if (IS_ERR(ret))
51772 + return err;
51773 +
51774 + insert_acl_subj_label(ret, role);
51775 +
51776 + userp = s_pre.prev;
51777 + }
51778 +
51779 + return 0;
51780 +}
51781 +
51782 +static int
51783 +copy_user_acl(struct gr_arg *arg)
51784 +{
51785 + struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
51786 + struct sprole_pw *sptmp;
51787 + struct gr_hash_struct *ghash;
51788 + uid_t *domainlist;
51789 + unsigned int r_num;
51790 + unsigned int len;
51791 + char *tmp;
51792 + int err = 0;
51793 + __u16 i;
51794 + __u32 num_subjs;
51795 +
51796 + /* we need a default and kernel role */
51797 + if (arg->role_db.num_roles < 2)
51798 + return -EINVAL;
51799 +
51800 + /* copy special role authentication info from userspace */
51801 +
51802 + num_sprole_pws = arg->num_sprole_pws;
51803 + acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
51804 +
51805 + if (!acl_special_roles) {
51806 + err = -ENOMEM;
51807 + goto cleanup;
51808 + }
51809 +
51810 + for (i = 0; i < num_sprole_pws; i++) {
51811 + sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
51812 + if (!sptmp) {
51813 + err = -ENOMEM;
51814 + goto cleanup;
51815 + }
51816 + if (copy_from_user(sptmp, arg->sprole_pws + i,
51817 + sizeof (struct sprole_pw))) {
51818 + err = -EFAULT;
51819 + goto cleanup;
51820 + }
51821 +
51822 + len =
51823 + strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
51824 +
51825 + if (!len || len >= GR_SPROLE_LEN) {
51826 + err = -EINVAL;
51827 + goto cleanup;
51828 + }
51829 +
51830 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
51831 + err = -ENOMEM;
51832 + goto cleanup;
51833 + }
51834 +
51835 + if (copy_from_user(tmp, sptmp->rolename, len)) {
51836 + err = -EFAULT;
51837 + goto cleanup;
51838 + }
51839 + tmp[len-1] = '\0';
51840 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
51841 + printk(KERN_ALERT "Copying special role %s\n", tmp);
51842 +#endif
51843 + sptmp->rolename = tmp;
51844 + acl_special_roles[i] = sptmp;
51845 + }
51846 +
51847 + r_utmp = (struct acl_role_label **) arg->role_db.r_table;
51848 +
51849 + for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
51850 + r_tmp = acl_alloc(sizeof (struct acl_role_label));
51851 +
51852 + if (!r_tmp) {
51853 + err = -ENOMEM;
51854 + goto cleanup;
51855 + }
51856 +
51857 + if (copy_from_user(&r_utmp2, r_utmp + r_num,
51858 + sizeof (struct acl_role_label *))) {
51859 + err = -EFAULT;
51860 + goto cleanup;
51861 + }
51862 +
51863 + if (copy_from_user(r_tmp, r_utmp2,
51864 + sizeof (struct acl_role_label))) {
51865 + err = -EFAULT;
51866 + goto cleanup;
51867 + }
51868 +
51869 + len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
51870 +
51871 + if (!len || len >= PATH_MAX) {
51872 + err = -EINVAL;
51873 + goto cleanup;
51874 + }
51875 +
51876 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
51877 + err = -ENOMEM;
51878 + goto cleanup;
51879 + }
51880 + if (copy_from_user(tmp, r_tmp->rolename, len)) {
51881 + err = -EFAULT;
51882 + goto cleanup;
51883 + }
51884 + tmp[len-1] = '\0';
51885 + r_tmp->rolename = tmp;
51886 +
51887 + if (!strcmp(r_tmp->rolename, "default")
51888 + && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
51889 + default_role = r_tmp;
51890 + } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
51891 + kernel_role = r_tmp;
51892 + }
51893 +
51894 + if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
51895 + err = -ENOMEM;
51896 + goto cleanup;
51897 + }
51898 + if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
51899 + err = -EFAULT;
51900 + goto cleanup;
51901 + }
51902 +
51903 + r_tmp->hash = ghash;
51904 +
51905 + num_subjs = count_user_subjs(r_tmp->hash->first);
51906 +
51907 + r_tmp->subj_hash_size = num_subjs;
51908 + r_tmp->subj_hash =
51909 + (struct acl_subject_label **)
51910 + create_table(&(r_tmp->subj_hash_size), sizeof(void *));
51911 +
51912 + if (!r_tmp->subj_hash) {
51913 + err = -ENOMEM;
51914 + goto cleanup;
51915 + }
51916 +
51917 + err = copy_user_allowedips(r_tmp);
51918 + if (err)
51919 + goto cleanup;
51920 +
51921 + /* copy domain info */
51922 + if (r_tmp->domain_children != NULL) {
51923 + domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
51924 + if (domainlist == NULL) {
51925 + err = -ENOMEM;
51926 + goto cleanup;
51927 + }
51928 + if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
51929 + err = -EFAULT;
51930 + goto cleanup;
51931 + }
51932 + r_tmp->domain_children = domainlist;
51933 + }
51934 +
51935 + err = copy_user_transitions(r_tmp);
51936 + if (err)
51937 + goto cleanup;
51938 +
51939 + memset(r_tmp->subj_hash, 0,
51940 + r_tmp->subj_hash_size *
51941 + sizeof (struct acl_subject_label *));
51942 +
51943 + err = copy_user_subjs(r_tmp->hash->first, r_tmp);
51944 +
51945 + if (err)
51946 + goto cleanup;
51947 +
51948 + /* set nested subject list to null */
51949 + r_tmp->hash->first = NULL;
51950 +
51951 + insert_acl_role_label(r_tmp);
51952 + }
51953 +
51954 + goto return_err;
51955 + cleanup:
51956 + free_variables();
51957 + return_err:
51958 + return err;
51959 +
51960 +}
51961 +
51962 +static int
51963 +gracl_init(struct gr_arg *args)
51964 +{
51965 + int error = 0;
51966 +
51967 + memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
51968 + memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
51969 +
51970 + if (init_variables(args)) {
51971 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
51972 + error = -ENOMEM;
51973 + free_variables();
51974 + goto out;
51975 + }
51976 +
51977 + error = copy_user_acl(args);
51978 + free_init_variables();
51979 + if (error) {
51980 + free_variables();
51981 + goto out;
51982 + }
51983 +
51984 + if ((error = gr_set_acls(0))) {
51985 + free_variables();
51986 + goto out;
51987 + }
51988 +
51989 + pax_open_kernel();
51990 + gr_status |= GR_READY;
51991 + pax_close_kernel();
51992 +
51993 + out:
51994 + return error;
51995 +}
51996 +
51997 +/* derived from glibc fnmatch() 0: match, 1: no match*/
51998 +
51999 +static int
52000 +glob_match(const char *p, const char *n)
52001 +{
52002 + char c;
52003 +
52004 + while ((c = *p++) != '\0') {
52005 + switch (c) {
52006 + case '?':
52007 + if (*n == '\0')
52008 + return 1;
52009 + else if (*n == '/')
52010 + return 1;
52011 + break;
52012 + case '\\':
52013 + if (*n != c)
52014 + return 1;
52015 + break;
52016 + case '*':
52017 + for (c = *p++; c == '?' || c == '*'; c = *p++) {
52018 + if (*n == '/')
52019 + return 1;
52020 + else if (c == '?') {
52021 + if (*n == '\0')
52022 + return 1;
52023 + else
52024 + ++n;
52025 + }
52026 + }
52027 + if (c == '\0') {
52028 + return 0;
52029 + } else {
52030 + const char *endp;
52031 +
52032 + if ((endp = strchr(n, '/')) == NULL)
52033 + endp = n + strlen(n);
52034 +
52035 + if (c == '[') {
52036 + for (--p; n < endp; ++n)
52037 + if (!glob_match(p, n))
52038 + return 0;
52039 + } else if (c == '/') {
52040 + while (*n != '\0' && *n != '/')
52041 + ++n;
52042 + if (*n == '/' && !glob_match(p, n + 1))
52043 + return 0;
52044 + } else {
52045 + for (--p; n < endp; ++n)
52046 + if (*n == c && !glob_match(p, n))
52047 + return 0;
52048 + }
52049 +
52050 + return 1;
52051 + }
52052 + case '[':
52053 + {
52054 + int not;
52055 + char cold;
52056 +
52057 + if (*n == '\0' || *n == '/')
52058 + return 1;
52059 +
52060 + not = (*p == '!' || *p == '^');
52061 + if (not)
52062 + ++p;
52063 +
52064 + c = *p++;
52065 + for (;;) {
52066 + unsigned char fn = (unsigned char)*n;
52067 +
52068 + if (c == '\0')
52069 + return 1;
52070 + else {
52071 + if (c == fn)
52072 + goto matched;
52073 + cold = c;
52074 + c = *p++;
52075 +
52076 + if (c == '-' && *p != ']') {
52077 + unsigned char cend = *p++;
52078 +
52079 + if (cend == '\0')
52080 + return 1;
52081 +
52082 + if (cold <= fn && fn <= cend)
52083 + goto matched;
52084 +
52085 + c = *p++;
52086 + }
52087 + }
52088 +
52089 + if (c == ']')
52090 + break;
52091 + }
52092 + if (!not)
52093 + return 1;
52094 + break;
52095 + matched:
52096 + while (c != ']') {
52097 + if (c == '\0')
52098 + return 1;
52099 +
52100 + c = *p++;
52101 + }
52102 + if (not)
52103 + return 1;
52104 + }
52105 + break;
52106 + default:
52107 + if (c != *n)
52108 + return 1;
52109 + }
52110 +
52111 + ++n;
52112 + }
52113 +
52114 + if (*n == '\0')
52115 + return 0;
52116 +
52117 + if (*n == '/')
52118 + return 0;
52119 +
52120 + return 1;
52121 +}
52122 +
52123 +static struct acl_object_label *
52124 +chk_glob_label(struct acl_object_label *globbed,
52125 + struct dentry *dentry, struct vfsmount *mnt, char **path)
52126 +{
52127 + struct acl_object_label *tmp;
52128 +
52129 + if (*path == NULL)
52130 + *path = gr_to_filename_nolock(dentry, mnt);
52131 +
52132 + tmp = globbed;
52133 +
52134 + while (tmp) {
52135 + if (!glob_match(tmp->filename, *path))
52136 + return tmp;
52137 + tmp = tmp->next;
52138 + }
52139 +
52140 + return NULL;
52141 +}
52142 +
52143 +static struct acl_object_label *
52144 +__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
52145 + const ino_t curr_ino, const dev_t curr_dev,
52146 + const struct acl_subject_label *subj, char **path, const int checkglob)
52147 +{
52148 + struct acl_subject_label *tmpsubj;
52149 + struct acl_object_label *retval;
52150 + struct acl_object_label *retval2;
52151 +
52152 + tmpsubj = (struct acl_subject_label *) subj;
52153 + read_lock(&gr_inode_lock);
52154 + do {
52155 + retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
52156 + if (retval) {
52157 + if (checkglob && retval->globbed) {
52158 + retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
52159 + (struct vfsmount *)orig_mnt, path);
52160 + if (retval2)
52161 + retval = retval2;
52162 + }
52163 + break;
52164 + }
52165 + } while ((tmpsubj = tmpsubj->parent_subject));
52166 + read_unlock(&gr_inode_lock);
52167 +
52168 + return retval;
52169 +}
52170 +
52171 +static __inline__ struct acl_object_label *
52172 +full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
52173 + const struct dentry *curr_dentry,
52174 + const struct acl_subject_label *subj, char **path, const int checkglob)
52175 +{
52176 + int newglob = checkglob;
52177 +
52178 + /* if we aren't checking a subdirectory of the original path yet, don't do glob checking
52179 + as we don't want a / * rule to match instead of the / object
52180 + don't do this for create lookups that call this function though, since they're looking up
52181 + on the parent and thus need globbing checks on all paths
52182 + */
52183 + if (orig_dentry == curr_dentry && newglob != GR_CREATE_GLOB)
52184 + newglob = GR_NO_GLOB;
52185 +
52186 + return __full_lookup(orig_dentry, orig_mnt,
52187 + curr_dentry->d_inode->i_ino,
52188 + __get_dev(curr_dentry), subj, path, newglob);
52189 +}
52190 +
52191 +static struct acl_object_label *
52192 +__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
52193 + const struct acl_subject_label *subj, char *path, const int checkglob)
52194 +{
52195 + struct dentry *dentry = (struct dentry *) l_dentry;
52196 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
52197 + struct acl_object_label *retval;
52198 +
52199 + spin_lock(&dcache_lock);
52200 + spin_lock(&vfsmount_lock);
52201 +
52202 + if (unlikely((mnt == shm_mnt && dentry->d_inode->i_nlink == 0) || mnt == pipe_mnt ||
52203 +#ifdef CONFIG_NET
52204 + mnt == sock_mnt ||
52205 +#endif
52206 +#ifdef CONFIG_HUGETLBFS
52207 + (mnt == hugetlbfs_vfsmount && dentry->d_inode->i_nlink == 0) ||
52208 +#endif
52209 + /* ignore Eric Biederman */
52210 + IS_PRIVATE(l_dentry->d_inode))) {
52211 + retval = (subj->mode & GR_SHMEXEC) ? fakefs_obj_rwx : fakefs_obj_rw;
52212 + goto out;
52213 + }
52214 +
52215 + for (;;) {
52216 + if (dentry == real_root && mnt == real_root_mnt)
52217 + break;
52218 +
52219 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
52220 + if (mnt->mnt_parent == mnt)
52221 + break;
52222 +
52223 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
52224 + if (retval != NULL)
52225 + goto out;
52226 +
52227 + dentry = mnt->mnt_mountpoint;
52228 + mnt = mnt->mnt_parent;
52229 + continue;
52230 + }
52231 +
52232 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
52233 + if (retval != NULL)
52234 + goto out;
52235 +
52236 + dentry = dentry->d_parent;
52237 + }
52238 +
52239 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
52240 +
52241 + if (retval == NULL)
52242 + retval = full_lookup(l_dentry, l_mnt, real_root, subj, &path, checkglob);
52243 +out:
52244 + spin_unlock(&vfsmount_lock);
52245 + spin_unlock(&dcache_lock);
52246 +
52247 + BUG_ON(retval == NULL);
52248 +
52249 + return retval;
52250 +}
52251 +
52252 +static __inline__ struct acl_object_label *
52253 +chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
52254 + const struct acl_subject_label *subj)
52255 +{
52256 + char *path = NULL;
52257 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_REG_GLOB);
52258 +}
52259 +
52260 +static __inline__ struct acl_object_label *
52261 +chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
52262 + const struct acl_subject_label *subj)
52263 +{
52264 + char *path = NULL;
52265 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_NO_GLOB);
52266 +}
52267 +
52268 +static __inline__ struct acl_object_label *
52269 +chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
52270 + const struct acl_subject_label *subj, char *path)
52271 +{
52272 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_CREATE_GLOB);
52273 +}
52274 +
52275 +static struct acl_subject_label *
52276 +chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
52277 + const struct acl_role_label *role)
52278 +{
52279 + struct dentry *dentry = (struct dentry *) l_dentry;
52280 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
52281 + struct acl_subject_label *retval;
52282 +
52283 + spin_lock(&dcache_lock);
52284 + spin_lock(&vfsmount_lock);
52285 +
52286 + for (;;) {
52287 + if (dentry == real_root && mnt == real_root_mnt)
52288 + break;
52289 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
52290 + if (mnt->mnt_parent == mnt)
52291 + break;
52292 +
52293 + read_lock(&gr_inode_lock);
52294 + retval =
52295 + lookup_acl_subj_label(dentry->d_inode->i_ino,
52296 + __get_dev(dentry), role);
52297 + read_unlock(&gr_inode_lock);
52298 + if (retval != NULL)
52299 + goto out;
52300 +
52301 + dentry = mnt->mnt_mountpoint;
52302 + mnt = mnt->mnt_parent;
52303 + continue;
52304 + }
52305 +
52306 + read_lock(&gr_inode_lock);
52307 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
52308 + __get_dev(dentry), role);
52309 + read_unlock(&gr_inode_lock);
52310 + if (retval != NULL)
52311 + goto out;
52312 +
52313 + dentry = dentry->d_parent;
52314 + }
52315 +
52316 + read_lock(&gr_inode_lock);
52317 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
52318 + __get_dev(dentry), role);
52319 + read_unlock(&gr_inode_lock);
52320 +
52321 + if (unlikely(retval == NULL)) {
52322 + read_lock(&gr_inode_lock);
52323 + retval = lookup_acl_subj_label(real_root->d_inode->i_ino,
52324 + __get_dev(real_root), role);
52325 + read_unlock(&gr_inode_lock);
52326 + }
52327 +out:
52328 + spin_unlock(&vfsmount_lock);
52329 + spin_unlock(&dcache_lock);
52330 +
52331 + BUG_ON(retval == NULL);
52332 +
52333 + return retval;
52334 +}
52335 +
52336 +static void
52337 +gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
52338 +{
52339 + struct task_struct *task = current;
52340 + const struct cred *cred = current_cred();
52341 +
52342 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
52343 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
52344 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
52345 + 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->saved_ip);
52346 +
52347 + return;
52348 +}
52349 +
52350 +static void
52351 +gr_log_learn_sysctl(const char *path, const __u32 mode)
52352 +{
52353 + struct task_struct *task = current;
52354 + const struct cred *cred = current_cred();
52355 +
52356 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
52357 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
52358 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
52359 + 1UL, 1UL, path, (unsigned long) mode, &task->signal->saved_ip);
52360 +
52361 + return;
52362 +}
52363 +
52364 +static void
52365 +gr_log_learn_id_change(const char type, const unsigned int real,
52366 + const unsigned int effective, const unsigned int fs)
52367 +{
52368 + struct task_struct *task = current;
52369 + const struct cred *cred = current_cred();
52370 +
52371 + security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
52372 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
52373 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
52374 + type, real, effective, fs, &task->signal->saved_ip);
52375 +
52376 + return;
52377 +}
52378 +
52379 +__u32
52380 +gr_check_link(const struct dentry * new_dentry,
52381 + const struct dentry * parent_dentry,
52382 + const struct vfsmount * parent_mnt,
52383 + const struct dentry * old_dentry, const struct vfsmount * old_mnt)
52384 +{
52385 + struct acl_object_label *obj;
52386 + __u32 oldmode, newmode;
52387 + __u32 needmode;
52388 +
52389 + if (unlikely(!(gr_status & GR_READY)))
52390 + return (GR_CREATE | GR_LINK);
52391 +
52392 + obj = chk_obj_label(old_dentry, old_mnt, current->acl);
52393 + oldmode = obj->mode;
52394 +
52395 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
52396 + oldmode |= (GR_CREATE | GR_LINK);
52397 +
52398 + needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
52399 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
52400 + needmode |= GR_SETID | GR_AUDIT_SETID;
52401 +
52402 + newmode =
52403 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
52404 + oldmode | needmode);
52405 +
52406 + needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
52407 + GR_SETID | GR_READ | GR_FIND | GR_DELETE |
52408 + GR_INHERIT | GR_AUDIT_INHERIT);
52409 +
52410 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
52411 + goto bad;
52412 +
52413 + if ((oldmode & needmode) != needmode)
52414 + goto bad;
52415 +
52416 + needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
52417 + if ((newmode & needmode) != needmode)
52418 + goto bad;
52419 +
52420 + if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
52421 + return newmode;
52422 +bad:
52423 + needmode = oldmode;
52424 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
52425 + needmode |= GR_SETID;
52426 +
52427 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
52428 + gr_log_learn(old_dentry, old_mnt, needmode);
52429 + return (GR_CREATE | GR_LINK);
52430 + } else if (newmode & GR_SUPPRESS)
52431 + return GR_SUPPRESS;
52432 + else
52433 + return 0;
52434 +}
52435 +
52436 +__u32
52437 +gr_search_file(const struct dentry * dentry, const __u32 mode,
52438 + const struct vfsmount * mnt)
52439 +{
52440 + __u32 retval = mode;
52441 + struct acl_subject_label *curracl;
52442 + struct acl_object_label *currobj;
52443 +
52444 + if (unlikely(!(gr_status & GR_READY)))
52445 + return (mode & ~GR_AUDITS);
52446 +
52447 + curracl = current->acl;
52448 +
52449 + currobj = chk_obj_label(dentry, mnt, curracl);
52450 + retval = currobj->mode & mode;
52451 +
52452 + /* if we're opening a specified transfer file for writing
52453 + (e.g. /dev/initctl), then transfer our role to init
52454 + */
52455 + if (unlikely(currobj->mode & GR_INIT_TRANSFER && retval & GR_WRITE &&
52456 + current->role->roletype & GR_ROLE_PERSIST)) {
52457 + struct task_struct *task = init_pid_ns.child_reaper;
52458 +
52459 + if (task->role != current->role) {
52460 + task->acl_sp_role = 0;
52461 + task->acl_role_id = current->acl_role_id;
52462 + task->role = current->role;
52463 + rcu_read_lock();
52464 + read_lock(&grsec_exec_file_lock);
52465 + gr_apply_subject_to_task(task);
52466 + read_unlock(&grsec_exec_file_lock);
52467 + rcu_read_unlock();
52468 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_INIT_TRANSFER_MSG);
52469 + }
52470 + }
52471 +
52472 + if (unlikely
52473 + ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
52474 + && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
52475 + __u32 new_mode = mode;
52476 +
52477 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
52478 +
52479 + retval = new_mode;
52480 +
52481 + if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
52482 + new_mode |= GR_INHERIT;
52483 +
52484 + if (!(mode & GR_NOLEARN))
52485 + gr_log_learn(dentry, mnt, new_mode);
52486 + }
52487 +
52488 + return retval;
52489 +}
52490 +
52491 +__u32
52492 +gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
52493 + const struct vfsmount * mnt, const __u32 mode)
52494 +{
52495 + struct name_entry *match;
52496 + struct acl_object_label *matchpo;
52497 + struct acl_subject_label *curracl;
52498 + char *path;
52499 + __u32 retval;
52500 +
52501 + if (unlikely(!(gr_status & GR_READY)))
52502 + return (mode & ~GR_AUDITS);
52503 +
52504 + preempt_disable();
52505 + path = gr_to_filename_rbac(new_dentry, mnt);
52506 + match = lookup_name_entry_create(path);
52507 +
52508 + if (!match)
52509 + goto check_parent;
52510 +
52511 + curracl = current->acl;
52512 +
52513 + read_lock(&gr_inode_lock);
52514 + matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
52515 + read_unlock(&gr_inode_lock);
52516 +
52517 + if (matchpo) {
52518 + if ((matchpo->mode & mode) !=
52519 + (mode & ~(GR_AUDITS | GR_SUPPRESS))
52520 + && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
52521 + __u32 new_mode = mode;
52522 +
52523 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
52524 +
52525 + gr_log_learn(new_dentry, mnt, new_mode);
52526 +
52527 + preempt_enable();
52528 + return new_mode;
52529 + }
52530 + preempt_enable();
52531 + return (matchpo->mode & mode);
52532 + }
52533 +
52534 + check_parent:
52535 + curracl = current->acl;
52536 +
52537 + matchpo = chk_obj_create_label(parent, mnt, curracl, path);
52538 + retval = matchpo->mode & mode;
52539 +
52540 + if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
52541 + && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
52542 + __u32 new_mode = mode;
52543 +
52544 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
52545 +
52546 + gr_log_learn(new_dentry, mnt, new_mode);
52547 + preempt_enable();
52548 + return new_mode;
52549 + }
52550 +
52551 + preempt_enable();
52552 + return retval;
52553 +}
52554 +
52555 +int
52556 +gr_check_hidden_task(const struct task_struct *task)
52557 +{
52558 + if (unlikely(!(gr_status & GR_READY)))
52559 + return 0;
52560 +
52561 + if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
52562 + return 1;
52563 +
52564 + return 0;
52565 +}
52566 +
52567 +int
52568 +gr_check_protected_task(const struct task_struct *task)
52569 +{
52570 + if (unlikely(!(gr_status & GR_READY) || !task))
52571 + return 0;
52572 +
52573 + if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
52574 + task->acl != current->acl)
52575 + return 1;
52576 +
52577 + return 0;
52578 +}
52579 +
52580 +int
52581 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
52582 +{
52583 + struct task_struct *p;
52584 + int ret = 0;
52585 +
52586 + if (unlikely(!(gr_status & GR_READY) || !pid))
52587 + return ret;
52588 +
52589 + read_lock(&tasklist_lock);
52590 + do_each_pid_task(pid, type, p) {
52591 + if ((p->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
52592 + p->acl != current->acl) {
52593 + ret = 1;
52594 + goto out;
52595 + }
52596 + } while_each_pid_task(pid, type, p);
52597 +out:
52598 + read_unlock(&tasklist_lock);
52599 +
52600 + return ret;
52601 +}
52602 +
52603 +void
52604 +gr_copy_label(struct task_struct *tsk)
52605 +{
52606 + tsk->signal->used_accept = 0;
52607 + tsk->acl_sp_role = 0;
52608 + tsk->acl_role_id = current->acl_role_id;
52609 + tsk->acl = current->acl;
52610 + tsk->role = current->role;
52611 + tsk->signal->curr_ip = current->signal->curr_ip;
52612 + tsk->signal->saved_ip = current->signal->saved_ip;
52613 + if (current->exec_file)
52614 + get_file(current->exec_file);
52615 + tsk->exec_file = current->exec_file;
52616 + tsk->is_writable = current->is_writable;
52617 + if (unlikely(current->signal->used_accept)) {
52618 + current->signal->curr_ip = 0;
52619 + current->signal->saved_ip = 0;
52620 + }
52621 +
52622 + return;
52623 +}
52624 +
52625 +static void
52626 +gr_set_proc_res(struct task_struct *task)
52627 +{
52628 + struct acl_subject_label *proc;
52629 + unsigned short i;
52630 +
52631 + proc = task->acl;
52632 +
52633 + if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
52634 + return;
52635 +
52636 + for (i = 0; i < RLIM_NLIMITS; i++) {
52637 + if (!(proc->resmask & (1 << i)))
52638 + continue;
52639 +
52640 + task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
52641 + task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
52642 + }
52643 +
52644 + return;
52645 +}
52646 +
52647 +extern int __gr_process_user_ban(struct user_struct *user);
52648 +
52649 +int
52650 +gr_check_user_change(int real, int effective, int fs)
52651 +{
52652 + unsigned int i;
52653 + __u16 num;
52654 + uid_t *uidlist;
52655 + int curuid;
52656 + int realok = 0;
52657 + int effectiveok = 0;
52658 + int fsok = 0;
52659 +
52660 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
52661 + struct user_struct *user;
52662 +
52663 + if (real == -1)
52664 + goto skipit;
52665 +
52666 + user = find_user(real);
52667 + if (user == NULL)
52668 + goto skipit;
52669 +
52670 + if (__gr_process_user_ban(user)) {
52671 + /* for find_user */
52672 + free_uid(user);
52673 + return 1;
52674 + }
52675 +
52676 + /* for find_user */
52677 + free_uid(user);
52678 +
52679 +skipit:
52680 +#endif
52681 +
52682 + if (unlikely(!(gr_status & GR_READY)))
52683 + return 0;
52684 +
52685 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
52686 + gr_log_learn_id_change('u', real, effective, fs);
52687 +
52688 + num = current->acl->user_trans_num;
52689 + uidlist = current->acl->user_transitions;
52690 +
52691 + if (uidlist == NULL)
52692 + return 0;
52693 +
52694 + if (real == -1)
52695 + realok = 1;
52696 + if (effective == -1)
52697 + effectiveok = 1;
52698 + if (fs == -1)
52699 + fsok = 1;
52700 +
52701 + if (current->acl->user_trans_type & GR_ID_ALLOW) {
52702 + for (i = 0; i < num; i++) {
52703 + curuid = (int)uidlist[i];
52704 + if (real == curuid)
52705 + realok = 1;
52706 + if (effective == curuid)
52707 + effectiveok = 1;
52708 + if (fs == curuid)
52709 + fsok = 1;
52710 + }
52711 + } else if (current->acl->user_trans_type & GR_ID_DENY) {
52712 + for (i = 0; i < num; i++) {
52713 + curuid = (int)uidlist[i];
52714 + if (real == curuid)
52715 + break;
52716 + if (effective == curuid)
52717 + break;
52718 + if (fs == curuid)
52719 + break;
52720 + }
52721 + /* not in deny list */
52722 + if (i == num) {
52723 + realok = 1;
52724 + effectiveok = 1;
52725 + fsok = 1;
52726 + }
52727 + }
52728 +
52729 + if (realok && effectiveok && fsok)
52730 + return 0;
52731 + else {
52732 + gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
52733 + return 1;
52734 + }
52735 +}
52736 +
52737 +int
52738 +gr_check_group_change(int real, int effective, int fs)
52739 +{
52740 + unsigned int i;
52741 + __u16 num;
52742 + gid_t *gidlist;
52743 + int curgid;
52744 + int realok = 0;
52745 + int effectiveok = 0;
52746 + int fsok = 0;
52747 +
52748 + if (unlikely(!(gr_status & GR_READY)))
52749 + return 0;
52750 +
52751 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
52752 + gr_log_learn_id_change('g', real, effective, fs);
52753 +
52754 + num = current->acl->group_trans_num;
52755 + gidlist = current->acl->group_transitions;
52756 +
52757 + if (gidlist == NULL)
52758 + return 0;
52759 +
52760 + if (real == -1)
52761 + realok = 1;
52762 + if (effective == -1)
52763 + effectiveok = 1;
52764 + if (fs == -1)
52765 + fsok = 1;
52766 +
52767 + if (current->acl->group_trans_type & GR_ID_ALLOW) {
52768 + for (i = 0; i < num; i++) {
52769 + curgid = (int)gidlist[i];
52770 + if (real == curgid)
52771 + realok = 1;
52772 + if (effective == curgid)
52773 + effectiveok = 1;
52774 + if (fs == curgid)
52775 + fsok = 1;
52776 + }
52777 + } else if (current->acl->group_trans_type & GR_ID_DENY) {
52778 + for (i = 0; i < num; i++) {
52779 + curgid = (int)gidlist[i];
52780 + if (real == curgid)
52781 + break;
52782 + if (effective == curgid)
52783 + break;
52784 + if (fs == curgid)
52785 + break;
52786 + }
52787 + /* not in deny list */
52788 + if (i == num) {
52789 + realok = 1;
52790 + effectiveok = 1;
52791 + fsok = 1;
52792 + }
52793 + }
52794 +
52795 + if (realok && effectiveok && fsok)
52796 + return 0;
52797 + else {
52798 + gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
52799 + return 1;
52800 + }
52801 +}
52802 +
52803 +void
52804 +gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
52805 +{
52806 + struct acl_role_label *role = task->role;
52807 + struct acl_subject_label *subj = NULL;
52808 + struct acl_object_label *obj;
52809 + struct file *filp;
52810 +
52811 + if (unlikely(!(gr_status & GR_READY)))
52812 + return;
52813 +
52814 + filp = task->exec_file;
52815 +
52816 + /* kernel process, we'll give them the kernel role */
52817 + if (unlikely(!filp)) {
52818 + task->role = kernel_role;
52819 + task->acl = kernel_role->root_label;
52820 + return;
52821 + } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
52822 + role = lookup_acl_role_label(task, uid, gid);
52823 +
52824 + /* perform subject lookup in possibly new role
52825 + we can use this result below in the case where role == task->role
52826 + */
52827 + subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
52828 +
52829 + /* if we changed uid/gid, but result in the same role
52830 + and are using inheritance, don't lose the inherited subject
52831 + if current subject is other than what normal lookup
52832 + would result in, we arrived via inheritance, don't
52833 + lose subject
52834 + */
52835 + if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
52836 + (subj == task->acl)))
52837 + task->acl = subj;
52838 +
52839 + task->role = role;
52840 +
52841 + task->is_writable = 0;
52842 +
52843 + /* ignore additional mmap checks for processes that are writable
52844 + by the default ACL */
52845 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
52846 + if (unlikely(obj->mode & GR_WRITE))
52847 + task->is_writable = 1;
52848 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
52849 + if (unlikely(obj->mode & GR_WRITE))
52850 + task->is_writable = 1;
52851 +
52852 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
52853 + printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
52854 +#endif
52855 +
52856 + gr_set_proc_res(task);
52857 +
52858 + return;
52859 +}
52860 +
52861 +int
52862 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
52863 + const int unsafe_share)
52864 +{
52865 + struct task_struct *task = current;
52866 + struct acl_subject_label *newacl;
52867 + struct acl_object_label *obj;
52868 + __u32 retmode;
52869 +
52870 + if (unlikely(!(gr_status & GR_READY)))
52871 + return 0;
52872 +
52873 + newacl = chk_subj_label(dentry, mnt, task->role);
52874 +
52875 + task_lock(task);
52876 + if ((((task->ptrace & PT_PTRACED) || unsafe_share) &&
52877 + !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
52878 + !(task->role->roletype & GR_ROLE_GOD) &&
52879 + !gr_search_file(dentry, GR_PTRACERD, mnt) &&
52880 + !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))) {
52881 + task_unlock(task);
52882 + if (unsafe_share)
52883 + gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
52884 + else
52885 + gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
52886 + return -EACCES;
52887 + }
52888 + task_unlock(task);
52889 +
52890 + obj = chk_obj_label(dentry, mnt, task->acl);
52891 + retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
52892 +
52893 + if (!(task->acl->mode & GR_INHERITLEARN) &&
52894 + ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
52895 + if (obj->nested)
52896 + task->acl = obj->nested;
52897 + else
52898 + task->acl = newacl;
52899 + } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
52900 + gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
52901 +
52902 + task->is_writable = 0;
52903 +
52904 + /* ignore additional mmap checks for processes that are writable
52905 + by the default ACL */
52906 + obj = chk_obj_label(dentry, mnt, default_role->root_label);
52907 + if (unlikely(obj->mode & GR_WRITE))
52908 + task->is_writable = 1;
52909 + obj = chk_obj_label(dentry, mnt, task->role->root_label);
52910 + if (unlikely(obj->mode & GR_WRITE))
52911 + task->is_writable = 1;
52912 +
52913 + gr_set_proc_res(task);
52914 +
52915 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
52916 + printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
52917 +#endif
52918 + return 0;
52919 +}
52920 +
52921 +/* always called with valid inodev ptr */
52922 +static void
52923 +do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
52924 +{
52925 + struct acl_object_label *matchpo;
52926 + struct acl_subject_label *matchps;
52927 + struct acl_subject_label *subj;
52928 + struct acl_role_label *role;
52929 + unsigned int x;
52930 +
52931 + FOR_EACH_ROLE_START(role)
52932 + FOR_EACH_SUBJECT_START(role, subj, x)
52933 + if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
52934 + matchpo->mode |= GR_DELETED;
52935 + FOR_EACH_SUBJECT_END(subj,x)
52936 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
52937 + if (subj->inode == ino && subj->device == dev)
52938 + subj->mode |= GR_DELETED;
52939 + FOR_EACH_NESTED_SUBJECT_END(subj)
52940 + if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
52941 + matchps->mode |= GR_DELETED;
52942 + FOR_EACH_ROLE_END(role)
52943 +
52944 + inodev->nentry->deleted = 1;
52945 +
52946 + return;
52947 +}
52948 +
52949 +void
52950 +gr_handle_delete(const ino_t ino, const dev_t dev)
52951 +{
52952 + struct inodev_entry *inodev;
52953 +
52954 + if (unlikely(!(gr_status & GR_READY)))
52955 + return;
52956 +
52957 + write_lock(&gr_inode_lock);
52958 + inodev = lookup_inodev_entry(ino, dev);
52959 + if (inodev != NULL)
52960 + do_handle_delete(inodev, ino, dev);
52961 + write_unlock(&gr_inode_lock);
52962 +
52963 + return;
52964 +}
52965 +
52966 +static void
52967 +update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
52968 + const ino_t newinode, const dev_t newdevice,
52969 + struct acl_subject_label *subj)
52970 +{
52971 + unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
52972 + struct acl_object_label *match;
52973 +
52974 + match = subj->obj_hash[index];
52975 +
52976 + while (match && (match->inode != oldinode ||
52977 + match->device != olddevice ||
52978 + !(match->mode & GR_DELETED)))
52979 + match = match->next;
52980 +
52981 + if (match && (match->inode == oldinode)
52982 + && (match->device == olddevice)
52983 + && (match->mode & GR_DELETED)) {
52984 + if (match->prev == NULL) {
52985 + subj->obj_hash[index] = match->next;
52986 + if (match->next != NULL)
52987 + match->next->prev = NULL;
52988 + } else {
52989 + match->prev->next = match->next;
52990 + if (match->next != NULL)
52991 + match->next->prev = match->prev;
52992 + }
52993 + match->prev = NULL;
52994 + match->next = NULL;
52995 + match->inode = newinode;
52996 + match->device = newdevice;
52997 + match->mode &= ~GR_DELETED;
52998 +
52999 + insert_acl_obj_label(match, subj);
53000 + }
53001 +
53002 + return;
53003 +}
53004 +
53005 +static void
53006 +update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
53007 + const ino_t newinode, const dev_t newdevice,
53008 + struct acl_role_label *role)
53009 +{
53010 + unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
53011 + struct acl_subject_label *match;
53012 +
53013 + match = role->subj_hash[index];
53014 +
53015 + while (match && (match->inode != oldinode ||
53016 + match->device != olddevice ||
53017 + !(match->mode & GR_DELETED)))
53018 + match = match->next;
53019 +
53020 + if (match && (match->inode == oldinode)
53021 + && (match->device == olddevice)
53022 + && (match->mode & GR_DELETED)) {
53023 + if (match->prev == NULL) {
53024 + role->subj_hash[index] = match->next;
53025 + if (match->next != NULL)
53026 + match->next->prev = NULL;
53027 + } else {
53028 + match->prev->next = match->next;
53029 + if (match->next != NULL)
53030 + match->next->prev = match->prev;
53031 + }
53032 + match->prev = NULL;
53033 + match->next = NULL;
53034 + match->inode = newinode;
53035 + match->device = newdevice;
53036 + match->mode &= ~GR_DELETED;
53037 +
53038 + insert_acl_subj_label(match, role);
53039 + }
53040 +
53041 + return;
53042 +}
53043 +
53044 +static void
53045 +update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
53046 + const ino_t newinode, const dev_t newdevice)
53047 +{
53048 + unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
53049 + struct inodev_entry *match;
53050 +
53051 + match = inodev_set.i_hash[index];
53052 +
53053 + while (match && (match->nentry->inode != oldinode ||
53054 + match->nentry->device != olddevice || !match->nentry->deleted))
53055 + match = match->next;
53056 +
53057 + if (match && (match->nentry->inode == oldinode)
53058 + && (match->nentry->device == olddevice) &&
53059 + match->nentry->deleted) {
53060 + if (match->prev == NULL) {
53061 + inodev_set.i_hash[index] = match->next;
53062 + if (match->next != NULL)
53063 + match->next->prev = NULL;
53064 + } else {
53065 + match->prev->next = match->next;
53066 + if (match->next != NULL)
53067 + match->next->prev = match->prev;
53068 + }
53069 + match->prev = NULL;
53070 + match->next = NULL;
53071 + match->nentry->inode = newinode;
53072 + match->nentry->device = newdevice;
53073 + match->nentry->deleted = 0;
53074 +
53075 + insert_inodev_entry(match);
53076 + }
53077 +
53078 + return;
53079 +}
53080 +
53081 +static void
53082 +do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
53083 + const struct vfsmount *mnt)
53084 +{
53085 + struct acl_subject_label *subj;
53086 + struct acl_role_label *role;
53087 + unsigned int x;
53088 + ino_t inode = dentry->d_inode->i_ino;
53089 + dev_t dev = __get_dev(dentry);
53090 +
53091 + FOR_EACH_ROLE_START(role)
53092 + update_acl_subj_label(matchn->inode, matchn->device,
53093 + inode, dev, role);
53094 +
53095 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
53096 + if ((subj->inode == inode) && (subj->device == dev)) {
53097 + subj->inode = inode;
53098 + subj->device = dev;
53099 + }
53100 + FOR_EACH_NESTED_SUBJECT_END(subj)
53101 + FOR_EACH_SUBJECT_START(role, subj, x)
53102 + update_acl_obj_label(matchn->inode, matchn->device,
53103 + inode, dev, subj);
53104 + FOR_EACH_SUBJECT_END(subj,x)
53105 + FOR_EACH_ROLE_END(role)
53106 +
53107 + update_inodev_entry(matchn->inode, matchn->device, inode, dev);
53108 +
53109 + return;
53110 +}
53111 +
53112 +void
53113 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
53114 +{
53115 + struct name_entry *matchn;
53116 +
53117 + if (unlikely(!(gr_status & GR_READY)))
53118 + return;
53119 +
53120 + preempt_disable();
53121 + matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
53122 +
53123 + if (unlikely((unsigned long)matchn)) {
53124 + write_lock(&gr_inode_lock);
53125 + do_handle_create(matchn, dentry, mnt);
53126 + write_unlock(&gr_inode_lock);
53127 + }
53128 + preempt_enable();
53129 +
53130 + return;
53131 +}
53132 +
53133 +void
53134 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
53135 + struct dentry *old_dentry,
53136 + struct dentry *new_dentry,
53137 + struct vfsmount *mnt, const __u8 replace)
53138 +{
53139 + struct name_entry *matchn;
53140 + struct inodev_entry *inodev;
53141 + ino_t oldinode = old_dentry->d_inode->i_ino;
53142 + dev_t olddev = __get_dev(old_dentry);
53143 +
53144 + /* vfs_rename swaps the name and parent link for old_dentry and
53145 + new_dentry
53146 + at this point, old_dentry has the new name, parent link, and inode
53147 + for the renamed file
53148 + if a file is being replaced by a rename, new_dentry has the inode
53149 + and name for the replaced file
53150 + */
53151 +
53152 + if (unlikely(!(gr_status & GR_READY)))
53153 + return;
53154 +
53155 + preempt_disable();
53156 + matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
53157 +
53158 + /* we wouldn't have to check d_inode if it weren't for
53159 + NFS silly-renaming
53160 + */
53161 +
53162 + write_lock(&gr_inode_lock);
53163 + if (unlikely(replace && new_dentry->d_inode)) {
53164 + ino_t newinode = new_dentry->d_inode->i_ino;
53165 + dev_t newdev = __get_dev(new_dentry);
53166 + inodev = lookup_inodev_entry(newinode, newdev);
53167 + if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
53168 + do_handle_delete(inodev, newinode, newdev);
53169 + }
53170 +
53171 + inodev = lookup_inodev_entry(oldinode, olddev);
53172 + if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
53173 + do_handle_delete(inodev, oldinode, olddev);
53174 +
53175 + if (unlikely((unsigned long)matchn))
53176 + do_handle_create(matchn, old_dentry, mnt);
53177 +
53178 + write_unlock(&gr_inode_lock);
53179 + preempt_enable();
53180 +
53181 + return;
53182 +}
53183 +
53184 +static int
53185 +lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
53186 + unsigned char **sum)
53187 +{
53188 + struct acl_role_label *r;
53189 + struct role_allowed_ip *ipp;
53190 + struct role_transition *trans;
53191 + unsigned int i;
53192 + int found = 0;
53193 + u32 curr_ip = current->signal->curr_ip;
53194 +
53195 + current->signal->saved_ip = curr_ip;
53196 +
53197 + /* check transition table */
53198 +
53199 + for (trans = current->role->transitions; trans; trans = trans->next) {
53200 + if (!strcmp(rolename, trans->rolename)) {
53201 + found = 1;
53202 + break;
53203 + }
53204 + }
53205 +
53206 + if (!found)
53207 + return 0;
53208 +
53209 + /* handle special roles that do not require authentication
53210 + and check ip */
53211 +
53212 + FOR_EACH_ROLE_START(r)
53213 + if (!strcmp(rolename, r->rolename) &&
53214 + (r->roletype & GR_ROLE_SPECIAL)) {
53215 + found = 0;
53216 + if (r->allowed_ips != NULL) {
53217 + for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
53218 + if ((ntohl(curr_ip) & ipp->netmask) ==
53219 + (ntohl(ipp->addr) & ipp->netmask))
53220 + found = 1;
53221 + }
53222 + } else
53223 + found = 2;
53224 + if (!found)
53225 + return 0;
53226 +
53227 + if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
53228 + ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
53229 + *salt = NULL;
53230 + *sum = NULL;
53231 + return 1;
53232 + }
53233 + }
53234 + FOR_EACH_ROLE_END(r)
53235 +
53236 + for (i = 0; i < num_sprole_pws; i++) {
53237 + if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
53238 + *salt = acl_special_roles[i]->salt;
53239 + *sum = acl_special_roles[i]->sum;
53240 + return 1;
53241 + }
53242 + }
53243 +
53244 + return 0;
53245 +}
53246 +
53247 +static void
53248 +assign_special_role(char *rolename)
53249 +{
53250 + struct acl_object_label *obj;
53251 + struct acl_role_label *r;
53252 + struct acl_role_label *assigned = NULL;
53253 + struct task_struct *tsk;
53254 + struct file *filp;
53255 +
53256 + FOR_EACH_ROLE_START(r)
53257 + if (!strcmp(rolename, r->rolename) &&
53258 + (r->roletype & GR_ROLE_SPECIAL)) {
53259 + assigned = r;
53260 + break;
53261 + }
53262 + FOR_EACH_ROLE_END(r)
53263 +
53264 + if (!assigned)
53265 + return;
53266 +
53267 + read_lock(&tasklist_lock);
53268 + read_lock(&grsec_exec_file_lock);
53269 +
53270 + tsk = current->real_parent;
53271 + if (tsk == NULL)
53272 + goto out_unlock;
53273 +
53274 + filp = tsk->exec_file;
53275 + if (filp == NULL)
53276 + goto out_unlock;
53277 +
53278 + tsk->is_writable = 0;
53279 +
53280 + tsk->acl_sp_role = 1;
53281 + tsk->acl_role_id = ++acl_sp_role_value;
53282 + tsk->role = assigned;
53283 + tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
53284 +
53285 + /* ignore additional mmap checks for processes that are writable
53286 + by the default ACL */
53287 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
53288 + if (unlikely(obj->mode & GR_WRITE))
53289 + tsk->is_writable = 1;
53290 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
53291 + if (unlikely(obj->mode & GR_WRITE))
53292 + tsk->is_writable = 1;
53293 +
53294 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
53295 + printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
53296 +#endif
53297 +
53298 +out_unlock:
53299 + read_unlock(&grsec_exec_file_lock);
53300 + read_unlock(&tasklist_lock);
53301 + return;
53302 +}
53303 +
53304 +int gr_check_secure_terminal(struct task_struct *task)
53305 +{
53306 + struct task_struct *p, *p2, *p3;
53307 + struct files_struct *files;
53308 + struct fdtable *fdt;
53309 + struct file *our_file = NULL, *file;
53310 + int i;
53311 +
53312 + if (task->signal->tty == NULL)
53313 + return 1;
53314 +
53315 + files = get_files_struct(task);
53316 + if (files != NULL) {
53317 + rcu_read_lock();
53318 + fdt = files_fdtable(files);
53319 + for (i=0; i < fdt->max_fds; i++) {
53320 + file = fcheck_files(files, i);
53321 + if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
53322 + get_file(file);
53323 + our_file = file;
53324 + }
53325 + }
53326 + rcu_read_unlock();
53327 + put_files_struct(files);
53328 + }
53329 +
53330 + if (our_file == NULL)
53331 + return 1;
53332 +
53333 + read_lock(&tasklist_lock);
53334 + do_each_thread(p2, p) {
53335 + files = get_files_struct(p);
53336 + if (files == NULL ||
53337 + (p->signal && p->signal->tty == task->signal->tty)) {
53338 + if (files != NULL)
53339 + put_files_struct(files);
53340 + continue;
53341 + }
53342 + rcu_read_lock();
53343 + fdt = files_fdtable(files);
53344 + for (i=0; i < fdt->max_fds; i++) {
53345 + file = fcheck_files(files, i);
53346 + if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
53347 + file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
53348 + p3 = task;
53349 + while (p3->pid > 0) {
53350 + if (p3 == p)
53351 + break;
53352 + p3 = p3->real_parent;
53353 + }
53354 + if (p3 == p)
53355 + break;
53356 + gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
53357 + gr_handle_alertkill(p);
53358 + rcu_read_unlock();
53359 + put_files_struct(files);
53360 + read_unlock(&tasklist_lock);
53361 + fput(our_file);
53362 + return 0;
53363 + }
53364 + }
53365 + rcu_read_unlock();
53366 + put_files_struct(files);
53367 + } while_each_thread(p2, p);
53368 + read_unlock(&tasklist_lock);
53369 +
53370 + fput(our_file);
53371 + return 1;
53372 +}
53373 +
53374 +ssize_t
53375 +write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
53376 +{
53377 + struct gr_arg_wrapper uwrap;
53378 + unsigned char *sprole_salt = NULL;
53379 + unsigned char *sprole_sum = NULL;
53380 + int error = sizeof (struct gr_arg_wrapper);
53381 + int error2 = 0;
53382 +
53383 + mutex_lock(&gr_dev_mutex);
53384 +
53385 + if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
53386 + error = -EPERM;
53387 + goto out;
53388 + }
53389 +
53390 + if (count != sizeof (struct gr_arg_wrapper)) {
53391 + gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
53392 + error = -EINVAL;
53393 + goto out;
53394 + }
53395 +
53396 +
53397 + if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
53398 + gr_auth_expires = 0;
53399 + gr_auth_attempts = 0;
53400 + }
53401 +
53402 + if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
53403 + error = -EFAULT;
53404 + goto out;
53405 + }
53406 +
53407 + if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
53408 + error = -EINVAL;
53409 + goto out;
53410 + }
53411 +
53412 + if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
53413 + error = -EFAULT;
53414 + goto out;
53415 + }
53416 +
53417 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
53418 + gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
53419 + time_after(gr_auth_expires, get_seconds())) {
53420 + error = -EBUSY;
53421 + goto out;
53422 + }
53423 +
53424 + /* if non-root trying to do anything other than use a special role,
53425 + do not attempt authentication, do not count towards authentication
53426 + locking
53427 + */
53428 +
53429 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
53430 + gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
53431 + current_uid()) {
53432 + error = -EPERM;
53433 + goto out;
53434 + }
53435 +
53436 + /* ensure pw and special role name are null terminated */
53437 +
53438 + gr_usermode->pw[GR_PW_LEN - 1] = '\0';
53439 + gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
53440 +
53441 + /* Okay.
53442 + * We have our enough of the argument structure..(we have yet
53443 + * to copy_from_user the tables themselves) . Copy the tables
53444 + * only if we need them, i.e. for loading operations. */
53445 +
53446 + switch (gr_usermode->mode) {
53447 + case GR_STATUS:
53448 + if (gr_status & GR_READY) {
53449 + error = 1;
53450 + if (!gr_check_secure_terminal(current))
53451 + error = 3;
53452 + } else
53453 + error = 2;
53454 + goto out;
53455 + case GR_SHUTDOWN:
53456 + if ((gr_status & GR_READY)
53457 + && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
53458 + pax_open_kernel();
53459 + gr_status &= ~GR_READY;
53460 + pax_close_kernel();
53461 +
53462 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
53463 + free_variables();
53464 + memset(gr_usermode, 0, sizeof (struct gr_arg));
53465 + memset(gr_system_salt, 0, GR_SALT_LEN);
53466 + memset(gr_system_sum, 0, GR_SHA_LEN);
53467 + } else if (gr_status & GR_READY) {
53468 + gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
53469 + error = -EPERM;
53470 + } else {
53471 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
53472 + error = -EAGAIN;
53473 + }
53474 + break;
53475 + case GR_ENABLE:
53476 + if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
53477 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
53478 + else {
53479 + if (gr_status & GR_READY)
53480 + error = -EAGAIN;
53481 + else
53482 + error = error2;
53483 + gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
53484 + }
53485 + break;
53486 + case GR_RELOAD:
53487 + if (!(gr_status & GR_READY)) {
53488 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
53489 + error = -EAGAIN;
53490 + } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
53491 + lock_kernel();
53492 +
53493 + pax_open_kernel();
53494 + gr_status &= ~GR_READY;
53495 + pax_close_kernel();
53496 +
53497 + free_variables();
53498 + if (!(error2 = gracl_init(gr_usermode))) {
53499 + unlock_kernel();
53500 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
53501 + } else {
53502 + unlock_kernel();
53503 + error = error2;
53504 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
53505 + }
53506 + } else {
53507 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
53508 + error = -EPERM;
53509 + }
53510 + break;
53511 + case GR_SEGVMOD:
53512 + if (unlikely(!(gr_status & GR_READY))) {
53513 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
53514 + error = -EAGAIN;
53515 + break;
53516 + }
53517 +
53518 + if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
53519 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
53520 + if (gr_usermode->segv_device && gr_usermode->segv_inode) {
53521 + struct acl_subject_label *segvacl;
53522 + segvacl =
53523 + lookup_acl_subj_label(gr_usermode->segv_inode,
53524 + gr_usermode->segv_device,
53525 + current->role);
53526 + if (segvacl) {
53527 + segvacl->crashes = 0;
53528 + segvacl->expires = 0;
53529 + }
53530 + } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
53531 + gr_remove_uid(gr_usermode->segv_uid);
53532 + }
53533 + } else {
53534 + gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
53535 + error = -EPERM;
53536 + }
53537 + break;
53538 + case GR_SPROLE:
53539 + case GR_SPROLEPAM:
53540 + if (unlikely(!(gr_status & GR_READY))) {
53541 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
53542 + error = -EAGAIN;
53543 + break;
53544 + }
53545 +
53546 + if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
53547 + current->role->expires = 0;
53548 + current->role->auth_attempts = 0;
53549 + }
53550 +
53551 + if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
53552 + time_after(current->role->expires, get_seconds())) {
53553 + error = -EBUSY;
53554 + goto out;
53555 + }
53556 +
53557 + if (lookup_special_role_auth
53558 + (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
53559 + && ((!sprole_salt && !sprole_sum)
53560 + || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
53561 + char *p = "";
53562 + assign_special_role(gr_usermode->sp_role);
53563 + read_lock(&tasklist_lock);
53564 + if (current->real_parent)
53565 + p = current->real_parent->role->rolename;
53566 + read_unlock(&tasklist_lock);
53567 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
53568 + p, acl_sp_role_value);
53569 + } else {
53570 + gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
53571 + error = -EPERM;
53572 + if(!(current->role->auth_attempts++))
53573 + current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
53574 +
53575 + goto out;
53576 + }
53577 + break;
53578 + case GR_UNSPROLE:
53579 + if (unlikely(!(gr_status & GR_READY))) {
53580 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
53581 + error = -EAGAIN;
53582 + break;
53583 + }
53584 +
53585 + if (current->role->roletype & GR_ROLE_SPECIAL) {
53586 + char *p = "";
53587 + int i = 0;
53588 +
53589 + read_lock(&tasklist_lock);
53590 + if (current->real_parent) {
53591 + p = current->real_parent->role->rolename;
53592 + i = current->real_parent->acl_role_id;
53593 + }
53594 + read_unlock(&tasklist_lock);
53595 +
53596 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
53597 + gr_set_acls(1);
53598 + } else {
53599 + error = -EPERM;
53600 + goto out;
53601 + }
53602 + break;
53603 + default:
53604 + gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
53605 + error = -EINVAL;
53606 + break;
53607 + }
53608 +
53609 + if (error != -EPERM)
53610 + goto out;
53611 +
53612 + if(!(gr_auth_attempts++))
53613 + gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
53614 +
53615 + out:
53616 + mutex_unlock(&gr_dev_mutex);
53617 + return error;
53618 +}
53619 +
53620 +/* must be called with
53621 + rcu_read_lock();
53622 + read_lock(&tasklist_lock);
53623 + read_lock(&grsec_exec_file_lock);
53624 +*/
53625 +int gr_apply_subject_to_task(struct task_struct *task)
53626 +{
53627 + struct acl_object_label *obj;
53628 + char *tmpname;
53629 + struct acl_subject_label *tmpsubj;
53630 + struct file *filp;
53631 + struct name_entry *nmatch;
53632 +
53633 + filp = task->exec_file;
53634 + if (filp == NULL)
53635 + return 0;
53636 +
53637 + /* the following is to apply the correct subject
53638 + on binaries running when the RBAC system
53639 + is enabled, when the binaries have been
53640 + replaced or deleted since their execution
53641 + -----
53642 + when the RBAC system starts, the inode/dev
53643 + from exec_file will be one the RBAC system
53644 + is unaware of. It only knows the inode/dev
53645 + of the present file on disk, or the absence
53646 + of it.
53647 + */
53648 + preempt_disable();
53649 + tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
53650 +
53651 + nmatch = lookup_name_entry(tmpname);
53652 + preempt_enable();
53653 + tmpsubj = NULL;
53654 + if (nmatch) {
53655 + if (nmatch->deleted)
53656 + tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
53657 + else
53658 + tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
53659 + if (tmpsubj != NULL)
53660 + task->acl = tmpsubj;
53661 + }
53662 + if (tmpsubj == NULL)
53663 + task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
53664 + task->role);
53665 + if (task->acl) {
53666 + task->is_writable = 0;
53667 + /* ignore additional mmap checks for processes that are writable
53668 + by the default ACL */
53669 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
53670 + if (unlikely(obj->mode & GR_WRITE))
53671 + task->is_writable = 1;
53672 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
53673 + if (unlikely(obj->mode & GR_WRITE))
53674 + task->is_writable = 1;
53675 +
53676 + gr_set_proc_res(task);
53677 +
53678 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
53679 + printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
53680 +#endif
53681 + } else {
53682 + return 1;
53683 + }
53684 +
53685 + return 0;
53686 +}
53687 +
53688 +int
53689 +gr_set_acls(const int type)
53690 +{
53691 + struct task_struct *task, *task2;
53692 + struct acl_role_label *role = current->role;
53693 + __u16 acl_role_id = current->acl_role_id;
53694 + const struct cred *cred;
53695 + int ret;
53696 +
53697 + rcu_read_lock();
53698 + read_lock(&tasklist_lock);
53699 + read_lock(&grsec_exec_file_lock);
53700 + do_each_thread(task2, task) {
53701 + /* check to see if we're called from the exit handler,
53702 + if so, only replace ACLs that have inherited the admin
53703 + ACL */
53704 +
53705 + if (type && (task->role != role ||
53706 + task->acl_role_id != acl_role_id))
53707 + continue;
53708 +
53709 + task->acl_role_id = 0;
53710 + task->acl_sp_role = 0;
53711 +
53712 + if (task->exec_file) {
53713 + cred = __task_cred(task);
53714 + task->role = lookup_acl_role_label(task, cred->uid, cred->gid);
53715 +
53716 + ret = gr_apply_subject_to_task(task);
53717 + if (ret) {
53718 + read_unlock(&grsec_exec_file_lock);
53719 + read_unlock(&tasklist_lock);
53720 + rcu_read_unlock();
53721 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
53722 + return ret;
53723 + }
53724 + } else {
53725 + // it's a kernel process
53726 + task->role = kernel_role;
53727 + task->acl = kernel_role->root_label;
53728 +#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
53729 + task->acl->mode &= ~GR_PROCFIND;
53730 +#endif
53731 + }
53732 + } while_each_thread(task2, task);
53733 + read_unlock(&grsec_exec_file_lock);
53734 + read_unlock(&tasklist_lock);
53735 + rcu_read_unlock();
53736 +
53737 + return 0;
53738 +}
53739 +
53740 +void
53741 +gr_learn_resource(const struct task_struct *task,
53742 + const int res, const unsigned long wanted, const int gt)
53743 +{
53744 + struct acl_subject_label *acl;
53745 + const struct cred *cred;
53746 +
53747 + if (unlikely((gr_status & GR_READY) &&
53748 + task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
53749 + goto skip_reslog;
53750 +
53751 +#ifdef CONFIG_GRKERNSEC_RESLOG
53752 + gr_log_resource(task, res, wanted, gt);
53753 +#endif
53754 + skip_reslog:
53755 +
53756 + if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
53757 + return;
53758 +
53759 + acl = task->acl;
53760 +
53761 + if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
53762 + !(acl->resmask & (1 << (unsigned short) res))))
53763 + return;
53764 +
53765 + if (wanted >= acl->res[res].rlim_cur) {
53766 + unsigned long res_add;
53767 +
53768 + res_add = wanted;
53769 + switch (res) {
53770 + case RLIMIT_CPU:
53771 + res_add += GR_RLIM_CPU_BUMP;
53772 + break;
53773 + case RLIMIT_FSIZE:
53774 + res_add += GR_RLIM_FSIZE_BUMP;
53775 + break;
53776 + case RLIMIT_DATA:
53777 + res_add += GR_RLIM_DATA_BUMP;
53778 + break;
53779 + case RLIMIT_STACK:
53780 + res_add += GR_RLIM_STACK_BUMP;
53781 + break;
53782 + case RLIMIT_CORE:
53783 + res_add += GR_RLIM_CORE_BUMP;
53784 + break;
53785 + case RLIMIT_RSS:
53786 + res_add += GR_RLIM_RSS_BUMP;
53787 + break;
53788 + case RLIMIT_NPROC:
53789 + res_add += GR_RLIM_NPROC_BUMP;
53790 + break;
53791 + case RLIMIT_NOFILE:
53792 + res_add += GR_RLIM_NOFILE_BUMP;
53793 + break;
53794 + case RLIMIT_MEMLOCK:
53795 + res_add += GR_RLIM_MEMLOCK_BUMP;
53796 + break;
53797 + case RLIMIT_AS:
53798 + res_add += GR_RLIM_AS_BUMP;
53799 + break;
53800 + case RLIMIT_LOCKS:
53801 + res_add += GR_RLIM_LOCKS_BUMP;
53802 + break;
53803 + case RLIMIT_SIGPENDING:
53804 + res_add += GR_RLIM_SIGPENDING_BUMP;
53805 + break;
53806 + case RLIMIT_MSGQUEUE:
53807 + res_add += GR_RLIM_MSGQUEUE_BUMP;
53808 + break;
53809 + case RLIMIT_NICE:
53810 + res_add += GR_RLIM_NICE_BUMP;
53811 + break;
53812 + case RLIMIT_RTPRIO:
53813 + res_add += GR_RLIM_RTPRIO_BUMP;
53814 + break;
53815 + case RLIMIT_RTTIME:
53816 + res_add += GR_RLIM_RTTIME_BUMP;
53817 + break;
53818 + }
53819 +
53820 + acl->res[res].rlim_cur = res_add;
53821 +
53822 + if (wanted > acl->res[res].rlim_max)
53823 + acl->res[res].rlim_max = res_add;
53824 +
53825 + /* only log the subject filename, since resource logging is supported for
53826 + single-subject learning only */
53827 + rcu_read_lock();
53828 + cred = __task_cred(task);
53829 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
53830 + task->role->roletype, cred->uid, cred->gid, acl->filename,
53831 + acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
53832 + "", (unsigned long) res, &task->signal->saved_ip);
53833 + rcu_read_unlock();
53834 + }
53835 +
53836 + return;
53837 +}
53838 +
53839 +#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
53840 +void
53841 +pax_set_initial_flags(struct linux_binprm *bprm)
53842 +{
53843 + struct task_struct *task = current;
53844 + struct acl_subject_label *proc;
53845 + unsigned long flags;
53846 +
53847 + if (unlikely(!(gr_status & GR_READY)))
53848 + return;
53849 +
53850 + flags = pax_get_flags(task);
53851 +
53852 + proc = task->acl;
53853 +
53854 + if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
53855 + flags &= ~MF_PAX_PAGEEXEC;
53856 + if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
53857 + flags &= ~MF_PAX_SEGMEXEC;
53858 + if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
53859 + flags &= ~MF_PAX_RANDMMAP;
53860 + if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
53861 + flags &= ~MF_PAX_EMUTRAMP;
53862 + if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
53863 + flags &= ~MF_PAX_MPROTECT;
53864 +
53865 + if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
53866 + flags |= MF_PAX_PAGEEXEC;
53867 + if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
53868 + flags |= MF_PAX_SEGMEXEC;
53869 + if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
53870 + flags |= MF_PAX_RANDMMAP;
53871 + if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
53872 + flags |= MF_PAX_EMUTRAMP;
53873 + if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
53874 + flags |= MF_PAX_MPROTECT;
53875 +
53876 + pax_set_flags(task, flags);
53877 +
53878 + return;
53879 +}
53880 +#endif
53881 +
53882 +#ifdef CONFIG_SYSCTL
53883 +/* Eric Biederman likes breaking userland ABI and every inode-based security
53884 + system to save 35kb of memory */
53885 +
53886 +/* we modify the passed in filename, but adjust it back before returning */
53887 +static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
53888 +{
53889 + struct name_entry *nmatch;
53890 + char *p, *lastp = NULL;
53891 + struct acl_object_label *obj = NULL, *tmp;
53892 + struct acl_subject_label *tmpsubj;
53893 + char c = '\0';
53894 +
53895 + read_lock(&gr_inode_lock);
53896 +
53897 + p = name + len - 1;
53898 + do {
53899 + nmatch = lookup_name_entry(name);
53900 + if (lastp != NULL)
53901 + *lastp = c;
53902 +
53903 + if (nmatch == NULL)
53904 + goto next_component;
53905 + tmpsubj = current->acl;
53906 + do {
53907 + obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
53908 + if (obj != NULL) {
53909 + tmp = obj->globbed;
53910 + while (tmp) {
53911 + if (!glob_match(tmp->filename, name)) {
53912 + obj = tmp;
53913 + goto found_obj;
53914 + }
53915 + tmp = tmp->next;
53916 + }
53917 + goto found_obj;
53918 + }
53919 + } while ((tmpsubj = tmpsubj->parent_subject));
53920 +next_component:
53921 + /* end case */
53922 + if (p == name)
53923 + break;
53924 +
53925 + while (*p != '/')
53926 + p--;
53927 + if (p == name)
53928 + lastp = p + 1;
53929 + else {
53930 + lastp = p;
53931 + p--;
53932 + }
53933 + c = *lastp;
53934 + *lastp = '\0';
53935 + } while (1);
53936 +found_obj:
53937 + read_unlock(&gr_inode_lock);
53938 + /* obj returned will always be non-null */
53939 + return obj;
53940 +}
53941 +
53942 +/* returns 0 when allowing, non-zero on error
53943 + op of 0 is used for readdir, so we don't log the names of hidden files
53944 +*/
53945 +__u32
53946 +gr_handle_sysctl(const struct ctl_table *table, const int op)
53947 +{
53948 + ctl_table *tmp;
53949 + const char *proc_sys = "/proc/sys";
53950 + char *path;
53951 + struct acl_object_label *obj;
53952 + unsigned short len = 0, pos = 0, depth = 0, i;
53953 + __u32 err = 0;
53954 + __u32 mode = 0;
53955 +
53956 + if (unlikely(!(gr_status & GR_READY)))
53957 + return 0;
53958 +
53959 + /* for now, ignore operations on non-sysctl entries if it's not a
53960 + readdir*/
53961 + if (table->child != NULL && op != 0)
53962 + return 0;
53963 +
53964 + mode |= GR_FIND;
53965 + /* it's only a read if it's an entry, read on dirs is for readdir */
53966 + if (op & MAY_READ)
53967 + mode |= GR_READ;
53968 + if (op & MAY_WRITE)
53969 + mode |= GR_WRITE;
53970 +
53971 + preempt_disable();
53972 +
53973 + path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
53974 +
53975 + /* it's only a read/write if it's an actual entry, not a dir
53976 + (which are opened for readdir)
53977 + */
53978 +
53979 + /* convert the requested sysctl entry into a pathname */
53980 +
53981 + for (tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
53982 + len += strlen(tmp->procname);
53983 + len++;
53984 + depth++;
53985 + }
53986 +
53987 + if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
53988 + /* deny */
53989 + goto out;
53990 + }
53991 +
53992 + memset(path, 0, PAGE_SIZE);
53993 +
53994 + memcpy(path, proc_sys, strlen(proc_sys));
53995 +
53996 + pos += strlen(proc_sys);
53997 +
53998 + for (; depth > 0; depth--) {
53999 + path[pos] = '/';
54000 + pos++;
54001 + for (i = 1, tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
54002 + if (depth == i) {
54003 + memcpy(path + pos, tmp->procname,
54004 + strlen(tmp->procname));
54005 + pos += strlen(tmp->procname);
54006 + }
54007 + i++;
54008 + }
54009 + }
54010 +
54011 + obj = gr_lookup_by_name(path, pos);
54012 + err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
54013 +
54014 + if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
54015 + ((err & mode) != mode))) {
54016 + __u32 new_mode = mode;
54017 +
54018 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
54019 +
54020 + err = 0;
54021 + gr_log_learn_sysctl(path, new_mode);
54022 + } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
54023 + gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
54024 + err = -ENOENT;
54025 + } else if (!(err & GR_FIND)) {
54026 + err = -ENOENT;
54027 + } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
54028 + gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
54029 + path, (mode & GR_READ) ? " reading" : "",
54030 + (mode & GR_WRITE) ? " writing" : "");
54031 + err = -EACCES;
54032 + } else if ((err & mode) != mode) {
54033 + err = -EACCES;
54034 + } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
54035 + gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
54036 + path, (mode & GR_READ) ? " reading" : "",
54037 + (mode & GR_WRITE) ? " writing" : "");
54038 + err = 0;
54039 + } else
54040 + err = 0;
54041 +
54042 + out:
54043 + preempt_enable();
54044 +
54045 + return err;
54046 +}
54047 +#endif
54048 +
54049 +int
54050 +gr_handle_proc_ptrace(struct task_struct *task)
54051 +{
54052 + struct file *filp;
54053 + struct task_struct *tmp = task;
54054 + struct task_struct *curtemp = current;
54055 + __u32 retmode;
54056 +
54057 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
54058 + if (unlikely(!(gr_status & GR_READY)))
54059 + return 0;
54060 +#endif
54061 +
54062 + read_lock(&tasklist_lock);
54063 + read_lock(&grsec_exec_file_lock);
54064 + filp = task->exec_file;
54065 +
54066 + while (tmp->pid > 0) {
54067 + if (tmp == curtemp)
54068 + break;
54069 + tmp = tmp->real_parent;
54070 + }
54071 +
54072 + if (!filp || (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
54073 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
54074 + read_unlock(&grsec_exec_file_lock);
54075 + read_unlock(&tasklist_lock);
54076 + return 1;
54077 + }
54078 +
54079 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
54080 + if (!(gr_status & GR_READY)) {
54081 + read_unlock(&grsec_exec_file_lock);
54082 + read_unlock(&tasklist_lock);
54083 + return 0;
54084 + }
54085 +#endif
54086 +
54087 + retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
54088 + read_unlock(&grsec_exec_file_lock);
54089 + read_unlock(&tasklist_lock);
54090 +
54091 + if (retmode & GR_NOPTRACE)
54092 + return 1;
54093 +
54094 + if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
54095 + && (current->acl != task->acl || (current->acl != current->role->root_label
54096 + && current->pid != task->pid)))
54097 + return 1;
54098 +
54099 + return 0;
54100 +}
54101 +
54102 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p)
54103 +{
54104 + if (unlikely(!(gr_status & GR_READY)))
54105 + return;
54106 +
54107 + if (!(current->role->roletype & GR_ROLE_GOD))
54108 + return;
54109 +
54110 + seq_printf(m, "RBAC:\t%.64s:%c:%.950s\n",
54111 + p->role->rolename, gr_task_roletype_to_char(p),
54112 + p->acl->filename);
54113 +}
54114 +
54115 +int
54116 +gr_handle_ptrace(struct task_struct *task, const long request)
54117 +{
54118 + struct task_struct *tmp = task;
54119 + struct task_struct *curtemp = current;
54120 + __u32 retmode;
54121 +
54122 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
54123 + if (unlikely(!(gr_status & GR_READY)))
54124 + return 0;
54125 +#endif
54126 +
54127 + read_lock(&tasklist_lock);
54128 + while (tmp->pid > 0) {
54129 + if (tmp == curtemp)
54130 + break;
54131 + tmp = tmp->real_parent;
54132 + }
54133 +
54134 + if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
54135 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
54136 + read_unlock(&tasklist_lock);
54137 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
54138 + return 1;
54139 + }
54140 + read_unlock(&tasklist_lock);
54141 +
54142 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
54143 + if (!(gr_status & GR_READY))
54144 + return 0;
54145 +#endif
54146 +
54147 + read_lock(&grsec_exec_file_lock);
54148 + if (unlikely(!task->exec_file)) {
54149 + read_unlock(&grsec_exec_file_lock);
54150 + return 0;
54151 + }
54152 +
54153 + retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
54154 + read_unlock(&grsec_exec_file_lock);
54155 +
54156 + if (retmode & GR_NOPTRACE) {
54157 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
54158 + return 1;
54159 + }
54160 +
54161 + if (retmode & GR_PTRACERD) {
54162 + switch (request) {
54163 + case PTRACE_POKETEXT:
54164 + case PTRACE_POKEDATA:
54165 + case PTRACE_POKEUSR:
54166 +#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
54167 + case PTRACE_SETREGS:
54168 + case PTRACE_SETFPREGS:
54169 +#endif
54170 +#ifdef CONFIG_X86
54171 + case PTRACE_SETFPXREGS:
54172 +#endif
54173 +#ifdef CONFIG_ALTIVEC
54174 + case PTRACE_SETVRREGS:
54175 +#endif
54176 + return 1;
54177 + default:
54178 + return 0;
54179 + }
54180 + } else if (!(current->acl->mode & GR_POVERRIDE) &&
54181 + !(current->role->roletype & GR_ROLE_GOD) &&
54182 + (current->acl != task->acl)) {
54183 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
54184 + return 1;
54185 + }
54186 +
54187 + return 0;
54188 +}
54189 +
54190 +static int is_writable_mmap(const struct file *filp)
54191 +{
54192 + struct task_struct *task = current;
54193 + struct acl_object_label *obj, *obj2;
54194 +
54195 + if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
54196 + !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode) && (filp->f_path.mnt != shm_mnt || (filp->f_path.dentry->d_inode->i_nlink > 0))) {
54197 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
54198 + obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
54199 + task->role->root_label);
54200 + if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
54201 + gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
54202 + return 1;
54203 + }
54204 + }
54205 + return 0;
54206 +}
54207 +
54208 +int
54209 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
54210 +{
54211 + __u32 mode;
54212 +
54213 + if (unlikely(!file || !(prot & PROT_EXEC)))
54214 + return 1;
54215 +
54216 + if (is_writable_mmap(file))
54217 + return 0;
54218 +
54219 + mode =
54220 + gr_search_file(file->f_path.dentry,
54221 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
54222 + file->f_path.mnt);
54223 +
54224 + if (!gr_tpe_allow(file))
54225 + return 0;
54226 +
54227 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
54228 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
54229 + return 0;
54230 + } else if (unlikely(!(mode & GR_EXEC))) {
54231 + return 0;
54232 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
54233 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
54234 + return 1;
54235 + }
54236 +
54237 + return 1;
54238 +}
54239 +
54240 +int
54241 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
54242 +{
54243 + __u32 mode;
54244 +
54245 + if (unlikely(!file || !(prot & PROT_EXEC)))
54246 + return 1;
54247 +
54248 + if (is_writable_mmap(file))
54249 + return 0;
54250 +
54251 + mode =
54252 + gr_search_file(file->f_path.dentry,
54253 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
54254 + file->f_path.mnt);
54255 +
54256 + if (!gr_tpe_allow(file))
54257 + return 0;
54258 +
54259 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
54260 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
54261 + return 0;
54262 + } else if (unlikely(!(mode & GR_EXEC))) {
54263 + return 0;
54264 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
54265 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
54266 + return 1;
54267 + }
54268 +
54269 + return 1;
54270 +}
54271 +
54272 +void
54273 +gr_acl_handle_psacct(struct task_struct *task, const long code)
54274 +{
54275 + unsigned long runtime;
54276 + unsigned long cputime;
54277 + unsigned int wday, cday;
54278 + __u8 whr, chr;
54279 + __u8 wmin, cmin;
54280 + __u8 wsec, csec;
54281 + struct timespec timeval;
54282 +
54283 + if (unlikely(!(gr_status & GR_READY) || !task->acl ||
54284 + !(task->acl->mode & GR_PROCACCT)))
54285 + return;
54286 +
54287 + do_posix_clock_monotonic_gettime(&timeval);
54288 + runtime = timeval.tv_sec - task->start_time.tv_sec;
54289 + wday = runtime / (3600 * 24);
54290 + runtime -= wday * (3600 * 24);
54291 + whr = runtime / 3600;
54292 + runtime -= whr * 3600;
54293 + wmin = runtime / 60;
54294 + runtime -= wmin * 60;
54295 + wsec = runtime;
54296 +
54297 + cputime = (task->utime + task->stime) / HZ;
54298 + cday = cputime / (3600 * 24);
54299 + cputime -= cday * (3600 * 24);
54300 + chr = cputime / 3600;
54301 + cputime -= chr * 3600;
54302 + cmin = cputime / 60;
54303 + cputime -= cmin * 60;
54304 + csec = cputime;
54305 +
54306 + gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
54307 +
54308 + return;
54309 +}
54310 +
54311 +void gr_set_kernel_label(struct task_struct *task)
54312 +{
54313 + if (gr_status & GR_READY) {
54314 + task->role = kernel_role;
54315 + task->acl = kernel_role->root_label;
54316 + }
54317 + return;
54318 +}
54319 +
54320 +#ifdef CONFIG_TASKSTATS
54321 +int gr_is_taskstats_denied(int pid)
54322 +{
54323 + struct task_struct *task;
54324 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
54325 + const struct cred *cred;
54326 +#endif
54327 + int ret = 0;
54328 +
54329 + /* restrict taskstats viewing to un-chrooted root users
54330 + who have the 'view' subject flag if the RBAC system is enabled
54331 + */
54332 +
54333 + rcu_read_lock();
54334 + read_lock(&tasklist_lock);
54335 + task = find_task_by_vpid(pid);
54336 + if (task) {
54337 +#ifdef CONFIG_GRKERNSEC_CHROOT
54338 + if (proc_is_chrooted(task))
54339 + ret = -EACCES;
54340 +#endif
54341 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
54342 + cred = __task_cred(task);
54343 +#ifdef CONFIG_GRKERNSEC_PROC_USER
54344 + if (cred->uid != 0)
54345 + ret = -EACCES;
54346 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
54347 + if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
54348 + ret = -EACCES;
54349 +#endif
54350 +#endif
54351 + if (gr_status & GR_READY) {
54352 + if (!(task->acl->mode & GR_VIEW))
54353 + ret = -EACCES;
54354 + }
54355 + } else
54356 + ret = -ENOENT;
54357 +
54358 + read_unlock(&tasklist_lock);
54359 + rcu_read_unlock();
54360 +
54361 + return ret;
54362 +}
54363 +#endif
54364 +
54365 +/* AUXV entries are filled via a descendant of search_binary_handler
54366 + after we've already applied the subject for the target
54367 +*/
54368 +int gr_acl_enable_at_secure(void)
54369 +{
54370 + if (unlikely(!(gr_status & GR_READY)))
54371 + return 0;
54372 +
54373 + if (current->acl->mode & GR_ATSECURE)
54374 + return 1;
54375 +
54376 + return 0;
54377 +}
54378 +
54379 +int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
54380 +{
54381 + struct task_struct *task = current;
54382 + struct dentry *dentry = file->f_path.dentry;
54383 + struct vfsmount *mnt = file->f_path.mnt;
54384 + struct acl_object_label *obj, *tmp;
54385 + struct acl_subject_label *subj;
54386 + unsigned int bufsize;
54387 + int is_not_root;
54388 + char *path;
54389 + dev_t dev = __get_dev(dentry);
54390 +
54391 + if (unlikely(!(gr_status & GR_READY)))
54392 + return 1;
54393 +
54394 + if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
54395 + return 1;
54396 +
54397 + /* ignore Eric Biederman */
54398 + if (IS_PRIVATE(dentry->d_inode))
54399 + return 1;
54400 +
54401 + subj = task->acl;
54402 + do {
54403 + obj = lookup_acl_obj_label(ino, dev, subj);
54404 + if (obj != NULL)
54405 + return (obj->mode & GR_FIND) ? 1 : 0;
54406 + } while ((subj = subj->parent_subject));
54407 +
54408 + /* this is purely an optimization since we're looking for an object
54409 + for the directory we're doing a readdir on
54410 + if it's possible for any globbed object to match the entry we're
54411 + filling into the directory, then the object we find here will be
54412 + an anchor point with attached globbed objects
54413 + */
54414 + obj = chk_obj_label_noglob(dentry, mnt, task->acl);
54415 + if (obj->globbed == NULL)
54416 + return (obj->mode & GR_FIND) ? 1 : 0;
54417 +
54418 + is_not_root = ((obj->filename[0] == '/') &&
54419 + (obj->filename[1] == '\0')) ? 0 : 1;
54420 + bufsize = PAGE_SIZE - namelen - is_not_root;
54421 +
54422 + /* check bufsize > PAGE_SIZE || bufsize == 0 */
54423 + if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
54424 + return 1;
54425 +
54426 + preempt_disable();
54427 + path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
54428 + bufsize);
54429 +
54430 + bufsize = strlen(path);
54431 +
54432 + /* if base is "/", don't append an additional slash */
54433 + if (is_not_root)
54434 + *(path + bufsize) = '/';
54435 + memcpy(path + bufsize + is_not_root, name, namelen);
54436 + *(path + bufsize + namelen + is_not_root) = '\0';
54437 +
54438 + tmp = obj->globbed;
54439 + while (tmp) {
54440 + if (!glob_match(tmp->filename, path)) {
54441 + preempt_enable();
54442 + return (tmp->mode & GR_FIND) ? 1 : 0;
54443 + }
54444 + tmp = tmp->next;
54445 + }
54446 + preempt_enable();
54447 + return (obj->mode & GR_FIND) ? 1 : 0;
54448 +}
54449 +
54450 +#ifdef CONFIG_NETFILTER_XT_MATCH_GRADM_MODULE
54451 +EXPORT_SYMBOL(gr_acl_is_enabled);
54452 +#endif
54453 +EXPORT_SYMBOL(gr_learn_resource);
54454 +EXPORT_SYMBOL(gr_set_kernel_label);
54455 +#ifdef CONFIG_SECURITY
54456 +EXPORT_SYMBOL(gr_check_user_change);
54457 +EXPORT_SYMBOL(gr_check_group_change);
54458 +#endif
54459 +
54460 diff -urNp linux-2.6.32.46/grsecurity/gracl_cap.c linux-2.6.32.46/grsecurity/gracl_cap.c
54461 --- linux-2.6.32.46/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
54462 +++ linux-2.6.32.46/grsecurity/gracl_cap.c 2011-09-14 08:53:50.000000000 -0400
54463 @@ -0,0 +1,101 @@
54464 +#include <linux/kernel.h>
54465 +#include <linux/module.h>
54466 +#include <linux/sched.h>
54467 +#include <linux/gracl.h>
54468 +#include <linux/grsecurity.h>
54469 +#include <linux/grinternal.h>
54470 +
54471 +extern const char *captab_log[];
54472 +extern int captab_log_entries;
54473 +
54474 +int
54475 +gr_acl_is_capable(const int cap)
54476 +{
54477 + struct task_struct *task = current;
54478 + const struct cred *cred = current_cred();
54479 + struct acl_subject_label *curracl;
54480 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
54481 + kernel_cap_t cap_audit = __cap_empty_set;
54482 +
54483 + if (!gr_acl_is_enabled())
54484 + return 1;
54485 +
54486 + curracl = task->acl;
54487 +
54488 + cap_drop = curracl->cap_lower;
54489 + cap_mask = curracl->cap_mask;
54490 + cap_audit = curracl->cap_invert_audit;
54491 +
54492 + while ((curracl = curracl->parent_subject)) {
54493 + /* if the cap isn't specified in the current computed mask but is specified in the
54494 + current level subject, and is lowered in the current level subject, then add
54495 + it to the set of dropped capabilities
54496 + otherwise, add the current level subject's mask to the current computed mask
54497 + */
54498 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
54499 + cap_raise(cap_mask, cap);
54500 + if (cap_raised(curracl->cap_lower, cap))
54501 + cap_raise(cap_drop, cap);
54502 + if (cap_raised(curracl->cap_invert_audit, cap))
54503 + cap_raise(cap_audit, cap);
54504 + }
54505 + }
54506 +
54507 + if (!cap_raised(cap_drop, cap)) {
54508 + if (cap_raised(cap_audit, cap))
54509 + gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
54510 + return 1;
54511 + }
54512 +
54513 + curracl = task->acl;
54514 +
54515 + if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
54516 + && cap_raised(cred->cap_effective, cap)) {
54517 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
54518 + task->role->roletype, cred->uid,
54519 + cred->gid, task->exec_file ?
54520 + gr_to_filename(task->exec_file->f_path.dentry,
54521 + task->exec_file->f_path.mnt) : curracl->filename,
54522 + curracl->filename, 0UL,
54523 + 0UL, "", (unsigned long) cap, &task->signal->saved_ip);
54524 + return 1;
54525 + }
54526 +
54527 + if ((cap >= 0) && (cap < captab_log_entries) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
54528 + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
54529 + return 0;
54530 +}
54531 +
54532 +int
54533 +gr_acl_is_capable_nolog(const int cap)
54534 +{
54535 + struct acl_subject_label *curracl;
54536 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
54537 +
54538 + if (!gr_acl_is_enabled())
54539 + return 1;
54540 +
54541 + curracl = current->acl;
54542 +
54543 + cap_drop = curracl->cap_lower;
54544 + cap_mask = curracl->cap_mask;
54545 +
54546 + while ((curracl = curracl->parent_subject)) {
54547 + /* if the cap isn't specified in the current computed mask but is specified in the
54548 + current level subject, and is lowered in the current level subject, then add
54549 + it to the set of dropped capabilities
54550 + otherwise, add the current level subject's mask to the current computed mask
54551 + */
54552 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
54553 + cap_raise(cap_mask, cap);
54554 + if (cap_raised(curracl->cap_lower, cap))
54555 + cap_raise(cap_drop, cap);
54556 + }
54557 + }
54558 +
54559 + if (!cap_raised(cap_drop, cap))
54560 + return 1;
54561 +
54562 + return 0;
54563 +}
54564 +
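Review bot: In `gr_acl_is_capable`, the allowed-and-audited path calls `gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap])` without bounding `cap`, while the denial path at the end of the same function guards the identical table lookup with `(cap >= 0) && (cap < captab_log_entries)`. If a capability number at or beyond `captab_log_entries` can reach this function (the table is defined elsewhere, so its size relative to the kernel's capability range is not visible here), the audit log call would read past the end of `captab_log`. The audit branch should carry the same guard: `if (cap_raised(cap_audit, cap) && cap >= 0 && cap < captab_log_entries)`. The block comment in both parent-subject loops also ends with an "otherwise, add the current level subject's mask ..." clause for which the code has no matching else-branch; it should be reworded to describe what the loop actually does.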
54565 diff -urNp linux-2.6.32.46/grsecurity/gracl_fs.c linux-2.6.32.46/grsecurity/gracl_fs.c
54566 --- linux-2.6.32.46/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
54567 +++ linux-2.6.32.46/grsecurity/gracl_fs.c 2011-04-17 15:56:46.000000000 -0400
54568 @@ -0,0 +1,431 @@
54569 +#include <linux/kernel.h>
54570 +#include <linux/sched.h>
54571 +#include <linux/types.h>
54572 +#include <linux/fs.h>
54573 +#include <linux/file.h>
54574 +#include <linux/stat.h>
54575 +#include <linux/grsecurity.h>
54576 +#include <linux/grinternal.h>
54577 +#include <linux/gracl.h>
54578 +
54579 +__u32
54580 +gr_acl_handle_hidden_file(const struct dentry * dentry,
54581 + const struct vfsmount * mnt)
54582 +{
54583 + __u32 mode;
54584 +
54585 + if (unlikely(!dentry->d_inode))
54586 + return GR_FIND;
54587 +
54588 + mode =
54589 + gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
54590 +
54591 + if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
54592 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
54593 + return mode;
54594 + } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
54595 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
54596 + return 0;
54597 + } else if (unlikely(!(mode & GR_FIND)))
54598 + return 0;
54599 +
54600 + return GR_FIND;
54601 +}
54602 +
54603 +__u32
54604 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
54605 + const int fmode)
54606 +{
54607 + __u32 reqmode = GR_FIND;
54608 + __u32 mode;
54609 +
54610 + if (unlikely(!dentry->d_inode))
54611 + return reqmode;
54612 +
54613 + if (unlikely(fmode & O_APPEND))
54614 + reqmode |= GR_APPEND;
54615 + else if (unlikely(fmode & FMODE_WRITE))
54616 + reqmode |= GR_WRITE;
54617 + if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
54618 + reqmode |= GR_READ;
54619 + if ((fmode & FMODE_GREXEC) && (fmode & FMODE_EXEC))
54620 + reqmode &= ~GR_READ;
54621 + mode =
54622 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
54623 + mnt);
54624 +
54625 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
54626 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
54627 + reqmode & GR_READ ? " reading" : "",
54628 + reqmode & GR_WRITE ? " writing" : reqmode &
54629 + GR_APPEND ? " appending" : "");
54630 + return reqmode;
54631 + } else
54632 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
54633 + {
54634 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
54635 + reqmode & GR_READ ? " reading" : "",
54636 + reqmode & GR_WRITE ? " writing" : reqmode &
54637 + GR_APPEND ? " appending" : "");
54638 + return 0;
54639 + } else if (unlikely((mode & reqmode) != reqmode))
54640 + return 0;
54641 +
54642 + return reqmode;
54643 +}
54644 +
54645 +__u32
54646 +gr_acl_handle_creat(const struct dentry * dentry,
54647 + const struct dentry * p_dentry,
54648 + const struct vfsmount * p_mnt, const int fmode,
54649 + const int imode)
54650 +{
54651 + __u32 reqmode = GR_WRITE | GR_CREATE;
54652 + __u32 mode;
54653 +
54654 + if (unlikely(fmode & O_APPEND))
54655 + reqmode |= GR_APPEND;
54656 + if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
54657 + reqmode |= GR_READ;
54658 + if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
54659 + reqmode |= GR_SETID;
54660 +
54661 + mode =
54662 + gr_check_create(dentry, p_dentry, p_mnt,
54663 + reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
54664 +
54665 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
54666 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
54667 + reqmode & GR_READ ? " reading" : "",
54668 + reqmode & GR_WRITE ? " writing" : reqmode &
54669 + GR_APPEND ? " appending" : "");
54670 + return reqmode;
54671 + } else
54672 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
54673 + {
54674 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
54675 + reqmode & GR_READ ? " reading" : "",
54676 + reqmode & GR_WRITE ? " writing" : reqmode &
54677 + GR_APPEND ? " appending" : "");
54678 + return 0;
54679 + } else if (unlikely((mode & reqmode) != reqmode))
54680 + return 0;
54681 +
54682 + return reqmode;
54683 +}
54684 +
54685 +__u32
54686 +gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
54687 + const int fmode)
54688 +{
54689 + __u32 mode, reqmode = GR_FIND;
54690 +
54691 + if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
54692 + reqmode |= GR_EXEC;
54693 + if (fmode & S_IWOTH)
54694 + reqmode |= GR_WRITE;
54695 + if (fmode & S_IROTH)
54696 + reqmode |= GR_READ;
54697 +
54698 + mode =
54699 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
54700 + mnt);
54701 +
54702 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
54703 + gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
54704 + reqmode & GR_READ ? " reading" : "",
54705 + reqmode & GR_WRITE ? " writing" : "",
54706 + reqmode & GR_EXEC ? " executing" : "");
54707 + return reqmode;
54708 + } else
54709 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
54710 + {
54711 + gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
54712 + reqmode & GR_READ ? " reading" : "",
54713 + reqmode & GR_WRITE ? " writing" : "",
54714 + reqmode & GR_EXEC ? " executing" : "");
54715 + return 0;
54716 + } else if (unlikely((mode & reqmode) != reqmode))
54717 + return 0;
54718 +
54719 + return reqmode;
54720 +}
54721 +
54722 +static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
54723 +{
54724 + __u32 mode;
54725 +
54726 + mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
54727 +
54728 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
54729 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
54730 + return mode;
54731 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
54732 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
54733 + return 0;
54734 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
54735 + return 0;
54736 +
54737 + return (reqmode);
54738 +}
54739 +
54740 +__u32
54741 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
54742 +{
54743 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
54744 +}
54745 +
54746 +__u32
54747 +gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
54748 +{
54749 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
54750 +}
54751 +
54752 +__u32
54753 +gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
54754 +{
54755 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
54756 +}
54757 +
54758 +__u32
54759 +gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
54760 +{
54761 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
54762 +}
54763 +
54764 +__u32
54765 +gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
54766 + mode_t mode)
54767 +{
54768 + if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
54769 + return 1;
54770 +
54771 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
54772 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
54773 + GR_FCHMOD_ACL_MSG);
54774 + } else {
54775 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
54776 + }
54777 +}
54778 +
54779 +__u32
54780 +gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
54781 + mode_t mode)
54782 +{
54783 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
54784 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
54785 + GR_CHMOD_ACL_MSG);
54786 + } else {
54787 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
54788 + }
54789 +}
54790 +
54791 +__u32
54792 +gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
54793 +{
54794 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
54795 +}
54796 +
54797 +__u32
54798 +gr_acl_handle_setxattr(const struct dentry *dentry, const struct vfsmount *mnt)
54799 +{
54800 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_SETXATTR_ACL_MSG);
54801 +}
54802 +
54803 +__u32
54804 +gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
54805 +{
54806 + return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
54807 +}
54808 +
54809 +__u32
54810 +gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
54811 +{
54812 + return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
54813 + GR_UNIXCONNECT_ACL_MSG);
54814 +}
54815 +
54816 +/* hardlinks require at minimum create permission,
54817 + any additional privilege required is based on the
54818 + privilege of the file being linked to
54819 +*/
54820 +__u32
54821 +gr_acl_handle_link(const struct dentry * new_dentry,
54822 + const struct dentry * parent_dentry,
54823 + const struct vfsmount * parent_mnt,
54824 + const struct dentry * old_dentry,
54825 + const struct vfsmount * old_mnt, const char *to)
54826 +{
54827 + __u32 mode;
54828 + __u32 needmode = GR_CREATE | GR_LINK;
54829 + __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
54830 +
54831 + mode =
54832 + gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
54833 + old_mnt);
54834 +
54835 + if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
54836 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
54837 + return mode;
54838 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
54839 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
54840 + return 0;
54841 + } else if (unlikely((mode & needmode) != needmode))
54842 + return 0;
54843 +
54844 + return 1;
54845 +}
54846 +
54847 +__u32
54848 +gr_acl_handle_symlink(const struct dentry * new_dentry,
54849 + const struct dentry * parent_dentry,
54850 + const struct vfsmount * parent_mnt, const char *from)
54851 +{
54852 + __u32 needmode = GR_WRITE | GR_CREATE;
54853 + __u32 mode;
54854 +
54855 + mode =
54856 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
54857 + GR_CREATE | GR_AUDIT_CREATE |
54858 + GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
54859 +
54860 + if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
54861 + gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
54862 + return mode;
54863 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
54864 + gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
54865 + return 0;
54866 + } else if (unlikely((mode & needmode) != needmode))
54867 + return 0;
54868 +
54869 + return (GR_WRITE | GR_CREATE);
54870 +}
54871 +
54872 +static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
54873 +{
54874 + __u32 mode;
54875 +
54876 + mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
54877 +
54878 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
54879 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
54880 + return mode;
54881 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
54882 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
54883 + return 0;
54884 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
54885 + return 0;
54886 +
54887 + return (reqmode);
54888 +}
54889 +
54890 +__u32
54891 +gr_acl_handle_mknod(const struct dentry * new_dentry,
54892 + const struct dentry * parent_dentry,
54893 + const struct vfsmount * parent_mnt,
54894 + const int mode)
54895 +{
54896 + __u32 reqmode = GR_WRITE | GR_CREATE;
54897 + if (unlikely(mode & (S_ISUID | S_ISGID)))
54898 + reqmode |= GR_SETID;
54899 +
54900 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
54901 + reqmode, GR_MKNOD_ACL_MSG);
54902 +}
54903 +
54904 +__u32
54905 +gr_acl_handle_mkdir(const struct dentry *new_dentry,
54906 + const struct dentry *parent_dentry,
54907 + const struct vfsmount *parent_mnt)
54908 +{
54909 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
54910 + GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
54911 +}
54912 +
54913 +#define RENAME_CHECK_SUCCESS(old, new) \
54914 + (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
54915 + ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
54916 +
54917 +int
54918 +gr_acl_handle_rename(struct dentry *new_dentry,
54919 + struct dentry *parent_dentry,
54920 + const struct vfsmount *parent_mnt,
54921 + struct dentry *old_dentry,
54922 + struct inode *old_parent_inode,
54923 + struct vfsmount *old_mnt, const char *newname)
54924 +{
54925 + __u32 comp1, comp2;
54926 + int error = 0;
54927 +
54928 + if (unlikely(!gr_acl_is_enabled()))
54929 + return 0;
54930 +
54931 + if (!new_dentry->d_inode) {
54932 + comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
54933 + GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
54934 + GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
54935 + comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
54936 + GR_DELETE | GR_AUDIT_DELETE |
54937 + GR_AUDIT_READ | GR_AUDIT_WRITE |
54938 + GR_SUPPRESS, old_mnt);
54939 + } else {
54940 + comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
54941 + GR_CREATE | GR_DELETE |
54942 + GR_AUDIT_CREATE | GR_AUDIT_DELETE |
54943 + GR_AUDIT_READ | GR_AUDIT_WRITE |
54944 + GR_SUPPRESS, parent_mnt);
54945 + comp2 =
54946 + gr_search_file(old_dentry,
54947 + GR_READ | GR_WRITE | GR_AUDIT_READ |
54948 + GR_DELETE | GR_AUDIT_DELETE |
54949 + GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
54950 + }
54951 +
54952 + if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
54953 + ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
54954 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
54955 + else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
54956 + && !(comp2 & GR_SUPPRESS)) {
54957 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
54958 + error = -EACCES;
54959 + } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
54960 + error = -EACCES;
54961 +
54962 + return error;
54963 +}
54964 +
54965 +void
54966 +gr_acl_handle_exit(void)
54967 +{
54968 + u16 id;
54969 + char *rolename;
54970 + struct file *exec_file;
54971 +
54972 + if (unlikely(current->acl_sp_role && gr_acl_is_enabled() &&
54973 + !(current->role->roletype & GR_ROLE_PERSIST))) {
54974 + id = current->acl_role_id;
54975 + rolename = current->role->rolename;
54976 + gr_set_acls(1);
54977 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
54978 + }
54979 +
54980 + write_lock(&grsec_exec_file_lock);
54981 + exec_file = current->exec_file;
54982 + current->exec_file = NULL;
54983 + write_unlock(&grsec_exec_file_lock);
54984 +
54985 + if (exec_file)
54986 + fput(exec_file);
54987 +}
54988 +
54989 +int
54990 +gr_acl_handle_procpidmem(const struct task_struct *task)
54991 +{
54992 + if (unlikely(!gr_acl_is_enabled()))
54993 + return 0;
54994 +
54995 + if (task != current && task->acl->mode & GR_PROTPROCFD)
54996 + return -EACCES;
54997 +
54998 + return 0;
54999 +}
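Review bot: `gr_acl_handle_symlink` takes its audit-and-allow branch on `mode & GR_WRITE && mode & GR_AUDITS`, which does not require `GR_CREATE`, although `needmode` is `GR_WRITE | GR_CREATE` and `gr_acl_handle_link`, `gr_acl_handle_creat` and `generic_fs_create_handler` all test the full required mask before returning a non-zero result. If `gr_check_create` (defined outside this hunk) can return write plus an audit bit without create, that branch returns a non-zero `mode` and the `needmode` denial checks below it are never reached. The first condition should read `if (unlikely(((mode & needmode) == needmode) && mode & GR_AUDITS)) {`. Separately, `gr_acl_handle_access` reads `dentry->d_inode->i_mode` without the `!dentry->d_inode` guard used by `gr_acl_handle_open` and `gr_acl_handle_hidden_file`; a comment such as `/* callers pass only positive dentries */` would make that assumption explicit if it holds.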
55000 diff -urNp linux-2.6.32.46/grsecurity/gracl_ip.c linux-2.6.32.46/grsecurity/gracl_ip.c
55001 --- linux-2.6.32.46/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
55002 +++ linux-2.6.32.46/grsecurity/gracl_ip.c 2011-04-17 15:56:46.000000000 -0400
55003 @@ -0,0 +1,382 @@
55004 +#include <linux/kernel.h>
55005 +#include <asm/uaccess.h>
55006 +#include <asm/errno.h>
55007 +#include <net/sock.h>
55008 +#include <linux/file.h>
55009 +#include <linux/fs.h>
55010 +#include <linux/net.h>
55011 +#include <linux/in.h>
55012 +#include <linux/skbuff.h>
55013 +#include <linux/ip.h>
55014 +#include <linux/udp.h>
55015 +#include <linux/smp_lock.h>
55016 +#include <linux/types.h>
55017 +#include <linux/sched.h>
55018 +#include <linux/netdevice.h>
55019 +#include <linux/inetdevice.h>
55020 +#include <linux/gracl.h>
55021 +#include <linux/grsecurity.h>
55022 +#include <linux/grinternal.h>
55023 +
55024 +#define GR_BIND 0x01
55025 +#define GR_CONNECT 0x02
55026 +#define GR_INVERT 0x04
55027 +#define GR_BINDOVERRIDE 0x08
55028 +#define GR_CONNECTOVERRIDE 0x10
55029 +#define GR_SOCK_FAMILY 0x20
55030 +
55031 +static const char * gr_protocols[IPPROTO_MAX] = {
55032 + "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
55033 + "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
55034 + "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
55035 + "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
55036 + "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
55037 + "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
55038 + "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
55039 + "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
55040 + "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
55041 + "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
55042 + "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
55043 + "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
55044 + "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
55045 + "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
55046 + "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
55047 + "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
55048 + "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
55049 + "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
55050 + "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
55051 + "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
55052 + "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
55053 + "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
55054 + "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
55055 + "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
55056 + "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
55057 + "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
55058 + "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
55059 + "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
55060 + "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
55061 + "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
55062 + "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
55063 + "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
55064 + };
55065 +
55066 +static const char * gr_socktypes[SOCK_MAX] = {
55067 + "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
55068 + "unknown:7", "unknown:8", "unknown:9", "packet"
55069 + };
55070 +
55071 +static const char * gr_sockfamilies[AF_MAX+1] = {
55072 + "unspec", "unix", "inet", "ax25", "ipx", "appletalk", "netrom", "bridge", "atmpvc", "x25",
55073 + "inet6", "rose", "decnet", "netbeui", "security", "key", "netlink", "packet", "ash",
55074 + "econet", "atmsvc", "rds", "sna", "irda", "ppox", "wanpipe", "llc", "fam_27", "fam_28",
55075 + "tipc", "bluetooth", "iucv", "rxrpc", "isdn", "phonet", "ieee802154"
55076 + };
55077 +
55078 +const char *
55079 +gr_proto_to_name(unsigned char proto)
55080 +{
55081 + return gr_protocols[proto];
55082 +}
55083 +
55084 +const char *
55085 +gr_socktype_to_name(unsigned char type)
55086 +{
55087 + return gr_socktypes[type];
55088 +}
55089 +
55090 +const char *
55091 +gr_sockfamily_to_name(unsigned char family)
55092 +{
55093 + return gr_sockfamilies[family];
55094 +}
55095 +
55096 +int
55097 +gr_search_socket(const int domain, const int type, const int protocol)
55098 +{
55099 + struct acl_subject_label *curr;
55100 + const struct cred *cred = current_cred();
55101 +
55102 + if (unlikely(!gr_acl_is_enabled()))
55103 + goto exit;
55104 +
55105 + if ((domain < 0) || (type < 0) || (protocol < 0) ||
55106 + (domain >= AF_MAX) || (type >= SOCK_MAX) || (protocol >= IPPROTO_MAX))
55107 + goto exit; // let the kernel handle it
55108 +
55109 + curr = current->acl;
55110 +
55111 + if (curr->sock_families[domain / 32] & (1 << (domain % 32))) {
55112 + /* the family is allowed, if this is PF_INET allow it only if
55113 + the extra sock type/protocol checks pass */
55114 + if (domain == PF_INET)
55115 + goto inet_check;
55116 + goto exit;
55117 + } else {
55118 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
55119 + __u32 fakeip = 0;
55120 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
55121 + current->role->roletype, cred->uid,
55122 + cred->gid, current->exec_file ?
55123 + gr_to_filename(current->exec_file->f_path.dentry,
55124 + current->exec_file->f_path.mnt) :
55125 + curr->filename, curr->filename,
55126 + &fakeip, domain, 0, 0, GR_SOCK_FAMILY,
55127 + &current->signal->saved_ip);
55128 + goto exit;
55129 + }
55130 + goto exit_fail;
55131 + }
55132 +
55133 +inet_check:
55134 + /* the rest of this checking is for IPv4 only */
55135 + if (!curr->ips)
55136 + goto exit;
55137 +
55138 + if ((curr->ip_type & (1 << type)) &&
55139 + (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
55140 + goto exit;
55141 +
55142 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
55143 + /* we don't place acls on raw sockets , and sometimes
55144 + dgram/ip sockets are opened for ioctl and not
55145 + bind/connect, so we'll fake a bind learn log */
55146 + if (type == SOCK_RAW || type == SOCK_PACKET) {
55147 + __u32 fakeip = 0;
55148 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
55149 + current->role->roletype, cred->uid,
55150 + cred->gid, current->exec_file ?
55151 + gr_to_filename(current->exec_file->f_path.dentry,
55152 + current->exec_file->f_path.mnt) :
55153 + curr->filename, curr->filename,
55154 + &fakeip, 0, type,
55155 + protocol, GR_CONNECT, &current->signal->saved_ip);
55156 + } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
55157 + __u32 fakeip = 0;
55158 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
55159 + current->role->roletype, cred->uid,
55160 + cred->gid, current->exec_file ?
55161 + gr_to_filename(current->exec_file->f_path.dentry,
55162 + current->exec_file->f_path.mnt) :
55163 + curr->filename, curr->filename,
55164 + &fakeip, 0, type,
55165 + protocol, GR_BIND, &current->signal->saved_ip);
55166 + }
55167 + /* we'll log when they use connect or bind */
55168 + goto exit;
55169 + }
55170 +
55171 +exit_fail:
55172 + if (domain == PF_INET)
55173 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain),
55174 + gr_socktype_to_name(type), gr_proto_to_name(protocol));
55175 + else
55176 + gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(domain),
55177 + gr_socktype_to_name(type), protocol);
55178 +
55179 + return 0;
55180 +exit:
55181 + return 1;
55182 +}
55183 +
55184 +int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
55185 +{
55186 + if ((ip->mode & mode) &&
55187 + (ip_port >= ip->low) &&
55188 + (ip_port <= ip->high) &&
55189 + ((ntohl(ip_addr) & our_netmask) ==
55190 + (ntohl(our_addr) & our_netmask))
55191 + && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
55192 + && (ip->type & (1 << type))) {
55193 + if (ip->mode & GR_INVERT)
55194 + return 2; // specifically denied
55195 + else
55196 + return 1; // allowed
55197 + }
55198 +
55199 + return 0; // not specifically allowed, may continue parsing
55200 +}
55201 +
55202 +static int
55203 +gr_search_connectbind(const int full_mode, struct sock *sk,
55204 + struct sockaddr_in *addr, const int type)
55205 +{
55206 + char iface[IFNAMSIZ] = {0};
55207 + struct acl_subject_label *curr;
55208 + struct acl_ip_label *ip;
55209 + struct inet_sock *isk;
55210 + struct net_device *dev;
55211 + struct in_device *idev;
55212 + unsigned long i;
55213 + int ret;
55214 + int mode = full_mode & (GR_BIND | GR_CONNECT);
55215 + __u32 ip_addr = 0;
55216 + __u32 our_addr;
55217 + __u32 our_netmask;
55218 + char *p;
55219 + __u16 ip_port = 0;
55220 + const struct cred *cred = current_cred();
55221 +
55222 + if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
55223 + return 0;
55224 +
55225 + curr = current->acl;
55226 + isk = inet_sk(sk);
55227 +
55228 + /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
55229 + if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
55230 + addr->sin_addr.s_addr = curr->inaddr_any_override;
55231 + if ((full_mode & GR_CONNECT) && isk->saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
55232 + struct sockaddr_in saddr;
55233 + int err;
55234 +
55235 + saddr.sin_family = AF_INET;
55236 + saddr.sin_addr.s_addr = curr->inaddr_any_override;
55237 + saddr.sin_port = isk->sport;
55238 +
55239 + err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
55240 + if (err)
55241 + return err;
55242 +
55243 + err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
55244 + if (err)
55245 + return err;
55246 + }
55247 +
55248 + if (!curr->ips)
55249 + return 0;
55250 +
55251 + ip_addr = addr->sin_addr.s_addr;
55252 + ip_port = ntohs(addr->sin_port);
55253 +
55254 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
55255 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
55256 + current->role->roletype, cred->uid,
55257 + cred->gid, current->exec_file ?
55258 + gr_to_filename(current->exec_file->f_path.dentry,
55259 + current->exec_file->f_path.mnt) :
55260 + curr->filename, curr->filename,
55261 + &ip_addr, ip_port, type,
55262 + sk->sk_protocol, mode, &current->signal->saved_ip);
55263 + return 0;
55264 + }
55265 +
55266 + for (i = 0; i < curr->ip_num; i++) {
55267 + ip = *(curr->ips + i);
55268 + if (ip->iface != NULL) {
55269 + strncpy(iface, ip->iface, IFNAMSIZ - 1);
55270 + p = strchr(iface, ':');
55271 + if (p != NULL)
55272 + *p = '\0';
55273 + dev = dev_get_by_name(sock_net(sk), iface);
55274 + if (dev == NULL)
55275 + continue;
55276 + idev = in_dev_get(dev);
55277 + if (idev == NULL) {
55278 + dev_put(dev);
55279 + continue;
55280 + }
55281 + rcu_read_lock();
55282 + for_ifa(idev) {
55283 + if (!strcmp(ip->iface, ifa->ifa_label)) {
55284 + our_addr = ifa->ifa_address;
55285 + our_netmask = 0xffffffff;
55286 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
55287 + if (ret == 1) {
55288 + rcu_read_unlock();
55289 + in_dev_put(idev);
55290 + dev_put(dev);
55291 + return 0;
55292 + } else if (ret == 2) {
55293 + rcu_read_unlock();
55294 + in_dev_put(idev);
55295 + dev_put(dev);
55296 + goto denied;
55297 + }
55298 + }
55299 + } endfor_ifa(idev);
55300 + rcu_read_unlock();
55301 + in_dev_put(idev);
55302 + dev_put(dev);
55303 + } else {
55304 + our_addr = ip->addr;
55305 + our_netmask = ip->netmask;
55306 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
55307 + if (ret == 1)
55308 + return 0;
55309 + else if (ret == 2)
55310 + goto denied;
55311 + }
55312 + }
55313 +
55314 +denied:
55315 + if (mode == GR_BIND)
55316 + gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
55317 + else if (mode == GR_CONNECT)
55318 + gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
55319 +
55320 + return -EACCES;
55321 +}
55322 +
55323 +int
55324 +gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
55325 +{
55326 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
55327 +}
55328 +
55329 +int
55330 +gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
55331 +{
55332 + return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
55333 +}
55334 +
55335 +int gr_search_listen(struct socket *sock)
55336 +{
55337 + struct sock *sk = sock->sk;
55338 + struct sockaddr_in addr;
55339 +
55340 + addr.sin_addr.s_addr = inet_sk(sk)->saddr;
55341 + addr.sin_port = inet_sk(sk)->sport;
55342 +
55343 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
55344 +}
55345 +
55346 +int gr_search_accept(struct socket *sock)
55347 +{
55348 + struct sock *sk = sock->sk;
55349 + struct sockaddr_in addr;
55350 +
55351 + addr.sin_addr.s_addr = inet_sk(sk)->saddr;
55352 + addr.sin_port = inet_sk(sk)->sport;
55353 +
55354 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
55355 +}
55356 +
55357 +int
55358 +gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
55359 +{
55360 + if (addr)
55361 + return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
55362 + else {
55363 + struct sockaddr_in sin;
55364 + const struct inet_sock *inet = inet_sk(sk);
55365 +
55366 + sin.sin_addr.s_addr = inet->daddr;
55367 + sin.sin_port = inet->dport;
55368 +
55369 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
55370 + }
55371 +}
55372 +
55373 +int
55374 +gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
55375 +{
55376 + struct sockaddr_in sin;
55377 +
55378 + if (unlikely(skb->len < sizeof (struct udphdr)))
55379 + return 0; // skip this packet
55380 +
55381 + sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
55382 + sin.sin_port = udp_hdr(skb)->source;
55383 +
55384 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
55385 +}
55386 diff -urNp linux-2.6.32.46/grsecurity/gracl_learn.c linux-2.6.32.46/grsecurity/gracl_learn.c
55387 --- linux-2.6.32.46/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
55388 +++ linux-2.6.32.46/grsecurity/gracl_learn.c 2011-07-14 21:02:03.000000000 -0400
55389 @@ -0,0 +1,208 @@
55390 +#include <linux/kernel.h>
55391 +#include <linux/mm.h>
55392 +#include <linux/sched.h>
55393 +#include <linux/poll.h>
55394 +#include <linux/smp_lock.h>
55395 +#include <linux/string.h>
55396 +#include <linux/file.h>
55397 +#include <linux/types.h>
55398 +#include <linux/vmalloc.h>
55399 +#include <linux/grinternal.h>
55400 +
55401 +extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
55402 + size_t count, loff_t *ppos);
55403 +extern int gr_acl_is_enabled(void);
55404 +
55405 +static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
55406 +static int gr_learn_attached;
55407 +
55408 +/* use a 512k buffer */
55409 +#define LEARN_BUFFER_SIZE (512 * 1024)
55410 +
55411 +static DEFINE_SPINLOCK(gr_learn_lock);
55412 +static DEFINE_MUTEX(gr_learn_user_mutex);
55413 +
55414 +/* we need to maintain two buffers, so that the kernel context of grlearn
55415 + uses a semaphore around the userspace copying, and the other kernel contexts
55416 + use a spinlock when copying into the buffer, since they cannot sleep
55417 +*/
55418 +static char *learn_buffer;
55419 +static char *learn_buffer_user;
55420 +static int learn_buffer_len;
55421 +static int learn_buffer_user_len;
55422 +
55423 +static ssize_t
55424 +read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
55425 +{
55426 + DECLARE_WAITQUEUE(wait, current);
55427 + ssize_t retval = 0;
55428 +
55429 + add_wait_queue(&learn_wait, &wait);
55430 + set_current_state(TASK_INTERRUPTIBLE);
55431 + do {
55432 + mutex_lock(&gr_learn_user_mutex);
55433 + spin_lock(&gr_learn_lock);
55434 + if (learn_buffer_len)
55435 + break;
55436 + spin_unlock(&gr_learn_lock);
55437 + mutex_unlock(&gr_learn_user_mutex);
55438 + if (file->f_flags & O_NONBLOCK) {
55439 + retval = -EAGAIN;
55440 + goto out;
55441 + }
55442 + if (signal_pending(current)) {
55443 + retval = -ERESTARTSYS;
55444 + goto out;
55445 + }
55446 +
55447 + schedule();
55448 + } while (1);
55449 +
55450 + memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
55451 + learn_buffer_user_len = learn_buffer_len;
55452 + retval = learn_buffer_len;
55453 + learn_buffer_len = 0;
55454 +
55455 + spin_unlock(&gr_learn_lock);
55456 +
55457 + if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
55458 + retval = -EFAULT;
55459 +
55460 + mutex_unlock(&gr_learn_user_mutex);
55461 +out:
55462 + set_current_state(TASK_RUNNING);
55463 + remove_wait_queue(&learn_wait, &wait);
55464 + return retval;
55465 +}
55466 +
55467 +static unsigned int
55468 +poll_learn(struct file * file, poll_table * wait)
55469 +{
55470 + poll_wait(file, &learn_wait, wait);
55471 +
55472 + if (learn_buffer_len)
55473 + return (POLLIN | POLLRDNORM);
55474 +
55475 + return 0;
55476 +}
55477 +
55478 +void
55479 +gr_clear_learn_entries(void)
55480 +{
55481 + char *tmp;
55482 +
55483 + mutex_lock(&gr_learn_user_mutex);
55484 + spin_lock(&gr_learn_lock);
55485 + tmp = learn_buffer;
55486 + learn_buffer = NULL;
55487 + spin_unlock(&gr_learn_lock);
55488 + if (tmp)
55489 + vfree(tmp);
55490 + if (learn_buffer_user != NULL) {
55491 + vfree(learn_buffer_user);
55492 + learn_buffer_user = NULL;
55493 + }
55494 + learn_buffer_len = 0;
55495 + mutex_unlock(&gr_learn_user_mutex);
55496 +
55497 + return;
55498 +}
55499 +
55500 +void
55501 +gr_add_learn_entry(const char *fmt, ...)
55502 +{
55503 + va_list args;
55504 + unsigned int len;
55505 +
55506 + if (!gr_learn_attached)
55507 + return;
55508 +
55509 + spin_lock(&gr_learn_lock);
55510 +
55511 + /* leave a gap at the end so we know when it's "full" but don't have to
55512 + compute the exact length of the string we're trying to append
55513 + */
55514 + if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
55515 + spin_unlock(&gr_learn_lock);
55516 + wake_up_interruptible(&learn_wait);
55517 + return;
55518 + }
55519 + if (learn_buffer == NULL) {
55520 + spin_unlock(&gr_learn_lock);
55521 + return;
55522 + }
55523 +
55524 + va_start(args, fmt);
55525 + len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
55526 + va_end(args);
55527 +
55528 + learn_buffer_len += len + 1;
55529 +
55530 + spin_unlock(&gr_learn_lock);
55531 + wake_up_interruptible(&learn_wait);
55532 +
55533 + return;
55534 +}
55535 +
55536 +static int
55537 +open_learn(struct inode *inode, struct file *file)
55538 +{
55539 + if (file->f_mode & FMODE_READ && gr_learn_attached)
55540 + return -EBUSY;
55541 + if (file->f_mode & FMODE_READ) {
55542 + int retval = 0;
55543 + mutex_lock(&gr_learn_user_mutex);
55544 + if (learn_buffer == NULL)
55545 + learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
55546 + if (learn_buffer_user == NULL)
55547 + learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
55548 + if (learn_buffer == NULL) {
55549 + retval = -ENOMEM;
55550 + goto out_error;
55551 + }
55552 + if (learn_buffer_user == NULL) {
55553 + retval = -ENOMEM;
55554 + goto out_error;
55555 + }
55556 + learn_buffer_len = 0;
55557 + learn_buffer_user_len = 0;
55558 + gr_learn_attached = 1;
55559 +out_error:
55560 + mutex_unlock(&gr_learn_user_mutex);
55561 + return retval;
55562 + }
55563 + return 0;
55564 +}
55565 +
55566 +static int
55567 +close_learn(struct inode *inode, struct file *file)
55568 +{
55569 + if (file->f_mode & FMODE_READ) {
55570 + char *tmp = NULL;
55571 + mutex_lock(&gr_learn_user_mutex);
55572 + spin_lock(&gr_learn_lock);
55573 + tmp = learn_buffer;
55574 + learn_buffer = NULL;
55575 + spin_unlock(&gr_learn_lock);
55576 + if (tmp)
55577 + vfree(tmp);
55578 + if (learn_buffer_user != NULL) {
55579 + vfree(learn_buffer_user);
55580 + learn_buffer_user = NULL;
55581 + }
55582 + learn_buffer_len = 0;
55583 + learn_buffer_user_len = 0;
55584 + gr_learn_attached = 0;
55585 + mutex_unlock(&gr_learn_user_mutex);
55586 + }
55587 +
55588 + return 0;
55589 +}
55590 +
55591 +const struct file_operations grsec_fops = {
55592 + .read = read_learn,
55593 + .write = write_grsec_handler,
55594 + .open = open_learn,
55595 + .release = close_learn,
55596 + .poll = poll_learn,
55597 +};
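Review bot: In gr_add_learn_entry, `learn_buffer_len += len + 1` trusts the return value of vsnprintf(), which is the length the output would have had rather than the number of bytes stored, so a record longer than the space left moves learn_buffer_len past LEARN_BUFFER_SIZE and the next read_learn() memcpy()s that many bytes between two 512k vmalloc buffers. The 16384-byte gap only prevents this if no learn record can be longer than that, which this hunk does not show; `len = vscnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);` keeps the counter inside the buffer either way. Separately, read_learn() never compares `count` with learn_buffer_user_len before copy_to_user(), so a reader that passes a buffer smaller than the pending data has more bytes written into it than it asked for. One option is to reject short reads up front with `if (count < LEARN_BUFFER_SIZE) return -EINVAL;`.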
55598 diff -urNp linux-2.6.32.46/grsecurity/gracl_res.c linux-2.6.32.46/grsecurity/gracl_res.c
55599 --- linux-2.6.32.46/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
55600 +++ linux-2.6.32.46/grsecurity/gracl_res.c 2011-04-17 15:56:46.000000000 -0400
55601 @@ -0,0 +1,67 @@
55602 +#include <linux/kernel.h>
55603 +#include <linux/sched.h>
55604 +#include <linux/gracl.h>
55605 +#include <linux/grinternal.h>
55606 +
55607 +static const char *restab_log[] = {
55608 + [RLIMIT_CPU] = "RLIMIT_CPU",
55609 + [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
55610 + [RLIMIT_DATA] = "RLIMIT_DATA",
55611 + [RLIMIT_STACK] = "RLIMIT_STACK",
55612 + [RLIMIT_CORE] = "RLIMIT_CORE",
55613 + [RLIMIT_RSS] = "RLIMIT_RSS",
55614 + [RLIMIT_NPROC] = "RLIMIT_NPROC",
55615 + [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
55616 + [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
55617 + [RLIMIT_AS] = "RLIMIT_AS",
55618 + [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
55619 + [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
55620 + [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
55621 + [RLIMIT_NICE] = "RLIMIT_NICE",
55622 + [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
55623 + [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
55624 + [GR_CRASH_RES] = "RLIMIT_CRASH"
55625 +};
55626 +
55627 +void
55628 +gr_log_resource(const struct task_struct *task,
55629 + const int res, const unsigned long wanted, const int gt)
55630 +{
55631 + const struct cred *cred;
55632 + unsigned long rlim;
55633 +
55634 + if (!gr_acl_is_enabled() && !grsec_resource_logging)
55635 + return;
55636 +
55637 + // not yet supported resource
55638 + if (unlikely(!restab_log[res]))
55639 + return;
55640 +
55641 + if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
55642 + rlim = task->signal->rlim[res].rlim_max;
55643 + else
55644 + rlim = task->signal->rlim[res].rlim_cur;
55645 + if (likely((rlim == RLIM_INFINITY) || (gt && wanted <= rlim) || (!gt && wanted < rlim)))
55646 + return;
55647 +
55648 + rcu_read_lock();
55649 + cred = __task_cred(task);
55650 +
55651 + if (res == RLIMIT_NPROC &&
55652 + (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
55653 + cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
55654 + goto out_rcu_unlock;
55655 + else if (res == RLIMIT_MEMLOCK &&
55656 + cap_raised(cred->cap_effective, CAP_IPC_LOCK))
55657 + goto out_rcu_unlock;
55658 + else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
55659 + goto out_rcu_unlock;
55660 + rcu_read_unlock();
55661 +
55662 + gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
55663 +
55664 + return;
55665 +out_rcu_unlock:
55666 + rcu_read_unlock();
55667 + return;
55668 +}
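Review bot: gr_log_resource indexes `restab_log[res]` and then `task->signal->rlim[res]` without checking that `res` lies inside either array, so a negative or too-large value from any caller is an out-of-bounds read before the "not yet supported resource" test can reject it. A range check in front of the lookup costs nothing on this path: `if (unlikely(res < 0 || res >= (int)ARRAY_SIZE(restab_log) || !restab_log[res])) return;`. The table also names GR_CRASH_RES, which passes that test and is then used as an index into `rlim[]`. Whether that index is below RLIM_NLIMITS is not visible here and should be confirmed or excluded explicitly.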
55669 diff -urNp linux-2.6.32.46/grsecurity/gracl_segv.c linux-2.6.32.46/grsecurity/gracl_segv.c
55670 --- linux-2.6.32.46/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
55671 +++ linux-2.6.32.46/grsecurity/gracl_segv.c 2011-04-17 15:56:46.000000000 -0400
55672 @@ -0,0 +1,284 @@
55673 +#include <linux/kernel.h>
55674 +#include <linux/mm.h>
55675 +#include <asm/uaccess.h>
55676 +#include <asm/errno.h>
55677 +#include <asm/mman.h>
55678 +#include <net/sock.h>
55679 +#include <linux/file.h>
55680 +#include <linux/fs.h>
55681 +#include <linux/net.h>
55682 +#include <linux/in.h>
55683 +#include <linux/smp_lock.h>
55684 +#include <linux/slab.h>
55685 +#include <linux/types.h>
55686 +#include <linux/sched.h>
55687 +#include <linux/timer.h>
55688 +#include <linux/gracl.h>
55689 +#include <linux/grsecurity.h>
55690 +#include <linux/grinternal.h>
55691 +
55692 +static struct crash_uid *uid_set;
55693 +static unsigned short uid_used;
55694 +static DEFINE_SPINLOCK(gr_uid_lock);
55695 +extern rwlock_t gr_inode_lock;
55696 +extern struct acl_subject_label *
55697 + lookup_acl_subj_label(const ino_t inode, const dev_t dev,
55698 + struct acl_role_label *role);
55699 +extern int gr_fake_force_sig(int sig, struct task_struct *t);
55700 +
55701 +int
55702 +gr_init_uidset(void)
55703 +{
55704 + uid_set =
55705 + kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
55706 + uid_used = 0;
55707 +
55708 + return uid_set ? 1 : 0;
55709 +}
55710 +
55711 +void
55712 +gr_free_uidset(void)
55713 +{
55714 + if (uid_set)
55715 + kfree(uid_set);
55716 +
55717 + return;
55718 +}
55719 +
55720 +int
55721 +gr_find_uid(const uid_t uid)
55722 +{
55723 + struct crash_uid *tmp = uid_set;
55724 + uid_t buid;
55725 + int low = 0, high = uid_used - 1, mid;
55726 +
55727 + while (high >= low) {
55728 + mid = (low + high) >> 1;
55729 + buid = tmp[mid].uid;
55730 + if (buid == uid)
55731 + return mid;
55732 + if (buid > uid)
55733 + high = mid - 1;
55734 + if (buid < uid)
55735 + low = mid + 1;
55736 + }
55737 +
55738 + return -1;
55739 +}
55740 +
55741 +static __inline__ void
55742 +gr_insertsort(void)
55743 +{
55744 + unsigned short i, j;
55745 + struct crash_uid index;
55746 +
55747 + for (i = 1; i < uid_used; i++) {
55748 + index = uid_set[i];
55749 + j = i;
55750 + while ((j > 0) && uid_set[j - 1].uid > index.uid) {
55751 + uid_set[j] = uid_set[j - 1];
55752 + j--;
55753 + }
55754 + uid_set[j] = index;
55755 + }
55756 +
55757 + return;
55758 +}
55759 +
55760 +static __inline__ void
55761 +gr_insert_uid(const uid_t uid, const unsigned long expires)
55762 +{
55763 + int loc;
55764 +
55765 + if (uid_used == GR_UIDTABLE_MAX)
55766 + return;
55767 +
55768 + loc = gr_find_uid(uid);
55769 +
55770 + if (loc >= 0) {
55771 + uid_set[loc].expires = expires;
55772 + return;
55773 + }
55774 +
55775 + uid_set[uid_used].uid = uid;
55776 + uid_set[uid_used].expires = expires;
55777 + uid_used++;
55778 +
55779 + gr_insertsort();
55780 +
55781 + return;
55782 +}
55783 +
55784 +void
55785 +gr_remove_uid(const unsigned short loc)
55786 +{
55787 + unsigned short i;
55788 +
55789 + for (i = loc + 1; i < uid_used; i++)
55790 + uid_set[i - 1] = uid_set[i];
55791 +
55792 + uid_used--;
55793 +
55794 + return;
55795 +}
55796 +
55797 +int
55798 +gr_check_crash_uid(const uid_t uid)
55799 +{
55800 + int loc;
55801 + int ret = 0;
55802 +
55803 + if (unlikely(!gr_acl_is_enabled()))
55804 + return 0;
55805 +
55806 + spin_lock(&gr_uid_lock);
55807 + loc = gr_find_uid(uid);
55808 +
55809 + if (loc < 0)
55810 + goto out_unlock;
55811 +
55812 + if (time_before_eq(uid_set[loc].expires, get_seconds()))
55813 + gr_remove_uid(loc);
55814 + else
55815 + ret = 1;
55816 +
55817 +out_unlock:
55818 + spin_unlock(&gr_uid_lock);
55819 + return ret;
55820 +}
55821 +
55822 +static __inline__ int
55823 +proc_is_setxid(const struct cred *cred)
55824 +{
55825 + if (cred->uid != cred->euid || cred->uid != cred->suid ||
55826 + cred->uid != cred->fsuid)
55827 + return 1;
55828 + if (cred->gid != cred->egid || cred->gid != cred->sgid ||
55829 + cred->gid != cred->fsgid)
55830 + return 1;
55831 +
55832 + return 0;
55833 +}
55834 +
55835 +void
55836 +gr_handle_crash(struct task_struct *task, const int sig)
55837 +{
55838 + struct acl_subject_label *curr;
55839 + struct acl_subject_label *curr2;
55840 + struct task_struct *tsk, *tsk2;
55841 + const struct cred *cred;
55842 + const struct cred *cred2;
55843 +
55844 + if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
55845 + return;
55846 +
55847 + if (unlikely(!gr_acl_is_enabled()))
55848 + return;
55849 +
55850 + curr = task->acl;
55851 +
55852 + if (!(curr->resmask & (1 << GR_CRASH_RES)))
55853 + return;
55854 +
55855 + if (time_before_eq(curr->expires, get_seconds())) {
55856 + curr->expires = 0;
55857 + curr->crashes = 0;
55858 + }
55859 +
55860 + curr->crashes++;
55861 +
55862 + if (!curr->expires)
55863 + curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
55864 +
55865 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
55866 + time_after(curr->expires, get_seconds())) {
55867 + rcu_read_lock();
55868 + cred = __task_cred(task);
55869 + if (cred->uid && proc_is_setxid(cred)) {
55870 + gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
55871 + spin_lock(&gr_uid_lock);
55872 + gr_insert_uid(cred->uid, curr->expires);
55873 + spin_unlock(&gr_uid_lock);
55874 + curr->expires = 0;
55875 + curr->crashes = 0;
55876 + read_lock(&tasklist_lock);
55877 + do_each_thread(tsk2, tsk) {
55878 + cred2 = __task_cred(tsk);
55879 + if (tsk != task && cred2->uid == cred->uid)
55880 + gr_fake_force_sig(SIGKILL, tsk);
55881 + } while_each_thread(tsk2, tsk);
55882 + read_unlock(&tasklist_lock);
55883 + } else {
55884 + gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
55885 + read_lock(&tasklist_lock);
55886 + do_each_thread(tsk2, tsk) {
55887 + if (likely(tsk != task)) {
55888 + curr2 = tsk->acl;
55889 +
55890 + if (curr2->device == curr->device &&
55891 + curr2->inode == curr->inode)
55892 + gr_fake_force_sig(SIGKILL, tsk);
55893 + }
55894 + } while_each_thread(tsk2, tsk);
55895 + read_unlock(&tasklist_lock);
55896 + }
55897 + rcu_read_unlock();
55898 + }
55899 +
55900 + return;
55901 +}
55902 +
55903 +int
55904 +gr_check_crash_exec(const struct file *filp)
55905 +{
55906 + struct acl_subject_label *curr;
55907 +
55908 + if (unlikely(!gr_acl_is_enabled()))
55909 + return 0;
55910 +
55911 + read_lock(&gr_inode_lock);
55912 + curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
55913 + filp->f_path.dentry->d_inode->i_sb->s_dev,
55914 + current->role);
55915 + read_unlock(&gr_inode_lock);
55916 +
55917 + if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
55918 + (!curr->crashes && !curr->expires))
55919 + return 0;
55920 +
55921 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
55922 + time_after(curr->expires, get_seconds()))
55923 + return 1;
55924 + else if (time_before_eq(curr->expires, get_seconds())) {
55925 + curr->crashes = 0;
55926 + curr->expires = 0;
55927 + }
55928 +
55929 + return 0;
55930 +}
55931 +
55932 +void
55933 +gr_handle_alertkill(struct task_struct *task)
55934 +{
55935 + struct acl_subject_label *curracl;
55936 + __u32 curr_ip;
55937 + struct task_struct *p, *p2;
55938 +
55939 + if (unlikely(!gr_acl_is_enabled()))
55940 + return;
55941 +
55942 + curracl = task->acl;
55943 + curr_ip = task->signal->curr_ip;
55944 +
55945 + if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
55946 + read_lock(&tasklist_lock);
55947 + do_each_thread(p2, p) {
55948 + if (p->signal->curr_ip == curr_ip)
55949 + gr_fake_force_sig(SIGKILL, p);
55950 + } while_each_thread(p2, p);
55951 + read_unlock(&tasklist_lock);
55952 + } else if (curracl->mode & GR_KILLPROC)
55953 + gr_fake_force_sig(SIGKILL, task);
55954 +
55955 + return;
55956 +}
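Review bot: gr_free_uidset() frees `uid_set` but leaves the pointer and `uid_used` unchanged, and it does not take gr_uid_lock. If gr_check_crash_uid() runs afterwards with `uid_used` still non-zero (whether a caller can do so is not visible in this hunk), gr_find_uid() would binary-search freed memory. Resetting the state in the free path, while holding gr_uid_lock, removes that dependency on call order: `kfree(uid_set); uid_set = NULL; uid_used = 0;`. Since kfree(NULL) is a no-op, the `if (uid_set)` guard can go, and gr_find_uid() could return -1 early when `uid_set` is NULL.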
55957 diff -urNp linux-2.6.32.46/grsecurity/gracl_shm.c linux-2.6.32.46/grsecurity/gracl_shm.c
55958 --- linux-2.6.32.46/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
55959 +++ linux-2.6.32.46/grsecurity/gracl_shm.c 2011-04-17 15:56:46.000000000 -0400
55960 @@ -0,0 +1,40 @@
55961 +#include <linux/kernel.h>
55962 +#include <linux/mm.h>
55963 +#include <linux/sched.h>
55964 +#include <linux/file.h>
55965 +#include <linux/ipc.h>
55966 +#include <linux/gracl.h>
55967 +#include <linux/grsecurity.h>
55968 +#include <linux/grinternal.h>
55969 +
55970 +int
55971 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
55972 + const time_t shm_createtime, const uid_t cuid, const int shmid)
55973 +{
55974 + struct task_struct *task;
55975 +
55976 + if (!gr_acl_is_enabled())
55977 + return 1;
55978 +
55979 + rcu_read_lock();
55980 + read_lock(&tasklist_lock);
55981 +
55982 + task = find_task_by_vpid(shm_cprid);
55983 +
55984 + if (unlikely(!task))
55985 + task = find_task_by_vpid(shm_lapid);
55986 +
55987 + if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
55988 + (task->pid == shm_lapid)) &&
55989 + (task->acl->mode & GR_PROTSHM) &&
55990 + (task->acl != current->acl))) {
55991 + read_unlock(&tasklist_lock);
55992 + rcu_read_unlock();
55993 + gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
55994 + return 0;
55995 + }
55996 + read_unlock(&tasklist_lock);
55997 + rcu_read_unlock();
55998 +
55999 + return 1;
56000 +}
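Review bot: gr_handle_shmat has no comment explaining its return convention or its compound condition, and both are easy to misread. It returns 1 to allow the attach and 0 to deny it, and the denial requires the looked-up task to carry GR_PROTSHM and to have a different `acl` from the caller. I would add a header comment such as `/* returns 1 if the attach may proceed, 0 if the segment belongs to a task in a different GR_PROTSHM subject */` and a one-line comment on the `time_before_eq(start_time, shm_createtime)` test stating its purpose, which is presumably to reject a task that merely reuses the creator's pid. The `task->pid == shm_lapid` alternative has no such time check, so the last-attacher match relies on the pid alone; if that is intended, the comment should say so.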
56001 diff -urNp linux-2.6.32.46/grsecurity/grsec_chdir.c linux-2.6.32.46/grsecurity/grsec_chdir.c
56002 --- linux-2.6.32.46/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
56003 +++ linux-2.6.32.46/grsecurity/grsec_chdir.c 2011-04-17 15:56:46.000000000 -0400
56004 @@ -0,0 +1,19 @@
56005 +#include <linux/kernel.h>
56006 +#include <linux/sched.h>
56007 +#include <linux/fs.h>
56008 +#include <linux/file.h>
56009 +#include <linux/grsecurity.h>
56010 +#include <linux/grinternal.h>
56011 +
56012 +void
56013 +gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
56014 +{
56015 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
56016 + if ((grsec_enable_chdir && grsec_enable_group &&
56017 + in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
56018 + !grsec_enable_group)) {
56019 + gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
56020 + }
56021 +#endif
56022 + return;
56023 +}
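Review bot: The condition in gr_log_chdir tests `grsec_enable_chdir` twice and spells out both group cases separately, which hides the fact that it is a single "enabled, and either no group filter or the caller is in the audit group" predicate. It reads more directly as `if (grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid)))`, which evaluates in_group_p() under the same circumstances as the original. The trailing `return;` in this void function can be dropped as well.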
56024 diff -urNp linux-2.6.32.46/grsecurity/grsec_chroot.c linux-2.6.32.46/grsecurity/grsec_chroot.c
56025 --- linux-2.6.32.46/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
56026 +++ linux-2.6.32.46/grsecurity/grsec_chroot.c 2011-09-15 06:48:16.000000000 -0400
56027 @@ -0,0 +1,386 @@
56028 +#include <linux/kernel.h>
56029 +#include <linux/module.h>
56030 +#include <linux/sched.h>
56031 +#include <linux/file.h>
56032 +#include <linux/fs.h>
56033 +#include <linux/mount.h>
56034 +#include <linux/types.h>
56035 +#include <linux/pid_namespace.h>
56036 +#include <linux/grsecurity.h>
56037 +#include <linux/grinternal.h>
56038 +
56039 +void gr_set_chroot_entries(struct task_struct *task, struct path *path)
56040 +{
56041 +#ifdef CONFIG_GRKERNSEC
56042 + if (task->pid > 1 && path->dentry != init_task.fs->root.dentry &&
56043 + path->dentry != task->nsproxy->mnt_ns->root->mnt_root)
56044 + task->gr_is_chrooted = 1;
56045 + else
56046 + task->gr_is_chrooted = 0;
56047 +
56048 + task->gr_chroot_dentry = path->dentry;
56049 +#endif
56050 + return;
56051 +}
56052 +
56053 +void gr_clear_chroot_entries(struct task_struct *task)
56054 +{
56055 +#ifdef CONFIG_GRKERNSEC
56056 + task->gr_is_chrooted = 0;
56057 + task->gr_chroot_dentry = NULL;
56058 +#endif
56059 + return;
56060 +}
56061 +
56062 +int
56063 +gr_handle_chroot_unix(const pid_t pid)
56064 +{
56065 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
56066 + struct task_struct *p;
56067 +
56068 + if (unlikely(!grsec_enable_chroot_unix))
56069 + return 1;
56070 +
56071 + if (likely(!proc_is_chrooted(current)))
56072 + return 1;
56073 +
56074 + rcu_read_lock();
56075 + read_lock(&tasklist_lock);
56076 +
56077 + p = find_task_by_vpid_unrestricted(pid);
56078 + if (unlikely(p && !have_same_root(current, p))) {
56079 + read_unlock(&tasklist_lock);
56080 + rcu_read_unlock();
56081 + gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
56082 + return 0;
56083 + }
56084 + read_unlock(&tasklist_lock);
56085 + rcu_read_unlock();
56086 +#endif
56087 + return 1;
56088 +}
56089 +
56090 +int
56091 +gr_handle_chroot_nice(void)
56092 +{
56093 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
56094 + if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
56095 + gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
56096 + return -EPERM;
56097 + }
56098 +#endif
56099 + return 0;
56100 +}
56101 +
56102 +int
56103 +gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
56104 +{
56105 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
56106 + if (grsec_enable_chroot_nice && (niceval < task_nice(p))
56107 + && proc_is_chrooted(current)) {
56108 + gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
56109 + return -EACCES;
56110 + }
56111 +#endif
56112 + return 0;
56113 +}
56114 +
56115 +int
56116 +gr_handle_chroot_rawio(const struct inode *inode)
56117 +{
56118 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
56119 + if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
56120 + inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
56121 + return 1;
56122 +#endif
56123 + return 0;
56124 +}
56125 +
56126 +int
56127 +gr_handle_chroot_fowner(struct pid *pid, enum pid_type type)
56128 +{
56129 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
56130 + struct task_struct *p;
56131 + int ret = 0;
56132 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || !pid)
56133 + return ret;
56134 +
56135 + read_lock(&tasklist_lock);
56136 + do_each_pid_task(pid, type, p) {
56137 + if (!have_same_root(current, p)) {
56138 + ret = 1;
56139 + goto out;
56140 + }
56141 + } while_each_pid_task(pid, type, p);
56142 +out:
56143 + read_unlock(&tasklist_lock);
56144 + return ret;
56145 +#endif
56146 + return 0;
56147 +}
56148 +
56149 +int
56150 +gr_pid_is_chrooted(struct task_struct *p)
56151 +{
56152 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
56153 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
56154 + return 0;
56155 +
56156 + if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
56157 + !have_same_root(current, p)) {
56158 + return 1;
56159 + }
56160 +#endif
56161 + return 0;
56162 +}
56163 +
56164 +EXPORT_SYMBOL(gr_pid_is_chrooted);
56165 +
56166 +#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
56167 +int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
56168 +{
56169 + struct dentry *dentry = (struct dentry *)u_dentry;
56170 + struct vfsmount *mnt = (struct vfsmount *)u_mnt;
56171 + struct dentry *realroot;
56172 + struct vfsmount *realrootmnt;
56173 + struct dentry *currentroot;
56174 + struct vfsmount *currentmnt;
56175 + struct task_struct *reaper = &init_task;
56176 + int ret = 1;
56177 +
56178 + read_lock(&reaper->fs->lock);
56179 + realrootmnt = mntget(reaper->fs->root.mnt);
56180 + realroot = dget(reaper->fs->root.dentry);
56181 + read_unlock(&reaper->fs->lock);
56182 +
56183 + read_lock(&current->fs->lock);
56184 + currentmnt = mntget(current->fs->root.mnt);
56185 + currentroot = dget(current->fs->root.dentry);
56186 + read_unlock(&current->fs->lock);
56187 +
56188 + spin_lock(&dcache_lock);
56189 + for (;;) {
56190 + if (unlikely((dentry == realroot && mnt == realrootmnt)
56191 + || (dentry == currentroot && mnt == currentmnt)))
56192 + break;
56193 + if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) {
56194 + if (mnt->mnt_parent == mnt)
56195 + break;
56196 + dentry = mnt->mnt_mountpoint;
56197 + mnt = mnt->mnt_parent;
56198 + continue;
56199 + }
56200 + dentry = dentry->d_parent;
56201 + }
56202 + spin_unlock(&dcache_lock);
56203 +
56204 + dput(currentroot);
56205 + mntput(currentmnt);
56206 +
56207 + /* access is outside of chroot */
56208 + if (dentry == realroot && mnt == realrootmnt)
56209 + ret = 0;
56210 +
56211 + dput(realroot);
56212 + mntput(realrootmnt);
56213 + return ret;
56214 +}
56215 +#endif
56216 +
56217 +int
56218 +gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
56219 +{
56220 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
56221 + if (!grsec_enable_chroot_fchdir)
56222 + return 1;
56223 +
56224 + if (!proc_is_chrooted(current))
56225 + return 1;
56226 + else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
56227 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
56228 + return 0;
56229 + }
56230 +#endif
56231 + return 1;
56232 +}
56233 +
56234 +int
56235 +gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
56236 + const time_t shm_createtime)
56237 +{
56238 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
56239 + struct task_struct *p;
56240 + time_t starttime;
56241 +
56242 + if (unlikely(!grsec_enable_chroot_shmat))
56243 + return 1;
56244 +
56245 + if (likely(!proc_is_chrooted(current)))
56246 + return 1;
56247 +
56248 + rcu_read_lock();
56249 + read_lock(&tasklist_lock);
56250 +
56251 + if ((p = find_task_by_vpid_unrestricted(shm_cprid))) {
56252 + starttime = p->start_time.tv_sec;
56253 + if (time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime)) {
56254 + if (have_same_root(current, p)) {
56255 + goto allow;
56256 + } else {
56257 + read_unlock(&tasklist_lock);
56258 + rcu_read_unlock();
56259 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
56260 + return 0;
56261 + }
56262 + }
56263 + /* creator exited, pid reuse, fall through to next check */
56264 + }
56265 + if ((p = find_task_by_vpid_unrestricted(shm_lapid))) {
56266 + if (unlikely(!have_same_root(current, p))) {
56267 + read_unlock(&tasklist_lock);
56268 + rcu_read_unlock();
56269 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
56270 + return 0;
56271 + }
56272 + }
56273 +
56274 +allow:
56275 + read_unlock(&tasklist_lock);
56276 + rcu_read_unlock();
56277 +#endif
56278 + return 1;
56279 +}
56280 +
56281 +void
56282 +gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
56283 +{
56284 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
56285 + if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
56286 + gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
56287 +#endif
56288 + return;
56289 +}
56290 +
56291 +int
56292 +gr_handle_chroot_mknod(const struct dentry *dentry,
56293 + const struct vfsmount *mnt, const int mode)
56294 +{
56295 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
56296 + if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
56297 + proc_is_chrooted(current)) {
56298 + gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
56299 + return -EPERM;
56300 + }
56301 +#endif
56302 + return 0;
56303 +}
56304 +
56305 +int
56306 +gr_handle_chroot_mount(const struct dentry *dentry,
56307 + const struct vfsmount *mnt, const char *dev_name)
56308 +{
56309 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
56310 + if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
56311 + gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name ? dev_name : "none" , dentry, mnt);
56312 + return -EPERM;
56313 + }
56314 +#endif
56315 + return 0;
56316 +}
56317 +
56318 +int
56319 +gr_handle_chroot_pivot(void)
56320 +{
56321 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
56322 + if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
56323 + gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
56324 + return -EPERM;
56325 + }
56326 +#endif
56327 + return 0;
56328 +}
56329 +
56330 +int
56331 +gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
56332 +{
56333 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
56334 + if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
56335 + !gr_is_outside_chroot(dentry, mnt)) {
56336 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
56337 + return -EPERM;
56338 + }
56339 +#endif
56340 + return 0;
56341 +}
56342 +
56343 +extern const char *captab_log[];
56344 +extern int captab_log_entries;
56345 +
56346 +int
56347 +gr_chroot_is_capable(const int cap)
56348 +{
56349 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
56350 + if (grsec_enable_chroot_caps && proc_is_chrooted(current)) {
56351 + kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
56352 + if (cap_raised(chroot_caps, cap)) {
56353 + const struct cred *creds = current_cred();
56354 + if (cap_raised(creds->cap_effective, cap) && cap < captab_log_entries) {
56355 + gr_log_cap(GR_DONT_AUDIT, GR_CAP_CHROOT_MSG, current, captab_log[cap]);
56356 + }
56357 + return 0;
56358 + }
56359 + }
56360 +#endif
56361 + return 1;
56362 +}
56363 +
56364 +int
56365 +gr_chroot_is_capable_nolog(const int cap)
56366 +{
56367 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
56368 + if (grsec_enable_chroot_caps && proc_is_chrooted(current)) {
56369 + kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
56370 + if (cap_raised(chroot_caps, cap)) {
56371 + return 0;
56372 + }
56373 + }
56374 +#endif
56375 + return 1;
56376 +}
56377 +
56378 +int
56379 +gr_handle_chroot_sysctl(const int op)
56380 +{
56381 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
56382 + if (grsec_enable_chroot_sysctl && proc_is_chrooted(current)
56383 + && (op & MAY_WRITE))
56384 + return -EACCES;
56385 +#endif
56386 + return 0;
56387 +}
56388 +
56389 +void
56390 +gr_handle_chroot_chdir(struct path *path)
56391 +{
56392 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
56393 + if (grsec_enable_chroot_chdir)
56394 + set_fs_pwd(current->fs, path);
56395 +#endif
56396 + return;
56397 +}
56398 +
56399 +int
56400 +gr_handle_chroot_chmod(const struct dentry *dentry,
56401 + const struct vfsmount *mnt, const int mode)
56402 +{
56403 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
56404 + /* allow chmod +s on directories, but not on files */
56405 + if (grsec_enable_chroot_chmod && !S_ISDIR(dentry->d_inode->i_mode) &&
56406 + ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
56407 + proc_is_chrooted(current)) {
56408 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
56409 + return -EPERM;
56410 + }
56411 +#endif
56412 + return 0;
56413 +}
56414 diff -urNp linux-2.6.32.46/grsecurity/grsec_disabled.c linux-2.6.32.46/grsecurity/grsec_disabled.c
56415 --- linux-2.6.32.46/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
56416 +++ linux-2.6.32.46/grsecurity/grsec_disabled.c 2011-09-24 08:13:29.000000000 -0400
56417 @@ -0,0 +1,433 @@
56418 +#include <linux/kernel.h>
56419 +#include <linux/module.h>
56420 +#include <linux/sched.h>
56421 +#include <linux/file.h>
56422 +#include <linux/fs.h>
56423 +#include <linux/kdev_t.h>
56424 +#include <linux/net.h>
56425 +#include <linux/in.h>
56426 +#include <linux/ip.h>
56427 +#include <linux/skbuff.h>
56428 +#include <linux/sysctl.h>
56429 +
56430 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
56431 +void
56432 +pax_set_initial_flags(struct linux_binprm *bprm)
56433 +{
56434 + return;
56435 +}
56436 +#endif
56437 +
56438 +#ifdef CONFIG_SYSCTL
56439 +__u32
56440 +gr_handle_sysctl(const struct ctl_table * table, const int op)
56441 +{
56442 + return 0;
56443 +}
56444 +#endif
56445 +
56446 +#ifdef CONFIG_TASKSTATS
56447 +int gr_is_taskstats_denied(int pid)
56448 +{
56449 + return 0;
56450 +}
56451 +#endif
56452 +
56453 +int
56454 +gr_acl_is_enabled(void)
56455 +{
56456 + return 0;
56457 +}
56458 +
56459 +int
56460 +gr_handle_rawio(const struct inode *inode)
56461 +{
56462 + return 0;
56463 +}
56464 +
56465 +void
56466 +gr_acl_handle_psacct(struct task_struct *task, const long code)
56467 +{
56468 + return;
56469 +}
56470 +
56471 +int
56472 +gr_handle_ptrace(struct task_struct *task, const long request)
56473 +{
56474 + return 0;
56475 +}
56476 +
56477 +int
56478 +gr_handle_proc_ptrace(struct task_struct *task)
56479 +{
56480 + return 0;
56481 +}
56482 +
56483 +void
56484 +gr_learn_resource(const struct task_struct *task,
56485 + const int res, const unsigned long wanted, const int gt)
56486 +{
56487 + return;
56488 +}
56489 +
56490 +int
56491 +gr_set_acls(const int type)
56492 +{
56493 + return 0;
56494 +}
56495 +
56496 +int
56497 +gr_check_hidden_task(const struct task_struct *tsk)
56498 +{
56499 + return 0;
56500 +}
56501 +
56502 +int
56503 +gr_check_protected_task(const struct task_struct *task)
56504 +{
56505 + return 0;
56506 +}
56507 +
56508 +int
56509 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
56510 +{
56511 + return 0;
56512 +}
56513 +
56514 +void
56515 +gr_copy_label(struct task_struct *tsk)
56516 +{
56517 + return;
56518 +}
56519 +
56520 +void
56521 +gr_set_pax_flags(struct task_struct *task)
56522 +{
56523 + return;
56524 +}
56525 +
56526 +int
56527 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
56528 + const int unsafe_share)
56529 +{
56530 + return 0;
56531 +}
56532 +
56533 +void
56534 +gr_handle_delete(const ino_t ino, const dev_t dev)
56535 +{
56536 + return;
56537 +}
56538 +
56539 +void
56540 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
56541 +{
56542 + return;
56543 +}
56544 +
56545 +void
56546 +gr_handle_crash(struct task_struct *task, const int sig)
56547 +{
56548 + return;
56549 +}
56550 +
56551 +int
56552 +gr_check_crash_exec(const struct file *filp)
56553 +{
56554 + return 0;
56555 +}
56556 +
56557 +int
56558 +gr_check_crash_uid(const uid_t uid)
56559 +{
56560 + return 0;
56561 +}
56562 +
56563 +void
56564 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
56565 + struct dentry *old_dentry,
56566 + struct dentry *new_dentry,
56567 + struct vfsmount *mnt, const __u8 replace)
56568 +{
56569 + return;
56570 +}
56571 +
56572 +int
56573 +gr_search_socket(const int family, const int type, const int protocol)
56574 +{
56575 + return 1;
56576 +}
56577 +
56578 +int
56579 +gr_search_connectbind(const int mode, const struct socket *sock,
56580 + const struct sockaddr_in *addr)
56581 +{
56582 + return 0;
56583 +}
56584 +
56585 +void
56586 +gr_handle_alertkill(struct task_struct *task)
56587 +{
56588 + return;
56589 +}
56590 +
56591 +__u32
56592 +gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
56593 +{
56594 + return 1;
56595 +}
56596 +
56597 +__u32
56598 +gr_acl_handle_hidden_file(const struct dentry * dentry,
56599 + const struct vfsmount * mnt)
56600 +{
56601 + return 1;
56602 +}
56603 +
56604 +__u32
56605 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
56606 + const int fmode)
56607 +{
56608 + return 1;
56609 +}
56610 +
56611 +__u32
56612 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
56613 +{
56614 + return 1;
56615 +}
56616 +
56617 +__u32
56618 +gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
56619 +{
56620 + return 1;
56621 +}
56622 +
56623 +int
56624 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
56625 + unsigned int *vm_flags)
56626 +{
56627 + return 1;
56628 +}
56629 +
56630 +__u32
56631 +gr_acl_handle_truncate(const struct dentry * dentry,
56632 + const struct vfsmount * mnt)
56633 +{
56634 + return 1;
56635 +}
56636 +
56637 +__u32
56638 +gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
56639 +{
56640 + return 1;
56641 +}
56642 +
56643 +__u32
56644 +gr_acl_handle_access(const struct dentry * dentry,
56645 + const struct vfsmount * mnt, const int fmode)
56646 +{
56647 + return 1;
56648 +}
56649 +
56650 +__u32
56651 +gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
56652 + mode_t mode)
56653 +{
56654 + return 1;
56655 +}
56656 +
56657 +__u32
56658 +gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
56659 + mode_t mode)
56660 +{
56661 + return 1;
56662 +}
56663 +
56664 +__u32
56665 +gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
56666 +{
56667 + return 1;
56668 +}
56669 +
56670 +__u32
56671 +gr_acl_handle_setxattr(const struct dentry * dentry, const struct vfsmount * mnt)
56672 +{
56673 + return 1;
56674 +}
56675 +
56676 +void
56677 +grsecurity_init(void)
56678 +{
56679 + return;
56680 +}
56681 +
56682 +__u32
56683 +gr_acl_handle_mknod(const struct dentry * new_dentry,
56684 + const struct dentry * parent_dentry,
56685 + const struct vfsmount * parent_mnt,
56686 + const int mode)
56687 +{
56688 + return 1;
56689 +}
56690 +
56691 +__u32
56692 +gr_acl_handle_mkdir(const struct dentry * new_dentry,
56693 + const struct dentry * parent_dentry,
56694 + const struct vfsmount * parent_mnt)
56695 +{
56696 + return 1;
56697 +}
56698 +
56699 +__u32
56700 +gr_acl_handle_symlink(const struct dentry * new_dentry,
56701 + const struct dentry * parent_dentry,
56702 + const struct vfsmount * parent_mnt, const char *from)
56703 +{
56704 + return 1;
56705 +}
56706 +
56707 +__u32
56708 +gr_acl_handle_link(const struct dentry * new_dentry,
56709 + const struct dentry * parent_dentry,
56710 + const struct vfsmount * parent_mnt,
56711 + const struct dentry * old_dentry,
56712 + const struct vfsmount * old_mnt, const char *to)
56713 +{
56714 + return 1;
56715 +}
56716 +
56717 +int
56718 +gr_acl_handle_rename(const struct dentry *new_dentry,
56719 + const struct dentry *parent_dentry,
56720 + const struct vfsmount *parent_mnt,
56721 + const struct dentry *old_dentry,
56722 + const struct inode *old_parent_inode,
56723 + const struct vfsmount *old_mnt, const char *newname)
56724 +{
56725 + return 0;
56726 +}
56727 +
56728 +int
56729 +gr_acl_handle_filldir(const struct file *file, const char *name,
56730 + const int namelen, const ino_t ino)
56731 +{
56732 + return 1;
56733 +}
56734 +
56735 +int
56736 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
56737 + const time_t shm_createtime, const uid_t cuid, const int shmid)
56738 +{
56739 + return 1;
56740 +}
56741 +
56742 +int
56743 +gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
56744 +{
56745 + return 0;
56746 +}
56747 +
56748 +int
56749 +gr_search_accept(const struct socket *sock)
56750 +{
56751 + return 0;
56752 +}
56753 +
56754 +int
56755 +gr_search_listen(const struct socket *sock)
56756 +{
56757 + return 0;
56758 +}
56759 +
56760 +int
56761 +gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
56762 +{
56763 + return 0;
56764 +}
56765 +
56766 +__u32
56767 +gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
56768 +{
56769 + return 1;
56770 +}
56771 +
56772 +__u32
56773 +gr_acl_handle_creat(const struct dentry * dentry,
56774 + const struct dentry * p_dentry,
56775 + const struct vfsmount * p_mnt, const int fmode,
56776 + const int imode)
56777 +{
56778 + return 1;
56779 +}
56780 +
56781 +void
56782 +gr_acl_handle_exit(void)
56783 +{
56784 + return;
56785 +}
56786 +
56787 +int
56788 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
56789 +{
56790 + return 1;
56791 +}
56792 +
56793 +void
56794 +gr_set_role_label(const uid_t uid, const gid_t gid)
56795 +{
56796 + return;
56797 +}
56798 +
56799 +int
56800 +gr_acl_handle_procpidmem(const struct task_struct *task)
56801 +{
56802 + return 0;
56803 +}
56804 +
56805 +int
56806 +gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
56807 +{
56808 + return 0;
56809 +}
56810 +
56811 +int
56812 +gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
56813 +{
56814 + return 0;
56815 +}
56816 +
56817 +void
56818 +gr_set_kernel_label(struct task_struct *task)
56819 +{
56820 + return;
56821 +}
56822 +
56823 +int
56824 +gr_check_user_change(int real, int effective, int fs)
56825 +{
56826 + return 0;
56827 +}
56828 +
56829 +int
56830 +gr_check_group_change(int real, int effective, int fs)
56831 +{
56832 + return 0;
56833 +}
56834 +
56835 +int gr_acl_enable_at_secure(void)
56836 +{
56837 + return 0;
56838 +}
56839 +
56840 +dev_t gr_get_dev_from_dentry(struct dentry *dentry)
56841 +{
56842 + return dentry->d_inode->i_sb->s_dev;
56843 +}
56844 +
56845 +EXPORT_SYMBOL(gr_learn_resource);
56846 +EXPORT_SYMBOL(gr_set_kernel_label);
56847 +#ifdef CONFIG_SECURITY
56848 +EXPORT_SYMBOL(gr_check_user_change);
56849 +EXPORT_SYMBOL(gr_check_group_change);
56850 +#endif
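Review bot: The stubs in grsec_disabled.c return a mix of 0 and 1 with nothing saying which value means "allow" for a given hook. For example, `gr_search_socket()` returns 1 while `gr_search_connect()`, `gr_search_bind()` and `gr_search_connectbind()` return 0, and `gr_acl_handle_rename()` returns 0 while the other `gr_acl_handle_*` file hooks return 1. Presumably each value matches the permissive result of the real implementation, which is not visible in this hunk; a wrong constant here would silently deny or permit an operation. I would add a file header comment such as `/* no-op versions of the hooks: each returns the value its caller treats as "allowed" (0 for errno-style hooks, non-zero for mask-style hooks) */` after confirming it against the callers. `gr_get_dev_from_dentry()` is the only function with real logic and dereferences `dentry->d_inode` unchecked, so its comment should state that callers must pass a positive dentry.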
56851 diff -urNp linux-2.6.32.46/grsecurity/grsec_exec.c linux-2.6.32.46/grsecurity/grsec_exec.c
56852 --- linux-2.6.32.46/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
56853 +++ linux-2.6.32.46/grsecurity/grsec_exec.c 2011-09-13 22:54:27.000000000 -0400
56854 @@ -0,0 +1,204 @@
56855 +#include <linux/kernel.h>
56856 +#include <linux/sched.h>
56857 +#include <linux/file.h>
56858 +#include <linux/binfmts.h>
56859 +#include <linux/smp_lock.h>
56860 +#include <linux/fs.h>
56861 +#include <linux/types.h>
56862 +#include <linux/grdefs.h>
56863 +#include <linux/grinternal.h>
56864 +#include <linux/capability.h>
56865 +#include <linux/compat.h>
56866 +#include <linux/module.h>
56867 +
56868 +#include <asm/uaccess.h>
56869 +
56870 +#ifdef CONFIG_GRKERNSEC_EXECLOG
56871 +static char gr_exec_arg_buf[132];
56872 +static DEFINE_MUTEX(gr_exec_arg_mutex);
56873 +#endif
56874 +
56875 +void
56876 +gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv)
56877 +{
56878 +#ifdef CONFIG_GRKERNSEC_EXECLOG
56879 + char *grarg = gr_exec_arg_buf;
56880 + unsigned int i, x, execlen = 0;
56881 + char c;
56882 +
56883 + if (!((grsec_enable_execlog && grsec_enable_group &&
56884 + in_group_p(grsec_audit_gid))
56885 + || (grsec_enable_execlog && !grsec_enable_group)))
56886 + return;
56887 +
56888 + mutex_lock(&gr_exec_arg_mutex);
56889 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
56890 +
56891 + if (unlikely(argv == NULL))
56892 + goto log;
56893 +
56894 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
56895 + const char __user *p;
56896 + unsigned int len;
56897 +
56898 + if (copy_from_user(&p, argv + i, sizeof(p)))
56899 + goto log;
56900 + if (!p)
56901 + goto log;
56902 + len = strnlen_user(p, 128 - execlen);
56903 + if (len > 128 - execlen)
56904 + len = 128 - execlen;
56905 + else if (len > 0)
56906 + len--;
56907 + if (copy_from_user(grarg + execlen, p, len))
56908 + goto log;
56909 +
56910 + /* rewrite unprintable characters */
56911 + for (x = 0; x < len; x++) {
56912 + c = *(grarg + execlen + x);
56913 + if (c < 32 || c > 126)
56914 + *(grarg + execlen + x) = ' ';
56915 + }
56916 +
56917 + execlen += len;
56918 + *(grarg + execlen) = ' ';
56919 + *(grarg + execlen + 1) = '\0';
56920 + execlen++;
56921 + }
56922 +
56923 + log:
56924 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
56925 + bprm->file->f_path.mnt, grarg);
56926 + mutex_unlock(&gr_exec_arg_mutex);
56927 +#endif
56928 + return;
56929 +}
56930 +
56931 +#ifdef CONFIG_COMPAT
56932 +void
56933 +gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv)
56934 +{
56935 +#ifdef CONFIG_GRKERNSEC_EXECLOG
56936 + char *grarg = gr_exec_arg_buf;
56937 + unsigned int i, x, execlen = 0;
56938 + char c;
56939 +
56940 + if (!((grsec_enable_execlog && grsec_enable_group &&
56941 + in_group_p(grsec_audit_gid))
56942 + || (grsec_enable_execlog && !grsec_enable_group)))
56943 + return;
56944 +
56945 + mutex_lock(&gr_exec_arg_mutex);
56946 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
56947 +
56948 + if (unlikely(argv == NULL))
56949 + goto log;
56950 +
56951 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
56952 + compat_uptr_t p;
56953 + unsigned int len;
56954 +
56955 + if (get_user(p, argv + i))
56956 + goto log;
56957 + len = strnlen_user(compat_ptr(p), 128 - execlen);
56958 + if (len > 128 - execlen)
56959 + len = 128 - execlen;
56960 + else if (len > 0)
56961 + len--;
56962 + else
56963 + goto log;
56964 + if (copy_from_user(grarg + execlen, compat_ptr(p), len))
56965 + goto log;
56966 +
56967 + /* rewrite unprintable characters */
56968 + for (x = 0; x < len; x++) {
56969 + c = *(grarg + execlen + x);
56970 + if (c < 32 || c > 126)
56971 + *(grarg + execlen + x) = ' ';
56972 + }
56973 +
56974 + execlen += len;
56975 + *(grarg + execlen) = ' ';
56976 + *(grarg + execlen + 1) = '\0';
56977 + execlen++;
56978 + }
56979 +
56980 + log:
56981 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
56982 + bprm->file->f_path.mnt, grarg);
56983 + mutex_unlock(&gr_exec_arg_mutex);
56984 +#endif
56985 + return;
56986 +}
56987 +#endif
56988 +
56989 +#ifdef CONFIG_GRKERNSEC
56990 +extern int gr_acl_is_capable(const int cap);
56991 +extern int gr_acl_is_capable_nolog(const int cap);
56992 +extern int gr_chroot_is_capable(const int cap);
56993 +extern int gr_chroot_is_capable_nolog(const int cap);
56994 +#endif
56995 +
56996 +const char *captab_log[] = {
56997 + "CAP_CHOWN",
56998 + "CAP_DAC_OVERRIDE",
56999 + "CAP_DAC_READ_SEARCH",
57000 + "CAP_FOWNER",
57001 + "CAP_FSETID",
57002 + "CAP_KILL",
57003 + "CAP_SETGID",
57004 + "CAP_SETUID",
57005 + "CAP_SETPCAP",
57006 + "CAP_LINUX_IMMUTABLE",
57007 + "CAP_NET_BIND_SERVICE",
57008 + "CAP_NET_BROADCAST",
57009 + "CAP_NET_ADMIN",
57010 + "CAP_NET_RAW",
57011 + "CAP_IPC_LOCK",
57012 + "CAP_IPC_OWNER",
57013 + "CAP_SYS_MODULE",
57014 + "CAP_SYS_RAWIO",
57015 + "CAP_SYS_CHROOT",
57016 + "CAP_SYS_PTRACE",
57017 + "CAP_SYS_PACCT",
57018 + "CAP_SYS_ADMIN",
57019 + "CAP_SYS_BOOT",
57020 + "CAP_SYS_NICE",
57021 + "CAP_SYS_RESOURCE",
57022 + "CAP_SYS_TIME",
57023 + "CAP_SYS_TTY_CONFIG",
57024 + "CAP_MKNOD",
57025 + "CAP_LEASE",
57026 + "CAP_AUDIT_WRITE",
57027 + "CAP_AUDIT_CONTROL",
57028 + "CAP_SETFCAP",
57029 + "CAP_MAC_OVERRIDE",
57030 + "CAP_MAC_ADMIN"
57031 +};
57032 +
57033 +int captab_log_entries = sizeof(captab_log)/sizeof(captab_log[0]);
57034 +
57035 +int gr_is_capable(const int cap)
57036 +{
57037 +#ifdef CONFIG_GRKERNSEC
57038 + if (gr_acl_is_capable(cap) && gr_chroot_is_capable(cap))
57039 + return 1;
57040 + return 0;
57041 +#else
57042 + return 1;
57043 +#endif
57044 +}
57045 +
57046 +int gr_is_capable_nolog(const int cap)
57047 +{
57048 +#ifdef CONFIG_GRKERNSEC
57049 + if (gr_acl_is_capable_nolog(cap) && gr_chroot_is_capable_nolog(cap))
57050 + return 1;
57051 + return 0;
57052 +#else
57053 + return 1;
57054 +#endif
57055 +}
57056 +
57057 +EXPORT_SYMBOL(gr_is_capable);
57058 +EXPORT_SYMBOL(gr_is_capable_nolog);
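Review bot: In `gr_handle_exec_args()` a `strnlen_user()` result of 0, its fault indication, is not treated as an error: the `if`/`else if` chain leaves `len` at 0, a separator is appended and the loop continues with the next pointer, whereas `gr_handle_exec_args_compat()` stops with `else goto log;`. I would add the same `else goto log;` after `len--;` in the native variant so both record an unreadable argument the same way. The 128 in the loop bound and the 132 in `gr_exec_arg_buf` are tied together only implicitly; a comment above each loop such as `/* at most 128 bytes of argument text, plus trailing ' ' and NUL, must fit in gr_exec_arg_buf */` would make that invariant visible. The text is read from user memory here, separately from whatever copy the exec path itself makes (not visible in this hunk), so a function comment should say the audit record is best-effort and may not match the executed arguments byte for byte.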
57059 diff -urNp linux-2.6.32.46/grsecurity/grsec_fifo.c linux-2.6.32.46/grsecurity/grsec_fifo.c
57060 --- linux-2.6.32.46/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
57061 +++ linux-2.6.32.46/grsecurity/grsec_fifo.c 2011-04-17 15:56:46.000000000 -0400
57062 @@ -0,0 +1,24 @@
57063 +#include <linux/kernel.h>
57064 +#include <linux/sched.h>
57065 +#include <linux/fs.h>
57066 +#include <linux/file.h>
57067 +#include <linux/grinternal.h>
57068 +
57069 +int
57070 +gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
57071 + const struct dentry *dir, const int flag, const int acc_mode)
57072 +{
57073 +#ifdef CONFIG_GRKERNSEC_FIFO
57074 + const struct cred *cred = current_cred();
57075 +
57076 + if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
57077 + !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
57078 + (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
57079 + (cred->fsuid != dentry->d_inode->i_uid)) {
57080 + if (!inode_permission(dentry->d_inode, acc_mode))
57081 + gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
57082 + return -EACCES;
57083 + }
57084 +#endif
57085 + return 0;
57086 +}
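Review bot: In `gr_handle_fifo()` the inner `if (!inode_permission(dentry->d_inode, acc_mode))` has no braces, so the `return -EACCES;` under it reads as if it belonged to that test. In fact the return applies to every open that matches the outer condition, and only the log call is conditional. Bracing the inner statement and adding a comment such as `/* log only when the regular permission check would have allowed the open; the deny itself is unconditional */` would make the intent explicit. `dentry->d_inode` and `dir->d_inode` are dereferenced without a NULL check, which presumably relies on the caller passing positive dentries, and that assumption deserves a line in a function comment.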
57087 diff -urNp linux-2.6.32.46/grsecurity/grsec_fork.c linux-2.6.32.46/grsecurity/grsec_fork.c
57088 --- linux-2.6.32.46/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
57089 +++ linux-2.6.32.46/grsecurity/grsec_fork.c 2011-04-17 15:56:46.000000000 -0400
57090 @@ -0,0 +1,23 @@
57091 +#include <linux/kernel.h>
57092 +#include <linux/sched.h>
57093 +#include <linux/grsecurity.h>
57094 +#include <linux/grinternal.h>
57095 +#include <linux/errno.h>
57096 +
57097 +void
57098 +gr_log_forkfail(const int retval)
57099 +{
57100 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
57101 + if (grsec_enable_forkfail && (retval == -EAGAIN || retval == -ENOMEM)) {
57102 + switch (retval) {
57103 + case -EAGAIN:
57104 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "EAGAIN");
57105 + break;
57106 + case -ENOMEM:
57107 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "ENOMEM");
57108 + break;
57109 + }
57110 + }
57111 +#endif
57112 + return;
57113 +}
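Review bot: The `retval == -EAGAIN || retval == -ENOMEM` test in `gr_log_forkfail()` repeats exactly what the `switch` below it decides, and the `switch` has no `default`. Reducing the guard to `if (grsec_enable_forkfail) {` and adding `default: break;` would keep the two lists from drifting apart if another errno is logged later.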
57114 diff -urNp linux-2.6.32.46/grsecurity/grsec_init.c linux-2.6.32.46/grsecurity/grsec_init.c
57115 --- linux-2.6.32.46/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
57116 +++ linux-2.6.32.46/grsecurity/grsec_init.c 2011-08-11 19:57:42.000000000 -0400
57117 @@ -0,0 +1,270 @@
57118 +#include <linux/kernel.h>
57119 +#include <linux/sched.h>
57120 +#include <linux/mm.h>
57121 +#include <linux/smp_lock.h>
57122 +#include <linux/gracl.h>
57123 +#include <linux/slab.h>
57124 +#include <linux/vmalloc.h>
57125 +#include <linux/percpu.h>
57126 +#include <linux/module.h>
57127 +
57128 +int grsec_enable_brute;
57129 +int grsec_enable_link;
57130 +int grsec_enable_dmesg;
57131 +int grsec_enable_harden_ptrace;
57132 +int grsec_enable_fifo;
57133 +int grsec_enable_execlog;
57134 +int grsec_enable_signal;
57135 +int grsec_enable_forkfail;
57136 +int grsec_enable_audit_ptrace;
57137 +int grsec_enable_time;
57138 +int grsec_enable_audit_textrel;
57139 +int grsec_enable_group;
57140 +int grsec_audit_gid;
57141 +int grsec_enable_chdir;
57142 +int grsec_enable_mount;
57143 +int grsec_enable_rofs;
57144 +int grsec_enable_chroot_findtask;
57145 +int grsec_enable_chroot_mount;
57146 +int grsec_enable_chroot_shmat;
57147 +int grsec_enable_chroot_fchdir;
57148 +int grsec_enable_chroot_double;
57149 +int grsec_enable_chroot_pivot;
57150 +int grsec_enable_chroot_chdir;
57151 +int grsec_enable_chroot_chmod;
57152 +int grsec_enable_chroot_mknod;
57153 +int grsec_enable_chroot_nice;
57154 +int grsec_enable_chroot_execlog;
57155 +int grsec_enable_chroot_caps;
57156 +int grsec_enable_chroot_sysctl;
57157 +int grsec_enable_chroot_unix;
57158 +int grsec_enable_tpe;
57159 +int grsec_tpe_gid;
57160 +int grsec_enable_blackhole;
57161 +#ifdef CONFIG_IPV6_MODULE
57162 +EXPORT_SYMBOL(grsec_enable_blackhole);
57163 +#endif
57164 +int grsec_lastack_retries;
57165 +int grsec_enable_tpe_all;
57166 +int grsec_enable_tpe_invert;
57167 +int grsec_enable_socket_all;
57168 +int grsec_socket_all_gid;
57169 +int grsec_enable_socket_client;
57170 +int grsec_socket_client_gid;
57171 +int grsec_enable_socket_server;
57172 +int grsec_socket_server_gid;
57173 +int grsec_resource_logging;
57174 +int grsec_disable_privio;
57175 +int grsec_enable_log_rwxmaps;
57176 +int grsec_lock;
57177 +
57178 +DEFINE_SPINLOCK(grsec_alert_lock);
57179 +unsigned long grsec_alert_wtime = 0;
57180 +unsigned long grsec_alert_fyet = 0;
57181 +
57182 +DEFINE_SPINLOCK(grsec_audit_lock);
57183 +
57184 +DEFINE_RWLOCK(grsec_exec_file_lock);
57185 +
57186 +char *gr_shared_page[4];
57187 +
57188 +char *gr_alert_log_fmt;
57189 +char *gr_audit_log_fmt;
57190 +char *gr_alert_log_buf;
57191 +char *gr_audit_log_buf;
57192 +
57193 +extern struct gr_arg *gr_usermode;
57194 +extern unsigned char *gr_system_salt;
57195 +extern unsigned char *gr_system_sum;
57196 +
57197 +void __init
57198 +grsecurity_init(void)
57199 +{
57200 + int j;
57201 + /* create the per-cpu shared pages */
57202 +
57203 +#ifdef CONFIG_X86
57204 + memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
57205 +#endif
57206 +
57207 + for (j = 0; j < 4; j++) {
57208 + gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
57209 + if (gr_shared_page[j] == NULL) {
57210 + panic("Unable to allocate grsecurity shared page");
57211 + return;
57212 + }
57213 + }
57214 +
57215 + /* allocate log buffers */
57216 + gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
57217 + if (!gr_alert_log_fmt) {
57218 + panic("Unable to allocate grsecurity alert log format buffer");
57219 + return;
57220 + }
57221 + gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
57222 + if (!gr_audit_log_fmt) {
57223 + panic("Unable to allocate grsecurity audit log format buffer");
57224 + return;
57225 + }
57226 + gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
57227 + if (!gr_alert_log_buf) {
57228 + panic("Unable to allocate grsecurity alert log buffer");
57229 + return;
57230 + }
57231 + gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
57232 + if (!gr_audit_log_buf) {
57233 + panic("Unable to allocate grsecurity audit log buffer");
57234 + return;
57235 + }
57236 +
57237 + /* allocate memory for authentication structure */
57238 + gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
57239 + gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
57240 + gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
57241 +
57242 + if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
57243 + panic("Unable to allocate grsecurity authentication structure");
57244 + return;
57245 + }
57246 +
57247 +
57248 +#ifdef CONFIG_GRKERNSEC_IO
57249 +#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
57250 + grsec_disable_privio = 1;
57251 +#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
57252 + grsec_disable_privio = 1;
57253 +#else
57254 + grsec_disable_privio = 0;
57255 +#endif
57256 +#endif
57257 +
57258 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
57259 + /* for backward compatibility, tpe_invert always defaults to on if
57260 + enabled in the kernel
57261 + */
57262 + grsec_enable_tpe_invert = 1;
57263 +#endif
57264 +
57265 +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
57266 +#ifndef CONFIG_GRKERNSEC_SYSCTL
57267 + grsec_lock = 1;
57268 +#endif
57269 +
57270 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
57271 + grsec_enable_audit_textrel = 1;
57272 +#endif
57273 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
57274 + grsec_enable_log_rwxmaps = 1;
57275 +#endif
57276 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
57277 + grsec_enable_group = 1;
57278 + grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
57279 +#endif
57280 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
57281 + grsec_enable_chdir = 1;
57282 +#endif
57283 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
57284 + grsec_enable_harden_ptrace = 1;
57285 +#endif
57286 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
57287 + grsec_enable_mount = 1;
57288 +#endif
57289 +#ifdef CONFIG_GRKERNSEC_LINK
57290 + grsec_enable_link = 1;
57291 +#endif
57292 +#ifdef CONFIG_GRKERNSEC_BRUTE
57293 + grsec_enable_brute = 1;
57294 +#endif
57295 +#ifdef CONFIG_GRKERNSEC_DMESG
57296 + grsec_enable_dmesg = 1;
57297 +#endif
57298 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
57299 + grsec_enable_blackhole = 1;
57300 + grsec_lastack_retries = 4;
57301 +#endif
57302 +#ifdef CONFIG_GRKERNSEC_FIFO
57303 + grsec_enable_fifo = 1;
57304 +#endif
57305 +#ifdef CONFIG_GRKERNSEC_EXECLOG
57306 + grsec_enable_execlog = 1;
57307 +#endif
57308 +#ifdef CONFIG_GRKERNSEC_SIGNAL
57309 + grsec_enable_signal = 1;
57310 +#endif
57311 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
57312 + grsec_enable_forkfail = 1;
57313 +#endif
57314 +#ifdef CONFIG_GRKERNSEC_TIME
57315 + grsec_enable_time = 1;
57316 +#endif
57317 +#ifdef CONFIG_GRKERNSEC_RESLOG
57318 + grsec_resource_logging = 1;
57319 +#endif
57320 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
57321 + grsec_enable_chroot_findtask = 1;
57322 +#endif
57323 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
57324 + grsec_enable_chroot_unix = 1;
57325 +#endif
57326 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
57327 + grsec_enable_chroot_mount = 1;
57328 +#endif
57329 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
57330 + grsec_enable_chroot_fchdir = 1;
57331 +#endif
57332 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
57333 + grsec_enable_chroot_shmat = 1;
57334 +#endif
57335 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
57336 + grsec_enable_audit_ptrace = 1;
57337 +#endif
57338 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
57339 + grsec_enable_chroot_double = 1;
57340 +#endif
57341 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
57342 + grsec_enable_chroot_pivot = 1;
57343 +#endif
57344 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
57345 + grsec_enable_chroot_chdir = 1;
57346 +#endif
57347 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
57348 + grsec_enable_chroot_chmod = 1;
57349 +#endif
57350 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
57351 + grsec_enable_chroot_mknod = 1;
57352 +#endif
57353 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
57354 + grsec_enable_chroot_nice = 1;
57355 +#endif
57356 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
57357 + grsec_enable_chroot_execlog = 1;
57358 +#endif
57359 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
57360 + grsec_enable_chroot_caps = 1;
57361 +#endif
57362 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
57363 + grsec_enable_chroot_sysctl = 1;
57364 +#endif
57365 +#ifdef CONFIG_GRKERNSEC_TPE
57366 + grsec_enable_tpe = 1;
57367 + grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
57368 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
57369 + grsec_enable_tpe_all = 1;
57370 +#endif
57371 +#endif
57372 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
57373 + grsec_enable_socket_all = 1;
57374 + grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
57375 +#endif
57376 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
57377 + grsec_enable_socket_client = 1;
57378 + grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
57379 +#endif
57380 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
57381 + grsec_enable_socket_server = 1;
57382 + grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
57383 +#endif
57384 +#endif
57385 +
57386 + return;
57387 +}
57388 diff -urNp linux-2.6.32.46/grsecurity/grsec_link.c linux-2.6.32.46/grsecurity/grsec_link.c
57389 --- linux-2.6.32.46/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
57390 +++ linux-2.6.32.46/grsecurity/grsec_link.c 2011-04-17 15:56:46.000000000 -0400
57391 @@ -0,0 +1,43 @@
57392 +#include <linux/kernel.h>
57393 +#include <linux/sched.h>
57394 +#include <linux/fs.h>
57395 +#include <linux/file.h>
57396 +#include <linux/grinternal.h>
57397 +
57398 +int
57399 +gr_handle_follow_link(const struct inode *parent,
57400 + const struct inode *inode,
57401 + const struct dentry *dentry, const struct vfsmount *mnt)
57402 +{
57403 +#ifdef CONFIG_GRKERNSEC_LINK
57404 + const struct cred *cred = current_cred();
57405 +
57406 + if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
57407 + (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
57408 + (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
57409 + gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
57410 + return -EACCES;
57411 + }
57412 +#endif
57413 + return 0;
57414 +}
57415 +
57416 +int
57417 +gr_handle_hardlink(const struct dentry *dentry,
57418 + const struct vfsmount *mnt,
57419 + struct inode *inode, const int mode, const char *to)
57420 +{
57421 +#ifdef CONFIG_GRKERNSEC_LINK
57422 + const struct cred *cred = current_cred();
57423 +
57424 + if (grsec_enable_link && cred->fsuid != inode->i_uid &&
57425 + (!S_ISREG(mode) || (mode & S_ISUID) ||
57426 + ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
57427 + (inode_permission(inode, MAY_READ | MAY_WRITE))) &&
57428 + !capable(CAP_FOWNER) && cred->uid) {
57429 + gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
57430 + return -EPERM;
57431 + }
57432 +#endif
57433 + return 0;
57434 +}
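Review bot: gr_handle_hardlink has no comment stating the policy that its five-clause condition encodes, and the condition mixes two identities: ownership is tested with `cred->fsuid` but the root exemption with `cred->uid`. I would add above the function `/* deny a hardlink to a file the caller does not own when the target is not a regular file, is setuid, is setgid with group-exec, or is not both readable and writable by the caller; CAP_FOWNER holders and uid 0 are exempt */`. If the real-uid test is deliberate, say so in that comment; otherwise using `cred->fsuid` in both places would keep the check consistent with gr_handle_follow_link. The `mode` parameter is presumably `inode->i_mode` supplied by the caller, which is outside this hunk, and a one-line note on why it is passed separately would help.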
57435 diff -urNp linux-2.6.32.46/grsecurity/grsec_log.c linux-2.6.32.46/grsecurity/grsec_log.c
57436 --- linux-2.6.32.46/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
57437 +++ linux-2.6.32.46/grsecurity/grsec_log.c 2011-09-26 10:44:49.000000000 -0400
57438 @@ -0,0 +1,315 @@
57439 +#include <linux/kernel.h>
57440 +#include <linux/sched.h>
57441 +#include <linux/file.h>
57442 +#include <linux/tty.h>
57443 +#include <linux/fs.h>
57444 +#include <linux/grinternal.h>
57445 +
57446 +#ifdef CONFIG_TREE_PREEMPT_RCU
57447 +#define DISABLE_PREEMPT() preempt_disable()
57448 +#define ENABLE_PREEMPT() preempt_enable()
57449 +#else
57450 +#define DISABLE_PREEMPT()
57451 +#define ENABLE_PREEMPT()
57452 +#endif
57453 +
57454 +#define BEGIN_LOCKS(x) \
57455 + DISABLE_PREEMPT(); \
57456 + rcu_read_lock(); \
57457 + read_lock(&tasklist_lock); \
57458 + read_lock(&grsec_exec_file_lock); \
57459 + if (x != GR_DO_AUDIT) \
57460 + spin_lock(&grsec_alert_lock); \
57461 + else \
57462 + spin_lock(&grsec_audit_lock)
57463 +
57464 +#define END_LOCKS(x) \
57465 + if (x != GR_DO_AUDIT) \
57466 + spin_unlock(&grsec_alert_lock); \
57467 + else \
57468 + spin_unlock(&grsec_audit_lock); \
57469 + read_unlock(&grsec_exec_file_lock); \
57470 + read_unlock(&tasklist_lock); \
57471 + rcu_read_unlock(); \
57472 + ENABLE_PREEMPT(); \
57473 + if (x == GR_DONT_AUDIT) \
57474 + gr_handle_alertkill(current)
57475 +
57476 +enum {
57477 + FLOODING,
57478 + NO_FLOODING
57479 +};
57480 +
57481 +extern char *gr_alert_log_fmt;
57482 +extern char *gr_audit_log_fmt;
57483 +extern char *gr_alert_log_buf;
57484 +extern char *gr_audit_log_buf;
57485 +
57486 +static int gr_log_start(int audit)
57487 +{
57488 + char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
57489 + char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
57490 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
57491 +#if (CONFIG_GRKERNSEC_FLOODTIME > 0 && CONFIG_GRKERNSEC_FLOODBURST > 0)
57492 + unsigned long curr_secs = get_seconds();
57493 +
57494 + if (audit == GR_DO_AUDIT)
57495 + goto set_fmt;
57496 +
57497 + if (!grsec_alert_wtime || time_after(curr_secs, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME)) {
57498 + grsec_alert_wtime = curr_secs;
57499 + grsec_alert_fyet = 0;
57500 + } else if (time_before_eq(curr_secs, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME)
57501 + && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
57502 + grsec_alert_fyet++;
57503 + } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
57504 + grsec_alert_wtime = curr_secs;
57505 + grsec_alert_fyet++;
57506 + printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
57507 + return FLOODING;
57508 + }
57509 + else return FLOODING;
57510 +
57511 +set_fmt:
57512 +#endif
57513 + memset(buf, 0, PAGE_SIZE);
57514 + if (current->signal->curr_ip && gr_acl_is_enabled()) {
57515 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
57516 + snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
57517 + } else if (current->signal->curr_ip) {
57518 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
57519 + snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip);
57520 + } else if (gr_acl_is_enabled()) {
57521 + sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
57522 + snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
57523 + } else {
57524 + sprintf(fmt, "%s%s", loglevel, "grsec: ");
57525 + strcpy(buf, fmt);
57526 + }
57527 +
57528 + return NO_FLOODING;
57529 +}
57530 +
57531 +static void gr_log_middle(int audit, const char *msg, va_list ap)
57532 + __attribute__ ((format (printf, 2, 0)));
57533 +
57534 +static void gr_log_middle(int audit, const char *msg, va_list ap)
57535 +{
57536 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
57537 + unsigned int len = strlen(buf);
57538 +
57539 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
57540 +
57541 + return;
57542 +}
57543 +
57544 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
57545 + __attribute__ ((format (printf, 2, 3)));
57546 +
57547 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
57548 +{
57549 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
57550 + unsigned int len = strlen(buf);
57551 + va_list ap;
57552 +
57553 + va_start(ap, msg);
57554 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
57555 + va_end(ap);
57556 +
57557 + return;
57558 +}
57559 +
57560 +static void gr_log_end(int audit)
57561 +{
57562 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
57563 + unsigned int len = strlen(buf);
57564 +
57565 + snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->real_parent)));
57566 + printk("%s\n", buf);
57567 +
57568 + return;
57569 +}
57570 +
57571 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
57572 +{
57573 + int logtype;
57574 + char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
57575 + char *str1 = NULL, *str2 = NULL, *str3 = NULL;
57576 + void *voidptr = NULL;
57577 + int num1 = 0, num2 = 0;
57578 + unsigned long ulong1 = 0, ulong2 = 0;
57579 + struct dentry *dentry = NULL;
57580 + struct vfsmount *mnt = NULL;
57581 + struct file *file = NULL;
57582 + struct task_struct *task = NULL;
57583 + const struct cred *cred, *pcred;
57584 + va_list ap;
57585 +
57586 + BEGIN_LOCKS(audit);
57587 + logtype = gr_log_start(audit);
57588 + if (logtype == FLOODING) {
57589 + END_LOCKS(audit);
57590 + return;
57591 + }
57592 + va_start(ap, argtypes);
57593 + switch (argtypes) {
57594 + case GR_TTYSNIFF:
57595 + task = va_arg(ap, struct task_struct *);
57596 + gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid);
57597 + break;
57598 + case GR_SYSCTL_HIDDEN:
57599 + str1 = va_arg(ap, char *);
57600 + gr_log_middle_varargs(audit, msg, result, str1);
57601 + break;
57602 + case GR_RBAC:
57603 + dentry = va_arg(ap, struct dentry *);
57604 + mnt = va_arg(ap, struct vfsmount *);
57605 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
57606 + break;
57607 + case GR_RBAC_STR:
57608 + dentry = va_arg(ap, struct dentry *);
57609 + mnt = va_arg(ap, struct vfsmount *);
57610 + str1 = va_arg(ap, char *);
57611 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
57612 + break;
57613 + case GR_STR_RBAC:
57614 + str1 = va_arg(ap, char *);
57615 + dentry = va_arg(ap, struct dentry *);
57616 + mnt = va_arg(ap, struct vfsmount *);
57617 + gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
57618 + break;
57619 + case GR_RBAC_MODE2:
57620 + dentry = va_arg(ap, struct dentry *);
57621 + mnt = va_arg(ap, struct vfsmount *);
57622 + str1 = va_arg(ap, char *);
57623 + str2 = va_arg(ap, char *);
57624 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
57625 + break;
57626 + case GR_RBAC_MODE3:
57627 + dentry = va_arg(ap, struct dentry *);
57628 + mnt = va_arg(ap, struct vfsmount *);
57629 + str1 = va_arg(ap, char *);
57630 + str2 = va_arg(ap, char *);
57631 + str3 = va_arg(ap, char *);
57632 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
57633 + break;
57634 + case GR_FILENAME:
57635 + dentry = va_arg(ap, struct dentry *);
57636 + mnt = va_arg(ap, struct vfsmount *);
57637 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
57638 + break;
57639 + case GR_STR_FILENAME:
57640 + str1 = va_arg(ap, char *);
57641 + dentry = va_arg(ap, struct dentry *);
57642 + mnt = va_arg(ap, struct vfsmount *);
57643 + gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
57644 + break;
57645 + case GR_FILENAME_STR:
57646 + dentry = va_arg(ap, struct dentry *);
57647 + mnt = va_arg(ap, struct vfsmount *);
57648 + str1 = va_arg(ap, char *);
57649 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
57650 + break;
57651 + case GR_FILENAME_TWO_INT:
57652 + dentry = va_arg(ap, struct dentry *);
57653 + mnt = va_arg(ap, struct vfsmount *);
57654 + num1 = va_arg(ap, int);
57655 + num2 = va_arg(ap, int);
57656 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
57657 + break;
57658 + case GR_FILENAME_TWO_INT_STR:
57659 + dentry = va_arg(ap, struct dentry *);
57660 + mnt = va_arg(ap, struct vfsmount *);
57661 + num1 = va_arg(ap, int);
57662 + num2 = va_arg(ap, int);
57663 + str1 = va_arg(ap, char *);
57664 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
57665 + break;
57666 + case GR_TEXTREL:
57667 + file = va_arg(ap, struct file *);
57668 + ulong1 = va_arg(ap, unsigned long);
57669 + ulong2 = va_arg(ap, unsigned long);
57670 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
57671 + break;
57672 + case GR_PTRACE:
57673 + task = va_arg(ap, struct task_struct *);
57674 + gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid);
57675 + break;
57676 + case GR_RESOURCE:
57677 + task = va_arg(ap, struct task_struct *);
57678 + cred = __task_cred(task);
57679 + pcred = __task_cred(task->real_parent);
57680 + ulong1 = va_arg(ap, unsigned long);
57681 + str1 = va_arg(ap, char *);
57682 + ulong2 = va_arg(ap, unsigned long);
57683 + gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
57684 + break;
57685 + case GR_CAP:
57686 + task = va_arg(ap, struct task_struct *);
57687 + cred = __task_cred(task);
57688 + pcred = __task_cred(task->real_parent);
57689 + str1 = va_arg(ap, char *);
57690 + gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
57691 + break;
57692 + case GR_SIG:
57693 + str1 = va_arg(ap, char *);
57694 + voidptr = va_arg(ap, void *);
57695 + gr_log_middle_varargs(audit, msg, str1, voidptr);
57696 + break;
57697 + case GR_SIG2:
57698 + task = va_arg(ap, struct task_struct *);
57699 + cred = __task_cred(task);
57700 + pcred = __task_cred(task->real_parent);
57701 + num1 = va_arg(ap, int);
57702 + gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
57703 + break;
57704 + case GR_CRASH1:
57705 + task = va_arg(ap, struct task_struct *);
57706 + cred = __task_cred(task);
57707 + pcred = __task_cred(task->real_parent);
57708 + ulong1 = va_arg(ap, unsigned long);
57709 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1);
57710 + break;
57711 + case GR_CRASH2:
57712 + task = va_arg(ap, struct task_struct *);
57713 + cred = __task_cred(task);
57714 + pcred = __task_cred(task->real_parent);
57715 + ulong1 = va_arg(ap, unsigned long);
57716 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
57717 + break;
57718 + case GR_RWXMAP:
57719 + file = va_arg(ap, struct file *);
57720 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>");
57721 + break;
57722 + case GR_PSACCT:
57723 + {
57724 + unsigned int wday, cday;
57725 + __u8 whr, chr;
57726 + __u8 wmin, cmin;
57727 + __u8 wsec, csec;
57728 + char cur_tty[64] = { 0 };
57729 + char parent_tty[64] = { 0 };
57730 +
57731 + task = va_arg(ap, struct task_struct *);
57732 + wday = va_arg(ap, unsigned int);
57733 + cday = va_arg(ap, unsigned int);
57734 + whr = va_arg(ap, int);
57735 + chr = va_arg(ap, int);
57736 + wmin = va_arg(ap, int);
57737 + cmin = va_arg(ap, int);
57738 + wsec = va_arg(ap, int);
57739 + csec = va_arg(ap, int);
57740 + ulong1 = va_arg(ap, unsigned long);
57741 + cred = __task_cred(task);
57742 + pcred = __task_cred(task->real_parent);
57743 +
57744 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, &task->real_parent->signal->curr_ip, tty_name(task->real_parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid);
57745 + }
57746 + break;
57747 + default:
57748 + gr_log_middle(audit, msg, ap);
57749 + }
57750 + va_end(ap);
57751 + gr_log_end(audit);
57752 + END_LOCKS(audit);
57753 +}
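Review bot: BEGIN_LOCKS and END_LOCKS expand to several statements that end in an unbraced `if`/`else`, so they are safe only because the one visible caller, gr_log_varargs, puts the early-return use inside braces. Used as the body of an unbraced `if`, or followed by an `else`, they would take or release only part of the lock set. Wrapping each body in `do { ... } while (0)` and writing the argument as `(x)` removes that hazard without changing the current expansion at the call sites. Separately, gr_log_start builds the prefix with an unbounded `sprintf(fmt, "%s%s", loglevel, ...)`. The size of gr_alert_log_fmt and gr_audit_log_fmt is set outside this hunk, so `snprintf` with that allocated size would make the bound explicit instead of relying on the literals staying short.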
57754 diff -urNp linux-2.6.32.46/grsecurity/grsec_mem.c linux-2.6.32.46/grsecurity/grsec_mem.c
57755 --- linux-2.6.32.46/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
57756 +++ linux-2.6.32.46/grsecurity/grsec_mem.c 2011-04-17 15:56:46.000000000 -0400
57757 @@ -0,0 +1,33 @@
57758 +#include <linux/kernel.h>
57759 +#include <linux/sched.h>
57760 +#include <linux/mm.h>
57761 +#include <linux/mman.h>
57762 +#include <linux/grinternal.h>
57763 +
57764 +void
57765 +gr_handle_ioperm(void)
57766 +{
57767 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
57768 + return;
57769 +}
57770 +
57771 +void
57772 +gr_handle_iopl(void)
57773 +{
57774 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
57775 + return;
57776 +}
57777 +
57778 +void
57779 +gr_handle_mem_readwrite(u64 from, u64 to)
57780 +{
57781 + gr_log_two_u64(GR_DONT_AUDIT, GR_MEM_READWRITE_MSG, from, to);
57782 + return;
57783 +}
57784 +
57785 +void
57786 +gr_handle_vm86(void)
57787 +{
57788 + gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
57789 + return;
57790 +}
57791 diff -urNp linux-2.6.32.46/grsecurity/grsec_mount.c linux-2.6.32.46/grsecurity/grsec_mount.c
57792 --- linux-2.6.32.46/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
57793 +++ linux-2.6.32.46/grsecurity/grsec_mount.c 2011-06-20 19:47:03.000000000 -0400
57794 @@ -0,0 +1,62 @@
57795 +#include <linux/kernel.h>
57796 +#include <linux/sched.h>
57797 +#include <linux/mount.h>
57798 +#include <linux/grsecurity.h>
57799 +#include <linux/grinternal.h>
57800 +
57801 +void
57802 +gr_log_remount(const char *devname, const int retval)
57803 +{
57804 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
57805 + if (grsec_enable_mount && (retval >= 0))
57806 + gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
57807 +#endif
57808 + return;
57809 +}
57810 +
57811 +void
57812 +gr_log_unmount(const char *devname, const int retval)
57813 +{
57814 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
57815 + if (grsec_enable_mount && (retval >= 0))
57816 + gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
57817 +#endif
57818 + return;
57819 +}
57820 +
57821 +void
57822 +gr_log_mount(const char *from, const char *to, const int retval)
57823 +{
57824 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
57825 + if (grsec_enable_mount && (retval >= 0))
57826 + gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to);
57827 +#endif
57828 + return;
57829 +}
57830 +
57831 +int
57832 +gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
57833 +{
57834 +#ifdef CONFIG_GRKERNSEC_ROFS
57835 + if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
57836 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
57837 + return -EPERM;
57838 + } else
57839 + return 0;
57840 +#endif
57841 + return 0;
57842 +}
57843 +
57844 +int
57845 +gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
57846 +{
57847 +#ifdef CONFIG_GRKERNSEC_ROFS
57848 + if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
57849 + dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
57850 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
57851 + return -EPERM;
57852 + } else
57853 + return 0;
57854 +#endif
57855 + return 0;
57856 +}
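Review bot: gr_handle_rofs_mount and gr_handle_rofs_blockwrite both return `-EPERM` but log the event with `GR_DO_AUDIT`, unlike the denial paths in grsec_link.c and grsec_sig.c on this page, which use `GR_DONT_AUDIT`. In grsec_log.c, GR_DO_AUDIT selects KERN_INFO and the audit buffer and jumps past the flood limiter in gr_log_start (when it is configured), so these denials are recorded at a lower severity and are not rate-limited. If that is intentional (for example to avoid gr_handle_alertkill, which END_LOCKS runs for GR_DONT_AUDIT), a comment such as `/* logged as audit on purpose: a ROFS denial must not trigger alertkill */` would say so; otherwise `GR_DONT_AUDIT` looks like the intended level. The `else return 0;` before `#endif` also makes the final `return 0;` unreachable when CONFIG_GRKERNSEC_ROFS is set and can be dropped.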
57857 diff -urNp linux-2.6.32.46/grsecurity/grsec_pax.c linux-2.6.32.46/grsecurity/grsec_pax.c
57858 --- linux-2.6.32.46/grsecurity/grsec_pax.c 1969-12-31 19:00:00.000000000 -0500
57859 +++ linux-2.6.32.46/grsecurity/grsec_pax.c 2011-04-17 15:56:46.000000000 -0400
57860 @@ -0,0 +1,36 @@
57861 +#include <linux/kernel.h>
57862 +#include <linux/sched.h>
57863 +#include <linux/mm.h>
57864 +#include <linux/file.h>
57865 +#include <linux/grinternal.h>
57866 +#include <linux/grsecurity.h>
57867 +
57868 +void
57869 +gr_log_textrel(struct vm_area_struct * vma)
57870 +{
57871 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
57872 + if (grsec_enable_audit_textrel)
57873 + gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
57874 +#endif
57875 + return;
57876 +}
57877 +
57878 +void
57879 +gr_log_rwxmmap(struct file *file)
57880 +{
57881 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
57882 + if (grsec_enable_log_rwxmaps)
57883 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMMAP_MSG, file);
57884 +#endif
57885 + return;
57886 +}
57887 +
57888 +void
57889 +gr_log_rwxmprotect(struct file *file)
57890 +{
57891 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
57892 + if (grsec_enable_log_rwxmaps)
57893 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMPROTECT_MSG, file);
57894 +#endif
57895 + return;
57896 +}
57897 diff -urNp linux-2.6.32.46/grsecurity/grsec_ptrace.c linux-2.6.32.46/grsecurity/grsec_ptrace.c
57898 --- linux-2.6.32.46/grsecurity/grsec_ptrace.c 1969-12-31 19:00:00.000000000 -0500
57899 +++ linux-2.6.32.46/grsecurity/grsec_ptrace.c 2011-04-17 15:56:46.000000000 -0400
57900 @@ -0,0 +1,14 @@
57901 +#include <linux/kernel.h>
57902 +#include <linux/sched.h>
57903 +#include <linux/grinternal.h>
57904 +#include <linux/grsecurity.h>
57905 +
57906 +void
57907 +gr_audit_ptrace(struct task_struct *task)
57908 +{
57909 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
57910 + if (grsec_enable_audit_ptrace)
57911 + gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
57912 +#endif
57913 + return;
57914 +}
57915 diff -urNp linux-2.6.32.46/grsecurity/grsec_sig.c linux-2.6.32.46/grsecurity/grsec_sig.c
57916 --- linux-2.6.32.46/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
57917 +++ linux-2.6.32.46/grsecurity/grsec_sig.c 2011-06-29 19:40:31.000000000 -0400
57918 @@ -0,0 +1,205 @@
57919 +#include <linux/kernel.h>
57920 +#include <linux/sched.h>
57921 +#include <linux/delay.h>
57922 +#include <linux/grsecurity.h>
57923 +#include <linux/grinternal.h>
57924 +#include <linux/hardirq.h>
57925 +
57926 +char *signames[] = {
57927 + [SIGSEGV] = "Segmentation fault",
57928 + [SIGILL] = "Illegal instruction",
57929 + [SIGABRT] = "Abort",
57930 + [SIGBUS] = "Invalid alignment/Bus error"
57931 +};
57932 +
57933 +void
57934 +gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
57935 +{
57936 +#ifdef CONFIG_GRKERNSEC_SIGNAL
57937 + if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
57938 + (sig == SIGABRT) || (sig == SIGBUS))) {
57939 + if (t->pid == current->pid) {
57940 + gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
57941 + } else {
57942 + gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
57943 + }
57944 + }
57945 +#endif
57946 + return;
57947 +}
57948 +
57949 +int
57950 +gr_handle_signal(const struct task_struct *p, const int sig)
57951 +{
57952 +#ifdef CONFIG_GRKERNSEC
57953 + if (current->pid > 1 && gr_check_protected_task(p)) {
57954 + gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
57955 + return -EPERM;
57956 + } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
57957 + return -EPERM;
57958 + }
57959 +#endif
57960 + return 0;
57961 +}
57962 +
57963 +#ifdef CONFIG_GRKERNSEC
57964 +extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
57965 +
57966 +int gr_fake_force_sig(int sig, struct task_struct *t)
57967 +{
57968 + unsigned long int flags;
57969 + int ret, blocked, ignored;
57970 + struct k_sigaction *action;
57971 +
57972 + spin_lock_irqsave(&t->sighand->siglock, flags);
57973 + action = &t->sighand->action[sig-1];
57974 + ignored = action->sa.sa_handler == SIG_IGN;
57975 + blocked = sigismember(&t->blocked, sig);
57976 + if (blocked || ignored) {
57977 + action->sa.sa_handler = SIG_DFL;
57978 + if (blocked) {
57979 + sigdelset(&t->blocked, sig);
57980 + recalc_sigpending_and_wake(t);
57981 + }
57982 + }
57983 + if (action->sa.sa_handler == SIG_DFL)
57984 + t->signal->flags &= ~SIGNAL_UNKILLABLE;
57985 + ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
57986 +
57987 + spin_unlock_irqrestore(&t->sighand->siglock, flags);
57988 +
57989 + return ret;
57990 +}
57991 +#endif
57992 +
57993 +#ifdef CONFIG_GRKERNSEC_BRUTE
57994 +#define GR_USER_BAN_TIME (15 * 60)
57995 +
57996 +static int __get_dumpable(unsigned long mm_flags)
57997 +{
57998 + int ret;
57999 +
58000 + ret = mm_flags & MMF_DUMPABLE_MASK;
58001 + return (ret >= 2) ? 2 : ret;
58002 +}
58003 +#endif
58004 +
58005 +void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags)
58006 +{
58007 +#ifdef CONFIG_GRKERNSEC_BRUTE
58008 + uid_t uid = 0;
58009 +
58010 + if (!grsec_enable_brute)
58011 + return;
58012 +
58013 + rcu_read_lock();
58014 + read_lock(&tasklist_lock);
58015 + read_lock(&grsec_exec_file_lock);
58016 + if (p->real_parent && p->real_parent->exec_file == p->exec_file)
58017 + p->real_parent->brute = 1;
58018 + else {
58019 + const struct cred *cred = __task_cred(p), *cred2;
58020 + struct task_struct *tsk, *tsk2;
58021 +
58022 + if (!__get_dumpable(mm_flags) && cred->uid) {
58023 + struct user_struct *user;
58024 +
58025 + uid = cred->uid;
58026 +
58027 + /* this is put upon execution past expiration */
58028 + user = find_user(uid);
58029 + if (user == NULL)
58030 + goto unlock;
58031 + user->banned = 1;
58032 + user->ban_expires = get_seconds() + GR_USER_BAN_TIME;
58033 + if (user->ban_expires == ~0UL)
58034 + user->ban_expires--;
58035 +
58036 + do_each_thread(tsk2, tsk) {
58037 + cred2 = __task_cred(tsk);
58038 + if (tsk != p && cred2->uid == uid)
58039 + gr_fake_force_sig(SIGKILL, tsk);
58040 + } while_each_thread(tsk2, tsk);
58041 + }
58042 + }
58043 +unlock:
58044 + read_unlock(&grsec_exec_file_lock);
58045 + read_unlock(&tasklist_lock);
58046 + rcu_read_unlock();
58047 +
58048 + if (uid)
58049 + printk(KERN_ALERT "grsec: bruteforce prevention initiated against uid %u, banning for %d minutes\n", uid, GR_USER_BAN_TIME / 60);
58050 +#endif
58051 + return;
58052 +}
58053 +
58054 +void gr_handle_brute_check(void)
58055 +{
58056 +#ifdef CONFIG_GRKERNSEC_BRUTE
58057 + if (current->brute)
58058 + msleep(30 * 1000);
58059 +#endif
58060 + return;
58061 +}
58062 +
58063 +void gr_handle_kernel_exploit(void)
58064 +{
58065 +#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
58066 + const struct cred *cred;
58067 + struct task_struct *tsk, *tsk2;
58068 + struct user_struct *user;
58069 + uid_t uid;
58070 +
58071 + if (in_irq() || in_serving_softirq() || in_nmi())
58072 + panic("grsec: halting the system due to suspicious kernel crash caused in interrupt context");
58073 +
58074 + uid = current_uid();
58075 +
58076 + if (uid == 0)
58077 + panic("grsec: halting the system due to suspicious kernel crash caused by root");
58078 + else {
58079 + /* kill all the processes of this user, hold a reference
58080 + to their creds struct, and prevent them from creating
58081 + another process until system reset
58082 + */
58083 + printk(KERN_ALERT "grsec: banning user with uid %u until system restart for suspicious kernel crash\n", uid);
58084 + /* we intentionally leak this ref */
58085 + user = get_uid(current->cred->user);
58086 + if (user) {
58087 + user->banned = 1;
58088 + user->ban_expires = ~0UL;
58089 + }
58090 +
58091 + read_lock(&tasklist_lock);
58092 + do_each_thread(tsk2, tsk) {
58093 + cred = __task_cred(tsk);
58094 + if (cred->uid == uid)
58095 + gr_fake_force_sig(SIGKILL, tsk);
58096 + } while_each_thread(tsk2, tsk);
58097 + read_unlock(&tasklist_lock);
58098 + }
58099 +#endif
58100 +}
58101 +
58102 +int __gr_process_user_ban(struct user_struct *user)
58103 +{
58104 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
58105 + if (unlikely(user->banned)) {
58106 + if (user->ban_expires != ~0UL && time_after_eq(get_seconds(), user->ban_expires)) {
58107 + user->banned = 0;
58108 + user->ban_expires = 0;
58109 + free_uid(user);
58110 + } else
58111 + return -EPERM;
58112 + }
58113 +#endif
58114 + return 0;
58115 +}
58116 +
58117 +int gr_process_user_ban(void)
58118 +{
58119 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
58120 + return __gr_process_user_ban(current->cred->user);
58121 +#endif
58122 + return 0;
58123 +}
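Review bot: The reference that pins a banned user_struct is not balanced between gr_handle_brute_attach and __gr_process_user_ban. The in-hunk comment says the reference from `find_user(uid)` is dropped at expiry, but gr_handle_brute_attach takes it on every trigger, including when `user->banned` is already set, while __gr_process_user_ban calls `free_uid(user)` once, so repeated triggers inside one ban window would leave extra references behind (assuming find_user() returns a counted reference; it is defined outside this hunk). In the other direction, __gr_process_user_ban tests and clears `user->banned` with no lock visible here, so two tasks of the same uid reaching it at expiry could both call free_uid() and drop a reference that was taken only once. I would release the extra reference when the user is already banned, `if (user->banned) free_uid(user);` ahead of `user->banned = 1;`, and make the expiry path a single test-and-clear under a lock.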
58124 diff -urNp linux-2.6.32.46/grsecurity/grsec_sock.c linux-2.6.32.46/grsecurity/grsec_sock.c
58125 --- linux-2.6.32.46/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
58126 +++ linux-2.6.32.46/grsecurity/grsec_sock.c 2011-04-17 15:56:46.000000000 -0400
58127 @@ -0,0 +1,275 @@
58128 +#include <linux/kernel.h>
58129 +#include <linux/module.h>
58130 +#include <linux/sched.h>
58131 +#include <linux/file.h>
58132 +#include <linux/net.h>
58133 +#include <linux/in.h>
58134 +#include <linux/ip.h>
58135 +#include <net/sock.h>
58136 +#include <net/inet_sock.h>
58137 +#include <linux/grsecurity.h>
58138 +#include <linux/grinternal.h>
58139 +#include <linux/gracl.h>
58140 +
58141 +kernel_cap_t gr_cap_rtnetlink(struct sock *sock);
58142 +EXPORT_SYMBOL(gr_cap_rtnetlink);
58143 +
58144 +extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
58145 +extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
58146 +
58147 +EXPORT_SYMBOL(gr_search_udp_recvmsg);
58148 +EXPORT_SYMBOL(gr_search_udp_sendmsg);
58149 +
58150 +#ifdef CONFIG_UNIX_MODULE
58151 +EXPORT_SYMBOL(gr_acl_handle_unix);
58152 +EXPORT_SYMBOL(gr_acl_handle_mknod);
58153 +EXPORT_SYMBOL(gr_handle_chroot_unix);
58154 +EXPORT_SYMBOL(gr_handle_create);
58155 +#endif
58156 +
58157 +#ifdef CONFIG_GRKERNSEC
58158 +#define gr_conn_table_size 32749
58159 +struct conn_table_entry {
58160 + struct conn_table_entry *next;
58161 + struct signal_struct *sig;
58162 +};
58163 +
58164 +struct conn_table_entry *gr_conn_table[gr_conn_table_size];
58165 +DEFINE_SPINLOCK(gr_conn_table_lock);
58166 +
58167 +extern const char * gr_socktype_to_name(unsigned char type);
58168 +extern const char * gr_proto_to_name(unsigned char proto);
58169 +extern const char * gr_sockfamily_to_name(unsigned char family);
58170 +
58171 +static __inline__ int
58172 +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
58173 +{
58174 + return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
58175 +}
58176 +
58177 +static __inline__ int
58178 +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
58179 + __u16 sport, __u16 dport)
58180 +{
58181 + if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
58182 + sig->gr_sport == sport && sig->gr_dport == dport))
58183 + return 1;
58184 + else
58185 + return 0;
58186 +}
58187 +
58188 +static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
58189 +{
58190 + struct conn_table_entry **match;
58191 + unsigned int index;
58192 +
58193 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
58194 + sig->gr_sport, sig->gr_dport,
58195 + gr_conn_table_size);
58196 +
58197 + newent->sig = sig;
58198 +
58199 + match = &gr_conn_table[index];
58200 + newent->next = *match;
58201 + *match = newent;
58202 +
58203 + return;
58204 +}
58205 +
58206 +static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
58207 +{
58208 + struct conn_table_entry *match, *last = NULL;
58209 + unsigned int index;
58210 +
58211 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
58212 + sig->gr_sport, sig->gr_dport,
58213 + gr_conn_table_size);
58214 +
58215 + match = gr_conn_table[index];
58216 + while (match && !conn_match(match->sig,
58217 + sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
58218 + sig->gr_dport)) {
58219 + last = match;
58220 + match = match->next;
58221 + }
58222 +
58223 + if (match) {
58224 + if (last)
58225 + last->next = match->next;
58226 + else
58227 + gr_conn_table[index] = NULL;
58228 + kfree(match);
58229 + }
58230 +
58231 + return;
58232 +}
58233 +
58234 +static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
58235 + __u16 sport, __u16 dport)
58236 +{
58237 + struct conn_table_entry *match;
58238 + unsigned int index;
58239 +
58240 + index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
58241 +
58242 + match = gr_conn_table[index];
58243 + while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
58244 + match = match->next;
58245 +
58246 + if (match)
58247 + return match->sig;
58248 + else
58249 + return NULL;
58250 +}
58251 +
58252 +#endif
58253 +
58254 +void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
58255 +{
58256 +#ifdef CONFIG_GRKERNSEC
58257 + struct signal_struct *sig = task->signal;
58258 + struct conn_table_entry *newent;
58259 +
58260 + newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
58261 + if (newent == NULL)
58262 + return;
58263 + /* no bh lock needed since we are called with bh disabled */
58264 + spin_lock(&gr_conn_table_lock);
58265 + gr_del_task_from_ip_table_nolock(sig);
58266 + sig->gr_saddr = inet->rcv_saddr;
58267 + sig->gr_daddr = inet->daddr;
58268 + sig->gr_sport = inet->sport;
58269 + sig->gr_dport = inet->dport;
58270 + gr_add_to_task_ip_table_nolock(sig, newent);
58271 + spin_unlock(&gr_conn_table_lock);
58272 +#endif
58273 + return;
58274 +}
58275 +
58276 +void gr_del_task_from_ip_table(struct task_struct *task)
58277 +{
58278 +#ifdef CONFIG_GRKERNSEC
58279 + spin_lock_bh(&gr_conn_table_lock);
58280 + gr_del_task_from_ip_table_nolock(task->signal);
58281 + spin_unlock_bh(&gr_conn_table_lock);
58282 +#endif
58283 + return;
58284 +}
58285 +
58286 +void
58287 +gr_attach_curr_ip(const struct sock *sk)
58288 +{
58289 +#ifdef CONFIG_GRKERNSEC
58290 + struct signal_struct *p, *set;
58291 + const struct inet_sock *inet = inet_sk(sk);
58292 +
58293 + if (unlikely(sk->sk_protocol != IPPROTO_TCP))
58294 + return;
58295 +
58296 + set = current->signal;
58297 +
58298 + spin_lock_bh(&gr_conn_table_lock);
58299 + p = gr_lookup_task_ip_table(inet->daddr, inet->rcv_saddr,
58300 + inet->dport, inet->sport);
58301 + if (unlikely(p != NULL)) {
58302 + set->curr_ip = p->curr_ip;
58303 + set->used_accept = 1;
58304 + gr_del_task_from_ip_table_nolock(p);
58305 + spin_unlock_bh(&gr_conn_table_lock);
58306 + return;
58307 + }
58308 + spin_unlock_bh(&gr_conn_table_lock);
58309 +
58310 + set->curr_ip = inet->daddr;
58311 + set->used_accept = 1;
58312 +#endif
58313 + return;
58314 +}
58315 +
58316 +int
58317 +gr_handle_sock_all(const int family, const int type, const int protocol)
58318 +{
58319 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
58320 + if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
58321 + (family != AF_UNIX)) {
58322 + if (family == AF_INET)
58323 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), gr_proto_to_name(protocol));
58324 + else
58325 + gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), protocol);
58326 + return -EACCES;
58327 + }
58328 +#endif
58329 + return 0;
58330 +}
58331 +
58332 +int
58333 +gr_handle_sock_server(const struct sockaddr *sck)
58334 +{
58335 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
58336 + if (grsec_enable_socket_server &&
58337 + in_group_p(grsec_socket_server_gid) &&
58338 + sck && (sck->sa_family != AF_UNIX) &&
58339 + (sck->sa_family != AF_LOCAL)) {
58340 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
58341 + return -EACCES;
58342 + }
58343 +#endif
58344 + return 0;
58345 +}
58346 +
58347 +int
58348 +gr_handle_sock_server_other(const struct sock *sck)
58349 +{
58350 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
58351 + if (grsec_enable_socket_server &&
58352 + in_group_p(grsec_socket_server_gid) &&
58353 + sck && (sck->sk_family != AF_UNIX) &&
58354 + (sck->sk_family != AF_LOCAL)) {
58355 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
58356 + return -EACCES;
58357 + }
58358 +#endif
58359 + return 0;
58360 +}
58361 +
58362 +int
58363 +gr_handle_sock_client(const struct sockaddr *sck)
58364 +{
58365 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
58366 + if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
58367 + sck && (sck->sa_family != AF_UNIX) &&
58368 + (sck->sa_family != AF_LOCAL)) {
58369 + gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
58370 + return -EACCES;
58371 + }
58372 +#endif
58373 + return 0;
58374 +}
58375 +
58376 +kernel_cap_t
58377 +gr_cap_rtnetlink(struct sock *sock)
58378 +{
58379 +#ifdef CONFIG_GRKERNSEC
58380 + if (!gr_acl_is_enabled())
58381 + return current_cap();
58382 + else if (sock->sk_protocol == NETLINK_ISCSI &&
58383 + cap_raised(current_cap(), CAP_SYS_ADMIN) &&
58384 + gr_is_capable(CAP_SYS_ADMIN))
58385 + return current_cap();
58386 + else if (sock->sk_protocol == NETLINK_AUDIT &&
58387 + cap_raised(current_cap(), CAP_AUDIT_WRITE) &&
58388 + gr_is_capable(CAP_AUDIT_WRITE) &&
58389 + cap_raised(current_cap(), CAP_AUDIT_CONTROL) &&
58390 + gr_is_capable(CAP_AUDIT_CONTROL))
58391 + return current_cap();
58392 + else if (cap_raised(current_cap(), CAP_NET_ADMIN) &&
58393 + ((sock->sk_protocol == NETLINK_ROUTE) ?
58394 + gr_is_capable_nolog(CAP_NET_ADMIN) :
58395 + gr_is_capable(CAP_NET_ADMIN)))
58396 + return current_cap();
58397 + else
58398 + return __cap_empty_set;
58399 +#else
58400 + return current_cap();
58401 +#endif
58402 +}
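Review bot: In `gr_del_task_from_ip_table_nolock`, removing an entry that sits at the head of its bucket sets `gr_conn_table[index] = NULL`, which discards every other entry chained behind it. Those `conn_table_entry` allocations are then never freed and can no longer be found by `gr_lookup_task_ip_table`. As a result `gr_attach_curr_ip` falls back to `inet->daddr` for connections that merely collided in the hash, so the recorded `curr_ip` may not be the one stored for that connection. The head case should relink the same way the non-head case does: `gr_conn_table[index] = match->next;`.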
58403 diff -urNp linux-2.6.32.46/grsecurity/grsec_sysctl.c linux-2.6.32.46/grsecurity/grsec_sysctl.c
58404 --- linux-2.6.32.46/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
58405 +++ linux-2.6.32.46/grsecurity/grsec_sysctl.c 2011-08-11 19:57:54.000000000 -0400
58406 @@ -0,0 +1,479 @@
58407 +#include <linux/kernel.h>
58408 +#include <linux/sched.h>
58409 +#include <linux/sysctl.h>
58410 +#include <linux/grsecurity.h>
58411 +#include <linux/grinternal.h>
58412 +
58413 +int
58414 +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
58415 +{
58416 +#ifdef CONFIG_GRKERNSEC_SYSCTL
58417 + if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
58418 + gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
58419 + return -EACCES;
58420 + }
58421 +#endif
58422 + return 0;
58423 +}
58424 +
58425 +#ifdef CONFIG_GRKERNSEC_ROFS
58426 +static int __maybe_unused one = 1;
58427 +#endif
58428 +
58429 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
58430 +ctl_table grsecurity_table[] = {
58431 +#ifdef CONFIG_GRKERNSEC_SYSCTL
58432 +#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
58433 +#ifdef CONFIG_GRKERNSEC_IO
58434 + {
58435 + .ctl_name = CTL_UNNUMBERED,
58436 + .procname = "disable_priv_io",
58437 + .data = &grsec_disable_privio,
58438 + .maxlen = sizeof(int),
58439 + .mode = 0600,
58440 + .proc_handler = &proc_dointvec,
58441 + },
58442 +#endif
58443 +#endif
58444 +#ifdef CONFIG_GRKERNSEC_LINK
58445 + {
58446 + .ctl_name = CTL_UNNUMBERED,
58447 + .procname = "linking_restrictions",
58448 + .data = &grsec_enable_link,
58449 + .maxlen = sizeof(int),
58450 + .mode = 0600,
58451 + .proc_handler = &proc_dointvec,
58452 + },
58453 +#endif
58454 +#ifdef CONFIG_GRKERNSEC_BRUTE
58455 + {
58456 + .ctl_name = CTL_UNNUMBERED,
58457 + .procname = "deter_bruteforce",
58458 + .data = &grsec_enable_brute,
58459 + .maxlen = sizeof(int),
58460 + .mode = 0600,
58461 + .proc_handler = &proc_dointvec,
58462 + },
58463 +#endif
58464 +#ifdef CONFIG_GRKERNSEC_FIFO
58465 + {
58466 + .ctl_name = CTL_UNNUMBERED,
58467 + .procname = "fifo_restrictions",
58468 + .data = &grsec_enable_fifo,
58469 + .maxlen = sizeof(int),
58470 + .mode = 0600,
58471 + .proc_handler = &proc_dointvec,
58472 + },
58473 +#endif
58474 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58475 + {
58476 + .ctl_name = CTL_UNNUMBERED,
58477 + .procname = "ip_blackhole",
58478 + .data = &grsec_enable_blackhole,
58479 + .maxlen = sizeof(int),
58480 + .mode = 0600,
58481 + .proc_handler = &proc_dointvec,
58482 + },
58483 + {
58484 + .ctl_name = CTL_UNNUMBERED,
58485 + .procname = "lastack_retries",
58486 + .data = &grsec_lastack_retries,
58487 + .maxlen = sizeof(int),
58488 + .mode = 0600,
58489 + .proc_handler = &proc_dointvec,
58490 + },
58491 +#endif
58492 +#ifdef CONFIG_GRKERNSEC_EXECLOG
58493 + {
58494 + .ctl_name = CTL_UNNUMBERED,
58495 + .procname = "exec_logging",
58496 + .data = &grsec_enable_execlog,
58497 + .maxlen = sizeof(int),
58498 + .mode = 0600,
58499 + .proc_handler = &proc_dointvec,
58500 + },
58501 +#endif
58502 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
58503 + {
58504 + .ctl_name = CTL_UNNUMBERED,
58505 + .procname = "rwxmap_logging",
58506 + .data = &grsec_enable_log_rwxmaps,
58507 + .maxlen = sizeof(int),
58508 + .mode = 0600,
58509 + .proc_handler = &proc_dointvec,
58510 + },
58511 +#endif
58512 +#ifdef CONFIG_GRKERNSEC_SIGNAL
58513 + {
58514 + .ctl_name = CTL_UNNUMBERED,
58515 + .procname = "signal_logging",
58516 + .data = &grsec_enable_signal,
58517 + .maxlen = sizeof(int),
58518 + .mode = 0600,
58519 + .proc_handler = &proc_dointvec,
58520 + },
58521 +#endif
58522 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
58523 + {
58524 + .ctl_name = CTL_UNNUMBERED,
58525 + .procname = "forkfail_logging",
58526 + .data = &grsec_enable_forkfail,
58527 + .maxlen = sizeof(int),
58528 + .mode = 0600,
58529 + .proc_handler = &proc_dointvec,
58530 + },
58531 +#endif
58532 +#ifdef CONFIG_GRKERNSEC_TIME
58533 + {
58534 + .ctl_name = CTL_UNNUMBERED,
58535 + .procname = "timechange_logging",
58536 + .data = &grsec_enable_time,
58537 + .maxlen = sizeof(int),
58538 + .mode = 0600,
58539 + .proc_handler = &proc_dointvec,
58540 + },
58541 +#endif
58542 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
58543 + {
58544 + .ctl_name = CTL_UNNUMBERED,
58545 + .procname = "chroot_deny_shmat",
58546 + .data = &grsec_enable_chroot_shmat,
58547 + .maxlen = sizeof(int),
58548 + .mode = 0600,
58549 + .proc_handler = &proc_dointvec,
58550 + },
58551 +#endif
58552 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
58553 + {
58554 + .ctl_name = CTL_UNNUMBERED,
58555 + .procname = "chroot_deny_unix",
58556 + .data = &grsec_enable_chroot_unix,
58557 + .maxlen = sizeof(int),
58558 + .mode = 0600,
58559 + .proc_handler = &proc_dointvec,
58560 + },
58561 +#endif
58562 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
58563 + {
58564 + .ctl_name = CTL_UNNUMBERED,
58565 + .procname = "chroot_deny_mount",
58566 + .data = &grsec_enable_chroot_mount,
58567 + .maxlen = sizeof(int),
58568 + .mode = 0600,
58569 + .proc_handler = &proc_dointvec,
58570 + },
58571 +#endif
58572 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
58573 + {
58574 + .ctl_name = CTL_UNNUMBERED,
58575 + .procname = "chroot_deny_fchdir",
58576 + .data = &grsec_enable_chroot_fchdir,
58577 + .maxlen = sizeof(int),
58578 + .mode = 0600,
58579 + .proc_handler = &proc_dointvec,
58580 + },
58581 +#endif
58582 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
58583 + {
58584 + .ctl_name = CTL_UNNUMBERED,
58585 + .procname = "chroot_deny_chroot",
58586 + .data = &grsec_enable_chroot_double,
58587 + .maxlen = sizeof(int),
58588 + .mode = 0600,
58589 + .proc_handler = &proc_dointvec,
58590 + },
58591 +#endif
58592 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
58593 + {
58594 + .ctl_name = CTL_UNNUMBERED,
58595 + .procname = "chroot_deny_pivot",
58596 + .data = &grsec_enable_chroot_pivot,
58597 + .maxlen = sizeof(int),
58598 + .mode = 0600,
58599 + .proc_handler = &proc_dointvec,
58600 + },
58601 +#endif
58602 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
58603 + {
58604 + .ctl_name = CTL_UNNUMBERED,
58605 + .procname = "chroot_enforce_chdir",
58606 + .data = &grsec_enable_chroot_chdir,
58607 + .maxlen = sizeof(int),
58608 + .mode = 0600,
58609 + .proc_handler = &proc_dointvec,
58610 + },
58611 +#endif
58612 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
58613 + {
58614 + .ctl_name = CTL_UNNUMBERED,
58615 + .procname = "chroot_deny_chmod",
58616 + .data = &grsec_enable_chroot_chmod,
58617 + .maxlen = sizeof(int),
58618 + .mode = 0600,
58619 + .proc_handler = &proc_dointvec,
58620 + },
58621 +#endif
58622 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
58623 + {
58624 + .ctl_name = CTL_UNNUMBERED,
58625 + .procname = "chroot_deny_mknod",
58626 + .data = &grsec_enable_chroot_mknod,
58627 + .maxlen = sizeof(int),
58628 + .mode = 0600,
58629 + .proc_handler = &proc_dointvec,
58630 + },
58631 +#endif
58632 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
58633 + {
58634 + .ctl_name = CTL_UNNUMBERED,
58635 + .procname = "chroot_restrict_nice",
58636 + .data = &grsec_enable_chroot_nice,
58637 + .maxlen = sizeof(int),
58638 + .mode = 0600,
58639 + .proc_handler = &proc_dointvec,
58640 + },
58641 +#endif
58642 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
58643 + {
58644 + .ctl_name = CTL_UNNUMBERED,
58645 + .procname = "chroot_execlog",
58646 + .data = &grsec_enable_chroot_execlog,
58647 + .maxlen = sizeof(int),
58648 + .mode = 0600,
58649 + .proc_handler = &proc_dointvec,
58650 + },
58651 +#endif
58652 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
58653 + {
58654 + .ctl_name = CTL_UNNUMBERED,
58655 + .procname = "chroot_caps",
58656 + .data = &grsec_enable_chroot_caps,
58657 + .maxlen = sizeof(int),
58658 + .mode = 0600,
58659 + .proc_handler = &proc_dointvec,
58660 + },
58661 +#endif
58662 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
58663 + {
58664 + .ctl_name = CTL_UNNUMBERED,
58665 + .procname = "chroot_deny_sysctl",
58666 + .data = &grsec_enable_chroot_sysctl,
58667 + .maxlen = sizeof(int),
58668 + .mode = 0600,
58669 + .proc_handler = &proc_dointvec,
58670 + },
58671 +#endif
58672 +#ifdef CONFIG_GRKERNSEC_TPE
58673 + {
58674 + .ctl_name = CTL_UNNUMBERED,
58675 + .procname = "tpe",
58676 + .data = &grsec_enable_tpe,
58677 + .maxlen = sizeof(int),
58678 + .mode = 0600,
58679 + .proc_handler = &proc_dointvec,
58680 + },
58681 + {
58682 + .ctl_name = CTL_UNNUMBERED,
58683 + .procname = "tpe_gid",
58684 + .data = &grsec_tpe_gid,
58685 + .maxlen = sizeof(int),
58686 + .mode = 0600,
58687 + .proc_handler = &proc_dointvec,
58688 + },
58689 +#endif
58690 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
58691 + {
58692 + .ctl_name = CTL_UNNUMBERED,
58693 + .procname = "tpe_invert",
58694 + .data = &grsec_enable_tpe_invert,
58695 + .maxlen = sizeof(int),
58696 + .mode = 0600,
58697 + .proc_handler = &proc_dointvec,
58698 + },
58699 +#endif
58700 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
58701 + {
58702 + .ctl_name = CTL_UNNUMBERED,
58703 + .procname = "tpe_restrict_all",
58704 + .data = &grsec_enable_tpe_all,
58705 + .maxlen = sizeof(int),
58706 + .mode = 0600,
58707 + .proc_handler = &proc_dointvec,
58708 + },
58709 +#endif
58710 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
58711 + {
58712 + .ctl_name = CTL_UNNUMBERED,
58713 + .procname = "socket_all",
58714 + .data = &grsec_enable_socket_all,
58715 + .maxlen = sizeof(int),
58716 + .mode = 0600,
58717 + .proc_handler = &proc_dointvec,
58718 + },
58719 + {
58720 + .ctl_name = CTL_UNNUMBERED,
58721 + .procname = "socket_all_gid",
58722 + .data = &grsec_socket_all_gid,
58723 + .maxlen = sizeof(int),
58724 + .mode = 0600,
58725 + .proc_handler = &proc_dointvec,
58726 + },
58727 +#endif
58728 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
58729 + {
58730 + .ctl_name = CTL_UNNUMBERED,
58731 + .procname = "socket_client",
58732 + .data = &grsec_enable_socket_client,
58733 + .maxlen = sizeof(int),
58734 + .mode = 0600,
58735 + .proc_handler = &proc_dointvec,
58736 + },
58737 + {
58738 + .ctl_name = CTL_UNNUMBERED,
58739 + .procname = "socket_client_gid",
58740 + .data = &grsec_socket_client_gid,
58741 + .maxlen = sizeof(int),
58742 + .mode = 0600,
58743 + .proc_handler = &proc_dointvec,
58744 + },
58745 +#endif
58746 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
58747 + {
58748 + .ctl_name = CTL_UNNUMBERED,
58749 + .procname = "socket_server",
58750 + .data = &grsec_enable_socket_server,
58751 + .maxlen = sizeof(int),
58752 + .mode = 0600,
58753 + .proc_handler = &proc_dointvec,
58754 + },
58755 + {
58756 + .ctl_name = CTL_UNNUMBERED,
58757 + .procname = "socket_server_gid",
58758 + .data = &grsec_socket_server_gid,
58759 + .maxlen = sizeof(int),
58760 + .mode = 0600,
58761 + .proc_handler = &proc_dointvec,
58762 + },
58763 +#endif
58764 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
58765 + {
58766 + .ctl_name = CTL_UNNUMBERED,
58767 + .procname = "audit_group",
58768 + .data = &grsec_enable_group,
58769 + .maxlen = sizeof(int),
58770 + .mode = 0600,
58771 + .proc_handler = &proc_dointvec,
58772 + },
58773 + {
58774 + .ctl_name = CTL_UNNUMBERED,
58775 + .procname = "audit_gid",
58776 + .data = &grsec_audit_gid,
58777 + .maxlen = sizeof(int),
58778 + .mode = 0600,
58779 + .proc_handler = &proc_dointvec,
58780 + },
58781 +#endif
58782 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
58783 + {
58784 + .ctl_name = CTL_UNNUMBERED,
58785 + .procname = "audit_chdir",
58786 + .data = &grsec_enable_chdir,
58787 + .maxlen = sizeof(int),
58788 + .mode = 0600,
58789 + .proc_handler = &proc_dointvec,
58790 + },
58791 +#endif
58792 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
58793 + {
58794 + .ctl_name = CTL_UNNUMBERED,
58795 + .procname = "audit_mount",
58796 + .data = &grsec_enable_mount,
58797 + .maxlen = sizeof(int),
58798 + .mode = 0600,
58799 + .proc_handler = &proc_dointvec,
58800 + },
58801 +#endif
58802 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
58803 + {
58804 + .ctl_name = CTL_UNNUMBERED,
58805 + .procname = "audit_textrel",
58806 + .data = &grsec_enable_audit_textrel,
58807 + .maxlen = sizeof(int),
58808 + .mode = 0600,
58809 + .proc_handler = &proc_dointvec,
58810 + },
58811 +#endif
58812 +#ifdef CONFIG_GRKERNSEC_DMESG
58813 + {
58814 + .ctl_name = CTL_UNNUMBERED,
58815 + .procname = "dmesg",
58816 + .data = &grsec_enable_dmesg,
58817 + .maxlen = sizeof(int),
58818 + .mode = 0600,
58819 + .proc_handler = &proc_dointvec,
58820 + },
58821 +#endif
58822 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
58823 + {
58824 + .ctl_name = CTL_UNNUMBERED,
58825 + .procname = "chroot_findtask",
58826 + .data = &grsec_enable_chroot_findtask,
58827 + .maxlen = sizeof(int),
58828 + .mode = 0600,
58829 + .proc_handler = &proc_dointvec,
58830 + },
58831 +#endif
58832 +#ifdef CONFIG_GRKERNSEC_RESLOG
58833 + {
58834 + .ctl_name = CTL_UNNUMBERED,
58835 + .procname = "resource_logging",
58836 + .data = &grsec_resource_logging,
58837 + .maxlen = sizeof(int),
58838 + .mode = 0600,
58839 + .proc_handler = &proc_dointvec,
58840 + },
58841 +#endif
58842 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
58843 + {
58844 + .ctl_name = CTL_UNNUMBERED,
58845 + .procname = "audit_ptrace",
58846 + .data = &grsec_enable_audit_ptrace,
58847 + .maxlen = sizeof(int),
58848 + .mode = 0600,
58849 + .proc_handler = &proc_dointvec,
58850 + },
58851 +#endif
58852 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
58853 + {
58854 + .ctl_name = CTL_UNNUMBERED,
58855 + .procname = "harden_ptrace",
58856 + .data = &grsec_enable_harden_ptrace,
58857 + .maxlen = sizeof(int),
58858 + .mode = 0600,
58859 + .proc_handler = &proc_dointvec,
58860 + },
58861 +#endif
58862 + {
58863 + .ctl_name = CTL_UNNUMBERED,
58864 + .procname = "grsec_lock",
58865 + .data = &grsec_lock,
58866 + .maxlen = sizeof(int),
58867 + .mode = 0600,
58868 + .proc_handler = &proc_dointvec,
58869 + },
58870 +#endif
58871 +#ifdef CONFIG_GRKERNSEC_ROFS
58872 + {
58873 + .ctl_name = CTL_UNNUMBERED,
58874 + .procname = "romount_protect",
58875 + .data = &grsec_enable_rofs,
58876 + .maxlen = sizeof(int),
58877 + .mode = 0600,
58878 + .proc_handler = &proc_dointvec_minmax,
58879 + .extra1 = &one,
58880 + .extra2 = &one,
58881 + },
58882 +#endif
58883 + { .ctl_name = 0 }
58884 +};
58885 +#endif
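Review bot: The gid entries (`tpe_gid`, `socket_all_gid`, `socket_client_gid`, `socket_server_gid`, `audit_gid`) and all the on/off toggles use plain `proc_dointvec`, so a negative or otherwise out-of-range value is stored exactly as written; the declared types of the backing variables are not visible in this hunk. Only `romount_protect` bounds its input, through `proc_dointvec_minmax` with `extra1`/`extra2`. Consider the same handler with a zero lower bound for the gid fields and a 0..1 range for the toggles, e.g. `.proc_handler = &proc_dointvec_minmax, .extra1 = &zero, .extra2 = &one,`, where `zero` is a new file-local int and `one` is no longer limited to `CONFIG_GRKERNSEC_ROFS`. Two comments would also help an auditor: on `romount_protect`, `/* min == max == 1: can be switched on at runtime, never off */`, and on `grsec_lock`, a line noting that `gr_handle_sysctl_mod` rejects writes under "grsecurity" once it is non-zero.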
58886 diff -urNp linux-2.6.32.46/grsecurity/grsec_time.c linux-2.6.32.46/grsecurity/grsec_time.c
58887 --- linux-2.6.32.46/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
58888 +++ linux-2.6.32.46/grsecurity/grsec_time.c 2011-04-17 15:56:46.000000000 -0400
58889 @@ -0,0 +1,16 @@
58890 +#include <linux/kernel.h>
58891 +#include <linux/sched.h>
58892 +#include <linux/grinternal.h>
58893 +#include <linux/module.h>
58894 +
58895 +void
58896 +gr_log_timechange(void)
58897 +{
58898 +#ifdef CONFIG_GRKERNSEC_TIME
58899 + if (grsec_enable_time)
58900 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
58901 +#endif
58902 + return;
58903 +}
58904 +
58905 +EXPORT_SYMBOL(gr_log_timechange);
58906 diff -urNp linux-2.6.32.46/grsecurity/grsec_tpe.c linux-2.6.32.46/grsecurity/grsec_tpe.c
58907 --- linux-2.6.32.46/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
58908 +++ linux-2.6.32.46/grsecurity/grsec_tpe.c 2011-04-17 15:56:46.000000000 -0400
58909 @@ -0,0 +1,39 @@
58910 +#include <linux/kernel.h>
58911 +#include <linux/sched.h>
58912 +#include <linux/file.h>
58913 +#include <linux/fs.h>
58914 +#include <linux/grinternal.h>
58915 +
58916 +extern int gr_acl_tpe_check(void);
58917 +
58918 +int
58919 +gr_tpe_allow(const struct file *file)
58920 +{
58921 +#ifdef CONFIG_GRKERNSEC
58922 + struct inode *inode = file->f_path.dentry->d_parent->d_inode;
58923 + const struct cred *cred = current_cred();
58924 +
58925 + if (cred->uid && ((grsec_enable_tpe &&
58926 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
58927 + ((grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid)) ||
58928 + (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid)))
58929 +#else
58930 + in_group_p(grsec_tpe_gid)
58931 +#endif
58932 + ) || gr_acl_tpe_check()) &&
58933 + (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
58934 + (inode->i_mode & S_IWOTH))))) {
58935 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
58936 + return 0;
58937 + }
58938 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
58939 + if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
58940 + ((inode->i_uid && (inode->i_uid != cred->uid)) ||
58941 + (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
58942 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
58943 + return 0;
58944 + }
58945 +#endif
58946 +#endif
58947 + return 1;
58948 +}
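Review bot: `gr_tpe_allow` reads `file->f_path.dentry->d_parent->d_inode` without taking a reference on the parent or holding `d_lock`, so a concurrent rename of the file could change `d_parent` while the owner and mode bits are being tested. Whether callers hold anything that prevents this is not visible in this hunk. Pinning the parent with `dget_parent()` and releasing it with `dput()` on every exit makes the trust decision use one stable directory. Separately, the `!inode->i_uid` inside `(inode->i_uid || (!inode->i_uid && ...))` is redundant. A short header comment stating the policy (return 0 when the parent directory is not root-owned or is group/world-writable) would make the nested condition easier to audit.

```c
	struct dentry *parent = dget_parent(file->f_path.dentry);
	struct inode *inode = parent->d_inode;
	const struct cred *cred = current_cred();

	/* … unchanged: first TPE condition … */
		gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
		dput(parent);
		return 0;
	}
	/* … unchanged: CONFIG_GRKERNSEC_TPE_ALL block, with the same dput(parent) before its return 0 … */
	dput(parent);
#endif	/* CONFIG_GRKERNSEC */
	return 1;
```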
58949 diff -urNp linux-2.6.32.46/grsecurity/grsum.c linux-2.6.32.46/grsecurity/grsum.c
58950 --- linux-2.6.32.46/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
58951 +++ linux-2.6.32.46/grsecurity/grsum.c 2011-04-17 15:56:46.000000000 -0400
58952 @@ -0,0 +1,61 @@
58953 +#include <linux/err.h>
58954 +#include <linux/kernel.h>
58955 +#include <linux/sched.h>
58956 +#include <linux/mm.h>
58957 +#include <linux/scatterlist.h>
58958 +#include <linux/crypto.h>
58959 +#include <linux/gracl.h>
58960 +
58961 +
58962 +#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
58963 +#error "crypto and sha256 must be built into the kernel"
58964 +#endif
58965 +
58966 +int
58967 +chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
58968 +{
58969 + char *p;
58970 + struct crypto_hash *tfm;
58971 + struct hash_desc desc;
58972 + struct scatterlist sg;
58973 + unsigned char temp_sum[GR_SHA_LEN];
58974 + volatile int retval = 0;
58975 + volatile int dummy = 0;
58976 + unsigned int i;
58977 +
58978 + sg_init_table(&sg, 1);
58979 +
58980 + tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
58981 + if (IS_ERR(tfm)) {
58982 + /* should never happen, since sha256 should be built in */
58983 + return 1;
58984 + }
58985 +
58986 + desc.tfm = tfm;
58987 + desc.flags = 0;
58988 +
58989 + crypto_hash_init(&desc);
58990 +
58991 + p = salt;
58992 + sg_set_buf(&sg, p, GR_SALT_LEN);
58993 + crypto_hash_update(&desc, &sg, sg.length);
58994 +
58995 + p = entry->pw;
58996 + sg_set_buf(&sg, p, strlen(p));
58997 +
58998 + crypto_hash_update(&desc, &sg, sg.length);
58999 +
59000 + crypto_hash_final(&desc, temp_sum);
59001 +
59002 + memset(entry->pw, 0, GR_PW_LEN);
59003 +
59004 + for (i = 0; i < GR_SHA_LEN; i++)
59005 + if (sum[i] != temp_sum[i])
59006 + retval = 1;
59007 + else
59008 + dummy = 1; // waste a cycle
59009 +
59010 + crypto_free_hash(tfm);
59011 +
59012 + return retval;
59013 +}
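Review bot: `chkpw` ignores the return values of `crypto_hash_init`, `crypto_hash_update` and `crypto_hash_final`, so if any of them fails the comparison loop runs against whatever is in the uninitialised `temp_sum` stack buffer. Each call should be checked and a failure treated as a mismatch, for example `if (crypto_hash_final(&desc, temp_sum)) retval = 1;`. The early `return 1` on `IS_ERR(tfm)` also skips `memset(entry->pw, 0, GR_PW_LEN)`, leaving the submitted password in `entry->pw` on that path; repeating the wipe before that return closes it. `strlen(p)` on `entry->pw` relies on the caller having NUL-terminated the buffer within `GR_PW_LEN`, which is not visible here and deserves a comment at the call.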
59014 diff -urNp linux-2.6.32.46/grsecurity/Kconfig linux-2.6.32.46/grsecurity/Kconfig
59015 --- linux-2.6.32.46/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
59016 +++ linux-2.6.32.46/grsecurity/Kconfig 2011-09-15 00:00:38.000000000 -0400
59017 @@ -0,0 +1,1037 @@
59018 +#
59019 +# grecurity configuration
59020 +#
59021 +
59022 +menu "Grsecurity"
59023 +
59024 +config GRKERNSEC
59025 + bool "Grsecurity"
59026 + select CRYPTO
59027 + select CRYPTO_SHA256
59028 + help
59029 + If you say Y here, you will be able to configure many features
59030 + that will enhance the security of your system. It is highly
59031 + recommended that you say Y here and read through the help
59032 + for each option so that you fully understand the features and
59033 + can evaluate their usefulness for your machine.
59034 +
59035 +choice
59036 + prompt "Security Level"
59037 + depends on GRKERNSEC
59038 + default GRKERNSEC_CUSTOM
59039 +
59040 +config GRKERNSEC_LOW
59041 + bool "Low"
59042 + select GRKERNSEC_LINK
59043 + select GRKERNSEC_FIFO
59044 + select GRKERNSEC_RANDNET
59045 + select GRKERNSEC_DMESG
59046 + select GRKERNSEC_CHROOT
59047 + select GRKERNSEC_CHROOT_CHDIR
59048 +
59049 + help
59050 + If you choose this option, several of the grsecurity options will
59051 + be enabled that will give you greater protection against a number
59052 + of attacks, while assuring that none of your software will have any
59053 + conflicts with the additional security measures. If you run a lot
59054 + of unusual software, or you are having problems with the higher
59055 + security levels, you should say Y here. With this option, the
59056 + following features are enabled:
59057 +
59058 + - Linking restrictions
59059 + - FIFO restrictions
59060 + - Restricted dmesg
59061 + - Enforced chdir("/") on chroot
59062 + - Runtime module disabling
59063 +
59064 +config GRKERNSEC_MEDIUM
59065 + bool "Medium"
59066 + select PAX
59067 + select PAX_EI_PAX
59068 + select PAX_PT_PAX_FLAGS
59069 + select PAX_HAVE_ACL_FLAGS
59070 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
59071 + select GRKERNSEC_CHROOT
59072 + select GRKERNSEC_CHROOT_SYSCTL
59073 + select GRKERNSEC_LINK
59074 + select GRKERNSEC_FIFO
59075 + select GRKERNSEC_DMESG
59076 + select GRKERNSEC_RANDNET
59077 + select GRKERNSEC_FORKFAIL
59078 + select GRKERNSEC_TIME
59079 + select GRKERNSEC_SIGNAL
59080 + select GRKERNSEC_CHROOT
59081 + select GRKERNSEC_CHROOT_UNIX
59082 + select GRKERNSEC_CHROOT_MOUNT
59083 + select GRKERNSEC_CHROOT_PIVOT
59084 + select GRKERNSEC_CHROOT_DOUBLE
59085 + select GRKERNSEC_CHROOT_CHDIR
59086 + select GRKERNSEC_CHROOT_MKNOD
59087 + select GRKERNSEC_PROC
59088 + select GRKERNSEC_PROC_USERGROUP
59089 + select PAX_RANDUSTACK
59090 + select PAX_ASLR
59091 + select PAX_RANDMMAP
59092 + select PAX_REFCOUNT if (X86 || SPARC64)
59093 + select PAX_USERCOPY if ((X86 || SPARC || PPC || ARM) && (SLAB || SLUB || SLOB))
59094 +
59095 + help
59096 + If you say Y here, several features in addition to those included
59097 + in the low additional security level will be enabled. These
59098 + features provide even more security to your system, though in rare
59099 + cases they may be incompatible with very old or poorly written
59100 + software. If you enable this option, make sure that your auth
59101 + service (identd) is running as gid 1001. With this option,
59102 + the following features (in addition to those provided in the
59103 + low additional security level) will be enabled:
59104 +
59105 + - Failed fork logging
59106 + - Time change logging
59107 + - Signal logging
59108 + - Deny mounts in chroot
59109 + - Deny double chrooting
59110 + - Deny sysctl writes in chroot
59111 + - Deny mknod in chroot
59112 + - Deny access to abstract AF_UNIX sockets out of chroot
59113 + - Deny pivot_root in chroot
59114 + - Denied writes of /dev/kmem, /dev/mem, and /dev/port
59115 + - /proc restrictions with special GID set to 10 (usually wheel)
59116 + - Address Space Layout Randomization (ASLR)
59117 + - Prevent exploitation of most refcount overflows
59118 + - Bounds checking of copying between the kernel and userland
59119 +
59120 +config GRKERNSEC_HIGH
59121 + bool "High"
59122 + select GRKERNSEC_LINK
59123 + select GRKERNSEC_FIFO
59124 + select GRKERNSEC_DMESG
59125 + select GRKERNSEC_FORKFAIL
59126 + select GRKERNSEC_TIME
59127 + select GRKERNSEC_SIGNAL
59128 + select GRKERNSEC_CHROOT
59129 + select GRKERNSEC_CHROOT_SHMAT
59130 + select GRKERNSEC_CHROOT_UNIX
59131 + select GRKERNSEC_CHROOT_MOUNT
59132 + select GRKERNSEC_CHROOT_FCHDIR
59133 + select GRKERNSEC_CHROOT_PIVOT
59134 + select GRKERNSEC_CHROOT_DOUBLE
59135 + select GRKERNSEC_CHROOT_CHDIR
59136 + select GRKERNSEC_CHROOT_MKNOD
59137 + select GRKERNSEC_CHROOT_CAPS
59138 + select GRKERNSEC_CHROOT_SYSCTL
59139 + select GRKERNSEC_CHROOT_FINDTASK
59140 + select GRKERNSEC_SYSFS_RESTRICT
59141 + select GRKERNSEC_PROC
59142 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
59143 + select GRKERNSEC_HIDESYM
59144 + select GRKERNSEC_BRUTE
59145 + select GRKERNSEC_PROC_USERGROUP
59146 + select GRKERNSEC_KMEM
59147 + select GRKERNSEC_RESLOG
59148 + select GRKERNSEC_RANDNET
59149 + select GRKERNSEC_PROC_ADD
59150 + select GRKERNSEC_CHROOT_CHMOD
59151 + select GRKERNSEC_CHROOT_NICE
59152 + select GRKERNSEC_AUDIT_MOUNT
59153 + select GRKERNSEC_MODHARDEN if (MODULES)
59154 + select GRKERNSEC_HARDEN_PTRACE
59155 + select GRKERNSEC_VM86 if (X86_32)
59156 + select GRKERNSEC_KERN_LOCKOUT if (X86 || ARM || PPC || SPARC)
59157 + select PAX
59158 + select PAX_RANDUSTACK
59159 + select PAX_ASLR
59160 + select PAX_RANDMMAP
59161 + select PAX_NOEXEC
59162 + select PAX_MPROTECT
59163 + select PAX_EI_PAX
59164 + select PAX_PT_PAX_FLAGS
59165 + select PAX_HAVE_ACL_FLAGS
59166 + select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
59167 + select PAX_MEMORY_UDEREF if (X86 && !XEN)
59168 + select PAX_RANDKSTACK if (X86_TSC && X86)
59169 + select PAX_SEGMEXEC if (X86_32)
59170 + select PAX_PAGEEXEC
59171 + select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
59172 + select PAX_EMUTRAMP if (PARISC)
59173 + select PAX_EMUSIGRT if (PARISC)
59174 + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
59175 + select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
59176 + select PAX_REFCOUNT if (X86 || SPARC64)
59177 + select PAX_USERCOPY if ((X86 || SPARC || PPC || ARM) && (SLAB || SLUB || SLOB))
59178 + help
59179 + If you say Y here, many of the features of grsecurity will be
59180 + enabled, which will protect you against many kinds of attacks
59181 + against your system. The heightened security comes at a cost
59182 + of an increased chance of incompatibilities with rare software
59183 + on your machine. Since this security level enables PaX, you should
59184 + view <http://pax.grsecurity.net> and read about the PaX
59185 + project. While you are there, download chpax and run it on
59186 + binaries that cause problems with PaX. Also remember that
59187 + since the /proc restrictions are enabled, you must run your
59188 + identd as gid 1001. This security level enables the following
59189 + features in addition to those listed in the low and medium
59190 + security levels:
59191 +
59192 + - Additional /proc restrictions
59193 + - Chmod restrictions in chroot
59194 + - No signals, ptrace, or viewing of processes outside of chroot
59195 + - Capability restrictions in chroot
59196 + - Deny fchdir out of chroot
59197 + - Priority restrictions in chroot
59198 + - Segmentation-based implementation of PaX
59199 + - Mprotect restrictions
59200 + - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
59201 + - Kernel stack randomization
59202 + - Mount/unmount/remount logging
59203 + - Kernel symbol hiding
59204 + - Prevention of memory exhaustion-based exploits
59205 + - Hardening of module auto-loading
59206 + - Ptrace restrictions
59207 + - Restricted vm86 mode
59208 + - Restricted sysfs/debugfs
59209 + - Active kernel exploit response
59210 +
59211 +config GRKERNSEC_CUSTOM
59212 + bool "Custom"
59213 + help
59214 + If you say Y here, you will be able to configure every grsecurity
59215 + option, which allows you to enable many more features that aren't
59216 + covered in the basic security levels. These additional features
59217 + include TPE, socket restrictions, and the sysctl system for
59218 + grsecurity. It is advised that you read through the help for
59219 + each option to determine its usefulness in your situation.
59220 +
59221 +endchoice
59222 +
59223 +menu "Address Space Protection"
59224 +depends on GRKERNSEC
59225 +
59226 +config GRKERNSEC_KMEM
59227 + bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
59228 + select STRICT_DEVMEM if (X86 || ARM || TILE || S390)
59229 + help
59230 + If you say Y here, /dev/kmem and /dev/mem won't be allowed to
59231 + be written to via mmap or otherwise to modify the running kernel.
59232 + /dev/port will also not be allowed to be opened. If you have module
59233 + support disabled, enabling this will close up four ways that are
59234 + currently used to insert malicious code into the running kernel.
59235 + Even with all these features enabled, we still highly recommend that
59236 + you use the RBAC system, as it is still possible for an attacker to
59237 + modify the running kernel through privileged I/O granted by ioperm/iopl.
59238 + If you are not using XFree86, you may be able to stop this additional
59239 + case by enabling the 'Disable privileged I/O' option. Though nothing
59240 + legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
59241 + but only to video memory, which is the only writing we allow in this
59242 + case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
59243 + not be allowed to mprotect it with PROT_WRITE later.
59244 + It is highly recommended that you say Y here if you meet all the
59245 + conditions above.
59246 +
59247 +config GRKERNSEC_VM86
59248 + bool "Restrict VM86 mode"
59249 + depends on X86_32
59250 +
59251 + help
59252 + If you say Y here, only processes with CAP_SYS_RAWIO will be able to
59253 + make use of a special execution mode on 32bit x86 processors called
59254 + Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
59255 + video cards and will still work with this option enabled. The purpose
59256 + of the option is to prevent exploitation of emulation errors in
59257 + virtualization of vm86 mode like the one discovered in VMWare in 2009.
59258 + Nearly all users should be able to enable this option.
59259 +
59260 +config GRKERNSEC_IO
59261 + bool "Disable privileged I/O"
59262 + depends on X86
59263 + select RTC_CLASS
59264 + select RTC_INTF_DEV
59265 + select RTC_DRV_CMOS
59266 +
59267 + help
59268 + If you say Y here, all ioperm and iopl calls will return an error.
59269 + Ioperm and iopl can be used to modify the running kernel.
59270 + Unfortunately, some programs need this access to operate properly,
59271 + the most notable of which are XFree86 and hwclock. hwclock can be
59272 + remedied by having RTC support in the kernel, so real-time
59273 + clock support is enabled if this option is enabled, to ensure
59274 + that hwclock operates correctly. XFree86 still will not
59275 + operate correctly with this option enabled, so DO NOT CHOOSE Y
59276 + IF YOU USE XFree86. If you use XFree86 and you still want to
59277 + protect your kernel against modification, use the RBAC system.
59278 +
59279 +config GRKERNSEC_PROC_MEMMAP
59280 + bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
59281 + default y if (PAX_NOEXEC || PAX_ASLR)
59282 + depends on PAX_NOEXEC || PAX_ASLR
59283 + help
59284 + If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
59285 + give no information about the addresses of its mappings if
59286 + PaX features that rely on random addresses are enabled on the task.
59287 + If you use PaX it is greatly recommended that you say Y here as it
59288 + closes up a hole that makes the full ASLR useless for suid
59289 + binaries.
59290 +
59291 +config GRKERNSEC_BRUTE
59292 + bool "Deter exploit bruteforcing"
59293 + help
59294 + If you say Y here, attempts to bruteforce exploits against forking
59295 + daemons such as apache or sshd, as well as against suid/sgid binaries
59296 + will be deterred. When a child of a forking daemon is killed by PaX
59297 + or crashes due to an illegal instruction or other suspicious signal,
59298 + the parent process will be delayed 30 seconds upon every subsequent
59299 + fork until the administrator is able to assess the situation and
59300 + restart the daemon.
59301 + In the suid/sgid case, the attempt is logged, the user has all their
59302 + processes terminated, and they are prevented from executing any further
59303 + processes for 15 minutes.
59304 + It is recommended that you also enable signal logging in the auditing
59305 + section so that logs are generated when a process triggers a suspicious
59306 + signal.
59307 + If the sysctl option is enabled, a sysctl option with name
59308 + "deter_bruteforce" is created.
59309 +
59310 +config GRKERNSEC_MODHARDEN
59311 + bool "Harden module auto-loading"
59312 + depends on MODULES
59313 + help
59314 + If you say Y here, module auto-loading in response to use of some
59315 + feature implemented by an unloaded module will be restricted to
59316 + root users. Enabling this option helps defend against attacks
59317 + by unprivileged users who abuse the auto-loading behavior to
59318 + cause a vulnerable module to load that is then exploited.
59319 +
59320 + If this option prevents a legitimate use of auto-loading for a
59321 + non-root user, the administrator can execute modprobe manually
59322 + with the exact name of the module mentioned in the alert log.
59323 + Alternatively, the administrator can add the module to the list
59324 + of modules loaded at boot by modifying init scripts.
59325 +
59326 + Modification of init scripts will most likely be needed on
59327 + Ubuntu servers with encrypted home directory support enabled,
59328 + as the first non-root user logging in will cause the ecb(aes),
59329 + ecb(aes)-all, cbc(aes), and cbc(aes)-all modules to be loaded.
59330 +
59331 +config GRKERNSEC_HIDESYM
59332 + bool "Hide kernel symbols"
59333 + help
59334 + If you say Y here, getting information on loaded modules, and
59335 + displaying all kernel symbols through a syscall will be restricted
59336 + to users with CAP_SYS_MODULE. For software compatibility reasons,
59337 + /proc/kallsyms will be restricted to the root user. The RBAC
59338 + system can hide that entry even from root.
59339 +
59340 + This option also prevents leaking of kernel addresses through
59341 + several /proc entries.
59342 +
59343 + Note that this option is only effective provided the following
59344 + conditions are met:
59345 + 1) The kernel using grsecurity is not precompiled by some distribution
59346 + 2) You have also enabled GRKERNSEC_DMESG
59347 + 3) You are using the RBAC system and hiding other files such as your
59348 + kernel image and System.map. Alternatively, enabling this option
59349 + causes the permissions on /boot, /lib/modules, and the kernel
59350 + source directory to change at compile time to prevent
59351 + reading by non-root users.
59352 + If the above conditions are met, this option will aid in providing a
59353 + useful protection against local kernel exploitation of overflows
59354 + and arbitrary read/write vulnerabilities.
59355 +
59356 +config GRKERNSEC_KERN_LOCKOUT
59357 + bool "Active kernel exploit response"
59358 + depends on X86 || ARM || PPC || SPARC
59359 + help
59360 + If you say Y here, when a PaX alert is triggered due to suspicious
59361 + activity in the kernel (from KERNEXEC/UDEREF/USERCOPY)
59362 + or an OOPs occurs due to bad memory accesses, instead of just
59363 + terminating the offending process (and potentially allowing
59364 + a subsequent exploit from the same user), we will take one of two
59365 + actions:
59366 + If the user was root, we will panic the system
59367 + If the user was non-root, we will log the attempt, terminate
59368 + all processes owned by the user, then prevent them from creating
59369 + any new processes until the system is restarted
59370 + This deters repeated kernel exploitation/bruteforcing attempts
59371 + and is useful for later forensics.
59372 +
59373 +endmenu
59374 +menu "Role Based Access Control Options"
59375 +depends on GRKERNSEC
59376 +
59377 +config GRKERNSEC_RBAC_DEBUG
59378 + bool
59379 +
59380 +config GRKERNSEC_NO_RBAC
59381 + bool "Disable RBAC system"
59382 + help
59383 + If you say Y here, the /dev/grsec device will be removed from the kernel,
59384 + preventing the RBAC system from being enabled. You should only say Y
59385 + here if you have no intention of using the RBAC system, so as to prevent
59386 + an attacker with root access from misusing the RBAC system to hide files
59387 + and processes when loadable module support and /dev/[k]mem have been
59388 + locked down.
59389 +
59390 +config GRKERNSEC_ACL_HIDEKERN
59391 + bool "Hide kernel processes"
59392 + help
59393 + If you say Y here, all kernel threads will be hidden to all
59394 + processes but those whose subject has the "view hidden processes"
59395 + flag.
59396 +
59397 +config GRKERNSEC_ACL_MAXTRIES
59398 + int "Maximum tries before password lockout"
59399 + default 3
59400 + help
59401 + This option enforces the maximum number of times a user can attempt
59402 + to authorize themselves with the grsecurity RBAC system before being
59403 + denied the ability to attempt authorization again for a specified time.
59404 + The lower the number, the harder it will be to brute-force a password.
59405 +
59406 +config GRKERNSEC_ACL_TIMEOUT
59407 + int "Time to wait after max password tries, in seconds"
59408 + default 30
59409 + help
59410 + This option specifies the time the user must wait after attempting to
59411 + authorize to the RBAC system with the maximum number of invalid
59412 + passwords. The higher the number, the harder it will be to brute-force
59413 + a password.
59414 +
59415 +endmenu
59416 +menu "Filesystem Protections"
59417 +depends on GRKERNSEC
59418 +
59419 +config GRKERNSEC_PROC
59420 + bool "Proc restrictions"
59421 + help
59422 + If you say Y here, the permissions of the /proc filesystem
59423 + will be altered to enhance system security and privacy. You MUST
59424 + choose either a user only restriction or a user and group restriction.
59425 + Depending upon the option you choose, you can either restrict users to
59426 + see only the processes they themselves run, or choose a group that can
59427 + view all processes and files normally restricted to root if you choose
59428 + the "restrict to user only" option. NOTE: If you're running identd as
59429 + a non-root user, you will have to run it as the group you specify here.
59430 +
59431 +config GRKERNSEC_PROC_USER
59432 + bool "Restrict /proc to user only"
59433 + depends on GRKERNSEC_PROC
59434 + help
59435 + If you say Y here, non-root users will only be able to view their own
59436 + processes, and restricts them from viewing network-related information,
59437 + and viewing kernel symbol and module information.
59438 +
59439 +config GRKERNSEC_PROC_USERGROUP
59440 + bool "Allow special group"
59441 + depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
59442 + help
59443 + If you say Y here, you will be able to select a group that will be
59444 + able to view all processes and network-related information. If you've
59445 + enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
59446 + remain hidden. This option is useful if you want to run identd as
59447 + a non-root user.
59448 +
59449 +config GRKERNSEC_PROC_GID
59450 + int "GID for special group"
59451 + depends on GRKERNSEC_PROC_USERGROUP
59452 + default 1001
59453 +
59454 +config GRKERNSEC_PROC_ADD
59455 + bool "Additional restrictions"
59456 + depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
59457 + help
59458 + If you say Y here, additional restrictions will be placed on
59459 + /proc that keep normal users from viewing device information and
59460 + slabinfo information that could be useful for exploits.
59461 +
59462 +config GRKERNSEC_LINK
59463 + bool "Linking restrictions"
59464 + help
59465 + If you say Y here, /tmp race exploits will be prevented, since users
59466 + will no longer be able to follow symlinks owned by other users in
59467 + world-writable +t directories (e.g. /tmp), unless the owner of the
59468 + symlink is the owner of the directory. users will also not be
59469 + able to hardlink to files they do not own. If the sysctl option is
59470 + enabled, a sysctl option with name "linking_restrictions" is created.
59471 +
59472 +config GRKERNSEC_FIFO
59473 + bool "FIFO restrictions"
59474 + help
59475 + If you say Y here, users will not be able to write to FIFOs they don't
59476 + own in world-writable +t directories (e.g. /tmp), unless the owner of
59477 + the FIFO is the same owner of the directory it's held in. If the sysctl
59478 + option is enabled, a sysctl option with name "fifo_restrictions" is
59479 + created.
59480 +
59481 +config GRKERNSEC_SYSFS_RESTRICT
59482 + bool "Sysfs/debugfs restriction"
59483 + depends on SYSFS
59484 + help
59485 + If you say Y here, sysfs (the pseudo-filesystem mounted at /sys) and
59486 + any filesystem normally mounted under it (e.g. debugfs) will only
59487 + be accessible by root. These filesystems generally provide access
59488 + to hardware and debug information that isn't appropriate for unprivileged
59489 + users of the system. Sysfs and debugfs have also become a large source
59490 + of new vulnerabilities, ranging from infoleaks to local compromise.
59491 + There has been very little oversight with an eye toward security involved
59492 + in adding new exporters of information to these filesystems, so their
59493 + use is discouraged.
59494 + This option is equivalent to a chmod 0700 of the mount paths.
59495 +
59496 +config GRKERNSEC_ROFS
59497 + bool "Runtime read-only mount protection"
59498 + help
59499 + If you say Y here, a sysctl option with name "romount_protect" will
59500 + be created. By setting this option to 1 at runtime, filesystems
59501 + will be protected in the following ways:
59502 + * No new writable mounts will be allowed
59503 + * Existing read-only mounts won't be able to be remounted read/write
59504 + * Write operations will be denied on all block devices
59505 + This option acts independently of grsec_lock: once it is set to 1,
59506 + it cannot be turned off. Therefore, please be mindful of the resulting
59507 + behavior if this option is enabled in an init script on a read-only
59508 + filesystem. This feature is mainly intended for secure embedded systems.
59509 +
59510 +config GRKERNSEC_CHROOT
59511 + bool "Chroot jail restrictions"
59512 + help
59513 + If you say Y here, you will be able to choose several options that will
59514 + make breaking out of a chrooted jail much more difficult. If you
59515 + encounter no software incompatibilities with the following options, it
59516 + is recommended that you enable each one.
59517 +
59518 +config GRKERNSEC_CHROOT_MOUNT
59519 + bool "Deny mounts"
59520 + depends on GRKERNSEC_CHROOT
59521 + help
59522 + If you say Y here, processes inside a chroot will not be able to
59523 + mount or remount filesystems. If the sysctl option is enabled, a
59524 + sysctl option with name "chroot_deny_mount" is created.
59525 +
59526 +config GRKERNSEC_CHROOT_DOUBLE
59527 + bool "Deny double-chroots"
59528 + depends on GRKERNSEC_CHROOT
59529 + help
59530 + If you say Y here, processes inside a chroot will not be able to chroot
59531 + again outside the chroot. This is a widely used method of breaking
59532 + out of a chroot jail and should not be allowed. If the sysctl
59533 + option is enabled, a sysctl option with name
59534 + "chroot_deny_chroot" is created.
59535 +
59536 +config GRKERNSEC_CHROOT_PIVOT
59537 + bool "Deny pivot_root in chroot"
59538 + depends on GRKERNSEC_CHROOT
59539 + help
59540 + If you say Y here, processes inside a chroot will not be able to use
59541 + a function called pivot_root() that was introduced in Linux 2.3.41. It
59542 + works similar to chroot in that it changes the root filesystem. This
59543 + function could be misused in a chrooted process to attempt to break out
59544 + of the chroot, and therefore should not be allowed. If the sysctl
59545 + option is enabled, a sysctl option with name "chroot_deny_pivot" is
59546 + created.
59547 +
59548 +config GRKERNSEC_CHROOT_CHDIR
59549 + bool "Enforce chdir(\"/\") on all chroots"
59550 + depends on GRKERNSEC_CHROOT
59551 + help
59552 + If you say Y here, the current working directory of all newly-chrooted
59553 + applications will be set to the the root directory of the chroot.
59554 + The man page on chroot(2) states:
59555 + Note that this call does not change the current working
59556 + directory, so that `.' can be outside the tree rooted at
59557 + `/'. In particular, the super-user can escape from a
59558 + `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
59559 +
59560 + It is recommended that you say Y here, since it's not known to break
59561 + any software. If the sysctl option is enabled, a sysctl option with
59562 + name "chroot_enforce_chdir" is created.
59563 +
59564 +config GRKERNSEC_CHROOT_CHMOD
59565 + bool "Deny (f)chmod +s"
59566 + depends on GRKERNSEC_CHROOT
59567 + help
59568 + If you say Y here, processes inside a chroot will not be able to chmod
59569 + or fchmod files to make them have suid or sgid bits. This protects
59570 + against another published method of breaking a chroot. If the sysctl
59571 + option is enabled, a sysctl option with name "chroot_deny_chmod" is
59572 + created.
59573 +
59574 +config GRKERNSEC_CHROOT_FCHDIR
59575 + bool "Deny fchdir out of chroot"
59576 + depends on GRKERNSEC_CHROOT
59577 + help
59578 + If you say Y here, a well-known method of breaking chroots by fchdir'ing
59579 + to a file descriptor of the chrooting process that points to a directory
59580 + outside the filesystem will be stopped. If the sysctl option
59581 + is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
59582 +
59583 +config GRKERNSEC_CHROOT_MKNOD
59584 + bool "Deny mknod"
59585 + depends on GRKERNSEC_CHROOT
59586 + help
59587 + If you say Y here, processes inside a chroot will not be allowed to
59588 + mknod. The problem with using mknod inside a chroot is that it
59589 + would allow an attacker to create a device entry that is the same
59590 + as one on the physical root of your system, which could range from
59591 + anything from the console device to a device for your harddrive (which
59592 + they could then use to wipe the drive or steal data). It is recommended
59593 + that you say Y here, unless you run into software incompatibilities.
59594 + If the sysctl option is enabled, a sysctl option with name
59595 + "chroot_deny_mknod" is created.
59596 +
59597 +config GRKERNSEC_CHROOT_SHMAT
59598 + bool "Deny shmat() out of chroot"
59599 + depends on GRKERNSEC_CHROOT
59600 + help
59601 + If you say Y here, processes inside a chroot will not be able to attach
59602 + to shared memory segments that were created outside of the chroot jail.
59603 + It is recommended that you say Y here. If the sysctl option is enabled,
59604 + a sysctl option with name "chroot_deny_shmat" is created.
59605 +
59606 +config GRKERNSEC_CHROOT_UNIX
59607 + bool "Deny access to abstract AF_UNIX sockets out of chroot"
59608 + depends on GRKERNSEC_CHROOT
59609 + help
59610 + If you say Y here, processes inside a chroot will not be able to
59611 + connect to abstract (meaning not belonging to a filesystem) Unix
59612 + domain sockets that were bound outside of a chroot. It is recommended
59613 + that you say Y here. If the sysctl option is enabled, a sysctl option
59614 + with name "chroot_deny_unix" is created.
59615 +
59616 +config GRKERNSEC_CHROOT_FINDTASK
59617 + bool "Protect outside processes"
59618 + depends on GRKERNSEC_CHROOT
59619 + help
59620 + If you say Y here, processes inside a chroot will not be able to
59621 + kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
59622 + getsid, or view any process outside of the chroot. If the sysctl
59623 + option is enabled, a sysctl option with name "chroot_findtask" is
59624 + created.
59625 +
59626 +config GRKERNSEC_CHROOT_NICE
59627 + bool "Restrict priority changes"
59628 + depends on GRKERNSEC_CHROOT
59629 + help
59630 + If you say Y here, processes inside a chroot will not be able to raise
59631 + the priority of processes in the chroot, or alter the priority of
59632 + processes outside the chroot. This provides more security than simply
59633 + removing CAP_SYS_NICE from the process' capability set. If the
59634 + sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
59635 + is created.
59636 +
59637 +config GRKERNSEC_CHROOT_SYSCTL
59638 + bool "Deny sysctl writes"
59639 + depends on GRKERNSEC_CHROOT
59640 + help
59641 + If you say Y here, an attacker in a chroot will not be able to
59642 + write to sysctl entries, either by sysctl(2) or through a /proc
59643 + interface. It is strongly recommended that you say Y here. If the
59644 + sysctl option is enabled, a sysctl option with name
59645 + "chroot_deny_sysctl" is created.
59646 +
59647 +config GRKERNSEC_CHROOT_CAPS
59648 + bool "Capability restrictions"
59649 + depends on GRKERNSEC_CHROOT
59650 + help
59651 + If you say Y here, the capabilities on all processes within a
59652 + chroot jail will be lowered to stop module insertion, raw i/o,
59653 + system and net admin tasks, rebooting the system, modifying immutable
59654 + files, modifying IPC owned by another, and changing the system time.
59655 + This is left an option because it can break some apps. Disable this
59656 + if your chrooted apps are having problems performing those kinds of
59657 + tasks. If the sysctl option is enabled, a sysctl option with
59658 + name "chroot_caps" is created.
59659 +
59660 +endmenu
59661 +menu "Kernel Auditing"
59662 +depends on GRKERNSEC
59663 +
59664 +config GRKERNSEC_AUDIT_GROUP
59665 + bool "Single group for auditing"
59666 + help
59667 + If you say Y here, the exec, chdir, and (un)mount logging features
59668 + will only operate on a group you specify. This option is recommended
59669 + if you only want to watch certain users instead of having a large
59670 + amount of logs from the entire system. If the sysctl option is enabled,
59671 + a sysctl option with name "audit_group" is created.
59672 +
59673 +config GRKERNSEC_AUDIT_GID
59674 + int "GID for auditing"
59675 + depends on GRKERNSEC_AUDIT_GROUP
59676 + default 1007
59677 +
59678 +config GRKERNSEC_EXECLOG
59679 + bool "Exec logging"
59680 + help
59681 + If you say Y here, all execve() calls will be logged (since the
59682 + other exec*() calls are frontends to execve(), all execution
59683 + will be logged). Useful for shell-servers that like to keep track
59684 + of their users. If the sysctl option is enabled, a sysctl option with
59685 + name "exec_logging" is created.
59686 + WARNING: This option when enabled will produce a LOT of logs, especially
59687 + on an active system.
59688 +
59689 +config GRKERNSEC_RESLOG
59690 + bool "Resource logging"
59691 + help
59692 + If you say Y here, all attempts to overstep resource limits will
59693 + be logged with the resource name, the requested size, and the current
59694 + limit. It is highly recommended that you say Y here. If the sysctl
59695 + option is enabled, a sysctl option with name "resource_logging" is
59696 + created. If the RBAC system is enabled, the sysctl value is ignored.
59697 +
59698 +config GRKERNSEC_CHROOT_EXECLOG
59699 + bool "Log execs within chroot"
59700 + help
59701 + If you say Y here, all executions inside a chroot jail will be logged
59702 + to syslog. This can cause a large amount of logs if certain
59703 + applications (eg. djb's daemontools) are installed on the system, and
59704 + is therefore left as an option. If the sysctl option is enabled, a
59705 + sysctl option with name "chroot_execlog" is created.
59706 +
59707 +config GRKERNSEC_AUDIT_PTRACE
59708 + bool "Ptrace logging"
59709 + help
59710 + If you say Y here, all attempts to attach to a process via ptrace
59711 + will be logged. If the sysctl option is enabled, a sysctl option
59712 + with name "audit_ptrace" is created.
59713 +
59714 +config GRKERNSEC_AUDIT_CHDIR
59715 + bool "Chdir logging"
59716 + help
59717 + If you say Y here, all chdir() calls will be logged. If the sysctl
59718 + option is enabled, a sysctl option with name "audit_chdir" is created.
59719 +
59720 +config GRKERNSEC_AUDIT_MOUNT
59721 + bool "(Un)Mount logging"
59722 + help
59723 + If you say Y here, all mounts and unmounts will be logged. If the
59724 + sysctl option is enabled, a sysctl option with name "audit_mount" is
59725 + created.
59726 +
59727 +config GRKERNSEC_SIGNAL
59728 + bool "Signal logging"
59729 + help
59730 + If you say Y here, certain important signals will be logged, such as
59731 + SIGSEGV, which will as a result inform you of when a error in a program
59732 + occurred, which in some cases could mean a possible exploit attempt.
59733 + If the sysctl option is enabled, a sysctl option with name
59734 + "signal_logging" is created.
59735 +
59736 +config GRKERNSEC_FORKFAIL
59737 + bool "Fork failure logging"
59738 + help
59739 + If you say Y here, all failed fork() attempts will be logged.
59740 + This could suggest a fork bomb, or someone attempting to overstep
59741 + their process limit. If the sysctl option is enabled, a sysctl option
59742 + with name "forkfail_logging" is created.
59743 +
59744 +config GRKERNSEC_TIME
59745 + bool "Time change logging"
59746 + help
59747 + If you say Y here, any changes of the system clock will be logged.
59748 + If the sysctl option is enabled, a sysctl option with name
59749 + "timechange_logging" is created.
59750 +
59751 +config GRKERNSEC_PROC_IPADDR
59752 + bool "/proc/<pid>/ipaddr support"
59753 + help
59754 + If you say Y here, a new entry will be added to each /proc/<pid>
59755 + directory that contains the IP address of the person using the task.
59756 + The IP is carried across local TCP and AF_UNIX stream sockets.
59757 + This information can be useful for IDS/IPSes to perform remote response
59758 + to a local attack. The entry is readable by only the owner of the
59759 + process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
59760 + the RBAC system), and thus does not create privacy concerns.
59761 +
59762 +config GRKERNSEC_RWXMAP_LOG
59763 + bool 'Denied RWX mmap/mprotect logging'
59764 + depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT
59765 + help
59766 + If you say Y here, calls to mmap() and mprotect() with explicit
59767 + usage of PROT_WRITE and PROT_EXEC together will be logged when
59768 + denied by the PAX_MPROTECT feature. If the sysctl option is
59769 + enabled, a sysctl option with name "rwxmap_logging" is created.
59770 +
59771 +config GRKERNSEC_AUDIT_TEXTREL
59772 + bool 'ELF text relocations logging (READ HELP)'
59773 + depends on PAX_MPROTECT
59774 + help
59775 + If you say Y here, text relocations will be logged with the filename
59776 + of the offending library or binary. The purpose of the feature is
59777 + to help Linux distribution developers get rid of libraries and
59778 + binaries that need text relocations which hinder the future progress
59779 + of PaX. Only Linux distribution developers should say Y here, and
59780 + never on a production machine, as this option creates an information
59781 + leak that could aid an attacker in defeating the randomization of
59782 + a single memory region. If the sysctl option is enabled, a sysctl
59783 + option with name "audit_textrel" is created.
59784 +
59785 +endmenu
59786 +
59787 +menu "Executable Protections"
59788 +depends on GRKERNSEC
59789 +
59790 +config GRKERNSEC_DMESG
59791 + bool "Dmesg(8) restriction"
59792 + help
59793 + If you say Y here, non-root users will not be able to use dmesg(8)
59794 + to view up to the last 4kb of messages in the kernel's log buffer.
59795 + The kernel's log buffer often contains kernel addresses and other
59796 + identifying information useful to an attacker in fingerprinting a
59797 + system for a targeted exploit.
59798 + If the sysctl option is enabled, a sysctl option with name "dmesg" is
59799 + created.
59800 +
59801 +config GRKERNSEC_HARDEN_PTRACE
59802 + bool "Deter ptrace-based process snooping"
59803 + help
59804 + If you say Y here, TTY sniffers and other malicious monitoring
59805 + programs implemented through ptrace will be defeated. If you
59806 + have been using the RBAC system, this option has already been
59807 + enabled for several years for all users, with the ability to make
59808 + fine-grained exceptions.
59809 +
59810 + This option only affects the ability of non-root users to ptrace
59811 + processes that are not a descendent of the ptracing process.
59812 + This means that strace ./binary and gdb ./binary will still work,
59813 + but attaching to arbitrary processes will not. If the sysctl
59814 + option is enabled, a sysctl option with name "harden_ptrace" is
59815 + created.
59816 +
59817 +config GRKERNSEC_TPE
59818 + bool "Trusted Path Execution (TPE)"
59819 + help
59820 + If you say Y here, you will be able to choose a gid to add to the
59821 + supplementary groups of users you want to mark as "untrusted."
59822 + These users will not be able to execute any files that are not in
59823 + root-owned directories writable only by root. If the sysctl option
59824 + is enabled, a sysctl option with name "tpe" is created.
59825 +
59826 +config GRKERNSEC_TPE_ALL
59827 + bool "Partially restrict all non-root users"
59828 + depends on GRKERNSEC_TPE
59829 + help
59830 + If you say Y here, all non-root users will be covered under
59831 + a weaker TPE restriction. This is separate from, and in addition to,
59832 + the main TPE options that you have selected elsewhere. Thus, if a
59833 + "trusted" GID is chosen, this restriction applies to even that GID.
59834 + Under this restriction, all non-root users will only be allowed to
59835 + execute files in directories they own that are not group or
59836 + world-writable, or in directories owned by root and writable only by
59837 + root. If the sysctl option is enabled, a sysctl option with name
59838 + "tpe_restrict_all" is created.
59839 +
59840 +config GRKERNSEC_TPE_INVERT
59841 + bool "Invert GID option"
59842 + depends on GRKERNSEC_TPE
59843 + help
59844 + If you say Y here, the group you specify in the TPE configuration will
59845 + decide what group TPE restrictions will be *disabled* for. This
59846 + option is useful if you want TPE restrictions to be applied to most
59847 + users on the system. If the sysctl option is enabled, a sysctl option
59848 + with name "tpe_invert" is created. Unlike other sysctl options, this
59849 + entry will default to on for backward-compatibility.
59850 +
59851 +config GRKERNSEC_TPE_GID
59852 + int "GID for untrusted users"
59853 + depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
59854 + default 1005
59855 + help
59856 + Setting this GID determines what group TPE restrictions will be
59857 + *enabled* for. If the sysctl option is enabled, a sysctl option
59858 + with name "tpe_gid" is created.
59859 +
59860 +config GRKERNSEC_TPE_GID
59861 + int "GID for trusted users"
59862 + depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
59863 + default 1005
59864 + help
59865 + Setting this GID determines what group TPE restrictions will be
59866 + *disabled* for. If the sysctl option is enabled, a sysctl option
59867 + with name "tpe_gid" is created.
59868 +
59869 +endmenu
59870 +menu "Network Protections"
59871 +depends on GRKERNSEC
59872 +
59873 +config GRKERNSEC_RANDNET
59874 + bool "Larger entropy pools"
59875 + help
59876 + If you say Y here, the entropy pools used for many features of Linux
59877 + and grsecurity will be doubled in size. Since several grsecurity
59878 + features use additional randomness, it is recommended that you say Y
59879 + here. Saying Y here has a similar effect as modifying
59880 + /proc/sys/kernel/random/poolsize.
59881 +
59882 +config GRKERNSEC_BLACKHOLE
59883 + bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
59884 + depends on NET
59885 + help
59886 + If you say Y here, neither TCP resets nor ICMP
59887 + destination-unreachable packets will be sent in response to packets
59888 + sent to ports for which no associated listening process exists.
59889 + This feature supports both IPV4 and IPV6 and exempts the
59890 + loopback interface from blackholing. Enabling this feature
59891 + makes a host more resilient to DoS attacks and reduces network
59892 + visibility against scanners.
59893 +
59894 + The blackhole feature as-implemented is equivalent to the FreeBSD
59895 + blackhole feature, as it prevents RST responses to all packets, not
59896 + just SYNs. Under most application behavior this causes no
59897 + problems, but applications (like haproxy) may not close certain
59898 + connections in a way that cleanly terminates them on the remote
59899 + end, leaving the remote host in LAST_ACK state. Because of this
59900 + side-effect and to prevent intentional LAST_ACK DoSes, this
59901 + feature also adds automatic mitigation against such attacks.
59902 + The mitigation drastically reduces the amount of time a socket
59903 + can spend in LAST_ACK state. If you're using haproxy and not
59904 + all servers it connects to have this option enabled, consider
59905 + disabling this feature on the haproxy host.
59906 +
59907 + If the sysctl option is enabled, two sysctl options with names
59908 + "ip_blackhole" and "lastack_retries" will be created.
59909 + While "ip_blackhole" takes the standard zero/non-zero on/off
59910 + toggle, "lastack_retries" uses the same kinds of values as
59911 + "tcp_retries1" and "tcp_retries2". The default value of 4
59912 + prevents a socket from lasting more than 45 seconds in LAST_ACK
59913 + state.
59914 +
59915 +config GRKERNSEC_SOCKET
59916 + bool "Socket restrictions"
59917 + depends on NET
59918 + help
59919 + If you say Y here, you will be able to choose from several options.
59920 + If you assign a GID on your system and add it to the supplementary
59921 + groups of users you want to restrict socket access to, this patch
59922 + will perform up to three things, based on the option(s) you choose.
59923 +
59924 +config GRKERNSEC_SOCKET_ALL
59925 + bool "Deny any sockets to group"
59926 + depends on GRKERNSEC_SOCKET
59927 + help
59928 + If you say Y here, you will be able to choose a GID of whose users will
59929 + be unable to connect to other hosts from your machine or run server
59930 + applications from your machine. If the sysctl option is enabled, a
59931 + sysctl option with name "socket_all" is created.
59932 +
59933 +config GRKERNSEC_SOCKET_ALL_GID
59934 + int "GID to deny all sockets for"
59935 + depends on GRKERNSEC_SOCKET_ALL
59936 + default 1004
59937 + help
59938 + Here you can choose the GID to disable socket access for. Remember to
59939 + add the users you want socket access disabled for to the GID
59940 + specified here. If the sysctl option is enabled, a sysctl option
59941 + with name "socket_all_gid" is created.
59942 +
59943 +config GRKERNSEC_SOCKET_CLIENT
59944 + bool "Deny client sockets to group"
59945 + depends on GRKERNSEC_SOCKET
59946 + help
59947 + If you say Y here, you will be able to choose a GID of whose users will
59948 + be unable to connect to other hosts from your machine, but will be
59949 + able to run servers. If this option is enabled, all users in the group
59950 + you specify will have to use passive mode when initiating ftp transfers
59951 + from the shell on your machine. If the sysctl option is enabled, a
59952 + sysctl option with name "socket_client" is created.
59953 +
59954 +config GRKERNSEC_SOCKET_CLIENT_GID
59955 + int "GID to deny client sockets for"
59956 + depends on GRKERNSEC_SOCKET_CLIENT
59957 + default 1003
59958 + help
59959 + Here you can choose the GID to disable client socket access for.
59960 + Remember to add the users you want client socket access disabled for to
59961 + the GID specified here. If the sysctl option is enabled, a sysctl
59962 + option with name "socket_client_gid" is created.
59963 +
59964 +config GRKERNSEC_SOCKET_SERVER
59965 + bool "Deny server sockets to group"
59966 + depends on GRKERNSEC_SOCKET
59967 + help
59968 + If you say Y here, you will be able to choose a GID of whose users will
59969 + be unable to run server applications from your machine. If the sysctl
59970 + option is enabled, a sysctl option with name "socket_server" is created.
59971 +
59972 +config GRKERNSEC_SOCKET_SERVER_GID
59973 + int "GID to deny server sockets for"
59974 + depends on GRKERNSEC_SOCKET_SERVER
59975 + default 1002
59976 + help
59977 + Here you can choose the GID to disable server socket access for.
59978 + Remember to add the users you want server socket access disabled for to
59979 + the GID specified here. If the sysctl option is enabled, a sysctl
59980 + option with name "socket_server_gid" is created.
59981 +
59982 +endmenu
59983 +menu "Sysctl support"
59984 +depends on GRKERNSEC && SYSCTL
59985 +
59986 +config GRKERNSEC_SYSCTL
59987 + bool "Sysctl support"
59988 + help
59989 + If you say Y here, you will be able to change the options that
59990 + grsecurity runs with at bootup, without having to recompile your
59991 + kernel. You can echo values to files in /proc/sys/kernel/grsecurity
59992 + to enable (1) or disable (0) various features. All the sysctl entries
59993 + are mutable until the "grsec_lock" entry is set to a non-zero value.
59994 + All features enabled in the kernel configuration are disabled at boot
59995 + if you do not say Y to the "Turn on features by default" option.
59996 + All options should be set at startup, and the grsec_lock entry should
59997 + be set to a non-zero value after all the options are set.
59998 + *THIS IS EXTREMELY IMPORTANT*
59999 +
60000 +config GRKERNSEC_SYSCTL_DISTRO
60001 + bool "Extra sysctl support for distro makers (READ HELP)"
60002 + depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO
60003 + help
60004 + If you say Y here, additional sysctl options will be created
60005 + for features that affect processes running as root. Therefore,
60006 + it is critical when using this option that the grsec_lock entry be
60007 + enabled after boot. Only distros with prebuilt kernel packages
60008 + with this option enabled that can ensure grsec_lock is enabled
60009 + after boot should use this option.
60010 + *Failure to set grsec_lock after boot makes all grsec features
60011 + this option covers useless*
60012 +
60013 + Currently this option creates the following sysctl entries:
60014 + "Disable Privileged I/O": "disable_priv_io"
60015 +
60016 +config GRKERNSEC_SYSCTL_ON
60017 + bool "Turn on features by default"
60018 + depends on GRKERNSEC_SYSCTL
60019 + help
60020 + If you say Y here, instead of having all features enabled in the
60021 + kernel configuration disabled at boot time, the features will be
60022 + enabled at boot time. It is recommended you say Y here unless
60023 + there is some reason you would want all sysctl-tunable features to
60024 + be disabled by default. As mentioned elsewhere, it is important
60025 + to enable the grsec_lock entry once you have finished modifying
60026 + the sysctl entries.
60027 +
60028 +endmenu
60029 +menu "Logging Options"
60030 +depends on GRKERNSEC
60031 +
60032 +config GRKERNSEC_FLOODTIME
60033 + int "Seconds in between log messages (minimum)"
60034 + default 10
60035 + help
60036 + This option allows you to enforce the number of seconds between
60037 + grsecurity log messages. The default should be suitable for most
60038 + people, however, if you choose to change it, choose a value small enough
60039 + to allow informative logs to be produced, but large enough to
60040 + prevent flooding.
60041 +
60042 +config GRKERNSEC_FLOODBURST
60043 + int "Number of messages in a burst (maximum)"
60044 + default 6
60045 + help
60046 + This option allows you to choose the maximum number of messages allowed
60047 + within the flood time interval you chose in a separate option. The
60048 + default should be suitable for most people, however if you find that
60049 + many of your logs are being interpreted as flooding, you may want to
60050 + raise this value.
60051 +
60052 +endmenu
60053 +
60054 +endmenu
60055 diff -urNp linux-2.6.32.46/grsecurity/Makefile linux-2.6.32.46/grsecurity/Makefile
60056 --- linux-2.6.32.46/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
60057 +++ linux-2.6.32.46/grsecurity/Makefile 2011-09-14 23:29:39.000000000 -0400
60058 @@ -0,0 +1,35 @@
60059 +# grsecurity's ACL system was originally written in 2001 by Michael Dalton
60060 +# during 2001-2009 it has been completely redesigned by Brad Spengler
60061 +# into an RBAC system
60062 +#
60063 +# All code in this directory and various hooks inserted throughout the kernel
60064 +# are copyright Brad Spengler - Open Source Security, Inc., and released
60065 +# under the GPL v2 or higher
60066 +
60067 +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
60068 + grsec_mount.o grsec_sig.o grsec_sysctl.o \
60069 + grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o
60070 +
60071 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_segv.o \
60072 + gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
60073 + gracl_learn.o grsec_log.o
60074 +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
60075 +
60076 +ifdef CONFIG_NET
60077 +obj-y += grsec_sock.o
60078 +obj-$(CONFIG_GRKERNSEC) += gracl_ip.o
60079 +endif
60080 +
60081 +ifndef CONFIG_GRKERNSEC
60082 +obj-y += grsec_disabled.o
60083 +endif
60084 +
60085 +ifdef CONFIG_GRKERNSEC_HIDESYM
60086 +extra-y := grsec_hidesym.o
60087 +$(obj)/grsec_hidesym.o:
60088 + @-chmod -f 500 /boot
60089 + @-chmod -f 500 /lib/modules
60090 + @-chmod -f 500 /lib64/modules
60091 + @-chmod -f 700 .
60092 + @echo ' grsec: protected kernel image paths'
60093 +endif
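Review bot: The `$(obj)/grsec_hidesym.o` rule at the end of this new Makefile changes the permissions of `/boot`, `/lib/modules`, `/lib64/modules` and the current directory on the build host as a side effect of compiling, and the `@-` prefix together with `chmod -f` hides both the commands and any failure. On a build server, a packaging host or a cross-compile, the machine being changed is not the one that will run the kernel, so the target may end up without the restriction while the builder is altered. The recipe also never produces `grsec_hidesym.o`, so it presumably re-runs on every build; whether that is intended is not visible here. I would add a comment stating this, e.g. `# NOTE: alters permissions on the build host, not the install target; packaged kernels must apply these modes at install time`, and consider moving the chmod calls to an install step.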
60094 diff -urNp linux-2.6.32.46/include/acpi/acpi_bus.h linux-2.6.32.46/include/acpi/acpi_bus.h
60095 --- linux-2.6.32.46/include/acpi/acpi_bus.h 2011-03-27 14:31:47.000000000 -0400
60096 +++ linux-2.6.32.46/include/acpi/acpi_bus.h 2011-08-05 20:33:55.000000000 -0400
60097 @@ -107,7 +107,7 @@ struct acpi_device_ops {
60098 acpi_op_bind bind;
60099 acpi_op_unbind unbind;
60100 acpi_op_notify notify;
60101 -};
60102 +} __no_const;
60103
60104 #define ACPI_DRIVER_ALL_NOTIFY_EVENTS 0x1 /* system AND device events */
60105
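Review bot: `__no_const` is attached to `struct acpi_device_ops` with no comment saying why this structure is exempt. From the name it presumably keeps the structure out of the patch's constification, so its function pointers stay writable at run time, which is exactly the kind of target constification is meant to remove. The reason for the exemption should be recorded next to it, e.g. `/* __no_const: instances are filled in at run time by <caller> */` with the actual writer named. The structure's definition starts outside this hunk.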
60106 diff -urNp linux-2.6.32.46/include/acpi/acpi_drivers.h linux-2.6.32.46/include/acpi/acpi_drivers.h
60107 --- linux-2.6.32.46/include/acpi/acpi_drivers.h 2011-03-27 14:31:47.000000000 -0400
60108 +++ linux-2.6.32.46/include/acpi/acpi_drivers.h 2011-04-17 15:56:46.000000000 -0400
60109 @@ -119,8 +119,8 @@ int acpi_processor_set_thermal_limit(acp
60110 Dock Station
60111 -------------------------------------------------------------------------- */
60112 struct acpi_dock_ops {
60113 - acpi_notify_handler handler;
60114 - acpi_notify_handler uevent;
60115 + const acpi_notify_handler handler;
60116 + const acpi_notify_handler uevent;
60117 };
60118
60119 #if defined(CONFIG_ACPI_DOCK) || defined(CONFIG_ACPI_DOCK_MODULE)
60120 @@ -128,7 +128,7 @@ extern int is_dock_device(acpi_handle ha
60121 extern int register_dock_notifier(struct notifier_block *nb);
60122 extern void unregister_dock_notifier(struct notifier_block *nb);
60123 extern int register_hotplug_dock_device(acpi_handle handle,
60124 - struct acpi_dock_ops *ops,
60125 + const struct acpi_dock_ops *ops,
60126 void *context);
60127 extern void unregister_hotplug_dock_device(acpi_handle handle);
60128 #else
60129 @@ -144,7 +144,7 @@ static inline void unregister_dock_notif
60130 {
60131 }
60132 static inline int register_hotplug_dock_device(acpi_handle handle,
60133 - struct acpi_dock_ops *ops,
60134 + const struct acpi_dock_ops *ops,
60135 void *context)
60136 {
60137 return -ENODEV;
60138 diff -urNp linux-2.6.32.46/include/asm-generic/atomic-long.h linux-2.6.32.46/include/asm-generic/atomic-long.h
60139 --- linux-2.6.32.46/include/asm-generic/atomic-long.h 2011-03-27 14:31:47.000000000 -0400
60140 +++ linux-2.6.32.46/include/asm-generic/atomic-long.h 2011-07-13 22:21:25.000000000 -0400
60141 @@ -22,6 +22,12 @@
60142
60143 typedef atomic64_t atomic_long_t;
60144
60145 +#ifdef CONFIG_PAX_REFCOUNT
60146 +typedef atomic64_unchecked_t atomic_long_unchecked_t;
60147 +#else
60148 +typedef atomic64_t atomic_long_unchecked_t;
60149 +#endif
60150 +
60151 #define ATOMIC_LONG_INIT(i) ATOMIC64_INIT(i)
60152
60153 static inline long atomic_long_read(atomic_long_t *l)
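Review bot: Nothing in this hunk, or in the later hunks of this file that add the `atomic_long_*_unchecked` helpers, says when the unchecked type may be used, which is the security-relevant part of this API. From the names, `CONFIG_PAX_REFCOUNT` presumably adds overflow detection to the regular atomic operations and `atomic_long_unchecked_t` opts a counter out of it, so a reference count converted to the unchecked type by mistake would silently lose that protection. A comment above the typedef would help, e.g. `/* unchecked variants: only for counters that may legitimately wrap (statistics, sequence numbers), never for reference counts */`. The same applies to the 32-bit typedef in the `@@ -140,6 +200,12 @@` hunk.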
60154 @@ -31,6 +37,15 @@ static inline long atomic_long_read(atom
60155 return (long)atomic64_read(v);
60156 }
60157
60158 +#ifdef CONFIG_PAX_REFCOUNT
60159 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
60160 +{
60161 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
60162 +
60163 + return (long)atomic64_read_unchecked(v);
60164 +}
60165 +#endif
60166 +
60167 static inline void atomic_long_set(atomic_long_t *l, long i)
60168 {
60169 atomic64_t *v = (atomic64_t *)l;
60170 @@ -38,6 +53,15 @@ static inline void atomic_long_set(atomi
60171 atomic64_set(v, i);
60172 }
60173
60174 +#ifdef CONFIG_PAX_REFCOUNT
60175 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
60176 +{
60177 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
60178 +
60179 + atomic64_set_unchecked(v, i);
60180 +}
60181 +#endif
60182 +
60183 static inline void atomic_long_inc(atomic_long_t *l)
60184 {
60185 atomic64_t *v = (atomic64_t *)l;
60186 @@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomi
60187 atomic64_inc(v);
60188 }
60189
60190 +#ifdef CONFIG_PAX_REFCOUNT
60191 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
60192 +{
60193 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
60194 +
60195 + atomic64_inc_unchecked(v);
60196 +}
60197 +#endif
60198 +
60199 static inline void atomic_long_dec(atomic_long_t *l)
60200 {
60201 atomic64_t *v = (atomic64_t *)l;
60202 @@ -52,6 +85,15 @@ static inline void atomic_long_dec(atomi
60203 atomic64_dec(v);
60204 }
60205
60206 +#ifdef CONFIG_PAX_REFCOUNT
60207 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
60208 +{
60209 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
60210 +
60211 + atomic64_dec_unchecked(v);
60212 +}
60213 +#endif
60214 +
60215 static inline void atomic_long_add(long i, atomic_long_t *l)
60216 {
60217 atomic64_t *v = (atomic64_t *)l;
60218 @@ -59,6 +101,15 @@ static inline void atomic_long_add(long
60219 atomic64_add(i, v);
60220 }
60221
60222 +#ifdef CONFIG_PAX_REFCOUNT
60223 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
60224 +{
60225 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
60226 +
60227 + atomic64_add_unchecked(i, v);
60228 +}
60229 +#endif
60230 +
60231 static inline void atomic_long_sub(long i, atomic_long_t *l)
60232 {
60233 atomic64_t *v = (atomic64_t *)l;
60234 @@ -115,6 +166,15 @@ static inline long atomic_long_inc_retur
60235 return (long)atomic64_inc_return(v);
60236 }
60237
60238 +#ifdef CONFIG_PAX_REFCOUNT
60239 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
60240 +{
60241 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
60242 +
60243 + return (long)atomic64_inc_return_unchecked(v);
60244 +}
60245 +#endif
60246 +
60247 static inline long atomic_long_dec_return(atomic_long_t *l)
60248 {
60249 atomic64_t *v = (atomic64_t *)l;
60250 @@ -140,6 +200,12 @@ static inline long atomic_long_add_unles
60251
60252 typedef atomic_t atomic_long_t;
60253
60254 +#ifdef CONFIG_PAX_REFCOUNT
60255 +typedef atomic_unchecked_t atomic_long_unchecked_t;
60256 +#else
60257 +typedef atomic_t atomic_long_unchecked_t;
60258 +#endif
60259 +
60260 #define ATOMIC_LONG_INIT(i) ATOMIC_INIT(i)
60261 static inline long atomic_long_read(atomic_long_t *l)
60262 {
60263 @@ -148,6 +214,15 @@ static inline long atomic_long_read(atom
60264 return (long)atomic_read(v);
60265 }
60266
60267 +#ifdef CONFIG_PAX_REFCOUNT
60268 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
60269 +{
60270 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
60271 +
60272 + return (long)atomic_read_unchecked(v);
60273 +}
60274 +#endif
60275 +
60276 static inline void atomic_long_set(atomic_long_t *l, long i)
60277 {
60278 atomic_t *v = (atomic_t *)l;
60279 @@ -155,6 +230,15 @@ static inline void atomic_long_set(atomi
60280 atomic_set(v, i);
60281 }
60282
60283 +#ifdef CONFIG_PAX_REFCOUNT
60284 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
60285 +{
60286 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
60287 +
60288 + atomic_set_unchecked(v, i);
60289 +}
60290 +#endif
60291 +
60292 static inline void atomic_long_inc(atomic_long_t *l)
60293 {
60294 atomic_t *v = (atomic_t *)l;
60295 @@ -162,6 +246,15 @@ static inline void atomic_long_inc(atomi
60296 atomic_inc(v);
60297 }
60298
60299 +#ifdef CONFIG_PAX_REFCOUNT
60300 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
60301 +{
60302 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
60303 +
60304 + atomic_inc_unchecked(v);
60305 +}
60306 +#endif
60307 +
60308 static inline void atomic_long_dec(atomic_long_t *l)
60309 {
60310 atomic_t *v = (atomic_t *)l;
60311 @@ -169,6 +262,15 @@ static inline void atomic_long_dec(atomi
60312 atomic_dec(v);
60313 }
60314
60315 +#ifdef CONFIG_PAX_REFCOUNT
60316 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
60317 +{
60318 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
60319 +
60320 + atomic_dec_unchecked(v);
60321 +}
60322 +#endif
60323 +
60324 static inline void atomic_long_add(long i, atomic_long_t *l)
60325 {
60326 atomic_t *v = (atomic_t *)l;
60327 @@ -176,6 +278,15 @@ static inline void atomic_long_add(long
60328 atomic_add(i, v);
60329 }
60330
60331 +#ifdef CONFIG_PAX_REFCOUNT
60332 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
60333 +{
60334 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
60335 +
60336 + atomic_add_unchecked(i, v);
60337 +}
60338 +#endif
60339 +
60340 static inline void atomic_long_sub(long i, atomic_long_t *l)
60341 {
60342 atomic_t *v = (atomic_t *)l;
60343 @@ -232,6 +343,15 @@ static inline long atomic_long_inc_retur
60344 return (long)atomic_inc_return(v);
60345 }
60346
60347 +#ifdef CONFIG_PAX_REFCOUNT
60348 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
60349 +{
60350 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
60351 +
60352 + return (long)atomic_inc_return_unchecked(v);
60353 +}
60354 +#endif
60355 +
60356 static inline long atomic_long_dec_return(atomic_long_t *l)
60357 {
60358 atomic_t *v = (atomic_t *)l;
60359 @@ -255,4 +375,47 @@ static inline long atomic_long_add_unles
60360
60361 #endif /* BITS_PER_LONG == 64 */
60362
60363 +#ifdef CONFIG_PAX_REFCOUNT
60364 +static inline void pax_refcount_needs_these_functions(void)
60365 +{
60366 + atomic_read_unchecked((atomic_unchecked_t *)NULL);
60367 + atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
60368 + atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
60369 + atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
60370 + atomic_inc_unchecked((atomic_unchecked_t *)NULL);
60371 + (void)atomic_inc_and_test_unchecked((atomic_unchecked_t *)NULL);
60372 + atomic_inc_return_unchecked((atomic_unchecked_t *)NULL);
60373 + atomic_add_return_unchecked(0, (atomic_unchecked_t *)NULL);
60374 + atomic_dec_unchecked((atomic_unchecked_t *)NULL);
60375 + atomic_cmpxchg_unchecked((atomic_unchecked_t *)NULL, 0, 0);
60376 + (void)atomic_xchg_unchecked((atomic_unchecked_t *)NULL, 0);
60377 +
60378 + atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
60379 + atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
60380 + atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
60381 + atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
60382 + atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
60383 + atomic_long_dec_unchecked((atomic_long_unchecked_t *)NULL);
60384 +}
60385 +#else
60386 +#define atomic_read_unchecked(v) atomic_read(v)
60387 +#define atomic_set_unchecked(v, i) atomic_set((v), (i))
60388 +#define atomic_add_unchecked(i, v) atomic_add((i), (v))
60389 +#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
60390 +#define atomic_inc_unchecked(v) atomic_inc(v)
60391 +#define atomic_inc_and_test_unchecked(v) atomic_inc_and_test(v)
60392 +#define atomic_inc_return_unchecked(v) atomic_inc_return(v)
60393 +#define atomic_add_return_unchecked(i, v) atomic_add_return((i), (v))
60394 +#define atomic_dec_unchecked(v) atomic_dec(v)
60395 +#define atomic_cmpxchg_unchecked(v, o, n) atomic_cmpxchg((v), (o), (n))
60396 +#define atomic_xchg_unchecked(v, i) atomic_xchg((v), (i))
60397 +
60398 +#define atomic_long_read_unchecked(v) atomic_long_read(v)
60399 +#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
60400 +#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
60401 +#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
60402 +#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
60403 +#define atomic_long_dec_unchecked(v) atomic_long_dec(v)
60404 +#endif
60405 +
60406 #endif /* _ASM_GENERIC_ATOMIC_LONG_H */
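Review bot: `pax_refcount_needs_these_functions()` passes NULL to every `*_unchecked` operation and carries no comment, so a reader cannot tell that it must never be called. It appears to exist only so that the build fails when an architecture enabling `CONFIG_PAX_REFCOUNT` lacks one of these operations; calling it would dereference NULL. I would say so above the function: `/* never called: compile-time check that the arch provides every *_unchecked op */`. The `(void)` casts are applied to only two of the calls whose result is discarded (`atomic_inc_and_test_unchecked`, `atomic_xchg_unchecked`); cast all value-returning calls or none.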
60407 diff -urNp linux-2.6.32.46/include/asm-generic/bug.h linux-2.6.32.46/include/asm-generic/bug.h
60408 --- linux-2.6.32.46/include/asm-generic/bug.h 2011-07-13 17:23:04.000000000 -0400
60409 +++ linux-2.6.32.46/include/asm-generic/bug.h 2011-08-21 17:56:07.000000000 -0400
60410 @@ -105,11 +105,11 @@ extern void warn_slowpath_null(const cha
60411
60412 #else /* !CONFIG_BUG */
60413 #ifndef HAVE_ARCH_BUG
60414 -#define BUG() do {} while(0)
60415 +#define BUG() do { for (;;) ; } while(0)
60416 #endif
60417
60418 #ifndef HAVE_ARCH_BUG_ON
60419 -#define BUG_ON(condition) do { if (condition) ; } while(0)
60420 +#define BUG_ON(condition) do { if (condition) for (;;) ; } while(0)
60421 #endif
60422
60423 #ifndef HAVE_ARCH_WARN_ON
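Review bot: With `CONFIG_BUG` disabled, `BUG()` and `BUG_ON()` now spin in `for (;;) ;` instead of falling through, but neither macro carries a comment saying that halting is deliberate. The change keeps execution from continuing past a failed invariant, at the cost of a silent hang with no message on the affected CPU, which is hard to tell apart from a deadlock during triage. A comment such as `/* !CONFIG_BUG: never continue past a failed invariant; spin rather than run on corrupted state */` above `BUG()` would record the intent. Architectures that define `HAVE_ARCH_BUG` or `HAVE_ARCH_BUG_ON` are not covered by this hunk.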
60424 diff -urNp linux-2.6.32.46/include/asm-generic/cache.h linux-2.6.32.46/include/asm-generic/cache.h
60425 --- linux-2.6.32.46/include/asm-generic/cache.h 2011-03-27 14:31:47.000000000 -0400
60426 +++ linux-2.6.32.46/include/asm-generic/cache.h 2011-07-06 19:53:33.000000000 -0400
60427 @@ -6,7 +6,7 @@
60428 * cache lines need to provide their own cache.h.
60429 */
60430
60431 -#define L1_CACHE_SHIFT 5
60432 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
60433 +#define L1_CACHE_SHIFT 5UL
60434 +#define L1_CACHE_BYTES (1UL << L1_CACHE_SHIFT)
60435
60436 #endif /* __ASM_GENERIC_CACHE_H */
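Review bot: `L1_CACHE_SHIFT` and `L1_CACHE_BYTES` now carry a bare `UL` suffix, which the assembler does not accept if this header is ever reached from a `.S` file; whether it is cannot be seen from this hunk. The same patch uses `_AC(1,UL)` for `PMD_SIZE` in `asm-generic/pgtable-nopmd.h`, and that form would work here too: keep `#define L1_CACHE_SHIFT 5` and write `#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)`. The suffix on the shift count adds nothing, since the type of a shift result comes from its left operand. `_AC` needs `<linux/const.h>` in scope.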
60437 diff -urNp linux-2.6.32.46/include/asm-generic/dma-mapping-common.h linux-2.6.32.46/include/asm-generic/dma-mapping-common.h
60438 --- linux-2.6.32.46/include/asm-generic/dma-mapping-common.h 2011-03-27 14:31:47.000000000 -0400
60439 +++ linux-2.6.32.46/include/asm-generic/dma-mapping-common.h 2011-04-17 15:56:46.000000000 -0400
60440 @@ -11,7 +11,7 @@ static inline dma_addr_t dma_map_single_
60441 enum dma_data_direction dir,
60442 struct dma_attrs *attrs)
60443 {
60444 - struct dma_map_ops *ops = get_dma_ops(dev);
60445 + const struct dma_map_ops *ops = get_dma_ops(dev);
60446 dma_addr_t addr;
60447
60448 kmemcheck_mark_initialized(ptr, size);
60449 @@ -30,7 +30,7 @@ static inline void dma_unmap_single_attr
60450 enum dma_data_direction dir,
60451 struct dma_attrs *attrs)
60452 {
60453 - struct dma_map_ops *ops = get_dma_ops(dev);
60454 + const struct dma_map_ops *ops = get_dma_ops(dev);
60455
60456 BUG_ON(!valid_dma_direction(dir));
60457 if (ops->unmap_page)
60458 @@ -42,7 +42,7 @@ static inline int dma_map_sg_attrs(struc
60459 int nents, enum dma_data_direction dir,
60460 struct dma_attrs *attrs)
60461 {
60462 - struct dma_map_ops *ops = get_dma_ops(dev);
60463 + const struct dma_map_ops *ops = get_dma_ops(dev);
60464 int i, ents;
60465 struct scatterlist *s;
60466
60467 @@ -59,7 +59,7 @@ static inline void dma_unmap_sg_attrs(st
60468 int nents, enum dma_data_direction dir,
60469 struct dma_attrs *attrs)
60470 {
60471 - struct dma_map_ops *ops = get_dma_ops(dev);
60472 + const struct dma_map_ops *ops = get_dma_ops(dev);
60473
60474 BUG_ON(!valid_dma_direction(dir));
60475 debug_dma_unmap_sg(dev, sg, nents, dir);
60476 @@ -71,7 +71,7 @@ static inline dma_addr_t dma_map_page(st
60477 size_t offset, size_t size,
60478 enum dma_data_direction dir)
60479 {
60480 - struct dma_map_ops *ops = get_dma_ops(dev);
60481 + const struct dma_map_ops *ops = get_dma_ops(dev);
60482 dma_addr_t addr;
60483
60484 kmemcheck_mark_initialized(page_address(page) + offset, size);
60485 @@ -85,7 +85,7 @@ static inline dma_addr_t dma_map_page(st
60486 static inline void dma_unmap_page(struct device *dev, dma_addr_t addr,
60487 size_t size, enum dma_data_direction dir)
60488 {
60489 - struct dma_map_ops *ops = get_dma_ops(dev);
60490 + const struct dma_map_ops *ops = get_dma_ops(dev);
60491
60492 BUG_ON(!valid_dma_direction(dir));
60493 if (ops->unmap_page)
60494 @@ -97,7 +97,7 @@ static inline void dma_sync_single_for_c
60495 size_t size,
60496 enum dma_data_direction dir)
60497 {
60498 - struct dma_map_ops *ops = get_dma_ops(dev);
60499 + const struct dma_map_ops *ops = get_dma_ops(dev);
60500
60501 BUG_ON(!valid_dma_direction(dir));
60502 if (ops->sync_single_for_cpu)
60503 @@ -109,7 +109,7 @@ static inline void dma_sync_single_for_d
60504 dma_addr_t addr, size_t size,
60505 enum dma_data_direction dir)
60506 {
60507 - struct dma_map_ops *ops = get_dma_ops(dev);
60508 + const struct dma_map_ops *ops = get_dma_ops(dev);
60509
60510 BUG_ON(!valid_dma_direction(dir));
60511 if (ops->sync_single_for_device)
60512 @@ -123,7 +123,7 @@ static inline void dma_sync_single_range
60513 size_t size,
60514 enum dma_data_direction dir)
60515 {
60516 - struct dma_map_ops *ops = get_dma_ops(dev);
60517 + const struct dma_map_ops *ops = get_dma_ops(dev);
60518
60519 BUG_ON(!valid_dma_direction(dir));
60520 if (ops->sync_single_range_for_cpu) {
60521 @@ -140,7 +140,7 @@ static inline void dma_sync_single_range
60522 size_t size,
60523 enum dma_data_direction dir)
60524 {
60525 - struct dma_map_ops *ops = get_dma_ops(dev);
60526 + const struct dma_map_ops *ops = get_dma_ops(dev);
60527
60528 BUG_ON(!valid_dma_direction(dir));
60529 if (ops->sync_single_range_for_device) {
60530 @@ -155,7 +155,7 @@ static inline void
60531 dma_sync_sg_for_cpu(struct device *dev, struct scatterlist *sg,
60532 int nelems, enum dma_data_direction dir)
60533 {
60534 - struct dma_map_ops *ops = get_dma_ops(dev);
60535 + const struct dma_map_ops *ops = get_dma_ops(dev);
60536
60537 BUG_ON(!valid_dma_direction(dir));
60538 if (ops->sync_sg_for_cpu)
60539 @@ -167,7 +167,7 @@ static inline void
60540 dma_sync_sg_for_device(struct device *dev, struct scatterlist *sg,
60541 int nelems, enum dma_data_direction dir)
60542 {
60543 - struct dma_map_ops *ops = get_dma_ops(dev);
60544 + const struct dma_map_ops *ops = get_dma_ops(dev);
60545
60546 BUG_ON(!valid_dma_direction(dir));
60547 if (ops->sync_sg_for_device)
60548 diff -urNp linux-2.6.32.46/include/asm-generic/emergency-restart.h linux-2.6.32.46/include/asm-generic/emergency-restart.h
60549 --- linux-2.6.32.46/include/asm-generic/emergency-restart.h 2011-03-27 14:31:47.000000000 -0400
60550 +++ linux-2.6.32.46/include/asm-generic/emergency-restart.h 2011-08-21 19:17:17.000000000 -0400
60551 @@ -1,7 +1,7 @@
60552 #ifndef _ASM_GENERIC_EMERGENCY_RESTART_H
60553 #define _ASM_GENERIC_EMERGENCY_RESTART_H
60554
60555 -static inline void machine_emergency_restart(void)
60556 +static inline __noreturn void machine_emergency_restart(void)
60557 {
60558 machine_restart(NULL);
60559 }
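Review bot: `machine_emergency_restart()` is now marked `__noreturn`, but its body only calls `machine_restart(NULL)` and then reaches the closing brace. If `machine_restart()` is not itself declared `__noreturn` (its declaration is outside this hunk), the compiler will warn that a noreturn function returns, and an actual return at run time is undefined behaviour. Either confirm that the declaration is annotated elsewhere in this patch, or end the body with a terminal loop, `for (;;) ;`, after the call.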
60560 diff -urNp linux-2.6.32.46/include/asm-generic/futex.h linux-2.6.32.46/include/asm-generic/futex.h
60561 --- linux-2.6.32.46/include/asm-generic/futex.h 2011-03-27 14:31:47.000000000 -0400
60562 +++ linux-2.6.32.46/include/asm-generic/futex.h 2011-04-17 15:56:46.000000000 -0400
60563 @@ -6,7 +6,7 @@
60564 #include <asm/errno.h>
60565
60566 static inline int
60567 -futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
60568 +futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
60569 {
60570 int op = (encoded_op >> 28) & 7;
60571 int cmp = (encoded_op >> 24) & 15;
60572 @@ -48,7 +48,7 @@ futex_atomic_op_inuser (int encoded_op,
60573 }
60574
60575 static inline int
60576 -futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
60577 +futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
60578 {
60579 return -ENOSYS;
60580 }
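Review bot: In `futex_atomic_cmpxchg_inatomic()` the user pointer becomes `u32 __user *` while `oldval` and `newval` stay `int`, so the values being compared and the object they are compared against now differ in signedness. The generic stub only returns `-ENOSYS`, but it is presumably the prototype that architecture implementations follow, so the mismatch would carry over to them. Consider `futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, u32 oldval, u32 newval)`, provided the callers and arch versions (outside this hunk) are changed to match. The previous hunk makes the same pointer change in `futex_atomic_op_inuser()`, whose body continues outside that hunk.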
60581 diff -urNp linux-2.6.32.46/include/asm-generic/int-l64.h linux-2.6.32.46/include/asm-generic/int-l64.h
60582 --- linux-2.6.32.46/include/asm-generic/int-l64.h 2011-03-27 14:31:47.000000000 -0400
60583 +++ linux-2.6.32.46/include/asm-generic/int-l64.h 2011-04-17 15:56:46.000000000 -0400
60584 @@ -46,6 +46,8 @@ typedef unsigned int u32;
60585 typedef signed long s64;
60586 typedef unsigned long u64;
60587
60588 +typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
60589 +
60590 #define S8_C(x) x
60591 #define U8_C(x) x ## U
60592 #define S16_C(x) x
60593 diff -urNp linux-2.6.32.46/include/asm-generic/int-ll64.h linux-2.6.32.46/include/asm-generic/int-ll64.h
60594 --- linux-2.6.32.46/include/asm-generic/int-ll64.h 2011-03-27 14:31:47.000000000 -0400
60595 +++ linux-2.6.32.46/include/asm-generic/int-ll64.h 2011-04-17 15:56:46.000000000 -0400
60596 @@ -51,6 +51,8 @@ typedef unsigned int u32;
60597 typedef signed long long s64;
60598 typedef unsigned long long u64;
60599
60600 +typedef unsigned long long intoverflow_t;
60601 +
60602 #define S8_C(x) x
60603 #define U8_C(x) x ## U
60604 #define S16_C(x) x
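Review bot: `intoverflow_t` is added without a comment, and here it is `unsigned long long` while `int-l64.h` defines it as a 128-bit `mode(TI)` type. If the type is meant to be wider than `unsigned long` so that a size computation can be checked for overflow (its users are outside this hunk), then a 64-bit architecture that includes `int-ll64.h` gets a type of the same width as `unsigned long`, and such a check could never fire. I would document the required property next to the typedef, e.g. `/* must be strictly wider than unsigned long: holds size products for overflow checks */`, and confirm that 64-bit users of this header override it.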
60605 diff -urNp linux-2.6.32.46/include/asm-generic/kmap_types.h linux-2.6.32.46/include/asm-generic/kmap_types.h
60606 --- linux-2.6.32.46/include/asm-generic/kmap_types.h 2011-03-27 14:31:47.000000000 -0400
60607 +++ linux-2.6.32.46/include/asm-generic/kmap_types.h 2011-04-17 15:56:46.000000000 -0400
60608 @@ -28,7 +28,8 @@ KMAP_D(15) KM_UML_USERCOPY,
60609 KMAP_D(16) KM_IRQ_PTE,
60610 KMAP_D(17) KM_NMI,
60611 KMAP_D(18) KM_NMI_PTE,
60612 -KMAP_D(19) KM_TYPE_NR
60613 +KMAP_D(19) KM_CLEARPAGE,
60614 +KMAP_D(20) KM_TYPE_NR
60615 };
60616
60617 #undef KMAP_D
60618 diff -urNp linux-2.6.32.46/include/asm-generic/pgtable.h linux-2.6.32.46/include/asm-generic/pgtable.h
60619 --- linux-2.6.32.46/include/asm-generic/pgtable.h 2011-03-27 14:31:47.000000000 -0400
60620 +++ linux-2.6.32.46/include/asm-generic/pgtable.h 2011-04-17 15:56:46.000000000 -0400
60621 @@ -344,6 +344,14 @@ extern void untrack_pfn_vma(struct vm_ar
60622 unsigned long size);
60623 #endif
60624
60625 +#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
60626 +static inline unsigned long pax_open_kernel(void) { return 0; }
60627 +#endif
60628 +
60629 +#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
60630 +static inline unsigned long pax_close_kernel(void) { return 0; }
60631 +#endif
60632 +
60633 #endif /* !__ASSEMBLY__ */
60634
60635 #endif /* _ASM_GENERIC_PGTABLE_H */
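Review bot: The generic `pax_open_kernel()` and `pax_close_kernel()` fallbacks are silent no-ops with no comment. On an architecture that does not define `__HAVE_ARCH_PAX_OPEN_KERNEL`, code bracketed by the pair compiles and runs but nothing changes, and a reader cannot tell that from the call site. The meaning of the `unsigned long` return value is also undocumented. Suggest a comment above the first stub, e.g. `/* generic fallback: does nothing and returns 0; architectures that implement it define __HAVE_ARCH_PAX_OPEN_KERNEL */`, plus a line on what callers may do with the return value.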
60636 diff -urNp linux-2.6.32.46/include/asm-generic/pgtable-nopmd.h linux-2.6.32.46/include/asm-generic/pgtable-nopmd.h
60637 --- linux-2.6.32.46/include/asm-generic/pgtable-nopmd.h 2011-03-27 14:31:47.000000000 -0400
60638 +++ linux-2.6.32.46/include/asm-generic/pgtable-nopmd.h 2011-04-17 15:56:46.000000000 -0400
60639 @@ -1,14 +1,19 @@
60640 #ifndef _PGTABLE_NOPMD_H
60641 #define _PGTABLE_NOPMD_H
60642
60643 -#ifndef __ASSEMBLY__
60644 -
60645 #include <asm-generic/pgtable-nopud.h>
60646
60647 -struct mm_struct;
60648 -
60649 #define __PAGETABLE_PMD_FOLDED
60650
60651 +#define PMD_SHIFT PUD_SHIFT
60652 +#define PTRS_PER_PMD 1
60653 +#define PMD_SIZE (_AC(1,UL) << PMD_SHIFT)
60654 +#define PMD_MASK (~(PMD_SIZE-1))
60655 +
60656 +#ifndef __ASSEMBLY__
60657 +
60658 +struct mm_struct;
60659 +
60660 /*
60661 * Having the pmd type consist of a pud gets the size right, and allows
60662 * us to conceptually access the pud entry that this pmd is folded into
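Review bot: `PMD_SIZE` now uses `_AC(1,UL)` so the constants are usable from assembly, but the hunk starts at line 1 of the file and adds no include that provides `_AC`. In mainline that macro comes from `<linux/const.h>`, so the header appears to depend on whatever its includer pulled in first. Adding `#include <linux/const.h>` next to the existing `#include <asm-generic/pgtable-nopud.h>` would make it self-contained. The pgtable-nopud.h hunk below has the same dependency for `PUD_SIZE`.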
60663 @@ -16,11 +21,6 @@ struct mm_struct;
60664 */
60665 typedef struct { pud_t pud; } pmd_t;
60666
60667 -#define PMD_SHIFT PUD_SHIFT
60668 -#define PTRS_PER_PMD 1
60669 -#define PMD_SIZE (1UL << PMD_SHIFT)
60670 -#define PMD_MASK (~(PMD_SIZE-1))
60671 -
60672 /*
60673 * The "pud_xxx()" functions here are trivial for a folded two-level
60674 * setup: the pmd is never bad, and a pmd always exists (as it's folded
60675 diff -urNp linux-2.6.32.46/include/asm-generic/pgtable-nopud.h linux-2.6.32.46/include/asm-generic/pgtable-nopud.h
60676 --- linux-2.6.32.46/include/asm-generic/pgtable-nopud.h 2011-03-27 14:31:47.000000000 -0400
60677 +++ linux-2.6.32.46/include/asm-generic/pgtable-nopud.h 2011-04-17 15:56:46.000000000 -0400
60678 @@ -1,10 +1,15 @@
60679 #ifndef _PGTABLE_NOPUD_H
60680 #define _PGTABLE_NOPUD_H
60681
60682 -#ifndef __ASSEMBLY__
60683 -
60684 #define __PAGETABLE_PUD_FOLDED
60685
60686 +#define PUD_SHIFT PGDIR_SHIFT
60687 +#define PTRS_PER_PUD 1
60688 +#define PUD_SIZE (_AC(1,UL) << PUD_SHIFT)
60689 +#define PUD_MASK (~(PUD_SIZE-1))
60690 +
60691 +#ifndef __ASSEMBLY__
60692 +
60693 /*
60694 * Having the pud type consist of a pgd gets the size right, and allows
60695 * us to conceptually access the pgd entry that this pud is folded into
60696 @@ -12,11 +17,6 @@
60697 */
60698 typedef struct { pgd_t pgd; } pud_t;
60699
60700 -#define PUD_SHIFT PGDIR_SHIFT
60701 -#define PTRS_PER_PUD 1
60702 -#define PUD_SIZE (1UL << PUD_SHIFT)
60703 -#define PUD_MASK (~(PUD_SIZE-1))
60704 -
60705 /*
60706 * The "pgd_xxx()" functions here are trivial for a folded two-level
60707 * setup: the pud is never bad, and a pud always exists (as it's folded
60708 diff -urNp linux-2.6.32.46/include/asm-generic/vmlinux.lds.h linux-2.6.32.46/include/asm-generic/vmlinux.lds.h
60709 --- linux-2.6.32.46/include/asm-generic/vmlinux.lds.h 2011-03-27 14:31:47.000000000 -0400
60710 +++ linux-2.6.32.46/include/asm-generic/vmlinux.lds.h 2011-04-17 15:56:46.000000000 -0400
60711 @@ -199,6 +199,7 @@
60712 .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
60713 VMLINUX_SYMBOL(__start_rodata) = .; \
60714 *(.rodata) *(.rodata.*) \
60715 + *(.data.read_only) \
60716 *(__vermagic) /* Kernel version magic */ \
60717 *(__markers_strings) /* Markers: strings */ \
60718 *(__tracepoints_strings)/* Tracepoints: strings */ \
60719 @@ -656,22 +657,24 @@
60720 * section in the linker script will go there too. @phdr should have
60721 * a leading colon.
60722 *
60723 - * Note that this macros defines __per_cpu_load as an absolute symbol.
60724 + * Note that this macros defines per_cpu_load as an absolute symbol.
60725 * If there is no need to put the percpu section at a predetermined
60726 * address, use PERCPU().
60727 */
60728 #define PERCPU_VADDR(vaddr, phdr) \
60729 - VMLINUX_SYMBOL(__per_cpu_load) = .; \
60730 - .data.percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
60731 + per_cpu_load = .; \
60732 + .data.percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
60733 - LOAD_OFFSET) { \
60734 + VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
60735 VMLINUX_SYMBOL(__per_cpu_start) = .; \
60736 *(.data.percpu.first) \
60737 - *(.data.percpu.page_aligned) \
60738 *(.data.percpu) \
60739 + . = ALIGN(PAGE_SIZE); \
60740 + *(.data.percpu.page_aligned) \
60741 *(.data.percpu.shared_aligned) \
60742 VMLINUX_SYMBOL(__per_cpu_end) = .; \
60743 } phdr \
60744 - . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data.percpu);
60745 + . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data.percpu);
60746
60747 /**
60748 * PERCPU - define output section for percpu area, simple version
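Review bot: The new `per_cpu_load` symbol is assigned bare (`per_cpu_load = .;`) and read bare in `. + per_cpu_load`, but read through `VMLINUX_SYMBOL(per_cpu_load)` in the `AT()` expression and in the final location-counter assignment. If `VMLINUX_SYMBOL` adds a prefix on some target, the two spellings name different symbols; use one throughout, e.g. `VMLINUX_SYMBOL(per_cpu_load) = .;`. The edited comment now says the macro defines `per_cpu_load` as an absolute symbol, yet `__per_cpu_load` is still defined (now inside the output section) and its new meaning is not described. The move of `.data.percpu.page_aligned` behind `. = ALIGN(PAGE_SIZE);` also deserves a one-line reason. The macro's doc comment starts outside the hunk.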
60749 diff -urNp linux-2.6.32.46/include/drm/drm_crtc_helper.h linux-2.6.32.46/include/drm/drm_crtc_helper.h
60750 --- linux-2.6.32.46/include/drm/drm_crtc_helper.h 2011-03-27 14:31:47.000000000 -0400
60751 +++ linux-2.6.32.46/include/drm/drm_crtc_helper.h 2011-08-05 20:33:55.000000000 -0400
60752 @@ -64,7 +64,7 @@ struct drm_crtc_helper_funcs {
60753
60754 /* reload the current crtc LUT */
60755 void (*load_lut)(struct drm_crtc *crtc);
60756 -};
60757 +} __no_const;
60758
60759 struct drm_encoder_helper_funcs {
60760 void (*dpms)(struct drm_encoder *encoder, int mode);
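Review bot: `__no_const` is put on `struct drm_crtc_helper_funcs` with no comment saying why this function-pointer table has to stay writable. Going by the `__no_const`/`__do_const` definitions in the compiler-gcc4.h hunk, the attribute is presumably a per-struct opt-out from the constify plugin, so each use is an exemption that should carry its justification. The same applies to `drm_encoder_helper_funcs` in the next hunk, `ttm_mem_shrink` in ttm_memory.h, and `cipher_tfm`, `compress_tfm` and `rng_tfm` in crypto.h. A one-line comment per struct, such as `/* filled in at run time by <caller>, cannot be const */`, would let a later reviewer check that the exemption is still needed.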
60761 @@ -85,7 +85,7 @@ struct drm_encoder_helper_funcs {
60762 struct drm_connector *connector);
60763 /* disable encoder when not in use - more explicit than dpms off */
60764 void (*disable)(struct drm_encoder *encoder);
60765 -};
60766 +} __no_const;
60767
60768 struct drm_connector_helper_funcs {
60769 int (*get_modes)(struct drm_connector *connector);
60770 diff -urNp linux-2.6.32.46/include/drm/drmP.h linux-2.6.32.46/include/drm/drmP.h
60771 --- linux-2.6.32.46/include/drm/drmP.h 2011-03-27 14:31:47.000000000 -0400
60772 +++ linux-2.6.32.46/include/drm/drmP.h 2011-04-17 15:56:46.000000000 -0400
60773 @@ -71,6 +71,7 @@
60774 #include <linux/workqueue.h>
60775 #include <linux/poll.h>
60776 #include <asm/pgalloc.h>
60777 +#include <asm/local.h>
60778 #include "drm.h"
60779
60780 #include <linux/idr.h>
60781 @@ -814,7 +815,7 @@ struct drm_driver {
60782 void (*vgaarb_irq)(struct drm_device *dev, bool state);
60783
60784 /* Driver private ops for this object */
60785 - struct vm_operations_struct *gem_vm_ops;
60786 + const struct vm_operations_struct *gem_vm_ops;
60787
60788 int major;
60789 int minor;
60790 @@ -917,7 +918,7 @@ struct drm_device {
60791
60792 /** \name Usage Counters */
60793 /*@{ */
60794 - int open_count; /**< Outstanding files open */
60795 + local_t open_count; /**< Outstanding files open */
60796 atomic_t ioctl_count; /**< Outstanding IOCTLs pending */
60797 atomic_t vma_count; /**< Outstanding vma areas open */
60798 int buf_use; /**< Buffers in use -- cannot alloc */
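Review bot: `open_count` becomes a `local_t`, which only guarantees atomicity with respect to the CPU it runs on and is not an SMP-safe counter. If `open_count` is updated from open and release paths on different CPUs, correctness still depends on a lock that is not visible in this hunk, while the neighbouring `ioctl_count` and `vma_count` remain `atomic_t`. Either keep the counter consistent with its neighbours or add a comment naming the lock that serialises it, e.g. `/* protected by <lock>; local_t used for <reason> */`. `struct drm_device` starts and ends outside the hunk.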
60799 @@ -928,7 +929,7 @@ struct drm_device {
60800 /*@{ */
60801 unsigned long counters;
60802 enum drm_stat_type types[15];
60803 - atomic_t counts[15];
60804 + atomic_unchecked_t counts[15];
60805 /*@} */
60806
60807 struct list_head filelist;
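Review bot: `counts[15]` is switched to `atomic_unchecked_t` without a note on why wrapping is acceptable for it. Assuming `atomic_t` is overflow-checked elsewhere in this patch and the `_unchecked` type is the opt-out, each conversion asserts that the value is never used as a reference count or a size, and that belongs next to the field. The same applies to `object_memory`, `pin_memory` and `gtt_memory` two hunks below (their `*_count` siblings stay `atomic_t`), to `__HANDLE_ITEM` in atmdev.h, `dropped` in blktrace_api.h, `gen` in dst.h and `fscache_op_debug_id` in fscache-cache.h. A short comment per field is enough, e.g. `/* statistics only, may wrap */` or `/* id generator, wrap is harmless */`.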
60808 @@ -1016,7 +1017,7 @@ struct drm_device {
60809 struct pci_controller *hose;
60810 #endif
60811 struct drm_sg_mem *sg; /**< Scatter gather memory */
60812 - unsigned int num_crtcs; /**< Number of CRTCs on this device */
60813 + unsigned int num_crtcs; /**< Number of CRTCs on this device */
60814 void *dev_private; /**< device private data */
60815 void *mm_private;
60816 struct address_space *dev_mapping;
60817 @@ -1042,11 +1043,11 @@ struct drm_device {
60818 spinlock_t object_name_lock;
60819 struct idr object_name_idr;
60820 atomic_t object_count;
60821 - atomic_t object_memory;
60822 + atomic_unchecked_t object_memory;
60823 atomic_t pin_count;
60824 - atomic_t pin_memory;
60825 + atomic_unchecked_t pin_memory;
60826 atomic_t gtt_count;
60827 - atomic_t gtt_memory;
60828 + atomic_unchecked_t gtt_memory;
60829 uint32_t gtt_total;
60830 uint32_t invalidate_domains; /* domains pending invalidation */
60831 uint32_t flush_domains; /* domains pending flush */
60832 diff -urNp linux-2.6.32.46/include/drm/ttm/ttm_memory.h linux-2.6.32.46/include/drm/ttm/ttm_memory.h
60833 --- linux-2.6.32.46/include/drm/ttm/ttm_memory.h 2011-03-27 14:31:47.000000000 -0400
60834 +++ linux-2.6.32.46/include/drm/ttm/ttm_memory.h 2011-08-05 20:33:55.000000000 -0400
60835 @@ -47,7 +47,7 @@
60836
60837 struct ttm_mem_shrink {
60838 int (*do_shrink) (struct ttm_mem_shrink *);
60839 -};
60840 +} __no_const;
60841
60842 /**
60843 * struct ttm_mem_global - Global memory accounting structure.
60844 diff -urNp linux-2.6.32.46/include/linux/a.out.h linux-2.6.32.46/include/linux/a.out.h
60845 --- linux-2.6.32.46/include/linux/a.out.h 2011-03-27 14:31:47.000000000 -0400
60846 +++ linux-2.6.32.46/include/linux/a.out.h 2011-04-17 15:56:46.000000000 -0400
60847 @@ -39,6 +39,14 @@ enum machine_type {
60848 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
60849 };
60850
60851 +/* Constants for the N_FLAGS field */
60852 +#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
60853 +#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
60854 +#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
60855 +#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
60856 +/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
60857 +#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
60858 +
60859 #if !defined (N_MAGIC)
60860 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
60861 #endif
60862 diff -urNp linux-2.6.32.46/include/linux/atmdev.h linux-2.6.32.46/include/linux/atmdev.h
60863 --- linux-2.6.32.46/include/linux/atmdev.h 2011-03-27 14:31:47.000000000 -0400
60864 +++ linux-2.6.32.46/include/linux/atmdev.h 2011-04-17 15:56:46.000000000 -0400
60865 @@ -237,7 +237,7 @@ struct compat_atm_iobuf {
60866 #endif
60867
60868 struct k_atm_aal_stats {
60869 -#define __HANDLE_ITEM(i) atomic_t i
60870 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
60871 __AAL_STAT_ITEMS
60872 #undef __HANDLE_ITEM
60873 };
60874 diff -urNp linux-2.6.32.46/include/linux/backlight.h linux-2.6.32.46/include/linux/backlight.h
60875 --- linux-2.6.32.46/include/linux/backlight.h 2011-03-27 14:31:47.000000000 -0400
60876 +++ linux-2.6.32.46/include/linux/backlight.h 2011-04-17 15:56:46.000000000 -0400
60877 @@ -36,18 +36,18 @@ struct backlight_device;
60878 struct fb_info;
60879
60880 struct backlight_ops {
60881 - unsigned int options;
60882 + const unsigned int options;
60883
60884 #define BL_CORE_SUSPENDRESUME (1 << 0)
60885
60886 /* Notify the backlight driver some property has changed */
60887 - int (*update_status)(struct backlight_device *);
60888 + int (* const update_status)(struct backlight_device *);
60889 /* Return the current backlight brightness (accounting for power,
60890 fb_blank etc.) */
60891 - int (*get_brightness)(struct backlight_device *);
60892 + int (* const get_brightness)(struct backlight_device *);
60893 /* Check if given framebuffer device is the one bound to this backlight;
60894 return 0 if not, !=0 if it is. If NULL, backlight always matches the fb. */
60895 - int (*check_fb)(struct fb_info *);
60896 + int (* const check_fb)(struct fb_info *);
60897 };
60898
60899 /* This structure defines all the properties of a backlight */
60900 @@ -86,7 +86,7 @@ struct backlight_device {
60901 registered this device has been unloaded, and if class_get_devdata()
60902 points to something in the body of that driver, it is also invalid. */
60903 struct mutex ops_lock;
60904 - struct backlight_ops *ops;
60905 + const struct backlight_ops *ops;
60906
60907 /* The framebuffer notifier block */
60908 struct notifier_block fb_notif;
60909 @@ -103,7 +103,7 @@ static inline void backlight_update_stat
60910 }
60911
60912 extern struct backlight_device *backlight_device_register(const char *name,
60913 - struct device *dev, void *devdata, struct backlight_ops *ops);
60914 + struct device *dev, void *devdata, const struct backlight_ops *ops);
60915 extern void backlight_device_unregister(struct backlight_device *bd);
60916 extern void backlight_force_update(struct backlight_device *bd,
60917 enum backlight_update_reason reason);
60918 diff -urNp linux-2.6.32.46/include/linux/binfmts.h linux-2.6.32.46/include/linux/binfmts.h
60919 --- linux-2.6.32.46/include/linux/binfmts.h 2011-04-17 17:00:52.000000000 -0400
60920 +++ linux-2.6.32.46/include/linux/binfmts.h 2011-04-17 15:56:46.000000000 -0400
60921 @@ -83,6 +83,7 @@ struct linux_binfmt {
60922 int (*load_binary)(struct linux_binprm *, struct pt_regs * regs);
60923 int (*load_shlib)(struct file *);
60924 int (*core_dump)(long signr, struct pt_regs *regs, struct file *file, unsigned long limit);
60925 + void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
60926 unsigned long min_coredump; /* minimal dump size */
60927 int hasvdso;
60928 };
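Review bot: `handle_mprotect` is added to `struct linux_binfmt` without a comment, and existing binfmt definitions that do not initialise it will leave it NULL. Callers therefore have to test the pointer before calling it; the call site is not in this hunk, so that cannot be confirmed here. Suggest documenting the member, e.g. `/* optional, may be NULL: <when it is called, locks held> */`. `struct linux_binfmt` starts outside the hunk.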
60929 diff -urNp linux-2.6.32.46/include/linux/blkdev.h linux-2.6.32.46/include/linux/blkdev.h
60930 --- linux-2.6.32.46/include/linux/blkdev.h 2011-03-27 14:31:47.000000000 -0400
60931 +++ linux-2.6.32.46/include/linux/blkdev.h 2011-08-26 20:27:21.000000000 -0400
60932 @@ -1278,7 +1278,7 @@ struct block_device_operations {
60933 int (*revalidate_disk) (struct gendisk *);
60934 int (*getgeo)(struct block_device *, struct hd_geometry *);
60935 struct module *owner;
60936 -};
60937 +} __do_const;
60938
60939 extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
60940 unsigned long);
60941 diff -urNp linux-2.6.32.46/include/linux/blktrace_api.h linux-2.6.32.46/include/linux/blktrace_api.h
60942 --- linux-2.6.32.46/include/linux/blktrace_api.h 2011-03-27 14:31:47.000000000 -0400
60943 +++ linux-2.6.32.46/include/linux/blktrace_api.h 2011-05-04 17:56:28.000000000 -0400
60944 @@ -160,7 +160,7 @@ struct blk_trace {
60945 struct dentry *dir;
60946 struct dentry *dropped_file;
60947 struct dentry *msg_file;
60948 - atomic_t dropped;
60949 + atomic_unchecked_t dropped;
60950 };
60951
60952 extern int blk_trace_ioctl(struct block_device *, unsigned, char __user *);
60953 diff -urNp linux-2.6.32.46/include/linux/byteorder/little_endian.h linux-2.6.32.46/include/linux/byteorder/little_endian.h
60954 --- linux-2.6.32.46/include/linux/byteorder/little_endian.h 2011-03-27 14:31:47.000000000 -0400
60955 +++ linux-2.6.32.46/include/linux/byteorder/little_endian.h 2011-04-17 15:56:46.000000000 -0400
60956 @@ -42,51 +42,51 @@
60957
60958 static inline __le64 __cpu_to_le64p(const __u64 *p)
60959 {
60960 - return (__force __le64)*p;
60961 + return (__force const __le64)*p;
60962 }
60963 static inline __u64 __le64_to_cpup(const __le64 *p)
60964 {
60965 - return (__force __u64)*p;
60966 + return (__force const __u64)*p;
60967 }
60968 static inline __le32 __cpu_to_le32p(const __u32 *p)
60969 {
60970 - return (__force __le32)*p;
60971 + return (__force const __le32)*p;
60972 }
60973 static inline __u32 __le32_to_cpup(const __le32 *p)
60974 {
60975 - return (__force __u32)*p;
60976 + return (__force const __u32)*p;
60977 }
60978 static inline __le16 __cpu_to_le16p(const __u16 *p)
60979 {
60980 - return (__force __le16)*p;
60981 + return (__force const __le16)*p;
60982 }
60983 static inline __u16 __le16_to_cpup(const __le16 *p)
60984 {
60985 - return (__force __u16)*p;
60986 + return (__force const __u16)*p;
60987 }
60988 static inline __be64 __cpu_to_be64p(const __u64 *p)
60989 {
60990 - return (__force __be64)__swab64p(p);
60991 + return (__force const __be64)__swab64p(p);
60992 }
60993 static inline __u64 __be64_to_cpup(const __be64 *p)
60994 {
60995 - return __swab64p((__u64 *)p);
60996 + return __swab64p((const __u64 *)p);
60997 }
60998 static inline __be32 __cpu_to_be32p(const __u32 *p)
60999 {
61000 - return (__force __be32)__swab32p(p);
61001 + return (__force const __be32)__swab32p(p);
61002 }
61003 static inline __u32 __be32_to_cpup(const __be32 *p)
61004 {
61005 - return __swab32p((__u32 *)p);
61006 + return __swab32p((const __u32 *)p);
61007 }
61008 static inline __be16 __cpu_to_be16p(const __u16 *p)
61009 {
61010 - return (__force __be16)__swab16p(p);
61011 + return (__force const __be16)__swab16p(p);
61012 }
61013 static inline __u16 __be16_to_cpup(const __be16 *p)
61014 {
61015 - return __swab16p((__u16 *)p);
61016 + return __swab16p((const __u16 *)p);
61017 }
61018 #define __cpu_to_le64s(x) do { (void)(x); } while (0)
61019 #define __le64_to_cpus(x) do { (void)(x); } while (0)
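Review bot: In the value casts such as `(__force const __le64)*p`, the added `const` qualifies an rvalue of scalar type, which has no effect in C. Only the three pointer casts, e.g. `(const __u64 *)p`, change anything, by no longer dropping the qualifier from `p`. If the scalar `const` is there to satisfy a checker or compiler plugin, say so above the first helper, e.g. `/* const in value casts is for <tool>; it does not change generated code */`. Otherwise keep `(__force __le64)*p` and limit the change to the pointer casts.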
61020 diff -urNp linux-2.6.32.46/include/linux/cache.h linux-2.6.32.46/include/linux/cache.h
61021 --- linux-2.6.32.46/include/linux/cache.h 2011-03-27 14:31:47.000000000 -0400
61022 +++ linux-2.6.32.46/include/linux/cache.h 2011-04-17 15:56:46.000000000 -0400
61023 @@ -16,6 +16,10 @@
61024 #define __read_mostly
61025 #endif
61026
61027 +#ifndef __read_only
61028 +#define __read_only __read_mostly
61029 +#endif
61030 +
61031 #ifndef ____cacheline_aligned
61032 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
61033 #endif
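Review bot: The fallback `#define __read_only __read_mostly` means that on any architecture without its own `__read_only`, data carrying the annotation is placed like ordinary read-mostly data and stays writable. Nothing at the definition says so, and the name promises more than the fallback delivers. Suggest a comment above the `#ifndef`, e.g. `/* fallback: placement only, no write protection; architectures with read-only data support override this */`.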
61034 diff -urNp linux-2.6.32.46/include/linux/capability.h linux-2.6.32.46/include/linux/capability.h
61035 --- linux-2.6.32.46/include/linux/capability.h 2011-03-27 14:31:47.000000000 -0400
61036 +++ linux-2.6.32.46/include/linux/capability.h 2011-04-17 15:56:46.000000000 -0400
61037 @@ -563,6 +563,7 @@ extern const kernel_cap_t __cap_init_eff
61038 (security_real_capable_noaudit((t), (cap)) == 0)
61039
61040 extern int capable(int cap);
61041 +int capable_nolog(int cap);
61042
61043 /* audit system wants to get cap info from files as well */
61044 struct dentry;
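Review bot: `capable_nolog()` is declared without `extern` directly below `extern int capable(int cap);`, and without a comment on how it differs from `capable()`. Write it as `extern int capable_nolog(int cap);` to match, and add a line such as `/* like capable(), but <what is not logged and when that is acceptable> */`. The definition is not in this hunk, so the difference cannot be read off here.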
61045 diff -urNp linux-2.6.32.46/include/linux/compiler-gcc4.h linux-2.6.32.46/include/linux/compiler-gcc4.h
61046 --- linux-2.6.32.46/include/linux/compiler-gcc4.h 2011-03-27 14:31:47.000000000 -0400
61047 +++ linux-2.6.32.46/include/linux/compiler-gcc4.h 2011-08-26 20:19:09.000000000 -0400
61048 @@ -36,4 +36,16 @@
61049 the kernel context */
61050 #define __cold __attribute__((__cold__))
61051
61052 +#define __alloc_size(...) __attribute((alloc_size(__VA_ARGS__)))
61053 +#define __bos(ptr, arg) __builtin_object_size((ptr), (arg))
61054 +#define __bos0(ptr) __bos((ptr), 0)
61055 +#define __bos1(ptr) __bos((ptr), 1)
61056 +
61057 +#if __GNUC_MINOR__ >= 5
61058 +#ifdef CONSTIFY_PLUGIN
61059 +#define __no_const __attribute__((no_const))
61060 +#define __do_const __attribute__((do_const))
61061 +#endif
61062 +#endif
61063 +
61064 #endif
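Review bot: `__alloc_size` is defined for every GCC 4.x, but as far as I know the `alloc_size` attribute is only recognised from GCC 4.3 on, so older 4.x compilers would warn about an unknown attribute at each use. Guarding it with `#if __GNUC_MINOR__ >= 3`, in the same way the plugin attributes below are guarded, would let the empty fallback in compiler.h take over. The macro is also spelled `__attribute(` where the rest of the file uses `__attribute__(`. `__no_const` and `__do_const` depend on `CONSTIFY_PLUGIN`; a comment saying who sets that macro would help.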
61065 diff -urNp linux-2.6.32.46/include/linux/compiler.h linux-2.6.32.46/include/linux/compiler.h
61066 --- linux-2.6.32.46/include/linux/compiler.h 2011-03-27 14:31:47.000000000 -0400
61067 +++ linux-2.6.32.46/include/linux/compiler.h 2011-10-06 09:37:14.000000000 -0400
61068 @@ -5,11 +5,14 @@
61069
61070 #ifdef __CHECKER__
61071 # define __user __attribute__((noderef, address_space(1)))
61072 +# define __force_user __force __user
61073 # define __kernel /* default address space */
61074 +# define __force_kernel __force __kernel
61075 # define __safe __attribute__((safe))
61076 # define __force __attribute__((force))
61077 # define __nocast __attribute__((nocast))
61078 # define __iomem __attribute__((noderef, address_space(2)))
61079 +# define __force_iomem __force __iomem
61080 # define __acquires(x) __attribute__((context(x,0,1)))
61081 # define __releases(x) __attribute__((context(x,1,0)))
61082 # define __acquire(x) __context__(x,1)
61083 @@ -17,13 +20,34 @@
61084 # define __cond_lock(x,c) ((c) ? ({ __acquire(x); 1; }) : 0)
61085 extern void __chk_user_ptr(const volatile void __user *);
61086 extern void __chk_io_ptr(const volatile void __iomem *);
61087 +#elif defined(CHECKER_PLUGIN)
61088 +//# define __user
61089 +//# define __force_user
61090 +//# define __kernel
61091 +//# define __force_kernel
61092 +# define __safe
61093 +# define __force
61094 +# define __nocast
61095 +# define __iomem
61096 +# define __force_iomem
61097 +# define __chk_user_ptr(x) (void)0
61098 +# define __chk_io_ptr(x) (void)0
61099 +# define __builtin_warning(x, y...) (1)
61100 +# define __acquires(x)
61101 +# define __releases(x)
61102 +# define __acquire(x) (void)0
61103 +# define __release(x) (void)0
61104 +# define __cond_lock(x,c) (c)
61105 #else
61106 # define __user
61107 +# define __force_user
61108 # define __kernel
61109 +# define __force_kernel
61110 # define __safe
61111 # define __force
61112 # define __nocast
61113 # define __iomem
61114 +# define __force_iomem
61115 # define __chk_user_ptr(x) (void)0
61116 # define __chk_io_ptr(x) (void)0
61117 # define __builtin_warning(x, y...) (1)
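Review bot: In the new `CHECKER_PLUGIN` branch, `__user`, `__force_user`, `__kernel` and `__force_kernel` are left as commented-out `//# define` lines, so this header does not define them at all in that configuration. Unless the plugin or the command line supplies them, any declaration using `__user` fails to compile. If they are supplied elsewhere, replace the dead lines with a comment saying where, e.g. `/* __user, __kernel and their __force_ variants are provided by <source> */`.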
61118 @@ -247,6 +271,14 @@ void ftrace_likely_update(struct ftrace_
61119 # define __attribute_const__ /* unimplemented */
61120 #endif
61121
61122 +#ifndef __no_const
61123 +# define __no_const
61124 +#endif
61125 +
61126 +#ifndef __do_const
61127 +# define __do_const
61128 +#endif
61129 +
61130 /*
61131 * Tell gcc if a function is cold. The compiler will assume any path
61132 * directly leading to the call is unlikely.
61133 @@ -256,6 +288,22 @@ void ftrace_likely_update(struct ftrace_
61134 #define __cold
61135 #endif
61136
61137 +#ifndef __alloc_size
61138 +#define __alloc_size(...)
61139 +#endif
61140 +
61141 +#ifndef __bos
61142 +#define __bos(ptr, arg)
61143 +#endif
61144 +
61145 +#ifndef __bos0
61146 +#define __bos0(ptr)
61147 +#endif
61148 +
61149 +#ifndef __bos1
61150 +#define __bos1(ptr)
61151 +#endif
61152 +
61153 /* Simple shorthand for a section definition */
61154 #ifndef __section
61155 # define __section(S) __attribute__ ((__section__(#S)))
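Review bot: The fallbacks for `__bos`, `__bos0` and `__bos1` expand to nothing, which makes any use inside an expression (constructed example: `if (__bos0(p) < len)`) a syntax error on compilers that do not get the compiler-gcc4.h definitions. `__builtin_object_size` reports an unknown size as `(size_t)-1` for types 0 and 1, so a value fallback such as `#define __bos(ptr, arg) ((size_t)-1)`, with `__bos0`/`__bos1` defined in terms of it, keeps such checks compiling and inert. No user of these macros is visible here, so whether this bites depends on how they are used.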
61156 @@ -278,6 +326,7 @@ void ftrace_likely_update(struct ftrace_
61157 * use is to mediate communication between process-level code and irq/NMI
61158 * handlers, all running on the same CPU.
61159 */
61160 -#define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x))
61161 +#define ACCESS_ONCE(x) (*(volatile const typeof(x) *)&(x))
61162 +#define ACCESS_ONCE_RW(x) (*(volatile typeof(x) *)&(x))
61163
61164 #endif /* __LINUX_COMPILER_H */
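Review bot: `ACCESS_ONCE()` now yields a `const` lvalue and stores have to go through the new `ACCESS_ONCE_RW()`, but nothing documents the split. The comment block above, which starts outside the hunk, is unchanged in the lines shown. Add a line before the two definitions, e.g. `/* ACCESS_ONCE() is read-only; use ACCESS_ONCE_RW() for stores */`, so that a failed build on `ACCESS_ONCE(x) = v` points the reader at the replacement.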
61165 diff -urNp linux-2.6.32.46/include/linux/crypto.h linux-2.6.32.46/include/linux/crypto.h
61166 --- linux-2.6.32.46/include/linux/crypto.h 2011-03-27 14:31:47.000000000 -0400
61167 +++ linux-2.6.32.46/include/linux/crypto.h 2011-08-05 20:33:55.000000000 -0400
61168 @@ -394,7 +394,7 @@ struct cipher_tfm {
61169 const u8 *key, unsigned int keylen);
61170 void (*cit_encrypt_one)(struct crypto_tfm *tfm, u8 *dst, const u8 *src);
61171 void (*cit_decrypt_one)(struct crypto_tfm *tfm, u8 *dst, const u8 *src);
61172 -};
61173 +} __no_const;
61174
61175 struct hash_tfm {
61176 int (*init)(struct hash_desc *desc);
61177 @@ -415,13 +415,13 @@ struct compress_tfm {
61178 int (*cot_decompress)(struct crypto_tfm *tfm,
61179 const u8 *src, unsigned int slen,
61180 u8 *dst, unsigned int *dlen);
61181 -};
61182 +} __no_const;
61183
61184 struct rng_tfm {
61185 int (*rng_gen_random)(struct crypto_rng *tfm, u8 *rdata,
61186 unsigned int dlen);
61187 int (*rng_reset)(struct crypto_rng *tfm, u8 *seed, unsigned int slen);
61188 -};
61189 +} __no_const;
61190
61191 #define crt_ablkcipher crt_u.ablkcipher
61192 #define crt_aead crt_u.aead
61193 diff -urNp linux-2.6.32.46/include/linux/dcache.h linux-2.6.32.46/include/linux/dcache.h
61194 --- linux-2.6.32.46/include/linux/dcache.h 2011-03-27 14:31:47.000000000 -0400
61195 +++ linux-2.6.32.46/include/linux/dcache.h 2011-04-23 13:34:46.000000000 -0400
61196 @@ -119,6 +119,8 @@ struct dentry {
61197 unsigned char d_iname[DNAME_INLINE_LEN_MIN]; /* small names */
61198 };
61199
61200 +#define DNAME_INLINE_LEN (sizeof(struct dentry)-offsetof(struct dentry,d_iname))
61201 +
61202 /*
61203 * dentry->d_lock spinlock nesting subclasses:
61204 *
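Review bot: `DNAME_INLINE_LEN` is computed as everything from `d_iname` to the end of `struct dentry`, so it is a valid bound for the inline name only while `d_iname` remains the last member, and it includes any tail padding. Nothing in the header states that constraint. Suggest `/* bytes available for the inline name; d_iname must stay the last member of struct dentry */` above the define. The define also needs `offsetof` in scope, and whether this header already includes it is not visible in the hunk.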
61205 diff -urNp linux-2.6.32.46/include/linux/decompress/mm.h linux-2.6.32.46/include/linux/decompress/mm.h
61206 --- linux-2.6.32.46/include/linux/decompress/mm.h 2011-03-27 14:31:47.000000000 -0400
61207 +++ linux-2.6.32.46/include/linux/decompress/mm.h 2011-04-17 15:56:46.000000000 -0400
61208 @@ -78,7 +78,7 @@ static void free(void *where)
61209 * warnings when not needed (indeed large_malloc / large_free are not
61210 * needed by inflate */
61211
61212 -#define malloc(a) kmalloc(a, GFP_KERNEL)
61213 +#define malloc(a) kmalloc((a), GFP_KERNEL)
61214 #define free(a) kfree(a)
61215
61216 #define large_malloc(a) vmalloc(a)
61217 diff -urNp linux-2.6.32.46/include/linux/dma-mapping.h linux-2.6.32.46/include/linux/dma-mapping.h
61218 --- linux-2.6.32.46/include/linux/dma-mapping.h 2011-03-27 14:31:47.000000000 -0400
61219 +++ linux-2.6.32.46/include/linux/dma-mapping.h 2011-08-26 20:19:09.000000000 -0400
61220 @@ -16,51 +16,51 @@ enum dma_data_direction {
61221 };
61222
61223 struct dma_map_ops {
61224 - void* (*alloc_coherent)(struct device *dev, size_t size,
61225 + void* (* const alloc_coherent)(struct device *dev, size_t size,
61226 dma_addr_t *dma_handle, gfp_t gfp);
61227 - void (*free_coherent)(struct device *dev, size_t size,
61228 + void (* const free_coherent)(struct device *dev, size_t size,
61229 void *vaddr, dma_addr_t dma_handle);
61230 - dma_addr_t (*map_page)(struct device *dev, struct page *page,
61231 + dma_addr_t (* const map_page)(struct device *dev, struct page *page,
61232 unsigned long offset, size_t size,
61233 enum dma_data_direction dir,
61234 struct dma_attrs *attrs);
61235 - void (*unmap_page)(struct device *dev, dma_addr_t dma_handle,
61236 + void (* const unmap_page)(struct device *dev, dma_addr_t dma_handle,
61237 size_t size, enum dma_data_direction dir,
61238 struct dma_attrs *attrs);
61239 - int (*map_sg)(struct device *dev, struct scatterlist *sg,
61240 + int (* const map_sg)(struct device *dev, struct scatterlist *sg,
61241 int nents, enum dma_data_direction dir,
61242 struct dma_attrs *attrs);
61243 - void (*unmap_sg)(struct device *dev,
61244 + void (* const unmap_sg)(struct device *dev,
61245 struct scatterlist *sg, int nents,
61246 enum dma_data_direction dir,
61247 struct dma_attrs *attrs);
61248 - void (*sync_single_for_cpu)(struct device *dev,
61249 + void (* const sync_single_for_cpu)(struct device *dev,
61250 dma_addr_t dma_handle, size_t size,
61251 enum dma_data_direction dir);
61252 - void (*sync_single_for_device)(struct device *dev,
61253 + void (* const sync_single_for_device)(struct device *dev,
61254 dma_addr_t dma_handle, size_t size,
61255 enum dma_data_direction dir);
61256 - void (*sync_single_range_for_cpu)(struct device *dev,
61257 + void (* const sync_single_range_for_cpu)(struct device *dev,
61258 dma_addr_t dma_handle,
61259 unsigned long offset,
61260 size_t size,
61261 enum dma_data_direction dir);
61262 - void (*sync_single_range_for_device)(struct device *dev,
61263 + void (* const sync_single_range_for_device)(struct device *dev,
61264 dma_addr_t dma_handle,
61265 unsigned long offset,
61266 size_t size,
61267 enum dma_data_direction dir);
61268 - void (*sync_sg_for_cpu)(struct device *dev,
61269 + void (* const sync_sg_for_cpu)(struct device *dev,
61270 struct scatterlist *sg, int nents,
61271 enum dma_data_direction dir);
61272 - void (*sync_sg_for_device)(struct device *dev,
61273 + void (* const sync_sg_for_device)(struct device *dev,
61274 struct scatterlist *sg, int nents,
61275 enum dma_data_direction dir);
61276 - int (*mapping_error)(struct device *dev, dma_addr_t dma_addr);
61277 - int (*dma_supported)(struct device *dev, u64 mask);
61278 + int (* const mapping_error)(struct device *dev, dma_addr_t dma_addr);
61279 + int (* const dma_supported)(struct device *dev, u64 mask);
61280 int (*set_dma_mask)(struct device *dev, u64 mask);
61281 int is_phys;
61282 -};
61283 +} __do_const;
61284
61285 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
61286
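Review bot: Every function pointer in `struct dma_map_ops` gains `* const` except `set_dma_mask`, and `is_phys` is left non-const too. With `__do_const` on the struct the per-member qualifiers look redundant, and when the plugin is absent (`__do_const` expands to nothing in compiler.h) `set_dma_mask` is the one callback that stays assignable. If that is deliberate, mark it, e.g. `/* set_dma_mask is assigned at run time by <user> */`. Otherwise make it `int (* const set_dma_mask)(struct device *dev, u64 mask);`.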
61287 diff -urNp linux-2.6.32.46/include/linux/dst.h linux-2.6.32.46/include/linux/dst.h
61288 --- linux-2.6.32.46/include/linux/dst.h 2011-03-27 14:31:47.000000000 -0400
61289 +++ linux-2.6.32.46/include/linux/dst.h 2011-04-17 15:56:46.000000000 -0400
61290 @@ -380,7 +380,7 @@ struct dst_node
61291 struct thread_pool *pool;
61292
61293 /* Transaction IDs live here */
61294 - atomic_long_t gen;
61295 + atomic_long_unchecked_t gen;
61296
61297 /*
61298 * How frequently and how many times transaction
61299 diff -urNp linux-2.6.32.46/include/linux/elf.h linux-2.6.32.46/include/linux/elf.h
61300 --- linux-2.6.32.46/include/linux/elf.h 2011-03-27 14:31:47.000000000 -0400
61301 +++ linux-2.6.32.46/include/linux/elf.h 2011-04-17 15:56:46.000000000 -0400
61302 @@ -49,6 +49,17 @@ typedef __s64 Elf64_Sxword;
61303 #define PT_GNU_EH_FRAME 0x6474e550
61304
61305 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
61306 +#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
61307 +
61308 +#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
61309 +
61310 +/* Constants for the e_flags field */
61311 +#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
61312 +#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
61313 +#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
61314 +#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
61315 +/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
61316 +#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
61317
61318 /* These constants define the different elf file types */
61319 #define ET_NONE 0
61320 @@ -84,6 +95,8 @@ typedef __s64 Elf64_Sxword;
61321 #define DT_DEBUG 21
61322 #define DT_TEXTREL 22
61323 #define DT_JMPREL 23
61324 +#define DT_FLAGS 30
61325 + #define DF_TEXTREL 0x00000004
61326 #define DT_ENCODING 32
61327 #define OLD_DT_LOOS 0x60000000
61328 #define DT_LOOS 0x6000000d
61329 @@ -230,6 +243,19 @@ typedef struct elf64_hdr {
61330 #define PF_W 0x2
61331 #define PF_X 0x1
61332
61333 +#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
61334 +#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
61335 +#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
61336 +#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
61337 +#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
61338 +#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
61339 +/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
61340 +/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
61341 +#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
61342 +#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
61343 +#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
61344 +#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
61345 +
61346 typedef struct elf32_phdr{
61347 Elf32_Word p_type;
61348 Elf32_Off p_offset;
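Review bot: The `PF_*` PaX flags come in enable/disable pairs (`PF_PAGEEXEC`/`PF_NOPAGEEXEC` and so on), and nothing here says what a loader should do when both bits of a pair, or neither, are set. These values are read from a program header in a file the kernel does not control, so the precedence rule belongs next to the definitions, e.g. `/* for each pair: both set is <result>; neither set means <default> */`. The parsing code is not in this hunk.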
61349 @@ -322,6 +348,8 @@ typedef struct elf64_shdr {
61350 #define EI_OSABI 7
61351 #define EI_PAD 8
61352
61353 +#define EI_PAX 14
61354 +
61355 #define ELFMAG0 0x7f /* EI_MAG */
61356 #define ELFMAG1 'E'
61357 #define ELFMAG2 'L'
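Review bot: `EI_PAX 14` has no comment, and it indexes into the `e_ident` bytes that start at `EI_PAD` (8), which the context lines name as padding. A reader cannot tell which bits of that byte are used or how it relates to the `PT_PAX_FLAGS` and `EF_PAX_*` markings added in the first hunk of this file. Suggest a line such as `/* e_ident index of the PaX flags byte (inside EI_PAD); <which marking wins if several are present> */`.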
61358 @@ -386,6 +414,7 @@ extern Elf32_Dyn _DYNAMIC [];
61359 #define elf_phdr elf32_phdr
61360 #define elf_note elf32_note
61361 #define elf_addr_t Elf32_Off
61362 +#define elf_dyn Elf32_Dyn
61363
61364 #else
61365
61366 @@ -394,6 +423,7 @@ extern Elf64_Dyn _DYNAMIC [];
61367 #define elf_phdr elf64_phdr
61368 #define elf_note elf64_note
61369 #define elf_addr_t Elf64_Off
61370 +#define elf_dyn Elf64_Dyn
61371
61372 #endif
61373
61374 diff -urNp linux-2.6.32.46/include/linux/fscache-cache.h linux-2.6.32.46/include/linux/fscache-cache.h
61375 --- linux-2.6.32.46/include/linux/fscache-cache.h 2011-03-27 14:31:47.000000000 -0400
61376 +++ linux-2.6.32.46/include/linux/fscache-cache.h 2011-05-04 17:56:28.000000000 -0400
61377 @@ -116,7 +116,7 @@ struct fscache_operation {
61378 #endif
61379 };
61380
61381 -extern atomic_t fscache_op_debug_id;
61382 +extern atomic_unchecked_t fscache_op_debug_id;
61383 extern const struct slow_work_ops fscache_op_slow_work_ops;
61384
61385 extern void fscache_enqueue_operation(struct fscache_operation *);
61386 @@ -134,7 +134,7 @@ static inline void fscache_operation_ini
61387 fscache_operation_release_t release)
61388 {
61389 atomic_set(&op->usage, 1);
61390 - op->debug_id = atomic_inc_return(&fscache_op_debug_id);
61391 + op->debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
61392 op->release = release;
61393 INIT_LIST_HEAD(&op->pend_link);
61394 fscache_set_op_state(op, "Init");
61395 diff -urNp linux-2.6.32.46/include/linux/fs.h linux-2.6.32.46/include/linux/fs.h
61396 --- linux-2.6.32.46/include/linux/fs.h 2011-07-13 17:23:04.000000000 -0400
61397 +++ linux-2.6.32.46/include/linux/fs.h 2011-08-26 20:19:09.000000000 -0400
61398 @@ -90,6 +90,11 @@ struct inodes_stat_t {
61399 /* Expect random access pattern */
61400 #define FMODE_RANDOM ((__force fmode_t)4096)
61401
61402 +/* Hack for grsec so as not to require read permission simply to execute
61403 + * a binary
61404 + */
61405 +#define FMODE_GREXEC ((__force fmode_t)0x2000000)
61406 +
61407 /*
61408 * The below are the various read and write types that we support. Some of
61409 * them include behavioral modifiers that send information down to the
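Review bot: The comment on `FMODE_GREXEC` calls it a hack but does not say where the bit is set or which permission check honours it, which matters because the flag exists to waive a read-permission requirement. The comment should name the setter and the consumer and state that the bit is kernel-internal and never derived from userspace-supplied open flags, if that is the intent. Nothing in the hunk shows that `0x2000000` is unused by other `FMODE_*` values, and it is written in hex where the neighbouring `FMODE_RANDOM` uses decimal; a note on why this bit was chosen would help when rebasing onto a kernel that adds more modes.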
61410 @@ -568,41 +573,41 @@ typedef int (*read_actor_t)(read_descrip
61411 unsigned long, unsigned long);
61412
61413 struct address_space_operations {
61414 - int (*writepage)(struct page *page, struct writeback_control *wbc);
61415 - int (*readpage)(struct file *, struct page *);
61416 - void (*sync_page)(struct page *);
61417 + int (* const writepage)(struct page *page, struct writeback_control *wbc);
61418 + int (* const readpage)(struct file *, struct page *);
61419 + void (* const sync_page)(struct page *);
61420
61421 /* Write back some dirty pages from this mapping. */
61422 - int (*writepages)(struct address_space *, struct writeback_control *);
61423 + int (* const writepages)(struct address_space *, struct writeback_control *);
61424
61425 /* Set a page dirty. Return true if this dirtied it */
61426 - int (*set_page_dirty)(struct page *page);
61427 + int (* const set_page_dirty)(struct page *page);
61428
61429 - int (*readpages)(struct file *filp, struct address_space *mapping,
61430 + int (* const readpages)(struct file *filp, struct address_space *mapping,
61431 struct list_head *pages, unsigned nr_pages);
61432
61433 - int (*write_begin)(struct file *, struct address_space *mapping,
61434 + int (* const write_begin)(struct file *, struct address_space *mapping,
61435 loff_t pos, unsigned len, unsigned flags,
61436 struct page **pagep, void **fsdata);
61437 - int (*write_end)(struct file *, struct address_space *mapping,
61438 + int (* const write_end)(struct file *, struct address_space *mapping,
61439 loff_t pos, unsigned len, unsigned copied,
61440 struct page *page, void *fsdata);
61441
61442 /* Unfortunately this kludge is needed for FIBMAP. Don't use it */
61443 - sector_t (*bmap)(struct address_space *, sector_t);
61444 - void (*invalidatepage) (struct page *, unsigned long);
61445 - int (*releasepage) (struct page *, gfp_t);
61446 - ssize_t (*direct_IO)(int, struct kiocb *, const struct iovec *iov,
61447 + sector_t (* const bmap)(struct address_space *, sector_t);
61448 + void (* const invalidatepage) (struct page *, unsigned long);
61449 + int (* const releasepage) (struct page *, gfp_t);
61450 + ssize_t (* const direct_IO)(int, struct kiocb *, const struct iovec *iov,
61451 loff_t offset, unsigned long nr_segs);
61452 - int (*get_xip_mem)(struct address_space *, pgoff_t, int,
61453 + int (* const get_xip_mem)(struct address_space *, pgoff_t, int,
61454 void **, unsigned long *);
61455 /* migrate the contents of a page to the specified target */
61456 - int (*migratepage) (struct address_space *,
61457 + int (* const migratepage) (struct address_space *,
61458 struct page *, struct page *);
61459 - int (*launder_page) (struct page *);
61460 - int (*is_partially_uptodate) (struct page *, read_descriptor_t *,
61461 + int (* const launder_page) (struct page *);
61462 + int (* const is_partially_uptodate) (struct page *, read_descriptor_t *,
61463 unsigned long);
61464 - int (*error_remove_page)(struct address_space *, struct page *);
61465 + int (* const error_remove_page)(struct address_space *, struct page *);
61466 };
61467
61468 /*
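Review bot: This file now protects its ops tables in two different ways. `address_space_operations` here, and `file_lock_operations`, `lock_manager_operations` and `super_operations` in later hunks, mark every member `(* const name)`, while `file_operations` gets one `__do_const` attribute on the struct plus a `file_operations_no_const` typedef. With per-member `const`, an instance can only be filled in by an initializer, so code that builds one of these tables at runtime has no escape hatch comparable to the `_no_const` typedef. Either use one mechanism throughout, or add a comment on each struct such as `/* members are const: instances must be statically initialized */` so the restriction is visible at the declaration.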
61469 @@ -1031,19 +1036,19 @@ static inline int file_check_writeable(s
61470 typedef struct files_struct *fl_owner_t;
61471
61472 struct file_lock_operations {
61473 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
61474 - void (*fl_release_private)(struct file_lock *);
61475 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
61476 + void (* const fl_release_private)(struct file_lock *);
61477 };
61478
61479 struct lock_manager_operations {
61480 - int (*fl_compare_owner)(struct file_lock *, struct file_lock *);
61481 - void (*fl_notify)(struct file_lock *); /* unblock callback */
61482 - int (*fl_grant)(struct file_lock *, struct file_lock *, int);
61483 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
61484 - void (*fl_release_private)(struct file_lock *);
61485 - void (*fl_break)(struct file_lock *);
61486 - int (*fl_mylease)(struct file_lock *, struct file_lock *);
61487 - int (*fl_change)(struct file_lock **, int);
61488 + int (* const fl_compare_owner)(struct file_lock *, struct file_lock *);
61489 + void (* const fl_notify)(struct file_lock *); /* unblock callback */
61490 + int (* const fl_grant)(struct file_lock *, struct file_lock *, int);
61491 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
61492 + void (* const fl_release_private)(struct file_lock *);
61493 + void (* const fl_break)(struct file_lock *);
61494 + int (* const fl_mylease)(struct file_lock *, struct file_lock *);
61495 + int (* const fl_change)(struct file_lock **, int);
61496 };
61497
61498 struct lock_manager {
61499 @@ -1442,7 +1447,7 @@ struct fiemap_extent_info {
61500 unsigned int fi_flags; /* Flags as passed from user */
61501 unsigned int fi_extents_mapped; /* Number of mapped extents */
61502 unsigned int fi_extents_max; /* Size of fiemap_extent array */
61503 - struct fiemap_extent *fi_extents_start; /* Start of fiemap_extent
61504 + struct fiemap_extent __user *fi_extents_start; /* Start of fiemap_extent
61505 * array */
61506 };
61507 int fiemap_fill_next_extent(struct fiemap_extent_info *info, u64 logical,
61508 @@ -1512,7 +1517,8 @@ struct file_operations {
61509 ssize_t (*splice_write)(struct pipe_inode_info *, struct file *, loff_t *, size_t, unsigned int);
61510 ssize_t (*splice_read)(struct file *, loff_t *, struct pipe_inode_info *, size_t, unsigned int);
61511 int (*setlease)(struct file *, long, struct file_lock **);
61512 -};
61513 +} __do_const;
61514 +typedef struct file_operations __no_const file_operations_no_const;
61515
61516 struct inode_operations {
61517 int (*create) (struct inode *,struct dentry *,int, struct nameidata *);
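Review bot: `__do_const` and the new `file_operations_no_const` typedef are introduced without any comment on when the non-const variant may be used. Because the typedef is the opt-out from the read-only protection, it deserves a line such as `/* only for file_operations instances that must be filled in at runtime; all others stay const */`, assuming that is the intended rule. The definitions of `__do_const` and `__no_const` and the start of `struct file_operations` are outside this hunk.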
61518 @@ -1559,30 +1565,30 @@ extern ssize_t vfs_writev(struct file *,
61519 unsigned long, loff_t *);
61520
61521 struct super_operations {
61522 - struct inode *(*alloc_inode)(struct super_block *sb);
61523 - void (*destroy_inode)(struct inode *);
61524 + struct inode *(* const alloc_inode)(struct super_block *sb);
61525 + void (* const destroy_inode)(struct inode *);
61526
61527 - void (*dirty_inode) (struct inode *);
61528 - int (*write_inode) (struct inode *, int);
61529 - void (*drop_inode) (struct inode *);
61530 - void (*delete_inode) (struct inode *);
61531 - void (*put_super) (struct super_block *);
61532 - void (*write_super) (struct super_block *);
61533 - int (*sync_fs)(struct super_block *sb, int wait);
61534 - int (*freeze_fs) (struct super_block *);
61535 - int (*unfreeze_fs) (struct super_block *);
61536 - int (*statfs) (struct dentry *, struct kstatfs *);
61537 - int (*remount_fs) (struct super_block *, int *, char *);
61538 - void (*clear_inode) (struct inode *);
61539 - void (*umount_begin) (struct super_block *);
61540 + void (* const dirty_inode) (struct inode *);
61541 + int (* const write_inode) (struct inode *, int);
61542 + void (* const drop_inode) (struct inode *);
61543 + void (* const delete_inode) (struct inode *);
61544 + void (* const put_super) (struct super_block *);
61545 + void (* const write_super) (struct super_block *);
61546 + int (* const sync_fs)(struct super_block *sb, int wait);
61547 + int (* const freeze_fs) (struct super_block *);
61548 + int (* const unfreeze_fs) (struct super_block *);
61549 + int (* const statfs) (struct dentry *, struct kstatfs *);
61550 + int (* const remount_fs) (struct super_block *, int *, char *);
61551 + void (* const clear_inode) (struct inode *);
61552 + void (* const umount_begin) (struct super_block *);
61553
61554 - int (*show_options)(struct seq_file *, struct vfsmount *);
61555 - int (*show_stats)(struct seq_file *, struct vfsmount *);
61556 + int (* const show_options)(struct seq_file *, struct vfsmount *);
61557 + int (* const show_stats)(struct seq_file *, struct vfsmount *);
61558 #ifdef CONFIG_QUOTA
61559 - ssize_t (*quota_read)(struct super_block *, int, char *, size_t, loff_t);
61560 - ssize_t (*quota_write)(struct super_block *, int, const char *, size_t, loff_t);
61561 + ssize_t (* const quota_read)(struct super_block *, int, char *, size_t, loff_t);
61562 + ssize_t (* const quota_write)(struct super_block *, int, const char *, size_t, loff_t);
61563 #endif
61564 - int (*bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
61565 + int (* const bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
61566 };
61567
61568 /*
61569 diff -urNp linux-2.6.32.46/include/linux/fs_struct.h linux-2.6.32.46/include/linux/fs_struct.h
61570 --- linux-2.6.32.46/include/linux/fs_struct.h 2011-03-27 14:31:47.000000000 -0400
61571 +++ linux-2.6.32.46/include/linux/fs_struct.h 2011-04-17 15:56:46.000000000 -0400
61572 @@ -4,7 +4,7 @@
61573 #include <linux/path.h>
61574
61575 struct fs_struct {
61576 - int users;
61577 + atomic_t users;
61578 rwlock_t lock;
61579 int umask;
61580 int in_exec;
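Review bot: `users` becomes an `atomic_t` but still sits directly above `lock`, and the hunk leaves no comment saying whether the count may now be changed without holding that lock. The type change forces every access through the `atomic_*` accessors, yet a check-then-act sequence (testing the count and then deciding to share or free the struct) still needs the lock to be race-free. A field comment such as `/* reference count; decisions based on its value are still made under lock */` would record the rule, if that is the intended one. The rest of `struct fs_struct` is outside the hunk.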
61581 diff -urNp linux-2.6.32.46/include/linux/ftrace_event.h linux-2.6.32.46/include/linux/ftrace_event.h
61582 --- linux-2.6.32.46/include/linux/ftrace_event.h 2011-03-27 14:31:47.000000000 -0400
61583 +++ linux-2.6.32.46/include/linux/ftrace_event.h 2011-05-04 17:56:28.000000000 -0400
61584 @@ -163,7 +163,7 @@ extern int trace_define_field(struct ftr
61585 int filter_type);
61586 extern int trace_define_common_fields(struct ftrace_event_call *call);
61587
61588 -#define is_signed_type(type) (((type)(-1)) < 0)
61589 +#define is_signed_type(type) (((type)(-1)) < (type)1)
61590
61591 int trace_set_clr_event(const char *system, const char *event, int set);
61592
61593 diff -urNp linux-2.6.32.46/include/linux/genhd.h linux-2.6.32.46/include/linux/genhd.h
61594 --- linux-2.6.32.46/include/linux/genhd.h 2011-03-27 14:31:47.000000000 -0400
61595 +++ linux-2.6.32.46/include/linux/genhd.h 2011-04-17 15:56:46.000000000 -0400
61596 @@ -161,7 +161,7 @@ struct gendisk {
61597
61598 struct timer_rand_state *random;
61599
61600 - atomic_t sync_io; /* RAID */
61601 + atomic_unchecked_t sync_io; /* RAID */
61602 struct work_struct async_notify;
61603 #ifdef CONFIG_BLK_DEV_INTEGRITY
61604 struct blk_integrity *integrity;
61605 diff -urNp linux-2.6.32.46/include/linux/gracl.h linux-2.6.32.46/include/linux/gracl.h
61606 --- linux-2.6.32.46/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
61607 +++ linux-2.6.32.46/include/linux/gracl.h 2011-04-17 15:56:46.000000000 -0400
61608 @@ -0,0 +1,317 @@
61609 +#ifndef GR_ACL_H
61610 +#define GR_ACL_H
61611 +
61612 +#include <linux/grdefs.h>
61613 +#include <linux/resource.h>
61614 +#include <linux/capability.h>
61615 +#include <linux/dcache.h>
61616 +#include <asm/resource.h>
61617 +
61618 +/* Major status information */
61619 +
61620 +#define GR_VERSION "grsecurity 2.2.2"
61621 +#define GRSECURITY_VERSION 0x2202
61622 +
61623 +enum {
61624 + GR_SHUTDOWN = 0,
61625 + GR_ENABLE = 1,
61626 + GR_SPROLE = 2,
61627 + GR_RELOAD = 3,
61628 + GR_SEGVMOD = 4,
61629 + GR_STATUS = 5,
61630 + GR_UNSPROLE = 6,
61631 + GR_PASSSET = 7,
61632 + GR_SPROLEPAM = 8,
61633 +};
61634 +
61635 +/* Password setup definitions
61636 + * kernel/grhash.c */
61637 +enum {
61638 + GR_PW_LEN = 128,
61639 + GR_SALT_LEN = 16,
61640 + GR_SHA_LEN = 32,
61641 +};
61642 +
61643 +enum {
61644 + GR_SPROLE_LEN = 64,
61645 +};
61646 +
61647 +enum {
61648 + GR_NO_GLOB = 0,
61649 + GR_REG_GLOB,
61650 + GR_CREATE_GLOB
61651 +};
61652 +
61653 +#define GR_NLIMITS 32
61654 +
61655 +/* Begin Data Structures */
61656 +
61657 +struct sprole_pw {
61658 + unsigned char *rolename;
61659 + unsigned char salt[GR_SALT_LEN];
61660 + unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
61661 +};
61662 +
61663 +struct name_entry {
61664 + __u32 key;
61665 + ino_t inode;
61666 + dev_t device;
61667 + char *name;
61668 + __u16 len;
61669 + __u8 deleted;
61670 + struct name_entry *prev;
61671 + struct name_entry *next;
61672 +};
61673 +
61674 +struct inodev_entry {
61675 + struct name_entry *nentry;
61676 + struct inodev_entry *prev;
61677 + struct inodev_entry *next;
61678 +};
61679 +
61680 +struct acl_role_db {
61681 + struct acl_role_label **r_hash;
61682 + __u32 r_size;
61683 +};
61684 +
61685 +struct inodev_db {
61686 + struct inodev_entry **i_hash;
61687 + __u32 i_size;
61688 +};
61689 +
61690 +struct name_db {
61691 + struct name_entry **n_hash;
61692 + __u32 n_size;
61693 +};
61694 +
61695 +struct crash_uid {
61696 + uid_t uid;
61697 + unsigned long expires;
61698 +};
61699 +
61700 +struct gr_hash_struct {
61701 + void **table;
61702 + void **nametable;
61703 + void *first;
61704 + __u32 table_size;
61705 + __u32 used_size;
61706 + int type;
61707 +};
61708 +
61709 +/* Userspace Grsecurity ACL data structures */
61710 +
61711 +struct acl_subject_label {
61712 + char *filename;
61713 + ino_t inode;
61714 + dev_t device;
61715 + __u32 mode;
61716 + kernel_cap_t cap_mask;
61717 + kernel_cap_t cap_lower;
61718 + kernel_cap_t cap_invert_audit;
61719 +
61720 + struct rlimit res[GR_NLIMITS];
61721 + __u32 resmask;
61722 +
61723 + __u8 user_trans_type;
61724 + __u8 group_trans_type;
61725 + uid_t *user_transitions;
61726 + gid_t *group_transitions;
61727 + __u16 user_trans_num;
61728 + __u16 group_trans_num;
61729 +
61730 + __u32 sock_families[2];
61731 + __u32 ip_proto[8];
61732 + __u32 ip_type;
61733 + struct acl_ip_label **ips;
61734 + __u32 ip_num;
61735 + __u32 inaddr_any_override;
61736 +
61737 + __u32 crashes;
61738 + unsigned long expires;
61739 +
61740 + struct acl_subject_label *parent_subject;
61741 + struct gr_hash_struct *hash;
61742 + struct acl_subject_label *prev;
61743 + struct acl_subject_label *next;
61744 +
61745 + struct acl_object_label **obj_hash;
61746 + __u32 obj_hash_size;
61747 + __u16 pax_flags;
61748 +};
61749 +
61750 +struct role_allowed_ip {
61751 + __u32 addr;
61752 + __u32 netmask;
61753 +
61754 + struct role_allowed_ip *prev;
61755 + struct role_allowed_ip *next;
61756 +};
61757 +
61758 +struct role_transition {
61759 + char *rolename;
61760 +
61761 + struct role_transition *prev;
61762 + struct role_transition *next;
61763 +};
61764 +
61765 +struct acl_role_label {
61766 + char *rolename;
61767 + uid_t uidgid;
61768 + __u16 roletype;
61769 +
61770 + __u16 auth_attempts;
61771 + unsigned long expires;
61772 +
61773 + struct acl_subject_label *root_label;
61774 + struct gr_hash_struct *hash;
61775 +
61776 + struct acl_role_label *prev;
61777 + struct acl_role_label *next;
61778 +
61779 + struct role_transition *transitions;
61780 + struct role_allowed_ip *allowed_ips;
61781 + uid_t *domain_children;
61782 + __u16 domain_child_num;
61783 +
61784 + struct acl_subject_label **subj_hash;
61785 + __u32 subj_hash_size;
61786 +};
61787 +
61788 +struct user_acl_role_db {
61789 + struct acl_role_label **r_table;
61790 + __u32 num_pointers; /* Number of allocations to track */
61791 + __u32 num_roles; /* Number of roles */
61792 + __u32 num_domain_children; /* Number of domain children */
61793 + __u32 num_subjects; /* Number of subjects */
61794 + __u32 num_objects; /* Number of objects */
61795 +};
61796 +
61797 +struct acl_object_label {
61798 + char *filename;
61799 + ino_t inode;
61800 + dev_t device;
61801 + __u32 mode;
61802 +
61803 + struct acl_subject_label *nested;
61804 + struct acl_object_label *globbed;
61805 +
61806 + /* next two structures not used */
61807 +
61808 + struct acl_object_label *prev;
61809 + struct acl_object_label *next;
61810 +};
61811 +
61812 +struct acl_ip_label {
61813 + char *iface;
61814 + __u32 addr;
61815 + __u32 netmask;
61816 + __u16 low, high;
61817 + __u8 mode;
61818 + __u32 type;
61819 + __u32 proto[8];
61820 +
61821 + /* next two structures not used */
61822 +
61823 + struct acl_ip_label *prev;
61824 + struct acl_ip_label *next;
61825 +};
61826 +
61827 +struct gr_arg {
61828 + struct user_acl_role_db role_db;
61829 + unsigned char pw[GR_PW_LEN];
61830 + unsigned char salt[GR_SALT_LEN];
61831 + unsigned char sum[GR_SHA_LEN];
61832 + unsigned char sp_role[GR_SPROLE_LEN];
61833 + struct sprole_pw *sprole_pws;
61834 + dev_t segv_device;
61835 + ino_t segv_inode;
61836 + uid_t segv_uid;
61837 + __u16 num_sprole_pws;
61838 + __u16 mode;
61839 +};
61840 +
61841 +struct gr_arg_wrapper {
61842 + struct gr_arg *arg;
61843 + __u32 version;
61844 + __u32 size;
61845 +};
61846 +
61847 +struct subject_map {
61848 + struct acl_subject_label *user;
61849 + struct acl_subject_label *kernel;
61850 + struct subject_map *prev;
61851 + struct subject_map *next;
61852 +};
61853 +
61854 +struct acl_subj_map_db {
61855 + struct subject_map **s_hash;
61856 + __u32 s_size;
61857 +};
61858 +
61859 +/* End Data Structures Section */
61860 +
61861 +/* Hash functions generated by empirical testing by Brad Spengler
61862 + Makes good use of the low bits of the inode. Generally 0-1 times
61863 + in loop for successful match. 0-3 for unsuccessful match.
61864 + Shift/add algorithm with modulus of table size and an XOR*/
61865 +
61866 +static __inline__ unsigned int
61867 +rhash(const uid_t uid, const __u16 type, const unsigned int sz)
61868 +{
61869 + return ((((uid + type) << (16 + type)) ^ uid) % sz);
61870 +}
61871 +
61872 + static __inline__ unsigned int
61873 +shash(const struct acl_subject_label *userp, const unsigned int sz)
61874 +{
61875 + return ((const unsigned long)userp % sz);
61876 +}
61877 +
61878 +static __inline__ unsigned int
61879 +fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
61880 +{
61881 + return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
61882 +}
61883 +
61884 +static __inline__ unsigned int
61885 +nhash(const char *name, const __u16 len, const unsigned int sz)
61886 +{
61887 + return full_name_hash((const unsigned char *)name, len) % sz;
61888 +}
61889 +
61890 +#define FOR_EACH_ROLE_START(role) \
61891 + role = role_list; \
61892 + while (role) {
61893 +
61894 +#define FOR_EACH_ROLE_END(role) \
61895 + role = role->prev; \
61896 + }
61897 +
61898 +#define FOR_EACH_SUBJECT_START(role,subj,iter) \
61899 + subj = NULL; \
61900 + iter = 0; \
61901 + while (iter < role->subj_hash_size) { \
61902 + if (subj == NULL) \
61903 + subj = role->subj_hash[iter]; \
61904 + if (subj == NULL) { \
61905 + iter++; \
61906 + continue; \
61907 + }
61908 +
61909 +#define FOR_EACH_SUBJECT_END(subj,iter) \
61910 + subj = subj->next; \
61911 + if (subj == NULL) \
61912 + iter++; \
61913 + }
61914 +
61915 +
61916 +#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
61917 + subj = role->hash->first; \
61918 + while (subj != NULL) {
61919 +
61920 +#define FOR_EACH_NESTED_SUBJECT_END(subj) \
61921 + subj = subj->next; \
61922 + }
61923 +
61924 +#endif
61925 +
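Review bot: `rhash()` shifts by `16 + type` where `type` is a `__u16`, so any `type` of 16 or more makes the shift count reach the width of a 32-bit operand, which is undefined behaviour. The role flags defined in grdefs.h elsewhere in this patch go up to 0x0800, so this is only safe if callers mask `roletype` down to the low bits first, and the callers are not in this hunk. All four helpers (`rhash`, `shash`, `fhash`, `nhash`) also compute `% sz` with no guard against a zero table size. At minimum state the preconditions above the helpers, e.g. `/* type: user/group role bits only (value < 16); sz: non-zero table size */`, or mask inside the function. The `static __inline__` line of `shash()` also carries a stray leading space.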
61926 diff -urNp linux-2.6.32.46/include/linux/gralloc.h linux-2.6.32.46/include/linux/gralloc.h
61927 --- linux-2.6.32.46/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
61928 +++ linux-2.6.32.46/include/linux/gralloc.h 2011-04-17 15:56:46.000000000 -0400
61929 @@ -0,0 +1,9 @@
61930 +#ifndef __GRALLOC_H
61931 +#define __GRALLOC_H
61932 +
61933 +void acl_free_all(void);
61934 +int acl_alloc_stack_init(unsigned long size);
61935 +void *acl_alloc(unsigned long len);
61936 +void *acl_alloc_num(unsigned long num, unsigned long len);
61937 +
61938 +#endif
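Review bot: The four prototypes carry no contract. The header does not say whether `acl_alloc()` and `acl_alloc_num()` return NULL on failure, whether the memory is released only through `acl_free_all()`, or whether `acl_alloc_num()` rejects a `num * len` product that overflows `unsigned long`. If these allocators are sized from counts in the policy structures declared in gracl.h, which presumably originate in userspace, the overflow behaviour is what a caller most needs to know. A short comment per prototype would do, for example `/* returns NULL on failure or if num * len overflows; freed only by acl_free_all() */` once confirmed against the implementation.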
61939 diff -urNp linux-2.6.32.46/include/linux/grdefs.h linux-2.6.32.46/include/linux/grdefs.h
61940 --- linux-2.6.32.46/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
61941 +++ linux-2.6.32.46/include/linux/grdefs.h 2011-06-11 16:20:26.000000000 -0400
61942 @@ -0,0 +1,140 @@
61943 +#ifndef GRDEFS_H
61944 +#define GRDEFS_H
61945 +
61946 +/* Begin grsecurity status declarations */
61947 +
61948 +enum {
61949 + GR_READY = 0x01,
61950 + GR_STATUS_INIT = 0x00 // disabled state
61951 +};
61952 +
61953 +/* Begin ACL declarations */
61954 +
61955 +/* Role flags */
61956 +
61957 +enum {
61958 + GR_ROLE_USER = 0x0001,
61959 + GR_ROLE_GROUP = 0x0002,
61960 + GR_ROLE_DEFAULT = 0x0004,
61961 + GR_ROLE_SPECIAL = 0x0008,
61962 + GR_ROLE_AUTH = 0x0010,
61963 + GR_ROLE_NOPW = 0x0020,
61964 + GR_ROLE_GOD = 0x0040,
61965 + GR_ROLE_LEARN = 0x0080,
61966 + GR_ROLE_TPE = 0x0100,
61967 + GR_ROLE_DOMAIN = 0x0200,
61968 + GR_ROLE_PAM = 0x0400,
61969 + GR_ROLE_PERSIST = 0x800
61970 +};
61971 +
61972 +/* ACL Subject and Object mode flags */
61973 +enum {
61974 + GR_DELETED = 0x80000000
61975 +};
61976 +
61977 +/* ACL Object-only mode flags */
61978 +enum {
61979 + GR_READ = 0x00000001,
61980 + GR_APPEND = 0x00000002,
61981 + GR_WRITE = 0x00000004,
61982 + GR_EXEC = 0x00000008,
61983 + GR_FIND = 0x00000010,
61984 + GR_INHERIT = 0x00000020,
61985 + GR_SETID = 0x00000040,
61986 + GR_CREATE = 0x00000080,
61987 + GR_DELETE = 0x00000100,
61988 + GR_LINK = 0x00000200,
61989 + GR_AUDIT_READ = 0x00000400,
61990 + GR_AUDIT_APPEND = 0x00000800,
61991 + GR_AUDIT_WRITE = 0x00001000,
61992 + GR_AUDIT_EXEC = 0x00002000,
61993 + GR_AUDIT_FIND = 0x00004000,
61994 + GR_AUDIT_INHERIT= 0x00008000,
61995 + GR_AUDIT_SETID = 0x00010000,
61996 + GR_AUDIT_CREATE = 0x00020000,
61997 + GR_AUDIT_DELETE = 0x00040000,
61998 + GR_AUDIT_LINK = 0x00080000,
61999 + GR_PTRACERD = 0x00100000,
62000 + GR_NOPTRACE = 0x00200000,
62001 + GR_SUPPRESS = 0x00400000,
62002 + GR_NOLEARN = 0x00800000,
62003 + GR_INIT_TRANSFER= 0x01000000
62004 +};
62005 +
62006 +#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
62007 + GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
62008 + GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
62009 +
62010 +/* ACL subject-only mode flags */
62011 +enum {
62012 + GR_KILL = 0x00000001,
62013 + GR_VIEW = 0x00000002,
62014 + GR_PROTECTED = 0x00000004,
62015 + GR_LEARN = 0x00000008,
62016 + GR_OVERRIDE = 0x00000010,
62017 + /* just a placeholder, this mode is only used in userspace */
62018 + GR_DUMMY = 0x00000020,
62019 + GR_PROTSHM = 0x00000040,
62020 + GR_KILLPROC = 0x00000080,
62021 + GR_KILLIPPROC = 0x00000100,
62022 + /* just a placeholder, this mode is only used in userspace */
62023 + GR_NOTROJAN = 0x00000200,
62024 + GR_PROTPROCFD = 0x00000400,
62025 + GR_PROCACCT = 0x00000800,
62026 + GR_RELAXPTRACE = 0x00001000,
62027 + GR_NESTED = 0x00002000,
62028 + GR_INHERITLEARN = 0x00004000,
62029 + GR_PROCFIND = 0x00008000,
62030 + GR_POVERRIDE = 0x00010000,
62031 + GR_KERNELAUTH = 0x00020000,
62032 + GR_ATSECURE = 0x00040000,
62033 + GR_SHMEXEC = 0x00080000
62034 +};
62035 +
62036 +enum {
62037 + GR_PAX_ENABLE_SEGMEXEC = 0x0001,
62038 + GR_PAX_ENABLE_PAGEEXEC = 0x0002,
62039 + GR_PAX_ENABLE_MPROTECT = 0x0004,
62040 + GR_PAX_ENABLE_RANDMMAP = 0x0008,
62041 + GR_PAX_ENABLE_EMUTRAMP = 0x0010,
62042 + GR_PAX_DISABLE_SEGMEXEC = 0x0100,
62043 + GR_PAX_DISABLE_PAGEEXEC = 0x0200,
62044 + GR_PAX_DISABLE_MPROTECT = 0x0400,
62045 + GR_PAX_DISABLE_RANDMMAP = 0x0800,
62046 + GR_PAX_DISABLE_EMUTRAMP = 0x1000,
62047 +};
62048 +
62049 +enum {
62050 + GR_ID_USER = 0x01,
62051 + GR_ID_GROUP = 0x02,
62052 +};
62053 +
62054 +enum {
62055 + GR_ID_ALLOW = 0x01,
62056 + GR_ID_DENY = 0x02,
62057 +};
62058 +
62059 +#define GR_CRASH_RES 31
62060 +#define GR_UIDTABLE_MAX 500
62061 +
62062 +/* begin resource learning section */
62063 +enum {
62064 + GR_RLIM_CPU_BUMP = 60,
62065 + GR_RLIM_FSIZE_BUMP = 50000,
62066 + GR_RLIM_DATA_BUMP = 10000,
62067 + GR_RLIM_STACK_BUMP = 1000,
62068 + GR_RLIM_CORE_BUMP = 10000,
62069 + GR_RLIM_RSS_BUMP = 500000,
62070 + GR_RLIM_NPROC_BUMP = 1,
62071 + GR_RLIM_NOFILE_BUMP = 5,
62072 + GR_RLIM_MEMLOCK_BUMP = 50000,
62073 + GR_RLIM_AS_BUMP = 500000,
62074 + GR_RLIM_LOCKS_BUMP = 2,
62075 + GR_RLIM_SIGPENDING_BUMP = 5,
62076 + GR_RLIM_MSGQUEUE_BUMP = 10000,
62077 + GR_RLIM_NICE_BUMP = 1,
62078 + GR_RLIM_RTPRIO_BUMP = 1,
62079 + GR_RLIM_RTTIME_BUMP = 1000000
62080 +};
62081 +
62082 +#endif
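Review bot: `GR_DELETED = 0x80000000` does not fit in `int`, and ISO C requires enumeration constants to be representable as `int`, so this line relies on a compiler extension. It also gives the constant a different type from every other flag in the file. As it is presumably combined with the `__u32 mode` fields declared in gracl.h, a macro is the safer form: `#define GR_DELETED 0x80000000U`. Two smaller style points: `GR_ROLE_PERSIST = 0x800` uses three hex digits where its neighbours use four, and `GR_STATUS_INIT` carries a `//` comment in a header that otherwise uses `/* */`.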
62083 diff -urNp linux-2.6.32.46/include/linux/grinternal.h linux-2.6.32.46/include/linux/grinternal.h
62084 --- linux-2.6.32.46/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
62085 +++ linux-2.6.32.46/include/linux/grinternal.h 2011-08-11 19:58:37.000000000 -0400
62086 @@ -0,0 +1,217 @@
62087 +#ifndef __GRINTERNAL_H
62088 +#define __GRINTERNAL_H
62089 +
62090 +#ifdef CONFIG_GRKERNSEC
62091 +
62092 +#include <linux/fs.h>
62093 +#include <linux/mnt_namespace.h>
62094 +#include <linux/nsproxy.h>
62095 +#include <linux/gracl.h>
62096 +#include <linux/grdefs.h>
62097 +#include <linux/grmsg.h>
62098 +
62099 +void gr_add_learn_entry(const char *fmt, ...)
62100 + __attribute__ ((format (printf, 1, 2)));
62101 +__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
62102 + const struct vfsmount *mnt);
62103 +__u32 gr_check_create(const struct dentry *new_dentry,
62104 + const struct dentry *parent,
62105 + const struct vfsmount *mnt, const __u32 mode);
62106 +int gr_check_protected_task(const struct task_struct *task);
62107 +__u32 to_gr_audit(const __u32 reqmode);
62108 +int gr_set_acls(const int type);
62109 +int gr_apply_subject_to_task(struct task_struct *task);
62110 +int gr_acl_is_enabled(void);
62111 +char gr_roletype_to_char(void);
62112 +
62113 +void gr_handle_alertkill(struct task_struct *task);
62114 +char *gr_to_filename(const struct dentry *dentry,
62115 + const struct vfsmount *mnt);
62116 +char *gr_to_filename1(const struct dentry *dentry,
62117 + const struct vfsmount *mnt);
62118 +char *gr_to_filename2(const struct dentry *dentry,
62119 + const struct vfsmount *mnt);
62120 +char *gr_to_filename3(const struct dentry *dentry,
62121 + const struct vfsmount *mnt);
62122 +
62123 +extern int grsec_enable_harden_ptrace;
62124 +extern int grsec_enable_link;
62125 +extern int grsec_enable_fifo;
62126 +extern int grsec_enable_shm;
62127 +extern int grsec_enable_execlog;
62128 +extern int grsec_enable_signal;
62129 +extern int grsec_enable_audit_ptrace;
62130 +extern int grsec_enable_forkfail;
62131 +extern int grsec_enable_time;
62132 +extern int grsec_enable_rofs;
62133 +extern int grsec_enable_chroot_shmat;
62134 +extern int grsec_enable_chroot_mount;
62135 +extern int grsec_enable_chroot_double;
62136 +extern int grsec_enable_chroot_pivot;
62137 +extern int grsec_enable_chroot_chdir;
62138 +extern int grsec_enable_chroot_chmod;
62139 +extern int grsec_enable_chroot_mknod;
62140 +extern int grsec_enable_chroot_fchdir;
62141 +extern int grsec_enable_chroot_nice;
62142 +extern int grsec_enable_chroot_execlog;
62143 +extern int grsec_enable_chroot_caps;
62144 +extern int grsec_enable_chroot_sysctl;
62145 +extern int grsec_enable_chroot_unix;
62146 +extern int grsec_enable_tpe;
62147 +extern int grsec_tpe_gid;
62148 +extern int grsec_enable_tpe_all;
62149 +extern int grsec_enable_tpe_invert;
62150 +extern int grsec_enable_socket_all;
62151 +extern int grsec_socket_all_gid;
62152 +extern int grsec_enable_socket_client;
62153 +extern int grsec_socket_client_gid;
62154 +extern int grsec_enable_socket_server;
62155 +extern int grsec_socket_server_gid;
62156 +extern int grsec_audit_gid;
62157 +extern int grsec_enable_group;
62158 +extern int grsec_enable_audit_textrel;
62159 +extern int grsec_enable_log_rwxmaps;
62160 +extern int grsec_enable_mount;
62161 +extern int grsec_enable_chdir;
62162 +extern int grsec_resource_logging;
62163 +extern int grsec_enable_blackhole;
62164 +extern int grsec_lastack_retries;
62165 +extern int grsec_enable_brute;
62166 +extern int grsec_lock;
62167 +
62168 +extern spinlock_t grsec_alert_lock;
62169 +extern unsigned long grsec_alert_wtime;
62170 +extern unsigned long grsec_alert_fyet;
62171 +
62172 +extern spinlock_t grsec_audit_lock;
62173 +
62174 +extern rwlock_t grsec_exec_file_lock;
62175 +
62176 +#define gr_task_fullpath(tsk) ((tsk)->exec_file ? \
62177 + gr_to_filename2((tsk)->exec_file->f_path.dentry, \
62178 + (tsk)->exec_file->f_vfsmnt) : "/")
62179 +
62180 +#define gr_parent_task_fullpath(tsk) ((tsk)->real_parent->exec_file ? \
62181 + gr_to_filename3((tsk)->real_parent->exec_file->f_path.dentry, \
62182 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
62183 +
62184 +#define gr_task_fullpath0(tsk) ((tsk)->exec_file ? \
62185 + gr_to_filename((tsk)->exec_file->f_path.dentry, \
62186 + (tsk)->exec_file->f_vfsmnt) : "/")
62187 +
62188 +#define gr_parent_task_fullpath0(tsk) ((tsk)->real_parent->exec_file ? \
62189 + gr_to_filename1((tsk)->real_parent->exec_file->f_path.dentry, \
62190 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
62191 +
62192 +#define proc_is_chrooted(tsk_a) ((tsk_a)->gr_is_chrooted)
62193 +
62194 +#define have_same_root(tsk_a,tsk_b) ((tsk_a)->gr_chroot_dentry == (tsk_b)->gr_chroot_dentry)
62195 +
62196 +#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), (task)->comm, \
62197 + (task)->pid, (cred)->uid, \
62198 + (cred)->euid, (cred)->gid, (cred)->egid, \
62199 + gr_parent_task_fullpath(task), \
62200 + (task)->real_parent->comm, (task)->real_parent->pid, \
62201 + (pcred)->uid, (pcred)->euid, \
62202 + (pcred)->gid, (pcred)->egid
62203 +
62204 +#define GR_CHROOT_CAPS {{ \
62205 + CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
62206 + CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
62207 + CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
62208 + CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
62209 + CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
62210 + CAP_TO_MASK(CAP_IPC_OWNER) , 0 }}
62211 +
62212 +#define security_learn(normal_msg,args...) \
62213 +({ \
62214 + read_lock(&grsec_exec_file_lock); \
62215 + gr_add_learn_entry(normal_msg "\n", ## args); \
62216 + read_unlock(&grsec_exec_file_lock); \
62217 +})
62218 +
62219 +enum {
62220 + GR_DO_AUDIT,
62221 + GR_DONT_AUDIT,
62222 + GR_DONT_AUDIT_GOOD
62223 +};
62224 +
62225 +enum {
62226 + GR_TTYSNIFF,
62227 + GR_RBAC,
62228 + GR_RBAC_STR,
62229 + GR_STR_RBAC,
62230 + GR_RBAC_MODE2,
62231 + GR_RBAC_MODE3,
62232 + GR_FILENAME,
62233 + GR_SYSCTL_HIDDEN,
62234 + GR_NOARGS,
62235 + GR_ONE_INT,
62236 + GR_ONE_INT_TWO_STR,
62237 + GR_ONE_STR,
62238 + GR_STR_INT,
62239 + GR_TWO_STR_INT,
62240 + GR_TWO_INT,
62241 + GR_TWO_U64,
62242 + GR_THREE_INT,
62243 + GR_FIVE_INT_TWO_STR,
62244 + GR_TWO_STR,
62245 + GR_THREE_STR,
62246 + GR_FOUR_STR,
62247 + GR_STR_FILENAME,
62248 + GR_FILENAME_STR,
62249 + GR_FILENAME_TWO_INT,
62250 + GR_FILENAME_TWO_INT_STR,
62251 + GR_TEXTREL,
62252 + GR_PTRACE,
62253 + GR_RESOURCE,
62254 + GR_CAP,
62255 + GR_SIG,
62256 + GR_SIG2,
62257 + GR_CRASH1,
62258 + GR_CRASH2,
62259 + GR_PSACCT,
62260 + GR_RWXMAP
62261 +};
62262 +
62263 +#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
62264 +#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
62265 +#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
62266 +#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
62267 +#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
62268 +#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
62269 +#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
62270 +#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
62271 +#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
62272 +#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
62273 +#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
62274 +#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
62275 +#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
62276 +#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
62277 +#define gr_log_two_u64(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_U64, num1, num2)
62278 +#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
62279 +#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
62280 +#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
62281 +#define gr_log_str2_int(audit, msg, str1, str2, num) gr_log_varargs(audit, msg, GR_TWO_STR_INT, str1, str2, num)
62282 +#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
62283 +#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
62284 +#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
62285 +#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
62286 +#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
62287 +#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
62288 +#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
62289 +#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
62290 +#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
62291 +#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
62292 +#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
62293 +#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
62294 +#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
62295 +#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
62296 +#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
62297 +#define gr_log_rwxmap(audit, msg, str) gr_log_varargs(audit, msg, GR_RWXMAP, str)
62298 +
62299 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
62300 +
62301 +#endif
62302 +
62303 +#endif
62304 diff -urNp linux-2.6.32.46/include/linux/grmsg.h linux-2.6.32.46/include/linux/grmsg.h
62305 --- linux-2.6.32.46/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
62306 +++ linux-2.6.32.46/include/linux/grmsg.h 2011-09-13 15:44:53.000000000 -0400
62307 @@ -0,0 +1,108 @@
62308 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
62309 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
62310 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
62311 +#define GR_STOPMOD_MSG "denied modification of module state by "
62312 +#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
62313 +#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
62314 +#define GR_IOPERM_MSG "denied use of ioperm() by "
62315 +#define GR_IOPL_MSG "denied use of iopl() by "
62316 +#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
62317 +#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
62318 +#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
62319 +#define GR_MEM_READWRITE_MSG "denied access of range %Lx -> %Lx in /dev/mem by "
62320 +#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
62321 +#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
62322 +#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
62323 +#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
62324 +#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
62325 +#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
62326 +#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
62327 +#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
62328 +#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
62329 +#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
62330 +#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
62331 +#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
62332 +#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
62333 +#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
62334 +#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
62335 +#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
62336 +#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
62337 +#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
62338 +#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
62339 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
62340 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
62341 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
62342 +#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
62343 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
62344 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
62345 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
62346 +#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
62347 +#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
62348 +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
62349 +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
62350 +#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
62351 +#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
62352 +#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
62353 +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
62354 +#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
62355 +#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
62356 +#define GR_SETXATTR_ACL_MSG "%s setting extended attributes of %.950s by "
62357 +#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
62358 +#define GR_INITF_ACL_MSG "init_variables() failed %s by "
62359 +#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
62360 +#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
62361 +#define GR_SHUTS_ACL_MSG "shutdown auth success for "
62362 +#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
62363 +#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
62364 +#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
62365 +#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
62366 +#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
62367 +#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
62368 +#define GR_ENABLEF_ACL_MSG "unable to load %s for "
62369 +#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
62370 +#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
62371 +#define GR_RELOADF_ACL_MSG "failed reload of %s for "
62372 +#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
62373 +#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
62374 +#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
62375 +#define GR_SPROLEF_ACL_MSG "special role %s failure for "
62376 +#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
62377 +#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
62378 +#define GR_INVMODE_ACL_MSG "invalid mode %d by "
62379 +#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
62380 +#define GR_FAILFORK_MSG "failed fork with errno %s by "
62381 +#define GR_NICE_CHROOT_MSG "denied priority change by "
62382 +#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
62383 +#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
62384 +#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
62385 +#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
62386 +#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
62387 +#define GR_TIME_MSG "time set by "
62388 +#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
62389 +#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
62390 +#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
62391 +#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
62392 +#define GR_SOCK_NOINET_MSG "denied socket(%.16s,%.16s,%d) by "
62393 +#define GR_BIND_MSG "denied bind() by "
62394 +#define GR_CONNECT_MSG "denied connect() by "
62395 +#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
62396 +#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
62397 +#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
62398 +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
62399 +#define GR_CAP_ACL_MSG "use of %s denied for "
62400 +#define GR_CAP_CHROOT_MSG "use of %s in chroot denied for "
62401 +#define GR_CAP_ACL_MSG2 "use of %s permitted for "
62402 +#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
62403 +#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
62404 +#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
62405 +#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
62406 +#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
62407 +#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
62408 +#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
62409 +#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
62410 +#define GR_RWXMMAP_MSG "denied RWX mmap of %.950s by "
62411 +#define GR_RWXMPROTECT_MSG "denied RWX mprotect of %.950s by "
62412 +#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
62413 +#define GR_VM86_MSG "denied use of vm86 by "
62414 +#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
62415 +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
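Review bot: `GR_TEXTREL_AUDIT_MSG` formats the file name with a bare `%s`, while the other file-name specifiers in this new header carry a precision (`%.950s`, `%.480s`, `%.256s`, `%.4095s`). A path is chosen by whoever created the file, so it should be bounded like its neighbours: `"text relocation in %.950s, VMA:0x%08lx 0x%08lx by "`. The log buffer and the formatting call are outside this hunk, so truncation may already be guaranteed elsewhere, but that cannot be confirmed from here. The header also has no include guard, and `GR_DEV_ACL_MSG` reads "being fed garbaged", presumably meant as "garbage"; anything that matches on the existing log text should be checked before rewording it.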
62416 diff -urNp linux-2.6.32.46/include/linux/grsecurity.h linux-2.6.32.46/include/linux/grsecurity.h
62417 --- linux-2.6.32.46/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
62418 +++ linux-2.6.32.46/include/linux/grsecurity.h 2011-09-13 16:03:42.000000000 -0400
62419 @@ -0,0 +1,216 @@
62420 +#ifndef GR_SECURITY_H
62421 +#define GR_SECURITY_H
62422 +#include <linux/fs.h>
62423 +#include <linux/fs_struct.h>
62424 +#include <linux/binfmts.h>
62425 +#include <linux/gracl.h>
62426 +#include <linux/compat.h>
62427 +
62428 +/* notify of brain-dead configs */
62429 +#if defined(CONFIG_GRKERNSEC_PROC_USER) && defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
62430 +#error "CONFIG_GRKERNSEC_PROC_USER and CONFIG_GRKERNSEC_PROC_USERGROUP cannot both be enabled."
62431 +#endif
62432 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
62433 +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
62434 +#endif
62435 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
62436 +#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
62437 +#endif
62438 +#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
62439 +#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
62440 +#endif
62441 +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
62442 +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
62443 +#endif
62444 +#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
62445 +#error "CONFIG_PAX enabled, but no PaX options are enabled."
62446 +#endif
62447 +
62448 +void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags);
62449 +void gr_handle_brute_check(void);
62450 +void gr_handle_kernel_exploit(void);
62451 +int gr_process_user_ban(void);
62452 +
62453 +char gr_roletype_to_char(void);
62454 +
62455 +int gr_acl_enable_at_secure(void);
62456 +
62457 +int gr_check_user_change(int real, int effective, int fs);
62458 +int gr_check_group_change(int real, int effective, int fs);
62459 +
62460 +void gr_del_task_from_ip_table(struct task_struct *p);
62461 +
62462 +int gr_pid_is_chrooted(struct task_struct *p);
62463 +int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type);
62464 +int gr_handle_chroot_nice(void);
62465 +int gr_handle_chroot_sysctl(const int op);
62466 +int gr_handle_chroot_setpriority(struct task_struct *p,
62467 + const int niceval);
62468 +int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
62469 +int gr_handle_chroot_chroot(const struct dentry *dentry,
62470 + const struct vfsmount *mnt);
62471 +void gr_handle_chroot_chdir(struct path *path);
62472 +int gr_handle_chroot_chmod(const struct dentry *dentry,
62473 + const struct vfsmount *mnt, const int mode);
62474 +int gr_handle_chroot_mknod(const struct dentry *dentry,
62475 + const struct vfsmount *mnt, const int mode);
62476 +int gr_handle_chroot_mount(const struct dentry *dentry,
62477 + const struct vfsmount *mnt,
62478 + const char *dev_name);
62479 +int gr_handle_chroot_pivot(void);
62480 +int gr_handle_chroot_unix(const pid_t pid);
62481 +
62482 +int gr_handle_rawio(const struct inode *inode);
62483 +
62484 +void gr_handle_ioperm(void);
62485 +void gr_handle_iopl(void);
62486 +
62487 +int gr_tpe_allow(const struct file *file);
62488 +
62489 +void gr_set_chroot_entries(struct task_struct *task, struct path *path);
62490 +void gr_clear_chroot_entries(struct task_struct *task);
62491 +
62492 +void gr_log_forkfail(const int retval);
62493 +void gr_log_timechange(void);
62494 +void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
62495 +void gr_log_chdir(const struct dentry *dentry,
62496 + const struct vfsmount *mnt);
62497 +void gr_log_chroot_exec(const struct dentry *dentry,
62498 + const struct vfsmount *mnt);
62499 +void gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv);
62500 +#ifdef CONFIG_COMPAT
62501 +void gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv);
62502 +#endif
62503 +void gr_log_remount(const char *devname, const int retval);
62504 +void gr_log_unmount(const char *devname, const int retval);
62505 +void gr_log_mount(const char *from, const char *to, const int retval);
62506 +void gr_log_textrel(struct vm_area_struct *vma);
62507 +void gr_log_rwxmmap(struct file *file);
62508 +void gr_log_rwxmprotect(struct file *file);
62509 +
62510 +int gr_handle_follow_link(const struct inode *parent,
62511 + const struct inode *inode,
62512 + const struct dentry *dentry,
62513 + const struct vfsmount *mnt);
62514 +int gr_handle_fifo(const struct dentry *dentry,
62515 + const struct vfsmount *mnt,
62516 + const struct dentry *dir, const int flag,
62517 + const int acc_mode);
62518 +int gr_handle_hardlink(const struct dentry *dentry,
62519 + const struct vfsmount *mnt,
62520 + struct inode *inode,
62521 + const int mode, const char *to);
62522 +
62523 +int gr_is_capable(const int cap);
62524 +int gr_is_capable_nolog(const int cap);
62525 +void gr_learn_resource(const struct task_struct *task, const int limit,
62526 + const unsigned long wanted, const int gt);
62527 +void gr_copy_label(struct task_struct *tsk);
62528 +void gr_handle_crash(struct task_struct *task, const int sig);
62529 +int gr_handle_signal(const struct task_struct *p, const int sig);
62530 +int gr_check_crash_uid(const uid_t uid);
62531 +int gr_check_protected_task(const struct task_struct *task);
62532 +int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type);
62533 +int gr_acl_handle_mmap(const struct file *file,
62534 + const unsigned long prot);
62535 +int gr_acl_handle_mprotect(const struct file *file,
62536 + const unsigned long prot);
62537 +int gr_check_hidden_task(const struct task_struct *tsk);
62538 +__u32 gr_acl_handle_truncate(const struct dentry *dentry,
62539 + const struct vfsmount *mnt);
62540 +__u32 gr_acl_handle_utime(const struct dentry *dentry,
62541 + const struct vfsmount *mnt);
62542 +__u32 gr_acl_handle_access(const struct dentry *dentry,
62543 + const struct vfsmount *mnt, const int fmode);
62544 +__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
62545 + const struct vfsmount *mnt, mode_t mode);
62546 +__u32 gr_acl_handle_chmod(const struct dentry *dentry,
62547 + const struct vfsmount *mnt, mode_t mode);
62548 +__u32 gr_acl_handle_chown(const struct dentry *dentry,
62549 + const struct vfsmount *mnt);
62550 +__u32 gr_acl_handle_setxattr(const struct dentry *dentry,
62551 + const struct vfsmount *mnt);
62552 +int gr_handle_ptrace(struct task_struct *task, const long request);
62553 +int gr_handle_proc_ptrace(struct task_struct *task);
62554 +__u32 gr_acl_handle_execve(const struct dentry *dentry,
62555 + const struct vfsmount *mnt);
62556 +int gr_check_crash_exec(const struct file *filp);
62557 +int gr_acl_is_enabled(void);
62558 +void gr_set_kernel_label(struct task_struct *task);
62559 +void gr_set_role_label(struct task_struct *task, const uid_t uid,
62560 + const gid_t gid);
62561 +int gr_set_proc_label(const struct dentry *dentry,
62562 + const struct vfsmount *mnt,
62563 + const int unsafe_share);
62564 +__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
62565 + const struct vfsmount *mnt);
62566 +__u32 gr_acl_handle_open(const struct dentry *dentry,
62567 + const struct vfsmount *mnt, const int fmode);
62568 +__u32 gr_acl_handle_creat(const struct dentry *dentry,
62569 + const struct dentry *p_dentry,
62570 + const struct vfsmount *p_mnt, const int fmode,
62571 + const int imode);
62572 +void gr_handle_create(const struct dentry *dentry,
62573 + const struct vfsmount *mnt);
62574 +__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
62575 + const struct dentry *parent_dentry,
62576 + const struct vfsmount *parent_mnt,
62577 + const int mode);
62578 +__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
62579 + const struct dentry *parent_dentry,
62580 + const struct vfsmount *parent_mnt);
62581 +__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
62582 + const struct vfsmount *mnt);
62583 +void gr_handle_delete(const ino_t ino, const dev_t dev);
62584 +__u32 gr_acl_handle_unlink(const struct dentry *dentry,
62585 + const struct vfsmount *mnt);
62586 +__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
62587 + const struct dentry *parent_dentry,
62588 + const struct vfsmount *parent_mnt,
62589 + const char *from);
62590 +__u32 gr_acl_handle_link(const struct dentry *new_dentry,
62591 + const struct dentry *parent_dentry,
62592 + const struct vfsmount *parent_mnt,
62593 + const struct dentry *old_dentry,
62594 + const struct vfsmount *old_mnt, const char *to);
62595 +int gr_acl_handle_rename(struct dentry *new_dentry,
62596 + struct dentry *parent_dentry,
62597 + const struct vfsmount *parent_mnt,
62598 + struct dentry *old_dentry,
62599 + struct inode *old_parent_inode,
62600 + struct vfsmount *old_mnt, const char *newname);
62601 +void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
62602 + struct dentry *old_dentry,
62603 + struct dentry *new_dentry,
62604 + struct vfsmount *mnt, const __u8 replace);
62605 +__u32 gr_check_link(const struct dentry *new_dentry,
62606 + const struct dentry *parent_dentry,
62607 + const struct vfsmount *parent_mnt,
62608 + const struct dentry *old_dentry,
62609 + const struct vfsmount *old_mnt);
62610 +int gr_acl_handle_filldir(const struct file *file, const char *name,
62611 + const unsigned int namelen, const ino_t ino);
62612 +
62613 +__u32 gr_acl_handle_unix(const struct dentry *dentry,
62614 + const struct vfsmount *mnt);
62615 +void gr_acl_handle_exit(void);
62616 +void gr_acl_handle_psacct(struct task_struct *task, const long code);
62617 +int gr_acl_handle_procpidmem(const struct task_struct *task);
62618 +int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
62619 +int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
62620 +void gr_audit_ptrace(struct task_struct *task);
62621 +dev_t gr_get_dev_from_dentry(struct dentry *dentry);
62622 +
62623 +#ifdef CONFIG_GRKERNSEC
62624 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p);
62625 +void gr_handle_vm86(void);
62626 +void gr_handle_mem_readwrite(u64 from, u64 to);
62627 +
62628 +extern int grsec_enable_dmesg;
62629 +extern int grsec_disable_privio;
62630 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
62631 +extern int grsec_enable_chroot_findtask;
62632 +#endif
62633 +#endif
62634 +
62635 +#endif
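Review bot: `gr_check_user_change(int real, int effective, int fs)` and `gr_check_group_change` take IDs as `int`, while `gr_check_crash_uid(const uid_t uid)` and `gr_set_role_label(..., const uid_t uid, const gid_t gid)` in the same header use `uid_t`/`gid_t`. If the definitions (outside this hunk) compare against a negative "unchanged" sentinel, an ID above INT_MAX would be indistinguishable from it. The signed type therefore deserves either a switch to `uid_t`/`gid_t` or a comment naming the sentinel. The header also states no return convention: the `gr_handle_*` functions return `int` and most `gr_acl_handle_*` functions return `__u32`, so a call site that reads the wrong polarity would fail open. A short comment above each group saying what zero and non-zero mean would close that gap.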
62636 diff -urNp linux-2.6.32.46/include/linux/hdpu_features.h linux-2.6.32.46/include/linux/hdpu_features.h
62637 --- linux-2.6.32.46/include/linux/hdpu_features.h 2011-03-27 14:31:47.000000000 -0400
62638 +++ linux-2.6.32.46/include/linux/hdpu_features.h 2011-04-17 15:56:46.000000000 -0400
62639 @@ -3,7 +3,7 @@
62640 struct cpustate_t {
62641 spinlock_t lock;
62642 int excl;
62643 - int open_count;
62644 + atomic_t open_count;
62645 unsigned char cached_val;
62646 int inited;
62647 unsigned long *set_addr;
62648 diff -urNp linux-2.6.32.46/include/linux/highmem.h linux-2.6.32.46/include/linux/highmem.h
62649 --- linux-2.6.32.46/include/linux/highmem.h 2011-03-27 14:31:47.000000000 -0400
62650 +++ linux-2.6.32.46/include/linux/highmem.h 2011-04-17 15:56:46.000000000 -0400
62651 @@ -137,6 +137,18 @@ static inline void clear_highpage(struct
62652 kunmap_atomic(kaddr, KM_USER0);
62653 }
62654
62655 +static inline void sanitize_highpage(struct page *page)
62656 +{
62657 + void *kaddr;
62658 + unsigned long flags;
62659 +
62660 + local_irq_save(flags);
62661 + kaddr = kmap_atomic(page, KM_CLEARPAGE);
62662 + clear_page(kaddr);
62663 + kunmap_atomic(kaddr, KM_CLEARPAGE);
62664 + local_irq_restore(flags);
62665 +}
62666 +
62667 static inline void zero_user_segments(struct page *page,
62668 unsigned start1, unsigned end1,
62669 unsigned start2, unsigned end2)
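Review bot: `sanitize_highpage()` has no comment explaining why it disables interrupts and maps with `KM_CLEARPAGE`, when `clear_highpage()` just above (its tail is in the context lines) uses `KM_USER0` and leaves interrupts alone. Presumably the function can run where an interrupt could otherwise reuse the same atomic kmap slot, and that reason should be written down, e.g. `/* IRQs stay off while the KM_CLEARPAGE slot is mapped so an interrupt cannot reuse it */`. The callers are outside this hunk, so the author should confirm the exact context requirement.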
62670 diff -urNp linux-2.6.32.46/include/linux/i2c.h linux-2.6.32.46/include/linux/i2c.h
62671 --- linux-2.6.32.46/include/linux/i2c.h 2011-03-27 14:31:47.000000000 -0400
62672 +++ linux-2.6.32.46/include/linux/i2c.h 2011-08-23 21:22:38.000000000 -0400
62673 @@ -325,6 +325,7 @@ struct i2c_algorithm {
62674 /* To determine what the adapter supports */
62675 u32 (*functionality) (struct i2c_adapter *);
62676 };
62677 +typedef struct i2c_algorithm __no_const i2c_algorithm_no_const;
62678
62679 /*
62680 * i2c_adapter is the structure used to identify a physical i2c bus along
62681 diff -urNp linux-2.6.32.46/include/linux/i2o.h linux-2.6.32.46/include/linux/i2o.h
62682 --- linux-2.6.32.46/include/linux/i2o.h 2011-03-27 14:31:47.000000000 -0400
62683 +++ linux-2.6.32.46/include/linux/i2o.h 2011-05-04 17:56:28.000000000 -0400
62684 @@ -564,7 +564,7 @@ struct i2o_controller {
62685 struct i2o_device *exec; /* Executive */
62686 #if BITS_PER_LONG == 64
62687 spinlock_t context_list_lock; /* lock for context_list */
62688 - atomic_t context_list_counter; /* needed for unique contexts */
62689 + atomic_unchecked_t context_list_counter; /* needed for unique contexts */
62690 struct list_head context_list; /* list of context id's
62691 and pointers */
62692 #endif
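Review bot: The existing comment on `context_list_counter` says it is "needed for unique contexts", yet the new `atomic_unchecked_t` type (by PaX naming convention, exempt from overflow detection) lets it wrap silently. A wrapped counter could hand out a context value that is still on `context_list`; whether the allocation code checks for duplicates is outside this hunk. If wrapping is intended, record that at the field, e.g. `/* id generator, not a reference count; wraps at overflow */`, and note there how uniqueness is preserved.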
62693 diff -urNp linux-2.6.32.46/include/linux/init_task.h linux-2.6.32.46/include/linux/init_task.h
62694 --- linux-2.6.32.46/include/linux/init_task.h 2011-03-27 14:31:47.000000000 -0400
62695 +++ linux-2.6.32.46/include/linux/init_task.h 2011-05-18 20:44:59.000000000 -0400
62696 @@ -83,6 +83,12 @@ extern struct group_info init_groups;
62697 #define INIT_IDS
62698 #endif
62699
62700 +#ifdef CONFIG_X86
62701 +#define INIT_TASK_THREAD_INFO .tinfo = INIT_THREAD_INFO,
62702 +#else
62703 +#define INIT_TASK_THREAD_INFO
62704 +#endif
62705 +
62706 #ifdef CONFIG_SECURITY_FILE_CAPABILITIES
62707 /*
62708 * Because of the reduced scope of CAP_SETPCAP when filesystem
62709 @@ -156,6 +162,7 @@ extern struct cred init_cred;
62710 __MUTEX_INITIALIZER(tsk.cred_guard_mutex), \
62711 .comm = "swapper", \
62712 .thread = INIT_THREAD, \
62713 + INIT_TASK_THREAD_INFO \
62714 .fs = &init_fs, \
62715 .files = &init_files, \
62716 .signal = &init_signals, \
62717 diff -urNp linux-2.6.32.46/include/linux/intel-iommu.h linux-2.6.32.46/include/linux/intel-iommu.h
62718 --- linux-2.6.32.46/include/linux/intel-iommu.h 2011-03-27 14:31:47.000000000 -0400
62719 +++ linux-2.6.32.46/include/linux/intel-iommu.h 2011-08-05 20:33:55.000000000 -0400
62720 @@ -296,7 +296,7 @@ struct iommu_flush {
62721 u8 fm, u64 type);
62722 void (*flush_iotlb)(struct intel_iommu *iommu, u16 did, u64 addr,
62723 unsigned int size_order, u64 type);
62724 -};
62725 +} __no_const;
62726
62727 enum {
62728 SR_DMAR_FECTL_REG,
62729 diff -urNp linux-2.6.32.46/include/linux/interrupt.h linux-2.6.32.46/include/linux/interrupt.h
62730 --- linux-2.6.32.46/include/linux/interrupt.h 2011-06-25 12:55:35.000000000 -0400
62731 +++ linux-2.6.32.46/include/linux/interrupt.h 2011-06-25 12:56:37.000000000 -0400
62732 @@ -363,7 +363,7 @@ enum
62733 /* map softirq index to softirq name. update 'softirq_to_name' in
62734 * kernel/softirq.c when adding a new softirq.
62735 */
62736 -extern char *softirq_to_name[NR_SOFTIRQS];
62737 +extern const char * const softirq_to_name[NR_SOFTIRQS];
62738
62739 /* softirq mask and active fields moved to irq_cpustat_t in
62740 * asm/hardirq.h to get better cache usage. KAO
62741 @@ -371,12 +371,12 @@ extern char *softirq_to_name[NR_SOFTIRQS
62742
62743 struct softirq_action
62744 {
62745 - void (*action)(struct softirq_action *);
62746 + void (*action)(void);
62747 };
62748
62749 asmlinkage void do_softirq(void);
62750 asmlinkage void __do_softirq(void);
62751 -extern void open_softirq(int nr, void (*action)(struct softirq_action *));
62752 +extern void open_softirq(int nr, void (*action)(void));
62753 extern void softirq_init(void);
62754 #define __raise_softirq_irqoff(nr) do { or_softirq_pending(1UL << (nr)); } while (0)
62755 extern void raise_softirq_irqoff(unsigned int nr);
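Review bot: Changing `action` and `open_softirq()` from `void (*)(struct softirq_action *)` to `void (*)(void)` means a handler still written with the old prototype is now called without its argument. In C a mismatched function pointer passed to `open_softirq()` is usually only a warning, so out-of-tree code would keep building. A comment at the struct would make the new contract explicit, e.g. `/* handlers take no argument; the softirq_action pointer is no longer passed */`. The in-tree handlers and the dispatch loop are outside this hunk and have to change in the same patch.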
62756 diff -urNp linux-2.6.32.46/include/linux/irq.h linux-2.6.32.46/include/linux/irq.h
62757 --- linux-2.6.32.46/include/linux/irq.h 2011-03-27 14:31:47.000000000 -0400
62758 +++ linux-2.6.32.46/include/linux/irq.h 2011-04-17 15:56:46.000000000 -0400
62759 @@ -438,12 +438,12 @@ extern int set_irq_msi(unsigned int irq,
62760 static inline bool alloc_desc_masks(struct irq_desc *desc, int node,
62761 bool boot)
62762 {
62763 +#ifdef CONFIG_CPUMASK_OFFSTACK
62764 gfp_t gfp = GFP_ATOMIC;
62765
62766 if (boot)
62767 gfp = GFP_NOWAIT;
62768
62769 -#ifdef CONFIG_CPUMASK_OFFSTACK
62770 if (!alloc_cpumask_var_node(&desc->affinity, gfp, node))
62771 return false;
62772
62773 diff -urNp linux-2.6.32.46/include/linux/kallsyms.h linux-2.6.32.46/include/linux/kallsyms.h
62774 --- linux-2.6.32.46/include/linux/kallsyms.h 2011-03-27 14:31:47.000000000 -0400
62775 +++ linux-2.6.32.46/include/linux/kallsyms.h 2011-04-17 15:56:46.000000000 -0400
62776 @@ -15,7 +15,8 @@
62777
62778 struct module;
62779
62780 -#ifdef CONFIG_KALLSYMS
62781 +#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)
62782 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
62783 /* Lookup the address for a symbol. Returns 0 if not found. */
62784 unsigned long kallsyms_lookup_name(const char *name);
62785
62786 @@ -92,6 +93,15 @@ static inline int lookup_symbol_attrs(un
62787 /* Stupid that this does nothing, but I didn't create this mess. */
62788 #define __print_symbol(fmt, addr)
62789 #endif /*CONFIG_KALLSYMS*/
62790 +#else /* when included by kallsyms.c, vsnprintf.c, or
62791 + arch/x86/kernel/dumpstack.c, with HIDESYM enabled */
62792 +extern void __print_symbol(const char *fmt, unsigned long address);
62793 +extern int sprint_symbol(char *buffer, unsigned long address);
62794 +const char *kallsyms_lookup(unsigned long addr,
62795 + unsigned long *symbolsize,
62796 + unsigned long *offset,
62797 + char **modname, char *namebuf);
62798 +#endif
62799
62800 /* This macro allows us to keep printk typechecking */
62801 static void __check_printsym_format(const char *fmt, ...)
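Review bot: The context line `#endif /*CONFIG_KALLSYMS*/` now closes `#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)` from the first hunk, so its trailing comment is misleading, and the added outer `#endif` has no comment at all. I would annotate both: `#endif /* CONFIG_KALLSYMS && !CONFIG_GRKERNSEC_HIDESYM */` and `#endif /* !__INCLUDED_BY_HIDESYM || !CONFIG_KALLSYMS */`. The restriction to the three files named in the added comment also rests only on which files define `__INCLUDED_BY_HIDESYM` before including this header. Nothing in either hunk stops another translation unit from defining it, which is worth stating in that comment.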
62802 diff -urNp linux-2.6.32.46/include/linux/kgdb.h linux-2.6.32.46/include/linux/kgdb.h
62803 --- linux-2.6.32.46/include/linux/kgdb.h 2011-03-27 14:31:47.000000000 -0400
62804 +++ linux-2.6.32.46/include/linux/kgdb.h 2011-08-26 20:25:20.000000000 -0400
62805 @@ -74,8 +74,8 @@ void kgdb_breakpoint(void);
62806
62807 extern int kgdb_connected;
62808
62809 -extern atomic_t kgdb_setting_breakpoint;
62810 -extern atomic_t kgdb_cpu_doing_single_step;
62811 +extern atomic_unchecked_t kgdb_setting_breakpoint;
62812 +extern atomic_unchecked_t kgdb_cpu_doing_single_step;
62813
62814 extern struct task_struct *kgdb_usethread;
62815 extern struct task_struct *kgdb_contthread;
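Review bot: Nothing in this hunk says why `kgdb_setting_breakpoint` and `kgdb_cpu_doing_single_step` move to `atomic_unchecked_t`. Assuming that type is the variant exempted from the patch's atomic overflow checking (its definition is not in this part of the patch), each conversion is a deliberate opt-out from a protection. It deserves a one-line comment stating what the value holds and why wrapping is harmless. The same undocumented conversion appears further down for `mce_bad_pages` in mm.h, `vm_stat[]` in mmzone.h and the `oprofilefs_create_ro_atomic()` argument in oprofile.h.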
62816 @@ -235,7 +235,7 @@ struct kgdb_arch {
62817 int (*remove_hw_breakpoint)(unsigned long, int, enum kgdb_bptype);
62818 void (*remove_all_hw_break)(void);
62819 void (*correct_hw_break)(void);
62820 -};
62821 +} __do_const;
62822
62823 /**
62824 * struct kgdb_io - Describe the interface for an I/O driver to talk with KGDB.
62825 @@ -257,14 +257,14 @@ struct kgdb_io {
62826 int (*init) (void);
62827 void (*pre_exception) (void);
62828 void (*post_exception) (void);
62829 -};
62830 +} __do_const;
62831
62832 -extern struct kgdb_arch arch_kgdb_ops;
62833 +extern const struct kgdb_arch arch_kgdb_ops;
62834
62835 extern unsigned long __weak kgdb_arch_pc(int exception, struct pt_regs *regs);
62836
62837 -extern int kgdb_register_io_module(struct kgdb_io *local_kgdb_io_ops);
62838 -extern void kgdb_unregister_io_module(struct kgdb_io *local_kgdb_io_ops);
62839 +extern int kgdb_register_io_module(const struct kgdb_io *local_kgdb_io_ops);
62840 +extern void kgdb_unregister_io_module(const struct kgdb_io *local_kgdb_io_ops);
62841
62842 extern int kgdb_hex2long(char **ptr, unsigned long *long_val);
62843 extern int kgdb_mem2hex(char *mem, char *buf, int count);
62844 diff -urNp linux-2.6.32.46/include/linux/kmod.h linux-2.6.32.46/include/linux/kmod.h
62845 --- linux-2.6.32.46/include/linux/kmod.h 2011-03-27 14:31:47.000000000 -0400
62846 +++ linux-2.6.32.46/include/linux/kmod.h 2011-04-17 15:56:46.000000000 -0400
62847 @@ -31,6 +31,8 @@
62848 * usually useless though. */
62849 extern int __request_module(bool wait, const char *name, ...) \
62850 __attribute__((format(printf, 2, 3)));
62851 +extern int ___request_module(bool wait, char *param_name, const char *name, ...) \
62852 + __attribute__((format(printf, 3, 4)));
62853 #define request_module(mod...) __request_module(true, mod)
62854 #define request_module_nowait(mod...) __request_module(false, mod)
62855 #define try_then_request_module(x, mod...) \
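Review bot: The new `___request_module()` prototype is undocumented and differs from `__request_module()` by one underscore, which is easy to misread at a call site. A comment above it should say what `param_name` is and who owns the string; the implementation is outside this hunk, so I cannot propose the exact wording. `param_name` is also declared `char *`; if the callee never writes through it, `const char *param_name` would match the const-correctness the rest of this patch adds.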
62856 diff -urNp linux-2.6.32.46/include/linux/kobject.h linux-2.6.32.46/include/linux/kobject.h
62857 --- linux-2.6.32.46/include/linux/kobject.h 2011-03-27 14:31:47.000000000 -0400
62858 +++ linux-2.6.32.46/include/linux/kobject.h 2011-04-17 15:56:46.000000000 -0400
62859 @@ -106,7 +106,7 @@ extern char *kobject_get_path(struct kob
62860
62861 struct kobj_type {
62862 void (*release)(struct kobject *kobj);
62863 - struct sysfs_ops *sysfs_ops;
62864 + const struct sysfs_ops *sysfs_ops;
62865 struct attribute **default_attrs;
62866 };
62867
62868 @@ -118,9 +118,9 @@ struct kobj_uevent_env {
62869 };
62870
62871 struct kset_uevent_ops {
62872 - int (*filter)(struct kset *kset, struct kobject *kobj);
62873 - const char *(*name)(struct kset *kset, struct kobject *kobj);
62874 - int (*uevent)(struct kset *kset, struct kobject *kobj,
62875 + int (* const filter)(struct kset *kset, struct kobject *kobj);
62876 + const char *(* const name)(struct kset *kset, struct kobject *kobj);
62877 + int (* const uevent)(struct kset *kset, struct kobject *kobj,
62878 struct kobj_uevent_env *env);
62879 };
62880
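Review bot: `struct kset_uevent_ops` is hardened by marking each member `(* const ...)`, whereas other operation tables in this patch (`struct kgdb_arch`, `struct kgdb_io`, `struct ata_port_operations`) get a single `__do_const` on the closing brace. With the per-member form, a member added later without `const` stays writable in any non-const instance, and nothing in the struct signals that it is meant to be immutable. Either use `} __do_const;` here as well, or add `/* all members const: instances must be fully initialised at definition */` above the struct if the per-member form is deliberate. `struct nlmsvc_binding` in lockd/bind.h uses the same per-member style.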
62881 @@ -132,7 +132,7 @@ struct kobj_attribute {
62882 const char *buf, size_t count);
62883 };
62884
62885 -extern struct sysfs_ops kobj_sysfs_ops;
62886 +extern const struct sysfs_ops kobj_sysfs_ops;
62887
62888 /**
62889 * struct kset - a set of kobjects of a specific type, belonging to a specific subsystem.
62890 @@ -155,14 +155,14 @@ struct kset {
62891 struct list_head list;
62892 spinlock_t list_lock;
62893 struct kobject kobj;
62894 - struct kset_uevent_ops *uevent_ops;
62895 + const struct kset_uevent_ops *uevent_ops;
62896 };
62897
62898 extern void kset_init(struct kset *kset);
62899 extern int __must_check kset_register(struct kset *kset);
62900 extern void kset_unregister(struct kset *kset);
62901 extern struct kset * __must_check kset_create_and_add(const char *name,
62902 - struct kset_uevent_ops *u,
62903 + const struct kset_uevent_ops *u,
62904 struct kobject *parent_kobj);
62905
62906 static inline struct kset *to_kset(struct kobject *kobj)
62907 diff -urNp linux-2.6.32.46/include/linux/kvm_host.h linux-2.6.32.46/include/linux/kvm_host.h
62908 --- linux-2.6.32.46/include/linux/kvm_host.h 2011-03-27 14:31:47.000000000 -0400
62909 +++ linux-2.6.32.46/include/linux/kvm_host.h 2011-04-17 15:56:46.000000000 -0400
62910 @@ -210,7 +210,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vc
62911 void vcpu_load(struct kvm_vcpu *vcpu);
62912 void vcpu_put(struct kvm_vcpu *vcpu);
62913
62914 -int kvm_init(void *opaque, unsigned int vcpu_size,
62915 +int kvm_init(const void *opaque, unsigned int vcpu_size,
62916 struct module *module);
62917 void kvm_exit(void);
62918
62919 @@ -316,7 +316,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
62920 struct kvm_guest_debug *dbg);
62921 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
62922
62923 -int kvm_arch_init(void *opaque);
62924 +int kvm_arch_init(const void *opaque);
62925 void kvm_arch_exit(void);
62926
62927 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
62928 diff -urNp linux-2.6.32.46/include/linux/libata.h linux-2.6.32.46/include/linux/libata.h
62929 --- linux-2.6.32.46/include/linux/libata.h 2011-03-27 14:31:47.000000000 -0400
62930 +++ linux-2.6.32.46/include/linux/libata.h 2011-08-26 20:19:09.000000000 -0400
62931 @@ -525,11 +525,11 @@ struct ata_ioports {
62932
62933 struct ata_host {
62934 spinlock_t lock;
62935 - struct device *dev;
62936 + struct device *dev;
62937 void __iomem * const *iomap;
62938 unsigned int n_ports;
62939 void *private_data;
62940 - struct ata_port_operations *ops;
62941 + const struct ata_port_operations *ops;
62942 unsigned long flags;
62943 #ifdef CONFIG_ATA_ACPI
62944 acpi_handle acpi_handle;
62945 @@ -710,7 +710,7 @@ struct ata_link {
62946
62947 struct ata_port {
62948 struct Scsi_Host *scsi_host; /* our co-allocated scsi host */
62949 - struct ata_port_operations *ops;
62950 + const struct ata_port_operations *ops;
62951 spinlock_t *lock;
62952 /* Flags owned by the EH context. Only EH should touch these once the
62953 port is active */
62954 @@ -884,7 +884,7 @@ struct ata_port_operations {
62955 * fields must be pointers.
62956 */
62957 const struct ata_port_operations *inherits;
62958 -};
62959 +} __do_const;
62960
62961 struct ata_port_info {
62962 unsigned long flags;
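Review bot: `struct ata_port_operations` becomes `__do_const` here, yet the context lines of this hunk show its `inherits` member and the remark that "fields must be pointers". That suggests a table may be completed from its parent at run time. If any code resolves inheritance by writing into the table, that writer now targets read-only data and has to be handled explicitly; this header change does not show how. A comment above `inherits` naming the resolving function and how it copes with const tables would make the change reviewable. Separately, the first hunk of this file carries a whitespace-only change to `struct device *dev;` that is unrelated to the constification.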
62963 @@ -892,7 +892,7 @@ struct ata_port_info {
62964 unsigned long pio_mask;
62965 unsigned long mwdma_mask;
62966 unsigned long udma_mask;
62967 - struct ata_port_operations *port_ops;
62968 + const struct ata_port_operations *port_ops;
62969 void *private_data;
62970 };
62971
62972 @@ -916,7 +916,7 @@ extern const unsigned long sata_deb_timi
62973 extern const unsigned long sata_deb_timing_hotplug[];
62974 extern const unsigned long sata_deb_timing_long[];
62975
62976 -extern struct ata_port_operations ata_dummy_port_ops;
62977 +extern const struct ata_port_operations ata_dummy_port_ops;
62978 extern const struct ata_port_info ata_dummy_port_info;
62979
62980 static inline const unsigned long *
62981 @@ -962,7 +962,7 @@ extern int ata_host_activate(struct ata_
62982 struct scsi_host_template *sht);
62983 extern void ata_host_detach(struct ata_host *host);
62984 extern void ata_host_init(struct ata_host *, struct device *,
62985 - unsigned long, struct ata_port_operations *);
62986 + unsigned long, const struct ata_port_operations *);
62987 extern int ata_scsi_detect(struct scsi_host_template *sht);
62988 extern int ata_scsi_ioctl(struct scsi_device *dev, int cmd, void __user *arg);
62989 extern int ata_scsi_queuecmd(struct scsi_cmnd *cmd, void (*done)(struct scsi_cmnd *));
62990 diff -urNp linux-2.6.32.46/include/linux/lockd/bind.h linux-2.6.32.46/include/linux/lockd/bind.h
62991 --- linux-2.6.32.46/include/linux/lockd/bind.h 2011-03-27 14:31:47.000000000 -0400
62992 +++ linux-2.6.32.46/include/linux/lockd/bind.h 2011-04-17 15:56:46.000000000 -0400
62993 @@ -23,13 +23,13 @@ struct svc_rqst;
62994 * This is the set of functions for lockd->nfsd communication
62995 */
62996 struct nlmsvc_binding {
62997 - __be32 (*fopen)(struct svc_rqst *,
62998 + __be32 (* const fopen)(struct svc_rqst *,
62999 struct nfs_fh *,
63000 struct file **);
63001 - void (*fclose)(struct file *);
63002 + void (* const fclose)(struct file *);
63003 };
63004
63005 -extern struct nlmsvc_binding * nlmsvc_ops;
63006 +extern const struct nlmsvc_binding * nlmsvc_ops;
63007
63008 /*
63009 * Similar to nfs_client_initdata, but without the NFS-specific
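Review bot: `extern const struct nlmsvc_binding * nlmsvc_ops;` makes the pointed-to table read-only but leaves the global pointer itself writable. The hardening therefore covers the two function pointers and not the indirection through `nlmsvc_ops`. That is probably unavoidable if the pointer is assigned when the provider registers (not visible in this hunk), but a reader can easily take the `const` as covering both. I would add `/* table is const; nlmsvc_ops itself is assigned at registration and stays writable */` above the declaration.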
63010 diff -urNp linux-2.6.32.46/include/linux/mca.h linux-2.6.32.46/include/linux/mca.h
63011 --- linux-2.6.32.46/include/linux/mca.h 2011-03-27 14:31:47.000000000 -0400
63012 +++ linux-2.6.32.46/include/linux/mca.h 2011-08-05 20:33:55.000000000 -0400
63013 @@ -80,7 +80,7 @@ struct mca_bus_accessor_functions {
63014 int region);
63015 void * (*mca_transform_memory)(struct mca_device *,
63016 void *memory);
63017 -};
63018 +} __no_const;
63019
63020 struct mca_bus {
63021 u64 default_dma_mask;
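Review bot: `__no_const` is added to `struct mca_bus_accessor_functions` without saying why this table must stay writable. Presumably the attribute exempts the struct from the automatic constification applied elsewhere in the patch (its definition is not in view). If so, each use is a gap in that hardening and should carry a reason, for example a comment naming the code that fills the table in at run time. The same undocumented opt-out appears on `struct memory_accessor` (memory.h), `struct preempt_ops` (preempt.h), `union proc_op` (proc_fs.h) and the `net_device_ops_no_const` typedef (netdevice.h).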
63022 diff -urNp linux-2.6.32.46/include/linux/memory.h linux-2.6.32.46/include/linux/memory.h
63023 --- linux-2.6.32.46/include/linux/memory.h 2011-03-27 14:31:47.000000000 -0400
63024 +++ linux-2.6.32.46/include/linux/memory.h 2011-08-05 20:33:55.000000000 -0400
63025 @@ -108,7 +108,7 @@ struct memory_accessor {
63026 size_t count);
63027 ssize_t (*write)(struct memory_accessor *, const char *buf,
63028 off_t offset, size_t count);
63029 -};
63030 +} __no_const;
63031
63032 /*
63033 * Kernel text modification mutex, used for code patching. Users of this lock
63034 diff -urNp linux-2.6.32.46/include/linux/mm.h linux-2.6.32.46/include/linux/mm.h
63035 --- linux-2.6.32.46/include/linux/mm.h 2011-03-27 14:31:47.000000000 -0400
63036 +++ linux-2.6.32.46/include/linux/mm.h 2011-04-17 15:56:46.000000000 -0400
63037 @@ -106,7 +106,14 @@ extern unsigned int kobjsize(const void
63038
63039 #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
63040 #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */
63041 +
63042 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
63043 +#define VM_SAO 0x00000000 /* Strong Access Ordering (powerpc) */
63044 +#define VM_PAGEEXEC 0x20000000 /* vma->vm_page_prot needs special handling */
63045 +#else
63046 #define VM_SAO 0x20000000 /* Strong Access Ordering (powerpc) */
63047 +#endif
63048 +
63049 #define VM_PFN_AT_MMAP 0x40000000 /* PFNMAP vma that is fully mapped at mmap time */
63050 #define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */
63051
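Review bot: `VM_PAGEEXEC` exists only when `CONFIG_PAX_PAGEEXEC && CONFIG_X86_32`, while `VM_SAO` quietly becomes 0 in that branch, and the comment on the zero definition was copied unchanged. Reusing bit `0x20000000` is only safe while nothing on 32-bit x86 sets `VM_SAO`. The "(powerpc)" remark implies that but does not state it. I would change the comment on the first definition to `/* unused on x86_32: bit reused by VM_PAGEEXEC */` and note next to `VM_PAGEEXEC` that users must sit inside the same `#if`.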
63052 @@ -841,12 +848,6 @@ int set_page_dirty(struct page *page);
63053 int set_page_dirty_lock(struct page *page);
63054 int clear_page_dirty_for_io(struct page *page);
63055
63056 -/* Is the vma a continuation of the stack vma above it? */
63057 -static inline int vma_stack_continue(struct vm_area_struct *vma, unsigned long addr)
63058 -{
63059 - return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
63060 -}
63061 -
63062 extern unsigned long move_page_tables(struct vm_area_struct *vma,
63063 unsigned long old_addr, struct vm_area_struct *new_vma,
63064 unsigned long new_addr, unsigned long len);
63065 @@ -890,6 +891,8 @@ struct shrinker {
63066 extern void register_shrinker(struct shrinker *);
63067 extern void unregister_shrinker(struct shrinker *);
63068
63069 +pgprot_t vm_get_page_prot(unsigned long vm_flags);
63070 +
63071 int vma_wants_writenotify(struct vm_area_struct *vma);
63072
63073 extern pte_t *get_locked_pte(struct mm_struct *mm, unsigned long addr, spinlock_t **ptl);
63074 @@ -1162,6 +1165,7 @@ out:
63075 }
63076
63077 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
63078 +extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
63079
63080 extern unsigned long do_brk(unsigned long, unsigned long);
63081
63082 @@ -1218,6 +1222,10 @@ extern struct vm_area_struct * find_vma(
63083 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
63084 struct vm_area_struct **pprev);
63085
63086 +extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
63087 +extern void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
63088 +extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
63089 +
63090 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
63091 NULL if none. Assume start_addr < end_addr. */
63092 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
63093 @@ -1234,7 +1242,6 @@ static inline unsigned long vma_pages(st
63094 return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
63095 }
63096
63097 -pgprot_t vm_get_page_prot(unsigned long vm_flags);
63098 struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
63099 int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
63100 unsigned long pfn, unsigned long size, pgprot_t);
63101 @@ -1332,7 +1339,13 @@ extern void memory_failure(unsigned long
63102 extern int __memory_failure(unsigned long pfn, int trapno, int ref);
63103 extern int sysctl_memory_failure_early_kill;
63104 extern int sysctl_memory_failure_recovery;
63105 -extern atomic_long_t mce_bad_pages;
63106 +extern atomic_long_unchecked_t mce_bad_pages;
63107 +
63108 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
63109 +extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
63110 +#else
63111 +static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
63112 +#endif
63113
63114 #endif /* __KERNEL__ */
63115 #endif /* _LINUX_MM_H */
63116 diff -urNp linux-2.6.32.46/include/linux/mm_types.h linux-2.6.32.46/include/linux/mm_types.h
63117 --- linux-2.6.32.46/include/linux/mm_types.h 2011-03-27 14:31:47.000000000 -0400
63118 +++ linux-2.6.32.46/include/linux/mm_types.h 2011-04-17 15:56:46.000000000 -0400
63119 @@ -186,6 +186,8 @@ struct vm_area_struct {
63120 #ifdef CONFIG_NUMA
63121 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
63122 #endif
63123 +
63124 + struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
63125 };
63126
63127 struct core_thread {
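Review bot: `vm_mirror` is added to every `struct vm_area_struct` unconditionally, whereas the PaX fields added to `struct mm_struct` in the next hunk are each wrapped in a `CONFIG_PAX_*` guard. Either guard it the same way or extend the comment to say why it is always present. The comment promises "mirror vma or NULL", so every path that allocates or copies a vma has to initialise the field. Those paths are outside this header and are worth checking against the rest of the patch.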
63128 @@ -287,6 +289,24 @@ struct mm_struct {
63129 #ifdef CONFIG_MMU_NOTIFIER
63130 struct mmu_notifier_mm *mmu_notifier_mm;
63131 #endif
63132 +
63133 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
63134 + unsigned long pax_flags;
63135 +#endif
63136 +
63137 +#ifdef CONFIG_PAX_DLRESOLVE
63138 + unsigned long call_dl_resolve;
63139 +#endif
63140 +
63141 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
63142 + unsigned long call_syscall;
63143 +#endif
63144 +
63145 +#ifdef CONFIG_PAX_ASLR
63146 + unsigned long delta_mmap; /* randomized offset */
63147 + unsigned long delta_stack; /* randomized offset */
63148 +#endif
63149 +
63150 };
63151
63152 /* Future-safe accessor for struct mm_struct's cpu_vm_mask. */
63153 diff -urNp linux-2.6.32.46/include/linux/mmu_notifier.h linux-2.6.32.46/include/linux/mmu_notifier.h
63154 --- linux-2.6.32.46/include/linux/mmu_notifier.h 2011-03-27 14:31:47.000000000 -0400
63155 +++ linux-2.6.32.46/include/linux/mmu_notifier.h 2011-04-17 15:56:46.000000000 -0400
63156 @@ -235,12 +235,12 @@ static inline void mmu_notifier_mm_destr
63157 */
63158 #define ptep_clear_flush_notify(__vma, __address, __ptep) \
63159 ({ \
63160 - pte_t __pte; \
63161 + pte_t ___pte; \
63162 struct vm_area_struct *___vma = __vma; \
63163 unsigned long ___address = __address; \
63164 - __pte = ptep_clear_flush(___vma, ___address, __ptep); \
63165 + ___pte = ptep_clear_flush(___vma, ___address, __ptep); \
63166 mmu_notifier_invalidate_page(___vma->vm_mm, ___address); \
63167 - __pte; \
63168 + ___pte; \
63169 })
63170
63171 #define ptep_clear_flush_young_notify(__vma, __address, __ptep) \
63172 diff -urNp linux-2.6.32.46/include/linux/mmzone.h linux-2.6.32.46/include/linux/mmzone.h
63173 --- linux-2.6.32.46/include/linux/mmzone.h 2011-03-27 14:31:47.000000000 -0400
63174 +++ linux-2.6.32.46/include/linux/mmzone.h 2011-04-17 15:56:46.000000000 -0400
63175 @@ -350,7 +350,7 @@ struct zone {
63176 unsigned long flags; /* zone flags, see below */
63177
63178 /* Zone statistics */
63179 - atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
63180 + atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
63181
63182 /*
63183 * prev_priority holds the scanning priority for this zone. It is
63184 diff -urNp linux-2.6.32.46/include/linux/mod_devicetable.h linux-2.6.32.46/include/linux/mod_devicetable.h
63185 --- linux-2.6.32.46/include/linux/mod_devicetable.h 2011-03-27 14:31:47.000000000 -0400
63186 +++ linux-2.6.32.46/include/linux/mod_devicetable.h 2011-04-17 15:56:46.000000000 -0400
63187 @@ -12,7 +12,7 @@
63188 typedef unsigned long kernel_ulong_t;
63189 #endif
63190
63191 -#define PCI_ANY_ID (~0)
63192 +#define PCI_ANY_ID ((__u16)~0)
63193
63194 struct pci_device_id {
63195 __u32 vendor, device; /* Vendor and device ID or PCI_ANY_ID*/
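Review bot: `PCI_ANY_ID` changes value here, not just type. Stored in the `__u32 vendor, device` fields shown just below, the old `(~0)` is `0xffffffff`, while `((__u16)~0)` promotes to `0x0000ffff`. Code that uses the macro on both sides of a comparison stays consistent after a rebuild. Anything that carries the old wildcard as a literal would stop matching as "any"; examples are IDs supplied from user space or tools that read module device tables. If the aim is only to fix a sign or width warning, `(~0U)`, as used for `HID_ANY_ID` in the next hunk, keeps the 32-bit value. Otherwise the comment on `struct pci_device_id` should state that the wildcard is now 16 bits wide.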
63196 @@ -131,7 +131,7 @@ struct usb_device_id {
63197 #define USB_DEVICE_ID_MATCH_INT_SUBCLASS 0x0100
63198 #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
63199
63200 -#define HID_ANY_ID (~0)
63201 +#define HID_ANY_ID (~0U)
63202
63203 struct hid_device_id {
63204 __u16 bus;
63205 diff -urNp linux-2.6.32.46/include/linux/module.h linux-2.6.32.46/include/linux/module.h
63206 --- linux-2.6.32.46/include/linux/module.h 2011-03-27 14:31:47.000000000 -0400
63207 +++ linux-2.6.32.46/include/linux/module.h 2011-08-05 20:33:55.000000000 -0400
63208 @@ -16,6 +16,7 @@
63209 #include <linux/kobject.h>
63210 #include <linux/moduleparam.h>
63211 #include <linux/tracepoint.h>
63212 +#include <linux/fs.h>
63213
63214 #include <asm/local.h>
63215 #include <asm/module.h>
63216 @@ -287,16 +288,16 @@ struct module
63217 int (*init)(void);
63218
63219 /* If this is non-NULL, vfree after init() returns */
63220 - void *module_init;
63221 + void *module_init_rx, *module_init_rw;
63222
63223 /* Here is the actual code + data, vfree'd on unload. */
63224 - void *module_core;
63225 + void *module_core_rx, *module_core_rw;
63226
63227 /* Here are the sizes of the init and core sections */
63228 - unsigned int init_size, core_size;
63229 + unsigned int init_size_rw, core_size_rw;
63230
63231 /* The size of the executable code in each section. */
63232 - unsigned int init_text_size, core_text_size;
63233 + unsigned int init_size_rx, core_size_rx;
63234
63235 /* Arch-specific module values */
63236 struct mod_arch_specific arch;
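Review bot: The comments in this hunk still describe the fields that were replaced. "Here are the sizes of the init and core sections" now sits above only `init_size_rw, core_size_rw`. "The size of the executable code in each section" sits above `init_size_rx, core_size_rx`, which by their names are sizes of separate RX regions rather than a sub-range of one allocation. I would reword them to `/* Sizes of the writable (RW) init and core regions */` and `/* Sizes of the executable (RX) init and core regions */`. The comments on the two pointer pairs should also say that both the `_rx` and `_rw` halves are freed.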
63237 @@ -345,6 +346,10 @@ struct module
63238 #ifdef CONFIG_EVENT_TRACING
63239 struct ftrace_event_call *trace_events;
63240 unsigned int num_trace_events;
63241 + struct file_operations trace_id;
63242 + struct file_operations trace_enable;
63243 + struct file_operations trace_format;
63244 + struct file_operations trace_filter;
63245 #endif
63246 #ifdef CONFIG_FTRACE_MCOUNT_RECORD
63247 unsigned long *ftrace_callsites;
63248 @@ -393,16 +398,46 @@ struct module *__module_address(unsigned
63249 bool is_module_address(unsigned long addr);
63250 bool is_module_text_address(unsigned long addr);
63251
63252 +static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
63253 +{
63254 +
63255 +#ifdef CONFIG_PAX_KERNEXEC
63256 + if (ktla_ktva(addr) >= (unsigned long)start &&
63257 + ktla_ktva(addr) < (unsigned long)start + size)
63258 + return 1;
63259 +#endif
63260 +
63261 + return ((void *)addr >= start && (void *)addr < start + size);
63262 +}
63263 +
63264 +static inline int within_module_core_rx(unsigned long addr, struct module *mod)
63265 +{
63266 + return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
63267 +}
63268 +
63269 +static inline int within_module_core_rw(unsigned long addr, struct module *mod)
63270 +{
63271 + return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
63272 +}
63273 +
63274 +static inline int within_module_init_rx(unsigned long addr, struct module *mod)
63275 +{
63276 + return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
63277 +}
63278 +
63279 +static inline int within_module_init_rw(unsigned long addr, struct module *mod)
63280 +{
63281 + return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
63282 +}
63283 +
63284 static inline int within_module_core(unsigned long addr, struct module *mod)
63285 {
63286 - return (unsigned long)mod->module_core <= addr &&
63287 - addr < (unsigned long)mod->module_core + mod->core_size;
63288 + return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
63289 }
63290
63291 static inline int within_module_init(unsigned long addr, struct module *mod)
63292 {
63293 - return (unsigned long)mod->module_init <= addr &&
63294 - addr < (unsigned long)mod->module_init + mod->init_size;
63295 + return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
63296 }
63297
63298 /* Search for module by name: must hold module_mutex. */
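Review bot: `within_module_range()` computes its upper bound as `start + size` in two different ways, once on `unsigned long` and once as arithmetic on `void *`, and neither form is protected against the sum wrapping. Comparing the offset instead (`addr - base < size`) avoids the wrap, drops the GNU `void *` arithmetic, and lets `ktla_ktva(addr)` be evaluated once. The result is unchanged for a NULL `start` with size 0. Whether a wrapping range can occur in practice depends on the allocator, which is not visible in this header.

```c
static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
{
	unsigned long base = (unsigned long)start;

#ifdef CONFIG_PAX_KERNEXEC
	unsigned long ktva = ktla_ktva(addr);

	if (ktva >= base && ktva - base < size)
		return 1;
#endif

	return addr >= base && addr - base < size;
}
```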
63299 diff -urNp linux-2.6.32.46/include/linux/moduleloader.h linux-2.6.32.46/include/linux/moduleloader.h
63300 --- linux-2.6.32.46/include/linux/moduleloader.h 2011-03-27 14:31:47.000000000 -0400
63301 +++ linux-2.6.32.46/include/linux/moduleloader.h 2011-04-17 15:56:46.000000000 -0400
63302 @@ -20,9 +20,21 @@ unsigned int arch_mod_section_prepend(st
63303 sections. Returns NULL on failure. */
63304 void *module_alloc(unsigned long size);
63305
63306 +#ifdef CONFIG_PAX_KERNEXEC
63307 +void *module_alloc_exec(unsigned long size);
63308 +#else
63309 +#define module_alloc_exec(x) module_alloc(x)
63310 +#endif
63311 +
63312 /* Free memory returned from module_alloc. */
63313 void module_free(struct module *mod, void *module_region);
63314
63315 +#ifdef CONFIG_PAX_KERNEXEC
63316 +void module_free_exec(struct module *mod, void *module_region);
63317 +#else
63318 +#define module_free_exec(x, y) module_free((x), (y))
63319 +#endif
63320 +
63321 /* Apply the given relocation to the (simplified) ELF. Return -error
63322 or 0. */
63323 int apply_relocate(Elf_Shdr *sechdrs,
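Review bot: Neither `module_alloc_exec()` nor `module_free_exec()` has a comment, although the existing pair right next to them does. With `CONFIG_PAX_KERNEXEC` the exec variants are separate functions, so memory from `module_alloc_exec()` presumably has to be released through `module_free_exec()`. Without the option both collapse to the plain calls, and a mismatched pair would go unnoticed in testing. I would add `/* Allocate executable module memory; release only with module_free_exec(). */` and the matching line on the free side. The fallback macros also differ in style (`module_alloc(x)` versus `module_free((x), (y))`); `static inline` wrappers would keep type checking in both configurations.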
63324 diff -urNp linux-2.6.32.46/include/linux/moduleparam.h linux-2.6.32.46/include/linux/moduleparam.h
63325 --- linux-2.6.32.46/include/linux/moduleparam.h 2011-03-27 14:31:47.000000000 -0400
63326 +++ linux-2.6.32.46/include/linux/moduleparam.h 2011-04-17 15:56:46.000000000 -0400
63327 @@ -132,7 +132,7 @@ struct kparam_array
63328
63329 /* Actually copy string: maxlen param is usually sizeof(string). */
63330 #define module_param_string(name, string, len, perm) \
63331 - static const struct kparam_string __param_string_##name \
63332 + static const struct kparam_string __param_string_##name __used \
63333 = { len, string }; \
63334 __module_param_call(MODULE_PARAM_PREFIX, name, \
63335 param_set_copystring, param_get_string, \
63336 @@ -211,7 +211,7 @@ extern int param_get_invbool(char *buffe
63337
63338 /* Comma-separated array: *nump is set to number they actually specified. */
63339 #define module_param_array_named(name, array, type, nump, perm) \
63340 - static const struct kparam_array __param_arr_##name \
63341 + static const struct kparam_array __param_arr_##name __used \
63342 = { ARRAY_SIZE(array), nump, param_set_##type, param_get_##type,\
63343 sizeof(array[0]), array }; \
63344 __module_param_call(MODULE_PARAM_PREFIX, name, \
63345 diff -urNp linux-2.6.32.46/include/linux/mutex.h linux-2.6.32.46/include/linux/mutex.h
63346 --- linux-2.6.32.46/include/linux/mutex.h 2011-03-27 14:31:47.000000000 -0400
63347 +++ linux-2.6.32.46/include/linux/mutex.h 2011-04-17 15:56:46.000000000 -0400
63348 @@ -51,7 +51,7 @@ struct mutex {
63349 spinlock_t wait_lock;
63350 struct list_head wait_list;
63351 #if defined(CONFIG_DEBUG_MUTEXES) || defined(CONFIG_SMP)
63352 - struct thread_info *owner;
63353 + struct task_struct *owner;
63354 #endif
63355 #ifdef CONFIG_DEBUG_MUTEXES
63356 const char *name;
63357 diff -urNp linux-2.6.32.46/include/linux/namei.h linux-2.6.32.46/include/linux/namei.h
63358 --- linux-2.6.32.46/include/linux/namei.h 2011-03-27 14:31:47.000000000 -0400
63359 +++ linux-2.6.32.46/include/linux/namei.h 2011-04-17 15:56:46.000000000 -0400
63360 @@ -22,7 +22,7 @@ struct nameidata {
63361 unsigned int flags;
63362 int last_type;
63363 unsigned depth;
63364 - char *saved_names[MAX_NESTED_LINKS + 1];
63365 + const char *saved_names[MAX_NESTED_LINKS + 1];
63366
63367 /* Intent data */
63368 union {
63369 @@ -84,12 +84,12 @@ extern int follow_up(struct path *);
63370 extern struct dentry *lock_rename(struct dentry *, struct dentry *);
63371 extern void unlock_rename(struct dentry *, struct dentry *);
63372
63373 -static inline void nd_set_link(struct nameidata *nd, char *path)
63374 +static inline void nd_set_link(struct nameidata *nd, const char *path)
63375 {
63376 nd->saved_names[nd->depth] = path;
63377 }
63378
63379 -static inline char *nd_get_link(struct nameidata *nd)
63380 +static inline const char *nd_get_link(const struct nameidata *nd)
63381 {
63382 return nd->saved_names[nd->depth];
63383 }
63384 diff -urNp linux-2.6.32.46/include/linux/netdevice.h linux-2.6.32.46/include/linux/netdevice.h
63385 --- linux-2.6.32.46/include/linux/netdevice.h 2011-08-09 18:35:30.000000000 -0400
63386 +++ linux-2.6.32.46/include/linux/netdevice.h 2011-08-23 21:22:38.000000000 -0400
63387 @@ -637,6 +637,7 @@ struct net_device_ops {
63388 u16 xid);
63389 #endif
63390 };
63391 +typedef struct net_device_ops __no_const net_device_ops_no_const;
63392
63393 /*
63394 * The DEVICE structure.
63395 diff -urNp linux-2.6.32.46/include/linux/netfilter/xt_gradm.h linux-2.6.32.46/include/linux/netfilter/xt_gradm.h
63396 --- linux-2.6.32.46/include/linux/netfilter/xt_gradm.h 1969-12-31 19:00:00.000000000 -0500
63397 +++ linux-2.6.32.46/include/linux/netfilter/xt_gradm.h 2011-04-17 15:56:46.000000000 -0400
63398 @@ -0,0 +1,9 @@
63399 +#ifndef _LINUX_NETFILTER_XT_GRADM_H
63400 +#define _LINUX_NETFILTER_XT_GRADM_H 1
63401 +
63402 +struct xt_gradm_mtinfo {
63403 + __u16 flags;
63404 + __u16 invflags;
63405 +};
63406 +
63407 +#endif
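Review bot: This new header uses `__u16` but includes nothing that defines it, so it only compiles when the includer has already pulled in the type definitions. Netfilter match headers of this kind are usually shared with the user-space extension, where include order is not guaranteed. Add `#include <linux/types.h>` after the guard. The struct is the whole interface, so a comment on `flags` and `invflags` saying which bits are defined would also help, as would a trailing `/* _LINUX_NETFILTER_XT_GRADM_H */` on the `#endif`.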
63408 diff -urNp linux-2.6.32.46/include/linux/nodemask.h linux-2.6.32.46/include/linux/nodemask.h
63409 --- linux-2.6.32.46/include/linux/nodemask.h 2011-03-27 14:31:47.000000000 -0400
63410 +++ linux-2.6.32.46/include/linux/nodemask.h 2011-04-17 15:56:46.000000000 -0400
63411 @@ -464,11 +464,11 @@ static inline int num_node_state(enum no
63412
63413 #define any_online_node(mask) \
63414 ({ \
63415 - int node; \
63416 - for_each_node_mask(node, (mask)) \
63417 - if (node_online(node)) \
63418 + int __node; \
63419 + for_each_node_mask(__node, (mask)) \
63420 + if (node_online(__node)) \
63421 break; \
63422 - node; \
63423 + __node; \
63424 })
63425
63426 #define num_online_nodes() num_node_state(N_ONLINE)
63427 diff -urNp linux-2.6.32.46/include/linux/oprofile.h linux-2.6.32.46/include/linux/oprofile.h
63428 --- linux-2.6.32.46/include/linux/oprofile.h 2011-03-27 14:31:47.000000000 -0400
63429 +++ linux-2.6.32.46/include/linux/oprofile.h 2011-04-17 15:56:46.000000000 -0400
63430 @@ -129,9 +129,9 @@ int oprofilefs_create_ulong(struct super
63431 int oprofilefs_create_ro_ulong(struct super_block * sb, struct dentry * root,
63432 char const * name, ulong * val);
63433
63434 -/** Create a file for read-only access to an atomic_t. */
63435 +/** Create a file for read-only access to an atomic_unchecked_t. */
63436 int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
63437 - char const * name, atomic_t * val);
63438 + char const * name, atomic_unchecked_t * val);
63439
63440 /** create a directory */
63441 struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
63442 diff -urNp linux-2.6.32.46/include/linux/pagemap.h linux-2.6.32.46/include/linux/pagemap.h
63443 --- linux-2.6.32.46/include/linux/pagemap.h 2011-03-27 14:31:47.000000000 -0400
63444 +++ linux-2.6.32.46/include/linux/pagemap.h 2011-08-17 19:36:28.000000000 -0400
63445 @@ -425,6 +425,7 @@ static inline int fault_in_pages_readabl
63446 if (((unsigned long)uaddr & PAGE_MASK) !=
63447 ((unsigned long)end & PAGE_MASK))
63448 ret = __get_user(c, end);
63449 + (void)c;
63450 }
63451 return ret;
63452 }
63453 diff -urNp linux-2.6.32.46/include/linux/perf_event.h linux-2.6.32.46/include/linux/perf_event.h
63454 --- linux-2.6.32.46/include/linux/perf_event.h 2011-03-27 14:31:47.000000000 -0400
63455 +++ linux-2.6.32.46/include/linux/perf_event.h 2011-05-04 17:56:28.000000000 -0400
63456 @@ -476,7 +476,7 @@ struct hw_perf_event {
63457 struct hrtimer hrtimer;
63458 };
63459 };
63460 - atomic64_t prev_count;
63461 + atomic64_unchecked_t prev_count;
63462 u64 sample_period;
63463 u64 last_period;
63464 atomic64_t period_left;
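Review bot: `prev_count` becomes `atomic64_unchecked_t` while `period_left`, two lines below in the same struct, stays `atomic64_t`, and nothing explains the split. If the unchecked type opts a counter out of overflow checking (its definition is not in view), then `period_left` remains checked. A comment on the converted field should say whether that is intended, for instance `/* free-running event count, may wrap */` if that is the reason. The later hunks in this file convert `count`, `child_total_time_enabled` and `child_total_time_running` in the same undocumented way.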
63465 @@ -557,7 +557,7 @@ struct perf_event {
63466 const struct pmu *pmu;
63467
63468 enum perf_event_active_state state;
63469 - atomic64_t count;
63470 + atomic64_unchecked_t count;
63471
63472 /*
63473 * These are the total time in nanoseconds that the event
63474 @@ -595,8 +595,8 @@ struct perf_event {
63475 * These accumulate total time (in nanoseconds) that children
63476 * events have been enabled and running, respectively.
63477 */
63478 - atomic64_t child_total_time_enabled;
63479 - atomic64_t child_total_time_running;
63480 + atomic64_unchecked_t child_total_time_enabled;
63481 + atomic64_unchecked_t child_total_time_running;
63482
63483 /*
63484 * Protect attach/detach and child_list:
63485 diff -urNp linux-2.6.32.46/include/linux/pipe_fs_i.h linux-2.6.32.46/include/linux/pipe_fs_i.h
63486 --- linux-2.6.32.46/include/linux/pipe_fs_i.h 2011-03-27 14:31:47.000000000 -0400
63487 +++ linux-2.6.32.46/include/linux/pipe_fs_i.h 2011-04-17 15:56:46.000000000 -0400
63488 @@ -46,9 +46,9 @@ struct pipe_inode_info {
63489 wait_queue_head_t wait;
63490 unsigned int nrbufs, curbuf;
63491 struct page *tmp_page;
63492 - unsigned int readers;
63493 - unsigned int writers;
63494 - unsigned int waiting_writers;
63495 + atomic_t readers;
63496 + atomic_t writers;
63497 + atomic_t waiting_writers;
63498 unsigned int r_counter;
63499 unsigned int w_counter;
63500 struct fasync_struct *fasync_readers;
63501 diff -urNp linux-2.6.32.46/include/linux/poison.h linux-2.6.32.46/include/linux/poison.h
63502 --- linux-2.6.32.46/include/linux/poison.h 2011-03-27 14:31:47.000000000 -0400
63503 +++ linux-2.6.32.46/include/linux/poison.h 2011-04-17 15:56:46.000000000 -0400
63504 @@ -19,8 +19,8 @@
63505 * under normal circumstances, used to verify that nobody uses
63506 * non-initialized list entries.
63507 */
63508 -#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
63509 -#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
63510 +#define LIST_POISON1 ((void *) (long)0xFFFFFF01)
63511 +#define LIST_POISON2 ((void *) (long)0xFFFFFF02)
63512
63513 /********** include/linux/timer.h **********/
63514 /*
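Review bot: On a 64-bit build the new `LIST_POISON1` and `LIST_POISON2` values do not land in the top page. `0xFFFFFF01` is an unsigned 32-bit constant, so `(long)0xFFFFFF01` zero-extends to `0x00000000FFFFFF01`. The replaced definitions added `POISON_POINTER_DELTA`, the per-architecture offset for keeping poison pointers out of mappable address space, and the new ones drop it. Unless something else in the patch guarantees the kernel cannot dereference that range, use of a poisoned list entry may no longer fault reliably on 64-bit. A comment stating the intended address for each word size would settle it, or a sign-extending form such as `((void *)(long)(int)0xFFFFFF01)` if the top page is meant everywhere.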
63515 diff -urNp linux-2.6.32.46/include/linux/posix-timers.h linux-2.6.32.46/include/linux/posix-timers.h
63516 --- linux-2.6.32.46/include/linux/posix-timers.h 2011-03-27 14:31:47.000000000 -0400
63517 +++ linux-2.6.32.46/include/linux/posix-timers.h 2011-08-05 20:33:55.000000000 -0400
63518 @@ -67,7 +67,7 @@ struct k_itimer {
63519 };
63520
63521 struct k_clock {
63522 - int res; /* in nanoseconds */
63523 + const int res; /* in nanoseconds */
63524 int (*clock_getres) (const clockid_t which_clock, struct timespec *tp);
63525 int (*clock_set) (const clockid_t which_clock, struct timespec * tp);
63526 int (*clock_get) (const clockid_t which_clock, struct timespec * tp);
63527 diff -urNp linux-2.6.32.46/include/linux/preempt.h linux-2.6.32.46/include/linux/preempt.h
63528 --- linux-2.6.32.46/include/linux/preempt.h 2011-03-27 14:31:47.000000000 -0400
63529 +++ linux-2.6.32.46/include/linux/preempt.h 2011-08-05 20:33:55.000000000 -0400
63530 @@ -110,7 +110,7 @@ struct preempt_ops {
63531 void (*sched_in)(struct preempt_notifier *notifier, int cpu);
63532 void (*sched_out)(struct preempt_notifier *notifier,
63533 struct task_struct *next);
63534 -};
63535 +} __no_const;
63536
63537 /**
63538 * preempt_notifier - key for installing preemption notifiers
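Review bot: `__no_const` is added to `struct preempt_ops` without a comment saying why this ops structure must stay writable. The same bare annotation appears in later hunks on `union proc_op`, `struct rchan_callbacks` and `struct cache_req`, and in the typedefs `rfkill_ops_no_const` and `seq_operations_no_const`. The attribute presumably exempts the type from the constification applied to other function-pointer tables, so each use is a deliberate gap in that protection. A one-line reason next to each, such as `/* filled in at runtime by <user>, cannot be const */`, would let a reviewer check that the exemption is still needed.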
63539 diff -urNp linux-2.6.32.46/include/linux/proc_fs.h linux-2.6.32.46/include/linux/proc_fs.h
63540 --- linux-2.6.32.46/include/linux/proc_fs.h 2011-03-27 14:31:47.000000000 -0400
63541 +++ linux-2.6.32.46/include/linux/proc_fs.h 2011-08-05 20:33:55.000000000 -0400
63542 @@ -155,6 +155,19 @@ static inline struct proc_dir_entry *pro
63543 return proc_create_data(name, mode, parent, proc_fops, NULL);
63544 }
63545
63546 +static inline struct proc_dir_entry *proc_create_grsec(const char *name, mode_t mode,
63547 + struct proc_dir_entry *parent, const struct file_operations *proc_fops)
63548 +{
63549 +#ifdef CONFIG_GRKERNSEC_PROC_USER
63550 + return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
63551 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
63552 + return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
63553 +#else
63554 + return proc_create_data(name, mode, parent, proc_fops, NULL);
63555 +#endif
63556 +}
63557 +
63558 +
63559 static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
63560 mode_t mode, struct proc_dir_entry *base,
63561 read_proc_t *read_proc, void * data)
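Review bot: `proc_create_grsec()` discards the caller's `mode` in two of its three branches, and nothing in the hunk documents that. With `CONFIG_GRKERNSEC_PROC_USER` the entry is always `S_IRUSR`, and with `CONFIG_GRKERNSEC_PROC_USERGROUP` always `S_IRUSR | S_IRGRP`, so a caller passing write bits gets a read-only entry on those configs and a writable one otherwise. A comment above the function should state this, e.g. `/* like proc_create(), but @mode is replaced by owner-only (or owner+group) read when the grsecurity /proc restrictions are enabled */`. The hunk also leaves two consecutive blank lines after the function where one would do. `create_proc_read_entry()` below continues outside the hunk.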
63562 @@ -256,7 +269,7 @@ union proc_op {
63563 int (*proc_show)(struct seq_file *m,
63564 struct pid_namespace *ns, struct pid *pid,
63565 struct task_struct *task);
63566 -};
63567 +} __no_const;
63568
63569 struct ctl_table_header;
63570 struct ctl_table;
63571 diff -urNp linux-2.6.32.46/include/linux/ptrace.h linux-2.6.32.46/include/linux/ptrace.h
63572 --- linux-2.6.32.46/include/linux/ptrace.h 2011-03-27 14:31:47.000000000 -0400
63573 +++ linux-2.6.32.46/include/linux/ptrace.h 2011-04-17 15:56:46.000000000 -0400
63574 @@ -96,10 +96,10 @@ extern void __ptrace_unlink(struct task_
63575 extern void exit_ptrace(struct task_struct *tracer);
63576 #define PTRACE_MODE_READ 1
63577 #define PTRACE_MODE_ATTACH 2
63578 -/* Returns 0 on success, -errno on denial. */
63579 -extern int __ptrace_may_access(struct task_struct *task, unsigned int mode);
63580 /* Returns true on success, false on denial. */
63581 extern bool ptrace_may_access(struct task_struct *task, unsigned int mode);
63582 +/* Returns true on success, false on denial. */
63583 +extern bool ptrace_may_access_log(struct task_struct *task, unsigned int mode);
63584
63585 static inline int ptrace_reparented(struct task_struct *child)
63586 {
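Review bot: The comment added for `ptrace_may_access_log()` is a copy of the one on `ptrace_may_access()`, so the header does not say how the two differ. The name suggests that a denial is recorded somewhere, but that is not visible in this hunk. The comment should state what is logged and when a caller should prefer this variant, e.g. `/* As ptrace_may_access(), but <what is logged on denial>. */`. The hunk also removes the `__ptrace_may_access()` declaration, so any caller in another file that relied on its `-errno` return has to be converted to the boolean form.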
63587 diff -urNp linux-2.6.32.46/include/linux/random.h linux-2.6.32.46/include/linux/random.h
63588 --- linux-2.6.32.46/include/linux/random.h 2011-08-16 20:37:25.000000000 -0400
63589 +++ linux-2.6.32.46/include/linux/random.h 2011-08-07 19:48:09.000000000 -0400
63590 @@ -63,6 +63,11 @@ unsigned long randomize_range(unsigned l
63591 u32 random32(void);
63592 void srandom32(u32 seed);
63593
63594 +static inline unsigned long pax_get_random_long(void)
63595 +{
63596 + return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
63597 +}
63598 +
63599 #endif /* __KERNEL___ */
63600
63601 #endif /* _LINUX_RANDOM_H */
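Review bot: `pax_get_random_long()` builds its result from `random32()`, which this header declares next to `srandom32(u32 seed)`, i.e. a seedable pseudo-random generator rather than the kernel entropy pool. If the value feeds address-space randomisation, as the `pax_` prefix suggests but the hunk does not show, later outputs should not be inferable from earlier ones. `get_random_bytes()` is the usual source for that: `unsigned long v; get_random_bytes(&v, sizeof(v)); return v;`. If the cheaper generator is a deliberate choice, for instance because of call context or cost, a comment on the function should say so. Separately, on a 32-bit build the never-taken `<< 32` arm can still draw a shift-count warning from the compiler.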
63602 diff -urNp linux-2.6.32.46/include/linux/reboot.h linux-2.6.32.46/include/linux/reboot.h
63603 --- linux-2.6.32.46/include/linux/reboot.h 2011-03-27 14:31:47.000000000 -0400
63604 +++ linux-2.6.32.46/include/linux/reboot.h 2011-05-22 23:02:06.000000000 -0400
63605 @@ -47,9 +47,9 @@ extern int unregister_reboot_notifier(st
63606 * Architecture-specific implementations of sys_reboot commands.
63607 */
63608
63609 -extern void machine_restart(char *cmd);
63610 -extern void machine_halt(void);
63611 -extern void machine_power_off(void);
63612 +extern void machine_restart(char *cmd) __noreturn;
63613 +extern void machine_halt(void) __noreturn;
63614 +extern void machine_power_off(void) __noreturn;
63615
63616 extern void machine_shutdown(void);
63617 struct pt_regs;
63618 @@ -60,9 +60,9 @@ extern void machine_crash_shutdown(struc
63619 */
63620
63621 extern void kernel_restart_prepare(char *cmd);
63622 -extern void kernel_restart(char *cmd);
63623 -extern void kernel_halt(void);
63624 -extern void kernel_power_off(void);
63625 +extern void kernel_restart(char *cmd) __noreturn;
63626 +extern void kernel_halt(void) __noreturn;
63627 +extern void kernel_power_off(void) __noreturn;
63628
63629 void ctrl_alt_del(void);
63630
63631 @@ -75,7 +75,7 @@ extern int orderly_poweroff(bool force);
63632 * Emergency restart, callable from an interrupt handler.
63633 */
63634
63635 -extern void emergency_restart(void);
63636 +extern void emergency_restart(void) __noreturn;
63637 #include <asm/emergency-restart.h>
63638
63639 #endif
63640 diff -urNp linux-2.6.32.46/include/linux/reiserfs_fs.h linux-2.6.32.46/include/linux/reiserfs_fs.h
63641 --- linux-2.6.32.46/include/linux/reiserfs_fs.h 2011-03-27 14:31:47.000000000 -0400
63642 +++ linux-2.6.32.46/include/linux/reiserfs_fs.h 2011-04-17 15:56:46.000000000 -0400
63643 @@ -1326,7 +1326,7 @@ static inline loff_t max_reiserfs_offset
63644 #define REISERFS_USER_MEM 1 /* reiserfs user memory mode */
63645
63646 #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
63647 -#define get_generation(s) atomic_read (&fs_generation(s))
63648 +#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
63649 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
63650 #define __fs_changed(gen,s) (gen != get_generation (s))
63651 #define fs_changed(gen,s) ({cond_resched(); __fs_changed(gen, s);})
63652 @@ -1534,24 +1534,24 @@ static inline struct super_block *sb_fro
63653 */
63654
63655 struct item_operations {
63656 - int (*bytes_number) (struct item_head * ih, int block_size);
63657 - void (*decrement_key) (struct cpu_key *);
63658 - int (*is_left_mergeable) (struct reiserfs_key * ih,
63659 + int (* const bytes_number) (struct item_head * ih, int block_size);
63660 + void (* const decrement_key) (struct cpu_key *);
63661 + int (* const is_left_mergeable) (struct reiserfs_key * ih,
63662 unsigned long bsize);
63663 - void (*print_item) (struct item_head *, char *item);
63664 - void (*check_item) (struct item_head *, char *item);
63665 + void (* const print_item) (struct item_head *, char *item);
63666 + void (* const check_item) (struct item_head *, char *item);
63667
63668 - int (*create_vi) (struct virtual_node * vn, struct virtual_item * vi,
63669 + int (* const create_vi) (struct virtual_node * vn, struct virtual_item * vi,
63670 int is_affected, int insert_size);
63671 - int (*check_left) (struct virtual_item * vi, int free,
63672 + int (* const check_left) (struct virtual_item * vi, int free,
63673 int start_skip, int end_skip);
63674 - int (*check_right) (struct virtual_item * vi, int free);
63675 - int (*part_size) (struct virtual_item * vi, int from, int to);
63676 - int (*unit_num) (struct virtual_item * vi);
63677 - void (*print_vi) (struct virtual_item * vi);
63678 + int (* const check_right) (struct virtual_item * vi, int free);
63679 + int (* const part_size) (struct virtual_item * vi, int from, int to);
63680 + int (* const unit_num) (struct virtual_item * vi);
63681 + void (* const print_vi) (struct virtual_item * vi);
63682 };
63683
63684 -extern struct item_operations *item_ops[TYPE_ANY + 1];
63685 +extern const struct item_operations * const item_ops[TYPE_ANY + 1];
63686
63687 #define op_bytes_number(ih,bsize) item_ops[le_ih_k_type (ih)]->bytes_number (ih, bsize)
63688 #define op_is_left_mergeable(key,bsize) item_ops[le_key_k_type (le_key_version (key), key)]->is_left_mergeable (key, bsize)
63689 diff -urNp linux-2.6.32.46/include/linux/reiserfs_fs_sb.h linux-2.6.32.46/include/linux/reiserfs_fs_sb.h
63690 --- linux-2.6.32.46/include/linux/reiserfs_fs_sb.h 2011-03-27 14:31:47.000000000 -0400
63691 +++ linux-2.6.32.46/include/linux/reiserfs_fs_sb.h 2011-04-17 15:56:46.000000000 -0400
63692 @@ -377,7 +377,7 @@ struct reiserfs_sb_info {
63693 /* Comment? -Hans */
63694 wait_queue_head_t s_wait;
63695 /* To be obsoleted soon by per buffer seals.. -Hans */
63696 - atomic_t s_generation_counter; // increased by one every time the
63697 + atomic_unchecked_t s_generation_counter; // increased by one every time the
63698 // tree gets re-balanced
63699 unsigned long s_properties; /* File system properties. Currently holds
63700 on-disk FS format */
63701 diff -urNp linux-2.6.32.46/include/linux/relay.h linux-2.6.32.46/include/linux/relay.h
63702 --- linux-2.6.32.46/include/linux/relay.h 2011-03-27 14:31:47.000000000 -0400
63703 +++ linux-2.6.32.46/include/linux/relay.h 2011-08-05 20:33:55.000000000 -0400
63704 @@ -159,7 +159,7 @@ struct rchan_callbacks
63705 * The callback should return 0 if successful, negative if not.
63706 */
63707 int (*remove_buf_file)(struct dentry *dentry);
63708 -};
63709 +} __no_const;
63710
63711 /*
63712 * CONFIG_RELAY kernel API, kernel/relay.c
63713 diff -urNp linux-2.6.32.46/include/linux/rfkill.h linux-2.6.32.46/include/linux/rfkill.h
63714 --- linux-2.6.32.46/include/linux/rfkill.h 2011-03-27 14:31:47.000000000 -0400
63715 +++ linux-2.6.32.46/include/linux/rfkill.h 2011-08-23 21:22:38.000000000 -0400
63716 @@ -144,6 +144,7 @@ struct rfkill_ops {
63717 void (*query)(struct rfkill *rfkill, void *data);
63718 int (*set_block)(void *data, bool blocked);
63719 };
63720 +typedef struct rfkill_ops __no_const rfkill_ops_no_const;
63721
63722 #if defined(CONFIG_RFKILL) || defined(CONFIG_RFKILL_MODULE)
63723 /**
63724 diff -urNp linux-2.6.32.46/include/linux/sched.h linux-2.6.32.46/include/linux/sched.h
63725 --- linux-2.6.32.46/include/linux/sched.h 2011-03-27 14:31:47.000000000 -0400
63726 +++ linux-2.6.32.46/include/linux/sched.h 2011-08-11 19:48:55.000000000 -0400
63727 @@ -101,6 +101,7 @@ struct bio;
63728 struct fs_struct;
63729 struct bts_context;
63730 struct perf_event_context;
63731 +struct linux_binprm;
63732
63733 /*
63734 * List of flags we want to share for kernel threads,
63735 @@ -350,7 +351,7 @@ extern signed long schedule_timeout_kill
63736 extern signed long schedule_timeout_uninterruptible(signed long timeout);
63737 asmlinkage void __schedule(void);
63738 asmlinkage void schedule(void);
63739 -extern int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner);
63740 +extern int mutex_spin_on_owner(struct mutex *lock, struct task_struct *owner);
63741
63742 struct nsproxy;
63743 struct user_namespace;
63744 @@ -371,9 +372,12 @@ struct user_namespace;
63745 #define DEFAULT_MAX_MAP_COUNT (USHORT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
63746
63747 extern int sysctl_max_map_count;
63748 +extern unsigned long sysctl_heap_stack_gap;
63749
63750 #include <linux/aio.h>
63751
63752 +extern bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len);
63753 +extern unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len);
63754 extern unsigned long
63755 arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
63756 unsigned long, unsigned long);
63757 @@ -666,6 +670,16 @@ struct signal_struct {
63758 struct tty_audit_buf *tty_audit_buf;
63759 #endif
63760
63761 +#ifdef CONFIG_GRKERNSEC
63762 + u32 curr_ip;
63763 + u32 saved_ip;
63764 + u32 gr_saddr;
63765 + u32 gr_daddr;
63766 + u16 gr_sport;
63767 + u16 gr_dport;
63768 + u8 used_accept:1;
63769 +#endif
63770 +
63771 int oom_adj; /* OOM kill score adjustment (bit shift) */
63772 };
63773
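Review bot: The address fields added to `struct signal_struct` (`curr_ip`, `saved_ip`, `gr_saddr`, `gr_daddr`) are `u32`, which is wide enough for an IPv4 address only, and none of the new members carries a comment. If they record the peer of a network connection for logging, as the names suggest, an IPv6 peer cannot be represented, and the hunk does not show what is stored in that case. Each field should state its meaning and byte order, e.g. `u32 curr_ip; /* IPv4 address of <what>, <byte order> */`. If the values are kept in network order, `__be32`/`__be16` would make that checkable.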
63774 @@ -723,6 +737,11 @@ struct user_struct {
63775 struct key *session_keyring; /* UID's default session keyring */
63776 #endif
63777
63778 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
63779 + unsigned int banned;
63780 + unsigned long ban_expires;
63781 +#endif
63782 +
63783 /* Hash table maintenance information */
63784 struct hlist_node uidhash_node;
63785 uid_t uid;
63786 @@ -1328,8 +1347,8 @@ struct task_struct {
63787 struct list_head thread_group;
63788
63789 struct completion *vfork_done; /* for vfork() */
63790 - int __user *set_child_tid; /* CLONE_CHILD_SETTID */
63791 - int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
63792 + pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
63793 + pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
63794
63795 cputime_t utime, stime, utimescaled, stimescaled;
63796 cputime_t gtime;
63797 @@ -1343,16 +1362,6 @@ struct task_struct {
63798 struct task_cputime cputime_expires;
63799 struct list_head cpu_timers[3];
63800
63801 -/* process credentials */
63802 - const struct cred *real_cred; /* objective and real subjective task
63803 - * credentials (COW) */
63804 - const struct cred *cred; /* effective (overridable) subjective task
63805 - * credentials (COW) */
63806 - struct mutex cred_guard_mutex; /* guard against foreign influences on
63807 - * credential calculations
63808 - * (notably. ptrace) */
63809 - struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
63810 -
63811 char comm[TASK_COMM_LEN]; /* executable name excluding path
63812 - access with [gs]et_task_comm (which lock
63813 it with task_lock())
63814 @@ -1369,6 +1378,10 @@ struct task_struct {
63815 #endif
63816 /* CPU-specific state of this task */
63817 struct thread_struct thread;
63818 +/* thread_info moved to task_struct */
63819 +#ifdef CONFIG_X86
63820 + struct thread_info tinfo;
63821 +#endif
63822 /* filesystem information */
63823 struct fs_struct *fs;
63824 /* open file information */
63825 @@ -1436,6 +1449,15 @@ struct task_struct {
63826 int hardirq_context;
63827 int softirq_context;
63828 #endif
63829 +
63830 +/* process credentials */
63831 + const struct cred *real_cred; /* objective and real subjective task
63832 + * credentials (COW) */
63833 + struct mutex cred_guard_mutex; /* guard against foreign influences on
63834 + * credential calculations
63835 + * (notably. ptrace) */
63836 + struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
63837 +
63838 #ifdef CONFIG_LOCKDEP
63839 # define MAX_LOCK_DEPTH 48UL
63840 u64 curr_chain_key;
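Review bot: The `/* process credentials */` group re-added here no longer contains `cred`, which the next hunk places on its own after `backing_dev_info`, and neither hunk explains the split. A reader looking for the effective credentials under this heading will not find them, and the reason for separating the two pointers is left to guesswork. The heading should say so, e.g. `/* process credentials; the effective cred pointer is kept separately, after backing_dev_info */`, together with a short reason for the placement. `struct task_struct` starts and ends outside the hunk.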
63841 @@ -1456,6 +1478,9 @@ struct task_struct {
63842
63843 struct backing_dev_info *backing_dev_info;
63844
63845 + const struct cred *cred; /* effective (overridable) subjective task
63846 + * credentials (COW) */
63847 +
63848 struct io_context *io_context;
63849
63850 unsigned long ptrace_message;
63851 @@ -1519,6 +1544,21 @@ struct task_struct {
63852 unsigned long default_timer_slack_ns;
63853
63854 struct list_head *scm_work_list;
63855 +
63856 +#ifdef CONFIG_GRKERNSEC
63857 + /* grsecurity */
63858 + struct dentry *gr_chroot_dentry;
63859 + struct acl_subject_label *acl;
63860 + struct acl_role_label *role;
63861 + struct file *exec_file;
63862 + u16 acl_role_id;
63863 + /* is this the task that authenticated to the special role */
63864 + u8 acl_sp_role;
63865 + u8 is_writable;
63866 + u8 brute;
63867 + u8 gr_is_chrooted;
63868 +#endif
63869 +
63870 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
63871 /* Index of current stored adress in ret_stack */
63872 int curr_ret_stack;
63873 @@ -1542,6 +1582,57 @@ struct task_struct {
63874 #endif /* CONFIG_TRACING */
63875 };
63876
63877 +#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
63878 +#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
63879 +#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
63880 +#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
63881 +/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
63882 +#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
63883 +
63884 +#ifdef CONFIG_PAX_SOFTMODE
63885 +extern int pax_softmode;
63886 +#endif
63887 +
63888 +extern int pax_check_flags(unsigned long *);
63889 +
63890 +/* if tsk != current then task_lock must be held on it */
63891 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
63892 +static inline unsigned long pax_get_flags(struct task_struct *tsk)
63893 +{
63894 + if (likely(tsk->mm))
63895 + return tsk->mm->pax_flags;
63896 + else
63897 + return 0UL;
63898 +}
63899 +
63900 +/* if tsk != current then task_lock must be held on it */
63901 +static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
63902 +{
63903 + if (likely(tsk->mm)) {
63904 + tsk->mm->pax_flags = flags;
63905 + return 0;
63906 + }
63907 + return -EINVAL;
63908 +}
63909 +#endif
63910 +
63911 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
63912 +extern void pax_set_initial_flags(struct linux_binprm *bprm);
63913 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
63914 +extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
63915 +#endif
63916 +
63917 +extern void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
63918 +extern void pax_report_insns(void *pc, void *sp);
63919 +extern void pax_report_refcount_overflow(struct pt_regs *regs);
63920 +extern NORET_TYPE void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type) ATTRIB_NORET;
63921 +
63922 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
63923 +extern void pax_track_stack(void);
63924 +#else
63925 +static inline void pax_track_stack(void) {}
63926 +#endif
63927 +
63928 /* Future-safe accessor for struct task_struct's cpus_allowed. */
63929 #define tsk_cpumask(tsk) (&(tsk)->cpus_allowed)
63930
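Review bot: `pax_set_flags()` stores the caller's `flags` into `tsk->mm->pax_flags` unmodified, although `pax_check_flags()` is declared a few lines above and the `MF_PAX_*` bits are defined in the same hunk. Whether every caller validates first is not visible here, so the contract should be written down, e.g. `/* flags must already have passed pax_check_flags(); no validation is done here */`. The function also returns `long` although its only results are `0` and `-EINVAL`, where `int` would match the neighbouring declarations. `pax_get_flags()` returns `0UL` for a task without an `mm`, which a caller cannot tell apart from "no flags set". The locking comment for the getter sits before the `#if` while the setter's is inside it; putting both inside keeps each comment with the code it describes.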
63931 @@ -1740,7 +1831,7 @@ extern void thread_group_times(struct ta
63932 #define PF_DUMPCORE 0x00000200 /* dumped core */
63933 #define PF_SIGNALED 0x00000400 /* killed by a signal */
63934 #define PF_MEMALLOC 0x00000800 /* Allocating memory */
63935 -#define PF_FLUSHER 0x00001000 /* responsible for disk writeback */
63936 +#define PF_NPROC_EXCEEDED 0x00001000 /* set_user noticed that RLIMIT_NPROC was exceeded */
63937 #define PF_USED_MATH 0x00002000 /* if unset the fpu must be initialized before use */
63938 #define PF_FREEZING 0x00004000 /* freeze in progress. do not account to load */
63939 #define PF_NOFREEZE 0x00008000 /* this thread should not be frozen */
63940 @@ -1978,7 +2069,9 @@ void yield(void);
63941 extern struct exec_domain default_exec_domain;
63942
63943 union thread_union {
63944 +#ifndef CONFIG_X86
63945 struct thread_info thread_info;
63946 +#endif
63947 unsigned long stack[THREAD_SIZE/sizeof(long)];
63948 };
63949
63950 @@ -2011,6 +2104,7 @@ extern struct pid_namespace init_pid_ns;
63951 */
63952
63953 extern struct task_struct *find_task_by_vpid(pid_t nr);
63954 +extern struct task_struct *find_task_by_vpid_unrestricted(pid_t nr);
63955 extern struct task_struct *find_task_by_pid_ns(pid_t nr,
63956 struct pid_namespace *ns);
63957
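Review bot: `find_task_by_vpid_unrestricted()` is declared with no comment saying which restriction it skips. The name implies that `find_task_by_vpid()` now applies a check that this variant bypasses, but neither implementation is visible in the hunk. Choosing the wrong one either weakens that check or breaks a legitimate lookup, so the header should say who may call it, e.g. `/* skips <restriction> applied by find_task_by_vpid(); only for <callers> */`.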
63958 @@ -2155,7 +2249,7 @@ extern void __cleanup_sighand(struct sig
63959 extern void exit_itimers(struct signal_struct *);
63960 extern void flush_itimer_signals(void);
63961
63962 -extern NORET_TYPE void do_group_exit(int);
63963 +extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
63964
63965 extern void daemonize(const char *, ...);
63966 extern int allow_signal(int);
63967 @@ -2284,13 +2378,17 @@ static inline unsigned long *end_of_stac
63968
63969 #endif
63970
63971 -static inline int object_is_on_stack(void *obj)
63972 +static inline int object_starts_on_stack(void *obj)
63973 {
63974 - void *stack = task_stack_page(current);
63975 + const void *stack = task_stack_page(current);
63976
63977 return (obj >= stack) && (obj < (stack + THREAD_SIZE));
63978 }
63979
63980 +#ifdef CONFIG_PAX_USERCOPY
63981 +extern int object_is_on_stack(const void *obj, unsigned long len);
63982 +#endif
63983 +
63984 extern void thread_info_cache_init(void);
63985
63986 #ifdef CONFIG_DEBUG_STACK_USAGE
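Review bot: The name `object_is_on_stack` is reused for a function with a different signature (`const void *obj, unsigned long len`) that is declared only under `CONFIG_PAX_USERCOPY`, while the old one-argument check becomes `object_starts_on_stack`. Existing callers fail to compile rather than misbehave, but the return convention of the new function is undocumented here and need not be the old 0/1. A comment on the declaration should spell out each return value. `object_starts_on_stack()` could also take a const pointer, matching the `const` the hunk adds to its local and to the new prototype: `static inline int object_starts_on_stack(const void *obj)`.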
63987 diff -urNp linux-2.6.32.46/include/linux/screen_info.h linux-2.6.32.46/include/linux/screen_info.h
63988 --- linux-2.6.32.46/include/linux/screen_info.h 2011-03-27 14:31:47.000000000 -0400
63989 +++ linux-2.6.32.46/include/linux/screen_info.h 2011-04-17 15:56:46.000000000 -0400
63990 @@ -42,7 +42,8 @@ struct screen_info {
63991 __u16 pages; /* 0x32 */
63992 __u16 vesa_attributes; /* 0x34 */
63993 __u32 capabilities; /* 0x36 */
63994 - __u8 _reserved[6]; /* 0x3a */
63995 + __u16 vesapm_size; /* 0x3a */
63996 + __u8 _reserved[4]; /* 0x3c */
63997 } __attribute__((packed));
63998
63999 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
64000 diff -urNp linux-2.6.32.46/include/linux/security.h linux-2.6.32.46/include/linux/security.h
64001 --- linux-2.6.32.46/include/linux/security.h 2011-03-27 14:31:47.000000000 -0400
64002 +++ linux-2.6.32.46/include/linux/security.h 2011-04-17 15:56:46.000000000 -0400
64003 @@ -34,6 +34,7 @@
64004 #include <linux/key.h>
64005 #include <linux/xfrm.h>
64006 #include <linux/gfp.h>
64007 +#include <linux/grsecurity.h>
64008 #include <net/flow.h>
64009
64010 /* Maximum number of letters for an LSM name string */
64011 diff -urNp linux-2.6.32.46/include/linux/seq_file.h linux-2.6.32.46/include/linux/seq_file.h
64012 --- linux-2.6.32.46/include/linux/seq_file.h 2011-03-27 14:31:47.000000000 -0400
64013 +++ linux-2.6.32.46/include/linux/seq_file.h 2011-08-23 21:22:38.000000000 -0400
64014 @@ -32,6 +32,7 @@ struct seq_operations {
64015 void * (*next) (struct seq_file *m, void *v, loff_t *pos);
64016 int (*show) (struct seq_file *m, void *v);
64017 };
64018 +typedef struct seq_operations __no_const seq_operations_no_const;
64019
64020 #define SEQ_SKIP 1
64021
64022 diff -urNp linux-2.6.32.46/include/linux/shm.h linux-2.6.32.46/include/linux/shm.h
64023 --- linux-2.6.32.46/include/linux/shm.h 2011-03-27 14:31:47.000000000 -0400
64024 +++ linux-2.6.32.46/include/linux/shm.h 2011-04-17 15:56:46.000000000 -0400
64025 @@ -95,6 +95,10 @@ struct shmid_kernel /* private to the ke
64026 pid_t shm_cprid;
64027 pid_t shm_lprid;
64028 struct user_struct *mlock_user;
64029 +#ifdef CONFIG_GRKERNSEC
64030 + time_t shm_createtime;
64031 + pid_t shm_lapid;
64032 +#endif
64033 };
64034
64035 /* shm_mode upper byte flags */
64036 diff -urNp linux-2.6.32.46/include/linux/skbuff.h linux-2.6.32.46/include/linux/skbuff.h
64037 --- linux-2.6.32.46/include/linux/skbuff.h 2011-03-27 14:31:47.000000000 -0400
64038 +++ linux-2.6.32.46/include/linux/skbuff.h 2011-08-21 15:27:56.000000000 -0400
64039 @@ -14,6 +14,7 @@
64040 #ifndef _LINUX_SKBUFF_H
64041 #define _LINUX_SKBUFF_H
64042
64043 +#include <linux/const.h>
64044 #include <linux/kernel.h>
64045 #include <linux/kmemcheck.h>
64046 #include <linux/compiler.h>
64047 @@ -544,7 +545,7 @@ static inline union skb_shared_tx *skb_t
64048 */
64049 static inline int skb_queue_empty(const struct sk_buff_head *list)
64050 {
64051 - return list->next == (struct sk_buff *)list;
64052 + return list->next == (const struct sk_buff *)list;
64053 }
64054
64055 /**
64056 @@ -557,7 +558,7 @@ static inline int skb_queue_empty(const
64057 static inline bool skb_queue_is_last(const struct sk_buff_head *list,
64058 const struct sk_buff *skb)
64059 {
64060 - return (skb->next == (struct sk_buff *) list);
64061 + return (skb->next == (const struct sk_buff *) list);
64062 }
64063
64064 /**
64065 @@ -570,7 +571,7 @@ static inline bool skb_queue_is_last(con
64066 static inline bool skb_queue_is_first(const struct sk_buff_head *list,
64067 const struct sk_buff *skb)
64068 {
64069 - return (skb->prev == (struct sk_buff *) list);
64070 + return (skb->prev == (const struct sk_buff *) list);
64071 }
64072
64073 /**
64074 @@ -1367,7 +1368,7 @@ static inline int skb_network_offset(con
64075 * headroom, you should not reduce this.
64076 */
64077 #ifndef NET_SKB_PAD
64078 -#define NET_SKB_PAD 32
64079 +#define NET_SKB_PAD (_AC(32,UL))
64080 #endif
64081
64082 extern int ___pskb_trim(struct sk_buff *skb, unsigned int len);
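Review bot: Changing `NET_SKB_PAD` from `32` to `(_AC(32,UL))` turns an `int` constant into an `unsigned long` one, which alters the type of every expression it appears in. Signed comparisons and subtractions against it become unsigned, and type-checked helpers such as `max()`/`min()` will warn where the other operand is an `int`. Because the define sits inside `#ifndef NET_SKB_PAD`, an architecture that supplies its own value keeps whatever type it used, so the macro's type may differ between builds; that is not visible here and worth checking. A short comment giving the reason for the wider type would help, e.g. `/* unsigned long so that <reason> */`.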
64083 diff -urNp linux-2.6.32.46/include/linux/slab_def.h linux-2.6.32.46/include/linux/slab_def.h
64084 --- linux-2.6.32.46/include/linux/slab_def.h 2011-03-27 14:31:47.000000000 -0400
64085 +++ linux-2.6.32.46/include/linux/slab_def.h 2011-05-04 17:56:28.000000000 -0400
64086 @@ -69,10 +69,10 @@ struct kmem_cache {
64087 unsigned long node_allocs;
64088 unsigned long node_frees;
64089 unsigned long node_overflow;
64090 - atomic_t allochit;
64091 - atomic_t allocmiss;
64092 - atomic_t freehit;
64093 - atomic_t freemiss;
64094 + atomic_unchecked_t allochit;
64095 + atomic_unchecked_t allocmiss;
64096 + atomic_unchecked_t freehit;
64097 + atomic_unchecked_t freemiss;
64098
64099 /*
64100 * If debugging is enabled, then the allocator can add additional
64101 diff -urNp linux-2.6.32.46/include/linux/slab.h linux-2.6.32.46/include/linux/slab.h
64102 --- linux-2.6.32.46/include/linux/slab.h 2011-03-27 14:31:47.000000000 -0400
64103 +++ linux-2.6.32.46/include/linux/slab.h 2011-04-17 15:56:46.000000000 -0400
64104 @@ -11,12 +11,20 @@
64105
64106 #include <linux/gfp.h>
64107 #include <linux/types.h>
64108 +#include <linux/err.h>
64109
64110 /*
64111 * Flags to pass to kmem_cache_create().
64112 * The ones marked DEBUG are only valid if CONFIG_SLAB_DEBUG is set.
64113 */
64114 #define SLAB_DEBUG_FREE 0x00000100UL /* DEBUG: Perform (expensive) checks on free */
64115 +
64116 +#ifdef CONFIG_PAX_USERCOPY
64117 +#define SLAB_USERCOPY 0x00000200UL /* PaX: Allow copying objs to/from userland */
64118 +#else
64119 +#define SLAB_USERCOPY 0x00000000UL
64120 +#endif
64121 +
64122 #define SLAB_RED_ZONE 0x00000400UL /* DEBUG: Red zone objs in a cache */
64123 #define SLAB_POISON 0x00000800UL /* DEBUG: Poison objects */
64124 #define SLAB_HWCACHE_ALIGN 0x00002000UL /* Align objs on cache lines */
64125 @@ -82,10 +90,13 @@
64126 * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
64127 * Both make kfree a no-op.
64128 */
64129 -#define ZERO_SIZE_PTR ((void *)16)
64130 +#define ZERO_SIZE_PTR \
64131 +({ \
64132 + BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
64133 + (void *)(-MAX_ERRNO-1L); \
64134 +})
64135
64136 -#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
64137 - (unsigned long)ZERO_SIZE_PTR)
64138 +#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1)
64139
64140 /*
64141 * struct kmem_cache related prototypes
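Review bot: The rewritten `ZERO_OR_NULL_PTR(x)` is true not only for `NULL` and `ZERO_SIZE_PTR` but for every value at or above `ZERO_SIZE_PTR`, which with `ZERO_SIZE_PTR` at `-MAX_ERRNO-1` covers the whole `ERR_PTR()` range. That changes behaviour for every user of the macro, yet the comment above it still describes only the two original cases; it should gain a line such as `/* also true for ERR_PTR() values, which lie above ZERO_SIZE_PTR */`. `ZERO_SIZE_PTR` is now a statement expression, so it can no longer appear in a static initialiser or other constant expression. The `BUILD_BUG_ON` only checks that `MAX_ERRNO` has some bit set below the page size. If the intent is that `ZERO_SIZE_PTR` stays inside the last page, `BUILD_BUG_ON(MAX_ERRNO >= PAGE_SIZE)` states that directly.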
64142 @@ -138,6 +149,7 @@ void * __must_check krealloc(const void
64143 void kfree(const void *);
64144 void kzfree(const void *);
64145 size_t ksize(const void *);
64146 +void check_object_size(const void *ptr, unsigned long n, bool to);
64147
64148 /*
64149 * Allocator specific definitions. These are mainly used to establish optimized
64150 @@ -328,4 +340,37 @@ static inline void *kzalloc_node(size_t
64151
64152 void __init kmem_cache_init_late(void);
64153
64154 +#define kmalloc(x, y) \
64155 +({ \
64156 + void *___retval; \
64157 + intoverflow_t ___x = (intoverflow_t)x; \
64158 + if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n"))\
64159 + ___retval = NULL; \
64160 + else \
64161 + ___retval = kmalloc((size_t)___x, (y)); \
64162 + ___retval; \
64163 +})
64164 +
64165 +#define kmalloc_node(x, y, z) \
64166 +({ \
64167 + void *___retval; \
64168 + intoverflow_t ___x = (intoverflow_t)x; \
64169 + if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
64170 + ___retval = NULL; \
64171 + else \
64172 + ___retval = kmalloc_node((size_t)___x, (y), (z));\
64173 + ___retval; \
64174 +})
64175 +
64176 +#define kzalloc(x, y) \
64177 +({ \
64178 + void *___retval; \
64179 + intoverflow_t ___x = (intoverflow_t)x; \
64180 + if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n"))\
64181 + ___retval = NULL; \
64182 + else \
64183 + ___retval = kzalloc((size_t)___x, (y)); \
64184 + ___retval; \
64185 +})
64186 +
64187 #endif /* _LINUX_SLAB_H */
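Review bot: In all three wrapper macros the size argument is cast without parentheses, `(intoverflow_t)x`, so for a call such as `kmalloc(n * sizeof(*p), ...)` the cast binds to `n` alone and the product is computed in the wider type. That looks deliberate, since it is what lets the `> ULONG_MAX` test see an overflow, but it is undocumented and only partial: in `a + b * c` just `a` is widened and `b * c` can still wrap unnoticed. A comment above the first macro should state this, e.g. `/* x is deliberately not parenthesised: the cast widens the leftmost operand so the size arithmetic is done in intoverflow_t */`. The check also depends on `intoverflow_t` being wider than `unsigned long`, which is defined outside this hunk; on a build where it is not, the test can never fire.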
64188 diff -urNp linux-2.6.32.46/include/linux/slub_def.h linux-2.6.32.46/include/linux/slub_def.h
64189 --- linux-2.6.32.46/include/linux/slub_def.h 2011-03-27 14:31:47.000000000 -0400
64190 +++ linux-2.6.32.46/include/linux/slub_def.h 2011-08-05 20:33:55.000000000 -0400
64191 @@ -86,7 +86,7 @@ struct kmem_cache {
64192 struct kmem_cache_order_objects max;
64193 struct kmem_cache_order_objects min;
64194 gfp_t allocflags; /* gfp flags to use on each alloc */
64195 - int refcount; /* Refcount for slab cache destroy */
64196 + atomic_t refcount; /* Refcount for slab cache destroy */
64197 void (*ctor)(void *);
64198 int inuse; /* Offset to metadata */
64199 int align; /* Alignment */
64200 @@ -215,7 +215,7 @@ static __always_inline struct kmem_cache
64201 #endif
64202
64203 void *kmem_cache_alloc(struct kmem_cache *, gfp_t);
64204 -void *__kmalloc(size_t size, gfp_t flags);
64205 +void *__kmalloc(size_t size, gfp_t flags) __alloc_size(1);
64206
64207 #ifdef CONFIG_KMEMTRACE
64208 extern void *kmem_cache_alloc_notrace(struct kmem_cache *s, gfp_t gfpflags);
64209 diff -urNp linux-2.6.32.46/include/linux/sonet.h linux-2.6.32.46/include/linux/sonet.h
64210 --- linux-2.6.32.46/include/linux/sonet.h 2011-03-27 14:31:47.000000000 -0400
64211 +++ linux-2.6.32.46/include/linux/sonet.h 2011-04-17 15:56:46.000000000 -0400
64212 @@ -61,7 +61,7 @@ struct sonet_stats {
64213 #include <asm/atomic.h>
64214
64215 struct k_sonet_stats {
64216 -#define __HANDLE_ITEM(i) atomic_t i
64217 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
64218 __SONET_ITEMS
64219 #undef __HANDLE_ITEM
64220 };
64221 diff -urNp linux-2.6.32.46/include/linux/sunrpc/cache.h linux-2.6.32.46/include/linux/sunrpc/cache.h
64222 --- linux-2.6.32.46/include/linux/sunrpc/cache.h 2011-03-27 14:31:47.000000000 -0400
64223 +++ linux-2.6.32.46/include/linux/sunrpc/cache.h 2011-08-05 20:33:55.000000000 -0400
64224 @@ -125,7 +125,7 @@ struct cache_detail {
64225 */
64226 struct cache_req {
64227 struct cache_deferred_req *(*defer)(struct cache_req *req);
64228 -};
64229 +} __no_const;
64230 /* this must be embedded in a deferred_request that is being
64231 * delayed awaiting cache-fill
64232 */
64233 diff -urNp linux-2.6.32.46/include/linux/sunrpc/clnt.h linux-2.6.32.46/include/linux/sunrpc/clnt.h
64234 --- linux-2.6.32.46/include/linux/sunrpc/clnt.h 2011-03-27 14:31:47.000000000 -0400
64235 +++ linux-2.6.32.46/include/linux/sunrpc/clnt.h 2011-04-17 15:56:46.000000000 -0400
64236 @@ -167,9 +167,9 @@ static inline unsigned short rpc_get_por
64237 {
64238 switch (sap->sa_family) {
64239 case AF_INET:
64240 - return ntohs(((struct sockaddr_in *)sap)->sin_port);
64241 + return ntohs(((const struct sockaddr_in *)sap)->sin_port);
64242 case AF_INET6:
64243 - return ntohs(((struct sockaddr_in6 *)sap)->sin6_port);
64244 + return ntohs(((const struct sockaddr_in6 *)sap)->sin6_port);
64245 }
64246 return 0;
64247 }
64248 @@ -202,7 +202,7 @@ static inline bool __rpc_cmp_addr4(const
64249 static inline bool __rpc_copy_addr4(struct sockaddr *dst,
64250 const struct sockaddr *src)
64251 {
64252 - const struct sockaddr_in *ssin = (struct sockaddr_in *) src;
64253 + const struct sockaddr_in *ssin = (const struct sockaddr_in *) src;
64254 struct sockaddr_in *dsin = (struct sockaddr_in *) dst;
64255
64256 dsin->sin_family = ssin->sin_family;
64257 @@ -299,7 +299,7 @@ static inline u32 rpc_get_scope_id(const
64258 if (sa->sa_family != AF_INET6)
64259 return 0;
64260
64261 - return ((struct sockaddr_in6 *) sa)->sin6_scope_id;
64262 + return ((const struct sockaddr_in6 *) sa)->sin6_scope_id;
64263 }
64264
64265 #endif /* __KERNEL__ */
64266 diff -urNp linux-2.6.32.46/include/linux/sunrpc/svc_rdma.h linux-2.6.32.46/include/linux/sunrpc/svc_rdma.h
64267 --- linux-2.6.32.46/include/linux/sunrpc/svc_rdma.h 2011-03-27 14:31:47.000000000 -0400
64268 +++ linux-2.6.32.46/include/linux/sunrpc/svc_rdma.h 2011-05-04 17:56:28.000000000 -0400
64269 @@ -53,15 +53,15 @@ extern unsigned int svcrdma_ord;
64270 extern unsigned int svcrdma_max_requests;
64271 extern unsigned int svcrdma_max_req_size;
64272
64273 -extern atomic_t rdma_stat_recv;
64274 -extern atomic_t rdma_stat_read;
64275 -extern atomic_t rdma_stat_write;
64276 -extern atomic_t rdma_stat_sq_starve;
64277 -extern atomic_t rdma_stat_rq_starve;
64278 -extern atomic_t rdma_stat_rq_poll;
64279 -extern atomic_t rdma_stat_rq_prod;
64280 -extern atomic_t rdma_stat_sq_poll;
64281 -extern atomic_t rdma_stat_sq_prod;
64282 +extern atomic_unchecked_t rdma_stat_recv;
64283 +extern atomic_unchecked_t rdma_stat_read;
64284 +extern atomic_unchecked_t rdma_stat_write;
64285 +extern atomic_unchecked_t rdma_stat_sq_starve;
64286 +extern atomic_unchecked_t rdma_stat_rq_starve;
64287 +extern atomic_unchecked_t rdma_stat_rq_poll;
64288 +extern atomic_unchecked_t rdma_stat_rq_prod;
64289 +extern atomic_unchecked_t rdma_stat_sq_poll;
64290 +extern atomic_unchecked_t rdma_stat_sq_prod;
64291
64292 #define RPCRDMA_VERSION 1
64293
64294 diff -urNp linux-2.6.32.46/include/linux/suspend.h linux-2.6.32.46/include/linux/suspend.h
64295 --- linux-2.6.32.46/include/linux/suspend.h 2011-03-27 14:31:47.000000000 -0400
64296 +++ linux-2.6.32.46/include/linux/suspend.h 2011-04-17 15:56:46.000000000 -0400
64297 @@ -104,15 +104,15 @@ typedef int __bitwise suspend_state_t;
64298 * which require special recovery actions in that situation.
64299 */
64300 struct platform_suspend_ops {
64301 - int (*valid)(suspend_state_t state);
64302 - int (*begin)(suspend_state_t state);
64303 - int (*prepare)(void);
64304 - int (*prepare_late)(void);
64305 - int (*enter)(suspend_state_t state);
64306 - void (*wake)(void);
64307 - void (*finish)(void);
64308 - void (*end)(void);
64309 - void (*recover)(void);
64310 + int (* const valid)(suspend_state_t state);
64311 + int (* const begin)(suspend_state_t state);
64312 + int (* const prepare)(void);
64313 + int (* const prepare_late)(void);
64314 + int (* const enter)(suspend_state_t state);
64315 + void (* const wake)(void);
64316 + void (* const finish)(void);
64317 + void (* const end)(void);
64318 + void (* const recover)(void);
64319 };
64320
64321 #ifdef CONFIG_SUSPEND
64322 @@ -120,7 +120,7 @@ struct platform_suspend_ops {
64323 * suspend_set_ops - set platform dependent suspend operations
64324 * @ops: The new suspend operations to set.
64325 */
64326 -extern void suspend_set_ops(struct platform_suspend_ops *ops);
64327 +extern void suspend_set_ops(const struct platform_suspend_ops *ops);
64328 extern int suspend_valid_only_mem(suspend_state_t state);
64329
64330 /**
64331 @@ -145,7 +145,7 @@ extern int pm_suspend(suspend_state_t st
64332 #else /* !CONFIG_SUSPEND */
64333 #define suspend_valid_only_mem NULL
64334
64335 -static inline void suspend_set_ops(struct platform_suspend_ops *ops) {}
64336 +static inline void suspend_set_ops(const struct platform_suspend_ops *ops) {}
64337 static inline int pm_suspend(suspend_state_t state) { return -ENOSYS; }
64338 #endif /* !CONFIG_SUSPEND */
64339
64340 @@ -215,16 +215,16 @@ extern void mark_free_pages(struct zone
64341 * platforms which require special recovery actions in that situation.
64342 */
64343 struct platform_hibernation_ops {
64344 - int (*begin)(void);
64345 - void (*end)(void);
64346 - int (*pre_snapshot)(void);
64347 - void (*finish)(void);
64348 - int (*prepare)(void);
64349 - int (*enter)(void);
64350 - void (*leave)(void);
64351 - int (*pre_restore)(void);
64352 - void (*restore_cleanup)(void);
64353 - void (*recover)(void);
64354 + int (* const begin)(void);
64355 + void (* const end)(void);
64356 + int (* const pre_snapshot)(void);
64357 + void (* const finish)(void);
64358 + int (* const prepare)(void);
64359 + int (* const enter)(void);
64360 + void (* const leave)(void);
64361 + int (* const pre_restore)(void);
64362 + void (* const restore_cleanup)(void);
64363 + void (* const recover)(void);
64364 };
64365
64366 #ifdef CONFIG_HIBERNATION
64367 @@ -243,7 +243,7 @@ extern void swsusp_set_page_free(struct
64368 extern void swsusp_unset_page_free(struct page *);
64369 extern unsigned long get_safe_page(gfp_t gfp_mask);
64370
64371 -extern void hibernation_set_ops(struct platform_hibernation_ops *ops);
64372 +extern void hibernation_set_ops(const struct platform_hibernation_ops *ops);
64373 extern int hibernate(void);
64374 extern bool system_entering_hibernation(void);
64375 #else /* CONFIG_HIBERNATION */
64376 @@ -251,7 +251,7 @@ static inline int swsusp_page_is_forbidd
64377 static inline void swsusp_set_page_free(struct page *p) {}
64378 static inline void swsusp_unset_page_free(struct page *p) {}
64379
64380 -static inline void hibernation_set_ops(struct platform_hibernation_ops *ops) {}
64381 +static inline void hibernation_set_ops(const struct platform_hibernation_ops *ops) {}
64382 static inline int hibernate(void) { return -ENOSYS; }
64383 static inline bool system_entering_hibernation(void) { return false; }
64384 #endif /* CONFIG_HIBERNATION */
64385 diff -urNp linux-2.6.32.46/include/linux/sysctl.h linux-2.6.32.46/include/linux/sysctl.h
64386 --- linux-2.6.32.46/include/linux/sysctl.h 2011-03-27 14:31:47.000000000 -0400
64387 +++ linux-2.6.32.46/include/linux/sysctl.h 2011-04-17 15:56:46.000000000 -0400
64388 @@ -164,7 +164,11 @@ enum
64389 KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
64390 };
64391
64392 -
64393 +#ifdef CONFIG_PAX_SOFTMODE
64394 +enum {
64395 + PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
64396 +};
64397 +#endif
64398
64399 /* CTL_VM names: */
64400 enum
64401 @@ -982,6 +986,8 @@ typedef int proc_handler (struct ctl_tab
64402
64403 extern int proc_dostring(struct ctl_table *, int,
64404 void __user *, size_t *, loff_t *);
64405 +extern int proc_dostring_modpriv(struct ctl_table *, int,
64406 + void __user *, size_t *, loff_t *);
64407 extern int proc_dointvec(struct ctl_table *, int,
64408 void __user *, size_t *, loff_t *);
64409 extern int proc_dointvec_minmax(struct ctl_table *, int,
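Review bot: `proc_dostring_modpriv` is declared with the same signature as `proc_dostring` and no comment on how it differs, and the same goes for `sysctl_string_modpriv` in the next hunk. The name suggests an extra privilege check, but the header does not show which capability is required or whether it covers reads as well as writes. Choosing the plain handler for a ctl_table entry would silently drop that check. A line above the declaration, filled in from the implementation, would make the difference visible: `/* like proc_dostring, but requires <capability> for <read/write> access */`.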
64410 @@ -1003,6 +1009,7 @@ extern int do_sysctl (int __user *name,
64411
64412 extern ctl_handler sysctl_data;
64413 extern ctl_handler sysctl_string;
64414 +extern ctl_handler sysctl_string_modpriv;
64415 extern ctl_handler sysctl_intvec;
64416 extern ctl_handler sysctl_jiffies;
64417 extern ctl_handler sysctl_ms_jiffies;
64418 diff -urNp linux-2.6.32.46/include/linux/sysfs.h linux-2.6.32.46/include/linux/sysfs.h
64419 --- linux-2.6.32.46/include/linux/sysfs.h 2011-03-27 14:31:47.000000000 -0400
64420 +++ linux-2.6.32.46/include/linux/sysfs.h 2011-04-17 15:56:46.000000000 -0400
64421 @@ -75,8 +75,8 @@ struct bin_attribute {
64422 };
64423
64424 struct sysfs_ops {
64425 - ssize_t (*show)(struct kobject *, struct attribute *,char *);
64426 - ssize_t (*store)(struct kobject *,struct attribute *,const char *, size_t);
64427 + ssize_t (* const show)(struct kobject *, struct attribute *,char *);
64428 + ssize_t (* const store)(struct kobject *,struct attribute *,const char *, size_t);
64429 };
64430
64431 struct sysfs_dirent;
64432 diff -urNp linux-2.6.32.46/include/linux/thread_info.h linux-2.6.32.46/include/linux/thread_info.h
64433 --- linux-2.6.32.46/include/linux/thread_info.h 2011-03-27 14:31:47.000000000 -0400
64434 +++ linux-2.6.32.46/include/linux/thread_info.h 2011-04-17 15:56:46.000000000 -0400
64435 @@ -23,7 +23,7 @@ struct restart_block {
64436 };
64437 /* For futex_wait and futex_wait_requeue_pi */
64438 struct {
64439 - u32 *uaddr;
64440 + u32 __user *uaddr;
64441 u32 val;
64442 u32 flags;
64443 u32 bitset;
64444 diff -urNp linux-2.6.32.46/include/linux/tty.h linux-2.6.32.46/include/linux/tty.h
64445 --- linux-2.6.32.46/include/linux/tty.h 2011-03-27 14:31:47.000000000 -0400
64446 +++ linux-2.6.32.46/include/linux/tty.h 2011-08-05 20:33:55.000000000 -0400
64447 @@ -493,7 +493,6 @@ extern void tty_ldisc_begin(void);
64448 /* This last one is just for the tty layer internals and shouldn't be used elsewhere */
64449 extern void tty_ldisc_enable(struct tty_struct *tty);
64450
64451 -
64452 /* n_tty.c */
64453 extern struct tty_ldisc_ops tty_ldisc_N_TTY;
64454
64455 diff -urNp linux-2.6.32.46/include/linux/tty_ldisc.h linux-2.6.32.46/include/linux/tty_ldisc.h
64456 --- linux-2.6.32.46/include/linux/tty_ldisc.h 2011-03-27 14:31:47.000000000 -0400
64457 +++ linux-2.6.32.46/include/linux/tty_ldisc.h 2011-04-17 15:56:46.000000000 -0400
64458 @@ -139,7 +139,7 @@ struct tty_ldisc_ops {
64459
64460 struct module *owner;
64461
64462 - int refcount;
64463 + atomic_t refcount;
64464 };
64465
64466 struct tty_ldisc {
64467 diff -urNp linux-2.6.32.46/include/linux/types.h linux-2.6.32.46/include/linux/types.h
64468 --- linux-2.6.32.46/include/linux/types.h 2011-03-27 14:31:47.000000000 -0400
64469 +++ linux-2.6.32.46/include/linux/types.h 2011-04-17 15:56:46.000000000 -0400
64470 @@ -191,10 +191,26 @@ typedef struct {
64471 volatile int counter;
64472 } atomic_t;
64473
64474 +#ifdef CONFIG_PAX_REFCOUNT
64475 +typedef struct {
64476 + volatile int counter;
64477 +} atomic_unchecked_t;
64478 +#else
64479 +typedef atomic_t atomic_unchecked_t;
64480 +#endif
64481 +
64482 #ifdef CONFIG_64BIT
64483 typedef struct {
64484 volatile long counter;
64485 } atomic64_t;
64486 +
64487 +#ifdef CONFIG_PAX_REFCOUNT
64488 +typedef struct {
64489 + volatile long counter;
64490 +} atomic64_unchecked_t;
64491 +#else
64492 +typedef atomic64_t atomic64_unchecked_t;
64493 +#endif
64494 #endif
64495
64496 struct ustat {
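Review bot: `atomic_unchecked_t` and `atomic64_unchecked_t` are introduced without a comment telling a maintainer when to pick them over `atomic_t`. Judging by the conversions elsewhere in this patch (`rdma_stat_*`, `vm_stat[]`, `flow_cache_genid`, `rt_genid`, `sk_drops`, `iorequest_cnt`), the unchecked type is meant for statistics and generation counters that may wrap harmlessly. Fields such as `refcnt` in `struct inet_peer` and `struct ip_vs_dest` stay `atomic_t`, presumably so CONFIG_PAX_REFCOUNT can trap their overflow; the checking code is not in this hunk. A short comment above the typedef would record that rule, e.g. `/* for counters that may wrap (stats, sequence/generation ids); never for object reference counts */`. Without it, a later change can move a real reference count to the unchecked type and lose the overflow protection with no compiler warning.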
64497 diff -urNp linux-2.6.32.46/include/linux/uaccess.h linux-2.6.32.46/include/linux/uaccess.h
64498 --- linux-2.6.32.46/include/linux/uaccess.h 2011-03-27 14:31:47.000000000 -0400
64499 +++ linux-2.6.32.46/include/linux/uaccess.h 2011-10-06 09:37:14.000000000 -0400
64500 @@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
64501 long ret; \
64502 mm_segment_t old_fs = get_fs(); \
64503 \
64504 - set_fs(KERNEL_DS); \
64505 pagefault_disable(); \
64506 - ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
64507 - pagefault_enable(); \
64508 + set_fs(KERNEL_DS); \
64509 + ret = __copy_from_user_inatomic(&(retval), (typeof(retval) __force_user *)(addr), sizeof(retval)); \
64510 set_fs(old_fs); \
64511 + pagefault_enable(); \
64512 ret; \
64513 })
64514
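Review bot: The reordering puts `set_fs(KERNEL_DS)` and `set_fs(old_fs)` directly around the `__copy_from_user_inatomic()` call, inside the pagefault_disable()/pagefault_enable() pair, but no comment records that the order matters. Presumably the intent is to keep the window in which the address limit is lifted as short as possible; that is an inference from the diff. A comment in the macro body, e.g. `/* keep the KERNEL_DS window limited to the copy itself */`, would keep a later merge from restoring the old order unnoticed. The macro's `#define` line is outside the hunk.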
64515 @@ -93,7 +93,7 @@ static inline unsigned long __copy_from_
64516 * Safely read from address @src to the buffer at @dst. If a kernel fault
64517 * happens, handle that and return -EFAULT.
64518 */
64519 -extern long probe_kernel_read(void *dst, void *src, size_t size);
64520 +extern long probe_kernel_read(void *dst, const void *src, size_t size);
64521
64522 /*
64523 * probe_kernel_write(): safely attempt to write to a location
64524 @@ -104,6 +104,6 @@ extern long probe_kernel_read(void *dst,
64525 * Safely write to address @dst from the buffer at @src. If a kernel fault
64526 * happens, handle that and return -EFAULT.
64527 */
64528 -extern long probe_kernel_write(void *dst, void *src, size_t size);
64529 +extern long probe_kernel_write(void *dst, const void *src, size_t size);
64530
64531 #endif /* __LINUX_UACCESS_H__ */
64532 diff -urNp linux-2.6.32.46/include/linux/unaligned/access_ok.h linux-2.6.32.46/include/linux/unaligned/access_ok.h
64533 --- linux-2.6.32.46/include/linux/unaligned/access_ok.h 2011-03-27 14:31:47.000000000 -0400
64534 +++ linux-2.6.32.46/include/linux/unaligned/access_ok.h 2011-04-17 15:56:46.000000000 -0400
64535 @@ -6,32 +6,32 @@
64536
64537 static inline u16 get_unaligned_le16(const void *p)
64538 {
64539 - return le16_to_cpup((__le16 *)p);
64540 + return le16_to_cpup((const __le16 *)p);
64541 }
64542
64543 static inline u32 get_unaligned_le32(const void *p)
64544 {
64545 - return le32_to_cpup((__le32 *)p);
64546 + return le32_to_cpup((const __le32 *)p);
64547 }
64548
64549 static inline u64 get_unaligned_le64(const void *p)
64550 {
64551 - return le64_to_cpup((__le64 *)p);
64552 + return le64_to_cpup((const __le64 *)p);
64553 }
64554
64555 static inline u16 get_unaligned_be16(const void *p)
64556 {
64557 - return be16_to_cpup((__be16 *)p);
64558 + return be16_to_cpup((const __be16 *)p);
64559 }
64560
64561 static inline u32 get_unaligned_be32(const void *p)
64562 {
64563 - return be32_to_cpup((__be32 *)p);
64564 + return be32_to_cpup((const __be32 *)p);
64565 }
64566
64567 static inline u64 get_unaligned_be64(const void *p)
64568 {
64569 - return be64_to_cpup((__be64 *)p);
64570 + return be64_to_cpup((const __be64 *)p);
64571 }
64572
64573 static inline void put_unaligned_le16(u16 val, void *p)
64574 diff -urNp linux-2.6.32.46/include/linux/vmalloc.h linux-2.6.32.46/include/linux/vmalloc.h
64575 --- linux-2.6.32.46/include/linux/vmalloc.h 2011-03-27 14:31:47.000000000 -0400
64576 +++ linux-2.6.32.46/include/linux/vmalloc.h 2011-04-17 15:56:46.000000000 -0400
64577 @@ -13,6 +13,11 @@ struct vm_area_struct; /* vma defining
64578 #define VM_MAP 0x00000004 /* vmap()ed pages */
64579 #define VM_USERMAP 0x00000008 /* suitable for remap_vmalloc_range */
64580 #define VM_VPAGES 0x00000010 /* buffer for pages was vmalloc'ed */
64581 +
64582 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
64583 +#define VM_KERNEXEC 0x00000020 /* allocate from executable kernel memory range */
64584 +#endif
64585 +
64586 /* bits [20..32] reserved for arch specific ioremap internals */
64587
64588 /*
64589 @@ -123,4 +128,81 @@ struct vm_struct **pcpu_get_vm_areas(con
64590
64591 void pcpu_free_vm_areas(struct vm_struct **vms, int nr_vms);
64592
64593 +#define vmalloc(x) \
64594 +({ \
64595 + void *___retval; \
64596 + intoverflow_t ___x = (intoverflow_t)x; \
64597 + if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n")) \
64598 + ___retval = NULL; \
64599 + else \
64600 + ___retval = vmalloc((unsigned long)___x); \
64601 + ___retval; \
64602 +})
64603 +
64604 +#define __vmalloc(x, y, z) \
64605 +({ \
64606 + void *___retval; \
64607 + intoverflow_t ___x = (intoverflow_t)x; \
64608 + if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
64609 + ___retval = NULL; \
64610 + else \
64611 + ___retval = __vmalloc((unsigned long)___x, (y), (z));\
64612 + ___retval; \
64613 +})
64614 +
64615 +#define vmalloc_user(x) \
64616 +({ \
64617 + void *___retval; \
64618 + intoverflow_t ___x = (intoverflow_t)x; \
64619 + if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
64620 + ___retval = NULL; \
64621 + else \
64622 + ___retval = vmalloc_user((unsigned long)___x); \
64623 + ___retval; \
64624 +})
64625 +
64626 +#define vmalloc_exec(x) \
64627 +({ \
64628 + void *___retval; \
64629 + intoverflow_t ___x = (intoverflow_t)x; \
64630 + if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
64631 + ___retval = NULL; \
64632 + else \
64633 + ___retval = vmalloc_exec((unsigned long)___x); \
64634 + ___retval; \
64635 +})
64636 +
64637 +#define vmalloc_node(x, y) \
64638 +({ \
64639 + void *___retval; \
64640 + intoverflow_t ___x = (intoverflow_t)x; \
64641 + if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
64642 + ___retval = NULL; \
64643 + else \
64644 + ___retval = vmalloc_node((unsigned long)___x, (y));\
64645 + ___retval; \
64646 +})
64647 +
64648 +#define vmalloc_32(x) \
64649 +({ \
64650 + void *___retval; \
64651 + intoverflow_t ___x = (intoverflow_t)x; \
64652 + if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
64653 + ___retval = NULL; \
64654 + else \
64655 + ___retval = vmalloc_32((unsigned long)___x); \
64656 + ___retval; \
64657 +})
64658 +
64659 +#define vmalloc_32_user(x) \
64660 +({ \
64661 + void *___retval; \
64662 + intoverflow_t ___x = (intoverflow_t)x; \
64663 + if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
64664 + ___retval = NULL; \
64665 + else \
64666 + ___retval = vmalloc_32_user((unsigned long)___x);\
64667 + ___retval; \
64668 +})
64669 +
64670 #endif /* _LINUX_VMALLOC_H */
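Review bot: The cast `(intoverflow_t)x` in each of the seven wrappers leaves `x` unparenthesized, which normal macro hygiene would flag, yet here it looks deliberate and nothing says so. With a call such as `vmalloc(n * size)` the cast binds to `n`, so the product is computed in `intoverflow_t` and the `> ULONG_MAX` test can see a value that would have wrapped in `unsigned long`. Writing `(intoverflow_t)(x)` would let the wrap happen before the check. I would add a comment above the first wrapper, for example `/* x is deliberately not parenthesized: the cast must widen the first operand so the size expression is evaluated in intoverflow_t */`. The comment should also state two limits: `a + b * c` still multiplies in the narrow type, and the check can only fire where `intoverflow_t` is wider than `unsigned long`, whose definition is not in this hunk.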
64671 diff -urNp linux-2.6.32.46/include/linux/vmstat.h linux-2.6.32.46/include/linux/vmstat.h
64672 --- linux-2.6.32.46/include/linux/vmstat.h 2011-03-27 14:31:47.000000000 -0400
64673 +++ linux-2.6.32.46/include/linux/vmstat.h 2011-04-17 15:56:46.000000000 -0400
64674 @@ -136,18 +136,18 @@ static inline void vm_events_fold_cpu(in
64675 /*
64676 * Zone based page accounting with per cpu differentials.
64677 */
64678 -extern atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
64679 +extern atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
64680
64681 static inline void zone_page_state_add(long x, struct zone *zone,
64682 enum zone_stat_item item)
64683 {
64684 - atomic_long_add(x, &zone->vm_stat[item]);
64685 - atomic_long_add(x, &vm_stat[item]);
64686 + atomic_long_add_unchecked(x, &zone->vm_stat[item]);
64687 + atomic_long_add_unchecked(x, &vm_stat[item]);
64688 }
64689
64690 static inline unsigned long global_page_state(enum zone_stat_item item)
64691 {
64692 - long x = atomic_long_read(&vm_stat[item]);
64693 + long x = atomic_long_read_unchecked(&vm_stat[item]);
64694 #ifdef CONFIG_SMP
64695 if (x < 0)
64696 x = 0;
64697 @@ -158,7 +158,7 @@ static inline unsigned long global_page_
64698 static inline unsigned long zone_page_state(struct zone *zone,
64699 enum zone_stat_item item)
64700 {
64701 - long x = atomic_long_read(&zone->vm_stat[item]);
64702 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
64703 #ifdef CONFIG_SMP
64704 if (x < 0)
64705 x = 0;
64706 @@ -175,7 +175,7 @@ static inline unsigned long zone_page_st
64707 static inline unsigned long zone_page_state_snapshot(struct zone *zone,
64708 enum zone_stat_item item)
64709 {
64710 - long x = atomic_long_read(&zone->vm_stat[item]);
64711 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
64712
64713 #ifdef CONFIG_SMP
64714 int cpu;
64715 @@ -264,8 +264,8 @@ static inline void __mod_zone_page_state
64716
64717 static inline void __inc_zone_state(struct zone *zone, enum zone_stat_item item)
64718 {
64719 - atomic_long_inc(&zone->vm_stat[item]);
64720 - atomic_long_inc(&vm_stat[item]);
64721 + atomic_long_inc_unchecked(&zone->vm_stat[item]);
64722 + atomic_long_inc_unchecked(&vm_stat[item]);
64723 }
64724
64725 static inline void __inc_zone_page_state(struct page *page,
64726 @@ -276,8 +276,8 @@ static inline void __inc_zone_page_state
64727
64728 static inline void __dec_zone_state(struct zone *zone, enum zone_stat_item item)
64729 {
64730 - atomic_long_dec(&zone->vm_stat[item]);
64731 - atomic_long_dec(&vm_stat[item]);
64732 + atomic_long_dec_unchecked(&zone->vm_stat[item]);
64733 + atomic_long_dec_unchecked(&vm_stat[item]);
64734 }
64735
64736 static inline void __dec_zone_page_state(struct page *page,
64737 diff -urNp linux-2.6.32.46/include/media/saa7146_vv.h linux-2.6.32.46/include/media/saa7146_vv.h
64738 --- linux-2.6.32.46/include/media/saa7146_vv.h 2011-03-27 14:31:47.000000000 -0400
64739 +++ linux-2.6.32.46/include/media/saa7146_vv.h 2011-08-23 21:22:38.000000000 -0400
64740 @@ -167,7 +167,7 @@ struct saa7146_ext_vv
64741 int (*std_callback)(struct saa7146_dev*, struct saa7146_standard *);
64742
64743 /* the extension can override this */
64744 - struct v4l2_ioctl_ops ops;
64745 + v4l2_ioctl_ops_no_const ops;
64746 /* pointer to the saa7146 core ops */
64747 const struct v4l2_ioctl_ops *core_ops;
64748
64749 diff -urNp linux-2.6.32.46/include/media/v4l2-dev.h linux-2.6.32.46/include/media/v4l2-dev.h
64750 --- linux-2.6.32.46/include/media/v4l2-dev.h 2011-03-27 14:31:47.000000000 -0400
64751 +++ linux-2.6.32.46/include/media/v4l2-dev.h 2011-08-05 20:33:55.000000000 -0400
64752 @@ -34,7 +34,7 @@ struct v4l2_device;
64753 #define V4L2_FL_UNREGISTERED (0)
64754
64755 struct v4l2_file_operations {
64756 - struct module *owner;
64757 + struct module * const owner;
64758 ssize_t (*read) (struct file *, char __user *, size_t, loff_t *);
64759 ssize_t (*write) (struct file *, const char __user *, size_t, loff_t *);
64760 unsigned int (*poll) (struct file *, struct poll_table_struct *);
64761 diff -urNp linux-2.6.32.46/include/media/v4l2-device.h linux-2.6.32.46/include/media/v4l2-device.h
64762 --- linux-2.6.32.46/include/media/v4l2-device.h 2011-03-27 14:31:47.000000000 -0400
64763 +++ linux-2.6.32.46/include/media/v4l2-device.h 2011-05-04 17:56:28.000000000 -0400
64764 @@ -71,7 +71,7 @@ int __must_check v4l2_device_register(st
64765 this function returns 0. If the name ends with a digit (e.g. cx18),
64766 then the name will be set to cx18-0 since cx180 looks really odd. */
64767 int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename,
64768 - atomic_t *instance);
64769 + atomic_unchecked_t *instance);
64770
64771 /* Set v4l2_dev->dev to NULL. Call when the USB parent disconnects.
64772 Since the parent disappears this ensures that v4l2_dev doesn't have an
64773 diff -urNp linux-2.6.32.46/include/media/v4l2-ioctl.h linux-2.6.32.46/include/media/v4l2-ioctl.h
64774 --- linux-2.6.32.46/include/media/v4l2-ioctl.h 2011-03-27 14:31:47.000000000 -0400
64775 +++ linux-2.6.32.46/include/media/v4l2-ioctl.h 2011-08-23 21:22:38.000000000 -0400
64776 @@ -243,6 +243,7 @@ struct v4l2_ioctl_ops {
64777 long (*vidioc_default) (struct file *file, void *fh,
64778 int cmd, void *arg);
64779 };
64780 +typedef struct v4l2_ioctl_ops __no_const v4l2_ioctl_ops_no_const;
64781
64782
64783 /* v4l debugging and diagnostics */
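Review bot: `v4l2_ioctl_ops_no_const` opts a table of function pointers out of the patch's constification, so every object declared with it stays writable at run time, and the typedef carries no comment saying why that is needed. The same applies to `libfc_function_template_no_const` in include/scsi/libfc.h and to the `file_operations_no_const` / `seq_operations_no_const` members in include/net/tcp.h and include/net/udp.h. Each such typedef or use should name its reason, for instance `/* writable: saa7146 extensions override individual entries */` here, which matches the existing "the extension can override this" comment in saa7146_vv.h. The definition of `__no_const` is not in this hunk, so its exact effect is assumed from the name and from how the patch uses it.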
64784 diff -urNp linux-2.6.32.46/include/net/flow.h linux-2.6.32.46/include/net/flow.h
64785 --- linux-2.6.32.46/include/net/flow.h 2011-03-27 14:31:47.000000000 -0400
64786 +++ linux-2.6.32.46/include/net/flow.h 2011-05-04 17:56:28.000000000 -0400
64787 @@ -92,7 +92,7 @@ typedef int (*flow_resolve_t)(struct net
64788 extern void *flow_cache_lookup(struct net *net, struct flowi *key, u16 family,
64789 u8 dir, flow_resolve_t resolver);
64790 extern void flow_cache_flush(void);
64791 -extern atomic_t flow_cache_genid;
64792 +extern atomic_unchecked_t flow_cache_genid;
64793
64794 static inline int flow_cache_uli_match(struct flowi *fl1, struct flowi *fl2)
64795 {
64796 diff -urNp linux-2.6.32.46/include/net/inetpeer.h linux-2.6.32.46/include/net/inetpeer.h
64797 --- linux-2.6.32.46/include/net/inetpeer.h 2011-03-27 14:31:47.000000000 -0400
64798 +++ linux-2.6.32.46/include/net/inetpeer.h 2011-04-17 15:56:46.000000000 -0400
64799 @@ -24,7 +24,7 @@ struct inet_peer
64800 __u32 dtime; /* the time of last use of not
64801 * referenced entries */
64802 atomic_t refcnt;
64803 - atomic_t rid; /* Frag reception counter */
64804 + atomic_unchecked_t rid; /* Frag reception counter */
64805 __u32 tcp_ts;
64806 unsigned long tcp_ts_stamp;
64807 };
64808 diff -urNp linux-2.6.32.46/include/net/ip_vs.h linux-2.6.32.46/include/net/ip_vs.h
64809 --- linux-2.6.32.46/include/net/ip_vs.h 2011-03-27 14:31:47.000000000 -0400
64810 +++ linux-2.6.32.46/include/net/ip_vs.h 2011-05-04 17:56:28.000000000 -0400
64811 @@ -365,7 +365,7 @@ struct ip_vs_conn {
64812 struct ip_vs_conn *control; /* Master control connection */
64813 atomic_t n_control; /* Number of controlled ones */
64814 struct ip_vs_dest *dest; /* real server */
64815 - atomic_t in_pkts; /* incoming packet counter */
64816 + atomic_unchecked_t in_pkts; /* incoming packet counter */
64817
64818 /* packet transmitter for different forwarding methods. If it
64819 mangles the packet, it must return NF_DROP or better NF_STOLEN,
64820 @@ -466,7 +466,7 @@ struct ip_vs_dest {
64821 union nf_inet_addr addr; /* IP address of the server */
64822 __be16 port; /* port number of the server */
64823 volatile unsigned flags; /* dest status flags */
64824 - atomic_t conn_flags; /* flags to copy to conn */
64825 + atomic_unchecked_t conn_flags; /* flags to copy to conn */
64826 atomic_t weight; /* server weight */
64827
64828 atomic_t refcnt; /* reference counter */
64829 diff -urNp linux-2.6.32.46/include/net/irda/ircomm_core.h linux-2.6.32.46/include/net/irda/ircomm_core.h
64830 --- linux-2.6.32.46/include/net/irda/ircomm_core.h 2011-03-27 14:31:47.000000000 -0400
64831 +++ linux-2.6.32.46/include/net/irda/ircomm_core.h 2011-08-05 20:33:55.000000000 -0400
64832 @@ -51,7 +51,7 @@ typedef struct {
64833 int (*connect_response)(struct ircomm_cb *, struct sk_buff *);
64834 int (*disconnect_request)(struct ircomm_cb *, struct sk_buff *,
64835 struct ircomm_info *);
64836 -} call_t;
64837 +} __no_const call_t;
64838
64839 struct ircomm_cb {
64840 irda_queue_t queue;
64841 diff -urNp linux-2.6.32.46/include/net/irda/ircomm_tty.h linux-2.6.32.46/include/net/irda/ircomm_tty.h
64842 --- linux-2.6.32.46/include/net/irda/ircomm_tty.h 2011-03-27 14:31:47.000000000 -0400
64843 +++ linux-2.6.32.46/include/net/irda/ircomm_tty.h 2011-04-17 15:56:46.000000000 -0400
64844 @@ -35,6 +35,7 @@
64845 #include <linux/termios.h>
64846 #include <linux/timer.h>
64847 #include <linux/tty.h> /* struct tty_struct */
64848 +#include <asm/local.h>
64849
64850 #include <net/irda/irias_object.h>
64851 #include <net/irda/ircomm_core.h>
64852 @@ -105,8 +106,8 @@ struct ircomm_tty_cb {
64853 unsigned short close_delay;
64854 unsigned short closing_wait; /* time to wait before closing */
64855
64856 - int open_count;
64857 - int blocked_open; /* # of blocked opens */
64858 + local_t open_count;
64859 + local_t blocked_open; /* # of blocked opens */
64860
64861 /* Protect concurent access to :
64862 * o self->open_count
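Review bot: `local_t` is atomic only with respect to the CPU that performs the operation, so converting `open_count` and `blocked_open` does not make them safe to update from several CPUs. The lock that the comment directly below refers to therefore remains necessary. Nothing in the hunk says why `local_t` was chosen over `int` or `atomic_t`; if the aim is overflow detection on these counters, that is inferred, not shown here. A comment on the fields would help, e.g. `local_t open_count; /* still needs the lock described below; local_t is not SMP-atomic */`. `struct ircomm_tty_cb` starts and ends outside the hunk.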
64863 diff -urNp linux-2.6.32.46/include/net/iucv/af_iucv.h linux-2.6.32.46/include/net/iucv/af_iucv.h
64864 --- linux-2.6.32.46/include/net/iucv/af_iucv.h 2011-03-27 14:31:47.000000000 -0400
64865 +++ linux-2.6.32.46/include/net/iucv/af_iucv.h 2011-05-04 17:56:28.000000000 -0400
64866 @@ -87,7 +87,7 @@ struct iucv_sock {
64867 struct iucv_sock_list {
64868 struct hlist_head head;
64869 rwlock_t lock;
64870 - atomic_t autobind_name;
64871 + atomic_unchecked_t autobind_name;
64872 };
64873
64874 unsigned int iucv_sock_poll(struct file *file, struct socket *sock,
64875 diff -urNp linux-2.6.32.46/include/net/lapb.h linux-2.6.32.46/include/net/lapb.h
64876 --- linux-2.6.32.46/include/net/lapb.h 2011-03-27 14:31:47.000000000 -0400
64877 +++ linux-2.6.32.46/include/net/lapb.h 2011-08-05 20:33:55.000000000 -0400
64878 @@ -95,7 +95,7 @@ struct lapb_cb {
64879 struct sk_buff_head write_queue;
64880 struct sk_buff_head ack_queue;
64881 unsigned char window;
64882 - struct lapb_register_struct callbacks;
64883 + struct lapb_register_struct *callbacks;
64884
64885 /* FRMR control information */
64886 struct lapb_frame frmr_data;
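Review bot: Turning `callbacks` from an embedded `struct lapb_register_struct` into a pointer changes ownership. `struct lapb_cb` no longer holds its own copy of the callback table and depends on storage provided by whoever registered it. The code that sets and dereferences the field is outside this hunk, so it needs checking that the pointer is assigned before any callback can fire and that the pointee outlives the `lapb_cb`. I would record the contract on the field itself: `struct lapb_register_struct *callbacks; /* borrowed from the registrant, must stay valid until unregistration */`.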
64887 diff -urNp linux-2.6.32.46/include/net/neighbour.h linux-2.6.32.46/include/net/neighbour.h
64888 --- linux-2.6.32.46/include/net/neighbour.h 2011-03-27 14:31:47.000000000 -0400
64889 +++ linux-2.6.32.46/include/net/neighbour.h 2011-08-26 20:29:08.000000000 -0400
64890 @@ -131,7 +131,7 @@ struct neigh_ops
64891 int (*connected_output)(struct sk_buff*);
64892 int (*hh_output)(struct sk_buff*);
64893 int (*queue_xmit)(struct sk_buff*);
64894 -};
64895 +} __do_const;
64896
64897 struct pneigh_entry
64898 {
64899 diff -urNp linux-2.6.32.46/include/net/netlink.h linux-2.6.32.46/include/net/netlink.h
64900 --- linux-2.6.32.46/include/net/netlink.h 2011-07-13 17:23:04.000000000 -0400
64901 +++ linux-2.6.32.46/include/net/netlink.h 2011-08-21 18:08:11.000000000 -0400
64902 @@ -335,7 +335,7 @@ static inline int nlmsg_ok(const struct
64903 {
64904 return (remaining >= (int) sizeof(struct nlmsghdr) &&
64905 nlh->nlmsg_len >= sizeof(struct nlmsghdr) &&
64906 - nlh->nlmsg_len <= remaining);
64907 + nlh->nlmsg_len <= (unsigned int)remaining);
64908 }
64909
64910 /**
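Review bot: The new `(unsigned int)remaining` cast is only safe because the first conjunct, `remaining >= (int) sizeof(struct nlmsghdr)`, has already rejected negative values, and that dependency is not written down. The comparison was presumably already done in unsigned arithmetic through the implicit conversion, so the cast makes the conversion visible without changing the result. A one-line comment such as `/* remaining is known to be positive here, see the first test */` would stop someone from reordering the conditions or dropping the first one when this length check is next touched. The signature of nlmsg_ok is cut off in the hunk header, so the type of `remaining` is inferred from the `(int)` cast in the first test.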
64911 @@ -558,7 +558,7 @@ static inline void *nlmsg_get_pos(struct
64912 static inline void nlmsg_trim(struct sk_buff *skb, const void *mark)
64913 {
64914 if (mark)
64915 - skb_trim(skb, (unsigned char *) mark - skb->data);
64916 + skb_trim(skb, (const unsigned char *) mark - skb->data);
64917 }
64918
64919 /**
64920 diff -urNp linux-2.6.32.46/include/net/netns/ipv4.h linux-2.6.32.46/include/net/netns/ipv4.h
64921 --- linux-2.6.32.46/include/net/netns/ipv4.h 2011-03-27 14:31:47.000000000 -0400
64922 +++ linux-2.6.32.46/include/net/netns/ipv4.h 2011-05-04 17:56:28.000000000 -0400
64923 @@ -54,7 +54,7 @@ struct netns_ipv4 {
64924 int current_rt_cache_rebuild_count;
64925
64926 struct timer_list rt_secret_timer;
64927 - atomic_t rt_genid;
64928 + atomic_unchecked_t rt_genid;
64929
64930 #ifdef CONFIG_IP_MROUTE
64931 struct sock *mroute_sk;
64932 diff -urNp linux-2.6.32.46/include/net/sctp/sctp.h linux-2.6.32.46/include/net/sctp/sctp.h
64933 --- linux-2.6.32.46/include/net/sctp/sctp.h 2011-03-27 14:31:47.000000000 -0400
64934 +++ linux-2.6.32.46/include/net/sctp/sctp.h 2011-04-17 15:56:46.000000000 -0400
64935 @@ -305,8 +305,8 @@ extern int sctp_debug_flag;
64936
64937 #else /* SCTP_DEBUG */
64938
64939 -#define SCTP_DEBUG_PRINTK(whatever...)
64940 -#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
64941 +#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
64942 +#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
64943 #define SCTP_ENABLE_DEBUG
64944 #define SCTP_DISABLE_DEBUG
64945 #define SCTP_ASSERT(expr, str, func)
64946 diff -urNp linux-2.6.32.46/include/net/secure_seq.h linux-2.6.32.46/include/net/secure_seq.h
64947 --- linux-2.6.32.46/include/net/secure_seq.h 2011-08-16 20:37:25.000000000 -0400
64948 +++ linux-2.6.32.46/include/net/secure_seq.h 2011-08-07 19:48:09.000000000 -0400
64949 @@ -7,14 +7,14 @@ extern __u32 secure_ip_id(__be32 daddr);
64950 extern __u32 secure_ipv6_id(const __be32 daddr[4]);
64951 extern u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport);
64952 extern u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
64953 - __be16 dport);
64954 + __be16 dport);
64955 extern __u32 secure_tcp_sequence_number(__be32 saddr, __be32 daddr,
64956 __be16 sport, __be16 dport);
64957 extern __u32 secure_tcpv6_sequence_number(__be32 *saddr, __be32 *daddr,
64958 - __be16 sport, __be16 dport);
64959 + __be16 sport, __be16 dport);
64960 extern u64 secure_dccp_sequence_number(__be32 saddr, __be32 daddr,
64961 - __be16 sport, __be16 dport);
64962 + __be16 sport, __be16 dport);
64963 extern u64 secure_dccpv6_sequence_number(__be32 *saddr, __be32 *daddr,
64964 - __be16 sport, __be16 dport);
64965 + __be16 sport, __be16 dport);
64966
64967 #endif /* _NET_SECURE_SEQ */
64968 diff -urNp linux-2.6.32.46/include/net/sock.h linux-2.6.32.46/include/net/sock.h
64969 --- linux-2.6.32.46/include/net/sock.h 2011-03-27 14:31:47.000000000 -0400
64970 +++ linux-2.6.32.46/include/net/sock.h 2011-08-21 17:24:37.000000000 -0400
64971 @@ -272,7 +272,7 @@ struct sock {
64972 rwlock_t sk_callback_lock;
64973 int sk_err,
64974 sk_err_soft;
64975 - atomic_t sk_drops;
64976 + atomic_unchecked_t sk_drops;
64977 unsigned short sk_ack_backlog;
64978 unsigned short sk_max_ack_backlog;
64979 __u32 sk_priority;
64980 @@ -737,7 +737,7 @@ static inline void sk_refcnt_debug_relea
64981 extern void sock_prot_inuse_add(struct net *net, struct proto *prot, int inc);
64982 extern int sock_prot_inuse_get(struct net *net, struct proto *proto);
64983 #else
64984 -static void inline sock_prot_inuse_add(struct net *net, struct proto *prot,
64985 +static inline void sock_prot_inuse_add(struct net *net, struct proto *prot,
64986 int inc)
64987 {
64988 }
64989 diff -urNp linux-2.6.32.46/include/net/tcp.h linux-2.6.32.46/include/net/tcp.h
64990 --- linux-2.6.32.46/include/net/tcp.h 2011-03-27 14:31:47.000000000 -0400
64991 +++ linux-2.6.32.46/include/net/tcp.h 2011-08-23 21:29:10.000000000 -0400
64992 @@ -1444,8 +1444,8 @@ enum tcp_seq_states {
64993 struct tcp_seq_afinfo {
64994 char *name;
64995 sa_family_t family;
64996 - struct file_operations seq_fops;
64997 - struct seq_operations seq_ops;
64998 + file_operations_no_const seq_fops;
64999 + seq_operations_no_const seq_ops;
65000 };
65001
65002 struct tcp_iter_state {
65003 diff -urNp linux-2.6.32.46/include/net/udp.h linux-2.6.32.46/include/net/udp.h
65004 --- linux-2.6.32.46/include/net/udp.h 2011-03-27 14:31:47.000000000 -0400
65005 +++ linux-2.6.32.46/include/net/udp.h 2011-08-23 21:29:34.000000000 -0400
65006 @@ -187,8 +187,8 @@ struct udp_seq_afinfo {
65007 char *name;
65008 sa_family_t family;
65009 struct udp_table *udp_table;
65010 - struct file_operations seq_fops;
65011 - struct seq_operations seq_ops;
65012 + file_operations_no_const seq_fops;
65013 + seq_operations_no_const seq_ops;
65014 };
65015
65016 struct udp_iter_state {
65017 diff -urNp linux-2.6.32.46/include/rdma/iw_cm.h linux-2.6.32.46/include/rdma/iw_cm.h
65018 --- linux-2.6.32.46/include/rdma/iw_cm.h 2011-03-27 14:31:47.000000000 -0400
65019 +++ linux-2.6.32.46/include/rdma/iw_cm.h 2011-08-05 20:33:55.000000000 -0400
65020 @@ -129,7 +129,7 @@ struct iw_cm_verbs {
65021 int backlog);
65022
65023 int (*destroy_listen)(struct iw_cm_id *cm_id);
65024 -};
65025 +} __no_const;
65026
65027 /**
65028 * iw_create_cm_id - Create an IW CM identifier.
65029 diff -urNp linux-2.6.32.46/include/scsi/libfc.h linux-2.6.32.46/include/scsi/libfc.h
65030 --- linux-2.6.32.46/include/scsi/libfc.h 2011-03-27 14:31:47.000000000 -0400
65031 +++ linux-2.6.32.46/include/scsi/libfc.h 2011-08-23 21:22:38.000000000 -0400
65032 @@ -675,6 +675,7 @@ struct libfc_function_template {
65033 */
65034 void (*disc_stop_final) (struct fc_lport *);
65035 };
65036 +typedef struct libfc_function_template __no_const libfc_function_template_no_const;
65037
65038 /* information used by the discovery layer */
65039 struct fc_disc {
65040 @@ -707,7 +708,7 @@ struct fc_lport {
65041 struct fc_disc disc;
65042
65043 /* Operational Information */
65044 - struct libfc_function_template tt;
65045 + libfc_function_template_no_const tt;
65046 u8 link_up;
65047 u8 qfull;
65048 enum fc_lport_state state;
65049 diff -urNp linux-2.6.32.46/include/scsi/scsi_device.h linux-2.6.32.46/include/scsi/scsi_device.h
65050 --- linux-2.6.32.46/include/scsi/scsi_device.h 2011-04-17 17:00:52.000000000 -0400
65051 +++ linux-2.6.32.46/include/scsi/scsi_device.h 2011-05-04 17:56:28.000000000 -0400
65052 @@ -156,9 +156,9 @@ struct scsi_device {
65053 unsigned int max_device_blocked; /* what device_blocked counts down from */
65054 #define SCSI_DEFAULT_DEVICE_BLOCKED 3
65055
65056 - atomic_t iorequest_cnt;
65057 - atomic_t iodone_cnt;
65058 - atomic_t ioerr_cnt;
65059 + atomic_unchecked_t iorequest_cnt;
65060 + atomic_unchecked_t iodone_cnt;
65061 + atomic_unchecked_t ioerr_cnt;
65062
65063 struct device sdev_gendev,
65064 sdev_dev;
65065 diff -urNp linux-2.6.32.46/include/scsi/scsi_transport_fc.h linux-2.6.32.46/include/scsi/scsi_transport_fc.h
65066 --- linux-2.6.32.46/include/scsi/scsi_transport_fc.h 2011-03-27 14:31:47.000000000 -0400
65067 +++ linux-2.6.32.46/include/scsi/scsi_transport_fc.h 2011-08-26 20:19:09.000000000 -0400
65068 @@ -708,7 +708,7 @@ struct fc_function_template {
65069 unsigned long show_host_system_hostname:1;
65070
65071 unsigned long disable_target_scan:1;
65072 -};
65073 +} __do_const;
65074
65075
65076 /**
65077 diff -urNp linux-2.6.32.46/include/sound/ac97_codec.h linux-2.6.32.46/include/sound/ac97_codec.h
65078 --- linux-2.6.32.46/include/sound/ac97_codec.h 2011-03-27 14:31:47.000000000 -0400
65079 +++ linux-2.6.32.46/include/sound/ac97_codec.h 2011-04-17 15:56:46.000000000 -0400
65080 @@ -419,15 +419,15 @@
65081 struct snd_ac97;
65082
65083 struct snd_ac97_build_ops {
65084 - int (*build_3d) (struct snd_ac97 *ac97);
65085 - int (*build_specific) (struct snd_ac97 *ac97);
65086 - int (*build_spdif) (struct snd_ac97 *ac97);
65087 - int (*build_post_spdif) (struct snd_ac97 *ac97);
65088 + int (* const build_3d) (struct snd_ac97 *ac97);
65089 + int (* const build_specific) (struct snd_ac97 *ac97);
65090 + int (* const build_spdif) (struct snd_ac97 *ac97);
65091 + int (* const build_post_spdif) (struct snd_ac97 *ac97);
65092 #ifdef CONFIG_PM
65093 - void (*suspend) (struct snd_ac97 *ac97);
65094 - void (*resume) (struct snd_ac97 *ac97);
65095 + void (* const suspend) (struct snd_ac97 *ac97);
65096 + void (* const resume) (struct snd_ac97 *ac97);
65097 #endif
65098 - void (*update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
65099 + void (* const update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
65100 };
65101
65102 struct snd_ac97_bus_ops {
65103 @@ -477,7 +477,7 @@ struct snd_ac97_template {
65104
65105 struct snd_ac97 {
65106 /* -- lowlevel (hardware) driver specific -- */
65107 - struct snd_ac97_build_ops * build_ops;
65108 + const struct snd_ac97_build_ops * build_ops;
65109 void *private_data;
65110 void (*private_free) (struct snd_ac97 *ac97);
65111 /* --- */
65112 diff -urNp linux-2.6.32.46/include/sound/ak4xxx-adda.h linux-2.6.32.46/include/sound/ak4xxx-adda.h
65113 --- linux-2.6.32.46/include/sound/ak4xxx-adda.h 2011-03-27 14:31:47.000000000 -0400
65114 +++ linux-2.6.32.46/include/sound/ak4xxx-adda.h 2011-08-05 20:33:55.000000000 -0400
65115 @@ -35,7 +35,7 @@ struct snd_ak4xxx_ops {
65116 void (*write)(struct snd_akm4xxx *ak, int chip, unsigned char reg,
65117 unsigned char val);
65118 void (*set_rate_val)(struct snd_akm4xxx *ak, unsigned int rate);
65119 -};
65120 +} __no_const;
65121
65122 #define AK4XXX_IMAGE_SIZE (AK4XXX_MAX_CHIPS * 16) /* 64 bytes */
65123
65124 diff -urNp linux-2.6.32.46/include/sound/hwdep.h linux-2.6.32.46/include/sound/hwdep.h
65125 --- linux-2.6.32.46/include/sound/hwdep.h 2011-03-27 14:31:47.000000000 -0400
65126 +++ linux-2.6.32.46/include/sound/hwdep.h 2011-08-05 20:33:55.000000000 -0400
65127 @@ -49,7 +49,7 @@ struct snd_hwdep_ops {
65128 struct snd_hwdep_dsp_status *status);
65129 int (*dsp_load)(struct snd_hwdep *hw,
65130 struct snd_hwdep_dsp_image *image);
65131 -};
65132 +} __no_const;
65133
65134 struct snd_hwdep {
65135 struct snd_card *card;
65136 diff -urNp linux-2.6.32.46/include/sound/info.h linux-2.6.32.46/include/sound/info.h
65137 --- linux-2.6.32.46/include/sound/info.h 2011-03-27 14:31:47.000000000 -0400
65138 +++ linux-2.6.32.46/include/sound/info.h 2011-08-05 20:33:55.000000000 -0400
65139 @@ -44,7 +44,7 @@ struct snd_info_entry_text {
65140 struct snd_info_buffer *buffer);
65141 void (*write)(struct snd_info_entry *entry,
65142 struct snd_info_buffer *buffer);
65143 -};
65144 +} __no_const;
65145
65146 struct snd_info_entry_ops {
65147 int (*open)(struct snd_info_entry *entry,
65148 diff -urNp linux-2.6.32.46/include/sound/pcm.h linux-2.6.32.46/include/sound/pcm.h
65149 --- linux-2.6.32.46/include/sound/pcm.h 2011-03-27 14:31:47.000000000 -0400
65150 +++ linux-2.6.32.46/include/sound/pcm.h 2011-08-23 21:22:38.000000000 -0400
65151 @@ -80,6 +80,7 @@ struct snd_pcm_ops {
65152 int (*mmap)(struct snd_pcm_substream *substream, struct vm_area_struct *vma);
65153 int (*ack)(struct snd_pcm_substream *substream);
65154 };
65155 +typedef struct snd_pcm_ops __no_const snd_pcm_ops_no_const;
65156
65157 /*
65158 *
65159 diff -urNp linux-2.6.32.46/include/sound/sb16_csp.h linux-2.6.32.46/include/sound/sb16_csp.h
65160 --- linux-2.6.32.46/include/sound/sb16_csp.h 2011-03-27 14:31:47.000000000 -0400
65161 +++ linux-2.6.32.46/include/sound/sb16_csp.h 2011-08-05 20:33:55.000000000 -0400
65162 @@ -139,7 +139,7 @@ struct snd_sb_csp_ops {
65163 int (*csp_start) (struct snd_sb_csp * p, int sample_width, int channels);
65164 int (*csp_stop) (struct snd_sb_csp * p);
65165 int (*csp_qsound_transfer) (struct snd_sb_csp * p);
65166 -};
65167 +} __no_const;
65168
65169 /*
65170 * CSP private data
65171 diff -urNp linux-2.6.32.46/include/sound/ymfpci.h linux-2.6.32.46/include/sound/ymfpci.h
65172 --- linux-2.6.32.46/include/sound/ymfpci.h 2011-03-27 14:31:47.000000000 -0400
65173 +++ linux-2.6.32.46/include/sound/ymfpci.h 2011-05-04 17:56:28.000000000 -0400
65174 @@ -358,7 +358,7 @@ struct snd_ymfpci {
65175 spinlock_t reg_lock;
65176 spinlock_t voice_lock;
65177 wait_queue_head_t interrupt_sleep;
65178 - atomic_t interrupt_sleep_count;
65179 + atomic_unchecked_t interrupt_sleep_count;
65180 struct snd_info_entry *proc_entry;
65181 const struct firmware *dsp_microcode;
65182 const struct firmware *controller_microcode;
65183 diff -urNp linux-2.6.32.46/include/trace/events/irq.h linux-2.6.32.46/include/trace/events/irq.h
65184 --- linux-2.6.32.46/include/trace/events/irq.h 2011-03-27 14:31:47.000000000 -0400
65185 +++ linux-2.6.32.46/include/trace/events/irq.h 2011-04-17 15:56:46.000000000 -0400
65186 @@ -34,7 +34,7 @@
65187 */
65188 TRACE_EVENT(irq_handler_entry,
65189
65190 - TP_PROTO(int irq, struct irqaction *action),
65191 + TP_PROTO(int irq, const struct irqaction *action),
65192
65193 TP_ARGS(irq, action),
65194
65195 @@ -64,7 +64,7 @@ TRACE_EVENT(irq_handler_entry,
65196 */
65197 TRACE_EVENT(irq_handler_exit,
65198
65199 - TP_PROTO(int irq, struct irqaction *action, int ret),
65200 + TP_PROTO(int irq, const struct irqaction *action, int ret),
65201
65202 TP_ARGS(irq, action, ret),
65203
65204 @@ -95,7 +95,7 @@ TRACE_EVENT(irq_handler_exit,
65205 */
65206 TRACE_EVENT(softirq_entry,
65207
65208 - TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
65209 + TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
65210
65211 TP_ARGS(h, vec),
65212
65213 @@ -124,7 +124,7 @@ TRACE_EVENT(softirq_entry,
65214 */
65215 TRACE_EVENT(softirq_exit,
65216
65217 - TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
65218 + TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
65219
65220 TP_ARGS(h, vec),
65221
65222 diff -urNp linux-2.6.32.46/include/video/uvesafb.h linux-2.6.32.46/include/video/uvesafb.h
65223 --- linux-2.6.32.46/include/video/uvesafb.h 2011-03-27 14:31:47.000000000 -0400
65224 +++ linux-2.6.32.46/include/video/uvesafb.h 2011-04-17 15:56:46.000000000 -0400
65225 @@ -177,6 +177,7 @@ struct uvesafb_par {
65226 u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
65227 u8 pmi_setpal; /* PMI for palette changes */
65228 u16 *pmi_base; /* protected mode interface location */
65229 + u8 *pmi_code; /* protected mode code location */
65230 void *pmi_start;
65231 void *pmi_pal;
65232 u8 *vbe_state_orig; /*
65233 diff -urNp linux-2.6.32.46/init/do_mounts.c linux-2.6.32.46/init/do_mounts.c
65234 --- linux-2.6.32.46/init/do_mounts.c 2011-03-27 14:31:47.000000000 -0400
65235 +++ linux-2.6.32.46/init/do_mounts.c 2011-04-17 15:56:46.000000000 -0400
65236 @@ -216,11 +216,11 @@ static void __init get_fs_names(char *pa
65237
65238 static int __init do_mount_root(char *name, char *fs, int flags, void *data)
65239 {
65240 - int err = sys_mount(name, "/root", fs, flags, data);
65241 + int err = sys_mount((__force char __user *)name, (__force char __user *)"/root", (__force char __user *)fs, flags, (__force void __user *)data);
65242 if (err)
65243 return err;
65244
65245 - sys_chdir("/root");
65246 + sys_chdir((__force const char __user *)"/root");
65247 ROOT_DEV = current->fs->pwd.mnt->mnt_sb->s_dev;
65248 printk("VFS: Mounted root (%s filesystem)%s on device %u:%u.\n",
65249 current->fs->pwd.mnt->mnt_sb->s_type->name,
65250 @@ -311,18 +311,18 @@ void __init change_floppy(char *fmt, ...
65251 va_start(args, fmt);
65252 vsprintf(buf, fmt, args);
65253 va_end(args);
65254 - fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
65255 + fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
65256 if (fd >= 0) {
65257 sys_ioctl(fd, FDEJECT, 0);
65258 sys_close(fd);
65259 }
65260 printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
65261 - fd = sys_open("/dev/console", O_RDWR, 0);
65262 + fd = sys_open((char __user *)"/dev/console", O_RDWR, 0);
65263 if (fd >= 0) {
65264 sys_ioctl(fd, TCGETS, (long)&termios);
65265 termios.c_lflag &= ~ICANON;
65266 sys_ioctl(fd, TCSETSF, (long)&termios);
65267 - sys_read(fd, &c, 1);
65268 + sys_read(fd, (char __user *)&c, 1);
65269 termios.c_lflag |= ICANON;
65270 sys_ioctl(fd, TCSETSF, (long)&termios);
65271 sys_close(fd);
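Review bot: The casts added in this hunk (`(char __user *)"/dev/root"`, `(char __user *)"/dev/console"`, `(char __user *)&c`) omit `__force`, unlike the `(__force char __user *)` casts in the do_mount_root and prepare_namespace hunks of the same file. Depending on its warning options, a checker such as sparse can still flag the address-space change here, and the casts also drop `const` from string literals. Writing them as `(__force const char __user *)"/dev/root"` and `(__force char __user *)&c` keeps the annotation consistent. The two `sys_mkdir((const char __user *)...)` casts in init/noinitramfs.c have the same gap. change_floppy starts and ends outside the hunk.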
65272 @@ -416,6 +416,6 @@ void __init prepare_namespace(void)
65273 mount_root();
65274 out:
65275 devtmpfs_mount("dev");
65276 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
65277 - sys_chroot(".");
65278 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
65279 + sys_chroot((__force char __user *)".");
65280 }
65281 diff -urNp linux-2.6.32.46/init/do_mounts.h linux-2.6.32.46/init/do_mounts.h
65282 --- linux-2.6.32.46/init/do_mounts.h 2011-03-27 14:31:47.000000000 -0400
65283 +++ linux-2.6.32.46/init/do_mounts.h 2011-10-06 09:37:14.000000000 -0400
65284 @@ -15,15 +15,15 @@ extern int root_mountflags;
65285
65286 static inline int create_dev(char *name, dev_t dev)
65287 {
65288 - sys_unlink(name);
65289 - return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
65290 + sys_unlink((char __force_user *)name);
65291 + return sys_mknod((char __force_user *)name, S_IFBLK|0600, new_encode_dev(dev));
65292 }
65293
65294 #if BITS_PER_LONG == 32
65295 static inline u32 bstat(char *name)
65296 {
65297 struct stat64 stat;
65298 - if (sys_stat64(name, &stat) != 0)
65299 + if (sys_stat64((char __force_user *)name, (struct stat64 __force_user *)&stat) != 0)
65300 return 0;
65301 if (!S_ISBLK(stat.st_mode))
65302 return 0;
65303 @@ -35,7 +35,7 @@ static inline u32 bstat(char *name)
65304 static inline u32 bstat(char *name)
65305 {
65306 struct stat stat;
65307 - if (sys_newstat(name, &stat) != 0)
65308 + if (sys_newstat((const char __force_user *)name, (struct stat __force_user *)&stat) != 0)
65309 return 0;
65310 if (!S_ISBLK(stat.st_mode))
65311 return 0;
65312 diff -urNp linux-2.6.32.46/init/do_mounts_initrd.c linux-2.6.32.46/init/do_mounts_initrd.c
65313 --- linux-2.6.32.46/init/do_mounts_initrd.c 2011-03-27 14:31:47.000000000 -0400
65314 +++ linux-2.6.32.46/init/do_mounts_initrd.c 2011-10-06 09:37:14.000000000 -0400
65315 @@ -32,7 +32,7 @@ static int __init do_linuxrc(void * shel
65316 sys_close(old_fd);sys_close(root_fd);
65317 sys_close(0);sys_close(1);sys_close(2);
65318 sys_setsid();
65319 - (void) sys_open("/dev/console",O_RDWR,0);
65320 + (void) sys_open((__force const char __user *)"/dev/console",O_RDWR,0);
65321 (void) sys_dup(0);
65322 (void) sys_dup(0);
65323 return kernel_execve(shell, argv, envp_init);
65324 @@ -47,13 +47,13 @@ static void __init handle_initrd(void)
65325 create_dev("/dev/root.old", Root_RAM0);
65326 /* mount initrd on rootfs' /root */
65327 mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
65328 - sys_mkdir("/old", 0700);
65329 - root_fd = sys_open("/", 0, 0);
65330 - old_fd = sys_open("/old", 0, 0);
65331 + sys_mkdir((const char __force_user *)"/old", 0700);
65332 + root_fd = sys_open((const char __force_user *)"/", 0, 0);
65333 + old_fd = sys_open((const char __force_user *)"/old", 0, 0);
65334 /* move initrd over / and chdir/chroot in initrd root */
65335 - sys_chdir("/root");
65336 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
65337 - sys_chroot(".");
65338 + sys_chdir((const char __force_user *)"/root");
65339 + sys_mount((char __force_user *)".", (char __force_user *)"/", NULL, MS_MOVE, NULL);
65340 + sys_chroot((const char __force_user *)".");
65341
65342 /*
65343 * In case that a resume from disk is carried out by linuxrc or one of
65344 @@ -70,15 +70,15 @@ static void __init handle_initrd(void)
65345
65346 /* move initrd to rootfs' /old */
65347 sys_fchdir(old_fd);
65348 - sys_mount("/", ".", NULL, MS_MOVE, NULL);
65349 + sys_mount((char __force_user *)"/", (char __force_user *)".", NULL, MS_MOVE, NULL);
65350 /* switch root and cwd back to / of rootfs */
65351 sys_fchdir(root_fd);
65352 - sys_chroot(".");
65353 + sys_chroot((const char __force_user *)".");
65354 sys_close(old_fd);
65355 sys_close(root_fd);
65356
65357 if (new_decode_dev(real_root_dev) == Root_RAM0) {
65358 - sys_chdir("/old");
65359 + sys_chdir((const char __force_user *)"/old");
65360 return;
65361 }
65362
65363 @@ -86,17 +86,17 @@ static void __init handle_initrd(void)
65364 mount_root();
65365
65366 printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
65367 - error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
65368 + error = sys_mount((char __force_user *)"/old", (char __force_user *)"/root/initrd", NULL, MS_MOVE, NULL);
65369 if (!error)
65370 printk("okay\n");
65371 else {
65372 - int fd = sys_open("/dev/root.old", O_RDWR, 0);
65373 + int fd = sys_open((const char __force_user *)"/dev/root.old", O_RDWR, 0);
65374 if (error == -ENOENT)
65375 printk("/initrd does not exist. Ignored.\n");
65376 else
65377 printk("failed\n");
65378 printk(KERN_NOTICE "Unmounting old root\n");
65379 - sys_umount("/old", MNT_DETACH);
65380 + sys_umount((char __force_user *)"/old", MNT_DETACH);
65381 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
65382 if (fd < 0) {
65383 error = fd;
65384 @@ -119,11 +119,11 @@ int __init initrd_load(void)
65385 * mounted in the normal path.
65386 */
65387 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
65388 - sys_unlink("/initrd.image");
65389 + sys_unlink((const char __force_user *)"/initrd.image");
65390 handle_initrd();
65391 return 1;
65392 }
65393 }
65394 - sys_unlink("/initrd.image");
65395 + sys_unlink((const char __force_user *)"/initrd.image");
65396 return 0;
65397 }
65398 diff -urNp linux-2.6.32.46/init/do_mounts_md.c linux-2.6.32.46/init/do_mounts_md.c
65399 --- linux-2.6.32.46/init/do_mounts_md.c 2011-03-27 14:31:47.000000000 -0400
65400 +++ linux-2.6.32.46/init/do_mounts_md.c 2011-10-06 09:37:14.000000000 -0400
65401 @@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
65402 partitioned ? "_d" : "", minor,
65403 md_setup_args[ent].device_names);
65404
65405 - fd = sys_open(name, 0, 0);
65406 + fd = sys_open((char __force_user *)name, 0, 0);
65407 if (fd < 0) {
65408 printk(KERN_ERR "md: open failed - cannot start "
65409 "array %s\n", name);
65410 @@ -233,7 +233,7 @@ static void __init md_setup_drive(void)
65411 * array without it
65412 */
65413 sys_close(fd);
65414 - fd = sys_open(name, 0, 0);
65415 + fd = sys_open((char __force_user *)name, 0, 0);
65416 sys_ioctl(fd, BLKRRPART, 0);
65417 }
65418 sys_close(fd);
65419 @@ -283,7 +283,7 @@ static void __init autodetect_raid(void)
65420
65421 wait_for_device_probe();
65422
65423 - fd = sys_open("/dev/md0", 0, 0);
65424 + fd = sys_open((__force char __user *)"/dev/md0", 0, 0);
65425 if (fd >= 0) {
65426 sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
65427 sys_close(fd);
65428 diff -urNp linux-2.6.32.46/init/initramfs.c linux-2.6.32.46/init/initramfs.c
65429 --- linux-2.6.32.46/init/initramfs.c 2011-03-27 14:31:47.000000000 -0400
65430 +++ linux-2.6.32.46/init/initramfs.c 2011-10-06 09:37:14.000000000 -0400
65431 @@ -74,7 +74,7 @@ static void __init free_hash(void)
65432 }
65433 }
65434
65435 -static long __init do_utime(char __user *filename, time_t mtime)
65436 +static long __init do_utime(__force char __user *filename, time_t mtime)
65437 {
65438 struct timespec t[2];
65439
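Review bot: `__force` is placed on the parameter declaration of do_utime (`__force char __user *filename`), where it has no evident role, since every caller changed in this file already casts its argument with `(char __force_user *)`. Leaving the signature as `static long __init do_utime(char __user *filename, time_t mtime)` and keeping the casts at the call sites would say the same thing once. If the intent is that do_utime only ever receives kernel pointers during early boot, a one-line comment above the function should say so. The body continues outside the hunk.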
65440 @@ -109,7 +109,7 @@ static void __init dir_utime(void)
65441 struct dir_entry *de, *tmp;
65442 list_for_each_entry_safe(de, tmp, &dir_list, list) {
65443 list_del(&de->list);
65444 - do_utime(de->name, de->mtime);
65445 + do_utime((char __force_user *)de->name, de->mtime);
65446 kfree(de->name);
65447 kfree(de);
65448 }
65449 @@ -271,7 +271,7 @@ static int __init maybe_link(void)
65450 if (nlink >= 2) {
65451 char *old = find_link(major, minor, ino, mode, collected);
65452 if (old)
65453 - return (sys_link(old, collected) < 0) ? -1 : 1;
65454 + return (sys_link((char __force_user *)old, (char __force_user *)collected) < 0) ? -1 : 1;
65455 }
65456 return 0;
65457 }
65458 @@ -280,11 +280,11 @@ static void __init clean_path(char *path
65459 {
65460 struct stat st;
65461
65462 - if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
65463 + if (!sys_newlstat((char __force_user *)path, (struct stat __force_user *)&st) && (st.st_mode^mode) & S_IFMT) {
65464 if (S_ISDIR(st.st_mode))
65465 - sys_rmdir(path);
65466 + sys_rmdir((char __force_user *)path);
65467 else
65468 - sys_unlink(path);
65469 + sys_unlink((char __force_user *)path);
65470 }
65471 }
65472
65473 @@ -305,7 +305,7 @@ static int __init do_name(void)
65474 int openflags = O_WRONLY|O_CREAT;
65475 if (ml != 1)
65476 openflags |= O_TRUNC;
65477 - wfd = sys_open(collected, openflags, mode);
65478 + wfd = sys_open((char __force_user *)collected, openflags, mode);
65479
65480 if (wfd >= 0) {
65481 sys_fchown(wfd, uid, gid);
65482 @@ -317,17 +317,17 @@ static int __init do_name(void)
65483 }
65484 }
65485 } else if (S_ISDIR(mode)) {
65486 - sys_mkdir(collected, mode);
65487 - sys_chown(collected, uid, gid);
65488 - sys_chmod(collected, mode);
65489 + sys_mkdir((char __force_user *)collected, mode);
65490 + sys_chown((char __force_user *)collected, uid, gid);
65491 + sys_chmod((char __force_user *)collected, mode);
65492 dir_add(collected, mtime);
65493 } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
65494 S_ISFIFO(mode) || S_ISSOCK(mode)) {
65495 if (maybe_link() == 0) {
65496 - sys_mknod(collected, mode, rdev);
65497 - sys_chown(collected, uid, gid);
65498 - sys_chmod(collected, mode);
65499 - do_utime(collected, mtime);
65500 + sys_mknod((char __force_user *)collected, mode, rdev);
65501 + sys_chown((char __force_user *)collected, uid, gid);
65502 + sys_chmod((char __force_user *)collected, mode);
65503 + do_utime((char __force_user *)collected, mtime);
65504 }
65505 }
65506 return 0;
65507 @@ -336,15 +336,15 @@ static int __init do_name(void)
65508 static int __init do_copy(void)
65509 {
65510 if (count >= body_len) {
65511 - sys_write(wfd, victim, body_len);
65512 + sys_write(wfd, (char __force_user *)victim, body_len);
65513 sys_close(wfd);
65514 - do_utime(vcollected, mtime);
65515 + do_utime((char __force_user *)vcollected, mtime);
65516 kfree(vcollected);
65517 eat(body_len);
65518 state = SkipIt;
65519 return 0;
65520 } else {
65521 - sys_write(wfd, victim, count);
65522 + sys_write(wfd, (char __force_user *)victim, count);
65523 body_len -= count;
65524 eat(count);
65525 return 1;
65526 @@ -355,9 +355,9 @@ static int __init do_symlink(void)
65527 {
65528 collected[N_ALIGN(name_len) + body_len] = '\0';
65529 clean_path(collected, 0);
65530 - sys_symlink(collected + N_ALIGN(name_len), collected);
65531 - sys_lchown(collected, uid, gid);
65532 - do_utime(collected, mtime);
65533 + sys_symlink((char __force_user *)collected + N_ALIGN(name_len), (char __force_user *)collected);
65534 + sys_lchown((char __force_user *)collected, uid, gid);
65535 + do_utime((char __force_user *)collected, mtime);
65536 state = SkipIt;
65537 next_state = Reset;
65538 return 0;
65539 diff -urNp linux-2.6.32.46/init/Kconfig linux-2.6.32.46/init/Kconfig
65540 --- linux-2.6.32.46/init/Kconfig 2011-05-10 22:12:01.000000000 -0400
65541 +++ linux-2.6.32.46/init/Kconfig 2011-05-10 22:12:34.000000000 -0400
65542 @@ -1004,7 +1004,7 @@ config SLUB_DEBUG
65543
65544 config COMPAT_BRK
65545 bool "Disable heap randomization"
65546 - default y
65547 + default n
65548 help
65549 Randomizing heap placement makes heap exploits harder, but it
65550 also breaks ancient binaries (including anything libc5 based).
65551 diff -urNp linux-2.6.32.46/init/main.c linux-2.6.32.46/init/main.c
65552 --- linux-2.6.32.46/init/main.c 2011-05-10 22:12:01.000000000 -0400
65553 +++ linux-2.6.32.46/init/main.c 2011-10-06 09:37:14.000000000 -0400
65554 @@ -97,6 +97,7 @@ static inline void mark_rodata_ro(void)
65555 #ifdef CONFIG_TC
65556 extern void tc_init(void);
65557 #endif
65558 +extern void grsecurity_init(void);
65559
65560 enum system_states system_state __read_mostly;
65561 EXPORT_SYMBOL(system_state);
65562 @@ -183,6 +184,49 @@ static int __init set_reset_devices(char
65563
65564 __setup("reset_devices", set_reset_devices);
65565
65566 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
65567 +extern char pax_enter_kernel_user[];
65568 +extern char pax_exit_kernel_user[];
65569 +extern pgdval_t clone_pgd_mask;
65570 +#endif
65571 +
65572 +#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF)
65573 +static int __init setup_pax_nouderef(char *str)
65574 +{
65575 +#ifdef CONFIG_X86_32
65576 + unsigned int cpu;
65577 + struct desc_struct *gdt;
65578 +
65579 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
65580 + gdt = get_cpu_gdt_table(cpu);
65581 + gdt[GDT_ENTRY_KERNEL_DS].type = 3;
65582 + gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf;
65583 + gdt[GDT_ENTRY_DEFAULT_USER_CS].limit = 0xf;
65584 + gdt[GDT_ENTRY_DEFAULT_USER_DS].limit = 0xf;
65585 + }
65586 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
65587 +#else
65588 + memcpy(pax_enter_kernel_user, (unsigned char []){0xc3}, 1);
65589 + memcpy(pax_exit_kernel_user, (unsigned char []){0xc3}, 1);
65590 + clone_pgd_mask = ~(pgdval_t)0UL;
65591 +#endif
65592 +
65593 + return 0;
65594 +}
65595 +early_param("pax_nouderef", setup_pax_nouderef);
65596 +#endif
65597 +
65598 +#ifdef CONFIG_PAX_SOFTMODE
65599 +int pax_softmode;
65600 +
65601 +static int __init setup_pax_softmode(char *str)
65602 +{
65603 + get_option(&str, &pax_softmode);
65604 + return 1;
65605 +}
65606 +__setup("pax_softmode=", setup_pax_softmode);
65607 +#endif
65608 +
65609 static char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
65610 char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
65611 static const char *panic_later, *panic_param;
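Review bot: `pax_nouderef` appears to switch UDEREF off for the whole boot, yet setup_pax_nouderef logs nothing, so the kernel log cannot show that the protection was dropped from the command line. A `printk(KERN_INFO "PAX: UDEREF disabled by pax_nouderef\n");` before `return 0;` would make that auditable. The constants also need comments: `0xc3` is the x86 `ret` opcode written over the first byte of pax_enter_kernel_user and pax_exit_kernel_user, and the `type = 3` and `limit = 0xf` descriptor values are unexplained. In setup_pax_softmode the return value of `get_option()` is ignored, so a malformed `pax_softmode=` value is accepted silently.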
65612 @@ -705,52 +749,53 @@ int initcall_debug;
65613 core_param(initcall_debug, initcall_debug, bool, 0644);
65614
65615 static char msgbuf[64];
65616 -static struct boot_trace_call call;
65617 -static struct boot_trace_ret ret;
65618 +static struct boot_trace_call trace_call;
65619 +static struct boot_trace_ret trace_ret;
65620
65621 int do_one_initcall(initcall_t fn)
65622 {
65623 int count = preempt_count();
65624 ktime_t calltime, delta, rettime;
65625 + const char *msg1 = "", *msg2 = "";
65626
65627 if (initcall_debug) {
65628 - call.caller = task_pid_nr(current);
65629 - printk("calling %pF @ %i\n", fn, call.caller);
65630 + trace_call.caller = task_pid_nr(current);
65631 + printk("calling %pF @ %i\n", fn, trace_call.caller);
65632 calltime = ktime_get();
65633 - trace_boot_call(&call, fn);
65634 + trace_boot_call(&trace_call, fn);
65635 enable_boot_trace();
65636 }
65637
65638 - ret.result = fn();
65639 + trace_ret.result = fn();
65640
65641 if (initcall_debug) {
65642 disable_boot_trace();
65643 rettime = ktime_get();
65644 delta = ktime_sub(rettime, calltime);
65645 - ret.duration = (unsigned long long) ktime_to_ns(delta) >> 10;
65646 - trace_boot_ret(&ret, fn);
65647 + trace_ret.duration = (unsigned long long) ktime_to_ns(delta) >> 10;
65648 + trace_boot_ret(&trace_ret, fn);
65649 printk("initcall %pF returned %d after %Ld usecs\n", fn,
65650 - ret.result, ret.duration);
65651 + trace_ret.result, trace_ret.duration);
65652 }
65653
65654 msgbuf[0] = 0;
65655
65656 - if (ret.result && ret.result != -ENODEV && initcall_debug)
65657 - sprintf(msgbuf, "error code %d ", ret.result);
65658 + if (trace_ret.result && trace_ret.result != -ENODEV && initcall_debug)
65659 + sprintf(msgbuf, "error code %d ", trace_ret.result);
65660
65661 if (preempt_count() != count) {
65662 - strlcat(msgbuf, "preemption imbalance ", sizeof(msgbuf));
65663 + msg1 = " preemption imbalance";
65664 preempt_count() = count;
65665 }
65666 if (irqs_disabled()) {
65667 - strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
65668 + msg2 = " disabled interrupts";
65669 local_irq_enable();
65670 }
65671 - if (msgbuf[0]) {
65672 - printk("initcall %pF returned with %s\n", fn, msgbuf);
65673 + if (msgbuf[0] || *msg1 || *msg2) {
65674 + printk("initcall %pF returned with %s%s%s\n", fn, msgbuf, msg1, msg2);
65675 }
65676
65677 - return ret.result;
65678 + return trace_ret.result;
65679 }
65680
65681
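Review bot: The new message pieces start with a space (`" preemption imbalance"`, `" disabled interrupts"`), while the format string already has a space after "with" and msgbuf's text ends with one, so the printk prints a double space whenever msg1 or msg2 is set. Using `"initcall %pF returned with%s%s%s\n"` as the format and `" error code %d"` as the error text gives single spaces in every combination. The write into the 64-byte msgbuf would also be clearer as `snprintf(msgbuf, sizeof(msgbuf), " error code %d", trace_ret.result);`, which states the bound at the call.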
65682 @@ -893,11 +938,13 @@ static int __init kernel_init(void * unu
65683 if (!ramdisk_execute_command)
65684 ramdisk_execute_command = "/init";
65685
65686 - if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
65687 + if (sys_access((const char __force_user *) ramdisk_execute_command, 0) != 0) {
65688 ramdisk_execute_command = NULL;
65689 prepare_namespace();
65690 }
65691
65692 + grsecurity_init();
65693 +
65694 /*
65695 * Ok, we have completed the initial bootup, and
65696 * we're essentially up and running. Get rid of the
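Review bot: `grsecurity_init()` is called here unconditionally, and its only visible declaration is the bare `extern void grsecurity_init(void);` added near the top of init/main.c, so nothing checks the prototype against the definition. Declaring it in a shared header that the defining file also includes would let the compiler catch a mismatch. That header could also supply an empty inline stub for builds where the feature is configured out, if such builds are supported (not visible in this hunk). kernel_init starts and ends outside the hunk.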
65697 diff -urNp linux-2.6.32.46/init/noinitramfs.c linux-2.6.32.46/init/noinitramfs.c
65698 --- linux-2.6.32.46/init/noinitramfs.c 2011-03-27 14:31:47.000000000 -0400
65699 +++ linux-2.6.32.46/init/noinitramfs.c 2011-04-17 15:56:46.000000000 -0400
65700 @@ -29,7 +29,7 @@ static int __init default_rootfs(void)
65701 {
65702 int err;
65703
65704 - err = sys_mkdir("/dev", 0755);
65705 + err = sys_mkdir((const char __user *)"/dev", 0755);
65706 if (err < 0)
65707 goto out;
65708
65709 @@ -39,7 +39,7 @@ static int __init default_rootfs(void)
65710 if (err < 0)
65711 goto out;
65712
65713 - err = sys_mkdir("/root", 0700);
65714 + err = sys_mkdir((const char __user *)"/root", 0700);
65715 if (err < 0)
65716 goto out;
65717
65718 diff -urNp linux-2.6.32.46/ipc/mqueue.c linux-2.6.32.46/ipc/mqueue.c
65719 --- linux-2.6.32.46/ipc/mqueue.c 2011-03-27 14:31:47.000000000 -0400
65720 +++ linux-2.6.32.46/ipc/mqueue.c 2011-04-17 15:56:46.000000000 -0400
65721 @@ -150,6 +150,7 @@ static struct inode *mqueue_get_inode(st
65722 mq_bytes = (mq_msg_tblsz +
65723 (info->attr.mq_maxmsg * info->attr.mq_msgsize));
65724
65725 + gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
65726 spin_lock(&mq_lock);
65727 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
65728 u->mq_bytes + mq_bytes >
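Review bot: `gr_learn_resource()` is called with `u->mq_bytes + mq_bytes` before `spin_lock(&mq_lock)` and before the wrap-around test on the following lines, so the value it receives is read without the lock and may already have overflowed. Computing the sum once under the lock, or passing it only after the `u->mq_bytes + mq_bytes < u->mq_bytes` check, would give the learning code the same number the limit check uses. Whether gr_learn_resource may be called with mq_lock held is not visible here. mqueue_get_inode continues outside the hunk.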
65729 diff -urNp linux-2.6.32.46/ipc/msg.c linux-2.6.32.46/ipc/msg.c
65730 --- linux-2.6.32.46/ipc/msg.c 2011-03-27 14:31:47.000000000 -0400
65731 +++ linux-2.6.32.46/ipc/msg.c 2011-08-05 20:33:55.000000000 -0400
65732 @@ -310,18 +310,19 @@ static inline int msg_security(struct ke
65733 return security_msg_queue_associate(msq, msgflg);
65734 }
65735
65736 +static struct ipc_ops msg_ops = {
65737 + .getnew = newque,
65738 + .associate = msg_security,
65739 + .more_checks = NULL
65740 +};
65741 +
65742 SYSCALL_DEFINE2(msgget, key_t, key, int, msgflg)
65743 {
65744 struct ipc_namespace *ns;
65745 - struct ipc_ops msg_ops;
65746 struct ipc_params msg_params;
65747
65748 ns = current->nsproxy->ipc_ns;
65749
65750 - msg_ops.getnew = newque;
65751 - msg_ops.associate = msg_security;
65752 - msg_ops.more_checks = NULL;
65753 -
65754 msg_params.key = key;
65755 msg_params.flg = msgflg;
65756
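Review bot: `msg_ops` moves from the stack to a file-scope `static struct ipc_ops`, which leaves three function pointers in writable kernel data for the lifetime of the system unless the build makes the type const automatically. If `ipcget()` accepts a pointer to const (its prototype is outside this hunk), declaring it `static const struct ipc_ops msg_ops = {` would state the read-only intent in the source, in line with the const changes elsewhere in this patch. The same applies to `sem_ops` in ipc/sem.c and `shm_ops` in ipc/shm.c.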
65757 diff -urNp linux-2.6.32.46/ipc/sem.c linux-2.6.32.46/ipc/sem.c
65758 --- linux-2.6.32.46/ipc/sem.c 2011-03-27 14:31:47.000000000 -0400
65759 +++ linux-2.6.32.46/ipc/sem.c 2011-08-05 20:33:55.000000000 -0400
65760 @@ -309,10 +309,15 @@ static inline int sem_more_checks(struct
65761 return 0;
65762 }
65763
65764 +static struct ipc_ops sem_ops = {
65765 + .getnew = newary,
65766 + .associate = sem_security,
65767 + .more_checks = sem_more_checks
65768 +};
65769 +
65770 SYSCALL_DEFINE3(semget, key_t, key, int, nsems, int, semflg)
65771 {
65772 struct ipc_namespace *ns;
65773 - struct ipc_ops sem_ops;
65774 struct ipc_params sem_params;
65775
65776 ns = current->nsproxy->ipc_ns;
65777 @@ -320,10 +325,6 @@ SYSCALL_DEFINE3(semget, key_t, key, int,
65778 if (nsems < 0 || nsems > ns->sc_semmsl)
65779 return -EINVAL;
65780
65781 - sem_ops.getnew = newary;
65782 - sem_ops.associate = sem_security;
65783 - sem_ops.more_checks = sem_more_checks;
65784 -
65785 sem_params.key = key;
65786 sem_params.flg = semflg;
65787 sem_params.u.nsems = nsems;
65788 @@ -671,6 +672,8 @@ static int semctl_main(struct ipc_namesp
65789 ushort* sem_io = fast_sem_io;
65790 int nsems;
65791
65792 + pax_track_stack();
65793 +
65794 sma = sem_lock_check(ns, semid);
65795 if (IS_ERR(sma))
65796 return PTR_ERR(sma);
65797 @@ -1071,6 +1074,8 @@ SYSCALL_DEFINE4(semtimedop, int, semid,
65798 unsigned long jiffies_left = 0;
65799 struct ipc_namespace *ns;
65800
65801 + pax_track_stack();
65802 +
65803 ns = current->nsproxy->ipc_ns;
65804
65805 if (nsops < 1 || semid < 0)
65806 diff -urNp linux-2.6.32.46/ipc/shm.c linux-2.6.32.46/ipc/shm.c
65807 --- linux-2.6.32.46/ipc/shm.c 2011-03-27 14:31:47.000000000 -0400
65808 +++ linux-2.6.32.46/ipc/shm.c 2011-08-05 20:33:55.000000000 -0400
65809 @@ -70,6 +70,14 @@ static void shm_destroy (struct ipc_name
65810 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
65811 #endif
65812
65813 +#ifdef CONFIG_GRKERNSEC
65814 +extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
65815 + const time_t shm_createtime, const uid_t cuid,
65816 + const int shmid);
65817 +extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
65818 + const time_t shm_createtime);
65819 +#endif
65820 +
65821 void shm_init_ns(struct ipc_namespace *ns)
65822 {
65823 ns->shm_ctlmax = SHMMAX;
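Review bot: The two `extern` prototypes are declared inside ipc/shm.c rather than in a shared header, so the compiler never checks them against the definitions of gr_handle_shmat() and gr_chroot_shmat(). A later change to either signature would still link and silently pass mismatched arguments. Declaring them in a header that the defining file also includes, with inline stubs that return 1 when CONFIG_GRKERNSEC is off, would restore the type check and remove the `#ifdef` around the call in do_shmat.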
65824 @@ -396,6 +404,14 @@ static int newseg(struct ipc_namespace *
65825 shp->shm_lprid = 0;
65826 shp->shm_atim = shp->shm_dtim = 0;
65827 shp->shm_ctim = get_seconds();
65828 +#ifdef CONFIG_GRKERNSEC
65829 + {
65830 + struct timespec timeval;
65831 + do_posix_clock_monotonic_gettime(&timeval);
65832 +
65833 + shp->shm_createtime = timeval.tv_sec;
65834 + }
65835 +#endif
65836 shp->shm_segsz = size;
65837 shp->shm_nattch = 0;
65838 shp->shm_file = file;
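Review bot: The local is a `struct timespec` but is named `timeval`, which is also the name of a different kernel time structure; `struct timespec now;` would read better. The block also does not say why the creation time comes from the monotonic clock while `shm_ctim` on the line above uses get_seconds(). If the reason is that the value must not jump when the wall clock is set, a comment such as `/* monotonic seconds: unaffected by settimeofday() */` would record it. newseg starts and ends outside the hunk.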
65839 @@ -446,18 +462,19 @@ static inline int shm_more_checks(struct
65840 return 0;
65841 }
65842
65843 +static struct ipc_ops shm_ops = {
65844 + .getnew = newseg,
65845 + .associate = shm_security,
65846 + .more_checks = shm_more_checks
65847 +};
65848 +
65849 SYSCALL_DEFINE3(shmget, key_t, key, size_t, size, int, shmflg)
65850 {
65851 struct ipc_namespace *ns;
65852 - struct ipc_ops shm_ops;
65853 struct ipc_params shm_params;
65854
65855 ns = current->nsproxy->ipc_ns;
65856
65857 - shm_ops.getnew = newseg;
65858 - shm_ops.associate = shm_security;
65859 - shm_ops.more_checks = shm_more_checks;
65860 -
65861 shm_params.key = key;
65862 shm_params.flg = shmflg;
65863 shm_params.u.size = size;
65864 @@ -880,9 +897,21 @@ long do_shmat(int shmid, char __user *sh
65865 if (err)
65866 goto out_unlock;
65867
65868 +#ifdef CONFIG_GRKERNSEC
65869 + if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
65870 + shp->shm_perm.cuid, shmid) ||
65871 + !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
65872 + err = -EACCES;
65873 + goto out_unlock;
65874 + }
65875 +#endif
65876 +
65877 path.dentry = dget(shp->shm_file->f_path.dentry);
65878 path.mnt = shp->shm_file->f_path.mnt;
65879 shp->shm_nattch++;
65880 +#ifdef CONFIG_GRKERNSEC
65881 + shp->shm_lapid = current->pid;
65882 +#endif
65883 size = i_size_read(path.dentry->d_inode);
65884 shm_unlock(shp);
65885
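Review bot: `shp->shm_lapid = current->pid;` stores the kernel's per-thread id, so for a multithreaded attacher the recorded value depends on which thread called shmat. If `shm_cprid`, which is passed next to it into gr_handle_shmat() and gr_chroot_shmat(), is a thread-group id (its assignment is outside this hunk), the two fields are in different units; confirm which id the helpers expect and record the same kind in both. The access check itself has no comment: a line above the `#ifdef CONFIG_GRKERNSEC` saying what the two helpers enforce and that a denial returns -EACCES would help the next reader. do_shmat continues outside the hunk.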
65886 diff -urNp linux-2.6.32.46/kernel/acct.c linux-2.6.32.46/kernel/acct.c
65887 --- linux-2.6.32.46/kernel/acct.c 2011-03-27 14:31:47.000000000 -0400
65888 +++ linux-2.6.32.46/kernel/acct.c 2011-10-06 09:37:14.000000000 -0400
65889 @@ -579,7 +579,7 @@ static void do_acct_process(struct bsd_a
65890 */
65891 flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
65892 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
65893 - file->f_op->write(file, (char *)&ac,
65894 + file->f_op->write(file, (char __force_user *)&ac,
65895 sizeof(acct_t), &file->f_pos);
65896 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
65897 set_fs(fs);
65898 diff -urNp linux-2.6.32.46/kernel/audit.c linux-2.6.32.46/kernel/audit.c
65899 --- linux-2.6.32.46/kernel/audit.c 2011-03-27 14:31:47.000000000 -0400
65900 +++ linux-2.6.32.46/kernel/audit.c 2011-05-04 17:56:28.000000000 -0400
65901 @@ -110,7 +110,7 @@ u32 audit_sig_sid = 0;
65902 3) suppressed due to audit_rate_limit
65903 4) suppressed due to audit_backlog_limit
65904 */
65905 -static atomic_t audit_lost = ATOMIC_INIT(0);
65906 +static atomic_unchecked_t audit_lost = ATOMIC_INIT(0);
65907
65908 /* The netlink socket. */
65909 static struct sock *audit_sock;
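Review bot: The switch of `audit_lost` to `atomic_unchecked_t` carries no comment saying why this counter is exempt from overflow checking; something like `/* statistic only, not a reference count: wrapping is harmless */` above the declaration would make the exemption reviewable. The later hunks print the value with `%d` in audit_log_lost() and copy it to `status_set.lost`, so a wrapped counter would appear there as a negative or small number. The `session_id` counter in kernel/auditsc.c gets the same conversion and needs its own justification, since wrapping there means session ids can repeat.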
65910 @@ -232,7 +232,7 @@ void audit_log_lost(const char *message)
65911 unsigned long now;
65912 int print;
65913
65914 - atomic_inc(&audit_lost);
65915 + atomic_inc_unchecked(&audit_lost);
65916
65917 print = (audit_failure == AUDIT_FAIL_PANIC || !audit_rate_limit);
65918
65919 @@ -251,7 +251,7 @@ void audit_log_lost(const char *message)
65920 printk(KERN_WARNING
65921 "audit: audit_lost=%d audit_rate_limit=%d "
65922 "audit_backlog_limit=%d\n",
65923 - atomic_read(&audit_lost),
65924 + atomic_read_unchecked(&audit_lost),
65925 audit_rate_limit,
65926 audit_backlog_limit);
65927 audit_panic(message);
65928 @@ -691,7 +691,7 @@ static int audit_receive_msg(struct sk_b
65929 status_set.pid = audit_pid;
65930 status_set.rate_limit = audit_rate_limit;
65931 status_set.backlog_limit = audit_backlog_limit;
65932 - status_set.lost = atomic_read(&audit_lost);
65933 + status_set.lost = atomic_read_unchecked(&audit_lost);
65934 status_set.backlog = skb_queue_len(&audit_skb_queue);
65935 audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_GET, 0, 0,
65936 &status_set, sizeof(status_set));
65937 @@ -891,8 +891,10 @@ static int audit_receive_msg(struct sk_b
65938 spin_unlock_irq(&tsk->sighand->siglock);
65939 }
65940 read_unlock(&tasklist_lock);
65941 - audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_TTY_GET, 0, 0,
65942 - &s, sizeof(s));
65943 +
65944 + if (!err)
65945 + audit_send_reply(NETLINK_CB(skb).pid, seq,
65946 + AUDIT_TTY_GET, 0, 0, &s, sizeof(s));
65947 break;
65948 }
65949 case AUDIT_TTY_SET: {
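Review bot: The new `if (!err)` guard has no comment explaining what it protects. From the visible lines, `s` is sent to userspace with `sizeof(s)`, and the guard implies it is only filled in when the task lookup above succeeded (the declaration of `s` and the lookup are outside the hunk). A comment such as `/* s is only valid when the task was found; do not reply with uninitialised stack */` would keep the check from being dropped in a later cleanup. Zero-initialising `s` at its declaration would additionally keep the case safe if the guard is ever lost.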
65950 diff -urNp linux-2.6.32.46/kernel/auditsc.c linux-2.6.32.46/kernel/auditsc.c
65951 --- linux-2.6.32.46/kernel/auditsc.c 2011-03-27 14:31:47.000000000 -0400
65952 +++ linux-2.6.32.46/kernel/auditsc.c 2011-05-04 17:56:28.000000000 -0400
65953 @@ -2113,7 +2113,7 @@ int auditsc_get_stamp(struct audit_conte
65954 }
65955
65956 /* global counter which is incremented every time something logs in */
65957 -static atomic_t session_id = ATOMIC_INIT(0);
65958 +static atomic_unchecked_t session_id = ATOMIC_INIT(0);
65959
65960 /**
65961 * audit_set_loginuid - set a task's audit_context loginuid
65962 @@ -2126,7 +2126,7 @@ static atomic_t session_id = ATOMIC_INIT
65963 */
65964 int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
65965 {
65966 - unsigned int sessionid = atomic_inc_return(&session_id);
65967 + unsigned int sessionid = atomic_inc_return_unchecked(&session_id);
65968 struct audit_context *context = task->audit_context;
65969
65970 if (context && context->in_syscall) {
65971 diff -urNp linux-2.6.32.46/kernel/capability.c linux-2.6.32.46/kernel/capability.c
65972 --- linux-2.6.32.46/kernel/capability.c 2011-03-27 14:31:47.000000000 -0400
65973 +++ linux-2.6.32.46/kernel/capability.c 2011-04-17 15:56:46.000000000 -0400
65974 @@ -305,10 +305,26 @@ int capable(int cap)
65975 BUG();
65976 }
65977
65978 - if (security_capable(cap) == 0) {
65979 + if (security_capable(cap) == 0 && gr_is_capable(cap)) {
65980 current->flags |= PF_SUPERPRIV;
65981 return 1;
65982 }
65983 return 0;
65984 }
65985 +
65986 +int capable_nolog(int cap)
65987 +{
65988 + if (unlikely(!cap_valid(cap))) {
65989 + printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap);
65990 + BUG();
65991 + }
65992 +
65993 + if (security_capable(cap) == 0 && gr_is_capable_nolog(cap)) {
65994 + current->flags |= PF_SUPERPRIV;
65995 + return 1;
65996 + }
65997 + return 0;
65998 +}
65999 +
66000 EXPORT_SYMBOL(capable);
66001 +EXPORT_SYMBOL(capable_nolog);
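Review bot: capable_nolog() prints `"capable() called with invalid cap=%u\n"`, so a BUG raised here is attributed to the wrong function; it should read `printk(KERN_CRIT "capable_nolog() called with invalid cap=%d\n", cap);` (`cap` is an `int`, so `%d` matches the argument). The function is otherwise a line-for-line copy of capable() with only the grsecurity helper swapped, and a shared static helper would keep the two permission checks from drifting apart. As an exported symbol it also needs a kernel-doc block stating that it makes the same decision as capable(), sets PF_SUPERPRIV on success, and differs only in calling gr_is_capable_nolog().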
66002 diff -urNp linux-2.6.32.46/kernel/cgroup.c linux-2.6.32.46/kernel/cgroup.c
66003 --- linux-2.6.32.46/kernel/cgroup.c 2011-03-27 14:31:47.000000000 -0400
66004 +++ linux-2.6.32.46/kernel/cgroup.c 2011-05-16 21:46:57.000000000 -0400
66005 @@ -536,6 +536,8 @@ static struct css_set *find_css_set(
66006 struct hlist_head *hhead;
66007 struct cg_cgroup_link *link;
66008
66009 + pax_track_stack();
66010 +
66011 /* First see if we already have a cgroup group that matches
66012 * the desired set */
66013 read_lock(&css_set_lock);
66014 diff -urNp linux-2.6.32.46/kernel/compat.c linux-2.6.32.46/kernel/compat.c
66015 --- linux-2.6.32.46/kernel/compat.c 2011-03-27 14:31:47.000000000 -0400
66016 +++ linux-2.6.32.46/kernel/compat.c 2011-10-06 09:37:14.000000000 -0400
66017 @@ -108,7 +108,7 @@ static long compat_nanosleep_restart(str
66018 mm_segment_t oldfs;
66019 long ret;
66020
66021 - restart->nanosleep.rmtp = (struct timespec __user *) &rmt;
66022 + restart->nanosleep.rmtp = (struct timespec __force_user *) &rmt;
66023 oldfs = get_fs();
66024 set_fs(KERNEL_DS);
66025 ret = hrtimer_nanosleep_restart(restart);
66026 @@ -140,7 +140,7 @@ asmlinkage long compat_sys_nanosleep(str
66027 oldfs = get_fs();
66028 set_fs(KERNEL_DS);
66029 ret = hrtimer_nanosleep(&tu,
66030 - rmtp ? (struct timespec __user *)&rmt : NULL,
66031 + rmtp ? (struct timespec __force_user *)&rmt : NULL,
66032 HRTIMER_MODE_REL, CLOCK_MONOTONIC);
66033 set_fs(oldfs);
66034
66035 @@ -247,7 +247,7 @@ asmlinkage long compat_sys_sigpending(co
66036 mm_segment_t old_fs = get_fs();
66037
66038 set_fs(KERNEL_DS);
66039 - ret = sys_sigpending((old_sigset_t __user *) &s);
66040 + ret = sys_sigpending((old_sigset_t __force_user *) &s);
66041 set_fs(old_fs);
66042 if (ret == 0)
66043 ret = put_user(s, set);
66044 @@ -266,8 +266,8 @@ asmlinkage long compat_sys_sigprocmask(i
66045 old_fs = get_fs();
66046 set_fs(KERNEL_DS);
66047 ret = sys_sigprocmask(how,
66048 - set ? (old_sigset_t __user *) &s : NULL,
66049 - oset ? (old_sigset_t __user *) &s : NULL);
66050 + set ? (old_sigset_t __force_user *) &s : NULL,
66051 + oset ? (old_sigset_t __force_user *) &s : NULL);
66052 set_fs(old_fs);
66053 if (ret == 0)
66054 if (oset)
66055 @@ -310,7 +310,7 @@ asmlinkage long compat_sys_old_getrlimit
66056 mm_segment_t old_fs = get_fs();
66057
66058 set_fs(KERNEL_DS);
66059 - ret = sys_old_getrlimit(resource, &r);
66060 + ret = sys_old_getrlimit(resource, (struct rlimit __force_user *)&r);
66061 set_fs(old_fs);
66062
66063 if (!ret) {
66064 @@ -385,7 +385,7 @@ asmlinkage long compat_sys_getrusage(int
66065 mm_segment_t old_fs = get_fs();
66066
66067 set_fs(KERNEL_DS);
66068 - ret = sys_getrusage(who, (struct rusage __user *) &r);
66069 + ret = sys_getrusage(who, (struct rusage __force_user *) &r);
66070 set_fs(old_fs);
66071
66072 if (ret)
66073 @@ -412,8 +412,8 @@ compat_sys_wait4(compat_pid_t pid, compa
66074 set_fs (KERNEL_DS);
66075 ret = sys_wait4(pid,
66076 (stat_addr ?
66077 - (unsigned int __user *) &status : NULL),
66078 - options, (struct rusage __user *) &r);
66079 + (unsigned int __force_user *) &status : NULL),
66080 + options, (struct rusage __force_user *) &r);
66081 set_fs (old_fs);
66082
66083 if (ret > 0) {
66084 @@ -438,8 +438,8 @@ asmlinkage long compat_sys_waitid(int wh
66085 memset(&info, 0, sizeof(info));
66086
66087 set_fs(KERNEL_DS);
66088 - ret = sys_waitid(which, pid, (siginfo_t __user *)&info, options,
66089 - uru ? (struct rusage __user *)&ru : NULL);
66090 + ret = sys_waitid(which, pid, (siginfo_t __force_user *)&info, options,
66091 + uru ? (struct rusage __force_user *)&ru : NULL);
66092 set_fs(old_fs);
66093
66094 if ((ret < 0) || (info.si_signo == 0))
66095 @@ -569,8 +569,8 @@ long compat_sys_timer_settime(timer_t ti
66096 oldfs = get_fs();
66097 set_fs(KERNEL_DS);
66098 err = sys_timer_settime(timer_id, flags,
66099 - (struct itimerspec __user *) &newts,
66100 - (struct itimerspec __user *) &oldts);
66101 + (struct itimerspec __force_user *) &newts,
66102 + (struct itimerspec __force_user *) &oldts);
66103 set_fs(oldfs);
66104 if (!err && old && put_compat_itimerspec(old, &oldts))
66105 return -EFAULT;
66106 @@ -587,7 +587,7 @@ long compat_sys_timer_gettime(timer_t ti
66107 oldfs = get_fs();
66108 set_fs(KERNEL_DS);
66109 err = sys_timer_gettime(timer_id,
66110 - (struct itimerspec __user *) &ts);
66111 + (struct itimerspec __force_user *) &ts);
66112 set_fs(oldfs);
66113 if (!err && put_compat_itimerspec(setting, &ts))
66114 return -EFAULT;
66115 @@ -606,7 +606,7 @@ long compat_sys_clock_settime(clockid_t
66116 oldfs = get_fs();
66117 set_fs(KERNEL_DS);
66118 err = sys_clock_settime(which_clock,
66119 - (struct timespec __user *) &ts);
66120 + (struct timespec __force_user *) &ts);
66121 set_fs(oldfs);
66122 return err;
66123 }
66124 @@ -621,7 +621,7 @@ long compat_sys_clock_gettime(clockid_t
66125 oldfs = get_fs();
66126 set_fs(KERNEL_DS);
66127 err = sys_clock_gettime(which_clock,
66128 - (struct timespec __user *) &ts);
66129 + (struct timespec __force_user *) &ts);
66130 set_fs(oldfs);
66131 if (!err && put_compat_timespec(&ts, tp))
66132 return -EFAULT;
66133 @@ -638,7 +638,7 @@ long compat_sys_clock_getres(clockid_t w
66134 oldfs = get_fs();
66135 set_fs(KERNEL_DS);
66136 err = sys_clock_getres(which_clock,
66137 - (struct timespec __user *) &ts);
66138 + (struct timespec __force_user *) &ts);
66139 set_fs(oldfs);
66140 if (!err && tp && put_compat_timespec(&ts, tp))
66141 return -EFAULT;
66142 @@ -650,9 +650,9 @@ static long compat_clock_nanosleep_resta
66143 long err;
66144 mm_segment_t oldfs;
66145 struct timespec tu;
66146 - struct compat_timespec *rmtp = restart->nanosleep.compat_rmtp;
66147 + struct compat_timespec __user *rmtp = restart->nanosleep.compat_rmtp;
66148
66149 - restart->nanosleep.rmtp = (struct timespec __user *) &tu;
66150 + restart->nanosleep.rmtp = (struct timespec __force_user *) &tu;
66151 oldfs = get_fs();
66152 set_fs(KERNEL_DS);
66153 err = clock_nanosleep_restart(restart);
66154 @@ -684,8 +684,8 @@ long compat_sys_clock_nanosleep(clockid_
66155 oldfs = get_fs();
66156 set_fs(KERNEL_DS);
66157 err = sys_clock_nanosleep(which_clock, flags,
66158 - (struct timespec __user *) &in,
66159 - (struct timespec __user *) &out);
66160 + (struct timespec __force_user *) &in,
66161 + (struct timespec __force_user *) &out);
66162 set_fs(oldfs);
66163
66164 if ((err == -ERESTART_RESTARTBLOCK) && rmtp &&
66165 diff -urNp linux-2.6.32.46/kernel/configs.c linux-2.6.32.46/kernel/configs.c
66166 --- linux-2.6.32.46/kernel/configs.c 2011-03-27 14:31:47.000000000 -0400
66167 +++ linux-2.6.32.46/kernel/configs.c 2011-04-17 15:56:46.000000000 -0400
66168 @@ -73,8 +73,19 @@ static int __init ikconfig_init(void)
66169 struct proc_dir_entry *entry;
66170
66171 /* create the current config file */
66172 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
66173 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
66174 + entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
66175 + &ikconfig_file_ops);
66176 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
66177 + entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
66178 + &ikconfig_file_ops);
66179 +#endif
66180 +#else
66181 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
66182 &ikconfig_file_ops);
66183 +#endif
66184 +
66185 if (!entry)
66186 return -ENOMEM;
66187
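Review bot: `entry` is left unassigned when CONFIG_GRKERNSEC_PROC_ADD is set but none of CONFIG_GRKERNSEC_PROC_USER, CONFIG_GRKERNSEC_HIDESYM and CONFIG_GRKERNSEC_PROC_USERGROUP is, because the inner `#if`/`#elif` chain has no `#else`. The `if (!entry)` that follows would then test an uninitialised pointer. Kconfig dependencies may rule that combination out, but the source should not depend on it: add an `#else` branch before the inner `#endif` that either repeats the most restrictive `S_IFREG | S_IRUSR` call or stops the build with `#error`. ikconfig_init continues outside the hunk.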
66188 diff -urNp linux-2.6.32.46/kernel/cpu.c linux-2.6.32.46/kernel/cpu.c
66189 --- linux-2.6.32.46/kernel/cpu.c 2011-03-27 14:31:47.000000000 -0400
66190 +++ linux-2.6.32.46/kernel/cpu.c 2011-04-17 15:56:46.000000000 -0400
66191 @@ -19,7 +19,7 @@
66192 /* Serializes the updates to cpu_online_mask, cpu_present_mask */
66193 static DEFINE_MUTEX(cpu_add_remove_lock);
66194
66195 -static __cpuinitdata RAW_NOTIFIER_HEAD(cpu_chain);
66196 +static RAW_NOTIFIER_HEAD(cpu_chain);
66197
66198 /* If set, cpu_up and cpu_down will return -EBUSY and do nothing.
66199 * Should always be manipulated under cpu_add_remove_lock
66200 diff -urNp linux-2.6.32.46/kernel/cred.c linux-2.6.32.46/kernel/cred.c
66201 --- linux-2.6.32.46/kernel/cred.c 2011-03-27 14:31:47.000000000 -0400
66202 +++ linux-2.6.32.46/kernel/cred.c 2011-08-11 19:49:38.000000000 -0400
66203 @@ -160,6 +160,8 @@ static void put_cred_rcu(struct rcu_head
66204 */
66205 void __put_cred(struct cred *cred)
66206 {
66207 + pax_track_stack();
66208 +
66209 kdebug("__put_cred(%p{%d,%d})", cred,
66210 atomic_read(&cred->usage),
66211 read_cred_subscribers(cred));
66212 @@ -184,6 +186,8 @@ void exit_creds(struct task_struct *tsk)
66213 {
66214 struct cred *cred;
66215
66216 + pax_track_stack();
66217 +
66218 kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,
66219 atomic_read(&tsk->cred->usage),
66220 read_cred_subscribers(tsk->cred));
66221 @@ -222,6 +226,8 @@ const struct cred *get_task_cred(struct
66222 {
66223 const struct cred *cred;
66224
66225 + pax_track_stack();
66226 +
66227 rcu_read_lock();
66228
66229 do {
66230 @@ -241,6 +247,8 @@ struct cred *cred_alloc_blank(void)
66231 {
66232 struct cred *new;
66233
66234 + pax_track_stack();
66235 +
66236 new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
66237 if (!new)
66238 return NULL;
66239 @@ -289,6 +297,8 @@ struct cred *prepare_creds(void)
66240 const struct cred *old;
66241 struct cred *new;
66242
66243 + pax_track_stack();
66244 +
66245 validate_process_creds();
66246
66247 new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
66248 @@ -335,6 +345,8 @@ struct cred *prepare_exec_creds(void)
66249 struct thread_group_cred *tgcred = NULL;
66250 struct cred *new;
66251
66252 + pax_track_stack();
66253 +
66254 #ifdef CONFIG_KEYS
66255 tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
66256 if (!tgcred)
66257 @@ -441,6 +453,8 @@ int copy_creds(struct task_struct *p, un
66258 struct cred *new;
66259 int ret;
66260
66261 + pax_track_stack();
66262 +
66263 mutex_init(&p->cred_guard_mutex);
66264
66265 if (
66266 @@ -528,6 +542,8 @@ int commit_creds(struct cred *new)
66267 struct task_struct *task = current;
66268 const struct cred *old = task->real_cred;
66269
66270 + pax_track_stack();
66271 +
66272 kdebug("commit_creds(%p{%d,%d})", new,
66273 atomic_read(&new->usage),
66274 read_cred_subscribers(new));
66275 @@ -544,6 +560,8 @@ int commit_creds(struct cred *new)
66276
66277 get_cred(new); /* we will require a ref for the subj creds too */
66278
66279 + gr_set_role_label(task, new->uid, new->gid);
66280 +
66281 /* dumpability changes */
66282 if (old->euid != new->euid ||
66283 old->egid != new->egid ||
66284 @@ -563,10 +581,8 @@ int commit_creds(struct cred *new)
66285 key_fsgid_changed(task);
66286
66287 /* do it
66288 - * - What if a process setreuid()'s and this brings the
66289 - * new uid over his NPROC rlimit? We can check this now
66290 - * cheaply with the new uid cache, so if it matters
66291 - * we should be checking for it. -DaveM
66292 + * RLIMIT_NPROC limits on user->processes have already been checked
66293 + * in set_user().
66294 */
66295 alter_cred_subscribers(new, 2);
66296 if (new->user != old->user)
66297 @@ -606,6 +622,8 @@ EXPORT_SYMBOL(commit_creds);
66298 */
66299 void abort_creds(struct cred *new)
66300 {
66301 + pax_track_stack();
66302 +
66303 kdebug("abort_creds(%p{%d,%d})", new,
66304 atomic_read(&new->usage),
66305 read_cred_subscribers(new));
66306 @@ -629,6 +647,8 @@ const struct cred *override_creds(const
66307 {
66308 const struct cred *old = current->cred;
66309
66310 + pax_track_stack();
66311 +
66312 kdebug("override_creds(%p{%d,%d})", new,
66313 atomic_read(&new->usage),
66314 read_cred_subscribers(new));
66315 @@ -658,6 +678,8 @@ void revert_creds(const struct cred *old
66316 {
66317 const struct cred *override = current->cred;
66318
66319 + pax_track_stack();
66320 +
66321 kdebug("revert_creds(%p{%d,%d})", old,
66322 atomic_read(&old->usage),
66323 read_cred_subscribers(old));
66324 @@ -704,6 +726,8 @@ struct cred *prepare_kernel_cred(struct
66325 const struct cred *old;
66326 struct cred *new;
66327
66328 + pax_track_stack();
66329 +
66330 new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
66331 if (!new)
66332 return NULL;
66333 @@ -758,6 +782,8 @@ EXPORT_SYMBOL(prepare_kernel_cred);
66334 */
66335 int set_security_override(struct cred *new, u32 secid)
66336 {
66337 + pax_track_stack();
66338 +
66339 return security_kernel_act_as(new, secid);
66340 }
66341 EXPORT_SYMBOL(set_security_override);
66342 @@ -777,6 +803,8 @@ int set_security_override_from_ctx(struc
66343 u32 secid;
66344 int ret;
66345
66346 + pax_track_stack();
66347 +
66348 ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
66349 if (ret < 0)
66350 return ret;
66351 diff -urNp linux-2.6.32.46/kernel/exit.c linux-2.6.32.46/kernel/exit.c
66352 --- linux-2.6.32.46/kernel/exit.c 2011-03-27 14:31:47.000000000 -0400
66353 +++ linux-2.6.32.46/kernel/exit.c 2011-08-17 19:19:50.000000000 -0400
66354 @@ -55,6 +55,10 @@
66355 #include <asm/pgtable.h>
66356 #include <asm/mmu_context.h>
66357
66358 +#ifdef CONFIG_GRKERNSEC
66359 +extern rwlock_t grsec_exec_file_lock;
66360 +#endif
66361 +
66362 static void exit_mm(struct task_struct * tsk);
66363
66364 static void __unhash_process(struct task_struct *p)
66365 @@ -174,6 +178,10 @@ void release_task(struct task_struct * p
66366 struct task_struct *leader;
66367 int zap_leader;
66368 repeat:
66369 +#ifdef CONFIG_NET
66370 + gr_del_task_from_ip_table(p);
66371 +#endif
66372 +
66373 tracehook_prepare_release_task(p);
66374 /* don't need to get the RCU readlock here - the process is dead and
66375 * can't be modifying its own credentials */
66376 @@ -341,11 +349,22 @@ static void reparent_to_kthreadd(void)
66377 {
66378 write_lock_irq(&tasklist_lock);
66379
66380 +#ifdef CONFIG_GRKERNSEC
66381 + write_lock(&grsec_exec_file_lock);
66382 + if (current->exec_file) {
66383 + fput(current->exec_file);
66384 + current->exec_file = NULL;
66385 + }
66386 + write_unlock(&grsec_exec_file_lock);
66387 +#endif
66388 +
66389 ptrace_unlink(current);
66390 /* Reparent to init */
66391 current->real_parent = current->parent = kthreadd_task;
66392 list_move_tail(&current->sibling, &current->real_parent->children);
66393
66394 + gr_set_kernel_label(current);
66395 +
66396 /* Set the exit signal to SIGCHLD so we signal init on exit */
66397 current->exit_signal = SIGCHLD;
66398
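Review bot: fput() is called while `grsec_exec_file_lock` is write-held, and in reparent_to_kthreadd() also inside `write_lock_irq(&tasklist_lock)`. If this drops the last reference to the file, fput() runs the release path, which can sleep, so it should not run under a spinning lock or with interrupts disabled. Detach the pointer under the lock and drop the reference once the locks are released. The identical block added to daemonize() in a later hunk of this file has the same problem with `grsec_exec_file_lock`, and the two copies could share one helper. The unlock of `tasklist_lock` is outside this hunk.

```c
#ifdef CONFIG_GRKERNSEC
	struct file *old_exec_file;	/* belongs with the function's locals */

	write_lock(&grsec_exec_file_lock);
	old_exec_file = current->exec_file;
	current->exec_file = NULL;
	write_unlock(&grsec_exec_file_lock);
#endif
	/* … unchanged: ptrace_unlink(), reparenting, gr_set_kernel_label() … */
#ifdef CONFIG_GRKERNSEC
	/* only after write_unlock_irq(&tasklist_lock), which is outside this hunk */
	if (old_exec_file)
		fput(old_exec_file);
#endif
```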
66399 @@ -397,7 +416,7 @@ int allow_signal(int sig)
66400 * know it'll be handled, so that they don't get converted to
66401 * SIGKILL or just silently dropped.
66402 */
66403 - current->sighand->action[(sig)-1].sa.sa_handler = (void __user *)2;
66404 + current->sighand->action[(sig)-1].sa.sa_handler = (__force void __user *)2;
66405 recalc_sigpending();
66406 spin_unlock_irq(&current->sighand->siglock);
66407 return 0;
66408 @@ -433,6 +452,17 @@ void daemonize(const char *name, ...)
66409 vsnprintf(current->comm, sizeof(current->comm), name, args);
66410 va_end(args);
66411
66412 +#ifdef CONFIG_GRKERNSEC
66413 + write_lock(&grsec_exec_file_lock);
66414 + if (current->exec_file) {
66415 + fput(current->exec_file);
66416 + current->exec_file = NULL;
66417 + }
66418 + write_unlock(&grsec_exec_file_lock);
66419 +#endif
66420 +
66421 + gr_set_kernel_label(current);
66422 +
66423 /*
66424 * If we were started as result of loading a module, close all of the
66425 * user space pages. We don't need them, and if we didn't close them
66426 @@ -897,17 +927,17 @@ NORET_TYPE void do_exit(long code)
66427 struct task_struct *tsk = current;
66428 int group_dead;
66429
66430 - profile_task_exit(tsk);
66431 -
66432 - WARN_ON(atomic_read(&tsk->fs_excl));
66433 -
66434 + /*
66435 + * Check this first since set_fs() below depends on
66436 + * current_thread_info(), which we better not access when we're in
66437 + * interrupt context. Other than that, we want to do the set_fs()
66438 + * as early as possible.
66439 + */
66440 if (unlikely(in_interrupt()))
66441 panic("Aiee, killing interrupt handler!");
66442 - if (unlikely(!tsk->pid))
66443 - panic("Attempted to kill the idle task!");
66444
66445 /*
66446 - * If do_exit is called because this processes oopsed, it's possible
66447 + * If do_exit is called because this processes Oops'ed, it's possible
66448 * that get_fs() was left as KERNEL_DS, so reset it to USER_DS before
66449 * continuing. Amongst other possible reasons, this is to prevent
66450 * mm_release()->clear_child_tid() from writing to a user-controlled
66451 @@ -915,6 +945,13 @@ NORET_TYPE void do_exit(long code)
66452 */
66453 set_fs(USER_DS);
66454
66455 + profile_task_exit(tsk);
66456 +
66457 + WARN_ON(atomic_read(&tsk->fs_excl));
66458 +
66459 + if (unlikely(!tsk->pid))
66460 + panic("Attempted to kill the idle task!");
66461 +
66462 tracehook_report_exit(&code);
66463
66464 validate_creds_for_do_exit(tsk);
66465 @@ -973,6 +1010,9 @@ NORET_TYPE void do_exit(long code)
66466 tsk->exit_code = code;
66467 taskstats_exit(tsk, group_dead);
66468
66469 + gr_acl_handle_psacct(tsk, code);
66470 + gr_acl_handle_exit();
66471 +
66472 exit_mm(tsk);
66473
66474 if (group_dead)
66475 @@ -1188,7 +1228,7 @@ static int wait_task_zombie(struct wait_
66476
66477 if (unlikely(wo->wo_flags & WNOWAIT)) {
66478 int exit_code = p->exit_code;
66479 - int why, status;
66480 + int why;
66481
66482 get_task_struct(p);
66483 read_unlock(&tasklist_lock);
66484 diff -urNp linux-2.6.32.46/kernel/fork.c linux-2.6.32.46/kernel/fork.c
66485 --- linux-2.6.32.46/kernel/fork.c 2011-03-27 14:31:47.000000000 -0400
66486 +++ linux-2.6.32.46/kernel/fork.c 2011-08-11 19:50:07.000000000 -0400
66487 @@ -253,7 +253,7 @@ static struct task_struct *dup_task_stru
66488 *stackend = STACK_END_MAGIC; /* for overflow detection */
66489
66490 #ifdef CONFIG_CC_STACKPROTECTOR
66491 - tsk->stack_canary = get_random_int();
66492 + tsk->stack_canary = pax_get_random_long();
66493 #endif
66494
66495 /* One for us, one for whoever does the "release_task()" (usually parent) */
66496 @@ -293,8 +293,8 @@ static int dup_mmap(struct mm_struct *mm
66497 mm->locked_vm = 0;
66498 mm->mmap = NULL;
66499 mm->mmap_cache = NULL;
66500 - mm->free_area_cache = oldmm->mmap_base;
66501 - mm->cached_hole_size = ~0UL;
66502 + mm->free_area_cache = oldmm->free_area_cache;
66503 + mm->cached_hole_size = oldmm->cached_hole_size;
66504 mm->map_count = 0;
66505 cpumask_clear(mm_cpumask(mm));
66506 mm->mm_rb = RB_ROOT;
66507 @@ -335,6 +335,7 @@ static int dup_mmap(struct mm_struct *mm
66508 tmp->vm_flags &= ~VM_LOCKED;
66509 tmp->vm_mm = mm;
66510 tmp->vm_next = tmp->vm_prev = NULL;
66511 + tmp->vm_mirror = NULL;
66512 anon_vma_link(tmp);
66513 file = tmp->vm_file;
66514 if (file) {
66515 @@ -384,6 +385,31 @@ static int dup_mmap(struct mm_struct *mm
66516 if (retval)
66517 goto out;
66518 }
66519 +
66520 +#ifdef CONFIG_PAX_SEGMEXEC
66521 + if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
66522 + struct vm_area_struct *mpnt_m;
66523 +
66524 + for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
66525 + BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
66526 +
66527 + if (!mpnt->vm_mirror)
66528 + continue;
66529 +
66530 + if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
66531 + BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
66532 + mpnt->vm_mirror = mpnt_m;
66533 + } else {
66534 + BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
66535 + mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
66536 + mpnt_m->vm_mirror->vm_mirror = mpnt_m;
66537 + mpnt->vm_mirror->vm_mirror = mpnt;
66538 + }
66539 + }
66540 + BUG_ON(mpnt_m);
66541 + }
66542 +#endif
66543 +
66544 /* a new mm has just been created */
66545 arch_dup_mmap(oldmm, mm);
66546 retval = 0;
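Review bot: The SEGMEXEC fix-up loop has no comment, and its correctness depends on an ordering that is never stated. The `else` branch expects `mpnt->vm_mirror->vm_mirror->vm_mm` to be the new `mm`, which only holds if the lower-half vma was visited first and had its `vm_mirror` temporarily pointed at the copy by the `if` branch. A comment above the loop should say that the old and new vma lists are walked in lockstep, that a vma with `vm_end <= SEGMEXEC_TASK_SIZE` parks the new vma in the old vma's `vm_mirror`, and that the visit of its upper-half mirror then links the two new vmas and restores the old pair. It should also say that the BUG_ON()s are consistency checks on that invariant. dup_mmap starts outside the hunk.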
66547 @@ -734,13 +760,14 @@ static int copy_fs(unsigned long clone_f
66548 write_unlock(&fs->lock);
66549 return -EAGAIN;
66550 }
66551 - fs->users++;
66552 + atomic_inc(&fs->users);
66553 write_unlock(&fs->lock);
66554 return 0;
66555 }
66556 tsk->fs = copy_fs_struct(fs);
66557 if (!tsk->fs)
66558 return -ENOMEM;
66559 + gr_set_chroot_entries(tsk, &tsk->fs->root);
66560 return 0;
66561 }
66562
66563 @@ -1033,12 +1060,16 @@ static struct task_struct *copy_process(
66564 DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
66565 #endif
66566 retval = -EAGAIN;
66567 +
66568 + gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
66569 +
66570 if (atomic_read(&p->real_cred->user->processes) >=
66571 p->signal->rlim[RLIMIT_NPROC].rlim_cur) {
66572 - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
66573 - p->real_cred->user != INIT_USER)
66574 + if (p->real_cred->user != INIT_USER &&
66575 + !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN))
66576 goto bad_fork_free;
66577 }
66578 + current->flags &= ~PF_NPROC_EXCEEDED;
66579
66580 retval = copy_creds(p, clone_flags);
66581 if (retval < 0)
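Review bot: The reordered condition now tests `p->real_cred->user != INIT_USER` before calling capable(), but nothing records why the order matters. capable() has side effects (it sets PF_SUPERPRIV, as the kernel/capability.c hunk of this patch shows), so evaluating it only when the cheap comparison fails looks deliberate. A comment such as `/* test INIT_USER first: capable() sets PF_SUPERPRIV */` would stop a later cleanup from swapping it back. The new `current->flags &= ~PF_NPROC_EXCEEDED;` also needs a line saying where the flag is set, since that is not visible in this hunk.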
66582 @@ -1183,6 +1214,8 @@ static struct task_struct *copy_process(
66583 goto bad_fork_free_pid;
66584 }
66585
66586 + gr_copy_label(p);
66587 +
66588 p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
66589 /*
66590 * Clear TID on mm_release()?
66591 @@ -1333,6 +1366,8 @@ bad_fork_cleanup_count:
66592 bad_fork_free:
66593 free_task(p);
66594 fork_out:
66595 + gr_log_forkfail(retval);
66596 +
66597 return ERR_PTR(retval);
66598 }
66599
66600 @@ -1426,6 +1461,8 @@ long do_fork(unsigned long clone_flags,
66601 if (clone_flags & CLONE_PARENT_SETTID)
66602 put_user(nr, parent_tidptr);
66603
66604 + gr_handle_brute_check();
66605 +
66606 if (clone_flags & CLONE_VFORK) {
66607 p->vfork_done = &vfork;
66608 init_completion(&vfork);
66609 @@ -1558,7 +1595,7 @@ static int unshare_fs(unsigned long unsh
66610 return 0;
66611
66612 /* don't need lock here; in the worst case we'll do useless copy */
66613 - if (fs->users == 1)
66614 + if (atomic_read(&fs->users) == 1)
66615 return 0;
66616
66617 *new_fsp = copy_fs_struct(fs);
66618 @@ -1681,7 +1718,8 @@ SYSCALL_DEFINE1(unshare, unsigned long,
66619 fs = current->fs;
66620 write_lock(&fs->lock);
66621 current->fs = new_fs;
66622 - if (--fs->users)
66623 + gr_set_chroot_entries(current, &current->fs->root);
66624 + if (atomic_dec_return(&fs->users))
66625 new_fs = NULL;
66626 else
66627 new_fs = fs;
66628 diff -urNp linux-2.6.32.46/kernel/futex.c linux-2.6.32.46/kernel/futex.c
66629 --- linux-2.6.32.46/kernel/futex.c 2011-08-29 22:24:44.000000000 -0400
66630 +++ linux-2.6.32.46/kernel/futex.c 2011-08-29 22:25:07.000000000 -0400
66631 @@ -54,6 +54,7 @@
66632 #include <linux/mount.h>
66633 #include <linux/pagemap.h>
66634 #include <linux/syscalls.h>
66635 +#include <linux/ptrace.h>
66636 #include <linux/signal.h>
66637 #include <linux/module.h>
66638 #include <linux/magic.h>
66639 @@ -223,6 +224,11 @@ get_futex_key(u32 __user *uaddr, int fsh
66640 struct page *page;
66641 int err, ro = 0;
66642
66643 +#ifdef CONFIG_PAX_SEGMEXEC
66644 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
66645 + return -EFAULT;
66646 +#endif
66647 +
66648 /*
66649 * The futex address must be "naturally" aligned.
66650 */
66651 @@ -1819,6 +1825,8 @@ static int futex_wait(u32 __user *uaddr,
66652 struct futex_q q;
66653 int ret;
66654
66655 + pax_track_stack();
66656 +
66657 if (!bitset)
66658 return -EINVAL;
66659
66660 @@ -1871,7 +1879,7 @@ retry:
66661
66662 restart = &current_thread_info()->restart_block;
66663 restart->fn = futex_wait_restart;
66664 - restart->futex.uaddr = (u32 *)uaddr;
66665 + restart->futex.uaddr = uaddr;
66666 restart->futex.val = val;
66667 restart->futex.time = abs_time->tv64;
66668 restart->futex.bitset = bitset;
66669 @@ -2233,6 +2241,8 @@ static int futex_wait_requeue_pi(u32 __u
66670 struct futex_q q;
66671 int res, ret;
66672
66673 + pax_track_stack();
66674 +
66675 if (!bitset)
66676 return -EINVAL;
66677
66678 @@ -2407,7 +2417,9 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
66679 {
66680 struct robust_list_head __user *head;
66681 unsigned long ret;
66682 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
66683 const struct cred *cred = current_cred(), *pcred;
66684 +#endif
66685
66686 if (!futex_cmpxchg_enabled)
66687 return -ENOSYS;
66688 @@ -2423,11 +2435,16 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
66689 if (!p)
66690 goto err_unlock;
66691 ret = -EPERM;
66692 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
66693 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
66694 + goto err_unlock;
66695 +#else
66696 pcred = __task_cred(p);
66697 if (cred->euid != pcred->euid &&
66698 cred->euid != pcred->uid &&
66699 !capable(CAP_SYS_PTRACE))
66700 goto err_unlock;
66701 +#endif
66702 head = p->robust_list;
66703 rcu_read_unlock();
66704 }
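Review bot: The permission check for get_robust_list now exists in two forms, and the stricter `ptrace_may_access(p, PTRACE_MODE_READ)` is compiled only under CONFIG_GRKERNSEC_PROC_MEMMAP, an option whose name does not suggest that it governs this syscall. Kernels built without it keep the euid/uid comparison, which returns the target's robust-list address without going through ptrace access control. Using ptrace_may_access() unconditionally would remove this `#ifdef` and the matching `#ifndef` around the `cred`/`pcred` declaration in the previous hunk. The same applies to compat_sys_get_robust_list in kernel/futex_compat.c. If the split is intended, a comment giving the reason is needed.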
66705 @@ -2489,7 +2506,7 @@ retry:
66706 */
66707 static inline int fetch_robust_entry(struct robust_list __user **entry,
66708 struct robust_list __user * __user *head,
66709 - int *pi)
66710 + unsigned int *pi)
66711 {
66712 unsigned long uentry;
66713
66714 @@ -2670,6 +2687,7 @@ static int __init futex_init(void)
66715 {
66716 u32 curval;
66717 int i;
66718 + mm_segment_t oldfs;
66719
66720 /*
66721 * This will fail and we want it. Some arch implementations do
66722 @@ -2681,7 +2699,10 @@ static int __init futex_init(void)
66723 * implementation, the non functional ones will return
66724 * -ENOSYS.
66725 */
66726 + oldfs = get_fs();
66727 + set_fs(USER_DS);
66728 curval = cmpxchg_futex_value_locked(NULL, 0, 0);
66729 + set_fs(oldfs);
66730 if (curval == -EFAULT)
66731 futex_cmpxchg_enabled = 1;
66732
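Review bot: The `set_fs(USER_DS)` / `set_fs(oldfs)` pair around the probe has no comment, and the existing comment above it only explains why the call is expected to fail. My reading, which the hunk does not confirm, is that the NULL access must be treated as a user access so that it comes back as `-EFAULT` rather than being taken as a kernel dereference during init. A line directly above `oldfs = get_fs();` would record that: `/* probe with the user segment so the NULL access faults as a user access */`. The `oldfs` declaration is added in the preceding hunk of the same function.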
66733 diff -urNp linux-2.6.32.46/kernel/futex_compat.c linux-2.6.32.46/kernel/futex_compat.c
66734 --- linux-2.6.32.46/kernel/futex_compat.c 2011-03-27 14:31:47.000000000 -0400
66735 +++ linux-2.6.32.46/kernel/futex_compat.c 2011-04-17 15:56:46.000000000 -0400
66736 @@ -10,6 +10,7 @@
66737 #include <linux/compat.h>
66738 #include <linux/nsproxy.h>
66739 #include <linux/futex.h>
66740 +#include <linux/ptrace.h>
66741
66742 #include <asm/uaccess.h>
66743
66744 @@ -135,7 +136,10 @@ compat_sys_get_robust_list(int pid, comp
66745 {
66746 struct compat_robust_list_head __user *head;
66747 unsigned long ret;
66748 - const struct cred *cred = current_cred(), *pcred;
66749 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
66750 + const struct cred *cred = current_cred();
66751 + const struct cred *pcred;
66752 +#endif
66753
66754 if (!futex_cmpxchg_enabled)
66755 return -ENOSYS;
66756 @@ -151,11 +155,16 @@ compat_sys_get_robust_list(int pid, comp
66757 if (!p)
66758 goto err_unlock;
66759 ret = -EPERM;
66760 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
66761 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
66762 + goto err_unlock;
66763 +#else
66764 pcred = __task_cred(p);
66765 if (cred->euid != pcred->euid &&
66766 cred->euid != pcred->uid &&
66767 !capable(CAP_SYS_PTRACE))
66768 goto err_unlock;
66769 +#endif
66770 head = p->compat_robust_list;
66771 read_unlock(&tasklist_lock);
66772 }
66773 diff -urNp linux-2.6.32.46/kernel/gcov/base.c linux-2.6.32.46/kernel/gcov/base.c
66774 --- linux-2.6.32.46/kernel/gcov/base.c 2011-03-27 14:31:47.000000000 -0400
66775 +++ linux-2.6.32.46/kernel/gcov/base.c 2011-04-17 15:56:46.000000000 -0400
66776 @@ -102,11 +102,6 @@ void gcov_enable_events(void)
66777 }
66778
66779 #ifdef CONFIG_MODULES
66780 -static inline int within(void *addr, void *start, unsigned long size)
66781 -{
66782 - return ((addr >= start) && (addr < start + size));
66783 -}
66784 -
66785 /* Update list and generate events when modules are unloaded. */
66786 static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
66787 void *data)
66788 @@ -121,7 +116,7 @@ static int gcov_module_notifier(struct n
66789 prev = NULL;
66790 /* Remove entries located in module from linked list. */
66791 for (info = gcov_info_head; info; info = info->next) {
66792 - if (within(info, mod->module_core, mod->core_size)) {
66793 + if (within_module_core_rw((unsigned long)info, mod)) {
66794 if (prev)
66795 prev->next = info->next;
66796 else
66797 diff -urNp linux-2.6.32.46/kernel/hrtimer.c linux-2.6.32.46/kernel/hrtimer.c
66798 --- linux-2.6.32.46/kernel/hrtimer.c 2011-03-27 14:31:47.000000000 -0400
66799 +++ linux-2.6.32.46/kernel/hrtimer.c 2011-04-17 15:56:46.000000000 -0400
66800 @@ -1391,7 +1391,7 @@ void hrtimer_peek_ahead_timers(void)
66801 local_irq_restore(flags);
66802 }
66803
66804 -static void run_hrtimer_softirq(struct softirq_action *h)
66805 +static void run_hrtimer_softirq(void)
66806 {
66807 hrtimer_peek_ahead_timers();
66808 }
66809 diff -urNp linux-2.6.32.46/kernel/kallsyms.c linux-2.6.32.46/kernel/kallsyms.c
66810 --- linux-2.6.32.46/kernel/kallsyms.c 2011-03-27 14:31:47.000000000 -0400
66811 +++ linux-2.6.32.46/kernel/kallsyms.c 2011-04-17 15:56:46.000000000 -0400
66812 @@ -11,6 +11,9 @@
66813 * Changed the compression method from stem compression to "table lookup"
66814 * compression (see scripts/kallsyms.c for a more complete description)
66815 */
66816 +#ifdef CONFIG_GRKERNSEC_HIDESYM
66817 +#define __INCLUDED_BY_HIDESYM 1
66818 +#endif
66819 #include <linux/kallsyms.h>
66820 #include <linux/module.h>
66821 #include <linux/init.h>
66822 @@ -51,12 +54,33 @@ extern const unsigned long kallsyms_mark
66823
66824 static inline int is_kernel_inittext(unsigned long addr)
66825 {
66826 + if (system_state != SYSTEM_BOOTING)
66827 + return 0;
66828 +
66829 if (addr >= (unsigned long)_sinittext
66830 && addr <= (unsigned long)_einittext)
66831 return 1;
66832 return 0;
66833 }
66834
66835 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
66836 +#ifdef CONFIG_MODULES
66837 +static inline int is_module_text(unsigned long addr)
66838 +{
66839 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END)
66840 + return 1;
66841 +
66842 + addr = ktla_ktva(addr);
66843 + return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END;
66844 +}
66845 +#else
66846 +static inline int is_module_text(unsigned long addr)
66847 +{
66848 + return 0;
66849 +}
66850 +#endif
66851 +#endif
66852 +
66853 static inline int is_kernel_text(unsigned long addr)
66854 {
66855 if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) ||
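Review bot: `is_module_text()` has no comment on why it tests the address twice, once as given and once after `ktla_ktva()`, and the range expression is written out in full both times. A one-line comment such as `/* addr may be either alias of module text, so test it before and after translation */` would make the intent clear, with the wording checked against the definition of `ktla_ktva`, which is not in this hunk. Both comparisons use an inclusive upper bound, `addr <= (unsigned long)MODULES_EXEC_END`, which is right only if `MODULES_EXEC_END` names the last valid byte; please confirm at its definition. The new `system_state != SYSTEM_BOOTING` guard in `is_kernel_inittext()` deserves a short why-comment as well.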
66856 @@ -67,13 +91,28 @@ static inline int is_kernel_text(unsigne
66857
66858 static inline int is_kernel(unsigned long addr)
66859 {
66860 +
66861 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
66862 + if (is_kernel_text(addr) || is_kernel_inittext(addr))
66863 + return 1;
66864 +
66865 + if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end)
66866 +#else
66867 if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
66868 +#endif
66869 +
66870 return 1;
66871 return in_gate_area_no_task(addr);
66872 }
66873
66874 static int is_ksym_addr(unsigned long addr)
66875 {
66876 +
66877 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
66878 + if (is_module_text(addr))
66879 + return 0;
66880 +#endif
66881 +
66882 if (all_var)
66883 return is_kernel(addr);
66884
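Review bot: In `is_kernel()` the `if` condition is selected by `#if`/`#else` while the `return 1;` it guards sits after the `#endif`, separated by a blank line, so the statement cannot be read without resolving the preprocessor by eye. Each branch should carry its own complete statement, e.g. `if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end) return 1;` inside the `#if` and the original two lines inside the `#else`. The two branches also differ in the upper bound (`addr < _end` against `addr <= _end`); if that is intended it needs a comment, otherwise one of them is off by one. The blank lines added right after the opening braces of `is_kernel()` and `is_ksym_addr()` can be dropped.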
66885 @@ -413,7 +452,6 @@ static unsigned long get_ksymbol_core(st
66886
66887 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
66888 {
66889 - iter->name[0] = '\0';
66890 iter->nameoff = get_symbol_offset(new_pos);
66891 iter->pos = new_pos;
66892 }
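Review bot: With `iter->name[0] = '\0';` removed, `reset_iter()` no longer leaves the iterator with an empty name, and nothing at this site says what guarantees it now. The `kzalloc()` in the `kallsyms_open` hunk covers the first call only; any later `reset_iter()` (its other callers are outside this diff) keeps whatever name was stored last, while `s_show()` skips a record only when `iter->name[0]` is zero. If that is intended, record it here: `/* name is not cleared: it is zeroed at allocation and rewritten before s_show() reads it */`, after confirming the second half against the update path.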
66893 @@ -461,6 +499,11 @@ static int s_show(struct seq_file *m, vo
66894 {
66895 struct kallsym_iter *iter = m->private;
66896
66897 +#ifdef CONFIG_GRKERNSEC_HIDESYM
66898 + if (current_uid())
66899 + return 0;
66900 +#endif
66901 +
66902 /* Some debugging symbols have no name. Ignore them. */
66903 if (!iter->name[0])
66904 return 0;
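Review bot: The HIDESYM check in `s_show()` evaluates `current_uid()` each time a record is shown, so the decision follows whichever task is reading at that moment rather than the task that opened the file. A descriptor opened by one user and later read by a root-owned process would therefore be served in full. Taking the decision once in `kallsyms_open()` and keeping it with the iterator would bind it to the opener. The test is on uid 0 rather than on a capability, which should be stated at the check, e.g. `/* HIDESYM: only uid 0 sees symbols; every other reader gets an empty listing */`. `s_show()` continues outside the hunk.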
66905 @@ -501,7 +544,7 @@ static int kallsyms_open(struct inode *i
66906 struct kallsym_iter *iter;
66907 int ret;
66908
66909 - iter = kmalloc(sizeof(*iter), GFP_KERNEL);
66910 + iter = kzalloc(sizeof(*iter), GFP_KERNEL);
66911 if (!iter)
66912 return -ENOMEM;
66913 reset_iter(iter, 0);
66914 diff -urNp linux-2.6.32.46/kernel/kexec.c linux-2.6.32.46/kernel/kexec.c
66915 --- linux-2.6.32.46/kernel/kexec.c 2011-03-27 14:31:47.000000000 -0400
66916 +++ linux-2.6.32.46/kernel/kexec.c 2011-10-06 09:37:14.000000000 -0400
66917 @@ -1028,7 +1028,8 @@ asmlinkage long compat_sys_kexec_load(un
66918 unsigned long flags)
66919 {
66920 struct compat_kexec_segment in;
66921 - struct kexec_segment out, __user *ksegments;
66922 + struct kexec_segment out;
66923 + struct kexec_segment __user *ksegments;
66924 unsigned long i, result;
66925
66926 /* Don't allow clients that don't understand the native
66927 diff -urNp linux-2.6.32.46/kernel/kgdb.c linux-2.6.32.46/kernel/kgdb.c
66928 --- linux-2.6.32.46/kernel/kgdb.c 2011-04-17 17:00:52.000000000 -0400
66929 +++ linux-2.6.32.46/kernel/kgdb.c 2011-05-04 17:56:20.000000000 -0400
66930 @@ -86,7 +86,7 @@ static int kgdb_io_module_registered;
66931 /* Guard for recursive entry */
66932 static int exception_level;
66933
66934 -static struct kgdb_io *kgdb_io_ops;
66935 +static const struct kgdb_io *kgdb_io_ops;
66936 static DEFINE_SPINLOCK(kgdb_registration_lock);
66937
66938 /* kgdb console driver is loaded */
66939 @@ -123,7 +123,7 @@ atomic_t kgdb_active = ATOMIC_INIT(-1)
66940 */
66941 static atomic_t passive_cpu_wait[NR_CPUS];
66942 static atomic_t cpu_in_kgdb[NR_CPUS];
66943 -atomic_t kgdb_setting_breakpoint;
66944 +atomic_unchecked_t kgdb_setting_breakpoint;
66945
66946 struct task_struct *kgdb_usethread;
66947 struct task_struct *kgdb_contthread;
66948 @@ -140,7 +140,7 @@ static unsigned long gdb_regs[(NUMREGBY
66949 sizeof(unsigned long)];
66950
66951 /* to keep track of the CPU which is doing the single stepping*/
66952 -atomic_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
66953 +atomic_unchecked_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
66954
66955 /*
66956 * If you are debugging a problem where roundup (the collection of
66957 @@ -815,7 +815,7 @@ static int kgdb_io_ready(int print_wait)
66958 return 0;
66959 if (kgdb_connected)
66960 return 1;
66961 - if (atomic_read(&kgdb_setting_breakpoint))
66962 + if (atomic_read_unchecked(&kgdb_setting_breakpoint))
66963 return 1;
66964 if (print_wait)
66965 printk(KERN_CRIT "KGDB: Waiting for remote debugger\n");
66966 @@ -1426,8 +1426,8 @@ acquirelock:
66967 * instance of the exception handler wanted to come into the
66968 * debugger on a different CPU via a single step
66969 */
66970 - if (atomic_read(&kgdb_cpu_doing_single_step) != -1 &&
66971 - atomic_read(&kgdb_cpu_doing_single_step) != cpu) {
66972 + if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1 &&
66973 + atomic_read_unchecked(&kgdb_cpu_doing_single_step) != cpu) {
66974
66975 atomic_set(&kgdb_active, -1);
66976 touch_softlockup_watchdog();
66977 @@ -1634,7 +1634,7 @@ static void kgdb_initial_breakpoint(void
66978 *
66979 * Register it with the KGDB core.
66980 */
66981 -int kgdb_register_io_module(struct kgdb_io *new_kgdb_io_ops)
66982 +int kgdb_register_io_module(const struct kgdb_io *new_kgdb_io_ops)
66983 {
66984 int err;
66985
66986 @@ -1679,7 +1679,7 @@ EXPORT_SYMBOL_GPL(kgdb_register_io_modul
66987 *
66988 * Unregister it with the KGDB core.
66989 */
66990 -void kgdb_unregister_io_module(struct kgdb_io *old_kgdb_io_ops)
66991 +void kgdb_unregister_io_module(const struct kgdb_io *old_kgdb_io_ops)
66992 {
66993 BUG_ON(kgdb_connected);
66994
66995 @@ -1712,11 +1712,11 @@ EXPORT_SYMBOL_GPL(kgdb_unregister_io_mod
66996 */
66997 void kgdb_breakpoint(void)
66998 {
66999 - atomic_set(&kgdb_setting_breakpoint, 1);
67000 + atomic_set_unchecked(&kgdb_setting_breakpoint, 1);
67001 wmb(); /* Sync point before breakpoint */
67002 arch_kgdb_breakpoint();
67003 wmb(); /* Sync point after breakpoint */
67004 - atomic_set(&kgdb_setting_breakpoint, 0);
67005 + atomic_set_unchecked(&kgdb_setting_breakpoint, 0);
67006 }
67007 EXPORT_SYMBOL_GPL(kgdb_breakpoint);
67008
67009 diff -urNp linux-2.6.32.46/kernel/kmod.c linux-2.6.32.46/kernel/kmod.c
67010 --- linux-2.6.32.46/kernel/kmod.c 2011-03-27 14:31:47.000000000 -0400
67011 +++ linux-2.6.32.46/kernel/kmod.c 2011-10-06 09:37:14.000000000 -0400
67012 @@ -65,13 +65,12 @@ char modprobe_path[KMOD_PATH_LEN] = "/sb
67013 * If module auto-loading support is disabled then this function
67014 * becomes a no-operation.
67015 */
67016 -int __request_module(bool wait, const char *fmt, ...)
67017 +static int ____request_module(bool wait, char *module_param, const char *fmt, va_list ap)
67018 {
67019 - va_list args;
67020 char module_name[MODULE_NAME_LEN];
67021 unsigned int max_modprobes;
67022 int ret;
67023 - char *argv[] = { modprobe_path, "-q", "--", module_name, NULL };
67024 + char *argv[] = { modprobe_path, "-q", "--", module_name, module_param, NULL };
67025 static char *envp[] = { "HOME=/",
67026 "TERM=linux",
67027 "PATH=/sbin:/usr/sbin:/bin:/usr/bin",
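Review bot: The kernel-doc block that ends just above the changed signature described the exported `__request_module()`; after this change it sits on the new static helper `____request_module()`, whose `module_param` and `ap` parameters it does not mention. I would move that block down to the `__request_module()` wrapper added later in this file and give the helper its own short comment, e.g. `/* module_param: optional extra argv entry handed to modprobe, or NULL */`. It is worth noting there that a NULL `module_param` simply ends `argv` one slot early, which keeps the unhardened invocation identical to the old one. The helper's body continues in the following hunks.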
67028 @@ -84,12 +83,24 @@ int __request_module(bool wait, const ch
67029 if (ret)
67030 return ret;
67031
67032 - va_start(args, fmt);
67033 - ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
67034 - va_end(args);
67035 + ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, ap);
67036 if (ret >= MODULE_NAME_LEN)
67037 return -ENAMETOOLONG;
67038
67039 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
67040 + if (!current_uid()) {
67041 + /* hack to workaround consolekit/udisks stupidity */
67042 + read_lock(&tasklist_lock);
67043 + if (!strcmp(current->comm, "mount") &&
67044 + current->real_parent && !strncmp(current->real_parent->comm, "udisk", 5)) {
67045 + read_unlock(&tasklist_lock);
67046 + printk(KERN_ALERT "grsec: denied attempt to auto-load fs module %.64s by udisks\n", module_name);
67047 + return -EPERM;
67048 + }
67049 + read_unlock(&tasklist_lock);
67050 + }
67051 +#endif
67052 +
67053 /* If modprobe needs a service that is in a module, we get a recursive
67054 * loop. Limit the number of running kmod threads to max_threads/2 or
67055 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
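Review bot: The udisks exception identifies processes by `comm`, a short label that a task can set for itself, so the test is a heuristic for one known caller chain and not an identity check; the existing `/* hack ... */` comment should say so. Suggested wording: `/* best effort: recognises the mount helper spawned by udisks by task name only */`. `read_lock(&tasklist_lock)` is held only to read `current->real_parent->comm`, and the unlock is written out on both paths by hand; computing the result into a local flag and unlocking once would be easier to verify. The enclosing function starts before this hunk and continues after it.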
67056 @@ -121,6 +132,48 @@ int __request_module(bool wait, const ch
67057 atomic_dec(&kmod_concurrent);
67058 return ret;
67059 }
67060 +
67061 +int ___request_module(bool wait, char *module_param, const char *fmt, ...)
67062 +{
67063 + va_list args;
67064 + int ret;
67065 +
67066 + va_start(args, fmt);
67067 + ret = ____request_module(wait, module_param, fmt, args);
67068 + va_end(args);
67069 +
67070 + return ret;
67071 +}
67072 +
67073 +int __request_module(bool wait, const char *fmt, ...)
67074 +{
67075 + va_list args;
67076 + int ret;
67077 +
67078 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
67079 + if (current_uid()) {
67080 + char module_param[MODULE_NAME_LEN];
67081 +
67082 + memset(module_param, 0, sizeof(module_param));
67083 +
67084 + snprintf(module_param, sizeof(module_param) - 1, "grsec_modharden_normal%u_", current_uid());
67085 +
67086 + va_start(args, fmt);
67087 + ret = ____request_module(wait, module_param, fmt, args);
67088 + va_end(args);
67089 +
67090 + return ret;
67091 + }
67092 +#endif
67093 +
67094 + va_start(args, fmt);
67095 + ret = ____request_module(wait, NULL, fmt, args);
67096 + va_end(args);
67097 +
67098 + return ret;
67099 +}
67100 +
67101 +
67102 EXPORT_SYMBOL(__request_module);
67103 #endif /* CONFIG_MODULES */
67104
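Review bot: In the new `__request_module()` the buffer is cleared with `memset()` and then filled with `snprintf(module_param, sizeof(module_param) - 1, ...)`; `snprintf` already terminates within the size it is given, so both the `memset` and the `- 1` are redundant. `snprintf(module_param, sizeof(module_param), "grsec_modharden_normal%u_", current_uid());` is enough. The `va_start` / `____request_module` / `va_end` sequence is also written twice; choosing the `module_param` argument first (the buffer or `NULL`) and making a single call would remove the duplication. Neither `___request_module()` nor the rewritten `__request_module()` says what the extra argument is for, and the doubled blank line before `EXPORT_SYMBOL` is stray.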
67105 @@ -226,7 +279,7 @@ static int wait_for_helper(void *data)
67106 *
67107 * Thus the __user pointer cast is valid here.
67108 */
67109 - sys_wait4(pid, (int __user *)&ret, 0, NULL);
67110 + sys_wait4(pid, (int __force_user *)&ret, 0, NULL);
67111
67112 /*
67113 * If ret is 0, either ____call_usermodehelper failed and the
67114 diff -urNp linux-2.6.32.46/kernel/kprobes.c linux-2.6.32.46/kernel/kprobes.c
67115 --- linux-2.6.32.46/kernel/kprobes.c 2011-03-27 14:31:47.000000000 -0400
67116 +++ linux-2.6.32.46/kernel/kprobes.c 2011-04-17 15:56:46.000000000 -0400
67117 @@ -183,7 +183,7 @@ static kprobe_opcode_t __kprobes *__get_
67118 * kernel image and loaded module images reside. This is required
67119 * so x86_64 can correctly handle the %rip-relative fixups.
67120 */
67121 - kip->insns = module_alloc(PAGE_SIZE);
67122 + kip->insns = module_alloc_exec(PAGE_SIZE);
67123 if (!kip->insns) {
67124 kfree(kip);
67125 return NULL;
67126 @@ -220,7 +220,7 @@ static int __kprobes collect_one_slot(st
67127 */
67128 if (!list_is_singular(&kprobe_insn_pages)) {
67129 list_del(&kip->list);
67130 - module_free(NULL, kip->insns);
67131 + module_free_exec(NULL, kip->insns);
67132 kfree(kip);
67133 }
67134 return 1;
67135 @@ -1189,7 +1189,7 @@ static int __init init_kprobes(void)
67136 {
67137 int i, err = 0;
67138 unsigned long offset = 0, size = 0;
67139 - char *modname, namebuf[128];
67140 + char *modname, namebuf[KSYM_NAME_LEN];
67141 const char *symbol_name;
67142 void *addr;
67143 struct kprobe_blackpoint *kb;
67144 @@ -1304,7 +1304,7 @@ static int __kprobes show_kprobe_addr(st
67145 const char *sym = NULL;
67146 unsigned int i = *(loff_t *) v;
67147 unsigned long offset = 0;
67148 - char *modname, namebuf[128];
67149 + char *modname, namebuf[KSYM_NAME_LEN];
67150
67151 head = &kprobe_table[i];
67152 preempt_disable();
67153 diff -urNp linux-2.6.32.46/kernel/lockdep.c linux-2.6.32.46/kernel/lockdep.c
67154 --- linux-2.6.32.46/kernel/lockdep.c 2011-06-25 12:55:35.000000000 -0400
67155 +++ linux-2.6.32.46/kernel/lockdep.c 2011-06-25 12:56:37.000000000 -0400
67156 @@ -421,20 +421,20 @@ static struct stack_trace lockdep_init_t
67157 /*
67158 * Various lockdep statistics:
67159 */
67160 -atomic_t chain_lookup_hits;
67161 -atomic_t chain_lookup_misses;
67162 -atomic_t hardirqs_on_events;
67163 -atomic_t hardirqs_off_events;
67164 -atomic_t redundant_hardirqs_on;
67165 -atomic_t redundant_hardirqs_off;
67166 -atomic_t softirqs_on_events;
67167 -atomic_t softirqs_off_events;
67168 -atomic_t redundant_softirqs_on;
67169 -atomic_t redundant_softirqs_off;
67170 -atomic_t nr_unused_locks;
67171 -atomic_t nr_cyclic_checks;
67172 -atomic_t nr_find_usage_forwards_checks;
67173 -atomic_t nr_find_usage_backwards_checks;
67174 +atomic_unchecked_t chain_lookup_hits;
67175 +atomic_unchecked_t chain_lookup_misses;
67176 +atomic_unchecked_t hardirqs_on_events;
67177 +atomic_unchecked_t hardirqs_off_events;
67178 +atomic_unchecked_t redundant_hardirqs_on;
67179 +atomic_unchecked_t redundant_hardirqs_off;
67180 +atomic_unchecked_t softirqs_on_events;
67181 +atomic_unchecked_t softirqs_off_events;
67182 +atomic_unchecked_t redundant_softirqs_on;
67183 +atomic_unchecked_t redundant_softirqs_off;
67184 +atomic_unchecked_t nr_unused_locks;
67185 +atomic_unchecked_t nr_cyclic_checks;
67186 +atomic_unchecked_t nr_find_usage_forwards_checks;
67187 +atomic_unchecked_t nr_find_usage_backwards_checks;
67188 #endif
67189
67190 /*
67191 @@ -577,6 +577,10 @@ static int static_obj(void *obj)
67192 int i;
67193 #endif
67194
67195 +#ifdef CONFIG_PAX_KERNEXEC
67196 + start = ktla_ktva(start);
67197 +#endif
67198 +
67199 /*
67200 * static variable?
67201 */
67202 @@ -592,8 +596,7 @@ static int static_obj(void *obj)
67203 */
67204 for_each_possible_cpu(i) {
67205 start = (unsigned long) &__per_cpu_start + per_cpu_offset(i);
67206 - end = (unsigned long) &__per_cpu_start + PERCPU_ENOUGH_ROOM
67207 - + per_cpu_offset(i);
67208 + end = start + PERCPU_ENOUGH_ROOM;
67209
67210 if ((addr >= start) && (addr < end))
67211 return 1;
67212 @@ -710,6 +713,7 @@ register_lock_class(struct lockdep_map *
67213 if (!static_obj(lock->key)) {
67214 debug_locks_off();
67215 printk("INFO: trying to register non-static key.\n");
67216 + printk("lock:%pS key:%pS.\n", lock, lock->key);
67217 printk("the code is fine but needs lockdep annotation.\n");
67218 printk("turning off the locking correctness validator.\n");
67219 dump_stack();
67220 @@ -2751,7 +2755,7 @@ static int __lock_acquire(struct lockdep
67221 if (!class)
67222 return 0;
67223 }
67224 - debug_atomic_inc((atomic_t *)&class->ops);
67225 + debug_atomic_inc((atomic_unchecked_t *)&class->ops);
67226 if (very_verbose(class)) {
67227 printk("\nacquire class [%p] %s", class->key, class->name);
67228 if (class->name_version > 1)
67229 diff -urNp linux-2.6.32.46/kernel/lockdep_internals.h linux-2.6.32.46/kernel/lockdep_internals.h
67230 --- linux-2.6.32.46/kernel/lockdep_internals.h 2011-03-27 14:31:47.000000000 -0400
67231 +++ linux-2.6.32.46/kernel/lockdep_internals.h 2011-04-17 15:56:46.000000000 -0400
67232 @@ -113,26 +113,26 @@ lockdep_count_backward_deps(struct lock_
67233 /*
67234 * Various lockdep statistics:
67235 */
67236 -extern atomic_t chain_lookup_hits;
67237 -extern atomic_t chain_lookup_misses;
67238 -extern atomic_t hardirqs_on_events;
67239 -extern atomic_t hardirqs_off_events;
67240 -extern atomic_t redundant_hardirqs_on;
67241 -extern atomic_t redundant_hardirqs_off;
67242 -extern atomic_t softirqs_on_events;
67243 -extern atomic_t softirqs_off_events;
67244 -extern atomic_t redundant_softirqs_on;
67245 -extern atomic_t redundant_softirqs_off;
67246 -extern atomic_t nr_unused_locks;
67247 -extern atomic_t nr_cyclic_checks;
67248 -extern atomic_t nr_cyclic_check_recursions;
67249 -extern atomic_t nr_find_usage_forwards_checks;
67250 -extern atomic_t nr_find_usage_forwards_recursions;
67251 -extern atomic_t nr_find_usage_backwards_checks;
67252 -extern atomic_t nr_find_usage_backwards_recursions;
67253 -# define debug_atomic_inc(ptr) atomic_inc(ptr)
67254 -# define debug_atomic_dec(ptr) atomic_dec(ptr)
67255 -# define debug_atomic_read(ptr) atomic_read(ptr)
67256 +extern atomic_unchecked_t chain_lookup_hits;
67257 +extern atomic_unchecked_t chain_lookup_misses;
67258 +extern atomic_unchecked_t hardirqs_on_events;
67259 +extern atomic_unchecked_t hardirqs_off_events;
67260 +extern atomic_unchecked_t redundant_hardirqs_on;
67261 +extern atomic_unchecked_t redundant_hardirqs_off;
67262 +extern atomic_unchecked_t softirqs_on_events;
67263 +extern atomic_unchecked_t softirqs_off_events;
67264 +extern atomic_unchecked_t redundant_softirqs_on;
67265 +extern atomic_unchecked_t redundant_softirqs_off;
67266 +extern atomic_unchecked_t nr_unused_locks;
67267 +extern atomic_unchecked_t nr_cyclic_checks;
67268 +extern atomic_unchecked_t nr_cyclic_check_recursions;
67269 +extern atomic_unchecked_t nr_find_usage_forwards_checks;
67270 +extern atomic_unchecked_t nr_find_usage_forwards_recursions;
67271 +extern atomic_unchecked_t nr_find_usage_backwards_checks;
67272 +extern atomic_unchecked_t nr_find_usage_backwards_recursions;
67273 +# define debug_atomic_inc(ptr) atomic_inc_unchecked(ptr)
67274 +# define debug_atomic_dec(ptr) atomic_dec_unchecked(ptr)
67275 +# define debug_atomic_read(ptr) atomic_read_unchecked(ptr)
67276 #else
67277 # define debug_atomic_inc(ptr) do { } while (0)
67278 # define debug_atomic_dec(ptr) do { } while (0)
67279 diff -urNp linux-2.6.32.46/kernel/lockdep_proc.c linux-2.6.32.46/kernel/lockdep_proc.c
67280 --- linux-2.6.32.46/kernel/lockdep_proc.c 2011-03-27 14:31:47.000000000 -0400
67281 +++ linux-2.6.32.46/kernel/lockdep_proc.c 2011-04-17 15:56:46.000000000 -0400
67282 @@ -39,7 +39,7 @@ static void l_stop(struct seq_file *m, v
67283
67284 static void print_name(struct seq_file *m, struct lock_class *class)
67285 {
67286 - char str[128];
67287 + char str[KSYM_NAME_LEN];
67288 const char *name = class->name;
67289
67290 if (!name) {
67291 diff -urNp linux-2.6.32.46/kernel/module.c linux-2.6.32.46/kernel/module.c
67292 --- linux-2.6.32.46/kernel/module.c 2011-03-27 14:31:47.000000000 -0400
67293 +++ linux-2.6.32.46/kernel/module.c 2011-04-29 18:52:40.000000000 -0400
67294 @@ -55,6 +55,7 @@
67295 #include <linux/async.h>
67296 #include <linux/percpu.h>
67297 #include <linux/kmemleak.h>
67298 +#include <linux/grsecurity.h>
67299
67300 #define CREATE_TRACE_POINTS
67301 #include <trace/events/module.h>
67302 @@ -89,7 +90,8 @@ static DECLARE_WAIT_QUEUE_HEAD(module_wq
67303 static BLOCKING_NOTIFIER_HEAD(module_notify_list);
67304
67305 /* Bounds of module allocation, for speeding __module_address */
67306 -static unsigned long module_addr_min = -1UL, module_addr_max = 0;
67307 +static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
67308 +static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
67309
67310 int register_module_notifier(struct notifier_block * nb)
67311 {
67312 @@ -245,7 +247,7 @@ bool each_symbol(bool (*fn)(const struct
67313 return true;
67314
67315 list_for_each_entry_rcu(mod, &modules, list) {
67316 - struct symsearch arr[] = {
67317 + struct symsearch modarr[] = {
67318 { mod->syms, mod->syms + mod->num_syms, mod->crcs,
67319 NOT_GPL_ONLY, false },
67320 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
67321 @@ -267,7 +269,7 @@ bool each_symbol(bool (*fn)(const struct
67322 #endif
67323 };
67324
67325 - if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
67326 + if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
67327 return true;
67328 }
67329 return false;
67330 @@ -442,7 +444,7 @@ static void *percpu_modalloc(unsigned lo
67331 void *ptr;
67332 int cpu;
67333
67334 - if (align > PAGE_SIZE) {
67335 + if (align-1 >= PAGE_SIZE) {
67336 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
67337 name, align, PAGE_SIZE);
67338 align = PAGE_SIZE;
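Review bot: `align-1 >= PAGE_SIZE` differs from the old `align > PAGE_SIZE` only when `align` is 0, where the subtraction wraps and the value is then clamped to `PAGE_SIZE`; this assumes `align` is unsigned, since its declaration is cut off in the hunk header. Written this way it reads like a typo, so I would either spell it out as `if (align == 0 || align > PAGE_SIZE) {` or add `/* align - 1 wraps for align == 0, which is clamped as well */`. The warning text still prints "alignment %li > %li", which is misleading in the zero case. The function continues outside the hunk.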
67339 @@ -1158,7 +1160,7 @@ static const struct kernel_symbol *resol
67340 * /sys/module/foo/sections stuff
67341 * J. Corbet <corbet@lwn.net>
67342 */
67343 -#if defined(CONFIG_KALLSYMS) && defined(CONFIG_SYSFS)
67344 +#if defined(CONFIG_KALLSYMS) && defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
67345
67346 static inline bool sect_empty(const Elf_Shdr *sect)
67347 {
67348 @@ -1545,7 +1547,8 @@ static void free_module(struct module *m
67349 destroy_params(mod->kp, mod->num_kp);
67350
67351 /* This may be NULL, but that's OK */
67352 - module_free(mod, mod->module_init);
67353 + module_free(mod, mod->module_init_rw);
67354 + module_free_exec(mod, mod->module_init_rx);
67355 kfree(mod->args);
67356 if (mod->percpu)
67357 percpu_modfree(mod->percpu);
67358 @@ -1554,10 +1557,12 @@ static void free_module(struct module *m
67359 percpu_modfree(mod->refptr);
67360 #endif
67361 /* Free lock-classes: */
67362 - lockdep_free_key_range(mod->module_core, mod->core_size);
67363 + lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
67364 + lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
67365
67366 /* Finally, free the core (containing the module structure) */
67367 - module_free(mod, mod->module_core);
67368 + module_free_exec(mod, mod->module_core_rx);
67369 + module_free(mod, mod->module_core_rw);
67370
67371 #ifdef CONFIG_MPU
67372 update_protections(current->mm);
67373 @@ -1628,8 +1633,32 @@ static int simplify_symbols(Elf_Shdr *se
67374 unsigned int i, n = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
67375 int ret = 0;
67376 const struct kernel_symbol *ksym;
67377 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
67378 + int is_fs_load = 0;
67379 + int register_filesystem_found = 0;
67380 + char *p;
67381 +
67382 + p = strstr(mod->args, "grsec_modharden_fs");
67383 +
67384 + if (p) {
67385 + char *endptr = p + strlen("grsec_modharden_fs");
67386 + /* copy \0 as well */
67387 + memmove(p, endptr, strlen(mod->args) - (unsigned int)(endptr - mod->args) + 1);
67388 + is_fs_load = 1;
67389 + }
67390 +#endif
67391 +
67392
67393 for (i = 1; i < n; i++) {
67394 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
67395 + const char *name = strtab + sym[i].st_name;
67396 +
67397 + /* it's a real shame this will never get ripped and copied
67398 + upstream! ;(
67399 + */
67400 + if (is_fs_load && !strcmp(name, "register_filesystem"))
67401 + register_filesystem_found = 1;
67402 +#endif
67403 switch (sym[i].st_shndx) {
67404 case SHN_COMMON:
67405 /* We compiled with -fno-common. These are not
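Review bot: The `register_filesystem` match runs before `switch (sym[i].st_shndx)`, so it accepts any symbol-table entry with that name, not only an undefined reference that the loader goes on to resolve against the kernel's export. Limiting it to imports states the intent exactly: `if (is_fs_load && sym[i].st_shndx == SHN_UNDEF && !strcmp(name, "register_filesystem"))`. Separately, `strstr(mod->args, "grsec_modharden_fs")` finds the marker anywhere in the argument string, including inside another parameter's value, before `memmove` cuts it out; a comment should say where the marker is expected to sit and who places it there, which this hunk does not show. The `-EPERM` decision that uses these flags is in a later hunk of the same function.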
67406 @@ -1651,7 +1680,9 @@ static int simplify_symbols(Elf_Shdr *se
67407 strtab + sym[i].st_name, mod);
67408 /* Ok if resolved. */
67409 if (ksym) {
67410 + pax_open_kernel();
67411 sym[i].st_value = ksym->value;
67412 + pax_close_kernel();
67413 break;
67414 }
67415
67416 @@ -1670,11 +1701,20 @@ static int simplify_symbols(Elf_Shdr *se
67417 secbase = (unsigned long)mod->percpu;
67418 else
67419 secbase = sechdrs[sym[i].st_shndx].sh_addr;
67420 + pax_open_kernel();
67421 sym[i].st_value += secbase;
67422 + pax_close_kernel();
67423 break;
67424 }
67425 }
67426
67427 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
67428 + if (is_fs_load && !register_filesystem_found) {
67429 + printk(KERN_ALERT "grsec: Denied attempt to load non-fs module %.64s through mount\n", mod->name);
67430 + ret = -EPERM;
67431 + }
67432 +#endif
67433 +
67434 return ret;
67435 }
67436
67437 @@ -1731,11 +1771,12 @@ static void layout_sections(struct modul
67438 || s->sh_entsize != ~0UL
67439 || strstarts(secstrings + s->sh_name, ".init"))
67440 continue;
67441 - s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
67442 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
67443 + s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
67444 + else
67445 + s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
67446 DEBUGP("\t%s\n", secstrings + s->sh_name);
67447 }
67448 - if (m == 0)
67449 - mod->core_text_size = mod->core_size;
67450 }
67451
67452 DEBUGP("Init section allocation order:\n");
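Review bot: The rw/rx placement is decided by `(s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC)` with no comment, and the same test is repeated for the init sections in the next hunk. Two consequences should be written next to it: a section that is both writable and executable ends up in the rw area, and read-only data shares the rx area with code. Something like `/* writable sections go to the rw area; everything else, text and read-only data alike, to the rx area */` would do. The `!SHF_ALLOC` half looks unreachable if the enclosing loop already filters on `SHF_ALLOC`, but that filter is above the hunk, so please confirm.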
67453 @@ -1748,12 +1789,13 @@ static void layout_sections(struct modul
67454 || s->sh_entsize != ~0UL
67455 || !strstarts(secstrings + s->sh_name, ".init"))
67456 continue;
67457 - s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
67458 - | INIT_OFFSET_MASK);
67459 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
67460 + s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
67461 + else
67462 + s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
67463 + s->sh_entsize |= INIT_OFFSET_MASK;
67464 DEBUGP("\t%s\n", secstrings + s->sh_name);
67465 }
67466 - if (m == 0)
67467 - mod->init_text_size = mod->init_size;
67468 }
67469 }
67470
67471 @@ -1857,9 +1899,8 @@ static int is_exported(const char *name,
67472
67473 /* As per nm */
67474 static char elf_type(const Elf_Sym *sym,
67475 - Elf_Shdr *sechdrs,
67476 - const char *secstrings,
67477 - struct module *mod)
67478 + const Elf_Shdr *sechdrs,
67479 + const char *secstrings)
67480 {
67481 if (ELF_ST_BIND(sym->st_info) == STB_WEAK) {
67482 if (ELF_ST_TYPE(sym->st_info) == STT_OBJECT)
67483 @@ -1934,7 +1975,7 @@ static unsigned long layout_symtab(struc
67484
67485 /* Put symbol section at end of init part of module. */
67486 symsect->sh_flags |= SHF_ALLOC;
67487 - symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
67488 + symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
67489 symindex) | INIT_OFFSET_MASK;
67490 DEBUGP("\t%s\n", secstrings + symsect->sh_name);
67491
67492 @@ -1951,19 +1992,19 @@ static unsigned long layout_symtab(struc
67493 }
67494
67495 /* Append room for core symbols at end of core part. */
67496 - symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
67497 - mod->core_size = symoffs + ndst * sizeof(Elf_Sym);
67498 + symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
67499 + mod->core_size_rx = symoffs + ndst * sizeof(Elf_Sym);
67500
67501 /* Put string table section at end of init part of module. */
67502 strsect->sh_flags |= SHF_ALLOC;
67503 - strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
67504 + strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
67505 strindex) | INIT_OFFSET_MASK;
67506 DEBUGP("\t%s\n", secstrings + strsect->sh_name);
67507
67508 /* Append room for core symbols' strings at end of core part. */
67509 - *pstroffs = mod->core_size;
67510 + *pstroffs = mod->core_size_rx;
67511 __set_bit(0, strmap);
67512 - mod->core_size += bitmap_weight(strmap, strsect->sh_size);
67513 + mod->core_size_rx += bitmap_weight(strmap, strsect->sh_size);
67514
67515 return symoffs;
67516 }
67517 @@ -1987,12 +2028,14 @@ static void add_kallsyms(struct module *
67518 mod->num_symtab = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
67519 mod->strtab = (void *)sechdrs[strindex].sh_addr;
67520
67521 + pax_open_kernel();
67522 +
67523 /* Set types up while we still have access to sections. */
67524 for (i = 0; i < mod->num_symtab; i++)
67525 mod->symtab[i].st_info
67526 - = elf_type(&mod->symtab[i], sechdrs, secstrings, mod);
67527 + = elf_type(&mod->symtab[i], sechdrs, secstrings);
67528
67529 - mod->core_symtab = dst = mod->module_core + symoffs;
67530 + mod->core_symtab = dst = mod->module_core_rx + symoffs;
67531 src = mod->symtab;
67532 *dst = *src;
67533 for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
67534 @@ -2004,10 +2047,12 @@ static void add_kallsyms(struct module *
67535 }
67536 mod->core_num_syms = ndst;
67537
67538 - mod->core_strtab = s = mod->module_core + stroffs;
67539 + mod->core_strtab = s = mod->module_core_rx + stroffs;
67540 for (*s = 0, i = 1; i < sechdrs[strindex].sh_size; ++i)
67541 if (test_bit(i, strmap))
67542 *++s = mod->strtab[i];
67543 +
67544 + pax_close_kernel();
67545 }
67546 #else
67547 static inline unsigned long layout_symtab(struct module *mod,
67548 @@ -2044,16 +2089,30 @@ static void dynamic_debug_setup(struct _
67549 #endif
67550 }
67551
67552 -static void *module_alloc_update_bounds(unsigned long size)
67553 +static void *module_alloc_update_bounds_rw(unsigned long size)
67554 {
67555 void *ret = module_alloc(size);
67556
67557 if (ret) {
67558 /* Update module bounds. */
67559 - if ((unsigned long)ret < module_addr_min)
67560 - module_addr_min = (unsigned long)ret;
67561 - if ((unsigned long)ret + size > module_addr_max)
67562 - module_addr_max = (unsigned long)ret + size;
67563 + if ((unsigned long)ret < module_addr_min_rw)
67564 + module_addr_min_rw = (unsigned long)ret;
67565 + if ((unsigned long)ret + size > module_addr_max_rw)
67566 + module_addr_max_rw = (unsigned long)ret + size;
67567 + }
67568 + return ret;
67569 +}
67570 +
67571 +static void *module_alloc_update_bounds_rx(unsigned long size)
67572 +{
67573 + void *ret = module_alloc_exec(size);
67574 +
67575 + if (ret) {
67576 + /* Update module bounds. */
67577 + if ((unsigned long)ret < module_addr_min_rx)
67578 + module_addr_min_rx = (unsigned long)ret;
67579 + if ((unsigned long)ret + size > module_addr_max_rx)
67580 + module_addr_max_rx = (unsigned long)ret + size;
67581 }
67582 return ret;
67583 }
67584 @@ -2065,8 +2124,8 @@ static void kmemleak_load_module(struct
67585 unsigned int i;
67586
67587 /* only scan the sections containing data */
67588 - kmemleak_scan_area(mod->module_core, (unsigned long)mod -
67589 - (unsigned long)mod->module_core,
67590 + kmemleak_scan_area(mod->module_core_rw, (unsigned long)mod -
67591 + (unsigned long)mod->module_core_rw,
67592 sizeof(struct module), GFP_KERNEL);
67593
67594 for (i = 1; i < hdr->e_shnum; i++) {
67595 @@ -2076,8 +2135,8 @@ static void kmemleak_load_module(struct
67596 && strncmp(secstrings + sechdrs[i].sh_name, ".bss", 4) != 0)
67597 continue;
67598
67599 - kmemleak_scan_area(mod->module_core, sechdrs[i].sh_addr -
67600 - (unsigned long)mod->module_core,
67601 + kmemleak_scan_area(mod->module_core_rw, sechdrs[i].sh_addr -
67602 + (unsigned long)mod->module_core_rw,
67603 sechdrs[i].sh_size, GFP_KERNEL);
67604 }
67605 }
67606 @@ -2263,7 +2322,7 @@ static noinline struct module *load_modu
67607 secstrings, &stroffs, strmap);
67608
67609 /* Do the allocs. */
67610 - ptr = module_alloc_update_bounds(mod->core_size);
67611 + ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
67612 /*
67613 * The pointer to this block is stored in the module structure
67614 * which is inside the block. Just mark it as not being a
67615 @@ -2274,23 +2333,47 @@ static noinline struct module *load_modu
67616 err = -ENOMEM;
67617 goto free_percpu;
67618 }
67619 - memset(ptr, 0, mod->core_size);
67620 - mod->module_core = ptr;
67621 + memset(ptr, 0, mod->core_size_rw);
67622 + mod->module_core_rw = ptr;
67623
67624 - ptr = module_alloc_update_bounds(mod->init_size);
67625 + ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
67626 /*
67627 * The pointer to this block is stored in the module structure
67628 * which is inside the block. This block doesn't need to be
67629 * scanned as it contains data and code that will be freed
67630 * after the module is initialized.
67631 */
67632 - kmemleak_ignore(ptr);
67633 - if (!ptr && mod->init_size) {
67634 + kmemleak_not_leak(ptr);
67635 + if (!ptr && mod->init_size_rw) {
67636 + err = -ENOMEM;
67637 + goto free_core_rw;
67638 + }
67639 + memset(ptr, 0, mod->init_size_rw);
67640 + mod->module_init_rw = ptr;
67641 +
67642 + ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
67643 + kmemleak_not_leak(ptr);
67644 + if (!ptr) {
67645 err = -ENOMEM;
67646 - goto free_core;
67647 + goto free_init_rw;
67648 }
67649 - memset(ptr, 0, mod->init_size);
67650 - mod->module_init = ptr;
67651 +
67652 + pax_open_kernel();
67653 + memset(ptr, 0, mod->core_size_rx);
67654 + pax_close_kernel();
67655 + mod->module_core_rx = ptr;
67656 +
67657 + ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
67658 + kmemleak_not_leak(ptr);
67659 + if (!ptr && mod->init_size_rx) {
67660 + err = -ENOMEM;
67661 + goto free_core_rx;
67662 + }
67663 +
67664 + pax_open_kernel();
67665 + memset(ptr, 0, mod->init_size_rx);
67666 + pax_close_kernel();
67667 + mod->module_init_rx = ptr;
67668
67669 /* Transfer each section which specifies SHF_ALLOC */
67670 DEBUGP("final section addresses:\n");
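Review bot: The comment kept above the init_rw allocation still says the block "doesn't need to be scanned", but the call beneath it is now `kmemleak_not_leak(ptr)`, which only suppresses the leak report and leaves the block scanned, unlike the `kmemleak_ignore(ptr)` it replaces. Either update the comment to say why the init data block is now scanned, or keep `kmemleak_ignore(ptr)`. The two RX allocations added below have no comment at all; one line before each `pax_open_kernel()` should say why the memset has to be bracketed (presumably the RX region is not writable otherwise under KERNEXEC). load_module starts and ends outside this hunk.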
67671 @@ -2300,17 +2383,45 @@ static noinline struct module *load_modu
67672 if (!(sechdrs[i].sh_flags & SHF_ALLOC))
67673 continue;
67674
67675 - if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK)
67676 - dest = mod->module_init
67677 - + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
67678 - else
67679 - dest = mod->module_core + sechdrs[i].sh_entsize;
67680 + if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK) {
67681 + if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
67682 + dest = mod->module_init_rw
67683 + + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
67684 + else
67685 + dest = mod->module_init_rx
67686 + + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
67687 + } else {
67688 + if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
67689 + dest = mod->module_core_rw + sechdrs[i].sh_entsize;
67690 + else
67691 + dest = mod->module_core_rx + sechdrs[i].sh_entsize;
67692 + }
67693 +
67694 + if (sechdrs[i].sh_type != SHT_NOBITS) {
67695
67696 - if (sechdrs[i].sh_type != SHT_NOBITS)
67697 - memcpy(dest, (void *)sechdrs[i].sh_addr,
67698 - sechdrs[i].sh_size);
67699 +#ifdef CONFIG_PAX_KERNEXEC
67700 +#ifdef CONFIG_X86_64
67701 + if ((sechdrs[i].sh_flags & SHF_WRITE) && (sechdrs[i].sh_flags & SHF_EXECINSTR))
67702 + set_memory_x((unsigned long)dest, (sechdrs[i].sh_size + PAGE_SIZE) >> PAGE_SHIFT);
67703 +#endif
67704 + if (!(sechdrs[i].sh_flags & SHF_WRITE) && (sechdrs[i].sh_flags & SHF_ALLOC)) {
67705 + pax_open_kernel();
67706 + memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
67707 + pax_close_kernel();
67708 + } else
67709 +#endif
67710 +
67711 + memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
67712 + }
67713 /* Update sh_addr to point to copy in image. */
67714 - sechdrs[i].sh_addr = (unsigned long)dest;
67715 +
67716 +#ifdef CONFIG_PAX_KERNEXEC
67717 + if (sechdrs[i].sh_flags & SHF_EXECINSTR)
67718 + sechdrs[i].sh_addr = ktva_ktla((unsigned long)dest);
67719 + else
67720 +#endif
67721 +
67722 + sechdrs[i].sh_addr = (unsigned long)dest;
67723 DEBUGP("\t0x%lx %s\n", sechdrs[i].sh_addr, secstrings + sechdrs[i].sh_name);
67724 }
67725 /* Module has been moved. */
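Review bot: The page count passed to `set_memory_x()` is `(sh_size + PAGE_SIZE) >> PAGE_SHIFT`, which ignores where `dest` sits inside its page: a page-aligned section whose size is an exact multiple of PAGE_SIZE gets one page too many marked executable, and a short section that straddles a page boundary may get one too few. Because this call makes part of the writable region executable, the range should be exact, e.g. `unsigned long s = (unsigned long)dest & PAGE_MASK;` followed by `set_memory_x(s, (PAGE_ALIGN((unsigned long)dest + sechdrs[i].sh_size) - s) >> PAGE_SHIFT);`, and the return value should be checked. Separately, the `!(sechdrs[i].sh_flags & SHF_ALLOC)` half of the region tests can never be true here, since the loop already `continue`s on sections without SHF_ALLOC. The loop and load_module extend beyond the hunk.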
67726 @@ -2322,7 +2433,7 @@ static noinline struct module *load_modu
67727 mod->name);
67728 if (!mod->refptr) {
67729 err = -ENOMEM;
67730 - goto free_init;
67731 + goto free_init_rx;
67732 }
67733 #endif
67734 /* Now we've moved module, initialize linked lists, etc. */
67735 @@ -2351,6 +2462,31 @@ static noinline struct module *load_modu
67736 /* Set up MODINFO_ATTR fields */
67737 setup_modinfo(mod, sechdrs, infoindex);
67738
67739 + mod->args = args;
67740 +
67741 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
67742 + {
67743 + char *p, *p2;
67744 +
67745 + if (strstr(mod->args, "grsec_modharden_netdev")) {
67746 + printk(KERN_ALERT "grsec: denied auto-loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%.64s instead.", mod->name);
67747 + err = -EPERM;
67748 + goto cleanup;
67749 + } else if ((p = strstr(mod->args, "grsec_modharden_normal"))) {
67750 + p += strlen("grsec_modharden_normal");
67751 + p2 = strstr(p, "_");
67752 + if (p2) {
67753 + *p2 = '\0';
67754 + printk(KERN_ALERT "grsec: denied kernel module auto-load of %.64s by uid %.9s\n", mod->name, p);
67755 + *p2 = '_';
67756 + }
67757 + err = -EPERM;
67758 + goto cleanup;
67759 + }
67760 + }
67761 +#endif
67762 +
67763 +
67764 /* Fix up syms, so that st_value is a pointer to location. */
67765 err = simplify_symbols(sechdrs, symindex, strtab, versindex, pcpuindex,
67766 mod);
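Review bot: The first `printk(KERN_ALERT ...)` in the MODHARDEN block ends with `instead."` and has no trailing newline, unlike the second message, so the alert can run into whatever is logged next; end the format string with `instead.\n"`. The `grsec_modharden_normal` branch also returns -EPERM without logging anything when no `_` follows the marker, which leaves a denial with no audit trail. The markers are matched with `strstr()` anywhere in `mod->args`, so a comment stating which code appends them would let a reader judge that match; the code that builds the argument string is outside this hunk.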
67767 @@ -2431,8 +2567,8 @@ static noinline struct module *load_modu
67768
67769 /* Now do relocations. */
67770 for (i = 1; i < hdr->e_shnum; i++) {
67771 - const char *strtab = (char *)sechdrs[strindex].sh_addr;
67772 unsigned int info = sechdrs[i].sh_info;
67773 + strtab = (char *)sechdrs[strindex].sh_addr;
67774
67775 /* Not a valid relocation section? */
67776 if (info >= hdr->e_shnum)
67777 @@ -2493,16 +2629,15 @@ static noinline struct module *load_modu
67778 * Do it before processing of module parameters, so the module
67779 * can provide parameter accessor functions of its own.
67780 */
67781 - if (mod->module_init)
67782 - flush_icache_range((unsigned long)mod->module_init,
67783 - (unsigned long)mod->module_init
67784 - + mod->init_size);
67785 - flush_icache_range((unsigned long)mod->module_core,
67786 - (unsigned long)mod->module_core + mod->core_size);
67787 + if (mod->module_init_rx)
67788 + flush_icache_range((unsigned long)mod->module_init_rx,
67789 + (unsigned long)mod->module_init_rx
67790 + + mod->init_size_rx);
67791 + flush_icache_range((unsigned long)mod->module_core_rx,
67792 + (unsigned long)mod->module_core_rx + mod->core_size_rx);
67793
67794 set_fs(old_fs);
67795
67796 - mod->args = args;
67797 if (section_addr(hdr, sechdrs, secstrings, "__obsparm"))
67798 printk(KERN_WARNING "%s: Ignoring obsolete parameters\n",
67799 mod->name);
67800 @@ -2546,12 +2681,16 @@ static noinline struct module *load_modu
67801 free_unload:
67802 module_unload_free(mod);
67803 #if defined(CONFIG_MODULE_UNLOAD) && defined(CONFIG_SMP)
67804 + free_init_rx:
67805 percpu_modfree(mod->refptr);
67806 - free_init:
67807 #endif
67808 - module_free(mod, mod->module_init);
67809 - free_core:
67810 - module_free(mod, mod->module_core);
67811 + module_free_exec(mod, mod->module_init_rx);
67812 + free_core_rx:
67813 + module_free_exec(mod, mod->module_core_rx);
67814 + free_init_rw:
67815 + module_free(mod, mod->module_init_rw);
67816 + free_core_rw:
67817 + module_free(mod, mod->module_core_rw);
67818 /* mod will be freed with core. Don't access it beyond this line! */
67819 free_percpu:
67820 if (percpu)
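Review bot: `free_init_rx:` now sits before `percpu_modfree(mod->refptr)`, whereas the old `free_init:` label sat after it, and the only `goto free_init_rx` visible in this patch is taken when `mod->refptr` is NULL. The failed allocation is therefore handed to `percpu_modfree()`; whether that helper accepts NULL is not visible here, so either keep the label after the call (`percpu_modfree(mod->refptr);` then ` free_init_rx:`) or guard the call with `if (mod->refptr)`. The rest of the unwind (init_rx, core_rx, init_rw, core_rw) correctly mirrors the allocation order in reverse. The function body continues outside the hunk.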
67821 @@ -2653,10 +2792,12 @@ SYSCALL_DEFINE3(init_module, void __user
67822 mod->symtab = mod->core_symtab;
67823 mod->strtab = mod->core_strtab;
67824 #endif
67825 - module_free(mod, mod->module_init);
67826 - mod->module_init = NULL;
67827 - mod->init_size = 0;
67828 - mod->init_text_size = 0;
67829 + module_free(mod, mod->module_init_rw);
67830 + module_free_exec(mod, mod->module_init_rx);
67831 + mod->module_init_rw = NULL;
67832 + mod->module_init_rx = NULL;
67833 + mod->init_size_rw = 0;
67834 + mod->init_size_rx = 0;
67835 mutex_unlock(&module_mutex);
67836
67837 return 0;
67838 @@ -2687,10 +2828,16 @@ static const char *get_ksymbol(struct mo
67839 unsigned long nextval;
67840
67841 /* At worse, next value is at end of module */
67842 - if (within_module_init(addr, mod))
67843 - nextval = (unsigned long)mod->module_init+mod->init_text_size;
67844 + if (within_module_init_rx(addr, mod))
67845 + nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
67846 + else if (within_module_init_rw(addr, mod))
67847 + nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
67848 + else if (within_module_core_rx(addr, mod))
67849 + nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
67850 + else if (within_module_core_rw(addr, mod))
67851 + nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
67852 else
67853 - nextval = (unsigned long)mod->module_core+mod->core_text_size;
67854 + return NULL;
67855
67856 /* Scan for closest preceeding symbol, and next symbol. (ELF
67857 starts real symbols at 1). */
67858 @@ -2936,7 +3083,7 @@ static int m_show(struct seq_file *m, vo
67859 char buf[8];
67860
67861 seq_printf(m, "%s %u",
67862 - mod->name, mod->init_size + mod->core_size);
67863 + mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
67864 print_unload_info(m, mod);
67865
67866 /* Informative for users. */
67867 @@ -2945,7 +3092,7 @@ static int m_show(struct seq_file *m, vo
67868 mod->state == MODULE_STATE_COMING ? "Loading":
67869 "Live");
67870 /* Used by oprofile and other similar tools. */
67871 - seq_printf(m, " 0x%p", mod->module_core);
67872 + seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
67873
67874 /* Taints info */
67875 if (mod->taints)
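Review bot: The address column of /proc/modules changes from one value to two (`" 0x%p 0x%p"`), while the comment directly above still says only that the field is used by oprofile and similar tools. A parser that expects a single address followed by the taint string would presumably misread the second address. The comment should at least document the new layout, e.g. `/* Used by oprofile and other similar tools: RX base first, then RW base. */`. m_show begins and ends outside the hunk.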
67876 @@ -2981,7 +3128,17 @@ static const struct file_operations proc
67877
67878 static int __init proc_modules_init(void)
67879 {
67880 +#ifndef CONFIG_GRKERNSEC_HIDESYM
67881 +#ifdef CONFIG_GRKERNSEC_PROC_USER
67882 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
67883 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
67884 + proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
67885 +#else
67886 proc_create("modules", 0, NULL, &proc_modules_operations);
67887 +#endif
67888 +#else
67889 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
67890 +#endif
67891 return 0;
67892 }
67893 module_init(proc_modules_init);
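Review bot: The four `proc_create("modules", ...)` calls differ only in the mode argument, and the HIDESYM and PROC_USER branches pass the same `S_IRUSR`, so the nested `#ifndef`/`#ifdef` ladder is harder to audit than it needs to be. Computing the mode once and calling `proc_create()` a single time gives the same result for every configuration and makes it obvious which options restrict the file. A one-line comment that the restriction exists because m_show prints module base addresses would also help.

```c
static int __init proc_modules_init(void)
{
	/* /proc/modules prints module base addresses; restrict who may read it. */
	mode_t mode = 0;

#if defined(CONFIG_GRKERNSEC_HIDESYM) || defined(CONFIG_GRKERNSEC_PROC_USER)
	mode = S_IRUSR;
#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
	mode = S_IRUSR | S_IRGRP;
#endif
	proc_create("modules", mode, NULL, &proc_modules_operations);
	/* … unchanged: return 0 … */
```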
67894 @@ -3040,12 +3197,12 @@ struct module *__module_address(unsigned
67895 {
67896 struct module *mod;
67897
67898 - if (addr < module_addr_min || addr > module_addr_max)
67899 + if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
67900 + (addr < module_addr_min_rw || addr > module_addr_max_rw))
67901 return NULL;
67902
67903 list_for_each_entry_rcu(mod, &modules, list)
67904 - if (within_module_core(addr, mod)
67905 - || within_module_init(addr, mod))
67906 + if (within_module_init(addr, mod) || within_module_core(addr, mod))
67907 return mod;
67908 return NULL;
67909 }
67910 @@ -3079,11 +3236,20 @@ bool is_module_text_address(unsigned lon
67911 */
67912 struct module *__module_text_address(unsigned long addr)
67913 {
67914 - struct module *mod = __module_address(addr);
67915 + struct module *mod;
67916 +
67917 +#ifdef CONFIG_X86_32
67918 + addr = ktla_ktva(addr);
67919 +#endif
67920 +
67921 + if (addr < module_addr_min_rx || addr > module_addr_max_rx)
67922 + return NULL;
67923 +
67924 + mod = __module_address(addr);
67925 +
67926 if (mod) {
67927 /* Make sure it's within the text section. */
67928 - if (!within(addr, mod->module_init, mod->init_text_size)
67929 - && !within(addr, mod->module_core, mod->core_text_size))
67930 + if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
67931 mod = NULL;
67932 }
67933 return mod;
67934 diff -urNp linux-2.6.32.46/kernel/mutex.c linux-2.6.32.46/kernel/mutex.c
67935 --- linux-2.6.32.46/kernel/mutex.c 2011-03-27 14:31:47.000000000 -0400
67936 +++ linux-2.6.32.46/kernel/mutex.c 2011-04-17 15:56:46.000000000 -0400
67937 @@ -169,7 +169,7 @@ __mutex_lock_common(struct mutex *lock,
67938 */
67939
67940 for (;;) {
67941 - struct thread_info *owner;
67942 + struct task_struct *owner;
67943
67944 /*
67945 * If we own the BKL, then don't spin. The owner of
67946 @@ -214,7 +214,7 @@ __mutex_lock_common(struct mutex *lock,
67947 spin_lock_mutex(&lock->wait_lock, flags);
67948
67949 debug_mutex_lock_common(lock, &waiter);
67950 - debug_mutex_add_waiter(lock, &waiter, task_thread_info(task));
67951 + debug_mutex_add_waiter(lock, &waiter, task);
67952
67953 /* add waiting tasks to the end of the waitqueue (FIFO): */
67954 list_add_tail(&waiter.list, &lock->wait_list);
67955 @@ -243,8 +243,7 @@ __mutex_lock_common(struct mutex *lock,
67956 * TASK_UNINTERRUPTIBLE case.)
67957 */
67958 if (unlikely(signal_pending_state(state, task))) {
67959 - mutex_remove_waiter(lock, &waiter,
67960 - task_thread_info(task));
67961 + mutex_remove_waiter(lock, &waiter, task);
67962 mutex_release(&lock->dep_map, 1, ip);
67963 spin_unlock_mutex(&lock->wait_lock, flags);
67964
67965 @@ -265,7 +264,7 @@ __mutex_lock_common(struct mutex *lock,
67966 done:
67967 lock_acquired(&lock->dep_map, ip);
67968 /* got the lock - rejoice! */
67969 - mutex_remove_waiter(lock, &waiter, current_thread_info());
67970 + mutex_remove_waiter(lock, &waiter, task);
67971 mutex_set_owner(lock);
67972
67973 /* set it to 0 if there are no waiters left: */
67974 diff -urNp linux-2.6.32.46/kernel/mutex-debug.c linux-2.6.32.46/kernel/mutex-debug.c
67975 --- linux-2.6.32.46/kernel/mutex-debug.c 2011-03-27 14:31:47.000000000 -0400
67976 +++ linux-2.6.32.46/kernel/mutex-debug.c 2011-04-17 15:56:46.000000000 -0400
67977 @@ -49,21 +49,21 @@ void debug_mutex_free_waiter(struct mute
67978 }
67979
67980 void debug_mutex_add_waiter(struct mutex *lock, struct mutex_waiter *waiter,
67981 - struct thread_info *ti)
67982 + struct task_struct *task)
67983 {
67984 SMP_DEBUG_LOCKS_WARN_ON(!spin_is_locked(&lock->wait_lock));
67985
67986 /* Mark the current thread as blocked on the lock: */
67987 - ti->task->blocked_on = waiter;
67988 + task->blocked_on = waiter;
67989 }
67990
67991 void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
67992 - struct thread_info *ti)
67993 + struct task_struct *task)
67994 {
67995 DEBUG_LOCKS_WARN_ON(list_empty(&waiter->list));
67996 - DEBUG_LOCKS_WARN_ON(waiter->task != ti->task);
67997 - DEBUG_LOCKS_WARN_ON(ti->task->blocked_on != waiter);
67998 - ti->task->blocked_on = NULL;
67999 + DEBUG_LOCKS_WARN_ON(waiter->task != task);
68000 + DEBUG_LOCKS_WARN_ON(task->blocked_on != waiter);
68001 + task->blocked_on = NULL;
68002
68003 list_del_init(&waiter->list);
68004 waiter->task = NULL;
68005 @@ -75,7 +75,7 @@ void debug_mutex_unlock(struct mutex *lo
68006 return;
68007
68008 DEBUG_LOCKS_WARN_ON(lock->magic != lock);
68009 - DEBUG_LOCKS_WARN_ON(lock->owner != current_thread_info());
68010 + DEBUG_LOCKS_WARN_ON(lock->owner != current);
68011 DEBUG_LOCKS_WARN_ON(!lock->wait_list.prev && !lock->wait_list.next);
68012 mutex_clear_owner(lock);
68013 }
68014 diff -urNp linux-2.6.32.46/kernel/mutex-debug.h linux-2.6.32.46/kernel/mutex-debug.h
68015 --- linux-2.6.32.46/kernel/mutex-debug.h 2011-03-27 14:31:47.000000000 -0400
68016 +++ linux-2.6.32.46/kernel/mutex-debug.h 2011-04-17 15:56:46.000000000 -0400
68017 @@ -20,16 +20,16 @@ extern void debug_mutex_wake_waiter(stru
68018 extern void debug_mutex_free_waiter(struct mutex_waiter *waiter);
68019 extern void debug_mutex_add_waiter(struct mutex *lock,
68020 struct mutex_waiter *waiter,
68021 - struct thread_info *ti);
68022 + struct task_struct *task);
68023 extern void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
68024 - struct thread_info *ti);
68025 + struct task_struct *task);
68026 extern void debug_mutex_unlock(struct mutex *lock);
68027 extern void debug_mutex_init(struct mutex *lock, const char *name,
68028 struct lock_class_key *key);
68029
68030 static inline void mutex_set_owner(struct mutex *lock)
68031 {
68032 - lock->owner = current_thread_info();
68033 + lock->owner = current;
68034 }
68035
68036 static inline void mutex_clear_owner(struct mutex *lock)
68037 diff -urNp linux-2.6.32.46/kernel/mutex.h linux-2.6.32.46/kernel/mutex.h
68038 --- linux-2.6.32.46/kernel/mutex.h 2011-03-27 14:31:47.000000000 -0400
68039 +++ linux-2.6.32.46/kernel/mutex.h 2011-04-17 15:56:46.000000000 -0400
68040 @@ -19,7 +19,7 @@
68041 #ifdef CONFIG_SMP
68042 static inline void mutex_set_owner(struct mutex *lock)
68043 {
68044 - lock->owner = current_thread_info();
68045 + lock->owner = current;
68046 }
68047
68048 static inline void mutex_clear_owner(struct mutex *lock)
68049 diff -urNp linux-2.6.32.46/kernel/panic.c linux-2.6.32.46/kernel/panic.c
68050 --- linux-2.6.32.46/kernel/panic.c 2011-03-27 14:31:47.000000000 -0400
68051 +++ linux-2.6.32.46/kernel/panic.c 2011-04-17 15:56:46.000000000 -0400
68052 @@ -352,7 +352,7 @@ static void warn_slowpath_common(const c
68053 const char *board;
68054
68055 printk(KERN_WARNING "------------[ cut here ]------------\n");
68056 - printk(KERN_WARNING "WARNING: at %s:%d %pS()\n", file, line, caller);
68057 + printk(KERN_WARNING "WARNING: at %s:%d %pA()\n", file, line, caller);
68058 board = dmi_get_system_info(DMI_PRODUCT_NAME);
68059 if (board)
68060 printk(KERN_WARNING "Hardware name: %s\n", board);
68061 @@ -392,7 +392,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
68062 */
68063 void __stack_chk_fail(void)
68064 {
68065 - panic("stack-protector: Kernel stack is corrupted in: %p\n",
68066 + dump_stack();
68067 + panic("stack-protector: Kernel stack is corrupted in: %pA\n",
68068 __builtin_return_address(0));
68069 }
68070 EXPORT_SYMBOL(__stack_chk_fail);
68071 diff -urNp linux-2.6.32.46/kernel/params.c linux-2.6.32.46/kernel/params.c
68072 --- linux-2.6.32.46/kernel/params.c 2011-03-27 14:31:47.000000000 -0400
68073 +++ linux-2.6.32.46/kernel/params.c 2011-04-17 15:56:46.000000000 -0400
68074 @@ -725,7 +725,7 @@ static ssize_t module_attr_store(struct
68075 return ret;
68076 }
68077
68078 -static struct sysfs_ops module_sysfs_ops = {
68079 +static const struct sysfs_ops module_sysfs_ops = {
68080 .show = module_attr_show,
68081 .store = module_attr_store,
68082 };
68083 @@ -739,7 +739,7 @@ static int uevent_filter(struct kset *ks
68084 return 0;
68085 }
68086
68087 -static struct kset_uevent_ops module_uevent_ops = {
68088 +static const struct kset_uevent_ops module_uevent_ops = {
68089 .filter = uevent_filter,
68090 };
68091
68092 diff -urNp linux-2.6.32.46/kernel/perf_event.c linux-2.6.32.46/kernel/perf_event.c
68093 --- linux-2.6.32.46/kernel/perf_event.c 2011-08-09 18:35:30.000000000 -0400
68094 +++ linux-2.6.32.46/kernel/perf_event.c 2011-10-06 09:37:14.000000000 -0400
68095 @@ -77,7 +77,7 @@ int sysctl_perf_event_mlock __read_mostl
68096 */
68097 int sysctl_perf_event_sample_rate __read_mostly = 100000;
68098
68099 -static atomic64_t perf_event_id;
68100 +static atomic64_unchecked_t perf_event_id;
68101
68102 /*
68103 * Lock for (sysadmin-configurable) event reservations:
68104 @@ -1094,9 +1094,9 @@ static void __perf_event_sync_stat(struc
68105 * In order to keep per-task stats reliable we need to flip the event
68106 * values when we flip the contexts.
68107 */
68108 - value = atomic64_read(&next_event->count);
68109 - value = atomic64_xchg(&event->count, value);
68110 - atomic64_set(&next_event->count, value);
68111 + value = atomic64_read_unchecked(&next_event->count);
68112 + value = atomic64_xchg_unchecked(&event->count, value);
68113 + atomic64_set_unchecked(&next_event->count, value);
68114
68115 swap(event->total_time_enabled, next_event->total_time_enabled);
68116 swap(event->total_time_running, next_event->total_time_running);
68117 @@ -1552,7 +1552,7 @@ static u64 perf_event_read(struct perf_e
68118 update_event_times(event);
68119 }
68120
68121 - return atomic64_read(&event->count);
68122 + return atomic64_read_unchecked(&event->count);
68123 }
68124
68125 /*
68126 @@ -1790,11 +1790,11 @@ static int perf_event_read_group(struct
68127 values[n++] = 1 + leader->nr_siblings;
68128 if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
68129 values[n++] = leader->total_time_enabled +
68130 - atomic64_read(&leader->child_total_time_enabled);
68131 + atomic64_read_unchecked(&leader->child_total_time_enabled);
68132 }
68133 if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) {
68134 values[n++] = leader->total_time_running +
68135 - atomic64_read(&leader->child_total_time_running);
68136 + atomic64_read_unchecked(&leader->child_total_time_running);
68137 }
68138
68139 size = n * sizeof(u64);
68140 @@ -1829,11 +1829,11 @@ static int perf_event_read_one(struct pe
68141 values[n++] = perf_event_read_value(event);
68142 if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
68143 values[n++] = event->total_time_enabled +
68144 - atomic64_read(&event->child_total_time_enabled);
68145 + atomic64_read_unchecked(&event->child_total_time_enabled);
68146 }
68147 if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) {
68148 values[n++] = event->total_time_running +
68149 - atomic64_read(&event->child_total_time_running);
68150 + atomic64_read_unchecked(&event->child_total_time_running);
68151 }
68152 if (read_format & PERF_FORMAT_ID)
68153 values[n++] = primary_event_id(event);
68154 @@ -1903,7 +1903,7 @@ static unsigned int perf_poll(struct fil
68155 static void perf_event_reset(struct perf_event *event)
68156 {
68157 (void)perf_event_read(event);
68158 - atomic64_set(&event->count, 0);
68159 + atomic64_set_unchecked(&event->count, 0);
68160 perf_event_update_userpage(event);
68161 }
68162
68163 @@ -2079,15 +2079,15 @@ void perf_event_update_userpage(struct p
68164 ++userpg->lock;
68165 barrier();
68166 userpg->index = perf_event_index(event);
68167 - userpg->offset = atomic64_read(&event->count);
68168 + userpg->offset = atomic64_read_unchecked(&event->count);
68169 if (event->state == PERF_EVENT_STATE_ACTIVE)
68170 - userpg->offset -= atomic64_read(&event->hw.prev_count);
68171 + userpg->offset -= atomic64_read_unchecked(&event->hw.prev_count);
68172
68173 userpg->time_enabled = event->total_time_enabled +
68174 - atomic64_read(&event->child_total_time_enabled);
68175 + atomic64_read_unchecked(&event->child_total_time_enabled);
68176
68177 userpg->time_running = event->total_time_running +
68178 - atomic64_read(&event->child_total_time_running);
68179 + atomic64_read_unchecked(&event->child_total_time_running);
68180
68181 barrier();
68182 ++userpg->lock;
68183 @@ -2903,14 +2903,14 @@ static void perf_output_read_one(struct
68184 u64 values[4];
68185 int n = 0;
68186
68187 - values[n++] = atomic64_read(&event->count);
68188 + values[n++] = atomic64_read_unchecked(&event->count);
68189 if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
68190 values[n++] = event->total_time_enabled +
68191 - atomic64_read(&event->child_total_time_enabled);
68192 + atomic64_read_unchecked(&event->child_total_time_enabled);
68193 }
68194 if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) {
68195 values[n++] = event->total_time_running +
68196 - atomic64_read(&event->child_total_time_running);
68197 + atomic64_read_unchecked(&event->child_total_time_running);
68198 }
68199 if (read_format & PERF_FORMAT_ID)
68200 values[n++] = primary_event_id(event);
68201 @@ -2940,7 +2940,7 @@ static void perf_output_read_group(struc
68202 if (leader != event)
68203 leader->pmu->read(leader);
68204
68205 - values[n++] = atomic64_read(&leader->count);
68206 + values[n++] = atomic64_read_unchecked(&leader->count);
68207 if (read_format & PERF_FORMAT_ID)
68208 values[n++] = primary_event_id(leader);
68209
68210 @@ -2952,7 +2952,7 @@ static void perf_output_read_group(struc
68211 if (sub != event)
68212 sub->pmu->read(sub);
68213
68214 - values[n++] = atomic64_read(&sub->count);
68215 + values[n++] = atomic64_read_unchecked(&sub->count);
68216 if (read_format & PERF_FORMAT_ID)
68217 values[n++] = primary_event_id(sub);
68218
68219 @@ -3525,12 +3525,12 @@ static void perf_event_mmap_event(struct
68220 * need to add enough zero bytes after the string to handle
68221 * the 64bit alignment we do later.
68222 */
68223 - buf = kzalloc(PATH_MAX + sizeof(u64), GFP_KERNEL);
68224 + buf = kzalloc(PATH_MAX, GFP_KERNEL);
68225 if (!buf) {
68226 name = strncpy(tmp, "//enomem", sizeof(tmp));
68227 goto got_name;
68228 }
68229 - name = d_path(&file->f_path, buf, PATH_MAX);
68230 + name = d_path(&file->f_path, buf, PATH_MAX - sizeof(u64));
68231 if (IS_ERR(name)) {
68232 name = strncpy(tmp, "//toolong", sizeof(tmp));
68233 goto got_name;
68234 @@ -3783,7 +3783,7 @@ static void perf_swevent_add(struct perf
68235 {
68236 struct hw_perf_event *hwc = &event->hw;
68237
68238 - atomic64_add(nr, &event->count);
68239 + atomic64_add_unchecked(nr, &event->count);
68240
68241 if (!hwc->sample_period)
68242 return;
68243 @@ -4040,9 +4040,9 @@ static void cpu_clock_perf_event_update(
68244 u64 now;
68245
68246 now = cpu_clock(cpu);
68247 - prev = atomic64_read(&event->hw.prev_count);
68248 - atomic64_set(&event->hw.prev_count, now);
68249 - atomic64_add(now - prev, &event->count);
68250 + prev = atomic64_read_unchecked(&event->hw.prev_count);
68251 + atomic64_set_unchecked(&event->hw.prev_count, now);
68252 + atomic64_add_unchecked(now - prev, &event->count);
68253 }
68254
68255 static int cpu_clock_perf_event_enable(struct perf_event *event)
68256 @@ -4050,7 +4050,7 @@ static int cpu_clock_perf_event_enable(s
68257 struct hw_perf_event *hwc = &event->hw;
68258 int cpu = raw_smp_processor_id();
68259
68260 - atomic64_set(&hwc->prev_count, cpu_clock(cpu));
68261 + atomic64_set_unchecked(&hwc->prev_count, cpu_clock(cpu));
68262 perf_swevent_start_hrtimer(event);
68263
68264 return 0;
68265 @@ -4082,9 +4082,9 @@ static void task_clock_perf_event_update
68266 u64 prev;
68267 s64 delta;
68268
68269 - prev = atomic64_xchg(&event->hw.prev_count, now);
68270 + prev = atomic64_xchg_unchecked(&event->hw.prev_count, now);
68271 delta = now - prev;
68272 - atomic64_add(delta, &event->count);
68273 + atomic64_add_unchecked(delta, &event->count);
68274 }
68275
68276 static int task_clock_perf_event_enable(struct perf_event *event)
68277 @@ -4094,7 +4094,7 @@ static int task_clock_perf_event_enable(
68278
68279 now = event->ctx->time;
68280
68281 - atomic64_set(&hwc->prev_count, now);
68282 + atomic64_set_unchecked(&hwc->prev_count, now);
68283
68284 perf_swevent_start_hrtimer(event);
68285
68286 @@ -4289,7 +4289,7 @@ perf_event_alloc(struct perf_event_attr
68287 event->parent = parent_event;
68288
68289 event->ns = get_pid_ns(current->nsproxy->pid_ns);
68290 - event->id = atomic64_inc_return(&perf_event_id);
68291 + event->id = atomic64_inc_return_unchecked(&perf_event_id);
68292
68293 event->state = PERF_EVENT_STATE_INACTIVE;
68294
68295 @@ -4720,15 +4720,15 @@ static void sync_child_event(struct perf
68296 if (child_event->attr.inherit_stat)
68297 perf_event_read_event(child_event, child);
68298
68299 - child_val = atomic64_read(&child_event->count);
68300 + child_val = atomic64_read_unchecked(&child_event->count);
68301
68302 /*
68303 * Add back the child's count to the parent's count:
68304 */
68305 - atomic64_add(child_val, &parent_event->count);
68306 - atomic64_add(child_event->total_time_enabled,
68307 + atomic64_add_unchecked(child_val, &parent_event->count);
68308 + atomic64_add_unchecked(child_event->total_time_enabled,
68309 &parent_event->child_total_time_enabled);
68310 - atomic64_add(child_event->total_time_running,
68311 + atomic64_add_unchecked(child_event->total_time_running,
68312 &parent_event->child_total_time_running);
68313
68314 /*
68315 diff -urNp linux-2.6.32.46/kernel/pid.c linux-2.6.32.46/kernel/pid.c
68316 --- linux-2.6.32.46/kernel/pid.c 2011-04-22 19:16:29.000000000 -0400
68317 +++ linux-2.6.32.46/kernel/pid.c 2011-08-21 19:11:29.000000000 -0400
68318 @@ -33,6 +33,7 @@
68319 #include <linux/rculist.h>
68320 #include <linux/bootmem.h>
68321 #include <linux/hash.h>
68322 +#include <linux/security.h>
68323 #include <linux/pid_namespace.h>
68324 #include <linux/init_task.h>
68325 #include <linux/syscalls.h>
68326 @@ -45,7 +46,7 @@ struct pid init_struct_pid = INIT_STRUCT
68327
68328 int pid_max = PID_MAX_DEFAULT;
68329
68330 -#define RESERVED_PIDS 300
68331 +#define RESERVED_PIDS 500
68332
68333 int pid_max_min = RESERVED_PIDS + 1;
68334 int pid_max_max = PID_MAX_LIMIT;
68335 @@ -383,7 +384,14 @@ EXPORT_SYMBOL(pid_task);
68336 */
68337 struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
68338 {
68339 - return pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
68340 + struct task_struct *task;
68341 +
68342 + task = pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
68343 +
68344 + if (gr_pid_is_chrooted(task))
68345 + return NULL;
68346 +
68347 + return task;
68348 }
68349
68350 struct task_struct *find_task_by_vpid(pid_t vnr)
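Review bot: `pid_task()` can return NULL when no task matches, and that value is now passed straight to `gr_pid_is_chrooted(task)`; the helper's definition is not part of this hunk, so it is not visible whether it tolerates NULL. Making the dependency explicit costs nothing: `if (task && gr_pid_is_chrooted(task))` followed by `return NULL;`. The function's header comment should also mention that results are now filtered through gr_pid_is_chrooted(), since callers can get NULL for a pid that exists.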
68351 @@ -391,6 +399,11 @@ struct task_struct *find_task_by_vpid(pi
68352 return find_task_by_pid_ns(vnr, current->nsproxy->pid_ns);
68353 }
68354
68355 +struct task_struct *find_task_by_vpid_unrestricted(pid_t vnr)
68356 +{
68357 + return pid_task(find_pid_ns(vnr, current->nsproxy->pid_ns), PIDTYPE_PID);
68358 +}
68359 +
68360 struct pid *get_task_pid(struct task_struct *task, enum pid_type type)
68361 {
68362 struct pid *pid;
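Review bot: `find_task_by_vpid_unrestricted()` is added without any comment, although its only difference from `find_task_by_vpid()` is that it skips the `gr_pid_is_chrooted()` filter now applied in `find_task_by_pid_ns()`. A helper that bypasses a security check should say so and name who may use it, for example `/* Like find_task_by_vpid(), but skips the gr_pid_is_chrooted() check; only for callers that must see every task. */`. Without that, a later caller can pick the unrestricted variant by accident and undo the filtering.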
68363 diff -urNp linux-2.6.32.46/kernel/posix-cpu-timers.c linux-2.6.32.46/kernel/posix-cpu-timers.c
68364 --- linux-2.6.32.46/kernel/posix-cpu-timers.c 2011-03-27 14:31:47.000000000 -0400
68365 +++ linux-2.6.32.46/kernel/posix-cpu-timers.c 2011-08-06 09:33:44.000000000 -0400
68366 @@ -6,6 +6,7 @@
68367 #include <linux/posix-timers.h>
68368 #include <linux/errno.h>
68369 #include <linux/math64.h>
68370 +#include <linux/security.h>
68371 #include <asm/uaccess.h>
68372 #include <linux/kernel_stat.h>
68373 #include <trace/events/timer.h>
68374 @@ -1697,7 +1698,7 @@ static long thread_cpu_nsleep_restart(st
68375
68376 static __init int init_posix_cpu_timers(void)
68377 {
68378 - struct k_clock process = {
68379 + static struct k_clock process = {
68380 .clock_getres = process_cpu_clock_getres,
68381 .clock_get = process_cpu_clock_get,
68382 .clock_set = do_posix_clock_nosettime,
68383 @@ -1705,7 +1706,7 @@ static __init int init_posix_cpu_timers(
68384 .nsleep = process_cpu_nsleep,
68385 .nsleep_restart = process_cpu_nsleep_restart,
68386 };
68387 - struct k_clock thread = {
68388 + static struct k_clock thread = {
68389 .clock_getres = thread_cpu_clock_getres,
68390 .clock_get = thread_cpu_clock_get,
68391 .clock_set = do_posix_clock_nosettime,
68392 diff -urNp linux-2.6.32.46/kernel/posix-timers.c linux-2.6.32.46/kernel/posix-timers.c
68393 --- linux-2.6.32.46/kernel/posix-timers.c 2011-03-27 14:31:47.000000000 -0400
68394 +++ linux-2.6.32.46/kernel/posix-timers.c 2011-08-23 20:22:38.000000000 -0400
68395 @@ -42,6 +42,7 @@
68396 #include <linux/compiler.h>
68397 #include <linux/idr.h>
68398 #include <linux/posix-timers.h>
68399 +#include <linux/grsecurity.h>
68400 #include <linux/syscalls.h>
68401 #include <linux/wait.h>
68402 #include <linux/workqueue.h>
68403 @@ -131,7 +132,7 @@ static DEFINE_SPINLOCK(idr_lock);
68404 * which we beg off on and pass to do_sys_settimeofday().
68405 */
68406
68407 -static struct k_clock posix_clocks[MAX_CLOCKS];
68408 +static struct k_clock *posix_clocks[MAX_CLOCKS];
68409
68410 /*
68411 * These ones are defined below.
68412 @@ -157,8 +158,8 @@ static inline void unlock_timer(struct k
68413 */
68414 #define CLOCK_DISPATCH(clock, call, arglist) \
68415 ((clock) < 0 ? posix_cpu_##call arglist : \
68416 - (posix_clocks[clock].call != NULL \
68417 - ? (*posix_clocks[clock].call) arglist : common_##call arglist))
68418 + (posix_clocks[clock]->call != NULL \
68419 + ? (*posix_clocks[clock]->call) arglist : common_##call arglist))
68420
68421 /*
68422 * Default clock hook functions when the struct k_clock passed
68423 @@ -172,7 +173,7 @@ static inline int common_clock_getres(co
68424 struct timespec *tp)
68425 {
68426 tp->tv_sec = 0;
68427 - tp->tv_nsec = posix_clocks[which_clock].res;
68428 + tp->tv_nsec = posix_clocks[which_clock]->res;
68429 return 0;
68430 }
68431
68432 @@ -217,9 +218,11 @@ static inline int invalid_clockid(const
68433 return 0;
68434 if ((unsigned) which_clock >= MAX_CLOCKS)
68435 return 1;
68436 - if (posix_clocks[which_clock].clock_getres != NULL)
68437 + if (posix_clocks[which_clock] == NULL)
68438 return 0;
68439 - if (posix_clocks[which_clock].res != 0)
68440 + if (posix_clocks[which_clock]->clock_getres != NULL)
68441 + return 0;
68442 + if (posix_clocks[which_clock]->res != 0)
68443 return 0;
68444 return 1;
68445 }
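Review bot: The new `posix_clocks[which_clock] == NULL` branch in `invalid_clockid` returns 0, which by the surrounding returns (1 for `>= MAX_CLOCKS`, 1 as the final fallthrough) means "valid". Before this change an unregistered slot was a zeroed `struct k_clock` and fell through to `return 1`. Now an unregistered id below `MAX_CLOCKS` appears to pass validation and reach `CLOCK_DISPATCH` or `common_clock_getres`, both of which dereference `posix_clocks[clock]->...` without a NULL check in the earlier hunks of this file. The branch should read `if (posix_clocks[which_clock] == NULL) return 1;`. The function starts outside this hunk, so the first lines of its body are not visible here.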
68446 @@ -266,29 +269,29 @@ int posix_get_coarse_res(const clockid_t
68447 */
68448 static __init int init_posix_timers(void)
68449 {
68450 - struct k_clock clock_realtime = {
68451 + static struct k_clock clock_realtime = {
68452 .clock_getres = hrtimer_get_res,
68453 };
68454 - struct k_clock clock_monotonic = {
68455 + static struct k_clock clock_monotonic = {
68456 .clock_getres = hrtimer_get_res,
68457 .clock_get = posix_ktime_get_ts,
68458 .clock_set = do_posix_clock_nosettime,
68459 };
68460 - struct k_clock clock_monotonic_raw = {
68461 + static struct k_clock clock_monotonic_raw = {
68462 .clock_getres = hrtimer_get_res,
68463 .clock_get = posix_get_monotonic_raw,
68464 .clock_set = do_posix_clock_nosettime,
68465 .timer_create = no_timer_create,
68466 .nsleep = no_nsleep,
68467 };
68468 - struct k_clock clock_realtime_coarse = {
68469 + static struct k_clock clock_realtime_coarse = {
68470 .clock_getres = posix_get_coarse_res,
68471 .clock_get = posix_get_realtime_coarse,
68472 .clock_set = do_posix_clock_nosettime,
68473 .timer_create = no_timer_create,
68474 .nsleep = no_nsleep,
68475 };
68476 - struct k_clock clock_monotonic_coarse = {
68477 + static struct k_clock clock_monotonic_coarse = {
68478 .clock_getres = posix_get_coarse_res,
68479 .clock_get = posix_get_monotonic_coarse,
68480 .clock_set = do_posix_clock_nosettime,
68481 @@ -296,6 +299,8 @@ static __init int init_posix_timers(void
68482 .nsleep = no_nsleep,
68483 };
68484
68485 + pax_track_stack();
68486 +
68487 register_posix_clock(CLOCK_REALTIME, &clock_realtime);
68488 register_posix_clock(CLOCK_MONOTONIC, &clock_monotonic);
68489 register_posix_clock(CLOCK_MONOTONIC_RAW, &clock_monotonic_raw);
68490 @@ -484,7 +489,7 @@ void register_posix_clock(const clockid_
68491 return;
68492 }
68493
68494 - posix_clocks[clock_id] = *new_clock;
68495 + posix_clocks[clock_id] = new_clock;
68496 }
68497 EXPORT_SYMBOL_GPL(register_posix_clock);
68498
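Review bot: `register_posix_clock` now stores the caller's pointer instead of copying the structure, which changes the lifetime contract of an `EXPORT_SYMBOL_GPL` interface without documenting it. The in-tree callers visible in this patch were switched to `static struct k_clock`, but any other caller that still passes a stack-local `k_clock` would leave a dangling pointer in `posix_clocks[]`. The function comment, which is outside the hunk, should say so, e.g. `/* new_clock is stored by reference and must have static storage duration. */`.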
68499 @@ -948,6 +953,13 @@ SYSCALL_DEFINE2(clock_settime, const clo
68500 if (copy_from_user(&new_tp, tp, sizeof (*tp)))
68501 return -EFAULT;
68502
68503 + /* only the CLOCK_REALTIME clock can be set, all other clocks
68504 + have their clock_set fptr set to a nosettime dummy function
68505 + CLOCK_REALTIME has a NULL clock_set fptr which causes it to
68506 + call common_clock_set, which calls do_sys_settimeofday, which
68507 + we hook
68508 + */
68509 +
68510 return CLOCK_DISPATCH(which_clock, clock_set, (which_clock, &new_tp));
68511 }
68512
68513 diff -urNp linux-2.6.32.46/kernel/power/hibernate.c linux-2.6.32.46/kernel/power/hibernate.c
68514 --- linux-2.6.32.46/kernel/power/hibernate.c 2011-03-27 14:31:47.000000000 -0400
68515 +++ linux-2.6.32.46/kernel/power/hibernate.c 2011-04-17 15:56:46.000000000 -0400
68516 @@ -48,14 +48,14 @@ enum {
68517
68518 static int hibernation_mode = HIBERNATION_SHUTDOWN;
68519
68520 -static struct platform_hibernation_ops *hibernation_ops;
68521 +static const struct platform_hibernation_ops *hibernation_ops;
68522
68523 /**
68524 * hibernation_set_ops - set the global hibernate operations
68525 * @ops: the hibernation operations to use in subsequent hibernation transitions
68526 */
68527
68528 -void hibernation_set_ops(struct platform_hibernation_ops *ops)
68529 +void hibernation_set_ops(const struct platform_hibernation_ops *ops)
68530 {
68531 if (ops && !(ops->begin && ops->end && ops->pre_snapshot
68532 && ops->prepare && ops->finish && ops->enter && ops->pre_restore
68533 diff -urNp linux-2.6.32.46/kernel/power/poweroff.c linux-2.6.32.46/kernel/power/poweroff.c
68534 --- linux-2.6.32.46/kernel/power/poweroff.c 2011-03-27 14:31:47.000000000 -0400
68535 +++ linux-2.6.32.46/kernel/power/poweroff.c 2011-04-17 15:56:46.000000000 -0400
68536 @@ -37,7 +37,7 @@ static struct sysrq_key_op sysrq_powerof
68537 .enable_mask = SYSRQ_ENABLE_BOOT,
68538 };
68539
68540 -static int pm_sysrq_init(void)
68541 +static int __init pm_sysrq_init(void)
68542 {
68543 register_sysrq_key('o', &sysrq_poweroff_op);
68544 return 0;
68545 diff -urNp linux-2.6.32.46/kernel/power/process.c linux-2.6.32.46/kernel/power/process.c
68546 --- linux-2.6.32.46/kernel/power/process.c 2011-03-27 14:31:47.000000000 -0400
68547 +++ linux-2.6.32.46/kernel/power/process.c 2011-04-17 15:56:46.000000000 -0400
68548 @@ -37,12 +37,15 @@ static int try_to_freeze_tasks(bool sig_
68549 struct timeval start, end;
68550 u64 elapsed_csecs64;
68551 unsigned int elapsed_csecs;
68552 + bool timedout = false;
68553
68554 do_gettimeofday(&start);
68555
68556 end_time = jiffies + TIMEOUT;
68557 do {
68558 todo = 0;
68559 + if (time_after(jiffies, end_time))
68560 + timedout = true;
68561 read_lock(&tasklist_lock);
68562 do_each_thread(g, p) {
68563 if (frozen(p) || !freezeable(p))
68564 @@ -57,15 +60,17 @@ static int try_to_freeze_tasks(bool sig_
68565 * It is "frozen enough". If the task does wake
68566 * up, it will immediately call try_to_freeze.
68567 */
68568 - if (!task_is_stopped_or_traced(p) &&
68569 - !freezer_should_skip(p))
68570 + if (!task_is_stopped_or_traced(p) && !freezer_should_skip(p)) {
68571 todo++;
68572 + if (timedout) {
68573 + printk(KERN_ERR "Task refusing to freeze:\n");
68574 + sched_show_task(p);
68575 + }
68576 + }
68577 } while_each_thread(g, p);
68578 read_unlock(&tasklist_lock);
68579 yield(); /* Yield is okay here */
68580 - if (time_after(jiffies, end_time))
68581 - break;
68582 - } while (todo);
68583 + } while (todo && !timedout);
68584
68585 do_gettimeofday(&end);
68586 elapsed_csecs64 = timeval_to_ns(&end) - timeval_to_ns(&start);
68587 diff -urNp linux-2.6.32.46/kernel/power/suspend.c linux-2.6.32.46/kernel/power/suspend.c
68588 --- linux-2.6.32.46/kernel/power/suspend.c 2011-03-27 14:31:47.000000000 -0400
68589 +++ linux-2.6.32.46/kernel/power/suspend.c 2011-04-17 15:56:46.000000000 -0400
68590 @@ -23,13 +23,13 @@ const char *const pm_states[PM_SUSPEND_M
68591 [PM_SUSPEND_MEM] = "mem",
68592 };
68593
68594 -static struct platform_suspend_ops *suspend_ops;
68595 +static const struct platform_suspend_ops *suspend_ops;
68596
68597 /**
68598 * suspend_set_ops - Set the global suspend method table.
68599 * @ops: Pointer to ops structure.
68600 */
68601 -void suspend_set_ops(struct platform_suspend_ops *ops)
68602 +void suspend_set_ops(const struct platform_suspend_ops *ops)
68603 {
68604 mutex_lock(&pm_mutex);
68605 suspend_ops = ops;
68606 diff -urNp linux-2.6.32.46/kernel/printk.c linux-2.6.32.46/kernel/printk.c
68607 --- linux-2.6.32.46/kernel/printk.c 2011-03-27 14:31:47.000000000 -0400
68608 +++ linux-2.6.32.46/kernel/printk.c 2011-04-17 15:56:46.000000000 -0400
68609 @@ -278,6 +278,11 @@ int do_syslog(int type, char __user *buf
68610 char c;
68611 int error = 0;
68612
68613 +#ifdef CONFIG_GRKERNSEC_DMESG
68614 + if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN))
68615 + return -EPERM;
68616 +#endif
68617 +
68618 error = security_syslog(type);
68619 if (error)
68620 return error;
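Review bot: The `CONFIG_GRKERNSEC_DMESG` gate added at the top of `do_syslog` has no comment, and two properties of it are easy to miss. It applies to every `type` value, not just the ones that read the buffer. It also returns before `security_syslog(type)`, so the LSM hook never sees a request that this check denies. A one-line comment such as `/* applies to all syslog actions and intentionally precedes the LSM hook */` would record that this ordering is deliberate. `grsec_enable_dmesg` is declared outside this file section, so its declaration cannot be checked from here.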
68621 diff -urNp linux-2.6.32.46/kernel/profile.c linux-2.6.32.46/kernel/profile.c
68622 --- linux-2.6.32.46/kernel/profile.c 2011-03-27 14:31:47.000000000 -0400
68623 +++ linux-2.6.32.46/kernel/profile.c 2011-05-04 17:56:28.000000000 -0400
68624 @@ -39,7 +39,7 @@ struct profile_hit {
68625 /* Oprofile timer tick hook */
68626 static int (*timer_hook)(struct pt_regs *) __read_mostly;
68627
68628 -static atomic_t *prof_buffer;
68629 +static atomic_unchecked_t *prof_buffer;
68630 static unsigned long prof_len, prof_shift;
68631
68632 int prof_on __read_mostly;
68633 @@ -283,7 +283,7 @@ static void profile_flip_buffers(void)
68634 hits[i].pc = 0;
68635 continue;
68636 }
68637 - atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
68638 + atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
68639 hits[i].hits = hits[i].pc = 0;
68640 }
68641 }
68642 @@ -346,9 +346,9 @@ void profile_hits(int type, void *__pc,
68643 * Add the current hit(s) and flush the write-queue out
68644 * to the global buffer:
68645 */
68646 - atomic_add(nr_hits, &prof_buffer[pc]);
68647 + atomic_add_unchecked(nr_hits, &prof_buffer[pc]);
68648 for (i = 0; i < NR_PROFILE_HIT; ++i) {
68649 - atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
68650 + atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
68651 hits[i].pc = hits[i].hits = 0;
68652 }
68653 out:
68654 @@ -426,7 +426,7 @@ void profile_hits(int type, void *__pc,
68655 if (prof_on != type || !prof_buffer)
68656 return;
68657 pc = ((unsigned long)__pc - (unsigned long)_stext) >> prof_shift;
68658 - atomic_add(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
68659 + atomic_add_unchecked(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
68660 }
68661 #endif /* !CONFIG_SMP */
68662 EXPORT_SYMBOL_GPL(profile_hits);
68663 @@ -517,7 +517,7 @@ read_profile(struct file *file, char __u
68664 return -EFAULT;
68665 buf++; p++; count--; read++;
68666 }
68667 - pnt = (char *)prof_buffer + p - sizeof(atomic_t);
68668 + pnt = (char *)prof_buffer + p - sizeof(atomic_unchecked_t);
68669 if (copy_to_user(buf, (void *)pnt, count))
68670 return -EFAULT;
68671 read += count;
68672 @@ -548,7 +548,7 @@ static ssize_t write_profile(struct file
68673 }
68674 #endif
68675 profile_discard_flip_buffers();
68676 - memset(prof_buffer, 0, prof_len * sizeof(atomic_t));
68677 + memset(prof_buffer, 0, prof_len * sizeof(atomic_unchecked_t));
68678 return count;
68679 }
68680
68681 diff -urNp linux-2.6.32.46/kernel/ptrace.c linux-2.6.32.46/kernel/ptrace.c
68682 --- linux-2.6.32.46/kernel/ptrace.c 2011-03-27 14:31:47.000000000 -0400
68683 +++ linux-2.6.32.46/kernel/ptrace.c 2011-05-22 23:02:06.000000000 -0400
68684 @@ -117,7 +117,8 @@ int ptrace_check_attach(struct task_stru
68685 return ret;
68686 }
68687
68688 -int __ptrace_may_access(struct task_struct *task, unsigned int mode)
68689 +static int __ptrace_may_access(struct task_struct *task, unsigned int mode,
68690 + unsigned int log)
68691 {
68692 const struct cred *cred = current_cred(), *tcred;
68693
68694 @@ -141,7 +142,9 @@ int __ptrace_may_access(struct task_stru
68695 cred->gid != tcred->egid ||
68696 cred->gid != tcred->sgid ||
68697 cred->gid != tcred->gid) &&
68698 - !capable(CAP_SYS_PTRACE)) {
68699 + ((!log && !capable_nolog(CAP_SYS_PTRACE)) ||
68700 + (log && !capable(CAP_SYS_PTRACE)))
68701 + ) {
68702 rcu_read_unlock();
68703 return -EPERM;
68704 }
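Review bot: The condition `((!log && !capable_nolog(CAP_SYS_PTRACE)) || (log && !capable(CAP_SYS_PTRACE)))` is written out twice in `__ptrace_may_access`, here and in the following hunk for the `dumpable` check. That makes it easy for the two copies to diverge. A small static helper returning `log ? capable(CAP_SYS_PTRACE) : capable_nolog(CAP_SYS_PTRACE)` would let both sites read `!ptrace_has_cap(log)` (helper name is a suggestion). The `log` parameter is only ever passed 0 or 1 in the visible callers, so `bool` would state the intent better than `unsigned int`. The function body extends beyond both hunks.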
68705 @@ -149,7 +152,9 @@ int __ptrace_may_access(struct task_stru
68706 smp_rmb();
68707 if (task->mm)
68708 dumpable = get_dumpable(task->mm);
68709 - if (!dumpable && !capable(CAP_SYS_PTRACE))
68710 + if (!dumpable &&
68711 + ((!log && !capable_nolog(CAP_SYS_PTRACE)) ||
68712 + (log && !capable(CAP_SYS_PTRACE))))
68713 return -EPERM;
68714
68715 return security_ptrace_access_check(task, mode);
68716 @@ -159,7 +164,16 @@ bool ptrace_may_access(struct task_struc
68717 {
68718 int err;
68719 task_lock(task);
68720 - err = __ptrace_may_access(task, mode);
68721 + err = __ptrace_may_access(task, mode, 0);
68722 + task_unlock(task);
68723 + return !err;
68724 +}
68725 +
68726 +bool ptrace_may_access_log(struct task_struct *task, unsigned int mode)
68727 +{
68728 + int err;
68729 + task_lock(task);
68730 + err = __ptrace_may_access(task, mode, 1);
68731 task_unlock(task);
68732 return !err;
68733 }
68734 @@ -186,7 +200,7 @@ int ptrace_attach(struct task_struct *ta
68735 goto out;
68736
68737 task_lock(task);
68738 - retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH);
68739 + retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH, 1);
68740 task_unlock(task);
68741 if (retval)
68742 goto unlock_creds;
68743 @@ -199,7 +213,7 @@ int ptrace_attach(struct task_struct *ta
68744 goto unlock_tasklist;
68745
68746 task->ptrace = PT_PTRACED;
68747 - if (capable(CAP_SYS_PTRACE))
68748 + if (capable_nolog(CAP_SYS_PTRACE))
68749 task->ptrace |= PT_PTRACE_CAP;
68750
68751 __ptrace_link(task, current);
68752 @@ -351,6 +365,8 @@ int ptrace_readdata(struct task_struct *
68753 {
68754 int copied = 0;
68755
68756 + pax_track_stack();
68757 +
68758 while (len > 0) {
68759 char buf[128];
68760 int this_len, retval;
68761 @@ -376,6 +392,8 @@ int ptrace_writedata(struct task_struct
68762 {
68763 int copied = 0;
68764
68765 + pax_track_stack();
68766 +
68767 while (len > 0) {
68768 char buf[128];
68769 int this_len, retval;
68770 @@ -517,6 +535,8 @@ int ptrace_request(struct task_struct *c
68771 int ret = -EIO;
68772 siginfo_t siginfo;
68773
68774 + pax_track_stack();
68775 +
68776 switch (request) {
68777 case PTRACE_PEEKTEXT:
68778 case PTRACE_PEEKDATA:
68779 @@ -532,18 +552,18 @@ int ptrace_request(struct task_struct *c
68780 ret = ptrace_setoptions(child, data);
68781 break;
68782 case PTRACE_GETEVENTMSG:
68783 - ret = put_user(child->ptrace_message, (unsigned long __user *) data);
68784 + ret = put_user(child->ptrace_message, (__force unsigned long __user *) data);
68785 break;
68786
68787 case PTRACE_GETSIGINFO:
68788 ret = ptrace_getsiginfo(child, &siginfo);
68789 if (!ret)
68790 - ret = copy_siginfo_to_user((siginfo_t __user *) data,
68791 + ret = copy_siginfo_to_user((__force siginfo_t __user *) data,
68792 &siginfo);
68793 break;
68794
68795 case PTRACE_SETSIGINFO:
68796 - if (copy_from_user(&siginfo, (siginfo_t __user *) data,
68797 + if (copy_from_user(&siginfo, (__force siginfo_t __user *) data,
68798 sizeof siginfo))
68799 ret = -EFAULT;
68800 else
68801 @@ -621,14 +641,21 @@ SYSCALL_DEFINE4(ptrace, long, request, l
68802 goto out;
68803 }
68804
68805 + if (gr_handle_ptrace(child, request)) {
68806 + ret = -EPERM;
68807 + goto out_put_task_struct;
68808 + }
68809 +
68810 if (request == PTRACE_ATTACH) {
68811 ret = ptrace_attach(child);
68812 /*
68813 * Some architectures need to do book-keeping after
68814 * a ptrace attach.
68815 */
68816 - if (!ret)
68817 + if (!ret) {
68818 arch_ptrace_attach(child);
68819 + gr_audit_ptrace(child);
68820 + }
68821 goto out_put_task_struct;
68822 }
68823
68824 @@ -653,7 +680,7 @@ int generic_ptrace_peekdata(struct task_
68825 copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0);
68826 if (copied != sizeof(tmp))
68827 return -EIO;
68828 - return put_user(tmp, (unsigned long __user *)data);
68829 + return put_user(tmp, (__force unsigned long __user *)data);
68830 }
68831
68832 int generic_ptrace_pokedata(struct task_struct *tsk, long addr, long data)
68833 @@ -675,6 +702,8 @@ int compat_ptrace_request(struct task_st
68834 siginfo_t siginfo;
68835 int ret;
68836
68837 + pax_track_stack();
68838 +
68839 switch (request) {
68840 case PTRACE_PEEKTEXT:
68841 case PTRACE_PEEKDATA:
68842 @@ -740,14 +769,21 @@ asmlinkage long compat_sys_ptrace(compat
68843 goto out;
68844 }
68845
68846 + if (gr_handle_ptrace(child, request)) {
68847 + ret = -EPERM;
68848 + goto out_put_task_struct;
68849 + }
68850 +
68851 if (request == PTRACE_ATTACH) {
68852 ret = ptrace_attach(child);
68853 /*
68854 * Some architectures need to do book-keeping after
68855 * a ptrace attach.
68856 */
68857 - if (!ret)
68858 + if (!ret) {
68859 arch_ptrace_attach(child);
68860 + gr_audit_ptrace(child);
68861 + }
68862 goto out_put_task_struct;
68863 }
68864
68865 diff -urNp linux-2.6.32.46/kernel/rcutorture.c linux-2.6.32.46/kernel/rcutorture.c
68866 --- linux-2.6.32.46/kernel/rcutorture.c 2011-03-27 14:31:47.000000000 -0400
68867 +++ linux-2.6.32.46/kernel/rcutorture.c 2011-05-04 17:56:28.000000000 -0400
68868 @@ -118,12 +118,12 @@ static DEFINE_PER_CPU(long [RCU_TORTURE_
68869 { 0 };
68870 static DEFINE_PER_CPU(long [RCU_TORTURE_PIPE_LEN + 1], rcu_torture_batch) =
68871 { 0 };
68872 -static atomic_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
68873 -static atomic_t n_rcu_torture_alloc;
68874 -static atomic_t n_rcu_torture_alloc_fail;
68875 -static atomic_t n_rcu_torture_free;
68876 -static atomic_t n_rcu_torture_mberror;
68877 -static atomic_t n_rcu_torture_error;
68878 +static atomic_unchecked_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
68879 +static atomic_unchecked_t n_rcu_torture_alloc;
68880 +static atomic_unchecked_t n_rcu_torture_alloc_fail;
68881 +static atomic_unchecked_t n_rcu_torture_free;
68882 +static atomic_unchecked_t n_rcu_torture_mberror;
68883 +static atomic_unchecked_t n_rcu_torture_error;
68884 static long n_rcu_torture_timers;
68885 static struct list_head rcu_torture_removed;
68886 static cpumask_var_t shuffle_tmp_mask;
68887 @@ -187,11 +187,11 @@ rcu_torture_alloc(void)
68888
68889 spin_lock_bh(&rcu_torture_lock);
68890 if (list_empty(&rcu_torture_freelist)) {
68891 - atomic_inc(&n_rcu_torture_alloc_fail);
68892 + atomic_inc_unchecked(&n_rcu_torture_alloc_fail);
68893 spin_unlock_bh(&rcu_torture_lock);
68894 return NULL;
68895 }
68896 - atomic_inc(&n_rcu_torture_alloc);
68897 + atomic_inc_unchecked(&n_rcu_torture_alloc);
68898 p = rcu_torture_freelist.next;
68899 list_del_init(p);
68900 spin_unlock_bh(&rcu_torture_lock);
68901 @@ -204,7 +204,7 @@ rcu_torture_alloc(void)
68902 static void
68903 rcu_torture_free(struct rcu_torture *p)
68904 {
68905 - atomic_inc(&n_rcu_torture_free);
68906 + atomic_inc_unchecked(&n_rcu_torture_free);
68907 spin_lock_bh(&rcu_torture_lock);
68908 list_add_tail(&p->rtort_free, &rcu_torture_freelist);
68909 spin_unlock_bh(&rcu_torture_lock);
68910 @@ -319,7 +319,7 @@ rcu_torture_cb(struct rcu_head *p)
68911 i = rp->rtort_pipe_count;
68912 if (i > RCU_TORTURE_PIPE_LEN)
68913 i = RCU_TORTURE_PIPE_LEN;
68914 - atomic_inc(&rcu_torture_wcount[i]);
68915 + atomic_inc_unchecked(&rcu_torture_wcount[i]);
68916 if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
68917 rp->rtort_mbtest = 0;
68918 rcu_torture_free(rp);
68919 @@ -359,7 +359,7 @@ static void rcu_sync_torture_deferred_fr
68920 i = rp->rtort_pipe_count;
68921 if (i > RCU_TORTURE_PIPE_LEN)
68922 i = RCU_TORTURE_PIPE_LEN;
68923 - atomic_inc(&rcu_torture_wcount[i]);
68924 + atomic_inc_unchecked(&rcu_torture_wcount[i]);
68925 if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
68926 rp->rtort_mbtest = 0;
68927 list_del(&rp->rtort_free);
68928 @@ -653,7 +653,7 @@ rcu_torture_writer(void *arg)
68929 i = old_rp->rtort_pipe_count;
68930 if (i > RCU_TORTURE_PIPE_LEN)
68931 i = RCU_TORTURE_PIPE_LEN;
68932 - atomic_inc(&rcu_torture_wcount[i]);
68933 + atomic_inc_unchecked(&rcu_torture_wcount[i]);
68934 old_rp->rtort_pipe_count++;
68935 cur_ops->deferred_free(old_rp);
68936 }
68937 @@ -718,7 +718,7 @@ static void rcu_torture_timer(unsigned l
68938 return;
68939 }
68940 if (p->rtort_mbtest == 0)
68941 - atomic_inc(&n_rcu_torture_mberror);
68942 + atomic_inc_unchecked(&n_rcu_torture_mberror);
68943 spin_lock(&rand_lock);
68944 cur_ops->read_delay(&rand);
68945 n_rcu_torture_timers++;
68946 @@ -776,7 +776,7 @@ rcu_torture_reader(void *arg)
68947 continue;
68948 }
68949 if (p->rtort_mbtest == 0)
68950 - atomic_inc(&n_rcu_torture_mberror);
68951 + atomic_inc_unchecked(&n_rcu_torture_mberror);
68952 cur_ops->read_delay(&rand);
68953 preempt_disable();
68954 pipe_count = p->rtort_pipe_count;
68955 @@ -834,17 +834,17 @@ rcu_torture_printk(char *page)
68956 rcu_torture_current,
68957 rcu_torture_current_version,
68958 list_empty(&rcu_torture_freelist),
68959 - atomic_read(&n_rcu_torture_alloc),
68960 - atomic_read(&n_rcu_torture_alloc_fail),
68961 - atomic_read(&n_rcu_torture_free),
68962 - atomic_read(&n_rcu_torture_mberror),
68963 + atomic_read_unchecked(&n_rcu_torture_alloc),
68964 + atomic_read_unchecked(&n_rcu_torture_alloc_fail),
68965 + atomic_read_unchecked(&n_rcu_torture_free),
68966 + atomic_read_unchecked(&n_rcu_torture_mberror),
68967 n_rcu_torture_timers);
68968 - if (atomic_read(&n_rcu_torture_mberror) != 0)
68969 + if (atomic_read_unchecked(&n_rcu_torture_mberror) != 0)
68970 cnt += sprintf(&page[cnt], " !!!");
68971 cnt += sprintf(&page[cnt], "\n%s%s ", torture_type, TORTURE_FLAG);
68972 if (i > 1) {
68973 cnt += sprintf(&page[cnt], "!!! ");
68974 - atomic_inc(&n_rcu_torture_error);
68975 + atomic_inc_unchecked(&n_rcu_torture_error);
68976 WARN_ON_ONCE(1);
68977 }
68978 cnt += sprintf(&page[cnt], "Reader Pipe: ");
68979 @@ -858,7 +858,7 @@ rcu_torture_printk(char *page)
68980 cnt += sprintf(&page[cnt], "Free-Block Circulation: ");
68981 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
68982 cnt += sprintf(&page[cnt], " %d",
68983 - atomic_read(&rcu_torture_wcount[i]));
68984 + atomic_read_unchecked(&rcu_torture_wcount[i]));
68985 }
68986 cnt += sprintf(&page[cnt], "\n");
68987 if (cur_ops->stats)
68988 @@ -1084,7 +1084,7 @@ rcu_torture_cleanup(void)
68989
68990 if (cur_ops->cleanup)
68991 cur_ops->cleanup();
68992 - if (atomic_read(&n_rcu_torture_error))
68993 + if (atomic_read_unchecked(&n_rcu_torture_error))
68994 rcu_torture_print_module_parms("End of test: FAILURE");
68995 else
68996 rcu_torture_print_module_parms("End of test: SUCCESS");
68997 @@ -1138,13 +1138,13 @@ rcu_torture_init(void)
68998
68999 rcu_torture_current = NULL;
69000 rcu_torture_current_version = 0;
69001 - atomic_set(&n_rcu_torture_alloc, 0);
69002 - atomic_set(&n_rcu_torture_alloc_fail, 0);
69003 - atomic_set(&n_rcu_torture_free, 0);
69004 - atomic_set(&n_rcu_torture_mberror, 0);
69005 - atomic_set(&n_rcu_torture_error, 0);
69006 + atomic_set_unchecked(&n_rcu_torture_alloc, 0);
69007 + atomic_set_unchecked(&n_rcu_torture_alloc_fail, 0);
69008 + atomic_set_unchecked(&n_rcu_torture_free, 0);
69009 + atomic_set_unchecked(&n_rcu_torture_mberror, 0);
69010 + atomic_set_unchecked(&n_rcu_torture_error, 0);
69011 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++)
69012 - atomic_set(&rcu_torture_wcount[i], 0);
69013 + atomic_set_unchecked(&rcu_torture_wcount[i], 0);
69014 for_each_possible_cpu(cpu) {
69015 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
69016 per_cpu(rcu_torture_count, cpu)[i] = 0;
69017 diff -urNp linux-2.6.32.46/kernel/rcutree.c linux-2.6.32.46/kernel/rcutree.c
69018 --- linux-2.6.32.46/kernel/rcutree.c 2011-03-27 14:31:47.000000000 -0400
69019 +++ linux-2.6.32.46/kernel/rcutree.c 2011-04-17 15:56:46.000000000 -0400
69020 @@ -1303,7 +1303,7 @@ __rcu_process_callbacks(struct rcu_state
69021 /*
69022 * Do softirq processing for the current CPU.
69023 */
69024 -static void rcu_process_callbacks(struct softirq_action *unused)
69025 +static void rcu_process_callbacks(void)
69026 {
69027 /*
69028 * Memory references from any prior RCU read-side critical sections
69029 diff -urNp linux-2.6.32.46/kernel/rcutree_plugin.h linux-2.6.32.46/kernel/rcutree_plugin.h
69030 --- linux-2.6.32.46/kernel/rcutree_plugin.h 2011-03-27 14:31:47.000000000 -0400
69031 +++ linux-2.6.32.46/kernel/rcutree_plugin.h 2011-04-17 15:56:46.000000000 -0400
69032 @@ -145,7 +145,7 @@ static void rcu_preempt_note_context_swi
69033 */
69034 void __rcu_read_lock(void)
69035 {
69036 - ACCESS_ONCE(current->rcu_read_lock_nesting)++;
69037 + ACCESS_ONCE_RW(current->rcu_read_lock_nesting)++;
69038 barrier(); /* needed if we ever invoke rcu_read_lock in rcutree.c */
69039 }
69040 EXPORT_SYMBOL_GPL(__rcu_read_lock);
69041 @@ -251,7 +251,7 @@ void __rcu_read_unlock(void)
69042 struct task_struct *t = current;
69043
69044 barrier(); /* needed if we ever invoke rcu_read_unlock in rcutree.c */
69045 - if (--ACCESS_ONCE(t->rcu_read_lock_nesting) == 0 &&
69046 + if (--ACCESS_ONCE_RW(t->rcu_read_lock_nesting) == 0 &&
69047 unlikely(ACCESS_ONCE(t->rcu_read_unlock_special)))
69048 rcu_read_unlock_special(t);
69049 }
69050 diff -urNp linux-2.6.32.46/kernel/relay.c linux-2.6.32.46/kernel/relay.c
69051 --- linux-2.6.32.46/kernel/relay.c 2011-03-27 14:31:47.000000000 -0400
69052 +++ linux-2.6.32.46/kernel/relay.c 2011-05-16 21:46:57.000000000 -0400
69053 @@ -1222,7 +1222,7 @@ static int subbuf_splice_actor(struct fi
69054 unsigned int flags,
69055 int *nonpad_ret)
69056 {
69057 - unsigned int pidx, poff, total_len, subbuf_pages, nr_pages, ret;
69058 + unsigned int pidx, poff, total_len, subbuf_pages, nr_pages;
69059 struct rchan_buf *rbuf = in->private_data;
69060 unsigned int subbuf_size = rbuf->chan->subbuf_size;
69061 uint64_t pos = (uint64_t) *ppos;
69062 @@ -1241,6 +1241,9 @@ static int subbuf_splice_actor(struct fi
69063 .ops = &relay_pipe_buf_ops,
69064 .spd_release = relay_page_release,
69065 };
69066 + ssize_t ret;
69067 +
69068 + pax_track_stack();
69069
69070 if (rbuf->subbufs_produced == rbuf->subbufs_consumed)
69071 return 0;
69072 diff -urNp linux-2.6.32.46/kernel/resource.c linux-2.6.32.46/kernel/resource.c
69073 --- linux-2.6.32.46/kernel/resource.c 2011-03-27 14:31:47.000000000 -0400
69074 +++ linux-2.6.32.46/kernel/resource.c 2011-04-17 15:56:46.000000000 -0400
69075 @@ -132,8 +132,18 @@ static const struct file_operations proc
69076
69077 static int __init ioresources_init(void)
69078 {
69079 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
69080 +#ifdef CONFIG_GRKERNSEC_PROC_USER
69081 + proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
69082 + proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
69083 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
69084 + proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
69085 + proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
69086 +#endif
69087 +#else
69088 proc_create("ioports", 0, NULL, &proc_ioports_operations);
69089 proc_create("iomem", 0, NULL, &proc_iomem_operations);
69090 +#endif
69091 return 0;
69092 }
69093 __initcall(ioresources_init);
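Review bot: In `ioresources_init`, the inner `#ifdef CONFIG_GRKERNSEC_PROC_USER` / `#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)` chain has no `#else`. If `CONFIG_GRKERNSEC_PROC_ADD` is set while neither of the other two options is, no `ioports` or `iomem` entry is created at all. Kconfig may already forbid that combination, but this hunk does not show it. Making the assumption explicit in the code would be safer, either with `#else` followed by `#error`, or by falling back to the restrictive `S_IRUSR` mode.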
69094 diff -urNp linux-2.6.32.46/kernel/rtmutex.c linux-2.6.32.46/kernel/rtmutex.c
69095 --- linux-2.6.32.46/kernel/rtmutex.c 2011-03-27 14:31:47.000000000 -0400
69096 +++ linux-2.6.32.46/kernel/rtmutex.c 2011-04-17 15:56:46.000000000 -0400
69097 @@ -511,7 +511,7 @@ static void wakeup_next_waiter(struct rt
69098 */
69099 spin_lock_irqsave(&pendowner->pi_lock, flags);
69100
69101 - WARN_ON(!pendowner->pi_blocked_on);
69102 + BUG_ON(!pendowner->pi_blocked_on);
69103 WARN_ON(pendowner->pi_blocked_on != waiter);
69104 WARN_ON(pendowner->pi_blocked_on->lock != lock);
69105
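Review bot: The `WARN_ON(!pendowner->pi_blocked_on)` to `BUG_ON` change in `wakeup_next_waiter` deserves a why-comment, because the two neighbouring checks stay as `WARN_ON`. The reason appears to be that the third check dereferences `pendowner->pi_blocked_on->lock`, so a NULL value would fault there anyway. A comment such as `/* NULL here would be dereferenced by the check below; stop deterministically */` would make that clear. Note that the `BUG_ON` fires with `pendowner->pi_lock` held and interrupts disabled, as taken by the `spin_lock_irqsave` just above. The function starts and ends outside the hunk.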
69106 diff -urNp linux-2.6.32.46/kernel/rtmutex-tester.c linux-2.6.32.46/kernel/rtmutex-tester.c
69107 --- linux-2.6.32.46/kernel/rtmutex-tester.c 2011-03-27 14:31:47.000000000 -0400
69108 +++ linux-2.6.32.46/kernel/rtmutex-tester.c 2011-05-04 17:56:28.000000000 -0400
69109 @@ -21,7 +21,7 @@
69110 #define MAX_RT_TEST_MUTEXES 8
69111
69112 static spinlock_t rttest_lock;
69113 -static atomic_t rttest_event;
69114 +static atomic_unchecked_t rttest_event;
69115
69116 struct test_thread_data {
69117 int opcode;
69118 @@ -64,7 +64,7 @@ static int handle_op(struct test_thread_
69119
69120 case RTTEST_LOCKCONT:
69121 td->mutexes[td->opdata] = 1;
69122 - td->event = atomic_add_return(1, &rttest_event);
69123 + td->event = atomic_add_return_unchecked(1, &rttest_event);
69124 return 0;
69125
69126 case RTTEST_RESET:
69127 @@ -82,7 +82,7 @@ static int handle_op(struct test_thread_
69128 return 0;
69129
69130 case RTTEST_RESETEVENT:
69131 - atomic_set(&rttest_event, 0);
69132 + atomic_set_unchecked(&rttest_event, 0);
69133 return 0;
69134
69135 default:
69136 @@ -99,9 +99,9 @@ static int handle_op(struct test_thread_
69137 return ret;
69138
69139 td->mutexes[id] = 1;
69140 - td->event = atomic_add_return(1, &rttest_event);
69141 + td->event = atomic_add_return_unchecked(1, &rttest_event);
69142 rt_mutex_lock(&mutexes[id]);
69143 - td->event = atomic_add_return(1, &rttest_event);
69144 + td->event = atomic_add_return_unchecked(1, &rttest_event);
69145 td->mutexes[id] = 4;
69146 return 0;
69147
69148 @@ -112,9 +112,9 @@ static int handle_op(struct test_thread_
69149 return ret;
69150
69151 td->mutexes[id] = 1;
69152 - td->event = atomic_add_return(1, &rttest_event);
69153 + td->event = atomic_add_return_unchecked(1, &rttest_event);
69154 ret = rt_mutex_lock_interruptible(&mutexes[id], 0);
69155 - td->event = atomic_add_return(1, &rttest_event);
69156 + td->event = atomic_add_return_unchecked(1, &rttest_event);
69157 td->mutexes[id] = ret ? 0 : 4;
69158 return ret ? -EINTR : 0;
69159
69160 @@ -123,9 +123,9 @@ static int handle_op(struct test_thread_
69161 if (id < 0 || id >= MAX_RT_TEST_MUTEXES || td->mutexes[id] != 4)
69162 return ret;
69163
69164 - td->event = atomic_add_return(1, &rttest_event);
69165 + td->event = atomic_add_return_unchecked(1, &rttest_event);
69166 rt_mutex_unlock(&mutexes[id]);
69167 - td->event = atomic_add_return(1, &rttest_event);
69168 + td->event = atomic_add_return_unchecked(1, &rttest_event);
69169 td->mutexes[id] = 0;
69170 return 0;
69171
69172 @@ -187,7 +187,7 @@ void schedule_rt_mutex_test(struct rt_mu
69173 break;
69174
69175 td->mutexes[dat] = 2;
69176 - td->event = atomic_add_return(1, &rttest_event);
69177 + td->event = atomic_add_return_unchecked(1, &rttest_event);
69178 break;
69179
69180 case RTTEST_LOCKBKL:
69181 @@ -208,7 +208,7 @@ void schedule_rt_mutex_test(struct rt_mu
69182 return;
69183
69184 td->mutexes[dat] = 3;
69185 - td->event = atomic_add_return(1, &rttest_event);
69186 + td->event = atomic_add_return_unchecked(1, &rttest_event);
69187 break;
69188
69189 case RTTEST_LOCKNOWAIT:
69190 @@ -220,7 +220,7 @@ void schedule_rt_mutex_test(struct rt_mu
69191 return;
69192
69193 td->mutexes[dat] = 1;
69194 - td->event = atomic_add_return(1, &rttest_event);
69195 + td->event = atomic_add_return_unchecked(1, &rttest_event);
69196 return;
69197
69198 case RTTEST_LOCKBKL:
69199 diff -urNp linux-2.6.32.46/kernel/sched.c linux-2.6.32.46/kernel/sched.c
69200 --- linux-2.6.32.46/kernel/sched.c 2011-03-27 14:31:47.000000000 -0400
69201 +++ linux-2.6.32.46/kernel/sched.c 2011-08-21 19:29:25.000000000 -0400
69202 @@ -2764,9 +2764,10 @@ void wake_up_new_task(struct task_struct
69203 {
69204 unsigned long flags;
69205 struct rq *rq;
69206 - int cpu = get_cpu();
69207
69208 #ifdef CONFIG_SMP
69209 + int cpu = get_cpu();
69210 +
69211 rq = task_rq_lock(p, &flags);
69212 p->state = TASK_WAKING;
69213
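Review bot: Moving `int cpu = get_cpu();` under `#ifdef CONFIG_SMP` leaves the non-SMP build without the get_cpu() call, so the put_cpu() that pairs with it must now sit under the same guard. The rest of wake_up_new_task is outside this hunk, so the pairing cannot be checked here. If the put_cpu() is unconditional, a uniprocessor preemptible kernel would drop the preempt count without the matching increment. Either wrap the final `put_cpu();` in `#ifdef CONFIG_SMP` as well, or keep get_cpu() unconditional and silence the unused variable another way.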
69214 @@ -5043,7 +5044,7 @@ out:
69215 * In CONFIG_NO_HZ case, the idle load balance owner will do the
69216 * rebalancing for all the cpus for whom scheduler ticks are stopped.
69217 */
69218 -static void run_rebalance_domains(struct softirq_action *h)
69219 +static void run_rebalance_domains(void)
69220 {
69221 int this_cpu = smp_processor_id();
69222 struct rq *this_rq = cpu_rq(this_cpu);
69223 @@ -5700,6 +5701,8 @@ asmlinkage void __sched schedule(void)
69224 struct rq *rq;
69225 int cpu;
69226
69227 + pax_track_stack();
69228 +
69229 need_resched:
69230 preempt_disable();
69231 cpu = smp_processor_id();
69232 @@ -5770,7 +5773,7 @@ EXPORT_SYMBOL(schedule);
69233 * Look out! "owner" is an entirely speculative pointer
69234 * access and not reliable.
69235 */
69236 -int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner)
69237 +int mutex_spin_on_owner(struct mutex *lock, struct task_struct *owner)
69238 {
69239 unsigned int cpu;
69240 struct rq *rq;
69241 @@ -5784,10 +5787,10 @@ int mutex_spin_on_owner(struct mutex *lo
69242 * DEBUG_PAGEALLOC could have unmapped it if
69243 * the mutex owner just released it and exited.
69244 */
69245 - if (probe_kernel_address(&owner->cpu, cpu))
69246 + if (probe_kernel_address(&task_thread_info(owner)->cpu, cpu))
69247 return 0;
69248 #else
69249 - cpu = owner->cpu;
69250 + cpu = task_thread_info(owner)->cpu;
69251 #endif
69252
69253 /*
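Review bot: In the branch described by the DEBUG_PAGEALLOC comment, only the final load of `->cpu` goes through `probe_kernel_address()`, while `task_thread_info(owner)` is evaluated first. If that macro reads a field of `owner` (its definition is not on this page), the read is a plain dereference of the pointer the surrounding comments call speculative and possibly unmapped. Before this change `owner` was the thread_info itself, so the probe covered the only access. Consider probing the task_struct field as well, or add a comment stating why the task_struct is guaranteed to stay mapped at this point. The function body starts and ends outside this hunk.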
69254 @@ -5816,7 +5819,7 @@ int mutex_spin_on_owner(struct mutex *lo
69255 /*
69256 * Is that owner really running on that cpu?
69257 */
69258 - if (task_thread_info(rq->curr) != owner || need_resched())
69259 + if (rq->curr != owner || need_resched())
69260 return 0;
69261
69262 cpu_relax();
69263 @@ -6359,6 +6362,8 @@ int can_nice(const struct task_struct *p
69264 /* convert nice value [19,-20] to rlimit style value [1,40] */
69265 int nice_rlim = 20 - nice;
69266
69267 + gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
69268 +
69269 return (nice_rlim <= p->signal->rlim[RLIMIT_NICE].rlim_cur ||
69270 capable(CAP_SYS_NICE));
69271 }
69272 @@ -6392,7 +6397,8 @@ SYSCALL_DEFINE1(nice, int, increment)
69273 if (nice > 19)
69274 nice = 19;
69275
69276 - if (increment < 0 && !can_nice(current, nice))
69277 + if (increment < 0 && (!can_nice(current, nice) ||
69278 + gr_handle_chroot_nice()))
69279 return -EPERM;
69280
69281 retval = security_task_setnice(current, nice);
69282 @@ -8774,7 +8780,7 @@ static void init_sched_groups_power(int
69283 long power;
69284 int weight;
69285
69286 - WARN_ON(!sd || !sd->groups);
69287 + BUG_ON(!sd || !sd->groups);
69288
69289 if (cpu != group_first_cpu(sd->groups))
69290 return;
69291 diff -urNp linux-2.6.32.46/kernel/signal.c linux-2.6.32.46/kernel/signal.c
69292 --- linux-2.6.32.46/kernel/signal.c 2011-04-17 17:00:52.000000000 -0400
69293 +++ linux-2.6.32.46/kernel/signal.c 2011-08-16 21:15:58.000000000 -0400
69294 @@ -41,12 +41,12 @@
69295
69296 static struct kmem_cache *sigqueue_cachep;
69297
69298 -static void __user *sig_handler(struct task_struct *t, int sig)
69299 +static __sighandler_t sig_handler(struct task_struct *t, int sig)
69300 {
69301 return t->sighand->action[sig - 1].sa.sa_handler;
69302 }
69303
69304 -static int sig_handler_ignored(void __user *handler, int sig)
69305 +static int sig_handler_ignored(__sighandler_t handler, int sig)
69306 {
69307 /* Is it explicitly or implicitly ignored? */
69308 return handler == SIG_IGN ||
69309 @@ -56,7 +56,7 @@ static int sig_handler_ignored(void __us
69310 static int sig_task_ignored(struct task_struct *t, int sig,
69311 int from_ancestor_ns)
69312 {
69313 - void __user *handler;
69314 + __sighandler_t handler;
69315
69316 handler = sig_handler(t, sig);
69317
69318 @@ -207,6 +207,9 @@ static struct sigqueue *__sigqueue_alloc
69319 */
69320 user = get_uid(__task_cred(t)->user);
69321 atomic_inc(&user->sigpending);
69322 +
69323 + if (!override_rlimit)
69324 + gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
69325 if (override_rlimit ||
69326 atomic_read(&user->sigpending) <=
69327 t->signal->rlim[RLIMIT_SIGPENDING].rlim_cur)
69328 @@ -327,7 +330,7 @@ flush_signal_handlers(struct task_struct
69329
69330 int unhandled_signal(struct task_struct *tsk, int sig)
69331 {
69332 - void __user *handler = tsk->sighand->action[sig-1].sa.sa_handler;
69333 + __sighandler_t handler = tsk->sighand->action[sig-1].sa.sa_handler;
69334 if (is_global_init(tsk))
69335 return 1;
69336 if (handler != SIG_IGN && handler != SIG_DFL)
69337 @@ -627,6 +630,13 @@ static int check_kill_permission(int sig
69338 }
69339 }
69340
69341 + /* allow glibc communication via tgkill to other threads in our
69342 + thread group */
69343 + if ((info == SEND_SIG_NOINFO || info->si_code != SI_TKILL ||
69344 + sig != (SIGRTMIN+1) || task_tgid_vnr(t) != info->si_pid)
69345 + && gr_handle_signal(t, sig))
69346 + return -EPERM;
69347 +
69348 return security_task_kill(t, info, sig, 0);
69349 }
69350
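Review bot: The exemption from `gr_handle_signal()` is decided from `info->si_code` and `info->si_pid`, which identify the sender only as far as whoever filled in `info` is trusted. If any path reaching check_kill_permission passes a siginfo copied from user space (not visible in this hunk), the policy decision would rest on caller-supplied fields; a test against the caller itself, e.g. `same_thread_group(current, t)`, does not depend on them. The same predicate is repeated in the do_send_specific hunk further down in this file, so a small shared helper would keep the two copies from drifting apart. The check also dereferences `info` after excluding only `SEND_SIG_NOINFO`, which relies on the other special values having been handled above the hunk; a one-line comment saying so would help.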
69351 @@ -968,7 +978,7 @@ __group_send_sig_info(int sig, struct si
69352 return send_signal(sig, info, p, 1);
69353 }
69354
69355 -static int
69356 +int
69357 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
69358 {
69359 return send_signal(sig, info, t, 0);
69360 @@ -1005,6 +1015,7 @@ force_sig_info(int sig, struct siginfo *
69361 unsigned long int flags;
69362 int ret, blocked, ignored;
69363 struct k_sigaction *action;
69364 + int is_unhandled = 0;
69365
69366 spin_lock_irqsave(&t->sighand->siglock, flags);
69367 action = &t->sighand->action[sig-1];
69368 @@ -1019,9 +1030,18 @@ force_sig_info(int sig, struct siginfo *
69369 }
69370 if (action->sa.sa_handler == SIG_DFL)
69371 t->signal->flags &= ~SIGNAL_UNKILLABLE;
69372 + if (action->sa.sa_handler == SIG_IGN || action->sa.sa_handler == SIG_DFL)
69373 + is_unhandled = 1;
69374 ret = specific_send_sig_info(sig, info, t);
69375 spin_unlock_irqrestore(&t->sighand->siglock, flags);
69376
69377 + /* only deal with unhandled signals, java etc trigger SIGSEGV during
69378 + normal operation */
69379 + if (is_unhandled) {
69380 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
69381 + gr_handle_crash(t, sig);
69382 + }
69383 +
69384 return ret;
69385 }
69386
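Review bot: `info->si_addr` is passed to `gr_log_signal()` for every non-special siginfo, but that member is only meaningful for fault-type signals; for other signals the same storage carries different siginfo fields. The call here and the one added to group_send_sig_info in the next hunk can therefore log an unrelated value as a fault address. Reading `si_addr` only for SIGSEGV, SIGBUS, SIGILL, SIGFPE and SIGTRAP, and passing NULL otherwise, keeps the audit record accurate. A short comment that `gr_handle_crash(t, sig)` intentionally runs after `siglock` is released would also help the next reader.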
69387 @@ -1081,8 +1101,11 @@ int group_send_sig_info(int sig, struct
69388 {
69389 int ret = check_kill_permission(sig, info, p);
69390
69391 - if (!ret && sig)
69392 + if (!ret && sig) {
69393 ret = do_send_sig_info(sig, info, p, true);
69394 + if (!ret)
69395 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
69396 + }
69397
69398 return ret;
69399 }
69400 @@ -1644,6 +1667,8 @@ void ptrace_notify(int exit_code)
69401 {
69402 siginfo_t info;
69403
69404 + pax_track_stack();
69405 +
69406 BUG_ON((exit_code & (0x7f | ~0xffff)) != SIGTRAP);
69407
69408 memset(&info, 0, sizeof info);
69409 @@ -2275,7 +2300,15 @@ do_send_specific(pid_t tgid, pid_t pid,
69410 int error = -ESRCH;
69411
69412 rcu_read_lock();
69413 - p = find_task_by_vpid(pid);
69414 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
69415 + /* allow glibc communication via tgkill to other threads in our
69416 + thread group */
69417 + if (grsec_enable_chroot_findtask && info->si_code == SI_TKILL &&
69418 + sig == (SIGRTMIN+1) && tgid == info->si_pid)
69419 + p = find_task_by_vpid_unrestricted(pid);
69420 + else
69421 +#endif
69422 + p = find_task_by_vpid(pid);
69423 if (p && (tgid <= 0 || task_tgid_vnr(p) == tgid)) {
69424 error = check_kill_permission(sig, info, p);
69425 /*
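Review bot: The `#ifdef`/`else`/`#endif` arrangement leaves `p = find_task_by_vpid(pid);` as the body of an `else` only when CONFIG_GRKERNSEC_CHROOT_FINDTASK is set, which is easy to break with a later edit between `#endif` and the assignment. Bracing both branches inside the `#ifdef` and giving the plain assignment its own `#else` arm makes the control flow explicit. The lookup restriction is lifted based on `info->si_code` and `info->si_pid`, so it is worth a comment stating which callers fill those fields and why they can be trusted here. do_send_specific continues outside this hunk.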
69426 diff -urNp linux-2.6.32.46/kernel/smp.c linux-2.6.32.46/kernel/smp.c
69427 --- linux-2.6.32.46/kernel/smp.c 2011-03-27 14:31:47.000000000 -0400
69428 +++ linux-2.6.32.46/kernel/smp.c 2011-04-17 15:56:46.000000000 -0400
69429 @@ -522,22 +522,22 @@ int smp_call_function(void (*func)(void
69430 }
69431 EXPORT_SYMBOL(smp_call_function);
69432
69433 -void ipi_call_lock(void)
69434 +void ipi_call_lock(void) __acquires(call_function.lock)
69435 {
69436 spin_lock(&call_function.lock);
69437 }
69438
69439 -void ipi_call_unlock(void)
69440 +void ipi_call_unlock(void) __releases(call_function.lock)
69441 {
69442 spin_unlock(&call_function.lock);
69443 }
69444
69445 -void ipi_call_lock_irq(void)
69446 +void ipi_call_lock_irq(void) __acquires(call_function.lock)
69447 {
69448 spin_lock_irq(&call_function.lock);
69449 }
69450
69451 -void ipi_call_unlock_irq(void)
69452 +void ipi_call_unlock_irq(void) __releases(call_function.lock)
69453 {
69454 spin_unlock_irq(&call_function.lock);
69455 }
69456 diff -urNp linux-2.6.32.46/kernel/softirq.c linux-2.6.32.46/kernel/softirq.c
69457 --- linux-2.6.32.46/kernel/softirq.c 2011-03-27 14:31:47.000000000 -0400
69458 +++ linux-2.6.32.46/kernel/softirq.c 2011-08-05 20:33:55.000000000 -0400
69459 @@ -56,7 +56,7 @@ static struct softirq_action softirq_vec
69460
69461 static DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
69462
69463 -char *softirq_to_name[NR_SOFTIRQS] = {
69464 +const char * const softirq_to_name[NR_SOFTIRQS] = {
69465 "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
69466 "TASKLET", "SCHED", "HRTIMER", "RCU"
69467 };
69468 @@ -206,7 +206,7 @@ EXPORT_SYMBOL(local_bh_enable_ip);
69469
69470 asmlinkage void __do_softirq(void)
69471 {
69472 - struct softirq_action *h;
69473 + const struct softirq_action *h;
69474 __u32 pending;
69475 int max_restart = MAX_SOFTIRQ_RESTART;
69476 int cpu;
69477 @@ -233,7 +233,7 @@ restart:
69478 kstat_incr_softirqs_this_cpu(h - softirq_vec);
69479
69480 trace_softirq_entry(h, softirq_vec);
69481 - h->action(h);
69482 + h->action();
69483 trace_softirq_exit(h, softirq_vec);
69484 if (unlikely(prev_count != preempt_count())) {
69485 printk(KERN_ERR "huh, entered softirq %td %s %p"
69486 @@ -363,9 +363,11 @@ void raise_softirq(unsigned int nr)
69487 local_irq_restore(flags);
69488 }
69489
69490 -void open_softirq(int nr, void (*action)(struct softirq_action *))
69491 +void open_softirq(int nr, void (*action)(void))
69492 {
69493 - softirq_vec[nr].action = action;
69494 + pax_open_kernel();
69495 + *(void **)&softirq_vec[nr].action = action;
69496 + pax_close_kernel();
69497 }
69498
69499 /*
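Review bot: `open_softirq()` stores a function pointer into `softirq_vec[nr]` inside the `pax_open_kernel()`/`pax_close_kernel()` window without checking `nr`, so an out-of-range index would write through memory that is otherwise protected. A guard placed before the window, `BUG_ON(nr < 0 || nr >= NR_SOFTIRQS);`, bounds the store to the table. The `*(void **)&softirq_vec[nr].action` cast hides the function-pointer type from the compiler; a one-line comment should say that it exists to write a member that is presumably made read-only elsewhere in the patch.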
69500 @@ -419,7 +421,7 @@ void __tasklet_hi_schedule_first(struct
69501
69502 EXPORT_SYMBOL(__tasklet_hi_schedule_first);
69503
69504 -static void tasklet_action(struct softirq_action *a)
69505 +static void tasklet_action(void)
69506 {
69507 struct tasklet_struct *list;
69508
69509 @@ -454,7 +456,7 @@ static void tasklet_action(struct softir
69510 }
69511 }
69512
69513 -static void tasklet_hi_action(struct softirq_action *a)
69514 +static void tasklet_hi_action(void)
69515 {
69516 struct tasklet_struct *list;
69517
69518 diff -urNp linux-2.6.32.46/kernel/sys.c linux-2.6.32.46/kernel/sys.c
69519 --- linux-2.6.32.46/kernel/sys.c 2011-03-27 14:31:47.000000000 -0400
69520 +++ linux-2.6.32.46/kernel/sys.c 2011-08-11 19:51:54.000000000 -0400
69521 @@ -133,6 +133,12 @@ static int set_one_prio(struct task_stru
69522 error = -EACCES;
69523 goto out;
69524 }
69525 +
69526 + if (gr_handle_chroot_setpriority(p, niceval)) {
69527 + error = -EACCES;
69528 + goto out;
69529 + }
69530 +
69531 no_nice = security_task_setnice(p, niceval);
69532 if (no_nice) {
69533 error = no_nice;
69534 @@ -190,10 +196,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
69535 !(user = find_user(who)))
69536 goto out_unlock; /* No processes for this user */
69537
69538 - do_each_thread(g, p)
69539 + do_each_thread(g, p) {
69540 if (__task_cred(p)->uid == who)
69541 error = set_one_prio(p, niceval, error);
69542 - while_each_thread(g, p);
69543 + } while_each_thread(g, p);
69544 if (who != cred->uid)
69545 free_uid(user); /* For find_user() */
69546 break;
69547 @@ -253,13 +259,13 @@ SYSCALL_DEFINE2(getpriority, int, which,
69548 !(user = find_user(who)))
69549 goto out_unlock; /* No processes for this user */
69550
69551 - do_each_thread(g, p)
69552 + do_each_thread(g, p) {
69553 if (__task_cred(p)->uid == who) {
69554 niceval = 20 - task_nice(p);
69555 if (niceval > retval)
69556 retval = niceval;
69557 }
69558 - while_each_thread(g, p);
69559 + } while_each_thread(g, p);
69560 if (who != cred->uid)
69561 free_uid(user); /* for find_user() */
69562 break;
69563 @@ -509,6 +515,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, g
69564 goto error;
69565 }
69566
69567 + if (gr_check_group_change(new->gid, new->egid, -1))
69568 + goto error;
69569 +
69570 if (rgid != (gid_t) -1 ||
69571 (egid != (gid_t) -1 && egid != old->gid))
69572 new->sgid = new->egid;
69573 @@ -542,6 +551,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
69574 goto error;
69575
69576 retval = -EPERM;
69577 +
69578 + if (gr_check_group_change(gid, gid, gid))
69579 + goto error;
69580 +
69581 if (capable(CAP_SETGID))
69582 new->gid = new->egid = new->sgid = new->fsgid = gid;
69583 else if (gid == old->gid || gid == old->sgid)
69584 @@ -567,12 +580,19 @@ static int set_user(struct cred *new)
69585 if (!new_user)
69586 return -EAGAIN;
69587
69588 + /*
69589 + * We don't fail in case of NPROC limit excess here because too many
69590 + * poorly written programs don't check set*uid() return code, assuming
69591 + * it never fails if called by root. We may still enforce NPROC limit
69592 + * for programs doing set*uid()+execve() by harmlessly deferring the
69593 + * failure to the execve() stage.
69594 + */
69595 if (atomic_read(&new_user->processes) >=
69596 current->signal->rlim[RLIMIT_NPROC].rlim_cur &&
69597 - new_user != INIT_USER) {
69598 - free_uid(new_user);
69599 - return -EAGAIN;
69600 - }
69601 + new_user != INIT_USER)
69602 + current->flags |= PF_NPROC_EXCEEDED;
69603 + else
69604 + current->flags &= ~PF_NPROC_EXCEEDED;
69605
69606 free_uid(new->user);
69607 new->user = new_user;
69608 @@ -627,6 +647,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
69609 goto error;
69610 }
69611
69612 + if (gr_check_user_change(new->uid, new->euid, -1))
69613 + goto error;
69614 +
69615 if (new->uid != old->uid) {
69616 retval = set_user(new);
69617 if (retval < 0)
69618 @@ -675,6 +698,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
69619 goto error;
69620
69621 retval = -EPERM;
69622 +
69623 + if (gr_check_crash_uid(uid))
69624 + goto error;
69625 + if (gr_check_user_change(uid, uid, uid))
69626 + goto error;
69627 +
69628 if (capable(CAP_SETUID)) {
69629 new->suid = new->uid = uid;
69630 if (uid != old->uid) {
69631 @@ -732,6 +761,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid,
69632 goto error;
69633 }
69634
69635 + if (gr_check_user_change(ruid, euid, -1))
69636 + goto error;
69637 +
69638 if (ruid != (uid_t) -1) {
69639 new->uid = ruid;
69640 if (ruid != old->uid) {
69641 @@ -800,6 +832,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid,
69642 goto error;
69643 }
69644
69645 + if (gr_check_group_change(rgid, egid, -1))
69646 + goto error;
69647 +
69648 if (rgid != (gid_t) -1)
69649 new->gid = rgid;
69650 if (egid != (gid_t) -1)
69651 @@ -849,6 +884,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
69652 if (security_task_setuid(uid, (uid_t)-1, (uid_t)-1, LSM_SETID_FS) < 0)
69653 goto error;
69654
69655 + if (gr_check_user_change(-1, -1, uid))
69656 + goto error;
69657 +
69658 if (uid == old->uid || uid == old->euid ||
69659 uid == old->suid || uid == old->fsuid ||
69660 capable(CAP_SETUID)) {
69661 @@ -889,6 +927,9 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
69662 if (gid == old->gid || gid == old->egid ||
69663 gid == old->sgid || gid == old->fsgid ||
69664 capable(CAP_SETGID)) {
69665 + if (gr_check_group_change(-1, -1, gid))
69666 + goto error;
69667 +
69668 if (gid != old_fsgid) {
69669 new->fsgid = gid;
69670 goto change_okay;
69671 @@ -1454,7 +1495,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
69672 error = get_dumpable(me->mm);
69673 break;
69674 case PR_SET_DUMPABLE:
69675 - if (arg2 < 0 || arg2 > 1) {
69676 + if (arg2 > 1) {
69677 error = -EINVAL;
69678 break;
69679 }
69680 diff -urNp linux-2.6.32.46/kernel/sysctl.c linux-2.6.32.46/kernel/sysctl.c
69681 --- linux-2.6.32.46/kernel/sysctl.c 2011-03-27 14:31:47.000000000 -0400
69682 +++ linux-2.6.32.46/kernel/sysctl.c 2011-04-17 15:56:46.000000000 -0400
69683 @@ -63,6 +63,13 @@
69684 static int deprecated_sysctl_warning(struct __sysctl_args *args);
69685
69686 #if defined(CONFIG_SYSCTL)
69687 +#include <linux/grsecurity.h>
69688 +#include <linux/grinternal.h>
69689 +
69690 +extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
69691 +extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
69692 + const int op);
69693 +extern int gr_handle_chroot_sysctl(const int op);
69694
69695 /* External variables not in a header file. */
69696 extern int C_A_D;
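Review bot: The three `extern` prototypes for `gr_handle_sysctl`, `gr_handle_sysctl_mod` and `gr_handle_chroot_sysctl` are declared in this .c file right after including `linux/grsecurity.h` and `linux/grinternal.h`. Prototypes kept outside a shared header are not checked against the definitions, so a signature change on the grsecurity side would compile silently here. Moving them into one of the two headers already included would fix that. The taskstats.c hunk later on this page does the same with `extern int gr_is_taskstats_denied(int pid);`.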
69697 @@ -168,6 +175,7 @@ static int proc_do_cad_pid(struct ctl_ta
69698 static int proc_taint(struct ctl_table *table, int write,
69699 void __user *buffer, size_t *lenp, loff_t *ppos);
69700 #endif
69701 +extern ctl_table grsecurity_table[];
69702
69703 static struct ctl_table root_table[];
69704 static struct ctl_table_root sysctl_table_root;
69705 @@ -200,6 +208,21 @@ extern struct ctl_table epoll_table[];
69706 int sysctl_legacy_va_layout;
69707 #endif
69708
69709 +#ifdef CONFIG_PAX_SOFTMODE
69710 +static ctl_table pax_table[] = {
69711 + {
69712 + .ctl_name = CTL_UNNUMBERED,
69713 + .procname = "softmode",
69714 + .data = &pax_softmode,
69715 + .maxlen = sizeof(unsigned int),
69716 + .mode = 0600,
69717 + .proc_handler = &proc_dointvec,
69718 + },
69719 +
69720 + { .ctl_name = 0 }
69721 +};
69722 +#endif
69723 +
69724 extern int prove_locking;
69725 extern int lock_stat;
69726
69727 @@ -251,6 +274,24 @@ static int max_wakeup_granularity_ns = N
69728 #endif
69729
69730 static struct ctl_table kern_table[] = {
69731 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
69732 + {
69733 + .ctl_name = CTL_UNNUMBERED,
69734 + .procname = "grsecurity",
69735 + .mode = 0500,
69736 + .child = grsecurity_table,
69737 + },
69738 +#endif
69739 +
69740 +#ifdef CONFIG_PAX_SOFTMODE
69741 + {
69742 + .ctl_name = CTL_UNNUMBERED,
69743 + .procname = "pax",
69744 + .mode = 0500,
69745 + .child = pax_table,
69746 + },
69747 +#endif
69748 +
69749 {
69750 .ctl_name = CTL_UNNUMBERED,
69751 .procname = "sched_child_runs_first",
69752 @@ -567,8 +608,8 @@ static struct ctl_table kern_table[] = {
69753 .data = &modprobe_path,
69754 .maxlen = KMOD_PATH_LEN,
69755 .mode = 0644,
69756 - .proc_handler = &proc_dostring,
69757 - .strategy = &sysctl_string,
69758 + .proc_handler = &proc_dostring_modpriv,
69759 + .strategy = &sysctl_string_modpriv,
69760 },
69761 {
69762 .ctl_name = CTL_UNNUMBERED,
69763 @@ -1247,6 +1288,13 @@ static struct ctl_table vm_table[] = {
69764 .mode = 0644,
69765 .proc_handler = &proc_dointvec
69766 },
69767 + {
69768 + .procname = "heap_stack_gap",
69769 + .data = &sysctl_heap_stack_gap,
69770 + .maxlen = sizeof(sysctl_heap_stack_gap),
69771 + .mode = 0644,
69772 + .proc_handler = proc_doulongvec_minmax,
69773 + },
69774 #else
69775 {
69776 .ctl_name = CTL_UNNUMBERED,
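Review bot: The new `heap_stack_gap` entry uses `proc_doulongvec_minmax` but sets neither `.extra1` nor `.extra2`, so no range is enforced on writes to `sysctl_heap_stack_gap`. If a zero or very small value weakens the protection this variable controls (its use is outside this hunk), add bounds, or a comment stating that any value is acceptable. For consistency with the neighbouring entries, the entry could also carry `.ctl_name = CTL_UNNUMBERED,` and spell the handler `&proc_doulongvec_minmax`.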
69777 @@ -1803,6 +1851,8 @@ static int do_sysctl_strategy(struct ctl
69778 return 0;
69779 }
69780
69781 +static int sysctl_perm_nochk(struct ctl_table_root *root, struct ctl_table *table, int op);
69782 +
69783 static int parse_table(int __user *name, int nlen,
69784 void __user *oldval, size_t __user *oldlenp,
69785 void __user *newval, size_t newlen,
69786 @@ -1821,7 +1871,7 @@ repeat:
69787 if (n == table->ctl_name) {
69788 int error;
69789 if (table->child) {
69790 - if (sysctl_perm(root, table, MAY_EXEC))
69791 + if (sysctl_perm_nochk(root, table, MAY_EXEC))
69792 return -EPERM;
69793 name++;
69794 nlen--;
69795 @@ -1906,6 +1956,33 @@ int sysctl_perm(struct ctl_table_root *r
69796 int error;
69797 int mode;
69798
69799 + if (table->parent != NULL && table->parent->procname != NULL &&
69800 + table->procname != NULL &&
69801 + gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
69802 + return -EACCES;
69803 + if (gr_handle_chroot_sysctl(op))
69804 + return -EACCES;
69805 + error = gr_handle_sysctl(table, op);
69806 + if (error)
69807 + return error;
69808 +
69809 + error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
69810 + if (error)
69811 + return error;
69812 +
69813 + if (root->permissions)
69814 + mode = root->permissions(root, current->nsproxy, table);
69815 + else
69816 + mode = table->mode;
69817 +
69818 + return test_perm(mode, op);
69819 +}
69820 +
69821 +int sysctl_perm_nochk(struct ctl_table_root *root, struct ctl_table *table, int op)
69822 +{
69823 + int error;
69824 + int mode;
69825 +
69826 error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
69827 if (error)
69828 return error;
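Review bot: `sysctl_perm_nochk()` repeats the tail of `sysctl_perm()` line for line, so any later change to the permission logic has to be made in two places. After the three grsecurity checks, `sysctl_perm()` can simply end with `return sysctl_perm_nochk(root, table, op);`. The definition should also repeat `static` to match the forward declaration added earlier in this file. A short comment on it should say that parse_table uses it for directory traversal with `MAY_EXEC` and that it skips the grsecurity hooks on purpose. Both function bodies extend outside the hunk.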
69829 @@ -2335,6 +2412,16 @@ int proc_dostring(struct ctl_table *tabl
69830 buffer, lenp, ppos);
69831 }
69832
69833 +int proc_dostring_modpriv(struct ctl_table *table, int write,
69834 + void __user *buffer, size_t *lenp, loff_t *ppos)
69835 +{
69836 + if (write && !capable(CAP_SYS_MODULE))
69837 + return -EPERM;
69838 +
69839 + return _proc_do_string(table->data, table->maxlen, write,
69840 + buffer, lenp, ppos);
69841 +}
69842 +
69843
69844 static int do_proc_dointvec_conv(int *negp, unsigned long *lvalp,
69845 int *valp,
69846 @@ -2609,7 +2696,7 @@ static int __do_proc_doulongvec_minmax(v
69847 vleft = table->maxlen / sizeof(unsigned long);
69848 left = *lenp;
69849
69850 - for (; left && vleft--; i++, min++, max++, first=0) {
69851 + for (; left && vleft--; i++, first=0) {
69852 if (write) {
69853 while (left) {
69854 char c;
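Review bot: Dropping `min++, max++` from the loop header turns the bounds from per-element arrays into a single pair applied to every element. That is a behaviour change for every table using this handler, not only for the entries this patch adds. The handler's documentation is outside this hunk and should be updated to match; a comment at the loop such as `/* min and max are single bounds shared by all elements */` would record the intent. Existing tables that supply per-element bound arrays would need to be checked. The loop body continues outside the hunk.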
69855 @@ -2910,6 +2997,12 @@ int proc_dostring(struct ctl_table *tabl
69856 return -ENOSYS;
69857 }
69858
69859 +int proc_dostring_modpriv(struct ctl_table *table, int write,
69860 + void __user *buffer, size_t *lenp, loff_t *ppos)
69861 +{
69862 + return -ENOSYS;
69863 +}
69864 +
69865 int proc_dointvec(struct ctl_table *table, int write,
69866 void __user *buffer, size_t *lenp, loff_t *ppos)
69867 {
69868 @@ -3038,6 +3131,16 @@ int sysctl_string(struct ctl_table *tabl
69869 return 1;
69870 }
69871
69872 +int sysctl_string_modpriv(struct ctl_table *table,
69873 + void __user *oldval, size_t __user *oldlenp,
69874 + void __user *newval, size_t newlen)
69875 +{
69876 + if (newval && newlen && !capable(CAP_SYS_MODULE))
69877 + return -EPERM;
69878 +
69879 + return sysctl_string(table, oldval, oldlenp, newval, newlen);
69880 +}
69881 +
69882 /*
69883 * This function makes sure that all of the integers in the vector
69884 * are between the minimum and maximum values given in the arrays
69885 @@ -3182,6 +3285,13 @@ int sysctl_string(struct ctl_table *tabl
69886 return -ENOSYS;
69887 }
69888
69889 +int sysctl_string_modpriv(struct ctl_table *table,
69890 + void __user *oldval, size_t __user *oldlenp,
69891 + void __user *newval, size_t newlen)
69892 +{
69893 + return -ENOSYS;
69894 +}
69895 +
69896 int sysctl_intvec(struct ctl_table *table,
69897 void __user *oldval, size_t __user *oldlenp,
69898 void __user *newval, size_t newlen)
69899 @@ -3246,6 +3356,7 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
69900 EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
69901 EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
69902 EXPORT_SYMBOL(proc_dostring);
69903 +EXPORT_SYMBOL(proc_dostring_modpriv);
69904 EXPORT_SYMBOL(proc_doulongvec_minmax);
69905 EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax);
69906 EXPORT_SYMBOL(register_sysctl_table);
69907 @@ -3254,5 +3365,6 @@ EXPORT_SYMBOL(sysctl_intvec);
69908 EXPORT_SYMBOL(sysctl_jiffies);
69909 EXPORT_SYMBOL(sysctl_ms_jiffies);
69910 EXPORT_SYMBOL(sysctl_string);
69911 +EXPORT_SYMBOL(sysctl_string_modpriv);
69912 EXPORT_SYMBOL(sysctl_data);
69913 EXPORT_SYMBOL(unregister_sysctl_table);
69914 diff -urNp linux-2.6.32.46/kernel/sysctl_check.c linux-2.6.32.46/kernel/sysctl_check.c
69915 --- linux-2.6.32.46/kernel/sysctl_check.c 2011-03-27 14:31:47.000000000 -0400
69916 +++ linux-2.6.32.46/kernel/sysctl_check.c 2011-04-17 15:56:46.000000000 -0400
69917 @@ -1489,10 +1489,12 @@ int sysctl_check_table(struct nsproxy *n
69918 } else {
69919 if ((table->strategy == sysctl_data) ||
69920 (table->strategy == sysctl_string) ||
69921 + (table->strategy == sysctl_string_modpriv) ||
69922 (table->strategy == sysctl_intvec) ||
69923 (table->strategy == sysctl_jiffies) ||
69924 (table->strategy == sysctl_ms_jiffies) ||
69925 (table->proc_handler == proc_dostring) ||
69926 + (table->proc_handler == proc_dostring_modpriv) ||
69927 (table->proc_handler == proc_dointvec) ||
69928 (table->proc_handler == proc_dointvec_minmax) ||
69929 (table->proc_handler == proc_dointvec_jiffies) ||
69930 diff -urNp linux-2.6.32.46/kernel/taskstats.c linux-2.6.32.46/kernel/taskstats.c
69931 --- linux-2.6.32.46/kernel/taskstats.c 2011-07-13 17:23:04.000000000 -0400
69932 +++ linux-2.6.32.46/kernel/taskstats.c 2011-07-13 17:23:19.000000000 -0400
69933 @@ -26,9 +26,12 @@
69934 #include <linux/cgroup.h>
69935 #include <linux/fs.h>
69936 #include <linux/file.h>
69937 +#include <linux/grsecurity.h>
69938 #include <net/genetlink.h>
69939 #include <asm/atomic.h>
69940
69941 +extern int gr_is_taskstats_denied(int pid);
69942 +
69943 /*
69944 * Maximum length of a cpumask that can be specified in
69945 * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
69946 @@ -442,6 +445,9 @@ static int taskstats_user_cmd(struct sk_
69947 size_t size;
69948 cpumask_var_t mask;
69949
69950 + if (gr_is_taskstats_denied(current->pid))
69951 + return -EACCES;
69952 +
69953 if (!alloc_cpumask_var(&mask, GFP_KERNEL))
69954 return -ENOMEM;
69955
69956 diff -urNp linux-2.6.32.46/kernel/time/tick-broadcast.c linux-2.6.32.46/kernel/time/tick-broadcast.c
69957 --- linux-2.6.32.46/kernel/time/tick-broadcast.c 2011-05-23 16:56:59.000000000 -0400
69958 +++ linux-2.6.32.46/kernel/time/tick-broadcast.c 2011-05-23 16:57:13.000000000 -0400
69959 @@ -116,7 +116,7 @@ int tick_device_uses_broadcast(struct cl
69960 * then clear the broadcast bit.
69961 */
69962 if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
69963 - int cpu = smp_processor_id();
69964 + cpu = smp_processor_id();
69965
69966 cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
69967 tick_broadcast_clear_oneshot(cpu);
69968 diff -urNp linux-2.6.32.46/kernel/time/timekeeping.c linux-2.6.32.46/kernel/time/timekeeping.c
69969 --- linux-2.6.32.46/kernel/time/timekeeping.c 2011-06-25 12:55:35.000000000 -0400
69970 +++ linux-2.6.32.46/kernel/time/timekeeping.c 2011-06-25 12:56:37.000000000 -0400
69971 @@ -14,6 +14,7 @@
69972 #include <linux/init.h>
69973 #include <linux/mm.h>
69974 #include <linux/sched.h>
69975 +#include <linux/grsecurity.h>
69976 #include <linux/sysdev.h>
69977 #include <linux/clocksource.h>
69978 #include <linux/jiffies.h>
69979 @@ -180,7 +181,7 @@ void update_xtime_cache(u64 nsec)
69980 */
69981 struct timespec ts = xtime;
69982 timespec_add_ns(&ts, nsec);
69983 - ACCESS_ONCE(xtime_cache) = ts;
69984 + ACCESS_ONCE_RW(xtime_cache) = ts;
69985 }
69986
69987 /* must hold xtime_lock */
69988 @@ -333,6 +334,8 @@ int do_settimeofday(struct timespec *tv)
69989 if ((unsigned long)tv->tv_nsec >= NSEC_PER_SEC)
69990 return -EINVAL;
69991
69992 + gr_log_timechange();
69993 +
69994 write_seqlock_irqsave(&xtime_lock, flags);
69995
69996 timekeeping_forward_now();
69997 diff -urNp linux-2.6.32.46/kernel/time/timer_list.c linux-2.6.32.46/kernel/time/timer_list.c
69998 --- linux-2.6.32.46/kernel/time/timer_list.c 2011-03-27 14:31:47.000000000 -0400
69999 +++ linux-2.6.32.46/kernel/time/timer_list.c 2011-04-17 15:56:46.000000000 -0400
70000 @@ -38,12 +38,16 @@ DECLARE_PER_CPU(struct hrtimer_cpu_base,
70001
70002 static void print_name_offset(struct seq_file *m, void *sym)
70003 {
70004 +#ifdef CONFIG_GRKERNSEC_HIDESYM
70005 + SEQ_printf(m, "<%p>", NULL);
70006 +#else
70007 char symname[KSYM_NAME_LEN];
70008
70009 if (lookup_symbol_name((unsigned long)sym, symname) < 0)
70010 SEQ_printf(m, "<%p>", sym);
70011 else
70012 SEQ_printf(m, "%s", symname);
70013 +#endif
70014 }
70015
70016 static void
70017 @@ -112,7 +116,11 @@ next_one:
70018 static void
70019 print_base(struct seq_file *m, struct hrtimer_clock_base *base, u64 now)
70020 {
70021 +#ifdef CONFIG_GRKERNSEC_HIDESYM
70022 + SEQ_printf(m, " .base: %p\n", NULL);
70023 +#else
70024 SEQ_printf(m, " .base: %p\n", base);
70025 +#endif
70026 SEQ_printf(m, " .index: %d\n",
70027 base->index);
70028 SEQ_printf(m, " .resolution: %Lu nsecs\n",
70029 @@ -289,7 +297,11 @@ static int __init init_timer_list_procfs
70030 {
70031 struct proc_dir_entry *pe;
70032
70033 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
70034 + pe = proc_create("timer_list", 0400, NULL, &timer_list_fops);
70035 +#else
70036 pe = proc_create("timer_list", 0444, NULL, &timer_list_fops);
70037 +#endif
70038 if (!pe)
70039 return -ENOMEM;
70040 return 0;
70041 diff -urNp linux-2.6.32.46/kernel/time/timer_stats.c linux-2.6.32.46/kernel/time/timer_stats.c
70042 --- linux-2.6.32.46/kernel/time/timer_stats.c 2011-03-27 14:31:47.000000000 -0400
70043 +++ linux-2.6.32.46/kernel/time/timer_stats.c 2011-05-04 17:56:28.000000000 -0400
70044 @@ -116,7 +116,7 @@ static ktime_t time_start, time_stop;
70045 static unsigned long nr_entries;
70046 static struct entry entries[MAX_ENTRIES];
70047
70048 -static atomic_t overflow_count;
70049 +static atomic_unchecked_t overflow_count;
70050
70051 /*
70052 * The entries are in a hash-table, for fast lookup:
70053 @@ -140,7 +140,7 @@ static void reset_entries(void)
70054 nr_entries = 0;
70055 memset(entries, 0, sizeof(entries));
70056 memset(tstat_hash_table, 0, sizeof(tstat_hash_table));
70057 - atomic_set(&overflow_count, 0);
70058 + atomic_set_unchecked(&overflow_count, 0);
70059 }
70060
70061 static struct entry *alloc_entry(void)
70062 @@ -261,7 +261,7 @@ void timer_stats_update_stats(void *time
70063 if (likely(entry))
70064 entry->count++;
70065 else
70066 - atomic_inc(&overflow_count);
70067 + atomic_inc_unchecked(&overflow_count);
70068
70069 out_unlock:
70070 spin_unlock_irqrestore(lock, flags);
70071 @@ -269,12 +269,16 @@ void timer_stats_update_stats(void *time
70072
70073 static void print_name_offset(struct seq_file *m, unsigned long addr)
70074 {
70075 +#ifdef CONFIG_GRKERNSEC_HIDESYM
70076 + seq_printf(m, "<%p>", NULL);
70077 +#else
70078 char symname[KSYM_NAME_LEN];
70079
70080 if (lookup_symbol_name(addr, symname) < 0)
70081 seq_printf(m, "<%p>", (void *)addr);
70082 else
70083 seq_printf(m, "%s", symname);
70084 +#endif
70085 }
70086
70087 static int tstats_show(struct seq_file *m, void *v)
70088 @@ -300,9 +304,9 @@ static int tstats_show(struct seq_file *
70089
70090 seq_puts(m, "Timer Stats Version: v0.2\n");
70091 seq_printf(m, "Sample period: %ld.%03ld s\n", period.tv_sec, ms);
70092 - if (atomic_read(&overflow_count))
70093 + if (atomic_read_unchecked(&overflow_count))
70094 seq_printf(m, "Overflow: %d entries\n",
70095 - atomic_read(&overflow_count));
70096 + atomic_read_unchecked(&overflow_count));
70097
70098 for (i = 0; i < nr_entries; i++) {
70099 entry = entries + i;
70100 @@ -415,7 +419,11 @@ static int __init init_tstats_procfs(voi
70101 {
70102 struct proc_dir_entry *pe;
70103
70104 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
70105 + pe = proc_create("timer_stats", 0600, NULL, &tstats_fops);
70106 +#else
70107 pe = proc_create("timer_stats", 0644, NULL, &tstats_fops);
70108 +#endif
70109 if (!pe)
70110 return -ENOMEM;
70111 return 0;
70112 diff -urNp linux-2.6.32.46/kernel/time.c linux-2.6.32.46/kernel/time.c
70113 --- linux-2.6.32.46/kernel/time.c 2011-03-27 14:31:47.000000000 -0400
70114 +++ linux-2.6.32.46/kernel/time.c 2011-04-17 15:56:46.000000000 -0400
70115 @@ -165,6 +165,11 @@ int do_sys_settimeofday(struct timespec
70116 return error;
70117
70118 if (tz) {
70119 + /* we log in do_settimeofday called below, so don't log twice
70120 + */
70121 + if (!tv)
70122 + gr_log_timechange();
70123 +
70124 /* SMP safe, global irq locking makes it work. */
70125 sys_tz = *tz;
70126 update_vsyscall_tz();
70127 @@ -240,7 +245,7 @@ EXPORT_SYMBOL(current_fs_time);
70128 * Avoid unnecessary multiplications/divisions in the
70129 * two most common HZ cases:
70130 */
70131 -unsigned int inline jiffies_to_msecs(const unsigned long j)
70132 +inline unsigned int jiffies_to_msecs(const unsigned long j)
70133 {
70134 #if HZ <= MSEC_PER_SEC && !(MSEC_PER_SEC % HZ)
70135 return (MSEC_PER_SEC / HZ) * j;
70136 @@ -256,7 +261,7 @@ unsigned int inline jiffies_to_msecs(con
70137 }
70138 EXPORT_SYMBOL(jiffies_to_msecs);
70139
70140 -unsigned int inline jiffies_to_usecs(const unsigned long j)
70141 +inline unsigned int jiffies_to_usecs(const unsigned long j)
70142 {
70143 #if HZ <= USEC_PER_SEC && !(USEC_PER_SEC % HZ)
70144 return (USEC_PER_SEC / HZ) * j;
70145 diff -urNp linux-2.6.32.46/kernel/timer.c linux-2.6.32.46/kernel/timer.c
70146 --- linux-2.6.32.46/kernel/timer.c 2011-03-27 14:31:47.000000000 -0400
70147 +++ linux-2.6.32.46/kernel/timer.c 2011-04-17 15:56:46.000000000 -0400
70148 @@ -1213,7 +1213,7 @@ void update_process_times(int user_tick)
70149 /*
70150 * This function runs timers and the timer-tq in bottom half context.
70151 */
70152 -static void run_timer_softirq(struct softirq_action *h)
70153 +static void run_timer_softirq(void)
70154 {
70155 struct tvec_base *base = __get_cpu_var(tvec_bases);
70156
70157 diff -urNp linux-2.6.32.46/kernel/trace/blktrace.c linux-2.6.32.46/kernel/trace/blktrace.c
70158 --- linux-2.6.32.46/kernel/trace/blktrace.c 2011-03-27 14:31:47.000000000 -0400
70159 +++ linux-2.6.32.46/kernel/trace/blktrace.c 2011-05-04 17:56:28.000000000 -0400
70160 @@ -313,7 +313,7 @@ static ssize_t blk_dropped_read(struct f
70161 struct blk_trace *bt = filp->private_data;
70162 char buf[16];
70163
70164 - snprintf(buf, sizeof(buf), "%u\n", atomic_read(&bt->dropped));
70165 + snprintf(buf, sizeof(buf), "%u\n", atomic_read_unchecked(&bt->dropped));
70166
70167 return simple_read_from_buffer(buffer, count, ppos, buf, strlen(buf));
70168 }
70169 @@ -376,7 +376,7 @@ static int blk_subbuf_start_callback(str
70170 return 1;
70171
70172 bt = buf->chan->private_data;
70173 - atomic_inc(&bt->dropped);
70174 + atomic_inc_unchecked(&bt->dropped);
70175 return 0;
70176 }
70177
70178 @@ -477,7 +477,7 @@ int do_blk_trace_setup(struct request_qu
70179
70180 bt->dir = dir;
70181 bt->dev = dev;
70182 - atomic_set(&bt->dropped, 0);
70183 + atomic_set_unchecked(&bt->dropped, 0);
70184
70185 ret = -EIO;
70186 bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt,
70187 diff -urNp linux-2.6.32.46/kernel/trace/ftrace.c linux-2.6.32.46/kernel/trace/ftrace.c
70188 --- linux-2.6.32.46/kernel/trace/ftrace.c 2011-06-25 12:55:35.000000000 -0400
70189 +++ linux-2.6.32.46/kernel/trace/ftrace.c 2011-06-25 12:56:37.000000000 -0400
70190 @@ -1100,13 +1100,18 @@ ftrace_code_disable(struct module *mod,
70191
70192 ip = rec->ip;
70193
70194 + ret = ftrace_arch_code_modify_prepare();
70195 + FTRACE_WARN_ON(ret);
70196 + if (ret)
70197 + return 0;
70198 +
70199 ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
70200 + FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
70201 if (ret) {
70202 ftrace_bug(ret, ip);
70203 rec->flags |= FTRACE_FL_FAILED;
70204 - return 0;
70205 }
70206 - return 1;
70207 + return ret ? 0 : 1;
70208 }
70209
70210 /*
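Review bot: `FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());` puts a call with side effects inside the assertion macro's argument, unlike the prepare call a few lines above, whose result is stored in `ret` first. Keeping the call outside the macro makes it obvious that it always runs exactly once: `int post = ftrace_arch_code_modify_post_process();` followed by `FTRACE_WARN_ON(post);`. The early `return 0` after a failed prepare also skips the `ftrace_bug(ret, ip)` report that the ftrace_make_nop() failure path produces, so the failing `ip` is not logged in that case. A short comment saying whether that is intended would help. ftrace_code_disable() starts above the hunk.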
70211 diff -urNp linux-2.6.32.46/kernel/trace/ring_buffer.c linux-2.6.32.46/kernel/trace/ring_buffer.c
70212 --- linux-2.6.32.46/kernel/trace/ring_buffer.c 2011-03-27 14:31:47.000000000 -0400
70213 +++ linux-2.6.32.46/kernel/trace/ring_buffer.c 2011-04-17 15:56:46.000000000 -0400
70214 @@ -606,7 +606,7 @@ static struct list_head *rb_list_head(st
70215 * the reader page). But if the next page is a header page,
70216 * its flags will be non zero.
70217 */
70218 -static int inline
70219 +static inline int
70220 rb_is_head_page(struct ring_buffer_per_cpu *cpu_buffer,
70221 struct buffer_page *page, struct list_head *list)
70222 {
70223 diff -urNp linux-2.6.32.46/kernel/trace/trace.c linux-2.6.32.46/kernel/trace/trace.c
70224 --- linux-2.6.32.46/kernel/trace/trace.c 2011-03-27 14:31:47.000000000 -0400
70225 +++ linux-2.6.32.46/kernel/trace/trace.c 2011-05-16 21:46:57.000000000 -0400
70226 @@ -3193,6 +3193,8 @@ static ssize_t tracing_splice_read_pipe(
70227 size_t rem;
70228 unsigned int i;
70229
70230 + pax_track_stack();
70231 +
70232 /* copy the tracer to avoid using a global lock all around */
70233 mutex_lock(&trace_types_lock);
70234 if (unlikely(old_tracer != current_trace && current_trace)) {
70235 @@ -3659,6 +3661,8 @@ tracing_buffers_splice_read(struct file
70236 int entries, size, i;
70237 size_t ret;
70238
70239 + pax_track_stack();
70240 +
70241 if (*ppos & (PAGE_SIZE - 1)) {
70242 WARN_ONCE(1, "Ftrace: previous read must page-align\n");
70243 return -EINVAL;
70244 @@ -3816,10 +3820,9 @@ static const struct file_operations trac
70245 };
70246 #endif
70247
70248 -static struct dentry *d_tracer;
70249 -
70250 struct dentry *tracing_init_dentry(void)
70251 {
70252 + static struct dentry *d_tracer;
70253 static int once;
70254
70255 if (d_tracer)
70256 @@ -3839,10 +3842,9 @@ struct dentry *tracing_init_dentry(void)
70257 return d_tracer;
70258 }
70259
70260 -static struct dentry *d_percpu;
70261 -
70262 struct dentry *tracing_dentry_percpu(void)
70263 {
70264 + static struct dentry *d_percpu;
70265 static int once;
70266 struct dentry *d_tracer;
70267
70268 diff -urNp linux-2.6.32.46/kernel/trace/trace_events.c linux-2.6.32.46/kernel/trace/trace_events.c
70269 --- linux-2.6.32.46/kernel/trace/trace_events.c 2011-03-27 14:31:47.000000000 -0400
70270 +++ linux-2.6.32.46/kernel/trace/trace_events.c 2011-08-05 20:33:55.000000000 -0400
70271 @@ -951,13 +951,10 @@ static LIST_HEAD(ftrace_module_file_list
70272 * Modules must own their file_operations to keep up with
70273 * reference counting.
70274 */
70275 +
70276 struct ftrace_module_file_ops {
70277 struct list_head list;
70278 struct module *mod;
70279 - struct file_operations id;
70280 - struct file_operations enable;
70281 - struct file_operations format;
70282 - struct file_operations filter;
70283 };
70284
70285 static void remove_subsystem_dir(const char *name)
70286 @@ -1004,17 +1001,12 @@ trace_create_file_ops(struct module *mod
70287
70288 file_ops->mod = mod;
70289
70290 - file_ops->id = ftrace_event_id_fops;
70291 - file_ops->id.owner = mod;
70292 -
70293 - file_ops->enable = ftrace_enable_fops;
70294 - file_ops->enable.owner = mod;
70295 -
70296 - file_ops->filter = ftrace_event_filter_fops;
70297 - file_ops->filter.owner = mod;
70298 -
70299 - file_ops->format = ftrace_event_format_fops;
70300 - file_ops->format.owner = mod;
70301 + pax_open_kernel();
70302 + *(void **)&mod->trace_id.owner = mod;
70303 + *(void **)&mod->trace_enable.owner = mod;
70304 + *(void **)&mod->trace_filter.owner = mod;
70305 + *(void **)&mod->trace_format.owner = mod;
70306 + pax_close_kernel();
70307
70308 list_add(&file_ops->list, &ftrace_module_file_list);
70309
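Review bot: The new code writes only `.owner` on `mod->trace_id`, `mod->trace_enable`, `mod->trace_filter` and `mod->trace_format`, whereas the removed lines first copied the template `ftrace_event_*_fops` structures and then set the owner. Unless those `struct module` members are initialised from the templates elsewhere in the patch (not visible in this hunk), event_create_dir() in the next hunk would be handed file_operations with no handlers; this should be confirmed and stated in a comment. The writes between pax_open_kernel() and pax_close_kernel() also deserve a line saying that the members are otherwise read-only and are written once here. The cast could name the real type, `*(struct module **)&mod->trace_id.owner = mod;`, rather than `void **`. trace_create_file_ops() starts above the hunk.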
70310 @@ -1063,8 +1055,8 @@ static void trace_module_add_events(stru
70311 call->mod = mod;
70312 list_add(&call->list, &ftrace_events);
70313 event_create_dir(call, d_events,
70314 - &file_ops->id, &file_ops->enable,
70315 - &file_ops->filter, &file_ops->format);
70316 + &mod->trace_id, &mod->trace_enable,
70317 + &mod->trace_filter, &mod->trace_format);
70318 }
70319 }
70320
70321 diff -urNp linux-2.6.32.46/kernel/trace/trace_mmiotrace.c linux-2.6.32.46/kernel/trace/trace_mmiotrace.c
70322 --- linux-2.6.32.46/kernel/trace/trace_mmiotrace.c 2011-03-27 14:31:47.000000000 -0400
70323 +++ linux-2.6.32.46/kernel/trace/trace_mmiotrace.c 2011-05-04 17:56:28.000000000 -0400
70324 @@ -23,7 +23,7 @@ struct header_iter {
70325 static struct trace_array *mmio_trace_array;
70326 static bool overrun_detected;
70327 static unsigned long prev_overruns;
70328 -static atomic_t dropped_count;
70329 +static atomic_unchecked_t dropped_count;
70330
70331 static void mmio_reset_data(struct trace_array *tr)
70332 {
70333 @@ -126,7 +126,7 @@ static void mmio_close(struct trace_iter
70334
70335 static unsigned long count_overruns(struct trace_iterator *iter)
70336 {
70337 - unsigned long cnt = atomic_xchg(&dropped_count, 0);
70338 + unsigned long cnt = atomic_xchg_unchecked(&dropped_count, 0);
70339 unsigned long over = ring_buffer_overruns(iter->tr->buffer);
70340
70341 if (over > prev_overruns)
70342 @@ -316,7 +316,7 @@ static void __trace_mmiotrace_rw(struct
70343 event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_RW,
70344 sizeof(*entry), 0, pc);
70345 if (!event) {
70346 - atomic_inc(&dropped_count);
70347 + atomic_inc_unchecked(&dropped_count);
70348 return;
70349 }
70350 entry = ring_buffer_event_data(event);
70351 @@ -346,7 +346,7 @@ static void __trace_mmiotrace_map(struct
70352 event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_MAP,
70353 sizeof(*entry), 0, pc);
70354 if (!event) {
70355 - atomic_inc(&dropped_count);
70356 + atomic_inc_unchecked(&dropped_count);
70357 return;
70358 }
70359 entry = ring_buffer_event_data(event);
70360 diff -urNp linux-2.6.32.46/kernel/trace/trace_output.c linux-2.6.32.46/kernel/trace/trace_output.c
70361 --- linux-2.6.32.46/kernel/trace/trace_output.c 2011-03-27 14:31:47.000000000 -0400
70362 +++ linux-2.6.32.46/kernel/trace/trace_output.c 2011-04-17 15:56:46.000000000 -0400
70363 @@ -237,7 +237,7 @@ int trace_seq_path(struct trace_seq *s,
70364 return 0;
70365 p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
70366 if (!IS_ERR(p)) {
70367 - p = mangle_path(s->buffer + s->len, p, "\n");
70368 + p = mangle_path(s->buffer + s->len, p, "\n\\");
70369 if (p) {
70370 s->len = p - s->buffer;
70371 return 1;
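Review bot: The escape set passed to mangle_path() now includes the backslash, but nothing in the hunk says why. mangle_path() writes escaped characters as backslash-octal sequences, so with `\` itself unescaped a path that literally contains `\012` reads the same in trace output as an escaped newline. A comment on the call, for example `/* escape '\\' as well, so a path cannot imitate an escaped character */`, would record that. trace_seq_path() starts and ends outside the hunk.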
70372 diff -urNp linux-2.6.32.46/kernel/trace/trace_stack.c linux-2.6.32.46/kernel/trace/trace_stack.c
70373 --- linux-2.6.32.46/kernel/trace/trace_stack.c 2011-03-27 14:31:47.000000000 -0400
70374 +++ linux-2.6.32.46/kernel/trace/trace_stack.c 2011-04-17 15:56:46.000000000 -0400
70375 @@ -50,7 +50,7 @@ static inline void check_stack(void)
70376 return;
70377
70378 /* we do not handle interrupt stacks yet */
70379 - if (!object_is_on_stack(&this_size))
70380 + if (!object_starts_on_stack(&this_size))
70381 return;
70382
70383 local_irq_save(flags);
70384 diff -urNp linux-2.6.32.46/kernel/trace/trace_workqueue.c linux-2.6.32.46/kernel/trace/trace_workqueue.c
70385 --- linux-2.6.32.46/kernel/trace/trace_workqueue.c 2011-03-27 14:31:47.000000000 -0400
70386 +++ linux-2.6.32.46/kernel/trace/trace_workqueue.c 2011-04-17 15:56:46.000000000 -0400
70387 @@ -21,7 +21,7 @@ struct cpu_workqueue_stats {
70388 int cpu;
70389 pid_t pid;
70390 /* Can be inserted from interrupt or user context, need to be atomic */
70391 - atomic_t inserted;
70392 + atomic_unchecked_t inserted;
70393 /*
70394 * Don't need to be atomic, works are serialized in a single workqueue thread
70395 * on a single CPU.
70396 @@ -58,7 +58,7 @@ probe_workqueue_insertion(struct task_st
70397 spin_lock_irqsave(&workqueue_cpu_stat(cpu)->lock, flags);
70398 list_for_each_entry(node, &workqueue_cpu_stat(cpu)->list, list) {
70399 if (node->pid == wq_thread->pid) {
70400 - atomic_inc(&node->inserted);
70401 + atomic_inc_unchecked(&node->inserted);
70402 goto found;
70403 }
70404 }
70405 @@ -205,7 +205,7 @@ static int workqueue_stat_show(struct se
70406 tsk = get_pid_task(pid, PIDTYPE_PID);
70407 if (tsk) {
70408 seq_printf(s, "%3d %6d %6u %s\n", cws->cpu,
70409 - atomic_read(&cws->inserted), cws->executed,
70410 + atomic_read_unchecked(&cws->inserted), cws->executed,
70411 tsk->comm);
70412 put_task_struct(tsk);
70413 }
70414 diff -urNp linux-2.6.32.46/kernel/user.c linux-2.6.32.46/kernel/user.c
70415 --- linux-2.6.32.46/kernel/user.c 2011-03-27 14:31:47.000000000 -0400
70416 +++ linux-2.6.32.46/kernel/user.c 2011-04-17 15:56:46.000000000 -0400
70417 @@ -159,6 +159,7 @@ struct user_struct *alloc_uid(struct use
70418 spin_lock_irq(&uidhash_lock);
70419 up = uid_hash_find(uid, hashent);
70420 if (up) {
70421 + put_user_ns(ns);
70422 key_put(new->uid_keyring);
70423 key_put(new->session_keyring);
70424 kmem_cache_free(uid_cachep, new);
70425 diff -urNp linux-2.6.32.46/lib/bitmap.c linux-2.6.32.46/lib/bitmap.c
70426 --- linux-2.6.32.46/lib/bitmap.c 2011-03-27 14:31:47.000000000 -0400
70427 +++ linux-2.6.32.46/lib/bitmap.c 2011-10-06 09:37:14.000000000 -0400
70428 @@ -341,7 +341,7 @@ int __bitmap_parse(const char *buf, unsi
70429 {
70430 int c, old_c, totaldigits, ndigits, nchunks, nbits;
70431 u32 chunk;
70432 - const char __user *ubuf = buf;
70433 + const char __user *ubuf = (const char __force_user *)buf;
70434
70435 bitmap_zero(maskp, nmaskbits);
70436
70437 @@ -426,7 +426,7 @@ int bitmap_parse_user(const char __user
70438 {
70439 if (!access_ok(VERIFY_READ, ubuf, ulen))
70440 return -EFAULT;
70441 - return __bitmap_parse((const char *)ubuf, ulen, 1, maskp, nmaskbits);
70442 + return __bitmap_parse((const char __force_kernel *)ubuf, ulen, 1, maskp, nmaskbits);
70443 }
70444 EXPORT_SYMBOL(bitmap_parse_user);
70445
70446 diff -urNp linux-2.6.32.46/lib/bug.c linux-2.6.32.46/lib/bug.c
70447 --- linux-2.6.32.46/lib/bug.c 2011-03-27 14:31:47.000000000 -0400
70448 +++ linux-2.6.32.46/lib/bug.c 2011-04-17 15:56:46.000000000 -0400
70449 @@ -135,6 +135,8 @@ enum bug_trap_type report_bug(unsigned l
70450 return BUG_TRAP_TYPE_NONE;
70451
70452 bug = find_bug(bugaddr);
70453 + if (!bug)
70454 + return BUG_TRAP_TYPE_NONE;
70455
70456 printk(KERN_EMERG "------------[ cut here ]------------\n");
70457
70458 diff -urNp linux-2.6.32.46/lib/debugobjects.c linux-2.6.32.46/lib/debugobjects.c
70459 --- linux-2.6.32.46/lib/debugobjects.c 2011-07-13 17:23:04.000000000 -0400
70460 +++ linux-2.6.32.46/lib/debugobjects.c 2011-07-13 17:23:19.000000000 -0400
70461 @@ -277,7 +277,7 @@ static void debug_object_is_on_stack(voi
70462 if (limit > 4)
70463 return;
70464
70465 - is_on_stack = object_is_on_stack(addr);
70466 + is_on_stack = object_starts_on_stack(addr);
70467 if (is_on_stack == onstack)
70468 return;
70469
70470 diff -urNp linux-2.6.32.46/lib/devres.c linux-2.6.32.46/lib/devres.c
70471 --- linux-2.6.32.46/lib/devres.c 2011-03-27 14:31:47.000000000 -0400
70472 +++ linux-2.6.32.46/lib/devres.c 2011-10-06 09:37:14.000000000 -0400
70473 @@ -80,7 +80,7 @@ void devm_iounmap(struct device *dev, vo
70474 {
70475 iounmap(addr);
70476 WARN_ON(devres_destroy(dev, devm_ioremap_release, devm_ioremap_match,
70477 - (void *)addr));
70478 + (void __force *)addr));
70479 }
70480 EXPORT_SYMBOL(devm_iounmap);
70481
70482 @@ -140,7 +140,7 @@ void devm_ioport_unmap(struct device *de
70483 {
70484 ioport_unmap(addr);
70485 WARN_ON(devres_destroy(dev, devm_ioport_map_release,
70486 - devm_ioport_map_match, (void *)addr));
70487 + devm_ioport_map_match, (void __force *)addr));
70488 }
70489 EXPORT_SYMBOL(devm_ioport_unmap);
70490
70491 diff -urNp linux-2.6.32.46/lib/dma-debug.c linux-2.6.32.46/lib/dma-debug.c
70492 --- linux-2.6.32.46/lib/dma-debug.c 2011-03-27 14:31:47.000000000 -0400
70493 +++ linux-2.6.32.46/lib/dma-debug.c 2011-04-17 15:56:46.000000000 -0400
70494 @@ -861,7 +861,7 @@ out:
70495
70496 static void check_for_stack(struct device *dev, void *addr)
70497 {
70498 - if (object_is_on_stack(addr))
70499 + if (object_starts_on_stack(addr))
70500 err_printk(dev, NULL, "DMA-API: device driver maps memory from"
70501 "stack [addr=%p]\n", addr);
70502 }
70503 diff -urNp linux-2.6.32.46/lib/idr.c linux-2.6.32.46/lib/idr.c
70504 --- linux-2.6.32.46/lib/idr.c 2011-03-27 14:31:47.000000000 -0400
70505 +++ linux-2.6.32.46/lib/idr.c 2011-04-17 15:56:46.000000000 -0400
70506 @@ -156,7 +156,7 @@ static int sub_alloc(struct idr *idp, in
70507 id = (id | ((1 << (IDR_BITS * l)) - 1)) + 1;
70508
70509 /* if already at the top layer, we need to grow */
70510 - if (id >= 1 << (idp->layers * IDR_BITS)) {
70511 + if (id >= (1 << (idp->layers * IDR_BITS))) {
70512 *starting_id = id;
70513 return IDR_NEED_TO_GROW;
70514 }
70515 diff -urNp linux-2.6.32.46/lib/inflate.c linux-2.6.32.46/lib/inflate.c
70516 --- linux-2.6.32.46/lib/inflate.c 2011-03-27 14:31:47.000000000 -0400
70517 +++ linux-2.6.32.46/lib/inflate.c 2011-04-17 15:56:46.000000000 -0400
70518 @@ -266,7 +266,7 @@ static void free(void *where)
70519 malloc_ptr = free_mem_ptr;
70520 }
70521 #else
70522 -#define malloc(a) kmalloc(a, GFP_KERNEL)
70523 +#define malloc(a) kmalloc((a), GFP_KERNEL)
70524 #define free(a) kfree(a)
70525 #endif
70526
70527 diff -urNp linux-2.6.32.46/lib/Kconfig.debug linux-2.6.32.46/lib/Kconfig.debug
70528 --- linux-2.6.32.46/lib/Kconfig.debug 2011-03-27 14:31:47.000000000 -0400
70529 +++ linux-2.6.32.46/lib/Kconfig.debug 2011-04-17 15:56:46.000000000 -0400
70530 @@ -905,7 +905,7 @@ config LATENCYTOP
70531 select STACKTRACE
70532 select SCHEDSTATS
70533 select SCHED_DEBUG
70534 - depends on HAVE_LATENCYTOP_SUPPORT
70535 + depends on HAVE_LATENCYTOP_SUPPORT && !GRKERNSEC_HIDESYM
70536 help
70537 Enable this option if you want to use the LatencyTOP tool
70538 to find out which userspace is blocking on what kernel operations.
70539 diff -urNp linux-2.6.32.46/lib/kobject.c linux-2.6.32.46/lib/kobject.c
70540 --- linux-2.6.32.46/lib/kobject.c 2011-03-27 14:31:47.000000000 -0400
70541 +++ linux-2.6.32.46/lib/kobject.c 2011-04-17 15:56:46.000000000 -0400
70542 @@ -700,7 +700,7 @@ static ssize_t kobj_attr_store(struct ko
70543 return ret;
70544 }
70545
70546 -struct sysfs_ops kobj_sysfs_ops = {
70547 +const struct sysfs_ops kobj_sysfs_ops = {
70548 .show = kobj_attr_show,
70549 .store = kobj_attr_store,
70550 };
70551 @@ -789,7 +789,7 @@ static struct kobj_type kset_ktype = {
70552 * If the kset was not able to be created, NULL will be returned.
70553 */
70554 static struct kset *kset_create(const char *name,
70555 - struct kset_uevent_ops *uevent_ops,
70556 + const struct kset_uevent_ops *uevent_ops,
70557 struct kobject *parent_kobj)
70558 {
70559 struct kset *kset;
70560 @@ -832,7 +832,7 @@ static struct kset *kset_create(const ch
70561 * If the kset was not able to be created, NULL will be returned.
70562 */
70563 struct kset *kset_create_and_add(const char *name,
70564 - struct kset_uevent_ops *uevent_ops,
70565 + const struct kset_uevent_ops *uevent_ops,
70566 struct kobject *parent_kobj)
70567 {
70568 struct kset *kset;
70569 diff -urNp linux-2.6.32.46/lib/kobject_uevent.c linux-2.6.32.46/lib/kobject_uevent.c
70570 --- linux-2.6.32.46/lib/kobject_uevent.c 2011-03-27 14:31:47.000000000 -0400
70571 +++ linux-2.6.32.46/lib/kobject_uevent.c 2011-04-17 15:56:46.000000000 -0400
70572 @@ -95,7 +95,7 @@ int kobject_uevent_env(struct kobject *k
70573 const char *subsystem;
70574 struct kobject *top_kobj;
70575 struct kset *kset;
70576 - struct kset_uevent_ops *uevent_ops;
70577 + const struct kset_uevent_ops *uevent_ops;
70578 u64 seq;
70579 int i = 0;
70580 int retval = 0;
70581 diff -urNp linux-2.6.32.46/lib/kref.c linux-2.6.32.46/lib/kref.c
70582 --- linux-2.6.32.46/lib/kref.c 2011-03-27 14:31:47.000000000 -0400
70583 +++ linux-2.6.32.46/lib/kref.c 2011-04-17 15:56:46.000000000 -0400
70584 @@ -61,7 +61,7 @@ void kref_get(struct kref *kref)
70585 */
70586 int kref_put(struct kref *kref, void (*release)(struct kref *kref))
70587 {
70588 - WARN_ON(release == NULL);
70589 + BUG_ON(release == NULL);
70590 WARN_ON(release == (void (*)(struct kref *))kfree);
70591
70592 if (atomic_dec_and_test(&kref->refcount)) {
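Review bot: `BUG_ON(release == NULL)` fires on every kref_put() call with a NULL release, including calls where the count does not reach zero and release would never have been invoked, and the change is not reflected in any comment. The kernel-doc above the function (outside this hunk) should state that a NULL release is now fatal rather than warned about. The reason is worth a line at the check: `/* a NULL release would be called as a function once the count drops to zero */`.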
70593 diff -urNp linux-2.6.32.46/lib/parser.c linux-2.6.32.46/lib/parser.c
70594 --- linux-2.6.32.46/lib/parser.c 2011-03-27 14:31:47.000000000 -0400
70595 +++ linux-2.6.32.46/lib/parser.c 2011-04-17 15:56:46.000000000 -0400
70596 @@ -126,7 +126,7 @@ static int match_number(substring_t *s,
70597 char *buf;
70598 int ret;
70599
70600 - buf = kmalloc(s->to - s->from + 1, GFP_KERNEL);
70601 + buf = kmalloc((s->to - s->from) + 1, GFP_KERNEL);
70602 if (!buf)
70603 return -ENOMEM;
70604 memcpy(buf, s->from, s->to - s->from);
70605 diff -urNp linux-2.6.32.46/lib/radix-tree.c linux-2.6.32.46/lib/radix-tree.c
70606 --- linux-2.6.32.46/lib/radix-tree.c 2011-03-27 14:31:47.000000000 -0400
70607 +++ linux-2.6.32.46/lib/radix-tree.c 2011-04-17 15:56:46.000000000 -0400
70608 @@ -81,7 +81,7 @@ struct radix_tree_preload {
70609 int nr;
70610 struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
70611 };
70612 -static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
70613 +static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
70614
70615 static inline gfp_t root_gfp_mask(struct radix_tree_root *root)
70616 {
70617 diff -urNp linux-2.6.32.46/lib/random32.c linux-2.6.32.46/lib/random32.c
70618 --- linux-2.6.32.46/lib/random32.c 2011-03-27 14:31:47.000000000 -0400
70619 +++ linux-2.6.32.46/lib/random32.c 2011-04-17 15:56:46.000000000 -0400
70620 @@ -61,7 +61,7 @@ static u32 __random32(struct rnd_state *
70621 */
70622 static inline u32 __seed(u32 x, u32 m)
70623 {
70624 - return (x < m) ? x + m : x;
70625 + return (x <= m) ? x + m + 1 : x;
70626 }
70627
70628 /**
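Review bot: The new `__seed()` returns a value strictly greater than `m` (`x <= m` now maps to `x + m + 1`), but the change carries no explanation and the comment above the function is outside the hunk. If the intent is that each state word must exceed its minimum rather than merely equal it, say so next to the expression, e.g. `/* result must be > m, not >= m */`; the callers and their `m` values are not visible here, so this should be checked against them.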
70629 diff -urNp linux-2.6.32.46/lib/vsprintf.c linux-2.6.32.46/lib/vsprintf.c
70630 --- linux-2.6.32.46/lib/vsprintf.c 2011-03-27 14:31:47.000000000 -0400
70631 +++ linux-2.6.32.46/lib/vsprintf.c 2011-04-17 15:56:46.000000000 -0400
70632 @@ -16,6 +16,9 @@
70633 * - scnprintf and vscnprintf
70634 */
70635
70636 +#ifdef CONFIG_GRKERNSEC_HIDESYM
70637 +#define __INCLUDED_BY_HIDESYM 1
70638 +#endif
70639 #include <stdarg.h>
70640 #include <linux/module.h>
70641 #include <linux/types.h>
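Review bot: `__INCLUDED_BY_HIDESYM` is defined ahead of the includes without a comment saying which header tests it or what it permits. Since the macro can only take effect if it precedes the header that checks it, a line such as `/* keep above the #includes: marks this file as allowed to use the symbol-printing helpers under HIDESYM */` would stop it being moved below them or copied into other files by accident. The exact effect should be confirmed against the header that checks the macro, which is not in this part of the patch.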
70642 @@ -546,12 +549,12 @@ static char *number(char *buf, char *end
70643 return buf;
70644 }
70645
70646 -static char *string(char *buf, char *end, char *s, struct printf_spec spec)
70647 +static char *string(char *buf, char *end, const char *s, struct printf_spec spec)
70648 {
70649 int len, i;
70650
70651 if ((unsigned long)s < PAGE_SIZE)
70652 - s = "<NULL>";
70653 + s = "(null)";
70654
70655 len = strnlen(s, spec.precision);
70656
70657 @@ -581,7 +584,7 @@ static char *symbol_string(char *buf, ch
70658 unsigned long value = (unsigned long) ptr;
70659 #ifdef CONFIG_KALLSYMS
70660 char sym[KSYM_SYMBOL_LEN];
70661 - if (ext != 'f' && ext != 's')
70662 + if (ext != 'f' && ext != 's' && ext != 'a')
70663 sprint_symbol(sym, value);
70664 else
70665 kallsyms_lookup(value, NULL, NULL, NULL, sym);
70666 @@ -801,6 +804,8 @@ static char *ip4_addr_string(char *buf,
70667 * - 'f' For simple symbolic function names without offset
70668 * - 'S' For symbolic direct pointers with offset
70669 * - 's' For symbolic direct pointers without offset
70670 + * - 'A' For symbolic direct pointers with offset approved for use with GRKERNSEC_HIDESYM
70671 + * - 'a' For symbolic direct pointers without offset approved for use with GRKERNSEC_HIDESYM
70672 * - 'R' For a struct resource pointer, it prints the range of
70673 * addresses (not the name nor the flags)
70674 * - 'M' For a 6-byte MAC address, it prints the address in the
70675 @@ -822,7 +827,7 @@ static char *pointer(const char *fmt, ch
70676 struct printf_spec spec)
70677 {
70678 if (!ptr)
70679 - return string(buf, end, "(null)", spec);
70680 + return string(buf, end, "(nil)", spec);
70681
70682 switch (*fmt) {
70683 case 'F':
70684 @@ -831,6 +836,14 @@ static char *pointer(const char *fmt, ch
70685 case 's':
70686 /* Fallthrough */
70687 case 'S':
70688 +#ifdef CONFIG_GRKERNSEC_HIDESYM
70689 + break;
70690 +#else
70691 + return symbol_string(buf, end, ptr, spec, *fmt);
70692 +#endif
70693 + case 'a':
70694 + /* Fallthrough */
70695 + case 'A':
70696 return symbol_string(buf, end, ptr, spec, *fmt);
70697 case 'R':
70698 return resource_string(buf, end, ptr, spec);
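Review bot: Under CONFIG_GRKERNSEC_HIDESYM the symbolic cases that fall through to `case 'S'` now `break` out of the switch, so what they print is decided by the code after the switch, which is outside this hunk. If that path formats `ptr` as a plain number, these specifiers would still emit the kernel address that symbol hiding is meant to withhold; this should be checked. A comment at the `break`, for example `/* HIDESYM: no symbol lookup here; only 'a'/'A' may resolve symbols */`, would make the split between the two groups of specifiers clear. pointer() starts above the hunk and continues below it.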
70699 @@ -1445,7 +1458,7 @@ do { \
70700 size_t len;
70701 if ((unsigned long)save_str > (unsigned long)-PAGE_SIZE
70702 || (unsigned long)save_str < PAGE_SIZE)
70703 - save_str = "<NULL>";
70704 + save_str = "(null)";
70705 len = strlen(save_str);
70706 if (str + len + 1 < end)
70707 memcpy(str, save_str, len + 1);
70708 @@ -1555,11 +1568,11 @@ int bstr_printf(char *buf, size_t size,
70709 typeof(type) value; \
70710 if (sizeof(type) == 8) { \
70711 args = PTR_ALIGN(args, sizeof(u32)); \
70712 - *(u32 *)&value = *(u32 *)args; \
70713 - *((u32 *)&value + 1) = *(u32 *)(args + 4); \
70714 + *(u32 *)&value = *(const u32 *)args; \
70715 + *((u32 *)&value + 1) = *(const u32 *)(args + 4); \
70716 } else { \
70717 args = PTR_ALIGN(args, sizeof(type)); \
70718 - value = *(typeof(type) *)args; \
70719 + value = *(const typeof(type) *)args; \
70720 } \
70721 args += sizeof(type); \
70722 value; \
70723 @@ -1622,7 +1635,7 @@ int bstr_printf(char *buf, size_t size,
70724 const char *str_arg = args;
70725 size_t len = strlen(str_arg);
70726 args += len + 1;
70727 - str = string(str, end, (char *)str_arg, spec);
70728 + str = string(str, end, str_arg, spec);
70729 break;
70730 }
70731
70732 diff -urNp linux-2.6.32.46/localversion-grsec linux-2.6.32.46/localversion-grsec
70733 --- linux-2.6.32.46/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
70734 +++ linux-2.6.32.46/localversion-grsec 2011-04-17 15:56:46.000000000 -0400
70735 @@ -0,0 +1 @@
70736 +-grsec
70737 diff -urNp linux-2.6.32.46/Makefile linux-2.6.32.46/Makefile
70738 --- linux-2.6.32.46/Makefile 2011-08-29 22:24:44.000000000 -0400
70739 +++ linux-2.6.32.46/Makefile 2011-10-06 09:43:36.000000000 -0400
70740 @@ -221,8 +221,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
70741
70742 HOSTCC = gcc
70743 HOSTCXX = g++
70744 -HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer
70745 -HOSTCXXFLAGS = -O2
70746 +HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -Wno-unused-parameter -Wno-missing-field-initializers -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
70747 +HOSTCFLAGS += $(call cc-option, -Wno-empty-body)
70748 +HOSTCXXFLAGS = -O2 -fno-delete-null-pointer-checks
70749
70750 # Decide whether to build built-in, modular, or both.
70751 # Normally, just do built-in.
70752 @@ -342,10 +343,12 @@ LINUXINCLUDE := -Iinclude \
70753 KBUILD_CPPFLAGS := -D__KERNEL__
70754
70755 KBUILD_CFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
70756 + -W -Wno-unused-parameter -Wno-missing-field-initializers \
70757 -fno-strict-aliasing -fno-common \
70758 -Werror-implicit-function-declaration \
70759 -Wno-format-security \
70760 -fno-delete-null-pointer-checks
70761 +KBUILD_CFLAGS += $(call cc-option, -Wno-empty-body)
70762 KBUILD_AFLAGS := -D__ASSEMBLY__
70763
70764 # Read KERNELRELEASE from include/config/kernel.release (if it exists)
70765 @@ -376,8 +379,8 @@ export RCS_TAR_IGNORE := --exclude SCCS
70766 # Rules shared between *config targets and build targets
70767
70768 # Basic helpers built in scripts/
70769 -PHONY += scripts_basic
70770 -scripts_basic:
70771 +PHONY += scripts_basic gcc-plugins
70772 +scripts_basic: gcc-plugins
70773 $(Q)$(MAKE) $(build)=scripts/basic
70774
70775 # To avoid any implicit rule to kick in, define an empty command.
70776 @@ -403,7 +406,7 @@ endif
70777 # of make so .config is not included in this case either (for *config).
70778
70779 no-dot-config-targets := clean mrproper distclean \
70780 - cscope TAGS tags help %docs check% \
70781 + cscope gtags TAGS tags help %docs check% \
70782 include/linux/version.h headers_% \
70783 kernelrelease kernelversion
70784
70785 @@ -526,6 +529,36 @@ else
70786 KBUILD_CFLAGS += -O2
70787 endif
70788
70789 +ifeq ($(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-plugin.sh "$(HOSTCC)" "$(CC)"), y)
70790 +CONSTIFY_PLUGIN := -fplugin=$(objtree)/tools/gcc/constify_plugin.so -DCONSTIFY_PLUGIN
70791 +ifdef CONFIG_PAX_MEMORY_STACKLEAK
70792 +STACKLEAK_PLUGIN := -fplugin=$(objtree)/tools/gcc/stackleak_plugin.so -fplugin-arg-stackleak_plugin-track-lowest-sp=100
70793 +endif
70794 +ifdef CONFIG_KALLOCSTAT_PLUGIN
70795 +KALLOCSTAT_PLUGIN := -fplugin=$(objtree)/tools/gcc/kallocstat_plugin.so
70796 +endif
70797 +ifdef CONFIG_PAX_KERNEXEC_PLUGIN
70798 +KERNEXEC_PLUGIN := -fplugin=$(objtree)/tools/gcc/kernexec_plugin.so
70799 +endif
70800 +ifdef CONFIG_CHECKER_PLUGIN
70801 +ifeq ($(call cc-ifversion, -ge, 0406, y), y)
70802 +CHECKER_PLUGIN := -fplugin=$(objtree)/tools/gcc/checker_plugin.so -DCHECKER_PLUGIN
70803 +endif
70804 +endif
70805 +GCC_PLUGINS := $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN) $(KALLOCSTAT_PLUGIN) $(KERNEXEC_PLUGIN) $(CHECKER_PLUGIN)
70806 +export CONSTIFY_PLUGIN STACKLEAK_PLUGIN KERNEXEC_PLUGIN CHECKER_PLUGIN
70807 +gcc-plugins:
70808 + $(Q)$(MAKE) $(build)=tools/gcc
70809 +else
70810 +gcc-plugins:
70811 +ifeq ($(call cc-ifversion, -ge, 0405, y), y)
70812 + $(error Your gcc installation does not support plugins. If the necessary headers for plugin support are missing, they should be installed. On Debian, apt-get install gcc-<ver>-plugin-dev.))
70813 +else
70814 + $(Q)echo "warning, your gcc version does not support plugins, you should upgrade it to gcc 4.5 at least"
70815 +endif
70816 + $(Q)echo "PAX_MEMORY_STACKLEAK and constification will be less secure"
70817 +endif
70818 +
70819 include $(srctree)/arch/$(SRCARCH)/Makefile
70820
70821 ifneq ($(CONFIG_FRAME_WARN),0)
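Review bot: `KALLOCSTAT_PLUGIN` is added to `GCC_PLUGINS` but is missing from the `export` line that lists the other four plugin variables; if that is deliberate it needs a comment, otherwise the line should read `export CONSTIFY_PLUGIN STACKLEAK_PLUGIN KALLOCSTAT_PLUGIN KERNEXEC_PLUGIN CHECKER_PLUGIN`. The `$(error …)` message ends in `.))`, which leaves a stray `)` after the call. In the branch for compilers older than 4.5 the `gcc-plugins` target only echoes that PAX_MEMORY_STACKLEAK and constification "will be less secure" and the build continues, so a kernel configured with `CONFIG_PAX_MEMORY_STACKLEAK` can be produced without the plugin that implements it. Failing the build when a plugin-backed option is enabled but plugins are unavailable would avoid shipping a kernel that is weaker than its configuration says.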
70822 @@ -644,7 +677,7 @@ export mod_strip_cmd
70823
70824
70825 ifeq ($(KBUILD_EXTMOD),)
70826 -core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
70827 +core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
70828
70829 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
70830 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
70831 @@ -840,6 +873,8 @@ define rule_vmlinux-modpost
70832 endef
70833
70834 # vmlinux image - including updated kernel symbols
70835 +$(vmlinux-all): KBUILD_CFLAGS += $(GCC_PLUGINS)
70836 +$(vmlinux-all): gcc-plugins
70837 vmlinux: $(vmlinux-lds) $(vmlinux-init) $(vmlinux-main) vmlinux.o $(kallsyms.o) FORCE
70838 ifdef CONFIG_HEADERS_CHECK
70839 $(Q)$(MAKE) -f $(srctree)/Makefile headers_check
70840 @@ -874,7 +909,8 @@ $(sort $(vmlinux-init) $(vmlinux-main))
70841 # Error messages still appears in the original language
70842
70843 PHONY += $(vmlinux-dirs)
70844 -$(vmlinux-dirs): prepare scripts
70845 +$(vmlinux-dirs): KBUILD_CFLAGS += $(GCC_PLUGINS)
70846 +$(vmlinux-dirs): gcc-plugins prepare scripts
70847 $(Q)$(MAKE) $(build)=$@
70848
70849 # Build the kernel release string
70850 @@ -983,6 +1019,7 @@ prepare0: archprepare FORCE
70851 $(Q)$(MAKE) $(build)=. missing-syscalls
70852
70853 # All the preparing..
70854 +prepare: KBUILD_CFLAGS := $(filter-out $(GCC_PLUGINS),$(KBUILD_CFLAGS))
70855 prepare: prepare0
70856
70857 # The asm symlink changes when $(ARCH) changes.
70858 @@ -1133,7 +1170,7 @@ modules: $(vmlinux-dirs) $(if $(KBUILD_B
70859
70860 # Target to prepare building external modules
70861 PHONY += modules_prepare
70862 -modules_prepare: prepare scripts
70863 +modules_prepare: gcc-plugins prepare scripts
70864
70865 # Target to install modules
70866 PHONY += modules_install
70867 @@ -1198,7 +1235,7 @@ MRPROPER_FILES += .config .config.old in
70868 include/linux/autoconf.h include/linux/version.h \
70869 include/linux/utsrelease.h \
70870 include/linux/bounds.h include/asm*/asm-offsets.h \
70871 - Module.symvers Module.markers tags TAGS cscope*
70872 + Module.symvers Module.markers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS
70873
70874 # clean - Delete most, but leave enough to build external modules
70875 #
70876 @@ -1242,7 +1279,7 @@ distclean: mrproper
70877 @find $(srctree) $(RCS_FIND_IGNORE) \
70878 \( -name '*.orig' -o -name '*.rej' -o -name '*~' \
70879 -o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \
70880 - -o -name '.*.rej' -o -size 0 \
70881 + -o -name '.*.rej' -o -name '*.so' -o -size 0 \
70882 -o -name '*%' -o -name '.*.cmd' -o -name 'core' \) \
70883 -type f -print | xargs rm -f
70884
70885 @@ -1289,6 +1326,7 @@ help:
70886 @echo ' modules_prepare - Set up for building external modules'
70887 @echo ' tags/TAGS - Generate tags file for editors'
70888 @echo ' cscope - Generate cscope index'
70889 + @echo ' gtags - Generate GNU GLOBAL index'
70890 @echo ' kernelrelease - Output the release version string'
70891 @echo ' kernelversion - Output the version stored in Makefile'
70892 @echo ' headers_install - Install sanitised kernel headers to INSTALL_HDR_PATH'; \
70893 @@ -1390,6 +1428,7 @@ PHONY += $(module-dirs) modules
70894 $(module-dirs): crmodverdir $(objtree)/Module.symvers
70895 $(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@)
70896
70897 +modules: KBUILD_CFLAGS += $(GCC_PLUGINS)
70898 modules: $(module-dirs)
70899 @$(kecho) ' Building modules, stage 2.';
70900 $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost
70901 @@ -1445,7 +1484,7 @@ endif # KBUILD_EXTMOD
70902 quiet_cmd_tags = GEN $@
70903 cmd_tags = $(CONFIG_SHELL) $(srctree)/scripts/tags.sh $@
70904
70905 -tags TAGS cscope: FORCE
70906 +tags TAGS cscope gtags: FORCE
70907 $(call cmd,tags)
70908
70909 # Scripts to check various things for consistency
70910 @@ -1510,17 +1549,19 @@ else
70911 target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@))
70912 endif
70913
70914 -%.s: %.c prepare scripts FORCE
70915 +%.s: KBUILD_CFLAGS += $(GCC_PLUGINS)
70916 +%.s: %.c gcc-plugins prepare scripts FORCE
70917 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
70918 %.i: %.c prepare scripts FORCE
70919 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
70920 -%.o: %.c prepare scripts FORCE
70921 +%.o: KBUILD_CFLAGS += $(GCC_PLUGINS)
70922 +%.o: %.c gcc-plugins prepare scripts FORCE
70923 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
70924 %.lst: %.c prepare scripts FORCE
70925 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
70926 -%.s: %.S prepare scripts FORCE
70927 +%.s: %.S gcc-plugins prepare scripts FORCE
70928 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
70929 -%.o: %.S prepare scripts FORCE
70930 +%.o: %.S gcc-plugins prepare scripts FORCE
70931 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
70932 %.symtypes: %.c prepare scripts FORCE
70933 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
70934 @@ -1530,11 +1571,13 @@ endif
70935 $(cmd_crmodverdir)
70936 $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
70937 $(build)=$(build-dir)
70938 -%/: prepare scripts FORCE
70939 +%/: KBUILD_CFLAGS += $(GCC_PLUGINS)
70940 +%/: gcc-plugins prepare scripts FORCE
70941 $(cmd_crmodverdir)
70942 $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
70943 $(build)=$(build-dir)
70944 -%.ko: prepare scripts FORCE
70945 +%.ko: KBUILD_CFLAGS += $(GCC_PLUGINS)
70946 +%.ko: gcc-plugins prepare scripts FORCE
70947 $(cmd_crmodverdir)
70948 $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
70949 $(build)=$(build-dir) $(@:.ko=.o)
70950 diff -urNp linux-2.6.32.46/mm/backing-dev.c linux-2.6.32.46/mm/backing-dev.c
70951 --- linux-2.6.32.46/mm/backing-dev.c 2011-03-27 14:31:47.000000000 -0400
70952 +++ linux-2.6.32.46/mm/backing-dev.c 2011-08-11 19:48:17.000000000 -0400
70953 @@ -272,7 +272,7 @@ static void bdi_task_init(struct backing
70954 list_add_tail_rcu(&wb->list, &bdi->wb_list);
70955 spin_unlock(&bdi->wb_lock);
70956
70957 - tsk->flags |= PF_FLUSHER | PF_SWAPWRITE;
70958 + tsk->flags |= PF_SWAPWRITE;
70959 set_freezable();
70960
70961 /*
70962 @@ -484,7 +484,7 @@ static void bdi_add_to_pending(struct rc
70963 * Add the default flusher task that gets created for any bdi
70964 * that has dirty data pending writeout
70965 */
70966 -void static bdi_add_default_flusher_task(struct backing_dev_info *bdi)
70967 +static void bdi_add_default_flusher_task(struct backing_dev_info *bdi)
70968 {
70969 if (!bdi_cap_writeback_dirty(bdi))
70970 return;
70971 diff -urNp linux-2.6.32.46/mm/filemap.c linux-2.6.32.46/mm/filemap.c
70972 --- linux-2.6.32.46/mm/filemap.c 2011-03-27 14:31:47.000000000 -0400
70973 +++ linux-2.6.32.46/mm/filemap.c 2011-04-17 15:56:46.000000000 -0400
70974 @@ -1631,7 +1631,7 @@ int generic_file_mmap(struct file * file
70975 struct address_space *mapping = file->f_mapping;
70976
70977 if (!mapping->a_ops->readpage)
70978 - return -ENOEXEC;
70979 + return -ENODEV;
70980 file_accessed(file);
70981 vma->vm_ops = &generic_file_vm_ops;
70982 vma->vm_flags |= VM_CAN_NONLINEAR;
70983 @@ -2027,6 +2027,7 @@ inline int generic_write_checks(struct f
70984 *pos = i_size_read(inode);
70985
70986 if (limit != RLIM_INFINITY) {
70987 + gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
70988 if (*pos >= limit) {
70989 send_sig(SIGXFSZ, current, 0);
70990 return -EFBIG;
70991 diff -urNp linux-2.6.32.46/mm/fremap.c linux-2.6.32.46/mm/fremap.c
70992 --- linux-2.6.32.46/mm/fremap.c 2011-03-27 14:31:47.000000000 -0400
70993 +++ linux-2.6.32.46/mm/fremap.c 2011-04-17 15:56:46.000000000 -0400
70994 @@ -153,6 +153,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
70995 retry:
70996 vma = find_vma(mm, start);
70997
70998 +#ifdef CONFIG_PAX_SEGMEXEC
70999 + if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
71000 + goto out;
71001 +#endif
71002 +
71003 /*
71004 * Make sure the vma is shared, that it supports prefaulting,
71005 * and that the remapped range is valid and fully within
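Review bot: The new early `goto out` has no comment explaining why a vma with VM_MAYEXEC is refused when MF_PAX_SEGMEXEC is set, and the value returned on this path comes from `err`, whose initialisation is outside the hunk. Presumably a nonlinear remapping cannot be kept consistent with the mirrored executable mapping; if so, say it, e.g. `/* PaX: nonlinear mappings are not mirrored, refuse them for VM_MAYEXEC vmas */`. It is also worth confirming that the errno userspace sees on this path is the intended one. The syscall body starts and ends outside the hunk.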
71006 @@ -221,7 +226,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
71007 /*
71008 * drop PG_Mlocked flag for over-mapped range
71009 */
71010 - unsigned int saved_flags = vma->vm_flags;
71011 + unsigned long saved_flags = vma->vm_flags;
71012 munlock_vma_pages_range(vma, start, start + size);
71013 vma->vm_flags = saved_flags;
71014 }
71015 diff -urNp linux-2.6.32.46/mm/highmem.c linux-2.6.32.46/mm/highmem.c
71016 --- linux-2.6.32.46/mm/highmem.c 2011-03-27 14:31:47.000000000 -0400
71017 +++ linux-2.6.32.46/mm/highmem.c 2011-04-17 15:56:46.000000000 -0400
71018 @@ -116,9 +116,10 @@ static void flush_all_zero_pkmaps(void)
71019 * So no dangers, even with speculative execution.
71020 */
71021 page = pte_page(pkmap_page_table[i]);
71022 + pax_open_kernel();
71023 pte_clear(&init_mm, (unsigned long)page_address(page),
71024 &pkmap_page_table[i]);
71025 -
71026 + pax_close_kernel();
71027 set_page_address(page, NULL);
71028 need_flush = 1;
71029 }
71030 @@ -177,9 +178,11 @@ start:
71031 }
71032 }
71033 vaddr = PKMAP_ADDR(last_pkmap_nr);
71034 +
71035 + pax_open_kernel();
71036 set_pte_at(&init_mm, vaddr,
71037 &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
71038 -
71039 + pax_close_kernel();
71040 pkmap_count[last_pkmap_nr] = 1;
71041 set_page_address(page, (void *)vaddr);
71042
71043 diff -urNp linux-2.6.32.46/mm/hugetlb.c linux-2.6.32.46/mm/hugetlb.c
71044 --- linux-2.6.32.46/mm/hugetlb.c 2011-07-13 17:23:04.000000000 -0400
71045 +++ linux-2.6.32.46/mm/hugetlb.c 2011-07-13 17:23:19.000000000 -0400
71046 @@ -1933,6 +1933,26 @@ static int unmap_ref_private(struct mm_s
71047 return 1;
71048 }
71049
71050 +#ifdef CONFIG_PAX_SEGMEXEC
71051 +static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
71052 +{
71053 + struct mm_struct *mm = vma->vm_mm;
71054 + struct vm_area_struct *vma_m;
71055 + unsigned long address_m;
71056 + pte_t *ptep_m;
71057 +
71058 + vma_m = pax_find_mirror_vma(vma);
71059 + if (!vma_m)
71060 + return;
71061 +
71062 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
71063 + address_m = address + SEGMEXEC_TASK_SIZE;
71064 + ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
71065 + get_page(page_m);
71066 + set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
71067 +}
71068 +#endif
71069 +
71070 static int hugetlb_cow(struct mm_struct *mm, struct vm_area_struct *vma,
71071 unsigned long address, pte_t *ptep, pte_t pte,
71072 struct page *pagecache_page)
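Review bot: `huge_pte_offset()` can return NULL, and `pax_mirror_huge_pte` passes `ptep_m` straight to `set_huge_pte_at()` after already taking a reference with `get_page(page_m)`. The hugetlb_fault hunk further down pre-allocates the mirror entry with `huge_pte_alloc()`, so the pointer is probably always valid here, but that dependency is invisible at this call site. Make it explicit before `get_page(page_m)`, for example `BUG_ON(!ptep_m);` in keeping with the assertion already in the function. A one-line comment that the mirror slot is expected to be empty at this point would also help, since the entry is written without being inspected.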
71073 @@ -2004,6 +2024,11 @@ retry_avoidcopy:
71074 huge_ptep_clear_flush(vma, address, ptep);
71075 set_huge_pte_at(mm, address, ptep,
71076 make_huge_pte(vma, new_page, 1));
71077 +
71078 +#ifdef CONFIG_PAX_SEGMEXEC
71079 + pax_mirror_huge_pte(vma, address, new_page);
71080 +#endif
71081 +
71082 /* Make the old page be freed below */
71083 new_page = old_page;
71084 }
71085 @@ -2135,6 +2160,10 @@ retry:
71086 && (vma->vm_flags & VM_SHARED)));
71087 set_huge_pte_at(mm, address, ptep, new_pte);
71088
71089 +#ifdef CONFIG_PAX_SEGMEXEC
71090 + pax_mirror_huge_pte(vma, address, page);
71091 +#endif
71092 +
71093 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
71094 /* Optimization, do the COW without a second fault */
71095 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
71096 @@ -2163,6 +2192,28 @@ int hugetlb_fault(struct mm_struct *mm,
71097 static DEFINE_MUTEX(hugetlb_instantiation_mutex);
71098 struct hstate *h = hstate_vma(vma);
71099
71100 +#ifdef CONFIG_PAX_SEGMEXEC
71101 + struct vm_area_struct *vma_m;
71102 +
71103 + vma_m = pax_find_mirror_vma(vma);
71104 + if (vma_m) {
71105 + unsigned long address_m;
71106 +
71107 + if (vma->vm_start > vma_m->vm_start) {
71108 + address_m = address;
71109 + address -= SEGMEXEC_TASK_SIZE;
71110 + vma = vma_m;
71111 + h = hstate_vma(vma);
71112 + } else
71113 + address_m = address + SEGMEXEC_TASK_SIZE;
71114 +
71115 + if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
71116 + return VM_FAULT_OOM;
71117 + address_m &= HPAGE_MASK;
71118 + unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
71119 + }
71120 +#endif
71121 +
71122 ptep = huge_pte_alloc(mm, address, huge_page_size(h));
71123 if (!ptep)
71124 return VM_FAULT_OOM;
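Review bot: The mirror range is aligned with `HPAGE_MASK` and `HPAGE_SIZE`, while the allocation directly above uses `huge_page_size(h)`, so the two disagree for an hstate whose size is not the default. If SEGMEXEC configurations can only ever have one huge page size this is harmless, but using the hstate keeps the block self-consistent: `address_m &= huge_page_mask(h);` and `unmap_hugepage_range(vma, address_m, address_m + huge_page_size(h), NULL);`. `pax_mirror_huge_pte` uses the same constant and would take the same change. hugetlb_fault continues outside the hunk.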
71125 diff -urNp linux-2.6.32.46/mm/internal.h linux-2.6.32.46/mm/internal.h
71126 --- linux-2.6.32.46/mm/internal.h 2011-03-27 14:31:47.000000000 -0400
71127 +++ linux-2.6.32.46/mm/internal.h 2011-07-09 09:13:08.000000000 -0400
71128 @@ -49,6 +49,7 @@ extern void putback_lru_page(struct page
71129 * in mm/page_alloc.c
71130 */
71131 extern void __free_pages_bootmem(struct page *page, unsigned int order);
71132 +extern void free_compound_page(struct page *page);
71133 extern void prep_compound_page(struct page *page, unsigned long order);
71134
71135
71136 diff -urNp linux-2.6.32.46/mm/Kconfig linux-2.6.32.46/mm/Kconfig
71137 --- linux-2.6.32.46/mm/Kconfig 2011-03-27 14:31:47.000000000 -0400
71138 +++ linux-2.6.32.46/mm/Kconfig 2011-04-17 15:56:46.000000000 -0400
71139 @@ -228,7 +228,7 @@ config KSM
71140 config DEFAULT_MMAP_MIN_ADDR
71141 int "Low address space to protect from user allocation"
71142 depends on MMU
71143 - default 4096
71144 + default 65536
71145 help
71146 This is the portion of low virtual memory which should be protected
71147 from userspace allocation. Keeping a user from writing to low pages
71148 diff -urNp linux-2.6.32.46/mm/kmemleak.c linux-2.6.32.46/mm/kmemleak.c
71149 --- linux-2.6.32.46/mm/kmemleak.c 2011-06-25 12:55:35.000000000 -0400
71150 +++ linux-2.6.32.46/mm/kmemleak.c 2011-06-25 12:56:37.000000000 -0400
71151 @@ -358,7 +358,7 @@ static void print_unreferenced(struct se
71152
71153 for (i = 0; i < object->trace_len; i++) {
71154 void *ptr = (void *)object->trace[i];
71155 - seq_printf(seq, " [<%p>] %pS\n", ptr, ptr);
71156 + seq_printf(seq, " [<%p>] %pA\n", ptr, ptr);
71157 }
71158 }
71159
71160 diff -urNp linux-2.6.32.46/mm/maccess.c linux-2.6.32.46/mm/maccess.c
71161 --- linux-2.6.32.46/mm/maccess.c 2011-03-27 14:31:47.000000000 -0400
71162 +++ linux-2.6.32.46/mm/maccess.c 2011-10-06 09:37:14.000000000 -0400
71163 @@ -14,7 +14,7 @@
71164 * Safely read from address @src to the buffer at @dst. If a kernel fault
71165 * happens, handle that and return -EFAULT.
71166 */
71167 -long probe_kernel_read(void *dst, void *src, size_t size)
71168 +long probe_kernel_read(void *dst, const void *src, size_t size)
71169 {
71170 long ret;
71171 mm_segment_t old_fs = get_fs();
71172 @@ -22,7 +22,7 @@ long probe_kernel_read(void *dst, void *
71173 set_fs(KERNEL_DS);
71174 pagefault_disable();
71175 ret = __copy_from_user_inatomic(dst,
71176 - (__force const void __user *)src, size);
71177 + (const void __force_user *)src, size);
71178 pagefault_enable();
71179 set_fs(old_fs);
71180
71181 @@ -39,14 +39,14 @@ EXPORT_SYMBOL_GPL(probe_kernel_read);
71182 * Safely write to address @dst from the buffer at @src. If a kernel fault
71183 * happens, handle that and return -EFAULT.
71184 */
71185 -long notrace __weak probe_kernel_write(void *dst, void *src, size_t size)
71186 +long notrace __weak probe_kernel_write(void *dst, const void *src, size_t size)
71187 {
71188 long ret;
71189 mm_segment_t old_fs = get_fs();
71190
71191 set_fs(KERNEL_DS);
71192 pagefault_disable();
71193 - ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
71194 + ret = __copy_to_user_inatomic((void __force_user *)dst, src, size);
71195 pagefault_enable();
71196 set_fs(old_fs);
71197
71198 diff -urNp linux-2.6.32.46/mm/madvise.c linux-2.6.32.46/mm/madvise.c
71199 --- linux-2.6.32.46/mm/madvise.c 2011-03-27 14:31:47.000000000 -0400
71200 +++ linux-2.6.32.46/mm/madvise.c 2011-04-17 15:56:46.000000000 -0400
71201 @@ -44,6 +44,10 @@ static long madvise_behavior(struct vm_a
71202 pgoff_t pgoff;
71203 unsigned long new_flags = vma->vm_flags;
71204
71205 +#ifdef CONFIG_PAX_SEGMEXEC
71206 + struct vm_area_struct *vma_m;
71207 +#endif
71208 +
71209 switch (behavior) {
71210 case MADV_NORMAL:
71211 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
71212 @@ -103,6 +107,13 @@ success:
71213 /*
71214 * vm_flags is protected by the mmap_sem held in write mode.
71215 */
71216 +
71217 +#ifdef CONFIG_PAX_SEGMEXEC
71218 + vma_m = pax_find_mirror_vma(vma);
71219 + if (vma_m)
71220 + vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
71221 +#endif
71222 +
71223 vma->vm_flags = new_flags;
71224
71225 out:
71226 @@ -161,6 +172,11 @@ static long madvise_dontneed(struct vm_a
71227 struct vm_area_struct ** prev,
71228 unsigned long start, unsigned long end)
71229 {
71230 +
71231 +#ifdef CONFIG_PAX_SEGMEXEC
71232 + struct vm_area_struct *vma_m;
71233 +#endif
71234 +
71235 *prev = vma;
71236 if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
71237 return -EINVAL;
71238 @@ -173,6 +189,21 @@ static long madvise_dontneed(struct vm_a
71239 zap_page_range(vma, start, end - start, &details);
71240 } else
71241 zap_page_range(vma, start, end - start, NULL);
71242 +
71243 +#ifdef CONFIG_PAX_SEGMEXEC
71244 + vma_m = pax_find_mirror_vma(vma);
71245 + if (vma_m) {
71246 + if (unlikely(vma->vm_flags & VM_NONLINEAR)) {
71247 + struct zap_details details = {
71248 + .nonlinear_vma = vma_m,
71249 + .last_index = ULONG_MAX,
71250 + };
71251 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, &details);
71252 + } else
71253 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
71254 + }
71255 +#endif
71256 +
71257 return 0;
71258 }
71259
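Review bot: The mirror zap passes `vma` together with an address in the mirror range (`start + SEGMEXEC_TASK_SIZE`), while `details.nonlinear_vma` is set to `vma_m`, so the two arguments name different mappings. If this relies on `zap_page_range()` walking forward from `vma` until it reaches the mirror, add a comment saying so; otherwise `vma_m` looks like the intended first argument. The nonlinear test also reads `vma->vm_flags` rather than `vma_m->vm_flags`, which should be confirmed in the same comment.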
71260 @@ -359,6 +390,16 @@ SYSCALL_DEFINE3(madvise, unsigned long,
71261 if (end < start)
71262 goto out;
71263
71264 +#ifdef CONFIG_PAX_SEGMEXEC
71265 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
71266 + if (end > SEGMEXEC_TASK_SIZE)
71267 + goto out;
71268 + } else
71269 +#endif
71270 +
71271 + if (end > TASK_SIZE)
71272 + goto out;
71273 +
71274 error = 0;
71275 if (end == start)
71276 goto out;
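Review bot: The `} else` left dangling before `#endif` binds to whichever statement happens to follow it, here the `if (end > TASK_SIZE)` after a blank line, so inserting any statement between them silently changes the SEGMEXEC behaviour. The do_swap_page hunk in mm/memory.c has the same shape, with an `if` inside the `#ifdef` controlling the `unlock_page(page)` that sits outside it. Assuming SEGMEXEC_TASK_SIZE never exceeds TASK_SIZE, the two limits can be checked independently so that each preprocessor branch is a complete statement. The syscall body starts and ends outside the hunk.

```c
#ifdef CONFIG_PAX_SEGMEXEC
	if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && end > SEGMEXEC_TASK_SIZE)
		goto out;
#endif

	if (end > TASK_SIZE)
		goto out;
```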
71277 diff -urNp linux-2.6.32.46/mm/memory.c linux-2.6.32.46/mm/memory.c
71278 --- linux-2.6.32.46/mm/memory.c 2011-07-13 17:23:04.000000000 -0400
71279 +++ linux-2.6.32.46/mm/memory.c 2011-07-13 17:23:23.000000000 -0400
71280 @@ -187,8 +187,12 @@ static inline void free_pmd_range(struct
71281 return;
71282
71283 pmd = pmd_offset(pud, start);
71284 +
71285 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)
71286 pud_clear(pud);
71287 pmd_free_tlb(tlb, pmd, start);
71288 +#endif
71289 +
71290 }
71291
71292 static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
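Review bot: Compiling out `pud_clear()`/`pmd_free_tlb()` here, and `pgd_clear()`/`pud_free_tlb()` in the next hunk, needs a comment saying that the upper-level table is deliberately never freed with CONFIG_PAX_PER_CPU_PGD, and why. Presumably it stays referenced by the per-CPU page directories, but that cannot be confirmed from these hunks. The two hunks also differ in placement: here `pmd = pmd_offset(pud, start);` stays outside the `#if` and becomes a dead store when the block is compiled out, while in free_pud_range the `pud_offset()` call is inside the guard. Moving the assignment inside the guard makes the two functions symmetric.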
71293 @@ -219,9 +223,12 @@ static inline void free_pud_range(struct
71294 if (end - 1 > ceiling - 1)
71295 return;
71296
71297 +#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD)
71298 pud = pud_offset(pgd, start);
71299 pgd_clear(pgd);
71300 pud_free_tlb(tlb, pud, start);
71301 +#endif
71302 +
71303 }
71304
71305 /*
71306 @@ -1251,10 +1258,10 @@ int __get_user_pages(struct task_struct
71307 (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
71308 i = 0;
71309
71310 - do {
71311 + while (nr_pages) {
71312 struct vm_area_struct *vma;
71313
71314 - vma = find_extend_vma(mm, start);
71315 + vma = find_vma(mm, start);
71316 if (!vma && in_gate_area(tsk, start)) {
71317 unsigned long pg = start & PAGE_MASK;
71318 struct vm_area_struct *gate_vma = get_gate_vma(tsk);
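Review bot: After the switch from `find_extend_vma()` to `find_vma()`, a non-NULL `vma` no longer implies that `start` lies inside it, so `if (!vma && in_gate_area(tsk, start))` is skipped whenever any mapping exists above `start`. The later hunk adds `start < vma->vm_start` to the -EFAULT test, which covers the ordinary path, but a gate-area address that sits below another vma would now fail instead of taking the gate branch; whether that layout can occur depends on the architecture. Consider `if ((!vma || start < vma->vm_start) && in_gate_area(tsk, start))`. A comment that this path no longer grows the stack on behalf of the caller would also help, since that is a behaviour change for every get_user_pages user. The loop body continues outside the hunk.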
71319 @@ -1306,7 +1313,7 @@ int __get_user_pages(struct task_struct
71320 continue;
71321 }
71322
71323 - if (!vma ||
71324 + if (!vma || start < vma->vm_start ||
71325 (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
71326 !(vm_flags & vma->vm_flags))
71327 return i ? : -EFAULT;
71328 @@ -1381,7 +1388,7 @@ int __get_user_pages(struct task_struct
71329 start += PAGE_SIZE;
71330 nr_pages--;
71331 } while (nr_pages && start < vma->vm_end);
71332 - } while (nr_pages);
71333 + }
71334 return i;
71335 }
71336
71337 @@ -1526,6 +1533,10 @@ static int insert_page(struct vm_area_st
71338 page_add_file_rmap(page);
71339 set_pte_at(mm, addr, pte, mk_pte(page, prot));
71340
71341 +#ifdef CONFIG_PAX_SEGMEXEC
71342 + pax_mirror_file_pte(vma, addr, page, ptl);
71343 +#endif
71344 +
71345 retval = 0;
71346 pte_unmap_unlock(pte, ptl);
71347 return retval;
71348 @@ -1560,10 +1571,22 @@ out:
71349 int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
71350 struct page *page)
71351 {
71352 +
71353 +#ifdef CONFIG_PAX_SEGMEXEC
71354 + struct vm_area_struct *vma_m;
71355 +#endif
71356 +
71357 if (addr < vma->vm_start || addr >= vma->vm_end)
71358 return -EFAULT;
71359 if (!page_count(page))
71360 return -EINVAL;
71361 +
71362 +#ifdef CONFIG_PAX_SEGMEXEC
71363 + vma_m = pax_find_mirror_vma(vma);
71364 + if (vma_m)
71365 + vma_m->vm_flags |= VM_INSERTPAGE;
71366 +#endif
71367 +
71368 vma->vm_flags |= VM_INSERTPAGE;
71369 return insert_page(vma, addr, page, vma->vm_page_prot);
71370 }
71371 @@ -1649,6 +1672,7 @@ int vm_insert_mixed(struct vm_area_struc
71372 unsigned long pfn)
71373 {
71374 BUG_ON(!(vma->vm_flags & VM_MIXEDMAP));
71375 + BUG_ON(vma->vm_mirror);
71376
71377 if (addr < vma->vm_start || addr >= vma->vm_end)
71378 return -EFAULT;
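Review bot: `BUG_ON(vma->vm_mirror)` is the only mirror-related addition in this file's visible hunks that is not wrapped in `#ifdef CONFIG_PAX_SEGMEXEC`, so it assumes the `vm_mirror` field exists in every configuration; its declaration is not visible here. Either guard it like the other additions or add a comment that the field is unconditional. A short comment on why a VM_MIXEDMAP vma can never be mirrored would also tell driver authors what triggers the assertion.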
71379 @@ -1977,6 +2001,186 @@ static inline void cow_user_page(struct
71380 copy_user_highpage(dst, src, va, vma);
71381 }
71382
71383 +#ifdef CONFIG_PAX_SEGMEXEC
71384 +static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
71385 +{
71386 + struct mm_struct *mm = vma->vm_mm;
71387 + spinlock_t *ptl;
71388 + pte_t *pte, entry;
71389 +
71390 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
71391 + entry = *pte;
71392 + if (!pte_present(entry)) {
71393 + if (!pte_none(entry)) {
71394 + BUG_ON(pte_file(entry));
71395 + free_swap_and_cache(pte_to_swp_entry(entry));
71396 + pte_clear_not_present_full(mm, address, pte, 0);
71397 + }
71398 + } else {
71399 + struct page *page;
71400 +
71401 + flush_cache_page(vma, address, pte_pfn(entry));
71402 + entry = ptep_clear_flush(vma, address, pte);
71403 + BUG_ON(pte_dirty(entry));
71404 + page = vm_normal_page(vma, address, entry);
71405 + if (page) {
71406 + update_hiwater_rss(mm);
71407 + if (PageAnon(page))
71408 + dec_mm_counter(mm, anon_rss);
71409 + else
71410 + dec_mm_counter(mm, file_rss);
71411 + page_remove_rmap(page);
71412 + page_cache_release(page);
71413 + }
71414 + }
71415 + pte_unmap_unlock(pte, ptl);
71416 +}
71417 +
71418 +/* PaX: if vma is mirrored, synchronize the mirror's PTE
71419 + *
71420 + * the ptl of the lower mapped page is held on entry and is not released on exit
71421 + * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
71422 + */
71423 +static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
71424 +{
71425 + struct mm_struct *mm = vma->vm_mm;
71426 + unsigned long address_m;
71427 + spinlock_t *ptl_m;
71428 + struct vm_area_struct *vma_m;
71429 + pmd_t *pmd_m;
71430 + pte_t *pte_m, entry_m;
71431 +
71432 + BUG_ON(!page_m || !PageAnon(page_m));
71433 +
71434 + vma_m = pax_find_mirror_vma(vma);
71435 + if (!vma_m)
71436 + return;
71437 +
71438 + BUG_ON(!PageLocked(page_m));
71439 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
71440 + address_m = address + SEGMEXEC_TASK_SIZE;
71441 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
71442 + pte_m = pte_offset_map_nested(pmd_m, address_m);
71443 + ptl_m = pte_lockptr(mm, pmd_m);
71444 + if (ptl != ptl_m) {
71445 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
71446 + if (!pte_none(*pte_m))
71447 + goto out;
71448 + }
71449 +
71450 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
71451 + page_cache_get(page_m);
71452 + page_add_anon_rmap(page_m, vma_m, address_m);
71453 + inc_mm_counter(mm, anon_rss);
71454 + set_pte_at(mm, address_m, pte_m, entry_m);
71455 + update_mmu_cache(vma_m, address_m, entry_m);
71456 +out:
71457 + if (ptl != ptl_m)
71458 + spin_unlock(ptl_m);
71459 + pte_unmap_nested(pte_m);
71460 + unlock_page(page_m);
71461 +}
71462 +
71463 +void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
71464 +{
71465 + struct mm_struct *mm = vma->vm_mm;
71466 + unsigned long address_m;
71467 + spinlock_t *ptl_m;
71468 + struct vm_area_struct *vma_m;
71469 + pmd_t *pmd_m;
71470 + pte_t *pte_m, entry_m;
71471 +
71472 + BUG_ON(!page_m || PageAnon(page_m));
71473 +
71474 + vma_m = pax_find_mirror_vma(vma);
71475 + if (!vma_m)
71476 + return;
71477 +
71478 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
71479 + address_m = address + SEGMEXEC_TASK_SIZE;
71480 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
71481 + pte_m = pte_offset_map_nested(pmd_m, address_m);
71482 + ptl_m = pte_lockptr(mm, pmd_m);
71483 + if (ptl != ptl_m) {
71484 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
71485 + if (!pte_none(*pte_m))
71486 + goto out;
71487 + }
71488 +
71489 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
71490 + page_cache_get(page_m);
71491 + page_add_file_rmap(page_m);
71492 + inc_mm_counter(mm, file_rss);
71493 + set_pte_at(mm, address_m, pte_m, entry_m);
71494 + update_mmu_cache(vma_m, address_m, entry_m);
71495 +out:
71496 + if (ptl != ptl_m)
71497 + spin_unlock(ptl_m);
71498 + pte_unmap_nested(pte_m);
71499 +}
71500 +
71501 +static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
71502 +{
71503 + struct mm_struct *mm = vma->vm_mm;
71504 + unsigned long address_m;
71505 + spinlock_t *ptl_m;
71506 + struct vm_area_struct *vma_m;
71507 + pmd_t *pmd_m;
71508 + pte_t *pte_m, entry_m;
71509 +
71510 + vma_m = pax_find_mirror_vma(vma);
71511 + if (!vma_m)
71512 + return;
71513 +
71514 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
71515 + address_m = address + SEGMEXEC_TASK_SIZE;
71516 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
71517 + pte_m = pte_offset_map_nested(pmd_m, address_m);
71518 + ptl_m = pte_lockptr(mm, pmd_m);
71519 + if (ptl != ptl_m) {
71520 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
71521 + if (!pte_none(*pte_m))
71522 + goto out;
71523 + }
71524 +
71525 + entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
71526 + set_pte_at(mm, address_m, pte_m, entry_m);
71527 +out:
71528 + if (ptl != ptl_m)
71529 + spin_unlock(ptl_m);
71530 + pte_unmap_nested(pte_m);
71531 +}
71532 +
71533 +static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
71534 +{
71535 + struct page *page_m;
71536 + pte_t entry;
71537 +
71538 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
71539 + goto out;
71540 +
71541 + entry = *pte;
71542 + page_m = vm_normal_page(vma, address, entry);
71543 + if (!page_m)
71544 + pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
71545 + else if (PageAnon(page_m)) {
71546 + if (pax_find_mirror_vma(vma)) {
71547 + pte_unmap_unlock(pte, ptl);
71548 + lock_page(page_m);
71549 + pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
71550 + if (pte_same(entry, *pte))
71551 + pax_mirror_anon_pte(vma, address, page_m, ptl);
71552 + else
71553 + unlock_page(page_m);
71554 + }
71555 + } else
71556 + pax_mirror_file_pte(vma, address, page_m, ptl);
71557 +
71558 +out:
71559 + pte_unmap_unlock(pte, ptl);
71560 +}
71561 +#endif
71562 +
71563 /*
71564 * This routine handles present pages, when users try to write
71565 * to a shared page. It is done by copying the page to a new address
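Review bot: The comment above `pax_mirror_anon_pte` describes the ptl but not the page lock: the function asserts `PageLocked(page_m)` and ends with `unlock_page(page_m)`, yet the `!vma_m` early return leaves the page lock untouched. Callers must therefore lock the page only when a mirror exists, which is what the `trylock_page()` additions elsewhere in this file do; state that in the comment so a later caller does not leak a page lock. In all three `pax_mirror_*_pte` helpers the `pte_none(*pte_m)` recheck runs only when `ptl != ptl_m`; if the shared-lock case is guaranteed to find an empty mirror slot, a one-line comment should say what guarantees it. The three helpers repeat the same address, pmd, pte and lock sequence and could share one static helper.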
71566 @@ -2156,6 +2360,12 @@ gotten:
71567 */
71568 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
71569 if (likely(pte_same(*page_table, orig_pte))) {
71570 +
71571 +#ifdef CONFIG_PAX_SEGMEXEC
71572 + if (pax_find_mirror_vma(vma))
71573 + BUG_ON(!trylock_page(new_page));
71574 +#endif
71575 +
71576 if (old_page) {
71577 if (!PageAnon(old_page)) {
71578 dec_mm_counter(mm, file_rss);
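Review bot: `BUG_ON(!trylock_page(new_page))` puts the lock acquisition inside an assertion macro, so the page is locked only as long as `BUG_ON` evaluates its argument, and a reader skimming assertions will miss that state changes here. Write the side effect as ordinary code: `if (pax_find_mirror_vma(vma) && !trylock_page(new_page))` followed by `BUG();`. The same construct is added in the do_anonymous_page and __do_fault hunks below. A comment that the lock is released later by `pax_mirror_anon_pte()` would tie the two ends together.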
71579 @@ -2207,6 +2417,10 @@ gotten:
71580 page_remove_rmap(old_page);
71581 }
71582
71583 +#ifdef CONFIG_PAX_SEGMEXEC
71584 + pax_mirror_anon_pte(vma, address, new_page, ptl);
71585 +#endif
71586 +
71587 /* Free the old page.. */
71588 new_page = old_page;
71589 ret |= VM_FAULT_WRITE;
71590 @@ -2606,6 +2820,11 @@ static int do_swap_page(struct mm_struct
71591 swap_free(entry);
71592 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
71593 try_to_free_swap(page);
71594 +
71595 +#ifdef CONFIG_PAX_SEGMEXEC
71596 + if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
71597 +#endif
71598 +
71599 unlock_page(page);
71600
71601 if (flags & FAULT_FLAG_WRITE) {
71602 @@ -2617,6 +2836,11 @@ static int do_swap_page(struct mm_struct
71603
71604 /* No need to invalidate - it was non-present before */
71605 update_mmu_cache(vma, address, pte);
71606 +
71607 +#ifdef CONFIG_PAX_SEGMEXEC
71608 + pax_mirror_anon_pte(vma, address, page, ptl);
71609 +#endif
71610 +
71611 unlock:
71612 pte_unmap_unlock(page_table, ptl);
71613 out:
71614 @@ -2632,40 +2856,6 @@ out_release:
71615 }
71616
71617 /*
71618 - * This is like a special single-page "expand_{down|up}wards()",
71619 - * except we must first make sure that 'address{-|+}PAGE_SIZE'
71620 - * doesn't hit another vma.
71621 - */
71622 -static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
71623 -{
71624 - address &= PAGE_MASK;
71625 - if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
71626 - struct vm_area_struct *prev = vma->vm_prev;
71627 -
71628 - /*
71629 - * Is there a mapping abutting this one below?
71630 - *
71631 - * That's only ok if it's the same stack mapping
71632 - * that has gotten split..
71633 - */
71634 - if (prev && prev->vm_end == address)
71635 - return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
71636 -
71637 - expand_stack(vma, address - PAGE_SIZE);
71638 - }
71639 - if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
71640 - struct vm_area_struct *next = vma->vm_next;
71641 -
71642 - /* As VM_GROWSDOWN but s/below/above/ */
71643 - if (next && next->vm_start == address + PAGE_SIZE)
71644 - return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
71645 -
71646 - expand_upwards(vma, address + PAGE_SIZE);
71647 - }
71648 - return 0;
71649 -}
71650 -
71651 -/*
71652 * We enter with non-exclusive mmap_sem (to exclude vma changes,
71653 * but allow concurrent faults), and pte mapped but not yet locked.
71654 * We return with mmap_sem still held, but pte unmapped and unlocked.
71655 @@ -2674,27 +2864,23 @@ static int do_anonymous_page(struct mm_s
71656 unsigned long address, pte_t *page_table, pmd_t *pmd,
71657 unsigned int flags)
71658 {
71659 - struct page *page;
71660 + struct page *page = NULL;
71661 spinlock_t *ptl;
71662 pte_t entry;
71663
71664 - pte_unmap(page_table);
71665 -
71666 - /* Check if we need to add a guard page to the stack */
71667 - if (check_stack_guard_page(vma, address) < 0)
71668 - return VM_FAULT_SIGBUS;
71669 -
71670 - /* Use the zero-page for reads */
71671 if (!(flags & FAULT_FLAG_WRITE)) {
71672 entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
71673 vma->vm_page_prot));
71674 - page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
71675 + ptl = pte_lockptr(mm, pmd);
71676 + spin_lock(ptl);
71677 if (!pte_none(*page_table))
71678 goto unlock;
71679 goto setpte;
71680 }
71681
71682 /* Allocate our own private page. */
71683 + pte_unmap(page_table);
71684 +
71685 if (unlikely(anon_vma_prepare(vma)))
71686 goto oom;
71687 page = alloc_zeroed_user_highpage_movable(vma, address);
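Review bot: This hunk removes the `check_stack_guard_page()` call, and the preceding hunk deletes the function, with no replacement visible here, so nothing in do_anonymous_page now keeps a growing stack from abutting a neighbouring mapping. Presumably the patch enforces the gap elsewhere, in the stack expansion path; add a comment at the top of the function naming where, so the removal does not read as a lost mitigation. The read path now takes `pte_lockptr()` and `spin_lock()` on the `page_table` mapping handed in by the caller instead of remapping it, which deserves a line as well. The function starts and ends outside the hunk.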
71688 @@ -2713,6 +2899,11 @@ static int do_anonymous_page(struct mm_s
71689 if (!pte_none(*page_table))
71690 goto release;
71691
71692 +#ifdef CONFIG_PAX_SEGMEXEC
71693 + if (pax_find_mirror_vma(vma))
71694 + BUG_ON(!trylock_page(page));
71695 +#endif
71696 +
71697 inc_mm_counter(mm, anon_rss);
71698 page_add_new_anon_rmap(page, vma, address);
71699 setpte:
71700 @@ -2720,6 +2911,12 @@ setpte:
71701
71702 /* No need to invalidate - it was non-present before */
71703 update_mmu_cache(vma, address, entry);
71704 +
71705 +#ifdef CONFIG_PAX_SEGMEXEC
71706 + if (page)
71707 + pax_mirror_anon_pte(vma, address, page, ptl);
71708 +#endif
71709 +
71710 unlock:
71711 pte_unmap_unlock(page_table, ptl);
71712 return 0;
71713 @@ -2862,6 +3059,12 @@ static int __do_fault(struct mm_struct *
71714 */
71715 /* Only go through if we didn't race with anybody else... */
71716 if (likely(pte_same(*page_table, orig_pte))) {
71717 +
71718 +#ifdef CONFIG_PAX_SEGMEXEC
71719 + if (anon && pax_find_mirror_vma(vma))
71720 + BUG_ON(!trylock_page(page));
71721 +#endif
71722 +
71723 flush_icache_page(vma, page);
71724 entry = mk_pte(page, vma->vm_page_prot);
71725 if (flags & FAULT_FLAG_WRITE)
71726 @@ -2881,6 +3084,14 @@ static int __do_fault(struct mm_struct *
71727
71728 /* no need to invalidate: a not-present page won't be cached */
71729 update_mmu_cache(vma, address, entry);
71730 +
71731 +#ifdef CONFIG_PAX_SEGMEXEC
71732 + if (anon)
71733 + pax_mirror_anon_pte(vma, address, page, ptl);
71734 + else
71735 + pax_mirror_file_pte(vma, address, page, ptl);
71736 +#endif
71737 +
71738 } else {
71739 if (charged)
71740 mem_cgroup_uncharge_page(page);
71741 @@ -3028,6 +3239,12 @@ static inline int handle_pte_fault(struc
71742 if (flags & FAULT_FLAG_WRITE)
71743 flush_tlb_page(vma, address);
71744 }
71745 +
71746 +#ifdef CONFIG_PAX_SEGMEXEC
71747 + pax_mirror_pte(vma, address, pte, pmd, ptl);
71748 + return 0;
71749 +#endif
71750 +
71751 unlock:
71752 pte_unmap_unlock(pte, ptl);
71753 return 0;
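Review bot: With CONFIG_PAX_SEGMEXEC the added `return 0;` leaves the lock release to `pax_mirror_pte()`, which ends in `pte_unmap_unlock(pte, ptl)` on every path; nothing at this call site says so, and the `unlock:` label below is then reached only by `goto`. Add `/* pax_mirror_pte() unmaps pte and drops ptl */` above the call. Because `pax_mirror_pte()` can drop and retake the lock around `lock_page()`, the comment should also state that nothing after the call may rely on `pte` still being mapped. handle_pte_fault starts outside the hunk.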
71754 @@ -3044,6 +3261,10 @@ int handle_mm_fault(struct mm_struct *mm
71755 pmd_t *pmd;
71756 pte_t *pte;
71757
71758 +#ifdef CONFIG_PAX_SEGMEXEC
71759 + struct vm_area_struct *vma_m;
71760 +#endif
71761 +
71762 __set_current_state(TASK_RUNNING);
71763
71764 count_vm_event(PGFAULT);
71765 @@ -3051,6 +3272,34 @@ int handle_mm_fault(struct mm_struct *mm
71766 if (unlikely(is_vm_hugetlb_page(vma)))
71767 return hugetlb_fault(mm, vma, address, flags);
71768
71769 +#ifdef CONFIG_PAX_SEGMEXEC
71770 + vma_m = pax_find_mirror_vma(vma);
71771 + if (vma_m) {
71772 + unsigned long address_m;
71773 + pgd_t *pgd_m;
71774 + pud_t *pud_m;
71775 + pmd_t *pmd_m;
71776 +
71777 + if (vma->vm_start > vma_m->vm_start) {
71778 + address_m = address;
71779 + address -= SEGMEXEC_TASK_SIZE;
71780 + vma = vma_m;
71781 + } else
71782 + address_m = address + SEGMEXEC_TASK_SIZE;
71783 +
71784 + pgd_m = pgd_offset(mm, address_m);
71785 + pud_m = pud_alloc(mm, pgd_m, address_m);
71786 + if (!pud_m)
71787 + return VM_FAULT_OOM;
71788 + pmd_m = pmd_alloc(mm, pud_m, address_m);
71789 + if (!pmd_m)
71790 + return VM_FAULT_OOM;
71791 + if (!pmd_present(*pmd_m) && __pte_alloc(mm, pmd_m, address_m))
71792 + return VM_FAULT_OOM;
71793 + pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
71794 + }
71795 +#endif
71796 +
71797 pgd = pgd_offset(mm, address);
71798 pud = pud_alloc(mm, pgd, address);
71799 if (!pud)
71800 @@ -3148,7 +3397,7 @@ static int __init gate_vma_init(void)
71801 gate_vma.vm_start = FIXADDR_USER_START;
71802 gate_vma.vm_end = FIXADDR_USER_END;
71803 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
71804 - gate_vma.vm_page_prot = __P101;
71805 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
71806 /*
71807 * Make sure the vDSO gets into every core dump.
71808 * Dumping its contents makes post-mortem fully interpretable later
71809 diff -urNp linux-2.6.32.46/mm/memory-failure.c linux-2.6.32.46/mm/memory-failure.c
71810 --- linux-2.6.32.46/mm/memory-failure.c 2011-03-27 14:31:47.000000000 -0400
71811 +++ linux-2.6.32.46/mm/memory-failure.c 2011-10-06 09:37:14.000000000 -0400
71812 @@ -46,7 +46,7 @@ int sysctl_memory_failure_early_kill __r
71813
71814 int sysctl_memory_failure_recovery __read_mostly = 1;
71815
71816 -atomic_long_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
71817 +atomic_long_unchecked_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
71818
71819 /*
71820 * Send all the processes who have the page mapped an ``action optional''
71821 @@ -64,7 +64,7 @@ static int kill_proc_ao(struct task_stru
71822 si.si_signo = SIGBUS;
71823 si.si_errno = 0;
71824 si.si_code = BUS_MCEERR_AO;
71825 - si.si_addr = (void *)addr;
71826 + si.si_addr = (void __user *)addr;
71827 #ifdef __ARCH_SI_TRAPNO
71828 si.si_trapno = trapno;
71829 #endif
71830 @@ -745,7 +745,7 @@ int __memory_failure(unsigned long pfn,
71831 return 0;
71832 }
71833
71834 - atomic_long_add(1, &mce_bad_pages);
71835 + atomic_long_add_unchecked(1, &mce_bad_pages);
71836
71837 /*
71838 * We need/can do nothing about count=0 pages.
71839 diff -urNp linux-2.6.32.46/mm/mempolicy.c linux-2.6.32.46/mm/mempolicy.c
71840 --- linux-2.6.32.46/mm/mempolicy.c 2011-03-27 14:31:47.000000000 -0400
71841 +++ linux-2.6.32.46/mm/mempolicy.c 2011-04-17 15:56:46.000000000 -0400
71842 @@ -573,6 +573,10 @@ static int mbind_range(struct vm_area_st
71843 struct vm_area_struct *next;
71844 int err;
71845
71846 +#ifdef CONFIG_PAX_SEGMEXEC
71847 + struct vm_area_struct *vma_m;
71848 +#endif
71849 +
71850 err = 0;
71851 for (; vma && vma->vm_start < end; vma = next) {
71852 next = vma->vm_next;
71853 @@ -584,6 +588,16 @@ static int mbind_range(struct vm_area_st
71854 err = policy_vma(vma, new);
71855 if (err)
71856 break;
71857 +
71858 +#ifdef CONFIG_PAX_SEGMEXEC
71859 + vma_m = pax_find_mirror_vma(vma);
71860 + if (vma_m) {
71861 + err = policy_vma(vma_m, new);
71862 + if (err)
71863 + break;
71864 + }
71865 +#endif
71866 +
71867 }
71868 return err;
71869 }
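Review bot: If the added `policy_vma(vma_m, new)` fails, the loop breaks with the primary vma already switched to `new` while its mirror keeps the old policy. The unpatched loop can also stop part-way through a range, but here the two halves of one mirrored mapping diverge, and `pax_find_mirror_vma()` as added to mm/mmap.c in this patch does not compare policies, so nothing would flag the mismatch later. Either undo the primary's change on that path or add a comment such as `/* a failure here leaves vma and vma_m with different policies; callers only see err */` so the state is a documented choice. mbind_range's opening lines are outside the hunk.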
71870 @@ -1002,6 +1016,17 @@ static long do_mbind(unsigned long start
71871
71872 if (end < start)
71873 return -EINVAL;
71874 +
71875 +#ifdef CONFIG_PAX_SEGMEXEC
71876 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
71877 + if (end > SEGMEXEC_TASK_SIZE)
71878 + return -EINVAL;
71879 + } else
71880 +#endif
71881 +
71882 + if (end > TASK_SIZE)
71883 + return -EINVAL;
71884 +
71885 if (end == start)
71886 return 0;
71887
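Review bot: The `} else` before `#endif` leaves a conditional open across the preprocessor boundary, and the blank line that follows makes `if (end > TASK_SIZE)` read as an independent statement. With CONFIG_PAX_SEGMEXEC set it is the else-branch, so a SEGMEXEC task is checked only against SEGMEXEC_TASK_SIZE. Drop the blank line and add a comment such as `/* else-branch when SEGMEXEC is compiled in */` above the TASK_SIZE test, or repeat the test in both preprocessor branches. The `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` prefixes added to arch_get_unmapped_area() and arch_get_unmapped_area_topdown() in mm/mmap.c use the same construct and would benefit from the same treatment.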
71888 @@ -1207,6 +1232,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
71889 if (!mm)
71890 return -EINVAL;
71891
71892 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
71893 + if (mm != current->mm &&
71894 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
71895 + err = -EPERM;
71896 + goto out;
71897 + }
71898 +#endif
71899 +
71900 /*
71901 * Check if this process has the right to modify the specified
71902 * process. The right exists if the process has administrative
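Review bot: The new CONFIG_GRKERNSEC_PROC_MEMMAP block tests the same field twice with `||` between two unparenthesised `&` expressions. `(mm->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC))` says the same thing in one test and avoids relying on operator precedence. The identical block is pasted into move_pages in mm/migrate.c, so a small shared helper would keep the two call sites from drifting apart. A one-line comment on why another task's randomised or mirrored address space is off limits (the check runs before the credential test and returns `-EPERM` regardless of capabilities) would also help the next reader.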
71903 @@ -1216,8 +1249,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
71904 rcu_read_lock();
71905 tcred = __task_cred(task);
71906 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
71907 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
71908 - !capable(CAP_SYS_NICE)) {
71909 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
71910 rcu_read_unlock();
71911 err = -EPERM;
71912 goto out;
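Review bot: The condition no longer accepts a caller whose real uid equals the target's real uid, but the explanatory comment above it begins in the previous hunk and is cut off there, so it cannot be seen whether it was updated. If it still describes a plain "same user" match, it now overstates what is allowed. Please add a line such as `/* real-uid == real-uid alone is not sufficient here */` next to the test. The same edit is made to move_pages in mm/migrate.c and needs the same comment.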
71913 @@ -2396,7 +2428,7 @@ int show_numa_map(struct seq_file *m, vo
71914
71915 if (file) {
71916 seq_printf(m, " file=");
71917 - seq_path(m, &file->f_path, "\n\t= ");
71918 + seq_path(m, &file->f_path, "\n\t\\= ");
71919 } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
71920 seq_printf(m, " heap");
71921 } else if (vma->vm_start <= mm->start_stack &&
71922 diff -urNp linux-2.6.32.46/mm/migrate.c linux-2.6.32.46/mm/migrate.c
71923 --- linux-2.6.32.46/mm/migrate.c 2011-07-13 17:23:04.000000000 -0400
71924 +++ linux-2.6.32.46/mm/migrate.c 2011-07-13 17:23:23.000000000 -0400
71925 @@ -916,6 +916,8 @@ static int do_pages_move(struct mm_struc
71926 unsigned long chunk_start;
71927 int err;
71928
71929 + pax_track_stack();
71930 +
71931 task_nodes = cpuset_mems_allowed(task);
71932
71933 err = -ENOMEM;
71934 @@ -1106,6 +1108,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
71935 if (!mm)
71936 return -EINVAL;
71937
71938 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
71939 + if (mm != current->mm &&
71940 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
71941 + err = -EPERM;
71942 + goto out;
71943 + }
71944 +#endif
71945 +
71946 /*
71947 * Check if this process has the right to modify the specified
71948 * process. The right exists if the process has administrative
71949 @@ -1115,8 +1125,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
71950 rcu_read_lock();
71951 tcred = __task_cred(task);
71952 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
71953 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
71954 - !capable(CAP_SYS_NICE)) {
71955 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
71956 rcu_read_unlock();
71957 err = -EPERM;
71958 goto out;
71959 diff -urNp linux-2.6.32.46/mm/mlock.c linux-2.6.32.46/mm/mlock.c
71960 --- linux-2.6.32.46/mm/mlock.c 2011-03-27 14:31:47.000000000 -0400
71961 +++ linux-2.6.32.46/mm/mlock.c 2011-04-17 15:56:46.000000000 -0400
71962 @@ -13,6 +13,7 @@
71963 #include <linux/pagemap.h>
71964 #include <linux/mempolicy.h>
71965 #include <linux/syscalls.h>
71966 +#include <linux/security.h>
71967 #include <linux/sched.h>
71968 #include <linux/module.h>
71969 #include <linux/rmap.h>
71970 @@ -138,13 +139,6 @@ void munlock_vma_page(struct page *page)
71971 }
71972 }
71973
71974 -static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr)
71975 -{
71976 - return (vma->vm_flags & VM_GROWSDOWN) &&
71977 - (vma->vm_start == addr) &&
71978 - !vma_stack_continue(vma->vm_prev, addr);
71979 -}
71980 -
71981 /**
71982 * __mlock_vma_pages_range() - mlock a range of pages in the vma.
71983 * @vma: target vma
71984 @@ -177,12 +171,6 @@ static long __mlock_vma_pages_range(stru
71985 if (vma->vm_flags & VM_WRITE)
71986 gup_flags |= FOLL_WRITE;
71987
71988 - /* We don't try to access the guard page of a stack vma */
71989 - if (stack_guard_page(vma, start)) {
71990 - addr += PAGE_SIZE;
71991 - nr_pages--;
71992 - }
71993 -
71994 while (nr_pages > 0) {
71995 int i;
71996
71997 @@ -440,7 +428,7 @@ static int do_mlock(unsigned long start,
71998 {
71999 unsigned long nstart, end, tmp;
72000 struct vm_area_struct * vma, * prev;
72001 - int error;
72002 + int error = -EINVAL;
72003
72004 len = PAGE_ALIGN(len);
72005 end = start + len;
72006 @@ -448,6 +436,9 @@ static int do_mlock(unsigned long start,
72007 return -EINVAL;
72008 if (end == start)
72009 return 0;
72010 + if (end > TASK_SIZE)
72011 + return -EINVAL;
72012 +
72013 vma = find_vma_prev(current->mm, start, &prev);
72014 if (!vma || vma->vm_start > start)
72015 return -ENOMEM;
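Review bot: The added bound rejects only `end > TASK_SIZE`, whereas do_mbind() in mm/mempolicy.c rejects `end > SEGMEXEC_TASK_SIZE` up front for SEGMEXEC tasks. Here the SEGMEXEC case is left to the `break` added to the loop in the next hunk. The loop's exit path is outside the visible hunks, so it is not clear whether a range that reaches into the mirror half returns an error or the status of the last vma processed; `int error = -EINVAL` covers only a break on the first iteration. For consistency, reject the range before the walk, for example `if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && end > SEGMEXEC_TASK_SIZE) return -EINVAL;` under `#ifdef CONFIG_PAX_SEGMEXEC`.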
72016 @@ -458,6 +449,11 @@ static int do_mlock(unsigned long start,
72017 for (nstart = start ; ; ) {
72018 unsigned int newflags;
72019
72020 +#ifdef CONFIG_PAX_SEGMEXEC
72021 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
72022 + break;
72023 +#endif
72024 +
72025 /* Here we know that vma->vm_start <= nstart < vma->vm_end. */
72026
72027 newflags = vma->vm_flags | VM_LOCKED;
72028 @@ -507,6 +503,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, st
72029 lock_limit >>= PAGE_SHIFT;
72030
72031 /* check against resource limits */
72032 + gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
72033 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
72034 error = do_mlock(start, len, 1);
72035 up_write(&current->mm->mmap_sem);
72036 @@ -528,17 +525,23 @@ SYSCALL_DEFINE2(munlock, unsigned long,
72037 static int do_mlockall(int flags)
72038 {
72039 struct vm_area_struct * vma, * prev = NULL;
72040 - unsigned int def_flags = 0;
72041
72042 if (flags & MCL_FUTURE)
72043 - def_flags = VM_LOCKED;
72044 - current->mm->def_flags = def_flags;
72045 + current->mm->def_flags |= VM_LOCKED;
72046 + else
72047 + current->mm->def_flags &= ~VM_LOCKED;
72048 if (flags == MCL_FUTURE)
72049 goto out;
72050
72051 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
72052 - unsigned int newflags;
72053 + unsigned long newflags;
72054 +
72055 +#ifdef CONFIG_PAX_SEGMEXEC
72056 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
72057 + break;
72058 +#endif
72059
72060 + BUG_ON(vma->vm_end > TASK_SIZE);
72061 newflags = vma->vm_flags | VM_LOCKED;
72062 if (!(flags & MCL_CURRENT))
72063 newflags &= ~VM_LOCKED;
72064 @@ -570,6 +573,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
72065 lock_limit >>= PAGE_SHIFT;
72066
72067 ret = -ENOMEM;
72068 + gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
72069 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
72070 capable(CAP_IPC_LOCK))
72071 ret = do_mlockall(flags);
72072 diff -urNp linux-2.6.32.46/mm/mmap.c linux-2.6.32.46/mm/mmap.c
72073 --- linux-2.6.32.46/mm/mmap.c 2011-03-27 14:31:47.000000000 -0400
72074 +++ linux-2.6.32.46/mm/mmap.c 2011-04-17 15:56:46.000000000 -0400
72075 @@ -45,6 +45,16 @@
72076 #define arch_rebalance_pgtables(addr, len) (addr)
72077 #endif
72078
72079 +static inline void verify_mm_writelocked(struct mm_struct *mm)
72080 +{
72081 +#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
72082 + if (unlikely(down_read_trylock(&mm->mmap_sem))) {
72083 + up_read(&mm->mmap_sem);
72084 + BUG();
72085 + }
72086 +#endif
72087 +}
72088 +
72089 static void unmap_region(struct mm_struct *mm,
72090 struct vm_area_struct *vma, struct vm_area_struct *prev,
72091 unsigned long start, unsigned long end);
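Review bot: verify_mm_writelocked() cannot tell who holds mmap_sem. A failing `down_read_trylock()` only shows that a read lock was not available at that instant, so the `BUG()` catches a caller that took no lock at all but stays silent when some other task is the one blocking readers. That is reasonable for a debugging assertion, but it should be documented so it is not read as proof of ownership: `/* best effort: trips when nobody excludes readers; does not prove current is the writer */`. It is also worth noting in that comment that the check is compiled in for every CONFIG_PAX build, not only CONFIG_DEBUG_VM.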
72092 @@ -70,22 +80,32 @@ static void unmap_region(struct mm_struc
72093 * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
72094 *
72095 */
72096 -pgprot_t protection_map[16] = {
72097 +pgprot_t protection_map[16] __read_only = {
72098 __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
72099 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
72100 };
72101
72102 pgprot_t vm_get_page_prot(unsigned long vm_flags)
72103 {
72104 - return __pgprot(pgprot_val(protection_map[vm_flags &
72105 + pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
72106 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
72107 pgprot_val(arch_vm_get_page_prot(vm_flags)));
72108 +
72109 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
72110 + if (!nx_enabled &&
72111 + (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
72112 + (vm_flags & (VM_READ | VM_WRITE)))
72113 + prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
72114 +#endif
72115 +
72116 + return prot;
72117 }
72118 EXPORT_SYMBOL(vm_get_page_prot);
72119
72120 int sysctl_overcommit_memory = OVERCOMMIT_GUESS; /* heuristic overcommit */
72121 int sysctl_overcommit_ratio = 50; /* default is 50% */
72122 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
72123 +unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024;
72124 struct percpu_counter vm_committed_as;
72125
72126 /*
72127 @@ -231,6 +251,7 @@ static struct vm_area_struct *remove_vma
72128 struct vm_area_struct *next = vma->vm_next;
72129
72130 might_sleep();
72131 + BUG_ON(vma->vm_mirror);
72132 if (vma->vm_ops && vma->vm_ops->close)
72133 vma->vm_ops->close(vma);
72134 if (vma->vm_file) {
72135 @@ -267,6 +288,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
72136 * not page aligned -Ram Gupta
72137 */
72138 rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
72139 + gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
72140 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
72141 (mm->end_data - mm->start_data) > rlim)
72142 goto out;
72143 @@ -704,6 +726,12 @@ static int
72144 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
72145 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
72146 {
72147 +
72148 +#ifdef CONFIG_PAX_SEGMEXEC
72149 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
72150 + return 0;
72151 +#endif
72152 +
72153 if (is_mergeable_vma(vma, file, vm_flags) &&
72154 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
72155 if (vma->vm_pgoff == vm_pgoff)
72156 @@ -723,6 +751,12 @@ static int
72157 can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
72158 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
72159 {
72160 +
72161 +#ifdef CONFIG_PAX_SEGMEXEC
72162 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
72163 + return 0;
72164 +#endif
72165 +
72166 if (is_mergeable_vma(vma, file, vm_flags) &&
72167 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
72168 pgoff_t vm_pglen;
72169 @@ -765,12 +799,19 @@ can_vma_merge_after(struct vm_area_struc
72170 struct vm_area_struct *vma_merge(struct mm_struct *mm,
72171 struct vm_area_struct *prev, unsigned long addr,
72172 unsigned long end, unsigned long vm_flags,
72173 - struct anon_vma *anon_vma, struct file *file,
72174 + struct anon_vma *anon_vma, struct file *file,
72175 pgoff_t pgoff, struct mempolicy *policy)
72176 {
72177 pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
72178 struct vm_area_struct *area, *next;
72179
72180 +#ifdef CONFIG_PAX_SEGMEXEC
72181 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
72182 + struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
72183 +
72184 + BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
72185 +#endif
72186 +
72187 /*
72188 * We later require that vma->vm_flags == vm_flags,
72189 * so this tests vma->vm_flags & VM_SPECIAL, too.
72190 @@ -786,6 +827,15 @@ struct vm_area_struct *vma_merge(struct
72191 if (next && next->vm_end == end) /* cases 6, 7, 8 */
72192 next = next->vm_next;
72193
72194 +#ifdef CONFIG_PAX_SEGMEXEC
72195 + if (prev)
72196 + prev_m = pax_find_mirror_vma(prev);
72197 + if (area)
72198 + area_m = pax_find_mirror_vma(area);
72199 + if (next)
72200 + next_m = pax_find_mirror_vma(next);
72201 +#endif
72202 +
72203 /*
72204 * Can it merge with the predecessor?
72205 */
72206 @@ -805,9 +855,24 @@ struct vm_area_struct *vma_merge(struct
72207 /* cases 1, 6 */
72208 vma_adjust(prev, prev->vm_start,
72209 next->vm_end, prev->vm_pgoff, NULL);
72210 - } else /* cases 2, 5, 7 */
72211 +
72212 +#ifdef CONFIG_PAX_SEGMEXEC
72213 + if (prev_m)
72214 + vma_adjust(prev_m, prev_m->vm_start,
72215 + next_m->vm_end, prev_m->vm_pgoff, NULL);
72216 +#endif
72217 +
72218 + } else { /* cases 2, 5, 7 */
72219 vma_adjust(prev, prev->vm_start,
72220 end, prev->vm_pgoff, NULL);
72221 +
72222 +#ifdef CONFIG_PAX_SEGMEXEC
72223 + if (prev_m)
72224 + vma_adjust(prev_m, prev_m->vm_start,
72225 + end_m, prev_m->vm_pgoff, NULL);
72226 +#endif
72227 +
72228 + }
72229 return prev;
72230 }
72231
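Review bot: In the "cases 1, 6" branch the mirror update dereferences `next_m->vm_end` under a guard that tests only `prev_m`. `next_m` is set from `pax_find_mirror_vma(next)` and is NULL whenever `next` has no mirror, so this is safe only if a mergeable `next` always has a mirror when `prev` does; that presumably follows from the flag-equality checks, which are outside the hunk. State the invariant in the file's own style with `BUG_ON(prev_m && !next_m);` before the call, or guard with `if (prev_m && next_m)`. The "cases 3, 8" branch in the following hunk has the same shape, with `area_m` as the guard and `next_m->vm_end` and `next_m->vm_pgoff` dereferenced.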
72232 @@ -818,12 +883,27 @@ struct vm_area_struct *vma_merge(struct
72233 mpol_equal(policy, vma_policy(next)) &&
72234 can_vma_merge_before(next, vm_flags,
72235 anon_vma, file, pgoff+pglen)) {
72236 - if (prev && addr < prev->vm_end) /* case 4 */
72237 + if (prev && addr < prev->vm_end) { /* case 4 */
72238 vma_adjust(prev, prev->vm_start,
72239 addr, prev->vm_pgoff, NULL);
72240 - else /* cases 3, 8 */
72241 +
72242 +#ifdef CONFIG_PAX_SEGMEXEC
72243 + if (prev_m)
72244 + vma_adjust(prev_m, prev_m->vm_start,
72245 + addr_m, prev_m->vm_pgoff, NULL);
72246 +#endif
72247 +
72248 + } else { /* cases 3, 8 */
72249 vma_adjust(area, addr, next->vm_end,
72250 next->vm_pgoff - pglen, NULL);
72251 +
72252 +#ifdef CONFIG_PAX_SEGMEXEC
72253 + if (area_m)
72254 + vma_adjust(area_m, addr_m, next_m->vm_end,
72255 + next_m->vm_pgoff - pglen, NULL);
72256 +#endif
72257 +
72258 + }
72259 return area;
72260 }
72261
72262 @@ -898,14 +978,11 @@ none:
72263 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
72264 struct file *file, long pages)
72265 {
72266 - const unsigned long stack_flags
72267 - = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
72268 -
72269 if (file) {
72270 mm->shared_vm += pages;
72271 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
72272 mm->exec_vm += pages;
72273 - } else if (flags & stack_flags)
72274 + } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
72275 mm->stack_vm += pages;
72276 if (flags & (VM_RESERVED|VM_IO))
72277 mm->reserved_vm += pages;
72278 @@ -932,7 +1009,7 @@ unsigned long do_mmap_pgoff(struct file
72279 * (the exception is when the underlying filesystem is noexec
72280 * mounted, in which case we dont add PROT_EXEC.)
72281 */
72282 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
72283 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
72284 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
72285 prot |= PROT_EXEC;
72286
72287 @@ -958,7 +1035,7 @@ unsigned long do_mmap_pgoff(struct file
72288 /* Obtain the address to map to. we verify (or select) it and ensure
72289 * that it represents a valid section of the address space.
72290 */
72291 - addr = get_unmapped_area(file, addr, len, pgoff, flags);
72292 + addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
72293 if (addr & ~PAGE_MASK)
72294 return addr;
72295
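Review bot: OR-ing `MAP_EXECUTABLE` into the flags passed to `get_unmapped_area()` reuses an existing mmap flag as a private "this mapping will be executable" hint, and nothing at the call site says so. A reader of the architecture allocators cannot tell whether the bit came from the caller or from `prot & PROT_EXEC`, and any path that already passes `MAP_EXECUTABLE` for its original meaning will be treated the same way. Add a comment such as `/* MAP_EXECUTABLE doubles as an exec hint for the arch allocator; it is not stored in vm_flags from here */`, adjusted to whatever the allocators actually do with it. do_mmap_pgoff's body starts and ends outside this hunk.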
72296 @@ -969,6 +1046,36 @@ unsigned long do_mmap_pgoff(struct file
72297 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
72298 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
72299
72300 +#ifdef CONFIG_PAX_MPROTECT
72301 + if (mm->pax_flags & MF_PAX_MPROTECT) {
72302 +#ifndef CONFIG_PAX_MPROTECT_COMPAT
72303 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) {
72304 + gr_log_rwxmmap(file);
72305 +
72306 +#ifdef CONFIG_PAX_EMUPLT
72307 + vm_flags &= ~VM_EXEC;
72308 +#else
72309 + return -EPERM;
72310 +#endif
72311 +
72312 + }
72313 +
72314 + if (!(vm_flags & VM_EXEC))
72315 + vm_flags &= ~VM_MAYEXEC;
72316 +#else
72317 + if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
72318 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
72319 +#endif
72320 + else
72321 + vm_flags &= ~VM_MAYWRITE;
72322 + }
72323 +#endif
72324 +
72325 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
72326 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
72327 + vm_flags &= ~VM_PAGEEXEC;
72328 +#endif
72329 +
72330 if (flags & MAP_LOCKED)
72331 if (!can_do_mlock())
72332 return -EPERM;
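Review bot: The single `else vm_flags &= ~VM_MAYWRITE;` after the inner `#endif` is shared by two different `if` statements, one in each branch of `#ifndef CONFIG_PAX_MPROTECT_COMPAT`. Which condition it negates therefore depends on the configuration, and a later edit to one branch can silently detach it. Keeping a complete `if`/`else` inside each preprocessor branch preserves the behaviour and makes both variants readable on their own. A short comment on the CONFIG_PAX_EMUPLT case, where a W|X request is logged and then continues without VM_EXEC instead of failing, would also help.

```c
	if (mm->pax_flags & MF_PAX_MPROTECT) {
#ifndef CONFIG_PAX_MPROTECT_COMPAT
		/* … unchanged: W|X request is logged, then loses VM_EXEC (EMUPLT) or is refused … */

		if (!(vm_flags & VM_EXEC))
			vm_flags &= ~VM_MAYEXEC;
		else
			vm_flags &= ~VM_MAYWRITE;
#else
		if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
			vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
		else
			vm_flags &= ~VM_MAYWRITE;
#endif
	}
```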
72333 @@ -980,6 +1087,7 @@ unsigned long do_mmap_pgoff(struct file
72334 locked += mm->locked_vm;
72335 lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
72336 lock_limit >>= PAGE_SHIFT;
72337 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
72338 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
72339 return -EAGAIN;
72340 }
72341 @@ -1053,6 +1161,9 @@ unsigned long do_mmap_pgoff(struct file
72342 if (error)
72343 return error;
72344
72345 + if (!gr_acl_handle_mmap(file, prot))
72346 + return -EACCES;
72347 +
72348 return mmap_region(file, addr, len, flags, vm_flags, pgoff);
72349 }
72350 EXPORT_SYMBOL(do_mmap_pgoff);
72351 @@ -1065,10 +1176,10 @@ EXPORT_SYMBOL(do_mmap_pgoff);
72352 */
72353 int vma_wants_writenotify(struct vm_area_struct *vma)
72354 {
72355 - unsigned int vm_flags = vma->vm_flags;
72356 + unsigned long vm_flags = vma->vm_flags;
72357
72358 /* If it was private or non-writable, the write bit is already clear */
72359 - if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
72360 + if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
72361 return 0;
72362
72363 /* The backer wishes to know when pages are first written to? */
72364 @@ -1117,14 +1228,24 @@ unsigned long mmap_region(struct file *f
72365 unsigned long charged = 0;
72366 struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
72367
72368 +#ifdef CONFIG_PAX_SEGMEXEC
72369 + struct vm_area_struct *vma_m = NULL;
72370 +#endif
72371 +
72372 + /*
72373 + * mm->mmap_sem is required to protect against another thread
72374 + * changing the mappings in case we sleep.
72375 + */
72376 + verify_mm_writelocked(mm);
72377 +
72378 /* Clear old maps */
72379 error = -ENOMEM;
72380 -munmap_back:
72381 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
72382 if (vma && vma->vm_start < addr + len) {
72383 if (do_munmap(mm, addr, len))
72384 return -ENOMEM;
72385 - goto munmap_back;
72386 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
72387 + BUG_ON(vma && vma->vm_start < addr + len);
72388 }
72389
72390 /* Check against address space limit. */
72391 @@ -1173,6 +1294,16 @@ munmap_back:
72392 goto unacct_error;
72393 }
72394
72395 +#ifdef CONFIG_PAX_SEGMEXEC
72396 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
72397 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
72398 + if (!vma_m) {
72399 + error = -ENOMEM;
72400 + goto free_vma;
72401 + }
72402 + }
72403 +#endif
72404 +
72405 vma->vm_mm = mm;
72406 vma->vm_start = addr;
72407 vma->vm_end = addr + len;
72408 @@ -1195,6 +1326,19 @@ munmap_back:
72409 error = file->f_op->mmap(file, vma);
72410 if (error)
72411 goto unmap_and_free_vma;
72412 +
72413 +#ifdef CONFIG_PAX_SEGMEXEC
72414 + if (vma_m && (vm_flags & VM_EXECUTABLE))
72415 + added_exe_file_vma(mm);
72416 +#endif
72417 +
72418 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
72419 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
72420 + vma->vm_flags |= VM_PAGEEXEC;
72421 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
72422 + }
72423 +#endif
72424 +
72425 if (vm_flags & VM_EXECUTABLE)
72426 added_exe_file_vma(mm);
72427
72428 @@ -1218,6 +1362,11 @@ munmap_back:
72429 vma_link(mm, vma, prev, rb_link, rb_parent);
72430 file = vma->vm_file;
72431
72432 +#ifdef CONFIG_PAX_SEGMEXEC
72433 + if (vma_m)
72434 + pax_mirror_vma(vma_m, vma);
72435 +#endif
72436 +
72437 /* Once vma denies write, undo our temporary denial count */
72438 if (correct_wcount)
72439 atomic_inc(&inode->i_writecount);
72440 @@ -1226,6 +1375,7 @@ out:
72441
72442 mm->total_vm += len >> PAGE_SHIFT;
72443 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
72444 + track_exec_limit(mm, addr, addr + len, vm_flags);
72445 if (vm_flags & VM_LOCKED) {
72446 /*
72447 * makes pages present; downgrades, drops, reacquires mmap_sem
72448 @@ -1248,6 +1398,12 @@ unmap_and_free_vma:
72449 unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
72450 charged = 0;
72451 free_vma:
72452 +
72453 +#ifdef CONFIG_PAX_SEGMEXEC
72454 + if (vma_m)
72455 + kmem_cache_free(vm_area_cachep, vma_m);
72456 +#endif
72457 +
72458 kmem_cache_free(vm_area_cachep, vma);
72459 unacct_error:
72460 if (charged)
72461 @@ -1255,6 +1411,44 @@ unacct_error:
72462 return error;
72463 }
72464
72465 +bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len)
72466 +{
72467 + if (!vma) {
72468 +#ifdef CONFIG_STACK_GROWSUP
72469 + if (addr > sysctl_heap_stack_gap)
72470 + vma = find_vma(current->mm, addr - sysctl_heap_stack_gap);
72471 + else
72472 + vma = find_vma(current->mm, 0);
72473 + if (vma && (vma->vm_flags & VM_GROWSUP))
72474 + return false;
72475 +#endif
72476 + return true;
72477 + }
72478 +
72479 + if (addr + len > vma->vm_start)
72480 + return false;
72481 +
72482 + if (vma->vm_flags & VM_GROWSDOWN)
72483 + return sysctl_heap_stack_gap <= vma->vm_start - addr - len;
72484 +#ifdef CONFIG_STACK_GROWSUP
72485 + else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP))
72486 + return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;
72487 +#endif
72488 +
72489 + return true;
72490 +}
72491 +
72492 +unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len)
72493 +{
72494 + if (vma->vm_start < len)
72495 + return -ENOMEM;
72496 + if (!(vma->vm_flags & VM_GROWSDOWN))
72497 + return vma->vm_start - len;
72498 + if (sysctl_heap_stack_gap <= vma->vm_start - len)
72499 + return vma->vm_start - len - sysctl_heap_stack_gap;
72500 + return -ENOMEM;
72501 +}
72502 +
72503 /* Get an address range which is currently unmapped.
72504 * For shmat() with addr=0.
72505 *
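Review bot: In check_heap_stack_gap() the CONFIG_STACK_GROWSUP branch `return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;` looks inverted. It accepts a candidate that lies within the gap above an upward-growing stack and rejects one that is farther away, the opposite of the VM_GROWSDOWN test two lines earlier. If the intent is to keep at least `sysctl_heap_stack_gap` bytes clear on both sides, the line should read `return addr - vma->vm_prev->vm_end >= sysctl_heap_stack_gap;`. Neither new helper has a comment stating its contract, in particular that skip_heap_stack_gap() returns `-ENOMEM` as an `unsigned long` and must be tested with `IS_ERR_VALUE()`, as the top-down allocator does later in this patch.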
72506 @@ -1281,18 +1475,23 @@ arch_get_unmapped_area(struct file *filp
72507 if (flags & MAP_FIXED)
72508 return addr;
72509
72510 +#ifdef CONFIG_PAX_RANDMMAP
72511 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
72512 +#endif
72513 +
72514 if (addr) {
72515 addr = PAGE_ALIGN(addr);
72516 - vma = find_vma(mm, addr);
72517 - if (TASK_SIZE - len >= addr &&
72518 - (!vma || addr + len <= vma->vm_start))
72519 - return addr;
72520 + if (TASK_SIZE - len >= addr) {
72521 + vma = find_vma(mm, addr);
72522 + if (check_heap_stack_gap(vma, addr, len))
72523 + return addr;
72524 + }
72525 }
72526 if (len > mm->cached_hole_size) {
72527 - start_addr = addr = mm->free_area_cache;
72528 + start_addr = addr = mm->free_area_cache;
72529 } else {
72530 - start_addr = addr = TASK_UNMAPPED_BASE;
72531 - mm->cached_hole_size = 0;
72532 + start_addr = addr = mm->mmap_base;
72533 + mm->cached_hole_size = 0;
72534 }
72535
72536 full_search:
72537 @@ -1303,34 +1502,40 @@ full_search:
72538 * Start a new search - just in case we missed
72539 * some holes.
72540 */
72541 - if (start_addr != TASK_UNMAPPED_BASE) {
72542 - addr = TASK_UNMAPPED_BASE;
72543 - start_addr = addr;
72544 + if (start_addr != mm->mmap_base) {
72545 + start_addr = addr = mm->mmap_base;
72546 mm->cached_hole_size = 0;
72547 goto full_search;
72548 }
72549 return -ENOMEM;
72550 }
72551 - if (!vma || addr + len <= vma->vm_start) {
72552 - /*
72553 - * Remember the place where we stopped the search:
72554 - */
72555 - mm->free_area_cache = addr + len;
72556 - return addr;
72557 - }
72558 + if (check_heap_stack_gap(vma, addr, len))
72559 + break;
72560 if (addr + mm->cached_hole_size < vma->vm_start)
72561 mm->cached_hole_size = vma->vm_start - addr;
72562 addr = vma->vm_end;
72563 }
72564 +
72565 + /*
72566 + * Remember the place where we stopped the search:
72567 + */
72568 + mm->free_area_cache = addr + len;
72569 + return addr;
72570 }
72571 #endif
72572
72573 void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
72574 {
72575 +
72576 +#ifdef CONFIG_PAX_SEGMEXEC
72577 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
72578 + return;
72579 +#endif
72580 +
72581 /*
72582 * Is this a new hole at the lowest possible address?
72583 */
72584 - if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
72585 + if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
72586 mm->free_area_cache = addr;
72587 mm->cached_hole_size = ~0UL;
72588 }
72589 @@ -1348,7 +1553,7 @@ arch_get_unmapped_area_topdown(struct fi
72590 {
72591 struct vm_area_struct *vma;
72592 struct mm_struct *mm = current->mm;
72593 - unsigned long addr = addr0;
72594 + unsigned long base = mm->mmap_base, addr = addr0;
72595
72596 /* requested length too big for entire address space */
72597 if (len > TASK_SIZE)
72598 @@ -1357,13 +1562,18 @@ arch_get_unmapped_area_topdown(struct fi
72599 if (flags & MAP_FIXED)
72600 return addr;
72601
72602 +#ifdef CONFIG_PAX_RANDMMAP
72603 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
72604 +#endif
72605 +
72606 /* requesting a specific address */
72607 if (addr) {
72608 addr = PAGE_ALIGN(addr);
72609 - vma = find_vma(mm, addr);
72610 - if (TASK_SIZE - len >= addr &&
72611 - (!vma || addr + len <= vma->vm_start))
72612 - return addr;
72613 + if (TASK_SIZE - len >= addr) {
72614 + vma = find_vma(mm, addr);
72615 + if (check_heap_stack_gap(vma, addr, len))
72616 + return addr;
72617 + }
72618 }
72619
72620 /* check if free_area_cache is useful for us */
72621 @@ -1378,7 +1588,7 @@ arch_get_unmapped_area_topdown(struct fi
72622 /* make sure it can fit in the remaining address space */
72623 if (addr > len) {
72624 vma = find_vma(mm, addr-len);
72625 - if (!vma || addr <= vma->vm_start)
72626 + if (check_heap_stack_gap(vma, addr - len, len))
72627 /* remember the address as a hint for next time */
72628 return (mm->free_area_cache = addr-len);
72629 }
72630 @@ -1395,7 +1605,7 @@ arch_get_unmapped_area_topdown(struct fi
72631 * return with success:
72632 */
72633 vma = find_vma(mm, addr);
72634 - if (!vma || addr+len <= vma->vm_start)
72635 + if (check_heap_stack_gap(vma, addr, len))
72636 /* remember the address as a hint for next time */
72637 return (mm->free_area_cache = addr);
72638
72639 @@ -1404,8 +1614,8 @@ arch_get_unmapped_area_topdown(struct fi
72640 mm->cached_hole_size = vma->vm_start - addr;
72641
72642 /* try just below the current vma->vm_start */
72643 - addr = vma->vm_start-len;
72644 - } while (len < vma->vm_start);
72645 + addr = skip_heap_stack_gap(vma, len);
72646 + } while (!IS_ERR_VALUE(addr));
72647
72648 bottomup:
72649 /*
72650 @@ -1414,13 +1624,21 @@ bottomup:
72651 * can happen with large stack limits and large mmap()
72652 * allocations.
72653 */
72654 + mm->mmap_base = TASK_UNMAPPED_BASE;
72655 +
72656 +#ifdef CONFIG_PAX_RANDMMAP
72657 + if (mm->pax_flags & MF_PAX_RANDMMAP)
72658 + mm->mmap_base += mm->delta_mmap;
72659 +#endif
72660 +
72661 + mm->free_area_cache = mm->mmap_base;
72662 mm->cached_hole_size = ~0UL;
72663 - mm->free_area_cache = TASK_UNMAPPED_BASE;
72664 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
72665 /*
72666 * Restore the topdown base:
72667 */
72668 - mm->free_area_cache = mm->mmap_base;
72669 + mm->mmap_base = base;
72670 + mm->free_area_cache = base;
72671 mm->cached_hole_size = ~0UL;
72672
72673 return addr;
72674 @@ -1429,6 +1647,12 @@ bottomup:
72675
72676 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
72677 {
72678 +
72679 +#ifdef CONFIG_PAX_SEGMEXEC
72680 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
72681 + return;
72682 +#endif
72683 +
72684 /*
72685 * Is this a new hole at the highest possible address?
72686 */
72687 @@ -1436,8 +1660,10 @@ void arch_unmap_area_topdown(struct mm_s
72688 mm->free_area_cache = addr;
72689
72690 /* dont allow allocations above current base */
72691 - if (mm->free_area_cache > mm->mmap_base)
72692 + if (mm->free_area_cache > mm->mmap_base) {
72693 mm->free_area_cache = mm->mmap_base;
72694 + mm->cached_hole_size = ~0UL;
72695 + }
72696 }
72697
72698 unsigned long
72699 @@ -1545,6 +1771,27 @@ out:
72700 return prev ? prev->vm_next : vma;
72701 }
72702
72703 +#ifdef CONFIG_PAX_SEGMEXEC
72704 +struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
72705 +{
72706 + struct vm_area_struct *vma_m;
72707 +
72708 + BUG_ON(!vma || vma->vm_start >= vma->vm_end);
72709 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
72710 + BUG_ON(vma->vm_mirror);
72711 + return NULL;
72712 + }
72713 + BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
72714 + vma_m = vma->vm_mirror;
72715 + BUG_ON(!vma_m || vma_m->vm_mirror != vma);
72716 + BUG_ON(vma->vm_file != vma_m->vm_file);
72717 + BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
72718 + BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff || vma->anon_vma != vma_m->anon_vma);
72719 + BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED | VM_RESERVED));
72720 + return vma_m;
72721 +}
72722 +#endif
72723 +
72724 /*
72725 * Verify that the stack growth is acceptable and
72726 * update accounting. This is shared with both the
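Review bot: pax_find_mirror_vma() is called from several files in this patch but is added without any description of its contract. From the body, it returns NULL when the mm is not SEGMEXEC or the vma is not VM_EXEC, and otherwise returns `vma->vm_mirror` after asserting that the pair agree on file, length, pgoff, anon_vma and all flags outside a small allowed set. A header comment should say this and list the flags that may differ. It should also say that a NULL argument or any inconsistency ends in `BUG_ON()` rather than an error return, so callers know there is no failure value to test beyond NULL.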
72727 @@ -1561,6 +1808,7 @@ static int acct_stack_growth(struct vm_a
72728 return -ENOMEM;
72729
72730 /* Stack limit test */
72731 + gr_learn_resource(current, RLIMIT_STACK, size, 1);
72732 if (size > rlim[RLIMIT_STACK].rlim_cur)
72733 return -ENOMEM;
72734
72735 @@ -1570,6 +1818,7 @@ static int acct_stack_growth(struct vm_a
72736 unsigned long limit;
72737 locked = mm->locked_vm + grow;
72738 limit = rlim[RLIMIT_MEMLOCK].rlim_cur >> PAGE_SHIFT;
72739 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
72740 if (locked > limit && !capable(CAP_IPC_LOCK))
72741 return -ENOMEM;
72742 }
72743 @@ -1600,37 +1849,48 @@ static int acct_stack_growth(struct vm_a
72744 * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
72745 * vma is the last one with address > vma->vm_end. Have to extend vma.
72746 */
72747 +#ifndef CONFIG_IA64
72748 +static
72749 +#endif
72750 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
72751 {
72752 int error;
72753 + bool locknext;
72754
72755 if (!(vma->vm_flags & VM_GROWSUP))
72756 return -EFAULT;
72757
72758 + /* Also guard against wrapping around to address 0. */
72759 + if (address < PAGE_ALIGN(address+1))
72760 + address = PAGE_ALIGN(address+1);
72761 + else
72762 + return -ENOMEM;
72763 +
72764 /*
72765 * We must make sure the anon_vma is allocated
72766 * so that the anon_vma locking is not a noop.
72767 */
72768 if (unlikely(anon_vma_prepare(vma)))
72769 return -ENOMEM;
72770 + locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
72771 + if (locknext && anon_vma_prepare(vma->vm_next))
72772 + return -ENOMEM;
72773 anon_vma_lock(vma);
72774 + if (locknext)
72775 + anon_vma_lock(vma->vm_next);
72776
72777 /*
72778 * vma->vm_start/vm_end cannot change under us because the caller
72779 * is required to hold the mmap_sem in read mode. We need the
72780 - * anon_vma lock to serialize against concurrent expand_stacks.
72781 - * Also guard against wrapping around to address 0.
72782 + * anon_vma locks to serialize against concurrent expand_stacks
72783 + * and expand_upwards.
72784 */
72785 - if (address < PAGE_ALIGN(address+4))
72786 - address = PAGE_ALIGN(address+4);
72787 - else {
72788 - anon_vma_unlock(vma);
72789 - return -ENOMEM;
72790 - }
72791 error = 0;
72792
72793 /* Somebody else might have raced and expanded it already */
72794 - if (address > vma->vm_end) {
72795 + if (vma->vm_next && (vma->vm_next->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && vma->vm_next->vm_start - address < sysctl_heap_stack_gap)
72796 + error = -ENOMEM;
72797 + else if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
72798 unsigned long size, grow;
72799
72800 size = address - vma->vm_start;
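Review bot: The new gap test `vma->vm_next->vm_start - address < sysctl_heap_stack_gap` is an unsigned subtraction, so it only works if address never exceeds vm_next->vm_start. If address were above it, the difference would wrap to a huge value and the test would pass. With locknext false, the following `else if` would then extend vm_end past the neighbouring vma. Callers presumably guarantee the ordering, but that is not visible in this hunk, so I would either document it (`/* caller guarantees address <= vma->vm_next->vm_start */`) or reject it explicitly with `if (vma->vm_next && address > vma->vm_next->vm_start) error = -ENOMEM;`. The same pattern appears in expand_downwards as `address - prev->vm_end < sysctl_heap_stack_gap`; the body of expand_upwards continues outside this hunk.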
72801 @@ -1640,6 +1900,8 @@ int expand_upwards(struct vm_area_struct
72802 if (!error)
72803 vma->vm_end = address;
72804 }
72805 + if (locknext)
72806 + anon_vma_unlock(vma->vm_next);
72807 anon_vma_unlock(vma);
72808 return error;
72809 }
72810 @@ -1652,6 +1914,8 @@ static int expand_downwards(struct vm_ar
72811 unsigned long address)
72812 {
72813 int error;
72814 + bool lockprev = false;
72815 + struct vm_area_struct *prev;
72816
72817 /*
72818 * We must make sure the anon_vma is allocated
72819 @@ -1665,6 +1929,15 @@ static int expand_downwards(struct vm_ar
72820 if (error)
72821 return error;
72822
72823 + prev = vma->vm_prev;
72824 +#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
72825 + lockprev = prev && (prev->vm_flags & VM_GROWSUP);
72826 +#endif
72827 + if (lockprev && anon_vma_prepare(prev))
72828 + return -ENOMEM;
72829 + if (lockprev)
72830 + anon_vma_lock(prev);
72831 +
72832 anon_vma_lock(vma);
72833
72834 /*
72835 @@ -1674,9 +1947,17 @@ static int expand_downwards(struct vm_ar
72836 */
72837
72838 /* Somebody else might have raced and expanded it already */
72839 - if (address < vma->vm_start) {
72840 + if (prev && (prev->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && address - prev->vm_end < sysctl_heap_stack_gap)
72841 + error = -ENOMEM;
72842 + else if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
72843 unsigned long size, grow;
72844
72845 +#ifdef CONFIG_PAX_SEGMEXEC
72846 + struct vm_area_struct *vma_m;
72847 +
72848 + vma_m = pax_find_mirror_vma(vma);
72849 +#endif
72850 +
72851 size = vma->vm_end - address;
72852 grow = (vma->vm_start - address) >> PAGE_SHIFT;
72853
72854 @@ -1684,9 +1965,20 @@ static int expand_downwards(struct vm_ar
72855 if (!error) {
72856 vma->vm_start = address;
72857 vma->vm_pgoff -= grow;
72858 + track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
72859 +
72860 +#ifdef CONFIG_PAX_SEGMEXEC
72861 + if (vma_m) {
72862 + vma_m->vm_start -= grow << PAGE_SHIFT;
72863 + vma_m->vm_pgoff -= grow;
72864 + }
72865 +#endif
72866 +
72867 }
72868 }
72869 anon_vma_unlock(vma);
72870 + if (lockprev)
72871 + anon_vma_unlock(prev);
72872 return error;
72873 }
72874
72875 @@ -1762,6 +2054,13 @@ static void remove_vma_list(struct mm_st
72876 do {
72877 long nrpages = vma_pages(vma);
72878
72879 +#ifdef CONFIG_PAX_SEGMEXEC
72880 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
72881 + vma = remove_vma(vma);
72882 + continue;
72883 + }
72884 +#endif
72885 +
72886 mm->total_vm -= nrpages;
72887 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
72888 vma = remove_vma(vma);
72889 @@ -1807,6 +2106,16 @@ detach_vmas_to_be_unmapped(struct mm_str
72890 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
72891 vma->vm_prev = NULL;
72892 do {
72893 +
72894 +#ifdef CONFIG_PAX_SEGMEXEC
72895 + if (vma->vm_mirror) {
72896 + BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
72897 + vma->vm_mirror->vm_mirror = NULL;
72898 + vma->vm_mirror->vm_flags &= ~VM_EXEC;
72899 + vma->vm_mirror = NULL;
72900 + }
72901 +#endif
72902 +
72903 rb_erase(&vma->vm_rb, &mm->mm_rb);
72904 mm->map_count--;
72905 tail_vma = vma;
72906 @@ -1834,10 +2143,25 @@ int split_vma(struct mm_struct * mm, str
72907 struct mempolicy *pol;
72908 struct vm_area_struct *new;
72909
72910 +#ifdef CONFIG_PAX_SEGMEXEC
72911 + struct vm_area_struct *vma_m, *new_m = NULL;
72912 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
72913 +#endif
72914 +
72915 if (is_vm_hugetlb_page(vma) && (addr &
72916 ~(huge_page_mask(hstate_vma(vma)))))
72917 return -EINVAL;
72918
72919 +#ifdef CONFIG_PAX_SEGMEXEC
72920 + vma_m = pax_find_mirror_vma(vma);
72921 +
72922 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
72923 + BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
72924 + if (mm->map_count >= sysctl_max_map_count-1)
72925 + return -ENOMEM;
72926 + } else
72927 +#endif
72928 +
72929 if (mm->map_count >= sysctl_max_map_count)
72930 return -ENOMEM;
72931
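Review bot: The `} else` placed directly before `#endif` takes the untouched `if (mm->map_count >= sysctl_max_map_count)` two lines below as its body, which is easy to break. Any statement later inserted between the `#endif` and that `if` silently becomes the else-branch when CONFIG_PAX_SEGMEXEC is set. A short marker such as `/* else-branch: the map_count check below */` before the `#endif` would make the binding visible. Alternatively, compute the limit once so that a single unconditional comparison remains. The same construct is used in the mprotect syscall hunk (`} else` before `if (end > TASK_SIZE)`) and, across `#else`/`#endif`, in install_special_mapping.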
72932 @@ -1845,6 +2169,16 @@ int split_vma(struct mm_struct * mm, str
72933 if (!new)
72934 return -ENOMEM;
72935
72936 +#ifdef CONFIG_PAX_SEGMEXEC
72937 + if (vma_m) {
72938 + new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
72939 + if (!new_m) {
72940 + kmem_cache_free(vm_area_cachep, new);
72941 + return -ENOMEM;
72942 + }
72943 + }
72944 +#endif
72945 +
72946 /* most fields are the same, copy all, and then fixup */
72947 *new = *vma;
72948
72949 @@ -1855,8 +2189,29 @@ int split_vma(struct mm_struct * mm, str
72950 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
72951 }
72952
72953 +#ifdef CONFIG_PAX_SEGMEXEC
72954 + if (vma_m) {
72955 + *new_m = *vma_m;
72956 + new_m->vm_mirror = new;
72957 + new->vm_mirror = new_m;
72958 +
72959 + if (new_below)
72960 + new_m->vm_end = addr_m;
72961 + else {
72962 + new_m->vm_start = addr_m;
72963 + new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
72964 + }
72965 + }
72966 +#endif
72967 +
72968 pol = mpol_dup(vma_policy(vma));
72969 if (IS_ERR(pol)) {
72970 +
72971 +#ifdef CONFIG_PAX_SEGMEXEC
72972 + if (new_m)
72973 + kmem_cache_free(vm_area_cachep, new_m);
72974 +#endif
72975 +
72976 kmem_cache_free(vm_area_cachep, new);
72977 return PTR_ERR(pol);
72978 }
72979 @@ -1877,6 +2232,28 @@ int split_vma(struct mm_struct * mm, str
72980 else
72981 vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
72982
72983 +#ifdef CONFIG_PAX_SEGMEXEC
72984 + if (vma_m) {
72985 + mpol_get(pol);
72986 + vma_set_policy(new_m, pol);
72987 +
72988 + if (new_m->vm_file) {
72989 + get_file(new_m->vm_file);
72990 + if (vma_m->vm_flags & VM_EXECUTABLE)
72991 + added_exe_file_vma(mm);
72992 + }
72993 +
72994 + if (new_m->vm_ops && new_m->vm_ops->open)
72995 + new_m->vm_ops->open(new_m);
72996 +
72997 + if (new_below)
72998 + vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
72999 + ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
73000 + else
73001 + vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
73002 + }
73003 +#endif
73004 +
73005 return 0;
73006 }
73007
73008 @@ -1885,11 +2262,30 @@ int split_vma(struct mm_struct * mm, str
73009 * work. This now handles partial unmappings.
73010 * Jeremy Fitzhardinge <jeremy@goop.org>
73011 */
73012 +#ifdef CONFIG_PAX_SEGMEXEC
73013 +int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
73014 +{
73015 + int ret = __do_munmap(mm, start, len);
73016 + if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
73017 + return ret;
73018 +
73019 + return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
73020 +}
73021 +
73022 +int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
73023 +#else
73024 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
73025 +#endif
73026 {
73027 unsigned long end;
73028 struct vm_area_struct *vma, *prev, *last;
73029
73030 + /*
73031 + * mm->mmap_sem is required to protect against another thread
73032 + * changing the mappings in case we sleep.
73033 + */
73034 + verify_mm_writelocked(mm);
73035 +
73036 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
73037 return -EINVAL;
73038
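Review bot: The SEGMEXEC do_munmap() wrapper has no comment describing its failure semantics or its range precondition. If the second `__do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len)` fails, the lower range has already been unmapped while the caller sees an error. The wrapper also does no bounds check of its own on `start + SEGMEXEC_TASK_SIZE`; the munmap syscall hunk adds one, but whether other in-kernel callers of do_munmap do is not visible here. I would add above the wrapper: `/* SEGMEXEC: unmaps [start, start+len) and then its mirror; callers must keep the range below SEGMEXEC_TASK_SIZE. On a mirror failure the lower range is already gone. */`.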
73039 @@ -1953,6 +2349,8 @@ int do_munmap(struct mm_struct *mm, unsi
73040 /* Fix up all other VM information */
73041 remove_vma_list(mm, vma);
73042
73043 + track_exec_limit(mm, start, end, 0UL);
73044 +
73045 return 0;
73046 }
73047
73048 @@ -1965,22 +2363,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
73049
73050 profile_munmap(addr);
73051
73052 +#ifdef CONFIG_PAX_SEGMEXEC
73053 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
73054 + (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
73055 + return -EINVAL;
73056 +#endif
73057 +
73058 down_write(&mm->mmap_sem);
73059 ret = do_munmap(mm, addr, len);
73060 up_write(&mm->mmap_sem);
73061 return ret;
73062 }
73063
73064 -static inline void verify_mm_writelocked(struct mm_struct *mm)
73065 -{
73066 -#ifdef CONFIG_DEBUG_VM
73067 - if (unlikely(down_read_trylock(&mm->mmap_sem))) {
73068 - WARN_ON(1);
73069 - up_read(&mm->mmap_sem);
73070 - }
73071 -#endif
73072 -}
73073 -
73074 /*
73075 * this is really a simplified "do_mmap". it only handles
73076 * anonymous maps. eventually we may be able to do some
73077 @@ -1994,6 +2388,7 @@ unsigned long do_brk(unsigned long addr,
73078 struct rb_node ** rb_link, * rb_parent;
73079 pgoff_t pgoff = addr >> PAGE_SHIFT;
73080 int error;
73081 + unsigned long charged;
73082
73083 len = PAGE_ALIGN(len);
73084 if (!len)
73085 @@ -2005,16 +2400,30 @@ unsigned long do_brk(unsigned long addr,
73086
73087 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
73088
73089 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
73090 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
73091 + flags &= ~VM_EXEC;
73092 +
73093 +#ifdef CONFIG_PAX_MPROTECT
73094 + if (mm->pax_flags & MF_PAX_MPROTECT)
73095 + flags &= ~VM_MAYEXEC;
73096 +#endif
73097 +
73098 + }
73099 +#endif
73100 +
73101 error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
73102 if (error & ~PAGE_MASK)
73103 return error;
73104
73105 + charged = len >> PAGE_SHIFT;
73106 +
73107 /*
73108 * mlock MCL_FUTURE?
73109 */
73110 if (mm->def_flags & VM_LOCKED) {
73111 unsigned long locked, lock_limit;
73112 - locked = len >> PAGE_SHIFT;
73113 + locked = charged;
73114 locked += mm->locked_vm;
73115 lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
73116 lock_limit >>= PAGE_SHIFT;
73117 @@ -2031,22 +2440,22 @@ unsigned long do_brk(unsigned long addr,
73118 /*
73119 * Clear old maps. this also does some error checking for us
73120 */
73121 - munmap_back:
73122 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
73123 if (vma && vma->vm_start < addr + len) {
73124 if (do_munmap(mm, addr, len))
73125 return -ENOMEM;
73126 - goto munmap_back;
73127 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
73128 + BUG_ON(vma && vma->vm_start < addr + len);
73129 }
73130
73131 /* Check against address space limits *after* clearing old maps... */
73132 - if (!may_expand_vm(mm, len >> PAGE_SHIFT))
73133 + if (!may_expand_vm(mm, charged))
73134 return -ENOMEM;
73135
73136 if (mm->map_count > sysctl_max_map_count)
73137 return -ENOMEM;
73138
73139 - if (security_vm_enough_memory(len >> PAGE_SHIFT))
73140 + if (security_vm_enough_memory(charged))
73141 return -ENOMEM;
73142
73143 /* Can we just expand an old private anonymous mapping? */
73144 @@ -2060,7 +2469,7 @@ unsigned long do_brk(unsigned long addr,
73145 */
73146 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
73147 if (!vma) {
73148 - vm_unacct_memory(len >> PAGE_SHIFT);
73149 + vm_unacct_memory(charged);
73150 return -ENOMEM;
73151 }
73152
73153 @@ -2072,11 +2481,12 @@ unsigned long do_brk(unsigned long addr,
73154 vma->vm_page_prot = vm_get_page_prot(flags);
73155 vma_link(mm, vma, prev, rb_link, rb_parent);
73156 out:
73157 - mm->total_vm += len >> PAGE_SHIFT;
73158 + mm->total_vm += charged;
73159 if (flags & VM_LOCKED) {
73160 if (!mlock_vma_pages_range(vma, addr, addr + len))
73161 - mm->locked_vm += (len >> PAGE_SHIFT);
73162 + mm->locked_vm += charged;
73163 }
73164 + track_exec_limit(mm, addr, addr + len, flags);
73165 return addr;
73166 }
73167
73168 @@ -2123,8 +2533,10 @@ void exit_mmap(struct mm_struct *mm)
73169 * Walk the list again, actually closing and freeing it,
73170 * with preemption enabled, without holding any MM locks.
73171 */
73172 - while (vma)
73173 + while (vma) {
73174 + vma->vm_mirror = NULL;
73175 vma = remove_vma(vma);
73176 + }
73177
73178 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
73179 }
73180 @@ -2138,6 +2550,10 @@ int insert_vm_struct(struct mm_struct *
73181 struct vm_area_struct * __vma, * prev;
73182 struct rb_node ** rb_link, * rb_parent;
73183
73184 +#ifdef CONFIG_PAX_SEGMEXEC
73185 + struct vm_area_struct *vma_m = NULL;
73186 +#endif
73187 +
73188 /*
73189 * The vm_pgoff of a purely anonymous vma should be irrelevant
73190 * until its first write fault, when page's anon_vma and index
73191 @@ -2160,7 +2576,22 @@ int insert_vm_struct(struct mm_struct *
73192 if ((vma->vm_flags & VM_ACCOUNT) &&
73193 security_vm_enough_memory_mm(mm, vma_pages(vma)))
73194 return -ENOMEM;
73195 +
73196 +#ifdef CONFIG_PAX_SEGMEXEC
73197 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
73198 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
73199 + if (!vma_m)
73200 + return -ENOMEM;
73201 + }
73202 +#endif
73203 +
73204 vma_link(mm, vma, prev, rb_link, rb_parent);
73205 +
73206 +#ifdef CONFIG_PAX_SEGMEXEC
73207 + if (vma_m)
73208 + pax_mirror_vma(vma_m, vma);
73209 +#endif
73210 +
73211 return 0;
73212 }
73213
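Review bot: The new `return -ENOMEM` after a failed mirror allocation comes after security_vm_enough_memory_mm() has already charged vma_pages(vma) for VM_ACCOUNT mappings, and nothing in this hunk gives that charge back. Before the patch the charge was the last point of failure, so existing callers are unlikely to undo it themselves (not visible here). I would release it on this path with `if (vma->vm_flags & VM_ACCOUNT) vm_unacct_memory(vma_pages(vma));` before the return, mirroring what do_brk does with `vm_unacct_memory(charged)`. Alternatively, allocate vma_m before the accounting check. The start of insert_vm_struct is outside this hunk.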
73214 @@ -2178,6 +2609,8 @@ struct vm_area_struct *copy_vma(struct v
73215 struct rb_node **rb_link, *rb_parent;
73216 struct mempolicy *pol;
73217
73218 + BUG_ON(vma->vm_mirror);
73219 +
73220 /*
73221 * If anonymous vma has not yet been faulted, update new pgoff
73222 * to match new location, to increase its chance of merging.
73223 @@ -2221,6 +2654,35 @@ struct vm_area_struct *copy_vma(struct v
73224 return new_vma;
73225 }
73226
73227 +#ifdef CONFIG_PAX_SEGMEXEC
73228 +void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
73229 +{
73230 + struct vm_area_struct *prev_m;
73231 + struct rb_node **rb_link_m, *rb_parent_m;
73232 + struct mempolicy *pol_m;
73233 +
73234 + BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
73235 + BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
73236 + BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
73237 + *vma_m = *vma;
73238 + pol_m = vma_policy(vma_m);
73239 + mpol_get(pol_m);
73240 + vma_set_policy(vma_m, pol_m);
73241 + vma_m->vm_start += SEGMEXEC_TASK_SIZE;
73242 + vma_m->vm_end += SEGMEXEC_TASK_SIZE;
73243 + vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
73244 + vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
73245 + if (vma_m->vm_file)
73246 + get_file(vma_m->vm_file);
73247 + if (vma_m->vm_ops && vma_m->vm_ops->open)
73248 + vma_m->vm_ops->open(vma_m);
73249 + find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
73250 + vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
73251 + vma_m->vm_mirror = vma;
73252 + vma->vm_mirror = vma_m;
73253 +}
73254 +#endif
73255 +
73256 /*
73257 * Return true if the calling process may expand its vm space by the passed
73258 * number of pages
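Review bot: pax_mirror_vma() is added without a comment stating what the caller must provide. vma_m is caller-allocated and is overwritten by `*vma_m = *vma`, then shifted up by SEGMEXEC_TASK_SIZE and stripped of VM_WRITE, VM_MAYWRITE, VM_ACCOUNT and VM_LOCKED before being linked. The `BUG_ON(!mpol_equal(...))` runs before that copy, so it compares against whatever policy the caller left in vma_m; both callers visible in this patch pass a kmem_cache_zalloc'ed object. I would add above the function: `/* Link caller-allocated (zeroed) vma_m as the non-writable SEGMEXEC mirror of the VM_EXEC vma; neither side may already have a mirror. */`. I would also add a line on which lock the caller is expected to hold, which is not visible from this hunk.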
73259 @@ -2231,7 +2693,7 @@ int may_expand_vm(struct mm_struct *mm,
73260 unsigned long lim;
73261
73262 lim = current->signal->rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT;
73263 -
73264 + gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
73265 if (cur + npages > lim)
73266 return 0;
73267 return 1;
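Review bot: `(cur + npages) << PAGE_SHIFT` is evaluated before the `cur + npages > lim` check, so on a 32-bit build a request that would exceed the address space can wrap the shift. The value handed to gr_learn_resource() would then be small rather than the oversized one that was actually requested. Whether that matters depends on the type and use of its third parameter, which is not visible here. If the learned value feeds a policy limit, I would pass an unwrapped value, e.g. by widening first: `(unsigned long long)(cur + npages) << PAGE_SHIFT`, assuming the parameter is wide enough. The start of may_expand_vm is outside this hunk.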
73268 @@ -2301,6 +2763,22 @@ int install_special_mapping(struct mm_st
73269 vma->vm_start = addr;
73270 vma->vm_end = addr + len;
73271
73272 +#ifdef CONFIG_PAX_MPROTECT
73273 + if (mm->pax_flags & MF_PAX_MPROTECT) {
73274 +#ifndef CONFIG_PAX_MPROTECT_COMPAT
73275 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
73276 + return -EPERM;
73277 + if (!(vm_flags & VM_EXEC))
73278 + vm_flags &= ~VM_MAYEXEC;
73279 +#else
73280 + if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
73281 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
73282 +#endif
73283 + else
73284 + vm_flags &= ~VM_MAYWRITE;
73285 + }
73286 +#endif
73287 +
73288 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
73289 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
73290
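Review bot: The added `return -EPERM` for a write+exec request exits after `vma` has already been populated (`vma->vm_start = addr` on the context lines just above), and it does not free the vma. The allocation itself is outside this hunk, but if it is the usual vm_area_cachep object, this path leaks it on every rejected mapping. I would free it first: `kmem_cache_free(vm_area_cachep, vma);` followed by `return -EPERM;`. Alternatively, move the whole MPROTECT check ahead of the allocation.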
73291 diff -urNp linux-2.6.32.46/mm/mprotect.c linux-2.6.32.46/mm/mprotect.c
73292 --- linux-2.6.32.46/mm/mprotect.c 2011-03-27 14:31:47.000000000 -0400
73293 +++ linux-2.6.32.46/mm/mprotect.c 2011-04-17 15:56:46.000000000 -0400
73294 @@ -24,10 +24,16 @@
73295 #include <linux/mmu_notifier.h>
73296 #include <linux/migrate.h>
73297 #include <linux/perf_event.h>
73298 +
73299 +#ifdef CONFIG_PAX_MPROTECT
73300 +#include <linux/elf.h>
73301 +#endif
73302 +
73303 #include <asm/uaccess.h>
73304 #include <asm/pgtable.h>
73305 #include <asm/cacheflush.h>
73306 #include <asm/tlbflush.h>
73307 +#include <asm/mmu_context.h>
73308
73309 #ifndef pgprot_modify
73310 static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
73311 @@ -132,6 +138,48 @@ static void change_protection(struct vm_
73312 flush_tlb_range(vma, start, end);
73313 }
73314
73315 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
73316 +/* called while holding the mmap semaphor for writing except stack expansion */
73317 +void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
73318 +{
73319 + unsigned long oldlimit, newlimit = 0UL;
73320 +
73321 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || nx_enabled)
73322 + return;
73323 +
73324 + spin_lock(&mm->page_table_lock);
73325 + oldlimit = mm->context.user_cs_limit;
73326 + if ((prot & VM_EXEC) && oldlimit < end)
73327 + /* USER_CS limit moved up */
73328 + newlimit = end;
73329 + else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
73330 + /* USER_CS limit moved down */
73331 + newlimit = start;
73332 +
73333 + if (newlimit) {
73334 + mm->context.user_cs_limit = newlimit;
73335 +
73336 +#ifdef CONFIG_SMP
73337 + wmb();
73338 + cpus_clear(mm->context.cpu_user_cs_mask);
73339 + cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
73340 +#endif
73341 +
73342 + set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
73343 + }
73344 + spin_unlock(&mm->page_table_lock);
73345 + if (newlimit == end) {
73346 + struct vm_area_struct *vma = find_vma(mm, oldlimit);
73347 +
73348 + for (; vma && vma->vm_start < end; vma = vma->vm_next)
73349 + if (is_vm_hugetlb_page(vma))
73350 + hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
73351 + else
73352 + change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
73353 + }
73354 +}
73355 +#endif
73356 +
73357 int
73358 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
73359 unsigned long start, unsigned long end, unsigned long newflags)
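Review bot: track_exec_limit() names its last parameter `prot`, but the body tests it against VM_EXEC and the callers in this patch pass VM_* flag words (`vma->vm_flags`, `flags`, `map_flags`, or `0UL`). A reader could easily pass PROT_* bits by mistake. I would rename it to `vm_flags` or extend the comment: `/* @prot: VM_* flags of the range, 0 when the range is being unmapped; only VM_EXEC is examined */`. The same comment should record that `newlimit == 0` doubles as the "no change" sentinel. The unbraced `if`/`else` inside the `for` would also read more safely with braces.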
73360 @@ -144,11 +192,29 @@ mprotect_fixup(struct vm_area_struct *vm
73361 int error;
73362 int dirty_accountable = 0;
73363
73364 +#ifdef CONFIG_PAX_SEGMEXEC
73365 + struct vm_area_struct *vma_m = NULL;
73366 + unsigned long start_m, end_m;
73367 +
73368 + start_m = start + SEGMEXEC_TASK_SIZE;
73369 + end_m = end + SEGMEXEC_TASK_SIZE;
73370 +#endif
73371 +
73372 if (newflags == oldflags) {
73373 *pprev = vma;
73374 return 0;
73375 }
73376
73377 + if (newflags & (VM_READ | VM_WRITE | VM_EXEC)) {
73378 + struct vm_area_struct *prev = vma->vm_prev, *next = vma->vm_next;
73379 +
73380 + if (next && (next->vm_flags & VM_GROWSDOWN) && sysctl_heap_stack_gap > next->vm_start - end)
73381 + return -ENOMEM;
73382 +
73383 + if (prev && (prev->vm_flags & VM_GROWSUP) && sysctl_heap_stack_gap > start - prev->vm_end)
73384 + return -ENOMEM;
73385 + }
73386 +
73387 /*
73388 * If we make a private mapping writable we increase our commit;
73389 * but (without finer accounting) cannot reduce our commit if we
73390 @@ -165,6 +231,38 @@ mprotect_fixup(struct vm_area_struct *vm
73391 }
73392 }
73393
73394 +#ifdef CONFIG_PAX_SEGMEXEC
73395 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
73396 + if (start != vma->vm_start) {
73397 + error = split_vma(mm, vma, start, 1);
73398 + if (error)
73399 + goto fail;
73400 + BUG_ON(!*pprev || (*pprev)->vm_next == vma);
73401 + *pprev = (*pprev)->vm_next;
73402 + }
73403 +
73404 + if (end != vma->vm_end) {
73405 + error = split_vma(mm, vma, end, 0);
73406 + if (error)
73407 + goto fail;
73408 + }
73409 +
73410 + if (pax_find_mirror_vma(vma)) {
73411 + error = __do_munmap(mm, start_m, end_m - start_m);
73412 + if (error)
73413 + goto fail;
73414 + } else {
73415 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
73416 + if (!vma_m) {
73417 + error = -ENOMEM;
73418 + goto fail;
73419 + }
73420 + vma->vm_flags = newflags;
73421 + pax_mirror_vma(vma_m, vma);
73422 + }
73423 + }
73424 +#endif
73425 +
73426 /*
73427 * First try to merge with previous and/or next vma.
73428 */
73429 @@ -195,9 +293,21 @@ success:
73430 * vm_flags and vm_page_prot are protected by the mmap_sem
73431 * held in write mode.
73432 */
73433 +
73434 +#ifdef CONFIG_PAX_SEGMEXEC
73435 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (newflags & VM_EXEC) && ((vma->vm_flags ^ newflags) & VM_READ))
73436 + pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;
73437 +#endif
73438 +
73439 vma->vm_flags = newflags;
73440 +
73441 +#ifdef CONFIG_PAX_MPROTECT
73442 + if (mm->binfmt && mm->binfmt->handle_mprotect)
73443 + mm->binfmt->handle_mprotect(vma, newflags);
73444 +#endif
73445 +
73446 vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
73447 - vm_get_page_prot(newflags));
73448 + vm_get_page_prot(vma->vm_flags));
73449
73450 if (vma_wants_writenotify(vma)) {
73451 vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
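Review bot: The hunk switches the first page-protection computation to `vm_get_page_prot(vma->vm_flags)`, presumably so that changes made by `handle_mprotect` are honoured. The vma_wants_writenotify branch on the last context line still recomputes it from `newflags`, though. If the hook can alter a bit that feeds vm_get_page_prot, the write-notify path would discard that change. For consistency I would make that line `vma->vm_page_prot = vm_get_page_prot(vma->vm_flags & ~VM_SHARED);`. What handle_mprotect actually modifies is not visible in this hunk, and the enclosing block continues past it.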
73452 @@ -239,6 +349,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
73453 end = start + len;
73454 if (end <= start)
73455 return -ENOMEM;
73456 +
73457 +#ifdef CONFIG_PAX_SEGMEXEC
73458 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
73459 + if (end > SEGMEXEC_TASK_SIZE)
73460 + return -EINVAL;
73461 + } else
73462 +#endif
73463 +
73464 + if (end > TASK_SIZE)
73465 + return -EINVAL;
73466 +
73467 if (!arch_validate_prot(prot))
73468 return -EINVAL;
73469
73470 @@ -246,7 +367,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
73471 /*
73472 * Does the application expect PROT_READ to imply PROT_EXEC:
73473 */
73474 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
73475 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
73476 prot |= PROT_EXEC;
73477
73478 vm_flags = calc_vm_prot_bits(prot);
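Review bot: The comment above the changed condition still says PROT_READ implies PROT_EXEC, but the test now also fires for PROT_WRITE alone. Under READ_IMPLIES_EXEC a write-only request is therefore made executable as well. That widens what becomes executable, so the comment should state it and give the reason, e.g. `/* READ_IMPLIES_EXEC personality: PROT_READ or PROT_WRITE implies PROT_EXEC */` plus one sentence on why write is included. The rationale is not given anywhere in this hunk.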
73479 @@ -278,6 +399,11 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
73480 if (start > vma->vm_start)
73481 prev = vma;
73482
73483 +#ifdef CONFIG_PAX_MPROTECT
73484 + if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
73485 + current->mm->binfmt->handle_mprotect(vma, vm_flags);
73486 +#endif
73487 +
73488 for (nstart = start ; ; ) {
73489 unsigned long newflags;
73490
73491 @@ -287,6 +413,14 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
73492
73493 /* newflags >> 4 shift VM_MAY% in place of VM_% */
73494 if ((newflags & ~(newflags >> 4)) & (VM_READ | VM_WRITE | VM_EXEC)) {
73495 + if (prot & (PROT_WRITE | PROT_EXEC))
73496 + gr_log_rwxmprotect(vma->vm_file);
73497 +
73498 + error = -EACCES;
73499 + goto out;
73500 + }
73501 +
73502 + if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
73503 error = -EACCES;
73504 goto out;
73505 }
73506 @@ -301,6 +435,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
73507 error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
73508 if (error)
73509 goto out;
73510 +
73511 + track_exec_limit(current->mm, nstart, tmp, vm_flags);
73512 +
73513 nstart = tmp;
73514
73515 if (nstart < prev->vm_end)
73516 diff -urNp linux-2.6.32.46/mm/mremap.c linux-2.6.32.46/mm/mremap.c
73517 --- linux-2.6.32.46/mm/mremap.c 2011-04-17 17:00:52.000000000 -0400
73518 +++ linux-2.6.32.46/mm/mremap.c 2011-04-17 17:03:58.000000000 -0400
73519 @@ -112,6 +112,12 @@ static void move_ptes(struct vm_area_str
73520 continue;
73521 pte = ptep_clear_flush(vma, old_addr, old_pte);
73522 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
73523 +
73524 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
73525 + if (!nx_enabled && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
73526 + pte = pte_exprotect(pte);
73527 +#endif
73528 +
73529 set_pte_at(mm, new_addr, new_pte, pte);
73530 }
73531
73532 @@ -271,6 +277,11 @@ static struct vm_area_struct *vma_to_res
73533 if (is_vm_hugetlb_page(vma))
73534 goto Einval;
73535
73536 +#ifdef CONFIG_PAX_SEGMEXEC
73537 + if (pax_find_mirror_vma(vma))
73538 + goto Einval;
73539 +#endif
73540 +
73541 /* We can't remap across vm area boundaries */
73542 if (old_len > vma->vm_end - addr)
73543 goto Efault;
73544 @@ -327,20 +338,25 @@ static unsigned long mremap_to(unsigned
73545 unsigned long ret = -EINVAL;
73546 unsigned long charged = 0;
73547 unsigned long map_flags;
73548 + unsigned long pax_task_size = TASK_SIZE;
73549
73550 if (new_addr & ~PAGE_MASK)
73551 goto out;
73552
73553 - if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
73554 +#ifdef CONFIG_PAX_SEGMEXEC
73555 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
73556 + pax_task_size = SEGMEXEC_TASK_SIZE;
73557 +#endif
73558 +
73559 + pax_task_size -= PAGE_SIZE;
73560 +
73561 + if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
73562 goto out;
73563
73564 /* Check if the location we're moving into overlaps the
73565 * old location at all, and fail if it does.
73566 */
73567 - if ((new_addr <= addr) && (new_addr+new_len) > addr)
73568 - goto out;
73569 -
73570 - if ((addr <= new_addr) && (addr+old_len) > new_addr)
73571 + if (addr + old_len > new_addr && new_addr + new_len > addr)
73572 goto out;
73573
73574 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
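Review bot: The rewritten bound check mixes two limits: `new_len > TASK_SIZE || new_addr > pax_task_size - new_len`. For a new_len between pax_task_size and TASK_SIZE, the unsigned `pax_task_size - new_len` wraps and the second test no longer rejects anything. The do_mremap hunk below adds `new_len > pax_task_size` before calling mremap_to, so this is probably unreachable today, but the check should hold on its own: `if (new_len > pax_task_size || new_addr > pax_task_size - new_len)`. The body of mremap_to continues outside this hunk.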
73575 @@ -412,6 +428,7 @@ unsigned long do_mremap(unsigned long ad
73576 struct vm_area_struct *vma;
73577 unsigned long ret = -EINVAL;
73578 unsigned long charged = 0;
73579 + unsigned long pax_task_size = TASK_SIZE;
73580
73581 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
73582 goto out;
73583 @@ -430,6 +447,17 @@ unsigned long do_mremap(unsigned long ad
73584 if (!new_len)
73585 goto out;
73586
73587 +#ifdef CONFIG_PAX_SEGMEXEC
73588 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
73589 + pax_task_size = SEGMEXEC_TASK_SIZE;
73590 +#endif
73591 +
73592 + pax_task_size -= PAGE_SIZE;
73593 +
73594 + if (new_len > pax_task_size || addr > pax_task_size-new_len ||
73595 + old_len > pax_task_size || addr > pax_task_size-old_len)
73596 + goto out;
73597 +
73598 if (flags & MREMAP_FIXED) {
73599 if (flags & MREMAP_MAYMOVE)
73600 ret = mremap_to(addr, old_len, new_addr, new_len);
73601 @@ -476,6 +504,7 @@ unsigned long do_mremap(unsigned long ad
73602 addr + new_len);
73603 }
73604 ret = addr;
73605 + track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
73606 goto out;
73607 }
73608 }
73609 @@ -502,7 +531,13 @@ unsigned long do_mremap(unsigned long ad
73610 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
73611 if (ret)
73612 goto out;
73613 +
73614 + map_flags = vma->vm_flags;
73615 ret = move_vma(vma, addr, old_len, new_len, new_addr);
73616 + if (!(ret & ~PAGE_MASK)) {
73617 + track_exec_limit(current->mm, addr, addr + old_len, 0UL);
73618 + track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
73619 + }
73620 }
73621 out:
73622 if (ret & ~PAGE_MASK)
73623 diff -urNp linux-2.6.32.46/mm/nommu.c linux-2.6.32.46/mm/nommu.c
73624 --- linux-2.6.32.46/mm/nommu.c 2011-03-27 14:31:47.000000000 -0400
73625 +++ linux-2.6.32.46/mm/nommu.c 2011-04-17 15:56:46.000000000 -0400
73626 @@ -67,7 +67,6 @@ int sysctl_overcommit_memory = OVERCOMMI
73627 int sysctl_overcommit_ratio = 50; /* default is 50% */
73628 int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
73629 int sysctl_nr_trim_pages = CONFIG_NOMMU_INITIAL_TRIM_EXCESS;
73630 -int heap_stack_gap = 0;
73631
73632 atomic_long_t mmap_pages_allocated;
73633
73634 @@ -761,15 +760,6 @@ struct vm_area_struct *find_vma(struct m
73635 EXPORT_SYMBOL(find_vma);
73636
73637 /*
73638 - * find a VMA
73639 - * - we don't extend stack VMAs under NOMMU conditions
73640 - */
73641 -struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
73642 -{
73643 - return find_vma(mm, addr);
73644 -}
73645 -
73646 -/*
73647 * expand a stack to a given address
73648 * - not supported under NOMMU conditions
73649 */
73650 diff -urNp linux-2.6.32.46/mm/page_alloc.c linux-2.6.32.46/mm/page_alloc.c
73651 --- linux-2.6.32.46/mm/page_alloc.c 2011-06-25 12:55:35.000000000 -0400
73652 +++ linux-2.6.32.46/mm/page_alloc.c 2011-07-09 09:13:08.000000000 -0400
73653 @@ -289,7 +289,7 @@ out:
73654 * This usage means that zero-order pages may not be compound.
73655 */
73656
73657 -static void free_compound_page(struct page *page)
73658 +void free_compound_page(struct page *page)
73659 {
73660 __free_pages_ok(page, compound_order(page));
73661 }
73662 @@ -587,6 +587,10 @@ static void __free_pages_ok(struct page
73663 int bad = 0;
73664 int wasMlocked = __TestClearPageMlocked(page);
73665
73666 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
73667 + unsigned long index = 1UL << order;
73668 +#endif
73669 +
73670 kmemcheck_free_shadow(page, order);
73671
73672 for (i = 0 ; i < (1 << order) ; ++i)
73673 @@ -599,6 +603,12 @@ static void __free_pages_ok(struct page
73674 debug_check_no_obj_freed(page_address(page),
73675 PAGE_SIZE << order);
73676 }
73677 +
73678 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
73679 + for (; index; --index)
73680 + sanitize_highpage(page + index - 1);
73681 +#endif
73682 +
73683 arch_free_page(page, order);
73684 kernel_map_pages(page, 1 << order, 0);
73685
73686 @@ -702,8 +712,10 @@ static int prep_new_page(struct page *pa
73687 arch_alloc_page(page, order);
73688 kernel_map_pages(page, 1 << order, 1);
73689
73690 +#ifndef CONFIG_PAX_MEMORY_SANITIZE
73691 if (gfp_flags & __GFP_ZERO)
73692 prep_zero_page(page, order, gfp_flags);
73693 +#endif
73694
73695 if (order && (gfp_flags & __GFP_COMP))
73696 prep_compound_page(page, order);
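Review bot: With CONFIG_PAX_MEMORY_SANITIZE the `__GFP_ZERO` clearing is compiled out here, so zeroed allocations now depend on every page having been cleared on its way into the allocator. The hunks in this file add sanitize_highpage() to __free_pages_ok and free_hot_cold_page; any other route onto the free lists would hand stale contents to a __GFP_ZERO caller. That invariant should be written down at this site: `/* PAX_MEMORY_SANITIZE: pages are cleared when freed (__free_pages_ok, free_hot_cold_page), so __GFP_ZERO needs no work here */`. The body of prep_new_page extends outside this hunk.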
73697 @@ -1097,6 +1109,11 @@ static void free_hot_cold_page(struct pa
73698 debug_check_no_locks_freed(page_address(page), PAGE_SIZE);
73699 debug_check_no_obj_freed(page_address(page), PAGE_SIZE);
73700 }
73701 +
73702 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
73703 + sanitize_highpage(page);
73704 +#endif
73705 +
73706 arch_free_page(page, 0);
73707 kernel_map_pages(page, 1, 0);
73708
73709 @@ -2179,6 +2196,8 @@ void show_free_areas(void)
73710 int cpu;
73711 struct zone *zone;
73712
73713 + pax_track_stack();
73714 +
73715 for_each_populated_zone(zone) {
73716 show_node(zone);
73717 printk("%s per-cpu:\n", zone->name);
73718 @@ -3736,7 +3755,7 @@ static void __init setup_usemap(struct p
73719 zone->pageblock_flags = alloc_bootmem_node(pgdat, usemapsize);
73720 }
73721 #else
73722 -static void inline setup_usemap(struct pglist_data *pgdat,
73723 +static inline void setup_usemap(struct pglist_data *pgdat,
73724 struct zone *zone, unsigned long zonesize) {}
73725 #endif /* CONFIG_SPARSEMEM */
73726
73727 diff -urNp linux-2.6.32.46/mm/percpu.c linux-2.6.32.46/mm/percpu.c
73728 --- linux-2.6.32.46/mm/percpu.c 2011-03-27 14:31:47.000000000 -0400
73729 +++ linux-2.6.32.46/mm/percpu.c 2011-04-17 15:56:46.000000000 -0400
73730 @@ -115,7 +115,7 @@ static unsigned int pcpu_first_unit_cpu
73731 static unsigned int pcpu_last_unit_cpu __read_mostly;
73732
73733 /* the address of the first chunk which starts with the kernel static area */
73734 -void *pcpu_base_addr __read_mostly;
73735 +void *pcpu_base_addr __read_only;
73736 EXPORT_SYMBOL_GPL(pcpu_base_addr);
73737
73738 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
73739 diff -urNp linux-2.6.32.46/mm/rmap.c linux-2.6.32.46/mm/rmap.c
73740 --- linux-2.6.32.46/mm/rmap.c 2011-03-27 14:31:47.000000000 -0400
73741 +++ linux-2.6.32.46/mm/rmap.c 2011-04-17 15:56:46.000000000 -0400
73742 @@ -121,6 +121,17 @@ int anon_vma_prepare(struct vm_area_stru
73743 /* page_table_lock to protect against threads */
73744 spin_lock(&mm->page_table_lock);
73745 if (likely(!vma->anon_vma)) {
73746 +
73747 +#ifdef CONFIG_PAX_SEGMEXEC
73748 + struct vm_area_struct *vma_m = pax_find_mirror_vma(vma);
73749 +
73750 + if (vma_m) {
73751 + BUG_ON(vma_m->anon_vma);
73752 + vma_m->anon_vma = anon_vma;
73753 + list_add_tail(&vma_m->anon_vma_node, &anon_vma->head);
73754 + }
73755 +#endif
73756 +
73757 vma->anon_vma = anon_vma;
73758 list_add_tail(&vma->anon_vma_node, &anon_vma->head);
73759 allocated = NULL;
73760 diff -urNp linux-2.6.32.46/mm/shmem.c linux-2.6.32.46/mm/shmem.c
73761 --- linux-2.6.32.46/mm/shmem.c 2011-03-27 14:31:47.000000000 -0400
73762 +++ linux-2.6.32.46/mm/shmem.c 2011-05-18 20:09:37.000000000 -0400
73763 @@ -31,7 +31,7 @@
73764 #include <linux/swap.h>
73765 #include <linux/ima.h>
73766
73767 -static struct vfsmount *shm_mnt;
73768 +struct vfsmount *shm_mnt;
73769
73770 #ifdef CONFIG_SHMEM
73771 /*
73772 @@ -1061,6 +1061,8 @@ static int shmem_writepage(struct page *
73773 goto unlock;
73774 }
73775 entry = shmem_swp_entry(info, index, NULL);
73776 + if (!entry)
73777 + goto unlock;
73778 if (entry->val) {
73779 /*
73780 * The more uptodate page coming down from a stacked
73781 @@ -1144,6 +1146,8 @@ static struct page *shmem_swapin(swp_ent
73782 struct vm_area_struct pvma;
73783 struct page *page;
73784
73785 + pax_track_stack();
73786 +
73787 spol = mpol_cond_copy(&mpol,
73788 mpol_shared_policy_lookup(&info->policy, idx));
73789
73790 @@ -1962,7 +1966,7 @@ static int shmem_symlink(struct inode *d
73791
73792 info = SHMEM_I(inode);
73793 inode->i_size = len-1;
73794 - if (len <= (char *)inode - (char *)info) {
73795 + if (len <= (char *)inode - (char *)info && len <= 64) {
73796 /* do it inline */
73797 memcpy(info, symname, len);
73798 inode->i_op = &shmem_symlink_inline_operations;
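Review bot: The added `len <= 64` bound in `shmem_symlink()` is a bare constant with no visible link to the buffer it protects. The `memcpy(info, symname, len)` that follows writes over the start of the shmem inode info, and the pre-existing test only bounds `len` by the distance from `info` to `inode`; presumably 64 matches the size of the leading fields that may safely be overlaid, but the hunk does not say so. A named constant or a `sizeof`/`offsetof` expression with a one-line comment, e.g. `/* inline symlinks may only overlay the leading fields of shmem_inode_info */`, would keep the limit tied to the structure layout. The function body continues outside the hunk.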
73799 @@ -2310,8 +2314,7 @@ int shmem_fill_super(struct super_block
73800 int err = -ENOMEM;
73801
73802 /* Round up to L1_CACHE_BYTES to resist false sharing */
73803 - sbinfo = kzalloc(max((int)sizeof(struct shmem_sb_info),
73804 - L1_CACHE_BYTES), GFP_KERNEL);
73805 + sbinfo = kzalloc(max(sizeof(struct shmem_sb_info), L1_CACHE_BYTES), GFP_KERNEL);
73806 if (!sbinfo)
73807 return -ENOMEM;
73808
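Review bot: Dropping the `(int)` cast leaves `max()` comparing a `size_t` with `L1_CACHE_BYTES`, whose type is not visible in this hunk; the kernel's `max()` warns when its operands have different types. `sbinfo = kzalloc(max_t(size_t, sizeof(struct shmem_sb_info), L1_CACHE_BYTES), GFP_KERNEL);` states the intended type and does not depend on how each architecture defines the constant. If another part of the patch changes `L1_CACHE_BYTES` to an unsigned long, that still differs from `size_t` on 32-bit targets.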
73809 diff -urNp linux-2.6.32.46/mm/slab.c linux-2.6.32.46/mm/slab.c
73810 --- linux-2.6.32.46/mm/slab.c 2011-03-27 14:31:47.000000000 -0400
73811 +++ linux-2.6.32.46/mm/slab.c 2011-05-04 17:56:20.000000000 -0400
73812 @@ -174,7 +174,7 @@
73813
73814 /* Legal flag mask for kmem_cache_create(). */
73815 #if DEBUG
73816 -# define CREATE_MASK (SLAB_RED_ZONE | \
73817 +# define CREATE_MASK (SLAB_USERCOPY | SLAB_RED_ZONE | \
73818 SLAB_POISON | SLAB_HWCACHE_ALIGN | \
73819 SLAB_CACHE_DMA | \
73820 SLAB_STORE_USER | \
73821 @@ -182,7 +182,7 @@
73822 SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
73823 SLAB_DEBUG_OBJECTS | SLAB_NOLEAKTRACE | SLAB_NOTRACK)
73824 #else
73825 -# define CREATE_MASK (SLAB_HWCACHE_ALIGN | \
73826 +# define CREATE_MASK (SLAB_USERCOPY | SLAB_HWCACHE_ALIGN | \
73827 SLAB_CACHE_DMA | \
73828 SLAB_RECLAIM_ACCOUNT | SLAB_PANIC | \
73829 SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
73830 @@ -308,7 +308,7 @@ struct kmem_list3 {
73831 * Need this for bootstrapping a per node allocator.
73832 */
73833 #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
73834 -struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
73835 +struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
73836 #define CACHE_CACHE 0
73837 #define SIZE_AC MAX_NUMNODES
73838 #define SIZE_L3 (2 * MAX_NUMNODES)
73839 @@ -409,10 +409,10 @@ static void kmem_list3_init(struct kmem_
73840 if ((x)->max_freeable < i) \
73841 (x)->max_freeable = i; \
73842 } while (0)
73843 -#define STATS_INC_ALLOCHIT(x) atomic_inc(&(x)->allochit)
73844 -#define STATS_INC_ALLOCMISS(x) atomic_inc(&(x)->allocmiss)
73845 -#define STATS_INC_FREEHIT(x) atomic_inc(&(x)->freehit)
73846 -#define STATS_INC_FREEMISS(x) atomic_inc(&(x)->freemiss)
73847 +#define STATS_INC_ALLOCHIT(x) atomic_inc_unchecked(&(x)->allochit)
73848 +#define STATS_INC_ALLOCMISS(x) atomic_inc_unchecked(&(x)->allocmiss)
73849 +#define STATS_INC_FREEHIT(x) atomic_inc_unchecked(&(x)->freehit)
73850 +#define STATS_INC_FREEMISS(x) atomic_inc_unchecked(&(x)->freemiss)
73851 #else
73852 #define STATS_INC_ACTIVE(x) do { } while (0)
73853 #define STATS_DEC_ACTIVE(x) do { } while (0)
73854 @@ -558,7 +558,7 @@ static inline void *index_to_obj(struct
73855 * reciprocal_divide(offset, cache->reciprocal_buffer_size)
73856 */
73857 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
73858 - const struct slab *slab, void *obj)
73859 + const struct slab *slab, const void *obj)
73860 {
73861 u32 offset = (obj - slab->s_mem);
73862 return reciprocal_divide(offset, cache->reciprocal_buffer_size);
73863 @@ -1453,7 +1453,7 @@ void __init kmem_cache_init(void)
73864 sizes[INDEX_AC].cs_cachep = kmem_cache_create(names[INDEX_AC].name,
73865 sizes[INDEX_AC].cs_size,
73866 ARCH_KMALLOC_MINALIGN,
73867 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
73868 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
73869 NULL);
73870
73871 if (INDEX_AC != INDEX_L3) {
73872 @@ -1461,7 +1461,7 @@ void __init kmem_cache_init(void)
73873 kmem_cache_create(names[INDEX_L3].name,
73874 sizes[INDEX_L3].cs_size,
73875 ARCH_KMALLOC_MINALIGN,
73876 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
73877 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
73878 NULL);
73879 }
73880
73881 @@ -1479,7 +1479,7 @@ void __init kmem_cache_init(void)
73882 sizes->cs_cachep = kmem_cache_create(names->name,
73883 sizes->cs_size,
73884 ARCH_KMALLOC_MINALIGN,
73885 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
73886 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
73887 NULL);
73888 }
73889 #ifdef CONFIG_ZONE_DMA
73890 @@ -4211,10 +4211,10 @@ static int s_show(struct seq_file *m, vo
73891 }
73892 /* cpu stats */
73893 {
73894 - unsigned long allochit = atomic_read(&cachep->allochit);
73895 - unsigned long allocmiss = atomic_read(&cachep->allocmiss);
73896 - unsigned long freehit = atomic_read(&cachep->freehit);
73897 - unsigned long freemiss = atomic_read(&cachep->freemiss);
73898 + unsigned long allochit = atomic_read_unchecked(&cachep->allochit);
73899 + unsigned long allocmiss = atomic_read_unchecked(&cachep->allocmiss);
73900 + unsigned long freehit = atomic_read_unchecked(&cachep->freehit);
73901 + unsigned long freemiss = atomic_read_unchecked(&cachep->freemiss);
73902
73903 seq_printf(m, " : cpustat %6lu %6lu %6lu %6lu",
73904 allochit, allocmiss, freehit, freemiss);
73905 @@ -4471,15 +4471,66 @@ static const struct file_operations proc
73906
73907 static int __init slab_proc_init(void)
73908 {
73909 - proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
73910 + mode_t gr_mode = S_IRUGO;
73911 +
73912 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
73913 + gr_mode = S_IRUSR;
73914 +#endif
73915 +
73916 + proc_create("slabinfo",S_IWUSR|gr_mode,NULL,&proc_slabinfo_operations);
73917 #ifdef CONFIG_DEBUG_SLAB_LEAK
73918 - proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
73919 + proc_create("slab_allocators", gr_mode, NULL, &proc_slabstats_operations);
73920 #endif
73921 return 0;
73922 }
73923 module_init(slab_proc_init);
73924 #endif
73925
73926 +void check_object_size(const void *ptr, unsigned long n, bool to)
73927 +{
73928 +
73929 +#ifdef CONFIG_PAX_USERCOPY
73930 + struct page *page;
73931 + struct kmem_cache *cachep = NULL;
73932 + struct slab *slabp;
73933 + unsigned int objnr;
73934 + unsigned long offset;
73935 +
73936 + if (!n)
73937 + return;
73938 +
73939 + if (ZERO_OR_NULL_PTR(ptr))
73940 + goto report;
73941 +
73942 + if (!virt_addr_valid(ptr))
73943 + return;
73944 +
73945 + page = virt_to_head_page(ptr);
73946 +
73947 + if (!PageSlab(page)) {
73948 + if (object_is_on_stack(ptr, n) == -1)
73949 + goto report;
73950 + return;
73951 + }
73952 +
73953 + cachep = page_get_cache(page);
73954 + if (!(cachep->flags & SLAB_USERCOPY))
73955 + goto report;
73956 +
73957 + slabp = page_get_slab(page);
73958 + objnr = obj_to_index(cachep, slabp, ptr);
73959 + BUG_ON(objnr >= cachep->num);
73960 + offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
73961 + if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
73962 + return;
73963 +
73964 +report:
73965 + pax_report_usercopy(ptr, n, to, cachep ? cachep->name : NULL);
73966 +#endif
73967 +
73968 +}
73969 +EXPORT_SYMBOL(check_object_size);
73970 +
73971 /**
73972 * ksize - get the actual amount of memory allocated for a given object
73973 * @objp: Pointer to the object
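Review bot: In `check_object_size()`, `BUG_ON(objnr >= cachep->num)` turns an out-of-range pointer into a kernel BUG instead of sending it through the `report:` path used by every other failed check in the function. `obj_to_index()` computes `u32 offset = (obj - slab->s_mem)`, so a pointer that lies in a slab page but before `s_mem` or past the last object would typically produce an index at or above `cachep->num`, which is the kind of bad range this function exists to report. `if (objnr >= cachep->num) goto report;` keeps the handling uniform and lets `pax_report_usercopy()` record the cache name. Whether such a pointer can reach this line depends on callers not shown here.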
73974 diff -urNp linux-2.6.32.46/mm/slob.c linux-2.6.32.46/mm/slob.c
73975 --- linux-2.6.32.46/mm/slob.c 2011-03-27 14:31:47.000000000 -0400
73976 +++ linux-2.6.32.46/mm/slob.c 2011-07-06 19:53:33.000000000 -0400
73977 @@ -29,7 +29,7 @@
73978 * If kmalloc is asked for objects of PAGE_SIZE or larger, it calls
73979 * alloc_pages() directly, allocating compound pages so the page order
73980 * does not have to be separately tracked, and also stores the exact
73981 - * allocation size in page->private so that it can be used to accurately
73982 + * allocation size in slob_page->size so that it can be used to accurately
73983 * provide ksize(). These objects are detected in kfree() because slob_page()
73984 * is false for them.
73985 *
73986 @@ -58,6 +58,7 @@
73987 */
73988
73989 #include <linux/kernel.h>
73990 +#include <linux/sched.h>
73991 #include <linux/slab.h>
73992 #include <linux/mm.h>
73993 #include <linux/swap.h> /* struct reclaim_state */
73994 @@ -100,7 +101,8 @@ struct slob_page {
73995 unsigned long flags; /* mandatory */
73996 atomic_t _count; /* mandatory */
73997 slobidx_t units; /* free units left in page */
73998 - unsigned long pad[2];
73999 + unsigned long pad[1];
74000 + unsigned long size; /* size when >=PAGE_SIZE */
74001 slob_t *free; /* first free slob_t in page */
74002 struct list_head list; /* linked list of free pages */
74003 };
74004 @@ -133,7 +135,7 @@ static LIST_HEAD(free_slob_large);
74005 */
74006 static inline int is_slob_page(struct slob_page *sp)
74007 {
74008 - return PageSlab((struct page *)sp);
74009 + return PageSlab((struct page *)sp) && !sp->size;
74010 }
74011
74012 static inline void set_slob_page(struct slob_page *sp)
74013 @@ -148,7 +150,7 @@ static inline void clear_slob_page(struc
74014
74015 static inline struct slob_page *slob_page(const void *addr)
74016 {
74017 - return (struct slob_page *)virt_to_page(addr);
74018 + return (struct slob_page *)virt_to_head_page(addr);
74019 }
74020
74021 /*
74022 @@ -208,7 +210,7 @@ static void set_slob(slob_t *s, slobidx_
74023 /*
74024 * Return the size of a slob block.
74025 */
74026 -static slobidx_t slob_units(slob_t *s)
74027 +static slobidx_t slob_units(const slob_t *s)
74028 {
74029 if (s->units > 0)
74030 return s->units;
74031 @@ -218,7 +220,7 @@ static slobidx_t slob_units(slob_t *s)
74032 /*
74033 * Return the next free slob block pointer after this one.
74034 */
74035 -static slob_t *slob_next(slob_t *s)
74036 +static slob_t *slob_next(const slob_t *s)
74037 {
74038 slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
74039 slobidx_t next;
74040 @@ -233,7 +235,7 @@ static slob_t *slob_next(slob_t *s)
74041 /*
74042 * Returns true if s is the last free block in its page.
74043 */
74044 -static int slob_last(slob_t *s)
74045 +static int slob_last(const slob_t *s)
74046 {
74047 return !((unsigned long)slob_next(s) & ~PAGE_MASK);
74048 }
74049 @@ -252,6 +254,7 @@ static void *slob_new_pages(gfp_t gfp, i
74050 if (!page)
74051 return NULL;
74052
74053 + set_slob_page(page);
74054 return page_address(page);
74055 }
74056
74057 @@ -368,11 +371,11 @@ static void *slob_alloc(size_t size, gfp
74058 if (!b)
74059 return NULL;
74060 sp = slob_page(b);
74061 - set_slob_page(sp);
74062
74063 spin_lock_irqsave(&slob_lock, flags);
74064 sp->units = SLOB_UNITS(PAGE_SIZE);
74065 sp->free = b;
74066 + sp->size = 0;
74067 INIT_LIST_HEAD(&sp->list);
74068 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
74069 set_slob_page_free(sp, slob_list);
74070 @@ -475,10 +478,9 @@ out:
74071 #define ARCH_SLAB_MINALIGN __alignof__(unsigned long)
74072 #endif
74073
74074 -void *__kmalloc_node(size_t size, gfp_t gfp, int node)
74075 +static void *__kmalloc_node_align(size_t size, gfp_t gfp, int node, int align)
74076 {
74077 - unsigned int *m;
74078 - int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
74079 + slob_t *m;
74080 void *ret;
74081
74082 lockdep_trace_alloc(gfp);
74083 @@ -491,7 +493,10 @@ void *__kmalloc_node(size_t size, gfp_t
74084
74085 if (!m)
74086 return NULL;
74087 - *m = size;
74088 + BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
74089 + BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
74090 + m[0].units = size;
74091 + m[1].units = align;
74092 ret = (void *)m + align;
74093
74094 trace_kmalloc_node(_RET_IP_, ret,
74095 @@ -501,16 +506,25 @@ void *__kmalloc_node(size_t size, gfp_t
74096
74097 ret = slob_new_pages(gfp | __GFP_COMP, get_order(size), node);
74098 if (ret) {
74099 - struct page *page;
74100 - page = virt_to_page(ret);
74101 - page->private = size;
74102 + struct slob_page *sp;
74103 + sp = slob_page(ret);
74104 + sp->size = size;
74105 }
74106
74107 trace_kmalloc_node(_RET_IP_, ret,
74108 size, PAGE_SIZE << order, gfp, node);
74109 }
74110
74111 - kmemleak_alloc(ret, size, 1, gfp);
74112 + return ret;
74113 +}
74114 +
74115 +void *__kmalloc_node(size_t size, gfp_t gfp, int node)
74116 +{
74117 + int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
74118 + void *ret = __kmalloc_node_align(size, gfp, node, align);
74119 +
74120 + if (!ZERO_OR_NULL_PTR(ret))
74121 + kmemleak_alloc(ret, size, 1, gfp);
74122 return ret;
74123 }
74124 EXPORT_SYMBOL(__kmalloc_node);
74125 @@ -528,13 +542,88 @@ void kfree(const void *block)
74126 sp = slob_page(block);
74127 if (is_slob_page(sp)) {
74128 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
74129 - unsigned int *m = (unsigned int *)(block - align);
74130 - slob_free(m, *m + align);
74131 - } else
74132 + slob_t *m = (slob_t *)(block - align);
74133 + slob_free(m, m[0].units + align);
74134 + } else {
74135 + clear_slob_page(sp);
74136 + free_slob_page(sp);
74137 + sp->size = 0;
74138 put_page(&sp->page);
74139 + }
74140 }
74141 EXPORT_SYMBOL(kfree);
74142
74143 +void check_object_size(const void *ptr, unsigned long n, bool to)
74144 +{
74145 +
74146 +#ifdef CONFIG_PAX_USERCOPY
74147 + struct slob_page *sp;
74148 + const slob_t *free;
74149 + const void *base;
74150 + unsigned long flags;
74151 +
74152 + if (!n)
74153 + return;
74154 +
74155 + if (ZERO_OR_NULL_PTR(ptr))
74156 + goto report;
74157 +
74158 + if (!virt_addr_valid(ptr))
74159 + return;
74160 +
74161 + sp = slob_page(ptr);
74162 + if (!PageSlab((struct page*)sp)) {
74163 + if (object_is_on_stack(ptr, n) == -1)
74164 + goto report;
74165 + return;
74166 + }
74167 +
74168 + if (sp->size) {
74169 + base = page_address(&sp->page);
74170 + if (base <= ptr && n <= sp->size - (ptr - base))
74171 + return;
74172 + goto report;
74173 + }
74174 +
74175 + /* some tricky double walking to find the chunk */
74176 + spin_lock_irqsave(&slob_lock, flags);
74177 + base = (void *)((unsigned long)ptr & PAGE_MASK);
74178 + free = sp->free;
74179 +
74180 + while (!slob_last(free) && (void *)free <= ptr) {
74181 + base = free + slob_units(free);
74182 + free = slob_next(free);
74183 + }
74184 +
74185 + while (base < (void *)free) {
74186 + slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
74187 + int size = SLOB_UNIT * SLOB_UNITS(m + align);
74188 + int offset;
74189 +
74190 + if (ptr < base + align)
74191 + break;
74192 +
74193 + offset = ptr - base - align;
74194 + if (offset >= m) {
74195 + base += size;
74196 + continue;
74197 + }
74198 +
74199 + if (n > m - offset)
74200 + break;
74201 +
74202 + spin_unlock_irqrestore(&slob_lock, flags);
74203 + return;
74204 + }
74205 +
74206 + spin_unlock_irqrestore(&slob_lock, flags);
74207 +report:
74208 + pax_report_usercopy(ptr, n, to, NULL);
74209 +#endif
74210 +
74211 +}
74212 +EXPORT_SYMBOL(check_object_size);
74213 +
74214 /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
74215 size_t ksize(const void *block)
74216 {
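Review bot: The comment `/* some tricky double walking to find the chunk */` in the SLOB `check_object_size()` does not say what the two loops establish, which makes the bounds logic hard to audit. As far as the hunk shows, the first loop follows the free list while free blocks start at or below `ptr` and leaves `base` at the end of the last one visited; the second steps through allocated chunks from `base` up to `free`, reading the size and alignment that `__kmalloc_node_align()` stores in `m[0].units` and `m[1].units`. A block comment stating those two steps, and that the walk relies on every chunk in the page carrying that two-slot header, should replace the one-liner. It would also help to note there that `slob_lock` is held with interrupts disabled for the whole walk.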
74217 @@ -547,10 +636,10 @@ size_t ksize(const void *block)
74218 sp = slob_page(block);
74219 if (is_slob_page(sp)) {
74220 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
74221 - unsigned int *m = (unsigned int *)(block - align);
74222 - return SLOB_UNITS(*m) * SLOB_UNIT;
74223 + slob_t *m = (slob_t *)(block - align);
74224 + return SLOB_UNITS(m[0].units) * SLOB_UNIT;
74225 } else
74226 - return sp->page.private;
74227 + return sp->size;
74228 }
74229 EXPORT_SYMBOL(ksize);
74230
74231 @@ -566,8 +655,13 @@ struct kmem_cache *kmem_cache_create(con
74232 {
74233 struct kmem_cache *c;
74234
74235 +#ifdef CONFIG_PAX_USERCOPY
74236 + c = __kmalloc_node_align(sizeof(struct kmem_cache),
74237 + GFP_KERNEL, -1, ARCH_KMALLOC_MINALIGN);
74238 +#else
74239 c = slob_alloc(sizeof(struct kmem_cache),
74240 GFP_KERNEL, ARCH_KMALLOC_MINALIGN, -1);
74241 +#endif
74242
74243 if (c) {
74244 c->name = name;
74245 @@ -605,17 +699,25 @@ void *kmem_cache_alloc_node(struct kmem_
74246 {
74247 void *b;
74248
74249 +#ifdef CONFIG_PAX_USERCOPY
74250 + b = __kmalloc_node_align(c->size, flags, node, c->align);
74251 +#else
74252 if (c->size < PAGE_SIZE) {
74253 b = slob_alloc(c->size, flags, c->align, node);
74254 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
74255 SLOB_UNITS(c->size) * SLOB_UNIT,
74256 flags, node);
74257 } else {
74258 + struct slob_page *sp;
74259 +
74260 b = slob_new_pages(flags, get_order(c->size), node);
74261 + sp = slob_page(b);
74262 + sp->size = c->size;
74263 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
74264 PAGE_SIZE << get_order(c->size),
74265 flags, node);
74266 }
74267 +#endif
74268
74269 if (c->ctor)
74270 c->ctor(b);
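Review bot: In the non-USERCOPY branch for `c->size >= PAGE_SIZE`, the added `sp = slob_page(b); sp->size = c->size;` runs without checking `b`, although `slob_new_pages()` returns NULL when the page allocation fails (`if (!page) return NULL;` in the earlier hunk). On failure this resolves a page structure for address 0 and writes `size` into it. `__kmalloc_node_align()` guards the same store with `if (ret)`; the equivalent here is `if (b) slob_page(b)->size = c->size;`, which also lets the `struct slob_page *sp` local go. kmem_cache_alloc_node's body continues outside the hunk.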
74271 @@ -627,10 +729,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
74272
74273 static void __kmem_cache_free(void *b, int size)
74274 {
74275 - if (size < PAGE_SIZE)
74276 + struct slob_page *sp = slob_page(b);
74277 +
74278 + if (is_slob_page(sp))
74279 slob_free(b, size);
74280 - else
74281 + else {
74282 + clear_slob_page(sp);
74283 + free_slob_page(sp);
74284 + sp->size = 0;
74285 slob_free_pages(b, get_order(size));
74286 + }
74287 }
74288
74289 static void kmem_rcu_free(struct rcu_head *head)
74290 @@ -643,18 +751,32 @@ static void kmem_rcu_free(struct rcu_hea
74291
74292 void kmem_cache_free(struct kmem_cache *c, void *b)
74293 {
74294 + int size = c->size;
74295 +
74296 +#ifdef CONFIG_PAX_USERCOPY
74297 + if (size + c->align < PAGE_SIZE) {
74298 + size += c->align;
74299 + b -= c->align;
74300 + }
74301 +#endif
74302 +
74303 kmemleak_free_recursive(b, c->flags);
74304 if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
74305 struct slob_rcu *slob_rcu;
74306 - slob_rcu = b + (c->size - sizeof(struct slob_rcu));
74307 + slob_rcu = b + (size - sizeof(struct slob_rcu));
74308 INIT_RCU_HEAD(&slob_rcu->head);
74309 - slob_rcu->size = c->size;
74310 + slob_rcu->size = size;
74311 call_rcu(&slob_rcu->head, kmem_rcu_free);
74312 } else {
74313 - __kmem_cache_free(b, c->size);
74314 + __kmem_cache_free(b, size);
74315 }
74316
74317 +#ifdef CONFIG_PAX_USERCOPY
74318 + trace_kfree(_RET_IP_, b);
74319 +#else
74320 trace_kmem_cache_free(_RET_IP_, b);
74321 +#endif
74322 +
74323 }
74324 EXPORT_SYMBOL(kmem_cache_free);
74325
74326 diff -urNp linux-2.6.32.46/mm/slub.c linux-2.6.32.46/mm/slub.c
74327 --- linux-2.6.32.46/mm/slub.c 2011-03-27 14:31:47.000000000 -0400
74328 +++ linux-2.6.32.46/mm/slub.c 2011-09-25 22:23:01.000000000 -0400
74329 @@ -201,7 +201,7 @@ struct track {
74330
74331 enum track_item { TRACK_ALLOC, TRACK_FREE };
74332
74333 -#ifdef CONFIG_SLUB_DEBUG
74334 +#if defined(CONFIG_SLUB_DEBUG) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
74335 static int sysfs_slab_add(struct kmem_cache *);
74336 static int sysfs_slab_alias(struct kmem_cache *, const char *);
74337 static void sysfs_slab_remove(struct kmem_cache *);
74338 @@ -410,7 +410,7 @@ static void print_track(const char *s, s
74339 if (!t->addr)
74340 return;
74341
74342 - printk(KERN_ERR "INFO: %s in %pS age=%lu cpu=%u pid=%d\n",
74343 + printk(KERN_ERR "INFO: %s in %pA age=%lu cpu=%u pid=%d\n",
74344 s, (void *)t->addr, jiffies - t->when, t->cpu, t->pid);
74345 }
74346
74347 @@ -1893,6 +1893,8 @@ void kmem_cache_free(struct kmem_cache *
74348
74349 page = virt_to_head_page(x);
74350
74351 + BUG_ON(!PageSlab(page));
74352 +
74353 slab_free(s, page, x, _RET_IP_);
74354
74355 trace_kmem_cache_free(_RET_IP_, x);
74356 @@ -1937,7 +1939,7 @@ static int slub_min_objects;
74357 * Merge control. If this is set then no merging of slab caches will occur.
74358 * (Could be removed. This was introduced to pacify the merge skeptics.)
74359 */
74360 -static int slub_nomerge;
74361 +static int slub_nomerge = 1;
74362
74363 /*
74364 * Calculate the order of allocation given an slab object size.
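Review bot: Changing the default to `slub_nomerge = 1` leaves the comment above it describing merging as the normal case and records no reason for the new default. If the intent is to keep caches with different `SLAB_USERCOPY` settings or object sizes from being aliased to one another (an inference; the hunk does not say), that belongs in the comment, e.g. `/* Merging is disabled by default in this tree; see SLAB_USERCOPY. TODO confirm rationale. */`. It is also worth checking whether the `slub_nomerge` boot parameter still has any effect, since its handler body is outside this hunk.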
74365 @@ -2493,7 +2495,7 @@ static int kmem_cache_open(struct kmem_c
74366 * list to avoid pounding the page allocator excessively.
74367 */
74368 set_min_partial(s, ilog2(s->size));
74369 - s->refcount = 1;
74370 + atomic_set(&s->refcount, 1);
74371 #ifdef CONFIG_NUMA
74372 s->remote_node_defrag_ratio = 1000;
74373 #endif
74374 @@ -2630,8 +2632,7 @@ static inline int kmem_cache_close(struc
74375 void kmem_cache_destroy(struct kmem_cache *s)
74376 {
74377 down_write(&slub_lock);
74378 - s->refcount--;
74379 - if (!s->refcount) {
74380 + if (atomic_dec_and_test(&s->refcount)) {
74381 list_del(&s->list);
74382 up_write(&slub_lock);
74383 if (kmem_cache_close(s)) {
74384 @@ -2691,12 +2692,10 @@ static int __init setup_slub_nomerge(cha
74385 __setup("slub_nomerge", setup_slub_nomerge);
74386
74387 static struct kmem_cache *create_kmalloc_cache(struct kmem_cache *s,
74388 - const char *name, int size, gfp_t gfp_flags)
74389 + const char *name, int size, gfp_t gfp_flags, unsigned int flags)
74390 {
74391 - unsigned int flags = 0;
74392 -
74393 if (gfp_flags & SLUB_DMA)
74394 - flags = SLAB_CACHE_DMA;
74395 + flags |= SLAB_CACHE_DMA;
74396
74397 /*
74398 * This function is called with IRQs disabled during early-boot on
74399 @@ -2915,6 +2914,46 @@ void *__kmalloc_node(size_t size, gfp_t
74400 EXPORT_SYMBOL(__kmalloc_node);
74401 #endif
74402
74403 +void check_object_size(const void *ptr, unsigned long n, bool to)
74404 +{
74405 +
74406 +#ifdef CONFIG_PAX_USERCOPY
74407 + struct page *page;
74408 + struct kmem_cache *s = NULL;
74409 + unsigned long offset;
74410 +
74411 + if (!n)
74412 + return;
74413 +
74414 + if (ZERO_OR_NULL_PTR(ptr))
74415 + goto report;
74416 +
74417 + if (!virt_addr_valid(ptr))
74418 + return;
74419 +
74420 + page = get_object_page(ptr);
74421 +
74422 + if (!page) {
74423 + if (object_is_on_stack(ptr, n) == -1)
74424 + goto report;
74425 + return;
74426 + }
74427 +
74428 + s = page->slab;
74429 + if (!(s->flags & SLAB_USERCOPY))
74430 + goto report;
74431 +
74432 + offset = (ptr - page_address(page)) % s->size;
74433 + if (offset <= s->objsize && n <= s->objsize - offset)
74434 + return;
74435 +
74436 +report:
74437 + pax_report_usercopy(ptr, n, to, s ? s->name : NULL);
74438 +#endif
74439 +
74440 +}
74441 +EXPORT_SYMBOL(check_object_size);
74442 +
74443 size_t ksize(const void *object)
74444 {
74445 struct page *page;
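Review bot: `check_object_size()` is exported but has no header comment, so the meaning of `to` and the outcome of a failed check can only be found by reading `pax_report_usercopy()`, which is not in this hunk. A kernel-doc block should state that `ptr` and `n` describe the kernel buffer being checked (presumably the kernel side of a user copy), that `to` is passed through to the report, that the function returns nothing and reports violations itself, and that its body is empty without `CONFIG_PAX_USERCOPY`. A why-comment on `if (!virt_addr_valid(ptr)) return;` is also needed, since that line lets such pointers through unchecked. The copies added to mm/slab.c and mm/slob.c have the same gap.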
74446 @@ -3185,8 +3224,8 @@ void __init kmem_cache_init(void)
74447 * kmem_cache_open for slab_state == DOWN.
74448 */
74449 create_kmalloc_cache(&kmalloc_caches[0], "kmem_cache_node",
74450 - sizeof(struct kmem_cache_node), GFP_NOWAIT);
74451 - kmalloc_caches[0].refcount = -1;
74452 + sizeof(struct kmem_cache_node), GFP_NOWAIT, 0);
74453 + atomic_set(&kmalloc_caches[0].refcount, -1);
74454 caches++;
74455
74456 hotplug_memory_notifier(slab_memory_callback, SLAB_CALLBACK_PRI);
74457 @@ -3198,18 +3237,18 @@ void __init kmem_cache_init(void)
74458 /* Caches that are not of the two-to-the-power-of size */
74459 if (KMALLOC_MIN_SIZE <= 32) {
74460 create_kmalloc_cache(&kmalloc_caches[1],
74461 - "kmalloc-96", 96, GFP_NOWAIT);
74462 + "kmalloc-96", 96, GFP_NOWAIT, SLAB_USERCOPY);
74463 caches++;
74464 }
74465 if (KMALLOC_MIN_SIZE <= 64) {
74466 create_kmalloc_cache(&kmalloc_caches[2],
74467 - "kmalloc-192", 192, GFP_NOWAIT);
74468 + "kmalloc-192", 192, GFP_NOWAIT, SLAB_USERCOPY);
74469 caches++;
74470 }
74471
74472 for (i = KMALLOC_SHIFT_LOW; i < SLUB_PAGE_SHIFT; i++) {
74473 create_kmalloc_cache(&kmalloc_caches[i],
74474 - "kmalloc", 1 << i, GFP_NOWAIT);
74475 + "kmalloc", 1 << i, GFP_NOWAIT, SLAB_USERCOPY);
74476 caches++;
74477 }
74478
74479 @@ -3293,7 +3332,7 @@ static int slab_unmergeable(struct kmem_
74480 /*
74481 * We may have set a slab to be unmergeable during bootstrap.
74482 */
74483 - if (s->refcount < 0)
74484 + if (atomic_read(&s->refcount) < 0)
74485 return 1;
74486
74487 return 0;
74488 @@ -3353,7 +3392,7 @@ struct kmem_cache *kmem_cache_create(con
74489 if (s) {
74490 int cpu;
74491
74492 - s->refcount++;
74493 + atomic_inc(&s->refcount);
74494 /*
74495 * Adjust the object sizes so that we clear
74496 * the complete object on kzalloc.
74497 @@ -3372,7 +3411,7 @@ struct kmem_cache *kmem_cache_create(con
74498
74499 if (sysfs_slab_alias(s, name)) {
74500 down_write(&slub_lock);
74501 - s->refcount--;
74502 + atomic_dec(&s->refcount);
74503 up_write(&slub_lock);
74504 goto err;
74505 }
74506 @@ -4101,7 +4140,7 @@ SLAB_ATTR_RO(ctor);
74507
74508 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
74509 {
74510 - return sprintf(buf, "%d\n", s->refcount - 1);
74511 + return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
74512 }
74513 SLAB_ATTR_RO(aliases);
74514
74515 @@ -4503,7 +4542,7 @@ static void kmem_cache_release(struct ko
74516 kfree(s);
74517 }
74518
74519 -static struct sysfs_ops slab_sysfs_ops = {
74520 +static const struct sysfs_ops slab_sysfs_ops = {
74521 .show = slab_attr_show,
74522 .store = slab_attr_store,
74523 };
74524 @@ -4522,7 +4561,7 @@ static int uevent_filter(struct kset *ks
74525 return 0;
74526 }
74527
74528 -static struct kset_uevent_ops slab_uevent_ops = {
74529 +static const struct kset_uevent_ops slab_uevent_ops = {
74530 .filter = uevent_filter,
74531 };
74532
74533 @@ -4564,6 +4603,7 @@ static char *create_unique_id(struct kme
74534 return name;
74535 }
74536
74537 +#if defined(CONFIG_SLUB_DEBUG) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
74538 static int sysfs_slab_add(struct kmem_cache *s)
74539 {
74540 int err;
74541 @@ -4619,6 +4659,7 @@ static void sysfs_slab_remove(struct kme
74542 kobject_del(&s->kobj);
74543 kobject_put(&s->kobj);
74544 }
74545 +#endif
74546
74547 /*
74548 * Need to buffer aliases during bootup until sysfs becomes
74549 @@ -4632,6 +4673,7 @@ struct saved_alias {
74550
74551 static struct saved_alias *alias_list;
74552
74553 +#if defined(CONFIG_SLUB_DEBUG) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
74554 static int sysfs_slab_alias(struct kmem_cache *s, const char *name)
74555 {
74556 struct saved_alias *al;
74557 @@ -4654,6 +4696,7 @@ static int sysfs_slab_alias(struct kmem_
74558 alias_list = al;
74559 return 0;
74560 }
74561 +#endif
74562
74563 static int __init slab_sysfs_init(void)
74564 {
74565 @@ -4785,7 +4828,13 @@ static const struct file_operations proc
74566
74567 static int __init slab_proc_init(void)
74568 {
74569 - proc_create("slabinfo", S_IRUGO, NULL, &proc_slabinfo_operations);
74570 + mode_t gr_mode = S_IRUGO;
74571 +
74572 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
74573 + gr_mode = S_IRUSR;
74574 +#endif
74575 +
74576 + proc_create("slabinfo", gr_mode, NULL, &proc_slabinfo_operations);
74577 return 0;
74578 }
74579 module_init(slab_proc_init);
74580 diff -urNp linux-2.6.32.46/mm/swap.c linux-2.6.32.46/mm/swap.c
74581 --- linux-2.6.32.46/mm/swap.c 2011-03-27 14:31:47.000000000 -0400
74582 +++ linux-2.6.32.46/mm/swap.c 2011-07-09 09:15:19.000000000 -0400
74583 @@ -30,6 +30,7 @@
74584 #include <linux/notifier.h>
74585 #include <linux/backing-dev.h>
74586 #include <linux/memcontrol.h>
74587 +#include <linux/hugetlb.h>
74588
74589 #include "internal.h"
74590
74591 @@ -65,6 +66,8 @@ static void put_compound_page(struct pag
74592 compound_page_dtor *dtor;
74593
74594 dtor = get_compound_page_dtor(page);
74595 + if (!PageHuge(page))
74596 + BUG_ON(dtor != free_compound_page);
74597 (*dtor)(page);
74598 }
74599 }
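Review bot: The new destructor check in `put_compound_page()` is split across an `if` and a `BUG_ON`, and nothing says why only `free_compound_page` is accepted for non-huge pages. `BUG_ON(!PageHuge(page) && dtor != free_compound_page);` with a one-line comment such as `/* only hugetlb pages may carry a different compound destructor */` states the rule in one place. The comment could also mention that this comparison is why `free_compound_page()` loses `static` in mm/page_alloc.c. The function starts outside the hunk.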
74600 diff -urNp linux-2.6.32.46/mm/util.c linux-2.6.32.46/mm/util.c
74601 --- linux-2.6.32.46/mm/util.c 2011-03-27 14:31:47.000000000 -0400
74602 +++ linux-2.6.32.46/mm/util.c 2011-04-17 15:56:46.000000000 -0400
74603 @@ -228,6 +228,12 @@ EXPORT_SYMBOL(strndup_user);
74604 void arch_pick_mmap_layout(struct mm_struct *mm)
74605 {
74606 mm->mmap_base = TASK_UNMAPPED_BASE;
74607 +
74608 +#ifdef CONFIG_PAX_RANDMMAP
74609 + if (mm->pax_flags & MF_PAX_RANDMMAP)
74610 + mm->mmap_base += mm->delta_mmap;
74611 +#endif
74612 +
74613 mm->get_unmapped_area = arch_get_unmapped_area;
74614 mm->unmap_area = arch_unmap_area;
74615 }
74616 diff -urNp linux-2.6.32.46/mm/vmalloc.c linux-2.6.32.46/mm/vmalloc.c
74617 --- linux-2.6.32.46/mm/vmalloc.c 2011-08-29 22:24:44.000000000 -0400
74618 +++ linux-2.6.32.46/mm/vmalloc.c 2011-08-29 22:25:07.000000000 -0400
74619 @@ -40,8 +40,19 @@ static void vunmap_pte_range(pmd_t *pmd,
74620
74621 pte = pte_offset_kernel(pmd, addr);
74622 do {
74623 - pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
74624 - WARN_ON(!pte_none(ptent) && !pte_present(ptent));
74625 +
74626 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
74627 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
74628 + BUG_ON(!pte_exec(*pte));
74629 + set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
74630 + continue;
74631 + }
74632 +#endif
74633 +
74634 + {
74635 + pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
74636 + WARN_ON(!pte_none(ptent) && !pte_present(ptent));
74637 + }
74638 } while (pte++, addr += PAGE_SIZE, addr != end);
74639 }
74640
74641 @@ -92,6 +103,7 @@ static int vmap_pte_range(pmd_t *pmd, un
74642 unsigned long end, pgprot_t prot, struct page **pages, int *nr)
74643 {
74644 pte_t *pte;
74645 + int ret = -ENOMEM;
74646
74647 /*
74648 * nr is a running index into the array which helps higher level
74649 @@ -101,17 +113,32 @@ static int vmap_pte_range(pmd_t *pmd, un
74650 pte = pte_alloc_kernel(pmd, addr);
74651 if (!pte)
74652 return -ENOMEM;
74653 +
74654 + pax_open_kernel();
74655 do {
74656 struct page *page = pages[*nr];
74657
74658 - if (WARN_ON(!pte_none(*pte)))
74659 - return -EBUSY;
74660 - if (WARN_ON(!page))
74661 - return -ENOMEM;
74662 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
74663 + if (!(pgprot_val(prot) & _PAGE_NX))
74664 + BUG_ON(!pte_exec(*pte) || pte_pfn(*pte) != __pa(addr) >> PAGE_SHIFT);
74665 + else
74666 +#endif
74667 +
74668 + if (WARN_ON(!pte_none(*pte))) {
74669 + ret = -EBUSY;
74670 + goto out;
74671 + }
74672 + if (WARN_ON(!page)) {
74673 + ret = -ENOMEM;
74674 + goto out;
74675 + }
74676 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
74677 (*nr)++;
74678 } while (pte++, addr += PAGE_SIZE, addr != end);
74679 - return 0;
74680 + ret = 0;
74681 +out:
74682 + pax_close_kernel();
74683 + return ret;
74684 }
74685
74686 static int vmap_pmd_range(pud_t *pud, unsigned long addr,
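Review bot: The `else` placed directly before `#endif` binds only to the single statement after it, `if (WARN_ON(!pte_none(*pte))) { ... }`, so for a mapping without `_PAGE_NX` the `pte_none` check is skipped while the `!page` check and `set_pte_at()` still run; the blank line after `#endif` makes that easy to misread as unconditional. I would brace both arms, `if (!(pgprot_val(prot) & _PAGE_NX)) { BUG_ON(...); } else` before the `#endif` and `{ if (WARN_ON(!pte_none(*pte))) { ret = -EBUSY; goto out; } }` after it, and add `/* exec range: the PTE is expected to be populated already */` if that is the intent. The same `else`/`#endif` construction appears in the `__vmalloc_node` hunk, and the `vmalloc_to_page` hunk prefixes `if (!pud_none(*pud))` and `if (!pmd_none(*pmd))` with a conditional `if` in the same unbraced way. The function signature and the `ret` declaration are in the preceding hunk.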
74687 @@ -192,11 +219,20 @@ int is_vmalloc_or_module_addr(const void
74688 * and fall back on vmalloc() if that fails. Others
74689 * just put it in the vmalloc space.
74690 */
74691 -#if defined(CONFIG_MODULES) && defined(MODULES_VADDR)
74692 +#ifdef CONFIG_MODULES
74693 +#ifdef MODULES_VADDR
74694 unsigned long addr = (unsigned long)x;
74695 if (addr >= MODULES_VADDR && addr < MODULES_END)
74696 return 1;
74697 #endif
74698 +
74699 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
74700 + if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
74701 + return 1;
74702 +#endif
74703 +
74704 +#endif
74705 +
74706 return is_vmalloc_addr(x);
74707 }
74708
74709 @@ -217,8 +253,14 @@ struct page *vmalloc_to_page(const void
74710
74711 if (!pgd_none(*pgd)) {
74712 pud_t *pud = pud_offset(pgd, addr);
74713 +#ifdef CONFIG_X86
74714 + if (!pud_large(*pud))
74715 +#endif
74716 if (!pud_none(*pud)) {
74717 pmd_t *pmd = pmd_offset(pud, addr);
74718 +#ifdef CONFIG_X86
74719 + if (!pmd_large(*pmd))
74720 +#endif
74721 if (!pmd_none(*pmd)) {
74722 pte_t *ptep, pte;
74723
74724 @@ -292,13 +334,13 @@ static void __insert_vmap_area(struct vm
74725 struct rb_node *tmp;
74726
74727 while (*p) {
74728 - struct vmap_area *tmp;
74729 + struct vmap_area *varea;
74730
74731 parent = *p;
74732 - tmp = rb_entry(parent, struct vmap_area, rb_node);
74733 - if (va->va_start < tmp->va_end)
74734 + varea = rb_entry(parent, struct vmap_area, rb_node);
74735 + if (va->va_start < varea->va_end)
74736 p = &(*p)->rb_left;
74737 - else if (va->va_end > tmp->va_start)
74738 + else if (va->va_end > varea->va_start)
74739 p = &(*p)->rb_right;
74740 else
74741 BUG();
74742 @@ -1233,6 +1275,16 @@ static struct vm_struct *__get_vm_area_n
74743 struct vm_struct *area;
74744
74745 BUG_ON(in_interrupt());
74746 +
74747 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
74748 + if (flags & VM_KERNEXEC) {
74749 + if (start != VMALLOC_START || end != VMALLOC_END)
74750 + return NULL;
74751 + start = (unsigned long)MODULES_EXEC_VADDR;
74752 + end = (unsigned long)MODULES_EXEC_END;
74753 + }
74754 +#endif
74755 +
74756 if (flags & VM_IOREMAP) {
74757 int bit = fls(size);
74758
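Review bot: This guard tests `CONFIG_X86`, as do the `vmap` and `__vmalloc_node` hunks that set `VM_KERNEXEC`, while the `vunmap_pte_range`, `vmap_pte_range` and `is_vmalloc_or_module_addr` hunks that special-case the same `MODULES_EXEC_VADDR`/`MODULES_EXEC_END` window test `CONFIG_X86_32`. If the difference is deliberate, a comment here should say why the 64-bit build needs the window but not the PTE special-casing; otherwise the guards should agree. Separately, the `return NULL` for a `VM_KERNEXEC` request whose range is not `VMALLOC_START..VMALLOC_END` looks to the caller exactly like an allocation failure, so I would add `/* executable areas may only be placed in the module exec window */` above it. The function body begins and ends outside this hunk.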
74759 @@ -1458,6 +1510,11 @@ void *vmap(struct page **pages, unsigned
74760 if (count > totalram_pages)
74761 return NULL;
74762
74763 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
74764 + if (!(pgprot_val(prot) & _PAGE_NX))
74765 + flags |= VM_KERNEXEC;
74766 +#endif
74767 +
74768 area = get_vm_area_caller((count << PAGE_SHIFT), flags,
74769 __builtin_return_address(0));
74770 if (!area)
74771 @@ -1568,6 +1625,13 @@ static void *__vmalloc_node(unsigned lon
74772 if (!size || (size >> PAGE_SHIFT) > totalram_pages)
74773 return NULL;
74774
74775 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
74776 + if (!(pgprot_val(prot) & _PAGE_NX))
74777 + area = __get_vm_area_node(size, align, VM_ALLOC | VM_KERNEXEC, VMALLOC_START, VMALLOC_END,
74778 + node, gfp_mask, caller);
74779 + else
74780 +#endif
74781 +
74782 area = __get_vm_area_node(size, align, VM_ALLOC, VMALLOC_START,
74783 VMALLOC_END, node, gfp_mask, caller);
74784
74785 @@ -1586,6 +1650,7 @@ static void *__vmalloc_node(unsigned lon
74786 return addr;
74787 }
74788
74789 +#undef __vmalloc
74790 void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
74791 {
74792 return __vmalloc_node(size, 1, gfp_mask, prot, -1,
74793 @@ -1602,6 +1667,7 @@ EXPORT_SYMBOL(__vmalloc);
74794 * For tight control over page level allocator and protection flags
74795 * use __vmalloc() instead.
74796 */
74797 +#undef vmalloc
74798 void *vmalloc(unsigned long size)
74799 {
74800 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
74801 @@ -1616,6 +1682,7 @@ EXPORT_SYMBOL(vmalloc);
74802 * The resulting memory area is zeroed so it can be mapped to userspace
74803 * without leaking data.
74804 */
74805 +#undef vmalloc_user
74806 void *vmalloc_user(unsigned long size)
74807 {
74808 struct vm_struct *area;
74809 @@ -1643,6 +1710,7 @@ EXPORT_SYMBOL(vmalloc_user);
74810 * For tight control over page level allocator and protection flags
74811 * use __vmalloc() instead.
74812 */
74813 +#undef vmalloc_node
74814 void *vmalloc_node(unsigned long size, int node)
74815 {
74816 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
74817 @@ -1665,10 +1733,10 @@ EXPORT_SYMBOL(vmalloc_node);
74818 * For tight control over page level allocator and protection flags
74819 * use __vmalloc() instead.
74820 */
74821 -
74822 +#undef vmalloc_exec
74823 void *vmalloc_exec(unsigned long size)
74824 {
74825 - return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
74826 + return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
74827 -1, __builtin_return_address(0));
74828 }
74829
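Review bot: The kernel-doc comment above `vmalloc_exec` is not updated for the added `__GFP_ZERO`, so a caller cannot tell from the documentation that the returned executable memory is now zero-filled. I would add a sentence to that comment, for example `* The memory is zeroed, so no stale data is exposed through an executable mapping.`; the start of the comment is outside this hunk. The `#undef vmalloc_exec` now sitting between the comment and the definition also needs a word of explanation, e.g. `/* drop the wrapper macro so the real function can be defined */`, assuming a macro of that name is defined in a header not shown here; the same applies to the `#undef` lines added before `__vmalloc`, `vmalloc`, `vmalloc_user`, `vmalloc_node`, `vmalloc_32` and `vmalloc_32_user`.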
74830 @@ -1687,6 +1755,7 @@ void *vmalloc_exec(unsigned long size)
74831 * Allocate enough 32bit PA addressable pages to cover @size from the
74832 * page level allocator and map them into contiguous kernel virtual space.
74833 */
74834 +#undef vmalloc_32
74835 void *vmalloc_32(unsigned long size)
74836 {
74837 return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
74838 @@ -1701,6 +1770,7 @@ EXPORT_SYMBOL(vmalloc_32);
74839 * The resulting memory area is 32bit addressable and zeroed so it can be
74840 * mapped to userspace without leaking data.
74841 */
74842 +#undef vmalloc_32_user
74843 void *vmalloc_32_user(unsigned long size)
74844 {
74845 struct vm_struct *area;
74846 @@ -1965,6 +2035,8 @@ int remap_vmalloc_range(struct vm_area_s
74847 unsigned long uaddr = vma->vm_start;
74848 unsigned long usize = vma->vm_end - vma->vm_start;
74849
74850 + BUG_ON(vma->vm_mirror);
74851 +
74852 if ((PAGE_SIZE-1) & (unsigned long)addr)
74853 return -EINVAL;
74854
74855 diff -urNp linux-2.6.32.46/mm/vmstat.c linux-2.6.32.46/mm/vmstat.c
74856 --- linux-2.6.32.46/mm/vmstat.c 2011-03-27 14:31:47.000000000 -0400
74857 +++ linux-2.6.32.46/mm/vmstat.c 2011-04-17 15:56:46.000000000 -0400
74858 @@ -74,7 +74,7 @@ void vm_events_fold_cpu(int cpu)
74859 *
74860 * vm_stat contains the global counters
74861 */
74862 -atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
74863 +atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
74864 EXPORT_SYMBOL(vm_stat);
74865
74866 #ifdef CONFIG_SMP
74867 @@ -324,7 +324,7 @@ void refresh_cpu_vm_stats(int cpu)
74868 v = p->vm_stat_diff[i];
74869 p->vm_stat_diff[i] = 0;
74870 local_irq_restore(flags);
74871 - atomic_long_add(v, &zone->vm_stat[i]);
74872 + atomic_long_add_unchecked(v, &zone->vm_stat[i]);
74873 global_diff[i] += v;
74874 #ifdef CONFIG_NUMA
74875 /* 3 seconds idle till flush */
74876 @@ -362,7 +362,7 @@ void refresh_cpu_vm_stats(int cpu)
74877
74878 for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
74879 if (global_diff[i])
74880 - atomic_long_add(global_diff[i], &vm_stat[i]);
74881 + atomic_long_add_unchecked(global_diff[i], &vm_stat[i]);
74882 }
74883
74884 #endif
74885 @@ -953,10 +953,20 @@ static int __init setup_vmstat(void)
74886 start_cpu_timer(cpu);
74887 #endif
74888 #ifdef CONFIG_PROC_FS
74889 - proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
74890 - proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
74891 - proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
74892 - proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
74893 + {
74894 + mode_t gr_mode = S_IRUGO;
74895 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
74896 + gr_mode = S_IRUSR;
74897 +#endif
74898 + proc_create("buddyinfo", gr_mode, NULL, &fragmentation_file_operations);
74899 + proc_create("pagetypeinfo", gr_mode, NULL, &pagetypeinfo_file_ops);
74900 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
74901 + proc_create("vmstat", gr_mode | S_IRGRP, NULL, &proc_vmstat_file_operations);
74902 +#else
74903 + proc_create("vmstat", gr_mode, NULL, &proc_vmstat_file_operations);
74904 +#endif
74905 + proc_create("zoneinfo", gr_mode, NULL, &proc_zoneinfo_file_operations);
74906 + }
74907 #endif
74908 return 0;
74909 }
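Review bot: In the `CONFIG_GRKERNSEC_PROC_USERGROUP` branch only `vmstat` is created with `gr_mode | S_IRGRP`, while `buddyinfo`, `pagetypeinfo` and `zoneinfo` stay at `gr_mode`, and nothing says why `vmstat` is the exception. `gr_mode` is narrowed to `S_IRUSR` only under `CONFIG_GRKERNSEC_PROC_ADD`, so with `PROC_USERGROUP` alone it is still `S_IRUGO` and the `| S_IRGRP` changes nothing. The group bit also restricts access only if the entry's group is set to the intended group somewhere else, which this hunk does not show. I would add a comment stating the policy (for instance `/* vmstat stays group-readable; the allocator-state files are owner-only */`, wording to be confirmed) and compute a second `mode_t` for `vmstat` instead of duplicating the `proc_create` call under `#ifdef`.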
74910 diff -urNp linux-2.6.32.46/net/8021q/vlan.c linux-2.6.32.46/net/8021q/vlan.c
74911 --- linux-2.6.32.46/net/8021q/vlan.c 2011-03-27 14:31:47.000000000 -0400
74912 +++ linux-2.6.32.46/net/8021q/vlan.c 2011-04-17 15:56:46.000000000 -0400
74913 @@ -622,8 +622,7 @@ static int vlan_ioctl_handler(struct net
74914 err = -EPERM;
74915 if (!capable(CAP_NET_ADMIN))
74916 break;
74917 - if ((args.u.name_type >= 0) &&
74918 - (args.u.name_type < VLAN_NAME_TYPE_HIGHEST)) {
74919 + if (args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {
74920 struct vlan_net *vn;
74921
74922 vn = net_generic(net, vlan_net_id);
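Review bot: Dropping `args.u.name_type >= 0` is only safe if `name_type` is declared unsigned; the declaration is not in this hunk, and `args` appears to carry values supplied by the ioctl caller (the function is `vlan_ioctl_handler`), so the range check matters. To keep the check correct whatever the declared type, I would write `if ((unsigned int)args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {`, or at least add `/* name_type is unsigned, so only the upper bound needs checking */`. The surrounding `switch` case starts and ends outside the hunk.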
74923 diff -urNp linux-2.6.32.46/net/9p/trans_fd.c linux-2.6.32.46/net/9p/trans_fd.c
74924 --- linux-2.6.32.46/net/9p/trans_fd.c 2011-03-27 14:31:47.000000000 -0400
74925 +++ linux-2.6.32.46/net/9p/trans_fd.c 2011-10-06 09:37:14.000000000 -0400
74926 @@ -419,7 +419,7 @@ static int p9_fd_write(struct p9_client
74927 oldfs = get_fs();
74928 set_fs(get_ds());
74929 /* The cast to a user pointer is valid due to the set_fs() */
74930 - ret = vfs_write(ts->wr, (__force void __user *)v, len, &ts->wr->f_pos);
74931 + ret = vfs_write(ts->wr, (void __force_user *)v, len, &ts->wr->f_pos);
74932 set_fs(oldfs);
74933
74934 if (ret <= 0 && ret != -ERESTARTSYS && ret != -EAGAIN)
74935 diff -urNp linux-2.6.32.46/net/atm/atm_misc.c linux-2.6.32.46/net/atm/atm_misc.c
74936 --- linux-2.6.32.46/net/atm/atm_misc.c 2011-03-27 14:31:47.000000000 -0400
74937 +++ linux-2.6.32.46/net/atm/atm_misc.c 2011-04-17 15:56:46.000000000 -0400
74938 @@ -19,7 +19,7 @@ int atm_charge(struct atm_vcc *vcc,int t
74939 if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
74940 return 1;
74941 atm_return(vcc,truesize);
74942 - atomic_inc(&vcc->stats->rx_drop);
74943 + atomic_inc_unchecked(&vcc->stats->rx_drop);
74944 return 0;
74945 }
74946
74947 @@ -41,7 +41,7 @@ struct sk_buff *atm_alloc_charge(struct
74948 }
74949 }
74950 atm_return(vcc,guess);
74951 - atomic_inc(&vcc->stats->rx_drop);
74952 + atomic_inc_unchecked(&vcc->stats->rx_drop);
74953 return NULL;
74954 }
74955
74956 @@ -88,7 +88,7 @@ int atm_pcr_goal(const struct atm_trafpr
74957
74958 void sonet_copy_stats(struct k_sonet_stats *from,struct sonet_stats *to)
74959 {
74960 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
74961 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
74962 __SONET_ITEMS
74963 #undef __HANDLE_ITEM
74964 }
74965 @@ -96,7 +96,7 @@ void sonet_copy_stats(struct k_sonet_sta
74966
74967 void sonet_subtract_stats(struct k_sonet_stats *from,struct sonet_stats *to)
74968 {
74969 -#define __HANDLE_ITEM(i) atomic_sub(to->i,&from->i)
74970 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
74971 __SONET_ITEMS
74972 #undef __HANDLE_ITEM
74973 }
74974 diff -urNp linux-2.6.32.46/net/atm/lec.h linux-2.6.32.46/net/atm/lec.h
74975 --- linux-2.6.32.46/net/atm/lec.h 2011-03-27 14:31:47.000000000 -0400
74976 +++ linux-2.6.32.46/net/atm/lec.h 2011-08-05 20:33:55.000000000 -0400
74977 @@ -48,7 +48,7 @@ struct lane2_ops {
74978 const u8 *tlvs, u32 sizeoftlvs);
74979 void (*associate_indicator) (struct net_device *dev, const u8 *mac_addr,
74980 const u8 *tlvs, u32 sizeoftlvs);
74981 -};
74982 +} __no_const;
74983
74984 /*
74985 * ATM LAN Emulation supports both LLC & Dix Ethernet EtherType
74986 diff -urNp linux-2.6.32.46/net/atm/mpc.h linux-2.6.32.46/net/atm/mpc.h
74987 --- linux-2.6.32.46/net/atm/mpc.h 2011-03-27 14:31:47.000000000 -0400
74988 +++ linux-2.6.32.46/net/atm/mpc.h 2011-08-23 21:22:38.000000000 -0400
74989 @@ -33,7 +33,7 @@ struct mpoa_client {
74990 struct mpc_parameters parameters; /* parameters for this client */
74991
74992 const struct net_device_ops *old_ops;
74993 - struct net_device_ops new_ops;
74994 + net_device_ops_no_const new_ops;
74995 };
74996
74997
74998 diff -urNp linux-2.6.32.46/net/atm/mpoa_caches.c linux-2.6.32.46/net/atm/mpoa_caches.c
74999 --- linux-2.6.32.46/net/atm/mpoa_caches.c 2011-03-27 14:31:47.000000000 -0400
75000 +++ linux-2.6.32.46/net/atm/mpoa_caches.c 2011-05-16 21:46:57.000000000 -0400
75001 @@ -498,6 +498,8 @@ static void clear_expired(struct mpoa_cl
75002 struct timeval now;
75003 struct k_message msg;
75004
75005 + pax_track_stack();
75006 +
75007 do_gettimeofday(&now);
75008
75009 write_lock_irq(&client->egress_lock);
75010 diff -urNp linux-2.6.32.46/net/atm/proc.c linux-2.6.32.46/net/atm/proc.c
75011 --- linux-2.6.32.46/net/atm/proc.c 2011-03-27 14:31:47.000000000 -0400
75012 +++ linux-2.6.32.46/net/atm/proc.c 2011-04-17 15:56:46.000000000 -0400
75013 @@ -43,9 +43,9 @@ static void add_stats(struct seq_file *s
75014 const struct k_atm_aal_stats *stats)
75015 {
75016 seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
75017 - atomic_read(&stats->tx),atomic_read(&stats->tx_err),
75018 - atomic_read(&stats->rx),atomic_read(&stats->rx_err),
75019 - atomic_read(&stats->rx_drop));
75020 + atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
75021 + atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
75022 + atomic_read_unchecked(&stats->rx_drop));
75023 }
75024
75025 static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
75026 @@ -188,7 +188,12 @@ static void vcc_info(struct seq_file *se
75027 {
75028 struct sock *sk = sk_atm(vcc);
75029
75030 +#ifdef CONFIG_GRKERNSEC_HIDESYM
75031 + seq_printf(seq, "%p ", NULL);
75032 +#else
75033 seq_printf(seq, "%p ", vcc);
75034 +#endif
75035 +
75036 if (!vcc->dev)
75037 seq_printf(seq, "Unassigned ");
75038 else
75039 @@ -214,7 +219,11 @@ static void svc_info(struct seq_file *se
75040 {
75041 if (!vcc->dev)
75042 seq_printf(seq, sizeof(void *) == 4 ?
75043 +#ifdef CONFIG_GRKERNSEC_HIDESYM
75044 + "N/A@%p%10s" : "N/A@%p%2s", NULL, "");
75045 +#else
75046 "N/A@%p%10s" : "N/A@%p%2s", vcc, "");
75047 +#endif
75048 else
75049 seq_printf(seq, "%3d %3d %5d ",
75050 vcc->dev->number, vcc->vpi, vcc->vci);
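Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` is placed inside the argument list of a single `seq_printf` call and repeats both format strings in each branch. Preprocessor directives inside call arguments become undefined behaviour if the callee is ever turned into a function-like macro, and the duplicated formats can drift apart. A local pointer avoids both: declare `const void *shown = NULL;`, assign `shown = vcc;` under `#ifndef CONFIG_GRKERNSEC_HIDESYM`, and keep one `seq_printf(seq, sizeof(void *) == 4 ? "N/A@%p%10s" : "N/A@%p%2s", shown, "");`. The function starts outside the hunk.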
75051 diff -urNp linux-2.6.32.46/net/atm/resources.c linux-2.6.32.46/net/atm/resources.c
75052 --- linux-2.6.32.46/net/atm/resources.c 2011-03-27 14:31:47.000000000 -0400
75053 +++ linux-2.6.32.46/net/atm/resources.c 2011-04-17 15:56:46.000000000 -0400
75054 @@ -161,7 +161,7 @@ void atm_dev_deregister(struct atm_dev *
75055 static void copy_aal_stats(struct k_atm_aal_stats *from,
75056 struct atm_aal_stats *to)
75057 {
75058 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
75059 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
75060 __AAL_STAT_ITEMS
75061 #undef __HANDLE_ITEM
75062 }
75063 @@ -170,7 +170,7 @@ static void copy_aal_stats(struct k_atm_
75064 static void subtract_aal_stats(struct k_atm_aal_stats *from,
75065 struct atm_aal_stats *to)
75066 {
75067 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
75068 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
75069 __AAL_STAT_ITEMS
75070 #undef __HANDLE_ITEM
75071 }
75072 diff -urNp linux-2.6.32.46/net/bluetooth/l2cap.c linux-2.6.32.46/net/bluetooth/l2cap.c
75073 --- linux-2.6.32.46/net/bluetooth/l2cap.c 2011-03-27 14:31:47.000000000 -0400
75074 +++ linux-2.6.32.46/net/bluetooth/l2cap.c 2011-06-25 14:36:21.000000000 -0400
75075 @@ -1885,7 +1885,7 @@ static int l2cap_sock_getsockopt_old(str
75076 err = -ENOTCONN;
75077 break;
75078 }
75079 -
75080 + memset(&cinfo, 0, sizeof(cinfo));
75081 cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
75082 memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
75083
75084 @@ -2719,7 +2719,7 @@ static inline int l2cap_config_req(struc
75085
75086 /* Reject if config buffer is too small. */
75087 len = cmd_len - sizeof(*req);
75088 - if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
75089 + if (len < 0 || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
75090 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
75091 l2cap_build_conf_rsp(sk, rsp,
75092 L2CAP_CONF_REJECT, flags), rsp);
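Review bot: The added `len < 0` test runs after `len = cmd_len - sizeof(*req)` has already been evaluated, so it depends on an unsigned subtraction result converting to a negative `len`; the types of `len` and `cmd_len` are declared outside this hunk. Comparing the packet-supplied length before relying on the difference is clearer and independent of that conversion: `if (cmd_len < sizeof(*req) || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {`. The remaining sum mixes `len` with a `sizeof` result, so it is worth confirming that `conf_len + len` cannot wrap for the types in use. The function body continues outside the hunk.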
75093 diff -urNp linux-2.6.32.46/net/bluetooth/rfcomm/sock.c linux-2.6.32.46/net/bluetooth/rfcomm/sock.c
75094 --- linux-2.6.32.46/net/bluetooth/rfcomm/sock.c 2011-03-27 14:31:47.000000000 -0400
75095 +++ linux-2.6.32.46/net/bluetooth/rfcomm/sock.c 2011-06-12 06:35:00.000000000 -0400
75096 @@ -878,6 +878,7 @@ static int rfcomm_sock_getsockopt_old(st
75097
75098 l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
75099
75100 + memset(&cinfo, 0, sizeof(cinfo));
75101 cinfo.hci_handle = l2cap_pi(l2cap_sk)->conn->hcon->handle;
75102 memcpy(cinfo.dev_class, l2cap_pi(l2cap_sk)->conn->hcon->dev_class, 3);
75103
75104 diff -urNp linux-2.6.32.46/net/bridge/br_private.h linux-2.6.32.46/net/bridge/br_private.h
75105 --- linux-2.6.32.46/net/bridge/br_private.h 2011-08-09 18:35:30.000000000 -0400
75106 +++ linux-2.6.32.46/net/bridge/br_private.h 2011-08-09 18:34:01.000000000 -0400
75107 @@ -255,7 +255,7 @@ extern void br_ifinfo_notify(int event,
75108
75109 #ifdef CONFIG_SYSFS
75110 /* br_sysfs_if.c */
75111 -extern struct sysfs_ops brport_sysfs_ops;
75112 +extern const struct sysfs_ops brport_sysfs_ops;
75113 extern int br_sysfs_addif(struct net_bridge_port *p);
75114
75115 /* br_sysfs_br.c */
75116 diff -urNp linux-2.6.32.46/net/bridge/br_stp_if.c linux-2.6.32.46/net/bridge/br_stp_if.c
75117 --- linux-2.6.32.46/net/bridge/br_stp_if.c 2011-03-27 14:31:47.000000000 -0400
75118 +++ linux-2.6.32.46/net/bridge/br_stp_if.c 2011-04-17 15:56:46.000000000 -0400
75119 @@ -146,7 +146,7 @@ static void br_stp_stop(struct net_bridg
75120 char *envp[] = { NULL };
75121
75122 if (br->stp_enabled == BR_USER_STP) {
75123 - r = call_usermodehelper(BR_STP_PROG, argv, envp, 1);
75124 + r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC);
75125 printk(KERN_INFO "%s: userspace STP stopped, return code %d\n",
75126 br->dev->name, r);
75127
75128 diff -urNp linux-2.6.32.46/net/bridge/br_sysfs_if.c linux-2.6.32.46/net/bridge/br_sysfs_if.c
75129 --- linux-2.6.32.46/net/bridge/br_sysfs_if.c 2011-03-27 14:31:47.000000000 -0400
75130 +++ linux-2.6.32.46/net/bridge/br_sysfs_if.c 2011-04-17 15:56:46.000000000 -0400
75131 @@ -220,7 +220,7 @@ static ssize_t brport_store(struct kobje
75132 return ret;
75133 }
75134
75135 -struct sysfs_ops brport_sysfs_ops = {
75136 +const struct sysfs_ops brport_sysfs_ops = {
75137 .show = brport_show,
75138 .store = brport_store,
75139 };
75140 diff -urNp linux-2.6.32.46/net/bridge/netfilter/ebtables.c linux-2.6.32.46/net/bridge/netfilter/ebtables.c
75141 --- linux-2.6.32.46/net/bridge/netfilter/ebtables.c 2011-04-17 17:00:52.000000000 -0400
75142 +++ linux-2.6.32.46/net/bridge/netfilter/ebtables.c 2011-05-16 21:46:57.000000000 -0400
75143 @@ -1337,6 +1337,8 @@ static int copy_everything_to_user(struc
75144 unsigned int entries_size, nentries;
75145 char *entries;
75146
75147 + pax_track_stack();
75148 +
75149 if (cmd == EBT_SO_GET_ENTRIES) {
75150 entries_size = t->private->entries_size;
75151 nentries = t->private->nentries;
75152 diff -urNp linux-2.6.32.46/net/can/bcm.c linux-2.6.32.46/net/can/bcm.c
75153 --- linux-2.6.32.46/net/can/bcm.c 2011-05-10 22:12:01.000000000 -0400
75154 +++ linux-2.6.32.46/net/can/bcm.c 2011-05-10 22:12:34.000000000 -0400
75155 @@ -164,9 +164,15 @@ static int bcm_proc_show(struct seq_file
75156 struct bcm_sock *bo = bcm_sk(sk);
75157 struct bcm_op *op;
75158
75159 +#ifdef CONFIG_GRKERNSEC_HIDESYM
75160 + seq_printf(m, ">>> socket %p", NULL);
75161 + seq_printf(m, " / sk %p", NULL);
75162 + seq_printf(m, " / bo %p", NULL);
75163 +#else
75164 seq_printf(m, ">>> socket %p", sk->sk_socket);
75165 seq_printf(m, " / sk %p", sk);
75166 seq_printf(m, " / bo %p", bo);
75167 +#endif
75168 seq_printf(m, " / dropped %lu", bo->dropped_usr_msgs);
75169 seq_printf(m, " / bound %s", bcm_proc_getifname(ifname, bo->ifindex));
75170 seq_printf(m, " <<<\n");
75171 diff -urNp linux-2.6.32.46/net/compat.c linux-2.6.32.46/net/compat.c
75172 --- linux-2.6.32.46/net/compat.c 2011-03-27 14:31:47.000000000 -0400
75173 +++ linux-2.6.32.46/net/compat.c 2011-10-06 09:37:14.000000000 -0400
75174 @@ -69,9 +69,9 @@ int get_compat_msghdr(struct msghdr *kms
75175 __get_user(kmsg->msg_controllen, &umsg->msg_controllen) ||
75176 __get_user(kmsg->msg_flags, &umsg->msg_flags))
75177 return -EFAULT;
75178 - kmsg->msg_name = compat_ptr(tmp1);
75179 - kmsg->msg_iov = compat_ptr(tmp2);
75180 - kmsg->msg_control = compat_ptr(tmp3);
75181 + kmsg->msg_name = (void __force_kernel *)compat_ptr(tmp1);
75182 + kmsg->msg_iov = (void __force_kernel *)compat_ptr(tmp2);
75183 + kmsg->msg_control = (void __force_kernel *)compat_ptr(tmp3);
75184 return 0;
75185 }
75186
75187 @@ -94,7 +94,7 @@ int verify_compat_iovec(struct msghdr *k
75188 kern_msg->msg_name = NULL;
75189
75190 tot_len = iov_from_user_compat_to_kern(kern_iov,
75191 - (struct compat_iovec __user *)kern_msg->msg_iov,
75192 + (struct compat_iovec __force_user *)kern_msg->msg_iov,
75193 kern_msg->msg_iovlen);
75194 if (tot_len >= 0)
75195 kern_msg->msg_iov = kern_iov;
75196 @@ -114,20 +114,20 @@ int verify_compat_iovec(struct msghdr *k
75197
75198 #define CMSG_COMPAT_FIRSTHDR(msg) \
75199 (((msg)->msg_controllen) >= sizeof(struct compat_cmsghdr) ? \
75200 - (struct compat_cmsghdr __user *)((msg)->msg_control) : \
75201 + (struct compat_cmsghdr __force_user *)((msg)->msg_control) : \
75202 (struct compat_cmsghdr __user *)NULL)
75203
75204 #define CMSG_COMPAT_OK(ucmlen, ucmsg, mhdr) \
75205 ((ucmlen) >= sizeof(struct compat_cmsghdr) && \
75206 (ucmlen) <= (unsigned long) \
75207 ((mhdr)->msg_controllen - \
75208 - ((char *)(ucmsg) - (char *)(mhdr)->msg_control)))
75209 + ((char __force_kernel *)(ucmsg) - (char *)(mhdr)->msg_control)))
75210
75211 static inline struct compat_cmsghdr __user *cmsg_compat_nxthdr(struct msghdr *msg,
75212 struct compat_cmsghdr __user *cmsg, int cmsg_len)
75213 {
75214 char __user *ptr = (char __user *)cmsg + CMSG_COMPAT_ALIGN(cmsg_len);
75215 - if ((unsigned long)(ptr + 1 - (char __user *)msg->msg_control) >
75216 + if ((unsigned long)(ptr + 1 - (char __force_user *)msg->msg_control) >
75217 msg->msg_controllen)
75218 return NULL;
75219 return (struct compat_cmsghdr __user *)ptr;
75220 @@ -219,7 +219,7 @@ int put_cmsg_compat(struct msghdr *kmsg,
75221 {
75222 struct compat_timeval ctv;
75223 struct compat_timespec cts[3];
75224 - struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __user *) kmsg->msg_control;
75225 + struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __force_user *) kmsg->msg_control;
75226 struct compat_cmsghdr cmhdr;
75227 int cmlen;
75228
75229 @@ -271,7 +271,7 @@ int put_cmsg_compat(struct msghdr *kmsg,
75230
75231 void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm)
75232 {
75233 - struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __user *) kmsg->msg_control;
75234 + struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __force_user *) kmsg->msg_control;
75235 int fdmax = (kmsg->msg_controllen - sizeof(struct compat_cmsghdr)) / sizeof(int);
75236 int fdnum = scm->fp->count;
75237 struct file **fp = scm->fp->fp;
75238 @@ -433,7 +433,7 @@ static int do_get_sock_timeout(struct so
75239 len = sizeof(ktime);
75240 old_fs = get_fs();
75241 set_fs(KERNEL_DS);
75242 - err = sock_getsockopt(sock, level, optname, (char *) &ktime, &len);
75243 + err = sock_getsockopt(sock, level, optname, (char __force_user *) &ktime, (int __force_user *)&len);
75244 set_fs(old_fs);
75245
75246 if (!err) {
75247 @@ -570,7 +570,7 @@ int compat_mc_setsockopt(struct sock *so
75248 case MCAST_JOIN_GROUP:
75249 case MCAST_LEAVE_GROUP:
75250 {
75251 - struct compat_group_req __user *gr32 = (void *)optval;
75252 + struct compat_group_req __user *gr32 = (void __user *)optval;
75253 struct group_req __user *kgr =
75254 compat_alloc_user_space(sizeof(struct group_req));
75255 u32 interface;
75256 @@ -591,7 +591,7 @@ int compat_mc_setsockopt(struct sock *so
75257 case MCAST_BLOCK_SOURCE:
75258 case MCAST_UNBLOCK_SOURCE:
75259 {
75260 - struct compat_group_source_req __user *gsr32 = (void *)optval;
75261 + struct compat_group_source_req __user *gsr32 = (void __user *)optval;
75262 struct group_source_req __user *kgsr = compat_alloc_user_space(
75263 sizeof(struct group_source_req));
75264 u32 interface;
75265 @@ -612,7 +612,7 @@ int compat_mc_setsockopt(struct sock *so
75266 }
75267 case MCAST_MSFILTER:
75268 {
75269 - struct compat_group_filter __user *gf32 = (void *)optval;
75270 + struct compat_group_filter __user *gf32 = (void __user *)optval;
75271 struct group_filter __user *kgf;
75272 u32 interface, fmode, numsrc;
75273
75274 diff -urNp linux-2.6.32.46/net/core/dev.c linux-2.6.32.46/net/core/dev.c
75275 --- linux-2.6.32.46/net/core/dev.c 2011-04-17 17:00:52.000000000 -0400
75276 +++ linux-2.6.32.46/net/core/dev.c 2011-08-05 20:33:55.000000000 -0400
75277 @@ -1047,10 +1047,14 @@ void dev_load(struct net *net, const cha
75278 if (no_module && capable(CAP_NET_ADMIN))
75279 no_module = request_module("netdev-%s", name);
75280 if (no_module && capable(CAP_SYS_MODULE)) {
75281 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
75282 + ___request_module(true, "grsec_modharden_netdev", "%s", name);
75283 +#else
75284 if (!request_module("%s", name))
75285 pr_err("Loading kernel module for a network device "
75286 "with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%s "
75287 "instead\n", name);
75288 +#endif
75289 }
75290 }
75291 EXPORT_SYMBOL(dev_load);
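Review bot: Under `CONFIG_GRKERNSEC_MODHARDEN` the result of `___request_module(true, "grsec_modharden_netdev", "%s", name)` is discarded and the deprecation `pr_err` from the `#else` branch is lost, so a module load that still succeeds via `CAP_SYS_MODULE` leaves no trace from this function. If the hardened path is meant to be silent, a comment should say so, for example `/* MODHARDEN: the request is tagged for the module loader to vet; no deprecation notice here */`, with the wording checked against `___request_module`, which is not shown in this hunk. Otherwise keep the message by testing the return value the way the `#else` branch does.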
75292 @@ -1654,7 +1658,7 @@ static inline int illegal_highdma(struct
75293
75294 struct dev_gso_cb {
75295 void (*destructor)(struct sk_buff *skb);
75296 -};
75297 +} __no_const;
75298
75299 #define DEV_GSO_CB(skb) ((struct dev_gso_cb *)(skb)->cb)
75300
75301 @@ -2063,7 +2067,7 @@ int netif_rx_ni(struct sk_buff *skb)
75302 }
75303 EXPORT_SYMBOL(netif_rx_ni);
75304
75305 -static void net_tx_action(struct softirq_action *h)
75306 +static void net_tx_action(void)
75307 {
75308 struct softnet_data *sd = &__get_cpu_var(softnet_data);
75309
75310 @@ -2826,7 +2830,7 @@ void netif_napi_del(struct napi_struct *
75311 EXPORT_SYMBOL(netif_napi_del);
75312
75313
75314 -static void net_rx_action(struct softirq_action *h)
75315 +static void net_rx_action(void)
75316 {
75317 struct list_head *list = &__get_cpu_var(softnet_data).poll_list;
75318 unsigned long time_limit = jiffies + 2;
75319 diff -urNp linux-2.6.32.46/net/core/flow.c linux-2.6.32.46/net/core/flow.c
75320 --- linux-2.6.32.46/net/core/flow.c 2011-03-27 14:31:47.000000000 -0400
75321 +++ linux-2.6.32.46/net/core/flow.c 2011-05-04 17:56:20.000000000 -0400
75322 @@ -35,11 +35,11 @@ struct flow_cache_entry {
75323 atomic_t *object_ref;
75324 };
75325
75326 -atomic_t flow_cache_genid = ATOMIC_INIT(0);
75327 +atomic_unchecked_t flow_cache_genid = ATOMIC_INIT(0);
75328
75329 static u32 flow_hash_shift;
75330 #define flow_hash_size (1 << flow_hash_shift)
75331 -static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables) = { NULL };
75332 +static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables);
75333
75334 #define flow_table(cpu) (per_cpu(flow_tables, cpu))
75335
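Review bot: `flow_cache_genid` becomes `atomic_unchecked_t` with no comment saying why this counter presumably opts out of the overflow detection applied to plain `atomic_t`. In the hunks of this file it is only read and compared for equality with `fle->genid`, so wraparound looks harmless, and that is worth recording next to the definition: `/* generation counter: may wrap, only compared for equality */`. The `DEFINE_PER_CPU` initializers are also dropped here and in the next two hunks without explanation; if that relies on per-CPU variables being zero-initialised, one comment on `flow_tables` would cover all three.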
75336 @@ -52,7 +52,7 @@ struct flow_percpu_info {
75337 u32 hash_rnd;
75338 int count;
75339 };
75340 -static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info) = { 0 };
75341 +static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info);
75342
75343 #define flow_hash_rnd_recalc(cpu) \
75344 (per_cpu(flow_hash_info, cpu).hash_rnd_recalc)
75345 @@ -69,7 +69,7 @@ struct flow_flush_info {
75346 atomic_t cpuleft;
75347 struct completion completion;
75348 };
75349 -static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets) = { NULL };
75350 +static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets);
75351
75352 #define flow_flush_tasklet(cpu) (&per_cpu(flow_flush_tasklets, cpu))
75353
75354 @@ -190,7 +190,7 @@ void *flow_cache_lookup(struct net *net,
75355 if (fle->family == family &&
75356 fle->dir == dir &&
75357 flow_key_compare(key, &fle->key) == 0) {
75358 - if (fle->genid == atomic_read(&flow_cache_genid)) {
75359 + if (fle->genid == atomic_read_unchecked(&flow_cache_genid)) {
75360 void *ret = fle->object;
75361
75362 if (ret)
75363 @@ -228,7 +228,7 @@ nocache:
75364 err = resolver(net, key, family, dir, &obj, &obj_ref);
75365
75366 if (fle && !err) {
75367 - fle->genid = atomic_read(&flow_cache_genid);
75368 + fle->genid = atomic_read_unchecked(&flow_cache_genid);
75369
75370 if (fle->object)
75371 atomic_dec(fle->object_ref);
75372 @@ -258,7 +258,7 @@ static void flow_cache_flush_tasklet(uns
75373
75374 fle = flow_table(cpu)[i];
75375 for (; fle; fle = fle->next) {
75376 - unsigned genid = atomic_read(&flow_cache_genid);
75377 + unsigned genid = atomic_read_unchecked(&flow_cache_genid);
75378
75379 if (!fle->object || fle->genid == genid)
75380 continue;
75381 diff -urNp linux-2.6.32.46/net/core/rtnetlink.c linux-2.6.32.46/net/core/rtnetlink.c
75382 --- linux-2.6.32.46/net/core/rtnetlink.c 2011-03-27 14:31:47.000000000 -0400
75383 +++ linux-2.6.32.46/net/core/rtnetlink.c 2011-08-05 20:33:55.000000000 -0400
75384 @@ -57,7 +57,7 @@ struct rtnl_link
75385 {
75386 rtnl_doit_func doit;
75387 rtnl_dumpit_func dumpit;
75388 -};
75389 +} __no_const;
75390
75391 static DEFINE_MUTEX(rtnl_mutex);
75392
75393 diff -urNp linux-2.6.32.46/net/core/scm.c linux-2.6.32.46/net/core/scm.c
75394 --- linux-2.6.32.46/net/core/scm.c 2011-03-27 14:31:47.000000000 -0400
75395 +++ linux-2.6.32.46/net/core/scm.c 2011-10-06 09:37:14.000000000 -0400
75396 @@ -190,7 +190,7 @@ error:
75397 int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
75398 {
75399 struct cmsghdr __user *cm
75400 - = (__force struct cmsghdr __user *)msg->msg_control;
75401 + = (struct cmsghdr __force_user *)msg->msg_control;
75402 struct cmsghdr cmhdr;
75403 int cmlen = CMSG_LEN(len);
75404 int err;
75405 @@ -213,7 +213,7 @@ int put_cmsg(struct msghdr * msg, int le
75406 err = -EFAULT;
75407 if (copy_to_user(cm, &cmhdr, sizeof cmhdr))
75408 goto out;
75409 - if (copy_to_user(CMSG_DATA(cm), data, cmlen - sizeof(struct cmsghdr)))
75410 + if (copy_to_user((void __force_user *)CMSG_DATA((void __force_kernel *)cm), data, cmlen - sizeof(struct cmsghdr)))
75411 goto out;
75412 cmlen = CMSG_SPACE(len);
75413 if (msg->msg_controllen < cmlen)
75414 @@ -228,7 +228,7 @@ out:
75415 void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
75416 {
75417 struct cmsghdr __user *cm
75418 - = (__force struct cmsghdr __user*)msg->msg_control;
75419 + = (struct cmsghdr __force_user *)msg->msg_control;
75420
75421 int fdmax = 0;
75422 int fdnum = scm->fp->count;
75423 @@ -248,7 +248,7 @@ void scm_detach_fds(struct msghdr *msg,
75424 if (fdnum < fdmax)
75425 fdmax = fdnum;
75426
75427 - for (i=0, cmfptr=(__force int __user *)CMSG_DATA(cm); i<fdmax;
75428 + for (i=0, cmfptr=(int __force_user *)CMSG_DATA((void __force_kernel *)cm); i<fdmax;
75429 i++, cmfptr++)
75430 {
75431 int new_fd;
75432 diff -urNp linux-2.6.32.46/net/core/secure_seq.c linux-2.6.32.46/net/core/secure_seq.c
75433 --- linux-2.6.32.46/net/core/secure_seq.c 2011-08-16 20:37:25.000000000 -0400
75434 +++ linux-2.6.32.46/net/core/secure_seq.c 2011-08-07 19:48:09.000000000 -0400
75435 @@ -57,7 +57,7 @@ __u32 secure_tcpv6_sequence_number(__be3
75436 EXPORT_SYMBOL(secure_tcpv6_sequence_number);
75437
75438 u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
75439 - __be16 dport)
75440 + __be16 dport)
75441 {
75442 u32 secret[MD5_MESSAGE_BYTES / 4];
75443 u32 hash[MD5_DIGEST_WORDS];
75444 @@ -71,7 +71,6 @@ u32 secure_ipv6_port_ephemeral(const __b
75445 secret[i] = net_secret[i];
75446
75447 md5_transform(hash, secret);
75448 -
75449 return hash[0];
75450 }
75451 #endif
75452 diff -urNp linux-2.6.32.46/net/core/skbuff.c linux-2.6.32.46/net/core/skbuff.c
75453 --- linux-2.6.32.46/net/core/skbuff.c 2011-03-27 14:31:47.000000000 -0400
75454 +++ linux-2.6.32.46/net/core/skbuff.c 2011-05-16 21:46:57.000000000 -0400
75455 @@ -1544,6 +1544,8 @@ int skb_splice_bits(struct sk_buff *skb,
75456 struct sk_buff *frag_iter;
75457 struct sock *sk = skb->sk;
75458
75459 + pax_track_stack();
75460 +
75461 /*
75462 * __skb_splice_bits() only fails if the output has no room left,
75463 * so no point in going over the frag_list for the error case.
75464 diff -urNp linux-2.6.32.46/net/core/sock.c linux-2.6.32.46/net/core/sock.c
75465 --- linux-2.6.32.46/net/core/sock.c 2011-03-27 14:31:47.000000000 -0400
75466 +++ linux-2.6.32.46/net/core/sock.c 2011-05-04 17:56:20.000000000 -0400
75467 @@ -864,11 +864,15 @@ int sock_getsockopt(struct socket *sock,
75468 break;
75469
75470 case SO_PEERCRED:
75471 + {
75472 + struct ucred peercred;
75473 if (len > sizeof(sk->sk_peercred))
75474 len = sizeof(sk->sk_peercred);
75475 - if (copy_to_user(optval, &sk->sk_peercred, len))
75476 + peercred = sk->sk_peercred;
75477 + if (copy_to_user(optval, &peercred, len))
75478 return -EFAULT;
75479 goto lenout;
75480 + }
75481
75482 case SO_PEERNAME:
75483 {
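Review bot: In the SO_PEERCRED case the clamp still measures `sizeof(sk->sk_peercred)` while the copy now reads from the local `peercred`. Bounding `len` by the object actually handed to copy_to_user(), `if (len > sizeof(peercred)) len = sizeof(peercred);`, keeps the check and the source tied together if either declaration changes. A short comment such as `/* copy out from a stack snapshot, not directly from struct sock */` would also record why the bounce copy exists, which the hunk does not say. sock_getsockopt() starts and ends outside the hunk, so any earlier validation of `len` is not visible here.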
75484 @@ -1892,7 +1896,7 @@ void sock_init_data(struct socket *sock,
75485 */
75486 smp_wmb();
75487 atomic_set(&sk->sk_refcnt, 1);
75488 - atomic_set(&sk->sk_drops, 0);
75489 + atomic_set_unchecked(&sk->sk_drops, 0);
75490 }
75491 EXPORT_SYMBOL(sock_init_data);
75492
75493 diff -urNp linux-2.6.32.46/net/decnet/sysctl_net_decnet.c linux-2.6.32.46/net/decnet/sysctl_net_decnet.c
75494 --- linux-2.6.32.46/net/decnet/sysctl_net_decnet.c 2011-03-27 14:31:47.000000000 -0400
75495 +++ linux-2.6.32.46/net/decnet/sysctl_net_decnet.c 2011-04-17 15:56:46.000000000 -0400
75496 @@ -206,7 +206,7 @@ static int dn_node_address_handler(ctl_t
75497
75498 if (len > *lenp) len = *lenp;
75499
75500 - if (copy_to_user(buffer, addr, len))
75501 + if (len > sizeof addr || copy_to_user(buffer, addr, len))
75502 return -EFAULT;
75503
75504 *lenp = len;
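Review bot: The new `len > sizeof addr` test in dn_node_address_handler reports an internal length problem as -EFAULT, the same code a bad user pointer produces, and it runs only at the copy, after `len` has been computed outside the hunk. A comment such as `/* never read past addr[] even if the length computed above is wrong */` would make clear that this is a defensive bound on the kernel-side source and not a check on the user buffer. The same pattern is added in dn_def_dev_handler (`sizeof devname`) and in tcpprobe_read in net/ipv4/tcp_probe.c (`sizeof tbuf`). All three functions extend beyond their hunks.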
75505 @@ -327,7 +327,7 @@ static int dn_def_dev_handler(ctl_table
75506
75507 if (len > *lenp) len = *lenp;
75508
75509 - if (copy_to_user(buffer, devname, len))
75510 + if (len > sizeof devname || copy_to_user(buffer, devname, len))
75511 return -EFAULT;
75512
75513 *lenp = len;
75514 diff -urNp linux-2.6.32.46/net/econet/Kconfig linux-2.6.32.46/net/econet/Kconfig
75515 --- linux-2.6.32.46/net/econet/Kconfig 2011-03-27 14:31:47.000000000 -0400
75516 +++ linux-2.6.32.46/net/econet/Kconfig 2011-04-17 15:56:46.000000000 -0400
75517 @@ -4,7 +4,7 @@
75518
75519 config ECONET
75520 tristate "Acorn Econet/AUN protocols (EXPERIMENTAL)"
75521 - depends on EXPERIMENTAL && INET
75522 + depends on EXPERIMENTAL && INET && BROKEN
75523 ---help---
75524 Econet is a fairly old and slow networking protocol mainly used by
75525 Acorn computers to access file and print servers. It uses native
75526 diff -urNp linux-2.6.32.46/net/ieee802154/dgram.c linux-2.6.32.46/net/ieee802154/dgram.c
75527 --- linux-2.6.32.46/net/ieee802154/dgram.c 2011-03-27 14:31:47.000000000 -0400
75528 +++ linux-2.6.32.46/net/ieee802154/dgram.c 2011-05-04 17:56:28.000000000 -0400
75529 @@ -318,7 +318,7 @@ out:
75530 static int dgram_rcv_skb(struct sock *sk, struct sk_buff *skb)
75531 {
75532 if (sock_queue_rcv_skb(sk, skb) < 0) {
75533 - atomic_inc(&sk->sk_drops);
75534 + atomic_inc_unchecked(&sk->sk_drops);
75535 kfree_skb(skb);
75536 return NET_RX_DROP;
75537 }
75538 diff -urNp linux-2.6.32.46/net/ieee802154/raw.c linux-2.6.32.46/net/ieee802154/raw.c
75539 --- linux-2.6.32.46/net/ieee802154/raw.c 2011-03-27 14:31:47.000000000 -0400
75540 +++ linux-2.6.32.46/net/ieee802154/raw.c 2011-05-04 17:56:28.000000000 -0400
75541 @@ -206,7 +206,7 @@ out:
75542 static int raw_rcv_skb(struct sock *sk, struct sk_buff *skb)
75543 {
75544 if (sock_queue_rcv_skb(sk, skb) < 0) {
75545 - atomic_inc(&sk->sk_drops);
75546 + atomic_inc_unchecked(&sk->sk_drops);
75547 kfree_skb(skb);
75548 return NET_RX_DROP;
75549 }
75550 diff -urNp linux-2.6.32.46/net/ipv4/inet_diag.c linux-2.6.32.46/net/ipv4/inet_diag.c
75551 --- linux-2.6.32.46/net/ipv4/inet_diag.c 2011-07-13 17:23:04.000000000 -0400
75552 +++ linux-2.6.32.46/net/ipv4/inet_diag.c 2011-06-20 19:31:13.000000000 -0400
75553 @@ -113,8 +113,13 @@ static int inet_csk_diag_fill(struct soc
75554 r->idiag_retrans = 0;
75555
75556 r->id.idiag_if = sk->sk_bound_dev_if;
75557 +#ifdef CONFIG_GRKERNSEC_HIDESYM
75558 + r->id.idiag_cookie[0] = 0;
75559 + r->id.idiag_cookie[1] = 0;
75560 +#else
75561 r->id.idiag_cookie[0] = (u32)(unsigned long)sk;
75562 r->id.idiag_cookie[1] = (u32)(((unsigned long)sk >> 31) >> 1);
75563 +#endif
75564
75565 r->id.idiag_sport = inet->sport;
75566 r->id.idiag_dport = inet->dport;
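Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` cookie block added to inet_csk_diag_fill is repeated in inet_twsk_diag_fill and inet_diag_fill_req, differing only in the pointer being encoded. A single static helper would keep the hide-or-expose decision in one place, so a later fill routine cannot reintroduce a kernel address by copying the unguarded form. A sketch follows; the helper name is only a suggestion, and the three fill functions continue outside their hunks.

```c
/* Encode a kernel object pointer as the diag cookie, or zero it when
 * kernel addresses must not reach userspace. */
static inline void inet_diag_fill_cookie(struct inet_diag_sockid *id,
					 const void *ptr)
{
#ifdef CONFIG_GRKERNSEC_HIDESYM
	id->idiag_cookie[0] = 0;
	id->idiag_cookie[1] = 0;
#else
	id->idiag_cookie[0] = (u32)(unsigned long)ptr;
	id->idiag_cookie[1] = (u32)(((unsigned long)ptr >> 31) >> 1);
#endif
}

	/* … unchanged: earlier field assignments … */
	r->id.idiag_if = sk->sk_bound_dev_if;
	inet_diag_fill_cookie(&r->id, sk);
```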
75567 @@ -200,8 +205,15 @@ static int inet_twsk_diag_fill(struct in
75568 r->idiag_family = tw->tw_family;
75569 r->idiag_retrans = 0;
75570 r->id.idiag_if = tw->tw_bound_dev_if;
75571 +
75572 +#ifdef CONFIG_GRKERNSEC_HIDESYM
75573 + r->id.idiag_cookie[0] = 0;
75574 + r->id.idiag_cookie[1] = 0;
75575 +#else
75576 r->id.idiag_cookie[0] = (u32)(unsigned long)tw;
75577 r->id.idiag_cookie[1] = (u32)(((unsigned long)tw >> 31) >> 1);
75578 +#endif
75579 +
75580 r->id.idiag_sport = tw->tw_sport;
75581 r->id.idiag_dport = tw->tw_dport;
75582 r->id.idiag_src[0] = tw->tw_rcv_saddr;
75583 @@ -284,12 +296,14 @@ static int inet_diag_get_exact(struct sk
75584 if (sk == NULL)
75585 goto unlock;
75586
75587 +#ifndef CONFIG_GRKERNSEC_HIDESYM
75588 err = -ESTALE;
75589 if ((req->id.idiag_cookie[0] != INET_DIAG_NOCOOKIE ||
75590 req->id.idiag_cookie[1] != INET_DIAG_NOCOOKIE) &&
75591 ((u32)(unsigned long)sk != req->id.idiag_cookie[0] ||
75592 (u32)((((unsigned long)sk) >> 31) >> 1) != req->id.idiag_cookie[1]))
75593 goto out;
75594 +#endif
75595
75596 err = -ENOMEM;
75597 rep = alloc_skb(NLMSG_SPACE((sizeof(struct inet_diag_msg) +
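Review bot: With CONFIG_GRKERNSEC_HIDESYM set, inet_diag_get_exact no longer compares the request cookie against the socket at all, so the -ESTALE path disappears and a request carrying any cookie value is answered for whichever socket the lookup returned. That is consistent with the fill routines now emitting zero cookies, but it is a semantic change for userspace that relies on the cookie to detect socket reuse. A comment above the `#ifndef`, for example `/* cookies are zeroed under HIDESYM, so stale-socket detection is unavailable */`, would record the trade-off. The function starts and ends outside the hunk.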
75598 @@ -579,8 +593,14 @@ static int inet_diag_fill_req(struct sk_
75599 r->idiag_retrans = req->retrans;
75600
75601 r->id.idiag_if = sk->sk_bound_dev_if;
75602 +
75603 +#ifdef CONFIG_GRKERNSEC_HIDESYM
75604 + r->id.idiag_cookie[0] = 0;
75605 + r->id.idiag_cookie[1] = 0;
75606 +#else
75607 r->id.idiag_cookie[0] = (u32)(unsigned long)req;
75608 r->id.idiag_cookie[1] = (u32)(((unsigned long)req >> 31) >> 1);
75609 +#endif
75610
75611 tmo = req->expires - jiffies;
75612 if (tmo < 0)
75613 diff -urNp linux-2.6.32.46/net/ipv4/inet_hashtables.c linux-2.6.32.46/net/ipv4/inet_hashtables.c
75614 --- linux-2.6.32.46/net/ipv4/inet_hashtables.c 2011-08-16 20:37:25.000000000 -0400
75615 +++ linux-2.6.32.46/net/ipv4/inet_hashtables.c 2011-08-16 20:42:30.000000000 -0400
75616 @@ -18,12 +18,15 @@
75617 #include <linux/sched.h>
75618 #include <linux/slab.h>
75619 #include <linux/wait.h>
75620 +#include <linux/security.h>
75621
75622 #include <net/inet_connection_sock.h>
75623 #include <net/inet_hashtables.h>
75624 #include <net/secure_seq.h>
75625 #include <net/ip.h>
75626
75627 +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
75628 +
75629 /*
75630 * Allocate and initialize a new local port bind bucket.
75631 * The bindhash mutex for snum's hash chain must be held here.
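Review bot: `gr_update_task_in_ip_table()` is declared with a bare `extern` prototype inside inet_hashtables.c instead of coming from a header shared with its definition, so a later signature change would still compile here and only mismatch at run time. The same applies to `gr_search_udp_recvmsg` and `gr_search_udp_sendmsg` in udp.c, and to the `extern int grsec_enable_blackhole;` and `extern int grsec_lastack_retries;` declarations in tcp_ipv4.c, tcp_minisocks.c, tcp_timer.c and udp.c. Moving these declarations into one header that the defining file also includes lets the compiler check them.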
75632 @@ -491,6 +494,8 @@ ok:
75633 }
75634 spin_unlock(&head->lock);
75635
75636 + gr_update_task_in_ip_table(current, inet_sk(sk));
75637 +
75638 if (tw) {
75639 inet_twsk_deschedule(tw, death_row);
75640 inet_twsk_put(tw);
75641 diff -urNp linux-2.6.32.46/net/ipv4/inetpeer.c linux-2.6.32.46/net/ipv4/inetpeer.c
75642 --- linux-2.6.32.46/net/ipv4/inetpeer.c 2011-08-16 20:37:25.000000000 -0400
75643 +++ linux-2.6.32.46/net/ipv4/inetpeer.c 2011-08-07 19:48:09.000000000 -0400
75644 @@ -367,6 +367,8 @@ struct inet_peer *inet_getpeer(__be32 da
75645 struct inet_peer *p, *n;
75646 struct inet_peer **stack[PEER_MAXDEPTH], ***stackptr;
75647
75648 + pax_track_stack();
75649 +
75650 /* Look up for the address quickly. */
75651 read_lock_bh(&peer_pool_lock);
75652 p = lookup(daddr, NULL);
75653 @@ -390,7 +392,7 @@ struct inet_peer *inet_getpeer(__be32 da
75654 return NULL;
75655 n->v4daddr = daddr;
75656 atomic_set(&n->refcnt, 1);
75657 - atomic_set(&n->rid, 0);
75658 + atomic_set_unchecked(&n->rid, 0);
75659 n->ip_id_count = secure_ip_id(daddr);
75660 n->tcp_ts_stamp = 0;
75661
75662 diff -urNp linux-2.6.32.46/net/ipv4/ipconfig.c linux-2.6.32.46/net/ipv4/ipconfig.c
75663 --- linux-2.6.32.46/net/ipv4/ipconfig.c 2011-03-27 14:31:47.000000000 -0400
75664 +++ linux-2.6.32.46/net/ipv4/ipconfig.c 2011-10-06 09:37:14.000000000 -0400
75665 @@ -295,7 +295,7 @@ static int __init ic_devinet_ioctl(unsig
75666
75667 mm_segment_t oldfs = get_fs();
75668 set_fs(get_ds());
75669 - res = devinet_ioctl(&init_net, cmd, (struct ifreq __user *) arg);
75670 + res = devinet_ioctl(&init_net, cmd, (struct ifreq __force_user *) arg);
75671 set_fs(oldfs);
75672 return res;
75673 }
75674 @@ -306,7 +306,7 @@ static int __init ic_dev_ioctl(unsigned
75675
75676 mm_segment_t oldfs = get_fs();
75677 set_fs(get_ds());
75678 - res = dev_ioctl(&init_net, cmd, (struct ifreq __user *) arg);
75679 + res = dev_ioctl(&init_net, cmd, (struct ifreq __force_user *) arg);
75680 set_fs(oldfs);
75681 return res;
75682 }
75683 @@ -317,7 +317,7 @@ static int __init ic_route_ioctl(unsigne
75684
75685 mm_segment_t oldfs = get_fs();
75686 set_fs(get_ds());
75687 - res = ip_rt_ioctl(&init_net, cmd, (void __user *) arg);
75688 + res = ip_rt_ioctl(&init_net, cmd, (void __force_user *) arg);
75689 set_fs(oldfs);
75690 return res;
75691 }
75692 diff -urNp linux-2.6.32.46/net/ipv4/ip_fragment.c linux-2.6.32.46/net/ipv4/ip_fragment.c
75693 --- linux-2.6.32.46/net/ipv4/ip_fragment.c 2011-03-27 14:31:47.000000000 -0400
75694 +++ linux-2.6.32.46/net/ipv4/ip_fragment.c 2011-04-17 15:56:46.000000000 -0400
75695 @@ -255,7 +255,7 @@ static inline int ip_frag_too_far(struct
75696 return 0;
75697
75698 start = qp->rid;
75699 - end = atomic_inc_return(&peer->rid);
75700 + end = atomic_inc_return_unchecked(&peer->rid);
75701 qp->rid = end;
75702
75703 rc = qp->q.fragments && (end - start) > max;
75704 diff -urNp linux-2.6.32.46/net/ipv4/ip_sockglue.c linux-2.6.32.46/net/ipv4/ip_sockglue.c
75705 --- linux-2.6.32.46/net/ipv4/ip_sockglue.c 2011-03-27 14:31:47.000000000 -0400
75706 +++ linux-2.6.32.46/net/ipv4/ip_sockglue.c 2011-10-06 09:37:14.000000000 -0400
75707 @@ -1015,6 +1015,8 @@ static int do_ip_getsockopt(struct sock
75708 int val;
75709 int len;
75710
75711 + pax_track_stack();
75712 +
75713 if (level != SOL_IP)
75714 return -EOPNOTSUPP;
75715
75716 @@ -1173,7 +1175,7 @@ static int do_ip_getsockopt(struct sock
75717 if (sk->sk_type != SOCK_STREAM)
75718 return -ENOPROTOOPT;
75719
75720 - msg.msg_control = optval;
75721 + msg.msg_control = (void __force_kernel *)optval;
75722 msg.msg_controllen = len;
75723 msg.msg_flags = 0;
75724
75725 diff -urNp linux-2.6.32.46/net/ipv4/netfilter/arp_tables.c linux-2.6.32.46/net/ipv4/netfilter/arp_tables.c
75726 --- linux-2.6.32.46/net/ipv4/netfilter/arp_tables.c 2011-04-17 17:00:52.000000000 -0400
75727 +++ linux-2.6.32.46/net/ipv4/netfilter/arp_tables.c 2011-04-17 17:04:18.000000000 -0400
75728 @@ -934,6 +934,7 @@ static int get_info(struct net *net, voi
75729 private = &tmp;
75730 }
75731 #endif
75732 + memset(&info, 0, sizeof(info));
75733 info.valid_hooks = t->valid_hooks;
75734 memcpy(info.hook_entry, private->hook_entry,
75735 sizeof(info.hook_entry));
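Review bot: The added `memset(&info, 0, sizeof(info));` in get_info carries no comment, although it is the line that keeps struct padding and any field not assigned below from carrying stale stack contents. A one-line comment such as `/* clear padding and unset fields before the struct is copied to userspace */` would stop it from being removed later as redundant. The copy-out itself is outside the hunk, so that purpose is inferred from the function's role. The identical line is added to get_info in net/ipv4/netfilter/ip_tables.c and net/ipv6/netfilter/ip6_tables.c.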
75736 diff -urNp linux-2.6.32.46/net/ipv4/netfilter/ip_queue.c linux-2.6.32.46/net/ipv4/netfilter/ip_queue.c
75737 --- linux-2.6.32.46/net/ipv4/netfilter/ip_queue.c 2011-03-27 14:31:47.000000000 -0400
75738 +++ linux-2.6.32.46/net/ipv4/netfilter/ip_queue.c 2011-08-21 18:42:53.000000000 -0400
75739 @@ -286,6 +286,9 @@ ipq_mangle_ipv4(ipq_verdict_msg_t *v, st
75740
75741 if (v->data_len < sizeof(*user_iph))
75742 return 0;
75743 + if (v->data_len > 65535)
75744 + return -EMSGSIZE;
75745 +
75746 diff = v->data_len - e->skb->len;
75747 if (diff < 0) {
75748 if (pskb_trim(e->skb, v->data_len))
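Review bot: The upper bound added to ipq_mangle_ipv4 is the bare literal `65535` with no explanation, and an oversized verdict now returns -EMSGSIZE while the undersized case just above it returns 0. A comment such as `/* larger than any IP datagram; also keeps the size arithmetic below in range */`, or a named constant, would document the limit. The second half of that comment is an assumption, since the declaration of `diff` is outside the hunk. The same check is added to ipq_mangle_ipv6 in net/ipv6/netfilter/ip6_queue.c.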
75749 @@ -409,7 +412,8 @@ ipq_dev_drop(int ifindex)
75750 static inline void
75751 __ipq_rcv_skb(struct sk_buff *skb)
75752 {
75753 - int status, type, pid, flags, nlmsglen, skblen;
75754 + int status, type, pid, flags;
75755 + unsigned int nlmsglen, skblen;
75756 struct nlmsghdr *nlh;
75757
75758 skblen = skb->len;
75759 diff -urNp linux-2.6.32.46/net/ipv4/netfilter/ip_tables.c linux-2.6.32.46/net/ipv4/netfilter/ip_tables.c
75760 --- linux-2.6.32.46/net/ipv4/netfilter/ip_tables.c 2011-04-17 17:00:52.000000000 -0400
75761 +++ linux-2.6.32.46/net/ipv4/netfilter/ip_tables.c 2011-04-17 17:04:18.000000000 -0400
75762 @@ -1141,6 +1141,7 @@ static int get_info(struct net *net, voi
75763 private = &tmp;
75764 }
75765 #endif
75766 + memset(&info, 0, sizeof(info));
75767 info.valid_hooks = t->valid_hooks;
75768 memcpy(info.hook_entry, private->hook_entry,
75769 sizeof(info.hook_entry));
75770 diff -urNp linux-2.6.32.46/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.32.46/net/ipv4/netfilter/nf_nat_snmp_basic.c
75771 --- linux-2.6.32.46/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-03-27 14:31:47.000000000 -0400
75772 +++ linux-2.6.32.46/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-04-17 15:56:46.000000000 -0400
75773 @@ -397,7 +397,7 @@ static unsigned char asn1_octets_decode(
75774
75775 *len = 0;
75776
75777 - *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
75778 + *octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
75779 if (*octets == NULL) {
75780 if (net_ratelimit())
75781 printk("OOM in bsalg (%d)\n", __LINE__);
75782 diff -urNp linux-2.6.32.46/net/ipv4/raw.c linux-2.6.32.46/net/ipv4/raw.c
75783 --- linux-2.6.32.46/net/ipv4/raw.c 2011-03-27 14:31:47.000000000 -0400
75784 +++ linux-2.6.32.46/net/ipv4/raw.c 2011-08-14 11:46:51.000000000 -0400
75785 @@ -292,7 +292,7 @@ static int raw_rcv_skb(struct sock * sk,
75786 /* Charge it to the socket. */
75787
75788 if (sock_queue_rcv_skb(sk, skb) < 0) {
75789 - atomic_inc(&sk->sk_drops);
75790 + atomic_inc_unchecked(&sk->sk_drops);
75791 kfree_skb(skb);
75792 return NET_RX_DROP;
75793 }
75794 @@ -303,7 +303,7 @@ static int raw_rcv_skb(struct sock * sk,
75795 int raw_rcv(struct sock *sk, struct sk_buff *skb)
75796 {
75797 if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) {
75798 - atomic_inc(&sk->sk_drops);
75799 + atomic_inc_unchecked(&sk->sk_drops);
75800 kfree_skb(skb);
75801 return NET_RX_DROP;
75802 }
75803 @@ -724,16 +724,23 @@ static int raw_init(struct sock *sk)
75804
75805 static int raw_seticmpfilter(struct sock *sk, char __user *optval, int optlen)
75806 {
75807 + struct icmp_filter filter;
75808 +
75809 + if (optlen < 0)
75810 + return -EINVAL;
75811 if (optlen > sizeof(struct icmp_filter))
75812 optlen = sizeof(struct icmp_filter);
75813 - if (copy_from_user(&raw_sk(sk)->filter, optval, optlen))
75814 + if (copy_from_user(&filter, optval, optlen))
75815 return -EFAULT;
75816 + raw_sk(sk)->filter = filter;
75817 +
75818 return 0;
75819 }
75820
75821 static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *optlen)
75822 {
75823 int len, ret = -EFAULT;
75824 + struct icmp_filter filter;
75825
75826 if (get_user(len, optlen))
75827 goto out;
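Review bot: In raw_seticmpfilter the new local `filter` is never initialised, yet the whole struct is assigned to `raw_sk(sk)->filter` even when `optlen` is smaller than `sizeof(struct icmp_filter)` and copy_from_user() fills only part of it, or nothing at all for `optlen == 0`. The bytes the copy does not cover are leftover kernel stack contents that end up stored in the socket, and raw_geticmpfilter returns that field to userspace. The original code wrote into the existing filter and so left the uncovered bytes unchanged. Seeding the local first, `filter = raw_sk(sk)->filter;` before the copy_from_user() call, restores that behaviour. raw_geticmpfilter continues outside this hunk.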
75828 @@ -743,8 +750,9 @@ static int raw_geticmpfilter(struct sock
75829 if (len > sizeof(struct icmp_filter))
75830 len = sizeof(struct icmp_filter);
75831 ret = -EFAULT;
75832 - if (put_user(len, optlen) ||
75833 - copy_to_user(optval, &raw_sk(sk)->filter, len))
75834 + filter = raw_sk(sk)->filter;
75835 + if (put_user(len, optlen) || len > sizeof filter ||
75836 + copy_to_user(optval, &filter, len))
75837 goto out;
75838 ret = 0;
75839 out: return ret;
75840 @@ -954,7 +962,13 @@ static void raw_sock_seq_show(struct seq
75841 sk_wmem_alloc_get(sp),
75842 sk_rmem_alloc_get(sp),
75843 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
75844 - atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
75845 + atomic_read(&sp->sk_refcnt),
75846 +#ifdef CONFIG_GRKERNSEC_HIDESYM
75847 + NULL,
75848 +#else
75849 + sp,
75850 +#endif
75851 + atomic_read_unchecked(&sp->sk_drops));
75852 }
75853
75854 static int raw_seq_show(struct seq_file *seq, void *v)
75855 diff -urNp linux-2.6.32.46/net/ipv4/route.c linux-2.6.32.46/net/ipv4/route.c
75856 --- linux-2.6.32.46/net/ipv4/route.c 2011-08-16 20:37:25.000000000 -0400
75857 +++ linux-2.6.32.46/net/ipv4/route.c 2011-08-07 19:48:09.000000000 -0400
75858 @@ -269,7 +269,7 @@ static inline unsigned int rt_hash(__be3
75859
75860 static inline int rt_genid(struct net *net)
75861 {
75862 - return atomic_read(&net->ipv4.rt_genid);
75863 + return atomic_read_unchecked(&net->ipv4.rt_genid);
75864 }
75865
75866 #ifdef CONFIG_PROC_FS
75867 @@ -889,7 +889,7 @@ static void rt_cache_invalidate(struct n
75868 unsigned char shuffle;
75869
75870 get_random_bytes(&shuffle, sizeof(shuffle));
75871 - atomic_add(shuffle + 1U, &net->ipv4.rt_genid);
75872 + atomic_add_unchecked(shuffle + 1U, &net->ipv4.rt_genid);
75873 }
75874
75875 /*
75876 @@ -3357,7 +3357,7 @@ static __net_initdata struct pernet_oper
75877
75878 static __net_init int rt_secret_timer_init(struct net *net)
75879 {
75880 - atomic_set(&net->ipv4.rt_genid,
75881 + atomic_set_unchecked(&net->ipv4.rt_genid,
75882 (int) ((num_physpages ^ (num_physpages>>8)) ^
75883 (jiffies ^ (jiffies >> 7))));
75884
75885 diff -urNp linux-2.6.32.46/net/ipv4/tcp.c linux-2.6.32.46/net/ipv4/tcp.c
75886 --- linux-2.6.32.46/net/ipv4/tcp.c 2011-03-27 14:31:47.000000000 -0400
75887 +++ linux-2.6.32.46/net/ipv4/tcp.c 2011-05-16 21:46:57.000000000 -0400
75888 @@ -2085,6 +2085,8 @@ static int do_tcp_setsockopt(struct sock
75889 int val;
75890 int err = 0;
75891
75892 + pax_track_stack();
75893 +
75894 /* This is a string value all the others are int's */
75895 if (optname == TCP_CONGESTION) {
75896 char name[TCP_CA_NAME_MAX];
75897 @@ -2355,6 +2357,8 @@ static int do_tcp_getsockopt(struct sock
75898 struct tcp_sock *tp = tcp_sk(sk);
75899 int val, len;
75900
75901 + pax_track_stack();
75902 +
75903 if (get_user(len, optlen))
75904 return -EFAULT;
75905
75906 diff -urNp linux-2.6.32.46/net/ipv4/tcp_ipv4.c linux-2.6.32.46/net/ipv4/tcp_ipv4.c
75907 --- linux-2.6.32.46/net/ipv4/tcp_ipv4.c 2011-08-16 20:37:25.000000000 -0400
75908 +++ linux-2.6.32.46/net/ipv4/tcp_ipv4.c 2011-08-23 21:22:32.000000000 -0400
75909 @@ -85,6 +85,9 @@
75910 int sysctl_tcp_tw_reuse __read_mostly;
75911 int sysctl_tcp_low_latency __read_mostly;
75912
75913 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
75914 +extern int grsec_enable_blackhole;
75915 +#endif
75916
75917 #ifdef CONFIG_TCP_MD5SIG
75918 static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk,
75919 @@ -1543,6 +1546,9 @@ int tcp_v4_do_rcv(struct sock *sk, struc
75920 return 0;
75921
75922 reset:
75923 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
75924 + if (!grsec_enable_blackhole)
75925 +#endif
75926 tcp_v4_send_reset(rsk, skb);
75927 discard:
75928 kfree_skb(skb);
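Review bot: The `if (!grsec_enable_blackhole)` added at the `reset:` label has no body of its own inside the `#ifdef`; it captures the following `tcp_v4_send_reset(rsk, skb);` line, so inserting any statement between the `#endif` and that call would change which statement is conditional. Bracing the call, or folding the test into a small predicate so the call site reads as one ordinary `if`, avoids that. The same construction guards `tcp_v4_send_reset(NULL, skb)` later in this file, the `send_reset` call in tcp_minisocks.c (where it stacks on an existing unbraced `if`), and `icmp_send()` in udp.c.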
75929 @@ -1604,12 +1610,20 @@ int tcp_v4_rcv(struct sk_buff *skb)
75930 TCP_SKB_CB(skb)->sacked = 0;
75931
75932 sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
75933 - if (!sk)
75934 + if (!sk) {
75935 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
75936 + ret = 1;
75937 +#endif
75938 goto no_tcp_socket;
75939 + }
75940
75941 process:
75942 - if (sk->sk_state == TCP_TIME_WAIT)
75943 + if (sk->sk_state == TCP_TIME_WAIT) {
75944 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
75945 + ret = 2;
75946 +#endif
75947 goto do_time_wait;
75948 + }
75949
75950 if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
75951 goto discard_and_relse;
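Review bot: tcp_v4_rcv reuses `ret` as a path marker with the bare values 1 and 2, and only `ret == 1` is tested, in the later hunk at `no_tcp_socket`. Named constants or a dedicated local, plus a comment like `/* 1: no socket matched; 2: TIME_WAIT socket */`, would make the loopback exception in that test readable. The labels and the declaration of `ret` are outside the hunk, so whether it holds a defined value on every path that reaches the test cannot be confirmed from here.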
75952 @@ -1651,6 +1665,10 @@ no_tcp_socket:
75953 bad_packet:
75954 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
75955 } else {
75956 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
75957 + if (!grsec_enable_blackhole || (ret == 1 &&
75958 + (skb->dev->flags & IFF_LOOPBACK)))
75959 +#endif
75960 tcp_v4_send_reset(NULL, skb);
75961 }
75962
75963 @@ -2238,7 +2256,11 @@ static void get_openreq4(struct sock *sk
75964 0, /* non standard timer */
75965 0, /* open_requests have no inode */
75966 atomic_read(&sk->sk_refcnt),
75967 +#ifdef CONFIG_GRKERNSEC_HIDESYM
75968 + NULL,
75969 +#else
75970 req,
75971 +#endif
75972 len);
75973 }
75974
75975 @@ -2280,7 +2302,12 @@ static void get_tcp4_sock(struct sock *s
75976 sock_i_uid(sk),
75977 icsk->icsk_probes_out,
75978 sock_i_ino(sk),
75979 - atomic_read(&sk->sk_refcnt), sk,
75980 + atomic_read(&sk->sk_refcnt),
75981 +#ifdef CONFIG_GRKERNSEC_HIDESYM
75982 + NULL,
75983 +#else
75984 + sk,
75985 +#endif
75986 jiffies_to_clock_t(icsk->icsk_rto),
75987 jiffies_to_clock_t(icsk->icsk_ack.ato),
75988 (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
75989 @@ -2308,7 +2335,13 @@ static void get_timewait4_sock(struct in
75990 " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p%n",
75991 i, src, srcp, dest, destp, tw->tw_substate, 0, 0,
75992 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
75993 - atomic_read(&tw->tw_refcnt), tw, len);
75994 + atomic_read(&tw->tw_refcnt),
75995 +#ifdef CONFIG_GRKERNSEC_HIDESYM
75996 + NULL,
75997 +#else
75998 + tw,
75999 +#endif
76000 + len);
76001 }
76002
76003 #define TMPSZ 150
76004 diff -urNp linux-2.6.32.46/net/ipv4/tcp_minisocks.c linux-2.6.32.46/net/ipv4/tcp_minisocks.c
76005 --- linux-2.6.32.46/net/ipv4/tcp_minisocks.c 2011-03-27 14:31:47.000000000 -0400
76006 +++ linux-2.6.32.46/net/ipv4/tcp_minisocks.c 2011-04-17 15:56:46.000000000 -0400
76007 @@ -26,6 +26,10 @@
76008 #include <net/inet_common.h>
76009 #include <net/xfrm.h>
76010
76011 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76012 +extern int grsec_enable_blackhole;
76013 +#endif
76014 +
76015 #ifdef CONFIG_SYSCTL
76016 #define SYNC_INIT 0 /* let the user enable it */
76017 #else
76018 @@ -672,6 +676,10 @@ listen_overflow:
76019
76020 embryonic_reset:
76021 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
76022 +
76023 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76024 + if (!grsec_enable_blackhole)
76025 +#endif
76026 if (!(flg & TCP_FLAG_RST))
76027 req->rsk_ops->send_reset(sk, skb);
76028
76029 diff -urNp linux-2.6.32.46/net/ipv4/tcp_output.c linux-2.6.32.46/net/ipv4/tcp_output.c
76030 --- linux-2.6.32.46/net/ipv4/tcp_output.c 2011-03-27 14:31:47.000000000 -0400
76031 +++ linux-2.6.32.46/net/ipv4/tcp_output.c 2011-05-16 21:46:57.000000000 -0400
76032 @@ -2234,6 +2234,8 @@ struct sk_buff *tcp_make_synack(struct s
76033 __u8 *md5_hash_location;
76034 int mss;
76035
76036 + pax_track_stack();
76037 +
76038 skb = sock_wmalloc(sk, MAX_TCP_HEADER + 15, 1, GFP_ATOMIC);
76039 if (skb == NULL)
76040 return NULL;
76041 diff -urNp linux-2.6.32.46/net/ipv4/tcp_probe.c linux-2.6.32.46/net/ipv4/tcp_probe.c
76042 --- linux-2.6.32.46/net/ipv4/tcp_probe.c 2011-03-27 14:31:47.000000000 -0400
76043 +++ linux-2.6.32.46/net/ipv4/tcp_probe.c 2011-04-17 15:56:46.000000000 -0400
76044 @@ -200,7 +200,7 @@ static ssize_t tcpprobe_read(struct file
76045 if (cnt + width >= len)
76046 break;
76047
76048 - if (copy_to_user(buf + cnt, tbuf, width))
76049 + if (width > sizeof tbuf || copy_to_user(buf + cnt, tbuf, width))
76050 return -EFAULT;
76051 cnt += width;
76052 }
76053 diff -urNp linux-2.6.32.46/net/ipv4/tcp_timer.c linux-2.6.32.46/net/ipv4/tcp_timer.c
76054 --- linux-2.6.32.46/net/ipv4/tcp_timer.c 2011-03-27 14:31:47.000000000 -0400
76055 +++ linux-2.6.32.46/net/ipv4/tcp_timer.c 2011-04-17 15:56:46.000000000 -0400
76056 @@ -21,6 +21,10 @@
76057 #include <linux/module.h>
76058 #include <net/tcp.h>
76059
76060 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76061 +extern int grsec_lastack_retries;
76062 +#endif
76063 +
76064 int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
76065 int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
76066 int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
76067 @@ -164,6 +168,13 @@ static int tcp_write_timeout(struct sock
76068 }
76069 }
76070
76071 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76072 + if ((sk->sk_state == TCP_LAST_ACK) &&
76073 + (grsec_lastack_retries > 0) &&
76074 + (grsec_lastack_retries < retry_until))
76075 + retry_until = grsec_lastack_retries;
76076 +#endif
76077 +
76078 if (retransmits_timed_out(sk, retry_until)) {
76079 /* Has it gone just too far? */
76080 tcp_write_err(sk);
76081 diff -urNp linux-2.6.32.46/net/ipv4/udp.c linux-2.6.32.46/net/ipv4/udp.c
76082 --- linux-2.6.32.46/net/ipv4/udp.c 2011-07-13 17:23:04.000000000 -0400
76083 +++ linux-2.6.32.46/net/ipv4/udp.c 2011-08-23 21:22:32.000000000 -0400
76084 @@ -86,6 +86,7 @@
76085 #include <linux/types.h>
76086 #include <linux/fcntl.h>
76087 #include <linux/module.h>
76088 +#include <linux/security.h>
76089 #include <linux/socket.h>
76090 #include <linux/sockios.h>
76091 #include <linux/igmp.h>
76092 @@ -106,6 +107,10 @@
76093 #include <net/xfrm.h>
76094 #include "udp_impl.h"
76095
76096 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76097 +extern int grsec_enable_blackhole;
76098 +#endif
76099 +
76100 struct udp_table udp_table;
76101 EXPORT_SYMBOL(udp_table);
76102
76103 @@ -371,6 +376,9 @@ found:
76104 return s;
76105 }
76106
76107 +extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
76108 +extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
76109 +
76110 /*
76111 * This routine is called by the ICMP module when it gets some
76112 * sort of error condition. If err < 0 then the socket should
76113 @@ -639,9 +647,18 @@ int udp_sendmsg(struct kiocb *iocb, stru
76114 dport = usin->sin_port;
76115 if (dport == 0)
76116 return -EINVAL;
76117 +
76118 + err = gr_search_udp_sendmsg(sk, usin);
76119 + if (err)
76120 + return err;
76121 } else {
76122 if (sk->sk_state != TCP_ESTABLISHED)
76123 return -EDESTADDRREQ;
76124 +
76125 + err = gr_search_udp_sendmsg(sk, NULL);
76126 + if (err)
76127 + return err;
76128 +
76129 daddr = inet->daddr;
76130 dport = inet->dport;
76131 /* Open fast path for connected socket.
76132 @@ -945,6 +962,10 @@ try_again:
76133 if (!skb)
76134 goto out;
76135
76136 + err = gr_search_udp_recvmsg(sk, skb);
76137 + if (err)
76138 + goto out_free;
76139 +
76140 ulen = skb->len - sizeof(struct udphdr);
76141 copied = len;
76142 if (copied > ulen)
76143 @@ -1068,7 +1089,7 @@ static int __udp_queue_rcv_skb(struct so
76144 if (rc == -ENOMEM) {
76145 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS,
76146 is_udplite);
76147 - atomic_inc(&sk->sk_drops);
76148 + atomic_inc_unchecked(&sk->sk_drops);
76149 }
76150 goto drop;
76151 }
76152 @@ -1338,6 +1359,9 @@ int __udp4_lib_rcv(struct sk_buff *skb,
76153 goto csum_error;
76154
76155 UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
76156 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76157 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
76158 +#endif
76159 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
76160
76161 /*
76162 @@ -1758,8 +1782,13 @@ static void udp4_format_sock(struct sock
76163 sk_wmem_alloc_get(sp),
76164 sk_rmem_alloc_get(sp),
76165 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
76166 - atomic_read(&sp->sk_refcnt), sp,
76167 - atomic_read(&sp->sk_drops), len);
76168 + atomic_read(&sp->sk_refcnt),
76169 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76170 + NULL,
76171 +#else
76172 + sp,
76173 +#endif
76174 + atomic_read_unchecked(&sp->sk_drops), len);
76175 }
76176
76177 int udp4_seq_show(struct seq_file *seq, void *v)
76178 diff -urNp linux-2.6.32.46/net/ipv6/addrconf.c linux-2.6.32.46/net/ipv6/addrconf.c
76179 --- linux-2.6.32.46/net/ipv6/addrconf.c 2011-05-10 22:12:02.000000000 -0400
76180 +++ linux-2.6.32.46/net/ipv6/addrconf.c 2011-10-06 09:37:14.000000000 -0400
76181 @@ -2053,7 +2053,7 @@ int addrconf_set_dstaddr(struct net *net
76182 p.iph.ihl = 5;
76183 p.iph.protocol = IPPROTO_IPV6;
76184 p.iph.ttl = 64;
76185 - ifr.ifr_ifru.ifru_data = (__force void __user *)&p;
76186 + ifr.ifr_ifru.ifru_data = (void __force_user *)&p;
76187
76188 if (ops->ndo_do_ioctl) {
76189 mm_segment_t oldfs = get_fs();
76190 diff -urNp linux-2.6.32.46/net/ipv6/inet6_connection_sock.c linux-2.6.32.46/net/ipv6/inet6_connection_sock.c
76191 --- linux-2.6.32.46/net/ipv6/inet6_connection_sock.c 2011-03-27 14:31:47.000000000 -0400
76192 +++ linux-2.6.32.46/net/ipv6/inet6_connection_sock.c 2011-05-04 17:56:28.000000000 -0400
76193 @@ -152,7 +152,7 @@ void __inet6_csk_dst_store(struct sock *
76194 #ifdef CONFIG_XFRM
76195 {
76196 struct rt6_info *rt = (struct rt6_info *)dst;
76197 - rt->rt6i_flow_cache_genid = atomic_read(&flow_cache_genid);
76198 + rt->rt6i_flow_cache_genid = atomic_read_unchecked(&flow_cache_genid);
76199 }
76200 #endif
76201 }
76202 @@ -167,7 +167,7 @@ struct dst_entry *__inet6_csk_dst_check(
76203 #ifdef CONFIG_XFRM
76204 if (dst) {
76205 struct rt6_info *rt = (struct rt6_info *)dst;
76206 - if (rt->rt6i_flow_cache_genid != atomic_read(&flow_cache_genid)) {
76207 + if (rt->rt6i_flow_cache_genid != atomic_read_unchecked(&flow_cache_genid)) {
76208 sk->sk_dst_cache = NULL;
76209 dst_release(dst);
76210 dst = NULL;
76211 diff -urNp linux-2.6.32.46/net/ipv6/inet6_hashtables.c linux-2.6.32.46/net/ipv6/inet6_hashtables.c
76212 --- linux-2.6.32.46/net/ipv6/inet6_hashtables.c 2011-08-16 20:37:25.000000000 -0400
76213 +++ linux-2.6.32.46/net/ipv6/inet6_hashtables.c 2011-08-07 19:48:09.000000000 -0400
76214 @@ -119,7 +119,7 @@ out:
76215 }
76216 EXPORT_SYMBOL(__inet6_lookup_established);
76217
76218 -static int inline compute_score(struct sock *sk, struct net *net,
76219 +static inline int compute_score(struct sock *sk, struct net *net,
76220 const unsigned short hnum,
76221 const struct in6_addr *daddr,
76222 const int dif)
76223 diff -urNp linux-2.6.32.46/net/ipv6/ip6_tunnel.c linux-2.6.32.46/net/ipv6/ip6_tunnel.c
76224 --- linux-2.6.32.46/net/ipv6/ip6_tunnel.c 2011-08-09 18:35:30.000000000 -0400
76225 +++ linux-2.6.32.46/net/ipv6/ip6_tunnel.c 2011-08-24 18:52:25.000000000 -0400
76226 @@ -1466,7 +1466,7 @@ static int __init ip6_tunnel_init(void)
76227 {
76228 int err;
76229
76230 - err = register_pernet_device(&ip6_tnl_net_ops);
76231 + err = register_pernet_gen_device(&ip6_tnl_net_id, &ip6_tnl_net_ops);
76232 if (err < 0)
76233 goto out_pernet;
76234
76235 @@ -1487,7 +1487,7 @@ static int __init ip6_tunnel_init(void)
76236 out_ip6ip6:
76237 xfrm6_tunnel_deregister(&ip4ip6_handler, AF_INET);
76238 out_ip4ip6:
76239 - unregister_pernet_device(&ip6_tnl_net_ops);
76240 + unregister_pernet_gen_device(ip6_tnl_net_id, &ip6_tnl_net_ops);
76241 out_pernet:
76242 return err;
76243 }
76244 diff -urNp linux-2.6.32.46/net/ipv6/ipv6_sockglue.c linux-2.6.32.46/net/ipv6/ipv6_sockglue.c
76245 --- linux-2.6.32.46/net/ipv6/ipv6_sockglue.c 2011-03-27 14:31:47.000000000 -0400
76246 +++ linux-2.6.32.46/net/ipv6/ipv6_sockglue.c 2011-10-06 09:37:16.000000000 -0400
76247 @@ -130,6 +130,8 @@ static int do_ipv6_setsockopt(struct soc
76248 int val, valbool;
76249 int retv = -ENOPROTOOPT;
76250
76251 + pax_track_stack();
76252 +
76253 if (optval == NULL)
76254 val=0;
76255 else {
76256 @@ -881,6 +883,8 @@ static int do_ipv6_getsockopt(struct soc
76257 int len;
76258 int val;
76259
76260 + pax_track_stack();
76261 +
76262 if (ip6_mroute_opt(optname))
76263 return ip6_mroute_getsockopt(sk, optname, optval, optlen);
76264
76265 @@ -922,7 +926,7 @@ static int do_ipv6_getsockopt(struct soc
76266 if (sk->sk_type != SOCK_STREAM)
76267 return -ENOPROTOOPT;
76268
76269 - msg.msg_control = optval;
76270 + msg.msg_control = (void __force_kernel *)optval;
76271 msg.msg_controllen = len;
76272 msg.msg_flags = 0;
76273
76274 diff -urNp linux-2.6.32.46/net/ipv6/netfilter/ip6_queue.c linux-2.6.32.46/net/ipv6/netfilter/ip6_queue.c
76275 --- linux-2.6.32.46/net/ipv6/netfilter/ip6_queue.c 2011-03-27 14:31:47.000000000 -0400
76276 +++ linux-2.6.32.46/net/ipv6/netfilter/ip6_queue.c 2011-08-21 18:43:32.000000000 -0400
76277 @@ -287,6 +287,9 @@ ipq_mangle_ipv6(ipq_verdict_msg_t *v, st
76278
76279 if (v->data_len < sizeof(*user_iph))
76280 return 0;
76281 + if (v->data_len > 65535)
76282 + return -EMSGSIZE;
76283 +
76284 diff = v->data_len - e->skb->len;
76285 if (diff < 0) {
76286 if (pskb_trim(e->skb, v->data_len))
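Review bot: The new upper bound in ipq_mangle_ipv6 uses the bare constant `65535` with no indication of what it protects. From the next line it looks like the aim is to keep `diff = v->data_len - e->skb->len` and the later resize within a sane range, so a named constant or a comment such as `/* reject oversized verdict payloads before computing the size delta */` would make the intent reviewable. Note too that the short-payload case just above returns 0 while this one returns `-EMSGSIZE`; if the difference is deliberate it deserves a word in the same comment. The function body continues outside the hunk.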
76287 @@ -411,7 +414,8 @@ ipq_dev_drop(int ifindex)
76288 static inline void
76289 __ipq_rcv_skb(struct sk_buff *skb)
76290 {
76291 - int status, type, pid, flags, nlmsglen, skblen;
76292 + int status, type, pid, flags;
76293 + unsigned int nlmsglen, skblen;
76294 struct nlmsghdr *nlh;
76295
76296 skblen = skb->len;
76297 diff -urNp linux-2.6.32.46/net/ipv6/netfilter/ip6_tables.c linux-2.6.32.46/net/ipv6/netfilter/ip6_tables.c
76298 --- linux-2.6.32.46/net/ipv6/netfilter/ip6_tables.c 2011-04-17 17:00:52.000000000 -0400
76299 +++ linux-2.6.32.46/net/ipv6/netfilter/ip6_tables.c 2011-04-17 17:04:18.000000000 -0400
76300 @@ -1173,6 +1173,7 @@ static int get_info(struct net *net, voi
76301 private = &tmp;
76302 }
76303 #endif
76304 + memset(&info, 0, sizeof(info));
76305 info.valid_hooks = t->valid_hooks;
76306 memcpy(info.hook_entry, private->hook_entry,
76307 sizeof(info.hook_entry));
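Review bot: The added `memset(&info, 0, sizeof(info))` in get_info has no comment explaining why a struct that is filled field by field needs zeroing first. Presumably `info` is later copied to user space (that copy is outside the hunk), in which case padding and any field not assigned here would otherwise carry stale stack contents. A short comment keeps a future cleanup from removing it: `/* zero first: padding and unset fields must not leak stack data to userspace */`.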
76308 diff -urNp linux-2.6.32.46/net/ipv6/raw.c linux-2.6.32.46/net/ipv6/raw.c
76309 --- linux-2.6.32.46/net/ipv6/raw.c 2011-03-27 14:31:47.000000000 -0400
76310 +++ linux-2.6.32.46/net/ipv6/raw.c 2011-08-14 11:48:20.000000000 -0400
76311 @@ -375,14 +375,14 @@ static inline int rawv6_rcv_skb(struct s
76312 {
76313 if ((raw6_sk(sk)->checksum || sk->sk_filter) &&
76314 skb_checksum_complete(skb)) {
76315 - atomic_inc(&sk->sk_drops);
76316 + atomic_inc_unchecked(&sk->sk_drops);
76317 kfree_skb(skb);
76318 return NET_RX_DROP;
76319 }
76320
76321 /* Charge it to the socket. */
76322 if (sock_queue_rcv_skb(sk,skb)<0) {
76323 - atomic_inc(&sk->sk_drops);
76324 + atomic_inc_unchecked(&sk->sk_drops);
76325 kfree_skb(skb);
76326 return NET_RX_DROP;
76327 }
76328 @@ -403,7 +403,7 @@ int rawv6_rcv(struct sock *sk, struct sk
76329 struct raw6_sock *rp = raw6_sk(sk);
76330
76331 if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) {
76332 - atomic_inc(&sk->sk_drops);
76333 + atomic_inc_unchecked(&sk->sk_drops);
76334 kfree_skb(skb);
76335 return NET_RX_DROP;
76336 }
76337 @@ -427,7 +427,7 @@ int rawv6_rcv(struct sock *sk, struct sk
76338
76339 if (inet->hdrincl) {
76340 if (skb_checksum_complete(skb)) {
76341 - atomic_inc(&sk->sk_drops);
76342 + atomic_inc_unchecked(&sk->sk_drops);
76343 kfree_skb(skb);
76344 return NET_RX_DROP;
76345 }
76346 @@ -518,7 +518,7 @@ csum_copy_err:
76347 as some normal condition.
76348 */
76349 err = (flags&MSG_DONTWAIT) ? -EAGAIN : -EHOSTUNREACH;
76350 - atomic_inc(&sk->sk_drops);
76351 + atomic_inc_unchecked(&sk->sk_drops);
76352 goto out;
76353 }
76354
76355 @@ -600,7 +600,7 @@ out:
76356 return err;
76357 }
76358
76359 -static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
76360 +static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
76361 struct flowi *fl, struct rt6_info *rt,
76362 unsigned int flags)
76363 {
76364 @@ -738,6 +738,8 @@ static int rawv6_sendmsg(struct kiocb *i
76365 u16 proto;
76366 int err;
76367
76368 + pax_track_stack();
76369 +
76370 /* Rough check on arithmetic overflow,
76371 better check is made in ip6_append_data().
76372 */
76373 @@ -916,12 +918,17 @@ do_confirm:
76374 static int rawv6_seticmpfilter(struct sock *sk, int level, int optname,
76375 char __user *optval, int optlen)
76376 {
76377 + struct icmp6_filter filter;
76378 +
76379 switch (optname) {
76380 case ICMPV6_FILTER:
76381 + if (optlen < 0)
76382 + return -EINVAL;
76383 if (optlen > sizeof(struct icmp6_filter))
76384 optlen = sizeof(struct icmp6_filter);
76385 - if (copy_from_user(&raw6_sk(sk)->filter, optval, optlen))
76386 + if (copy_from_user(&filter, optval, optlen))
76387 return -EFAULT;
76388 + raw6_sk(sk)->filter = filter;
76389 return 0;
76390 default:
76391 return -ENOPROTOOPT;
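Review bot: In rawv6_seticmpfilter the new local `filter` is never initialised, so when `optlen` is smaller than `sizeof(struct icmp6_filter)` only the first `optlen` bytes are written by `copy_from_user()` and the rest of what `raw6_sk(sk)->filter = filter;` stores is whatever was on the stack. The pre-patch code copied straight into the socket's filter and so left the tail of the existing filter intact; the new code changes that behaviour and puts uninitialised data where the getter in the next hunk can hand it back to the caller. Seeding the local before the copy restores the old semantics: `filter = raw6_sk(sk)->filter;` placed just ahead of `copy_from_user(&filter, optval, optlen)`. The switch and the function close outside the hunk.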
76392 @@ -934,6 +941,7 @@ static int rawv6_geticmpfilter(struct so
76393 char __user *optval, int __user *optlen)
76394 {
76395 int len;
76396 + struct icmp6_filter filter;
76397
76398 switch (optname) {
76399 case ICMPV6_FILTER:
76400 @@ -945,7 +953,8 @@ static int rawv6_geticmpfilter(struct so
76401 len = sizeof(struct icmp6_filter);
76402 if (put_user(len, optlen))
76403 return -EFAULT;
76404 - if (copy_to_user(optval, &raw6_sk(sk)->filter, len))
76405 + filter = raw6_sk(sk)->filter;
76406 + if (len > sizeof filter || copy_to_user(optval, &filter, len))
76407 return -EFAULT;
76408 return 0;
76409 default:
76410 @@ -1241,7 +1250,13 @@ static void raw6_sock_seq_show(struct se
76411 0, 0L, 0,
76412 sock_i_uid(sp), 0,
76413 sock_i_ino(sp),
76414 - atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
76415 + atomic_read(&sp->sk_refcnt),
76416 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76417 + NULL,
76418 +#else
76419 + sp,
76420 +#endif
76421 + atomic_read_unchecked(&sp->sk_drops));
76422 }
76423
76424 static int raw6_seq_show(struct seq_file *seq, void *v)
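Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` / `NULL` / `#else` / `sp` / `#endif` block is spliced into the middle of the seq_printf() argument list in raw6_sock_seq_show, and the same five-line pattern is repeated in get_openreq6, get_tcp6_sock, get_timewait6_sock, udp6_sock_seq_show and pfkey_seq_show. Preprocessor branches inside an argument list are easy to break (the trailing comma already differs between sites: `NULL,` here, `NULL` in get_openreq6). I would fold the choice into one helper macro, defined once, that expands to the pointer or to `NULL`, and pass that as the `%p` argument at each site. That keeps format string and argument count visibly in step and gives a single place to change the policy.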
76425 diff -urNp linux-2.6.32.46/net/ipv6/tcp_ipv6.c linux-2.6.32.46/net/ipv6/tcp_ipv6.c
76426 --- linux-2.6.32.46/net/ipv6/tcp_ipv6.c 2011-08-16 20:37:25.000000000 -0400
76427 +++ linux-2.6.32.46/net/ipv6/tcp_ipv6.c 2011-08-07 19:48:09.000000000 -0400
76428 @@ -89,6 +89,10 @@ static struct tcp_md5sig_key *tcp_v6_md5
76429 }
76430 #endif
76431
76432 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76433 +extern int grsec_enable_blackhole;
76434 +#endif
76435 +
76436 static void tcp_v6_hash(struct sock *sk)
76437 {
76438 if (sk->sk_state != TCP_CLOSE) {
76439 @@ -1579,6 +1583,9 @@ static int tcp_v6_do_rcv(struct sock *sk
76440 return 0;
76441
76442 reset:
76443 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76444 + if (!grsec_enable_blackhole)
76445 +#endif
76446 tcp_v6_send_reset(sk, skb);
76447 discard:
76448 if (opt_skb)
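Review bot: The blackhole guard at the `reset:` label in tcp_v6_do_rcv is an unbraced `if` inside `#ifdef`/`#endif` that governs whichever statement happens to follow the `#endif`. That is fragile: a statement inserted ahead of `tcp_v6_send_reset(sk, skb);` silently becomes the guarded one when CONFIG_GRKERNSEC_BLACKHOLE is set. The same construction appears on the `no_tcp_socket` path of tcp_v6_rcv and before `icmpv6_send()` in __udp6_lib_rcv. I would make `grsec_enable_blackhole` evaluate to a constant 0 when the option is off and write a plain braced `if (!grsec_enable_blackhole) { tcp_v6_send_reset(sk, skb); }` with no preprocessor lines around it.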
76449 @@ -1656,12 +1663,20 @@ static int tcp_v6_rcv(struct sk_buff *sk
76450 TCP_SKB_CB(skb)->sacked = 0;
76451
76452 sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
76453 - if (!sk)
76454 + if (!sk) {
76455 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76456 + ret = 1;
76457 +#endif
76458 goto no_tcp_socket;
76459 + }
76460
76461 process:
76462 - if (sk->sk_state == TCP_TIME_WAIT)
76463 + if (sk->sk_state == TCP_TIME_WAIT) {
76464 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76465 + ret = 2;
76466 +#endif
76467 goto do_time_wait;
76468 + }
76469
76470 if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
76471 goto discard_and_relse;
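Review bot: `ret = 1` and `ret = 2` in tcp_v6_rcv turn the function's return variable into an undocumented marker for which path reached the reset code. Only `ret == 1` is tested in the hunks shown (the loopback exception under `no_tcp_socket`), so the purpose of `2` cannot be checked from here, and any assignment to `ret` between these lines and the test would silently change the blackhole decision. A comment at the first assignment, `/* blackhole marker: 1 = no socket found, 2 = TIME_WAIT */`, or a separate local with named values, would make this safe to maintain. The function starts before and continues after the hunk.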
76472 @@ -1701,6 +1716,10 @@ no_tcp_socket:
76473 bad_packet:
76474 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
76475 } else {
76476 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76477 + if (!grsec_enable_blackhole || (ret == 1 &&
76478 + (skb->dev->flags & IFF_LOOPBACK)))
76479 +#endif
76480 tcp_v6_send_reset(NULL, skb);
76481 }
76482
76483 @@ -1916,7 +1935,13 @@ static void get_openreq6(struct seq_file
76484 uid,
76485 0, /* non standard timer */
76486 0, /* open_requests have no inode */
76487 - 0, req);
76488 + 0,
76489 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76490 + NULL
76491 +#else
76492 + req
76493 +#endif
76494 + );
76495 }
76496
76497 static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
76498 @@ -1966,7 +1991,12 @@ static void get_tcp6_sock(struct seq_fil
76499 sock_i_uid(sp),
76500 icsk->icsk_probes_out,
76501 sock_i_ino(sp),
76502 - atomic_read(&sp->sk_refcnt), sp,
76503 + atomic_read(&sp->sk_refcnt),
76504 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76505 + NULL,
76506 +#else
76507 + sp,
76508 +#endif
76509 jiffies_to_clock_t(icsk->icsk_rto),
76510 jiffies_to_clock_t(icsk->icsk_ack.ato),
76511 (icsk->icsk_ack.quick << 1 ) | icsk->icsk_ack.pingpong,
76512 @@ -2001,7 +2031,13 @@ static void get_timewait6_sock(struct se
76513 dest->s6_addr32[2], dest->s6_addr32[3], destp,
76514 tw->tw_substate, 0, 0,
76515 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
76516 - atomic_read(&tw->tw_refcnt), tw);
76517 + atomic_read(&tw->tw_refcnt),
76518 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76519 + NULL
76520 +#else
76521 + tw
76522 +#endif
76523 + );
76524 }
76525
76526 static int tcp6_seq_show(struct seq_file *seq, void *v)
76527 diff -urNp linux-2.6.32.46/net/ipv6/udp.c linux-2.6.32.46/net/ipv6/udp.c
76528 --- linux-2.6.32.46/net/ipv6/udp.c 2011-07-13 17:23:04.000000000 -0400
76529 +++ linux-2.6.32.46/net/ipv6/udp.c 2011-07-13 17:23:27.000000000 -0400
76530 @@ -49,6 +49,10 @@
76531 #include <linux/seq_file.h>
76532 #include "udp_impl.h"
76533
76534 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76535 +extern int grsec_enable_blackhole;
76536 +#endif
76537 +
76538 int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
76539 {
76540 const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr;
76541 @@ -391,7 +395,7 @@ int udpv6_queue_rcv_skb(struct sock * sk
76542 if (rc == -ENOMEM) {
76543 UDP6_INC_STATS_BH(sock_net(sk),
76544 UDP_MIB_RCVBUFERRORS, is_udplite);
76545 - atomic_inc(&sk->sk_drops);
76546 + atomic_inc_unchecked(&sk->sk_drops);
76547 }
76548 goto drop;
76549 }
76550 @@ -590,6 +594,9 @@ int __udp6_lib_rcv(struct sk_buff *skb,
76551 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
76552 proto == IPPROTO_UDPLITE);
76553
76554 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
76555 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
76556 +#endif
76557 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0, dev);
76558
76559 kfree_skb(skb);
76560 @@ -1209,8 +1216,13 @@ static void udp6_sock_seq_show(struct se
76561 0, 0L, 0,
76562 sock_i_uid(sp), 0,
76563 sock_i_ino(sp),
76564 - atomic_read(&sp->sk_refcnt), sp,
76565 - atomic_read(&sp->sk_drops));
76566 + atomic_read(&sp->sk_refcnt),
76567 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76568 + NULL,
76569 +#else
76570 + sp,
76571 +#endif
76572 + atomic_read_unchecked(&sp->sk_drops));
76573 }
76574
76575 int udp6_seq_show(struct seq_file *seq, void *v)
76576 diff -urNp linux-2.6.32.46/net/irda/ircomm/ircomm_tty.c linux-2.6.32.46/net/irda/ircomm/ircomm_tty.c
76577 --- linux-2.6.32.46/net/irda/ircomm/ircomm_tty.c 2011-03-27 14:31:47.000000000 -0400
76578 +++ linux-2.6.32.46/net/irda/ircomm/ircomm_tty.c 2011-04-17 15:56:46.000000000 -0400
76579 @@ -280,16 +280,16 @@ static int ircomm_tty_block_til_ready(st
76580 add_wait_queue(&self->open_wait, &wait);
76581
76582 IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
76583 - __FILE__,__LINE__, tty->driver->name, self->open_count );
76584 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
76585
76586 /* As far as I can see, we protect open_count - Jean II */
76587 spin_lock_irqsave(&self->spinlock, flags);
76588 if (!tty_hung_up_p(filp)) {
76589 extra_count = 1;
76590 - self->open_count--;
76591 + local_dec(&self->open_count);
76592 }
76593 spin_unlock_irqrestore(&self->spinlock, flags);
76594 - self->blocked_open++;
76595 + local_inc(&self->blocked_open);
76596
76597 while (1) {
76598 if (tty->termios->c_cflag & CBAUD) {
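Review bot: The debug and proc format strings in ircomm_tty.c still use `%d` for values that now come from `local_read(&self->open_count)`. `local_read()` returns a `long` on the architectures I know of, so on 64-bit builds the varargs call passes a type that does not match the conversion; this affects the IRDA_DEBUG call at the top of this hunk and the IRDA_DEBUG, IRDA_ERROR and seq_printf calls in the later hunks of the file. Either switch the conversions to `%ld` or cast at the call site, e.g. `(int)local_read(&self->open_count)`. The declaration of `open_count` is in a header outside this view, so the `local_t` type is inferred from the accessors.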
76599 @@ -329,7 +329,7 @@ static int ircomm_tty_block_til_ready(st
76600 }
76601
76602 IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
76603 - __FILE__,__LINE__, tty->driver->name, self->open_count );
76604 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
76605
76606 schedule();
76607 }
76608 @@ -340,13 +340,13 @@ static int ircomm_tty_block_til_ready(st
76609 if (extra_count) {
76610 /* ++ is not atomic, so this should be protected - Jean II */
76611 spin_lock_irqsave(&self->spinlock, flags);
76612 - self->open_count++;
76613 + local_inc(&self->open_count);
76614 spin_unlock_irqrestore(&self->spinlock, flags);
76615 }
76616 - self->blocked_open--;
76617 + local_dec(&self->blocked_open);
76618
76619 IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
76620 - __FILE__,__LINE__, tty->driver->name, self->open_count);
76621 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count));
76622
76623 if (!retval)
76624 self->flags |= ASYNC_NORMAL_ACTIVE;
76625 @@ -415,14 +415,14 @@ static int ircomm_tty_open(struct tty_st
76626 }
76627 /* ++ is not atomic, so this should be protected - Jean II */
76628 spin_lock_irqsave(&self->spinlock, flags);
76629 - self->open_count++;
76630 + local_inc(&self->open_count);
76631
76632 tty->driver_data = self;
76633 self->tty = tty;
76634 spin_unlock_irqrestore(&self->spinlock, flags);
76635
76636 IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
76637 - self->line, self->open_count);
76638 + self->line, local_read(&self->open_count));
76639
76640 /* Not really used by us, but lets do it anyway */
76641 self->tty->low_latency = (self->flags & ASYNC_LOW_LATENCY) ? 1 : 0;
76642 @@ -511,7 +511,7 @@ static void ircomm_tty_close(struct tty_
76643 return;
76644 }
76645
76646 - if ((tty->count == 1) && (self->open_count != 1)) {
76647 + if ((tty->count == 1) && (local_read(&self->open_count) != 1)) {
76648 /*
76649 * Uh, oh. tty->count is 1, which means that the tty
76650 * structure will be freed. state->count should always
76651 @@ -521,16 +521,16 @@ static void ircomm_tty_close(struct tty_
76652 */
76653 IRDA_DEBUG(0, "%s(), bad serial port count; "
76654 "tty->count is 1, state->count is %d\n", __func__ ,
76655 - self->open_count);
76656 - self->open_count = 1;
76657 + local_read(&self->open_count));
76658 + local_set(&self->open_count, 1);
76659 }
76660
76661 - if (--self->open_count < 0) {
76662 + if (local_dec_return(&self->open_count) < 0) {
76663 IRDA_ERROR("%s(), bad serial port count for ttys%d: %d\n",
76664 - __func__, self->line, self->open_count);
76665 - self->open_count = 0;
76666 + __func__, self->line, local_read(&self->open_count));
76667 + local_set(&self->open_count, 0);
76668 }
76669 - if (self->open_count) {
76670 + if (local_read(&self->open_count)) {
76671 spin_unlock_irqrestore(&self->spinlock, flags);
76672
76673 IRDA_DEBUG(0, "%s(), open count > 0\n", __func__ );
76674 @@ -562,7 +562,7 @@ static void ircomm_tty_close(struct tty_
76675 tty->closing = 0;
76676 self->tty = NULL;
76677
76678 - if (self->blocked_open) {
76679 + if (local_read(&self->blocked_open)) {
76680 if (self->close_delay)
76681 schedule_timeout_interruptible(self->close_delay);
76682 wake_up_interruptible(&self->open_wait);
76683 @@ -1017,7 +1017,7 @@ static void ircomm_tty_hangup(struct tty
76684 spin_lock_irqsave(&self->spinlock, flags);
76685 self->flags &= ~ASYNC_NORMAL_ACTIVE;
76686 self->tty = NULL;
76687 - self->open_count = 0;
76688 + local_set(&self->open_count, 0);
76689 spin_unlock_irqrestore(&self->spinlock, flags);
76690
76691 wake_up_interruptible(&self->open_wait);
76692 @@ -1369,7 +1369,7 @@ static void ircomm_tty_line_info(struct
76693 seq_putc(m, '\n');
76694
76695 seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
76696 - seq_printf(m, "Open count: %d\n", self->open_count);
76697 + seq_printf(m, "Open count: %d\n", local_read(&self->open_count));
76698 seq_printf(m, "Max data size: %d\n", self->max_data_size);
76699 seq_printf(m, "Max header size: %d\n", self->max_header_size);
76700
76701 diff -urNp linux-2.6.32.46/net/iucv/af_iucv.c linux-2.6.32.46/net/iucv/af_iucv.c
76702 --- linux-2.6.32.46/net/iucv/af_iucv.c 2011-03-27 14:31:47.000000000 -0400
76703 +++ linux-2.6.32.46/net/iucv/af_iucv.c 2011-05-04 17:56:28.000000000 -0400
76704 @@ -651,10 +651,10 @@ static int iucv_sock_autobind(struct soc
76705
76706 write_lock_bh(&iucv_sk_list.lock);
76707
76708 - sprintf(name, "%08x", atomic_inc_return(&iucv_sk_list.autobind_name));
76709 + sprintf(name, "%08x", atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
76710 while (__iucv_get_sock_by_name(name)) {
76711 sprintf(name, "%08x",
76712 - atomic_inc_return(&iucv_sk_list.autobind_name));
76713 + atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
76714 }
76715
76716 write_unlock_bh(&iucv_sk_list.lock);
76717 diff -urNp linux-2.6.32.46/net/key/af_key.c linux-2.6.32.46/net/key/af_key.c
76718 --- linux-2.6.32.46/net/key/af_key.c 2011-03-27 14:31:47.000000000 -0400
76719 +++ linux-2.6.32.46/net/key/af_key.c 2011-05-16 21:46:57.000000000 -0400
76720 @@ -2489,6 +2489,8 @@ static int pfkey_migrate(struct sock *sk
76721 struct xfrm_migrate m[XFRM_MAX_DEPTH];
76722 struct xfrm_kmaddress k;
76723
76724 + pax_track_stack();
76725 +
76726 if (!present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC - 1],
76727 ext_hdrs[SADB_EXT_ADDRESS_DST - 1]) ||
76728 !ext_hdrs[SADB_X_EXT_POLICY - 1]) {
76729 @@ -3660,7 +3662,11 @@ static int pfkey_seq_show(struct seq_fil
76730 seq_printf(f ,"sk RefCnt Rmem Wmem User Inode\n");
76731 else
76732 seq_printf(f ,"%p %-6d %-6u %-6u %-6u %-6lu\n",
76733 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76734 + NULL,
76735 +#else
76736 s,
76737 +#endif
76738 atomic_read(&s->sk_refcnt),
76739 sk_rmem_alloc_get(s),
76740 sk_wmem_alloc_get(s),
76741 diff -urNp linux-2.6.32.46/net/lapb/lapb_iface.c linux-2.6.32.46/net/lapb/lapb_iface.c
76742 --- linux-2.6.32.46/net/lapb/lapb_iface.c 2011-03-27 14:31:47.000000000 -0400
76743 +++ linux-2.6.32.46/net/lapb/lapb_iface.c 2011-08-05 20:33:55.000000000 -0400
76744 @@ -157,7 +157,7 @@ int lapb_register(struct net_device *dev
76745 goto out;
76746
76747 lapb->dev = dev;
76748 - lapb->callbacks = *callbacks;
76749 + lapb->callbacks = callbacks;
76750
76751 __lapb_insert_cb(lapb);
76752
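Review bot: `lapb->callbacks = callbacks;` in lapb_register now keeps the caller's pointer instead of copying the structure, so the callback table must stay valid and unmodified for as long as the device is registered. Nothing in the hunk states that requirement, and a caller that builds the table on its stack or frees it after registering would leave the dispatch helpers in the next hunk calling through a dangling pointer. I would document it at the function, e.g. `/* callbacks is stored by reference; it must outlive the registration (static const preferred) */`, and check each caller, which is outside this view. The prototype and struct field changes that go with this are not visible here either.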
76753 @@ -379,32 +379,32 @@ int lapb_data_received(struct net_device
76754
76755 void lapb_connect_confirmation(struct lapb_cb *lapb, int reason)
76756 {
76757 - if (lapb->callbacks.connect_confirmation)
76758 - lapb->callbacks.connect_confirmation(lapb->dev, reason);
76759 + if (lapb->callbacks->connect_confirmation)
76760 + lapb->callbacks->connect_confirmation(lapb->dev, reason);
76761 }
76762
76763 void lapb_connect_indication(struct lapb_cb *lapb, int reason)
76764 {
76765 - if (lapb->callbacks.connect_indication)
76766 - lapb->callbacks.connect_indication(lapb->dev, reason);
76767 + if (lapb->callbacks->connect_indication)
76768 + lapb->callbacks->connect_indication(lapb->dev, reason);
76769 }
76770
76771 void lapb_disconnect_confirmation(struct lapb_cb *lapb, int reason)
76772 {
76773 - if (lapb->callbacks.disconnect_confirmation)
76774 - lapb->callbacks.disconnect_confirmation(lapb->dev, reason);
76775 + if (lapb->callbacks->disconnect_confirmation)
76776 + lapb->callbacks->disconnect_confirmation(lapb->dev, reason);
76777 }
76778
76779 void lapb_disconnect_indication(struct lapb_cb *lapb, int reason)
76780 {
76781 - if (lapb->callbacks.disconnect_indication)
76782 - lapb->callbacks.disconnect_indication(lapb->dev, reason);
76783 + if (lapb->callbacks->disconnect_indication)
76784 + lapb->callbacks->disconnect_indication(lapb->dev, reason);
76785 }
76786
76787 int lapb_data_indication(struct lapb_cb *lapb, struct sk_buff *skb)
76788 {
76789 - if (lapb->callbacks.data_indication)
76790 - return lapb->callbacks.data_indication(lapb->dev, skb);
76791 + if (lapb->callbacks->data_indication)
76792 + return lapb->callbacks->data_indication(lapb->dev, skb);
76793
76794 kfree_skb(skb);
76795 return NET_RX_SUCCESS; /* For now; must be != NET_RX_DROP */
76796 @@ -414,8 +414,8 @@ int lapb_data_transmit(struct lapb_cb *l
76797 {
76798 int used = 0;
76799
76800 - if (lapb->callbacks.data_transmit) {
76801 - lapb->callbacks.data_transmit(lapb->dev, skb);
76802 + if (lapb->callbacks->data_transmit) {
76803 + lapb->callbacks->data_transmit(lapb->dev, skb);
76804 used = 1;
76805 }
76806
76807 diff -urNp linux-2.6.32.46/net/mac80211/cfg.c linux-2.6.32.46/net/mac80211/cfg.c
76808 --- linux-2.6.32.46/net/mac80211/cfg.c 2011-03-27 14:31:47.000000000 -0400
76809 +++ linux-2.6.32.46/net/mac80211/cfg.c 2011-04-17 15:56:46.000000000 -0400
76810 @@ -1369,7 +1369,7 @@ static int ieee80211_set_bitrate_mask(st
76811 return err;
76812 }
76813
76814 -struct cfg80211_ops mac80211_config_ops = {
76815 +const struct cfg80211_ops mac80211_config_ops = {
76816 .add_virtual_intf = ieee80211_add_iface,
76817 .del_virtual_intf = ieee80211_del_iface,
76818 .change_virtual_intf = ieee80211_change_iface,
76819 diff -urNp linux-2.6.32.46/net/mac80211/cfg.h linux-2.6.32.46/net/mac80211/cfg.h
76820 --- linux-2.6.32.46/net/mac80211/cfg.h 2011-03-27 14:31:47.000000000 -0400
76821 +++ linux-2.6.32.46/net/mac80211/cfg.h 2011-04-17 15:56:46.000000000 -0400
76822 @@ -4,6 +4,6 @@
76823 #ifndef __CFG_H
76824 #define __CFG_H
76825
76826 -extern struct cfg80211_ops mac80211_config_ops;
76827 +extern const struct cfg80211_ops mac80211_config_ops;
76828
76829 #endif /* __CFG_H */
76830 diff -urNp linux-2.6.32.46/net/mac80211/debugfs_key.c linux-2.6.32.46/net/mac80211/debugfs_key.c
76831 --- linux-2.6.32.46/net/mac80211/debugfs_key.c 2011-03-27 14:31:47.000000000 -0400
76832 +++ linux-2.6.32.46/net/mac80211/debugfs_key.c 2011-04-17 15:56:46.000000000 -0400
76833 @@ -211,9 +211,13 @@ static ssize_t key_key_read(struct file
76834 size_t count, loff_t *ppos)
76835 {
76836 struct ieee80211_key *key = file->private_data;
76837 - int i, res, bufsize = 2 * key->conf.keylen + 2;
76838 + int i, bufsize = 2 * key->conf.keylen + 2;
76839 char *buf = kmalloc(bufsize, GFP_KERNEL);
76840 char *p = buf;
76841 + ssize_t res;
76842 +
76843 + if (buf == NULL)
76844 + return -ENOMEM;
76845
76846 for (i = 0; i < key->conf.keylen; i++)
76847 p += scnprintf(p, bufsize + buf - p, "%02x", key->conf.key[i]);
76848 diff -urNp linux-2.6.32.46/net/mac80211/debugfs_sta.c linux-2.6.32.46/net/mac80211/debugfs_sta.c
76849 --- linux-2.6.32.46/net/mac80211/debugfs_sta.c 2011-03-27 14:31:47.000000000 -0400
76850 +++ linux-2.6.32.46/net/mac80211/debugfs_sta.c 2011-05-16 21:46:57.000000000 -0400
76851 @@ -124,6 +124,8 @@ static ssize_t sta_agg_status_read(struc
76852 int i;
76853 struct sta_info *sta = file->private_data;
76854
76855 + pax_track_stack();
76856 +
76857 spin_lock_bh(&sta->lock);
76858 p += scnprintf(p, sizeof(buf)+buf-p, "next dialog_token is %#02x\n",
76859 sta->ampdu_mlme.dialog_token_allocator + 1);
76860 diff -urNp linux-2.6.32.46/net/mac80211/ieee80211_i.h linux-2.6.32.46/net/mac80211/ieee80211_i.h
76861 --- linux-2.6.32.46/net/mac80211/ieee80211_i.h 2011-03-27 14:31:47.000000000 -0400
76862 +++ linux-2.6.32.46/net/mac80211/ieee80211_i.h 2011-04-17 15:56:46.000000000 -0400
76863 @@ -25,6 +25,7 @@
76864 #include <linux/etherdevice.h>
76865 #include <net/cfg80211.h>
76866 #include <net/mac80211.h>
76867 +#include <asm/local.h>
76868 #include "key.h"
76869 #include "sta_info.h"
76870
76871 @@ -635,7 +636,7 @@ struct ieee80211_local {
76872 /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
76873 spinlock_t queue_stop_reason_lock;
76874
76875 - int open_count;
76876 + local_t open_count;
76877 int monitors, cooked_mntrs;
76878 /* number of interfaces with corresponding FIF_ flags */
76879 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll;
76880 diff -urNp linux-2.6.32.46/net/mac80211/iface.c linux-2.6.32.46/net/mac80211/iface.c
76881 --- linux-2.6.32.46/net/mac80211/iface.c 2011-03-27 14:31:47.000000000 -0400
76882 +++ linux-2.6.32.46/net/mac80211/iface.c 2011-04-17 15:56:46.000000000 -0400
76883 @@ -166,7 +166,7 @@ static int ieee80211_open(struct net_dev
76884 break;
76885 }
76886
76887 - if (local->open_count == 0) {
76888 + if (local_read(&local->open_count) == 0) {
76889 res = drv_start(local);
76890 if (res)
76891 goto err_del_bss;
76892 @@ -196,7 +196,7 @@ static int ieee80211_open(struct net_dev
76893 * Validate the MAC address for this device.
76894 */
76895 if (!is_valid_ether_addr(dev->dev_addr)) {
76896 - if (!local->open_count)
76897 + if (!local_read(&local->open_count))
76898 drv_stop(local);
76899 return -EADDRNOTAVAIL;
76900 }
76901 @@ -292,7 +292,7 @@ static int ieee80211_open(struct net_dev
76902
76903 hw_reconf_flags |= __ieee80211_recalc_idle(local);
76904
76905 - local->open_count++;
76906 + local_inc(&local->open_count);
76907 if (hw_reconf_flags) {
76908 ieee80211_hw_config(local, hw_reconf_flags);
76909 /*
76910 @@ -320,7 +320,7 @@ static int ieee80211_open(struct net_dev
76911 err_del_interface:
76912 drv_remove_interface(local, &conf);
76913 err_stop:
76914 - if (!local->open_count)
76915 + if (!local_read(&local->open_count))
76916 drv_stop(local);
76917 err_del_bss:
76918 sdata->bss = NULL;
76919 @@ -420,7 +420,7 @@ static int ieee80211_stop(struct net_dev
76920 WARN_ON(!list_empty(&sdata->u.ap.vlans));
76921 }
76922
76923 - local->open_count--;
76924 + local_dec(&local->open_count);
76925
76926 switch (sdata->vif.type) {
76927 case NL80211_IFTYPE_AP_VLAN:
76928 @@ -526,7 +526,7 @@ static int ieee80211_stop(struct net_dev
76929
76930 ieee80211_recalc_ps(local, -1);
76931
76932 - if (local->open_count == 0) {
76933 + if (local_read(&local->open_count) == 0) {
76934 ieee80211_clear_tx_pending(local);
76935 ieee80211_stop_device(local);
76936
76937 diff -urNp linux-2.6.32.46/net/mac80211/main.c linux-2.6.32.46/net/mac80211/main.c
76938 --- linux-2.6.32.46/net/mac80211/main.c 2011-05-10 22:12:02.000000000 -0400
76939 +++ linux-2.6.32.46/net/mac80211/main.c 2011-05-10 22:12:34.000000000 -0400
76940 @@ -145,7 +145,7 @@ int ieee80211_hw_config(struct ieee80211
76941 local->hw.conf.power_level = power;
76942 }
76943
76944 - if (changed && local->open_count) {
76945 + if (changed && local_read(&local->open_count)) {
76946 ret = drv_config(local, changed);
76947 /*
76948 * Goal:
76949 diff -urNp linux-2.6.32.46/net/mac80211/mlme.c linux-2.6.32.46/net/mac80211/mlme.c
76950 --- linux-2.6.32.46/net/mac80211/mlme.c 2011-08-09 18:35:30.000000000 -0400
76951 +++ linux-2.6.32.46/net/mac80211/mlme.c 2011-08-09 18:34:01.000000000 -0400
76952 @@ -1438,6 +1438,8 @@ ieee80211_rx_mgmt_assoc_resp(struct ieee
76953 bool have_higher_than_11mbit = false, newsta = false;
76954 u16 ap_ht_cap_flags;
76955
76956 + pax_track_stack();
76957 +
76958 /*
76959 * AssocResp and ReassocResp have identical structure, so process both
76960 * of them in this function.
76961 diff -urNp linux-2.6.32.46/net/mac80211/pm.c linux-2.6.32.46/net/mac80211/pm.c
76962 --- linux-2.6.32.46/net/mac80211/pm.c 2011-03-27 14:31:47.000000000 -0400
76963 +++ linux-2.6.32.46/net/mac80211/pm.c 2011-04-17 15:56:46.000000000 -0400
76964 @@ -107,7 +107,7 @@ int __ieee80211_suspend(struct ieee80211
76965 }
76966
76967 /* stop hardware - this must stop RX */
76968 - if (local->open_count)
76969 + if (local_read(&local->open_count))
76970 ieee80211_stop_device(local);
76971
76972 local->suspended = true;
76973 diff -urNp linux-2.6.32.46/net/mac80211/rate.c linux-2.6.32.46/net/mac80211/rate.c
76974 --- linux-2.6.32.46/net/mac80211/rate.c 2011-03-27 14:31:47.000000000 -0400
76975 +++ linux-2.6.32.46/net/mac80211/rate.c 2011-04-17 15:56:46.000000000 -0400
76976 @@ -287,7 +287,7 @@ int ieee80211_init_rate_ctrl_alg(struct
76977 struct rate_control_ref *ref, *old;
76978
76979 ASSERT_RTNL();
76980 - if (local->open_count)
76981 + if (local_read(&local->open_count))
76982 return -EBUSY;
76983
76984 ref = rate_control_alloc(name, local);
76985 diff -urNp linux-2.6.32.46/net/mac80211/tx.c linux-2.6.32.46/net/mac80211/tx.c
76986 --- linux-2.6.32.46/net/mac80211/tx.c 2011-03-27 14:31:47.000000000 -0400
76987 +++ linux-2.6.32.46/net/mac80211/tx.c 2011-04-17 15:56:46.000000000 -0400
76988 @@ -173,7 +173,7 @@ static __le16 ieee80211_duration(struct
76989 return cpu_to_le16(dur);
76990 }
76991
76992 -static int inline is_ieee80211_device(struct ieee80211_local *local,
76993 +static inline int is_ieee80211_device(struct ieee80211_local *local,
76994 struct net_device *dev)
76995 {
76996 return local == wdev_priv(dev->ieee80211_ptr);
76997 diff -urNp linux-2.6.32.46/net/mac80211/util.c linux-2.6.32.46/net/mac80211/util.c
76998 --- linux-2.6.32.46/net/mac80211/util.c 2011-03-27 14:31:47.000000000 -0400
76999 +++ linux-2.6.32.46/net/mac80211/util.c 2011-04-17 15:56:46.000000000 -0400
77000 @@ -1042,7 +1042,7 @@ int ieee80211_reconfig(struct ieee80211_
77001 local->resuming = true;
77002
77003 /* restart hardware */
77004 - if (local->open_count) {
77005 + if (local_read(&local->open_count)) {
77006 /*
77007 * Upon resume hardware can sometimes be goofy due to
77008 * various platform / driver / bus issues, so restarting
77009 diff -urNp linux-2.6.32.46/net/netfilter/ipvs/ip_vs_app.c linux-2.6.32.46/net/netfilter/ipvs/ip_vs_app.c
77010 --- linux-2.6.32.46/net/netfilter/ipvs/ip_vs_app.c 2011-03-27 14:31:47.000000000 -0400
77011 +++ linux-2.6.32.46/net/netfilter/ipvs/ip_vs_app.c 2011-05-17 19:26:34.000000000 -0400
77012 @@ -564,7 +564,7 @@ static const struct file_operations ip_v
77013 .open = ip_vs_app_open,
77014 .read = seq_read,
77015 .llseek = seq_lseek,
77016 - .release = seq_release,
77017 + .release = seq_release_net,
77018 };
77019 #endif
77020
77021 diff -urNp linux-2.6.32.46/net/netfilter/ipvs/ip_vs_conn.c linux-2.6.32.46/net/netfilter/ipvs/ip_vs_conn.c
77022 --- linux-2.6.32.46/net/netfilter/ipvs/ip_vs_conn.c 2011-03-27 14:31:47.000000000 -0400
77023 +++ linux-2.6.32.46/net/netfilter/ipvs/ip_vs_conn.c 2011-05-17 19:26:34.000000000 -0400
77024 @@ -453,10 +453,10 @@ ip_vs_bind_dest(struct ip_vs_conn *cp, s
77025 /* if the connection is not template and is created
77026 * by sync, preserve the activity flag.
77027 */
77028 - cp->flags |= atomic_read(&dest->conn_flags) &
77029 + cp->flags |= atomic_read_unchecked(&dest->conn_flags) &
77030 (~IP_VS_CONN_F_INACTIVE);
77031 else
77032 - cp->flags |= atomic_read(&dest->conn_flags);
77033 + cp->flags |= atomic_read_unchecked(&dest->conn_flags);
77034 cp->dest = dest;
77035
77036 IP_VS_DBG_BUF(7, "Bind-dest %s c:%s:%d v:%s:%d "
77037 @@ -723,7 +723,7 @@ ip_vs_conn_new(int af, int proto, const
77038 atomic_set(&cp->refcnt, 1);
77039
77040 atomic_set(&cp->n_control, 0);
77041 - atomic_set(&cp->in_pkts, 0);
77042 + atomic_set_unchecked(&cp->in_pkts, 0);
77043
77044 atomic_inc(&ip_vs_conn_count);
77045 if (flags & IP_VS_CONN_F_NO_CPORT)
77046 @@ -871,7 +871,7 @@ static const struct file_operations ip_v
77047 .open = ip_vs_conn_open,
77048 .read = seq_read,
77049 .llseek = seq_lseek,
77050 - .release = seq_release,
77051 + .release = seq_release_net,
77052 };
77053
77054 static const char *ip_vs_origin_name(unsigned flags)
77055 @@ -934,7 +934,7 @@ static const struct file_operations ip_v
77056 .open = ip_vs_conn_sync_open,
77057 .read = seq_read,
77058 .llseek = seq_lseek,
77059 - .release = seq_release,
77060 + .release = seq_release_net,
77061 };
77062
77063 #endif
77064 @@ -961,7 +961,7 @@ static inline int todrop_entry(struct ip
77065
77066 /* Don't drop the entry if its number of incoming packets is not
77067 located in [0, 8] */
77068 - i = atomic_read(&cp->in_pkts);
77069 + i = atomic_read_unchecked(&cp->in_pkts);
77070 if (i > 8 || i < 0) return 0;
77071
77072 if (!todrop_rate[i]) return 0;
77073 diff -urNp linux-2.6.32.46/net/netfilter/ipvs/ip_vs_core.c linux-2.6.32.46/net/netfilter/ipvs/ip_vs_core.c
77074 --- linux-2.6.32.46/net/netfilter/ipvs/ip_vs_core.c 2011-03-27 14:31:47.000000000 -0400
77075 +++ linux-2.6.32.46/net/netfilter/ipvs/ip_vs_core.c 2011-05-04 17:56:28.000000000 -0400
77076 @@ -485,7 +485,7 @@ int ip_vs_leave(struct ip_vs_service *sv
77077 ret = cp->packet_xmit(skb, cp, pp);
77078 /* do not touch skb anymore */
77079
77080 - atomic_inc(&cp->in_pkts);
77081 + atomic_inc_unchecked(&cp->in_pkts);
77082 ip_vs_conn_put(cp);
77083 return ret;
77084 }
77085 @@ -1357,7 +1357,7 @@ ip_vs_in(unsigned int hooknum, struct sk
77086 * Sync connection if it is about to close to
77087 * encorage the standby servers to update the connections timeout
77088 */
77089 - pkts = atomic_add_return(1, &cp->in_pkts);
77090 + pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
77091 if (af == AF_INET &&
77092 (ip_vs_sync_state & IP_VS_STATE_MASTER) &&
77093 (((cp->protocol != IPPROTO_TCP ||
77094 diff -urNp linux-2.6.32.46/net/netfilter/ipvs/ip_vs_ctl.c linux-2.6.32.46/net/netfilter/ipvs/ip_vs_ctl.c
77095 --- linux-2.6.32.46/net/netfilter/ipvs/ip_vs_ctl.c 2011-03-27 14:31:47.000000000 -0400
77096 +++ linux-2.6.32.46/net/netfilter/ipvs/ip_vs_ctl.c 2011-05-17 19:26:34.000000000 -0400
77097 @@ -792,7 +792,7 @@ __ip_vs_update_dest(struct ip_vs_service
77098 ip_vs_rs_hash(dest);
77099 write_unlock_bh(&__ip_vs_rs_lock);
77100 }
77101 - atomic_set(&dest->conn_flags, conn_flags);
77102 + atomic_set_unchecked(&dest->conn_flags, conn_flags);
77103
77104 /* bind the service */
77105 if (!dest->svc) {
77106 @@ -1888,7 +1888,7 @@ static int ip_vs_info_seq_show(struct se
77107 " %-7s %-6d %-10d %-10d\n",
77108 &dest->addr.in6,
77109 ntohs(dest->port),
77110 - ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
77111 + ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
77112 atomic_read(&dest->weight),
77113 atomic_read(&dest->activeconns),
77114 atomic_read(&dest->inactconns));
77115 @@ -1899,7 +1899,7 @@ static int ip_vs_info_seq_show(struct se
77116 "%-7s %-6d %-10d %-10d\n",
77117 ntohl(dest->addr.ip),
77118 ntohs(dest->port),
77119 - ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
77120 + ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
77121 atomic_read(&dest->weight),
77122 atomic_read(&dest->activeconns),
77123 atomic_read(&dest->inactconns));
77124 @@ -1927,7 +1927,7 @@ static const struct file_operations ip_v
77125 .open = ip_vs_info_open,
77126 .read = seq_read,
77127 .llseek = seq_lseek,
77128 - .release = seq_release_private,
77129 + .release = seq_release_net,
77130 };
77131
77132 #endif
77133 @@ -1976,7 +1976,7 @@ static const struct file_operations ip_v
77134 .open = ip_vs_stats_seq_open,
77135 .read = seq_read,
77136 .llseek = seq_lseek,
77137 - .release = single_release,
77138 + .release = single_release_net,
77139 };
77140
77141 #endif
77142 @@ -2292,7 +2292,7 @@ __ip_vs_get_dest_entries(const struct ip
77143
77144 entry.addr = dest->addr.ip;
77145 entry.port = dest->port;
77146 - entry.conn_flags = atomic_read(&dest->conn_flags);
77147 + entry.conn_flags = atomic_read_unchecked(&dest->conn_flags);
77148 entry.weight = atomic_read(&dest->weight);
77149 entry.u_threshold = dest->u_threshold;
77150 entry.l_threshold = dest->l_threshold;
77151 @@ -2353,6 +2353,8 @@ do_ip_vs_get_ctl(struct sock *sk, int cm
77152 unsigned char arg[128];
77153 int ret = 0;
77154
77155 + pax_track_stack();
77156 +
77157 if (!capable(CAP_NET_ADMIN))
77158 return -EPERM;
77159
77160 @@ -2802,7 +2804,7 @@ static int ip_vs_genl_fill_dest(struct s
77161 NLA_PUT_U16(skb, IPVS_DEST_ATTR_PORT, dest->port);
77162
77163 NLA_PUT_U32(skb, IPVS_DEST_ATTR_FWD_METHOD,
77164 - atomic_read(&dest->conn_flags) & IP_VS_CONN_F_FWD_MASK);
77165 + atomic_read_unchecked(&dest->conn_flags) & IP_VS_CONN_F_FWD_MASK);
77166 NLA_PUT_U32(skb, IPVS_DEST_ATTR_WEIGHT, atomic_read(&dest->weight));
77167 NLA_PUT_U32(skb, IPVS_DEST_ATTR_U_THRESH, dest->u_threshold);
77168 NLA_PUT_U32(skb, IPVS_DEST_ATTR_L_THRESH, dest->l_threshold);
77169 diff -urNp linux-2.6.32.46/net/netfilter/ipvs/ip_vs_sync.c linux-2.6.32.46/net/netfilter/ipvs/ip_vs_sync.c
77170 --- linux-2.6.32.46/net/netfilter/ipvs/ip_vs_sync.c 2011-03-27 14:31:47.000000000 -0400
77171 +++ linux-2.6.32.46/net/netfilter/ipvs/ip_vs_sync.c 2011-05-04 17:56:28.000000000 -0400
77172 @@ -438,7 +438,7 @@ static void ip_vs_process_message(const
77173
77174 if (opt)
77175 memcpy(&cp->in_seq, opt, sizeof(*opt));
77176 - atomic_set(&cp->in_pkts, sysctl_ip_vs_sync_threshold[0]);
77177 + atomic_set_unchecked(&cp->in_pkts, sysctl_ip_vs_sync_threshold[0]);
77178 cp->state = state;
77179 cp->old_state = cp->state;
77180 /*
77181 diff -urNp linux-2.6.32.46/net/netfilter/ipvs/ip_vs_xmit.c linux-2.6.32.46/net/netfilter/ipvs/ip_vs_xmit.c
77182 --- linux-2.6.32.46/net/netfilter/ipvs/ip_vs_xmit.c 2011-03-27 14:31:47.000000000 -0400
77183 +++ linux-2.6.32.46/net/netfilter/ipvs/ip_vs_xmit.c 2011-05-04 17:56:28.000000000 -0400
77184 @@ -875,7 +875,7 @@ ip_vs_icmp_xmit(struct sk_buff *skb, str
77185 else
77186 rc = NF_ACCEPT;
77187 /* do not touch skb anymore */
77188 - atomic_inc(&cp->in_pkts);
77189 + atomic_inc_unchecked(&cp->in_pkts);
77190 goto out;
77191 }
77192
77193 @@ -949,7 +949,7 @@ ip_vs_icmp_xmit_v6(struct sk_buff *skb,
77194 else
77195 rc = NF_ACCEPT;
77196 /* do not touch skb anymore */
77197 - atomic_inc(&cp->in_pkts);
77198 + atomic_inc_unchecked(&cp->in_pkts);
77199 goto out;
77200 }
77201
77202 diff -urNp linux-2.6.32.46/net/netfilter/Kconfig linux-2.6.32.46/net/netfilter/Kconfig
77203 --- linux-2.6.32.46/net/netfilter/Kconfig 2011-03-27 14:31:47.000000000 -0400
77204 +++ linux-2.6.32.46/net/netfilter/Kconfig 2011-04-17 15:56:46.000000000 -0400
77205 @@ -635,6 +635,16 @@ config NETFILTER_XT_MATCH_ESP
77206
77207 To compile it as a module, choose M here. If unsure, say N.
77208
77209 +config NETFILTER_XT_MATCH_GRADM
77210 + tristate '"gradm" match support'
77211 + depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
77212 + depends on GRKERNSEC && !GRKERNSEC_NO_RBAC
77213 + ---help---
77214 + The gradm match allows to match on grsecurity RBAC being enabled.
77215 + It is useful when iptables rules are applied early on bootup to
77216 + prevent connections to the machine (except from a trusted host)
77217 + while the RBAC system is disabled.
77218 +
77219 config NETFILTER_XT_MATCH_HASHLIMIT
77220 tristate '"hashlimit" match support'
77221 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
77222 diff -urNp linux-2.6.32.46/net/netfilter/Makefile linux-2.6.32.46/net/netfilter/Makefile
77223 --- linux-2.6.32.46/net/netfilter/Makefile 2011-03-27 14:31:47.000000000 -0400
77224 +++ linux-2.6.32.46/net/netfilter/Makefile 2011-04-17 15:56:46.000000000 -0400
77225 @@ -68,6 +68,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRAC
77226 obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o
77227 obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
77228 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
77229 +obj-$(CONFIG_NETFILTER_XT_MATCH_GRADM) += xt_gradm.o
77230 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
77231 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
77232 obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
77233 diff -urNp linux-2.6.32.46/net/netfilter/nf_conntrack_netlink.c linux-2.6.32.46/net/netfilter/nf_conntrack_netlink.c
77234 --- linux-2.6.32.46/net/netfilter/nf_conntrack_netlink.c 2011-03-27 14:31:47.000000000 -0400
77235 +++ linux-2.6.32.46/net/netfilter/nf_conntrack_netlink.c 2011-04-17 15:56:46.000000000 -0400
77236 @@ -706,7 +706,7 @@ ctnetlink_parse_tuple_proto(struct nlatt
77237 static int
77238 ctnetlink_parse_tuple(const struct nlattr * const cda[],
77239 struct nf_conntrack_tuple *tuple,
77240 - enum ctattr_tuple type, u_int8_t l3num)
77241 + enum ctattr_type type, u_int8_t l3num)
77242 {
77243 struct nlattr *tb[CTA_TUPLE_MAX+1];
77244 int err;
77245 diff -urNp linux-2.6.32.46/net/netfilter/nfnetlink_log.c linux-2.6.32.46/net/netfilter/nfnetlink_log.c
77246 --- linux-2.6.32.46/net/netfilter/nfnetlink_log.c 2011-03-27 14:31:47.000000000 -0400
77247 +++ linux-2.6.32.46/net/netfilter/nfnetlink_log.c 2011-05-04 17:56:28.000000000 -0400
77248 @@ -68,7 +68,7 @@ struct nfulnl_instance {
77249 };
77250
77251 static DEFINE_RWLOCK(instances_lock);
77252 -static atomic_t global_seq;
77253 +static atomic_unchecked_t global_seq;
77254
77255 #define INSTANCE_BUCKETS 16
77256 static struct hlist_head instance_table[INSTANCE_BUCKETS];
77257 @@ -493,7 +493,7 @@ __build_packet_message(struct nfulnl_ins
77258 /* global sequence number */
77259 if (inst->flags & NFULNL_CFG_F_SEQ_GLOBAL)
77260 NLA_PUT_BE32(inst->skb, NFULA_SEQ_GLOBAL,
77261 - htonl(atomic_inc_return(&global_seq)));
77262 + htonl(atomic_inc_return_unchecked(&global_seq)));
77263
77264 if (data_len) {
77265 struct nlattr *nla;
77266 diff -urNp linux-2.6.32.46/net/netfilter/xt_gradm.c linux-2.6.32.46/net/netfilter/xt_gradm.c
77267 --- linux-2.6.32.46/net/netfilter/xt_gradm.c 1969-12-31 19:00:00.000000000 -0500
77268 +++ linux-2.6.32.46/net/netfilter/xt_gradm.c 2011-04-17 15:56:46.000000000 -0400
77269 @@ -0,0 +1,51 @@
77270 +/*
77271 + * gradm match for netfilter
77272 + * Copyright © Zbigniew Krzystolik, 2010
77273 + *
77274 + * This program is free software; you can redistribute it and/or modify
77275 + * it under the terms of the GNU General Public License; either version
77276 + * 2 or 3 as published by the Free Software Foundation.
77277 + */
77278 +#include <linux/module.h>
77279 +#include <linux/moduleparam.h>
77280 +#include <linux/skbuff.h>
77281 +#include <linux/netfilter/x_tables.h>
77282 +#include <linux/grsecurity.h>
77283 +#include <linux/netfilter/xt_gradm.h>
77284 +
77285 +static bool
77286 +gradm_mt(const struct sk_buff *skb, const struct xt_match_param *par)
77287 +{
77288 + const struct xt_gradm_mtinfo *info = par->matchinfo;
77289 + bool retval = false;
77290 + if (gr_acl_is_enabled())
77291 + retval = true;
77292 + return retval ^ info->invflags;
77293 +}
77294 +
77295 +static struct xt_match gradm_mt_reg __read_mostly = {
77296 + .name = "gradm",
77297 + .revision = 0,
77298 + .family = NFPROTO_UNSPEC,
77299 + .match = gradm_mt,
77300 + .matchsize = XT_ALIGN(sizeof(struct xt_gradm_mtinfo)),
77301 + .me = THIS_MODULE,
77302 +};
77303 +
77304 +static int __init gradm_mt_init(void)
77305 +{
77306 + return xt_register_match(&gradm_mt_reg);
77307 +}
77308 +
77309 +static void __exit gradm_mt_exit(void)
77310 +{
77311 + xt_unregister_match(&gradm_mt_reg);
77312 +}
77313 +
77314 +module_init(gradm_mt_init);
77315 +module_exit(gradm_mt_exit);
77316 +MODULE_AUTHOR("Zbigniew Krzystolik <zbyniu@destrukcja.pl>");
77317 +MODULE_DESCRIPTION("Xtables: Grsecurity RBAC match");
77318 +MODULE_LICENSE("GPL");
77319 +MODULE_ALIAS("ipt_gradm");
77320 +MODULE_ALIAS("ip6t_gradm");
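Review bot: `return retval ^ info->invflags;` in gradm_mt treats every non-zero bit of `invflags` as significant, and `gradm_mt_reg` registers no `.checkentry` to restrict the value supplied when the rule is loaded. If `invflags` is wider than one bit (its type is declared in xt_gradm.h, which is not visible here), any value other than 0 or 1 makes the expression non-zero in both RBAC states. The rule would then match unconditionally, and a policy meant to apply only while RBAC is disabled would stop depending on RBAC at all. Normalising the flag with `return retval ^ !!info->invflags;`, or rejecting other values in a checkentry callback, closes that gap.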
77321 diff -urNp linux-2.6.32.46/net/netlink/af_netlink.c linux-2.6.32.46/net/netlink/af_netlink.c
77322 --- linux-2.6.32.46/net/netlink/af_netlink.c 2011-03-27 14:31:47.000000000 -0400
77323 +++ linux-2.6.32.46/net/netlink/af_netlink.c 2011-05-04 17:56:28.000000000 -0400
77324 @@ -733,7 +733,7 @@ static void netlink_overrun(struct sock
77325 sk->sk_error_report(sk);
77326 }
77327 }
77328 - atomic_inc(&sk->sk_drops);
77329 + atomic_inc_unchecked(&sk->sk_drops);
77330 }
77331
77332 static struct sock *netlink_getsockbypid(struct sock *ssk, u32 pid)
77333 @@ -1964,15 +1964,23 @@ static int netlink_seq_show(struct seq_f
77334 struct netlink_sock *nlk = nlk_sk(s);
77335
77336 seq_printf(seq, "%p %-3d %-6d %08x %-8d %-8d %p %-8d %-8d\n",
77337 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77338 + NULL,
77339 +#else
77340 s,
77341 +#endif
77342 s->sk_protocol,
77343 nlk->pid,
77344 nlk->groups ? (u32)nlk->groups[0] : 0,
77345 sk_rmem_alloc_get(s),
77346 sk_wmem_alloc_get(s),
77347 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77348 + NULL,
77349 +#else
77350 nlk->cb,
77351 +#endif
77352 atomic_read(&s->sk_refcnt),
77353 - atomic_read(&s->sk_drops)
77354 + atomic_read_unchecked(&s->sk_drops)
77355 );
77356
77357 }
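Review bot: Under CONFIG_GRKERNSEC_HIDESYM both `%p` columns of this seq_file line are fed `NULL`, which changes how the first and seventh fields look. Any consumer that parses them as addresses should be checked, because how `%p` renders NULL depends on the kernel's vsnprintf and is not visible here. The `#ifdef`/`NULL`/`#else`/`#endif` group inside the argument list is repeated in packet_seq_show, pn_sock_seq_show and both sctp seq_show hunks. A helper defined once would keep the call sites readable and would stay valid if the callee were ever a macro, since preprocessor directives inside macro arguments are undefined. A possible shape (the name is only a suggestion) is `#define GR_HIDE_PTR(p) NULL` under the option and `#define GR_HIDE_PTR(p) (p)` otherwise.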
77358 diff -urNp linux-2.6.32.46/net/netrom/af_netrom.c linux-2.6.32.46/net/netrom/af_netrom.c
77359 --- linux-2.6.32.46/net/netrom/af_netrom.c 2011-03-27 14:31:47.000000000 -0400
77360 +++ linux-2.6.32.46/net/netrom/af_netrom.c 2011-04-17 15:56:46.000000000 -0400
77361 @@ -838,6 +838,7 @@ static int nr_getname(struct socket *soc
77362 struct sock *sk = sock->sk;
77363 struct nr_sock *nr = nr_sk(sk);
77364
77365 + memset(sax, 0, sizeof(*sax));
77366 lock_sock(sk);
77367 if (peer != 0) {
77368 if (sk->sk_state != TCP_ESTABLISHED) {
77369 @@ -852,7 +853,6 @@ static int nr_getname(struct socket *soc
77370 *uaddr_len = sizeof(struct full_sockaddr_ax25);
77371 } else {
77372 sax->fsa_ax25.sax25_family = AF_NETROM;
77373 - sax->fsa_ax25.sax25_ndigis = 0;
77374 sax->fsa_ax25.sax25_call = nr->source_addr;
77375 *uaddr_len = sizeof(struct sockaddr_ax25);
77376 }
77377 diff -urNp linux-2.6.32.46/net/packet/af_packet.c linux-2.6.32.46/net/packet/af_packet.c
77378 --- linux-2.6.32.46/net/packet/af_packet.c 2011-07-13 17:23:04.000000000 -0400
77379 +++ linux-2.6.32.46/net/packet/af_packet.c 2011-07-13 17:23:27.000000000 -0400
77380 @@ -2429,7 +2429,11 @@ static int packet_seq_show(struct seq_fi
77381
77382 seq_printf(seq,
77383 "%p %-6d %-4d %04x %-5d %1d %-6u %-6u %-6lu\n",
77384 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77385 + NULL,
77386 +#else
77387 s,
77388 +#endif
77389 atomic_read(&s->sk_refcnt),
77390 s->sk_type,
77391 ntohs(po->num),
77392 diff -urNp linux-2.6.32.46/net/phonet/af_phonet.c linux-2.6.32.46/net/phonet/af_phonet.c
77393 --- linux-2.6.32.46/net/phonet/af_phonet.c 2011-03-27 14:31:47.000000000 -0400
77394 +++ linux-2.6.32.46/net/phonet/af_phonet.c 2011-04-17 15:56:46.000000000 -0400
77395 @@ -41,7 +41,7 @@ static struct phonet_protocol *phonet_pr
77396 {
77397 struct phonet_protocol *pp;
77398
77399 - if (protocol >= PHONET_NPROTO)
77400 + if (protocol < 0 || protocol >= PHONET_NPROTO)
77401 return NULL;
77402
77403 spin_lock(&proto_tab_lock);
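Review bot: The added `protocol < 0` test implies `protocol` is a signed int, though the signature is outside the hunk. If so, declaring the parameter `unsigned int` would make the single `protocol >= PHONET_NPROTO` comparison sufficient, so the lower bound could not be forgotten at another call site. The same guard is duplicated in phonet_proto_register in the next hunk. Any other function in this file that indexes the protocol table by `protocol` (not visible here) needs the same bound. The function body continues past the end of this hunk.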
77404 @@ -402,7 +402,7 @@ int __init_or_module phonet_proto_regist
77405 {
77406 int err = 0;
77407
77408 - if (protocol >= PHONET_NPROTO)
77409 + if (protocol < 0 || protocol >= PHONET_NPROTO)
77410 return -EINVAL;
77411
77412 err = proto_register(pp->prot, 1);
77413 diff -urNp linux-2.6.32.46/net/phonet/datagram.c linux-2.6.32.46/net/phonet/datagram.c
77414 --- linux-2.6.32.46/net/phonet/datagram.c 2011-03-27 14:31:47.000000000 -0400
77415 +++ linux-2.6.32.46/net/phonet/datagram.c 2011-05-04 17:56:28.000000000 -0400
77416 @@ -162,7 +162,7 @@ static int pn_backlog_rcv(struct sock *s
77417 if (err < 0) {
77418 kfree_skb(skb);
77419 if (err == -ENOMEM)
77420 - atomic_inc(&sk->sk_drops);
77421 + atomic_inc_unchecked(&sk->sk_drops);
77422 }
77423 return err ? NET_RX_DROP : NET_RX_SUCCESS;
77424 }
77425 diff -urNp linux-2.6.32.46/net/phonet/pep.c linux-2.6.32.46/net/phonet/pep.c
77426 --- linux-2.6.32.46/net/phonet/pep.c 2011-03-27 14:31:47.000000000 -0400
77427 +++ linux-2.6.32.46/net/phonet/pep.c 2011-05-04 17:56:28.000000000 -0400
77428 @@ -348,7 +348,7 @@ static int pipe_do_rcv(struct sock *sk,
77429
77430 case PNS_PEP_CTRL_REQ:
77431 if (skb_queue_len(&pn->ctrlreq_queue) >= PNPIPE_CTRLREQ_MAX) {
77432 - atomic_inc(&sk->sk_drops);
77433 + atomic_inc_unchecked(&sk->sk_drops);
77434 break;
77435 }
77436 __skb_pull(skb, 4);
77437 @@ -362,12 +362,12 @@ static int pipe_do_rcv(struct sock *sk,
77438 if (!err)
77439 return 0;
77440 if (err == -ENOMEM)
77441 - atomic_inc(&sk->sk_drops);
77442 + atomic_inc_unchecked(&sk->sk_drops);
77443 break;
77444 }
77445
77446 if (pn->rx_credits == 0) {
77447 - atomic_inc(&sk->sk_drops);
77448 + atomic_inc_unchecked(&sk->sk_drops);
77449 err = -ENOBUFS;
77450 break;
77451 }
77452 diff -urNp linux-2.6.32.46/net/phonet/socket.c linux-2.6.32.46/net/phonet/socket.c
77453 --- linux-2.6.32.46/net/phonet/socket.c 2011-03-27 14:31:47.000000000 -0400
77454 +++ linux-2.6.32.46/net/phonet/socket.c 2011-05-04 17:57:07.000000000 -0400
77455 @@ -482,8 +482,13 @@ static int pn_sock_seq_show(struct seq_f
77456 sk->sk_state,
77457 sk_wmem_alloc_get(sk), sk_rmem_alloc_get(sk),
77458 sock_i_uid(sk), sock_i_ino(sk),
77459 - atomic_read(&sk->sk_refcnt), sk,
77460 - atomic_read(&sk->sk_drops), &len);
77461 + atomic_read(&sk->sk_refcnt),
77462 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77463 + NULL,
77464 +#else
77465 + sk,
77466 +#endif
77467 + atomic_read_unchecked(&sk->sk_drops), &len);
77468 }
77469 seq_printf(seq, "%*s\n", 127 - len, "");
77470 return 0;
77471 diff -urNp linux-2.6.32.46/net/rds/cong.c linux-2.6.32.46/net/rds/cong.c
77472 --- linux-2.6.32.46/net/rds/cong.c 2011-03-27 14:31:47.000000000 -0400
77473 +++ linux-2.6.32.46/net/rds/cong.c 2011-05-04 17:56:28.000000000 -0400
77474 @@ -77,7 +77,7 @@
77475 * finds that the saved generation number is smaller than the global generation
77476 * number, it wakes up the process.
77477 */
77478 -static atomic_t rds_cong_generation = ATOMIC_INIT(0);
77479 +static atomic_unchecked_t rds_cong_generation = ATOMIC_INIT(0);
77480
77481 /*
77482 * Congestion monitoring
77483 @@ -232,7 +232,7 @@ void rds_cong_map_updated(struct rds_con
77484 rdsdebug("waking map %p for %pI4\n",
77485 map, &map->m_addr);
77486 rds_stats_inc(s_cong_update_received);
77487 - atomic_inc(&rds_cong_generation);
77488 + atomic_inc_unchecked(&rds_cong_generation);
77489 if (waitqueue_active(&map->m_waitq))
77490 wake_up(&map->m_waitq);
77491 if (waitqueue_active(&rds_poll_waitq))
77492 @@ -258,7 +258,7 @@ EXPORT_SYMBOL_GPL(rds_cong_map_updated);
77493
77494 int rds_cong_updated_since(unsigned long *recent)
77495 {
77496 - unsigned long gen = atomic_read(&rds_cong_generation);
77497 + unsigned long gen = atomic_read_unchecked(&rds_cong_generation);
77498
77499 if (likely(*recent == gen))
77500 return 0;
77501 diff -urNp linux-2.6.32.46/net/rds/iw_rdma.c linux-2.6.32.46/net/rds/iw_rdma.c
77502 --- linux-2.6.32.46/net/rds/iw_rdma.c 2011-03-27 14:31:47.000000000 -0400
77503 +++ linux-2.6.32.46/net/rds/iw_rdma.c 2011-05-16 21:46:57.000000000 -0400
77504 @@ -181,6 +181,8 @@ int rds_iw_update_cm_id(struct rds_iw_de
77505 struct rdma_cm_id *pcm_id;
77506 int rc;
77507
77508 + pax_track_stack();
77509 +
77510 src_addr = (struct sockaddr_in *)&cm_id->route.addr.src_addr;
77511 dst_addr = (struct sockaddr_in *)&cm_id->route.addr.dst_addr;
77512
77513 diff -urNp linux-2.6.32.46/net/rds/Kconfig linux-2.6.32.46/net/rds/Kconfig
77514 --- linux-2.6.32.46/net/rds/Kconfig 2011-03-27 14:31:47.000000000 -0400
77515 +++ linux-2.6.32.46/net/rds/Kconfig 2011-04-17 15:56:46.000000000 -0400
77516 @@ -1,7 +1,7 @@
77517
77518 config RDS
77519 tristate "The RDS Protocol (EXPERIMENTAL)"
77520 - depends on INET && EXPERIMENTAL
77521 + depends on INET && EXPERIMENTAL && BROKEN
77522 ---help---
77523 The RDS (Reliable Datagram Sockets) protocol provides reliable,
77524 sequenced delivery of datagrams over Infiniband, iWARP,
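Review bot: Adding `BROKEN` to the `depends on` line makes RDS unselectable, but nothing in the entry records why. A Kconfig comment directly above the line, for example `# deliberately disabled by this patch set: <reason from patch author>`, would tell a maintainer that this is a hardening decision and not a build failure. Without it, the dependency is likely to be dropped again during a rebase.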
77525 diff -urNp linux-2.6.32.46/net/rds/tcp.c linux-2.6.32.46/net/rds/tcp.c
77526 --- linux-2.6.32.46/net/rds/tcp.c 2011-03-27 14:31:47.000000000 -0400
77527 +++ linux-2.6.32.46/net/rds/tcp.c 2011-10-06 09:37:16.000000000 -0400
77528 @@ -57,7 +57,7 @@ void rds_tcp_nonagle(struct socket *sock
77529 int val = 1;
77530
77531 set_fs(KERNEL_DS);
77532 - sock->ops->setsockopt(sock, SOL_TCP, TCP_NODELAY, (char __user *)&val,
77533 + sock->ops->setsockopt(sock, SOL_TCP, TCP_NODELAY, (char __force_user *)&val,
77534 sizeof(val));
77535 set_fs(oldfs);
77536 }
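Review bot: The `__force_user` cast only silences the address-space annotation for a kernel pointer passed under `set_fs(KERNEL_DS)`; the open-coded address-limit switch around `sock->ops->setsockopt` remains. It could be replaced by `kernel_setsockopt(sock, SOL_TCP, TCP_NODELAY, (char *)&val, sizeof(val));`, which keeps the `set_fs` handling in one audited helper. The return value is also discarded, so a failure to set the option goes unnoticed. rds_tcp_cork in tcp_send.c has the same pattern. rds_tcp_nonagle starts outside this hunk.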
77537 diff -urNp linux-2.6.32.46/net/rds/tcp_send.c linux-2.6.32.46/net/rds/tcp_send.c
77538 --- linux-2.6.32.46/net/rds/tcp_send.c 2011-03-27 14:31:47.000000000 -0400
77539 +++ linux-2.6.32.46/net/rds/tcp_send.c 2011-10-06 09:37:16.000000000 -0400
77540 @@ -43,7 +43,7 @@ static void rds_tcp_cork(struct socket *
77541
77542 oldfs = get_fs();
77543 set_fs(KERNEL_DS);
77544 - sock->ops->setsockopt(sock, SOL_TCP, TCP_CORK, (char __user *)&val,
77545 + sock->ops->setsockopt(sock, SOL_TCP, TCP_CORK, (char __force_user *)&val,
77546 sizeof(val));
77547 set_fs(oldfs);
77548 }
77549 diff -urNp linux-2.6.32.46/net/rxrpc/af_rxrpc.c linux-2.6.32.46/net/rxrpc/af_rxrpc.c
77550 --- linux-2.6.32.46/net/rxrpc/af_rxrpc.c 2011-03-27 14:31:47.000000000 -0400
77551 +++ linux-2.6.32.46/net/rxrpc/af_rxrpc.c 2011-05-04 17:56:28.000000000 -0400
77552 @@ -38,7 +38,7 @@ static const struct proto_ops rxrpc_rpc_
77553 __be32 rxrpc_epoch;
77554
77555 /* current debugging ID */
77556 -atomic_t rxrpc_debug_id;
77557 +atomic_unchecked_t rxrpc_debug_id;
77558
77559 /* count of skbs currently in use */
77560 atomic_t rxrpc_n_skbs;
77561 diff -urNp linux-2.6.32.46/net/rxrpc/ar-ack.c linux-2.6.32.46/net/rxrpc/ar-ack.c
77562 --- linux-2.6.32.46/net/rxrpc/ar-ack.c 2011-03-27 14:31:47.000000000 -0400
77563 +++ linux-2.6.32.46/net/rxrpc/ar-ack.c 2011-05-16 21:46:57.000000000 -0400
77564 @@ -174,7 +174,7 @@ static void rxrpc_resend(struct rxrpc_ca
77565
77566 _enter("{%d,%d,%d,%d},",
77567 call->acks_hard, call->acks_unacked,
77568 - atomic_read(&call->sequence),
77569 + atomic_read_unchecked(&call->sequence),
77570 CIRC_CNT(call->acks_head, call->acks_tail, call->acks_winsz));
77571
77572 stop = 0;
77573 @@ -198,7 +198,7 @@ static void rxrpc_resend(struct rxrpc_ca
77574
77575 /* each Tx packet has a new serial number */
77576 sp->hdr.serial =
77577 - htonl(atomic_inc_return(&call->conn->serial));
77578 + htonl(atomic_inc_return_unchecked(&call->conn->serial));
77579
77580 hdr = (struct rxrpc_header *) txb->head;
77581 hdr->serial = sp->hdr.serial;
77582 @@ -401,7 +401,7 @@ static void rxrpc_rotate_tx_window(struc
77583 */
77584 static void rxrpc_clear_tx_window(struct rxrpc_call *call)
77585 {
77586 - rxrpc_rotate_tx_window(call, atomic_read(&call->sequence));
77587 + rxrpc_rotate_tx_window(call, atomic_read_unchecked(&call->sequence));
77588 }
77589
77590 /*
77591 @@ -627,7 +627,7 @@ process_further:
77592
77593 latest = ntohl(sp->hdr.serial);
77594 hard = ntohl(ack.firstPacket);
77595 - tx = atomic_read(&call->sequence);
77596 + tx = atomic_read_unchecked(&call->sequence);
77597
77598 _proto("Rx ACK %%%u { m=%hu f=#%u p=#%u s=%%%u r=%s n=%u }",
77599 latest,
77600 @@ -840,6 +840,8 @@ void rxrpc_process_call(struct work_stru
77601 u32 abort_code = RX_PROTOCOL_ERROR;
77602 u8 *acks = NULL;
77603
77604 + pax_track_stack();
77605 +
77606 //printk("\n--------------------\n");
77607 _enter("{%d,%s,%lx} [%lu]",
77608 call->debug_id, rxrpc_call_states[call->state], call->events,
77609 @@ -1159,7 +1161,7 @@ void rxrpc_process_call(struct work_stru
77610 goto maybe_reschedule;
77611
77612 send_ACK_with_skew:
77613 - ack.maxSkew = htons(atomic_read(&call->conn->hi_serial) -
77614 + ack.maxSkew = htons(atomic_read_unchecked(&call->conn->hi_serial) -
77615 ntohl(ack.serial));
77616 send_ACK:
77617 mtu = call->conn->trans->peer->if_mtu;
77618 @@ -1171,7 +1173,7 @@ send_ACK:
77619 ackinfo.rxMTU = htonl(5692);
77620 ackinfo.jumbo_max = htonl(4);
77621
77622 - hdr.serial = htonl(atomic_inc_return(&call->conn->serial));
77623 + hdr.serial = htonl(atomic_inc_return_unchecked(&call->conn->serial));
77624 _proto("Tx ACK %%%u { m=%hu f=#%u p=#%u s=%%%u r=%s n=%u }",
77625 ntohl(hdr.serial),
77626 ntohs(ack.maxSkew),
77627 @@ -1189,7 +1191,7 @@ send_ACK:
77628 send_message:
77629 _debug("send message");
77630
77631 - hdr.serial = htonl(atomic_inc_return(&call->conn->serial));
77632 + hdr.serial = htonl(atomic_inc_return_unchecked(&call->conn->serial));
77633 _proto("Tx %s %%%u", rxrpc_pkts[hdr.type], ntohl(hdr.serial));
77634 send_message_2:
77635
77636 diff -urNp linux-2.6.32.46/net/rxrpc/ar-call.c linux-2.6.32.46/net/rxrpc/ar-call.c
77637 --- linux-2.6.32.46/net/rxrpc/ar-call.c 2011-03-27 14:31:47.000000000 -0400
77638 +++ linux-2.6.32.46/net/rxrpc/ar-call.c 2011-05-04 17:56:28.000000000 -0400
77639 @@ -82,7 +82,7 @@ static struct rxrpc_call *rxrpc_alloc_ca
77640 spin_lock_init(&call->lock);
77641 rwlock_init(&call->state_lock);
77642 atomic_set(&call->usage, 1);
77643 - call->debug_id = atomic_inc_return(&rxrpc_debug_id);
77644 + call->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
77645 call->state = RXRPC_CALL_CLIENT_SEND_REQUEST;
77646
77647 memset(&call->sock_node, 0xed, sizeof(call->sock_node));
77648 diff -urNp linux-2.6.32.46/net/rxrpc/ar-connection.c linux-2.6.32.46/net/rxrpc/ar-connection.c
77649 --- linux-2.6.32.46/net/rxrpc/ar-connection.c 2011-03-27 14:31:47.000000000 -0400
77650 +++ linux-2.6.32.46/net/rxrpc/ar-connection.c 2011-05-04 17:56:28.000000000 -0400
77651 @@ -205,7 +205,7 @@ static struct rxrpc_connection *rxrpc_al
77652 rwlock_init(&conn->lock);
77653 spin_lock_init(&conn->state_lock);
77654 atomic_set(&conn->usage, 1);
77655 - conn->debug_id = atomic_inc_return(&rxrpc_debug_id);
77656 + conn->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
77657 conn->avail_calls = RXRPC_MAXCALLS;
77658 conn->size_align = 4;
77659 conn->header_size = sizeof(struct rxrpc_header);
77660 diff -urNp linux-2.6.32.46/net/rxrpc/ar-connevent.c linux-2.6.32.46/net/rxrpc/ar-connevent.c
77661 --- linux-2.6.32.46/net/rxrpc/ar-connevent.c 2011-03-27 14:31:47.000000000 -0400
77662 +++ linux-2.6.32.46/net/rxrpc/ar-connevent.c 2011-05-04 17:56:28.000000000 -0400
77663 @@ -109,7 +109,7 @@ static int rxrpc_abort_connection(struct
77664
77665 len = iov[0].iov_len + iov[1].iov_len;
77666
77667 - hdr.serial = htonl(atomic_inc_return(&conn->serial));
77668 + hdr.serial = htonl(atomic_inc_return_unchecked(&conn->serial));
77669 _proto("Tx CONN ABORT %%%u { %d }", ntohl(hdr.serial), abort_code);
77670
77671 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len);
77672 diff -urNp linux-2.6.32.46/net/rxrpc/ar-input.c linux-2.6.32.46/net/rxrpc/ar-input.c
77673 --- linux-2.6.32.46/net/rxrpc/ar-input.c 2011-03-27 14:31:47.000000000 -0400
77674 +++ linux-2.6.32.46/net/rxrpc/ar-input.c 2011-05-04 17:56:28.000000000 -0400
77675 @@ -339,9 +339,9 @@ void rxrpc_fast_process_packet(struct rx
77676 /* track the latest serial number on this connection for ACK packet
77677 * information */
77678 serial = ntohl(sp->hdr.serial);
77679 - hi_serial = atomic_read(&call->conn->hi_serial);
77680 + hi_serial = atomic_read_unchecked(&call->conn->hi_serial);
77681 while (serial > hi_serial)
77682 - hi_serial = atomic_cmpxchg(&call->conn->hi_serial, hi_serial,
77683 + hi_serial = atomic_cmpxchg_unchecked(&call->conn->hi_serial, hi_serial,
77684 serial);
77685
77686 /* request ACK generation for any ACK or DATA packet that requests
77687 diff -urNp linux-2.6.32.46/net/rxrpc/ar-internal.h linux-2.6.32.46/net/rxrpc/ar-internal.h
77688 --- linux-2.6.32.46/net/rxrpc/ar-internal.h 2011-03-27 14:31:47.000000000 -0400
77689 +++ linux-2.6.32.46/net/rxrpc/ar-internal.h 2011-05-04 17:56:28.000000000 -0400
77690 @@ -272,8 +272,8 @@ struct rxrpc_connection {
77691 int error; /* error code for local abort */
77692 int debug_id; /* debug ID for printks */
77693 unsigned call_counter; /* call ID counter */
77694 - atomic_t serial; /* packet serial number counter */
77695 - atomic_t hi_serial; /* highest serial number received */
77696 + atomic_unchecked_t serial; /* packet serial number counter */
77697 + atomic_unchecked_t hi_serial; /* highest serial number received */
77698 u8 avail_calls; /* number of calls available */
77699 u8 size_align; /* data size alignment (for security) */
77700 u8 header_size; /* rxrpc + security header size */
77701 @@ -346,7 +346,7 @@ struct rxrpc_call {
77702 spinlock_t lock;
77703 rwlock_t state_lock; /* lock for state transition */
77704 atomic_t usage;
77705 - atomic_t sequence; /* Tx data packet sequence counter */
77706 + atomic_unchecked_t sequence; /* Tx data packet sequence counter */
77707 u32 abort_code; /* local/remote abort code */
77708 enum { /* current state of call */
77709 RXRPC_CALL_CLIENT_SEND_REQUEST, /* - client sending request phase */
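Review bot: After this change the struct holds `atomic_t usage` next to `atomic_unchecked_t sequence`, and the field comment does not say why one is overflow-checked and the other is not. Presumably `sequence` is a protocol counter that may wrap, while `usage` is a reference count that must stay checked. Recording that in the comment, for example `/* Tx data packet sequence counter (may wrap; not a refcount) */`, would stop a later cleanup from converting the wrong field. The same applies to `serial` and `hi_serial` in the rxrpc_connection hunk above. struct rxrpc_call starts and ends outside this hunk.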
77710 @@ -420,7 +420,7 @@ static inline void rxrpc_abort_call(stru
77711 */
77712 extern atomic_t rxrpc_n_skbs;
77713 extern __be32 rxrpc_epoch;
77714 -extern atomic_t rxrpc_debug_id;
77715 +extern atomic_unchecked_t rxrpc_debug_id;
77716 extern struct workqueue_struct *rxrpc_workqueue;
77717
77718 /*
77719 diff -urNp linux-2.6.32.46/net/rxrpc/ar-key.c linux-2.6.32.46/net/rxrpc/ar-key.c
77720 --- linux-2.6.32.46/net/rxrpc/ar-key.c 2011-03-27 14:31:47.000000000 -0400
77721 +++ linux-2.6.32.46/net/rxrpc/ar-key.c 2011-04-17 15:56:46.000000000 -0400
77722 @@ -88,11 +88,11 @@ static int rxrpc_instantiate_xdr_rxkad(s
77723 return ret;
77724
77725 plen -= sizeof(*token);
77726 - token = kmalloc(sizeof(*token), GFP_KERNEL);
77727 + token = kzalloc(sizeof(*token), GFP_KERNEL);
77728 if (!token)
77729 return -ENOMEM;
77730
77731 - token->kad = kmalloc(plen, GFP_KERNEL);
77732 + token->kad = kzalloc(plen, GFP_KERNEL);
77733 if (!token->kad) {
77734 kfree(token);
77735 return -ENOMEM;
77736 @@ -730,10 +730,10 @@ static int rxrpc_instantiate(struct key
77737 goto error;
77738
77739 ret = -ENOMEM;
77740 - token = kmalloc(sizeof(*token), GFP_KERNEL);
77741 + token = kzalloc(sizeof(*token), GFP_KERNEL);
77742 if (!token)
77743 goto error;
77744 - token->kad = kmalloc(plen, GFP_KERNEL);
77745 + token->kad = kzalloc(plen, GFP_KERNEL);
77746 if (!token->kad)
77747 goto error_free;
77748
77749 diff -urNp linux-2.6.32.46/net/rxrpc/ar-local.c linux-2.6.32.46/net/rxrpc/ar-local.c
77750 --- linux-2.6.32.46/net/rxrpc/ar-local.c 2011-03-27 14:31:47.000000000 -0400
77751 +++ linux-2.6.32.46/net/rxrpc/ar-local.c 2011-05-04 17:56:28.000000000 -0400
77752 @@ -44,7 +44,7 @@ struct rxrpc_local *rxrpc_alloc_local(st
77753 spin_lock_init(&local->lock);
77754 rwlock_init(&local->services_lock);
77755 atomic_set(&local->usage, 1);
77756 - local->debug_id = atomic_inc_return(&rxrpc_debug_id);
77757 + local->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
77758 memcpy(&local->srx, srx, sizeof(*srx));
77759 }
77760
77761 diff -urNp linux-2.6.32.46/net/rxrpc/ar-output.c linux-2.6.32.46/net/rxrpc/ar-output.c
77762 --- linux-2.6.32.46/net/rxrpc/ar-output.c 2011-03-27 14:31:47.000000000 -0400
77763 +++ linux-2.6.32.46/net/rxrpc/ar-output.c 2011-05-04 17:56:28.000000000 -0400
77764 @@ -680,9 +680,9 @@ static int rxrpc_send_data(struct kiocb
77765 sp->hdr.cid = call->cid;
77766 sp->hdr.callNumber = call->call_id;
77767 sp->hdr.seq =
77768 - htonl(atomic_inc_return(&call->sequence));
77769 + htonl(atomic_inc_return_unchecked(&call->sequence));
77770 sp->hdr.serial =
77771 - htonl(atomic_inc_return(&conn->serial));
77772 + htonl(atomic_inc_return_unchecked(&conn->serial));
77773 sp->hdr.type = RXRPC_PACKET_TYPE_DATA;
77774 sp->hdr.userStatus = 0;
77775 sp->hdr.securityIndex = conn->security_ix;
77776 diff -urNp linux-2.6.32.46/net/rxrpc/ar-peer.c linux-2.6.32.46/net/rxrpc/ar-peer.c
77777 --- linux-2.6.32.46/net/rxrpc/ar-peer.c 2011-03-27 14:31:47.000000000 -0400
77778 +++ linux-2.6.32.46/net/rxrpc/ar-peer.c 2011-05-04 17:56:28.000000000 -0400
77779 @@ -86,7 +86,7 @@ static struct rxrpc_peer *rxrpc_alloc_pe
77780 INIT_LIST_HEAD(&peer->error_targets);
77781 spin_lock_init(&peer->lock);
77782 atomic_set(&peer->usage, 1);
77783 - peer->debug_id = atomic_inc_return(&rxrpc_debug_id);
77784 + peer->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
77785 memcpy(&peer->srx, srx, sizeof(*srx));
77786
77787 rxrpc_assess_MTU_size(peer);
77788 diff -urNp linux-2.6.32.46/net/rxrpc/ar-proc.c linux-2.6.32.46/net/rxrpc/ar-proc.c
77789 --- linux-2.6.32.46/net/rxrpc/ar-proc.c 2011-03-27 14:31:47.000000000 -0400
77790 +++ linux-2.6.32.46/net/rxrpc/ar-proc.c 2011-05-04 17:56:28.000000000 -0400
77791 @@ -164,8 +164,8 @@ static int rxrpc_connection_seq_show(str
77792 atomic_read(&conn->usage),
77793 rxrpc_conn_states[conn->state],
77794 key_serial(conn->key),
77795 - atomic_read(&conn->serial),
77796 - atomic_read(&conn->hi_serial));
77797 + atomic_read_unchecked(&conn->serial),
77798 + atomic_read_unchecked(&conn->hi_serial));
77799
77800 return 0;
77801 }
77802 diff -urNp linux-2.6.32.46/net/rxrpc/ar-transport.c linux-2.6.32.46/net/rxrpc/ar-transport.c
77803 --- linux-2.6.32.46/net/rxrpc/ar-transport.c 2011-03-27 14:31:47.000000000 -0400
77804 +++ linux-2.6.32.46/net/rxrpc/ar-transport.c 2011-05-04 17:56:28.000000000 -0400
77805 @@ -46,7 +46,7 @@ static struct rxrpc_transport *rxrpc_all
77806 spin_lock_init(&trans->client_lock);
77807 rwlock_init(&trans->conn_lock);
77808 atomic_set(&trans->usage, 1);
77809 - trans->debug_id = atomic_inc_return(&rxrpc_debug_id);
77810 + trans->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
77811
77812 if (peer->srx.transport.family == AF_INET) {
77813 switch (peer->srx.transport_type) {
77814 diff -urNp linux-2.6.32.46/net/rxrpc/rxkad.c linux-2.6.32.46/net/rxrpc/rxkad.c
77815 --- linux-2.6.32.46/net/rxrpc/rxkad.c 2011-03-27 14:31:47.000000000 -0400
77816 +++ linux-2.6.32.46/net/rxrpc/rxkad.c 2011-05-16 21:46:57.000000000 -0400
77817 @@ -210,6 +210,8 @@ static int rxkad_secure_packet_encrypt(c
77818 u16 check;
77819 int nsg;
77820
77821 + pax_track_stack();
77822 +
77823 sp = rxrpc_skb(skb);
77824
77825 _enter("");
77826 @@ -337,6 +339,8 @@ static int rxkad_verify_packet_auth(cons
77827 u16 check;
77828 int nsg;
77829
77830 + pax_track_stack();
77831 +
77832 _enter("");
77833
77834 sp = rxrpc_skb(skb);
77835 @@ -609,7 +613,7 @@ static int rxkad_issue_challenge(struct
77836
77837 len = iov[0].iov_len + iov[1].iov_len;
77838
77839 - hdr.serial = htonl(atomic_inc_return(&conn->serial));
77840 + hdr.serial = htonl(atomic_inc_return_unchecked(&conn->serial));
77841 _proto("Tx CHALLENGE %%%u", ntohl(hdr.serial));
77842
77843 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len);
77844 @@ -659,7 +663,7 @@ static int rxkad_send_response(struct rx
77845
77846 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
77847
77848 - hdr->serial = htonl(atomic_inc_return(&conn->serial));
77849 + hdr->serial = htonl(atomic_inc_return_unchecked(&conn->serial));
77850 _proto("Tx RESPONSE %%%u", ntohl(hdr->serial));
77851
77852 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len);
77853 diff -urNp linux-2.6.32.46/net/sctp/proc.c linux-2.6.32.46/net/sctp/proc.c
77854 --- linux-2.6.32.46/net/sctp/proc.c 2011-03-27 14:31:47.000000000 -0400
77855 +++ linux-2.6.32.46/net/sctp/proc.c 2011-04-17 15:56:46.000000000 -0400
77856 @@ -213,7 +213,12 @@ static int sctp_eps_seq_show(struct seq_
77857 sctp_for_each_hentry(epb, node, &head->chain) {
77858 ep = sctp_ep(epb);
77859 sk = epb->sk;
77860 - seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ", ep, sk,
77861 + seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ",
77862 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77863 + NULL, NULL,
77864 +#else
77865 + ep, sk,
77866 +#endif
77867 sctp_sk(sk)->type, sk->sk_state, hash,
77868 epb->bind_addr.port,
77869 sock_i_uid(sk), sock_i_ino(sk));
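Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` block sits in the middle of the `seq_printf()` argument list, and the same construct is repeated in `sctp_assocs_seq_show()` in the next hunk and in `unix_seq_show()` in net/unix/af_unix.c. Each copy has to keep the number of `NULL`s in step with the `%p` conversions by hand, so a later column change can silently print a real kernel address under the option. A single helper defined once would keep the call sites to one line, for instance a macro (name constructed here) that expands to `NULL` under the option and to its argument otherwise.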
77870 @@ -320,7 +325,12 @@ static int sctp_assocs_seq_show(struct s
77871 seq_printf(seq,
77872 "%8p %8p %-3d %-3d %-2d %-4d "
77873 "%4d %8d %8d %7d %5lu %-5d %5d ",
77874 - assoc, sk, sctp_sk(sk)->type, sk->sk_state,
77875 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77876 + NULL, NULL,
77877 +#else
77878 + assoc, sk,
77879 +#endif
77880 + sctp_sk(sk)->type, sk->sk_state,
77881 assoc->state, hash,
77882 assoc->assoc_id,
77883 assoc->sndbuf_used,
77884 diff -urNp linux-2.6.32.46/net/sctp/socket.c linux-2.6.32.46/net/sctp/socket.c
77885 --- linux-2.6.32.46/net/sctp/socket.c 2011-03-27 14:31:47.000000000 -0400
77886 +++ linux-2.6.32.46/net/sctp/socket.c 2011-04-23 12:56:11.000000000 -0400
77887 @@ -5802,7 +5802,6 @@ pp_found:
77888 */
77889 int reuse = sk->sk_reuse;
77890 struct sock *sk2;
77891 - struct hlist_node *node;
77892
77893 SCTP_DEBUG_PRINTK("sctp_get_port() found a possible match\n");
77894 if (pp->fastreuse && sk->sk_reuse &&
77895 diff -urNp linux-2.6.32.46/net/socket.c linux-2.6.32.46/net/socket.c
77896 --- linux-2.6.32.46/net/socket.c 2011-03-27 14:31:47.000000000 -0400
77897 +++ linux-2.6.32.46/net/socket.c 2011-10-06 09:37:16.000000000 -0400
77898 @@ -87,6 +87,7 @@
77899 #include <linux/wireless.h>
77900 #include <linux/nsproxy.h>
77901 #include <linux/magic.h>
77902 +#include <linux/in.h>
77903
77904 #include <asm/uaccess.h>
77905 #include <asm/unistd.h>
77906 @@ -97,6 +98,21 @@
77907 #include <net/sock.h>
77908 #include <linux/netfilter.h>
77909
77910 +extern void gr_attach_curr_ip(const struct sock *sk);
77911 +extern int gr_handle_sock_all(const int family, const int type,
77912 + const int protocol);
77913 +extern int gr_handle_sock_server(const struct sockaddr *sck);
77914 +extern int gr_handle_sock_server_other(const struct sock *sck);
77915 +extern int gr_handle_sock_client(const struct sockaddr *sck);
77916 +extern int gr_search_connect(struct socket * sock,
77917 + struct sockaddr_in * addr);
77918 +extern int gr_search_bind(struct socket * sock,
77919 + struct sockaddr_in * addr);
77920 +extern int gr_search_listen(struct socket * sock);
77921 +extern int gr_search_accept(struct socket * sock);
77922 +extern int gr_search_socket(const int domain, const int type,
77923 + const int protocol);
77924 +
77925 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
77926 static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
77927 unsigned long nr_segs, loff_t pos);
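Review bot: The ten `gr_*` prototypes are declared `extern` inside net/socket.c itself, so the compiler never compares them with the definitions. A signature change on the defining side would still build and then mismatch at these call sites. They belong in a header included by both this file and the file that defines them. The added lines also write `struct socket * sock`, where the surrounding prototypes use `struct kiocb *iocb`.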
77928 @@ -298,7 +314,7 @@ static int sockfs_get_sb(struct file_sys
77929 mnt);
77930 }
77931
77932 -static struct vfsmount *sock_mnt __read_mostly;
77933 +struct vfsmount *sock_mnt __read_mostly;
77934
77935 static struct file_system_type sock_fs_type = {
77936 .name = "sockfs",
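Review bot: Removing `static` makes `sock_mnt` a global symbol, but the hunk adds no declaration for it and no comment naming the code that now needs it. Without a declaration in a shared header, the external user has to carry its own private `extern`, which can drift from this definition. Declare it in a header that net/socket.c includes and note the consumer next to the definition.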
77937 @@ -1154,6 +1170,8 @@ static int __sock_create(struct net *net
77938 return -EAFNOSUPPORT;
77939 if (type < 0 || type >= SOCK_MAX)
77940 return -EINVAL;
77941 + if (protocol < 0)
77942 + return -EINVAL;
77943
77944 /* Compatibility.
77945
77946 @@ -1283,6 +1301,16 @@ SYSCALL_DEFINE3(socket, int, family, int
77947 if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
77948 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
77949
77950 + if(!gr_search_socket(family, type, protocol)) {
77951 + retval = -EACCES;
77952 + goto out;
77953 + }
77954 +
77955 + if (gr_handle_sock_all(family, type, protocol)) {
77956 + retval = -EACCES;
77957 + goto out;
77958 + }
77959 +
77960 retval = sock_create(family, type, protocol, &sock);
77961 if (retval < 0)
77962 goto out;
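Review bot: The two added checks use opposite return conventions, and nothing at the call site says so: `gr_search_socket()` denies on zero, while `gr_handle_sock_all()` denies on non-zero. The bind hunk below adds a third convention, where `gr_search_bind()` returns the error code itself. A one-line comment would prevent an accidental inversion later, e.g. `/* gr_search_socket(): 0 = deny; gr_handle_sock_all(): non-zero = deny */`. `if(!gr_search_socket(` is also missing the space after `if` that the next check has.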
77963 @@ -1415,6 +1443,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
77964 if (sock) {
77965 err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
77966 if (err >= 0) {
77967 + if (gr_handle_sock_server((struct sockaddr *)&address)) {
77968 + err = -EACCES;
77969 + goto error;
77970 + }
77971 + err = gr_search_bind(sock, (struct sockaddr_in *)&address);
77972 + if (err)
77973 + goto error;
77974 +
77975 err = security_socket_bind(sock,
77976 (struct sockaddr *)&address,
77977 addrlen);
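Review bot: `gr_search_bind()` is handed `(struct sockaddr_in *)&address` with no check of the address family or `addrlen` at this call site, and `addrlen` is not passed to it. If `move_addr_to_kernel()` copies only `addrlen` bytes, a short or non-AF_INET address leaves the `sockaddr_in` fields holding leftover stack contents, so the policy decision could rest on stale data unless the callee validates `sa_family` itself (its body is not shown here). Either pass the length along or guard the call with an explicit family and length test, and say in a comment which side owns the validation. The same applies to `gr_search_connect(sock, (struct sockaddr_in *)sck)` in the connect hunk.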
77978 @@ -1423,6 +1459,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
77979 (struct sockaddr *)
77980 &address, addrlen);
77981 }
77982 +error:
77983 fput_light(sock->file, fput_needed);
77984 }
77985 return err;
77986 @@ -1446,10 +1483,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, ba
77987 if ((unsigned)backlog > somaxconn)
77988 backlog = somaxconn;
77989
77990 + if (gr_handle_sock_server_other(sock->sk)) {
77991 + err = -EPERM;
77992 + goto error;
77993 + }
77994 +
77995 + err = gr_search_listen(sock);
77996 + if (err)
77997 + goto error;
77998 +
77999 err = security_socket_listen(sock, backlog);
78000 if (!err)
78001 err = sock->ops->listen(sock, backlog);
78002
78003 +error:
78004 fput_light(sock->file, fput_needed);
78005 }
78006 return err;
78007 @@ -1492,6 +1539,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
78008 newsock->type = sock->type;
78009 newsock->ops = sock->ops;
78010
78011 + if (gr_handle_sock_server_other(sock->sk)) {
78012 + err = -EPERM;
78013 + sock_release(newsock);
78014 + goto out_put;
78015 + }
78016 +
78017 + err = gr_search_accept(sock);
78018 + if (err) {
78019 + sock_release(newsock);
78020 + goto out_put;
78021 + }
78022 +
78023 /*
78024 * We don't need try_module_get here, as the listening socket (sock)
78025 * has the protocol module (sock->ops->owner) held.
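Review bot: Both new deny paths call `sock_release(newsock)` after `newsock->ops` has been assigned. Judging from the comment that follows, this happens before the protocol module reference for `newsock` is taken; that line is outside the hunk. `sock_release()` drops a module reference whenever `sock->ops` is set, so each denied accept would appear to release a reference that was never acquired; please confirm against the full function. Running the two checks before `newsock` is allocated, or after the module reference is taken, avoids the imbalance and removes the duplicated `sock_release(newsock); goto out_put;` pair.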
78026 @@ -1534,6 +1593,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
78027 fd_install(newfd, newfile);
78028 err = newfd;
78029
78030 + gr_attach_curr_ip(newsock->sk);
78031 +
78032 out_put:
78033 fput_light(sock->file, fput_needed);
78034 out:
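Review bot: `gr_attach_curr_ip(newsock->sk)` runs after `fd_install(newfd, newfile)`, when the descriptor is already visible to every thread sharing the file table. One of them can close it, and `newsock` may be freed before this line dereferences it. Nothing should touch the new socket once it is installed, so the call belongs above `fd_install`: `gr_attach_curr_ip(newsock->sk);` then `fd_install(newfd, newfile);`.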
78035 @@ -1571,6 +1632,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct
78036 int, addrlen)
78037 {
78038 struct socket *sock;
78039 + struct sockaddr *sck;
78040 struct sockaddr_storage address;
78041 int err, fput_needed;
78042
78043 @@ -1581,6 +1643,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct
78044 if (err < 0)
78045 goto out_put;
78046
78047 + sck = (struct sockaddr *)&address;
78048 +
78049 + if (gr_handle_sock_client(sck)) {
78050 + err = -EACCES;
78051 + goto out_put;
78052 + }
78053 +
78054 + err = gr_search_connect(sock, (struct sockaddr_in *)sck);
78055 + if (err)
78056 + goto out_put;
78057 +
78058 err =
78059 security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
78060 if (err)
78061 @@ -1882,6 +1955,8 @@ SYSCALL_DEFINE3(sendmsg, int, fd, struct
78062 int err, ctl_len, iov_size, total_len;
78063 int fput_needed;
78064
78065 + pax_track_stack();
78066 +
78067 err = -EFAULT;
78068 if (MSG_CMSG_COMPAT & flags) {
78069 if (get_compat_msghdr(&msg_sys, msg_compat))
78070 @@ -2022,7 +2097,7 @@ SYSCALL_DEFINE3(recvmsg, int, fd, struct
78071 * kernel msghdr to use the kernel address space)
78072 */
78073
78074 - uaddr = (__force void __user *)msg_sys.msg_name;
78075 + uaddr = (void __force_user *)msg_sys.msg_name;
78076 uaddr_len = COMPAT_NAMELEN(msg);
78077 if (MSG_CMSG_COMPAT & flags) {
78078 err = verify_compat_iovec(&msg_sys, iov,
78079 diff -urNp linux-2.6.32.46/net/sunrpc/sched.c linux-2.6.32.46/net/sunrpc/sched.c
78080 --- linux-2.6.32.46/net/sunrpc/sched.c 2011-08-09 18:35:30.000000000 -0400
78081 +++ linux-2.6.32.46/net/sunrpc/sched.c 2011-08-09 18:34:01.000000000 -0400
78082 @@ -234,10 +234,10 @@ static int rpc_wait_bit_killable(void *w
78083 #ifdef RPC_DEBUG
78084 static void rpc_task_set_debuginfo(struct rpc_task *task)
78085 {
78086 - static atomic_t rpc_pid;
78087 + static atomic_unchecked_t rpc_pid;
78088
78089 task->tk_magic = RPC_TASK_MAGIC_ID;
78090 - task->tk_pid = atomic_inc_return(&rpc_pid);
78091 + task->tk_pid = atomic_inc_return_unchecked(&rpc_pid);
78092 }
78093 #else
78094 static inline void rpc_task_set_debuginfo(struct rpc_task *task)
78095 diff -urNp linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma.c linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma.c
78096 --- linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma.c 2011-03-27 14:31:47.000000000 -0400
78097 +++ linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma.c 2011-05-04 17:56:20.000000000 -0400
78098 @@ -59,15 +59,15 @@ unsigned int svcrdma_max_req_size = RPCR
78099 static unsigned int min_max_inline = 4096;
78100 static unsigned int max_max_inline = 65536;
78101
78102 -atomic_t rdma_stat_recv;
78103 -atomic_t rdma_stat_read;
78104 -atomic_t rdma_stat_write;
78105 -atomic_t rdma_stat_sq_starve;
78106 -atomic_t rdma_stat_rq_starve;
78107 -atomic_t rdma_stat_rq_poll;
78108 -atomic_t rdma_stat_rq_prod;
78109 -atomic_t rdma_stat_sq_poll;
78110 -atomic_t rdma_stat_sq_prod;
78111 +atomic_unchecked_t rdma_stat_recv;
78112 +atomic_unchecked_t rdma_stat_read;
78113 +atomic_unchecked_t rdma_stat_write;
78114 +atomic_unchecked_t rdma_stat_sq_starve;
78115 +atomic_unchecked_t rdma_stat_rq_starve;
78116 +atomic_unchecked_t rdma_stat_rq_poll;
78117 +atomic_unchecked_t rdma_stat_rq_prod;
78118 +atomic_unchecked_t rdma_stat_sq_poll;
78119 +atomic_unchecked_t rdma_stat_sq_prod;
78120
78121 /* Temporary NFS request map and context caches */
78122 struct kmem_cache *svc_rdma_map_cachep;
78123 @@ -105,7 +105,7 @@ static int read_reset_stat(ctl_table *ta
78124 len -= *ppos;
78125 if (len > *lenp)
78126 len = *lenp;
78127 - if (len && copy_to_user(buffer, str_buf, len))
78128 + if (len > sizeof str_buf || (len && copy_to_user(buffer, str_buf, len)))
78129 return -EFAULT;
78130 *lenp = len;
78131 *ppos += len;
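Review bot: The new bound `len > sizeof str_buf` is folded into the `-EFAULT` return, so an out-of-range length and a faulting user pointer look the same to the caller. Nothing marks it as a defensive check either. The declaration of `len` is outside the hunk; if it is a signed `int`, the comparison converts it to `size_t`, which does reject negative values but only implicitly. I would split the test out with its own comment, `if (len > sizeof(str_buf)) return -EINVAL; /* defensive: never copy past str_buf */`, using the parenthesised `sizeof(...)` form that the table below uses.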
78132 @@ -149,63 +149,63 @@ static ctl_table svcrdma_parm_table[] =
78133 {
78134 .procname = "rdma_stat_read",
78135 .data = &rdma_stat_read,
78136 - .maxlen = sizeof(atomic_t),
78137 + .maxlen = sizeof(atomic_unchecked_t),
78138 .mode = 0644,
78139 .proc_handler = &read_reset_stat,
78140 },
78141 {
78142 .procname = "rdma_stat_recv",
78143 .data = &rdma_stat_recv,
78144 - .maxlen = sizeof(atomic_t),
78145 + .maxlen = sizeof(atomic_unchecked_t),
78146 .mode = 0644,
78147 .proc_handler = &read_reset_stat,
78148 },
78149 {
78150 .procname = "rdma_stat_write",
78151 .data = &rdma_stat_write,
78152 - .maxlen = sizeof(atomic_t),
78153 + .maxlen = sizeof(atomic_unchecked_t),
78154 .mode = 0644,
78155 .proc_handler = &read_reset_stat,
78156 },
78157 {
78158 .procname = "rdma_stat_sq_starve",
78159 .data = &rdma_stat_sq_starve,
78160 - .maxlen = sizeof(atomic_t),
78161 + .maxlen = sizeof(atomic_unchecked_t),
78162 .mode = 0644,
78163 .proc_handler = &read_reset_stat,
78164 },
78165 {
78166 .procname = "rdma_stat_rq_starve",
78167 .data = &rdma_stat_rq_starve,
78168 - .maxlen = sizeof(atomic_t),
78169 + .maxlen = sizeof(atomic_unchecked_t),
78170 .mode = 0644,
78171 .proc_handler = &read_reset_stat,
78172 },
78173 {
78174 .procname = "rdma_stat_rq_poll",
78175 .data = &rdma_stat_rq_poll,
78176 - .maxlen = sizeof(atomic_t),
78177 + .maxlen = sizeof(atomic_unchecked_t),
78178 .mode = 0644,
78179 .proc_handler = &read_reset_stat,
78180 },
78181 {
78182 .procname = "rdma_stat_rq_prod",
78183 .data = &rdma_stat_rq_prod,
78184 - .maxlen = sizeof(atomic_t),
78185 + .maxlen = sizeof(atomic_unchecked_t),
78186 .mode = 0644,
78187 .proc_handler = &read_reset_stat,
78188 },
78189 {
78190 .procname = "rdma_stat_sq_poll",
78191 .data = &rdma_stat_sq_poll,
78192 - .maxlen = sizeof(atomic_t),
78193 + .maxlen = sizeof(atomic_unchecked_t),
78194 .mode = 0644,
78195 .proc_handler = &read_reset_stat,
78196 },
78197 {
78198 .procname = "rdma_stat_sq_prod",
78199 .data = &rdma_stat_sq_prod,
78200 - .maxlen = sizeof(atomic_t),
78201 + .maxlen = sizeof(atomic_unchecked_t),
78202 .mode = 0644,
78203 .proc_handler = &read_reset_stat,
78204 },
78205 diff -urNp linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
78206 --- linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c 2011-03-27 14:31:47.000000000 -0400
78207 +++ linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c 2011-05-04 17:56:28.000000000 -0400
78208 @@ -495,7 +495,7 @@ next_sge:
78209 svc_rdma_put_context(ctxt, 0);
78210 goto out;
78211 }
78212 - atomic_inc(&rdma_stat_read);
78213 + atomic_inc_unchecked(&rdma_stat_read);
78214
78215 if (read_wr.num_sge < chl_map->ch[ch_no].count) {
78216 chl_map->ch[ch_no].count -= read_wr.num_sge;
78217 @@ -606,7 +606,7 @@ int svc_rdma_recvfrom(struct svc_rqst *r
78218 dto_q);
78219 list_del_init(&ctxt->dto_q);
78220 } else {
78221 - atomic_inc(&rdma_stat_rq_starve);
78222 + atomic_inc_unchecked(&rdma_stat_rq_starve);
78223 clear_bit(XPT_DATA, &xprt->xpt_flags);
78224 ctxt = NULL;
78225 }
78226 @@ -626,7 +626,7 @@ int svc_rdma_recvfrom(struct svc_rqst *r
78227 dprintk("svcrdma: processing ctxt=%p on xprt=%p, rqstp=%p, status=%d\n",
78228 ctxt, rdma_xprt, rqstp, ctxt->wc_status);
78229 BUG_ON(ctxt->wc_status != IB_WC_SUCCESS);
78230 - atomic_inc(&rdma_stat_recv);
78231 + atomic_inc_unchecked(&rdma_stat_recv);
78232
78233 /* Build up the XDR from the receive buffers. */
78234 rdma_build_arg_xdr(rqstp, ctxt, ctxt->byte_len);
78235 diff -urNp linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma_sendto.c linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma_sendto.c
78236 --- linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma_sendto.c 2011-03-27 14:31:47.000000000 -0400
78237 +++ linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma_sendto.c 2011-05-04 17:56:28.000000000 -0400
78238 @@ -328,7 +328,7 @@ static int send_write(struct svcxprt_rdm
78239 write_wr.wr.rdma.remote_addr = to;
78240
78241 /* Post It */
78242 - atomic_inc(&rdma_stat_write);
78243 + atomic_inc_unchecked(&rdma_stat_write);
78244 if (svc_rdma_send(xprt, &write_wr))
78245 goto err;
78246 return 0;
78247 diff -urNp linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma_transport.c linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma_transport.c
78248 --- linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma_transport.c 2011-03-27 14:31:47.000000000 -0400
78249 +++ linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma_transport.c 2011-05-04 17:56:28.000000000 -0400
78250 @@ -292,7 +292,7 @@ static void rq_cq_reap(struct svcxprt_rd
78251 return;
78252
78253 ib_req_notify_cq(xprt->sc_rq_cq, IB_CQ_NEXT_COMP);
78254 - atomic_inc(&rdma_stat_rq_poll);
78255 + atomic_inc_unchecked(&rdma_stat_rq_poll);
78256
78257 while ((ret = ib_poll_cq(xprt->sc_rq_cq, 1, &wc)) > 0) {
78258 ctxt = (struct svc_rdma_op_ctxt *)(unsigned long)wc.wr_id;
78259 @@ -314,7 +314,7 @@ static void rq_cq_reap(struct svcxprt_rd
78260 }
78261
78262 if (ctxt)
78263 - atomic_inc(&rdma_stat_rq_prod);
78264 + atomic_inc_unchecked(&rdma_stat_rq_prod);
78265
78266 set_bit(XPT_DATA, &xprt->sc_xprt.xpt_flags);
78267 /*
78268 @@ -386,7 +386,7 @@ static void sq_cq_reap(struct svcxprt_rd
78269 return;
78270
78271 ib_req_notify_cq(xprt->sc_sq_cq, IB_CQ_NEXT_COMP);
78272 - atomic_inc(&rdma_stat_sq_poll);
78273 + atomic_inc_unchecked(&rdma_stat_sq_poll);
78274 while ((ret = ib_poll_cq(cq, 1, &wc)) > 0) {
78275 if (wc.status != IB_WC_SUCCESS)
78276 /* Close the transport */
78277 @@ -404,7 +404,7 @@ static void sq_cq_reap(struct svcxprt_rd
78278 }
78279
78280 if (ctxt)
78281 - atomic_inc(&rdma_stat_sq_prod);
78282 + atomic_inc_unchecked(&rdma_stat_sq_prod);
78283 }
78284
78285 static void sq_comp_handler(struct ib_cq *cq, void *cq_context)
78286 @@ -1260,7 +1260,7 @@ int svc_rdma_send(struct svcxprt_rdma *x
78287 spin_lock_bh(&xprt->sc_lock);
78288 if (xprt->sc_sq_depth < atomic_read(&xprt->sc_sq_count) + wr_count) {
78289 spin_unlock_bh(&xprt->sc_lock);
78290 - atomic_inc(&rdma_stat_sq_starve);
78291 + atomic_inc_unchecked(&rdma_stat_sq_starve);
78292
78293 /* See if we can opportunistically reap SQ WR to make room */
78294 sq_cq_reap(xprt);
78295 diff -urNp linux-2.6.32.46/net/sysctl_net.c linux-2.6.32.46/net/sysctl_net.c
78296 --- linux-2.6.32.46/net/sysctl_net.c 2011-03-27 14:31:47.000000000 -0400
78297 +++ linux-2.6.32.46/net/sysctl_net.c 2011-04-17 15:56:46.000000000 -0400
78298 @@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ct
78299 struct ctl_table *table)
78300 {
78301 /* Allow network administrator to have same access as root. */
78302 - if (capable(CAP_NET_ADMIN)) {
78303 + if (capable_nolog(CAP_NET_ADMIN)) {
78304 int mode = (table->mode >> 6) & 7;
78305 return (mode << 6) | (mode << 3) | mode;
78306 }
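Review bot: `capable_nolog()` replaces `capable()` with no comment on why this particular check should skip logging. Going by its name, the variant suppresses the log entry for the capability test, which is a security-relevant choice on a path that grants root-equivalent sysctl access. A short comment above the call stating the reason would let a later auditor tell intent from oversight, e.g. `/* permission probe on every sysctl lookup; not logged */`, worded to match the real rationale.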
78307 diff -urNp linux-2.6.32.46/net/tipc/link.c linux-2.6.32.46/net/tipc/link.c
78308 --- linux-2.6.32.46/net/tipc/link.c 2011-03-27 14:31:47.000000000 -0400
78309 +++ linux-2.6.32.46/net/tipc/link.c 2011-10-06 09:37:16.000000000 -0400
78310 @@ -1418,7 +1418,7 @@ again:
78311
78312 if (!sect_rest) {
78313 sect_rest = msg_sect[++curr_sect].iov_len;
78314 - sect_crs = (const unchar *)msg_sect[curr_sect].iov_base;
78315 + sect_crs = (const unchar __user *)msg_sect[curr_sect].iov_base;
78316 }
78317
78318 if (sect_rest < fragm_rest)
78319 @@ -1437,7 +1437,7 @@ error:
78320 }
78321 } else
78322 skb_copy_to_linear_data_offset(buf, fragm_crs,
78323 - sect_crs, sz);
78324 + (const void __force_kernel *)sect_crs, sz);
78325 sect_crs += sz;
78326 sect_rest -= sz;
78327 fragm_crs += sz;
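Review bot: `sect_crs` is annotated `__user` in the hunk above and forced back with `(const void __force_kernel *)` here, so the cast silences the checker exactly where it would catch a user pointer reaching a direct copy. The condition that selects this branch over the copy-from-user path is outside the hunk. A comment on the cast naming that condition would make the guarantee reviewable. net/tipc/subscr.c does the reverse with `(void __force_user *)&sub->evt` and deserves the same one-line explanation.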
78328 diff -urNp linux-2.6.32.46/net/tipc/subscr.c linux-2.6.32.46/net/tipc/subscr.c
78329 --- linux-2.6.32.46/net/tipc/subscr.c 2011-03-27 14:31:47.000000000 -0400
78330 +++ linux-2.6.32.46/net/tipc/subscr.c 2011-10-06 09:37:16.000000000 -0400
78331 @@ -104,7 +104,7 @@ static void subscr_send_event(struct sub
78332 {
78333 struct iovec msg_sect;
78334
78335 - msg_sect.iov_base = (void *)&sub->evt;
78336 + msg_sect.iov_base = (void __force_user *)&sub->evt;
78337 msg_sect.iov_len = sizeof(struct tipc_event);
78338
78339 sub->evt.event = htohl(event, sub->swap);
78340 diff -urNp linux-2.6.32.46/net/unix/af_unix.c linux-2.6.32.46/net/unix/af_unix.c
78341 --- linux-2.6.32.46/net/unix/af_unix.c 2011-05-10 22:12:02.000000000 -0400
78342 +++ linux-2.6.32.46/net/unix/af_unix.c 2011-07-18 18:17:33.000000000 -0400
78343 @@ -745,6 +745,12 @@ static struct sock *unix_find_other(stru
78344 err = -ECONNREFUSED;
78345 if (!S_ISSOCK(inode->i_mode))
78346 goto put_fail;
78347 +
78348 + if (!gr_acl_handle_unix(path.dentry, path.mnt)) {
78349 + err = -EACCES;
78350 + goto put_fail;
78351 + }
78352 +
78353 u = unix_find_socket_byinode(net, inode);
78354 if (!u)
78355 goto put_fail;
78356 @@ -765,6 +771,13 @@ static struct sock *unix_find_other(stru
78357 if (u) {
78358 struct dentry *dentry;
78359 dentry = unix_sk(u)->dentry;
78360 +
78361 + if (!gr_handle_chroot_unix(u->sk_peercred.pid)) {
78362 + err = -EPERM;
78363 + sock_put(u);
78364 + goto fail;
78365 + }
78366 +
78367 if (dentry)
78368 touch_atime(unix_sk(u)->mnt, dentry);
78369 } else
78370 @@ -850,11 +863,18 @@ static int unix_bind(struct socket *sock
78371 err = security_path_mknod(&nd.path, dentry, mode, 0);
78372 if (err)
78373 goto out_mknod_drop_write;
78374 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
78375 + err = -EACCES;
78376 + goto out_mknod_drop_write;
78377 + }
78378 err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0);
78379 out_mknod_drop_write:
78380 mnt_drop_write(nd.path.mnt);
78381 if (err)
78382 goto out_mknod_dput;
78383 +
78384 + gr_handle_create(dentry, nd.path.mnt);
78385 +
78386 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
78387 dput(nd.path.dentry);
78388 nd.path.dentry = dentry;
78389 @@ -2211,7 +2231,11 @@ static int unix_seq_show(struct seq_file
78390 unix_state_lock(s);
78391
78392 seq_printf(seq, "%p: %08X %08X %08X %04X %02X %5lu",
78393 +#ifdef CONFIG_GRKERNSEC_HIDESYM
78394 + NULL,
78395 +#else
78396 s,
78397 +#endif
78398 atomic_read(&s->sk_refcnt),
78399 0,
78400 s->sk_state == TCP_LISTEN ? __SO_ACCEPTCON : 0,
78401 diff -urNp linux-2.6.32.46/net/wireless/core.h linux-2.6.32.46/net/wireless/core.h
78402 --- linux-2.6.32.46/net/wireless/core.h 2011-03-27 14:31:47.000000000 -0400
78403 +++ linux-2.6.32.46/net/wireless/core.h 2011-08-23 21:22:38.000000000 -0400
78404 @@ -27,7 +27,7 @@ struct cfg80211_registered_device {
78405 struct mutex mtx;
78406
78407 /* rfkill support */
78408 - struct rfkill_ops rfkill_ops;
78409 + rfkill_ops_no_const rfkill_ops;
78410 struct rfkill *rfkill;
78411 struct work_struct rfkill_sync;
78412
78413 diff -urNp linux-2.6.32.46/net/wireless/wext.c linux-2.6.32.46/net/wireless/wext.c
78414 --- linux-2.6.32.46/net/wireless/wext.c 2011-03-27 14:31:47.000000000 -0400
78415 +++ linux-2.6.32.46/net/wireless/wext.c 2011-04-17 15:56:46.000000000 -0400
78416 @@ -816,8 +816,7 @@ static int ioctl_standard_iw_point(struc
78417 */
78418
78419 /* Support for very large requests */
78420 - if ((descr->flags & IW_DESCR_FLAG_NOMAX) &&
78421 - (user_length > descr->max_tokens)) {
78422 + if (user_length > descr->max_tokens) {
78423 /* Allow userspace to GET more than max so
78424 * we can support any size GET requests.
78425 * There is still a limit : -ENOMEM.
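Review bot: With the `IW_DESCR_FLAG_NOMAX` test removed, the oversize path applies to every descriptor whenever `user_length > descr->max_tokens`, but nothing records why the flag no longer matters. The branch body and the allocation are outside the hunk. Please confirm that the buffer sized from `user_length` is zero-filled and that the later copy back to user space cannot exceed what the handler wrote, since the next hunk also removes the `iwp->length = descr->max_tokens` assignment for GET requests. A comment at the condition stating the intended bound would settle the question for the next reader.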
78426 @@ -854,22 +853,6 @@ static int ioctl_standard_iw_point(struc
78427 }
78428 }
78429
78430 - if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) {
78431 - /*
78432 - * If this is a GET, but not NOMAX, it means that the extra
78433 - * data is not bounded by userspace, but by max_tokens. Thus
78434 - * set the length to max_tokens. This matches the extra data
78435 - * allocation.
78436 - * The driver should fill it with the number of tokens it
78437 - * provided, and it may check iwp->length rather than having
78438 - * knowledge of max_tokens. If the driver doesn't change the
78439 - * iwp->length, this ioctl just copies back max_token tokens
78440 - * filled with zeroes. Hopefully the driver isn't claiming
78441 - * them to be valid data.
78442 - */
78443 - iwp->length = descr->max_tokens;
78444 - }
78445 -
78446 err = handler(dev, info, (union iwreq_data *) iwp, extra);
78447
78448 iwp->length += essid_compat;
78449 diff -urNp linux-2.6.32.46/net/xfrm/xfrm_policy.c linux-2.6.32.46/net/xfrm/xfrm_policy.c
78450 --- linux-2.6.32.46/net/xfrm/xfrm_policy.c 2011-03-27 14:31:47.000000000 -0400
78451 +++ linux-2.6.32.46/net/xfrm/xfrm_policy.c 2011-05-04 17:56:20.000000000 -0400
78452 @@ -586,7 +586,7 @@ int xfrm_policy_insert(int dir, struct x
78453 hlist_add_head(&policy->bydst, chain);
78454 xfrm_pol_hold(policy);
78455 net->xfrm.policy_count[dir]++;
78456 - atomic_inc(&flow_cache_genid);
78457 + atomic_inc_unchecked(&flow_cache_genid);
78458 if (delpol)
78459 __xfrm_policy_unlink(delpol, dir);
78460 policy->index = delpol ? delpol->index : xfrm_gen_index(net, dir);
78461 @@ -669,7 +669,7 @@ struct xfrm_policy *xfrm_policy_bysel_ct
78462 write_unlock_bh(&xfrm_policy_lock);
78463
78464 if (ret && delete) {
78465 - atomic_inc(&flow_cache_genid);
78466 + atomic_inc_unchecked(&flow_cache_genid);
78467 xfrm_policy_kill(ret);
78468 }
78469 return ret;
78470 @@ -710,7 +710,7 @@ struct xfrm_policy *xfrm_policy_byid(str
78471 write_unlock_bh(&xfrm_policy_lock);
78472
78473 if (ret && delete) {
78474 - atomic_inc(&flow_cache_genid);
78475 + atomic_inc_unchecked(&flow_cache_genid);
78476 xfrm_policy_kill(ret);
78477 }
78478 return ret;
78479 @@ -824,7 +824,7 @@ int xfrm_policy_flush(struct net *net, u
78480 }
78481
78482 }
78483 - atomic_inc(&flow_cache_genid);
78484 + atomic_inc_unchecked(&flow_cache_genid);
78485 out:
78486 write_unlock_bh(&xfrm_policy_lock);
78487 return err;
78488 @@ -1088,7 +1088,7 @@ int xfrm_policy_delete(struct xfrm_polic
78489 write_unlock_bh(&xfrm_policy_lock);
78490 if (pol) {
78491 if (dir < XFRM_POLICY_MAX)
78492 - atomic_inc(&flow_cache_genid);
78493 + atomic_inc_unchecked(&flow_cache_genid);
78494 xfrm_policy_kill(pol);
78495 return 0;
78496 }
78497 @@ -1477,7 +1477,7 @@ free_dst:
78498 goto out;
78499 }
78500
78501 -static int inline
78502 +static inline int
78503 xfrm_dst_alloc_copy(void **target, void *src, int size)
78504 {
78505 if (!*target) {
78506 @@ -1489,7 +1489,7 @@ xfrm_dst_alloc_copy(void **target, void
78507 return 0;
78508 }
78509
78510 -static int inline
78511 +static inline int
78512 xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel)
78513 {
78514 #ifdef CONFIG_XFRM_SUB_POLICY
78515 @@ -1501,7 +1501,7 @@ xfrm_dst_update_parent(struct dst_entry
78516 #endif
78517 }
78518
78519 -static int inline
78520 +static inline int
78521 xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl)
78522 {
78523 #ifdef CONFIG_XFRM_SUB_POLICY
78524 @@ -1537,7 +1537,7 @@ int __xfrm_lookup(struct net *net, struc
78525 u8 dir = policy_to_flow_dir(XFRM_POLICY_OUT);
78526
78527 restart:
78528 - genid = atomic_read(&flow_cache_genid);
78529 + genid = atomic_read_unchecked(&flow_cache_genid);
78530 policy = NULL;
78531 for (pi = 0; pi < ARRAY_SIZE(pols); pi++)
78532 pols[pi] = NULL;
78533 @@ -1680,7 +1680,7 @@ restart:
78534 goto error;
78535 }
78536 if (nx == -EAGAIN ||
78537 - genid != atomic_read(&flow_cache_genid)) {
78538 + genid != atomic_read_unchecked(&flow_cache_genid)) {
78539 xfrm_pols_put(pols, npols);
78540 goto restart;
78541 }
78542 diff -urNp linux-2.6.32.46/net/xfrm/xfrm_user.c linux-2.6.32.46/net/xfrm/xfrm_user.c
78543 --- linux-2.6.32.46/net/xfrm/xfrm_user.c 2011-03-27 14:31:47.000000000 -0400
78544 +++ linux-2.6.32.46/net/xfrm/xfrm_user.c 2011-05-16 21:46:57.000000000 -0400
78545 @@ -1169,6 +1169,8 @@ static int copy_to_user_tmpl(struct xfrm
78546 struct xfrm_user_tmpl vec[XFRM_MAX_DEPTH];
78547 int i;
78548
78549 + pax_track_stack();
78550 +
78551 if (xp->xfrm_nr == 0)
78552 return 0;
78553
78554 @@ -1784,6 +1786,8 @@ static int xfrm_do_migrate(struct sk_buf
78555 int err;
78556 int n = 0;
78557
78558 + pax_track_stack();
78559 +
78560 if (attrs[XFRMA_MIGRATE] == NULL)
78561 return -EINVAL;
78562
78563 diff -urNp linux-2.6.32.46/samples/kobject/kset-example.c linux-2.6.32.46/samples/kobject/kset-example.c
78564 --- linux-2.6.32.46/samples/kobject/kset-example.c 2011-03-27 14:31:47.000000000 -0400
78565 +++ linux-2.6.32.46/samples/kobject/kset-example.c 2011-04-17 15:56:46.000000000 -0400
78566 @@ -87,7 +87,7 @@ static ssize_t foo_attr_store(struct kob
78567 }
78568
78569 /* Our custom sysfs_ops that we will associate with our ktype later on */
78570 -static struct sysfs_ops foo_sysfs_ops = {
78571 +static const struct sysfs_ops foo_sysfs_ops = {
78572 .show = foo_attr_show,
78573 .store = foo_attr_store,
78574 };
78575 diff -urNp linux-2.6.32.46/scripts/basic/fixdep.c linux-2.6.32.46/scripts/basic/fixdep.c
78576 --- linux-2.6.32.46/scripts/basic/fixdep.c 2011-03-27 14:31:47.000000000 -0400
78577 +++ linux-2.6.32.46/scripts/basic/fixdep.c 2011-10-06 09:37:14.000000000 -0400
78578 @@ -162,7 +162,7 @@ static void grow_config(int len)
78579 /*
78580 * Lookup a value in the configuration string.
78581 */
78582 -static int is_defined_config(const char * name, int len)
78583 +static int is_defined_config(const char * name, unsigned int len)
78584 {
78585 const char * pconfig;
78586 const char * plast = str_config + len_config - len;
78587 @@ -199,7 +199,7 @@ static void clear_config(void)
78588 /*
78589 * Record the use of a CONFIG_* word.
78590 */
78591 -static void use_config(char *m, int slen)
78592 +static void use_config(char *m, unsigned int slen)
78593 {
78594 char s[PATH_MAX];
78595 char *p;
78596 @@ -222,9 +222,9 @@ static void use_config(char *m, int slen
78597
78598 static void parse_config_file(char *map, size_t len)
78599 {
78600 - int *end = (int *) (map + len);
78601 + unsigned int *end = (unsigned int *) (map + len);
78602 /* start at +1, so that p can never be < map */
78603 - int *m = (int *) map + 1;
78604 + unsigned int *m = (unsigned int *) map + 1;
78605 char *p, *q;
78606
78607 for (; m < end; m++) {
78608 @@ -371,7 +371,7 @@ static void print_deps(void)
78609 static void traps(void)
78610 {
78611 static char test[] __attribute__((aligned(sizeof(int)))) = "CONF";
78612 - int *p = (int *)test;
78613 + unsigned int *p = (unsigned int *)test;
78614
78615 if (*p != INT_CONF) {
78616 fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n",
78617 diff -urNp linux-2.6.32.46/scripts/gcc-plugin.sh linux-2.6.32.46/scripts/gcc-plugin.sh
78618 --- linux-2.6.32.46/scripts/gcc-plugin.sh 1969-12-31 19:00:00.000000000 -0500
78619 +++ linux-2.6.32.46/scripts/gcc-plugin.sh 2011-10-06 09:37:14.000000000 -0400
78620 @@ -0,0 +1,2 @@
78621 +#!/bin/sh
78622 +echo "#include \"gcc-plugin.h\"\n#include \"rtl.h\"" | $1 -x c -shared - -o /dev/null -I`$2 -print-file-name=plugin`/include >/dev/null 2>&1 && echo "y"
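Review bot: The probe relies on `echo` turning `\n` into a newline, which POSIX leaves implementation-defined. Under a `/bin/sh` whose `echo` does not interpret backslashes, both `#include` directives arrive on one line and `rtl.h` is never actually tested. `printf` is portable, and `$(...)` with quotes keeps a plugin directory containing spaces intact: `printf '#include "gcc-plugin.h"\n#include "rtl.h"\n' | $1 -x c -shared - -o /dev/null -I"$($2 -print-file-name=plugin)/include" >/dev/null 2>&1 && echo "y"`. If `$1` is meant to carry a multi-word command, leaving it unquoted is right but should be stated in a comment together with what the two arguments are.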
78623 diff -urNp linux-2.6.32.46/scripts/Makefile.build linux-2.6.32.46/scripts/Makefile.build
78624 --- linux-2.6.32.46/scripts/Makefile.build 2011-03-27 14:31:47.000000000 -0400
78625 +++ linux-2.6.32.46/scripts/Makefile.build 2011-08-23 20:45:11.000000000 -0400
78626 @@ -59,7 +59,7 @@ endif
78627 endif
78628
78629 # Do not include host rules unless needed
78630 -ifneq ($(hostprogs-y)$(hostprogs-m),)
78631 +ifneq ($(hostprogs-y)$(hostprogs-m)$(hostlibs-y)$(hostlibs-m),)
78632 include scripts/Makefile.host
78633 endif
78634
78635 diff -urNp linux-2.6.32.46/scripts/Makefile.clean linux-2.6.32.46/scripts/Makefile.clean
78636 --- linux-2.6.32.46/scripts/Makefile.clean 2011-03-27 14:31:47.000000000 -0400
78637 +++ linux-2.6.32.46/scripts/Makefile.clean 2011-06-04 20:47:19.000000000 -0400
78638 @@ -43,7 +43,8 @@ subdir-ymn := $(addprefix $(obj)/,$(subd
78639 __clean-files := $(extra-y) $(always) \
78640 $(targets) $(clean-files) \
78641 $(host-progs) \
78642 - $(hostprogs-y) $(hostprogs-m) $(hostprogs-)
78643 + $(hostprogs-y) $(hostprogs-m) $(hostprogs-) \
78644 + $(hostlibs-y) $(hostlibs-m) $(hostlibs-)
78645
78646 # as clean-files is given relative to the current directory, this adds
78647 # a $(obj) prefix, except for absolute paths
78648 diff -urNp linux-2.6.32.46/scripts/Makefile.host linux-2.6.32.46/scripts/Makefile.host
78649 --- linux-2.6.32.46/scripts/Makefile.host 2011-03-27 14:31:47.000000000 -0400
78650 +++ linux-2.6.32.46/scripts/Makefile.host 2011-06-04 20:48:22.000000000 -0400
78651 @@ -31,6 +31,7 @@
78652 # Note: Shared libraries consisting of C++ files are not supported
78653
78654 __hostprogs := $(sort $(hostprogs-y) $(hostprogs-m))
78655 +__hostlibs := $(sort $(hostlibs-y) $(hostlibs-m))
78656
78657 # C code
78658 # Executables compiled from a single .c file
78659 @@ -54,6 +55,7 @@ host-cxxobjs := $(sort $(foreach m,$(hos
78660 # Shared libaries (only .c supported)
78661 # Shared libraries (.so) - all .so files referenced in "xxx-objs"
78662 host-cshlib := $(sort $(filter %.so, $(host-cobjs)))
78663 +host-cshlib += $(sort $(filter %.so, $(__hostlibs)))
78664 # Remove .so files from "xxx-objs"
78665 host-cobjs := $(filter-out %.so,$(host-cobjs))
78666
78667 diff -urNp linux-2.6.32.46/scripts/mod/file2alias.c linux-2.6.32.46/scripts/mod/file2alias.c
78668 --- linux-2.6.32.46/scripts/mod/file2alias.c 2011-03-27 14:31:47.000000000 -0400
78669 +++ linux-2.6.32.46/scripts/mod/file2alias.c 2011-10-06 09:37:14.000000000 -0400
78670 @@ -72,7 +72,7 @@ static void device_id_check(const char *
78671 unsigned long size, unsigned long id_size,
78672 void *symval)
78673 {
78674 - int i;
78675 + unsigned int i;
78676
78677 if (size % id_size || size < id_size) {
78678 if (cross_build != 0)
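Review bot: `i` becomes `unsigned int`, while `size` and `id_size` in the signature shown in this hunk are `unsigned long`. The loop that uses `i` is outside the hunk, but if it counts up to `id_size`, the counter is now narrower than its bound on 64-bit hosts. Declaring it `unsigned long i;` would match the parameter types and still remove the signed/unsigned comparison.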
78679 @@ -102,7 +102,7 @@ static void device_id_check(const char *
78680 /* USB is special because the bcdDevice can be matched against a numeric range */
78681 /* Looks like "usb:vNpNdNdcNdscNdpNicNiscNipN" */
78682 static void do_usb_entry(struct usb_device_id *id,
78683 - unsigned int bcdDevice_initial, int bcdDevice_initial_digits,
78684 + unsigned int bcdDevice_initial, unsigned int bcdDevice_initial_digits,
78685 unsigned char range_lo, unsigned char range_hi,
78686 struct module *mod)
78687 {
78688 @@ -151,7 +151,7 @@ static void do_usb_entry_multi(struct us
78689 {
78690 unsigned int devlo, devhi;
78691 unsigned char chi, clo;
78692 - int ndigits;
78693 + unsigned int ndigits;
78694
78695 id->match_flags = TO_NATIVE(id->match_flags);
78696 id->idVendor = TO_NATIVE(id->idVendor);
78697 @@ -368,7 +368,7 @@ static void do_pnp_device_entry(void *sy
78698 for (i = 0; i < count; i++) {
78699 const char *id = (char *)devs[i].id;
78700 char acpi_id[sizeof(devs[0].id)];
78701 - int j;
78702 + unsigned int j;
78703
78704 buf_printf(&mod->dev_table_buf,
78705 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
78706 @@ -398,7 +398,7 @@ static void do_pnp_card_entries(void *sy
78707
78708 for (j = 0; j < PNP_MAX_DEVICES; j++) {
78709 const char *id = (char *)card->devs[j].id;
78710 - int i2, j2;
78711 + unsigned int i2, j2;
78712 int dup = 0;
78713
78714 if (!id[0])
78715 @@ -424,7 +424,7 @@ static void do_pnp_card_entries(void *sy
78716 /* add an individual alias for every device entry */
78717 if (!dup) {
78718 char acpi_id[sizeof(card->devs[0].id)];
78719 - int k;
78720 + unsigned int k;
78721
78722 buf_printf(&mod->dev_table_buf,
78723 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
78724 @@ -699,7 +699,7 @@ static void dmi_ascii_filter(char *d, co
78725 static int do_dmi_entry(const char *filename, struct dmi_system_id *id,
78726 char *alias)
78727 {
78728 - int i, j;
78729 + unsigned int i, j;
78730
78731 sprintf(alias, "dmi*");
78732
78733 diff -urNp linux-2.6.32.46/scripts/mod/modpost.c linux-2.6.32.46/scripts/mod/modpost.c
78734 --- linux-2.6.32.46/scripts/mod/modpost.c 2011-03-27 14:31:47.000000000 -0400
78735 +++ linux-2.6.32.46/scripts/mod/modpost.c 2011-07-06 19:53:33.000000000 -0400
78736 @@ -835,6 +835,7 @@ enum mismatch {
78737 INIT_TO_EXIT,
78738 EXIT_TO_INIT,
78739 EXPORT_TO_INIT_EXIT,
78740 + DATA_TO_TEXT
78741 };
78742
78743 struct sectioncheck {
78744 @@ -920,6 +921,12 @@ const struct sectioncheck sectioncheck[]
78745 .fromsec = { "__ksymtab*", NULL },
78746 .tosec = { INIT_SECTIONS, EXIT_SECTIONS, NULL },
78747 .mismatch = EXPORT_TO_INIT_EXIT
78748 +},
78749 +/* Do not reference code from writable data */
78750 +{
78751 + .fromsec = { DATA_SECTIONS, NULL },
78752 + .tosec = { TEXT_SECTIONS, NULL },
78753 + .mismatch = DATA_TO_TEXT
78754 }
78755 };
78756
78757 @@ -1024,10 +1031,10 @@ static Elf_Sym *find_elf_symbol(struct e
78758 continue;
78759 if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
78760 continue;
78761 - if (sym->st_value == addr)
78762 - return sym;
78763 /* Find a symbol nearby - addr are maybe negative */
78764 d = sym->st_value - addr;
78765 + if (d == 0)
78766 + return sym;
78767 if (d < 0)
78768 d = addr - sym->st_value;
78769 if (d < distance) {
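Review bot: The exact-match test now depends on the type of `d`, because `if (d == 0)` is equivalent to the removed `sym->st_value == addr` only when `d` is at least as wide as the address. The declaration of `d` is outside the hunk; if it is a narrower signed type, a difference that truncates to zero would be returned as an exact hit and the wrong symbol would be named in mismatch reports. Either keep the comparison on the operands, `if (sym->st_value == (Elf_Addr)addr) return sym;`, or add a comment at the declaration stating that `d` is as wide as `st_value`.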
78770 @@ -1268,6 +1275,14 @@ static void report_sec_mismatch(const ch
78771 "Fix this by removing the %sannotation of %s "
78772 "or drop the export.\n",
78773 tosym, sec2annotation(tosec), sec2annotation(tosec), tosym);
78774 + case DATA_TO_TEXT:
78775 +/*
78776 + fprintf(stderr,
78777 + "The variable %s references\n"
78778 + "the %s %s%s%s\n",
78779 + fromsym, to, sec2annotation(tosec), tosym, to_p);
78780 +*/
78781 + break;
78782 case NO_MISMATCH:
78783 /* To get warnings on missing members */
78784 break;
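Review bot: The case above `case DATA_TO_TEXT:` ends its fprintf without a `break;`, so it falls through into the new case. That is harmless only while the new body is commented out; if the disabled fprintf is re-enabled, the export warning would be followed by the data-to-text message as well. Add `break;` before `case DATA_TO_TEXT:` and replace the commented-out block with a one-line reason, e.g. `/* DATA_TO_TEXT is matched but deliberately not reported here */` if that is the intent. The sectioncheck hunk above adds the matching table entry, so as written the rule matches but prints no case-specific explanation. report_sec_mismatch starts outside the hunk.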
78785 @@ -1495,7 +1510,7 @@ static void section_rel(const char *modn
78786 static void check_sec_ref(struct module *mod, const char *modname,
78787 struct elf_info *elf)
78788 {
78789 - int i;
78790 + unsigned int i;
78791 Elf_Shdr *sechdrs = elf->sechdrs;
78792
78793 /* Walk through all sections */
78794 @@ -1651,7 +1666,7 @@ void __attribute__((format(printf, 2, 3)
78795 va_end(ap);
78796 }
78797
78798 -void buf_write(struct buffer *buf, const char *s, int len)
78799 +void buf_write(struct buffer *buf, const char *s, unsigned int len)
78800 {
78801 if (buf->size - buf->pos < len) {
78802 buf->size += len + SZ;
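Review bot: With `len` unsigned here and `pos`/`size` made unsigned in the modpost.h hunk, `buf->size += len + SZ` now wraps silently on overflow, leaving `size` smaller than `pos + len`. The reallocation and copy are outside the hunk, but a wrapped size would presumably produce an undersized buffer for the write that follows. A guard before the growth makes the failure explicit: `if (len > UINT_MAX - SZ || buf->size > UINT_MAX - SZ - len) fatal("modpost: buffer too large\n");`.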
78803 @@ -1863,7 +1878,7 @@ static void write_if_changed(struct buff
78804 if (fstat(fileno(file), &st) < 0)
78805 goto close_write;
78806
78807 - if (st.st_size != b->pos)
78808 + if (st.st_size != (off_t)b->pos)
78809 goto close_write;
78810
78811 tmp = NOFAIL(malloc(b->pos));
78812 diff -urNp linux-2.6.32.46/scripts/mod/modpost.h linux-2.6.32.46/scripts/mod/modpost.h
78813 --- linux-2.6.32.46/scripts/mod/modpost.h 2011-03-27 14:31:47.000000000 -0400
78814 +++ linux-2.6.32.46/scripts/mod/modpost.h 2011-04-17 15:56:46.000000000 -0400
78815 @@ -92,15 +92,15 @@ void *do_nofail(void *ptr, const char *e
78816
78817 struct buffer {
78818 char *p;
78819 - int pos;
78820 - int size;
78821 + unsigned int pos;
78822 + unsigned int size;
78823 };
78824
78825 void __attribute__((format(printf, 2, 3)))
78826 buf_printf(struct buffer *buf, const char *fmt, ...);
78827
78828 void
78829 -buf_write(struct buffer *buf, const char *s, int len);
78830 +buf_write(struct buffer *buf, const char *s, unsigned int len);
78831
78832 struct module {
78833 struct module *next;
78834 diff -urNp linux-2.6.32.46/scripts/mod/sumversion.c linux-2.6.32.46/scripts/mod/sumversion.c
78835 --- linux-2.6.32.46/scripts/mod/sumversion.c 2011-03-27 14:31:47.000000000 -0400
78836 +++ linux-2.6.32.46/scripts/mod/sumversion.c 2011-04-17 15:56:46.000000000 -0400
78837 @@ -455,7 +455,7 @@ static void write_version(const char *fi
78838 goto out;
78839 }
78840
78841 - if (write(fd, sum, strlen(sum)+1) != strlen(sum)+1) {
78842 + if (write(fd, sum, strlen(sum)+1) != (ssize_t)strlen(sum)+1) {
78843 warn("writing sum in %s failed: %s\n",
78844 filename, strerror(errno));
78845 goto out;
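Review bot: In `(ssize_t)strlen(sum)+1` the cast applies to `strlen(sum)` alone and the `+1` is added afterwards. The result is correct, but the expression reads as if the cast covered the sum, and the length is computed twice. Computing it once makes the comparison obvious: `ssize_t len = strlen(sum) + 1;` followed by `if (write(fd, sum, len) != len) {`. write_version continues outside the hunk.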
78846 diff -urNp linux-2.6.32.46/scripts/package/mkspec linux-2.6.32.46/scripts/package/mkspec
78847 --- linux-2.6.32.46/scripts/package/mkspec 2011-03-27 14:31:47.000000000 -0400
78848 +++ linux-2.6.32.46/scripts/package/mkspec 2011-07-19 18:19:12.000000000 -0400
78849 @@ -70,7 +70,7 @@ echo 'mkdir -p $RPM_BUILD_ROOT/boot $RPM
78850 echo 'mkdir -p $RPM_BUILD_ROOT/lib/firmware'
78851 echo "%endif"
78852
78853 -echo 'INSTALL_MOD_PATH=$RPM_BUILD_ROOT make %{_smp_mflags} KBUILD_SRC= modules_install'
78854 +echo 'INSTALL_MOD_PATH=$RPM_BUILD_ROOT make %{?_smp_mflags} KBUILD_SRC= modules_install'
78855 echo "%ifarch ia64"
78856 echo 'cp $KBUILD_IMAGE $RPM_BUILD_ROOT'"/boot/efi/vmlinuz-$KERNELRELEASE"
78857 echo 'ln -s '"efi/vmlinuz-$KERNELRELEASE" '$RPM_BUILD_ROOT'"/boot/"
78858 diff -urNp linux-2.6.32.46/scripts/pnmtologo.c linux-2.6.32.46/scripts/pnmtologo.c
78859 --- linux-2.6.32.46/scripts/pnmtologo.c 2011-03-27 14:31:47.000000000 -0400
78860 +++ linux-2.6.32.46/scripts/pnmtologo.c 2011-04-17 15:56:46.000000000 -0400
78861 @@ -237,14 +237,14 @@ static void write_header(void)
78862 fprintf(out, " * Linux logo %s\n", logoname);
78863 fputs(" */\n\n", out);
78864 fputs("#include <linux/linux_logo.h>\n\n", out);
78865 - fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
78866 + fprintf(out, "static unsigned char %s_data[] = {\n",
78867 logoname);
78868 }
78869
78870 static void write_footer(void)
78871 {
78872 fputs("\n};\n\n", out);
78873 - fprintf(out, "const struct linux_logo %s __initconst = {\n", logoname);
78874 + fprintf(out, "const struct linux_logo %s = {\n", logoname);
78875 fprintf(out, "\t.type\t\t= %s,\n", logo_types[logo_type]);
78876 fprintf(out, "\t.width\t\t= %d,\n", logo_width);
78877 fprintf(out, "\t.height\t\t= %d,\n", logo_height);
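Review bot: Nothing in the generator records why `__initdata`/`__initconst` are dropped from the emitted arrays, here in write_header and write_footer and again for `%s_clut` in the write_logo_clut224 hunk. Without the annotations the generated logo data is no longer placed in init sections, so it would presumably stay resident after boot. A comment above each fprintf, such as `/* emitted without __initdata on purpose: <reason> */`, would keep a later cleanup from restoring the annotations.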
78878 @@ -374,7 +374,7 @@ static void write_logo_clut224(void)
78879 fputs("\n};\n\n", out);
78880
78881 /* write logo clut */
78882 - fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
78883 + fprintf(out, "static unsigned char %s_clut[] = {\n",
78884 logoname);
78885 write_hex_cnt = 0;
78886 for (i = 0; i < logo_clutsize; i++) {
78887 diff -urNp linux-2.6.32.46/scripts/tags.sh linux-2.6.32.46/scripts/tags.sh
78888 --- linux-2.6.32.46/scripts/tags.sh 2011-03-27 14:31:47.000000000 -0400
78889 +++ linux-2.6.32.46/scripts/tags.sh 2011-06-07 18:06:04.000000000 -0400
78890 @@ -93,6 +93,11 @@ docscope()
78891 cscope -b -f cscope.out
78892 }
78893
78894 +dogtags()
78895 +{
78896 + all_sources | gtags -f -
78897 +}
78898 +
78899 exuberant()
78900 {
78901 all_sources | xargs $1 -a \
78902 @@ -164,6 +169,10 @@ case "$1" in
78903 docscope
78904 ;;
78905
78906 + "gtags")
78907 + dogtags
78908 + ;;
78909 +
78910 "tags")
78911 rm -f tags
78912 xtags ctags
78913 diff -urNp linux-2.6.32.46/security/capability.c linux-2.6.32.46/security/capability.c
78914 --- linux-2.6.32.46/security/capability.c 2011-03-27 14:31:47.000000000 -0400
78915 +++ linux-2.6.32.46/security/capability.c 2011-04-17 15:56:46.000000000 -0400
78916 @@ -890,7 +890,7 @@ static void cap_audit_rule_free(void *ls
78917 }
78918 #endif /* CONFIG_AUDIT */
78919
78920 -struct security_operations default_security_ops = {
78921 +struct security_operations default_security_ops __read_only = {
78922 .name = "default",
78923 };
78924
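Review bot: `default_security_ops` is now `__read_only`, but only `.name` is set in the initializer, so the remaining operation pointers are presumably filled in at runtime by code outside this hunk. A comment at the definition should say when that happens relative to read-only data being sealed, e.g. `/* populated during security init; must not be written afterwards */`. That tells a later contributor that any new write to this table has to happen before that point.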
78925 diff -urNp linux-2.6.32.46/security/commoncap.c linux-2.6.32.46/security/commoncap.c
78926 --- linux-2.6.32.46/security/commoncap.c 2011-03-27 14:31:47.000000000 -0400
78927 +++ linux-2.6.32.46/security/commoncap.c 2011-08-17 19:22:13.000000000 -0400
78928 @@ -27,7 +27,7 @@
78929 #include <linux/sched.h>
78930 #include <linux/prctl.h>
78931 #include <linux/securebits.h>
78932 -
78933 +#include <net/sock.h>
78934 /*
78935 * If a non-root user executes a setuid-root binary in
78936 * !secure(SECURE_NOROOT) mode, then we raise capabilities.
78937 @@ -50,9 +50,18 @@ static void warn_setuid_and_fcaps_mixed(
78938 }
78939 }
78940
78941 +#ifdef CONFIG_NET
78942 +extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);
78943 +#endif
78944 +
78945 int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
78946 {
78947 +#ifdef CONFIG_NET
78948 + NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink(sk);
78949 +#else
78950 NETLINK_CB(skb).eff_cap = current_cap();
78951 +#endif
78952 +
78953 return 0;
78954 }
78955
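Review bot: `gr_cap_rtnetlink()` is declared with a local `extern` in this .c file, so the compiler cannot check the prototype against the definition, and nothing fails at build time if the two drift apart. The declaration belongs in a shared header that the defining file also includes. The function now decides the `eff_cap` recorded on the netlink message in place of `current_cap()`, so a one-line comment on which capability set it returns would help reviewers of this path.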
78956 @@ -582,6 +591,9 @@ int cap_bprm_secureexec(struct linux_bin
78957 {
78958 const struct cred *cred = current_cred();
78959
78960 + if (gr_acl_enable_at_secure())
78961 + return 1;
78962 +
78963 if (cred->uid != 0) {
78964 if (bprm->cap_effective)
78965 return 1;
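Review bot: The new early `return 1` has no comment, and it runs before the uid and capability tests, so whenever `gr_acl_enable_at_secure()` is non-zero the exec is reported as secure regardless of credentials. That errs in the restrictive direction, but the reason should be stated at the call, e.g. `/* policy may force secure-exec handling for this task */` if that is what the helper reports; its definition is not in this hunk. Unlike `gr_cap_rtnetlink` in the previous hunk, no declaration is added in this file, so it presumably comes from a header included elsewhere. cap_bprm_secureexec continues outside the hunk.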
78966 diff -urNp linux-2.6.32.46/security/integrity/ima/ima_api.c linux-2.6.32.46/security/integrity/ima/ima_api.c
78967 --- linux-2.6.32.46/security/integrity/ima/ima_api.c 2011-03-27 14:31:47.000000000 -0400
78968 +++ linux-2.6.32.46/security/integrity/ima/ima_api.c 2011-04-17 15:56:46.000000000 -0400
78969 @@ -74,7 +74,7 @@ void ima_add_violation(struct inode *ino
78970 int result;
78971
78972 /* can overflow, only indicator */
78973 - atomic_long_inc(&ima_htable.violations);
78974 + atomic_long_inc_unchecked(&ima_htable.violations);
78975
78976 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
78977 if (!entry) {
78978 diff -urNp linux-2.6.32.46/security/integrity/ima/ima_fs.c linux-2.6.32.46/security/integrity/ima/ima_fs.c
78979 --- linux-2.6.32.46/security/integrity/ima/ima_fs.c 2011-03-27 14:31:47.000000000 -0400
78980 +++ linux-2.6.32.46/security/integrity/ima/ima_fs.c 2011-04-17 15:56:46.000000000 -0400
78981 @@ -27,12 +27,12 @@
78982 static int valid_policy = 1;
78983 #define TMPBUFLEN 12
78984 static ssize_t ima_show_htable_value(char __user *buf, size_t count,
78985 - loff_t *ppos, atomic_long_t *val)
78986 + loff_t *ppos, atomic_long_unchecked_t *val)
78987 {
78988 char tmpbuf[TMPBUFLEN];
78989 ssize_t len;
78990
78991 - len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
78992 + len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read_unchecked(val));
78993 return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
78994 }
78995
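Review bot: `tmpbuf` is `TMPBUFLEN` (12) bytes, but `"%li\n"` of a long can need up to 21 characters plus the terminator on a 64-bit build. The counters read here are now explicitly allowed to wrap, which can produce negative values. scnprintf() bounds the write, so this is not an overflow, but large values are silently truncated in what userspace reads. Sizing the buffer for the type fixes it: `#define TMPBUFLEN 24`.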
78996 diff -urNp linux-2.6.32.46/security/integrity/ima/ima.h linux-2.6.32.46/security/integrity/ima/ima.h
78997 --- linux-2.6.32.46/security/integrity/ima/ima.h 2011-03-27 14:31:47.000000000 -0400
78998 +++ linux-2.6.32.46/security/integrity/ima/ima.h 2011-04-17 15:56:46.000000000 -0400
78999 @@ -84,8 +84,8 @@ void ima_add_violation(struct inode *ino
79000 extern spinlock_t ima_queue_lock;
79001
79002 struct ima_h_table {
79003 - atomic_long_t len; /* number of stored measurements in the list */
79004 - atomic_long_t violations;
79005 + atomic_long_unchecked_t len; /* number of stored measurements in the list */
79006 + atomic_long_unchecked_t violations;
79007 struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
79008 };
79009 extern struct ima_h_table ima_htable;
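Review bot: `len` is converted to the unchecked type without the justification that `violations` has, namely the `can overflow, only indicator` comment in ima_add_violation. `len` is documented as the number of stored measurements, and no note is added here or at the `atomic_long_inc_unchecked(&ima_htable.len)` call in ima_queue.c. If a wrapped `len` is acceptable because it is only reported, say so next to the field: `/* number of stored measurements; reporting only, may wrap */`. If anything uses it for sizing or limits, it should stay a checked `atomic_long_t`.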
79010 diff -urNp linux-2.6.32.46/security/integrity/ima/ima_queue.c linux-2.6.32.46/security/integrity/ima/ima_queue.c
79011 --- linux-2.6.32.46/security/integrity/ima/ima_queue.c 2011-03-27 14:31:47.000000000 -0400
79012 +++ linux-2.6.32.46/security/integrity/ima/ima_queue.c 2011-04-17 15:56:46.000000000 -0400
79013 @@ -78,7 +78,7 @@ static int ima_add_digest_entry(struct i
79014 INIT_LIST_HEAD(&qe->later);
79015 list_add_tail_rcu(&qe->later, &ima_measurements);
79016
79017 - atomic_long_inc(&ima_htable.len);
79018 + atomic_long_inc_unchecked(&ima_htable.len);
79019 key = ima_hash_key(entry->digest);
79020 hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
79021 return 0;
79022 diff -urNp linux-2.6.32.46/security/Kconfig linux-2.6.32.46/security/Kconfig
79023 --- linux-2.6.32.46/security/Kconfig 2011-03-27 14:31:47.000000000 -0400
79024 +++ linux-2.6.32.46/security/Kconfig 2011-10-06 09:38:20.000000000 -0400
79025 @@ -4,6 +4,559 @@
79026
79027 menu "Security options"
79028
79029 +source grsecurity/Kconfig
79030 +
79031 +menu "PaX"
79032 +
79033 + config ARCH_TRACK_EXEC_LIMIT
79034 + bool
79035 +
79036 + config PAX_KERNEXEC_PLUGIN
79037 + bool
79038 +
79039 + config PAX_PER_CPU_PGD
79040 + bool
79041 +
79042 + config TASK_SIZE_MAX_SHIFT
79043 + int
79044 + depends on X86_64
79045 + default 47 if !PAX_PER_CPU_PGD
79046 + default 42 if PAX_PER_CPU_PGD
79047 +
79048 + config PAX_ENABLE_PAE
79049 + bool
79050 + default y if (X86_32 && (MPENTIUM4 || MK8 || MPSC || MCORE2 || MATOM))
79051 +
79052 +config PAX
79053 + bool "Enable various PaX features"
79054 + depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
79055 + help
79056 + This allows you to enable various PaX features. PaX adds
79057 + intrusion prevention mechanisms to the kernel that reduce
79058 + the risks posed by exploitable memory corruption bugs.
79059 +
79060 +menu "PaX Control"
79061 + depends on PAX
79062 +
79063 +config PAX_SOFTMODE
79064 + bool 'Support soft mode'
79065 + select PAX_PT_PAX_FLAGS
79066 + help
79067 + Enabling this option will allow you to run PaX in soft mode, that
79068 + is, PaX features will not be enforced by default, only on executables
79069 + marked explicitly. You must also enable PT_PAX_FLAGS support as it
79070 + is the only way to mark executables for soft mode use.
79071 +
79072 + Soft mode can be activated by using the "pax_softmode=1" kernel command
79073 + line option on boot. Furthermore you can control various PaX features
79074 + at runtime via the entries in /proc/sys/kernel/pax.
79075 +
79076 +config PAX_EI_PAX
79077 + bool 'Use legacy ELF header marking'
79078 + help
79079 + Enabling this option will allow you to control PaX features on
79080 + a per executable basis via the 'chpax' utility available at
79081 + http://pax.grsecurity.net/. The control flags will be read from
79082 + an otherwise reserved part of the ELF header. This marking has
79083 + numerous drawbacks (no support for soft-mode, toolchain does not
79084 + know about the non-standard use of the ELF header) therefore it
79085 + has been deprecated in favour of PT_PAX_FLAGS support.
79086 +
79087 + Note that if you enable PT_PAX_FLAGS marking support as well,
79088 + the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
79089 +
79090 +config PAX_PT_PAX_FLAGS
79091 + bool 'Use ELF program header marking'
79092 + help
79093 + Enabling this option will allow you to control PaX features on
79094 + a per executable basis via the 'paxctl' utility available at
79095 + http://pax.grsecurity.net/. The control flags will be read from
79096 + a PaX specific ELF program header (PT_PAX_FLAGS). This marking
79097 + has the benefits of supporting both soft mode and being fully
79098 + integrated into the toolchain (the binutils patch is available
79099 + from http://pax.grsecurity.net).
79100 +
79101 + If your toolchain does not support PT_PAX_FLAGS markings,
79102 + you can create one in most cases with 'paxctl -C'.
79103 +
79104 + Note that if you enable the legacy EI_PAX marking support as well,
79105 + the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
79106 +
79107 +choice
79108 + prompt 'MAC system integration'
79109 + default PAX_HAVE_ACL_FLAGS
79110 + help
79111 + Mandatory Access Control systems have the option of controlling
79112 + PaX flags on a per executable basis, choose the method supported
79113 + by your particular system.
79114 +
79115 + - "none": if your MAC system does not interact with PaX,
79116 + - "direct": if your MAC system defines pax_set_initial_flags() itself,
79117 + - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
79118 +
79119 + NOTE: this option is for developers/integrators only.
79120 +
79121 + config PAX_NO_ACL_FLAGS
79122 + bool 'none'
79123 +
79124 + config PAX_HAVE_ACL_FLAGS
79125 + bool 'direct'
79126 +
79127 + config PAX_HOOK_ACL_FLAGS
79128 + bool 'hook'
79129 +endchoice
79130 +
79131 +endmenu
79132 +
79133 +menu "Non-executable pages"
79134 + depends on PAX
79135 +
79136 +config PAX_NOEXEC
79137 + bool "Enforce non-executable pages"
79138 + depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
79139 + help
79140 + By design some architectures do not allow for protecting memory
79141 + pages against execution or even if they do, Linux does not make
79142 + use of this feature. In practice this means that if a page is
79143 + readable (such as the stack or heap) it is also executable.
79144 +
79145 + There is a well known exploit technique that makes use of this
79146 + fact and a common programming mistake where an attacker can
79147 + introduce code of his choice somewhere in the attacked program's
79148 + memory (typically the stack or the heap) and then execute it.
79149 +
79150 + If the attacked program was running with different (typically
79151 + higher) privileges than that of the attacker, then he can elevate
79152 + his own privilege level (e.g. get a root shell, write to files for
79153 + which he does not have write access to, etc).
79154 +
79155 + Enabling this option will let you choose from various features
79156 + that prevent the injection and execution of 'foreign' code in
79157 + a program.
79158 +
79159 + This will also break programs that rely on the old behaviour and
79160 + expect that dynamically allocated memory via the malloc() family
79161 + of functions is executable (which it is not). Notable examples
79162 + are the XFree86 4.x server, the java runtime and wine.
79163 +
79164 +config PAX_PAGEEXEC
79165 + bool "Paging based non-executable pages"
79166 + depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
79167 + select S390_SWITCH_AMODE if S390
79168 + select S390_EXEC_PROTECT if S390
79169 + select ARCH_TRACK_EXEC_LIMIT if X86_32
79170 + help
79171 + This implementation is based on the paging feature of the CPU.
79172 + On i386 without hardware non-executable bit support there is a
79173 + variable but usually low performance impact, however on Intel's
79174 + P4 core based CPUs it is very high so you should not enable this
79175 + for kernels meant to be used on such CPUs.
79176 +
79177 + On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
79178 + with hardware non-executable bit support there is no performance
79179 + impact, on ppc the impact is negligible.
79180 +
79181 + Note that several architectures require various emulations due to
79182 + badly designed userland ABIs, this will cause a performance impact
79183 + but will disappear as soon as userland is fixed. For example, ppc
79184 + userland MUST have been built with secure-plt by a recent toolchain.
79185 +
79186 +config PAX_SEGMEXEC
79187 + bool "Segmentation based non-executable pages"
79188 + depends on PAX_NOEXEC && X86_32
79189 + help
79190 + This implementation is based on the segmentation feature of the
79191 + CPU and has a very small performance impact, however applications
79192 + will be limited to a 1.5 GB address space instead of the normal
79193 + 3 GB.
79194 +
79195 +config PAX_EMUTRAMP
79196 + bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
79197 + default y if PARISC
79198 + help
79199 + There are some programs and libraries that for one reason or
79200 + another attempt to execute special small code snippets from
79201 + non-executable memory pages. Most notable examples are the
79202 + signal handler return code generated by the kernel itself and
79203 + the GCC trampolines.
79204 +
79205 + If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
79206 + such programs will no longer work under your kernel.
79207 +
79208 + As a remedy you can say Y here and use the 'chpax' or 'paxctl'
79209 + utilities to enable trampoline emulation for the affected programs
79210 + yet still have the protection provided by the non-executable pages.
79211 +
79212 + On parisc you MUST enable this option and EMUSIGRT as well, otherwise
79213 + your system will not even boot.
79214 +
79215 + Alternatively you can say N here and use the 'chpax' or 'paxctl'
79216 + utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
79217 + for the affected files.
79218 +
79219 + NOTE: enabling this feature *may* open up a loophole in the
79220 + protection provided by non-executable pages that an attacker
79221 + could abuse. Therefore the best solution is to not have any
79222 + files on your system that would require this option. This can
79223 + be achieved by not using libc5 (which relies on the kernel
79224 + signal handler return code) and not using or rewriting programs
79225 + that make use of the nested function implementation of GCC.
79226 + Skilled users can just fix GCC itself so that it implements
79227 + nested function calls in a way that does not interfere with PaX.
79228 +
79229 +config PAX_EMUSIGRT
79230 + bool "Automatically emulate sigreturn trampolines"
79231 + depends on PAX_EMUTRAMP && PARISC
79232 + default y
79233 + help
79234 + Enabling this option will have the kernel automatically detect
79235 + and emulate signal return trampolines executing on the stack
79236 + that would otherwise lead to task termination.
79237 +
79238 + This solution is intended as a temporary one for users with
79239 + legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
79240 + Modula-3 runtime, etc) or executables linked to such, basically
79241 + everything that does not specify its own SA_RESTORER function in
79242 + normal executable memory like glibc 2.1+ does.
79243 +
79244 + On parisc you MUST enable this option, otherwise your system will
79245 + not even boot.
79246 +
79247 + NOTE: this feature cannot be disabled on a per executable basis
79248 + and since it *does* open up a loophole in the protection provided
79249 + by non-executable pages, the best solution is to not have any
79250 + files on your system that would require this option.
79251 +
79252 +config PAX_MPROTECT
79253 + bool "Restrict mprotect()"
79254 + depends on (PAX_PAGEEXEC || PAX_SEGMEXEC)
79255 + help
79256 + Enabling this option will prevent programs from
79257 + - changing the executable status of memory pages that were
79258 + not originally created as executable,
79259 + - making read-only executable pages writable again,
79260 + - creating executable pages from anonymous memory,
79261 + - making read-only-after-relocations (RELRO) data pages writable again.
79262 +
79263 + You should say Y here to complete the protection provided by
79264 + the enforcement of non-executable pages.
79265 +
79266 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
79267 + this feature on a per file basis.
79268 +
79269 +config PAX_MPROTECT_COMPAT
79270 + bool "Use legacy/compat protection demoting (read help)"
79271 + depends on PAX_MPROTECT
79272 + default n
79273 + help
79274 + The current implementation of PAX_MPROTECT denies RWX allocations/mprotects
79275 + by sending the proper error code to the application. For some broken
79276 + userland, this can cause problems with Python or other applications. The
79277 + current implementation however allows for applications like clamav to
79278 + detect if JIT compilation/execution is allowed and to fall back gracefully
79279 + to an interpreter-based mode if it does not. While we encourage everyone
79280 + to use the current implementation as-is and push upstream to fix broken
79281 + userland (note that the RWX logging option can assist with this), in some
79282 + environments this may not be possible. Having to disable MPROTECT
79283 + completely on certain binaries reduces the security benefit of PaX,
79284 + so this option is provided for those environments to revert to the old
79285 + behavior.
79286 +
79287 +config PAX_ELFRELOCS
79288 + bool "Allow ELF text relocations (read help)"
79289 + depends on PAX_MPROTECT
79290 + default n
79291 + help
79292 + Non-executable pages and mprotect() restrictions are effective
79293 + in preventing the introduction of new executable code into an
79294 + attacked task's address space. There remain only two venues
79295 + for this kind of attack: if the attacker can execute already
79296 + existing code in the attacked task then he can either have it
79297 + create and mmap() a file containing his code or have it mmap()
79298 + an already existing ELF library that does not have position
79299 + independent code in it and use mprotect() on it to make it
79300 + writable and copy his code there. While protecting against
79301 + the former approach is beyond PaX, the latter can be prevented
79302 + by having only PIC ELF libraries on one's system (which do not
79303 + need to relocate their code). If you are sure this is your case,
79304 + as is the case with all modern Linux distributions, then leave
79305 + this option disabled. You should say 'n' here.
79306 +
79307 +config PAX_ETEXECRELOCS
79308 + bool "Allow ELF ET_EXEC text relocations"
79309 + depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
79310 + select PAX_ELFRELOCS
79311 + default y
79312 + help
79313 + On some architectures there are incorrectly created applications
79314 + that require text relocations and would not work without enabling
79315 + this option. If you are an alpha, ia64 or parisc user, you should
79316 + enable this option and disable it once you have made sure that
79317 + none of your applications need it.
79318 +
79319 +config PAX_EMUPLT
79320 + bool "Automatically emulate ELF PLT"
79321 + depends on PAX_MPROTECT && (ALPHA || PARISC || SPARC)
79322 + default y
79323 + help
79324 + Enabling this option will have the kernel automatically detect
79325 + and emulate the Procedure Linkage Table entries in ELF files.
79326 + On some architectures such entries are in writable memory, and
79327 + become non-executable leading to task termination. Therefore
79328 + it is mandatory that you enable this option on alpha, parisc,
79329 + sparc and sparc64, otherwise your system would not even boot.
79330 +
79331 + NOTE: this feature *does* open up a loophole in the protection
79332 + provided by the non-executable pages, therefore the proper
79333 + solution is to modify the toolchain to produce a PLT that does
79334 + not need to be writable.
79335 +
79336 +config PAX_DLRESOLVE
79337 + bool 'Emulate old glibc resolver stub'
79338 + depends on PAX_EMUPLT && SPARC
79339 + default n
79340 + help
79341 + This option is needed if userland has an old glibc (before 2.4)
79342 + that puts a 'save' instruction into the runtime generated resolver
79343 + stub that needs special emulation.
79344 +
79345 +config PAX_KERNEXEC
79346 + bool "Enforce non-executable kernel pages"
79347 + depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
79348 + select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
79349 + select PAX_KERNEXEC_PLUGIN if X86_64
79350 + help
79351 + This is the kernel land equivalent of PAGEEXEC and MPROTECT,
79352 + that is, enabling this option will make it harder to inject
79353 + and execute 'foreign' code in kernel memory itself.
79354 +
79355 + Note that on x86_64 kernels there is a known regression when
79356 + this feature and KVM/VMX are both enabled in the host kernel.
79357 +
79358 +config PAX_KERNEXEC_MODULE_TEXT
79359 + int "Minimum amount of memory reserved for module code"
79360 + default "4"
79361 + depends on PAX_KERNEXEC && X86_32 && MODULES
79362 + help
79363 + Due to implementation details the kernel must reserve a fixed
79364 + amount of memory for module code at compile time that cannot be
79365 + changed at runtime. Here you can specify the minimum amount
79366 + in MB that will be reserved. Due to the same implementation
79367 + details this size will always be rounded up to the next 2/4 MB
79368 + boundary (depends on PAE) so the actually available memory for
79369 + module code will usually be more than this minimum.
79370 +
79371 + The default 4 MB should be enough for most users but if you have
79372 + an excessive number of modules (e.g., most distribution configs
79373 + compile many drivers as modules) or use huge modules such as
79374 + nvidia's kernel driver, you will need to adjust this amount.
79375 + A good rule of thumb is to look at your currently loaded kernel
79376 + modules and add up their sizes.
79377 +
79378 +endmenu
79379 +
79380 +menu "Address Space Layout Randomization"
79381 + depends on PAX
79382 +
79383 +config PAX_ASLR
79384 + bool "Address Space Layout Randomization"
79385 + depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
79386 + help
79387 + Many if not most exploit techniques rely on the knowledge of
79388 + certain addresses in the attacked program. The following options
79389 + will allow the kernel to apply a certain amount of randomization
79390 + to specific parts of the program thereby forcing an attacker to
79391 + guess them in most cases. Any failed guess will most likely crash
79392 + the attacked program which allows the kernel to detect such attempts
79393 + and react on them. PaX itself provides no reaction mechanisms,
79394 + instead it is strongly encouraged that you make use of Nergal's
79395 + segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
79396 + (http://www.grsecurity.net/) built-in crash detection features or
79397 + develop one yourself.
79398 +
79399 + By saying Y here you can choose to randomize the following areas:
79400 + - top of the task's kernel stack
79401 + - top of the task's userland stack
79402 + - base address for mmap() requests that do not specify one
79403 + (this includes all libraries)
79404 + - base address of the main executable
79405 +
79406 + It is strongly recommended to say Y here as address space layout
79407 + randomization has negligible impact on performance yet it provides
79408 + a very effective protection.
79409 +
79410 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
79411 + this feature on a per file basis.
79412 +
79413 +config PAX_RANDKSTACK
79414 + bool "Randomize kernel stack base"
79415 + depends on X86_TSC && X86
79416 + help
79417 + By saying Y here the kernel will randomize every task's kernel
79418 + stack on every system call. This will not only force an attacker
79419 + to guess it but also prevent him from making use of possible
79420 + leaked information about it.
79421 +
79422 + Since the kernel stack is a rather scarce resource, randomization
79423 + may cause unexpected stack overflows, therefore you should very
79424 + carefully test your system. Note that once enabled in the kernel
79425 + configuration, this feature cannot be disabled on a per file basis.
79426 +
79427 +config PAX_RANDUSTACK
79428 + bool "Randomize user stack base"
79429 + depends on PAX_ASLR
79430 + help
79431 + By saying Y here the kernel will randomize every task's userland
79432 + stack. The randomization is done in two steps where the second
79433 + one may apply a big amount of shift to the top of the stack and
79434 + cause problems for programs that want to use lots of memory (more
79435 + than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
79436 + For this reason the second step can be controlled by 'chpax' or
79437 + 'paxctl' on a per file basis.
79438 +
79439 +config PAX_RANDMMAP
79440 + bool "Randomize mmap() base"
79441 + depends on PAX_ASLR
79442 + help
79443 + By saying Y here the kernel will use a randomized base address for
79444 + mmap() requests that do not specify one themselves. As a result
79445 + all dynamically loaded libraries will appear at random addresses
79446 + and therefore be harder to exploit by a technique where an attacker
79447 + attempts to execute library code for his purposes (e.g. spawn a
79448 + shell from an exploited program that is running at an elevated
79449 + privilege level).
79450 +
79451 + Furthermore, if a program is relinked as a dynamic ELF file, its
79452 + base address will be randomized as well, completing the full
79453 + randomization of the address space layout. Attacking such programs
79454 + becomes a guess game. You can find an example of doing this at
79455 + http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
79456 + http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
79457 +
79458 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
79459 + feature on a per file basis.
79460 +
79461 +endmenu
79462 +
79463 +menu "Miscellaneous hardening features"
79464 +
79465 +config PAX_MEMORY_SANITIZE
79466 + bool "Sanitize all freed memory"
79467 + help
79468 + By saying Y here the kernel will erase memory pages as soon as they
79469 + are freed. This in turn reduces the lifetime of data stored in the
79470 + pages, making it less likely that sensitive information such as
79471 + passwords, cryptographic secrets, etc stay in memory for too long.
79472 +
79473 + This is especially useful for programs whose runtime is short, long
79474 + lived processes and the kernel itself benefit from this as long as
79475 + they operate on whole memory pages and ensure timely freeing of pages
79476 + that may hold sensitive information.
79477 +
79478 + The tradeoff is performance impact, on a single CPU system kernel
79479 + compilation sees a 3% slowdown, other systems and workloads may vary
79480 + and you are advised to test this feature on your expected workload
79481 + before deploying it.
79482 +
79483 + Note that this feature does not protect data stored in live pages,
79484 + e.g., process memory swapped to disk may stay there for a long time.
79485 +
79486 +config PAX_MEMORY_STACKLEAK
79487 + bool "Sanitize kernel stack"
79488 + depends on X86
79489 + help
79490 + By saying Y here the kernel will erase the kernel stack before it
79491 + returns from a system call. This in turn reduces the information
79492 + that a kernel stack leak bug can reveal.
79493 +
79494 + Note that such a bug can still leak information that was put on
79495 + the stack by the current system call (the one eventually triggering
79496 + the bug) but traces of earlier system calls on the kernel stack
79497 + cannot leak anymore.
79498 +
79499 + The tradeoff is performance impact, on a single CPU system kernel
79500 + compilation sees a 1% slowdown, other systems and workloads may vary
79501 + and you are advised to test this feature on your expected workload
79502 + before deploying it.
79503 +
79504 + Note: full support for this feature requires gcc with plugin support
79505 + so make sure your compiler is at least gcc 4.5.0 (cross compilation
79506 + is not supported). Using older gcc versions means that functions
79507 + with large enough stack frames may leave uninitialized memory behind
79508 + that may be exposed to a later syscall leaking the stack.
79509 +
79510 +config PAX_MEMORY_UDEREF
79511 + bool "Prevent invalid userland pointer dereference"
79512 + depends on X86 && !UML_X86 && !XEN
79513 + select PAX_PER_CPU_PGD if X86_64
79514 + help
79515 + By saying Y here the kernel will be prevented from dereferencing
79516 + userland pointers in contexts where the kernel expects only kernel
79517 + pointers. This is both a useful runtime debugging feature and a
79518 + security measure that prevents exploiting a class of kernel bugs.
79519 +
79520 + The tradeoff is that some virtualization solutions may experience
79521 + a huge slowdown and therefore you should not enable this feature
79522 + for kernels meant to run in such environments. Whether a given VM
79523 + solution is affected or not is best determined by simply trying it
79524 + out, the performance impact will be obvious right on boot as this
79525 + mechanism engages from very early on. A good rule of thumb is that
79526 + VMs running on CPUs without hardware virtualization support (i.e.,
79527 + the majority of IA-32 CPUs) will likely experience the slowdown.
79528 +
79529 +config PAX_REFCOUNT
79530 + bool "Prevent various kernel object reference counter overflows"
79531 + depends on GRKERNSEC && (X86 || SPARC64)
79532 + help
79533 + By saying Y here the kernel will detect and prevent overflowing
79534 + various (but not all) kinds of object reference counters. Such
79535 + overflows can normally occur due to bugs only and are often, if
79536 + not always, exploitable.
79537 +
79538 + The tradeoff is that data structures protected by an overflowed
79539 + refcount will never be freed and therefore will leak memory. Note
79540 + that this leak also happens even without this protection but in
79541 + that case the overflow can eventually trigger the freeing of the
79542 + data structure while it is still being used elsewhere, resulting
79543 + in the exploitable situation that this feature prevents.
79544 +
79545 + Since this has a negligible performance impact, you should enable
79546 + this feature.
79547 +
79548 +config PAX_USERCOPY
79549 + bool "Harden heap object copies between kernel and userland"
79550 + depends on X86 || PPC || SPARC || ARM
79551 + depends on GRKERNSEC && (SLAB || SLUB || SLOB)
79552 + help
79553 + By saying Y here the kernel will enforce the size of heap objects
79554 + when they are copied in either direction between the kernel and
79555 + userland, even if only a part of the heap object is copied.
79556 +
79557 + Specifically, this checking prevents information leaking from the
79558 + kernel heap during kernel to userland copies (if the kernel heap
79559 + object is otherwise fully initialized) and prevents kernel heap
79560 + overflows during userland to kernel copies.
79561 +
79562 + Note that the current implementation provides the strictest bounds
79563 + checks for the SLUB allocator.
79564 +
79565 + Enabling this option also enables per-slab cache protection against
79566 + data in a given cache being copied into/out of via userland
79567 + accessors. Though the whitelist of regions will be reduced over
79568 + time, it notably protects important data structures like task structs.
79569 +
79570 +
79571 + If frame pointers are enabled on x86, this option will also
79572 + restrict copies into and out of the kernel stack to local variables
79573 + within a single frame.
79574 +
79575 + Since this has a negligible performance impact, you should enable
79576 + this feature.
79577 +
79578 +endmenu
79579 +
79580 +endmenu
79581 +
79582 config KEYS
79583 bool "Enable access key retention support"
79584 help
79585 @@ -146,7 +699,7 @@ config INTEL_TXT
79586 config LSM_MMAP_MIN_ADDR
79587 int "Low address space for LSM to protect from user allocation"
79588 depends on SECURITY && SECURITY_SELINUX
79589 - default 65536
79590 + default 32768
79591 help
79592 This is the portion of low virtual memory which should be protected
79593 from userspace allocation. Keeping a user from writing to low pages
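Review bot: Lowering the default of LSM_MMAP_MIN_ADDR from 65536 to 32768 halves the low address range that is protected from userspace mappings, and nothing in the hunk says why. If the smaller value is needed only on some architectures, I would keep 65536 as the general default and select the lower one conditionally, e.g. `default 32768 if ARM` followed by `default 65536`. The help text continues outside the hunk and may still describe the old number, so it should be checked against the new default.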
79594 diff -urNp linux-2.6.32.46/security/keys/keyring.c linux-2.6.32.46/security/keys/keyring.c
79595 --- linux-2.6.32.46/security/keys/keyring.c 2011-03-27 14:31:47.000000000 -0400
79596 +++ linux-2.6.32.46/security/keys/keyring.c 2011-04-18 22:03:00.000000000 -0400
79597 @@ -214,15 +214,15 @@ static long keyring_read(const struct ke
79598 ret = -EFAULT;
79599
79600 for (loop = 0; loop < klist->nkeys; loop++) {
79601 + key_serial_t serial;
79602 key = klist->keys[loop];
79603 + serial = key->serial;
79604
79605 tmp = sizeof(key_serial_t);
79606 if (tmp > buflen)
79607 tmp = buflen;
79608
79609 - if (copy_to_user(buffer,
79610 - &key->serial,
79611 - tmp) != 0)
79612 + if (copy_to_user(buffer, &serial, tmp))
79613 goto error;
79614
79615 buflen -= tmp;
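Review bot: The new local `serial` in the loop has no comment, so copying `key->serial` to the stack before `copy_to_user()` reads like a redundant step that a later cleanup could undo. Presumably it is there so the copy source is a stack variable rather than a field inside the key object, which the heap-object copy checks described in this patch's Kconfig would otherwise have to allow. If so, say it next to the declaration, e.g. `/* copy from a stack local, not from inside the key object */`. keyring_read() starts and ends outside the hunk.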
79616 diff -urNp linux-2.6.32.46/security/min_addr.c linux-2.6.32.46/security/min_addr.c
79617 --- linux-2.6.32.46/security/min_addr.c 2011-03-27 14:31:47.000000000 -0400
79618 +++ linux-2.6.32.46/security/min_addr.c 2011-04-17 15:56:46.000000000 -0400
79619 @@ -14,6 +14,7 @@ unsigned long dac_mmap_min_addr = CONFIG
79620 */
79621 static void update_mmap_min_addr(void)
79622 {
79623 +#ifndef SPARC
79624 #ifdef CONFIG_LSM_MMAP_MIN_ADDR
79625 if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
79626 mmap_min_addr = dac_mmap_min_addr;
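Review bot: `#ifndef SPARC` tests a macro that a kernel build does not normally define, because Kconfig symbols reach C code as `CONFIG_*`. Unless something outside this hunk defines `SPARC`, the guard is always true and update_mmap_min_addr() behaves exactly as before on sparc. If the intent is to leave mmap_min_addr untouched there, the line should read `#ifndef CONFIG_SPARC`; the matching `#endif` is in the next hunk. A one-line comment on why sparc is excluded would also help, since the function would then silently do nothing on that architecture.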
79627 @@ -22,6 +23,7 @@ static void update_mmap_min_addr(void)
79628 #else
79629 mmap_min_addr = dac_mmap_min_addr;
79630 #endif
79631 +#endif
79632 }
79633
79634 /*
79635 diff -urNp linux-2.6.32.46/security/root_plug.c linux-2.6.32.46/security/root_plug.c
79636 --- linux-2.6.32.46/security/root_plug.c 2011-03-27 14:31:47.000000000 -0400
79637 +++ linux-2.6.32.46/security/root_plug.c 2011-04-17 15:56:46.000000000 -0400
79638 @@ -70,7 +70,7 @@ static int rootplug_bprm_check_security
79639 return 0;
79640 }
79641
79642 -static struct security_operations rootplug_security_ops = {
79643 +static struct security_operations rootplug_security_ops __read_only = {
79644 .bprm_check_security = rootplug_bprm_check_security,
79645 };
79646
79647 diff -urNp linux-2.6.32.46/security/security.c linux-2.6.32.46/security/security.c
79648 --- linux-2.6.32.46/security/security.c 2011-03-27 14:31:47.000000000 -0400
79649 +++ linux-2.6.32.46/security/security.c 2011-04-17 15:56:46.000000000 -0400
79650 @@ -24,7 +24,7 @@ static __initdata char chosen_lsm[SECURI
79651 extern struct security_operations default_security_ops;
79652 extern void security_fixup_ops(struct security_operations *ops);
79653
79654 -struct security_operations *security_ops; /* Initialized to NULL */
79655 +struct security_operations *security_ops __read_only; /* Initialized to NULL */
79656
79657 static inline int verify(struct security_operations *ops)
79658 {
79659 @@ -106,7 +106,7 @@ int __init security_module_enable(struct
79660 * If there is already a security module registered with the kernel,
79661 * an error will be returned. Otherwise %0 is returned on success.
79662 */
79663 -int register_security(struct security_operations *ops)
79664 +int __init register_security(struct security_operations *ops)
79665 {
79666 if (verify(ops)) {
79667 printk(KERN_DEBUG "%s could not verify "
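Review bot: The kerneldoc above register_security() does not mention that the function is now `__init`, so it is only callable during boot and its text is discarded afterwards. Any caller that is not itself init code would then call into freed init memory. The callers are outside this hunk, so they need checking across security/, and an export of the symbol, if one exists, no longer makes sense. I would add a line to the comment such as `* This function is init-only and must not be called after boot.` The function body continues outside the hunk.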
79668 diff -urNp linux-2.6.32.46/security/selinux/hooks.c linux-2.6.32.46/security/selinux/hooks.c
79669 --- linux-2.6.32.46/security/selinux/hooks.c 2011-03-27 14:31:47.000000000 -0400
79670 +++ linux-2.6.32.46/security/selinux/hooks.c 2011-04-17 15:56:46.000000000 -0400
79671 @@ -131,7 +131,7 @@ int selinux_enabled = 1;
79672 * Minimal support for a secondary security module,
79673 * just to allow the use of the capability module.
79674 */
79675 -static struct security_operations *secondary_ops;
79676 +static struct security_operations *secondary_ops __read_only;
79677
79678 /* Lists of inode and superblock security structures initialized
79679 before the policy was loaded. */
79680 @@ -5457,7 +5457,7 @@ static int selinux_key_getsecurity(struc
79681
79682 #endif
79683
79684 -static struct security_operations selinux_ops = {
79685 +static struct security_operations selinux_ops __read_only = {
79686 .name = "selinux",
79687
79688 .ptrace_access_check = selinux_ptrace_access_check,
79689 @@ -5841,7 +5841,9 @@ int selinux_disable(void)
79690 avc_disable();
79691
79692 /* Reset security_ops to the secondary module, dummy or capability. */
79693 + pax_open_kernel();
79694 security_ops = secondary_ops;
79695 + pax_close_kernel();
79696
79697 /* Unregister netfilter hooks. */
79698 selinux_nf_ip_exit();
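Review bot: The `pax_open_kernel()` / `pax_close_kernel()` pair around the store to `security_ops` is uncommented, and the existing comment above it only describes the reset. Since `security_ops` is marked `__read_only` in security/security.c by this patch, a reader should be told that this is a deliberate write window and that it must stay limited to the single assignment. A suitable comment would be `/* security_ops is __read_only: open a write window for this one store only */`. selinux_disable() starts and ends outside the hunk.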
79699 diff -urNp linux-2.6.32.46/security/selinux/include/xfrm.h linux-2.6.32.46/security/selinux/include/xfrm.h
79700 --- linux-2.6.32.46/security/selinux/include/xfrm.h 2011-03-27 14:31:47.000000000 -0400
79701 +++ linux-2.6.32.46/security/selinux/include/xfrm.h 2011-05-18 20:09:37.000000000 -0400
79702 @@ -48,7 +48,7 @@ int selinux_xfrm_decode_session(struct s
79703
79704 static inline void selinux_xfrm_notify_policyload(void)
79705 {
79706 - atomic_inc(&flow_cache_genid);
79707 + atomic_inc_unchecked(&flow_cache_genid);
79708 }
79709 #else
79710 static inline int selinux_xfrm_enabled(void)
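Review bot: Switching `flow_cache_genid` to `atomic_inc_unchecked()` in selinux_xfrm_notify_policyload() presumably opts this counter out of the reference-counter overflow protection, and the reason is not recorded. It looks like a generation number that is allowed to wrap rather than a reference count. If that is right, a comment above the call such as `/* generation counter, wrap-around is harmless */` keeps a later audit from treating it as a missed case.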
79711 diff -urNp linux-2.6.32.46/security/selinux/ss/services.c linux-2.6.32.46/security/selinux/ss/services.c
79712 --- linux-2.6.32.46/security/selinux/ss/services.c 2011-03-27 14:31:47.000000000 -0400
79713 +++ linux-2.6.32.46/security/selinux/ss/services.c 2011-05-16 21:46:57.000000000 -0400
79714 @@ -1715,6 +1715,8 @@ int security_load_policy(void *data, siz
79715 int rc = 0;
79716 struct policy_file file = { data, len }, *fp = &file;
79717
79718 + pax_track_stack();
79719 +
79720 if (!ss_initialized) {
79721 avtab_cache_init();
79722 if (policydb_read(&policydb, fp)) {
79723 diff -urNp linux-2.6.32.46/security/smack/smack_lsm.c linux-2.6.32.46/security/smack/smack_lsm.c
79724 --- linux-2.6.32.46/security/smack/smack_lsm.c 2011-03-27 14:31:47.000000000 -0400
79725 +++ linux-2.6.32.46/security/smack/smack_lsm.c 2011-04-17 15:56:46.000000000 -0400
79726 @@ -3073,7 +3073,7 @@ static int smack_inode_getsecctx(struct
79727 return 0;
79728 }
79729
79730 -struct security_operations smack_ops = {
79731 +struct security_operations smack_ops __read_only = {
79732 .name = "smack",
79733
79734 .ptrace_access_check = smack_ptrace_access_check,
79735 diff -urNp linux-2.6.32.46/security/tomoyo/tomoyo.c linux-2.6.32.46/security/tomoyo/tomoyo.c
79736 --- linux-2.6.32.46/security/tomoyo/tomoyo.c 2011-03-27 14:31:47.000000000 -0400
79737 +++ linux-2.6.32.46/security/tomoyo/tomoyo.c 2011-04-17 15:56:46.000000000 -0400
79738 @@ -275,7 +275,7 @@ static int tomoyo_dentry_open(struct fil
79739 * tomoyo_security_ops is a "struct security_operations" which is used for
79740 * registering TOMOYO.
79741 */
79742 -static struct security_operations tomoyo_security_ops = {
79743 +static struct security_operations tomoyo_security_ops __read_only = {
79744 .name = "tomoyo",
79745 .cred_alloc_blank = tomoyo_cred_alloc_blank,
79746 .cred_prepare = tomoyo_cred_prepare,
79747 diff -urNp linux-2.6.32.46/sound/aoa/codecs/onyx.c linux-2.6.32.46/sound/aoa/codecs/onyx.c
79748 --- linux-2.6.32.46/sound/aoa/codecs/onyx.c 2011-03-27 14:31:47.000000000 -0400
79749 +++ linux-2.6.32.46/sound/aoa/codecs/onyx.c 2011-04-17 15:56:46.000000000 -0400
79750 @@ -53,7 +53,7 @@ struct onyx {
79751 spdif_locked:1,
79752 analog_locked:1,
79753 original_mute:2;
79754 - int open_count;
79755 + local_t open_count;
79756 struct codec_info *codec_info;
79757
79758 /* mutex serializes concurrent access to the device
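Review bot: `open_count` becomes a `local_t` with no comment on why, and `local_t` operations are only atomic with respect to the current CPU, so the type by itself adds no protection against concurrent open and close. In onyx.c the counter is updated under `onyx->mutex` (see the onyx_open and onyx_close hunks), so this is fine there. The same conversion in sound/drivers/mts64.c shows no lock around the read-then-increment in snd_mts64_rawmidi_open and relies on whatever the caller holds, and portman2x4.c changes only the field type. I would add `/* serialized by onyx->mutex */` next to the field, plus a sentence giving the reason for the type, and the equivalent in the other two drivers. The struct continues outside the hunk.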
79759 @@ -752,7 +752,7 @@ static int onyx_open(struct codec_info_i
79760 struct onyx *onyx = cii->codec_data;
79761
79762 mutex_lock(&onyx->mutex);
79763 - onyx->open_count++;
79764 + local_inc(&onyx->open_count);
79765 mutex_unlock(&onyx->mutex);
79766
79767 return 0;
79768 @@ -764,8 +764,7 @@ static int onyx_close(struct codec_info_
79769 struct onyx *onyx = cii->codec_data;
79770
79771 mutex_lock(&onyx->mutex);
79772 - onyx->open_count--;
79773 - if (!onyx->open_count)
79774 + if (local_dec_and_test(&onyx->open_count))
79775 onyx->spdif_locked = onyx->analog_locked = 0;
79776 mutex_unlock(&onyx->mutex);
79777
79778 diff -urNp linux-2.6.32.46/sound/aoa/codecs/onyx.h linux-2.6.32.46/sound/aoa/codecs/onyx.h
79779 --- linux-2.6.32.46/sound/aoa/codecs/onyx.h 2011-03-27 14:31:47.000000000 -0400
79780 +++ linux-2.6.32.46/sound/aoa/codecs/onyx.h 2011-04-17 15:56:46.000000000 -0400
79781 @@ -11,6 +11,7 @@
79782 #include <linux/i2c.h>
79783 #include <asm/pmac_low_i2c.h>
79784 #include <asm/prom.h>
79785 +#include <asm/local.h>
79786
79787 /* PCM3052 register definitions */
79788
79789 diff -urNp linux-2.6.32.46/sound/core/oss/pcm_oss.c linux-2.6.32.46/sound/core/oss/pcm_oss.c
79790 --- linux-2.6.32.46/sound/core/oss/pcm_oss.c 2011-03-27 14:31:47.000000000 -0400
79791 +++ linux-2.6.32.46/sound/core/oss/pcm_oss.c 2011-10-06 09:37:16.000000000 -0400
79792 @@ -1395,7 +1395,7 @@ static ssize_t snd_pcm_oss_write1(struct
79793 }
79794 } else {
79795 tmp = snd_pcm_oss_write2(substream,
79796 - (const char __force *)buf,
79797 + (const char __force_kernel *)buf,
79798 runtime->oss.period_bytes, 0);
79799 if (tmp <= 0)
79800 goto err;
79801 @@ -1483,7 +1483,7 @@ static ssize_t snd_pcm_oss_read1(struct
79802 xfer += tmp;
79803 runtime->oss.buffer_used -= tmp;
79804 } else {
79805 - tmp = snd_pcm_oss_read2(substream, (char __force *)buf,
79806 + tmp = snd_pcm_oss_read2(substream, (char __force_kernel *)buf,
79807 runtime->oss.period_bytes, 0);
79808 if (tmp <= 0)
79809 goto err;
79810 diff -urNp linux-2.6.32.46/sound/core/pcm_compat.c linux-2.6.32.46/sound/core/pcm_compat.c
79811 --- linux-2.6.32.46/sound/core/pcm_compat.c 2011-08-09 18:35:30.000000000 -0400
79812 +++ linux-2.6.32.46/sound/core/pcm_compat.c 2011-10-06 09:37:16.000000000 -0400
79813 @@ -30,7 +30,7 @@ static int snd_pcm_ioctl_delay_compat(st
79814 int err;
79815
79816 fs = snd_enter_user();
79817 - err = snd_pcm_delay(substream, &delay);
79818 + err = snd_pcm_delay(substream, (snd_pcm_sframes_t __force_user *)&delay);
79819 snd_leave_user(fs);
79820 if (err < 0)
79821 return err;
79822 diff -urNp linux-2.6.32.46/sound/core/pcm_native.c linux-2.6.32.46/sound/core/pcm_native.c
79823 --- linux-2.6.32.46/sound/core/pcm_native.c 2011-03-27 14:31:47.000000000 -0400
79824 +++ linux-2.6.32.46/sound/core/pcm_native.c 2011-10-06 09:37:16.000000000 -0400
79825 @@ -2747,11 +2747,11 @@ int snd_pcm_kernel_ioctl(struct snd_pcm_
79826 switch (substream->stream) {
79827 case SNDRV_PCM_STREAM_PLAYBACK:
79828 result = snd_pcm_playback_ioctl1(NULL, substream, cmd,
79829 - (void __user *)arg);
79830 + (void __force_user *)arg);
79831 break;
79832 case SNDRV_PCM_STREAM_CAPTURE:
79833 result = snd_pcm_capture_ioctl1(NULL, substream, cmd,
79834 - (void __user *)arg);
79835 + (void __force_user *)arg);
79836 break;
79837 default:
79838 result = -EINVAL;
79839 diff -urNp linux-2.6.32.46/sound/core/seq/seq_device.c linux-2.6.32.46/sound/core/seq/seq_device.c
79840 --- linux-2.6.32.46/sound/core/seq/seq_device.c 2011-03-27 14:31:47.000000000 -0400
79841 +++ linux-2.6.32.46/sound/core/seq/seq_device.c 2011-08-05 20:33:55.000000000 -0400
79842 @@ -63,7 +63,7 @@ struct ops_list {
79843 int argsize; /* argument size */
79844
79845 /* operators */
79846 - struct snd_seq_dev_ops ops;
79847 + struct snd_seq_dev_ops *ops;
79848
79849 /* registred devices */
79850 struct list_head dev_list; /* list of devices */
79851 @@ -332,7 +332,7 @@ int snd_seq_device_register_driver(char
79852
79853 mutex_lock(&ops->reg_mutex);
79854 /* copy driver operators */
79855 - ops->ops = *entry;
79856 + ops->ops = entry;
79857 ops->driver |= DRIVER_LOADED;
79858 ops->argsize = argsize;
79859
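Review bot: Storing `entry` instead of copying `*entry` changes the lifetime contract of snd_seq_device_register_driver(). The caller's `struct snd_seq_dev_ops` must now stay valid for as long as the driver is registered, because init_device() and free_device() (later hunks) call through `ops->ops->...`. A caller that passes an automatic or init-only structure would leave a dangling pointer, so the callers, which are outside this file section, need checking, and the unregister path should reset the pointer. The context comment `/* copy driver operators */` is now wrong; I would change it to `/* keep a pointer to the driver operators; entry must outlive the registration */`. The function starts and ends outside the hunk.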
79860 @@ -462,7 +462,7 @@ static int init_device(struct snd_seq_de
79861 dev->name, ops->id, ops->argsize, dev->argsize);
79862 return -EINVAL;
79863 }
79864 - if (ops->ops.init_device(dev) >= 0) {
79865 + if (ops->ops->init_device(dev) >= 0) {
79866 dev->status = SNDRV_SEQ_DEVICE_REGISTERED;
79867 ops->num_init_devices++;
79868 } else {
79869 @@ -489,7 +489,7 @@ static int free_device(struct snd_seq_de
79870 dev->name, ops->id, ops->argsize, dev->argsize);
79871 return -EINVAL;
79872 }
79873 - if ((result = ops->ops.free_device(dev)) >= 0 || result == -ENXIO) {
79874 + if ((result = ops->ops->free_device(dev)) >= 0 || result == -ENXIO) {
79875 dev->status = SNDRV_SEQ_DEVICE_FREE;
79876 dev->driver_data = NULL;
79877 ops->num_init_devices--;
79878 diff -urNp linux-2.6.32.46/sound/drivers/mts64.c linux-2.6.32.46/sound/drivers/mts64.c
79879 --- linux-2.6.32.46/sound/drivers/mts64.c 2011-03-27 14:31:47.000000000 -0400
79880 +++ linux-2.6.32.46/sound/drivers/mts64.c 2011-04-17 15:56:46.000000000 -0400
79881 @@ -27,6 +27,7 @@
79882 #include <sound/initval.h>
79883 #include <sound/rawmidi.h>
79884 #include <sound/control.h>
79885 +#include <asm/local.h>
79886
79887 #define CARD_NAME "Miditerminal 4140"
79888 #define DRIVER_NAME "MTS64"
79889 @@ -65,7 +66,7 @@ struct mts64 {
79890 struct pardevice *pardev;
79891 int pardev_claimed;
79892
79893 - int open_count;
79894 + local_t open_count;
79895 int current_midi_output_port;
79896 int current_midi_input_port;
79897 u8 mode[MTS64_NUM_INPUT_PORTS];
79898 @@ -695,7 +696,7 @@ static int snd_mts64_rawmidi_open(struct
79899 {
79900 struct mts64 *mts = substream->rmidi->private_data;
79901
79902 - if (mts->open_count == 0) {
79903 + if (local_read(&mts->open_count) == 0) {
79904 /* We don't need a spinlock here, because this is just called
79905 if the device has not been opened before.
79906 So there aren't any IRQs from the device */
79907 @@ -703,7 +704,7 @@ static int snd_mts64_rawmidi_open(struct
79908
79909 msleep(50);
79910 }
79911 - ++(mts->open_count);
79912 + local_inc(&mts->open_count);
79913
79914 return 0;
79915 }
79916 @@ -713,8 +714,7 @@ static int snd_mts64_rawmidi_close(struc
79917 struct mts64 *mts = substream->rmidi->private_data;
79918 unsigned long flags;
79919
79920 - --(mts->open_count);
79921 - if (mts->open_count == 0) {
79922 + if (local_dec_return(&mts->open_count) == 0) {
79923 /* We need the spinlock_irqsave here because we can still
79924 have IRQs at this point */
79925 spin_lock_irqsave(&mts->lock, flags);
79926 @@ -723,8 +723,8 @@ static int snd_mts64_rawmidi_close(struc
79927
79928 msleep(500);
79929
79930 - } else if (mts->open_count < 0)
79931 - mts->open_count = 0;
79932 + } else if (local_read(&mts->open_count) < 0)
79933 + local_set(&mts->open_count, 0);
79934
79935 return 0;
79936 }
79937 diff -urNp linux-2.6.32.46/sound/drivers/opl4/opl4_lib.c linux-2.6.32.46/sound/drivers/opl4/opl4_lib.c
79938 --- linux-2.6.32.46/sound/drivers/opl4/opl4_lib.c 2011-03-27 14:31:47.000000000 -0400
79939 +++ linux-2.6.32.46/sound/drivers/opl4/opl4_lib.c 2011-08-05 20:33:55.000000000 -0400
79940 @@ -27,7 +27,7 @@ MODULE_AUTHOR("Clemens Ladisch <clemens@
79941 MODULE_DESCRIPTION("OPL4 driver");
79942 MODULE_LICENSE("GPL");
79943
79944 -static void inline snd_opl4_wait(struct snd_opl4 *opl4)
79945 +static inline void snd_opl4_wait(struct snd_opl4 *opl4)
79946 {
79947 int timeout = 10;
79948 while ((inb(opl4->fm_port) & OPL4_STATUS_BUSY) && --timeout > 0)
79949 diff -urNp linux-2.6.32.46/sound/drivers/portman2x4.c linux-2.6.32.46/sound/drivers/portman2x4.c
79950 --- linux-2.6.32.46/sound/drivers/portman2x4.c 2011-03-27 14:31:47.000000000 -0400
79951 +++ linux-2.6.32.46/sound/drivers/portman2x4.c 2011-04-17 15:56:46.000000000 -0400
79952 @@ -46,6 +46,7 @@
79953 #include <sound/initval.h>
79954 #include <sound/rawmidi.h>
79955 #include <sound/control.h>
79956 +#include <asm/local.h>
79957
79958 #define CARD_NAME "Portman 2x4"
79959 #define DRIVER_NAME "portman"
79960 @@ -83,7 +84,7 @@ struct portman {
79961 struct pardevice *pardev;
79962 int pardev_claimed;
79963
79964 - int open_count;
79965 + local_t open_count;
79966 int mode[PORTMAN_NUM_INPUT_PORTS];
79967 struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS];
79968 };
79969 diff -urNp linux-2.6.32.46/sound/isa/cmi8330.c linux-2.6.32.46/sound/isa/cmi8330.c
79970 --- linux-2.6.32.46/sound/isa/cmi8330.c 2011-03-27 14:31:47.000000000 -0400
79971 +++ linux-2.6.32.46/sound/isa/cmi8330.c 2011-08-23 21:22:32.000000000 -0400
79972 @@ -173,7 +173,7 @@ struct snd_cmi8330 {
79973
79974 struct snd_pcm *pcm;
79975 struct snd_cmi8330_stream {
79976 - struct snd_pcm_ops ops;
79977 + snd_pcm_ops_no_const ops;
79978 snd_pcm_open_callback_t open;
79979 void *private_data; /* sb or wss */
79980 } streams[2];
79981 diff -urNp linux-2.6.32.46/sound/oss/sb_audio.c linux-2.6.32.46/sound/oss/sb_audio.c
79982 --- linux-2.6.32.46/sound/oss/sb_audio.c 2011-03-27 14:31:47.000000000 -0400
79983 +++ linux-2.6.32.46/sound/oss/sb_audio.c 2011-04-17 15:56:46.000000000 -0400
79984 @@ -901,7 +901,7 @@ sb16_copy_from_user(int dev,
79985 buf16 = (signed short *)(localbuf + localoffs);
79986 while (c)
79987 {
79988 - locallen = (c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
79989 + locallen = ((unsigned)c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
79990 if (copy_from_user(lbuf8,
79991 userbuf+useroffs + p,
79992 locallen))
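Review bot: The `(unsigned)c` cast only caps `locallen` at LBUFCOPYSIZE when `c` is negative. The `while (c)` loop above it still runs for a negative count, and its tail is outside the hunk, so it is not clear from here that it terminates. If `c` can be negative, rejecting it once before the loop is clearer than clamping on every iteration, e.g. `if (c <= 0) return;`, adjusted to the function's return type, which is not visible here. The declaration of `c` is also outside the hunk, so its signedness should be confirmed first.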
79993 diff -urNp linux-2.6.32.46/sound/oss/swarm_cs4297a.c linux-2.6.32.46/sound/oss/swarm_cs4297a.c
79994 --- linux-2.6.32.46/sound/oss/swarm_cs4297a.c 2011-03-27 14:31:47.000000000 -0400
79995 +++ linux-2.6.32.46/sound/oss/swarm_cs4297a.c 2011-04-17 15:56:46.000000000 -0400
79996 @@ -2577,7 +2577,6 @@ static int __init cs4297a_init(void)
79997 {
79998 struct cs4297a_state *s;
79999 u32 pwr, id;
80000 - mm_segment_t fs;
80001 int rval;
80002 #ifndef CONFIG_BCM_CS4297A_CSWARM
80003 u64 cfg;
80004 @@ -2667,22 +2666,23 @@ static int __init cs4297a_init(void)
80005 if (!rval) {
80006 char *sb1250_duart_present;
80007
80008 +#if 0
80009 + mm_segment_t fs;
80010 fs = get_fs();
80011 set_fs(KERNEL_DS);
80012 -#if 0
80013 val = SOUND_MASK_LINE;
80014 mixer_ioctl(s, SOUND_MIXER_WRITE_RECSRC, (unsigned long) &val);
80015 for (i = 0; i < ARRAY_SIZE(initvol); i++) {
80016 val = initvol[i].vol;
80017 mixer_ioctl(s, initvol[i].mixch, (unsigned long) &val);
80018 }
80019 + set_fs(fs);
80020 // cs4297a_write_ac97(s, 0x18, 0x0808);
80021 #else
80022 // cs4297a_write_ac97(s, 0x5e, 0x180);
80023 cs4297a_write_ac97(s, 0x02, 0x0808);
80024 cs4297a_write_ac97(s, 0x18, 0x0808);
80025 #endif
80026 - set_fs(fs);
80027
80028 list_add(&s->list, &cs4297a_devs);
80029
80030 diff -urNp linux-2.6.32.46/sound/pci/ac97/ac97_codec.c linux-2.6.32.46/sound/pci/ac97/ac97_codec.c
80031 --- linux-2.6.32.46/sound/pci/ac97/ac97_codec.c 2011-03-27 14:31:47.000000000 -0400
80032 +++ linux-2.6.32.46/sound/pci/ac97/ac97_codec.c 2011-04-17 15:56:46.000000000 -0400
80033 @@ -1952,7 +1952,7 @@ static int snd_ac97_dev_disconnect(struc
80034 }
80035
80036 /* build_ops to do nothing */
80037 -static struct snd_ac97_build_ops null_build_ops;
80038 +static const struct snd_ac97_build_ops null_build_ops;
80039
80040 #ifdef CONFIG_SND_AC97_POWER_SAVE
80041 static void do_update_power(struct work_struct *work)
80042 diff -urNp linux-2.6.32.46/sound/pci/ac97/ac97_patch.c linux-2.6.32.46/sound/pci/ac97/ac97_patch.c
80043 --- linux-2.6.32.46/sound/pci/ac97/ac97_patch.c 2011-08-29 22:24:44.000000000 -0400
80044 +++ linux-2.6.32.46/sound/pci/ac97/ac97_patch.c 2011-08-29 22:25:07.000000000 -0400
80045 @@ -371,7 +371,7 @@ static int patch_yamaha_ymf743_build_spd
80046 return 0;
80047 }
80048
80049 -static struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
80050 +static const struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
80051 .build_spdif = patch_yamaha_ymf743_build_spdif,
80052 .build_3d = patch_yamaha_ymf7x3_3d,
80053 };
80054 @@ -455,7 +455,7 @@ static int patch_yamaha_ymf753_post_spdi
80055 return 0;
80056 }
80057
80058 -static struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
80059 +static const struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
80060 .build_3d = patch_yamaha_ymf7x3_3d,
80061 .build_post_spdif = patch_yamaha_ymf753_post_spdif
80062 };
80063 @@ -502,7 +502,7 @@ static int patch_wolfson_wm9703_specific
80064 return 0;
80065 }
80066
80067 -static struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
80068 +static const struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
80069 .build_specific = patch_wolfson_wm9703_specific,
80070 };
80071
80072 @@ -533,7 +533,7 @@ static int patch_wolfson_wm9704_specific
80073 return 0;
80074 }
80075
80076 -static struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
80077 +static const struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
80078 .build_specific = patch_wolfson_wm9704_specific,
80079 };
80080
80081 @@ -555,7 +555,7 @@ static int patch_wolfson_wm9705_specific
80082 return 0;
80083 }
80084
80085 -static struct snd_ac97_build_ops patch_wolfson_wm9705_ops = {
80086 +static const struct snd_ac97_build_ops patch_wolfson_wm9705_ops = {
80087 .build_specific = patch_wolfson_wm9705_specific,
80088 };
80089
80090 @@ -692,7 +692,7 @@ static int patch_wolfson_wm9711_specific
80091 return 0;
80092 }
80093
80094 -static struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
80095 +static const struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
80096 .build_specific = patch_wolfson_wm9711_specific,
80097 };
80098
80099 @@ -886,7 +886,7 @@ static void patch_wolfson_wm9713_resume
80100 }
80101 #endif
80102
80103 -static struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
80104 +static const struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
80105 .build_specific = patch_wolfson_wm9713_specific,
80106 .build_3d = patch_wolfson_wm9713_3d,
80107 #ifdef CONFIG_PM
80108 @@ -991,7 +991,7 @@ static int patch_sigmatel_stac97xx_speci
80109 return 0;
80110 }
80111
80112 -static struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
80113 +static const struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
80114 .build_3d = patch_sigmatel_stac9700_3d,
80115 .build_specific = patch_sigmatel_stac97xx_specific
80116 };
80117 @@ -1038,7 +1038,7 @@ static int patch_sigmatel_stac9708_speci
80118 return patch_sigmatel_stac97xx_specific(ac97);
80119 }
80120
80121 -static struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
80122 +static const struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
80123 .build_3d = patch_sigmatel_stac9708_3d,
80124 .build_specific = patch_sigmatel_stac9708_specific
80125 };
80126 @@ -1267,7 +1267,7 @@ static int patch_sigmatel_stac9758_speci
80127 return 0;
80128 }
80129
80130 -static struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
80131 +static const struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
80132 .build_3d = patch_sigmatel_stac9700_3d,
80133 .build_specific = patch_sigmatel_stac9758_specific
80134 };
80135 @@ -1342,7 +1342,7 @@ static int patch_cirrus_build_spdif(stru
80136 return 0;
80137 }
80138
80139 -static struct snd_ac97_build_ops patch_cirrus_ops = {
80140 +static const struct snd_ac97_build_ops patch_cirrus_ops = {
80141 .build_spdif = patch_cirrus_build_spdif
80142 };
80143
80144 @@ -1399,7 +1399,7 @@ static int patch_conexant_build_spdif(st
80145 return 0;
80146 }
80147
80148 -static struct snd_ac97_build_ops patch_conexant_ops = {
80149 +static const struct snd_ac97_build_ops patch_conexant_ops = {
80150 .build_spdif = patch_conexant_build_spdif
80151 };
80152
80153 @@ -1575,7 +1575,7 @@ static void patch_ad1881_chained(struct
80154 }
80155 }
80156
80157 -static struct snd_ac97_build_ops patch_ad1881_build_ops = {
80158 +static const struct snd_ac97_build_ops patch_ad1881_build_ops = {
80159 #ifdef CONFIG_PM
80160 .resume = ad18xx_resume
80161 #endif
80162 @@ -1662,7 +1662,7 @@ static int patch_ad1885_specific(struct
80163 return 0;
80164 }
80165
80166 -static struct snd_ac97_build_ops patch_ad1885_build_ops = {
80167 +static const struct snd_ac97_build_ops patch_ad1885_build_ops = {
80168 .build_specific = &patch_ad1885_specific,
80169 #ifdef CONFIG_PM
80170 .resume = ad18xx_resume
80171 @@ -1689,7 +1689,7 @@ static int patch_ad1886_specific(struct
80172 return 0;
80173 }
80174
80175 -static struct snd_ac97_build_ops patch_ad1886_build_ops = {
80176 +static const struct snd_ac97_build_ops patch_ad1886_build_ops = {
80177 .build_specific = &patch_ad1886_specific,
80178 #ifdef CONFIG_PM
80179 .resume = ad18xx_resume
80180 @@ -1896,7 +1896,7 @@ static int patch_ad1981a_specific(struct
80181 ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
80182 }
80183
80184 -static struct snd_ac97_build_ops patch_ad1981a_build_ops = {
80185 +static const struct snd_ac97_build_ops patch_ad1981a_build_ops = {
80186 .build_post_spdif = patch_ad198x_post_spdif,
80187 .build_specific = patch_ad1981a_specific,
80188 #ifdef CONFIG_PM
80189 @@ -1952,7 +1952,7 @@ static int patch_ad1981b_specific(struct
80190 ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
80191 }
80192
80193 -static struct snd_ac97_build_ops patch_ad1981b_build_ops = {
80194 +static const struct snd_ac97_build_ops patch_ad1981b_build_ops = {
80195 .build_post_spdif = patch_ad198x_post_spdif,
80196 .build_specific = patch_ad1981b_specific,
80197 #ifdef CONFIG_PM
80198 @@ -2091,7 +2091,7 @@ static int patch_ad1888_specific(struct
80199 return patch_build_controls(ac97, snd_ac97_ad1888_controls, ARRAY_SIZE(snd_ac97_ad1888_controls));
80200 }
80201
80202 -static struct snd_ac97_build_ops patch_ad1888_build_ops = {
80203 +static const struct snd_ac97_build_ops patch_ad1888_build_ops = {
80204 .build_post_spdif = patch_ad198x_post_spdif,
80205 .build_specific = patch_ad1888_specific,
80206 #ifdef CONFIG_PM
80207 @@ -2140,7 +2140,7 @@ static int patch_ad1980_specific(struct
80208 return patch_build_controls(ac97, &snd_ac97_ad198x_2cmic, 1);
80209 }
80210
80211 -static struct snd_ac97_build_ops patch_ad1980_build_ops = {
80212 +static const struct snd_ac97_build_ops patch_ad1980_build_ops = {
80213 .build_post_spdif = patch_ad198x_post_spdif,
80214 .build_specific = patch_ad1980_specific,
80215 #ifdef CONFIG_PM
80216 @@ -2255,7 +2255,7 @@ static int patch_ad1985_specific(struct
80217 ARRAY_SIZE(snd_ac97_ad1985_controls));
80218 }
80219
80220 -static struct snd_ac97_build_ops patch_ad1985_build_ops = {
80221 +static const struct snd_ac97_build_ops patch_ad1985_build_ops = {
80222 .build_post_spdif = patch_ad198x_post_spdif,
80223 .build_specific = patch_ad1985_specific,
80224 #ifdef CONFIG_PM
80225 @@ -2547,7 +2547,7 @@ static int patch_ad1986_specific(struct
80226 ARRAY_SIZE(snd_ac97_ad1985_controls));
80227 }
80228
80229 -static struct snd_ac97_build_ops patch_ad1986_build_ops = {
80230 +static const struct snd_ac97_build_ops patch_ad1986_build_ops = {
80231 .build_post_spdif = patch_ad198x_post_spdif,
80232 .build_specific = patch_ad1986_specific,
80233 #ifdef CONFIG_PM
80234 @@ -2652,7 +2652,7 @@ static int patch_alc650_specific(struct
80235 return 0;
80236 }
80237
80238 -static struct snd_ac97_build_ops patch_alc650_ops = {
80239 +static const struct snd_ac97_build_ops patch_alc650_ops = {
80240 .build_specific = patch_alc650_specific,
80241 .update_jacks = alc650_update_jacks
80242 };
80243 @@ -2804,7 +2804,7 @@ static int patch_alc655_specific(struct
80244 return 0;
80245 }
80246
80247 -static struct snd_ac97_build_ops patch_alc655_ops = {
80248 +static const struct snd_ac97_build_ops patch_alc655_ops = {
80249 .build_specific = patch_alc655_specific,
80250 .update_jacks = alc655_update_jacks
80251 };
80252 @@ -2916,7 +2916,7 @@ static int patch_alc850_specific(struct
80253 return 0;
80254 }
80255
80256 -static struct snd_ac97_build_ops patch_alc850_ops = {
80257 +static const struct snd_ac97_build_ops patch_alc850_ops = {
80258 .build_specific = patch_alc850_specific,
80259 .update_jacks = alc850_update_jacks
80260 };
80261 @@ -2978,7 +2978,7 @@ static int patch_cm9738_specific(struct
80262 return patch_build_controls(ac97, snd_ac97_cm9738_controls, ARRAY_SIZE(snd_ac97_cm9738_controls));
80263 }
80264
80265 -static struct snd_ac97_build_ops patch_cm9738_ops = {
80266 +static const struct snd_ac97_build_ops patch_cm9738_ops = {
80267 .build_specific = patch_cm9738_specific,
80268 .update_jacks = cm9738_update_jacks
80269 };
80270 @@ -3069,7 +3069,7 @@ static int patch_cm9739_post_spdif(struc
80271 return patch_build_controls(ac97, snd_ac97_cm9739_controls_spdif, ARRAY_SIZE(snd_ac97_cm9739_controls_spdif));
80272 }
80273
80274 -static struct snd_ac97_build_ops patch_cm9739_ops = {
80275 +static const struct snd_ac97_build_ops patch_cm9739_ops = {
80276 .build_specific = patch_cm9739_specific,
80277 .build_post_spdif = patch_cm9739_post_spdif,
80278 .update_jacks = cm9739_update_jacks
80279 @@ -3243,7 +3243,7 @@ static int patch_cm9761_specific(struct
80280 return patch_build_controls(ac97, snd_ac97_cm9761_controls, ARRAY_SIZE(snd_ac97_cm9761_controls));
80281 }
80282
80283 -static struct snd_ac97_build_ops patch_cm9761_ops = {
80284 +static const struct snd_ac97_build_ops patch_cm9761_ops = {
80285 .build_specific = patch_cm9761_specific,
80286 .build_post_spdif = patch_cm9761_post_spdif,
80287 .update_jacks = cm9761_update_jacks
80288 @@ -3339,7 +3339,7 @@ static int patch_cm9780_specific(struct
80289 return patch_build_controls(ac97, cm9780_controls, ARRAY_SIZE(cm9780_controls));
80290 }
80291
80292 -static struct snd_ac97_build_ops patch_cm9780_ops = {
80293 +static const struct snd_ac97_build_ops patch_cm9780_ops = {
80294 .build_specific = patch_cm9780_specific,
80295 .build_post_spdif = patch_cm9761_post_spdif /* identical with CM9761 */
80296 };
80297 @@ -3459,7 +3459,7 @@ static int patch_vt1616_specific(struct
80298 return 0;
80299 }
80300
80301 -static struct snd_ac97_build_ops patch_vt1616_ops = {
80302 +static const struct snd_ac97_build_ops patch_vt1616_ops = {
80303 .build_specific = patch_vt1616_specific
80304 };
80305
80306 @@ -3813,7 +3813,7 @@ static int patch_it2646_specific(struct
80307 return 0;
80308 }
80309
80310 -static struct snd_ac97_build_ops patch_it2646_ops = {
80311 +static const struct snd_ac97_build_ops patch_it2646_ops = {
80312 .build_specific = patch_it2646_specific,
80313 .update_jacks = it2646_update_jacks
80314 };
80315 @@ -3847,7 +3847,7 @@ static int patch_si3036_specific(struct
80316 return 0;
80317 }
80318
80319 -static struct snd_ac97_build_ops patch_si3036_ops = {
80320 +static const struct snd_ac97_build_ops patch_si3036_ops = {
80321 .build_specific = patch_si3036_specific,
80322 };
80323
80324 @@ -3914,7 +3914,7 @@ static int patch_ucb1400_specific(struct
80325 return 0;
80326 }
80327
80328 -static struct snd_ac97_build_ops patch_ucb1400_ops = {
80329 +static const struct snd_ac97_build_ops patch_ucb1400_ops = {
80330 .build_specific = patch_ucb1400_specific,
80331 };
80332
80333 diff -urNp linux-2.6.32.46/sound/pci/hda/hda_codec.h linux-2.6.32.46/sound/pci/hda/hda_codec.h
80334 --- linux-2.6.32.46/sound/pci/hda/hda_codec.h 2011-03-27 14:31:47.000000000 -0400
80335 +++ linux-2.6.32.46/sound/pci/hda/hda_codec.h 2011-08-23 21:22:32.000000000 -0400
80336 @@ -580,7 +580,7 @@ struct hda_bus_ops {
80337 /* notify power-up/down from codec to controller */
80338 void (*pm_notify)(struct hda_bus *bus);
80339 #endif
80340 -};
80341 +} __no_const;
80342
80343 /* template to pass to the bus constructor */
80344 struct hda_bus_template {
80345 @@ -675,6 +675,7 @@ struct hda_codec_ops {
80346 int (*check_power_status)(struct hda_codec *codec, hda_nid_t nid);
80347 #endif
80348 };
80349 +typedef struct hda_codec_ops __no_const hda_codec_ops_no_const;
80350
80351 /* record for amp information cache */
80352 struct hda_cache_head {
80353 @@ -705,7 +706,7 @@ struct hda_pcm_ops {
80354 struct snd_pcm_substream *substream);
80355 int (*cleanup)(struct hda_pcm_stream *info, struct hda_codec *codec,
80356 struct snd_pcm_substream *substream);
80357 -};
80358 +} __no_const;
80359
80360 /* PCM information for each substream */
80361 struct hda_pcm_stream {
80362 @@ -760,7 +761,7 @@ struct hda_codec {
80363 const char *modelname; /* model name for preset */
80364
80365 /* set by patch */
80366 - struct hda_codec_ops patch_ops;
80367 + hda_codec_ops_no_const patch_ops;
80368
80369 /* PCM to create, set by patch_ops.build_pcms callback */
80370 unsigned int num_pcms;
80371 diff -urNp linux-2.6.32.46/sound/pci/hda/patch_atihdmi.c linux-2.6.32.46/sound/pci/hda/patch_atihdmi.c
80372 --- linux-2.6.32.46/sound/pci/hda/patch_atihdmi.c 2011-03-27 14:31:47.000000000 -0400
80373 +++ linux-2.6.32.46/sound/pci/hda/patch_atihdmi.c 2011-08-05 20:33:55.000000000 -0400
80374 @@ -177,7 +177,7 @@ static int patch_atihdmi(struct hda_code
80375 */
80376 spec->multiout.dig_out_nid = CVT_NID;
80377
80378 - codec->patch_ops = atihdmi_patch_ops;
80379 + memcpy((void *)&codec->patch_ops, &atihdmi_patch_ops, sizeof(atihdmi_patch_ops));
80380
80381 return 0;
80382 }
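Review bot: The `memcpy` into `codec->patch_ops` is sized by the source object (`sizeof(atihdmi_patch_ops)`) and goes through a `(void *)` cast, so the compiler no longer checks that source and destination have the same type or size. Sizing by the destination, `memcpy((void *)&codec->patch_ops, &atihdmi_patch_ops, sizeof(codec->patch_ops));`, keeps the copy bounded by the field being written, which is how the usbaudio.c hunks in this patch do it with `sizeof(subs->ops)`. Since hda_codec.h in this same patch declares the field as `hda_codec_ops_no_const`, a plain struct assignment may compile again and would restore the type check; that depends on how the constify plugin treats the typedef, so it needs confirming. The same applies to the memcpy lines in the patch_intelhdmi.c, patch_nvhdmi.c and patch_sigmatel.c hunks. The body of patch_atihdmi starts outside this hunk.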
80383 diff -urNp linux-2.6.32.46/sound/pci/hda/patch_intelhdmi.c linux-2.6.32.46/sound/pci/hda/patch_intelhdmi.c
80384 --- linux-2.6.32.46/sound/pci/hda/patch_intelhdmi.c 2011-03-27 14:31:47.000000000 -0400
80385 +++ linux-2.6.32.46/sound/pci/hda/patch_intelhdmi.c 2011-08-05 20:33:55.000000000 -0400
80386 @@ -511,10 +511,10 @@ static void hdmi_non_intrinsic_event(str
80387 cp_ready);
80388
80389 /* TODO */
80390 - if (cp_state)
80391 - ;
80392 - if (cp_ready)
80393 - ;
80394 + if (cp_state) {
80395 + }
80396 + if (cp_ready) {
80397 + }
80398 }
80399
80400
80401 @@ -656,7 +656,7 @@ static int do_patch_intel_hdmi(struct hd
80402 spec->multiout.dig_out_nid = cvt_nid;
80403
80404 codec->spec = spec;
80405 - codec->patch_ops = intel_hdmi_patch_ops;
80406 + memcpy((void *)&codec->patch_ops, &intel_hdmi_patch_ops, sizeof(intel_hdmi_patch_ops));
80407
80408 snd_hda_eld_proc_new(codec, &spec->sink_eld);
80409
80410 diff -urNp linux-2.6.32.46/sound/pci/hda/patch_nvhdmi.c linux-2.6.32.46/sound/pci/hda/patch_nvhdmi.c
80411 --- linux-2.6.32.46/sound/pci/hda/patch_nvhdmi.c 2011-03-27 14:31:47.000000000 -0400
80412 +++ linux-2.6.32.46/sound/pci/hda/patch_nvhdmi.c 2011-08-05 20:33:55.000000000 -0400
80413 @@ -367,7 +367,7 @@ static int patch_nvhdmi_8ch(struct hda_c
80414 spec->multiout.max_channels = 8;
80415 spec->multiout.dig_out_nid = Nv_Master_Convert_nid;
80416
80417 - codec->patch_ops = nvhdmi_patch_ops_8ch;
80418 + memcpy((void *)&codec->patch_ops, &nvhdmi_patch_ops_8ch, sizeof(nvhdmi_patch_ops_8ch));
80419
80420 return 0;
80421 }
80422 @@ -386,7 +386,7 @@ static int patch_nvhdmi_2ch(struct hda_c
80423 spec->multiout.max_channels = 2;
80424 spec->multiout.dig_out_nid = Nv_Master_Convert_nid;
80425
80426 - codec->patch_ops = nvhdmi_patch_ops_2ch;
80427 + memcpy((void *)&codec->patch_ops, &nvhdmi_patch_ops_2ch, sizeof(nvhdmi_patch_ops_2ch));
80428
80429 return 0;
80430 }
80431 diff -urNp linux-2.6.32.46/sound/pci/hda/patch_sigmatel.c linux-2.6.32.46/sound/pci/hda/patch_sigmatel.c
80432 --- linux-2.6.32.46/sound/pci/hda/patch_sigmatel.c 2011-06-25 12:55:35.000000000 -0400
80433 +++ linux-2.6.32.46/sound/pci/hda/patch_sigmatel.c 2011-08-23 21:22:32.000000000 -0400
80434 @@ -5220,7 +5220,7 @@ again:
80435 snd_hda_codec_write_cache(codec, nid, 0,
80436 AC_VERB_SET_CONNECT_SEL, num_dacs);
80437
80438 - codec->patch_ops = stac92xx_patch_ops;
80439 + memcpy((void *)&codec->patch_ops, &stac92xx_patch_ops, sizeof(stac92xx_patch_ops));
80440
80441 codec->proc_widget_hook = stac92hd_proc_hook;
80442
80443 @@ -5294,7 +5294,7 @@ static int patch_stac92hd71bxx(struct hd
80444 return -ENOMEM;
80445
80446 codec->spec = spec;
80447 - codec->patch_ops = stac92xx_patch_ops;
80448 + memcpy((void *)&codec->patch_ops, &stac92xx_patch_ops, sizeof(stac92xx_patch_ops));
80449 spec->num_pins = STAC92HD71BXX_NUM_PINS;
80450 switch (codec->vendor_id) {
80451 case 0x111d76b6:
80452 diff -urNp linux-2.6.32.46/sound/pci/ice1712/ice1712.h linux-2.6.32.46/sound/pci/ice1712/ice1712.h
80453 --- linux-2.6.32.46/sound/pci/ice1712/ice1712.h 2011-03-27 14:31:47.000000000 -0400
80454 +++ linux-2.6.32.46/sound/pci/ice1712/ice1712.h 2011-08-05 20:33:55.000000000 -0400
80455 @@ -269,7 +269,7 @@ struct snd_ak4xxx_private {
80456 unsigned int mask_flags; /* total mask bits */
80457 struct snd_akm4xxx_ops {
80458 void (*set_rate_val)(struct snd_akm4xxx *ak, unsigned int rate);
80459 - } ops;
80460 + } __no_const ops;
80461 };
80462
80463 struct snd_ice1712_spdif {
80464 @@ -285,7 +285,7 @@ struct snd_ice1712_spdif {
80465 int (*default_put)(struct snd_ice1712 *, struct snd_ctl_elem_value *ucontrol);
80466 void (*stream_get)(struct snd_ice1712 *, struct snd_ctl_elem_value *ucontrol);
80467 int (*stream_put)(struct snd_ice1712 *, struct snd_ctl_elem_value *ucontrol);
80468 - } ops;
80469 + } __no_const ops;
80470 };
80471
80472
80473 diff -urNp linux-2.6.32.46/sound/pci/intel8x0m.c linux-2.6.32.46/sound/pci/intel8x0m.c
80474 --- linux-2.6.32.46/sound/pci/intel8x0m.c 2011-03-27 14:31:47.000000000 -0400
80475 +++ linux-2.6.32.46/sound/pci/intel8x0m.c 2011-04-23 12:56:12.000000000 -0400
80476 @@ -1264,7 +1264,7 @@ static struct shortname_table {
80477 { 0x5455, "ALi M5455" },
80478 { 0x746d, "AMD AMD8111" },
80479 #endif
80480 - { 0 },
80481 + { 0, },
80482 };
80483
80484 static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
80485 diff -urNp linux-2.6.32.46/sound/pci/ymfpci/ymfpci_main.c linux-2.6.32.46/sound/pci/ymfpci/ymfpci_main.c
80486 --- linux-2.6.32.46/sound/pci/ymfpci/ymfpci_main.c 2011-03-27 14:31:47.000000000 -0400
80487 +++ linux-2.6.32.46/sound/pci/ymfpci/ymfpci_main.c 2011-05-04 17:56:28.000000000 -0400
80488 @@ -202,8 +202,8 @@ static void snd_ymfpci_hw_stop(struct sn
80489 if ((snd_ymfpci_readl(chip, YDSXGR_STATUS) & 2) == 0)
80490 break;
80491 }
80492 - if (atomic_read(&chip->interrupt_sleep_count)) {
80493 - atomic_set(&chip->interrupt_sleep_count, 0);
80494 + if (atomic_read_unchecked(&chip->interrupt_sleep_count)) {
80495 + atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
80496 wake_up(&chip->interrupt_sleep);
80497 }
80498 __end:
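Review bot: The switch to `atomic_read_unchecked`/`atomic_set_unchecked` on `chip->interrupt_sleep_count` carries no comment explaining why this counter can skip overflow checking. From the visible lines it is only incremented before a sleep and reset to 0 before `wake_up`, which suggests it counts sleepers rather than object references; I would record that once, e.g. `/* sleeper count, reset on wake-up; not a refcount, so the unchecked ops are fine */`. The field's declaration is not in this chunk, so confirm it was changed to the matching unchecked atomic type. The same applies to the snd_ymfpci_irq_wait, snd_ymfpci_interrupt and snd_ymfpci_create hunks; snd_ymfpci_hw_stop starts and ends outside this hunk.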
80499 @@ -787,7 +787,7 @@ static void snd_ymfpci_irq_wait(struct s
80500 continue;
80501 init_waitqueue_entry(&wait, current);
80502 add_wait_queue(&chip->interrupt_sleep, &wait);
80503 - atomic_inc(&chip->interrupt_sleep_count);
80504 + atomic_inc_unchecked(&chip->interrupt_sleep_count);
80505 schedule_timeout_uninterruptible(msecs_to_jiffies(50));
80506 remove_wait_queue(&chip->interrupt_sleep, &wait);
80507 }
80508 @@ -825,8 +825,8 @@ static irqreturn_t snd_ymfpci_interrupt(
80509 snd_ymfpci_writel(chip, YDSXGR_MODE, mode);
80510 spin_unlock(&chip->reg_lock);
80511
80512 - if (atomic_read(&chip->interrupt_sleep_count)) {
80513 - atomic_set(&chip->interrupt_sleep_count, 0);
80514 + if (atomic_read_unchecked(&chip->interrupt_sleep_count)) {
80515 + atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
80516 wake_up(&chip->interrupt_sleep);
80517 }
80518 }
80519 @@ -2369,7 +2369,7 @@ int __devinit snd_ymfpci_create(struct s
80520 spin_lock_init(&chip->reg_lock);
80521 spin_lock_init(&chip->voice_lock);
80522 init_waitqueue_head(&chip->interrupt_sleep);
80523 - atomic_set(&chip->interrupt_sleep_count, 0);
80524 + atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
80525 chip->card = card;
80526 chip->pci = pci;
80527 chip->irq = -1;
80528 diff -urNp linux-2.6.32.46/sound/soc/soc-core.c linux-2.6.32.46/sound/soc/soc-core.c
80529 --- linux-2.6.32.46/sound/soc/soc-core.c 2011-03-27 14:31:47.000000000 -0400
80530 +++ linux-2.6.32.46/sound/soc/soc-core.c 2011-08-23 21:22:32.000000000 -0400
80531 @@ -609,7 +609,7 @@ static int soc_pcm_trigger(struct snd_pc
80532 }
80533
80534 /* ASoC PCM operations */
80535 -static struct snd_pcm_ops soc_pcm_ops = {
80536 +static snd_pcm_ops_no_const soc_pcm_ops = {
80537 .open = soc_pcm_open,
80538 .close = soc_codec_close,
80539 .hw_params = soc_pcm_hw_params,
80540 diff -urNp linux-2.6.32.46/sound/usb/usbaudio.c linux-2.6.32.46/sound/usb/usbaudio.c
80541 --- linux-2.6.32.46/sound/usb/usbaudio.c 2011-03-27 14:31:47.000000000 -0400
80542 +++ linux-2.6.32.46/sound/usb/usbaudio.c 2011-08-05 20:33:55.000000000 -0400
80543 @@ -963,12 +963,12 @@ static int snd_usb_pcm_playback_trigger(
80544 switch (cmd) {
80545 case SNDRV_PCM_TRIGGER_START:
80546 case SNDRV_PCM_TRIGGER_PAUSE_RELEASE:
80547 - subs->ops.prepare = prepare_playback_urb;
80548 + *(void **)&subs->ops.prepare = prepare_playback_urb;
80549 return 0;
80550 case SNDRV_PCM_TRIGGER_STOP:
80551 return deactivate_urbs(subs, 0, 0);
80552 case SNDRV_PCM_TRIGGER_PAUSE_PUSH:
80553 - subs->ops.prepare = prepare_nodata_playback_urb;
80554 + *(void **)&subs->ops.prepare = prepare_nodata_playback_urb;
80555 return 0;
80556 default:
80557 return -EINVAL;
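Review bot: The `*(void **)&subs->ops.prepare = prepare_playback_urb;` form stores the callback through a `void **` cast, so the compiler no longer checks that the function matches the member's prototype, and a handler with the wrong signature would be accepted silently. Elsewhere this patch handles ops that are assigned at run time by tagging the struct, e.g. `} __no_const ops;` in ice1712.h. Doing the same for the type of `subs->ops` would let the original `subs->ops.prepare = prepare_playback_urb;` stay and keep the type check. The same cast appears in the snd_usb_pcm_capture_trigger, snd_usb_pcm_prepare and init_substream hunks. The enclosing function starts and ends outside this hunk.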
80558 @@ -985,15 +985,15 @@ static int snd_usb_pcm_capture_trigger(s
80559
80560 switch (cmd) {
80561 case SNDRV_PCM_TRIGGER_START:
80562 - subs->ops.retire = retire_capture_urb;
80563 + *(void **)&subs->ops.retire = retire_capture_urb;
80564 return start_urbs(subs, substream->runtime);
80565 case SNDRV_PCM_TRIGGER_STOP:
80566 return deactivate_urbs(subs, 0, 0);
80567 case SNDRV_PCM_TRIGGER_PAUSE_PUSH:
80568 - subs->ops.retire = retire_paused_capture_urb;
80569 + *(void **)&subs->ops.retire = retire_paused_capture_urb;
80570 return 0;
80571 case SNDRV_PCM_TRIGGER_PAUSE_RELEASE:
80572 - subs->ops.retire = retire_capture_urb;
80573 + *(void **)&subs->ops.retire = retire_capture_urb;
80574 return 0;
80575 default:
80576 return -EINVAL;
80577 @@ -1542,7 +1542,7 @@ static int snd_usb_pcm_prepare(struct sn
80578 /* for playback, submit the URBs now; otherwise, the first hwptr_done
80579 * updates for all URBs would happen at the same time when starting */
80580 if (subs->direction == SNDRV_PCM_STREAM_PLAYBACK) {
80581 - subs->ops.prepare = prepare_nodata_playback_urb;
80582 + *(void **)&subs->ops.prepare = prepare_nodata_playback_urb;
80583 return start_urbs(subs, runtime);
80584 } else
80585 return 0;
80586 @@ -2228,14 +2228,14 @@ static void init_substream(struct snd_us
80587 subs->direction = stream;
80588 subs->dev = as->chip->dev;
80589 if (snd_usb_get_speed(subs->dev) == USB_SPEED_FULL) {
80590 - subs->ops = audio_urb_ops[stream];
80591 + memcpy((void *)&subs->ops, &audio_urb_ops[stream], sizeof(subs->ops));
80592 } else {
80593 - subs->ops = audio_urb_ops_high_speed[stream];
80594 + memcpy((void *)&subs->ops, &audio_urb_ops_high_speed[stream], sizeof(subs->ops));
80595 switch (as->chip->usb_id) {
80596 case USB_ID(0x041e, 0x3f02): /* E-Mu 0202 USB */
80597 case USB_ID(0x041e, 0x3f04): /* E-Mu 0404 USB */
80598 case USB_ID(0x041e, 0x3f0a): /* E-Mu Tracker Pre */
80599 - subs->ops.retire_sync = retire_playback_sync_urb_hs_emu;
80600 + *(void **)&subs->ops.retire_sync = retire_playback_sync_urb_hs_emu;
80601 break;
80602 }
80603 }
80604 diff -urNp linux-2.6.32.46/tools/gcc/checker_plugin.c linux-2.6.32.46/tools/gcc/checker_plugin.c
80605 --- linux-2.6.32.46/tools/gcc/checker_plugin.c 1969-12-31 19:00:00.000000000 -0500
80606 +++ linux-2.6.32.46/tools/gcc/checker_plugin.c 2011-10-06 09:37:16.000000000 -0400
80607 @@ -0,0 +1,169 @@
80608 +/*
80609 + * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
80610 + * Licensed under the GPL v2
80611 + *
80612 + * Note: the choice of the license means that the compilation process is
80613 + * NOT 'eligible' as defined by gcc's library exception to the GPL v3,
80614 + * but for the kernel it doesn't matter since it doesn't link against
80615 + * any of the gcc libraries
80616 + *
80617 + * gcc plugin to implement various sparse (source code checker) features
80618 + *
80619 + * TODO:
80620 + * - define separate __iomem, __percpu and __rcu address spaces (lots of code to patch)
80621 + *
80622 + * BUGS:
80623 + * - none known
80624 + */
80625 +#include "gcc-plugin.h"
80626 +#include "config.h"
80627 +#include "system.h"
80628 +#include "coretypes.h"
80629 +#include "tree.h"
80630 +#include "tree-pass.h"
80631 +#include "intl.h"
80632 +#include "plugin-version.h"
80633 +#include "tm.h"
80634 +#include "toplev.h"
80635 +#include "basic-block.h"
80636 +#include "gimple.h"
80637 +//#include "expr.h" where are you...
80638 +#include "diagnostic.h"
80639 +#include "rtl.h"
80640 +#include "emit-rtl.h"
80641 +#include "function.h"
80642 +#include "tree-flow.h"
80643 +#include "target.h"
80644 +
80645 +extern void c_register_addr_space (const char *str, addr_space_t as);
80646 +extern enum machine_mode default_addr_space_pointer_mode (addr_space_t);
80647 +extern enum machine_mode default_addr_space_address_mode (addr_space_t);
80648 +extern bool default_addr_space_valid_pointer_mode(enum machine_mode mode, addr_space_t as);
80649 +extern bool default_addr_space_legitimate_address_p(enum machine_mode mode, rtx mem, bool strict, addr_space_t as);
80650 +extern rtx default_addr_space_legitimize_address(rtx x, rtx oldx, enum machine_mode mode, addr_space_t as);
80651 +
80652 +extern void print_gimple_stmt(FILE *, gimple, int, int);
80653 +extern rtx emit_move_insn(rtx x, rtx y);
80654 +
80655 +int plugin_is_GPL_compatible;
80656 +
80657 +static struct plugin_info checker_plugin_info = {
80658 + .version = "201110031940",
80659 +};
80660 +
80661 +#define ADDR_SPACE_KERNEL 0
80662 +#define ADDR_SPACE_FORCE_KERNEL 1
80663 +#define ADDR_SPACE_USER 2
80664 +#define ADDR_SPACE_FORCE_USER 3
80665 +#define ADDR_SPACE_IOMEM 0
80666 +#define ADDR_SPACE_FORCE_IOMEM 0
80667 +#define ADDR_SPACE_PERCPU 0
80668 +#define ADDR_SPACE_FORCE_PERCPU 0
80669 +#define ADDR_SPACE_RCU 0
80670 +#define ADDR_SPACE_FORCE_RCU 0
80671 +
80672 +static enum machine_mode checker_addr_space_pointer_mode(addr_space_t addrspace)
80673 +{
80674 + return default_addr_space_pointer_mode(ADDR_SPACE_GENERIC);
80675 +}
80676 +
80677 +static enum machine_mode checker_addr_space_address_mode(addr_space_t addrspace)
80678 +{
80679 + return default_addr_space_address_mode(ADDR_SPACE_GENERIC);
80680 +}
80681 +
80682 +static bool checker_addr_space_valid_pointer_mode(enum machine_mode mode, addr_space_t as)
80683 +{
80684 + return default_addr_space_valid_pointer_mode(mode, as);
80685 +}
80686 +
80687 +static bool checker_addr_space_legitimate_address_p(enum machine_mode mode, rtx mem, bool strict, addr_space_t as)
80688 +{
80689 + return default_addr_space_legitimate_address_p(mode, mem, strict, ADDR_SPACE_GENERIC);
80690 +}
80691 +
80692 +static rtx checker_addr_space_legitimize_address(rtx x, rtx oldx, enum machine_mode mode, addr_space_t as)
80693 +{
80694 + return default_addr_space_legitimize_address(x, oldx, mode, as);
80695 +}
80696 +
80697 +static bool checker_addr_space_subset_p(addr_space_t subset, addr_space_t superset)
80698 +{
80699 + if (subset == ADDR_SPACE_FORCE_KERNEL && superset == ADDR_SPACE_KERNEL)
80700 + return true;
80701 +
80702 + if (subset == ADDR_SPACE_FORCE_USER && superset == ADDR_SPACE_USER)
80703 + return true;
80704 +
80705 + if (subset == ADDR_SPACE_FORCE_IOMEM && superset == ADDR_SPACE_IOMEM)
80706 + return true;
80707 +
80708 + if (subset == ADDR_SPACE_KERNEL && superset == ADDR_SPACE_FORCE_USER)
80709 + return true;
80710 +
80711 + if (subset == ADDR_SPACE_KERNEL && superset == ADDR_SPACE_FORCE_IOMEM)
80712 + return true;
80713 +
80714 + if (subset == ADDR_SPACE_USER && superset == ADDR_SPACE_FORCE_KERNEL)
80715 + return true;
80716 +
80717 + if (subset == ADDR_SPACE_IOMEM && superset == ADDR_SPACE_FORCE_KERNEL)
80718 + return true;
80719 +
80720 + return subset == superset;
80721 +}
80722 +
80723 +static rtx checker_addr_space_convert(rtx op, tree from_type, tree to_type)
80724 +{
80725 +// addr_space_t from_as = TYPE_ADDR_SPACE(TREE_TYPE(from_type));
80726 +// addr_space_t to_as = TYPE_ADDR_SPACE(TREE_TYPE(to_type));
80727 +
80728 + return op;
80729 +}
80730 +
80731 +static void register_checker_address_spaces(void *event_data, void *data)
80732 +{
80733 + c_register_addr_space("__kernel", ADDR_SPACE_KERNEL);
80734 + c_register_addr_space("__force_kernel", ADDR_SPACE_FORCE_KERNEL);
80735 + c_register_addr_space("__user", ADDR_SPACE_USER);
80736 + c_register_addr_space("__force_user", ADDR_SPACE_FORCE_USER);
80737 +// c_register_addr_space("__iomem", ADDR_SPACE_IOMEM);
80738 +// c_register_addr_space("__force_iomem", ADDR_SPACE_FORCE_IOMEM);
80739 +// c_register_addr_space("__percpu", ADDR_SPACE_PERCPU);
80740 +// c_register_addr_space("__force_percpu", ADDR_SPACE_FORCE_PERCPU);
80741 +// c_register_addr_space("__rcu", ADDR_SPACE_RCU);
80742 +// c_register_addr_space("__force_rcu", ADDR_SPACE_FORCE_RCU);
80743 +
80744 + targetm.addr_space.pointer_mode = checker_addr_space_pointer_mode;
80745 + targetm.addr_space.address_mode = checker_addr_space_address_mode;
80746 + targetm.addr_space.valid_pointer_mode = checker_addr_space_valid_pointer_mode;
80747 + targetm.addr_space.legitimate_address_p = checker_addr_space_legitimate_address_p;
80748 +// targetm.addr_space.legitimize_address = checker_addr_space_legitimize_address;
80749 + targetm.addr_space.subset_p = checker_addr_space_subset_p;
80750 + targetm.addr_space.convert = checker_addr_space_convert;
80751 +}
80752 +
80753 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
80754 +{
80755 + const char * const plugin_name = plugin_info->base_name;
80756 + const int argc = plugin_info->argc;
80757 + const struct plugin_argument * const argv = plugin_info->argv;
80758 + int i;
80759 +
80760 + if (!plugin_default_version_check(version, &gcc_version)) {
80761 + error(G_("incompatible gcc/plugin versions"));
80762 + return 1;
80763 + }
80764 +
80765 + register_callback(plugin_name, PLUGIN_INFO, NULL, &checker_plugin_info);
80766 +
80767 + for (i = 0; i < argc; ++i)
80768 + error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
80769 +
80770 + if (TARGET_64BIT == 0)
80771 + return 0;
80772 +
80773 + register_callback (plugin_name, PLUGIN_PRAGMAS, register_checker_address_spaces, NULL);
80774 +
80775 + return 0;
80776 +}
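Review bot: In `checker_addr_space_subset_p` the iomem rules do not mean what they say, because `ADDR_SPACE_IOMEM` and `ADDR_SPACE_FORCE_IOMEM` are both defined as 0, the same value as `ADDR_SPACE_KERNEL`. The test `subset == ADDR_SPACE_IOMEM && superset == ADDR_SPACE_FORCE_KERNEL` therefore makes `__kernel` a subset of `__force_kernel`, a rule the function never states, and the other two iomem tests reduce to the final `subset == superset`. Until the separate address spaces listed under TODO exist, I would remove those three tests or put them under `#if 0` with `/* enable once __iomem has its own address space number */`. Separately, the option error string spells "unkown"; it should read `"unknown option '-fplugin-arg-%s-%s'"`.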
80777 diff -urNp linux-2.6.32.46/tools/gcc/constify_plugin.c linux-2.6.32.46/tools/gcc/constify_plugin.c
80778 --- linux-2.6.32.46/tools/gcc/constify_plugin.c 1969-12-31 19:00:00.000000000 -0500
80779 +++ linux-2.6.32.46/tools/gcc/constify_plugin.c 2011-08-30 18:19:52.000000000 -0400
80780 @@ -0,0 +1,293 @@
80781 +/*
80782 + * Copyright 2011 by Emese Revfy <re.emese@gmail.com>
80783 + * Copyright 2011 by PaX Team <pageexec@freemail.hu>
80784 + * Licensed under the GPL v2, or (at your option) v3
80785 + *
80786 + * This gcc plugin constifies all structures which contain only function pointers or are explicitly marked for constification.
80787 + *
80788 + * Homepage:
80789 + * http://www.grsecurity.net/~ephox/const_plugin/
80790 + *
80791 + * Usage:
80792 + * $ gcc -I`gcc -print-file-name=plugin`/include -fPIC -shared -O2 -o constify_plugin.so constify_plugin.c
80793 + * $ gcc -fplugin=constify_plugin.so test.c -O2
80794 + */
80795 +
80796 +#include "gcc-plugin.h"
80797 +#include "config.h"
80798 +#include "system.h"
80799 +#include "coretypes.h"
80800 +#include "tree.h"
80801 +#include "tree-pass.h"
80802 +#include "intl.h"
80803 +#include "plugin-version.h"
80804 +#include "tm.h"
80805 +#include "toplev.h"
80806 +#include "function.h"
80807 +#include "tree-flow.h"
80808 +#include "plugin.h"
80809 +#include "diagnostic.h"
80810 +//#include "c-tree.h"
80811 +
80812 +#define C_TYPE_FIELDS_READONLY(TYPE) TREE_LANG_FLAG_1(TYPE)
80813 +
80814 +int plugin_is_GPL_compatible;
80815 +
80816 +static struct plugin_info const_plugin_info = {
80817 + .version = "20110826",
80818 + .help = "no-constify\tturn off constification\n",
80819 +};
80820 +
80821 +static void constify_type(tree type);
80822 +static bool walk_struct(tree node);
80823 +
80824 +static tree deconstify_type(tree old_type)
80825 +{
80826 + tree new_type, field;
80827 +
80828 + new_type = build_qualified_type(old_type, TYPE_QUALS(old_type) & ~TYPE_QUAL_CONST);
80829 + TYPE_FIELDS(new_type) = copy_list(TYPE_FIELDS(new_type));
80830 + for (field = TYPE_FIELDS(new_type); field; field = TREE_CHAIN(field))
80831 + DECL_FIELD_CONTEXT(field) = new_type;
80832 + TYPE_READONLY(new_type) = 0;
80833 + C_TYPE_FIELDS_READONLY(new_type) = 0;
80834 + return new_type;
80835 +}
80836 +
80837 +static tree handle_no_const_attribute(tree *node, tree name, tree args, int flags, bool *no_add_attrs)
80838 +{
80839 + tree type;
80840 +
80841 + *no_add_attrs = true;
80842 + if (TREE_CODE(*node) == FUNCTION_DECL) {
80843 + error("%qE attribute does not apply to functions", name);
80844 + return NULL_TREE;
80845 + }
80846 +
80847 + if (TREE_CODE(*node) == VAR_DECL) {
80848 + error("%qE attribute does not apply to variables", name);
80849 + return NULL_TREE;
80850 + }
80851 +
80852 + if (TYPE_P(*node)) {
80853 + if (TREE_CODE(*node) == RECORD_TYPE || TREE_CODE(*node) == UNION_TYPE)
80854 + *no_add_attrs = false;
80855 + else
80856 + error("%qE attribute applies to struct and union types only", name);
80857 + return NULL_TREE;
80858 + }
80859 +
80860 + type = TREE_TYPE(*node);
80861 +
80862 + if (TREE_CODE(type) != RECORD_TYPE && TREE_CODE(type) != UNION_TYPE) {
80863 + error("%qE attribute applies to struct and union types only", name);
80864 + return NULL_TREE;
80865 + }
80866 +
80867 + if (lookup_attribute(IDENTIFIER_POINTER(name), TYPE_ATTRIBUTES(type))) {
80868 + error("%qE attribute is already applied to the type", name);
80869 + return NULL_TREE;
80870 + }
80871 +
80872 + if (TREE_CODE(*node) == TYPE_DECL && !TYPE_READONLY(type)) {
80873 + error("%qE attribute used on type that is not constified", name);
80874 + return NULL_TREE;
80875 + }
80876 +
80877 + if (TREE_CODE(*node) == TYPE_DECL) {
80878 + TREE_TYPE(*node) = deconstify_type(type);
80879 + TREE_READONLY(*node) = 0;
80880 + return NULL_TREE;
80881 + }
80882 +
80883 + return NULL_TREE;
80884 +}
80885 +
80886 +static tree handle_do_const_attribute(tree *node, tree name, tree args, int flags, bool *no_add_attrs)
80887 +{
80888 + *no_add_attrs = true;
80889 + if (!TYPE_P(*node)) {
80890 + error("%qE attribute applies to types only", name);
80891 + return NULL_TREE;
80892 + }
80893 +
80894 + if (TREE_CODE(*node) != RECORD_TYPE && TREE_CODE(*node) != UNION_TYPE) {
80895 + error("%qE attribute applies to struct and union types only", name);
80896 + return NULL_TREE;
80897 + }
80898 +
80899 + *no_add_attrs = false;
80900 + constify_type(*node);
80901 + return NULL_TREE;
80902 +}
80903 +
80904 +static struct attribute_spec no_const_attr = {
80905 + .name = "no_const",
80906 + .min_length = 0,
80907 + .max_length = 0,
80908 + .decl_required = false,
80909 + .type_required = false,
80910 + .function_type_required = false,
80911 + .handler = handle_no_const_attribute
80912 +};
80913 +
80914 +static struct attribute_spec do_const_attr = {
80915 + .name = "do_const",
80916 + .min_length = 0,
80917 + .max_length = 0,
80918 + .decl_required = false,
80919 + .type_required = false,
80920 + .function_type_required = false,
80921 + .handler = handle_do_const_attribute
80922 +};
80923 +
80924 +static void register_attributes(void *event_data, void *data)
80925 +{
80926 + register_attribute(&no_const_attr);
80927 + register_attribute(&do_const_attr);
80928 +}
80929 +
80930 +static void constify_type(tree type)
80931 +{
80932 + TYPE_READONLY(type) = 1;
80933 + C_TYPE_FIELDS_READONLY(type) = 1;
80934 +}
80935 +
80936 +static bool is_fptr(tree field)
80937 +{
80938 + tree ptr = TREE_TYPE(field);
80939 +
80940 + if (TREE_CODE(ptr) != POINTER_TYPE)
80941 + return false;
80942 +
80943 + return TREE_CODE(TREE_TYPE(ptr)) == FUNCTION_TYPE;
80944 +}
80945 +
80946 +static bool walk_struct(tree node)
80947 +{
80948 + tree field;
80949 +
80950 + if (lookup_attribute("no_const", TYPE_ATTRIBUTES(node)))
80951 + return false;
80952 +
80953 + if (TYPE_FIELDS(node) == NULL_TREE)
80954 + return false;
80955 +
80956 + for (field = TYPE_FIELDS(node); field; field = TREE_CHAIN(field)) {
80957 + tree type = TREE_TYPE(field);
80958 + enum tree_code code = TREE_CODE(type);
80959 + if (code == RECORD_TYPE || code == UNION_TYPE) {
80960 + if (!(walk_struct(type)))
80961 + return false;
80962 + } else if (!is_fptr(field) && !TREE_READONLY(field))
80963 + return false;
80964 + }
80965 + return true;
80966 +}
80967 +
80968 +static void finish_type(void *event_data, void *data)
80969 +{
80970 + tree type = (tree)event_data;
80971 +
80972 + if (type == NULL_TREE)
80973 + return;
80974 +
80975 + if (TYPE_READONLY(type))
80976 + return;
80977 +
80978 + if (walk_struct(type))
80979 + constify_type(type);
80980 +}
80981 +
80982 +static unsigned int check_local_variables(void);
80983 +
80984 +struct gimple_opt_pass pass_local_variable = {
80985 + {
80986 + .type = GIMPLE_PASS,
80987 + .name = "check_local_variables",
80988 + .gate = NULL,
80989 + .execute = check_local_variables,
80990 + .sub = NULL,
80991 + .next = NULL,
80992 + .static_pass_number = 0,
80993 + .tv_id = TV_NONE,
80994 + .properties_required = 0,
80995 + .properties_provided = 0,
80996 + .properties_destroyed = 0,
80997 + .todo_flags_start = 0,
80998 + .todo_flags_finish = 0
80999 + }
81000 +};
81001 +
81002 +static unsigned int check_local_variables(void)
81003 +{
81004 + tree var;
81005 + referenced_var_iterator rvi;
81006 +
81007 +#if __GNUC__ == 4 && __GNUC_MINOR__ == 5
81008 + FOR_EACH_REFERENCED_VAR(var, rvi) {
81009 +#else
81010 + FOR_EACH_REFERENCED_VAR(cfun, var, rvi) {
81011 +#endif
81012 + tree type = TREE_TYPE(var);
81013 +
81014 + if (!DECL_P(var) || TREE_STATIC(var) || DECL_EXTERNAL(var))
81015 + continue;
81016 +
81017 + if (TREE_CODE(type) != RECORD_TYPE && TREE_CODE(type) != UNION_TYPE)
81018 + continue;
81019 +
81020 + if (!TYPE_READONLY(type))
81021 + continue;
81022 +
81023 +// if (lookup_attribute("no_const", DECL_ATTRIBUTES(var)))
81024 +// continue;
81025 +
81026 +// if (lookup_attribute("no_const", TYPE_ATTRIBUTES(type)))
81027 +// continue;
81028 +
81029 + if (walk_struct(type)) {
81030 + error("constified variable %qE cannot be local", var);
81031 + return 1;
81032 + }
81033 + }
81034 + return 0;
81035 +}
81036 +
81037 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
81038 +{
81039 + const char * const plugin_name = plugin_info->base_name;
81040 + const int argc = plugin_info->argc;
81041 + const struct plugin_argument * const argv = plugin_info->argv;
81042 + int i;
81043 + bool constify = true;
81044 +
81045 + struct register_pass_info local_variable_pass_info = {
81046 + .pass = &pass_local_variable.pass,
81047 + .reference_pass_name = "*referenced_vars",
81048 + .ref_pass_instance_number = 0,
81049 + .pos_op = PASS_POS_INSERT_AFTER
81050 + };
81051 +
81052 + if (!plugin_default_version_check(version, &gcc_version)) {
81053 + error(G_("incompatible gcc/plugin versions"));
81054 + return 1;
81055 + }
81056 +
81057 + for (i = 0; i < argc; ++i) {
81058 + if (!(strcmp(argv[i].key, "no-constify"))) {
81059 + constify = false;
81060 + continue;
81061 + }
81062 + error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
81063 + }
81064 +
81065 + register_callback(plugin_name, PLUGIN_INFO, NULL, &const_plugin_info);
81066 + if (constify) {
81067 + register_callback(plugin_name, PLUGIN_FINISH_TYPE, finish_type, NULL);
81068 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &local_variable_pass_info);
81069 + }
81070 + register_callback(plugin_name, PLUGIN_ATTRIBUTES, register_attributes, NULL);
81071 +
81072 + return 0;
81073 +}
81074 diff -urNp linux-2.6.32.46/tools/gcc/kallocstat_plugin.c linux-2.6.32.46/tools/gcc/kallocstat_plugin.c
81075 --- linux-2.6.32.46/tools/gcc/kallocstat_plugin.c 1969-12-31 19:00:00.000000000 -0500
81076 +++ linux-2.6.32.46/tools/gcc/kallocstat_plugin.c 2011-10-06 09:37:16.000000000 -0400
81077 @@ -0,0 +1,165 @@
81078 +/*
81079 + * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
81080 + * Licensed under the GPL v2
81081 + *
81082 + * Note: the choice of the license means that the compilation process is
81083 + * NOT 'eligible' as defined by gcc's library exception to the GPL v3,
81084 + * but for the kernel it doesn't matter since it doesn't link against
81085 + * any of the gcc libraries
81086 + *
81087 + * gcc plugin to find the distribution of k*alloc sizes
81088 + *
81089 + * TODO:
81090 + *
81091 + * BUGS:
81092 + * - none known
81093 + */
81094 +#include "gcc-plugin.h"
81095 +#include "config.h"
81096 +#include "system.h"
81097 +#include "coretypes.h"
81098 +#include "tree.h"
81099 +#include "tree-pass.h"
81100 +#include "intl.h"
81101 +#include "plugin-version.h"
81102 +#include "tm.h"
81103 +#include "toplev.h"
81104 +#include "basic-block.h"
81105 +#include "gimple.h"
81106 +//#include "expr.h" where are you...
81107 +#include "diagnostic.h"
81108 +#include "rtl.h"
81109 +#include "emit-rtl.h"
81110 +#include "function.h"
81111 +
81112 +extern void print_gimple_stmt(FILE *, gimple, int, int);
81113 +
81114 +int plugin_is_GPL_compatible;
81115 +
81116 +static const char * const kalloc_functions[] = {
81117 + "__kmalloc",
81118 + "kmalloc",
81119 + "kmalloc_large",
81120 + "kmalloc_node",
81121 + "kmalloc_order",
81122 + "kmalloc_order_trace",
81123 + "kmalloc_slab",
81124 + "kzalloc",
81125 + "kzalloc_node",
81126 +};
81127 +
81128 +static struct plugin_info kallocstat_plugin_info = {
81129 + .version = "201109121100",
81130 +};
81131 +
81132 +static unsigned int execute_kallocstat(void);
81133 +
81134 +static struct gimple_opt_pass kallocstat_pass = {
81135 + .pass = {
81136 + .type = GIMPLE_PASS,
81137 + .name = "kallocstat",
81138 + .gate = NULL,
81139 + .execute = execute_kallocstat,
81140 + .sub = NULL,
81141 + .next = NULL,
81142 + .static_pass_number = 0,
81143 + .tv_id = TV_NONE,
81144 + .properties_required = 0,
81145 + .properties_provided = 0,
81146 + .properties_destroyed = 0,
81147 + .todo_flags_start = 0,
81148 + .todo_flags_finish = 0
81149 + }
81150 +};
81151 +
81152 +static bool is_kalloc(const char *fnname)
81153 +{
81154 + size_t i;
81155 +
81156 + for (i = 0; i < ARRAY_SIZE(kalloc_functions); i++)
81157 + if (!strcmp(fnname, kalloc_functions[i]))
81158 + return true;
81159 + return false;
81160 +}
81161 +
81162 +static unsigned int execute_kallocstat(void)
81163 +{
81164 + basic_block bb;
81165 +
81166 + // 1. loop through BBs and GIMPLE statements
81167 + FOR_EACH_BB(bb) {
81168 + gimple_stmt_iterator gsi;
81169 + for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
81170 + // gimple match:
81171 + tree fndecl, size;
81172 + gimple call_stmt;
81173 + const char *fnname;
81174 +
81175 + // is it a call
81176 + call_stmt = gsi_stmt(gsi);
81177 + if (!is_gimple_call(call_stmt))
81178 + continue;
81179 + fndecl = gimple_call_fndecl(call_stmt);
81180 + if (fndecl == NULL_TREE)
81181 + continue;
81182 + if (TREE_CODE(fndecl) != FUNCTION_DECL)
81183 + continue;
81184 +
81185 + // is it a call to k*alloc
81186 + fnname = IDENTIFIER_POINTER(DECL_NAME(fndecl));
81187 + if (!is_kalloc(fnname))
81188 + continue;
81189 +
81190 + // is the size arg the result of a simple const assignment
81191 + size = gimple_call_arg(call_stmt, 0);
81192 + while (true) {
81193 + gimple def_stmt;
81194 + expanded_location xloc;
81195 + size_t size_val;
81196 +
81197 + if (TREE_CODE(size) != SSA_NAME)
81198 + break;
81199 + def_stmt = SSA_NAME_DEF_STMT(size);
81200 + if (!def_stmt || !is_gimple_assign(def_stmt))
81201 + break;
81202 + if (gimple_num_ops(def_stmt) != 2)
81203 + break;
81204 + size = gimple_assign_rhs1(def_stmt);
81205 + if (!TREE_CONSTANT(size))
81206 + continue;
81207 + xloc = expand_location(gimple_location(def_stmt));
81208 + if (!xloc.file)
81209 + xloc = expand_location(DECL_SOURCE_LOCATION(current_function_decl));
81210 + size_val = TREE_INT_CST_LOW(size);
81211 + fprintf(stderr, "kallocsize: %8zu %8zx %s %s:%u\n", size_val, size_val, fnname, xloc.file, xloc.line);
81212 + break;
81213 + }
81214 +//print_gimple_stmt(stderr, call_stmt, 0, TDF_LINENO);
81215 +//debug_tree(gimple_call_fn(call_stmt));
81216 +//print_node(stderr, "pax", fndecl, 4);
81217 + }
81218 + }
81219 +
81220 + return 0;
81221 +}
81222 +
81223 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
81224 +{
81225 + const char * const plugin_name = plugin_info->base_name;
81226 + struct register_pass_info kallocstat_pass_info = {
81227 + .pass = &kallocstat_pass.pass,
81228 + .reference_pass_name = "ssa",
81229 + .ref_pass_instance_number = 0,
81230 + .pos_op = PASS_POS_INSERT_AFTER
81231 + };
81232 +
81233 + if (!plugin_default_version_check(version, &gcc_version)) {
81234 + error(G_("incompatible gcc/plugin versions"));
81235 + return 1;
81236 + }
81237 +
81238 + register_callback(plugin_name, PLUGIN_INFO, NULL, &kallocstat_plugin_info);
81239 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &kallocstat_pass_info);
81240 +
81241 + return 0;
81242 +}
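Review bot: In `execute_kallocstat`, `TREE_INT_CST_LOW(size)` is reached after only a `TREE_CONSTANT(size)` test, and that flag is also set on constants that are not INTEGER_CSTs (an address constant behind a cast, for example), so the printed size can be meaningless or trip a tree check in a checking-enabled gcc. Test the node kind instead: `if (TREE_CODE(size) != INTEGER_CST) continue;`. The same loop breaks out without printing when the argument is not an SSA_NAME, so a size written as a literal in the call itself appears to go unreported; if that is intended, a comment above `while (true)` should say so. `xloc.file` may still be NULL after the `DECL_SOURCE_LOCATION` fallback and is then passed to `%s`.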
81243 diff -urNp linux-2.6.32.46/tools/gcc/kernexec_plugin.c linux-2.6.32.46/tools/gcc/kernexec_plugin.c
81244 --- linux-2.6.32.46/tools/gcc/kernexec_plugin.c 1969-12-31 19:00:00.000000000 -0500
81245 +++ linux-2.6.32.46/tools/gcc/kernexec_plugin.c 2011-10-06 09:37:16.000000000 -0400
81246 @@ -0,0 +1,273 @@
81247 +/*
81248 + * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
81249 + * Licensed under the GPL v2
81250 + *
81251 + * Note: the choice of the license means that the compilation process is
81252 + * NOT 'eligible' as defined by gcc's library exception to the GPL v3,
81253 + * but for the kernel it doesn't matter since it doesn't link against
81254 + * any of the gcc libraries
81255 + *
81256 + * gcc plugin to make KERNEXEC/amd64 almost as good as it is on i386
81257 + *
81258 + * TODO:
81259 + *
81260 + * BUGS:
81261 + * - none known
81262 + */
81263 +#include "gcc-plugin.h"
81264 +#include "config.h"
81265 +#include "system.h"
81266 +#include "coretypes.h"
81267 +#include "tree.h"
81268 +#include "tree-pass.h"
81269 +#include "intl.h"
81270 +#include "plugin-version.h"
81271 +#include "tm.h"
81272 +#include "toplev.h"
81273 +#include "basic-block.h"
81274 +#include "gimple.h"
81275 +//#include "expr.h" where are you...
81276 +#include "diagnostic.h"
81277 +#include "rtl.h"
81278 +#include "emit-rtl.h"
81279 +#include "function.h"
81280 +#include "tree-flow.h"
81281 +
81282 +extern void print_gimple_stmt(FILE *, gimple, int, int);
81283 +extern rtx emit_move_insn(rtx x, rtx y);
81284 +
81285 +int plugin_is_GPL_compatible;
81286 +
81287 +static struct plugin_info kernexec_plugin_info = {
81288 + .version = "201110032145",
81289 +};
81290 +
81291 +static unsigned int execute_kernexec_fptr(void);
81292 +static unsigned int execute_kernexec_retaddr(void);
81293 +static bool kernexec_cmodel_check(void);
81294 +
81295 +static struct gimple_opt_pass kernexec_fptr_pass = {
81296 + .pass = {
81297 + .type = GIMPLE_PASS,
81298 + .name = "kernexec_fptr",
81299 + .gate = kernexec_cmodel_check,
81300 + .execute = execute_kernexec_fptr,
81301 + .sub = NULL,
81302 + .next = NULL,
81303 + .static_pass_number = 0,
81304 + .tv_id = TV_NONE,
81305 + .properties_required = 0,
81306 + .properties_provided = 0,
81307 + .properties_destroyed = 0,
81308 + .todo_flags_start = 0,
81309 + .todo_flags_finish = TODO_verify_ssa | TODO_verify_stmts | TODO_dump_func | TODO_remove_unused_locals | TODO_update_ssa_no_phi
81310 + }
81311 +};
81312 +
81313 +static struct rtl_opt_pass kernexec_retaddr_pass = {
81314 + .pass = {
81315 + .type = RTL_PASS,
81316 + .name = "kernexec_retaddr",
81317 + .gate = kernexec_cmodel_check,
81318 + .execute = execute_kernexec_retaddr,
81319 + .sub = NULL,
81320 + .next = NULL,
81321 + .static_pass_number = 0,
81322 + .tv_id = TV_NONE,
81323 + .properties_required = 0,
81324 + .properties_provided = 0,
81325 + .properties_destroyed = 0,
81326 + .todo_flags_start = 0,
81327 + .todo_flags_finish = TODO_dump_func | TODO_ggc_collect
81328 + }
81329 +};
81330 +
81331 +static bool kernexec_cmodel_check(void)
81332 +{
81333 + tree section;
81334 +
81335 + if (ix86_cmodel != CM_KERNEL)
81336 + return false;
81337 +
81338 + section = lookup_attribute("__section__", DECL_ATTRIBUTES(current_function_decl));
81339 + if (!section || !TREE_VALUE(section))
81340 + return true;
81341 +
81342 + section = TREE_VALUE(TREE_VALUE(section));
81343 + if (strncmp(TREE_STRING_POINTER(section), ".vsyscall_", 10))
81344 + return true;
81345 +
81346 + return false;
81347 +}
81348 +
81349 +/*
81350 + * add special KERNEXEC instrumentation: force MSB of fptr to 1, which will produce
81351 + * a non-canonical address from a userland ptr and will just trigger a GPF on dereference
81352 + */
81353 +static void kernexec_instrument_fptr(gimple_stmt_iterator gsi)
81354 +{
81355 + gimple assign_intptr, assign_new_fptr, call_stmt;
81356 + tree intptr, old_fptr, new_fptr, kernexec_mask;
81357 +
81358 + call_stmt = gsi_stmt(gsi);
81359 + old_fptr = gimple_call_fn(call_stmt);
81360 +
81361 + // create temporary unsigned long variable used for bitops and cast fptr to it
81362 + intptr = create_tmp_var(long_unsigned_type_node, NULL);
81363 + add_referenced_var(intptr);
81364 + mark_sym_for_renaming(intptr);
81365 + assign_intptr = gimple_build_assign(intptr, fold_convert(long_unsigned_type_node, old_fptr));
81366 + update_stmt(assign_intptr);
81367 + gsi_insert_before(&gsi, assign_intptr, GSI_SAME_STMT);
81368 +
81369 + // apply logical or to temporary unsigned long and bitmask
81370 + kernexec_mask = build_int_cstu(long_long_unsigned_type_node, 0x8000000000000000LL);
81371 +// kernexec_mask = build_int_cstu(long_long_unsigned_type_node, 0xffffffff80000000LL);
81372 + assign_intptr = gimple_build_assign(intptr, fold_build2(BIT_IOR_EXPR, long_long_unsigned_type_node, intptr, kernexec_mask));
81373 + update_stmt(assign_intptr);
81374 + gsi_insert_before(&gsi, assign_intptr, GSI_SAME_STMT);
81375 +
81376 + // cast temporary unsigned long back to a temporary fptr variable
81377 + new_fptr = create_tmp_var(TREE_TYPE(old_fptr), NULL);
81378 + add_referenced_var(new_fptr);
81379 + mark_sym_for_renaming(new_fptr);
81380 + assign_new_fptr = gimple_build_assign(new_fptr, fold_convert(TREE_TYPE(old_fptr), intptr));
81381 + update_stmt(assign_new_fptr);
81382 + gsi_insert_before(&gsi, assign_new_fptr, GSI_SAME_STMT);
81383 +
81384 + // replace call stmt fn with the new fptr
81385 + gimple_call_set_fn(call_stmt, new_fptr);
81386 + update_stmt(call_stmt);
81387 +}
81388 +
81389 +/*
81390 + * find all C level function pointer dereferences and forcibly set the highest bit of the pointer
81391 + */
81392 +static unsigned int execute_kernexec_fptr(void)
81393 +{
81394 + basic_block bb;
81395 + gimple_stmt_iterator gsi;
81396 +
81397 + // 1. loop through BBs and GIMPLE statements
81398 + FOR_EACH_BB(bb) {
81399 + for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
81400 + // gimple match: h_1 = get_fptr (); D.2709_3 = h_1 (x_2(D));
81401 + tree fn;
81402 + gimple call_stmt;
81403 +
81404 + // is it a call ...
81405 + call_stmt = gsi_stmt(gsi);
81406 + if (!is_gimple_call(call_stmt))
81407 + continue;
81408 + fn = gimple_call_fn(call_stmt);
81409 + if (TREE_CODE(fn) == ADDR_EXPR)
81410 + continue;
81411 + if (TREE_CODE(fn) != SSA_NAME)
81412 + gcc_unreachable();
81413 +
81414 + // ... through a function pointer
81415 + fn = SSA_NAME_VAR(fn);
81416 + if (TREE_CODE(fn) != VAR_DECL && TREE_CODE(fn) != PARM_DECL)
81417 + continue;
81418 + fn = TREE_TYPE(fn);
81419 + if (TREE_CODE(fn) != POINTER_TYPE)
81420 + continue;
81421 + fn = TREE_TYPE(fn);
81422 + if (TREE_CODE(fn) != FUNCTION_TYPE)
81423 + continue;
81424 +
81425 + kernexec_instrument_fptr(gsi);
81426 +
81427 +//debug_tree(gimple_call_fn(call_stmt));
81428 +//print_gimple_stmt(stderr, call_stmt, 0, TDF_LINENO);
81429 + }
81430 + }
81431 +
81432 + return 0;
81433 +}
81434 +
81435 +// add special KERNEXEC instrumentation: btsq $63,(%rsp) just before retn
81436 +static void kernexec_instrument_retaddr(rtx insn)
81437 +{
81438 + rtx btsq;
81439 + rtvec argvec, constraintvec, labelvec;
81440 + int line;
81441 +
81442 + // create asm volatile("btsq $63,(%%rsp)":::)
81443 + argvec = rtvec_alloc(0);
81444 + constraintvec = rtvec_alloc(0);
81445 + labelvec = rtvec_alloc(0);
81446 + line = expand_location(RTL_LOCATION(insn)).line;
81447 + btsq = gen_rtx_ASM_OPERANDS(VOIDmode, "btsq $63,(%%rsp)", empty_string, 0, argvec, constraintvec, labelvec, line);
81448 + MEM_VOLATILE_P(btsq) = 1;
81449 + RTX_FRAME_RELATED_P(btsq) = 1;
81450 + emit_insn_before(btsq, insn);
81451 +}
81452 +
81453 +/*
81454 + * find all asm level function returns and forcibly set the highest bit of the return address
81455 + */
81456 +static unsigned int execute_kernexec_retaddr(void)
81457 +{
81458 + rtx insn;
81459 +
81460 + // 1. find function returns
81461 + for (insn = get_insns(); insn; insn = NEXT_INSN(insn)) {
81462 + // rtl match: (jump_insn 41 40 42 2 (return) fptr.c:42 634 {return_internal} (nil))
81463 + // (jump_insn 12 9 11 2 (parallel [ (return) (unspec [ (0) ] UNSPEC_REP) ]) fptr.c:46 635 {return_internal_long} (nil))
81464 + rtx body;
81465 +
81466 + // is it a retn
81467 + if (!JUMP_P(insn))
81468 + continue;
81469 + body = PATTERN(insn);
81470 + if (GET_CODE(body) == PARALLEL)
81471 + body = XVECEXP(body, 0, 0);
81472 + if (GET_CODE(body) != RETURN)
81473 + continue;
81474 + kernexec_instrument_retaddr(insn);
81475 + }
81476 +
81477 +// print_simple_rtl(stderr, get_insns());
81478 +// print_rtl(stderr, get_insns());
81479 +
81480 + return 0;
81481 +}
81482 +
81483 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
81484 +{
81485 + const char * const plugin_name = plugin_info->base_name;
81486 + const int argc = plugin_info->argc;
81487 + const struct plugin_argument * const argv = plugin_info->argv;
81488 + int i;
81489 + struct register_pass_info kernexec_fptr_pass_info = {
81490 + .pass = &kernexec_fptr_pass.pass,
81491 + .reference_pass_name = "ssa",
81492 + .ref_pass_instance_number = 0,
81493 + .pos_op = PASS_POS_INSERT_AFTER
81494 + };
81495 + struct register_pass_info kernexec_retaddr_pass_info = {
81496 + .pass = &kernexec_retaddr_pass.pass,
81497 + .reference_pass_name = "pro_and_epilogue",
81498 + .ref_pass_instance_number = 0,
81499 + .pos_op = PASS_POS_INSERT_AFTER
81500 + };
81501 +
81502 + if (!plugin_default_version_check(version, &gcc_version)) {
81503 + error(G_("incompatible gcc/plugin versions"));
81504 + return 1;
81505 + }
81506 +
81507 + register_callback(plugin_name, PLUGIN_INFO, NULL, &kernexec_plugin_info);
81508 +
81509 + for (i = 0; i < argc; ++i)
81510 + error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
81511 +
81512 + if (TARGET_64BIT == 0)
81513 + return 0;
81514 +
81515 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &kernexec_fptr_pass_info);
81516 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &kernexec_retaddr_pass_info);
81517 +
81518 + return 0;
81519 +}
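Review bot: `kernexec_instrument_fptr` creates `intptr` as `long_unsigned_type_node` but builds the mask and the `BIT_IOR_EXPR` in `long_long_unsigned_type_node`, so the assignment mixes two types, presumably tolerated by statement verification only because both are 64-bit unsigned on the amd64 target. Use one type throughout: `kernexec_mask = build_int_cstu(long_unsigned_type_node, 0x8000000000000000LL);` and `fold_build2(BIT_IOR_EXPR, long_unsigned_type_node, intptr, kernexec_mask)`. In `execute_kernexec_fptr`, the three `continue`s after `SSA_NAME_VAR(fn)` leave an indirect call uninstrumented without any diagnostic, while a callee that is neither ADDR_EXPR nor SSA_NAME aborts the compile through `gcc_unreachable()`. A comment stating which callee forms are expected right after the `ssa` pass would make the coverage of the hardening auditable. `plugin_init` also spells its diagnostic `unkown option`.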
81520 diff -urNp linux-2.6.32.46/tools/gcc/Makefile linux-2.6.32.46/tools/gcc/Makefile
81521 --- linux-2.6.32.46/tools/gcc/Makefile 1969-12-31 19:00:00.000000000 -0500
81522 +++ linux-2.6.32.46/tools/gcc/Makefile 2011-10-06 09:37:14.000000000 -0400
81523 @@ -0,0 +1,21 @@
81524 +#CC := gcc
81525 +#PLUGIN_SOURCE_FILES := pax_plugin.c
81526 +#PLUGIN_OBJECT_FILES := $(patsubst %.c,%.o,$(PLUGIN_SOURCE_FILES))
81527 +GCCPLUGINS_DIR := $(shell $(HOSTCC) -print-file-name=plugin)
81528 +#CFLAGS += -I$(GCCPLUGINS_DIR)/include -fPIC -O2 -Wall -W
81529 +
81530 +HOST_EXTRACFLAGS += -I$(GCCPLUGINS_DIR)/include
81531 +
81532 +hostlibs-y := constify_plugin.so
81533 +hostlibs-$(CONFIG_PAX_MEMORY_STACKLEAK) += stackleak_plugin.so
81534 +hostlibs-$(CONFIG_KALLOCSTAT_PLUGIN) += kallocstat_plugin.so
81535 +hostlibs-$(CONFIG_PAX_KERNEXEC_PLUGIN) += kernexec_plugin.so
81536 +hostlibs-$(CONFIG_CHECKER_PLUGIN) += checker_plugin.so
81537 +
81538 +always := $(hostlibs-y)
81539 +
81540 +stackleak_plugin-objs := stackleak_plugin.o
81541 +constify_plugin-objs := constify_plugin.o
81542 +kallocstat_plugin-objs := kallocstat_plugin.o
81543 +kernexec_plugin-objs := kernexec_plugin.o
81544 +checker_plugin-objs := checker_plugin.o
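Review bot: `GCCPLUGINS_DIR` is taken from `$(HOSTCC) -print-file-name=plugin`, but the plugins are loaded by the compiler that builds the kernel. When that compiler differs from HOSTCC (a cross build, or another gcc version selected through CC), the plugin headers come from the wrong gcc. The mismatch would then surface only when the plugin is loaded, through the `plugin_default_version_check` failure ("incompatible gcc/plugin versions"), or as missing headers at build time. Query the compiler that will load the plugins instead, `GCCPLUGINS_DIR := $(shell $(CC) -print-file-name=plugin)`, while still building the objects as host libraries. The commented-out `CC`, `PLUGIN_*` and `CFLAGS` lines can be dropped.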
81545 diff -urNp linux-2.6.32.46/tools/gcc/stackleak_plugin.c linux-2.6.32.46/tools/gcc/stackleak_plugin.c
81546 --- linux-2.6.32.46/tools/gcc/stackleak_plugin.c 1969-12-31 19:00:00.000000000 -0500
81547 +++ linux-2.6.32.46/tools/gcc/stackleak_plugin.c 2011-10-06 09:37:14.000000000 -0400
81548 @@ -0,0 +1,251 @@
81549 +/*
81550 + * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
81551 + * Licensed under the GPL v2
81552 + *
81553 + * Note: the choice of the license means that the compilation process is
81554 + * NOT 'eligible' as defined by gcc's library exception to the GPL v3,
81555 + * but for the kernel it doesn't matter since it doesn't link against
81556 + * any of the gcc libraries
81557 + *
81558 + * gcc plugin to help implement various PaX features
81559 + *
81560 + * - track lowest stack pointer
81561 + *
81562 + * TODO:
81563 + * - initialize all local variables
81564 + *
81565 + * BUGS:
81566 + * - none known
81567 + */
81568 +#include "gcc-plugin.h"
81569 +#include "config.h"
81570 +#include "system.h"
81571 +#include "coretypes.h"
81572 +#include "tree.h"
81573 +#include "tree-pass.h"
81574 +#include "intl.h"
81575 +#include "plugin-version.h"
81576 +#include "tm.h"
81577 +#include "toplev.h"
81578 +#include "basic-block.h"
81579 +#include "gimple.h"
81580 +//#include "expr.h" where are you...
81581 +#include "diagnostic.h"
81582 +#include "rtl.h"
81583 +#include "emit-rtl.h"
81584 +#include "function.h"
81585 +
81586 +int plugin_is_GPL_compatible;
81587 +
81588 +static int track_frame_size = -1;
81589 +static const char track_function[] = "pax_track_stack";
81590 +static bool init_locals;
81591 +
81592 +static struct plugin_info stackleak_plugin_info = {
81593 + .version = "201109112100",
81594 + .help = "track-lowest-sp=nn\ttrack sp in functions whose frame size is at least nn bytes\n"
81595 +// "initialize-locals\t\tforcibly initialize all stack frames\n"
81596 +};
81597 +
81598 +static bool gate_stackleak_track_stack(void);
81599 +static unsigned int execute_stackleak_tree_instrument(void);
81600 +static unsigned int execute_stackleak_final(void);
81601 +
81602 +static struct gimple_opt_pass stackleak_tree_instrument_pass = {
81603 + .pass = {
81604 + .type = GIMPLE_PASS,
81605 + .name = "stackleak_tree_instrument",
81606 + .gate = gate_stackleak_track_stack,
81607 + .execute = execute_stackleak_tree_instrument,
81608 + .sub = NULL,
81609 + .next = NULL,
81610 + .static_pass_number = 0,
81611 + .tv_id = TV_NONE,
81612 + .properties_required = PROP_gimple_leh | PROP_cfg,
81613 + .properties_provided = 0,
81614 + .properties_destroyed = 0,
81615 + .todo_flags_start = 0, //TODO_verify_ssa | TODO_verify_flow | TODO_verify_stmts,
81616 + .todo_flags_finish = TODO_verify_stmts | TODO_dump_func
81617 + }
81618 +};
81619 +
81620 +static struct rtl_opt_pass stackleak_final_rtl_opt_pass = {
81621 + .pass = {
81622 + .type = RTL_PASS,
81623 + .name = "stackleak_final",
81624 + .gate = gate_stackleak_track_stack,
81625 + .execute = execute_stackleak_final,
81626 + .sub = NULL,
81627 + .next = NULL,
81628 + .static_pass_number = 0,
81629 + .tv_id = TV_NONE,
81630 + .properties_required = 0,
81631 + .properties_provided = 0,
81632 + .properties_destroyed = 0,
81633 + .todo_flags_start = 0,
81634 + .todo_flags_finish = TODO_dump_func
81635 + }
81636 +};
81637 +
81638 +static bool gate_stackleak_track_stack(void)
81639 +{
81640 + return track_frame_size >= 0;
81641 +}
81642 +
81643 +static void stackleak_add_instrumentation(gimple_stmt_iterator *gsi, bool before)
81644 +{
81645 + gimple call;
81646 + tree fndecl, type;
81647 +
81648 + // insert call to void pax_track_stack(void)
81649 + type = build_function_type_list(void_type_node, NULL_TREE);
81650 + fndecl = build_fn_decl(track_function, type);
81651 + DECL_ASSEMBLER_NAME(fndecl); // for LTO
81652 + call = gimple_build_call(fndecl, 0);
81653 + if (before)
81654 + gsi_insert_before(gsi, call, GSI_CONTINUE_LINKING);
81655 + else
81656 + gsi_insert_after(gsi, call, GSI_CONTINUE_LINKING);
81657 +}
81658 +
81659 +static unsigned int execute_stackleak_tree_instrument(void)
81660 +{
81661 + basic_block bb, entry_bb;
81662 + gimple_stmt_iterator gsi;
81663 + bool prologue_instrumented = false;
81664 +
81665 + entry_bb = ENTRY_BLOCK_PTR_FOR_FUNCTION(cfun)->next_bb;
81666 +
81667 + // 1. loop through BBs and GIMPLE statements
81668 + FOR_EACH_BB(bb) {
81669 + for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
81670 + // gimple match: align 8 built-in BUILT_IN_NORMAL:BUILT_IN_ALLOCA attributes <tree_list 0xb7576450>
81671 + tree fndecl;
81672 + gimple stmt = gsi_stmt(gsi);
81673 +
81674 + if (!is_gimple_call(stmt))
81675 + continue;
81676 + fndecl = gimple_call_fndecl(stmt);
81677 + if (!fndecl)
81678 + continue;
81679 + if (TREE_CODE(fndecl) != FUNCTION_DECL)
81680 + continue;
81681 + if (!DECL_BUILT_IN(fndecl))
81682 + continue;
81683 + if (DECL_BUILT_IN_CLASS(fndecl) != BUILT_IN_NORMAL)
81684 + continue;
81685 + if (DECL_FUNCTION_CODE(fndecl) != BUILT_IN_ALLOCA)
81686 + continue;
81687 +
81688 + // 2. insert track call after each __builtin_alloca call
81689 + stackleak_add_instrumentation(&gsi, false);
81690 + if (bb == entry_bb)
81691 + prologue_instrumented = true;
81692 +// print_node(stderr, "pax", fndecl, 4);
81693 + }
81694 + }
81695 +
81696 + // 3. insert track call at the beginning
81697 + if (!prologue_instrumented) {
81698 + gsi = gsi_start_bb(entry_bb);
81699 + stackleak_add_instrumentation(&gsi, true);
81700 + }
81701 +
81702 + return 0;
81703 +}
81704 +
81705 +static unsigned int execute_stackleak_final(void)
81706 +{
81707 + rtx insn;
81708 +
81709 + if (cfun->calls_alloca)
81710 + return 0;
81711 +
81712 + // keep calls only if function frame is big enough
81713 + if (get_frame_size() >= track_frame_size)
81714 + return 0;
81715 +
81716 + // 1. find pax_track_stack calls
81717 + for (insn = get_insns(); insn; insn = NEXT_INSN(insn)) {
81718 + // rtl match: (call_insn 8 7 9 3 (call (mem (symbol_ref ("pax_track_stack") [flags 0x41] <function_decl 0xb7470e80 pax_track_stack>) [0 S1 A8]) (4)) -1 (nil) (nil))
81719 + rtx body;
81720 +
81721 + if (!CALL_P(insn))
81722 + continue;
81723 + body = PATTERN(insn);
81724 + if (GET_CODE(body) != CALL)
81725 + continue;
81726 + body = XEXP(body, 0);
81727 + if (GET_CODE(body) != MEM)
81728 + continue;
81729 + body = XEXP(body, 0);
81730 + if (GET_CODE(body) != SYMBOL_REF)
81731 + continue;
81732 + if (strcmp(XSTR(body, 0), track_function))
81733 + continue;
81734 +// warning(0, "track_frame_size: %d %ld %d", cfun->calls_alloca, get_frame_size(), track_frame_size);
81735 + // 2. delete call
81736 + delete_insn_and_edges(insn);
81737 + }
81738 +
81739 +// print_simple_rtl(stderr, get_insns());
81740 +// print_rtl(stderr, get_insns());
81741 +// warning(0, "track_frame_size: %d %ld %d", cfun->calls_alloca, get_frame_size(), track_frame_size);
81742 +
81743 + return 0;
81744 +}
81745 +
81746 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
81747 +{
81748 + const char * const plugin_name = plugin_info->base_name;
81749 + const int argc = plugin_info->argc;
81750 + const struct plugin_argument * const argv = plugin_info->argv;
81751 + int i;
81752 + struct register_pass_info stackleak_tree_instrument_pass_info = {
81753 + .pass = &stackleak_tree_instrument_pass.pass,
81754 +// .reference_pass_name = "tree_profile",
81755 + .reference_pass_name = "optimized",
81756 + .ref_pass_instance_number = 0,
81757 + .pos_op = PASS_POS_INSERT_AFTER
81758 + };
81759 + struct register_pass_info stackleak_final_pass_info = {
81760 + .pass = &stackleak_final_rtl_opt_pass.pass,
81761 + .reference_pass_name = "final",
81762 + .ref_pass_instance_number = 0,
81763 + .pos_op = PASS_POS_INSERT_BEFORE
81764 + };
81765 +
81766 + if (!plugin_default_version_check(version, &gcc_version)) {
81767 + error(G_("incompatible gcc/plugin versions"));
81768 + return 1;
81769 + }
81770 +
81771 + register_callback(plugin_name, PLUGIN_INFO, NULL, &stackleak_plugin_info);
81772 +
81773 + for (i = 0; i < argc; ++i) {
81774 + if (!strcmp(argv[i].key, "track-lowest-sp")) {
81775 + if (!argv[i].value) {
81776 + error(G_("no value supplied for option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
81777 + continue;
81778 + }
81779 + track_frame_size = atoi(argv[i].value);
81780 + if (argv[i].value[0] < '0' || argv[i].value[0] > '9' || track_frame_size < 0)
81781 + error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value);
81782 + continue;
81783 + }
81784 + if (!strcmp(argv[i].key, "initialize-locals")) {
81785 + if (argv[i].value) {
81786 + error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value);
81787 + continue;
81788 + }
81789 + init_locals = true;
81790 + continue;
81791 + }
81792 + error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
81793 + }
81794 +
81795 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &stackleak_tree_instrument_pass_info);
81796 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &stackleak_final_pass_info);
81797 +
81798 + return 0;
81799 +}
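Review bot: `plugin_init` accepts `initialize-locals` and sets `init_locals`, but nothing in this file reads that flag, so a build that passes the option gets no initialization of locals and no diagnostic saying so. Until the TODO in the file header is implemented, reject the option explicitly, e.g. `error(G_("option '-fplugin-arg-%s-%s' is not implemented"), plugin_name, argv[i].key);`, rather than accepting a hardening switch that has no effect. The `track-lowest-sp` value is parsed with `atoi` and only its first character is checked, so `16x` is accepted and an out-of-range value is undefined; `strtol` with an end-pointer and `ERANGE` check would close that. In `execute_stackleak_final` the loop reads `NEXT_INSN(insn)` after `delete_insn_and_edges(insn)`; saving the next insn before the delete would not rely on the deleted insn keeping its link.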
81800 diff -urNp linux-2.6.32.46/usr/gen_init_cpio.c linux-2.6.32.46/usr/gen_init_cpio.c
81801 --- linux-2.6.32.46/usr/gen_init_cpio.c 2011-03-27 14:31:47.000000000 -0400
81802 +++ linux-2.6.32.46/usr/gen_init_cpio.c 2011-04-17 15:56:46.000000000 -0400
81803 @@ -299,7 +299,7 @@ static int cpio_mkfile(const char *name,
81804 int retval;
81805 int rc = -1;
81806 int namesize;
81807 - int i;
81808 + unsigned int i;
81809
81810 mode |= S_IFREG;
81811
81812 @@ -383,9 +383,10 @@ static char *cpio_replace_env(char *new_
81813 *env_var = *expanded = '\0';
81814 strncat(env_var, start + 2, end - start - 2);
81815 strncat(expanded, new_location, start - new_location);
81816 - strncat(expanded, getenv(env_var), PATH_MAX);
81817 - strncat(expanded, end + 1, PATH_MAX);
81818 + strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));
81819 + strncat(expanded, end + 1, PATH_MAX - strlen(expanded));
81820 strncpy(new_location, expanded, PATH_MAX);
81821 + new_location[PATH_MAX] = 0;
81822 } else
81823 break;
81824 }
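Review bot: `getenv(env_var)` is passed straight to `strncat`, so a `${VAR}` in the input that names an unset variable hands a NULL source to `strncat`; the bounded length added here does not cover that. Fetch it once and substitute an empty string, e.g. `const char *val = getenv(env_var);` then `strncat(expanded, val ? val : "", PATH_MAX - strlen(expanded));`. The new bounds and `new_location[PATH_MAX] = 0;` are correct only if `expanded` and the caller's `new_location` hold at least `PATH_MAX + 1` bytes, which is declared outside this hunk and should be confirmed. The first two `strncat` calls remain bounded by the length of the input rather than by the destination size.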
81825 diff -urNp linux-2.6.32.46/virt/kvm/kvm_main.c linux-2.6.32.46/virt/kvm/kvm_main.c
81826 --- linux-2.6.32.46/virt/kvm/kvm_main.c 2011-03-27 14:31:47.000000000 -0400
81827 +++ linux-2.6.32.46/virt/kvm/kvm_main.c 2011-08-05 20:33:55.000000000 -0400
81828 @@ -2494,7 +2494,7 @@ asmlinkage void kvm_handle_fault_on_rebo
81829 if (kvm_rebooting)
81830 /* spin while reset goes on */
81831 while (true)
81832 - ;
81833 + cpu_relax();
81834 /* Fault while not rebooting. We want the trace. */
81835 BUG();
81836 }
81837 @@ -2714,7 +2714,7 @@ static void kvm_sched_out(struct preempt
81838 kvm_arch_vcpu_put(vcpu);
81839 }
81840
81841 -int kvm_init(void *opaque, unsigned int vcpu_size,
81842 +int kvm_init(const void *opaque, unsigned int vcpu_size,
81843 struct module *module)
81844 {
81845 int r;
81846 @@ -2767,15 +2767,17 @@ int kvm_init(void *opaque, unsigned int
81847 /* A kmem cache lets us meet the alignment requirements of fx_save. */
81848 kvm_vcpu_cache = kmem_cache_create("kvm_vcpu", vcpu_size,
81849 __alignof__(struct kvm_vcpu),
81850 - 0, NULL);
81851 + SLAB_USERCOPY, NULL);
81852 if (!kvm_vcpu_cache) {
81853 r = -ENOMEM;
81854 goto out_free_5;
81855 }
81856
81857 - kvm_chardev_ops.owner = module;
81858 - kvm_vm_fops.owner = module;
81859 - kvm_vcpu_fops.owner = module;
81860 + pax_open_kernel();
81861 + *(void **)&kvm_chardev_ops.owner = module;
81862 + *(void **)&kvm_vm_fops.owner = module;
81863 + *(void **)&kvm_vcpu_fops.owner = module;
81864 + pax_close_kernel();
81865
81866 r = misc_register(&kvm_dev);
81867 if (r) {
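Review bot: The three stores `*(void **)&kvm_chardev_ops.owner = module;` (and the `kvm_vm_fops` and `kvm_vcpu_fops` ones) need a comment, because the cast hides the type of `owner` from the compiler and nothing at the site says why the plain assignment was replaced. Something like `/* fops are read-only once constified; set .owner inside the pax_open_kernel() window */` above `pax_open_kernel();` would do, with the wording checked against how these structures are declared, which is outside this hunk. `SLAB_USERCOPY` on the `kvm_vcpu` cache likewise deserves a one-line comment naming which part of a vcpu object is copied to or from user space, since the flag is set for the cache as a whole. `kvm_init` continues past the end of the hunk.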