Auto commit, 1 new patch{es}.
1 diff -urNp linux-2.6.32.49/arch/alpha/include/asm/elf.h linux-2.6.32.49/arch/alpha/include/asm/elf.h
2 --- linux-2.6.32.49/arch/alpha/include/asm/elf.h 2011-11-08 19:02:43.000000000 -0500
3 +++ linux-2.6.32.49/arch/alpha/include/asm/elf.h 2011-11-15 19:59:42.000000000 -0500
4 @@ -91,6 +91,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
5
6 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
7
8 +#ifdef CONFIG_PAX_ASLR
9 +#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
10 +
11 +#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
12 +#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
13 +#endif
14 +
15 /* $0 is set by ld.so to a pointer to a function which might be
16 registered using atexit. This provides a mean for the dynamic
17 linker to call DT_FINI functions for shared libraries that have
18 diff -urNp linux-2.6.32.49/arch/alpha/include/asm/pgtable.h linux-2.6.32.49/arch/alpha/include/asm/pgtable.h
19 --- linux-2.6.32.49/arch/alpha/include/asm/pgtable.h 2011-11-08 19:02:43.000000000 -0500
20 +++ linux-2.6.32.49/arch/alpha/include/asm/pgtable.h 2011-11-15 19:59:42.000000000 -0500
21 @@ -101,6 +101,17 @@ struct vm_area_struct;
22 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
23 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
24 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
25 +
26 +#ifdef CONFIG_PAX_PAGEEXEC
27 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
28 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
29 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
30 +#else
31 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
32 +# define PAGE_COPY_NOEXEC PAGE_COPY
33 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
34 +#endif
35 +
36 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
37
38 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
39 diff -urNp linux-2.6.32.49/arch/alpha/kernel/module.c linux-2.6.32.49/arch/alpha/kernel/module.c
40 --- linux-2.6.32.49/arch/alpha/kernel/module.c 2011-11-08 19:02:43.000000000 -0500
41 +++ linux-2.6.32.49/arch/alpha/kernel/module.c 2011-11-15 19:59:42.000000000 -0500
42 @@ -182,7 +182,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
43
44 /* The small sections were sorted to the end of the segment.
45 The following should definitely cover them. */
46 - gp = (u64)me->module_core + me->core_size - 0x8000;
47 + gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
48 got = sechdrs[me->arch.gotsecindex].sh_addr;
49
50 for (i = 0; i < n; i++) {
51 diff -urNp linux-2.6.32.49/arch/alpha/kernel/osf_sys.c linux-2.6.32.49/arch/alpha/kernel/osf_sys.c
52 --- linux-2.6.32.49/arch/alpha/kernel/osf_sys.c 2011-11-08 19:02:43.000000000 -0500
53 +++ linux-2.6.32.49/arch/alpha/kernel/osf_sys.c 2011-11-15 19:59:42.000000000 -0500
54 @@ -1172,7 +1172,7 @@ arch_get_unmapped_area_1(unsigned long a
55 /* At this point: (!vma || addr < vma->vm_end). */
56 if (limit - len < addr)
57 return -ENOMEM;
58 - if (!vma || addr + len <= vma->vm_start)
59 + if (check_heap_stack_gap(vma, addr, len))
60 return addr;
61 addr = vma->vm_end;
62 vma = vma->vm_next;
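Review bot: After the change in arch_get_unmapped_area_1, the fall-through `addr = vma->vm_end;` is only safe if `check_heap_stack_gap()` returns true whenever `vma` is NULL. The removed `!vma ||` test guaranteed that locally, and the comment above still says `vma` may be NULL at this point. The helper is defined outside this hunk, so that contract cannot be confirmed from here. I would state it at the call site, e.g. `/* check_heap_stack_gap() must return true for a NULL vma, as the old !vma test did */`. The same reliance appears in the third hunk of arch/arm/mm/mmap.c, where the code after the test is outside the hunk.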
63 @@ -1208,6 +1208,10 @@ arch_get_unmapped_area(struct file *filp
64 merely specific addresses, but regions of memory -- perhaps
65 this feature should be incorporated into all ports? */
66
67 +#ifdef CONFIG_PAX_RANDMMAP
68 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
69 +#endif
70 +
71 if (addr) {
72 addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
73 if (addr != (unsigned long) -ENOMEM)
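Review bot: The added `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))` has no braces and takes the following `if (addr) { ... }` as its body only when CONFIG_PAX_RANDMMAP is set, with a blank line in between. Any statement later inserted between the `#endif` and `if (addr)` would silently become the guarded body and the address-hint path would run unconditionally. A comment such as `/* with RANDMMAP the caller's address hint is ignored; the guard below applies to the if (addr) block */` would make the intent explicit, or the condition could be folded into the `if (addr)` test. The first hunk of arch/arm/mm/mmap.c uses the same construct.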
74 @@ -1215,8 +1219,8 @@ arch_get_unmapped_area(struct file *filp
75 }
76
77 /* Next, try allocating at TASK_UNMAPPED_BASE. */
78 - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
79 - len, limit);
80 + addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
81 +
82 if (addr != (unsigned long) -ENOMEM)
83 return addr;
84
85 diff -urNp linux-2.6.32.49/arch/alpha/mm/fault.c linux-2.6.32.49/arch/alpha/mm/fault.c
86 --- linux-2.6.32.49/arch/alpha/mm/fault.c 2011-11-08 19:02:43.000000000 -0500
87 +++ linux-2.6.32.49/arch/alpha/mm/fault.c 2011-11-18 18:01:52.000000000 -0500
88 @@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *
89 __reload_thread(pcb);
90 }
91
92 +#ifdef CONFIG_PAX_PAGEEXEC
93 +/*
94 + * PaX: decide what to do with offenders (regs->pc = fault address)
95 + *
96 + * returns 1 when task should be killed
97 + * 2 when patched PLT trampoline was detected
98 + * 3 when unpatched PLT trampoline was detected
99 + */
100 +static int pax_handle_fetch_fault(struct pt_regs *regs)
101 +{
102 +
103 +#ifdef CONFIG_PAX_EMUPLT
104 + int err;
105 +
106 + do { /* PaX: patched PLT emulation #1 */
107 + unsigned int ldah, ldq, jmp;
108 +
109 + err = get_user(ldah, (unsigned int *)regs->pc);
110 + err |= get_user(ldq, (unsigned int *)(regs->pc+4));
111 + err |= get_user(jmp, (unsigned int *)(regs->pc+8));
112 +
113 + if (err)
114 + break;
115 +
116 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
117 + (ldq & 0xFFFF0000U) == 0xA77B0000U &&
118 + jmp == 0x6BFB0000U)
119 + {
120 + unsigned long r27, addr;
121 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
122 + unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
123 +
124 + addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
125 + err = get_user(r27, (unsigned long *)addr);
126 + if (err)
127 + break;
128 +
129 + regs->r27 = r27;
130 + regs->pc = r27;
131 + return 2;
132 + }
133 + } while (0);
134 +
135 + do { /* PaX: patched PLT emulation #2 */
136 + unsigned int ldah, lda, br;
137 +
138 + err = get_user(ldah, (unsigned int *)regs->pc);
139 + err |= get_user(lda, (unsigned int *)(regs->pc+4));
140 + err |= get_user(br, (unsigned int *)(regs->pc+8));
141 +
142 + if (err)
143 + break;
144 +
145 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
146 + (lda & 0xFFFF0000U) == 0xA77B0000U &&
147 + (br & 0xFFE00000U) == 0xC3E00000U)
148 + {
149 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
150 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
151 + unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
152 +
153 + regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
154 + regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
155 + return 2;
156 + }
157 + } while (0);
158 +
159 + do { /* PaX: unpatched PLT emulation */
160 + unsigned int br;
161 +
162 + err = get_user(br, (unsigned int *)regs->pc);
163 +
164 + if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
165 + unsigned int br2, ldq, nop, jmp;
166 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
167 +
168 + addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
169 + err = get_user(br2, (unsigned int *)addr);
170 + err |= get_user(ldq, (unsigned int *)(addr+4));
171 + err |= get_user(nop, (unsigned int *)(addr+8));
172 + err |= get_user(jmp, (unsigned int *)(addr+12));
173 + err |= get_user(resolver, (unsigned long *)(addr+16));
174 +
175 + if (err)
176 + break;
177 +
178 + if (br2 == 0xC3600000U &&
179 + ldq == 0xA77B000CU &&
180 + nop == 0x47FF041FU &&
181 + jmp == 0x6B7B0000U)
182 + {
183 + regs->r28 = regs->pc+4;
184 + regs->r27 = addr+16;
185 + regs->pc = resolver;
186 + return 3;
187 + }
188 + }
189 + } while (0);
190 +#endif
191 +
192 + return 1;
193 +}
194 +
195 +void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
196 +{
197 + unsigned long i;
198 +
199 + printk(KERN_ERR "PAX: bytes at PC: ");
200 + for (i = 0; i < 5; i++) {
201 + unsigned int c;
202 + if (get_user(c, (unsigned int *)pc+i))
203 + printk(KERN_CONT "???????? ");
204 + else
205 + printk(KERN_CONT "%08x ", c);
206 + }
207 + printk("\n");
208 +}
209 +#endif
210
211 /*
212 * This routine handles page faults. It determines the address,
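Review bot: In pax_handle_fetch_fault, "patched PLT emulation #2" names its second word `lda` but tests it with `(lda & 0xFFFF0000U) == 0xA77B0000U`, the same mask and constant that emulation #1 applies to `ldq`. Emulation #2 then adds the displacement to `regs->r27` instead of loading through it as #1 does, so its behaviour follows the variable name rather than the constant; either the constant or the name appears to be wrong and should be confirmed against the instruction encoding. Because these matchers rewrite `regs->pc` and `regs->r27` from words read out of user memory, each one should carry a short comment spelling out the exact instruction sequence it accepts. The `(x | 0xFFFF...0000UL)` followed by `^`/`+` sign-extension idiom also deserves a one-line explanation.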
213 @@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns
214 good_area:
215 si_code = SEGV_ACCERR;
216 if (cause < 0) {
217 - if (!(vma->vm_flags & VM_EXEC))
218 + if (!(vma->vm_flags & VM_EXEC)) {
219 +
220 +#ifdef CONFIG_PAX_PAGEEXEC
221 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
222 + goto bad_area;
223 +
224 + up_read(&mm->mmap_sem);
225 + switch (pax_handle_fetch_fault(regs)) {
226 +
227 +#ifdef CONFIG_PAX_EMUPLT
228 + case 2:
229 + case 3:
230 + return;
231 +#endif
232 +
233 + }
234 + pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
235 + do_group_exit(SIGKILL);
236 +#else
237 goto bad_area;
238 +#endif
239 +
240 + }
241 } else if (!cause) {
242 /* Allow reads even for write-only mappings */
243 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
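Review bot: The `switch (pax_handle_fetch_fault(regs))` has no `default` and, when CONFIG_PAX_EMUPLT is off, an empty body, so the kill path is reached only by falling out of the switch. It works, but the bare `case 2:` / `case 3:` values are meaningful only next to the comment on pax_handle_fetch_fault. I would add `default: break; /* 1: not a PLT trampoline, report and kill */` and consider named constants for the return codes. It is also worth a comment that `up_read(&mm->mmap_sem)` is done before the switch because both the `return` and the `do_group_exit(SIGKILL)` paths leave do_page_fault without passing the usual unlock. The rest of do_page_fault is outside this hunk.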
244 diff -urNp linux-2.6.32.49/arch/arm/include/asm/elf.h linux-2.6.32.49/arch/arm/include/asm/elf.h
245 --- linux-2.6.32.49/arch/arm/include/asm/elf.h 2011-11-08 19:02:43.000000000 -0500
246 +++ linux-2.6.32.49/arch/arm/include/asm/elf.h 2011-11-15 19:59:42.000000000 -0500
247 @@ -109,7 +109,14 @@ int dump_task_regs(struct task_struct *t
248 the loader. We need to make sure that it is out of the way of the program
249 that it will "exec", and that there is sufficient room for the brk. */
250
251 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
252 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
253 +
254 +#ifdef CONFIG_PAX_ASLR
255 +#define PAX_ELF_ET_DYN_BASE 0x00008000UL
256 +
257 +#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
258 +#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
259 +#endif
260
261 /* When the program starts, a1 contains a pointer to a function to be
262 registered with atexit, as per the SVR4 ABI. A value of 0 means we
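Review bot: `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` compare the whole word with `current->personality == PER_LINUX_32BIT`, whereas the alpha macros in this patch test a single bit (`current->personality & ADDR_LIMIT_32BIT`). If any other personality flag bit is set together with the 32-bit personality, the equality fails and the smaller length 10 is used instead of 16. If only the base personality is meant to be compared, the flag bits should be masked off first, or a comment should explain why an exact match is wanted. How these lengths are consumed is outside this hunk.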
263 diff -urNp linux-2.6.32.49/arch/arm/include/asm/kmap_types.h linux-2.6.32.49/arch/arm/include/asm/kmap_types.h
264 --- linux-2.6.32.49/arch/arm/include/asm/kmap_types.h 2011-11-08 19:02:43.000000000 -0500
265 +++ linux-2.6.32.49/arch/arm/include/asm/kmap_types.h 2011-11-15 19:59:42.000000000 -0500
266 @@ -19,6 +19,7 @@ enum km_type {
267 KM_SOFTIRQ0,
268 KM_SOFTIRQ1,
269 KM_L2_CACHE,
270 + KM_CLEARPAGE,
271 KM_TYPE_NR
272 };
273
274 diff -urNp linux-2.6.32.49/arch/arm/include/asm/uaccess.h linux-2.6.32.49/arch/arm/include/asm/uaccess.h
275 --- linux-2.6.32.49/arch/arm/include/asm/uaccess.h 2011-11-08 19:02:43.000000000 -0500
276 +++ linux-2.6.32.49/arch/arm/include/asm/uaccess.h 2011-11-15 19:59:42.000000000 -0500
277 @@ -22,6 +22,8 @@
278 #define VERIFY_READ 0
279 #define VERIFY_WRITE 1
280
281 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
282 +
283 /*
284 * The exception table consists of pairs of addresses: the first is the
285 * address of an instruction that is allowed to fault, and the second is
286 @@ -387,8 +389,23 @@ do { \
287
288
289 #ifdef CONFIG_MMU
290 -extern unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n);
291 -extern unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n);
292 +extern unsigned long __must_check ___copy_from_user(void *to, const void __user *from, unsigned long n);
293 +extern unsigned long __must_check ___copy_to_user(void __user *to, const void *from, unsigned long n);
294 +
295 +static inline unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n)
296 +{
297 + if (!__builtin_constant_p(n))
298 + check_object_size(to, n, false);
299 + return ___copy_from_user(to, from, n);
300 +}
301 +
302 +static inline unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n)
303 +{
304 + if (!__builtin_constant_p(n))
305 + check_object_size(from, n, true);
306 + return ___copy_to_user(to, from, n);
307 +}
308 +
309 extern unsigned long __must_check __copy_to_user_std(void __user *to, const void *from, unsigned long n);
310 extern unsigned long __must_check __clear_user(void __user *addr, unsigned long n);
311 extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned long n);
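Review bot: The new inline `__copy_from_user` and `__copy_to_user` wrappers call `check_object_size()` only when `!__builtin_constant_p(n)`, so compile-time-constant lengths skip the runtime object-size check without any explanation. I would document the assumption above both wrappers, for example `/* constant-size copies are assumed to be checked at build time; only variable lengths get the runtime object check */`, and confirm that the assumption holds. `__copy_to_user_std` and `__clear_user` remain plain externs with no such check, which may be intentional but is not stated.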
312 @@ -403,6 +420,9 @@ extern unsigned long __must_check __strn
313
314 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
315 {
316 + if ((long)n < 0)
317 + return n;
318 +
319 if (access_ok(VERIFY_READ, from, n))
320 n = __copy_from_user(to, from, n);
321 else /* security hole - plug it */
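Review bot: The new `if ((long)n < 0) return n;` in copy_from_user returns before the `access_ok` branch, so the destination buffer is left untouched on this path. The existing `else /* security hole - plug it */` branch (body outside the hunk) presumably clears it. Clearing `n` bytes would be wrong for such a length, but a caller that ignores the return value then continues with an uninitialised kernel buffer. I would add a comment at the check, e.g. `/* length with the sign bit set: refuse the copy, 'to' is left unmodified, all n bytes reported as not copied */`. The copy_to_user hunk that follows adds the same check and would benefit from the same comment.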
322 @@ -412,6 +432,9 @@ static inline unsigned long __must_check
323
324 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
325 {
326 + if ((long)n < 0)
327 + return n;
328 +
329 if (access_ok(VERIFY_WRITE, to, n))
330 n = __copy_to_user(to, from, n);
331 return n;
332 diff -urNp linux-2.6.32.49/arch/arm/kernel/armksyms.c linux-2.6.32.49/arch/arm/kernel/armksyms.c
333 --- linux-2.6.32.49/arch/arm/kernel/armksyms.c 2011-11-08 19:02:43.000000000 -0500
334 +++ linux-2.6.32.49/arch/arm/kernel/armksyms.c 2011-11-15 19:59:42.000000000 -0500
335 @@ -118,8 +118,8 @@ EXPORT_SYMBOL(__strncpy_from_user);
336 #ifdef CONFIG_MMU
337 EXPORT_SYMBOL(copy_page);
338
339 -EXPORT_SYMBOL(__copy_from_user);
340 -EXPORT_SYMBOL(__copy_to_user);
341 +EXPORT_SYMBOL(___copy_from_user);
342 +EXPORT_SYMBOL(___copy_to_user);
343 EXPORT_SYMBOL(__clear_user);
344
345 EXPORT_SYMBOL(__get_user_1);
346 diff -urNp linux-2.6.32.49/arch/arm/kernel/kgdb.c linux-2.6.32.49/arch/arm/kernel/kgdb.c
347 --- linux-2.6.32.49/arch/arm/kernel/kgdb.c 2011-11-08 19:02:43.000000000 -0500
348 +++ linux-2.6.32.49/arch/arm/kernel/kgdb.c 2011-11-15 19:59:42.000000000 -0500
349 @@ -190,7 +190,7 @@ void kgdb_arch_exit(void)
350 * and we handle the normal undef case within the do_undefinstr
351 * handler.
352 */
353 -struct kgdb_arch arch_kgdb_ops = {
354 +const struct kgdb_arch arch_kgdb_ops = {
355 #ifndef __ARMEB__
356 .gdb_bpt_instr = {0xfe, 0xde, 0xff, 0xe7}
357 #else /* ! __ARMEB__ */
358 diff -urNp linux-2.6.32.49/arch/arm/kernel/traps.c linux-2.6.32.49/arch/arm/kernel/traps.c
359 --- linux-2.6.32.49/arch/arm/kernel/traps.c 2011-11-08 19:02:43.000000000 -0500
360 +++ linux-2.6.32.49/arch/arm/kernel/traps.c 2011-11-15 19:59:42.000000000 -0500
361 @@ -247,6 +247,8 @@ static void __die(const char *str, int e
362
363 DEFINE_SPINLOCK(die_lock);
364
365 +extern void gr_handle_kernel_exploit(void);
366 +
367 /*
368 * This function is protected against re-entrancy.
369 */
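Review bot: `extern void gr_handle_kernel_exploit(void);` is declared directly in traps.c rather than coming from a header. The compiler therefore cannot check this prototype against the definition, and a later signature change would go unnoticed here. Moving the declaration into a shared header included by both the definition and this file would fix that. The next hunk calls it in die() after the `panic_on_oops` check and before `do_exit(SIGSEGV)`, and a one-line comment there stating what the hook does to the offending task would help readers of the oops path.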
370 @@ -271,6 +273,8 @@ NORET_TYPE void die(const char *str, str
371 if (panic_on_oops)
372 panic("Fatal exception");
373
374 + gr_handle_kernel_exploit();
375 +
376 do_exit(SIGSEGV);
377 }
378
379 diff -urNp linux-2.6.32.49/arch/arm/lib/copy_from_user.S linux-2.6.32.49/arch/arm/lib/copy_from_user.S
380 --- linux-2.6.32.49/arch/arm/lib/copy_from_user.S 2011-11-08 19:02:43.000000000 -0500
381 +++ linux-2.6.32.49/arch/arm/lib/copy_from_user.S 2011-11-15 19:59:42.000000000 -0500
382 @@ -16,7 +16,7 @@
383 /*
384 * Prototype:
385 *
386 - * size_t __copy_from_user(void *to, const void *from, size_t n)
387 + * size_t ___copy_from_user(void *to, const void *from, size_t n)
388 *
389 * Purpose:
390 *
391 @@ -84,11 +84,11 @@
392
393 .text
394
395 -ENTRY(__copy_from_user)
396 +ENTRY(___copy_from_user)
397
398 #include "copy_template.S"
399
400 -ENDPROC(__copy_from_user)
401 +ENDPROC(___copy_from_user)
402
403 .section .fixup,"ax"
404 .align 0
405 diff -urNp linux-2.6.32.49/arch/arm/lib/copy_to_user.S linux-2.6.32.49/arch/arm/lib/copy_to_user.S
406 --- linux-2.6.32.49/arch/arm/lib/copy_to_user.S 2011-11-08 19:02:43.000000000 -0500
407 +++ linux-2.6.32.49/arch/arm/lib/copy_to_user.S 2011-11-15 19:59:42.000000000 -0500
408 @@ -16,7 +16,7 @@
409 /*
410 * Prototype:
411 *
412 - * size_t __copy_to_user(void *to, const void *from, size_t n)
413 + * size_t ___copy_to_user(void *to, const void *from, size_t n)
414 *
415 * Purpose:
416 *
417 @@ -88,11 +88,11 @@
418 .text
419
420 ENTRY(__copy_to_user_std)
421 -WEAK(__copy_to_user)
422 +WEAK(___copy_to_user)
423
424 #include "copy_template.S"
425
426 -ENDPROC(__copy_to_user)
427 +ENDPROC(___copy_to_user)
428
429 .section .fixup,"ax"
430 .align 0
431 diff -urNp linux-2.6.32.49/arch/arm/lib/uaccess.S linux-2.6.32.49/arch/arm/lib/uaccess.S
432 --- linux-2.6.32.49/arch/arm/lib/uaccess.S 2011-11-08 19:02:43.000000000 -0500
433 +++ linux-2.6.32.49/arch/arm/lib/uaccess.S 2011-11-15 19:59:42.000000000 -0500
434 @@ -19,7 +19,7 @@
435
436 #define PAGE_SHIFT 12
437
438 -/* Prototype: int __copy_to_user(void *to, const char *from, size_t n)
439 +/* Prototype: int ___copy_to_user(void *to, const char *from, size_t n)
440 * Purpose : copy a block to user memory from kernel memory
441 * Params : to - user memory
442 * : from - kernel memory
443 @@ -39,7 +39,7 @@ USER( strgtbt r3, [r0], #1) @ May fau
444 sub r2, r2, ip
445 b .Lc2u_dest_aligned
446
447 -ENTRY(__copy_to_user)
448 +ENTRY(___copy_to_user)
449 stmfd sp!, {r2, r4 - r7, lr}
450 cmp r2, #4
451 blt .Lc2u_not_enough
452 @@ -277,14 +277,14 @@ USER( strgebt r3, [r0], #1) @ May fau
453 ldrgtb r3, [r1], #0
454 USER( strgtbt r3, [r0], #1) @ May fault
455 b .Lc2u_finished
456 -ENDPROC(__copy_to_user)
457 +ENDPROC(___copy_to_user)
458
459 .section .fixup,"ax"
460 .align 0
461 9001: ldmfd sp!, {r0, r4 - r7, pc}
462 .previous
463
464 -/* Prototype: unsigned long __copy_from_user(void *to,const void *from,unsigned long n);
465 +/* Prototype: unsigned long ___copy_from_user(void *to,const void *from,unsigned long n);
466 * Purpose : copy a block from user memory to kernel memory
467 * Params : to - kernel memory
468 * : from - user memory
469 @@ -303,7 +303,7 @@ USER( ldrgtbt r3, [r1], #1) @ May fau
470 sub r2, r2, ip
471 b .Lcfu_dest_aligned
472
473 -ENTRY(__copy_from_user)
474 +ENTRY(___copy_from_user)
475 stmfd sp!, {r0, r2, r4 - r7, lr}
476 cmp r2, #4
477 blt .Lcfu_not_enough
478 @@ -543,7 +543,7 @@ USER( ldrgebt r3, [r1], #1) @ May fau
479 USER( ldrgtbt r3, [r1], #1) @ May fault
480 strgtb r3, [r0], #1
481 b .Lcfu_finished
482 -ENDPROC(__copy_from_user)
483 +ENDPROC(___copy_from_user)
484
485 .section .fixup,"ax"
486 .align 0
487 diff -urNp linux-2.6.32.49/arch/arm/lib/uaccess_with_memcpy.c linux-2.6.32.49/arch/arm/lib/uaccess_with_memcpy.c
488 --- linux-2.6.32.49/arch/arm/lib/uaccess_with_memcpy.c 2011-11-08 19:02:43.000000000 -0500
489 +++ linux-2.6.32.49/arch/arm/lib/uaccess_with_memcpy.c 2011-11-15 19:59:42.000000000 -0500
490 @@ -97,7 +97,7 @@ out:
491 }
492
493 unsigned long
494 -__copy_to_user(void __user *to, const void *from, unsigned long n)
495 +___copy_to_user(void __user *to, const void *from, unsigned long n)
496 {
497 /*
498 * This test is stubbed out of the main function above to keep
499 diff -urNp linux-2.6.32.49/arch/arm/mach-at91/pm.c linux-2.6.32.49/arch/arm/mach-at91/pm.c
500 --- linux-2.6.32.49/arch/arm/mach-at91/pm.c 2011-11-08 19:02:43.000000000 -0500
501 +++ linux-2.6.32.49/arch/arm/mach-at91/pm.c 2011-11-15 19:59:42.000000000 -0500
502 @@ -348,7 +348,7 @@ static void at91_pm_end(void)
503 }
504
505
506 -static struct platform_suspend_ops at91_pm_ops ={
507 +static const struct platform_suspend_ops at91_pm_ops ={
508 .valid = at91_pm_valid_state,
509 .begin = at91_pm_begin,
510 .enter = at91_pm_enter,
511 diff -urNp linux-2.6.32.49/arch/arm/mach-omap1/pm.c linux-2.6.32.49/arch/arm/mach-omap1/pm.c
512 --- linux-2.6.32.49/arch/arm/mach-omap1/pm.c 2011-11-08 19:02:43.000000000 -0500
513 +++ linux-2.6.32.49/arch/arm/mach-omap1/pm.c 2011-11-15 19:59:42.000000000 -0500
514 @@ -647,7 +647,7 @@ static struct irqaction omap_wakeup_irq
515
516
517
518 -static struct platform_suspend_ops omap_pm_ops ={
519 +static const struct platform_suspend_ops omap_pm_ops ={
520 .prepare = omap_pm_prepare,
521 .enter = omap_pm_enter,
522 .finish = omap_pm_finish,
523 diff -urNp linux-2.6.32.49/arch/arm/mach-omap2/pm24xx.c linux-2.6.32.49/arch/arm/mach-omap2/pm24xx.c
524 --- linux-2.6.32.49/arch/arm/mach-omap2/pm24xx.c 2011-11-08 19:02:43.000000000 -0500
525 +++ linux-2.6.32.49/arch/arm/mach-omap2/pm24xx.c 2011-11-15 19:59:42.000000000 -0500
526 @@ -326,7 +326,7 @@ static void omap2_pm_finish(void)
527 enable_hlt();
528 }
529
530 -static struct platform_suspend_ops omap_pm_ops = {
531 +static const struct platform_suspend_ops omap_pm_ops = {
532 .prepare = omap2_pm_prepare,
533 .enter = omap2_pm_enter,
534 .finish = omap2_pm_finish,
535 diff -urNp linux-2.6.32.49/arch/arm/mach-omap2/pm34xx.c linux-2.6.32.49/arch/arm/mach-omap2/pm34xx.c
536 --- linux-2.6.32.49/arch/arm/mach-omap2/pm34xx.c 2011-11-08 19:02:43.000000000 -0500
537 +++ linux-2.6.32.49/arch/arm/mach-omap2/pm34xx.c 2011-11-15 19:59:42.000000000 -0500
538 @@ -401,7 +401,7 @@ static void omap3_pm_end(void)
539 return;
540 }
541
542 -static struct platform_suspend_ops omap_pm_ops = {
543 +static const struct platform_suspend_ops omap_pm_ops = {
544 .begin = omap3_pm_begin,
545 .end = omap3_pm_end,
546 .prepare = omap3_pm_prepare,
547 diff -urNp linux-2.6.32.49/arch/arm/mach-pnx4008/pm.c linux-2.6.32.49/arch/arm/mach-pnx4008/pm.c
548 --- linux-2.6.32.49/arch/arm/mach-pnx4008/pm.c 2011-11-08 19:02:43.000000000 -0500
549 +++ linux-2.6.32.49/arch/arm/mach-pnx4008/pm.c 2011-11-15 19:59:42.000000000 -0500
550 @@ -116,7 +116,7 @@ static int pnx4008_pm_valid(suspend_stat
551 (state == PM_SUSPEND_MEM);
552 }
553
554 -static struct platform_suspend_ops pnx4008_pm_ops = {
555 +static const struct platform_suspend_ops pnx4008_pm_ops = {
556 .enter = pnx4008_pm_enter,
557 .valid = pnx4008_pm_valid,
558 };
559 diff -urNp linux-2.6.32.49/arch/arm/mach-pxa/pm.c linux-2.6.32.49/arch/arm/mach-pxa/pm.c
560 --- linux-2.6.32.49/arch/arm/mach-pxa/pm.c 2011-11-08 19:02:43.000000000 -0500
561 +++ linux-2.6.32.49/arch/arm/mach-pxa/pm.c 2011-11-15 19:59:42.000000000 -0500
562 @@ -95,7 +95,7 @@ void pxa_pm_finish(void)
563 pxa_cpu_pm_fns->finish();
564 }
565
566 -static struct platform_suspend_ops pxa_pm_ops = {
567 +static const struct platform_suspend_ops pxa_pm_ops = {
568 .valid = pxa_pm_valid,
569 .enter = pxa_pm_enter,
570 .prepare = pxa_pm_prepare,
571 diff -urNp linux-2.6.32.49/arch/arm/mach-pxa/sharpsl_pm.c linux-2.6.32.49/arch/arm/mach-pxa/sharpsl_pm.c
572 --- linux-2.6.32.49/arch/arm/mach-pxa/sharpsl_pm.c 2011-11-08 19:02:43.000000000 -0500
573 +++ linux-2.6.32.49/arch/arm/mach-pxa/sharpsl_pm.c 2011-11-15 19:59:42.000000000 -0500
574 @@ -891,7 +891,7 @@ static void sharpsl_apm_get_power_status
575 }
576
577 #ifdef CONFIG_PM
578 -static struct platform_suspend_ops sharpsl_pm_ops = {
579 +static const struct platform_suspend_ops sharpsl_pm_ops = {
580 .prepare = pxa_pm_prepare,
581 .finish = pxa_pm_finish,
582 .enter = corgi_pxa_pm_enter,
583 diff -urNp linux-2.6.32.49/arch/arm/mach-sa1100/pm.c linux-2.6.32.49/arch/arm/mach-sa1100/pm.c
584 --- linux-2.6.32.49/arch/arm/mach-sa1100/pm.c 2011-11-08 19:02:43.000000000 -0500
585 +++ linux-2.6.32.49/arch/arm/mach-sa1100/pm.c 2011-11-15 19:59:42.000000000 -0500
586 @@ -120,7 +120,7 @@ unsigned long sleep_phys_sp(void *sp)
587 return virt_to_phys(sp);
588 }
589
590 -static struct platform_suspend_ops sa11x0_pm_ops = {
591 +static const struct platform_suspend_ops sa11x0_pm_ops = {
592 .enter = sa11x0_pm_enter,
593 .valid = suspend_valid_only_mem,
594 };
595 diff -urNp linux-2.6.32.49/arch/arm/mm/fault.c linux-2.6.32.49/arch/arm/mm/fault.c
596 --- linux-2.6.32.49/arch/arm/mm/fault.c 2011-11-08 19:02:43.000000000 -0500
597 +++ linux-2.6.32.49/arch/arm/mm/fault.c 2011-11-18 18:01:52.000000000 -0500
598 @@ -166,6 +166,13 @@ __do_user_fault(struct task_struct *tsk,
599 }
600 #endif
601
602 +#ifdef CONFIG_PAX_PAGEEXEC
603 + if (fsr & FSR_LNX_PF) {
604 + pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
605 + do_group_exit(SIGKILL);
606 + }
607 +#endif
608 +
609 tsk->thread.address = addr;
610 tsk->thread.error_code = fsr;
611 tsk->thread.trap_no = 14;
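Review bot: The added block in __do_user_fault kills the whole thread group on `fsr & FSR_LNX_PF` whenever CONFIG_PAX_PAGEEXEC is built in, without looking at the task's `pax_flags`. The avr32 and alpha fault handlers in this same patch first test `mm->pax_flags & MF_PAX_PAGEEXEC`, so on ARM a task that has the feature disabled would still get SIGKILL rather than the normal signal for a prefetch fault. If that is intended, a comment should say so; otherwise the condition should include the per-task flag, e.g. `if ((fsr & FSR_LNX_PF) && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC))`, assuming `tsk->mm` is valid here. The function body starts and ends outside the hunk.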
612 @@ -357,6 +364,33 @@ do_page_fault(unsigned long addr, unsign
613 }
614 #endif /* CONFIG_MMU */
615
616 +#ifdef CONFIG_PAX_PAGEEXEC
617 +void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
618 +{
619 + long i;
620 +
621 + printk(KERN_ERR "PAX: bytes at PC: ");
622 + for (i = 0; i < 20; i++) {
623 + unsigned char c;
624 + if (get_user(c, (__force unsigned char __user *)pc+i))
625 + printk(KERN_CONT "?? ");
626 + else
627 + printk(KERN_CONT "%02x ", c);
628 + }
629 + printk("\n");
630 +
631 + printk(KERN_ERR "PAX: bytes at SP-4: ");
632 + for (i = -1; i < 20; i++) {
633 + unsigned long c;
634 + if (get_user(c, (__force unsigned long __user *)sp+i))
635 + printk(KERN_CONT "???????? ");
636 + else
637 + printk(KERN_CONT "%08lx ", c);
638 + }
639 + printk("\n");
640 +}
641 +#endif
642 +
643 /*
644 * First Level Translation Fault Handler
645 *
646 diff -urNp linux-2.6.32.49/arch/arm/mm/mmap.c linux-2.6.32.49/arch/arm/mm/mmap.c
647 --- linux-2.6.32.49/arch/arm/mm/mmap.c 2011-11-08 19:02:43.000000000 -0500
648 +++ linux-2.6.32.49/arch/arm/mm/mmap.c 2011-11-15 19:59:42.000000000 -0500
649 @@ -63,6 +63,10 @@ arch_get_unmapped_area(struct file *filp
650 if (len > TASK_SIZE)
651 return -ENOMEM;
652
653 +#ifdef CONFIG_PAX_RANDMMAP
654 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
655 +#endif
656 +
657 if (addr) {
658 if (do_align)
659 addr = COLOUR_ALIGN(addr, pgoff);
660 @@ -70,15 +74,14 @@ arch_get_unmapped_area(struct file *filp
661 addr = PAGE_ALIGN(addr);
662
663 vma = find_vma(mm, addr);
664 - if (TASK_SIZE - len >= addr &&
665 - (!vma || addr + len <= vma->vm_start))
666 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
667 return addr;
668 }
669 if (len > mm->cached_hole_size) {
670 - start_addr = addr = mm->free_area_cache;
671 + start_addr = addr = mm->free_area_cache;
672 } else {
673 - start_addr = addr = TASK_UNMAPPED_BASE;
674 - mm->cached_hole_size = 0;
675 + start_addr = addr = mm->mmap_base;
676 + mm->cached_hole_size = 0;
677 }
678
679 full_search:
680 @@ -94,14 +97,14 @@ full_search:
681 * Start a new search - just in case we missed
682 * some holes.
683 */
684 - if (start_addr != TASK_UNMAPPED_BASE) {
685 - start_addr = addr = TASK_UNMAPPED_BASE;
686 + if (start_addr != mm->mmap_base) {
687 + start_addr = addr = mm->mmap_base;
688 mm->cached_hole_size = 0;
689 goto full_search;
690 }
691 return -ENOMEM;
692 }
693 - if (!vma || addr + len <= vma->vm_start) {
694 + if (check_heap_stack_gap(vma, addr, len)) {
695 /*
696 * Remember the place where we stopped the search:
697 */
698 diff -urNp linux-2.6.32.49/arch/arm/plat-s3c/pm.c linux-2.6.32.49/arch/arm/plat-s3c/pm.c
699 --- linux-2.6.32.49/arch/arm/plat-s3c/pm.c 2011-11-08 19:02:43.000000000 -0500
700 +++ linux-2.6.32.49/arch/arm/plat-s3c/pm.c 2011-11-15 19:59:42.000000000 -0500
701 @@ -355,7 +355,7 @@ static void s3c_pm_finish(void)
702 s3c_pm_check_cleanup();
703 }
704
705 -static struct platform_suspend_ops s3c_pm_ops = {
706 +static const struct platform_suspend_ops s3c_pm_ops = {
707 .enter = s3c_pm_enter,
708 .prepare = s3c_pm_prepare,
709 .finish = s3c_pm_finish,
710 diff -urNp linux-2.6.32.49/arch/avr32/include/asm/elf.h linux-2.6.32.49/arch/avr32/include/asm/elf.h
711 --- linux-2.6.32.49/arch/avr32/include/asm/elf.h 2011-11-08 19:02:43.000000000 -0500
712 +++ linux-2.6.32.49/arch/avr32/include/asm/elf.h 2011-11-15 19:59:42.000000000 -0500
713 @@ -85,8 +85,14 @@ typedef struct user_fpu_struct elf_fpreg
714 the loader. We need to make sure that it is out of the way of the program
715 that it will "exec", and that there is sufficient room for the brk. */
716
717 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
718 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
719
720 +#ifdef CONFIG_PAX_ASLR
721 +#define PAX_ELF_ET_DYN_BASE 0x00001000UL
722 +
723 +#define PAX_DELTA_MMAP_LEN 15
724 +#define PAX_DELTA_STACK_LEN 15
725 +#endif
726
727 /* This yields a mask that user programs can use to figure out what
728 instruction set this CPU supports. This could be done in user space,
729 diff -urNp linux-2.6.32.49/arch/avr32/include/asm/kmap_types.h linux-2.6.32.49/arch/avr32/include/asm/kmap_types.h
730 --- linux-2.6.32.49/arch/avr32/include/asm/kmap_types.h 2011-11-08 19:02:43.000000000 -0500
731 +++ linux-2.6.32.49/arch/avr32/include/asm/kmap_types.h 2011-11-15 19:59:42.000000000 -0500
732 @@ -22,7 +22,8 @@ D(10) KM_IRQ0,
733 D(11) KM_IRQ1,
734 D(12) KM_SOFTIRQ0,
735 D(13) KM_SOFTIRQ1,
736 -D(14) KM_TYPE_NR
737 +D(14) KM_CLEARPAGE,
738 +D(15) KM_TYPE_NR
739 };
740
741 #undef D
742 diff -urNp linux-2.6.32.49/arch/avr32/mach-at32ap/pm.c linux-2.6.32.49/arch/avr32/mach-at32ap/pm.c
743 --- linux-2.6.32.49/arch/avr32/mach-at32ap/pm.c 2011-11-08 19:02:43.000000000 -0500
744 +++ linux-2.6.32.49/arch/avr32/mach-at32ap/pm.c 2011-11-15 19:59:42.000000000 -0500
745 @@ -176,7 +176,7 @@ out:
746 return 0;
747 }
748
749 -static struct platform_suspend_ops avr32_pm_ops = {
750 +static const struct platform_suspend_ops avr32_pm_ops = {
751 .valid = avr32_pm_valid_state,
752 .enter = avr32_pm_enter,
753 };
754 diff -urNp linux-2.6.32.49/arch/avr32/mm/fault.c linux-2.6.32.49/arch/avr32/mm/fault.c
755 --- linux-2.6.32.49/arch/avr32/mm/fault.c 2011-11-08 19:02:43.000000000 -0500
756 +++ linux-2.6.32.49/arch/avr32/mm/fault.c 2011-11-18 18:01:52.000000000 -0500
757 @@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
758
759 int exception_trace = 1;
760
761 +#ifdef CONFIG_PAX_PAGEEXEC
762 +void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
763 +{
764 + unsigned long i;
765 +
766 + printk(KERN_ERR "PAX: bytes at PC: ");
767 + for (i = 0; i < 20; i++) {
768 + unsigned char c;
769 + if (get_user(c, (unsigned char *)pc+i))
770 + printk(KERN_CONT "???????? ");
771 + else
772 + printk(KERN_CONT "%02x ", c);
773 + }
774 + printk("\n");
775 +}
776 +#endif
777 +
778 /*
779 * This routine handles page faults. It determines the address and the
780 * problem, and then passes it off to one of the appropriate routines.
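Review bot: In the avr32 pax_report_insns the loop reads one `unsigned char` per iteration and prints it with `"%02x "`, but the failure placeholder is the eight-character `"???????? "`. An unreadable byte therefore throws off the column layout of the log line; the ARM version of the same function uses `"?? "`. I would change it to `printk(KERN_CONT "?? ");`. The `get_user` pointer cast `(unsigned char *)pc+i` also lacks the `__force ... __user` annotation that the ARM version carries.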
781 @@ -157,6 +174,16 @@ bad_area:
782 up_read(&mm->mmap_sem);
783
784 if (user_mode(regs)) {
785 +
786 +#ifdef CONFIG_PAX_PAGEEXEC
787 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
788 + if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
789 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
790 + do_group_exit(SIGKILL);
791 + }
792 + }
793 +#endif
794 +
795 if (exception_trace && printk_ratelimit())
796 printk("%s%s[%d]: segfault at %08lx pc %08lx "
797 "sp %08lx ecr %lu\n",
798 diff -urNp linux-2.6.32.49/arch/blackfin/kernel/kgdb.c linux-2.6.32.49/arch/blackfin/kernel/kgdb.c
799 --- linux-2.6.32.49/arch/blackfin/kernel/kgdb.c 2011-11-08 19:02:43.000000000 -0500
800 +++ linux-2.6.32.49/arch/blackfin/kernel/kgdb.c 2011-11-15 19:59:42.000000000 -0500
801 @@ -428,7 +428,7 @@ int kgdb_arch_handle_exception(int vecto
802 return -1; /* this means that we do not want to exit from the handler */
803 }
804
805 -struct kgdb_arch arch_kgdb_ops = {
806 +const struct kgdb_arch arch_kgdb_ops = {
807 .gdb_bpt_instr = {0xa1},
808 #ifdef CONFIG_SMP
809 .flags = KGDB_HW_BREAKPOINT|KGDB_THR_PROC_SWAP,
810 diff -urNp linux-2.6.32.49/arch/blackfin/mach-common/pm.c linux-2.6.32.49/arch/blackfin/mach-common/pm.c
811 --- linux-2.6.32.49/arch/blackfin/mach-common/pm.c 2011-11-08 19:02:43.000000000 -0500
812 +++ linux-2.6.32.49/arch/blackfin/mach-common/pm.c 2011-11-15 19:59:42.000000000 -0500
813 @@ -255,7 +255,7 @@ static int bfin_pm_enter(suspend_state_t
814 return 0;
815 }
816
817 -struct platform_suspend_ops bfin_pm_ops = {
818 +const struct platform_suspend_ops bfin_pm_ops = {
819 .enter = bfin_pm_enter,
820 .valid = bfin_pm_valid,
821 };
822 diff -urNp linux-2.6.32.49/arch/frv/include/asm/kmap_types.h linux-2.6.32.49/arch/frv/include/asm/kmap_types.h
823 --- linux-2.6.32.49/arch/frv/include/asm/kmap_types.h 2011-11-08 19:02:43.000000000 -0500
824 +++ linux-2.6.32.49/arch/frv/include/asm/kmap_types.h 2011-11-15 19:59:42.000000000 -0500
825 @@ -23,6 +23,7 @@ enum km_type {
826 KM_IRQ1,
827 KM_SOFTIRQ0,
828 KM_SOFTIRQ1,
829 + KM_CLEARPAGE,
830 KM_TYPE_NR
831 };
832
833 diff -urNp linux-2.6.32.49/arch/frv/mm/elf-fdpic.c linux-2.6.32.49/arch/frv/mm/elf-fdpic.c
834 --- linux-2.6.32.49/arch/frv/mm/elf-fdpic.c 2011-11-08 19:02:43.000000000 -0500
835 +++ linux-2.6.32.49/arch/frv/mm/elf-fdpic.c 2011-11-15 19:59:42.000000000 -0500
836 @@ -73,8 +73,7 @@ unsigned long arch_get_unmapped_area(str
837 if (addr) {
838 addr = PAGE_ALIGN(addr);
839 vma = find_vma(current->mm, addr);
840 - if (TASK_SIZE - len >= addr &&
841 - (!vma || addr + len <= vma->vm_start))
842 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
843 goto success;
844 }
845
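Review bot: The explicit `!vma` test is removed here, so `check_heap_stack_gap()` must itself return true for a NULL `vma`; `find_vma()` can return NULL at this call site. The helper is defined outside this hunk, so that contract cannot be confirmed from here. The same substitution in arch/ia64/kernel/sys_ia64.c and arch/ia64/mm/hugetlbpage.c is more sensitive, because those loops advance with `vma->vm_next` / `vmm->vm_end` right after the call and would dereference NULL if the helper returned false. I would state the contract at the helper, e.g. `/* vma may be NULL: no mapping above addr, always a fit */`. `arch_get_unmapped_area` starts and ends outside the hunk.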
846 @@ -89,7 +88,7 @@ unsigned long arch_get_unmapped_area(str
847 for (; vma; vma = vma->vm_next) {
848 if (addr > limit)
849 break;
850 - if (addr + len <= vma->vm_start)
851 + if (check_heap_stack_gap(vma, addr, len))
852 goto success;
853 addr = vma->vm_end;
854 }
855 @@ -104,7 +103,7 @@ unsigned long arch_get_unmapped_area(str
856 for (; vma; vma = vma->vm_next) {
857 if (addr > limit)
858 break;
859 - if (addr + len <= vma->vm_start)
860 + if (check_heap_stack_gap(vma, addr, len))
861 goto success;
862 addr = vma->vm_end;
863 }
864 diff -urNp linux-2.6.32.49/arch/ia64/hp/common/hwsw_iommu.c linux-2.6.32.49/arch/ia64/hp/common/hwsw_iommu.c
865 --- linux-2.6.32.49/arch/ia64/hp/common/hwsw_iommu.c 2011-11-08 19:02:43.000000000 -0500
866 +++ linux-2.6.32.49/arch/ia64/hp/common/hwsw_iommu.c 2011-11-15 19:59:42.000000000 -0500
867 @@ -17,7 +17,7 @@
868 #include <linux/swiotlb.h>
869 #include <asm/machvec.h>
870
871 -extern struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
872 +extern const struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
873
874 /* swiotlb declarations & definitions: */
875 extern int swiotlb_late_init_with_default_size (size_t size);
876 @@ -33,7 +33,7 @@ static inline int use_swiotlb(struct dev
877 !sba_dma_ops.dma_supported(dev, *dev->dma_mask);
878 }
879
880 -struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
881 +const struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
882 {
883 if (use_swiotlb(dev))
884 return &swiotlb_dma_ops;
885 diff -urNp linux-2.6.32.49/arch/ia64/hp/common/sba_iommu.c linux-2.6.32.49/arch/ia64/hp/common/sba_iommu.c
886 --- linux-2.6.32.49/arch/ia64/hp/common/sba_iommu.c 2011-11-08 19:02:43.000000000 -0500
887 +++ linux-2.6.32.49/arch/ia64/hp/common/sba_iommu.c 2011-11-15 19:59:42.000000000 -0500
888 @@ -2097,7 +2097,7 @@ static struct acpi_driver acpi_sba_ioc_d
889 },
890 };
891
892 -extern struct dma_map_ops swiotlb_dma_ops;
893 +extern const struct dma_map_ops swiotlb_dma_ops;
894
895 static int __init
896 sba_init(void)
897 @@ -2211,7 +2211,7 @@ sba_page_override(char *str)
898
899 __setup("sbapagesize=",sba_page_override);
900
901 -struct dma_map_ops sba_dma_ops = {
902 +const struct dma_map_ops sba_dma_ops = {
903 .alloc_coherent = sba_alloc_coherent,
904 .free_coherent = sba_free_coherent,
905 .map_page = sba_map_page,
906 diff -urNp linux-2.6.32.49/arch/ia64/ia32/binfmt_elf32.c linux-2.6.32.49/arch/ia64/ia32/binfmt_elf32.c
907 --- linux-2.6.32.49/arch/ia64/ia32/binfmt_elf32.c 2011-11-08 19:02:43.000000000 -0500
908 +++ linux-2.6.32.49/arch/ia64/ia32/binfmt_elf32.c 2011-11-15 19:59:42.000000000 -0500
909 @@ -45,6 +45,13 @@ randomize_stack_top(unsigned long stack_
910
911 #define elf_read_implies_exec(ex, have_pt_gnu_stack) (!(have_pt_gnu_stack))
912
913 +#ifdef CONFIG_PAX_ASLR
914 +#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
915 +
916 +#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
917 +#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
918 +#endif
919 +
920 /* Ugly but avoids duplication */
921 #include "../../../fs/binfmt_elf.c"
922
923 diff -urNp linux-2.6.32.49/arch/ia64/ia32/ia32priv.h linux-2.6.32.49/arch/ia64/ia32/ia32priv.h
924 --- linux-2.6.32.49/arch/ia64/ia32/ia32priv.h 2011-11-08 19:02:43.000000000 -0500
925 +++ linux-2.6.32.49/arch/ia64/ia32/ia32priv.h 2011-11-15 19:59:42.000000000 -0500
926 @@ -296,7 +296,14 @@ typedef struct compat_siginfo {
927 #define ELF_DATA ELFDATA2LSB
928 #define ELF_ARCH EM_386
929
930 -#define IA32_STACK_TOP IA32_PAGE_OFFSET
931 +#ifdef CONFIG_PAX_RANDUSTACK
932 +#define __IA32_DELTA_STACK (current->mm->delta_stack)
933 +#else
934 +#define __IA32_DELTA_STACK 0UL
935 +#endif
936 +
937 +#define IA32_STACK_TOP (IA32_PAGE_OFFSET - __IA32_DELTA_STACK)
938 +
939 #define IA32_GATE_OFFSET IA32_PAGE_OFFSET
940 #define IA32_GATE_END IA32_PAGE_OFFSET + PAGE_SIZE
941
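Review bot: `IA32_STACK_TOP` stops being a compile-time constant here and now dereferences `current->mm` on every use when CONFIG_PAX_RANDUSTACK is set. Its users are not visible in this hunk, so it is worth checking that none of them runs where `current->mm` can be NULL or needs a constant expression. A comment at the definition would make the new precondition explicit, e.g. `/* runtime value: reads current->mm->delta_stack, process context with a valid mm only */`.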
942 diff -urNp linux-2.6.32.49/arch/ia64/include/asm/dma-mapping.h linux-2.6.32.49/arch/ia64/include/asm/dma-mapping.h
943 --- linux-2.6.32.49/arch/ia64/include/asm/dma-mapping.h 2011-11-08 19:02:43.000000000 -0500
944 +++ linux-2.6.32.49/arch/ia64/include/asm/dma-mapping.h 2011-11-15 19:59:42.000000000 -0500
945 @@ -12,7 +12,7 @@
946
947 #define ARCH_HAS_DMA_GET_REQUIRED_MASK
948
949 -extern struct dma_map_ops *dma_ops;
950 +extern const struct dma_map_ops *dma_ops;
951 extern struct ia64_machine_vector ia64_mv;
952 extern void set_iommu_machvec(void);
953
954 @@ -24,7 +24,7 @@ extern void machvec_dma_sync_sg(struct d
955 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
956 dma_addr_t *daddr, gfp_t gfp)
957 {
958 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
959 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
960 void *caddr;
961
962 caddr = ops->alloc_coherent(dev, size, daddr, gfp);
963 @@ -35,7 +35,7 @@ static inline void *dma_alloc_coherent(s
964 static inline void dma_free_coherent(struct device *dev, size_t size,
965 void *caddr, dma_addr_t daddr)
966 {
967 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
968 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
969 debug_dma_free_coherent(dev, size, caddr, daddr);
970 ops->free_coherent(dev, size, caddr, daddr);
971 }
972 @@ -49,13 +49,13 @@ static inline void dma_free_coherent(str
973
974 static inline int dma_mapping_error(struct device *dev, dma_addr_t daddr)
975 {
976 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
977 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
978 return ops->mapping_error(dev, daddr);
979 }
980
981 static inline int dma_supported(struct device *dev, u64 mask)
982 {
983 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
984 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
985 return ops->dma_supported(dev, mask);
986 }
987
988 diff -urNp linux-2.6.32.49/arch/ia64/include/asm/elf.h linux-2.6.32.49/arch/ia64/include/asm/elf.h
989 --- linux-2.6.32.49/arch/ia64/include/asm/elf.h 2011-11-08 19:02:43.000000000 -0500
990 +++ linux-2.6.32.49/arch/ia64/include/asm/elf.h 2011-11-15 19:59:42.000000000 -0500
991 @@ -43,6 +43,13 @@
992 */
993 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
994
995 +#ifdef CONFIG_PAX_ASLR
996 +#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
997 +
998 +#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
999 +#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
1000 +#endif
1001 +
1002 #define PT_IA_64_UNWIND 0x70000001
1003
1004 /* IA-64 relocations: */
1005 diff -urNp linux-2.6.32.49/arch/ia64/include/asm/machvec.h linux-2.6.32.49/arch/ia64/include/asm/machvec.h
1006 --- linux-2.6.32.49/arch/ia64/include/asm/machvec.h 2011-11-08 19:02:43.000000000 -0500
1007 +++ linux-2.6.32.49/arch/ia64/include/asm/machvec.h 2011-11-15 19:59:42.000000000 -0500
1008 @@ -45,7 +45,7 @@ typedef void ia64_mv_kernel_launch_event
1009 /* DMA-mapping interface: */
1010 typedef void ia64_mv_dma_init (void);
1011 typedef u64 ia64_mv_dma_get_required_mask (struct device *);
1012 -typedef struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
1013 +typedef const struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
1014
1015 /*
1016 * WARNING: The legacy I/O space is _architected_. Platforms are
1017 @@ -251,7 +251,7 @@ extern void machvec_init_from_cmdline(co
1018 # endif /* CONFIG_IA64_GENERIC */
1019
1020 extern void swiotlb_dma_init(void);
1021 -extern struct dma_map_ops *dma_get_ops(struct device *);
1022 +extern const struct dma_map_ops *dma_get_ops(struct device *);
1023
1024 /*
1025 * Define default versions so we can extend machvec for new platforms without having
1026 diff -urNp linux-2.6.32.49/arch/ia64/include/asm/pgtable.h linux-2.6.32.49/arch/ia64/include/asm/pgtable.h
1027 --- linux-2.6.32.49/arch/ia64/include/asm/pgtable.h 2011-11-08 19:02:43.000000000 -0500
1028 +++ linux-2.6.32.49/arch/ia64/include/asm/pgtable.h 2011-11-15 19:59:42.000000000 -0500
1029 @@ -12,7 +12,7 @@
1030 * David Mosberger-Tang <davidm@hpl.hp.com>
1031 */
1032
1033 -
1034 +#include <linux/const.h>
1035 #include <asm/mman.h>
1036 #include <asm/page.h>
1037 #include <asm/processor.h>
1038 @@ -143,6 +143,17 @@
1039 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1040 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1041 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
1042 +
1043 +#ifdef CONFIG_PAX_PAGEEXEC
1044 +# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
1045 +# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1046 +# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1047 +#else
1048 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
1049 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
1050 +# define PAGE_COPY_NOEXEC PAGE_COPY
1051 +#endif
1052 +
1053 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
1054 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
1055 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
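Review bot: In the CONFIG_PAX_PAGEEXEC arm, `PAGE_READONLY_NOEXEC` and `PAGE_COPY_NOEXEC` expand to exactly the bits of `PAGE_READONLY` and `PAGE_COPY` in the context lines just above (`__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R`). For those two, both arms of the `#ifdef` therefore give the same value; only `PAGE_SHARED_NOEXEC` can differ, and `PAGE_SHARED` is not shown in the hunk. Defining the two aliases once outside the conditional would avoid the duplication, or a comment such as `/* _PAGE_AR_R already carries no execute right; spelled out for symmetry with other arches */` would explain it.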
1056 diff -urNp linux-2.6.32.49/arch/ia64/include/asm/spinlock.h linux-2.6.32.49/arch/ia64/include/asm/spinlock.h
1057 --- linux-2.6.32.49/arch/ia64/include/asm/spinlock.h 2011-11-08 19:02:43.000000000 -0500
1058 +++ linux-2.6.32.49/arch/ia64/include/asm/spinlock.h 2011-11-15 19:59:42.000000000 -0500
1059 @@ -72,7 +72,7 @@ static __always_inline void __ticket_spi
1060 unsigned short *p = (unsigned short *)&lock->lock + 1, tmp;
1061
1062 asm volatile ("ld2.bias %0=[%1]" : "=r"(tmp) : "r"(p));
1063 - ACCESS_ONCE(*p) = (tmp + 2) & ~1;
1064 + ACCESS_ONCE_RW(*p) = (tmp + 2) & ~1;
1065 }
1066
1067 static __always_inline void __ticket_spin_unlock_wait(raw_spinlock_t *lock)
1068 diff -urNp linux-2.6.32.49/arch/ia64/include/asm/uaccess.h linux-2.6.32.49/arch/ia64/include/asm/uaccess.h
1069 --- linux-2.6.32.49/arch/ia64/include/asm/uaccess.h 2011-11-08 19:02:43.000000000 -0500
1070 +++ linux-2.6.32.49/arch/ia64/include/asm/uaccess.h 2011-11-15 19:59:42.000000000 -0500
1071 @@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _
1072 const void *__cu_from = (from); \
1073 long __cu_len = (n); \
1074 \
1075 - if (__access_ok(__cu_to, __cu_len, get_fs())) \
1076 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) \
1077 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
1078 __cu_len; \
1079 })
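Review bot: The new `__cu_len > 0 && __cu_len <= INT_MAX` guard is undocumented, and a rejected length is returned unchanged as the macro's result, so a negative `n` comes back as a negative "bytes not copied" count. The next hunk adds the same guard on the copy-from-user side, where a rejected request also leaves the destination buffer unwritten. Callers that only test for non-zero are fine, but any that do arithmetic on the result are worth checking. I would add a comment above each macro, e.g. `/* lengths <= 0 or > INT_MAX are rejected before access_ok(); the original length is returned as uncopied */`. Both macro bodies start outside their hunks.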
1080 @@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _
1081 long __cu_len = (n); \
1082 \
1083 __chk_user_ptr(__cu_from); \
1084 - if (__access_ok(__cu_from, __cu_len, get_fs())) \
1085 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) \
1086 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
1087 __cu_len; \
1088 })
1089 diff -urNp linux-2.6.32.49/arch/ia64/kernel/dma-mapping.c linux-2.6.32.49/arch/ia64/kernel/dma-mapping.c
1090 --- linux-2.6.32.49/arch/ia64/kernel/dma-mapping.c 2011-11-08 19:02:43.000000000 -0500
1091 +++ linux-2.6.32.49/arch/ia64/kernel/dma-mapping.c 2011-11-15 19:59:42.000000000 -0500
1092 @@ -3,7 +3,7 @@
1093 /* Set this to 1 if there is a HW IOMMU in the system */
1094 int iommu_detected __read_mostly;
1095
1096 -struct dma_map_ops *dma_ops;
1097 +const struct dma_map_ops *dma_ops;
1098 EXPORT_SYMBOL(dma_ops);
1099
1100 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
1101 @@ -16,7 +16,7 @@ static int __init dma_init(void)
1102 }
1103 fs_initcall(dma_init);
1104
1105 -struct dma_map_ops *dma_get_ops(struct device *dev)
1106 +const struct dma_map_ops *dma_get_ops(struct device *dev)
1107 {
1108 return dma_ops;
1109 }
1110 diff -urNp linux-2.6.32.49/arch/ia64/kernel/module.c linux-2.6.32.49/arch/ia64/kernel/module.c
1111 --- linux-2.6.32.49/arch/ia64/kernel/module.c 2011-11-08 19:02:43.000000000 -0500
1112 +++ linux-2.6.32.49/arch/ia64/kernel/module.c 2011-11-15 19:59:42.000000000 -0500
1113 @@ -315,8 +315,7 @@ module_alloc (unsigned long size)
1114 void
1115 module_free (struct module *mod, void *module_region)
1116 {
1117 - if (mod && mod->arch.init_unw_table &&
1118 - module_region == mod->module_init) {
1119 + if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
1120 unw_remove_unwind_table(mod->arch.init_unw_table);
1121 mod->arch.init_unw_table = NULL;
1122 }
1123 @@ -502,15 +501,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
1124 }
1125
1126 static inline int
1127 +in_init_rx (const struct module *mod, uint64_t addr)
1128 +{
1129 + return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
1130 +}
1131 +
1132 +static inline int
1133 +in_init_rw (const struct module *mod, uint64_t addr)
1134 +{
1135 + return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
1136 +}
1137 +
1138 +static inline int
1139 in_init (const struct module *mod, uint64_t addr)
1140 {
1141 - return addr - (uint64_t) mod->module_init < mod->init_size;
1142 + return in_init_rx(mod, addr) || in_init_rw(mod, addr);
1143 +}
1144 +
1145 +static inline int
1146 +in_core_rx (const struct module *mod, uint64_t addr)
1147 +{
1148 + return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
1149 +}
1150 +
1151 +static inline int
1152 +in_core_rw (const struct module *mod, uint64_t addr)
1153 +{
1154 + return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
1155 }
1156
1157 static inline int
1158 in_core (const struct module *mod, uint64_t addr)
1159 {
1160 - return addr - (uint64_t) mod->module_core < mod->core_size;
1161 + return in_core_rx(mod, addr) || in_core_rw(mod, addr);
1162 }
1163
1164 static inline int
1165 @@ -693,7 +716,14 @@ do_reloc (struct module *mod, uint8_t r_
1166 break;
1167
1168 case RV_BDREL:
1169 - val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
1170 + if (in_init_rx(mod, val))
1171 + val -= (uint64_t) mod->module_init_rx;
1172 + else if (in_init_rw(mod, val))
1173 + val -= (uint64_t) mod->module_init_rw;
1174 + else if (in_core_rx(mod, val))
1175 + val -= (uint64_t) mod->module_core_rx;
1176 + else if (in_core_rw(mod, val))
1177 + val -= (uint64_t) mod->module_core_rw;
1178 break;
1179
1180 case RV_LTV:
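Review bot: The new `RV_BDREL` chain has no final `else`, so a `val` that lies in none of the four regions is left unadjusted and the relocation carries on silently. The removed line always subtracted a base, falling back to `mod->module_core`. A closing branch that reports the condition would make a bad relocation visible, e.g. `else printk(KERN_ERR "%s: BDREL target 0x%lx outside module\n", mod->name, val);`, ideally also failing the relocation in whatever way `do_reloc` reports errors. That convention is outside the hunk, as are the start and end of `do_reloc`.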
1181 @@ -828,15 +858,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
1182 * addresses have been selected...
1183 */
1184 uint64_t gp;
1185 - if (mod->core_size > MAX_LTOFF)
1186 + if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
1187 /*
1188 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
1189 * at the end of the module.
1190 */
1191 - gp = mod->core_size - MAX_LTOFF / 2;
1192 + gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
1193 else
1194 - gp = mod->core_size / 2;
1195 - gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
1196 + gp = (mod->core_size_rx + mod->core_size_rw) / 2;
1197 + gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
1198 mod->arch.gp = gp;
1199 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
1200 }
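Review bot: `gp` is now an offset within the combined size `core_size_rx + core_size_rw` but is added to the base `module_core_rx`. That is only a valid address if the RW region directly follows the RX region in the address space. If the two are separate allocations (not visible from this hunk), `gp` can land beyond the end of the RX mapping, and the existing comment about SHF_ARCH_SMALL being at the end of the module no longer describes the layout. I would record the assumption next to the computation, e.g. `/* assumes module_core_rw == module_core_rx + core_size_rx */`, or compute `gp` from the region that actually holds the small-data sections.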
1201 diff -urNp linux-2.6.32.49/arch/ia64/kernel/pci-dma.c linux-2.6.32.49/arch/ia64/kernel/pci-dma.c
1202 --- linux-2.6.32.49/arch/ia64/kernel/pci-dma.c 2011-11-08 19:02:43.000000000 -0500
1203 +++ linux-2.6.32.49/arch/ia64/kernel/pci-dma.c 2011-11-15 19:59:42.000000000 -0500
1204 @@ -43,7 +43,7 @@ struct device fallback_dev = {
1205 .dma_mask = &fallback_dev.coherent_dma_mask,
1206 };
1207
1208 -extern struct dma_map_ops intel_dma_ops;
1209 +extern const struct dma_map_ops intel_dma_ops;
1210
1211 static int __init pci_iommu_init(void)
1212 {
1213 @@ -96,15 +96,34 @@ int iommu_dma_supported(struct device *d
1214 }
1215 EXPORT_SYMBOL(iommu_dma_supported);
1216
1217 +extern void *intel_alloc_coherent(struct device *hwdev, size_t size, dma_addr_t *dma_handle, gfp_t flags);
1218 +extern void intel_free_coherent(struct device *hwdev, size_t size, void *vaddr, dma_addr_t dma_handle);
1219 +extern int intel_map_sg(struct device *hwdev, struct scatterlist *sglist, int nelems, enum dma_data_direction dir, struct dma_attrs *attrs);
1220 +extern void intel_unmap_sg(struct device *hwdev, struct scatterlist *sglist, int nelems, enum dma_data_direction dir, struct dma_attrs *attrs);
1221 +extern dma_addr_t intel_map_page(struct device *dev, struct page *page, unsigned long offset, size_t size, enum dma_data_direction dir, struct dma_attrs *attrs);
1222 +extern void intel_unmap_page(struct device *dev, dma_addr_t dev_addr, size_t size, enum dma_data_direction dir, struct dma_attrs *attrs);
1223 +extern int intel_mapping_error(struct device *dev, dma_addr_t dma_addr);
1224 +
1225 +static const struct dma_map_ops intel_iommu_dma_ops = {
1226 + /* from drivers/pci/intel-iommu.c:intel_dma_ops */
1227 + .alloc_coherent = intel_alloc_coherent,
1228 + .free_coherent = intel_free_coherent,
1229 + .map_sg = intel_map_sg,
1230 + .unmap_sg = intel_unmap_sg,
1231 + .map_page = intel_map_page,
1232 + .unmap_page = intel_unmap_page,
1233 + .mapping_error = intel_mapping_error,
1234 +
1235 + .sync_single_for_cpu = machvec_dma_sync_single,
1236 + .sync_sg_for_cpu = machvec_dma_sync_sg,
1237 + .sync_single_for_device = machvec_dma_sync_single,
1238 + .sync_sg_for_device = machvec_dma_sync_sg,
1239 + .dma_supported = iommu_dma_supported,
1240 +};
1241 +
1242 void __init pci_iommu_alloc(void)
1243 {
1244 - dma_ops = &intel_dma_ops;
1245 -
1246 - dma_ops->sync_single_for_cpu = machvec_dma_sync_single;
1247 - dma_ops->sync_sg_for_cpu = machvec_dma_sync_sg;
1248 - dma_ops->sync_single_for_device = machvec_dma_sync_single;
1249 - dma_ops->sync_sg_for_device = machvec_dma_sync_sg;
1250 - dma_ops->dma_supported = iommu_dma_supported;
1251 + dma_ops = &intel_iommu_dma_ops;
1252
1253 /*
1254 * The order of these functions is important for
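Review bot: The seven `extern` prototypes for the `intel_*` callbacks are declared locally in this .c file, so the compiler cannot check them against the definitions in drivers/pci/intel-iommu.c. The hand-copied `intel_iommu_dma_ops` table will also silently diverge if `intel_dma_ops` changes. Moving the prototypes into a header that intel-iommu.c also includes would catch signature drift at build time. At minimum the table comment could say `/* keep in sync with intel_dma_ops in drivers/pci/intel-iommu.c */`. After this change the `extern const struct dma_map_ops intel_dma_ops;` declaration in the previous hunk has no use visible in the diff and may be removable.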
1255 diff -urNp linux-2.6.32.49/arch/ia64/kernel/pci-swiotlb.c linux-2.6.32.49/arch/ia64/kernel/pci-swiotlb.c
1256 --- linux-2.6.32.49/arch/ia64/kernel/pci-swiotlb.c 2011-11-08 19:02:43.000000000 -0500
1257 +++ linux-2.6.32.49/arch/ia64/kernel/pci-swiotlb.c 2011-11-15 19:59:42.000000000 -0500
1258 @@ -21,7 +21,7 @@ static void *ia64_swiotlb_alloc_coherent
1259 return swiotlb_alloc_coherent(dev, size, dma_handle, gfp);
1260 }
1261
1262 -struct dma_map_ops swiotlb_dma_ops = {
1263 +const struct dma_map_ops swiotlb_dma_ops = {
1264 .alloc_coherent = ia64_swiotlb_alloc_coherent,
1265 .free_coherent = swiotlb_free_coherent,
1266 .map_page = swiotlb_map_page,
1267 diff -urNp linux-2.6.32.49/arch/ia64/kernel/sys_ia64.c linux-2.6.32.49/arch/ia64/kernel/sys_ia64.c
1268 --- linux-2.6.32.49/arch/ia64/kernel/sys_ia64.c 2011-11-08 19:02:43.000000000 -0500
1269 +++ linux-2.6.32.49/arch/ia64/kernel/sys_ia64.c 2011-11-15 19:59:42.000000000 -0500
1270 @@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
1271 if (REGION_NUMBER(addr) == RGN_HPAGE)
1272 addr = 0;
1273 #endif
1274 +
1275 +#ifdef CONFIG_PAX_RANDMMAP
1276 + if (mm->pax_flags & MF_PAX_RANDMMAP)
1277 + addr = mm->free_area_cache;
1278 + else
1279 +#endif
1280 +
1281 if (!addr)
1282 addr = mm->free_area_cache;
1283
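Review bot: The added `else` hangs across the `#endif` and binds to the pre-existing `if (!addr)` two lines below, which is easy to break when either side is edited. The same behaviour can be written without the dangling branch by keeping only `if (mm->pax_flags & MF_PAX_RANDMMAP)` and `addr = 0;` inside the `#ifdef`, and letting the existing `if (!addr)` pick `mm->free_area_cache`. Note that with RANDMMAP enabled the caller's address hint is discarded unconditionally at this point. Whether an earlier MAP_FIXED path already returned is not visible, since `arch_get_unmapped_area` starts outside the hunk.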
1284 @@ -61,14 +68,14 @@ arch_get_unmapped_area (struct file *fil
1285 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
1286 /* At this point: (!vma || addr < vma->vm_end). */
1287 if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
1288 - if (start_addr != TASK_UNMAPPED_BASE) {
1289 + if (start_addr != mm->mmap_base) {
1290 /* Start a new search --- just in case we missed some holes. */
1291 - addr = TASK_UNMAPPED_BASE;
1292 + addr = mm->mmap_base;
1293 goto full_search;
1294 }
1295 return -ENOMEM;
1296 }
1297 - if (!vma || addr + len <= vma->vm_start) {
1298 + if (check_heap_stack_gap(vma, addr, len)) {
1299 /* Remember the address where we stopped this search: */
1300 mm->free_area_cache = addr + len;
1301 return addr;
1302 diff -urNp linux-2.6.32.49/arch/ia64/kernel/topology.c linux-2.6.32.49/arch/ia64/kernel/topology.c
1303 --- linux-2.6.32.49/arch/ia64/kernel/topology.c 2011-11-08 19:02:43.000000000 -0500
1304 +++ linux-2.6.32.49/arch/ia64/kernel/topology.c 2011-11-15 19:59:42.000000000 -0500
1305 @@ -282,7 +282,7 @@ static ssize_t cache_show(struct kobject
1306 return ret;
1307 }
1308
1309 -static struct sysfs_ops cache_sysfs_ops = {
1310 +static const struct sysfs_ops cache_sysfs_ops = {
1311 .show = cache_show
1312 };
1313
1314 diff -urNp linux-2.6.32.49/arch/ia64/kernel/vmlinux.lds.S linux-2.6.32.49/arch/ia64/kernel/vmlinux.lds.S
1315 --- linux-2.6.32.49/arch/ia64/kernel/vmlinux.lds.S 2011-11-08 19:02:43.000000000 -0500
1316 +++ linux-2.6.32.49/arch/ia64/kernel/vmlinux.lds.S 2011-11-15 19:59:42.000000000 -0500
1317 @@ -190,7 +190,7 @@ SECTIONS
1318 /* Per-cpu data: */
1319 . = ALIGN(PERCPU_PAGE_SIZE);
1320 PERCPU_VADDR(PERCPU_ADDR, :percpu)
1321 - __phys_per_cpu_start = __per_cpu_load;
1322 + __phys_per_cpu_start = per_cpu_load;
1323 . = __phys_per_cpu_start + PERCPU_PAGE_SIZE; /* ensure percpu data fits
1324 * into percpu page size
1325 */
1326 diff -urNp linux-2.6.32.49/arch/ia64/mm/fault.c linux-2.6.32.49/arch/ia64/mm/fault.c
1327 --- linux-2.6.32.49/arch/ia64/mm/fault.c 2011-11-08 19:02:43.000000000 -0500
1328 +++ linux-2.6.32.49/arch/ia64/mm/fault.c 2011-11-18 18:01:52.000000000 -0500
1329 @@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned
1330 return pte_present(pte);
1331 }
1332
1333 +#ifdef CONFIG_PAX_PAGEEXEC
1334 +void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
1335 +{
1336 + unsigned long i;
1337 +
1338 + printk(KERN_ERR "PAX: bytes at PC: ");
1339 + for (i = 0; i < 8; i++) {
1340 + unsigned int c;
1341 + if (get_user(c, (unsigned int *)pc+i))
1342 + printk(KERN_CONT "???????? ");
1343 + else
1344 + printk(KERN_CONT "%08x ", c);
1345 + }
1346 + printk("\n");
1347 +}
1348 +#endif
1349 +
1350 void __kprobes
1351 ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
1352 {
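Review bot: In `pax_report_insns` the user address is cast without the `__user` annotation, so sparse will flag the `get_user()` call; `if (get_user(c, (unsigned int __user *)pc + i))` keeps the address-space checking intact. The closing `printk("\n")` also lacks `KERN_CONT`, unlike the other continuation lines, so it can be emitted as a separate default-level record: `printk(KERN_CONT "\n");`. The `regs` and `sp` parameters are unused in this implementation. A one-line comment saying the signature is fixed by the caller (presumably `pax_report_fault`, not shown here) would explain that.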
1353 @@ -145,9 +162,23 @@ ia64_do_page_fault (unsigned long addres
1354 mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
1355 | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
1356
1357 - if ((vma->vm_flags & mask) != mask)
1358 + if ((vma->vm_flags & mask) != mask) {
1359 +
1360 +#ifdef CONFIG_PAX_PAGEEXEC
1361 + if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
1362 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
1363 + goto bad_area;
1364 +
1365 + up_read(&mm->mmap_sem);
1366 + pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
1367 + do_group_exit(SIGKILL);
1368 + }
1369 +#endif
1370 +
1371 goto bad_area;
1372
1373 + }
1374 +
1375 survive:
1376 /*
1377 * If for any reason at all we couldn't handle the fault, make
1378 diff -urNp linux-2.6.32.49/arch/ia64/mm/hugetlbpage.c linux-2.6.32.49/arch/ia64/mm/hugetlbpage.c
1379 --- linux-2.6.32.49/arch/ia64/mm/hugetlbpage.c 2011-11-08 19:02:43.000000000 -0500
1380 +++ linux-2.6.32.49/arch/ia64/mm/hugetlbpage.c 2011-11-15 19:59:42.000000000 -0500
1381 @@ -172,7 +172,7 @@ unsigned long hugetlb_get_unmapped_area(
1382 /* At this point: (!vmm || addr < vmm->vm_end). */
1383 if (REGION_OFFSET(addr) + len > RGN_MAP_LIMIT)
1384 return -ENOMEM;
1385 - if (!vmm || (addr + len) <= vmm->vm_start)
1386 + if (check_heap_stack_gap(vmm, addr, len))
1387 return addr;
1388 addr = ALIGN(vmm->vm_end, HPAGE_SIZE);
1389 }
1390 diff -urNp linux-2.6.32.49/arch/ia64/mm/init.c linux-2.6.32.49/arch/ia64/mm/init.c
1391 --- linux-2.6.32.49/arch/ia64/mm/init.c 2011-11-08 19:02:43.000000000 -0500
1392 +++ linux-2.6.32.49/arch/ia64/mm/init.c 2011-11-15 19:59:42.000000000 -0500
1393 @@ -122,6 +122,19 @@ ia64_init_addr_space (void)
1394 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
1395 vma->vm_end = vma->vm_start + PAGE_SIZE;
1396 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
1397 +
1398 +#ifdef CONFIG_PAX_PAGEEXEC
1399 + if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
1400 + vma->vm_flags &= ~VM_EXEC;
1401 +
1402 +#ifdef CONFIG_PAX_MPROTECT
1403 + if (current->mm->pax_flags & MF_PAX_MPROTECT)
1404 + vma->vm_flags &= ~VM_MAYEXEC;
1405 +#endif
1406 +
1407 + }
1408 +#endif
1409 +
1410 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1411 down_write(&current->mm->mmap_sem);
1412 if (insert_vm_struct(current->mm, vma)) {
1413 diff -urNp linux-2.6.32.49/arch/ia64/sn/pci/pci_dma.c linux-2.6.32.49/arch/ia64/sn/pci/pci_dma.c
1414 --- linux-2.6.32.49/arch/ia64/sn/pci/pci_dma.c 2011-11-08 19:02:43.000000000 -0500
1415 +++ linux-2.6.32.49/arch/ia64/sn/pci/pci_dma.c 2011-11-15 19:59:42.000000000 -0500
1416 @@ -464,7 +464,7 @@ int sn_pci_legacy_write(struct pci_bus *
1417 return ret;
1418 }
1419
1420 -static struct dma_map_ops sn_dma_ops = {
1421 +static const struct dma_map_ops sn_dma_ops = {
1422 .alloc_coherent = sn_dma_alloc_coherent,
1423 .free_coherent = sn_dma_free_coherent,
1424 .map_page = sn_dma_map_page,
1425 diff -urNp linux-2.6.32.49/arch/m32r/lib/usercopy.c linux-2.6.32.49/arch/m32r/lib/usercopy.c
1426 --- linux-2.6.32.49/arch/m32r/lib/usercopy.c 2011-11-08 19:02:43.000000000 -0500
1427 +++ linux-2.6.32.49/arch/m32r/lib/usercopy.c 2011-11-15 19:59:42.000000000 -0500
1428 @@ -14,6 +14,9 @@
1429 unsigned long
1430 __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
1431 {
1432 + if ((long)n < 0)
1433 + return n;
1434 +
1435 prefetch(from);
1436 if (access_ok(VERIFY_WRITE, to, n))
1437 __copy_user(to,from,n);
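Review bot: The new `(long)n < 0` early return has no comment, and in `__generic_copy_from_user` (next hunk) it returns before anything is written to `to`, whereas the normal path goes through `__copy_user_zeroing`. A caller that ignores the return value would then use whatever was already in the destination buffer. Returning `n` is the only sensible result for such a length, but it is worth saying so, e.g. `/* top bit set: treat as a negative length from a signed caller and report all n bytes as uncopied; 'to' is left untouched */`. Both functions end outside their hunks.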
1438 @@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to,
1439 unsigned long
1440 __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
1441 {
1442 + if ((long)n < 0)
1443 + return n;
1444 +
1445 prefetchw(to);
1446 if (access_ok(VERIFY_READ, from, n))
1447 __copy_user_zeroing(to,from,n);
1448 diff -urNp linux-2.6.32.49/arch/mips/alchemy/devboards/pm.c linux-2.6.32.49/arch/mips/alchemy/devboards/pm.c
1449 --- linux-2.6.32.49/arch/mips/alchemy/devboards/pm.c 2011-11-08 19:02:43.000000000 -0500
1450 +++ linux-2.6.32.49/arch/mips/alchemy/devboards/pm.c 2011-11-15 19:59:42.000000000 -0500
1451 @@ -78,7 +78,7 @@ static void db1x_pm_end(void)
1452
1453 }
1454
1455 -static struct platform_suspend_ops db1x_pm_ops = {
1456 +static const struct platform_suspend_ops db1x_pm_ops = {
1457 .valid = suspend_valid_only_mem,
1458 .begin = db1x_pm_begin,
1459 .enter = db1x_pm_enter,
1460 diff -urNp linux-2.6.32.49/arch/mips/include/asm/elf.h linux-2.6.32.49/arch/mips/include/asm/elf.h
1461 --- linux-2.6.32.49/arch/mips/include/asm/elf.h 2011-11-08 19:02:43.000000000 -0500
1462 +++ linux-2.6.32.49/arch/mips/include/asm/elf.h 2011-11-15 19:59:42.000000000 -0500
1463 @@ -368,4 +368,11 @@ extern int dump_task_fpu(struct task_str
1464 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1465 #endif
1466
1467 +#ifdef CONFIG_PAX_ASLR
1468 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1469 +
1470 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1471 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1472 +#endif
1473 +
1474 #endif /* _ASM_ELF_H */
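Review bot: Both arms of the `PAX_ELF_ET_DYN_BASE` conditional are `0x00400000UL`, so the `test_thread_flag(TIF_32BIT_ADDR)` test has no effect. Either the 64-bit base was meant to differ, in which case this is a latent bug, or the macro can simply be `#define PAX_ELF_ET_DYN_BASE 0x00400000UL`. The identical definition is repeated in arch/mips/kernel/binfmt_elfn32.c and binfmt_elfo32.c. The `27-PAGE_SHIFT` and `36-PAGE_SHIFT` entropy widths would also benefit from a short comment on where those bit counts come from.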
1475 diff -urNp linux-2.6.32.49/arch/mips/include/asm/page.h linux-2.6.32.49/arch/mips/include/asm/page.h
1476 --- linux-2.6.32.49/arch/mips/include/asm/page.h 2011-11-08 19:02:43.000000000 -0500
1477 +++ linux-2.6.32.49/arch/mips/include/asm/page.h 2011-11-15 19:59:42.000000000 -0500
1478 @@ -93,7 +93,7 @@ extern void copy_user_highpage(struct pa
1479 #ifdef CONFIG_CPU_MIPS32
1480 typedef struct { unsigned long pte_low, pte_high; } pte_t;
1481 #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
1482 - #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
1483 + #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
1484 #else
1485 typedef struct { unsigned long long pte; } pte_t;
1486 #define pte_val(x) ((x).pte)
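Review bot: Dropping the `(unsigned long long)` cast makes `(x) >> 32` depend on the type of the macro argument. On CONFIG_CPU_MIPS32, where `unsigned long` is 32 bits, a 32-bit argument makes this a shift by the full width of the type, which is undefined behaviour in C. The callers are not visible here, so it cannot be confirmed that every one passes a 64-bit value. If the aim is to surface narrow arguments through a compiler warning, a comment should say so. Otherwise keeping the widening form `((unsigned long long)(x)) >> 32` is the safe choice.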
1487 diff -urNp linux-2.6.32.49/arch/mips/include/asm/reboot.h linux-2.6.32.49/arch/mips/include/asm/reboot.h
1488 --- linux-2.6.32.49/arch/mips/include/asm/reboot.h 2011-11-08 19:02:43.000000000 -0500
1489 +++ linux-2.6.32.49/arch/mips/include/asm/reboot.h 2011-11-15 19:59:42.000000000 -0500
1490 @@ -9,7 +9,7 @@
1491 #ifndef _ASM_REBOOT_H
1492 #define _ASM_REBOOT_H
1493
1494 -extern void (*_machine_restart)(char *command);
1495 -extern void (*_machine_halt)(void);
1496 +extern void (*__noreturn _machine_restart)(char *command);
1497 +extern void (*__noreturn _machine_halt)(void);
1498
1499 #endif /* _ASM_REBOOT_H */
1500 diff -urNp linux-2.6.32.49/arch/mips/include/asm/system.h linux-2.6.32.49/arch/mips/include/asm/system.h
1501 --- linux-2.6.32.49/arch/mips/include/asm/system.h 2011-11-08 19:02:43.000000000 -0500
1502 +++ linux-2.6.32.49/arch/mips/include/asm/system.h 2011-11-15 19:59:42.000000000 -0500
1503 @@ -230,6 +230,6 @@ extern void per_cpu_trap_init(void);
1504 */
1505 #define __ARCH_WANT_UNLOCKED_CTXSW
1506
1507 -extern unsigned long arch_align_stack(unsigned long sp);
1508 +#define arch_align_stack(x) ((x) & ~0xfUL)
1509
1510 #endif /* _ASM_SYSTEM_H */
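Review bot: `arch_align_stack` becomes a pure alignment macro with no `#ifdef`, while the function removed from arch/mips/kernel/process.c further down also subtracted a random sub-page offset unless `ADDR_NO_RANDOMIZE` was set. A kernel built from this tree without the PaX stack randomisation options therefore loses that randomisation with nothing replacing it. Presumably the intent is that CONFIG_PAX_RANDUSTACK covers it, which the visible hunks do not confirm. The macro also hard-codes 16-byte alignment where the old code used `ALMASK`. A comment such as `/* stack randomisation is handled elsewhere; this only aligns to 16 bytes */` would document the dependency.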
1511 diff -urNp linux-2.6.32.49/arch/mips/kernel/binfmt_elfn32.c linux-2.6.32.49/arch/mips/kernel/binfmt_elfn32.c
1512 --- linux-2.6.32.49/arch/mips/kernel/binfmt_elfn32.c 2011-11-08 19:02:43.000000000 -0500
1513 +++ linux-2.6.32.49/arch/mips/kernel/binfmt_elfn32.c 2011-11-15 19:59:42.000000000 -0500
1514 @@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1515 #undef ELF_ET_DYN_BASE
1516 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1517
1518 +#ifdef CONFIG_PAX_ASLR
1519 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1520 +
1521 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1522 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1523 +#endif
1524 +
1525 #include <asm/processor.h>
1526 #include <linux/module.h>
1527 #include <linux/elfcore.h>
1528 diff -urNp linux-2.6.32.49/arch/mips/kernel/binfmt_elfo32.c linux-2.6.32.49/arch/mips/kernel/binfmt_elfo32.c
1529 --- linux-2.6.32.49/arch/mips/kernel/binfmt_elfo32.c 2011-11-08 19:02:43.000000000 -0500
1530 +++ linux-2.6.32.49/arch/mips/kernel/binfmt_elfo32.c 2011-11-15 19:59:42.000000000 -0500
1531 @@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1532 #undef ELF_ET_DYN_BASE
1533 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1534
1535 +#ifdef CONFIG_PAX_ASLR
1536 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1537 +
1538 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1539 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1540 +#endif
1541 +
1542 #include <asm/processor.h>
1543
1544 /*
1545 diff -urNp linux-2.6.32.49/arch/mips/kernel/kgdb.c linux-2.6.32.49/arch/mips/kernel/kgdb.c
1546 --- linux-2.6.32.49/arch/mips/kernel/kgdb.c 2011-11-08 19:02:43.000000000 -0500
1547 +++ linux-2.6.32.49/arch/mips/kernel/kgdb.c 2011-11-15 19:59:42.000000000 -0500
1548 @@ -245,6 +245,7 @@ int kgdb_arch_handle_exception(int vecto
1549 return -1;
1550 }
1551
1552 +/* cannot be const */
1553 struct kgdb_arch arch_kgdb_ops;
1554
1555 /*
1556 diff -urNp linux-2.6.32.49/arch/mips/kernel/process.c linux-2.6.32.49/arch/mips/kernel/process.c
1557 --- linux-2.6.32.49/arch/mips/kernel/process.c 2011-11-08 19:02:43.000000000 -0500
1558 +++ linux-2.6.32.49/arch/mips/kernel/process.c 2011-11-15 19:59:42.000000000 -0500
1559 @@ -470,15 +470,3 @@ unsigned long get_wchan(struct task_stru
1560 out:
1561 return pc;
1562 }
1563 -
1564 -/*
1565 - * Don't forget that the stack pointer must be aligned on a 8 bytes
1566 - * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
1567 - */
1568 -unsigned long arch_align_stack(unsigned long sp)
1569 -{
1570 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
1571 - sp -= get_random_int() & ~PAGE_MASK;
1572 -
1573 - return sp & ALMASK;
1574 -}
1575 diff -urNp linux-2.6.32.49/arch/mips/kernel/reset.c linux-2.6.32.49/arch/mips/kernel/reset.c
1576 --- linux-2.6.32.49/arch/mips/kernel/reset.c 2011-11-08 19:02:43.000000000 -0500
1577 +++ linux-2.6.32.49/arch/mips/kernel/reset.c 2011-11-15 19:59:42.000000000 -0500
1578 @@ -19,8 +19,8 @@
1579 * So handle all using function pointers to machine specific
1580 * functions.
1581 */
1582 -void (*_machine_restart)(char *command);
1583 -void (*_machine_halt)(void);
1584 +void (*__noreturn _machine_restart)(char *command);
1585 +void (*__noreturn _machine_halt)(void);
1586 void (*pm_power_off)(void);
1587
1588 EXPORT_SYMBOL(pm_power_off);
1589 @@ -29,16 +29,19 @@ void machine_restart(char *command)
1590 {
1591 if (_machine_restart)
1592 _machine_restart(command);
1593 + BUG();
1594 }
1595
1596 void machine_halt(void)
1597 {
1598 if (_machine_halt)
1599 _machine_halt();
1600 + BUG();
1601 }
1602
1603 void machine_power_off(void)
1604 {
1605 if (pm_power_off)
1606 pm_power_off();
1607 + BUG();
1608 }
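Review bot: The `BUG()` added to `machine_restart()`, `machine_halt()` and `machine_power_off()` is reached not only when a handler returns but also when the function pointer is NULL, so a board that registers no handler now hits `BUG()` where it used to return to the caller. `pm_power_off` is also left without the `__noreturn` annotation that the first hunk gives `_machine_restart` and `_machine_halt`, yet `machine_power_off()` gets the same `BUG()`. If both effects are intended, a comment on each call such as `/* no handler registered, or handler returned */` would record it. If only a returning handler is meant to be fatal, the `BUG()` belongs inside the `if` body after the call.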
1609 diff -urNp linux-2.6.32.49/arch/mips/kernel/syscall.c linux-2.6.32.49/arch/mips/kernel/syscall.c
1610 --- linux-2.6.32.49/arch/mips/kernel/syscall.c 2011-11-08 19:02:43.000000000 -0500
1611 +++ linux-2.6.32.49/arch/mips/kernel/syscall.c 2011-11-15 19:59:42.000000000 -0500
1612 @@ -102,17 +102,21 @@ unsigned long arch_get_unmapped_area(str
1613 do_color_align = 0;
1614 if (filp || (flags & MAP_SHARED))
1615 do_color_align = 1;
1616 +
1617 +#ifdef CONFIG_PAX_RANDMMAP
1618 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
1619 +#endif
1620 +
1621 if (addr) {
1622 if (do_color_align)
1623 addr = COLOUR_ALIGN(addr, pgoff);
1624 else
1625 addr = PAGE_ALIGN(addr);
1626 vmm = find_vma(current->mm, addr);
1627 - if (task_size - len >= addr &&
1628 - (!vmm || addr + len <= vmm->vm_start))
1629 + if (task_size - len >= addr && check_heap_stack_gap(vmm, addr, len))
1630 return addr;
1631 }
1632 - addr = TASK_UNMAPPED_BASE;
1633 + addr = current->mm->mmap_base;
1634 if (do_color_align)
1635 addr = COLOUR_ALIGN(addr, pgoff);
1636 else
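Review bot: The `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))` added under `#ifdef CONFIG_PAX_RANDMMAP` has no body of its own and governs the following `if (addr) {` block only because nothing but a blank line separates them. A statement inserted between the two later would silently become the guarded statement, so the line needs at least a comment such as `/* RANDMMAP: ignore the caller's address hint */`. `check_heap_stack_gap()` is not defined in this hunk, so whether it still accepts a NULL `vmm` the way the removed `!vmm ||` test did cannot be confirmed from here. The second hunk at -122 depends on that too, since `addr = vmm->vm_end` follows directly when the check fails. `arch_get_unmapped_area()` starts and ends outside both hunks.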
1637 @@ -122,7 +126,7 @@ unsigned long arch_get_unmapped_area(str
1638 /* At this point: (!vmm || addr < vmm->vm_end). */
1639 if (task_size - len < addr)
1640 return -ENOMEM;
1641 - if (!vmm || addr + len <= vmm->vm_start)
1642 + if (check_heap_stack_gap(vmm, addr, len))
1643 return addr;
1644 addr = vmm->vm_end;
1645 if (do_color_align)
1646 diff -urNp linux-2.6.32.49/arch/mips/Makefile linux-2.6.32.49/arch/mips/Makefile
1647 --- linux-2.6.32.49/arch/mips/Makefile 2011-11-08 19:02:43.000000000 -0500
1648 +++ linux-2.6.32.49/arch/mips/Makefile 2011-11-15 19:59:42.000000000 -0500
1649 @@ -51,6 +51,8 @@ endif
1650 cflags-y := -ffunction-sections
1651 cflags-y += $(call cc-option, -mno-check-zero-division)
1652
1653 +cflags-y += -Wno-sign-compare -Wno-extra
1654 +
1655 ifdef CONFIG_32BIT
1656 ld-emul = $(32bit-emul)
1657 vmlinux-32 = vmlinux
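Review bot: `-Wno-sign-compare -Wno-extra` is appended to `cflags-y` for all of arch/mips, which switches off the signed/unsigned comparison warning in the same code where this patch rewrites address and length checks. Unlike the `-mno-check-zero-division` line above it, the flags are not wrapped in `$(call cc-option, ...)`. If only a few objects trigger the warnings, a per-object `CFLAGS_<file>.o` setting would keep the diagnostic active elsewhere. At minimum a comment should say which warnings made the suppression necessary.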
1658 diff -urNp linux-2.6.32.49/arch/mips/mm/fault.c linux-2.6.32.49/arch/mips/mm/fault.c
1659 --- linux-2.6.32.49/arch/mips/mm/fault.c 2011-11-08 19:02:43.000000000 -0500
1660 +++ linux-2.6.32.49/arch/mips/mm/fault.c 2011-11-18 18:01:52.000000000 -0500
1661 @@ -26,6 +26,23 @@
1662 #include <asm/ptrace.h>
1663 #include <asm/highmem.h> /* For VMALLOC_END */
1664
1665 +#ifdef CONFIG_PAX_PAGEEXEC
1666 +void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
1667 +{
1668 + unsigned long i;
1669 +
1670 + printk(KERN_ERR "PAX: bytes at PC: ");
1671 + for (i = 0; i < 5; i++) {
1672 + unsigned int c;
1673 + if (get_user(c, (unsigned int *)pc+i))
1674 + printk(KERN_CONT "???????? ");
1675 + else
1676 + printk(KERN_CONT "%08x ", c);
1677 + }
1678 + printk("\n");
1679 +}
1680 +#endif
1681 +
1682 /*
1683 * This routine handles page faults. It determines the address,
1684 * and the problem, and then passes it off to one of the appropriate
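Review bot: `pax_report_insns()` accepts `regs` and `sp` but uses neither, and the word count `5` is a bare literal. A header comment saying that it prints five 32-bit words starting at `pc`, read with `get_user()`, and prints `????????` for a word that cannot be read would document what the code does. The closing `printk("\n")` has no `KERN_CONT`, unlike the continuation calls in the loop; `printk(KERN_CONT "\n");` would be consistent. The same function body is added again in arch/parisc/mm/fault.c later in this patch, so any change has to be made in both copies.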
1685 diff -urNp linux-2.6.32.49/arch/parisc/include/asm/elf.h linux-2.6.32.49/arch/parisc/include/asm/elf.h
1686 --- linux-2.6.32.49/arch/parisc/include/asm/elf.h 2011-11-08 19:02:43.000000000 -0500
1687 +++ linux-2.6.32.49/arch/parisc/include/asm/elf.h 2011-11-15 19:59:42.000000000 -0500
1688 @@ -343,6 +343,13 @@ struct pt_regs; /* forward declaration..
1689
1690 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
1691
1692 +#ifdef CONFIG_PAX_ASLR
1693 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
1694 +
1695 +#define PAX_DELTA_MMAP_LEN 16
1696 +#define PAX_DELTA_STACK_LEN 16
1697 +#endif
1698 +
1699 /* This yields a mask that user programs can use to figure out what
1700 instruction set this CPU supports. This could be done in user space,
1701 but it's not easy, and we've already done it here. */
1702 diff -urNp linux-2.6.32.49/arch/parisc/include/asm/pgtable.h linux-2.6.32.49/arch/parisc/include/asm/pgtable.h
1703 --- linux-2.6.32.49/arch/parisc/include/asm/pgtable.h 2011-11-08 19:02:43.000000000 -0500
1704 +++ linux-2.6.32.49/arch/parisc/include/asm/pgtable.h 2011-11-15 19:59:42.000000000 -0500
1705 @@ -207,6 +207,17 @@
1706 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
1707 #define PAGE_COPY PAGE_EXECREAD
1708 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
1709 +
1710 +#ifdef CONFIG_PAX_PAGEEXEC
1711 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
1712 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1713 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1714 +#else
1715 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
1716 +# define PAGE_COPY_NOEXEC PAGE_COPY
1717 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
1718 +#endif
1719 +
1720 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
1721 #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
1722 #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
1723 diff -urNp linux-2.6.32.49/arch/parisc/kernel/module.c linux-2.6.32.49/arch/parisc/kernel/module.c
1724 --- linux-2.6.32.49/arch/parisc/kernel/module.c 2011-11-08 19:02:43.000000000 -0500
1725 +++ linux-2.6.32.49/arch/parisc/kernel/module.c 2011-11-15 19:59:42.000000000 -0500
1726 @@ -95,16 +95,38 @@
1727
1728 /* three functions to determine where in the module core
1729 * or init pieces the location is */
1730 +static inline int in_init_rx(struct module *me, void *loc)
1731 +{
1732 + return (loc >= me->module_init_rx &&
1733 + loc < (me->module_init_rx + me->init_size_rx));
1734 +}
1735 +
1736 +static inline int in_init_rw(struct module *me, void *loc)
1737 +{
1738 + return (loc >= me->module_init_rw &&
1739 + loc < (me->module_init_rw + me->init_size_rw));
1740 +}
1741 +
1742 static inline int in_init(struct module *me, void *loc)
1743 {
1744 - return (loc >= me->module_init &&
1745 - loc <= (me->module_init + me->init_size));
1746 + return in_init_rx(me, loc) || in_init_rw(me, loc);
1747 +}
1748 +
1749 +static inline int in_core_rx(struct module *me, void *loc)
1750 +{
1751 + return (loc >= me->module_core_rx &&
1752 + loc < (me->module_core_rx + me->core_size_rx));
1753 +}
1754 +
1755 +static inline int in_core_rw(struct module *me, void *loc)
1756 +{
1757 + return (loc >= me->module_core_rw &&
1758 + loc < (me->module_core_rw + me->core_size_rw));
1759 }
1760
1761 static inline int in_core(struct module *me, void *loc)
1762 {
1763 - return (loc >= me->module_core &&
1764 - loc <= (me->module_core + me->core_size));
1765 + return in_core_rx(me, loc) || in_core_rw(me, loc);
1766 }
1767
1768 static inline int in_local(struct module *me, void *loc)
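Review bot: The context comment `/* three functions to determine where in the module core or init pieces the location is */` no longer matches the code under it, which now has four extra `_rx`/`_rw` helpers. It should say that `in_init()` and `in_core()` test both the RX and the RW region. The new helpers compare with `<` against the region end where the removed code used `<=`, so an address one past the end is no longer treated as inside. That looks like the right bound, but it is a behaviour change that the comment or the commit text should mention. `in_local()` begins on the hunk's last line and continues outside it.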
1769 @@ -364,13 +386,13 @@ int module_frob_arch_sections(CONST Elf_
1770 }
1771
1772 /* align things a bit */
1773 - me->core_size = ALIGN(me->core_size, 16);
1774 - me->arch.got_offset = me->core_size;
1775 - me->core_size += gots * sizeof(struct got_entry);
1776 -
1777 - me->core_size = ALIGN(me->core_size, 16);
1778 - me->arch.fdesc_offset = me->core_size;
1779 - me->core_size += fdescs * sizeof(Elf_Fdesc);
1780 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1781 + me->arch.got_offset = me->core_size_rw;
1782 + me->core_size_rw += gots * sizeof(struct got_entry);
1783 +
1784 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1785 + me->arch.fdesc_offset = me->core_size_rw;
1786 + me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
1787
1788 me->arch.got_max = gots;
1789 me->arch.fdesc_max = fdescs;
1790 @@ -388,7 +410,7 @@ static Elf64_Word get_got(struct module
1791
1792 BUG_ON(value == 0);
1793
1794 - got = me->module_core + me->arch.got_offset;
1795 + got = me->module_core_rw + me->arch.got_offset;
1796 for (i = 0; got[i].addr; i++)
1797 if (got[i].addr == value)
1798 goto out;
1799 @@ -406,7 +428,7 @@ static Elf64_Word get_got(struct module
1800 #ifdef CONFIG_64BIT
1801 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
1802 {
1803 - Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
1804 + Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
1805
1806 if (!value) {
1807 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
1808 @@ -424,7 +446,7 @@ static Elf_Addr get_fdesc(struct module
1809
1810 /* Create new one */
1811 fdesc->addr = value;
1812 - fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1813 + fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1814 return (Elf_Addr)fdesc;
1815 }
1816 #endif /* CONFIG_64BIT */
1817 @@ -848,7 +870,7 @@ register_unwind_table(struct module *me,
1818
1819 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
1820 end = table + sechdrs[me->arch.unwind_section].sh_size;
1821 - gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1822 + gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1823
1824 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
1825 me->arch.unwind_section, table, end, gp);
1826 diff -urNp linux-2.6.32.49/arch/parisc/kernel/sys_parisc.c linux-2.6.32.49/arch/parisc/kernel/sys_parisc.c
1827 --- linux-2.6.32.49/arch/parisc/kernel/sys_parisc.c 2011-11-08 19:02:43.000000000 -0500
1828 +++ linux-2.6.32.49/arch/parisc/kernel/sys_parisc.c 2011-11-15 19:59:42.000000000 -0500
1829 @@ -43,7 +43,7 @@ static unsigned long get_unshared_area(u
1830 /* At this point: (!vma || addr < vma->vm_end). */
1831 if (TASK_SIZE - len < addr)
1832 return -ENOMEM;
1833 - if (!vma || addr + len <= vma->vm_start)
1834 + if (check_heap_stack_gap(vma, addr, len))
1835 return addr;
1836 addr = vma->vm_end;
1837 }
1838 @@ -79,7 +79,7 @@ static unsigned long get_shared_area(str
1839 /* At this point: (!vma || addr < vma->vm_end). */
1840 if (TASK_SIZE - len < addr)
1841 return -ENOMEM;
1842 - if (!vma || addr + len <= vma->vm_start)
1843 + if (check_heap_stack_gap(vma, addr, len))
1844 return addr;
1845 addr = DCACHE_ALIGN(vma->vm_end - offset) + offset;
1846 if (addr < vma->vm_end) /* handle wraparound */
1847 @@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str
1848 if (flags & MAP_FIXED)
1849 return addr;
1850 if (!addr)
1851 - addr = TASK_UNMAPPED_BASE;
1852 + addr = current->mm->mmap_base;
1853
1854 if (filp) {
1855 addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
1856 diff -urNp linux-2.6.32.49/arch/parisc/kernel/traps.c linux-2.6.32.49/arch/parisc/kernel/traps.c
1857 --- linux-2.6.32.49/arch/parisc/kernel/traps.c 2011-11-08 19:02:43.000000000 -0500
1858 +++ linux-2.6.32.49/arch/parisc/kernel/traps.c 2011-11-15 19:59:42.000000000 -0500
1859 @@ -733,9 +733,7 @@ void notrace handle_interruption(int cod
1860
1861 down_read(&current->mm->mmap_sem);
1862 vma = find_vma(current->mm,regs->iaoq[0]);
1863 - if (vma && (regs->iaoq[0] >= vma->vm_start)
1864 - && (vma->vm_flags & VM_EXEC)) {
1865 -
1866 + if (vma && (regs->iaoq[0] >= vma->vm_start)) {
1867 fault_address = regs->iaoq[0];
1868 fault_space = regs->iasq[0];
1869
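Review bot: The `(vma->vm_flags & VM_EXEC)` test is removed from the condition unconditionally, so `handle_interruption()` changes for kernels built without `CONFIG_PAX_PAGEEXEC` as well. Presumably the test goes away so that instruction fetches from non-executable mappings reach the page-fault path that arch/parisc/mm/fault.c extends in this patch. That is an inference, since the hunk carries no comment. A comment above the `if` stating why non-executable VMAs are now accepted would make the intent reviewable. The enclosing function starts and ends outside the hunk.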
1870 diff -urNp linux-2.6.32.49/arch/parisc/mm/fault.c linux-2.6.32.49/arch/parisc/mm/fault.c
1871 --- linux-2.6.32.49/arch/parisc/mm/fault.c 2011-11-08 19:02:43.000000000 -0500
1872 +++ linux-2.6.32.49/arch/parisc/mm/fault.c 2011-11-18 18:01:52.000000000 -0500
1873 @@ -15,6 +15,7 @@
1874 #include <linux/sched.h>
1875 #include <linux/interrupt.h>
1876 #include <linux/module.h>
1877 +#include <linux/unistd.h>
1878
1879 #include <asm/uaccess.h>
1880 #include <asm/traps.h>
1881 @@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex
1882 static unsigned long
1883 parisc_acctyp(unsigned long code, unsigned int inst)
1884 {
1885 - if (code == 6 || code == 16)
1886 + if (code == 6 || code == 7 || code == 16)
1887 return VM_EXEC;
1888
1889 switch (inst & 0xf0000000) {
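Review bot: The trap codes `6`, `7` and `16` in `parisc_acctyp()` are bare literals, and the newly added `7` is the value that makes this function classify one more fault type as a `VM_EXEC` access. A comment naming the three interruptions would make the purpose of the change visible. They appear to be the instruction TLB miss, instruction memory protection and non-access instruction TLB miss traps, which should be confirmed against the architecture manual before being written down. The function body continues outside the hunk.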
1890 @@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign
1891 }
1892 #endif
1893
1894 +#ifdef CONFIG_PAX_PAGEEXEC
1895 +/*
1896 + * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
1897 + *
1898 + * returns 1 when task should be killed
1899 + * 2 when rt_sigreturn trampoline was detected
1900 + * 3 when unpatched PLT trampoline was detected
1901 + */
1902 +static int pax_handle_fetch_fault(struct pt_regs *regs)
1903 +{
1904 +
1905 +#ifdef CONFIG_PAX_EMUPLT
1906 + int err;
1907 +
1908 + do { /* PaX: unpatched PLT emulation */
1909 + unsigned int bl, depwi;
1910 +
1911 + err = get_user(bl, (unsigned int *)instruction_pointer(regs));
1912 + err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
1913 +
1914 + if (err)
1915 + break;
1916 +
1917 + if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
1918 + unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
1919 +
1920 + err = get_user(ldw, (unsigned int *)addr);
1921 + err |= get_user(bv, (unsigned int *)(addr+4));
1922 + err |= get_user(ldw2, (unsigned int *)(addr+8));
1923 +
1924 + if (err)
1925 + break;
1926 +
1927 + if (ldw == 0x0E801096U &&
1928 + bv == 0xEAC0C000U &&
1929 + ldw2 == 0x0E881095U)
1930 + {
1931 + unsigned int resolver, map;
1932 +
1933 + err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
1934 + err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
1935 + if (err)
1936 + break;
1937 +
1938 + regs->gr[20] = instruction_pointer(regs)+8;
1939 + regs->gr[21] = map;
1940 + regs->gr[22] = resolver;
1941 + regs->iaoq[0] = resolver | 3UL;
1942 + regs->iaoq[1] = regs->iaoq[0] + 4;
1943 + return 3;
1944 + }
1945 + }
1946 + } while (0);
1947 +#endif
1948 +
1949 +#ifdef CONFIG_PAX_EMUTRAMP
1950 +
1951 +#ifndef CONFIG_PAX_EMUSIGRT
1952 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
1953 + return 1;
1954 +#endif
1955 +
1956 + do { /* PaX: rt_sigreturn emulation */
1957 + unsigned int ldi1, ldi2, bel, nop;
1958 +
1959 + err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
1960 + err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
1961 + err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
1962 + err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
1963 +
1964 + if (err)
1965 + break;
1966 +
1967 + if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
1968 + ldi2 == 0x3414015AU &&
1969 + bel == 0xE4008200U &&
1970 + nop == 0x08000240U)
1971 + {
1972 + regs->gr[25] = (ldi1 & 2) >> 1;
1973 + regs->gr[20] = __NR_rt_sigreturn;
1974 + regs->gr[31] = regs->iaoq[1] + 16;
1975 + regs->sr[0] = regs->iasq[1];
1976 + regs->iaoq[0] = 0x100UL;
1977 + regs->iaoq[1] = regs->iaoq[0] + 4;
1978 + regs->iasq[0] = regs->sr[2];
1979 + regs->iasq[1] = regs->sr[2];
1980 + return 2;
1981 + }
1982 + } while (0);
1983 +#endif
1984 +
1985 + return 1;
1986 +}
1987 +
1988 +void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
1989 +{
1990 + unsigned long i;
1991 +
1992 + printk(KERN_ERR "PAX: bytes at PC: ");
1993 + for (i = 0; i < 5; i++) {
1994 + unsigned int c;
1995 + if (get_user(c, (unsigned int *)pc+i))
1996 + printk(KERN_CONT "???????? ");
1997 + else
1998 + printk(KERN_CONT "%08x ", c);
1999 + }
2000 + printk("\n");
2001 +}
2002 +#endif
2003 +
2004 int fixup_exception(struct pt_regs *regs)
2005 {
2006 const struct exception_table_entry *fix;
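Review bot: `int err;` is declared inside the `#ifdef CONFIG_PAX_EMUPLT` block of `pax_handle_fetch_fault()`, but the `CONFIG_PAX_EMUTRAMP` block further down assigns and tests `err` as well. A configuration with EMUTRAMP enabled and EMUPLT disabled would therefore fail to compile, unless a Kconfig dependency not visible here rules that combination out. Declaring it once above the first `#ifdef`, as `int err __maybe_unused;`, removes the coupling. The return values `1`, `2` and `3` are documented in the header comment but used as literals both here and in the `switch` in the next hunk; named constants would keep the two in step.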
2007 @@ -192,8 +303,33 @@ good_area:
2008
2009 acc_type = parisc_acctyp(code,regs->iir);
2010
2011 - if ((vma->vm_flags & acc_type) != acc_type)
2012 + if ((vma->vm_flags & acc_type) != acc_type) {
2013 +
2014 +#ifdef CONFIG_PAX_PAGEEXEC
2015 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
2016 + (address & ~3UL) == instruction_pointer(regs))
2017 + {
2018 + up_read(&mm->mmap_sem);
2019 + switch (pax_handle_fetch_fault(regs)) {
2020 +
2021 +#ifdef CONFIG_PAX_EMUPLT
2022 + case 3:
2023 + return;
2024 +#endif
2025 +
2026 +#ifdef CONFIG_PAX_EMUTRAMP
2027 + case 2:
2028 + return;
2029 +#endif
2030 +
2031 + }
2032 + pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
2033 + do_group_exit(SIGKILL);
2034 + }
2035 +#endif
2036 +
2037 goto bad_area;
2038 + }
2039
2040 /*
2041 * If for any reason at all we couldn't handle the fault, make
2042 diff -urNp linux-2.6.32.49/arch/powerpc/include/asm/device.h linux-2.6.32.49/arch/powerpc/include/asm/device.h
2043 --- linux-2.6.32.49/arch/powerpc/include/asm/device.h 2011-11-08 19:02:43.000000000 -0500
2044 +++ linux-2.6.32.49/arch/powerpc/include/asm/device.h 2011-11-15 19:59:42.000000000 -0500
2045 @@ -14,7 +14,7 @@ struct dev_archdata {
2046 struct device_node *of_node;
2047
2048 /* DMA operations on that device */
2049 - struct dma_map_ops *dma_ops;
2050 + const struct dma_map_ops *dma_ops;
2051
2052 /*
2053 * When an iommu is in use, dma_data is used as a ptr to the base of the
2054 diff -urNp linux-2.6.32.49/arch/powerpc/include/asm/dma-mapping.h linux-2.6.32.49/arch/powerpc/include/asm/dma-mapping.h
2055 --- linux-2.6.32.49/arch/powerpc/include/asm/dma-mapping.h 2011-11-08 19:02:43.000000000 -0500
2056 +++ linux-2.6.32.49/arch/powerpc/include/asm/dma-mapping.h 2011-11-15 19:59:42.000000000 -0500
2057 @@ -69,9 +69,9 @@ static inline unsigned long device_to_ma
2058 #ifdef CONFIG_PPC64
2059 extern struct dma_map_ops dma_iommu_ops;
2060 #endif
2061 -extern struct dma_map_ops dma_direct_ops;
2062 +extern const struct dma_map_ops dma_direct_ops;
2063
2064 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
2065 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
2066 {
2067 /* We don't handle the NULL dev case for ISA for now. We could
2068 * do it via an out of line call but it is not needed for now. The
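Review bot: `dma_direct_ops` becomes `const` here, but the `extern struct dma_map_ops dma_iommu_ops;` declaration just above it, under `CONFIG_PPC64`, is left non-const. If the definition in dma-iommu.c is made const elsewhere in the patch, this declaration conflicts with it. If it is not, that one ops table stays writable while the others become read-only. Either way the two declarations should agree, i.e. `extern const struct dma_map_ops dma_iommu_ops;`. `get_dma_ops()` continues past the end of the hunk.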
2069 @@ -84,7 +84,7 @@ static inline struct dma_map_ops *get_dm
2070 return dev->archdata.dma_ops;
2071 }
2072
2073 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
2074 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
2075 {
2076 dev->archdata.dma_ops = ops;
2077 }
2078 @@ -118,7 +118,7 @@ static inline void set_dma_offset(struct
2079
2080 static inline int dma_supported(struct device *dev, u64 mask)
2081 {
2082 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2083 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2084
2085 if (unlikely(dma_ops == NULL))
2086 return 0;
2087 @@ -132,7 +132,7 @@ static inline int dma_supported(struct d
2088
2089 static inline int dma_set_mask(struct device *dev, u64 dma_mask)
2090 {
2091 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2092 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2093
2094 if (unlikely(dma_ops == NULL))
2095 return -EIO;
2096 @@ -147,7 +147,7 @@ static inline int dma_set_mask(struct de
2097 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
2098 dma_addr_t *dma_handle, gfp_t flag)
2099 {
2100 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2101 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2102 void *cpu_addr;
2103
2104 BUG_ON(!dma_ops);
2105 @@ -162,7 +162,7 @@ static inline void *dma_alloc_coherent(s
2106 static inline void dma_free_coherent(struct device *dev, size_t size,
2107 void *cpu_addr, dma_addr_t dma_handle)
2108 {
2109 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2110 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2111
2112 BUG_ON(!dma_ops);
2113
2114 @@ -173,7 +173,7 @@ static inline void dma_free_coherent(str
2115
2116 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
2117 {
2118 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2119 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2120
2121 if (dma_ops->mapping_error)
2122 return dma_ops->mapping_error(dev, dma_addr);
2123 diff -urNp linux-2.6.32.49/arch/powerpc/include/asm/elf.h linux-2.6.32.49/arch/powerpc/include/asm/elf.h
2124 --- linux-2.6.32.49/arch/powerpc/include/asm/elf.h 2011-11-08 19:02:43.000000000 -0500
2125 +++ linux-2.6.32.49/arch/powerpc/include/asm/elf.h 2011-11-15 19:59:42.000000000 -0500
2126 @@ -179,8 +179,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E
2127 the loader. We need to make sure that it is out of the way of the program
2128 that it will "exec", and that there is sufficient room for the brk. */
2129
2130 -extern unsigned long randomize_et_dyn(unsigned long base);
2131 -#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))
2132 +#define ELF_ET_DYN_BASE (0x20000000)
2133 +
2134 +#ifdef CONFIG_PAX_ASLR
2135 +#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
2136 +
2137 +#ifdef __powerpc64__
2138 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
2139 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
2140 +#else
2141 +#define PAX_DELTA_MMAP_LEN 15
2142 +#define PAX_DELTA_STACK_LEN 15
2143 +#endif
2144 +#endif
2145
2146 /*
2147 * Our registers are always unsigned longs, whether we're a 32 bit
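Review bot: `ELF_ET_DYN_BASE` changes from `randomize_et_dyn(0x20000000)` to the constant `(0x20000000)` outside the `#ifdef CONFIG_PAX_ASLR` block. A kernel built from this tree without `CONFIG_PAX_ASLR` therefore gets a fixed ET_DYN base where the unpatched header randomized it, unless generic code elsewhere in the patch makes up for it. The next hunk removes the `arch_randomize_brk` declaration in the same unconditional way. If the stock randomization is meant to survive in non-PaX builds, the old definitions belong in an `#else` branch. Otherwise a comment should state that on this architecture randomization is provided only through `CONFIG_PAX_ASLR`.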
2148 @@ -275,9 +286,6 @@ extern int arch_setup_additional_pages(s
2149 (0x7ff >> (PAGE_SHIFT - 12)) : \
2150 (0x3ffff >> (PAGE_SHIFT - 12)))
2151
2152 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
2153 -#define arch_randomize_brk arch_randomize_brk
2154 -
2155 #endif /* __KERNEL__ */
2156
2157 /*
2158 diff -urNp linux-2.6.32.49/arch/powerpc/include/asm/iommu.h linux-2.6.32.49/arch/powerpc/include/asm/iommu.h
2159 --- linux-2.6.32.49/arch/powerpc/include/asm/iommu.h 2011-11-08 19:02:43.000000000 -0500
2160 +++ linux-2.6.32.49/arch/powerpc/include/asm/iommu.h 2011-11-15 19:59:42.000000000 -0500
2161 @@ -116,6 +116,9 @@ extern void iommu_init_early_iSeries(voi
2162 extern void iommu_init_early_dart(void);
2163 extern void iommu_init_early_pasemi(void);
2164
2165 +/* dma-iommu.c */
2166 +extern int dma_iommu_dma_supported(struct device *dev, u64 mask);
2167 +
2168 #ifdef CONFIG_PCI
2169 extern void pci_iommu_init(void);
2170 extern void pci_direct_iommu_init(void);
2171 diff -urNp linux-2.6.32.49/arch/powerpc/include/asm/kmap_types.h linux-2.6.32.49/arch/powerpc/include/asm/kmap_types.h
2172 --- linux-2.6.32.49/arch/powerpc/include/asm/kmap_types.h 2011-11-08 19:02:43.000000000 -0500
2173 +++ linux-2.6.32.49/arch/powerpc/include/asm/kmap_types.h 2011-11-15 19:59:42.000000000 -0500
2174 @@ -26,6 +26,7 @@ enum km_type {
2175 KM_SOFTIRQ1,
2176 KM_PPC_SYNC_PAGE,
2177 KM_PPC_SYNC_ICACHE,
2178 + KM_CLEARPAGE,
2179 KM_TYPE_NR
2180 };
2181
2182 diff -urNp linux-2.6.32.49/arch/powerpc/include/asm/page_64.h linux-2.6.32.49/arch/powerpc/include/asm/page_64.h
2183 --- linux-2.6.32.49/arch/powerpc/include/asm/page_64.h 2011-11-08 19:02:43.000000000 -0500
2184 +++ linux-2.6.32.49/arch/powerpc/include/asm/page_64.h 2011-11-15 19:59:42.000000000 -0500
2185 @@ -180,15 +180,18 @@ do { \
2186 * stack by default, so in the absense of a PT_GNU_STACK program header
2187 * we turn execute permission off.
2188 */
2189 -#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2190 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2191 +#define VM_STACK_DEFAULT_FLAGS32 \
2192 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2193 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2194
2195 #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2196 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2197
2198 +#ifndef CONFIG_PAX_PAGEEXEC
2199 #define VM_STACK_DEFAULT_FLAGS \
2200 (test_thread_flag(TIF_32BIT) ? \
2201 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
2202 +#endif
2203
2204 #include <asm-generic/getorder.h>
2205
2206 diff -urNp linux-2.6.32.49/arch/powerpc/include/asm/page.h linux-2.6.32.49/arch/powerpc/include/asm/page.h
2207 --- linux-2.6.32.49/arch/powerpc/include/asm/page.h 2011-11-08 19:02:43.000000000 -0500
2208 +++ linux-2.6.32.49/arch/powerpc/include/asm/page.h 2011-11-15 19:59:42.000000000 -0500
2209 @@ -116,8 +116,9 @@ extern phys_addr_t kernstart_addr;
2210 * and needs to be executable. This means the whole heap ends
2211 * up being executable.
2212 */
2213 -#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2214 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2215 +#define VM_DATA_DEFAULT_FLAGS32 \
2216 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2217 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2218
2219 #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2220 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
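Review bot: The comment kept as context above `VM_DATA_DEFAULT_FLAGS32` still ends with `This means the whole heap ends up being executable`, which no longer describes the macro. After this change `VM_EXEC` is set only when `current->personality & READ_IMPLIES_EXEC` is true. The comment should say that the heap is executable only for tasks with that personality bit. The macro now also evaluates `current`, so it can only be used where the task structure is in scope, which is worth noting next to it. `VM_STACK_DEFAULT_FLAGS32` in page_64.h is changed the same way and its preceding comment needs the same update.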
2221 @@ -145,6 +146,9 @@ extern phys_addr_t kernstart_addr;
2222 #define is_kernel_addr(x) ((x) >= PAGE_OFFSET)
2223 #endif
2224
2225 +#define ktla_ktva(addr) (addr)
2226 +#define ktva_ktla(addr) (addr)
2227 +
2228 #ifndef __ASSEMBLY__
2229
2230 #undef STRICT_MM_TYPECHECKS
2231 diff -urNp linux-2.6.32.49/arch/powerpc/include/asm/pci.h linux-2.6.32.49/arch/powerpc/include/asm/pci.h
2232 --- linux-2.6.32.49/arch/powerpc/include/asm/pci.h 2011-11-08 19:02:43.000000000 -0500
2233 +++ linux-2.6.32.49/arch/powerpc/include/asm/pci.h 2011-11-15 19:59:42.000000000 -0500
2234 @@ -65,8 +65,8 @@ static inline int pci_get_legacy_ide_irq
2235 }
2236
2237 #ifdef CONFIG_PCI
2238 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
2239 -extern struct dma_map_ops *get_pci_dma_ops(void);
2240 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
2241 +extern const struct dma_map_ops *get_pci_dma_ops(void);
2242 #else /* CONFIG_PCI */
2243 #define set_pci_dma_ops(d)
2244 #define get_pci_dma_ops() NULL
2245 diff -urNp linux-2.6.32.49/arch/powerpc/include/asm/pgtable.h linux-2.6.32.49/arch/powerpc/include/asm/pgtable.h
2246 --- linux-2.6.32.49/arch/powerpc/include/asm/pgtable.h 2011-11-08 19:02:43.000000000 -0500
2247 +++ linux-2.6.32.49/arch/powerpc/include/asm/pgtable.h 2011-11-15 19:59:42.000000000 -0500
2248 @@ -2,6 +2,7 @@
2249 #define _ASM_POWERPC_PGTABLE_H
2250 #ifdef __KERNEL__
2251
2252 +#include <linux/const.h>
2253 #ifndef __ASSEMBLY__
2254 #include <asm/processor.h> /* For TASK_SIZE */
2255 #include <asm/mmu.h>
2256 diff -urNp linux-2.6.32.49/arch/powerpc/include/asm/pte-hash32.h linux-2.6.32.49/arch/powerpc/include/asm/pte-hash32.h
2257 --- linux-2.6.32.49/arch/powerpc/include/asm/pte-hash32.h 2011-11-08 19:02:43.000000000 -0500
2258 +++ linux-2.6.32.49/arch/powerpc/include/asm/pte-hash32.h 2011-11-15 19:59:42.000000000 -0500
2259 @@ -21,6 +21,7 @@
2260 #define _PAGE_FILE 0x004 /* when !present: nonlinear file mapping */
2261 #define _PAGE_USER 0x004 /* usermode access allowed */
2262 #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */
2263 +#define _PAGE_EXEC _PAGE_GUARDED
2264 #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */
2265 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
2266 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
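Review bot: `#define _PAGE_EXEC _PAGE_GUARDED` gives the G bit a second name without any comment, while the comment on `_PAGE_GUARDED` still describes it only as `G: prohibit speculative access`. From this line a reader cannot tell whether a set bit is meant to mark a page executable or non-executable, nor what it implies for mappings that set `_PAGE_GUARDED` for its original purpose. The `DSISR_GUARDED` constant added to reg.h with the comment `fetch from guarded storage` suggests the bit is used to trap instruction fetches, but that is an inference. A trailing comment stating the intended meaning and polarity should be added on this line.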
2267 diff -urNp linux-2.6.32.49/arch/powerpc/include/asm/ptrace.h linux-2.6.32.49/arch/powerpc/include/asm/ptrace.h
2268 --- linux-2.6.32.49/arch/powerpc/include/asm/ptrace.h 2011-11-08 19:02:43.000000000 -0500
2269 +++ linux-2.6.32.49/arch/powerpc/include/asm/ptrace.h 2011-11-15 19:59:42.000000000 -0500
2270 @@ -103,7 +103,7 @@ extern unsigned long profile_pc(struct p
2271 } while(0)
2272
2273 struct task_struct;
2274 -extern unsigned long ptrace_get_reg(struct task_struct *task, int regno);
2275 +extern unsigned long ptrace_get_reg(struct task_struct *task, unsigned int regno);
2276 extern int ptrace_put_reg(struct task_struct *task, int regno,
2277 unsigned long data);
2278
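Review bot: `ptrace_get_reg()` now takes `unsigned int regno`, but `ptrace_put_reg()` on the next line keeps `int regno`. If the change is meant to rule out negative register indices, the write path needs the same treatment: `extern int ptrace_put_reg(struct task_struct *task, unsigned int regno,`. The definitions are outside this hunk, so whether they already bounds-check `regno` cannot be seen here.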
2279 diff -urNp linux-2.6.32.49/arch/powerpc/include/asm/reg.h linux-2.6.32.49/arch/powerpc/include/asm/reg.h
2280 --- linux-2.6.32.49/arch/powerpc/include/asm/reg.h 2011-11-08 19:02:43.000000000 -0500
2281 +++ linux-2.6.32.49/arch/powerpc/include/asm/reg.h 2011-11-15 19:59:42.000000000 -0500
2282 @@ -191,6 +191,7 @@
2283 #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
2284 #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
2285 #define DSISR_NOHPTE 0x40000000 /* no translation found */
2286 +#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */
2287 #define DSISR_PROTFAULT 0x08000000 /* protection fault */
2288 #define DSISR_ISSTORE 0x02000000 /* access was a store */
2289 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
2290 diff -urNp linux-2.6.32.49/arch/powerpc/include/asm/swiotlb.h linux-2.6.32.49/arch/powerpc/include/asm/swiotlb.h
2291 --- linux-2.6.32.49/arch/powerpc/include/asm/swiotlb.h 2011-11-08 19:02:43.000000000 -0500
2292 +++ linux-2.6.32.49/arch/powerpc/include/asm/swiotlb.h 2011-11-15 19:59:42.000000000 -0500
2293 @@ -13,7 +13,7 @@
2294
2295 #include <linux/swiotlb.h>
2296
2297 -extern struct dma_map_ops swiotlb_dma_ops;
2298 +extern const struct dma_map_ops swiotlb_dma_ops;
2299
2300 static inline void dma_mark_clean(void *addr, size_t size) {}
2301
2302 diff -urNp linux-2.6.32.49/arch/powerpc/include/asm/system.h linux-2.6.32.49/arch/powerpc/include/asm/system.h
2303 --- linux-2.6.32.49/arch/powerpc/include/asm/system.h 2011-11-08 19:02:43.000000000 -0500
2304 +++ linux-2.6.32.49/arch/powerpc/include/asm/system.h 2011-11-15 19:59:42.000000000 -0500
2305 @@ -531,7 +531,7 @@ __cmpxchg_local(volatile void *ptr, unsi
2306 #define cmpxchg64_local(ptr, o, n) __cmpxchg64_local_generic((ptr), (o), (n))
2307 #endif
2308
2309 -extern unsigned long arch_align_stack(unsigned long sp);
2310 +#define arch_align_stack(x) ((x) & ~0xfUL)
2311
2312 /* Used in very early kernel initialization. */
2313 extern unsigned long reloc_offset(void);
2314 diff -urNp linux-2.6.32.49/arch/powerpc/include/asm/uaccess.h linux-2.6.32.49/arch/powerpc/include/asm/uaccess.h
2315 --- linux-2.6.32.49/arch/powerpc/include/asm/uaccess.h 2011-11-08 19:02:43.000000000 -0500
2316 +++ linux-2.6.32.49/arch/powerpc/include/asm/uaccess.h 2011-11-15 19:59:42.000000000 -0500
2317 @@ -13,6 +13,8 @@
2318 #define VERIFY_READ 0
2319 #define VERIFY_WRITE 1
2320
2321 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
2322 +
2323 /*
2324 * The fs value determines whether argument validity checking should be
2325 * performed or not. If get_fs() == USER_DS, checking is performed, with
2326 @@ -327,52 +329,6 @@ do { \
2327 extern unsigned long __copy_tofrom_user(void __user *to,
2328 const void __user *from, unsigned long size);
2329
2330 -#ifndef __powerpc64__
2331 -
2332 -static inline unsigned long copy_from_user(void *to,
2333 - const void __user *from, unsigned long n)
2334 -{
2335 - unsigned long over;
2336 -
2337 - if (access_ok(VERIFY_READ, from, n))
2338 - return __copy_tofrom_user((__force void __user *)to, from, n);
2339 - if ((unsigned long)from < TASK_SIZE) {
2340 - over = (unsigned long)from + n - TASK_SIZE;
2341 - return __copy_tofrom_user((__force void __user *)to, from,
2342 - n - over) + over;
2343 - }
2344 - return n;
2345 -}
2346 -
2347 -static inline unsigned long copy_to_user(void __user *to,
2348 - const void *from, unsigned long n)
2349 -{
2350 - unsigned long over;
2351 -
2352 - if (access_ok(VERIFY_WRITE, to, n))
2353 - return __copy_tofrom_user(to, (__force void __user *)from, n);
2354 - if ((unsigned long)to < TASK_SIZE) {
2355 - over = (unsigned long)to + n - TASK_SIZE;
2356 - return __copy_tofrom_user(to, (__force void __user *)from,
2357 - n - over) + over;
2358 - }
2359 - return n;
2360 -}
2361 -
2362 -#else /* __powerpc64__ */
2363 -
2364 -#define __copy_in_user(to, from, size) \
2365 - __copy_tofrom_user((to), (from), (size))
2366 -
2367 -extern unsigned long copy_from_user(void *to, const void __user *from,
2368 - unsigned long n);
2369 -extern unsigned long copy_to_user(void __user *to, const void *from,
2370 - unsigned long n);
2371 -extern unsigned long copy_in_user(void __user *to, const void __user *from,
2372 - unsigned long n);
2373 -
2374 -#endif /* __powerpc64__ */
2375 -
2376 static inline unsigned long __copy_from_user_inatomic(void *to,
2377 const void __user *from, unsigned long n)
2378 {
2379 @@ -396,6 +352,10 @@ static inline unsigned long __copy_from_
2380 if (ret == 0)
2381 return 0;
2382 }
2383 +
2384 + if (!__builtin_constant_p(n))
2385 + check_object_size(to, n, false);
2386 +
2387 return __copy_tofrom_user((__force void __user *)to, from, n);
2388 }
2389
2390 @@ -422,6 +382,10 @@ static inline unsigned long __copy_to_us
2391 if (ret == 0)
2392 return 0;
2393 }
2394 +
2395 + if (!__builtin_constant_p(n))
2396 + check_object_size(from, n, true);
2397 +
2398 return __copy_tofrom_user(to, (__force const void __user *)from, n);
2399 }
2400
2401 @@ -439,6 +403,92 @@ static inline unsigned long __copy_to_us
2402 return __copy_to_user_inatomic(to, from, size);
2403 }
2404
2405 +#ifndef __powerpc64__
2406 +
2407 +static inline unsigned long __must_check copy_from_user(void *to,
2408 + const void __user *from, unsigned long n)
2409 +{
2410 + unsigned long over;
2411 +
2412 + if ((long)n < 0)
2413 + return n;
2414 +
2415 + if (access_ok(VERIFY_READ, from, n)) {
2416 + if (!__builtin_constant_p(n))
2417 + check_object_size(to, n, false);
2418 + return __copy_tofrom_user((__force void __user *)to, from, n);
2419 + }
2420 + if ((unsigned long)from < TASK_SIZE) {
2421 + over = (unsigned long)from + n - TASK_SIZE;
2422 + if (!__builtin_constant_p(n - over))
2423 + check_object_size(to, n - over, false);
2424 + return __copy_tofrom_user((__force void __user *)to, from,
2425 + n - over) + over;
2426 + }
2427 + return n;
2428 +}
2429 +
2430 +static inline unsigned long __must_check copy_to_user(void __user *to,
2431 + const void *from, unsigned long n)
2432 +{
2433 + unsigned long over;
2434 +
2435 + if ((long)n < 0)
2436 + return n;
2437 +
2438 + if (access_ok(VERIFY_WRITE, to, n)) {
2439 + if (!__builtin_constant_p(n))
2440 + check_object_size(from, n, true);
2441 + return __copy_tofrom_user(to, (__force void __user *)from, n);
2442 + }
2443 + if ((unsigned long)to < TASK_SIZE) {
2444 + over = (unsigned long)to + n - TASK_SIZE;
2445 + if (!__builtin_constant_p(n))
2446 + check_object_size(from, n - over, true);
2447 + return __copy_tofrom_user(to, (__force void __user *)from,
2448 + n - over) + over;
2449 + }
2450 + return n;
2451 +}
2452 +
2453 +#else /* __powerpc64__ */
2454 +
2455 +#define __copy_in_user(to, from, size) \
2456 + __copy_tofrom_user((to), (from), (size))
2457 +
2458 +static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
2459 +{
2460 + if ((long)n < 0 || n > INT_MAX)
2461 + return n;
2462 +
2463 + if (!__builtin_constant_p(n))
2464 + check_object_size(to, n, false);
2465 +
2466 + if (likely(access_ok(VERIFY_READ, from, n)))
2467 + n = __copy_from_user(to, from, n);
2468 + else
2469 + memset(to, 0, n);
2470 + return n;
2471 +}
2472 +
2473 +static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
2474 +{
2475 + if ((long)n < 0 || n > INT_MAX)
2476 + return n;
2477 +
2478 + if (likely(access_ok(VERIFY_WRITE, to, n))) {
2479 + if (!__builtin_constant_p(n))
2480 + check_object_size(from, n, true);
2481 + n = __copy_to_user(to, from, n);
2482 + }
2483 + return n;
2484 +}
2485 +
2486 +extern unsigned long copy_in_user(void __user *to, const void __user *from,
2487 + unsigned long n);
2488 +
2489 +#endif /* __powerpc64__ */
2490 +
2491 extern unsigned long __clear_user(void __user *addr, unsigned long size);
2492
2493 static inline unsigned long clear_user(void __user *addr, unsigned long size)
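Review bot: The two 32-bit fallback branches guard the object-size check differently: copy_from_user tests `__builtin_constant_p(n - over)`, while copy_to_user tests `__builtin_constant_p(n)` even though both pass `n - over` to check_object_size. With a compile-time constant `n`, copy_to_user therefore skips the check on a partial copy whose length is only known at run time. Unless that asymmetry is intended, use `if (!__builtin_constant_p(n - over))` in both. In the 64-bit variants `(long)n < 0` is already implied by `n > INT_MAX` for an unsigned long, and copy_from_user runs check_object_size before access_ok while copy_to_user runs it after; a comment on the intended order would help.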
2494 diff -urNp linux-2.6.32.49/arch/powerpc/kernel/cacheinfo.c linux-2.6.32.49/arch/powerpc/kernel/cacheinfo.c
2495 --- linux-2.6.32.49/arch/powerpc/kernel/cacheinfo.c 2011-11-08 19:02:43.000000000 -0500
2496 +++ linux-2.6.32.49/arch/powerpc/kernel/cacheinfo.c 2011-11-15 19:59:42.000000000 -0500
2497 @@ -642,7 +642,7 @@ static struct kobj_attribute *cache_inde
2498 &cache_assoc_attr,
2499 };
2500
2501 -static struct sysfs_ops cache_index_ops = {
2502 +static const struct sysfs_ops cache_index_ops = {
2503 .show = cache_index_show,
2504 };
2505
2506 diff -urNp linux-2.6.32.49/arch/powerpc/kernel/dma.c linux-2.6.32.49/arch/powerpc/kernel/dma.c
2507 --- linux-2.6.32.49/arch/powerpc/kernel/dma.c 2011-11-08 19:02:43.000000000 -0500
2508 +++ linux-2.6.32.49/arch/powerpc/kernel/dma.c 2011-11-15 19:59:42.000000000 -0500
2509 @@ -134,7 +134,7 @@ static inline void dma_direct_sync_singl
2510 }
2511 #endif
2512
2513 -struct dma_map_ops dma_direct_ops = {
2514 +const struct dma_map_ops dma_direct_ops = {
2515 .alloc_coherent = dma_direct_alloc_coherent,
2516 .free_coherent = dma_direct_free_coherent,
2517 .map_sg = dma_direct_map_sg,
2518 diff -urNp linux-2.6.32.49/arch/powerpc/kernel/dma-iommu.c linux-2.6.32.49/arch/powerpc/kernel/dma-iommu.c
2519 --- linux-2.6.32.49/arch/powerpc/kernel/dma-iommu.c 2011-11-08 19:02:43.000000000 -0500
2520 +++ linux-2.6.32.49/arch/powerpc/kernel/dma-iommu.c 2011-11-15 19:59:42.000000000 -0500
2521 @@ -70,7 +70,7 @@ static void dma_iommu_unmap_sg(struct de
2522 }
2523
2524 /* We support DMA to/from any memory page via the iommu */
2525 -static int dma_iommu_dma_supported(struct device *dev, u64 mask)
2526 +int dma_iommu_dma_supported(struct device *dev, u64 mask)
2527 {
2528 struct iommu_table *tbl = get_iommu_table_base(dev);
2529
2530 diff -urNp linux-2.6.32.49/arch/powerpc/kernel/dma-swiotlb.c linux-2.6.32.49/arch/powerpc/kernel/dma-swiotlb.c
2531 --- linux-2.6.32.49/arch/powerpc/kernel/dma-swiotlb.c 2011-11-08 19:02:43.000000000 -0500
2532 +++ linux-2.6.32.49/arch/powerpc/kernel/dma-swiotlb.c 2011-11-15 19:59:42.000000000 -0500
2533 @@ -31,7 +31,7 @@ unsigned int ppc_swiotlb_enable;
2534 * map_page, and unmap_page on highmem, use normal dma_ops
2535 * for everything else.
2536 */
2537 -struct dma_map_ops swiotlb_dma_ops = {
2538 +const struct dma_map_ops swiotlb_dma_ops = {
2539 .alloc_coherent = dma_direct_alloc_coherent,
2540 .free_coherent = dma_direct_free_coherent,
2541 .map_sg = swiotlb_map_sg_attrs,
2542 diff -urNp linux-2.6.32.49/arch/powerpc/kernel/exceptions-64e.S linux-2.6.32.49/arch/powerpc/kernel/exceptions-64e.S
2543 --- linux-2.6.32.49/arch/powerpc/kernel/exceptions-64e.S 2011-11-08 19:02:43.000000000 -0500
2544 +++ linux-2.6.32.49/arch/powerpc/kernel/exceptions-64e.S 2011-11-15 19:59:42.000000000 -0500
2545 @@ -455,6 +455,7 @@ storage_fault_common:
2546 std r14,_DAR(r1)
2547 std r15,_DSISR(r1)
2548 addi r3,r1,STACK_FRAME_OVERHEAD
2549 + bl .save_nvgprs
2550 mr r4,r14
2551 mr r5,r15
2552 ld r14,PACA_EXGEN+EX_R14(r13)
2553 @@ -464,8 +465,7 @@ storage_fault_common:
2554 cmpdi r3,0
2555 bne- 1f
2556 b .ret_from_except_lite
2557 -1: bl .save_nvgprs
2558 - mr r5,r3
2559 +1: mr r5,r3
2560 addi r3,r1,STACK_FRAME_OVERHEAD
2561 ld r4,_DAR(r1)
2562 bl .bad_page_fault
2563 diff -urNp linux-2.6.32.49/arch/powerpc/kernel/exceptions-64s.S linux-2.6.32.49/arch/powerpc/kernel/exceptions-64s.S
2564 --- linux-2.6.32.49/arch/powerpc/kernel/exceptions-64s.S 2011-11-08 19:02:43.000000000 -0500
2565 +++ linux-2.6.32.49/arch/powerpc/kernel/exceptions-64s.S 2011-11-15 19:59:42.000000000 -0500
2566 @@ -818,10 +818,10 @@ handle_page_fault:
2567 11: ld r4,_DAR(r1)
2568 ld r5,_DSISR(r1)
2569 addi r3,r1,STACK_FRAME_OVERHEAD
2570 + bl .save_nvgprs
2571 bl .do_page_fault
2572 cmpdi r3,0
2573 beq+ 13f
2574 - bl .save_nvgprs
2575 mr r5,r3
2576 addi r3,r1,STACK_FRAME_OVERHEAD
2577 lwz r4,_DAR(r1)
2578 diff -urNp linux-2.6.32.49/arch/powerpc/kernel/ibmebus.c linux-2.6.32.49/arch/powerpc/kernel/ibmebus.c
2579 --- linux-2.6.32.49/arch/powerpc/kernel/ibmebus.c 2011-11-08 19:02:43.000000000 -0500
2580 +++ linux-2.6.32.49/arch/powerpc/kernel/ibmebus.c 2011-11-15 19:59:42.000000000 -0500
2581 @@ -127,7 +127,7 @@ static int ibmebus_dma_supported(struct
2582 return 1;
2583 }
2584
2585 -static struct dma_map_ops ibmebus_dma_ops = {
2586 +static const struct dma_map_ops ibmebus_dma_ops = {
2587 .alloc_coherent = ibmebus_alloc_coherent,
2588 .free_coherent = ibmebus_free_coherent,
2589 .map_sg = ibmebus_map_sg,
2590 diff -urNp linux-2.6.32.49/arch/powerpc/kernel/kgdb.c linux-2.6.32.49/arch/powerpc/kernel/kgdb.c
2591 --- linux-2.6.32.49/arch/powerpc/kernel/kgdb.c 2011-11-08 19:02:43.000000000 -0500
2592 +++ linux-2.6.32.49/arch/powerpc/kernel/kgdb.c 2011-11-15 19:59:42.000000000 -0500
2593 @@ -126,7 +126,7 @@ static int kgdb_handle_breakpoint(struct
2594 if (kgdb_handle_exception(0, SIGTRAP, 0, regs) != 0)
2595 return 0;
2596
2597 - if (*(u32 *) (regs->nip) == *(u32 *) (&arch_kgdb_ops.gdb_bpt_instr))
2598 + if (*(u32 *) (regs->nip) == *(const u32 *) (&arch_kgdb_ops.gdb_bpt_instr))
2599 regs->nip += 4;
2600
2601 return 1;
2602 @@ -353,7 +353,7 @@ int kgdb_arch_handle_exception(int vecto
2603 /*
2604 * Global data
2605 */
2606 -struct kgdb_arch arch_kgdb_ops = {
2607 +const struct kgdb_arch arch_kgdb_ops = {
2608 .gdb_bpt_instr = {0x7d, 0x82, 0x10, 0x08},
2609 };
2610
2611 diff -urNp linux-2.6.32.49/arch/powerpc/kernel/module_32.c linux-2.6.32.49/arch/powerpc/kernel/module_32.c
2612 --- linux-2.6.32.49/arch/powerpc/kernel/module_32.c 2011-11-08 19:02:43.000000000 -0500
2613 +++ linux-2.6.32.49/arch/powerpc/kernel/module_32.c 2011-11-15 19:59:42.000000000 -0500
2614 @@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr
2615 me->arch.core_plt_section = i;
2616 }
2617 if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
2618 - printk("Module doesn't contain .plt or .init.plt sections.\n");
2619 + printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
2620 return -ENOEXEC;
2621 }
2622
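Review bot: The reworded `.plt` message still goes out through `printk` with no log level, while the error added to do_plt_call in the next hunk of this file uses `KERN_ERR`. Since this path makes the loader return -ENOEXEC, it would be consistent to write `printk(KERN_ERR "Module %s doesn't contain .plt or .init.plt sections.\n", me->name);`. module_frob_arch_sections starts and ends outside this hunk.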
2623 @@ -203,11 +203,16 @@ static uint32_t do_plt_call(void *locati
2624
2625 DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
2626 /* Init, or core PLT? */
2627 - if (location >= mod->module_core
2628 - && location < mod->module_core + mod->core_size)
2629 + if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
2630 + (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
2631 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
2632 - else
2633 + else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
2634 + (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
2635 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
2636 + else {
2637 + printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
2638 + return ~0UL;
2639 + }
2640
2641 /* Find this entry, or if that fails, the next avail. entry */
2642 while (entry->jump[0]) {
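Review bot: The new `return ~0UL;` branch introduces a failure value for do_plt_call, whose return type in the hunk header is `uint32_t`, and nothing here tells the caller that this value is not a usable address. The caller is outside the hunk; if it does not compare the result against this value, the relocation would be written with an all-ones target, so it should reject the value and fail the module load. A comment above the function stating the failure value, or a named constant in place of the bare `~0UL`, would make that contract visible.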
2643 diff -urNp linux-2.6.32.49/arch/powerpc/kernel/module.c linux-2.6.32.49/arch/powerpc/kernel/module.c
2644 --- linux-2.6.32.49/arch/powerpc/kernel/module.c 2011-11-08 19:02:43.000000000 -0500
2645 +++ linux-2.6.32.49/arch/powerpc/kernel/module.c 2011-11-15 19:59:42.000000000 -0500
2646 @@ -31,11 +31,24 @@
2647
2648 LIST_HEAD(module_bug_list);
2649
2650 +#ifdef CONFIG_PAX_KERNEXEC
2651 void *module_alloc(unsigned long size)
2652 {
2653 if (size == 0)
2654 return NULL;
2655
2656 + return vmalloc(size);
2657 +}
2658 +
2659 +void *module_alloc_exec(unsigned long size)
2660 +#else
2661 +void *module_alloc(unsigned long size)
2662 +#endif
2663 +
2664 +{
2665 + if (size == 0)
2666 + return NULL;
2667 +
2668 return vmalloc_exec(size);
2669 }
2670
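Review bot: The `#ifdef CONFIG_PAX_KERNEXEC` block ends in the middle of a definition: it supplies only a signature (`module_alloc_exec` or `module_alloc`), and the shared body follows after `#endif` and a blank line. That makes it easy to misread which function returns `vmalloc_exec()` memory in which configuration. A comment before the shared brace, such as `/* body of module_alloc_exec() with KERNEXEC, of module_alloc() without */`, would make the split explicit. Alternatively, a small static helper called from both names would avoid it.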
2671 @@ -45,6 +58,13 @@ void module_free(struct module *mod, voi
2672 vfree(module_region);
2673 }
2674
2675 +#ifdef CONFIG_PAX_KERNEXEC
2676 +void module_free_exec(struct module *mod, void *module_region)
2677 +{
2678 + module_free(mod, module_region);
2679 +}
2680 +#endif
2681 +
2682 static const Elf_Shdr *find_section(const Elf_Ehdr *hdr,
2683 const Elf_Shdr *sechdrs,
2684 const char *name)
2685 diff -urNp linux-2.6.32.49/arch/powerpc/kernel/pci-common.c linux-2.6.32.49/arch/powerpc/kernel/pci-common.c
2686 --- linux-2.6.32.49/arch/powerpc/kernel/pci-common.c 2011-11-08 19:02:43.000000000 -0500
2687 +++ linux-2.6.32.49/arch/powerpc/kernel/pci-common.c 2011-11-15 19:59:42.000000000 -0500
2688 @@ -50,14 +50,14 @@ resource_size_t isa_mem_base;
2689 unsigned int ppc_pci_flags = 0;
2690
2691
2692 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2693 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2694
2695 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
2696 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
2697 {
2698 pci_dma_ops = dma_ops;
2699 }
2700
2701 -struct dma_map_ops *get_pci_dma_ops(void)
2702 +const struct dma_map_ops *get_pci_dma_ops(void)
2703 {
2704 return pci_dma_ops;
2705 }
2706 diff -urNp linux-2.6.32.49/arch/powerpc/kernel/process.c linux-2.6.32.49/arch/powerpc/kernel/process.c
2707 --- linux-2.6.32.49/arch/powerpc/kernel/process.c 2011-11-08 19:02:43.000000000 -0500
2708 +++ linux-2.6.32.49/arch/powerpc/kernel/process.c 2011-11-15 19:59:42.000000000 -0500
2709 @@ -539,8 +539,8 @@ void show_regs(struct pt_regs * regs)
2710 * Lookup NIP late so we have the best change of getting the
2711 * above info out without failing
2712 */
2713 - printk("NIP ["REG"] %pS\n", regs->nip, (void *)regs->nip);
2714 - printk("LR ["REG"] %pS\n", regs->link, (void *)regs->link);
2715 + printk("NIP ["REG"] %pA\n", regs->nip, (void *)regs->nip);
2716 + printk("LR ["REG"] %pA\n", regs->link, (void *)regs->link);
2717 #endif
2718 show_stack(current, (unsigned long *) regs->gpr[1]);
2719 if (!user_mode(regs))
2720 @@ -1034,10 +1034,10 @@ void show_stack(struct task_struct *tsk,
2721 newsp = stack[0];
2722 ip = stack[STACK_FRAME_LR_SAVE];
2723 if (!firstframe || ip != lr) {
2724 - printk("["REG"] ["REG"] %pS", sp, ip, (void *)ip);
2725 + printk("["REG"] ["REG"] %pA", sp, ip, (void *)ip);
2726 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
2727 if ((ip == rth || ip == mrth) && curr_frame >= 0) {
2728 - printk(" (%pS)",
2729 + printk(" (%pA)",
2730 (void *)current->ret_stack[curr_frame].ret);
2731 curr_frame--;
2732 }
2733 @@ -1057,7 +1057,7 @@ void show_stack(struct task_struct *tsk,
2734 struct pt_regs *regs = (struct pt_regs *)
2735 (sp + STACK_FRAME_OVERHEAD);
2736 lr = regs->link;
2737 - printk("--- Exception: %lx at %pS\n LR = %pS\n",
2738 + printk("--- Exception: %lx at %pA\n LR = %pA\n",
2739 regs->trap, (void *)regs->nip, (void *)lr);
2740 firstframe = 1;
2741 }
2742 @@ -1134,58 +1134,3 @@ void thread_info_cache_init(void)
2743 }
2744
2745 #endif /* THREAD_SHIFT < PAGE_SHIFT */
2746 -
2747 -unsigned long arch_align_stack(unsigned long sp)
2748 -{
2749 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
2750 - sp -= get_random_int() & ~PAGE_MASK;
2751 - return sp & ~0xf;
2752 -}
2753 -
2754 -static inline unsigned long brk_rnd(void)
2755 -{
2756 - unsigned long rnd = 0;
2757 -
2758 - /* 8MB for 32bit, 1GB for 64bit */
2759 - if (is_32bit_task())
2760 - rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
2761 - else
2762 - rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
2763 -
2764 - return rnd << PAGE_SHIFT;
2765 -}
2766 -
2767 -unsigned long arch_randomize_brk(struct mm_struct *mm)
2768 -{
2769 - unsigned long base = mm->brk;
2770 - unsigned long ret;
2771 -
2772 -#ifdef CONFIG_PPC_STD_MMU_64
2773 - /*
2774 - * If we are using 1TB segments and we are allowed to randomise
2775 - * the heap, we can put it above 1TB so it is backed by a 1TB
2776 - * segment. Otherwise the heap will be in the bottom 1TB
2777 - * which always uses 256MB segments and this may result in a
2778 - * performance penalty.
2779 - */
2780 - if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
2781 - base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
2782 -#endif
2783 -
2784 - ret = PAGE_ALIGN(base + brk_rnd());
2785 -
2786 - if (ret < mm->brk)
2787 - return mm->brk;
2788 -
2789 - return ret;
2790 -}
2791 -
2792 -unsigned long randomize_et_dyn(unsigned long base)
2793 -{
2794 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
2795 -
2796 - if (ret < base)
2797 - return base;
2798 -
2799 - return ret;
2800 -}
2801 diff -urNp linux-2.6.32.49/arch/powerpc/kernel/ptrace.c linux-2.6.32.49/arch/powerpc/kernel/ptrace.c
2802 --- linux-2.6.32.49/arch/powerpc/kernel/ptrace.c 2011-11-08 19:02:43.000000000 -0500
2803 +++ linux-2.6.32.49/arch/powerpc/kernel/ptrace.c 2011-11-15 19:59:42.000000000 -0500
2804 @@ -86,7 +86,7 @@ static int set_user_trap(struct task_str
2805 /*
2806 * Get contents of register REGNO in task TASK.
2807 */
2808 -unsigned long ptrace_get_reg(struct task_struct *task, int regno)
2809 +unsigned long ptrace_get_reg(struct task_struct *task, unsigned int regno)
2810 {
2811 if (task->thread.regs == NULL)
2812 return -EIO;
2813 @@ -894,7 +894,7 @@ long arch_ptrace(struct task_struct *chi
2814
2815 CHECK_FULL_REGS(child->thread.regs);
2816 if (index < PT_FPR0) {
2817 - tmp = ptrace_get_reg(child, (int) index);
2818 + tmp = ptrace_get_reg(child, index);
2819 } else {
2820 flush_fp_to_thread(child);
2821 tmp = ((unsigned long *)child->thread.fpr)
2822 diff -urNp linux-2.6.32.49/arch/powerpc/kernel/signal_32.c linux-2.6.32.49/arch/powerpc/kernel/signal_32.c
2823 --- linux-2.6.32.49/arch/powerpc/kernel/signal_32.c 2011-11-08 19:02:43.000000000 -0500
2824 +++ linux-2.6.32.49/arch/powerpc/kernel/signal_32.c 2011-11-15 19:59:42.000000000 -0500
2825 @@ -857,7 +857,7 @@ int handle_rt_signal32(unsigned long sig
2826 /* Save user registers on the stack */
2827 frame = &rt_sf->uc.uc_mcontext;
2828 addr = frame;
2829 - if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
2830 + if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2831 if (save_user_regs(regs, frame, 0, 1))
2832 goto badframe;
2833 regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
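Review bot: The bare `~0UL` compared against `context.vdso_base` here is a magic "no vDSO" marker that must match the value written in arch_setup_additional_pages (vdso.c hunk below) and the identical test in signal_64.c. A shared named constant in a common header (the name is a suggestion, e.g. `#define VDSO_UNMAPPED (~0UL)`) would keep the three sites in step and document why 0 is no longer the marker. Any other reader of `vdso_base` that still tests for zero would now treat an unmapped vDSO as mapped. None is visible in these hunks, so that is worth checking across the tree.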
2834 diff -urNp linux-2.6.32.49/arch/powerpc/kernel/signal_64.c linux-2.6.32.49/arch/powerpc/kernel/signal_64.c
2835 --- linux-2.6.32.49/arch/powerpc/kernel/signal_64.c 2011-11-08 19:02:43.000000000 -0500
2836 +++ linux-2.6.32.49/arch/powerpc/kernel/signal_64.c 2011-11-15 19:59:42.000000000 -0500
2837 @@ -429,7 +429,7 @@ int handle_rt_signal64(int signr, struct
2838 current->thread.fpscr.val = 0;
2839
2840 /* Set up to return from userspace. */
2841 - if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
2842 + if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2843 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
2844 } else {
2845 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
2846 diff -urNp linux-2.6.32.49/arch/powerpc/kernel/sys_ppc32.c linux-2.6.32.49/arch/powerpc/kernel/sys_ppc32.c
2847 --- linux-2.6.32.49/arch/powerpc/kernel/sys_ppc32.c 2011-11-08 19:02:43.000000000 -0500
2848 +++ linux-2.6.32.49/arch/powerpc/kernel/sys_ppc32.c 2011-11-15 19:59:42.000000000 -0500
2849 @@ -563,10 +563,10 @@ asmlinkage long compat_sys_sysctl(struct
2850 if (oldlenp) {
2851 if (!error) {
2852 if (get_user(oldlen, oldlenp) ||
2853 - put_user(oldlen, (compat_size_t __user *)compat_ptr(tmp.oldlenp)))
2854 + put_user(oldlen, (compat_size_t __user *)compat_ptr(tmp.oldlenp)) ||
2855 + copy_to_user(args->__unused, tmp.__unused, sizeof(tmp.__unused)))
2856 error = -EFAULT;
2857 }
2858 - copy_to_user(args->__unused, tmp.__unused, sizeof(tmp.__unused));
2859 }
2860 return error;
2861 }
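Review bot: Moving `copy_to_user(args->__unused, ...)` into the `||` chain changes when it runs as well as checking its result. It is now skipped when `error` is already set and when `get_user` or `put_user` fails, whereas before it ran whenever `oldlenp` was non-NULL. If that is intended, a one-line comment such as `/* __unused is copied back only on success */` would record it. compat_sys_sysctl starts outside this hunk.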
2862 diff -urNp linux-2.6.32.49/arch/powerpc/kernel/traps.c linux-2.6.32.49/arch/powerpc/kernel/traps.c
2863 --- linux-2.6.32.49/arch/powerpc/kernel/traps.c 2011-11-08 19:02:43.000000000 -0500
2864 +++ linux-2.6.32.49/arch/powerpc/kernel/traps.c 2011-11-15 19:59:42.000000000 -0500
2865 @@ -99,6 +99,8 @@ static void pmac_backlight_unblank(void)
2866 static inline void pmac_backlight_unblank(void) { }
2867 #endif
2868
2869 +extern void gr_handle_kernel_exploit(void);
2870 +
2871 int die(const char *str, struct pt_regs *regs, long err)
2872 {
2873 static struct {
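Review bot: `gr_handle_kernel_exploit()` is declared with a local `extern` in this .c file rather than through a header, so the compiler cannot check the prototype against its definition if the two drift apart. Including the header that declares it (not visible in this excerpt) would be safer. In the second hunk the call sits after the `panic_on_oops` branch, so it is not reached when that option is set. If that ordering is deliberate, a short comment at the call site would say so.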
2874 @@ -168,6 +170,8 @@ int die(const char *str, struct pt_regs
2875 if (panic_on_oops)
2876 panic("Fatal exception");
2877
2878 + gr_handle_kernel_exploit();
2879 +
2880 oops_exit();
2881 do_exit(err);
2882
2883 diff -urNp linux-2.6.32.49/arch/powerpc/kernel/vdso.c linux-2.6.32.49/arch/powerpc/kernel/vdso.c
2884 --- linux-2.6.32.49/arch/powerpc/kernel/vdso.c 2011-11-08 19:02:43.000000000 -0500
2885 +++ linux-2.6.32.49/arch/powerpc/kernel/vdso.c 2011-11-15 19:59:42.000000000 -0500
2886 @@ -36,6 +36,7 @@
2887 #include <asm/firmware.h>
2888 #include <asm/vdso.h>
2889 #include <asm/vdso_datapage.h>
2890 +#include <asm/mman.h>
2891
2892 #include "setup.h"
2893
2894 @@ -220,7 +221,7 @@ int arch_setup_additional_pages(struct l
2895 vdso_base = VDSO32_MBASE;
2896 #endif
2897
2898 - current->mm->context.vdso_base = 0;
2899 + current->mm->context.vdso_base = ~0UL;
2900
2901 /* vDSO has a problem and was disabled, just don't "enable" it for the
2902 * process
2903 @@ -240,7 +241,7 @@ int arch_setup_additional_pages(struct l
2904 vdso_base = get_unmapped_area(NULL, vdso_base,
2905 (vdso_pages << PAGE_SHIFT) +
2906 ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
2907 - 0, 0);
2908 + 0, MAP_PRIVATE | MAP_EXECUTABLE);
2909 if (IS_ERR_VALUE(vdso_base)) {
2910 rc = vdso_base;
2911 goto fail_mmapsem;
2912 diff -urNp linux-2.6.32.49/arch/powerpc/kernel/vio.c linux-2.6.32.49/arch/powerpc/kernel/vio.c
2913 --- linux-2.6.32.49/arch/powerpc/kernel/vio.c 2011-11-08 19:02:43.000000000 -0500
2914 +++ linux-2.6.32.49/arch/powerpc/kernel/vio.c 2011-11-15 19:59:42.000000000 -0500
2915 @@ -601,11 +601,12 @@ static void vio_dma_iommu_unmap_sg(struc
2916 vio_cmo_dealloc(viodev, alloc_size);
2917 }
2918
2919 -struct dma_map_ops vio_dma_mapping_ops = {
2920 +static const struct dma_map_ops vio_dma_mapping_ops = {
2921 .alloc_coherent = vio_dma_iommu_alloc_coherent,
2922 .free_coherent = vio_dma_iommu_free_coherent,
2923 .map_sg = vio_dma_iommu_map_sg,
2924 .unmap_sg = vio_dma_iommu_unmap_sg,
2925 + .dma_supported = dma_iommu_dma_supported,
2926 .map_page = vio_dma_iommu_map_page,
2927 .unmap_page = vio_dma_iommu_unmap_page,
2928
2929 @@ -857,7 +858,6 @@ static void vio_cmo_bus_remove(struct vi
2930
2931 static void vio_cmo_set_dma_ops(struct vio_dev *viodev)
2932 {
2933 - vio_dma_mapping_ops.dma_supported = dma_iommu_ops.dma_supported;
2934 viodev->dev.archdata.dma_ops = &vio_dma_mapping_ops;
2935 }
2936
2937 diff -urNp linux-2.6.32.49/arch/powerpc/lib/usercopy_64.c linux-2.6.32.49/arch/powerpc/lib/usercopy_64.c
2938 --- linux-2.6.32.49/arch/powerpc/lib/usercopy_64.c 2011-11-08 19:02:43.000000000 -0500
2939 +++ linux-2.6.32.49/arch/powerpc/lib/usercopy_64.c 2011-11-15 19:59:42.000000000 -0500
2940 @@ -9,22 +9,6 @@
2941 #include <linux/module.h>
2942 #include <asm/uaccess.h>
2943
2944 -unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
2945 -{
2946 - if (likely(access_ok(VERIFY_READ, from, n)))
2947 - n = __copy_from_user(to, from, n);
2948 - else
2949 - memset(to, 0, n);
2950 - return n;
2951 -}
2952 -
2953 -unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
2954 -{
2955 - if (likely(access_ok(VERIFY_WRITE, to, n)))
2956 - n = __copy_to_user(to, from, n);
2957 - return n;
2958 -}
2959 -
2960 unsigned long copy_in_user(void __user *to, const void __user *from,
2961 unsigned long n)
2962 {
2963 @@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *
2964 return n;
2965 }
2966
2967 -EXPORT_SYMBOL(copy_from_user);
2968 -EXPORT_SYMBOL(copy_to_user);
2969 EXPORT_SYMBOL(copy_in_user);
2970
2971 diff -urNp linux-2.6.32.49/arch/powerpc/Makefile linux-2.6.32.49/arch/powerpc/Makefile
2972 --- linux-2.6.32.49/arch/powerpc/Makefile 2011-11-08 19:02:43.000000000 -0500
2973 +++ linux-2.6.32.49/arch/powerpc/Makefile 2011-11-15 19:59:42.000000000 -0500
2974 @@ -74,6 +74,8 @@ KBUILD_AFLAGS += -Iarch/$(ARCH)
2975 KBUILD_CFLAGS += -msoft-float -pipe -Iarch/$(ARCH) $(CFLAGS-y)
2976 CPP = $(CC) -E $(KBUILD_CFLAGS)
2977
2978 +cflags-y += -Wno-sign-compare -Wno-extra
2979 +
2980 CHECKFLAGS += -m$(CONFIG_WORD_SIZE) -D__powerpc__ -D__powerpc$(CONFIG_WORD_SIZE)__
2981
2982 ifeq ($(CONFIG_PPC64),y)
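Review bot: The added line assigns lowercase `cflags-y`, while the `KBUILD_CFLAGS` line just above expands uppercase `$(CFLAGS-y)`. Make variable names are case-sensitive, so unless `cflags-y` is consumed somewhere outside this hunk the two `-Wno-` options never reach the compiler. If they are meant to apply to the whole architecture, `KBUILD_CFLAGS += -Wno-sign-compare -Wno-extra` states that directly. Silencing these warnings arch-wide also hides signed/unsigned comparison mistakes in unrelated code, so a comment naming what needs them would help.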
2983 diff -urNp linux-2.6.32.49/arch/powerpc/mm/fault.c linux-2.6.32.49/arch/powerpc/mm/fault.c
2984 --- linux-2.6.32.49/arch/powerpc/mm/fault.c 2011-11-08 19:02:43.000000000 -0500
2985 +++ linux-2.6.32.49/arch/powerpc/mm/fault.c 2011-11-18 18:01:52.000000000 -0500
2986 @@ -30,6 +30,10 @@
2987 #include <linux/kprobes.h>
2988 #include <linux/kdebug.h>
2989 #include <linux/perf_event.h>
2990 +#include <linux/slab.h>
2991 +#include <linux/pagemap.h>
2992 +#include <linux/compiler.h>
2993 +#include <linux/unistd.h>
2994
2995 #include <asm/firmware.h>
2996 #include <asm/page.h>
2997 @@ -40,6 +44,7 @@
2998 #include <asm/uaccess.h>
2999 #include <asm/tlbflush.h>
3000 #include <asm/siginfo.h>
3001 +#include <asm/ptrace.h>
3002
3003
3004 #ifdef CONFIG_KPROBES
3005 @@ -64,6 +69,33 @@ static inline int notify_page_fault(stru
3006 }
3007 #endif
3008
3009 +#ifdef CONFIG_PAX_PAGEEXEC
3010 +/*
3011 + * PaX: decide what to do with offenders (regs->nip = fault address)
3012 + *
3013 + * returns 1 when task should be killed
3014 + */
3015 +static int pax_handle_fetch_fault(struct pt_regs *regs)
3016 +{
3017 + return 1;
3018 +}
3019 +
3020 +void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
3021 +{
3022 + unsigned long i;
3023 +
3024 + printk(KERN_ERR "PAX: bytes at PC: ");
3025 + for (i = 0; i < 5; i++) {
3026 + unsigned int c;
3027 + if (get_user(c, (unsigned int __user *)pc+i))
3028 + printk(KERN_CONT "???????? ");
3029 + else
3030 + printk(KERN_CONT "%08x ", c);
3031 + }
3032 + printk("\n");
3033 +}
3034 +#endif
3035 +
3036 /*
3037 * Check whether the instruction at regs->nip is a store using
3038 * an update addressing form which will update r1.
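Review bot: In pax_report_insns the closing `printk("\n")` carries no `KERN_CONT`, unlike the calls inside the loop, so it may be emitted as a separate message at the default level; `printk(KERN_CONT "\n");` keeps the dump on one record. The `regs` and `sp` parameters are unused and the word count `5` is a bare literal, both of which deserve a short comment. pax_handle_fetch_fault unconditionally returns 1, so its header comment could say that this architecture has no emulation cases and every fetch fault is fatal.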
3039 @@ -134,7 +166,7 @@ int __kprobes do_page_fault(struct pt_re
3040 * indicate errors in DSISR but can validly be set in SRR1.
3041 */
3042 if (trap == 0x400)
3043 - error_code &= 0x48200000;
3044 + error_code &= 0x58200000;
3045 else
3046 is_write = error_code & DSISR_ISSTORE;
3047 #else
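Review bot: The mask at `error_code &= 0x58200000;` gains bit 0x10000000 with no explanation. The next hunk in this file replaces the literal `0x10000000` with `DSISR_GUARDED`, so this is presumably the same bit, kept so that the later `DSISR_PROTFAULT | DSISR_GUARDED` tests can see it on instruction faults. A comment such as `/* also keep the guarded-storage bit (0x10000000) */`, or spelling the mask with the named bits, would make the intent reviewable. do_page_fault starts and ends outside this hunk.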
3048 @@ -250,7 +282,7 @@ good_area:
3049 * "undefined". Of those that can be set, this is the only
3050 * one which seems bad.
3051 */
3052 - if (error_code & 0x10000000)
3053 + if (error_code & DSISR_GUARDED)
3054 /* Guarded storage error. */
3055 goto bad_area;
3056 #endif /* CONFIG_8xx */
3057 @@ -265,7 +297,7 @@ good_area:
3058 * processors use the same I/D cache coherency mechanism
3059 * as embedded.
3060 */
3061 - if (error_code & DSISR_PROTFAULT)
3062 + if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))
3063 goto bad_area;
3064 #endif /* CONFIG_PPC_STD_MMU */
3065
3066 @@ -335,6 +367,23 @@ bad_area:
3067 bad_area_nosemaphore:
3068 /* User mode accesses cause a SIGSEGV */
3069 if (user_mode(regs)) {
3070 +
3071 +#ifdef CONFIG_PAX_PAGEEXEC
3072 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
3073 +#ifdef CONFIG_PPC_STD_MMU
3074 + if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
3075 +#else
3076 + if (is_exec && regs->nip == address) {
3077 +#endif
3078 + switch (pax_handle_fetch_fault(regs)) {
3079 + }
3080 +
3081 + pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
3082 + do_group_exit(SIGKILL);
3083 + }
3084 + }
3085 +#endif
3086 +
3087 _exception(SIGSEGV, regs, code, address);
3088 return 0;
3089 }
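Review bot: `switch (pax_handle_fetch_fault(regs)) { }` has an empty body, so the return value is discarded and the task is killed regardless. Calling it as a plain statement, `(void)pax_handle_fetch_fault(regs);`, or dropping the call until there are cases to dispatch on, would read more honestly. The `#ifdef CONFIG_PPC_STD_MMU` pair also opens the same `if (...) {` on two alternative lines, so brace matching depends on the preprocessor. Computing the condition into a local under the `#ifdef` and testing it once would avoid that.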
3090 diff -urNp linux-2.6.32.49/arch/powerpc/mm/mem.c linux-2.6.32.49/arch/powerpc/mm/mem.c
3091 --- linux-2.6.32.49/arch/powerpc/mm/mem.c 2011-11-08 19:02:43.000000000 -0500
3092 +++ linux-2.6.32.49/arch/powerpc/mm/mem.c 2011-11-15 19:59:42.000000000 -0500
3093 @@ -250,7 +250,7 @@ static int __init mark_nonram_nosave(voi
3094 {
3095 unsigned long lmb_next_region_start_pfn,
3096 lmb_region_max_pfn;
3097 - int i;
3098 + unsigned int i;
3099
3100 for (i = 0; i < lmb.memory.cnt - 1; i++) {
3101 lmb_region_max_pfn =
3102 diff -urNp linux-2.6.32.49/arch/powerpc/mm/mmap_64.c linux-2.6.32.49/arch/powerpc/mm/mmap_64.c
3103 --- linux-2.6.32.49/arch/powerpc/mm/mmap_64.c 2011-11-08 19:02:43.000000000 -0500
3104 +++ linux-2.6.32.49/arch/powerpc/mm/mmap_64.c 2011-11-15 19:59:42.000000000 -0500
3105 @@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str
3106 */
3107 if (mmap_is_legacy()) {
3108 mm->mmap_base = TASK_UNMAPPED_BASE;
3109 +
3110 +#ifdef CONFIG_PAX_RANDMMAP
3111 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3112 + mm->mmap_base += mm->delta_mmap;
3113 +#endif
3114 +
3115 mm->get_unmapped_area = arch_get_unmapped_area;
3116 mm->unmap_area = arch_unmap_area;
3117 } else {
3118 mm->mmap_base = mmap_base();
3119 +
3120 +#ifdef CONFIG_PAX_RANDMMAP
3121 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3122 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3123 +#endif
3124 +
3125 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3126 mm->unmap_area = arch_unmap_area_topdown;
3127 }
3128 diff -urNp linux-2.6.32.49/arch/powerpc/mm/slice.c linux-2.6.32.49/arch/powerpc/mm/slice.c
3129 --- linux-2.6.32.49/arch/powerpc/mm/slice.c 2011-11-08 19:02:43.000000000 -0500
3130 +++ linux-2.6.32.49/arch/powerpc/mm/slice.c 2011-11-15 19:59:42.000000000 -0500
3131 @@ -98,7 +98,7 @@ static int slice_area_is_free(struct mm_
3132 if ((mm->task_size - len) < addr)
3133 return 0;
3134 vma = find_vma(mm, addr);
3135 - return (!vma || (addr + len) <= vma->vm_start);
3136 + return check_heap_stack_gap(vma, addr, len);
3137 }
3138
3139 static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
3140 @@ -256,7 +256,7 @@ full_search:
3141 addr = _ALIGN_UP(addr + 1, 1ul << SLICE_HIGH_SHIFT);
3142 continue;
3143 }
3144 - if (!vma || addr + len <= vma->vm_start) {
3145 + if (check_heap_stack_gap(vma, addr, len)) {
3146 /*
3147 * Remember the place where we stopped the search:
3148 */
3149 @@ -313,10 +313,14 @@ static unsigned long slice_find_area_top
3150 }
3151 }
3152
3153 - addr = mm->mmap_base;
3154 - while (addr > len) {
3155 + if (mm->mmap_base < len)
3156 + addr = -ENOMEM;
3157 + else
3158 + addr = mm->mmap_base - len;
3159 +
3160 + while (!IS_ERR_VALUE(addr)) {
3161 /* Go down by chunk size */
3162 - addr = _ALIGN_DOWN(addr - len, 1ul << pshift);
3163 + addr = _ALIGN_DOWN(addr, 1ul << pshift);
3164
3165 /* Check for hit with different page size */
3166 mask = slice_range_to_mask(addr, len);
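Review bot: The loop no longer lowers `addr` on entry: the top-of-loop step changed from `_ALIGN_DOWN(addr - len, ...)` to `_ALIGN_DOWN(addr, ...)`, and the exit test is now `!IS_ERR_VALUE(addr)`. Progress therefore depends on the reassignment at the bottom of the loop (`skip_heap_stack_gap(vma, len)` in a later hunk). Any path in the body that reaches the next iteration without changing `addr` would re-test the same aligned address indefinitely. The rest of the loop body is outside this hunk, so each `continue` in it needs checking. A comment at the loop head stating what guarantees termination would help.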
3167 @@ -336,7 +340,7 @@ static unsigned long slice_find_area_top
3168 * return with success:
3169 */
3170 vma = find_vma(mm, addr);
3171 - if (!vma || (addr + len) <= vma->vm_start) {
3172 + if (check_heap_stack_gap(vma, addr, len)) {
3173 /* remember the address as a hint for next time */
3174 if (use_cache)
3175 mm->free_area_cache = addr;
3176 @@ -348,7 +352,7 @@ static unsigned long slice_find_area_top
3177 mm->cached_hole_size = vma->vm_start - addr;
3178
3179 /* try just below the current vma->vm_start */
3180 - addr = vma->vm_start;
3181 + addr = skip_heap_stack_gap(vma, len);
3182 }
3183
3184 /*
3185 @@ -426,6 +430,11 @@ unsigned long slice_get_unmapped_area(un
3186 if (fixed && addr > (mm->task_size - len))
3187 return -EINVAL;
3188
3189 +#ifdef CONFIG_PAX_RANDMMAP
3190 + if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
3191 + addr = 0;
3192 +#endif
3193 +
3194 /* If hint, make sure it matches our alignment restrictions */
3195 if (!fixed && addr) {
3196 addr = _ALIGN_UP(addr, 1ul << pshift);
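Review bot: The `addr = 0` override has no comment saying why a caller's hint is discarded for non-fixed requests. I would add `/* RANDMMAP: ignore the address hint for non-fixed requests so placement is decided by the randomized search */` above the `#ifdef`. That reading is inferred from the flag name, so adjust the wording if the intent differs. slice_get_unmapped_area continues outside the hunk.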
3197 diff -urNp linux-2.6.32.49/arch/powerpc/platforms/52xx/lite5200_pm.c linux-2.6.32.49/arch/powerpc/platforms/52xx/lite5200_pm.c
3198 --- linux-2.6.32.49/arch/powerpc/platforms/52xx/lite5200_pm.c 2011-11-08 19:02:43.000000000 -0500
3199 +++ linux-2.6.32.49/arch/powerpc/platforms/52xx/lite5200_pm.c 2011-11-15 19:59:42.000000000 -0500
3200 @@ -235,7 +235,7 @@ static void lite5200_pm_end(void)
3201 lite5200_pm_target_state = PM_SUSPEND_ON;
3202 }
3203
3204 -static struct platform_suspend_ops lite5200_pm_ops = {
3205 +static const struct platform_suspend_ops lite5200_pm_ops = {
3206 .valid = lite5200_pm_valid,
3207 .begin = lite5200_pm_begin,
3208 .prepare = lite5200_pm_prepare,
3209 diff -urNp linux-2.6.32.49/arch/powerpc/platforms/52xx/mpc52xx_pm.c linux-2.6.32.49/arch/powerpc/platforms/52xx/mpc52xx_pm.c
3210 --- linux-2.6.32.49/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2011-11-08 19:02:43.000000000 -0500
3211 +++ linux-2.6.32.49/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2011-11-15 19:59:42.000000000 -0500
3212 @@ -180,7 +180,7 @@ void mpc52xx_pm_finish(void)
3213 iounmap(mbar);
3214 }
3215
3216 -static struct platform_suspend_ops mpc52xx_pm_ops = {
3217 +static const struct platform_suspend_ops mpc52xx_pm_ops = {
3218 .valid = mpc52xx_pm_valid,
3219 .prepare = mpc52xx_pm_prepare,
3220 .enter = mpc52xx_pm_enter,
3221 diff -urNp linux-2.6.32.49/arch/powerpc/platforms/83xx/suspend.c linux-2.6.32.49/arch/powerpc/platforms/83xx/suspend.c
3222 --- linux-2.6.32.49/arch/powerpc/platforms/83xx/suspend.c 2011-11-08 19:02:43.000000000 -0500
3223 +++ linux-2.6.32.49/arch/powerpc/platforms/83xx/suspend.c 2011-11-15 19:59:42.000000000 -0500
3224 @@ -273,7 +273,7 @@ static int mpc83xx_is_pci_agent(void)
3225 return ret;
3226 }
3227
3228 -static struct platform_suspend_ops mpc83xx_suspend_ops = {
3229 +static const struct platform_suspend_ops mpc83xx_suspend_ops = {
3230 .valid = mpc83xx_suspend_valid,
3231 .begin = mpc83xx_suspend_begin,
3232 .enter = mpc83xx_suspend_enter,
3233 diff -urNp linux-2.6.32.49/arch/powerpc/platforms/cell/iommu.c linux-2.6.32.49/arch/powerpc/platforms/cell/iommu.c
3234 --- linux-2.6.32.49/arch/powerpc/platforms/cell/iommu.c 2011-11-08 19:02:43.000000000 -0500
3235 +++ linux-2.6.32.49/arch/powerpc/platforms/cell/iommu.c 2011-11-15 19:59:42.000000000 -0500
3236 @@ -642,7 +642,7 @@ static int dma_fixed_dma_supported(struc
3237
3238 static int dma_set_mask_and_switch(struct device *dev, u64 dma_mask);
3239
3240 -struct dma_map_ops dma_iommu_fixed_ops = {
3241 +const struct dma_map_ops dma_iommu_fixed_ops = {
3242 .alloc_coherent = dma_fixed_alloc_coherent,
3243 .free_coherent = dma_fixed_free_coherent,
3244 .map_sg = dma_fixed_map_sg,
3245 diff -urNp linux-2.6.32.49/arch/powerpc/platforms/ps3/system-bus.c linux-2.6.32.49/arch/powerpc/platforms/ps3/system-bus.c
3246 --- linux-2.6.32.49/arch/powerpc/platforms/ps3/system-bus.c 2011-11-08 19:02:43.000000000 -0500
3247 +++ linux-2.6.32.49/arch/powerpc/platforms/ps3/system-bus.c 2011-11-15 19:59:42.000000000 -0500
3248 @@ -694,7 +694,7 @@ static int ps3_dma_supported(struct devi
3249 return mask >= DMA_BIT_MASK(32);
3250 }
3251
3252 -static struct dma_map_ops ps3_sb_dma_ops = {
3253 +static const struct dma_map_ops ps3_sb_dma_ops = {
3254 .alloc_coherent = ps3_alloc_coherent,
3255 .free_coherent = ps3_free_coherent,
3256 .map_sg = ps3_sb_map_sg,
3257 @@ -704,7 +704,7 @@ static struct dma_map_ops ps3_sb_dma_ops
3258 .unmap_page = ps3_unmap_page,
3259 };
3260
3261 -static struct dma_map_ops ps3_ioc0_dma_ops = {
3262 +static const struct dma_map_ops ps3_ioc0_dma_ops = {
3263 .alloc_coherent = ps3_alloc_coherent,
3264 .free_coherent = ps3_free_coherent,
3265 .map_sg = ps3_ioc0_map_sg,
3266 diff -urNp linux-2.6.32.49/arch/powerpc/platforms/pseries/Kconfig linux-2.6.32.49/arch/powerpc/platforms/pseries/Kconfig
3267 --- linux-2.6.32.49/arch/powerpc/platforms/pseries/Kconfig 2011-11-08 19:02:43.000000000 -0500
3268 +++ linux-2.6.32.49/arch/powerpc/platforms/pseries/Kconfig 2011-11-15 19:59:42.000000000 -0500
3269 @@ -2,6 +2,8 @@ config PPC_PSERIES
3270 depends on PPC64 && PPC_BOOK3S
3271 bool "IBM pSeries & new (POWER5-based) iSeries"
3272 select MPIC
3273 + select PCI_MSI
3274 + select XICS
3275 select PPC_I8259
3276 select PPC_RTAS
3277 select RTAS_ERROR_LOGGING
3278 diff -urNp linux-2.6.32.49/arch/s390/include/asm/elf.h linux-2.6.32.49/arch/s390/include/asm/elf.h
3279 --- linux-2.6.32.49/arch/s390/include/asm/elf.h 2011-11-08 19:02:43.000000000 -0500
3280 +++ linux-2.6.32.49/arch/s390/include/asm/elf.h 2011-11-15 19:59:42.000000000 -0500
3281 @@ -164,6 +164,13 @@ extern unsigned int vdso_enabled;
3282 that it will "exec", and that there is sufficient room for the brk. */
3283 #define ELF_ET_DYN_BASE (STACK_TOP / 3 * 2)
3284
3285 +#ifdef CONFIG_PAX_ASLR
3286 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
3287 +
3288 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
3289 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
3290 +#endif
3291 +
3292 /* This yields a mask that user programs can use to figure out what
3293 instruction set this CPU supports. */
3294
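Review bot: `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` are bare numbers with no comment on their unit or on how the 31-bit and 64-bit values were chosen. A one-line comment such as `/* bits of randomization applied to the mmap and stack bases (presumably in page units) */` would help, with the unit confirmed against the code that consumes these macros, which is not in this hunk. The stray space in `26 )` could go as well. The sparc `elf_32.h` and `elf_64.h` hunks later in this patch add the same macros without comments.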
3295 diff -urNp linux-2.6.32.49/arch/s390/include/asm/setup.h linux-2.6.32.49/arch/s390/include/asm/setup.h
3296 --- linux-2.6.32.49/arch/s390/include/asm/setup.h 2011-11-08 19:02:43.000000000 -0500
3297 +++ linux-2.6.32.49/arch/s390/include/asm/setup.h 2011-11-15 19:59:42.000000000 -0500
3298 @@ -50,13 +50,13 @@ extern unsigned long memory_end;
3299 void detect_memory_layout(struct mem_chunk chunk[]);
3300
3301 #ifdef CONFIG_S390_SWITCH_AMODE
3302 -extern unsigned int switch_amode;
3303 +#define switch_amode (1)
3304 #else
3305 #define switch_amode (0)
3306 #endif
3307
3308 #ifdef CONFIG_S390_EXEC_PROTECT
3309 -extern unsigned int s390_noexec;
3310 +#define s390_noexec (1)
3311 #else
3312 #define s390_noexec (0)
3313 #endif
3314 diff -urNp linux-2.6.32.49/arch/s390/include/asm/uaccess.h linux-2.6.32.49/arch/s390/include/asm/uaccess.h
3315 --- linux-2.6.32.49/arch/s390/include/asm/uaccess.h 2011-11-08 19:02:43.000000000 -0500
3316 +++ linux-2.6.32.49/arch/s390/include/asm/uaccess.h 2011-11-15 19:59:42.000000000 -0500
3317 @@ -232,6 +232,10 @@ static inline unsigned long __must_check
3318 copy_to_user(void __user *to, const void *from, unsigned long n)
3319 {
3320 might_fault();
3321 +
3322 + if ((long)n < 0)
3323 + return n;
3324 +
3325 if (access_ok(VERIFY_WRITE, to, n))
3326 n = __copy_to_user(to, from, n);
3327 return n;
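Review bot: `__copy_to_user` gets no matching guard in this file's hunks, although `__copy_from_user` does in the next hunk. As far as this diff shows, a direct caller passing a length with the top bit set would still reach the copy routine; its body is outside the diff, so confirm whether it is covered elsewhere. The test `if ((long)n < 0) return n;` is added here and in the two following hunks (`__copy_from_user`, `copy_from_user`) with no comment. Something like `/* a length with the sign bit set is a size calculation gone wrong: copy nothing and report all n bytes as uncopied */` above each would explain the return value. In `copy_from_user` the early return also bypasses the `else` branch after `access_ok()`, whose body is outside the hunk, so the destination is left untouched on this path.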
3328 @@ -257,6 +261,9 @@ copy_to_user(void __user *to, const void
3329 static inline unsigned long __must_check
3330 __copy_from_user(void *to, const void __user *from, unsigned long n)
3331 {
3332 + if ((long)n < 0)
3333 + return n;
3334 +
3335 if (__builtin_constant_p(n) && (n <= 256))
3336 return uaccess.copy_from_user_small(n, from, to);
3337 else
3338 @@ -283,6 +290,10 @@ static inline unsigned long __must_check
3339 copy_from_user(void *to, const void __user *from, unsigned long n)
3340 {
3341 might_fault();
3342 +
3343 + if ((long)n < 0)
3344 + return n;
3345 +
3346 if (access_ok(VERIFY_READ, from, n))
3347 n = __copy_from_user(to, from, n);
3348 else
3349 diff -urNp linux-2.6.32.49/arch/s390/Kconfig linux-2.6.32.49/arch/s390/Kconfig
3350 --- linux-2.6.32.49/arch/s390/Kconfig 2011-11-08 19:02:43.000000000 -0500
3351 +++ linux-2.6.32.49/arch/s390/Kconfig 2011-11-15 19:59:42.000000000 -0500
3352 @@ -194,28 +194,26 @@ config AUDIT_ARCH
3353
3354 config S390_SWITCH_AMODE
3355 bool "Switch kernel/user addressing modes"
3356 + default y
3357 help
3358 This option allows to switch the addressing modes of kernel and user
3359 - space. The kernel parameter switch_amode=on will enable this feature,
3360 - default is disabled. Enabling this (via kernel parameter) on machines
3361 - earlier than IBM System z9-109 EC/BC will reduce system performance.
3362 + space. Enabling this on machines earlier than IBM System z9-109 EC/BC
3363 + will reduce system performance.
3364
3365 Note that this option will also be selected by selecting the execute
3366 - protection option below. Enabling the execute protection via the
3367 - noexec kernel parameter will also switch the addressing modes,
3368 - independent of the switch_amode kernel parameter.
3369 + protection option below. Enabling the execute protection will also
3370 + switch the addressing modes, independent of this option.
3371
3372
3373 config S390_EXEC_PROTECT
3374 bool "Data execute protection"
3375 + default y
3376 select S390_SWITCH_AMODE
3377 help
3378 This option allows to enable a buffer overflow protection for user
3379 space programs and it also selects the addressing mode option above.
3380 - The kernel parameter noexec=on will enable this feature and also
3381 - switch the addressing modes, default is disabled. Enabling this (via
3382 - kernel parameter) on machines earlier than IBM System z9-109 EC/BC
3383 - will reduce system performance.
3384 + Enabling this on machines earlier than IBM System z9-109 EC/BC will
3385 + reduce system performance.
3386
3387 comment "Code generation options"
3388
3389 diff -urNp linux-2.6.32.49/arch/s390/kernel/module.c linux-2.6.32.49/arch/s390/kernel/module.c
3390 --- linux-2.6.32.49/arch/s390/kernel/module.c 2011-11-08 19:02:43.000000000 -0500
3391 +++ linux-2.6.32.49/arch/s390/kernel/module.c 2011-11-15 19:59:42.000000000 -0500
3392 @@ -166,11 +166,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
3393
3394 /* Increase core size by size of got & plt and set start
3395 offsets for got and plt. */
3396 - me->core_size = ALIGN(me->core_size, 4);
3397 - me->arch.got_offset = me->core_size;
3398 - me->core_size += me->arch.got_size;
3399 - me->arch.plt_offset = me->core_size;
3400 - me->core_size += me->arch.plt_size;
3401 + me->core_size_rw = ALIGN(me->core_size_rw, 4);
3402 + me->arch.got_offset = me->core_size_rw;
3403 + me->core_size_rw += me->arch.got_size;
3404 + me->arch.plt_offset = me->core_size_rx;
3405 + me->core_size_rx += me->arch.plt_size;
3406 return 0;
3407 }
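Review bot: `me->arch.plt_offset` is taken from `me->core_size_rx` without aligning it first; only `core_size_rw` is passed through `ALIGN()` now. In the old code the PLT followed a GOT that started on a 4-byte boundary. The PLT entries are written through an `unsigned int *` in the PLT relocation cases of `apply_rela()` further down. I would add `me->core_size_rx = ALIGN(me->core_size_rx, 4);` before the `plt_offset` assignment, unless the section layout code already guarantees that alignment. module_frob_arch_sections starts outside the hunk.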
3408
3409 @@ -256,7 +256,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3410 if (info->got_initialized == 0) {
3411 Elf_Addr *gotent;
3412
3413 - gotent = me->module_core + me->arch.got_offset +
3414 + gotent = me->module_core_rw + me->arch.got_offset +
3415 info->got_offset;
3416 *gotent = val;
3417 info->got_initialized = 1;
3418 @@ -280,7 +280,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3419 else if (r_type == R_390_GOTENT ||
3420 r_type == R_390_GOTPLTENT)
3421 *(unsigned int *) loc =
3422 - (val + (Elf_Addr) me->module_core - loc) >> 1;
3423 + (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
3424 else if (r_type == R_390_GOT64 ||
3425 r_type == R_390_GOTPLT64)
3426 *(unsigned long *) loc = val;
3427 @@ -294,7 +294,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3428 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
3429 if (info->plt_initialized == 0) {
3430 unsigned int *ip;
3431 - ip = me->module_core + me->arch.plt_offset +
3432 + ip = me->module_core_rx + me->arch.plt_offset +
3433 info->plt_offset;
3434 #ifndef CONFIG_64BIT
3435 ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
3436 @@ -319,7 +319,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3437 val - loc + 0xffffUL < 0x1ffffeUL) ||
3438 (r_type == R_390_PLT32DBL &&
3439 val - loc + 0xffffffffULL < 0x1fffffffeULL)))
3440 - val = (Elf_Addr) me->module_core +
3441 + val = (Elf_Addr) me->module_core_rx +
3442 me->arch.plt_offset +
3443 info->plt_offset;
3444 val += rela->r_addend - loc;
3445 @@ -341,7 +341,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3446 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
3447 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
3448 val = val + rela->r_addend -
3449 - ((Elf_Addr) me->module_core + me->arch.got_offset);
3450 + ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
3451 if (r_type == R_390_GOTOFF16)
3452 *(unsigned short *) loc = val;
3453 else if (r_type == R_390_GOTOFF32)
3454 @@ -351,7 +351,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3455 break;
3456 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
3457 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
3458 - val = (Elf_Addr) me->module_core + me->arch.got_offset +
3459 + val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
3460 rela->r_addend - loc;
3461 if (r_type == R_390_GOTPC)
3462 *(unsigned int *) loc = val;
3463 diff -urNp linux-2.6.32.49/arch/s390/kernel/setup.c linux-2.6.32.49/arch/s390/kernel/setup.c
3464 --- linux-2.6.32.49/arch/s390/kernel/setup.c 2011-11-08 19:02:43.000000000 -0500
3465 +++ linux-2.6.32.49/arch/s390/kernel/setup.c 2011-11-15 19:59:42.000000000 -0500
3466 @@ -306,9 +306,6 @@ static int __init early_parse_mem(char *
3467 early_param("mem", early_parse_mem);
3468
3469 #ifdef CONFIG_S390_SWITCH_AMODE
3470 -unsigned int switch_amode = 0;
3471 -EXPORT_SYMBOL_GPL(switch_amode);
3472 -
3473 static int set_amode_and_uaccess(unsigned long user_amode,
3474 unsigned long user32_amode)
3475 {
3476 @@ -334,17 +331,6 @@ static int set_amode_and_uaccess(unsigne
3477 return 0;
3478 }
3479 }
3480 -
3481 -/*
3482 - * Switch kernel/user addressing modes?
3483 - */
3484 -static int __init early_parse_switch_amode(char *p)
3485 -{
3486 - switch_amode = 1;
3487 - return 0;
3488 -}
3489 -early_param("switch_amode", early_parse_switch_amode);
3490 -
3491 #else /* CONFIG_S390_SWITCH_AMODE */
3492 static inline int set_amode_and_uaccess(unsigned long user_amode,
3493 unsigned long user32_amode)
3494 @@ -353,24 +339,6 @@ static inline int set_amode_and_uaccess(
3495 }
3496 #endif /* CONFIG_S390_SWITCH_AMODE */
3497
3498 -#ifdef CONFIG_S390_EXEC_PROTECT
3499 -unsigned int s390_noexec = 0;
3500 -EXPORT_SYMBOL_GPL(s390_noexec);
3501 -
3502 -/*
3503 - * Enable execute protection?
3504 - */
3505 -static int __init early_parse_noexec(char *p)
3506 -{
3507 - if (!strncmp(p, "off", 3))
3508 - return 0;
3509 - switch_amode = 1;
3510 - s390_noexec = 1;
3511 - return 0;
3512 -}
3513 -early_param("noexec", early_parse_noexec);
3514 -#endif /* CONFIG_S390_EXEC_PROTECT */
3515 -
3516 static void setup_addressing_mode(void)
3517 {
3518 if (s390_noexec) {
3519 diff -urNp linux-2.6.32.49/arch/s390/mm/mmap.c linux-2.6.32.49/arch/s390/mm/mmap.c
3520 --- linux-2.6.32.49/arch/s390/mm/mmap.c 2011-11-08 19:02:43.000000000 -0500
3521 +++ linux-2.6.32.49/arch/s390/mm/mmap.c 2011-11-15 19:59:42.000000000 -0500
3522 @@ -78,10 +78,22 @@ void arch_pick_mmap_layout(struct mm_str
3523 */
3524 if (mmap_is_legacy()) {
3525 mm->mmap_base = TASK_UNMAPPED_BASE;
3526 +
3527 +#ifdef CONFIG_PAX_RANDMMAP
3528 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3529 + mm->mmap_base += mm->delta_mmap;
3530 +#endif
3531 +
3532 mm->get_unmapped_area = arch_get_unmapped_area;
3533 mm->unmap_area = arch_unmap_area;
3534 } else {
3535 mm->mmap_base = mmap_base();
3536 +
3537 +#ifdef CONFIG_PAX_RANDMMAP
3538 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3539 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3540 +#endif
3541 +
3542 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3543 mm->unmap_area = arch_unmap_area_topdown;
3544 }
3545 @@ -153,10 +165,22 @@ void arch_pick_mmap_layout(struct mm_str
3546 */
3547 if (mmap_is_legacy()) {
3548 mm->mmap_base = TASK_UNMAPPED_BASE;
3549 +
3550 +#ifdef CONFIG_PAX_RANDMMAP
3551 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3552 + mm->mmap_base += mm->delta_mmap;
3553 +#endif
3554 +
3555 mm->get_unmapped_area = s390_get_unmapped_area;
3556 mm->unmap_area = arch_unmap_area;
3557 } else {
3558 mm->mmap_base = mmap_base();
3559 +
3560 +#ifdef CONFIG_PAX_RANDMMAP
3561 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3562 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3563 +#endif
3564 +
3565 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
3566 mm->unmap_area = arch_unmap_area_topdown;
3567 }
3568 diff -urNp linux-2.6.32.49/arch/score/include/asm/system.h linux-2.6.32.49/arch/score/include/asm/system.h
3569 --- linux-2.6.32.49/arch/score/include/asm/system.h 2011-11-08 19:02:43.000000000 -0500
3570 +++ linux-2.6.32.49/arch/score/include/asm/system.h 2011-11-15 19:59:42.000000000 -0500
3571 @@ -17,7 +17,7 @@ do { \
3572 #define finish_arch_switch(prev) do {} while (0)
3573
3574 typedef void (*vi_handler_t)(void);
3575 -extern unsigned long arch_align_stack(unsigned long sp);
3576 +#define arch_align_stack(x) (x)
3577
3578 #define mb() barrier()
3579 #define rmb() barrier()
3580 diff -urNp linux-2.6.32.49/arch/score/kernel/process.c linux-2.6.32.49/arch/score/kernel/process.c
3581 --- linux-2.6.32.49/arch/score/kernel/process.c 2011-11-08 19:02:43.000000000 -0500
3582 +++ linux-2.6.32.49/arch/score/kernel/process.c 2011-11-15 19:59:42.000000000 -0500
3583 @@ -161,8 +161,3 @@ unsigned long get_wchan(struct task_stru
3584
3585 return task_pt_regs(task)->cp0_epc;
3586 }
3587 -
3588 -unsigned long arch_align_stack(unsigned long sp)
3589 -{
3590 - return sp;
3591 -}
3592 diff -urNp linux-2.6.32.49/arch/sh/boards/mach-hp6xx/pm.c linux-2.6.32.49/arch/sh/boards/mach-hp6xx/pm.c
3593 --- linux-2.6.32.49/arch/sh/boards/mach-hp6xx/pm.c 2011-11-08 19:02:43.000000000 -0500
3594 +++ linux-2.6.32.49/arch/sh/boards/mach-hp6xx/pm.c 2011-11-15 19:59:42.000000000 -0500
3595 @@ -143,7 +143,7 @@ static int hp6x0_pm_enter(suspend_state_
3596 return 0;
3597 }
3598
3599 -static struct platform_suspend_ops hp6x0_pm_ops = {
3600 +static const struct platform_suspend_ops hp6x0_pm_ops = {
3601 .enter = hp6x0_pm_enter,
3602 .valid = suspend_valid_only_mem,
3603 };
3604 diff -urNp linux-2.6.32.49/arch/sh/kernel/cpu/sh4/sq.c linux-2.6.32.49/arch/sh/kernel/cpu/sh4/sq.c
3605 --- linux-2.6.32.49/arch/sh/kernel/cpu/sh4/sq.c 2011-11-08 19:02:43.000000000 -0500
3606 +++ linux-2.6.32.49/arch/sh/kernel/cpu/sh4/sq.c 2011-11-15 19:59:42.000000000 -0500
3607 @@ -327,7 +327,7 @@ static struct attribute *sq_sysfs_attrs[
3608 NULL,
3609 };
3610
3611 -static struct sysfs_ops sq_sysfs_ops = {
3612 +static const struct sysfs_ops sq_sysfs_ops = {
3613 .show = sq_sysfs_show,
3614 .store = sq_sysfs_store,
3615 };
3616 diff -urNp linux-2.6.32.49/arch/sh/kernel/cpu/shmobile/pm.c linux-2.6.32.49/arch/sh/kernel/cpu/shmobile/pm.c
3617 --- linux-2.6.32.49/arch/sh/kernel/cpu/shmobile/pm.c 2011-11-08 19:02:43.000000000 -0500
3618 +++ linux-2.6.32.49/arch/sh/kernel/cpu/shmobile/pm.c 2011-11-15 19:59:42.000000000 -0500
3619 @@ -58,7 +58,7 @@ static int sh_pm_enter(suspend_state_t s
3620 return 0;
3621 }
3622
3623 -static struct platform_suspend_ops sh_pm_ops = {
3624 +static const struct platform_suspend_ops sh_pm_ops = {
3625 .enter = sh_pm_enter,
3626 .valid = suspend_valid_only_mem,
3627 };
3628 diff -urNp linux-2.6.32.49/arch/sh/kernel/kgdb.c linux-2.6.32.49/arch/sh/kernel/kgdb.c
3629 --- linux-2.6.32.49/arch/sh/kernel/kgdb.c 2011-11-08 19:02:43.000000000 -0500
3630 +++ linux-2.6.32.49/arch/sh/kernel/kgdb.c 2011-11-15 19:59:42.000000000 -0500
3631 @@ -271,7 +271,7 @@ void kgdb_arch_exit(void)
3632 {
3633 }
3634
3635 -struct kgdb_arch arch_kgdb_ops = {
3636 +const struct kgdb_arch arch_kgdb_ops = {
3637 /* Breakpoint instruction: trapa #0x3c */
3638 #ifdef CONFIG_CPU_LITTLE_ENDIAN
3639 .gdb_bpt_instr = { 0x3c, 0xc3 },
3640 diff -urNp linux-2.6.32.49/arch/sh/mm/mmap.c linux-2.6.32.49/arch/sh/mm/mmap.c
3641 --- linux-2.6.32.49/arch/sh/mm/mmap.c 2011-11-08 19:02:43.000000000 -0500
3642 +++ linux-2.6.32.49/arch/sh/mm/mmap.c 2011-11-15 19:59:42.000000000 -0500
3643 @@ -74,8 +74,7 @@ unsigned long arch_get_unmapped_area(str
3644 addr = PAGE_ALIGN(addr);
3645
3646 vma = find_vma(mm, addr);
3647 - if (TASK_SIZE - len >= addr &&
3648 - (!vma || addr + len <= vma->vm_start))
3649 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3650 return addr;
3651 }
3652
3653 @@ -106,7 +105,7 @@ full_search:
3654 }
3655 return -ENOMEM;
3656 }
3657 - if (likely(!vma || addr + len <= vma->vm_start)) {
3658 + if (likely(check_heap_stack_gap(vma, addr, len))) {
3659 /*
3660 * Remember the place where we stopped the search:
3661 */
3662 @@ -157,8 +156,7 @@ arch_get_unmapped_area_topdown(struct fi
3663 addr = PAGE_ALIGN(addr);
3664
3665 vma = find_vma(mm, addr);
3666 - if (TASK_SIZE - len >= addr &&
3667 - (!vma || addr + len <= vma->vm_start))
3668 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3669 return addr;
3670 }
3671
3672 @@ -179,7 +177,7 @@ arch_get_unmapped_area_topdown(struct fi
3673 /* make sure it can fit in the remaining address space */
3674 if (likely(addr > len)) {
3675 vma = find_vma(mm, addr-len);
3676 - if (!vma || addr <= vma->vm_start) {
3677 + if (check_heap_stack_gap(vma, addr - len, len)) {
3678 /* remember the address as a hint for next time */
3679 return (mm->free_area_cache = addr-len);
3680 }
3681 @@ -188,18 +186,18 @@ arch_get_unmapped_area_topdown(struct fi
3682 if (unlikely(mm->mmap_base < len))
3683 goto bottomup;
3684
3685 - addr = mm->mmap_base-len;
3686 - if (do_colour_align)
3687 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3688 + addr = mm->mmap_base - len;
3689
3690 do {
3691 + if (do_colour_align)
3692 + addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3693 /*
3694 * Lookup failure means no vma is above this address,
3695 * else if new region fits below vma->vm_start,
3696 * return with success:
3697 */
3698 vma = find_vma(mm, addr);
3699 - if (likely(!vma || addr+len <= vma->vm_start)) {
3700 + if (likely(check_heap_stack_gap(vma, addr, len))) {
3701 /* remember the address as a hint for next time */
3702 return (mm->free_area_cache = addr);
3703 }
3704 @@ -209,10 +207,8 @@ arch_get_unmapped_area_topdown(struct fi
3705 mm->cached_hole_size = vma->vm_start - addr;
3706
3707 /* try just below the current vma->vm_start */
3708 - addr = vma->vm_start-len;
3709 - if (do_colour_align)
3710 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3711 - } while (likely(len < vma->vm_start));
3712 + addr = skip_heap_stack_gap(vma, len);
3713 + } while (!IS_ERR_VALUE(addr));
3714
3715 bottomup:
3716 /*
3717 diff -urNp linux-2.6.32.49/arch/sparc/include/asm/atomic_64.h linux-2.6.32.49/arch/sparc/include/asm/atomic_64.h
3718 --- linux-2.6.32.49/arch/sparc/include/asm/atomic_64.h 2011-11-08 19:02:43.000000000 -0500
3719 +++ linux-2.6.32.49/arch/sparc/include/asm/atomic_64.h 2011-11-15 19:59:42.000000000 -0500
3720 @@ -14,18 +14,40 @@
3721 #define ATOMIC64_INIT(i) { (i) }
3722
3723 #define atomic_read(v) ((v)->counter)
3724 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
3725 +{
3726 + return v->counter;
3727 +}
3728 #define atomic64_read(v) ((v)->counter)
3729 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
3730 +{
3731 + return v->counter;
3732 +}
3733
3734 #define atomic_set(v, i) (((v)->counter) = i)
3735 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
3736 +{
3737 + v->counter = i;
3738 +}
3739 #define atomic64_set(v, i) (((v)->counter) = i)
3740 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
3741 +{
3742 + v->counter = i;
3743 +}
3744
3745 extern void atomic_add(int, atomic_t *);
3746 +extern void atomic_add_unchecked(int, atomic_unchecked_t *);
3747 extern void atomic64_add(long, atomic64_t *);
3748 +extern void atomic64_add_unchecked(long, atomic64_unchecked_t *);
3749 extern void atomic_sub(int, atomic_t *);
3750 +extern void atomic_sub_unchecked(int, atomic_unchecked_t *);
3751 extern void atomic64_sub(long, atomic64_t *);
3752 +extern void atomic64_sub_unchecked(long, atomic64_unchecked_t *);
3753
3754 extern int atomic_add_ret(int, atomic_t *);
3755 +extern int atomic_add_ret_unchecked(int, atomic_unchecked_t *);
3756 extern long atomic64_add_ret(long, atomic64_t *);
3757 +extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *);
3758 extern int atomic_sub_ret(int, atomic_t *);
3759 extern long atomic64_sub_ret(long, atomic64_t *);
3760
3761 @@ -33,13 +55,29 @@ extern long atomic64_sub_ret(long, atomi
3762 #define atomic64_dec_return(v) atomic64_sub_ret(1, v)
3763
3764 #define atomic_inc_return(v) atomic_add_ret(1, v)
3765 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
3766 +{
3767 + return atomic_add_ret_unchecked(1, v);
3768 +}
3769 #define atomic64_inc_return(v) atomic64_add_ret(1, v)
3770 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
3771 +{
3772 + return atomic64_add_ret_unchecked(1, v);
3773 +}
3774
3775 #define atomic_sub_return(i, v) atomic_sub_ret(i, v)
3776 #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v)
3777
3778 #define atomic_add_return(i, v) atomic_add_ret(i, v)
3779 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
3780 +{
3781 + return atomic_add_ret_unchecked(i, v);
3782 +}
3783 #define atomic64_add_return(i, v) atomic64_add_ret(i, v)
3784 +static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
3785 +{
3786 + return atomic64_add_ret_unchecked(i, v);
3787 +}
3788
3789 /*
3790 * atomic_inc_and_test - increment and test
3791 @@ -50,6 +88,10 @@ extern long atomic64_sub_ret(long, atomi
3792 * other cases.
3793 */
3794 #define atomic_inc_and_test(v) (atomic_inc_return(v) == 0)
3795 +static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
3796 +{
3797 + return atomic_inc_return_unchecked(v) == 0;
3798 +}
3799 #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0)
3800
3801 #define atomic_sub_and_test(i, v) (atomic_sub_ret(i, v) == 0)
3802 @@ -59,30 +101,65 @@ extern long atomic64_sub_ret(long, atomi
3803 #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
3804
3805 #define atomic_inc(v) atomic_add(1, v)
3806 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
3807 +{
3808 + atomic_add_unchecked(1, v);
3809 +}
3810 #define atomic64_inc(v) atomic64_add(1, v)
3811 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
3812 +{
3813 + atomic64_add_unchecked(1, v);
3814 +}
3815
3816 #define atomic_dec(v) atomic_sub(1, v)
3817 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
3818 +{
3819 + atomic_sub_unchecked(1, v);
3820 +}
3821 #define atomic64_dec(v) atomic64_sub(1, v)
3822 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
3823 +{
3824 + atomic64_sub_unchecked(1, v);
3825 +}
3826
3827 #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0)
3828 #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0)
3829
3830 #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
3831 +static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
3832 +{
3833 + return cmpxchg(&v->counter, old, new);
3834 +}
3835 #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
3836 +static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
3837 +{
3838 + return xchg(&v->counter, new);
3839 +}
3840
3841 static inline int atomic_add_unless(atomic_t *v, int a, int u)
3842 {
3843 - int c, old;
3844 + int c, old, new;
3845 c = atomic_read(v);
3846 for (;;) {
3847 - if (unlikely(c == (u)))
3848 + if (unlikely(c == u))
3849 break;
3850 - old = atomic_cmpxchg((v), c, c + (a));
3851 +
3852 + asm volatile("addcc %2, %0, %0\n"
3853 +
3854 +#ifdef CONFIG_PAX_REFCOUNT
3855 + "tvs %%icc, 6\n"
3856 +#endif
3857 +
3858 + : "=r" (new)
3859 + : "0" (c), "ir" (a)
3860 + : "cc");
3861 +
3862 + old = atomic_cmpxchg(v, c, new);
3863 if (likely(old == c))
3864 break;
3865 c = old;
3866 }
3867 - return c != (u);
3868 + return c != u;
3869 }
3870
3871 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
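Review bot: The `asm volatile("addcc ...")` in `atomic_add_unless()` is emitted even when `CONFIG_PAX_REFCOUNT` is off, because only the `tvs` line is inside the `#ifdef`. In that configuration it replaces the plain `c + a` with an opaque, flag-clobbering asm statement for no benefit. Consider keeping the whole asm inside `#ifdef CONFIG_PAX_REFCOUNT` and using `new = c + a;` in the `#else` branch. The trap number in `tvs %%icc, 6` is a bare constant; a comment like `/* trap on signed overflow; software trap 6 is presumably the refcount-overflow handler */` would help, to be confirmed against the trap table, which is not in this hunk. The same applies to `atomic64_add_unless()` in the next hunk.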
3872 @@ -90,20 +167,35 @@ static inline int atomic_add_unless(atom
3873 #define atomic64_cmpxchg(v, o, n) \
3874 ((__typeof__((v)->counter))cmpxchg(&((v)->counter), (o), (n)))
3875 #define atomic64_xchg(v, new) (xchg(&((v)->counter), new))
3876 +static inline long atomic64_xchg_unchecked(atomic64_unchecked_t *v, long new)
3877 +{
3878 + return xchg(&v->counter, new);
3879 +}
3880
3881 static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
3882 {
3883 - long c, old;
3884 + long c, old, new;
3885 c = atomic64_read(v);
3886 for (;;) {
3887 - if (unlikely(c == (u)))
3888 + if (unlikely(c == u))
3889 break;
3890 - old = atomic64_cmpxchg((v), c, c + (a));
3891 +
3892 + asm volatile("addcc %2, %0, %0\n"
3893 +
3894 +#ifdef CONFIG_PAX_REFCOUNT
3895 + "tvs %%xcc, 6\n"
3896 +#endif
3897 +
3898 + : "=r" (new)
3899 + : "0" (c), "ir" (a)
3900 + : "cc");
3901 +
3902 + old = atomic64_cmpxchg(v, c, new);
3903 if (likely(old == c))
3904 break;
3905 c = old;
3906 }
3907 - return c != (u);
3908 + return c != u;
3909 }
3910
3911 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
3912 diff -urNp linux-2.6.32.49/arch/sparc/include/asm/cache.h linux-2.6.32.49/arch/sparc/include/asm/cache.h
3913 --- linux-2.6.32.49/arch/sparc/include/asm/cache.h 2011-11-08 19:02:43.000000000 -0500
3914 +++ linux-2.6.32.49/arch/sparc/include/asm/cache.h 2011-11-15 19:59:42.000000000 -0500
3915 @@ -8,7 +8,7 @@
3916 #define _SPARC_CACHE_H
3917
3918 #define L1_CACHE_SHIFT 5
3919 -#define L1_CACHE_BYTES 32
3920 +#define L1_CACHE_BYTES 32UL
3921 #define L1_CACHE_ALIGN(x) ((((x)+(L1_CACHE_BYTES-1))&~(L1_CACHE_BYTES-1)))
3922
3923 #ifdef CONFIG_SPARC32
3924 diff -urNp linux-2.6.32.49/arch/sparc/include/asm/dma-mapping.h linux-2.6.32.49/arch/sparc/include/asm/dma-mapping.h
3925 --- linux-2.6.32.49/arch/sparc/include/asm/dma-mapping.h 2011-11-08 19:02:43.000000000 -0500
3926 +++ linux-2.6.32.49/arch/sparc/include/asm/dma-mapping.h 2011-11-15 19:59:42.000000000 -0500
3927 @@ -14,10 +14,10 @@ extern int dma_set_mask(struct device *d
3928 #define dma_free_noncoherent(d, s, v, h) dma_free_coherent(d, s, v, h)
3929 #define dma_is_consistent(d, h) (1)
3930
3931 -extern struct dma_map_ops *dma_ops, pci32_dma_ops;
3932 +extern const struct dma_map_ops *dma_ops, pci32_dma_ops;
3933 extern struct bus_type pci_bus_type;
3934
3935 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3936 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3937 {
3938 #if defined(CONFIG_SPARC32) && defined(CONFIG_PCI)
3939 if (dev->bus == &pci_bus_type)
3940 @@ -31,7 +31,7 @@ static inline struct dma_map_ops *get_dm
3941 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3942 dma_addr_t *dma_handle, gfp_t flag)
3943 {
3944 - struct dma_map_ops *ops = get_dma_ops(dev);
3945 + const struct dma_map_ops *ops = get_dma_ops(dev);
3946 void *cpu_addr;
3947
3948 cpu_addr = ops->alloc_coherent(dev, size, dma_handle, flag);
3949 @@ -42,7 +42,7 @@ static inline void *dma_alloc_coherent(s
3950 static inline void dma_free_coherent(struct device *dev, size_t size,
3951 void *cpu_addr, dma_addr_t dma_handle)
3952 {
3953 - struct dma_map_ops *ops = get_dma_ops(dev);
3954 + const struct dma_map_ops *ops = get_dma_ops(dev);
3955
3956 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
3957 ops->free_coherent(dev, size, cpu_addr, dma_handle);
3958 diff -urNp linux-2.6.32.49/arch/sparc/include/asm/elf_32.h linux-2.6.32.49/arch/sparc/include/asm/elf_32.h
3959 --- linux-2.6.32.49/arch/sparc/include/asm/elf_32.h 2011-11-08 19:02:43.000000000 -0500
3960 +++ linux-2.6.32.49/arch/sparc/include/asm/elf_32.h 2011-11-15 19:59:42.000000000 -0500
3961 @@ -116,6 +116,13 @@ typedef struct {
3962
3963 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
3964
3965 +#ifdef CONFIG_PAX_ASLR
3966 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
3967 +
3968 +#define PAX_DELTA_MMAP_LEN 16
3969 +#define PAX_DELTA_STACK_LEN 16
3970 +#endif
3971 +
3972 /* This yields a mask that user programs can use to figure out what
3973 instruction set this cpu supports. This can NOT be done in userspace
3974 on Sparc. */
3975 diff -urNp linux-2.6.32.49/arch/sparc/include/asm/elf_64.h linux-2.6.32.49/arch/sparc/include/asm/elf_64.h
3976 --- linux-2.6.32.49/arch/sparc/include/asm/elf_64.h 2011-11-08 19:02:43.000000000 -0500
3977 +++ linux-2.6.32.49/arch/sparc/include/asm/elf_64.h 2011-11-15 19:59:42.000000000 -0500
3978 @@ -163,6 +163,12 @@ typedef struct {
3979 #define ELF_ET_DYN_BASE 0x0000010000000000UL
3980 #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
3981
3982 +#ifdef CONFIG_PAX_ASLR
3983 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
3984 +
3985 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28)
3986 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29)
3987 +#endif
3988
3989 /* This yields a mask that user programs can use to figure out what
3990 instruction set this cpu supports. */
3991 diff -urNp linux-2.6.32.49/arch/sparc/include/asm/pgtable_32.h linux-2.6.32.49/arch/sparc/include/asm/pgtable_32.h
3992 --- linux-2.6.32.49/arch/sparc/include/asm/pgtable_32.h 2011-11-08 19:02:43.000000000 -0500
3993 +++ linux-2.6.32.49/arch/sparc/include/asm/pgtable_32.h 2011-11-15 19:59:42.000000000 -0500
3994 @@ -43,6 +43,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd)
3995 BTFIXUPDEF_INT(page_none)
3996 BTFIXUPDEF_INT(page_copy)
3997 BTFIXUPDEF_INT(page_readonly)
3998 +
3999 +#ifdef CONFIG_PAX_PAGEEXEC
4000 +BTFIXUPDEF_INT(page_shared_noexec)
4001 +BTFIXUPDEF_INT(page_copy_noexec)
4002 +BTFIXUPDEF_INT(page_readonly_noexec)
4003 +#endif
4004 +
4005 BTFIXUPDEF_INT(page_kernel)
4006
4007 #define PMD_SHIFT SUN4C_PMD_SHIFT
4008 @@ -64,6 +71,16 @@ extern pgprot_t PAGE_SHARED;
4009 #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
4010 #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
4011
4012 +#ifdef CONFIG_PAX_PAGEEXEC
4013 +extern pgprot_t PAGE_SHARED_NOEXEC;
4014 +# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
4015 +# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
4016 +#else
4017 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
4018 +# define PAGE_COPY_NOEXEC PAGE_COPY
4019 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
4020 +#endif
4021 +
4022 extern unsigned long page_kernel;
4023
4024 #ifdef MODULE
4025 diff -urNp linux-2.6.32.49/arch/sparc/include/asm/pgtsrmmu.h linux-2.6.32.49/arch/sparc/include/asm/pgtsrmmu.h
4026 --- linux-2.6.32.49/arch/sparc/include/asm/pgtsrmmu.h 2011-11-08 19:02:43.000000000 -0500
4027 +++ linux-2.6.32.49/arch/sparc/include/asm/pgtsrmmu.h 2011-11-15 19:59:42.000000000 -0500
4028 @@ -115,6 +115,13 @@
4029 SRMMU_EXEC | SRMMU_REF)
4030 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
4031 SRMMU_EXEC | SRMMU_REF)
4032 +
4033 +#ifdef CONFIG_PAX_PAGEEXEC
4034 +#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
4035 +#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
4036 +#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
4037 +#endif
4038 +
4039 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
4040 SRMMU_DIRTY | SRMMU_REF)
4041
4042 diff -urNp linux-2.6.32.49/arch/sparc/include/asm/spinlock_64.h linux-2.6.32.49/arch/sparc/include/asm/spinlock_64.h
4043 --- linux-2.6.32.49/arch/sparc/include/asm/spinlock_64.h 2011-11-08 19:02:43.000000000 -0500
4044 +++ linux-2.6.32.49/arch/sparc/include/asm/spinlock_64.h 2011-11-15 19:59:42.000000000 -0500
4045 @@ -92,14 +92,19 @@ static inline void __raw_spin_lock_flags
4046
4047 /* Multi-reader locks, these are much saner than the 32-bit Sparc ones... */
4048
4049 -static void inline arch_read_lock(raw_rwlock_t *lock)
4050 +static inline void arch_read_lock(raw_rwlock_t *lock)
4051 {
4052 unsigned long tmp1, tmp2;
4053
4054 __asm__ __volatile__ (
4055 "1: ldsw [%2], %0\n"
4056 " brlz,pn %0, 2f\n"
4057 -"4: add %0, 1, %1\n"
4058 +"4: addcc %0, 1, %1\n"
4059 +
4060 +#ifdef CONFIG_PAX_REFCOUNT
4061 +" tvs %%icc, 6\n"
4062 +#endif
4063 +
4064 " cas [%2], %0, %1\n"
4065 " cmp %0, %1\n"
4066 " bne,pn %%icc, 1b\n"
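Review bot: The software trap number in the added `tvs %%icc, 6` is a bare literal, and the same 6 is repeated in the arch_read_trylock and arch_read_unlock hunks below and compared as `lvl == 6` in the traps_64.c hunks of this patch. Nothing ties these values together, so changing one side would silently stop the overflow report. A shared named constant stringified into the asm, or at least a comment such as `/* sw trap 6: refcount overflow, reported from bad_trap() */`, would make the coupling explicit. The asm body of arch_read_lock continues outside this hunk.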
4067 @@ -112,10 +117,10 @@ static void inline arch_read_lock(raw_rw
4068 " .previous"
4069 : "=&r" (tmp1), "=&r" (tmp2)
4070 : "r" (lock)
4071 - : "memory");
4072 + : "memory", "cc");
4073 }
4074
4075 -static int inline arch_read_trylock(raw_rwlock_t *lock)
4076 +static inline int arch_read_trylock(raw_rwlock_t *lock)
4077 {
4078 int tmp1, tmp2;
4079
4080 @@ -123,7 +128,12 @@ static int inline arch_read_trylock(raw_
4081 "1: ldsw [%2], %0\n"
4082 " brlz,a,pn %0, 2f\n"
4083 " mov 0, %0\n"
4084 -" add %0, 1, %1\n"
4085 +" addcc %0, 1, %1\n"
4086 +
4087 +#ifdef CONFIG_PAX_REFCOUNT
4088 +" tvs %%icc, 6\n"
4089 +#endif
4090 +
4091 " cas [%2], %0, %1\n"
4092 " cmp %0, %1\n"
4093 " bne,pn %%icc, 1b\n"
4094 @@ -136,13 +146,18 @@ static int inline arch_read_trylock(raw_
4095 return tmp1;
4096 }
4097
4098 -static void inline arch_read_unlock(raw_rwlock_t *lock)
4099 +static inline void arch_read_unlock(raw_rwlock_t *lock)
4100 {
4101 unsigned long tmp1, tmp2;
4102
4103 __asm__ __volatile__(
4104 "1: lduw [%2], %0\n"
4105 -" sub %0, 1, %1\n"
4106 +" subcc %0, 1, %1\n"
4107 +
4108 +#ifdef CONFIG_PAX_REFCOUNT
4109 +" tvs %%icc, 6\n"
4110 +#endif
4111 +
4112 " cas [%2], %0, %1\n"
4113 " cmp %0, %1\n"
4114 " bne,pn %%xcc, 1b\n"
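Review bot: `subcc` now writes the condition codes in arch_read_unlock, but the clobber list of this asm, visible as the context line `: "memory");` at the top of the next hunk, was not extended the way arch_read_lock's was. For consistency with that function the unlock path should end in `: "memory", "cc");` as well. arch_read_trylock receives the same `addcc`/`tvs` change, but its clobber list lies outside the hunks shown, so it should be checked too.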
4115 @@ -152,7 +167,7 @@ static void inline arch_read_unlock(raw_
4116 : "memory");
4117 }
4118
4119 -static void inline arch_write_lock(raw_rwlock_t *lock)
4120 +static inline void arch_write_lock(raw_rwlock_t *lock)
4121 {
4122 unsigned long mask, tmp1, tmp2;
4123
4124 @@ -177,7 +192,7 @@ static void inline arch_write_lock(raw_r
4125 : "memory");
4126 }
4127
4128 -static void inline arch_write_unlock(raw_rwlock_t *lock)
4129 +static inline void arch_write_unlock(raw_rwlock_t *lock)
4130 {
4131 __asm__ __volatile__(
4132 " stw %%g0, [%0]"
4133 @@ -186,7 +201,7 @@ static void inline arch_write_unlock(raw
4134 : "memory");
4135 }
4136
4137 -static int inline arch_write_trylock(raw_rwlock_t *lock)
4138 +static inline int arch_write_trylock(raw_rwlock_t *lock)
4139 {
4140 unsigned long mask, tmp1, tmp2, result;
4141
4142 diff -urNp linux-2.6.32.49/arch/sparc/include/asm/thread_info_32.h linux-2.6.32.49/arch/sparc/include/asm/thread_info_32.h
4143 --- linux-2.6.32.49/arch/sparc/include/asm/thread_info_32.h 2011-11-08 19:02:43.000000000 -0500
4144 +++ linux-2.6.32.49/arch/sparc/include/asm/thread_info_32.h 2011-11-15 19:59:42.000000000 -0500
4145 @@ -50,6 +50,8 @@ struct thread_info {
4146 unsigned long w_saved;
4147
4148 struct restart_block restart_block;
4149 +
4150 + unsigned long lowest_stack;
4151 };
4152
4153 /*
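Review bot: The new `lowest_stack` field is added with no comment and no config guard, here and in thread_info_64.h, so a reader cannot tell what maintains it or which option needs it. A one-line comment would help, e.g. `/* lowest kernel stack address reached so far (TODO confirm) */`. In the 64-bit struct the field is inserted ahead of the 64-byte-aligned `fpregs[]`, so if that header carries hand-maintained offset constants for assembly (not visible in the hunk) they should be re-checked.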
4154 diff -urNp linux-2.6.32.49/arch/sparc/include/asm/thread_info_64.h linux-2.6.32.49/arch/sparc/include/asm/thread_info_64.h
4155 --- linux-2.6.32.49/arch/sparc/include/asm/thread_info_64.h 2011-11-08 19:02:43.000000000 -0500
4156 +++ linux-2.6.32.49/arch/sparc/include/asm/thread_info_64.h 2011-11-15 19:59:42.000000000 -0500
4157 @@ -68,6 +68,8 @@ struct thread_info {
4158 struct pt_regs *kern_una_regs;
4159 unsigned int kern_una_insn;
4160
4161 + unsigned long lowest_stack;
4162 +
4163 unsigned long fpregs[0] __attribute__ ((aligned(64)));
4164 };
4165
4166 diff -urNp linux-2.6.32.49/arch/sparc/include/asm/uaccess_32.h linux-2.6.32.49/arch/sparc/include/asm/uaccess_32.h
4167 --- linux-2.6.32.49/arch/sparc/include/asm/uaccess_32.h 2011-11-08 19:02:43.000000000 -0500
4168 +++ linux-2.6.32.49/arch/sparc/include/asm/uaccess_32.h 2011-11-15 19:59:42.000000000 -0500
4169 @@ -249,27 +249,46 @@ extern unsigned long __copy_user(void __
4170
4171 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
4172 {
4173 - if (n && __access_ok((unsigned long) to, n))
4174 + if ((long)n < 0)
4175 + return n;
4176 +
4177 + if (n && __access_ok((unsigned long) to, n)) {
4178 + if (!__builtin_constant_p(n))
4179 + check_object_size(from, n, true);
4180 return __copy_user(to, (__force void __user *) from, n);
4181 - else
4182 + } else
4183 return n;
4184 }
4185
4186 static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
4187 {
4188 + if ((long)n < 0)
4189 + return n;
4190 +
4191 + if (!__builtin_constant_p(n))
4192 + check_object_size(from, n, true);
4193 +
4194 return __copy_user(to, (__force void __user *) from, n);
4195 }
4196
4197 static inline unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
4198 {
4199 - if (n && __access_ok((unsigned long) from, n))
4200 + if ((long)n < 0)
4201 + return n;
4202 +
4203 + if (n && __access_ok((unsigned long) from, n)) {
4204 + if (!__builtin_constant_p(n))
4205 + check_object_size(to, n, false);
4206 return __copy_user((__force void __user *) to, from, n);
4207 - else
4208 + } else
4209 return n;
4210 }
4211
4212 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
4213 {
4214 + if ((long)n < 0)
4215 + return n;
4216 +
4217 return __copy_user((__force void __user *) to, from, n);
4218 }
4219
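Review bot: `__copy_from_user` receives only the `(long)n < 0` guard, while the other three helpers in this hunk also call `check_object_size()` when the size is not a compile-time constant. That leaves the unchecked variant as the one path here where a copy from user space is not validated against the destination kernel object. If the omission is not deliberate, add `if (!__builtin_constant_p(n)) check_object_size(to, n, false);` before the `__copy_user` call. If it is deliberate, a comment saying why would keep it from being read as an oversight.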
4220 diff -urNp linux-2.6.32.49/arch/sparc/include/asm/uaccess_64.h linux-2.6.32.49/arch/sparc/include/asm/uaccess_64.h
4221 --- linux-2.6.32.49/arch/sparc/include/asm/uaccess_64.h 2011-11-08 19:02:43.000000000 -0500
4222 +++ linux-2.6.32.49/arch/sparc/include/asm/uaccess_64.h 2011-11-15 19:59:42.000000000 -0500
4223 @@ -9,6 +9,7 @@
4224 #include <linux/compiler.h>
4225 #include <linux/string.h>
4226 #include <linux/thread_info.h>
4227 +#include <linux/kernel.h>
4228 #include <asm/asi.h>
4229 #include <asm/system.h>
4230 #include <asm/spitfire.h>
4231 @@ -212,8 +213,15 @@ extern unsigned long copy_from_user_fixu
4232 static inline unsigned long __must_check
4233 copy_from_user(void *to, const void __user *from, unsigned long size)
4234 {
4235 - unsigned long ret = ___copy_from_user(to, from, size);
4236 + unsigned long ret;
4237
4238 + if ((long)size < 0 || size > INT_MAX)
4239 + return size;
4240 +
4241 + if (!__builtin_constant_p(size))
4242 + check_object_size(to, size, false);
4243 +
4244 + ret = ___copy_from_user(to, from, size);
4245 if (unlikely(ret))
4246 ret = copy_from_user_fixup(to, from, size);
4247 return ret;
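Review bot: In `(long)size < 0 || size > INT_MAX` the first test is redundant, because `size` is an unsigned long and any value with the top bit set already exceeds INT_MAX; the same condition is repeated in copy_to_user in the next hunk. `if (size > INT_MAX)` expresses the same check. A short comment such as `/* refuse implausibly large copies; report the whole size as not copied */` would document the contract that callers now depend on.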
4248 @@ -228,8 +236,15 @@ extern unsigned long copy_to_user_fixup(
4249 static inline unsigned long __must_check
4250 copy_to_user(void __user *to, const void *from, unsigned long size)
4251 {
4252 - unsigned long ret = ___copy_to_user(to, from, size);
4253 + unsigned long ret;
4254 +
4255 + if ((long)size < 0 || size > INT_MAX)
4256 + return size;
4257 +
4258 + if (!__builtin_constant_p(size))
4259 + check_object_size(from, size, true);
4260
4261 + ret = ___copy_to_user(to, from, size);
4262 if (unlikely(ret))
4263 ret = copy_to_user_fixup(to, from, size);
4264 return ret;
4265 diff -urNp linux-2.6.32.49/arch/sparc/include/asm/uaccess.h linux-2.6.32.49/arch/sparc/include/asm/uaccess.h
4266 --- linux-2.6.32.49/arch/sparc/include/asm/uaccess.h 2011-11-08 19:02:43.000000000 -0500
4267 +++ linux-2.6.32.49/arch/sparc/include/asm/uaccess.h 2011-11-15 19:59:42.000000000 -0500
4268 @@ -1,5 +1,13 @@
4269 #ifndef ___ASM_SPARC_UACCESS_H
4270 #define ___ASM_SPARC_UACCESS_H
4271 +
4272 +#ifdef __KERNEL__
4273 +#ifndef __ASSEMBLY__
4274 +#include <linux/types.h>
4275 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
4276 +#endif
4277 +#endif
4278 +
4279 #if defined(__sparc__) && defined(__arch64__)
4280 #include <asm/uaccess_64.h>
4281 #else
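Review bot: The prototype `check_object_size(const void *ptr, unsigned long n, bool to)` gives no hint what the boolean means. Judging by the callers in uaccess_32.h and uaccess_64.h, `true` is passed when the kernel buffer is the source of a copy to user space and `false` when it is the destination of a copy from user space. A comment above the declaration, e.g. `/* to: true for copy to user (ptr is the kernel source), false for copy from user */`, would save readers from reconstructing that.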
4282 diff -urNp linux-2.6.32.49/arch/sparc/kernel/iommu.c linux-2.6.32.49/arch/sparc/kernel/iommu.c
4283 --- linux-2.6.32.49/arch/sparc/kernel/iommu.c 2011-11-08 19:02:43.000000000 -0500
4284 +++ linux-2.6.32.49/arch/sparc/kernel/iommu.c 2011-11-15 19:59:42.000000000 -0500
4285 @@ -826,7 +826,7 @@ static void dma_4u_sync_sg_for_cpu(struc
4286 spin_unlock_irqrestore(&iommu->lock, flags);
4287 }
4288
4289 -static struct dma_map_ops sun4u_dma_ops = {
4290 +static const struct dma_map_ops sun4u_dma_ops = {
4291 .alloc_coherent = dma_4u_alloc_coherent,
4292 .free_coherent = dma_4u_free_coherent,
4293 .map_page = dma_4u_map_page,
4294 @@ -837,7 +837,7 @@ static struct dma_map_ops sun4u_dma_ops
4295 .sync_sg_for_cpu = dma_4u_sync_sg_for_cpu,
4296 };
4297
4298 -struct dma_map_ops *dma_ops = &sun4u_dma_ops;
4299 +const struct dma_map_ops *dma_ops = &sun4u_dma_ops;
4300 EXPORT_SYMBOL(dma_ops);
4301
4302 extern int pci64_dma_supported(struct pci_dev *pdev, u64 device_mask);
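Review bot: `const struct dma_map_ops *dma_ops` makes the pointed-to table read-only, but the exported pointer itself stays writable, so the indirection used to reach the table is still an ordinary mutable global; the same holds for the `dma_ops` definition in the ioport.c hunk below. If nothing reassigns it after initialisation (not visible here), also qualifying the pointer, `const struct dma_map_ops *const dma_ops`, together with the matching extern, would complete the hardening. If it is reassigned at boot, a comment saying so would explain why it must remain mutable.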
4303 diff -urNp linux-2.6.32.49/arch/sparc/kernel/ioport.c linux-2.6.32.49/arch/sparc/kernel/ioport.c
4304 --- linux-2.6.32.49/arch/sparc/kernel/ioport.c 2011-11-08 19:02:43.000000000 -0500
4305 +++ linux-2.6.32.49/arch/sparc/kernel/ioport.c 2011-11-15 19:59:42.000000000 -0500
4306 @@ -392,7 +392,7 @@ static void sbus_sync_sg_for_device(stru
4307 BUG();
4308 }
4309
4310 -struct dma_map_ops sbus_dma_ops = {
4311 +const struct dma_map_ops sbus_dma_ops = {
4312 .alloc_coherent = sbus_alloc_coherent,
4313 .free_coherent = sbus_free_coherent,
4314 .map_page = sbus_map_page,
4315 @@ -403,7 +403,7 @@ struct dma_map_ops sbus_dma_ops = {
4316 .sync_sg_for_device = sbus_sync_sg_for_device,
4317 };
4318
4319 -struct dma_map_ops *dma_ops = &sbus_dma_ops;
4320 +const struct dma_map_ops *dma_ops = &sbus_dma_ops;
4321 EXPORT_SYMBOL(dma_ops);
4322
4323 static int __init sparc_register_ioport(void)
4324 @@ -640,7 +640,7 @@ static void pci32_sync_sg_for_device(str
4325 }
4326 }
4327
4328 -struct dma_map_ops pci32_dma_ops = {
4329 +const struct dma_map_ops pci32_dma_ops = {
4330 .alloc_coherent = pci32_alloc_coherent,
4331 .free_coherent = pci32_free_coherent,
4332 .map_page = pci32_map_page,
4333 diff -urNp linux-2.6.32.49/arch/sparc/kernel/kgdb_32.c linux-2.6.32.49/arch/sparc/kernel/kgdb_32.c
4334 --- linux-2.6.32.49/arch/sparc/kernel/kgdb_32.c 2011-11-08 19:02:43.000000000 -0500
4335 +++ linux-2.6.32.49/arch/sparc/kernel/kgdb_32.c 2011-11-15 19:59:42.000000000 -0500
4336 @@ -158,7 +158,7 @@ void kgdb_arch_exit(void)
4337 {
4338 }
4339
4340 -struct kgdb_arch arch_kgdb_ops = {
4341 +const struct kgdb_arch arch_kgdb_ops = {
4342 /* Breakpoint instruction: ta 0x7d */
4343 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x7d },
4344 };
4345 diff -urNp linux-2.6.32.49/arch/sparc/kernel/kgdb_64.c linux-2.6.32.49/arch/sparc/kernel/kgdb_64.c
4346 --- linux-2.6.32.49/arch/sparc/kernel/kgdb_64.c 2011-11-08 19:02:43.000000000 -0500
4347 +++ linux-2.6.32.49/arch/sparc/kernel/kgdb_64.c 2011-11-15 19:59:42.000000000 -0500
4348 @@ -180,7 +180,7 @@ void kgdb_arch_exit(void)
4349 {
4350 }
4351
4352 -struct kgdb_arch arch_kgdb_ops = {
4353 +const struct kgdb_arch arch_kgdb_ops = {
4354 /* Breakpoint instruction: ta 0x72 */
4355 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x72 },
4356 };
4357 diff -urNp linux-2.6.32.49/arch/sparc/kernel/Makefile linux-2.6.32.49/arch/sparc/kernel/Makefile
4358 --- linux-2.6.32.49/arch/sparc/kernel/Makefile 2011-11-08 19:02:43.000000000 -0500
4359 +++ linux-2.6.32.49/arch/sparc/kernel/Makefile 2011-11-15 19:59:42.000000000 -0500
4360 @@ -3,7 +3,7 @@
4361 #
4362
4363 asflags-y := -ansi
4364 -ccflags-y := -Werror
4365 +#ccflags-y := -Werror
4366
4367 extra-y := head_$(BITS).o
4368 extra-y += init_task.o
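Review bot: `-Werror` is switched off for all of arch/sparc/kernel by commenting the line out, with no explanation. This patch changes several object and pointer types in that directory to `const`, and with warnings no longer fatal a discarded-qualifier or mismatched-prototype warning there would pass unnoticed. Prefer fixing the warnings that prompted this, or record the reason next to the line, e.g. `# -Werror disabled: <reason>`.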
4369 diff -urNp linux-2.6.32.49/arch/sparc/kernel/pci_sun4v.c linux-2.6.32.49/arch/sparc/kernel/pci_sun4v.c
4370 --- linux-2.6.32.49/arch/sparc/kernel/pci_sun4v.c 2011-11-08 19:02:43.000000000 -0500
4371 +++ linux-2.6.32.49/arch/sparc/kernel/pci_sun4v.c 2011-11-15 19:59:42.000000000 -0500
4372 @@ -525,7 +525,7 @@ static void dma_4v_unmap_sg(struct devic
4373 spin_unlock_irqrestore(&iommu->lock, flags);
4374 }
4375
4376 -static struct dma_map_ops sun4v_dma_ops = {
4377 +static const struct dma_map_ops sun4v_dma_ops = {
4378 .alloc_coherent = dma_4v_alloc_coherent,
4379 .free_coherent = dma_4v_free_coherent,
4380 .map_page = dma_4v_map_page,
4381 diff -urNp linux-2.6.32.49/arch/sparc/kernel/process_32.c linux-2.6.32.49/arch/sparc/kernel/process_32.c
4382 --- linux-2.6.32.49/arch/sparc/kernel/process_32.c 2011-11-08 19:02:43.000000000 -0500
4383 +++ linux-2.6.32.49/arch/sparc/kernel/process_32.c 2011-11-15 19:59:42.000000000 -0500
4384 @@ -196,7 +196,7 @@ void __show_backtrace(unsigned long fp)
4385 rw->ins[4], rw->ins[5],
4386 rw->ins[6],
4387 rw->ins[7]);
4388 - printk("%pS\n", (void *) rw->ins[7]);
4389 + printk("%pA\n", (void *) rw->ins[7]);
4390 rw = (struct reg_window32 *) rw->ins[6];
4391 }
4392 spin_unlock_irqrestore(&sparc_backtrace_lock, flags);
4393 @@ -263,14 +263,14 @@ void show_regs(struct pt_regs *r)
4394
4395 printk("PSR: %08lx PC: %08lx NPC: %08lx Y: %08lx %s\n",
4396 r->psr, r->pc, r->npc, r->y, print_tainted());
4397 - printk("PC: <%pS>\n", (void *) r->pc);
4398 + printk("PC: <%pA>\n", (void *) r->pc);
4399 printk("%%G: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4400 r->u_regs[0], r->u_regs[1], r->u_regs[2], r->u_regs[3],
4401 r->u_regs[4], r->u_regs[5], r->u_regs[6], r->u_regs[7]);
4402 printk("%%O: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4403 r->u_regs[8], r->u_regs[9], r->u_regs[10], r->u_regs[11],
4404 r->u_regs[12], r->u_regs[13], r->u_regs[14], r->u_regs[15]);
4405 - printk("RPC: <%pS>\n", (void *) r->u_regs[15]);
4406 + printk("RPC: <%pA>\n", (void *) r->u_regs[15]);
4407
4408 printk("%%L: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4409 rw->locals[0], rw->locals[1], rw->locals[2], rw->locals[3],
4410 @@ -305,7 +305,7 @@ void show_stack(struct task_struct *tsk,
4411 rw = (struct reg_window32 *) fp;
4412 pc = rw->ins[7];
4413 printk("[%08lx : ", pc);
4414 - printk("%pS ] ", (void *) pc);
4415 + printk("%pA ] ", (void *) pc);
4416 fp = rw->ins[6];
4417 } while (++count < 16);
4418 printk("\n");
4419 diff -urNp linux-2.6.32.49/arch/sparc/kernel/process_64.c linux-2.6.32.49/arch/sparc/kernel/process_64.c
4420 --- linux-2.6.32.49/arch/sparc/kernel/process_64.c 2011-11-08 19:02:43.000000000 -0500
4421 +++ linux-2.6.32.49/arch/sparc/kernel/process_64.c 2011-11-15 19:59:42.000000000 -0500
4422 @@ -180,14 +180,14 @@ static void show_regwindow(struct pt_reg
4423 printk("i4: %016lx i5: %016lx i6: %016lx i7: %016lx\n",
4424 rwk->ins[4], rwk->ins[5], rwk->ins[6], rwk->ins[7]);
4425 if (regs->tstate & TSTATE_PRIV)
4426 - printk("I7: <%pS>\n", (void *) rwk->ins[7]);
4427 + printk("I7: <%pA>\n", (void *) rwk->ins[7]);
4428 }
4429
4430 void show_regs(struct pt_regs *regs)
4431 {
4432 printk("TSTATE: %016lx TPC: %016lx TNPC: %016lx Y: %08x %s\n", regs->tstate,
4433 regs->tpc, regs->tnpc, regs->y, print_tainted());
4434 - printk("TPC: <%pS>\n", (void *) regs->tpc);
4435 + printk("TPC: <%pA>\n", (void *) regs->tpc);
4436 printk("g0: %016lx g1: %016lx g2: %016lx g3: %016lx\n",
4437 regs->u_regs[0], regs->u_regs[1], regs->u_regs[2],
4438 regs->u_regs[3]);
4439 @@ -200,7 +200,7 @@ void show_regs(struct pt_regs *regs)
4440 printk("o4: %016lx o5: %016lx sp: %016lx ret_pc: %016lx\n",
4441 regs->u_regs[12], regs->u_regs[13], regs->u_regs[14],
4442 regs->u_regs[15]);
4443 - printk("RPC: <%pS>\n", (void *) regs->u_regs[15]);
4444 + printk("RPC: <%pA>\n", (void *) regs->u_regs[15]);
4445 show_regwindow(regs);
4446 }
4447
4448 @@ -284,7 +284,7 @@ void arch_trigger_all_cpu_backtrace(void
4449 ((tp && tp->task) ? tp->task->pid : -1));
4450
4451 if (gp->tstate & TSTATE_PRIV) {
4452 - printk(" TPC[%pS] O7[%pS] I7[%pS] RPC[%pS]\n",
4453 + printk(" TPC[%pA] O7[%pA] I7[%pA] RPC[%pA]\n",
4454 (void *) gp->tpc,
4455 (void *) gp->o7,
4456 (void *) gp->i7,
4457 diff -urNp linux-2.6.32.49/arch/sparc/kernel/sigutil_64.c linux-2.6.32.49/arch/sparc/kernel/sigutil_64.c
4458 --- linux-2.6.32.49/arch/sparc/kernel/sigutil_64.c 2011-11-08 19:02:43.000000000 -0500
4459 +++ linux-2.6.32.49/arch/sparc/kernel/sigutil_64.c 2011-11-29 18:13:57.000000000 -0500
4460 @@ -2,6 +2,7 @@
4461 #include <linux/types.h>
4462 #include <linux/thread_info.h>
4463 #include <linux/uaccess.h>
4464 +#include <linux/errno.h>
4465
4466 #include <asm/sigcontext.h>
4467 #include <asm/fpumacro.h>
4468 diff -urNp linux-2.6.32.49/arch/sparc/kernel/sys_sparc_32.c linux-2.6.32.49/arch/sparc/kernel/sys_sparc_32.c
4469 --- linux-2.6.32.49/arch/sparc/kernel/sys_sparc_32.c 2011-11-08 19:02:43.000000000 -0500
4470 +++ linux-2.6.32.49/arch/sparc/kernel/sys_sparc_32.c 2011-11-15 19:59:42.000000000 -0500
4471 @@ -57,7 +57,7 @@ unsigned long arch_get_unmapped_area(str
4472 if (ARCH_SUN4C && len > 0x20000000)
4473 return -ENOMEM;
4474 if (!addr)
4475 - addr = TASK_UNMAPPED_BASE;
4476 + addr = current->mm->mmap_base;
4477
4478 if (flags & MAP_SHARED)
4479 addr = COLOUR_ALIGN(addr);
4480 @@ -72,7 +72,7 @@ unsigned long arch_get_unmapped_area(str
4481 }
4482 if (TASK_SIZE - PAGE_SIZE - len < addr)
4483 return -ENOMEM;
4484 - if (!vmm || addr + len <= vmm->vm_start)
4485 + if (check_heap_stack_gap(vmm, addr, len))
4486 return addr;
4487 addr = vmm->vm_end;
4488 if (flags & MAP_SHARED)
4489 diff -urNp linux-2.6.32.49/arch/sparc/kernel/sys_sparc_64.c linux-2.6.32.49/arch/sparc/kernel/sys_sparc_64.c
4490 --- linux-2.6.32.49/arch/sparc/kernel/sys_sparc_64.c 2011-11-08 19:02:43.000000000 -0500
4491 +++ linux-2.6.32.49/arch/sparc/kernel/sys_sparc_64.c 2011-11-15 19:59:42.000000000 -0500
4492 @@ -125,7 +125,7 @@ unsigned long arch_get_unmapped_area(str
4493 /* We do not accept a shared mapping if it would violate
4494 * cache aliasing constraints.
4495 */
4496 - if ((flags & MAP_SHARED) &&
4497 + if ((filp || (flags & MAP_SHARED)) &&
4498 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
4499 return -EINVAL;
4500 return addr;
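Review bot: The comment above the changed condition still says "We do not accept a shared mapping if it would violate cache aliasing constraints", but with `filp ||` the test now also rejects file-backed private mappings whose address is not SHMLBA-congruent with pgoff. Update it, e.g. `/* Reject file-backed or shared mappings that would violate cache aliasing constraints. */`; the identical hunk in arch_get_unmapped_area_topdown needs the same. Because a previously accepted request can now return -EINVAL, the user-visible change deserves a mention in the patch description. The enclosing branch starts outside this hunk.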
4501 @@ -140,6 +140,10 @@ unsigned long arch_get_unmapped_area(str
4502 if (filp || (flags & MAP_SHARED))
4503 do_color_align = 1;
4504
4505 +#ifdef CONFIG_PAX_RANDMMAP
4506 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
4507 +#endif
4508 +
4509 if (addr) {
4510 if (do_color_align)
4511 addr = COLOUR_ALIGN(addr, pgoff);
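Review bot: The added `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` has no body of its own; it silently governs the following `if (addr) {` block, separated from it by `#endif` and a blank line. Any statement later inserted between the two lines would become the guarded one instead. Dropping the blank line and adding a comment such as `/* the address hint is only honoured without RANDMMAP */`, or folding both tests into one condition, would make the intent explicit. The guarded block ends outside this hunk.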
4512 @@ -147,15 +151,14 @@ unsigned long arch_get_unmapped_area(str
4513 addr = PAGE_ALIGN(addr);
4514
4515 vma = find_vma(mm, addr);
4516 - if (task_size - len >= addr &&
4517 - (!vma || addr + len <= vma->vm_start))
4518 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4519 return addr;
4520 }
4521
4522 if (len > mm->cached_hole_size) {
4523 - start_addr = addr = mm->free_area_cache;
4524 + start_addr = addr = mm->free_area_cache;
4525 } else {
4526 - start_addr = addr = TASK_UNMAPPED_BASE;
4527 + start_addr = addr = mm->mmap_base;
4528 mm->cached_hole_size = 0;
4529 }
4530
4531 @@ -175,14 +178,14 @@ full_search:
4532 vma = find_vma(mm, VA_EXCLUDE_END);
4533 }
4534 if (unlikely(task_size < addr)) {
4535 - if (start_addr != TASK_UNMAPPED_BASE) {
4536 - start_addr = addr = TASK_UNMAPPED_BASE;
4537 + if (start_addr != mm->mmap_base) {
4538 + start_addr = addr = mm->mmap_base;
4539 mm->cached_hole_size = 0;
4540 goto full_search;
4541 }
4542 return -ENOMEM;
4543 }
4544 - if (likely(!vma || addr + len <= vma->vm_start)) {
4545 + if (likely(check_heap_stack_gap(vma, addr, len))) {
4546 /*
4547 * Remember the place where we stopped the search:
4548 */
4549 @@ -216,7 +219,7 @@ arch_get_unmapped_area_topdown(struct fi
4550 /* We do not accept a shared mapping if it would violate
4551 * cache aliasing constraints.
4552 */
4553 - if ((flags & MAP_SHARED) &&
4554 + if ((filp || (flags & MAP_SHARED)) &&
4555 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
4556 return -EINVAL;
4557 return addr;
4558 @@ -237,8 +240,7 @@ arch_get_unmapped_area_topdown(struct fi
4559 addr = PAGE_ALIGN(addr);
4560
4561 vma = find_vma(mm, addr);
4562 - if (task_size - len >= addr &&
4563 - (!vma || addr + len <= vma->vm_start))
4564 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4565 return addr;
4566 }
4567
4568 @@ -259,7 +261,7 @@ arch_get_unmapped_area_topdown(struct fi
4569 /* make sure it can fit in the remaining address space */
4570 if (likely(addr > len)) {
4571 vma = find_vma(mm, addr-len);
4572 - if (!vma || addr <= vma->vm_start) {
4573 + if (check_heap_stack_gap(vma, addr - len, len)) {
4574 /* remember the address as a hint for next time */
4575 return (mm->free_area_cache = addr-len);
4576 }
4577 @@ -268,18 +270,18 @@ arch_get_unmapped_area_topdown(struct fi
4578 if (unlikely(mm->mmap_base < len))
4579 goto bottomup;
4580
4581 - addr = mm->mmap_base-len;
4582 - if (do_color_align)
4583 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
4584 + addr = mm->mmap_base - len;
4585
4586 do {
4587 + if (do_color_align)
4588 + addr = COLOUR_ALIGN_DOWN(addr, pgoff);
4589 /*
4590 * Lookup failure means no vma is above this address,
4591 * else if new region fits below vma->vm_start,
4592 * return with success:
4593 */
4594 vma = find_vma(mm, addr);
4595 - if (likely(!vma || addr+len <= vma->vm_start)) {
4596 + if (likely(check_heap_stack_gap(vma, addr, len))) {
4597 /* remember the address as a hint for next time */
4598 return (mm->free_area_cache = addr);
4599 }
4600 @@ -289,10 +291,8 @@ arch_get_unmapped_area_topdown(struct fi
4601 mm->cached_hole_size = vma->vm_start - addr;
4602
4603 /* try just below the current vma->vm_start */
4604 - addr = vma->vm_start-len;
4605 - if (do_color_align)
4606 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
4607 - } while (likely(len < vma->vm_start));
4608 + addr = skip_heap_stack_gap(vma, len);
4609 + } while (!IS_ERR_VALUE(addr));
4610
4611 bottomup:
4612 /*
4613 @@ -384,6 +384,12 @@ void arch_pick_mmap_layout(struct mm_str
4614 current->signal->rlim[RLIMIT_STACK].rlim_cur == RLIM_INFINITY ||
4615 sysctl_legacy_va_layout) {
4616 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
4617 +
4618 +#ifdef CONFIG_PAX_RANDMMAP
4619 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4620 + mm->mmap_base += mm->delta_mmap;
4621 +#endif
4622 +
4623 mm->get_unmapped_area = arch_get_unmapped_area;
4624 mm->unmap_area = arch_unmap_area;
4625 } else {
4626 @@ -398,6 +404,12 @@ void arch_pick_mmap_layout(struct mm_str
4627 gap = (task_size / 6 * 5);
4628
4629 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
4630 +
4631 +#ifdef CONFIG_PAX_RANDMMAP
4632 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4633 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
4634 +#endif
4635 +
4636 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
4637 mm->unmap_area = arch_unmap_area_topdown;
4638 }
4639 diff -urNp linux-2.6.32.49/arch/sparc/kernel/traps_32.c linux-2.6.32.49/arch/sparc/kernel/traps_32.c
4640 --- linux-2.6.32.49/arch/sparc/kernel/traps_32.c 2011-11-08 19:02:43.000000000 -0500
4641 +++ linux-2.6.32.49/arch/sparc/kernel/traps_32.c 2011-11-15 19:59:42.000000000 -0500
4642 @@ -44,6 +44,8 @@ static void instruction_dump(unsigned lo
4643 #define __SAVE __asm__ __volatile__("save %sp, -0x40, %sp\n\t")
4644 #define __RESTORE __asm__ __volatile__("restore %g0, %g0, %g0\n\t")
4645
4646 +extern void gr_handle_kernel_exploit(void);
4647 +
4648 void die_if_kernel(char *str, struct pt_regs *regs)
4649 {
4650 static int die_counter;
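Review bot: `extern void gr_handle_kernel_exploit(void);` is declared locally in this .c file, and again in traps_64.c further down, rather than coming from a header. A local prototype is never checked against the definition, so a later signature change would still compile and only misbehave at run time. Move the declaration to a shared header included by both callers and by the file that defines the function. die_if_kernel's body continues outside this hunk.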
4651 @@ -76,15 +78,17 @@ void die_if_kernel(char *str, struct pt_
4652 count++ < 30 &&
4653 (((unsigned long) rw) >= PAGE_OFFSET) &&
4654 !(((unsigned long) rw) & 0x7)) {
4655 - printk("Caller[%08lx]: %pS\n", rw->ins[7],
4656 + printk("Caller[%08lx]: %pA\n", rw->ins[7],
4657 (void *) rw->ins[7]);
4658 rw = (struct reg_window32 *)rw->ins[6];
4659 }
4660 }
4661 printk("Instruction DUMP:");
4662 instruction_dump ((unsigned long *) regs->pc);
4663 - if(regs->psr & PSR_PS)
4664 + if(regs->psr & PSR_PS) {
4665 + gr_handle_kernel_exploit();
4666 do_exit(SIGKILL);
4667 + }
4668 do_exit(SIGSEGV);
4669 }
4670
4671 diff -urNp linux-2.6.32.49/arch/sparc/kernel/traps_64.c linux-2.6.32.49/arch/sparc/kernel/traps_64.c
4672 --- linux-2.6.32.49/arch/sparc/kernel/traps_64.c 2011-11-08 19:02:43.000000000 -0500
4673 +++ linux-2.6.32.49/arch/sparc/kernel/traps_64.c 2011-11-15 19:59:42.000000000 -0500
4674 @@ -73,7 +73,7 @@ static void dump_tl1_traplog(struct tl1_
4675 i + 1,
4676 p->trapstack[i].tstate, p->trapstack[i].tpc,
4677 p->trapstack[i].tnpc, p->trapstack[i].tt);
4678 - printk("TRAPLOG: TPC<%pS>\n", (void *) p->trapstack[i].tpc);
4679 + printk("TRAPLOG: TPC<%pA>\n", (void *) p->trapstack[i].tpc);
4680 }
4681 }
4682
4683 @@ -93,6 +93,12 @@ void bad_trap(struct pt_regs *regs, long
4684
4685 lvl -= 0x100;
4686 if (regs->tstate & TSTATE_PRIV) {
4687 +
4688 +#ifdef CONFIG_PAX_REFCOUNT
4689 + if (lvl == 6)
4690 + pax_report_refcount_overflow(regs);
4691 +#endif
4692 +
4693 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
4694 die_if_kernel(buffer, regs);
4695 }
4696 @@ -111,11 +117,16 @@ void bad_trap(struct pt_regs *regs, long
4697 void bad_trap_tl1(struct pt_regs *regs, long lvl)
4698 {
4699 char buffer[32];
4700 -
4701 +
4702 if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
4703 0, lvl, SIGTRAP) == NOTIFY_STOP)
4704 return;
4705
4706 +#ifdef CONFIG_PAX_REFCOUNT
4707 + if (lvl == 6)
4708 + pax_report_refcount_overflow(regs);
4709 +#endif
4710 +
4711 dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
4712
4713 sprintf (buffer, "Bad trap %lx at tl>0", lvl);
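Review bot: In bad_trap_tl1 the added `if (lvl == 6)` tests the trap level exactly as passed in, whereas bad_trap in the previous hunk makes the same test only after `lvl -= 0x100;`. If both handlers receive the raw trap type, the software trap raised by `tvs %icc, 6` would not match here and the overflow report would be skipped at TL>0. Either apply the same adjustment before comparing or add a comment stating which numbering bad_trap_tl1 receives. The hunk also rewrites the blank line after `char buffer[32];` with a whitespace-only difference, which is churn that should be dropped.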
4714 @@ -1139,7 +1150,7 @@ static void cheetah_log_errors(struct pt
4715 regs->tpc, regs->tnpc, regs->u_regs[UREG_I7], regs->tstate);
4716 printk("%s" "ERROR(%d): ",
4717 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id());
4718 - printk("TPC<%pS>\n", (void *) regs->tpc);
4719 + printk("TPC<%pA>\n", (void *) regs->tpc);
4720 printk("%s" "ERROR(%d): M_SYND(%lx), E_SYND(%lx)%s%s\n",
4721 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id(),
4722 (afsr & CHAFSR_M_SYNDROME) >> CHAFSR_M_SYNDROME_SHIFT,
4723 @@ -1746,7 +1757,7 @@ void cheetah_plus_parity_error(int type,
4724 smp_processor_id(),
4725 (type & 0x1) ? 'I' : 'D',
4726 regs->tpc);
4727 - printk(KERN_EMERG "TPC<%pS>\n", (void *) regs->tpc);
4728 + printk(KERN_EMERG "TPC<%pA>\n", (void *) regs->tpc);
4729 panic("Irrecoverable Cheetah+ parity error.");
4730 }
4731
4732 @@ -1754,7 +1765,7 @@ void cheetah_plus_parity_error(int type,
4733 smp_processor_id(),
4734 (type & 0x1) ? 'I' : 'D',
4735 regs->tpc);
4736 - printk(KERN_WARNING "TPC<%pS>\n", (void *) regs->tpc);
4737 + printk(KERN_WARNING "TPC<%pA>\n", (void *) regs->tpc);
4738 }
4739
4740 struct sun4v_error_entry {
4741 @@ -1961,9 +1972,9 @@ void sun4v_itlb_error_report(struct pt_r
4742
4743 printk(KERN_EMERG "SUN4V-ITLB: Error at TPC[%lx], tl %d\n",
4744 regs->tpc, tl);
4745 - printk(KERN_EMERG "SUN4V-ITLB: TPC<%pS>\n", (void *) regs->tpc);
4746 + printk(KERN_EMERG "SUN4V-ITLB: TPC<%pA>\n", (void *) regs->tpc);
4747 printk(KERN_EMERG "SUN4V-ITLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
4748 - printk(KERN_EMERG "SUN4V-ITLB: O7<%pS>\n",
4749 + printk(KERN_EMERG "SUN4V-ITLB: O7<%pA>\n",
4750 (void *) regs->u_regs[UREG_I7]);
4751 printk(KERN_EMERG "SUN4V-ITLB: vaddr[%lx] ctx[%lx] "
4752 "pte[%lx] error[%lx]\n",
4753 @@ -1985,9 +1996,9 @@ void sun4v_dtlb_error_report(struct pt_r
4754
4755 printk(KERN_EMERG "SUN4V-DTLB: Error at TPC[%lx], tl %d\n",
4756 regs->tpc, tl);
4757 - printk(KERN_EMERG "SUN4V-DTLB: TPC<%pS>\n", (void *) regs->tpc);
4758 + printk(KERN_EMERG "SUN4V-DTLB: TPC<%pA>\n", (void *) regs->tpc);
4759 printk(KERN_EMERG "SUN4V-DTLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
4760 - printk(KERN_EMERG "SUN4V-DTLB: O7<%pS>\n",
4761 + printk(KERN_EMERG "SUN4V-DTLB: O7<%pA>\n",
4762 (void *) regs->u_regs[UREG_I7]);
4763 printk(KERN_EMERG "SUN4V-DTLB: vaddr[%lx] ctx[%lx] "
4764 "pte[%lx] error[%lx]\n",
4765 @@ -2191,7 +2202,7 @@ void show_stack(struct task_struct *tsk,
4766 fp = (unsigned long)sf->fp + STACK_BIAS;
4767 }
4768
4769 - printk(" [%016lx] %pS\n", pc, (void *) pc);
4770 + printk(" [%016lx] %pA\n", pc, (void *) pc);
4771 } while (++count < 16);
4772 }
4773
4774 @@ -2233,6 +2244,8 @@ static inline struct reg_window *kernel_
4775 return (struct reg_window *) (fp + STACK_BIAS);
4776 }
4777
4778 +extern void gr_handle_kernel_exploit(void);
4779 +
4780 void die_if_kernel(char *str, struct pt_regs *regs)
4781 {
4782 static int die_counter;
4783 @@ -2260,7 +2273,7 @@ void die_if_kernel(char *str, struct pt_
4784 while (rw &&
4785 count++ < 30&&
4786 is_kernel_stack(current, rw)) {
4787 - printk("Caller[%016lx]: %pS\n", rw->ins[7],
4788 + printk("Caller[%016lx]: %pA\n", rw->ins[7],
4789 (void *) rw->ins[7]);
4790
4791 rw = kernel_stack_up(rw);
4792 @@ -2273,8 +2286,11 @@ void die_if_kernel(char *str, struct pt_
4793 }
4794 user_instruction_dump ((unsigned int __user *) regs->tpc);
4795 }
4796 - if (regs->tstate & TSTATE_PRIV)
4797 + if (regs->tstate & TSTATE_PRIV) {
4798 + gr_handle_kernel_exploit();
4799 do_exit(SIGKILL);
4800 + }
4801 +
4802 do_exit(SIGSEGV);
4803 }
4804 EXPORT_SYMBOL(die_if_kernel);
4805 diff -urNp linux-2.6.32.49/arch/sparc/kernel/una_asm_64.S linux-2.6.32.49/arch/sparc/kernel/una_asm_64.S
4806 --- linux-2.6.32.49/arch/sparc/kernel/una_asm_64.S 2011-11-08 19:02:43.000000000 -0500
4807 +++ linux-2.6.32.49/arch/sparc/kernel/una_asm_64.S 2011-11-15 19:59:42.000000000 -0500
4808 @@ -127,7 +127,7 @@ do_int_load:
4809 wr %o5, 0x0, %asi
4810 retl
4811 mov 0, %o0
4812 - .size __do_int_load, .-__do_int_load
4813 + .size do_int_load, .-do_int_load
4814
4815 .section __ex_table,"a"
4816 .word 4b, __retl_efault
4817 diff -urNp linux-2.6.32.49/arch/sparc/kernel/unaligned_64.c linux-2.6.32.49/arch/sparc/kernel/unaligned_64.c
4818 --- linux-2.6.32.49/arch/sparc/kernel/unaligned_64.c 2011-11-08 19:02:43.000000000 -0500
4819 +++ linux-2.6.32.49/arch/sparc/kernel/unaligned_64.c 2011-11-15 19:59:42.000000000 -0500
4820 @@ -288,7 +288,7 @@ static void log_unaligned(struct pt_regs
4821 if (count < 5) {
4822 last_time = jiffies;
4823 count++;
4824 - printk("Kernel unaligned access at TPC[%lx] %pS\n",
4825 + printk("Kernel unaligned access at TPC[%lx] %pA\n",
4826 regs->tpc, (void *) regs->tpc);
4827 }
4828 }
4829 diff -urNp linux-2.6.32.49/arch/sparc/lib/atomic_64.S linux-2.6.32.49/arch/sparc/lib/atomic_64.S
4830 --- linux-2.6.32.49/arch/sparc/lib/atomic_64.S 2011-11-08 19:02:43.000000000 -0500
4831 +++ linux-2.6.32.49/arch/sparc/lib/atomic_64.S 2011-11-15 19:59:42.000000000 -0500
4832 @@ -18,7 +18,12 @@
4833 atomic_add: /* %o0 = increment, %o1 = atomic_ptr */
4834 BACKOFF_SETUP(%o2)
4835 1: lduw [%o1], %g1
4836 - add %g1, %o0, %g7
4837 + addcc %g1, %o0, %g7
4838 +
4839 +#ifdef CONFIG_PAX_REFCOUNT
4840 + tvs %icc, 6
4841 +#endif
4842 +
4843 cas [%o1], %g1, %g7
4844 cmp %g1, %g7
4845 bne,pn %icc, 2f
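Review bot: `tvs %icc, 6` has no comment, and the software trap number 6 is a bare literal repeated in every checked routine of this file and in the rwsem_64.S hunks. A reader cannot tell from here which handler trap 6 reaches, or that the check is placed before the `cas` so the overflowed value is never stored. Suggest a named constant for the trap number and a comment on first use, e.g. `/* PAX_REFCOUNT: trap on signed overflow before the cas publishes the new value */`. `addcc` also replaces `add` outside the `#ifdef`, so the condition codes are written even with CONFIG_PAX_REFCOUNT off; the following `cmp` overwrites them, which deserves a short remark. atomic_add's body continues outside the hunk.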
4846 @@ -28,12 +33,32 @@ atomic_add: /* %o0 = increment, %o1 = at
4847 2: BACKOFF_SPIN(%o2, %o3, 1b)
4848 .size atomic_add, .-atomic_add
4849
4850 + .globl atomic_add_unchecked
4851 + .type atomic_add_unchecked,#function
4852 +atomic_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4853 + BACKOFF_SETUP(%o2)
4854 +1: lduw [%o1], %g1
4855 + add %g1, %o0, %g7
4856 + cas [%o1], %g1, %g7
4857 + cmp %g1, %g7
4858 + bne,pn %icc, 2f
4859 + nop
4860 + retl
4861 + nop
4862 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4863 + .size atomic_add_unchecked, .-atomic_add_unchecked
4864 +
4865 .globl atomic_sub
4866 .type atomic_sub,#function
4867 atomic_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4868 BACKOFF_SETUP(%o2)
4869 1: lduw [%o1], %g1
4870 - sub %g1, %o0, %g7
4871 + subcc %g1, %o0, %g7
4872 +
4873 +#ifdef CONFIG_PAX_REFCOUNT
4874 + tvs %icc, 6
4875 +#endif
4876 +
4877 cas [%o1], %g1, %g7
4878 cmp %g1, %g7
4879 bne,pn %icc, 2f
4880 @@ -43,12 +68,32 @@ atomic_sub: /* %o0 = decrement, %o1 = at
4881 2: BACKOFF_SPIN(%o2, %o3, 1b)
4882 .size atomic_sub, .-atomic_sub
4883
4884 + .globl atomic_sub_unchecked
4885 + .type atomic_sub_unchecked,#function
4886 +atomic_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4887 + BACKOFF_SETUP(%o2)
4888 +1: lduw [%o1], %g1
4889 + sub %g1, %o0, %g7
4890 + cas [%o1], %g1, %g7
4891 + cmp %g1, %g7
4892 + bne,pn %icc, 2f
4893 + nop
4894 + retl
4895 + nop
4896 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4897 + .size atomic_sub_unchecked, .-atomic_sub_unchecked
4898 +
4899 .globl atomic_add_ret
4900 .type atomic_add_ret,#function
4901 atomic_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4902 BACKOFF_SETUP(%o2)
4903 1: lduw [%o1], %g1
4904 - add %g1, %o0, %g7
4905 + addcc %g1, %o0, %g7
4906 +
4907 +#ifdef CONFIG_PAX_REFCOUNT
4908 + tvs %icc, 6
4909 +#endif
4910 +
4911 cas [%o1], %g1, %g7
4912 cmp %g1, %g7
4913 bne,pn %icc, 2f
4914 @@ -59,12 +104,33 @@ atomic_add_ret: /* %o0 = increment, %o1
4915 2: BACKOFF_SPIN(%o2, %o3, 1b)
4916 .size atomic_add_ret, .-atomic_add_ret
4917
4918 + .globl atomic_add_ret_unchecked
4919 + .type atomic_add_ret_unchecked,#function
4920 +atomic_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4921 + BACKOFF_SETUP(%o2)
4922 +1: lduw [%o1], %g1
4923 + addcc %g1, %o0, %g7
4924 + cas [%o1], %g1, %g7
4925 + cmp %g1, %g7
4926 + bne,pn %icc, 2f
4927 + add %g7, %o0, %g7
4928 + sra %g7, 0, %o0
4929 + retl
4930 + nop
4931 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4932 + .size atomic_add_ret_unchecked, .-atomic_add_ret_unchecked
4933 +
4934 .globl atomic_sub_ret
4935 .type atomic_sub_ret,#function
4936 atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4937 BACKOFF_SETUP(%o2)
4938 1: lduw [%o1], %g1
4939 - sub %g1, %o0, %g7
4940 + subcc %g1, %o0, %g7
4941 +
4942 +#ifdef CONFIG_PAX_REFCOUNT
4943 + tvs %icc, 6
4944 +#endif
4945 +
4946 cas [%o1], %g1, %g7
4947 cmp %g1, %g7
4948 bne,pn %icc, 2f
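Review bot: `atomic_add_ret_unchecked` uses `addcc %g1, %o0, %g7` although nothing reads the condition codes before the following `cmp` overwrites them, while `atomic_add_unchecked` and `atomic_sub_unchecked` use plain `add`/`sub`. The same leftover appears in `atomic64_add_unchecked`, `atomic64_sub_unchecked` and `atomic64_add_ret_unchecked` in the later hunks. For consistency, and so the unchecked variants stay a literal copy of the pre-patch arithmetic, use `add %g1, %o0, %g7` here and `sub` in the 64-bit subtract.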
4949 @@ -80,7 +146,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1
4950 atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */
4951 BACKOFF_SETUP(%o2)
4952 1: ldx [%o1], %g1
4953 - add %g1, %o0, %g7
4954 + addcc %g1, %o0, %g7
4955 +
4956 +#ifdef CONFIG_PAX_REFCOUNT
4957 + tvs %xcc, 6
4958 +#endif
4959 +
4960 casx [%o1], %g1, %g7
4961 cmp %g1, %g7
4962 bne,pn %xcc, 2f
4963 @@ -90,12 +161,32 @@ atomic64_add: /* %o0 = increment, %o1 =
4964 2: BACKOFF_SPIN(%o2, %o3, 1b)
4965 .size atomic64_add, .-atomic64_add
4966
4967 + .globl atomic64_add_unchecked
4968 + .type atomic64_add_unchecked,#function
4969 +atomic64_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4970 + BACKOFF_SETUP(%o2)
4971 +1: ldx [%o1], %g1
4972 + addcc %g1, %o0, %g7
4973 + casx [%o1], %g1, %g7
4974 + cmp %g1, %g7
4975 + bne,pn %xcc, 2f
4976 + nop
4977 + retl
4978 + nop
4979 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4980 + .size atomic64_add_unchecked, .-atomic64_add_unchecked
4981 +
4982 .globl atomic64_sub
4983 .type atomic64_sub,#function
4984 atomic64_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4985 BACKOFF_SETUP(%o2)
4986 1: ldx [%o1], %g1
4987 - sub %g1, %o0, %g7
4988 + subcc %g1, %o0, %g7
4989 +
4990 +#ifdef CONFIG_PAX_REFCOUNT
4991 + tvs %xcc, 6
4992 +#endif
4993 +
4994 casx [%o1], %g1, %g7
4995 cmp %g1, %g7
4996 bne,pn %xcc, 2f
4997 @@ -105,12 +196,32 @@ atomic64_sub: /* %o0 = decrement, %o1 =
4998 2: BACKOFF_SPIN(%o2, %o3, 1b)
4999 .size atomic64_sub, .-atomic64_sub
5000
5001 + .globl atomic64_sub_unchecked
5002 + .type atomic64_sub_unchecked,#function
5003 +atomic64_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
5004 + BACKOFF_SETUP(%o2)
5005 +1: ldx [%o1], %g1
5006 + subcc %g1, %o0, %g7
5007 + casx [%o1], %g1, %g7
5008 + cmp %g1, %g7
5009 + bne,pn %xcc, 2f
5010 + nop
5011 + retl
5012 + nop
5013 +2: BACKOFF_SPIN(%o2, %o3, 1b)
5014 + .size atomic64_sub_unchecked, .-atomic64_sub_unchecked
5015 +
5016 .globl atomic64_add_ret
5017 .type atomic64_add_ret,#function
5018 atomic64_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
5019 BACKOFF_SETUP(%o2)
5020 1: ldx [%o1], %g1
5021 - add %g1, %o0, %g7
5022 + addcc %g1, %o0, %g7
5023 +
5024 +#ifdef CONFIG_PAX_REFCOUNT
5025 + tvs %xcc, 6
5026 +#endif
5027 +
5028 casx [%o1], %g1, %g7
5029 cmp %g1, %g7
5030 bne,pn %xcc, 2f
5031 @@ -121,12 +232,33 @@ atomic64_add_ret: /* %o0 = increment, %o
5032 2: BACKOFF_SPIN(%o2, %o3, 1b)
5033 .size atomic64_add_ret, .-atomic64_add_ret
5034
5035 + .globl atomic64_add_ret_unchecked
5036 + .type atomic64_add_ret_unchecked,#function
5037 +atomic64_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
5038 + BACKOFF_SETUP(%o2)
5039 +1: ldx [%o1], %g1
5040 + addcc %g1, %o0, %g7
5041 + casx [%o1], %g1, %g7
5042 + cmp %g1, %g7
5043 + bne,pn %xcc, 2f
5044 + add %g7, %o0, %g7
5045 + mov %g7, %o0
5046 + retl
5047 + nop
5048 +2: BACKOFF_SPIN(%o2, %o3, 1b)
5049 + .size atomic64_add_ret_unchecked, .-atomic64_add_ret_unchecked
5050 +
5051 .globl atomic64_sub_ret
5052 .type atomic64_sub_ret,#function
5053 atomic64_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
5054 BACKOFF_SETUP(%o2)
5055 1: ldx [%o1], %g1
5056 - sub %g1, %o0, %g7
5057 + subcc %g1, %o0, %g7
5058 +
5059 +#ifdef CONFIG_PAX_REFCOUNT
5060 + tvs %xcc, 6
5061 +#endif
5062 +
5063 casx [%o1], %g1, %g7
5064 cmp %g1, %g7
5065 bne,pn %xcc, 2f
5066 diff -urNp linux-2.6.32.49/arch/sparc/lib/ksyms.c linux-2.6.32.49/arch/sparc/lib/ksyms.c
5067 --- linux-2.6.32.49/arch/sparc/lib/ksyms.c 2011-11-08 19:02:43.000000000 -0500
5068 +++ linux-2.6.32.49/arch/sparc/lib/ksyms.c 2011-11-15 19:59:42.000000000 -0500
5069 @@ -144,12 +144,18 @@ EXPORT_SYMBOL(__downgrade_write);
5070
5071 /* Atomic counter implementation. */
5072 EXPORT_SYMBOL(atomic_add);
5073 +EXPORT_SYMBOL(atomic_add_unchecked);
5074 EXPORT_SYMBOL(atomic_add_ret);
5075 +EXPORT_SYMBOL(atomic_add_ret_unchecked);
5076 EXPORT_SYMBOL(atomic_sub);
5077 +EXPORT_SYMBOL(atomic_sub_unchecked);
5078 EXPORT_SYMBOL(atomic_sub_ret);
5079 EXPORT_SYMBOL(atomic64_add);
5080 +EXPORT_SYMBOL(atomic64_add_unchecked);
5081 EXPORT_SYMBOL(atomic64_add_ret);
5082 +EXPORT_SYMBOL(atomic64_add_ret_unchecked);
5083 EXPORT_SYMBOL(atomic64_sub);
5084 +EXPORT_SYMBOL(atomic64_sub_unchecked);
5085 EXPORT_SYMBOL(atomic64_sub_ret);
5086
5087 /* Atomic bit operations. */
5088 diff -urNp linux-2.6.32.49/arch/sparc/lib/Makefile linux-2.6.32.49/arch/sparc/lib/Makefile
5089 --- linux-2.6.32.49/arch/sparc/lib/Makefile 2011-11-08 19:02:43.000000000 -0500
5090 +++ linux-2.6.32.49/arch/sparc/lib/Makefile 2011-11-15 19:59:42.000000000 -0500
5091 @@ -2,7 +2,7 @@
5092 #
5093
5094 asflags-y := -ansi -DST_DIV0=0x02
5095 -ccflags-y := -Werror
5096 +#ccflags-y := -Werror
5097
5098 lib-$(CONFIG_SPARC32) += mul.o rem.o sdiv.o udiv.o umul.o urem.o ashrdi3.o
5099 lib-$(CONFIG_SPARC32) += memcpy.o memset.o
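Review bot: `-Werror` is disabled by commenting the line out, with no record of which warning in the patched sources made that necessary. This turns off warning enforcement for every object built in arch/sparc/lib, not only the files this patch touches. Prefer fixing the warning. Failing that, put the reason next to the line, e.g. `# -Werror disabled: <warning and file that needs it>`.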
5100 diff -urNp linux-2.6.32.49/arch/sparc/lib/rwsem_64.S linux-2.6.32.49/arch/sparc/lib/rwsem_64.S
5101 --- linux-2.6.32.49/arch/sparc/lib/rwsem_64.S 2011-11-08 19:02:43.000000000 -0500
5102 +++ linux-2.6.32.49/arch/sparc/lib/rwsem_64.S 2011-11-15 19:59:42.000000000 -0500
5103 @@ -11,7 +11,12 @@
5104 .globl __down_read
5105 __down_read:
5106 1: lduw [%o0], %g1
5107 - add %g1, 1, %g7
5108 + addcc %g1, 1, %g7
5109 +
5110 +#ifdef CONFIG_PAX_REFCOUNT
5111 + tvs %icc, 6
5112 +#endif
5113 +
5114 cas [%o0], %g1, %g7
5115 cmp %g1, %g7
5116 bne,pn %icc, 1b
5117 @@ -33,7 +38,12 @@ __down_read:
5118 .globl __down_read_trylock
5119 __down_read_trylock:
5120 1: lduw [%o0], %g1
5121 - add %g1, 1, %g7
5122 + addcc %g1, 1, %g7
5123 +
5124 +#ifdef CONFIG_PAX_REFCOUNT
5125 + tvs %icc, 6
5126 +#endif
5127 +
5128 cmp %g7, 0
5129 bl,pn %icc, 2f
5130 mov 0, %o1
5131 @@ -51,7 +61,12 @@ __down_write:
5132 or %g1, %lo(RWSEM_ACTIVE_WRITE_BIAS), %g1
5133 1:
5134 lduw [%o0], %g3
5135 - add %g3, %g1, %g7
5136 + addcc %g3, %g1, %g7
5137 +
5138 +#ifdef CONFIG_PAX_REFCOUNT
5139 + tvs %icc, 6
5140 +#endif
5141 +
5142 cas [%o0], %g3, %g7
5143 cmp %g3, %g7
5144 bne,pn %icc, 1b
5145 @@ -77,7 +92,12 @@ __down_write_trylock:
5146 cmp %g3, 0
5147 bne,pn %icc, 2f
5148 mov 0, %o1
5149 - add %g3, %g1, %g7
5150 + addcc %g3, %g1, %g7
5151 +
5152 +#ifdef CONFIG_PAX_REFCOUNT
5153 + tvs %icc, 6
5154 +#endif
5155 +
5156 cas [%o0], %g3, %g7
5157 cmp %g3, %g7
5158 bne,pn %icc, 1b
5159 @@ -90,7 +110,12 @@ __down_write_trylock:
5160 __up_read:
5161 1:
5162 lduw [%o0], %g1
5163 - sub %g1, 1, %g7
5164 + subcc %g1, 1, %g7
5165 +
5166 +#ifdef CONFIG_PAX_REFCOUNT
5167 + tvs %icc, 6
5168 +#endif
5169 +
5170 cas [%o0], %g1, %g7
5171 cmp %g1, %g7
5172 bne,pn %icc, 1b
5173 @@ -118,7 +143,12 @@ __up_write:
5174 or %g1, %lo(RWSEM_ACTIVE_WRITE_BIAS), %g1
5175 1:
5176 lduw [%o0], %g3
5177 - sub %g3, %g1, %g7
5178 + subcc %g3, %g1, %g7
5179 +
5180 +#ifdef CONFIG_PAX_REFCOUNT
5181 + tvs %icc, 6
5182 +#endif
5183 +
5184 cas [%o0], %g3, %g7
5185 cmp %g3, %g7
5186 bne,pn %icc, 1b
5187 @@ -143,7 +173,12 @@ __downgrade_write:
5188 or %g1, %lo(RWSEM_WAITING_BIAS), %g1
5189 1:
5190 lduw [%o0], %g3
5191 - sub %g3, %g1, %g7
5192 + subcc %g3, %g1, %g7
5193 +
5194 +#ifdef CONFIG_PAX_REFCOUNT
5195 + tvs %icc, 6
5196 +#endif
5197 +
5198 cas [%o0], %g3, %g7
5199 cmp %g3, %g7
5200 bne,pn %icc, 1b
5201 diff -urNp linux-2.6.32.49/arch/sparc/Makefile linux-2.6.32.49/arch/sparc/Makefile
5202 --- linux-2.6.32.49/arch/sparc/Makefile 2011-11-08 19:02:43.000000000 -0500
5203 +++ linux-2.6.32.49/arch/sparc/Makefile 2011-11-15 19:59:42.000000000 -0500
5204 @@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
5205 # Export what is needed by arch/sparc/boot/Makefile
5206 export VMLINUX_INIT VMLINUX_MAIN
5207 VMLINUX_INIT := $(head-y) $(init-y)
5208 -VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
5209 +VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
5210 VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
5211 VMLINUX_MAIN += $(drivers-y) $(net-y)
5212
5213 diff -urNp linux-2.6.32.49/arch/sparc/mm/fault_32.c linux-2.6.32.49/arch/sparc/mm/fault_32.c
5214 --- linux-2.6.32.49/arch/sparc/mm/fault_32.c 2011-11-08 19:02:43.000000000 -0500
5215 +++ linux-2.6.32.49/arch/sparc/mm/fault_32.c 2011-11-18 18:01:52.000000000 -0500
5216 @@ -21,6 +21,9 @@
5217 #include <linux/interrupt.h>
5218 #include <linux/module.h>
5219 #include <linux/kdebug.h>
5220 +#include <linux/slab.h>
5221 +#include <linux/pagemap.h>
5222 +#include <linux/compiler.h>
5223
5224 #include <asm/system.h>
5225 #include <asm/page.h>
5226 @@ -167,6 +170,267 @@ static unsigned long compute_si_addr(str
5227 return safe_compute_effective_address(regs, insn);
5228 }
5229
5230 +#ifdef CONFIG_PAX_PAGEEXEC
5231 +#ifdef CONFIG_PAX_DLRESOLVE
5232 +static void pax_emuplt_close(struct vm_area_struct *vma)
5233 +{
5234 + vma->vm_mm->call_dl_resolve = 0UL;
5235 +}
5236 +
5237 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
5238 +{
5239 + unsigned int *kaddr;
5240 +
5241 + vmf->page = alloc_page(GFP_HIGHUSER);
5242 + if (!vmf->page)
5243 + return VM_FAULT_OOM;
5244 +
5245 + kaddr = kmap(vmf->page);
5246 + memset(kaddr, 0, PAGE_SIZE);
5247 + kaddr[0] = 0x9DE3BFA8U; /* save */
5248 + flush_dcache_page(vmf->page);
5249 + kunmap(vmf->page);
5250 + return VM_FAULT_MAJOR;
5251 +}
5252 +
5253 +static const struct vm_operations_struct pax_vm_ops = {
5254 + .close = pax_emuplt_close,
5255 + .fault = pax_emuplt_fault
5256 +};
5257 +
5258 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
5259 +{
5260 + int ret;
5261 +
5262 + vma->vm_mm = current->mm;
5263 + vma->vm_start = addr;
5264 + vma->vm_end = addr + PAGE_SIZE;
5265 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
5266 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
5267 + vma->vm_ops = &pax_vm_ops;
5268 +
5269 + ret = insert_vm_struct(current->mm, vma);
5270 + if (ret)
5271 + return ret;
5272 +
5273 + ++current->mm->total_vm;
5274 + return 0;
5275 +}
5276 +#endif
5277 +
5278 +/*
5279 + * PaX: decide what to do with offenders (regs->pc = fault address)
5280 + *
5281 + * returns 1 when task should be killed
5282 + * 2 when patched PLT trampoline was detected
5283 + * 3 when unpatched PLT trampoline was detected
5284 + */
5285 +static int pax_handle_fetch_fault(struct pt_regs *regs)
5286 +{
5287 +
5288 +#ifdef CONFIG_PAX_EMUPLT
5289 + int err;
5290 +
5291 + do { /* PaX: patched PLT emulation #1 */
5292 + unsigned int sethi1, sethi2, jmpl;
5293 +
5294 + err = get_user(sethi1, (unsigned int *)regs->pc);
5295 + err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
5296 + err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
5297 +
5298 + if (err)
5299 + break;
5300 +
5301 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
5302 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
5303 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
5304 + {
5305 + unsigned int addr;
5306 +
5307 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
5308 + addr = regs->u_regs[UREG_G1];
5309 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
5310 + regs->pc = addr;
5311 + regs->npc = addr+4;
5312 + return 2;
5313 + }
5314 + } while (0);
5315 +
5316 + { /* PaX: patched PLT emulation #2 */
5317 + unsigned int ba;
5318 +
5319 + err = get_user(ba, (unsigned int *)regs->pc);
5320 +
5321 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
5322 + unsigned int addr;
5323 +
5324 + addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
5325 + regs->pc = addr;
5326 + regs->npc = addr+4;
5327 + return 2;
5328 + }
5329 + }
5330 +
5331 + do { /* PaX: patched PLT emulation #3 */
5332 + unsigned int sethi, jmpl, nop;
5333 +
5334 + err = get_user(sethi, (unsigned int *)regs->pc);
5335 + err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
5336 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
5337 +
5338 + if (err)
5339 + break;
5340 +
5341 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5342 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
5343 + nop == 0x01000000U)
5344 + {
5345 + unsigned int addr;
5346 +
5347 + addr = (sethi & 0x003FFFFFU) << 10;
5348 + regs->u_regs[UREG_G1] = addr;
5349 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
5350 + regs->pc = addr;
5351 + regs->npc = addr+4;
5352 + return 2;
5353 + }
5354 + } while (0);
5355 +
5356 + do { /* PaX: unpatched PLT emulation step 1 */
5357 + unsigned int sethi, ba, nop;
5358 +
5359 + err = get_user(sethi, (unsigned int *)regs->pc);
5360 + err |= get_user(ba, (unsigned int *)(regs->pc+4));
5361 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
5362 +
5363 + if (err)
5364 + break;
5365 +
5366 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5367 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
5368 + nop == 0x01000000U)
5369 + {
5370 + unsigned int addr, save, call;
5371 +
5372 + if ((ba & 0xFFC00000U) == 0x30800000U)
5373 + addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
5374 + else
5375 + addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
5376 +
5377 + err = get_user(save, (unsigned int *)addr);
5378 + err |= get_user(call, (unsigned int *)(addr+4));
5379 + err |= get_user(nop, (unsigned int *)(addr+8));
5380 + if (err)
5381 + break;
5382 +
5383 +#ifdef CONFIG_PAX_DLRESOLVE
5384 + if (save == 0x9DE3BFA8U &&
5385 + (call & 0xC0000000U) == 0x40000000U &&
5386 + nop == 0x01000000U)
5387 + {
5388 + struct vm_area_struct *vma;
5389 + unsigned long call_dl_resolve;
5390 +
5391 + down_read(&current->mm->mmap_sem);
5392 + call_dl_resolve = current->mm->call_dl_resolve;
5393 + up_read(&current->mm->mmap_sem);
5394 + if (likely(call_dl_resolve))
5395 + goto emulate;
5396 +
5397 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
5398 +
5399 + down_write(&current->mm->mmap_sem);
5400 + if (current->mm->call_dl_resolve) {
5401 + call_dl_resolve = current->mm->call_dl_resolve;
5402 + up_write(&current->mm->mmap_sem);
5403 + if (vma)
5404 + kmem_cache_free(vm_area_cachep, vma);
5405 + goto emulate;
5406 + }
5407 +
5408 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5409 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5410 + up_write(&current->mm->mmap_sem);
5411 + if (vma)
5412 + kmem_cache_free(vm_area_cachep, vma);
5413 + return 1;
5414 + }
5415 +
5416 + if (pax_insert_vma(vma, call_dl_resolve)) {
5417 + up_write(&current->mm->mmap_sem);
5418 + kmem_cache_free(vm_area_cachep, vma);
5419 + return 1;
5420 + }
5421 +
5422 + current->mm->call_dl_resolve = call_dl_resolve;
5423 + up_write(&current->mm->mmap_sem);
5424 +
5425 +emulate:
5426 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5427 + regs->pc = call_dl_resolve;
5428 + regs->npc = addr+4;
5429 + return 3;
5430 + }
5431 +#endif
5432 +
5433 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
5434 + if ((save & 0xFFC00000U) == 0x05000000U &&
5435 + (call & 0xFFFFE000U) == 0x85C0A000U &&
5436 + nop == 0x01000000U)
5437 + {
5438 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5439 + regs->u_regs[UREG_G2] = addr + 4;
5440 + addr = (save & 0x003FFFFFU) << 10;
5441 + addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
5442 + regs->pc = addr;
5443 + regs->npc = addr+4;
5444 + return 3;
5445 + }
5446 + }
5447 + } while (0);
5448 +
5449 + do { /* PaX: unpatched PLT emulation step 2 */
5450 + unsigned int save, call, nop;
5451 +
5452 + err = get_user(save, (unsigned int *)(regs->pc-4));
5453 + err |= get_user(call, (unsigned int *)regs->pc);
5454 + err |= get_user(nop, (unsigned int *)(regs->pc+4));
5455 + if (err)
5456 + break;
5457 +
5458 + if (save == 0x9DE3BFA8U &&
5459 + (call & 0xC0000000U) == 0x40000000U &&
5460 + nop == 0x01000000U)
5461 + {
5462 + unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
5463 +
5464 + regs->u_regs[UREG_RETPC] = regs->pc;
5465 + regs->pc = dl_resolve;
5466 + regs->npc = dl_resolve+4;
5467 + return 3;
5468 + }
5469 + } while (0);
5470 +#endif
5471 +
5472 + return 1;
5473 +}
5474 +
5475 +void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
5476 +{
5477 + unsigned long i;
5478 +
5479 + printk(KERN_ERR "PAX: bytes at PC: ");
5480 + for (i = 0; i < 8; i++) {
5481 + unsigned int c;
5482 + if (get_user(c, (unsigned int *)pc+i))
5483 + printk(KERN_CONT "???????? ");
5484 + else
5485 + printk(KERN_CONT "%08x ", c);
5486 + }
5487 + printk("\n");
5488 +}
5489 +#endif
5490 +
5491 asmlinkage void do_sparc_fault(struct pt_regs *regs, int text_fault, int write,
5492 unsigned long address)
5493 {
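Review bot: pax_handle_fetch_fault redirects `regs->pc` from instruction words it reads with get_user() out of the page that just failed the execute check, and nothing in this hunk checks that the faulting address lies in a mapping expected to hold a PLT. The comment block above the function should state that trust assumption, and that CONFIG_PAX_EMUPLT relaxes PAGEEXEC for any bytes matching these templates. The user pointers are also cast without the `__user` annotation, e.g. `(unsigned int *)regs->pc` should be `(unsigned int __user *)regs->pc`, so sparse cannot check them. The repeated opcode literals (`0x01000000U`, `0x9DE3BFA8U`) would read better as named constants.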
5494 @@ -231,6 +495,24 @@ good_area:
5495 if(!(vma->vm_flags & VM_WRITE))
5496 goto bad_area;
5497 } else {
5498 +
5499 +#ifdef CONFIG_PAX_PAGEEXEC
5500 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
5501 + up_read(&mm->mmap_sem);
5502 + switch (pax_handle_fetch_fault(regs)) {
5503 +
5504 +#ifdef CONFIG_PAX_EMUPLT
5505 + case 2:
5506 + case 3:
5507 + return;
5508 +#endif
5509 +
5510 + }
5511 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
5512 + do_group_exit(SIGKILL);
5513 + }
5514 +#endif
5515 +
5516 /* Allow reads even for write-only mappings */
5517 if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
5518 goto bad_area;
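Review bot: The `switch (pax_handle_fetch_fault(regs))` has no `default`, and with CONFIG_PAX_EMUPLT disabled its body is empty, so the kill path is reached only by falling out of the switch. Adding `default: break;` with a comment that return value 1 means the task is killed, as documented on pax_handle_fetch_fault, makes this explicit. `mmap_sem` is dropped before the call, and the DLRESOLVE path in the previous hunk takes it again, so a short comment on the `up_read` would stop someone moving it. do_sparc_fault starts and ends outside the hunk.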
5519 diff -urNp linux-2.6.32.49/arch/sparc/mm/fault_64.c linux-2.6.32.49/arch/sparc/mm/fault_64.c
5520 --- linux-2.6.32.49/arch/sparc/mm/fault_64.c 2011-11-08 19:02:43.000000000 -0500
5521 +++ linux-2.6.32.49/arch/sparc/mm/fault_64.c 2011-11-18 18:01:52.000000000 -0500
5522 @@ -20,6 +20,9 @@
5523 #include <linux/kprobes.h>
5524 #include <linux/kdebug.h>
5525 #include <linux/percpu.h>
5526 +#include <linux/slab.h>
5527 +#include <linux/pagemap.h>
5528 +#include <linux/compiler.h>
5529
5530 #include <asm/page.h>
5531 #include <asm/pgtable.h>
5532 @@ -78,7 +81,7 @@ static void bad_kernel_pc(struct pt_regs
5533 printk(KERN_CRIT "OOPS: Bogus kernel PC [%016lx] in fault handler\n",
5534 regs->tpc);
5535 printk(KERN_CRIT "OOPS: RPC [%016lx]\n", regs->u_regs[15]);
5536 - printk("OOPS: RPC <%pS>\n", (void *) regs->u_regs[15]);
5537 + printk("OOPS: RPC <%pA>\n", (void *) regs->u_regs[15]);
5538 printk(KERN_CRIT "OOPS: Fault was to vaddr[%lx]\n", vaddr);
5539 dump_stack();
5540 unhandled_fault(regs->tpc, current, regs);
5541 @@ -249,6 +252,456 @@ static void noinline bogus_32bit_fault_a
5542 show_regs(regs);
5543 }
5544
5545 +#ifdef CONFIG_PAX_PAGEEXEC
5546 +#ifdef CONFIG_PAX_DLRESOLVE
5547 +static void pax_emuplt_close(struct vm_area_struct *vma)
5548 +{
5549 + vma->vm_mm->call_dl_resolve = 0UL;
5550 +}
5551 +
5552 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
5553 +{
5554 + unsigned int *kaddr;
5555 +
5556 + vmf->page = alloc_page(GFP_HIGHUSER);
5557 + if (!vmf->page)
5558 + return VM_FAULT_OOM;
5559 +
5560 + kaddr = kmap(vmf->page);
5561 + memset(kaddr, 0, PAGE_SIZE);
5562 + kaddr[0] = 0x9DE3BFA8U; /* save */
5563 + flush_dcache_page(vmf->page);
5564 + kunmap(vmf->page);
5565 + return VM_FAULT_MAJOR;
5566 +}
5567 +
5568 +static const struct vm_operations_struct pax_vm_ops = {
5569 + .close = pax_emuplt_close,
5570 + .fault = pax_emuplt_fault
5571 +};
5572 +
5573 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
5574 +{
5575 + int ret;
5576 +
5577 + vma->vm_mm = current->mm;
5578 + vma->vm_start = addr;
5579 + vma->vm_end = addr + PAGE_SIZE;
5580 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
5581 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
5582 + vma->vm_ops = &pax_vm_ops;
5583 +
5584 + ret = insert_vm_struct(current->mm, vma);
5585 + if (ret)
5586 + return ret;
5587 +
5588 + ++current->mm->total_vm;
5589 + return 0;
5590 +}
5591 +#endif
5592 +
5593 +/*
5594 + * PaX: decide what to do with offenders (regs->tpc = fault address)
5595 + *
5596 + * returns 1 when task should be killed
5597 + * 2 when patched PLT trampoline was detected
5598 + * 3 when unpatched PLT trampoline was detected
5599 + */
5600 +static int pax_handle_fetch_fault(struct pt_regs *regs)
5601 +{
5602 +
5603 +#ifdef CONFIG_PAX_EMUPLT
5604 + int err;
5605 +
5606 + do { /* PaX: patched PLT emulation #1 */
5607 + unsigned int sethi1, sethi2, jmpl;
5608 +
5609 + err = get_user(sethi1, (unsigned int *)regs->tpc);
5610 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
5611 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
5612 +
5613 + if (err)
5614 + break;
5615 +
5616 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
5617 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
5618 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
5619 + {
5620 + unsigned long addr;
5621 +
5622 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
5623 + addr = regs->u_regs[UREG_G1];
5624 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5625 +
5626 + if (test_thread_flag(TIF_32BIT))
5627 + addr &= 0xFFFFFFFFUL;
5628 +
5629 + regs->tpc = addr;
5630 + regs->tnpc = addr+4;
5631 + return 2;
5632 + }
5633 + } while (0);
5634 +
5635 + { /* PaX: patched PLT emulation #2 */
5636 + unsigned int ba;
5637 +
5638 + err = get_user(ba, (unsigned int *)regs->tpc);
5639 +
5640 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
5641 + unsigned long addr;
5642 +
5643 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5644 +
5645 + if (test_thread_flag(TIF_32BIT))
5646 + addr &= 0xFFFFFFFFUL;
5647 +
5648 + regs->tpc = addr;
5649 + regs->tnpc = addr+4;
5650 + return 2;
5651 + }
5652 + }
5653 +
5654 + do { /* PaX: patched PLT emulation #3 */
5655 + unsigned int sethi, jmpl, nop;
5656 +
5657 + err = get_user(sethi, (unsigned int *)regs->tpc);
5658 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
5659 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5660 +
5661 + if (err)
5662 + break;
5663 +
5664 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5665 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
5666 + nop == 0x01000000U)
5667 + {
5668 + unsigned long addr;
5669 +
5670 + addr = (sethi & 0x003FFFFFU) << 10;
5671 + regs->u_regs[UREG_G1] = addr;
5672 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5673 +
5674 + if (test_thread_flag(TIF_32BIT))
5675 + addr &= 0xFFFFFFFFUL;
5676 +
5677 + regs->tpc = addr;
5678 + regs->tnpc = addr+4;
5679 + return 2;
5680 + }
5681 + } while (0);
5682 +
5683 + do { /* PaX: patched PLT emulation #4 */
5684 + unsigned int sethi, mov1, call, mov2;
5685 +
5686 + err = get_user(sethi, (unsigned int *)regs->tpc);
5687 + err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
5688 + err |= get_user(call, (unsigned int *)(regs->tpc+8));
5689 + err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
5690 +
5691 + if (err)
5692 + break;
5693 +
5694 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5695 + mov1 == 0x8210000FU &&
5696 + (call & 0xC0000000U) == 0x40000000U &&
5697 + mov2 == 0x9E100001U)
5698 + {
5699 + unsigned long addr;
5700 +
5701 + regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
5702 + addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5703 +
5704 + if (test_thread_flag(TIF_32BIT))
5705 + addr &= 0xFFFFFFFFUL;
5706 +
5707 + regs->tpc = addr;
5708 + regs->tnpc = addr+4;
5709 + return 2;
5710 + }
5711 + } while (0);
5712 +
5713 + do { /* PaX: patched PLT emulation #5 */
5714 + unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
5715 +
5716 + err = get_user(sethi, (unsigned int *)regs->tpc);
5717 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5718 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5719 + err |= get_user(or1, (unsigned int *)(regs->tpc+12));
5720 + err |= get_user(or2, (unsigned int *)(regs->tpc+16));
5721 + err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
5722 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
5723 + err |= get_user(nop, (unsigned int *)(regs->tpc+28));
5724 +
5725 + if (err)
5726 + break;
5727 +
5728 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5729 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
5730 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5731 + (or1 & 0xFFFFE000U) == 0x82106000U &&
5732 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5733 + sllx == 0x83287020U &&
5734 + jmpl == 0x81C04005U &&
5735 + nop == 0x01000000U)
5736 + {
5737 + unsigned long addr;
5738 +
5739 + regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5740 + regs->u_regs[UREG_G1] <<= 32;
5741 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5742 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5743 + regs->tpc = addr;
5744 + regs->tnpc = addr+4;
5745 + return 2;
5746 + }
5747 + } while (0);
5748 +
5749 + do { /* PaX: patched PLT emulation #6 */
5750 + unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop;
5751 +
5752 + err = get_user(sethi, (unsigned int *)regs->tpc);
5753 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5754 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5755 + err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
5756 + err |= get_user(or, (unsigned int *)(regs->tpc+16));
5757 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
5758 + err |= get_user(nop, (unsigned int *)(regs->tpc+24));
5759 +
5760 + if (err)
5761 + break;
5762 +
5763 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5764 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
5765 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5766 + sllx == 0x83287020U &&
5767 + (or & 0xFFFFE000U) == 0x8A116000U &&
5768 + jmpl == 0x81C04005U &&
5769 + nop == 0x01000000U)
5770 + {
5771 + unsigned long addr;
5772 +
5773 + regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
5774 + regs->u_regs[UREG_G1] <<= 32;
5775 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
5776 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5777 + regs->tpc = addr;
5778 + regs->tnpc = addr+4;
5779 + return 2;
5780 + }
5781 + } while (0);
5782 +
5783 + do { /* PaX: unpatched PLT emulation step 1 */
5784 + unsigned int sethi, ba, nop;
5785 +
5786 + err = get_user(sethi, (unsigned int *)regs->tpc);
5787 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5788 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5789 +
5790 + if (err)
5791 + break;
5792 +
5793 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5794 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
5795 + nop == 0x01000000U)
5796 + {
5797 + unsigned long addr;
5798 + unsigned int save, call;
5799 + unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
5800 +
5801 + if ((ba & 0xFFC00000U) == 0x30800000U)
5802 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5803 + else
5804 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5805 +
5806 + if (test_thread_flag(TIF_32BIT))
5807 + addr &= 0xFFFFFFFFUL;
5808 +
5809 + err = get_user(save, (unsigned int *)addr);
5810 + err |= get_user(call, (unsigned int *)(addr+4));
5811 + err |= get_user(nop, (unsigned int *)(addr+8));
5812 + if (err)
5813 + break;
5814 +
5815 +#ifdef CONFIG_PAX_DLRESOLVE
5816 + if (save == 0x9DE3BFA8U &&
5817 + (call & 0xC0000000U) == 0x40000000U &&
5818 + nop == 0x01000000U)
5819 + {
5820 + struct vm_area_struct *vma;
5821 + unsigned long call_dl_resolve;
5822 +
5823 + down_read(&current->mm->mmap_sem);
5824 + call_dl_resolve = current->mm->call_dl_resolve;
5825 + up_read(&current->mm->mmap_sem);
5826 + if (likely(call_dl_resolve))
5827 + goto emulate;
5828 +
5829 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
5830 +
5831 + down_write(&current->mm->mmap_sem);
5832 + if (current->mm->call_dl_resolve) {
5833 + call_dl_resolve = current->mm->call_dl_resolve;
5834 + up_write(&current->mm->mmap_sem);
5835 + if (vma)
5836 + kmem_cache_free(vm_area_cachep, vma);
5837 + goto emulate;
5838 + }
5839 +
5840 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5841 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5842 + up_write(&current->mm->mmap_sem);
5843 + if (vma)
5844 + kmem_cache_free(vm_area_cachep, vma);
5845 + return 1;
5846 + }
5847 +
5848 + if (pax_insert_vma(vma, call_dl_resolve)) {
5849 + up_write(&current->mm->mmap_sem);
5850 + kmem_cache_free(vm_area_cachep, vma);
5851 + return 1;
5852 + }
5853 +
5854 + current->mm->call_dl_resolve = call_dl_resolve;
5855 + up_write(&current->mm->mmap_sem);
5856 +
5857 +emulate:
5858 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5859 + regs->tpc = call_dl_resolve;
5860 + regs->tnpc = addr+4;
5861 + return 3;
5862 + }
5863 +#endif
5864 +
5865 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
5866 + if ((save & 0xFFC00000U) == 0x05000000U &&
5867 + (call & 0xFFFFE000U) == 0x85C0A000U &&
5868 + nop == 0x01000000U)
5869 + {
5870 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5871 + regs->u_regs[UREG_G2] = addr + 4;
5872 + addr = (save & 0x003FFFFFU) << 10;
5873 + addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5874 +
5875 + if (test_thread_flag(TIF_32BIT))
5876 + addr &= 0xFFFFFFFFUL;
5877 +
5878 + regs->tpc = addr;
5879 + regs->tnpc = addr+4;
5880 + return 3;
5881 + }
5882 +
5883 + /* PaX: 64-bit PLT stub */
5884 + err = get_user(sethi1, (unsigned int *)addr);
5885 + err |= get_user(sethi2, (unsigned int *)(addr+4));
5886 + err |= get_user(or1, (unsigned int *)(addr+8));
5887 + err |= get_user(or2, (unsigned int *)(addr+12));
5888 + err |= get_user(sllx, (unsigned int *)(addr+16));
5889 + err |= get_user(add, (unsigned int *)(addr+20));
5890 + err |= get_user(jmpl, (unsigned int *)(addr+24));
5891 + err |= get_user(nop, (unsigned int *)(addr+28));
5892 + if (err)
5893 + break;
5894 +
5895 + if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
5896 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5897 + (or1 & 0xFFFFE000U) == 0x88112000U &&
5898 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5899 + sllx == 0x89293020U &&
5900 + add == 0x8A010005U &&
5901 + jmpl == 0x89C14000U &&
5902 + nop == 0x01000000U)
5903 + {
5904 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5905 + regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5906 + regs->u_regs[UREG_G4] <<= 32;
5907 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5908 + regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
5909 + regs->u_regs[UREG_G4] = addr + 24;
5910 + addr = regs->u_regs[UREG_G5];
5911 + regs->tpc = addr;
5912 + regs->tnpc = addr+4;
5913 + return 3;
5914 + }
5915 + }
5916 + } while (0);
5917 +
5918 +#ifdef CONFIG_PAX_DLRESOLVE
5919 + do { /* PaX: unpatched PLT emulation step 2 */
5920 + unsigned int save, call, nop;
5921 +
5922 + err = get_user(save, (unsigned int *)(regs->tpc-4));
5923 + err |= get_user(call, (unsigned int *)regs->tpc);
5924 + err |= get_user(nop, (unsigned int *)(regs->tpc+4));
5925 + if (err)
5926 + break;
5927 +
5928 + if (save == 0x9DE3BFA8U &&
5929 + (call & 0xC0000000U) == 0x40000000U &&
5930 + nop == 0x01000000U)
5931 + {
5932 + unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5933 +
5934 + if (test_thread_flag(TIF_32BIT))
5935 + dl_resolve &= 0xFFFFFFFFUL;
5936 +
5937 + regs->u_regs[UREG_RETPC] = regs->tpc;
5938 + regs->tpc = dl_resolve;
5939 + regs->tnpc = dl_resolve+4;
5940 + return 3;
5941 + }
5942 + } while (0);
5943 +#endif
5944 +
5945 + do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
5946 + unsigned int sethi, ba, nop;
5947 +
5948 + err = get_user(sethi, (unsigned int *)regs->tpc);
5949 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5950 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5951 +
5952 + if (err)
5953 + break;
5954 +
5955 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5956 + (ba & 0xFFF00000U) == 0x30600000U &&
5957 + nop == 0x01000000U)
5958 + {
5959 + unsigned long addr;
5960 +
5961 + addr = (sethi & 0x003FFFFFU) << 10;
5962 + regs->u_regs[UREG_G1] = addr;
5963 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5964 +
5965 + if (test_thread_flag(TIF_32BIT))
5966 + addr &= 0xFFFFFFFFUL;
5967 +
5968 + regs->tpc = addr;
5969 + regs->tnpc = addr+4;
5970 + return 2;
5971 + }
5972 + } while (0);
5973 +
5974 +#endif
5975 +
5976 + return 1;
5977 +}
5978 +
5979 +void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
5980 +{
5981 + unsigned long i;
5982 +
5983 + printk(KERN_ERR "PAX: bytes at PC: ");
5984 + for (i = 0; i < 8; i++) {
5985 + unsigned int c;
5986 + if (get_user(c, (unsigned int *)pc+i))
5987 + printk(KERN_CONT "???????? ");
5988 + else
5989 + printk(KERN_CONT "%08x ", c);
5990 + }
5991 + printk("\n");
5992 +}
5993 +#endif
5994 +
5995 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
5996 {
5997 struct mm_struct *mm = current->mm;
5998 @@ -315,6 +768,29 @@ asmlinkage void __kprobes do_sparc64_fau
5999 if (!vma)
6000 goto bad_area;
6001
6002 +#ifdef CONFIG_PAX_PAGEEXEC
6003 + /* PaX: detect ITLB misses on non-exec pages */
6004 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
6005 + !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
6006 + {
6007 + if (address != regs->tpc)
6008 + goto good_area;
6009 +
6010 + up_read(&mm->mmap_sem);
6011 + switch (pax_handle_fetch_fault(regs)) {
6012 +
6013 +#ifdef CONFIG_PAX_EMUPLT
6014 + case 2:
6015 + case 3:
6016 + return;
6017 +#endif
6018 +
6019 + }
6020 + pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
6021 + do_group_exit(SIGKILL);
6022 + }
6023 +#endif
6024 +
6025 /* Pure DTLB misses do not tell us whether the fault causing
6026 * load/store/atomic was a write or not, it only says that there
6027 * was no match. So in such a case we (carefully) read the
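Review bot: The `switch (pax_handle_fetch_fault(regs))` in the PAGEEXEC block treats every return value other than 2 or 3 as a kill, and nothing here says what the codes mean. The emulation routine earlier in this file's diff (presumably the same pax_handle_fetch_fault) also returns 1 when `kmem_cache_zalloc()` or `pax_insert_vma()` fails in its CONFIG_PAX_DLRESOLVE path, so an allocation failure goes through `pax_report_fault()` and `do_group_exit(SIGKILL)` exactly like a real execution attempt, which leaves the log entry ambiguous for whoever triages it. I would add a comment above the switch such as `/* 1: not emulated, report and kill; 2: patched PLT emulated; 3: unpatched PLT emulated */` and an explicit `default: break;`. do_sparc64_fault's body starts and ends outside the hunk.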
6028 diff -urNp linux-2.6.32.49/arch/sparc/mm/hugetlbpage.c linux-2.6.32.49/arch/sparc/mm/hugetlbpage.c
6029 --- linux-2.6.32.49/arch/sparc/mm/hugetlbpage.c 2011-11-08 19:02:43.000000000 -0500
6030 +++ linux-2.6.32.49/arch/sparc/mm/hugetlbpage.c 2011-11-15 19:59:42.000000000 -0500
6031 @@ -69,7 +69,7 @@ full_search:
6032 }
6033 return -ENOMEM;
6034 }
6035 - if (likely(!vma || addr + len <= vma->vm_start)) {
6036 + if (likely(check_heap_stack_gap(vma, addr, len))) {
6037 /*
6038 * Remember the place where we stopped the search:
6039 */
6040 @@ -108,7 +108,7 @@ hugetlb_get_unmapped_area_topdown(struct
6041 /* make sure it can fit in the remaining address space */
6042 if (likely(addr > len)) {
6043 vma = find_vma(mm, addr-len);
6044 - if (!vma || addr <= vma->vm_start) {
6045 + if (check_heap_stack_gap(vma, addr - len, len)) {
6046 /* remember the address as a hint for next time */
6047 return (mm->free_area_cache = addr-len);
6048 }
6049 @@ -117,16 +117,17 @@ hugetlb_get_unmapped_area_topdown(struct
6050 if (unlikely(mm->mmap_base < len))
6051 goto bottomup;
6052
6053 - addr = (mm->mmap_base-len) & HPAGE_MASK;
6054 + addr = mm->mmap_base - len;
6055
6056 do {
6057 + addr &= HPAGE_MASK;
6058 /*
6059 * Lookup failure means no vma is above this address,
6060 * else if new region fits below vma->vm_start,
6061 * return with success:
6062 */
6063 vma = find_vma(mm, addr);
6064 - if (likely(!vma || addr+len <= vma->vm_start)) {
6065 + if (likely(check_heap_stack_gap(vma, addr, len))) {
6066 /* remember the address as a hint for next time */
6067 return (mm->free_area_cache = addr);
6068 }
6069 @@ -136,8 +137,8 @@ hugetlb_get_unmapped_area_topdown(struct
6070 mm->cached_hole_size = vma->vm_start - addr;
6071
6072 /* try just below the current vma->vm_start */
6073 - addr = (vma->vm_start-len) & HPAGE_MASK;
6074 - } while (likely(len < vma->vm_start));
6075 + addr = skip_heap_stack_gap(vma, len);
6076 + } while (!IS_ERR_VALUE(addr));
6077
6078 bottomup:
6079 /*
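Review bot: The top-down search loop no longer carries its own underflow guard: `len < vma->vm_start` is replaced by `!IS_ERR_VALUE(addr)`, so termination now depends entirely on `skip_heap_stack_gap()` returning an error value whenever the region cannot fit below `vma->vm_start`. That helper is defined outside this section, so the contract cannot be confirmed here; if it could return a wrapped address instead, the `addr &= HPAGE_MASK` at the top of the loop (previous hunk) would carry on with it. A comment at the `while`, e.g. `/* relies on skip_heap_stack_gap() returning an error value when the region cannot fit below vma->vm_start */`, would make the dependency reviewable. The function body extends beyond the hunk.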
6080 @@ -183,8 +184,7 @@ hugetlb_get_unmapped_area(struct file *f
6081 if (addr) {
6082 addr = ALIGN(addr, HPAGE_SIZE);
6083 vma = find_vma(mm, addr);
6084 - if (task_size - len >= addr &&
6085 - (!vma || addr + len <= vma->vm_start))
6086 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
6087 return addr;
6088 }
6089 if (mm->get_unmapped_area == arch_get_unmapped_area)
6090 diff -urNp linux-2.6.32.49/arch/sparc/mm/init_32.c linux-2.6.32.49/arch/sparc/mm/init_32.c
6091 --- linux-2.6.32.49/arch/sparc/mm/init_32.c 2011-11-08 19:02:43.000000000 -0500
6092 +++ linux-2.6.32.49/arch/sparc/mm/init_32.c 2011-11-15 19:59:42.000000000 -0500
6093 @@ -317,6 +317,9 @@ extern void device_scan(void);
6094 pgprot_t PAGE_SHARED __read_mostly;
6095 EXPORT_SYMBOL(PAGE_SHARED);
6096
6097 +pgprot_t PAGE_SHARED_NOEXEC __read_mostly;
6098 +EXPORT_SYMBOL(PAGE_SHARED_NOEXEC);
6099 +
6100 void __init paging_init(void)
6101 {
6102 switch(sparc_cpu_model) {
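Review bot: `PAGE_SHARED_NOEXEC` is defined and exported here unconditionally, but the only assignment to it in this patch, in ld_mmu_srmmu() in arch/sparc/mm/srmmu.c, sits under `#ifdef CONFIG_PAX_PAGEEXEC`. With that option off the outcome depends on the pgtable header, which is not part of this section: if the name is a real variable it stays zero and the next hunk stores it into `protection_map[10]` and `protection_map[11]`; if the header aliases it to `PAGE_SHARED`, these two lines become a duplicate definition and export. Wrapping both added lines in `#ifdef CONFIG_PAX_PAGEEXEC` / `#endif` would match srmmu.c in either case.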
6103 @@ -345,17 +348,17 @@ void __init paging_init(void)
6104
6105 /* Initialize the protection map with non-constant, MMU dependent values. */
6106 protection_map[0] = PAGE_NONE;
6107 - protection_map[1] = PAGE_READONLY;
6108 - protection_map[2] = PAGE_COPY;
6109 - protection_map[3] = PAGE_COPY;
6110 + protection_map[1] = PAGE_READONLY_NOEXEC;
6111 + protection_map[2] = PAGE_COPY_NOEXEC;
6112 + protection_map[3] = PAGE_COPY_NOEXEC;
6113 protection_map[4] = PAGE_READONLY;
6114 protection_map[5] = PAGE_READONLY;
6115 protection_map[6] = PAGE_COPY;
6116 protection_map[7] = PAGE_COPY;
6117 protection_map[8] = PAGE_NONE;
6118 - protection_map[9] = PAGE_READONLY;
6119 - protection_map[10] = PAGE_SHARED;
6120 - protection_map[11] = PAGE_SHARED;
6121 + protection_map[9] = PAGE_READONLY_NOEXEC;
6122 + protection_map[10] = PAGE_SHARED_NOEXEC;
6123 + protection_map[11] = PAGE_SHARED_NOEXEC;
6124 protection_map[12] = PAGE_READONLY;
6125 protection_map[13] = PAGE_READONLY;
6126 protection_map[14] = PAGE_SHARED;
6127 diff -urNp linux-2.6.32.49/arch/sparc/mm/Makefile linux-2.6.32.49/arch/sparc/mm/Makefile
6128 --- linux-2.6.32.49/arch/sparc/mm/Makefile 2011-11-08 19:02:43.000000000 -0500
6129 +++ linux-2.6.32.49/arch/sparc/mm/Makefile 2011-11-15 19:59:42.000000000 -0500
6130 @@ -2,7 +2,7 @@
6131 #
6132
6133 asflags-y := -ansi
6134 -ccflags-y := -Werror
6135 +#ccflags-y := -Werror
6136
6137 obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o
6138 obj-y += fault_$(BITS).o
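Review bot: `-Werror` is switched off for the whole of arch/sparc/mm by commenting the line out, with no reason recorded. The sparc fault-handler changes earlier in this patch appear to live in the same directory, so warnings there are worth keeping fatal. If one specific warning is the problem, I would rather see it named next to the change, e.g. `# -Werror dropped: <warning> in <file>`, or the flag relaxed only for the affected object.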
6139 diff -urNp linux-2.6.32.49/arch/sparc/mm/srmmu.c linux-2.6.32.49/arch/sparc/mm/srmmu.c
6140 --- linux-2.6.32.49/arch/sparc/mm/srmmu.c 2011-11-08 19:02:43.000000000 -0500
6141 +++ linux-2.6.32.49/arch/sparc/mm/srmmu.c 2011-11-15 19:59:42.000000000 -0500
6142 @@ -2200,6 +2200,13 @@ void __init ld_mmu_srmmu(void)
6143 PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
6144 BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
6145 BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
6146 +
6147 +#ifdef CONFIG_PAX_PAGEEXEC
6148 + PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
6149 + BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
6150 + BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
6151 +#endif
6152 +
6153 BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
6154 page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
6155
6156 diff -urNp linux-2.6.32.49/arch/um/include/asm/kmap_types.h linux-2.6.32.49/arch/um/include/asm/kmap_types.h
6157 --- linux-2.6.32.49/arch/um/include/asm/kmap_types.h 2011-11-08 19:02:43.000000000 -0500
6158 +++ linux-2.6.32.49/arch/um/include/asm/kmap_types.h 2011-11-15 19:59:42.000000000 -0500
6159 @@ -23,6 +23,7 @@ enum km_type {
6160 KM_IRQ1,
6161 KM_SOFTIRQ0,
6162 KM_SOFTIRQ1,
6163 + KM_CLEARPAGE,
6164 KM_TYPE_NR
6165 };
6166
6167 diff -urNp linux-2.6.32.49/arch/um/include/asm/page.h linux-2.6.32.49/arch/um/include/asm/page.h
6168 --- linux-2.6.32.49/arch/um/include/asm/page.h 2011-11-08 19:02:43.000000000 -0500
6169 +++ linux-2.6.32.49/arch/um/include/asm/page.h 2011-11-15 19:59:42.000000000 -0500
6170 @@ -14,6 +14,9 @@
6171 #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
6172 #define PAGE_MASK (~(PAGE_SIZE-1))
6173
6174 +#define ktla_ktva(addr) (addr)
6175 +#define ktva_ktla(addr) (addr)
6176 +
6177 #ifndef __ASSEMBLY__
6178
6179 struct page;
6180 diff -urNp linux-2.6.32.49/arch/um/kernel/process.c linux-2.6.32.49/arch/um/kernel/process.c
6181 --- linux-2.6.32.49/arch/um/kernel/process.c 2011-11-08 19:02:43.000000000 -0500
6182 +++ linux-2.6.32.49/arch/um/kernel/process.c 2011-11-15 19:59:42.000000000 -0500
6183 @@ -393,22 +393,6 @@ int singlestepping(void * t)
6184 return 2;
6185 }
6186
6187 -/*
6188 - * Only x86 and x86_64 have an arch_align_stack().
6189 - * All other arches have "#define arch_align_stack(x) (x)"
6190 - * in their asm/system.h
6191 - * As this is included in UML from asm-um/system-generic.h,
6192 - * we can use it to behave as the subarch does.
6193 - */
6194 -#ifndef arch_align_stack
6195 -unsigned long arch_align_stack(unsigned long sp)
6196 -{
6197 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
6198 - sp -= get_random_int() % 8192;
6199 - return sp & ~0xf;
6200 -}
6201 -#endif
6202 -
6203 unsigned long get_wchan(struct task_struct *p)
6204 {
6205 unsigned long stack_page, sp, ip;
6206 diff -urNp linux-2.6.32.49/arch/um/Makefile linux-2.6.32.49/arch/um/Makefile
6207 --- linux-2.6.32.49/arch/um/Makefile 2011-11-08 19:02:43.000000000 -0500
6208 +++ linux-2.6.32.49/arch/um/Makefile 2011-11-18 18:01:52.000000000 -0500
6209 @@ -49,6 +49,10 @@ USER_CFLAGS = $(patsubst $(KERNEL_DEFINE
6210 $(patsubst -I%,,$(KBUILD_CFLAGS)))) $(ARCH_INCLUDE) $(MODE_INCLUDE) \
6211 $(filter -I%,$(CFLAGS)) -D_FILE_OFFSET_BITS=64
6212
6213 +ifdef CONSTIFY_PLUGIN
6214 +USER_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
6215 +endif
6216 +
6217 include $(srctree)/$(ARCH_DIR)/Makefile-$(SUBARCH)
6218
6219 #This will adjust *FLAGS accordingly to the platform.
6220 diff -urNp linux-2.6.32.49/arch/um/sys-i386/shared/sysdep/system.h linux-2.6.32.49/arch/um/sys-i386/shared/sysdep/system.h
6221 --- linux-2.6.32.49/arch/um/sys-i386/shared/sysdep/system.h 2011-11-08 19:02:43.000000000 -0500
6222 +++ linux-2.6.32.49/arch/um/sys-i386/shared/sysdep/system.h 2011-11-18 18:01:52.000000000 -0500
6223 @@ -17,7 +17,7 @@
6224 # define AT_VECTOR_SIZE_ARCH 1
6225 #endif
6226
6227 -extern unsigned long arch_align_stack(unsigned long sp);
6228 +#define arch_align_stack(x) ((x) & ~0xfUL)
6229
6230 void default_idle(void);
6231
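Review bot: Replacing arch_align_stack() with `((x) & ~0xfUL)` drops the per-exec stack offset that the removed UML function applied (`sp -= get_random_int() % 8192` when `randomize_va_space` is set and ADDR_NO_RANDOMIZE is clear). If PaX randomises the user stack elsewhere for UML this is harmless, but nothing in these hunks shows that, and a UML build without that PaX feature may end up with less stack randomisation than before. The same applies to the sys-x86_64 system.h hunk further down. A comment on the macro, e.g. `/* alignment only; stack randomisation is done by <PaX option> */`, would record the intent.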
6232 diff -urNp linux-2.6.32.49/arch/um/sys-i386/syscalls.c linux-2.6.32.49/arch/um/sys-i386/syscalls.c
6233 --- linux-2.6.32.49/arch/um/sys-i386/syscalls.c 2011-11-08 19:02:43.000000000 -0500
6234 +++ linux-2.6.32.49/arch/um/sys-i386/syscalls.c 2011-11-15 19:59:42.000000000 -0500
6235 @@ -11,6 +11,21 @@
6236 #include "asm/uaccess.h"
6237 #include "asm/unistd.h"
6238
6239 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
6240 +{
6241 + unsigned long pax_task_size = TASK_SIZE;
6242 +
6243 +#ifdef CONFIG_PAX_SEGMEXEC
6244 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
6245 + pax_task_size = SEGMEXEC_TASK_SIZE;
6246 +#endif
6247 +
6248 + if (len > pax_task_size || addr > pax_task_size - len)
6249 + return -EINVAL;
6250 +
6251 + return 0;
6252 +}
6253 +
6254 /*
6255 * Perform the select(nd, in, out, ex, tv) and mmap() system
6256 * calls. Linux/i386 didn't use to be able to handle more than
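Review bot: i386_mmap_check() has no comment and never reads its `flags` parameter. The bound itself is written safely, since `len > pax_task_size` is tested before `pax_task_size - len` is computed, and that ordering deserves a note so nobody later folds it into `addr + len > pax_task_size`, which can wrap. Suggested header: `/* Reject a mapping that would extend past the task size (SEGMEXEC_TASK_SIZE under MF_PAX_SEGMEXEC); len is checked first so the subtraction cannot wrap. */`.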
6257 diff -urNp linux-2.6.32.49/arch/um/sys-x86_64/shared/sysdep/system.h linux-2.6.32.49/arch/um/sys-x86_64/shared/sysdep/system.h
6258 --- linux-2.6.32.49/arch/um/sys-x86_64/shared/sysdep/system.h 2011-11-08 19:02:43.000000000 -0500
6259 +++ linux-2.6.32.49/arch/um/sys-x86_64/shared/sysdep/system.h 2011-11-18 18:01:52.000000000 -0500
6260 @@ -17,7 +17,7 @@
6261 # define AT_VECTOR_SIZE_ARCH 1
6262 #endif
6263
6264 -extern unsigned long arch_align_stack(unsigned long sp);
6265 +#define arch_align_stack(x) ((x) & ~0xfUL)
6266
6267 void default_idle(void);
6268
6269 diff -urNp linux-2.6.32.49/arch/x86/boot/bitops.h linux-2.6.32.49/arch/x86/boot/bitops.h
6270 --- linux-2.6.32.49/arch/x86/boot/bitops.h 2011-11-08 19:02:43.000000000 -0500
6271 +++ linux-2.6.32.49/arch/x86/boot/bitops.h 2011-11-15 19:59:42.000000000 -0500
6272 @@ -26,7 +26,7 @@ static inline int variable_test_bit(int
6273 u8 v;
6274 const u32 *p = (const u32 *)addr;
6275
6276 - asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
6277 + asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
6278 return v;
6279 }
6280
6281 @@ -37,7 +37,7 @@ static inline int variable_test_bit(int
6282
6283 static inline void set_bit(int nr, void *addr)
6284 {
6285 - asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
6286 + asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
6287 }
6288
6289 #endif /* BOOT_BITOPS_H */
6290 diff -urNp linux-2.6.32.49/arch/x86/boot/boot.h linux-2.6.32.49/arch/x86/boot/boot.h
6291 --- linux-2.6.32.49/arch/x86/boot/boot.h 2011-11-08 19:02:43.000000000 -0500
6292 +++ linux-2.6.32.49/arch/x86/boot/boot.h 2011-11-15 19:59:42.000000000 -0500
6293 @@ -82,7 +82,7 @@ static inline void io_delay(void)
6294 static inline u16 ds(void)
6295 {
6296 u16 seg;
6297 - asm("movw %%ds,%0" : "=rm" (seg));
6298 + asm volatile("movw %%ds,%0" : "=rm" (seg));
6299 return seg;
6300 }
6301
6302 @@ -178,7 +178,7 @@ static inline void wrgs32(u32 v, addr_t
6303 static inline int memcmp(const void *s1, const void *s2, size_t len)
6304 {
6305 u8 diff;
6306 - asm("repe; cmpsb; setnz %0"
6307 + asm volatile("repe; cmpsb; setnz %0"
6308 : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
6309 return diff;
6310 }
6311 diff -urNp linux-2.6.32.49/arch/x86/boot/compressed/head_32.S linux-2.6.32.49/arch/x86/boot/compressed/head_32.S
6312 --- linux-2.6.32.49/arch/x86/boot/compressed/head_32.S 2011-11-08 19:02:43.000000000 -0500
6313 +++ linux-2.6.32.49/arch/x86/boot/compressed/head_32.S 2011-11-15 19:59:42.000000000 -0500
6314 @@ -76,7 +76,7 @@ ENTRY(startup_32)
6315 notl %eax
6316 andl %eax, %ebx
6317 #else
6318 - movl $LOAD_PHYSICAL_ADDR, %ebx
6319 + movl $____LOAD_PHYSICAL_ADDR, %ebx
6320 #endif
6321
6322 /* Target address to relocate to for decompression */
6323 @@ -149,7 +149,7 @@ relocated:
6324 * and where it was actually loaded.
6325 */
6326 movl %ebp, %ebx
6327 - subl $LOAD_PHYSICAL_ADDR, %ebx
6328 + subl $____LOAD_PHYSICAL_ADDR, %ebx
6329 jz 2f /* Nothing to be done if loaded at compiled addr. */
6330 /*
6331 * Process relocations.
6332 @@ -157,8 +157,7 @@ relocated:
6333
6334 1: subl $4, %edi
6335 movl (%edi), %ecx
6336 - testl %ecx, %ecx
6337 - jz 2f
6338 + jecxz 2f
6339 addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
6340 jmp 1b
6341 2:
6342 diff -urNp linux-2.6.32.49/arch/x86/boot/compressed/head_64.S linux-2.6.32.49/arch/x86/boot/compressed/head_64.S
6343 --- linux-2.6.32.49/arch/x86/boot/compressed/head_64.S 2011-11-08 19:02:43.000000000 -0500
6344 +++ linux-2.6.32.49/arch/x86/boot/compressed/head_64.S 2011-11-15 19:59:42.000000000 -0500
6345 @@ -91,7 +91,7 @@ ENTRY(startup_32)
6346 notl %eax
6347 andl %eax, %ebx
6348 #else
6349 - movl $LOAD_PHYSICAL_ADDR, %ebx
6350 + movl $____LOAD_PHYSICAL_ADDR, %ebx
6351 #endif
6352
6353 /* Target address to relocate to for decompression */
6354 @@ -183,7 +183,7 @@ no_longmode:
6355 hlt
6356 jmp 1b
6357
6358 -#include "../../kernel/verify_cpu_64.S"
6359 +#include "../../kernel/verify_cpu.S"
6360
6361 /*
6362 * Be careful here startup_64 needs to be at a predictable
6363 @@ -234,7 +234,7 @@ ENTRY(startup_64)
6364 notq %rax
6365 andq %rax, %rbp
6366 #else
6367 - movq $LOAD_PHYSICAL_ADDR, %rbp
6368 + movq $____LOAD_PHYSICAL_ADDR, %rbp
6369 #endif
6370
6371 /* Target address to relocate to for decompression */
6372 diff -urNp linux-2.6.32.49/arch/x86/boot/compressed/Makefile linux-2.6.32.49/arch/x86/boot/compressed/Makefile
6373 --- linux-2.6.32.49/arch/x86/boot/compressed/Makefile 2011-11-08 19:02:43.000000000 -0500
6374 +++ linux-2.6.32.49/arch/x86/boot/compressed/Makefile 2011-11-15 19:59:42.000000000 -0500
6375 @@ -13,6 +13,9 @@ cflags-$(CONFIG_X86_64) := -mcmodel=smal
6376 KBUILD_CFLAGS += $(cflags-y)
6377 KBUILD_CFLAGS += $(call cc-option,-ffreestanding)
6378 KBUILD_CFLAGS += $(call cc-option,-fno-stack-protector)
6379 +ifdef CONSTIFY_PLUGIN
6380 +KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
6381 +endif
6382
6383 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
6384 GCOV_PROFILE := n
6385 diff -urNp linux-2.6.32.49/arch/x86/boot/compressed/misc.c linux-2.6.32.49/arch/x86/boot/compressed/misc.c
6386 --- linux-2.6.32.49/arch/x86/boot/compressed/misc.c 2011-11-08 19:02:43.000000000 -0500
6387 +++ linux-2.6.32.49/arch/x86/boot/compressed/misc.c 2011-11-15 19:59:42.000000000 -0500
6388 @@ -288,7 +288,7 @@ static void parse_elf(void *output)
6389 case PT_LOAD:
6390 #ifdef CONFIG_RELOCATABLE
6391 dest = output;
6392 - dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
6393 + dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
6394 #else
6395 dest = (void *)(phdr->p_paddr);
6396 #endif
6397 @@ -335,7 +335,7 @@ asmlinkage void decompress_kernel(void *
6398 error("Destination address too large");
6399 #endif
6400 #ifndef CONFIG_RELOCATABLE
6401 - if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
6402 + if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
6403 error("Wrong destination address");
6404 #endif
6405
6406 diff -urNp linux-2.6.32.49/arch/x86/boot/compressed/mkpiggy.c linux-2.6.32.49/arch/x86/boot/compressed/mkpiggy.c
6407 --- linux-2.6.32.49/arch/x86/boot/compressed/mkpiggy.c 2011-11-08 19:02:43.000000000 -0500
6408 +++ linux-2.6.32.49/arch/x86/boot/compressed/mkpiggy.c 2011-11-15 19:59:42.000000000 -0500
6409 @@ -74,7 +74,7 @@ int main(int argc, char *argv[])
6410
6411 offs = (olen > ilen) ? olen - ilen : 0;
6412 offs += olen >> 12; /* Add 8 bytes for each 32K block */
6413 - offs += 32*1024 + 18; /* Add 32K + 18 bytes slack */
6414 + offs += 64*1024; /* Add 64K bytes slack */
6415 offs = (offs+4095) & ~4095; /* Round to a 4K boundary */
6416
6417 printf(".section \".rodata.compressed\",\"a\",@progbits\n");
6418 diff -urNp linux-2.6.32.49/arch/x86/boot/compressed/relocs.c linux-2.6.32.49/arch/x86/boot/compressed/relocs.c
6419 --- linux-2.6.32.49/arch/x86/boot/compressed/relocs.c 2011-11-08 19:02:43.000000000 -0500
6420 +++ linux-2.6.32.49/arch/x86/boot/compressed/relocs.c 2011-11-15 19:59:42.000000000 -0500
6421 @@ -10,8 +10,11 @@
6422 #define USE_BSD
6423 #include <endian.h>
6424
6425 +#include "../../../../include/linux/autoconf.h"
6426 +
6427 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
6428 static Elf32_Ehdr ehdr;
6429 +static Elf32_Phdr *phdr;
6430 static unsigned long reloc_count, reloc_idx;
6431 static unsigned long *relocs;
6432
6433 @@ -37,7 +40,7 @@ static const char* safe_abs_relocs[] = {
6434
6435 static int is_safe_abs_reloc(const char* sym_name)
6436 {
6437 - int i;
6438 + unsigned int i;
6439
6440 for (i = 0; i < ARRAY_SIZE(safe_abs_relocs); i++) {
6441 if (!strcmp(sym_name, safe_abs_relocs[i]))
6442 @@ -245,9 +248,39 @@ static void read_ehdr(FILE *fp)
6443 }
6444 }
6445
6446 +static void read_phdrs(FILE *fp)
6447 +{
6448 + unsigned int i;
6449 +
6450 + phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
6451 + if (!phdr) {
6452 + die("Unable to allocate %d program headers\n",
6453 + ehdr.e_phnum);
6454 + }
6455 + if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
6456 + die("Seek to %d failed: %s\n",
6457 + ehdr.e_phoff, strerror(errno));
6458 + }
6459 + if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
6460 + die("Cannot read ELF program headers: %s\n",
6461 + strerror(errno));
6462 + }
6463 + for(i = 0; i < ehdr.e_phnum; i++) {
6464 + phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
6465 + phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
6466 + phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
6467 + phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
6468 + phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
6469 + phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
6470 + phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
6471 + phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
6472 + }
6473 +
6474 +}
6475 +
6476 static void read_shdrs(FILE *fp)
6477 {
6478 - int i;
6479 + unsigned int i;
6480 Elf32_Shdr shdr;
6481
6482 secs = calloc(ehdr.e_shnum, sizeof(struct section));
6483 @@ -282,7 +315,7 @@ static void read_shdrs(FILE *fp)
6484
6485 static void read_strtabs(FILE *fp)
6486 {
6487 - int i;
6488 + unsigned int i;
6489 for (i = 0; i < ehdr.e_shnum; i++) {
6490 struct section *sec = &secs[i];
6491 if (sec->shdr.sh_type != SHT_STRTAB) {
6492 @@ -307,7 +340,7 @@ static void read_strtabs(FILE *fp)
6493
6494 static void read_symtabs(FILE *fp)
6495 {
6496 - int i,j;
6497 + unsigned int i,j;
6498 for (i = 0; i < ehdr.e_shnum; i++) {
6499 struct section *sec = &secs[i];
6500 if (sec->shdr.sh_type != SHT_SYMTAB) {
6501 @@ -340,7 +373,9 @@ static void read_symtabs(FILE *fp)
6502
6503 static void read_relocs(FILE *fp)
6504 {
6505 - int i,j;
6506 + unsigned int i,j;
6507 + uint32_t base;
6508 +
6509 for (i = 0; i < ehdr.e_shnum; i++) {
6510 struct section *sec = &secs[i];
6511 if (sec->shdr.sh_type != SHT_REL) {
6512 @@ -360,9 +395,18 @@ static void read_relocs(FILE *fp)
6513 die("Cannot read symbol table: %s\n",
6514 strerror(errno));
6515 }
6516 + base = 0;
6517 + for (j = 0; j < ehdr.e_phnum; j++) {
6518 + if (phdr[j].p_type != PT_LOAD )
6519 + continue;
6520 + if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
6521 + continue;
6522 + base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
6523 + break;
6524 + }
6525 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
6526 Elf32_Rel *rel = &sec->reltab[j];
6527 - rel->r_offset = elf32_to_cpu(rel->r_offset);
6528 + rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
6529 rel->r_info = elf32_to_cpu(rel->r_info);
6530 }
6531 }
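Review bot: When no PT_LOAD segment contains the target section, `base` silently stays 0 and `r_offset` is left unadjusted, and the loop gives no sign of whether that is intended. The condition also evaluates `secs[sec->shdr.sh_info]` twice on one over-long line, and `phdr[j].p_offset + phdr[j].p_filesz` is a 32-bit sum that can wrap for a malformed header. I would hoist `Elf32_Off off = secs[sec->shdr.sh_info].shdr.sh_offset;` before the loop, use `off - phdr[j].p_offset >= phdr[j].p_filesz` after the lower-bound test, and add `/* sections outside every PT_LOAD keep base 0 */` if that fallback is deliberate. read_relocs's body starts and ends outside the hunk.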
6532 @@ -371,14 +415,14 @@ static void read_relocs(FILE *fp)
6533
6534 static void print_absolute_symbols(void)
6535 {
6536 - int i;
6537 + unsigned int i;
6538 printf("Absolute symbols\n");
6539 printf(" Num: Value Size Type Bind Visibility Name\n");
6540 for (i = 0; i < ehdr.e_shnum; i++) {
6541 struct section *sec = &secs[i];
6542 char *sym_strtab;
6543 Elf32_Sym *sh_symtab;
6544 - int j;
6545 + unsigned int j;
6546
6547 if (sec->shdr.sh_type != SHT_SYMTAB) {
6548 continue;
6549 @@ -406,14 +450,14 @@ static void print_absolute_symbols(void)
6550
6551 static void print_absolute_relocs(void)
6552 {
6553 - int i, printed = 0;
6554 + unsigned int i, printed = 0;
6555
6556 for (i = 0; i < ehdr.e_shnum; i++) {
6557 struct section *sec = &secs[i];
6558 struct section *sec_applies, *sec_symtab;
6559 char *sym_strtab;
6560 Elf32_Sym *sh_symtab;
6561 - int j;
6562 + unsigned int j;
6563 if (sec->shdr.sh_type != SHT_REL) {
6564 continue;
6565 }
6566 @@ -474,13 +518,13 @@ static void print_absolute_relocs(void)
6567
6568 static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
6569 {
6570 - int i;
6571 + unsigned int i;
6572 /* Walk through the relocations */
6573 for (i = 0; i < ehdr.e_shnum; i++) {
6574 char *sym_strtab;
6575 Elf32_Sym *sh_symtab;
6576 struct section *sec_applies, *sec_symtab;
6577 - int j;
6578 + unsigned int j;
6579 struct section *sec = &secs[i];
6580
6581 if (sec->shdr.sh_type != SHT_REL) {
6582 @@ -504,6 +548,21 @@ static void walk_relocs(void (*visit)(El
6583 if (sym->st_shndx == SHN_ABS) {
6584 continue;
6585 }
6586 + /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
6587 + if (!strcmp(sec_name(sym->st_shndx), ".data.percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
6588 + continue;
6589 +
6590 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
6591 + /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
6592 + if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
6593 + continue;
6594 + if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
6595 + continue;
6596 + if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
6597 + continue;
6598 + if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
6599 + continue;
6600 +#endif
6601 if (r_type == R_386_NONE || r_type == R_386_PC32) {
6602 /*
6603 * NONE can be ignored and and PC relative
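Review bot: The added skip conditions mix `!strcmp(...)` and bare `strcmp(...)` inside one expression, so it takes a careful read to see that `.module.text` skips only `_etext`, while `.text` skips everything except `__LOAD_PHYSICAL_ADDR` and `.data.percpu` everything except `__per_cpu_load`. The two one-line comments do not explain those exceptions. Hoisting `const char *secname = sec_name(sym->st_shndx);` and writing the tests as `== 0` / `!= 0` with a short comment per exception would make it much easier to check which symbols stay relocated. walk_relocs's body starts and ends outside the hunk.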
6604 @@ -541,7 +600,7 @@ static int cmp_relocs(const void *va, co
6605
6606 static void emit_relocs(int as_text)
6607 {
6608 - int i;
6609 + unsigned int i;
6610 /* Count how many relocations I have and allocate space for them. */
6611 reloc_count = 0;
6612 walk_relocs(count_reloc);
6613 @@ -634,6 +693,7 @@ int main(int argc, char **argv)
6614 fname, strerror(errno));
6615 }
6616 read_ehdr(fp);
6617 + read_phdrs(fp);
6618 read_shdrs(fp);
6619 read_strtabs(fp);
6620 read_symtabs(fp);
6621 diff -urNp linux-2.6.32.49/arch/x86/boot/cpucheck.c linux-2.6.32.49/arch/x86/boot/cpucheck.c
6622 --- linux-2.6.32.49/arch/x86/boot/cpucheck.c 2011-11-08 19:02:43.000000000 -0500
6623 +++ linux-2.6.32.49/arch/x86/boot/cpucheck.c 2011-11-15 19:59:42.000000000 -0500
6624 @@ -74,7 +74,7 @@ static int has_fpu(void)
6625 u16 fcw = -1, fsw = -1;
6626 u32 cr0;
6627
6628 - asm("movl %%cr0,%0" : "=r" (cr0));
6629 + asm volatile("movl %%cr0,%0" : "=r" (cr0));
6630 if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
6631 cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
6632 asm volatile("movl %0,%%cr0" : : "r" (cr0));
6633 @@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
6634 {
6635 u32 f0, f1;
6636
6637 - asm("pushfl ; "
6638 + asm volatile("pushfl ; "
6639 "pushfl ; "
6640 "popl %0 ; "
6641 "movl %0,%1 ; "
6642 @@ -115,7 +115,7 @@ static void get_flags(void)
6643 set_bit(X86_FEATURE_FPU, cpu.flags);
6644
6645 if (has_eflag(X86_EFLAGS_ID)) {
6646 - asm("cpuid"
6647 + asm volatile("cpuid"
6648 : "=a" (max_intel_level),
6649 "=b" (cpu_vendor[0]),
6650 "=d" (cpu_vendor[1]),
6651 @@ -124,7 +124,7 @@ static void get_flags(void)
6652
6653 if (max_intel_level >= 0x00000001 &&
6654 max_intel_level <= 0x0000ffff) {
6655 - asm("cpuid"
6656 + asm volatile("cpuid"
6657 : "=a" (tfms),
6658 "=c" (cpu.flags[4]),
6659 "=d" (cpu.flags[0])
6660 @@ -136,7 +136,7 @@ static void get_flags(void)
6661 cpu.model += ((tfms >> 16) & 0xf) << 4;
6662 }
6663
6664 - asm("cpuid"
6665 + asm volatile("cpuid"
6666 : "=a" (max_amd_level)
6667 : "a" (0x80000000)
6668 : "ebx", "ecx", "edx");
6669 @@ -144,7 +144,7 @@ static void get_flags(void)
6670 if (max_amd_level >= 0x80000001 &&
6671 max_amd_level <= 0x8000ffff) {
6672 u32 eax = 0x80000001;
6673 - asm("cpuid"
6674 + asm volatile("cpuid"
6675 : "+a" (eax),
6676 "=c" (cpu.flags[6]),
6677 "=d" (cpu.flags[1])
6678 @@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r
6679 u32 ecx = MSR_K7_HWCR;
6680 u32 eax, edx;
6681
6682 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6683 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6684 eax &= ~(1 << 15);
6685 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6686 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6687
6688 get_flags(); /* Make sure it really did something */
6689 err = check_flags();
6690 @@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r
6691 u32 ecx = MSR_VIA_FCR;
6692 u32 eax, edx;
6693
6694 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6695 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6696 eax |= (1<<1)|(1<<7);
6697 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6698 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6699
6700 set_bit(X86_FEATURE_CX8, cpu.flags);
6701 err = check_flags();
6702 @@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r
6703 u32 eax, edx;
6704 u32 level = 1;
6705
6706 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6707 - asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
6708 - asm("cpuid"
6709 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6710 + asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
6711 + asm volatile("cpuid"
6712 : "+a" (level), "=d" (cpu.flags[0])
6713 : : "ecx", "ebx");
6714 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6715 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6716
6717 err = check_flags();
6718 }
6719 diff -urNp linux-2.6.32.49/arch/x86/boot/header.S linux-2.6.32.49/arch/x86/boot/header.S
6720 --- linux-2.6.32.49/arch/x86/boot/header.S 2011-11-08 19:02:43.000000000 -0500
6721 +++ linux-2.6.32.49/arch/x86/boot/header.S 2011-11-15 19:59:42.000000000 -0500
6722 @@ -224,7 +224,7 @@ setup_data: .quad 0 # 64-bit physical
6723 # single linked list of
6724 # struct setup_data
6725
6726 -pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
6727 +pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
6728
6729 #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
6730 #define VO_INIT_SIZE (VO__end - VO__text)
6731 diff -urNp linux-2.6.32.49/arch/x86/boot/Makefile linux-2.6.32.49/arch/x86/boot/Makefile
6732 --- linux-2.6.32.49/arch/x86/boot/Makefile 2011-11-08 19:02:43.000000000 -0500
6733 +++ linux-2.6.32.49/arch/x86/boot/Makefile 2011-11-15 19:59:42.000000000 -0500
6734 @@ -69,6 +69,9 @@ KBUILD_CFLAGS := $(LINUXINCLUDE) -g -Os
6735 $(call cc-option, -fno-stack-protector) \
6736 $(call cc-option, -mpreferred-stack-boundary=2)
6737 KBUILD_CFLAGS += $(call cc-option, -m32)
6738 +ifdef CONSTIFY_PLUGIN
6739 +KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
6740 +endif
6741 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
6742 GCOV_PROFILE := n
6743
6744 diff -urNp linux-2.6.32.49/arch/x86/boot/memory.c linux-2.6.32.49/arch/x86/boot/memory.c
6745 --- linux-2.6.32.49/arch/x86/boot/memory.c 2011-11-08 19:02:43.000000000 -0500
6746 +++ linux-2.6.32.49/arch/x86/boot/memory.c 2011-11-15 19:59:42.000000000 -0500
6747 @@ -19,7 +19,7 @@
6748
6749 static int detect_memory_e820(void)
6750 {
6751 - int count = 0;
6752 + unsigned int count = 0;
6753 struct biosregs ireg, oreg;
6754 struct e820entry *desc = boot_params.e820_map;
6755 static struct e820entry buf; /* static so it is zeroed */
6756 diff -urNp linux-2.6.32.49/arch/x86/boot/video.c linux-2.6.32.49/arch/x86/boot/video.c
6757 --- linux-2.6.32.49/arch/x86/boot/video.c 2011-11-08 19:02:43.000000000 -0500
6758 +++ linux-2.6.32.49/arch/x86/boot/video.c 2011-11-15 19:59:42.000000000 -0500
6759 @@ -90,7 +90,7 @@ static void store_mode_params(void)
6760 static unsigned int get_entry(void)
6761 {
6762 char entry_buf[4];
6763 - int i, len = 0;
6764 + unsigned int i, len = 0;
6765 int key;
6766 unsigned int v;
6767
6768 diff -urNp linux-2.6.32.49/arch/x86/boot/video-vesa.c linux-2.6.32.49/arch/x86/boot/video-vesa.c
6769 --- linux-2.6.32.49/arch/x86/boot/video-vesa.c 2011-11-08 19:02:43.000000000 -0500
6770 +++ linux-2.6.32.49/arch/x86/boot/video-vesa.c 2011-11-15 19:59:42.000000000 -0500
6771 @@ -200,6 +200,7 @@ static void vesa_store_pm_info(void)
6772
6773 boot_params.screen_info.vesapm_seg = oreg.es;
6774 boot_params.screen_info.vesapm_off = oreg.di;
6775 + boot_params.screen_info.vesapm_size = oreg.cx;
6776 }
6777
6778 /*
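Review bot: `vesapm_size` is filled from `oreg.cx` with no range check in the added line, so whatever the firmware call left in CX ends up in `boot_params.screen_info` as a length. The call that produces `oreg` is outside the hunk, so this is inferred, but a length that originates in the BIOS should be treated as untrusted by whatever code later uses it to size a mapping or a copy. A short comment on the new line would make that contract explicit, e.g. `/* length as reported by the BIOS; consumers must bound it */`.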
6779 diff -urNp linux-2.6.32.49/arch/x86/crypto/aes-x86_64-asm_64.S linux-2.6.32.49/arch/x86/crypto/aes-x86_64-asm_64.S
6780 --- linux-2.6.32.49/arch/x86/crypto/aes-x86_64-asm_64.S 2011-11-08 19:02:43.000000000 -0500
6781 +++ linux-2.6.32.49/arch/x86/crypto/aes-x86_64-asm_64.S 2011-11-15 19:59:42.000000000 -0500
6782 @@ -8,6 +8,8 @@
6783 * including this sentence is retained in full.
6784 */
6785
6786 +#include <asm/alternative-asm.h>
6787 +
6788 .extern crypto_ft_tab
6789 .extern crypto_it_tab
6790 .extern crypto_fl_tab
6791 @@ -71,6 +73,8 @@ FUNC: movq r1,r2; \
6792 je B192; \
6793 leaq 32(r9),r9;
6794
6795 +#define ret pax_force_retaddr; ret
6796 +
6797 #define epilogue(r1,r2,r3,r4,r5,r6,r7,r8,r9) \
6798 movq r1,r2; \
6799 movq r3,r4; \
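Review bot: `#define ret pax_force_retaddr; ret` redefines an instruction mnemonic for the rest of the file with no comment and no `#undef`, while the salsa20 and twofish files in this same patch insert `pax_force_retaddr` explicitly before each `ret`. The implicit form hides the extra instruction from anyone reading a return site and silently applies to every `ret` added later. Either use the explicit form here too, or add a comment on the define such as `/* every ret below is preceded by pax_force_retaddr */`.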
6800 diff -urNp linux-2.6.32.49/arch/x86/crypto/salsa20-x86_64-asm_64.S linux-2.6.32.49/arch/x86/crypto/salsa20-x86_64-asm_64.S
6801 --- linux-2.6.32.49/arch/x86/crypto/salsa20-x86_64-asm_64.S 2011-11-08 19:02:43.000000000 -0500
6802 +++ linux-2.6.32.49/arch/x86/crypto/salsa20-x86_64-asm_64.S 2011-11-15 19:59:42.000000000 -0500
6803 @@ -1,3 +1,5 @@
6804 +#include <asm/alternative-asm.h>
6805 +
6806 # enter ECRYPT_encrypt_bytes
6807 .text
6808 .p2align 5
6809 @@ -790,6 +792,7 @@ ECRYPT_encrypt_bytes:
6810 add %r11,%rsp
6811 mov %rdi,%rax
6812 mov %rsi,%rdx
6813 + pax_force_retaddr
6814 ret
6815 # bytesatleast65:
6816 ._bytesatleast65:
6817 @@ -891,6 +894,7 @@ ECRYPT_keysetup:
6818 add %r11,%rsp
6819 mov %rdi,%rax
6820 mov %rsi,%rdx
6821 + pax_force_retaddr
6822 ret
6823 # enter ECRYPT_ivsetup
6824 .text
6825 @@ -917,4 +921,5 @@ ECRYPT_ivsetup:
6826 add %r11,%rsp
6827 mov %rdi,%rax
6828 mov %rsi,%rdx
6829 + pax_force_retaddr
6830 ret
6831 diff -urNp linux-2.6.32.49/arch/x86/crypto/twofish-x86_64-asm_64.S linux-2.6.32.49/arch/x86/crypto/twofish-x86_64-asm_64.S
6832 --- linux-2.6.32.49/arch/x86/crypto/twofish-x86_64-asm_64.S 2011-11-08 19:02:43.000000000 -0500
6833 +++ linux-2.6.32.49/arch/x86/crypto/twofish-x86_64-asm_64.S 2011-11-15 19:59:42.000000000 -0500
6834 @@ -21,6 +21,7 @@
6835 .text
6836
6837 #include <asm/asm-offsets.h>
6838 +#include <asm/alternative-asm.h>
6839
6840 #define a_offset 0
6841 #define b_offset 4
6842 @@ -269,6 +270,7 @@ twofish_enc_blk:
6843
6844 popq R1
6845 movq $1,%rax
6846 + pax_force_retaddr
6847 ret
6848
6849 twofish_dec_blk:
6850 @@ -321,4 +323,5 @@ twofish_dec_blk:
6851
6852 popq R1
6853 movq $1,%rax
6854 + pax_force_retaddr
6855 ret
6856 diff -urNp linux-2.6.32.49/arch/x86/ia32/ia32_aout.c linux-2.6.32.49/arch/x86/ia32/ia32_aout.c
6857 --- linux-2.6.32.49/arch/x86/ia32/ia32_aout.c 2011-11-08 19:02:43.000000000 -0500
6858 +++ linux-2.6.32.49/arch/x86/ia32/ia32_aout.c 2011-11-15 19:59:42.000000000 -0500
6859 @@ -169,6 +169,8 @@ static int aout_core_dump(long signr, st
6860 unsigned long dump_start, dump_size;
6861 struct user32 dump;
6862
6863 + memset(&dump, 0, sizeof(dump));
6864 +
6865 fs = get_fs();
6866 set_fs(KERNEL_DS);
6867 has_dumped = 1;
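Review bot: The added `memset(&dump, 0, sizeof(dump));` has no comment, and its purpose is easy to lose in a later cleanup. `dump` is an on-stack `struct user32` in a core-dump routine and is presumably written to the core file; the code that fills and writes it is outside the hunk. Without the clear, padding and any field the function does not set would carry stale kernel stack bytes into that file. I would add `/* zero padding and unset fields: this struct is written to the core file */` above the call.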
6868 @@ -218,12 +220,6 @@ static int aout_core_dump(long signr, st
6869 dump_size = dump.u_ssize << PAGE_SHIFT;
6870 DUMP_WRITE(dump_start, dump_size);
6871 }
6872 - /*
6873 - * Finally dump the task struct. Not be used by gdb, but
6874 - * could be useful
6875 - */
6876 - set_fs(KERNEL_DS);
6877 - DUMP_WRITE(current, sizeof(*current));
6878 end_coredump:
6879 set_fs(fs);
6880 return has_dumped;
6881 diff -urNp linux-2.6.32.49/arch/x86/ia32/ia32entry.S linux-2.6.32.49/arch/x86/ia32/ia32entry.S
6882 --- linux-2.6.32.49/arch/x86/ia32/ia32entry.S 2011-11-08 19:02:43.000000000 -0500
6883 +++ linux-2.6.32.49/arch/x86/ia32/ia32entry.S 2011-11-18 18:01:52.000000000 -0500
6884 @@ -13,7 +13,9 @@
6885 #include <asm/thread_info.h>
6886 #include <asm/segment.h>
6887 #include <asm/irqflags.h>
6888 +#include <asm/pgtable.h>
6889 #include <linux/linkage.h>
6890 +#include <asm/alternative-asm.h>
6891
6892 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
6893 #include <linux/elf-em.h>
6894 @@ -93,6 +95,29 @@ ENTRY(native_irq_enable_sysexit)
6895 ENDPROC(native_irq_enable_sysexit)
6896 #endif
6897
6898 + .macro pax_enter_kernel_user
6899 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6900 + call pax_enter_kernel_user
6901 +#endif
6902 + .endm
6903 +
6904 + .macro pax_exit_kernel_user
6905 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6906 + call pax_exit_kernel_user
6907 +#endif
6908 +#ifdef CONFIG_PAX_RANDKSTACK
6909 + pushq %rax
6910 + call pax_randomize_kstack
6911 + popq %rax
6912 +#endif
6913 + .endm
6914 +
6915 +.macro pax_erase_kstack
6916 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
6917 + call pax_erase_kstack
6918 +#endif
6919 +.endm
6920 +
6921 /*
6922 * 32bit SYSENTER instruction entry.
6923 *
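Review bot: The three new macros are undocumented and each has the same name as the function it calls, so `call pax_erase_kstack` inside `.macro pax_erase_kstack` reads as recursion unless the reader knows the assembler only expands a macro in opcode position. `pax_exit_kernel_user` also saves and restores `%rax` around `pax_randomize_kstack` but not around `call pax_exit_kernel_user`, which suggests the latter preserves registers itself; that contract is not visible here and deserves a comment. In addition, `.macro pax_erase_kstack` / `.endm` sit at column 0 while the other two are indented, so pick one form. A one-line comment per macro, e.g. `/* calls pax_erase_kstack when CONFIG_PAX_MEMORY_STACKLEAK is set, otherwise empty */`, would cover it.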
6924 @@ -119,7 +144,7 @@ ENTRY(ia32_sysenter_target)
6925 CFI_REGISTER rsp,rbp
6926 SWAPGS_UNSAFE_STACK
6927 movq PER_CPU_VAR(kernel_stack), %rsp
6928 - addq $(KERNEL_STACK_OFFSET),%rsp
6929 + pax_enter_kernel_user
6930 /*
6931 * No need to follow this irqs on/off section: the syscall
6932 * disabled irqs, here we enable it straight after entry:
6933 @@ -135,7 +160,8 @@ ENTRY(ia32_sysenter_target)
6934 pushfq
6935 CFI_ADJUST_CFA_OFFSET 8
6936 /*CFI_REL_OFFSET rflags,0*/
6937 - movl 8*3-THREAD_SIZE+TI_sysenter_return(%rsp), %r10d
6938 + GET_THREAD_INFO(%r10)
6939 + movl TI_sysenter_return(%r10), %r10d
6940 CFI_REGISTER rip,r10
6941 pushq $__USER32_CS
6942 CFI_ADJUST_CFA_OFFSET 8
6943 @@ -150,6 +176,12 @@ ENTRY(ia32_sysenter_target)
6944 SAVE_ARGS 0,0,1
6945 /* no need to do an access_ok check here because rbp has been
6946 32bit zero extended */
6947 +
6948 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6949 + mov $PAX_USER_SHADOW_BASE,%r10
6950 + add %r10,%rbp
6951 +#endif
6952 +
6953 1: movl (%rbp),%ebp
6954 .section __ex_table,"a"
6955 .quad 1b,ia32_badarg
6956 @@ -172,6 +204,8 @@ sysenter_dispatch:
6957 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6958 jnz sysexit_audit
6959 sysexit_from_sys_call:
6960 + pax_exit_kernel_user
6961 + pax_erase_kstack
6962 andl $~TS_COMPAT,TI_status(%r10)
6963 /* clear IF, that popfq doesn't enable interrupts early */
6964 andl $~0x200,EFLAGS-R11(%rsp)
6965 @@ -200,6 +234,9 @@ sysexit_from_sys_call:
6966 movl %eax,%esi /* 2nd arg: syscall number */
6967 movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */
6968 call audit_syscall_entry
6969 +
6970 + pax_erase_kstack
6971 +
6972 movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */
6973 cmpq $(IA32_NR_syscalls-1),%rax
6974 ja ia32_badsys
6975 @@ -252,6 +289,9 @@ sysenter_tracesys:
6976 movq $-ENOSYS,RAX(%rsp)/* ptrace can change this for a bad syscall */
6977 movq %rsp,%rdi /* &pt_regs -> arg1 */
6978 call syscall_trace_enter
6979 +
6980 + pax_erase_kstack
6981 +
6982 LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
6983 RESTORE_REST
6984 cmpq $(IA32_NR_syscalls-1),%rax
6985 @@ -283,19 +323,24 @@ ENDPROC(ia32_sysenter_target)
6986 ENTRY(ia32_cstar_target)
6987 CFI_STARTPROC32 simple
6988 CFI_SIGNAL_FRAME
6989 - CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET
6990 + CFI_DEF_CFA rsp,0
6991 CFI_REGISTER rip,rcx
6992 /*CFI_REGISTER rflags,r11*/
6993 SWAPGS_UNSAFE_STACK
6994 movl %esp,%r8d
6995 CFI_REGISTER rsp,r8
6996 movq PER_CPU_VAR(kernel_stack),%rsp
6997 +
6998 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6999 + pax_enter_kernel_user
7000 +#endif
7001 +
7002 /*
7003 * No need to follow this irqs on/off section: the syscall
7004 * disabled irqs and here we enable it straight after entry:
7005 */
7006 ENABLE_INTERRUPTS(CLBR_NONE)
7007 - SAVE_ARGS 8,1,1
7008 + SAVE_ARGS 8*6,1,1
7009 movl %eax,%eax /* zero extension */
7010 movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
7011 movq %rcx,RIP-ARGOFFSET(%rsp)
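Review bot: The `#ifdef CONFIG_PAX_MEMORY_UDEREF` around `pax_enter_kernel_user` in this hunk is redundant, because the macro body added earlier in this file is already wrapped in the same `#ifdef`, and the other two call sites (ia32_sysenter_target and ia32_syscall) invoke it bare. Drop the guard so the three entry paths read the same. Separately, `CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET` becoming `rsp,0` and `SAVE_ARGS 8,1,1` becoming `SAVE_ARGS 8*6,1,1` change the assumed stack layout with no comment. They presumably pair with a change to what `PER_CPU_VAR(kernel_stack)` holds, which is not visible here, so a comment stating the new offset would help.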
7012 @@ -311,6 +356,12 @@ ENTRY(ia32_cstar_target)
7013 /* no need to do an access_ok check here because r8 has been
7014 32bit zero extended */
7015 /* hardware stack frame is complete now */
7016 +
7017 +#ifdef CONFIG_PAX_MEMORY_UDEREF
7018 + mov $PAX_USER_SHADOW_BASE,%r10
7019 + add %r10,%r8
7020 +#endif
7021 +
7022 1: movl (%r8),%r9d
7023 .section __ex_table,"a"
7024 .quad 1b,ia32_badarg
7025 @@ -333,6 +384,8 @@ cstar_dispatch:
7026 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
7027 jnz sysretl_audit
7028 sysretl_from_sys_call:
7029 + pax_exit_kernel_user
7030 + pax_erase_kstack
7031 andl $~TS_COMPAT,TI_status(%r10)
7032 RESTORE_ARGS 1,-ARG_SKIP,1,1,1
7033 movl RIP-ARGOFFSET(%rsp),%ecx
7034 @@ -370,6 +423,9 @@ cstar_tracesys:
7035 movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
7036 movq %rsp,%rdi /* &pt_regs -> arg1 */
7037 call syscall_trace_enter
7038 +
7039 + pax_erase_kstack
7040 +
7041 LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */
7042 RESTORE_REST
7043 xchgl %ebp,%r9d
7044 @@ -415,6 +471,7 @@ ENTRY(ia32_syscall)
7045 CFI_REL_OFFSET rip,RIP-RIP
7046 PARAVIRT_ADJUST_EXCEPTION_FRAME
7047 SWAPGS
7048 + pax_enter_kernel_user
7049 /*
7050 * No need to follow this irqs on/off section: the syscall
7051 * disabled irqs and here we enable it straight after entry:
7052 @@ -448,6 +505,9 @@ ia32_tracesys:
7053 movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
7054 movq %rsp,%rdi /* &pt_regs -> arg1 */
7055 call syscall_trace_enter
7056 +
7057 + pax_erase_kstack
7058 +
7059 LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
7060 RESTORE_REST
7061 cmpq $(IA32_NR_syscalls-1),%rax
7062 @@ -462,6 +522,7 @@ ia32_badsys:
7063
7064 quiet_ni_syscall:
7065 movq $-ENOSYS,%rax
7066 + pax_force_retaddr
7067 ret
7068 CFI_ENDPROC
7069
7070 diff -urNp linux-2.6.32.49/arch/x86/ia32/ia32_signal.c linux-2.6.32.49/arch/x86/ia32/ia32_signal.c
7071 --- linux-2.6.32.49/arch/x86/ia32/ia32_signal.c 2011-11-08 19:02:43.000000000 -0500
7072 +++ linux-2.6.32.49/arch/x86/ia32/ia32_signal.c 2011-11-15 19:59:42.000000000 -0500
7073 @@ -167,7 +167,7 @@ asmlinkage long sys32_sigaltstack(const
7074 }
7075 seg = get_fs();
7076 set_fs(KERNEL_DS);
7077 - ret = do_sigaltstack(uss_ptr ? &uss : NULL, &uoss, regs->sp);
7078 + ret = do_sigaltstack(uss_ptr ? (const stack_t __force_user *)&uss : NULL, (stack_t __force_user *)&uoss, regs->sp);
7079 set_fs(seg);
7080 if (ret >= 0 && uoss_ptr) {
7081 if (!access_ok(VERIFY_WRITE, uoss_ptr, sizeof(stack_ia32_t)))
7082 @@ -374,7 +374,7 @@ static int ia32_setup_sigcontext(struct
7083 */
7084 static void __user *get_sigframe(struct k_sigaction *ka, struct pt_regs *regs,
7085 size_t frame_size,
7086 - void **fpstate)
7087 + void __user **fpstate)
7088 {
7089 unsigned long sp;
7090
7091 @@ -395,7 +395,7 @@ static void __user *get_sigframe(struct
7092
7093 if (used_math()) {
7094 sp = sp - sig_xstate_ia32_size;
7095 - *fpstate = (struct _fpstate_ia32 *) sp;
7096 + *fpstate = (struct _fpstate_ia32 __user *) sp;
7097 if (save_i387_xstate_ia32(*fpstate) < 0)
7098 return (void __user *) -1L;
7099 }
7100 @@ -403,7 +403,7 @@ static void __user *get_sigframe(struct
7101 sp -= frame_size;
7102 /* Align the stack pointer according to the i386 ABI,
7103 * i.e. so that on function entry ((sp + 4) & 15) == 0. */
7104 - sp = ((sp + 4) & -16ul) - 4;
7105 + sp = ((sp - 12) & -16ul) - 4;
7106 return (void __user *) sp;
7107 }
7108
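Review bot: The alignment expression changes from `((sp + 4) & -16ul) - 4` to `((sp - 12) & -16ul) - 4`, but the comment above it is unchanged and both forms satisfy the `((sp + 4) & 15) == 0` it describes. Since `sp - 12` is `(sp + 4) - 16`, the new form always places the frame exactly 16 bytes lower than before, and nothing in the hunk says why that extra slack is wanted. Extend the comment with the reason, e.g. `/* ...; the frame sits a further 16 bytes down because <reason> */`. get_sigframe starts outside the hunk.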
7109 @@ -461,7 +461,7 @@ int ia32_setup_frame(int sig, struct k_s
7110 * These are actually not used anymore, but left because some
7111 * gdb versions depend on them as a marker.
7112 */
7113 - put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
7114 + put_user_ex(*((const u64 *)&code), (u64 __user *)frame->retcode);
7115 } put_user_catch(err);
7116
7117 if (err)
7118 @@ -503,7 +503,7 @@ int ia32_setup_rt_frame(int sig, struct
7119 0xb8,
7120 __NR_ia32_rt_sigreturn,
7121 0x80cd,
7122 - 0,
7123 + 0
7124 };
7125
7126 frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate);
7127 @@ -533,16 +533,18 @@ int ia32_setup_rt_frame(int sig, struct
7128
7129 if (ka->sa.sa_flags & SA_RESTORER)
7130 restorer = ka->sa.sa_restorer;
7131 + else if (current->mm->context.vdso)
7132 + /* Return stub is in 32bit vsyscall page */
7133 + restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
7134 else
7135 - restorer = VDSO32_SYMBOL(current->mm->context.vdso,
7136 - rt_sigreturn);
7137 + restorer = &frame->retcode;
7138 put_user_ex(ptr_to_compat(restorer), &frame->pretcode);
7139
7140 /*
7141 * Not actually used anymore, but left because some gdb
7142 * versions need it.
7143 */
7144 - put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
7145 + put_user_ex(*((const u64 *)&code), (u64 __user *)frame->retcode);
7146 } put_user_catch(err);
7147
7148 if (err)
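Review bot: The new `else restorer = &frame->retcode;` branch makes the on-stack trampoline a live return path when `current->mm->context.vdso` is NULL, yet the comment a few lines below still says the retcode is "Not actually used anymore". That fallback only works if the signal stack is executable, so on a task with a non-executable stack and no vDSO the handler return would fault; whether that combination can occur is not visible from this hunk. Update the comment to say when retcode is used, and consider whether failing the frame setup is preferable to returning into the stack. The comment could read `/* Used as the restorer when there is neither SA_RESTORER nor a vDSO; also kept as a gdb marker. */`. ia32_setup_rt_frame starts and ends outside the hunk.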
7149 diff -urNp linux-2.6.32.49/arch/x86/ia32/sys_ia32.c linux-2.6.32.49/arch/x86/ia32/sys_ia32.c
7150 --- linux-2.6.32.49/arch/x86/ia32/sys_ia32.c 2011-11-08 19:02:43.000000000 -0500
7151 +++ linux-2.6.32.49/arch/x86/ia32/sys_ia32.c 2011-11-15 19:59:42.000000000 -0500
7152 @@ -69,8 +69,8 @@ asmlinkage long sys32_ftruncate64(unsign
7153 */
7154 static int cp_stat64(struct stat64 __user *ubuf, struct kstat *stat)
7155 {
7156 - typeof(ubuf->st_uid) uid = 0;
7157 - typeof(ubuf->st_gid) gid = 0;
7158 + typeof(((struct stat64 *)0)->st_uid) uid = 0;
7159 + typeof(((struct stat64 *)0)->st_gid) gid = 0;
7160 SET_UID(uid, stat->uid);
7161 SET_GID(gid, stat->gid);
7162 if (!access_ok(VERIFY_WRITE, ubuf, sizeof(struct stat64)) ||
7163 @@ -308,8 +308,8 @@ asmlinkage long sys32_rt_sigprocmask(int
7164 }
7165 set_fs(KERNEL_DS);
7166 ret = sys_rt_sigprocmask(how,
7167 - set ? (sigset_t __user *)&s : NULL,
7168 - oset ? (sigset_t __user *)&s : NULL,
7169 + set ? (sigset_t __force_user *)&s : NULL,
7170 + oset ? (sigset_t __force_user *)&s : NULL,
7171 sigsetsize);
7172 set_fs(old_fs);
7173 if (ret)
7174 @@ -371,7 +371,7 @@ asmlinkage long sys32_sched_rr_get_inter
7175 mm_segment_t old_fs = get_fs();
7176
7177 set_fs(KERNEL_DS);
7178 - ret = sys_sched_rr_get_interval(pid, (struct timespec __user *)&t);
7179 + ret = sys_sched_rr_get_interval(pid, (struct timespec __force_user *)&t);
7180 set_fs(old_fs);
7181 if (put_compat_timespec(&t, interval))
7182 return -EFAULT;
7183 @@ -387,7 +387,7 @@ asmlinkage long sys32_rt_sigpending(comp
7184 mm_segment_t old_fs = get_fs();
7185
7186 set_fs(KERNEL_DS);
7187 - ret = sys_rt_sigpending((sigset_t __user *)&s, sigsetsize);
7188 + ret = sys_rt_sigpending((sigset_t __force_user *)&s, sigsetsize);
7189 set_fs(old_fs);
7190 if (!ret) {
7191 switch (_NSIG_WORDS) {
7192 @@ -412,7 +412,7 @@ asmlinkage long sys32_rt_sigqueueinfo(in
7193 if (copy_siginfo_from_user32(&info, uinfo))
7194 return -EFAULT;
7195 set_fs(KERNEL_DS);
7196 - ret = sys_rt_sigqueueinfo(pid, sig, (siginfo_t __user *)&info);
7197 + ret = sys_rt_sigqueueinfo(pid, sig, (siginfo_t __force_user *)&info);
7198 set_fs(old_fs);
7199 return ret;
7200 }
7201 @@ -513,7 +513,7 @@ asmlinkage long sys32_sendfile(int out_f
7202 return -EFAULT;
7203
7204 set_fs(KERNEL_DS);
7205 - ret = sys_sendfile(out_fd, in_fd, offset ? (off_t __user *)&of : NULL,
7206 + ret = sys_sendfile(out_fd, in_fd, offset ? (off_t __force_user *)&of : NULL,
7207 count);
7208 set_fs(old_fs);
7209
7210 diff -urNp linux-2.6.32.49/arch/x86/include/asm/alternative-asm.h linux-2.6.32.49/arch/x86/include/asm/alternative-asm.h
7211 --- linux-2.6.32.49/arch/x86/include/asm/alternative-asm.h 2011-11-08 19:02:43.000000000 -0500
7212 +++ linux-2.6.32.49/arch/x86/include/asm/alternative-asm.h 2011-11-15 19:59:42.000000000 -0500
7213 @@ -19,4 +19,18 @@
7214 .endm
7215 #endif
7216
7217 +#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
7218 + .macro pax_force_retaddr rip=0
7219 + btsq $63,\rip(%rsp)
7220 + .endm
7221 + .macro pax_force_fptr ptr
7222 + btsq $63,\ptr
7223 + .endm
7224 +#else
7225 + .macro pax_force_retaddr rip=0
7226 + .endm
7227 + .macro pax_force_fptr ptr
7228 + .endm
7229 +#endif
7230 +
7231 #endif /* __ASSEMBLY__ */
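Review bot: `pax_force_retaddr` and `pax_force_fptr` are added without any comment, although they are used from many assembly files in this patch. From the bodies, the first sets bit 63 of the quadword at `\rip(%rsp)` and the second sets bit 63 of its operand, and both expand to nothing when `CONFIG_PAX_KERNEXEC_PLUGIN` is off. A short header comment should state that, and that `rip` is the byte offset of the return address from `%rsp` (default 0, i.e. immediately before `ret`). It should also note that `btsq` modifies CF, so the macros must not be placed between a flag-setting instruction and the instruction that consumes the flag.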
7232 diff -urNp linux-2.6.32.49/arch/x86/include/asm/alternative.h linux-2.6.32.49/arch/x86/include/asm/alternative.h
7233 --- linux-2.6.32.49/arch/x86/include/asm/alternative.h 2011-11-08 19:02:43.000000000 -0500
7234 +++ linux-2.6.32.49/arch/x86/include/asm/alternative.h 2011-11-15 19:59:42.000000000 -0500
7235 @@ -85,7 +85,7 @@ static inline void alternatives_smp_swit
7236 " .byte 662b-661b\n" /* sourcelen */ \
7237 " .byte 664f-663f\n" /* replacementlen */ \
7238 ".previous\n" \
7239 - ".section .altinstr_replacement, \"ax\"\n" \
7240 + ".section .altinstr_replacement, \"a\"\n" \
7241 "663:\n\t" newinstr "\n664:\n" /* replacement */ \
7242 ".previous"
7243
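Review bot: Changing the section flags from `"ax"` to `"a"` here only covers the `alternative()` macro in this header; any other declaration of `.altinstr_replacement` (assembly files, other headers) is not visible in this hunk and has to use the same flags, otherwise the assembler will complain about changed section attributes. The reason for dropping the executable flag is also not stated. A comment next to the directive would help, e.g. `/* "a", not "ax": replacement bytes are copied over the original site, never executed in place */`.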
7244 diff -urNp linux-2.6.32.49/arch/x86/include/asm/apic.h linux-2.6.32.49/arch/x86/include/asm/apic.h
7245 --- linux-2.6.32.49/arch/x86/include/asm/apic.h 2011-11-08 19:02:43.000000000 -0500
7246 +++ linux-2.6.32.49/arch/x86/include/asm/apic.h 2011-11-15 19:59:42.000000000 -0500
7247 @@ -46,7 +46,7 @@ static inline void generic_apic_probe(vo
7248
7249 #ifdef CONFIG_X86_LOCAL_APIC
7250
7251 -extern unsigned int apic_verbosity;
7252 +extern int apic_verbosity;
7253 extern int local_apic_timer_c2_ok;
7254
7255 extern int disable_apic;
7256 diff -urNp linux-2.6.32.49/arch/x86/include/asm/apm.h linux-2.6.32.49/arch/x86/include/asm/apm.h
7257 --- linux-2.6.32.49/arch/x86/include/asm/apm.h 2011-11-08 19:02:43.000000000 -0500
7258 +++ linux-2.6.32.49/arch/x86/include/asm/apm.h 2011-11-15 19:59:42.000000000 -0500
7259 @@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32
7260 __asm__ __volatile__(APM_DO_ZERO_SEGS
7261 "pushl %%edi\n\t"
7262 "pushl %%ebp\n\t"
7263 - "lcall *%%cs:apm_bios_entry\n\t"
7264 + "lcall *%%ss:apm_bios_entry\n\t"
7265 "setc %%al\n\t"
7266 "popl %%ebp\n\t"
7267 "popl %%edi\n\t"
7268 @@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as
7269 __asm__ __volatile__(APM_DO_ZERO_SEGS
7270 "pushl %%edi\n\t"
7271 "pushl %%ebp\n\t"
7272 - "lcall *%%cs:apm_bios_entry\n\t"
7273 + "lcall *%%ss:apm_bios_entry\n\t"
7274 "setc %%bl\n\t"
7275 "popl %%ebp\n\t"
7276 "popl %%edi\n\t"
7277 diff -urNp linux-2.6.32.49/arch/x86/include/asm/atomic_32.h linux-2.6.32.49/arch/x86/include/asm/atomic_32.h
7278 --- linux-2.6.32.49/arch/x86/include/asm/atomic_32.h 2011-11-08 19:02:43.000000000 -0500
7279 +++ linux-2.6.32.49/arch/x86/include/asm/atomic_32.h 2011-11-15 19:59:42.000000000 -0500
7280 @@ -25,6 +25,17 @@ static inline int atomic_read(const atom
7281 }
7282
7283 /**
7284 + * atomic_read_unchecked - read atomic variable
7285 + * @v: pointer of type atomic_unchecked_t
7286 + *
7287 + * Atomically reads the value of @v.
7288 + */
7289 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
7290 +{
7291 + return v->counter;
7292 +}
7293 +
7294 +/**
7295 * atomic_set - set atomic variable
7296 * @v: pointer of type atomic_t
7297 * @i: required value
7298 @@ -37,6 +48,18 @@ static inline void atomic_set(atomic_t *
7299 }
7300
7301 /**
7302 + * atomic_set_unchecked - set atomic variable
7303 + * @v: pointer of type atomic_unchecked_t
7304 + * @i: required value
7305 + *
7306 + * Atomically sets the value of @v to @i.
7307 + */
7308 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
7309 +{
7310 + v->counter = i;
7311 +}
7312 +
7313 +/**
7314 * atomic_add - add integer to atomic variable
7315 * @i: integer value to add
7316 * @v: pointer of type atomic_t
7317 @@ -45,7 +68,29 @@ static inline void atomic_set(atomic_t *
7318 */
7319 static inline void atomic_add(int i, atomic_t *v)
7320 {
7321 - asm volatile(LOCK_PREFIX "addl %1,%0"
7322 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
7323 +
7324 +#ifdef CONFIG_PAX_REFCOUNT
7325 + "jno 0f\n"
7326 + LOCK_PREFIX "subl %1,%0\n"
7327 + "int $4\n0:\n"
7328 + _ASM_EXTABLE(0b, 0b)
7329 +#endif
7330 +
7331 + : "+m" (v->counter)
7332 + : "ir" (i));
7333 +}
7334 +
7335 +/**
7336 + * atomic_add_unchecked - add integer to atomic variable
7337 + * @i: integer value to add
7338 + * @v: pointer of type atomic_unchecked_t
7339 + *
7340 + * Atomically adds @i to @v.
7341 + */
7342 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
7343 +{
7344 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
7345 : "+m" (v->counter)
7346 : "ir" (i));
7347 }
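Review bot: The overflow handling added to `atomic_add` is two separate locked instructions, so between `lock addl` and the undoing `lock subl` other CPUs can observe the wrapped value; the same pattern is used in the atomic_sub, atomic_sub_and_test, atomic_inc, atomic_dec, atomic_dec_and_test and atomic_add_negative hunks below. That window is probably acceptable for a detect-and-trap mechanism, but it should be stated next to the code, together with the fact that `jno` tests signed overflow of the result rather than a drop below zero. Suggested comment above the `#ifdef`: `/* on signed overflow: undo the add, then raise #OF via int $4; the undo is not atomic with the add */`. The kernel-doc for `atomic_add` could also gain a line saying it traps on overflow under CONFIG_PAX_REFCOUNT, which is what distinguishes it from `atomic_add_unchecked`.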
7348 @@ -59,7 +104,29 @@ static inline void atomic_add(int i, ato
7349 */
7350 static inline void atomic_sub(int i, atomic_t *v)
7351 {
7352 - asm volatile(LOCK_PREFIX "subl %1,%0"
7353 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
7354 +
7355 +#ifdef CONFIG_PAX_REFCOUNT
7356 + "jno 0f\n"
7357 + LOCK_PREFIX "addl %1,%0\n"
7358 + "int $4\n0:\n"
7359 + _ASM_EXTABLE(0b, 0b)
7360 +#endif
7361 +
7362 + : "+m" (v->counter)
7363 + : "ir" (i));
7364 +}
7365 +
7366 +/**
7367 + * atomic_sub_unchecked - subtract integer from atomic variable
7368 + * @i: integer value to subtract
7369 + * @v: pointer of type atomic_unchecked_t
7370 + *
7371 + * Atomically subtracts @i from @v.
7372 + */
7373 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
7374 +{
7375 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
7376 : "+m" (v->counter)
7377 : "ir" (i));
7378 }
7379 @@ -77,7 +144,16 @@ static inline int atomic_sub_and_test(in
7380 {
7381 unsigned char c;
7382
7383 - asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
7384 + asm volatile(LOCK_PREFIX "subl %2,%0\n"
7385 +
7386 +#ifdef CONFIG_PAX_REFCOUNT
7387 + "jno 0f\n"
7388 + LOCK_PREFIX "addl %2,%0\n"
7389 + "int $4\n0:\n"
7390 + _ASM_EXTABLE(0b, 0b)
7391 +#endif
7392 +
7393 + "sete %1\n"
7394 : "+m" (v->counter), "=qm" (c)
7395 : "ir" (i) : "memory");
7396 return c;
7397 @@ -91,7 +167,27 @@ static inline int atomic_sub_and_test(in
7398 */
7399 static inline void atomic_inc(atomic_t *v)
7400 {
7401 - asm volatile(LOCK_PREFIX "incl %0"
7402 + asm volatile(LOCK_PREFIX "incl %0\n"
7403 +
7404 +#ifdef CONFIG_PAX_REFCOUNT
7405 + "jno 0f\n"
7406 + LOCK_PREFIX "decl %0\n"
7407 + "int $4\n0:\n"
7408 + _ASM_EXTABLE(0b, 0b)
7409 +#endif
7410 +
7411 + : "+m" (v->counter));
7412 +}
7413 +
7414 +/**
7415 + * atomic_inc_unchecked - increment atomic variable
7416 + * @v: pointer of type atomic_unchecked_t
7417 + *
7418 + * Atomically increments @v by 1.
7419 + */
7420 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
7421 +{
7422 + asm volatile(LOCK_PREFIX "incl %0\n"
7423 : "+m" (v->counter));
7424 }
7425
7426 @@ -103,7 +199,27 @@ static inline void atomic_inc(atomic_t *
7427 */
7428 static inline void atomic_dec(atomic_t *v)
7429 {
7430 - asm volatile(LOCK_PREFIX "decl %0"
7431 + asm volatile(LOCK_PREFIX "decl %0\n"
7432 +
7433 +#ifdef CONFIG_PAX_REFCOUNT
7434 + "jno 0f\n"
7435 + LOCK_PREFIX "incl %0\n"
7436 + "int $4\n0:\n"
7437 + _ASM_EXTABLE(0b, 0b)
7438 +#endif
7439 +
7440 + : "+m" (v->counter));
7441 +}
7442 +
7443 +/**
7444 + * atomic_dec_unchecked - decrement atomic variable
7445 + * @v: pointer of type atomic_unchecked_t
7446 + *
7447 + * Atomically decrements @v by 1.
7448 + */
7449 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
7450 +{
7451 + asm volatile(LOCK_PREFIX "decl %0\n"
7452 : "+m" (v->counter));
7453 }
7454
7455 @@ -119,7 +235,16 @@ static inline int atomic_dec_and_test(at
7456 {
7457 unsigned char c;
7458
7459 - asm volatile(LOCK_PREFIX "decl %0; sete %1"
7460 + asm volatile(LOCK_PREFIX "decl %0\n"
7461 +
7462 +#ifdef CONFIG_PAX_REFCOUNT
7463 + "jno 0f\n"
7464 + LOCK_PREFIX "incl %0\n"
7465 + "int $4\n0:\n"
7466 + _ASM_EXTABLE(0b, 0b)
7467 +#endif
7468 +
7469 + "sete %1\n"
7470 : "+m" (v->counter), "=qm" (c)
7471 : : "memory");
7472 return c != 0;
7473 @@ -137,7 +262,35 @@ static inline int atomic_inc_and_test(at
7474 {
7475 unsigned char c;
7476
7477 - asm volatile(LOCK_PREFIX "incl %0; sete %1"
7478 + asm volatile(LOCK_PREFIX "incl %0\n"
7479 +
7480 +#ifdef CONFIG_PAX_REFCOUNT
7481 + "jno 0f\n"
7482 + LOCK_PREFIX "decl %0\n"
7483 + "into\n0:\n"
7484 + _ASM_EXTABLE(0b, 0b)
7485 +#endif
7486 +
7487 + "sete %1\n"
7488 + : "+m" (v->counter), "=qm" (c)
7489 + : : "memory");
7490 + return c != 0;
7491 +}
7492 +
7493 +/**
7494 + * atomic_inc_and_test_unchecked - increment and test
7495 + * @v: pointer of type atomic_unchecked_t
7496 + *
7497 + * Atomically increments @v by 1
7498 + * and returns true if the result is zero, or false for all
7499 + * other cases.
7500 + */
7501 +static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
7502 +{
7503 + unsigned char c;
7504 +
7505 + asm volatile(LOCK_PREFIX "incl %0\n"
7506 + "sete %1\n"
7507 : "+m" (v->counter), "=qm" (c)
7508 : : "memory");
7509 return c != 0;
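Review bot: The checked path in `atomic_inc_and_test` ends in `into`, where every other checked operation visible in this diff uses `int $4`. `into` only traps if OF is still set after the preceding `lock decl`, which depends on the value the counter holds at that moment, so a concurrent update between the two locked instructions could let the overflow pass without a trap. Use the unconditional form for consistency: `"int $4\n0:\n"`.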
7510 @@ -156,7 +309,16 @@ static inline int atomic_add_negative(in
7511 {
7512 unsigned char c;
7513
7514 - asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
7515 + asm volatile(LOCK_PREFIX "addl %2,%0\n"
7516 +
7517 +#ifdef CONFIG_PAX_REFCOUNT
7518 + "jno 0f\n"
7519 + LOCK_PREFIX "subl %2,%0\n"
7520 + "int $4\n0:\n"
7521 + _ASM_EXTABLE(0b, 0b)
7522 +#endif
7523 +
7524 + "sets %1\n"
7525 : "+m" (v->counter), "=qm" (c)
7526 : "ir" (i) : "memory");
7527 return c;
7528 @@ -179,6 +341,46 @@ static inline int atomic_add_return(int
7529 #endif
7530 /* Modern 486+ processor */
7531 __i = i;
7532 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
7533 +
7534 +#ifdef CONFIG_PAX_REFCOUNT
7535 + "jno 0f\n"
7536 + "movl %0, %1\n"
7537 + "int $4\n0:\n"
7538 + _ASM_EXTABLE(0b, 0b)
7539 +#endif
7540 +
7541 + : "+r" (i), "+m" (v->counter)
7542 + : : "memory");
7543 + return i + __i;
7544 +
7545 +#ifdef CONFIG_M386
7546 +no_xadd: /* Legacy 386 processor */
7547 + local_irq_save(flags);
7548 + __i = atomic_read(v);
7549 + atomic_set(v, i + __i);
7550 + local_irq_restore(flags);
7551 + return i + __i;
7552 +#endif
7553 +}
7554 +
7555 +/**
7556 + * atomic_add_return_unchecked - add integer and return
7557 + * @v: pointer of type atomic_unchecked_t
7558 + * @i: integer value to add
7559 + *
7560 + * Atomically adds @i to @v and returns @i + @v
7561 + */
7562 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
7563 +{
7564 + int __i;
7565 +#ifdef CONFIG_M386
7566 + unsigned long flags;
7567 + if (unlikely(boot_cpu_data.x86 <= 3))
7568 + goto no_xadd;
7569 +#endif
7570 + /* Modern 486+ processor */
7571 + __i = i;
7572 asm volatile(LOCK_PREFIX "xaddl %0, %1"
7573 : "+r" (i), "+m" (v->counter)
7574 : : "memory");
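Review bot: On overflow the checked `atomic_add_return` rolls back with a plain `movl %0, %1`, which writes the pre-add value back and so discards any update another CPU made after the `xaddl`; the other checked operations in this diff undo with a locked inverse instruction instead. A locked subtract of the original addend (kept in `__i`) would preserve concurrent updates. The `CONFIG_M386` `no_xadd` path of the checked function also does `atomic_set(v, i + __i)` with no overflow test, so the check is absent there. `atomic_add_return_unchecked` continues past the end of the hunk.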
7575 @@ -211,11 +413,21 @@ static inline int atomic_cmpxchg(atomic_
7576 return cmpxchg(&v->counter, old, new);
7577 }
7578
7579 +static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
7580 +{
7581 + return cmpxchg(&v->counter, old, new);
7582 +}
7583 +
7584 static inline int atomic_xchg(atomic_t *v, int new)
7585 {
7586 return xchg(&v->counter, new);
7587 }
7588
7589 +static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
7590 +{
7591 + return xchg(&v->counter, new);
7592 +}
7593 +
7594 /**
7595 * atomic_add_unless - add unless the number is already a given value
7596 * @v: pointer of type atomic_t
7597 @@ -227,22 +439,39 @@ static inline int atomic_xchg(atomic_t *
7598 */
7599 static inline int atomic_add_unless(atomic_t *v, int a, int u)
7600 {
7601 - int c, old;
7602 + int c, old, new;
7603 c = atomic_read(v);
7604 for (;;) {
7605 - if (unlikely(c == (u)))
7606 + if (unlikely(c == u))
7607 break;
7608 - old = atomic_cmpxchg((v), c, c + (a));
7609 +
7610 + asm volatile("addl %2,%0\n"
7611 +
7612 +#ifdef CONFIG_PAX_REFCOUNT
7613 + "jno 0f\n"
7614 + "subl %2,%0\n"
7615 + "int $4\n0:\n"
7616 + _ASM_EXTABLE(0b, 0b)
7617 +#endif
7618 +
7619 + : "=r" (new)
7620 + : "0" (c), "ir" (a));
7621 +
7622 + old = atomic_cmpxchg(v, c, new);
7623 if (likely(old == c))
7624 break;
7625 c = old;
7626 }
7627 - return c != (u);
7628 + return c != u;
7629 }
7630
7631 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
7632
7633 #define atomic_inc_return(v) (atomic_add_return(1, v))
7634 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
7635 +{
7636 + return atomic_add_return_unchecked(1, v);
7637 +}
7638 #define atomic_dec_return(v) (atomic_sub_return(1, v))
7639
7640 /* These are x86-specific, used by some header files */
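Review bot: In the checked `atomic_add_unless`, an overflow leaves `new` equal to `c` after the `subl`, so if execution resumes at label `0:` after `int $4` the following `atomic_cmpxchg(v, c, new)` succeeds without changing the counter and the function returns non-zero. Callers such as `atomic_inc_not_zero` would then be told the increment happened; whether the trap handler ever resumes the task is not visible here. If that behaviour is intended it should be documented in the kernel-doc, e.g. ` * Under CONFIG_PAX_REFCOUNT an overflowing add is not applied and raises #OF.` The new `atomic_inc_return_unchecked` inline is also wedged between two `#define`s; placing it after the macro group would read better.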
7641 @@ -266,9 +495,18 @@ typedef struct {
7642 u64 __aligned(8) counter;
7643 } atomic64_t;
7644
7645 +#ifdef CONFIG_PAX_REFCOUNT
7646 +typedef struct {
7647 + u64 __aligned(8) counter;
7648 +} atomic64_unchecked_t;
7649 +#else
7650 +typedef atomic64_t atomic64_unchecked_t;
7651 +#endif
7652 +
7653 #define ATOMIC64_INIT(val) { (val) }
7654
7655 extern u64 atomic64_cmpxchg(atomic64_t *ptr, u64 old_val, u64 new_val);
7656 +extern u64 atomic64_cmpxchg_unchecked(atomic64_unchecked_t *ptr, u64 old_val, u64 new_val);
7657
7658 /**
7659 * atomic64_xchg - xchg atomic64 variable
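Review bot: The new `atomic64_unchecked_t` typedef has no comment saying when a counter should use it, and with CONFIG_PAX_REFCOUNT disabled it is only an alias of `atomic64_t`, so passing the wrong type to an `_unchecked` helper compiles silently in that configuration. A short comment above the `#ifdef` would help, for example `/* counters that are allowed to wrap, so no overflow trap; a distinct type only under CONFIG_PAX_REFCOUNT */`. The "allowed to wrap" reading is inferred from the naming and should be confirmed by the author.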
7660 @@ -279,6 +517,7 @@ extern u64 atomic64_cmpxchg(atomic64_t *
7661 * the old value.
7662 */
7663 extern u64 atomic64_xchg(atomic64_t *ptr, u64 new_val);
7664 +extern u64 atomic64_xchg_unchecked(atomic64_unchecked_t *ptr, u64 new_val);
7665
7666 /**
7667 * atomic64_set - set atomic64 variable
7668 @@ -290,6 +529,15 @@ extern u64 atomic64_xchg(atomic64_t *ptr
7669 extern void atomic64_set(atomic64_t *ptr, u64 new_val);
7670
7671 /**
7672 + * atomic64_unchecked_set - set atomic64 variable
7673 + * @ptr: pointer to type atomic64_unchecked_t
7674 + * @new_val: value to assign
7675 + *
7676 + * Atomically sets the value of @ptr to @new_val.
7677 + */
7678 +extern void atomic64_set_unchecked(atomic64_unchecked_t *ptr, u64 new_val);
7679 +
7680 +/**
7681 * atomic64_read - read atomic64 variable
7682 * @ptr: pointer to type atomic64_t
7683 *
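Review bot: The kernel-doc header added for the setter names `atomic64_unchecked_set`, but the function declared under it is `atomic64_set_unchecked`. Kernel-doc keys on that first line, so it should read `* atomic64_set_unchecked - set atomic64 variable`.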
7684 @@ -317,7 +565,33 @@ static inline u64 atomic64_read(atomic64
7685 return res;
7686 }
7687
7688 -extern u64 atomic64_read(atomic64_t *ptr);
7689 +/**
7690 + * atomic64_read_unchecked - read atomic64 variable
7691 + * @ptr: pointer to type atomic64_unchecked_t
7692 + *
7693 + * Atomically reads the value of @ptr and returns it.
7694 + */
7695 +static inline u64 atomic64_read_unchecked(atomic64_unchecked_t *ptr)
7696 +{
7697 + u64 res;
7698 +
7699 + /*
7700 + * Note, we inline this atomic64_unchecked_t primitive because
7701 + * it only clobbers EAX/EDX and leaves the others
7702 + * untouched. We also (somewhat subtly) rely on the
7703 + * fact that cmpxchg8b returns the current 64-bit value
7704 + * of the memory location we are touching:
7705 + */
7706 + asm volatile(
7707 + "mov %%ebx, %%eax\n\t"
7708 + "mov %%ecx, %%edx\n\t"
7709 + LOCK_PREFIX "cmpxchg8b %1\n"
7710 + : "=&A" (res)
7711 + : "m" (*ptr)
7712 + );
7713 +
7714 + return res;
7715 +}
7716
7717 /**
7718 * atomic64_add_return - add and return
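Review bot: `atomic64_read_unchecked` lists `*ptr` as an input-only `"m"` operand, yet `LOCK cmpxchg8b` performs a write cycle on its destination even when the comparison fails, so this "read" needs a writable mapping. That matters more in a patch that also adds a `__read_only` data section (see the cache.h hunk). The comment inside the function should say so, e.g. `/* cmpxchg8b always writes the destination back: @ptr must not live in write-protected memory */`. The body otherwise mirrors `atomic64_read`, whose start lies outside this hunk.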
7719 @@ -332,8 +606,11 @@ extern u64 atomic64_add_return(u64 delta
7720 * Other variants with different arithmetic operators:
7721 */
7722 extern u64 atomic64_sub_return(u64 delta, atomic64_t *ptr);
7723 +extern u64 atomic64_sub_return_unchecked(u64 delta, atomic64_unchecked_t *ptr);
7724 extern u64 atomic64_inc_return(atomic64_t *ptr);
7725 +extern u64 atomic64_inc_return_unchecked(atomic64_unchecked_t *ptr);
7726 extern u64 atomic64_dec_return(atomic64_t *ptr);
7727 +extern u64 atomic64_dec_return_unchecked(atomic64_unchecked_t *ptr);
7728
7729 /**
7730 * atomic64_add - add integer to atomic64 variable
7731 @@ -345,6 +622,15 @@ extern u64 atomic64_dec_return(atomic64_
7732 extern void atomic64_add(u64 delta, atomic64_t *ptr);
7733
7734 /**
7735 + * atomic64_add_unchecked - add integer to atomic64 variable
7736 + * @delta: integer value to add
7737 + * @ptr: pointer to type atomic64_unchecked_t
7738 + *
7739 + * Atomically adds @delta to @ptr.
7740 + */
7741 +extern void atomic64_add_unchecked(u64 delta, atomic64_unchecked_t *ptr);
7742 +
7743 +/**
7744 * atomic64_sub - subtract the atomic64 variable
7745 * @delta: integer value to subtract
7746 * @ptr: pointer to type atomic64_t
7747 @@ -354,6 +640,15 @@ extern void atomic64_add(u64 delta, atom
7748 extern void atomic64_sub(u64 delta, atomic64_t *ptr);
7749
7750 /**
7751 + * atomic64_sub_unchecked - subtract the atomic64 variable
7752 + * @delta: integer value to subtract
7753 + * @ptr: pointer to type atomic64_unchecked_t
7754 + *
7755 + * Atomically subtracts @delta from @ptr.
7756 + */
7757 +extern void atomic64_sub_unchecked(u64 delta, atomic64_unchecked_t *ptr);
7758 +
7759 +/**
7760 * atomic64_sub_and_test - subtract value from variable and test result
7761 * @delta: integer value to subtract
7762 * @ptr: pointer to type atomic64_t
7763 @@ -373,6 +668,14 @@ extern int atomic64_sub_and_test(u64 del
7764 extern void atomic64_inc(atomic64_t *ptr);
7765
7766 /**
7767 + * atomic64_inc_unchecked - increment atomic64 variable
7768 + * @ptr: pointer to type atomic64_unchecked_t
7769 + *
7770 + * Atomically increments @ptr by 1.
7771 + */
7772 +extern void atomic64_inc_unchecked(atomic64_unchecked_t *ptr);
7773 +
7774 +/**
7775 * atomic64_dec - decrement atomic64 variable
7776 * @ptr: pointer to type atomic64_t
7777 *
7778 @@ -381,6 +684,14 @@ extern void atomic64_inc(atomic64_t *ptr
7779 extern void atomic64_dec(atomic64_t *ptr);
7780
7781 /**
7782 + * atomic64_dec_unchecked - decrement atomic64 variable
7783 + * @ptr: pointer to type atomic64_unchecked_t
7784 + *
7785 + * Atomically decrements @ptr by 1.
7786 + */
7787 +extern void atomic64_dec_unchecked(atomic64_unchecked_t *ptr);
7788 +
7789 +/**
7790 * atomic64_dec_and_test - decrement and test
7791 * @ptr: pointer to type atomic64_t
7792 *
7793 diff -urNp linux-2.6.32.49/arch/x86/include/asm/atomic_64.h linux-2.6.32.49/arch/x86/include/asm/atomic_64.h
7794 --- linux-2.6.32.49/arch/x86/include/asm/atomic_64.h 2011-11-08 19:02:43.000000000 -0500
7795 +++ linux-2.6.32.49/arch/x86/include/asm/atomic_64.h 2011-11-15 19:59:42.000000000 -0500
7796 @@ -24,6 +24,17 @@ static inline int atomic_read(const atom
7797 }
7798
7799 /**
7800 + * atomic_read_unchecked - read atomic variable
7801 + * @v: pointer of type atomic_unchecked_t
7802 + *
7803 + * Atomically reads the value of @v.
7804 + */
7805 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
7806 +{
7807 + return v->counter;
7808 +}
7809 +
7810 +/**
7811 * atomic_set - set atomic variable
7812 * @v: pointer of type atomic_t
7813 * @i: required value
7814 @@ -36,6 +47,18 @@ static inline void atomic_set(atomic_t *
7815 }
7816
7817 /**
7818 + * atomic_set_unchecked - set atomic variable
7819 + * @v: pointer of type atomic_unchecked_t
7820 + * @i: required value
7821 + *
7822 + * Atomically sets the value of @v to @i.
7823 + */
7824 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
7825 +{
7826 + v->counter = i;
7827 +}
7828 +
7829 +/**
7830 * atomic_add - add integer to atomic variable
7831 * @i: integer value to add
7832 * @v: pointer of type atomic_t
7833 @@ -44,7 +67,29 @@ static inline void atomic_set(atomic_t *
7834 */
7835 static inline void atomic_add(int i, atomic_t *v)
7836 {
7837 - asm volatile(LOCK_PREFIX "addl %1,%0"
7838 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
7839 +
7840 +#ifdef CONFIG_PAX_REFCOUNT
7841 + "jno 0f\n"
7842 + LOCK_PREFIX "subl %1,%0\n"
7843 + "int $4\n0:\n"
7844 + _ASM_EXTABLE(0b, 0b)
7845 +#endif
7846 +
7847 + : "=m" (v->counter)
7848 + : "ir" (i), "m" (v->counter));
7849 +}
7850 +
7851 +/**
7852 + * atomic_add_unchecked - add integer to atomic variable
7853 + * @i: integer value to add
7854 + * @v: pointer of type atomic_unchecked_t
7855 + *
7856 + * Atomically adds @i to @v.
7857 + */
7858 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
7859 +{
7860 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
7861 : "=m" (v->counter)
7862 : "ir" (i), "m" (v->counter));
7863 }
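Review bot: The overflow path in `atomic_add` undoes the addition with a second, separately locked `subl`, so between the two instructions other CPUs can observe the wrapped counter value; the pair is not one atomic operation. A comment on the `#ifdef CONFIG_PAX_REFCOUNT` block should state that limitation and what `int $4` and the `_ASM_EXTABLE(0b, 0b)` entry are for, e.g. `/* overflow: roll back, then raise the overflow trap; the wrapped value is briefly visible to other CPUs */`. The same add/undo/trap tail is repeated in the hunks for `atomic_sub`, `atomic_sub_and_test`, `atomic_inc`, `atomic_dec`, `atomic_dec_and_test`, `atomic_inc_and_test`, `atomic_add_negative` and their `atomic64_*` counterparts, so a shared macro for the tail would keep the copies from drifting apart.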
7864 @@ -58,7 +103,29 @@ static inline void atomic_add(int i, ato
7865 */
7866 static inline void atomic_sub(int i, atomic_t *v)
7867 {
7868 - asm volatile(LOCK_PREFIX "subl %1,%0"
7869 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
7870 +
7871 +#ifdef CONFIG_PAX_REFCOUNT
7872 + "jno 0f\n"
7873 + LOCK_PREFIX "addl %1,%0\n"
7874 + "int $4\n0:\n"
7875 + _ASM_EXTABLE(0b, 0b)
7876 +#endif
7877 +
7878 + : "=m" (v->counter)
7879 + : "ir" (i), "m" (v->counter));
7880 +}
7881 +
7882 +/**
7883 + * atomic_sub_unchecked - subtract the atomic variable
7884 + * @i: integer value to subtract
7885 + * @v: pointer of type atomic_unchecked_t
7886 + *
7887 + * Atomically subtracts @i from @v.
7888 + */
7889 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
7890 +{
7891 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
7892 : "=m" (v->counter)
7893 : "ir" (i), "m" (v->counter));
7894 }
7895 @@ -76,7 +143,16 @@ static inline int atomic_sub_and_test(in
7896 {
7897 unsigned char c;
7898
7899 - asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
7900 + asm volatile(LOCK_PREFIX "subl %2,%0\n"
7901 +
7902 +#ifdef CONFIG_PAX_REFCOUNT
7903 + "jno 0f\n"
7904 + LOCK_PREFIX "addl %2,%0\n"
7905 + "int $4\n0:\n"
7906 + _ASM_EXTABLE(0b, 0b)
7907 +#endif
7908 +
7909 + "sete %1\n"
7910 : "=m" (v->counter), "=qm" (c)
7911 : "ir" (i), "m" (v->counter) : "memory");
7912 return c;
7913 @@ -90,7 +166,28 @@ static inline int atomic_sub_and_test(in
7914 */
7915 static inline void atomic_inc(atomic_t *v)
7916 {
7917 - asm volatile(LOCK_PREFIX "incl %0"
7918 + asm volatile(LOCK_PREFIX "incl %0\n"
7919 +
7920 +#ifdef CONFIG_PAX_REFCOUNT
7921 + "jno 0f\n"
7922 + LOCK_PREFIX "decl %0\n"
7923 + "int $4\n0:\n"
7924 + _ASM_EXTABLE(0b, 0b)
7925 +#endif
7926 +
7927 + : "=m" (v->counter)
7928 + : "m" (v->counter));
7929 +}
7930 +
7931 +/**
7932 + * atomic_inc_unchecked - increment atomic variable
7933 + * @v: pointer of type atomic_unchecked_t
7934 + *
7935 + * Atomically increments @v by 1.
7936 + */
7937 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
7938 +{
7939 + asm volatile(LOCK_PREFIX "incl %0\n"
7940 : "=m" (v->counter)
7941 : "m" (v->counter));
7942 }
7943 @@ -103,7 +200,28 @@ static inline void atomic_inc(atomic_t *
7944 */
7945 static inline void atomic_dec(atomic_t *v)
7946 {
7947 - asm volatile(LOCK_PREFIX "decl %0"
7948 + asm volatile(LOCK_PREFIX "decl %0\n"
7949 +
7950 +#ifdef CONFIG_PAX_REFCOUNT
7951 + "jno 0f\n"
7952 + LOCK_PREFIX "incl %0\n"
7953 + "int $4\n0:\n"
7954 + _ASM_EXTABLE(0b, 0b)
7955 +#endif
7956 +
7957 + : "=m" (v->counter)
7958 + : "m" (v->counter));
7959 +}
7960 +
7961 +/**
7962 + * atomic_dec_unchecked - decrement atomic variable
7963 + * @v: pointer of type atomic_unchecked_t
7964 + *
7965 + * Atomically decrements @v by 1.
7966 + */
7967 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
7968 +{
7969 + asm volatile(LOCK_PREFIX "decl %0\n"
7970 : "=m" (v->counter)
7971 : "m" (v->counter));
7972 }
7973 @@ -120,7 +238,16 @@ static inline int atomic_dec_and_test(at
7974 {
7975 unsigned char c;
7976
7977 - asm volatile(LOCK_PREFIX "decl %0; sete %1"
7978 + asm volatile(LOCK_PREFIX "decl %0\n"
7979 +
7980 +#ifdef CONFIG_PAX_REFCOUNT
7981 + "jno 0f\n"
7982 + LOCK_PREFIX "incl %0\n"
7983 + "int $4\n0:\n"
7984 + _ASM_EXTABLE(0b, 0b)
7985 +#endif
7986 +
7987 + "sete %1\n"
7988 : "=m" (v->counter), "=qm" (c)
7989 : "m" (v->counter) : "memory");
7990 return c != 0;
7991 @@ -138,7 +265,35 @@ static inline int atomic_inc_and_test(at
7992 {
7993 unsigned char c;
7994
7995 - asm volatile(LOCK_PREFIX "incl %0; sete %1"
7996 + asm volatile(LOCK_PREFIX "incl %0\n"
7997 +
7998 +#ifdef CONFIG_PAX_REFCOUNT
7999 + "jno 0f\n"
8000 + LOCK_PREFIX "decl %0\n"
8001 + "int $4\n0:\n"
8002 + _ASM_EXTABLE(0b, 0b)
8003 +#endif
8004 +
8005 + "sete %1\n"
8006 + : "=m" (v->counter), "=qm" (c)
8007 + : "m" (v->counter) : "memory");
8008 + return c != 0;
8009 +}
8010 +
8011 +/**
8012 + * atomic_inc_and_test_unchecked - increment and test
8013 + * @v: pointer of type atomic_unchecked_t
8014 + *
8015 + * Atomically increments @v by 1
8016 + * and returns true if the result is zero, or false for all
8017 + * other cases.
8018 + */
8019 +static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
8020 +{
8021 + unsigned char c;
8022 +
8023 + asm volatile(LOCK_PREFIX "incl %0\n"
8024 + "sete %1\n"
8025 : "=m" (v->counter), "=qm" (c)
8026 : "m" (v->counter) : "memory");
8027 return c != 0;
8028 @@ -157,7 +312,16 @@ static inline int atomic_add_negative(in
8029 {
8030 unsigned char c;
8031
8032 - asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
8033 + asm volatile(LOCK_PREFIX "addl %2,%0\n"
8034 +
8035 +#ifdef CONFIG_PAX_REFCOUNT
8036 + "jno 0f\n"
8037 + LOCK_PREFIX "subl %2,%0\n"
8038 + "int $4\n0:\n"
8039 + _ASM_EXTABLE(0b, 0b)
8040 +#endif
8041 +
8042 + "sets %1\n"
8043 : "=m" (v->counter), "=qm" (c)
8044 : "ir" (i), "m" (v->counter) : "memory");
8045 return c;
8046 @@ -173,7 +337,31 @@ static inline int atomic_add_negative(in
8047 static inline int atomic_add_return(int i, atomic_t *v)
8048 {
8049 int __i = i;
8050 - asm volatile(LOCK_PREFIX "xaddl %0, %1"
8051 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
8052 +
8053 +#ifdef CONFIG_PAX_REFCOUNT
8054 + "jno 0f\n"
8055 + "movl %0, %1\n"
8056 + "int $4\n0:\n"
8057 + _ASM_EXTABLE(0b, 0b)
8058 +#endif
8059 +
8060 + : "+r" (i), "+m" (v->counter)
8061 + : : "memory");
8062 + return i + __i;
8063 +}
8064 +
8065 +/**
8066 + * atomic_add_return_unchecked - add and return
8067 + * @i: integer value to add
8068 + * @v: pointer of type atomic_unchecked_t
8069 + *
8070 + * Atomically adds @i to @v and returns @i + @v
8071 + */
8072 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
8073 +{
8074 + int __i = i;
8075 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
8076 : "+r" (i), "+m" (v->counter)
8077 : : "memory");
8078 return i + __i;
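Review bot: On overflow `atomic_add_return` rolls the counter back with a plain `movl %0, %1`, which is not locked and overwrites whatever other CPUs stored to `v->counter` after the `xaddl`. The other checked helpers in this file undo with a locked inverse operation; a locked `subl` of the original addend (already saved in `__i`) would preserve concurrent updates here, at the cost of one more asm operand. The function also still returns `i + __i`, the overflowed sum, once the trap returns, which callers may not expect, so both behaviours deserve a comment if they are intentional. `atomic64_add_return` in a later hunk uses the same `movq` rollback, and the closing brace of this function lies outside the hunk.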
8079 @@ -185,6 +373,10 @@ static inline int atomic_sub_return(int
8080 }
8081
8082 #define atomic_inc_return(v) (atomic_add_return(1, v))
8083 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
8084 +{
8085 + return atomic_add_return_unchecked(1, v);
8086 +}
8087 #define atomic_dec_return(v) (atomic_sub_return(1, v))
8088
8089 /* The 64-bit atomic type */
8090 @@ -204,6 +396,18 @@ static inline long atomic64_read(const a
8091 }
8092
8093 /**
8094 + * atomic64_read_unchecked - read atomic64 variable
8095 + * @v: pointer of type atomic64_unchecked_t
8096 + *
8097 + * Atomically reads the value of @v.
8098 + * Doesn't imply a read memory barrier.
8099 + */
8100 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
8101 +{
8102 + return v->counter;
8103 +}
8104 +
8105 +/**
8106 * atomic64_set - set atomic64 variable
8107 * @v: pointer to type atomic64_t
8108 * @i: required value
8109 @@ -216,6 +420,18 @@ static inline void atomic64_set(atomic64
8110 }
8111
8112 /**
8113 + * atomic64_set_unchecked - set atomic64 variable
8114 + * @v: pointer to type atomic64_unchecked_t
8115 + * @i: required value
8116 + *
8117 + * Atomically sets the value of @v to @i.
8118 + */
8119 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
8120 +{
8121 + v->counter = i;
8122 +}
8123 +
8124 +/**
8125 * atomic64_add - add integer to atomic64 variable
8126 * @i: integer value to add
8127 * @v: pointer to type atomic64_t
8128 @@ -224,6 +440,28 @@ static inline void atomic64_set(atomic64
8129 */
8130 static inline void atomic64_add(long i, atomic64_t *v)
8131 {
8132 + asm volatile(LOCK_PREFIX "addq %1,%0\n"
8133 +
8134 +#ifdef CONFIG_PAX_REFCOUNT
8135 + "jno 0f\n"
8136 + LOCK_PREFIX "subq %1,%0\n"
8137 + "int $4\n0:\n"
8138 + _ASM_EXTABLE(0b, 0b)
8139 +#endif
8140 +
8141 + : "=m" (v->counter)
8142 + : "er" (i), "m" (v->counter));
8143 +}
8144 +
8145 +/**
8146 + * atomic64_add_unchecked - add integer to atomic64 variable
8147 + * @i: integer value to add
8148 + * @v: pointer to type atomic64_unchecked_t
8149 + *
8150 + * Atomically adds @i to @v.
8151 + */
8152 +static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
8153 +{
8154 asm volatile(LOCK_PREFIX "addq %1,%0"
8155 : "=m" (v->counter)
8156 : "er" (i), "m" (v->counter));
8157 @@ -238,7 +476,15 @@ static inline void atomic64_add(long i,
8158 */
8159 static inline void atomic64_sub(long i, atomic64_t *v)
8160 {
8161 - asm volatile(LOCK_PREFIX "subq %1,%0"
8162 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
8163 +
8164 +#ifdef CONFIG_PAX_REFCOUNT
8165 + "jno 0f\n"
8166 + LOCK_PREFIX "addq %1,%0\n"
8167 + "int $4\n0:\n"
8168 + _ASM_EXTABLE(0b, 0b)
8169 +#endif
8170 +
8171 : "=m" (v->counter)
8172 : "er" (i), "m" (v->counter));
8173 }
8174 @@ -256,7 +502,16 @@ static inline int atomic64_sub_and_test(
8175 {
8176 unsigned char c;
8177
8178 - asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
8179 + asm volatile(LOCK_PREFIX "subq %2,%0\n"
8180 +
8181 +#ifdef CONFIG_PAX_REFCOUNT
8182 + "jno 0f\n"
8183 + LOCK_PREFIX "addq %2,%0\n"
8184 + "int $4\n0:\n"
8185 + _ASM_EXTABLE(0b, 0b)
8186 +#endif
8187 +
8188 + "sete %1\n"
8189 : "=m" (v->counter), "=qm" (c)
8190 : "er" (i), "m" (v->counter) : "memory");
8191 return c;
8192 @@ -270,6 +525,27 @@ static inline int atomic64_sub_and_test(
8193 */
8194 static inline void atomic64_inc(atomic64_t *v)
8195 {
8196 + asm volatile(LOCK_PREFIX "incq %0\n"
8197 +
8198 +#ifdef CONFIG_PAX_REFCOUNT
8199 + "jno 0f\n"
8200 + LOCK_PREFIX "decq %0\n"
8201 + "int $4\n0:\n"
8202 + _ASM_EXTABLE(0b, 0b)
8203 +#endif
8204 +
8205 + : "=m" (v->counter)
8206 + : "m" (v->counter));
8207 +}
8208 +
8209 +/**
8210 + * atomic64_inc_unchecked - increment atomic64 variable
8211 + * @v: pointer to type atomic64_unchecked_t
8212 + *
8213 + * Atomically increments @v by 1.
8214 + */
8215 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
8216 +{
8217 asm volatile(LOCK_PREFIX "incq %0"
8218 : "=m" (v->counter)
8219 : "m" (v->counter));
8220 @@ -283,7 +559,28 @@ static inline void atomic64_inc(atomic64
8221 */
8222 static inline void atomic64_dec(atomic64_t *v)
8223 {
8224 - asm volatile(LOCK_PREFIX "decq %0"
8225 + asm volatile(LOCK_PREFIX "decq %0\n"
8226 +
8227 +#ifdef CONFIG_PAX_REFCOUNT
8228 + "jno 0f\n"
8229 + LOCK_PREFIX "incq %0\n"
8230 + "int $4\n0:\n"
8231 + _ASM_EXTABLE(0b, 0b)
8232 +#endif
8233 +
8234 + : "=m" (v->counter)
8235 + : "m" (v->counter));
8236 +}
8237 +
8238 +/**
8239 + * atomic64_dec_unchecked - decrement atomic64 variable
8240 + * @v: pointer to type atomic64_t
8241 + *
8242 + * Atomically decrements @v by 1.
8243 + */
8244 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
8245 +{
8246 + asm volatile(LOCK_PREFIX "decq %0\n"
8247 : "=m" (v->counter)
8248 : "m" (v->counter));
8249 }
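Review bot: The kernel-doc block added for `atomic64_dec_unchecked` describes `@v` as "pointer to type atomic64_t", but the parameter is `atomic64_unchecked_t *v`. The line should read `* @v: pointer to type atomic64_unchecked_t`, matching the other `_unchecked` headers added in this file.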
8250 @@ -300,7 +597,16 @@ static inline int atomic64_dec_and_test(
8251 {
8252 unsigned char c;
8253
8254 - asm volatile(LOCK_PREFIX "decq %0; sete %1"
8255 + asm volatile(LOCK_PREFIX "decq %0\n"
8256 +
8257 +#ifdef CONFIG_PAX_REFCOUNT
8258 + "jno 0f\n"
8259 + LOCK_PREFIX "incq %0\n"
8260 + "int $4\n0:\n"
8261 + _ASM_EXTABLE(0b, 0b)
8262 +#endif
8263 +
8264 + "sete %1\n"
8265 : "=m" (v->counter), "=qm" (c)
8266 : "m" (v->counter) : "memory");
8267 return c != 0;
8268 @@ -318,7 +624,16 @@ static inline int atomic64_inc_and_test(
8269 {
8270 unsigned char c;
8271
8272 - asm volatile(LOCK_PREFIX "incq %0; sete %1"
8273 + asm volatile(LOCK_PREFIX "incq %0\n"
8274 +
8275 +#ifdef CONFIG_PAX_REFCOUNT
8276 + "jno 0f\n"
8277 + LOCK_PREFIX "decq %0\n"
8278 + "int $4\n0:\n"
8279 + _ASM_EXTABLE(0b, 0b)
8280 +#endif
8281 +
8282 + "sete %1\n"
8283 : "=m" (v->counter), "=qm" (c)
8284 : "m" (v->counter) : "memory");
8285 return c != 0;
8286 @@ -337,7 +652,16 @@ static inline int atomic64_add_negative(
8287 {
8288 unsigned char c;
8289
8290 - asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
8291 + asm volatile(LOCK_PREFIX "addq %2,%0\n"
8292 +
8293 +#ifdef CONFIG_PAX_REFCOUNT
8294 + "jno 0f\n"
8295 + LOCK_PREFIX "subq %2,%0\n"
8296 + "int $4\n0:\n"
8297 + _ASM_EXTABLE(0b, 0b)
8298 +#endif
8299 +
8300 + "sets %1\n"
8301 : "=m" (v->counter), "=qm" (c)
8302 : "er" (i), "m" (v->counter) : "memory");
8303 return c;
8304 @@ -353,7 +677,31 @@ static inline int atomic64_add_negative(
8305 static inline long atomic64_add_return(long i, atomic64_t *v)
8306 {
8307 long __i = i;
8308 - asm volatile(LOCK_PREFIX "xaddq %0, %1;"
8309 + asm volatile(LOCK_PREFIX "xaddq %0, %1\n"
8310 +
8311 +#ifdef CONFIG_PAX_REFCOUNT
8312 + "jno 0f\n"
8313 + "movq %0, %1\n"
8314 + "int $4\n0:\n"
8315 + _ASM_EXTABLE(0b, 0b)
8316 +#endif
8317 +
8318 + : "+r" (i), "+m" (v->counter)
8319 + : : "memory");
8320 + return i + __i;
8321 +}
8322 +
8323 +/**
8324 + * atomic64_add_return_unchecked - add and return
8325 + * @i: integer value to add
8326 + * @v: pointer to type atomic64_unchecked_t
8327 + *
8328 + * Atomically adds @i to @v and returns @i + @v
8329 + */
8330 +static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
8331 +{
8332 + long __i = i;
8333 + asm volatile(LOCK_PREFIX "xaddq %0, %1"
8334 : "+r" (i), "+m" (v->counter)
8335 : : "memory");
8336 return i + __i;
8337 @@ -365,6 +713,10 @@ static inline long atomic64_sub_return(l
8338 }
8339
8340 #define atomic64_inc_return(v) (atomic64_add_return(1, (v)))
8341 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
8342 +{
8343 + return atomic64_add_return_unchecked(1, v);
8344 +}
8345 #define atomic64_dec_return(v) (atomic64_sub_return(1, (v)))
8346
8347 static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
8348 @@ -372,21 +724,41 @@ static inline long atomic64_cmpxchg(atom
8349 return cmpxchg(&v->counter, old, new);
8350 }
8351
8352 +static inline long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long old, long new)
8353 +{
8354 + return cmpxchg(&v->counter, old, new);
8355 +}
8356 +
8357 static inline long atomic64_xchg(atomic64_t *v, long new)
8358 {
8359 return xchg(&v->counter, new);
8360 }
8361
8362 +static inline long atomic64_xchg_unchecked(atomic64_unchecked_t *v, long new)
8363 +{
8364 + return xchg(&v->counter, new);
8365 +}
8366 +
8367 static inline long atomic_cmpxchg(atomic_t *v, int old, int new)
8368 {
8369 return cmpxchg(&v->counter, old, new);
8370 }
8371
8372 +static inline long atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
8373 +{
8374 + return cmpxchg(&v->counter, old, new);
8375 +}
8376 +
8377 static inline long atomic_xchg(atomic_t *v, int new)
8378 {
8379 return xchg(&v->counter, new);
8380 }
8381
8382 +static inline long atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
8383 +{
8384 + return xchg(&v->counter, new);
8385 +}
8386 +
8387 /**
8388 * atomic_add_unless - add unless the number is a given value
8389 * @v: pointer of type atomic_t
8390 @@ -398,17 +770,30 @@ static inline long atomic_xchg(atomic_t
8391 */
8392 static inline int atomic_add_unless(atomic_t *v, int a, int u)
8393 {
8394 - int c, old;
8395 + int c, old, new;
8396 c = atomic_read(v);
8397 for (;;) {
8398 - if (unlikely(c == (u)))
8399 + if (unlikely(c == u))
8400 break;
8401 - old = atomic_cmpxchg((v), c, c + (a));
8402 +
8403 + asm volatile("addl %2,%0\n"
8404 +
8405 +#ifdef CONFIG_PAX_REFCOUNT
8406 + "jno 0f\n"
8407 + "subl %2,%0\n"
8408 + "int $4\n0:\n"
8409 + _ASM_EXTABLE(0b, 0b)
8410 +#endif
8411 +
8412 + : "=r" (new)
8413 + : "0" (c), "ir" (a));
8414 +
8415 + old = atomic_cmpxchg(v, c, new);
8416 if (likely(old == c))
8417 break;
8418 c = old;
8419 }
8420 - return c != (u);
8421 + return c != u;
8422 }
8423
8424 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
8425 @@ -424,17 +809,30 @@ static inline int atomic_add_unless(atom
8426 */
8427 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
8428 {
8429 - long c, old;
8430 + long c, old, new;
8431 c = atomic64_read(v);
8432 for (;;) {
8433 - if (unlikely(c == (u)))
8434 + if (unlikely(c == u))
8435 break;
8436 - old = atomic64_cmpxchg((v), c, c + (a));
8437 +
8438 + asm volatile("addq %2,%0\n"
8439 +
8440 +#ifdef CONFIG_PAX_REFCOUNT
8441 + "jno 0f\n"
8442 + "subq %2,%0\n"
8443 + "int $4\n0:\n"
8444 + _ASM_EXTABLE(0b, 0b)
8445 +#endif
8446 +
8447 + : "=r" (new)
8448 + : "0" (c), "er" (a));
8449 +
8450 + old = atomic64_cmpxchg(v, c, new);
8451 if (likely(old == c))
8452 break;
8453 c = old;
8454 }
8455 - return c != (u);
8456 + return c != u;
8457 }
8458
8459 /**
8460 diff -urNp linux-2.6.32.49/arch/x86/include/asm/bitops.h linux-2.6.32.49/arch/x86/include/asm/bitops.h
8461 --- linux-2.6.32.49/arch/x86/include/asm/bitops.h 2011-11-08 19:02:43.000000000 -0500
8462 +++ linux-2.6.32.49/arch/x86/include/asm/bitops.h 2011-11-15 19:59:42.000000000 -0500
8463 @@ -38,7 +38,7 @@
8464 * a mask operation on a byte.
8465 */
8466 #define IS_IMMEDIATE(nr) (__builtin_constant_p(nr))
8467 -#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((void *)(addr) + ((nr)>>3))
8468 +#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((volatile void *)(addr) + ((nr)>>3))
8469 #define CONST_MASK(nr) (1 << ((nr) & 7))
8470
8471 /**
8472 diff -urNp linux-2.6.32.49/arch/x86/include/asm/boot.h linux-2.6.32.49/arch/x86/include/asm/boot.h
8473 --- linux-2.6.32.49/arch/x86/include/asm/boot.h 2011-11-08 19:02:43.000000000 -0500
8474 +++ linux-2.6.32.49/arch/x86/include/asm/boot.h 2011-11-15 19:59:42.000000000 -0500
8475 @@ -11,10 +11,15 @@
8476 #include <asm/pgtable_types.h>
8477
8478 /* Physical address where kernel should be loaded. */
8479 -#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
8480 +#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
8481 + (CONFIG_PHYSICAL_ALIGN - 1)) \
8482 & ~(CONFIG_PHYSICAL_ALIGN - 1))
8483
8484 +#ifndef __ASSEMBLY__
8485 +extern unsigned char __LOAD_PHYSICAL_ADDR[];
8486 +#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
8487 +#endif
8488 +
8489 /* Minimum kernel alignment, as a power of two */
8490 #ifdef CONFIG_X86_64
8491 #define MIN_KERNEL_ALIGN_LG2 PMD_SHIFT
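Review bot: After this hunk `LOAD_PHYSICAL_ADDR` is the address of the linker symbol `__LOAD_PHYSICAL_ADDR` and exists only when `__ASSEMBLY__` is not defined, while the existing comment "Physical address where kernel should be loaded" now sits on `____LOAD_PHYSICAL_ADDR`. The value is therefore no longer a preprocessor constant, so any `#if` test or assembly file that used the old name has to switch to the four-underscore macro; none of those users, nor the symbol's definition, are visible here. A comment on the new block would make that explicit, e.g. `/* C code: resolved at link time via __LOAD_PHYSICAL_ADDR; assembly and cpp conditionals use ____LOAD_PHYSICAL_ADDR */`.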
8492 diff -urNp linux-2.6.32.49/arch/x86/include/asm/cacheflush.h linux-2.6.32.49/arch/x86/include/asm/cacheflush.h
8493 --- linux-2.6.32.49/arch/x86/include/asm/cacheflush.h 2011-11-08 19:02:43.000000000 -0500
8494 +++ linux-2.6.32.49/arch/x86/include/asm/cacheflush.h 2011-11-15 19:59:42.000000000 -0500
8495 @@ -60,7 +60,7 @@ PAGEFLAG(WC, WC)
8496 static inline unsigned long get_page_memtype(struct page *pg)
8497 {
8498 if (!PageUncached(pg) && !PageWC(pg))
8499 - return -1;
8500 + return ~0UL;
8501 else if (!PageUncached(pg) && PageWC(pg))
8502 return _PAGE_CACHE_WC;
8503 else if (PageUncached(pg) && !PageWC(pg))
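Review bot: The value returned when neither page flag is set is now spelled `~0UL` in `get_page_memtype` here and again as `case ~0UL:` in the `set_page_memtype` hunk below, so the two literals have to be kept in sync by hand. A named constant used in both places, for instance `#define PAGE_MEMTYPE_NONE (~0UL)` (name constructed for this note), would document the meaning and the unsigned type in one spot. Both functions extend beyond their hunks.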
8504 @@ -85,7 +85,7 @@ static inline void set_page_memtype(stru
8505 SetPageWC(pg);
8506 break;
8507 default:
8508 - case -1:
8509 + case ~0UL:
8510 ClearPageUncached(pg);
8511 ClearPageWC(pg);
8512 break;
8513 diff -urNp linux-2.6.32.49/arch/x86/include/asm/cache.h linux-2.6.32.49/arch/x86/include/asm/cache.h
8514 --- linux-2.6.32.49/arch/x86/include/asm/cache.h 2011-11-08 19:02:43.000000000 -0500
8515 +++ linux-2.6.32.49/arch/x86/include/asm/cache.h 2011-11-15 19:59:42.000000000 -0500
8516 @@ -5,9 +5,10 @@
8517
8518 /* L1 cache line size */
8519 #define L1_CACHE_SHIFT (CONFIG_X86_L1_CACHE_SHIFT)
8520 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
8521 +#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
8522
8523 #define __read_mostly __attribute__((__section__(".data.read_mostly")))
8524 +#define __read_only __attribute__((__section__(".data.read_only")))
8525
8526 #ifdef CONFIG_X86_VSMP
8527 /* vSMP Internode cacheline shift */
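Review bot: `__read_only` only assigns an object to the `.data.read_only` section; nothing in this hunk makes that section read-only, so the protection depends on linker-script and page-permission changes elsewhere in the patch. A comment next to the macro should say where the section is write-protected and how tagged objects may still be updated, e.g. `/* placed in .data.read_only; write-protected by <linker script / init code> */` with the placeholder filled in by the author. Without that, a reader can mistake the attribute for a guarantee it does not provide on its own.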
8528 diff -urNp linux-2.6.32.49/arch/x86/include/asm/calling.h linux-2.6.32.49/arch/x86/include/asm/calling.h
8529 --- linux-2.6.32.49/arch/x86/include/asm/calling.h 2011-11-08 19:02:43.000000000 -0500
8530 +++ linux-2.6.32.49/arch/x86/include/asm/calling.h 2011-11-15 19:59:42.000000000 -0500
8531 @@ -52,32 +52,32 @@ For 32-bit we have the following convent
8532 * for assembly code:
8533 */
8534
8535 -#define R15 0
8536 -#define R14 8
8537 -#define R13 16
8538 -#define R12 24
8539 -#define RBP 32
8540 -#define RBX 40
8541 +#define R15 (0)
8542 +#define R14 (8)
8543 +#define R13 (16)
8544 +#define R12 (24)
8545 +#define RBP (32)
8546 +#define RBX (40)
8547
8548 /* arguments: interrupts/non tracing syscalls only save up to here: */
8549 -#define R11 48
8550 -#define R10 56
8551 -#define R9 64
8552 -#define R8 72
8553 -#define RAX 80
8554 -#define RCX 88
8555 -#define RDX 96
8556 -#define RSI 104
8557 -#define RDI 112
8558 -#define ORIG_RAX 120 /* + error_code */
8559 +#define R11 (48)
8560 +#define R10 (56)
8561 +#define R9 (64)
8562 +#define R8 (72)
8563 +#define RAX (80)
8564 +#define RCX (88)
8565 +#define RDX (96)
8566 +#define RSI (104)
8567 +#define RDI (112)
8568 +#define ORIG_RAX (120) /* + error_code */
8569 /* end of arguments */
8570
8571 /* cpu exception frame or undefined in case of fast syscall: */
8572 -#define RIP 128
8573 -#define CS 136
8574 -#define EFLAGS 144
8575 -#define RSP 152
8576 -#define SS 160
8577 +#define RIP (128)
8578 +#define CS (136)
8579 +#define EFLAGS (144)
8580 +#define RSP (152)
8581 +#define SS (160)
8582
8583 #define ARGOFFSET R11
8584 #define SWFRAME ORIG_RAX
8585 diff -urNp linux-2.6.32.49/arch/x86/include/asm/checksum_32.h linux-2.6.32.49/arch/x86/include/asm/checksum_32.h
8586 --- linux-2.6.32.49/arch/x86/include/asm/checksum_32.h 2011-11-08 19:02:43.000000000 -0500
8587 +++ linux-2.6.32.49/arch/x86/include/asm/checksum_32.h 2011-11-15 19:59:42.000000000 -0500
8588 @@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene
8589 int len, __wsum sum,
8590 int *src_err_ptr, int *dst_err_ptr);
8591
8592 +asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
8593 + int len, __wsum sum,
8594 + int *src_err_ptr, int *dst_err_ptr);
8595 +
8596 +asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
8597 + int len, __wsum sum,
8598 + int *src_err_ptr, int *dst_err_ptr);
8599 +
8600 /*
8601 * Note: when you get a NULL pointer exception here this means someone
8602 * passed in an incorrect kernel address to one of these functions.
8603 @@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f
8604 int *err_ptr)
8605 {
8606 might_sleep();
8607 - return csum_partial_copy_generic((__force void *)src, dst,
8608 + return csum_partial_copy_generic_from_user((__force void *)src, dst,
8609 len, sum, err_ptr, NULL);
8610 }
8611
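Review bot: `csum_partial_copy_from_user` forwards `src` to the new `csum_partial_copy_generic_from_user` after only `might_sleep()`, without the `access_ok()` check that `csum_and_copy_to_user` performs before calling the `_to_user` variant in the next hunk. If callers are expected to have validated the range, a comment stating that contract belongs here; otherwise a guard such as `if (!access_ok(VERIFY_READ, src, len))` with an error path would make the two directions symmetric. The new prototypes also take plain `const void *` and `void *`, so the `__force` cast still discards the `__user` annotation that the `_from_user`/`_to_user` names now imply. The function's signature begins outside this hunk.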
8612 @@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_us
8613 {
8614 might_sleep();
8615 if (access_ok(VERIFY_WRITE, dst, len))
8616 - return csum_partial_copy_generic(src, (__force void *)dst,
8617 + return csum_partial_copy_generic_to_user(src, (__force void *)dst,
8618 len, sum, NULL, err_ptr);
8619
8620 if (len)
8621 diff -urNp linux-2.6.32.49/arch/x86/include/asm/desc_defs.h linux-2.6.32.49/arch/x86/include/asm/desc_defs.h
8622 --- linux-2.6.32.49/arch/x86/include/asm/desc_defs.h 2011-11-08 19:02:43.000000000 -0500
8623 +++ linux-2.6.32.49/arch/x86/include/asm/desc_defs.h 2011-11-15 19:59:42.000000000 -0500
8624 @@ -31,6 +31,12 @@ struct desc_struct {
8625 unsigned base1: 8, type: 4, s: 1, dpl: 2, p: 1;
8626 unsigned limit: 4, avl: 1, l: 1, d: 1, g: 1, base2: 8;
8627 };
8628 + struct {
8629 + u16 offset_low;
8630 + u16 seg;
8631 + unsigned reserved: 8, type: 4, s: 1, dpl: 2, p: 1;
8632 + unsigned offset_high: 16;
8633 + } gate;
8634 };
8635 } __attribute__((packed));
8636
8637 diff -urNp linux-2.6.32.49/arch/x86/include/asm/desc.h linux-2.6.32.49/arch/x86/include/asm/desc.h
8638 --- linux-2.6.32.49/arch/x86/include/asm/desc.h 2011-11-08 19:02:43.000000000 -0500
8639 +++ linux-2.6.32.49/arch/x86/include/asm/desc.h 2011-11-15 19:59:42.000000000 -0500
8640 @@ -4,6 +4,7 @@
8641 #include <asm/desc_defs.h>
8642 #include <asm/ldt.h>
8643 #include <asm/mmu.h>
8644 +#include <asm/pgtable.h>
8645 #include <linux/smp.h>
8646
8647 static inline void fill_ldt(struct desc_struct *desc,
8648 @@ -15,6 +16,7 @@ static inline void fill_ldt(struct desc_
8649 desc->base1 = (info->base_addr & 0x00ff0000) >> 16;
8650 desc->type = (info->read_exec_only ^ 1) << 1;
8651 desc->type |= info->contents << 2;
8652 + desc->type |= info->seg_not_present ^ 1;
8653 desc->s = 1;
8654 desc->dpl = 0x3;
8655 desc->p = info->seg_not_present ^ 1;
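Review bot: The added `desc->type |= info->seg_not_present ^ 1;` sets bit 0 of the descriptor type, the accessed bit, for every present segment, and nothing in the hunk explains why. Presumably this keeps the CPU from having to write the accessed bit into a descriptor table that may be write-protected. If so, say it in a comment such as `/* pre-set the accessed bit so loading the segment never writes to the descriptor table */`. `fill_ldt` starts and ends outside this hunk.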
8656 @@ -31,16 +33,12 @@ static inline void fill_ldt(struct desc_
8657 }
8658
8659 extern struct desc_ptr idt_descr;
8660 -extern gate_desc idt_table[];
8661 -
8662 -struct gdt_page {
8663 - struct desc_struct gdt[GDT_ENTRIES];
8664 -} __attribute__((aligned(PAGE_SIZE)));
8665 -DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
8666 +extern gate_desc idt_table[256];
8667
8668 +extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
8669 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
8670 {
8671 - return per_cpu(gdt_page, cpu).gdt;
8672 + return cpu_gdt_table[cpu];
8673 }
8674
8675 #ifdef CONFIG_X86_64
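Review bot: `cpu_gdt_table` is declared with `PAGE_SIZE / sizeof(struct desc_struct)` descriptors per CPU and `idt_table` with a bare `256`, and neither dimension is explained. A comment should record that each CPU's GDT now occupies a whole page (presumably so it can be protected page by page), an intent the removed `struct gdt_page` expressed through its alignment attribute. `get_cpu_gdt_table()` now indexes the array directly, so a `cpu` value at or above `NR_CPUS` would read past the table; the previous `per_cpu()` form had no range check either, but the contract is worth stating in the same comment.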
8676 @@ -65,9 +63,14 @@ static inline void pack_gate(gate_desc *
8677 unsigned long base, unsigned dpl, unsigned flags,
8678 unsigned short seg)
8679 {
8680 - gate->a = (seg << 16) | (base & 0xffff);
8681 - gate->b = (base & 0xffff0000) |
8682 - (((0x80 | type | (dpl << 5)) & 0xff) << 8);
8683 + gate->gate.offset_low = base;
8684 + gate->gate.seg = seg;
8685 + gate->gate.reserved = 0;
8686 + gate->gate.type = type;
8687 + gate->gate.s = 0;
8688 + gate->gate.dpl = dpl;
8689 + gate->gate.p = 1;
8690 + gate->gate.offset_high = base >> 16;
8691 }
8692
8693 #endif
8694 @@ -115,13 +118,17 @@ static inline void paravirt_free_ldt(str
8695 static inline void native_write_idt_entry(gate_desc *idt, int entry,
8696 const gate_desc *gate)
8697 {
8698 + pax_open_kernel();
8699 memcpy(&idt[entry], gate, sizeof(*gate));
8700 + pax_close_kernel();
8701 }
8702
8703 static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry,
8704 const void *desc)
8705 {
8706 + pax_open_kernel();
8707 memcpy(&ldt[entry], desc, 8);
8708 + pax_close_kernel();
8709 }
8710
8711 static inline void native_write_gdt_entry(struct desc_struct *gdt, int entry,
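Review bot: The pax_open_kernel()/pax_close_kernel() pairs added around the memcpy() in native_write_idt_entry() and native_write_ldt_entry() are undocumented, and the same pattern recurs in the native_write_gdt_entry() and native_load_tls() hunks below. Their definitions are not visible here; presumably they lift and restore kernel write protection, in which case the window should stay as tight as it is now and never grow to cover code that can fail or sleep. A one-line comment at the first use, such as `/* descriptor tables are read-only; open a write window for this store only */`, would make that constraint explicit for later edits.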
8712 @@ -139,7 +146,10 @@ static inline void native_write_gdt_entr
8713 size = sizeof(struct desc_struct);
8714 break;
8715 }
8716 +
8717 + pax_open_kernel();
8718 memcpy(&gdt[entry], desc, size);
8719 + pax_close_kernel();
8720 }
8721
8722 static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
8723 @@ -211,7 +221,9 @@ static inline void native_set_ldt(const
8724
8725 static inline void native_load_tr_desc(void)
8726 {
8727 + pax_open_kernel();
8728 asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
8729 + pax_close_kernel();
8730 }
8731
8732 static inline void native_load_gdt(const struct desc_ptr *dtr)
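Review bot: Wrapping `ltr` in pax_open_kernel()/pax_close_kernel() in native_load_tr_desc() looks odd without a comment, because the instruction is not an obvious memory write. `ltr` marks the TSS descriptor busy in the GDT, so it would fault if that GDT page were read-only at the time. I would record that with `/* ltr sets the busy bit in the GDT's TSS descriptor, so the GDT must be writable here */`.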
8733 @@ -246,8 +258,10 @@ static inline void native_load_tls(struc
8734 unsigned int i;
8735 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
8736
8737 + pax_open_kernel();
8738 for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
8739 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
8740 + pax_close_kernel();
8741 }
8742
8743 #define _LDT_empty(info) \
8744 @@ -309,7 +323,7 @@ static inline void set_desc_limit(struct
8745 desc->limit = (limit >> 16) & 0xf;
8746 }
8747
8748 -static inline void _set_gate(int gate, unsigned type, void *addr,
8749 +static inline void _set_gate(int gate, unsigned type, const void *addr,
8750 unsigned dpl, unsigned ist, unsigned seg)
8751 {
8752 gate_desc s;
8753 @@ -327,7 +341,7 @@ static inline void _set_gate(int gate, u
8754 * Pentium F0 0F bugfix can have resulted in the mapped
8755 * IDT being write-protected.
8756 */
8757 -static inline void set_intr_gate(unsigned int n, void *addr)
8758 +static inline void set_intr_gate(unsigned int n, const void *addr)
8759 {
8760 BUG_ON((unsigned)n > 0xFF);
8761 _set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS);
8762 @@ -356,19 +370,19 @@ static inline void alloc_intr_gate(unsig
8763 /*
8764 * This routine sets up an interrupt gate at directory privilege level 3.
8765 */
8766 -static inline void set_system_intr_gate(unsigned int n, void *addr)
8767 +static inline void set_system_intr_gate(unsigned int n, const void *addr)
8768 {
8769 BUG_ON((unsigned)n > 0xFF);
8770 _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS);
8771 }
8772
8773 -static inline void set_system_trap_gate(unsigned int n, void *addr)
8774 +static inline void set_system_trap_gate(unsigned int n, const void *addr)
8775 {
8776 BUG_ON((unsigned)n > 0xFF);
8777 _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS);
8778 }
8779
8780 -static inline void set_trap_gate(unsigned int n, void *addr)
8781 +static inline void set_trap_gate(unsigned int n, const void *addr)
8782 {
8783 BUG_ON((unsigned)n > 0xFF);
8784 _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
8785 @@ -377,19 +391,31 @@ static inline void set_trap_gate(unsigne
8786 static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
8787 {
8788 BUG_ON((unsigned)n > 0xFF);
8789 - _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3));
8790 + _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3));
8791 }
8792
8793 -static inline void set_intr_gate_ist(int n, void *addr, unsigned ist)
8794 +static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist)
8795 {
8796 BUG_ON((unsigned)n > 0xFF);
8797 _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS);
8798 }
8799
8800 -static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
8801 +static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist)
8802 {
8803 BUG_ON((unsigned)n > 0xFF);
8804 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
8805 }
8806
8807 +#ifdef CONFIG_X86_32
8808 +static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
8809 +{
8810 + struct desc_struct d;
8811 +
8812 + if (likely(limit))
8813 + limit = (limit - 1UL) >> PAGE_SHIFT;
8814 + pack_descriptor(&d, base, limit, 0xFB, 0xC);
8815 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
8816 +}
8817 +#endif
8818 +
8819 #endif /* _ASM_X86_DESC_H */
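Review bot: set_user_cs() passes the bare constants `0xFB` and `0xC` to pack_descriptor() and does not say what `limit == 0` means. Going by the x86 descriptor layout, 0xFB is a present, DPL 3, readable, accessed code segment and 0xC selects 4 KiB granularity with a 32-bit default size; a comment stating this would save the next reader a trip to the manual. With page granularity a limit field of 0 still describes a 4 KiB segment rather than an empty one, so the `likely(limit)` branch deserves a line such as `/* limit 0: only the first page stays reachable through user CS */`, assuming that is the intended meaning. A short header comment should also state that `limit` is taken in bytes and converted to pages here.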
8820 diff -urNp linux-2.6.32.49/arch/x86/include/asm/device.h linux-2.6.32.49/arch/x86/include/asm/device.h
8821 --- linux-2.6.32.49/arch/x86/include/asm/device.h 2011-11-08 19:02:43.000000000 -0500
8822 +++ linux-2.6.32.49/arch/x86/include/asm/device.h 2011-11-15 19:59:42.000000000 -0500
8823 @@ -6,7 +6,7 @@ struct dev_archdata {
8824 void *acpi_handle;
8825 #endif
8826 #ifdef CONFIG_X86_64
8827 -struct dma_map_ops *dma_ops;
8828 + const struct dma_map_ops *dma_ops;
8829 #endif
8830 #ifdef CONFIG_DMAR
8831 void *iommu; /* hook for IOMMU specific extension */
8832 diff -urNp linux-2.6.32.49/arch/x86/include/asm/dma-mapping.h linux-2.6.32.49/arch/x86/include/asm/dma-mapping.h
8833 --- linux-2.6.32.49/arch/x86/include/asm/dma-mapping.h 2011-11-08 19:02:43.000000000 -0500
8834 +++ linux-2.6.32.49/arch/x86/include/asm/dma-mapping.h 2011-11-15 19:59:42.000000000 -0500
8835 @@ -25,9 +25,9 @@ extern int iommu_merge;
8836 extern struct device x86_dma_fallback_dev;
8837 extern int panic_on_overflow;
8838
8839 -extern struct dma_map_ops *dma_ops;
8840 +extern const struct dma_map_ops *dma_ops;
8841
8842 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
8843 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
8844 {
8845 #ifdef CONFIG_X86_32
8846 return dma_ops;
8847 @@ -44,7 +44,7 @@ static inline struct dma_map_ops *get_dm
8848 /* Make sure we keep the same behaviour */
8849 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
8850 {
8851 - struct dma_map_ops *ops = get_dma_ops(dev);
8852 + const struct dma_map_ops *ops = get_dma_ops(dev);
8853 if (ops->mapping_error)
8854 return ops->mapping_error(dev, dma_addr);
8855
8856 @@ -122,7 +122,7 @@ static inline void *
8857 dma_alloc_coherent(struct device *dev, size_t size, dma_addr_t *dma_handle,
8858 gfp_t gfp)
8859 {
8860 - struct dma_map_ops *ops = get_dma_ops(dev);
8861 + const struct dma_map_ops *ops = get_dma_ops(dev);
8862 void *memory;
8863
8864 gfp &= ~(__GFP_DMA | __GFP_HIGHMEM | __GFP_DMA32);
8865 @@ -149,7 +149,7 @@ dma_alloc_coherent(struct device *dev, s
8866 static inline void dma_free_coherent(struct device *dev, size_t size,
8867 void *vaddr, dma_addr_t bus)
8868 {
8869 - struct dma_map_ops *ops = get_dma_ops(dev);
8870 + const struct dma_map_ops *ops = get_dma_ops(dev);
8871
8872 WARN_ON(irqs_disabled()); /* for portability */
8873
8874 diff -urNp linux-2.6.32.49/arch/x86/include/asm/e820.h linux-2.6.32.49/arch/x86/include/asm/e820.h
8875 --- linux-2.6.32.49/arch/x86/include/asm/e820.h 2011-11-08 19:02:43.000000000 -0500
8876 +++ linux-2.6.32.49/arch/x86/include/asm/e820.h 2011-11-15 19:59:42.000000000 -0500
8877 @@ -133,7 +133,7 @@ extern char *default_machine_specific_me
8878 #define ISA_END_ADDRESS 0x100000
8879 #define is_ISA_range(s, e) ((s) >= ISA_START_ADDRESS && (e) < ISA_END_ADDRESS)
8880
8881 -#define BIOS_BEGIN 0x000a0000
8882 +#define BIOS_BEGIN 0x000c0000
8883 #define BIOS_END 0x00100000
8884
8885 #ifdef __KERNEL__
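Review bot: Moving `BIOS_BEGIN` from 0x000a0000 to 0x000c0000 takes the 0xA0000-0xBFFFF window out of the range this macro describes, and the hunk carries no comment explaining why. Every user of BIOS_BEGIN lies outside this hunk, so the effect cannot be judged from here. If the aim is to narrow what is treated as BIOS/ROM area, a comment such as `/* starts at the option-ROM area; the legacy video window below is deliberately excluded */` would document it. ISA_START_ADDRESS, defined above the hunk, is untouched, so it is worth confirming that the two ranges are still meant to differ.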
8886 diff -urNp linux-2.6.32.49/arch/x86/include/asm/elf.h linux-2.6.32.49/arch/x86/include/asm/elf.h
8887 --- linux-2.6.32.49/arch/x86/include/asm/elf.h 2011-11-08 19:02:43.000000000 -0500
8888 +++ linux-2.6.32.49/arch/x86/include/asm/elf.h 2011-11-15 19:59:42.000000000 -0500
8889 @@ -257,7 +257,25 @@ extern int force_personality32;
8890 the loader. We need to make sure that it is out of the way of the program
8891 that it will "exec", and that there is sufficient room for the brk. */
8892
8893 +#ifdef CONFIG_PAX_SEGMEXEC
8894 +#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
8895 +#else
8896 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
8897 +#endif
8898 +
8899 +#ifdef CONFIG_PAX_ASLR
8900 +#ifdef CONFIG_X86_32
8901 +#define PAX_ELF_ET_DYN_BASE 0x10000000UL
8902 +
8903 +#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
8904 +#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
8905 +#else
8906 +#define PAX_ELF_ET_DYN_BASE 0x400000UL
8907 +
8908 +#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
8909 +#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
8910 +#endif
8911 +#endif
8912
8913 /* This yields a mask that user programs can use to figure out what
8914 instruction set this CPU supports. This could be done in user space,
8915 @@ -310,9 +328,7 @@ do { \
8916
8917 #define ARCH_DLINFO \
8918 do { \
8919 - if (vdso_enabled) \
8920 - NEW_AUX_ENT(AT_SYSINFO_EHDR, \
8921 - (unsigned long)current->mm->context.vdso); \
8922 + NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso); \
8923 } while (0)
8924
8925 #define AT_SYSINFO 32
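Review bot: Dropping the `if (vdso_enabled)` guard makes ARCH_DLINFO emit AT_SYSINFO_EHDR for every process, including ones for which no vDSO was mapped. In that case `current->mm->context.vdso` is presumably 0, so userspace now receives an auxv entry with a null address where it previously received none. If that is intended, say so above the macro, e.g. `/* always emitted; the value is 0 when no vDSO is mapped */`; otherwise keep a guard on the value itself, `if (current->mm->context.vdso)`.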
8926 @@ -323,7 +339,7 @@ do { \
8927
8928 #endif /* !CONFIG_X86_32 */
8929
8930 -#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
8931 +#define VDSO_CURRENT_BASE (current->mm->context.vdso)
8932
8933 #define VDSO_ENTRY \
8934 ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
8935 @@ -337,7 +353,4 @@ extern int arch_setup_additional_pages(s
8936 extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
8937 #define compat_arch_setup_additional_pages syscall32_setup_pages
8938
8939 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
8940 -#define arch_randomize_brk arch_randomize_brk
8941 -
8942 #endif /* _ASM_X86_ELF_H */
8943 diff -urNp linux-2.6.32.49/arch/x86/include/asm/emergency-restart.h linux-2.6.32.49/arch/x86/include/asm/emergency-restart.h
8944 --- linux-2.6.32.49/arch/x86/include/asm/emergency-restart.h 2011-11-08 19:02:43.000000000 -0500
8945 +++ linux-2.6.32.49/arch/x86/include/asm/emergency-restart.h 2011-11-15 19:59:42.000000000 -0500
8946 @@ -15,6 +15,6 @@ enum reboot_type {
8947
8948 extern enum reboot_type reboot_type;
8949
8950 -extern void machine_emergency_restart(void);
8951 +extern void machine_emergency_restart(void) __noreturn;
8952
8953 #endif /* _ASM_X86_EMERGENCY_RESTART_H */
8954 diff -urNp linux-2.6.32.49/arch/x86/include/asm/futex.h linux-2.6.32.49/arch/x86/include/asm/futex.h
8955 --- linux-2.6.32.49/arch/x86/include/asm/futex.h 2011-11-08 19:02:43.000000000 -0500
8956 +++ linux-2.6.32.49/arch/x86/include/asm/futex.h 2011-11-15 19:59:42.000000000 -0500
8957 @@ -12,16 +12,18 @@
8958 #include <asm/system.h>
8959
8960 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
8961 + typecheck(u32 __user *, uaddr); \
8962 asm volatile("1:\t" insn "\n" \
8963 "2:\t.section .fixup,\"ax\"\n" \
8964 "3:\tmov\t%3, %1\n" \
8965 "\tjmp\t2b\n" \
8966 "\t.previous\n" \
8967 _ASM_EXTABLE(1b, 3b) \
8968 - : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
8969 + : "=r" (oldval), "=r" (ret), "+m" (*(u32 __user *)____m(uaddr))\
8970 : "i" (-EFAULT), "0" (oparg), "1" (0))
8971
8972 #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
8973 + typecheck(u32 __user *, uaddr); \
8974 asm volatile("1:\tmovl %2, %0\n" \
8975 "\tmovl\t%0, %3\n" \
8976 "\t" insn "\n" \
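Review bot: Prepending `typecheck(u32 __user *, uaddr);` turns __futex_atomic_op1() and __futex_atomic_op2() into two-statement macros, so an invocation used as the body of an unbraced `if` or `else` would make only the typecheck conditional. The callers visible further down use them as statements under `case` labels, where this is harmless, but the usual guard is cheap: wrap each body as `do { typecheck(u32 __user *, uaddr); asm volatile(...); } while (0)`. The body of __futex_atomic_op2() continues past the end of this hunk.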
8977 @@ -34,10 +36,10 @@
8978 _ASM_EXTABLE(1b, 4b) \
8979 _ASM_EXTABLE(2b, 4b) \
8980 : "=&a" (oldval), "=&r" (ret), \
8981 - "+m" (*uaddr), "=&r" (tem) \
8982 + "+m" (*(u32 __user *)____m(uaddr)), "=&r" (tem) \
8983 : "r" (oparg), "i" (-EFAULT), "1" (0))
8984
8985 -static inline int futex_atomic_op_inuser(int encoded_op, int __user *uaddr)
8986 +static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
8987 {
8988 int op = (encoded_op >> 28) & 7;
8989 int cmp = (encoded_op >> 24) & 15;
8990 @@ -61,10 +63,10 @@ static inline int futex_atomic_op_inuser
8991
8992 switch (op) {
8993 case FUTEX_OP_SET:
8994 - __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
8995 + __futex_atomic_op1(__copyuser_seg"xchgl %0, %2", ret, oldval, uaddr, oparg);
8996 break;
8997 case FUTEX_OP_ADD:
8998 - __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
8999 + __futex_atomic_op1(LOCK_PREFIX __copyuser_seg"xaddl %0, %2", ret, oldval,
9000 uaddr, oparg);
9001 break;
9002 case FUTEX_OP_OR:
9003 @@ -109,7 +111,7 @@ static inline int futex_atomic_op_inuser
9004 return ret;
9005 }
9006
9007 -static inline int futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval,
9008 +static inline int futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval,
9009 int newval)
9010 {
9011
9012 @@ -119,16 +121,16 @@ static inline int futex_atomic_cmpxchg_i
9013 return -ENOSYS;
9014 #endif
9015
9016 - if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
9017 + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
9018 return -EFAULT;
9019
9020 - asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
9021 + asm volatile("1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %3, %1\n"
9022 "2:\t.section .fixup, \"ax\"\n"
9023 "3:\tmov %2, %0\n"
9024 "\tjmp 2b\n"
9025 "\t.previous\n"
9026 _ASM_EXTABLE(1b, 3b)
9027 - : "=a" (oldval), "+m" (*uaddr)
9028 + : "=a" (oldval), "+m" (*(u32 *)____m(uaddr))
9029 : "i" (-EFAULT), "r" (newval), "0" (oldval)
9030 : "memory"
9031 );
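Review bot: The memory operand added here is cast as `*(u32 *)____m(uaddr)`, which drops the `__user` address-space annotation that the two macros at the top of this file keep. The generated code is the same, but sparse loses track of the user pointer at exactly the instruction that dereferences it. I would write `: "=a" (oldval), "+m" (*(u32 __user *)____m(uaddr))` to match. futex_atomic_cmpxchg_inatomic() begins above this hunk and its tail lies outside it.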
9032 diff -urNp linux-2.6.32.49/arch/x86/include/asm/hw_irq.h linux-2.6.32.49/arch/x86/include/asm/hw_irq.h
9033 --- linux-2.6.32.49/arch/x86/include/asm/hw_irq.h 2011-11-08 19:02:43.000000000 -0500
9034 +++ linux-2.6.32.49/arch/x86/include/asm/hw_irq.h 2011-11-15 19:59:42.000000000 -0500
9035 @@ -92,8 +92,8 @@ extern void setup_ioapic_dest(void);
9036 extern void enable_IO_APIC(void);
9037
9038 /* Statistics */
9039 -extern atomic_t irq_err_count;
9040 -extern atomic_t irq_mis_count;
9041 +extern atomic_unchecked_t irq_err_count;
9042 +extern atomic_unchecked_t irq_mis_count;
9043
9044 /* EISA */
9045 extern void eisa_set_level_irq(unsigned int irq);
9046 diff -urNp linux-2.6.32.49/arch/x86/include/asm/i387.h linux-2.6.32.49/arch/x86/include/asm/i387.h
9047 --- linux-2.6.32.49/arch/x86/include/asm/i387.h 2011-11-08 19:02:43.000000000 -0500
9048 +++ linux-2.6.32.49/arch/x86/include/asm/i387.h 2011-11-15 19:59:42.000000000 -0500
9049 @@ -60,6 +60,11 @@ static inline int fxrstor_checking(struc
9050 {
9051 int err;
9052
9053 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9054 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
9055 + fx = (struct i387_fxsave_struct *)((void *)fx + PAX_USER_SHADOW_BASE);
9056 +#endif
9057 +
9058 asm volatile("1: rex64/fxrstor (%[fx])\n\t"
9059 "2:\n"
9060 ".section .fixup,\"ax\"\n"
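Review bot: The CONFIG_PAX_MEMORY_UDEREF block added to fxrstor_checking() rebases `fx` by PAX_USER_SHADOW_BASE without a comment, and a near-identical block is added to fxsave_user() in the next hunk. Nothing visible states why an address below PAX_USER_SHADOW_BASE must be shifted; presumably userland is reachable from the kernel only through a shadow mapping at that offset, and a line such as `/* UDEREF: userland is only visible through the shadow mapping */` would say so. The cast here omits `__user` while the fxsave_user() copy keeps it; the parameter type is outside the hunk, so that may be deliberate, but it is worth checking. A small static inline helper shared by both functions would keep the two copies from drifting apart.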
9061 @@ -105,6 +110,11 @@ static inline int fxsave_user(struct i38
9062 {
9063 int err;
9064
9065 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9066 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
9067 + fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);
9068 +#endif
9069 +
9070 asm volatile("1: rex64/fxsave (%[fx])\n\t"
9071 "2:\n"
9072 ".section .fixup,\"ax\"\n"
9073 @@ -195,13 +205,8 @@ static inline int fxrstor_checking(struc
9074 }
9075
9076 /* We need a safe address that is cheap to find and that is already
9077 - in L1 during context switch. The best choices are unfortunately
9078 - different for UP and SMP */
9079 -#ifdef CONFIG_SMP
9080 -#define safe_address (__per_cpu_offset[0])
9081 -#else
9082 -#define safe_address (kstat_cpu(0).cpustat.user)
9083 -#endif
9084 + in L1 during context switch. */
9085 +#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0)
9086
9087 /*
9088 * These must be called with preempt disabled
9089 @@ -291,7 +296,7 @@ static inline void kernel_fpu_begin(void
9090 struct thread_info *me = current_thread_info();
9091 preempt_disable();
9092 if (me->status & TS_USEDFPU)
9093 - __save_init_fpu(me->task);
9094 + __save_init_fpu(current);
9095 else
9096 clts();
9097 }
9098 diff -urNp linux-2.6.32.49/arch/x86/include/asm/io_32.h linux-2.6.32.49/arch/x86/include/asm/io_32.h
9099 --- linux-2.6.32.49/arch/x86/include/asm/io_32.h 2011-11-08 19:02:43.000000000 -0500
9100 +++ linux-2.6.32.49/arch/x86/include/asm/io_32.h 2011-11-15 19:59:42.000000000 -0500
9101 @@ -3,6 +3,7 @@
9102
9103 #include <linux/string.h>
9104 #include <linux/compiler.h>
9105 +#include <asm/processor.h>
9106
9107 /*
9108 * This file contains the definitions for the x86 IO instructions
9109 @@ -42,6 +43,17 @@
9110
9111 #ifdef __KERNEL__
9112
9113 +#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
9114 +static inline int valid_phys_addr_range(unsigned long addr, size_t count)
9115 +{
9116 + return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
9117 +}
9118 +
9119 +static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
9120 +{
9121 + return (pfn + (count >> PAGE_SHIFT)) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
9122 +}
9123 +
9124 #include <asm-generic/iomap.h>
9125
9126 #include <linux/vmalloc.h>
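Review bot: The sum `addr + count + PAGE_SIZE - 1` in valid_phys_addr_range() is evaluated in `unsigned long` and can wrap, so a range whose last byte lies past the top of the address space yields a small page number and passes the check. The `pfn + (count >> PAGE_SHIFT)` in valid_mmap_phys_addr_range() has the same weakness, and both functions are repeated verbatim in the io_64.h hunk. An explicit guard before each return closes it: `if (count && addr + count - 1 < addr) return 0;` and `if (pfn + (count >> PAGE_SHIFT) < pfn) return 0;`. Note also that `count >> PAGE_SHIFT` rounds down while the first function rounds up, so a trailing partial page is not counted in the pfn variant; a comment should say whether that is intended.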
9127 diff -urNp linux-2.6.32.49/arch/x86/include/asm/io_64.h linux-2.6.32.49/arch/x86/include/asm/io_64.h
9128 --- linux-2.6.32.49/arch/x86/include/asm/io_64.h 2011-11-08 19:02:43.000000000 -0500
9129 +++ linux-2.6.32.49/arch/x86/include/asm/io_64.h 2011-11-15 19:59:42.000000000 -0500
9130 @@ -140,6 +140,17 @@ __OUTS(l)
9131
9132 #include <linux/vmalloc.h>
9133
9134 +#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
9135 +static inline int valid_phys_addr_range(unsigned long addr, size_t count)
9136 +{
9137 + return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
9138 +}
9139 +
9140 +static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
9141 +{
9142 + return (pfn + (count >> PAGE_SHIFT)) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
9143 +}
9144 +
9145 #include <asm-generic/iomap.h>
9146
9147 void __memcpy_fromio(void *, unsigned long, unsigned);
9148 diff -urNp linux-2.6.32.49/arch/x86/include/asm/iommu.h linux-2.6.32.49/arch/x86/include/asm/iommu.h
9149 --- linux-2.6.32.49/arch/x86/include/asm/iommu.h 2011-11-08 19:02:43.000000000 -0500
9150 +++ linux-2.6.32.49/arch/x86/include/asm/iommu.h 2011-11-15 19:59:42.000000000 -0500
9151 @@ -3,7 +3,7 @@
9152
9153 extern void pci_iommu_shutdown(void);
9154 extern void no_iommu_init(void);
9155 -extern struct dma_map_ops nommu_dma_ops;
9156 +extern const struct dma_map_ops nommu_dma_ops;
9157 extern int force_iommu, no_iommu;
9158 extern int iommu_detected;
9159 extern int iommu_pass_through;
9160 diff -urNp linux-2.6.32.49/arch/x86/include/asm/irqflags.h linux-2.6.32.49/arch/x86/include/asm/irqflags.h
9161 --- linux-2.6.32.49/arch/x86/include/asm/irqflags.h 2011-11-08 19:02:43.000000000 -0500
9162 +++ linux-2.6.32.49/arch/x86/include/asm/irqflags.h 2011-11-15 19:59:42.000000000 -0500
9163 @@ -142,6 +142,11 @@ static inline unsigned long __raw_local_
9164 sti; \
9165 sysexit
9166
9167 +#define GET_CR0_INTO_RDI mov %cr0, %rdi
9168 +#define SET_RDI_INTO_CR0 mov %rdi, %cr0
9169 +#define GET_CR3_INTO_RDI mov %cr3, %rdi
9170 +#define SET_RDI_INTO_CR3 mov %rdi, %cr3
9171 +
9172 #else
9173 #define INTERRUPT_RETURN iret
9174 #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
9175 diff -urNp linux-2.6.32.49/arch/x86/include/asm/kprobes.h linux-2.6.32.49/arch/x86/include/asm/kprobes.h
9176 --- linux-2.6.32.49/arch/x86/include/asm/kprobes.h 2011-11-08 19:02:43.000000000 -0500
9177 +++ linux-2.6.32.49/arch/x86/include/asm/kprobes.h 2011-11-15 19:59:42.000000000 -0500
9178 @@ -34,13 +34,8 @@ typedef u8 kprobe_opcode_t;
9179 #define BREAKPOINT_INSTRUCTION 0xcc
9180 #define RELATIVEJUMP_INSTRUCTION 0xe9
9181 #define MAX_INSN_SIZE 16
9182 -#define MAX_STACK_SIZE 64
9183 -#define MIN_STACK_SIZE(ADDR) \
9184 - (((MAX_STACK_SIZE) < (((unsigned long)current_thread_info()) + \
9185 - THREAD_SIZE - (unsigned long)(ADDR))) \
9186 - ? (MAX_STACK_SIZE) \
9187 - : (((unsigned long)current_thread_info()) + \
9188 - THREAD_SIZE - (unsigned long)(ADDR)))
9189 +#define MAX_STACK_SIZE 64UL
9190 +#define MIN_STACK_SIZE(ADDR) min(MAX_STACK_SIZE, current->thread.sp0 - (unsigned long)(ADDR))
9191
9192 #define flush_insn_slot(p) do { } while (0)
9193
9194 diff -urNp linux-2.6.32.49/arch/x86/include/asm/kvm_host.h linux-2.6.32.49/arch/x86/include/asm/kvm_host.h
9195 --- linux-2.6.32.49/arch/x86/include/asm/kvm_host.h 2011-11-08 19:02:43.000000000 -0500
9196 +++ linux-2.6.32.49/arch/x86/include/asm/kvm_host.h 2011-11-15 19:59:42.000000000 -0500
9197 @@ -534,9 +534,9 @@ struct kvm_x86_ops {
9198 bool (*gb_page_enable)(void);
9199
9200 const struct trace_print_flags *exit_reasons_str;
9201 -};
9202 +} __do_const;
9203
9204 -extern struct kvm_x86_ops *kvm_x86_ops;
9205 +extern const struct kvm_x86_ops *kvm_x86_ops;
9206
9207 int kvm_mmu_module_init(void);
9208 void kvm_mmu_module_exit(void);
9209 diff -urNp linux-2.6.32.49/arch/x86/include/asm/local.h linux-2.6.32.49/arch/x86/include/asm/local.h
9210 --- linux-2.6.32.49/arch/x86/include/asm/local.h 2011-11-08 19:02:43.000000000 -0500
9211 +++ linux-2.6.32.49/arch/x86/include/asm/local.h 2011-11-15 19:59:42.000000000 -0500
9212 @@ -18,26 +18,58 @@ typedef struct {
9213
9214 static inline void local_inc(local_t *l)
9215 {
9216 - asm volatile(_ASM_INC "%0"
9217 + asm volatile(_ASM_INC "%0\n"
9218 +
9219 +#ifdef CONFIG_PAX_REFCOUNT
9220 + "jno 0f\n"
9221 + _ASM_DEC "%0\n"
9222 + "int $4\n0:\n"
9223 + _ASM_EXTABLE(0b, 0b)
9224 +#endif
9225 +
9226 : "+m" (l->a.counter));
9227 }
9228
9229 static inline void local_dec(local_t *l)
9230 {
9231 - asm volatile(_ASM_DEC "%0"
9232 + asm volatile(_ASM_DEC "%0\n"
9233 +
9234 +#ifdef CONFIG_PAX_REFCOUNT
9235 + "jno 0f\n"
9236 + _ASM_INC "%0\n"
9237 + "int $4\n0:\n"
9238 + _ASM_EXTABLE(0b, 0b)
9239 +#endif
9240 +
9241 : "+m" (l->a.counter));
9242 }
9243
9244 static inline void local_add(long i, local_t *l)
9245 {
9246 - asm volatile(_ASM_ADD "%1,%0"
9247 + asm volatile(_ASM_ADD "%1,%0\n"
9248 +
9249 +#ifdef CONFIG_PAX_REFCOUNT
9250 + "jno 0f\n"
9251 + _ASM_SUB "%1,%0\n"
9252 + "int $4\n0:\n"
9253 + _ASM_EXTABLE(0b, 0b)
9254 +#endif
9255 +
9256 : "+m" (l->a.counter)
9257 : "ir" (i));
9258 }
9259
9260 static inline void local_sub(long i, local_t *l)
9261 {
9262 - asm volatile(_ASM_SUB "%1,%0"
9263 + asm volatile(_ASM_SUB "%1,%0\n"
9264 +
9265 +#ifdef CONFIG_PAX_REFCOUNT
9266 + "jno 0f\n"
9267 + _ASM_ADD "%1,%0\n"
9268 + "int $4\n0:\n"
9269 + _ASM_EXTABLE(0b, 0b)
9270 +#endif
9271 +
9272 : "+m" (l->a.counter)
9273 : "ir" (i));
9274 }
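Review bot: The CONFIG_PAX_REFCOUNT sequence added to local_inc(), local_dec(), local_add() and local_sub() is pasted into each function with no comment, and again into the five later hunks of this file; it consists of `jno 0f`, the inverse operation, `int $4`, the `0:` label and an exception-table entry. A short comment at the first use would help, e.g. `/* on signed overflow: undo the update and raise the overflow exception */`; how the `int $4` is handled is outside this hunk. The repeated asm would be easier to audit as one macro parameterised by the undo instruction, so a later fix cannot miss a copy. The check and undo follow the update rather than precede it, so the overflowed value is briefly stored in the counter; the comment should say whether that window matters for local_t users.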
9275 @@ -55,7 +87,16 @@ static inline int local_sub_and_test(lon
9276 {
9277 unsigned char c;
9278
9279 - asm volatile(_ASM_SUB "%2,%0; sete %1"
9280 + asm volatile(_ASM_SUB "%2,%0\n"
9281 +
9282 +#ifdef CONFIG_PAX_REFCOUNT
9283 + "jno 0f\n"
9284 + _ASM_ADD "%2,%0\n"
9285 + "int $4\n0:\n"
9286 + _ASM_EXTABLE(0b, 0b)
9287 +#endif
9288 +
9289 + "sete %1\n"
9290 : "+m" (l->a.counter), "=qm" (c)
9291 : "ir" (i) : "memory");
9292 return c;
9293 @@ -73,7 +114,16 @@ static inline int local_dec_and_test(loc
9294 {
9295 unsigned char c;
9296
9297 - asm volatile(_ASM_DEC "%0; sete %1"
9298 + asm volatile(_ASM_DEC "%0\n"
9299 +
9300 +#ifdef CONFIG_PAX_REFCOUNT
9301 + "jno 0f\n"
9302 + _ASM_INC "%0\n"
9303 + "int $4\n0:\n"
9304 + _ASM_EXTABLE(0b, 0b)
9305 +#endif
9306 +
9307 + "sete %1\n"
9308 : "+m" (l->a.counter), "=qm" (c)
9309 : : "memory");
9310 return c != 0;
9311 @@ -91,7 +141,16 @@ static inline int local_inc_and_test(loc
9312 {
9313 unsigned char c;
9314
9315 - asm volatile(_ASM_INC "%0; sete %1"
9316 + asm volatile(_ASM_INC "%0\n"
9317 +
9318 +#ifdef CONFIG_PAX_REFCOUNT
9319 + "jno 0f\n"
9320 + _ASM_DEC "%0\n"
9321 + "int $4\n0:\n"
9322 + _ASM_EXTABLE(0b, 0b)
9323 +#endif
9324 +
9325 + "sete %1\n"
9326 : "+m" (l->a.counter), "=qm" (c)
9327 : : "memory");
9328 return c != 0;
9329 @@ -110,7 +169,16 @@ static inline int local_add_negative(lon
9330 {
9331 unsigned char c;
9332
9333 - asm volatile(_ASM_ADD "%2,%0; sets %1"
9334 + asm volatile(_ASM_ADD "%2,%0\n"
9335 +
9336 +#ifdef CONFIG_PAX_REFCOUNT
9337 + "jno 0f\n"
9338 + _ASM_SUB "%2,%0\n"
9339 + "int $4\n0:\n"
9340 + _ASM_EXTABLE(0b, 0b)
9341 +#endif
9342 +
9343 + "sets %1\n"
9344 : "+m" (l->a.counter), "=qm" (c)
9345 : "ir" (i) : "memory");
9346 return c;
9347 @@ -133,7 +201,15 @@ static inline long local_add_return(long
9348 #endif
9349 /* Modern 486+ processor */
9350 __i = i;
9351 - asm volatile(_ASM_XADD "%0, %1;"
9352 + asm volatile(_ASM_XADD "%0, %1\n"
9353 +
9354 +#ifdef CONFIG_PAX_REFCOUNT
9355 + "jno 0f\n"
9356 + _ASM_MOV "%0,%1\n"
9357 + "int $4\n0:\n"
9358 + _ASM_EXTABLE(0b, 0b)
9359 +#endif
9360 +
9361 : "+r" (i), "+m" (l->a.counter)
9362 : : "memory");
9363 return i + __i;
9364 diff -urNp linux-2.6.32.49/arch/x86/include/asm/microcode.h linux-2.6.32.49/arch/x86/include/asm/microcode.h
9365 --- linux-2.6.32.49/arch/x86/include/asm/microcode.h 2011-11-08 19:02:43.000000000 -0500
9366 +++ linux-2.6.32.49/arch/x86/include/asm/microcode.h 2011-11-15 19:59:42.000000000 -0500
9367 @@ -12,13 +12,13 @@ struct device;
9368 enum ucode_state { UCODE_ERROR, UCODE_OK, UCODE_NFOUND };
9369
9370 struct microcode_ops {
9371 - enum ucode_state (*request_microcode_user) (int cpu,
9372 + enum ucode_state (* const request_microcode_user) (int cpu,
9373 const void __user *buf, size_t size);
9374
9375 - enum ucode_state (*request_microcode_fw) (int cpu,
9376 + enum ucode_state (* const request_microcode_fw) (int cpu,
9377 struct device *device);
9378
9379 - void (*microcode_fini_cpu) (int cpu);
9380 + void (* const microcode_fini_cpu) (int cpu);
9381
9382 /*
9383 * The generic 'microcode_core' part guarantees that
9384 @@ -38,18 +38,18 @@ struct ucode_cpu_info {
9385 extern struct ucode_cpu_info ucode_cpu_info[];
9386
9387 #ifdef CONFIG_MICROCODE_INTEL
9388 -extern struct microcode_ops * __init init_intel_microcode(void);
9389 +extern const struct microcode_ops * __init init_intel_microcode(void);
9390 #else
9391 -static inline struct microcode_ops * __init init_intel_microcode(void)
9392 +static inline const struct microcode_ops * __init init_intel_microcode(void)
9393 {
9394 return NULL;
9395 }
9396 #endif /* CONFIG_MICROCODE_INTEL */
9397
9398 #ifdef CONFIG_MICROCODE_AMD
9399 -extern struct microcode_ops * __init init_amd_microcode(void);
9400 +extern const struct microcode_ops * __init init_amd_microcode(void);
9401 #else
9402 -static inline struct microcode_ops * __init init_amd_microcode(void)
9403 +static inline const struct microcode_ops * __init init_amd_microcode(void)
9404 {
9405 return NULL;
9406 }
9407 diff -urNp linux-2.6.32.49/arch/x86/include/asm/mman.h linux-2.6.32.49/arch/x86/include/asm/mman.h
9408 --- linux-2.6.32.49/arch/x86/include/asm/mman.h 2011-11-08 19:02:43.000000000 -0500
9409 +++ linux-2.6.32.49/arch/x86/include/asm/mman.h 2011-11-15 19:59:42.000000000 -0500
9410 @@ -5,4 +5,14 @@
9411
9412 #include <asm-generic/mman.h>
9413
9414 +#ifdef __KERNEL__
9415 +#ifndef __ASSEMBLY__
9416 +#ifdef CONFIG_X86_32
9417 +#define arch_mmap_check i386_mmap_check
9418 +int i386_mmap_check(unsigned long addr, unsigned long len,
9419 + unsigned long flags);
9420 +#endif
9421 +#endif
9422 +#endif
9423 +
9424 #endif /* _ASM_X86_MMAN_H */
9425 diff -urNp linux-2.6.32.49/arch/x86/include/asm/mmu_context.h linux-2.6.32.49/arch/x86/include/asm/mmu_context.h
9426 --- linux-2.6.32.49/arch/x86/include/asm/mmu_context.h 2011-11-08 19:02:43.000000000 -0500
9427 +++ linux-2.6.32.49/arch/x86/include/asm/mmu_context.h 2011-11-15 19:59:42.000000000 -0500
9428 @@ -24,6 +24,18 @@ void destroy_context(struct mm_struct *m
9429
9430 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
9431 {
9432 +
9433 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9434 + unsigned int i;
9435 + pgd_t *pgd;
9436 +
9437 + pax_open_kernel();
9438 + pgd = get_cpu_pgd(smp_processor_id());
9439 + for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
9440 + set_pgd_batched(pgd+i, native_make_pgd(0));
9441 + pax_close_kernel();
9442 +#endif
9443 +
9444 #ifdef CONFIG_SMP
9445 if (percpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
9446 percpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
9447 @@ -34,16 +46,30 @@ static inline void switch_mm(struct mm_s
9448 struct task_struct *tsk)
9449 {
9450 unsigned cpu = smp_processor_id();
9451 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)) && defined(CONFIG_SMP)
9452 + int tlbstate = TLBSTATE_OK;
9453 +#endif
9454
9455 if (likely(prev != next)) {
9456 #ifdef CONFIG_SMP
9457 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
9458 + tlbstate = percpu_read(cpu_tlbstate.state);
9459 +#endif
9460 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
9461 percpu_write(cpu_tlbstate.active_mm, next);
9462 #endif
9463 cpumask_set_cpu(cpu, mm_cpumask(next));
9464
9465 /* Re-load page tables */
9466 +#ifdef CONFIG_PAX_PER_CPU_PGD
9467 + pax_open_kernel();
9468 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
9469 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
9470 + pax_close_kernel();
9471 + load_cr3(get_cpu_pgd(cpu));
9472 +#else
9473 load_cr3(next->pgd);
9474 +#endif
9475
9476 /* stop flush ipis for the previous mm */
9477 cpumask_clear_cpu(cpu, mm_cpumask(prev));
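Review bot: The CONFIG_PAX_PER_CPU_PGD sequence added under "Re-load page tables" is repeated verbatim in the `else` branch in the next hunk: pax_open_kernel(), __clone_user_pgds(), __shadow_user_pgds(), pax_close_kernel(), then load_cr3(). Two copies of a page-table update that must stay in step are easy to let diverge, and a static inline helper called from both places keeps them identical. The helper name below is only a suggestion. switch_mm() begins above this hunk and continues past it.

```c
/* Shared by both switch_mm() paths so the per-CPU PGD update cannot diverge. */
static inline void pax_load_cpu_pgd(unsigned int cpu, struct mm_struct *next)
{
	pax_open_kernel();
	__clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
	__shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
	pax_close_kernel();
	load_cr3(get_cpu_pgd(cpu));
}

/* … unchanged: start of switch_mm(), tlbstate bookkeeping … */
		/* Re-load page tables */
#ifdef CONFIG_PAX_PER_CPU_PGD
		pax_load_cpu_pgd(cpu, next);
#else
		load_cr3(next->pgd);
#endif
```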
9478 @@ -53,9 +79,38 @@ static inline void switch_mm(struct mm_s
9479 */
9480 if (unlikely(prev->context.ldt != next->context.ldt))
9481 load_LDT_nolock(&next->context);
9482 - }
9483 +
9484 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
9485 + if (!nx_enabled) {
9486 + smp_mb__before_clear_bit();
9487 + cpu_clear(cpu, prev->context.cpu_user_cs_mask);
9488 + smp_mb__after_clear_bit();
9489 + cpu_set(cpu, next->context.cpu_user_cs_mask);
9490 + }
9491 +#endif
9492 +
9493 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
9494 + if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
9495 + prev->context.user_cs_limit != next->context.user_cs_limit))
9496 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
9497 #ifdef CONFIG_SMP
9498 + else if (unlikely(tlbstate != TLBSTATE_OK))
9499 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
9500 +#endif
9501 +#endif
9502 +
9503 + }
9504 else {
9505 +
9506 +#ifdef CONFIG_PAX_PER_CPU_PGD
9507 + pax_open_kernel();
9508 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
9509 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
9510 + pax_close_kernel();
9511 + load_cr3(get_cpu_pgd(cpu));
9512 +#endif
9513 +
9514 +#ifdef CONFIG_SMP
9515 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
9516 BUG_ON(percpu_read(cpu_tlbstate.active_mm) != next);
9517
9518 @@ -64,11 +119,28 @@ static inline void switch_mm(struct mm_s
9519 * tlb flush IPI delivery. We must reload CR3
9520 * to make sure to use no freed page tables.
9521 */
9522 +
9523 +#ifndef CONFIG_PAX_PER_CPU_PGD
9524 load_cr3(next->pgd);
9525 +#endif
9526 +
9527 load_LDT_nolock(&next->context);
9528 +
9529 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
9530 + if (!nx_enabled)
9531 + cpu_set(cpu, next->context.cpu_user_cs_mask);
9532 +#endif
9533 +
9534 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
9535 +#ifdef CONFIG_PAX_PAGEEXEC
9536 + if (!((next->pax_flags & MF_PAX_PAGEEXEC) && nx_enabled))
9537 +#endif
9538 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
9539 +#endif
9540 +
9541 }
9542 - }
9543 #endif
9544 + }
9545 }
9546
9547 #define activate_mm(prev, next) \
9548 diff -urNp linux-2.6.32.49/arch/x86/include/asm/mmu.h linux-2.6.32.49/arch/x86/include/asm/mmu.h
9549 --- linux-2.6.32.49/arch/x86/include/asm/mmu.h 2011-11-08 19:02:43.000000000 -0500
9550 +++ linux-2.6.32.49/arch/x86/include/asm/mmu.h 2011-11-15 19:59:42.000000000 -0500
9551 @@ -9,10 +9,23 @@
9552 * we put the segment information here.
9553 */
9554 typedef struct {
9555 - void *ldt;
9556 + struct desc_struct *ldt;
9557 int size;
9558 struct mutex lock;
9559 - void *vdso;
9560 + unsigned long vdso;
9561 +
9562 +#ifdef CONFIG_X86_32
9563 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
9564 + unsigned long user_cs_base;
9565 + unsigned long user_cs_limit;
9566 +
9567 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
9568 + cpumask_t cpu_user_cs_mask;
9569 +#endif
9570 +
9571 +#endif
9572 +#endif
9573 +
9574 } mm_context_t;
9575
9576 #ifdef CONFIG_SMP
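Review bot: The three members added to `mm_context_t` have no comments, although the struct's existing header comment describes what is kept here. From the switch_mm() hunks, `user_cs_base` and `user_cs_limit` are the values passed to `set_user_cs()` on a context switch, and `cpu_user_cs_mask` is updated with `cpu_set()`/`cpu_clear()` when `nx_enabled` is false. I would add `/* user code segment base/limit, loaded via set_user_cs() in switch_mm() */` and `/* CPUs that currently have this mm's user CS loaded (no-NX PAGEEXEC only) */`, the second to be confirmed against the code that reads the mask. The `vdso` change from `void *` to `unsigned long` also deserves a word on whether 0 now means "no vDSO".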
9577 diff -urNp linux-2.6.32.49/arch/x86/include/asm/module.h linux-2.6.32.49/arch/x86/include/asm/module.h
9578 --- linux-2.6.32.49/arch/x86/include/asm/module.h 2011-11-08 19:02:43.000000000 -0500
9579 +++ linux-2.6.32.49/arch/x86/include/asm/module.h 2011-11-15 19:59:42.000000000 -0500
9580 @@ -5,6 +5,7 @@
9581
9582 #ifdef CONFIG_X86_64
9583 /* X86_64 does not define MODULE_PROC_FAMILY */
9584 +#define MODULE_PROC_FAMILY ""
9585 #elif defined CONFIG_M386
9586 #define MODULE_PROC_FAMILY "386 "
9587 #elif defined CONFIG_M486
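Review bot: The comment `/* X86_64 does not define MODULE_PROC_FAMILY */` is now followed by a line that defines it, so the two contradict each other. Rewording it to `/* X86_64 has no processor-family tag; define it empty so MODULE_ARCH_VERMAGIC can be composed unconditionally */` matches what the next hunk does with the macro.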
9588 @@ -59,13 +60,24 @@
9589 #error unknown processor family
9590 #endif
9591
9592 -#ifdef CONFIG_X86_32
9593 -# ifdef CONFIG_4KSTACKS
9594 -# define MODULE_STACKSIZE "4KSTACKS "
9595 -# else
9596 -# define MODULE_STACKSIZE ""
9597 -# endif
9598 -# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE
9599 +#if defined(CONFIG_X86_32) && defined(CONFIG_4KSTACKS)
9600 +#define MODULE_STACKSIZE "4KSTACKS "
9601 +#else
9602 +#define MODULE_STACKSIZE ""
9603 +#endif
9604 +
9605 +#ifdef CONFIG_PAX_KERNEXEC
9606 +#define MODULE_PAX_KERNEXEC "KERNEXEC "
9607 +#else
9608 +#define MODULE_PAX_KERNEXEC ""
9609 #endif
9610
9611 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9612 +#define MODULE_PAX_UDEREF "UDEREF "
9613 +#else
9614 +#define MODULE_PAX_UDEREF ""
9615 +#endif
9616 +
9617 +#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF
9618 +
9619 #endif /* _ASM_X86_MODULE_H */
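Review bot: The two new vermagic tags are added without a comment saying why they belong in the version string, unlike `MODULE_STACKSIZE`, whose purpose is obvious from its name. A line such as `/* modules built with a different KERNEXEC/UDEREF setting must not load into this kernel */` above `MODULE_PAX_KERNEXEC` would record the intent; I am presuming that is the reason and it should be confirmed. The block also sets `MODULE_ARCH_VERMAGIC` for 64-bit builds, where it was previously undefined, which could be noted in the same place.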
9620 diff -urNp linux-2.6.32.49/arch/x86/include/asm/page_64_types.h linux-2.6.32.49/arch/x86/include/asm/page_64_types.h
9621 --- linux-2.6.32.49/arch/x86/include/asm/page_64_types.h 2011-11-08 19:02:43.000000000 -0500
9622 +++ linux-2.6.32.49/arch/x86/include/asm/page_64_types.h 2011-11-15 19:59:42.000000000 -0500
9623 @@ -56,7 +56,7 @@ void copy_page(void *to, void *from);
9624
9625 /* duplicated to the one in bootmem.h */
9626 extern unsigned long max_pfn;
9627 -extern unsigned long phys_base;
9628 +extern const unsigned long phys_base;
9629
9630 extern unsigned long __phys_addr(unsigned long);
9631 #define __phys_reloc_hide(x) (x)
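Review bot: Adding `const` to the `phys_base` declaration only constrains C code that includes this header; it does not by itself move the object into read-only storage or stop assembly from writing it. The definition is outside this hunk, so it is worth confirming that it is declared `const` too (a mismatch between declaration and definition is not diagnosed across translation units) and that any early-boot relocation fix-up happens before the section is write-protected. A short comment, `/* written once by early boot code, read-only afterwards */`, would document the assumption if it holds.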
9632 diff -urNp linux-2.6.32.49/arch/x86/include/asm/paravirt.h linux-2.6.32.49/arch/x86/include/asm/paravirt.h
9633 --- linux-2.6.32.49/arch/x86/include/asm/paravirt.h 2011-11-08 19:02:43.000000000 -0500
9634 +++ linux-2.6.32.49/arch/x86/include/asm/paravirt.h 2011-11-15 19:59:42.000000000 -0500
9635 @@ -648,6 +648,18 @@ static inline void set_pgd(pgd_t *pgdp,
9636 val);
9637 }
9638
9639 +static inline void set_pgd_batched(pgd_t *pgdp, pgd_t pgd)
9640 +{
9641 + pgdval_t val = native_pgd_val(pgd);
9642 +
9643 + if (sizeof(pgdval_t) > sizeof(long))
9644 + PVOP_VCALL3(pv_mmu_ops.set_pgd_batched, pgdp,
9645 + val, (u64)val >> 32);
9646 + else
9647 + PVOP_VCALL2(pv_mmu_ops.set_pgd_batched, pgdp,
9648 + val);
9649 +}
9650 +
9651 static inline void pgd_clear(pgd_t *pgdp)
9652 {
9653 set_pgd(pgdp, __pgd(0));
9654 @@ -729,6 +741,21 @@ static inline void __set_fixmap(unsigned
9655 pv_mmu_ops.set_fixmap(idx, phys, flags);
9656 }
9657
9658 +#ifdef CONFIG_PAX_KERNEXEC
9659 +static inline unsigned long pax_open_kernel(void)
9660 +{
9661 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel);
9662 +}
9663 +
9664 +static inline unsigned long pax_close_kernel(void)
9665 +{
9666 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel);
9667 +}
9668 +#else
9669 +static inline unsigned long pax_open_kernel(void) { return 0; }
9670 +static inline unsigned long pax_close_kernel(void) { return 0; }
9671 +#endif
9672 +
9673 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
9674
9675 static inline int __raw_spin_is_locked(struct raw_spinlock *lock)
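Review bot: `pax_open_kernel()` and `pax_close_kernel()` return `unsigned long`, but nothing here says what the value is, and every caller visible in this part of the patch discards it. The native versions added in pgtable.h return the CR0 value as it was read on entry, while the stubs in the `#else` branch return 0, so the two configurations disagree on what a caller would see. Either document it (`/* returns CR0 as read on entry; 0 when KERNEXEC is off */`) or make the functions `void` if no caller uses the result.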
9676 @@ -945,7 +972,7 @@ extern void default_banner(void);
9677
9678 #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
9679 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
9680 -#define PARA_INDIRECT(addr) *%cs:addr
9681 +#define PARA_INDIRECT(addr) *%ss:addr
9682 #endif
9683
9684 #define INTERRUPT_RETURN \
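Review bot: The segment override in `PARA_INDIRECT` changes from `%cs` to `%ss` with no comment, and this is the kind of one-token change that gets reverted by someone tidying up. The reason is not visible in the hunk; presumably the kernel code segment no longer covers the pv ops tables under this patch's segmentation changes. A comment stating the actual reason, for example `/* ops tables are reached through a data segment; %cs may not cover them (confirm) */`, should sit next to the define.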
9685 @@ -1022,6 +1049,21 @@ extern void default_banner(void);
9686 PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), \
9687 CLBR_NONE, \
9688 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
9689 +
9690 +#define GET_CR0_INTO_RDI \
9691 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
9692 + mov %rax,%rdi
9693 +
9694 +#define SET_RDI_INTO_CR0 \
9695 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
9696 +
9697 +#define GET_CR3_INTO_RDI \
9698 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \
9699 + mov %rax,%rdi
9700 +
9701 +#define SET_RDI_INTO_CR3 \
9702 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3)
9703 +
9704 #endif /* CONFIG_X86_32 */
9705
9706 #endif /* __ASSEMBLY__ */
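Review bot: The four new CR0/CR3 macros emit a bare `call PARA_INDIRECT(...)`, whereas the macro just above wraps its instruction in `PARA_SITE(PARA_PATCH(...), CLBR_NONE, ...)`. As far as the hunk shows, these calls are therefore not recorded as paravirt patch sites and declare no clobber set, while each one overwrites `%rax` and `%rdi` and leaves the callee free to clobber the other caller-saved registers. If that is deliberate, say so: `/* not a patch site; clobbers %rax, %rdi and all caller-saved registers */`. Otherwise wrap them in `PARA_SITE` like their neighbours.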
9707 diff -urNp linux-2.6.32.49/arch/x86/include/asm/paravirt_types.h linux-2.6.32.49/arch/x86/include/asm/paravirt_types.h
9708 --- linux-2.6.32.49/arch/x86/include/asm/paravirt_types.h 2011-11-08 19:02:43.000000000 -0500
9709 +++ linux-2.6.32.49/arch/x86/include/asm/paravirt_types.h 2011-11-15 19:59:42.000000000 -0500
9710 @@ -78,19 +78,19 @@ struct pv_init_ops {
9711 */
9712 unsigned (*patch)(u8 type, u16 clobber, void *insnbuf,
9713 unsigned long addr, unsigned len);
9714 -};
9715 +} __no_const;
9716
9717
9718 struct pv_lazy_ops {
9719 /* Set deferred update mode, used for batching operations. */
9720 void (*enter)(void);
9721 void (*leave)(void);
9722 -};
9723 +} __no_const;
9724
9725 struct pv_time_ops {
9726 unsigned long long (*sched_clock)(void);
9727 unsigned long (*get_tsc_khz)(void);
9728 -};
9729 +} __no_const;
9730
9731 struct pv_cpu_ops {
9732 /* hooks for various privileged instructions */
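Review bot: `__no_const` is attached to `pv_init_ops`, `pv_lazy_ops` and `pv_time_ops` here, and to `pv_cpu_ops`, `pv_apic_ops` and `pv_lock_ops` in the following hunks, without any explanation of why these tables must stay writable. The attribute's definition is not in this part of the patch; presumably it exempts a function-pointer struct from being made const. Since each exemption leaves a table of kernel function pointers writable at run time, each deserves a one-line justification, e.g. `/* patched at boot by the hypervisor backend, cannot be const */` where that is the reason. `pv_irq_ops` and `pv_mmu_ops` are closed with a plain `};` in the lines shown, which may be intentional but is worth confirming.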
9733 @@ -186,7 +186,7 @@ struct pv_cpu_ops {
9734
9735 void (*start_context_switch)(struct task_struct *prev);
9736 void (*end_context_switch)(struct task_struct *next);
9737 -};
9738 +} __no_const;
9739
9740 struct pv_irq_ops {
9741 /*
9742 @@ -217,7 +217,7 @@ struct pv_apic_ops {
9743 unsigned long start_eip,
9744 unsigned long start_esp);
9745 #endif
9746 -};
9747 +} __no_const;
9748
9749 struct pv_mmu_ops {
9750 unsigned long (*read_cr2)(void);
9751 @@ -301,6 +301,7 @@ struct pv_mmu_ops {
9752 struct paravirt_callee_save make_pud;
9753
9754 void (*set_pgd)(pgd_t *pudp, pgd_t pgdval);
9755 + void (*set_pgd_batched)(pgd_t *pudp, pgd_t pgdval);
9756 #endif /* PAGETABLE_LEVELS == 4 */
9757 #endif /* PAGETABLE_LEVELS >= 3 */
9758
9759 @@ -316,6 +317,12 @@ struct pv_mmu_ops {
9760 an mfn. We can tell which is which from the index. */
9761 void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
9762 phys_addr_t phys, pgprot_t flags);
9763 +
9764 +#ifdef CONFIG_PAX_KERNEXEC
9765 + unsigned long (*pax_open_kernel)(void);
9766 + unsigned long (*pax_close_kernel)(void);
9767 +#endif
9768 +
9769 };
9770
9771 struct raw_spinlock;
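Review bot: The new `pax_open_kernel` and `pax_close_kernel` hooks are stored as ordinary function pointers in `pv_mmu_ops`, and this hunk leaves the struct closed with a plain `};`. These two pointers gate the lifting of kernel write protection, so the table holding them should itself be immutable once the paravirt backend has been selected. Whether the `pv_mmu_ops` instance is made read-only after init is not visible here and should be confirmed. A comment such as `/* must not be reassigned after boot: these toggle kernel write protection */` would make the requirement explicit.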
9772 @@ -326,7 +333,7 @@ struct pv_lock_ops {
9773 void (*spin_lock_flags)(struct raw_spinlock *lock, unsigned long flags);
9774 int (*spin_trylock)(struct raw_spinlock *lock);
9775 void (*spin_unlock)(struct raw_spinlock *lock);
9776 -};
9777 +} __no_const;
9778
9779 /* This contains all the paravirt structures: we get a convenient
9780 * number for each function using the offset which we use to indicate
9781 diff -urNp linux-2.6.32.49/arch/x86/include/asm/pci_x86.h linux-2.6.32.49/arch/x86/include/asm/pci_x86.h
9782 --- linux-2.6.32.49/arch/x86/include/asm/pci_x86.h 2011-11-08 19:02:43.000000000 -0500
9783 +++ linux-2.6.32.49/arch/x86/include/asm/pci_x86.h 2011-11-15 19:59:42.000000000 -0500
9784 @@ -89,16 +89,16 @@ extern int (*pcibios_enable_irq)(struct
9785 extern void (*pcibios_disable_irq)(struct pci_dev *dev);
9786
9787 struct pci_raw_ops {
9788 - int (*read)(unsigned int domain, unsigned int bus, unsigned int devfn,
9789 + int (* const read)(unsigned int domain, unsigned int bus, unsigned int devfn,
9790 int reg, int len, u32 *val);
9791 - int (*write)(unsigned int domain, unsigned int bus, unsigned int devfn,
9792 + int (* const write)(unsigned int domain, unsigned int bus, unsigned int devfn,
9793 int reg, int len, u32 val);
9794 };
9795
9796 -extern struct pci_raw_ops *raw_pci_ops;
9797 -extern struct pci_raw_ops *raw_pci_ext_ops;
9798 +extern const struct pci_raw_ops *raw_pci_ops;
9799 +extern const struct pci_raw_ops *raw_pci_ext_ops;
9800
9801 -extern struct pci_raw_ops pci_direct_conf1;
9802 +extern const struct pci_raw_ops pci_direct_conf1;
9803 extern bool port_cf9_safe;
9804
9805 /* arch_initcall level */
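Review bot: `raw_pci_ops` and `raw_pci_ext_ops` become pointers to const, but the pointer variables themselves stay writable, so the dispatch target can still be redirected even though the tables cannot be edited. If they are assigned only during PCI initialisation, which this hunk does not show, they are candidates for whatever read-only-after-init marking the patch provides. Separately, marking the members `(* const read)` and `(* const write)` as well as every instance `const struct pci_raw_ops` is redundant and prevents building an ops table at run time. One of the two is enough unless both are intended.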
9806 diff -urNp linux-2.6.32.49/arch/x86/include/asm/percpu.h linux-2.6.32.49/arch/x86/include/asm/percpu.h
9807 --- linux-2.6.32.49/arch/x86/include/asm/percpu.h 2011-11-08 19:02:43.000000000 -0500
9808 +++ linux-2.6.32.49/arch/x86/include/asm/percpu.h 2011-11-15 19:59:42.000000000 -0500
9809 @@ -78,6 +78,7 @@ do { \
9810 if (0) { \
9811 T__ tmp__; \
9812 tmp__ = (val); \
9813 + (void)tmp__; \
9814 } \
9815 switch (sizeof(var)) { \
9816 case 1: \
9817 diff -urNp linux-2.6.32.49/arch/x86/include/asm/pgalloc.h linux-2.6.32.49/arch/x86/include/asm/pgalloc.h
9818 --- linux-2.6.32.49/arch/x86/include/asm/pgalloc.h 2011-11-08 19:02:43.000000000 -0500
9819 +++ linux-2.6.32.49/arch/x86/include/asm/pgalloc.h 2011-11-15 19:59:42.000000000 -0500
9820 @@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(s
9821 pmd_t *pmd, pte_t *pte)
9822 {
9823 paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
9824 + set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
9825 +}
9826 +
9827 +static inline void pmd_populate_user(struct mm_struct *mm,
9828 + pmd_t *pmd, pte_t *pte)
9829 +{
9830 + paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
9831 set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
9832 }
9833
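Review bot: `pmd_populate_kernel()` keeps its name and signature but now installs `_KERNPG_TABLE` instead of `_PAGE_TABLE`, so its behaviour changes for every existing caller. Any caller that populates a table for a user-reachable mapping has to move to the new `pmd_populate_user()`, and no such caller is visible in this hunk. Neither function says which one to use; I would add `/* kernel-only page table: no _PAGE_USER */` and `/* page table for user-accessible mappings */` above them. Both signatures start on lines outside or at the edge of the hunk.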
9834 diff -urNp linux-2.6.32.49/arch/x86/include/asm/pgtable-2level.h linux-2.6.32.49/arch/x86/include/asm/pgtable-2level.h
9835 --- linux-2.6.32.49/arch/x86/include/asm/pgtable-2level.h 2011-11-08 19:02:43.000000000 -0500
9836 +++ linux-2.6.32.49/arch/x86/include/asm/pgtable-2level.h 2011-11-15 19:59:42.000000000 -0500
9837 @@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t
9838
9839 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
9840 {
9841 + pax_open_kernel();
9842 *pmdp = pmd;
9843 + pax_close_kernel();
9844 }
9845
9846 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
9847 diff -urNp linux-2.6.32.49/arch/x86/include/asm/pgtable_32.h linux-2.6.32.49/arch/x86/include/asm/pgtable_32.h
9848 --- linux-2.6.32.49/arch/x86/include/asm/pgtable_32.h 2011-11-08 19:02:43.000000000 -0500
9849 +++ linux-2.6.32.49/arch/x86/include/asm/pgtable_32.h 2011-11-15 19:59:42.000000000 -0500
9850 @@ -26,9 +26,6 @@
9851 struct mm_struct;
9852 struct vm_area_struct;
9853
9854 -extern pgd_t swapper_pg_dir[1024];
9855 -extern pgd_t trampoline_pg_dir[1024];
9856 -
9857 static inline void pgtable_cache_init(void) { }
9858 static inline void check_pgt_cache(void) { }
9859 void paging_init(void);
9860 @@ -49,6 +46,12 @@ extern void set_pmd_pfn(unsigned long, u
9861 # include <asm/pgtable-2level.h>
9862 #endif
9863
9864 +extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
9865 +extern pgd_t trampoline_pg_dir[PTRS_PER_PGD];
9866 +#ifdef CONFIG_X86_PAE
9867 +extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
9868 +#endif
9869 +
9870 #if defined(CONFIG_HIGHPTE)
9871 #define __KM_PTE \
9872 (in_nmi() ? KM_NMI_PTE : \
9873 @@ -73,7 +76,9 @@ extern void set_pmd_pfn(unsigned long, u
9874 /* Clear a kernel PTE and flush it from the TLB */
9875 #define kpte_clear_flush(ptep, vaddr) \
9876 do { \
9877 + pax_open_kernel(); \
9878 pte_clear(&init_mm, (vaddr), (ptep)); \
9879 + pax_close_kernel(); \
9880 __flush_tlb_one((vaddr)); \
9881 } while (0)
9882
9883 @@ -85,6 +90,9 @@ do { \
9884
9885 #endif /* !__ASSEMBLY__ */
9886
9887 +#define HAVE_ARCH_UNMAPPED_AREA
9888 +#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
9889 +
9890 /*
9891 * kern_addr_valid() is (1) for FLATMEM and (0) for
9892 * SPARSEMEM and DISCONTIGMEM
9893 diff -urNp linux-2.6.32.49/arch/x86/include/asm/pgtable_32_types.h linux-2.6.32.49/arch/x86/include/asm/pgtable_32_types.h
9894 --- linux-2.6.32.49/arch/x86/include/asm/pgtable_32_types.h 2011-11-08 19:02:43.000000000 -0500
9895 +++ linux-2.6.32.49/arch/x86/include/asm/pgtable_32_types.h 2011-11-15 19:59:42.000000000 -0500
9896 @@ -8,7 +8,7 @@
9897 */
9898 #ifdef CONFIG_X86_PAE
9899 # include <asm/pgtable-3level_types.h>
9900 -# define PMD_SIZE (1UL << PMD_SHIFT)
9901 +# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
9902 # define PMD_MASK (~(PMD_SIZE - 1))
9903 #else
9904 # include <asm/pgtable-2level_types.h>
9905 @@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set
9906 # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
9907 #endif
9908
9909 +#ifdef CONFIG_PAX_KERNEXEC
9910 +#ifndef __ASSEMBLY__
9911 +extern unsigned char MODULES_EXEC_VADDR[];
9912 +extern unsigned char MODULES_EXEC_END[];
9913 +#endif
9914 +#include <asm/boot.h>
9915 +#define ktla_ktva(addr) (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
9916 +#define ktva_ktla(addr) (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
9917 +#else
9918 +#define ktla_ktva(addr) (addr)
9919 +#define ktva_ktla(addr) (addr)
9920 +#endif
9921 +
9922 #define MODULES_VADDR VMALLOC_START
9923 #define MODULES_END VMALLOC_END
9924 #define MODULES_LEN (MODULES_VADDR - MODULES_END)
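Review bot: In the CONFIG_PAX_KERNEXEC branch `ktla_ktva()` and `ktva_ktla()` expand `addr` without parentheses, so an argument containing an operator of lower precedence than `+` or `-` (a `?:`, a bitwise OR, a shift) is silently regrouped. The `#else` branch already uses `(addr)`. The KERNEXEC definitions should read `#define ktla_ktva(addr) ((addr) + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)` and `#define ktva_ktla(addr) ((addr) - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)`. A comment saying what the two address spaces are would also help, since the macro names are not self-explanatory.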
9925 diff -urNp linux-2.6.32.49/arch/x86/include/asm/pgtable-3level.h linux-2.6.32.49/arch/x86/include/asm/pgtable-3level.h
9926 --- linux-2.6.32.49/arch/x86/include/asm/pgtable-3level.h 2011-11-08 19:02:43.000000000 -0500
9927 +++ linux-2.6.32.49/arch/x86/include/asm/pgtable-3level.h 2011-11-15 19:59:42.000000000 -0500
9928 @@ -38,12 +38,16 @@ static inline void native_set_pte_atomic
9929
9930 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
9931 {
9932 + pax_open_kernel();
9933 set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
9934 + pax_close_kernel();
9935 }
9936
9937 static inline void native_set_pud(pud_t *pudp, pud_t pud)
9938 {
9939 + pax_open_kernel();
9940 set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
9941 + pax_close_kernel();
9942 }
9943
9944 /*
9945 diff -urNp linux-2.6.32.49/arch/x86/include/asm/pgtable_64.h linux-2.6.32.49/arch/x86/include/asm/pgtable_64.h
9946 --- linux-2.6.32.49/arch/x86/include/asm/pgtable_64.h 2011-11-08 19:02:43.000000000 -0500
9947 +++ linux-2.6.32.49/arch/x86/include/asm/pgtable_64.h 2011-11-15 19:59:42.000000000 -0500
9948 @@ -16,10 +16,13 @@
9949
9950 extern pud_t level3_kernel_pgt[512];
9951 extern pud_t level3_ident_pgt[512];
9952 +extern pud_t level3_vmalloc_pgt[512];
9953 +extern pud_t level3_vmemmap_pgt[512];
9954 +extern pud_t level2_vmemmap_pgt[512];
9955 extern pmd_t level2_kernel_pgt[512];
9956 extern pmd_t level2_fixmap_pgt[512];
9957 -extern pmd_t level2_ident_pgt[512];
9958 -extern pgd_t init_level4_pgt[];
9959 +extern pmd_t level2_ident_pgt[512*2];
9960 +extern pgd_t init_level4_pgt[512];
9961
9962 #define swapper_pg_dir init_level4_pgt
9963
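Review bot: `level2_vmemmap_pgt` is declared as `pud_t`, although every other `level2_*` table in this list is `pmd_t` and the `level3_*` tables are `pud_t`, so the element type looks mismatched with the level its name gives. If it is a PMD-level table, the declaration should read `extern pmd_t level2_vmemmap_pgt[512];`. The definitions are outside this hunk, so the intended level cannot be confirmed from here. `level2_ident_pgt[512*2]` likewise deserves a comment on why it spans two pages.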
9964 @@ -74,7 +77,9 @@ static inline pte_t native_ptep_get_and_
9965
9966 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
9967 {
9968 + pax_open_kernel();
9969 *pmdp = pmd;
9970 + pax_close_kernel();
9971 }
9972
9973 static inline void native_pmd_clear(pmd_t *pmd)
9974 @@ -94,6 +99,13 @@ static inline void native_pud_clear(pud_
9975
9976 static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
9977 {
9978 + pax_open_kernel();
9979 + *pgdp = pgd;
9980 + pax_close_kernel();
9981 +}
9982 +
9983 +static inline void native_set_pgd_batched(pgd_t *pgdp, pgd_t pgd)
9984 +{
9985 *pgdp = pgd;
9986 }
9987
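Review bot: `native_set_pgd_batched()` stores through `pgdp` without the `pax_open_kernel()`/`pax_close_kernel()` bracket that this hunk adds to `native_set_pgd()`, and nothing says that the caller has to provide it. A one-line comment above the batched variant, `/* caller must already be inside pax_open_kernel()/pax_close_kernel() */`, would state the contract that the name only hints at. The `set_pgd_batched()` wrapper added in paravirt.h and the `set_pgd_batched` member of `pv_mmu_ops` would benefit from the same sentence.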
9988 diff -urNp linux-2.6.32.49/arch/x86/include/asm/pgtable_64_types.h linux-2.6.32.49/arch/x86/include/asm/pgtable_64_types.h
9989 --- linux-2.6.32.49/arch/x86/include/asm/pgtable_64_types.h 2011-11-08 19:02:43.000000000 -0500
9990 +++ linux-2.6.32.49/arch/x86/include/asm/pgtable_64_types.h 2011-11-15 19:59:42.000000000 -0500
9991 @@ -59,5 +59,10 @@ typedef struct { pteval_t pte; } pte_t;
9992 #define MODULES_VADDR _AC(0xffffffffa0000000, UL)
9993 #define MODULES_END _AC(0xffffffffff000000, UL)
9994 #define MODULES_LEN (MODULES_END - MODULES_VADDR)
9995 +#define MODULES_EXEC_VADDR MODULES_VADDR
9996 +#define MODULES_EXEC_END MODULES_END
9997 +
9998 +#define ktla_ktva(addr) (addr)
9999 +#define ktva_ktla(addr) (addr)
10000
10001 #endif /* _ASM_X86_PGTABLE_64_DEFS_H */
10002 diff -urNp linux-2.6.32.49/arch/x86/include/asm/pgtable.h linux-2.6.32.49/arch/x86/include/asm/pgtable.h
10003 --- linux-2.6.32.49/arch/x86/include/asm/pgtable.h 2011-11-08 19:02:43.000000000 -0500
10004 +++ linux-2.6.32.49/arch/x86/include/asm/pgtable.h 2011-11-15 19:59:42.000000000 -0500
10005 @@ -39,6 +39,7 @@ extern struct list_head pgd_list;
10006
10007 #ifndef __PAGETABLE_PUD_FOLDED
10008 #define set_pgd(pgdp, pgd) native_set_pgd(pgdp, pgd)
10009 +#define set_pgd_batched(pgdp, pgd) native_set_pgd_batched(pgdp, pgd)
10010 #define pgd_clear(pgd) native_pgd_clear(pgd)
10011 #endif
10012
10013 @@ -74,12 +75,51 @@ extern struct list_head pgd_list;
10014
10015 #define arch_end_context_switch(prev) do {} while(0)
10016
10017 +#define pax_open_kernel() native_pax_open_kernel()
10018 +#define pax_close_kernel() native_pax_close_kernel()
10019 #endif /* CONFIG_PARAVIRT */
10020
10021 +#define __HAVE_ARCH_PAX_OPEN_KERNEL
10022 +#define __HAVE_ARCH_PAX_CLOSE_KERNEL
10023 +
10024 +#ifdef CONFIG_PAX_KERNEXEC
10025 +static inline unsigned long native_pax_open_kernel(void)
10026 +{
10027 + unsigned long cr0;
10028 +
10029 + preempt_disable();
10030 + barrier();
10031 + cr0 = read_cr0() ^ X86_CR0_WP;
10032 + BUG_ON(unlikely(cr0 & X86_CR0_WP));
10033 + write_cr0(cr0);
10034 + return cr0 ^ X86_CR0_WP;
10035 +}
10036 +
10037 +static inline unsigned long native_pax_close_kernel(void)
10038 +{
10039 + unsigned long cr0;
10040 +
10041 + cr0 = read_cr0() ^ X86_CR0_WP;
10042 + BUG_ON(unlikely(!(cr0 & X86_CR0_WP)));
10043 + write_cr0(cr0);
10044 + barrier();
10045 + preempt_enable_no_resched();
10046 + return cr0 ^ X86_CR0_WP;
10047 +}
10048 +#else
10049 +static inline unsigned long native_pax_open_kernel(void) { return 0; }
10050 +static inline unsigned long native_pax_close_kernel(void) { return 0; }
10051 +#endif
10052 +
10053 /*
10054 * The following only work if pte_present() is true.
10055 * Undefined behaviour if not..
10056 */
10057 +static inline int pte_user(pte_t pte)
10058 +{
10059 + return pte_val(pte) & _PAGE_USER;
10060 +}
10061 +
10062 static inline int pte_dirty(pte_t pte)
10063 {
10064 return pte_flags(pte) & _PAGE_DIRTY;
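Review bot: `native_pax_open_kernel()` and `native_pax_close_kernel()` have a strict usage contract that is enforced only by `BUG_ON` and not written down anywhere. The pair is not nestable (a second open hits the `BUG_ON`), open disables preemption, and close re-enables it with `preempt_enable_no_resched()`. Nothing in the pair masks interrupts, so code running between the two calls must be short, must not sleep and must not return early. I would put that above the pair: `/* must be paired on every path; not nestable; runs with preemption off and CR0.WP clear on this CPU */`. Whether an interrupt handler can reach `pax_open_kernel()` inside that window is not answerable from this hunk and should be checked. The new `pte_user()` also tests `pte_val(pte)` where its neighbours use `pte_flags(pte)`, which looks like an unintended inconsistency.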
10065 @@ -167,9 +207,29 @@ static inline pte_t pte_wrprotect(pte_t
10066 return pte_clear_flags(pte, _PAGE_RW);
10067 }
10068
10069 +static inline pte_t pte_mkread(pte_t pte)
10070 +{
10071 + return __pte(pte_val(pte) | _PAGE_USER);
10072 +}
10073 +
10074 static inline pte_t pte_mkexec(pte_t pte)
10075 {
10076 - return pte_clear_flags(pte, _PAGE_NX);
10077 +#ifdef CONFIG_X86_PAE
10078 + if (__supported_pte_mask & _PAGE_NX)
10079 + return pte_clear_flags(pte, _PAGE_NX);
10080 + else
10081 +#endif
10082 + return pte_set_flags(pte, _PAGE_USER);
10083 +}
10084 +
10085 +static inline pte_t pte_exprotect(pte_t pte)
10086 +{
10087 +#ifdef CONFIG_X86_PAE
10088 + if (__supported_pte_mask & _PAGE_NX)
10089 + return pte_set_flags(pte, _PAGE_NX);
10090 + else
10091 +#endif
10092 + return pte_clear_flags(pte, _PAGE_USER);
10093 }
10094
10095 static inline pte_t pte_mkdirty(pte_t pte)
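Review bot: `pte_mkexec()` and `pte_exprotect()` test for NX support only under `#ifdef CONFIG_X86_PAE`, but this header is shared with 64-bit builds, where `CONFIG_X86_PAE` is not defined and `_PAGE_NX` is the real bit 63. On such a build `pte_mkexec()` would set `_PAGE_USER` and leave `_PAGE_NX` in place, and `pte_exprotect()` would clear `_PAGE_USER` instead of setting NX. If any 64-bit code calls these helpers, the guard should match the one pgtable_types.h uses for `_PAGE_NX`: `#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)`. The `else` that dangles across the `#endif` is also easy to misread, and `pte_mkread()` carries no comment on why setting `_PAGE_USER` means "readable".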
10096 @@ -302,6 +362,15 @@ pte_t *populate_extra_pte(unsigned long
10097 #endif
10098
10099 #ifndef __ASSEMBLY__
10100 +
10101 +#ifdef CONFIG_PAX_PER_CPU_PGD
10102 +extern pgd_t cpu_pgd[NR_CPUS][PTRS_PER_PGD];
10103 +static inline pgd_t *get_cpu_pgd(unsigned int cpu)
10104 +{
10105 + return cpu_pgd[cpu];
10106 +}
10107 +#endif
10108 +
10109 #include <linux/mm_types.h>
10110
10111 static inline int pte_none(pte_t pte)
10112 @@ -472,7 +541,7 @@ static inline pud_t *pud_offset(pgd_t *p
10113
10114 static inline int pgd_bad(pgd_t pgd)
10115 {
10116 - return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
10117 + return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
10118 }
10119
10120 static inline int pgd_none(pgd_t pgd)
10121 @@ -495,7 +564,12 @@ static inline int pgd_none(pgd_t pgd)
10122 * pgd_offset() returns a (pgd_t *)
10123 * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
10124 */
10125 -#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address)))
10126 +#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
10127 +
10128 +#ifdef CONFIG_PAX_PER_CPU_PGD
10129 +#define pgd_offset_cpu(cpu, address) (get_cpu_pgd(cpu) + pgd_index(address))
10130 +#endif
10131 +
10132 /*
10133 * a shortcut which implies the use of the kernel's pgd, instead
10134 * of a process's
10135 @@ -506,6 +580,20 @@ static inline int pgd_none(pgd_t pgd)
10136 #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET)
10137 #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
10138
10139 +#ifdef CONFIG_X86_32
10140 +#define USER_PGD_PTRS KERNEL_PGD_BOUNDARY
10141 +#else
10142 +#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT
10143 +#define USER_PGD_PTRS (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT))
10144 +
10145 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10146 +#define PAX_USER_SHADOW_BASE (_AC(1,UL) << TASK_SIZE_MAX_SHIFT)
10147 +#else
10148 +#define PAX_USER_SHADOW_BASE (_AC(0,UL))
10149 +#endif
10150 +
10151 +#endif
10152 +
10153 #ifndef __ASSEMBLY__
10154
10155 extern int direct_gbpages;
10156 @@ -611,11 +699,23 @@ static inline void ptep_set_wrprotect(st
10157 * dst and src can be on the same page, but the range must not overlap,
10158 * and must not cross a page boundary.
10159 */
10160 -static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
10161 +static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
10162 {
10163 - memcpy(dst, src, count * sizeof(pgd_t));
10164 + pax_open_kernel();
10165 + while (count--)
10166 + *dst++ = *src++;
10167 + pax_close_kernel();
10168 }
10169
10170 +#ifdef CONFIG_PAX_PER_CPU_PGD
10171 +extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count);
10172 +#endif
10173 +
10174 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10175 +extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count);
10176 +#else
10177 +static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) {}
10178 +#endif
10179
10180 #include <asm-generic/pgtable.h>
10181 #endif /* __ASSEMBLY__ */
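Review bot: `clone_pgd_range()` keeps `count` as a signed `int`, and the loop `while (count--)` does not stop for a negative value; it keeps storing through `dst`, and it now does so with kernel write protection opened. Changing the loop to `while (count-- > 0)` makes a bad count a no-op rather than a runaway copy. The existing comment about non-overlapping ranges should also say why `memcpy()` was replaced by element-wise stores, which the hunk does not explain. `__shadow_user_pgds()` gets an empty stub for the disabled case, but `__clone_user_pgds()` does not.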
10182 diff -urNp linux-2.6.32.49/arch/x86/include/asm/pgtable_types.h linux-2.6.32.49/arch/x86/include/asm/pgtable_types.h
10183 --- linux-2.6.32.49/arch/x86/include/asm/pgtable_types.h 2011-11-08 19:02:43.000000000 -0500
10184 +++ linux-2.6.32.49/arch/x86/include/asm/pgtable_types.h 2011-11-15 19:59:42.000000000 -0500
10185 @@ -16,12 +16,11 @@
10186 #define _PAGE_BIT_PSE 7 /* 4 MB (or 2MB) page */
10187 #define _PAGE_BIT_PAT 7 /* on 4KB pages */
10188 #define _PAGE_BIT_GLOBAL 8 /* Global TLB entry PPro+ */
10189 -#define _PAGE_BIT_UNUSED1 9 /* available for programmer */
10190 +#define _PAGE_BIT_SPECIAL 9 /* special mappings, no associated struct page */
10191 #define _PAGE_BIT_IOMAP 10 /* flag used to indicate IO mapping */
10192 #define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */
10193 #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */
10194 -#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1
10195 -#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1
10196 +#define _PAGE_BIT_CPA_TEST _PAGE_BIT_SPECIAL
10197 #define _PAGE_BIT_NX 63 /* No execute: only valid after cpuid check */
10198
10199 /* If _PAGE_BIT_PRESENT is clear, we use these: */
10200 @@ -39,7 +38,6 @@
10201 #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
10202 #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
10203 #define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
10204 -#define _PAGE_UNUSED1 (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
10205 #define _PAGE_IOMAP (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
10206 #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
10207 #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
10208 @@ -55,8 +53,10 @@
10209
10210 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
10211 #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
10212 -#else
10213 +#elif defined(CONFIG_KMEMCHECK)
10214 #define _PAGE_NX (_AT(pteval_t, 0))
10215 +#else
10216 +#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
10217 #endif
10218
10219 #define _PAGE_FILE (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
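Review bot: On 32-bit builds without PAE and without KMEMCHECK, `_PAGE_NX` is now `1 << _PAGE_BIT_HIDDEN`, a software-available bit that the CPU does not interpret as no-execute, and nothing in the hunk says so. Anyone reading `_PAGE_NX` in a PTE on such a build could reasonably assume hardware enforcement. I would add `/* non-PAE: software-only marker in bit 11, enforced by PaX, not by the MMU; shares the bit with kmemcheck's HIDDEN */` above the new `#else` branch. The existing comment on `_PAGE_BIT_NX` ("only valid after cpuid check") no longer describes every configuration either.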
10220 @@ -93,6 +93,9 @@
10221 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
10222 _PAGE_ACCESSED)
10223
10224 +#define PAGE_READONLY_NOEXEC PAGE_READONLY
10225 +#define PAGE_SHARED_NOEXEC PAGE_SHARED
10226 +
10227 #define __PAGE_KERNEL_EXEC \
10228 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
10229 #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
10230 @@ -103,8 +106,8 @@
10231 #define __PAGE_KERNEL_WC (__PAGE_KERNEL | _PAGE_CACHE_WC)
10232 #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
10233 #define __PAGE_KERNEL_UC_MINUS (__PAGE_KERNEL | _PAGE_PCD)
10234 -#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
10235 -#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)
10236 +#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
10237 +#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER)
10238 #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
10239 #define __PAGE_KERNEL_LARGE_NOCACHE (__PAGE_KERNEL | _PAGE_CACHE_UC | _PAGE_PSE)
10240 #define __PAGE_KERNEL_LARGE_EXEC (__PAGE_KERNEL_EXEC | _PAGE_PSE)
10241 @@ -163,8 +166,8 @@
10242 * bits are combined, this will alow user to access the high address mapped
10243 * VDSO in the presence of CONFIG_COMPAT_VDSO
10244 */
10245 -#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
10246 -#define PDE_IDENT_ATTR 0x067 /* PRESENT+RW+USER+DIRTY+ACCESSED */
10247 +#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
10248 +#define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
10249 #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
10250 #endif
10251
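Review bot: `PDE_IDENT_ATTR` drops the USER bit (0x067 to 0x063), but the comment directly above still explains that the combined bits let user space reach the high-mapped vDSO under CONFIG_COMPAT_VDSO. Either that configuration no longer works with these attributes or it is disabled elsewhere in the patch; neither is visible here. The comment should be updated to say which, for example `/* no USER bit: CONFIG_COMPAT_VDSO's high mapping is not supported with this patch (confirm) */`. `PTE_IDENT_ATTR` also gains DIRTY and ACCESSED, which the new trailing comment records but does not justify.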
10252 @@ -202,7 +205,17 @@ static inline pgdval_t pgd_flags(pgd_t p
10253 {
10254 return native_pgd_val(pgd) & PTE_FLAGS_MASK;
10255 }
10256 +#endif
10257
10258 +#if PAGETABLE_LEVELS == 3
10259 +#include <asm-generic/pgtable-nopud.h>
10260 +#endif
10261 +
10262 +#if PAGETABLE_LEVELS == 2
10263 +#include <asm-generic/pgtable-nopmd.h>
10264 +#endif
10265 +
10266 +#ifndef __ASSEMBLY__
10267 #if PAGETABLE_LEVELS > 3
10268 typedef struct { pudval_t pud; } pud_t;
10269
10270 @@ -216,8 +229,6 @@ static inline pudval_t native_pud_val(pu
10271 return pud.pud;
10272 }
10273 #else
10274 -#include <asm-generic/pgtable-nopud.h>
10275 -
10276 static inline pudval_t native_pud_val(pud_t pud)
10277 {
10278 return native_pgd_val(pud.pgd);
10279 @@ -237,8 +248,6 @@ static inline pmdval_t native_pmd_val(pm
10280 return pmd.pmd;
10281 }
10282 #else
10283 -#include <asm-generic/pgtable-nopmd.h>
10284 -
10285 static inline pmdval_t native_pmd_val(pmd_t pmd)
10286 {
10287 return native_pgd_val(pmd.pud.pgd);
10288 @@ -278,7 +287,16 @@ typedef struct page *pgtable_t;
10289
10290 extern pteval_t __supported_pte_mask;
10291 extern void set_nx(void);
10292 +
10293 +#ifdef CONFIG_X86_32
10294 +#ifdef CONFIG_X86_PAE
10295 extern int nx_enabled;
10296 +#else
10297 +#define nx_enabled (0)
10298 +#endif
10299 +#else
10300 +#define nx_enabled (1)
10301 +#endif
10302
10303 #define pgprot_writecombine pgprot_writecombine
10304 extern pgprot_t pgprot_writecombine(pgprot_t prot);
10305 diff -urNp linux-2.6.32.49/arch/x86/include/asm/processor.h linux-2.6.32.49/arch/x86/include/asm/processor.h
10306 --- linux-2.6.32.49/arch/x86/include/asm/processor.h 2011-11-08 19:02:43.000000000 -0500
10307 +++ linux-2.6.32.49/arch/x86/include/asm/processor.h 2011-11-15 19:59:42.000000000 -0500
10308 @@ -272,7 +272,7 @@ struct tss_struct {
10309
10310 } ____cacheline_aligned;
10311
10312 -DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
10313 +extern struct tss_struct init_tss[NR_CPUS];
10314
10315 /*
10316 * Save the original ist values for checking stack pointers during debugging
10317 @@ -911,11 +911,18 @@ static inline void spin_lock_prefetch(co
10318 */
10319 #define TASK_SIZE PAGE_OFFSET
10320 #define TASK_SIZE_MAX TASK_SIZE
10321 +
10322 +#ifdef CONFIG_PAX_SEGMEXEC
10323 +#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
10324 +#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
10325 +#else
10326 #define STACK_TOP TASK_SIZE
10327 -#define STACK_TOP_MAX STACK_TOP
10328 +#endif
10329 +
10330 +#define STACK_TOP_MAX TASK_SIZE
10331
10332 #define INIT_THREAD { \
10333 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
10334 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
10335 .vm86_info = NULL, \
10336 .sysenter_cs = __KERNEL_CS, \
10337 .io_bitmap_ptr = NULL, \
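Review bot: With CONFIG_PAX_SEGMEXEC, `STACK_TOP` now expands to an expression that dereferences `current->mm`, where it used to be the constant `TASK_SIZE`. Any expansion in a context where `current->mm` is NULL would fault, and the macro can no longer be used in constant expressions, which is why `STACK_TOP_MAX` is redefined as `TASK_SIZE`. A comment on the macro, `/* evaluates current->mm: only valid in process context with an mm */`, would warn users. The `- 8` added to `.sp0` in `INIT_THREAD` here and in `INIT_TSS` in the next hunk is also unexplained at the point of use.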
10338 @@ -929,7 +936,7 @@ static inline void spin_lock_prefetch(co
10339 */
10340 #define INIT_TSS { \
10341 .x86_tss = { \
10342 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
10343 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
10344 .ss0 = __KERNEL_DS, \
10345 .ss1 = __KERNEL_CS, \
10346 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
10347 @@ -940,11 +947,7 @@ static inline void spin_lock_prefetch(co
10348 extern unsigned long thread_saved_pc(struct task_struct *tsk);
10349
10350 #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
10351 -#define KSTK_TOP(info) \
10352 -({ \
10353 - unsigned long *__ptr = (unsigned long *)(info); \
10354 - (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
10355 -})
10356 +#define KSTK_TOP(info) ((container_of(info, struct task_struct, tinfo))->thread.sp0)
10357
10358 /*
10359 * The below -8 is to reserve 8 bytes on top of the ring0 stack.
10360 @@ -959,7 +962,7 @@ extern unsigned long thread_saved_pc(str
10361 #define task_pt_regs(task) \
10362 ({ \
10363 struct pt_regs *__regs__; \
10364 - __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
10365 + __regs__ = (struct pt_regs *)((task)->thread.sp0); \
10366 __regs__ - 1; \
10367 })
10368
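Review bot: `task_pt_regs()` no longer subtracts 8 itself, but the comment that precedes it still begins "The below -8 is to reserve 8 bytes on top of the ring0 stack". The reservation now lives in `thread.sp0`, as the `- 8` added to `INIT_THREAD` and `INIT_TSS` earlier in this file shows. The comment should point there, e.g. `/* thread.sp0 already sits 8 bytes below the top of the ring0 stack */`. The previous hunk makes `KSTK_TOP()` depend on a `tinfo` member of `task_struct` through `container_of()`, which deserves a note because the macro's argument changes meaning from a stack page to an embedded `thread_info`.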
10369 @@ -969,13 +972,13 @@ extern unsigned long thread_saved_pc(str
10370 /*
10371 * User space process size. 47bits minus one guard page.
10372 */
10373 -#define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE)
10374 +#define TASK_SIZE_MAX ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE)
10375
10376 /* This decides where the kernel will search for a free chunk of vm
10377 * space during mmap's.
10378 */
10379 #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
10380 - 0xc0000000 : 0xFFFFe000)
10381 + 0xc0000000 : 0xFFFFf000)
10382
10383 #define TASK_SIZE (test_thread_flag(TIF_IA32) ? \
10384 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
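Review bot: The comment "User space process size. 47bits minus one guard page." is now stale, because `TASK_SIZE_MAX` is computed from `TASK_SIZE_MAX_SHIFT`, which pgtable.h takes from `CONFIG_TASK_SIZE_MAX_SHIFT`. It should read something like `/* User space process size: 2^TASK_SIZE_MAX_SHIFT minus one guard page. */`. The change of the non-3GB `IA32_PAGE_OFFSET` from `0xFFFFe000` to `0xFFFFf000` alters the compat address-space limit by one page without any explanation in the hunk, so it needs a comment as well.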
10385 @@ -986,11 +989,11 @@ extern unsigned long thread_saved_pc(str
10386 #define STACK_TOP_MAX TASK_SIZE_MAX
10387
10388 #define INIT_THREAD { \
10389 - .sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
10390 + .sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \
10391 }
10392
10393 #define INIT_TSS { \
10394 - .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
10395 + .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \
10396 }
10397
10398 /*
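Review bot: The literal `16` is subtracted independently in `INIT_THREAD` and `INIT_TSS`, and the 32-bit definitions earlier in this file subtract a bare `8` in the same way. The two `sp0` values have to stay identical, and nothing in the hunk says what the reserved bytes are for. A single named constant used by both macros (for example `INIT_SP0_RESERVE`, a constructed name) with a one-line comment would keep them in sync.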
10399 @@ -1012,6 +1015,10 @@ extern void start_thread(struct pt_regs
10400 */
10401 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
10402
10403 +#ifdef CONFIG_PAX_SEGMEXEC
10404 +#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
10405 +#endif
10406 +
10407 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
10408
10409 /* Get/set a process' ability to use the timestamp counter instruction */
10410 diff -urNp linux-2.6.32.49/arch/x86/include/asm/ptrace.h linux-2.6.32.49/arch/x86/include/asm/ptrace.h
10411 --- linux-2.6.32.49/arch/x86/include/asm/ptrace.h 2011-11-08 19:02:43.000000000 -0500
10412 +++ linux-2.6.32.49/arch/x86/include/asm/ptrace.h 2011-11-15 19:59:42.000000000 -0500
10413 @@ -151,28 +151,29 @@ static inline unsigned long regs_return_
10414 }
10415
10416 /*
10417 - * user_mode_vm(regs) determines whether a register set came from user mode.
10418 + * user_mode(regs) determines whether a register set came from user mode.
10419 * This is true if V8086 mode was enabled OR if the register set was from
10420 * protected mode with RPL-3 CS value. This tricky test checks that with
10421 * one comparison. Many places in the kernel can bypass this full check
10422 - * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
10423 + * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
10424 + * be used.
10425 */
10426 -static inline int user_mode(struct pt_regs *regs)
10427 +static inline int user_mode_novm(struct pt_regs *regs)
10428 {
10429 #ifdef CONFIG_X86_32
10430 return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
10431 #else
10432 - return !!(regs->cs & 3);
10433 + return !!(regs->cs & SEGMENT_RPL_MASK);
10434 #endif
10435 }
10436
10437 -static inline int user_mode_vm(struct pt_regs *regs)
10438 +static inline int user_mode(struct pt_regs *regs)
10439 {
10440 #ifdef CONFIG_X86_32
10441 return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
10442 USER_RPL;
10443 #else
10444 - return user_mode(regs);
10445 + return user_mode_novm(regs);
10446 #endif
10447 }
10448
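Review bot: `user_mode_novm()` has no statement of its precondition at the definition; the block comment above describes `user_mode()` and mentions the cheaper variant only in passing. Because the patch reassigns the existing name `user_mode` to the full check, code written against the old naming compiles unchanged and gets the stricter test, but code moved in the other direction would silently lose the V8086 check. I would add `/* Caller must already have ruled out V8086 mode; otherwise use user_mode(). */` directly above `user_mode_novm`.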
10449 diff -urNp linux-2.6.32.49/arch/x86/include/asm/reboot.h linux-2.6.32.49/arch/x86/include/asm/reboot.h
10450 --- linux-2.6.32.49/arch/x86/include/asm/reboot.h 2011-11-08 19:02:43.000000000 -0500
10451 +++ linux-2.6.32.49/arch/x86/include/asm/reboot.h 2011-11-15 19:59:42.000000000 -0500
10452 @@ -6,19 +6,19 @@
10453 struct pt_regs;
10454
10455 struct machine_ops {
10456 - void (*restart)(char *cmd);
10457 - void (*halt)(void);
10458 - void (*power_off)(void);
10459 + void (* __noreturn restart)(char *cmd);
10460 + void (* __noreturn halt)(void);
10461 + void (* __noreturn power_off)(void);
10462 void (*shutdown)(void);
10463 void (*crash_shutdown)(struct pt_regs *);
10464 - void (*emergency_restart)(void);
10465 -};
10466 + void (* __noreturn emergency_restart)(void);
10467 +} __no_const;
10468
10469 extern struct machine_ops machine_ops;
10470
10471 void native_machine_crash_shutdown(struct pt_regs *regs);
10472 void native_machine_shutdown(void);
10473 -void machine_real_restart(const unsigned char *code, int length);
10474 +void machine_real_restart(const unsigned char *code, unsigned int length) __noreturn;
10475
10476 typedef void (*nmi_shootdown_cb)(int, struct die_args*);
10477 void nmi_shootdown_cpus(nmi_shootdown_cb callback);
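Review bot: Marking the `restart`, `halt`, `power_off` and `emergency_restart` members `__noreturn` lets the compiler drop whatever follows a call through them, so every function ever stored in these slots must genuinely never return. The implementations are not part of this hunk, and the struct is tagged `__no_const`, which presumably keeps it writable at run time, so later assignments must honour the same contract. A comment inside the struct such as `/* handlers for the __noreturn members must never return */` would document this. The `length` parameter of `machine_real_restart` becoming `unsigned int` is reasonable, but callers passing a signed expression should be checked for implicit conversion.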
10478 diff -urNp linux-2.6.32.49/arch/x86/include/asm/rwsem.h linux-2.6.32.49/arch/x86/include/asm/rwsem.h
10479 --- linux-2.6.32.49/arch/x86/include/asm/rwsem.h 2011-11-08 19:02:43.000000000 -0500
10480 +++ linux-2.6.32.49/arch/x86/include/asm/rwsem.h 2011-11-15 19:59:42.000000000 -0500
10481 @@ -118,6 +118,14 @@ static inline void __down_read(struct rw
10482 {
10483 asm volatile("# beginning down_read\n\t"
10484 LOCK_PREFIX _ASM_INC "(%1)\n\t"
10485 +
10486 +#ifdef CONFIG_PAX_REFCOUNT
10487 + "jno 0f\n"
10488 + LOCK_PREFIX _ASM_DEC "(%1)\n\t"
10489 + "int $4\n0:\n"
10490 + _ASM_EXTABLE(0b, 0b)
10491 +#endif
10492 +
10493 /* adds 0x00000001, returns the old value */
10494 " jns 1f\n"
10495 " call call_rwsem_down_read_failed\n"
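Review bot: The `CONFIG_PAX_REFCOUNT` sequence added here (`jno 0f`, undo the update, `int $4`, `_ASM_EXTABLE(0b, 0b)`) has no comment, and the same block is pasted into every other hunk of this file and into the rwlock functions in spinlock.h further down, differing only in the undo instruction. A reader cannot tell from these hunks what the overflow trap handler does with the site or why the exception-table entry points at its own label. I would add one explanatory comment at the first use, e.g. `/* PAX_REFCOUNT: on signed overflow undo the update and raise the overflow trap (int $4) */`, or wrap the pattern in a macro that takes the undo instruction as its argument. `__down_read` starts and ends outside the hunk.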
10496 @@ -139,6 +147,14 @@ static inline int __down_read_trylock(st
10497 "1:\n\t"
10498 " mov %1,%2\n\t"
10499 " add %3,%2\n\t"
10500 +
10501 +#ifdef CONFIG_PAX_REFCOUNT
10502 + "jno 0f\n"
10503 + "sub %3,%2\n"
10504 + "int $4\n0:\n"
10505 + _ASM_EXTABLE(0b, 0b)
10506 +#endif
10507 +
10508 " jle 2f\n\t"
10509 LOCK_PREFIX " cmpxchg %2,%0\n\t"
10510 " jnz 1b\n\t"
10511 @@ -160,6 +176,14 @@ static inline void __down_write_nested(s
10512 tmp = RWSEM_ACTIVE_WRITE_BIAS;
10513 asm volatile("# beginning down_write\n\t"
10514 LOCK_PREFIX " xadd %1,(%2)\n\t"
10515 +
10516 +#ifdef CONFIG_PAX_REFCOUNT
10517 + "jno 0f\n"
10518 + "mov %1,(%2)\n"
10519 + "int $4\n0:\n"
10520 + _ASM_EXTABLE(0b, 0b)
10521 +#endif
10522 +
10523 /* subtract 0x0000ffff, returns the old value */
10524 " test %1,%1\n\t"
10525 /* was the count 0 before? */
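Review bot: The rollback after the locked `xadd` is a plain `mov %1,(%2)`, which stores the pre-`xadd` value without a lock prefix, so any update another CPU makes to the count between the `xadd` and the `mov` is overwritten. The `__down_read` and `__downgrade_write` hunks undo with a locked inverse operation instead, which does not lose concurrent updates. The same `mov` rollback appears in the `__up_read`, `__up_write` and `rwsem_atomic_update` hunks below. If the overflow path is meant to be recoverable, a locked inverse of the original delta would match the other sites; if it is treated as fatal for the task, a comment saying so would be enough. The function body extends beyond this hunk.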
10526 @@ -198,6 +222,14 @@ static inline void __up_read(struct rw_s
10527 rwsem_count_t tmp = -RWSEM_ACTIVE_READ_BIAS;
10528 asm volatile("# beginning __up_read\n\t"
10529 LOCK_PREFIX " xadd %1,(%2)\n\t"
10530 +
10531 +#ifdef CONFIG_PAX_REFCOUNT
10532 + "jno 0f\n"
10533 + "mov %1,(%2)\n"
10534 + "int $4\n0:\n"
10535 + _ASM_EXTABLE(0b, 0b)
10536 +#endif
10537 +
10538 /* subtracts 1, returns the old value */
10539 " jns 1f\n\t"
10540 " call call_rwsem_wake\n"
10541 @@ -216,6 +248,14 @@ static inline void __up_write(struct rw_
10542 rwsem_count_t tmp;
10543 asm volatile("# beginning __up_write\n\t"
10544 LOCK_PREFIX " xadd %1,(%2)\n\t"
10545 +
10546 +#ifdef CONFIG_PAX_REFCOUNT
10547 + "jno 0f\n"
10548 + "mov %1,(%2)\n"
10549 + "int $4\n0:\n"
10550 + _ASM_EXTABLE(0b, 0b)
10551 +#endif
10552 +
10553 /* tries to transition
10554 0xffff0001 -> 0x00000000 */
10555 " jz 1f\n"
10556 @@ -234,6 +274,14 @@ static inline void __downgrade_write(str
10557 {
10558 asm volatile("# beginning __downgrade_write\n\t"
10559 LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t"
10560 +
10561 +#ifdef CONFIG_PAX_REFCOUNT
10562 + "jno 0f\n"
10563 + LOCK_PREFIX _ASM_SUB "%2,(%1)\n"
10564 + "int $4\n0:\n"
10565 + _ASM_EXTABLE(0b, 0b)
10566 +#endif
10567 +
10568 /*
10569 * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386)
10570 * 0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64)
10571 @@ -253,7 +301,15 @@ static inline void __downgrade_write(str
10572 static inline void rwsem_atomic_add(rwsem_count_t delta,
10573 struct rw_semaphore *sem)
10574 {
10575 - asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0"
10576 + asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n"
10577 +
10578 +#ifdef CONFIG_PAX_REFCOUNT
10579 + "jno 0f\n"
10580 + LOCK_PREFIX _ASM_SUB "%1,%0\n"
10581 + "int $4\n0:\n"
10582 + _ASM_EXTABLE(0b, 0b)
10583 +#endif
10584 +
10585 : "+m" (sem->count)
10586 : "er" (delta));
10587 }
10588 @@ -266,7 +322,15 @@ static inline rwsem_count_t rwsem_atomic
10589 {
10590 rwsem_count_t tmp = delta;
10591
10592 - asm volatile(LOCK_PREFIX "xadd %0,%1"
10593 + asm volatile(LOCK_PREFIX "xadd %0,%1\n"
10594 +
10595 +#ifdef CONFIG_PAX_REFCOUNT
10596 + "jno 0f\n"
10597 + "mov %0,%1\n"
10598 + "int $4\n0:\n"
10599 + _ASM_EXTABLE(0b, 0b)
10600 +#endif
10601 +
10602 : "+r" (tmp), "+m" (sem->count)
10603 : : "memory");
10604
10605 diff -urNp linux-2.6.32.49/arch/x86/include/asm/segment.h linux-2.6.32.49/arch/x86/include/asm/segment.h
10606 --- linux-2.6.32.49/arch/x86/include/asm/segment.h 2011-11-08 19:02:43.000000000 -0500
10607 +++ linux-2.6.32.49/arch/x86/include/asm/segment.h 2011-11-15 19:59:42.000000000 -0500
10608 @@ -62,10 +62,15 @@
10609 * 26 - ESPFIX small SS
10610 * 27 - per-cpu [ offset to per-cpu data area ]
10611 * 28 - stack_canary-20 [ for stack protector ]
10612 - * 29 - unused
10613 - * 30 - unused
10614 + * 29 - PCI BIOS CS
10615 + * 30 - PCI BIOS DS
10616 * 31 - TSS for double fault handler
10617 */
10618 +#define GDT_ENTRY_KERNEXEC_EFI_CS (1)
10619 +#define GDT_ENTRY_KERNEXEC_EFI_DS (2)
10620 +#define __KERNEXEC_EFI_CS (GDT_ENTRY_KERNEXEC_EFI_CS*8)
10621 +#define __KERNEXEC_EFI_DS (GDT_ENTRY_KERNEXEC_EFI_DS*8)
10622 +
10623 #define GDT_ENTRY_TLS_MIN 6
10624 #define GDT_ENTRY_TLS_MAX (GDT_ENTRY_TLS_MIN + GDT_ENTRY_TLS_ENTRIES - 1)
10625
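Review bot: The new `GDT_ENTRY_KERNEXEC_EFI_CS` and `GDT_ENTRY_KERNEXEC_EFI_DS` definitions claim fixed GDT slots 1 and 2, and the next hunk adds `GDT_ENTRY_KERNEXEC_KERNEL_CS` at slot 4, yet the visible part of the layout table is updated only for entries 29 and 30. The earlier rows of that table are outside this hunk; if they still describe slots 1, 2 and 4 as reserved or unused, they should be updated in the same change so the table stays the reference for slot ownership. Unlike their neighbours these indices are bare literals rather than offsets from `GDT_ENTRY_KERNEL_BASE`, which deserves a one-line comment.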
10626 @@ -77,6 +82,8 @@
10627
10628 #define GDT_ENTRY_KERNEL_CS (GDT_ENTRY_KERNEL_BASE + 0)
10629
10630 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS (4)
10631 +
10632 #define GDT_ENTRY_KERNEL_DS (GDT_ENTRY_KERNEL_BASE + 1)
10633
10634 #define GDT_ENTRY_TSS (GDT_ENTRY_KERNEL_BASE + 4)
10635 @@ -88,7 +95,7 @@
10636 #define GDT_ENTRY_ESPFIX_SS (GDT_ENTRY_KERNEL_BASE + 14)
10637 #define __ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)
10638
10639 -#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
10640 +#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
10641 #ifdef CONFIG_SMP
10642 #define __KERNEL_PERCPU (GDT_ENTRY_PERCPU * 8)
10643 #else
10644 @@ -102,6 +109,12 @@
10645 #define __KERNEL_STACK_CANARY 0
10646 #endif
10647
10648 +#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE + 17)
10649 +#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
10650 +
10651 +#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE + 18)
10652 +#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
10653 +
10654 #define GDT_ENTRY_DOUBLEFAULT_TSS 31
10655
10656 /*
10657 @@ -139,7 +152,7 @@
10658 */
10659
10660 /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
10661 -#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
10662 +#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
10663
10664
10665 #else
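Review bot: The rewritten `SEGMENT_IS_PNP_CODE(x)` expands `x` twice, so an argument with side effects would be evaluated twice, whereas the removed single-mask form evaluated it once. The new test itself is stricter: `0xFFFCU` strips only the RPL bits and compares the whole selector against the two exact values, whereas the old `0xf4` mask ignored every bit above bit 7. A `static inline` helper, or at least a note `/* x is evaluated twice */`, would avoid surprises. `PNP_CS32` and `PNP_CS16` are defined outside this hunk.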
10666 @@ -163,6 +176,8 @@
10667 #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS * 8 + 3)
10668 #define __USER32_DS __USER_DS
10669
10670 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
10671 +
10672 #define GDT_ENTRY_TSS 8 /* needs two entries */
10673 #define GDT_ENTRY_LDT 10 /* needs two entries */
10674 #define GDT_ENTRY_TLS_MIN 12
10675 @@ -183,6 +198,7 @@
10676 #endif
10677
10678 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS * 8)
10679 +#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS * 8)
10680 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS * 8)
10681 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS* 8 + 3)
10682 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS* 8 + 3)
10683 diff -urNp linux-2.6.32.49/arch/x86/include/asm/smp.h linux-2.6.32.49/arch/x86/include/asm/smp.h
10684 --- linux-2.6.32.49/arch/x86/include/asm/smp.h 2011-11-08 19:02:43.000000000 -0500
10685 +++ linux-2.6.32.49/arch/x86/include/asm/smp.h 2011-11-15 19:59:42.000000000 -0500
10686 @@ -24,7 +24,7 @@ extern unsigned int num_processors;
10687 DECLARE_PER_CPU(cpumask_var_t, cpu_sibling_map);
10688 DECLARE_PER_CPU(cpumask_var_t, cpu_core_map);
10689 DECLARE_PER_CPU(u16, cpu_llc_id);
10690 -DECLARE_PER_CPU(int, cpu_number);
10691 +DECLARE_PER_CPU(unsigned int, cpu_number);
10692
10693 static inline struct cpumask *cpu_sibling_mask(int cpu)
10694 {
10695 @@ -40,10 +40,7 @@ DECLARE_EARLY_PER_CPU(u16, x86_cpu_to_ap
10696 DECLARE_EARLY_PER_CPU(u16, x86_bios_cpu_apicid);
10697
10698 /* Static state in head.S used to set up a CPU */
10699 -extern struct {
10700 - void *sp;
10701 - unsigned short ss;
10702 -} stack_start;
10703 +extern unsigned long stack_start; /* Initial stack pointer address */
10704
10705 struct smp_ops {
10706 void (*smp_prepare_boot_cpu)(void);
10707 @@ -60,7 +57,7 @@ struct smp_ops {
10708
10709 void (*send_call_func_ipi)(const struct cpumask *mask);
10710 void (*send_call_func_single_ipi)(int cpu);
10711 -};
10712 +} __no_const;
10713
10714 /* Globals due to paravirt */
10715 extern void set_cpu_sibling_map(int cpu);
10716 @@ -175,14 +172,8 @@ extern unsigned disabled_cpus __cpuinitd
10717 extern int safe_smp_processor_id(void);
10718
10719 #elif defined(CONFIG_X86_64_SMP)
10720 -#define raw_smp_processor_id() (percpu_read(cpu_number))
10721 -
10722 -#define stack_smp_processor_id() \
10723 -({ \
10724 - struct thread_info *ti; \
10725 - __asm__("andq %%rsp,%0; ":"=r" (ti) : "0" (CURRENT_MASK)); \
10726 - ti->cpu; \
10727 -})
10728 +#define raw_smp_processor_id() (percpu_read(cpu_number))
10729 +#define stack_smp_processor_id() raw_smp_processor_id()
10730 #define safe_smp_processor_id() smp_processor_id()
10731
10732 #endif
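Review bot: `stack_smp_processor_id()` becomes an alias for `raw_smp_processor_id()`, so it no longer derives the CPU number from the stack pointer and relies on `percpu_read(cpu_number)` like every other accessor. If any caller chose the stack-based variant because per-CPU addressing might not be usable at that point, it loses that property; the callers are outside this hunk. A comment such as `/* thread_info is no longer on the stack; kept as an alias for existing callers */` would record why the macro still exists.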
10733 diff -urNp linux-2.6.32.49/arch/x86/include/asm/spinlock.h linux-2.6.32.49/arch/x86/include/asm/spinlock.h
10734 --- linux-2.6.32.49/arch/x86/include/asm/spinlock.h 2011-11-08 19:02:43.000000000 -0500
10735 +++ linux-2.6.32.49/arch/x86/include/asm/spinlock.h 2011-11-15 19:59:42.000000000 -0500
10736 @@ -249,6 +249,14 @@ static inline int __raw_write_can_lock(r
10737 static inline void __raw_read_lock(raw_rwlock_t *rw)
10738 {
10739 asm volatile(LOCK_PREFIX " subl $1,(%0)\n\t"
10740 +
10741 +#ifdef CONFIG_PAX_REFCOUNT
10742 + "jno 0f\n"
10743 + LOCK_PREFIX " addl $1,(%0)\n"
10744 + "int $4\n0:\n"
10745 + _ASM_EXTABLE(0b, 0b)
10746 +#endif
10747 +
10748 "jns 1f\n"
10749 "call __read_lock_failed\n\t"
10750 "1:\n"
10751 @@ -258,6 +266,14 @@ static inline void __raw_read_lock(raw_r
10752 static inline void __raw_write_lock(raw_rwlock_t *rw)
10753 {
10754 asm volatile(LOCK_PREFIX " subl %1,(%0)\n\t"
10755 +
10756 +#ifdef CONFIG_PAX_REFCOUNT
10757 + "jno 0f\n"
10758 + LOCK_PREFIX " addl %1,(%0)\n"
10759 + "int $4\n0:\n"
10760 + _ASM_EXTABLE(0b, 0b)
10761 +#endif
10762 +
10763 "jz 1f\n"
10764 "call __write_lock_failed\n\t"
10765 "1:\n"
10766 @@ -286,12 +302,29 @@ static inline int __raw_write_trylock(ra
10767
10768 static inline void __raw_read_unlock(raw_rwlock_t *rw)
10769 {
10770 - asm volatile(LOCK_PREFIX "incl %0" :"+m" (rw->lock) : : "memory");
10771 + asm volatile(LOCK_PREFIX "incl %0\n"
10772 +
10773 +#ifdef CONFIG_PAX_REFCOUNT
10774 + "jno 0f\n"
10775 + LOCK_PREFIX "decl %0\n"
10776 + "int $4\n0:\n"
10777 + _ASM_EXTABLE(0b, 0b)
10778 +#endif
10779 +
10780 + :"+m" (rw->lock) : : "memory");
10781 }
10782
10783 static inline void __raw_write_unlock(raw_rwlock_t *rw)
10784 {
10785 - asm volatile(LOCK_PREFIX "addl %1, %0"
10786 + asm volatile(LOCK_PREFIX "addl %1, %0\n"
10787 +
10788 +#ifdef CONFIG_PAX_REFCOUNT
10789 + "jno 0f\n"
10790 + LOCK_PREFIX "subl %1, %0\n"
10791 + "int $4\n0:\n"
10792 + _ASM_EXTABLE(0b, 0b)
10793 +#endif
10794 +
10795 : "+m" (rw->lock) : "i" (RW_LOCK_BIAS) : "memory");
10796 }
10797
10798 diff -urNp linux-2.6.32.49/arch/x86/include/asm/stackprotector.h linux-2.6.32.49/arch/x86/include/asm/stackprotector.h
10799 --- linux-2.6.32.49/arch/x86/include/asm/stackprotector.h 2011-11-08 19:02:43.000000000 -0500
10800 +++ linux-2.6.32.49/arch/x86/include/asm/stackprotector.h 2011-11-15 19:59:42.000000000 -0500
10801 @@ -48,7 +48,7 @@
10802 * head_32 for boot CPU and setup_per_cpu_areas() for others.
10803 */
10804 #define GDT_STACK_CANARY_INIT \
10805 - [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x18),
10806 + [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x17),
10807
10808 /*
10809 * Initialize the stackprotector canary value.
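Review bot: The limit argument of `GDT_ENTRY_INIT` drops from `0x18` to `0x17` with no comment. Given the `stack_canary-20` entry in the segment.h layout table, an inclusive limit of `0x17` would make the segment end at the last byte of a 4-byte canary at offset 20, so this looks like an off-by-one tightening, but that reading is inferred. Suggest `/* limit is inclusive: offsets 0..0x17, canary at 20..23 */` above the initializer once confirmed.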
10810 @@ -113,7 +113,7 @@ static inline void setup_stack_canary_se
10811
10812 static inline void load_stack_canary_segment(void)
10813 {
10814 -#ifdef CONFIG_X86_32
10815 +#if defined(CONFIG_X86_32) && !defined(CONFIG_PAX_MEMORY_UDEREF)
10816 asm volatile ("mov %0, %%gs" : : "r" (0));
10817 #endif
10818 }
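Review bot: With `CONFIG_PAX_MEMORY_UDEREF` set, `load_stack_canary_segment()` compiles to an empty function on 32-bit, and the hunk does not say why `%gs` must be left alone in that configuration. A comment on the `#if`, e.g. `/* UDEREF: %gs is not reset here because <reason> */` with the reason filled in, would stop a later cleanup from restoring the unconditional load.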
10819 diff -urNp linux-2.6.32.49/arch/x86/include/asm/system.h linux-2.6.32.49/arch/x86/include/asm/system.h
10820 --- linux-2.6.32.49/arch/x86/include/asm/system.h 2011-11-08 19:02:43.000000000 -0500
10821 +++ linux-2.6.32.49/arch/x86/include/asm/system.h 2011-11-15 19:59:42.000000000 -0500
10822 @@ -132,7 +132,7 @@ do { \
10823 "thread_return:\n\t" \
10824 "movq "__percpu_arg([current_task])",%%rsi\n\t" \
10825 __switch_canary \
10826 - "movq %P[thread_info](%%rsi),%%r8\n\t" \
10827 + "movq "__percpu_arg([thread_info])",%%r8\n\t" \
10828 "movq %%rax,%%rdi\n\t" \
10829 "testl %[_tif_fork],%P[ti_flags](%%r8)\n\t" \
10830 "jnz ret_from_fork\n\t" \
10831 @@ -143,7 +143,7 @@ do { \
10832 [threadrsp] "i" (offsetof(struct task_struct, thread.sp)), \
10833 [ti_flags] "i" (offsetof(struct thread_info, flags)), \
10834 [_tif_fork] "i" (_TIF_FORK), \
10835 - [thread_info] "i" (offsetof(struct task_struct, stack)), \
10836 + [thread_info] "m" (per_cpu_var(current_tinfo)), \
10837 [current_task] "m" (per_cpu_var(current_task)) \
10838 __switch_canary_iparam \
10839 : "memory", "cc" __EXTRA_CLOBBER)
10840 @@ -200,7 +200,7 @@ static inline unsigned long get_limit(un
10841 {
10842 unsigned long __limit;
10843 asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
10844 - return __limit + 1;
10845 + return __limit;
10846 }
10847
10848 static inline void native_clts(void)
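Review bot: `get_limit()` now returns the raw inclusive limit from `lsll` rather than limit + 1, which changes its contract from "size" to "last valid offset"; callers outside this hunk that treat the result as a length or compare with `>=` will be off by one. The old `+ 1` wrapped to 0 for a segment with limit `0xFFFFFFFF`, so the change is reasonable, but it should be stated on the function, e.g. `/* returns the segment limit (last valid offset), not the size */`. Separately, `__limit` is left uninitialised when `lsll` fails for an invalid selector, because the instruction then does not write its destination.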
10849 @@ -340,12 +340,12 @@ void enable_hlt(void);
10850
10851 void cpu_idle_wait(void);
10852
10853 -extern unsigned long arch_align_stack(unsigned long sp);
10854 +#define arch_align_stack(x) ((x) & ~0xfUL)
10855 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
10856
10857 void default_idle(void);
10858
10859 -void stop_this_cpu(void *dummy);
10860 +void stop_this_cpu(void *dummy) __noreturn;
10861
10862 /*
10863 * Force strict CPU ordering.
10864 diff -urNp linux-2.6.32.49/arch/x86/include/asm/thread_info.h linux-2.6.32.49/arch/x86/include/asm/thread_info.h
10865 --- linux-2.6.32.49/arch/x86/include/asm/thread_info.h 2011-11-08 19:02:43.000000000 -0500
10866 +++ linux-2.6.32.49/arch/x86/include/asm/thread_info.h 2011-11-15 19:59:42.000000000 -0500
10867 @@ -10,6 +10,7 @@
10868 #include <linux/compiler.h>
10869 #include <asm/page.h>
10870 #include <asm/types.h>
10871 +#include <asm/percpu.h>
10872
10873 /*
10874 * low level task data that entry.S needs immediate access to
10875 @@ -24,7 +25,6 @@ struct exec_domain;
10876 #include <asm/atomic.h>
10877
10878 struct thread_info {
10879 - struct task_struct *task; /* main task structure */
10880 struct exec_domain *exec_domain; /* execution domain */
10881 __u32 flags; /* low level flags */
10882 __u32 status; /* thread synchronous flags */
10883 @@ -34,18 +34,12 @@ struct thread_info {
10884 mm_segment_t addr_limit;
10885 struct restart_block restart_block;
10886 void __user *sysenter_return;
10887 -#ifdef CONFIG_X86_32
10888 - unsigned long previous_esp; /* ESP of the previous stack in
10889 - case of nested (IRQ) stacks
10890 - */
10891 - __u8 supervisor_stack[0];
10892 -#endif
10893 + unsigned long lowest_stack;
10894 int uaccess_err;
10895 };
10896
10897 -#define INIT_THREAD_INFO(tsk) \
10898 +#define INIT_THREAD_INFO \
10899 { \
10900 - .task = &tsk, \
10901 .exec_domain = &default_exec_domain, \
10902 .flags = 0, \
10903 .cpu = 0, \
10904 @@ -56,7 +50,7 @@ struct thread_info {
10905 }, \
10906 }
10907
10908 -#define init_thread_info (init_thread_union.thread_info)
10909 +#define init_thread_info (init_thread_union.stack)
10910 #define init_stack (init_thread_union.stack)
10911
10912 #else /* !__ASSEMBLY__ */
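Review bot: After this change `init_thread_info` and `init_stack` expand to the same expression, `init_thread_union.stack`, so `init_thread_info` no longer names a `struct thread_info`. A remaining use that accesses a member through it would fail to compile, while one that only takes its address would quietly get the stack base instead. If the macro is kept only for references that need the stack base, say so in a comment; otherwise removing it would be clearer.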
10913 @@ -163,6 +157,23 @@ struct thread_info {
10914 #define alloc_thread_info(tsk) \
10915 ((struct thread_info *)__get_free_pages(THREAD_FLAGS, THREAD_ORDER))
10916
10917 +#ifdef __ASSEMBLY__
10918 +/* how to get the thread information struct from ASM */
10919 +#define GET_THREAD_INFO(reg) \
10920 + mov PER_CPU_VAR(current_tinfo), reg
10921 +
10922 +/* use this one if reg already contains %esp */
10923 +#define GET_THREAD_INFO_WITH_ESP(reg) GET_THREAD_INFO(reg)
10924 +#else
10925 +/* how to get the thread information struct from C */
10926 +DECLARE_PER_CPU(struct thread_info *, current_tinfo);
10927 +
10928 +static __always_inline struct thread_info *current_thread_info(void)
10929 +{
10930 + return percpu_read_stable(current_tinfo);
10931 +}
10932 +#endif
10933 +
10934 #ifdef CONFIG_X86_32
10935
10936 #define STACK_WARN (THREAD_SIZE/8)
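Review bot: `GET_THREAD_INFO_WITH_ESP(reg)` keeps the comment "use this one if reg already contains %esp" but now simply expands to `GET_THREAD_INFO(reg)`, which overwrites `reg` from the per-CPU `current_tinfo`. The comment should say the precondition is gone, e.g. `/* reg's previous contents are ignored; kept for existing callers */`. Both the assembly macro and `current_thread_info()` now depend on `current_tinfo` being valid for the running CPU before first use, including early boot and the context-switch path. Where it is written is outside this hunk.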
10937 @@ -173,35 +184,13 @@ struct thread_info {
10938 */
10939 #ifndef __ASSEMBLY__
10940
10941 -
10942 /* how to get the current stack pointer from C */
10943 register unsigned long current_stack_pointer asm("esp") __used;
10944
10945 -/* how to get the thread information struct from C */
10946 -static inline struct thread_info *current_thread_info(void)
10947 -{
10948 - return (struct thread_info *)
10949 - (current_stack_pointer & ~(THREAD_SIZE - 1));
10950 -}
10951 -
10952 -#else /* !__ASSEMBLY__ */
10953 -
10954 -/* how to get the thread information struct from ASM */
10955 -#define GET_THREAD_INFO(reg) \
10956 - movl $-THREAD_SIZE, reg; \
10957 - andl %esp, reg
10958 -
10959 -/* use this one if reg already contains %esp */
10960 -#define GET_THREAD_INFO_WITH_ESP(reg) \
10961 - andl $-THREAD_SIZE, reg
10962 -
10963 #endif
10964
10965 #else /* X86_32 */
10966
10967 -#include <asm/percpu.h>
10968 -#define KERNEL_STACK_OFFSET (5*8)
10969 -
10970 /*
10971 * macros/functions for gaining access to the thread information structure
10972 * preempt_count needs to be 1 initially, until the scheduler is functional.
10973 @@ -209,21 +198,8 @@ static inline struct thread_info *curren
10974 #ifndef __ASSEMBLY__
10975 DECLARE_PER_CPU(unsigned long, kernel_stack);
10976
10977 -static inline struct thread_info *current_thread_info(void)
10978 -{
10979 - struct thread_info *ti;
10980 - ti = (void *)(percpu_read_stable(kernel_stack) +
10981 - KERNEL_STACK_OFFSET - THREAD_SIZE);
10982 - return ti;
10983 -}
10984 -
10985 -#else /* !__ASSEMBLY__ */
10986 -
10987 -/* how to get the thread information struct from ASM */
10988 -#define GET_THREAD_INFO(reg) \
10989 - movq PER_CPU_VAR(kernel_stack),reg ; \
10990 - subq $(THREAD_SIZE-KERNEL_STACK_OFFSET),reg
10991 -
10992 +/* how to get the current stack pointer from C */
10993 +register unsigned long current_stack_pointer asm("rsp") __used;
10994 #endif
10995
10996 #endif /* !X86_32 */
10997 @@ -260,5 +236,16 @@ extern void arch_task_cache_init(void);
10998 extern void free_thread_info(struct thread_info *ti);
10999 extern int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src);
11000 #define arch_task_cache_init arch_task_cache_init
11001 +
11002 +#define __HAVE_THREAD_FUNCTIONS
11003 +#define task_thread_info(task) (&(task)->tinfo)
11004 +#define task_stack_page(task) ((task)->stack)
11005 +#define setup_thread_stack(p, org) do {} while (0)
11006 +#define end_of_stack(p) ((unsigned long *)task_stack_page(p) + 1)
11007 +
11008 +#define __HAVE_ARCH_TASK_STRUCT_ALLOCATOR
11009 +extern struct task_struct *alloc_task_struct(void);
11010 +extern void free_task_struct(struct task_struct *);
11011 +
11012 #endif
11013 #endif /* _ASM_X86_THREAD_INFO_H */
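Review bot: `end_of_stack(p)` skips one `unsigned long` above `task_stack_page(p)` without saying what occupies that first word, and `setup_thread_stack()` becomes an empty statement. With `thread_info` moved into `task_struct` (`task_thread_info` returns `&(task)->tinfo`), the old reason for stepping past the bottom of the stack no longer applies, and nothing in the hunk explains the `+ 1`. A comment would help overflow-detection code that relies on this boundary, e.g. `/* lowest word of the stack is reserved for <purpose> */` with the purpose filled in.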
11014 diff -urNp linux-2.6.32.49/arch/x86/include/asm/uaccess_32.h linux-2.6.32.49/arch/x86/include/asm/uaccess_32.h
11015 --- linux-2.6.32.49/arch/x86/include/asm/uaccess_32.h 2011-11-08 19:02:43.000000000 -0500
11016 +++ linux-2.6.32.49/arch/x86/include/asm/uaccess_32.h 2011-11-15 19:59:42.000000000 -0500
11017 @@ -44,6 +44,11 @@ unsigned long __must_check __copy_from_u
11018 static __always_inline unsigned long __must_check
11019 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
11020 {
11021 + pax_track_stack();
11022 +
11023 + if ((long)n < 0)
11024 + return n;
11025 +
11026 if (__builtin_constant_p(n)) {
11027 unsigned long ret;
11028
11029 @@ -62,6 +67,8 @@ __copy_to_user_inatomic(void __user *to,
11030 return ret;
11031 }
11032 }
11033 + if (!__builtin_constant_p(n))
11034 + check_object_size(from, n, true);
11035 return __copy_to_user_ll(to, from, n);
11036 }
11037
11038 @@ -83,12 +90,16 @@ static __always_inline unsigned long __m
11039 __copy_to_user(void __user *to, const void *from, unsigned long n)
11040 {
11041 might_fault();
11042 +
11043 return __copy_to_user_inatomic(to, from, n);
11044 }
11045
11046 static __always_inline unsigned long
11047 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
11048 {
11049 + if ((long)n < 0)
11050 + return n;
11051 +
11052 /* Avoid zeroing the tail if the copy fails..
11053 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
11054 * but as the zeroing behaviour is only significant when n is not
11055 @@ -138,6 +149,12 @@ static __always_inline unsigned long
11056 __copy_from_user(void *to, const void __user *from, unsigned long n)
11057 {
11058 might_fault();
11059 +
11060 + pax_track_stack();
11061 +
11062 + if ((long)n < 0)
11063 + return n;
11064 +
11065 if (__builtin_constant_p(n)) {
11066 unsigned long ret;
11067
11068 @@ -153,6 +170,8 @@ __copy_from_user(void *to, const void __
11069 return ret;
11070 }
11071 }
11072 + if (!__builtin_constant_p(n))
11073 + check_object_size(to, n, false);
11074 return __copy_from_user_ll(to, from, n);
11075 }
11076
11077 @@ -160,6 +179,10 @@ static __always_inline unsigned long __c
11078 const void __user *from, unsigned long n)
11079 {
11080 might_fault();
11081 +
11082 + if ((long)n < 0)
11083 + return n;
11084 +
11085 if (__builtin_constant_p(n)) {
11086 unsigned long ret;
11087
11088 @@ -182,14 +205,62 @@ static __always_inline unsigned long
11089 __copy_from_user_inatomic_nocache(void *to, const void __user *from,
11090 unsigned long n)
11091 {
11092 - return __copy_from_user_ll_nocache_nozero(to, from, n);
11093 + if ((long)n < 0)
11094 + return n;
11095 +
11096 + return __copy_from_user_ll_nocache_nozero(to, from, n);
11097 +}
11098 +
11099 +/**
11100 + * copy_to_user: - Copy a block of data into user space.
11101 + * @to: Destination address, in user space.
11102 + * @from: Source address, in kernel space.
11103 + * @n: Number of bytes to copy.
11104 + *
11105 + * Context: User context only. This function may sleep.
11106 + *
11107 + * Copy data from kernel space to user space.
11108 + *
11109 + * Returns number of bytes that could not be copied.
11110 + * On success, this will be zero.
11111 + */
11112 +static __always_inline unsigned long __must_check
11113 +copy_to_user(void __user *to, const void *from, unsigned long n)
11114 +{
11115 + if (access_ok(VERIFY_WRITE, to, n))
11116 + n = __copy_to_user(to, from, n);
11117 + return n;
11118 +}
11119 +
11120 +/**
11121 + * copy_from_user: - Copy a block of data from user space.
11122 + * @to: Destination address, in kernel space.
11123 + * @from: Source address, in user space.
11124 + * @n: Number of bytes to copy.
11125 + *
11126 + * Context: User context only. This function may sleep.
11127 + *
11128 + * Copy data from user space to kernel space.
11129 + *
11130 + * Returns number of bytes that could not be copied.
11131 + * On success, this will be zero.
11132 + *
11133 + * If some data could not be copied, this function will pad the copied
11134 + * data to the requested size using zero bytes.
11135 + */
11136 +static __always_inline unsigned long __must_check
11137 +copy_from_user(void *to, const void __user *from, unsigned long n)
11138 +{
11139 + if (access_ok(VERIFY_READ, from, n))
11140 + n = __copy_from_user(to, from, n);
11141 + else if ((long)n > 0) {
11142 + if (!__builtin_constant_p(n))
11143 + check_object_size(to, n, false);
11144 + memset(to, 0, n);
11145 + }
11146 + return n;
11147 }
11148
11149 -unsigned long __must_check copy_to_user(void __user *to,
11150 - const void *from, unsigned long n);
11151 -unsigned long __must_check copy_from_user(void *to,
11152 - const void __user *from,
11153 - unsigned long n);
11154 long __must_check strncpy_from_user(char *dst, const char __user *src,
11155 long count);
11156 long __must_check __strncpy_from_user(char *dst,
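Review bot: `__copy_from_user_inatomic_nocache()` gains the `(long)n < 0` rejection but, unlike `__copy_from_user()` earlier in this file, does not call `check_object_size(to, n, false)` for a non-constant `n` before writing into the kernel buffer. `__copy_from_user_nocache()` in the preceding hunk shows the same sign check with no object-size check in its visible part, though its body continues outside that hunk. If the omission is intentional it should be commented; otherwise add `if (!__builtin_constant_p(n)) check_object_size(to, n, false);` before the `__copy_from_user_ll_nocache_nozero()` call.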
11157 diff -urNp linux-2.6.32.49/arch/x86/include/asm/uaccess_64.h linux-2.6.32.49/arch/x86/include/asm/uaccess_64.h
11158 --- linux-2.6.32.49/arch/x86/include/asm/uaccess_64.h 2011-11-08 19:02:43.000000000 -0500
11159 +++ linux-2.6.32.49/arch/x86/include/asm/uaccess_64.h 2011-11-15 19:59:42.000000000 -0500
11160 @@ -9,6 +9,9 @@
11161 #include <linux/prefetch.h>
11162 #include <linux/lockdep.h>
11163 #include <asm/page.h>
11164 +#include <asm/pgtable.h>
11165 +
11166 +#define set_fs(x) (current_thread_info()->addr_limit = (x))
11167
11168 /*
11169 * Copy To/From Userspace
11170 @@ -19,113 +22,203 @@ __must_check unsigned long
11171 copy_user_generic(void *to, const void *from, unsigned len);
11172
11173 __must_check unsigned long
11174 -copy_to_user(void __user *to, const void *from, unsigned len);
11175 -__must_check unsigned long
11176 -copy_from_user(void *to, const void __user *from, unsigned len);
11177 -__must_check unsigned long
11178 copy_in_user(void __user *to, const void __user *from, unsigned len);
11179
11180 static __always_inline __must_check
11181 -int __copy_from_user(void *dst, const void __user *src, unsigned size)
11182 +unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size)
11183 {
11184 - int ret = 0;
11185 + unsigned ret = 0;
11186
11187 might_fault();
11188 - if (!__builtin_constant_p(size))
11189 - return copy_user_generic(dst, (__force void *)src, size);
11190 +
11191 + if ((int)size < 0)
11192 + return size;
11193 +
11194 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11195 + if (!__access_ok(VERIFY_READ, src, size))
11196 + return size;
11197 +#endif
11198 +
11199 + if (!__builtin_constant_p(size)) {
11200 + check_object_size(dst, size, false);
11201 +
11202 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11203 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
11204 + src += PAX_USER_SHADOW_BASE;
11205 +#endif
11206 +
11207 + return copy_user_generic(dst, (__force_kernel const void *)src, size);
11208 + }
11209 switch (size) {
11210 - case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
11211 + case 1:__get_user_asm(*(u8 *)dst, (const u8 __user *)src,
11212 ret, "b", "b", "=q", 1);
11213 return ret;
11214 - case 2:__get_user_asm(*(u16 *)dst, (u16 __user *)src,
11215 + case 2:__get_user_asm(*(u16 *)dst, (const u16 __user *)src,
11216 ret, "w", "w", "=r", 2);
11217 return ret;
11218 - case 4:__get_user_asm(*(u32 *)dst, (u32 __user *)src,
11219 + case 4:__get_user_asm(*(u32 *)dst, (const u32 __user *)src,
11220 ret, "l", "k", "=r", 4);
11221 return ret;
11222 - case 8:__get_user_asm(*(u64 *)dst, (u64 __user *)src,
11223 + case 8:__get_user_asm(*(u64 *)dst, (const u64 __user *)src,
11224 ret, "q", "", "=r", 8);
11225 return ret;
11226 case 10:
11227 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
11228 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
11229 ret, "q", "", "=r", 10);
11230 if (unlikely(ret))
11231 return ret;
11232 __get_user_asm(*(u16 *)(8 + (char *)dst),
11233 - (u16 __user *)(8 + (char __user *)src),
11234 + (const u16 __user *)(8 + (const char __user *)src),
11235 ret, "w", "w", "=r", 2);
11236 return ret;
11237 case 16:
11238 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
11239 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
11240 ret, "q", "", "=r", 16);
11241 if (unlikely(ret))
11242 return ret;
11243 __get_user_asm(*(u64 *)(8 + (char *)dst),
11244 - (u64 __user *)(8 + (char __user *)src),
11245 + (const u64 __user *)(8 + (const char __user *)src),
11246 ret, "q", "", "=r", 8);
11247 return ret;
11248 default:
11249 - return copy_user_generic(dst, (__force void *)src, size);
11250 +
11251 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11252 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
11253 + src += PAX_USER_SHADOW_BASE;
11254 +#endif
11255 +
11256 + return copy_user_generic(dst, (__force_kernel const void *)src, size);
11257 }
11258 }
11259
11260 static __always_inline __must_check
11261 -int __copy_to_user(void __user *dst, const void *src, unsigned size)
11262 +unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size)
11263 {
11264 - int ret = 0;
11265 + unsigned ret = 0;
11266
11267 might_fault();
11268 - if (!__builtin_constant_p(size))
11269 - return copy_user_generic((__force void *)dst, src, size);
11270 +
11271 + pax_track_stack();
11272 +
11273 + if ((int)size < 0)
11274 + return size;
11275 +
11276 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11277 + if (!__access_ok(VERIFY_WRITE, dst, size))
11278 + return size;
11279 +#endif
11280 +
11281 + if (!__builtin_constant_p(size)) {
11282 + check_object_size(src, size, true);
11283 +
11284 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11285 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
11286 + dst += PAX_USER_SHADOW_BASE;
11287 +#endif
11288 +
11289 + return copy_user_generic((__force_kernel void *)dst, src, size);
11290 + }
11291 switch (size) {
11292 - case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
11293 + case 1:__put_user_asm(*(const u8 *)src, (u8 __user *)dst,
11294 ret, "b", "b", "iq", 1);
11295 return ret;
11296 - case 2:__put_user_asm(*(u16 *)src, (u16 __user *)dst,
11297 + case 2:__put_user_asm(*(const u16 *)src, (u16 __user *)dst,
11298 ret, "w", "w", "ir", 2);
11299 return ret;
11300 - case 4:__put_user_asm(*(u32 *)src, (u32 __user *)dst,
11301 + case 4:__put_user_asm(*(const u32 *)src, (u32 __user *)dst,
11302 ret, "l", "k", "ir", 4);
11303 return ret;
11304 - case 8:__put_user_asm(*(u64 *)src, (u64 __user *)dst,
11305 + case 8:__put_user_asm(*(const u64 *)src, (u64 __user *)dst,
11306 ret, "q", "", "er", 8);
11307 return ret;
11308 case 10:
11309 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
11310 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
11311 ret, "q", "", "er", 10);
11312 if (unlikely(ret))
11313 return ret;
11314 asm("":::"memory");
11315 - __put_user_asm(4[(u16 *)src], 4 + (u16 __user *)dst,
11316 + __put_user_asm(4[(const u16 *)src], 4 + (u16 __user *)dst,
11317 ret, "w", "w", "ir", 2);
11318 return ret;
11319 case 16:
11320 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
11321 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
11322 ret, "q", "", "er", 16);
11323 if (unlikely(ret))
11324 return ret;
11325 asm("":::"memory");
11326 - __put_user_asm(1[(u64 *)src], 1 + (u64 __user *)dst,
11327 + __put_user_asm(1[(const u64 *)src], 1 + (u64 __user *)dst,
11328 ret, "q", "", "er", 8);
11329 return ret;
11330 default:
11331 - return copy_user_generic((__force void *)dst, src, size);
11332 +
11333 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11334 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
11335 + dst += PAX_USER_SHADOW_BASE;
11336 +#endif
11337 +
11338 + return copy_user_generic((__force_kernel void *)dst, src, size);
11339 + }
11340 +}
11341 +
11342 +static __always_inline __must_check
11343 +unsigned long copy_to_user(void __user *to, const void *from, unsigned len)
11344 +{
11345 + if (access_ok(VERIFY_WRITE, to, len))
11346 + len = __copy_to_user(to, from, len);
11347 + return len;
11348 +}
11349 +
11350 +static __always_inline __must_check
11351 +unsigned long copy_from_user(void *to, const void __user *from, unsigned len)
11352 +{
11353 + if ((int)len < 0)
11354 + return len;
11355 +
11356 + if (access_ok(VERIFY_READ, from, len))
11357 + len = __copy_from_user(to, from, len);
11358 + else if ((int)len > 0) {
11359 + if (!__builtin_constant_p(len))
11360 + check_object_size(to, len, false);
11361 + memset(to, 0, len);
11362 }
11363 + return len;
11364 }
11365
11366 static __always_inline __must_check
11367 -int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
11368 +unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
11369 {
11370 - int ret = 0;
11371 + unsigned ret = 0;
11372
11373 might_fault();
11374 - if (!__builtin_constant_p(size))
11375 - return copy_user_generic((__force void *)dst,
11376 - (__force void *)src, size);
11377 +
11378 + pax_track_stack();
11379 +
11380 + if ((int)size < 0)
11381 + return size;
11382 +
11383 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11384 + if (!__access_ok(VERIFY_READ, src, size))
11385 + return size;
11386 + if (!__access_ok(VERIFY_WRITE, dst, size))
11387 + return size;
11388 +#endif
11389 +
11390 + if (!__builtin_constant_p(size)) {
11391 +
11392 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11393 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
11394 + src += PAX_USER_SHADOW_BASE;
11395 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
11396 + dst += PAX_USER_SHADOW_BASE;
11397 +#endif
11398 +
11399 + return copy_user_generic((__force_kernel void *)dst,
11400 + (__force_kernel const void *)src, size);
11401 + }
11402 switch (size) {
11403 case 1: {
11404 u8 tmp;
11405 - __get_user_asm(tmp, (u8 __user *)src,
11406 + __get_user_asm(tmp, (const u8 __user *)src,
11407 ret, "b", "b", "=q", 1);
11408 if (likely(!ret))
11409 __put_user_asm(tmp, (u8 __user *)dst,
11410 @@ -134,7 +227,7 @@ int __copy_in_user(void __user *dst, con
11411 }
11412 case 2: {
11413 u16 tmp;
11414 - __get_user_asm(tmp, (u16 __user *)src,
11415 + __get_user_asm(tmp, (const u16 __user *)src,
11416 ret, "w", "w", "=r", 2);
11417 if (likely(!ret))
11418 __put_user_asm(tmp, (u16 __user *)dst,
11419 @@ -144,7 +237,7 @@ int __copy_in_user(void __user *dst, con
11420
11421 case 4: {
11422 u32 tmp;
11423 - __get_user_asm(tmp, (u32 __user *)src,
11424 + __get_user_asm(tmp, (const u32 __user *)src,
11425 ret, "l", "k", "=r", 4);
11426 if (likely(!ret))
11427 __put_user_asm(tmp, (u32 __user *)dst,
11428 @@ -153,7 +246,7 @@ int __copy_in_user(void __user *dst, con
11429 }
11430 case 8: {
11431 u64 tmp;
11432 - __get_user_asm(tmp, (u64 __user *)src,
11433 + __get_user_asm(tmp, (const u64 __user *)src,
11434 ret, "q", "", "=r", 8);
11435 if (likely(!ret))
11436 __put_user_asm(tmp, (u64 __user *)dst,
11437 @@ -161,8 +254,16 @@ int __copy_in_user(void __user *dst, con
11438 return ret;
11439 }
11440 default:
11441 - return copy_user_generic((__force void *)dst,
11442 - (__force void *)src, size);
11443 +
11444 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11445 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
11446 + src += PAX_USER_SHADOW_BASE;
11447 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
11448 + dst += PAX_USER_SHADOW_BASE;
11449 +#endif
11450 +
11451 + return copy_user_generic((__force_kernel void *)dst,
11452 + (__force_kernel const void *)src, size);
11453 }
11454 }
11455
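Review bot: The `default:` branch repeats the `PAX_USER_SHADOW_BASE` rebasing of `src` and `dst` that the non-constant-size path of `__copy_in_user` already carries, and the next hunk writes the same test again in `__copy_from_user_inatomic` and `__copy_to_user_inatomic`. Every copy has to stay in step with the others, and a call site that omits it would hand `copy_user_generic` an unrebased pointer under `CONFIG_PAX_MEMORY_UDEREF`. A small helper, empty when the option is off, would reduce the rule to one definition, for example `#define pax_uderef_rebase(p) do { if ((unsigned long)(p) < PAX_USER_SHADOW_BASE) (p) += PAX_USER_SHADOW_BASE; } while (0)` (the name is only a suggestion). `__copy_in_user` starts outside this hunk.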
11456 @@ -176,33 +277,75 @@ __must_check long strlen_user(const char
11457 __must_check unsigned long clear_user(void __user *mem, unsigned long len);
11458 __must_check unsigned long __clear_user(void __user *mem, unsigned long len);
11459
11460 -__must_check long __copy_from_user_inatomic(void *dst, const void __user *src,
11461 - unsigned size);
11462 +static __must_check __always_inline unsigned long
11463 +__copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
11464 +{
11465 + pax_track_stack();
11466 +
11467 + if ((int)size < 0)
11468 + return size;
11469 +
11470 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11471 + if (!__access_ok(VERIFY_READ, src, size))
11472 + return size;
11473 +
11474 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
11475 + src += PAX_USER_SHADOW_BASE;
11476 +#endif
11477
11478 -static __must_check __always_inline int
11479 + return copy_user_generic(dst, (__force_kernel const void *)src, size);
11480 +}
11481 +
11482 +static __must_check __always_inline unsigned long
11483 __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
11484 {
11485 - return copy_user_generic((__force void *)dst, src, size);
11486 + if ((int)size < 0)
11487 + return size;
11488 +
11489 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11490 + if (!__access_ok(VERIFY_WRITE, dst, size))
11491 + return size;
11492 +
11493 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
11494 + dst += PAX_USER_SHADOW_BASE;
11495 +#endif
11496 +
11497 + return copy_user_generic((__force_kernel void *)dst, src, size);
11498 }
11499
11500 -extern long __copy_user_nocache(void *dst, const void __user *src,
11501 +extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
11502 unsigned size, int zerorest);
11503
11504 -static inline int
11505 -__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
11506 +static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
11507 {
11508 might_sleep();
11509 +
11510 + if ((int)size < 0)
11511 + return size;
11512 +
11513 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11514 + if (!__access_ok(VERIFY_READ, src, size))
11515 + return size;
11516 +#endif
11517 +
11518 return __copy_user_nocache(dst, src, size, 1);
11519 }
11520
11521 -static inline int
11522 -__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
11523 +static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
11524 unsigned size)
11525 {
11526 + if ((int)size < 0)
11527 + return size;
11528 +
11529 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11530 + if (!__access_ok(VERIFY_READ, src, size))
11531 + return size;
11532 +#endif
11533 +
11534 return __copy_user_nocache(dst, src, size, 0);
11535 }
11536
11537 -unsigned long
11538 -copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
11539 +extern unsigned long
11540 +copy_user_handle_tail(char __user *to, char __user *from, unsigned len, unsigned zerorest);
11541
11542 #endif /* _ASM_X86_UACCESS_64_H */
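Review bot: `__copy_from_user_nocache` and `__copy_from_user_inatomic_nocache` run the `__access_ok` check under `CONFIG_PAX_MEMORY_UDEREF` but pass `src` to `__copy_user_nocache` unchanged, whereas `__copy_from_user_inatomic` and `__copy_to_user_inatomic` in the same hunk add `PAX_USER_SHADOW_BASE` before calling `copy_user_generic`. `__copy_user_nocache` is only declared here, so this hunk does not show whether it rebases internally. If it does, a comment such as `/* __copy_user_nocache() rebases src for UDEREF itself */` would stop a later reader from "fixing" the asymmetry; if it does not, the two-line rebasing is missing. `pax_track_stack()` is likewise called in `__copy_from_user_inatomic` but not in `__copy_to_user_inatomic`, which is worth confirming as intended.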
11543 diff -urNp linux-2.6.32.49/arch/x86/include/asm/uaccess.h linux-2.6.32.49/arch/x86/include/asm/uaccess.h
11544 --- linux-2.6.32.49/arch/x86/include/asm/uaccess.h 2011-11-08 19:02:43.000000000 -0500
11545 +++ linux-2.6.32.49/arch/x86/include/asm/uaccess.h 2011-11-15 19:59:42.000000000 -0500
11546 @@ -8,12 +8,15 @@
11547 #include <linux/thread_info.h>
11548 #include <linux/prefetch.h>
11549 #include <linux/string.h>
11550 +#include <linux/sched.h>
11551 #include <asm/asm.h>
11552 #include <asm/page.h>
11553
11554 #define VERIFY_READ 0
11555 #define VERIFY_WRITE 1
11556
11557 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
11558 +
11559 /*
11560 * The fs value determines whether argument validity checking should be
11561 * performed or not. If get_fs() == USER_DS, checking is performed, with
11562 @@ -29,7 +32,12 @@
11563
11564 #define get_ds() (KERNEL_DS)
11565 #define get_fs() (current_thread_info()->addr_limit)
11566 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
11567 +void __set_fs(mm_segment_t x);
11568 +void set_fs(mm_segment_t x);
11569 +#else
11570 #define set_fs(x) (current_thread_info()->addr_limit = (x))
11571 +#endif
11572
11573 #define segment_eq(a, b) ((a).seg == (b).seg)
11574
11575 @@ -77,7 +85,33 @@
11576 * checks that the pointer is in the user space range - after calling
11577 * this function, memory access functions may still return -EFAULT.
11578 */
11579 -#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
11580 +#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
11581 +#define access_ok(type, addr, size) \
11582 +({ \
11583 + long __size = size; \
11584 + unsigned long __addr = (unsigned long)addr; \
11585 + unsigned long __addr_ao = __addr & PAGE_MASK; \
11586 + unsigned long __end_ao = __addr + __size - 1; \
11587 + bool __ret_ao = __range_not_ok(__addr, __size) == 0; \
11588 + if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
11589 + while(__addr_ao <= __end_ao) { \
11590 + char __c_ao; \
11591 + __addr_ao += PAGE_SIZE; \
11592 + if (__size > PAGE_SIZE) \
11593 + cond_resched(); \
11594 + if (__get_user(__c_ao, (char __user *)__addr)) \
11595 + break; \
11596 + if (type != VERIFY_WRITE) { \
11597 + __addr = __addr_ao; \
11598 + continue; \
11599 + } \
11600 + if (__put_user(__c_ao, (char __user *)__addr)) \
11601 + break; \
11602 + __addr = __addr_ao; \
11603 + } \
11604 + } \
11605 + __ret_ao; \
11606 +})
11607
11608 /*
11609 * The exception table consists of pairs of addresses: the first is the
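Review bot: The new `access_ok` macro uses its arguments without parentheses in `long __size = size;`, `(unsigned long)addr` and `type != VERIFY_WRITE`. The cast binds tighter than any operator inside the argument, so a typed-pointer expression such as `p + n` is cast before the addition and a different address is checked. Writing `long __size = (size);`, `unsigned long __addr = (unsigned long)(addr);` and `(type) != VERIFY_WRITE` avoids that. The page-touching loop also deserves a comment, because `__ret_ao` is computed before the loop and never updated inside it: `/* pre-fault every page of a multi-page range; a failure here does not change the result */`.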
11610 @@ -183,12 +217,20 @@ extern int __get_user_bad(void);
11611 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
11612 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
11613
11614 -
11615 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
11616 +#define __copyuser_seg "gs;"
11617 +#define __COPYUSER_SET_ES "pushl %%gs; popl %%es\n"
11618 +#define __COPYUSER_RESTORE_ES "pushl %%ss; popl %%es\n"
11619 +#else
11620 +#define __copyuser_seg
11621 +#define __COPYUSER_SET_ES
11622 +#define __COPYUSER_RESTORE_ES
11623 +#endif
11624
11625 #ifdef CONFIG_X86_32
11626 #define __put_user_asm_u64(x, addr, err, errret) \
11627 - asm volatile("1: movl %%eax,0(%2)\n" \
11628 - "2: movl %%edx,4(%2)\n" \
11629 + asm volatile("1: "__copyuser_seg"movl %%eax,0(%2)\n" \
11630 + "2: "__copyuser_seg"movl %%edx,4(%2)\n" \
11631 "3:\n" \
11632 ".section .fixup,\"ax\"\n" \
11633 "4: movl %3,%0\n" \
11634 @@ -200,8 +242,8 @@ extern int __get_user_bad(void);
11635 : "A" (x), "r" (addr), "i" (errret), "0" (err))
11636
11637 #define __put_user_asm_ex_u64(x, addr) \
11638 - asm volatile("1: movl %%eax,0(%1)\n" \
11639 - "2: movl %%edx,4(%1)\n" \
11640 + asm volatile("1: "__copyuser_seg"movl %%eax,0(%1)\n" \
11641 + "2: "__copyuser_seg"movl %%edx,4(%1)\n" \
11642 "3:\n" \
11643 _ASM_EXTABLE(1b, 2b - 1b) \
11644 _ASM_EXTABLE(2b, 3b - 2b) \
11645 @@ -253,7 +295,7 @@ extern void __put_user_8(void);
11646 __typeof__(*(ptr)) __pu_val; \
11647 __chk_user_ptr(ptr); \
11648 might_fault(); \
11649 - __pu_val = x; \
11650 + __pu_val = (x); \
11651 switch (sizeof(*(ptr))) { \
11652 case 1: \
11653 __put_user_x(1, __pu_val, ptr, __ret_pu); \
11654 @@ -374,7 +416,7 @@ do { \
11655 } while (0)
11656
11657 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
11658 - asm volatile("1: mov"itype" %2,%"rtype"1\n" \
11659 + asm volatile("1: "__copyuser_seg"mov"itype" %2,%"rtype"1\n"\
11660 "2:\n" \
11661 ".section .fixup,\"ax\"\n" \
11662 "3: mov %3,%0\n" \
11663 @@ -382,7 +424,7 @@ do { \
11664 " jmp 2b\n" \
11665 ".previous\n" \
11666 _ASM_EXTABLE(1b, 3b) \
11667 - : "=r" (err), ltype(x) \
11668 + : "=r" (err), ltype (x) \
11669 : "m" (__m(addr)), "i" (errret), "0" (err))
11670
11671 #define __get_user_size_ex(x, ptr, size) \
11672 @@ -407,7 +449,7 @@ do { \
11673 } while (0)
11674
11675 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
11676 - asm volatile("1: mov"itype" %1,%"rtype"0\n" \
11677 + asm volatile("1: "__copyuser_seg"mov"itype" %1,%"rtype"0\n"\
11678 "2:\n" \
11679 _ASM_EXTABLE(1b, 2b - 1b) \
11680 : ltype(x) : "m" (__m(addr)))
11681 @@ -424,13 +466,24 @@ do { \
11682 int __gu_err; \
11683 unsigned long __gu_val; \
11684 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
11685 - (x) = (__force __typeof__(*(ptr)))__gu_val; \
11686 + (x) = (__typeof__(*(ptr)))__gu_val; \
11687 __gu_err; \
11688 })
11689
11690 /* FIXME: this hack is definitely wrong -AK */
11691 struct __large_struct { unsigned long buf[100]; };
11692 -#define __m(x) (*(struct __large_struct __user *)(x))
11693 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
11694 +#define ____m(x) \
11695 +({ \
11696 + unsigned long ____x = (unsigned long)(x); \
11697 + if (____x < PAX_USER_SHADOW_BASE) \
11698 + ____x += PAX_USER_SHADOW_BASE; \
11699 + (void __user *)____x; \
11700 +})
11701 +#else
11702 +#define ____m(x) (x)
11703 +#endif
11704 +#define __m(x) (*(struct __large_struct __user *)____m(x))
11705
11706 /*
11707 * Tell gcc we read from memory instead of writing: this is because
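Review bot: `____m` is introduced without a comment, and its effect is not obvious at the call sites: every `__m(addr)` operand in `__get_user_asm` and `__put_user_asm` is now shifted by `PAX_USER_SHADOW_BASE` when the address is below it. A one-line comment above the `#if` would help, for example `/* UDEREF on x86-64: user pointers below PAX_USER_SHADOW_BASE are accessed through the shadow range */` (wording to be confirmed against the UDEREF design). The same hunk drops `__force` from the `__gu_val` cast, which changes only what sparse reports, and the reason for that is not recorded either.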
11708 @@ -438,7 +491,7 @@ struct __large_struct { unsigned long bu
11709 * aliasing issues.
11710 */
11711 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
11712 - asm volatile("1: mov"itype" %"rtype"1,%2\n" \
11713 + asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"1,%2\n"\
11714 "2:\n" \
11715 ".section .fixup,\"ax\"\n" \
11716 "3: mov %3,%0\n" \
11717 @@ -446,10 +499,10 @@ struct __large_struct { unsigned long bu
11718 ".previous\n" \
11719 _ASM_EXTABLE(1b, 3b) \
11720 : "=r"(err) \
11721 - : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
11722 + : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err))
11723
11724 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
11725 - asm volatile("1: mov"itype" %"rtype"0,%1\n" \
11726 + asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"0,%1\n"\
11727 "2:\n" \
11728 _ASM_EXTABLE(1b, 2b - 1b) \
11729 : : ltype(x), "m" (__m(addr)))
11730 @@ -488,8 +541,12 @@ struct __large_struct { unsigned long bu
11731 * On error, the variable @x is set to zero.
11732 */
11733
11734 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
11735 +#define __get_user(x, ptr) get_user((x), (ptr))
11736 +#else
11737 #define __get_user(x, ptr) \
11738 __get_user_nocheck((x), (ptr), sizeof(*(ptr)))
11739 +#endif
11740
11741 /**
11742 * __put_user: - Write a simple value into user space, with less checking.
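Review bot: With `CONFIG_X86_64` and `CONFIG_PAX_MEMORY_UDEREF` set, `__get_user` now expands to `get_user`, and the next hunk does the same for `__put_user`, so the kernel-doc that calls these the "less checking" variants no longer describes that configuration. A comment at each `#if` would record the intent, for example `/* UDEREF on x86-64: route the unchecked variant through get_user() */`. Callers that chose `__get_user` because they had already validated the range, or because of the context they run in, now take the checked path. That looks deliberate, but nothing in the hunk states it.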
11743 @@ -511,8 +568,12 @@ struct __large_struct { unsigned long bu
11744 * Returns zero on success, or -EFAULT on error.
11745 */
11746
11747 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
11748 +#define __put_user(x, ptr) put_user((x), (ptr))
11749 +#else
11750 #define __put_user(x, ptr) \
11751 __put_user_nocheck((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)))
11752 +#endif
11753
11754 #define __get_user_unaligned __get_user
11755 #define __put_user_unaligned __put_user
11756 @@ -530,7 +591,7 @@ struct __large_struct { unsigned long bu
11757 #define get_user_ex(x, ptr) do { \
11758 unsigned long __gue_val; \
11759 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
11760 - (x) = (__force __typeof__(*(ptr)))__gue_val; \
11761 + (x) = (__typeof__(*(ptr)))__gue_val; \
11762 } while (0)
11763
11764 #ifdef CONFIG_X86_WP_WORKS_OK
11765 @@ -567,6 +628,7 @@ extern struct movsl_mask {
11766
11767 #define ARCH_HAS_NOCACHE_UACCESS 1
11768
11769 +#define ARCH_HAS_SORT_EXTABLE
11770 #ifdef CONFIG_X86_32
11771 # include "uaccess_32.h"
11772 #else
11773 diff -urNp linux-2.6.32.49/arch/x86/include/asm/vdso.h linux-2.6.32.49/arch/x86/include/asm/vdso.h
11774 --- linux-2.6.32.49/arch/x86/include/asm/vdso.h 2011-11-08 19:02:43.000000000 -0500
11775 +++ linux-2.6.32.49/arch/x86/include/asm/vdso.h 2011-11-15 19:59:42.000000000 -0500
11776 @@ -25,7 +25,7 @@ extern const char VDSO32_PRELINK[];
11777 #define VDSO32_SYMBOL(base, name) \
11778 ({ \
11779 extern const char VDSO32_##name[]; \
11780 - (void *)(VDSO32_##name - VDSO32_PRELINK + (unsigned long)(base)); \
11781 + (void __user *)(VDSO32_##name - VDSO32_PRELINK + (unsigned long)(base)); \
11782 })
11783 #endif
11784
11785 diff -urNp linux-2.6.32.49/arch/x86/include/asm/vgtod.h linux-2.6.32.49/arch/x86/include/asm/vgtod.h
11786 --- linux-2.6.32.49/arch/x86/include/asm/vgtod.h 2011-11-08 19:02:43.000000000 -0500
11787 +++ linux-2.6.32.49/arch/x86/include/asm/vgtod.h 2011-11-15 19:59:42.000000000 -0500
11788 @@ -14,6 +14,7 @@ struct vsyscall_gtod_data {
11789 int sysctl_enabled;
11790 struct timezone sys_tz;
11791 struct { /* extract of a clocksource struct */
11792 + char name[8];
11793 cycle_t (*vread)(void);
11794 cycle_t cycle_last;
11795 cycle_t mask;
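Review bot: The new `char name[8]` in the clocksource extract is a fixed-size buffer, and the code that fills it is outside this hunk. Whatever writes it has to bound the copy to the size of the field and leave a terminating NUL if a clocksource name can exceed seven characters. A comment on the field would record that contract, for example `char name[8]; /* clocksource name, truncated, always NUL-terminated */`, assuming that is what the writer guarantees.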
11796 diff -urNp linux-2.6.32.49/arch/x86/include/asm/vmi.h linux-2.6.32.49/arch/x86/include/asm/vmi.h
11797 --- linux-2.6.32.49/arch/x86/include/asm/vmi.h 2011-11-08 19:02:43.000000000 -0500
11798 +++ linux-2.6.32.49/arch/x86/include/asm/vmi.h 2011-11-15 19:59:42.000000000 -0500
11799 @@ -191,6 +191,7 @@ struct vrom_header {
11800 u8 reserved[96]; /* Reserved for headers */
11801 char vmi_init[8]; /* VMI_Init jump point */
11802 char get_reloc[8]; /* VMI_GetRelocationInfo jump point */
11803 + char rom_data[8048]; /* rest of the option ROM */
11804 } __attribute__((packed));
11805
11806 struct pnp_header {
11807 diff -urNp linux-2.6.32.49/arch/x86/include/asm/vmi_time.h linux-2.6.32.49/arch/x86/include/asm/vmi_time.h
11808 --- linux-2.6.32.49/arch/x86/include/asm/vmi_time.h 2011-11-08 19:02:43.000000000 -0500
11809 +++ linux-2.6.32.49/arch/x86/include/asm/vmi_time.h 2011-11-15 19:59:42.000000000 -0500
11810 @@ -43,7 +43,7 @@ extern struct vmi_timer_ops {
11811 int (*wallclock_updated)(void);
11812 void (*set_alarm)(u32 flags, u64 expiry, u64 period);
11813 void (*cancel_alarm)(u32 flags);
11814 -} vmi_timer_ops;
11815 +} __no_const vmi_timer_ops;
11816
11817 /* Prototypes */
11818 extern void __init vmi_time_init(void);
11819 diff -urNp linux-2.6.32.49/arch/x86/include/asm/vsyscall.h linux-2.6.32.49/arch/x86/include/asm/vsyscall.h
11820 --- linux-2.6.32.49/arch/x86/include/asm/vsyscall.h 2011-11-08 19:02:43.000000000 -0500
11821 +++ linux-2.6.32.49/arch/x86/include/asm/vsyscall.h 2011-11-15 19:59:42.000000000 -0500
11822 @@ -15,9 +15,10 @@ enum vsyscall_num {
11823
11824 #ifdef __KERNEL__
11825 #include <linux/seqlock.h>
11826 +#include <linux/getcpu.h>
11827 +#include <linux/time.h>
11828
11829 #define __section_vgetcpu_mode __attribute__ ((unused, __section__ (".vgetcpu_mode"), aligned(16)))
11830 -#define __section_jiffies __attribute__ ((unused, __section__ (".jiffies"), aligned(16)))
11831
11832 /* Definitions for CONFIG_GENERIC_TIME definitions */
11833 #define __section_vsyscall_gtod_data __attribute__ \
11834 @@ -31,7 +32,6 @@ enum vsyscall_num {
11835 #define VGETCPU_LSL 2
11836
11837 extern int __vgetcpu_mode;
11838 -extern volatile unsigned long __jiffies;
11839
11840 /* kernel space (writeable) */
11841 extern int vgetcpu_mode;
11842 @@ -39,6 +39,9 @@ extern struct timezone sys_tz;
11843
11844 extern void map_vsyscall(void);
11845
11846 +extern int vgettimeofday(struct timeval * tv, struct timezone * tz);
11847 +extern time_t vtime(time_t *t);
11848 +extern long vgetcpu(unsigned *cpu, unsigned *node, struct getcpu_cache *tcache);
11849 #endif /* __KERNEL__ */
11850
11851 #endif /* _ASM_X86_VSYSCALL_H */
11852 diff -urNp linux-2.6.32.49/arch/x86/include/asm/x86_init.h linux-2.6.32.49/arch/x86/include/asm/x86_init.h
11853 --- linux-2.6.32.49/arch/x86/include/asm/x86_init.h 2011-11-08 19:02:43.000000000 -0500
11854 +++ linux-2.6.32.49/arch/x86/include/asm/x86_init.h 2011-11-15 19:59:42.000000000 -0500
11855 @@ -28,7 +28,7 @@ struct x86_init_mpparse {
11856 void (*mpc_oem_bus_info)(struct mpc_bus *m, char *name);
11857 void (*find_smp_config)(unsigned int reserve);
11858 void (*get_smp_config)(unsigned int early);
11859 -};
11860 +} __no_const;
11861
11862 /**
11863 * struct x86_init_resources - platform specific resource related ops
11864 @@ -42,7 +42,7 @@ struct x86_init_resources {
11865 void (*probe_roms)(void);
11866 void (*reserve_resources)(void);
11867 char *(*memory_setup)(void);
11868 -};
11869 +} __no_const;
11870
11871 /**
11872 * struct x86_init_irqs - platform specific interrupt setup
11873 @@ -55,7 +55,7 @@ struct x86_init_irqs {
11874 void (*pre_vector_init)(void);
11875 void (*intr_init)(void);
11876 void (*trap_init)(void);
11877 -};
11878 +} __no_const;
11879
11880 /**
11881 * struct x86_init_oem - oem platform specific customizing functions
11882 @@ -65,7 +65,7 @@ struct x86_init_irqs {
11883 struct x86_init_oem {
11884 void (*arch_setup)(void);
11885 void (*banner)(void);
11886 -};
11887 +} __no_const;
11888
11889 /**
11890 * struct x86_init_paging - platform specific paging functions
11891 @@ -75,7 +75,7 @@ struct x86_init_oem {
11892 struct x86_init_paging {
11893 void (*pagetable_setup_start)(pgd_t *base);
11894 void (*pagetable_setup_done)(pgd_t *base);
11895 -};
11896 +} __no_const;
11897
11898 /**
11899 * struct x86_init_timers - platform specific timer setup
11900 @@ -88,7 +88,7 @@ struct x86_init_timers {
11901 void (*setup_percpu_clockev)(void);
11902 void (*tsc_pre_init)(void);
11903 void (*timer_init)(void);
11904 -};
11905 +} __no_const;
11906
11907 /**
11908 * struct x86_init_ops - functions for platform specific setup
11909 @@ -101,7 +101,7 @@ struct x86_init_ops {
11910 struct x86_init_oem oem;
11911 struct x86_init_paging paging;
11912 struct x86_init_timers timers;
11913 -};
11914 +} __no_const;
11915
11916 /**
11917 * struct x86_cpuinit_ops - platform specific cpu hotplug setups
11918 @@ -109,7 +109,7 @@ struct x86_init_ops {
11919 */
11920 struct x86_cpuinit_ops {
11921 void (*setup_percpu_clockev)(void);
11922 -};
11923 +} __no_const;
11924
11925 /**
11926 * struct x86_platform_ops - platform specific runtime functions
11927 @@ -121,7 +121,7 @@ struct x86_platform_ops {
11928 unsigned long (*calibrate_tsc)(void);
11929 unsigned long (*get_wallclock)(void);
11930 int (*set_wallclock)(unsigned long nowtime);
11931 -};
11932 +} __no_const;
11933
11934 extern struct x86_init_ops x86_init;
11935 extern struct x86_cpuinit_ops x86_cpuinit;
11936 diff -urNp linux-2.6.32.49/arch/x86/include/asm/xsave.h linux-2.6.32.49/arch/x86/include/asm/xsave.h
11937 --- linux-2.6.32.49/arch/x86/include/asm/xsave.h 2011-11-08 19:02:43.000000000 -0500
11938 +++ linux-2.6.32.49/arch/x86/include/asm/xsave.h 2011-11-15 19:59:42.000000000 -0500
11939 @@ -56,6 +56,12 @@ static inline int xrstor_checking(struct
11940 static inline int xsave_user(struct xsave_struct __user *buf)
11941 {
11942 int err;
11943 +
11944 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
11945 + if ((unsigned long)buf < PAX_USER_SHADOW_BASE)
11946 + buf = (struct xsave_struct __user *)((void __user*)buf + PAX_USER_SHADOW_BASE);
11947 +#endif
11948 +
11949 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x27\n"
11950 "2:\n"
11951 ".section .fixup,\"ax\"\n"
11952 @@ -78,10 +84,15 @@ static inline int xsave_user(struct xsav
11953 static inline int xrestore_user(struct xsave_struct __user *buf, u64 mask)
11954 {
11955 int err;
11956 - struct xsave_struct *xstate = ((__force struct xsave_struct *)buf);
11957 + struct xsave_struct *xstate = ((__force_kernel struct xsave_struct *)buf);
11958 u32 lmask = mask;
11959 u32 hmask = mask >> 32;
11960
11961 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
11962 + if ((unsigned long)xstate < PAX_USER_SHADOW_BASE)
11963 + xstate = (struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE);
11964 +#endif
11965 +
11966 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
11967 "2:\n"
11968 ".section .fixup,\"ax\"\n"
11969 diff -urNp linux-2.6.32.49/arch/x86/Kconfig linux-2.6.32.49/arch/x86/Kconfig
11970 --- linux-2.6.32.49/arch/x86/Kconfig 2011-11-08 19:02:43.000000000 -0500
11971 +++ linux-2.6.32.49/arch/x86/Kconfig 2011-11-15 19:59:42.000000000 -0500
11972 @@ -223,7 +223,7 @@ config X86_TRAMPOLINE
11973
11974 config X86_32_LAZY_GS
11975 def_bool y
11976 - depends on X86_32 && !CC_STACKPROTECTOR
11977 + depends on X86_32 && !CC_STACKPROTECTOR && !PAX_MEMORY_UDEREF
11978
11979 config KTIME_SCALAR
11980 def_bool X86_32
11981 @@ -1008,7 +1008,7 @@ choice
11982
11983 config NOHIGHMEM
11984 bool "off"
11985 - depends on !X86_NUMAQ
11986 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
11987 ---help---
11988 Linux can use up to 64 Gigabytes of physical memory on x86 systems.
11989 However, the address space of 32-bit x86 processors is only 4
11990 @@ -1045,7 +1045,7 @@ config NOHIGHMEM
11991
11992 config HIGHMEM4G
11993 bool "4GB"
11994 - depends on !X86_NUMAQ
11995 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
11996 ---help---
11997 Select this if you have a 32-bit processor and between 1 and 4
11998 gigabytes of physical RAM.
11999 @@ -1099,7 +1099,7 @@ config PAGE_OFFSET
12000 hex
12001 default 0xB0000000 if VMSPLIT_3G_OPT
12002 default 0x80000000 if VMSPLIT_2G
12003 - default 0x78000000 if VMSPLIT_2G_OPT
12004 + default 0x70000000 if VMSPLIT_2G_OPT
12005 default 0x40000000 if VMSPLIT_1G
12006 default 0xC0000000
12007 depends on X86_32
12008 @@ -1460,6 +1460,7 @@ config SECCOMP
12009
12010 config CC_STACKPROTECTOR
12011 bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
12012 + depends on X86_64 || !PAX_MEMORY_UDEREF
12013 ---help---
12014 This option turns on the -fstack-protector GCC feature. This
12015 feature puts, at the beginning of functions, a canary value on
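Review bot: The added `depends on X86_64 || !PAX_MEMORY_UDEREF` removes `CC_STACKPROTECTOR` from 32-bit configurations as soon as UDEREF is enabled, and neither the prompt nor the help text gives any hint of it. The uaccess.h changes in this patch put a `gs` override on 32-bit user accesses, which is presumably the reason, but a person configuring the kernel only sees the option vanish. A line in the help text would make the trade-off explicit, for example `Not available on 32-bit kernels with PAX_MEMORY_UDEREF.`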
12016 @@ -1517,6 +1518,7 @@ config KEXEC_JUMP
12017 config PHYSICAL_START
12018 hex "Physical address where the kernel is loaded" if (EMBEDDED || CRASH_DUMP)
12019 default "0x1000000"
12020 + range 0x400000 0x40000000
12021 ---help---
12022 This gives the physical address where the kernel is loaded.
12023
12024 @@ -1581,6 +1583,7 @@ config PHYSICAL_ALIGN
12025 hex
12026 prompt "Alignment value to which kernel should be aligned" if X86_32
12027 default "0x1000000"
12028 + range 0x400000 0x1000000 if PAX_KERNEXEC
12029 range 0x2000 0x1000000
12030 ---help---
12031 This value puts the alignment restrictions on physical address
12032 @@ -1612,9 +1615,10 @@ config HOTPLUG_CPU
12033 Say N if you want to disable CPU hotplug.
12034
12035 config COMPAT_VDSO
12036 - def_bool y
12037 + def_bool n
12038 prompt "Compat VDSO support"
12039 depends on X86_32 || IA32_EMULATION
12040 + depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
12041 ---help---
12042 Map the 32-bit VDSO to the predictable old-style address too.
12043 ---help---
12044 diff -urNp linux-2.6.32.49/arch/x86/Kconfig.cpu linux-2.6.32.49/arch/x86/Kconfig.cpu
12045 --- linux-2.6.32.49/arch/x86/Kconfig.cpu 2011-11-08 19:02:43.000000000 -0500
12046 +++ linux-2.6.32.49/arch/x86/Kconfig.cpu 2011-11-15 19:59:42.000000000 -0500
12047 @@ -340,7 +340,7 @@ config X86_PPRO_FENCE
12048
12049 config X86_F00F_BUG
12050 def_bool y
12051 - depends on M586MMX || M586TSC || M586 || M486 || M386
12052 + depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
12053
12054 config X86_WP_WORKS_OK
12055 def_bool y
12056 @@ -360,7 +360,7 @@ config X86_POPAD_OK
12057
12058 config X86_ALIGNMENT_16
12059 def_bool y
12060 - depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
12061 + depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
12062
12063 config X86_INTEL_USERCOPY
12064 def_bool y
12065 @@ -406,7 +406,7 @@ config X86_CMPXCHG64
12066 # generates cmov.
12067 config X86_CMOV
12068 def_bool y
12069 - depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM)
12070 + depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM)
12071
12072 config X86_MINIMUM_CPU_FAMILY
12073 int
12074 diff -urNp linux-2.6.32.49/arch/x86/Kconfig.debug linux-2.6.32.49/arch/x86/Kconfig.debug
12075 --- linux-2.6.32.49/arch/x86/Kconfig.debug 2011-11-08 19:02:43.000000000 -0500
12076 +++ linux-2.6.32.49/arch/x86/Kconfig.debug 2011-11-15 19:59:42.000000000 -0500
12077 @@ -99,7 +99,7 @@ config X86_PTDUMP
12078 config DEBUG_RODATA
12079 bool "Write protect kernel read-only data structures"
12080 default y
12081 - depends on DEBUG_KERNEL
12082 + depends on DEBUG_KERNEL && BROKEN
12083 ---help---
12084 Mark the kernel read-only data as write-protected in the pagetables,
12085 in order to catch accidental (and incorrect) writes to such const
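Review bot: Adding `&& BROKEN` makes `DEBUG_RODATA` unselectable in every configuration, including kernels built from this tree with the PaX options off. Those builds lose write protection of read-only data unless another option in the patch provides it, which this hunk does not show. If the intent is only to avoid overlap with a PaX feature, a narrower dependency would keep the option available elsewhere, for example `depends on DEBUG_KERNEL && !PAX_KERNEXEC` if KERNEXEC is the feature in question. In either case the help text should say why the option is gone.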
12086 diff -urNp linux-2.6.32.49/arch/x86/kernel/acpi/realmode/Makefile linux-2.6.32.49/arch/x86/kernel/acpi/realmode/Makefile
12087 --- linux-2.6.32.49/arch/x86/kernel/acpi/realmode/Makefile 2011-11-08 19:02:43.000000000 -0500
12088 +++ linux-2.6.32.49/arch/x86/kernel/acpi/realmode/Makefile 2011-11-15 19:59:42.000000000 -0500
12089 @@ -41,6 +41,9 @@ KBUILD_CFLAGS := $(LINUXINCLUDE) -g -Os
12090 $(call cc-option, -fno-stack-protector) \
12091 $(call cc-option, -mpreferred-stack-boundary=2)
12092 KBUILD_CFLAGS += $(call cc-option, -m32)
12093 +ifdef CONSTIFY_PLUGIN
12094 +KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
12095 +endif
12096 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
12097 GCOV_PROFILE := n
12098
12099 diff -urNp linux-2.6.32.49/arch/x86/kernel/acpi/realmode/wakeup.S linux-2.6.32.49/arch/x86/kernel/acpi/realmode/wakeup.S
12100 --- linux-2.6.32.49/arch/x86/kernel/acpi/realmode/wakeup.S 2011-11-08 19:02:43.000000000 -0500
12101 +++ linux-2.6.32.49/arch/x86/kernel/acpi/realmode/wakeup.S 2011-11-15 19:59:42.000000000 -0500
12102 @@ -91,6 +91,9 @@ _start:
12103 /* Do any other stuff... */
12104
12105 #ifndef CONFIG_64BIT
12106 + /* Recheck NX bit overrides (64bit path does this in trampoline) */
12107 + call verify_cpu
12108 +
12109 /* This could also be done in C code... */
12110 movl pmode_cr3, %eax
12111 movl %eax, %cr3
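Review bot: The added `call verify_cpu` discards whatever the routine reports, since the very next instruction overwrites `%eax` with `pmode_cr3`. The existing comment says the call is there to recheck the NX overrides, so it is presumably wanted only for its MSR side effects, but that should be stated. A wording such as `/* called for its side effects only; status in %eax is ignored on the 32-bit resume path */` would do. It is also worth noting which registers `verify_cpu` clobbers, because its body is included by a later hunk and is not visible here. The later hunk switches to `mov $MSR_EFER, %ecx` while the surrounding code uses `movl`, so the suffix could be kept for consistency.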
12112 @@ -104,7 +107,7 @@ _start:
12113 movl %eax, %ecx
12114 orl %edx, %ecx
12115 jz 1f
12116 - movl $0xc0000080, %ecx
12117 + mov $MSR_EFER, %ecx
12118 wrmsr
12119 1:
12120
12121 @@ -114,6 +117,7 @@ _start:
12122 movl pmode_cr0, %eax
12123 movl %eax, %cr0
12124 jmp pmode_return
12125 +# include "../../verify_cpu.S"
12126 #else
12127 pushw $0
12128 pushw trampoline_segment
12129 diff -urNp linux-2.6.32.49/arch/x86/kernel/acpi/sleep.c linux-2.6.32.49/arch/x86/kernel/acpi/sleep.c
12130 --- linux-2.6.32.49/arch/x86/kernel/acpi/sleep.c 2011-11-08 19:02:43.000000000 -0500
12131 +++ linux-2.6.32.49/arch/x86/kernel/acpi/sleep.c 2011-11-15 19:59:42.000000000 -0500
12132 @@ -11,11 +11,12 @@
12133 #include <linux/cpumask.h>
12134 #include <asm/segment.h>
12135 #include <asm/desc.h>
12136 +#include <asm/e820.h>
12137
12138 #include "realmode/wakeup.h"
12139 #include "sleep.h"
12140
12141 -unsigned long acpi_wakeup_address;
12142 +unsigned long acpi_wakeup_address = 0x2000;
12143 unsigned long acpi_realmode_flags;
12144
12145 /* address in low memory of the wakeup routine. */
12146 @@ -98,9 +99,13 @@ int acpi_save_state_mem(void)
12147 #else /* CONFIG_64BIT */
12148 header->trampoline_segment = setup_trampoline() >> 4;
12149 #ifdef CONFIG_SMP
12150 - stack_start.sp = temp_stack + sizeof(temp_stack);
12151 + stack_start = (unsigned long)temp_stack + sizeof(temp_stack);
12152 +
12153 + pax_open_kernel();
12154 early_gdt_descr.address =
12155 (unsigned long)get_cpu_gdt_table(smp_processor_id());
12156 + pax_close_kernel();
12157 +
12158 initial_gs = per_cpu_offset(smp_processor_id());
12159 #endif
12160 initial_code = (unsigned long)wakeup_long64;
12161 @@ -134,14 +139,8 @@ void __init acpi_reserve_bootmem(void)
12162 return;
12163 }
12164
12165 - acpi_realmode = (unsigned long)alloc_bootmem_low(WAKEUP_SIZE);
12166 -
12167 - if (!acpi_realmode) {
12168 - printk(KERN_ERR "ACPI: Cannot allocate lowmem, S3 disabled.\n");
12169 - return;
12170 - }
12171 -
12172 - acpi_wakeup_address = virt_to_phys((void *)acpi_realmode);
12173 + reserve_early(acpi_wakeup_address, acpi_wakeup_address + WAKEUP_SIZE, "ACPI Wakeup Code");
12174 + acpi_realmode = (unsigned long)__va(acpi_wakeup_address);;
12175 }
12176
12177
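Review bot: The new `reserve_early()` call pins the wakeup code at the fixed physical address in `acpi_wakeup_address` (initialised to `0x2000` in the first hunk of this file) and removes the old failure path. Nothing visible checks that this range is usable RAM and still free before `acpi_realmode` is pointed at it. If that guarantee comes from elsewhere (the added `<asm/e820.h>` include suggests it might), a comment next to the `0x2000` initialiser should say where; otherwise S3 can no longer be disabled gracefully as the removed `printk` branch did. The line `acpi_realmode = (unsigned long)__va(acpi_wakeup_address);;` also has a stray second semicolon. acpi_reserve_bootmem starts outside the hunk.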
12178 diff -urNp linux-2.6.32.49/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.32.49/arch/x86/kernel/acpi/wakeup_32.S
12179 --- linux-2.6.32.49/arch/x86/kernel/acpi/wakeup_32.S 2011-11-08 19:02:43.000000000 -0500
12180 +++ linux-2.6.32.49/arch/x86/kernel/acpi/wakeup_32.S 2011-11-15 19:59:42.000000000 -0500
12181 @@ -30,13 +30,11 @@ wakeup_pmode_return:
12182 # and restore the stack ... but you need gdt for this to work
12183 movl saved_context_esp, %esp
12184
12185 - movl %cs:saved_magic, %eax
12186 - cmpl $0x12345678, %eax
12187 + cmpl $0x12345678, saved_magic
12188 jne bogus_magic
12189
12190 # jump to place where we left off
12191 - movl saved_eip, %eax
12192 - jmp *%eax
12193 + jmp *(saved_eip)
12194
12195 bogus_magic:
12196 jmp bogus_magic
12197 diff -urNp linux-2.6.32.49/arch/x86/kernel/alternative.c linux-2.6.32.49/arch/x86/kernel/alternative.c
12198 --- linux-2.6.32.49/arch/x86/kernel/alternative.c 2011-11-08 19:02:43.000000000 -0500
12199 +++ linux-2.6.32.49/arch/x86/kernel/alternative.c 2011-11-15 19:59:42.000000000 -0500
12200 @@ -407,7 +407,7 @@ void __init_or_module apply_paravirt(str
12201
12202 BUG_ON(p->len > MAX_PATCH_LEN);
12203 /* prep the buffer with the original instructions */
12204 - memcpy(insnbuf, p->instr, p->len);
12205 + memcpy(insnbuf, ktla_ktva(p->instr), p->len);
12206 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
12207 (unsigned long)p->instr, p->len);
12208
12209 @@ -475,7 +475,7 @@ void __init alternative_instructions(voi
12210 if (smp_alt_once)
12211 free_init_pages("SMP alternatives",
12212 (unsigned long)__smp_locks,
12213 - (unsigned long)__smp_locks_end);
12214 + PAGE_ALIGN((unsigned long)__smp_locks_end));
12215
12216 restart_nmi();
12217 }
12218 @@ -492,13 +492,17 @@ void __init alternative_instructions(voi
12219 * instructions. And on the local CPU you need to be protected again NMI or MCE
12220 * handlers seeing an inconsistent instruction while you patch.
12221 */
12222 -static void *__init_or_module text_poke_early(void *addr, const void *opcode,
12223 +static void *__kprobes text_poke_early(void *addr, const void *opcode,
12224 size_t len)
12225 {
12226 unsigned long flags;
12227 local_irq_save(flags);
12228 - memcpy(addr, opcode, len);
12229 +
12230 + pax_open_kernel();
12231 + memcpy(ktla_ktva(addr), opcode, len);
12232 sync_core();
12233 + pax_close_kernel();
12234 +
12235 local_irq_restore(flags);
12236 /* Could also do a CLFLUSH here to speed up CPU recovery; but
12237 that causes hangs on some VIA CPUs. */
12238 @@ -520,35 +524,21 @@ static void *__init_or_module text_poke_
12239 */
12240 void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
12241 {
12242 - unsigned long flags;
12243 - char *vaddr;
12244 + unsigned char *vaddr = ktla_ktva(addr);
12245 struct page *pages[2];
12246 - int i;
12247 + size_t i;
12248
12249 if (!core_kernel_text((unsigned long)addr)) {
12250 - pages[0] = vmalloc_to_page(addr);
12251 - pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
12252 + pages[0] = vmalloc_to_page(vaddr);
12253 + pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
12254 } else {
12255 - pages[0] = virt_to_page(addr);
12256 + pages[0] = virt_to_page(vaddr);
12257 WARN_ON(!PageReserved(pages[0]));
12258 - pages[1] = virt_to_page(addr + PAGE_SIZE);
12259 + pages[1] = virt_to_page(vaddr + PAGE_SIZE);
12260 }
12261 BUG_ON(!pages[0]);
12262 - local_irq_save(flags);
12263 - set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
12264 - if (pages[1])
12265 - set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
12266 - vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
12267 - memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
12268 - clear_fixmap(FIX_TEXT_POKE0);
12269 - if (pages[1])
12270 - clear_fixmap(FIX_TEXT_POKE1);
12271 - local_flush_tlb();
12272 - sync_core();
12273 - /* Could also do a CLFLUSH here to speed up CPU recovery; but
12274 - that causes hangs on some VIA CPUs. */
12275 + text_poke_early(addr, opcode, len);
12276 for (i = 0; i < len; i++)
12277 - BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
12278 - local_irq_restore(flags);
12279 + BUG_ON((vaddr)[i] != ((const unsigned char *)opcode)[i]);
12280 return addr;
12281 }
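Review bot: After this rewrite `pages[1]` is assigned in both branches but never read, and `pages[0]` only feeds the `BUG_ON`/`WARN_ON` checks. The write itself now goes through `text_poke_early(addr, opcode, len)` instead of the fixmap aliases. The two `... (vaddr + PAGE_SIZE)` lookups can be dropped and `struct page *pages[2];` reduced to `struct page *page;`. The verification loop now reads back through `vaddr` after `text_poke_early()` has returned, which is fine, but the kernel-doc comment above the function starts outside the hunk and may still describe the old temporary-mapping mechanism, so it should be re-checked. It would also help to state in that comment that the write window is now whatever `pax_open_kernel()` opens, not a two-page alias.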
12282 diff -urNp linux-2.6.32.49/arch/x86/kernel/amd_iommu.c linux-2.6.32.49/arch/x86/kernel/amd_iommu.c
12283 --- linux-2.6.32.49/arch/x86/kernel/amd_iommu.c 2011-11-08 19:02:43.000000000 -0500
12284 +++ linux-2.6.32.49/arch/x86/kernel/amd_iommu.c 2011-11-15 19:59:42.000000000 -0500
12285 @@ -2076,7 +2076,7 @@ static void prealloc_protection_domains(
12286 }
12287 }
12288
12289 -static struct dma_map_ops amd_iommu_dma_ops = {
12290 +static const struct dma_map_ops amd_iommu_dma_ops = {
12291 .alloc_coherent = alloc_coherent,
12292 .free_coherent = free_coherent,
12293 .map_page = map_page,
12294 diff -urNp linux-2.6.32.49/arch/x86/kernel/apic/apic.c linux-2.6.32.49/arch/x86/kernel/apic/apic.c
12295 --- linux-2.6.32.49/arch/x86/kernel/apic/apic.c 2011-11-08 19:02:43.000000000 -0500
12296 +++ linux-2.6.32.49/arch/x86/kernel/apic/apic.c 2011-11-15 19:59:42.000000000 -0500
12297 @@ -170,7 +170,7 @@ int first_system_vector = 0xfe;
12298 /*
12299 * Debug level, exported for io_apic.c
12300 */
12301 -unsigned int apic_verbosity;
12302 +int apic_verbosity;
12303
12304 int pic_mode;
12305
12306 @@ -1794,7 +1794,7 @@ void smp_error_interrupt(struct pt_regs
12307 apic_write(APIC_ESR, 0);
12308 v1 = apic_read(APIC_ESR);
12309 ack_APIC_irq();
12310 - atomic_inc(&irq_err_count);
12311 + atomic_inc_unchecked(&irq_err_count);
12312
12313 /*
12314 * Here is what the APIC error bits mean:
12315 @@ -2184,6 +2184,8 @@ static int __cpuinit apic_cluster_num(vo
12316 u16 *bios_cpu_apicid;
12317 DECLARE_BITMAP(clustermap, NUM_APIC_CLUSTERS);
12318
12319 + pax_track_stack();
12320 +
12321 bios_cpu_apicid = early_per_cpu_ptr(x86_bios_cpu_apicid);
12322 bitmap_zero(clustermap, NUM_APIC_CLUSTERS);
12323
12324 diff -urNp linux-2.6.32.49/arch/x86/kernel/apic/io_apic.c linux-2.6.32.49/arch/x86/kernel/apic/io_apic.c
12325 --- linux-2.6.32.49/arch/x86/kernel/apic/io_apic.c 2011-11-08 19:02:43.000000000 -0500
12326 +++ linux-2.6.32.49/arch/x86/kernel/apic/io_apic.c 2011-11-15 19:59:42.000000000 -0500
12327 @@ -716,7 +716,7 @@ struct IO_APIC_route_entry **alloc_ioapi
12328 ioapic_entries = kzalloc(sizeof(*ioapic_entries) * nr_ioapics,
12329 GFP_ATOMIC);
12330 if (!ioapic_entries)
12331 - return 0;
12332 + return NULL;
12333
12334 for (apic = 0; apic < nr_ioapics; apic++) {
12335 ioapic_entries[apic] =
12336 @@ -733,7 +733,7 @@ nomem:
12337 kfree(ioapic_entries[apic]);
12338 kfree(ioapic_entries);
12339
12340 - return 0;
12341 + return NULL;
12342 }
12343
12344 /*
12345 @@ -1150,7 +1150,7 @@ int IO_APIC_get_PCI_irq_vector(int bus,
12346 }
12347 EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector);
12348
12349 -void lock_vector_lock(void)
12350 +void lock_vector_lock(void) __acquires(vector_lock)
12351 {
12352 /* Used to the online set of cpus does not change
12353 * during assign_irq_vector.
12354 @@ -1158,7 +1158,7 @@ void lock_vector_lock(void)
12355 spin_lock(&vector_lock);
12356 }
12357
12358 -void unlock_vector_lock(void)
12359 +void unlock_vector_lock(void) __releases(vector_lock)
12360 {
12361 spin_unlock(&vector_lock);
12362 }
12363 @@ -2542,7 +2542,7 @@ static void ack_apic_edge(unsigned int i
12364 ack_APIC_irq();
12365 }
12366
12367 -atomic_t irq_mis_count;
12368 +atomic_unchecked_t irq_mis_count;
12369
12370 static void ack_apic_level(unsigned int irq)
12371 {
12372 @@ -2626,7 +2626,7 @@ static void ack_apic_level(unsigned int
12373
12374 /* Tail end of version 0x11 I/O APIC bug workaround */
12375 if (!(v & (1 << (i & 0x1f)))) {
12376 - atomic_inc(&irq_mis_count);
12377 + atomic_inc_unchecked(&irq_mis_count);
12378 spin_lock(&ioapic_lock);
12379 __mask_and_edge_IO_APIC_irq(cfg);
12380 __unmask_and_level_IO_APIC_irq(cfg);
12381 diff -urNp linux-2.6.32.49/arch/x86/kernel/apm_32.c linux-2.6.32.49/arch/x86/kernel/apm_32.c
12382 --- linux-2.6.32.49/arch/x86/kernel/apm_32.c 2011-11-08 19:02:43.000000000 -0500
12383 +++ linux-2.6.32.49/arch/x86/kernel/apm_32.c 2011-11-15 19:59:42.000000000 -0500
12384 @@ -410,7 +410,7 @@ static DEFINE_SPINLOCK(user_list_lock);
12385 * This is for buggy BIOS's that refer to (real mode) segment 0x40
12386 * even though they are called in protected mode.
12387 */
12388 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
12389 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
12390 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
12391
12392 static const char driver_version[] = "1.16ac"; /* no spaces */
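Review bot: The access word passed to `GDT_ENTRY_INIT` changes from `0x4092` to `0x4093` with no explanation, and the only difference is bit 0 of the type field, the descriptor's Accessed bit. Together with the new `const` and the `pax_open_kernel()` brackets added around the GDT stores later in this file, this presumably pre-sets the bit so the CPU does not need to write it back when segment 0x40 is loaded. That is an inference from the hunk, not something it states. A comment on the initialiser would make it explicit, e.g. `/* 0x4093: present ring-0 read/write data, Accessed pre-set so loading it needs no GDT write */`.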
12393 @@ -588,7 +588,10 @@ static long __apm_bios_call(void *_call)
12394 BUG_ON(cpu != 0);
12395 gdt = get_cpu_gdt_table(cpu);
12396 save_desc_40 = gdt[0x40 / 8];
12397 +
12398 + pax_open_kernel();
12399 gdt[0x40 / 8] = bad_bios_desc;
12400 + pax_close_kernel();
12401
12402 apm_irq_save(flags);
12403 APM_DO_SAVE_SEGS;
12404 @@ -597,7 +600,11 @@ static long __apm_bios_call(void *_call)
12405 &call->esi);
12406 APM_DO_RESTORE_SEGS;
12407 apm_irq_restore(flags);
12408 +
12409 + pax_open_kernel();
12410 gdt[0x40 / 8] = save_desc_40;
12411 + pax_close_kernel();
12412 +
12413 put_cpu();
12414
12415 return call->eax & 0xff;
12416 @@ -664,7 +671,10 @@ static long __apm_bios_call_simple(void
12417 BUG_ON(cpu != 0);
12418 gdt = get_cpu_gdt_table(cpu);
12419 save_desc_40 = gdt[0x40 / 8];
12420 +
12421 + pax_open_kernel();
12422 gdt[0x40 / 8] = bad_bios_desc;
12423 + pax_close_kernel();
12424
12425 apm_irq_save(flags);
12426 APM_DO_SAVE_SEGS;
12427 @@ -672,7 +682,11 @@ static long __apm_bios_call_simple(void
12428 &call->eax);
12429 APM_DO_RESTORE_SEGS;
12430 apm_irq_restore(flags);
12431 +
12432 + pax_open_kernel();
12433 gdt[0x40 / 8] = save_desc_40;
12434 + pax_close_kernel();
12435 +
12436 put_cpu();
12437 return error;
12438 }
12439 @@ -975,7 +989,7 @@ recalc:
12440
12441 static void apm_power_off(void)
12442 {
12443 - unsigned char po_bios_call[] = {
12444 + const unsigned char po_bios_call[] = {
12445 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
12446 0x8e, 0xd0, /* movw ax,ss */
12447 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
12448 @@ -2357,12 +2371,15 @@ static int __init apm_init(void)
12449 * code to that CPU.
12450 */
12451 gdt = get_cpu_gdt_table(0);
12452 +
12453 + pax_open_kernel();
12454 set_desc_base(&gdt[APM_CS >> 3],
12455 (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
12456 set_desc_base(&gdt[APM_CS_16 >> 3],
12457 (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
12458 set_desc_base(&gdt[APM_DS >> 3],
12459 (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
12460 + pax_close_kernel();
12461
12462 proc_create("apm", 0, NULL, &apm_file_ops);
12463
12464 diff -urNp linux-2.6.32.49/arch/x86/kernel/asm-offsets_32.c linux-2.6.32.49/arch/x86/kernel/asm-offsets_32.c
12465 --- linux-2.6.32.49/arch/x86/kernel/asm-offsets_32.c 2011-11-08 19:02:43.000000000 -0500
12466 +++ linux-2.6.32.49/arch/x86/kernel/asm-offsets_32.c 2011-11-15 19:59:42.000000000 -0500
12467 @@ -51,7 +51,6 @@ void foo(void)
12468 OFFSET(CPUINFO_x86_vendor_id, cpuinfo_x86, x86_vendor_id);
12469 BLANK();
12470
12471 - OFFSET(TI_task, thread_info, task);
12472 OFFSET(TI_exec_domain, thread_info, exec_domain);
12473 OFFSET(TI_flags, thread_info, flags);
12474 OFFSET(TI_status, thread_info, status);
12475 @@ -60,6 +59,8 @@ void foo(void)
12476 OFFSET(TI_restart_block, thread_info, restart_block);
12477 OFFSET(TI_sysenter_return, thread_info, sysenter_return);
12478 OFFSET(TI_cpu, thread_info, cpu);
12479 + OFFSET(TI_lowest_stack, thread_info, lowest_stack);
12480 + DEFINE(TI_task_thread_sp0, offsetof(struct task_struct, thread.sp0) - offsetof(struct task_struct, tinfo));
12481 BLANK();
12482
12483 OFFSET(GDS_size, desc_ptr, size);
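Review bot: `TI_task_thread_sp0` sits among the `TI_*` entries but is not a `thread_info` member offset like its neighbours. It is the distance from `tinfo` to `thread.sp0` inside `struct task_struct`, so it is only meaningful when assembly holds a pointer to a `thread_info` embedded in the task. A short comment above the `DEFINE` would prevent misuse, e.g. `/* offset from &task->tinfo to task->thread.sp0; valid only for the embedded thread_info */`. The identical line is added in the asm-offsets_64.c hunk further down and needs the same comment.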
12484 @@ -99,6 +100,7 @@ void foo(void)
12485
12486 DEFINE(PAGE_SIZE_asm, PAGE_SIZE);
12487 DEFINE(PAGE_SHIFT_asm, PAGE_SHIFT);
12488 + DEFINE(THREAD_SIZE_asm, THREAD_SIZE);
12489 DEFINE(PTRS_PER_PTE, PTRS_PER_PTE);
12490 DEFINE(PTRS_PER_PMD, PTRS_PER_PMD);
12491 DEFINE(PTRS_PER_PGD, PTRS_PER_PGD);
12492 @@ -115,6 +117,11 @@ void foo(void)
12493 OFFSET(PV_CPU_iret, pv_cpu_ops, iret);
12494 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
12495 OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
12496 +
12497 +#ifdef CONFIG_PAX_KERNEXEC
12498 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
12499 +#endif
12500 +
12501 #endif
12502
12503 #ifdef CONFIG_XEN
12504 diff -urNp linux-2.6.32.49/arch/x86/kernel/asm-offsets_64.c linux-2.6.32.49/arch/x86/kernel/asm-offsets_64.c
12505 --- linux-2.6.32.49/arch/x86/kernel/asm-offsets_64.c 2011-11-08 19:02:43.000000000 -0500
12506 +++ linux-2.6.32.49/arch/x86/kernel/asm-offsets_64.c 2011-11-15 19:59:42.000000000 -0500
12507 @@ -44,6 +44,8 @@ int main(void)
12508 ENTRY(addr_limit);
12509 ENTRY(preempt_count);
12510 ENTRY(status);
12511 + ENTRY(lowest_stack);
12512 + DEFINE(TI_task_thread_sp0, offsetof(struct task_struct, thread.sp0) - offsetof(struct task_struct, tinfo));
12513 #ifdef CONFIG_IA32_EMULATION
12514 ENTRY(sysenter_return);
12515 #endif
12516 @@ -63,6 +65,18 @@ int main(void)
12517 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
12518 OFFSET(PV_CPU_swapgs, pv_cpu_ops, swapgs);
12519 OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
12520 +
12521 +#ifdef CONFIG_PAX_KERNEXEC
12522 + OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
12523 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
12524 +#endif
12525 +
12526 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12527 + OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3);
12528 + OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3);
12529 + OFFSET(PV_MMU_set_pgd_batched, pv_mmu_ops, set_pgd_batched);
12530 +#endif
12531 +
12532 #endif
12533
12534
12535 @@ -115,6 +129,7 @@ int main(void)
12536 ENTRY(cr8);
12537 BLANK();
12538 #undef ENTRY
12539 + DEFINE(TSS_size, sizeof(struct tss_struct));
12540 DEFINE(TSS_ist, offsetof(struct tss_struct, x86_tss.ist));
12541 BLANK();
12542 DEFINE(crypto_tfm_ctx_offset, offsetof(struct crypto_tfm, __crt_ctx));
12543 @@ -130,6 +145,7 @@ int main(void)
12544
12545 BLANK();
12546 DEFINE(PAGE_SIZE_asm, PAGE_SIZE);
12547 + DEFINE(THREAD_SIZE_asm, THREAD_SIZE);
12548 #ifdef CONFIG_XEN
12549 BLANK();
12550 OFFSET(XEN_vcpu_info_mask, vcpu_info, evtchn_upcall_mask);
12551 diff -urNp linux-2.6.32.49/arch/x86/kernel/cpu/amd.c linux-2.6.32.49/arch/x86/kernel/cpu/amd.c
12552 --- linux-2.6.32.49/arch/x86/kernel/cpu/amd.c 2011-11-08 19:02:43.000000000 -0500
12553 +++ linux-2.6.32.49/arch/x86/kernel/cpu/amd.c 2011-11-15 19:59:42.000000000 -0500
12554 @@ -602,7 +602,7 @@ static unsigned int __cpuinit amd_size_c
12555 unsigned int size)
12556 {
12557 /* AMD errata T13 (order #21922) */
12558 - if ((c->x86 == 6)) {
12559 + if (c->x86 == 6) {
12560 /* Duron Rev A0 */
12561 if (c->x86_model == 3 && c->x86_mask == 0)
12562 size = 64;
12563 diff -urNp linux-2.6.32.49/arch/x86/kernel/cpu/common.c linux-2.6.32.49/arch/x86/kernel/cpu/common.c
12564 --- linux-2.6.32.49/arch/x86/kernel/cpu/common.c 2011-11-08 19:02:43.000000000 -0500
12565 +++ linux-2.6.32.49/arch/x86/kernel/cpu/common.c 2011-11-15 19:59:42.000000000 -0500
12566 @@ -83,60 +83,6 @@ static const struct cpu_dev __cpuinitcon
12567
12568 static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
12569
12570 -DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
12571 -#ifdef CONFIG_X86_64
12572 - /*
12573 - * We need valid kernel segments for data and code in long mode too
12574 - * IRET will check the segment types kkeil 2000/10/28
12575 - * Also sysret mandates a special GDT layout
12576 - *
12577 - * TLS descriptors are currently at a different place compared to i386.
12578 - * Hopefully nobody expects them at a fixed place (Wine?)
12579 - */
12580 - [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
12581 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
12582 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
12583 - [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
12584 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
12585 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
12586 -#else
12587 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
12588 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
12589 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
12590 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
12591 - /*
12592 - * Segments used for calling PnP BIOS have byte granularity.
12593 - * They code segments and data segments have fixed 64k limits,
12594 - * the transfer segment sizes are set at run time.
12595 - */
12596 - /* 32-bit code */
12597 - [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
12598 - /* 16-bit code */
12599 - [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
12600 - /* 16-bit data */
12601 - [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
12602 - /* 16-bit data */
12603 - [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0),
12604 - /* 16-bit data */
12605 - [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0),
12606 - /*
12607 - * The APM segments have byte granularity and their bases
12608 - * are set at run time. All have 64k limits.
12609 - */
12610 - /* 32-bit code */
12611 - [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
12612 - /* 16-bit code */
12613 - [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
12614 - /* data */
12615 - [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
12616 -
12617 - [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
12618 - [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
12619 - GDT_STACK_CANARY_INIT
12620 -#endif
12621 -} };
12622 -EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
12623 -
12624 static int __init x86_xsave_setup(char *s)
12625 {
12626 setup_clear_cpu_cap(X86_FEATURE_XSAVE);
12627 @@ -344,7 +290,7 @@ void switch_to_new_gdt(int cpu)
12628 {
12629 struct desc_ptr gdt_descr;
12630
12631 - gdt_descr.address = (long)get_cpu_gdt_table(cpu);
12632 + gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
12633 gdt_descr.size = GDT_SIZE - 1;
12634 load_gdt(&gdt_descr);
12635 /* Reload the per-cpu base */
12636 @@ -798,6 +744,10 @@ static void __cpuinit identify_cpu(struc
12637 /* Filter out anything that depends on CPUID levels we don't have */
12638 filter_cpuid_features(c, true);
12639
12640 +#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || (defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32))
12641 + setup_clear_cpu_cap(X86_FEATURE_SEP);
12642 +#endif
12643 +
12644 /* If the model name is still unset, do table lookup. */
12645 if (!c->x86_model_id[0]) {
12646 const char *p;
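Review bot: The new `setup_clear_cpu_cap(X86_FEATURE_SEP)` block masks SYSENTER support whenever SEGMEXEC, KERNEXEC or 32-bit UDEREF is configured, but no comment says which property of those features is incompatible with it. Someone debugging a missing `sep` flag or a slower syscall path has nothing to go on. A one-line comment above the `#if` naming the reason would be enough. The macro name suggests a boot-time global mask, while identify_cpu is `__cpuinit` and runs for every CPU, so it is worth confirming that repeating the call on secondary CPUs is intended. identify_cpu starts and ends outside the hunk.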
12647 @@ -980,6 +930,9 @@ static __init int setup_disablecpuid(cha
12648 }
12649 __setup("clearcpuid=", setup_disablecpuid);
12650
12651 +DEFINE_PER_CPU(struct thread_info *, current_tinfo) = &init_task.tinfo;
12652 +EXPORT_PER_CPU_SYMBOL(current_tinfo);
12653 +
12654 #ifdef CONFIG_X86_64
12655 struct desc_ptr idt_descr = { NR_VECTORS * 16 - 1, (unsigned long) idt_table };
12656
12657 @@ -995,7 +948,7 @@ DEFINE_PER_CPU(struct task_struct *, cur
12658 EXPORT_PER_CPU_SYMBOL(current_task);
12659
12660 DEFINE_PER_CPU(unsigned long, kernel_stack) =
12661 - (unsigned long)&init_thread_union - KERNEL_STACK_OFFSET + THREAD_SIZE;
12662 + (unsigned long)&init_thread_union - 16 + THREAD_SIZE;
12663 EXPORT_PER_CPU_SYMBOL(kernel_stack);
12664
12665 DEFINE_PER_CPU(char *, irq_stack_ptr) =
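Review bot: The initialiser of `kernel_stack` replaces the named `KERNEL_STACK_OFFSET` with a bare `16`, so the reserved space at the top of the initial stack is no longer tied to any definition that assembly or other C code can share. If the patch redefines or removes `KERNEL_STACK_OFFSET` elsewhere (not visible here), the literal should still get a name or at least a comment, e.g. `/* 16 bytes reserved at the stack top: <what they hold> */`. As written, any other site that computes the same address has to be kept in sync by hand.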
12666 @@ -1060,7 +1013,7 @@ struct pt_regs * __cpuinit idle_regs(str
12667 {
12668 memset(regs, 0, sizeof(struct pt_regs));
12669 regs->fs = __KERNEL_PERCPU;
12670 - regs->gs = __KERNEL_STACK_CANARY;
12671 + savesegment(gs, regs->gs);
12672
12673 return regs;
12674 }
12675 @@ -1101,7 +1054,7 @@ void __cpuinit cpu_init(void)
12676 int i;
12677
12678 cpu = stack_smp_processor_id();
12679 - t = &per_cpu(init_tss, cpu);
12680 + t = init_tss + cpu;
12681 orig_ist = &per_cpu(orig_ist, cpu);
12682
12683 #ifdef CONFIG_NUMA
12684 @@ -1127,7 +1080,7 @@ void __cpuinit cpu_init(void)
12685 switch_to_new_gdt(cpu);
12686 loadsegment(fs, 0);
12687
12688 - load_idt((const struct desc_ptr *)&idt_descr);
12689 + load_idt(&idt_descr);
12690
12691 memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
12692 syscall_init();
12693 @@ -1136,7 +1089,6 @@ void __cpuinit cpu_init(void)
12694 wrmsrl(MSR_KERNEL_GS_BASE, 0);
12695 barrier();
12696
12697 - check_efer();
12698 if (cpu != 0)
12699 enable_x2apic();
12700
12701 @@ -1199,7 +1151,7 @@ void __cpuinit cpu_init(void)
12702 {
12703 int cpu = smp_processor_id();
12704 struct task_struct *curr = current;
12705 - struct tss_struct *t = &per_cpu(init_tss, cpu);
12706 + struct tss_struct *t = init_tss + cpu;
12707 struct thread_struct *thread = &curr->thread;
12708
12709 if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
12710 diff -urNp linux-2.6.32.49/arch/x86/kernel/cpu/intel.c linux-2.6.32.49/arch/x86/kernel/cpu/intel.c
12711 --- linux-2.6.32.49/arch/x86/kernel/cpu/intel.c 2011-11-08 19:02:43.000000000 -0500
12712 +++ linux-2.6.32.49/arch/x86/kernel/cpu/intel.c 2011-11-15 19:59:42.000000000 -0500
12713 @@ -162,7 +162,7 @@ static void __cpuinit trap_init_f00f_bug
12714 * Update the IDT descriptor and reload the IDT so that
12715 * it uses the read-only mapped virtual address.
12716 */
12717 - idt_descr.address = fix_to_virt(FIX_F00F_IDT);
12718 + idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
12719 load_idt(&idt_descr);
12720 }
12721 #endif
12722 diff -urNp linux-2.6.32.49/arch/x86/kernel/cpu/intel_cacheinfo.c linux-2.6.32.49/arch/x86/kernel/cpu/intel_cacheinfo.c
12723 --- linux-2.6.32.49/arch/x86/kernel/cpu/intel_cacheinfo.c 2011-11-08 19:02:43.000000000 -0500
12724 +++ linux-2.6.32.49/arch/x86/kernel/cpu/intel_cacheinfo.c 2011-11-15 19:59:42.000000000 -0500
12725 @@ -921,7 +921,7 @@ static ssize_t store(struct kobject *kob
12726 return ret;
12727 }
12728
12729 -static struct sysfs_ops sysfs_ops = {
12730 +static const struct sysfs_ops sysfs_ops = {
12731 .show = show,
12732 .store = store,
12733 };
12734 diff -urNp linux-2.6.32.49/arch/x86/kernel/cpu/Makefile linux-2.6.32.49/arch/x86/kernel/cpu/Makefile
12735 --- linux-2.6.32.49/arch/x86/kernel/cpu/Makefile 2011-11-08 19:02:43.000000000 -0500
12736 +++ linux-2.6.32.49/arch/x86/kernel/cpu/Makefile 2011-11-15 19:59:42.000000000 -0500
12737 @@ -7,10 +7,6 @@ ifdef CONFIG_FUNCTION_TRACER
12738 CFLAGS_REMOVE_common.o = -pg
12739 endif
12740
12741 -# Make sure load_percpu_segment has no stackprotector
12742 -nostackp := $(call cc-option, -fno-stack-protector)
12743 -CFLAGS_common.o := $(nostackp)
12744 -
12745 obj-y := intel_cacheinfo.o addon_cpuid_features.o
12746 obj-y += proc.o capflags.o powerflags.o common.o
12747 obj-y += vmware.o hypervisor.o sched.o
12748 diff -urNp linux-2.6.32.49/arch/x86/kernel/cpu/mcheck/mce_amd.c linux-2.6.32.49/arch/x86/kernel/cpu/mcheck/mce_amd.c
12749 --- linux-2.6.32.49/arch/x86/kernel/cpu/mcheck/mce_amd.c 2011-11-08 19:02:43.000000000 -0500
12750 +++ linux-2.6.32.49/arch/x86/kernel/cpu/mcheck/mce_amd.c 2011-11-15 19:59:42.000000000 -0500
12751 @@ -385,7 +385,7 @@ static ssize_t store(struct kobject *kob
12752 return ret;
12753 }
12754
12755 -static struct sysfs_ops threshold_ops = {
12756 +static const struct sysfs_ops threshold_ops = {
12757 .show = show,
12758 .store = store,
12759 };
12760 diff -urNp linux-2.6.32.49/arch/x86/kernel/cpu/mcheck/mce.c linux-2.6.32.49/arch/x86/kernel/cpu/mcheck/mce.c
12761 --- linux-2.6.32.49/arch/x86/kernel/cpu/mcheck/mce.c 2011-11-08 19:02:43.000000000 -0500
12762 +++ linux-2.6.32.49/arch/x86/kernel/cpu/mcheck/mce.c 2011-11-15 19:59:42.000000000 -0500
12763 @@ -43,6 +43,7 @@
12764 #include <asm/ipi.h>
12765 #include <asm/mce.h>
12766 #include <asm/msr.h>
12767 +#include <asm/local.h>
12768
12769 #include "mce-internal.h"
12770
12771 @@ -187,7 +188,7 @@ static void print_mce(struct mce *m)
12772 !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
12773 m->cs, m->ip);
12774
12775 - if (m->cs == __KERNEL_CS)
12776 + if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
12777 print_symbol("{%s}", m->ip);
12778 pr_cont("\n");
12779 }
12780 @@ -221,10 +222,10 @@ static void print_mce_tail(void)
12781
12782 #define PANIC_TIMEOUT 5 /* 5 seconds */
12783
12784 -static atomic_t mce_paniced;
12785 +static atomic_unchecked_t mce_paniced;
12786
12787 static int fake_panic;
12788 -static atomic_t mce_fake_paniced;
12789 +static atomic_unchecked_t mce_fake_paniced;
12790
12791 /* Panic in progress. Enable interrupts and wait for final IPI */
12792 static void wait_for_panic(void)
12793 @@ -248,7 +249,7 @@ static void mce_panic(char *msg, struct
12794 /*
12795 * Make sure only one CPU runs in machine check panic
12796 */
12797 - if (atomic_inc_return(&mce_paniced) > 1)
12798 + if (atomic_inc_return_unchecked(&mce_paniced) > 1)
12799 wait_for_panic();
12800 barrier();
12801
12802 @@ -256,7 +257,7 @@ static void mce_panic(char *msg, struct
12803 console_verbose();
12804 } else {
12805 /* Don't log too much for fake panic */
12806 - if (atomic_inc_return(&mce_fake_paniced) > 1)
12807 + if (atomic_inc_return_unchecked(&mce_fake_paniced) > 1)
12808 return;
12809 }
12810 print_mce_head();
12811 @@ -616,7 +617,7 @@ static int mce_timed_out(u64 *t)
12812 * might have been modified by someone else.
12813 */
12814 rmb();
12815 - if (atomic_read(&mce_paniced))
12816 + if (atomic_read_unchecked(&mce_paniced))
12817 wait_for_panic();
12818 if (!monarch_timeout)
12819 goto out;
12820 @@ -1429,14 +1430,14 @@ void __cpuinit mcheck_init(struct cpuinf
12821 */
12822
12823 static DEFINE_SPINLOCK(mce_state_lock);
12824 -static int open_count; /* #times opened */
12825 +static local_t open_count; /* #times opened */
12826 static int open_exclu; /* already open exclusive? */
12827
12828 static int mce_open(struct inode *inode, struct file *file)
12829 {
12830 spin_lock(&mce_state_lock);
12831
12832 - if (open_exclu || (open_count && (file->f_flags & O_EXCL))) {
12833 + if (open_exclu || (local_read(&open_count) && (file->f_flags & O_EXCL))) {
12834 spin_unlock(&mce_state_lock);
12835
12836 return -EBUSY;
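Review bot: `open_count` becomes a `local_t`, yet every access in this hunk and the two that follow (`local_read`, `local_inc`, `local_dec`) is made with `mce_state_lock` held, so the type is not buying atomicity. `local_t` operations are in any case atomic only with respect to the current CPU, so the lock is still what makes the counter correct across CPUs. The declaration should say why the type changed and that the lock is still required, e.g. `/* #times opened; local_t for <reason>, still protected by mce_state_lock */`. Without that, a later cleanup could drop the lock on the assumption that the counter is now self-synchronising. mce_open continues outside the hunk.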
12837 @@ -1444,7 +1445,7 @@ static int mce_open(struct inode *inode,
12838
12839 if (file->f_flags & O_EXCL)
12840 open_exclu = 1;
12841 - open_count++;
12842 + local_inc(&open_count);
12843
12844 spin_unlock(&mce_state_lock);
12845
12846 @@ -1455,7 +1456,7 @@ static int mce_release(struct inode *ino
12847 {
12848 spin_lock(&mce_state_lock);
12849
12850 - open_count--;
12851 + local_dec(&open_count);
12852 open_exclu = 0;
12853
12854 spin_unlock(&mce_state_lock);
12855 @@ -2082,7 +2083,7 @@ struct dentry *mce_get_debugfs_dir(void)
12856 static void mce_reset(void)
12857 {
12858 cpu_missing = 0;
12859 - atomic_set(&mce_fake_paniced, 0);
12860 + atomic_set_unchecked(&mce_fake_paniced, 0);
12861 atomic_set(&mce_executing, 0);
12862 atomic_set(&mce_callin, 0);
12863 atomic_set(&global_nwo, 0);
12864 diff -urNp linux-2.6.32.49/arch/x86/kernel/cpu/mcheck/mce-inject.c linux-2.6.32.49/arch/x86/kernel/cpu/mcheck/mce-inject.c
12865 --- linux-2.6.32.49/arch/x86/kernel/cpu/mcheck/mce-inject.c 2011-11-08 19:02:43.000000000 -0500
12866 +++ linux-2.6.32.49/arch/x86/kernel/cpu/mcheck/mce-inject.c 2011-11-15 19:59:42.000000000 -0500
12867 @@ -211,7 +211,9 @@ static ssize_t mce_write(struct file *fi
12868 static int inject_init(void)
12869 {
12870 printk(KERN_INFO "Machine check injector initialized\n");
12871 - mce_chrdev_ops.write = mce_write;
12872 + pax_open_kernel();
12873 + *(void **)&mce_chrdev_ops.write = mce_write;
12874 + pax_close_kernel();
12875 register_die_notifier(&mce_raise_nb);
12876 return 0;
12877 }
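Review bot: The store `*(void **)&mce_chrdev_ops.write = mce_write;` goes through a `void **` cast, which discards both the constness of the structure and the function-pointer type of the `.write` slot. The compiler can therefore no longer flag a signature mismatch between `mce_write` and the member. The `pax_open_kernel()`/`pax_close_kernel()` pair implies `mce_chrdev_ops` has become read-only elsewhere in the patch, but that declaration is not visible here. A comment would make the intent auditable, e.g. `/* mce_chrdev_ops is read-only; this is the single sanctioned runtime patch of its .write hook */`. It is also worth stating whether the hook is ever restored, since nothing in this hunk undoes it.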
12878 diff -urNp linux-2.6.32.49/arch/x86/kernel/cpu/mtrr/amd.c linux-2.6.32.49/arch/x86/kernel/cpu/mtrr/amd.c
12879 --- linux-2.6.32.49/arch/x86/kernel/cpu/mtrr/amd.c 2011-11-08 19:02:43.000000000 -0500
12880 +++ linux-2.6.32.49/arch/x86/kernel/cpu/mtrr/amd.c 2011-11-15 19:59:42.000000000 -0500
12881 @@ -108,7 +108,7 @@ amd_validate_add_page(unsigned long base
12882 return 0;
12883 }
12884
12885 -static struct mtrr_ops amd_mtrr_ops = {
12886 +static const struct mtrr_ops amd_mtrr_ops = {
12887 .vendor = X86_VENDOR_AMD,
12888 .set = amd_set_mtrr,
12889 .get = amd_get_mtrr,
12890 diff -urNp linux-2.6.32.49/arch/x86/kernel/cpu/mtrr/centaur.c linux-2.6.32.49/arch/x86/kernel/cpu/mtrr/centaur.c
12891 --- linux-2.6.32.49/arch/x86/kernel/cpu/mtrr/centaur.c 2011-11-08 19:02:43.000000000 -0500
12892 +++ linux-2.6.32.49/arch/x86/kernel/cpu/mtrr/centaur.c 2011-11-15 19:59:42.000000000 -0500
12893 @@ -110,7 +110,7 @@ centaur_validate_add_page(unsigned long
12894 return 0;
12895 }
12896
12897 -static struct mtrr_ops centaur_mtrr_ops = {
12898 +static const struct mtrr_ops centaur_mtrr_ops = {
12899 .vendor = X86_VENDOR_CENTAUR,
12900 .set = centaur_set_mcr,
12901 .get = centaur_get_mcr,
12902 diff -urNp linux-2.6.32.49/arch/x86/kernel/cpu/mtrr/cyrix.c linux-2.6.32.49/arch/x86/kernel/cpu/mtrr/cyrix.c
12903 --- linux-2.6.32.49/arch/x86/kernel/cpu/mtrr/cyrix.c 2011-11-08 19:02:43.000000000 -0500
12904 +++ linux-2.6.32.49/arch/x86/kernel/cpu/mtrr/cyrix.c 2011-11-15 19:59:42.000000000 -0500
12905 @@ -265,7 +265,7 @@ static void cyrix_set_all(void)
12906 post_set();
12907 }
12908
12909 -static struct mtrr_ops cyrix_mtrr_ops = {
12910 +static const struct mtrr_ops cyrix_mtrr_ops = {
12911 .vendor = X86_VENDOR_CYRIX,
12912 .set_all = cyrix_set_all,
12913 .set = cyrix_set_arr,
12914 diff -urNp linux-2.6.32.49/arch/x86/kernel/cpu/mtrr/generic.c linux-2.6.32.49/arch/x86/kernel/cpu/mtrr/generic.c
12915 --- linux-2.6.32.49/arch/x86/kernel/cpu/mtrr/generic.c 2011-11-08 19:02:43.000000000 -0500
12916 +++ linux-2.6.32.49/arch/x86/kernel/cpu/mtrr/generic.c 2011-11-15 19:59:42.000000000 -0500
12917 @@ -752,7 +752,7 @@ int positive_have_wrcomb(void)
12918 /*
12919 * Generic structure...
12920 */
12921 -struct mtrr_ops generic_mtrr_ops = {
12922 +const struct mtrr_ops generic_mtrr_ops = {
12923 .use_intel_if = 1,
12924 .set_all = generic_set_all,
12925 .get = generic_get_mtrr,
12926 diff -urNp linux-2.6.32.49/arch/x86/kernel/cpu/mtrr/main.c linux-2.6.32.49/arch/x86/kernel/cpu/mtrr/main.c
12927 --- linux-2.6.32.49/arch/x86/kernel/cpu/mtrr/main.c 2011-11-08 19:02:43.000000000 -0500
12928 +++ linux-2.6.32.49/arch/x86/kernel/cpu/mtrr/main.c 2011-11-15 19:59:42.000000000 -0500
12929 @@ -60,14 +60,14 @@ static DEFINE_MUTEX(mtrr_mutex);
12930 u64 size_or_mask, size_and_mask;
12931 static bool mtrr_aps_delayed_init;
12932
12933 -static struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
12934 +static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
12935
12936 -struct mtrr_ops *mtrr_if;
12937 +const struct mtrr_ops *mtrr_if;
12938
12939 static void set_mtrr(unsigned int reg, unsigned long base,
12940 unsigned long size, mtrr_type type);
12941
12942 -void set_mtrr_ops(struct mtrr_ops *ops)
12943 +void set_mtrr_ops(const struct mtrr_ops *ops)
12944 {
12945 if (ops->vendor && ops->vendor < X86_VENDOR_NUM)
12946 mtrr_ops[ops->vendor] = ops;
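Review bot: `set_mtrr_ops()` still stores into the array with `mtrr_ops[ops->vendor] = ops;`, while this hunk marks that array `__read_only`, and nothing visible here limits the store to the time before the section is write-protected. The mce-inject change just above in this patch brackets a comparable store with `pax_open_kernel()`/`pax_close_kernel()`, so the difference should be explained. If every caller runs during early init, say so above the function, e.g. `/* init-time only: mtrr_ops[] is __read_only afterwards */`. `mtrr_if` becomes pointer-to-const but is not itself `__read_only`, so the pointer can still be redirected at run time; a comment should say whether that is intended. The function body continues outside the hunk.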
12947 diff -urNp linux-2.6.32.49/arch/x86/kernel/cpu/mtrr/mtrr.h linux-2.6.32.49/arch/x86/kernel/cpu/mtrr/mtrr.h
12948 --- linux-2.6.32.49/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-11-08 19:02:43.000000000 -0500
12949 +++ linux-2.6.32.49/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-11-15 19:59:42.000000000 -0500
12950 @@ -25,14 +25,14 @@ struct mtrr_ops {
12951 int (*validate_add_page)(unsigned long base, unsigned long size,
12952 unsigned int type);
12953 int (*have_wrcomb)(void);
12954 -};
12955 +} __do_const;
12956
12957 extern int generic_get_free_region(unsigned long base, unsigned long size,
12958 int replace_reg);
12959 extern int generic_validate_add_page(unsigned long base, unsigned long size,
12960 unsigned int type);
12961
12962 -extern struct mtrr_ops generic_mtrr_ops;
12963 +extern const struct mtrr_ops generic_mtrr_ops;
12964
12965 extern int positive_have_wrcomb(void);
12966
12967 @@ -53,10 +53,10 @@ void fill_mtrr_var_range(unsigned int in
12968 u32 base_lo, u32 base_hi, u32 mask_lo, u32 mask_hi);
12969 void get_mtrr_state(void);
12970
12971 -extern void set_mtrr_ops(struct mtrr_ops *ops);
12972 +extern void set_mtrr_ops(const struct mtrr_ops *ops);
12973
12974 extern u64 size_or_mask, size_and_mask;
12975 -extern struct mtrr_ops *mtrr_if;
12976 +extern const struct mtrr_ops *mtrr_if;
12977
12978 #define is_cpu(vnd) (mtrr_if && mtrr_if->vendor == X86_VENDOR_##vnd)
12979 #define use_intel() (mtrr_if && mtrr_if->use_intel_if == 1)
12980 diff -urNp linux-2.6.32.49/arch/x86/kernel/cpu/perfctr-watchdog.c linux-2.6.32.49/arch/x86/kernel/cpu/perfctr-watchdog.c
12981 --- linux-2.6.32.49/arch/x86/kernel/cpu/perfctr-watchdog.c 2011-11-08 19:02:43.000000000 -0500
12982 +++ linux-2.6.32.49/arch/x86/kernel/cpu/perfctr-watchdog.c 2011-11-15 19:59:42.000000000 -0500
12983 @@ -30,11 +30,11 @@ struct nmi_watchdog_ctlblk {
12984
12985 /* Interface defining a CPU specific perfctr watchdog */
12986 struct wd_ops {
12987 - int (*reserve)(void);
12988 - void (*unreserve)(void);
12989 - int (*setup)(unsigned nmi_hz);
12990 - void (*rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
12991 - void (*stop)(void);
12992 + int (* const reserve)(void);
12993 + void (* const unreserve)(void);
12994 + int (* const setup)(unsigned nmi_hz);
12995 + void (* const rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
12996 + void (* const stop)(void);
12997 unsigned perfctr;
12998 unsigned evntsel;
12999 u64 checkbit;
13000 @@ -645,6 +645,7 @@ static const struct wd_ops p4_wd_ops = {
13001 #define ARCH_PERFMON_NMI_EVENT_SEL ARCH_PERFMON_UNHALTED_CORE_CYCLES_SEL
13002 #define ARCH_PERFMON_NMI_EVENT_UMASK ARCH_PERFMON_UNHALTED_CORE_CYCLES_UMASK
13003
13004 +/* cannot be const */
13005 static struct wd_ops intel_arch_wd_ops;
13006
13007 static int setup_intel_arch_watchdog(unsigned nmi_hz)
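Review bot: The added `/* cannot be const */` states a constraint without its reason, here on the forward declaration and again on the definition in the next hunk. A maintainer who later constifies the other `wd_ops` instances has no way to tell from the comment what would break. Presumably some field of `intel_arch_wd_ops` is assigned at run time; if so, name it, e.g. `/* cannot be const: <field> is written in setup_intel_arch_watchdog() */`.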
13008 @@ -697,6 +698,7 @@ static int setup_intel_arch_watchdog(uns
13009 return 1;
13010 }
13011
13012 +/* cannot be const */
13013 static struct wd_ops intel_arch_wd_ops __read_mostly = {
13014 .reserve = single_msr_reserve,
13015 .unreserve = single_msr_unreserve,
13016 diff -urNp linux-2.6.32.49/arch/x86/kernel/cpu/perf_event.c linux-2.6.32.49/arch/x86/kernel/cpu/perf_event.c
13017 --- linux-2.6.32.49/arch/x86/kernel/cpu/perf_event.c 2011-11-08 19:02:43.000000000 -0500
13018 +++ linux-2.6.32.49/arch/x86/kernel/cpu/perf_event.c 2011-11-15 19:59:42.000000000 -0500
13019 @@ -723,10 +723,10 @@ x86_perf_event_update(struct perf_event
13020 * count to the generic event atomically:
13021 */
13022 again:
13023 - prev_raw_count = atomic64_read(&hwc->prev_count);
13024 + prev_raw_count = atomic64_read_unchecked(&hwc->prev_count);
13025 rdmsrl(hwc->event_base + idx, new_raw_count);
13026
13027 - if (atomic64_cmpxchg(&hwc->prev_count, prev_raw_count,
13028 + if (atomic64_cmpxchg_unchecked(&hwc->prev_count, prev_raw_count,
13029 new_raw_count) != prev_raw_count)
13030 goto again;
13031
13032 @@ -741,7 +741,7 @@ again:
13033 delta = (new_raw_count << shift) - (prev_raw_count << shift);
13034 delta >>= shift;
13035
13036 - atomic64_add(delta, &event->count);
13037 + atomic64_add_unchecked(delta, &event->count);
13038 atomic64_sub(delta, &hwc->period_left);
13039
13040 return new_raw_count;
13041 @@ -1353,7 +1353,7 @@ x86_perf_event_set_period(struct perf_ev
13042 * The hw event starts counting from this event offset,
13043 * mark it to be able to extra future deltas:
13044 */
13045 - atomic64_set(&hwc->prev_count, (u64)-left);
13046 + atomic64_set_unchecked(&hwc->prev_count, (u64)-left);
13047
13048 err = checking_wrmsrl(hwc->event_base + idx,
13049 (u64)(-left) & x86_pmu.event_mask);
13050 @@ -2357,7 +2357,7 @@ perf_callchain_user(struct pt_regs *regs
13051 break;
13052
13053 callchain_store(entry, frame.return_address);
13054 - fp = frame.next_frame;
13055 + fp = (__force const void __user *)frame.next_frame;
13056 }
13057 }
13058
13059 diff -urNp linux-2.6.32.49/arch/x86/kernel/crash.c linux-2.6.32.49/arch/x86/kernel/crash.c
13060 --- linux-2.6.32.49/arch/x86/kernel/crash.c 2011-11-08 19:02:43.000000000 -0500
13061 +++ linux-2.6.32.49/arch/x86/kernel/crash.c 2011-11-15 19:59:42.000000000 -0500
13062 @@ -41,7 +41,7 @@ static void kdump_nmi_callback(int cpu,
13063 regs = args->regs;
13064
13065 #ifdef CONFIG_X86_32
13066 - if (!user_mode_vm(regs)) {
13067 + if (!user_mode(regs)) {
13068 crash_fixup_ss_esp(&fixed_regs, regs);
13069 regs = &fixed_regs;
13070 }
13071 diff -urNp linux-2.6.32.49/arch/x86/kernel/doublefault_32.c linux-2.6.32.49/arch/x86/kernel/doublefault_32.c
13072 --- linux-2.6.32.49/arch/x86/kernel/doublefault_32.c 2011-11-08 19:02:43.000000000 -0500
13073 +++ linux-2.6.32.49/arch/x86/kernel/doublefault_32.c 2011-11-15 19:59:42.000000000 -0500
13074 @@ -11,7 +11,7 @@
13075
13076 #define DOUBLEFAULT_STACKSIZE (1024)
13077 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
13078 -#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
13079 +#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
13080
13081 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
13082
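Review bot: The `-2` added to `STACK_START` is unexplained, and the same macro feeds `.sp` in the TSS initializer further down the file. Two `unsigned long` slots are now left unused at the top of `doublefault_stack`, but the hunk does not say what reads or writes them. A one-line comment on the macro would do, e.g. `/* leave two words free above the initial sp: <reason> */`.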
13083 @@ -21,7 +21,7 @@ static void doublefault_fn(void)
13084 unsigned long gdt, tss;
13085
13086 store_gdt(&gdt_desc);
13087 - gdt = gdt_desc.address;
13088 + gdt = (unsigned long)gdt_desc.address;
13089
13090 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
13091
13092 @@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cach
13093 /* 0x2 bit is always set */
13094 .flags = X86_EFLAGS_SF | 0x2,
13095 .sp = STACK_START,
13096 - .es = __USER_DS,
13097 + .es = __KERNEL_DS,
13098 .cs = __KERNEL_CS,
13099 .ss = __KERNEL_DS,
13100 - .ds = __USER_DS,
13101 + .ds = __KERNEL_DS,
13102 .fs = __KERNEL_PERCPU,
13103
13104 .__cr3 = __pa_nodebug(swapper_pg_dir),
13105 diff -urNp linux-2.6.32.49/arch/x86/kernel/dumpstack_32.c linux-2.6.32.49/arch/x86/kernel/dumpstack_32.c
13106 --- linux-2.6.32.49/arch/x86/kernel/dumpstack_32.c 2011-11-08 19:02:43.000000000 -0500
13107 +++ linux-2.6.32.49/arch/x86/kernel/dumpstack_32.c 2011-11-18 18:10:09.000000000 -0500
13108 @@ -53,16 +53,12 @@ void dump_trace(struct task_struct *task
13109 #endif
13110
13111 for (;;) {
13112 - struct thread_info *context;
13113 + void *stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
13114 + bp = print_context_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
13115
13116 - context = (struct thread_info *)
13117 - ((unsigned long)stack & (~(THREAD_SIZE - 1)));
13118 - bp = print_context_stack(context, stack, bp, ops,
13119 - data, NULL, &graph);
13120 -
13121 - stack = (unsigned long *)context->previous_esp;
13122 - if (!stack)
13123 + if (stack_start == task_stack_page(task))
13124 break;
13125 + stack = *(unsigned long **)stack_start;
13126 if (ops->stack(data, "IRQ") < 0)
13127 break;
13128 touch_nmi_watchdog();
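Review bot: The rewritten loop loads the next stack with `stack = *(unsigned long **)stack_start;` and never checks the value, whereas the removed code stopped on `if (!stack) break;`. Termination now depends only on `stack_start == task_stack_page(task)`, so if the link word at the base of a stack is zero or stale, the next iteration masks that value and reads through it, in a path that runs while a fault is being reported. Keeping the old guard right after the load, `if (!stack) break;`, would preserve the previous behaviour for that case. The loop body continues outside the hunk.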
13129 @@ -112,11 +108,12 @@ void show_registers(struct pt_regs *regs
13130 * When in-kernel, we also print out the stack and code at the
13131 * time of the fault..
13132 */
13133 - if (!user_mode_vm(regs)) {
13134 + if (!user_mode(regs)) {
13135 unsigned int code_prologue = code_bytes * 43 / 64;
13136 unsigned int code_len = code_bytes;
13137 unsigned char c;
13138 u8 *ip;
13139 + unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
13140
13141 printk(KERN_EMERG "Stack:\n");
13142 show_stack_log_lvl(NULL, regs, &regs->sp,
13143 @@ -124,10 +121,10 @@ void show_registers(struct pt_regs *regs
13144
13145 printk(KERN_EMERG "Code: ");
13146
13147 - ip = (u8 *)regs->ip - code_prologue;
13148 + ip = (u8 *)regs->ip - code_prologue + cs_base;
13149 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
13150 /* try starting at IP */
13151 - ip = (u8 *)regs->ip;
13152 + ip = (u8 *)regs->ip + cs_base;
13153 code_len = code_len - code_prologue + 1;
13154 }
13155 for (i = 0; i < code_len; i++, ip++) {
13156 @@ -136,7 +133,7 @@ void show_registers(struct pt_regs *regs
13157 printk(" Bad EIP value.");
13158 break;
13159 }
13160 - if (ip == (u8 *)regs->ip)
13161 + if (ip == (u8 *)regs->ip + cs_base)
13162 printk("<%02x> ", c);
13163 else
13164 printk("%02x ", c);
13165 @@ -145,10 +142,23 @@ void show_registers(struct pt_regs *regs
13166 printk("\n");
13167 }
13168
13169 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
13170 +void pax_check_alloca(unsigned long size)
13171 +{
13172 + unsigned long sp = (unsigned long)&sp, stack_left;
13173 +
13174 + /* all kernel stacks are of the same size */
13175 + stack_left = sp & (THREAD_SIZE - 1);
13176 + BUG_ON(stack_left < 256 || size >= stack_left - 256);
13177 +}
13178 +EXPORT_SYMBOL(pax_check_alloca);
13179 +#endif
13180 +
13181 int is_valid_bugaddr(unsigned long ip)
13182 {
13183 unsigned short ud2;
13184
13185 + ip = ktla_ktva(ip);
13186 if (ip < PAGE_OFFSET)
13187 return 0;
13188 if (probe_kernel_address((unsigned short *)ip, ud2))
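Review bot: The literal `256` in `pax_check_alloca()` appears twice in one expression with no name or comment, and the same expression is repeated three times in the dumpstack_64.c version later in this patch. The order of the two tests also matters: `stack_left < 256` must come first so that `stack_left - 256` cannot wrap, and a later reordering would silently break that. Give the reserve a name, e.g. `#define PAX_ALLOCA_RESERVE 256`, and add a comment such as `/* first test keeps stack_left - reserve from wrapping */`.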
13189 diff -urNp linux-2.6.32.49/arch/x86/kernel/dumpstack_64.c linux-2.6.32.49/arch/x86/kernel/dumpstack_64.c
13190 --- linux-2.6.32.49/arch/x86/kernel/dumpstack_64.c 2011-11-08 19:02:43.000000000 -0500
13191 +++ linux-2.6.32.49/arch/x86/kernel/dumpstack_64.c 2011-11-18 18:01:52.000000000 -0500
13192 @@ -116,8 +116,8 @@ void dump_trace(struct task_struct *task
13193 unsigned long *irq_stack_end =
13194 (unsigned long *)per_cpu(irq_stack_ptr, cpu);
13195 unsigned used = 0;
13196 - struct thread_info *tinfo;
13197 int graph = 0;
13198 + void *stack_start;
13199
13200 if (!task)
13201 task = current;
13202 @@ -146,10 +146,10 @@ void dump_trace(struct task_struct *task
13203 * current stack address. If the stacks consist of nested
13204 * exceptions
13205 */
13206 - tinfo = task_thread_info(task);
13207 for (;;) {
13208 char *id;
13209 unsigned long *estack_end;
13210 +
13211 estack_end = in_exception_stack(cpu, (unsigned long)stack,
13212 &used, &id);
13213
13214 @@ -157,7 +157,7 @@ void dump_trace(struct task_struct *task
13215 if (ops->stack(data, id) < 0)
13216 break;
13217
13218 - bp = print_context_stack(tinfo, stack, bp, ops,
13219 + bp = print_context_stack(task, estack_end - EXCEPTION_STKSZ, stack, bp, ops,
13220 data, estack_end, &graph);
13221 ops->stack(data, "<EOE>");
13222 /*
13223 @@ -176,7 +176,7 @@ void dump_trace(struct task_struct *task
13224 if (stack >= irq_stack && stack < irq_stack_end) {
13225 if (ops->stack(data, "IRQ") < 0)
13226 break;
13227 - bp = print_context_stack(tinfo, stack, bp,
13228 + bp = print_context_stack(task, irq_stack, stack, bp,
13229 ops, data, irq_stack_end, &graph);
13230 /*
13231 * We link to the next stack (which would be
13232 @@ -195,7 +195,8 @@ void dump_trace(struct task_struct *task
13233 /*
13234 * This handles the process stack:
13235 */
13236 - bp = print_context_stack(tinfo, stack, bp, ops, data, NULL, &graph);
13237 + stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
13238 + bp = print_context_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
13239 put_cpu();
13240 }
13241 EXPORT_SYMBOL(dump_trace);
13242 @@ -304,3 +305,50 @@ int is_valid_bugaddr(unsigned long ip)
13243 return ud2 == 0x0b0f;
13244 }
13245
13246 +
13247 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
13248 +void pax_check_alloca(unsigned long size)
13249 +{
13250 + unsigned long sp = (unsigned long)&sp, stack_start, stack_end;
13251 + unsigned cpu, used;
13252 + char *id;
13253 +
13254 + /* check the process stack first */
13255 + stack_start = (unsigned long)task_stack_page(current);
13256 + stack_end = stack_start + THREAD_SIZE;
13257 + if (likely(stack_start <= sp && sp < stack_end)) {
13258 + unsigned long stack_left = sp & (THREAD_SIZE - 1);
13259 + BUG_ON(stack_left < 256 || size >= stack_left - 256);
13260 + return;
13261 + }
13262 +
13263 + cpu = get_cpu();
13264 +
13265 + /* check the irq stacks */
13266 + stack_end = (unsigned long)per_cpu(irq_stack_ptr, cpu);
13267 + stack_start = stack_end - IRQ_STACK_SIZE;
13268 + if (stack_start <= sp && sp < stack_end) {
13269 + unsigned long stack_left = sp & (IRQ_STACK_SIZE - 1);
13270 + put_cpu();
13271 + BUG_ON(stack_left < 256 || size >= stack_left - 256);
13272 + return;
13273 + }
13274 +
13275 + /* check the exception stacks */
13276 + used = 0;
13277 + stack_end = (unsigned long)in_exception_stack(cpu, sp, &used, &id);
13278 + stack_start = stack_end - EXCEPTION_STKSZ;
13279 + if (stack_end && stack_start <= sp && sp < stack_end) {
13280 + unsigned long stack_left = sp & (EXCEPTION_STKSZ - 1);
13281 + put_cpu();
13282 + BUG_ON(stack_left < 256 || size >= stack_left - 256);
13283 + return;
13284 + }
13285 +
13286 + put_cpu();
13287 +
13288 + /* unknown stack */
13289 + BUG();
13290 +}
13291 +EXPORT_SYMBOL(pax_check_alloca);
13292 +#endif
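Review bot: Each branch of `pax_check_alloca()` computes the remaining space with a mask, `sp & (IRQ_STACK_SIZE - 1)` and `sp & (EXCEPTION_STKSZ - 1)`, which is correct only if that stack is aligned to its own size, and the hunk shows nothing that guarantees it for the IRQ and exception stacks. The range test just above each mask already has `stack_start`, so `unsigned long stack_left = sp - stack_start;` gives the same quantity without the alignment assumption. If the alignment is guaranteed elsewhere, a comment saying where would be enough. The three identical `BUG_ON` lines could also move into one small static helper so the bound is stated once.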
13293 diff -urNp linux-2.6.32.49/arch/x86/kernel/dumpstack.c linux-2.6.32.49/arch/x86/kernel/dumpstack.c
13294 --- linux-2.6.32.49/arch/x86/kernel/dumpstack.c 2011-11-08 19:02:43.000000000 -0500
13295 +++ linux-2.6.32.49/arch/x86/kernel/dumpstack.c 2011-11-15 19:59:43.000000000 -0500
13296 @@ -2,6 +2,9 @@
13297 * Copyright (C) 1991, 1992 Linus Torvalds
13298 * Copyright (C) 2000, 2001, 2002 Andi Kleen, SuSE Labs
13299 */
13300 +#ifdef CONFIG_GRKERNSEC_HIDESYM
13301 +#define __INCLUDED_BY_HIDESYM 1
13302 +#endif
13303 #include <linux/kallsyms.h>
13304 #include <linux/kprobes.h>
13305 #include <linux/uaccess.h>
13306 @@ -28,7 +31,7 @@ static int die_counter;
13307
13308 void printk_address(unsigned long address, int reliable)
13309 {
13310 - printk(" [<%p>] %s%pS\n", (void *) address,
13311 + printk(" [<%p>] %s%pA\n", (void *) address,
13312 reliable ? "" : "? ", (void *) address);
13313 }
13314
13315 @@ -36,9 +39,8 @@ void printk_address(unsigned long addres
13316 static void
13317 print_ftrace_graph_addr(unsigned long addr, void *data,
13318 const struct stacktrace_ops *ops,
13319 - struct thread_info *tinfo, int *graph)
13320 + struct task_struct *task, int *graph)
13321 {
13322 - struct task_struct *task = tinfo->task;
13323 unsigned long ret_addr;
13324 int index = task->curr_ret_stack;
13325
13326 @@ -59,7 +61,7 @@ print_ftrace_graph_addr(unsigned long ad
13327 static inline void
13328 print_ftrace_graph_addr(unsigned long addr, void *data,
13329 const struct stacktrace_ops *ops,
13330 - struct thread_info *tinfo, int *graph)
13331 + struct task_struct *task, int *graph)
13332 { }
13333 #endif
13334
13335 @@ -70,10 +72,8 @@ print_ftrace_graph_addr(unsigned long ad
13336 * severe exception (double fault, nmi, stack fault, debug, mce) hardware stack
13337 */
13338
13339 -static inline int valid_stack_ptr(struct thread_info *tinfo,
13340 - void *p, unsigned int size, void *end)
13341 +static inline int valid_stack_ptr(void *t, void *p, unsigned int size, void *end)
13342 {
13343 - void *t = tinfo;
13344 if (end) {
13345 if (p < end && p >= (end-THREAD_SIZE))
13346 return 1;
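Review bot: After this change the first parameter of `valid_stack_ptr()` is an untyped `void *t`, and the single-letter name no longer says what it is. `print_context_stack()` in the next hunk calls the same value `stack_start`; using that name here, `static inline int valid_stack_ptr(void *stack_start, void *p, unsigned int size, void *end)`, would keep the two signatures readable side by side. The function body continues outside the hunk.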
13347 @@ -84,14 +84,14 @@ static inline int valid_stack_ptr(struct
13348 }
13349
13350 unsigned long
13351 -print_context_stack(struct thread_info *tinfo,
13352 +print_context_stack(struct task_struct *task, void *stack_start,
13353 unsigned long *stack, unsigned long bp,
13354 const struct stacktrace_ops *ops, void *data,
13355 unsigned long *end, int *graph)
13356 {
13357 struct stack_frame *frame = (struct stack_frame *)bp;
13358
13359 - while (valid_stack_ptr(tinfo, stack, sizeof(*stack), end)) {
13360 + while (valid_stack_ptr(stack_start, stack, sizeof(*stack), end)) {
13361 unsigned long addr;
13362
13363 addr = *stack;
13364 @@ -103,7 +103,7 @@ print_context_stack(struct thread_info *
13365 } else {
13366 ops->address(data, addr, 0);
13367 }
13368 - print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
13369 + print_ftrace_graph_addr(addr, data, ops, task, graph);
13370 }
13371 stack++;
13372 }
13373 @@ -180,7 +180,7 @@ void dump_stack(void)
13374 #endif
13375
13376 printk("Pid: %d, comm: %.20s %s %s %.*s\n",
13377 - current->pid, current->comm, print_tainted(),
13378 + task_pid_nr(current), current->comm, print_tainted(),
13379 init_utsname()->release,
13380 (int)strcspn(init_utsname()->version, " "),
13381 init_utsname()->version);
13382 @@ -220,6 +220,8 @@ unsigned __kprobes long oops_begin(void)
13383 return flags;
13384 }
13385
13386 +extern void gr_handle_kernel_exploit(void);
13387 +
13388 void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, int signr)
13389 {
13390 if (regs && kexec_should_crash(current))
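Review bot: `extern void gr_handle_kernel_exploit(void);` is declared inside the .c file rather than taken from a header shared with its definition. The compiler therefore cannot catch a later change to the function's signature, and each further caller would need its own copy of the prototype. Moving the declaration to the header that the defining file includes would fix this. `oops_end()` continues outside the hunk.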
13391 @@ -241,7 +243,10 @@ void __kprobes oops_end(unsigned long fl
13392 panic("Fatal exception in interrupt");
13393 if (panic_on_oops)
13394 panic("Fatal exception");
13395 - do_exit(signr);
13396 +
13397 + gr_handle_kernel_exploit();
13398 +
13399 + do_group_exit(signr);
13400 }
13401
13402 int __kprobes __die(const char *str, struct pt_regs *regs, long err)
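Review bot: Replacing `do_exit(signr)` with `do_group_exit(signr)` changes what an oops terminates, from the faulting thread to its whole thread group, and the hunk carries no comment saying so. The new `gr_handle_kernel_exploit()` call is likewise reached by any oops that gets past the two `panic()` paths, not only by ones known to be attacks, which the name does not convey. A short comment above both lines would record the intent, e.g. `/* treat any surviving oops as hostile: run the grsecurity handler, then end the whole thread group */`.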
13403 @@ -295,7 +300,7 @@ void die(const char *str, struct pt_regs
13404 unsigned long flags = oops_begin();
13405 int sig = SIGSEGV;
13406
13407 - if (!user_mode_vm(regs))
13408 + if (!user_mode(regs))
13409 report_bug(regs->ip, regs);
13410
13411 if (__die(str, regs, err))
13412 diff -urNp linux-2.6.32.49/arch/x86/kernel/dumpstack.h linux-2.6.32.49/arch/x86/kernel/dumpstack.h
13413 --- linux-2.6.32.49/arch/x86/kernel/dumpstack.h 2011-11-08 19:02:43.000000000 -0500
13414 +++ linux-2.6.32.49/arch/x86/kernel/dumpstack.h 2011-11-15 19:59:43.000000000 -0500
13415 @@ -15,7 +15,7 @@
13416 #endif
13417
13418 extern unsigned long
13419 -print_context_stack(struct thread_info *tinfo,
13420 +print_context_stack(struct task_struct *task, void *stack_start,
13421 unsigned long *stack, unsigned long bp,
13422 const struct stacktrace_ops *ops, void *data,
13423 unsigned long *end, int *graph);
13424 diff -urNp linux-2.6.32.49/arch/x86/kernel/e820.c linux-2.6.32.49/arch/x86/kernel/e820.c
13425 --- linux-2.6.32.49/arch/x86/kernel/e820.c 2011-11-08 19:02:43.000000000 -0500
13426 +++ linux-2.6.32.49/arch/x86/kernel/e820.c 2011-11-15 19:59:43.000000000 -0500
13427 @@ -733,7 +733,7 @@ struct early_res {
13428 };
13429 static struct early_res early_res[MAX_EARLY_RES] __initdata = {
13430 { 0, PAGE_SIZE, "BIOS data page" }, /* BIOS data page */
13431 - {}
13432 + { 0, 0, {0}, 0 }
13433 };
13434
13435 static int __init find_overlapped_early(u64 start, u64 end)
13436 diff -urNp linux-2.6.32.49/arch/x86/kernel/early_printk.c linux-2.6.32.49/arch/x86/kernel/early_printk.c
13437 --- linux-2.6.32.49/arch/x86/kernel/early_printk.c 2011-11-08 19:02:43.000000000 -0500
13438 +++ linux-2.6.32.49/arch/x86/kernel/early_printk.c 2011-11-15 19:59:43.000000000 -0500
13439 @@ -7,6 +7,7 @@
13440 #include <linux/pci_regs.h>
13441 #include <linux/pci_ids.h>
13442 #include <linux/errno.h>
13443 +#include <linux/sched.h>
13444 #include <asm/io.h>
13445 #include <asm/processor.h>
13446 #include <asm/fcntl.h>
13447 @@ -170,6 +171,8 @@ asmlinkage void early_printk(const char
13448 int n;
13449 va_list ap;
13450
13451 + pax_track_stack();
13452 +
13453 va_start(ap, fmt);
13454 n = vscnprintf(buf, sizeof(buf), fmt, ap);
13455 early_console->write(early_console, buf, n);
13456 diff -urNp linux-2.6.32.49/arch/x86/kernel/efi_32.c linux-2.6.32.49/arch/x86/kernel/efi_32.c
13457 --- linux-2.6.32.49/arch/x86/kernel/efi_32.c 2011-11-08 19:02:43.000000000 -0500
13458 +++ linux-2.6.32.49/arch/x86/kernel/efi_32.c 2011-11-15 19:59:43.000000000 -0500
13459 @@ -38,70 +38,56 @@
13460 */
13461
13462 static unsigned long efi_rt_eflags;
13463 -static pgd_t efi_bak_pg_dir_pointer[2];
13464 +static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS];
13465
13466 -void efi_call_phys_prelog(void)
13467 +void __init efi_call_phys_prelog(void)
13468 {
13469 - unsigned long cr4;
13470 - unsigned long temp;
13471 struct desc_ptr gdt_descr;
13472
13473 - local_irq_save(efi_rt_eflags);
13474 +#ifdef CONFIG_PAX_KERNEXEC
13475 + struct desc_struct d;
13476 +#endif
13477
13478 - /*
13479 - * If I don't have PAE, I should just duplicate two entries in page
13480 - * directory. If I have PAE, I just need to duplicate one entry in
13481 - * page directory.
13482 - */
13483 - cr4 = read_cr4_safe();
13484 + local_irq_save(efi_rt_eflags);
13485
13486 - if (cr4 & X86_CR4_PAE) {
13487 - efi_bak_pg_dir_pointer[0].pgd =
13488 - swapper_pg_dir[pgd_index(0)].pgd;
13489 - swapper_pg_dir[0].pgd =
13490 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
13491 - } else {
13492 - efi_bak_pg_dir_pointer[0].pgd =
13493 - swapper_pg_dir[pgd_index(0)].pgd;
13494 - efi_bak_pg_dir_pointer[1].pgd =
13495 - swapper_pg_dir[pgd_index(0x400000)].pgd;
13496 - swapper_pg_dir[pgd_index(0)].pgd =
13497 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
13498 - temp = PAGE_OFFSET + 0x400000;
13499 - swapper_pg_dir[pgd_index(0x400000)].pgd =
13500 - swapper_pg_dir[pgd_index(temp)].pgd;
13501 - }
13502 + clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
13503 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
13504 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
13505
13506 /*
13507 * After the lock is released, the original page table is restored.
13508 */
13509 __flush_tlb_all();
13510
13511 +#ifdef CONFIG_PAX_KERNEXEC
13512 + pack_descriptor(&d, 0, 0xFFFFF, 0x9B, 0xC);
13513 + write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_CS, &d, DESCTYPE_S);
13514 + pack_descriptor(&d, 0, 0xFFFFF, 0x93, 0xC);
13515 + write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_DS, &d, DESCTYPE_S);
13516 +#endif
13517 +
13518 gdt_descr.address = __pa(get_cpu_gdt_table(0));
13519 gdt_descr.size = GDT_SIZE - 1;
13520 load_gdt(&gdt_descr);
13521 }
13522
13523 -void efi_call_phys_epilog(void)
13524 +void __init efi_call_phys_epilog(void)
13525 {
13526 - unsigned long cr4;
13527 struct desc_ptr gdt_descr;
13528
13529 +#ifdef CONFIG_PAX_KERNEXEC
13530 + struct desc_struct d;
13531 +
13532 + memset(&d, 0, sizeof d);
13533 + write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_CS, &d, DESCTYPE_S);
13534 + write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_DS, &d, DESCTYPE_S);
13535 +#endif
13536 +
13537 gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
13538 gdt_descr.size = GDT_SIZE - 1;
13539 load_gdt(&gdt_descr);
13540
13541 - cr4 = read_cr4_safe();
13542 -
13543 - if (cr4 & X86_CR4_PAE) {
13544 - swapper_pg_dir[pgd_index(0)].pgd =
13545 - efi_bak_pg_dir_pointer[0].pgd;
13546 - } else {
13547 - swapper_pg_dir[pgd_index(0)].pgd =
13548 - efi_bak_pg_dir_pointer[0].pgd;
13549 - swapper_pg_dir[pgd_index(0x400000)].pgd =
13550 - efi_bak_pg_dir_pointer[1].pgd;
13551 - }
13552 + clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
13553
13554 /*
13555 * After the lock is released, the original page table is restored.
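Review bot: The two `pack_descriptor()` calls in `efi_call_phys_prelog()` pass bare constants (`0xFFFFF`, `0x9B`, `0x93`, `0xC`) with no comment, so the reader must decode by hand that they build flat ring-0 code and data segments for the physical-mode call. A line above each would help, e.g. `/* flat 4 GiB ring-0 code segment, 32-bit, page granular */` and `/* matching flat ring-0 data segment */`. The epilog does zero both entries again, and a comment there should note that these descriptors exist only for the duration of the EFI call. The `min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY)` count in the second `clone_pgd_range()` also needs a comment saying which case each operand bounds. `efi_call_phys_epilog()` continues outside the hunk.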
13556 diff -urNp linux-2.6.32.49/arch/x86/kernel/efi_stub_32.S linux-2.6.32.49/arch/x86/kernel/efi_stub_32.S
13557 --- linux-2.6.32.49/arch/x86/kernel/efi_stub_32.S 2011-11-08 19:02:43.000000000 -0500
13558 +++ linux-2.6.32.49/arch/x86/kernel/efi_stub_32.S 2011-11-15 19:59:43.000000000 -0500
13559 @@ -6,7 +6,9 @@
13560 */
13561
13562 #include <linux/linkage.h>
13563 +#include <linux/init.h>
13564 #include <asm/page_types.h>
13565 +#include <asm/segment.h>
13566
13567 /*
13568 * efi_call_phys(void *, ...) is a function with variable parameters.
13569 @@ -20,7 +22,7 @@
13570 * service functions will comply with gcc calling convention, too.
13571 */
13572
13573 -.text
13574 +__INIT
13575 ENTRY(efi_call_phys)
13576 /*
13577 * 0. The function can only be called in Linux kernel. So CS has been
13578 @@ -36,9 +38,11 @@ ENTRY(efi_call_phys)
13579 * The mapping of lower virtual memory has been created in prelog and
13580 * epilog.
13581 */
13582 - movl $1f, %edx
13583 - subl $__PAGE_OFFSET, %edx
13584 - jmp *%edx
13585 + movl $(__KERNEXEC_EFI_DS), %edx
13586 + mov %edx, %ds
13587 + mov %edx, %es
13588 + mov %edx, %ss
13589 + ljmp $(__KERNEXEC_EFI_CS),$1f-__PAGE_OFFSET
13590 1:
13591
13592 /*
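Review bot: The stub now loads `__KERNEXEC_EFI_DS` and far-jumps through `__KERNEXEC_EFI_CS` unconditionally, while the matching GDT entries are written in efi_32.c only under `#ifdef CONFIG_PAX_KERNEXEC`. Presumably `<asm/segment.h>` maps both names to the ordinary kernel selectors when that option is off, but nothing in this hunk says so, and the block comment just above still describes the old address-adjusting jump. Add a line such as `/* __KERNEXEC_EFI_{CS,DS}: flat segments installed by efi_call_phys_prelog(); see segment.h for the !KERNEXEC definition */`. `efi_call_phys` starts and ends outside the hunk.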
13593 @@ -47,14 +51,8 @@ ENTRY(efi_call_phys)
13594 * parameter 2, ..., param n. To make things easy, we save the return
13595 * address of efi_call_phys in a global variable.
13596 */
13597 - popl %edx
13598 - movl %edx, saved_return_addr
13599 - /* get the function pointer into ECX*/
13600 - popl %ecx
13601 - movl %ecx, efi_rt_function_ptr
13602 - movl $2f, %edx
13603 - subl $__PAGE_OFFSET, %edx
13604 - pushl %edx
13605 + popl (saved_return_addr)
13606 + popl (efi_rt_function_ptr)
13607
13608 /*
13609 * 3. Clear PG bit in %CR0.
13610 @@ -73,9 +71,8 @@ ENTRY(efi_call_phys)
13611 /*
13612 * 5. Call the physical function.
13613 */
13614 - jmp *%ecx
13615 + call *(efi_rt_function_ptr-__PAGE_OFFSET)
13616
13617 -2:
13618 /*
13619 * 6. After EFI runtime service returns, control will return to
13620 * following instruction. We'd better readjust stack pointer first.
13621 @@ -88,35 +85,32 @@ ENTRY(efi_call_phys)
13622 movl %cr0, %edx
13623 orl $0x80000000, %edx
13624 movl %edx, %cr0
13625 - jmp 1f
13626 -1:
13627 +
13628 /*
13629 * 8. Now restore the virtual mode from flat mode by
13630 * adding EIP with PAGE_OFFSET.
13631 */
13632 - movl $1f, %edx
13633 - jmp *%edx
13634 + ljmp $(__KERNEL_CS),$1f+__PAGE_OFFSET
13635 1:
13636 + movl $(__KERNEL_DS), %edx
13637 + mov %edx, %ds
13638 + mov %edx, %es
13639 + mov %edx, %ss
13640
13641 /*
13642 * 9. Balance the stack. And because EAX contain the return value,
13643 * we'd better not clobber it.
13644 */
13645 - leal efi_rt_function_ptr, %edx
13646 - movl (%edx), %ecx
13647 - pushl %ecx
13648 + pushl (efi_rt_function_ptr)
13649
13650 /*
13651 - * 10. Push the saved return address onto the stack and return.
13652 + * 10. Return to the saved return address.
13653 */
13654 - leal saved_return_addr, %edx
13655 - movl (%edx), %ecx
13656 - pushl %ecx
13657 - ret
13658 + jmpl *(saved_return_addr)
13659 ENDPROC(efi_call_phys)
13660 .previous
13661
13662 -.data
13663 +__INITDATA
13664 saved_return_addr:
13665 .long 0
13666 efi_rt_function_ptr:
13667 diff -urNp linux-2.6.32.49/arch/x86/kernel/efi_stub_64.S linux-2.6.32.49/arch/x86/kernel/efi_stub_64.S
13668 --- linux-2.6.32.49/arch/x86/kernel/efi_stub_64.S 2011-11-08 19:02:43.000000000 -0500
13669 +++ linux-2.6.32.49/arch/x86/kernel/efi_stub_64.S 2011-11-15 19:59:43.000000000 -0500
13670 @@ -7,6 +7,7 @@
13671 */
13672
13673 #include <linux/linkage.h>
13674 +#include <asm/alternative-asm.h>
13675
13676 #define SAVE_XMM \
13677 mov %rsp, %rax; \
13678 @@ -40,6 +41,7 @@ ENTRY(efi_call0)
13679 call *%rdi
13680 addq $32, %rsp
13681 RESTORE_XMM
13682 + pax_force_retaddr
13683 ret
13684 ENDPROC(efi_call0)
13685
13686 @@ -50,6 +52,7 @@ ENTRY(efi_call1)
13687 call *%rdi
13688 addq $32, %rsp
13689 RESTORE_XMM
13690 + pax_force_retaddr
13691 ret
13692 ENDPROC(efi_call1)
13693
13694 @@ -60,6 +63,7 @@ ENTRY(efi_call2)
13695 call *%rdi
13696 addq $32, %rsp
13697 RESTORE_XMM
13698 + pax_force_retaddr
13699 ret
13700 ENDPROC(efi_call2)
13701
13702 @@ -71,6 +75,7 @@ ENTRY(efi_call3)
13703 call *%rdi
13704 addq $32, %rsp
13705 RESTORE_XMM
13706 + pax_force_retaddr
13707 ret
13708 ENDPROC(efi_call3)
13709
13710 @@ -83,6 +88,7 @@ ENTRY(efi_call4)
13711 call *%rdi
13712 addq $32, %rsp
13713 RESTORE_XMM
13714 + pax_force_retaddr
13715 ret
13716 ENDPROC(efi_call4)
13717
13718 @@ -96,6 +102,7 @@ ENTRY(efi_call5)
13719 call *%rdi
13720 addq $48, %rsp
13721 RESTORE_XMM
13722 + pax_force_retaddr
13723 ret
13724 ENDPROC(efi_call5)
13725
13726 @@ -112,5 +119,6 @@ ENTRY(efi_call6)
13727 call *%rdi
13728 addq $48, %rsp
13729 RESTORE_XMM
13730 + pax_force_retaddr
13731 ret
13732 ENDPROC(efi_call6)
13733 diff -urNp linux-2.6.32.49/arch/x86/kernel/entry_32.S linux-2.6.32.49/arch/x86/kernel/entry_32.S
13734 --- linux-2.6.32.49/arch/x86/kernel/entry_32.S 2011-11-08 19:02:43.000000000 -0500
13735 +++ linux-2.6.32.49/arch/x86/kernel/entry_32.S 2011-11-18 18:01:52.000000000 -0500
13736 @@ -185,13 +185,146 @@
13737 /*CFI_REL_OFFSET gs, PT_GS*/
13738 .endm
13739 .macro SET_KERNEL_GS reg
13740 +
13741 +#ifdef CONFIG_CC_STACKPROTECTOR
13742 movl $(__KERNEL_STACK_CANARY), \reg
13743 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
13744 + movl $(__USER_DS), \reg
13745 +#else
13746 + xorl \reg, \reg
13747 +#endif
13748 +
13749 movl \reg, %gs
13750 .endm
13751
13752 #endif /* CONFIG_X86_32_LAZY_GS */
13753
13754 -.macro SAVE_ALL
13755 +.macro pax_enter_kernel
13756 +#ifdef CONFIG_PAX_KERNEXEC
13757 + call pax_enter_kernel
13758 +#endif
13759 +.endm
13760 +
13761 +.macro pax_exit_kernel
13762 +#ifdef CONFIG_PAX_KERNEXEC
13763 + call pax_exit_kernel
13764 +#endif
13765 +.endm
13766 +
13767 +#ifdef CONFIG_PAX_KERNEXEC
13768 +ENTRY(pax_enter_kernel)
13769 +#ifdef CONFIG_PARAVIRT
13770 + pushl %eax
13771 + pushl %ecx
13772 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)
13773 + mov %eax, %esi
13774 +#else
13775 + mov %cr0, %esi
13776 +#endif
13777 + bts $16, %esi
13778 + jnc 1f
13779 + mov %cs, %esi
13780 + cmp $__KERNEL_CS, %esi
13781 + jz 3f
13782 + ljmp $__KERNEL_CS, $3f
13783 +1: ljmp $__KERNEXEC_KERNEL_CS, $2f
13784 +2:
13785 +#ifdef CONFIG_PARAVIRT
13786 + mov %esi, %eax
13787 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
13788 +#else
13789 + mov %esi, %cr0
13790 +#endif
13791 +3:
13792 +#ifdef CONFIG_PARAVIRT
13793 + popl %ecx
13794 + popl %eax
13795 +#endif
13796 + ret
13797 +ENDPROC(pax_enter_kernel)
13798 +
13799 +ENTRY(pax_exit_kernel)
13800 +#ifdef CONFIG_PARAVIRT
13801 + pushl %eax
13802 + pushl %ecx
13803 +#endif
13804 + mov %cs, %esi
13805 + cmp $__KERNEXEC_KERNEL_CS, %esi
13806 + jnz 2f
13807 +#ifdef CONFIG_PARAVIRT
13808 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0);
13809 + mov %eax, %esi
13810 +#else
13811 + mov %cr0, %esi
13812 +#endif
13813 + btr $16, %esi
13814 + ljmp $__KERNEL_CS, $1f
13815 +1:
13816 +#ifdef CONFIG_PARAVIRT
13817 + mov %esi, %eax
13818 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);
13819 +#else
13820 + mov %esi, %cr0
13821 +#endif
13822 +2:
13823 +#ifdef CONFIG_PARAVIRT
13824 + popl %ecx
13825 + popl %eax
13826 +#endif
13827 + ret
13828 +ENDPROC(pax_exit_kernel)
13829 +#endif
13830 +
13831 +.macro pax_erase_kstack
13832 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
13833 + call pax_erase_kstack
13834 +#endif
13835 +.endm
13836 +
13837 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
13838 +/*
13839 + * ebp: thread_info
13840 + * ecx, edx: can be clobbered
13841 + */
13842 +ENTRY(pax_erase_kstack)
13843 + pushl %edi
13844 + pushl %eax
13845 +
13846 + mov TI_lowest_stack(%ebp), %edi
13847 + mov $-0xBEEF, %eax
13848 + std
13849 +
13850 +1: mov %edi, %ecx
13851 + and $THREAD_SIZE_asm - 1, %ecx
13852 + shr $2, %ecx
13853 + repne scasl
13854 + jecxz 2f
13855 +
13856 + cmp $2*16, %ecx
13857 + jc 2f
13858 +
13859 + mov $2*16, %ecx
13860 + repe scasl
13861 + jecxz 2f
13862 + jne 1b
13863 +
13864 +2: cld
13865 + mov %esp, %ecx
13866 + sub %edi, %ecx
13867 + shr $2, %ecx
13868 + rep stosl
13869 +
13870 + mov TI_task_thread_sp0(%ebp), %edi
13871 + sub $128, %edi
13872 + mov %edi, TI_lowest_stack(%ebp)
13873 +
13874 + popl %eax
13875 + popl %edi
13876 + ret
13877 +ENDPROC(pax_erase_kstack)
13878 +#endif
13879 +
13880 +.macro __SAVE_ALL _DS
13881 cld
13882 PUSH_GS
13883 pushl %fs
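Review bot: The 32-bit `pax_erase_kstack` feeds `%esp - %edi` straight into `rep stosl` with no sanity check, whereas the 64-bit version added later in this same patch traps with `ud2` when the length is not below `THREAD_SIZE_asm`. If `TI_lowest_stack` ever holds a value outside the current stack, the fill length here is unbounded. Adding the same guard after `sub %edi, %ecx` would make the two implementations agree: `cmp $THREAD_SIZE_asm, %ecx`, `jb 3f`, `ud2`, then a `3:` label before `shr $2, %ecx`. The `__SAVE_ALL` macro that starts at the end of this hunk continues outside it.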
13884 @@ -224,7 +357,7 @@
13885 pushl %ebx
13886 CFI_ADJUST_CFA_OFFSET 4
13887 CFI_REL_OFFSET ebx, 0
13888 - movl $(__USER_DS), %edx
13889 + movl $\_DS, %edx
13890 movl %edx, %ds
13891 movl %edx, %es
13892 movl $(__KERNEL_PERCPU), %edx
13893 @@ -232,6 +365,15 @@
13894 SET_KERNEL_GS %edx
13895 .endm
13896
13897 +.macro SAVE_ALL
13898 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
13899 + __SAVE_ALL __KERNEL_DS
13900 + pax_enter_kernel
13901 +#else
13902 + __SAVE_ALL __USER_DS
13903 +#endif
13904 +.endm
13905 +
13906 .macro RESTORE_INT_REGS
13907 popl %ebx
13908 CFI_ADJUST_CFA_OFFSET -4
13909 @@ -331,7 +473,7 @@ ENTRY(ret_from_fork)
13910 CFI_ADJUST_CFA_OFFSET -4
13911 jmp syscall_exit
13912 CFI_ENDPROC
13913 -END(ret_from_fork)
13914 +ENDPROC(ret_from_fork)
13915
13916 /*
13917 * Return to user mode is not as complex as all this looks,
13918 @@ -352,7 +494,15 @@ check_userspace:
13919 movb PT_CS(%esp), %al
13920 andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax
13921 cmpl $USER_RPL, %eax
13922 +
13923 +#ifdef CONFIG_PAX_KERNEXEC
13924 + jae resume_userspace
13925 +
13926 + PAX_EXIT_KERNEL
13927 + jmp resume_kernel
13928 +#else
13929 jb resume_kernel # not returning to v8086 or userspace
13930 +#endif
13931
13932 ENTRY(resume_userspace)
13933 LOCKDEP_SYS_EXIT
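Review bot: `PAX_EXIT_KERNEL` in the new `CONFIG_PAX_KERNEXEC` branch is spelled in upper case, while the macro defined earlier in this file and used at the NMI exits is `pax_exit_kernel`. If this only works because the assembler folds macro names, or relies on a definition outside this file, the lower-case spelling would be clearer and consistent with the other call sites. The `check_userspace` block starts above the hunk.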
13934 @@ -364,8 +514,8 @@ ENTRY(resume_userspace)
13935 andl $_TIF_WORK_MASK, %ecx # is there any work to be done on
13936 # int/exception return?
13937 jne work_pending
13938 - jmp restore_all
13939 -END(ret_from_exception)
13940 + jmp restore_all_pax
13941 +ENDPROC(ret_from_exception)
13942
13943 #ifdef CONFIG_PREEMPT
13944 ENTRY(resume_kernel)
13945 @@ -380,7 +530,7 @@ need_resched:
13946 jz restore_all
13947 call preempt_schedule_irq
13948 jmp need_resched
13949 -END(resume_kernel)
13950 +ENDPROC(resume_kernel)
13951 #endif
13952 CFI_ENDPROC
13953
13954 @@ -414,25 +564,36 @@ sysenter_past_esp:
13955 /*CFI_REL_OFFSET cs, 0*/
13956 /*
13957 * Push current_thread_info()->sysenter_return to the stack.
13958 - * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
13959 - * pushed above; +8 corresponds to copy_thread's esp0 setting.
13960 */
13961 - pushl (TI_sysenter_return-THREAD_SIZE+8+4*4)(%esp)
13962 + pushl $0
13963 CFI_ADJUST_CFA_OFFSET 4
13964 CFI_REL_OFFSET eip, 0
13965
13966 pushl %eax
13967 CFI_ADJUST_CFA_OFFSET 4
13968 SAVE_ALL
13969 + GET_THREAD_INFO(%ebp)
13970 + movl TI_sysenter_return(%ebp),%ebp
13971 + movl %ebp,PT_EIP(%esp)
13972 ENABLE_INTERRUPTS(CLBR_NONE)
13973
13974 /*
13975 * Load the potential sixth argument from user stack.
13976 * Careful about security.
13977 */
13978 + movl PT_OLDESP(%esp),%ebp
13979 +
13980 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13981 + mov PT_OLDSS(%esp),%ds
13982 +1: movl %ds:(%ebp),%ebp
13983 + push %ss
13984 + pop %ds
13985 +#else
13986 cmpl $__PAGE_OFFSET-3,%ebp
13987 jae syscall_fault
13988 1: movl (%ebp),%ebp
13989 +#endif
13990 +
13991 movl %ebp,PT_EBP(%esp)
13992 .section __ex_table,"a"
13993 .align 4
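Review bot: The comment kept above `pushl $0` still says "Push current_thread_info()->sysenter_return to the stack", but the new code pushes a zero placeholder and only stores `TI_sysenter_return` into `PT_EIP(%esp)` after `SAVE_ALL`. I would reword it to something like `/* Reserve the EIP slot; filled from TI_sysenter_return after SAVE_ALL. */`. The `CONFIG_PAX_MEMORY_UDEREF` branch further down also replaces the `__PAGE_OFFSET` range check with a load through `%ds` set from `PT_OLDSS`, and a line under "Careful about security" saying what now bounds the user pointer would help the next reader. The exception-table entry for label `1:` continues outside the hunk.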
13994 @@ -455,12 +616,24 @@ sysenter_do_call:
13995 testl $_TIF_ALLWORK_MASK, %ecx
13996 jne sysexit_audit
13997 sysenter_exit:
13998 +
13999 +#ifdef CONFIG_PAX_RANDKSTACK
14000 + pushl_cfi %eax
14001 + movl %esp, %eax
14002 + call pax_randomize_kstack
14003 + popl_cfi %eax
14004 +#endif
14005 +
14006 + pax_erase_kstack
14007 +
14008 /* if something modifies registers it must also disable sysexit */
14009 movl PT_EIP(%esp), %edx
14010 movl PT_OLDESP(%esp), %ecx
14011 xorl %ebp,%ebp
14012 TRACE_IRQS_ON
14013 1: mov PT_FS(%esp), %fs
14014 +2: mov PT_DS(%esp), %ds
14015 +3: mov PT_ES(%esp), %es
14016 PTGS_TO_GS
14017 ENABLE_INTERRUPTS_SYSEXIT
14018
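Review bot: In the `CONFIG_PAX_RANDKSTACK` block at `sysenter_exit`, `%eax` is loaded from `%esp` after `pushl_cfi %eax`, so it points one word below the saved register frame, while the `restore_all_pax` path in this patch passes `%esp` with nothing pushed. If `pax_randomize_kstack` treats `%eax` as a pointer to the saved registers (its definition is not in this file), the two call sites hand it different addresses; `leal 4(%esp), %eax` here would make them agree. A one-line comment stating what the argument is would settle the question for readers.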
14019 @@ -477,6 +650,9 @@ sysenter_audit:
14020 movl %eax,%edx /* 2nd arg: syscall number */
14021 movl $AUDIT_ARCH_I386,%eax /* 1st arg: audit arch */
14022 call audit_syscall_entry
14023 +
14024 + pax_erase_kstack
14025 +
14026 pushl %ebx
14027 CFI_ADJUST_CFA_OFFSET 4
14028 movl PT_EAX(%esp),%eax /* reload syscall number */
14029 @@ -504,11 +680,17 @@ sysexit_audit:
14030
14031 CFI_ENDPROC
14032 .pushsection .fixup,"ax"
14033 -2: movl $0,PT_FS(%esp)
14034 +4: movl $0,PT_FS(%esp)
14035 + jmp 1b
14036 +5: movl $0,PT_DS(%esp)
14037 + jmp 1b
14038 +6: movl $0,PT_ES(%esp)
14039 jmp 1b
14040 .section __ex_table,"a"
14041 .align 4
14042 - .long 1b,2b
14043 + .long 1b,4b
14044 + .long 2b,5b
14045 + .long 3b,6b
14046 .popsection
14047 PTGS_TO_GS_EX
14048 ENDPROC(ia32_sysenter_target)
14049 @@ -538,6 +720,15 @@ syscall_exit:
14050 testl $_TIF_ALLWORK_MASK, %ecx # current->work
14051 jne syscall_exit_work
14052
14053 +restore_all_pax:
14054 +
14055 +#ifdef CONFIG_PAX_RANDKSTACK
14056 + movl %esp, %eax
14057 + call pax_randomize_kstack
14058 +#endif
14059 +
14060 + pax_erase_kstack
14061 +
14062 restore_all:
14063 TRACE_IRQS_IRET
14064 restore_all_notrace:
14065 @@ -602,10 +793,29 @@ ldt_ss:
14066 mov PT_OLDESP(%esp), %eax /* load userspace esp */
14067 mov %dx, %ax /* eax: new kernel esp */
14068 sub %eax, %edx /* offset (low word is 0) */
14069 - PER_CPU(gdt_page, %ebx)
14070 +#ifdef CONFIG_SMP
14071 + movl PER_CPU_VAR(cpu_number), %ebx
14072 + shll $PAGE_SHIFT_asm, %ebx
14073 + addl $cpu_gdt_table, %ebx
14074 +#else
14075 + movl $cpu_gdt_table, %ebx
14076 +#endif
14077 shr $16, %edx
14078 +
14079 +#ifdef CONFIG_PAX_KERNEXEC
14080 + mov %cr0, %esi
14081 + btr $16, %esi
14082 + mov %esi, %cr0
14083 +#endif
14084 +
14085 mov %dl, GDT_ENTRY_ESPFIX_SS * 8 + 4(%ebx) /* bits 16..23 */
14086 mov %dh, GDT_ENTRY_ESPFIX_SS * 8 + 7(%ebx) /* bits 24..31 */
14087 +
14088 +#ifdef CONFIG_PAX_KERNEXEC
14089 + bts $16, %esi
14090 + mov %esi, %cr0
14091 +#endif
14092 +
14093 pushl $__ESPFIX_SS
14094 CFI_ADJUST_CFA_OFFSET 4
14095 push %eax /* new kernel esp */
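Review bot: The `CONFIG_PAX_KERNEXEC` blocks around the two GDT byte stores in `ldt_ss` read and write `%cr0` directly, but `pax_enter_kernel` and `pax_exit_kernel` earlier in this patch route the same accesses through `pv_cpu_ops` when `CONFIG_PARAVIRT` is set. Either the direct access is intentional here and deserves a comment saying why, or it should follow the same `#ifdef CONFIG_PARAVIRT` pattern. A short comment such as `/* clear CR0.WP (bit 16) while the espfix descriptor is rewritten; %esi is scratch */` would also make the bit toggling and the `%esi` clobber explicit, presumably needed because the GDT is write-protected under KERNEXEC. The `ldt_ss` body continues outside the hunk.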
14096 @@ -636,36 +846,30 @@ work_resched:
14097 movl TI_flags(%ebp), %ecx
14098 andl $_TIF_WORK_MASK, %ecx # is there any work to be done other
14099 # than syscall tracing?
14100 - jz restore_all
14101 + jz restore_all_pax
14102 testb $_TIF_NEED_RESCHED, %cl
14103 jnz work_resched
14104
14105 work_notifysig: # deal with pending signals and
14106 # notify-resume requests
14107 + movl %esp, %eax
14108 #ifdef CONFIG_VM86
14109 testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
14110 - movl %esp, %eax
14111 - jne work_notifysig_v86 # returning to kernel-space or
14112 + jz 1f # returning to kernel-space or
14113 # vm86-space
14114 - xorl %edx, %edx
14115 - call do_notify_resume
14116 - jmp resume_userspace_sig
14117
14118 - ALIGN
14119 -work_notifysig_v86:
14120 pushl %ecx # save ti_flags for do_notify_resume
14121 CFI_ADJUST_CFA_OFFSET 4
14122 call save_v86_state # %eax contains pt_regs pointer
14123 popl %ecx
14124 CFI_ADJUST_CFA_OFFSET -4
14125 movl %eax, %esp
14126 -#else
14127 - movl %esp, %eax
14128 +1:
14129 #endif
14130 xorl %edx, %edx
14131 call do_notify_resume
14132 jmp resume_userspace_sig
14133 -END(work_pending)
14134 +ENDPROC(work_pending)
14135
14136 # perform syscall exit tracing
14137 ALIGN
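Review bot: The trailing comment "# returning to kernel-space or vm86-space" was written for the removed `jne work_notifysig_v86` and is now attached to `jz 1f`, which is taken when `X86_EFLAGS_VM` is clear, so it reads as the opposite of what the branch does. Something like `jz 1f # not vm86: skip save_v86_state` matches the new control flow. The `work_pending` body starts above the hunk.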
14138 @@ -673,11 +877,14 @@ syscall_trace_entry:
14139 movl $-ENOSYS,PT_EAX(%esp)
14140 movl %esp, %eax
14141 call syscall_trace_enter
14142 +
14143 + pax_erase_kstack
14144 +
14145 /* What it returned is what we'll actually use. */
14146 cmpl $(nr_syscalls), %eax
14147 jnae syscall_call
14148 jmp syscall_exit
14149 -END(syscall_trace_entry)
14150 +ENDPROC(syscall_trace_entry)
14151
14152 # perform syscall exit tracing
14153 ALIGN
14154 @@ -690,20 +897,24 @@ syscall_exit_work:
14155 movl %esp, %eax
14156 call syscall_trace_leave
14157 jmp resume_userspace
14158 -END(syscall_exit_work)
14159 +ENDPROC(syscall_exit_work)
14160 CFI_ENDPROC
14161
14162 RING0_INT_FRAME # can't unwind into user space anyway
14163 syscall_fault:
14164 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14165 + push %ss
14166 + pop %ds
14167 +#endif
14168 GET_THREAD_INFO(%ebp)
14169 movl $-EFAULT,PT_EAX(%esp)
14170 jmp resume_userspace
14171 -END(syscall_fault)
14172 +ENDPROC(syscall_fault)
14173
14174 syscall_badsys:
14175 movl $-ENOSYS,PT_EAX(%esp)
14176 jmp resume_userspace
14177 -END(syscall_badsys)
14178 +ENDPROC(syscall_badsys)
14179 CFI_ENDPROC
14180
14181 /*
14182 @@ -726,6 +937,33 @@ PTREGSCALL(rt_sigreturn)
14183 PTREGSCALL(vm86)
14184 PTREGSCALL(vm86old)
14185
14186 + ALIGN;
14187 +ENTRY(kernel_execve)
14188 + push %ebp
14189 + sub $PT_OLDSS+4,%esp
14190 + push %edi
14191 + push %ecx
14192 + push %eax
14193 + lea 3*4(%esp),%edi
14194 + mov $PT_OLDSS/4+1,%ecx
14195 + xorl %eax,%eax
14196 + rep stosl
14197 + pop %eax
14198 + pop %ecx
14199 + pop %edi
14200 + movl $X86_EFLAGS_IF,PT_EFLAGS(%esp)
14201 + mov %eax,PT_EBX(%esp)
14202 + mov %edx,PT_ECX(%esp)
14203 + mov %ecx,PT_EDX(%esp)
14204 + mov %esp,%eax
14205 + call sys_execve
14206 + GET_THREAD_INFO(%ebp)
14207 + test %eax,%eax
14208 + jz syscall_exit
14209 + add $PT_OLDSS+4,%esp
14210 + pop %ebp
14211 + ret
14212 +
14213 .macro FIXUP_ESPFIX_STACK
14214 /*
14215 * Switch back for ESPFIX stack to the normal zerobased stack
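Review bot: `ENTRY(kernel_execve)` is added without a closing `ENDPROC(kernel_execve)` after the final `ret`, although the rest of this patch converts the file's `END()` markers to `ENDPROC()`. Without it the symbol gets no size or function type from this file. The routine also carries no CFI annotations and no comment on the register shuffle; a line such as `/* regparm: eax=filename, edx=argv, ecx=envp -> pt_regs bx, cx, dx */` before the three `mov`s would document it, assuming that is the intended calling convention.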
14216 @@ -735,7 +973,13 @@ PTREGSCALL(vm86old)
14217 * normal stack and adjusts ESP with the matching offset.
14218 */
14219 /* fixup the stack */
14220 - PER_CPU(gdt_page, %ebx)
14221 +#ifdef CONFIG_SMP
14222 + movl PER_CPU_VAR(cpu_number), %ebx
14223 + shll $PAGE_SHIFT_asm, %ebx
14224 + addl $cpu_gdt_table, %ebx
14225 +#else
14226 + movl $cpu_gdt_table, %ebx
14227 +#endif
14228 mov GDT_ENTRY_ESPFIX_SS * 8 + 4(%ebx), %al /* bits 16..23 */
14229 mov GDT_ENTRY_ESPFIX_SS * 8 + 7(%ebx), %ah /* bits 24..31 */
14230 shl $16, %eax
14231 @@ -793,7 +1037,7 @@ vector=vector+1
14232 .endr
14233 2: jmp common_interrupt
14234 .endr
14235 -END(irq_entries_start)
14236 +ENDPROC(irq_entries_start)
14237
14238 .previous
14239 END(interrupt)
14240 @@ -840,7 +1084,7 @@ ENTRY(coprocessor_error)
14241 CFI_ADJUST_CFA_OFFSET 4
14242 jmp error_code
14243 CFI_ENDPROC
14244 -END(coprocessor_error)
14245 +ENDPROC(coprocessor_error)
14246
14247 ENTRY(simd_coprocessor_error)
14248 RING0_INT_FRAME
14249 @@ -850,7 +1094,7 @@ ENTRY(simd_coprocessor_error)
14250 CFI_ADJUST_CFA_OFFSET 4
14251 jmp error_code
14252 CFI_ENDPROC
14253 -END(simd_coprocessor_error)
14254 +ENDPROC(simd_coprocessor_error)
14255
14256 ENTRY(device_not_available)
14257 RING0_INT_FRAME
14258 @@ -860,7 +1104,7 @@ ENTRY(device_not_available)
14259 CFI_ADJUST_CFA_OFFSET 4
14260 jmp error_code
14261 CFI_ENDPROC
14262 -END(device_not_available)
14263 +ENDPROC(device_not_available)
14264
14265 #ifdef CONFIG_PARAVIRT
14266 ENTRY(native_iret)
14267 @@ -869,12 +1113,12 @@ ENTRY(native_iret)
14268 .align 4
14269 .long native_iret, iret_exc
14270 .previous
14271 -END(native_iret)
14272 +ENDPROC(native_iret)
14273
14274 ENTRY(native_irq_enable_sysexit)
14275 sti
14276 sysexit
14277 -END(native_irq_enable_sysexit)
14278 +ENDPROC(native_irq_enable_sysexit)
14279 #endif
14280
14281 ENTRY(overflow)
14282 @@ -885,7 +1129,7 @@ ENTRY(overflow)
14283 CFI_ADJUST_CFA_OFFSET 4
14284 jmp error_code
14285 CFI_ENDPROC
14286 -END(overflow)
14287 +ENDPROC(overflow)
14288
14289 ENTRY(bounds)
14290 RING0_INT_FRAME
14291 @@ -895,7 +1139,7 @@ ENTRY(bounds)
14292 CFI_ADJUST_CFA_OFFSET 4
14293 jmp error_code
14294 CFI_ENDPROC
14295 -END(bounds)
14296 +ENDPROC(bounds)
14297
14298 ENTRY(invalid_op)
14299 RING0_INT_FRAME
14300 @@ -905,7 +1149,7 @@ ENTRY(invalid_op)
14301 CFI_ADJUST_CFA_OFFSET 4
14302 jmp error_code
14303 CFI_ENDPROC
14304 -END(invalid_op)
14305 +ENDPROC(invalid_op)
14306
14307 ENTRY(coprocessor_segment_overrun)
14308 RING0_INT_FRAME
14309 @@ -915,7 +1159,7 @@ ENTRY(coprocessor_segment_overrun)
14310 CFI_ADJUST_CFA_OFFSET 4
14311 jmp error_code
14312 CFI_ENDPROC
14313 -END(coprocessor_segment_overrun)
14314 +ENDPROC(coprocessor_segment_overrun)
14315
14316 ENTRY(invalid_TSS)
14317 RING0_EC_FRAME
14318 @@ -923,7 +1167,7 @@ ENTRY(invalid_TSS)
14319 CFI_ADJUST_CFA_OFFSET 4
14320 jmp error_code
14321 CFI_ENDPROC
14322 -END(invalid_TSS)
14323 +ENDPROC(invalid_TSS)
14324
14325 ENTRY(segment_not_present)
14326 RING0_EC_FRAME
14327 @@ -931,7 +1175,7 @@ ENTRY(segment_not_present)
14328 CFI_ADJUST_CFA_OFFSET 4
14329 jmp error_code
14330 CFI_ENDPROC
14331 -END(segment_not_present)
14332 +ENDPROC(segment_not_present)
14333
14334 ENTRY(stack_segment)
14335 RING0_EC_FRAME
14336 @@ -939,7 +1183,7 @@ ENTRY(stack_segment)
14337 CFI_ADJUST_CFA_OFFSET 4
14338 jmp error_code
14339 CFI_ENDPROC
14340 -END(stack_segment)
14341 +ENDPROC(stack_segment)
14342
14343 ENTRY(alignment_check)
14344 RING0_EC_FRAME
14345 @@ -947,7 +1191,7 @@ ENTRY(alignment_check)
14346 CFI_ADJUST_CFA_OFFSET 4
14347 jmp error_code
14348 CFI_ENDPROC
14349 -END(alignment_check)
14350 +ENDPROC(alignment_check)
14351
14352 ENTRY(divide_error)
14353 RING0_INT_FRAME
14354 @@ -957,7 +1201,7 @@ ENTRY(divide_error)
14355 CFI_ADJUST_CFA_OFFSET 4
14356 jmp error_code
14357 CFI_ENDPROC
14358 -END(divide_error)
14359 +ENDPROC(divide_error)
14360
14361 #ifdef CONFIG_X86_MCE
14362 ENTRY(machine_check)
14363 @@ -968,7 +1212,7 @@ ENTRY(machine_check)
14364 CFI_ADJUST_CFA_OFFSET 4
14365 jmp error_code
14366 CFI_ENDPROC
14367 -END(machine_check)
14368 +ENDPROC(machine_check)
14369 #endif
14370
14371 ENTRY(spurious_interrupt_bug)
14372 @@ -979,7 +1223,7 @@ ENTRY(spurious_interrupt_bug)
14373 CFI_ADJUST_CFA_OFFSET 4
14374 jmp error_code
14375 CFI_ENDPROC
14376 -END(spurious_interrupt_bug)
14377 +ENDPROC(spurious_interrupt_bug)
14378
14379 ENTRY(kernel_thread_helper)
14380 pushl $0 # fake return address for unwinder
14381 @@ -1095,7 +1339,7 @@ ENDPROC(xen_failsafe_callback)
14382
14383 ENTRY(mcount)
14384 ret
14385 -END(mcount)
14386 +ENDPROC(mcount)
14387
14388 ENTRY(ftrace_caller)
14389 cmpl $0, function_trace_stop
14390 @@ -1124,7 +1368,7 @@ ftrace_graph_call:
14391 .globl ftrace_stub
14392 ftrace_stub:
14393 ret
14394 -END(ftrace_caller)
14395 +ENDPROC(ftrace_caller)
14396
14397 #else /* ! CONFIG_DYNAMIC_FTRACE */
14398
14399 @@ -1160,7 +1404,7 @@ trace:
14400 popl %ecx
14401 popl %eax
14402 jmp ftrace_stub
14403 -END(mcount)
14404 +ENDPROC(mcount)
14405 #endif /* CONFIG_DYNAMIC_FTRACE */
14406 #endif /* CONFIG_FUNCTION_TRACER */
14407
14408 @@ -1181,7 +1425,7 @@ ENTRY(ftrace_graph_caller)
14409 popl %ecx
14410 popl %eax
14411 ret
14412 -END(ftrace_graph_caller)
14413 +ENDPROC(ftrace_graph_caller)
14414
14415 .globl return_to_handler
14416 return_to_handler:
14417 @@ -1198,7 +1442,6 @@ return_to_handler:
14418 ret
14419 #endif
14420
14421 -.section .rodata,"a"
14422 #include "syscall_table_32.S"
14423
14424 syscall_table_size=(.-sys_call_table)
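Review bot: Dropping `.section .rodata,"a"` before `#include "syscall_table_32.S"` means the section that `sys_call_table` is emitted into is no longer decided at this line. Presumably the included file now sets its own section, but that change is not part of this hunk; if it does not, the table would be assembled into whatever section is current here. A comment at the include naming the section the table is expected to land in would make the dependency visible.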
14425 @@ -1255,15 +1498,18 @@ error_code:
14426 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
14427 REG_TO_PTGS %ecx
14428 SET_KERNEL_GS %ecx
14429 - movl $(__USER_DS), %ecx
14430 + movl $(__KERNEL_DS), %ecx
14431 movl %ecx, %ds
14432 movl %ecx, %es
14433 +
14434 + pax_enter_kernel
14435 +
14436 TRACE_IRQS_OFF
14437 movl %esp,%eax # pt_regs pointer
14438 call *%edi
14439 jmp ret_from_exception
14440 CFI_ENDPROC
14441 -END(page_fault)
14442 +ENDPROC(page_fault)
14443
14444 /*
14445 * Debug traps and NMI can happen at the one SYSENTER instruction
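Review bot: The new `pax_enter_kernel` call in `error_code` sits between register setup that begins above this hunk and `call *%edi`, but `pax_enter_kernel` as defined earlier in this patch uses `%esi` as scratch and, under `CONFIG_PARAVIRT`, saves only `%eax` and `%ecx` around the indirect `pv_cpu_ops` calls. Anything the earlier setup leaves in `%edx` or `%esi` for the handler therefore survives only if the paravirt callee happens not to touch it. I would either save `%edx` inside `pax_enter_kernel` or put a register contract on it, for example `/* clobbers: esi; PARAVIRT callee may clobber edx */`, in the same style as the comment already on `pax_erase_kstack`.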
14446 @@ -1309,7 +1555,7 @@ debug_stack_correct:
14447 call do_debug
14448 jmp ret_from_exception
14449 CFI_ENDPROC
14450 -END(debug)
14451 +ENDPROC(debug)
14452
14453 /*
14454 * NMI is doubly nasty. It can happen _while_ we're handling
14455 @@ -1351,6 +1597,9 @@ nmi_stack_correct:
14456 xorl %edx,%edx # zero error code
14457 movl %esp,%eax # pt_regs pointer
14458 call do_nmi
14459 +
14460 + pax_exit_kernel
14461 +
14462 jmp restore_all_notrace
14463 CFI_ENDPROC
14464
14465 @@ -1391,12 +1640,15 @@ nmi_espfix_stack:
14466 FIXUP_ESPFIX_STACK # %eax == %esp
14467 xorl %edx,%edx # zero error code
14468 call do_nmi
14469 +
14470 + pax_exit_kernel
14471 +
14472 RESTORE_REGS
14473 lss 12+4(%esp), %esp # back to espfix stack
14474 CFI_ADJUST_CFA_OFFSET -24
14475 jmp irq_return
14476 CFI_ENDPROC
14477 -END(nmi)
14478 +ENDPROC(nmi)
14479
14480 ENTRY(int3)
14481 RING0_INT_FRAME
14482 @@ -1409,7 +1661,7 @@ ENTRY(int3)
14483 call do_int3
14484 jmp ret_from_exception
14485 CFI_ENDPROC
14486 -END(int3)
14487 +ENDPROC(int3)
14488
14489 ENTRY(general_protection)
14490 RING0_EC_FRAME
14491 @@ -1417,7 +1669,7 @@ ENTRY(general_protection)
14492 CFI_ADJUST_CFA_OFFSET 4
14493 jmp error_code
14494 CFI_ENDPROC
14495 -END(general_protection)
14496 +ENDPROC(general_protection)
14497
14498 /*
14499 * End of kprobes section
14500 diff -urNp linux-2.6.32.49/arch/x86/kernel/entry_64.S linux-2.6.32.49/arch/x86/kernel/entry_64.S
14501 --- linux-2.6.32.49/arch/x86/kernel/entry_64.S 2011-11-08 19:02:43.000000000 -0500
14502 +++ linux-2.6.32.49/arch/x86/kernel/entry_64.S 2011-11-18 18:01:52.000000000 -0500
14503 @@ -53,6 +53,8 @@
14504 #include <asm/paravirt.h>
14505 #include <asm/ftrace.h>
14506 #include <asm/percpu.h>
14507 +#include <asm/pgtable.h>
14508 +#include <asm/alternative-asm.h>
14509
14510 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
14511 #include <linux/elf-em.h>
14512 @@ -64,8 +66,9 @@
14513 #ifdef CONFIG_FUNCTION_TRACER
14514 #ifdef CONFIG_DYNAMIC_FTRACE
14515 ENTRY(mcount)
14516 + pax_force_retaddr
14517 retq
14518 -END(mcount)
14519 +ENDPROC(mcount)
14520
14521 ENTRY(ftrace_caller)
14522 cmpl $0, function_trace_stop
14523 @@ -88,8 +91,9 @@ GLOBAL(ftrace_graph_call)
14524 #endif
14525
14526 GLOBAL(ftrace_stub)
14527 + pax_force_retaddr
14528 retq
14529 -END(ftrace_caller)
14530 +ENDPROC(ftrace_caller)
14531
14532 #else /* ! CONFIG_DYNAMIC_FTRACE */
14533 ENTRY(mcount)
14534 @@ -108,6 +112,7 @@ ENTRY(mcount)
14535 #endif
14536
14537 GLOBAL(ftrace_stub)
14538 + pax_force_retaddr
14539 retq
14540
14541 trace:
14542 @@ -117,12 +122,13 @@ trace:
14543 movq 8(%rbp), %rsi
14544 subq $MCOUNT_INSN_SIZE, %rdi
14545
14546 + pax_force_fptr ftrace_trace_function
14547 call *ftrace_trace_function
14548
14549 MCOUNT_RESTORE_FRAME
14550
14551 jmp ftrace_stub
14552 -END(mcount)
14553 +ENDPROC(mcount)
14554 #endif /* CONFIG_DYNAMIC_FTRACE */
14555 #endif /* CONFIG_FUNCTION_TRACER */
14556
14557 @@ -142,8 +148,9 @@ ENTRY(ftrace_graph_caller)
14558
14559 MCOUNT_RESTORE_FRAME
14560
14561 + pax_force_retaddr
14562 retq
14563 -END(ftrace_graph_caller)
14564 +ENDPROC(ftrace_graph_caller)
14565
14566 GLOBAL(return_to_handler)
14567 subq $24, %rsp
14568 @@ -159,6 +166,7 @@ GLOBAL(return_to_handler)
14569 movq 8(%rsp), %rdx
14570 movq (%rsp), %rax
14571 addq $16, %rsp
14572 + pax_force_retaddr
14573 retq
14574 #endif
14575
14576 @@ -174,6 +182,269 @@ ENTRY(native_usergs_sysret64)
14577 ENDPROC(native_usergs_sysret64)
14578 #endif /* CONFIG_PARAVIRT */
14579
14580 + .macro ljmpq sel, off
14581 +#if defined(CONFIG_MPSC) || defined(CONFIG_MCORE2) || defined (CONFIG_MATOM)
14582 + .byte 0x48; ljmp *1234f(%rip)
14583 + .pushsection .rodata
14584 + .align 16
14585 + 1234: .quad \off; .word \sel
14586 + .popsection
14587 +#else
14588 + pushq $\sel
14589 + pushq $\off
14590 + lretq
14591 +#endif
14592 + .endm
14593 +
14594 + .macro pax_enter_kernel
14595 +#ifdef CONFIG_PAX_KERNEXEC
14596 + call pax_enter_kernel
14597 +#endif
14598 + .endm
14599 +
14600 + .macro pax_exit_kernel
14601 +#ifdef CONFIG_PAX_KERNEXEC
14602 + call pax_exit_kernel
14603 +#endif
14604 + .endm
14605 +
14606 +#ifdef CONFIG_PAX_KERNEXEC
14607 +ENTRY(pax_enter_kernel)
14608 + pushq %rdi
14609 +
14610 +#ifdef CONFIG_PARAVIRT
14611 + PV_SAVE_REGS(CLBR_RDI)
14612 +#endif
14613 +
14614 + GET_CR0_INTO_RDI
14615 + bts $16,%rdi
14616 + jnc 1f
14617 + mov %cs,%edi
14618 + cmp $__KERNEL_CS,%edi
14619 + jz 3f
14620 + ljmpq __KERNEL_CS,3f
14621 +1: ljmpq __KERNEXEC_KERNEL_CS,2f
14622 +2: SET_RDI_INTO_CR0
14623 +3:
14624 +
14625 +#ifdef CONFIG_PARAVIRT
14626 + PV_RESTORE_REGS(CLBR_RDI)
14627 +#endif
14628 +
14629 + popq %rdi
14630 + pax_force_retaddr
14631 + retq
14632 +ENDPROC(pax_enter_kernel)
14633 +
14634 +ENTRY(pax_exit_kernel)
14635 + pushq %rdi
14636 +
14637 +#ifdef CONFIG_PARAVIRT
14638 + PV_SAVE_REGS(CLBR_RDI)
14639 +#endif
14640 +
14641 + mov %cs,%rdi
14642 + cmp $__KERNEXEC_KERNEL_CS,%edi
14643 + jnz 2f
14644 + GET_CR0_INTO_RDI
14645 + btr $16,%rdi
14646 + ljmpq __KERNEL_CS,1f
14647 +1: SET_RDI_INTO_CR0
14648 +2:
14649 +
14650 +#ifdef CONFIG_PARAVIRT
14651 + PV_RESTORE_REGS(CLBR_RDI);
14652 +#endif
14653 +
14654 + popq %rdi
14655 + pax_force_retaddr
14656 + retq
14657 +ENDPROC(pax_exit_kernel)
14658 +#endif
14659 +
14660 + .macro pax_enter_kernel_user
14661 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14662 + call pax_enter_kernel_user
14663 +#endif
14664 + .endm
14665 +
14666 + .macro pax_exit_kernel_user
14667 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14668 + call pax_exit_kernel_user
14669 +#endif
14670 +#ifdef CONFIG_PAX_RANDKSTACK
14671 + push %rax
14672 + call pax_randomize_kstack
14673 + pop %rax
14674 +#endif
14675 + .endm
14676 +
14677 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14678 +ENTRY(pax_enter_kernel_user)
14679 + pushq %rdi
14680 + pushq %rbx
14681 +
14682 +#ifdef CONFIG_PARAVIRT
14683 + PV_SAVE_REGS(CLBR_RDI)
14684 +#endif
14685 +
14686 + GET_CR3_INTO_RDI
14687 + mov %rdi,%rbx
14688 + add $__START_KERNEL_map,%rbx
14689 + sub phys_base(%rip),%rbx
14690 +
14691 +#ifdef CONFIG_PARAVIRT
14692 + pushq %rdi
14693 + cmpl $0, pv_info+PARAVIRT_enabled
14694 + jz 1f
14695 + i = 0
14696 + .rept USER_PGD_PTRS
14697 + mov i*8(%rbx),%rsi
14698 + mov $0,%sil
14699 + lea i*8(%rbx),%rdi
14700 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched)
14701 + i = i + 1
14702 + .endr
14703 + jmp 2f
14704 +1:
14705 +#endif
14706 +
14707 + i = 0
14708 + .rept USER_PGD_PTRS
14709 + movb $0,i*8(%rbx)
14710 + i = i + 1
14711 + .endr
14712 +
14713 +#ifdef CONFIG_PARAVIRT
14714 +2: popq %rdi
14715 +#endif
14716 + SET_RDI_INTO_CR3
14717 +
14718 +#ifdef CONFIG_PAX_KERNEXEC
14719 + GET_CR0_INTO_RDI
14720 + bts $16,%rdi
14721 + SET_RDI_INTO_CR0
14722 +#endif
14723 +
14724 +#ifdef CONFIG_PARAVIRT
14725 + PV_RESTORE_REGS(CLBR_RDI)
14726 +#endif
14727 +
14728 + popq %rbx
14729 + popq %rdi
14730 + pax_force_retaddr
14731 + retq
14732 +ENDPROC(pax_enter_kernel_user)
14733 +
14734 +ENTRY(pax_exit_kernel_user)
14735 + push %rdi
14736 +
14737 +#ifdef CONFIG_PARAVIRT
14738 + pushq %rbx
14739 + PV_SAVE_REGS(CLBR_RDI)
14740 +#endif
14741 +
14742 +#ifdef CONFIG_PAX_KERNEXEC
14743 + GET_CR0_INTO_RDI
14744 + btr $16,%rdi
14745 + SET_RDI_INTO_CR0
14746 +#endif
14747 +
14748 + GET_CR3_INTO_RDI
14749 + add $__START_KERNEL_map,%rdi
14750 + sub phys_base(%rip),%rdi
14751 +
14752 +#ifdef CONFIG_PARAVIRT
14753 + cmpl $0, pv_info+PARAVIRT_enabled
14754 + jz 1f
14755 + mov %rdi,%rbx
14756 + i = 0
14757 + .rept USER_PGD_PTRS
14758 + mov i*8(%rbx),%rsi
14759 + mov $0x67,%sil
14760 + lea i*8(%rbx),%rdi
14761 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched)
14762 + i = i + 1
14763 + .endr
14764 + jmp 2f
14765 +1:
14766 +#endif
14767 +
14768 + i = 0
14769 + .rept USER_PGD_PTRS
14770 + movb $0x67,i*8(%rdi)
14771 + i = i + 1
14772 + .endr
14773 +
14774 +#ifdef CONFIG_PARAVIRT
14775 +2: PV_RESTORE_REGS(CLBR_RDI)
14776 + popq %rbx
14777 +#endif
14778 +
14779 + popq %rdi
14780 + pax_force_retaddr
14781 + retq
14782 +ENDPROC(pax_exit_kernel_user)
14783 +#endif
14784 +
14785 +.macro pax_erase_kstack
14786 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
14787 + call pax_erase_kstack
14788 +#endif
14789 +.endm
14790 +
14791 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
14792 +/*
14793 + * r10: thread_info
14794 + * rcx, rdx: can be clobbered
14795 + */
14796 +ENTRY(pax_erase_kstack)
14797 + pushq %rdi
14798 + pushq %rax
14799 + pushq %r10
14800 +
14801 + GET_THREAD_INFO(%r10)
14802 + mov TI_lowest_stack(%r10), %rdi
14803 + mov $-0xBEEF, %rax
14804 + std
14805 +
14806 +1: mov %edi, %ecx
14807 + and $THREAD_SIZE_asm - 1, %ecx
14808 + shr $3, %ecx
14809 + repne scasq
14810 + jecxz 2f
14811 +
14812 + cmp $2*8, %ecx
14813 + jc 2f
14814 +
14815 + mov $2*8, %ecx
14816 + repe scasq
14817 + jecxz 2f
14818 + jne 1b
14819 +
14820 +2: cld
14821 + mov %esp, %ecx
14822 + sub %edi, %ecx
14823 +
14824 + cmp $THREAD_SIZE_asm, %rcx
14825 + jb 3f
14826 + ud2
14827 +3:
14828 +
14829 + shr $3, %ecx
14830 + rep stosq
14831 +
14832 + mov TI_task_thread_sp0(%r10), %rdi
14833 + sub $256, %rdi
14834 + mov %rdi, TI_lowest_stack(%r10)
14835 +
14836 + popq %r10
14837 + popq %rax
14838 + popq %rdi
14839 + pax_force_retaddr
14840 + ret
14841 +ENDPROC(pax_erase_kstack)
14842 +#endif
14843
14844 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET
14845 #ifdef CONFIG_TRACE_IRQFLAGS
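Review bot: The header comment on the 64-bit `pax_erase_kstack` says "r10: thread_info", but the body saves `%r10` and loads it itself with `GET_THREAD_INFO(%r10)`, so `%r10` is not an input here as `%ebp` is in the 32-bit version. The comment looks carried over and should say that there are no register inputs and which registers are clobbered; as far as the visible body shows, that is `%rcx`, with `%rdi`, `%rax` and `%r10` restored. In the same hunk, the bytes `$0` and `$0x67` written to the low byte of each user PGD entry in `pax_enter_kernel_user` and `pax_exit_kernel_user` have no comment or named constant, and a one-line note on which page-table flag bits `0x67` sets would help. The function also ends in `ret` where the neighbouring routines use `retq`.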
14846 @@ -317,7 +588,7 @@ ENTRY(save_args)
14847 leaq -ARGOFFSET+16(%rsp),%rdi /* arg1 for handler */
14848 movq_cfi rbp, 8 /* push %rbp */
14849 leaq 8(%rsp), %rbp /* mov %rsp, %ebp */
14850 - testl $3, CS(%rdi)
14851 + testb $3, CS(%rdi)
14852 je 1f
14853 SWAPGS
14854 /*
14855 @@ -337,9 +608,10 @@ ENTRY(save_args)
14856 * We entered an interrupt context - irqs are off:
14857 */
14858 2: TRACE_IRQS_OFF
14859 + pax_force_retaddr
14860 ret
14861 CFI_ENDPROC
14862 -END(save_args)
14863 +ENDPROC(save_args)
14864
14865 ENTRY(save_rest)
14866 PARTIAL_FRAME 1 REST_SKIP+8
14867 @@ -352,9 +624,10 @@ ENTRY(save_rest)
14868 movq_cfi r15, R15+16
14869 movq %r11, 8(%rsp) /* return address */
14870 FIXUP_TOP_OF_STACK %r11, 16
14871 + pax_force_retaddr
14872 ret
14873 CFI_ENDPROC
14874 -END(save_rest)
14875 +ENDPROC(save_rest)
14876
14877 /* save complete stack frame */
14878 .pushsection .kprobes.text, "ax"
14879 @@ -383,9 +656,10 @@ ENTRY(save_paranoid)
14880 js 1f /* negative -> in kernel */
14881 SWAPGS
14882 xorl %ebx,%ebx
14883 -1: ret
14884 +1: pax_force_retaddr
14885 + ret
14886 CFI_ENDPROC
14887 -END(save_paranoid)
14888 +ENDPROC(save_paranoid)
14889 .popsection
14890
14891 /*
14892 @@ -409,7 +683,7 @@ ENTRY(ret_from_fork)
14893
14894 RESTORE_REST
14895
14896 - testl $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
14897 + testb $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
14898 je int_ret_from_sys_call
14899
14900 testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
14901 @@ -419,7 +693,7 @@ ENTRY(ret_from_fork)
14902 jmp ret_from_sys_call # go to the SYSRET fastpath
14903
14904 CFI_ENDPROC
14905 -END(ret_from_fork)
14906 +ENDPROC(ret_from_fork)
14907
14908 /*
14909 * System call entry. Upto 6 arguments in registers are supported.
14910 @@ -455,7 +729,7 @@ END(ret_from_fork)
14911 ENTRY(system_call)
14912 CFI_STARTPROC simple
14913 CFI_SIGNAL_FRAME
14914 - CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET
14915 + CFI_DEF_CFA rsp,0
14916 CFI_REGISTER rip,rcx
14917 /*CFI_REGISTER rflags,r11*/
14918 SWAPGS_UNSAFE_STACK
14919 @@ -468,12 +742,13 @@ ENTRY(system_call_after_swapgs)
14920
14921 movq %rsp,PER_CPU_VAR(old_rsp)
14922 movq PER_CPU_VAR(kernel_stack),%rsp
14923 + pax_enter_kernel_user
14924 /*
14925 * No need to follow this irqs off/on section - it's straight
14926 * and short:
14927 */
14928 ENABLE_INTERRUPTS(CLBR_NONE)
14929 - SAVE_ARGS 8,1
14930 + SAVE_ARGS 8*6,1
14931 movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
14932 movq %rcx,RIP-ARGOFFSET(%rsp)
14933 CFI_REL_OFFSET rip,RIP-ARGOFFSET
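Review bot: The retained comment "No need to follow this irqs off/on section - it's straight and short" now follows the new `pax_enter_kernel_user` call, which under `CONFIG_PAX_MEMORY_UDEREF` expands to a routine that writes `USER_PGD_PTRS` page-table entries and then runs `SET_RDI_INTO_CR3` (defined earlier in this patch). "Short" no longer describes the interrupts-off window, so I would reword it, for example `/* irqs stay off across pax_enter_kernel_user; this section is not irq-traced */`. The literal `8*6` passed to `SAVE_ARGS` also replaces `8` without a comment saying what the six slots correspond to.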
14934 @@ -502,6 +777,8 @@ sysret_check:
14935 andl %edi,%edx
14936 jnz sysret_careful
14937 CFI_REMEMBER_STATE
14938 + pax_exit_kernel_user
14939 + pax_erase_kstack
14940 /*
14941 * sysretq will re-enable interrupts:
14942 */
14943 @@ -562,6 +839,9 @@ auditsys:
14944 movq %rax,%rsi /* 2nd arg: syscall number */
14945 movl $AUDIT_ARCH_X86_64,%edi /* 1st arg: audit arch */
14946 call audit_syscall_entry
14947 +
14948 + pax_erase_kstack
14949 +
14950 LOAD_ARGS 0 /* reload call-clobbered registers */
14951 jmp system_call_fastpath
14952
14953 @@ -592,6 +872,9 @@ tracesys:
14954 FIXUP_TOP_OF_STACK %rdi
14955 movq %rsp,%rdi
14956 call syscall_trace_enter
14957 +
14958 + pax_erase_kstack
14959 +
14960 /*
14961 * Reload arg registers from stack in case ptrace changed them.
14962 * We don't reload %rax because syscall_trace_enter() returned
14963 @@ -613,7 +896,7 @@ tracesys:
14964 GLOBAL(int_ret_from_sys_call)
14965 DISABLE_INTERRUPTS(CLBR_NONE)
14966 TRACE_IRQS_OFF
14967 - testl $3,CS-ARGOFFSET(%rsp)
14968 + testb $3,CS-ARGOFFSET(%rsp)
14969 je retint_restore_args
14970 movl $_TIF_ALLWORK_MASK,%edi
14971 /* edi: mask to check */
14972 @@ -674,7 +957,7 @@ int_restore_rest:
14973 TRACE_IRQS_OFF
14974 jmp int_with_check
14975 CFI_ENDPROC
14976 -END(system_call)
14977 +ENDPROC(system_call)
14978
14979 /*
14980 * Certain special system calls that need to save a complete full stack frame.
14981 @@ -690,7 +973,7 @@ ENTRY(\label)
14982 call \func
14983 jmp ptregscall_common
14984 CFI_ENDPROC
14985 -END(\label)
14986 +ENDPROC(\label)
14987 .endm
14988
14989 PTREGSCALL stub_clone, sys_clone, %r8
14990 @@ -708,9 +991,10 @@ ENTRY(ptregscall_common)
14991 movq_cfi_restore R12+8, r12
14992 movq_cfi_restore RBP+8, rbp
14993 movq_cfi_restore RBX+8, rbx
14994 + pax_force_retaddr
14995 ret $REST_SKIP /* pop extended registers */
14996 CFI_ENDPROC
14997 -END(ptregscall_common)
14998 +ENDPROC(ptregscall_common)
14999
15000 ENTRY(stub_execve)
15001 CFI_STARTPROC
15002 @@ -726,7 +1010,7 @@ ENTRY(stub_execve)
15003 RESTORE_REST
15004 jmp int_ret_from_sys_call
15005 CFI_ENDPROC
15006 -END(stub_execve)
15007 +ENDPROC(stub_execve)
15008
15009 /*
15010 * sigreturn is special because it needs to restore all registers on return.
15011 @@ -744,7 +1028,7 @@ ENTRY(stub_rt_sigreturn)
15012 RESTORE_REST
15013 jmp int_ret_from_sys_call
15014 CFI_ENDPROC
15015 -END(stub_rt_sigreturn)
15016 +ENDPROC(stub_rt_sigreturn)
15017
15018 /*
15019 * Build the entry stubs and pointer table with some assembler magic.
15020 @@ -780,7 +1064,7 @@ vector=vector+1
15021 2: jmp common_interrupt
15022 .endr
15023 CFI_ENDPROC
15024 -END(irq_entries_start)
15025 +ENDPROC(irq_entries_start)
15026
15027 .previous
15028 END(interrupt)
15029 @@ -800,6 +1084,16 @@ END(interrupt)
15030 CFI_ADJUST_CFA_OFFSET 10*8
15031 call save_args
15032 PARTIAL_FRAME 0
15033 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15034 + testb $3, CS(%rdi)
15035 + jnz 1f
15036 + pax_enter_kernel
15037 + jmp 2f
15038 +1: pax_enter_kernel_user
15039 +2:
15040 +#else
15041 + pax_enter_kernel
15042 +#endif
15043 call \func
15044 .endm
15045
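Review bot: The `#ifdef CONFIG_PAX_MEMORY_UDEREF` sequence added before `call \func` here (`testb $3, CS(...)`, `jnz 1f`, `pax_enter_kernel`, `jmp 2f`, `1: pax_enter_kernel_user`, `2:`, with a bare `pax_enter_kernel` in the `#else`) is repeated line for line in the hunks at `@@ -1032,12` and `@@ -1049,12` below, there with `CS(%rsp)`, and begins again in `paranoidzeroentry_ist`. Folding it into one assembler macro that takes the CS operand as its argument would leave a single place to keep the privilege-level test correct. Each call site would then be one line, and a later change to the entry sequence could not miss one of the copies.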
15046 @@ -822,7 +1116,7 @@ ret_from_intr:
15047 CFI_ADJUST_CFA_OFFSET -8
15048 exit_intr:
15049 GET_THREAD_INFO(%rcx)
15050 - testl $3,CS-ARGOFFSET(%rsp)
15051 + testb $3,CS-ARGOFFSET(%rsp)
15052 je retint_kernel
15053
15054 /* Interrupt came from user space */
15055 @@ -844,12 +1138,16 @@ retint_swapgs: /* return to user-space
15056 * The iretq could re-enable interrupts:
15057 */
15058 DISABLE_INTERRUPTS(CLBR_ANY)
15059 + pax_exit_kernel_user
15060 + pax_erase_kstack
15061 TRACE_IRQS_IRETQ
15062 SWAPGS
15063 jmp restore_args
15064
15065 retint_restore_args: /* return to kernel space */
15066 DISABLE_INTERRUPTS(CLBR_ANY)
15067 + pax_exit_kernel
15068 + pax_force_retaddr RIP-ARGOFFSET
15069 /*
15070 * The iretq could re-enable interrupts:
15071 */
15072 @@ -940,7 +1238,7 @@ ENTRY(retint_kernel)
15073 #endif
15074
15075 CFI_ENDPROC
15076 -END(common_interrupt)
15077 +ENDPROC(common_interrupt)
15078
15079 /*
15080 * APIC interrupts.
15081 @@ -953,7 +1251,7 @@ ENTRY(\sym)
15082 interrupt \do_sym
15083 jmp ret_from_intr
15084 CFI_ENDPROC
15085 -END(\sym)
15086 +ENDPROC(\sym)
15087 .endm
15088
15089 #ifdef CONFIG_SMP
15090 @@ -1032,12 +1330,22 @@ ENTRY(\sym)
15091 CFI_ADJUST_CFA_OFFSET 15*8
15092 call error_entry
15093 DEFAULT_FRAME 0
15094 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15095 + testb $3, CS(%rsp)
15096 + jnz 1f
15097 + pax_enter_kernel
15098 + jmp 2f
15099 +1: pax_enter_kernel_user
15100 +2:
15101 +#else
15102 + pax_enter_kernel
15103 +#endif
15104 movq %rsp,%rdi /* pt_regs pointer */
15105 xorl %esi,%esi /* no error code */
15106 call \do_sym
15107 jmp error_exit /* %ebx: no swapgs flag */
15108 CFI_ENDPROC
15109 -END(\sym)
15110 +ENDPROC(\sym)
15111 .endm
15112
15113 .macro paranoidzeroentry sym do_sym
15114 @@ -1049,12 +1357,22 @@ ENTRY(\sym)
15115 subq $15*8, %rsp
15116 call save_paranoid
15117 TRACE_IRQS_OFF
15118 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15119 + testb $3, CS(%rsp)
15120 + jnz 1f
15121 + pax_enter_kernel
15122 + jmp 2f
15123 +1: pax_enter_kernel_user
15124 +2:
15125 +#else
15126 + pax_enter_kernel
15127 +#endif
15128 movq %rsp,%rdi /* pt_regs pointer */
15129 xorl %esi,%esi /* no error code */
15130 call \do_sym
15131 jmp paranoid_exit /* %ebx: no swapgs flag */
15132 CFI_ENDPROC
15133 -END(\sym)
15134 +ENDPROC(\sym)
15135 .endm
15136
15137 .macro paranoidzeroentry_ist sym do_sym ist
15138 @@ -1066,15 +1384,30 @@ ENTRY(\sym)
15139 subq $15*8, %rsp
15140 call save_paranoid
15141 TRACE_IRQS_OFF
15142 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15143 + testb $3, CS(%rsp)
15144 + jnz 1f
15145 + pax_enter_kernel
15146 + jmp 2f
15147 +1: pax_enter_kernel_user
15148 +2:
15149 +#else
15150 + pax_enter_kernel
15151 +#endif
15152 movq %rsp,%rdi /* pt_regs pointer */
15153 xorl %esi,%esi /* no error code */
15154 - PER_CPU(init_tss, %rbp)
15155 +#ifdef CONFIG_SMP
15156 + imul $TSS_size, PER_CPU_VAR(cpu_number), %ebp
15157 + lea init_tss(%rbp), %rbp
15158 +#else
15159 + lea init_tss(%rip), %rbp
15160 +#endif
15161 subq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%rbp)
15162 call \do_sym
15163 addq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%rbp)
15164 jmp paranoid_exit /* %ebx: no swapgs flag */
15165 CFI_ENDPROC
15166 -END(\sym)
15167 +ENDPROC(\sym)
15168 .endm
15169
15170 .macro errorentry sym do_sym
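Review bot: The replacement for `PER_CPU(init_tss, %rbp)` hand-computes the TSS address with `imul $TSS_size, PER_CPU_VAR(cpu_number), %ebp` followed by `lea init_tss(%rbp), %rbp`. That is only correct if `init_tss` is laid out as a flat array indexed by CPU number with stride `TSS_size`, and neither the layout nor the definition of `TSS_size` is visible in this hunk. A comment above the `#ifdef CONFIG_SMP` would make the dependency explicit, for example `/* init_tss is a NR_CPUS array here, not a per-cpu variable: index it by cpu_number */`. It should also note that the 32-bit `imul` result is relied on to zero-extend into `%rbp`.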
15171 @@ -1085,13 +1418,23 @@ ENTRY(\sym)
15172 CFI_ADJUST_CFA_OFFSET 15*8
15173 call error_entry
15174 DEFAULT_FRAME 0
15175 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15176 + testb $3, CS(%rsp)
15177 + jnz 1f
15178 + pax_enter_kernel
15179 + jmp 2f
15180 +1: pax_enter_kernel_user
15181 +2:
15182 +#else
15183 + pax_enter_kernel
15184 +#endif
15185 movq %rsp,%rdi /* pt_regs pointer */
15186 movq ORIG_RAX(%rsp),%rsi /* get error code */
15187 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
15188 call \do_sym
15189 jmp error_exit /* %ebx: no swapgs flag */
15190 CFI_ENDPROC
15191 -END(\sym)
15192 +ENDPROC(\sym)
15193 .endm
15194
15195 /* error code is on the stack already */
15196 @@ -1104,13 +1447,23 @@ ENTRY(\sym)
15197 call save_paranoid
15198 DEFAULT_FRAME 0
15199 TRACE_IRQS_OFF
15200 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15201 + testb $3, CS(%rsp)
15202 + jnz 1f
15203 + pax_enter_kernel
15204 + jmp 2f
15205 +1: pax_enter_kernel_user
15206 +2:
15207 +#else
15208 + pax_enter_kernel
15209 +#endif
15210 movq %rsp,%rdi /* pt_regs pointer */
15211 movq ORIG_RAX(%rsp),%rsi /* get error code */
15212 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
15213 call \do_sym
15214 jmp paranoid_exit /* %ebx: no swapgs flag */
15215 CFI_ENDPROC
15216 -END(\sym)
15217 +ENDPROC(\sym)
15218 .endm
15219
15220 zeroentry divide_error do_divide_error
15221 @@ -1141,9 +1494,10 @@ gs_change:
15222 SWAPGS
15223 popf
15224 CFI_ADJUST_CFA_OFFSET -8
15225 + pax_force_retaddr
15226 ret
15227 CFI_ENDPROC
15228 -END(native_load_gs_index)
15229 +ENDPROC(native_load_gs_index)
15230
15231 .section __ex_table,"a"
15232 .align 8
15233 @@ -1195,9 +1549,10 @@ ENTRY(kernel_thread)
15234 */
15235 RESTORE_ALL
15236 UNFAKE_STACK_FRAME
15237 + pax_force_retaddr
15238 ret
15239 CFI_ENDPROC
15240 -END(kernel_thread)
15241 +ENDPROC(kernel_thread)
15242
15243 ENTRY(child_rip)
15244 pushq $0 # fake return address
15245 @@ -1208,13 +1563,14 @@ ENTRY(child_rip)
15246 */
15247 movq %rdi, %rax
15248 movq %rsi, %rdi
15249 + pax_force_fptr %rax
15250 call *%rax
15251 # exit
15252 mov %eax, %edi
15253 call do_exit
15254 ud2 # padding for call trace
15255 CFI_ENDPROC
15256 -END(child_rip)
15257 +ENDPROC(child_rip)
15258
15259 /*
15260 * execve(). This function needs to use IRET, not SYSRET, to set up all state properly.
15261 @@ -1243,9 +1599,10 @@ ENTRY(kernel_execve)
15262 je int_ret_from_sys_call
15263 RESTORE_ARGS
15264 UNFAKE_STACK_FRAME
15265 + pax_force_retaddr
15266 ret
15267 CFI_ENDPROC
15268 -END(kernel_execve)
15269 +ENDPROC(kernel_execve)
15270
15271 /* Call softirq on interrupt stack. Interrupts are off. */
15272 ENTRY(call_softirq)
15273 @@ -1263,9 +1620,10 @@ ENTRY(call_softirq)
15274 CFI_DEF_CFA_REGISTER rsp
15275 CFI_ADJUST_CFA_OFFSET -8
15276 decl PER_CPU_VAR(irq_count)
15277 + pax_force_retaddr
15278 ret
15279 CFI_ENDPROC
15280 -END(call_softirq)
15281 +ENDPROC(call_softirq)
15282
15283 #ifdef CONFIG_XEN
15284 zeroentry xen_hypervisor_callback xen_do_hypervisor_callback
15285 @@ -1303,7 +1661,7 @@ ENTRY(xen_do_hypervisor_callback) # do
15286 decl PER_CPU_VAR(irq_count)
15287 jmp error_exit
15288 CFI_ENDPROC
15289 -END(xen_do_hypervisor_callback)
15290 +ENDPROC(xen_do_hypervisor_callback)
15291
15292 /*
15293 * Hypervisor uses this for application faults while it executes.
15294 @@ -1362,7 +1720,7 @@ ENTRY(xen_failsafe_callback)
15295 SAVE_ALL
15296 jmp error_exit
15297 CFI_ENDPROC
15298 -END(xen_failsafe_callback)
15299 +ENDPROC(xen_failsafe_callback)
15300
15301 #endif /* CONFIG_XEN */
15302
15303 @@ -1405,16 +1763,31 @@ ENTRY(paranoid_exit)
15304 TRACE_IRQS_OFF
15305 testl %ebx,%ebx /* swapgs needed? */
15306 jnz paranoid_restore
15307 - testl $3,CS(%rsp)
15308 + testb $3,CS(%rsp)
15309 jnz paranoid_userspace
15310 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15311 + pax_exit_kernel
15312 + TRACE_IRQS_IRETQ 0
15313 + SWAPGS_UNSAFE_STACK
15314 + RESTORE_ALL 8
15315 + pax_force_retaddr
15316 + jmp irq_return
15317 +#endif
15318 paranoid_swapgs:
15319 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15320 + pax_exit_kernel_user
15321 +#else
15322 + pax_exit_kernel
15323 +#endif
15324 TRACE_IRQS_IRETQ 0
15325 SWAPGS_UNSAFE_STACK
15326 RESTORE_ALL 8
15327 jmp irq_return
15328 paranoid_restore:
15329 + pax_exit_kernel
15330 TRACE_IRQS_IRETQ 0
15331 RESTORE_ALL 8
15332 + pax_force_retaddr
15333 jmp irq_return
15334 paranoid_userspace:
15335 GET_THREAD_INFO(%rcx)
15336 @@ -1443,7 +1816,7 @@ paranoid_schedule:
15337 TRACE_IRQS_OFF
15338 jmp paranoid_userspace
15339 CFI_ENDPROC
15340 -END(paranoid_exit)
15341 +ENDPROC(paranoid_exit)
15342
15343 /*
15344 * Exception entry point. This expects an error code/orig_rax on the stack.
15345 @@ -1470,12 +1843,13 @@ ENTRY(error_entry)
15346 movq_cfi r14, R14+8
15347 movq_cfi r15, R15+8
15348 xorl %ebx,%ebx
15349 - testl $3,CS+8(%rsp)
15350 + testb $3,CS+8(%rsp)
15351 je error_kernelspace
15352 error_swapgs:
15353 SWAPGS
15354 error_sti:
15355 TRACE_IRQS_OFF
15356 + pax_force_retaddr
15357 ret
15358 CFI_ENDPROC
15359
15360 @@ -1497,7 +1871,7 @@ error_kernelspace:
15361 cmpq $gs_change,RIP+8(%rsp)
15362 je error_swapgs
15363 jmp error_sti
15364 -END(error_entry)
15365 +ENDPROC(error_entry)
15366
15367
15368 /* ebx: no swapgs flag (1: don't need swapgs, 0: need it) */
15369 @@ -1517,7 +1891,7 @@ ENTRY(error_exit)
15370 jnz retint_careful
15371 jmp retint_swapgs
15372 CFI_ENDPROC
15373 -END(error_exit)
15374 +ENDPROC(error_exit)
15375
15376
15377 /* runs on exception stack */
15378 @@ -1529,6 +1903,16 @@ ENTRY(nmi)
15379 CFI_ADJUST_CFA_OFFSET 15*8
15380 call save_paranoid
15381 DEFAULT_FRAME 0
15382 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15383 + testb $3, CS(%rsp)
15384 + jnz 1f
15385 + pax_enter_kernel
15386 + jmp 2f
15387 +1: pax_enter_kernel_user
15388 +2:
15389 +#else
15390 + pax_enter_kernel
15391 +#endif
15392 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
15393 movq %rsp,%rdi
15394 movq $-1,%rsi
15395 @@ -1539,12 +1923,28 @@ ENTRY(nmi)
15396 DISABLE_INTERRUPTS(CLBR_NONE)
15397 testl %ebx,%ebx /* swapgs needed? */
15398 jnz nmi_restore
15399 - testl $3,CS(%rsp)
15400 + testb $3,CS(%rsp)
15401 jnz nmi_userspace
15402 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15403 + pax_exit_kernel
15404 + SWAPGS_UNSAFE_STACK
15405 + RESTORE_ALL 8
15406 + pax_force_retaddr
15407 + jmp irq_return
15408 +#endif
15409 nmi_swapgs:
15410 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15411 + pax_exit_kernel_user
15412 +#else
15413 + pax_exit_kernel
15414 +#endif
15415 SWAPGS_UNSAFE_STACK
15416 + RESTORE_ALL 8
15417 + jmp irq_return
15418 nmi_restore:
15419 + pax_exit_kernel
15420 RESTORE_ALL 8
15421 + pax_force_retaddr
15422 jmp irq_return
15423 nmi_userspace:
15424 GET_THREAD_INFO(%rcx)
15425 @@ -1573,14 +1973,14 @@ nmi_schedule:
15426 jmp paranoid_exit
15427 CFI_ENDPROC
15428 #endif
15429 -END(nmi)
15430 +ENDPROC(nmi)
15431
15432 ENTRY(ignore_sysret)
15433 CFI_STARTPROC
15434 mov $-ENOSYS,%eax
15435 sysret
15436 CFI_ENDPROC
15437 -END(ignore_sysret)
15438 +ENDPROC(ignore_sysret)
15439
15440 /*
15441 * End of kprobes section
15442 diff -urNp linux-2.6.32.49/arch/x86/kernel/ftrace.c linux-2.6.32.49/arch/x86/kernel/ftrace.c
15443 --- linux-2.6.32.49/arch/x86/kernel/ftrace.c 2011-11-08 19:02:43.000000000 -0500
15444 +++ linux-2.6.32.49/arch/x86/kernel/ftrace.c 2011-11-15 19:59:43.000000000 -0500
15445 @@ -103,7 +103,7 @@ static void *mod_code_ip; /* holds the
15446 static void *mod_code_newcode; /* holds the text to write to the IP */
15447
15448 static unsigned nmi_wait_count;
15449 -static atomic_t nmi_update_count = ATOMIC_INIT(0);
15450 +static atomic_unchecked_t nmi_update_count = ATOMIC_INIT(0);
15451
15452 int ftrace_arch_read_dyn_info(char *buf, int size)
15453 {
15454 @@ -111,7 +111,7 @@ int ftrace_arch_read_dyn_info(char *buf,
15455
15456 r = snprintf(buf, size, "%u %u",
15457 nmi_wait_count,
15458 - atomic_read(&nmi_update_count));
15459 + atomic_read_unchecked(&nmi_update_count));
15460 return r;
15461 }
15462
15463 @@ -149,8 +149,10 @@ void ftrace_nmi_enter(void)
15464 {
15465 if (atomic_inc_return(&nmi_running) & MOD_CODE_WRITE_FLAG) {
15466 smp_rmb();
15467 + pax_open_kernel();
15468 ftrace_mod_code();
15469 - atomic_inc(&nmi_update_count);
15470 + pax_close_kernel();
15471 + atomic_inc_unchecked(&nmi_update_count);
15472 }
15473 /* Must have previous changes seen before executions */
15474 smp_mb();
15475 @@ -215,7 +217,7 @@ do_ftrace_mod_code(unsigned long ip, voi
15476
15477
15478
15479 -static unsigned char ftrace_nop[MCOUNT_INSN_SIZE];
15480 +static unsigned char ftrace_nop[MCOUNT_INSN_SIZE] __read_only;
15481
15482 static unsigned char *ftrace_nop_replace(void)
15483 {
15484 @@ -228,6 +230,8 @@ ftrace_modify_code(unsigned long ip, uns
15485 {
15486 unsigned char replaced[MCOUNT_INSN_SIZE];
15487
15488 + ip = ktla_ktva(ip);
15489 +
15490 /*
15491 * Note: Due to modules and __init, code can
15492 * disappear and change, we need to protect against faulting
15493 @@ -284,7 +288,7 @@ int ftrace_update_ftrace_func(ftrace_fun
15494 unsigned char old[MCOUNT_INSN_SIZE], *new;
15495 int ret;
15496
15497 - memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
15498 + memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
15499 new = ftrace_call_replace(ip, (unsigned long)func);
15500 ret = ftrace_modify_code(ip, old, new);
15501
15502 @@ -337,15 +341,15 @@ int __init ftrace_dyn_arch_init(void *da
15503 switch (faulted) {
15504 case 0:
15505 pr_info("ftrace: converting mcount calls to 0f 1f 44 00 00\n");
15506 - memcpy(ftrace_nop, ftrace_test_p6nop, MCOUNT_INSN_SIZE);
15507 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_p6nop), MCOUNT_INSN_SIZE);
15508 break;
15509 case 1:
15510 pr_info("ftrace: converting mcount calls to 66 66 66 66 90\n");
15511 - memcpy(ftrace_nop, ftrace_test_nop5, MCOUNT_INSN_SIZE);
15512 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_nop5), MCOUNT_INSN_SIZE);
15513 break;
15514 case 2:
15515 pr_info("ftrace: converting mcount calls to jmp . + 5\n");
15516 - memcpy(ftrace_nop, ftrace_test_jmp, MCOUNT_INSN_SIZE);
15517 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_jmp), MCOUNT_INSN_SIZE);
15518 break;
15519 }
15520
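Review bot: The three `memcpy(ftrace_nop, ...)` calls write into an array that an earlier hunk of this file marks `__read_only`, and nothing here brackets the write the way `ftrace_nmi_enter` brackets `ftrace_mod_code()` with `pax_open_kernel()`/`pax_close_kernel()`. If the write is safe only because this `__init` function runs before read-only data is protected, that ordering should be stated in a comment above the `switch`. Otherwise the copies should be bracketed in the same way. The source argument is also passed as `ktla_ktva(ftrace_test_p6nop)` without casts, while `ftrace_update_ftrace_func` uses `(void *)ktla_ktva((unsigned long)ftrace_call)`, so one form should be used for both. The function body starts outside this hunk, so any surrounding bracket is not visible here.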
15521 @@ -366,6 +370,8 @@ static int ftrace_mod_jmp(unsigned long
15522 {
15523 unsigned char code[MCOUNT_INSN_SIZE];
15524
15525 + ip = ktla_ktva(ip);
15526 +
15527 if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
15528 return -EFAULT;
15529
15530 diff -urNp linux-2.6.32.49/arch/x86/kernel/head32.c linux-2.6.32.49/arch/x86/kernel/head32.c
15531 --- linux-2.6.32.49/arch/x86/kernel/head32.c 2011-11-08 19:02:43.000000000 -0500
15532 +++ linux-2.6.32.49/arch/x86/kernel/head32.c 2011-11-15 19:59:43.000000000 -0500
15533 @@ -16,6 +16,7 @@
15534 #include <asm/apic.h>
15535 #include <asm/io_apic.h>
15536 #include <asm/bios_ebda.h>
15537 +#include <asm/boot.h>
15538
15539 static void __init i386_default_early_setup(void)
15540 {
15541 @@ -31,7 +32,7 @@ void __init i386_start_kernel(void)
15542 {
15543 reserve_trampoline_memory();
15544
15545 - reserve_early(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS");
15546 + reserve_early(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS");
15547
15548 #ifdef CONFIG_BLK_DEV_INITRD
15549 /* Reserve INITRD */
15550 diff -urNp linux-2.6.32.49/arch/x86/kernel/head_32.S linux-2.6.32.49/arch/x86/kernel/head_32.S
15551 --- linux-2.6.32.49/arch/x86/kernel/head_32.S 2011-11-08 19:02:43.000000000 -0500
15552 +++ linux-2.6.32.49/arch/x86/kernel/head_32.S 2011-11-15 19:59:43.000000000 -0500
15553 @@ -19,10 +19,17 @@
15554 #include <asm/setup.h>
15555 #include <asm/processor-flags.h>
15556 #include <asm/percpu.h>
15557 +#include <asm/msr-index.h>
15558
15559 /* Physical address */
15560 #define pa(X) ((X) - __PAGE_OFFSET)
15561
15562 +#ifdef CONFIG_PAX_KERNEXEC
15563 +#define ta(X) (X)
15564 +#else
15565 +#define ta(X) ((X) - __PAGE_OFFSET)
15566 +#endif
15567 +
15568 /*
15569 * References to members of the new_cpu_data structure.
15570 */
15571 @@ -52,11 +59,7 @@
15572 * and small than max_low_pfn, otherwise will waste some page table entries
15573 */
15574
15575 -#if PTRS_PER_PMD > 1
15576 -#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
15577 -#else
15578 -#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
15579 -#endif
15580 +#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
15581
15582 /* Enough space to fit pagetables for the low memory linear map */
15583 MAPPING_BEYOND_END = \
15584 @@ -73,6 +76,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P
15585 RESERVE_BRK(pagetables, INIT_MAP_SIZE)
15586
15587 /*
15588 + * Real beginning of normal "text" segment
15589 + */
15590 +ENTRY(stext)
15591 +ENTRY(_stext)
15592 +
15593 +/*
15594 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
15595 * %esi points to the real-mode code as a 32-bit pointer.
15596 * CS and DS must be 4 GB flat segments, but we don't depend on
15597 @@ -80,7 +89,16 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
15598 * can.
15599 */
15600 __HEAD
15601 +
15602 +#ifdef CONFIG_PAX_KERNEXEC
15603 + jmp startup_32
15604 +/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
15605 +.fill PAGE_SIZE-5,1,0xcc
15606 +#endif
15607 +
15608 ENTRY(startup_32)
15609 + movl pa(stack_start),%ecx
15610 +
15611 /* test KEEP_SEGMENTS flag to see if the bootloader is asking
15612 us to not reload segments */
15613 testb $(1<<6), BP_loadflags(%esi)
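Review bot: The `5` in `.fill PAGE_SIZE-5,1,0xcc` is unexplained; it appears to be the encoded length of the preceding `jmp startup_32`, so that the jump plus padding fill exactly one page. The existing comment says what the int3 fill is for but not where the constant comes from. A short addition would cover it, for example `/* 5 = length of the near jmp above, so startup_32 begins on the next page boundary */`. The new `movl pa(stack_start),%ecx` at the top of `startup_32` would also benefit from a note that `%ecx` must stay live until the `leal -__PAGE_OFFSET(%ecx),%esp` added in the next hunk.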
15614 @@ -95,7 +113,60 @@ ENTRY(startup_32)
15615 movl %eax,%es
15616 movl %eax,%fs
15617 movl %eax,%gs
15618 + movl %eax,%ss
15619 2:
15620 + leal -__PAGE_OFFSET(%ecx),%esp
15621 +
15622 +#ifdef CONFIG_SMP
15623 + movl $pa(cpu_gdt_table),%edi
15624 + movl $__per_cpu_load,%eax
15625 + movw %ax,__KERNEL_PERCPU + 2(%edi)
15626 + rorl $16,%eax
15627 + movb %al,__KERNEL_PERCPU + 4(%edi)
15628 + movb %ah,__KERNEL_PERCPU + 7(%edi)
15629 + movl $__per_cpu_end - 1,%eax
15630 + subl $__per_cpu_start,%eax
15631 + movw %ax,__KERNEL_PERCPU + 0(%edi)
15632 +#endif
15633 +
15634 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15635 + movl $NR_CPUS,%ecx
15636 + movl $pa(cpu_gdt_table),%edi
15637 +1:
15638 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
15639 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0fb00),GDT_ENTRY_DEFAULT_USER_CS * 8 + 4(%edi)
15640 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0f300),GDT_ENTRY_DEFAULT_USER_DS * 8 + 4(%edi)
15641 + addl $PAGE_SIZE_asm,%edi
15642 + loop 1b
15643 +#endif
15644 +
15645 +#ifdef CONFIG_PAX_KERNEXEC
15646 + movl $pa(boot_gdt),%edi
15647 + movl $__LOAD_PHYSICAL_ADDR,%eax
15648 + movw %ax,__BOOT_CS + 2(%edi)
15649 + rorl $16,%eax
15650 + movb %al,__BOOT_CS + 4(%edi)
15651 + movb %ah,__BOOT_CS + 7(%edi)
15652 + rorl $16,%eax
15653 +
15654 + ljmp $(__BOOT_CS),$1f
15655 +1:
15656 +
15657 + movl $NR_CPUS,%ecx
15658 + movl $pa(cpu_gdt_table),%edi
15659 + addl $__PAGE_OFFSET,%eax
15660 +1:
15661 + movw %ax,__KERNEL_CS + 2(%edi)
15662 + movw %ax,__KERNEXEC_KERNEL_CS + 2(%edi)
15663 + rorl $16,%eax
15664 + movb %al,__KERNEL_CS + 4(%edi)
15665 + movb %al,__KERNEXEC_KERNEL_CS + 4(%edi)
15666 + movb %ah,__KERNEL_CS + 7(%edi)
15667 + movb %ah,__KERNEXEC_KERNEL_CS + 7(%edi)
15668 + rorl $16,%eax
15669 + addl $PAGE_SIZE_asm,%edi
15670 + loop 1b
15671 +#endif
15672
15673 /*
15674 * Clear BSS first so that there are no surprises...
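Review bot: The `CONFIG_PAX_MEMORY_UDEREF` loop stores three hand-encoded descriptor high dwords (`0x00c09700`, `0x00c0fb00`, `0x00c0f300`, OR-ed with a limit nibble derived from `__PAGE_OFFSET-1`) with no comment on what they encode. In the x86 descriptor layout these are the access byte and flags. A line per store would make the intent reviewable, for example `/* limit[19:16] from __PAGE_OFFSET-1; access 0x97 = present, DPL0, expand-down r/w data */`. Both this loop and the `CONFIG_PAX_KERNEXEC` loop step `%edi` by `PAGE_SIZE_asm`, which relies on each per-CPU GDT being padded to one page. That padding is done by `.fill PAGE_SIZE_asm - GDT_SIZE` in `cpu_gdt_table` later in this file, and a cross-reference comment here would keep the two in sync.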
15675 @@ -140,9 +211,7 @@ ENTRY(startup_32)
15676 cmpl $num_subarch_entries, %eax
15677 jae bad_subarch
15678
15679 - movl pa(subarch_entries)(,%eax,4), %eax
15680 - subl $__PAGE_OFFSET, %eax
15681 - jmp *%eax
15682 + jmp *pa(subarch_entries)(,%eax,4)
15683
15684 bad_subarch:
15685 WEAK(lguest_entry)
15686 @@ -154,10 +223,10 @@ WEAK(xen_entry)
15687 __INITDATA
15688
15689 subarch_entries:
15690 - .long default_entry /* normal x86/PC */
15691 - .long lguest_entry /* lguest hypervisor */
15692 - .long xen_entry /* Xen hypervisor */
15693 - .long default_entry /* Moorestown MID */
15694 + .long ta(default_entry) /* normal x86/PC */
15695 + .long ta(lguest_entry) /* lguest hypervisor */
15696 + .long ta(xen_entry) /* Xen hypervisor */
15697 + .long ta(default_entry) /* Moorestown MID */
15698 num_subarch_entries = (. - subarch_entries) / 4
15699 .previous
15700 #endif /* CONFIG_PARAVIRT */
15701 @@ -218,8 +287,11 @@ default_entry:
15702 movl %eax, pa(max_pfn_mapped)
15703
15704 /* Do early initialization of the fixmap area */
15705 - movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
15706 - movl %eax,pa(swapper_pg_pmd+0x1000*KPMDS-8)
15707 +#ifdef CONFIG_COMPAT_VDSO
15708 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_pmd+0x1000*KPMDS-8)
15709 +#else
15710 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_pmd+0x1000*KPMDS-8)
15711 +#endif
15712 #else /* Not PAE */
15713
15714 page_pde_offset = (__PAGE_OFFSET >> 20);
15715 @@ -249,8 +321,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
15716 movl %eax, pa(max_pfn_mapped)
15717
15718 /* Do early initialization of the fixmap area */
15719 - movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
15720 - movl %eax,pa(swapper_pg_dir+0xffc)
15721 +#ifdef CONFIG_COMPAT_VDSO
15722 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_dir+0xffc)
15723 +#else
15724 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_dir+0xffc)
15725 +#endif
15726 #endif
15727 jmp 3f
15728 /*
15729 @@ -272,6 +347,9 @@ ENTRY(startup_32_smp)
15730 movl %eax,%es
15731 movl %eax,%fs
15732 movl %eax,%gs
15733 + movl pa(stack_start),%ecx
15734 + movl %eax,%ss
15735 + leal -__PAGE_OFFSET(%ecx),%esp
15736 #endif /* CONFIG_SMP */
15737 3:
15738
15739 @@ -297,6 +375,7 @@ ENTRY(startup_32_smp)
15740 orl %edx,%eax
15741 movl %eax,%cr4
15742
15743 +#ifdef CONFIG_X86_PAE
15744 btl $5, %eax # check if PAE is enabled
15745 jnc 6f
15746
15747 @@ -305,6 +384,10 @@ ENTRY(startup_32_smp)
15748 cpuid
15749 cmpl $0x80000000, %eax
15750 jbe 6f
15751 +
15752 + /* Clear bogus XD_DISABLE bits */
15753 + call verify_cpu
15754 +
15755 mov $0x80000001, %eax
15756 cpuid
15757 /* Execute Disable bit supported? */
15758 @@ -312,13 +395,17 @@ ENTRY(startup_32_smp)
15759 jnc 6f
15760
15761 /* Setup EFER (Extended Feature Enable Register) */
15762 - movl $0xc0000080, %ecx
15763 + movl $MSR_EFER, %ecx
15764 rdmsr
15765
15766 btsl $11, %eax
15767 /* Make changes effective */
15768 wrmsr
15769
15770 + btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
15771 + movl $1,pa(nx_enabled)
15772 +#endif
15773 +
15774 6:
15775
15776 /*
15777 @@ -331,8 +418,8 @@ ENTRY(startup_32_smp)
15778 movl %eax,%cr0 /* ..and set paging (PG) bit */
15779 ljmp $__BOOT_CS,$1f /* Clear prefetch and normalize %eip */
15780 1:
15781 - /* Set up the stack pointer */
15782 - lss stack_start,%esp
15783 + /* Shift the stack pointer to a virtual address */
15784 + addl $__PAGE_OFFSET, %esp
15785
15786 /*
15787 * Initialize eflags. Some BIOS's leave bits like NT set. This would
15788 @@ -344,9 +431,7 @@ ENTRY(startup_32_smp)
15789
15790 #ifdef CONFIG_SMP
15791 cmpb $0, ready
15792 - jz 1f /* Initial CPU cleans BSS */
15793 - jmp checkCPUtype
15794 -1:
15795 + jnz checkCPUtype
15796 #endif /* CONFIG_SMP */
15797
15798 /*
15799 @@ -424,7 +509,7 @@ is386: movl $2,%ecx # set MP
15800 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
15801 movl %eax,%ss # after changing gdt.
15802
15803 - movl $(__USER_DS),%eax # DS/ES contains default USER segment
15804 +# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
15805 movl %eax,%ds
15806 movl %eax,%es
15807
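Review bot: The added line `# movl $(__KERNEL_DS),%eax` is commented-out code, so `%ds` and `%es` are now loaded from whatever `%eax` still holds from the `movl $(__KERNEL_DS),%eax` three lines above. That dependency is easy to break if an instruction touching `%eax` is later inserted between the two. Replacing the dead instruction with a plain comment would state the contract directly, for example `/* %eax still holds __KERNEL_DS from the %ss reload: DS/ES use the kernel segment */`.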
15808 @@ -438,15 +523,22 @@ is386: movl $2,%ecx # set MP
15809 */
15810 cmpb $0,ready
15811 jne 1f
15812 - movl $per_cpu__gdt_page,%eax
15813 + movl $cpu_gdt_table,%eax
15814 movl $per_cpu__stack_canary,%ecx
15815 +#ifdef CONFIG_SMP
15816 + addl $__per_cpu_load,%ecx
15817 +#endif
15818 movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
15819 shrl $16, %ecx
15820 movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
15821 movb %ch, 8 * GDT_ENTRY_STACK_CANARY + 7(%eax)
15822 1:
15823 -#endif
15824 movl $(__KERNEL_STACK_CANARY),%eax
15825 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
15826 + movl $(__USER_DS),%eax
15827 +#else
15828 + xorl %eax,%eax
15829 +#endif
15830 movl %eax,%gs
15831
15832 xorl %eax,%eax # Clear LDT
15833 @@ -454,14 +546,7 @@ is386: movl $2,%ecx # set MP
15834
15835 cld # gcc2 wants the direction flag cleared at all times
15836 pushl $0 # fake return address for unwinder
15837 -#ifdef CONFIG_SMP
15838 - movb ready, %cl
15839 movb $1, ready
15840 - cmpb $0,%cl # the first CPU calls start_kernel
15841 - je 1f
15842 - movl (stack_start), %esp
15843 -1:
15844 -#endif /* CONFIG_SMP */
15845 jmp *(initial_code)
15846
15847 /*
15848 @@ -546,22 +631,22 @@ early_page_fault:
15849 jmp early_fault
15850
15851 early_fault:
15852 - cld
15853 #ifdef CONFIG_PRINTK
15854 + cmpl $1,%ss:early_recursion_flag
15855 + je hlt_loop
15856 + incl %ss:early_recursion_flag
15857 + cld
15858 pusha
15859 movl $(__KERNEL_DS),%eax
15860 movl %eax,%ds
15861 movl %eax,%es
15862 - cmpl $2,early_recursion_flag
15863 - je hlt_loop
15864 - incl early_recursion_flag
15865 movl %cr2,%eax
15866 pushl %eax
15867 pushl %edx /* trapno */
15868 pushl $fault_msg
15869 call printk
15870 +; call dump_stack
15871 #endif
15872 - call dump_stack
15873 hlt_loop:
15874 hlt
15875 jmp hlt_loop
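Review bot: In GNU as for x86, `;` separates statements rather than starting a comment, so the added line `; call dump_stack` still assembles the call. It now sits inside `#ifdef CONFIG_PRINTK` instead of after it. If the intent was to disable the call, delete the line or write `/* call dump_stack */`; if the call is meant to stay, drop the `;` so the line reads as live code. `early_fault` now halts when `early_recursion_flag` equals 1 while `ignore_int` in the next hunk still compares against 2, and a comment on the differing thresholds would help.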
15876 @@ -569,8 +654,11 @@ hlt_loop:
15877 /* This is the default interrupt "handler" :-) */
15878 ALIGN
15879 ignore_int:
15880 - cld
15881 #ifdef CONFIG_PRINTK
15882 + cmpl $2,%ss:early_recursion_flag
15883 + je hlt_loop
15884 + incl %ss:early_recursion_flag
15885 + cld
15886 pushl %eax
15887 pushl %ecx
15888 pushl %edx
15889 @@ -579,9 +667,6 @@ ignore_int:
15890 movl $(__KERNEL_DS),%eax
15891 movl %eax,%ds
15892 movl %eax,%es
15893 - cmpl $2,early_recursion_flag
15894 - je hlt_loop
15895 - incl early_recursion_flag
15896 pushl 16(%esp)
15897 pushl 24(%esp)
15898 pushl 32(%esp)
15899 @@ -600,6 +685,8 @@ ignore_int:
15900 #endif
15901 iret
15902
15903 +#include "verify_cpu.S"
15904 +
15905 __REFDATA
15906 .align 4
15907 ENTRY(initial_code)
15908 @@ -610,31 +697,47 @@ ENTRY(initial_page_table)
15909 /*
15910 * BSS section
15911 */
15912 -__PAGE_ALIGNED_BSS
15913 - .align PAGE_SIZE_asm
15914 #ifdef CONFIG_X86_PAE
15915 +.section .swapper_pg_pmd,"a",@progbits
15916 swapper_pg_pmd:
15917 .fill 1024*KPMDS,4,0
15918 #else
15919 +.section .swapper_pg_dir,"a",@progbits
15920 ENTRY(swapper_pg_dir)
15921 .fill 1024,4,0
15922 #endif
15923 +.section .swapper_pg_fixmap,"a",@progbits
15924 swapper_pg_fixmap:
15925 .fill 1024,4,0
15926 #ifdef CONFIG_X86_TRAMPOLINE
15927 +.section .trampoline_pg_dir,"a",@progbits
15928 ENTRY(trampoline_pg_dir)
15929 +#ifdef CONFIG_X86_PAE
15930 + .fill 4,8,0
15931 +#else
15932 .fill 1024,4,0
15933 #endif
15934 +#endif
15935 +
15936 +.section .empty_zero_page,"a",@progbits
15937 ENTRY(empty_zero_page)
15938 .fill 4096,1,0
15939
15940 /*
15941 + * The IDT has to be page-aligned to simplify the Pentium
15942 + * F0 0F bug workaround.. We have a special link segment
15943 + * for this.
15944 + */
15945 +.section .idt,"a",@progbits
15946 +ENTRY(idt_table)
15947 + .fill 256,8,0
15948 +
15949 +/*
15950 * This starts the data section.
15951 */
15952 #ifdef CONFIG_X86_PAE
15953 -__PAGE_ALIGNED_DATA
15954 - /* Page-aligned for the benefit of paravirt? */
15955 - .align PAGE_SIZE_asm
15956 +.section .swapper_pg_dir,"a",@progbits
15957 +
15958 ENTRY(swapper_pg_dir)
15959 .long pa(swapper_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
15960 # if KPMDS == 3
15961 @@ -653,15 +756,24 @@ ENTRY(swapper_pg_dir)
15962 # error "Kernel PMDs should be 1, 2 or 3"
15963 # endif
15964 .align PAGE_SIZE_asm /* needs to be page-sized too */
15965 +
15966 +#ifdef CONFIG_PAX_PER_CPU_PGD
15967 +ENTRY(cpu_pgd)
15968 + .rept NR_CPUS
15969 + .fill 4,8,0
15970 + .endr
15971 +#endif
15972 +
15973 #endif
15974
15975 .data
15976 +.balign 4
15977 ENTRY(stack_start)
15978 - .long init_thread_union+THREAD_SIZE
15979 - .long __BOOT_DS
15980 + .long init_thread_union+THREAD_SIZE-8
15981
15982 ready: .byte 0
15983
15984 +.section .rodata,"a",@progbits
15985 early_recursion_flag:
15986 .long 0
15987
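Review bot: `early_recursion_flag` is now emitted under `.section .rodata`, but `early_fault` and `ignore_int` in this file both execute `incl %ss:early_recursion_flag`. If either handler runs after read-only data is write-protected, that increment would itself fault inside the fault handler. Either keep the flag in a writable section or add a comment stating that both handlers can only run before protection is applied. That ordering is not visible from this hunk. `stack_start` also loses its `__BOOT_DS` word and gains `-8` with no explanation, so a comment should state that it is now a bare pointer and what the 8 bytes are reserved for.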
15988 @@ -697,7 +809,7 @@ fault_msg:
15989 .word 0 # 32 bit align gdt_desc.address
15990 boot_gdt_descr:
15991 .word __BOOT_DS+7
15992 - .long boot_gdt - __PAGE_OFFSET
15993 + .long pa(boot_gdt)
15994
15995 .word 0 # 32-bit align idt_desc.address
15996 idt_descr:
15997 @@ -708,7 +820,7 @@ idt_descr:
15998 .word 0 # 32 bit align gdt_desc.address
15999 ENTRY(early_gdt_descr)
16000 .word GDT_ENTRIES*8-1
16001 - .long per_cpu__gdt_page /* Overwritten for secondary CPUs */
16002 + .long cpu_gdt_table /* Overwritten for secondary CPUs */
16003
16004 /*
16005 * The boot_gdt must mirror the equivalent in setup.S and is
16006 @@ -717,5 +829,65 @@ ENTRY(early_gdt_descr)
16007 .align L1_CACHE_BYTES
16008 ENTRY(boot_gdt)
16009 .fill GDT_ENTRY_BOOT_CS,8,0
16010 - .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
16011 - .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
16012 + .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
16013 + .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
16014 +
16015 + .align PAGE_SIZE_asm
16016 +ENTRY(cpu_gdt_table)
16017 + .rept NR_CPUS
16018 + .quad 0x0000000000000000 /* NULL descriptor */
16019 + .quad 0x0000000000000000 /* 0x0b reserved */
16020 + .quad 0x0000000000000000 /* 0x13 reserved */
16021 + .quad 0x0000000000000000 /* 0x1b reserved */
16022 +
16023 +#ifdef CONFIG_PAX_KERNEXEC
16024 + .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */
16025 +#else
16026 + .quad 0x0000000000000000 /* 0x20 unused */
16027 +#endif
16028 +
16029 + .quad 0x0000000000000000 /* 0x28 unused */
16030 + .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
16031 + .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
16032 + .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
16033 + .quad 0x0000000000000000 /* 0x4b reserved */
16034 + .quad 0x0000000000000000 /* 0x53 reserved */
16035 + .quad 0x0000000000000000 /* 0x5b reserved */
16036 +
16037 + .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
16038 + .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
16039 + .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
16040 + .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
16041 +
16042 + .quad 0x0000000000000000 /* 0x80 TSS descriptor */
16043 + .quad 0x0000000000000000 /* 0x88 LDT descriptor */
16044 +
16045 + /*
16046 + * Segments used for calling PnP BIOS have byte granularity.
16047 + * The code segments and data segments have fixed 64k limits,
16048 + * the transfer segment sizes are set at run time.
16049 + */
16050 + .quad 0x00409b000000ffff /* 0x90 32-bit code */
16051 + .quad 0x00009b000000ffff /* 0x98 16-bit code */
16052 + .quad 0x000093000000ffff /* 0xa0 16-bit data */
16053 + .quad 0x0000930000000000 /* 0xa8 16-bit data */
16054 + .quad 0x0000930000000000 /* 0xb0 16-bit data */
16055 +
16056 + /*
16057 + * The APM segments have byte granularity and their bases
16058 + * are set at run time. All have 64k limits.
16059 + */
16060 + .quad 0x00409b000000ffff /* 0xb8 APM CS code */
16061 + .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
16062 + .quad 0x004093000000ffff /* 0xc8 APM DS data */
16063 +
16064 + .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
16065 + .quad 0x0040930000000000 /* 0xd8 - PERCPU */
16066 + .quad 0x0040910000000017 /* 0xe0 - STACK_CANARY */
16067 + .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
16068 + .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
16069 + .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
16070 +
16071 + /* Be sure this is zeroed to avoid false validations in Xen */
16072 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0
16073 + .endr
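Review bot: The type bytes in `boot_gdt` change from `0x9a`/`0x92` to `0x9b`/`0x93`, which pre-sets the accessed bit, and every populated code and data descriptor in the new `cpu_gdt_table` does the same, but no comment says why. Presumably this keeps the CPU from writing the accessed bit back into a GDT page that may be mapped read-only. If that is the reason, it should be stated above the table, for example `/* accessed bit pre-set in every descriptor so segment loads never write to the GDT */`. Without it a later edit could reintroduce a `0x9a`/`0x92` entry. The selector values in the per-entry comments mix RPL-0 and RPL-3 forms (`0x0b`, `0x33`, `0x60`), so a one-line legend would help readers check them against the `GDT_ENTRY_*` indices.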
16074 diff -urNp linux-2.6.32.49/arch/x86/kernel/head_64.S linux-2.6.32.49/arch/x86/kernel/head_64.S
16075 --- linux-2.6.32.49/arch/x86/kernel/head_64.S 2011-11-08 19:02:43.000000000 -0500
16076 +++ linux-2.6.32.49/arch/x86/kernel/head_64.S 2011-11-15 19:59:43.000000000 -0500
16077 @@ -19,6 +19,7 @@
16078 #include <asm/cache.h>
16079 #include <asm/processor-flags.h>
16080 #include <asm/percpu.h>
16081 +#include <asm/cpufeature.h>
16082
16083 #ifdef CONFIG_PARAVIRT
16084 #include <asm/asm-offsets.h>
16085 @@ -38,6 +39,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
16086 L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
16087 L4_START_KERNEL = pgd_index(__START_KERNEL_map)
16088 L3_START_KERNEL = pud_index(__START_KERNEL_map)
16089 +L4_VMALLOC_START = pgd_index(VMALLOC_START)
16090 +L3_VMALLOC_START = pud_index(VMALLOC_START)
16091 +L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
16092 +L3_VMEMMAP_START = pud_index(VMEMMAP_START)
16093
16094 .text
16095 __HEAD
16096 @@ -85,35 +90,22 @@ startup_64:
16097 */
16098 addq %rbp, init_level4_pgt + 0(%rip)
16099 addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
16100 + addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
16101 + addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
16102 addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
16103
16104 addq %rbp, level3_ident_pgt + 0(%rip)
16105 +#ifndef CONFIG_XEN
16106 + addq %rbp, level3_ident_pgt + 8(%rip)
16107 +#endif
16108
16109 - addq %rbp, level3_kernel_pgt + (510*8)(%rip)
16110 - addq %rbp, level3_kernel_pgt + (511*8)(%rip)
16111 + addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
16112
16113 - addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
16114 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
16115 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
16116
16117 - /* Add an Identity mapping if I am above 1G */
16118 - leaq _text(%rip), %rdi
16119 - andq $PMD_PAGE_MASK, %rdi
16120 -
16121 - movq %rdi, %rax
16122 - shrq $PUD_SHIFT, %rax
16123 - andq $(PTRS_PER_PUD - 1), %rax
16124 - jz ident_complete
16125 -
16126 - leaq (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
16127 - leaq level3_ident_pgt(%rip), %rbx
16128 - movq %rdx, 0(%rbx, %rax, 8)
16129 -
16130 - movq %rdi, %rax
16131 - shrq $PMD_SHIFT, %rax
16132 - andq $(PTRS_PER_PMD - 1), %rax
16133 - leaq __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx
16134 - leaq level2_spare_pgt(%rip), %rbx
16135 - movq %rdx, 0(%rbx, %rax, 8)
16136 -ident_complete:
16137 + addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
16138 + addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
16139
16140 /*
16141 * Fixup the kernel text+data virtual addresses. Note that
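Review bot: The relocation fixup kept for slot 506 of `level2_fixmap_pgt` now targets an entry that the table definition further down this file leaves zero: the new layout is `.fill 507,8,0` followed by the single `level1_vsyscall_pgt` entry, so only slot 507 is populated. Assuming %rbp holds the load offset (its setup is outside the hunk), adding it to an empty slot produces a non-zero entry that stays harmless only while the present bit remains clear. Either drop `addq %rbp, level2_fixmap_pgt + (506*8)(%rip)` or add a comment saying why it is kept. The literal 506/507 indices would also read better as a named constant, like the `L3_*`/`L4_*` symbols used on the neighbouring lines.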
16142 @@ -161,8 +153,8 @@ ENTRY(secondary_startup_64)
16143 * after the boot processor executes this code.
16144 */
16145
16146 - /* Enable PAE mode and PGE */
16147 - movl $(X86_CR4_PAE | X86_CR4_PGE), %eax
16148 + /* Enable PAE mode and PSE/PGE */
16149 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
16150 movq %rax, %cr4
16151
16152 /* Setup early boot stage 4 level pagetables. */
16153 @@ -184,9 +176,13 @@ ENTRY(secondary_startup_64)
16154 movl $MSR_EFER, %ecx
16155 rdmsr
16156 btsl $_EFER_SCE, %eax /* Enable System Call */
16157 - btl $20,%edi /* No Execute supported? */
16158 + btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */
16159 jnc 1f
16160 btsl $_EFER_NX, %eax
16161 + leaq init_level4_pgt(%rip), %rdi
16162 + btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
16163 + btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
16164 + btsq $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
16165 1: wrmsr /* Make changes effective */
16166
16167 /* Setup cr0 */
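Review bot: `leaq init_level4_pgt(%rip), %rdi` overwrites the register that the `btl $(X86_FEATURE_NX & 31),%edi` just above tested as the CPUID feature word. Any later use of %edi as feature bits in secondary_startup_64 (the routine continues outside the hunk) would see a pointer instead, so confirm it is dead after this point or use another scratch register. The three `btsq` lines also deserve a comment such as `/* NX available: mark the __PAGE_OFFSET, VMALLOC_START and VMEMMAP_START PGD entries no-execute */`. Since a later hunk places `init_level4_pgt` after a `.section .rodata` directive, the comment should state why writing to it is still permitted at this stage of boot.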
16168 @@ -262,16 +258,16 @@ ENTRY(secondary_startup_64)
16169 .quad x86_64_start_kernel
16170 ENTRY(initial_gs)
16171 .quad INIT_PER_CPU_VAR(irq_stack_union)
16172 - __FINITDATA
16173
16174 ENTRY(stack_start)
16175 .quad init_thread_union+THREAD_SIZE-8
16176 .word 0
16177 + __FINITDATA
16178
16179 bad_address:
16180 jmp bad_address
16181
16182 - .section ".init.text","ax"
16183 + __INIT
16184 #ifdef CONFIG_EARLY_PRINTK
16185 .globl early_idt_handlers
16186 early_idt_handlers:
16187 @@ -316,18 +312,23 @@ ENTRY(early_idt_handler)
16188 #endif /* EARLY_PRINTK */
16189 1: hlt
16190 jmp 1b
16191 + .previous
16192
16193 #ifdef CONFIG_EARLY_PRINTK
16194 + __INITDATA
16195 early_recursion_flag:
16196 .long 0
16197 + .previous
16198
16199 + .section .rodata,"a",@progbits
16200 early_idt_msg:
16201 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
16202 early_idt_ripmsg:
16203 .asciz "RIP %s\n"
16204 -#endif /* CONFIG_EARLY_PRINTK */
16205 .previous
16206 +#endif /* CONFIG_EARLY_PRINTK */
16207
16208 + .section .rodata,"a",@progbits
16209 #define NEXT_PAGE(name) \
16210 .balign PAGE_SIZE; \
16211 ENTRY(name)
16212 @@ -350,13 +351,36 @@ NEXT_PAGE(init_level4_pgt)
16213 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
16214 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
16215 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
16216 + .org init_level4_pgt + L4_VMALLOC_START*8, 0
16217 + .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
16218 + .org init_level4_pgt + L4_VMEMMAP_START*8, 0
16219 + .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
16220 .org init_level4_pgt + L4_START_KERNEL*8, 0
16221 /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
16222 .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
16223
16224 +#ifdef CONFIG_PAX_PER_CPU_PGD
16225 +NEXT_PAGE(cpu_pgd)
16226 + .rept NR_CPUS
16227 + .fill 512,8,0
16228 + .endr
16229 +#endif
16230 +
16231 NEXT_PAGE(level3_ident_pgt)
16232 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
16233 +#ifdef CONFIG_XEN
16234 .fill 511,8,0
16235 +#else
16236 + .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
16237 + .fill 510,8,0
16238 +#endif
16239 +
16240 +NEXT_PAGE(level3_vmalloc_pgt)
16241 + .fill 512,8,0
16242 +
16243 +NEXT_PAGE(level3_vmemmap_pgt)
16244 + .fill L3_VMEMMAP_START,8,0
16245 + .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
16246
16247 NEXT_PAGE(level3_kernel_pgt)
16248 .fill L3_START_KERNEL,8,0
16249 @@ -364,20 +388,23 @@ NEXT_PAGE(level3_kernel_pgt)
16250 .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
16251 .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
16252
16253 +NEXT_PAGE(level2_vmemmap_pgt)
16254 + .fill 512,8,0
16255 +
16256 NEXT_PAGE(level2_fixmap_pgt)
16257 - .fill 506,8,0
16258 - .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
16259 - /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
16260 - .fill 5,8,0
16261 + .fill 507,8,0
16262 + .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
16263 + /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
16264 + .fill 4,8,0
16265
16266 -NEXT_PAGE(level1_fixmap_pgt)
16267 +NEXT_PAGE(level1_vsyscall_pgt)
16268 .fill 512,8,0
16269
16270 -NEXT_PAGE(level2_ident_pgt)
16271 - /* Since I easily can, map the first 1G.
16272 + /* Since I easily can, map the first 2G.
16273 * Don't set NX because code runs from these pages.
16274 */
16275 - PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
16276 +NEXT_PAGE(level2_ident_pgt)
16277 + PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)
16278
16279 NEXT_PAGE(level2_kernel_pgt)
16280 /*
16281 @@ -390,33 +417,55 @@ NEXT_PAGE(level2_kernel_pgt)
16282 * If you want to increase this then increase MODULES_VADDR
16283 * too.)
16284 */
16285 - PMDS(0, __PAGE_KERNEL_LARGE_EXEC,
16286 - KERNEL_IMAGE_SIZE/PMD_SIZE)
16287 -
16288 -NEXT_PAGE(level2_spare_pgt)
16289 - .fill 512, 8, 0
16290 + PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE)
16291
16292 #undef PMDS
16293 #undef NEXT_PAGE
16294
16295 - .data
16296 + .align PAGE_SIZE
16297 +ENTRY(cpu_gdt_table)
16298 + .rept NR_CPUS
16299 + .quad 0x0000000000000000 /* NULL descriptor */
16300 + .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
16301 + .quad 0x00af9b000000ffff /* __KERNEL_CS */
16302 + .quad 0x00cf93000000ffff /* __KERNEL_DS */
16303 + .quad 0x00cffb000000ffff /* __USER32_CS */
16304 + .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
16305 + .quad 0x00affb000000ffff /* __USER_CS */
16306 +
16307 +#ifdef CONFIG_PAX_KERNEXEC
16308 + .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */
16309 +#else
16310 + .quad 0x0 /* unused */
16311 +#endif
16312 +
16313 + .quad 0,0 /* TSS */
16314 + .quad 0,0 /* LDT */
16315 + .quad 0,0,0 /* three TLS descriptors */
16316 + .quad 0x0000f40000000000 /* node/CPU stored in limit */
16317 + /* asm/segment.h:GDT_ENTRIES must match this */
16318 +
16319 + /* zero the remaining page */
16320 + .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
16321 + .endr
16322 +
16323 .align 16
16324 .globl early_gdt_descr
16325 early_gdt_descr:
16326 .word GDT_ENTRIES*8-1
16327 early_gdt_descr_base:
16328 - .quad INIT_PER_CPU_VAR(gdt_page)
16329 + .quad cpu_gdt_table
16330
16331 ENTRY(phys_base)
16332 /* This must match the first entry in level2_kernel_pgt */
16333 .quad 0x0000000000000000
16334
16335 #include "../../x86/xen/xen-head.S"
16336 -
16337 - .section .bss, "aw", @nobits
16338 +
16339 + .section .rodata,"a",@progbits
16340 .align L1_CACHE_BYTES
16341 ENTRY(idt_table)
16342 - .skip IDT_ENTRIES * 16
16343 + .fill 512,8,0
16344
16345 __PAGE_ALIGNED_BSS
16346 .align PAGE_SIZE
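Review bot: `.fill 512,8,0` hard-codes the size of `idt_table`, where the line it replaces derived it from `IDT_ENTRIES * 16`; the two agree only while IDT_ENTRIES is 256. Keeping the symbolic form, `.fill IDT_ENTRIES * 2,8,0`, preserves the link to the header constant now that the table lives in `.rodata` and has to be emitted with explicit zeros. In the same hunk the `cpu_gdt_table` padding `.fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0` is correct only if the descriptors listed above it number exactly GDT_ENTRIES. The comment says so, but an assembler-time check on the per-CPU block size would enforce it.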
16347 diff -urNp linux-2.6.32.49/arch/x86/kernel/i386_ksyms_32.c linux-2.6.32.49/arch/x86/kernel/i386_ksyms_32.c
16348 --- linux-2.6.32.49/arch/x86/kernel/i386_ksyms_32.c 2011-11-08 19:02:43.000000000 -0500
16349 +++ linux-2.6.32.49/arch/x86/kernel/i386_ksyms_32.c 2011-11-15 19:59:43.000000000 -0500
16350 @@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
16351 EXPORT_SYMBOL(cmpxchg8b_emu);
16352 #endif
16353
16354 +EXPORT_SYMBOL_GPL(cpu_gdt_table);
16355 +
16356 /* Networking helper routines. */
16357 EXPORT_SYMBOL(csum_partial_copy_generic);
16358 +EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
16359 +EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
16360
16361 EXPORT_SYMBOL(__get_user_1);
16362 EXPORT_SYMBOL(__get_user_2);
16363 @@ -36,3 +40,7 @@ EXPORT_SYMBOL(strstr);
16364
16365 EXPORT_SYMBOL(csum_partial);
16366 EXPORT_SYMBOL(empty_zero_page);
16367 +
16368 +#ifdef CONFIG_PAX_KERNEXEC
16369 +EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
16370 +#endif
16371 diff -urNp linux-2.6.32.49/arch/x86/kernel/i8259.c linux-2.6.32.49/arch/x86/kernel/i8259.c
16372 --- linux-2.6.32.49/arch/x86/kernel/i8259.c 2011-11-08 19:02:43.000000000 -0500
16373 +++ linux-2.6.32.49/arch/x86/kernel/i8259.c 2011-11-15 19:59:43.000000000 -0500
16374 @@ -208,7 +208,7 @@ spurious_8259A_irq:
16375 "spurious 8259A interrupt: IRQ%d.\n", irq);
16376 spurious_irq_mask |= irqmask;
16377 }
16378 - atomic_inc(&irq_err_count);
16379 + atomic_inc_unchecked(&irq_err_count);
16380 /*
16381 * Theoretically we do not have to handle this IRQ,
16382 * but in Linux this does not cause problems and is
16383 diff -urNp linux-2.6.32.49/arch/x86/kernel/init_task.c linux-2.6.32.49/arch/x86/kernel/init_task.c
16384 --- linux-2.6.32.49/arch/x86/kernel/init_task.c 2011-11-08 19:02:43.000000000 -0500
16385 +++ linux-2.6.32.49/arch/x86/kernel/init_task.c 2011-11-15 19:59:43.000000000 -0500
16386 @@ -20,8 +20,7 @@ static struct sighand_struct init_sighan
16387 * way process stacks are handled. This is done by having a special
16388 * "init_task" linker map entry..
16389 */
16390 -union thread_union init_thread_union __init_task_data =
16391 - { INIT_THREAD_INFO(init_task) };
16392 +union thread_union init_thread_union __init_task_data;
16393
16394 /*
16395 * Initial task structure.
16396 @@ -38,5 +37,5 @@ EXPORT_SYMBOL(init_task);
16397 * section. Since TSS's are completely CPU-local, we want them
16398 * on exact cacheline boundaries, to eliminate cacheline ping-pong.
16399 */
16400 -DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
16401 -
16402 +struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
16403 +EXPORT_SYMBOL(init_tss);
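Review bot: The comment kept above this definition still speaks of placing each CPU-local TSS "on exact cacheline boundaries", but the replacement is a plain `init_tss[NR_CPUS]` array. `____cacheline_internodealigned_in_smp` here aligns the array as a whole, so whether every element is aligned depends on the size and alignment of `struct tss_struct`, which is not visible in this hunk. Update the comment to match, for example `/* static NR_CPUS-sized array, indexed by CPU number, instead of a per-CPU variable */`, and note the alignment assumption. The comment begins outside the hunk.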
16404 diff -urNp linux-2.6.32.49/arch/x86/kernel/ioport.c linux-2.6.32.49/arch/x86/kernel/ioport.c
16405 --- linux-2.6.32.49/arch/x86/kernel/ioport.c 2011-11-08 19:02:43.000000000 -0500
16406 +++ linux-2.6.32.49/arch/x86/kernel/ioport.c 2011-11-15 19:59:43.000000000 -0500
16407 @@ -6,6 +6,7 @@
16408 #include <linux/sched.h>
16409 #include <linux/kernel.h>
16410 #include <linux/capability.h>
16411 +#include <linux/security.h>
16412 #include <linux/errno.h>
16413 #include <linux/types.h>
16414 #include <linux/ioport.h>
16415 @@ -41,6 +42,12 @@ asmlinkage long sys_ioperm(unsigned long
16416
16417 if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
16418 return -EINVAL;
16419 +#ifdef CONFIG_GRKERNSEC_IO
16420 + if (turn_on && grsec_disable_privio) {
16421 + gr_handle_ioperm();
16422 + return -EPERM;
16423 + }
16424 +#endif
16425 if (turn_on && !capable(CAP_SYS_RAWIO))
16426 return -EPERM;
16427
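Review bot: The new CONFIG_GRKERNSEC_IO block in sys_ioperm runs before the `capable(CAP_SYS_RAWIO)` test, so when `grsec_disable_privio` is set the request is refused even for callers holding the capability, and nothing in the code says this ordering is intentional. A one-line comment such as `/* privileged I/O disabled system-wide: deny even CAP_SYS_RAWIO holders */` would record it. Because `gr_handle_ioperm()` is reached before any privilege check, an unprivileged caller can trigger it at will; if it logs (its body is not shown here), confirm the message is rate-limited. The same applies to the `gr_handle_iopl()` block added to do_iopl in a later hunk of this file. sys_ioperm starts and ends outside the hunk.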
16428 @@ -67,7 +74,7 @@ asmlinkage long sys_ioperm(unsigned long
16429 * because the ->io_bitmap_max value must match the bitmap
16430 * contents:
16431 */
16432 - tss = &per_cpu(init_tss, get_cpu());
16433 + tss = init_tss + get_cpu();
16434
16435 set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
16436
16437 @@ -111,6 +118,12 @@ static int do_iopl(unsigned int level, s
16438 return -EINVAL;
16439 /* Trying to gain more privileges? */
16440 if (level > old) {
16441 +#ifdef CONFIG_GRKERNSEC_IO
16442 + if (grsec_disable_privio) {
16443 + gr_handle_iopl();
16444 + return -EPERM;
16445 + }
16446 +#endif
16447 if (!capable(CAP_SYS_RAWIO))
16448 return -EPERM;
16449 }
16450 diff -urNp linux-2.6.32.49/arch/x86/kernel/irq_32.c linux-2.6.32.49/arch/x86/kernel/irq_32.c
16451 --- linux-2.6.32.49/arch/x86/kernel/irq_32.c 2011-11-08 19:02:43.000000000 -0500
16452 +++ linux-2.6.32.49/arch/x86/kernel/irq_32.c 2011-11-15 19:59:43.000000000 -0500
16453 @@ -35,7 +35,7 @@ static int check_stack_overflow(void)
16454 __asm__ __volatile__("andl %%esp,%0" :
16455 "=r" (sp) : "0" (THREAD_SIZE - 1));
16456
16457 - return sp < (sizeof(struct thread_info) + STACK_WARN);
16458 + return sp < STACK_WARN;
16459 }
16460
16461 static void print_stack_overflow(void)
16462 @@ -54,9 +54,9 @@ static inline void print_stack_overflow(
16463 * per-CPU IRQ handling contexts (thread information and stack)
16464 */
16465 union irq_ctx {
16466 - struct thread_info tinfo;
16467 - u32 stack[THREAD_SIZE/sizeof(u32)];
16468 -} __attribute__((aligned(PAGE_SIZE)));
16469 + unsigned long previous_esp;
16470 + u32 stack[THREAD_SIZE/sizeof(u32)];
16471 +} __attribute__((aligned(THREAD_SIZE)));
16472
16473 static DEFINE_PER_CPU(union irq_ctx *, hardirq_ctx);
16474 static DEFINE_PER_CPU(union irq_ctx *, softirq_ctx);
16475 @@ -78,10 +78,9 @@ static void call_on_stack(void *func, vo
16476 static inline int
16477 execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
16478 {
16479 - union irq_ctx *curctx, *irqctx;
16480 + union irq_ctx *irqctx;
16481 u32 *isp, arg1, arg2;
16482
16483 - curctx = (union irq_ctx *) current_thread_info();
16484 irqctx = __get_cpu_var(hardirq_ctx);
16485
16486 /*
16487 @@ -90,21 +89,16 @@ execute_on_irq_stack(int overflow, struc
16488 * handler) we can't do that and just have to keep using the
16489 * current stack (which is the irq stack already after all)
16490 */
16491 - if (unlikely(curctx == irqctx))
16492 + if (unlikely((void *)current_stack_pointer - (void *)irqctx < THREAD_SIZE))
16493 return 0;
16494
16495 /* build the stack frame on the IRQ stack */
16496 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
16497 - irqctx->tinfo.task = curctx->tinfo.task;
16498 - irqctx->tinfo.previous_esp = current_stack_pointer;
16499 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
16500 + irqctx->previous_esp = current_stack_pointer;
16501
16502 - /*
16503 - * Copy the softirq bits in preempt_count so that the
16504 - * softirq checks work in the hardirq context.
16505 - */
16506 - irqctx->tinfo.preempt_count =
16507 - (irqctx->tinfo.preempt_count & ~SOFTIRQ_MASK) |
16508 - (curctx->tinfo.preempt_count & SOFTIRQ_MASK);
16509 +#ifdef CONFIG_PAX_MEMORY_UDEREF
16510 + __set_fs(MAKE_MM_SEG(0));
16511 +#endif
16512
16513 if (unlikely(overflow))
16514 call_on_stack(print_stack_overflow, isp);
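Review bot: The "already on the IRQ stack" test `(void *)current_stack_pointer - (void *)irqctx < THREAD_SIZE` relies on arithmetic on `void *`, a GNU extension. When the stack pointer lies below `irqctx` it also relies on the negative difference being converted to a large unsigned value by the comparison, which holds only if THREAD_SIZE has an unsigned type; its definition is not visible here. Writing it as `if (unlikely((unsigned long)current_stack_pointer - (unsigned long)irqctx < THREAD_SIZE))` makes the intended wrap-around explicit and independent of that type. execute_on_irq_stack starts and ends outside the hunk.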
16515 @@ -116,6 +110,11 @@ execute_on_irq_stack(int overflow, struc
16516 : "0" (irq), "1" (desc), "2" (isp),
16517 "D" (desc->handle_irq)
16518 : "memory", "cc", "ecx");
16519 +
16520 +#ifdef CONFIG_PAX_MEMORY_UDEREF
16521 + __set_fs(current_thread_info()->addr_limit);
16522 +#endif
16523 +
16524 return 1;
16525 }
16526
16527 @@ -124,28 +123,11 @@ execute_on_irq_stack(int overflow, struc
16528 */
16529 void __cpuinit irq_ctx_init(int cpu)
16530 {
16531 - union irq_ctx *irqctx;
16532 -
16533 if (per_cpu(hardirq_ctx, cpu))
16534 return;
16535
16536 - irqctx = &per_cpu(hardirq_stack, cpu);
16537 - irqctx->tinfo.task = NULL;
16538 - irqctx->tinfo.exec_domain = NULL;
16539 - irqctx->tinfo.cpu = cpu;
16540 - irqctx->tinfo.preempt_count = HARDIRQ_OFFSET;
16541 - irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
16542 -
16543 - per_cpu(hardirq_ctx, cpu) = irqctx;
16544 -
16545 - irqctx = &per_cpu(softirq_stack, cpu);
16546 - irqctx->tinfo.task = NULL;
16547 - irqctx->tinfo.exec_domain = NULL;
16548 - irqctx->tinfo.cpu = cpu;
16549 - irqctx->tinfo.preempt_count = 0;
16550 - irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
16551 -
16552 - per_cpu(softirq_ctx, cpu) = irqctx;
16553 + per_cpu(hardirq_ctx, cpu) = &per_cpu(hardirq_stack, cpu);
16554 + per_cpu(softirq_ctx, cpu) = &per_cpu(softirq_stack, cpu);
16555
16556 printk(KERN_DEBUG "CPU %u irqstacks, hard=%p soft=%p\n",
16557 cpu, per_cpu(hardirq_ctx, cpu), per_cpu(softirq_ctx, cpu));
16558 @@ -159,7 +141,6 @@ void irq_ctx_exit(int cpu)
16559 asmlinkage void do_softirq(void)
16560 {
16561 unsigned long flags;
16562 - struct thread_info *curctx;
16563 union irq_ctx *irqctx;
16564 u32 *isp;
16565
16566 @@ -169,15 +150,22 @@ asmlinkage void do_softirq(void)
16567 local_irq_save(flags);
16568
16569 if (local_softirq_pending()) {
16570 - curctx = current_thread_info();
16571 irqctx = __get_cpu_var(softirq_ctx);
16572 - irqctx->tinfo.task = curctx->task;
16573 - irqctx->tinfo.previous_esp = current_stack_pointer;
16574 + irqctx->previous_esp = current_stack_pointer;
16575
16576 /* build the stack frame on the softirq stack */
16577 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
16578 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
16579 +
16580 +#ifdef CONFIG_PAX_MEMORY_UDEREF
16581 + __set_fs(MAKE_MM_SEG(0));
16582 +#endif
16583
16584 call_on_stack(__do_softirq, isp);
16585 +
16586 +#ifdef CONFIG_PAX_MEMORY_UDEREF
16587 + __set_fs(current_thread_info()->addr_limit);
16588 +#endif
16589 +
16590 /*
16591 * Shouldnt happen, we returned above if in_interrupt():
16592 */
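Review bot: The `- 8` in `isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);` is an unexplained constant, and execute_on_irq_stack receives the identical adjustment in an earlier hunk of this file. Nothing visible says what the 8 bytes left at the top of the IRQ stack are reserved for. Add a comment at both sites stating their purpose, or replace the literal with a named constant shared by the two functions. do_softirq starts and ends outside the hunk.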
16593 diff -urNp linux-2.6.32.49/arch/x86/kernel/irq.c linux-2.6.32.49/arch/x86/kernel/irq.c
16594 --- linux-2.6.32.49/arch/x86/kernel/irq.c 2011-11-08 19:02:43.000000000 -0500
16595 +++ linux-2.6.32.49/arch/x86/kernel/irq.c 2011-11-15 19:59:43.000000000 -0500
16596 @@ -15,7 +15,7 @@
16597 #include <asm/mce.h>
16598 #include <asm/hw_irq.h>
16599
16600 -atomic_t irq_err_count;
16601 +atomic_unchecked_t irq_err_count;
16602
16603 /* Function pointer for generic interrupt vector handling */
16604 void (*generic_interrupt_extension)(void) = NULL;
16605 @@ -114,9 +114,9 @@ static int show_other_interrupts(struct
16606 seq_printf(p, "%10u ", per_cpu(mce_poll_count, j));
16607 seq_printf(p, " Machine check polls\n");
16608 #endif
16609 - seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read(&irq_err_count));
16610 + seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read_unchecked(&irq_err_count));
16611 #if defined(CONFIG_X86_IO_APIC)
16612 - seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read(&irq_mis_count));
16613 + seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read_unchecked(&irq_mis_count));
16614 #endif
16615 return 0;
16616 }
16617 @@ -209,10 +209,10 @@ u64 arch_irq_stat_cpu(unsigned int cpu)
16618
16619 u64 arch_irq_stat(void)
16620 {
16621 - u64 sum = atomic_read(&irq_err_count);
16622 + u64 sum = atomic_read_unchecked(&irq_err_count);
16623
16624 #ifdef CONFIG_X86_IO_APIC
16625 - sum += atomic_read(&irq_mis_count);
16626 + sum += atomic_read_unchecked(&irq_mis_count);
16627 #endif
16628 return sum;
16629 }
16630 diff -urNp linux-2.6.32.49/arch/x86/kernel/kgdb.c linux-2.6.32.49/arch/x86/kernel/kgdb.c
16631 --- linux-2.6.32.49/arch/x86/kernel/kgdb.c 2011-11-08 19:02:43.000000000 -0500
16632 +++ linux-2.6.32.49/arch/x86/kernel/kgdb.c 2011-11-15 19:59:43.000000000 -0500
16633 @@ -390,13 +390,13 @@ int kgdb_arch_handle_exception(int e_vec
16634
16635 /* clear the trace bit */
16636 linux_regs->flags &= ~X86_EFLAGS_TF;
16637 - atomic_set(&kgdb_cpu_doing_single_step, -1);
16638 + atomic_set_unchecked(&kgdb_cpu_doing_single_step, -1);
16639
16640 /* set the trace bit if we're stepping */
16641 if (remcomInBuffer[0] == 's') {
16642 linux_regs->flags |= X86_EFLAGS_TF;
16643 kgdb_single_step = 1;
16644 - atomic_set(&kgdb_cpu_doing_single_step,
16645 + atomic_set_unchecked(&kgdb_cpu_doing_single_step,
16646 raw_smp_processor_id());
16647 }
16648
16649 @@ -476,7 +476,7 @@ static int __kgdb_notify(struct die_args
16650 break;
16651
16652 case DIE_DEBUG:
16653 - if (atomic_read(&kgdb_cpu_doing_single_step) ==
16654 + if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) ==
16655 raw_smp_processor_id()) {
16656 if (user_mode(regs))
16657 return single_step_cont(regs, args);
16658 @@ -573,7 +573,7 @@ unsigned long kgdb_arch_pc(int exception
16659 return instruction_pointer(regs);
16660 }
16661
16662 -struct kgdb_arch arch_kgdb_ops = {
16663 +const struct kgdb_arch arch_kgdb_ops = {
16664 /* Breakpoint instruction: */
16665 .gdb_bpt_instr = { 0xcc },
16666 .flags = KGDB_HW_BREAKPOINT,
16667 diff -urNp linux-2.6.32.49/arch/x86/kernel/kprobes.c linux-2.6.32.49/arch/x86/kernel/kprobes.c
16668 --- linux-2.6.32.49/arch/x86/kernel/kprobes.c 2011-11-08 19:02:43.000000000 -0500
16669 +++ linux-2.6.32.49/arch/x86/kernel/kprobes.c 2011-11-18 18:01:52.000000000 -0500
16670 @@ -168,9 +168,13 @@ static void __kprobes set_jmp_op(void *f
16671 char op;
16672 s32 raddr;
16673 } __attribute__((packed)) * jop;
16674 - jop = (struct __arch_jmp_op *)from;
16675 +
16676 + jop = (struct __arch_jmp_op *)(ktla_ktva(from));
16677 +
16678 + pax_open_kernel();
16679 jop->raddr = (s32)((long)(to) - ((long)(from) + 5));
16680 jop->op = RELATIVEJUMP_INSTRUCTION;
16681 + pax_close_kernel();
16682 }
16683
16684 /*
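Review bot: set_jmp_op now stores through `ktla_ktva(from)` while still computing `raddr` from the untranslated `from`, and the difference is easy to mistake for an oversight. Assuming `ktla_ktva()` returns another mapping of the same kernel text (its definition is not in this hunk), a comment such as `/* write through the translated address; the displacement stays relative to where the jump executes */` would make the intent clear. It would also help to state that the two stores are the only code between `pax_open_kernel()` and `pax_close_kernel()`, so later edits do not widen the window in which kernel text is writable.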
16685 @@ -195,7 +199,7 @@ static int __kprobes can_boost(kprobe_op
16686 kprobe_opcode_t opcode;
16687 kprobe_opcode_t *orig_opcodes = opcodes;
16688
16689 - if (search_exception_tables((unsigned long)opcodes))
16690 + if (search_exception_tables(ktva_ktla((unsigned long)opcodes)))
16691 return 0; /* Page fault may occur on this address. */
16692
16693 retry:
16694 @@ -339,7 +343,9 @@ static void __kprobes fix_riprel(struct
16695 disp = (u8 *) p->addr + *((s32 *) insn) -
16696 (u8 *) p->ainsn.insn;
16697 BUG_ON((s64) (s32) disp != disp); /* Sanity check. */
16698 + pax_open_kernel();
16699 *(s32 *)insn = (s32) disp;
16700 + pax_close_kernel();
16701 }
16702 }
16703 #endif
16704 @@ -347,16 +353,18 @@ static void __kprobes fix_riprel(struct
16705
16706 static void __kprobes arch_copy_kprobe(struct kprobe *p)
16707 {
16708 - memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
16709 + pax_open_kernel();
16710 + memcpy(p->ainsn.insn, ktla_ktva(p->addr), MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
16711 + pax_close_kernel();
16712
16713 fix_riprel(p);
16714
16715 - if (can_boost(p->addr))
16716 + if (can_boost(ktla_ktva(p->addr)))
16717 p->ainsn.boostable = 0;
16718 else
16719 p->ainsn.boostable = -1;
16720
16721 - p->opcode = *p->addr;
16722 + p->opcode = *(ktla_ktva(p->addr));
16723 }
16724
16725 int __kprobes arch_prepare_kprobe(struct kprobe *p)
16726 @@ -434,7 +442,7 @@ static void __kprobes prepare_singlestep
16727 if (p->opcode == BREAKPOINT_INSTRUCTION)
16728 regs->ip = (unsigned long)p->addr;
16729 else
16730 - regs->ip = (unsigned long)p->ainsn.insn;
16731 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
16732 }
16733
16734 void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
16735 @@ -455,7 +463,7 @@ static void __kprobes setup_singlestep(s
16736 if (p->ainsn.boostable == 1 && !p->post_handler) {
16737 /* Boost up -- we can execute copied instructions directly */
16738 reset_current_kprobe();
16739 - regs->ip = (unsigned long)p->ainsn.insn;
16740 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
16741 preempt_enable_no_resched();
16742 return;
16743 }
16744 @@ -525,7 +533,7 @@ static int __kprobes kprobe_handler(stru
16745 struct kprobe_ctlblk *kcb;
16746
16747 addr = (kprobe_opcode_t *)(regs->ip - sizeof(kprobe_opcode_t));
16748 - if (*addr != BREAKPOINT_INSTRUCTION) {
16749 + if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
16750 /*
16751 * The breakpoint instruction was removed right
16752 * after we hit it. Another cpu has removed
16753 @@ -637,6 +645,9 @@ static void __used __kprobes kretprobe_t
16754 /* Skip orig_ax, ip, cs */
16755 " addq $24, %rsp\n"
16756 " popfq\n"
16757 +#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
16758 + " btsq $63,(%rsp)\n"
16759 +#endif
16760 #else
16761 " pushf\n"
16762 /*
16763 @@ -777,7 +788,7 @@ static void __kprobes resume_execution(s
16764 struct pt_regs *regs, struct kprobe_ctlblk *kcb)
16765 {
16766 unsigned long *tos = stack_addr(regs);
16767 - unsigned long copy_ip = (unsigned long)p->ainsn.insn;
16768 + unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
16769 unsigned long orig_ip = (unsigned long)p->addr;
16770 kprobe_opcode_t *insn = p->ainsn.insn;
16771
16772 @@ -960,7 +971,7 @@ int __kprobes kprobe_exceptions_notify(s
16773 struct die_args *args = data;
16774 int ret = NOTIFY_DONE;
16775
16776 - if (args->regs && user_mode_vm(args->regs))
16777 + if (args->regs && user_mode(args->regs))
16778 return ret;
16779
16780 switch (val) {
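Review bot: Replacing `user_mode_vm()` with `user_mode()` changes which register frames this notifier ignores unless `user_mode()` is redefined elsewhere in the patch. With the upstream definitions, only the `_vm` variant also treats vm86 frames as user mode. If the macro has been redefined to cover that case, a brief comment at the call, for example `/* user_mode() also covers vm86 in this tree */`, would spare the next reader the lookup. If it has not, vm86 faults would now fall through to the kprobe handlers. kprobe_exceptions_notify continues outside the hunk.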
16781 diff -urNp linux-2.6.32.49/arch/x86/kernel/kvm.c linux-2.6.32.49/arch/x86/kernel/kvm.c
16782 --- linux-2.6.32.49/arch/x86/kernel/kvm.c 2011-11-08 19:02:43.000000000 -0500
16783 +++ linux-2.6.32.49/arch/x86/kernel/kvm.c 2011-11-15 19:59:43.000000000 -0500
16784 @@ -216,6 +216,7 @@ static void __init paravirt_ops_setup(vo
16785 pv_mmu_ops.set_pud = kvm_set_pud;
16786 #if PAGETABLE_LEVELS == 4
16787 pv_mmu_ops.set_pgd = kvm_set_pgd;
16788 + pv_mmu_ops.set_pgd_batched = kvm_set_pgd;
16789 #endif
16790 #endif
16791 pv_mmu_ops.flush_tlb_user = kvm_flush_tlb;
16792 diff -urNp linux-2.6.32.49/arch/x86/kernel/ldt.c linux-2.6.32.49/arch/x86/kernel/ldt.c
16793 --- linux-2.6.32.49/arch/x86/kernel/ldt.c 2011-11-08 19:02:43.000000000 -0500
16794 +++ linux-2.6.32.49/arch/x86/kernel/ldt.c 2011-11-15 19:59:43.000000000 -0500
16795 @@ -66,13 +66,13 @@ static int alloc_ldt(mm_context_t *pc, i
16796 if (reload) {
16797 #ifdef CONFIG_SMP
16798 preempt_disable();
16799 - load_LDT(pc);
16800 + load_LDT_nolock(pc);
16801 if (!cpumask_equal(mm_cpumask(current->mm),
16802 cpumask_of(smp_processor_id())))
16803 smp_call_function(flush_ldt, current->mm, 1);
16804 preempt_enable();
16805 #else
16806 - load_LDT(pc);
16807 + load_LDT_nolock(pc);
16808 #endif
16809 }
16810 if (oldsize) {
16811 @@ -94,7 +94,7 @@ static inline int copy_ldt(mm_context_t
16812 return err;
16813
16814 for (i = 0; i < old->size; i++)
16815 - write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
16816 + write_ldt_entry(new->ldt, i, old->ldt + i);
16817 return 0;
16818 }
16819
16820 @@ -115,6 +115,24 @@ int init_new_context(struct task_struct
16821 retval = copy_ldt(&mm->context, &old_mm->context);
16822 mutex_unlock(&old_mm->context.lock);
16823 }
16824 +
16825 + if (tsk == current) {
16826 + mm->context.vdso = 0;
16827 +
16828 +#ifdef CONFIG_X86_32
16829 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
16830 + mm->context.user_cs_base = 0UL;
16831 + mm->context.user_cs_limit = ~0UL;
16832 +
16833 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
16834 + cpus_clear(mm->context.cpu_user_cs_mask);
16835 +#endif
16836 +
16837 +#endif
16838 +#endif
16839 +
16840 + }
16841 +
16842 return retval;
16843 }
16844
16845 @@ -229,6 +247,13 @@ static int write_ldt(void __user *ptr, u
16846 }
16847 }
16848
16849 +#ifdef CONFIG_PAX_SEGMEXEC
16850 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
16851 + error = -EINVAL;
16852 + goto out_unlock;
16853 + }
16854 +#endif
16855 +
16856 fill_ldt(&ldt, &ldt_info);
16857 if (oldmode)
16858 ldt.avl = 0;
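Review bot: The new CONFIG_PAX_SEGMEXEC block rejects any LDT entry whose `contents` has `MODIFY_LDT_CONTENTS_CODE` set and returns -EINVAL, with no comment giving the reason. A line such as `/* SEGMEXEC: refuse user-defined code segments in the LDT */`, together with a sentence on why they conflict with SEGMEXEC, would document the restriction for maintainers and for anyone debugging a failing modify_ldt() call. -EINVAL is indistinguishable from a malformed request, so confirm it is the intended error for a policy denial. write_ldt starts and ends outside the hunk.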
16859 diff -urNp linux-2.6.32.49/arch/x86/kernel/machine_kexec_32.c linux-2.6.32.49/arch/x86/kernel/machine_kexec_32.c
16860 --- linux-2.6.32.49/arch/x86/kernel/machine_kexec_32.c 2011-11-08 19:02:43.000000000 -0500
16861 +++ linux-2.6.32.49/arch/x86/kernel/machine_kexec_32.c 2011-11-15 19:59:43.000000000 -0500
16862 @@ -26,7 +26,7 @@
16863 #include <asm/system.h>
16864 #include <asm/cacheflush.h>
16865
16866 -static void set_idt(void *newidt, __u16 limit)
16867 +static void set_idt(struct desc_struct *newidt, __u16 limit)
16868 {
16869 struct desc_ptr curidt;
16870
16871 @@ -38,7 +38,7 @@ static void set_idt(void *newidt, __u16
16872 }
16873
16874
16875 -static void set_gdt(void *newgdt, __u16 limit)
16876 +static void set_gdt(struct desc_struct *newgdt, __u16 limit)
16877 {
16878 struct desc_ptr curgdt;
16879
16880 @@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image)
16881 }
16882
16883 control_page = page_address(image->control_code_page);
16884 - memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
16885 + memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
16886
16887 relocate_kernel_ptr = control_page;
16888 page_list[PA_CONTROL_PAGE] = __pa(control_page);
16889 diff -urNp linux-2.6.32.49/arch/x86/kernel/microcode_amd.c linux-2.6.32.49/arch/x86/kernel/microcode_amd.c
16890 --- linux-2.6.32.49/arch/x86/kernel/microcode_amd.c 2011-11-08 19:02:43.000000000 -0500
16891 +++ linux-2.6.32.49/arch/x86/kernel/microcode_amd.c 2011-11-15 19:59:43.000000000 -0500
16892 @@ -364,7 +364,7 @@ static void microcode_fini_cpu_amd(int c
16893 uci->mc = NULL;
16894 }
16895
16896 -static struct microcode_ops microcode_amd_ops = {
16897 +static const struct microcode_ops microcode_amd_ops = {
16898 .request_microcode_user = request_microcode_user,
16899 .request_microcode_fw = request_microcode_fw,
16900 .collect_cpu_info = collect_cpu_info_amd,
16901 @@ -372,7 +372,7 @@ static struct microcode_ops microcode_am
16902 .microcode_fini_cpu = microcode_fini_cpu_amd,
16903 };
16904
16905 -struct microcode_ops * __init init_amd_microcode(void)
16906 +const struct microcode_ops * __init init_amd_microcode(void)
16907 {
16908 return &microcode_amd_ops;
16909 }
16910 diff -urNp linux-2.6.32.49/arch/x86/kernel/microcode_core.c linux-2.6.32.49/arch/x86/kernel/microcode_core.c
16911 --- linux-2.6.32.49/arch/x86/kernel/microcode_core.c 2011-11-08 19:02:43.000000000 -0500
16912 +++ linux-2.6.32.49/arch/x86/kernel/microcode_core.c 2011-11-15 19:59:43.000000000 -0500
16913 @@ -90,7 +90,7 @@ MODULE_LICENSE("GPL");
16914
16915 #define MICROCODE_VERSION "2.00"
16916
16917 -static struct microcode_ops *microcode_ops;
16918 +static const struct microcode_ops *microcode_ops;
16919
16920 /*
16921 * Synchronization.
16922 diff -urNp linux-2.6.32.49/arch/x86/kernel/microcode_intel.c linux-2.6.32.49/arch/x86/kernel/microcode_intel.c
16923 --- linux-2.6.32.49/arch/x86/kernel/microcode_intel.c 2011-11-08 19:02:43.000000000 -0500
16924 +++ linux-2.6.32.49/arch/x86/kernel/microcode_intel.c 2011-11-15 19:59:43.000000000 -0500
16925 @@ -443,13 +443,13 @@ static enum ucode_state request_microcod
16926
16927 static int get_ucode_user(void *to, const void *from, size_t n)
16928 {
16929 - return copy_from_user(to, from, n);
16930 + return copy_from_user(to, (const void __force_user *)from, n);
16931 }
16932
16933 static enum ucode_state
16934 request_microcode_user(int cpu, const void __user *buf, size_t size)
16935 {
16936 - return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
16937 + return generic_load_microcode(cpu, (__force_kernel void *)buf, size, &get_ucode_user);
16938 }
16939
16940 static void microcode_fini_cpu(int cpu)
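Review bot: The `(__force_kernel void *)buf` cast in request_microcode_user and the `(const void __force_user *)from` cast in get_ucode_user cancel each other's address-space annotation, so static checking can no longer tell that the pointer passed through `generic_load_microcode()` is a user pointer. This is safe only if `generic_load_microcode()` never dereferences its data argument directly and always goes through the supplied callback; its body is not visible here, so that needs confirming. A comment on get_ucode_user such as `/* 'from' is always the user pointer handed in by request_microcode_user() */` would record the contract the casts depend on.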
16941 @@ -460,7 +460,7 @@ static void microcode_fini_cpu(int cpu)
16942 uci->mc = NULL;
16943 }
16944
16945 -static struct microcode_ops microcode_intel_ops = {
16946 +static const struct microcode_ops microcode_intel_ops = {
16947 .request_microcode_user = request_microcode_user,
16948 .request_microcode_fw = request_microcode_fw,
16949 .collect_cpu_info = collect_cpu_info,
16950 @@ -468,7 +468,7 @@ static struct microcode_ops microcode_in
16951 .microcode_fini_cpu = microcode_fini_cpu,
16952 };
16953
16954 -struct microcode_ops * __init init_intel_microcode(void)
16955 +const struct microcode_ops * __init init_intel_microcode(void)
16956 {
16957 return &microcode_intel_ops;
16958 }
16959 diff -urNp linux-2.6.32.49/arch/x86/kernel/module.c linux-2.6.32.49/arch/x86/kernel/module.c
16960 --- linux-2.6.32.49/arch/x86/kernel/module.c 2011-11-08 19:02:43.000000000 -0500
16961 +++ linux-2.6.32.49/arch/x86/kernel/module.c 2011-11-15 19:59:43.000000000 -0500
16962 @@ -34,7 +34,7 @@
16963 #define DEBUGP(fmt...)
16964 #endif
16965
16966 -void *module_alloc(unsigned long size)
16967 +static void *__module_alloc(unsigned long size, pgprot_t prot)
16968 {
16969 struct vm_struct *area;
16970
16971 @@ -48,8 +48,18 @@ void *module_alloc(unsigned long size)
16972 if (!area)
16973 return NULL;
16974
16975 - return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM,
16976 - PAGE_KERNEL_EXEC);
16977 + return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot);
16978 +}
16979 +
16980 +void *module_alloc(unsigned long size)
16981 +{
16982 +
16983 +#ifdef CONFIG_PAX_KERNEXEC
16984 + return __module_alloc(size, PAGE_KERNEL);
16985 +#else
16986 + return __module_alloc(size, PAGE_KERNEL_EXEC);
16987 +#endif
16988 +
16989 }
16990
16991 /* Free memory returned from module_alloc */
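Review bot: module_alloc now returns non-executable `PAGE_KERNEL` memory when CONFIG_PAX_KERNEXEC is set, but nothing at the definition tells a caller that code must come from module_alloc_exec instead. A short comment above module_alloc, for example `/* With KERNEXEC this region is not executable; use module_alloc_exec() for code */`, would make the split visible. The blank lines directly after the opening brace and before the closing brace of module_alloc are stray and could be dropped.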
16992 @@ -58,6 +68,40 @@ void module_free(struct module *mod, voi
16993 vfree(module_region);
16994 }
16995
16996 +#ifdef CONFIG_PAX_KERNEXEC
16997 +#ifdef CONFIG_X86_32
16998 +void *module_alloc_exec(unsigned long size)
16999 +{
17000 + struct vm_struct *area;
17001 +
17002 + if (size == 0)
17003 + return NULL;
17004 +
17005 + area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
17006 + return area ? area->addr : NULL;
17007 +}
17008 +EXPORT_SYMBOL(module_alloc_exec);
17009 +
17010 +void module_free_exec(struct module *mod, void *module_region)
17011 +{
17012 + vunmap(module_region);
17013 +}
17014 +EXPORT_SYMBOL(module_free_exec);
17015 +#else
17016 +void module_free_exec(struct module *mod, void *module_region)
17017 +{
17018 + module_free(mod, module_region);
17019 +}
17020 +EXPORT_SYMBOL(module_free_exec);
17021 +
17022 +void *module_alloc_exec(unsigned long size)
17023 +{
17024 + return __module_alloc(size, PAGE_KERNEL_RX);
17025 +}
17026 +EXPORT_SYMBOL(module_alloc_exec);
17027 +#endif
17028 +#endif
17029 +
17030 /* We don't need anything special. */
17031 int module_frob_arch_sections(Elf_Ehdr *hdr,
17032 Elf_Shdr *sechdrs,
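Review bot: The CONFIG_X86_32 module_alloc_exec returns `area->addr` straight from __get_vm_area, so unlike the __module_alloc path, which this patch gives `__GFP_ZERO`, nothing in this hunk clears the region or maps pages into it. If the MODULES_EXEC_VADDR..MODULES_EXEC_END range is mapped elsewhere and callers clear it before use, a comment on the function should say so; otherwise a reused range could still hold a previous module's contents. The two module_free_exec variants also differ (`vunmap` on the 32-bit branch, `module_free` on the other), which deserves one line of explanation next to each.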
17033 @@ -77,14 +121,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
17034 unsigned int i;
17035 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
17036 Elf32_Sym *sym;
17037 - uint32_t *location;
17038 + uint32_t *plocation, location;
17039
17040 DEBUGP("Applying relocate section %u to %u\n", relsec,
17041 sechdrs[relsec].sh_info);
17042 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
17043 /* This is where to make the change */
17044 - location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
17045 - + rel[i].r_offset;
17046 + plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
17047 + location = (uint32_t)plocation;
17048 + if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
17049 + plocation = ktla_ktva((void *)plocation);
17050 /* This is the symbol it is referring to. Note that all
17051 undefined symbols have been resolved. */
17052 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
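Review bot: `plocation` and `location` in apply_relocate now carry two different meanings and the code does not say which is which. `location` keeps the address computed from `sh_addr + r_offset` and feeds the R_386_PC32 arithmetic in the next hunk, while `plocation` is the pointer actually written through and is passed through ktla_ktva() for SHF_EXECINSTR sections. I would add a comment above the two assignments, e.g. `/* location: address used in PC-relative math; plocation: alias the store goes through */`, worded to match ktla_ktva(), whose definition is not on this page. Declaring them as `uint32_t *plocation, location;` also mixes a pointer and a scalar in one declarator and reads better split over two lines. The function body starts and ends outside the hunk.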
17053 @@ -93,11 +139,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
17054 switch (ELF32_R_TYPE(rel[i].r_info)) {
17055 case R_386_32:
17056 /* We add the value into the location given */
17057 - *location += sym->st_value;
17058 + pax_open_kernel();
17059 + *plocation += sym->st_value;
17060 + pax_close_kernel();
17061 break;
17062 case R_386_PC32:
17063 /* Add the value, subtract its postition */
17064 - *location += sym->st_value - (uint32_t)location;
17065 + pax_open_kernel();
17066 + *plocation += sym->st_value - location;
17067 + pax_close_kernel();
17068 break;
17069 default:
17070 printk(KERN_ERR "module %s: Unknown relocation: %u\n",
17071 @@ -153,21 +203,30 @@ int apply_relocate_add(Elf64_Shdr *sechd
17072 case R_X86_64_NONE:
17073 break;
17074 case R_X86_64_64:
17075 + pax_open_kernel();
17076 *(u64 *)loc = val;
17077 + pax_close_kernel();
17078 break;
17079 case R_X86_64_32:
17080 + pax_open_kernel();
17081 *(u32 *)loc = val;
17082 + pax_close_kernel();
17083 if (val != *(u32 *)loc)
17084 goto overflow;
17085 break;
17086 case R_X86_64_32S:
17087 + pax_open_kernel();
17088 *(s32 *)loc = val;
17089 + pax_close_kernel();
17090 if ((s64)val != *(s32 *)loc)
17091 goto overflow;
17092 break;
17093 case R_X86_64_PC32:
17094 val -= (u64)loc;
17095 + pax_open_kernel();
17096 *(u32 *)loc = val;
17097 + pax_close_kernel();
17098 +
17099 #if 0
17100 if ((s64)val != *(s32 *)loc)
17101 goto overflow;
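Review bot: In the R_X86_64_32 and R_X86_64_32S cases the truncated value is stored between pax_open_kernel() and pax_close_kernel() before the overflow test runs, so a relocation that is about to be rejected has already modified its target. The test can be made on `val` before the window is opened, with `if (val != (u32)val) goto overflow;` and `if ((s64)val != (s32)val) goto overflow;`, which leaves the store as the only statement inside the window. The blank line added after the last pax_close_kernel() is stray. apply_relocate_add starts and ends outside the hunk.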
17102 diff -urNp linux-2.6.32.49/arch/x86/kernel/paravirt.c linux-2.6.32.49/arch/x86/kernel/paravirt.c
17103 --- linux-2.6.32.49/arch/x86/kernel/paravirt.c 2011-11-08 19:02:43.000000000 -0500
17104 +++ linux-2.6.32.49/arch/x86/kernel/paravirt.c 2011-11-15 19:59:43.000000000 -0500
17105 @@ -53,6 +53,9 @@ u64 _paravirt_ident_64(u64 x)
17106 {
17107 return x;
17108 }
17109 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
17110 +PV_CALLEE_SAVE_REGS_THUNK(_paravirt_ident_64);
17111 +#endif
17112
17113 void __init default_banner(void)
17114 {
17115 @@ -122,7 +125,7 @@ unsigned paravirt_patch_jmp(void *insnbu
17116 * corresponding structure. */
17117 static void *get_call_destination(u8 type)
17118 {
17119 - struct paravirt_patch_template tmpl = {
17120 + const struct paravirt_patch_template tmpl = {
17121 .pv_init_ops = pv_init_ops,
17122 .pv_time_ops = pv_time_ops,
17123 .pv_cpu_ops = pv_cpu_ops,
17124 @@ -133,6 +136,8 @@ static void *get_call_destination(u8 typ
17125 .pv_lock_ops = pv_lock_ops,
17126 #endif
17127 };
17128 +
17129 + pax_track_stack();
17130 return *((void **)&tmpl + type);
17131 }
17132
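Review bot: The return statement `*((void **)&tmpl + type)` casts away the `const` that the previous hunk adds to `tmpl`; `return *((void * const *)&tmpl + type);` keeps the qualifier. `type` is also used as an index without a range check against the size of the template, so a comment naming who guarantees it is in range would help. get_call_destination begins in the previous hunk.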
17133 @@ -145,15 +150,19 @@ unsigned paravirt_patch_default(u8 type,
17134 if (opfunc == NULL)
17135 /* If there's no function, patch it with a ud2a (BUG) */
17136 ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a));
17137 - else if (opfunc == _paravirt_nop)
17138 + else if (opfunc == (void *)_paravirt_nop)
17139 /* If the operation is a nop, then nop the callsite */
17140 ret = paravirt_patch_nop();
17141
17142 /* identity functions just return their single argument */
17143 - else if (opfunc == _paravirt_ident_32)
17144 + else if (opfunc == (void *)_paravirt_ident_32)
17145 ret = paravirt_patch_ident_32(insnbuf, len);
17146 - else if (opfunc == _paravirt_ident_64)
17147 + else if (opfunc == (void *)_paravirt_ident_64)
17148 + ret = paravirt_patch_ident_64(insnbuf, len);
17149 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
17150 + else if (opfunc == (void *)__raw_callee_save__paravirt_ident_64)
17151 ret = paravirt_patch_ident_64(insnbuf, len);
17152 +#endif
17153
17154 else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) ||
17155 type == PARAVIRT_PATCH(pv_cpu_ops.irq_enable_sysexit) ||
17156 @@ -178,7 +187,7 @@ unsigned paravirt_patch_insns(void *insn
17157 if (insn_len > len || start == NULL)
17158 insn_len = len;
17159 else
17160 - memcpy(insnbuf, start, insn_len);
17161 + memcpy(insnbuf, ktla_ktva(start), insn_len);
17162
17163 return insn_len;
17164 }
17165 @@ -294,22 +303,22 @@ void arch_flush_lazy_mmu_mode(void)
17166 preempt_enable();
17167 }
17168
17169 -struct pv_info pv_info = {
17170 +struct pv_info pv_info __read_only = {
17171 .name = "bare hardware",
17172 .paravirt_enabled = 0,
17173 .kernel_rpl = 0,
17174 .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
17175 };
17176
17177 -struct pv_init_ops pv_init_ops = {
17178 +struct pv_init_ops pv_init_ops __read_only = {
17179 .patch = native_patch,
17180 };
17181
17182 -struct pv_time_ops pv_time_ops = {
17183 +struct pv_time_ops pv_time_ops __read_only = {
17184 .sched_clock = native_sched_clock,
17185 };
17186
17187 -struct pv_irq_ops pv_irq_ops = {
17188 +struct pv_irq_ops pv_irq_ops __read_only = {
17189 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
17190 .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
17191 .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
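Review bot: pv_info, pv_init_ops, pv_time_ops and pv_irq_ops are placed in `__read_only` here but are not `const`, so an ordinary assignment to one of their fields still compiles and would presumably fault once the section is write-protected. A comment above pv_info stating how these tables may be updated after that point (the patch wraps such stores in pax_open_kernel()/pax_close_kernel() in module.c) would help whoever adds the next paravirt backend. The same applies to pv_cpu_ops, pv_apic_ops and pv_mmu_ops in the later hunks of this file and to pv_lock_ops in paravirt-spinlocks.c.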
17192 @@ -321,7 +330,7 @@ struct pv_irq_ops pv_irq_ops = {
17193 #endif
17194 };
17195
17196 -struct pv_cpu_ops pv_cpu_ops = {
17197 +struct pv_cpu_ops pv_cpu_ops __read_only = {
17198 .cpuid = native_cpuid,
17199 .get_debugreg = native_get_debugreg,
17200 .set_debugreg = native_set_debugreg,
17201 @@ -382,21 +391,26 @@ struct pv_cpu_ops pv_cpu_ops = {
17202 .end_context_switch = paravirt_nop,
17203 };
17204
17205 -struct pv_apic_ops pv_apic_ops = {
17206 +struct pv_apic_ops pv_apic_ops __read_only = {
17207 #ifdef CONFIG_X86_LOCAL_APIC
17208 .startup_ipi_hook = paravirt_nop,
17209 #endif
17210 };
17211
17212 -#if defined(CONFIG_X86_32) && !defined(CONFIG_X86_PAE)
17213 +#ifdef CONFIG_X86_32
17214 +#ifdef CONFIG_X86_PAE
17215 +/* 64-bit pagetable entries */
17216 +#define PTE_IDENT PV_CALLEE_SAVE(_paravirt_ident_64)
17217 +#else
17218 /* 32-bit pagetable entries */
17219 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_32)
17220 +#endif
17221 #else
17222 /* 64-bit pagetable entries */
17223 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
17224 #endif
17225
17226 -struct pv_mmu_ops pv_mmu_ops = {
17227 +struct pv_mmu_ops pv_mmu_ops __read_only = {
17228
17229 .read_cr2 = native_read_cr2,
17230 .write_cr2 = native_write_cr2,
17231 @@ -448,6 +462,7 @@ struct pv_mmu_ops pv_mmu_ops = {
17232 .make_pud = PTE_IDENT,
17233
17234 .set_pgd = native_set_pgd,
17235 + .set_pgd_batched = native_set_pgd_batched,
17236 #endif
17237 #endif /* PAGETABLE_LEVELS >= 3 */
17238
17239 @@ -467,6 +482,12 @@ struct pv_mmu_ops pv_mmu_ops = {
17240 },
17241
17242 .set_fixmap = native_set_fixmap,
17243 +
17244 +#ifdef CONFIG_PAX_KERNEXEC
17245 + .pax_open_kernel = native_pax_open_kernel,
17246 + .pax_close_kernel = native_pax_close_kernel,
17247 +#endif
17248 +
17249 };
17250
17251 EXPORT_SYMBOL_GPL(pv_time_ops);
17252 diff -urNp linux-2.6.32.49/arch/x86/kernel/paravirt-spinlocks.c linux-2.6.32.49/arch/x86/kernel/paravirt-spinlocks.c
17253 --- linux-2.6.32.49/arch/x86/kernel/paravirt-spinlocks.c 2011-11-08 19:02:43.000000000 -0500
17254 +++ linux-2.6.32.49/arch/x86/kernel/paravirt-spinlocks.c 2011-11-15 19:59:43.000000000 -0500
17255 @@ -13,7 +13,7 @@ default_spin_lock_flags(raw_spinlock_t *
17256 __raw_spin_lock(lock);
17257 }
17258
17259 -struct pv_lock_ops pv_lock_ops = {
17260 +struct pv_lock_ops pv_lock_ops __read_only = {
17261 #ifdef CONFIG_SMP
17262 .spin_is_locked = __ticket_spin_is_locked,
17263 .spin_is_contended = __ticket_spin_is_contended,
17264 diff -urNp linux-2.6.32.49/arch/x86/kernel/pci-calgary_64.c linux-2.6.32.49/arch/x86/kernel/pci-calgary_64.c
17265 --- linux-2.6.32.49/arch/x86/kernel/pci-calgary_64.c 2011-11-08 19:02:43.000000000 -0500
17266 +++ linux-2.6.32.49/arch/x86/kernel/pci-calgary_64.c 2011-11-15 19:59:43.000000000 -0500
17267 @@ -477,7 +477,7 @@ static void calgary_free_coherent(struct
17268 free_pages((unsigned long)vaddr, get_order(size));
17269 }
17270
17271 -static struct dma_map_ops calgary_dma_ops = {
17272 +static const struct dma_map_ops calgary_dma_ops = {
17273 .alloc_coherent = calgary_alloc_coherent,
17274 .free_coherent = calgary_free_coherent,
17275 .map_sg = calgary_map_sg,
17276 diff -urNp linux-2.6.32.49/arch/x86/kernel/pci-dma.c linux-2.6.32.49/arch/x86/kernel/pci-dma.c
17277 --- linux-2.6.32.49/arch/x86/kernel/pci-dma.c 2011-11-08 19:02:43.000000000 -0500
17278 +++ linux-2.6.32.49/arch/x86/kernel/pci-dma.c 2011-11-15 19:59:43.000000000 -0500
17279 @@ -14,7 +14,7 @@
17280
17281 static int forbid_dac __read_mostly;
17282
17283 -struct dma_map_ops *dma_ops;
17284 +const struct dma_map_ops *dma_ops;
17285 EXPORT_SYMBOL(dma_ops);
17286
17287 static int iommu_sac_force __read_mostly;
17288 @@ -243,7 +243,7 @@ early_param("iommu", iommu_setup);
17289
17290 int dma_supported(struct device *dev, u64 mask)
17291 {
17292 - struct dma_map_ops *ops = get_dma_ops(dev);
17293 + const struct dma_map_ops *ops = get_dma_ops(dev);
17294
17295 #ifdef CONFIG_PCI
17296 if (mask > 0xffffffff && forbid_dac > 0) {
17297 diff -urNp linux-2.6.32.49/arch/x86/kernel/pci-gart_64.c linux-2.6.32.49/arch/x86/kernel/pci-gart_64.c
17298 --- linux-2.6.32.49/arch/x86/kernel/pci-gart_64.c 2011-11-08 19:02:43.000000000 -0500
17299 +++ linux-2.6.32.49/arch/x86/kernel/pci-gart_64.c 2011-11-15 19:59:43.000000000 -0500
17300 @@ -682,7 +682,7 @@ static __init int init_k8_gatt(struct ag
17301 return -1;
17302 }
17303
17304 -static struct dma_map_ops gart_dma_ops = {
17305 +static const struct dma_map_ops gart_dma_ops = {
17306 .map_sg = gart_map_sg,
17307 .unmap_sg = gart_unmap_sg,
17308 .map_page = gart_map_page,
17309 diff -urNp linux-2.6.32.49/arch/x86/kernel/pci-nommu.c linux-2.6.32.49/arch/x86/kernel/pci-nommu.c
17310 --- linux-2.6.32.49/arch/x86/kernel/pci-nommu.c 2011-11-08 19:02:43.000000000 -0500
17311 +++ linux-2.6.32.49/arch/x86/kernel/pci-nommu.c 2011-11-15 19:59:43.000000000 -0500
17312 @@ -94,7 +94,7 @@ static void nommu_sync_sg_for_device(str
17313 flush_write_buffers();
17314 }
17315
17316 -struct dma_map_ops nommu_dma_ops = {
17317 +const struct dma_map_ops nommu_dma_ops = {
17318 .alloc_coherent = dma_generic_alloc_coherent,
17319 .free_coherent = nommu_free_coherent,
17320 .map_sg = nommu_map_sg,
17321 diff -urNp linux-2.6.32.49/arch/x86/kernel/pci-swiotlb.c linux-2.6.32.49/arch/x86/kernel/pci-swiotlb.c
17322 --- linux-2.6.32.49/arch/x86/kernel/pci-swiotlb.c 2011-11-08 19:02:43.000000000 -0500
17323 +++ linux-2.6.32.49/arch/x86/kernel/pci-swiotlb.c 2011-11-15 19:59:43.000000000 -0500
17324 @@ -25,7 +25,7 @@ static void *x86_swiotlb_alloc_coherent(
17325 return swiotlb_alloc_coherent(hwdev, size, dma_handle, flags);
17326 }
17327
17328 -static struct dma_map_ops swiotlb_dma_ops = {
17329 +static const struct dma_map_ops swiotlb_dma_ops = {
17330 .mapping_error = swiotlb_dma_mapping_error,
17331 .alloc_coherent = x86_swiotlb_alloc_coherent,
17332 .free_coherent = swiotlb_free_coherent,
17333 diff -urNp linux-2.6.32.49/arch/x86/kernel/process_32.c linux-2.6.32.49/arch/x86/kernel/process_32.c
17334 --- linux-2.6.32.49/arch/x86/kernel/process_32.c 2011-11-08 19:02:43.000000000 -0500
17335 +++ linux-2.6.32.49/arch/x86/kernel/process_32.c 2011-11-15 19:59:43.000000000 -0500
17336 @@ -67,6 +67,7 @@ asmlinkage void ret_from_fork(void) __as
17337 unsigned long thread_saved_pc(struct task_struct *tsk)
17338 {
17339 return ((unsigned long *)tsk->thread.sp)[3];
17340 +//XXX return tsk->thread.eip;
17341 }
17342
17343 #ifndef CONFIG_SMP
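Review bot: The added line `//XXX return tsk->thread.eip;` is commented-out code placed after the function's return statement, with no explanation of what is still open. It names `thread.eip`, while copy_thread later in this file assigns `p->thread.ip`, so it may not compile if enabled (the struct definition is not on this page). I would either delete the line or replace it with a comment that states the open question, e.g. `/* TODO: confirm whether thread.ip can be returned here instead of reading the saved stack */`.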
17344 @@ -129,15 +130,14 @@ void __show_regs(struct pt_regs *regs, i
17345 unsigned short ss, gs;
17346 const char *board;
17347
17348 - if (user_mode_vm(regs)) {
17349 + if (user_mode(regs)) {
17350 sp = regs->sp;
17351 ss = regs->ss & 0xffff;
17352 - gs = get_user_gs(regs);
17353 } else {
17354 sp = (unsigned long) (&regs->sp);
17355 savesegment(ss, ss);
17356 - savesegment(gs, gs);
17357 }
17358 + gs = get_user_gs(regs);
17359
17360 printk("\n");
17361
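Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` preserves behaviour for VM86 frames only if this tree redefines user_mode() to include the VM flag test; that definition is outside the visible hunks, and the same substitution is made in send_sigtrap in ptrace.c. `gs` is now always taken from `get_user_gs(regs)`, including on the kernel branch where it used to be read with `savesegment(gs, gs)`. A one-line comment before the assignment, such as `/* gs comes from get_user_gs() for both user and kernel frames */`, would make the intent clear. __show_regs continues past the end of the hunk.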
17362 @@ -210,10 +210,10 @@ int kernel_thread(int (*fn)(void *), voi
17363 regs.bx = (unsigned long) fn;
17364 regs.dx = (unsigned long) arg;
17365
17366 - regs.ds = __USER_DS;
17367 - regs.es = __USER_DS;
17368 + regs.ds = __KERNEL_DS;
17369 + regs.es = __KERNEL_DS;
17370 regs.fs = __KERNEL_PERCPU;
17371 - regs.gs = __KERNEL_STACK_CANARY;
17372 + savesegment(gs, regs.gs);
17373 regs.orig_ax = -1;
17374 regs.ip = (unsigned long) kernel_thread_helper;
17375 regs.cs = __KERNEL_CS | get_kernel_rpl();
17376 @@ -247,13 +247,14 @@ int copy_thread(unsigned long clone_flag
17377 struct task_struct *tsk;
17378 int err;
17379
17380 - childregs = task_pt_regs(p);
17381 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
17382 *childregs = *regs;
17383 childregs->ax = 0;
17384 childregs->sp = sp;
17385
17386 p->thread.sp = (unsigned long) childregs;
17387 p->thread.sp0 = (unsigned long) (childregs+1);
17388 + p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
17389
17390 p->thread.ip = (unsigned long) ret_from_fork;
17391
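Review bot: The `- 8` in `task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8` is an unexplained constant, and the 64-bit copy_thread in process_64.c uses `- 16` while get_wchan there repeats it as `THREAD_SIZE-16-sizeof(u64)`. A named constant defined once per architecture (placeholder name `KERNEL_STACK_RESERVE`), with a comment saying what the reserved bytes at the top of the stack are for, would keep the three sites in step. copy_thread starts and ends outside the hunk.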
17392 @@ -345,7 +346,7 @@ __switch_to(struct task_struct *prev_p,
17393 struct thread_struct *prev = &prev_p->thread,
17394 *next = &next_p->thread;
17395 int cpu = smp_processor_id();
17396 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
17397 + struct tss_struct *tss = init_tss + cpu;
17398 bool preload_fpu;
17399
17400 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
17401 @@ -380,6 +381,10 @@ __switch_to(struct task_struct *prev_p,
17402 */
17403 lazy_save_gs(prev->gs);
17404
17405 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17406 + __set_fs(task_thread_info(next_p)->addr_limit);
17407 +#endif
17408 +
17409 /*
17410 * Load the per-thread Thread-Local Storage descriptor.
17411 */
17412 @@ -415,6 +420,9 @@ __switch_to(struct task_struct *prev_p,
17413 */
17414 arch_end_context_switch(next_p);
17415
17416 + percpu_write(current_task, next_p);
17417 + percpu_write(current_tinfo, &next_p->tinfo);
17418 +
17419 if (preload_fpu)
17420 __math_state_restore();
17421
17422 @@ -424,8 +432,6 @@ __switch_to(struct task_struct *prev_p,
17423 if (prev->gs | next->gs)
17424 lazy_load_gs(next->gs);
17425
17426 - percpu_write(current_task, next_p);
17427 -
17428 return prev_p;
17429 }
17430
17431 @@ -495,4 +501,3 @@ unsigned long get_wchan(struct task_stru
17432 } while (count++ < 16);
17433 return 0;
17434 }
17435 -
17436 diff -urNp linux-2.6.32.49/arch/x86/kernel/process_64.c linux-2.6.32.49/arch/x86/kernel/process_64.c
17437 --- linux-2.6.32.49/arch/x86/kernel/process_64.c 2011-11-08 19:02:43.000000000 -0500
17438 +++ linux-2.6.32.49/arch/x86/kernel/process_64.c 2011-11-15 19:59:43.000000000 -0500
17439 @@ -91,7 +91,7 @@ static void __exit_idle(void)
17440 void exit_idle(void)
17441 {
17442 /* idle loop has pid 0 */
17443 - if (current->pid)
17444 + if (task_pid_nr(current))
17445 return;
17446 __exit_idle();
17447 }
17448 @@ -170,7 +170,7 @@ void __show_regs(struct pt_regs *regs, i
17449 if (!board)
17450 board = "";
17451 printk(KERN_INFO "Pid: %d, comm: %.20s %s %s %.*s %s\n",
17452 - current->pid, current->comm, print_tainted(),
17453 + task_pid_nr(current), current->comm, print_tainted(),
17454 init_utsname()->release,
17455 (int)strcspn(init_utsname()->version, " "),
17456 init_utsname()->version, board);
17457 @@ -280,8 +280,7 @@ int copy_thread(unsigned long clone_flag
17458 struct pt_regs *childregs;
17459 struct task_struct *me = current;
17460
17461 - childregs = ((struct pt_regs *)
17462 - (THREAD_SIZE + task_stack_page(p))) - 1;
17463 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 16;
17464 *childregs = *regs;
17465
17466 childregs->ax = 0;
17467 @@ -292,6 +291,7 @@ int copy_thread(unsigned long clone_flag
17468 p->thread.sp = (unsigned long) childregs;
17469 p->thread.sp0 = (unsigned long) (childregs+1);
17470 p->thread.usersp = me->thread.usersp;
17471 + p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
17472
17473 set_tsk_thread_flag(p, TIF_FORK);
17474
17475 @@ -379,7 +379,7 @@ __switch_to(struct task_struct *prev_p,
17476 struct thread_struct *prev = &prev_p->thread;
17477 struct thread_struct *next = &next_p->thread;
17478 int cpu = smp_processor_id();
17479 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
17480 + struct tss_struct *tss = init_tss + cpu;
17481 unsigned fsindex, gsindex;
17482 bool preload_fpu;
17483
17484 @@ -475,10 +475,9 @@ __switch_to(struct task_struct *prev_p,
17485 prev->usersp = percpu_read(old_rsp);
17486 percpu_write(old_rsp, next->usersp);
17487 percpu_write(current_task, next_p);
17488 + percpu_write(current_tinfo, &next_p->tinfo);
17489
17490 - percpu_write(kernel_stack,
17491 - (unsigned long)task_stack_page(next_p) +
17492 - THREAD_SIZE - KERNEL_STACK_OFFSET);
17493 + percpu_write(kernel_stack, next->sp0);
17494
17495 /*
17496 * Now maybe reload the debug registers and handle I/O bitmaps
17497 @@ -559,12 +558,11 @@ unsigned long get_wchan(struct task_stru
17498 if (!p || p == current || p->state == TASK_RUNNING)
17499 return 0;
17500 stack = (unsigned long)task_stack_page(p);
17501 - if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
17502 + if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-16-sizeof(u64))
17503 return 0;
17504 fp = *(u64 *)(p->thread.sp);
17505 do {
17506 - if (fp < (unsigned long)stack ||
17507 - fp >= (unsigned long)stack+THREAD_SIZE)
17508 + if (fp < stack || fp > stack+THREAD_SIZE-16-sizeof(u64))
17509 return 0;
17510 ip = *(u64 *)(fp+8);
17511 if (!in_sched_functions(ip))
17512 diff -urNp linux-2.6.32.49/arch/x86/kernel/process.c linux-2.6.32.49/arch/x86/kernel/process.c
17513 --- linux-2.6.32.49/arch/x86/kernel/process.c 2011-11-08 19:02:43.000000000 -0500
17514 +++ linux-2.6.32.49/arch/x86/kernel/process.c 2011-11-15 19:59:43.000000000 -0500
17515 @@ -51,16 +51,33 @@ void free_thread_xstate(struct task_stru
17516
17517 void free_thread_info(struct thread_info *ti)
17518 {
17519 - free_thread_xstate(ti->task);
17520 free_pages((unsigned long)ti, get_order(THREAD_SIZE));
17521 }
17522
17523 +static struct kmem_cache *task_struct_cachep;
17524 +
17525 void arch_task_cache_init(void)
17526 {
17527 - task_xstate_cachep =
17528 - kmem_cache_create("task_xstate", xstate_size,
17529 + /* create a slab on which task_structs can be allocated */
17530 + task_struct_cachep =
17531 + kmem_cache_create("task_struct", sizeof(struct task_struct),
17532 + ARCH_MIN_TASKALIGN, SLAB_PANIC | SLAB_NOTRACK, NULL);
17533 +
17534 + task_xstate_cachep =
17535 + kmem_cache_create("task_xstate", xstate_size,
17536 __alignof__(union thread_xstate),
17537 - SLAB_PANIC | SLAB_NOTRACK, NULL);
17538 + SLAB_PANIC | SLAB_NOTRACK | SLAB_USERCOPY, NULL);
17539 +}
17540 +
17541 +struct task_struct *alloc_task_struct(void)
17542 +{
17543 + return kmem_cache_alloc(task_struct_cachep, GFP_KERNEL);
17544 +}
17545 +
17546 +void free_task_struct(struct task_struct *task)
17547 +{
17548 + free_thread_xstate(task);
17549 + kmem_cache_free(task_struct_cachep, task);
17550 }
17551
17552 /*
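Review bot: alloc_task_struct returns memory from kmem_cache_alloc without clearing it, while free_task_struct unconditionally calls free_thread_xstate(task). If any caller frees a task_struct before `thread.xstate` has been set (the callers and the body of free_thread_xstate are outside this hunk), that call would act on whatever the slab object last held. Either confirm that no such path exists and say so in a comment on free_task_struct, or allocate with `kmem_cache_zalloc(task_struct_cachep, GFP_KERNEL)`. The new "task_struct" cache is also created without `SLAB_USERCOPY` while "task_xstate" gains it; a comment stating that the difference is intentional would help.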
17553 @@ -73,7 +90,7 @@ void exit_thread(void)
17554 unsigned long *bp = t->io_bitmap_ptr;
17555
17556 if (bp) {
17557 - struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
17558 + struct tss_struct *tss = init_tss + get_cpu();
17559
17560 t->io_bitmap_ptr = NULL;
17561 clear_thread_flag(TIF_IO_BITMAP);
17562 @@ -93,6 +110,9 @@ void flush_thread(void)
17563
17564 clear_tsk_thread_flag(tsk, TIF_DEBUG);
17565
17566 +#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_PAX_MEMORY_UDEREF)
17567 + loadsegment(gs, 0);
17568 +#endif
17569 tsk->thread.debugreg0 = 0;
17570 tsk->thread.debugreg1 = 0;
17571 tsk->thread.debugreg2 = 0;
17572 @@ -307,7 +327,7 @@ void default_idle(void)
17573 EXPORT_SYMBOL(default_idle);
17574 #endif
17575
17576 -void stop_this_cpu(void *dummy)
17577 +__noreturn void stop_this_cpu(void *dummy)
17578 {
17579 local_irq_disable();
17580 /*
17581 @@ -568,16 +588,38 @@ static int __init idle_setup(char *str)
17582 }
17583 early_param("idle", idle_setup);
17584
17585 -unsigned long arch_align_stack(unsigned long sp)
17586 +#ifdef CONFIG_PAX_RANDKSTACK
17587 +void pax_randomize_kstack(struct pt_regs *regs)
17588 {
17589 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
17590 - sp -= get_random_int() % 8192;
17591 - return sp & ~0xf;
17592 -}
17593 + struct thread_struct *thread = &current->thread;
17594 + unsigned long time;
17595
17596 -unsigned long arch_randomize_brk(struct mm_struct *mm)
17597 -{
17598 - unsigned long range_end = mm->brk + 0x02000000;
17599 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
17600 + if (!randomize_va_space)
17601 + return;
17602 +
17603 + if (v8086_mode(regs))
17604 + return;
17605 +
17606 + rdtscl(time);
17607 +
17608 + /* P4 seems to return a 0 LSB, ignore it */
17609 +#ifdef CONFIG_MPENTIUM4
17610 + time &= 0x3EUL;
17611 + time <<= 2;
17612 +#elif defined(CONFIG_X86_64)
17613 + time &= 0xFUL;
17614 + time <<= 4;
17615 +#else
17616 + time &= 0x1FUL;
17617 + time <<= 3;
17618 +#endif
17619 +
17620 + thread->sp0 ^= time;
17621 + load_sp0(init_tss + smp_processor_id(), thread);
17622 +
17623 +#ifdef CONFIG_X86_64
17624 + percpu_write(kernel_stack, thread->sp0);
17625 +#endif
17626 }
17627 +#endif
17628
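Review bot: The masks and shifts in pax_randomize_kstack are bare numbers, and the comment `P4 seems to return a 0 LSB, ignore it` sits above all three branches although only the CONFIG_MPENTIUM4 mask `0x3EUL` skips bit 0. I would move that comment inside the CONFIG_MPENTIUM4 branch and add one above the block stating which bits of `sp0` each branch toggles (bits 3–7 on 32-bit, bits 4–7 on x86_64) and that the value comes from the low bits of the TSC via rdtscl() rather than from the kernel random pool. Because `thread->sp0 ^= time` only flips those bits, it appears to depend on copy_thread leaving sp0 8 (32-bit) or 16 (64-bit) bytes below the top of the stack so that the result cannot move above it; that dependency deserves a sentence in the same comment.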
17629 diff -urNp linux-2.6.32.49/arch/x86/kernel/ptrace.c linux-2.6.32.49/arch/x86/kernel/ptrace.c
17630 --- linux-2.6.32.49/arch/x86/kernel/ptrace.c 2011-11-08 19:02:43.000000000 -0500
17631 +++ linux-2.6.32.49/arch/x86/kernel/ptrace.c 2011-11-15 19:59:43.000000000 -0500
17632 @@ -925,7 +925,7 @@ static const struct user_regset_view use
17633 long arch_ptrace(struct task_struct *child, long request, long addr, long data)
17634 {
17635 int ret;
17636 - unsigned long __user *datap = (unsigned long __user *)data;
17637 + unsigned long __user *datap = (__force unsigned long __user *)data;
17638
17639 switch (request) {
17640 /* read the word at location addr in the USER area. */
17641 @@ -1012,14 +1012,14 @@ long arch_ptrace(struct task_struct *chi
17642 if (addr < 0)
17643 return -EIO;
17644 ret = do_get_thread_area(child, addr,
17645 - (struct user_desc __user *) data);
17646 + (__force struct user_desc __user *) data);
17647 break;
17648
17649 case PTRACE_SET_THREAD_AREA:
17650 if (addr < 0)
17651 return -EIO;
17652 ret = do_set_thread_area(child, addr,
17653 - (struct user_desc __user *) data, 0);
17654 + (__force struct user_desc __user *) data, 0);
17655 break;
17656 #endif
17657
17658 @@ -1038,12 +1038,12 @@ long arch_ptrace(struct task_struct *chi
17659 #ifdef CONFIG_X86_PTRACE_BTS
17660 case PTRACE_BTS_CONFIG:
17661 ret = ptrace_bts_config
17662 - (child, data, (struct ptrace_bts_config __user *)addr);
17663 + (child, data, (__force struct ptrace_bts_config __user *)addr);
17664 break;
17665
17666 case PTRACE_BTS_STATUS:
17667 ret = ptrace_bts_status
17668 - (child, data, (struct ptrace_bts_config __user *)addr);
17669 + (child, data, (__force struct ptrace_bts_config __user *)addr);
17670 break;
17671
17672 case PTRACE_BTS_SIZE:
17673 @@ -1052,7 +1052,7 @@ long arch_ptrace(struct task_struct *chi
17674
17675 case PTRACE_BTS_GET:
17676 ret = ptrace_bts_read_record
17677 - (child, data, (struct bts_struct __user *) addr);
17678 + (child, data, (__force struct bts_struct __user *) addr);
17679 break;
17680
17681 case PTRACE_BTS_CLEAR:
17682 @@ -1061,7 +1061,7 @@ long arch_ptrace(struct task_struct *chi
17683
17684 case PTRACE_BTS_DRAIN:
17685 ret = ptrace_bts_drain
17686 - (child, data, (struct bts_struct __user *) addr);
17687 + (child, data, (__force struct bts_struct __user *) addr);
17688 break;
17689 #endif /* CONFIG_X86_PTRACE_BTS */
17690
17691 @@ -1450,7 +1450,7 @@ void send_sigtrap(struct task_struct *ts
17692 info.si_code = si_code;
17693
17694 /* User-mode ip? */
17695 - info.si_addr = user_mode_vm(regs) ? (void __user *) regs->ip : NULL;
17696 + info.si_addr = user_mode(regs) ? (__force void __user *) regs->ip : NULL;
17697
17698 /* Send us the fake SIGTRAP */
17699 force_sig_info(SIGTRAP, &info, tsk);
17700 @@ -1469,7 +1469,7 @@ void send_sigtrap(struct task_struct *ts
17701 * We must return the syscall number to actually look up in the table.
17702 * This can be -1L to skip running any syscall at all.
17703 */
17704 -asmregparm long syscall_trace_enter(struct pt_regs *regs)
17705 +long syscall_trace_enter(struct pt_regs *regs)
17706 {
17707 long ret = 0;
17708
17709 @@ -1514,7 +1514,7 @@ asmregparm long syscall_trace_enter(stru
17710 return ret ?: regs->orig_ax;
17711 }
17712
17713 -asmregparm void syscall_trace_leave(struct pt_regs *regs)
17714 +void syscall_trace_leave(struct pt_regs *regs)
17715 {
17716 if (unlikely(current->audit_context))
17717 audit_syscall_exit(AUDITSC_RESULT(regs->ax), regs->ax);
17718 diff -urNp linux-2.6.32.49/arch/x86/kernel/reboot.c linux-2.6.32.49/arch/x86/kernel/reboot.c
17719 --- linux-2.6.32.49/arch/x86/kernel/reboot.c 2011-11-08 19:02:43.000000000 -0500
17720 +++ linux-2.6.32.49/arch/x86/kernel/reboot.c 2011-11-15 19:59:43.000000000 -0500
17721 @@ -33,7 +33,7 @@ void (*pm_power_off)(void);
17722 EXPORT_SYMBOL(pm_power_off);
17723
17724 static const struct desc_ptr no_idt = {};
17725 -static int reboot_mode;
17726 +static unsigned short reboot_mode;
17727 enum reboot_type reboot_type = BOOT_KBD;
17728 int reboot_force;
17729
17730 @@ -292,12 +292,12 @@ core_initcall(reboot_init);
17731 controller to pulse the CPU reset line, which is more thorough, but
17732 doesn't work with at least one type of 486 motherboard. It is easy
17733 to stop this code working; hence the copious comments. */
17734 -static const unsigned long long
17735 -real_mode_gdt_entries [3] =
17736 +static struct desc_struct
17737 +real_mode_gdt_entries [3] __read_only =
17738 {
17739 - 0x0000000000000000ULL, /* Null descriptor */
17740 - 0x00009b000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
17741 - 0x000093000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
17742 + GDT_ENTRY_INIT(0, 0, 0), /* Null descriptor */
17743 + GDT_ENTRY_INIT(0x9b, 0, 0xffff), /* 16-bit real-mode 64k code at 0x00000000 */
17744 + GDT_ENTRY_INIT(0x93, 0x100, 0xffff) /* 16-bit real-mode 64k data at 0x00000100 */
17745 };
17746
17747 static const struct desc_ptr
17748 @@ -346,7 +346,7 @@ static const unsigned char jump_to_bios
17749 * specified by the code and length parameters.
17750 * We assume that length will aways be less that 100!
17751 */
17752 -void machine_real_restart(const unsigned char *code, int length)
17753 +__noreturn void machine_real_restart(const unsigned char *code, unsigned int length)
17754 {
17755 local_irq_disable();
17756
17757 @@ -366,8 +366,8 @@ void machine_real_restart(const unsigned
17758 /* Remap the kernel at virtual address zero, as well as offset zero
17759 from the kernel segment. This assumes the kernel segment starts at
17760 virtual address PAGE_OFFSET. */
17761 - memcpy(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
17762 - sizeof(swapper_pg_dir [0]) * KERNEL_PGD_PTRS);
17763 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
17764 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
17765
17766 /*
17767 * Use `swapper_pg_dir' as our page directory.
17768 @@ -379,16 +379,15 @@ void machine_real_restart(const unsigned
17769 boot)". This seems like a fairly standard thing that gets set by
17770 REBOOT.COM programs, and the previous reset routine did this
17771 too. */
17772 - *((unsigned short *)0x472) = reboot_mode;
17773 + *(unsigned short *)(__va(0x472)) = reboot_mode;
17774
17775 /* For the switch to real mode, copy some code to low memory. It has
17776 to be in the first 64k because it is running in 16-bit mode, and it
17777 has to have the same physical and virtual address, because it turns
17778 off paging. Copy it near the end of the first page, out of the way
17779 of BIOS variables. */
17780 - memcpy((void *)(0x1000 - sizeof(real_mode_switch) - 100),
17781 - real_mode_switch, sizeof (real_mode_switch));
17782 - memcpy((void *)(0x1000 - 100), code, length);
17783 + memcpy(__va(0x1000 - sizeof (real_mode_switch) - 100), real_mode_switch, sizeof (real_mode_switch));
17784 + memcpy(__va(0x1000 - 100), code, length);
17785
17786 /* Set up the IDT for real mode. */
17787 load_idt(&real_mode_idt);
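Review bot: `memcpy(__va(0x1000 - 100), code, length)` copies a caller-supplied `length` into the last 100 bytes of the first page, and the only bound is the comment above the function ("We assume that length will aways be less that 100!"). Now that `length` is unsigned, the assumption can be enforced with a single check before the copy, for example `BUG_ON(length > 100);`, or by clamping with `min_t(unsigned int, length, 100)`. The callers are not on this page, so this is a hardening suggestion rather than a known overflow. machine_real_restart starts and ends outside the hunk.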
17788 @@ -416,6 +415,7 @@ void machine_real_restart(const unsigned
17789 __asm__ __volatile__ ("ljmp $0x0008,%0"
17790 :
17791 : "i" ((void *)(0x1000 - sizeof (real_mode_switch) - 100)));
17792 + do { } while (1);
17793 }
17794 #ifdef CONFIG_APM_MODULE
17795 EXPORT_SYMBOL(machine_real_restart);
17796 @@ -544,7 +544,7 @@ void __attribute__((weak)) mach_reboot_f
17797 {
17798 }
17799
17800 -static void native_machine_emergency_restart(void)
17801 +__noreturn static void native_machine_emergency_restart(void)
17802 {
17803 int i;
17804
17805 @@ -659,13 +659,13 @@ void native_machine_shutdown(void)
17806 #endif
17807 }
17808
17809 -static void __machine_emergency_restart(int emergency)
17810 +static __noreturn void __machine_emergency_restart(int emergency)
17811 {
17812 reboot_emergency = emergency;
17813 machine_ops.emergency_restart();
17814 }
17815
17816 -static void native_machine_restart(char *__unused)
17817 +static __noreturn void native_machine_restart(char *__unused)
17818 {
17819 printk("machine restart\n");
17820
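Review bot: __machine_emergency_restart is now declared `__noreturn` but its last statement is the indirect call `machine_ops.emergency_restart()`, and nothing in this hunk shows that the function-pointer type carries the same attribute. Elsewhere in this file the patch appends `do { } while (1);` after the final statement of machine_real_restart and native_machine_power_off; doing the same here would keep the attribute truthful if a registered handler ever returns. The attribute placement is also inconsistent across these hunks (`__noreturn static void` for native_machine_emergency_restart and native_machine_power_off, `static __noreturn void` for the others) and should follow one order.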
17821 @@ -674,7 +674,7 @@ static void native_machine_restart(char
17822 __machine_emergency_restart(0);
17823 }
17824
17825 -static void native_machine_halt(void)
17826 +static __noreturn void native_machine_halt(void)
17827 {
17828 /* stop other cpus and apics */
17829 machine_shutdown();
17830 @@ -685,7 +685,7 @@ static void native_machine_halt(void)
17831 stop_this_cpu(NULL);
17832 }
17833
17834 -static void native_machine_power_off(void)
17835 +__noreturn static void native_machine_power_off(void)
17836 {
17837 if (pm_power_off) {
17838 if (!reboot_force)
17839 @@ -694,6 +694,7 @@ static void native_machine_power_off(voi
17840 }
17841 /* a fallback in case there is no PM info available */
17842 tboot_shutdown(TB_SHUTDOWN_HALT);
17843 + do { } while (1);
17844 }
17845
17846 struct machine_ops machine_ops = {
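Review bot: The `do { } while (1);` added after `tboot_shutdown(TB_SHUTDOWN_HALT)` is a bare busy loop, and it is a reachable end state rather than a formality: the tboot.c hunk later in this patch shows `tboot_shutdown()` returning straight away when `!tboot_enabled()`. A CPU that lands here spins at full power, and nothing says why the loop is there. A halting loop such as `for (;;) halt();` with a one-line comment like `/* power-off failed; must not return (__noreturn) */` would state the intent. The same applies to the loop added after the `ljmp` in `machine_real_restart`.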
17847 diff -urNp linux-2.6.32.49/arch/x86/kernel/setup.c linux-2.6.32.49/arch/x86/kernel/setup.c
17848 --- linux-2.6.32.49/arch/x86/kernel/setup.c 2011-11-08 19:02:43.000000000 -0500
17849 +++ linux-2.6.32.49/arch/x86/kernel/setup.c 2011-11-15 19:59:43.000000000 -0500
17850 @@ -783,14 +783,14 @@ void __init setup_arch(char **cmdline_p)
17851
17852 if (!boot_params.hdr.root_flags)
17853 root_mountflags &= ~MS_RDONLY;
17854 - init_mm.start_code = (unsigned long) _text;
17855 - init_mm.end_code = (unsigned long) _etext;
17856 + init_mm.start_code = ktla_ktva((unsigned long) _text);
17857 + init_mm.end_code = ktla_ktva((unsigned long) _etext);
17858 init_mm.end_data = (unsigned long) _edata;
17859 init_mm.brk = _brk_end;
17860
17861 - code_resource.start = virt_to_phys(_text);
17862 - code_resource.end = virt_to_phys(_etext)-1;
17863 - data_resource.start = virt_to_phys(_etext);
17864 + code_resource.start = virt_to_phys(ktla_ktva(_text));
17865 + code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
17866 + data_resource.start = virt_to_phys(_sdata);
17867 data_resource.end = virt_to_phys(_edata)-1;
17868 bss_resource.start = virt_to_phys(&__bss_start);
17869 bss_resource.end = virt_to_phys(&__bss_stop)-1;
17870 diff -urNp linux-2.6.32.49/arch/x86/kernel/setup_percpu.c linux-2.6.32.49/arch/x86/kernel/setup_percpu.c
17871 --- linux-2.6.32.49/arch/x86/kernel/setup_percpu.c 2011-11-08 19:02:43.000000000 -0500
17872 +++ linux-2.6.32.49/arch/x86/kernel/setup_percpu.c 2011-11-15 19:59:43.000000000 -0500
17873 @@ -25,19 +25,17 @@
17874 # define DBG(x...)
17875 #endif
17876
17877 -DEFINE_PER_CPU(int, cpu_number);
17878 +#ifdef CONFIG_SMP
17879 +DEFINE_PER_CPU(unsigned int, cpu_number);
17880 EXPORT_PER_CPU_SYMBOL(cpu_number);
17881 +#endif
17882
17883 -#ifdef CONFIG_X86_64
17884 #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
17885 -#else
17886 -#define BOOT_PERCPU_OFFSET 0
17887 -#endif
17888
17889 DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
17890 EXPORT_PER_CPU_SYMBOL(this_cpu_off);
17891
17892 -unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
17893 +unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
17894 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
17895 };
17896 EXPORT_SYMBOL(__per_cpu_offset);
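Review bot: `__per_cpu_offset` becomes `__read_only` here, yet `setup_per_cpu_areas()` still assigns `per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu]` in a later hunk of this file, so the annotation is only safe if write protection takes effect after that `__init` code has run. Nothing in the hunk records that ordering; a comment at the definition, e.g. `/* written only by setup_per_cpu_areas() during init; read-only afterwards */`, would warn anyone adding a later writer. The hunk also removes the `CONFIG_X86_64` conditional around `BOOT_PERCPU_OFFSET`, so 32-bit now starts from `__per_cpu_load` as well, which deserves a word in the same comment.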
17897 @@ -159,10 +157,10 @@ static inline void setup_percpu_segment(
17898 {
17899 #ifdef CONFIG_X86_32
17900 struct desc_struct gdt;
17901 + unsigned long base = per_cpu_offset(cpu);
17902
17903 - pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
17904 - 0x2 | DESCTYPE_S, 0x8);
17905 - gdt.s = 1;
17906 + pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
17907 + 0x83 | DESCTYPE_S, 0xC);
17908 write_gdt_entry(get_cpu_gdt_table(cpu),
17909 GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
17910 #endif
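Review bot: The new `pack_descriptor()` arguments are unexplained magic values: the limit `(VMALLOC_END - base - 1) >> PAGE_SHIFT`, the type `0x83 | DESCTYPE_S` and the flags `0xC`. As I read the descriptor layout, they describe a page-granular limit that ends the per-cpu segment at VMALLOC_END, a present read/write data segment, and 4K granularity with 32-bit default size, replacing the old flat `0xFFFFF` limit and the separate `gdt.s = 1`. A comment such as `/* per-cpu segment: base..VMALLOC_END, present r/w data, G=1 D/B=1 */` would make the narrowing reviewable. The subtraction assumes `base < VMALLOC_END`; if per-cpu placement guarantees that, say so, because otherwise the limit wraps.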
17911 @@ -212,6 +210,11 @@ void __init setup_per_cpu_areas(void)
17912 /* alrighty, percpu areas up and running */
17913 delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
17914 for_each_possible_cpu(cpu) {
17915 +#ifdef CONFIG_CC_STACKPROTECTOR
17916 +#ifdef CONFIG_X86_32
17917 + unsigned long canary = per_cpu(stack_canary.canary, cpu);
17918 +#endif
17919 +#endif
17920 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
17921 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
17922 per_cpu(cpu_number, cpu) = cpu;
17923 @@ -239,6 +242,12 @@ void __init setup_per_cpu_areas(void)
17924 early_per_cpu_map(x86_cpu_to_node_map, cpu);
17925 #endif
17926 #endif
17927 +#ifdef CONFIG_CC_STACKPROTECTOR
17928 +#ifdef CONFIG_X86_32
17929 + if (!cpu)
17930 + per_cpu(stack_canary.canary, cpu) = canary;
17931 +#endif
17932 +#endif
17933 /*
17934 * Up to this point, the boot CPU has been using .data.init
17935 * area. Reload any changed state for the boot CPU.
17936 diff -urNp linux-2.6.32.49/arch/x86/kernel/signal.c linux-2.6.32.49/arch/x86/kernel/signal.c
17937 --- linux-2.6.32.49/arch/x86/kernel/signal.c 2011-11-08 19:02:43.000000000 -0500
17938 +++ linux-2.6.32.49/arch/x86/kernel/signal.c 2011-11-15 19:59:43.000000000 -0500
17939 @@ -197,7 +197,7 @@ static unsigned long align_sigframe(unsi
17940 * Align the stack pointer according to the i386 ABI,
17941 * i.e. so that on function entry ((sp + 4) & 15) == 0.
17942 */
17943 - sp = ((sp + 4) & -16ul) - 4;
17944 + sp = ((sp - 12) & -16ul) - 4;
17945 #else /* !CONFIG_X86_32 */
17946 sp = round_down(sp, 16) - 8;
17947 #endif
17948 @@ -248,11 +248,11 @@ get_sigframe(struct k_sigaction *ka, str
17949 * Return an always-bogus address instead so we will die with SIGSEGV.
17950 */
17951 if (onsigstack && !likely(on_sig_stack(sp)))
17952 - return (void __user *)-1L;
17953 + return (__force void __user *)-1L;
17954
17955 /* save i387 state */
17956 if (used_math() && save_i387_xstate(*fpstate) < 0)
17957 - return (void __user *)-1L;
17958 + return (__force void __user *)-1L;
17959
17960 return (void __user *)sp;
17961 }
17962 @@ -307,9 +307,9 @@ __setup_frame(int sig, struct k_sigactio
17963 }
17964
17965 if (current->mm->context.vdso)
17966 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
17967 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
17968 else
17969 - restorer = &frame->retcode;
17970 + restorer = (void __user *)&frame->retcode;
17971 if (ka->sa.sa_flags & SA_RESTORER)
17972 restorer = ka->sa.sa_restorer;
17973
17974 @@ -323,7 +323,7 @@ __setup_frame(int sig, struct k_sigactio
17975 * reasons and because gdb uses it as a signature to notice
17976 * signal handler stack frames.
17977 */
17978 - err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
17979 + err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
17980
17981 if (err)
17982 return -EFAULT;
17983 @@ -377,7 +377,10 @@ static int __setup_rt_frame(int sig, str
17984 err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
17985
17986 /* Set up to return from userspace. */
17987 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
17988 + if (current->mm->context.vdso)
17989 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
17990 + else
17991 + restorer = (void __user *)&frame->retcode;
17992 if (ka->sa.sa_flags & SA_RESTORER)
17993 restorer = ka->sa.sa_restorer;
17994 put_user_ex(restorer, &frame->pretcode);
17995 @@ -389,7 +392,7 @@ static int __setup_rt_frame(int sig, str
17996 * reasons and because gdb uses it as a signature to notice
17997 * signal handler stack frames.
17998 */
17999 - put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
18000 + put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
18001 } put_user_catch(err);
18002
18003 if (err)
18004 @@ -782,6 +785,8 @@ static void do_signal(struct pt_regs *re
18005 int signr;
18006 sigset_t *oldset;
18007
18008 + pax_track_stack();
18009 +
18010 /*
18011 * We want the common case to go fast, which is why we may in certain
18012 * cases get here from kernel mode. Just return without doing anything
18013 @@ -789,7 +794,7 @@ static void do_signal(struct pt_regs *re
18014 * X86_32: vm86 regs switched out by assembly code before reaching
18015 * here, so testing against kernel CS suffices.
18016 */
18017 - if (!user_mode(regs))
18018 + if (!user_mode_novm(regs))
18019 return;
18020
18021 if (current_thread_info()->status & TS_RESTORE_SIGMASK)
18022 diff -urNp linux-2.6.32.49/arch/x86/kernel/smpboot.c linux-2.6.32.49/arch/x86/kernel/smpboot.c
18023 --- linux-2.6.32.49/arch/x86/kernel/smpboot.c 2011-11-08 19:02:43.000000000 -0500
18024 +++ linux-2.6.32.49/arch/x86/kernel/smpboot.c 2011-11-15 19:59:43.000000000 -0500
18025 @@ -94,14 +94,14 @@ static DEFINE_PER_CPU(struct task_struct
18026 */
18027 static DEFINE_MUTEX(x86_cpu_hotplug_driver_mutex);
18028
18029 -void cpu_hotplug_driver_lock()
18030 +void cpu_hotplug_driver_lock(void)
18031 {
18032 - mutex_lock(&x86_cpu_hotplug_driver_mutex);
18033 + mutex_lock(&x86_cpu_hotplug_driver_mutex);
18034 }
18035
18036 -void cpu_hotplug_driver_unlock()
18037 +void cpu_hotplug_driver_unlock(void)
18038 {
18039 - mutex_unlock(&x86_cpu_hotplug_driver_mutex);
18040 + mutex_unlock(&x86_cpu_hotplug_driver_mutex);
18041 }
18042
18043 ssize_t arch_cpu_probe(const char *buf, size_t count) { return -1; }
18044 @@ -625,7 +625,7 @@ wakeup_secondary_cpu_via_init(int phys_a
18045 * target processor state.
18046 */
18047 startup_ipi_hook(phys_apicid, (unsigned long) start_secondary,
18048 - (unsigned long)stack_start.sp);
18049 + stack_start);
18050
18051 /*
18052 * Run STARTUP IPI loop.
18053 @@ -743,6 +743,7 @@ static int __cpuinit do_boot_cpu(int api
18054 set_idle_for_cpu(cpu, c_idle.idle);
18055 do_rest:
18056 per_cpu(current_task, cpu) = c_idle.idle;
18057 + per_cpu(current_tinfo, cpu) = &c_idle.idle->tinfo;
18058 #ifdef CONFIG_X86_32
18059 /* Stack for startup_32 can be just as for start_secondary onwards */
18060 irq_ctx_init(cpu);
18061 @@ -750,13 +751,15 @@ do_rest:
18062 #else
18063 clear_tsk_thread_flag(c_idle.idle, TIF_FORK);
18064 initial_gs = per_cpu_offset(cpu);
18065 - per_cpu(kernel_stack, cpu) =
18066 - (unsigned long)task_stack_page(c_idle.idle) -
18067 - KERNEL_STACK_OFFSET + THREAD_SIZE;
18068 + per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(c_idle.idle) - 16 + THREAD_SIZE;
18069 #endif
18070 +
18071 + pax_open_kernel();
18072 early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
18073 + pax_close_kernel();
18074 +
18075 initial_code = (unsigned long)start_secondary;
18076 - stack_start.sp = (void *) c_idle.idle->thread.sp;
18077 + stack_start = c_idle.idle->thread.sp;
18078
18079 /* start_ip had better be page-aligned! */
18080 start_ip = setup_trampoline();
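Review bot: `KERNEL_STACK_OFFSET` is replaced by a bare literal in `per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(c_idle.idle) - 16 + THREAD_SIZE;`, leaving the 16 without a name or an explanation. If the constant's definition changes elsewhere in the patch (not visible here), keeping the symbol stops the two from drifting apart; otherwise add a comment saying what the 16 bytes reserve. The `pax_open_kernel()` / `pax_close_kernel()` pair around the `early_gdt_descr.address` store is also undocumented, and a short comment such as `/* early_gdt_descr is write-protected */` would help if that is the reason. `do_boot_cpu` starts and ends outside the hunk.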
18081 @@ -891,6 +894,12 @@ int __cpuinit native_cpu_up(unsigned int
18082
18083 per_cpu(cpu_state, cpu) = CPU_UP_PREPARE;
18084
18085 +#ifdef CONFIG_PAX_PER_CPU_PGD
18086 + clone_pgd_range(get_cpu_pgd(cpu) + KERNEL_PGD_BOUNDARY,
18087 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
18088 + KERNEL_PGD_PTRS);
18089 +#endif
18090 +
18091 err = do_boot_cpu(apicid, cpu);
18092
18093 if (err) {
18094 diff -urNp linux-2.6.32.49/arch/x86/kernel/step.c linux-2.6.32.49/arch/x86/kernel/step.c
18095 --- linux-2.6.32.49/arch/x86/kernel/step.c 2011-11-08 19:02:43.000000000 -0500
18096 +++ linux-2.6.32.49/arch/x86/kernel/step.c 2011-11-15 19:59:43.000000000 -0500
18097 @@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struc
18098 struct desc_struct *desc;
18099 unsigned long base;
18100
18101 - seg &= ~7UL;
18102 + seg >>= 3;
18103
18104 mutex_lock(&child->mm->context.lock);
18105 - if (unlikely((seg >> 3) >= child->mm->context.size))
18106 + if (unlikely(seg >= child->mm->context.size))
18107 addr = -1L; /* bogus selector, access would fault */
18108 else {
18109 desc = child->mm->context.ldt + seg;
18110 @@ -42,7 +42,8 @@ unsigned long convert_ip_to_linear(struc
18111 addr += base;
18112 }
18113 mutex_unlock(&child->mm->context.lock);
18114 - }
18115 + } else if (seg == __KERNEL_CS || seg == __KERNEXEC_KERNEL_CS)
18116 + addr = ktla_ktva(addr);
18117
18118 return addr;
18119 }
18120 @@ -53,6 +54,9 @@ static int is_setting_trap_flag(struct t
18121 unsigned char opcode[15];
18122 unsigned long addr = convert_ip_to_linear(child, regs);
18123
18124 + if (addr == -EINVAL)
18125 + return 0;
18126 +
18127 copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
18128 for (i = 0; i < copied; i++) {
18129 switch (opcode[i]) {
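Review bot: The new guard `if (addr == -EINVAL) return 0;` does not match the failure value that `convert_ip_to_linear()` produces in the hunk above, where the bogus-selector path still sets `addr = -1L`. As written, a bad LDT selector still reaches `access_process_vm()` with the all-ones address, so the check looks ineffective unless some path outside the visible hunks returns `-EINVAL`. Either test the sentinel actually used, `if (addr == -1L) return 0;`, or change the producer to `addr = -EINVAL;` so the two agree. Both functions extend beyond the hunks shown.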
18130 @@ -74,7 +78,7 @@ static int is_setting_trap_flag(struct t
18131
18132 #ifdef CONFIG_X86_64
18133 case 0x40 ... 0x4f:
18134 - if (regs->cs != __USER_CS)
18135 + if ((regs->cs & 0xffff) != __USER_CS)
18136 /* 32-bit mode: register increment */
18137 return 0;
18138 /* 64-bit mode: REX prefix */
18139 diff -urNp linux-2.6.32.49/arch/x86/kernel/syscall_table_32.S linux-2.6.32.49/arch/x86/kernel/syscall_table_32.S
18140 --- linux-2.6.32.49/arch/x86/kernel/syscall_table_32.S 2011-11-08 19:02:43.000000000 -0500
18141 +++ linux-2.6.32.49/arch/x86/kernel/syscall_table_32.S 2011-11-15 19:59:43.000000000 -0500
18142 @@ -1,3 +1,4 @@
18143 +.section .rodata,"a",@progbits
18144 ENTRY(sys_call_table)
18145 .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
18146 .long sys_exit
18147 diff -urNp linux-2.6.32.49/arch/x86/kernel/sys_i386_32.c linux-2.6.32.49/arch/x86/kernel/sys_i386_32.c
18148 --- linux-2.6.32.49/arch/x86/kernel/sys_i386_32.c 2011-11-08 19:02:43.000000000 -0500
18149 +++ linux-2.6.32.49/arch/x86/kernel/sys_i386_32.c 2011-11-15 19:59:43.000000000 -0500
18150 @@ -24,6 +24,21 @@
18151
18152 #include <asm/syscalls.h>
18153
18154 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
18155 +{
18156 + unsigned long pax_task_size = TASK_SIZE;
18157 +
18158 +#ifdef CONFIG_PAX_SEGMEXEC
18159 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
18160 + pax_task_size = SEGMEXEC_TASK_SIZE;
18161 +#endif
18162 +
18163 + if (len > pax_task_size || addr > pax_task_size - len)
18164 + return -EINVAL;
18165 +
18166 + return 0;
18167 +}
18168 +
18169 /*
18170 * Perform the select(nd, in, out, ex, tv) and mmap() system
18171 * calls. Linux/i386 didn't use to be able to handle more than
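Review bot: `i386_mmap_check()` is added without a comment, and its correctness depends on the order of the two comparisons: `len > pax_task_size` has to be tested first so that `pax_task_size - len` cannot wrap. A header comment along the lines of `/* reject ranges that do not fit below the task size (SEGMEXEC_TASK_SIZE under SEGMEXEC); len is checked first so the subtraction cannot underflow */` would keep a later edit from reordering them. The `flags` parameter is unused in the body; if the signature is dictated by a caller outside this hunk, the comment should say that as well.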
18172 @@ -58,6 +73,212 @@ out:
18173 return err;
18174 }
18175
18176 +unsigned long
18177 +arch_get_unmapped_area(struct file *filp, unsigned long addr,
18178 + unsigned long len, unsigned long pgoff, unsigned long flags)
18179 +{
18180 + struct mm_struct *mm = current->mm;
18181 + struct vm_area_struct *vma;
18182 + unsigned long start_addr, pax_task_size = TASK_SIZE;
18183 +
18184 +#ifdef CONFIG_PAX_SEGMEXEC
18185 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18186 + pax_task_size = SEGMEXEC_TASK_SIZE;
18187 +#endif
18188 +
18189 + pax_task_size -= PAGE_SIZE;
18190 +
18191 + if (len > pax_task_size)
18192 + return -ENOMEM;
18193 +
18194 + if (flags & MAP_FIXED)
18195 + return addr;
18196 +
18197 +#ifdef CONFIG_PAX_RANDMMAP
18198 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
18199 +#endif
18200 +
18201 + if (addr) {
18202 + addr = PAGE_ALIGN(addr);
18203 + if (pax_task_size - len >= addr) {
18204 + vma = find_vma(mm, addr);
18205 + if (check_heap_stack_gap(vma, addr, len))
18206 + return addr;
18207 + }
18208 + }
18209 + if (len > mm->cached_hole_size) {
18210 + start_addr = addr = mm->free_area_cache;
18211 + } else {
18212 + start_addr = addr = mm->mmap_base;
18213 + mm->cached_hole_size = 0;
18214 + }
18215 +
18216 +#ifdef CONFIG_PAX_PAGEEXEC
18217 + if (!nx_enabled && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
18218 + start_addr = 0x00110000UL;
18219 +
18220 +#ifdef CONFIG_PAX_RANDMMAP
18221 + if (mm->pax_flags & MF_PAX_RANDMMAP)
18222 + start_addr += mm->delta_mmap & 0x03FFF000UL;
18223 +#endif
18224 +
18225 + if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
18226 + start_addr = addr = mm->mmap_base;
18227 + else
18228 + addr = start_addr;
18229 + }
18230 +#endif
18231 +
18232 +full_search:
18233 + for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
18234 + /* At this point: (!vma || addr < vma->vm_end). */
18235 + if (pax_task_size - len < addr) {
18236 + /*
18237 + * Start a new search - just in case we missed
18238 + * some holes.
18239 + */
18240 + if (start_addr != mm->mmap_base) {
18241 + start_addr = addr = mm->mmap_base;
18242 + mm->cached_hole_size = 0;
18243 + goto full_search;
18244 + }
18245 + return -ENOMEM;
18246 + }
18247 + if (check_heap_stack_gap(vma, addr, len))
18248 + break;
18249 + if (addr + mm->cached_hole_size < vma->vm_start)
18250 + mm->cached_hole_size = vma->vm_start - addr;
18251 + addr = vma->vm_end;
18252 + if (mm->start_brk <= addr && addr < mm->mmap_base) {
18253 + start_addr = addr = mm->mmap_base;
18254 + mm->cached_hole_size = 0;
18255 + goto full_search;
18256 + }
18257 + }
18258 +
18259 + /*
18260 + * Remember the place where we stopped the search:
18261 + */
18262 + mm->free_area_cache = addr + len;
18263 + return addr;
18264 +}
18265 +
18266 +unsigned long
18267 +arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
18268 + const unsigned long len, const unsigned long pgoff,
18269 + const unsigned long flags)
18270 +{
18271 + struct vm_area_struct *vma;
18272 + struct mm_struct *mm = current->mm;
18273 + unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
18274 +
18275 +#ifdef CONFIG_PAX_SEGMEXEC
18276 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18277 + pax_task_size = SEGMEXEC_TASK_SIZE;
18278 +#endif
18279 +
18280 + pax_task_size -= PAGE_SIZE;
18281 +
18282 + /* requested length too big for entire address space */
18283 + if (len > pax_task_size)
18284 + return -ENOMEM;
18285 +
18286 + if (flags & MAP_FIXED)
18287 + return addr;
18288 +
18289 +#ifdef CONFIG_PAX_PAGEEXEC
18290 + if (!nx_enabled && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
18291 + goto bottomup;
18292 +#endif
18293 +
18294 +#ifdef CONFIG_PAX_RANDMMAP
18295 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
18296 +#endif
18297 +
18298 + /* requesting a specific address */
18299 + if (addr) {
18300 + addr = PAGE_ALIGN(addr);
18301 + if (pax_task_size - len >= addr) {
18302 + vma = find_vma(mm, addr);
18303 + if (check_heap_stack_gap(vma, addr, len))
18304 + return addr;
18305 + }
18306 + }
18307 +
18308 + /* check if free_area_cache is useful for us */
18309 + if (len <= mm->cached_hole_size) {
18310 + mm->cached_hole_size = 0;
18311 + mm->free_area_cache = mm->mmap_base;
18312 + }
18313 +
18314 + /* either no address requested or can't fit in requested address hole */
18315 + addr = mm->free_area_cache;
18316 +
18317 + /* make sure it can fit in the remaining address space */
18318 + if (addr > len) {
18319 + vma = find_vma(mm, addr-len);
18320 + if (check_heap_stack_gap(vma, addr - len, len))
18321 + /* remember the address as a hint for next time */
18322 + return (mm->free_area_cache = addr-len);
18323 + }
18324 +
18325 + if (mm->mmap_base < len)
18326 + goto bottomup;
18327 +
18328 + addr = mm->mmap_base-len;
18329 +
18330 + do {
18331 + /*
18332 + * Lookup failure means no vma is above this address,
18333 + * else if new region fits below vma->vm_start,
18334 + * return with success:
18335 + */
18336 + vma = find_vma(mm, addr);
18337 + if (check_heap_stack_gap(vma, addr, len))
18338 + /* remember the address as a hint for next time */
18339 + return (mm->free_area_cache = addr);
18340 +
18341 + /* remember the largest hole we saw so far */
18342 + if (addr + mm->cached_hole_size < vma->vm_start)
18343 + mm->cached_hole_size = vma->vm_start - addr;
18344 +
18345 + /* try just below the current vma->vm_start */
18346 + addr = skip_heap_stack_gap(vma, len);
18347 + } while (!IS_ERR_VALUE(addr));
18348 +
18349 +bottomup:
18350 + /*
18351 + * A failed mmap() very likely causes application failure,
18352 + * so fall back to the bottom-up function here. This scenario
18353 + * can happen with large stack limits and large mmap()
18354 + * allocations.
18355 + */
18356 +
18357 +#ifdef CONFIG_PAX_SEGMEXEC
18358 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18359 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
18360 + else
18361 +#endif
18362 +
18363 + mm->mmap_base = TASK_UNMAPPED_BASE;
18364 +
18365 +#ifdef CONFIG_PAX_RANDMMAP
18366 + if (mm->pax_flags & MF_PAX_RANDMMAP)
18367 + mm->mmap_base += mm->delta_mmap;
18368 +#endif
18369 +
18370 + mm->free_area_cache = mm->mmap_base;
18371 + mm->cached_hole_size = ~0UL;
18372 + addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
18373 + /*
18374 + * Restore the topdown base:
18375 + */
18376 + mm->mmap_base = base;
18377 + mm->free_area_cache = base;
18378 + mm->cached_hole_size = ~0UL;
18379 +
18380 + return addr;
18381 +}
18382
18383 struct sel_arg_struct {
18384 unsigned long n;
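Review bot: In both new allocators the `CONFIG_PAX_RANDMMAP` test is a brace-less `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` wrapped in `#ifdef`/`#endif` and separated by a blank line from the `if (addr) {` block it governs; the `else` ahead of `mm->mmap_base = TASK_UNMAPPED_BASE;` on the `bottomup:` path has the same shape. The control flow therefore depends on whichever statement happens to follow the `#endif`, so a line inserted there silently changes what is conditional. Giving the hint block one explicit, braced condition, or at minimum adding a comment such as `/* RANDMMAP: the caller's address hint is ignored */` directly above the `#ifdef`, removes that trap. The same construct appears in the sys_x86_64.c hunks at `@@ -69,16 +69,19 @@` and `@@ -141,13 +144,18 @@`.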
18385 @@ -93,7 +314,7 @@ asmlinkage int sys_ipc(uint call, int fi
18386 return sys_semtimedop(first, (struct sembuf __user *)ptr, second, NULL);
18387 case SEMTIMEDOP:
18388 return sys_semtimedop(first, (struct sembuf __user *)ptr, second,
18389 - (const struct timespec __user *)fifth);
18390 + (__force const struct timespec __user *)fifth);
18391
18392 case SEMGET:
18393 return sys_semget(first, second, third);
18394 @@ -140,7 +361,7 @@ asmlinkage int sys_ipc(uint call, int fi
18395 ret = do_shmat(first, (char __user *) ptr, second, &raddr);
18396 if (ret)
18397 return ret;
18398 - return put_user(raddr, (ulong __user *) third);
18399 + return put_user(raddr, (__force ulong __user *) third);
18400 }
18401 case 1: /* iBCS2 emulator entry point */
18402 if (!segment_eq(get_fs(), get_ds()))
18403 @@ -207,17 +428,3 @@ asmlinkage int sys_olduname(struct oldol
18404
18405 return error;
18406 }
18407 -
18408 -
18409 -/*
18410 - * Do a system call from kernel instead of calling sys_execve so we
18411 - * end up with proper pt_regs.
18412 - */
18413 -int kernel_execve(const char *filename, char *const argv[], char *const envp[])
18414 -{
18415 - long __res;
18416 - asm volatile ("push %%ebx ; movl %2,%%ebx ; int $0x80 ; pop %%ebx"
18417 - : "=a" (__res)
18418 - : "0" (__NR_execve), "ri" (filename), "c" (argv), "d" (envp) : "memory");
18419 - return __res;
18420 -}
18421 diff -urNp linux-2.6.32.49/arch/x86/kernel/sys_x86_64.c linux-2.6.32.49/arch/x86/kernel/sys_x86_64.c
18422 --- linux-2.6.32.49/arch/x86/kernel/sys_x86_64.c 2011-11-08 19:02:43.000000000 -0500
18423 +++ linux-2.6.32.49/arch/x86/kernel/sys_x86_64.c 2011-11-15 19:59:43.000000000 -0500
18424 @@ -32,8 +32,8 @@ out:
18425 return error;
18426 }
18427
18428 -static void find_start_end(unsigned long flags, unsigned long *begin,
18429 - unsigned long *end)
18430 +static void find_start_end(struct mm_struct *mm, unsigned long flags,
18431 + unsigned long *begin, unsigned long *end)
18432 {
18433 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
18434 unsigned long new_begin;
18435 @@ -52,7 +52,7 @@ static void find_start_end(unsigned long
18436 *begin = new_begin;
18437 }
18438 } else {
18439 - *begin = TASK_UNMAPPED_BASE;
18440 + *begin = mm->mmap_base;
18441 *end = TASK_SIZE;
18442 }
18443 }
18444 @@ -69,16 +69,19 @@ arch_get_unmapped_area(struct file *filp
18445 if (flags & MAP_FIXED)
18446 return addr;
18447
18448 - find_start_end(flags, &begin, &end);
18449 + find_start_end(mm, flags, &begin, &end);
18450
18451 if (len > end)
18452 return -ENOMEM;
18453
18454 +#ifdef CONFIG_PAX_RANDMMAP
18455 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
18456 +#endif
18457 +
18458 if (addr) {
18459 addr = PAGE_ALIGN(addr);
18460 vma = find_vma(mm, addr);
18461 - if (end - len >= addr &&
18462 - (!vma || addr + len <= vma->vm_start))
18463 + if (end - len >= addr && check_heap_stack_gap(vma, addr, len))
18464 return addr;
18465 }
18466 if (((flags & MAP_32BIT) || test_thread_flag(TIF_IA32))
18467 @@ -106,7 +109,7 @@ full_search:
18468 }
18469 return -ENOMEM;
18470 }
18471 - if (!vma || addr + len <= vma->vm_start) {
18472 + if (check_heap_stack_gap(vma, addr, len)) {
18473 /*
18474 * Remember the place where we stopped the search:
18475 */
18476 @@ -128,7 +131,7 @@ arch_get_unmapped_area_topdown(struct fi
18477 {
18478 struct vm_area_struct *vma;
18479 struct mm_struct *mm = current->mm;
18480 - unsigned long addr = addr0;
18481 + unsigned long base = mm->mmap_base, addr = addr0;
18482
18483 /* requested length too big for entire address space */
18484 if (len > TASK_SIZE)
18485 @@ -141,13 +144,18 @@ arch_get_unmapped_area_topdown(struct fi
18486 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
18487 goto bottomup;
18488
18489 +#ifdef CONFIG_PAX_RANDMMAP
18490 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
18491 +#endif
18492 +
18493 /* requesting a specific address */
18494 if (addr) {
18495 addr = PAGE_ALIGN(addr);
18496 - vma = find_vma(mm, addr);
18497 - if (TASK_SIZE - len >= addr &&
18498 - (!vma || addr + len <= vma->vm_start))
18499 - return addr;
18500 + if (TASK_SIZE - len >= addr) {
18501 + vma = find_vma(mm, addr);
18502 + if (check_heap_stack_gap(vma, addr, len))
18503 + return addr;
18504 + }
18505 }
18506
18507 /* check if free_area_cache is useful for us */
18508 @@ -162,7 +170,7 @@ arch_get_unmapped_area_topdown(struct fi
18509 /* make sure it can fit in the remaining address space */
18510 if (addr > len) {
18511 vma = find_vma(mm, addr-len);
18512 - if (!vma || addr <= vma->vm_start)
18513 + if (check_heap_stack_gap(vma, addr - len, len))
18514 /* remember the address as a hint for next time */
18515 return mm->free_area_cache = addr-len;
18516 }
18517 @@ -179,7 +187,7 @@ arch_get_unmapped_area_topdown(struct fi
18518 * return with success:
18519 */
18520 vma = find_vma(mm, addr);
18521 - if (!vma || addr+len <= vma->vm_start)
18522 + if (check_heap_stack_gap(vma, addr, len))
18523 /* remember the address as a hint for next time */
18524 return mm->free_area_cache = addr;
18525
18526 @@ -188,8 +196,8 @@ arch_get_unmapped_area_topdown(struct fi
18527 mm->cached_hole_size = vma->vm_start - addr;
18528
18529 /* try just below the current vma->vm_start */
18530 - addr = vma->vm_start-len;
18531 - } while (len < vma->vm_start);
18532 + addr = skip_heap_stack_gap(vma, len);
18533 + } while (!IS_ERR_VALUE(addr));
18534
18535 bottomup:
18536 /*
18537 @@ -198,13 +206,21 @@ bottomup:
18538 * can happen with large stack limits and large mmap()
18539 * allocations.
18540 */
18541 + mm->mmap_base = TASK_UNMAPPED_BASE;
18542 +
18543 +#ifdef CONFIG_PAX_RANDMMAP
18544 + if (mm->pax_flags & MF_PAX_RANDMMAP)
18545 + mm->mmap_base += mm->delta_mmap;
18546 +#endif
18547 +
18548 + mm->free_area_cache = mm->mmap_base;
18549 mm->cached_hole_size = ~0UL;
18550 - mm->free_area_cache = TASK_UNMAPPED_BASE;
18551 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
18552 /*
18553 * Restore the topdown base:
18554 */
18555 - mm->free_area_cache = mm->mmap_base;
18556 + mm->mmap_base = base;
18557 + mm->free_area_cache = base;
18558 mm->cached_hole_size = ~0UL;
18559
18560 return addr;
18561 diff -urNp linux-2.6.32.49/arch/x86/kernel/tboot.c linux-2.6.32.49/arch/x86/kernel/tboot.c
18562 --- linux-2.6.32.49/arch/x86/kernel/tboot.c 2011-11-08 19:02:43.000000000 -0500
18563 +++ linux-2.6.32.49/arch/x86/kernel/tboot.c 2011-11-15 19:59:43.000000000 -0500
18564 @@ -216,7 +216,7 @@ static int tboot_setup_sleep(void)
18565
18566 void tboot_shutdown(u32 shutdown_type)
18567 {
18568 - void (*shutdown)(void);
18569 + void (* __noreturn shutdown)(void);
18570
18571 if (!tboot_enabled())
18572 return;
18573 @@ -238,7 +238,7 @@ void tboot_shutdown(u32 shutdown_type)
18574
18575 switch_to_tboot_pt();
18576
18577 - shutdown = (void(*)(void))(unsigned long)tboot->shutdown_entry;
18578 + shutdown = (void *)tboot->shutdown_entry;
18579 shutdown();
18580
18581 /* should not reach here */
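Review bot: The rewritten assignment `shutdown = (void *)tboot->shutdown_entry;` drops the intermediate `(unsigned long)` cast the old line had. If `shutdown_entry` is a 32-bit field (its declaration is outside this excerpt), casting it straight to a pointer on x86_64 is an integer-to-pointer conversion between different sizes, and the old widening step made that explicit. `shutdown = (void *)(unsigned long)tboot->shutdown_entry;` keeps the new, shorter form without losing it. The `/* should not reach here */` comment that follows could also note that the pointer is now declared `__noreturn`.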
18582 @@ -295,7 +295,7 @@ void tboot_sleep(u8 sleep_state, u32 pm1
18583 tboot_shutdown(acpi_shutdown_map[sleep_state]);
18584 }
18585
18586 -static atomic_t ap_wfs_count;
18587 +static atomic_unchecked_t ap_wfs_count;
18588
18589 static int tboot_wait_for_aps(int num_aps)
18590 {
18591 @@ -319,9 +319,9 @@ static int __cpuinit tboot_cpu_callback(
18592 {
18593 switch (action) {
18594 case CPU_DYING:
18595 - atomic_inc(&ap_wfs_count);
18596 + atomic_inc_unchecked(&ap_wfs_count);
18597 if (num_online_cpus() == 1)
18598 - if (tboot_wait_for_aps(atomic_read(&ap_wfs_count)))
18599 + if (tboot_wait_for_aps(atomic_read_unchecked(&ap_wfs_count)))
18600 return NOTIFY_BAD;
18601 break;
18602 }
18603 @@ -340,7 +340,7 @@ static __init int tboot_late_init(void)
18604
18605 tboot_create_trampoline();
18606
18607 - atomic_set(&ap_wfs_count, 0);
18608 + atomic_set_unchecked(&ap_wfs_count, 0);
18609 register_hotcpu_notifier(&tboot_cpu_notifier);
18610 return 0;
18611 }
18612 diff -urNp linux-2.6.32.49/arch/x86/kernel/time.c linux-2.6.32.49/arch/x86/kernel/time.c
18613 --- linux-2.6.32.49/arch/x86/kernel/time.c 2011-11-08 19:02:43.000000000 -0500
18614 +++ linux-2.6.32.49/arch/x86/kernel/time.c 2011-11-15 19:59:43.000000000 -0500
18615 @@ -26,17 +26,13 @@
18616 int timer_ack;
18617 #endif
18618
18619 -#ifdef CONFIG_X86_64
18620 -volatile unsigned long __jiffies __section_jiffies = INITIAL_JIFFIES;
18621 -#endif
18622 -
18623 unsigned long profile_pc(struct pt_regs *regs)
18624 {
18625 unsigned long pc = instruction_pointer(regs);
18626
18627 - if (!user_mode_vm(regs) && in_lock_functions(pc)) {
18628 + if (!user_mode(regs) && in_lock_functions(pc)) {
18629 #ifdef CONFIG_FRAME_POINTER
18630 - return *(unsigned long *)(regs->bp + sizeof(long));
18631 + return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
18632 #else
18633 unsigned long *sp =
18634 (unsigned long *)kernel_stack_pointer(regs);
18635 @@ -45,11 +41,17 @@ unsigned long profile_pc(struct pt_regs
18636 * or above a saved flags. Eflags has bits 22-31 zero,
18637 * kernel addresses don't.
18638 */
18639 +
18640 +#ifdef CONFIG_PAX_KERNEXEC
18641 + return ktla_ktva(sp[0]);
18642 +#else
18643 if (sp[0] >> 22)
18644 return sp[0];
18645 if (sp[1] >> 22)
18646 return sp[1];
18647 #endif
18648 +
18649 +#endif
18650 }
18651 return pc;
18652 }
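Review bot: Under `CONFIG_PAX_KERNEXEC` the function now returns `ktla_ktva(sp[0])` unconditionally, so the case described in the comment just above, where the return address sits above a saved flags word, is no longer handled and a flags value could be reported as a PC. If this is deliberate because the `>> 22` test cannot separate flags from KERNEXEC text addresses (my inference, not stated in the hunk), a comment should say so, e.g. `/* KERNEXEC: text addresses may have bits 22-31 clear, so the eflags heuristic cannot be used */`. Otherwise keep the two-slot check and apply `ktla_ktva()` to whichever slot is chosen. The impact is limited to profiling output, but a wrong sample is hard to spot later.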
18653 diff -urNp linux-2.6.32.49/arch/x86/kernel/tls.c linux-2.6.32.49/arch/x86/kernel/tls.c
18654 --- linux-2.6.32.49/arch/x86/kernel/tls.c 2011-11-08 19:02:43.000000000 -0500
18655 +++ linux-2.6.32.49/arch/x86/kernel/tls.c 2011-11-15 19:59:43.000000000 -0500
18656 @@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc
18657 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
18658 return -EINVAL;
18659
18660 +#ifdef CONFIG_PAX_SEGMEXEC
18661 + if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
18662 + return -EINVAL;
18663 +#endif
18664 +
18665 set_tls_desc(p, idx, &info, 1);
18666
18667 return 0;
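Review bot: The new SEGMEXEC branch rejects TLS descriptors carrying `MODIFY_LDT_CONTENTS_CODE` but has no comment, and it dereferences `p->mm` without a NULL check. Presumably the intent is that a user-installed code segment in a GDT TLS slot would sidestep the segment limits SEGMEXEC relies on; a comment such as `/* SEGMEXEC: no user-defined code segments in TLS slots */` would record that. Whether `p->mm` can be NULL on this path depends on callers outside the hunk, so either confirm that it cannot or guard the test with `p->mm &&`.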
18668 diff -urNp linux-2.6.32.49/arch/x86/kernel/trampoline_32.S linux-2.6.32.49/arch/x86/kernel/trampoline_32.S
18669 --- linux-2.6.32.49/arch/x86/kernel/trampoline_32.S 2011-11-08 19:02:43.000000000 -0500
18670 +++ linux-2.6.32.49/arch/x86/kernel/trampoline_32.S 2011-11-15 19:59:43.000000000 -0500
18671 @@ -32,6 +32,12 @@
18672 #include <asm/segment.h>
18673 #include <asm/page_types.h>
18674
18675 +#ifdef CONFIG_PAX_KERNEXEC
18676 +#define ta(X) (X)
18677 +#else
18678 +#define ta(X) ((X) - __PAGE_OFFSET)
18679 +#endif
18680 +
18681 /* We can free up trampoline after bootup if cpu hotplug is not supported. */
18682 __CPUINITRODATA
18683 .code16
18684 @@ -60,7 +66,7 @@ r_base = .
18685 inc %ax # protected mode (PE) bit
18686 lmsw %ax # into protected mode
18687 # flush prefetch and jump to startup_32_smp in arch/i386/kernel/head.S
18688 - ljmpl $__BOOT_CS, $(startup_32_smp-__PAGE_OFFSET)
18689 + ljmpl $__BOOT_CS, $ta(startup_32_smp)
18690
18691 # These need to be in the same 64K segment as the above;
18692 # hence we don't use the boot_gdt_descr defined in head.S
18693 diff -urNp linux-2.6.32.49/arch/x86/kernel/trampoline_64.S linux-2.6.32.49/arch/x86/kernel/trampoline_64.S
18694 --- linux-2.6.32.49/arch/x86/kernel/trampoline_64.S 2011-11-08 19:02:43.000000000 -0500
18695 +++ linux-2.6.32.49/arch/x86/kernel/trampoline_64.S 2011-11-15 19:59:43.000000000 -0500
18696 @@ -91,7 +91,7 @@ startup_32:
18697 movl $__KERNEL_DS, %eax # Initialize the %ds segment register
18698 movl %eax, %ds
18699
18700 - movl $X86_CR4_PAE, %eax
18701 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
18702 movl %eax, %cr4 # Enable PAE mode
18703
18704 # Setup trampoline 4 level pagetables
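Review bot: The context comment `# Enable PAE mode` on the `movl %eax, %cr4` line no longer matches the value being loaded, because the new immediate also sets `X86_CR4_PSE` and `X86_CR4_PGE`. It should be updated, e.g. `# Enable PSE, PAE and PGE`, ideally with a short reason why the secondary-CPU startup path now needs the two extra bits this early.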
18705 @@ -127,7 +127,7 @@ startup_64:
18706 no_longmode:
18707 hlt
18708 jmp no_longmode
18709 -#include "verify_cpu_64.S"
18710 +#include "verify_cpu.S"
18711
18712 # Careful these need to be in the same 64K segment as the above;
18713 tidt:
18714 @@ -138,7 +138,7 @@ tidt:
18715 # so the kernel can live anywhere
18716 .balign 4
18717 tgdt:
18718 - .short tgdt_end - tgdt # gdt limit
18719 + .short tgdt_end - tgdt - 1 # gdt limit
18720 .long tgdt - r_base
18721 .short 0
18722 .quad 0x00cf9b000000ffff # __KERNEL32_CS
18723 diff -urNp linux-2.6.32.49/arch/x86/kernel/traps.c linux-2.6.32.49/arch/x86/kernel/traps.c
18724 --- linux-2.6.32.49/arch/x86/kernel/traps.c 2011-11-08 19:02:43.000000000 -0500
18725 +++ linux-2.6.32.49/arch/x86/kernel/traps.c 2011-11-15 19:59:43.000000000 -0500
18726 @@ -69,12 +69,6 @@ asmlinkage int system_call(void);
18727
18728 /* Do we ignore FPU interrupts ? */
18729 char ignore_fpu_irq;
18730 -
18731 -/*
18732 - * The IDT has to be page-aligned to simplify the Pentium
18733 - * F0 0F bug workaround.
18734 - */
18735 -gate_desc idt_table[NR_VECTORS] __page_aligned_data = { { { { 0, 0 } } }, };
18736 #endif
18737
18738 DECLARE_BITMAP(used_vectors, NR_VECTORS);
18739 @@ -112,19 +106,19 @@ static inline void preempt_conditional_c
18740 static inline void
18741 die_if_kernel(const char *str, struct pt_regs *regs, long err)
18742 {
18743 - if (!user_mode_vm(regs))
18744 + if (!user_mode(regs))
18745 die(str, regs, err);
18746 }
18747 #endif
18748
18749 static void __kprobes
18750 -do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
18751 +do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
18752 long error_code, siginfo_t *info)
18753 {
18754 struct task_struct *tsk = current;
18755
18756 #ifdef CONFIG_X86_32
18757 - if (regs->flags & X86_VM_MASK) {
18758 + if (v8086_mode(regs)) {
18759 /*
18760 * traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
18761 * On nmi (interrupt 2), do_trap should not be called.
18762 @@ -135,7 +129,7 @@ do_trap(int trapnr, int signr, char *str
18763 }
18764 #endif
18765
18766 - if (!user_mode(regs))
18767 + if (!user_mode_novm(regs))
18768 goto kernel_trap;
18769
18770 #ifdef CONFIG_X86_32
18771 @@ -158,7 +152,7 @@ trap_signal:
18772 printk_ratelimit()) {
18773 printk(KERN_INFO
18774 "%s[%d] trap %s ip:%lx sp:%lx error:%lx",
18775 - tsk->comm, tsk->pid, str,
18776 + tsk->comm, task_pid_nr(tsk), str,
18777 regs->ip, regs->sp, error_code);
18778 print_vma_addr(" in ", regs->ip);
18779 printk("\n");
18780 @@ -175,8 +169,20 @@ kernel_trap:
18781 if (!fixup_exception(regs)) {
18782 tsk->thread.error_code = error_code;
18783 tsk->thread.trap_no = trapnr;
18784 +
18785 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18786 + if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
18787 + str = "PAX: suspicious stack segment fault";
18788 +#endif
18789 +
18790 die(str, regs, error_code);
18791 }
18792 +
18793 +#ifdef CONFIG_PAX_REFCOUNT
18794 + if (trapnr == 4)
18795 + pax_report_refcount_overflow(regs);
18796 +#endif
18797 +
18798 return;
18799
18800 #ifdef CONFIG_X86_32
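Review bot: The trap numbers tested in the two added blocks, `trapnr == 12` and `trapnr == 4`, are bare literals with no comment, so the reader has to know the x86 vector table to see that they are the stack-segment fault and the overflow exception. A trailing comment on each, e.g. `if (trapnr == 4) /* #OF, presumably raised by the refcount overflow check */`, would make the intent visible. The placement also deserves a line of explanation: `pax_report_refcount_overflow(regs)` sits after the `if (!fixup_exception(regs))` block, so it runs on the kernel path when the fixup succeeded. do_trap starts and ends outside this hunk.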
18801 @@ -265,14 +271,30 @@ do_general_protection(struct pt_regs *re
18802 conditional_sti(regs);
18803
18804 #ifdef CONFIG_X86_32
18805 - if (regs->flags & X86_VM_MASK)
18806 + if (v8086_mode(regs))
18807 goto gp_in_vm86;
18808 #endif
18809
18810 tsk = current;
18811 - if (!user_mode(regs))
18812 + if (!user_mode_novm(regs))
18813 goto gp_in_kernel;
18814
18815 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
18816 + if (!nx_enabled && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
18817 + struct mm_struct *mm = tsk->mm;
18818 + unsigned long limit;
18819 +
18820 + down_write(&mm->mmap_sem);
18821 + limit = mm->context.user_cs_limit;
18822 + if (limit < TASK_SIZE) {
18823 + track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
18824 + up_write(&mm->mmap_sem);
18825 + return;
18826 + }
18827 + up_write(&mm->mmap_sem);
18828 + }
18829 +#endif
18830 +
18831 tsk->thread.error_code = error_code;
18832 tsk->thread.trap_no = 13;
18833
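Review bot: The PAGEEXEC block added to do_general_protection has no comment saying why a user-mode general protection fault with `user_cs_limit < TASK_SIZE` is answered by `track_exec_limit()` and a plain `return` instead of a signal. A short comment above the `#if` stating the intent would help; presumably the fault may stem from the reduced code-segment limit, so the limit is raised and the instruction is retried. The two `up_write(&mm->mmap_sem)` calls could also be reduced to one by recording the decision in a local flag and unlocking once. The function starts and ends outside this hunk.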
18834 @@ -305,6 +327,13 @@ gp_in_kernel:
18835 if (notify_die(DIE_GPF, "general protection fault", regs,
18836 error_code, 13, SIGSEGV) == NOTIFY_STOP)
18837 return;
18838 +
18839 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18840 + if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
18841 + die("PAX: suspicious general protection fault", regs, error_code);
18842 + else
18843 +#endif
18844 +
18845 die("general protection fault", regs, error_code);
18846 }
18847
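Review bot: The added block under gp_in_kernel ends with an `else` directly before `#endif`, so the existing `die("general protection fault", regs, error_code);` becomes the else-branch only when the option is set, and a blank line separates the two. A later insertion between `#endif` and that `die()` call would silently change which statement the `else` governs. The do_trap hunk in this file handles the same situation by assigning the message (`str = "PAX: suspicious stack segment fault";`) and calling `die()` once; a local `const char *msg` selected under the `#if` and a single `die(msg, regs, error_code);` would do the same here. The function starts outside this hunk.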
18848 @@ -435,6 +464,17 @@ static notrace __kprobes void default_do
18849 dotraplinkage notrace __kprobes void
18850 do_nmi(struct pt_regs *regs, long error_code)
18851 {
18852 +
18853 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18854 + if (!user_mode(regs)) {
18855 + unsigned long cs = regs->cs & 0xFFFF;
18856 + unsigned long ip = ktva_ktla(regs->ip);
18857 +
18858 + if ((cs == __KERNEL_CS || cs == __KERNEXEC_KERNEL_CS) && ip <= (unsigned long)_etext)
18859 + regs->ip = ip;
18860 + }
18861 +#endif
18862 +
18863 nmi_enter();
18864
18865 inc_irq_stat(__nmi_count);
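Review bot: The range test in the added do_nmi block has only an upper bound, and an inclusive one: `ip <= (unsigned long)_etext` accepts the address equal to `_etext`, which the linker-script hunks in this patch define as the end of the text section, and nothing compares `ip` with `_text`. If a lower bound is unnecessary because of how kernel text is linked under KERNEXEC, and the inclusive end is intended, a comment should say so; otherwise `<` is the usual form for an end marker. The block also rewrites `regs->ip` before `nmi_enter()` with no comment on what translation `ktva_ktla()` performs or why the saved instruction pointer must be changed. do_nmi continues outside this hunk.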
18866 @@ -558,7 +598,7 @@ dotraplinkage void __kprobes do_debug(st
18867 }
18868
18869 #ifdef CONFIG_X86_32
18870 - if (regs->flags & X86_VM_MASK)
18871 + if (v8086_mode(regs))
18872 goto debug_vm86;
18873 #endif
18874
18875 @@ -570,7 +610,7 @@ dotraplinkage void __kprobes do_debug(st
18876 * kernel space (but re-enable TF when returning to user mode).
18877 */
18878 if (condition & DR_STEP) {
18879 - if (!user_mode(regs))
18880 + if (!user_mode_novm(regs))
18881 goto clear_TF_reenable;
18882 }
18883
18884 @@ -757,7 +797,7 @@ do_simd_coprocessor_error(struct pt_regs
18885 * Handle strange cache flush from user space exception
18886 * in all other cases. This is undocumented behaviour.
18887 */
18888 - if (regs->flags & X86_VM_MASK) {
18889 + if (v8086_mode(regs)) {
18890 handle_vm86_fault((struct kernel_vm86_regs *)regs, error_code);
18891 return;
18892 }
18893 @@ -798,7 +838,7 @@ asmlinkage void __attribute__((weak)) sm
18894 void __math_state_restore(void)
18895 {
18896 struct thread_info *thread = current_thread_info();
18897 - struct task_struct *tsk = thread->task;
18898 + struct task_struct *tsk = current;
18899
18900 /*
18901 * Paranoid restore. send a SIGSEGV if we fail to restore the state.
18902 @@ -825,8 +865,7 @@ void __math_state_restore(void)
18903 */
18904 asmlinkage void math_state_restore(void)
18905 {
18906 - struct thread_info *thread = current_thread_info();
18907 - struct task_struct *tsk = thread->task;
18908 + struct task_struct *tsk = current;
18909
18910 if (!tsk_used_math(tsk)) {
18911 local_irq_enable();
18912 diff -urNp linux-2.6.32.49/arch/x86/kernel/verify_cpu_64.S linux-2.6.32.49/arch/x86/kernel/verify_cpu_64.S
18913 --- linux-2.6.32.49/arch/x86/kernel/verify_cpu_64.S 2011-11-08 19:02:43.000000000 -0500
18914 +++ linux-2.6.32.49/arch/x86/kernel/verify_cpu_64.S 1969-12-31 19:00:00.000000000 -0500
18915 @@ -1,105 +0,0 @@
18916 -/*
18917 - *
18918 - * verify_cpu.S - Code for cpu long mode and SSE verification. This
18919 - * code has been borrowed from boot/setup.S and was introduced by
18920 - * Andi Kleen.
18921 - *
18922 - * Copyright (c) 2007 Andi Kleen (ak@suse.de)
18923 - * Copyright (c) 2007 Eric Biederman (ebiederm@xmission.com)
18924 - * Copyright (c) 2007 Vivek Goyal (vgoyal@in.ibm.com)
18925 - *
18926 - * This source code is licensed under the GNU General Public License,
18927 - * Version 2. See the file COPYING for more details.
18928 - *
18929 - * This is a common code for verification whether CPU supports
18930 - * long mode and SSE or not. It is not called directly instead this
18931 - * file is included at various places and compiled in that context.
18932 - * Following are the current usage.
18933 - *
18934 - * This file is included by both 16bit and 32bit code.
18935 - *
18936 - * arch/x86_64/boot/setup.S : Boot cpu verification (16bit)
18937 - * arch/x86_64/boot/compressed/head.S: Boot cpu verification (32bit)
18938 - * arch/x86_64/kernel/trampoline.S: secondary processor verfication (16bit)
18939 - * arch/x86_64/kernel/acpi/wakeup.S:Verfication at resume (16bit)
18940 - *
18941 - * verify_cpu, returns the status of cpu check in register %eax.
18942 - * 0: Success 1: Failure
18943 - *
18944 - * The caller needs to check for the error code and take the action
18945 - * appropriately. Either display a message or halt.
18946 - */
18947 -
18948 -#include <asm/cpufeature.h>
18949 -
18950 -verify_cpu:
18951 - pushfl # Save caller passed flags
18952 - pushl $0 # Kill any dangerous flags
18953 - popfl
18954 -
18955 - pushfl # standard way to check for cpuid
18956 - popl %eax
18957 - movl %eax,%ebx
18958 - xorl $0x200000,%eax
18959 - pushl %eax
18960 - popfl
18961 - pushfl
18962 - popl %eax
18963 - cmpl %eax,%ebx
18964 - jz verify_cpu_no_longmode # cpu has no cpuid
18965 -
18966 - movl $0x0,%eax # See if cpuid 1 is implemented
18967 - cpuid
18968 - cmpl $0x1,%eax
18969 - jb verify_cpu_no_longmode # no cpuid 1
18970 -
18971 - xor %di,%di
18972 - cmpl $0x68747541,%ebx # AuthenticAMD
18973 - jnz verify_cpu_noamd
18974 - cmpl $0x69746e65,%edx
18975 - jnz verify_cpu_noamd
18976 - cmpl $0x444d4163,%ecx
18977 - jnz verify_cpu_noamd
18978 - mov $1,%di # cpu is from AMD
18979 -
18980 -verify_cpu_noamd:
18981 - movl $0x1,%eax # Does the cpu have what it takes
18982 - cpuid
18983 - andl $REQUIRED_MASK0,%edx
18984 - xorl $REQUIRED_MASK0,%edx
18985 - jnz verify_cpu_no_longmode
18986 -
18987 - movl $0x80000000,%eax # See if extended cpuid is implemented
18988 - cpuid
18989 - cmpl $0x80000001,%eax
18990 - jb verify_cpu_no_longmode # no extended cpuid
18991 -
18992 - movl $0x80000001,%eax # Does the cpu have what it takes
18993 - cpuid
18994 - andl $REQUIRED_MASK1,%edx
18995 - xorl $REQUIRED_MASK1,%edx
18996 - jnz verify_cpu_no_longmode
18997 -
18998 -verify_cpu_sse_test:
18999 - movl $1,%eax
19000 - cpuid
19001 - andl $SSE_MASK,%edx
19002 - cmpl $SSE_MASK,%edx
19003 - je verify_cpu_sse_ok
19004 - test %di,%di
19005 - jz verify_cpu_no_longmode # only try to force SSE on AMD
19006 - movl $0xc0010015,%ecx # HWCR
19007 - rdmsr
19008 - btr $15,%eax # enable SSE
19009 - wrmsr
19010 - xor %di,%di # don't loop
19011 - jmp verify_cpu_sse_test # try again
19012 -
19013 -verify_cpu_no_longmode:
19014 - popfl # Restore caller passed flags
19015 - movl $1,%eax
19016 - ret
19017 -verify_cpu_sse_ok:
19018 - popfl # Restore caller passed flags
19019 - xorl %eax, %eax
19020 - ret
19021 diff -urNp linux-2.6.32.49/arch/x86/kernel/verify_cpu.S linux-2.6.32.49/arch/x86/kernel/verify_cpu.S
19022 --- linux-2.6.32.49/arch/x86/kernel/verify_cpu.S 1969-12-31 19:00:00.000000000 -0500
19023 +++ linux-2.6.32.49/arch/x86/kernel/verify_cpu.S 2011-11-15 19:59:43.000000000 -0500
19024 @@ -0,0 +1,140 @@
19025 +/*
19026 + *
19027 + * verify_cpu.S - Code for cpu long mode and SSE verification. This
19028 + * code has been borrowed from boot/setup.S and was introduced by
19029 + * Andi Kleen.
19030 + *
19031 + * Copyright (c) 2007 Andi Kleen (ak@suse.de)
19032 + * Copyright (c) 2007 Eric Biederman (ebiederm@xmission.com)
19033 + * Copyright (c) 2007 Vivek Goyal (vgoyal@in.ibm.com)
19034 + * Copyright (c) 2010 Kees Cook (kees.cook@canonical.com)
19035 + *
19036 + * This source code is licensed under the GNU General Public License,
19037 + * Version 2. See the file COPYING for more details.
19038 + *
19039 + * This is a common code for verification whether CPU supports
19040 + * long mode and SSE or not. It is not called directly instead this
19041 + * file is included at various places and compiled in that context.
19042 + * This file is expected to run in 32bit code. Currently:
19043 + *
19044 + * arch/x86/boot/compressed/head_64.S: Boot cpu verification
19045 + * arch/x86/kernel/trampoline_64.S: secondary processor verification
19046 + * arch/x86/kernel/head_32.S: processor startup
19047 + * arch/x86/kernel/acpi/realmode/wakeup.S: 32bit processor resume
19048 + *
19049 + * verify_cpu, returns the status of longmode and SSE in register %eax.
19050 + * 0: Success 1: Failure
19051 + *
19052 + * On Intel, the XD_DISABLE flag will be cleared as a side-effect.
19053 + *
19054 + * The caller needs to check for the error code and take the action
19055 + * appropriately. Either display a message or halt.
19056 + */
19057 +
19058 +#include <asm/cpufeature.h>
19059 +#include <asm/msr-index.h>
19060 +
19061 +verify_cpu:
19062 + pushfl # Save caller passed flags
19063 + pushl $0 # Kill any dangerous flags
19064 + popfl
19065 +
19066 + pushfl # standard way to check for cpuid
19067 + popl %eax
19068 + movl %eax,%ebx
19069 + xorl $0x200000,%eax
19070 + pushl %eax
19071 + popfl
19072 + pushfl
19073 + popl %eax
19074 + cmpl %eax,%ebx
19075 + jz verify_cpu_no_longmode # cpu has no cpuid
19076 +
19077 + movl $0x0,%eax # See if cpuid 1 is implemented
19078 + cpuid
19079 + cmpl $0x1,%eax
19080 + jb verify_cpu_no_longmode # no cpuid 1
19081 +
19082 + xor %di,%di
19083 + cmpl $0x68747541,%ebx # AuthenticAMD
19084 + jnz verify_cpu_noamd
19085 + cmpl $0x69746e65,%edx
19086 + jnz verify_cpu_noamd
19087 + cmpl $0x444d4163,%ecx
19088 + jnz verify_cpu_noamd
19089 + mov $1,%di # cpu is from AMD
19090 + jmp verify_cpu_check
19091 +
19092 +verify_cpu_noamd:
19093 + cmpl $0x756e6547,%ebx # GenuineIntel?
19094 + jnz verify_cpu_check
19095 + cmpl $0x49656e69,%edx
19096 + jnz verify_cpu_check
19097 + cmpl $0x6c65746e,%ecx
19098 + jnz verify_cpu_check
19099 +
19100 + # only call IA32_MISC_ENABLE when:
19101 + # family > 6 || (family == 6 && model >= 0xd)
19102 + movl $0x1, %eax # check CPU family and model
19103 + cpuid
19104 + movl %eax, %ecx
19105 +
19106 + andl $0x0ff00f00, %eax # mask family and extended family
19107 + shrl $8, %eax
19108 + cmpl $6, %eax
19109 + ja verify_cpu_clear_xd # family > 6, ok
19110 + jb verify_cpu_check # family < 6, skip
19111 +
19112 + andl $0x000f00f0, %ecx # mask model and extended model
19113 + shrl $4, %ecx
19114 + cmpl $0xd, %ecx
19115 + jb verify_cpu_check # family == 6, model < 0xd, skip
19116 +
19117 +verify_cpu_clear_xd:
19118 + movl $MSR_IA32_MISC_ENABLE, %ecx
19119 + rdmsr
19120 + btrl $2, %edx # clear MSR_IA32_MISC_ENABLE_XD_DISABLE
19121 + jnc verify_cpu_check # only write MSR if bit was changed
19122 + wrmsr
19123 +
19124 +verify_cpu_check:
19125 + movl $0x1,%eax # Does the cpu have what it takes
19126 + cpuid
19127 + andl $REQUIRED_MASK0,%edx
19128 + xorl $REQUIRED_MASK0,%edx
19129 + jnz verify_cpu_no_longmode
19130 +
19131 + movl $0x80000000,%eax # See if extended cpuid is implemented
19132 + cpuid
19133 + cmpl $0x80000001,%eax
19134 + jb verify_cpu_no_longmode # no extended cpuid
19135 +
19136 + movl $0x80000001,%eax # Does the cpu have what it takes
19137 + cpuid
19138 + andl $REQUIRED_MASK1,%edx
19139 + xorl $REQUIRED_MASK1,%edx
19140 + jnz verify_cpu_no_longmode
19141 +
19142 +verify_cpu_sse_test:
19143 + movl $1,%eax
19144 + cpuid
19145 + andl $SSE_MASK,%edx
19146 + cmpl $SSE_MASK,%edx
19147 + je verify_cpu_sse_ok
19148 + test %di,%di
19149 + jz verify_cpu_no_longmode # only try to force SSE on AMD
19150 + movl $MSR_K7_HWCR,%ecx
19151 + rdmsr
19152 + btr $15,%eax # enable SSE
19153 + wrmsr
19154 + xor %di,%di # don't loop
19155 + jmp verify_cpu_sse_test # try again
19156 +
19157 +verify_cpu_no_longmode:
19158 + popfl # Restore caller passed flags
19159 + movl $1,%eax
19160 + ret
19161 +verify_cpu_sse_ok:
19162 + popfl # Restore caller passed flags
19163 + xorl %eax, %eax
19164 + ret
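Review bot: The header comment of the new verify_cpu.S documents the `%eax` result and the XD_DISABLE side effect but not the registers the routine destroys. The body executes `cpuid` several times and uses `%di` as the AMD flag, so `%ebx`, `%ecx`, `%edx` and `%di` do not survive the call; because the file is textually included by the four callers listed in the header, a line such as ` * Clobbers: %eax, %ebx, %ecx, %edx, %di` would save each includer from rediscovering it. The header could also state that the AMD path may write `MSR_K7_HWCR` to enable SSE, since only the Intel-side MSR write is mentioned. The inline comment `# only call IA32_MISC_ENABLE when:` would read more accurately as `# only access MSR_IA32_MISC_ENABLE when:`.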
19165 diff -urNp linux-2.6.32.49/arch/x86/kernel/vm86_32.c linux-2.6.32.49/arch/x86/kernel/vm86_32.c
19166 --- linux-2.6.32.49/arch/x86/kernel/vm86_32.c 2011-11-08 19:02:43.000000000 -0500
19167 +++ linux-2.6.32.49/arch/x86/kernel/vm86_32.c 2011-11-15 19:59:43.000000000 -0500
19168 @@ -41,6 +41,7 @@
19169 #include <linux/ptrace.h>
19170 #include <linux/audit.h>
19171 #include <linux/stddef.h>
19172 +#include <linux/grsecurity.h>
19173
19174 #include <asm/uaccess.h>
19175 #include <asm/io.h>
19176 @@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
19177 do_exit(SIGSEGV);
19178 }
19179
19180 - tss = &per_cpu(init_tss, get_cpu());
19181 + tss = init_tss + get_cpu();
19182 current->thread.sp0 = current->thread.saved_sp0;
19183 current->thread.sysenter_cs = __KERNEL_CS;
19184 load_sp0(tss, &current->thread);
19185 @@ -208,6 +209,13 @@ int sys_vm86old(struct pt_regs *regs)
19186 struct task_struct *tsk;
19187 int tmp, ret = -EPERM;
19188
19189 +#ifdef CONFIG_GRKERNSEC_VM86
19190 + if (!capable(CAP_SYS_RAWIO)) {
19191 + gr_handle_vm86();
19192 + goto out;
19193 + }
19194 +#endif
19195 +
19196 tsk = current;
19197 if (tsk->thread.saved_sp0)
19198 goto out;
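Review bot: The CAP_SYS_RAWIO gate is written out twice, here in sys_vm86old and again in the sys_vm86 hunk that follows, in slightly different shapes: this copy relies on `ret` having been initialised to `-EPERM`, the other assigns it explicitly. A small static helper that performs the `capable()` test and the `gr_handle_vm86()` call and returns a boolean would keep the two entry points in step. Neither copy has a comment on why CAP_SYS_RAWIO is the capability chosen; one line stating the policy would help whoever audits this syscall surface later. Both function bodies continue outside their hunks.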
19199 @@ -238,6 +246,14 @@ int sys_vm86(struct pt_regs *regs)
19200 int tmp, ret;
19201 struct vm86plus_struct __user *v86;
19202
19203 +#ifdef CONFIG_GRKERNSEC_VM86
19204 + if (!capable(CAP_SYS_RAWIO)) {
19205 + gr_handle_vm86();
19206 + ret = -EPERM;
19207 + goto out;
19208 + }
19209 +#endif
19210 +
19211 tsk = current;
19212 switch (regs->bx) {
19213 case VM86_REQUEST_IRQ:
19214 @@ -324,7 +340,7 @@ static void do_sys_vm86(struct kernel_vm
19215 tsk->thread.saved_fs = info->regs32->fs;
19216 tsk->thread.saved_gs = get_user_gs(info->regs32);
19217
19218 - tss = &per_cpu(init_tss, get_cpu());
19219 + tss = init_tss + get_cpu();
19220 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
19221 if (cpu_has_sep)
19222 tsk->thread.sysenter_cs = 0;
19223 @@ -529,7 +545,7 @@ static void do_int(struct kernel_vm86_re
19224 goto cannot_handle;
19225 if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
19226 goto cannot_handle;
19227 - intr_ptr = (unsigned long __user *) (i << 2);
19228 + intr_ptr = (__force unsigned long __user *) (i << 2);
19229 if (get_user(segoffs, intr_ptr))
19230 goto cannot_handle;
19231 if ((segoffs >> 16) == BIOSSEG)
19232 diff -urNp linux-2.6.32.49/arch/x86/kernel/vmi_32.c linux-2.6.32.49/arch/x86/kernel/vmi_32.c
19233 --- linux-2.6.32.49/arch/x86/kernel/vmi_32.c 2011-11-08 19:02:43.000000000 -0500
19234 +++ linux-2.6.32.49/arch/x86/kernel/vmi_32.c 2011-11-15 19:59:43.000000000 -0500
19235 @@ -44,12 +44,17 @@ typedef u32 __attribute__((regparm(1)))
19236 typedef u64 __attribute__((regparm(2))) (VROMLONGFUNC)(int);
19237
19238 #define call_vrom_func(rom,func) \
19239 - (((VROMFUNC *)(rom->func))())
19240 + (((VROMFUNC *)(ktva_ktla(rom.func)))())
19241
19242 #define call_vrom_long_func(rom,func,arg) \
19243 - (((VROMLONGFUNC *)(rom->func)) (arg))
19244 +({\
19245 + u64 __reloc = ((VROMLONGFUNC *)(ktva_ktla(rom.func))) (arg);\
19246 + struct vmi_relocation_info *const __rel = (struct vmi_relocation_info *)&__reloc;\
19247 + __rel->eip = (unsigned char *)ktva_ktla((unsigned long)__rel->eip);\
19248 + __reloc;\
19249 +})
19250
19251 -static struct vrom_header *vmi_rom;
19252 +static struct vrom_header vmi_rom __attribute((__section__(".vmi.rom"), __aligned__(PAGE_SIZE)));
19253 static int disable_pge;
19254 static int disable_pse;
19255 static int disable_sep;
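Review bot: `call_vrom_long_func` keeps its generic name but now treats every result as a `struct vmi_relocation_info` and rewrites its `eip` field through `ktva_ktla()`. The only use visible in this file section is `call_vrom_long_func(vmi_rom, get_reloc, call)` in patch_internal; if another ROM entry point were ever called through the macro, its 64-bit return value would be altered as well. A comment on the macro stating that it is meant for `get_reloc` only, or a rename along the lines of `call_vrom_reloc_func`, would make that restriction explicit. The new `vmi_rom` definition also spells the attribute as `__attribute((...))`, while the typedefs above it use `__attribute__`; using one spelling keeps the file consistent.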
19256 @@ -76,10 +81,10 @@ static struct {
19257 void (*set_initial_ap_state)(int, int);
19258 void (*halt)(void);
19259 void (*set_lazy_mode)(int mode);
19260 -} vmi_ops;
19261 +} __no_const vmi_ops __read_only;
19262
19263 /* Cached VMI operations */
19264 -struct vmi_timer_ops vmi_timer_ops;
19265 +struct vmi_timer_ops vmi_timer_ops __read_only;
19266
19267 /*
19268 * VMI patching routines.
19269 @@ -94,7 +99,7 @@ struct vmi_timer_ops vmi_timer_ops;
19270 static inline void patch_offset(void *insnbuf,
19271 unsigned long ip, unsigned long dest)
19272 {
19273 - *(unsigned long *)(insnbuf+1) = dest-ip-5;
19274 + *(unsigned long *)(insnbuf+1) = dest-ip-5;
19275 }
19276
19277 static unsigned patch_internal(int call, unsigned len, void *insnbuf,
19278 @@ -102,6 +107,7 @@ static unsigned patch_internal(int call,
19279 {
19280 u64 reloc;
19281 struct vmi_relocation_info *const rel = (struct vmi_relocation_info *)&reloc;
19282 +
19283 reloc = call_vrom_long_func(vmi_rom, get_reloc, call);
19284 switch(rel->type) {
19285 case VMI_RELOCATION_CALL_REL:
19286 @@ -404,13 +410,13 @@ static void vmi_set_pud(pud_t *pudp, pud
19287
19288 static void vmi_pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep)
19289 {
19290 - const pte_t pte = { .pte = 0 };
19291 + const pte_t pte = __pte(0ULL);
19292 vmi_ops.set_pte(pte, ptep, vmi_flags_addr(mm, addr, VMI_PAGE_PT, 0));
19293 }
19294
19295 static void vmi_pmd_clear(pmd_t *pmd)
19296 {
19297 - const pte_t pte = { .pte = 0 };
19298 + const pte_t pte = __pte(0ULL);
19299 vmi_ops.set_pte(pte, (pte_t *)pmd, VMI_PAGE_PD);
19300 }
19301 #endif
19302 @@ -438,10 +444,10 @@ vmi_startup_ipi_hook(int phys_apicid, un
19303 ap.ss = __KERNEL_DS;
19304 ap.esp = (unsigned long) start_esp;
19305
19306 - ap.ds = __USER_DS;
19307 - ap.es = __USER_DS;
19308 + ap.ds = __KERNEL_DS;
19309 + ap.es = __KERNEL_DS;
19310 ap.fs = __KERNEL_PERCPU;
19311 - ap.gs = __KERNEL_STACK_CANARY;
19312 + savesegment(gs, ap.gs);
19313
19314 ap.eflags = 0;
19315
19316 @@ -486,6 +492,18 @@ static void vmi_leave_lazy_mmu(void)
19317 paravirt_leave_lazy_mmu();
19318 }
19319
19320 +#ifdef CONFIG_PAX_KERNEXEC
19321 +static unsigned long vmi_pax_open_kernel(void)
19322 +{
19323 + return 0;
19324 +}
19325 +
19326 +static unsigned long vmi_pax_close_kernel(void)
19327 +{
19328 + return 0;
19329 +}
19330 +#endif
19331 +
19332 static inline int __init check_vmi_rom(struct vrom_header *rom)
19333 {
19334 struct pci_header *pci;
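Review bot: `vmi_pax_open_kernel()` and `vmi_pax_close_kernel()` are empty stubs returning 0 with no comment, and the activate_vmi hunk further down installs them into `pv_mmu_ops`. From here a reader cannot tell whether KERNEXEC's open/close step is intentionally a no-op when running on VMI or whether the hypervisor is expected to supply the protection. A comment above the pair, e.g. `/* VMI: no write-protect toggle is performed here; kernel open/close is a no-op */`, worded by someone who can confirm the intent, would make the security consequence explicit.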
19335 @@ -498,6 +516,10 @@ static inline int __init check_vmi_rom(s
19336 return 0;
19337 if (rom->vrom_signature != VMI_SIGNATURE)
19338 return 0;
19339 + if (rom->rom_length * 512 > sizeof(*rom)) {
19340 + printk(KERN_WARNING "PAX: VMI: ROM size too big: %x\n", rom->rom_length * 512);
19341 + return 0;
19342 + }
19343 if (rom->api_version_maj != VMI_API_REV_MAJOR ||
19344 rom->api_version_min+1 < VMI_API_REV_MINOR+1) {
19345 printk(KERN_WARNING "VMI: Found mismatched rom version %d.%d\n",
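Review bot: The new size check in check_vmi_rom has no comment tying it to the change in probe_vmi_rom, where the header is now copied by value (`vmi_rom = *romstart;`) into the page-aligned `.vmi.rom` object. A comment such as `/* the ROM is copied into vmi_rom, so it must fit */` would explain why `sizeof(*rom)` is the limit. The `%x` conversion receives `rom->rom_length * 512`, whose type depends on the declaration of `rom_length`, which is not visible here; it is worth confirming the expression has type int or unsigned int. The function starts and ends outside this hunk.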
19346 @@ -562,7 +584,7 @@ static inline int __init probe_vmi_rom(v
19347 struct vrom_header *romstart;
19348 romstart = (struct vrom_header *)isa_bus_to_virt(base);
19349 if (check_vmi_rom(romstart)) {
19350 - vmi_rom = romstart;
19351 + vmi_rom = *romstart;
19352 return 1;
19353 }
19354 }
19355 @@ -836,6 +858,11 @@ static inline int __init activate_vmi(vo
19356
19357 para_fill(pv_irq_ops.safe_halt, Halt);
19358
19359 +#ifdef CONFIG_PAX_KERNEXEC
19360 + pv_mmu_ops.pax_open_kernel = vmi_pax_open_kernel;
19361 + pv_mmu_ops.pax_close_kernel = vmi_pax_close_kernel;
19362 +#endif
19363 +
19364 /*
19365 * Alternative instruction rewriting doesn't happen soon enough
19366 * to convert VMI_IRET to a call instead of a jump; so we have
19367 @@ -853,16 +880,16 @@ static inline int __init activate_vmi(vo
19368
19369 void __init vmi_init(void)
19370 {
19371 - if (!vmi_rom)
19372 + if (!vmi_rom.rom_signature)
19373 probe_vmi_rom();
19374 else
19375 - check_vmi_rom(vmi_rom);
19376 + check_vmi_rom(&vmi_rom);
19377
19378 /* In case probing for or validating the ROM failed, basil */
19379 - if (!vmi_rom)
19380 + if (!vmi_rom.rom_signature)
19381 return;
19382
19383 - reserve_top_address(-vmi_rom->virtual_top);
19384 + reserve_top_address(-vmi_rom.virtual_top);
19385
19386 #ifdef CONFIG_X86_IO_APIC
19387 /* This is virtual hardware; timer routing is wired correctly */
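Review bot: The return value of `check_vmi_rom(&vmi_rom)` is discarded, so when validation fails nothing visible in these hunks clears `vmi_rom.rom_signature`, and the following `if (!vmi_rom.rom_signature) return;` does not fire even though its comment says it covers a failed validation. The pointer form had the same gap, but with the sentinel now a field of the copied header it is simple to close: `else if (!check_vmi_rom(&vmi_rom)) vmi_rom.rom_signature = 0;`. Note also that the sentinel tested here is `rom_signature` while check_vmi_rom compares `vrom_signature` against `VMI_SIGNATURE`; a comment naming which field means "ROM present" would avoid confusing the two. vmi_init continues outside this hunk.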
19388 @@ -874,7 +901,7 @@ void __init vmi_activate(void)
19389 {
19390 unsigned long flags;
19391
19392 - if (!vmi_rom)
19393 + if (!vmi_rom.rom_signature)
19394 return;
19395
19396 local_irq_save(flags);
19397 diff -urNp linux-2.6.32.49/arch/x86/kernel/vmlinux.lds.S linux-2.6.32.49/arch/x86/kernel/vmlinux.lds.S
19398 --- linux-2.6.32.49/arch/x86/kernel/vmlinux.lds.S 2011-11-08 19:02:43.000000000 -0500
19399 +++ linux-2.6.32.49/arch/x86/kernel/vmlinux.lds.S 2011-11-15 19:59:43.000000000 -0500
19400 @@ -26,6 +26,13 @@
19401 #include <asm/page_types.h>
19402 #include <asm/cache.h>
19403 #include <asm/boot.h>
19404 +#include <asm/segment.h>
19405 +
19406 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
19407 +#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
19408 +#else
19409 +#define __KERNEL_TEXT_OFFSET 0
19410 +#endif
19411
19412 #undef i386 /* in case the preprocessor is a 32bit one */
19413
19414 @@ -34,40 +41,53 @@ OUTPUT_FORMAT(CONFIG_OUTPUT_FORMAT, CONF
19415 #ifdef CONFIG_X86_32
19416 OUTPUT_ARCH(i386)
19417 ENTRY(phys_startup_32)
19418 -jiffies = jiffies_64;
19419 #else
19420 OUTPUT_ARCH(i386:x86-64)
19421 ENTRY(phys_startup_64)
19422 -jiffies_64 = jiffies;
19423 #endif
19424
19425 PHDRS {
19426 text PT_LOAD FLAGS(5); /* R_E */
19427 - data PT_LOAD FLAGS(7); /* RWE */
19428 +#ifdef CONFIG_X86_32
19429 + module PT_LOAD FLAGS(5); /* R_E */
19430 +#endif
19431 +#ifdef CONFIG_XEN
19432 + rodata PT_LOAD FLAGS(5); /* R_E */
19433 +#else
19434 + rodata PT_LOAD FLAGS(4); /* R__ */
19435 +#endif
19436 + data PT_LOAD FLAGS(6); /* RW_ */
19437 #ifdef CONFIG_X86_64
19438 user PT_LOAD FLAGS(5); /* R_E */
19439 +#endif
19440 + init.begin PT_LOAD FLAGS(6); /* RW_ */
19441 #ifdef CONFIG_SMP
19442 percpu PT_LOAD FLAGS(6); /* RW_ */
19443 #endif
19444 + text.init PT_LOAD FLAGS(5); /* R_E */
19445 + text.exit PT_LOAD FLAGS(5); /* R_E */
19446 init PT_LOAD FLAGS(7); /* RWE */
19447 -#endif
19448 note PT_NOTE FLAGS(0); /* ___ */
19449 }
19450
19451 SECTIONS
19452 {
19453 #ifdef CONFIG_X86_32
19454 - . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
19455 - phys_startup_32 = startup_32 - LOAD_OFFSET;
19456 + . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
19457 #else
19458 - . = __START_KERNEL;
19459 - phys_startup_64 = startup_64 - LOAD_OFFSET;
19460 + . = __START_KERNEL;
19461 #endif
19462
19463 /* Text and read-only data */
19464 - .text : AT(ADDR(.text) - LOAD_OFFSET) {
19465 - _text = .;
19466 + .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
19467 /* bootstrapping code */
19468 +#ifdef CONFIG_X86_32
19469 + phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
19470 +#else
19471 + phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
19472 +#endif
19473 + __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
19474 + _text = .;
19475 HEAD_TEXT
19476 #ifdef CONFIG_X86_32
19477 . = ALIGN(PAGE_SIZE);
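Review bot: Two entries in the new PHDRS table run against the write/execute split the rest of the hunk introduces, and neither is explained. Under CONFIG_XEN the `rodata` segment is `FLAGS(5)` (R_E) rather than `FLAGS(4)`, and `init` stays at `FLAGS(7)` (RWE) even though init and exit text now have their own `text.init` and `text.exit` segments. A comment on each line stating the requirement would tell a reviewer whether these are constraints or leftovers. If `init` now carries only init data, `FLAGS(6)` would match the `data` and `init.begin` entries; that cannot be confirmed from this hunk alone.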
19478 @@ -82,28 +102,71 @@ SECTIONS
19479 IRQENTRY_TEXT
19480 *(.fixup)
19481 *(.gnu.warning)
19482 - /* End of text section */
19483 - _etext = .;
19484 } :text = 0x9090
19485
19486 - NOTES :text :note
19487 + . += __KERNEL_TEXT_OFFSET;
19488 +
19489 +#ifdef CONFIG_X86_32
19490 + . = ALIGN(PAGE_SIZE);
19491 + .vmi.rom : AT(ADDR(.vmi.rom) - LOAD_OFFSET) {
19492 + *(.vmi.rom)
19493 + } :module
19494 +
19495 + . = ALIGN(PAGE_SIZE);
19496 + .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
19497 +
19498 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
19499 + MODULES_EXEC_VADDR = .;
19500 + BYTE(0)
19501 + . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
19502 + . = ALIGN(HPAGE_SIZE);
19503 + MODULES_EXEC_END = . - 1;
19504 +#endif
19505 +
19506 + } :module
19507 +#endif
19508
19509 - EXCEPTION_TABLE(16) :text = 0x9090
19510 + .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
19511 + /* End of text section */
19512 + _etext = . - __KERNEL_TEXT_OFFSET;
19513 + }
19514 +
19515 +#ifdef CONFIG_X86_32
19516 + . = ALIGN(PAGE_SIZE);
19517 + .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
19518 + *(.idt)
19519 + . = ALIGN(PAGE_SIZE);
19520 + *(.empty_zero_page)
19521 + *(.swapper_pg_fixmap)
19522 + *(.swapper_pg_pmd)
19523 + *(.swapper_pg_dir)
19524 + *(.trampoline_pg_dir)
19525 + } :rodata
19526 +#endif
19527 +
19528 + . = ALIGN(PAGE_SIZE);
19529 + NOTES :rodata :note
19530 +
19531 + EXCEPTION_TABLE(16) :rodata
19532
19533 RO_DATA(PAGE_SIZE)
19534
19535 /* Data */
19536 .data : AT(ADDR(.data) - LOAD_OFFSET) {
19537 +
19538 +#ifdef CONFIG_PAX_KERNEXEC
19539 + . = ALIGN(HPAGE_SIZE);
19540 +#else
19541 + . = ALIGN(PAGE_SIZE);
19542 +#endif
19543 +
19544 /* Start of data section */
19545 _sdata = .;
19546
19547 /* init_task */
19548 INIT_TASK_DATA(THREAD_SIZE)
19549
19550 -#ifdef CONFIG_X86_32
19551 - /* 32 bit has nosave before _edata */
19552 NOSAVE_DATA
19553 -#endif
19554
19555 PAGE_ALIGNED_DATA(PAGE_SIZE)
19556
19557 @@ -112,6 +175,8 @@ SECTIONS
19558 DATA_DATA
19559 CONSTRUCTORS
19560
19561 + jiffies = jiffies_64;
19562 +
19563 /* rarely changed data like cpu maps */
19564 READ_MOSTLY_DATA(CONFIG_X86_INTERNODE_CACHE_BYTES)
19565
19566 @@ -166,12 +231,6 @@ SECTIONS
19567 }
19568 vgetcpu_mode = VVIRT(.vgetcpu_mode);
19569
19570 - . = ALIGN(CONFIG_X86_L1_CACHE_BYTES);
19571 - .jiffies : AT(VLOAD(.jiffies)) {
19572 - *(.jiffies)
19573 - }
19574 - jiffies = VVIRT(.jiffies);
19575 -
19576 .vsyscall_3 ADDR(.vsyscall_0) + 3072: AT(VLOAD(.vsyscall_3)) {
19577 *(.vsyscall_3)
19578 }
19579 @@ -187,12 +246,19 @@ SECTIONS
19580 #endif /* CONFIG_X86_64 */
19581
19582 /* Init code and data - will be freed after init */
19583 - . = ALIGN(PAGE_SIZE);
19584 .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
19585 + BYTE(0)
19586 +
19587 +#ifdef CONFIG_PAX_KERNEXEC
19588 + . = ALIGN(HPAGE_SIZE);
19589 +#else
19590 + . = ALIGN(PAGE_SIZE);
19591 +#endif
19592 +
19593 __init_begin = .; /* paired with __init_end */
19594 - }
19595 + } :init.begin
19596
19597 -#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
19598 +#ifdef CONFIG_SMP
19599 /*
19600 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
19601 * output PHDR, so the next output section - .init.text - should
19602 @@ -201,12 +267,27 @@ SECTIONS
19603 PERCPU_VADDR(0, :percpu)
19604 #endif
19605
19606 - INIT_TEXT_SECTION(PAGE_SIZE)
19607 -#ifdef CONFIG_X86_64
19608 - :init
19609 -#endif
19610 + . = ALIGN(PAGE_SIZE);
19611 + init_begin = .;
19612 + .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
19613 + VMLINUX_SYMBOL(_sinittext) = .;
19614 + INIT_TEXT
19615 + VMLINUX_SYMBOL(_einittext) = .;
19616 + . = ALIGN(PAGE_SIZE);
19617 + } :text.init
19618
19619 - INIT_DATA_SECTION(16)
19620 + /*
19621 + * .exit.text is discard at runtime, not link time, to deal with
19622 + * references from .altinstructions and .eh_frame
19623 + */
19624 + .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
19625 + EXIT_TEXT
19626 + . = ALIGN(16);
19627 + } :text.exit
19628 + . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
19629 +
19630 + . = ALIGN(PAGE_SIZE);
19631 + INIT_DATA_SECTION(16) :init
19632
19633 .x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) {
19634 __x86_cpu_dev_start = .;
19635 @@ -232,19 +313,11 @@ SECTIONS
19636 *(.altinstr_replacement)
19637 }
19638
19639 - /*
19640 - * .exit.text is discard at runtime, not link time, to deal with
19641 - * references from .altinstructions and .eh_frame
19642 - */
19643 - .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
19644 - EXIT_TEXT
19645 - }
19646 -
19647 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
19648 EXIT_DATA
19649 }
19650
19651 -#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
19652 +#ifndef CONFIG_SMP
19653 PERCPU(PAGE_SIZE)
19654 #endif
19655
19656 @@ -267,12 +340,6 @@ SECTIONS
19657 . = ALIGN(PAGE_SIZE);
19658 }
19659
19660 -#ifdef CONFIG_X86_64
19661 - .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
19662 - NOSAVE_DATA
19663 - }
19664 -#endif
19665 -
19666 /* BSS */
19667 . = ALIGN(PAGE_SIZE);
19668 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
19669 @@ -288,6 +355,7 @@ SECTIONS
19670 __brk_base = .;
19671 . += 64 * 1024; /* 64k alignment slop space */
19672 *(.brk_reservation) /* areas brk users have reserved */
19673 + . = ALIGN(HPAGE_SIZE);
19674 __brk_limit = .;
19675 }
19676
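Review bot: `. = ALIGN(HPAGE_SIZE);` before `__brk_limit` is unconditional, while the other huge-page alignments this patch adds to the linker script (in `.data` and `.init.begin`) are wrapped in `#ifdef CONFIG_PAX_KERNEXEC` with a `PAGE_SIZE` fallback. If the padding is only needed for KERNEXEC, guarding it the same way avoids growing the brk area on other configurations. If it is needed always, a trailing comment such as `/* keep __brk_limit huge-page aligned because ... */` should give the reason.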
19677 @@ -316,13 +384,12 @@ SECTIONS
19678 * for the boot processor.
19679 */
19680 #define INIT_PER_CPU(x) init_per_cpu__##x = per_cpu__##x + __per_cpu_load
19681 -INIT_PER_CPU(gdt_page);
19682 INIT_PER_CPU(irq_stack_union);
19683
19684 /*
19685 * Build-time check on the image size:
19686 */
19687 -. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
19688 +. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
19689 "kernel image bigger than KERNEL_IMAGE_SIZE");
19690
19691 #ifdef CONFIG_SMP
19692 diff -urNp linux-2.6.32.49/arch/x86/kernel/vsyscall_64.c linux-2.6.32.49/arch/x86/kernel/vsyscall_64.c
19693 --- linux-2.6.32.49/arch/x86/kernel/vsyscall_64.c 2011-11-08 19:02:43.000000000 -0500
19694 +++ linux-2.6.32.49/arch/x86/kernel/vsyscall_64.c 2011-11-15 19:59:43.000000000 -0500
19695 @@ -80,6 +80,7 @@ void update_vsyscall(struct timespec *wa
19696
19697 write_seqlock_irqsave(&vsyscall_gtod_data.lock, flags);
19698 /* copy vsyscall data */
19699 + strlcpy(vsyscall_gtod_data.clock.name, clock->name, sizeof vsyscall_gtod_data.clock.name);
19700 vsyscall_gtod_data.clock.vread = clock->vread;
19701 vsyscall_gtod_data.clock.cycle_last = clock->cycle_last;
19702 vsyscall_gtod_data.clock.mask = clock->mask;
19703 @@ -203,7 +204,7 @@ vgetcpu(unsigned *cpu, unsigned *node, s
19704 We do this here because otherwise user space would do it on
19705 its own in a likely inferior way (no access to jiffies).
19706 If you don't like it pass NULL. */
19707 - if (tcache && tcache->blob[0] == (j = __jiffies)) {
19708 + if (tcache && tcache->blob[0] == (j = jiffies)) {
19709 p = tcache->blob[1];
19710 } else if (__vgetcpu_mode == VGETCPU_RDTSCP) {
19711 /* Load per CPU data from RDTSCP */
19712 diff -urNp linux-2.6.32.49/arch/x86/kernel/x8664_ksyms_64.c linux-2.6.32.49/arch/x86/kernel/x8664_ksyms_64.c
19713 --- linux-2.6.32.49/arch/x86/kernel/x8664_ksyms_64.c 2011-11-08 19:02:43.000000000 -0500
19714 +++ linux-2.6.32.49/arch/x86/kernel/x8664_ksyms_64.c 2011-11-15 19:59:43.000000000 -0500
19715 @@ -30,8 +30,6 @@ EXPORT_SYMBOL(__put_user_8);
19716
19717 EXPORT_SYMBOL(copy_user_generic);
19718 EXPORT_SYMBOL(__copy_user_nocache);
19719 -EXPORT_SYMBOL(copy_from_user);
19720 -EXPORT_SYMBOL(copy_to_user);
19721 EXPORT_SYMBOL(__copy_from_user_inatomic);
19722
19723 EXPORT_SYMBOL(copy_page);
19724 diff -urNp linux-2.6.32.49/arch/x86/kernel/xsave.c linux-2.6.32.49/arch/x86/kernel/xsave.c
19725 --- linux-2.6.32.49/arch/x86/kernel/xsave.c 2011-11-08 19:02:43.000000000 -0500
19726 +++ linux-2.6.32.49/arch/x86/kernel/xsave.c 2011-11-15 19:59:43.000000000 -0500
19727 @@ -54,7 +54,7 @@ int check_for_xstate(struct i387_fxsave_
19728 fx_sw_user->xstate_size > fx_sw_user->extended_size)
19729 return -1;
19730
19731 - err = __get_user(magic2, (__u32 *) (((void *)fpstate) +
19732 + err = __get_user(magic2, (__u32 __user *) (((void __user *)fpstate) +
19733 fx_sw_user->extended_size -
19734 FP_XSTATE_MAGIC2_SIZE));
19735 /*
19736 @@ -196,7 +196,7 @@ fx_only:
19737 * the other extended state.
19738 */
19739 xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
19740 - return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
19741 + return fxrstor_checking((struct i387_fxsave_struct __force_kernel *)buf);
19742 }
19743
19744 /*
19745 @@ -228,7 +228,7 @@ int restore_i387_xstate(void __user *buf
19746 if (task_thread_info(tsk)->status & TS_XSAVE)
19747 err = restore_user_xstate(buf);
19748 else
19749 - err = fxrstor_checking((__force struct i387_fxsave_struct *)
19750 + err = fxrstor_checking((struct i387_fxsave_struct __user *)
19751 buf);
19752 if (unlikely(err)) {
19753 /*
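Review bot: The two fxrstor_checking() call sites in this file now disagree on the pointer's address space: the fx_only path casts `buf` with `__force_kernel`, while this call in restore_i387_xstate() casts it to `struct i387_fxsave_struct __user *`. The helper's prototype is outside these hunks, so I cannot tell which annotation it expects, but under sparse at most one of the two casts can match a single prototype. I would make the casts agree with the prototype and add a short comment at each one, for example `/* buf is a user pointer; fxrstor_checking() handles the fault */`, so the intended trust boundary is explicit. Both function bodies continue outside their hunks.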
19754 diff -urNp linux-2.6.32.49/arch/x86/kvm/emulate.c linux-2.6.32.49/arch/x86/kvm/emulate.c
19755 --- linux-2.6.32.49/arch/x86/kvm/emulate.c 2011-11-08 19:02:43.000000000 -0500
19756 +++ linux-2.6.32.49/arch/x86/kvm/emulate.c 2011-11-15 19:59:43.000000000 -0500
19757 @@ -81,8 +81,8 @@
19758 #define Src2CL (1<<29)
19759 #define Src2ImmByte (2<<29)
19760 #define Src2One (3<<29)
19761 -#define Src2Imm16 (4<<29)
19762 -#define Src2Mask (7<<29)
19763 +#define Src2Imm16 (4U<<29)
19764 +#define Src2Mask (7U<<29)
19765
19766 enum {
19767 Group1_80, Group1_81, Group1_82, Group1_83,
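Review bot: Only `Src2Imm16` and `Src2Mask` become unsigned here, so the Src2 field is now described by a mix of `int` and `unsigned int` constants. `7<<29` did overflow a signed int, so the `U` suffix is the right fix, but `Src2CL`, `Src2ImmByte` and `Src2One` are combined with and compared against the same mask. I would give the whole group the suffix, e.g. `#define Src2One (3U<<29)`, so a comparison against `Src2Mask` never depends on implicit signed-to-unsigned conversion.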
19768 @@ -411,6 +411,7 @@ static u32 group2_table[] = {
19769
19770 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
19771 do { \
19772 + unsigned long _tmp; \
19773 __asm__ __volatile__ ( \
19774 _PRE_EFLAGS("0", "4", "2") \
19775 _op _suffix " %"_x"3,%1; " \
19776 @@ -424,8 +425,6 @@ static u32 group2_table[] = {
19777 /* Raw emulation: instruction has two explicit operands. */
19778 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
19779 do { \
19780 - unsigned long _tmp; \
19781 - \
19782 switch ((_dst).bytes) { \
19783 case 2: \
19784 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
19785 @@ -441,7 +440,6 @@ static u32 group2_table[] = {
19786
19787 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
19788 do { \
19789 - unsigned long _tmp; \
19790 switch ((_dst).bytes) { \
19791 case 1: \
19792 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
19793 diff -urNp linux-2.6.32.49/arch/x86/kvm/lapic.c linux-2.6.32.49/arch/x86/kvm/lapic.c
19794 --- linux-2.6.32.49/arch/x86/kvm/lapic.c 2011-11-08 19:02:43.000000000 -0500
19795 +++ linux-2.6.32.49/arch/x86/kvm/lapic.c 2011-11-15 19:59:43.000000000 -0500
19796 @@ -52,7 +52,7 @@
19797 #define APIC_BUS_CYCLE_NS 1
19798
19799 /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
19800 -#define apic_debug(fmt, arg...)
19801 +#define apic_debug(fmt, arg...) do {} while (0)
19802
19803 #define APIC_LVT_NUM 6
19804 /* 14 is the version for Xeon and Pentium 8.4.8*/
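Review bot: Defining the disabled `apic_debug()` as `do {} while (0)` makes it a proper statement, but it still discards its arguments, so format strings and argument types at the call sites are never checked. A form that keeps the compiler looking at the arguments without emitting code is `#define apic_debug(fmt, arg...) do { if (0) printk(KERN_WARNING fmt, ##arg); } while (0)`. This also keeps variables that are used only for debug output from triggering unused-variable warnings.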
19805 diff -urNp linux-2.6.32.49/arch/x86/kvm/paging_tmpl.h linux-2.6.32.49/arch/x86/kvm/paging_tmpl.h
19806 --- linux-2.6.32.49/arch/x86/kvm/paging_tmpl.h 2011-11-08 19:02:43.000000000 -0500
19807 +++ linux-2.6.32.49/arch/x86/kvm/paging_tmpl.h 2011-11-18 18:01:55.000000000 -0500
19808 @@ -416,6 +416,8 @@ static int FNAME(page_fault)(struct kvm_
19809 int level = PT_PAGE_TABLE_LEVEL;
19810 unsigned long mmu_seq;
19811
19812 + pax_track_stack();
19813 +
19814 pgprintk("%s: addr %lx err %x\n", __func__, addr, error_code);
19815 kvm_mmu_audit(vcpu, "pre page fault");
19816
19817 @@ -461,6 +463,7 @@ static int FNAME(page_fault)(struct kvm_
19818 kvm_mmu_free_some_pages(vcpu);
19819 sptep = FNAME(fetch)(vcpu, addr, &walker, user_fault, write_fault,
19820 level, &write_pt, pfn);
19821 + (void)sptep;
19822 pgprintk("%s: shadow pte %p %llx ptwrite %d\n", __func__,
19823 sptep, *sptep, write_pt);
19824
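Review bot: The added `(void)sptep;` has no comment, and without one it reads as dead code that a later cleanup may remove. It presumably exists because `sptep` is only read by `pgprintk()`, which can compile to nothing. If so, a comment such as `/* sptep is only consumed by pgprintk(); keep the compiler quiet when that is compiled out */` would record the reason. The body of the page_fault function continues outside the hunk.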
19825 diff -urNp linux-2.6.32.49/arch/x86/kvm/svm.c linux-2.6.32.49/arch/x86/kvm/svm.c
19826 --- linux-2.6.32.49/arch/x86/kvm/svm.c 2011-11-08 19:02:43.000000000 -0500
19827 +++ linux-2.6.32.49/arch/x86/kvm/svm.c 2011-11-15 19:59:43.000000000 -0500
19828 @@ -2486,7 +2486,11 @@ static void reload_tss(struct kvm_vcpu *
19829 int cpu = raw_smp_processor_id();
19830
19831 struct svm_cpu_data *svm_data = per_cpu(svm_data, cpu);
19832 +
19833 + pax_open_kernel();
19834 svm_data->tss_desc->type = 9; /* available 32/64-bit TSS */
19835 + pax_close_kernel();
19836 +
19837 load_TR_desc();
19838 }
19839
19840 @@ -2947,7 +2951,7 @@ static bool svm_gb_page_enable(void)
19841 return true;
19842 }
19843
19844 -static struct kvm_x86_ops svm_x86_ops = {
19845 +static const struct kvm_x86_ops svm_x86_ops = {
19846 .cpu_has_kvm_support = has_svm,
19847 .disabled_by_bios = is_disabled,
19848 .hardware_setup = svm_hardware_setup,
19849 diff -urNp linux-2.6.32.49/arch/x86/kvm/vmx.c linux-2.6.32.49/arch/x86/kvm/vmx.c
19850 --- linux-2.6.32.49/arch/x86/kvm/vmx.c 2011-11-08 19:02:43.000000000 -0500
19851 +++ linux-2.6.32.49/arch/x86/kvm/vmx.c 2011-11-15 19:59:43.000000000 -0500
19852 @@ -570,7 +570,11 @@ static void reload_tss(void)
19853
19854 kvm_get_gdt(&gdt);
19855 descs = (void *)gdt.base;
19856 +
19857 + pax_open_kernel();
19858 descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
19859 + pax_close_kernel();
19860 +
19861 load_TR_desc();
19862 }
19863
19864 @@ -1410,8 +1414,11 @@ static __init int hardware_setup(void)
19865 if (!cpu_has_vmx_flexpriority())
19866 flexpriority_enabled = 0;
19867
19868 - if (!cpu_has_vmx_tpr_shadow())
19869 - kvm_x86_ops->update_cr8_intercept = NULL;
19870 + if (!cpu_has_vmx_tpr_shadow()) {
19871 + pax_open_kernel();
19872 + *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
19873 + pax_close_kernel();
19874 + }
19875
19876 if (enable_ept && !cpu_has_vmx_ept_2m_page())
19877 kvm_disable_largepages();
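Review bot: The store `*(void **)&kvm_x86_ops->update_cr8_intercept = NULL;` writes through a pointer that this patch makes `const`, and nothing at the site says why. A later hunk in this file also declares the target, `vmx_x86_ops`, as `static const`. The language treats a store into an object defined const as undefined, so this relies on the compiler not caching the member and on `pax_open_kernel()` making the page writable, which I infer from the name. I would add a comment above the block such as `/* ops table is const and read-only after init; this is the only slot patched at setup time */`. If more slots ever need this, a small helper that takes the slot address would keep the cast in one place. hardware_setup() continues outside the hunk.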
19878 @@ -2362,7 +2369,7 @@ static int vmx_vcpu_setup(struct vcpu_vm
19879 vmcs_writel(HOST_IDTR_BASE, dt.base); /* 22.2.4 */
19880
19881 asm("mov $.Lkvm_vmx_return, %0" : "=r"(kvm_vmx_return));
19882 - vmcs_writel(HOST_RIP, kvm_vmx_return); /* 22.2.5 */
19883 + vmcs_writel(HOST_RIP, ktla_ktva(kvm_vmx_return)); /* 22.2.5 */
19884 vmcs_write32(VM_EXIT_MSR_STORE_COUNT, 0);
19885 vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, 0);
19886 vmcs_write32(VM_ENTRY_MSR_LOAD_COUNT, 0);
19887 @@ -3718,6 +3725,12 @@ static void vmx_vcpu_run(struct kvm_vcpu
19888 "jmp .Lkvm_vmx_return \n\t"
19889 ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
19890 ".Lkvm_vmx_return: "
19891 +
19892 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
19893 + "ljmp %[cs],$.Lkvm_vmx_return2\n\t"
19894 + ".Lkvm_vmx_return2: "
19895 +#endif
19896 +
19897 /* Save guest registers, load host registers, keep flags */
19898 "xchg %0, (%%"R"sp) \n\t"
19899 "mov %%"R"ax, %c[rax](%0) \n\t"
19900 @@ -3764,8 +3777,13 @@ static void vmx_vcpu_run(struct kvm_vcpu
19901 [r15]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R15])),
19902 #endif
19903 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2))
19904 +
19905 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
19906 + ,[cs]"i"(__KERNEL_CS)
19907 +#endif
19908 +
19909 : "cc", "memory"
19910 - , R"bx", R"di", R"si"
19911 + , R"ax", R"bx", R"di", R"si"
19912 #ifdef CONFIG_X86_64
19913 , "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"
19914 #endif
19915 @@ -3782,7 +3800,16 @@ static void vmx_vcpu_run(struct kvm_vcpu
19916 if (vmx->rmode.irq.pending)
19917 fixup_rmode_irq(vmx);
19918
19919 - asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
19920 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r"(__KERNEL_DS));
19921 +
19922 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
19923 + loadsegment(fs, __KERNEL_PERCPU);
19924 +#endif
19925 +
19926 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
19927 + __set_fs(current_thread_info()->addr_limit);
19928 +#endif
19929 +
19930 vmx->launched = 1;
19931
19932 vmx_complete_interrupts(vmx);
19933 @@ -3957,7 +3984,7 @@ static bool vmx_gb_page_enable(void)
19934 return false;
19935 }
19936
19937 -static struct kvm_x86_ops vmx_x86_ops = {
19938 +static const struct kvm_x86_ops vmx_x86_ops = {
19939 .cpu_has_kvm_support = cpu_has_kvm_support,
19940 .disabled_by_bios = vmx_disabled_by_bios,
19941 .hardware_setup = hardware_setup,
19942 diff -urNp linux-2.6.32.49/arch/x86/kvm/x86.c linux-2.6.32.49/arch/x86/kvm/x86.c
19943 --- linux-2.6.32.49/arch/x86/kvm/x86.c 2011-11-08 19:02:43.000000000 -0500
19944 +++ linux-2.6.32.49/arch/x86/kvm/x86.c 2011-11-15 19:59:43.000000000 -0500
19945 @@ -82,7 +82,7 @@ static void update_cr8_intercept(struct
19946 static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
19947 struct kvm_cpuid_entry2 __user *entries);
19948
19949 -struct kvm_x86_ops *kvm_x86_ops;
19950 +const struct kvm_x86_ops *kvm_x86_ops;
19951 EXPORT_SYMBOL_GPL(kvm_x86_ops);
19952
19953 int ignore_msrs = 0;
19954 @@ -1430,15 +1430,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(str
19955 struct kvm_cpuid2 *cpuid,
19956 struct kvm_cpuid_entry2 __user *entries)
19957 {
19958 - int r;
19959 + int r, i;
19960
19961 r = -E2BIG;
19962 if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)
19963 goto out;
19964 r = -EFAULT;
19965 - if (copy_from_user(&vcpu->arch.cpuid_entries, entries,
19966 - cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
19967 + if (!access_ok(VERIFY_READ, entries, cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
19968 goto out;
19969 + for (i = 0; i < cpuid->nent; ++i) {
19970 + struct kvm_cpuid_entry2 cpuid_entry;
19971 + if (__copy_from_user(&cpuid_entry, entries + i, sizeof(cpuid_entry)))
19972 + goto out;
19973 + vcpu->arch.cpuid_entries[i] = cpuid_entry;
19974 + }
19975 vcpu->arch.cpuid_nent = cpuid->nent;
19976 kvm_apic_set_version(vcpu);
19977 return 0;
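Review bot: The new loop index is declared as `int i` but is compared against `cpuid->nent`, which is an unsigned 32-bit field in the KVM ABI. It is safe today only because of the `KVM_MAX_CPUID_ENTRIES` check above it, so I would declare the index as `unsigned int i;` to remove that dependency. The kvm_vcpu_ioctl_get_cpuid2() hunk that follows uses the same loop shape. Separately, a fault part-way through the loop leaves the first `i` entries of `vcpu->arch.cpuid_entries` replaced while `cpuid_nent` still describes the old table. The old single `copy_from_user()` could also stop part-way, so this is not a regression, but it is worth a comment since the copy is now explicitly entry by entry. The function's `out:` path is outside the hunk.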
19978 @@ -1451,16 +1456,20 @@ static int kvm_vcpu_ioctl_get_cpuid2(str
19979 struct kvm_cpuid2 *cpuid,
19980 struct kvm_cpuid_entry2 __user *entries)
19981 {
19982 - int r;
19983 + int r, i;
19984
19985 vcpu_load(vcpu);
19986 r = -E2BIG;
19987 if (cpuid->nent < vcpu->arch.cpuid_nent)
19988 goto out;
19989 r = -EFAULT;
19990 - if (copy_to_user(entries, &vcpu->arch.cpuid_entries,
19991 - vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
19992 + if (!access_ok(VERIFY_WRITE, entries, vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
19993 goto out;
19994 + for (i = 0; i < vcpu->arch.cpuid_nent; ++i) {
19995 + struct kvm_cpuid_entry2 cpuid_entry = vcpu->arch.cpuid_entries[i];
19996 + if (__copy_to_user(entries + i, &cpuid_entry, sizeof(cpuid_entry)))
19997 + goto out;
19998 + }
19999 return 0;
20000
20001 out:
20002 @@ -1678,7 +1687,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
20003 static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
20004 struct kvm_interrupt *irq)
20005 {
20006 - if (irq->irq < 0 || irq->irq >= 256)
20007 + if (irq->irq >= 256)
20008 return -EINVAL;
20009 if (irqchip_in_kernel(vcpu->kvm))
20010 return -ENXIO;
20011 @@ -3260,10 +3269,10 @@ static struct notifier_block kvmclock_cp
20012 .notifier_call = kvmclock_cpufreq_notifier
20013 };
20014
20015 -int kvm_arch_init(void *opaque)
20016 +int kvm_arch_init(const void *opaque)
20017 {
20018 int r, cpu;
20019 - struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
20020 + const struct kvm_x86_ops *ops = (const struct kvm_x86_ops *)opaque;
20021
20022 if (kvm_x86_ops) {
20023 printk(KERN_ERR "kvm: already loaded the other module\n");
20024 diff -urNp linux-2.6.32.49/arch/x86/lguest/boot.c linux-2.6.32.49/arch/x86/lguest/boot.c
20025 --- linux-2.6.32.49/arch/x86/lguest/boot.c 2011-11-08 19:02:43.000000000 -0500
20026 +++ linux-2.6.32.49/arch/x86/lguest/boot.c 2011-11-15 19:59:43.000000000 -0500
20027 @@ -1172,9 +1172,10 @@ static __init int early_put_chars(u32 vt
20028 * Rebooting also tells the Host we're finished, but the RESTART flag tells the
20029 * Launcher to reboot us.
20030 */
20031 -static void lguest_restart(char *reason)
20032 +static __noreturn void lguest_restart(char *reason)
20033 {
20034 kvm_hypercall2(LHCALL_SHUTDOWN, __pa(reason), LGUEST_SHUTDOWN_RESTART);
20035 + BUG();
20036 }
20037
20038 /*G:050
20039 diff -urNp linux-2.6.32.49/arch/x86/lib/atomic64_32.c linux-2.6.32.49/arch/x86/lib/atomic64_32.c
20040 --- linux-2.6.32.49/arch/x86/lib/atomic64_32.c 2011-11-08 19:02:43.000000000 -0500
20041 +++ linux-2.6.32.49/arch/x86/lib/atomic64_32.c 2011-11-15 19:59:43.000000000 -0500
20042 @@ -25,6 +25,12 @@ u64 atomic64_cmpxchg(atomic64_t *ptr, u6
20043 }
20044 EXPORT_SYMBOL(atomic64_cmpxchg);
20045
20046 +u64 atomic64_cmpxchg_unchecked(atomic64_unchecked_t *ptr, u64 old_val, u64 new_val)
20047 +{
20048 + return cmpxchg8b(&ptr->counter, old_val, new_val);
20049 +}
20050 +EXPORT_SYMBOL(atomic64_cmpxchg_unchecked);
20051 +
20052 /**
20053 * atomic64_xchg - xchg atomic64 variable
20054 * @ptr: pointer to type atomic64_t
20055 @@ -56,6 +62,36 @@ u64 atomic64_xchg(atomic64_t *ptr, u64 n
20056 EXPORT_SYMBOL(atomic64_xchg);
20057
20058 /**
20059 + * atomic64_xchg_unchecked - xchg atomic64 variable
20060 + * @ptr: pointer to type atomic64_unchecked_t
20061 + * @new_val: value to assign
20062 + *
20063 + * Atomically xchgs the value of @ptr to @new_val and returns
20064 + * the old value.
20065 + */
20066 +u64 atomic64_xchg_unchecked(atomic64_unchecked_t *ptr, u64 new_val)
20067 +{
20068 + /*
20069 + * Try first with a (possibly incorrect) assumption about
20070 + * what we have there. We'll do two loops most likely,
20071 + * but we'll get an ownership MESI transaction straight away
20072 + * instead of a read transaction followed by a
20073 + * flush-for-ownership transaction:
20074 + */
20075 + u64 old_val, real_val = 0;
20076 +
20077 + do {
20078 + old_val = real_val;
20079 +
20080 + real_val = atomic64_cmpxchg_unchecked(ptr, old_val, new_val);
20081 +
20082 + } while (real_val != old_val);
20083 +
20084 + return old_val;
20085 +}
20086 +EXPORT_SYMBOL(atomic64_xchg_unchecked);
20087 +
20088 +/**
20089 * atomic64_set - set atomic64 variable
20090 * @ptr: pointer to type atomic64_t
20091 * @new_val: value to assign
20092 @@ -69,7 +105,19 @@ void atomic64_set(atomic64_t *ptr, u64 n
20093 EXPORT_SYMBOL(atomic64_set);
20094
20095 /**
20096 -EXPORT_SYMBOL(atomic64_read);
20097 + * atomic64_unchecked_set - set atomic64 variable
20098 + * @ptr: pointer to type atomic64_unchecked_t
20099 + * @new_val: value to assign
20100 + *
20101 + * Atomically sets the value of @ptr to @new_val.
20102 + */
20103 +void atomic64_set_unchecked(atomic64_unchecked_t *ptr, u64 new_val)
20104 +{
20105 + atomic64_xchg_unchecked(ptr, new_val);
20106 +}
20107 +EXPORT_SYMBOL(atomic64_set_unchecked);
20108 +
20109 +/**
20110 * atomic64_add_return - add and return
20111 * @delta: integer value to add
20112 * @ptr: pointer to type atomic64_t
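Review bot: The kernel-doc header added here names `atomic64_unchecked_set`, but the function it documents is `atomic64_set_unchecked`. Every other helper added in this file section uses the `_unchecked` suffix, so this looks like a typo, and kernel-doc tooling would attach the comment to a symbol that does not exist. The header line should read ` * atomic64_set_unchecked - set atomic64 variable`.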
20113 @@ -99,24 +147,72 @@ noinline u64 atomic64_add_return(u64 del
20114 }
20115 EXPORT_SYMBOL(atomic64_add_return);
20116
20117 +/**
20118 + * atomic64_add_return_unchecked - add and return
20119 + * @delta: integer value to add
20120 + * @ptr: pointer to type atomic64_unchecked_t
20121 + *
20122 + * Atomically adds @delta to @ptr and returns @delta + *@ptr
20123 + */
20124 +noinline u64 atomic64_add_return_unchecked(u64 delta, atomic64_unchecked_t *ptr)
20125 +{
20126 + /*
20127 + * Try first with a (possibly incorrect) assumption about
20128 + * what we have there. We'll do two loops most likely,
20129 + * but we'll get an ownership MESI transaction straight away
20130 + * instead of a read transaction followed by a
20131 + * flush-for-ownership transaction:
20132 + */
20133 + u64 old_val, new_val, real_val = 0;
20134 +
20135 + do {
20136 + old_val = real_val;
20137 + new_val = old_val + delta;
20138 +
20139 + real_val = atomic64_cmpxchg_unchecked(ptr, old_val, new_val);
20140 +
20141 + } while (real_val != old_val);
20142 +
20143 + return new_val;
20144 +}
20145 +EXPORT_SYMBOL(atomic64_add_return_unchecked);
20146 +
20147 u64 atomic64_sub_return(u64 delta, atomic64_t *ptr)
20148 {
20149 return atomic64_add_return(-delta, ptr);
20150 }
20151 EXPORT_SYMBOL(atomic64_sub_return);
20152
20153 +u64 atomic64_sub_return_unchecked(u64 delta, atomic64_unchecked_t *ptr)
20154 +{
20155 + return atomic64_add_return_unchecked(-delta, ptr);
20156 +}
20157 +EXPORT_SYMBOL(atomic64_sub_return_unchecked);
20158 +
20159 u64 atomic64_inc_return(atomic64_t *ptr)
20160 {
20161 return atomic64_add_return(1, ptr);
20162 }
20163 EXPORT_SYMBOL(atomic64_inc_return);
20164
20165 +u64 atomic64_inc_return_unchecked(atomic64_unchecked_t *ptr)
20166 +{
20167 + return atomic64_add_return_unchecked(1, ptr);
20168 +}
20169 +EXPORT_SYMBOL(atomic64_inc_return_unchecked);
20170 +
20171 u64 atomic64_dec_return(atomic64_t *ptr)
20172 {
20173 return atomic64_sub_return(1, ptr);
20174 }
20175 EXPORT_SYMBOL(atomic64_dec_return);
20176
20177 +u64 atomic64_dec_return_unchecked(atomic64_unchecked_t *ptr)
20178 +{
20179 + return atomic64_sub_return_unchecked(1, ptr);
20180 +}
20181 +EXPORT_SYMBOL(atomic64_dec_return_unchecked);
20182 +
20183 /**
20184 * atomic64_add - add integer to atomic64 variable
20185 * @delta: integer value to add
20186 @@ -131,6 +227,19 @@ void atomic64_add(u64 delta, atomic64_t
20187 EXPORT_SYMBOL(atomic64_add);
20188
20189 /**
20190 + * atomic64_add_unchecked - add integer to atomic64 variable
20191 + * @delta: integer value to add
20192 + * @ptr: pointer to type atomic64_unchecked_t
20193 + *
20194 + * Atomically adds @delta to @ptr.
20195 + */
20196 +void atomic64_add_unchecked(u64 delta, atomic64_unchecked_t *ptr)
20197 +{
20198 + atomic64_add_return_unchecked(delta, ptr);
20199 +}
20200 +EXPORT_SYMBOL(atomic64_add_unchecked);
20201 +
20202 +/**
20203 * atomic64_sub - subtract the atomic64 variable
20204 * @delta: integer value to subtract
20205 * @ptr: pointer to type atomic64_t
20206 @@ -144,6 +253,19 @@ void atomic64_sub(u64 delta, atomic64_t
20207 EXPORT_SYMBOL(atomic64_sub);
20208
20209 /**
20210 + * atomic64_sub_unchecked - subtract the atomic64 variable
20211 + * @delta: integer value to subtract
20212 + * @ptr: pointer to type atomic64_unchecked_t
20213 + *
20214 + * Atomically subtracts @delta from @ptr.
20215 + */
20216 +void atomic64_sub_unchecked(u64 delta, atomic64_unchecked_t *ptr)
20217 +{
20218 + atomic64_add_unchecked(-delta, ptr);
20219 +}
20220 +EXPORT_SYMBOL(atomic64_sub_unchecked);
20221 +
20222 +/**
20223 * atomic64_sub_and_test - subtract value from variable and test result
20224 * @delta: integer value to subtract
20225 * @ptr: pointer to type atomic64_t
20226 @@ -173,6 +295,18 @@ void atomic64_inc(atomic64_t *ptr)
20227 EXPORT_SYMBOL(atomic64_inc);
20228
20229 /**
20230 + * atomic64_inc_unchecked - increment atomic64 variable
20231 + * @ptr: pointer to type atomic64_unchecked_t
20232 + *
20233 + * Atomically increments @ptr by 1.
20234 + */
20235 +void atomic64_inc_unchecked(atomic64_unchecked_t *ptr)
20236 +{
20237 + atomic64_add_unchecked(1, ptr);
20238 +}
20239 +EXPORT_SYMBOL(atomic64_inc_unchecked);
20240 +
20241 +/**
20242 * atomic64_dec - decrement atomic64 variable
20243 * @ptr: pointer to type atomic64_t
20244 *
20245 @@ -185,6 +319,18 @@ void atomic64_dec(atomic64_t *ptr)
20246 EXPORT_SYMBOL(atomic64_dec);
20247
20248 /**
20249 + * atomic64_dec_unchecked - decrement atomic64 variable
20250 + * @ptr: pointer to type atomic64_unchecked_t
20251 + *
20252 + * Atomically decrements @ptr by 1.
20253 + */
20254 +void atomic64_dec_unchecked(atomic64_unchecked_t *ptr)
20255 +{
20256 + atomic64_sub_unchecked(1, ptr);
20257 +}
20258 +EXPORT_SYMBOL(atomic64_dec_unchecked);
20259 +
20260 +/**
20261 * atomic64_dec_and_test - decrement and test
20262 * @ptr: pointer to type atomic64_t
20263 *
20264 diff -urNp linux-2.6.32.49/arch/x86/lib/checksum_32.S linux-2.6.32.49/arch/x86/lib/checksum_32.S
20265 --- linux-2.6.32.49/arch/x86/lib/checksum_32.S 2011-11-08 19:02:43.000000000 -0500
20266 +++ linux-2.6.32.49/arch/x86/lib/checksum_32.S 2011-11-15 19:59:43.000000000 -0500
20267 @@ -28,7 +28,8 @@
20268 #include <linux/linkage.h>
20269 #include <asm/dwarf2.h>
20270 #include <asm/errno.h>
20271 -
20272 +#include <asm/segment.h>
20273 +
20274 /*
20275 * computes a partial checksum, e.g. for TCP/UDP fragments
20276 */
20277 @@ -304,9 +305,28 @@ unsigned int csum_partial_copy_generic (
20278
20279 #define ARGBASE 16
20280 #define FP 12
20281 -
20282 -ENTRY(csum_partial_copy_generic)
20283 +
20284 +ENTRY(csum_partial_copy_generic_to_user)
20285 CFI_STARTPROC
20286 +
20287 +#ifdef CONFIG_PAX_MEMORY_UDEREF
20288 + pushl %gs
20289 + CFI_ADJUST_CFA_OFFSET 4
20290 + popl %es
20291 + CFI_ADJUST_CFA_OFFSET -4
20292 + jmp csum_partial_copy_generic
20293 +#endif
20294 +
20295 +ENTRY(csum_partial_copy_generic_from_user)
20296 +
20297 +#ifdef CONFIG_PAX_MEMORY_UDEREF
20298 + pushl %gs
20299 + CFI_ADJUST_CFA_OFFSET 4
20300 + popl %ds
20301 + CFI_ADJUST_CFA_OFFSET -4
20302 +#endif
20303 +
20304 +ENTRY(csum_partial_copy_generic)
20305 subl $4,%esp
20306 CFI_ADJUST_CFA_OFFSET 4
20307 pushl %edi
20308 @@ -331,7 +351,7 @@ ENTRY(csum_partial_copy_generic)
20309 jmp 4f
20310 SRC(1: movw (%esi), %bx )
20311 addl $2, %esi
20312 -DST( movw %bx, (%edi) )
20313 +DST( movw %bx, %es:(%edi) )
20314 addl $2, %edi
20315 addw %bx, %ax
20316 adcl $0, %eax
20317 @@ -343,30 +363,30 @@ DST( movw %bx, (%edi) )
20318 SRC(1: movl (%esi), %ebx )
20319 SRC( movl 4(%esi), %edx )
20320 adcl %ebx, %eax
20321 -DST( movl %ebx, (%edi) )
20322 +DST( movl %ebx, %es:(%edi) )
20323 adcl %edx, %eax
20324 -DST( movl %edx, 4(%edi) )
20325 +DST( movl %edx, %es:4(%edi) )
20326
20327 SRC( movl 8(%esi), %ebx )
20328 SRC( movl 12(%esi), %edx )
20329 adcl %ebx, %eax
20330 -DST( movl %ebx, 8(%edi) )
20331 +DST( movl %ebx, %es:8(%edi) )
20332 adcl %edx, %eax
20333 -DST( movl %edx, 12(%edi) )
20334 +DST( movl %edx, %es:12(%edi) )
20335
20336 SRC( movl 16(%esi), %ebx )
20337 SRC( movl 20(%esi), %edx )
20338 adcl %ebx, %eax
20339 -DST( movl %ebx, 16(%edi) )
20340 +DST( movl %ebx, %es:16(%edi) )
20341 adcl %edx, %eax
20342 -DST( movl %edx, 20(%edi) )
20343 +DST( movl %edx, %es:20(%edi) )
20344
20345 SRC( movl 24(%esi), %ebx )
20346 SRC( movl 28(%esi), %edx )
20347 adcl %ebx, %eax
20348 -DST( movl %ebx, 24(%edi) )
20349 +DST( movl %ebx, %es:24(%edi) )
20350 adcl %edx, %eax
20351 -DST( movl %edx, 28(%edi) )
20352 +DST( movl %edx, %es:28(%edi) )
20353
20354 lea 32(%esi), %esi
20355 lea 32(%edi), %edi
20356 @@ -380,7 +400,7 @@ DST( movl %edx, 28(%edi) )
20357 shrl $2, %edx # This clears CF
20358 SRC(3: movl (%esi), %ebx )
20359 adcl %ebx, %eax
20360 -DST( movl %ebx, (%edi) )
20361 +DST( movl %ebx, %es:(%edi) )
20362 lea 4(%esi), %esi
20363 lea 4(%edi), %edi
20364 dec %edx
20365 @@ -392,12 +412,12 @@ DST( movl %ebx, (%edi) )
20366 jb 5f
20367 SRC( movw (%esi), %cx )
20368 leal 2(%esi), %esi
20369 -DST( movw %cx, (%edi) )
20370 +DST( movw %cx, %es:(%edi) )
20371 leal 2(%edi), %edi
20372 je 6f
20373 shll $16,%ecx
20374 SRC(5: movb (%esi), %cl )
20375 -DST( movb %cl, (%edi) )
20376 +DST( movb %cl, %es:(%edi) )
20377 6: addl %ecx, %eax
20378 adcl $0, %eax
20379 7:
20380 @@ -408,7 +428,7 @@ DST( movb %cl, (%edi) )
20381
20382 6001:
20383 movl ARGBASE+20(%esp), %ebx # src_err_ptr
20384 - movl $-EFAULT, (%ebx)
20385 + movl $-EFAULT, %ss:(%ebx)
20386
20387 # zero the complete destination - computing the rest
20388 # is too much work
20389 @@ -421,11 +441,19 @@ DST( movb %cl, (%edi) )
20390
20391 6002:
20392 movl ARGBASE+24(%esp), %ebx # dst_err_ptr
20393 - movl $-EFAULT,(%ebx)
20394 + movl $-EFAULT,%ss:(%ebx)
20395 jmp 5000b
20396
20397 .previous
20398
20399 + pushl %ss
20400 + CFI_ADJUST_CFA_OFFSET 4
20401 + popl %ds
20402 + CFI_ADJUST_CFA_OFFSET -4
20403 + pushl %ss
20404 + CFI_ADJUST_CFA_OFFSET 4
20405 + popl %es
20406 + CFI_ADJUST_CFA_OFFSET -4
20407 popl %ebx
20408 CFI_ADJUST_CFA_OFFSET -4
20409 CFI_RESTORE ebx
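Review bot: The `pushl %ss` / `popl %ds` / `pushl %ss` / `popl %es` sequence added to this epilogue is unconditional, while the segment overrides at both entry points are guarded by `#ifdef CONFIG_PAX_MEMORY_UDEREF`. The PentiumII/PPro variant later in the same file section does wrap the identical four instructions in that guard. Without it, kernels built without UDEREF reload two segment registers on every call for no benefit, and the two variants of the routine differ for no visible reason. I would put `#ifdef CONFIG_PAX_MEMORY_UDEREF` before the first `pushl %ss` and `#endif` after the last `CFI_ADJUST_CFA_OFFSET -4`.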
20410 @@ -439,26 +467,47 @@ DST( movb %cl, (%edi) )
20411 CFI_ADJUST_CFA_OFFSET -4
20412 ret
20413 CFI_ENDPROC
20414 -ENDPROC(csum_partial_copy_generic)
20415 +ENDPROC(csum_partial_copy_generic_to_user)
20416
20417 #else
20418
20419 /* Version for PentiumII/PPro */
20420
20421 #define ROUND1(x) \
20422 + nop; nop; nop; \
20423 SRC(movl x(%esi), %ebx ) ; \
20424 addl %ebx, %eax ; \
20425 - DST(movl %ebx, x(%edi) ) ;
20426 + DST(movl %ebx, %es:x(%edi)) ;
20427
20428 #define ROUND(x) \
20429 + nop; nop; nop; \
20430 SRC(movl x(%esi), %ebx ) ; \
20431 adcl %ebx, %eax ; \
20432 - DST(movl %ebx, x(%edi) ) ;
20433 + DST(movl %ebx, %es:x(%edi)) ;
20434
20435 #define ARGBASE 12
20436 -
20437 -ENTRY(csum_partial_copy_generic)
20438 +
20439 +ENTRY(csum_partial_copy_generic_to_user)
20440 CFI_STARTPROC
20441 +
20442 +#ifdef CONFIG_PAX_MEMORY_UDEREF
20443 + pushl %gs
20444 + CFI_ADJUST_CFA_OFFSET 4
20445 + popl %es
20446 + CFI_ADJUST_CFA_OFFSET -4
20447 + jmp csum_partial_copy_generic
20448 +#endif
20449 +
20450 +ENTRY(csum_partial_copy_generic_from_user)
20451 +
20452 +#ifdef CONFIG_PAX_MEMORY_UDEREF
20453 + pushl %gs
20454 + CFI_ADJUST_CFA_OFFSET 4
20455 + popl %ds
20456 + CFI_ADJUST_CFA_OFFSET -4
20457 +#endif
20458 +
20459 +ENTRY(csum_partial_copy_generic)
20460 pushl %ebx
20461 CFI_ADJUST_CFA_OFFSET 4
20462 CFI_REL_OFFSET ebx, 0
20463 @@ -482,7 +531,7 @@ ENTRY(csum_partial_copy_generic)
20464 subl %ebx, %edi
20465 lea -1(%esi),%edx
20466 andl $-32,%edx
20467 - lea 3f(%ebx,%ebx), %ebx
20468 + lea 3f(%ebx,%ebx,2), %ebx
20469 testl %esi, %esi
20470 jmp *%ebx
20471 1: addl $64,%esi
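Review bot: The new scale in `lea 3f(%ebx,%ebx,2), %ebx` is only correct while every ROUND expansion assembles to the exact length this multiplier assumes, and nothing in the file records that dependency. The ROUND and ROUND1 macros in the preceding hunk gain `nop; nop; nop;` and an `%es:` override, presumably to pad each expansion to that length. If a macro or assembler change alters the encoding, the computed `jmp *%ebx` will land in the middle of an instruction. I would add a comment next to the `lea`, and a matching one on the macros, that states the per-ROUND byte count once it is confirmed from a disassembly, e.g. `# jump offset = 3 * %ebx: each ROUND is padded with nops to a fixed size`. The routine continues outside the hunk.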
20472 @@ -503,19 +552,19 @@ ENTRY(csum_partial_copy_generic)
20473 jb 5f
20474 SRC( movw (%esi), %dx )
20475 leal 2(%esi), %esi
20476 -DST( movw %dx, (%edi) )
20477 +DST( movw %dx, %es:(%edi) )
20478 leal 2(%edi), %edi
20479 je 6f
20480 shll $16,%edx
20481 5:
20482 SRC( movb (%esi), %dl )
20483 -DST( movb %dl, (%edi) )
20484 +DST( movb %dl, %es:(%edi) )
20485 6: addl %edx, %eax
20486 adcl $0, %eax
20487 7:
20488 .section .fixup, "ax"
20489 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
20490 - movl $-EFAULT, (%ebx)
20491 + movl $-EFAULT, %ss:(%ebx)
20492 # zero the complete destination (computing the rest is too much work)
20493 movl ARGBASE+8(%esp),%edi # dst
20494 movl ARGBASE+12(%esp),%ecx # len
20495 @@ -523,10 +572,21 @@ DST( movb %dl, (%edi) )
20496 rep; stosb
20497 jmp 7b
20498 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
20499 - movl $-EFAULT, (%ebx)
20500 + movl $-EFAULT, %ss:(%ebx)
20501 jmp 7b
20502 .previous
20503
20504 +#ifdef CONFIG_PAX_MEMORY_UDEREF
20505 + pushl %ss
20506 + CFI_ADJUST_CFA_OFFSET 4
20507 + popl %ds
20508 + CFI_ADJUST_CFA_OFFSET -4
20509 + pushl %ss
20510 + CFI_ADJUST_CFA_OFFSET 4
20511 + popl %es
20512 + CFI_ADJUST_CFA_OFFSET -4
20513 +#endif
20514 +
20515 popl %esi
20516 CFI_ADJUST_CFA_OFFSET -4
20517 CFI_RESTORE esi
20518 @@ -538,7 +598,7 @@ DST( movb %dl, (%edi) )
20519 CFI_RESTORE ebx
20520 ret
20521 CFI_ENDPROC
20522 -ENDPROC(csum_partial_copy_generic)
20523 +ENDPROC(csum_partial_copy_generic_to_user)
20524
20525 #undef ROUND
20526 #undef ROUND1
20527 diff -urNp linux-2.6.32.49/arch/x86/lib/clear_page_64.S linux-2.6.32.49/arch/x86/lib/clear_page_64.S
20528 --- linux-2.6.32.49/arch/x86/lib/clear_page_64.S 2011-11-08 19:02:43.000000000 -0500
20529 +++ linux-2.6.32.49/arch/x86/lib/clear_page_64.S 2011-11-15 19:59:43.000000000 -0500
20530 @@ -1,5 +1,6 @@
20531 #include <linux/linkage.h>
20532 #include <asm/dwarf2.h>
20533 +#include <asm/alternative-asm.h>
20534
20535 /*
20536 * Zero a page.
20537 @@ -10,6 +11,7 @@ ENTRY(clear_page_c)
20538 movl $4096/8,%ecx
20539 xorl %eax,%eax
20540 rep stosq
20541 + pax_force_retaddr
20542 ret
20543 CFI_ENDPROC
20544 ENDPROC(clear_page_c)
20545 @@ -33,6 +35,7 @@ ENTRY(clear_page)
20546 leaq 64(%rdi),%rdi
20547 jnz .Lloop
20548 nop
20549 + pax_force_retaddr
20550 ret
20551 CFI_ENDPROC
20552 .Lclear_page_end:
20553 @@ -43,7 +46,7 @@ ENDPROC(clear_page)
20554
20555 #include <asm/cpufeature.h>
20556
20557 - .section .altinstr_replacement,"ax"
20558 + .section .altinstr_replacement,"a"
20559 1: .byte 0xeb /* jmp <disp8> */
20560 .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
20561 2:
20562 diff -urNp linux-2.6.32.49/arch/x86/lib/copy_page_64.S linux-2.6.32.49/arch/x86/lib/copy_page_64.S
20563 --- linux-2.6.32.49/arch/x86/lib/copy_page_64.S 2011-11-08 19:02:43.000000000 -0500
20564 +++ linux-2.6.32.49/arch/x86/lib/copy_page_64.S 2011-11-15 19:59:43.000000000 -0500
20565 @@ -2,12 +2,14 @@
20566
20567 #include <linux/linkage.h>
20568 #include <asm/dwarf2.h>
20569 +#include <asm/alternative-asm.h>
20570
20571 ALIGN
20572 copy_page_c:
20573 CFI_STARTPROC
20574 movl $4096/8,%ecx
20575 rep movsq
20576 + pax_force_retaddr
20577 ret
20578 CFI_ENDPROC
20579 ENDPROC(copy_page_c)
20580 @@ -94,6 +96,7 @@ ENTRY(copy_page)
20581 CFI_RESTORE r13
20582 addq $3*8,%rsp
20583 CFI_ADJUST_CFA_OFFSET -3*8
20584 + pax_force_retaddr
20585 ret
20586 .Lcopy_page_end:
20587 CFI_ENDPROC
20588 @@ -104,7 +107,7 @@ ENDPROC(copy_page)
20589
20590 #include <asm/cpufeature.h>
20591
20592 - .section .altinstr_replacement,"ax"
20593 + .section .altinstr_replacement,"a"
20594 1: .byte 0xeb /* jmp <disp8> */
20595 .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
20596 2:
20597 diff -urNp linux-2.6.32.49/arch/x86/lib/copy_user_64.S linux-2.6.32.49/arch/x86/lib/copy_user_64.S
20598 --- linux-2.6.32.49/arch/x86/lib/copy_user_64.S 2011-11-08 19:02:43.000000000 -0500
20599 +++ linux-2.6.32.49/arch/x86/lib/copy_user_64.S 2011-11-15 19:59:43.000000000 -0500
20600 @@ -15,13 +15,15 @@
20601 #include <asm/asm-offsets.h>
20602 #include <asm/thread_info.h>
20603 #include <asm/cpufeature.h>
20604 +#include <asm/pgtable.h>
20605 +#include <asm/alternative-asm.h>
20606
20607 .macro ALTERNATIVE_JUMP feature,orig,alt
20608 0:
20609 .byte 0xe9 /* 32bit jump */
20610 .long \orig-1f /* by default jump to orig */
20611 1:
20612 - .section .altinstr_replacement,"ax"
20613 + .section .altinstr_replacement,"a"
20614 2: .byte 0xe9 /* near jump with 32bit immediate */
20615 .long \alt-1b /* offset */ /* or alternatively to alt */
20616 .previous
20617 @@ -64,55 +66,26 @@
20618 #endif
20619 .endm
20620
20621 -/* Standard copy_to_user with segment limit checking */
20622 -ENTRY(copy_to_user)
20623 - CFI_STARTPROC
20624 - GET_THREAD_INFO(%rax)
20625 - movq %rdi,%rcx
20626 - addq %rdx,%rcx
20627 - jc bad_to_user
20628 - cmpq TI_addr_limit(%rax),%rcx
20629 - ja bad_to_user
20630 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
20631 - CFI_ENDPROC
20632 -ENDPROC(copy_to_user)
20633 -
20634 -/* Standard copy_from_user with segment limit checking */
20635 -ENTRY(copy_from_user)
20636 - CFI_STARTPROC
20637 - GET_THREAD_INFO(%rax)
20638 - movq %rsi,%rcx
20639 - addq %rdx,%rcx
20640 - jc bad_from_user
20641 - cmpq TI_addr_limit(%rax),%rcx
20642 - ja bad_from_user
20643 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
20644 - CFI_ENDPROC
20645 -ENDPROC(copy_from_user)
20646 -
20647 ENTRY(copy_user_generic)
20648 CFI_STARTPROC
20649 ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
20650 CFI_ENDPROC
20651 ENDPROC(copy_user_generic)
20652
20653 -ENTRY(__copy_from_user_inatomic)
20654 - CFI_STARTPROC
20655 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
20656 - CFI_ENDPROC
20657 -ENDPROC(__copy_from_user_inatomic)
20658 -
20659 .section .fixup,"ax"
20660 /* must zero dest */
20661 ENTRY(bad_from_user)
20662 bad_from_user:
20663 CFI_STARTPROC
20664 + testl %edx,%edx
20665 + js bad_to_user
20666 movl %edx,%ecx
20667 xorl %eax,%eax
20668 rep
20669 stosb
20670 bad_to_user:
20671 movl %edx,%eax
20672 + pax_force_retaddr
20673 ret
20674 CFI_ENDPROC
20675 ENDPROC(bad_from_user)
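Review bot: The `testl %edx,%edx` / `js bad_to_user` pair added at the top of `bad_from_user` is undocumented, and the existing `/* must zero dest */` comment no longer describes every path through the label. A short comment would record the intent, for example `/* count with the sign bit set: do not zero the destination, just return the count */`. The same hunk deletes the assembly `copy_to_user`, `copy_from_user` and `__copy_from_user_inatomic` entry points together with their `TI_addr_limit` range checks. The replacement checks are not in this file's hunks, so the commit message or a comment near `copy_user_generic` should point to where the bound is now enforced.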
20676 @@ -180,6 +153,7 @@ ENTRY(copy_user_generic_unrolled)
20677 decl %ecx
20678 jnz 21b
20679 23: xor %eax,%eax
20680 + pax_force_retaddr
20681 ret
20682
20683 .section .fixup,"ax"
20684 @@ -252,6 +226,7 @@ ENTRY(copy_user_generic_string)
20685 3: rep
20686 movsb
20687 4: xorl %eax,%eax
20688 + pax_force_retaddr
20689 ret
20690
20691 .section .fixup,"ax"
20692 diff -urNp linux-2.6.32.49/arch/x86/lib/copy_user_nocache_64.S linux-2.6.32.49/arch/x86/lib/copy_user_nocache_64.S
20693 --- linux-2.6.32.49/arch/x86/lib/copy_user_nocache_64.S 2011-11-08 19:02:43.000000000 -0500
20694 +++ linux-2.6.32.49/arch/x86/lib/copy_user_nocache_64.S 2011-11-15 19:59:43.000000000 -0500
20695 @@ -8,12 +8,14 @@
20696
20697 #include <linux/linkage.h>
20698 #include <asm/dwarf2.h>
20699 +#include <asm/alternative-asm.h>
20700
20701 #define FIX_ALIGNMENT 1
20702
20703 #include <asm/current.h>
20704 #include <asm/asm-offsets.h>
20705 #include <asm/thread_info.h>
20706 +#include <asm/pgtable.h>
20707
20708 .macro ALIGN_DESTINATION
20709 #ifdef FIX_ALIGNMENT
20710 @@ -50,6 +52,15 @@
20711 */
20712 ENTRY(__copy_user_nocache)
20713 CFI_STARTPROC
20714 +
20715 +#ifdef CONFIG_PAX_MEMORY_UDEREF
20716 + mov $PAX_USER_SHADOW_BASE,%rcx
20717 + cmp %rcx,%rsi
20718 + jae 1f
20719 + add %rcx,%rsi
20720 +1:
20721 +#endif
20722 +
20723 cmpl $8,%edx
20724 jb 20f /* less then 8 bytes, go to byte copy loop */
20725 ALIGN_DESTINATION
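Review bot: The UDEREF block added at the entry of `__copy_user_nocache` uses the bare local label `1:`, while the equivalent blocks in getuser.S and putuser.S use `1234:` to stay clear of the numbered labels those functions already own. If this function also has a `1:` of its own (its body continues outside the hunk), the reuse is legal for the assembler but easy to misread when checking the exception-table entries. Use `jae 1234f` and `1234:` here as well. The block also overwrites `%rcx` and tests only the start address in `%rsi`; a comment such as `/* UDEREF: rebase a userland source pointer; %rcx is scratch here */` would state both assumptions.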
20726 @@ -98,6 +109,7 @@ ENTRY(__copy_user_nocache)
20727 jnz 21b
20728 23: xorl %eax,%eax
20729 sfence
20730 + pax_force_retaddr
20731 ret
20732
20733 .section .fixup,"ax"
20734 diff -urNp linux-2.6.32.49/arch/x86/lib/csum-copy_64.S linux-2.6.32.49/arch/x86/lib/csum-copy_64.S
20735 --- linux-2.6.32.49/arch/x86/lib/csum-copy_64.S 2011-11-08 19:02:43.000000000 -0500
20736 +++ linux-2.6.32.49/arch/x86/lib/csum-copy_64.S 2011-11-15 19:59:43.000000000 -0500
20737 @@ -8,6 +8,7 @@
20738 #include <linux/linkage.h>
20739 #include <asm/dwarf2.h>
20740 #include <asm/errno.h>
20741 +#include <asm/alternative-asm.h>
20742
20743 /*
20744 * Checksum copy with exception handling.
20745 @@ -228,6 +229,7 @@ ENTRY(csum_partial_copy_generic)
20746 CFI_RESTORE rbp
20747 addq $7*8,%rsp
20748 CFI_ADJUST_CFA_OFFSET -7*8
20749 + pax_force_retaddr
20750 ret
20751 CFI_RESTORE_STATE
20752
20753 diff -urNp linux-2.6.32.49/arch/x86/lib/csum-wrappers_64.c linux-2.6.32.49/arch/x86/lib/csum-wrappers_64.c
20754 --- linux-2.6.32.49/arch/x86/lib/csum-wrappers_64.c 2011-11-08 19:02:43.000000000 -0500
20755 +++ linux-2.6.32.49/arch/x86/lib/csum-wrappers_64.c 2011-11-15 19:59:43.000000000 -0500
20756 @@ -52,7 +52,13 @@ csum_partial_copy_from_user(const void _
20757 len -= 2;
20758 }
20759 }
20760 - isum = csum_partial_copy_generic((__force const void *)src,
20761 +
20762 +#ifdef CONFIG_PAX_MEMORY_UDEREF
20763 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
20764 + src += PAX_USER_SHADOW_BASE;
20765 +#endif
20766 +
20767 + isum = csum_partial_copy_generic((const void __force_kernel *)src,
20768 dst, len, isum, errp, NULL);
20769 if (unlikely(*errp))
20770 goto out_err;
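Review bot: The added `if ((unsigned long)src < PAX_USER_SHADOW_BASE) src += PAX_USER_SHADOW_BASE;` tests only the start of the buffer and has no comment explaining what the rebased pointer means. This is safe only if `src .. src+len` was already range-checked earlier in `csum_partial_copy_from_user`, which starts outside this hunk. The same pattern is applied to `dst` in the `csum_partial_copy_to_user` hunk that follows. A comment in both places would state that dependency, e.g. `/* UDEREF: range already validated above; rebase the userland pointer for the kernel-side access */`. The `+=` is also arithmetic on a `void` pointer, which relies on the GNU extension.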
20771 @@ -105,7 +111,13 @@ csum_partial_copy_to_user(const void *sr
20772 }
20773
20774 *errp = 0;
20775 - return csum_partial_copy_generic(src, (void __force *)dst,
20776 +
20777 +#ifdef CONFIG_PAX_MEMORY_UDEREF
20778 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
20779 + dst += PAX_USER_SHADOW_BASE;
20780 +#endif
20781 +
20782 + return csum_partial_copy_generic(src, (void __force_kernel *)dst,
20783 len, isum, NULL, errp);
20784 }
20785 EXPORT_SYMBOL(csum_partial_copy_to_user);
20786 diff -urNp linux-2.6.32.49/arch/x86/lib/getuser.S linux-2.6.32.49/arch/x86/lib/getuser.S
20787 --- linux-2.6.32.49/arch/x86/lib/getuser.S 2011-11-08 19:02:43.000000000 -0500
20788 +++ linux-2.6.32.49/arch/x86/lib/getuser.S 2011-11-15 19:59:43.000000000 -0500
20789 @@ -33,15 +33,38 @@
20790 #include <asm/asm-offsets.h>
20791 #include <asm/thread_info.h>
20792 #include <asm/asm.h>
20793 +#include <asm/segment.h>
20794 +#include <asm/pgtable.h>
20795 +#include <asm/alternative-asm.h>
20796 +
20797 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
20798 +#define __copyuser_seg gs;
20799 +#else
20800 +#define __copyuser_seg
20801 +#endif
20802
20803 .text
20804 ENTRY(__get_user_1)
20805 CFI_STARTPROC
20806 +
20807 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20808 GET_THREAD_INFO(%_ASM_DX)
20809 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
20810 jae bad_get_user
20811 -1: movzb (%_ASM_AX),%edx
20812 +
20813 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20814 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
20815 + cmp %_ASM_DX,%_ASM_AX
20816 + jae 1234f
20817 + add %_ASM_DX,%_ASM_AX
20818 +1234:
20819 +#endif
20820 +
20821 +#endif
20822 +
20823 +1: __copyuser_seg movzb (%_ASM_AX),%edx
20824 xor %eax,%eax
20825 + pax_force_retaddr
20826 ret
20827 CFI_ENDPROC
20828 ENDPROC(__get_user_1)
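Review bot: The two nested conditionals added to `__get_user_1` close with bare `#endif` lines, and nothing says that on 32-bit UDEREF the whole `TI_addr_limit` comparison is compiled out in favour of the `__copyuser_seg` (`gs;`) override on the load. Tag the closers, `#endif /* CONFIG_X86_64 && CONFIG_PAX_MEMORY_UDEREF */` and `#endif /* !CONFIG_X86_32 || !CONFIG_PAX_MEMORY_UDEREF */`, and add one comment stating that the segment override is what bounds the access in that configuration (presumably through the segment limit, which is set up elsewhere). The same applies to the `__get_user_2`, `__get_user_4` and `__get_user_8` hunks below. `__copyuser_seg` is also defined identically in the putuser.S hunk of this patch; a single definition in a shared header would keep the two from drifting apart.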
20829 @@ -49,12 +72,26 @@ ENDPROC(__get_user_1)
20830 ENTRY(__get_user_2)
20831 CFI_STARTPROC
20832 add $1,%_ASM_AX
20833 +
20834 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20835 jc bad_get_user
20836 GET_THREAD_INFO(%_ASM_DX)
20837 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
20838 jae bad_get_user
20839 -2: movzwl -1(%_ASM_AX),%edx
20840 +
20841 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20842 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
20843 + cmp %_ASM_DX,%_ASM_AX
20844 + jae 1234f
20845 + add %_ASM_DX,%_ASM_AX
20846 +1234:
20847 +#endif
20848 +
20849 +#endif
20850 +
20851 +2: __copyuser_seg movzwl -1(%_ASM_AX),%edx
20852 xor %eax,%eax
20853 + pax_force_retaddr
20854 ret
20855 CFI_ENDPROC
20856 ENDPROC(__get_user_2)
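Review bot: Because the new `#if` opens directly after `add $1,%_ASM_AX`, the `jc bad_get_user` wrap-around check is compiled out along with the limit comparison on 32-bit UDEREF builds; the `__get_user_4` hunk does the same after `add $3,%_ASM_AX`. In that configuration a pointer that wraps past the top of the address space is rejected only if the `gs`-relative load at `2:` faults, which depends on segment setup that is not visible here. If that is the design, record it next to the conditional, for example `/* 32-bit UDEREF: no carry/limit check, the %gs segment limit rejects a wrapped or kernel address */`; otherwise keep the `jc` outside the `#if`.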
20857 @@ -62,12 +99,26 @@ ENDPROC(__get_user_2)
20858 ENTRY(__get_user_4)
20859 CFI_STARTPROC
20860 add $3,%_ASM_AX
20861 +
20862 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20863 jc bad_get_user
20864 GET_THREAD_INFO(%_ASM_DX)
20865 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
20866 jae bad_get_user
20867 -3: mov -3(%_ASM_AX),%edx
20868 +
20869 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20870 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
20871 + cmp %_ASM_DX,%_ASM_AX
20872 + jae 1234f
20873 + add %_ASM_DX,%_ASM_AX
20874 +1234:
20875 +#endif
20876 +
20877 +#endif
20878 +
20879 +3: __copyuser_seg mov -3(%_ASM_AX),%edx
20880 xor %eax,%eax
20881 + pax_force_retaddr
20882 ret
20883 CFI_ENDPROC
20884 ENDPROC(__get_user_4)
20885 @@ -80,8 +131,18 @@ ENTRY(__get_user_8)
20886 GET_THREAD_INFO(%_ASM_DX)
20887 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
20888 jae bad_get_user
20889 +
20890 +#ifdef CONFIG_PAX_MEMORY_UDEREF
20891 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
20892 + cmp %_ASM_DX,%_ASM_AX
20893 + jae 1234f
20894 + add %_ASM_DX,%_ASM_AX
20895 +1234:
20896 +#endif
20897 +
20898 4: movq -7(%_ASM_AX),%_ASM_DX
20899 xor %eax,%eax
20900 + pax_force_retaddr
20901 ret
20902 CFI_ENDPROC
20903 ENDPROC(__get_user_8)
20904 @@ -91,6 +152,7 @@ bad_get_user:
20905 CFI_STARTPROC
20906 xor %edx,%edx
20907 mov $(-EFAULT),%_ASM_AX
20908 + pax_force_retaddr
20909 ret
20910 CFI_ENDPROC
20911 END(bad_get_user)
20912 diff -urNp linux-2.6.32.49/arch/x86/lib/iomap_copy_64.S linux-2.6.32.49/arch/x86/lib/iomap_copy_64.S
20913 --- linux-2.6.32.49/arch/x86/lib/iomap_copy_64.S 2011-11-08 19:02:43.000000000 -0500
20914 +++ linux-2.6.32.49/arch/x86/lib/iomap_copy_64.S 2011-11-15 19:59:43.000000000 -0500
20915 @@ -17,6 +17,7 @@
20916
20917 #include <linux/linkage.h>
20918 #include <asm/dwarf2.h>
20919 +#include <asm/alternative-asm.h>
20920
20921 /*
20922 * override generic version in lib/iomap_copy.c
20923 @@ -25,6 +26,7 @@ ENTRY(__iowrite32_copy)
20924 CFI_STARTPROC
20925 movl %edx,%ecx
20926 rep movsd
20927 + pax_force_retaddr
20928 ret
20929 CFI_ENDPROC
20930 ENDPROC(__iowrite32_copy)
20931 diff -urNp linux-2.6.32.49/arch/x86/lib/memcpy_64.S linux-2.6.32.49/arch/x86/lib/memcpy_64.S
20932 --- linux-2.6.32.49/arch/x86/lib/memcpy_64.S 2011-11-08 19:02:43.000000000 -0500
20933 +++ linux-2.6.32.49/arch/x86/lib/memcpy_64.S 2011-11-15 19:59:43.000000000 -0500
20934 @@ -4,6 +4,7 @@
20935
20936 #include <asm/cpufeature.h>
20937 #include <asm/dwarf2.h>
20938 +#include <asm/alternative-asm.h>
20939
20940 /*
20941 * memcpy - Copy a memory block.
20942 @@ -34,6 +35,7 @@ memcpy_c:
20943 rep movsq
20944 movl %edx, %ecx
20945 rep movsb
20946 + pax_force_retaddr
20947 ret
20948 CFI_ENDPROC
20949 ENDPROC(memcpy_c)
20950 @@ -118,6 +120,7 @@ ENTRY(memcpy)
20951 jnz .Lloop_1
20952
20953 .Lend:
20954 + pax_force_retaddr
20955 ret
20956 CFI_ENDPROC
20957 ENDPROC(memcpy)
20958 @@ -128,7 +131,7 @@ ENDPROC(__memcpy)
20959 * It is also a lot simpler. Use this when possible:
20960 */
20961
20962 - .section .altinstr_replacement, "ax"
20963 + .section .altinstr_replacement, "a"
20964 1: .byte 0xeb /* jmp <disp8> */
20965 .byte (memcpy_c - memcpy) - (2f - 1b) /* offset */
20966 2:
20967 diff -urNp linux-2.6.32.49/arch/x86/lib/memset_64.S linux-2.6.32.49/arch/x86/lib/memset_64.S
20968 --- linux-2.6.32.49/arch/x86/lib/memset_64.S 2011-11-08 19:02:43.000000000 -0500
20969 +++ linux-2.6.32.49/arch/x86/lib/memset_64.S 2011-11-15 19:59:43.000000000 -0500
20970 @@ -2,6 +2,7 @@
20971
20972 #include <linux/linkage.h>
20973 #include <asm/dwarf2.h>
20974 +#include <asm/alternative-asm.h>
20975
20976 /*
20977 * ISO C memset - set a memory block to a byte value.
20978 @@ -28,6 +29,7 @@ memset_c:
20979 movl %r8d,%ecx
20980 rep stosb
20981 movq %r9,%rax
20982 + pax_force_retaddr
20983 ret
20984 CFI_ENDPROC
20985 ENDPROC(memset_c)
20986 @@ -96,6 +98,7 @@ ENTRY(__memset)
20987
20988 .Lende:
20989 movq %r10,%rax
20990 + pax_force_retaddr
20991 ret
20992
20993 CFI_RESTORE_STATE
20994 @@ -118,7 +121,7 @@ ENDPROC(__memset)
20995
20996 #include <asm/cpufeature.h>
20997
20998 - .section .altinstr_replacement,"ax"
20999 + .section .altinstr_replacement,"a"
21000 1: .byte 0xeb /* jmp <disp8> */
21001 .byte (memset_c - memset) - (2f - 1b) /* offset */
21002 2:
21003 diff -urNp linux-2.6.32.49/arch/x86/lib/mmx_32.c linux-2.6.32.49/arch/x86/lib/mmx_32.c
21004 --- linux-2.6.32.49/arch/x86/lib/mmx_32.c 2011-11-08 19:02:43.000000000 -0500
21005 +++ linux-2.6.32.49/arch/x86/lib/mmx_32.c 2011-11-15 19:59:43.000000000 -0500
21006 @@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *
21007 {
21008 void *p;
21009 int i;
21010 + unsigned long cr0;
21011
21012 if (unlikely(in_interrupt()))
21013 return __memcpy(to, from, len);
21014 @@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *
21015 kernel_fpu_begin();
21016
21017 __asm__ __volatile__ (
21018 - "1: prefetch (%0)\n" /* This set is 28 bytes */
21019 - " prefetch 64(%0)\n"
21020 - " prefetch 128(%0)\n"
21021 - " prefetch 192(%0)\n"
21022 - " prefetch 256(%0)\n"
21023 + "1: prefetch (%1)\n" /* This set is 28 bytes */
21024 + " prefetch 64(%1)\n"
21025 + " prefetch 128(%1)\n"
21026 + " prefetch 192(%1)\n"
21027 + " prefetch 256(%1)\n"
21028 "2: \n"
21029 ".section .fixup, \"ax\"\n"
21030 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
21031 + "3: \n"
21032 +
21033 +#ifdef CONFIG_PAX_KERNEXEC
21034 + " movl %%cr0, %0\n"
21035 + " movl %0, %%eax\n"
21036 + " andl $0xFFFEFFFF, %%eax\n"
21037 + " movl %%eax, %%cr0\n"
21038 +#endif
21039 +
21040 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
21041 +
21042 +#ifdef CONFIG_PAX_KERNEXEC
21043 + " movl %0, %%cr0\n"
21044 +#endif
21045 +
21046 " jmp 2b\n"
21047 ".previous\n"
21048 _ASM_EXTABLE(1b, 3b)
21049 - : : "r" (from));
21050 + : "=&r" (cr0) : "r" (from) : "ax");
21051
21052 for ( ; i > 5; i--) {
21053 __asm__ __volatile__ (
21054 - "1: prefetch 320(%0)\n"
21055 - "2: movq (%0), %%mm0\n"
21056 - " movq 8(%0), %%mm1\n"
21057 - " movq 16(%0), %%mm2\n"
21058 - " movq 24(%0), %%mm3\n"
21059 - " movq %%mm0, (%1)\n"
21060 - " movq %%mm1, 8(%1)\n"
21061 - " movq %%mm2, 16(%1)\n"
21062 - " movq %%mm3, 24(%1)\n"
21063 - " movq 32(%0), %%mm0\n"
21064 - " movq 40(%0), %%mm1\n"
21065 - " movq 48(%0), %%mm2\n"
21066 - " movq 56(%0), %%mm3\n"
21067 - " movq %%mm0, 32(%1)\n"
21068 - " movq %%mm1, 40(%1)\n"
21069 - " movq %%mm2, 48(%1)\n"
21070 - " movq %%mm3, 56(%1)\n"
21071 + "1: prefetch 320(%1)\n"
21072 + "2: movq (%1), %%mm0\n"
21073 + " movq 8(%1), %%mm1\n"
21074 + " movq 16(%1), %%mm2\n"
21075 + " movq 24(%1), %%mm3\n"
21076 + " movq %%mm0, (%2)\n"
21077 + " movq %%mm1, 8(%2)\n"
21078 + " movq %%mm2, 16(%2)\n"
21079 + " movq %%mm3, 24(%2)\n"
21080 + " movq 32(%1), %%mm0\n"
21081 + " movq 40(%1), %%mm1\n"
21082 + " movq 48(%1), %%mm2\n"
21083 + " movq 56(%1), %%mm3\n"
21084 + " movq %%mm0, 32(%2)\n"
21085 + " movq %%mm1, 40(%2)\n"
21086 + " movq %%mm2, 48(%2)\n"
21087 + " movq %%mm3, 56(%2)\n"
21088 ".section .fixup, \"ax\"\n"
21089 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
21090 + "3:\n"
21091 +
21092 +#ifdef CONFIG_PAX_KERNEXEC
21093 + " movl %%cr0, %0\n"
21094 + " movl %0, %%eax\n"
21095 + " andl $0xFFFEFFFF, %%eax\n"
21096 + " movl %%eax, %%cr0\n"
21097 +#endif
21098 +
21099 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
21100 +
21101 +#ifdef CONFIG_PAX_KERNEXEC
21102 + " movl %0, %%cr0\n"
21103 +#endif
21104 +
21105 " jmp 2b\n"
21106 ".previous\n"
21107 _ASM_EXTABLE(1b, 3b)
21108 - : : "r" (from), "r" (to) : "memory");
21109 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
21110
21111 from += 64;
21112 to += 64;
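Review bot: The fixup blocks in this hunk clear CR0 bit 16 (write protect) with the bare mask `0xFFFEFFFF`, patch the instruction at `1b`, and restore CR0, all without a comment. The identical sequence is repeated in both fixup blocks here and in the four blocks of the two `fast_copy_page` hunks below. A comment such as `/* KERNEXEC: clear CR0.WP (bit 16) only for the movw that patches kernel text at 1b */` and a single shared macro for the save/clear/restore triple would make the six copies reviewable as one. Whether interrupts can arrive while write protection is off cannot be confirmed from the hunk and should be stated. The `"=&r" (cr0)` output and the `"ax"` clobber are also added unconditionally, so with CONFIG_PAX_KERNEXEC disabled the asm declares an output it never writes; guarding the operand list with the same `#ifdef` would avoid that.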
21113 @@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
21114 static void fast_copy_page(void *to, void *from)
21115 {
21116 int i;
21117 + unsigned long cr0;
21118
21119 kernel_fpu_begin();
21120
21121 @@ -166,42 +196,70 @@ static void fast_copy_page(void *to, voi
21122 * but that is for later. -AV
21123 */
21124 __asm__ __volatile__(
21125 - "1: prefetch (%0)\n"
21126 - " prefetch 64(%0)\n"
21127 - " prefetch 128(%0)\n"
21128 - " prefetch 192(%0)\n"
21129 - " prefetch 256(%0)\n"
21130 + "1: prefetch (%1)\n"
21131 + " prefetch 64(%1)\n"
21132 + " prefetch 128(%1)\n"
21133 + " prefetch 192(%1)\n"
21134 + " prefetch 256(%1)\n"
21135 "2: \n"
21136 ".section .fixup, \"ax\"\n"
21137 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
21138 + "3: \n"
21139 +
21140 +#ifdef CONFIG_PAX_KERNEXEC
21141 + " movl %%cr0, %0\n"
21142 + " movl %0, %%eax\n"
21143 + " andl $0xFFFEFFFF, %%eax\n"
21144 + " movl %%eax, %%cr0\n"
21145 +#endif
21146 +
21147 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
21148 +
21149 +#ifdef CONFIG_PAX_KERNEXEC
21150 + " movl %0, %%cr0\n"
21151 +#endif
21152 +
21153 " jmp 2b\n"
21154 ".previous\n"
21155 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
21156 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
21157
21158 for (i = 0; i < (4096-320)/64; i++) {
21159 __asm__ __volatile__ (
21160 - "1: prefetch 320(%0)\n"
21161 - "2: movq (%0), %%mm0\n"
21162 - " movntq %%mm0, (%1)\n"
21163 - " movq 8(%0), %%mm1\n"
21164 - " movntq %%mm1, 8(%1)\n"
21165 - " movq 16(%0), %%mm2\n"
21166 - " movntq %%mm2, 16(%1)\n"
21167 - " movq 24(%0), %%mm3\n"
21168 - " movntq %%mm3, 24(%1)\n"
21169 - " movq 32(%0), %%mm4\n"
21170 - " movntq %%mm4, 32(%1)\n"
21171 - " movq 40(%0), %%mm5\n"
21172 - " movntq %%mm5, 40(%1)\n"
21173 - " movq 48(%0), %%mm6\n"
21174 - " movntq %%mm6, 48(%1)\n"
21175 - " movq 56(%0), %%mm7\n"
21176 - " movntq %%mm7, 56(%1)\n"
21177 + "1: prefetch 320(%1)\n"
21178 + "2: movq (%1), %%mm0\n"
21179 + " movntq %%mm0, (%2)\n"
21180 + " movq 8(%1), %%mm1\n"
21181 + " movntq %%mm1, 8(%2)\n"
21182 + " movq 16(%1), %%mm2\n"
21183 + " movntq %%mm2, 16(%2)\n"
21184 + " movq 24(%1), %%mm3\n"
21185 + " movntq %%mm3, 24(%2)\n"
21186 + " movq 32(%1), %%mm4\n"
21187 + " movntq %%mm4, 32(%2)\n"
21188 + " movq 40(%1), %%mm5\n"
21189 + " movntq %%mm5, 40(%2)\n"
21190 + " movq 48(%1), %%mm6\n"
21191 + " movntq %%mm6, 48(%2)\n"
21192 + " movq 56(%1), %%mm7\n"
21193 + " movntq %%mm7, 56(%2)\n"
21194 ".section .fixup, \"ax\"\n"
21195 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
21196 + "3:\n"
21197 +
21198 +#ifdef CONFIG_PAX_KERNEXEC
21199 + " movl %%cr0, %0\n"
21200 + " movl %0, %%eax\n"
21201 + " andl $0xFFFEFFFF, %%eax\n"
21202 + " movl %%eax, %%cr0\n"
21203 +#endif
21204 +
21205 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
21206 +
21207 +#ifdef CONFIG_PAX_KERNEXEC
21208 + " movl %0, %%cr0\n"
21209 +#endif
21210 +
21211 " jmp 2b\n"
21212 ".previous\n"
21213 - _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
21214 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
21215
21216 from += 64;
21217 to += 64;
21218 @@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
21219 static void fast_copy_page(void *to, void *from)
21220 {
21221 int i;
21222 + unsigned long cr0;
21223
21224 kernel_fpu_begin();
21225
21226 __asm__ __volatile__ (
21227 - "1: prefetch (%0)\n"
21228 - " prefetch 64(%0)\n"
21229 - " prefetch 128(%0)\n"
21230 - " prefetch 192(%0)\n"
21231 - " prefetch 256(%0)\n"
21232 + "1: prefetch (%1)\n"
21233 + " prefetch 64(%1)\n"
21234 + " prefetch 128(%1)\n"
21235 + " prefetch 192(%1)\n"
21236 + " prefetch 256(%1)\n"
21237 "2: \n"
21238 ".section .fixup, \"ax\"\n"
21239 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
21240 + "3: \n"
21241 +
21242 +#ifdef CONFIG_PAX_KERNEXEC
21243 + " movl %%cr0, %0\n"
21244 + " movl %0, %%eax\n"
21245 + " andl $0xFFFEFFFF, %%eax\n"
21246 + " movl %%eax, %%cr0\n"
21247 +#endif
21248 +
21249 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
21250 +
21251 +#ifdef CONFIG_PAX_KERNEXEC
21252 + " movl %0, %%cr0\n"
21253 +#endif
21254 +
21255 " jmp 2b\n"
21256 ".previous\n"
21257 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
21258 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
21259
21260 for (i = 0; i < 4096/64; i++) {
21261 __asm__ __volatile__ (
21262 - "1: prefetch 320(%0)\n"
21263 - "2: movq (%0), %%mm0\n"
21264 - " movq 8(%0), %%mm1\n"
21265 - " movq 16(%0), %%mm2\n"
21266 - " movq 24(%0), %%mm3\n"
21267 - " movq %%mm0, (%1)\n"
21268 - " movq %%mm1, 8(%1)\n"
21269 - " movq %%mm2, 16(%1)\n"
21270 - " movq %%mm3, 24(%1)\n"
21271 - " movq 32(%0), %%mm0\n"
21272 - " movq 40(%0), %%mm1\n"
21273 - " movq 48(%0), %%mm2\n"
21274 - " movq 56(%0), %%mm3\n"
21275 - " movq %%mm0, 32(%1)\n"
21276 - " movq %%mm1, 40(%1)\n"
21277 - " movq %%mm2, 48(%1)\n"
21278 - " movq %%mm3, 56(%1)\n"
21279 + "1: prefetch 320(%1)\n"
21280 + "2: movq (%1), %%mm0\n"
21281 + " movq 8(%1), %%mm1\n"
21282 + " movq 16(%1), %%mm2\n"
21283 + " movq 24(%1), %%mm3\n"
21284 + " movq %%mm0, (%2)\n"
21285 + " movq %%mm1, 8(%2)\n"
21286 + " movq %%mm2, 16(%2)\n"
21287 + " movq %%mm3, 24(%2)\n"
21288 + " movq 32(%1), %%mm0\n"
21289 + " movq 40(%1), %%mm1\n"
21290 + " movq 48(%1), %%mm2\n"
21291 + " movq 56(%1), %%mm3\n"
21292 + " movq %%mm0, 32(%2)\n"
21293 + " movq %%mm1, 40(%2)\n"
21294 + " movq %%mm2, 48(%2)\n"
21295 + " movq %%mm3, 56(%2)\n"
21296 ".section .fixup, \"ax\"\n"
21297 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
21298 + "3:\n"
21299 +
21300 +#ifdef CONFIG_PAX_KERNEXEC
21301 + " movl %%cr0, %0\n"
21302 + " movl %0, %%eax\n"
21303 + " andl $0xFFFEFFFF, %%eax\n"
21304 + " movl %%eax, %%cr0\n"
21305 +#endif
21306 +
21307 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
21308 +
21309 +#ifdef CONFIG_PAX_KERNEXEC
21310 + " movl %0, %%cr0\n"
21311 +#endif
21312 +
21313 " jmp 2b\n"
21314 ".previous\n"
21315 _ASM_EXTABLE(1b, 3b)
21316 - : : "r" (from), "r" (to) : "memory");
21317 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
21318
21319 from += 64;
21320 to += 64;
21321 diff -urNp linux-2.6.32.49/arch/x86/lib/msr-reg.S linux-2.6.32.49/arch/x86/lib/msr-reg.S
21322 --- linux-2.6.32.49/arch/x86/lib/msr-reg.S 2011-11-08 19:02:43.000000000 -0500
21323 +++ linux-2.6.32.49/arch/x86/lib/msr-reg.S 2011-11-15 19:59:43.000000000 -0500
21324 @@ -3,6 +3,7 @@
21325 #include <asm/dwarf2.h>
21326 #include <asm/asm.h>
21327 #include <asm/msr.h>
21328 +#include <asm/alternative-asm.h>
21329
21330 #ifdef CONFIG_X86_64
21331 /*
21332 @@ -37,6 +38,7 @@ ENTRY(native_\op\()_safe_regs)
21333 movl %edi, 28(%r10)
21334 popq_cfi %rbp
21335 popq_cfi %rbx
21336 + pax_force_retaddr
21337 ret
21338 3:
21339 CFI_RESTORE_STATE
21340 diff -urNp linux-2.6.32.49/arch/x86/lib/putuser.S linux-2.6.32.49/arch/x86/lib/putuser.S
21341 --- linux-2.6.32.49/arch/x86/lib/putuser.S 2011-11-08 19:02:43.000000000 -0500
21342 +++ linux-2.6.32.49/arch/x86/lib/putuser.S 2011-11-15 19:59:43.000000000 -0500
21343 @@ -15,7 +15,9 @@
21344 #include <asm/thread_info.h>
21345 #include <asm/errno.h>
21346 #include <asm/asm.h>
21347 -
21348 +#include <asm/segment.h>
21349 +#include <asm/pgtable.h>
21350 +#include <asm/alternative-asm.h>
21351
21352 /*
21353 * __put_user_X
21354 @@ -29,52 +31,119 @@
21355 * as they get called from within inline assembly.
21356 */
21357
21358 -#define ENTER CFI_STARTPROC ; \
21359 - GET_THREAD_INFO(%_ASM_BX)
21360 -#define EXIT ret ; \
21361 +#define ENTER CFI_STARTPROC
21362 +#define EXIT pax_force_retaddr; ret ; \
21363 CFI_ENDPROC
21364
21365 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21366 +#define _DEST %_ASM_CX,%_ASM_BX
21367 +#else
21368 +#define _DEST %_ASM_CX
21369 +#endif
21370 +
21371 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
21372 +#define __copyuser_seg gs;
21373 +#else
21374 +#define __copyuser_seg
21375 +#endif
21376 +
21377 .text
21378 ENTRY(__put_user_1)
21379 ENTER
21380 +
21381 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
21382 + GET_THREAD_INFO(%_ASM_BX)
21383 cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
21384 jae bad_put_user
21385 -1: movb %al,(%_ASM_CX)
21386 +
21387 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21388 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
21389 + cmp %_ASM_BX,%_ASM_CX
21390 + jb 1234f
21391 + xor %ebx,%ebx
21392 +1234:
21393 +#endif
21394 +
21395 +#endif
21396 +
21397 +1: __copyuser_seg movb %al,(_DEST)
21398 xor %eax,%eax
21399 EXIT
21400 ENDPROC(__put_user_1)
21401
21402 ENTRY(__put_user_2)
21403 ENTER
21404 +
21405 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
21406 + GET_THREAD_INFO(%_ASM_BX)
21407 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
21408 sub $1,%_ASM_BX
21409 cmp %_ASM_BX,%_ASM_CX
21410 jae bad_put_user
21411 -2: movw %ax,(%_ASM_CX)
21412 +
21413 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21414 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
21415 + cmp %_ASM_BX,%_ASM_CX
21416 + jb 1234f
21417 + xor %ebx,%ebx
21418 +1234:
21419 +#endif
21420 +
21421 +#endif
21422 +
21423 +2: __copyuser_seg movw %ax,(_DEST)
21424 xor %eax,%eax
21425 EXIT
21426 ENDPROC(__put_user_2)
21427
21428 ENTRY(__put_user_4)
21429 ENTER
21430 +
21431 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
21432 + GET_THREAD_INFO(%_ASM_BX)
21433 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
21434 sub $3,%_ASM_BX
21435 cmp %_ASM_BX,%_ASM_CX
21436 jae bad_put_user
21437 -3: movl %eax,(%_ASM_CX)
21438 +
21439 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21440 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
21441 + cmp %_ASM_BX,%_ASM_CX
21442 + jb 1234f
21443 + xor %ebx,%ebx
21444 +1234:
21445 +#endif
21446 +
21447 +#endif
21448 +
21449 +3: __copyuser_seg movl %eax,(_DEST)
21450 xor %eax,%eax
21451 EXIT
21452 ENDPROC(__put_user_4)
21453
21454 ENTRY(__put_user_8)
21455 ENTER
21456 +
21457 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
21458 + GET_THREAD_INFO(%_ASM_BX)
21459 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
21460 sub $7,%_ASM_BX
21461 cmp %_ASM_BX,%_ASM_CX
21462 jae bad_put_user
21463 -4: mov %_ASM_AX,(%_ASM_CX)
21464 +
21465 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21466 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
21467 + cmp %_ASM_BX,%_ASM_CX
21468 + jb 1234f
21469 + xor %ebx,%ebx
21470 +1234:
21471 +#endif
21472 +
21473 +#endif
21474 +
21475 +4: __copyuser_seg mov %_ASM_AX,(_DEST)
21476 #ifdef CONFIG_X86_32
21477 -5: movl %edx,4(%_ASM_CX)
21478 +5: __copyuser_seg movl %edx,4(_DEST)
21479 #endif
21480 xor %eax,%eax
21481 EXIT
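Review bot: On 64-bit UDEREF every store in this hunk goes through `_DEST`, which expands to `%_ASM_CX,%_ASM_BX`, so correctness depends on `%_ASM_BX` holding either `PAX_USER_SHADOW_BASE` or zero when the store is reached, and nothing in the file states that invariant. The `jb 1234f` / `xor %ebx,%ebx` pair in each function is what establishes it. A comment above the `_DEST` definition would make it explicit, e.g. `/* UDEREF/64: %_ASM_BX is the shadow base for a userland pointer, 0 when %_ASM_CX is already at or above it */`. It is also worth a line on why this file uses an index register while getuser.S adds the base into the address register. The bare `#endif` closers would read better tagged with their conditions, and `__put_user_8` continues outside this hunk.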
21482 diff -urNp linux-2.6.32.49/arch/x86/lib/rwlock_64.S linux-2.6.32.49/arch/x86/lib/rwlock_64.S
21483 --- linux-2.6.32.49/arch/x86/lib/rwlock_64.S 2011-11-08 19:02:43.000000000 -0500
21484 +++ linux-2.6.32.49/arch/x86/lib/rwlock_64.S 2011-11-15 19:59:43.000000000 -0500
21485 @@ -17,6 +17,7 @@ ENTRY(__write_lock_failed)
21486 LOCK_PREFIX
21487 subl $RW_LOCK_BIAS,(%rdi)
21488 jnz __write_lock_failed
21489 + pax_force_retaddr
21490 ret
21491 CFI_ENDPROC
21492 END(__write_lock_failed)
21493 @@ -33,6 +34,7 @@ ENTRY(__read_lock_failed)
21494 LOCK_PREFIX
21495 decl (%rdi)
21496 js __read_lock_failed
21497 + pax_force_retaddr
21498 ret
21499 CFI_ENDPROC
21500 END(__read_lock_failed)
21501 diff -urNp linux-2.6.32.49/arch/x86/lib/rwsem_64.S linux-2.6.32.49/arch/x86/lib/rwsem_64.S
21502 --- linux-2.6.32.49/arch/x86/lib/rwsem_64.S 2011-11-08 19:02:43.000000000 -0500
21503 +++ linux-2.6.32.49/arch/x86/lib/rwsem_64.S 2011-11-15 19:59:43.000000000 -0500
21504 @@ -48,6 +48,7 @@ ENTRY(call_rwsem_down_read_failed)
21505 call rwsem_down_read_failed
21506 popq %rdx
21507 restore_common_regs
21508 + pax_force_retaddr
21509 ret
21510 ENDPROC(call_rwsem_down_read_failed)
21511
21512 @@ -56,6 +57,7 @@ ENTRY(call_rwsem_down_write_failed)
21513 movq %rax,%rdi
21514 call rwsem_down_write_failed
21515 restore_common_regs
21516 + pax_force_retaddr
21517 ret
21518 ENDPROC(call_rwsem_down_write_failed)
21519
21520 @@ -66,7 +68,8 @@ ENTRY(call_rwsem_wake)
21521 movq %rax,%rdi
21522 call rwsem_wake
21523 restore_common_regs
21524 -1: ret
21525 +1: pax_force_retaddr
21526 + ret
21527 ENDPROC(call_rwsem_wake)
21528
21529 /* Fix up special calling conventions */
21530 @@ -77,5 +80,6 @@ ENTRY(call_rwsem_downgrade_wake)
21531 call rwsem_downgrade_wake
21532 popq %rdx
21533 restore_common_regs
21534 + pax_force_retaddr
21535 ret
21536 ENDPROC(call_rwsem_downgrade_wake)
21537 diff -urNp linux-2.6.32.49/arch/x86/lib/thunk_64.S linux-2.6.32.49/arch/x86/lib/thunk_64.S
21538 --- linux-2.6.32.49/arch/x86/lib/thunk_64.S 2011-11-08 19:02:43.000000000 -0500
21539 +++ linux-2.6.32.49/arch/x86/lib/thunk_64.S 2011-11-15 19:59:43.000000000 -0500
21540 @@ -10,7 +10,8 @@
21541 #include <asm/dwarf2.h>
21542 #include <asm/calling.h>
21543 #include <asm/rwlock.h>
21544 -
21545 + #include <asm/alternative-asm.h>
21546 +
21547 /* rdi: arg1 ... normal C conventions. rax is saved/restored. */
21548 .macro thunk name,func
21549 .globl \name
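Review bot: The added `#include <asm/alternative-asm.h>` appears to be indented, unlike the three includes above it and unlike the same include in every other file of this patch, and the blank line it replaces seems to be re-added with whitespace on it. Put the directive at column 0 and leave the separator line empty: `#include <asm/alternative-asm.h>`.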
21550 @@ -70,6 +71,7 @@
21551 SAVE_ARGS
21552 restore:
21553 RESTORE_ARGS
21554 + pax_force_retaddr
21555 ret
21556 CFI_ENDPROC
21557
21558 @@ -77,5 +79,6 @@ restore:
21559 SAVE_ARGS
21560 restore_norax:
21561 RESTORE_ARGS 1
21562 + pax_force_retaddr
21563 ret
21564 CFI_ENDPROC
21565 diff -urNp linux-2.6.32.49/arch/x86/lib/usercopy_32.c linux-2.6.32.49/arch/x86/lib/usercopy_32.c
21566 --- linux-2.6.32.49/arch/x86/lib/usercopy_32.c 2011-11-08 19:02:43.000000000 -0500
21567 +++ linux-2.6.32.49/arch/x86/lib/usercopy_32.c 2011-11-15 19:59:43.000000000 -0500
21568 @@ -43,7 +43,7 @@ do { \
21569 __asm__ __volatile__( \
21570 " testl %1,%1\n" \
21571 " jz 2f\n" \
21572 - "0: lodsb\n" \
21573 + "0: "__copyuser_seg"lodsb\n" \
21574 " stosb\n" \
21575 " testb %%al,%%al\n" \
21576 " jz 1f\n" \
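Review bot: `"0: "__copyuser_seg"lodsb\n"` only compiles if `__copyuser_seg` expands to a string literal, whereas the getuser.S and putuser.S hunks of this patch define the same name as the bare token `gs;`. The C-side definition is not visible here, so the two spellings of one macro name have to be kept in step by hand. A distinct name for the string form, or a comment at this use such as `/* __copyuser_seg: string-literal variant from the uaccess headers, "gs;" on 32-bit UDEREF */`, would prevent the assembler-file definition from being reused by mistake. The enclosing macro begins and ends outside the hunk.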
21577 @@ -128,10 +128,12 @@ do { \
21578 int __d0; \
21579 might_fault(); \
21580 __asm__ __volatile__( \
21581 + __COPYUSER_SET_ES \
21582 "0: rep; stosl\n" \
21583 " movl %2,%0\n" \
21584 "1: rep; stosb\n" \
21585 "2:\n" \
21586 + __COPYUSER_RESTORE_ES \
21587 ".section .fixup,\"ax\"\n" \
21588 "3: lea 0(%2,%0,4),%0\n" \
21589 " jmp 2b\n" \
21590 @@ -200,6 +202,7 @@ long strnlen_user(const char __user *s,
21591 might_fault();
21592
21593 __asm__ __volatile__(
21594 + __COPYUSER_SET_ES
21595 " testl %0, %0\n"
21596 " jz 3f\n"
21597 " andl %0,%%ecx\n"
21598 @@ -208,6 +211,7 @@ long strnlen_user(const char __user *s,
21599 " subl %%ecx,%0\n"
21600 " addl %0,%%eax\n"
21601 "1:\n"
21602 + __COPYUSER_RESTORE_ES
21603 ".section .fixup,\"ax\"\n"
21604 "2: xorl %%eax,%%eax\n"
21605 " jmp 1b\n"
21606 @@ -227,7 +231,7 @@ EXPORT_SYMBOL(strnlen_user);
21607
21608 #ifdef CONFIG_X86_INTEL_USERCOPY
21609 static unsigned long
21610 -__copy_user_intel(void __user *to, const void *from, unsigned long size)
21611 +__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
21612 {
21613 int d0, d1;
21614 __asm__ __volatile__(
21615 @@ -239,36 +243,36 @@ __copy_user_intel(void __user *to, const
21616 " .align 2,0x90\n"
21617 "3: movl 0(%4), %%eax\n"
21618 "4: movl 4(%4), %%edx\n"
21619 - "5: movl %%eax, 0(%3)\n"
21620 - "6: movl %%edx, 4(%3)\n"
21621 + "5: "__copyuser_seg" movl %%eax, 0(%3)\n"
21622 + "6: "__copyuser_seg" movl %%edx, 4(%3)\n"
21623 "7: movl 8(%4), %%eax\n"
21624 "8: movl 12(%4),%%edx\n"
21625 - "9: movl %%eax, 8(%3)\n"
21626 - "10: movl %%edx, 12(%3)\n"
21627 + "9: "__copyuser_seg" movl %%eax, 8(%3)\n"
21628 + "10: "__copyuser_seg" movl %%edx, 12(%3)\n"
21629 "11: movl 16(%4), %%eax\n"
21630 "12: movl 20(%4), %%edx\n"
21631 - "13: movl %%eax, 16(%3)\n"
21632 - "14: movl %%edx, 20(%3)\n"
21633 + "13: "__copyuser_seg" movl %%eax, 16(%3)\n"
21634 + "14: "__copyuser_seg" movl %%edx, 20(%3)\n"
21635 "15: movl 24(%4), %%eax\n"
21636 "16: movl 28(%4), %%edx\n"
21637 - "17: movl %%eax, 24(%3)\n"
21638 - "18: movl %%edx, 28(%3)\n"
21639 + "17: "__copyuser_seg" movl %%eax, 24(%3)\n"
21640 + "18: "__copyuser_seg" movl %%edx, 28(%3)\n"
21641 "19: movl 32(%4), %%eax\n"
21642 "20: movl 36(%4), %%edx\n"
21643 - "21: movl %%eax, 32(%3)\n"
21644 - "22: movl %%edx, 36(%3)\n"
21645 + "21: "__copyuser_seg" movl %%eax, 32(%3)\n"
21646 + "22: "__copyuser_seg" movl %%edx, 36(%3)\n"
21647 "23: movl 40(%4), %%eax\n"
21648 "24: movl 44(%4), %%edx\n"
21649 - "25: movl %%eax, 40(%3)\n"
21650 - "26: movl %%edx, 44(%3)\n"
21651 + "25: "__copyuser_seg" movl %%eax, 40(%3)\n"
21652 + "26: "__copyuser_seg" movl %%edx, 44(%3)\n"
21653 "27: movl 48(%4), %%eax\n"
21654 "28: movl 52(%4), %%edx\n"
21655 - "29: movl %%eax, 48(%3)\n"
21656 - "30: movl %%edx, 52(%3)\n"
21657 + "29: "__copyuser_seg" movl %%eax, 48(%3)\n"
21658 + "30: "__copyuser_seg" movl %%edx, 52(%3)\n"
21659 "31: movl 56(%4), %%eax\n"
21660 "32: movl 60(%4), %%edx\n"
21661 - "33: movl %%eax, 56(%3)\n"
21662 - "34: movl %%edx, 60(%3)\n"
21663 + "33: "__copyuser_seg" movl %%eax, 56(%3)\n"
21664 + "34: "__copyuser_seg" movl %%edx, 60(%3)\n"
21665 " addl $-64, %0\n"
21666 " addl $64, %4\n"
21667 " addl $64, %3\n"
21668 @@ -278,10 +282,119 @@ __copy_user_intel(void __user *to, const
21669 " shrl $2, %0\n"
21670 " andl $3, %%eax\n"
21671 " cld\n"
21672 + __COPYUSER_SET_ES
21673 "99: rep; movsl\n"
21674 "36: movl %%eax, %0\n"
21675 "37: rep; movsb\n"
21676 "100:\n"
21677 + __COPYUSER_RESTORE_ES
21678 + ".section .fixup,\"ax\"\n"
21679 + "101: lea 0(%%eax,%0,4),%0\n"
21680 + " jmp 100b\n"
21681 + ".previous\n"
21682 + ".section __ex_table,\"a\"\n"
21683 + " .align 4\n"
21684 + " .long 1b,100b\n"
21685 + " .long 2b,100b\n"
21686 + " .long 3b,100b\n"
21687 + " .long 4b,100b\n"
21688 + " .long 5b,100b\n"
21689 + " .long 6b,100b\n"
21690 + " .long 7b,100b\n"
21691 + " .long 8b,100b\n"
21692 + " .long 9b,100b\n"
21693 + " .long 10b,100b\n"
21694 + " .long 11b,100b\n"
21695 + " .long 12b,100b\n"
21696 + " .long 13b,100b\n"
21697 + " .long 14b,100b\n"
21698 + " .long 15b,100b\n"
21699 + " .long 16b,100b\n"
21700 + " .long 17b,100b\n"
21701 + " .long 18b,100b\n"
21702 + " .long 19b,100b\n"
21703 + " .long 20b,100b\n"
21704 + " .long 21b,100b\n"
21705 + " .long 22b,100b\n"
21706 + " .long 23b,100b\n"
21707 + " .long 24b,100b\n"
21708 + " .long 25b,100b\n"
21709 + " .long 26b,100b\n"
21710 + " .long 27b,100b\n"
21711 + " .long 28b,100b\n"
21712 + " .long 29b,100b\n"
21713 + " .long 30b,100b\n"
21714 + " .long 31b,100b\n"
21715 + " .long 32b,100b\n"
21716 + " .long 33b,100b\n"
21717 + " .long 34b,100b\n"
21718 + " .long 35b,100b\n"
21719 + " .long 36b,100b\n"
21720 + " .long 37b,100b\n"
21721 + " .long 99b,101b\n"
21722 + ".previous"
21723 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
21724 + : "1"(to), "2"(from), "0"(size)
21725 + : "eax", "edx", "memory");
21726 + return size;
21727 +}
21728 +
21729 +static unsigned long
21730 +__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
21731 +{
21732 + int d0, d1;
21733 + __asm__ __volatile__(
21734 + " .align 2,0x90\n"
21735 + "1: "__copyuser_seg" movl 32(%4), %%eax\n"
21736 + " cmpl $67, %0\n"
21737 + " jbe 3f\n"
21738 + "2: "__copyuser_seg" movl 64(%4), %%eax\n"
21739 + " .align 2,0x90\n"
21740 + "3: "__copyuser_seg" movl 0(%4), %%eax\n"
21741 + "4: "__copyuser_seg" movl 4(%4), %%edx\n"
21742 + "5: movl %%eax, 0(%3)\n"
21743 + "6: movl %%edx, 4(%3)\n"
21744 + "7: "__copyuser_seg" movl 8(%4), %%eax\n"
21745 + "8: "__copyuser_seg" movl 12(%4),%%edx\n"
21746 + "9: movl %%eax, 8(%3)\n"
21747 + "10: movl %%edx, 12(%3)\n"
21748 + "11: "__copyuser_seg" movl 16(%4), %%eax\n"
21749 + "12: "__copyuser_seg" movl 20(%4), %%edx\n"
21750 + "13: movl %%eax, 16(%3)\n"
21751 + "14: movl %%edx, 20(%3)\n"
21752 + "15: "__copyuser_seg" movl 24(%4), %%eax\n"
21753 + "16: "__copyuser_seg" movl 28(%4), %%edx\n"
21754 + "17: movl %%eax, 24(%3)\n"
21755 + "18: movl %%edx, 28(%3)\n"
21756 + "19: "__copyuser_seg" movl 32(%4), %%eax\n"
21757 + "20: "__copyuser_seg" movl 36(%4), %%edx\n"
21758 + "21: movl %%eax, 32(%3)\n"
21759 + "22: movl %%edx, 36(%3)\n"
21760 + "23: "__copyuser_seg" movl 40(%4), %%eax\n"
21761 + "24: "__copyuser_seg" movl 44(%4), %%edx\n"
21762 + "25: movl %%eax, 40(%3)\n"
21763 + "26: movl %%edx, 44(%3)\n"
21764 + "27: "__copyuser_seg" movl 48(%4), %%eax\n"
21765 + "28: "__copyuser_seg" movl 52(%4), %%edx\n"
21766 + "29: movl %%eax, 48(%3)\n"
21767 + "30: movl %%edx, 52(%3)\n"
21768 + "31: "__copyuser_seg" movl 56(%4), %%eax\n"
21769 + "32: "__copyuser_seg" movl 60(%4), %%edx\n"
21770 + "33: movl %%eax, 56(%3)\n"
21771 + "34: movl %%edx, 60(%3)\n"
21772 + " addl $-64, %0\n"
21773 + " addl $64, %4\n"
21774 + " addl $64, %3\n"
21775 + " cmpl $63, %0\n"
21776 + " ja 1b\n"
21777 + "35: movl %0, %%eax\n"
21778 + " shrl $2, %0\n"
21779 + " andl $3, %%eax\n"
21780 + " cld\n"
21781 + "99: rep; "__copyuser_seg" movsl\n"
21782 + "36: movl %%eax, %0\n"
21783 + "37: rep; "__copyuser_seg" movsb\n"
21784 + "100:\n"
21785 ".section .fixup,\"ax\"\n"
21786 "101: lea 0(%%eax,%0,4),%0\n"
21787 " jmp 100b\n"
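Review bot: `__COPYUSER_RESTORE_ES` in `__generic_copy_to_user_intel` sits after label `100:`, so it also runs when a fault at labels 1–35 lands on `100b` before `__COPYUSER_SET_ES` has executed. Nothing in the hunk says the restore macro is safe to run on its own. Its definition is not visible here, so this is only correct if it reloads a fixed selector rather than undoing a saved value; a comment above the asm should say so, e.g. `/* RESTORE_ES must not depend on SET_ES having run: every fixup lands on 100: */`. The two functions differ only in which side carries `__copyuser_seg` (stores for to-user, loads for from-user), which deserves a one-line comment on each because the unrolled loop is otherwise duplicated. `__generic_copy_to_user_intel` begins in an earlier hunk.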
21788 @@ -339,41 +452,41 @@ __copy_user_zeroing_intel(void *to, cons
21789 int d0, d1;
21790 __asm__ __volatile__(
21791 " .align 2,0x90\n"
21792 - "0: movl 32(%4), %%eax\n"
21793 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
21794 " cmpl $67, %0\n"
21795 " jbe 2f\n"
21796 - "1: movl 64(%4), %%eax\n"
21797 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
21798 " .align 2,0x90\n"
21799 - "2: movl 0(%4), %%eax\n"
21800 - "21: movl 4(%4), %%edx\n"
21801 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
21802 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
21803 " movl %%eax, 0(%3)\n"
21804 " movl %%edx, 4(%3)\n"
21805 - "3: movl 8(%4), %%eax\n"
21806 - "31: movl 12(%4),%%edx\n"
21807 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
21808 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
21809 " movl %%eax, 8(%3)\n"
21810 " movl %%edx, 12(%3)\n"
21811 - "4: movl 16(%4), %%eax\n"
21812 - "41: movl 20(%4), %%edx\n"
21813 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
21814 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
21815 " movl %%eax, 16(%3)\n"
21816 " movl %%edx, 20(%3)\n"
21817 - "10: movl 24(%4), %%eax\n"
21818 - "51: movl 28(%4), %%edx\n"
21819 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
21820 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
21821 " movl %%eax, 24(%3)\n"
21822 " movl %%edx, 28(%3)\n"
21823 - "11: movl 32(%4), %%eax\n"
21824 - "61: movl 36(%4), %%edx\n"
21825 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
21826 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
21827 " movl %%eax, 32(%3)\n"
21828 " movl %%edx, 36(%3)\n"
21829 - "12: movl 40(%4), %%eax\n"
21830 - "71: movl 44(%4), %%edx\n"
21831 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
21832 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
21833 " movl %%eax, 40(%3)\n"
21834 " movl %%edx, 44(%3)\n"
21835 - "13: movl 48(%4), %%eax\n"
21836 - "81: movl 52(%4), %%edx\n"
21837 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
21838 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
21839 " movl %%eax, 48(%3)\n"
21840 " movl %%edx, 52(%3)\n"
21841 - "14: movl 56(%4), %%eax\n"
21842 - "91: movl 60(%4), %%edx\n"
21843 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
21844 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
21845 " movl %%eax, 56(%3)\n"
21846 " movl %%edx, 60(%3)\n"
21847 " addl $-64, %0\n"
21848 @@ -385,9 +498,9 @@ __copy_user_zeroing_intel(void *to, cons
21849 " shrl $2, %0\n"
21850 " andl $3, %%eax\n"
21851 " cld\n"
21852 - "6: rep; movsl\n"
21853 + "6: rep; "__copyuser_seg" movsl\n"
21854 " movl %%eax,%0\n"
21855 - "7: rep; movsb\n"
21856 + "7: rep; "__copyuser_seg" movsb\n"
21857 "8:\n"
21858 ".section .fixup,\"ax\"\n"
21859 "9: lea 0(%%eax,%0,4),%0\n"
21860 @@ -440,41 +553,41 @@ static unsigned long __copy_user_zeroing
21861
21862 __asm__ __volatile__(
21863 " .align 2,0x90\n"
21864 - "0: movl 32(%4), %%eax\n"
21865 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
21866 " cmpl $67, %0\n"
21867 " jbe 2f\n"
21868 - "1: movl 64(%4), %%eax\n"
21869 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
21870 " .align 2,0x90\n"
21871 - "2: movl 0(%4), %%eax\n"
21872 - "21: movl 4(%4), %%edx\n"
21873 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
21874 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
21875 " movnti %%eax, 0(%3)\n"
21876 " movnti %%edx, 4(%3)\n"
21877 - "3: movl 8(%4), %%eax\n"
21878 - "31: movl 12(%4),%%edx\n"
21879 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
21880 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
21881 " movnti %%eax, 8(%3)\n"
21882 " movnti %%edx, 12(%3)\n"
21883 - "4: movl 16(%4), %%eax\n"
21884 - "41: movl 20(%4), %%edx\n"
21885 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
21886 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
21887 " movnti %%eax, 16(%3)\n"
21888 " movnti %%edx, 20(%3)\n"
21889 - "10: movl 24(%4), %%eax\n"
21890 - "51: movl 28(%4), %%edx\n"
21891 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
21892 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
21893 " movnti %%eax, 24(%3)\n"
21894 " movnti %%edx, 28(%3)\n"
21895 - "11: movl 32(%4), %%eax\n"
21896 - "61: movl 36(%4), %%edx\n"
21897 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
21898 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
21899 " movnti %%eax, 32(%3)\n"
21900 " movnti %%edx, 36(%3)\n"
21901 - "12: movl 40(%4), %%eax\n"
21902 - "71: movl 44(%4), %%edx\n"
21903 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
21904 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
21905 " movnti %%eax, 40(%3)\n"
21906 " movnti %%edx, 44(%3)\n"
21907 - "13: movl 48(%4), %%eax\n"
21908 - "81: movl 52(%4), %%edx\n"
21909 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
21910 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
21911 " movnti %%eax, 48(%3)\n"
21912 " movnti %%edx, 52(%3)\n"
21913 - "14: movl 56(%4), %%eax\n"
21914 - "91: movl 60(%4), %%edx\n"
21915 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
21916 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
21917 " movnti %%eax, 56(%3)\n"
21918 " movnti %%edx, 60(%3)\n"
21919 " addl $-64, %0\n"
21920 @@ -487,9 +600,9 @@ static unsigned long __copy_user_zeroing
21921 " shrl $2, %0\n"
21922 " andl $3, %%eax\n"
21923 " cld\n"
21924 - "6: rep; movsl\n"
21925 + "6: rep; "__copyuser_seg" movsl\n"
21926 " movl %%eax,%0\n"
21927 - "7: rep; movsb\n"
21928 + "7: rep; "__copyuser_seg" movsb\n"
21929 "8:\n"
21930 ".section .fixup,\"ax\"\n"
21931 "9: lea 0(%%eax,%0,4),%0\n"
21932 @@ -537,41 +650,41 @@ static unsigned long __copy_user_intel_n
21933
21934 __asm__ __volatile__(
21935 " .align 2,0x90\n"
21936 - "0: movl 32(%4), %%eax\n"
21937 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
21938 " cmpl $67, %0\n"
21939 " jbe 2f\n"
21940 - "1: movl 64(%4), %%eax\n"
21941 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
21942 " .align 2,0x90\n"
21943 - "2: movl 0(%4), %%eax\n"
21944 - "21: movl 4(%4), %%edx\n"
21945 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
21946 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
21947 " movnti %%eax, 0(%3)\n"
21948 " movnti %%edx, 4(%3)\n"
21949 - "3: movl 8(%4), %%eax\n"
21950 - "31: movl 12(%4),%%edx\n"
21951 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
21952 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
21953 " movnti %%eax, 8(%3)\n"
21954 " movnti %%edx, 12(%3)\n"
21955 - "4: movl 16(%4), %%eax\n"
21956 - "41: movl 20(%4), %%edx\n"
21957 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
21958 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
21959 " movnti %%eax, 16(%3)\n"
21960 " movnti %%edx, 20(%3)\n"
21961 - "10: movl 24(%4), %%eax\n"
21962 - "51: movl 28(%4), %%edx\n"
21963 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
21964 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
21965 " movnti %%eax, 24(%3)\n"
21966 " movnti %%edx, 28(%3)\n"
21967 - "11: movl 32(%4), %%eax\n"
21968 - "61: movl 36(%4), %%edx\n"
21969 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
21970 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
21971 " movnti %%eax, 32(%3)\n"
21972 " movnti %%edx, 36(%3)\n"
21973 - "12: movl 40(%4), %%eax\n"
21974 - "71: movl 44(%4), %%edx\n"
21975 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
21976 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
21977 " movnti %%eax, 40(%3)\n"
21978 " movnti %%edx, 44(%3)\n"
21979 - "13: movl 48(%4), %%eax\n"
21980 - "81: movl 52(%4), %%edx\n"
21981 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
21982 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
21983 " movnti %%eax, 48(%3)\n"
21984 " movnti %%edx, 52(%3)\n"
21985 - "14: movl 56(%4), %%eax\n"
21986 - "91: movl 60(%4), %%edx\n"
21987 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
21988 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
21989 " movnti %%eax, 56(%3)\n"
21990 " movnti %%edx, 60(%3)\n"
21991 " addl $-64, %0\n"
21992 @@ -584,9 +697,9 @@ static unsigned long __copy_user_intel_n
21993 " shrl $2, %0\n"
21994 " andl $3, %%eax\n"
21995 " cld\n"
21996 - "6: rep; movsl\n"
21997 + "6: rep; "__copyuser_seg" movsl\n"
21998 " movl %%eax,%0\n"
21999 - "7: rep; movsb\n"
22000 + "7: rep; "__copyuser_seg" movsb\n"
22001 "8:\n"
22002 ".section .fixup,\"ax\"\n"
22003 "9: lea 0(%%eax,%0,4),%0\n"
22004 @@ -629,32 +742,36 @@ static unsigned long __copy_user_intel_n
22005 */
22006 unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
22007 unsigned long size);
22008 -unsigned long __copy_user_intel(void __user *to, const void *from,
22009 +unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
22010 + unsigned long size);
22011 +unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
22012 unsigned long size);
22013 unsigned long __copy_user_zeroing_intel_nocache(void *to,
22014 const void __user *from, unsigned long size);
22015 #endif /* CONFIG_X86_INTEL_USERCOPY */
22016
22017 /* Generic arbitrary sized copy. */
22018 -#define __copy_user(to, from, size) \
22019 +#define __copy_user(to, from, size, prefix, set, restore) \
22020 do { \
22021 int __d0, __d1, __d2; \
22022 __asm__ __volatile__( \
22023 + set \
22024 " cmp $7,%0\n" \
22025 " jbe 1f\n" \
22026 " movl %1,%0\n" \
22027 " negl %0\n" \
22028 " andl $7,%0\n" \
22029 " subl %0,%3\n" \
22030 - "4: rep; movsb\n" \
22031 + "4: rep; "prefix"movsb\n" \
22032 " movl %3,%0\n" \
22033 " shrl $2,%0\n" \
22034 " andl $3,%3\n" \
22035 " .align 2,0x90\n" \
22036 - "0: rep; movsl\n" \
22037 + "0: rep; "prefix"movsl\n" \
22038 " movl %3,%0\n" \
22039 - "1: rep; movsb\n" \
22040 + "1: rep; "prefix"movsb\n" \
22041 "2:\n" \
22042 + restore \
22043 ".section .fixup,\"ax\"\n" \
22044 "5: addl %3,%0\n" \
22045 " jmp 2b\n" \
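Review bot: The three new `__copy_user` parameters are pasted straight into the asm string, and `prefix` is joined to the mnemonic with no separator (`"rep; "prefix"movsb\n"`), whereas the unrolled copies earlier in this file write `"__copyuser_seg" movl` with a space. The comment above the macro is still only "Generic arbitrary sized copy."; it should say that `prefix`, `set` and `restore` must be string literals, that `prefix` must bring its own separator or be `""`, and that `restore` is also reached from the fixup code through `jmp 2b`. The macro body continues past the end of this hunk.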
22046 @@ -682,14 +799,14 @@ do { \
22047 " negl %0\n" \
22048 " andl $7,%0\n" \
22049 " subl %0,%3\n" \
22050 - "4: rep; movsb\n" \
22051 + "4: rep; "__copyuser_seg"movsb\n" \
22052 " movl %3,%0\n" \
22053 " shrl $2,%0\n" \
22054 " andl $3,%3\n" \
22055 " .align 2,0x90\n" \
22056 - "0: rep; movsl\n" \
22057 + "0: rep; "__copyuser_seg"movsl\n" \
22058 " movl %3,%0\n" \
22059 - "1: rep; movsb\n" \
22060 + "1: rep; "__copyuser_seg"movsb\n" \
22061 "2:\n" \
22062 ".section .fixup,\"ax\"\n" \
22063 "5: addl %3,%0\n" \
22064 @@ -775,9 +892,9 @@ survive:
22065 }
22066 #endif
22067 if (movsl_is_ok(to, from, n))
22068 - __copy_user(to, from, n);
22069 + __copy_user(to, from, n, "", __COPYUSER_SET_ES, __COPYUSER_RESTORE_ES);
22070 else
22071 - n = __copy_user_intel(to, from, n);
22072 + n = __generic_copy_to_user_intel(to, from, n);
22073 return n;
22074 }
22075 EXPORT_SYMBOL(__copy_to_user_ll);
22076 @@ -797,10 +914,9 @@ unsigned long __copy_from_user_ll_nozero
22077 unsigned long n)
22078 {
22079 if (movsl_is_ok(to, from, n))
22080 - __copy_user(to, from, n);
22081 + __copy_user(to, from, n, __copyuser_seg, "", "");
22082 else
22083 - n = __copy_user_intel((void __user *)to,
22084 - (const void *)from, n);
22085 + n = __generic_copy_from_user_intel(to, from, n);
22086 return n;
22087 }
22088 EXPORT_SYMBOL(__copy_from_user_ll_nozero);
22089 @@ -827,59 +943,38 @@ unsigned long __copy_from_user_ll_nocach
22090 if (n > 64 && cpu_has_xmm2)
22091 n = __copy_user_intel_nocache(to, from, n);
22092 else
22093 - __copy_user(to, from, n);
22094 + __copy_user(to, from, n, __copyuser_seg, "", "");
22095 #else
22096 - __copy_user(to, from, n);
22097 + __copy_user(to, from, n, __copyuser_seg, "", "");
22098 #endif
22099 return n;
22100 }
22101 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
22102
22103 -/**
22104 - * copy_to_user: - Copy a block of data into user space.
22105 - * @to: Destination address, in user space.
22106 - * @from: Source address, in kernel space.
22107 - * @n: Number of bytes to copy.
22108 - *
22109 - * Context: User context only. This function may sleep.
22110 - *
22111 - * Copy data from kernel space to user space.
22112 - *
22113 - * Returns number of bytes that could not be copied.
22114 - * On success, this will be zero.
22115 - */
22116 -unsigned long
22117 -copy_to_user(void __user *to, const void *from, unsigned long n)
22118 +#ifdef CONFIG_PAX_MEMORY_UDEREF
22119 +void __set_fs(mm_segment_t x)
22120 {
22121 - if (access_ok(VERIFY_WRITE, to, n))
22122 - n = __copy_to_user(to, from, n);
22123 - return n;
22124 + switch (x.seg) {
22125 + case 0:
22126 + loadsegment(gs, 0);
22127 + break;
22128 + case TASK_SIZE_MAX:
22129 + loadsegment(gs, __USER_DS);
22130 + break;
22131 + case -1UL:
22132 + loadsegment(gs, __KERNEL_DS);
22133 + break;
22134 + default:
22135 + BUG();
22136 + }
22137 + return;
22138 }
22139 -EXPORT_SYMBOL(copy_to_user);
22140 +EXPORT_SYMBOL(__set_fs);
22141
22142 -/**
22143 - * copy_from_user: - Copy a block of data from user space.
22144 - * @to: Destination address, in kernel space.
22145 - * @from: Source address, in user space.
22146 - * @n: Number of bytes to copy.
22147 - *
22148 - * Context: User context only. This function may sleep.
22149 - *
22150 - * Copy data from user space to kernel space.
22151 - *
22152 - * Returns number of bytes that could not be copied.
22153 - * On success, this will be zero.
22154 - *
22155 - * If some data could not be copied, this function will pad the copied
22156 - * data to the requested size using zero bytes.
22157 - */
22158 -unsigned long
22159 -copy_from_user(void *to, const void __user *from, unsigned long n)
22160 +void set_fs(mm_segment_t x)
22161 {
22162 - if (access_ok(VERIFY_READ, from, n))
22163 - n = __copy_from_user(to, from, n);
22164 - else
22165 - memset(to, 0, n);
22166 - return n;
22167 + current_thread_info()->addr_limit = x;
22168 + __set_fs(x);
22169 }
22170 -EXPORT_SYMBOL(copy_from_user);
22171 +EXPORT_SYMBOL(set_fs);
22172 +#endif
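Review bot: The exported `__set_fs()` and `set_fs()` have no comment, while the kernel-doc this hunk deletes was the only documentation in the region. A header such as `/* UDEREF: mirror addr_limit in %gs: 0 loads the null selector, TASK_SIZE_MAX loads __USER_DS, -1UL loads __KERNEL_DS; any other value is a bug */` would record the mapping, and the trailing `return;` in `__set_fs()` can go. `set_fs()` stores `addr_limit` before `__set_fs()` validates `x.seg`; if that order is deliberate it deserves a line of explanation. The hunk also removes `copy_from_user()` together with its `memset(to, 0, n)` on a failed `access_ok()`; the replacement is outside this hunk, so it is worth confirming that the destination is still cleared on that path.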
22173 diff -urNp linux-2.6.32.49/arch/x86/lib/usercopy_64.c linux-2.6.32.49/arch/x86/lib/usercopy_64.c
22174 --- linux-2.6.32.49/arch/x86/lib/usercopy_64.c 2011-11-08 19:02:43.000000000 -0500
22175 +++ linux-2.6.32.49/arch/x86/lib/usercopy_64.c 2011-11-15 19:59:43.000000000 -0500
22176 @@ -42,6 +42,12 @@ long
22177 __strncpy_from_user(char *dst, const char __user *src, long count)
22178 {
22179 long res;
22180 +
22181 +#ifdef CONFIG_PAX_MEMORY_UDEREF
22182 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
22183 + src += PAX_USER_SHADOW_BASE;
22184 +#endif
22185 +
22186 __do_strncpy_from_user(dst, src, count, res);
22187 return res;
22188 }
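Review bot: The UDEREF rebase added here is open-coded and undocumented, and the same two lines recur in the `__clear_user` hunk and twice in the `copy_in_user` hunk that follow. Each copy compares only the start pointer with `PAX_USER_SHADOW_BASE`, and in `__strncpy_from_user` and `__clear_user` no `access_ok()` is visible before it, so the hunk does not show what bounds the end of the range. A comment such as `/* UDEREF: userland is reached through the shadow mapping; callers have already validated the range */` would help, if that is indeed the contract. Factoring the test into one static inline helper would keep the four sites in step.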
22189 @@ -65,6 +71,12 @@ unsigned long __clear_user(void __user *
22190 {
22191 long __d0;
22192 might_fault();
22193 +
22194 +#ifdef CONFIG_PAX_MEMORY_UDEREF
22195 + if ((unsigned long)addr < PAX_USER_SHADOW_BASE)
22196 + addr += PAX_USER_SHADOW_BASE;
22197 +#endif
22198 +
22199 /* no memory constraint because it doesn't change any memory gcc knows
22200 about */
22201 asm volatile(
22202 @@ -151,10 +163,18 @@ EXPORT_SYMBOL(strlen_user);
22203
22204 unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
22205 {
22206 - if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
22207 - return copy_user_generic((__force void *)to, (__force void *)from, len);
22208 - }
22209 - return len;
22210 + if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
22211 +
22212 +#ifdef CONFIG_PAX_MEMORY_UDEREF
22213 + if ((unsigned long)to < PAX_USER_SHADOW_BASE)
22214 + to += PAX_USER_SHADOW_BASE;
22215 + if ((unsigned long)from < PAX_USER_SHADOW_BASE)
22216 + from += PAX_USER_SHADOW_BASE;
22217 +#endif
22218 +
22219 + return copy_user_generic((void __force_kernel *)to, (void __force_kernel *)from, len);
22220 + }
22221 + return len;
22222 }
22223 EXPORT_SYMBOL(copy_in_user);
22224
22225 @@ -164,7 +184,7 @@ EXPORT_SYMBOL(copy_in_user);
22226 * it is not necessary to optimize tail handling.
22227 */
22228 unsigned long
22229 -copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest)
22230 +copy_user_handle_tail(char __user *to, char __user *from, unsigned len, unsigned zerorest)
22231 {
22232 char c;
22233 unsigned zero_len;
22234 diff -urNp linux-2.6.32.49/arch/x86/Makefile linux-2.6.32.49/arch/x86/Makefile
22235 --- linux-2.6.32.49/arch/x86/Makefile 2011-11-08 19:02:43.000000000 -0500
22236 +++ linux-2.6.32.49/arch/x86/Makefile 2011-11-15 19:59:43.000000000 -0500
22237 @@ -44,6 +44,7 @@ ifeq ($(CONFIG_X86_32),y)
22238 else
22239 BITS := 64
22240 UTS_MACHINE := x86_64
22241 + biarch := $(call cc-option,-m64)
22242 CHECKFLAGS += -D__x86_64__ -m64
22243
22244 KBUILD_AFLAGS += -m64
22245 @@ -189,3 +190,12 @@ define archhelp
22246 echo ' FDARGS="..." arguments for the booted kernel'
22247 echo ' FDINITRD=file initrd for the booted kernel'
22248 endef
22249 +
22250 +define OLD_LD
22251 +
22252 +*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
22253 +*** Please upgrade your binutils to 2.18 or newer
22254 +endef
22255 +
22256 +archprepare:
22257 + $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
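Review bot: The `archprepare` rule tests whether `LDFLAGS_BUILD_ID` is empty, but the `OLD_LD` text tells the user to upgrade binutils to 2.18. If the variable is empty for any other reason, the message is misleading. `LDFLAGS_BUILD_ID` is set outside this file, so the link between the two is only implied; a comment above the rule, `# LDFLAGS_BUILD_ID is empty when the toolchain lacks --build-id, used here as a proxy for old binutils`, would make the intent checkable.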
22258 diff -urNp linux-2.6.32.49/arch/x86/mm/extable.c linux-2.6.32.49/arch/x86/mm/extable.c
22259 --- linux-2.6.32.49/arch/x86/mm/extable.c 2011-11-08 19:02:43.000000000 -0500
22260 +++ linux-2.6.32.49/arch/x86/mm/extable.c 2011-11-15 19:59:43.000000000 -0500
22261 @@ -1,14 +1,71 @@
22262 #include <linux/module.h>
22263 #include <linux/spinlock.h>
22264 +#include <linux/sort.h>
22265 #include <asm/uaccess.h>
22266 +#include <asm/pgtable.h>
22267
22268 +/*
22269 + * The exception table needs to be sorted so that the binary
22270 + * search that we use to find entries in it works properly.
22271 + * This is used both for the kernel exception table and for
22272 + * the exception tables of modules that get loaded.
22273 + */
22274 +static int cmp_ex(const void *a, const void *b)
22275 +{
22276 + const struct exception_table_entry *x = a, *y = b;
22277 +
22278 + /* avoid overflow */
22279 + if (x->insn > y->insn)
22280 + return 1;
22281 + if (x->insn < y->insn)
22282 + return -1;
22283 + return 0;
22284 +}
22285 +
22286 +static void swap_ex(void *a, void *b, int size)
22287 +{
22288 + struct exception_table_entry t, *x = a, *y = b;
22289 +
22290 + t = *x;
22291 +
22292 + pax_open_kernel();
22293 + *x = *y;
22294 + *y = t;
22295 + pax_close_kernel();
22296 +}
22297 +
22298 +void sort_extable(struct exception_table_entry *start,
22299 + struct exception_table_entry *finish)
22300 +{
22301 + sort(start, finish - start, sizeof(struct exception_table_entry),
22302 + cmp_ex, swap_ex);
22303 +}
22304 +
22305 +#ifdef CONFIG_MODULES
22306 +/*
22307 + * If the exception table is sorted, any referring to the module init
22308 + * will be at the beginning or the end.
22309 + */
22310 +void trim_init_extable(struct module *m)
22311 +{
22312 + /*trim the beginning*/
22313 + while (m->num_exentries && within_module_init(m->extable[0].insn, m)) {
22314 + m->extable++;
22315 + m->num_exentries--;
22316 + }
22317 + /*trim the end*/
22318 + while (m->num_exentries &&
22319 + within_module_init(m->extable[m->num_exentries-1].insn, m))
22320 + m->num_exentries--;
22321 +}
22322 +#endif /* CONFIG_MODULES */
22323
22324 int fixup_exception(struct pt_regs *regs)
22325 {
22326 const struct exception_table_entry *fixup;
22327
22328 #ifdef CONFIG_PNPBIOS
22329 - if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
22330 + if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
22331 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
22332 extern u32 pnp_bios_is_utter_crap;
22333 pnp_bios_is_utter_crap = 1;
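Review bot: `swap_ex()` brackets its two stores with `pax_open_kernel()`/`pax_close_kernel()` but has no comment, and the block comment above `cmp_ex()` only explains the sorting. Presumably the exception table is write-protected under this patch, which is why a custom swap is passed to `sort()`. A line such as `/* entries may be read-only: open the write window only around the two stores */` would record that and explain why `size` is unused. In `trim_init_extable()` the second `while` lacks the braces the first one has. `fixup_exception()` continues outside the hunk.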
22334 diff -urNp linux-2.6.32.49/arch/x86/mm/fault.c linux-2.6.32.49/arch/x86/mm/fault.c
22335 --- linux-2.6.32.49/arch/x86/mm/fault.c 2011-11-08 19:02:43.000000000 -0500
22336 +++ linux-2.6.32.49/arch/x86/mm/fault.c 2011-11-18 18:07:11.000000000 -0500
22337 @@ -11,10 +11,19 @@
22338 #include <linux/kprobes.h> /* __kprobes, ... */
22339 #include <linux/mmiotrace.h> /* kmmio_handler, ... */
22340 #include <linux/perf_event.h> /* perf_sw_event */
22341 +#include <linux/unistd.h>
22342 +#include <linux/compiler.h>
22343
22344 #include <asm/traps.h> /* dotraplinkage, ... */
22345 #include <asm/pgalloc.h> /* pgd_*(), ... */
22346 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
22347 +#include <asm/vsyscall.h>
22348 +#include <asm/tlbflush.h>
22349 +
22350 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
22351 +#include <asm/stacktrace.h>
22352 +#include "../kernel/dumpstack.h"
22353 +#endif
22354
22355 /*
22356 * Page fault error code bits:
22357 @@ -51,7 +60,7 @@ static inline int notify_page_fault(stru
22358 int ret = 0;
22359
22360 /* kprobe_running() needs smp_processor_id() */
22361 - if (kprobes_built_in() && !user_mode_vm(regs)) {
22362 + if (kprobes_built_in() && !user_mode(regs)) {
22363 preempt_disable();
22364 if (kprobe_running() && kprobe_fault_handler(regs, 14))
22365 ret = 1;
22366 @@ -112,7 +121,10 @@ check_prefetch_opcode(struct pt_regs *re
22367 return !instr_lo || (instr_lo>>1) == 1;
22368 case 0x00:
22369 /* Prefetch instruction is 0x0F0D or 0x0F18 */
22370 - if (probe_kernel_address(instr, opcode))
22371 + if (user_mode(regs)) {
22372 + if (__copy_from_user_inatomic(&opcode, (unsigned char __force_user *)(instr), 1))
22373 + return 0;
22374 + } else if (probe_kernel_address(instr, opcode))
22375 return 0;
22376
22377 *prefetch = (instr_lo == 0xF) &&
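Review bot: The user-mode branch calls `__copy_from_user_inatomic()`, the variant that does no range check, on a pointer derived from the faulting instruction address. The `is_prefetch` hunk below adds the same construct. Any bound on `instr` has to come from code outside both hunks, so the call should carry a comment naming what it relies on, e.g. `/* instr was range-checked by the caller; no access_ok() here */`, or make the check explicit. The `if (...) { if (...) return 0; } else if (...) return 0;` shape would also read more clearly as two separately guarded reads. Both functions start outside their hunks.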
22378 @@ -146,7 +158,10 @@ is_prefetch(struct pt_regs *regs, unsign
22379 while (instr < max_instr) {
22380 unsigned char opcode;
22381
22382 - if (probe_kernel_address(instr, opcode))
22383 + if (user_mode(regs)) {
22384 + if (__copy_from_user_inatomic(&opcode, (unsigned char __force_user *)(instr), 1))
22385 + break;
22386 + } else if (probe_kernel_address(instr, opcode))
22387 break;
22388
22389 instr++;
22390 @@ -172,6 +187,34 @@ force_sig_info_fault(int si_signo, int s
22391 force_sig_info(si_signo, &info, tsk);
22392 }
22393
22394 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
22395 +static bool pax_is_fetch_fault(struct pt_regs *regs, unsigned long error_code, unsigned long address);
22396 +#endif
22397 +
22398 +#ifdef CONFIG_PAX_EMUTRAMP
22399 +static int pax_handle_fetch_fault(struct pt_regs *regs);
22400 +#endif
22401 +
22402 +#ifdef CONFIG_PAX_PAGEEXEC
22403 +static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
22404 +{
22405 + pgd_t *pgd;
22406 + pud_t *pud;
22407 + pmd_t *pmd;
22408 +
22409 + pgd = pgd_offset(mm, address);
22410 + if (!pgd_present(*pgd))
22411 + return NULL;
22412 + pud = pud_offset(pgd, address);
22413 + if (!pud_present(*pud))
22414 + return NULL;
22415 + pmd = pmd_offset(pud, address);
22416 + if (!pmd_present(*pmd))
22417 + return NULL;
22418 + return pmd;
22419 +}
22420 +#endif
22421 +
22422 DEFINE_SPINLOCK(pgd_lock);
22423 LIST_HEAD(pgd_list);
22424
22425 @@ -224,11 +267,24 @@ void vmalloc_sync_all(void)
22426 address += PMD_SIZE) {
22427
22428 unsigned long flags;
22429 +
22430 +#ifdef CONFIG_PAX_PER_CPU_PGD
22431 + unsigned long cpu;
22432 +#else
22433 struct page *page;
22434 +#endif
22435
22436 spin_lock_irqsave(&pgd_lock, flags);
22437 +
22438 +#ifdef CONFIG_PAX_PER_CPU_PGD
22439 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
22440 + pgd_t *pgd = get_cpu_pgd(cpu);
22441 +#else
22442 list_for_each_entry(page, &pgd_list, lru) {
22443 - if (!vmalloc_sync_one(page_address(page), address))
22444 + pgd_t *pgd = page_address(page);
22445 +#endif
22446 +
22447 + if (!vmalloc_sync_one(pgd, address))
22448 break;
22449 }
22450 spin_unlock_irqrestore(&pgd_lock, flags);
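Review bot: The loop header is now selected by `#ifdef CONFIG_PAX_PER_CPU_PGD` while the body and closing brace are shared, which is easy to break on a later edit. The second `vmalloc_sync_all` hunk further down uses the same construction. The per-CPU variant iterates `cpu < NR_CPUS` rather than only possible CPUs, so `get_cpu_pgd()` must return a usable pgd for every index, which is not visible here. A comment on the `for` line stating that assumption would help. The function starts and ends outside this hunk.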
22451 @@ -258,6 +314,11 @@ static noinline int vmalloc_fault(unsign
22452 * an interrupt in the middle of a task switch..
22453 */
22454 pgd_paddr = read_cr3();
22455 +
22456 +#ifdef CONFIG_PAX_PER_CPU_PGD
22457 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (pgd_paddr & PHYSICAL_PAGE_MASK));
22458 +#endif
22459 +
22460 pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
22461 if (!pmd_k)
22462 return -1;
22463 @@ -332,15 +393,27 @@ void vmalloc_sync_all(void)
22464
22465 const pgd_t *pgd_ref = pgd_offset_k(address);
22466 unsigned long flags;
22467 +
22468 +#ifdef CONFIG_PAX_PER_CPU_PGD
22469 + unsigned long cpu;
22470 +#else
22471 struct page *page;
22472 +#endif
22473
22474 if (pgd_none(*pgd_ref))
22475 continue;
22476
22477 spin_lock_irqsave(&pgd_lock, flags);
22478 +
22479 +#ifdef CONFIG_PAX_PER_CPU_PGD
22480 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
22481 + pgd_t *pgd = pgd_offset_cpu(cpu, address);
22482 +#else
22483 list_for_each_entry(page, &pgd_list, lru) {
22484 pgd_t *pgd;
22485 pgd = (pgd_t *)page_address(page) + pgd_index(address);
22486 +#endif
22487 +
22488 if (pgd_none(*pgd))
22489 set_pgd(pgd, *pgd_ref);
22490 else
22491 @@ -373,7 +446,14 @@ static noinline int vmalloc_fault(unsign
22492 * happen within a race in page table update. In the later
22493 * case just flush:
22494 */
22495 +
22496 +#ifdef CONFIG_PAX_PER_CPU_PGD
22497 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (read_cr3() & PHYSICAL_PAGE_MASK));
22498 + pgd = pgd_offset_cpu(smp_processor_id(), address);
22499 +#else
22500 pgd = pgd_offset(current->active_mm, address);
22501 +#endif
22502 +
22503 pgd_ref = pgd_offset_k(address);
22504 if (pgd_none(*pgd_ref))
22505 return -1;
22506 @@ -535,7 +615,7 @@ static int is_errata93(struct pt_regs *r
22507 static int is_errata100(struct pt_regs *regs, unsigned long address)
22508 {
22509 #ifdef CONFIG_X86_64
22510 - if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
22511 + if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
22512 return 1;
22513 #endif
22514 return 0;
22515 @@ -562,7 +642,7 @@ static int is_f00f_bug(struct pt_regs *r
22516 }
22517
22518 static const char nx_warning[] = KERN_CRIT
22519 -"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
22520 +"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
22521
22522 static void
22523 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
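Review bot: `nx_warning` keeps `uid: %d`, while the KERNEXEC message added to `show_fault_oops` in the next hunk prints the same `current_uid()` with `%u`. Changing this one to `uid: %u` keeps the two log lines consistent. The new `task: %s` field is filled from `current->comm` in the next hunk, a name the task can set for itself, so anything that parses this line should treat that field as untrusted text.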
22524 @@ -571,15 +651,26 @@ show_fault_oops(struct pt_regs *regs, un
22525 if (!oops_may_print())
22526 return;
22527
22528 - if (error_code & PF_INSTR) {
22529 + if (nx_enabled && (error_code & PF_INSTR)) {
22530 unsigned int level;
22531
22532 pte_t *pte = lookup_address(address, &level);
22533
22534 if (pte && pte_present(*pte) && !pte_exec(*pte))
22535 - printk(nx_warning, current_uid());
22536 + printk(nx_warning, current_uid(), current->comm, task_pid_nr(current));
22537 }
22538
22539 +#ifdef CONFIG_PAX_KERNEXEC
22540 + if (init_mm.start_code <= address && address < init_mm.end_code) {
22541 + if (current->signal->curr_ip)
22542 + printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
22543 + &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
22544 + else
22545 + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
22546 + current->comm, task_pid_nr(current), current_uid(), current_euid());
22547 + }
22548 +#endif
22549 +
22550 printk(KERN_ALERT "BUG: unable to handle kernel ");
22551 if (address < PAGE_SIZE)
22552 printk(KERN_CONT "NULL pointer dereference");
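Review bot: The `CONFIG_PAX_KERNEXEC` block logs "attempted to modify kernel code" for any fault whose address lies between `init_mm.start_code` and `init_mm.end_code`, without looking at `error_code`. A read or instruction-fetch fault in that range would be reported as a modification; adding `(error_code & PF_WRITE) &&` to the condition would make the message match the event. The two `printk` calls differ only in the `From %pI4:` prefix and could share the rest of the format. `show_fault_oops()` continues outside the hunk.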
22553 @@ -705,6 +796,23 @@ __bad_area_nosemaphore(struct pt_regs *r
22554 {
22555 struct task_struct *tsk = current;
22556
22557 +#ifdef CONFIG_X86_64
22558 + struct mm_struct *mm = tsk->mm;
22559 +
22560 + if (mm && (error_code & PF_INSTR) && mm->context.vdso) {
22561 + if (regs->ip == (unsigned long)vgettimeofday) {
22562 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_gettimeofday);
22563 + return;
22564 + } else if (regs->ip == (unsigned long)vtime) {
22565 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_time);
22566 + return;
22567 + } else if (regs->ip == (unsigned long)vgetcpu) {
22568 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, getcpu);
22569 + return;
22570 + }
22571 + }
22572 +#endif
22573 +
22574 /* User mode accesses just cause a SIGSEGV */
22575 if (error_code & PF_USER) {
22576 /*
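Review bot: The vsyscall redirect runs before the `error_code & PF_USER` test, and its own condition checks only `PF_INSTR`. A kernel-mode fetch fault with `regs->ip` at one of the three vsyscall addresses would therefore have `ip` rewritten to a vdso address as well. Requiring user mode is cheap: `if (mm && (error_code & PF_USER) && (error_code & PF_INSTR) && mm->context.vdso) {`. The block also lacks a comment saying why a fetch fault at `vgettimeofday`, `vtime` or `vgetcpu` is expected. The function body continues outside the hunk.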
22577 @@ -722,6 +830,21 @@ __bad_area_nosemaphore(struct pt_regs *r
22578 if (is_errata100(regs, address))
22579 return;
22580
22581 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
22582 + if (pax_is_fetch_fault(regs, error_code, address)) {
22583 +
22584 +#ifdef CONFIG_PAX_EMUTRAMP
22585 + switch (pax_handle_fetch_fault(regs)) {
22586 + case 2:
22587 + return;
22588 + }
22589 +#endif
22590 +
22591 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
22592 + do_group_exit(SIGKILL);
22593 + }
22594 +#endif
22595 +
22596 if (unlikely(show_unhandled_signals))
22597 show_signal_msg(regs, error_code, address, tsk);
22598
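Review bot: The single-arm `switch (pax_handle_fetch_fault(regs)) { case 2: return; }` depends on bare return codes 1 and 2 whose meaning is given only in the comment above pax_handle_fetch_fault() in a later hunk of this file. Named constants and a plain test, for example `if (pax_handle_fetch_fault(regs) == PAX_FETCH_EMULATED) return;` (a proposed name, not one the patch defines), would let both call sites, here and in pax_handle_pageexec_fault(), be read on their own. A comment that `do_group_exit(SIGKILL)` does not return would also help, since the code after the block otherwise looks reachable.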
22599 @@ -818,7 +941,7 @@ do_sigbus(struct pt_regs *regs, unsigned
22600 if (fault & VM_FAULT_HWPOISON) {
22601 printk(KERN_ERR
22602 "MCE: Killing %s:%d due to hardware memory corruption fault at %lx\n",
22603 - tsk->comm, tsk->pid, address);
22604 + tsk->comm, task_pid_nr(tsk), address);
22605 code = BUS_MCEERR_AR;
22606 }
22607 #endif
22608 @@ -857,6 +980,99 @@ static int spurious_fault_check(unsigned
22609 return 1;
22610 }
22611
22612 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
22613 +static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
22614 +{
22615 + pte_t *pte;
22616 + pmd_t *pmd;
22617 + spinlock_t *ptl;
22618 + unsigned char pte_mask;
22619 +
22620 + if (nx_enabled || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
22621 + !(mm->pax_flags & MF_PAX_PAGEEXEC))
22622 + return 0;
22623 +
22624 + /* PaX: it's our fault, let's handle it if we can */
22625 +
22626 + /* PaX: take a look at read faults before acquiring any locks */
22627 + if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
22628 + /* instruction fetch attempt from a protected page in user mode */
22629 + up_read(&mm->mmap_sem);
22630 +
22631 +#ifdef CONFIG_PAX_EMUTRAMP
22632 + switch (pax_handle_fetch_fault(regs)) {
22633 + case 2:
22634 + return 1;
22635 + }
22636 +#endif
22637 +
22638 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
22639 + do_group_exit(SIGKILL);
22640 + }
22641 +
22642 + pmd = pax_get_pmd(mm, address);
22643 + if (unlikely(!pmd))
22644 + return 0;
22645 +
22646 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
22647 + if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
22648 + pte_unmap_unlock(pte, ptl);
22649 + return 0;
22650 + }
22651 +
22652 + if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
22653 + /* write attempt to a protected page in user mode */
22654 + pte_unmap_unlock(pte, ptl);
22655 + return 0;
22656 + }
22657 +
22658 +#ifdef CONFIG_SMP
22659 + if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
22660 +#else
22661 + if (likely(address > get_limit(regs->cs)))
22662 +#endif
22663 + {
22664 + set_pte(pte, pte_mkread(*pte));
22665 + __flush_tlb_one(address);
22666 + pte_unmap_unlock(pte, ptl);
22667 + up_read(&mm->mmap_sem);
22668 + return 1;
22669 + }
22670 +
22671 + pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
22672 +
22673 + /*
22674 + * PaX: fill DTLB with user rights and retry
22675 + */
22676 + __asm__ __volatile__ (
22677 + "orb %2,(%1)\n"
22678 +#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
22679 +/*
22680 + * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
22681 + * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
22682 + * page fault when examined during a TLB load attempt. this is true not only
22683 + * for PTEs holding a non-present entry but also present entries that will
22684 + * raise a page fault (such as those set up by PaX, or the copy-on-write
22685 + * mechanism). in effect it means that we do *not* need to flush the TLBs
22686 + * for our target pages since their PTEs are simply not in the TLBs at all.
22687 +
22688 + * the best thing in omitting it is that we gain around 15-20% speed in the
22689 + * fast path of the page fault handler and can get rid of tracing since we
22690 + * can no longer flush unintended entries.
22691 + */
22692 + "invlpg (%0)\n"
22693 +#endif
22694 + __copyuser_seg"testb $0,(%0)\n"
22695 + "xorb %3,(%1)\n"
22696 + :
22697 + : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER)
22698 + : "memory", "cc");
22699 + pte_unmap_unlock(pte, ptl);
22700 + up_read(&mm->mmap_sem);
22701 + return 1;
22702 +}
22703 +#endif
22704 +
22705 /*
22706 * Handle a spurious fault caused by a stale TLB entry.
22707 *
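Review bot: pax_handle_pageexec_fault() has an undocumented locking contract: every path that returns 1 has already called `up_read(&mm->mmap_sem)`, while the paths that return 0 leave the semaphore held, and the caller added in do_page_fault returns immediately on a non-zero result. A header comment should state this, e.g. `/* returns 1 with mmap_sem released when the fault was handled, 0 with mmap_sem still held otherwise */`. The `pte_mask` line also depends on `(error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1)` landing exactly on the dirty bit, which holds only for particular values of constants this hunk does not show. A `BUILD_BUG_ON` or a comment next to it would pin that assumption.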
22708 @@ -923,6 +1139,9 @@ int show_unhandled_signals = 1;
22709 static inline int
22710 access_error(unsigned long error_code, int write, struct vm_area_struct *vma)
22711 {
22712 + if (nx_enabled && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
22713 + return 1;
22714 +
22715 if (write) {
22716 /* write, present and write, not present: */
22717 if (unlikely(!(vma->vm_flags & VM_WRITE)))
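Review bot: The new NX test in access_error() is the only branch in the visible part of the function without a comment, and it tests `nx_enabled` while pax_is_fetch_fault(), added later in this file, tests `__supported_pte_mask & _PAGE_NX` for what appears to be the same condition. A comment such as `/* instruction fetch from a mapping without VM_EXEC: */` would match the style of the write branch below it. If the two NX tests are meant to be equivalent, using one form in both places would keep them from drifting apart. access_error() continues past the end of the hunk.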
22718 @@ -956,17 +1175,31 @@ do_page_fault(struct pt_regs *regs, unsi
22719 {
22720 struct vm_area_struct *vma;
22721 struct task_struct *tsk;
22722 - unsigned long address;
22723 struct mm_struct *mm;
22724 int write;
22725 int fault;
22726
22727 + /* Get the faulting address: */
22728 + unsigned long address = read_cr2();
22729 +
22730 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
22731 + if (!user_mode(regs) && address < 2 * PAX_USER_SHADOW_BASE) {
22732 + if (!search_exception_tables(regs->ip)) {
22733 + bad_area_nosemaphore(regs, error_code, address);
22734 + return;
22735 + }
22736 + if (address < PAX_USER_SHADOW_BASE) {
22737 + printk(KERN_ERR "PAX: please report this to pageexec@freemail.hu\n");
22738 + printk(KERN_ERR "PAX: faulting IP: %pA\n", (void *)regs->ip);
22739 + show_trace_log_lvl(NULL, NULL, (void *)regs->sp, regs->bp, KERN_ERR);
22740 + } else
22741 + address -= PAX_USER_SHADOW_BASE;
22742 + }
22743 +#endif
22744 +
22745 tsk = current;
22746 mm = tsk->mm;
22747
22748 - /* Get the faulting address: */
22749 - address = read_cr2();
22750 -
22751 /*
22752 * Detect and handle instructions that would cause a page fault for
22753 * both a tracked kernel page and a userspace page.
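Review bot: The UDEREF block does not explain the three address ranges it distinguishes (below `PAX_USER_SHADOW_BASE`, between that and `2 * PAX_USER_SHADOW_BASE`, and above), and its "please report" branch logs with plain `printk` plus a stack trace. A short comment above the `#if` describing each range and why `address -= PAX_USER_SHADOW_BASE` is applied would make the later uses of `address` reviewable. If the reporting branch can be reached repeatedly, guarding it with `if (printk_ratelimit())` would keep it from flooding the log; whether it can is not determinable from this hunk. do_page_fault continues past the end of the hunk.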
22754 @@ -1026,7 +1259,7 @@ do_page_fault(struct pt_regs *regs, unsi
22755 * User-mode registers count as a user access even for any
22756 * potential system fault or CPU buglet:
22757 */
22758 - if (user_mode_vm(regs)) {
22759 + if (user_mode(regs)) {
22760 local_irq_enable();
22761 error_code |= PF_USER;
22762 } else {
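Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` changes which faults get `PF_USER` set unless `user_mode()` is redefined elsewhere in this patch to account for vm86 mode; in the unpatched tree `user_mode_vm()` is the variant that also looks at the VM flag. That definition is not visible here, so it should be confirmed, and a comment such as `/* user_mode() covers vm86 in this tree */` added if it holds. The enclosing function starts and ends outside the hunk.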
22763 @@ -1080,6 +1313,11 @@ do_page_fault(struct pt_regs *regs, unsi
22764 might_sleep();
22765 }
22766
22767 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
22768 + if (pax_handle_pageexec_fault(regs, mm, address, error_code))
22769 + return;
22770 +#endif
22771 +
22772 vma = find_vma(mm, address);
22773 if (unlikely(!vma)) {
22774 bad_area(regs, error_code, address);
22775 @@ -1091,18 +1329,24 @@ do_page_fault(struct pt_regs *regs, unsi
22776 bad_area(regs, error_code, address);
22777 return;
22778 }
22779 - if (error_code & PF_USER) {
22780 - /*
22781 - * Accessing the stack below %sp is always a bug.
22782 - * The large cushion allows instructions like enter
22783 - * and pusha to work. ("enter $65535, $31" pushes
22784 - * 32 pointers and then decrements %sp by 65535.)
22785 - */
22786 - if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
22787 - bad_area(regs, error_code, address);
22788 - return;
22789 - }
22790 + /*
22791 + * Accessing the stack below %sp is always a bug.
22792 + * The large cushion allows instructions like enter
22793 + * and pusha to work. ("enter $65535, $31" pushes
22794 + * 32 pointers and then decrements %sp by 65535.)
22795 + */
22796 + if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
22797 + bad_area(regs, error_code, address);
22798 + return;
22799 + }
22800 +
22801 +#ifdef CONFIG_PAX_SEGMEXEC
22802 + if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
22803 + bad_area(regs, error_code, address);
22804 + return;
22805 }
22806 +#endif
22807 +
22808 if (unlikely(expand_stack(vma, address))) {
22809 bad_area(regs, error_code, address);
22810 return;
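Review bot: The SEGMEXEC test `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1` relies on unsigned wrap-around to compare both values relative to `SEGMEXEC_TASK_SIZE`, and nothing in the hunk says so. A comment stating in words which side of `SEGMEXEC_TASK_SIZE` each operand is expected to be on would make the check reviewable. The stack-cushion test also now runs without the `error_code & PF_USER` guard and compares against `task_pt_regs(tsk)->sp` instead of `regs->sp`, while the retained comment reads as before; it should mention that the saved user stack pointer is used for every fault that reaches this point.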
22811 @@ -1146,3 +1390,240 @@ good_area:
22812
22813 up_read(&mm->mmap_sem);
22814 }
22815 +
22816 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
22817 +static bool pax_is_fetch_fault(struct pt_regs *regs, unsigned long error_code, unsigned long address)
22818 +{
22819 + struct mm_struct *mm = current->mm;
22820 + unsigned long ip = regs->ip;
22821 +
22822 + if (v8086_mode(regs))
22823 + ip = ((regs->cs & 0xffff) << 4) + (ip & 0xffff);
22824 +
22825 +#ifdef CONFIG_PAX_PAGEEXEC
22826 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
22827 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR))
22828 + return true;
22829 + if (!(error_code & (PF_PROT | PF_WRITE)) && ip == address)
22830 + return true;
22831 + return false;
22832 + }
22833 +#endif
22834 +
22835 +#ifdef CONFIG_PAX_SEGMEXEC
22836 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
22837 + if (!(error_code & (PF_PROT | PF_WRITE)) && (ip + SEGMEXEC_TASK_SIZE == address))
22838 + return true;
22839 + return false;
22840 + }
22841 +#endif
22842 +
22843 + return false;
22844 +}
22845 +#endif
22846 +
22847 +#ifdef CONFIG_PAX_EMUTRAMP
22848 +static int pax_handle_fetch_fault_32(struct pt_regs *regs)
22849 +{
22850 + int err;
22851 +
22852 + do { /* PaX: gcc trampoline emulation #1 */
22853 + unsigned char mov1, mov2;
22854 + unsigned short jmp;
22855 + unsigned int addr1, addr2;
22856 +
22857 +#ifdef CONFIG_X86_64
22858 + if ((regs->ip + 11) >> 32)
22859 + break;
22860 +#endif
22861 +
22862 + err = get_user(mov1, (unsigned char __user *)regs->ip);
22863 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
22864 + err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
22865 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
22866 + err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
22867 +
22868 + if (err)
22869 + break;
22870 +
22871 + if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
22872 + regs->cx = addr1;
22873 + regs->ax = addr2;
22874 + regs->ip = addr2;
22875 + return 2;
22876 + }
22877 + } while (0);
22878 +
22879 + do { /* PaX: gcc trampoline emulation #2 */
22880 + unsigned char mov, jmp;
22881 + unsigned int addr1, addr2;
22882 +
22883 +#ifdef CONFIG_X86_64
22884 + if ((regs->ip + 9) >> 32)
22885 + break;
22886 +#endif
22887 +
22888 + err = get_user(mov, (unsigned char __user *)regs->ip);
22889 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
22890 + err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
22891 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
22892 +
22893 + if (err)
22894 + break;
22895 +
22896 + if (mov == 0xB9 && jmp == 0xE9) {
22897 + regs->cx = addr1;
22898 + regs->ip = (unsigned int)(regs->ip + addr2 + 10);
22899 + return 2;
22900 + }
22901 + } while (0);
22902 +
22903 + return 1; /* PaX in action */
22904 +}
22905 +
22906 +#ifdef CONFIG_X86_64
22907 +static int pax_handle_fetch_fault_64(struct pt_regs *regs)
22908 +{
22909 + int err;
22910 +
22911 + do { /* PaX: gcc trampoline emulation #1 */
22912 + unsigned short mov1, mov2, jmp1;
22913 + unsigned char jmp2;
22914 + unsigned int addr1;
22915 + unsigned long addr2;
22916 +
22917 + err = get_user(mov1, (unsigned short __user *)regs->ip);
22918 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
22919 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
22920 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
22921 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
22922 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
22923 +
22924 + if (err)
22925 + break;
22926 +
22927 + if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
22928 + regs->r11 = addr1;
22929 + regs->r10 = addr2;
22930 + regs->ip = addr1;
22931 + return 2;
22932 + }
22933 + } while (0);
22934 +
22935 + do { /* PaX: gcc trampoline emulation #2 */
22936 + unsigned short mov1, mov2, jmp1;
22937 + unsigned char jmp2;
22938 + unsigned long addr1, addr2;
22939 +
22940 + err = get_user(mov1, (unsigned short __user *)regs->ip);
22941 + err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
22942 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
22943 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
22944 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
22945 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
22946 +
22947 + if (err)
22948 + break;
22949 +
22950 + if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
22951 + regs->r11 = addr1;
22952 + regs->r10 = addr2;
22953 + regs->ip = addr1;
22954 + return 2;
22955 + }
22956 + } while (0);
22957 +
22958 + return 1; /* PaX in action */
22959 +}
22960 +#endif
22961 +
22962 +/*
22963 + * PaX: decide what to do with offenders (regs->ip = fault address)
22964 + *
22965 + * returns 1 when task should be killed
22966 + * 2 when gcc trampoline was detected
22967 + */
22968 +static int pax_handle_fetch_fault(struct pt_regs *regs)
22969 +{
22970 + if (v8086_mode(regs))
22971 + return 1;
22972 +
22973 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
22974 + return 1;
22975 +
22976 +#ifdef CONFIG_X86_32
22977 + return pax_handle_fetch_fault_32(regs);
22978 +#else
22979 + if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
22980 + return pax_handle_fetch_fault_32(regs);
22981 + else
22982 + return pax_handle_fetch_fault_64(regs);
22983 +#endif
22984 +}
22985 +#endif
22986 +
22987 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
22988 +void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
22989 +{
22990 + long i;
22991 +
22992 + printk(KERN_ERR "PAX: bytes at PC: ");
22993 + for (i = 0; i < 20; i++) {
22994 + unsigned char c;
22995 + if (get_user(c, (unsigned char __force_user *)pc+i))
22996 + printk(KERN_CONT "?? ");
22997 + else
22998 + printk(KERN_CONT "%02x ", c);
22999 + }
23000 + printk("\n");
23001 +
23002 + printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
23003 + for (i = -1; i < 80 / (long)sizeof(long); i++) {
23004 + unsigned long c;
23005 + if (get_user(c, (unsigned long __force_user *)sp+i)) {
23006 +#ifdef CONFIG_X86_32
23007 + printk(KERN_CONT "???????? ");
23008 +#else
23009 + if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)))
23010 + printk(KERN_CONT "???????? ???????? ");
23011 + else
23012 + printk(KERN_CONT "???????????????? ");
23013 +#endif
23014 + } else {
23015 +#ifdef CONFIG_X86_64
23016 + if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))) {
23017 + printk(KERN_CONT "%08x ", (unsigned int)c);
23018 + printk(KERN_CONT "%08x ", (unsigned int)(c >> 32));
23019 + } else
23020 +#endif
23021 + printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
23022 + }
23023 + }
23024 + printk("\n");
23025 +}
23026 +#endif
23027 +
23028 +/**
23029 + * probe_kernel_write(): safely attempt to write to a location
23030 + * @dst: address to write to
23031 + * @src: pointer to the data that shall be written
23032 + * @size: size of the data chunk
23033 + *
23034 + * Safely write to address @dst from the buffer at @src. If a kernel fault
23035 + * happens, handle that and return -EFAULT.
23036 + */
23037 +long notrace probe_kernel_write(void *dst, const void *src, size_t size)
23038 +{
23039 + long ret;
23040 + mm_segment_t old_fs = get_fs();
23041 +
23042 + set_fs(KERNEL_DS);
23043 + pagefault_disable();
23044 + pax_open_kernel();
23045 + ret = __copy_to_user_inatomic((void __force_user *)dst, src, size);
23046 + pax_close_kernel();
23047 + pagefault_enable();
23048 + set_fs(old_fs);
23049 +
23050 + return ret ? -EFAULT : 0;
23051 +}
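Review bot: The kernel-doc for probe_kernel_write() describes only the fault handling, but the body brackets the copy with `pax_open_kernel()` / `pax_close_kernel()`, which by their names lift the kernel's write protection for the duration of the copy (their definitions are outside this hunk). That would make this function a write path into otherwise read-only kernel memory, so the comment should say so, e.g. by adding `* Note: kernel write protection is lifted around the copy; callers must validate @dst.` Separately, pax_report_insns() ends each dump with `printk("\n")` without a level, where `printk(KERN_CONT "\n")` would match the continuation lines before it.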
23052 diff -urNp linux-2.6.32.49/arch/x86/mm/gup.c linux-2.6.32.49/arch/x86/mm/gup.c
23053 --- linux-2.6.32.49/arch/x86/mm/gup.c 2011-11-08 19:02:43.000000000 -0500
23054 +++ linux-2.6.32.49/arch/x86/mm/gup.c 2011-11-15 19:59:43.000000000 -0500
23055 @@ -237,7 +237,7 @@ int __get_user_pages_fast(unsigned long
23056 addr = start;
23057 len = (unsigned long) nr_pages << PAGE_SHIFT;
23058 end = start + len;
23059 - if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
23060 + if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ,
23061 (void __user *)start, len)))
23062 return 0;
23063
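Review bot: The switch from `access_ok()` to `__access_ok()` in the range check of __get_user_pages_fast() comes without explanation, and the difference between the two lies in definitions outside this hunk. This is the only validation of `start` and `len` visible in the hunk, so a reader needs to confirm that the check is not weaker than before. A comment stating what `access_ok()` does in this tree that has to be avoided here, for example `/* __access_ok: range check only */` if that is the difference, would allow that. The function starts and ends outside the hunk.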
23064 diff -urNp linux-2.6.32.49/arch/x86/mm/highmem_32.c linux-2.6.32.49/arch/x86/mm/highmem_32.c
23065 --- linux-2.6.32.49/arch/x86/mm/highmem_32.c 2011-11-08 19:02:43.000000000 -0500
23066 +++ linux-2.6.32.49/arch/x86/mm/highmem_32.c 2011-11-15 19:59:43.000000000 -0500
23067 @@ -43,7 +43,10 @@ void *kmap_atomic_prot(struct page *page
23068 idx = type + KM_TYPE_NR*smp_processor_id();
23069 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
23070 BUG_ON(!pte_none(*(kmap_pte-idx)));
23071 +
23072 + pax_open_kernel();
23073 set_pte(kmap_pte-idx, mk_pte(page, prot));
23074 + pax_close_kernel();
23075
23076 return (void *)vaddr;
23077 }
23078 diff -urNp linux-2.6.32.49/arch/x86/mm/hugetlbpage.c linux-2.6.32.49/arch/x86/mm/hugetlbpage.c
23079 --- linux-2.6.32.49/arch/x86/mm/hugetlbpage.c 2011-11-08 19:02:43.000000000 -0500
23080 +++ linux-2.6.32.49/arch/x86/mm/hugetlbpage.c 2011-11-15 19:59:43.000000000 -0500
23081 @@ -267,13 +267,20 @@ static unsigned long hugetlb_get_unmappe
23082 struct hstate *h = hstate_file(file);
23083 struct mm_struct *mm = current->mm;
23084 struct vm_area_struct *vma;
23085 - unsigned long start_addr;
23086 + unsigned long start_addr, pax_task_size = TASK_SIZE;
23087 +
23088 +#ifdef CONFIG_PAX_SEGMEXEC
23089 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
23090 + pax_task_size = SEGMEXEC_TASK_SIZE;
23091 +#endif
23092 +
23093 + pax_task_size -= PAGE_SIZE;
23094
23095 if (len > mm->cached_hole_size) {
23096 - start_addr = mm->free_area_cache;
23097 + start_addr = mm->free_area_cache;
23098 } else {
23099 - start_addr = TASK_UNMAPPED_BASE;
23100 - mm->cached_hole_size = 0;
23101 + start_addr = mm->mmap_base;
23102 + mm->cached_hole_size = 0;
23103 }
23104
23105 full_search:
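Review bot: The `pax_task_size` setup (start from `TASK_SIZE`, switch to `SEGMEXEC_TASK_SIZE` under `MF_PAX_SEGMEXEC`, then subtract `PAGE_SIZE`) is written out here and again in hugetlb_get_unmapped_area() further down this file, with no comment on why one page is subtracted. A small static helper returning the limit, with a comment on the `- PAGE_SIZE`, would keep the two copies from diverging. The `start_addr` / `cached_hole_size` lines in this hunk also appear to mix a whitespace-only change with the `mm->mmap_base` substitution, which makes the functional part harder to spot.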
23106 @@ -281,26 +288,27 @@ full_search:
23107
23108 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
23109 /* At this point: (!vma || addr < vma->vm_end). */
23110 - if (TASK_SIZE - len < addr) {
23111 + if (pax_task_size - len < addr) {
23112 /*
23113 * Start a new search - just in case we missed
23114 * some holes.
23115 */
23116 - if (start_addr != TASK_UNMAPPED_BASE) {
23117 - start_addr = TASK_UNMAPPED_BASE;
23118 + if (start_addr != mm->mmap_base) {
23119 + start_addr = mm->mmap_base;
23120 mm->cached_hole_size = 0;
23121 goto full_search;
23122 }
23123 return -ENOMEM;
23124 }
23125 - if (!vma || addr + len <= vma->vm_start) {
23126 - mm->free_area_cache = addr + len;
23127 - return addr;
23128 - }
23129 + if (check_heap_stack_gap(vma, addr, len))
23130 + break;
23131 if (addr + mm->cached_hole_size < vma->vm_start)
23132 mm->cached_hole_size = vma->vm_start - addr;
23133 addr = ALIGN(vma->vm_end, huge_page_size(h));
23134 }
23135 +
23136 + mm->free_area_cache = addr + len;
23137 + return addr;
23138 }
23139
23140 static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
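Review bot: The loop now relies on `check_heap_stack_gap()` returning non-zero when `vma` is NULL, because the explicit `!vma ||` test was removed and the next statement reads `vma->vm_start`. The helper is defined outside this file section, so that contract cannot be confirmed from here. The same reliance appears in the top-down search (`mm->free_area_cache == vma->vm_end` right after the check) and in the hint path of hugetlb_get_unmapped_area(). A comment at the call, e.g. `/* check_heap_stack_gap() accepts a NULL vma */`, or keeping `!vma ||` in the condition, would make the dereference visibly safe.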
23141 @@ -309,10 +317,9 @@ static unsigned long hugetlb_get_unmappe
23142 {
23143 struct hstate *h = hstate_file(file);
23144 struct mm_struct *mm = current->mm;
23145 - struct vm_area_struct *vma, *prev_vma;
23146 - unsigned long base = mm->mmap_base, addr = addr0;
23147 + struct vm_area_struct *vma;
23148 + unsigned long base = mm->mmap_base, addr;
23149 unsigned long largest_hole = mm->cached_hole_size;
23150 - int first_time = 1;
23151
23152 /* don't allow allocations above current base */
23153 if (mm->free_area_cache > base)
23154 @@ -322,64 +329,63 @@ static unsigned long hugetlb_get_unmappe
23155 largest_hole = 0;
23156 mm->free_area_cache = base;
23157 }
23158 -try_again:
23159 +
23160 /* make sure it can fit in the remaining address space */
23161 if (mm->free_area_cache < len)
23162 goto fail;
23163
23164 /* either no address requested or cant fit in requested address hole */
23165 - addr = (mm->free_area_cache - len) & huge_page_mask(h);
23166 + addr = (mm->free_area_cache - len);
23167 do {
23168 + addr &= huge_page_mask(h);
23169 + vma = find_vma(mm, addr);
23170 /*
23171 * Lookup failure means no vma is above this address,
23172 * i.e. return with success:
23173 - */
23174 - if (!(vma = find_vma_prev(mm, addr, &prev_vma)))
23175 - return addr;
23176 -
23177 - /*
23178 * new region fits between prev_vma->vm_end and
23179 * vma->vm_start, use it:
23180 */
23181 - if (addr + len <= vma->vm_start &&
23182 - (!prev_vma || (addr >= prev_vma->vm_end))) {
23183 + if (check_heap_stack_gap(vma, addr, len)) {
23184 /* remember the address as a hint for next time */
23185 - mm->cached_hole_size = largest_hole;
23186 - return (mm->free_area_cache = addr);
23187 - } else {
23188 - /* pull free_area_cache down to the first hole */
23189 - if (mm->free_area_cache == vma->vm_end) {
23190 - mm->free_area_cache = vma->vm_start;
23191 - mm->cached_hole_size = largest_hole;
23192 - }
23193 + mm->cached_hole_size = largest_hole;
23194 + return (mm->free_area_cache = addr);
23195 + }
23196 + /* pull free_area_cache down to the first hole */
23197 + if (mm->free_area_cache == vma->vm_end) {
23198 + mm->free_area_cache = vma->vm_start;
23199 + mm->cached_hole_size = largest_hole;
23200 }
23201
23202 /* remember the largest hole we saw so far */
23203 if (addr + largest_hole < vma->vm_start)
23204 - largest_hole = vma->vm_start - addr;
23205 + largest_hole = vma->vm_start - addr;
23206
23207 /* try just below the current vma->vm_start */
23208 - addr = (vma->vm_start - len) & huge_page_mask(h);
23209 - } while (len <= vma->vm_start);
23210 + addr = skip_heap_stack_gap(vma, len);
23211 + } while (!IS_ERR_VALUE(addr));
23212
23213 fail:
23214 /*
23215 - * if hint left us with no space for the requested
23216 - * mapping then try again:
23217 - */
23218 - if (first_time) {
23219 - mm->free_area_cache = base;
23220 - largest_hole = 0;
23221 - first_time = 0;
23222 - goto try_again;
23223 - }
23224 - /*
23225 * A failed mmap() very likely causes application failure,
23226 * so fall back to the bottom-up function here. This scenario
23227 * can happen with large stack limits and large mmap()
23228 * allocations.
23229 */
23230 - mm->free_area_cache = TASK_UNMAPPED_BASE;
23231 +
23232 +#ifdef CONFIG_PAX_SEGMEXEC
23233 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
23234 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
23235 + else
23236 +#endif
23237 +
23238 + mm->mmap_base = TASK_UNMAPPED_BASE;
23239 +
23240 +#ifdef CONFIG_PAX_RANDMMAP
23241 + if (mm->pax_flags & MF_PAX_RANDMMAP)
23242 + mm->mmap_base += mm->delta_mmap;
23243 +#endif
23244 +
23245 + mm->free_area_cache = mm->mmap_base;
23246 mm->cached_hole_size = ~0UL;
23247 addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
23248 len, pgoff, flags);
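Review bot: In the fallback path the `else` that ends the `CONFIG_PAX_SEGMEXEC` block binds to `mm->mmap_base = TASK_UNMAPPED_BASE;` across the `#endif` and a blank line, so the assignment is conditional in one configuration and unconditional in the other without looking any different. Assigning the default first and overriding it inside the `#ifdef`, as sketched below, gives the same result without the dangling `else`. The merged comment inside the loop also still mentions `prev_vma`, which this hunk removes, and should be reworded to describe the single `check_heap_stack_gap()` test.

```c
	mm->mmap_base = TASK_UNMAPPED_BASE;

#ifdef CONFIG_PAX_SEGMEXEC
	if (mm->pax_flags & MF_PAX_SEGMEXEC)
		mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
#endif

	/* … unchanged: CONFIG_PAX_RANDMMAP adjustment and free_area_cache reset … */
```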
23249 @@ -387,6 +393,7 @@ fail:
23250 /*
23251 * Restore the topdown base:
23252 */
23253 + mm->mmap_base = base;
23254 mm->free_area_cache = base;
23255 mm->cached_hole_size = ~0UL;
23256
23257 @@ -400,10 +407,19 @@ hugetlb_get_unmapped_area(struct file *f
23258 struct hstate *h = hstate_file(file);
23259 struct mm_struct *mm = current->mm;
23260 struct vm_area_struct *vma;
23261 + unsigned long pax_task_size = TASK_SIZE;
23262
23263 if (len & ~huge_page_mask(h))
23264 return -EINVAL;
23265 - if (len > TASK_SIZE)
23266 +
23267 +#ifdef CONFIG_PAX_SEGMEXEC
23268 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
23269 + pax_task_size = SEGMEXEC_TASK_SIZE;
23270 +#endif
23271 +
23272 + pax_task_size -= PAGE_SIZE;
23273 +
23274 + if (len > pax_task_size)
23275 return -ENOMEM;
23276
23277 if (flags & MAP_FIXED) {
23278 @@ -415,8 +431,7 @@ hugetlb_get_unmapped_area(struct file *f
23279 if (addr) {
23280 addr = ALIGN(addr, huge_page_size(h));
23281 vma = find_vma(mm, addr);
23282 - if (TASK_SIZE - len >= addr &&
23283 - (!vma || addr + len <= vma->vm_start))
23284 + if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
23285 return addr;
23286 }
23287 if (mm->get_unmapped_area == arch_get_unmapped_area)
23288 diff -urNp linux-2.6.32.49/arch/x86/mm/init_32.c linux-2.6.32.49/arch/x86/mm/init_32.c
23289 --- linux-2.6.32.49/arch/x86/mm/init_32.c 2011-11-08 19:02:43.000000000 -0500
23290 +++ linux-2.6.32.49/arch/x86/mm/init_32.c 2011-11-15 19:59:43.000000000 -0500
23291 @@ -72,36 +72,6 @@ static __init void *alloc_low_page(void)
23292 }
23293
23294 /*
23295 - * Creates a middle page table and puts a pointer to it in the
23296 - * given global directory entry. This only returns the gd entry
23297 - * in non-PAE compilation mode, since the middle layer is folded.
23298 - */
23299 -static pmd_t * __init one_md_table_init(pgd_t *pgd)
23300 -{
23301 - pud_t *pud;
23302 - pmd_t *pmd_table;
23303 -
23304 -#ifdef CONFIG_X86_PAE
23305 - if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
23306 - if (after_bootmem)
23307 - pmd_table = (pmd_t *)alloc_bootmem_pages(PAGE_SIZE);
23308 - else
23309 - pmd_table = (pmd_t *)alloc_low_page();
23310 - paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
23311 - set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
23312 - pud = pud_offset(pgd, 0);
23313 - BUG_ON(pmd_table != pmd_offset(pud, 0));
23314 -
23315 - return pmd_table;
23316 - }
23317 -#endif
23318 - pud = pud_offset(pgd, 0);
23319 - pmd_table = pmd_offset(pud, 0);
23320 -
23321 - return pmd_table;
23322 -}
23323 -
23324 -/*
23325 * Create a page table and place a pointer to it in a middle page
23326 * directory entry:
23327 */
23328 @@ -121,13 +91,28 @@ static pte_t * __init one_page_table_ini
23329 page_table = (pte_t *)alloc_low_page();
23330
23331 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
23332 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
23333 + set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
23334 +#else
23335 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
23336 +#endif
23337 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
23338 }
23339
23340 return pte_offset_kernel(pmd, 0);
23341 }
23342
23343 +static pmd_t * __init one_md_table_init(pgd_t *pgd)
23344 +{
23345 + pud_t *pud;
23346 + pmd_t *pmd_table;
23347 +
23348 + pud = pud_offset(pgd, 0);
23349 + pmd_table = pmd_offset(pud, 0);
23350 +
23351 + return pmd_table;
23352 +}
23353 +
23354 pmd_t * __init populate_extra_pmd(unsigned long vaddr)
23355 {
23356 int pgd_idx = pgd_index(vaddr);
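Review bot: The re-added one_md_table_init() no longer allocates a middle directory when the pgd entry is not present under `CONFIG_X86_PAE`; it only walks `pud_offset()` / `pmd_offset()`, and it has lost its header comment. That is safe only if every pmd table it can be asked for already exists, which this hunk does not show. A comment such as `/* pmd tables are preallocated; this only looks one up */`, if that is the case, would record the assumption for the remaining callers. The choice of `_KERNPG_TABLE` over `_PAGE_TABLE` under PAGEEXEC/SEGMEXEC likewise deserves a one-line reason.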
23357 @@ -201,6 +186,7 @@ page_table_range_init(unsigned long star
23358 int pgd_idx, pmd_idx;
23359 unsigned long vaddr;
23360 pgd_t *pgd;
23361 + pud_t *pud;
23362 pmd_t *pmd;
23363 pte_t *pte = NULL;
23364
23365 @@ -210,8 +196,13 @@ page_table_range_init(unsigned long star
23366 pgd = pgd_base + pgd_idx;
23367
23368 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
23369 - pmd = one_md_table_init(pgd);
23370 - pmd = pmd + pmd_index(vaddr);
23371 + pud = pud_offset(pgd, vaddr);
23372 + pmd = pmd_offset(pud, vaddr);
23373 +
23374 +#ifdef CONFIG_X86_PAE
23375 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
23376 +#endif
23377 +
23378 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
23379 pmd++, pmd_idx++) {
23380 pte = page_table_kmap_check(one_page_table_init(pmd),
23381 @@ -223,11 +214,20 @@ page_table_range_init(unsigned long star
23382 }
23383 }
23384
23385 -static inline int is_kernel_text(unsigned long addr)
23386 +static inline int is_kernel_text(unsigned long start, unsigned long end)
23387 {
23388 - if (addr >= PAGE_OFFSET && addr <= (unsigned long)__init_end)
23389 - return 1;
23390 - return 0;
23391 + if ((start > ktla_ktva((unsigned long)_etext) ||
23392 + end <= ktla_ktva((unsigned long)_stext)) &&
23393 + (start > ktla_ktva((unsigned long)_einittext) ||
23394 + end <= ktla_ktva((unsigned long)_sinittext)) &&
23395 +
23396 +#ifdef CONFIG_ACPI_SLEEP
23397 + (start > (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
23398 +#endif
23399 +
23400 + (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
23401 + return 0;
23402 + return 1;
23403 }
23404
23405 /*
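Review bot: is_kernel_text() now returns 1 for ranges overlapping the ACPI wakeup area and `__va(0xc0000)`–`__va(0xfffff)` as well as kernel and init text, so its name no longer describes what it decides, and the literals `0x4000`, `0xc0000` and `0xfffff` are unexplained. The callers use the result to choose `PAGE_KERNEL_EXEC` / `PAGE_KERNEL_LARGE_EXEC`, so each extra range widens what is mapped executable and should be justified in a comment above the function. The mixed `start >` / `end <=` bounds also treat a range starting exactly at `_etext` as overlapping; if that is deliberate it is worth saying so.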
23406 @@ -243,9 +243,10 @@ kernel_physical_mapping_init(unsigned lo
23407 int use_pse = page_size_mask == (1<<PG_LEVEL_2M);
23408 unsigned long start_pfn, end_pfn;
23409 pgd_t *pgd_base = swapper_pg_dir;
23410 - int pgd_idx, pmd_idx, pte_ofs;
23411 + unsigned int pgd_idx, pmd_idx, pte_ofs;
23412 unsigned long pfn;
23413 pgd_t *pgd;
23414 + pud_t *pud;
23415 pmd_t *pmd;
23416 pte_t *pte;
23417 unsigned pages_2m, pages_4k;
23418 @@ -278,8 +279,13 @@ repeat:
23419 pfn = start_pfn;
23420 pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
23421 pgd = pgd_base + pgd_idx;
23422 - for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
23423 - pmd = one_md_table_init(pgd);
23424 + for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
23425 + pud = pud_offset(pgd, 0);
23426 + pmd = pmd_offset(pud, 0);
23427 +
23428 +#ifdef CONFIG_X86_PAE
23429 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
23430 +#endif
23431
23432 if (pfn >= end_pfn)
23433 continue;
23434 @@ -291,14 +297,13 @@ repeat:
23435 #endif
23436 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
23437 pmd++, pmd_idx++) {
23438 - unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
23439 + unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
23440
23441 /*
23442 * Map with big pages if possible, otherwise
23443 * create normal page tables:
23444 */
23445 if (use_pse) {
23446 - unsigned int addr2;
23447 pgprot_t prot = PAGE_KERNEL_LARGE;
23448 /*
23449 * first pass will use the same initial
23450 @@ -308,11 +313,7 @@ repeat:
23451 __pgprot(PTE_IDENT_ATTR |
23452 _PAGE_PSE);
23453
23454 - addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
23455 - PAGE_OFFSET + PAGE_SIZE-1;
23456 -
23457 - if (is_kernel_text(addr) ||
23458 - is_kernel_text(addr2))
23459 + if (is_kernel_text(address, address + PMD_SIZE))
23460 prot = PAGE_KERNEL_LARGE_EXEC;
23461
23462 pages_2m++;
23463 @@ -329,7 +330,7 @@ repeat:
23464 pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
23465 pte += pte_ofs;
23466 for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
23467 - pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
23468 + pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
23469 pgprot_t prot = PAGE_KERNEL;
23470 /*
23471 * first pass will use the same initial
23472 @@ -337,7 +338,7 @@ repeat:
23473 */
23474 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
23475
23476 - if (is_kernel_text(addr))
23477 + if (is_kernel_text(address, address + PAGE_SIZE))
23478 prot = PAGE_KERNEL_EXEC;
23479
23480 pages_4k++;
23481 @@ -489,7 +490,7 @@ void __init native_pagetable_setup_start
23482
23483 pud = pud_offset(pgd, va);
23484 pmd = pmd_offset(pud, va);
23485 - if (!pmd_present(*pmd))
23486 + if (!pmd_present(*pmd) || pmd_huge(*pmd))
23487 break;
23488
23489 pte = pte_offset_kernel(pmd, va);
23490 @@ -541,9 +542,7 @@ void __init early_ioremap_page_table_ran
23491
23492 static void __init pagetable_init(void)
23493 {
23494 - pgd_t *pgd_base = swapper_pg_dir;
23495 -
23496 - permanent_kmaps_init(pgd_base);
23497 + permanent_kmaps_init(swapper_pg_dir);
23498 }
23499
23500 #ifdef CONFIG_ACPI_SLEEP
23501 @@ -551,12 +550,12 @@ static void __init pagetable_init(void)
23502 * ACPI suspend needs this for resume, because things like the intel-agp
23503 * driver might have split up a kernel 4MB mapping.
23504 */
23505 -char swsusp_pg_dir[PAGE_SIZE]
23506 +pgd_t swsusp_pg_dir[PTRS_PER_PGD]
23507 __attribute__ ((aligned(PAGE_SIZE)));
23508
23509 static inline void save_pg_dir(void)
23510 {
23511 - memcpy(swsusp_pg_dir, swapper_pg_dir, PAGE_SIZE);
23512 + clone_pgd_range(swsusp_pg_dir, swapper_pg_dir, PTRS_PER_PGD);
23513 }
23514 #else /* !CONFIG_ACPI_SLEEP */
23515 static inline void save_pg_dir(void)
23516 @@ -588,7 +587,7 @@ void zap_low_mappings(bool early)
23517 flush_tlb_all();
23518 }
23519
23520 -pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
23521 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
23522 EXPORT_SYMBOL_GPL(__supported_pte_mask);
23523
23524 /* user-defined highmem size */
23525 @@ -777,7 +776,7 @@ void __init setup_bootmem_allocator(void
23526 * Initialize the boot-time allocator (with low memory only):
23527 */
23528 bootmap_size = bootmem_bootmap_pages(max_low_pfn)<<PAGE_SHIFT;
23529 - bootmap = find_e820_area(0, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,
23530 + bootmap = find_e820_area(0x100000, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,
23531 PAGE_SIZE);
23532 if (bootmap == -1L)
23533 panic("Cannot find bootmem map of size %ld\n", bootmap_size);
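Review bot: The new lower bound `0x100000` passed to find_e820_area() is an unexplained magic number, and the same 1MB boundary reappears as `start = 0x100000` in find_early_table_space() (arch/x86/mm/init.c) and as `pfn >= 0x100` in __ioremap_caller() (arch/x86/mm/ioremap.c). A reader cannot tell from any of these hunks that the three values are meant to stay in step, or why early allocations are being kept out of the first megabyte. Since the patch already uses `ISA_END_ADDRESS` in devmem_is_allowed(), I would write `find_e820_area(ISA_END_ADDRESS, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,` here (assuming that constant is the 1MB mark, as it is upstream) and add a one-line comment giving the reason. setup_bootmem_allocator() begins and ends outside this hunk.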
23534 @@ -864,6 +863,12 @@ void __init mem_init(void)
23535
23536 pci_iommu_alloc();
23537
23538 +#ifdef CONFIG_PAX_PER_CPU_PGD
23539 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
23540 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
23541 + KERNEL_PGD_PTRS);
23542 +#endif
23543 +
23544 #ifdef CONFIG_FLATMEM
23545 BUG_ON(!mem_map);
23546 #endif
23547 @@ -881,7 +886,7 @@ void __init mem_init(void)
23548 set_highmem_pages_init();
23549
23550 codesize = (unsigned long) &_etext - (unsigned long) &_text;
23551 - datasize = (unsigned long) &_edata - (unsigned long) &_etext;
23552 + datasize = (unsigned long) &_edata - (unsigned long) &_sdata;
23553 initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
23554
23555 printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
23556 @@ -923,10 +928,10 @@ void __init mem_init(void)
23557 ((unsigned long)&__init_end -
23558 (unsigned long)&__init_begin) >> 10,
23559
23560 - (unsigned long)&_etext, (unsigned long)&_edata,
23561 - ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
23562 + (unsigned long)&_sdata, (unsigned long)&_edata,
23563 + ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
23564
23565 - (unsigned long)&_text, (unsigned long)&_etext,
23566 + ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
23567 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
23568
23569 /*
23570 @@ -1007,6 +1012,7 @@ void set_kernel_text_rw(void)
23571 if (!kernel_set_to_readonly)
23572 return;
23573
23574 + start = ktla_ktva(start);
23575 pr_debug("Set kernel text: %lx - %lx for read write\n",
23576 start, start+size);
23577
23578 @@ -1021,6 +1027,7 @@ void set_kernel_text_ro(void)
23579 if (!kernel_set_to_readonly)
23580 return;
23581
23582 + start = ktla_ktva(start);
23583 pr_debug("Set kernel text: %lx - %lx for read only\n",
23584 start, start+size);
23585
23586 @@ -1032,6 +1039,7 @@ void mark_rodata_ro(void)
23587 unsigned long start = PFN_ALIGN(_text);
23588 unsigned long size = PFN_ALIGN(_etext) - start;
23589
23590 + start = ktla_ktva(start);
23591 set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
23592 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
23593 size >> 10);
23594 diff -urNp linux-2.6.32.49/arch/x86/mm/init_64.c linux-2.6.32.49/arch/x86/mm/init_64.c
23595 --- linux-2.6.32.49/arch/x86/mm/init_64.c 2011-11-08 19:02:43.000000000 -0500
23596 +++ linux-2.6.32.49/arch/x86/mm/init_64.c 2011-11-15 19:59:43.000000000 -0500
23597 @@ -164,7 +164,9 @@ void set_pte_vaddr_pud(pud_t *pud_page,
23598 pmd = fill_pmd(pud, vaddr);
23599 pte = fill_pte(pmd, vaddr);
23600
23601 + pax_open_kernel();
23602 set_pte(pte, new_pte);
23603 + pax_close_kernel();
23604
23605 /*
23606 * It's enough to flush this one mapping.
23607 @@ -223,14 +225,12 @@ static void __init __init_extra_mapping(
23608 pgd = pgd_offset_k((unsigned long)__va(phys));
23609 if (pgd_none(*pgd)) {
23610 pud = (pud_t *) spp_getpage();
23611 - set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
23612 - _PAGE_USER));
23613 + set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
23614 }
23615 pud = pud_offset(pgd, (unsigned long)__va(phys));
23616 if (pud_none(*pud)) {
23617 pmd = (pmd_t *) spp_getpage();
23618 - set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
23619 - _PAGE_USER));
23620 + set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
23621 }
23622 pmd = pmd_offset(pud, phys);
23623 BUG_ON(!pmd_none(*pmd));
23624 @@ -675,6 +675,12 @@ void __init mem_init(void)
23625
23626 pci_iommu_alloc();
23627
23628 +#ifdef CONFIG_PAX_PER_CPU_PGD
23629 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
23630 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
23631 + KERNEL_PGD_PTRS);
23632 +#endif
23633 +
23634 /* clear_bss() already clear the empty_zero_page */
23635
23636 reservedpages = 0;
23637 @@ -861,8 +867,8 @@ int kern_addr_valid(unsigned long addr)
23638 static struct vm_area_struct gate_vma = {
23639 .vm_start = VSYSCALL_START,
23640 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
23641 - .vm_page_prot = PAGE_READONLY_EXEC,
23642 - .vm_flags = VM_READ | VM_EXEC
23643 + .vm_page_prot = PAGE_READONLY,
23644 + .vm_flags = VM_READ
23645 };
23646
23647 struct vm_area_struct *get_gate_vma(struct task_struct *tsk)
23648 @@ -896,7 +902,7 @@ int in_gate_area_no_task(unsigned long a
23649
23650 const char *arch_vma_name(struct vm_area_struct *vma)
23651 {
23652 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
23653 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
23654 return "[vdso]";
23655 if (vma == &gate_vma)
23656 return "[vsyscall]";
23657 diff -urNp linux-2.6.32.49/arch/x86/mm/init.c linux-2.6.32.49/arch/x86/mm/init.c
23658 --- linux-2.6.32.49/arch/x86/mm/init.c 2011-11-08 19:02:43.000000000 -0500
23659 +++ linux-2.6.32.49/arch/x86/mm/init.c 2011-11-15 19:59:43.000000000 -0500
23660 @@ -69,11 +69,7 @@ static void __init find_early_table_spac
23661 * cause a hotspot and fill up ZONE_DMA. The page tables
23662 * need roughly 0.5KB per GB.
23663 */
23664 -#ifdef CONFIG_X86_32
23665 - start = 0x7000;
23666 -#else
23667 - start = 0x8000;
23668 -#endif
23669 + start = 0x100000;
23670 e820_table_start = find_e820_area(start, max_pfn_mapped<<PAGE_SHIFT,
23671 tables, PAGE_SIZE);
23672 if (e820_table_start == -1UL)
23673 @@ -147,7 +143,7 @@ unsigned long __init_refok init_memory_m
23674 #endif
23675
23676 set_nx();
23677 - if (nx_enabled)
23678 + if (nx_enabled && cpu_has_nx)
23679 printk(KERN_INFO "NX (Execute Disable) protection: active\n");
23680
23681 /* Enable PSE if available */
23682 @@ -329,10 +325,27 @@ unsigned long __init_refok init_memory_m
23683 * Access has to be given to non-kernel-ram areas as well, these contain the PCI
23684 * mmio resources as well as potential bios/acpi data regions.
23685 */
23686 +
23687 int devmem_is_allowed(unsigned long pagenr)
23688 {
23689 +#ifdef CONFIG_GRKERNSEC_KMEM
23690 + /* allow BDA */
23691 + if (!pagenr)
23692 + return 1;
23693 + /* allow EBDA */
23694 + if ((0x9f000 >> PAGE_SHIFT) == pagenr)
23695 + return 1;
23696 + /* allow ISA/video mem */
23697 + if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
23698 + return 1;
23699 + /* throw out everything else below 1MB */
23700 + if (pagenr <= 256)
23701 + return 0;
23702 +#else
23703 if (pagenr <= 256)
23704 return 1;
23705 +#endif
23706 +
23707 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
23708 return 0;
23709 if (!page_is_ram(pagenr))
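Review bot: The last CONFIG_GRKERNSEC_KMEM test, `if (pagenr <= 256) return 0;`, is commented "throw out everything else below 1MB", but with 4KB pages page 256 is the first page at 1MB rather than below it, so the comment and the bound disagree. If including that page is intentional (it mirrors the `pagenr <= 256` test in the `#else` branch), the comment should say so; otherwise the check should be `if (pagenr < 256)`. The EBDA test hard-codes `0x9f000`; a named constant with a note that this is an assumed location (firmware can place the EBDA elsewhere) would make the allow-list easier to audit. devmem_is_allowed() continues past the end of this hunk.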
23710 @@ -379,6 +392,86 @@ void free_init_pages(char *what, unsigne
23711
23712 void free_initmem(void)
23713 {
23714 +
23715 +#ifdef CONFIG_PAX_KERNEXEC
23716 +#ifdef CONFIG_X86_32
23717 + /* PaX: limit KERNEL_CS to actual size */
23718 + unsigned long addr, limit;
23719 + struct desc_struct d;
23720 + int cpu;
23721 +
23722 + limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
23723 + limit = (limit - 1UL) >> PAGE_SHIFT;
23724 +
23725 + memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
23726 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
23727 + pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
23728 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
23729 + }
23730 +
23731 + /* PaX: make KERNEL_CS read-only */
23732 + addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
23733 + if (!paravirt_enabled())
23734 + set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
23735 +/*
23736 + for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
23737 + pgd = pgd_offset_k(addr);
23738 + pud = pud_offset(pgd, addr);
23739 + pmd = pmd_offset(pud, addr);
23740 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
23741 + }
23742 +*/
23743 +#ifdef CONFIG_X86_PAE
23744 + set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
23745 +/*
23746 + for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
23747 + pgd = pgd_offset_k(addr);
23748 + pud = pud_offset(pgd, addr);
23749 + pmd = pmd_offset(pud, addr);
23750 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
23751 + }
23752 +*/
23753 +#endif
23754 +
23755 +#ifdef CONFIG_MODULES
23756 + set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
23757 +#endif
23758 +
23759 +#else
23760 + pgd_t *pgd;
23761 + pud_t *pud;
23762 + pmd_t *pmd;
23763 + unsigned long addr, end;
23764 +
23765 + /* PaX: make kernel code/rodata read-only, rest non-executable */
23766 + for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
23767 + pgd = pgd_offset_k(addr);
23768 + pud = pud_offset(pgd, addr);
23769 + pmd = pmd_offset(pud, addr);
23770 + if (!pmd_present(*pmd))
23771 + continue;
23772 + if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
23773 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
23774 + else
23775 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
23776 + }
23777 +
23778 + addr = (unsigned long)__va(__pa(__START_KERNEL_map));
23779 + end = addr + KERNEL_IMAGE_SIZE;
23780 + for (; addr < end; addr += PMD_SIZE) {
23781 + pgd = pgd_offset_k(addr);
23782 + pud = pud_offset(pgd, addr);
23783 + pmd = pmd_offset(pud, addr);
23784 + if (!pmd_present(*pmd))
23785 + continue;
23786 + if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
23787 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
23788 + }
23789 +#endif
23790 +
23791 + flush_tlb_all();
23792 +#endif
23793 +
23794 free_init_pages("unused kernel memory",
23795 (unsigned long)(&__init_begin),
23796 (unsigned long)(&__init_end));
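Review bot: In the 64-bit branch both loops change permissions one PMD at a time, so the test `(unsigned long)_text <= addr && addr < (unsigned long)_sdata` only gives the intended split if `_text` and `_sdata` are PMD_SIZE-aligned. A PMD that straddles `_sdata` would lose `_PAGE_RW` for the start of the data section as well, and one that straddles `_text` would fall into the `else` branch and get `_PAGE_NX` set over kernel code. The alignment is presumably guaranteed by the linker script, which is not visible here, so I would add `/* relies on _text and _sdata being PMD_SIZE aligned */` above the first loop, or a boot-time check. The two commented-out `set_pmd` loops in the 32-bit branch are dead code and should be dropped rather than shipped. free_initmem() continues after the hunk.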
23797 diff -urNp linux-2.6.32.49/arch/x86/mm/iomap_32.c linux-2.6.32.49/arch/x86/mm/iomap_32.c
23798 --- linux-2.6.32.49/arch/x86/mm/iomap_32.c 2011-11-08 19:02:43.000000000 -0500
23799 +++ linux-2.6.32.49/arch/x86/mm/iomap_32.c 2011-11-15 19:59:43.000000000 -0500
23800 @@ -65,7 +65,11 @@ void *kmap_atomic_prot_pfn(unsigned long
23801 debug_kmap_atomic(type);
23802 idx = type + KM_TYPE_NR * smp_processor_id();
23803 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
23804 +
23805 + pax_open_kernel();
23806 set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
23807 + pax_close_kernel();
23808 +
23809 arch_flush_lazy_mmu_mode();
23810
23811 return (void *)vaddr;
23812 diff -urNp linux-2.6.32.49/arch/x86/mm/ioremap.c linux-2.6.32.49/arch/x86/mm/ioremap.c
23813 --- linux-2.6.32.49/arch/x86/mm/ioremap.c 2011-11-08 19:02:43.000000000 -0500
23814 +++ linux-2.6.32.49/arch/x86/mm/ioremap.c 2011-11-15 19:59:43.000000000 -0500
23815 @@ -41,8 +41,8 @@ int page_is_ram(unsigned long pagenr)
23816 * Second special case: Some BIOSen report the PC BIOS
23817 * area (640->1Mb) as ram even though it is not.
23818 */
23819 - if (pagenr >= (BIOS_BEGIN >> PAGE_SHIFT) &&
23820 - pagenr < (BIOS_END >> PAGE_SHIFT))
23821 + if (pagenr >= (ISA_START_ADDRESS >> PAGE_SHIFT) &&
23822 + pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
23823 return 0;
23824
23825 for (i = 0; i < e820.nr_map; i++) {
23826 @@ -137,13 +137,10 @@ static void __iomem *__ioremap_caller(re
23827 /*
23828 * Don't allow anybody to remap normal RAM that we're using..
23829 */
23830 - for (pfn = phys_addr >> PAGE_SHIFT;
23831 - (pfn << PAGE_SHIFT) < (last_addr & PAGE_MASK);
23832 - pfn++) {
23833 -
23834 + for (pfn = phys_addr >> PAGE_SHIFT; ((resource_size_t)pfn << PAGE_SHIFT) < (last_addr & PAGE_MASK); pfn++) {
23835 int is_ram = page_is_ram(pfn);
23836
23837 - if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
23838 + if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
23839 return NULL;
23840 WARN_ON_ONCE(is_ram);
23841 }
23842 @@ -407,7 +404,7 @@ static int __init early_ioremap_debug_se
23843 early_param("early_ioremap_debug", early_ioremap_debug_setup);
23844
23845 static __initdata int after_paging_init;
23846 -static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
23847 +static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
23848
23849 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
23850 {
23851 @@ -439,8 +436,7 @@ void __init early_ioremap_init(void)
23852 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
23853
23854 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
23855 - memset(bm_pte, 0, sizeof(bm_pte));
23856 - pmd_populate_kernel(&init_mm, pmd, bm_pte);
23857 + pmd_populate_user(&init_mm, pmd, bm_pte);
23858
23859 /*
23860 * The boot-ioremap range spans multiple pmds, for which
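Review bot: Removing `memset(bm_pte, 0, sizeof(bm_pte));` makes early_ioremap_init() depend on bm_pte already being zero in the kernel image, and the previous hunk moves that array from `__page_aligned_bss` to `__read_only`; nothing in the code records this dependency. A comment at the call site such as `/* bm_pte is __read_only and zero-filled in the image; do not write it here */` would prevent someone from restoring the memset later. The change from pmd_populate_kernel() to pmd_populate_user() for a fixmap page table is also unexplained; judging by the name it installs the table with user-table flags, and the reason should be stated next to the call. The function begins and ends outside this hunk.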
23861 diff -urNp linux-2.6.32.49/arch/x86/mm/kmemcheck/kmemcheck.c linux-2.6.32.49/arch/x86/mm/kmemcheck/kmemcheck.c
23862 --- linux-2.6.32.49/arch/x86/mm/kmemcheck/kmemcheck.c 2011-11-08 19:02:43.000000000 -0500
23863 +++ linux-2.6.32.49/arch/x86/mm/kmemcheck/kmemcheck.c 2011-11-15 19:59:43.000000000 -0500
23864 @@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *reg
23865 * memory (e.g. tracked pages)? For now, we need this to avoid
23866 * invoking kmemcheck for PnP BIOS calls.
23867 */
23868 - if (regs->flags & X86_VM_MASK)
23869 + if (v8086_mode(regs))
23870 return false;
23871 - if (regs->cs != __KERNEL_CS)
23872 + if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
23873 return false;
23874
23875 pte = kmemcheck_pte_lookup(address);
23876 diff -urNp linux-2.6.32.49/arch/x86/mm/mmap.c linux-2.6.32.49/arch/x86/mm/mmap.c
23877 --- linux-2.6.32.49/arch/x86/mm/mmap.c 2011-11-08 19:02:43.000000000 -0500
23878 +++ linux-2.6.32.49/arch/x86/mm/mmap.c 2011-11-15 19:59:43.000000000 -0500
23879 @@ -49,7 +49,7 @@ static unsigned int stack_maxrandom_size
23880 * Leave an at least ~128 MB hole with possible stack randomization.
23881 */
23882 #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
23883 -#define MAX_GAP (TASK_SIZE/6*5)
23884 +#define MAX_GAP (pax_task_size/6*5)
23885
23886 /*
23887 * True on X86_32 or when emulating IA32 on X86_64
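Review bot: `#define MAX_GAP (pax_task_size/6*5)` now depends on a local variable named `pax_task_size` being in scope wherever the macro is expanded; the only definition visible is the one added to mmap_base() in the next hunk. A hidden capture like this fails to compile, or picks up an unrelated variable, as soon as the macro is used elsewhere. Making the dependency explicit avoids that: `#define MAX_GAP(task_size) ((task_size)/6*5)` with `else if (gap > MAX_GAP(pax_task_size))` in mmap_base().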
23888 @@ -94,27 +94,40 @@ static unsigned long mmap_rnd(void)
23889 return rnd << PAGE_SHIFT;
23890 }
23891
23892 -static unsigned long mmap_base(void)
23893 +static unsigned long mmap_base(struct mm_struct *mm)
23894 {
23895 unsigned long gap = current->signal->rlim[RLIMIT_STACK].rlim_cur;
23896 + unsigned long pax_task_size = TASK_SIZE;
23897 +
23898 +#ifdef CONFIG_PAX_SEGMEXEC
23899 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
23900 + pax_task_size = SEGMEXEC_TASK_SIZE;
23901 +#endif
23902
23903 if (gap < MIN_GAP)
23904 gap = MIN_GAP;
23905 else if (gap > MAX_GAP)
23906 gap = MAX_GAP;
23907
23908 - return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
23909 + return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
23910 }
23911
23912 /*
23913 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
23914 * does, but not when emulating X86_32
23915 */
23916 -static unsigned long mmap_legacy_base(void)
23917 +static unsigned long mmap_legacy_base(struct mm_struct *mm)
23918 {
23919 - if (mmap_is_ia32())
23920 + if (mmap_is_ia32()) {
23921 +
23922 +#ifdef CONFIG_PAX_SEGMEXEC
23923 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
23924 + return SEGMEXEC_TASK_UNMAPPED_BASE;
23925 + else
23926 +#endif
23927 +
23928 return TASK_UNMAPPED_BASE;
23929 - else
23930 + } else
23931 return TASK_UNMAPPED_BASE + mmap_rnd();
23932 }
23933
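Review bot: In mmap_legacy_base() the `else` inside `#ifdef CONFIG_PAX_SEGMEXEC` is left dangling, so the following `return TASK_UNMAPPED_BASE;` is its body when the option is enabled and a plain statement when it is not. This works but breaks silently if anyone inserts a statement after `#endif`. Because the `if` branch returns, the `else` can simply be removed, leaving `if (mm->pax_flags & MF_PAX_SEGMEXEC)` and `return SEGMEXEC_TASK_UNMAPPED_BASE;` as the whole conditional block.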
23934 @@ -125,11 +138,23 @@ static unsigned long mmap_legacy_base(vo
23935 void arch_pick_mmap_layout(struct mm_struct *mm)
23936 {
23937 if (mmap_is_legacy()) {
23938 - mm->mmap_base = mmap_legacy_base();
23939 + mm->mmap_base = mmap_legacy_base(mm);
23940 +
23941 +#ifdef CONFIG_PAX_RANDMMAP
23942 + if (mm->pax_flags & MF_PAX_RANDMMAP)
23943 + mm->mmap_base += mm->delta_mmap;
23944 +#endif
23945 +
23946 mm->get_unmapped_area = arch_get_unmapped_area;
23947 mm->unmap_area = arch_unmap_area;
23948 } else {
23949 - mm->mmap_base = mmap_base();
23950 + mm->mmap_base = mmap_base(mm);
23951 +
23952 +#ifdef CONFIG_PAX_RANDMMAP
23953 + if (mm->pax_flags & MF_PAX_RANDMMAP)
23954 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
23955 +#endif
23956 +
23957 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
23958 mm->unmap_area = arch_unmap_area_topdown;
23959 }
23960 diff -urNp linux-2.6.32.49/arch/x86/mm/mmio-mod.c linux-2.6.32.49/arch/x86/mm/mmio-mod.c
23961 --- linux-2.6.32.49/arch/x86/mm/mmio-mod.c 2011-11-08 19:02:43.000000000 -0500
23962 +++ linux-2.6.32.49/arch/x86/mm/mmio-mod.c 2011-11-15 19:59:43.000000000 -0500
23963 @@ -193,7 +193,7 @@ static void pre(struct kmmio_probe *p, s
23964 break;
23965 default:
23966 {
23967 - unsigned char *ip = (unsigned char *)instptr;
23968 + unsigned char *ip = (unsigned char *)ktla_ktva(instptr);
23969 my_trace->opcode = MMIO_UNKNOWN_OP;
23970 my_trace->width = 0;
23971 my_trace->value = (*ip) << 16 | *(ip + 1) << 8 |
23972 @@ -233,7 +233,7 @@ static void post(struct kmmio_probe *p,
23973 static void ioremap_trace_core(resource_size_t offset, unsigned long size,
23974 void __iomem *addr)
23975 {
23976 - static atomic_t next_id;
23977 + static atomic_unchecked_t next_id;
23978 struct remap_trace *trace = kmalloc(sizeof(*trace), GFP_KERNEL);
23979 /* These are page-unaligned. */
23980 struct mmiotrace_map map = {
23981 @@ -257,7 +257,7 @@ static void ioremap_trace_core(resource_
23982 .private = trace
23983 },
23984 .phys = offset,
23985 - .id = atomic_inc_return(&next_id)
23986 + .id = atomic_inc_return_unchecked(&next_id)
23987 };
23988 map.map_id = trace->id;
23989
23990 diff -urNp linux-2.6.32.49/arch/x86/mm/numa_32.c linux-2.6.32.49/arch/x86/mm/numa_32.c
23991 --- linux-2.6.32.49/arch/x86/mm/numa_32.c 2011-11-08 19:02:43.000000000 -0500
23992 +++ linux-2.6.32.49/arch/x86/mm/numa_32.c 2011-11-15 19:59:43.000000000 -0500
23993 @@ -98,7 +98,6 @@ unsigned long node_memmap_size_bytes(int
23994 }
23995 #endif
23996
23997 -extern unsigned long find_max_low_pfn(void);
23998 extern unsigned long highend_pfn, highstart_pfn;
23999
24000 #define LARGE_PAGE_BYTES (PTRS_PER_PTE * PAGE_SIZE)
24001 diff -urNp linux-2.6.32.49/arch/x86/mm/pageattr.c linux-2.6.32.49/arch/x86/mm/pageattr.c
24002 --- linux-2.6.32.49/arch/x86/mm/pageattr.c 2011-11-08 19:02:43.000000000 -0500
24003 +++ linux-2.6.32.49/arch/x86/mm/pageattr.c 2011-11-15 19:59:43.000000000 -0500
24004 @@ -261,16 +261,17 @@ static inline pgprot_t static_protection
24005 * PCI BIOS based config access (CONFIG_PCI_GOBIOS) support.
24006 */
24007 if (within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
24008 - pgprot_val(forbidden) |= _PAGE_NX;
24009 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
24010
24011 /*
24012 * The kernel text needs to be executable for obvious reasons
24013 * Does not cover __inittext since that is gone later on. On
24014 * 64bit we do not enforce !NX on the low mapping
24015 */
24016 - if (within(address, (unsigned long)_text, (unsigned long)_etext))
24017 - pgprot_val(forbidden) |= _PAGE_NX;
24018 + if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
24019 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
24020
24021 +#ifdef CONFIG_DEBUG_RODATA
24022 /*
24023 * The .rodata section needs to be read-only. Using the pfn
24024 * catches all aliases.
24025 @@ -278,6 +279,14 @@ static inline pgprot_t static_protection
24026 if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
24027 __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
24028 pgprot_val(forbidden) |= _PAGE_RW;
24029 +#endif
24030 +
24031 +#ifdef CONFIG_PAX_KERNEXEC
24032 + if (within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))) {
24033 + pgprot_val(forbidden) |= _PAGE_RW;
24034 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
24035 + }
24036 +#endif
24037
24038 prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
24039
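Review bot: The new CONFIG_PAX_KERNEXEC check compares a page frame number with byte addresses: `within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))` omits the `>> PAGE_SHIFT` that the `.rodata` check directly above applies to both bounds. As written, the range describes page frames far above the kernel image, so the physical alias of kernel text would not get `_PAGE_RW` forbidden and unrelated frames could. The bounds should be shifted, `if (within(pfn, __pa((unsigned long)&_text) >> PAGE_SHIFT, __pa((unsigned long)&_sdata) >> PAGE_SHIFT)) {`. static_protections() starts and ends outside this hunk.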
24040 @@ -331,23 +340,37 @@ EXPORT_SYMBOL_GPL(lookup_address);
24041 static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
24042 {
24043 /* change init_mm */
24044 + pax_open_kernel();
24045 set_pte_atomic(kpte, pte);
24046 +
24047 #ifdef CONFIG_X86_32
24048 if (!SHARED_KERNEL_PMD) {
24049 +
24050 +#ifdef CONFIG_PAX_PER_CPU_PGD
24051 + unsigned long cpu;
24052 +#else
24053 struct page *page;
24054 +#endif
24055
24056 +#ifdef CONFIG_PAX_PER_CPU_PGD
24057 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
24058 + pgd_t *pgd = get_cpu_pgd(cpu);
24059 +#else
24060 list_for_each_entry(page, &pgd_list, lru) {
24061 - pgd_t *pgd;
24062 + pgd_t *pgd = (pgd_t *)page_address(page);
24063 +#endif
24064 +
24065 pud_t *pud;
24066 pmd_t *pmd;
24067
24068 - pgd = (pgd_t *)page_address(page) + pgd_index(address);
24069 + pgd += pgd_index(address);
24070 pud = pud_offset(pgd, address);
24071 pmd = pmd_offset(pud, address);
24072 set_pte_atomic((pte_t *)pmd, pte);
24073 }
24074 }
24075 #endif
24076 + pax_close_kernel();
24077 }
24078
24079 static int
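Review bot: With CONFIG_PAX_PER_CPU_PGD the loop `for (cpu = 0; cpu < NR_CPUS; ++cpu)` calls get_cpu_pgd() for every index up to NR_CPUS rather than only for CPUs that exist. Whether get_cpu_pgd() returns a usable table for a CPU that was never brought up is not visible here, so either iterate with `for_each_possible_cpu(cpu)` or add a comment stating that all NR_CPUS tables are statically allocated. The same pattern appears in free_initmem() (arch/x86/mm/init.c), which rewrites get_cpu_gdt_table(cpu) for all NR_CPUS. Separately, the loop header is chosen by one `#ifdef` and its local declaration by another, so the braces only balance by convention; a small helper per configuration would be easier to read.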
24080 diff -urNp linux-2.6.32.49/arch/x86/mm/pageattr-test.c linux-2.6.32.49/arch/x86/mm/pageattr-test.c
24081 --- linux-2.6.32.49/arch/x86/mm/pageattr-test.c 2011-11-08 19:02:43.000000000 -0500
24082 +++ linux-2.6.32.49/arch/x86/mm/pageattr-test.c 2011-11-15 19:59:43.000000000 -0500
24083 @@ -36,7 +36,7 @@ enum {
24084
24085 static int pte_testbit(pte_t pte)
24086 {
24087 - return pte_flags(pte) & _PAGE_UNUSED1;
24088 + return pte_flags(pte) & _PAGE_CPA_TEST;
24089 }
24090
24091 struct split_state {
24092 diff -urNp linux-2.6.32.49/arch/x86/mm/pat.c linux-2.6.32.49/arch/x86/mm/pat.c
24093 --- linux-2.6.32.49/arch/x86/mm/pat.c 2011-11-08 19:02:43.000000000 -0500
24094 +++ linux-2.6.32.49/arch/x86/mm/pat.c 2011-11-15 19:59:43.000000000 -0500
24095 @@ -258,7 +258,7 @@ chk_conflict(struct memtype *new, struct
24096
24097 conflict:
24098 printk(KERN_INFO "%s:%d conflicting memory types "
24099 - "%Lx-%Lx %s<->%s\n", current->comm, current->pid, new->start,
24100 + "%Lx-%Lx %s<->%s\n", current->comm, task_pid_nr(current), new->start,
24101 new->end, cattr_name(new->type), cattr_name(entry->type));
24102 return -EBUSY;
24103 }
24104 @@ -559,7 +559,7 @@ unlock_ret:
24105
24106 if (err) {
24107 printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n",
24108 - current->comm, current->pid, start, end);
24109 + current->comm, task_pid_nr(current), start, end);
24110 }
24111
24112 dprintk("free_memtype request 0x%Lx-0x%Lx\n", start, end);
24113 @@ -689,8 +689,8 @@ static inline int range_is_allowed(unsig
24114 while (cursor < to) {
24115 if (!devmem_is_allowed(pfn)) {
24116 printk(KERN_INFO
24117 - "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
24118 - current->comm, from, to);
24119 + "Program %s tried to access /dev/mem between %Lx->%Lx (%Lx).\n",
24120 + current->comm, from, to, cursor);
24121 return 0;
24122 }
24123 cursor += PAGE_SIZE;
24124 @@ -755,7 +755,7 @@ int kernel_map_sync_memtype(u64 base, un
24125 printk(KERN_INFO
24126 "%s:%d ioremap_change_attr failed %s "
24127 "for %Lx-%Lx\n",
24128 - current->comm, current->pid,
24129 + current->comm, task_pid_nr(current),
24130 cattr_name(flags),
24131 base, (unsigned long long)(base + size));
24132 return -EINVAL;
24133 @@ -813,7 +813,7 @@ static int reserve_pfn_range(u64 paddr,
24134 free_memtype(paddr, paddr + size);
24135 printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
24136 " for %Lx-%Lx, got %s\n",
24137 - current->comm, current->pid,
24138 + current->comm, task_pid_nr(current),
24139 cattr_name(want_flags),
24140 (unsigned long long)paddr,
24141 (unsigned long long)(paddr + size),
24142 diff -urNp linux-2.6.32.49/arch/x86/mm/pf_in.c linux-2.6.32.49/arch/x86/mm/pf_in.c
24143 --- linux-2.6.32.49/arch/x86/mm/pf_in.c 2011-11-08 19:02:43.000000000 -0500
24144 +++ linux-2.6.32.49/arch/x86/mm/pf_in.c 2011-11-15 19:59:43.000000000 -0500
24145 @@ -148,7 +148,7 @@ enum reason_type get_ins_type(unsigned l
24146 int i;
24147 enum reason_type rv = OTHERS;
24148
24149 - p = (unsigned char *)ins_addr;
24150 + p = (unsigned char *)ktla_ktva(ins_addr);
24151 p += skip_prefix(p, &prf);
24152 p += get_opcode(p, &opcode);
24153
24154 @@ -168,7 +168,7 @@ static unsigned int get_ins_reg_width(un
24155 struct prefix_bits prf;
24156 int i;
24157
24158 - p = (unsigned char *)ins_addr;
24159 + p = (unsigned char *)ktla_ktva(ins_addr);
24160 p += skip_prefix(p, &prf);
24161 p += get_opcode(p, &opcode);
24162
24163 @@ -191,7 +191,7 @@ unsigned int get_ins_mem_width(unsigned
24164 struct prefix_bits prf;
24165 int i;
24166
24167 - p = (unsigned char *)ins_addr;
24168 + p = (unsigned char *)ktla_ktva(ins_addr);
24169 p += skip_prefix(p, &prf);
24170 p += get_opcode(p, &opcode);
24171
24172 @@ -417,7 +417,7 @@ unsigned long get_ins_reg_val(unsigned l
24173 int i;
24174 unsigned long rv;
24175
24176 - p = (unsigned char *)ins_addr;
24177 + p = (unsigned char *)ktla_ktva(ins_addr);
24178 p += skip_prefix(p, &prf);
24179 p += get_opcode(p, &opcode);
24180 for (i = 0; i < ARRAY_SIZE(reg_rop); i++)
24181 @@ -472,7 +472,7 @@ unsigned long get_ins_imm_val(unsigned l
24182 int i;
24183 unsigned long rv;
24184
24185 - p = (unsigned char *)ins_addr;
24186 + p = (unsigned char *)ktla_ktva(ins_addr);
24187 p += skip_prefix(p, &prf);
24188 p += get_opcode(p, &opcode);
24189 for (i = 0; i < ARRAY_SIZE(imm_wop); i++)
24190 diff -urNp linux-2.6.32.49/arch/x86/mm/pgtable_32.c linux-2.6.32.49/arch/x86/mm/pgtable_32.c
24191 --- linux-2.6.32.49/arch/x86/mm/pgtable_32.c 2011-11-08 19:02:43.000000000 -0500
24192 +++ linux-2.6.32.49/arch/x86/mm/pgtable_32.c 2011-11-15 19:59:43.000000000 -0500
24193 @@ -49,10 +49,13 @@ void set_pte_vaddr(unsigned long vaddr,
24194 return;
24195 }
24196 pte = pte_offset_kernel(pmd, vaddr);
24197 +
24198 + pax_open_kernel();
24199 if (pte_val(pteval))
24200 set_pte_at(&init_mm, vaddr, pte, pteval);
24201 else
24202 pte_clear(&init_mm, vaddr, pte);
24203 + pax_close_kernel();
24204
24205 /*
24206 * It's enough to flush this one mapping.
24207 diff -urNp linux-2.6.32.49/arch/x86/mm/pgtable.c linux-2.6.32.49/arch/x86/mm/pgtable.c
24208 --- linux-2.6.32.49/arch/x86/mm/pgtable.c 2011-11-08 19:02:43.000000000 -0500
24209 +++ linux-2.6.32.49/arch/x86/mm/pgtable.c 2011-11-15 19:59:43.000000000 -0500
24210 @@ -83,9 +83,52 @@ static inline void pgd_list_del(pgd_t *p
24211 list_del(&page->lru);
24212 }
24213
24214 -#define UNSHARED_PTRS_PER_PGD \
24215 - (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
24216 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
24217 +pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
24218
24219 +void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count)
24220 +{
24221 + while (count--)
24222 + *dst++ = __pgd((pgd_val(*src++) | (_PAGE_NX & __supported_pte_mask)) & ~_PAGE_USER);
24223 +}
24224 +#endif
24225 +
24226 +#ifdef CONFIG_PAX_PER_CPU_PGD
24227 +void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count)
24228 +{
24229 + while (count--)
24230 +
24231 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
24232 + *dst++ = __pgd(pgd_val(*src++) & clone_pgd_mask);
24233 +#else
24234 + *dst++ = *src++;
24235 +#endif
24236 +
24237 +}
24238 +#endif
24239 +
24240 +#ifdef CONFIG_X86_64
24241 +#define pxd_t pud_t
24242 +#define pyd_t pgd_t
24243 +#define paravirt_release_pxd(pfn) paravirt_release_pud(pfn)
24244 +#define pxd_free(mm, pud) pud_free((mm), (pud))
24245 +#define pyd_populate(mm, pgd, pud) pgd_populate((mm), (pgd), (pud))
24246 +#define pyd_offset(mm ,address) pgd_offset((mm), (address))
24247 +#define PYD_SIZE PGDIR_SIZE
24248 +#else
24249 +#define pxd_t pmd_t
24250 +#define pyd_t pud_t
24251 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
24252 +#define pxd_free(mm, pud) pmd_free((mm), (pud))
24253 +#define pyd_populate(mm, pgd, pud) pud_populate((mm), (pgd), (pud))
24254 +#define pyd_offset(mm ,address) pud_offset((mm), (address))
24255 +#define PYD_SIZE PUD_SIZE
24256 +#endif
24257 +
24258 +#ifdef CONFIG_PAX_PER_CPU_PGD
24259 +static inline void pgd_ctor(pgd_t *pgd) {}
24260 +static inline void pgd_dtor(pgd_t *pgd) {}
24261 +#else
24262 static void pgd_ctor(pgd_t *pgd)
24263 {
24264 /* If the pgd points to a shared pagetable level (either the
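Review bot: The new helpers __shadow_user_pgds() and __clone_user_pgds() carry no comment although each rewrites permission bits in the entries it copies: the first sets `_PAGE_NX` (where supported) and clears `_PAGE_USER`, the second masks each entry with `clone_pgd_mask`, which is initialised to `~_PAGE_PRESENT`. A short header comment on each, stating which bits change and what the copy is used for, would help anyone auditing the user/kernel page-table separation. Both take a signed `int count` and loop on `while (count--)`, so a negative count would not stop at zero; `unsigned int count` or an early `if (count <= 0) return;` closes that off. In __clone_user_pgds() the `while` body is selected by `#if` with a blank line in between, which would be clearer with braces around it.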
24265 @@ -119,6 +162,7 @@ static void pgd_dtor(pgd_t *pgd)
24266 pgd_list_del(pgd);
24267 spin_unlock_irqrestore(&pgd_lock, flags);
24268 }
24269 +#endif
24270
24271 /*
24272 * List of all pgd's needed for non-PAE so it can invalidate entries
24273 @@ -131,7 +175,7 @@ static void pgd_dtor(pgd_t *pgd)
24274 * -- wli
24275 */
24276
24277 -#ifdef CONFIG_X86_PAE
24278 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
24279 /*
24280 * In PAE mode, we need to do a cr3 reload (=tlb flush) when
24281 * updating the top-level pagetable entries to guarantee the
24282 @@ -143,7 +187,7 @@ static void pgd_dtor(pgd_t *pgd)
24283 * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
24284 * and initialize the kernel pmds here.
24285 */
24286 -#define PREALLOCATED_PMDS UNSHARED_PTRS_PER_PGD
24287 +#define PREALLOCATED_PXDS (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
24288
24289 void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
24290 {
24291 @@ -161,36 +205,38 @@ void pud_populate(struct mm_struct *mm,
24292 */
24293 flush_tlb_mm(mm);
24294 }
24295 +#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)
24296 +#define PREALLOCATED_PXDS USER_PGD_PTRS
24297 #else /* !CONFIG_X86_PAE */
24298
24299 /* No need to prepopulate any pagetable entries in non-PAE modes. */
24300 -#define PREALLOCATED_PMDS 0
24301 +#define PREALLOCATED_PXDS 0
24302
24303 #endif /* CONFIG_X86_PAE */
24304
24305 -static void free_pmds(pmd_t *pmds[])
24306 +static void free_pxds(pxd_t *pxds[])
24307 {
24308 int i;
24309
24310 - for(i = 0; i < PREALLOCATED_PMDS; i++)
24311 - if (pmds[i])
24312 - free_page((unsigned long)pmds[i]);
24313 + for(i = 0; i < PREALLOCATED_PXDS; i++)
24314 + if (pxds[i])
24315 + free_page((unsigned long)pxds[i]);
24316 }
24317
24318 -static int preallocate_pmds(pmd_t *pmds[])
24319 +static int preallocate_pxds(pxd_t *pxds[])
24320 {
24321 int i;
24322 bool failed = false;
24323
24324 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
24325 - pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP);
24326 - if (pmd == NULL)
24327 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
24328 + pxd_t *pxd = (pxd_t *)__get_free_page(PGALLOC_GFP);
24329 + if (pxd == NULL)
24330 failed = true;
24331 - pmds[i] = pmd;
24332 + pxds[i] = pxd;
24333 }
24334
24335 if (failed) {
24336 - free_pmds(pmds);
24337 + free_pxds(pxds);
24338 return -ENOMEM;
24339 }
24340
24341 @@ -203,51 +249,56 @@ static int preallocate_pmds(pmd_t *pmds[
24342 * preallocate which never got a corresponding vma will need to be
24343 * freed manually.
24344 */
24345 -static void pgd_mop_up_pmds(struct mm_struct *mm, pgd_t *pgdp)
24346 +static void pgd_mop_up_pxds(struct mm_struct *mm, pgd_t *pgdp)
24347 {
24348 int i;
24349
24350 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
24351 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
24352 pgd_t pgd = pgdp[i];
24353
24354 if (pgd_val(pgd) != 0) {
24355 - pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd);
24356 + pxd_t *pxd = (pxd_t *)pgd_page_vaddr(pgd);
24357
24358 - pgdp[i] = native_make_pgd(0);
24359 + set_pgd(pgdp + i, native_make_pgd(0));
24360
24361 - paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT);
24362 - pmd_free(mm, pmd);
24363 + paravirt_release_pxd(pgd_val(pgd) >> PAGE_SHIFT);
24364 + pxd_free(mm, pxd);
24365 }
24366 }
24367 }
24368
24369 -static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[])
24370 +static void pgd_prepopulate_pxd(struct mm_struct *mm, pgd_t *pgd, pxd_t *pxds[])
24371 {
24372 - pud_t *pud;
24373 + pyd_t *pyd;
24374 unsigned long addr;
24375 int i;
24376
24377 - if (PREALLOCATED_PMDS == 0) /* Work around gcc-3.4.x bug */
24378 + if (PREALLOCATED_PXDS == 0) /* Work around gcc-3.4.x bug */
24379 return;
24380
24381 - pud = pud_offset(pgd, 0);
24382 +#ifdef CONFIG_X86_64
24383 + pyd = pyd_offset(mm, 0L);
24384 +#else
24385 + pyd = pyd_offset(pgd, 0L);
24386 +#endif
24387
24388 - for (addr = i = 0; i < PREALLOCATED_PMDS;
24389 - i++, pud++, addr += PUD_SIZE) {
24390 - pmd_t *pmd = pmds[i];
24391 + for (addr = i = 0; i < PREALLOCATED_PXDS;
24392 + i++, pyd++, addr += PYD_SIZE) {
24393 + pxd_t *pxd = pxds[i];
24394
24395 if (i >= KERNEL_PGD_BOUNDARY)
24396 - memcpy(pmd, (pmd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
24397 - sizeof(pmd_t) * PTRS_PER_PMD);
24398 + memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
24399 + sizeof(pxd_t) * PTRS_PER_PMD);
24400
24401 - pud_populate(mm, pud, pmd);
24402 + pyd_populate(mm, pyd, pxd);
24403 }
24404 }
24405
24406 pgd_t *pgd_alloc(struct mm_struct *mm)
24407 {
24408 pgd_t *pgd;
24409 - pmd_t *pmds[PREALLOCATED_PMDS];
24410 + pxd_t *pxds[PREALLOCATED_PXDS];
24411 +
24412 unsigned long flags;
24413
24414 pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
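Review bot: In `pgd_prepopulate_pxd` the copy size is still `sizeof(pxd_t) * PTRS_PER_PMD` although the element type was generalised to `pxd_t`. The count should follow the type through an alias defined next to `pxd_t`, or the line needs a comment stating that both levels have the same number of entries. The same generalisation turns `pxd_t *pxds[PREALLOCATED_PXDS]` in `pgd_alloc` into an on-stack array of `USER_PGD_PTRS` pointers in the per-CPU-PGD x86_64 build. The value of `USER_PGD_PTRS` is not visible here, so the kernel-stack cost should be checked and recorded in a comment. `pgd_alloc` continues outside this hunk.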
24415 @@ -257,11 +308,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
24416
24417 mm->pgd = pgd;
24418
24419 - if (preallocate_pmds(pmds) != 0)
24420 + if (preallocate_pxds(pxds) != 0)
24421 goto out_free_pgd;
24422
24423 if (paravirt_pgd_alloc(mm) != 0)
24424 - goto out_free_pmds;
24425 + goto out_free_pxds;
24426
24427 /*
24428 * Make sure that pre-populating the pmds is atomic with
24429 @@ -271,14 +322,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
24430 spin_lock_irqsave(&pgd_lock, flags);
24431
24432 pgd_ctor(pgd);
24433 - pgd_prepopulate_pmd(mm, pgd, pmds);
24434 + pgd_prepopulate_pxd(mm, pgd, pxds);
24435
24436 spin_unlock_irqrestore(&pgd_lock, flags);
24437
24438 return pgd;
24439
24440 -out_free_pmds:
24441 - free_pmds(pmds);
24442 +out_free_pxds:
24443 + free_pxds(pxds);
24444 out_free_pgd:
24445 free_page((unsigned long)pgd);
24446 out:
24447 @@ -287,7 +338,7 @@ out:
24448
24449 void pgd_free(struct mm_struct *mm, pgd_t *pgd)
24450 {
24451 - pgd_mop_up_pmds(mm, pgd);
24452 + pgd_mop_up_pxds(mm, pgd);
24453 pgd_dtor(pgd);
24454 paravirt_pgd_free(mm, pgd);
24455 free_page((unsigned long)pgd);
24456 diff -urNp linux-2.6.32.49/arch/x86/mm/setup_nx.c linux-2.6.32.49/arch/x86/mm/setup_nx.c
24457 --- linux-2.6.32.49/arch/x86/mm/setup_nx.c 2011-11-08 19:02:43.000000000 -0500
24458 +++ linux-2.6.32.49/arch/x86/mm/setup_nx.c 2011-11-15 19:59:43.000000000 -0500
24459 @@ -4,11 +4,10 @@
24460
24461 #include <asm/pgtable.h>
24462
24463 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
24464 int nx_enabled;
24465
24466 -#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
24467 -static int disable_nx __cpuinitdata;
24468 -
24469 +#ifndef CONFIG_PAX_PAGEEXEC
24470 /*
24471 * noexec = on|off
24472 *
24473 @@ -22,32 +21,26 @@ static int __init noexec_setup(char *str
24474 if (!str)
24475 return -EINVAL;
24476 if (!strncmp(str, "on", 2)) {
24477 - __supported_pte_mask |= _PAGE_NX;
24478 - disable_nx = 0;
24479 + nx_enabled = 1;
24480 } else if (!strncmp(str, "off", 3)) {
24481 - disable_nx = 1;
24482 - __supported_pte_mask &= ~_PAGE_NX;
24483 + nx_enabled = 0;
24484 }
24485 return 0;
24486 }
24487 early_param("noexec", noexec_setup);
24488 #endif
24489 +#endif
24490
24491 #ifdef CONFIG_X86_PAE
24492 void __init set_nx(void)
24493 {
24494 - unsigned int v[4], l, h;
24495 + if (!nx_enabled && cpu_has_nx) {
24496 + unsigned l, h;
24497
24498 - if (cpu_has_pae && (cpuid_eax(0x80000000) > 0x80000001)) {
24499 - cpuid(0x80000001, &v[0], &v[1], &v[2], &v[3]);
24500 -
24501 - if ((v[3] & (1 << 20)) && !disable_nx) {
24502 - rdmsr(MSR_EFER, l, h);
24503 - l |= EFER_NX;
24504 - wrmsr(MSR_EFER, l, h);
24505 - nx_enabled = 1;
24506 - __supported_pte_mask |= _PAGE_NX;
24507 - }
24508 + __supported_pte_mask &= ~_PAGE_NX;
24509 + rdmsr(MSR_EFER, l, h);
24510 + l &= ~EFER_NX;
24511 + wrmsr(MSR_EFER, l, h);
24512 }
24513 }
24514 #else
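Review bot: `set_nx()` now clears `_PAGE_NX` and `EFER_NX` whenever `nx_enabled` is zero on an NX-capable CPU, and `nx_enabled` is a plain `int` with no initialiser in this file. Nothing visible sets it except `noexec=on`, and `noexec_setup` is compiled out under `CONFIG_PAX_PAGEEXEC`. Presumably early boot code elsewhere in the patch sets the flag, but the function gives no hint of that. I would add above it `/* nx_enabled is set by early boot code when EFER.NX was enabled (location to be filled in by the author); only the disable case is handled here */`. `check_efer()` in the last hunk of this file also reads `nx_enabled`, whose definition here is now limited to 32-bit PAE, so the declaration it relies on should be referenced too.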
24515 @@ -62,7 +55,7 @@ void __cpuinit check_efer(void)
24516 unsigned long efer;
24517
24518 rdmsrl(MSR_EFER, efer);
24519 - if (!(efer & EFER_NX) || disable_nx)
24520 + if (!(efer & EFER_NX) || !nx_enabled)
24521 __supported_pte_mask &= ~_PAGE_NX;
24522 }
24523 #endif
24524 diff -urNp linux-2.6.32.49/arch/x86/mm/tlb.c linux-2.6.32.49/arch/x86/mm/tlb.c
24525 --- linux-2.6.32.49/arch/x86/mm/tlb.c 2011-11-08 19:02:43.000000000 -0500
24526 +++ linux-2.6.32.49/arch/x86/mm/tlb.c 2011-11-15 19:59:43.000000000 -0500
24527 @@ -61,7 +61,11 @@ void leave_mm(int cpu)
24528 BUG();
24529 cpumask_clear_cpu(cpu,
24530 mm_cpumask(percpu_read(cpu_tlbstate.active_mm)));
24531 +
24532 +#ifndef CONFIG_PAX_PER_CPU_PGD
24533 load_cr3(swapper_pg_dir);
24534 +#endif
24535 +
24536 }
24537 EXPORT_SYMBOL_GPL(leave_mm);
24538
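Review bot: The `#ifndef CONFIG_PAX_PER_CPU_PGD` around `load_cr3(swapper_pg_dir)` in `leave_mm()` has no comment explaining why the switch away from the lazy mm's page tables can be skipped. Presumably CR3 then points at a per-CPU page directory rather than at `mm->pgd`, but this file does not show what removes the departing mm's user entries from that directory. A comment such as `/* per-CPU PGD: CR3 never references mm->pgd; user entries are cleared by the code that switches mm (confirm where) */` would record the invariant this relies on. The blank line added before the closing brace can be dropped.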
24539 diff -urNp linux-2.6.32.49/arch/x86/oprofile/backtrace.c linux-2.6.32.49/arch/x86/oprofile/backtrace.c
24540 --- linux-2.6.32.49/arch/x86/oprofile/backtrace.c 2011-11-08 19:02:43.000000000 -0500
24541 +++ linux-2.6.32.49/arch/x86/oprofile/backtrace.c 2011-11-15 19:59:43.000000000 -0500
24542 @@ -57,7 +57,7 @@ static struct frame_head *dump_user_back
24543 struct frame_head bufhead[2];
24544
24545 /* Also check accessibility of one struct frame_head beyond */
24546 - if (!access_ok(VERIFY_READ, head, sizeof(bufhead)))
24547 + if (!__access_ok(VERIFY_READ, head, sizeof(bufhead)))
24548 return NULL;
24549 if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead)))
24550 return NULL;
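Review bot: The switch from `access_ok` to `__access_ok` in `dump_user_backtrace` is unexplained, and the double-underscore variant is defined elsewhere in the patch, so what it checks is not visible here. The range check is the only validation of `head` before `__copy_from_user_inatomic`. A comment should therefore say why the plain macro is unsuitable in this (apparently atomic) context, and confirm that `__access_ok` still enforces the user address limit. The `user_mode_vm` to `user_mode` change in the next hunk deserves the same one-line justification.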
24551 @@ -77,7 +77,7 @@ x86_backtrace(struct pt_regs * const reg
24552 {
24553 struct frame_head *head = (struct frame_head *)frame_pointer(regs);
24554
24555 - if (!user_mode_vm(regs)) {
24556 + if (!user_mode(regs)) {
24557 unsigned long stack = kernel_stack_pointer(regs);
24558 if (depth)
24559 dump_trace(NULL, regs, (unsigned long *)stack, 0,
24560 diff -urNp linux-2.6.32.49/arch/x86/oprofile/op_model_p4.c linux-2.6.32.49/arch/x86/oprofile/op_model_p4.c
24561 --- linux-2.6.32.49/arch/x86/oprofile/op_model_p4.c 2011-11-08 19:02:43.000000000 -0500
24562 +++ linux-2.6.32.49/arch/x86/oprofile/op_model_p4.c 2011-11-15 19:59:43.000000000 -0500
24563 @@ -50,7 +50,7 @@ static inline void setup_num_counters(vo
24564 #endif
24565 }
24566
24567 -static int inline addr_increment(void)
24568 +static inline int addr_increment(void)
24569 {
24570 #ifdef CONFIG_SMP
24571 return smp_num_siblings == 2 ? 2 : 1;
24572 diff -urNp linux-2.6.32.49/arch/x86/pci/common.c linux-2.6.32.49/arch/x86/pci/common.c
24573 --- linux-2.6.32.49/arch/x86/pci/common.c 2011-11-08 19:02:43.000000000 -0500
24574 +++ linux-2.6.32.49/arch/x86/pci/common.c 2011-11-15 19:59:43.000000000 -0500
24575 @@ -31,8 +31,8 @@ int noioapicreroute = 1;
24576 int pcibios_last_bus = -1;
24577 unsigned long pirq_table_addr;
24578 struct pci_bus *pci_root_bus;
24579 -struct pci_raw_ops *raw_pci_ops;
24580 -struct pci_raw_ops *raw_pci_ext_ops;
24581 +const struct pci_raw_ops *raw_pci_ops;
24582 +const struct pci_raw_ops *raw_pci_ext_ops;
24583
24584 int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn,
24585 int reg, int len, u32 *val)
24586 diff -urNp linux-2.6.32.49/arch/x86/pci/direct.c linux-2.6.32.49/arch/x86/pci/direct.c
24587 --- linux-2.6.32.49/arch/x86/pci/direct.c 2011-11-08 19:02:43.000000000 -0500
24588 +++ linux-2.6.32.49/arch/x86/pci/direct.c 2011-11-15 19:59:43.000000000 -0500
24589 @@ -79,7 +79,7 @@ static int pci_conf1_write(unsigned int
24590
24591 #undef PCI_CONF1_ADDRESS
24592
24593 -struct pci_raw_ops pci_direct_conf1 = {
24594 +const struct pci_raw_ops pci_direct_conf1 = {
24595 .read = pci_conf1_read,
24596 .write = pci_conf1_write,
24597 };
24598 @@ -173,7 +173,7 @@ static int pci_conf2_write(unsigned int
24599
24600 #undef PCI_CONF2_ADDRESS
24601
24602 -struct pci_raw_ops pci_direct_conf2 = {
24603 +const struct pci_raw_ops pci_direct_conf2 = {
24604 .read = pci_conf2_read,
24605 .write = pci_conf2_write,
24606 };
24607 @@ -189,7 +189,7 @@ struct pci_raw_ops pci_direct_conf2 = {
24608 * This should be close to trivial, but it isn't, because there are buggy
24609 * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID.
24610 */
24611 -static int __init pci_sanity_check(struct pci_raw_ops *o)
24612 +static int __init pci_sanity_check(const struct pci_raw_ops *o)
24613 {
24614 u32 x = 0;
24615 int year, devfn;
24616 diff -urNp linux-2.6.32.49/arch/x86/pci/mmconfig_32.c linux-2.6.32.49/arch/x86/pci/mmconfig_32.c
24617 --- linux-2.6.32.49/arch/x86/pci/mmconfig_32.c 2011-11-08 19:02:43.000000000 -0500
24618 +++ linux-2.6.32.49/arch/x86/pci/mmconfig_32.c 2011-11-15 19:59:43.000000000 -0500
24619 @@ -125,7 +125,7 @@ static int pci_mmcfg_write(unsigned int
24620 return 0;
24621 }
24622
24623 -static struct pci_raw_ops pci_mmcfg = {
24624 +static const struct pci_raw_ops pci_mmcfg = {
24625 .read = pci_mmcfg_read,
24626 .write = pci_mmcfg_write,
24627 };
24628 diff -urNp linux-2.6.32.49/arch/x86/pci/mmconfig_64.c linux-2.6.32.49/arch/x86/pci/mmconfig_64.c
24629 --- linux-2.6.32.49/arch/x86/pci/mmconfig_64.c 2011-11-08 19:02:43.000000000 -0500
24630 +++ linux-2.6.32.49/arch/x86/pci/mmconfig_64.c 2011-11-15 19:59:43.000000000 -0500
24631 @@ -104,7 +104,7 @@ static int pci_mmcfg_write(unsigned int
24632 return 0;
24633 }
24634
24635 -static struct pci_raw_ops pci_mmcfg = {
24636 +static const struct pci_raw_ops pci_mmcfg = {
24637 .read = pci_mmcfg_read,
24638 .write = pci_mmcfg_write,
24639 };
24640 diff -urNp linux-2.6.32.49/arch/x86/pci/numaq_32.c linux-2.6.32.49/arch/x86/pci/numaq_32.c
24641 --- linux-2.6.32.49/arch/x86/pci/numaq_32.c 2011-11-08 19:02:43.000000000 -0500
24642 +++ linux-2.6.32.49/arch/x86/pci/numaq_32.c 2011-11-15 19:59:43.000000000 -0500
24643 @@ -112,7 +112,7 @@ static int pci_conf1_mq_write(unsigned i
24644
24645 #undef PCI_CONF1_MQ_ADDRESS
24646
24647 -static struct pci_raw_ops pci_direct_conf1_mq = {
24648 +static const struct pci_raw_ops pci_direct_conf1_mq = {
24649 .read = pci_conf1_mq_read,
24650 .write = pci_conf1_mq_write
24651 };
24652 diff -urNp linux-2.6.32.49/arch/x86/pci/olpc.c linux-2.6.32.49/arch/x86/pci/olpc.c
24653 --- linux-2.6.32.49/arch/x86/pci/olpc.c 2011-11-08 19:02:43.000000000 -0500
24654 +++ linux-2.6.32.49/arch/x86/pci/olpc.c 2011-11-15 19:59:43.000000000 -0500
24655 @@ -297,7 +297,7 @@ static int pci_olpc_write(unsigned int s
24656 return 0;
24657 }
24658
24659 -static struct pci_raw_ops pci_olpc_conf = {
24660 +static const struct pci_raw_ops pci_olpc_conf = {
24661 .read = pci_olpc_read,
24662 .write = pci_olpc_write,
24663 };
24664 diff -urNp linux-2.6.32.49/arch/x86/pci/pcbios.c linux-2.6.32.49/arch/x86/pci/pcbios.c
24665 --- linux-2.6.32.49/arch/x86/pci/pcbios.c 2011-11-08 19:02:43.000000000 -0500
24666 +++ linux-2.6.32.49/arch/x86/pci/pcbios.c 2011-11-15 19:59:43.000000000 -0500
24667 @@ -56,50 +56,93 @@ union bios32 {
24668 static struct {
24669 unsigned long address;
24670 unsigned short segment;
24671 -} bios32_indirect = { 0, __KERNEL_CS };
24672 +} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
24673
24674 /*
24675 * Returns the entry point for the given service, NULL on error
24676 */
24677
24678 -static unsigned long bios32_service(unsigned long service)
24679 +static unsigned long __devinit bios32_service(unsigned long service)
24680 {
24681 unsigned char return_code; /* %al */
24682 unsigned long address; /* %ebx */
24683 unsigned long length; /* %ecx */
24684 unsigned long entry; /* %edx */
24685 unsigned long flags;
24686 + struct desc_struct d, *gdt;
24687
24688 local_irq_save(flags);
24689 - __asm__("lcall *(%%edi); cld"
24690 +
24691 + gdt = get_cpu_gdt_table(smp_processor_id());
24692 +
24693 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
24694 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
24695 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
24696 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
24697 +
24698 + __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
24699 : "=a" (return_code),
24700 "=b" (address),
24701 "=c" (length),
24702 "=d" (entry)
24703 : "0" (service),
24704 "1" (0),
24705 - "D" (&bios32_indirect));
24706 + "D" (&bios32_indirect),
24707 + "r"(__PCIBIOS_DS)
24708 + : "memory");
24709 +
24710 + pax_open_kernel();
24711 + gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
24712 + gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
24713 + gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
24714 + gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
24715 + pax_close_kernel();
24716 +
24717 local_irq_restore(flags);
24718
24719 switch (return_code) {
24720 - case 0:
24721 - return address + entry;
24722 - case 0x80: /* Not present */
24723 - printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
24724 - return 0;
24725 - default: /* Shouldn't happen */
24726 - printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
24727 - service, return_code);
24728 + case 0: {
24729 + int cpu;
24730 + unsigned char flags;
24731 +
24732 + printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
24733 + if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
24734 + printk(KERN_WARNING "bios32_service: not valid\n");
24735 return 0;
24736 + }
24737 + address = address + PAGE_OFFSET;
24738 + length += 16UL; /* some BIOSs underreport this... */
24739 + flags = 4;
24740 + if (length >= 64*1024*1024) {
24741 + length >>= PAGE_SHIFT;
24742 + flags |= 8;
24743 + }
24744 +
24745 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
24746 + gdt = get_cpu_gdt_table(cpu);
24747 + pack_descriptor(&d, address, length, 0x9b, flags);
24748 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
24749 + pack_descriptor(&d, address, length, 0x93, flags);
24750 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
24751 + }
24752 + return entry;
24753 + }
24754 + case 0x80: /* Not present */
24755 + printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
24756 + return 0;
24757 + default: /* Shouldn't happen */
24758 + printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
24759 + service, return_code);
24760 + return 0;
24761 }
24762 }
24763
24764 static struct {
24765 unsigned long address;
24766 unsigned short segment;
24767 -} pci_indirect = { 0, __KERNEL_CS };
24768 +} pci_indirect __read_only = { 0, __PCIBIOS_CS };
24769
24770 -static int pci_bios_present;
24771 +static int pci_bios_present __read_only;
24772
24773 static int __devinit check_pcibios(void)
24774 {
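Review bot: In the `case 0` branch of `bios32_service` the page-granularity switch `if (length >= 64*1024*1024)` can never fire, because the preceding check already rejects `length > 0x100000 - address` and only 16 is added afterwards. A byte-granular descriptor limit is 20 bits wide, so with `address` near 0 and `length` close to 1 MiB the `+ 16` adjustment can push the value past `0xFFFFF`. Assuming `pack_descriptor` keeps only the low 20 bits, the BIOS code and data segments would then come out far smaller than intended. Comparing against the field width, `if (length > 0xFFFFFUL) { length >>= PAGE_SHIFT; flags |= 8; }`, or clamping after the adjustment, would cover that case. The inner `unsigned char flags` also shadows the `unsigned long flags` used for `local_irq_save` and would read better as `desc_flags`; `check_pcibios` begins at the end of this hunk and continues outside it.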
24775 @@ -108,11 +151,13 @@ static int __devinit check_pcibios(void)
24776 unsigned long flags, pcibios_entry;
24777
24778 if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
24779 - pci_indirect.address = pcibios_entry + PAGE_OFFSET;
24780 + pci_indirect.address = pcibios_entry;
24781
24782 local_irq_save(flags);
24783 - __asm__(
24784 - "lcall *(%%edi); cld\n\t"
24785 + __asm__("movw %w6, %%ds\n\t"
24786 + "lcall *%%ss:(%%edi); cld\n\t"
24787 + "push %%ss\n\t"
24788 + "pop %%ds\n\t"
24789 "jc 1f\n\t"
24790 "xor %%ah, %%ah\n"
24791 "1:"
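Review bot: The DS-switch sequence added here (`movw %w6, %%ds` before the call, `push %%ss` / `pop %%ds` after it) names the selector by operand position. The same block is pasted into every BIOS call in this file with the index adjusted by hand: `%w7` in `bios32_service`, `%w8` in `pcibios_get_irq_routing_table`, `%w5` in `pcibios_set_irq_routing`. A later change to any operand list would silently load a different value into DS for the duration of the firmware call. A named operand, `[ds] "r" (__PCIBIOS_DS)` used as `movw %w[ds], %%ds`, removes that dependency, and a single macro for the prologue and epilogue would keep the call sites in step. The asm statement continues in the next hunk.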
24792 @@ -121,7 +166,8 @@ static int __devinit check_pcibios(void)
24793 "=b" (ebx),
24794 "=c" (ecx)
24795 : "1" (PCIBIOS_PCI_BIOS_PRESENT),
24796 - "D" (&pci_indirect)
24797 + "D" (&pci_indirect),
24798 + "r" (__PCIBIOS_DS)
24799 : "memory");
24800 local_irq_restore(flags);
24801
24802 @@ -165,7 +211,10 @@ static int pci_bios_read(unsigned int se
24803
24804 switch (len) {
24805 case 1:
24806 - __asm__("lcall *(%%esi); cld\n\t"
24807 + __asm__("movw %w6, %%ds\n\t"
24808 + "lcall *%%ss:(%%esi); cld\n\t"
24809 + "push %%ss\n\t"
24810 + "pop %%ds\n\t"
24811 "jc 1f\n\t"
24812 "xor %%ah, %%ah\n"
24813 "1:"
24814 @@ -174,7 +223,8 @@ static int pci_bios_read(unsigned int se
24815 : "1" (PCIBIOS_READ_CONFIG_BYTE),
24816 "b" (bx),
24817 "D" ((long)reg),
24818 - "S" (&pci_indirect));
24819 + "S" (&pci_indirect),
24820 + "r" (__PCIBIOS_DS));
24821 /*
24822 * Zero-extend the result beyond 8 bits, do not trust the
24823 * BIOS having done it:
24824 @@ -182,7 +232,10 @@ static int pci_bios_read(unsigned int se
24825 *value &= 0xff;
24826 break;
24827 case 2:
24828 - __asm__("lcall *(%%esi); cld\n\t"
24829 + __asm__("movw %w6, %%ds\n\t"
24830 + "lcall *%%ss:(%%esi); cld\n\t"
24831 + "push %%ss\n\t"
24832 + "pop %%ds\n\t"
24833 "jc 1f\n\t"
24834 "xor %%ah, %%ah\n"
24835 "1:"
24836 @@ -191,7 +244,8 @@ static int pci_bios_read(unsigned int se
24837 : "1" (PCIBIOS_READ_CONFIG_WORD),
24838 "b" (bx),
24839 "D" ((long)reg),
24840 - "S" (&pci_indirect));
24841 + "S" (&pci_indirect),
24842 + "r" (__PCIBIOS_DS));
24843 /*
24844 * Zero-extend the result beyond 16 bits, do not trust the
24845 * BIOS having done it:
24846 @@ -199,7 +253,10 @@ static int pci_bios_read(unsigned int se
24847 *value &= 0xffff;
24848 break;
24849 case 4:
24850 - __asm__("lcall *(%%esi); cld\n\t"
24851 + __asm__("movw %w6, %%ds\n\t"
24852 + "lcall *%%ss:(%%esi); cld\n\t"
24853 + "push %%ss\n\t"
24854 + "pop %%ds\n\t"
24855 "jc 1f\n\t"
24856 "xor %%ah, %%ah\n"
24857 "1:"
24858 @@ -208,7 +265,8 @@ static int pci_bios_read(unsigned int se
24859 : "1" (PCIBIOS_READ_CONFIG_DWORD),
24860 "b" (bx),
24861 "D" ((long)reg),
24862 - "S" (&pci_indirect));
24863 + "S" (&pci_indirect),
24864 + "r" (__PCIBIOS_DS));
24865 break;
24866 }
24867
24868 @@ -231,7 +289,10 @@ static int pci_bios_write(unsigned int s
24869
24870 switch (len) {
24871 case 1:
24872 - __asm__("lcall *(%%esi); cld\n\t"
24873 + __asm__("movw %w6, %%ds\n\t"
24874 + "lcall *%%ss:(%%esi); cld\n\t"
24875 + "push %%ss\n\t"
24876 + "pop %%ds\n\t"
24877 "jc 1f\n\t"
24878 "xor %%ah, %%ah\n"
24879 "1:"
24880 @@ -240,10 +301,14 @@ static int pci_bios_write(unsigned int s
24881 "c" (value),
24882 "b" (bx),
24883 "D" ((long)reg),
24884 - "S" (&pci_indirect));
24885 + "S" (&pci_indirect),
24886 + "r" (__PCIBIOS_DS));
24887 break;
24888 case 2:
24889 - __asm__("lcall *(%%esi); cld\n\t"
24890 + __asm__("movw %w6, %%ds\n\t"
24891 + "lcall *%%ss:(%%esi); cld\n\t"
24892 + "push %%ss\n\t"
24893 + "pop %%ds\n\t"
24894 "jc 1f\n\t"
24895 "xor %%ah, %%ah\n"
24896 "1:"
24897 @@ -252,10 +317,14 @@ static int pci_bios_write(unsigned int s
24898 "c" (value),
24899 "b" (bx),
24900 "D" ((long)reg),
24901 - "S" (&pci_indirect));
24902 + "S" (&pci_indirect),
24903 + "r" (__PCIBIOS_DS));
24904 break;
24905 case 4:
24906 - __asm__("lcall *(%%esi); cld\n\t"
24907 + __asm__("movw %w6, %%ds\n\t"
24908 + "lcall *%%ss:(%%esi); cld\n\t"
24909 + "push %%ss\n\t"
24910 + "pop %%ds\n\t"
24911 "jc 1f\n\t"
24912 "xor %%ah, %%ah\n"
24913 "1:"
24914 @@ -264,7 +333,8 @@ static int pci_bios_write(unsigned int s
24915 "c" (value),
24916 "b" (bx),
24917 "D" ((long)reg),
24918 - "S" (&pci_indirect));
24919 + "S" (&pci_indirect),
24920 + "r" (__PCIBIOS_DS));
24921 break;
24922 }
24923
24924 @@ -278,7 +348,7 @@ static int pci_bios_write(unsigned int s
24925 * Function table for BIOS32 access
24926 */
24927
24928 -static struct pci_raw_ops pci_bios_access = {
24929 +static const struct pci_raw_ops pci_bios_access = {
24930 .read = pci_bios_read,
24931 .write = pci_bios_write
24932 };
24933 @@ -287,7 +357,7 @@ static struct pci_raw_ops pci_bios_acces
24934 * Try to find PCI BIOS.
24935 */
24936
24937 -static struct pci_raw_ops * __devinit pci_find_bios(void)
24938 +static const struct pci_raw_ops * __devinit pci_find_bios(void)
24939 {
24940 union bios32 *check;
24941 unsigned char sum;
24942 @@ -368,10 +438,13 @@ struct irq_routing_table * pcibios_get_i
24943
24944 DBG("PCI: Fetching IRQ routing table... ");
24945 __asm__("push %%es\n\t"
24946 + "movw %w8, %%ds\n\t"
24947 "push %%ds\n\t"
24948 "pop %%es\n\t"
24949 - "lcall *(%%esi); cld\n\t"
24950 + "lcall *%%ss:(%%esi); cld\n\t"
24951 "pop %%es\n\t"
24952 + "push %%ss\n\t"
24953 + "pop %%ds\n"
24954 "jc 1f\n\t"
24955 "xor %%ah, %%ah\n"
24956 "1:"
24957 @@ -382,7 +455,8 @@ struct irq_routing_table * pcibios_get_i
24958 "1" (0),
24959 "D" ((long) &opt),
24960 "S" (&pci_indirect),
24961 - "m" (opt)
24962 + "m" (opt),
24963 + "r" (__PCIBIOS_DS)
24964 : "memory");
24965 DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
24966 if (ret & 0xff00)
24967 @@ -406,7 +480,10 @@ int pcibios_set_irq_routing(struct pci_d
24968 {
24969 int ret;
24970
24971 - __asm__("lcall *(%%esi); cld\n\t"
24972 + __asm__("movw %w5, %%ds\n\t"
24973 + "lcall *%%ss:(%%esi); cld\n\t"
24974 + "push %%ss\n\t"
24975 + "pop %%ds\n"
24976 "jc 1f\n\t"
24977 "xor %%ah, %%ah\n"
24978 "1:"
24979 @@ -414,7 +491,8 @@ int pcibios_set_irq_routing(struct pci_d
24980 : "0" (PCIBIOS_SET_PCI_HW_INT),
24981 "b" ((dev->bus->number << 8) | dev->devfn),
24982 "c" ((irq << 8) | (pin + 10)),
24983 - "S" (&pci_indirect));
24984 + "S" (&pci_indirect),
24985 + "r" (__PCIBIOS_DS));
24986 return !(ret & 0xff00);
24987 }
24988 EXPORT_SYMBOL(pcibios_set_irq_routing);
24989 diff -urNp linux-2.6.32.49/arch/x86/power/cpu.c linux-2.6.32.49/arch/x86/power/cpu.c
24990 --- linux-2.6.32.49/arch/x86/power/cpu.c 2011-11-08 19:02:43.000000000 -0500
24991 +++ linux-2.6.32.49/arch/x86/power/cpu.c 2011-11-15 19:59:43.000000000 -0500
24992 @@ -129,7 +129,7 @@ static void do_fpu_end(void)
24993 static void fix_processor_context(void)
24994 {
24995 int cpu = smp_processor_id();
24996 - struct tss_struct *t = &per_cpu(init_tss, cpu);
24997 + struct tss_struct *t = init_tss + cpu;
24998
24999 set_tss_desc(cpu, t); /*
25000 * This just modifies memory; should not be
25001 @@ -139,7 +139,9 @@ static void fix_processor_context(void)
25002 */
25003
25004 #ifdef CONFIG_X86_64
25005 + pax_open_kernel();
25006 get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9;
25007 + pax_close_kernel();
25008
25009 syscall_init(); /* This sets MSR_*STAR and related */
25010 #endif
25011 diff -urNp linux-2.6.32.49/arch/x86/vdso/Makefile linux-2.6.32.49/arch/x86/vdso/Makefile
25012 --- linux-2.6.32.49/arch/x86/vdso/Makefile 2011-11-08 19:02:43.000000000 -0500
25013 +++ linux-2.6.32.49/arch/x86/vdso/Makefile 2011-11-15 19:59:43.000000000 -0500
25014 @@ -122,7 +122,7 @@ quiet_cmd_vdso = VDSO $@
25015 $(VDSO_LDFLAGS) $(VDSO_LDFLAGS_$(filter %.lds,$(^F))) \
25016 -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^)
25017
25018 -VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
25019 +VDSO_LDFLAGS = -fPIC -shared -Wl,--no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
25020 GCOV_PROFILE := n
25021
25022 #
25023 diff -urNp linux-2.6.32.49/arch/x86/vdso/vclock_gettime.c linux-2.6.32.49/arch/x86/vdso/vclock_gettime.c
25024 --- linux-2.6.32.49/arch/x86/vdso/vclock_gettime.c 2011-11-08 19:02:43.000000000 -0500
25025 +++ linux-2.6.32.49/arch/x86/vdso/vclock_gettime.c 2011-11-15 19:59:43.000000000 -0500
25026 @@ -22,24 +22,48 @@
25027 #include <asm/hpet.h>
25028 #include <asm/unistd.h>
25029 #include <asm/io.h>
25030 +#include <asm/fixmap.h>
25031 #include "vextern.h"
25032
25033 #define gtod vdso_vsyscall_gtod_data
25034
25035 +notrace noinline long __vdso_fallback_time(long *t)
25036 +{
25037 + long secs;
25038 + asm volatile("syscall"
25039 + : "=a" (secs)
25040 + : "0" (__NR_time),"D" (t) : "r11", "cx", "memory");
25041 + return secs;
25042 +}
25043 +
25044 notrace static long vdso_fallback_gettime(long clock, struct timespec *ts)
25045 {
25046 long ret;
25047 asm("syscall" : "=a" (ret) :
25048 - "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "memory");
25049 + "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "r11", "cx", "memory");
25050 return ret;
25051 }
25052
25053 +notrace static inline cycle_t __vdso_vread_hpet(void)
25054 +{
25055 + return readl((const void __iomem *)fix_to_virt(VSYSCALL_HPET) + 0xf0);
25056 +}
25057 +
25058 +notrace static inline cycle_t __vdso_vread_tsc(void)
25059 +{
25060 + cycle_t ret = (cycle_t)vget_cycles();
25061 +
25062 + return ret >= gtod->clock.cycle_last ? ret : gtod->clock.cycle_last;
25063 +}
25064 +
25065 notrace static inline long vgetns(void)
25066 {
25067 long v;
25068 - cycles_t (*vread)(void);
25069 - vread = gtod->clock.vread;
25070 - v = (vread() - gtod->clock.cycle_last) & gtod->clock.mask;
25071 + if (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3])
25072 + v = __vdso_vread_tsc();
25073 + else
25074 + v = __vdso_vread_hpet();
25075 + v = (v - gtod->clock.cycle_last) & gtod->clock.mask;
25076 return (v * gtod->clock.mult) >> gtod->clock.shift;
25077 }
25078
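Review bot: `vgetns()` now treats every clock whose name is not exactly "tsc" as HPET and reads the fixmap at offset `0xf0`, so it is only correct if each caller has already matched the name against "hpet" or "tsc". That match is open-coded character by character here and again in `__vdso_clock_gettime` and `__vdso_gettimeofday` in the following hunks. One pair of `static inline` predicates shared by all three sites would keep the gate and the dispatch from drifting apart. It should carry a comment on why string helpers are not used, presumably because they are unavailable inside the vDSO. The literal `0xf0` in `__vdso_vread_hpet` should be `HPET_COUNTER` from the already included asm/hpet.h.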
25079 @@ -113,7 +137,9 @@ notrace static noinline int do_monotonic
25080
25081 notrace int __vdso_clock_gettime(clockid_t clock, struct timespec *ts)
25082 {
25083 - if (likely(gtod->sysctl_enabled))
25084 + if (likely(gtod->sysctl_enabled &&
25085 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
25086 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
25087 switch (clock) {
25088 case CLOCK_REALTIME:
25089 if (likely(gtod->clock.vread))
25090 @@ -133,10 +159,20 @@ notrace int __vdso_clock_gettime(clockid
25091 int clock_gettime(clockid_t, struct timespec *)
25092 __attribute__((weak, alias("__vdso_clock_gettime")));
25093
25094 -notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
25095 +notrace noinline int __vdso_fallback_gettimeofday(struct timeval *tv, struct timezone *tz)
25096 {
25097 long ret;
25098 - if (likely(gtod->sysctl_enabled && gtod->clock.vread)) {
25099 + asm("syscall" : "=a" (ret) :
25100 + "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "r11", "cx", "memory");
25101 + return ret;
25102 +}
25103 +
25104 +notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
25105 +{
25106 + if (likely(gtod->sysctl_enabled &&
25107 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
25108 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
25109 + {
25110 if (likely(tv != NULL)) {
25111 BUILD_BUG_ON(offsetof(struct timeval, tv_usec) !=
25112 offsetof(struct timespec, tv_nsec) ||
25113 @@ -151,9 +187,7 @@ notrace int __vdso_gettimeofday(struct t
25114 }
25115 return 0;
25116 }
25117 - asm("syscall" : "=a" (ret) :
25118 - "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "memory");
25119 - return ret;
25120 + return __vdso_fallback_gettimeofday(tv, tz);
25121 }
25122 int gettimeofday(struct timeval *, struct timezone *)
25123 __attribute__((weak, alias("__vdso_gettimeofday")));
25124 diff -urNp linux-2.6.32.49/arch/x86/vdso/vdso32-setup.c linux-2.6.32.49/arch/x86/vdso/vdso32-setup.c
25125 --- linux-2.6.32.49/arch/x86/vdso/vdso32-setup.c 2011-11-08 19:02:43.000000000 -0500
25126 +++ linux-2.6.32.49/arch/x86/vdso/vdso32-setup.c 2011-11-15 19:59:43.000000000 -0500
25127 @@ -25,6 +25,7 @@
25128 #include <asm/tlbflush.h>
25129 #include <asm/vdso.h>
25130 #include <asm/proto.h>
25131 +#include <asm/mman.h>
25132
25133 enum {
25134 VDSO_DISABLED = 0,
25135 @@ -226,7 +227,7 @@ static inline void map_compat_vdso(int m
25136 void enable_sep_cpu(void)
25137 {
25138 int cpu = get_cpu();
25139 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
25140 + struct tss_struct *tss = init_tss + cpu;
25141
25142 if (!boot_cpu_has(X86_FEATURE_SEP)) {
25143 put_cpu();
25144 @@ -249,7 +250,7 @@ static int __init gate_vma_init(void)
25145 gate_vma.vm_start = FIXADDR_USER_START;
25146 gate_vma.vm_end = FIXADDR_USER_END;
25147 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
25148 - gate_vma.vm_page_prot = __P101;
25149 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
25150 /*
25151 * Make sure the vDSO gets into every core dump.
25152 * Dumping its contents makes post-mortem fully interpretable later
25153 @@ -331,14 +332,14 @@ int arch_setup_additional_pages(struct l
25154 if (compat)
25155 addr = VDSO_HIGH_BASE;
25156 else {
25157 - addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
25158 + addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
25159 if (IS_ERR_VALUE(addr)) {
25160 ret = addr;
25161 goto up_fail;
25162 }
25163 }
25164
25165 - current->mm->context.vdso = (void *)addr;
25166 + current->mm->context.vdso = addr;
25167
25168 if (compat_uses_vma || !compat) {
25169 /*
25170 @@ -361,11 +362,11 @@ int arch_setup_additional_pages(struct l
25171 }
25172
25173 current_thread_info()->sysenter_return =
25174 - VDSO32_SYMBOL(addr, SYSENTER_RETURN);
25175 + (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN);
25176
25177 up_fail:
25178 if (ret)
25179 - current->mm->context.vdso = NULL;
25180 + current->mm->context.vdso = 0;
25181
25182 up_write(&mm->mmap_sem);
25183
25184 @@ -413,8 +414,14 @@ __initcall(ia32_binfmt_init);
25185
25186 const char *arch_vma_name(struct vm_area_struct *vma)
25187 {
25188 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
25189 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
25190 return "[vdso]";
25191 +
25192 +#ifdef CONFIG_PAX_SEGMEXEC
25193 + if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
25194 + return "[vdso]";
25195 +#endif
25196 +
25197 return NULL;
25198 }
25199
25200 @@ -423,7 +430,7 @@ struct vm_area_struct *get_gate_vma(stru
25201 struct mm_struct *mm = tsk->mm;
25202
25203 /* Check to see if this task was created in compat vdso mode */
25204 - if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
25205 + if (mm && mm->context.vdso == VDSO_HIGH_BASE)
25206 return &gate_vma;
25207 return NULL;
25208 }
25209 diff -urNp linux-2.6.32.49/arch/x86/vdso/vdso.lds.S linux-2.6.32.49/arch/x86/vdso/vdso.lds.S
25210 --- linux-2.6.32.49/arch/x86/vdso/vdso.lds.S 2011-11-08 19:02:43.000000000 -0500
25211 +++ linux-2.6.32.49/arch/x86/vdso/vdso.lds.S 2011-11-15 19:59:43.000000000 -0500
25212 @@ -35,3 +35,9 @@ VDSO64_PRELINK = VDSO_PRELINK;
25213 #define VEXTERN(x) VDSO64_ ## x = vdso_ ## x;
25214 #include "vextern.h"
25215 #undef VEXTERN
25216 +
25217 +#define VEXTERN(x) VDSO64_ ## x = __vdso_ ## x;
25218 +VEXTERN(fallback_gettimeofday)
25219 +VEXTERN(fallback_time)
25220 +VEXTERN(getcpu)
25221 +#undef VEXTERN
25222 diff -urNp linux-2.6.32.49/arch/x86/vdso/vextern.h linux-2.6.32.49/arch/x86/vdso/vextern.h
25223 --- linux-2.6.32.49/arch/x86/vdso/vextern.h 2011-11-08 19:02:43.000000000 -0500
25224 +++ linux-2.6.32.49/arch/x86/vdso/vextern.h 2011-11-15 19:59:43.000000000 -0500
25225 @@ -11,6 +11,5 @@
25226 put into vextern.h and be referenced as a pointer with vdso prefix.
25227 The main kernel later fills in the values. */
25228
25229 -VEXTERN(jiffies)
25230 VEXTERN(vgetcpu_mode)
25231 VEXTERN(vsyscall_gtod_data)
25232 diff -urNp linux-2.6.32.49/arch/x86/vdso/vma.c linux-2.6.32.49/arch/x86/vdso/vma.c
25233 --- linux-2.6.32.49/arch/x86/vdso/vma.c 2011-11-08 19:02:43.000000000 -0500
25234 +++ linux-2.6.32.49/arch/x86/vdso/vma.c 2011-11-18 18:01:52.000000000 -0500
25235 @@ -17,8 +17,6 @@
25236 #include "vextern.h" /* Just for VMAGIC. */
25237 #undef VEXTERN
25238
25239 -unsigned int __read_mostly vdso_enabled = 1;
25240 -
25241 extern char vdso_start[], vdso_end[];
25242 extern unsigned short vdso_sync_cpuid;
25243
25244 @@ -27,10 +25,8 @@ static unsigned vdso_size;
25245
25246 static inline void *var_ref(void *p, char *name)
25247 {
25248 - if (*(void **)p != (void *)VMAGIC) {
25249 - printk("VDSO: variable %s broken\n", name);
25250 - vdso_enabled = 0;
25251 - }
25252 + if (*(void **)p != (void *)VMAGIC)
25253 + panic("VDSO: variable %s broken\n", name);
25254 return p;
25255 }
25256
25257 @@ -57,21 +53,18 @@ static int __init init_vdso_vars(void)
25258 if (!vbase)
25259 goto oom;
25260
25261 - if (memcmp(vbase, "\177ELF", 4)) {
25262 - printk("VDSO: I'm broken; not ELF\n");
25263 - vdso_enabled = 0;
25264 - }
25265 + if (memcmp(vbase, ELFMAG, SELFMAG))
25266 + panic("VDSO: I'm broken; not ELF\n");
25267
25268 #define VEXTERN(x) \
25269 *(typeof(__ ## x) **) var_ref(VDSO64_SYMBOL(vbase, x), #x) = &__ ## x;
25270 #include "vextern.h"
25271 #undef VEXTERN
25272 + vunmap(vbase);
25273 return 0;
25274
25275 oom:
25276 - printk("Cannot allocate vdso\n");
25277 - vdso_enabled = 0;
25278 - return -ENOMEM;
25279 + panic("Cannot allocate vdso\n");
25280 }
25281 __initcall(init_vdso_vars);
25282
25283 @@ -102,13 +95,15 @@ static unsigned long vdso_addr(unsigned
25284 int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
25285 {
25286 struct mm_struct *mm = current->mm;
25287 - unsigned long addr;
25288 + unsigned long addr = 0;
25289 int ret;
25290
25291 - if (!vdso_enabled)
25292 - return 0;
25293 -
25294 down_write(&mm->mmap_sem);
25295 +
25296 +#ifdef CONFIG_PAX_RANDMMAP
25297 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
25298 +#endif
25299 +
25300 addr = vdso_addr(mm->start_stack, vdso_size);
25301 addr = get_unmapped_area(NULL, addr, vdso_size, 0, 0);
25302 if (IS_ERR_VALUE(addr)) {
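Review bot: The unbraced `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` inside the `#ifdef CONFIG_PAX_RANDMMAP` block governs the `addr = vdso_addr(mm->start_stack, vdso_size);` assignment on the far side of the `#endif` and a blank line. That is easy to misread, and inserting any statement in between would silently change what the condition guards. Dropping the blank line and adding a comment such as `/* under RANDMMAP leave addr at 0 and let get_unmapped_area() choose the base */` would make the intent explicit; that reading is inferred from the new `addr = 0` initialiser. The function starts and ends outside this hunk.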
25303 @@ -116,7 +111,7 @@ int arch_setup_additional_pages(struct l
25304 goto up_fail;
25305 }
25306
25307 - current->mm->context.vdso = (void *)addr;
25308 + current->mm->context.vdso = addr;
25309
25310 ret = install_special_mapping(mm, addr, vdso_size,
25311 VM_READ|VM_EXEC|
25312 @@ -124,7 +119,7 @@ int arch_setup_additional_pages(struct l
25313 VM_ALWAYSDUMP,
25314 vdso_pages);
25315 if (ret) {
25316 - current->mm->context.vdso = NULL;
25317 + current->mm->context.vdso = 0;
25318 goto up_fail;
25319 }
25320
25321 @@ -132,10 +127,3 @@ up_fail:
25322 up_write(&mm->mmap_sem);
25323 return ret;
25324 }
25325 -
25326 -static __init int vdso_setup(char *s)
25327 -{
25328 - vdso_enabled = simple_strtoul(s, NULL, 0);
25329 - return 0;
25330 -}
25331 -__setup("vdso=", vdso_setup);
25332 diff -urNp linux-2.6.32.49/arch/x86/xen/enlighten.c linux-2.6.32.49/arch/x86/xen/enlighten.c
25333 --- linux-2.6.32.49/arch/x86/xen/enlighten.c 2011-11-08 19:02:43.000000000 -0500
25334 +++ linux-2.6.32.49/arch/x86/xen/enlighten.c 2011-11-15 19:59:43.000000000 -0500
25335 @@ -71,8 +71,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
25336
25337 struct shared_info xen_dummy_shared_info;
25338
25339 -void *xen_initial_gdt;
25340 -
25341 /*
25342 * Point at some empty memory to start with. We map the real shared_info
25343 * page as soon as fixmap is up and running.
25344 @@ -548,7 +546,7 @@ static void xen_write_idt_entry(gate_des
25345
25346 preempt_disable();
25347
25348 - start = __get_cpu_var(idt_desc).address;
25349 + start = (unsigned long)__get_cpu_var(idt_desc).address;
25350 end = start + __get_cpu_var(idt_desc).size + 1;
25351
25352 xen_mc_flush();
25353 @@ -993,7 +991,7 @@ static const struct pv_apic_ops xen_apic
25354 #endif
25355 };
25356
25357 -static void xen_reboot(int reason)
25358 +static __noreturn void xen_reboot(int reason)
25359 {
25360 struct sched_shutdown r = { .reason = reason };
25361
25362 @@ -1001,17 +999,17 @@ static void xen_reboot(int reason)
25363 BUG();
25364 }
25365
25366 -static void xen_restart(char *msg)
25367 +static __noreturn void xen_restart(char *msg)
25368 {
25369 xen_reboot(SHUTDOWN_reboot);
25370 }
25371
25372 -static void xen_emergency_restart(void)
25373 +static __noreturn void xen_emergency_restart(void)
25374 {
25375 xen_reboot(SHUTDOWN_reboot);
25376 }
25377
25378 -static void xen_machine_halt(void)
25379 +static __noreturn void xen_machine_halt(void)
25380 {
25381 xen_reboot(SHUTDOWN_poweroff);
25382 }
25383 @@ -1095,9 +1093,20 @@ asmlinkage void __init xen_start_kernel(
25384 */
25385 __userpte_alloc_gfp &= ~__GFP_HIGHMEM;
25386
25387 -#ifdef CONFIG_X86_64
25388 /* Work out if we support NX */
25389 - check_efer();
25390 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
25391 + if ((cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000 &&
25392 + (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) {
25393 + unsigned l, h;
25394 +
25395 +#ifdef CONFIG_X86_PAE
25396 + nx_enabled = 1;
25397 +#endif
25398 + __supported_pte_mask |= _PAGE_NX;
25399 + rdmsr(MSR_EFER, l, h);
25400 + l |= EFER_NX;
25401 + wrmsr(MSR_EFER, l, h);
25402 + }
25403 #endif
25404
25405 xen_setup_features();
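Review bot: The test `(cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000` also passes when the highest extended leaf is 0x80000000 itself, yet the next line reads leaf 0x80000001, which such a CPU does not implement. Comparing the returned maximum directly, `cpuid_eax(0x80000000) >= 0x80000001 &&`, closes that gap; the mask test can stay if it is meant to reject garbage values. The expression `1U << (X86_FEATURE_NX & 31)` would also benefit from a short comment, for example `/* NX bit within the EDX feature word */`. xen_start_kernel continues outside the hunk.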
25406 @@ -1129,13 +1138,6 @@ asmlinkage void __init xen_start_kernel(
25407
25408 machine_ops = xen_machine_ops;
25409
25410 - /*
25411 - * The only reliable way to retain the initial address of the
25412 - * percpu gdt_page is to remember it here, so we can go and
25413 - * mark it RW later, when the initial percpu area is freed.
25414 - */
25415 - xen_initial_gdt = &per_cpu(gdt_page, 0);
25416 -
25417 xen_smp_init();
25418
25419 pgd = (pgd_t *)xen_start_info->pt_base;
25420 diff -urNp linux-2.6.32.49/arch/x86/xen/mmu.c linux-2.6.32.49/arch/x86/xen/mmu.c
25421 --- linux-2.6.32.49/arch/x86/xen/mmu.c 2011-11-08 19:02:43.000000000 -0500
25422 +++ linux-2.6.32.49/arch/x86/xen/mmu.c 2011-11-15 19:59:43.000000000 -0500
25423 @@ -1719,6 +1719,8 @@ __init pgd_t *xen_setup_kernel_pagetable
25424 convert_pfn_mfn(init_level4_pgt);
25425 convert_pfn_mfn(level3_ident_pgt);
25426 convert_pfn_mfn(level3_kernel_pgt);
25427 + convert_pfn_mfn(level3_vmalloc_pgt);
25428 + convert_pfn_mfn(level3_vmemmap_pgt);
25429
25430 l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
25431 l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
25432 @@ -1737,7 +1739,10 @@ __init pgd_t *xen_setup_kernel_pagetable
25433 set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
25434 set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
25435 set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
25436 + set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
25437 + set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
25438 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
25439 + set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
25440 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
25441 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
25442
25443 @@ -1860,6 +1865,7 @@ static __init void xen_post_allocator_in
25444 pv_mmu_ops.set_pud = xen_set_pud;
25445 #if PAGETABLE_LEVELS == 4
25446 pv_mmu_ops.set_pgd = xen_set_pgd;
25447 + pv_mmu_ops.set_pgd_batched = xen_set_pgd;
25448 #endif
25449
25450 /* This will work as long as patching hasn't happened yet
25451 @@ -1946,6 +1952,7 @@ static const struct pv_mmu_ops xen_mmu_o
25452 .pud_val = PV_CALLEE_SAVE(xen_pud_val),
25453 .make_pud = PV_CALLEE_SAVE(xen_make_pud),
25454 .set_pgd = xen_set_pgd_hyper,
25455 + .set_pgd_batched = xen_set_pgd_hyper,
25456
25457 .alloc_pud = xen_alloc_pmd_init,
25458 .release_pud = xen_release_pmd_init,
25459 diff -urNp linux-2.6.32.49/arch/x86/xen/smp.c linux-2.6.32.49/arch/x86/xen/smp.c
25460 --- linux-2.6.32.49/arch/x86/xen/smp.c 2011-11-08 19:02:43.000000000 -0500
25461 +++ linux-2.6.32.49/arch/x86/xen/smp.c 2011-11-15 19:59:43.000000000 -0500
25462 @@ -168,11 +168,6 @@ static void __init xen_smp_prepare_boot_
25463 {
25464 BUG_ON(smp_processor_id() != 0);
25465 native_smp_prepare_boot_cpu();
25466 -
25467 - /* We've switched to the "real" per-cpu gdt, so make sure the
25468 - old memory can be recycled */
25469 - make_lowmem_page_readwrite(xen_initial_gdt);
25470 -
25471 xen_setup_vcpu_info_placement();
25472 }
25473
25474 @@ -241,12 +236,12 @@ cpu_initialize_context(unsigned int cpu,
25475 gdt = get_cpu_gdt_table(cpu);
25476
25477 ctxt->flags = VGCF_IN_KERNEL;
25478 - ctxt->user_regs.ds = __USER_DS;
25479 - ctxt->user_regs.es = __USER_DS;
25480 + ctxt->user_regs.ds = __KERNEL_DS;
25481 + ctxt->user_regs.es = __KERNEL_DS;
25482 ctxt->user_regs.ss = __KERNEL_DS;
25483 #ifdef CONFIG_X86_32
25484 ctxt->user_regs.fs = __KERNEL_PERCPU;
25485 - ctxt->user_regs.gs = __KERNEL_STACK_CANARY;
25486 + savesegment(gs, ctxt->user_regs.gs);
25487 #else
25488 ctxt->gs_base_kernel = per_cpu_offset(cpu);
25489 #endif
25490 @@ -297,13 +292,12 @@ static int __cpuinit xen_cpu_up(unsigned
25491 int rc;
25492
25493 per_cpu(current_task, cpu) = idle;
25494 + per_cpu(current_tinfo, cpu) = &idle->tinfo;
25495 #ifdef CONFIG_X86_32
25496 irq_ctx_init(cpu);
25497 #else
25498 clear_tsk_thread_flag(idle, TIF_FORK);
25499 - per_cpu(kernel_stack, cpu) =
25500 - (unsigned long)task_stack_page(idle) -
25501 - KERNEL_STACK_OFFSET + THREAD_SIZE;
25502 + per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(idle) - 16 + THREAD_SIZE;
25503 #endif
25504 xen_setup_runstate_info(cpu);
25505 xen_setup_timer(cpu);
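Review bot: The literal `16` in `per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(idle) - 16 + THREAD_SIZE;` replaces the named `KERNEL_STACK_OFFSET` with a magic number. This site can then drift from any other code that derives the same stack top. Whether the named constant was redefined or removed elsewhere in the patch is not visible here. A named constant, or at least a comment such as `/* 16: bytes kept free at the top of the idle stack; keep in sync with the other kernel_stack users */`, would keep the coupling visible. xen_cpu_up continues outside the hunk.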
25506 diff -urNp linux-2.6.32.49/arch/x86/xen/xen-asm_32.S linux-2.6.32.49/arch/x86/xen/xen-asm_32.S
25507 --- linux-2.6.32.49/arch/x86/xen/xen-asm_32.S 2011-11-08 19:02:43.000000000 -0500
25508 +++ linux-2.6.32.49/arch/x86/xen/xen-asm_32.S 2011-11-15 19:59:43.000000000 -0500
25509 @@ -83,14 +83,14 @@ ENTRY(xen_iret)
25510 ESP_OFFSET=4 # bytes pushed onto stack
25511
25512 /*
25513 - * Store vcpu_info pointer for easy access. Do it this way to
25514 - * avoid having to reload %fs
25515 + * Store vcpu_info pointer for easy access.
25516 */
25517 #ifdef CONFIG_SMP
25518 - GET_THREAD_INFO(%eax)
25519 - movl TI_cpu(%eax), %eax
25520 - movl __per_cpu_offset(,%eax,4), %eax
25521 - mov per_cpu__xen_vcpu(%eax), %eax
25522 + push %fs
25523 + mov $(__KERNEL_PERCPU), %eax
25524 + mov %eax, %fs
25525 + mov PER_CPU_VAR(xen_vcpu), %eax
25526 + pop %fs
25527 #else
25528 movl per_cpu__xen_vcpu, %eax
25529 #endif
25530 diff -urNp linux-2.6.32.49/arch/x86/xen/xen-head.S linux-2.6.32.49/arch/x86/xen/xen-head.S
25531 --- linux-2.6.32.49/arch/x86/xen/xen-head.S 2011-11-08 19:02:43.000000000 -0500
25532 +++ linux-2.6.32.49/arch/x86/xen/xen-head.S 2011-11-15 19:59:43.000000000 -0500
25533 @@ -19,6 +19,17 @@ ENTRY(startup_xen)
25534 #ifdef CONFIG_X86_32
25535 mov %esi,xen_start_info
25536 mov $init_thread_union+THREAD_SIZE,%esp
25537 +#ifdef CONFIG_SMP
25538 + movl $cpu_gdt_table,%edi
25539 + movl $__per_cpu_load,%eax
25540 + movw %ax,__KERNEL_PERCPU + 2(%edi)
25541 + rorl $16,%eax
25542 + movb %al,__KERNEL_PERCPU + 4(%edi)
25543 + movb %ah,__KERNEL_PERCPU + 7(%edi)
25544 + movl $__per_cpu_end - 1,%eax
25545 + subl $__per_cpu_start,%eax
25546 + movw %ax,__KERNEL_PERCPU + 0(%edi)
25547 +#endif
25548 #else
25549 mov %rsi,xen_start_info
25550 mov $init_thread_union+THREAD_SIZE,%rsp
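Review bot: The added `CONFIG_SMP` block has no comment, and the byte offsets 0, 2, 4 and 7 only make sense to a reader who knows the segment-descriptor layout. A leading comment such as `/* set base (__per_cpu_load) and 16-bit limit (__per_cpu_end - 1 - __per_cpu_start) of the __KERNEL_PERCPU entry in cpu_gdt_table */` would document it. Only the low 16 bits of the limit are written here. The comment should therefore also say what the remaining limit and granularity bits of that entry are expected to hold, since they are initialised outside this hunk.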
25551 diff -urNp linux-2.6.32.49/arch/x86/xen/xen-ops.h linux-2.6.32.49/arch/x86/xen/xen-ops.h
25552 --- linux-2.6.32.49/arch/x86/xen/xen-ops.h 2011-11-08 19:02:43.000000000 -0500
25553 +++ linux-2.6.32.49/arch/x86/xen/xen-ops.h 2011-11-15 19:59:43.000000000 -0500
25554 @@ -10,8 +10,6 @@
25555 extern const char xen_hypervisor_callback[];
25556 extern const char xen_failsafe_callback[];
25557
25558 -extern void *xen_initial_gdt;
25559 -
25560 struct trap_info;
25561 void xen_copy_trap_info(struct trap_info *traps);
25562
25563 diff -urNp linux-2.6.32.49/block/blk-integrity.c linux-2.6.32.49/block/blk-integrity.c
25564 --- linux-2.6.32.49/block/blk-integrity.c 2011-11-08 19:02:43.000000000 -0500
25565 +++ linux-2.6.32.49/block/blk-integrity.c 2011-11-15 19:59:43.000000000 -0500
25566 @@ -278,7 +278,7 @@ static struct attribute *integrity_attrs
25567 NULL,
25568 };
25569
25570 -static struct sysfs_ops integrity_ops = {
25571 +static const struct sysfs_ops integrity_ops = {
25572 .show = &integrity_attr_show,
25573 .store = &integrity_attr_store,
25574 };
25575 diff -urNp linux-2.6.32.49/block/blk-iopoll.c linux-2.6.32.49/block/blk-iopoll.c
25576 --- linux-2.6.32.49/block/blk-iopoll.c 2011-11-08 19:02:43.000000000 -0500
25577 +++ linux-2.6.32.49/block/blk-iopoll.c 2011-11-15 19:59:43.000000000 -0500
25578 @@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopo
25579 }
25580 EXPORT_SYMBOL(blk_iopoll_complete);
25581
25582 -static void blk_iopoll_softirq(struct softirq_action *h)
25583 +static void blk_iopoll_softirq(void)
25584 {
25585 struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
25586 int rearm = 0, budget = blk_iopoll_budget;
25587 diff -urNp linux-2.6.32.49/block/blk-map.c linux-2.6.32.49/block/blk-map.c
25588 --- linux-2.6.32.49/block/blk-map.c 2011-11-08 19:02:43.000000000 -0500
25589 +++ linux-2.6.32.49/block/blk-map.c 2011-11-15 19:59:43.000000000 -0500
25590 @@ -54,7 +54,7 @@ static int __blk_rq_map_user(struct requ
25591 * direct dma. else, set up kernel bounce buffers
25592 */
25593 uaddr = (unsigned long) ubuf;
25594 - if (blk_rq_aligned(q, ubuf, len) && !map_data)
25595 + if (blk_rq_aligned(q, (__force void *)ubuf, len) && !map_data)
25596 bio = bio_map_user(q, NULL, uaddr, len, reading, gfp_mask);
25597 else
25598 bio = bio_copy_user(q, map_data, uaddr, len, reading, gfp_mask);
25599 @@ -201,12 +201,13 @@ int blk_rq_map_user_iov(struct request_q
25600 for (i = 0; i < iov_count; i++) {
25601 unsigned long uaddr = (unsigned long)iov[i].iov_base;
25602
25603 + if (!iov[i].iov_len)
25604 + return -EINVAL;
25605 +
25606 if (uaddr & queue_dma_alignment(q)) {
25607 unaligned = 1;
25608 break;
25609 }
25610 - if (!iov[i].iov_len)
25611 - return -EINVAL;
25612 }
25613
25614 if (unaligned || (q->dma_pad_mask & len) || map_data)
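Review bot: The `break` in the alignment branch still ends the loop at the first unaligned element, so the relocated `if (!iov[i].iov_len) return -EINVAL;` never runs for the elements after it. A zero-length entry later in the array is therefore not rejected. Setting the flag without leaving the loop, `if (uaddr & queue_dma_alignment(q)) unaligned = 1;`, lets every element be length-checked. The function body continues outside the hunk, so whether a later path re-validates the lengths cannot be seen here.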
25615 @@ -299,7 +300,7 @@ int blk_rq_map_kern(struct request_queue
25616 if (!len || !kbuf)
25617 return -EINVAL;
25618
25619 - do_copy = !blk_rq_aligned(q, kbuf, len) || object_is_on_stack(kbuf);
25620 + do_copy = !blk_rq_aligned(q, kbuf, len) || object_starts_on_stack(kbuf);
25621 if (do_copy)
25622 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
25623 else
25624 diff -urNp linux-2.6.32.49/block/blk-softirq.c linux-2.6.32.49/block/blk-softirq.c
25625 --- linux-2.6.32.49/block/blk-softirq.c 2011-11-08 19:02:43.000000000 -0500
25626 +++ linux-2.6.32.49/block/blk-softirq.c 2011-11-15 19:59:43.000000000 -0500
25627 @@ -17,7 +17,7 @@ static DEFINE_PER_CPU(struct list_head,
25628 * Softirq action handler - move entries to local list and loop over them
25629 * while passing them to the queue registered handler.
25630 */
25631 -static void blk_done_softirq(struct softirq_action *h)
25632 +static void blk_done_softirq(void)
25633 {
25634 struct list_head *cpu_list, local_list;
25635
25636 diff -urNp linux-2.6.32.49/block/blk-sysfs.c linux-2.6.32.49/block/blk-sysfs.c
25637 --- linux-2.6.32.49/block/blk-sysfs.c 2011-11-08 19:02:43.000000000 -0500
25638 +++ linux-2.6.32.49/block/blk-sysfs.c 2011-11-15 19:59:43.000000000 -0500
25639 @@ -414,7 +414,7 @@ static void blk_release_queue(struct kob
25640 kmem_cache_free(blk_requestq_cachep, q);
25641 }
25642
25643 -static struct sysfs_ops queue_sysfs_ops = {
25644 +static const struct sysfs_ops queue_sysfs_ops = {
25645 .show = queue_attr_show,
25646 .store = queue_attr_store,
25647 };
25648 diff -urNp linux-2.6.32.49/block/bsg.c linux-2.6.32.49/block/bsg.c
25649 --- linux-2.6.32.49/block/bsg.c 2011-11-08 19:02:43.000000000 -0500
25650 +++ linux-2.6.32.49/block/bsg.c 2011-11-15 19:59:43.000000000 -0500
25651 @@ -175,16 +175,24 @@ static int blk_fill_sgv4_hdr_rq(struct r
25652 struct sg_io_v4 *hdr, struct bsg_device *bd,
25653 fmode_t has_write_perm)
25654 {
25655 + unsigned char tmpcmd[sizeof(rq->__cmd)];
25656 + unsigned char *cmdptr;
25657 +
25658 if (hdr->request_len > BLK_MAX_CDB) {
25659 rq->cmd = kzalloc(hdr->request_len, GFP_KERNEL);
25660 if (!rq->cmd)
25661 return -ENOMEM;
25662 - }
25663 + cmdptr = rq->cmd;
25664 + } else
25665 + cmdptr = tmpcmd;
25666
25667 - if (copy_from_user(rq->cmd, (void *)(unsigned long)hdr->request,
25668 + if (copy_from_user(cmdptr, (void __user *)(unsigned long)hdr->request,
25669 hdr->request_len))
25670 return -EFAULT;
25671
25672 + if (cmdptr != rq->cmd)
25673 + memcpy(rq->cmd, cmdptr, hdr->request_len);
25674 +
25675 if (hdr->subprotocol == BSG_SUB_PROTOCOL_SCSI_CMD) {
25676 if (blk_verify_command(rq->cmd, has_write_perm))
25677 return -EPERM;
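Review bot: In the `else` branch up to `BLK_MAX_CDB` bytes are copied into `tmpcmd`, whose size is `sizeof(rq->__cmd)`, and nothing in the hunk ties the two sizes together. If either changed later, the `copy_from_user()` would become a stack overwrite. A compile-time check, `BUILD_BUG_ON(sizeof(tmpcmd) < BLK_MAX_CDB);`, pins the invariant at no runtime cost. The bounce buffer also deserves a one-line comment on why user data is not copied straight into `rq->cmd`, e.g. `/* stage the CDB on the stack, then memcpy into rq->cmd (presumably the embedded rq->__cmd here) */`. The function continues outside the hunk.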
25678 @@ -282,7 +290,7 @@ bsg_map_hdr(struct bsg_device *bd, struc
25679 rq->next_rq = next_rq;
25680 next_rq->cmd_type = rq->cmd_type;
25681
25682 - dxferp = (void*)(unsigned long)hdr->din_xferp;
25683 + dxferp = (void __user *)(unsigned long)hdr->din_xferp;
25684 ret = blk_rq_map_user(q, next_rq, NULL, dxferp,
25685 hdr->din_xfer_len, GFP_KERNEL);
25686 if (ret)
25687 @@ -291,10 +299,10 @@ bsg_map_hdr(struct bsg_device *bd, struc
25688
25689 if (hdr->dout_xfer_len) {
25690 dxfer_len = hdr->dout_xfer_len;
25691 - dxferp = (void*)(unsigned long)hdr->dout_xferp;
25692 + dxferp = (void __user *)(unsigned long)hdr->dout_xferp;
25693 } else if (hdr->din_xfer_len) {
25694 dxfer_len = hdr->din_xfer_len;
25695 - dxferp = (void*)(unsigned long)hdr->din_xferp;
25696 + dxferp = (void __user *)(unsigned long)hdr->din_xferp;
25697 } else
25698 dxfer_len = 0;
25699
25700 @@ -436,7 +444,7 @@ static int blk_complete_sgv4_hdr_rq(stru
25701 int len = min_t(unsigned int, hdr->max_response_len,
25702 rq->sense_len);
25703
25704 - ret = copy_to_user((void*)(unsigned long)hdr->response,
25705 + ret = copy_to_user((void __user *)(unsigned long)hdr->response,
25706 rq->sense, len);
25707 if (!ret)
25708 hdr->response_len = len;
25709 diff -urNp linux-2.6.32.49/block/compat_ioctl.c linux-2.6.32.49/block/compat_ioctl.c
25710 --- linux-2.6.32.49/block/compat_ioctl.c 2011-11-08 19:02:43.000000000 -0500
25711 +++ linux-2.6.32.49/block/compat_ioctl.c 2011-11-15 19:59:43.000000000 -0500
25712 @@ -354,7 +354,7 @@ static int compat_fd_ioctl(struct block_
25713 err |= __get_user(f->spec1, &uf->spec1);
25714 err |= __get_user(f->fmt_gap, &uf->fmt_gap);
25715 err |= __get_user(name, &uf->name);
25716 - f->name = compat_ptr(name);
25717 + f->name = (void __force_kernel *)compat_ptr(name);
25718 if (err) {
25719 err = -EFAULT;
25720 goto out;
25721 diff -urNp linux-2.6.32.49/block/elevator.c linux-2.6.32.49/block/elevator.c
25722 --- linux-2.6.32.49/block/elevator.c 2011-11-08 19:02:43.000000000 -0500
25723 +++ linux-2.6.32.49/block/elevator.c 2011-11-15 19:59:43.000000000 -0500
25724 @@ -889,7 +889,7 @@ elv_attr_store(struct kobject *kobj, str
25725 return error;
25726 }
25727
25728 -static struct sysfs_ops elv_sysfs_ops = {
25729 +static const struct sysfs_ops elv_sysfs_ops = {
25730 .show = elv_attr_show,
25731 .store = elv_attr_store,
25732 };
25733 diff -urNp linux-2.6.32.49/block/scsi_ioctl.c linux-2.6.32.49/block/scsi_ioctl.c
25734 --- linux-2.6.32.49/block/scsi_ioctl.c 2011-11-08 19:02:43.000000000 -0500
25735 +++ linux-2.6.32.49/block/scsi_ioctl.c 2011-11-15 19:59:43.000000000 -0500
25736 @@ -220,8 +220,20 @@ EXPORT_SYMBOL(blk_verify_command);
25737 static int blk_fill_sghdr_rq(struct request_queue *q, struct request *rq,
25738 struct sg_io_hdr *hdr, fmode_t mode)
25739 {
25740 - if (copy_from_user(rq->cmd, hdr->cmdp, hdr->cmd_len))
25741 + unsigned char tmpcmd[sizeof(rq->__cmd)];
25742 + unsigned char *cmdptr;
25743 +
25744 + if (rq->cmd != rq->__cmd)
25745 + cmdptr = rq->cmd;
25746 + else
25747 + cmdptr = tmpcmd;
25748 +
25749 + if (copy_from_user(cmdptr, hdr->cmdp, hdr->cmd_len))
25750 return -EFAULT;
25751 +
25752 + if (cmdptr != rq->cmd)
25753 + memcpy(rq->cmd, cmdptr, hdr->cmd_len);
25754 +
25755 if (blk_verify_command(rq->cmd, mode & FMODE_WRITE))
25756 return -EPERM;
25757
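Review bot: `copy_from_user(cmdptr, hdr->cmdp, hdr->cmd_len)` can now target the on-stack `tmpcmd`, and this hunk contains no check that `hdr->cmd_len` fits in it. The bound presumably lives in the caller, outside the hunk. Because the destination is a stack array, a local limit is cheap: `if (cmdptr == tmpcmd && hdr->cmd_len > sizeof(tmpcmd)) return -EINVAL;` placed before the copy. The sg_scsi_ioctl hunk further down uses the same pattern with `cmdlen` and would take the same guard. The function continues outside the hunk.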
25758 @@ -430,6 +442,8 @@ int sg_scsi_ioctl(struct request_queue *
25759 int err;
25760 unsigned int in_len, out_len, bytes, opcode, cmdlen;
25761 char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];
25762 + unsigned char tmpcmd[sizeof(rq->__cmd)];
25763 + unsigned char *cmdptr;
25764
25765 if (!sic)
25766 return -EINVAL;
25767 @@ -463,9 +477,18 @@ int sg_scsi_ioctl(struct request_queue *
25768 */
25769 err = -EFAULT;
25770 rq->cmd_len = cmdlen;
25771 - if (copy_from_user(rq->cmd, sic->data, cmdlen))
25772 +
25773 + if (rq->cmd != rq->__cmd)
25774 + cmdptr = rq->cmd;
25775 + else
25776 + cmdptr = tmpcmd;
25777 +
25778 + if (copy_from_user(cmdptr, sic->data, cmdlen))
25779 goto error;
25780
25781 + if (rq->cmd != cmdptr)
25782 + memcpy(rq->cmd, cmdptr, cmdlen);
25783 +
25784 if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
25785 goto error;
25786
25787 diff -urNp linux-2.6.32.49/crypto/cryptd.c linux-2.6.32.49/crypto/cryptd.c
25788 --- linux-2.6.32.49/crypto/cryptd.c 2011-11-08 19:02:43.000000000 -0500
25789 +++ linux-2.6.32.49/crypto/cryptd.c 2011-11-15 19:59:43.000000000 -0500
25790 @@ -50,7 +50,7 @@ struct cryptd_blkcipher_ctx {
25791
25792 struct cryptd_blkcipher_request_ctx {
25793 crypto_completion_t complete;
25794 -};
25795 +} __no_const;
25796
25797 struct cryptd_hash_ctx {
25798 struct crypto_shash *child;
25799 diff -urNp linux-2.6.32.49/crypto/gf128mul.c linux-2.6.32.49/crypto/gf128mul.c
25800 --- linux-2.6.32.49/crypto/gf128mul.c 2011-11-08 19:02:43.000000000 -0500
25801 +++ linux-2.6.32.49/crypto/gf128mul.c 2011-11-15 19:59:43.000000000 -0500
25802 @@ -182,7 +182,7 @@ void gf128mul_lle(be128 *r, const be128
25803 for (i = 0; i < 7; ++i)
25804 gf128mul_x_lle(&p[i + 1], &p[i]);
25805
25806 - memset(r, 0, sizeof(r));
25807 + memset(r, 0, sizeof(*r));
25808 for (i = 0;;) {
25809 u8 ch = ((u8 *)b)[15 - i];
25810
25811 @@ -220,7 +220,7 @@ void gf128mul_bbe(be128 *r, const be128
25812 for (i = 0; i < 7; ++i)
25813 gf128mul_x_bbe(&p[i + 1], &p[i]);
25814
25815 - memset(r, 0, sizeof(r));
25816 + memset(r, 0, sizeof(*r));
25817 for (i = 0;;) {
25818 u8 ch = ((u8 *)b)[i];
25819
25820 diff -urNp linux-2.6.32.49/crypto/serpent.c linux-2.6.32.49/crypto/serpent.c
25821 --- linux-2.6.32.49/crypto/serpent.c 2011-11-08 19:02:43.000000000 -0500
25822 +++ linux-2.6.32.49/crypto/serpent.c 2011-11-15 19:59:43.000000000 -0500
25823 @@ -21,6 +21,7 @@
25824 #include <asm/byteorder.h>
25825 #include <linux/crypto.h>
25826 #include <linux/types.h>
25827 +#include <linux/sched.h>
25828
25829 /* Key is padded to the maximum of 256 bits before round key generation.
25830 * Any key length <= 256 bits (32 bytes) is allowed by the algorithm.
25831 @@ -224,6 +225,8 @@ static int serpent_setkey(struct crypto_
25832 u32 r0,r1,r2,r3,r4;
25833 int i;
25834
25835 + pax_track_stack();
25836 +
25837 /* Copy key, add padding */
25838
25839 for (i = 0; i < keylen; ++i)
25840 diff -urNp linux-2.6.32.49/Documentation/dontdiff linux-2.6.32.49/Documentation/dontdiff
25841 --- linux-2.6.32.49/Documentation/dontdiff 2011-11-08 19:02:43.000000000 -0500
25842 +++ linux-2.6.32.49/Documentation/dontdiff 2011-11-18 18:01:52.000000000 -0500
25843 @@ -1,13 +1,16 @@
25844 *.a
25845 *.aux
25846 *.bin
25847 +*.cis
25848 *.cpio
25849 *.csp
25850 +*.dbg
25851 *.dsp
25852 *.dvi
25853 *.elf
25854 *.eps
25855 *.fw
25856 +*.gcno
25857 *.gen.S
25858 *.gif
25859 *.grep
25860 @@ -38,8 +41,10 @@
25861 *.tab.h
25862 *.tex
25863 *.ver
25864 +*.vim
25865 *.xml
25866 *_MODULES
25867 +*_reg_safe.h
25868 *_vga16.c
25869 *~
25870 *.9
25871 @@ -49,11 +54,16 @@
25872 53c700_d.h
25873 CVS
25874 ChangeSet
25875 +GPATH
25876 +GRTAGS
25877 +GSYMS
25878 +GTAGS
25879 Image
25880 Kerntypes
25881 Module.markers
25882 Module.symvers
25883 PENDING
25884 +PERF*
25885 SCCS
25886 System.map*
25887 TAGS
25888 @@ -76,7 +86,11 @@ btfixupprep
25889 build
25890 bvmlinux
25891 bzImage*
25892 +capability_names.h
25893 +capflags.c
25894 classlist.h*
25895 +clut_vga16.c
25896 +common-cmds.h
25897 comp*.log
25898 compile.h*
25899 conf
25900 @@ -84,6 +98,8 @@ config
25901 config-*
25902 config_data.h*
25903 config_data.gz*
25904 +config.c
25905 +config.tmp
25906 conmakehash
25907 consolemap_deftbl.c*
25908 cpustr.h
25909 @@ -97,19 +113,22 @@ elfconfig.h*
25910 fixdep
25911 fore200e_mkfirm
25912 fore200e_pca_fw.c*
25913 +gate.lds
25914 gconf
25915 gen-devlist
25916 gen_crc32table
25917 gen_init_cpio
25918 genksyms
25919 *_gray256.c
25920 +hash
25921 ihex2fw
25922 ikconfig.h*
25923 initramfs_data.cpio
25924 +initramfs_data.cpio.bz2
25925 initramfs_data.cpio.gz
25926 initramfs_list
25927 kallsyms
25928 -kconfig
25929 +kern_constants.h
25930 keywords.c
25931 ksym.c*
25932 ksym.h*
25933 @@ -133,7 +152,9 @@ mkboot
25934 mkbugboot
25935 mkcpustr
25936 mkdep
25937 +mkpiggy
25938 mkprep
25939 +mkregtable
25940 mktables
25941 mktree
25942 modpost
25943 @@ -149,6 +170,7 @@ patches*
25944 pca200e.bin
25945 pca200e_ecd.bin2
25946 piggy.gz
25947 +piggy.S
25948 piggyback
25949 pnmtologo
25950 ppc_defs.h*
25951 @@ -157,12 +179,15 @@ qconf
25952 raid6altivec*.c
25953 raid6int*.c
25954 raid6tables.c
25955 +regdb.c
25956 relocs
25957 +rlim_names.h
25958 series
25959 setup
25960 setup.bin
25961 setup.elf
25962 sImage
25963 +slabinfo
25964 sm_tbl*
25965 split-include
25966 syscalltab.h
25967 @@ -171,6 +196,7 @@ tftpboot.img
25968 timeconst.h
25969 times.h*
25970 trix_boot.h
25971 +user_constants.h
25972 utsrelease.h*
25973 vdso-syms.lds
25974 vdso.lds
25975 @@ -186,14 +212,20 @@ version.h*
25976 vmlinux
25977 vmlinux-*
25978 vmlinux.aout
25979 +vmlinux.bin.all
25980 +vmlinux.bin.bz2
25981 vmlinux.lds
25982 +vmlinux.relocs
25983 +voffset.h
25984 vsyscall.lds
25985 vsyscall_32.lds
25986 wanxlfw.inc
25987 uImage
25988 unifdef
25989 +utsrelease.h
25990 wakeup.bin
25991 wakeup.elf
25992 wakeup.lds
25993 zImage*
25994 zconf.hash.c
25995 +zoffset.h
25996 diff -urNp linux-2.6.32.49/Documentation/kernel-parameters.txt linux-2.6.32.49/Documentation/kernel-parameters.txt
25997 --- linux-2.6.32.49/Documentation/kernel-parameters.txt 2011-11-08 19:02:43.000000000 -0500
25998 +++ linux-2.6.32.49/Documentation/kernel-parameters.txt 2011-11-15 19:59:43.000000000 -0500
25999 @@ -1837,6 +1837,13 @@ and is between 256 and 4096 characters.
26000 the specified number of seconds. This is to be used if
26001 your oopses keep scrolling off the screen.
26002
26003 + pax_nouderef [X86] disables UDEREF. Most likely needed under certain
26004 + virtualization environments that don't cope well with the
26005 + expand down segment used by UDEREF on X86-32 or the frequent
26006 + page table updates on X86-64.
26007 +
26008 + pax_softmode= 0/1 to disable/enable PaX softmode on boot already.
26009 +
26010 pcbit= [HW,ISDN]
26011
26012 pcd. [PARIDE]
26013 diff -urNp linux-2.6.32.49/drivers/acpi/acpi_pad.c linux-2.6.32.49/drivers/acpi/acpi_pad.c
26014 --- linux-2.6.32.49/drivers/acpi/acpi_pad.c 2011-11-08 19:02:43.000000000 -0500
26015 +++ linux-2.6.32.49/drivers/acpi/acpi_pad.c 2011-11-15 19:59:43.000000000 -0500
26016 @@ -30,7 +30,7 @@
26017 #include <acpi/acpi_bus.h>
26018 #include <acpi/acpi_drivers.h>
26019
26020 -#define ACPI_PROCESSOR_AGGREGATOR_CLASS "processor_aggregator"
26021 +#define ACPI_PROCESSOR_AGGREGATOR_CLASS "acpi_pad"
26022 #define ACPI_PROCESSOR_AGGREGATOR_DEVICE_NAME "Processor Aggregator"
26023 #define ACPI_PROCESSOR_AGGREGATOR_NOTIFY 0x80
26024 static DEFINE_MUTEX(isolated_cpus_lock);
26025 diff -urNp linux-2.6.32.49/drivers/acpi/battery.c linux-2.6.32.49/drivers/acpi/battery.c
26026 --- linux-2.6.32.49/drivers/acpi/battery.c 2011-11-08 19:02:43.000000000 -0500
26027 +++ linux-2.6.32.49/drivers/acpi/battery.c 2011-11-15 19:59:43.000000000 -0500
26028 @@ -763,7 +763,7 @@ DECLARE_FILE_FUNCTIONS(alarm);
26029 }
26030
26031 static struct battery_file {
26032 - struct file_operations ops;
26033 + const struct file_operations ops;
26034 mode_t mode;
26035 const char *name;
26036 } acpi_battery_file[] = {
26037 diff -urNp linux-2.6.32.49/drivers/acpi/dock.c linux-2.6.32.49/drivers/acpi/dock.c
26038 --- linux-2.6.32.49/drivers/acpi/dock.c 2011-11-08 19:02:43.000000000 -0500
26039 +++ linux-2.6.32.49/drivers/acpi/dock.c 2011-11-15 19:59:43.000000000 -0500
26040 @@ -77,7 +77,7 @@ struct dock_dependent_device {
26041 struct list_head list;
26042 struct list_head hotplug_list;
26043 acpi_handle handle;
26044 - struct acpi_dock_ops *ops;
26045 + const struct acpi_dock_ops *ops;
26046 void *context;
26047 };
26048
26049 @@ -605,7 +605,7 @@ EXPORT_SYMBOL_GPL(unregister_dock_notifi
26050 * the dock driver after _DCK is executed.
26051 */
26052 int
26053 -register_hotplug_dock_device(acpi_handle handle, struct acpi_dock_ops *ops,
26054 +register_hotplug_dock_device(acpi_handle handle, const struct acpi_dock_ops *ops,
26055 void *context)
26056 {
26057 struct dock_dependent_device *dd;
26058 diff -urNp linux-2.6.32.49/drivers/acpi/osl.c linux-2.6.32.49/drivers/acpi/osl.c
26059 --- linux-2.6.32.49/drivers/acpi/osl.c 2011-11-08 19:02:43.000000000 -0500
26060 +++ linux-2.6.32.49/drivers/acpi/osl.c 2011-11-15 19:59:43.000000000 -0500
26061 @@ -523,6 +523,8 @@ acpi_os_read_memory(acpi_physical_addres
26062 void __iomem *virt_addr;
26063
26064 virt_addr = ioremap(phys_addr, width);
26065 + if (!virt_addr)
26066 + return AE_NO_MEMORY;
26067 if (!value)
26068 value = &dummy;
26069
26070 @@ -551,6 +553,8 @@ acpi_os_write_memory(acpi_physical_addre
26071 void __iomem *virt_addr;
26072
26073 virt_addr = ioremap(phys_addr, width);
26074 + if (!virt_addr)
26075 + return AE_NO_MEMORY;
26076
26077 switch (width) {
26078 case 8:
26079 diff -urNp linux-2.6.32.49/drivers/acpi/power_meter.c linux-2.6.32.49/drivers/acpi/power_meter.c
26080 --- linux-2.6.32.49/drivers/acpi/power_meter.c 2011-11-08 19:02:43.000000000 -0500
26081 +++ linux-2.6.32.49/drivers/acpi/power_meter.c 2011-11-15 19:59:43.000000000 -0500
26082 @@ -315,8 +315,6 @@ static ssize_t set_trip(struct device *d
26083 return res;
26084
26085 temp /= 1000;
26086 - if (temp < 0)
26087 - return -EINVAL;
26088
26089 mutex_lock(&resource->lock);
26090 resource->trip[attr->index - 7] = temp;
26091 diff -urNp linux-2.6.32.49/drivers/acpi/proc.c linux-2.6.32.49/drivers/acpi/proc.c
26092 --- linux-2.6.32.49/drivers/acpi/proc.c 2011-11-08 19:02:43.000000000 -0500
26093 +++ linux-2.6.32.49/drivers/acpi/proc.c 2011-11-15 19:59:43.000000000 -0500
26094 @@ -391,20 +391,15 @@ acpi_system_write_wakeup_device(struct f
26095 size_t count, loff_t * ppos)
26096 {
26097 struct list_head *node, *next;
26098 - char strbuf[5];
26099 - char str[5] = "";
26100 - unsigned int len = count;
26101 + char strbuf[5] = {0};
26102 struct acpi_device *found_dev = NULL;
26103
26104 - if (len > 4)
26105 - len = 4;
26106 - if (len < 0)
26107 - return -EFAULT;
26108 + if (count > 4)
26109 + count = 4;
26110
26111 - if (copy_from_user(strbuf, buffer, len))
26112 + if (copy_from_user(strbuf, buffer, count))
26113 return -EFAULT;
26114 - strbuf[len] = '\0';
26115 - sscanf(strbuf, "%s", str);
26116 + strbuf[count] = '\0';
26117
26118 mutex_lock(&acpi_device_lock);
26119 list_for_each_safe(node, next, &acpi_wakeup_device_list) {
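Review bot: Dropping `sscanf(strbuf, "%s", str)` removes the whitespace trimming, so the `strncmp(dev->pnp.bus_id, strbuf, 4)` in the next hunk now compares against the raw user bytes. A three-character name followed by a newline, which is what `echo` writes, no longer matches because the fourth byte is '\n' rather than '\0'. Cutting the buffer at the first whitespace once the terminator is set restores the old matching for trailing whitespace, e.g. `strbuf[strcspn(strbuf, " \t\n")] = '\0';`. Four-character names are unaffected since `count` is clamped to 4. The function continues outside the hunk.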
26120 @@ -413,7 +408,7 @@ acpi_system_write_wakeup_device(struct f
26121 if (!dev->wakeup.flags.valid)
26122 continue;
26123
26124 - if (!strncmp(dev->pnp.bus_id, str, 4)) {
26125 + if (!strncmp(dev->pnp.bus_id, strbuf, 4)) {
26126 dev->wakeup.state.enabled =
26127 dev->wakeup.state.enabled ? 0 : 1;
26128 found_dev = dev;
26129 diff -urNp linux-2.6.32.49/drivers/acpi/processor_core.c linux-2.6.32.49/drivers/acpi/processor_core.c
26130 --- linux-2.6.32.49/drivers/acpi/processor_core.c 2011-11-08 19:02:43.000000000 -0500
26131 +++ linux-2.6.32.49/drivers/acpi/processor_core.c 2011-11-15 19:59:43.000000000 -0500
26132 @@ -790,7 +790,7 @@ static int __cpuinit acpi_processor_add(
26133 return 0;
26134 }
26135
26136 - BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
26137 + BUG_ON(pr->id >= nr_cpu_ids);
26138
26139 /*
26140 * Buggy BIOS check
26141 diff -urNp linux-2.6.32.49/drivers/acpi/sbshc.c linux-2.6.32.49/drivers/acpi/sbshc.c
26142 --- linux-2.6.32.49/drivers/acpi/sbshc.c 2011-11-08 19:02:43.000000000 -0500
26143 +++ linux-2.6.32.49/drivers/acpi/sbshc.c 2011-11-15 19:59:43.000000000 -0500
26144 @@ -17,7 +17,7 @@
26145
26146 #define PREFIX "ACPI: "
26147
26148 -#define ACPI_SMB_HC_CLASS "smbus_host_controller"
26149 +#define ACPI_SMB_HC_CLASS "smbus_host_ctl"
26150 #define ACPI_SMB_HC_DEVICE_NAME "ACPI SMBus HC"
26151
26152 struct acpi_smb_hc {
26153 diff -urNp linux-2.6.32.49/drivers/acpi/sleep.c linux-2.6.32.49/drivers/acpi/sleep.c
26154 --- linux-2.6.32.49/drivers/acpi/sleep.c 2011-11-08 19:02:43.000000000 -0500
26155 +++ linux-2.6.32.49/drivers/acpi/sleep.c 2011-11-15 19:59:43.000000000 -0500
26156 @@ -283,7 +283,7 @@ static int acpi_suspend_state_valid(susp
26157 }
26158 }
26159
26160 -static struct platform_suspend_ops acpi_suspend_ops = {
26161 +static const struct platform_suspend_ops acpi_suspend_ops = {
26162 .valid = acpi_suspend_state_valid,
26163 .begin = acpi_suspend_begin,
26164 .prepare_late = acpi_pm_prepare,
26165 @@ -311,7 +311,7 @@ static int acpi_suspend_begin_old(suspen
26166 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
26167 * been requested.
26168 */
26169 -static struct platform_suspend_ops acpi_suspend_ops_old = {
26170 +static const struct platform_suspend_ops acpi_suspend_ops_old = {
26171 .valid = acpi_suspend_state_valid,
26172 .begin = acpi_suspend_begin_old,
26173 .prepare_late = acpi_pm_disable_gpes,
26174 @@ -460,7 +460,7 @@ static void acpi_pm_enable_gpes(void)
26175 acpi_enable_all_runtime_gpes();
26176 }
26177
26178 -static struct platform_hibernation_ops acpi_hibernation_ops = {
26179 +static const struct platform_hibernation_ops acpi_hibernation_ops = {
26180 .begin = acpi_hibernation_begin,
26181 .end = acpi_pm_end,
26182 .pre_snapshot = acpi_hibernation_pre_snapshot,
26183 @@ -513,7 +513,7 @@ static int acpi_hibernation_pre_snapshot
26184 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
26185 * been requested.
26186 */
26187 -static struct platform_hibernation_ops acpi_hibernation_ops_old = {
26188 +static const struct platform_hibernation_ops acpi_hibernation_ops_old = {
26189 .begin = acpi_hibernation_begin_old,
26190 .end = acpi_pm_end,
26191 .pre_snapshot = acpi_hibernation_pre_snapshot_old,
26192 diff -urNp linux-2.6.32.49/drivers/acpi/video.c linux-2.6.32.49/drivers/acpi/video.c
26193 --- linux-2.6.32.49/drivers/acpi/video.c 2011-11-08 19:02:43.000000000 -0500
26194 +++ linux-2.6.32.49/drivers/acpi/video.c 2011-11-15 19:59:43.000000000 -0500
26195 @@ -359,7 +359,7 @@ static int acpi_video_set_brightness(str
26196 vd->brightness->levels[request_level]);
26197 }
26198
26199 -static struct backlight_ops acpi_backlight_ops = {
26200 +static const struct backlight_ops acpi_backlight_ops = {
26201 .get_brightness = acpi_video_get_brightness,
26202 .update_status = acpi_video_set_brightness,
26203 };
26204 diff -urNp linux-2.6.32.49/drivers/ata/ahci.c linux-2.6.32.49/drivers/ata/ahci.c
26205 --- linux-2.6.32.49/drivers/ata/ahci.c 2011-11-08 19:02:43.000000000 -0500
26206 +++ linux-2.6.32.49/drivers/ata/ahci.c 2011-11-15 19:59:43.000000000 -0500
26207 @@ -387,7 +387,7 @@ static struct scsi_host_template ahci_sh
26208 .sdev_attrs = ahci_sdev_attrs,
26209 };
26210
26211 -static struct ata_port_operations ahci_ops = {
26212 +static const struct ata_port_operations ahci_ops = {
26213 .inherits = &sata_pmp_port_ops,
26214
26215 .qc_defer = sata_pmp_qc_defer_cmd_switch,
26216 @@ -424,17 +424,17 @@ static struct ata_port_operations ahci_o
26217 .port_stop = ahci_port_stop,
26218 };
26219
26220 -static struct ata_port_operations ahci_vt8251_ops = {
26221 +static const struct ata_port_operations ahci_vt8251_ops = {
26222 .inherits = &ahci_ops,
26223 .hardreset = ahci_vt8251_hardreset,
26224 };
26225
26226 -static struct ata_port_operations ahci_p5wdh_ops = {
26227 +static const struct ata_port_operations ahci_p5wdh_ops = {
26228 .inherits = &ahci_ops,
26229 .hardreset = ahci_p5wdh_hardreset,
26230 };
26231
26232 -static struct ata_port_operations ahci_sb600_ops = {
26233 +static const struct ata_port_operations ahci_sb600_ops = {
26234 .inherits = &ahci_ops,
26235 .softreset = ahci_sb600_softreset,
26236 .pmp_softreset = ahci_sb600_softreset,
26237 diff -urNp linux-2.6.32.49/drivers/ata/ata_generic.c linux-2.6.32.49/drivers/ata/ata_generic.c
26238 --- linux-2.6.32.49/drivers/ata/ata_generic.c 2011-11-08 19:02:43.000000000 -0500
26239 +++ linux-2.6.32.49/drivers/ata/ata_generic.c 2011-11-15 19:59:43.000000000 -0500
26240 @@ -104,7 +104,7 @@ static struct scsi_host_template generic
26241 ATA_BMDMA_SHT(DRV_NAME),
26242 };
26243
26244 -static struct ata_port_operations generic_port_ops = {
26245 +static const struct ata_port_operations generic_port_ops = {
26246 .inherits = &ata_bmdma_port_ops,
26247 .cable_detect = ata_cable_unknown,
26248 .set_mode = generic_set_mode,
26249 diff -urNp linux-2.6.32.49/drivers/ata/ata_piix.c linux-2.6.32.49/drivers/ata/ata_piix.c
26250 --- linux-2.6.32.49/drivers/ata/ata_piix.c 2011-11-08 19:02:43.000000000 -0500
26251 +++ linux-2.6.32.49/drivers/ata/ata_piix.c 2011-11-15 19:59:43.000000000 -0500
26252 @@ -318,7 +318,7 @@ static struct scsi_host_template piix_sh
26253 ATA_BMDMA_SHT(DRV_NAME),
26254 };
26255
26256 -static struct ata_port_operations piix_pata_ops = {
26257 +static const struct ata_port_operations piix_pata_ops = {
26258 .inherits = &ata_bmdma32_port_ops,
26259 .cable_detect = ata_cable_40wire,
26260 .set_piomode = piix_set_piomode,
26261 @@ -326,22 +326,22 @@ static struct ata_port_operations piix_p
26262 .prereset = piix_pata_prereset,
26263 };
26264
26265 -static struct ata_port_operations piix_vmw_ops = {
26266 +static const struct ata_port_operations piix_vmw_ops = {
26267 .inherits = &piix_pata_ops,
26268 .bmdma_status = piix_vmw_bmdma_status,
26269 };
26270
26271 -static struct ata_port_operations ich_pata_ops = {
26272 +static const struct ata_port_operations ich_pata_ops = {
26273 .inherits = &piix_pata_ops,
26274 .cable_detect = ich_pata_cable_detect,
26275 .set_dmamode = ich_set_dmamode,
26276 };
26277
26278 -static struct ata_port_operations piix_sata_ops = {
26279 +static const struct ata_port_operations piix_sata_ops = {
26280 .inherits = &ata_bmdma_port_ops,
26281 };
26282
26283 -static struct ata_port_operations piix_sidpr_sata_ops = {
26284 +static const struct ata_port_operations piix_sidpr_sata_ops = {
26285 .inherits = &piix_sata_ops,
26286 .hardreset = sata_std_hardreset,
26287 .scr_read = piix_sidpr_scr_read,
26288 diff -urNp linux-2.6.32.49/drivers/ata/libata-acpi.c linux-2.6.32.49/drivers/ata/libata-acpi.c
26289 --- linux-2.6.32.49/drivers/ata/libata-acpi.c 2011-11-08 19:02:43.000000000 -0500
26290 +++ linux-2.6.32.49/drivers/ata/libata-acpi.c 2011-11-15 19:59:43.000000000 -0500
26291 @@ -223,12 +223,12 @@ static void ata_acpi_dev_uevent(acpi_han
26292 ata_acpi_uevent(dev->link->ap, dev, event);
26293 }
26294
26295 -static struct acpi_dock_ops ata_acpi_dev_dock_ops = {
26296 +static const struct acpi_dock_ops ata_acpi_dev_dock_ops = {
26297 .handler = ata_acpi_dev_notify_dock,
26298 .uevent = ata_acpi_dev_uevent,
26299 };
26300
26301 -static struct acpi_dock_ops ata_acpi_ap_dock_ops = {
26302 +static const struct acpi_dock_ops ata_acpi_ap_dock_ops = {
26303 .handler = ata_acpi_ap_notify_dock,
26304 .uevent = ata_acpi_ap_uevent,
26305 };
26306 diff -urNp linux-2.6.32.49/drivers/ata/libata-core.c linux-2.6.32.49/drivers/ata/libata-core.c
26307 --- linux-2.6.32.49/drivers/ata/libata-core.c 2011-11-08 19:02:43.000000000 -0500
26308 +++ linux-2.6.32.49/drivers/ata/libata-core.c 2011-11-15 19:59:43.000000000 -0500
26309 @@ -4954,7 +4954,7 @@ void ata_qc_free(struct ata_queued_cmd *
26310 struct ata_port *ap;
26311 unsigned int tag;
26312
26313 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
26314 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
26315 ap = qc->ap;
26316
26317 qc->flags = 0;
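Review bot: `BUG_ON(qc == NULL)` turns a case that the retained comment still describes as possible ("ata_qc_from_tag _might_ return NULL") into a full kernel stop, and the comment no longer explains that choice. The old warning fell through to the `qc->ap` dereference on the next line, so stopping before it is defensible, but the trade against availability should be stated. I would reword the comment to something like `/* a NULL qc would be dereferenced below; stop here instead */`. The same applies to the identical change in the `__ata_qc_complete` hunk that follows. Both function bodies continue outside their hunks.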
26318 @@ -4970,7 +4970,7 @@ void __ata_qc_complete(struct ata_queued
26319 struct ata_port *ap;
26320 struct ata_link *link;
26321
26322 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
26323 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
26324 WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
26325 ap = qc->ap;
26326 link = qc->dev->link;
26327 @@ -5987,7 +5987,7 @@ static void ata_host_stop(struct device
26328 * LOCKING:
26329 * None.
26330 */
26331 -static void ata_finalize_port_ops(struct ata_port_operations *ops)
26332 +static void ata_finalize_port_ops(const struct ata_port_operations *ops)
26333 {
26334 static DEFINE_SPINLOCK(lock);
26335 const struct ata_port_operations *cur;
26336 @@ -5999,6 +5999,7 @@ static void ata_finalize_port_ops(struct
26337 return;
26338
26339 spin_lock(&lock);
26340 + pax_open_kernel();
26341
26342 for (cur = ops->inherits; cur; cur = cur->inherits) {
26343 void **inherit = (void **)cur;
26344 @@ -6012,8 +6013,9 @@ static void ata_finalize_port_ops(struct
26345 if (IS_ERR(*pp))
26346 *pp = NULL;
26347
26348 - ops->inherits = NULL;
26349 + *(struct ata_port_operations **)&ops->inherits = NULL;
26350
26351 + pax_close_kernel();
26352 spin_unlock(&lock);
26353 }
26354
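Review bot: The store `*(struct ata_port_operations **)&ops->inherits = NULL;` strips more qualification than it needs and has no comment saying why a const object is being written. `*(const struct ata_port_operations **)&ops->inherits = NULL;` removes only the qualifier on the field itself. The driver tables this patch marks `const` (ahci.c, ata_piix.c, the pata_*.c files) are still modified here at runtime, which appears to rely on the `pax_open_kernel()`/`pax_close_kernel()` pair added around the loop. A short comment should say that the tables are finalized in place, and that no return path may be added between the two calls. The loop body between the hunks is not visible, so the absence of an early exit inside the window should be confirmed.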
26355 @@ -6110,7 +6112,7 @@ int ata_host_start(struct ata_host *host
26356 */
26357 /* KILLME - the only user left is ipr */
26358 void ata_host_init(struct ata_host *host, struct device *dev,
26359 - unsigned long flags, struct ata_port_operations *ops)
26360 + unsigned long flags, const struct ata_port_operations *ops)
26361 {
26362 spin_lock_init(&host->lock);
26363 host->dev = dev;
26364 @@ -6773,7 +6775,7 @@ static void ata_dummy_error_handler(stru
26365 /* truly dummy */
26366 }
26367
26368 -struct ata_port_operations ata_dummy_port_ops = {
26369 +const struct ata_port_operations ata_dummy_port_ops = {
26370 .qc_prep = ata_noop_qc_prep,
26371 .qc_issue = ata_dummy_qc_issue,
26372 .error_handler = ata_dummy_error_handler,
26373 diff -urNp linux-2.6.32.49/drivers/ata/libata-eh.c linux-2.6.32.49/drivers/ata/libata-eh.c
26374 --- linux-2.6.32.49/drivers/ata/libata-eh.c 2011-11-08 19:02:43.000000000 -0500
26375 +++ linux-2.6.32.49/drivers/ata/libata-eh.c 2011-11-15 19:59:43.000000000 -0500
26376 @@ -2423,6 +2423,8 @@ void ata_eh_report(struct ata_port *ap)
26377 {
26378 struct ata_link *link;
26379
26380 + pax_track_stack();
26381 +
26382 ata_for_each_link(link, ap, HOST_FIRST)
26383 ata_eh_link_report(link);
26384 }
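Review bot: The added `pax_track_stack();` in `ata_eh_report` has no comment, and the only local visible in this function is a single pointer, so the reason for tracking stack depth here is not evident. Presumably the large frame belongs to `ata_eh_link_report`, which the compiler may inline into this caller, but that function is outside the hunk. A short note such as `/* ata_eh_link_report() may be inlined here and has a large frame */` would keep the call from being removed as dead weight later, if that is indeed the reason.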
26385 @@ -3594,7 +3596,7 @@ void ata_do_eh(struct ata_port *ap, ata_
26386 */
26387 void ata_std_error_handler(struct ata_port *ap)
26388 {
26389 - struct ata_port_operations *ops = ap->ops;
26390 + const struct ata_port_operations *ops = ap->ops;
26391 ata_reset_fn_t hardreset = ops->hardreset;
26392
26393 /* ignore built-in hardreset if SCR access is not available */
26394 diff -urNp linux-2.6.32.49/drivers/ata/libata-pmp.c linux-2.6.32.49/drivers/ata/libata-pmp.c
26395 --- linux-2.6.32.49/drivers/ata/libata-pmp.c 2011-11-08 19:02:43.000000000 -0500
26396 +++ linux-2.6.32.49/drivers/ata/libata-pmp.c 2011-11-15 19:59:43.000000000 -0500
26397 @@ -841,7 +841,7 @@ static int sata_pmp_handle_link_fail(str
26398 */
26399 static int sata_pmp_eh_recover(struct ata_port *ap)
26400 {
26401 - struct ata_port_operations *ops = ap->ops;
26402 + const struct ata_port_operations *ops = ap->ops;
26403 int pmp_tries, link_tries[SATA_PMP_MAX_PORTS];
26404 struct ata_link *pmp_link = &ap->link;
26405 struct ata_device *pmp_dev = pmp_link->device;
26406 diff -urNp linux-2.6.32.49/drivers/ata/pata_acpi.c linux-2.6.32.49/drivers/ata/pata_acpi.c
26407 --- linux-2.6.32.49/drivers/ata/pata_acpi.c 2011-11-08 19:02:43.000000000 -0500
26408 +++ linux-2.6.32.49/drivers/ata/pata_acpi.c 2011-11-15 19:59:43.000000000 -0500
26409 @@ -215,7 +215,7 @@ static struct scsi_host_template pacpi_s
26410 ATA_BMDMA_SHT(DRV_NAME),
26411 };
26412
26413 -static struct ata_port_operations pacpi_ops = {
26414 +static const struct ata_port_operations pacpi_ops = {
26415 .inherits = &ata_bmdma_port_ops,
26416 .qc_issue = pacpi_qc_issue,
26417 .cable_detect = pacpi_cable_detect,
26418 diff -urNp linux-2.6.32.49/drivers/ata/pata_ali.c linux-2.6.32.49/drivers/ata/pata_ali.c
26419 --- linux-2.6.32.49/drivers/ata/pata_ali.c 2011-11-08 19:02:43.000000000 -0500
26420 +++ linux-2.6.32.49/drivers/ata/pata_ali.c 2011-11-15 19:59:43.000000000 -0500
26421 @@ -365,7 +365,7 @@ static struct scsi_host_template ali_sht
26422 * Port operations for PIO only ALi
26423 */
26424
26425 -static struct ata_port_operations ali_early_port_ops = {
26426 +static const struct ata_port_operations ali_early_port_ops = {
26427 .inherits = &ata_sff_port_ops,
26428 .cable_detect = ata_cable_40wire,
26429 .set_piomode = ali_set_piomode,
26430 @@ -382,7 +382,7 @@ static const struct ata_port_operations
26431 * Port operations for DMA capable ALi without cable
26432 * detect
26433 */
26434 -static struct ata_port_operations ali_20_port_ops = {
26435 +static const struct ata_port_operations ali_20_port_ops = {
26436 .inherits = &ali_dma_base_ops,
26437 .cable_detect = ata_cable_40wire,
26438 .mode_filter = ali_20_filter,
26439 @@ -393,7 +393,7 @@ static struct ata_port_operations ali_20
26440 /*
26441 * Port operations for DMA capable ALi with cable detect
26442 */
26443 -static struct ata_port_operations ali_c2_port_ops = {
26444 +static const struct ata_port_operations ali_c2_port_ops = {
26445 .inherits = &ali_dma_base_ops,
26446 .check_atapi_dma = ali_check_atapi_dma,
26447 .cable_detect = ali_c2_cable_detect,
26448 @@ -404,7 +404,7 @@ static struct ata_port_operations ali_c2
26449 /*
26450 * Port operations for DMA capable ALi with cable detect
26451 */
26452 -static struct ata_port_operations ali_c4_port_ops = {
26453 +static const struct ata_port_operations ali_c4_port_ops = {
26454 .inherits = &ali_dma_base_ops,
26455 .check_atapi_dma = ali_check_atapi_dma,
26456 .cable_detect = ali_c2_cable_detect,
26457 @@ -414,7 +414,7 @@ static struct ata_port_operations ali_c4
26458 /*
26459 * Port operations for DMA capable ALi with cable detect and LBA48
26460 */
26461 -static struct ata_port_operations ali_c5_port_ops = {
26462 +static const struct ata_port_operations ali_c5_port_ops = {
26463 .inherits = &ali_dma_base_ops,
26464 .check_atapi_dma = ali_check_atapi_dma,
26465 .dev_config = ali_warn_atapi_dma,
26466 diff -urNp linux-2.6.32.49/drivers/ata/pata_amd.c linux-2.6.32.49/drivers/ata/pata_amd.c
26467 --- linux-2.6.32.49/drivers/ata/pata_amd.c 2011-11-08 19:02:43.000000000 -0500
26468 +++ linux-2.6.32.49/drivers/ata/pata_amd.c 2011-11-15 19:59:43.000000000 -0500
26469 @@ -397,28 +397,28 @@ static const struct ata_port_operations
26470 .prereset = amd_pre_reset,
26471 };
26472
26473 -static struct ata_port_operations amd33_port_ops = {
26474 +static const struct ata_port_operations amd33_port_ops = {
26475 .inherits = &amd_base_port_ops,
26476 .cable_detect = ata_cable_40wire,
26477 .set_piomode = amd33_set_piomode,
26478 .set_dmamode = amd33_set_dmamode,
26479 };
26480
26481 -static struct ata_port_operations amd66_port_ops = {
26482 +static const struct ata_port_operations amd66_port_ops = {
26483 .inherits = &amd_base_port_ops,
26484 .cable_detect = ata_cable_unknown,
26485 .set_piomode = amd66_set_piomode,
26486 .set_dmamode = amd66_set_dmamode,
26487 };
26488
26489 -static struct ata_port_operations amd100_port_ops = {
26490 +static const struct ata_port_operations amd100_port_ops = {
26491 .inherits = &amd_base_port_ops,
26492 .cable_detect = ata_cable_unknown,
26493 .set_piomode = amd100_set_piomode,
26494 .set_dmamode = amd100_set_dmamode,
26495 };
26496
26497 -static struct ata_port_operations amd133_port_ops = {
26498 +static const struct ata_port_operations amd133_port_ops = {
26499 .inherits = &amd_base_port_ops,
26500 .cable_detect = amd_cable_detect,
26501 .set_piomode = amd133_set_piomode,
26502 @@ -433,13 +433,13 @@ static const struct ata_port_operations
26503 .host_stop = nv_host_stop,
26504 };
26505
26506 -static struct ata_port_operations nv100_port_ops = {
26507 +static const struct ata_port_operations nv100_port_ops = {
26508 .inherits = &nv_base_port_ops,
26509 .set_piomode = nv100_set_piomode,
26510 .set_dmamode = nv100_set_dmamode,
26511 };
26512
26513 -static struct ata_port_operations nv133_port_ops = {
26514 +static const struct ata_port_operations nv133_port_ops = {
26515 .inherits = &nv_base_port_ops,
26516 .set_piomode = nv133_set_piomode,
26517 .set_dmamode = nv133_set_dmamode,
26518 diff -urNp linux-2.6.32.49/drivers/ata/pata_artop.c linux-2.6.32.49/drivers/ata/pata_artop.c
26519 --- linux-2.6.32.49/drivers/ata/pata_artop.c 2011-11-08 19:02:43.000000000 -0500
26520 +++ linux-2.6.32.49/drivers/ata/pata_artop.c 2011-11-15 19:59:43.000000000 -0500
26521 @@ -311,7 +311,7 @@ static struct scsi_host_template artop_s
26522 ATA_BMDMA_SHT(DRV_NAME),
26523 };
26524
26525 -static struct ata_port_operations artop6210_ops = {
26526 +static const struct ata_port_operations artop6210_ops = {
26527 .inherits = &ata_bmdma_port_ops,
26528 .cable_detect = ata_cable_40wire,
26529 .set_piomode = artop6210_set_piomode,
26530 @@ -320,7 +320,7 @@ static struct ata_port_operations artop6
26531 .qc_defer = artop6210_qc_defer,
26532 };
26533
26534 -static struct ata_port_operations artop6260_ops = {
26535 +static const struct ata_port_operations artop6260_ops = {
26536 .inherits = &ata_bmdma_port_ops,
26537 .cable_detect = artop6260_cable_detect,
26538 .set_piomode = artop6260_set_piomode,
26539 diff -urNp linux-2.6.32.49/drivers/ata/pata_at32.c linux-2.6.32.49/drivers/ata/pata_at32.c
26540 --- linux-2.6.32.49/drivers/ata/pata_at32.c 2011-11-08 19:02:43.000000000 -0500
26541 +++ linux-2.6.32.49/drivers/ata/pata_at32.c 2011-11-15 19:59:43.000000000 -0500
26542 @@ -172,7 +172,7 @@ static struct scsi_host_template at32_sh
26543 ATA_PIO_SHT(DRV_NAME),
26544 };
26545
26546 -static struct ata_port_operations at32_port_ops = {
26547 +static const struct ata_port_operations at32_port_ops = {
26548 .inherits = &ata_sff_port_ops,
26549 .cable_detect = ata_cable_40wire,
26550 .set_piomode = pata_at32_set_piomode,
26551 diff -urNp linux-2.6.32.49/drivers/ata/pata_at91.c linux-2.6.32.49/drivers/ata/pata_at91.c
26552 --- linux-2.6.32.49/drivers/ata/pata_at91.c 2011-11-08 19:02:43.000000000 -0500
26553 +++ linux-2.6.32.49/drivers/ata/pata_at91.c 2011-11-15 19:59:43.000000000 -0500
26554 @@ -195,7 +195,7 @@ static struct scsi_host_template pata_at
26555 ATA_PIO_SHT(DRV_NAME),
26556 };
26557
26558 -static struct ata_port_operations pata_at91_port_ops = {
26559 +static const struct ata_port_operations pata_at91_port_ops = {
26560 .inherits = &ata_sff_port_ops,
26561
26562 .sff_data_xfer = pata_at91_data_xfer_noirq,
26563 diff -urNp linux-2.6.32.49/drivers/ata/pata_atiixp.c linux-2.6.32.49/drivers/ata/pata_atiixp.c
26564 --- linux-2.6.32.49/drivers/ata/pata_atiixp.c 2011-11-08 19:02:43.000000000 -0500
26565 +++ linux-2.6.32.49/drivers/ata/pata_atiixp.c 2011-11-15 19:59:43.000000000 -0500
26566 @@ -205,7 +205,7 @@ static struct scsi_host_template atiixp_
26567 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
26568 };
26569
26570 -static struct ata_port_operations atiixp_port_ops = {
26571 +static const struct ata_port_operations atiixp_port_ops = {
26572 .inherits = &ata_bmdma_port_ops,
26573
26574 .qc_prep = ata_sff_dumb_qc_prep,
26575 diff -urNp linux-2.6.32.49/drivers/ata/pata_atp867x.c linux-2.6.32.49/drivers/ata/pata_atp867x.c
26576 --- linux-2.6.32.49/drivers/ata/pata_atp867x.c 2011-11-08 19:02:43.000000000 -0500
26577 +++ linux-2.6.32.49/drivers/ata/pata_atp867x.c 2011-11-15 19:59:43.000000000 -0500
26578 @@ -274,7 +274,7 @@ static struct scsi_host_template atp867x
26579 ATA_BMDMA_SHT(DRV_NAME),
26580 };
26581
26582 -static struct ata_port_operations atp867x_ops = {
26583 +static const struct ata_port_operations atp867x_ops = {
26584 .inherits = &ata_bmdma_port_ops,
26585 .cable_detect = atp867x_cable_detect,
26586 .set_piomode = atp867x_set_piomode,
26587 diff -urNp linux-2.6.32.49/drivers/ata/pata_bf54x.c linux-2.6.32.49/drivers/ata/pata_bf54x.c
26588 --- linux-2.6.32.49/drivers/ata/pata_bf54x.c 2011-11-08 19:02:43.000000000 -0500
26589 +++ linux-2.6.32.49/drivers/ata/pata_bf54x.c 2011-11-15 19:59:43.000000000 -0500
26590 @@ -1464,7 +1464,7 @@ static struct scsi_host_template bfin_sh
26591 .dma_boundary = ATA_DMA_BOUNDARY,
26592 };
26593
26594 -static struct ata_port_operations bfin_pata_ops = {
26595 +static const struct ata_port_operations bfin_pata_ops = {
26596 .inherits = &ata_sff_port_ops,
26597
26598 .set_piomode = bfin_set_piomode,
26599 diff -urNp linux-2.6.32.49/drivers/ata/pata_cmd640.c linux-2.6.32.49/drivers/ata/pata_cmd640.c
26600 --- linux-2.6.32.49/drivers/ata/pata_cmd640.c 2011-11-08 19:02:43.000000000 -0500
26601 +++ linux-2.6.32.49/drivers/ata/pata_cmd640.c 2011-11-15 19:59:43.000000000 -0500
26602 @@ -168,7 +168,7 @@ static struct scsi_host_template cmd640_
26603 ATA_BMDMA_SHT(DRV_NAME),
26604 };
26605
26606 -static struct ata_port_operations cmd640_port_ops = {
26607 +static const struct ata_port_operations cmd640_port_ops = {
26608 .inherits = &ata_bmdma_port_ops,
26609 /* In theory xfer_noirq is not needed once we kill the prefetcher */
26610 .sff_data_xfer = ata_sff_data_xfer_noirq,
26611 diff -urNp linux-2.6.32.49/drivers/ata/pata_cmd64x.c linux-2.6.32.49/drivers/ata/pata_cmd64x.c
26612 --- linux-2.6.32.49/drivers/ata/pata_cmd64x.c 2011-11-08 19:02:43.000000000 -0500
26613 +++ linux-2.6.32.49/drivers/ata/pata_cmd64x.c 2011-11-15 19:59:43.000000000 -0500
26614 @@ -271,18 +271,18 @@ static const struct ata_port_operations
26615 .set_dmamode = cmd64x_set_dmamode,
26616 };
26617
26618 -static struct ata_port_operations cmd64x_port_ops = {
26619 +static const struct ata_port_operations cmd64x_port_ops = {
26620 .inherits = &cmd64x_base_ops,
26621 .cable_detect = ata_cable_40wire,
26622 };
26623
26624 -static struct ata_port_operations cmd646r1_port_ops = {
26625 +static const struct ata_port_operations cmd646r1_port_ops = {
26626 .inherits = &cmd64x_base_ops,
26627 .bmdma_stop = cmd646r1_bmdma_stop,
26628 .cable_detect = ata_cable_40wire,
26629 };
26630
26631 -static struct ata_port_operations cmd648_port_ops = {
26632 +static const struct ata_port_operations cmd648_port_ops = {
26633 .inherits = &cmd64x_base_ops,
26634 .bmdma_stop = cmd648_bmdma_stop,
26635 .cable_detect = cmd648_cable_detect,
26636 diff -urNp linux-2.6.32.49/drivers/ata/pata_cs5520.c linux-2.6.32.49/drivers/ata/pata_cs5520.c
26637 --- linux-2.6.32.49/drivers/ata/pata_cs5520.c 2011-11-08 19:02:43.000000000 -0500
26638 +++ linux-2.6.32.49/drivers/ata/pata_cs5520.c 2011-11-15 19:59:43.000000000 -0500
26639 @@ -144,7 +144,7 @@ static struct scsi_host_template cs5520_
26640 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
26641 };
26642
26643 -static struct ata_port_operations cs5520_port_ops = {
26644 +static const struct ata_port_operations cs5520_port_ops = {
26645 .inherits = &ata_bmdma_port_ops,
26646 .qc_prep = ata_sff_dumb_qc_prep,
26647 .cable_detect = ata_cable_40wire,
26648 diff -urNp linux-2.6.32.49/drivers/ata/pata_cs5530.c linux-2.6.32.49/drivers/ata/pata_cs5530.c
26649 --- linux-2.6.32.49/drivers/ata/pata_cs5530.c 2011-11-08 19:02:43.000000000 -0500
26650 +++ linux-2.6.32.49/drivers/ata/pata_cs5530.c 2011-11-15 19:59:43.000000000 -0500
26651 @@ -164,7 +164,7 @@ static struct scsi_host_template cs5530_
26652 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
26653 };
26654
26655 -static struct ata_port_operations cs5530_port_ops = {
26656 +static const struct ata_port_operations cs5530_port_ops = {
26657 .inherits = &ata_bmdma_port_ops,
26658
26659 .qc_prep = ata_sff_dumb_qc_prep,
26660 diff -urNp linux-2.6.32.49/drivers/ata/pata_cs5535.c linux-2.6.32.49/drivers/ata/pata_cs5535.c
26661 --- linux-2.6.32.49/drivers/ata/pata_cs5535.c 2011-11-08 19:02:43.000000000 -0500
26662 +++ linux-2.6.32.49/drivers/ata/pata_cs5535.c 2011-11-15 19:59:43.000000000 -0500
26663 @@ -160,7 +160,7 @@ static struct scsi_host_template cs5535_
26664 ATA_BMDMA_SHT(DRV_NAME),
26665 };
26666
26667 -static struct ata_port_operations cs5535_port_ops = {
26668 +static const struct ata_port_operations cs5535_port_ops = {
26669 .inherits = &ata_bmdma_port_ops,
26670 .cable_detect = cs5535_cable_detect,
26671 .set_piomode = cs5535_set_piomode,
26672 diff -urNp linux-2.6.32.49/drivers/ata/pata_cs5536.c linux-2.6.32.49/drivers/ata/pata_cs5536.c
26673 --- linux-2.6.32.49/drivers/ata/pata_cs5536.c 2011-11-08 19:02:43.000000000 -0500
26674 +++ linux-2.6.32.49/drivers/ata/pata_cs5536.c 2011-11-15 19:59:43.000000000 -0500
26675 @@ -223,7 +223,7 @@ static struct scsi_host_template cs5536_
26676 ATA_BMDMA_SHT(DRV_NAME),
26677 };
26678
26679 -static struct ata_port_operations cs5536_port_ops = {
26680 +static const struct ata_port_operations cs5536_port_ops = {
26681 .inherits = &ata_bmdma_port_ops,
26682 .cable_detect = cs5536_cable_detect,
26683 .set_piomode = cs5536_set_piomode,
26684 diff -urNp linux-2.6.32.49/drivers/ata/pata_cypress.c linux-2.6.32.49/drivers/ata/pata_cypress.c
26685 --- linux-2.6.32.49/drivers/ata/pata_cypress.c 2011-11-08 19:02:43.000000000 -0500
26686 +++ linux-2.6.32.49/drivers/ata/pata_cypress.c 2011-11-15 19:59:43.000000000 -0500
26687 @@ -113,7 +113,7 @@ static struct scsi_host_template cy82c69
26688 ATA_BMDMA_SHT(DRV_NAME),
26689 };
26690
26691 -static struct ata_port_operations cy82c693_port_ops = {
26692 +static const struct ata_port_operations cy82c693_port_ops = {
26693 .inherits = &ata_bmdma_port_ops,
26694 .cable_detect = ata_cable_40wire,
26695 .set_piomode = cy82c693_set_piomode,
26696 diff -urNp linux-2.6.32.49/drivers/ata/pata_efar.c linux-2.6.32.49/drivers/ata/pata_efar.c
26697 --- linux-2.6.32.49/drivers/ata/pata_efar.c 2011-11-08 19:02:43.000000000 -0500
26698 +++ linux-2.6.32.49/drivers/ata/pata_efar.c 2011-11-15 19:59:43.000000000 -0500
26699 @@ -222,7 +222,7 @@ static struct scsi_host_template efar_sh
26700 ATA_BMDMA_SHT(DRV_NAME),
26701 };
26702
26703 -static struct ata_port_operations efar_ops = {
26704 +static const struct ata_port_operations efar_ops = {
26705 .inherits = &ata_bmdma_port_ops,
26706 .cable_detect = efar_cable_detect,
26707 .set_piomode = efar_set_piomode,
26708 diff -urNp linux-2.6.32.49/drivers/ata/pata_hpt366.c linux-2.6.32.49/drivers/ata/pata_hpt366.c
26709 --- linux-2.6.32.49/drivers/ata/pata_hpt366.c 2011-11-08 19:02:43.000000000 -0500
26710 +++ linux-2.6.32.49/drivers/ata/pata_hpt366.c 2011-11-15 19:59:43.000000000 -0500
26711 @@ -282,7 +282,7 @@ static struct scsi_host_template hpt36x_
26712 * Configuration for HPT366/68
26713 */
26714
26715 -static struct ata_port_operations hpt366_port_ops = {
26716 +static const struct ata_port_operations hpt366_port_ops = {
26717 .inherits = &ata_bmdma_port_ops,
26718 .cable_detect = hpt36x_cable_detect,
26719 .mode_filter = hpt366_filter,
26720 diff -urNp linux-2.6.32.49/drivers/ata/pata_hpt37x.c linux-2.6.32.49/drivers/ata/pata_hpt37x.c
26721 --- linux-2.6.32.49/drivers/ata/pata_hpt37x.c 2011-11-08 19:02:43.000000000 -0500
26722 +++ linux-2.6.32.49/drivers/ata/pata_hpt37x.c 2011-11-15 19:59:43.000000000 -0500
26723 @@ -576,7 +576,7 @@ static struct scsi_host_template hpt37x_
26724 * Configuration for HPT370
26725 */
26726
26727 -static struct ata_port_operations hpt370_port_ops = {
26728 +static const struct ata_port_operations hpt370_port_ops = {
26729 .inherits = &ata_bmdma_port_ops,
26730
26731 .bmdma_stop = hpt370_bmdma_stop,
26732 @@ -591,7 +591,7 @@ static struct ata_port_operations hpt370
26733 * Configuration for HPT370A. Close to 370 but less filters
26734 */
26735
26736 -static struct ata_port_operations hpt370a_port_ops = {
26737 +static const struct ata_port_operations hpt370a_port_ops = {
26738 .inherits = &hpt370_port_ops,
26739 .mode_filter = hpt370a_filter,
26740 };
26741 @@ -601,7 +601,7 @@ static struct ata_port_operations hpt370
26742 * and DMA mode setting functionality.
26743 */
26744
26745 -static struct ata_port_operations hpt372_port_ops = {
26746 +static const struct ata_port_operations hpt372_port_ops = {
26747 .inherits = &ata_bmdma_port_ops,
26748
26749 .bmdma_stop = hpt37x_bmdma_stop,
26750 @@ -616,7 +616,7 @@ static struct ata_port_operations hpt372
26751 * but we have a different cable detection procedure for function 1.
26752 */
26753
26754 -static struct ata_port_operations hpt374_fn1_port_ops = {
26755 +static const struct ata_port_operations hpt374_fn1_port_ops = {
26756 .inherits = &hpt372_port_ops,
26757 .prereset = hpt374_fn1_pre_reset,
26758 };
26759 diff -urNp linux-2.6.32.49/drivers/ata/pata_hpt3x2n.c linux-2.6.32.49/drivers/ata/pata_hpt3x2n.c
26760 --- linux-2.6.32.49/drivers/ata/pata_hpt3x2n.c 2011-11-08 19:02:43.000000000 -0500
26761 +++ linux-2.6.32.49/drivers/ata/pata_hpt3x2n.c 2011-11-15 19:59:43.000000000 -0500
26762 @@ -337,7 +337,7 @@ static struct scsi_host_template hpt3x2n
26763 * Configuration for HPT3x2n.
26764 */
26765
26766 -static struct ata_port_operations hpt3x2n_port_ops = {
26767 +static const struct ata_port_operations hpt3x2n_port_ops = {
26768 .inherits = &ata_bmdma_port_ops,
26769
26770 .bmdma_stop = hpt3x2n_bmdma_stop,
26771 diff -urNp linux-2.6.32.49/drivers/ata/pata_hpt3x3.c linux-2.6.32.49/drivers/ata/pata_hpt3x3.c
26772 --- linux-2.6.32.49/drivers/ata/pata_hpt3x3.c 2011-11-08 19:02:43.000000000 -0500
26773 +++ linux-2.6.32.49/drivers/ata/pata_hpt3x3.c 2011-11-15 19:59:43.000000000 -0500
26774 @@ -141,7 +141,7 @@ static struct scsi_host_template hpt3x3_
26775 ATA_BMDMA_SHT(DRV_NAME),
26776 };
26777
26778 -static struct ata_port_operations hpt3x3_port_ops = {
26779 +static const struct ata_port_operations hpt3x3_port_ops = {
26780 .inherits = &ata_bmdma_port_ops,
26781 .cable_detect = ata_cable_40wire,
26782 .set_piomode = hpt3x3_set_piomode,
26783 diff -urNp linux-2.6.32.49/drivers/ata/pata_icside.c linux-2.6.32.49/drivers/ata/pata_icside.c
26784 --- linux-2.6.32.49/drivers/ata/pata_icside.c 2011-11-08 19:02:43.000000000 -0500
26785 +++ linux-2.6.32.49/drivers/ata/pata_icside.c 2011-11-15 19:59:43.000000000 -0500
26786 @@ -319,7 +319,7 @@ static void pata_icside_postreset(struct
26787 }
26788 }
26789
26790 -static struct ata_port_operations pata_icside_port_ops = {
26791 +static const struct ata_port_operations pata_icside_port_ops = {
26792 .inherits = &ata_sff_port_ops,
26793 /* no need to build any PRD tables for DMA */
26794 .qc_prep = ata_noop_qc_prep,
26795 diff -urNp linux-2.6.32.49/drivers/ata/pata_isapnp.c linux-2.6.32.49/drivers/ata/pata_isapnp.c
26796 --- linux-2.6.32.49/drivers/ata/pata_isapnp.c 2011-11-08 19:02:43.000000000 -0500
26797 +++ linux-2.6.32.49/drivers/ata/pata_isapnp.c 2011-11-15 19:59:43.000000000 -0500
26798 @@ -23,12 +23,12 @@ static struct scsi_host_template isapnp_
26799 ATA_PIO_SHT(DRV_NAME),
26800 };
26801
26802 -static struct ata_port_operations isapnp_port_ops = {
26803 +static const struct ata_port_operations isapnp_port_ops = {
26804 .inherits = &ata_sff_port_ops,
26805 .cable_detect = ata_cable_40wire,
26806 };
26807
26808 -static struct ata_port_operations isapnp_noalt_port_ops = {
26809 +static const struct ata_port_operations isapnp_noalt_port_ops = {
26810 .inherits = &ata_sff_port_ops,
26811 .cable_detect = ata_cable_40wire,
26812 /* No altstatus so we don't want to use the lost interrupt poll */
26813 diff -urNp linux-2.6.32.49/drivers/ata/pata_it8213.c linux-2.6.32.49/drivers/ata/pata_it8213.c
26814 --- linux-2.6.32.49/drivers/ata/pata_it8213.c 2011-11-08 19:02:43.000000000 -0500
26815 +++ linux-2.6.32.49/drivers/ata/pata_it8213.c 2011-11-15 19:59:43.000000000 -0500
26816 @@ -234,7 +234,7 @@ static struct scsi_host_template it8213_
26817 };
26818
26819
26820 -static struct ata_port_operations it8213_ops = {
26821 +static const struct ata_port_operations it8213_ops = {
26822 .inherits = &ata_bmdma_port_ops,
26823 .cable_detect = it8213_cable_detect,
26824 .set_piomode = it8213_set_piomode,
26825 diff -urNp linux-2.6.32.49/drivers/ata/pata_it821x.c linux-2.6.32.49/drivers/ata/pata_it821x.c
26826 --- linux-2.6.32.49/drivers/ata/pata_it821x.c 2011-11-08 19:02:43.000000000 -0500
26827 +++ linux-2.6.32.49/drivers/ata/pata_it821x.c 2011-11-15 19:59:43.000000000 -0500
26828 @@ -800,7 +800,7 @@ static struct scsi_host_template it821x_
26829 ATA_BMDMA_SHT(DRV_NAME),
26830 };
26831
26832 -static struct ata_port_operations it821x_smart_port_ops = {
26833 +static const struct ata_port_operations it821x_smart_port_ops = {
26834 .inherits = &ata_bmdma_port_ops,
26835
26836 .check_atapi_dma= it821x_check_atapi_dma,
26837 @@ -814,7 +814,7 @@ static struct ata_port_operations it821x
26838 .port_start = it821x_port_start,
26839 };
26840
26841 -static struct ata_port_operations it821x_passthru_port_ops = {
26842 +static const struct ata_port_operations it821x_passthru_port_ops = {
26843 .inherits = &ata_bmdma_port_ops,
26844
26845 .check_atapi_dma= it821x_check_atapi_dma,
26846 @@ -830,7 +830,7 @@ static struct ata_port_operations it821x
26847 .port_start = it821x_port_start,
26848 };
26849
26850 -static struct ata_port_operations it821x_rdc_port_ops = {
26851 +static const struct ata_port_operations it821x_rdc_port_ops = {
26852 .inherits = &ata_bmdma_port_ops,
26853
26854 .check_atapi_dma= it821x_check_atapi_dma,
26855 diff -urNp linux-2.6.32.49/drivers/ata/pata_ixp4xx_cf.c linux-2.6.32.49/drivers/ata/pata_ixp4xx_cf.c
26856 --- linux-2.6.32.49/drivers/ata/pata_ixp4xx_cf.c 2011-11-08 19:02:43.000000000 -0500
26857 +++ linux-2.6.32.49/drivers/ata/pata_ixp4xx_cf.c 2011-11-15 19:59:43.000000000 -0500
26858 @@ -89,7 +89,7 @@ static struct scsi_host_template ixp4xx_
26859 ATA_PIO_SHT(DRV_NAME),
26860 };
26861
26862 -static struct ata_port_operations ixp4xx_port_ops = {
26863 +static const struct ata_port_operations ixp4xx_port_ops = {
26864 .inherits = &ata_sff_port_ops,
26865 .sff_data_xfer = ixp4xx_mmio_data_xfer,
26866 .cable_detect = ata_cable_40wire,
26867 diff -urNp linux-2.6.32.49/drivers/ata/pata_jmicron.c linux-2.6.32.49/drivers/ata/pata_jmicron.c
26868 --- linux-2.6.32.49/drivers/ata/pata_jmicron.c 2011-11-08 19:02:43.000000000 -0500
26869 +++ linux-2.6.32.49/drivers/ata/pata_jmicron.c 2011-11-15 19:59:43.000000000 -0500
26870 @@ -111,7 +111,7 @@ static struct scsi_host_template jmicron
26871 ATA_BMDMA_SHT(DRV_NAME),
26872 };
26873
26874 -static struct ata_port_operations jmicron_ops = {
26875 +static const struct ata_port_operations jmicron_ops = {
26876 .inherits = &ata_bmdma_port_ops,
26877 .prereset = jmicron_pre_reset,
26878 };
26879 diff -urNp linux-2.6.32.49/drivers/ata/pata_legacy.c linux-2.6.32.49/drivers/ata/pata_legacy.c
26880 --- linux-2.6.32.49/drivers/ata/pata_legacy.c 2011-11-08 19:02:43.000000000 -0500
26881 +++ linux-2.6.32.49/drivers/ata/pata_legacy.c 2011-11-15 19:59:43.000000000 -0500
26882 @@ -106,7 +106,7 @@ struct legacy_probe {
26883
26884 struct legacy_controller {
26885 const char *name;
26886 - struct ata_port_operations *ops;
26887 + const struct ata_port_operations *ops;
26888 unsigned int pio_mask;
26889 unsigned int flags;
26890 unsigned int pflags;
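Review bot: The new `const struct ata_port_operations *ops;` member protects only the table it points to; the pointer itself stays writable wherever a `struct legacy_controller` object is writable. The array of controller descriptions is defined outside this hunk, so whether it is `const` cannot be seen here. If nothing assigns to its entries after initialisation, declaring that array `const` too would keep the `ops` pointers out of writable data, matching the intent of this change. The struct definition continues past the end of the hunk, so any other pointer members it holds deserve the same check.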
26891 @@ -223,12 +223,12 @@ static const struct ata_port_operations
26892 * pio_mask as well.
26893 */
26894
26895 -static struct ata_port_operations simple_port_ops = {
26896 +static const struct ata_port_operations simple_port_ops = {
26897 .inherits = &legacy_base_port_ops,
26898 .sff_data_xfer = ata_sff_data_xfer_noirq,
26899 };
26900
26901 -static struct ata_port_operations legacy_port_ops = {
26902 +static const struct ata_port_operations legacy_port_ops = {
26903 .inherits = &legacy_base_port_ops,
26904 .sff_data_xfer = ata_sff_data_xfer_noirq,
26905 .set_mode = legacy_set_mode,
26906 @@ -324,7 +324,7 @@ static unsigned int pdc_data_xfer_vlb(st
26907 return buflen;
26908 }
26909
26910 -static struct ata_port_operations pdc20230_port_ops = {
26911 +static const struct ata_port_operations pdc20230_port_ops = {
26912 .inherits = &legacy_base_port_ops,
26913 .set_piomode = pdc20230_set_piomode,
26914 .sff_data_xfer = pdc_data_xfer_vlb,
26915 @@ -357,7 +357,7 @@ static void ht6560a_set_piomode(struct a
26916 ioread8(ap->ioaddr.status_addr);
26917 }
26918
26919 -static struct ata_port_operations ht6560a_port_ops = {
26920 +static const struct ata_port_operations ht6560a_port_ops = {
26921 .inherits = &legacy_base_port_ops,
26922 .set_piomode = ht6560a_set_piomode,
26923 };
26924 @@ -400,7 +400,7 @@ static void ht6560b_set_piomode(struct a
26925 ioread8(ap->ioaddr.status_addr);
26926 }
26927
26928 -static struct ata_port_operations ht6560b_port_ops = {
26929 +static const struct ata_port_operations ht6560b_port_ops = {
26930 .inherits = &legacy_base_port_ops,
26931 .set_piomode = ht6560b_set_piomode,
26932 };
26933 @@ -499,7 +499,7 @@ static void opti82c611a_set_piomode(stru
26934 }
26935
26936
26937 -static struct ata_port_operations opti82c611a_port_ops = {
26938 +static const struct ata_port_operations opti82c611a_port_ops = {
26939 .inherits = &legacy_base_port_ops,
26940 .set_piomode = opti82c611a_set_piomode,
26941 };
26942 @@ -609,7 +609,7 @@ static unsigned int opti82c46x_qc_issue(
26943 return ata_sff_qc_issue(qc);
26944 }
26945
26946 -static struct ata_port_operations opti82c46x_port_ops = {
26947 +static const struct ata_port_operations opti82c46x_port_ops = {
26948 .inherits = &legacy_base_port_ops,
26949 .set_piomode = opti82c46x_set_piomode,
26950 .qc_issue = opti82c46x_qc_issue,
26951 @@ -771,20 +771,20 @@ static int qdi_port(struct platform_devi
26952 return 0;
26953 }
26954
26955 -static struct ata_port_operations qdi6500_port_ops = {
26956 +static const struct ata_port_operations qdi6500_port_ops = {
26957 .inherits = &legacy_base_port_ops,
26958 .set_piomode = qdi6500_set_piomode,
26959 .qc_issue = qdi_qc_issue,
26960 .sff_data_xfer = vlb32_data_xfer,
26961 };
26962
26963 -static struct ata_port_operations qdi6580_port_ops = {
26964 +static const struct ata_port_operations qdi6580_port_ops = {
26965 .inherits = &legacy_base_port_ops,
26966 .set_piomode = qdi6580_set_piomode,
26967 .sff_data_xfer = vlb32_data_xfer,
26968 };
26969
26970 -static struct ata_port_operations qdi6580dp_port_ops = {
26971 +static const struct ata_port_operations qdi6580dp_port_ops = {
26972 .inherits = &legacy_base_port_ops,
26973 .set_piomode = qdi6580dp_set_piomode,
26974 .sff_data_xfer = vlb32_data_xfer,
26975 @@ -855,7 +855,7 @@ static int winbond_port(struct platform_
26976 return 0;
26977 }
26978
26979 -static struct ata_port_operations winbond_port_ops = {
26980 +static const struct ata_port_operations winbond_port_ops = {
26981 .inherits = &legacy_base_port_ops,
26982 .set_piomode = winbond_set_piomode,
26983 .sff_data_xfer = vlb32_data_xfer,
26984 @@ -978,7 +978,7 @@ static __init int legacy_init_one(struct
26985 int pio_modes = controller->pio_mask;
26986 unsigned long io = probe->port;
26987 u32 mask = (1 << probe->slot);
26988 - struct ata_port_operations *ops = controller->ops;
26989 + const struct ata_port_operations *ops = controller->ops;
26990 struct legacy_data *ld = &legacy_data[probe->slot];
26991 struct ata_host *host = NULL;
26992 struct ata_port *ap;
26993 diff -urNp linux-2.6.32.49/drivers/ata/pata_marvell.c linux-2.6.32.49/drivers/ata/pata_marvell.c
26994 --- linux-2.6.32.49/drivers/ata/pata_marvell.c 2011-11-08 19:02:43.000000000 -0500
26995 +++ linux-2.6.32.49/drivers/ata/pata_marvell.c 2011-11-15 19:59:43.000000000 -0500
26996 @@ -100,7 +100,7 @@ static struct scsi_host_template marvell
26997 ATA_BMDMA_SHT(DRV_NAME),
26998 };
26999
27000 -static struct ata_port_operations marvell_ops = {
27001 +static const struct ata_port_operations marvell_ops = {
27002 .inherits = &ata_bmdma_port_ops,
27003 .cable_detect = marvell_cable_detect,
27004 .prereset = marvell_pre_reset,
27005 diff -urNp linux-2.6.32.49/drivers/ata/pata_mpc52xx.c linux-2.6.32.49/drivers/ata/pata_mpc52xx.c
27006 --- linux-2.6.32.49/drivers/ata/pata_mpc52xx.c 2011-11-08 19:02:43.000000000 -0500
27007 +++ linux-2.6.32.49/drivers/ata/pata_mpc52xx.c 2011-11-15 19:59:43.000000000 -0500
27008 @@ -609,7 +609,7 @@ static struct scsi_host_template mpc52xx
27009 ATA_PIO_SHT(DRV_NAME),
27010 };
27011
27012 -static struct ata_port_operations mpc52xx_ata_port_ops = {
27013 +static const struct ata_port_operations mpc52xx_ata_port_ops = {
27014 .inherits = &ata_bmdma_port_ops,
27015 .sff_dev_select = mpc52xx_ata_dev_select,
27016 .set_piomode = mpc52xx_ata_set_piomode,
27017 diff -urNp linux-2.6.32.49/drivers/ata/pata_mpiix.c linux-2.6.32.49/drivers/ata/pata_mpiix.c
27018 --- linux-2.6.32.49/drivers/ata/pata_mpiix.c 2011-11-08 19:02:43.000000000 -0500
27019 +++ linux-2.6.32.49/drivers/ata/pata_mpiix.c 2011-11-15 19:59:43.000000000 -0500
27020 @@ -140,7 +140,7 @@ static struct scsi_host_template mpiix_s
27021 ATA_PIO_SHT(DRV_NAME),
27022 };
27023
27024 -static struct ata_port_operations mpiix_port_ops = {
27025 +static const struct ata_port_operations mpiix_port_ops = {
27026 .inherits = &ata_sff_port_ops,
27027 .qc_issue = mpiix_qc_issue,
27028 .cable_detect = ata_cable_40wire,
27029 diff -urNp linux-2.6.32.49/drivers/ata/pata_netcell.c linux-2.6.32.49/drivers/ata/pata_netcell.c
27030 --- linux-2.6.32.49/drivers/ata/pata_netcell.c 2011-11-08 19:02:43.000000000 -0500
27031 +++ linux-2.6.32.49/drivers/ata/pata_netcell.c 2011-11-15 19:59:43.000000000 -0500
27032 @@ -34,7 +34,7 @@ static struct scsi_host_template netcell
27033 ATA_BMDMA_SHT(DRV_NAME),
27034 };
27035
27036 -static struct ata_port_operations netcell_ops = {
27037 +static const struct ata_port_operations netcell_ops = {
27038 .inherits = &ata_bmdma_port_ops,
27039 .cable_detect = ata_cable_80wire,
27040 .read_id = netcell_read_id,
27041 diff -urNp linux-2.6.32.49/drivers/ata/pata_ninja32.c linux-2.6.32.49/drivers/ata/pata_ninja32.c
27042 --- linux-2.6.32.49/drivers/ata/pata_ninja32.c 2011-11-08 19:02:43.000000000 -0500
27043 +++ linux-2.6.32.49/drivers/ata/pata_ninja32.c 2011-11-15 19:59:43.000000000 -0500
27044 @@ -81,7 +81,7 @@ static struct scsi_host_template ninja32
27045 ATA_BMDMA_SHT(DRV_NAME),
27046 };
27047
27048 -static struct ata_port_operations ninja32_port_ops = {
27049 +static const struct ata_port_operations ninja32_port_ops = {
27050 .inherits = &ata_bmdma_port_ops,
27051 .sff_dev_select = ninja32_dev_select,
27052 .cable_detect = ata_cable_40wire,
27053 diff -urNp linux-2.6.32.49/drivers/ata/pata_ns87410.c linux-2.6.32.49/drivers/ata/pata_ns87410.c
27054 --- linux-2.6.32.49/drivers/ata/pata_ns87410.c 2011-11-08 19:02:43.000000000 -0500
27055 +++ linux-2.6.32.49/drivers/ata/pata_ns87410.c 2011-11-15 19:59:43.000000000 -0500
27056 @@ -132,7 +132,7 @@ static struct scsi_host_template ns87410
27057 ATA_PIO_SHT(DRV_NAME),
27058 };
27059
27060 -static struct ata_port_operations ns87410_port_ops = {
27061 +static const struct ata_port_operations ns87410_port_ops = {
27062 .inherits = &ata_sff_port_ops,
27063 .qc_issue = ns87410_qc_issue,
27064 .cable_detect = ata_cable_40wire,
27065 diff -urNp linux-2.6.32.49/drivers/ata/pata_ns87415.c linux-2.6.32.49/drivers/ata/pata_ns87415.c
27066 --- linux-2.6.32.49/drivers/ata/pata_ns87415.c 2011-11-08 19:02:43.000000000 -0500
27067 +++ linux-2.6.32.49/drivers/ata/pata_ns87415.c 2011-11-15 19:59:43.000000000 -0500
27068 @@ -299,7 +299,7 @@ static u8 ns87560_bmdma_status(struct at
27069 }
27070 #endif /* 87560 SuperIO Support */
27071
27072 -static struct ata_port_operations ns87415_pata_ops = {
27073 +static const struct ata_port_operations ns87415_pata_ops = {
27074 .inherits = &ata_bmdma_port_ops,
27075
27076 .check_atapi_dma = ns87415_check_atapi_dma,
27077 @@ -313,7 +313,7 @@ static struct ata_port_operations ns8741
27078 };
27079
27080 #if defined(CONFIG_SUPERIO)
27081 -static struct ata_port_operations ns87560_pata_ops = {
27082 +static const struct ata_port_operations ns87560_pata_ops = {
27083 .inherits = &ns87415_pata_ops,
27084 .sff_tf_read = ns87560_tf_read,
27085 .sff_check_status = ns87560_check_status,
27086 diff -urNp linux-2.6.32.49/drivers/ata/pata_octeon_cf.c linux-2.6.32.49/drivers/ata/pata_octeon_cf.c
27087 --- linux-2.6.32.49/drivers/ata/pata_octeon_cf.c 2011-11-08 19:02:43.000000000 -0500
27088 +++ linux-2.6.32.49/drivers/ata/pata_octeon_cf.c 2011-11-15 19:59:43.000000000 -0500
27089 @@ -801,6 +801,7 @@ static unsigned int octeon_cf_qc_issue(s
27090 return 0;
27091 }
27092
27093 +/* cannot be const */
27094 static struct ata_port_operations octeon_cf_ops = {
27095 .inherits = &ata_sff_port_ops,
27096 .check_atapi_dma = octeon_cf_check_atapi_dma,
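Review bot: The added `/* cannot be const */` comment on `octeon_cf_ops` records the exception but not the reason, so a later constification pass cannot tell whether it still holds. Presumably the driver assigns some members of this table at probe time, but that code is outside the hunk. I would name the writer in the comment, for example `/* cannot be const: members are assigned in <function that writes them> */`. This table stays writable while its siblings become read-only, so the comment is the only marker that the exception is deliberate and should be specific enough to re-check.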
27097 diff -urNp linux-2.6.32.49/drivers/ata/pata_oldpiix.c linux-2.6.32.49/drivers/ata/pata_oldpiix.c
27098 --- linux-2.6.32.49/drivers/ata/pata_oldpiix.c 2011-11-08 19:02:43.000000000 -0500
27099 +++ linux-2.6.32.49/drivers/ata/pata_oldpiix.c 2011-11-15 19:59:43.000000000 -0500
27100 @@ -208,7 +208,7 @@ static struct scsi_host_template oldpiix
27101 ATA_BMDMA_SHT(DRV_NAME),
27102 };
27103
27104 -static struct ata_port_operations oldpiix_pata_ops = {
27105 +static const struct ata_port_operations oldpiix_pata_ops = {
27106 .inherits = &ata_bmdma_port_ops,
27107 .qc_issue = oldpiix_qc_issue,
27108 .cable_detect = ata_cable_40wire,
27109 diff -urNp linux-2.6.32.49/drivers/ata/pata_opti.c linux-2.6.32.49/drivers/ata/pata_opti.c
27110 --- linux-2.6.32.49/drivers/ata/pata_opti.c 2011-11-08 19:02:43.000000000 -0500
27111 +++ linux-2.6.32.49/drivers/ata/pata_opti.c 2011-11-15 19:59:43.000000000 -0500
27112 @@ -152,7 +152,7 @@ static struct scsi_host_template opti_sh
27113 ATA_PIO_SHT(DRV_NAME),
27114 };
27115
27116 -static struct ata_port_operations opti_port_ops = {
27117 +static const struct ata_port_operations opti_port_ops = {
27118 .inherits = &ata_sff_port_ops,
27119 .cable_detect = ata_cable_40wire,
27120 .set_piomode = opti_set_piomode,
27121 diff -urNp linux-2.6.32.49/drivers/ata/pata_optidma.c linux-2.6.32.49/drivers/ata/pata_optidma.c
27122 --- linux-2.6.32.49/drivers/ata/pata_optidma.c 2011-11-08 19:02:43.000000000 -0500
27123 +++ linux-2.6.32.49/drivers/ata/pata_optidma.c 2011-11-15 19:59:43.000000000 -0500
27124 @@ -337,7 +337,7 @@ static struct scsi_host_template optidma
27125 ATA_BMDMA_SHT(DRV_NAME),
27126 };
27127
27128 -static struct ata_port_operations optidma_port_ops = {
27129 +static const struct ata_port_operations optidma_port_ops = {
27130 .inherits = &ata_bmdma_port_ops,
27131 .cable_detect = ata_cable_40wire,
27132 .set_piomode = optidma_set_pio_mode,
27133 @@ -346,7 +346,7 @@ static struct ata_port_operations optidm
27134 .prereset = optidma_pre_reset,
27135 };
27136
27137 -static struct ata_port_operations optiplus_port_ops = {
27138 +static const struct ata_port_operations optiplus_port_ops = {
27139 .inherits = &optidma_port_ops,
27140 .set_piomode = optiplus_set_pio_mode,
27141 .set_dmamode = optiplus_set_dma_mode,
27142 diff -urNp linux-2.6.32.49/drivers/ata/pata_palmld.c linux-2.6.32.49/drivers/ata/pata_palmld.c
27143 --- linux-2.6.32.49/drivers/ata/pata_palmld.c 2011-11-08 19:02:43.000000000 -0500
27144 +++ linux-2.6.32.49/drivers/ata/pata_palmld.c 2011-11-15 19:59:43.000000000 -0500
27145 @@ -37,7 +37,7 @@ static struct scsi_host_template palmld_
27146 ATA_PIO_SHT(DRV_NAME),
27147 };
27148
27149 -static struct ata_port_operations palmld_port_ops = {
27150 +static const struct ata_port_operations palmld_port_ops = {
27151 .inherits = &ata_sff_port_ops,
27152 .sff_data_xfer = ata_sff_data_xfer_noirq,
27153 .cable_detect = ata_cable_40wire,
27154 diff -urNp linux-2.6.32.49/drivers/ata/pata_pcmcia.c linux-2.6.32.49/drivers/ata/pata_pcmcia.c
27155 --- linux-2.6.32.49/drivers/ata/pata_pcmcia.c 2011-11-08 19:02:43.000000000 -0500
27156 +++ linux-2.6.32.49/drivers/ata/pata_pcmcia.c 2011-11-15 19:59:43.000000000 -0500
27157 @@ -162,14 +162,14 @@ static struct scsi_host_template pcmcia_
27158 ATA_PIO_SHT(DRV_NAME),
27159 };
27160
27161 -static struct ata_port_operations pcmcia_port_ops = {
27162 +static const struct ata_port_operations pcmcia_port_ops = {
27163 .inherits = &ata_sff_port_ops,
27164 .sff_data_xfer = ata_sff_data_xfer_noirq,
27165 .cable_detect = ata_cable_40wire,
27166 .set_mode = pcmcia_set_mode,
27167 };
27168
27169 -static struct ata_port_operations pcmcia_8bit_port_ops = {
27170 +static const struct ata_port_operations pcmcia_8bit_port_ops = {
27171 .inherits = &ata_sff_port_ops,
27172 .sff_data_xfer = ata_data_xfer_8bit,
27173 .cable_detect = ata_cable_40wire,
27174 @@ -256,7 +256,7 @@ static int pcmcia_init_one(struct pcmcia
27175 unsigned long io_base, ctl_base;
27176 void __iomem *io_addr, *ctl_addr;
27177 int n_ports = 1;
27178 - struct ata_port_operations *ops = &pcmcia_port_ops;
27179 + const struct ata_port_operations *ops = &pcmcia_port_ops;
27180
27181 info = kzalloc(sizeof(*info), GFP_KERNEL);
27182 if (info == NULL)
27183 diff -urNp linux-2.6.32.49/drivers/ata/pata_pdc2027x.c linux-2.6.32.49/drivers/ata/pata_pdc2027x.c
27184 --- linux-2.6.32.49/drivers/ata/pata_pdc2027x.c 2011-11-08 19:02:43.000000000 -0500
27185 +++ linux-2.6.32.49/drivers/ata/pata_pdc2027x.c 2011-11-15 19:59:43.000000000 -0500
27186 @@ -132,14 +132,14 @@ static struct scsi_host_template pdc2027
27187 ATA_BMDMA_SHT(DRV_NAME),
27188 };
27189
27190 -static struct ata_port_operations pdc2027x_pata100_ops = {
27191 +static const struct ata_port_operations pdc2027x_pata100_ops = {
27192 .inherits = &ata_bmdma_port_ops,
27193 .check_atapi_dma = pdc2027x_check_atapi_dma,
27194 .cable_detect = pdc2027x_cable_detect,
27195 .prereset = pdc2027x_prereset,
27196 };
27197
27198 -static struct ata_port_operations pdc2027x_pata133_ops = {
27199 +static const struct ata_port_operations pdc2027x_pata133_ops = {
27200 .inherits = &pdc2027x_pata100_ops,
27201 .mode_filter = pdc2027x_mode_filter,
27202 .set_piomode = pdc2027x_set_piomode,
27203 diff -urNp linux-2.6.32.49/drivers/ata/pata_pdc202xx_old.c linux-2.6.32.49/drivers/ata/pata_pdc202xx_old.c
27204 --- linux-2.6.32.49/drivers/ata/pata_pdc202xx_old.c 2011-11-08 19:02:43.000000000 -0500
27205 +++ linux-2.6.32.49/drivers/ata/pata_pdc202xx_old.c 2011-11-15 19:59:43.000000000 -0500
27206 @@ -274,7 +274,7 @@ static struct scsi_host_template pdc202x
27207 ATA_BMDMA_SHT(DRV_NAME),
27208 };
27209
27210 -static struct ata_port_operations pdc2024x_port_ops = {
27211 +static const struct ata_port_operations pdc2024x_port_ops = {
27212 .inherits = &ata_bmdma_port_ops,
27213
27214 .cable_detect = ata_cable_40wire,
27215 @@ -284,7 +284,7 @@ static struct ata_port_operations pdc202
27216 .sff_exec_command = pdc202xx_exec_command,
27217 };
27218
27219 -static struct ata_port_operations pdc2026x_port_ops = {
27220 +static const struct ata_port_operations pdc2026x_port_ops = {
27221 .inherits = &pdc2024x_port_ops,
27222
27223 .check_atapi_dma = pdc2026x_check_atapi_dma,
27224 diff -urNp linux-2.6.32.49/drivers/ata/pata_platform.c linux-2.6.32.49/drivers/ata/pata_platform.c
27225 --- linux-2.6.32.49/drivers/ata/pata_platform.c 2011-11-08 19:02:43.000000000 -0500
27226 +++ linux-2.6.32.49/drivers/ata/pata_platform.c 2011-11-15 19:59:43.000000000 -0500
27227 @@ -48,7 +48,7 @@ static struct scsi_host_template pata_pl
27228 ATA_PIO_SHT(DRV_NAME),
27229 };
27230
27231 -static struct ata_port_operations pata_platform_port_ops = {
27232 +static const struct ata_port_operations pata_platform_port_ops = {
27233 .inherits = &ata_sff_port_ops,
27234 .sff_data_xfer = ata_sff_data_xfer_noirq,
27235 .cable_detect = ata_cable_unknown,
27236 diff -urNp linux-2.6.32.49/drivers/ata/pata_qdi.c linux-2.6.32.49/drivers/ata/pata_qdi.c
27237 --- linux-2.6.32.49/drivers/ata/pata_qdi.c 2011-11-08 19:02:43.000000000 -0500
27238 +++ linux-2.6.32.49/drivers/ata/pata_qdi.c 2011-11-15 19:59:43.000000000 -0500
27239 @@ -157,7 +157,7 @@ static struct scsi_host_template qdi_sht
27240 ATA_PIO_SHT(DRV_NAME),
27241 };
27242
27243 -static struct ata_port_operations qdi6500_port_ops = {
27244 +static const struct ata_port_operations qdi6500_port_ops = {
27245 .inherits = &ata_sff_port_ops,
27246 .qc_issue = qdi_qc_issue,
27247 .sff_data_xfer = qdi_data_xfer,
27248 @@ -165,7 +165,7 @@ static struct ata_port_operations qdi650
27249 .set_piomode = qdi6500_set_piomode,
27250 };
27251
27252 -static struct ata_port_operations qdi6580_port_ops = {
27253 +static const struct ata_port_operations qdi6580_port_ops = {
27254 .inherits = &qdi6500_port_ops,
27255 .set_piomode = qdi6580_set_piomode,
27256 };
27257 diff -urNp linux-2.6.32.49/drivers/ata/pata_radisys.c linux-2.6.32.49/drivers/ata/pata_radisys.c
27258 --- linux-2.6.32.49/drivers/ata/pata_radisys.c 2011-11-08 19:02:43.000000000 -0500
27259 +++ linux-2.6.32.49/drivers/ata/pata_radisys.c 2011-11-15 19:59:43.000000000 -0500
27260 @@ -187,7 +187,7 @@ static struct scsi_host_template radisys
27261 ATA_BMDMA_SHT(DRV_NAME),
27262 };
27263
27264 -static struct ata_port_operations radisys_pata_ops = {
27265 +static const struct ata_port_operations radisys_pata_ops = {
27266 .inherits = &ata_bmdma_port_ops,
27267 .qc_issue = radisys_qc_issue,
27268 .cable_detect = ata_cable_unknown,
27269 diff -urNp linux-2.6.32.49/drivers/ata/pata_rb532_cf.c linux-2.6.32.49/drivers/ata/pata_rb532_cf.c
27270 --- linux-2.6.32.49/drivers/ata/pata_rb532_cf.c 2011-11-08 19:02:43.000000000 -0500
27271 +++ linux-2.6.32.49/drivers/ata/pata_rb532_cf.c 2011-11-15 19:59:43.000000000 -0500
27272 @@ -68,7 +68,7 @@ static irqreturn_t rb532_pata_irq_handle
27273 return IRQ_HANDLED;
27274 }
27275
27276 -static struct ata_port_operations rb532_pata_port_ops = {
27277 +static const struct ata_port_operations rb532_pata_port_ops = {
27278 .inherits = &ata_sff_port_ops,
27279 .sff_data_xfer = ata_sff_data_xfer32,
27280 };
27281 diff -urNp linux-2.6.32.49/drivers/ata/pata_rdc.c linux-2.6.32.49/drivers/ata/pata_rdc.c
27282 --- linux-2.6.32.49/drivers/ata/pata_rdc.c 2011-11-08 19:02:43.000000000 -0500
27283 +++ linux-2.6.32.49/drivers/ata/pata_rdc.c 2011-11-15 19:59:43.000000000 -0500
27284 @@ -272,7 +272,7 @@ static void rdc_set_dmamode(struct ata_p
27285 pci_write_config_byte(dev, 0x48, udma_enable);
27286 }
27287
27288 -static struct ata_port_operations rdc_pata_ops = {
27289 +static const struct ata_port_operations rdc_pata_ops = {
27290 .inherits = &ata_bmdma32_port_ops,
27291 .cable_detect = rdc_pata_cable_detect,
27292 .set_piomode = rdc_set_piomode,
27293 diff -urNp linux-2.6.32.49/drivers/ata/pata_rz1000.c linux-2.6.32.49/drivers/ata/pata_rz1000.c
27294 --- linux-2.6.32.49/drivers/ata/pata_rz1000.c 2011-11-08 19:02:43.000000000 -0500
27295 +++ linux-2.6.32.49/drivers/ata/pata_rz1000.c 2011-11-15 19:59:43.000000000 -0500
27296 @@ -54,7 +54,7 @@ static struct scsi_host_template rz1000_
27297 ATA_PIO_SHT(DRV_NAME),
27298 };
27299
27300 -static struct ata_port_operations rz1000_port_ops = {
27301 +static const struct ata_port_operations rz1000_port_ops = {
27302 .inherits = &ata_sff_port_ops,
27303 .cable_detect = ata_cable_40wire,
27304 .set_mode = rz1000_set_mode,
27305 diff -urNp linux-2.6.32.49/drivers/ata/pata_sc1200.c linux-2.6.32.49/drivers/ata/pata_sc1200.c
27306 --- linux-2.6.32.49/drivers/ata/pata_sc1200.c 2011-11-08 19:02:43.000000000 -0500
27307 +++ linux-2.6.32.49/drivers/ata/pata_sc1200.c 2011-11-15 19:59:43.000000000 -0500
27308 @@ -207,7 +207,7 @@ static struct scsi_host_template sc1200_
27309 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
27310 };
27311
27312 -static struct ata_port_operations sc1200_port_ops = {
27313 +static const struct ata_port_operations sc1200_port_ops = {
27314 .inherits = &ata_bmdma_port_ops,
27315 .qc_prep = ata_sff_dumb_qc_prep,
27316 .qc_issue = sc1200_qc_issue,
27317 diff -urNp linux-2.6.32.49/drivers/ata/pata_scc.c linux-2.6.32.49/drivers/ata/pata_scc.c
27318 --- linux-2.6.32.49/drivers/ata/pata_scc.c 2011-11-08 19:02:43.000000000 -0500
27319 +++ linux-2.6.32.49/drivers/ata/pata_scc.c 2011-11-15 19:59:43.000000000 -0500
27320 @@ -965,7 +965,7 @@ static struct scsi_host_template scc_sht
27321 ATA_BMDMA_SHT(DRV_NAME),
27322 };
27323
27324 -static struct ata_port_operations scc_pata_ops = {
27325 +static const struct ata_port_operations scc_pata_ops = {
27326 .inherits = &ata_bmdma_port_ops,
27327
27328 .set_piomode = scc_set_piomode,
27329 diff -urNp linux-2.6.32.49/drivers/ata/pata_sch.c linux-2.6.32.49/drivers/ata/pata_sch.c
27330 --- linux-2.6.32.49/drivers/ata/pata_sch.c 2011-11-08 19:02:43.000000000 -0500
27331 +++ linux-2.6.32.49/drivers/ata/pata_sch.c 2011-11-15 19:59:43.000000000 -0500
27332 @@ -75,7 +75,7 @@ static struct scsi_host_template sch_sht
27333 ATA_BMDMA_SHT(DRV_NAME),
27334 };
27335
27336 -static struct ata_port_operations sch_pata_ops = {
27337 +static const struct ata_port_operations sch_pata_ops = {
27338 .inherits = &ata_bmdma_port_ops,
27339 .cable_detect = ata_cable_unknown,
27340 .set_piomode = sch_set_piomode,
27341 diff -urNp linux-2.6.32.49/drivers/ata/pata_serverworks.c linux-2.6.32.49/drivers/ata/pata_serverworks.c
27342 --- linux-2.6.32.49/drivers/ata/pata_serverworks.c 2011-11-08 19:02:43.000000000 -0500
27343 +++ linux-2.6.32.49/drivers/ata/pata_serverworks.c 2011-11-15 19:59:43.000000000 -0500
27344 @@ -299,7 +299,7 @@ static struct scsi_host_template serverw
27345 ATA_BMDMA_SHT(DRV_NAME),
27346 };
27347
27348 -static struct ata_port_operations serverworks_osb4_port_ops = {
27349 +static const struct ata_port_operations serverworks_osb4_port_ops = {
27350 .inherits = &ata_bmdma_port_ops,
27351 .cable_detect = serverworks_cable_detect,
27352 .mode_filter = serverworks_osb4_filter,
27353 @@ -307,7 +307,7 @@ static struct ata_port_operations server
27354 .set_dmamode = serverworks_set_dmamode,
27355 };
27356
27357 -static struct ata_port_operations serverworks_csb_port_ops = {
27358 +static const struct ata_port_operations serverworks_csb_port_ops = {
27359 .inherits = &serverworks_osb4_port_ops,
27360 .mode_filter = serverworks_csb_filter,
27361 };
27362 diff -urNp linux-2.6.32.49/drivers/ata/pata_sil680.c linux-2.6.32.49/drivers/ata/pata_sil680.c
27363 --- linux-2.6.32.49/drivers/ata/pata_sil680.c 2011-11-08 19:02:43.000000000 -0500
27364 +++ linux-2.6.32.49/drivers/ata/pata_sil680.c 2011-11-15 19:59:43.000000000 -0500
27365 @@ -194,7 +194,7 @@ static struct scsi_host_template sil680_
27366 ATA_BMDMA_SHT(DRV_NAME),
27367 };
27368
27369 -static struct ata_port_operations sil680_port_ops = {
27370 +static const struct ata_port_operations sil680_port_ops = {
27371 .inherits = &ata_bmdma32_port_ops,
27372 .cable_detect = sil680_cable_detect,
27373 .set_piomode = sil680_set_piomode,
27374 diff -urNp linux-2.6.32.49/drivers/ata/pata_sis.c linux-2.6.32.49/drivers/ata/pata_sis.c
27375 --- linux-2.6.32.49/drivers/ata/pata_sis.c 2011-11-08 19:02:43.000000000 -0500
27376 +++ linux-2.6.32.49/drivers/ata/pata_sis.c 2011-11-15 19:59:43.000000000 -0500
27377 @@ -503,47 +503,47 @@ static struct scsi_host_template sis_sht
27378 ATA_BMDMA_SHT(DRV_NAME),
27379 };
27380
27381 -static struct ata_port_operations sis_133_for_sata_ops = {
27382 +static const struct ata_port_operations sis_133_for_sata_ops = {
27383 .inherits = &ata_bmdma_port_ops,
27384 .set_piomode = sis_133_set_piomode,
27385 .set_dmamode = sis_133_set_dmamode,
27386 .cable_detect = sis_133_cable_detect,
27387 };
27388
27389 -static struct ata_port_operations sis_base_ops = {
27390 +static const struct ata_port_operations sis_base_ops = {
27391 .inherits = &ata_bmdma_port_ops,
27392 .prereset = sis_pre_reset,
27393 };
27394
27395 -static struct ata_port_operations sis_133_ops = {
27396 +static const struct ata_port_operations sis_133_ops = {
27397 .inherits = &sis_base_ops,
27398 .set_piomode = sis_133_set_piomode,
27399 .set_dmamode = sis_133_set_dmamode,
27400 .cable_detect = sis_133_cable_detect,
27401 };
27402
27403 -static struct ata_port_operations sis_133_early_ops = {
27404 +static const struct ata_port_operations sis_133_early_ops = {
27405 .inherits = &sis_base_ops,
27406 .set_piomode = sis_100_set_piomode,
27407 .set_dmamode = sis_133_early_set_dmamode,
27408 .cable_detect = sis_66_cable_detect,
27409 };
27410
27411 -static struct ata_port_operations sis_100_ops = {
27412 +static const struct ata_port_operations sis_100_ops = {
27413 .inherits = &sis_base_ops,
27414 .set_piomode = sis_100_set_piomode,
27415 .set_dmamode = sis_100_set_dmamode,
27416 .cable_detect = sis_66_cable_detect,
27417 };
27418
27419 -static struct ata_port_operations sis_66_ops = {
27420 +static const struct ata_port_operations sis_66_ops = {
27421 .inherits = &sis_base_ops,
27422 .set_piomode = sis_old_set_piomode,
27423 .set_dmamode = sis_66_set_dmamode,
27424 .cable_detect = sis_66_cable_detect,
27425 };
27426
27427 -static struct ata_port_operations sis_old_ops = {
27428 +static const struct ata_port_operations sis_old_ops = {
27429 .inherits = &sis_base_ops,
27430 .set_piomode = sis_old_set_piomode,
27431 .set_dmamode = sis_old_set_dmamode,
27432 diff -urNp linux-2.6.32.49/drivers/ata/pata_sl82c105.c linux-2.6.32.49/drivers/ata/pata_sl82c105.c
27433 --- linux-2.6.32.49/drivers/ata/pata_sl82c105.c 2011-11-08 19:02:43.000000000 -0500
27434 +++ linux-2.6.32.49/drivers/ata/pata_sl82c105.c 2011-11-15 19:59:43.000000000 -0500
27435 @@ -231,7 +231,7 @@ static struct scsi_host_template sl82c10
27436 ATA_BMDMA_SHT(DRV_NAME),
27437 };
27438
27439 -static struct ata_port_operations sl82c105_port_ops = {
27440 +static const struct ata_port_operations sl82c105_port_ops = {
27441 .inherits = &ata_bmdma_port_ops,
27442 .qc_defer = sl82c105_qc_defer,
27443 .bmdma_start = sl82c105_bmdma_start,
27444 diff -urNp linux-2.6.32.49/drivers/ata/pata_triflex.c linux-2.6.32.49/drivers/ata/pata_triflex.c
27445 --- linux-2.6.32.49/drivers/ata/pata_triflex.c 2011-11-08 19:02:43.000000000 -0500
27446 +++ linux-2.6.32.49/drivers/ata/pata_triflex.c 2011-11-15 19:59:43.000000000 -0500
27447 @@ -178,7 +178,7 @@ static struct scsi_host_template triflex
27448 ATA_BMDMA_SHT(DRV_NAME),
27449 };
27450
27451 -static struct ata_port_operations triflex_port_ops = {
27452 +static const struct ata_port_operations triflex_port_ops = {
27453 .inherits = &ata_bmdma_port_ops,
27454 .bmdma_start = triflex_bmdma_start,
27455 .bmdma_stop = triflex_bmdma_stop,
27456 diff -urNp linux-2.6.32.49/drivers/ata/pata_via.c linux-2.6.32.49/drivers/ata/pata_via.c
27457 --- linux-2.6.32.49/drivers/ata/pata_via.c 2011-11-08 19:02:43.000000000 -0500
27458 +++ linux-2.6.32.49/drivers/ata/pata_via.c 2011-11-15 19:59:43.000000000 -0500
27459 @@ -419,7 +419,7 @@ static struct scsi_host_template via_sht
27460 ATA_BMDMA_SHT(DRV_NAME),
27461 };
27462
27463 -static struct ata_port_operations via_port_ops = {
27464 +static const struct ata_port_operations via_port_ops = {
27465 .inherits = &ata_bmdma_port_ops,
27466 .cable_detect = via_cable_detect,
27467 .set_piomode = via_set_piomode,
27468 @@ -429,7 +429,7 @@ static struct ata_port_operations via_po
27469 .port_start = via_port_start,
27470 };
27471
27472 -static struct ata_port_operations via_port_ops_noirq = {
27473 +static const struct ata_port_operations via_port_ops_noirq = {
27474 .inherits = &via_port_ops,
27475 .sff_data_xfer = ata_sff_data_xfer_noirq,
27476 };
27477 diff -urNp linux-2.6.32.49/drivers/ata/pata_winbond.c linux-2.6.32.49/drivers/ata/pata_winbond.c
27478 --- linux-2.6.32.49/drivers/ata/pata_winbond.c 2011-11-08 19:02:43.000000000 -0500
27479 +++ linux-2.6.32.49/drivers/ata/pata_winbond.c 2011-11-15 19:59:43.000000000 -0500
27480 @@ -125,7 +125,7 @@ static struct scsi_host_template winbond
27481 ATA_PIO_SHT(DRV_NAME),
27482 };
27483
27484 -static struct ata_port_operations winbond_port_ops = {
27485 +static const struct ata_port_operations winbond_port_ops = {
27486 .inherits = &ata_sff_port_ops,
27487 .sff_data_xfer = winbond_data_xfer,
27488 .cable_detect = ata_cable_40wire,
27489 diff -urNp linux-2.6.32.49/drivers/ata/pdc_adma.c linux-2.6.32.49/drivers/ata/pdc_adma.c
27490 --- linux-2.6.32.49/drivers/ata/pdc_adma.c 2011-11-08 19:02:43.000000000 -0500
27491 +++ linux-2.6.32.49/drivers/ata/pdc_adma.c 2011-11-15 19:59:43.000000000 -0500
27492 @@ -145,7 +145,7 @@ static struct scsi_host_template adma_at
27493 .dma_boundary = ADMA_DMA_BOUNDARY,
27494 };
27495
27496 -static struct ata_port_operations adma_ata_ops = {
27497 +static const struct ata_port_operations adma_ata_ops = {
27498 .inherits = &ata_sff_port_ops,
27499
27500 .lost_interrupt = ATA_OP_NULL,
27501 diff -urNp linux-2.6.32.49/drivers/ata/sata_fsl.c linux-2.6.32.49/drivers/ata/sata_fsl.c
27502 --- linux-2.6.32.49/drivers/ata/sata_fsl.c 2011-11-08 19:02:43.000000000 -0500
27503 +++ linux-2.6.32.49/drivers/ata/sata_fsl.c 2011-11-15 19:59:43.000000000 -0500
27504 @@ -1258,7 +1258,7 @@ static struct scsi_host_template sata_fs
27505 .dma_boundary = ATA_DMA_BOUNDARY,
27506 };
27507
27508 -static struct ata_port_operations sata_fsl_ops = {
27509 +static const struct ata_port_operations sata_fsl_ops = {
27510 .inherits = &sata_pmp_port_ops,
27511
27512 .qc_defer = ata_std_qc_defer,
27513 diff -urNp linux-2.6.32.49/drivers/ata/sata_inic162x.c linux-2.6.32.49/drivers/ata/sata_inic162x.c
27514 --- linux-2.6.32.49/drivers/ata/sata_inic162x.c 2011-11-08 19:02:43.000000000 -0500
27515 +++ linux-2.6.32.49/drivers/ata/sata_inic162x.c 2011-11-15 19:59:43.000000000 -0500
27516 @@ -721,7 +721,7 @@ static int inic_port_start(struct ata_po
27517 return 0;
27518 }
27519
27520 -static struct ata_port_operations inic_port_ops = {
27521 +static const struct ata_port_operations inic_port_ops = {
27522 .inherits = &sata_port_ops,
27523
27524 .check_atapi_dma = inic_check_atapi_dma,
27525 diff -urNp linux-2.6.32.49/drivers/ata/sata_mv.c linux-2.6.32.49/drivers/ata/sata_mv.c
27526 --- linux-2.6.32.49/drivers/ata/sata_mv.c 2011-11-08 19:02:43.000000000 -0500
27527 +++ linux-2.6.32.49/drivers/ata/sata_mv.c 2011-11-15 19:59:43.000000000 -0500
27528 @@ -656,7 +656,7 @@ static struct scsi_host_template mv6_sht
27529 .dma_boundary = MV_DMA_BOUNDARY,
27530 };
27531
27532 -static struct ata_port_operations mv5_ops = {
27533 +static const struct ata_port_operations mv5_ops = {
27534 .inherits = &ata_sff_port_ops,
27535
27536 .lost_interrupt = ATA_OP_NULL,
27537 @@ -678,7 +678,7 @@ static struct ata_port_operations mv5_op
27538 .port_stop = mv_port_stop,
27539 };
27540
27541 -static struct ata_port_operations mv6_ops = {
27542 +static const struct ata_port_operations mv6_ops = {
27543 .inherits = &mv5_ops,
27544 .dev_config = mv6_dev_config,
27545 .scr_read = mv_scr_read,
27546 @@ -698,7 +698,7 @@ static struct ata_port_operations mv6_op
27547 .bmdma_status = mv_bmdma_status,
27548 };
27549
27550 -static struct ata_port_operations mv_iie_ops = {
27551 +static const struct ata_port_operations mv_iie_ops = {
27552 .inherits = &mv6_ops,
27553 .dev_config = ATA_OP_NULL,
27554 .qc_prep = mv_qc_prep_iie,
27555 diff -urNp linux-2.6.32.49/drivers/ata/sata_nv.c linux-2.6.32.49/drivers/ata/sata_nv.c
27556 --- linux-2.6.32.49/drivers/ata/sata_nv.c 2011-11-08 19:02:43.000000000 -0500
27557 +++ linux-2.6.32.49/drivers/ata/sata_nv.c 2011-11-15 19:59:43.000000000 -0500
27558 @@ -464,7 +464,7 @@ static struct scsi_host_template nv_swnc
27559 * cases. Define nv_hardreset() which only kicks in for post-boot
27560 * probing and use it for all variants.
27561 */
27562 -static struct ata_port_operations nv_generic_ops = {
27563 +static const struct ata_port_operations nv_generic_ops = {
27564 .inherits = &ata_bmdma_port_ops,
27565 .lost_interrupt = ATA_OP_NULL,
27566 .scr_read = nv_scr_read,
27567 @@ -472,20 +472,20 @@ static struct ata_port_operations nv_gen
27568 .hardreset = nv_hardreset,
27569 };
27570
27571 -static struct ata_port_operations nv_nf2_ops = {
27572 +static const struct ata_port_operations nv_nf2_ops = {
27573 .inherits = &nv_generic_ops,
27574 .freeze = nv_nf2_freeze,
27575 .thaw = nv_nf2_thaw,
27576 };
27577
27578 -static struct ata_port_operations nv_ck804_ops = {
27579 +static const struct ata_port_operations nv_ck804_ops = {
27580 .inherits = &nv_generic_ops,
27581 .freeze = nv_ck804_freeze,
27582 .thaw = nv_ck804_thaw,
27583 .host_stop = nv_ck804_host_stop,
27584 };
27585
27586 -static struct ata_port_operations nv_adma_ops = {
27587 +static const struct ata_port_operations nv_adma_ops = {
27588 .inherits = &nv_ck804_ops,
27589
27590 .check_atapi_dma = nv_adma_check_atapi_dma,
27591 @@ -509,7 +509,7 @@ static struct ata_port_operations nv_adm
27592 .host_stop = nv_adma_host_stop,
27593 };
27594
27595 -static struct ata_port_operations nv_swncq_ops = {
27596 +static const struct ata_port_operations nv_swncq_ops = {
27597 .inherits = &nv_generic_ops,
27598
27599 .qc_defer = ata_std_qc_defer,
27600 diff -urNp linux-2.6.32.49/drivers/ata/sata_promise.c linux-2.6.32.49/drivers/ata/sata_promise.c
27601 --- linux-2.6.32.49/drivers/ata/sata_promise.c 2011-11-08 19:02:43.000000000 -0500
27602 +++ linux-2.6.32.49/drivers/ata/sata_promise.c 2011-11-15 19:59:43.000000000 -0500
27603 @@ -195,7 +195,7 @@ static const struct ata_port_operations
27604 .error_handler = pdc_error_handler,
27605 };
27606
27607 -static struct ata_port_operations pdc_sata_ops = {
27608 +static const struct ata_port_operations pdc_sata_ops = {
27609 .inherits = &pdc_common_ops,
27610 .cable_detect = pdc_sata_cable_detect,
27611 .freeze = pdc_sata_freeze,
27612 @@ -208,14 +208,14 @@ static struct ata_port_operations pdc_sa
27613
27614 /* First-generation chips need a more restrictive ->check_atapi_dma op,
27615 and ->freeze/thaw that ignore the hotplug controls. */
27616 -static struct ata_port_operations pdc_old_sata_ops = {
27617 +static const struct ata_port_operations pdc_old_sata_ops = {
27618 .inherits = &pdc_sata_ops,
27619 .freeze = pdc_freeze,
27620 .thaw = pdc_thaw,
27621 .check_atapi_dma = pdc_old_sata_check_atapi_dma,
27622 };
27623
27624 -static struct ata_port_operations pdc_pata_ops = {
27625 +static const struct ata_port_operations pdc_pata_ops = {
27626 .inherits = &pdc_common_ops,
27627 .cable_detect = pdc_pata_cable_detect,
27628 .freeze = pdc_freeze,
27629 diff -urNp linux-2.6.32.49/drivers/ata/sata_qstor.c linux-2.6.32.49/drivers/ata/sata_qstor.c
27630 --- linux-2.6.32.49/drivers/ata/sata_qstor.c 2011-11-08 19:02:43.000000000 -0500
27631 +++ linux-2.6.32.49/drivers/ata/sata_qstor.c 2011-11-15 19:59:43.000000000 -0500
27632 @@ -132,7 +132,7 @@ static struct scsi_host_template qs_ata_
27633 .dma_boundary = QS_DMA_BOUNDARY,
27634 };
27635
27636 -static struct ata_port_operations qs_ata_ops = {
27637 +static const struct ata_port_operations qs_ata_ops = {
27638 .inherits = &ata_sff_port_ops,
27639
27640 .check_atapi_dma = qs_check_atapi_dma,
27641 diff -urNp linux-2.6.32.49/drivers/ata/sata_sil24.c linux-2.6.32.49/drivers/ata/sata_sil24.c
27642 --- linux-2.6.32.49/drivers/ata/sata_sil24.c 2011-11-08 19:02:43.000000000 -0500
27643 +++ linux-2.6.32.49/drivers/ata/sata_sil24.c 2011-11-15 19:59:43.000000000 -0500
27644 @@ -388,7 +388,7 @@ static struct scsi_host_template sil24_s
27645 .dma_boundary = ATA_DMA_BOUNDARY,
27646 };
27647
27648 -static struct ata_port_operations sil24_ops = {
27649 +static const struct ata_port_operations sil24_ops = {
27650 .inherits = &sata_pmp_port_ops,
27651
27652 .qc_defer = sil24_qc_defer,
27653 diff -urNp linux-2.6.32.49/drivers/ata/sata_sil.c linux-2.6.32.49/drivers/ata/sata_sil.c
27654 --- linux-2.6.32.49/drivers/ata/sata_sil.c 2011-11-08 19:02:43.000000000 -0500
27655 +++ linux-2.6.32.49/drivers/ata/sata_sil.c 2011-11-15 19:59:43.000000000 -0500
27656 @@ -182,7 +182,7 @@ static struct scsi_host_template sil_sht
27657 .sg_tablesize = ATA_MAX_PRD
27658 };
27659
27660 -static struct ata_port_operations sil_ops = {
27661 +static const struct ata_port_operations sil_ops = {
27662 .inherits = &ata_bmdma32_port_ops,
27663 .dev_config = sil_dev_config,
27664 .set_mode = sil_set_mode,
27665 diff -urNp linux-2.6.32.49/drivers/ata/sata_sis.c linux-2.6.32.49/drivers/ata/sata_sis.c
27666 --- linux-2.6.32.49/drivers/ata/sata_sis.c 2011-11-08 19:02:43.000000000 -0500
27667 +++ linux-2.6.32.49/drivers/ata/sata_sis.c 2011-11-15 19:59:43.000000000 -0500
27668 @@ -89,7 +89,7 @@ static struct scsi_host_template sis_sht
27669 ATA_BMDMA_SHT(DRV_NAME),
27670 };
27671
27672 -static struct ata_port_operations sis_ops = {
27673 +static const struct ata_port_operations sis_ops = {
27674 .inherits = &ata_bmdma_port_ops,
27675 .scr_read = sis_scr_read,
27676 .scr_write = sis_scr_write,
27677 diff -urNp linux-2.6.32.49/drivers/ata/sata_svw.c linux-2.6.32.49/drivers/ata/sata_svw.c
27678 --- linux-2.6.32.49/drivers/ata/sata_svw.c 2011-11-08 19:02:43.000000000 -0500
27679 +++ linux-2.6.32.49/drivers/ata/sata_svw.c 2011-11-15 19:59:43.000000000 -0500
27680 @@ -344,7 +344,7 @@ static struct scsi_host_template k2_sata
27681 };
27682
27683
27684 -static struct ata_port_operations k2_sata_ops = {
27685 +static const struct ata_port_operations k2_sata_ops = {
27686 .inherits = &ata_bmdma_port_ops,
27687 .sff_tf_load = k2_sata_tf_load,
27688 .sff_tf_read = k2_sata_tf_read,
27689 diff -urNp linux-2.6.32.49/drivers/ata/sata_sx4.c linux-2.6.32.49/drivers/ata/sata_sx4.c
27690 --- linux-2.6.32.49/drivers/ata/sata_sx4.c 2011-11-08 19:02:43.000000000 -0500
27691 +++ linux-2.6.32.49/drivers/ata/sata_sx4.c 2011-11-15 19:59:43.000000000 -0500
27692 @@ -248,7 +248,7 @@ static struct scsi_host_template pdc_sat
27693 };
27694
27695 /* TODO: inherit from base port_ops after converting to new EH */
27696 -static struct ata_port_operations pdc_20621_ops = {
27697 +static const struct ata_port_operations pdc_20621_ops = {
27698 .inherits = &ata_sff_port_ops,
27699
27700 .check_atapi_dma = pdc_check_atapi_dma,
27701 diff -urNp linux-2.6.32.49/drivers/ata/sata_uli.c linux-2.6.32.49/drivers/ata/sata_uli.c
27702 --- linux-2.6.32.49/drivers/ata/sata_uli.c 2011-11-08 19:02:43.000000000 -0500
27703 +++ linux-2.6.32.49/drivers/ata/sata_uli.c 2011-11-15 19:59:43.000000000 -0500
27704 @@ -79,7 +79,7 @@ static struct scsi_host_template uli_sht
27705 ATA_BMDMA_SHT(DRV_NAME),
27706 };
27707
27708 -static struct ata_port_operations uli_ops = {
27709 +static const struct ata_port_operations uli_ops = {
27710 .inherits = &ata_bmdma_port_ops,
27711 .scr_read = uli_scr_read,
27712 .scr_write = uli_scr_write,
27713 diff -urNp linux-2.6.32.49/drivers/ata/sata_via.c linux-2.6.32.49/drivers/ata/sata_via.c
27714 --- linux-2.6.32.49/drivers/ata/sata_via.c 2011-11-08 19:02:43.000000000 -0500
27715 +++ linux-2.6.32.49/drivers/ata/sata_via.c 2011-11-15 19:59:43.000000000 -0500
27716 @@ -115,32 +115,32 @@ static struct scsi_host_template svia_sh
27717 ATA_BMDMA_SHT(DRV_NAME),
27718 };
27719
27720 -static struct ata_port_operations svia_base_ops = {
27721 +static const struct ata_port_operations svia_base_ops = {
27722 .inherits = &ata_bmdma_port_ops,
27723 .sff_tf_load = svia_tf_load,
27724 };
27725
27726 -static struct ata_port_operations vt6420_sata_ops = {
27727 +static const struct ata_port_operations vt6420_sata_ops = {
27728 .inherits = &svia_base_ops,
27729 .freeze = svia_noop_freeze,
27730 .prereset = vt6420_prereset,
27731 .bmdma_start = vt6420_bmdma_start,
27732 };
27733
27734 -static struct ata_port_operations vt6421_pata_ops = {
27735 +static const struct ata_port_operations vt6421_pata_ops = {
27736 .inherits = &svia_base_ops,
27737 .cable_detect = vt6421_pata_cable_detect,
27738 .set_piomode = vt6421_set_pio_mode,
27739 .set_dmamode = vt6421_set_dma_mode,
27740 };
27741
27742 -static struct ata_port_operations vt6421_sata_ops = {
27743 +static const struct ata_port_operations vt6421_sata_ops = {
27744 .inherits = &svia_base_ops,
27745 .scr_read = svia_scr_read,
27746 .scr_write = svia_scr_write,
27747 };
27748
27749 -static struct ata_port_operations vt8251_ops = {
27750 +static const struct ata_port_operations vt8251_ops = {
27751 .inherits = &svia_base_ops,
27752 .hardreset = sata_std_hardreset,
27753 .scr_read = vt8251_scr_read,
27754 diff -urNp linux-2.6.32.49/drivers/ata/sata_vsc.c linux-2.6.32.49/drivers/ata/sata_vsc.c
27755 --- linux-2.6.32.49/drivers/ata/sata_vsc.c 2011-11-08 19:02:43.000000000 -0500
27756 +++ linux-2.6.32.49/drivers/ata/sata_vsc.c 2011-11-15 19:59:43.000000000 -0500
27757 @@ -306,7 +306,7 @@ static struct scsi_host_template vsc_sat
27758 };
27759
27760
27761 -static struct ata_port_operations vsc_sata_ops = {
27762 +static const struct ata_port_operations vsc_sata_ops = {
27763 .inherits = &ata_bmdma_port_ops,
27764 /* The IRQ handling is not quite standard SFF behaviour so we
27765 cannot use the default lost interrupt handler */
27766 diff -urNp linux-2.6.32.49/drivers/atm/adummy.c linux-2.6.32.49/drivers/atm/adummy.c
27767 --- linux-2.6.32.49/drivers/atm/adummy.c 2011-11-08 19:02:43.000000000 -0500
27768 +++ linux-2.6.32.49/drivers/atm/adummy.c 2011-11-15 19:59:43.000000000 -0500
27769 @@ -77,7 +77,7 @@ adummy_send(struct atm_vcc *vcc, struct
27770 vcc->pop(vcc, skb);
27771 else
27772 dev_kfree_skb_any(skb);
27773 - atomic_inc(&vcc->stats->tx);
27774 + atomic_inc_unchecked(&vcc->stats->tx);
27775
27776 return 0;
27777 }
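Review bot: Nothing at this call site says why `vcc->stats->tx` is exempt from overflow checking, so a later reader cannot tell a deliberate opt-out from an oversight; a one-line comment such as `/* statistics counter, may wrap; not a reference count */` would record it. The `_unchecked` call also only type-checks if the `stats` fields are declared as `atomic_unchecked_t`, and that declaration is outside this hunk, so it should be confirmed in the header that defines them. The same applies to the other `vcc->stats` conversions in the drivers/atm hunks that follow (ambassador.c through iphase.c). Counters that account for resources rather than traffic, such as `sk_wmem_alloc` in the fore200e.c and idt77252.c context lines, correctly stay on the checked API. The body of adummy_send starts outside the hunk.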
27778 diff -urNp linux-2.6.32.49/drivers/atm/ambassador.c linux-2.6.32.49/drivers/atm/ambassador.c
27779 --- linux-2.6.32.49/drivers/atm/ambassador.c 2011-11-08 19:02:43.000000000 -0500
27780 +++ linux-2.6.32.49/drivers/atm/ambassador.c 2011-11-15 19:59:43.000000000 -0500
27781 @@ -453,7 +453,7 @@ static void tx_complete (amb_dev * dev,
27782 PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
27783
27784 // VC layer stats
27785 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
27786 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
27787
27788 // free the descriptor
27789 kfree (tx_descr);
27790 @@ -494,7 +494,7 @@ static void rx_complete (amb_dev * dev,
27791 dump_skb ("<<<", vc, skb);
27792
27793 // VC layer stats
27794 - atomic_inc(&atm_vcc->stats->rx);
27795 + atomic_inc_unchecked(&atm_vcc->stats->rx);
27796 __net_timestamp(skb);
27797 // end of our responsability
27798 atm_vcc->push (atm_vcc, skb);
27799 @@ -509,7 +509,7 @@ static void rx_complete (amb_dev * dev,
27800 } else {
27801 PRINTK (KERN_INFO, "dropped over-size frame");
27802 // should we count this?
27803 - atomic_inc(&atm_vcc->stats->rx_drop);
27804 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
27805 }
27806
27807 } else {
27808 @@ -1341,7 +1341,7 @@ static int amb_send (struct atm_vcc * at
27809 }
27810
27811 if (check_area (skb->data, skb->len)) {
27812 - atomic_inc(&atm_vcc->stats->tx_err);
27813 + atomic_inc_unchecked(&atm_vcc->stats->tx_err);
27814 return -ENOMEM; // ?
27815 }
27816
27817 diff -urNp linux-2.6.32.49/drivers/atm/atmtcp.c linux-2.6.32.49/drivers/atm/atmtcp.c
27818 --- linux-2.6.32.49/drivers/atm/atmtcp.c 2011-11-08 19:02:43.000000000 -0500
27819 +++ linux-2.6.32.49/drivers/atm/atmtcp.c 2011-11-15 19:59:43.000000000 -0500
27820 @@ -206,7 +206,7 @@ static int atmtcp_v_send(struct atm_vcc
27821 if (vcc->pop) vcc->pop(vcc,skb);
27822 else dev_kfree_skb(skb);
27823 if (dev_data) return 0;
27824 - atomic_inc(&vcc->stats->tx_err);
27825 + atomic_inc_unchecked(&vcc->stats->tx_err);
27826 return -ENOLINK;
27827 }
27828 size = skb->len+sizeof(struct atmtcp_hdr);
27829 @@ -214,7 +214,7 @@ static int atmtcp_v_send(struct atm_vcc
27830 if (!new_skb) {
27831 if (vcc->pop) vcc->pop(vcc,skb);
27832 else dev_kfree_skb(skb);
27833 - atomic_inc(&vcc->stats->tx_err);
27834 + atomic_inc_unchecked(&vcc->stats->tx_err);
27835 return -ENOBUFS;
27836 }
27837 hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
27838 @@ -225,8 +225,8 @@ static int atmtcp_v_send(struct atm_vcc
27839 if (vcc->pop) vcc->pop(vcc,skb);
27840 else dev_kfree_skb(skb);
27841 out_vcc->push(out_vcc,new_skb);
27842 - atomic_inc(&vcc->stats->tx);
27843 - atomic_inc(&out_vcc->stats->rx);
27844 + atomic_inc_unchecked(&vcc->stats->tx);
27845 + atomic_inc_unchecked(&out_vcc->stats->rx);
27846 return 0;
27847 }
27848
27849 @@ -300,7 +300,7 @@ static int atmtcp_c_send(struct atm_vcc
27850 out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
27851 read_unlock(&vcc_sklist_lock);
27852 if (!out_vcc) {
27853 - atomic_inc(&vcc->stats->tx_err);
27854 + atomic_inc_unchecked(&vcc->stats->tx_err);
27855 goto done;
27856 }
27857 skb_pull(skb,sizeof(struct atmtcp_hdr));
27858 @@ -312,8 +312,8 @@ static int atmtcp_c_send(struct atm_vcc
27859 __net_timestamp(new_skb);
27860 skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
27861 out_vcc->push(out_vcc,new_skb);
27862 - atomic_inc(&vcc->stats->tx);
27863 - atomic_inc(&out_vcc->stats->rx);
27864 + atomic_inc_unchecked(&vcc->stats->tx);
27865 + atomic_inc_unchecked(&out_vcc->stats->rx);
27866 done:
27867 if (vcc->pop) vcc->pop(vcc,skb);
27868 else dev_kfree_skb(skb);
27869 diff -urNp linux-2.6.32.49/drivers/atm/eni.c linux-2.6.32.49/drivers/atm/eni.c
27870 --- linux-2.6.32.49/drivers/atm/eni.c 2011-11-08 19:02:43.000000000 -0500
27871 +++ linux-2.6.32.49/drivers/atm/eni.c 2011-11-18 18:01:52.000000000 -0500
27872 @@ -525,7 +525,7 @@ static int rx_aal0(struct atm_vcc *vcc)
27873 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
27874 vcc->dev->number);
27875 length = 0;
27876 - atomic_inc(&vcc->stats->rx_err);
27877 + atomic_inc_unchecked(&vcc->stats->rx_err);
27878 }
27879 else {
27880 length = ATM_CELL_SIZE-1; /* no HEC */
27881 @@ -580,7 +580,7 @@ static int rx_aal5(struct atm_vcc *vcc)
27882 size);
27883 }
27884 eff = length = 0;
27885 - atomic_inc(&vcc->stats->rx_err);
27886 + atomic_inc_unchecked(&vcc->stats->rx_err);
27887 }
27888 else {
27889 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
27890 @@ -597,7 +597,7 @@ static int rx_aal5(struct atm_vcc *vcc)
27891 "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
27892 vcc->dev->number,vcc->vci,length,size << 2,descr);
27893 length = eff = 0;
27894 - atomic_inc(&vcc->stats->rx_err);
27895 + atomic_inc_unchecked(&vcc->stats->rx_err);
27896 }
27897 }
27898 skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
27899 @@ -770,7 +770,7 @@ rx_dequeued++;
27900 vcc->push(vcc,skb);
27901 pushed++;
27902 }
27903 - atomic_inc(&vcc->stats->rx);
27904 + atomic_inc_unchecked(&vcc->stats->rx);
27905 }
27906 wake_up(&eni_dev->rx_wait);
27907 }
27908 @@ -1227,7 +1227,7 @@ static void dequeue_tx(struct atm_dev *d
27909 PCI_DMA_TODEVICE);
27910 if (vcc->pop) vcc->pop(vcc,skb);
27911 else dev_kfree_skb_irq(skb);
27912 - atomic_inc(&vcc->stats->tx);
27913 + atomic_inc_unchecked(&vcc->stats->tx);
27914 wake_up(&eni_dev->tx_wait);
27915 dma_complete++;
27916 }
27917 @@ -1570,7 +1570,7 @@ tx_complete++;
27918 /*--------------------------------- entries ---------------------------------*/
27919
27920
27921 -static const char *media_name[] __devinitdata = {
27922 +static const char *media_name[] __devinitconst = {
27923 "MMF", "SMF", "MMF", "03?", /* 0- 3 */
27924 "UTP", "05?", "06?", "07?", /* 4- 7 */
27925 "TAXI","09?", "10?", "11?", /* 8-11 */
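Review bot: `media_name` is still an array of writable pointers (`const char *`), so moving it from `__devinitdata` to `__devinitconst` places a non-const object in a read-only init section. GCC can reject that with a section type conflict when a genuinely const object shares the section in the same file. Declaring the pointers const as well keeps type and section in agreement: `static const char * const media_name[] __devinitconst = {`. The initializer continues outside the hunk.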
27926 diff -urNp linux-2.6.32.49/drivers/atm/firestream.c linux-2.6.32.49/drivers/atm/firestream.c
27927 --- linux-2.6.32.49/drivers/atm/firestream.c 2011-11-08 19:02:43.000000000 -0500
27928 +++ linux-2.6.32.49/drivers/atm/firestream.c 2011-11-15 19:59:43.000000000 -0500
27929 @@ -748,7 +748,7 @@ static void process_txdone_queue (struct
27930 }
27931 }
27932
27933 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
27934 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
27935
27936 fs_dprintk (FS_DEBUG_TXMEM, "i");
27937 fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
27938 @@ -815,7 +815,7 @@ static void process_incoming (struct fs_
27939 #endif
27940 skb_put (skb, qe->p1 & 0xffff);
27941 ATM_SKB(skb)->vcc = atm_vcc;
27942 - atomic_inc(&atm_vcc->stats->rx);
27943 + atomic_inc_unchecked(&atm_vcc->stats->rx);
27944 __net_timestamp(skb);
27945 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
27946 atm_vcc->push (atm_vcc, skb);
27947 @@ -836,12 +836,12 @@ static void process_incoming (struct fs_
27948 kfree (pe);
27949 }
27950 if (atm_vcc)
27951 - atomic_inc(&atm_vcc->stats->rx_drop);
27952 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
27953 break;
27954 case 0x1f: /* Reassembly abort: no buffers. */
27955 /* Silently increment error counter. */
27956 if (atm_vcc)
27957 - atomic_inc(&atm_vcc->stats->rx_drop);
27958 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
27959 break;
27960 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
27961 printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",
27962 diff -urNp linux-2.6.32.49/drivers/atm/fore200e.c linux-2.6.32.49/drivers/atm/fore200e.c
27963 --- linux-2.6.32.49/drivers/atm/fore200e.c 2011-11-08 19:02:43.000000000 -0500
27964 +++ linux-2.6.32.49/drivers/atm/fore200e.c 2011-11-15 19:59:43.000000000 -0500
27965 @@ -931,9 +931,9 @@ fore200e_tx_irq(struct fore200e* fore200
27966 #endif
27967 /* check error condition */
27968 if (*entry->status & STATUS_ERROR)
27969 - atomic_inc(&vcc->stats->tx_err);
27970 + atomic_inc_unchecked(&vcc->stats->tx_err);
27971 else
27972 - atomic_inc(&vcc->stats->tx);
27973 + atomic_inc_unchecked(&vcc->stats->tx);
27974 }
27975 }
27976
27977 @@ -1082,7 +1082,7 @@ fore200e_push_rpd(struct fore200e* fore2
27978 if (skb == NULL) {
27979 DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
27980
27981 - atomic_inc(&vcc->stats->rx_drop);
27982 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27983 return -ENOMEM;
27984 }
27985
27986 @@ -1125,14 +1125,14 @@ fore200e_push_rpd(struct fore200e* fore2
27987
27988 dev_kfree_skb_any(skb);
27989
27990 - atomic_inc(&vcc->stats->rx_drop);
27991 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27992 return -ENOMEM;
27993 }
27994
27995 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
27996
27997 vcc->push(vcc, skb);
27998 - atomic_inc(&vcc->stats->rx);
27999 + atomic_inc_unchecked(&vcc->stats->rx);
28000
28001 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
28002
28003 @@ -1210,7 +1210,7 @@ fore200e_rx_irq(struct fore200e* fore200
28004 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
28005 fore200e->atm_dev->number,
28006 entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
28007 - atomic_inc(&vcc->stats->rx_err);
28008 + atomic_inc_unchecked(&vcc->stats->rx_err);
28009 }
28010 }
28011
28012 @@ -1655,7 +1655,7 @@ fore200e_send(struct atm_vcc *vcc, struc
28013 goto retry_here;
28014 }
28015
28016 - atomic_inc(&vcc->stats->tx_err);
28017 + atomic_inc_unchecked(&vcc->stats->tx_err);
28018
28019 fore200e->tx_sat++;
28020 DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
28021 diff -urNp linux-2.6.32.49/drivers/atm/he.c linux-2.6.32.49/drivers/atm/he.c
28022 --- linux-2.6.32.49/drivers/atm/he.c 2011-11-08 19:02:43.000000000 -0500
28023 +++ linux-2.6.32.49/drivers/atm/he.c 2011-11-15 19:59:43.000000000 -0500
28024 @@ -1769,7 +1769,7 @@ he_service_rbrq(struct he_dev *he_dev, i
28025
28026 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
28027 hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
28028 - atomic_inc(&vcc->stats->rx_drop);
28029 + atomic_inc_unchecked(&vcc->stats->rx_drop);
28030 goto return_host_buffers;
28031 }
28032
28033 @@ -1802,7 +1802,7 @@ he_service_rbrq(struct he_dev *he_dev, i
28034 RBRQ_LEN_ERR(he_dev->rbrq_head)
28035 ? "LEN_ERR" : "",
28036 vcc->vpi, vcc->vci);
28037 - atomic_inc(&vcc->stats->rx_err);
28038 + atomic_inc_unchecked(&vcc->stats->rx_err);
28039 goto return_host_buffers;
28040 }
28041
28042 @@ -1861,7 +1861,7 @@ he_service_rbrq(struct he_dev *he_dev, i
28043 vcc->push(vcc, skb);
28044 spin_lock(&he_dev->global_lock);
28045
28046 - atomic_inc(&vcc->stats->rx);
28047 + atomic_inc_unchecked(&vcc->stats->rx);
28048
28049 return_host_buffers:
28050 ++pdus_assembled;
28051 @@ -2206,7 +2206,7 @@ __enqueue_tpd(struct he_dev *he_dev, str
28052 tpd->vcc->pop(tpd->vcc, tpd->skb);
28053 else
28054 dev_kfree_skb_any(tpd->skb);
28055 - atomic_inc(&tpd->vcc->stats->tx_err);
28056 + atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
28057 }
28058 pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
28059 return;
28060 @@ -2618,7 +2618,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
28061 vcc->pop(vcc, skb);
28062 else
28063 dev_kfree_skb_any(skb);
28064 - atomic_inc(&vcc->stats->tx_err);
28065 + atomic_inc_unchecked(&vcc->stats->tx_err);
28066 return -EINVAL;
28067 }
28068
28069 @@ -2629,7 +2629,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
28070 vcc->pop(vcc, skb);
28071 else
28072 dev_kfree_skb_any(skb);
28073 - atomic_inc(&vcc->stats->tx_err);
28074 + atomic_inc_unchecked(&vcc->stats->tx_err);
28075 return -EINVAL;
28076 }
28077 #endif
28078 @@ -2641,7 +2641,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
28079 vcc->pop(vcc, skb);
28080 else
28081 dev_kfree_skb_any(skb);
28082 - atomic_inc(&vcc->stats->tx_err);
28083 + atomic_inc_unchecked(&vcc->stats->tx_err);
28084 spin_unlock_irqrestore(&he_dev->global_lock, flags);
28085 return -ENOMEM;
28086 }
28087 @@ -2683,7 +2683,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
28088 vcc->pop(vcc, skb);
28089 else
28090 dev_kfree_skb_any(skb);
28091 - atomic_inc(&vcc->stats->tx_err);
28092 + atomic_inc_unchecked(&vcc->stats->tx_err);
28093 spin_unlock_irqrestore(&he_dev->global_lock, flags);
28094 return -ENOMEM;
28095 }
28096 @@ -2714,7 +2714,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
28097 __enqueue_tpd(he_dev, tpd, cid);
28098 spin_unlock_irqrestore(&he_dev->global_lock, flags);
28099
28100 - atomic_inc(&vcc->stats->tx);
28101 + atomic_inc_unchecked(&vcc->stats->tx);
28102
28103 return 0;
28104 }
28105 diff -urNp linux-2.6.32.49/drivers/atm/horizon.c linux-2.6.32.49/drivers/atm/horizon.c
28106 --- linux-2.6.32.49/drivers/atm/horizon.c 2011-11-08 19:02:43.000000000 -0500
28107 +++ linux-2.6.32.49/drivers/atm/horizon.c 2011-11-15 19:59:43.000000000 -0500
28108 @@ -1033,7 +1033,7 @@ static void rx_schedule (hrz_dev * dev,
28109 {
28110 struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
28111 // VC layer stats
28112 - atomic_inc(&vcc->stats->rx);
28113 + atomic_inc_unchecked(&vcc->stats->rx);
28114 __net_timestamp(skb);
28115 // end of our responsability
28116 vcc->push (vcc, skb);
28117 @@ -1185,7 +1185,7 @@ static void tx_schedule (hrz_dev * const
28118 dev->tx_iovec = NULL;
28119
28120 // VC layer stats
28121 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
28122 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
28123
28124 // free the skb
28125 hrz_kfree_skb (skb);
28126 diff -urNp linux-2.6.32.49/drivers/atm/idt77252.c linux-2.6.32.49/drivers/atm/idt77252.c
28127 --- linux-2.6.32.49/drivers/atm/idt77252.c 2011-11-08 19:02:43.000000000 -0500
28128 +++ linux-2.6.32.49/drivers/atm/idt77252.c 2011-11-15 19:59:43.000000000 -0500
28129 @@ -810,7 +810,7 @@ drain_scq(struct idt77252_dev *card, str
28130 else
28131 dev_kfree_skb(skb);
28132
28133 - atomic_inc(&vcc->stats->tx);
28134 + atomic_inc_unchecked(&vcc->stats->tx);
28135 }
28136
28137 atomic_dec(&scq->used);
28138 @@ -1073,13 +1073,13 @@ dequeue_rx(struct idt77252_dev *card, st
28139 if ((sb = dev_alloc_skb(64)) == NULL) {
28140 printk("%s: Can't allocate buffers for aal0.\n",
28141 card->name);
28142 - atomic_add(i, &vcc->stats->rx_drop);
28143 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
28144 break;
28145 }
28146 if (!atm_charge(vcc, sb->truesize)) {
28147 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
28148 card->name);
28149 - atomic_add(i - 1, &vcc->stats->rx_drop);
28150 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
28151 dev_kfree_skb(sb);
28152 break;
28153 }
28154 @@ -1096,7 +1096,7 @@ dequeue_rx(struct idt77252_dev *card, st
28155 ATM_SKB(sb)->vcc = vcc;
28156 __net_timestamp(sb);
28157 vcc->push(vcc, sb);
28158 - atomic_inc(&vcc->stats->rx);
28159 + atomic_inc_unchecked(&vcc->stats->rx);
28160
28161 cell += ATM_CELL_PAYLOAD;
28162 }
28163 @@ -1133,13 +1133,13 @@ dequeue_rx(struct idt77252_dev *card, st
28164 "(CDC: %08x)\n",
28165 card->name, len, rpp->len, readl(SAR_REG_CDC));
28166 recycle_rx_pool_skb(card, rpp);
28167 - atomic_inc(&vcc->stats->rx_err);
28168 + atomic_inc_unchecked(&vcc->stats->rx_err);
28169 return;
28170 }
28171 if (stat & SAR_RSQE_CRC) {
28172 RXPRINTK("%s: AAL5 CRC error.\n", card->name);
28173 recycle_rx_pool_skb(card, rpp);
28174 - atomic_inc(&vcc->stats->rx_err);
28175 + atomic_inc_unchecked(&vcc->stats->rx_err);
28176 return;
28177 }
28178 if (skb_queue_len(&rpp->queue) > 1) {
28179 @@ -1150,7 +1150,7 @@ dequeue_rx(struct idt77252_dev *card, st
28180 RXPRINTK("%s: Can't alloc RX skb.\n",
28181 card->name);
28182 recycle_rx_pool_skb(card, rpp);
28183 - atomic_inc(&vcc->stats->rx_err);
28184 + atomic_inc_unchecked(&vcc->stats->rx_err);
28185 return;
28186 }
28187 if (!atm_charge(vcc, skb->truesize)) {
28188 @@ -1169,7 +1169,7 @@ dequeue_rx(struct idt77252_dev *card, st
28189 __net_timestamp(skb);
28190
28191 vcc->push(vcc, skb);
28192 - atomic_inc(&vcc->stats->rx);
28193 + atomic_inc_unchecked(&vcc->stats->rx);
28194
28195 return;
28196 }
28197 @@ -1191,7 +1191,7 @@ dequeue_rx(struct idt77252_dev *card, st
28198 __net_timestamp(skb);
28199
28200 vcc->push(vcc, skb);
28201 - atomic_inc(&vcc->stats->rx);
28202 + atomic_inc_unchecked(&vcc->stats->rx);
28203
28204 if (skb->truesize > SAR_FB_SIZE_3)
28205 add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
28206 @@ -1303,14 +1303,14 @@ idt77252_rx_raw(struct idt77252_dev *car
28207 if (vcc->qos.aal != ATM_AAL0) {
28208 RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
28209 card->name, vpi, vci);
28210 - atomic_inc(&vcc->stats->rx_drop);
28211 + atomic_inc_unchecked(&vcc->stats->rx_drop);
28212 goto drop;
28213 }
28214
28215 if ((sb = dev_alloc_skb(64)) == NULL) {
28216 printk("%s: Can't allocate buffers for AAL0.\n",
28217 card->name);
28218 - atomic_inc(&vcc->stats->rx_err);
28219 + atomic_inc_unchecked(&vcc->stats->rx_err);
28220 goto drop;
28221 }
28222
28223 @@ -1329,7 +1329,7 @@ idt77252_rx_raw(struct idt77252_dev *car
28224 ATM_SKB(sb)->vcc = vcc;
28225 __net_timestamp(sb);
28226 vcc->push(vcc, sb);
28227 - atomic_inc(&vcc->stats->rx);
28228 + atomic_inc_unchecked(&vcc->stats->rx);
28229
28230 drop:
28231 skb_pull(queue, 64);
28232 @@ -1954,13 +1954,13 @@ idt77252_send_skb(struct atm_vcc *vcc, s
28233
28234 if (vc == NULL) {
28235 printk("%s: NULL connection in send().\n", card->name);
28236 - atomic_inc(&vcc->stats->tx_err);
28237 + atomic_inc_unchecked(&vcc->stats->tx_err);
28238 dev_kfree_skb(skb);
28239 return -EINVAL;
28240 }
28241 if (!test_bit(VCF_TX, &vc->flags)) {
28242 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
28243 - atomic_inc(&vcc->stats->tx_err);
28244 + atomic_inc_unchecked(&vcc->stats->tx_err);
28245 dev_kfree_skb(skb);
28246 return -EINVAL;
28247 }
28248 @@ -1972,14 +1972,14 @@ idt77252_send_skb(struct atm_vcc *vcc, s
28249 break;
28250 default:
28251 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
28252 - atomic_inc(&vcc->stats->tx_err);
28253 + atomic_inc_unchecked(&vcc->stats->tx_err);
28254 dev_kfree_skb(skb);
28255 return -EINVAL;
28256 }
28257
28258 if (skb_shinfo(skb)->nr_frags != 0) {
28259 printk("%s: No scatter-gather yet.\n", card->name);
28260 - atomic_inc(&vcc->stats->tx_err);
28261 + atomic_inc_unchecked(&vcc->stats->tx_err);
28262 dev_kfree_skb(skb);
28263 return -EINVAL;
28264 }
28265 @@ -1987,7 +1987,7 @@ idt77252_send_skb(struct atm_vcc *vcc, s
28266
28267 err = queue_skb(card, vc, skb, oam);
28268 if (err) {
28269 - atomic_inc(&vcc->stats->tx_err);
28270 + atomic_inc_unchecked(&vcc->stats->tx_err);
28271 dev_kfree_skb(skb);
28272 return err;
28273 }
28274 @@ -2010,7 +2010,7 @@ idt77252_send_oam(struct atm_vcc *vcc, v
28275 skb = dev_alloc_skb(64);
28276 if (!skb) {
28277 printk("%s: Out of memory in send_oam().\n", card->name);
28278 - atomic_inc(&vcc->stats->tx_err);
28279 + atomic_inc_unchecked(&vcc->stats->tx_err);
28280 return -ENOMEM;
28281 }
28282 atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
28283 diff -urNp linux-2.6.32.49/drivers/atm/iphase.c linux-2.6.32.49/drivers/atm/iphase.c
28284 --- linux-2.6.32.49/drivers/atm/iphase.c 2011-11-08 19:02:43.000000000 -0500
28285 +++ linux-2.6.32.49/drivers/atm/iphase.c 2011-11-15 19:59:43.000000000 -0500
28286 @@ -1123,7 +1123,7 @@ static int rx_pkt(struct atm_dev *dev)
28287 status = (u_short) (buf_desc_ptr->desc_mode);
28288 if (status & (RX_CER | RX_PTE | RX_OFL))
28289 {
28290 - atomic_inc(&vcc->stats->rx_err);
28291 + atomic_inc_unchecked(&vcc->stats->rx_err);
28292 IF_ERR(printk("IA: bad packet, dropping it");)
28293 if (status & RX_CER) {
28294 IF_ERR(printk(" cause: packet CRC error\n");)
28295 @@ -1146,7 +1146,7 @@ static int rx_pkt(struct atm_dev *dev)
28296 len = dma_addr - buf_addr;
28297 if (len > iadev->rx_buf_sz) {
28298 printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
28299 - atomic_inc(&vcc->stats->rx_err);
28300 + atomic_inc_unchecked(&vcc->stats->rx_err);
28301 goto out_free_desc;
28302 }
28303
28304 @@ -1296,7 +1296,7 @@ static void rx_dle_intr(struct atm_dev *
28305 ia_vcc = INPH_IA_VCC(vcc);
28306 if (ia_vcc == NULL)
28307 {
28308 - atomic_inc(&vcc->stats->rx_err);
28309 + atomic_inc_unchecked(&vcc->stats->rx_err);
28310 dev_kfree_skb_any(skb);
28311 atm_return(vcc, atm_guess_pdu2truesize(len));
28312 goto INCR_DLE;
28313 @@ -1308,7 +1308,7 @@ static void rx_dle_intr(struct atm_dev *
28314 if ((length > iadev->rx_buf_sz) || (length >
28315 (skb->len - sizeof(struct cpcs_trailer))))
28316 {
28317 - atomic_inc(&vcc->stats->rx_err);
28318 + atomic_inc_unchecked(&vcc->stats->rx_err);
28319 IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
28320 length, skb->len);)
28321 dev_kfree_skb_any(skb);
28322 @@ -1324,7 +1324,7 @@ static void rx_dle_intr(struct atm_dev *
28323
28324 IF_RX(printk("rx_dle_intr: skb push");)
28325 vcc->push(vcc,skb);
28326 - atomic_inc(&vcc->stats->rx);
28327 + atomic_inc_unchecked(&vcc->stats->rx);
28328 iadev->rx_pkt_cnt++;
28329 }
28330 INCR_DLE:
28331 @@ -2806,15 +2806,15 @@ static int ia_ioctl(struct atm_dev *dev,
28332 {
28333 struct k_sonet_stats *stats;
28334 stats = &PRIV(_ia_dev[board])->sonet_stats;
28335 - printk("section_bip: %d\n", atomic_read(&stats->section_bip));
28336 - printk("line_bip : %d\n", atomic_read(&stats->line_bip));
28337 - printk("path_bip : %d\n", atomic_read(&stats->path_bip));
28338 - printk("line_febe : %d\n", atomic_read(&stats->line_febe));
28339 - printk("path_febe : %d\n", atomic_read(&stats->path_febe));
28340 - printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
28341 - printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
28342 - printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
28343 - printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
28344 + printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
28345 + printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
28346 + printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
28347 + printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
28348 + printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
28349 + printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
28350 + printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
28351 + printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
28352 + printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
28353 }
28354 ia_cmds.status = 0;
28355 break;
28356 @@ -2919,7 +2919,7 @@ static int ia_pkt_tx (struct atm_vcc *vc
28357 if ((desc == 0) || (desc > iadev->num_tx_desc))
28358 {
28359 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
28360 - atomic_inc(&vcc->stats->tx);
28361 + atomic_inc_unchecked(&vcc->stats->tx);
28362 if (vcc->pop)
28363 vcc->pop(vcc, skb);
28364 else
28365 @@ -3024,14 +3024,14 @@ static int ia_pkt_tx (struct atm_vcc *vc
28366 ATM_DESC(skb) = vcc->vci;
28367 skb_queue_tail(&iadev->tx_dma_q, skb);
28368
28369 - atomic_inc(&vcc->stats->tx);
28370 + atomic_inc_unchecked(&vcc->stats->tx);
28371 iadev->tx_pkt_cnt++;
28372 /* Increment transaction counter */
28373 writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
28374
28375 #if 0
28376 /* add flow control logic */
28377 - if (atomic_read(&vcc->stats->tx) % 20 == 0) {
28378 + if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
28379 if (iavcc->vc_desc_cnt > 10) {
28380 vcc->tx_quota = vcc->tx_quota * 3 / 4;
28381 printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
28382 diff -urNp linux-2.6.32.49/drivers/atm/lanai.c linux-2.6.32.49/drivers/atm/lanai.c
28383 --- linux-2.6.32.49/drivers/atm/lanai.c 2011-11-08 19:02:43.000000000 -0500
28384 +++ linux-2.6.32.49/drivers/atm/lanai.c 2011-11-15 19:59:43.000000000 -0500
28385 @@ -1305,7 +1305,7 @@ static void lanai_send_one_aal5(struct l
28386 vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
28387 lanai_endtx(lanai, lvcc);
28388 lanai_free_skb(lvcc->tx.atmvcc, skb);
28389 - atomic_inc(&lvcc->tx.atmvcc->stats->tx);
28390 + atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
28391 }
28392
28393 /* Try to fill the buffer - don't call unless there is backlog */
28394 @@ -1428,7 +1428,7 @@ static void vcc_rx_aal5(struct lanai_vcc
28395 ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
28396 __net_timestamp(skb);
28397 lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
28398 - atomic_inc(&lvcc->rx.atmvcc->stats->rx);
28399 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
28400 out:
28401 lvcc->rx.buf.ptr = end;
28402 cardvcc_write(lvcc, endptr, vcc_rxreadptr);
28403 @@ -1670,7 +1670,7 @@ static int handle_service(struct lanai_d
28404 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
28405 "vcc %d\n", lanai->number, (unsigned int) s, vci);
28406 lanai->stats.service_rxnotaal5++;
28407 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
28408 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
28409 return 0;
28410 }
28411 if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
28412 @@ -1682,7 +1682,7 @@ static int handle_service(struct lanai_d
28413 int bytes;
28414 read_unlock(&vcc_sklist_lock);
28415 DPRINTK("got trashed rx pdu on vci %d\n", vci);
28416 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
28417 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
28418 lvcc->stats.x.aal5.service_trash++;
28419 bytes = (SERVICE_GET_END(s) * 16) -
28420 (((unsigned long) lvcc->rx.buf.ptr) -
28421 @@ -1694,7 +1694,7 @@ static int handle_service(struct lanai_d
28422 }
28423 if (s & SERVICE_STREAM) {
28424 read_unlock(&vcc_sklist_lock);
28425 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
28426 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
28427 lvcc->stats.x.aal5.service_stream++;
28428 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
28429 "PDU on VCI %d!\n", lanai->number, vci);
28430 @@ -1702,7 +1702,7 @@ static int handle_service(struct lanai_d
28431 return 0;
28432 }
28433 DPRINTK("got rx crc error on vci %d\n", vci);
28434 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
28435 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
28436 lvcc->stats.x.aal5.service_rxcrc++;
28437 lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
28438 cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
28439 diff -urNp linux-2.6.32.49/drivers/atm/nicstar.c linux-2.6.32.49/drivers/atm/nicstar.c
28440 --- linux-2.6.32.49/drivers/atm/nicstar.c 2011-11-08 19:02:43.000000000 -0500
28441 +++ linux-2.6.32.49/drivers/atm/nicstar.c 2011-11-15 19:59:43.000000000 -0500
28442 @@ -1723,7 +1723,7 @@ static int ns_send(struct atm_vcc *vcc,
28443 if ((vc = (vc_map *) vcc->dev_data) == NULL)
28444 {
28445 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n", card->index);
28446 - atomic_inc(&vcc->stats->tx_err);
28447 + atomic_inc_unchecked(&vcc->stats->tx_err);
28448 dev_kfree_skb_any(skb);
28449 return -EINVAL;
28450 }
28451 @@ -1731,7 +1731,7 @@ static int ns_send(struct atm_vcc *vcc,
28452 if (!vc->tx)
28453 {
28454 printk("nicstar%d: Trying to transmit on a non-tx VC.\n", card->index);
28455 - atomic_inc(&vcc->stats->tx_err);
28456 + atomic_inc_unchecked(&vcc->stats->tx_err);
28457 dev_kfree_skb_any(skb);
28458 return -EINVAL;
28459 }
28460 @@ -1739,7 +1739,7 @@ static int ns_send(struct atm_vcc *vcc,
28461 if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0)
28462 {
28463 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n", card->index);
28464 - atomic_inc(&vcc->stats->tx_err);
28465 + atomic_inc_unchecked(&vcc->stats->tx_err);
28466 dev_kfree_skb_any(skb);
28467 return -EINVAL;
28468 }
28469 @@ -1747,7 +1747,7 @@ static int ns_send(struct atm_vcc *vcc,
28470 if (skb_shinfo(skb)->nr_frags != 0)
28471 {
28472 printk("nicstar%d: No scatter-gather yet.\n", card->index);
28473 - atomic_inc(&vcc->stats->tx_err);
28474 + atomic_inc_unchecked(&vcc->stats->tx_err);
28475 dev_kfree_skb_any(skb);
28476 return -EINVAL;
28477 }
28478 @@ -1792,11 +1792,11 @@ static int ns_send(struct atm_vcc *vcc,
28479
28480 if (push_scqe(card, vc, scq, &scqe, skb) != 0)
28481 {
28482 - atomic_inc(&vcc->stats->tx_err);
28483 + atomic_inc_unchecked(&vcc->stats->tx_err);
28484 dev_kfree_skb_any(skb);
28485 return -EIO;
28486 }
28487 - atomic_inc(&vcc->stats->tx);
28488 + atomic_inc_unchecked(&vcc->stats->tx);
28489
28490 return 0;
28491 }
28492 @@ -2111,14 +2111,14 @@ static void dequeue_rx(ns_dev *card, ns_
28493 {
28494 printk("nicstar%d: Can't allocate buffers for aal0.\n",
28495 card->index);
28496 - atomic_add(i,&vcc->stats->rx_drop);
28497 + atomic_add_unchecked(i,&vcc->stats->rx_drop);
28498 break;
28499 }
28500 if (!atm_charge(vcc, sb->truesize))
28501 {
28502 RXPRINTK("nicstar%d: atm_charge() dropped aal0 packets.\n",
28503 card->index);
28504 - atomic_add(i-1,&vcc->stats->rx_drop); /* already increased by 1 */
28505 + atomic_add_unchecked(i-1,&vcc->stats->rx_drop); /* already increased by 1 */
28506 dev_kfree_skb_any(sb);
28507 break;
28508 }
28509 @@ -2133,7 +2133,7 @@ static void dequeue_rx(ns_dev *card, ns_
28510 ATM_SKB(sb)->vcc = vcc;
28511 __net_timestamp(sb);
28512 vcc->push(vcc, sb);
28513 - atomic_inc(&vcc->stats->rx);
28514 + atomic_inc_unchecked(&vcc->stats->rx);
28515 cell += ATM_CELL_PAYLOAD;
28516 }
28517
28518 @@ -2152,7 +2152,7 @@ static void dequeue_rx(ns_dev *card, ns_
28519 if (iovb == NULL)
28520 {
28521 printk("nicstar%d: Out of iovec buffers.\n", card->index);
28522 - atomic_inc(&vcc->stats->rx_drop);
28523 + atomic_inc_unchecked(&vcc->stats->rx_drop);
28524 recycle_rx_buf(card, skb);
28525 return;
28526 }
28527 @@ -2182,7 +2182,7 @@ static void dequeue_rx(ns_dev *card, ns_
28528 else if (NS_SKB(iovb)->iovcnt >= NS_MAX_IOVECS)
28529 {
28530 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
28531 - atomic_inc(&vcc->stats->rx_err);
28532 + atomic_inc_unchecked(&vcc->stats->rx_err);
28533 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data, NS_MAX_IOVECS);
28534 NS_SKB(iovb)->iovcnt = 0;
28535 iovb->len = 0;
28536 @@ -2202,7 +2202,7 @@ static void dequeue_rx(ns_dev *card, ns_
28537 printk("nicstar%d: Expected a small buffer, and this is not one.\n",
28538 card->index);
28539 which_list(card, skb);
28540 - atomic_inc(&vcc->stats->rx_err);
28541 + atomic_inc_unchecked(&vcc->stats->rx_err);
28542 recycle_rx_buf(card, skb);
28543 vc->rx_iov = NULL;
28544 recycle_iov_buf(card, iovb);
28545 @@ -2216,7 +2216,7 @@ static void dequeue_rx(ns_dev *card, ns_
28546 printk("nicstar%d: Expected a large buffer, and this is not one.\n",
28547 card->index);
28548 which_list(card, skb);
28549 - atomic_inc(&vcc->stats->rx_err);
28550 + atomic_inc_unchecked(&vcc->stats->rx_err);
28551 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
28552 NS_SKB(iovb)->iovcnt);
28553 vc->rx_iov = NULL;
28554 @@ -2240,7 +2240,7 @@ static void dequeue_rx(ns_dev *card, ns_
28555 printk(" - PDU size mismatch.\n");
28556 else
28557 printk(".\n");
28558 - atomic_inc(&vcc->stats->rx_err);
28559 + atomic_inc_unchecked(&vcc->stats->rx_err);
28560 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
28561 NS_SKB(iovb)->iovcnt);
28562 vc->rx_iov = NULL;
28563 @@ -2256,7 +2256,7 @@ static void dequeue_rx(ns_dev *card, ns_
28564 if (!atm_charge(vcc, skb->truesize))
28565 {
28566 push_rxbufs(card, skb);
28567 - atomic_inc(&vcc->stats->rx_drop);
28568 + atomic_inc_unchecked(&vcc->stats->rx_drop);
28569 }
28570 else
28571 {
28572 @@ -2268,7 +2268,7 @@ static void dequeue_rx(ns_dev *card, ns_
28573 ATM_SKB(skb)->vcc = vcc;
28574 __net_timestamp(skb);
28575 vcc->push(vcc, skb);
28576 - atomic_inc(&vcc->stats->rx);
28577 + atomic_inc_unchecked(&vcc->stats->rx);
28578 }
28579 }
28580 else if (NS_SKB(iovb)->iovcnt == 2) /* One small plus one large buffer */
28581 @@ -2283,7 +2283,7 @@ static void dequeue_rx(ns_dev *card, ns_
28582 if (!atm_charge(vcc, sb->truesize))
28583 {
28584 push_rxbufs(card, sb);
28585 - atomic_inc(&vcc->stats->rx_drop);
28586 + atomic_inc_unchecked(&vcc->stats->rx_drop);
28587 }
28588 else
28589 {
28590 @@ -2295,7 +2295,7 @@ static void dequeue_rx(ns_dev *card, ns_
28591 ATM_SKB(sb)->vcc = vcc;
28592 __net_timestamp(sb);
28593 vcc->push(vcc, sb);
28594 - atomic_inc(&vcc->stats->rx);
28595 + atomic_inc_unchecked(&vcc->stats->rx);
28596 }
28597
28598 push_rxbufs(card, skb);
28599 @@ -2306,7 +2306,7 @@ static void dequeue_rx(ns_dev *card, ns_
28600 if (!atm_charge(vcc, skb->truesize))
28601 {
28602 push_rxbufs(card, skb);
28603 - atomic_inc(&vcc->stats->rx_drop);
28604 + atomic_inc_unchecked(&vcc->stats->rx_drop);
28605 }
28606 else
28607 {
28608 @@ -2320,7 +2320,7 @@ static void dequeue_rx(ns_dev *card, ns_
28609 ATM_SKB(skb)->vcc = vcc;
28610 __net_timestamp(skb);
28611 vcc->push(vcc, skb);
28612 - atomic_inc(&vcc->stats->rx);
28613 + atomic_inc_unchecked(&vcc->stats->rx);
28614 }
28615
28616 push_rxbufs(card, sb);
28617 @@ -2342,7 +2342,7 @@ static void dequeue_rx(ns_dev *card, ns_
28618 if (hb == NULL)
28619 {
28620 printk("nicstar%d: Out of huge buffers.\n", card->index);
28621 - atomic_inc(&vcc->stats->rx_drop);
28622 + atomic_inc_unchecked(&vcc->stats->rx_drop);
28623 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
28624 NS_SKB(iovb)->iovcnt);
28625 vc->rx_iov = NULL;
28626 @@ -2393,7 +2393,7 @@ static void dequeue_rx(ns_dev *card, ns_
28627 }
28628 else
28629 dev_kfree_skb_any(hb);
28630 - atomic_inc(&vcc->stats->rx_drop);
28631 + atomic_inc_unchecked(&vcc->stats->rx_drop);
28632 }
28633 else
28634 {
28635 @@ -2427,7 +2427,7 @@ static void dequeue_rx(ns_dev *card, ns_
28636 #endif /* NS_USE_DESTRUCTORS */
28637 __net_timestamp(hb);
28638 vcc->push(vcc, hb);
28639 - atomic_inc(&vcc->stats->rx);
28640 + atomic_inc_unchecked(&vcc->stats->rx);
28641 }
28642 }
28643
28644 diff -urNp linux-2.6.32.49/drivers/atm/solos-pci.c linux-2.6.32.49/drivers/atm/solos-pci.c
28645 --- linux-2.6.32.49/drivers/atm/solos-pci.c 2011-11-08 19:02:43.000000000 -0500
28646 +++ linux-2.6.32.49/drivers/atm/solos-pci.c 2011-11-15 19:59:43.000000000 -0500
28647 @@ -708,7 +708,7 @@ void solos_bh(unsigned long card_arg)
28648 }
28649 atm_charge(vcc, skb->truesize);
28650 vcc->push(vcc, skb);
28651 - atomic_inc(&vcc->stats->rx);
28652 + atomic_inc_unchecked(&vcc->stats->rx);
28653 break;
28654
28655 case PKT_STATUS:
28656 @@ -914,6 +914,8 @@ static int print_buffer(struct sk_buff *
28657 char msg[500];
28658 char item[10];
28659
28660 + pax_track_stack();
28661 +
28662 len = buf->len;
28663 for (i = 0; i < len; i++){
28664 if(i % 8 == 0)
28665 @@ -1023,7 +1025,7 @@ static uint32_t fpga_tx(struct solos_car
28666 vcc = SKB_CB(oldskb)->vcc;
28667
28668 if (vcc) {
28669 - atomic_inc(&vcc->stats->tx);
28670 + atomic_inc_unchecked(&vcc->stats->tx);
28671 solos_pop(vcc, oldskb);
28672 } else
28673 dev_kfree_skb_irq(oldskb);
28674 diff -urNp linux-2.6.32.49/drivers/atm/suni.c linux-2.6.32.49/drivers/atm/suni.c
28675 --- linux-2.6.32.49/drivers/atm/suni.c 2011-11-08 19:02:43.000000000 -0500
28676 +++ linux-2.6.32.49/drivers/atm/suni.c 2011-11-15 19:59:43.000000000 -0500
28677 @@ -49,8 +49,8 @@ static DEFINE_SPINLOCK(sunis_lock);
28678
28679
28680 #define ADD_LIMITED(s,v) \
28681 - atomic_add((v),&stats->s); \
28682 - if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
28683 + atomic_add_unchecked((v),&stats->s); \
28684 + if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
28685
28686
28687 static void suni_hz(unsigned long from_timer)
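Review bot: `ADD_LIMITED` still expands to two separate statements, so if it is ever used as the body of an unbraced `if` or loop, only the `atomic_add_unchecked` call is guarded and the clamp to `INT_MAX` always runs. Since both lines are rewritten here, I would wrap them as `do { atomic_add_unchecked((v),&stats->s); if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX); } while (0)`, assuming the call sites (outside this hunk) end with a semicolon. A one-line comment would also help, saying that the counter is meant to wrap negative and then saturate, which appears to be why the unchecked accessors are used. The `ADD_LIMITED` in drivers/atm/uPD98402.c uses bare braces, which has the related problem that a trailing `;` breaks an `if`/`else` around it.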
28688 diff -urNp linux-2.6.32.49/drivers/atm/uPD98402.c linux-2.6.32.49/drivers/atm/uPD98402.c
28689 --- linux-2.6.32.49/drivers/atm/uPD98402.c 2011-11-08 19:02:43.000000000 -0500
28690 +++ linux-2.6.32.49/drivers/atm/uPD98402.c 2011-11-15 19:59:43.000000000 -0500
28691 @@ -41,7 +41,7 @@ static int fetch_stats(struct atm_dev *d
28692 struct sonet_stats tmp;
28693 int error = 0;
28694
28695 - atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
28696 + atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
28697 sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
28698 if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
28699 if (zero && !error) {
28700 @@ -160,9 +160,9 @@ static int uPD98402_ioctl(struct atm_dev
28701
28702
28703 #define ADD_LIMITED(s,v) \
28704 - { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
28705 - if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
28706 - atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
28707 + { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
28708 + if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
28709 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
28710
28711
28712 static void stat_event(struct atm_dev *dev)
28713 @@ -193,7 +193,7 @@ static void uPD98402_int(struct atm_dev
28714 if (reason & uPD98402_INT_PFM) stat_event(dev);
28715 if (reason & uPD98402_INT_PCO) {
28716 (void) GET(PCOCR); /* clear interrupt cause */
28717 - atomic_add(GET(HECCT),
28718 + atomic_add_unchecked(GET(HECCT),
28719 &PRIV(dev)->sonet_stats.uncorr_hcs);
28720 }
28721 if ((reason & uPD98402_INT_RFO) &&
28722 @@ -221,9 +221,9 @@ static int uPD98402_start(struct atm_dev
28723 PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
28724 uPD98402_INT_LOS),PIMR); /* enable them */
28725 (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
28726 - atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
28727 - atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
28728 - atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
28729 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
28730 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
28731 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
28732 return 0;
28733 }
28734
28735 diff -urNp linux-2.6.32.49/drivers/atm/zatm.c linux-2.6.32.49/drivers/atm/zatm.c
28736 --- linux-2.6.32.49/drivers/atm/zatm.c 2011-11-08 19:02:43.000000000 -0500
28737 +++ linux-2.6.32.49/drivers/atm/zatm.c 2011-11-15 19:59:43.000000000 -0500
28738 @@ -458,7 +458,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
28739 }
28740 if (!size) {
28741 dev_kfree_skb_irq(skb);
28742 - if (vcc) atomic_inc(&vcc->stats->rx_err);
28743 + if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
28744 continue;
28745 }
28746 if (!atm_charge(vcc,skb->truesize)) {
28747 @@ -468,7 +468,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
28748 skb->len = size;
28749 ATM_SKB(skb)->vcc = vcc;
28750 vcc->push(vcc,skb);
28751 - atomic_inc(&vcc->stats->rx);
28752 + atomic_inc_unchecked(&vcc->stats->rx);
28753 }
28754 zout(pos & 0xffff,MTA(mbx));
28755 #if 0 /* probably a stupid idea */
28756 @@ -732,7 +732,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD
28757 skb_queue_head(&zatm_vcc->backlog,skb);
28758 break;
28759 }
28760 - atomic_inc(&vcc->stats->tx);
28761 + atomic_inc_unchecked(&vcc->stats->tx);
28762 wake_up(&zatm_vcc->tx_wait);
28763 }
28764
28765 diff -urNp linux-2.6.32.49/drivers/base/bus.c linux-2.6.32.49/drivers/base/bus.c
28766 --- linux-2.6.32.49/drivers/base/bus.c 2011-11-08 19:02:43.000000000 -0500
28767 +++ linux-2.6.32.49/drivers/base/bus.c 2011-11-15 19:59:43.000000000 -0500
28768 @@ -70,7 +70,7 @@ static ssize_t drv_attr_store(struct kob
28769 return ret;
28770 }
28771
28772 -static struct sysfs_ops driver_sysfs_ops = {
28773 +static const struct sysfs_ops driver_sysfs_ops = {
28774 .show = drv_attr_show,
28775 .store = drv_attr_store,
28776 };
28777 @@ -115,7 +115,7 @@ static ssize_t bus_attr_store(struct kob
28778 return ret;
28779 }
28780
28781 -static struct sysfs_ops bus_sysfs_ops = {
28782 +static const struct sysfs_ops bus_sysfs_ops = {
28783 .show = bus_attr_show,
28784 .store = bus_attr_store,
28785 };
28786 @@ -154,7 +154,7 @@ static int bus_uevent_filter(struct kset
28787 return 0;
28788 }
28789
28790 -static struct kset_uevent_ops bus_uevent_ops = {
28791 +static const struct kset_uevent_ops bus_uevent_ops = {
28792 .filter = bus_uevent_filter,
28793 };
28794
28795 diff -urNp linux-2.6.32.49/drivers/base/class.c linux-2.6.32.49/drivers/base/class.c
28796 --- linux-2.6.32.49/drivers/base/class.c 2011-11-08 19:02:43.000000000 -0500
28797 +++ linux-2.6.32.49/drivers/base/class.c 2011-11-15 19:59:43.000000000 -0500
28798 @@ -63,7 +63,7 @@ static void class_release(struct kobject
28799 kfree(cp);
28800 }
28801
28802 -static struct sysfs_ops class_sysfs_ops = {
28803 +static const struct sysfs_ops class_sysfs_ops = {
28804 .show = class_attr_show,
28805 .store = class_attr_store,
28806 };
28807 diff -urNp linux-2.6.32.49/drivers/base/core.c linux-2.6.32.49/drivers/base/core.c
28808 --- linux-2.6.32.49/drivers/base/core.c 2011-11-08 19:02:43.000000000 -0500
28809 +++ linux-2.6.32.49/drivers/base/core.c 2011-11-15 19:59:43.000000000 -0500
28810 @@ -100,7 +100,7 @@ static ssize_t dev_attr_store(struct kob
28811 return ret;
28812 }
28813
28814 -static struct sysfs_ops dev_sysfs_ops = {
28815 +static const struct sysfs_ops dev_sysfs_ops = {
28816 .show = dev_attr_show,
28817 .store = dev_attr_store,
28818 };
28819 @@ -252,7 +252,7 @@ static int dev_uevent(struct kset *kset,
28820 return retval;
28821 }
28822
28823 -static struct kset_uevent_ops device_uevent_ops = {
28824 +static const struct kset_uevent_ops device_uevent_ops = {
28825 .filter = dev_uevent_filter,
28826 .name = dev_uevent_name,
28827 .uevent = dev_uevent,
28828 diff -urNp linux-2.6.32.49/drivers/base/memory.c linux-2.6.32.49/drivers/base/memory.c
28829 --- linux-2.6.32.49/drivers/base/memory.c 2011-11-08 19:02:43.000000000 -0500
28830 +++ linux-2.6.32.49/drivers/base/memory.c 2011-11-15 19:59:43.000000000 -0500
28831 @@ -44,7 +44,7 @@ static int memory_uevent(struct kset *ks
28832 return retval;
28833 }
28834
28835 -static struct kset_uevent_ops memory_uevent_ops = {
28836 +static const struct kset_uevent_ops memory_uevent_ops = {
28837 .name = memory_uevent_name,
28838 .uevent = memory_uevent,
28839 };
28840 diff -urNp linux-2.6.32.49/drivers/base/sys.c linux-2.6.32.49/drivers/base/sys.c
28841 --- linux-2.6.32.49/drivers/base/sys.c 2011-11-26 19:44:53.000000000 -0500
28842 +++ linux-2.6.32.49/drivers/base/sys.c 2011-11-26 19:45:05.000000000 -0500
28843 @@ -54,7 +54,7 @@ sysdev_store(struct kobject *kobj, struc
28844 return -EIO;
28845 }
28846
28847 -static struct sysfs_ops sysfs_ops = {
28848 +static const struct sysfs_ops sysfs_ops = {
28849 .show = sysdev_show,
28850 .store = sysdev_store,
28851 };
28852 @@ -104,7 +104,7 @@ static ssize_t sysdev_class_store(struct
28853 return -EIO;
28854 }
28855
28856 -static struct sysfs_ops sysfs_class_ops = {
28857 +static const struct sysfs_ops sysfs_class_ops = {
28858 .show = sysdev_class_show,
28859 .store = sysdev_class_store,
28860 };
28861 diff -urNp linux-2.6.32.49/drivers/block/cciss.c linux-2.6.32.49/drivers/block/cciss.c
28862 --- linux-2.6.32.49/drivers/block/cciss.c 2011-11-08 19:02:43.000000000 -0500
28863 +++ linux-2.6.32.49/drivers/block/cciss.c 2011-11-15 19:59:43.000000000 -0500
28864 @@ -1011,6 +1011,8 @@ static int cciss_ioctl32_passthru(struct
28865 int err;
28866 u32 cp;
28867
28868 + memset(&arg64, 0, sizeof(arg64));
28869 +
28870 err = 0;
28871 err |=
28872 copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
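Review bot: The added `memset(&arg64, 0, sizeof(arg64));` has no comment saying what it protects, so a later cleanup could remove it as redundant with the `copy_from_user` calls that follow. Those calls fill `arg64` field by field, so without the memset any padding or uncopied field keeps old kernel stack contents. Presumably the structure is later passed on and partly copied back to user space, but that code is outside this hunk. I would put `/* zero arg64 first: fields are filled individually, padding must not carry stale stack bytes */` above the call. `cciss_ioctl32_passthru` starts and ends outside the hunk.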
28873 @@ -2852,7 +2854,7 @@ static unsigned long pollcomplete(int ct
28874 /* Wait (up to 20 seconds) for a command to complete */
28875
28876 for (i = 20 * HZ; i > 0; i--) {
28877 - done = hba[ctlr]->access.command_completed(hba[ctlr]);
28878 + done = hba[ctlr]->access->command_completed(hba[ctlr]);
28879 if (done == FIFO_EMPTY)
28880 schedule_timeout_uninterruptible(1);
28881 else
28882 @@ -2876,7 +2878,7 @@ static int sendcmd_core(ctlr_info_t *h,
28883 resend_cmd1:
28884
28885 /* Disable interrupt on the board. */
28886 - h->access.set_intr_mask(h, CCISS_INTR_OFF);
28887 + h->access->set_intr_mask(h, CCISS_INTR_OFF);
28888
28889 /* Make sure there is room in the command FIFO */
28890 /* Actually it should be completely empty at this time */
28891 @@ -2884,13 +2886,13 @@ resend_cmd1:
28892 /* tape side of the driver. */
28893 for (i = 200000; i > 0; i--) {
28894 /* if fifo isn't full go */
28895 - if (!(h->access.fifo_full(h)))
28896 + if (!(h->access->fifo_full(h)))
28897 break;
28898 udelay(10);
28899 printk(KERN_WARNING "cciss cciss%d: SendCmd FIFO full,"
28900 " waiting!\n", h->ctlr);
28901 }
28902 - h->access.submit_command(h, c); /* Send the cmd */
28903 + h->access->submit_command(h, c); /* Send the cmd */
28904 do {
28905 complete = pollcomplete(h->ctlr);
28906
28907 @@ -3023,7 +3025,7 @@ static void start_io(ctlr_info_t *h)
28908 while (!hlist_empty(&h->reqQ)) {
28909 c = hlist_entry(h->reqQ.first, CommandList_struct, list);
28910 /* can't do anything if fifo is full */
28911 - if ((h->access.fifo_full(h))) {
28912 + if ((h->access->fifo_full(h))) {
28913 printk(KERN_WARNING "cciss: fifo full\n");
28914 break;
28915 }
28916 @@ -3033,7 +3035,7 @@ static void start_io(ctlr_info_t *h)
28917 h->Qdepth--;
28918
28919 /* Tell the controller execute command */
28920 - h->access.submit_command(h, c);
28921 + h->access->submit_command(h, c);
28922
28923 /* Put job onto the completed Q */
28924 addQ(&h->cmpQ, c);
28925 @@ -3393,17 +3395,17 @@ startio:
28926
28927 static inline unsigned long get_next_completion(ctlr_info_t *h)
28928 {
28929 - return h->access.command_completed(h);
28930 + return h->access->command_completed(h);
28931 }
28932
28933 static inline int interrupt_pending(ctlr_info_t *h)
28934 {
28935 - return h->access.intr_pending(h);
28936 + return h->access->intr_pending(h);
28937 }
28938
28939 static inline long interrupt_not_for_us(ctlr_info_t *h)
28940 {
28941 - return (((h->access.intr_pending(h) == 0) ||
28942 + return (((h->access->intr_pending(h) == 0) ||
28943 (h->interrupts_enabled == 0)));
28944 }
28945
28946 @@ -3892,7 +3894,7 @@ static int __devinit cciss_pci_init(ctlr
28947 */
28948 c->max_commands = readl(&(c->cfgtable->CmdsOutMax));
28949 c->product_name = products[prod_index].product_name;
28950 - c->access = *(products[prod_index].access);
28951 + c->access = products[prod_index].access;
28952 c->nr_cmds = c->max_commands - 4;
28953 if ((readb(&c->cfgtable->Signature[0]) != 'C') ||
28954 (readb(&c->cfgtable->Signature[1]) != 'I') ||
28955 @@ -4291,7 +4293,7 @@ static int __devinit cciss_init_one(stru
28956 }
28957
28958 /* make sure the board interrupts are off */
28959 - hba[i]->access.set_intr_mask(hba[i], CCISS_INTR_OFF);
28960 + hba[i]->access->set_intr_mask(hba[i], CCISS_INTR_OFF);
28961 if (request_irq(hba[i]->intr[SIMPLE_MODE_INT], do_cciss_intr,
28962 IRQF_DISABLED | IRQF_SHARED, hba[i]->devname, hba[i])) {
28963 printk(KERN_ERR "cciss: Unable to get irq %d for %s\n",
28964 @@ -4341,7 +4343,7 @@ static int __devinit cciss_init_one(stru
28965 cciss_scsi_setup(i);
28966
28967 /* Turn the interrupts on so we can service requests */
28968 - hba[i]->access.set_intr_mask(hba[i], CCISS_INTR_ON);
28969 + hba[i]->access->set_intr_mask(hba[i], CCISS_INTR_ON);
28970
28971 /* Get the firmware version */
28972 inq_buff = kzalloc(sizeof(InquiryData_struct), GFP_KERNEL);
28973 diff -urNp linux-2.6.32.49/drivers/block/cciss.h linux-2.6.32.49/drivers/block/cciss.h
28974 --- linux-2.6.32.49/drivers/block/cciss.h 2011-11-08 19:02:43.000000000 -0500
28975 +++ linux-2.6.32.49/drivers/block/cciss.h 2011-11-15 19:59:43.000000000 -0500
28976 @@ -90,7 +90,7 @@ struct ctlr_info
28977 // information about each logical volume
28978 drive_info_struct *drv[CISS_MAX_LUN];
28979
28980 - struct access_method access;
28981 + struct access_method *access;
28982
28983 /* queue and queue Info */
28984 struct hlist_head reqQ;
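Review bot: The new field `struct access_method *access;` is a mutable pointer to a table of function pointers that all controllers of a product type now share, where each `ctlr_info` previously held its own copy. Every use visible in this patch is a call through the table, such as `h->access->submit_command(h, c)`, and none writes to it. It could therefore be declared `const struct access_method *access;`, so that accidental writes are rejected at compile time and the tables can live in read-only data. That requires the `products[]` entries to be const-qualified as well, and their declaration is not in view here. The identical change in drivers/block/cpqarray.h would take the same qualifier.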
28985 diff -urNp linux-2.6.32.49/drivers/block/cpqarray.c linux-2.6.32.49/drivers/block/cpqarray.c
28986 --- linux-2.6.32.49/drivers/block/cpqarray.c 2011-11-08 19:02:43.000000000 -0500
28987 +++ linux-2.6.32.49/drivers/block/cpqarray.c 2011-11-15 19:59:43.000000000 -0500
28988 @@ -402,7 +402,7 @@ static int __init cpqarray_register_ctlr
28989 if (register_blkdev(COMPAQ_SMART2_MAJOR+i, hba[i]->devname)) {
28990 goto Enomem4;
28991 }
28992 - hba[i]->access.set_intr_mask(hba[i], 0);
28993 + hba[i]->access->set_intr_mask(hba[i], 0);
28994 if (request_irq(hba[i]->intr, do_ida_intr,
28995 IRQF_DISABLED|IRQF_SHARED, hba[i]->devname, hba[i]))
28996 {
28997 @@ -460,7 +460,7 @@ static int __init cpqarray_register_ctlr
28998 add_timer(&hba[i]->timer);
28999
29000 /* Enable IRQ now that spinlock and rate limit timer are set up */
29001 - hba[i]->access.set_intr_mask(hba[i], FIFO_NOT_EMPTY);
29002 + hba[i]->access->set_intr_mask(hba[i], FIFO_NOT_EMPTY);
29003
29004 for(j=0; j<NWD; j++) {
29005 struct gendisk *disk = ida_gendisk[i][j];
29006 @@ -695,7 +695,7 @@ DBGINFO(
29007 for(i=0; i<NR_PRODUCTS; i++) {
29008 if (board_id == products[i].board_id) {
29009 c->product_name = products[i].product_name;
29010 - c->access = *(products[i].access);
29011 + c->access = products[i].access;
29012 break;
29013 }
29014 }
29015 @@ -793,7 +793,7 @@ static int __init cpqarray_eisa_detect(v
29016 hba[ctlr]->intr = intr;
29017 sprintf(hba[ctlr]->devname, "ida%d", nr_ctlr);
29018 hba[ctlr]->product_name = products[j].product_name;
29019 - hba[ctlr]->access = *(products[j].access);
29020 + hba[ctlr]->access = products[j].access;
29021 hba[ctlr]->ctlr = ctlr;
29022 hba[ctlr]->board_id = board_id;
29023 hba[ctlr]->pci_dev = NULL; /* not PCI */
29024 @@ -896,6 +896,8 @@ static void do_ida_request(struct reques
29025 struct scatterlist tmp_sg[SG_MAX];
29026 int i, dir, seg;
29027
29028 + pax_track_stack();
29029 +
29030 if (blk_queue_plugged(q))
29031 goto startio;
29032
29033 @@ -968,7 +970,7 @@ static void start_io(ctlr_info_t *h)
29034
29035 while((c = h->reqQ) != NULL) {
29036 /* Can't do anything if we're busy */
29037 - if (h->access.fifo_full(h) == 0)
29038 + if (h->access->fifo_full(h) == 0)
29039 return;
29040
29041 /* Get the first entry from the request Q */
29042 @@ -976,7 +978,7 @@ static void start_io(ctlr_info_t *h)
29043 h->Qdepth--;
29044
29045 /* Tell the controller to do our bidding */
29046 - h->access.submit_command(h, c);
29047 + h->access->submit_command(h, c);
29048
29049 /* Get onto the completion Q */
29050 addQ(&h->cmpQ, c);
29051 @@ -1038,7 +1040,7 @@ static irqreturn_t do_ida_intr(int irq,
29052 unsigned long flags;
29053 __u32 a,a1;
29054
29055 - istat = h->access.intr_pending(h);
29056 + istat = h->access->intr_pending(h);
29057 /* Is this interrupt for us? */
29058 if (istat == 0)
29059 return IRQ_NONE;
29060 @@ -1049,7 +1051,7 @@ static irqreturn_t do_ida_intr(int irq,
29061 */
29062 spin_lock_irqsave(IDA_LOCK(h->ctlr), flags);
29063 if (istat & FIFO_NOT_EMPTY) {
29064 - while((a = h->access.command_completed(h))) {
29065 + while((a = h->access->command_completed(h))) {
29066 a1 = a; a &= ~3;
29067 if ((c = h->cmpQ) == NULL)
29068 {
29069 @@ -1434,11 +1436,11 @@ static int sendcmd(
29070 /*
29071 * Disable interrupt
29072 */
29073 - info_p->access.set_intr_mask(info_p, 0);
29074 + info_p->access->set_intr_mask(info_p, 0);
29075 /* Make sure there is room in the command FIFO */
29076 /* Actually it should be completely empty at this time. */
29077 for (i = 200000; i > 0; i--) {
29078 - temp = info_p->access.fifo_full(info_p);
29079 + temp = info_p->access->fifo_full(info_p);
29080 if (temp != 0) {
29081 break;
29082 }
29083 @@ -1451,7 +1453,7 @@ DBG(
29084 /*
29085 * Send the cmd
29086 */
29087 - info_p->access.submit_command(info_p, c);
29088 + info_p->access->submit_command(info_p, c);
29089 complete = pollcomplete(ctlr);
29090
29091 pci_unmap_single(info_p->pci_dev, (dma_addr_t) c->req.sg[0].addr,
29092 @@ -1534,9 +1536,9 @@ static int revalidate_allvol(ctlr_info_t
29093 * we check the new geometry. Then turn interrupts back on when
29094 * we're done.
29095 */
29096 - host->access.set_intr_mask(host, 0);
29097 + host->access->set_intr_mask(host, 0);
29098 getgeometry(ctlr);
29099 - host->access.set_intr_mask(host, FIFO_NOT_EMPTY);
29100 + host->access->set_intr_mask(host, FIFO_NOT_EMPTY);
29101
29102 for(i=0; i<NWD; i++) {
29103 struct gendisk *disk = ida_gendisk[ctlr][i];
29104 @@ -1576,7 +1578,7 @@ static int pollcomplete(int ctlr)
29105 /* Wait (up to 2 seconds) for a command to complete */
29106
29107 for (i = 200000; i > 0; i--) {
29108 - done = hba[ctlr]->access.command_completed(hba[ctlr]);
29109 + done = hba[ctlr]->access->command_completed(hba[ctlr]);
29110 if (done == 0) {
29111 udelay(10); /* a short fixed delay */
29112 } else
29113 diff -urNp linux-2.6.32.49/drivers/block/cpqarray.h linux-2.6.32.49/drivers/block/cpqarray.h
29114 --- linux-2.6.32.49/drivers/block/cpqarray.h 2011-11-08 19:02:43.000000000 -0500
29115 +++ linux-2.6.32.49/drivers/block/cpqarray.h 2011-11-15 19:59:43.000000000 -0500
29116 @@ -99,7 +99,7 @@ struct ctlr_info {
29117 drv_info_t drv[NWD];
29118 struct proc_dir_entry *proc;
29119
29120 - struct access_method access;
29121 + struct access_method *access;
29122
29123 cmdlist_t *reqQ;
29124 cmdlist_t *cmpQ;
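Review bot: The new member is declared `struct access_method *access;` without `const`, so code holding a `ctlr_info` can still write through the pointer and the method tables it refers to cannot be treated as read-only. If every assignment to `access` takes the address of a static table (those assignments are not in the visible hunks), `const struct access_method *access;` states that intent and lets the compiler reject accidental writes. The call sites changed in cpqarray.c only read function pointers through it, so they would compile unchanged.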
29125 diff -urNp linux-2.6.32.49/drivers/block/DAC960.c linux-2.6.32.49/drivers/block/DAC960.c
29126 --- linux-2.6.32.49/drivers/block/DAC960.c 2011-11-08 19:02:43.000000000 -0500
29127 +++ linux-2.6.32.49/drivers/block/DAC960.c 2011-11-15 19:59:43.000000000 -0500
29128 @@ -1973,6 +1973,8 @@ static bool DAC960_V1_ReadDeviceConfigur
29129 unsigned long flags;
29130 int Channel, TargetID;
29131
29132 + pax_track_stack();
29133 +
29134 if (!init_dma_loaf(Controller->PCIDevice, &local_dma,
29135 DAC960_V1_MaxChannels*(sizeof(DAC960_V1_DCDB_T) +
29136 sizeof(DAC960_SCSI_Inquiry_T) +
29137 diff -urNp linux-2.6.32.49/drivers/block/loop.c linux-2.6.32.49/drivers/block/loop.c
29138 --- linux-2.6.32.49/drivers/block/loop.c 2011-11-08 19:02:43.000000000 -0500
29139 +++ linux-2.6.32.49/drivers/block/loop.c 2011-11-15 19:59:43.000000000 -0500
29140 @@ -282,7 +282,7 @@ static int __do_lo_send_write(struct fil
29141 mm_segment_t old_fs = get_fs();
29142
29143 set_fs(get_ds());
29144 - bw = file->f_op->write(file, buf, len, &pos);
29145 + bw = file->f_op->write(file, (const char __force_user *)buf, len, &pos);
29146 set_fs(old_fs);
29147 if (likely(bw == len))
29148 return 0;
29149 diff -urNp linux-2.6.32.49/drivers/block/nbd.c linux-2.6.32.49/drivers/block/nbd.c
29150 --- linux-2.6.32.49/drivers/block/nbd.c 2011-11-08 19:02:43.000000000 -0500
29151 +++ linux-2.6.32.49/drivers/block/nbd.c 2011-11-15 19:59:43.000000000 -0500
29152 @@ -155,6 +155,8 @@ static int sock_xmit(struct nbd_device *
29153 struct kvec iov;
29154 sigset_t blocked, oldset;
29155
29156 + pax_track_stack();
29157 +
29158 if (unlikely(!sock)) {
29159 printk(KERN_ERR "%s: Attempted %s on closed socket in sock_xmit\n",
29160 lo->disk->disk_name, (send ? "send" : "recv"));
29161 @@ -569,6 +571,8 @@ static void do_nbd_request(struct reques
29162 static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *lo,
29163 unsigned int cmd, unsigned long arg)
29164 {
29165 + pax_track_stack();
29166 +
29167 switch (cmd) {
29168 case NBD_DISCONNECT: {
29169 struct request sreq;
29170 diff -urNp linux-2.6.32.49/drivers/block/pktcdvd.c linux-2.6.32.49/drivers/block/pktcdvd.c
29171 --- linux-2.6.32.49/drivers/block/pktcdvd.c 2011-11-08 19:02:43.000000000 -0500
29172 +++ linux-2.6.32.49/drivers/block/pktcdvd.c 2011-11-15 19:59:43.000000000 -0500
29173 @@ -284,7 +284,7 @@ static ssize_t kobj_pkt_store(struct kob
29174 return len;
29175 }
29176
29177 -static struct sysfs_ops kobj_pkt_ops = {
29178 +static const struct sysfs_ops kobj_pkt_ops = {
29179 .show = kobj_pkt_show,
29180 .store = kobj_pkt_store
29181 };
29182 diff -urNp linux-2.6.32.49/drivers/char/agp/frontend.c linux-2.6.32.49/drivers/char/agp/frontend.c
29183 --- linux-2.6.32.49/drivers/char/agp/frontend.c 2011-11-08 19:02:43.000000000 -0500
29184 +++ linux-2.6.32.49/drivers/char/agp/frontend.c 2011-11-15 19:59:43.000000000 -0500
29185 @@ -824,7 +824,7 @@ static int agpioc_reserve_wrap(struct ag
29186 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
29187 return -EFAULT;
29188
29189 - if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
29190 + if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
29191 return -EFAULT;
29192
29193 client = agp_find_client_by_pid(reserve.pid);
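Review bot: Nothing beside the changed bound says which multiplication it protects, so the switch from `sizeof(struct agp_segment)` to `sizeof(struct agp_segment_priv)` looks arbitrary when this function is read on its own. A comment such as `/* seg_count is later multiplied by sizeof(struct agp_segment_priv); reject counts that would wrap that product */` would record the intent, assuming the private structure really is the larger multiplier, which is decided outside this hunk. `reserve.seg_count` arrives from user space through the `copy_from_user()` above, so this check is the only thing standing between the caller and the size calculation. agpioc_reserve_wrap starts and ends outside the hunk.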
29194 diff -urNp linux-2.6.32.49/drivers/char/briq_panel.c linux-2.6.32.49/drivers/char/briq_panel.c
29195 --- linux-2.6.32.49/drivers/char/briq_panel.c 2011-11-08 19:02:43.000000000 -0500
29196 +++ linux-2.6.32.49/drivers/char/briq_panel.c 2011-11-15 19:59:43.000000000 -0500
29197 @@ -10,6 +10,7 @@
29198 #include <linux/types.h>
29199 #include <linux/errno.h>
29200 #include <linux/tty.h>
29201 +#include <linux/mutex.h>
29202 #include <linux/timer.h>
29203 #include <linux/kernel.h>
29204 #include <linux/wait.h>
29205 @@ -36,6 +37,7 @@ static int vfd_is_open;
29206 static unsigned char vfd[40];
29207 static int vfd_cursor;
29208 static unsigned char ledpb, led;
29209 +static DEFINE_MUTEX(vfd_mutex);
29210
29211 static void update_vfd(void)
29212 {
29213 @@ -142,12 +144,15 @@ static ssize_t briq_panel_write(struct f
29214 if (!vfd_is_open)
29215 return -EBUSY;
29216
29217 + mutex_lock(&vfd_mutex);
29218 for (;;) {
29219 char c;
29220 if (!indx)
29221 break;
29222 - if (get_user(c, buf))
29223 + if (get_user(c, buf)) {
29224 + mutex_unlock(&vfd_mutex);
29225 return -EFAULT;
29226 + }
29227 if (esc) {
29228 set_led(c);
29229 esc = 0;
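Review bot: The new -EFAULT branch carries its own `mutex_unlock(&vfd_mutex)`, which gives the function two unlock sites (the other follows `update_vfd()` in the next hunk), and any early return added to the loop later would leave the mutex held. A single exit keeps the pairing obvious: declare `ssize_t ret = len;` before the loop, write the failure as `if (get_user(c, buf)) { ret = -EFAULT; goto out; }`, and put an `out:` label in front of the final `mutex_unlock(&vfd_mutex); return ret;`. The declaration `static DEFINE_MUTEX(vfd_mutex);` in the earlier hunk would also benefit from a comment naming what it serialises, presumably `vfd[]`, `vfd_cursor` and the LED state touched by `set_led()`. Note that `vfd_is_open` is still tested before the lock is taken; briq_panel_write starts and ends outside this hunk.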
29230 @@ -177,6 +182,7 @@ static ssize_t briq_panel_write(struct f
29231 buf++;
29232 }
29233 update_vfd();
29234 + mutex_unlock(&vfd_mutex);
29235
29236 return len;
29237 }
29238 diff -urNp linux-2.6.32.49/drivers/char/genrtc.c linux-2.6.32.49/drivers/char/genrtc.c
29239 --- linux-2.6.32.49/drivers/char/genrtc.c 2011-11-08 19:02:43.000000000 -0500
29240 +++ linux-2.6.32.49/drivers/char/genrtc.c 2011-11-15 19:59:43.000000000 -0500
29241 @@ -272,6 +272,7 @@ static int gen_rtc_ioctl(struct inode *i
29242 switch (cmd) {
29243
29244 case RTC_PLL_GET:
29245 + memset(&pll, 0, sizeof(pll));
29246 if (get_rtc_pll(&pll))
29247 return -EINVAL;
29248 else
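Review bot: The added `memset(&pll, 0, sizeof(pll));` has no comment explaining why a structure about to be filled by `get_rtc_pll()` is cleared first, which makes it an easy target for a later "redundant initialisation" cleanup. I would add `/* clear padding and any field get_rtc_pll() leaves unset before pll is handed back to user space */` above it; the copy to user space is presumably in the `else` branch, which continues outside this hunk. The same applies to `memset(&info, 0, sizeof(info));` in the hpet_ioctl_common hunk of drivers/char/hpet.c, where the removed `else info.hi_ireqfreq = 0;` now depends on that memset.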
29249 diff -urNp linux-2.6.32.49/drivers/char/hpet.c linux-2.6.32.49/drivers/char/hpet.c
29250 --- linux-2.6.32.49/drivers/char/hpet.c 2011-11-08 19:02:43.000000000 -0500
29251 +++ linux-2.6.32.49/drivers/char/hpet.c 2011-11-15 19:59:43.000000000 -0500
29252 @@ -430,7 +430,7 @@ static int hpet_release(struct inode *in
29253 return 0;
29254 }
29255
29256 -static int hpet_ioctl_common(struct hpet_dev *, int, unsigned long, int);
29257 +static int hpet_ioctl_common(struct hpet_dev *, unsigned int, unsigned long, int);
29258
29259 static int
29260 hpet_ioctl(struct inode *inode, struct file *file, unsigned int cmd,
29261 @@ -565,7 +565,7 @@ static inline unsigned long hpet_time_di
29262 }
29263
29264 static int
29265 -hpet_ioctl_common(struct hpet_dev *devp, int cmd, unsigned long arg, int kernel)
29266 +hpet_ioctl_common(struct hpet_dev *devp, unsigned int cmd, unsigned long arg, int kernel)
29267 {
29268 struct hpet_timer __iomem *timer;
29269 struct hpet __iomem *hpet;
29270 @@ -608,11 +608,11 @@ hpet_ioctl_common(struct hpet_dev *devp,
29271 {
29272 struct hpet_info info;
29273
29274 + memset(&info, 0, sizeof(info));
29275 +
29276 if (devp->hd_ireqfreq)
29277 info.hi_ireqfreq =
29278 hpet_time_div(hpetp, devp->hd_ireqfreq);
29279 - else
29280 - info.hi_ireqfreq = 0;
29281 info.hi_flags =
29282 readq(&timer->hpet_config) & Tn_PER_INT_CAP_MASK;
29283 info.hi_hpet = hpetp->hp_which;
29284 diff -urNp linux-2.6.32.49/drivers/char/hvc_beat.c linux-2.6.32.49/drivers/char/hvc_beat.c
29285 --- linux-2.6.32.49/drivers/char/hvc_beat.c 2011-11-08 19:02:43.000000000 -0500
29286 +++ linux-2.6.32.49/drivers/char/hvc_beat.c 2011-11-15 19:59:43.000000000 -0500
29287 @@ -84,7 +84,7 @@ static int hvc_beat_put_chars(uint32_t v
29288 return cnt;
29289 }
29290
29291 -static struct hv_ops hvc_beat_get_put_ops = {
29292 +static const struct hv_ops hvc_beat_get_put_ops = {
29293 .get_chars = hvc_beat_get_chars,
29294 .put_chars = hvc_beat_put_chars,
29295 };
29296 diff -urNp linux-2.6.32.49/drivers/char/hvc_console.c linux-2.6.32.49/drivers/char/hvc_console.c
29297 --- linux-2.6.32.49/drivers/char/hvc_console.c 2011-11-08 19:02:43.000000000 -0500
29298 +++ linux-2.6.32.49/drivers/char/hvc_console.c 2011-11-15 19:59:43.000000000 -0500
29299 @@ -125,7 +125,7 @@ static struct hvc_struct *hvc_get_by_ind
29300 * console interfaces but can still be used as a tty device. This has to be
29301 * static because kmalloc will not work during early console init.
29302 */
29303 -static struct hv_ops *cons_ops[MAX_NR_HVC_CONSOLES];
29304 +static const struct hv_ops *cons_ops[MAX_NR_HVC_CONSOLES];
29305 static uint32_t vtermnos[MAX_NR_HVC_CONSOLES] =
29306 {[0 ... MAX_NR_HVC_CONSOLES - 1] = -1};
29307
29308 @@ -249,7 +249,7 @@ static void destroy_hvc_struct(struct kr
29309 * vty adapters do NOT get an hvc_instantiate() callback since they
29310 * appear after early console init.
29311 */
29312 -int hvc_instantiate(uint32_t vtermno, int index, struct hv_ops *ops)
29313 +int hvc_instantiate(uint32_t vtermno, int index, const struct hv_ops *ops)
29314 {
29315 struct hvc_struct *hp;
29316
29317 @@ -758,7 +758,7 @@ static const struct tty_operations hvc_o
29318 };
29319
29320 struct hvc_struct __devinit *hvc_alloc(uint32_t vtermno, int data,
29321 - struct hv_ops *ops, int outbuf_size)
29322 + const struct hv_ops *ops, int outbuf_size)
29323 {
29324 struct hvc_struct *hp;
29325 int i;
29326 diff -urNp linux-2.6.32.49/drivers/char/hvc_console.h linux-2.6.32.49/drivers/char/hvc_console.h
29327 --- linux-2.6.32.49/drivers/char/hvc_console.h 2011-11-08 19:02:43.000000000 -0500
29328 +++ linux-2.6.32.49/drivers/char/hvc_console.h 2011-11-15 19:59:43.000000000 -0500
29329 @@ -55,7 +55,7 @@ struct hvc_struct {
29330 int outbuf_size;
29331 int n_outbuf;
29332 uint32_t vtermno;
29333 - struct hv_ops *ops;
29334 + const struct hv_ops *ops;
29335 int irq_requested;
29336 int data;
29337 struct winsize ws;
29338 @@ -76,11 +76,11 @@ struct hv_ops {
29339 };
29340
29341 /* Register a vterm and a slot index for use as a console (console_init) */
29342 -extern int hvc_instantiate(uint32_t vtermno, int index, struct hv_ops *ops);
29343 +extern int hvc_instantiate(uint32_t vtermno, int index, const struct hv_ops *ops);
29344
29345 /* register a vterm for hvc tty operation (module_init or hotplug add) */
29346 extern struct hvc_struct * __devinit hvc_alloc(uint32_t vtermno, int data,
29347 - struct hv_ops *ops, int outbuf_size);
29348 + const struct hv_ops *ops, int outbuf_size);
29349 /* remove a vterm from hvc tty operation (module_exit or hotplug remove) */
29350 extern int hvc_remove(struct hvc_struct *hp);
29351
29352 diff -urNp linux-2.6.32.49/drivers/char/hvc_iseries.c linux-2.6.32.49/drivers/char/hvc_iseries.c
29353 --- linux-2.6.32.49/drivers/char/hvc_iseries.c 2011-11-08 19:02:43.000000000 -0500
29354 +++ linux-2.6.32.49/drivers/char/hvc_iseries.c 2011-11-15 19:59:43.000000000 -0500
29355 @@ -197,7 +197,7 @@ done:
29356 return sent;
29357 }
29358
29359 -static struct hv_ops hvc_get_put_ops = {
29360 +static const struct hv_ops hvc_get_put_ops = {
29361 .get_chars = get_chars,
29362 .put_chars = put_chars,
29363 .notifier_add = notifier_add_irq,
29364 diff -urNp linux-2.6.32.49/drivers/char/hvc_iucv.c linux-2.6.32.49/drivers/char/hvc_iucv.c
29365 --- linux-2.6.32.49/drivers/char/hvc_iucv.c 2011-11-08 19:02:43.000000000 -0500
29366 +++ linux-2.6.32.49/drivers/char/hvc_iucv.c 2011-11-15 19:59:43.000000000 -0500
29367 @@ -924,7 +924,7 @@ static int hvc_iucv_pm_restore_thaw(stru
29368
29369
29370 /* HVC operations */
29371 -static struct hv_ops hvc_iucv_ops = {
29372 +static const struct hv_ops hvc_iucv_ops = {
29373 .get_chars = hvc_iucv_get_chars,
29374 .put_chars = hvc_iucv_put_chars,
29375 .notifier_add = hvc_iucv_notifier_add,
29376 diff -urNp linux-2.6.32.49/drivers/char/hvc_rtas.c linux-2.6.32.49/drivers/char/hvc_rtas.c
29377 --- linux-2.6.32.49/drivers/char/hvc_rtas.c 2011-11-08 19:02:43.000000000 -0500
29378 +++ linux-2.6.32.49/drivers/char/hvc_rtas.c 2011-11-15 19:59:43.000000000 -0500
29379 @@ -71,7 +71,7 @@ static int hvc_rtas_read_console(uint32_
29380 return i;
29381 }
29382
29383 -static struct hv_ops hvc_rtas_get_put_ops = {
29384 +static const struct hv_ops hvc_rtas_get_put_ops = {
29385 .get_chars = hvc_rtas_read_console,
29386 .put_chars = hvc_rtas_write_console,
29387 };
29388 diff -urNp linux-2.6.32.49/drivers/char/hvcs.c linux-2.6.32.49/drivers/char/hvcs.c
29389 --- linux-2.6.32.49/drivers/char/hvcs.c 2011-11-08 19:02:43.000000000 -0500
29390 +++ linux-2.6.32.49/drivers/char/hvcs.c 2011-11-15 19:59:43.000000000 -0500
29391 @@ -82,6 +82,7 @@
29392 #include <asm/hvcserver.h>
29393 #include <asm/uaccess.h>
29394 #include <asm/vio.h>
29395 +#include <asm/local.h>
29396
29397 /*
29398 * 1.3.0 -> 1.3.1 In hvcs_open memset(..,0x00,..) instead of memset(..,0x3F,00).
29399 @@ -269,7 +270,7 @@ struct hvcs_struct {
29400 unsigned int index;
29401
29402 struct tty_struct *tty;
29403 - int open_count;
29404 + local_t open_count;
29405
29406 /*
29407 * Used to tell the driver kernel_thread what operations need to take
29408 @@ -419,7 +420,7 @@ static ssize_t hvcs_vterm_state_store(st
29409
29410 spin_lock_irqsave(&hvcsd->lock, flags);
29411
29412 - if (hvcsd->open_count > 0) {
29413 + if (local_read(&hvcsd->open_count) > 0) {
29414 spin_unlock_irqrestore(&hvcsd->lock, flags);
29415 printk(KERN_INFO "HVCS: vterm state unchanged. "
29416 "The hvcs device node is still in use.\n");
29417 @@ -1135,7 +1136,7 @@ static int hvcs_open(struct tty_struct *
29418 if ((retval = hvcs_partner_connect(hvcsd)))
29419 goto error_release;
29420
29421 - hvcsd->open_count = 1;
29422 + local_set(&hvcsd->open_count, 1);
29423 hvcsd->tty = tty;
29424 tty->driver_data = hvcsd;
29425
29426 @@ -1169,7 +1170,7 @@ fast_open:
29427
29428 spin_lock_irqsave(&hvcsd->lock, flags);
29429 kref_get(&hvcsd->kref);
29430 - hvcsd->open_count++;
29431 + local_inc(&hvcsd->open_count);
29432 hvcsd->todo_mask |= HVCS_SCHED_READ;
29433 spin_unlock_irqrestore(&hvcsd->lock, flags);
29434
29435 @@ -1213,7 +1214,7 @@ static void hvcs_close(struct tty_struct
29436 hvcsd = tty->driver_data;
29437
29438 spin_lock_irqsave(&hvcsd->lock, flags);
29439 - if (--hvcsd->open_count == 0) {
29440 + if (local_dec_and_test(&hvcsd->open_count)) {
29441
29442 vio_disable_interrupts(hvcsd->vdev);
29443
29444 @@ -1239,10 +1240,10 @@ static void hvcs_close(struct tty_struct
29445 free_irq(irq, hvcsd);
29446 kref_put(&hvcsd->kref, destroy_hvcs_struct);
29447 return;
29448 - } else if (hvcsd->open_count < 0) {
29449 + } else if (local_read(&hvcsd->open_count) < 0) {
29450 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
29451 " is missmanaged.\n",
29452 - hvcsd->vdev->unit_address, hvcsd->open_count);
29453 + hvcsd->vdev->unit_address, local_read(&hvcsd->open_count));
29454 }
29455
29456 spin_unlock_irqrestore(&hvcsd->lock, flags);
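Review bot: The `printk` in the `open_count < 0` branch keeps the `%d` conversion while its argument is now `local_read(&hvcsd->open_count)`, which yields a `long` on the local_t implementations I am aware of, so format and argument no longer match. Either change the conversion to `%ld` or cast the value, e.g. `(int)local_read(&hvcsd->open_count)`. The same narrowing happens silently at `temp_open_count = local_read(&hvcsd->open_count);` in the hvcs_hangup hunk, so the type of that variable, declared outside the hunk, is worth checking. hvcs_close starts and ends outside this hunk.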
29457 @@ -1258,7 +1259,7 @@ static void hvcs_hangup(struct tty_struc
29458
29459 spin_lock_irqsave(&hvcsd->lock, flags);
29460 /* Preserve this so that we know how many kref refs to put */
29461 - temp_open_count = hvcsd->open_count;
29462 + temp_open_count = local_read(&hvcsd->open_count);
29463
29464 /*
29465 * Don't kref put inside the spinlock because the destruction
29466 @@ -1273,7 +1274,7 @@ static void hvcs_hangup(struct tty_struc
29467 hvcsd->tty->driver_data = NULL;
29468 hvcsd->tty = NULL;
29469
29470 - hvcsd->open_count = 0;
29471 + local_set(&hvcsd->open_count, 0);
29472
29473 /* This will drop any buffered data on the floor which is OK in a hangup
29474 * scenario. */
29475 @@ -1344,7 +1345,7 @@ static int hvcs_write(struct tty_struct
29476 * the middle of a write operation? This is a crummy place to do this
29477 * but we want to keep it all in the spinlock.
29478 */
29479 - if (hvcsd->open_count <= 0) {
29480 + if (local_read(&hvcsd->open_count) <= 0) {
29481 spin_unlock_irqrestore(&hvcsd->lock, flags);
29482 return -ENODEV;
29483 }
29484 @@ -1418,7 +1419,7 @@ static int hvcs_write_room(struct tty_st
29485 {
29486 struct hvcs_struct *hvcsd = tty->driver_data;
29487
29488 - if (!hvcsd || hvcsd->open_count <= 0)
29489 + if (!hvcsd || local_read(&hvcsd->open_count) <= 0)
29490 return 0;
29491
29492 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
29493 diff -urNp linux-2.6.32.49/drivers/char/hvc_udbg.c linux-2.6.32.49/drivers/char/hvc_udbg.c
29494 --- linux-2.6.32.49/drivers/char/hvc_udbg.c 2011-11-08 19:02:43.000000000 -0500
29495 +++ linux-2.6.32.49/drivers/char/hvc_udbg.c 2011-11-15 19:59:43.000000000 -0500
29496 @@ -58,7 +58,7 @@ static int hvc_udbg_get(uint32_t vtermno
29497 return i;
29498 }
29499
29500 -static struct hv_ops hvc_udbg_ops = {
29501 +static const struct hv_ops hvc_udbg_ops = {
29502 .get_chars = hvc_udbg_get,
29503 .put_chars = hvc_udbg_put,
29504 };
29505 diff -urNp linux-2.6.32.49/drivers/char/hvc_vio.c linux-2.6.32.49/drivers/char/hvc_vio.c
29506 --- linux-2.6.32.49/drivers/char/hvc_vio.c 2011-11-08 19:02:43.000000000 -0500
29507 +++ linux-2.6.32.49/drivers/char/hvc_vio.c 2011-11-15 19:59:43.000000000 -0500
29508 @@ -77,7 +77,7 @@ static int filtered_get_chars(uint32_t v
29509 return got;
29510 }
29511
29512 -static struct hv_ops hvc_get_put_ops = {
29513 +static const struct hv_ops hvc_get_put_ops = {
29514 .get_chars = filtered_get_chars,
29515 .put_chars = hvc_put_chars,
29516 .notifier_add = notifier_add_irq,
29517 diff -urNp linux-2.6.32.49/drivers/char/hvc_xen.c linux-2.6.32.49/drivers/char/hvc_xen.c
29518 --- linux-2.6.32.49/drivers/char/hvc_xen.c 2011-11-08 19:02:43.000000000 -0500
29519 +++ linux-2.6.32.49/drivers/char/hvc_xen.c 2011-11-15 19:59:43.000000000 -0500
29520 @@ -120,7 +120,7 @@ static int read_console(uint32_t vtermno
29521 return recv;
29522 }
29523
29524 -static struct hv_ops hvc_ops = {
29525 +static const struct hv_ops hvc_ops = {
29526 .get_chars = read_console,
29527 .put_chars = write_console,
29528 .notifier_add = notifier_add_irq,
29529 diff -urNp linux-2.6.32.49/drivers/char/ipmi/ipmi_msghandler.c linux-2.6.32.49/drivers/char/ipmi/ipmi_msghandler.c
29530 --- linux-2.6.32.49/drivers/char/ipmi/ipmi_msghandler.c 2011-11-08 19:02:43.000000000 -0500
29531 +++ linux-2.6.32.49/drivers/char/ipmi/ipmi_msghandler.c 2011-11-15 19:59:43.000000000 -0500
29532 @@ -414,7 +414,7 @@ struct ipmi_smi {
29533 struct proc_dir_entry *proc_dir;
29534 char proc_dir_name[10];
29535
29536 - atomic_t stats[IPMI_NUM_STATS];
29537 + atomic_unchecked_t stats[IPMI_NUM_STATS];
29538
29539 /*
29540 * run_to_completion duplicate of smb_info, smi_info
29541 @@ -447,9 +447,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
29542
29543
29544 #define ipmi_inc_stat(intf, stat) \
29545 - atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
29546 + atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
29547 #define ipmi_get_stat(intf, stat) \
29548 - ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
29549 + ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
29550
29551 static int is_lan_addr(struct ipmi_addr *addr)
29552 {
29553 @@ -2808,7 +2808,7 @@ int ipmi_register_smi(struct ipmi_smi_ha
29554 INIT_LIST_HEAD(&intf->cmd_rcvrs);
29555 init_waitqueue_head(&intf->waitq);
29556 for (i = 0; i < IPMI_NUM_STATS; i++)
29557 - atomic_set(&intf->stats[i], 0);
29558 + atomic_set_unchecked(&intf->stats[i], 0);
29559
29560 intf->proc_dir = NULL;
29561
29562 @@ -4160,6 +4160,8 @@ static void send_panic_events(char *str)
29563 struct ipmi_smi_msg smi_msg;
29564 struct ipmi_recv_msg recv_msg;
29565
29566 + pax_track_stack();
29567 +
29568 si = (struct ipmi_system_interface_addr *) &addr;
29569 si->addr_type = IPMI_SYSTEM_INTERFACE_ADDR_TYPE;
29570 si->channel = IPMI_BMC_CHANNEL;
29571 diff -urNp linux-2.6.32.49/drivers/char/ipmi/ipmi_si_intf.c linux-2.6.32.49/drivers/char/ipmi/ipmi_si_intf.c
29572 --- linux-2.6.32.49/drivers/char/ipmi/ipmi_si_intf.c 2011-11-08 19:02:43.000000000 -0500
29573 +++ linux-2.6.32.49/drivers/char/ipmi/ipmi_si_intf.c 2011-11-15 19:59:43.000000000 -0500
29574 @@ -277,7 +277,7 @@ struct smi_info {
29575 unsigned char slave_addr;
29576
29577 /* Counters and things for the proc filesystem. */
29578 - atomic_t stats[SI_NUM_STATS];
29579 + atomic_unchecked_t stats[SI_NUM_STATS];
29580
29581 struct task_struct *thread;
29582
29583 @@ -285,9 +285,9 @@ struct smi_info {
29584 };
29585
29586 #define smi_inc_stat(smi, stat) \
29587 - atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
29588 + atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
29589 #define smi_get_stat(smi, stat) \
29590 - ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
29591 + ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
29592
29593 #define SI_MAX_PARMS 4
29594
29595 @@ -2931,7 +2931,7 @@ static int try_smi_init(struct smi_info
29596 atomic_set(&new_smi->req_events, 0);
29597 new_smi->run_to_completion = 0;
29598 for (i = 0; i < SI_NUM_STATS; i++)
29599 - atomic_set(&new_smi->stats[i], 0);
29600 + atomic_set_unchecked(&new_smi->stats[i], 0);
29601
29602 new_smi->interrupt_disabled = 0;
29603 atomic_set(&new_smi->stop_operation, 0);
29604 diff -urNp linux-2.6.32.49/drivers/char/istallion.c linux-2.6.32.49/drivers/char/istallion.c
29605 --- linux-2.6.32.49/drivers/char/istallion.c 2011-11-08 19:02:43.000000000 -0500
29606 +++ linux-2.6.32.49/drivers/char/istallion.c 2011-11-15 19:59:43.000000000 -0500
29607 @@ -187,7 +187,6 @@ static struct ktermios stli_deftermios
29608 * re-used for each stats call.
29609 */
29610 static comstats_t stli_comstats;
29611 -static combrd_t stli_brdstats;
29612 static struct asystats stli_cdkstats;
29613
29614 /*****************************************************************************/
29615 @@ -4058,6 +4057,7 @@ static int stli_getbrdstats(combrd_t __u
29616 {
29617 struct stlibrd *brdp;
29618 unsigned int i;
29619 + combrd_t stli_brdstats;
29620
29621 if (copy_from_user(&stli_brdstats, bp, sizeof(combrd_t)))
29622 return -EFAULT;
29623 @@ -4269,6 +4269,8 @@ static int stli_getportstruct(struct stl
29624 struct stliport stli_dummyport;
29625 struct stliport *portp;
29626
29627 + pax_track_stack();
29628 +
29629 if (copy_from_user(&stli_dummyport, arg, sizeof(struct stliport)))
29630 return -EFAULT;
29631 portp = stli_getport(stli_dummyport.brdnr, stli_dummyport.panelnr,
29632 @@ -4291,6 +4293,8 @@ static int stli_getbrdstruct(struct stli
29633 struct stlibrd stli_dummybrd;
29634 struct stlibrd *brdp;
29635
29636 + pax_track_stack();
29637 +
29638 if (copy_from_user(&stli_dummybrd, arg, sizeof(struct stlibrd)))
29639 return -EFAULT;
29640 if (stli_dummybrd.brdnr >= STL_MAXBRDS)
29641 diff -urNp linux-2.6.32.49/drivers/char/Kconfig linux-2.6.32.49/drivers/char/Kconfig
29642 --- linux-2.6.32.49/drivers/char/Kconfig 2011-11-08 19:02:43.000000000 -0500
29643 +++ linux-2.6.32.49/drivers/char/Kconfig 2011-11-15 19:59:43.000000000 -0500
29644 @@ -90,7 +90,8 @@ config VT_HW_CONSOLE_BINDING
29645
29646 config DEVKMEM
29647 bool "/dev/kmem virtual device support"
29648 - default y
29649 + default n
29650 + depends on !GRKERNSEC_KMEM
29651 help
29652 Say Y here if you want to support the /dev/kmem device. The
29653 /dev/kmem device is rarely used, but can be used for certain
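Review bot: The help text of DEVKMEM is left as it was, so someone configuring the kernel is not told why the default flipped or why the option vanishes once GRKERNSEC_KMEM is selected. A sentence such as `The device gives direct read/write access to kernel virtual memory; leave it off unless a specific tool needs it.` at the end of the help block would cover that. `default n` is also what a bool gets when no default is given, so the line could simply be dropped. The DEVPORT hunk below gains the same `depends on !GRKERNSEC_KMEM` and has no help text at all in the visible lines.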
29654 @@ -1114,6 +1115,7 @@ config DEVPORT
29655 bool
29656 depends on !M68K
29657 depends on ISA || PCI
29658 + depends on !GRKERNSEC_KMEM
29659 default y
29660
29661 source "drivers/s390/char/Kconfig"
29662 diff -urNp linux-2.6.32.49/drivers/char/keyboard.c linux-2.6.32.49/drivers/char/keyboard.c
29663 --- linux-2.6.32.49/drivers/char/keyboard.c 2011-11-08 19:02:43.000000000 -0500
29664 +++ linux-2.6.32.49/drivers/char/keyboard.c 2011-11-15 19:59:43.000000000 -0500
29665 @@ -635,6 +635,16 @@ static void k_spec(struct vc_data *vc, u
29666 kbd->kbdmode == VC_MEDIUMRAW) &&
29667 value != KVAL(K_SAK))
29668 return; /* SAK is allowed even in raw mode */
29669 +
29670 +#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
29671 + {
29672 + void *func = fn_handler[value];
29673 + if (func == fn_show_state || func == fn_show_ptregs ||
29674 + func == fn_show_mem)
29675 + return;
29676 + }
29677 +#endif
29678 +
29679 fn_handler[value](vc);
29680 }
29681
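Review bot: The added block stores a function pointer in `void *func` and then compares it with function addresses; converting between function and object pointers is not defined by ISO C and throws away the type check. Comparing the table entry directly avoids both the conversion and the extra scope: `if (fn_handler[value] == fn_show_state || fn_handler[value] == fn_show_ptregs || fn_handler[value] == fn_show_mem) return;`. A one-line comment such as `/* these handlers print task, register and memory state on the console; suppress them when /proc is restricted */` would explain why the two GRKERNSEC_PROC options gate a keyboard path (the description of the handlers is inferred from their names). The bounds check on `value` is above the hunk, so k_spec is only partly visible here.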
29682 @@ -1386,7 +1396,7 @@ static const struct input_device_id kbd_
29683 .evbit = { BIT_MASK(EV_SND) },
29684 },
29685
29686 - { }, /* Terminating entry */
29687 + { 0 }, /* Terminating entry */
29688 };
29689
29690 MODULE_DEVICE_TABLE(input, kbd_ids);
29691 diff -urNp linux-2.6.32.49/drivers/char/mbcs.c linux-2.6.32.49/drivers/char/mbcs.c
29692 --- linux-2.6.32.49/drivers/char/mbcs.c 2011-11-08 19:02:43.000000000 -0500
29693 +++ linux-2.6.32.49/drivers/char/mbcs.c 2011-11-18 18:01:55.000000000 -0500
29694 @@ -799,7 +799,7 @@ static int mbcs_remove(struct cx_dev *de
29695 return 0;
29696 }
29697
29698 -static const struct cx_device_id __devinitdata mbcs_id_table[] = {
29699 +static const struct cx_device_id __devinitconst mbcs_id_table[] = {
29700 {
29701 .part_num = MBCS_PART_NUM,
29702 .mfg_num = MBCS_MFG_NUM,
29703 diff -urNp linux-2.6.32.49/drivers/char/mem.c linux-2.6.32.49/drivers/char/mem.c
29704 --- linux-2.6.32.49/drivers/char/mem.c 2011-11-08 19:02:43.000000000 -0500
29705 +++ linux-2.6.32.49/drivers/char/mem.c 2011-11-15 19:59:43.000000000 -0500
29706 @@ -18,6 +18,7 @@
29707 #include <linux/raw.h>
29708 #include <linux/tty.h>
29709 #include <linux/capability.h>
29710 +#include <linux/security.h>
29711 #include <linux/ptrace.h>
29712 #include <linux/device.h>
29713 #include <linux/highmem.h>
29714 @@ -35,6 +36,10 @@
29715 # include <linux/efi.h>
29716 #endif
29717
29718 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
29719 +extern struct file_operations grsec_fops;
29720 +#endif
29721 +
29722 static inline unsigned long size_inside_page(unsigned long start,
29723 unsigned long size)
29724 {
29725 @@ -102,9 +107,13 @@ static inline int range_is_allowed(unsig
29726
29727 while (cursor < to) {
29728 if (!devmem_is_allowed(pfn)) {
29729 +#ifdef CONFIG_GRKERNSEC_KMEM
29730 + gr_handle_mem_readwrite(from, to);
29731 +#else
29732 printk(KERN_INFO
29733 "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
29734 current->comm, from, to);
29735 +#endif
29736 return 0;
29737 }
29738 cursor += PAGE_SIZE;
29739 @@ -112,6 +121,11 @@ static inline int range_is_allowed(unsig
29740 }
29741 return 1;
29742 }
29743 +#elif defined(CONFIG_GRKERNSEC_KMEM)
29744 +static inline int range_is_allowed(unsigned long pfn, unsigned long size)
29745 +{
29746 + return 0;
29747 +}
29748 #else
29749 static inline int range_is_allowed(unsigned long pfn, unsigned long size)
29750 {
29751 @@ -155,6 +169,8 @@ static ssize_t read_mem(struct file * fi
29752 #endif
29753
29754 while (count > 0) {
29755 + char *temp;
29756 +
29757 /*
29758 * Handle first page in case it's not aligned
29759 */
29760 @@ -177,11 +193,31 @@ static ssize_t read_mem(struct file * fi
29761 if (!ptr)
29762 return -EFAULT;
29763
29764 - if (copy_to_user(buf, ptr, sz)) {
29765 +#ifdef CONFIG_PAX_USERCOPY
29766 + temp = kmalloc(sz, GFP_KERNEL);
29767 + if (!temp) {
29768 + unxlate_dev_mem_ptr(p, ptr);
29769 + return -ENOMEM;
29770 + }
29771 + memcpy(temp, ptr, sz);
29772 +#else
29773 + temp = ptr;
29774 +#endif
29775 +
29776 + if (copy_to_user(buf, temp, sz)) {
29777 +
29778 +#ifdef CONFIG_PAX_USERCOPY
29779 + kfree(temp);
29780 +#endif
29781 +
29782 unxlate_dev_mem_ptr(p, ptr);
29783 return -EFAULT;
29784 }
29785
29786 +#ifdef CONFIG_PAX_USERCOPY
29787 + kfree(temp);
29788 +#endif
29789 +
29790 unxlate_dev_mem_ptr(p, ptr);
29791
29792 buf += sz;
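Review bot: `kfree(temp)` appears twice in read_mem, each inside its own `#ifdef CONFIG_PAX_USERCOPY`, once on the failure path and once on the success path, whereas the read_kmem hunk further down stores the result of `copy_to_user()` first and frees in a single place. Using the read_kmem shape here removes one conditional block and makes it harder to add an exit that leaks the bounce buffer; it needs one new `unsigned long left;` local declared beside `temp`. A short comment at the `kmalloc()` saying that the bounce buffer exists so the user copy is made from a slab object of known size (my reading of why CONFIG_PAX_USERCOPY needs it) would help readers who do not know the feature. The loop and the function both start and end outside this hunk.

```c
/* … unchanged: bounce-buffer setup under CONFIG_PAX_USERCOPY … */
		left = copy_to_user(buf, temp, sz);

#ifdef CONFIG_PAX_USERCOPY
		kfree(temp);
#endif

		unxlate_dev_mem_ptr(p, ptr);
		if (left)
			return -EFAULT;
```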
29793 @@ -419,9 +455,8 @@ static ssize_t read_kmem(struct file *fi
29794 size_t count, loff_t *ppos)
29795 {
29796 unsigned long p = *ppos;
29797 - ssize_t low_count, read, sz;
29798 + ssize_t low_count, read, sz, err = 0;
29799 char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
29800 - int err = 0;
29801
29802 read = 0;
29803 if (p < (unsigned long) high_memory) {
29804 @@ -444,6 +479,8 @@ static ssize_t read_kmem(struct file *fi
29805 }
29806 #endif
29807 while (low_count > 0) {
29808 + char *temp;
29809 +
29810 sz = size_inside_page(p, low_count);
29811
29812 /*
29813 @@ -453,7 +490,22 @@ static ssize_t read_kmem(struct file *fi
29814 */
29815 kbuf = xlate_dev_kmem_ptr((char *)p);
29816
29817 - if (copy_to_user(buf, kbuf, sz))
29818 +#ifdef CONFIG_PAX_USERCOPY
29819 + temp = kmalloc(sz, GFP_KERNEL);
29820 + if (!temp)
29821 + return -ENOMEM;
29822 + memcpy(temp, kbuf, sz);
29823 +#else
29824 + temp = kbuf;
29825 +#endif
29826 +
29827 + err = copy_to_user(buf, temp, sz);
29828 +
29829 +#ifdef CONFIG_PAX_USERCOPY
29830 + kfree(temp);
29831 +#endif
29832 +
29833 + if (err)
29834 return -EFAULT;
29835 buf += sz;
29836 p += sz;
29837 @@ -889,6 +941,9 @@ static const struct memdev {
29838 #ifdef CONFIG_CRASH_DUMP
29839 [12] = { "oldmem", 0, &oldmem_fops, NULL },
29840 #endif
29841 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
29842 + [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL },
29843 +#endif
29844 };
29845
29846 static int memory_open(struct inode *inode, struct file *filp)
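Review bot: The new `[13]` entry gives the "grsec" node the mode `S_IRUSR | S_IWUGO`, which makes it writable by every user, and nothing in the table says why that is acceptable. If the design is that `grsec_fops` authenticates each write itself (not visible in this file), say so next to the entry, e.g. `/* world-writable on purpose: grsec_fops must validate every request */`, so the mode is not mistaken for an oversight or copied to another device. The matching `extern struct file_operations grsec_fops;` in the earlier hunk is declared in the .c file rather than a shared header and is not `const`, unlike `oldmem_fops` in a table whose element type is `const struct memdev`. There is also a missing space after the comma in `"grsec",S_IRUSR`.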
29847 diff -urNp linux-2.6.32.49/drivers/char/pcmcia/ipwireless/tty.c linux-2.6.32.49/drivers/char/pcmcia/ipwireless/tty.c
29848 --- linux-2.6.32.49/drivers/char/pcmcia/ipwireless/tty.c 2011-11-08 19:02:43.000000000 -0500
29849 +++ linux-2.6.32.49/drivers/char/pcmcia/ipwireless/tty.c 2011-11-15 19:59:43.000000000 -0500
29850 @@ -29,6 +29,7 @@
29851 #include <linux/tty_driver.h>
29852 #include <linux/tty_flip.h>
29853 #include <linux/uaccess.h>
29854 +#include <asm/local.h>
29855
29856 #include "tty.h"
29857 #include "network.h"
29858 @@ -51,7 +52,7 @@ struct ipw_tty {
29859 int tty_type;
29860 struct ipw_network *network;
29861 struct tty_struct *linux_tty;
29862 - int open_count;
29863 + local_t open_count;
29864 unsigned int control_lines;
29865 struct mutex ipw_tty_mutex;
29866 int tx_bytes_queued;
29867 @@ -127,10 +128,10 @@ static int ipw_open(struct tty_struct *l
29868 mutex_unlock(&tty->ipw_tty_mutex);
29869 return -ENODEV;
29870 }
29871 - if (tty->open_count == 0)
29872 + if (local_read(&tty->open_count) == 0)
29873 tty->tx_bytes_queued = 0;
29874
29875 - tty->open_count++;
29876 + local_inc(&tty->open_count);
29877
29878 tty->linux_tty = linux_tty;
29879 linux_tty->driver_data = tty;
29880 @@ -146,9 +147,7 @@ static int ipw_open(struct tty_struct *l
29881
29882 static void do_ipw_close(struct ipw_tty *tty)
29883 {
29884 - tty->open_count--;
29885 -
29886 - if (tty->open_count == 0) {
29887 + if (local_dec_return(&tty->open_count) == 0) {
29888 struct tty_struct *linux_tty = tty->linux_tty;
29889
29890 if (linux_tty != NULL) {
29891 @@ -169,7 +168,7 @@ static void ipw_hangup(struct tty_struct
29892 return;
29893
29894 mutex_lock(&tty->ipw_tty_mutex);
29895 - if (tty->open_count == 0) {
29896 + if (local_read(&tty->open_count) == 0) {
29897 mutex_unlock(&tty->ipw_tty_mutex);
29898 return;
29899 }
29900 @@ -198,7 +197,7 @@ void ipwireless_tty_received(struct ipw_
29901 return;
29902 }
29903
29904 - if (!tty->open_count) {
29905 + if (!local_read(&tty->open_count)) {
29906 mutex_unlock(&tty->ipw_tty_mutex);
29907 return;
29908 }
29909 @@ -240,7 +239,7 @@ static int ipw_write(struct tty_struct *
29910 return -ENODEV;
29911
29912 mutex_lock(&tty->ipw_tty_mutex);
29913 - if (!tty->open_count) {
29914 + if (!local_read(&tty->open_count)) {
29915 mutex_unlock(&tty->ipw_tty_mutex);
29916 return -EINVAL;
29917 }
29918 @@ -280,7 +279,7 @@ static int ipw_write_room(struct tty_str
29919 if (!tty)
29920 return -ENODEV;
29921
29922 - if (!tty->open_count)
29923 + if (!local_read(&tty->open_count))
29924 return -EINVAL;
29925
29926 room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
29927 @@ -322,7 +321,7 @@ static int ipw_chars_in_buffer(struct tt
29928 if (!tty)
29929 return 0;
29930
29931 - if (!tty->open_count)
29932 + if (!local_read(&tty->open_count))
29933 return 0;
29934
29935 return tty->tx_bytes_queued;
29936 @@ -403,7 +402,7 @@ static int ipw_tiocmget(struct tty_struc
29937 if (!tty)
29938 return -ENODEV;
29939
29940 - if (!tty->open_count)
29941 + if (!local_read(&tty->open_count))
29942 return -EINVAL;
29943
29944 return get_control_lines(tty);
29945 @@ -419,7 +418,7 @@ ipw_tiocmset(struct tty_struct *linux_tt
29946 if (!tty)
29947 return -ENODEV;
29948
29949 - if (!tty->open_count)
29950 + if (!local_read(&tty->open_count))
29951 return -EINVAL;
29952
29953 return set_control_lines(tty, set, clear);
29954 @@ -433,7 +432,7 @@ static int ipw_ioctl(struct tty_struct *
29955 if (!tty)
29956 return -ENODEV;
29957
29958 - if (!tty->open_count)
29959 + if (!local_read(&tty->open_count))
29960 return -EINVAL;
29961
29962 /* FIXME: Exactly how is the tty object locked here .. */
29963 @@ -591,7 +590,7 @@ void ipwireless_tty_free(struct ipw_tty
29964 against a parallel ioctl etc */
29965 mutex_lock(&ttyj->ipw_tty_mutex);
29966 }
29967 - while (ttyj->open_count)
29968 + while (local_read(&ttyj->open_count))
29969 do_ipw_close(ttyj);
29970 ipwireless_disassociate_network_ttys(network,
29971 ttyj->channel_idx);
29972 diff -urNp linux-2.6.32.49/drivers/char/pty.c linux-2.6.32.49/drivers/char/pty.c
29973 --- linux-2.6.32.49/drivers/char/pty.c 2011-11-08 19:02:43.000000000 -0500
29974 +++ linux-2.6.32.49/drivers/char/pty.c 2011-11-15 19:59:43.000000000 -0500
29975 @@ -736,8 +736,10 @@ static void __init unix98_pty_init(void)
29976 register_sysctl_table(pty_root_table);
29977
29978 /* Now create the /dev/ptmx special device */
29979 + pax_open_kernel();
29980 tty_default_fops(&ptmx_fops);
29981 - ptmx_fops.open = ptmx_open;
29982 + *(void **)&ptmx_fops.open = ptmx_open;
29983 + pax_close_kernel();
29984
29985 cdev_init(&ptmx_cdev, &ptmx_fops);
29986 if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
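Review bot: The store `*(void **)&ptmx_fops.open = ptmx_open;` discards the member's function-pointer type, so the compiler no longer checks that `ptmx_open` matches the `open` prototype. A cast that keeps the signature, such as `*(int (**)(struct inode *, struct file *))&ptmx_fops.open = ptmx_open;`, removes the qualifier without losing that check. The same `*(void **)&` pattern appears in the virtio_console.c hunks for virtio_cons_early_init() and virtcons_probe(). A one-line comment saying that `ptmx_fops` is presumably read-only here, and that this is why the writes sit between `pax_open_kernel()` and `pax_close_kernel()`, would help the next reader. unix98_pty_init() starts and ends outside the hunk.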
29987 diff -urNp linux-2.6.32.49/drivers/char/random.c linux-2.6.32.49/drivers/char/random.c
29988 --- linux-2.6.32.49/drivers/char/random.c 2011-11-08 19:02:43.000000000 -0500
29989 +++ linux-2.6.32.49/drivers/char/random.c 2011-11-15 19:59:43.000000000 -0500
29990 @@ -254,8 +254,13 @@
29991 /*
29992 * Configuration information
29993 */
29994 +#ifdef CONFIG_GRKERNSEC_RANDNET
29995 +#define INPUT_POOL_WORDS 512
29996 +#define OUTPUT_POOL_WORDS 128
29997 +#else
29998 #define INPUT_POOL_WORDS 128
29999 #define OUTPUT_POOL_WORDS 32
30000 +#endif
30001 #define SEC_XFER_SIZE 512
30002
30003 /*
30004 @@ -292,10 +297,17 @@ static struct poolinfo {
30005 int poolwords;
30006 int tap1, tap2, tap3, tap4, tap5;
30007 } poolinfo_table[] = {
30008 +#ifdef CONFIG_GRKERNSEC_RANDNET
30009 + /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
30010 + { 512, 411, 308, 208, 104, 1 },
30011 + /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
30012 + { 128, 103, 76, 51, 25, 1 },
30013 +#else
30014 /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
30015 { 128, 103, 76, 51, 25, 1 },
30016 /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
30017 { 32, 26, 20, 14, 7, 1 },
30018 +#endif
30019 #if 0
30020 /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
30021 { 2048, 1638, 1231, 819, 411, 1 },
30022 @@ -1209,7 +1221,7 @@ EXPORT_SYMBOL(generate_random_uuid);
30023 #include <linux/sysctl.h>
30024
30025 static int min_read_thresh = 8, min_write_thresh;
30026 -static int max_read_thresh = INPUT_POOL_WORDS * 32;
30027 +static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
30028 static int max_write_thresh = INPUT_POOL_WORDS * 32;
30029 static char sysctl_bootid[16];
30030
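Review bot: The new bound `max_read_thresh = OUTPUT_POOL_WORDS * 32` is outside the `#ifdef CONFIG_GRKERNSEC_RANDNET` blocks added earlier in this file's diff, so it also lowers the limit on builds without that option. With the sizes shown in the first hunk it drops from 128*32 to 32*32. Where `max_read_thresh` is consumed is not visible here, so a value that was accepted before may now be rejected. If the change is intentional for all configurations, I would record the reason on the line, e.g. `/* read wakeup threshold is capped by the output pool size, not the input pool */`, after confirming that this is the actual rationale.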
30031 diff -urNp linux-2.6.32.49/drivers/char/rocket.c linux-2.6.32.49/drivers/char/rocket.c
30032 --- linux-2.6.32.49/drivers/char/rocket.c 2011-11-08 19:02:43.000000000 -0500
30033 +++ linux-2.6.32.49/drivers/char/rocket.c 2011-11-15 19:59:43.000000000 -0500
30034 @@ -1266,6 +1266,8 @@ static int get_ports(struct r_port *info
30035 struct rocket_ports tmp;
30036 int board;
30037
30038 + pax_track_stack();
30039 +
30040 if (!retports)
30041 return -EFAULT;
30042 memset(&tmp, 0, sizeof (tmp));
30043 diff -urNp linux-2.6.32.49/drivers/char/sonypi.c linux-2.6.32.49/drivers/char/sonypi.c
30044 --- linux-2.6.32.49/drivers/char/sonypi.c 2011-11-08 19:02:43.000000000 -0500
30045 +++ linux-2.6.32.49/drivers/char/sonypi.c 2011-11-15 19:59:43.000000000 -0500
30046 @@ -55,6 +55,7 @@
30047 #include <asm/uaccess.h>
30048 #include <asm/io.h>
30049 #include <asm/system.h>
30050 +#include <asm/local.h>
30051
30052 #include <linux/sonypi.h>
30053
30054 @@ -491,7 +492,7 @@ static struct sonypi_device {
30055 spinlock_t fifo_lock;
30056 wait_queue_head_t fifo_proc_list;
30057 struct fasync_struct *fifo_async;
30058 - int open_count;
30059 + local_t open_count;
30060 int model;
30061 struct input_dev *input_jog_dev;
30062 struct input_dev *input_key_dev;
30063 @@ -895,7 +896,7 @@ static int sonypi_misc_fasync(int fd, st
30064 static int sonypi_misc_release(struct inode *inode, struct file *file)
30065 {
30066 mutex_lock(&sonypi_device.lock);
30067 - sonypi_device.open_count--;
30068 + local_dec(&sonypi_device.open_count);
30069 mutex_unlock(&sonypi_device.lock);
30070 return 0;
30071 }
30072 @@ -905,9 +906,9 @@ static int sonypi_misc_open(struct inode
30073 lock_kernel();
30074 mutex_lock(&sonypi_device.lock);
30075 /* Flush input queue on first open */
30076 - if (!sonypi_device.open_count)
30077 + if (!local_read(&sonypi_device.open_count))
30078 kfifo_reset(sonypi_device.fifo);
30079 - sonypi_device.open_count++;
30080 + local_inc(&sonypi_device.open_count);
30081 mutex_unlock(&sonypi_device.lock);
30082 unlock_kernel();
30083 return 0;
30084 diff -urNp linux-2.6.32.49/drivers/char/stallion.c linux-2.6.32.49/drivers/char/stallion.c
30085 --- linux-2.6.32.49/drivers/char/stallion.c 2011-11-08 19:02:43.000000000 -0500
30086 +++ linux-2.6.32.49/drivers/char/stallion.c 2011-11-15 19:59:43.000000000 -0500
30087 @@ -2448,6 +2448,8 @@ static int stl_getportstruct(struct stlp
30088 struct stlport stl_dummyport;
30089 struct stlport *portp;
30090
30091 + pax_track_stack();
30092 +
30093 if (copy_from_user(&stl_dummyport, arg, sizeof(struct stlport)))
30094 return -EFAULT;
30095 portp = stl_getport(stl_dummyport.brdnr, stl_dummyport.panelnr,
30096 diff -urNp linux-2.6.32.49/drivers/char/tpm/tpm_bios.c linux-2.6.32.49/drivers/char/tpm/tpm_bios.c
30097 --- linux-2.6.32.49/drivers/char/tpm/tpm_bios.c 2011-11-08 19:02:43.000000000 -0500
30098 +++ linux-2.6.32.49/drivers/char/tpm/tpm_bios.c 2011-11-15 19:59:43.000000000 -0500
30099 @@ -172,7 +172,7 @@ static void *tpm_bios_measurements_start
30100 event = addr;
30101
30102 if ((event->event_type == 0 && event->event_size == 0) ||
30103 - ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
30104 + (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
30105 return NULL;
30106
30107 return addr;
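Review bot: The rewritten bound `event->event_size >= limit - addr - sizeof(struct tcpa_event)` is only correct when `limit - addr` is already known to be at least `sizeof(struct tcpa_event)`. Otherwise the right-hand side wraps to a very large unsigned value, no `event_size` reaches it, and an out-of-range record is accepted. The guard that would establish this is not visible in this hunk or in the matching one for tpm_bios_measurements_next(), which uses `v` instead of `addr`. If it does exist just above, a comment on both sites would make the dependency explicit, e.g. `/* addr + sizeof(struct tcpa_event) < limit was checked above, so this subtraction cannot wrap */`. Both functions start outside their hunks.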
30108 @@ -197,7 +197,7 @@ static void *tpm_bios_measurements_next(
30109 return NULL;
30110
30111 if ((event->event_type == 0 && event->event_size == 0) ||
30112 - ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
30113 + (event->event_size >= limit - v - sizeof(struct tcpa_event)))
30114 return NULL;
30115
30116 (*pos)++;
30117 @@ -290,7 +290,8 @@ static int tpm_binary_bios_measurements_
30118 int i;
30119
30120 for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
30121 - seq_putc(m, data[i]);
30122 + if (!seq_putc(m, data[i]))
30123 + return -EFAULT;
30124
30125 return 0;
30126 }
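Review bot: The test `if (!seq_putc(m, data[i])) return -EFAULT;` looks inverted. As far as I know, seq_putc() in this kernel series returns 0 when the byte was stored and a negative value when the buffer is full, so unless this patch changes that convention elsewhere, the loop returns -EFAULT after the first byte it writes successfully. `if (seq_putc(m, data[i]) < 0)` would match that convention. It is also worth confirming that returning an error from the show callback on a full buffer does not defeat seq_file's usual retry with a larger buffer. The function begins outside the hunk.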
30127 @@ -409,8 +410,13 @@ static int read_log(struct tpm_bios_log
30128 log->bios_event_log_end = log->bios_event_log + len;
30129
30130 virt = acpi_os_map_memory(start, len);
30131 + if (!virt) {
30132 + kfree(log->bios_event_log);
30133 + log->bios_event_log = NULL;
30134 + return -EFAULT;
30135 + }
30136
30137 - memcpy(log->bios_event_log, virt, len);
30138 + memcpy(log->bios_event_log, (const char __force_kernel *)virt, len);
30139
30140 acpi_os_unmap_memory(virt, len);
30141 return 0;
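Review bot: On the new failure path `log->bios_event_log_end` still holds the address computed two lines earlier from the buffer that is then freed, while only `log->bios_event_log` is reset. Adding `log->bios_event_log_end = NULL;` next to the existing reset keeps the pair consistent, so that any later bounds check of the form `addr < limit` (as in the measurement iterators of this file) cannot run against a stale end pointer. Whether callers touch the log after a failed read_log() is not visible here. read_log() starts outside the hunk.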
30142 diff -urNp linux-2.6.32.49/drivers/char/tpm/tpm.c linux-2.6.32.49/drivers/char/tpm/tpm.c
30143 --- linux-2.6.32.49/drivers/char/tpm/tpm.c 2011-11-08 19:02:43.000000000 -0500
30144 +++ linux-2.6.32.49/drivers/char/tpm/tpm.c 2011-11-15 19:59:43.000000000 -0500
30145 @@ -405,7 +405,7 @@ static ssize_t tpm_transmit(struct tpm_c
30146 chip->vendor.req_complete_val)
30147 goto out_recv;
30148
30149 - if ((status == chip->vendor.req_canceled)) {
30150 + if (status == chip->vendor.req_canceled) {
30151 dev_err(chip->dev, "Operation Canceled\n");
30152 rc = -ECANCELED;
30153 goto out;
30154 @@ -824,6 +824,8 @@ ssize_t tpm_show_pubek(struct device *de
30155
30156 struct tpm_chip *chip = dev_get_drvdata(dev);
30157
30158 + pax_track_stack();
30159 +
30160 tpm_cmd.header.in = tpm_readpubek_header;
30161 err = transmit_cmd(chip, &tpm_cmd, READ_PUBEK_RESULT_SIZE,
30162 "attempting to read the PUBEK");
30163 diff -urNp linux-2.6.32.49/drivers/char/tty_io.c linux-2.6.32.49/drivers/char/tty_io.c
30164 --- linux-2.6.32.49/drivers/char/tty_io.c 2011-11-26 19:44:53.000000000 -0500
30165 +++ linux-2.6.32.49/drivers/char/tty_io.c 2011-11-26 19:45:05.000000000 -0500
30166 @@ -1774,6 +1774,7 @@ got_driver:
30167
30168 if (IS_ERR(tty)) {
30169 mutex_unlock(&tty_mutex);
30170 + tty_driver_kref_put(driver);
30171 return PTR_ERR(tty);
30172 }
30173 }
30174 @@ -2603,8 +2604,10 @@ long tty_ioctl(struct file *file, unsign
30175 return retval;
30176 }
30177
30178 +EXPORT_SYMBOL(tty_ioctl);
30179 +
30180 #ifdef CONFIG_COMPAT
30181 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
30182 +long tty_compat_ioctl(struct file *file, unsigned int cmd,
30183 unsigned long arg)
30184 {
30185 struct inode *inode = file->f_dentry->d_inode;
30186 @@ -2628,6 +2631,8 @@ static long tty_compat_ioctl(struct file
30187
30188 return retval;
30189 }
30190 +
30191 +EXPORT_SYMBOL(tty_compat_ioctl);
30192 #endif
30193
30194 /*
30195 @@ -3073,7 +3078,7 @@ EXPORT_SYMBOL_GPL(get_current_tty);
30196
30197 void tty_default_fops(struct file_operations *fops)
30198 {
30199 - *fops = tty_fops;
30200 + memcpy((void *)fops, &tty_fops, sizeof(tty_fops));
30201 }
30202
30203 /*
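Review bot: tty_default_fops() now writes through a `(void *)` cast but opens no write window of its own, so it relies on every caller having made the destination writable first. In this diff the pty.c caller does that by wrapping the call in `pax_open_kernel()`/`pax_close_kernel()`, but the requirement is stated nowhere. I would document it on the function, e.g. `/* Caller must be inside pax_open_kernel() when *fops lives in read-only memory. */`, assuming the target structures are in fact made read-only elsewhere in the patch. Using `sizeof(*fops)` for the length would also tie the copy size to the destination rather than the source.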
30204 diff -urNp linux-2.6.32.49/drivers/char/tty_ldisc.c linux-2.6.32.49/drivers/char/tty_ldisc.c
30205 --- linux-2.6.32.49/drivers/char/tty_ldisc.c 2011-11-08 19:02:43.000000000 -0500
30206 +++ linux-2.6.32.49/drivers/char/tty_ldisc.c 2011-11-15 19:59:43.000000000 -0500
30207 @@ -74,7 +74,7 @@ static void put_ldisc(struct tty_ldisc *
30208 if (atomic_dec_and_lock(&ld->users, &tty_ldisc_lock)) {
30209 struct tty_ldisc_ops *ldo = ld->ops;
30210
30211 - ldo->refcount--;
30212 + atomic_dec(&ldo->refcount);
30213 module_put(ldo->owner);
30214 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
30215
30216 @@ -109,7 +109,7 @@ int tty_register_ldisc(int disc, struct
30217 spin_lock_irqsave(&tty_ldisc_lock, flags);
30218 tty_ldiscs[disc] = new_ldisc;
30219 new_ldisc->num = disc;
30220 - new_ldisc->refcount = 0;
30221 + atomic_set(&new_ldisc->refcount, 0);
30222 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
30223
30224 return ret;
30225 @@ -137,7 +137,7 @@ int tty_unregister_ldisc(int disc)
30226 return -EINVAL;
30227
30228 spin_lock_irqsave(&tty_ldisc_lock, flags);
30229 - if (tty_ldiscs[disc]->refcount)
30230 + if (atomic_read(&tty_ldiscs[disc]->refcount))
30231 ret = -EBUSY;
30232 else
30233 tty_ldiscs[disc] = NULL;
30234 @@ -158,7 +158,7 @@ static struct tty_ldisc_ops *get_ldops(i
30235 if (ldops) {
30236 ret = ERR_PTR(-EAGAIN);
30237 if (try_module_get(ldops->owner)) {
30238 - ldops->refcount++;
30239 + atomic_inc(&ldops->refcount);
30240 ret = ldops;
30241 }
30242 }
30243 @@ -171,7 +171,7 @@ static void put_ldops(struct tty_ldisc_o
30244 unsigned long flags;
30245
30246 spin_lock_irqsave(&tty_ldisc_lock, flags);
30247 - ldops->refcount--;
30248 + atomic_dec(&ldops->refcount);
30249 module_put(ldops->owner);
30250 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
30251 }
30252 diff -urNp linux-2.6.32.49/drivers/char/virtio_console.c linux-2.6.32.49/drivers/char/virtio_console.c
30253 --- linux-2.6.32.49/drivers/char/virtio_console.c 2011-11-08 19:02:43.000000000 -0500
30254 +++ linux-2.6.32.49/drivers/char/virtio_console.c 2011-11-15 19:59:43.000000000 -0500
30255 @@ -133,7 +133,9 @@ static int get_chars(u32 vtermno, char *
30256 * virtqueue, so we let the drivers do some boutique early-output thing. */
30257 int __init virtio_cons_early_init(int (*put_chars)(u32, const char *, int))
30258 {
30259 - virtio_cons.put_chars = put_chars;
30260 + pax_open_kernel();
30261 + *(void **)&virtio_cons.put_chars = put_chars;
30262 + pax_close_kernel();
30263 return hvc_instantiate(0, 0, &virtio_cons);
30264 }
30265
30266 @@ -213,11 +215,13 @@ static int __devinit virtcons_probe(stru
30267 out_vq = vqs[1];
30268
30269 /* Start using the new console output. */
30270 - virtio_cons.get_chars = get_chars;
30271 - virtio_cons.put_chars = put_chars;
30272 - virtio_cons.notifier_add = notifier_add_vio;
30273 - virtio_cons.notifier_del = notifier_del_vio;
30274 - virtio_cons.notifier_hangup = notifier_del_vio;
30275 + pax_open_kernel();
30276 + *(void **)&virtio_cons.get_chars = get_chars;
30277 + *(void **)&virtio_cons.put_chars = put_chars;
30278 + *(void **)&virtio_cons.notifier_add = notifier_add_vio;
30279 + *(void **)&virtio_cons.notifier_del = notifier_del_vio;
30280 + *(void **)&virtio_cons.notifier_hangup = notifier_del_vio;
30281 + pax_close_kernel();
30282
30283 /* The first argument of hvc_alloc() is the virtual console number, so
30284 * we use zero. The second argument is the parameter for the
30285 diff -urNp linux-2.6.32.49/drivers/char/vt.c linux-2.6.32.49/drivers/char/vt.c
30286 --- linux-2.6.32.49/drivers/char/vt.c 2011-11-08 19:02:43.000000000 -0500
30287 +++ linux-2.6.32.49/drivers/char/vt.c 2011-11-15 19:59:43.000000000 -0500
30288 @@ -243,7 +243,7 @@ EXPORT_SYMBOL_GPL(unregister_vt_notifier
30289
30290 static void notify_write(struct vc_data *vc, unsigned int unicode)
30291 {
30292 - struct vt_notifier_param param = { .vc = vc, unicode = unicode };
30293 + struct vt_notifier_param param = { .vc = vc, .c = unicode };
30294 atomic_notifier_call_chain(&vt_notifier_list, VT_WRITE, &param);
30295 }
30296
30297 diff -urNp linux-2.6.32.49/drivers/char/vt_ioctl.c linux-2.6.32.49/drivers/char/vt_ioctl.c
30298 --- linux-2.6.32.49/drivers/char/vt_ioctl.c 2011-11-08 19:02:43.000000000 -0500
30299 +++ linux-2.6.32.49/drivers/char/vt_ioctl.c 2011-11-15 19:59:43.000000000 -0500
30300 @@ -210,9 +210,6 @@ do_kdsk_ioctl(int cmd, struct kbentry __
30301 if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
30302 return -EFAULT;
30303
30304 - if (!capable(CAP_SYS_TTY_CONFIG))
30305 - perm = 0;
30306 -
30307 switch (cmd) {
30308 case KDGKBENT:
30309 key_map = key_maps[s];
30310 @@ -224,8 +221,12 @@ do_kdsk_ioctl(int cmd, struct kbentry __
30311 val = (i ? K_HOLE : K_NOSUCHMAP);
30312 return put_user(val, &user_kbe->kb_value);
30313 case KDSKBENT:
30314 + if (!capable(CAP_SYS_TTY_CONFIG))
30315 + perm = 0;
30316 +
30317 if (!perm)
30318 return -EPERM;
30319 +
30320 if (!i && v == K_NOSUCHMAP) {
30321 /* deallocate map */
30322 key_map = key_maps[s];
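Review bot: With the `capable(CAP_SYS_TTY_CONFIG)` test moved into `case KDSKBENT:`, `perm` is no longer lowered for any other branch of this switch. The rest of the switch is outside the hunk, so it is worth confirming that no other case in do_kdsk_ioctl() reads `perm`. The same applies to `case KDSKBSENT:` in the do_kdgkb_ioctl() hunks that follow. The reason for the move is not stated; if it is to keep read-only queries from performing a capability check, a comment at both sites would stop a later cleanup from hoisting the test back, e.g. `/* capability is checked only on the set path; get requests must not trigger it */`.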
30323 @@ -325,9 +326,6 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
30324 int i, j, k;
30325 int ret;
30326
30327 - if (!capable(CAP_SYS_TTY_CONFIG))
30328 - perm = 0;
30329 -
30330 kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
30331 if (!kbs) {
30332 ret = -ENOMEM;
30333 @@ -361,6 +359,9 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
30334 kfree(kbs);
30335 return ((p && *p) ? -EOVERFLOW : 0);
30336 case KDSKBSENT:
30337 + if (!capable(CAP_SYS_TTY_CONFIG))
30338 + perm = 0;
30339 +
30340 if (!perm) {
30341 ret = -EPERM;
30342 goto reterr;
30343 diff -urNp linux-2.6.32.49/drivers/cpufreq/cpufreq.c linux-2.6.32.49/drivers/cpufreq/cpufreq.c
30344 --- linux-2.6.32.49/drivers/cpufreq/cpufreq.c 2011-11-08 19:02:43.000000000 -0500
30345 +++ linux-2.6.32.49/drivers/cpufreq/cpufreq.c 2011-11-15 19:59:43.000000000 -0500
30346 @@ -750,7 +750,7 @@ static void cpufreq_sysfs_release(struct
30347 complete(&policy->kobj_unregister);
30348 }
30349
30350 -static struct sysfs_ops sysfs_ops = {
30351 +static const struct sysfs_ops sysfs_ops = {
30352 .show = show,
30353 .store = store,
30354 };
30355 diff -urNp linux-2.6.32.49/drivers/cpuidle/sysfs.c linux-2.6.32.49/drivers/cpuidle/sysfs.c
30356 --- linux-2.6.32.49/drivers/cpuidle/sysfs.c 2011-11-08 19:02:43.000000000 -0500
30357 +++ linux-2.6.32.49/drivers/cpuidle/sysfs.c 2011-11-15 19:59:43.000000000 -0500
30358 @@ -191,7 +191,7 @@ static ssize_t cpuidle_store(struct kobj
30359 return ret;
30360 }
30361
30362 -static struct sysfs_ops cpuidle_sysfs_ops = {
30363 +static const struct sysfs_ops cpuidle_sysfs_ops = {
30364 .show = cpuidle_show,
30365 .store = cpuidle_store,
30366 };
30367 @@ -277,7 +277,7 @@ static ssize_t cpuidle_state_show(struct
30368 return ret;
30369 }
30370
30371 -static struct sysfs_ops cpuidle_state_sysfs_ops = {
30372 +static const struct sysfs_ops cpuidle_state_sysfs_ops = {
30373 .show = cpuidle_state_show,
30374 };
30375
30376 @@ -294,7 +294,7 @@ static struct kobj_type ktype_state_cpui
30377 .release = cpuidle_state_sysfs_release,
30378 };
30379
30380 -static void inline cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
30381 +static inline void cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
30382 {
30383 kobject_put(&device->kobjs[i]->kobj);
30384 wait_for_completion(&device->kobjs[i]->kobj_unregister);
30385 diff -urNp linux-2.6.32.49/drivers/crypto/hifn_795x.c linux-2.6.32.49/drivers/crypto/hifn_795x.c
30386 --- linux-2.6.32.49/drivers/crypto/hifn_795x.c 2011-11-08 19:02:43.000000000 -0500
30387 +++ linux-2.6.32.49/drivers/crypto/hifn_795x.c 2011-11-15 19:59:43.000000000 -0500
30388 @@ -1655,6 +1655,8 @@ static int hifn_test(struct hifn_device
30389 0xCA, 0x34, 0x2B, 0x2E};
30390 struct scatterlist sg;
30391
30392 + pax_track_stack();
30393 +
30394 memset(src, 0, sizeof(src));
30395 memset(ctx.key, 0, sizeof(ctx.key));
30396
30397 diff -urNp linux-2.6.32.49/drivers/crypto/padlock-aes.c linux-2.6.32.49/drivers/crypto/padlock-aes.c
30398 --- linux-2.6.32.49/drivers/crypto/padlock-aes.c 2011-11-08 19:02:43.000000000 -0500
30399 +++ linux-2.6.32.49/drivers/crypto/padlock-aes.c 2011-11-15 19:59:43.000000000 -0500
30400 @@ -108,6 +108,8 @@ static int aes_set_key(struct crypto_tfm
30401 struct crypto_aes_ctx gen_aes;
30402 int cpu;
30403
30404 + pax_track_stack();
30405 +
30406 if (key_len % 8) {
30407 *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
30408 return -EINVAL;
30409 diff -urNp linux-2.6.32.49/drivers/dma/ioat/dma.c linux-2.6.32.49/drivers/dma/ioat/dma.c
30410 --- linux-2.6.32.49/drivers/dma/ioat/dma.c 2011-11-08 19:02:43.000000000 -0500
30411 +++ linux-2.6.32.49/drivers/dma/ioat/dma.c 2011-11-15 19:59:43.000000000 -0500
30412 @@ -1146,7 +1146,7 @@ ioat_attr_show(struct kobject *kobj, str
30413 return entry->show(&chan->common, page);
30414 }
30415
30416 -struct sysfs_ops ioat_sysfs_ops = {
30417 +const struct sysfs_ops ioat_sysfs_ops = {
30418 .show = ioat_attr_show,
30419 };
30420
30421 diff -urNp linux-2.6.32.49/drivers/dma/ioat/dma.h linux-2.6.32.49/drivers/dma/ioat/dma.h
30422 --- linux-2.6.32.49/drivers/dma/ioat/dma.h 2011-11-08 19:02:43.000000000 -0500
30423 +++ linux-2.6.32.49/drivers/dma/ioat/dma.h 2011-11-15 19:59:43.000000000 -0500
30424 @@ -347,7 +347,7 @@ bool ioat_cleanup_preamble(struct ioat_c
30425 unsigned long *phys_complete);
30426 void ioat_kobject_add(struct ioatdma_device *device, struct kobj_type *type);
30427 void ioat_kobject_del(struct ioatdma_device *device);
30428 -extern struct sysfs_ops ioat_sysfs_ops;
30429 +extern const struct sysfs_ops ioat_sysfs_ops;
30430 extern struct ioat_sysfs_entry ioat_version_attr;
30431 extern struct ioat_sysfs_entry ioat_cap_attr;
30432 #endif /* IOATDMA_H */
30433 diff -urNp linux-2.6.32.49/drivers/dma/ioat/dma_v3.c linux-2.6.32.49/drivers/dma/ioat/dma_v3.c
30434 --- linux-2.6.32.49/drivers/dma/ioat/dma_v3.c 2011-11-08 19:02:43.000000000 -0500
30435 +++ linux-2.6.32.49/drivers/dma/ioat/dma_v3.c 2011-11-18 18:01:55.000000000 -0500
30436 @@ -71,10 +71,10 @@
30437 /* provide a lookup table for setting the source address in the base or
30438 * extended descriptor of an xor or pq descriptor
30439 */
30440 -static const u8 xor_idx_to_desc __read_mostly = 0xd0;
30441 -static const u8 xor_idx_to_field[] __read_mostly = { 1, 4, 5, 6, 7, 0, 1, 2 };
30442 -static const u8 pq_idx_to_desc __read_mostly = 0xf8;
30443 -static const u8 pq_idx_to_field[] __read_mostly = { 1, 4, 5, 0, 1, 2, 4, 5 };
30444 +static const u8 xor_idx_to_desc = 0xd0;
30445 +static const u8 xor_idx_to_field[] = { 1, 4, 5, 6, 7, 0, 1, 2 };
30446 +static const u8 pq_idx_to_desc = 0xf8;
30447 +static const u8 pq_idx_to_field[] = { 1, 4, 5, 0, 1, 2, 4, 5 };
30448
30449 static dma_addr_t xor_get_src(struct ioat_raw_descriptor *descs[2], int idx)
30450 {
30451 diff -urNp linux-2.6.32.49/drivers/edac/amd64_edac.c linux-2.6.32.49/drivers/edac/amd64_edac.c
30452 --- linux-2.6.32.49/drivers/edac/amd64_edac.c 2011-11-08 19:02:43.000000000 -0500
30453 +++ linux-2.6.32.49/drivers/edac/amd64_edac.c 2011-11-18 18:01:55.000000000 -0500
30454 @@ -3099,7 +3099,7 @@ static void __devexit amd64_remove_one_i
30455 * PCI core identifies what devices are on a system during boot, and then
30456 * inquiry this table to see if this driver is for a given device found.
30457 */
30458 -static const struct pci_device_id amd64_pci_table[] __devinitdata = {
30459 +static const struct pci_device_id amd64_pci_table[] __devinitconst = {
30460 {
30461 .vendor = PCI_VENDOR_ID_AMD,
30462 .device = PCI_DEVICE_ID_AMD_K8_NB_MEMCTL,
30463 diff -urNp linux-2.6.32.49/drivers/edac/amd76x_edac.c linux-2.6.32.49/drivers/edac/amd76x_edac.c
30464 --- linux-2.6.32.49/drivers/edac/amd76x_edac.c 2011-11-08 19:02:43.000000000 -0500
30465 +++ linux-2.6.32.49/drivers/edac/amd76x_edac.c 2011-11-18 18:01:55.000000000 -0500
30466 @@ -322,7 +322,7 @@ static void __devexit amd76x_remove_one(
30467 edac_mc_free(mci);
30468 }
30469
30470 -static const struct pci_device_id amd76x_pci_tbl[] __devinitdata = {
30471 +static const struct pci_device_id amd76x_pci_tbl[] __devinitconst = {
30472 {
30473 PCI_VEND_DEV(AMD, FE_GATE_700C), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
30474 AMD762},
30475 diff -urNp linux-2.6.32.49/drivers/edac/e752x_edac.c linux-2.6.32.49/drivers/edac/e752x_edac.c
30476 --- linux-2.6.32.49/drivers/edac/e752x_edac.c 2011-11-08 19:02:43.000000000 -0500
30477 +++ linux-2.6.32.49/drivers/edac/e752x_edac.c 2011-11-18 18:01:55.000000000 -0500
30478 @@ -1282,7 +1282,7 @@ static void __devexit e752x_remove_one(s
30479 edac_mc_free(mci);
30480 }
30481
30482 -static const struct pci_device_id e752x_pci_tbl[] __devinitdata = {
30483 +static const struct pci_device_id e752x_pci_tbl[] __devinitconst = {
30484 {
30485 PCI_VEND_DEV(INTEL, 7520_0), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
30486 E7520},
30487 diff -urNp linux-2.6.32.49/drivers/edac/e7xxx_edac.c linux-2.6.32.49/drivers/edac/e7xxx_edac.c
30488 --- linux-2.6.32.49/drivers/edac/e7xxx_edac.c 2011-11-08 19:02:43.000000000 -0500
30489 +++ linux-2.6.32.49/drivers/edac/e7xxx_edac.c 2011-11-18 18:01:55.000000000 -0500
30490 @@ -526,7 +526,7 @@ static void __devexit e7xxx_remove_one(s
30491 edac_mc_free(mci);
30492 }
30493
30494 -static const struct pci_device_id e7xxx_pci_tbl[] __devinitdata = {
30495 +static const struct pci_device_id e7xxx_pci_tbl[] __devinitconst = {
30496 {
30497 PCI_VEND_DEV(INTEL, 7205_0), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
30498 E7205},
30499 diff -urNp linux-2.6.32.49/drivers/edac/edac_device_sysfs.c linux-2.6.32.49/drivers/edac/edac_device_sysfs.c
30500 --- linux-2.6.32.49/drivers/edac/edac_device_sysfs.c 2011-11-08 19:02:43.000000000 -0500
30501 +++ linux-2.6.32.49/drivers/edac/edac_device_sysfs.c 2011-11-15 19:59:43.000000000 -0500
30502 @@ -137,7 +137,7 @@ static ssize_t edac_dev_ctl_info_store(s
30503 }
30504
30505 /* edac_dev file operations for an 'ctl_info' */
30506 -static struct sysfs_ops device_ctl_info_ops = {
30507 +static const struct sysfs_ops device_ctl_info_ops = {
30508 .show = edac_dev_ctl_info_show,
30509 .store = edac_dev_ctl_info_store
30510 };
30511 @@ -373,7 +373,7 @@ static ssize_t edac_dev_instance_store(s
30512 }
30513
30514 /* edac_dev file operations for an 'instance' */
30515 -static struct sysfs_ops device_instance_ops = {
30516 +static const struct sysfs_ops device_instance_ops = {
30517 .show = edac_dev_instance_show,
30518 .store = edac_dev_instance_store
30519 };
30520 @@ -476,7 +476,7 @@ static ssize_t edac_dev_block_store(stru
30521 }
30522
30523 /* edac_dev file operations for a 'block' */
30524 -static struct sysfs_ops device_block_ops = {
30525 +static const struct sysfs_ops device_block_ops = {
30526 .show = edac_dev_block_show,
30527 .store = edac_dev_block_store
30528 };
30529 diff -urNp linux-2.6.32.49/drivers/edac/edac_mc_sysfs.c linux-2.6.32.49/drivers/edac/edac_mc_sysfs.c
30530 --- linux-2.6.32.49/drivers/edac/edac_mc_sysfs.c 2011-11-08 19:02:43.000000000 -0500
30531 +++ linux-2.6.32.49/drivers/edac/edac_mc_sysfs.c 2011-11-15 19:59:43.000000000 -0500
30532 @@ -245,7 +245,7 @@ static ssize_t csrowdev_store(struct kob
30533 return -EIO;
30534 }
30535
30536 -static struct sysfs_ops csrowfs_ops = {
30537 +static const struct sysfs_ops csrowfs_ops = {
30538 .show = csrowdev_show,
30539 .store = csrowdev_store
30540 };
30541 @@ -575,7 +575,7 @@ static ssize_t mcidev_store(struct kobje
30542 }
30543
30544 /* Intermediate show/store table */
30545 -static struct sysfs_ops mci_ops = {
30546 +static const struct sysfs_ops mci_ops = {
30547 .show = mcidev_show,
30548 .store = mcidev_store
30549 };
30550 diff -urNp linux-2.6.32.49/drivers/edac/edac_pci_sysfs.c linux-2.6.32.49/drivers/edac/edac_pci_sysfs.c
30551 --- linux-2.6.32.49/drivers/edac/edac_pci_sysfs.c 2011-11-08 19:02:43.000000000 -0500
30552 +++ linux-2.6.32.49/drivers/edac/edac_pci_sysfs.c 2011-11-15 19:59:43.000000000 -0500
30553 @@ -25,8 +25,8 @@ static int edac_pci_log_pe = 1; /* log
30554 static int edac_pci_log_npe = 1; /* log PCI non-parity error errors */
30555 static int edac_pci_poll_msec = 1000; /* one second workq period */
30556
30557 -static atomic_t pci_parity_count = ATOMIC_INIT(0);
30558 -static atomic_t pci_nonparity_count = ATOMIC_INIT(0);
30559 +static atomic_unchecked_t pci_parity_count = ATOMIC_INIT(0);
30560 +static atomic_unchecked_t pci_nonparity_count = ATOMIC_INIT(0);
30561
30562 static struct kobject *edac_pci_top_main_kobj;
30563 static atomic_t edac_pci_sysfs_refcount = ATOMIC_INIT(0);
30564 @@ -121,7 +121,7 @@ static ssize_t edac_pci_instance_store(s
30565 }
30566
30567 /* fs_ops table */
30568 -static struct sysfs_ops pci_instance_ops = {
30569 +static const struct sysfs_ops pci_instance_ops = {
30570 .show = edac_pci_instance_show,
30571 .store = edac_pci_instance_store
30572 };
30573 @@ -261,7 +261,7 @@ static ssize_t edac_pci_dev_store(struct
30574 return -EIO;
30575 }
30576
30577 -static struct sysfs_ops edac_pci_sysfs_ops = {
30578 +static const struct sysfs_ops edac_pci_sysfs_ops = {
30579 .show = edac_pci_dev_show,
30580 .store = edac_pci_dev_store
30581 };
30582 @@ -579,7 +579,7 @@ static void edac_pci_dev_parity_test(str
30583 edac_printk(KERN_CRIT, EDAC_PCI,
30584 "Signaled System Error on %s\n",
30585 pci_name(dev));
30586 - atomic_inc(&pci_nonparity_count);
30587 + atomic_inc_unchecked(&pci_nonparity_count);
30588 }
30589
30590 if (status & (PCI_STATUS_PARITY)) {
30591 @@ -587,7 +587,7 @@ static void edac_pci_dev_parity_test(str
30592 "Master Data Parity Error on %s\n",
30593 pci_name(dev));
30594
30595 - atomic_inc(&pci_parity_count);
30596 + atomic_inc_unchecked(&pci_parity_count);
30597 }
30598
30599 if (status & (PCI_STATUS_DETECTED_PARITY)) {
30600 @@ -595,7 +595,7 @@ static void edac_pci_dev_parity_test(str
30601 "Detected Parity Error on %s\n",
30602 pci_name(dev));
30603
30604 - atomic_inc(&pci_parity_count);
30605 + atomic_inc_unchecked(&pci_parity_count);
30606 }
30607 }
30608
30609 @@ -616,7 +616,7 @@ static void edac_pci_dev_parity_test(str
30610 edac_printk(KERN_CRIT, EDAC_PCI, "Bridge "
30611 "Signaled System Error on %s\n",
30612 pci_name(dev));
30613 - atomic_inc(&pci_nonparity_count);
30614 + atomic_inc_unchecked(&pci_nonparity_count);
30615 }
30616
30617 if (status & (PCI_STATUS_PARITY)) {
30618 @@ -624,7 +624,7 @@ static void edac_pci_dev_parity_test(str
30619 "Master Data Parity Error on "
30620 "%s\n", pci_name(dev));
30621
30622 - atomic_inc(&pci_parity_count);
30623 + atomic_inc_unchecked(&pci_parity_count);
30624 }
30625
30626 if (status & (PCI_STATUS_DETECTED_PARITY)) {
30627 @@ -632,7 +632,7 @@ static void edac_pci_dev_parity_test(str
30628 "Detected Parity Error on %s\n",
30629 pci_name(dev));
30630
30631 - atomic_inc(&pci_parity_count);
30632 + atomic_inc_unchecked(&pci_parity_count);
30633 }
30634 }
30635 }
30636 @@ -674,7 +674,7 @@ void edac_pci_do_parity_check(void)
30637 if (!check_pci_errors)
30638 return;
30639
30640 - before_count = atomic_read(&pci_parity_count);
30641 + before_count = atomic_read_unchecked(&pci_parity_count);
30642
30643 /* scan all PCI devices looking for a Parity Error on devices and
30644 * bridges.
30645 @@ -686,7 +686,7 @@ void edac_pci_do_parity_check(void)
30646 /* Only if operator has selected panic on PCI Error */
30647 if (edac_pci_get_panic_on_pe()) {
30648 /* If the count is different 'after' from 'before' */
30649 - if (before_count != atomic_read(&pci_parity_count))
30650 + if (before_count != atomic_read_unchecked(&pci_parity_count))
30651 panic("EDAC: PCI Parity Error");
30652 }
30653 }
30654 diff -urNp linux-2.6.32.49/drivers/edac/i3000_edac.c linux-2.6.32.49/drivers/edac/i3000_edac.c
30655 --- linux-2.6.32.49/drivers/edac/i3000_edac.c 2011-11-08 19:02:43.000000000 -0500
30656 +++ linux-2.6.32.49/drivers/edac/i3000_edac.c 2011-11-18 18:01:55.000000000 -0500
30657 @@ -471,7 +471,7 @@ static void __devexit i3000_remove_one(s
30658 edac_mc_free(mci);
30659 }
30660
30661 -static const struct pci_device_id i3000_pci_tbl[] __devinitdata = {
30662 +static const struct pci_device_id i3000_pci_tbl[] __devinitconst = {
30663 {
30664 PCI_VEND_DEV(INTEL, 3000_HB), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
30665 I3000},
30666 diff -urNp linux-2.6.32.49/drivers/edac/i3200_edac.c linux-2.6.32.49/drivers/edac/i3200_edac.c
30667 --- linux-2.6.32.49/drivers/edac/i3200_edac.c 2011-11-08 19:02:43.000000000 -0500
30668 +++ linux-2.6.32.49/drivers/edac/i3200_edac.c 2011-11-18 18:01:55.000000000 -0500
30669 @@ -444,7 +444,7 @@ static void __devexit i3200_remove_one(s
30670 edac_mc_free(mci);
30671 }
30672
30673 -static const struct pci_device_id i3200_pci_tbl[] __devinitdata = {
30674 +static const struct pci_device_id i3200_pci_tbl[] __devinitconst = {
30675 {
30676 PCI_VEND_DEV(INTEL, 3200_HB), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
30677 I3200},
30678 diff -urNp linux-2.6.32.49/drivers/edac/i5000_edac.c linux-2.6.32.49/drivers/edac/i5000_edac.c
30679 --- linux-2.6.32.49/drivers/edac/i5000_edac.c 2011-11-08 19:02:43.000000000 -0500
30680 +++ linux-2.6.32.49/drivers/edac/i5000_edac.c 2011-11-18 18:01:55.000000000 -0500
30681 @@ -1516,7 +1516,7 @@ static void __devexit i5000_remove_one(s
30682 *
30683 * The "E500P" device is the first device supported.
30684 */
30685 -static const struct pci_device_id i5000_pci_tbl[] __devinitdata = {
30686 +static const struct pci_device_id i5000_pci_tbl[] __devinitconst = {
30687 {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_I5000_DEV16),
30688 .driver_data = I5000P},
30689
30690 diff -urNp linux-2.6.32.49/drivers/edac/i5100_edac.c linux-2.6.32.49/drivers/edac/i5100_edac.c
30691 --- linux-2.6.32.49/drivers/edac/i5100_edac.c 2011-11-08 19:02:43.000000000 -0500
30692 +++ linux-2.6.32.49/drivers/edac/i5100_edac.c 2011-11-18 18:01:55.000000000 -0500
30693 @@ -944,7 +944,7 @@ static void __devexit i5100_remove_one(s
30694 edac_mc_free(mci);
30695 }
30696
30697 -static const struct pci_device_id i5100_pci_tbl[] __devinitdata = {
30698 +static const struct pci_device_id i5100_pci_tbl[] __devinitconst = {
30699 /* Device 16, Function 0, Channel 0 Memory Map, Error Flag/Mask, ... */
30700 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_5100_16) },
30701 { 0, }
30702 diff -urNp linux-2.6.32.49/drivers/edac/i5400_edac.c linux-2.6.32.49/drivers/edac/i5400_edac.c
30703 --- linux-2.6.32.49/drivers/edac/i5400_edac.c 2011-11-08 19:02:43.000000000 -0500
30704 +++ linux-2.6.32.49/drivers/edac/i5400_edac.c 2011-11-18 18:01:55.000000000 -0500
30705 @@ -1383,7 +1383,7 @@ static void __devexit i5400_remove_one(s
30706 *
30707 * The "E500P" device is the first device supported.
30708 */
30709 -static const struct pci_device_id i5400_pci_tbl[] __devinitdata = {
30710 +static const struct pci_device_id i5400_pci_tbl[] __devinitconst = {
30711 {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_5400_ERR)},
30712 {0,} /* 0 terminated list. */
30713 };
30714 diff -urNp linux-2.6.32.49/drivers/edac/i82443bxgx_edac.c linux-2.6.32.49/drivers/edac/i82443bxgx_edac.c
30715 --- linux-2.6.32.49/drivers/edac/i82443bxgx_edac.c 2011-11-08 19:02:43.000000000 -0500
30716 +++ linux-2.6.32.49/drivers/edac/i82443bxgx_edac.c 2011-11-18 18:01:55.000000000 -0500
30717 @@ -381,7 +381,7 @@ static void __devexit i82443bxgx_edacmc_
30718
30719 EXPORT_SYMBOL_GPL(i82443bxgx_edacmc_remove_one);
30720
30721 -static const struct pci_device_id i82443bxgx_pci_tbl[] __devinitdata = {
30722 +static const struct pci_device_id i82443bxgx_pci_tbl[] __devinitconst = {
30723 {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443BX_0)},
30724 {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443BX_2)},
30725 {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_0)},
30726 diff -urNp linux-2.6.32.49/drivers/edac/i82860_edac.c linux-2.6.32.49/drivers/edac/i82860_edac.c
30727 --- linux-2.6.32.49/drivers/edac/i82860_edac.c 2011-11-08 19:02:43.000000000 -0500
30728 +++ linux-2.6.32.49/drivers/edac/i82860_edac.c 2011-11-18 18:01:55.000000000 -0500
30729 @@ -271,7 +271,7 @@ static void __devexit i82860_remove_one(
30730 edac_mc_free(mci);
30731 }
30732
30733 -static const struct pci_device_id i82860_pci_tbl[] __devinitdata = {
30734 +static const struct pci_device_id i82860_pci_tbl[] __devinitconst = {
30735 {
30736 PCI_VEND_DEV(INTEL, 82860_0), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
30737 I82860},
30738 diff -urNp linux-2.6.32.49/drivers/edac/i82875p_edac.c linux-2.6.32.49/drivers/edac/i82875p_edac.c
30739 --- linux-2.6.32.49/drivers/edac/i82875p_edac.c 2011-11-08 19:02:43.000000000 -0500
30740 +++ linux-2.6.32.49/drivers/edac/i82875p_edac.c 2011-11-18 18:01:55.000000000 -0500
30741 @@ -512,7 +512,7 @@ static void __devexit i82875p_remove_one
30742 edac_mc_free(mci);
30743 }
30744
30745 -static const struct pci_device_id i82875p_pci_tbl[] __devinitdata = {
30746 +static const struct pci_device_id i82875p_pci_tbl[] __devinitconst = {
30747 {
30748 PCI_VEND_DEV(INTEL, 82875_0), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
30749 I82875P},
30750 diff -urNp linux-2.6.32.49/drivers/edac/i82975x_edac.c linux-2.6.32.49/drivers/edac/i82975x_edac.c
30751 --- linux-2.6.32.49/drivers/edac/i82975x_edac.c 2011-11-08 19:02:43.000000000 -0500
30752 +++ linux-2.6.32.49/drivers/edac/i82975x_edac.c 2011-11-18 18:01:55.000000000 -0500
30753 @@ -586,7 +586,7 @@ static void __devexit i82975x_remove_one
30754 edac_mc_free(mci);
30755 }
30756
30757 -static const struct pci_device_id i82975x_pci_tbl[] __devinitdata = {
30758 +static const struct pci_device_id i82975x_pci_tbl[] __devinitconst = {
30759 {
30760 PCI_VEND_DEV(INTEL, 82975_0), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
30761 I82975X
30762 diff -urNp linux-2.6.32.49/drivers/edac/r82600_edac.c linux-2.6.32.49/drivers/edac/r82600_edac.c
30763 --- linux-2.6.32.49/drivers/edac/r82600_edac.c 2011-11-08 19:02:43.000000000 -0500
30764 +++ linux-2.6.32.49/drivers/edac/r82600_edac.c 2011-11-18 18:01:55.000000000 -0500
30765 @@ -374,7 +374,7 @@ static void __devexit r82600_remove_one(
30766 edac_mc_free(mci);
30767 }
30768
30769 -static const struct pci_device_id r82600_pci_tbl[] __devinitdata = {
30770 +static const struct pci_device_id r82600_pci_tbl[] __devinitconst = {
30771 {
30772 PCI_DEVICE(PCI_VENDOR_ID_RADISYS, R82600_BRIDGE_ID)
30773 },
30774 diff -urNp linux-2.6.32.49/drivers/edac/x38_edac.c linux-2.6.32.49/drivers/edac/x38_edac.c
30775 --- linux-2.6.32.49/drivers/edac/x38_edac.c 2011-11-08 19:02:43.000000000 -0500
30776 +++ linux-2.6.32.49/drivers/edac/x38_edac.c 2011-11-18 18:01:55.000000000 -0500
30777 @@ -441,7 +441,7 @@ static void __devexit x38_remove_one(str
30778 edac_mc_free(mci);
30779 }
30780
30781 -static const struct pci_device_id x38_pci_tbl[] __devinitdata = {
30782 +static const struct pci_device_id x38_pci_tbl[] __devinitconst = {
30783 {
30784 PCI_VEND_DEV(INTEL, X38_HB), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
30785 X38},
30786 diff -urNp linux-2.6.32.49/drivers/firewire/core-card.c linux-2.6.32.49/drivers/firewire/core-card.c
30787 --- linux-2.6.32.49/drivers/firewire/core-card.c 2011-11-08 19:02:43.000000000 -0500
30788 +++ linux-2.6.32.49/drivers/firewire/core-card.c 2011-11-15 19:59:43.000000000 -0500
30789 @@ -558,7 +558,7 @@ void fw_card_release(struct kref *kref)
30790
30791 void fw_core_remove_card(struct fw_card *card)
30792 {
30793 - struct fw_card_driver dummy_driver = dummy_driver_template;
30794 + fw_card_driver_no_const dummy_driver = dummy_driver_template;
30795
30796 card->driver->update_phy_reg(card, 4,
30797 PHY_LINK_ACTIVE | PHY_CONTENDER, 0);
30798 diff -urNp linux-2.6.32.49/drivers/firewire/core-cdev.c linux-2.6.32.49/drivers/firewire/core-cdev.c
30799 --- linux-2.6.32.49/drivers/firewire/core-cdev.c 2011-11-08 19:02:43.000000000 -0500
30800 +++ linux-2.6.32.49/drivers/firewire/core-cdev.c 2011-11-15 19:59:43.000000000 -0500
30801 @@ -1141,8 +1141,7 @@ static int init_iso_resource(struct clie
30802 int ret;
30803
30804 if ((request->channels == 0 && request->bandwidth == 0) ||
30805 - request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL ||
30806 - request->bandwidth < 0)
30807 + request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL)
30808 return -EINVAL;
30809
30810 r = kmalloc(sizeof(*r), GFP_KERNEL);
30811 diff -urNp linux-2.6.32.49/drivers/firewire/core.h linux-2.6.32.49/drivers/firewire/core.h
30812 --- linux-2.6.32.49/drivers/firewire/core.h 2011-11-08 19:02:43.000000000 -0500
30813 +++ linux-2.6.32.49/drivers/firewire/core.h 2011-11-15 19:59:43.000000000 -0500
30814 @@ -86,6 +86,7 @@ struct fw_card_driver {
30815
30816 int (*stop_iso)(struct fw_iso_context *ctx);
30817 };
30818 +typedef struct fw_card_driver __no_const fw_card_driver_no_const;
30819
30820 void fw_card_initialize(struct fw_card *card,
30821 const struct fw_card_driver *driver, struct device *device);
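Review bot: The new `fw_card_driver_no_const` typedef carries no comment saying why a writable variant of this ops structure is needed, while other hunks in this patch make ops tables `const`. The only user visible here is the stack copy `dummy_driver` in fw_core_remove_card() (core-card.c hunk above), so a line such as `/* writable variant: fw_core_remove_card() builds its dummy driver as a stack copy */` above the typedef would record the reason. What that function does with the copy lies outside the hunk, so the wording should be confirmed against the full body.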
30822 diff -urNp linux-2.6.32.49/drivers/firewire/core-transaction.c linux-2.6.32.49/drivers/firewire/core-transaction.c
30823 --- linux-2.6.32.49/drivers/firewire/core-transaction.c 2011-11-08 19:02:43.000000000 -0500
30824 +++ linux-2.6.32.49/drivers/firewire/core-transaction.c 2011-11-15 19:59:43.000000000 -0500
30825 @@ -36,6 +36,7 @@
30826 #include <linux/string.h>
30827 #include <linux/timer.h>
30828 #include <linux/types.h>
30829 +#include <linux/sched.h>
30830
30831 #include <asm/byteorder.h>
30832
30833 @@ -344,6 +345,8 @@ int fw_run_transaction(struct fw_card *c
30834 struct transaction_callback_data d;
30835 struct fw_transaction t;
30836
30837 + pax_track_stack();
30838 +
30839 init_completion(&d.done);
30840 d.payload = payload;
30841 fw_send_request(card, &t, tcode, destination_id, generation, speed,
30842 diff -urNp linux-2.6.32.49/drivers/firmware/dmi_scan.c linux-2.6.32.49/drivers/firmware/dmi_scan.c
30843 --- linux-2.6.32.49/drivers/firmware/dmi_scan.c 2011-11-08 19:02:43.000000000 -0500
30844 +++ linux-2.6.32.49/drivers/firmware/dmi_scan.c 2011-11-15 19:59:43.000000000 -0500
30845 @@ -391,11 +391,6 @@ void __init dmi_scan_machine(void)
30846 }
30847 }
30848 else {
30849 - /*
30850 - * no iounmap() for that ioremap(); it would be a no-op, but
30851 - * it's so early in setup that sucker gets confused into doing
30852 - * what it shouldn't if we actually call it.
30853 - */
30854 p = dmi_ioremap(0xF0000, 0x10000);
30855 if (p == NULL)
30856 goto error;
30857 @@ -667,7 +662,7 @@ int dmi_walk(void (*decode)(const struct
30858 if (buf == NULL)
30859 return -1;
30860
30861 - dmi_table(buf, dmi_len, dmi_num, decode, private_data);
30862 + dmi_table((char __force_kernel *)buf, dmi_len, dmi_num, decode, private_data);
30863
30864 iounmap(buf);
30865 return 0;
30866 diff -urNp linux-2.6.32.49/drivers/firmware/edd.c linux-2.6.32.49/drivers/firmware/edd.c
30867 --- linux-2.6.32.49/drivers/firmware/edd.c 2011-11-08 19:02:43.000000000 -0500
30868 +++ linux-2.6.32.49/drivers/firmware/edd.c 2011-11-15 19:59:43.000000000 -0500
30869 @@ -122,7 +122,7 @@ edd_attr_show(struct kobject * kobj, str
30870 return ret;
30871 }
30872
30873 -static struct sysfs_ops edd_attr_ops = {
30874 +static const struct sysfs_ops edd_attr_ops = {
30875 .show = edd_attr_show,
30876 };
30877
30878 diff -urNp linux-2.6.32.49/drivers/firmware/efivars.c linux-2.6.32.49/drivers/firmware/efivars.c
30879 --- linux-2.6.32.49/drivers/firmware/efivars.c 2011-11-08 19:02:43.000000000 -0500
30880 +++ linux-2.6.32.49/drivers/firmware/efivars.c 2011-11-15 19:59:43.000000000 -0500
30881 @@ -362,7 +362,7 @@ static ssize_t efivar_attr_store(struct
30882 return ret;
30883 }
30884
30885 -static struct sysfs_ops efivar_attr_ops = {
30886 +static const struct sysfs_ops efivar_attr_ops = {
30887 .show = efivar_attr_show,
30888 .store = efivar_attr_store,
30889 };
30890 diff -urNp linux-2.6.32.49/drivers/firmware/iscsi_ibft.c linux-2.6.32.49/drivers/firmware/iscsi_ibft.c
30891 --- linux-2.6.32.49/drivers/firmware/iscsi_ibft.c 2011-11-08 19:02:43.000000000 -0500
30892 +++ linux-2.6.32.49/drivers/firmware/iscsi_ibft.c 2011-11-15 19:59:43.000000000 -0500
30893 @@ -525,7 +525,7 @@ static ssize_t ibft_show_attribute(struc
30894 return ret;
30895 }
30896
30897 -static struct sysfs_ops ibft_attr_ops = {
30898 +static const struct sysfs_ops ibft_attr_ops = {
30899 .show = ibft_show_attribute,
30900 };
30901
30902 diff -urNp linux-2.6.32.49/drivers/firmware/memmap.c linux-2.6.32.49/drivers/firmware/memmap.c
30903 --- linux-2.6.32.49/drivers/firmware/memmap.c 2011-11-08 19:02:43.000000000 -0500
30904 +++ linux-2.6.32.49/drivers/firmware/memmap.c 2011-11-15 19:59:43.000000000 -0500
30905 @@ -74,7 +74,7 @@ static struct attribute *def_attrs[] = {
30906 NULL
30907 };
30908
30909 -static struct sysfs_ops memmap_attr_ops = {
30910 +static const struct sysfs_ops memmap_attr_ops = {
30911 .show = memmap_attr_show,
30912 };
30913
30914 diff -urNp linux-2.6.32.49/drivers/gpio/vr41xx_giu.c linux-2.6.32.49/drivers/gpio/vr41xx_giu.c
30915 --- linux-2.6.32.49/drivers/gpio/vr41xx_giu.c 2011-11-08 19:02:43.000000000 -0500
30916 +++ linux-2.6.32.49/drivers/gpio/vr41xx_giu.c 2011-11-15 19:59:43.000000000 -0500
30917 @@ -204,7 +204,7 @@ static int giu_get_irq(unsigned int irq)
30918 printk(KERN_ERR "spurious GIU interrupt: %04x(%04x),%04x(%04x)\n",
30919 maskl, pendl, maskh, pendh);
30920
30921 - atomic_inc(&irq_err_count);
30922 + atomic_inc_unchecked(&irq_err_count);
30923
30924 return -EINVAL;
30925 }
30926 diff -urNp linux-2.6.32.49/drivers/gpu/drm/drm_crtc.c linux-2.6.32.49/drivers/gpu/drm/drm_crtc.c
30927 --- linux-2.6.32.49/drivers/gpu/drm/drm_crtc.c 2011-11-08 19:02:43.000000000 -0500
30928 +++ linux-2.6.32.49/drivers/gpu/drm/drm_crtc.c 2011-11-15 19:59:43.000000000 -0500
30929 @@ -1323,7 +1323,7 @@ int drm_mode_getconnector(struct drm_dev
30930 */
30931 if ((out_resp->count_modes >= mode_count) && mode_count) {
30932 copied = 0;
30933 - mode_ptr = (struct drm_mode_modeinfo *)(unsigned long)out_resp->modes_ptr;
30934 + mode_ptr = (struct drm_mode_modeinfo __user *)(unsigned long)out_resp->modes_ptr;
30935 list_for_each_entry(mode, &connector->modes, head) {
30936 drm_crtc_convert_to_umode(&u_mode, mode);
30937 if (copy_to_user(mode_ptr + copied,
30938 @@ -1338,8 +1338,8 @@ int drm_mode_getconnector(struct drm_dev
30939
30940 if ((out_resp->count_props >= props_count) && props_count) {
30941 copied = 0;
30942 - prop_ptr = (uint32_t *)(unsigned long)(out_resp->props_ptr);
30943 - prop_values = (uint64_t *)(unsigned long)(out_resp->prop_values_ptr);
30944 + prop_ptr = (uint32_t __user *)(unsigned long)(out_resp->props_ptr);
30945 + prop_values = (uint64_t __user *)(unsigned long)(out_resp->prop_values_ptr);
30946 for (i = 0; i < DRM_CONNECTOR_MAX_PROPERTY; i++) {
30947 if (connector->property_ids[i] != 0) {
30948 if (put_user(connector->property_ids[i],
30949 @@ -1361,7 +1361,7 @@ int drm_mode_getconnector(struct drm_dev
30950
30951 if ((out_resp->count_encoders >= encoders_count) && encoders_count) {
30952 copied = 0;
30953 - encoder_ptr = (uint32_t *)(unsigned long)(out_resp->encoders_ptr);
30954 + encoder_ptr = (uint32_t __user *)(unsigned long)(out_resp->encoders_ptr);
30955 for (i = 0; i < DRM_CONNECTOR_MAX_ENCODER; i++) {
30956 if (connector->encoder_ids[i] != 0) {
30957 if (put_user(connector->encoder_ids[i],
30958 @@ -1513,7 +1513,7 @@ int drm_mode_setcrtc(struct drm_device *
30959 }
30960
30961 for (i = 0; i < crtc_req->count_connectors; i++) {
30962 - set_connectors_ptr = (uint32_t *)(unsigned long)crtc_req->set_connectors_ptr;
30963 + set_connectors_ptr = (uint32_t __user *)(unsigned long)crtc_req->set_connectors_ptr;
30964 if (get_user(out_id, &set_connectors_ptr[i])) {
30965 ret = -EFAULT;
30966 goto out;
30967 @@ -2118,7 +2118,7 @@ int drm_mode_getproperty_ioctl(struct dr
30968 out_resp->flags = property->flags;
30969
30970 if ((out_resp->count_values >= value_count) && value_count) {
30971 - values_ptr = (uint64_t *)(unsigned long)out_resp->values_ptr;
30972 + values_ptr = (uint64_t __user *)(unsigned long)out_resp->values_ptr;
30973 for (i = 0; i < value_count; i++) {
30974 if (copy_to_user(values_ptr + i, &property->values[i], sizeof(uint64_t))) {
30975 ret = -EFAULT;
30976 @@ -2131,7 +2131,7 @@ int drm_mode_getproperty_ioctl(struct dr
30977 if (property->flags & DRM_MODE_PROP_ENUM) {
30978 if ((out_resp->count_enum_blobs >= enum_count) && enum_count) {
30979 copied = 0;
30980 - enum_ptr = (struct drm_mode_property_enum *)(unsigned long)out_resp->enum_blob_ptr;
30981 + enum_ptr = (struct drm_mode_property_enum __user *)(unsigned long)out_resp->enum_blob_ptr;
30982 list_for_each_entry(prop_enum, &property->enum_blob_list, head) {
30983
30984 if (copy_to_user(&enum_ptr[copied].value, &prop_enum->value, sizeof(uint64_t))) {
30985 @@ -2154,7 +2154,7 @@ int drm_mode_getproperty_ioctl(struct dr
30986 if ((out_resp->count_enum_blobs >= blob_count) && blob_count) {
30987 copied = 0;
30988 blob_id_ptr = (uint32_t *)(unsigned long)out_resp->enum_blob_ptr;
30989 - blob_length_ptr = (uint32_t *)(unsigned long)out_resp->values_ptr;
30990 + blob_length_ptr = (uint32_t __user *)(unsigned long)out_resp->values_ptr;
30991
30992 list_for_each_entry(prop_blob, &property->enum_blob_list, head) {
30993 if (put_user(prop_blob->base.id, blob_id_ptr + copied)) {
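Review bot: `blob_id_ptr` is still cast without `__user` on the context line directly above the newly annotated `blob_length_ptr`, although it is handed to `put_user()` two lines later in this hunk. For the address-space annotation to cover both user pointers, that line should read `blob_id_ptr = (uint32_t __user *)(unsigned long)out_resp->enum_blob_ptr;`. The declarations of both variables are outside the hunk, so whether they already carry `__user` cannot be checked from here.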
30994 @@ -2226,7 +2226,7 @@ int drm_mode_getblob_ioctl(struct drm_de
30995 blob = obj_to_blob(obj);
30996
30997 if (out_resp->length == blob->length) {
30998 - blob_ptr = (void *)(unsigned long)out_resp->data;
30999 + blob_ptr = (void __user *)(unsigned long)out_resp->data;
31000 if (copy_to_user(blob_ptr, blob->data, blob->length)){
31001 ret = -EFAULT;
31002 goto done;
31003 diff -urNp linux-2.6.32.49/drivers/gpu/drm/drm_crtc_helper.c linux-2.6.32.49/drivers/gpu/drm/drm_crtc_helper.c
31004 --- linux-2.6.32.49/drivers/gpu/drm/drm_crtc_helper.c 2011-11-08 19:02:43.000000000 -0500
31005 +++ linux-2.6.32.49/drivers/gpu/drm/drm_crtc_helper.c 2011-11-15 19:59:43.000000000 -0500
31006 @@ -573,7 +573,7 @@ static bool drm_encoder_crtc_ok(struct d
31007 struct drm_crtc *tmp;
31008 int crtc_mask = 1;
31009
31010 - WARN(!crtc, "checking null crtc?");
31011 + BUG_ON(!crtc);
31012
31013 dev = crtc->dev;
31014
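Review bot: `BUG_ON(!crtc)` does guard the `dev = crtc->dev;` dereference on the next line, but it turns a condition the old code only warned about into a fatal stop. Because drm_encoder_crtc_ok() returns bool, `if (WARN_ON(!crtc)) return false;` would avoid the NULL dereference without the hard stop, provided callers treat false as "not usable". The callers are not visible in this hunk. If the fatal behaviour is deliberate, a short comment next to the BUG_ON saying so would help the next reader.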
31015 @@ -642,6 +642,8 @@ bool drm_crtc_helper_set_mode(struct drm
31016
31017 adjusted_mode = drm_mode_duplicate(dev, mode);
31018
31019 + pax_track_stack();
31020 +
31021 crtc->enabled = drm_helper_crtc_in_use(crtc);
31022
31023 if (!crtc->enabled)
31024 diff -urNp linux-2.6.32.49/drivers/gpu/drm/drm_drv.c linux-2.6.32.49/drivers/gpu/drm/drm_drv.c
31025 --- linux-2.6.32.49/drivers/gpu/drm/drm_drv.c 2011-11-08 19:02:43.000000000 -0500
31026 +++ linux-2.6.32.49/drivers/gpu/drm/drm_drv.c 2011-11-15 19:59:43.000000000 -0500
31027 @@ -417,7 +417,7 @@ int drm_ioctl(struct inode *inode, struc
31028 char *kdata = NULL;
31029
31030 atomic_inc(&dev->ioctl_count);
31031 - atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
31032 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
31033 ++file_priv->ioctl_count;
31034
31035 DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
31036 diff -urNp linux-2.6.32.49/drivers/gpu/drm/drm_fops.c linux-2.6.32.49/drivers/gpu/drm/drm_fops.c
31037 --- linux-2.6.32.49/drivers/gpu/drm/drm_fops.c 2011-11-08 19:02:43.000000000 -0500
31038 +++ linux-2.6.32.49/drivers/gpu/drm/drm_fops.c 2011-11-15 19:59:43.000000000 -0500
31039 @@ -66,7 +66,7 @@ static int drm_setup(struct drm_device *
31040 }
31041
31042 for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
31043 - atomic_set(&dev->counts[i], 0);
31044 + atomic_set_unchecked(&dev->counts[i], 0);
31045
31046 dev->sigdata.lock = NULL;
31047
31048 @@ -130,9 +130,9 @@ int drm_open(struct inode *inode, struct
31049
31050 retcode = drm_open_helper(inode, filp, dev);
31051 if (!retcode) {
31052 - atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
31053 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
31054 spin_lock(&dev->count_lock);
31055 - if (!dev->open_count++) {
31056 + if (local_inc_return(&dev->open_count) == 1) {
31057 spin_unlock(&dev->count_lock);
31058 retcode = drm_setup(dev);
31059 goto out;
31060 @@ -435,7 +435,7 @@ int drm_release(struct inode *inode, str
31061
31062 lock_kernel();
31063
31064 - DRM_DEBUG("open_count = %d\n", dev->open_count);
31065 + DRM_DEBUG("open_count = %d\n", local_read(&dev->open_count));
31066
31067 if (dev->driver->preclose)
31068 dev->driver->preclose(dev, file_priv);
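Review bot: `local_read()` is passed to a `%d` conversion here, but where local_t wraps an atomic_long_t (as the asm-generic definition does) it evaluates to a long, so format and argument no longer match. The call should be `DRM_DEBUG("open_count = %ld\n", local_read(&dev->open_count));`, and the trailing `open_count = %d` in the DRM_DEBUG of the next hunk (-447) needs the same change. This assumes `dev->open_count` is now a local_t; the header change that would confirm it is outside this view.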
31069 @@ -447,7 +447,7 @@ int drm_release(struct inode *inode, str
31070 DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
31071 task_pid_nr(current),
31072 (long)old_encode_dev(file_priv->minor->device),
31073 - dev->open_count);
31074 + local_read(&dev->open_count));
31075
31076 /* if the master has gone away we can't do anything with the lock */
31077 if (file_priv->minor->master)
31078 @@ -524,9 +524,9 @@ int drm_release(struct inode *inode, str
31079 * End inline drm_release
31080 */
31081
31082 - atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
31083 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
31084 spin_lock(&dev->count_lock);
31085 - if (!--dev->open_count) {
31086 + if (local_dec_and_test(&dev->open_count)) {
31087 if (atomic_read(&dev->ioctl_count)) {
31088 DRM_ERROR("Device busy: %d\n",
31089 atomic_read(&dev->ioctl_count));
31090 diff -urNp linux-2.6.32.49/drivers/gpu/drm/drm_gem.c linux-2.6.32.49/drivers/gpu/drm/drm_gem.c
31091 --- linux-2.6.32.49/drivers/gpu/drm/drm_gem.c 2011-11-08 19:02:43.000000000 -0500
31092 +++ linux-2.6.32.49/drivers/gpu/drm/drm_gem.c 2011-11-15 19:59:43.000000000 -0500
31093 @@ -83,11 +83,11 @@ drm_gem_init(struct drm_device *dev)
31094 spin_lock_init(&dev->object_name_lock);
31095 idr_init(&dev->object_name_idr);
31096 atomic_set(&dev->object_count, 0);
31097 - atomic_set(&dev->object_memory, 0);
31098 + atomic_set_unchecked(&dev->object_memory, 0);
31099 atomic_set(&dev->pin_count, 0);
31100 - atomic_set(&dev->pin_memory, 0);
31101 + atomic_set_unchecked(&dev->pin_memory, 0);
31102 atomic_set(&dev->gtt_count, 0);
31103 - atomic_set(&dev->gtt_memory, 0);
31104 + atomic_set_unchecked(&dev->gtt_memory, 0);
31105
31106 mm = kzalloc(sizeof(struct drm_gem_mm), GFP_KERNEL);
31107 if (!mm) {
31108 @@ -150,7 +150,7 @@ drm_gem_object_alloc(struct drm_device *
31109 goto fput;
31110 }
31111 atomic_inc(&dev->object_count);
31112 - atomic_add(obj->size, &dev->object_memory);
31113 + atomic_add_unchecked(obj->size, &dev->object_memory);
31114 return obj;
31115 fput:
31116 fput(obj->filp);
31117 @@ -429,7 +429,7 @@ drm_gem_object_free(struct kref *kref)
31118
31119 fput(obj->filp);
31120 atomic_dec(&dev->object_count);
31121 - atomic_sub(obj->size, &dev->object_memory);
31122 + atomic_sub_unchecked(obj->size, &dev->object_memory);
31123 kfree(obj);
31124 }
31125 EXPORT_SYMBOL(drm_gem_object_free);
31126 diff -urNp linux-2.6.32.49/drivers/gpu/drm/drm_info.c linux-2.6.32.49/drivers/gpu/drm/drm_info.c
31127 --- linux-2.6.32.49/drivers/gpu/drm/drm_info.c 2011-11-08 19:02:43.000000000 -0500
31128 +++ linux-2.6.32.49/drivers/gpu/drm/drm_info.c 2011-11-15 19:59:43.000000000 -0500
31129 @@ -75,10 +75,14 @@ int drm_vm_info(struct seq_file *m, void
31130 struct drm_local_map *map;
31131 struct drm_map_list *r_list;
31132
31133 - /* Hardcoded from _DRM_FRAME_BUFFER,
31134 - _DRM_REGISTERS, _DRM_SHM, _DRM_AGP, and
31135 - _DRM_SCATTER_GATHER and _DRM_CONSISTENT */
31136 - const char *types[] = { "FB", "REG", "SHM", "AGP", "SG", "PCI" };
31137 + static const char * const types[] = {
31138 + [_DRM_FRAME_BUFFER] = "FB",
31139 + [_DRM_REGISTERS] = "REG",
31140 + [_DRM_SHM] = "SHM",
31141 + [_DRM_AGP] = "AGP",
31142 + [_DRM_SCATTER_GATHER] = "SG",
31143 + [_DRM_CONSISTENT] = "PCI",
31144 + [_DRM_GEM] = "GEM" };
31145 const char *type;
31146 int i;
31147
31148 @@ -89,7 +93,7 @@ int drm_vm_info(struct seq_file *m, void
31149 map = r_list->map;
31150 if (!map)
31151 continue;
31152 - if (map->type < 0 || map->type > 5)
31153 + if (map->type >= ARRAY_SIZE(types))
31154 type = "??";
31155 else
31156 type = types[map->type];
31157 @@ -265,10 +269,10 @@ int drm_gem_object_info(struct seq_file
31158 struct drm_device *dev = node->minor->dev;
31159
31160 seq_printf(m, "%d objects\n", atomic_read(&dev->object_count));
31161 - seq_printf(m, "%d object bytes\n", atomic_read(&dev->object_memory));
31162 + seq_printf(m, "%d object bytes\n", atomic_read_unchecked(&dev->object_memory));
31163 seq_printf(m, "%d pinned\n", atomic_read(&dev->pin_count));
31164 - seq_printf(m, "%d pin bytes\n", atomic_read(&dev->pin_memory));
31165 - seq_printf(m, "%d gtt bytes\n", atomic_read(&dev->gtt_memory));
31166 + seq_printf(m, "%d pin bytes\n", atomic_read_unchecked(&dev->pin_memory));
31167 + seq_printf(m, "%d gtt bytes\n", atomic_read_unchecked(&dev->gtt_memory));
31168 seq_printf(m, "%d gtt total\n", dev->gtt_total);
31169 return 0;
31170 }
31171 @@ -288,7 +292,11 @@ int drm_vma_info(struct seq_file *m, voi
31172 mutex_lock(&dev->struct_mutex);
31173 seq_printf(m, "vma use count: %d, high_memory = %p, 0x%08llx\n",
31174 atomic_read(&dev->vma_count),
31175 +#ifdef CONFIG_GRKERNSEC_HIDESYM
31176 + NULL, 0);
31177 +#else
31178 high_memory, (u64)virt_to_phys(high_memory));
31179 +#endif
31180
31181 list_for_each_entry(pt, &dev->vmalist, head) {
31182 vma = pt->vma;
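Review bot: Under CONFIG_GRKERNSEC_HIDESYM the placeholder for the `0x%08llx` conversion is a plain `0`, an int, where seq_printf() will fetch a 64-bit value. On a 32-bit build the option meant to hide addresses may therefore print unrelated stack contents. The line should be `NULL, 0ULL);`. The next hunk (-296) has the same mismatch for its `%08lx` conversions: `0, 0,` and the final `0);` should be `0UL, 0UL,` and `0UL);`. Both calls are in drm_vma_info(), whose body starts outside these hunks.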
31183 @@ -296,14 +304,23 @@ int drm_vma_info(struct seq_file *m, voi
31184 continue;
31185 seq_printf(m,
31186 "\n%5d 0x%08lx-0x%08lx %c%c%c%c%c%c 0x%08lx000",
31187 - pt->pid, vma->vm_start, vma->vm_end,
31188 + pt->pid,
31189 +#ifdef CONFIG_GRKERNSEC_HIDESYM
31190 + 0, 0,
31191 +#else
31192 + vma->vm_start, vma->vm_end,
31193 +#endif
31194 vma->vm_flags & VM_READ ? 'r' : '-',
31195 vma->vm_flags & VM_WRITE ? 'w' : '-',
31196 vma->vm_flags & VM_EXEC ? 'x' : '-',
31197 vma->vm_flags & VM_MAYSHARE ? 's' : 'p',
31198 vma->vm_flags & VM_LOCKED ? 'l' : '-',
31199 vma->vm_flags & VM_IO ? 'i' : '-',
31200 +#ifdef CONFIG_GRKERNSEC_HIDESYM
31201 + 0);
31202 +#else
31203 vma->vm_pgoff);
31204 +#endif
31205
31206 #if defined(__i386__)
31207 pgprot = pgprot_val(vma->vm_page_prot);
31208 diff -urNp linux-2.6.32.49/drivers/gpu/drm/drm_ioc32.c linux-2.6.32.49/drivers/gpu/drm/drm_ioc32.c
31209 --- linux-2.6.32.49/drivers/gpu/drm/drm_ioc32.c 2011-11-08 19:02:43.000000000 -0500
31210 +++ linux-2.6.32.49/drivers/gpu/drm/drm_ioc32.c 2011-11-15 19:59:43.000000000 -0500
31211 @@ -463,7 +463,7 @@ static int compat_drm_infobufs(struct fi
31212 request = compat_alloc_user_space(nbytes);
31213 if (!access_ok(VERIFY_WRITE, request, nbytes))
31214 return -EFAULT;
31215 - list = (struct drm_buf_desc *) (request + 1);
31216 + list = (struct drm_buf_desc __user *) (request + 1);
31217
31218 if (__put_user(count, &request->count)
31219 || __put_user(list, &request->list))
31220 @@ -525,7 +525,7 @@ static int compat_drm_mapbufs(struct fil
31221 request = compat_alloc_user_space(nbytes);
31222 if (!access_ok(VERIFY_WRITE, request, nbytes))
31223 return -EFAULT;
31224 - list = (struct drm_buf_pub *) (request + 1);
31225 + list = (struct drm_buf_pub __user *) (request + 1);
31226
31227 if (__put_user(count, &request->count)
31228 || __put_user(list, &request->list))
31229 diff -urNp linux-2.6.32.49/drivers/gpu/drm/drm_ioctl.c linux-2.6.32.49/drivers/gpu/drm/drm_ioctl.c
31230 --- linux-2.6.32.49/drivers/gpu/drm/drm_ioctl.c 2011-11-08 19:02:43.000000000 -0500
31231 +++ linux-2.6.32.49/drivers/gpu/drm/drm_ioctl.c 2011-11-15 19:59:43.000000000 -0500
31232 @@ -283,7 +283,7 @@ int drm_getstats(struct drm_device *dev,
31233 stats->data[i].value =
31234 (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
31235 else
31236 - stats->data[i].value = atomic_read(&dev->counts[i]);
31237 + stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
31238 stats->data[i].type = dev->types[i];
31239 }
31240
31241 diff -urNp linux-2.6.32.49/drivers/gpu/drm/drm_lock.c linux-2.6.32.49/drivers/gpu/drm/drm_lock.c
31242 --- linux-2.6.32.49/drivers/gpu/drm/drm_lock.c 2011-11-08 19:02:43.000000000 -0500
31243 +++ linux-2.6.32.49/drivers/gpu/drm/drm_lock.c 2011-11-15 19:59:43.000000000 -0500
31244 @@ -87,7 +87,7 @@ int drm_lock(struct drm_device *dev, voi
31245 if (drm_lock_take(&master->lock, lock->context)) {
31246 master->lock.file_priv = file_priv;
31247 master->lock.lock_time = jiffies;
31248 - atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
31249 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
31250 break; /* Got lock */
31251 }
31252
31253 @@ -165,7 +165,7 @@ int drm_unlock(struct drm_device *dev, v
31254 return -EINVAL;
31255 }
31256
31257 - atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
31258 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
31259
31260 /* kernel_context_switch isn't used by any of the x86 drm
31261 * modules but is required by the Sparc driver.
31262 diff -urNp linux-2.6.32.49/drivers/gpu/drm/i810/i810_dma.c linux-2.6.32.49/drivers/gpu/drm/i810/i810_dma.c
31263 --- linux-2.6.32.49/drivers/gpu/drm/i810/i810_dma.c 2011-11-08 19:02:43.000000000 -0500
31264 +++ linux-2.6.32.49/drivers/gpu/drm/i810/i810_dma.c 2011-11-15 19:59:43.000000000 -0500
31265 @@ -952,8 +952,8 @@ static int i810_dma_vertex(struct drm_de
31266 dma->buflist[vertex->idx],
31267 vertex->discard, vertex->used);
31268
31269 - atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
31270 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
31271 + atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
31272 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
31273 sarea_priv->last_enqueue = dev_priv->counter - 1;
31274 sarea_priv->last_dispatch = (int)hw_status[5];
31275
31276 @@ -1115,8 +1115,8 @@ static int i810_dma_mc(struct drm_device
31277 i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
31278 mc->last_render);
31279
31280 - atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
31281 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
31282 + atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
31283 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
31284 sarea_priv->last_enqueue = dev_priv->counter - 1;
31285 sarea_priv->last_dispatch = (int)hw_status[5];
31286
31287 diff -urNp linux-2.6.32.49/drivers/gpu/drm/i810/i810_drv.h linux-2.6.32.49/drivers/gpu/drm/i810/i810_drv.h
31288 --- linux-2.6.32.49/drivers/gpu/drm/i810/i810_drv.h 2011-11-08 19:02:43.000000000 -0500
31289 +++ linux-2.6.32.49/drivers/gpu/drm/i810/i810_drv.h 2011-11-15 19:59:43.000000000 -0500
31290 @@ -108,8 +108,8 @@ typedef struct drm_i810_private {
31291 int page_flipping;
31292
31293 wait_queue_head_t irq_queue;
31294 - atomic_t irq_received;
31295 - atomic_t irq_emitted;
31296 + atomic_unchecked_t irq_received;
31297 + atomic_unchecked_t irq_emitted;
31298
31299 int front_offset;
31300 } drm_i810_private_t;
31301 diff -urNp linux-2.6.32.49/drivers/gpu/drm/i830/i830_drv.h linux-2.6.32.49/drivers/gpu/drm/i830/i830_drv.h
31302 --- linux-2.6.32.49/drivers/gpu/drm/i830/i830_drv.h 2011-11-08 19:02:43.000000000 -0500
31303 +++ linux-2.6.32.49/drivers/gpu/drm/i830/i830_drv.h 2011-11-15 19:59:43.000000000 -0500
31304 @@ -115,8 +115,8 @@ typedef struct drm_i830_private {
31305 int page_flipping;
31306
31307 wait_queue_head_t irq_queue;
31308 - atomic_t irq_received;
31309 - atomic_t irq_emitted;
31310 + atomic_unchecked_t irq_received;
31311 + atomic_unchecked_t irq_emitted;
31312
31313 int use_mi_batchbuffer_start;
31314
31315 diff -urNp linux-2.6.32.49/drivers/gpu/drm/i830/i830_irq.c linux-2.6.32.49/drivers/gpu/drm/i830/i830_irq.c
31316 --- linux-2.6.32.49/drivers/gpu/drm/i830/i830_irq.c 2011-11-08 19:02:43.000000000 -0500
31317 +++ linux-2.6.32.49/drivers/gpu/drm/i830/i830_irq.c 2011-11-15 19:59:43.000000000 -0500
31318 @@ -47,7 +47,7 @@ irqreturn_t i830_driver_irq_handler(DRM_
31319
31320 I830_WRITE16(I830REG_INT_IDENTITY_R, temp);
31321
31322 - atomic_inc(&dev_priv->irq_received);
31323 + atomic_inc_unchecked(&dev_priv->irq_received);
31324 wake_up_interruptible(&dev_priv->irq_queue);
31325
31326 return IRQ_HANDLED;
31327 @@ -60,14 +60,14 @@ static int i830_emit_irq(struct drm_devi
31328
31329 DRM_DEBUG("%s\n", __func__);
31330
31331 - atomic_inc(&dev_priv->irq_emitted);
31332 + atomic_inc_unchecked(&dev_priv->irq_emitted);
31333
31334 BEGIN_LP_RING(2);
31335 OUT_RING(0);
31336 OUT_RING(GFX_OP_USER_INTERRUPT);
31337 ADVANCE_LP_RING();
31338
31339 - return atomic_read(&dev_priv->irq_emitted);
31340 + return atomic_read_unchecked(&dev_priv->irq_emitted);
31341 }
31342
31343 static int i830_wait_irq(struct drm_device * dev, int irq_nr)
31344 @@ -79,7 +79,7 @@ static int i830_wait_irq(struct drm_devi
31345
31346 DRM_DEBUG("%s\n", __func__);
31347
31348 - if (atomic_read(&dev_priv->irq_received) >= irq_nr)
31349 + if (atomic_read_unchecked(&dev_priv->irq_received) >= irq_nr)
31350 return 0;
31351
31352 dev_priv->sarea_priv->perf_boxes |= I830_BOX_WAIT;
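Review bot: Making irq_received an atomic_unchecked_t declares that the counter may wrap, but the `>= irq_nr` test here and in the loop of the next hunk (-88) is a plain signed comparison that gives the wrong answer once the counter passes INT_MAX. The timeout check in that loop already uses the wrap-tolerant form `(signed)(end - jiffies) <= 0`. The same shape would work here: `if ((signed)(atomic_read_unchecked(&dev_priv->irq_received) - irq_nr) >= 0)`. i830_wait_irq() continues outside both hunks, so any later handling of a missed wake-up is not visible.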
31353 @@ -88,7 +88,7 @@ static int i830_wait_irq(struct drm_devi
31354
31355 for (;;) {
31356 __set_current_state(TASK_INTERRUPTIBLE);
31357 - if (atomic_read(&dev_priv->irq_received) >= irq_nr)
31358 + if (atomic_read_unchecked(&dev_priv->irq_received) >= irq_nr)
31359 break;
31360 if ((signed)(end - jiffies) <= 0) {
31361 DRM_ERROR("timeout iir %x imr %x ier %x hwstam %x\n",
31362 @@ -163,8 +163,8 @@ void i830_driver_irq_preinstall(struct d
31363 I830_WRITE16(I830REG_HWSTAM, 0xffff);
31364 I830_WRITE16(I830REG_INT_MASK_R, 0x0);
31365 I830_WRITE16(I830REG_INT_ENABLE_R, 0x0);
31366 - atomic_set(&dev_priv->irq_received, 0);
31367 - atomic_set(&dev_priv->irq_emitted, 0);
31368 + atomic_set_unchecked(&dev_priv->irq_received, 0);
31369 + atomic_set_unchecked(&dev_priv->irq_emitted, 0);
31370 init_waitqueue_head(&dev_priv->irq_queue);
31371 }
31372
31373 diff -urNp linux-2.6.32.49/drivers/gpu/drm/i915/dvo_ch7017.c linux-2.6.32.49/drivers/gpu/drm/i915/dvo_ch7017.c
31374 --- linux-2.6.32.49/drivers/gpu/drm/i915/dvo_ch7017.c 2011-11-08 19:02:43.000000000 -0500
31375 +++ linux-2.6.32.49/drivers/gpu/drm/i915/dvo_ch7017.c 2011-11-15 19:59:43.000000000 -0500
31376 @@ -443,7 +443,7 @@ static void ch7017_destroy(struct intel_
31377 }
31378 }
31379
31380 -struct intel_dvo_dev_ops ch7017_ops = {
31381 +const struct intel_dvo_dev_ops ch7017_ops = {
31382 .init = ch7017_init,
31383 .detect = ch7017_detect,
31384 .mode_valid = ch7017_mode_valid,
31385 diff -urNp linux-2.6.32.49/drivers/gpu/drm/i915/dvo_ch7xxx.c linux-2.6.32.49/drivers/gpu/drm/i915/dvo_ch7xxx.c
31386 --- linux-2.6.32.49/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-11-08 19:02:43.000000000 -0500
31387 +++ linux-2.6.32.49/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-11-15 19:59:43.000000000 -0500
31388 @@ -356,7 +356,7 @@ static void ch7xxx_destroy(struct intel_
31389 }
31390 }
31391
31392 -struct intel_dvo_dev_ops ch7xxx_ops = {
31393 +const struct intel_dvo_dev_ops ch7xxx_ops = {
31394 .init = ch7xxx_init,
31395 .detect = ch7xxx_detect,
31396 .mode_valid = ch7xxx_mode_valid,
31397 diff -urNp linux-2.6.32.49/drivers/gpu/drm/i915/dvo.h linux-2.6.32.49/drivers/gpu/drm/i915/dvo.h
31398 --- linux-2.6.32.49/drivers/gpu/drm/i915/dvo.h 2011-11-08 19:02:43.000000000 -0500
31399 +++ linux-2.6.32.49/drivers/gpu/drm/i915/dvo.h 2011-11-15 19:59:43.000000000 -0500
31400 @@ -135,23 +135,23 @@ struct intel_dvo_dev_ops {
31401 *
31402 * \return singly-linked list of modes or NULL if no modes found.
31403 */
31404 - struct drm_display_mode *(*get_modes)(struct intel_dvo_device *dvo);
31405 + struct drm_display_mode *(* const get_modes)(struct intel_dvo_device *dvo);
31406
31407 /**
31408 * Clean up driver-specific bits of the output
31409 */
31410 - void (*destroy) (struct intel_dvo_device *dvo);
31411 + void (* const destroy) (struct intel_dvo_device *dvo);
31412
31413 /**
31414 * Debugging hook to dump device registers to log file
31415 */
31416 - void (*dump_regs)(struct intel_dvo_device *dvo);
31417 + void (* const dump_regs)(struct intel_dvo_device *dvo);
31418 };
31419
31420 -extern struct intel_dvo_dev_ops sil164_ops;
31421 -extern struct intel_dvo_dev_ops ch7xxx_ops;
31422 -extern struct intel_dvo_dev_ops ivch_ops;
31423 -extern struct intel_dvo_dev_ops tfp410_ops;
31424 -extern struct intel_dvo_dev_ops ch7017_ops;
31425 +extern const struct intel_dvo_dev_ops sil164_ops;
31426 +extern const struct intel_dvo_dev_ops ch7xxx_ops;
31427 +extern const struct intel_dvo_dev_ops ivch_ops;
31428 +extern const struct intel_dvo_dev_ops tfp410_ops;
31429 +extern const struct intel_dvo_dev_ops ch7017_ops;
31430
31431 #endif /* _INTEL_DVO_H */
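Review bot: Only `get_modes`, `destroy` and `dump_regs` gain a `* const` qualifier here, and this is the only hunk for dvo.h, so members such as `.init`, `.detect` and `.mode_valid` (set by the `*_ops` initialisers in the dvo_*.c hunks) stay unqualified. Because every instance is now declared `const struct intel_dvo_dev_ops`, the per-member `const` is either redundant or should be applied to all members for consistency. The struct definition begins above the hunk, so the earlier members are inferred from those initialisers rather than seen here.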
31432 diff -urNp linux-2.6.32.49/drivers/gpu/drm/i915/dvo_ivch.c linux-2.6.32.49/drivers/gpu/drm/i915/dvo_ivch.c
31433 --- linux-2.6.32.49/drivers/gpu/drm/i915/dvo_ivch.c 2011-11-08 19:02:43.000000000 -0500
31434 +++ linux-2.6.32.49/drivers/gpu/drm/i915/dvo_ivch.c 2011-11-15 19:59:43.000000000 -0500
31435 @@ -430,7 +430,7 @@ static void ivch_destroy(struct intel_dv
31436 }
31437 }
31438
31439 -struct intel_dvo_dev_ops ivch_ops= {
31440 +const struct intel_dvo_dev_ops ivch_ops= {
31441 .init = ivch_init,
31442 .dpms = ivch_dpms,
31443 .save = ivch_save,
31444 diff -urNp linux-2.6.32.49/drivers/gpu/drm/i915/dvo_sil164.c linux-2.6.32.49/drivers/gpu/drm/i915/dvo_sil164.c
31445 --- linux-2.6.32.49/drivers/gpu/drm/i915/dvo_sil164.c 2011-11-08 19:02:43.000000000 -0500
31446 +++ linux-2.6.32.49/drivers/gpu/drm/i915/dvo_sil164.c 2011-11-15 19:59:43.000000000 -0500
31447 @@ -290,7 +290,7 @@ static void sil164_destroy(struct intel_
31448 }
31449 }
31450
31451 -struct intel_dvo_dev_ops sil164_ops = {
31452 +const struct intel_dvo_dev_ops sil164_ops = {
31453 .init = sil164_init,
31454 .detect = sil164_detect,
31455 .mode_valid = sil164_mode_valid,
31456 diff -urNp linux-2.6.32.49/drivers/gpu/drm/i915/dvo_tfp410.c linux-2.6.32.49/drivers/gpu/drm/i915/dvo_tfp410.c
31457 --- linux-2.6.32.49/drivers/gpu/drm/i915/dvo_tfp410.c 2011-11-08 19:02:43.000000000 -0500
31458 +++ linux-2.6.32.49/drivers/gpu/drm/i915/dvo_tfp410.c 2011-11-15 19:59:43.000000000 -0500
31459 @@ -323,7 +323,7 @@ static void tfp410_destroy(struct intel_
31460 }
31461 }
31462
31463 -struct intel_dvo_dev_ops tfp410_ops = {
31464 +const struct intel_dvo_dev_ops tfp410_ops = {
31465 .init = tfp410_init,
31466 .detect = tfp410_detect,
31467 .mode_valid = tfp410_mode_valid,
31468 diff -urNp linux-2.6.32.49/drivers/gpu/drm/i915/i915_debugfs.c linux-2.6.32.49/drivers/gpu/drm/i915/i915_debugfs.c
31469 --- linux-2.6.32.49/drivers/gpu/drm/i915/i915_debugfs.c 2011-11-08 19:02:43.000000000 -0500
31470 +++ linux-2.6.32.49/drivers/gpu/drm/i915/i915_debugfs.c 2011-11-15 19:59:43.000000000 -0500
31471 @@ -192,7 +192,7 @@ static int i915_interrupt_info(struct se
31472 I915_READ(GTIMR));
31473 }
31474 seq_printf(m, "Interrupts received: %d\n",
31475 - atomic_read(&dev_priv->irq_received));
31476 + atomic_read_unchecked(&dev_priv->irq_received));
31477 if (dev_priv->hw_status_page != NULL) {
31478 seq_printf(m, "Current sequence: %d\n",
31479 i915_get_gem_seqno(dev));
31480 diff -urNp linux-2.6.32.49/drivers/gpu/drm/i915/i915_drv.c linux-2.6.32.49/drivers/gpu/drm/i915/i915_drv.c
31481 --- linux-2.6.32.49/drivers/gpu/drm/i915/i915_drv.c 2011-11-08 19:02:43.000000000 -0500
31482 +++ linux-2.6.32.49/drivers/gpu/drm/i915/i915_drv.c 2011-11-15 19:59:43.000000000 -0500
31483 @@ -285,7 +285,7 @@ i915_pci_resume(struct pci_dev *pdev)
31484 return i915_resume(dev);
31485 }
31486
31487 -static struct vm_operations_struct i915_gem_vm_ops = {
31488 +static const struct vm_operations_struct i915_gem_vm_ops = {
31489 .fault = i915_gem_fault,
31490 .open = drm_gem_vm_open,
31491 .close = drm_gem_vm_close,
31492 diff -urNp linux-2.6.32.49/drivers/gpu/drm/i915/i915_drv.h linux-2.6.32.49/drivers/gpu/drm/i915/i915_drv.h
31493 --- linux-2.6.32.49/drivers/gpu/drm/i915/i915_drv.h 2011-11-08 19:02:43.000000000 -0500
31494 +++ linux-2.6.32.49/drivers/gpu/drm/i915/i915_drv.h 2011-11-15 19:59:43.000000000 -0500
31495 @@ -168,7 +168,7 @@ struct drm_i915_display_funcs {
31496 /* display clock increase/decrease */
31497 /* pll clock increase/decrease */
31498 /* clock gating init */
31499 -};
31500 +} __no_const;
31501
31502 typedef struct drm_i915_private {
31503 struct drm_device *dev;
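Review bot: `__no_const` on `struct drm_i915_display_funcs` comes with no explanation of why this table of function pointers has to stay writable. A one-line comment such as `/* filled in at runtime per chipset, so it cannot be made read-only */` would mark the opt-out as deliberate. The assignment sites are outside this hunk, so that reason should be confirmed before it is written down. The same comment is missing on `struct radeon_asic` in the radeon.h hunk.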
31504 @@ -197,7 +197,7 @@ typedef struct drm_i915_private {
31505 int page_flipping;
31506
31507 wait_queue_head_t irq_queue;
31508 - atomic_t irq_received;
31509 + atomic_unchecked_t irq_received;
31510 /** Protects user_irq_refcount and irq_mask_reg */
31511 spinlock_t user_irq_lock;
31512 /** Refcount for i915_user_irq_get() versus i915_user_irq_put(). */
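Review bot: The switch of `irq_received` to `atomic_unchecked_t` is not documented at the field, so nothing tells a reader that wrap-around is acceptable for this counter. I would add `/* event counter, not a reference count: may wrap */` next to the declaration. The same comment is missing on `vbl_received` and `last_fence_retired` in mga_drv.h, `idle_count` and `vbl_received` in r128_drv.h, `swi_emitted` in radeon_drv.h, `seq` in radeon.h, and both fields in via_drv.h.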
31513 diff -urNp linux-2.6.32.49/drivers/gpu/drm/i915/i915_gem.c linux-2.6.32.49/drivers/gpu/drm/i915/i915_gem.c
31514 --- linux-2.6.32.49/drivers/gpu/drm/i915/i915_gem.c 2011-11-26 19:44:53.000000000 -0500
31515 +++ linux-2.6.32.49/drivers/gpu/drm/i915/i915_gem.c 2011-11-26 19:55:10.000000000 -0500
31516 @@ -102,7 +102,7 @@ i915_gem_get_aperture_ioctl(struct drm_d
31517
31518 args->aper_size = dev->gtt_total;
31519 args->aper_available_size = (args->aper_size -
31520 - atomic_read(&dev->pin_memory));
31521 + atomic_read_unchecked(&dev->pin_memory));
31522
31523 return 0;
31524 }
31525 @@ -2058,7 +2058,7 @@ i915_gem_object_unbind(struct drm_gem_ob
31526
31527 if (obj_priv->gtt_space) {
31528 atomic_dec(&dev->gtt_count);
31529 - atomic_sub(obj->size, &dev->gtt_memory);
31530 + atomic_sub_unchecked(obj->size, &dev->gtt_memory);
31531
31532 drm_mm_put_block(obj_priv->gtt_space);
31533 obj_priv->gtt_space = NULL;
31534 @@ -2701,7 +2701,7 @@ i915_gem_object_bind_to_gtt(struct drm_g
31535 goto search_free;
31536 }
31537 atomic_inc(&dev->gtt_count);
31538 - atomic_add(obj->size, &dev->gtt_memory);
31539 + atomic_add_unchecked(obj->size, &dev->gtt_memory);
31540
31541 /* Assert that the object is not currently in any GPU domain. As it
31542 * wasn't in the GTT, there shouldn't be any way it could have been in
31543 @@ -3755,9 +3755,9 @@ i915_gem_execbuffer(struct drm_device *d
31544 "%d/%d gtt bytes\n",
31545 atomic_read(&dev->object_count),
31546 atomic_read(&dev->pin_count),
31547 - atomic_read(&dev->object_memory),
31548 - atomic_read(&dev->pin_memory),
31549 - atomic_read(&dev->gtt_memory),
31550 + atomic_read_unchecked(&dev->object_memory),
31551 + atomic_read_unchecked(&dev->pin_memory),
31552 + atomic_read_unchecked(&dev->gtt_memory),
31553 dev->gtt_total);
31554 }
31555 goto err;
31556 @@ -3989,7 +3989,7 @@ i915_gem_object_pin(struct drm_gem_objec
31557 */
31558 if (obj_priv->pin_count == 1) {
31559 atomic_inc(&dev->pin_count);
31560 - atomic_add(obj->size, &dev->pin_memory);
31561 + atomic_add_unchecked(obj->size, &dev->pin_memory);
31562 if (!obj_priv->active &&
31563 (obj->write_domain & I915_GEM_GPU_DOMAINS) == 0 &&
31564 !list_empty(&obj_priv->list))
31565 @@ -4022,7 +4022,7 @@ i915_gem_object_unpin(struct drm_gem_obj
31566 list_move_tail(&obj_priv->list,
31567 &dev_priv->mm.inactive_list);
31568 atomic_dec(&dev->pin_count);
31569 - atomic_sub(obj->size, &dev->pin_memory);
31570 + atomic_sub_unchecked(obj->size, &dev->pin_memory);
31571 }
31572 i915_verify_inactive(dev, __FILE__, __LINE__);
31573 }
31574 diff -urNp linux-2.6.32.49/drivers/gpu/drm/i915/i915_irq.c linux-2.6.32.49/drivers/gpu/drm/i915/i915_irq.c
31575 --- linux-2.6.32.49/drivers/gpu/drm/i915/i915_irq.c 2011-11-08 19:02:43.000000000 -0500
31576 +++ linux-2.6.32.49/drivers/gpu/drm/i915/i915_irq.c 2011-11-15 19:59:43.000000000 -0500
31577 @@ -528,7 +528,7 @@ irqreturn_t i915_driver_irq_handler(DRM_
31578 int irq_received;
31579 int ret = IRQ_NONE;
31580
31581 - atomic_inc(&dev_priv->irq_received);
31582 + atomic_inc_unchecked(&dev_priv->irq_received);
31583
31584 if (IS_IGDNG(dev))
31585 return igdng_irq_handler(dev);
31586 @@ -1021,7 +1021,7 @@ void i915_driver_irq_preinstall(struct d
31587 {
31588 drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
31589
31590 - atomic_set(&dev_priv->irq_received, 0);
31591 + atomic_set_unchecked(&dev_priv->irq_received, 0);
31592
31593 INIT_WORK(&dev_priv->hotplug_work, i915_hotplug_work_func);
31594 INIT_WORK(&dev_priv->error_work, i915_error_work_func);
31595 diff -urNp linux-2.6.32.49/drivers/gpu/drm/i915/intel_sdvo.c linux-2.6.32.49/drivers/gpu/drm/i915/intel_sdvo.c
31596 --- linux-2.6.32.49/drivers/gpu/drm/i915/intel_sdvo.c 2011-11-08 19:02:43.000000000 -0500
31597 +++ linux-2.6.32.49/drivers/gpu/drm/i915/intel_sdvo.c 2011-11-15 19:59:43.000000000 -0500
31598 @@ -2795,7 +2795,9 @@ bool intel_sdvo_init(struct drm_device *
31599 sdvo_priv->slave_addr = intel_sdvo_get_slave_addr(dev, output_device);
31600
31601 /* Save the bit-banging i2c functionality for use by the DDC wrapper */
31602 - intel_sdvo_i2c_bit_algo.functionality = intel_output->i2c_bus->algo->functionality;
31603 + pax_open_kernel();
31604 + *(void **)&intel_sdvo_i2c_bit_algo.functionality = intel_output->i2c_bus->algo->functionality;
31605 + pax_close_kernel();
31606
31607 /* Read the regs to test if we can talk to the device */
31608 for (i = 0; i < 0x40; i++) {
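Review bot: The write through `*(void **)&intel_sdvo_i2c_bit_algo.functionality` stores a function pointer via a `void *` lvalue, which compiles with GCC but is not a conversion ISO C defines, and the cast hides the member's real type from the compiler. Nothing explains why the store is bracketed by `pax_open_kernel()`/`pax_close_kernel()`. A comment such as `/* intel_sdvo_i2c_bit_algo is read-only after init; this is its single sanctioned write */` would make the intent reviewable. The declaration of `intel_sdvo_i2c_bit_algo` is outside the hunk, so its read-only placement is presumed from the bracketing calls.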
31609 diff -urNp linux-2.6.32.49/drivers/gpu/drm/mga/mga_drv.h linux-2.6.32.49/drivers/gpu/drm/mga/mga_drv.h
31610 --- linux-2.6.32.49/drivers/gpu/drm/mga/mga_drv.h 2011-11-08 19:02:43.000000000 -0500
31611 +++ linux-2.6.32.49/drivers/gpu/drm/mga/mga_drv.h 2011-11-15 19:59:43.000000000 -0500
31612 @@ -120,9 +120,9 @@ typedef struct drm_mga_private {
31613 u32 clear_cmd;
31614 u32 maccess;
31615
31616 - atomic_t vbl_received; /**< Number of vblanks received. */
31617 + atomic_unchecked_t vbl_received; /**< Number of vblanks received. */
31618 wait_queue_head_t fence_queue;
31619 - atomic_t last_fence_retired;
31620 + atomic_unchecked_t last_fence_retired;
31621 u32 next_fence_to_post;
31622
31623 unsigned int fb_cpp;
31624 diff -urNp linux-2.6.32.49/drivers/gpu/drm/mga/mga_irq.c linux-2.6.32.49/drivers/gpu/drm/mga/mga_irq.c
31625 --- linux-2.6.32.49/drivers/gpu/drm/mga/mga_irq.c 2011-11-08 19:02:43.000000000 -0500
31626 +++ linux-2.6.32.49/drivers/gpu/drm/mga/mga_irq.c 2011-11-15 19:59:43.000000000 -0500
31627 @@ -44,7 +44,7 @@ u32 mga_get_vblank_counter(struct drm_de
31628 if (crtc != 0)
31629 return 0;
31630
31631 - return atomic_read(&dev_priv->vbl_received);
31632 + return atomic_read_unchecked(&dev_priv->vbl_received);
31633 }
31634
31635
31636 @@ -60,7 +60,7 @@ irqreturn_t mga_driver_irq_handler(DRM_I
31637 /* VBLANK interrupt */
31638 if (status & MGA_VLINEPEN) {
31639 MGA_WRITE(MGA_ICLEAR, MGA_VLINEICLR);
31640 - atomic_inc(&dev_priv->vbl_received);
31641 + atomic_inc_unchecked(&dev_priv->vbl_received);
31642 drm_handle_vblank(dev, 0);
31643 handled = 1;
31644 }
31645 @@ -80,7 +80,7 @@ irqreturn_t mga_driver_irq_handler(DRM_I
31646 MGA_WRITE(MGA_PRIMEND, prim_end);
31647 }
31648
31649 - atomic_inc(&dev_priv->last_fence_retired);
31650 + atomic_inc_unchecked(&dev_priv->last_fence_retired);
31651 DRM_WAKEUP(&dev_priv->fence_queue);
31652 handled = 1;
31653 }
31654 @@ -131,7 +131,7 @@ int mga_driver_fence_wait(struct drm_dev
31655 * using fences.
31656 */
31657 DRM_WAIT_ON(ret, dev_priv->fence_queue, 3 * DRM_HZ,
31658 - (((cur_fence = atomic_read(&dev_priv->last_fence_retired))
31659 + (((cur_fence = atomic_read_unchecked(&dev_priv->last_fence_retired))
31660 - *sequence) <= (1 << 23)));
31661
31662 *sequence = cur_fence;
31663 diff -urNp linux-2.6.32.49/drivers/gpu/drm/r128/r128_cce.c linux-2.6.32.49/drivers/gpu/drm/r128/r128_cce.c
31664 --- linux-2.6.32.49/drivers/gpu/drm/r128/r128_cce.c 2011-11-08 19:02:43.000000000 -0500
31665 +++ linux-2.6.32.49/drivers/gpu/drm/r128/r128_cce.c 2011-11-15 19:59:43.000000000 -0500
31666 @@ -377,7 +377,7 @@ static int r128_do_init_cce(struct drm_d
31667
31668 /* GH: Simple idle check.
31669 */
31670 - atomic_set(&dev_priv->idle_count, 0);
31671 + atomic_set_unchecked(&dev_priv->idle_count, 0);
31672
31673 /* We don't support anything other than bus-mastering ring mode,
31674 * but the ring can be in either AGP or PCI space for the ring
31675 diff -urNp linux-2.6.32.49/drivers/gpu/drm/r128/r128_drv.h linux-2.6.32.49/drivers/gpu/drm/r128/r128_drv.h
31676 --- linux-2.6.32.49/drivers/gpu/drm/r128/r128_drv.h 2011-11-08 19:02:43.000000000 -0500
31677 +++ linux-2.6.32.49/drivers/gpu/drm/r128/r128_drv.h 2011-11-15 19:59:43.000000000 -0500
31678 @@ -90,14 +90,14 @@ typedef struct drm_r128_private {
31679 int is_pci;
31680 unsigned long cce_buffers_offset;
31681
31682 - atomic_t idle_count;
31683 + atomic_unchecked_t idle_count;
31684
31685 int page_flipping;
31686 int current_page;
31687 u32 crtc_offset;
31688 u32 crtc_offset_cntl;
31689
31690 - atomic_t vbl_received;
31691 + atomic_unchecked_t vbl_received;
31692
31693 u32 color_fmt;
31694 unsigned int front_offset;
31695 diff -urNp linux-2.6.32.49/drivers/gpu/drm/r128/r128_irq.c linux-2.6.32.49/drivers/gpu/drm/r128/r128_irq.c
31696 --- linux-2.6.32.49/drivers/gpu/drm/r128/r128_irq.c 2011-11-08 19:02:43.000000000 -0500
31697 +++ linux-2.6.32.49/drivers/gpu/drm/r128/r128_irq.c 2011-11-15 19:59:43.000000000 -0500
31698 @@ -42,7 +42,7 @@ u32 r128_get_vblank_counter(struct drm_d
31699 if (crtc != 0)
31700 return 0;
31701
31702 - return atomic_read(&dev_priv->vbl_received);
31703 + return atomic_read_unchecked(&dev_priv->vbl_received);
31704 }
31705
31706 irqreturn_t r128_driver_irq_handler(DRM_IRQ_ARGS)
31707 @@ -56,7 +56,7 @@ irqreturn_t r128_driver_irq_handler(DRM_
31708 /* VBLANK interrupt */
31709 if (status & R128_CRTC_VBLANK_INT) {
31710 R128_WRITE(R128_GEN_INT_STATUS, R128_CRTC_VBLANK_INT_AK);
31711 - atomic_inc(&dev_priv->vbl_received);
31712 + atomic_inc_unchecked(&dev_priv->vbl_received);
31713 drm_handle_vblank(dev, 0);
31714 return IRQ_HANDLED;
31715 }
31716 diff -urNp linux-2.6.32.49/drivers/gpu/drm/r128/r128_state.c linux-2.6.32.49/drivers/gpu/drm/r128/r128_state.c
31717 --- linux-2.6.32.49/drivers/gpu/drm/r128/r128_state.c 2011-11-08 19:02:43.000000000 -0500
31718 +++ linux-2.6.32.49/drivers/gpu/drm/r128/r128_state.c 2011-11-15 19:59:43.000000000 -0500
31719 @@ -323,10 +323,10 @@ static void r128_clear_box(drm_r128_priv
31720
31721 static void r128_cce_performance_boxes(drm_r128_private_t * dev_priv)
31722 {
31723 - if (atomic_read(&dev_priv->idle_count) == 0) {
31724 + if (atomic_read_unchecked(&dev_priv->idle_count) == 0) {
31725 r128_clear_box(dev_priv, 64, 4, 8, 8, 0, 255, 0);
31726 } else {
31727 - atomic_set(&dev_priv->idle_count, 0);
31728 + atomic_set_unchecked(&dev_priv->idle_count, 0);
31729 }
31730 }
31731
31732 diff -urNp linux-2.6.32.49/drivers/gpu/drm/radeon/atom.c linux-2.6.32.49/drivers/gpu/drm/radeon/atom.c
31733 --- linux-2.6.32.49/drivers/gpu/drm/radeon/atom.c 2011-11-08 19:02:43.000000000 -0500
31734 +++ linux-2.6.32.49/drivers/gpu/drm/radeon/atom.c 2011-11-15 19:59:43.000000000 -0500
31735 @@ -1115,6 +1115,8 @@ struct atom_context *atom_parse(struct c
31736 char name[512];
31737 int i;
31738
31739 + pax_track_stack();
31740 +
31741 ctx->card = card;
31742 ctx->bios = bios;
31743
31744 diff -urNp linux-2.6.32.49/drivers/gpu/drm/radeon/mkregtable.c linux-2.6.32.49/drivers/gpu/drm/radeon/mkregtable.c
31745 --- linux-2.6.32.49/drivers/gpu/drm/radeon/mkregtable.c 2011-11-08 19:02:43.000000000 -0500
31746 +++ linux-2.6.32.49/drivers/gpu/drm/radeon/mkregtable.c 2011-11-15 19:59:43.000000000 -0500
31747 @@ -637,14 +637,14 @@ static int parser_auth(struct table *t,
31748 regex_t mask_rex;
31749 regmatch_t match[4];
31750 char buf[1024];
31751 - size_t end;
31752 + long end;
31753 int len;
31754 int done = 0;
31755 int r;
31756 unsigned o;
31757 struct offset *offset;
31758 char last_reg_s[10];
31759 - int last_reg;
31760 + unsigned long last_reg;
31761
31762 if (regcomp
31763 (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
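Review bot: Changing `end` from `size_t` to `long` and `last_reg` from `int` to `unsigned long` is only correct if every later conversion specifier and comparison in parser_auth matches the new types, and those uses are outside this hunk. A `%d` or `%x` left against `last_reg`, for instance, would now mismatch its argument. The rest of the function should be checked, ideally by building this host tool with `-Wformat -Wsign-compare`.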
31764 diff -urNp linux-2.6.32.49/drivers/gpu/drm/radeon/radeon_atombios.c linux-2.6.32.49/drivers/gpu/drm/radeon/radeon_atombios.c
31765 --- linux-2.6.32.49/drivers/gpu/drm/radeon/radeon_atombios.c 2011-11-08 19:02:43.000000000 -0500
31766 +++ linux-2.6.32.49/drivers/gpu/drm/radeon/radeon_atombios.c 2011-11-15 19:59:43.000000000 -0500
31767 @@ -275,6 +275,8 @@ bool radeon_get_atom_connector_info_from
31768 bool linkb;
31769 struct radeon_i2c_bus_rec ddc_bus;
31770
31771 + pax_track_stack();
31772 +
31773 atom_parse_data_header(ctx, index, &size, &frev, &crev, &data_offset);
31774
31775 if (data_offset == 0)
31776 @@ -520,13 +522,13 @@ static uint16_t atombios_get_connector_o
31777 }
31778 }
31779
31780 -struct bios_connector {
31781 +static struct bios_connector {
31782 bool valid;
31783 uint16_t line_mux;
31784 uint16_t devices;
31785 int connector_type;
31786 struct radeon_i2c_bus_rec ddc_bus;
31787 -};
31788 +} bios_connectors[ATOM_MAX_SUPPORTED_DEVICE];
31789
31790 bool radeon_get_atom_connector_info_from_supported_devices_table(struct
31791 drm_device
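Review bot: Moving `bios_connectors` from the stack (removed in the next hunk) to a file-scope `static` array makes radeon_get_atom_connector_info_from_supported_devices_table non-reentrant. Two devices probed concurrently would share the table, and entries from an earlier call persist unless the function resets every `valid` flag itself. The loop that fills the array is outside both hunks, so whether it clears each entry first needs to be confirmed. At minimum the declaration should carry a comment like `/* static to keep it off the kernel stack; callers must be serialised */`.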
31792 @@ -542,7 +544,6 @@ bool radeon_get_atom_connector_info_from
31793 uint8_t dac;
31794 union atom_supported_devices *supported_devices;
31795 int i, j;
31796 - struct bios_connector bios_connectors[ATOM_MAX_SUPPORTED_DEVICE];
31797
31798 atom_parse_data_header(ctx, index, &size, &frev, &crev, &data_offset);
31799
31800 diff -urNp linux-2.6.32.49/drivers/gpu/drm/radeon/radeon_display.c linux-2.6.32.49/drivers/gpu/drm/radeon/radeon_display.c
31801 --- linux-2.6.32.49/drivers/gpu/drm/radeon/radeon_display.c 2011-11-08 19:02:43.000000000 -0500
31802 +++ linux-2.6.32.49/drivers/gpu/drm/radeon/radeon_display.c 2011-11-15 19:59:43.000000000 -0500
31803 @@ -482,7 +482,7 @@ void radeon_compute_pll(struct radeon_pl
31804
31805 if (flags & RADEON_PLL_PREFER_CLOSEST_LOWER) {
31806 error = freq - current_freq;
31807 - error = error < 0 ? 0xffffffff : error;
31808 + error = (int32_t)error < 0 ? 0xffffffff : error;
31809 } else
31810 error = abs(current_freq - freq);
31811 vco_diff = abs(vco - best_vco);
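Review bot: The cast in `(int32_t)error < 0` depends on reinterpreting an unsigned difference as signed, which is harder to read than comparing the operands directly. It also misclassifies any genuine difference of 2^31 or more. If `freq` and `current_freq` are both unsigned 32-bit values (their declarations are outside the hunk), `error = freq < current_freq ? 0xffffffff : freq - current_freq;` expresses the same intent without the cast.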
31812 diff -urNp linux-2.6.32.49/drivers/gpu/drm/radeon/radeon_drv.h linux-2.6.32.49/drivers/gpu/drm/radeon/radeon_drv.h
31813 --- linux-2.6.32.49/drivers/gpu/drm/radeon/radeon_drv.h 2011-11-08 19:02:43.000000000 -0500
31814 +++ linux-2.6.32.49/drivers/gpu/drm/radeon/radeon_drv.h 2011-11-15 19:59:43.000000000 -0500
31815 @@ -253,7 +253,7 @@ typedef struct drm_radeon_private {
31816
31817 /* SW interrupt */
31818 wait_queue_head_t swi_queue;
31819 - atomic_t swi_emitted;
31820 + atomic_unchecked_t swi_emitted;
31821 int vblank_crtc;
31822 uint32_t irq_enable_reg;
31823 uint32_t r500_disp_irq_reg;
31824 diff -urNp linux-2.6.32.49/drivers/gpu/drm/radeon/radeon_fence.c linux-2.6.32.49/drivers/gpu/drm/radeon/radeon_fence.c
31825 --- linux-2.6.32.49/drivers/gpu/drm/radeon/radeon_fence.c 2011-11-08 19:02:43.000000000 -0500
31826 +++ linux-2.6.32.49/drivers/gpu/drm/radeon/radeon_fence.c 2011-11-15 19:59:43.000000000 -0500
31827 @@ -47,7 +47,7 @@ int radeon_fence_emit(struct radeon_devi
31828 write_unlock_irqrestore(&rdev->fence_drv.lock, irq_flags);
31829 return 0;
31830 }
31831 - fence->seq = atomic_add_return(1, &rdev->fence_drv.seq);
31832 + fence->seq = atomic_add_return_unchecked(1, &rdev->fence_drv.seq);
31833 if (!rdev->cp.ready) {
31834 /* FIXME: cp is not running assume everythings is done right
31835 * away
31836 @@ -364,7 +364,7 @@ int radeon_fence_driver_init(struct rade
31837 return r;
31838 }
31839 WREG32(rdev->fence_drv.scratch_reg, 0);
31840 - atomic_set(&rdev->fence_drv.seq, 0);
31841 + atomic_set_unchecked(&rdev->fence_drv.seq, 0);
31842 INIT_LIST_HEAD(&rdev->fence_drv.created);
31843 INIT_LIST_HEAD(&rdev->fence_drv.emited);
31844 INIT_LIST_HEAD(&rdev->fence_drv.signaled);
31845 diff -urNp linux-2.6.32.49/drivers/gpu/drm/radeon/radeon.h linux-2.6.32.49/drivers/gpu/drm/radeon/radeon.h
31846 --- linux-2.6.32.49/drivers/gpu/drm/radeon/radeon.h 2011-11-08 19:02:43.000000000 -0500
31847 +++ linux-2.6.32.49/drivers/gpu/drm/radeon/radeon.h 2011-11-15 19:59:43.000000000 -0500
31848 @@ -149,7 +149,7 @@ int radeon_pm_init(struct radeon_device
31849 */
31850 struct radeon_fence_driver {
31851 uint32_t scratch_reg;
31852 - atomic_t seq;
31853 + atomic_unchecked_t seq;
31854 uint32_t last_seq;
31855 unsigned long count_timeout;
31856 wait_queue_head_t queue;
31857 @@ -640,7 +640,7 @@ struct radeon_asic {
31858 uint32_t offset, uint32_t obj_size);
31859 int (*clear_surface_reg)(struct radeon_device *rdev, int reg);
31860 void (*bandwidth_update)(struct radeon_device *rdev);
31861 -};
31862 +} __no_const;
31863
31864 /*
31865 * Asic structures
31866 diff -urNp linux-2.6.32.49/drivers/gpu/drm/radeon/radeon_ioc32.c linux-2.6.32.49/drivers/gpu/drm/radeon/radeon_ioc32.c
31867 --- linux-2.6.32.49/drivers/gpu/drm/radeon/radeon_ioc32.c 2011-11-08 19:02:43.000000000 -0500
31868 +++ linux-2.6.32.49/drivers/gpu/drm/radeon/radeon_ioc32.c 2011-11-15 19:59:43.000000000 -0500
31869 @@ -368,7 +368,7 @@ static int compat_radeon_cp_setparam(str
31870 request = compat_alloc_user_space(sizeof(*request));
31871 if (!access_ok(VERIFY_WRITE, request, sizeof(*request))
31872 || __put_user(req32.param, &request->param)
31873 - || __put_user((void __user *)(unsigned long)req32.value,
31874 + || __put_user((unsigned long)req32.value,
31875 &request->value))
31876 return -EFAULT;
31877
31878 diff -urNp linux-2.6.32.49/drivers/gpu/drm/radeon/radeon_irq.c linux-2.6.32.49/drivers/gpu/drm/radeon/radeon_irq.c
31879 --- linux-2.6.32.49/drivers/gpu/drm/radeon/radeon_irq.c 2011-11-08 19:02:43.000000000 -0500
31880 +++ linux-2.6.32.49/drivers/gpu/drm/radeon/radeon_irq.c 2011-11-15 19:59:43.000000000 -0500
31881 @@ -225,8 +225,8 @@ static int radeon_emit_irq(struct drm_de
31882 unsigned int ret;
31883 RING_LOCALS;
31884
31885 - atomic_inc(&dev_priv->swi_emitted);
31886 - ret = atomic_read(&dev_priv->swi_emitted);
31887 + atomic_inc_unchecked(&dev_priv->swi_emitted);
31888 + ret = atomic_read_unchecked(&dev_priv->swi_emitted);
31889
31890 BEGIN_RING(4);
31891 OUT_RING_REG(RADEON_LAST_SWI_REG, ret);
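Review bot: The sequence number in radeon_emit_irq is produced by two separate operations, `atomic_inc_unchecked()` followed by `atomic_read_unchecked()`. Unless the caller holds a lock not visible in this hunk, another emitter can increment in between and two callers can write the same `ret` to `RADEON_LAST_SWI_REG`. A single `ret = atomic_add_return_unchecked(1, &dev_priv->swi_emitted);` closes that window; the patch already uses this helper in radeon_fence.c. The inc-then-read pattern also appears in the via_irq.c hunk for `vbl_received`.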
31892 @@ -352,7 +352,7 @@ int radeon_driver_irq_postinstall(struct
31893 drm_radeon_private_t *dev_priv =
31894 (drm_radeon_private_t *) dev->dev_private;
31895
31896 - atomic_set(&dev_priv->swi_emitted, 0);
31897 + atomic_set_unchecked(&dev_priv->swi_emitted, 0);
31898 DRM_INIT_WAITQUEUE(&dev_priv->swi_queue);
31899
31900 dev->max_vblank_count = 0x001fffff;
31901 diff -urNp linux-2.6.32.49/drivers/gpu/drm/radeon/radeon_state.c linux-2.6.32.49/drivers/gpu/drm/radeon/radeon_state.c
31902 --- linux-2.6.32.49/drivers/gpu/drm/radeon/radeon_state.c 2011-11-08 19:02:43.000000000 -0500
31903 +++ linux-2.6.32.49/drivers/gpu/drm/radeon/radeon_state.c 2011-11-15 19:59:43.000000000 -0500
31904 @@ -3021,7 +3021,7 @@ static int radeon_cp_getparam(struct drm
31905 {
31906 drm_radeon_private_t *dev_priv = dev->dev_private;
31907 drm_radeon_getparam_t *param = data;
31908 - int value;
31909 + int value = 0;
31910
31911 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
31912
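Review bot: The new `= 0` initialiser on `value` has no comment, so a later cleanup could remove it as a redundant store. Its apparent purpose is to ensure that a path leaving `value` unset cannot copy uninitialised kernel stack to user space, but the switch and the copy-out are outside the hunk, so this is inferred. I would write `int value = 0; /* never hand uninitialised stack to user space */` and confirm which case, if any, actually reaches the copy without assigning.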
31913 diff -urNp linux-2.6.32.49/drivers/gpu/drm/radeon/radeon_ttm.c linux-2.6.32.49/drivers/gpu/drm/radeon/radeon_ttm.c
31914 --- linux-2.6.32.49/drivers/gpu/drm/radeon/radeon_ttm.c 2011-11-08 19:02:43.000000000 -0500
31915 +++ linux-2.6.32.49/drivers/gpu/drm/radeon/radeon_ttm.c 2011-11-15 19:59:43.000000000 -0500
31916 @@ -535,27 +535,10 @@ void radeon_ttm_fini(struct radeon_devic
31917 DRM_INFO("radeon: ttm finalized\n");
31918 }
31919
31920 -static struct vm_operations_struct radeon_ttm_vm_ops;
31921 -static const struct vm_operations_struct *ttm_vm_ops = NULL;
31922 -
31923 -static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
31924 -{
31925 - struct ttm_buffer_object *bo;
31926 - int r;
31927 -
31928 - bo = (struct ttm_buffer_object *)vma->vm_private_data;
31929 - if (bo == NULL) {
31930 - return VM_FAULT_NOPAGE;
31931 - }
31932 - r = ttm_vm_ops->fault(vma, vmf);
31933 - return r;
31934 -}
31935 -
31936 int radeon_mmap(struct file *filp, struct vm_area_struct *vma)
31937 {
31938 struct drm_file *file_priv;
31939 struct radeon_device *rdev;
31940 - int r;
31941
31942 if (unlikely(vma->vm_pgoff < DRM_FILE_PAGE_OFFSET)) {
31943 return drm_mmap(filp, vma);
31944 @@ -563,20 +546,9 @@ int radeon_mmap(struct file *filp, struc
31945
31946 file_priv = (struct drm_file *)filp->private_data;
31947 rdev = file_priv->minor->dev->dev_private;
31948 - if (rdev == NULL) {
31949 + if (!rdev)
31950 return -EINVAL;
31951 - }
31952 - r = ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
31953 - if (unlikely(r != 0)) {
31954 - return r;
31955 - }
31956 - if (unlikely(ttm_vm_ops == NULL)) {
31957 - ttm_vm_ops = vma->vm_ops;
31958 - radeon_ttm_vm_ops = *ttm_vm_ops;
31959 - radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
31960 - }
31961 - vma->vm_ops = &radeon_ttm_vm_ops;
31962 - return 0;
31963 + return ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
31964 }
31965
31966
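Review bot: With `radeon_ttm_fault` removed in the preceding hunk, radeon_mmap no longer guards against a NULL `vma->vm_private_data` and depends on the `if (!bo)` check this patch adds to ttm_bo_vm_fault. That coupling is not recorded anywhere, so backporting one file without the other reintroduces a NULL dereference in the fault path. A short comment above the final return, for example `/* NULL bo is handled in ttm_bo_vm_fault() */`, would keep the two changes tied together.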
31967 diff -urNp linux-2.6.32.49/drivers/gpu/drm/radeon/rs690.c linux-2.6.32.49/drivers/gpu/drm/radeon/rs690.c
31968 --- linux-2.6.32.49/drivers/gpu/drm/radeon/rs690.c 2011-11-08 19:02:43.000000000 -0500
31969 +++ linux-2.6.32.49/drivers/gpu/drm/radeon/rs690.c 2011-11-15 19:59:43.000000000 -0500
31970 @@ -302,9 +302,11 @@ void rs690_crtc_bandwidth_compute(struct
31971 if (rdev->pm.max_bandwidth.full > rdev->pm.sideport_bandwidth.full &&
31972 rdev->pm.sideport_bandwidth.full)
31973 rdev->pm.max_bandwidth = rdev->pm.sideport_bandwidth;
31974 - read_delay_latency.full = rfixed_const(370 * 800 * 1000);
31975 + read_delay_latency.full = rfixed_const(800 * 1000);
31976 read_delay_latency.full = rfixed_div(read_delay_latency,
31977 rdev->pm.igp_sideport_mclk);
31978 + a.full = rfixed_const(370);
31979 + read_delay_latency.full = rfixed_mul(read_delay_latency, a);
31980 } else {
31981 if (rdev->pm.max_bandwidth.full > rdev->pm.k8_bandwidth.full &&
31982 rdev->pm.k8_bandwidth.full)
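Review bot: The added `a.full = rfixed_const(370);` overwrites `a`, which is safe only if nothing later in rs690_crtc_bandwidth_compute still needs its earlier value. The function extends beyond the hunk in both directions, so that needs checking. The reordering (divide by `igp_sideport_mclk` first, multiply by 370 afterwards) is also unexplained. Presumably the single constant no longer fits once converted to fixed point, and a comment such as `/* 370 * 800 * 1000 overflows as a fixed-point constant; scale after the divide */` would record that.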
31983 diff -urNp linux-2.6.32.49/drivers/gpu/drm/ttm/ttm_bo.c linux-2.6.32.49/drivers/gpu/drm/ttm/ttm_bo.c
31984 --- linux-2.6.32.49/drivers/gpu/drm/ttm/ttm_bo.c 2011-11-08 19:02:43.000000000 -0500
31985 +++ linux-2.6.32.49/drivers/gpu/drm/ttm/ttm_bo.c 2011-11-15 19:59:43.000000000 -0500
31986 @@ -67,7 +67,7 @@ static struct attribute *ttm_bo_global_a
31987 NULL
31988 };
31989
31990 -static struct sysfs_ops ttm_bo_global_ops = {
31991 +static const struct sysfs_ops ttm_bo_global_ops = {
31992 .show = &ttm_bo_global_show
31993 };
31994
31995 diff -urNp linux-2.6.32.49/drivers/gpu/drm/ttm/ttm_bo_vm.c linux-2.6.32.49/drivers/gpu/drm/ttm/ttm_bo_vm.c
31996 --- linux-2.6.32.49/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-11-08 19:02:43.000000000 -0500
31997 +++ linux-2.6.32.49/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-11-15 19:59:43.000000000 -0500
31998 @@ -73,7 +73,7 @@ static int ttm_bo_vm_fault(struct vm_are
31999 {
32000 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)
32001 vma->vm_private_data;
32002 - struct ttm_bo_device *bdev = bo->bdev;
32003 + struct ttm_bo_device *bdev;
32004 unsigned long bus_base;
32005 unsigned long bus_offset;
32006 unsigned long bus_size;
32007 @@ -88,6 +88,10 @@ static int ttm_bo_vm_fault(struct vm_are
32008 unsigned long address = (unsigned long)vmf->virtual_address;
32009 int retval = VM_FAULT_NOPAGE;
32010
32011 + if (!bo)
32012 + return VM_FAULT_NOPAGE;
32013 + bdev = bo->bdev;
32014 +
32015 /*
32016 * Work around locking order reversal in fault / nopfn
32017 * between mmap_sem and bo_reserve: Perform a trylock operation
32018 diff -urNp linux-2.6.32.49/drivers/gpu/drm/ttm/ttm_global.c linux-2.6.32.49/drivers/gpu/drm/ttm/ttm_global.c
32019 --- linux-2.6.32.49/drivers/gpu/drm/ttm/ttm_global.c 2011-11-08 19:02:43.000000000 -0500
32020 +++ linux-2.6.32.49/drivers/gpu/drm/ttm/ttm_global.c 2011-11-15 19:59:43.000000000 -0500
32021 @@ -36,7 +36,7 @@
32022 struct ttm_global_item {
32023 struct mutex mutex;
32024 void *object;
32025 - int refcount;
32026 + atomic_t refcount;
32027 };
32028
32029 static struct ttm_global_item glob[TTM_GLOBAL_NUM];
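Review bot: `refcount` becomes an `atomic_t` without a comment, although every access in the later hunks still happens under `item->mutex`, so atomicity itself is not what the change buys. Presumably the aim is to route this reference count through the overflow-checked atomic operations, as opposed to the `_unchecked` variants used for plain counters elsewhere in the patch. I would document that at the field: `atomic_t refcount; /* serialised by mutex; atomic_t for overflow detection */`.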
32030 @@ -49,7 +49,7 @@ void ttm_global_init(void)
32031 struct ttm_global_item *item = &glob[i];
32032 mutex_init(&item->mutex);
32033 item->object = NULL;
32034 - item->refcount = 0;
32035 + atomic_set(&item->refcount, 0);
32036 }
32037 }
32038
32039 @@ -59,7 +59,7 @@ void ttm_global_release(void)
32040 for (i = 0; i < TTM_GLOBAL_NUM; ++i) {
32041 struct ttm_global_item *item = &glob[i];
32042 BUG_ON(item->object != NULL);
32043 - BUG_ON(item->refcount != 0);
32044 + BUG_ON(atomic_read(&item->refcount) != 0);
32045 }
32046 }
32047
32048 @@ -70,7 +70,7 @@ int ttm_global_item_ref(struct ttm_globa
32049 void *object;
32050
32051 mutex_lock(&item->mutex);
32052 - if (item->refcount == 0) {
32053 + if (atomic_read(&item->refcount) == 0) {
32054 item->object = kzalloc(ref->size, GFP_KERNEL);
32055 if (unlikely(item->object == NULL)) {
32056 ret = -ENOMEM;
32057 @@ -83,7 +83,7 @@ int ttm_global_item_ref(struct ttm_globa
32058 goto out_err;
32059
32060 }
32061 - ++item->refcount;
32062 + atomic_inc(&item->refcount);
32063 ref->object = item->object;
32064 object = item->object;
32065 mutex_unlock(&item->mutex);
32066 @@ -100,9 +100,9 @@ void ttm_global_item_unref(struct ttm_gl
32067 struct ttm_global_item *item = &glob[ref->global_type];
32068
32069 mutex_lock(&item->mutex);
32070 - BUG_ON(item->refcount == 0);
32071 + BUG_ON(atomic_read(&item->refcount) == 0);
32072 BUG_ON(ref->object != item->object);
32073 - if (--item->refcount == 0) {
32074 + if (atomic_dec_and_test(&item->refcount)) {
32075 ref->release(ref);
32076 item->object = NULL;
32077 }
32078 diff -urNp linux-2.6.32.49/drivers/gpu/drm/ttm/ttm_memory.c linux-2.6.32.49/drivers/gpu/drm/ttm/ttm_memory.c
32079 --- linux-2.6.32.49/drivers/gpu/drm/ttm/ttm_memory.c 2011-11-08 19:02:43.000000000 -0500
32080 +++ linux-2.6.32.49/drivers/gpu/drm/ttm/ttm_memory.c 2011-11-15 19:59:43.000000000 -0500
32081 @@ -152,7 +152,7 @@ static struct attribute *ttm_mem_zone_at
32082 NULL
32083 };
32084
32085 -static struct sysfs_ops ttm_mem_zone_ops = {
32086 +static const struct sysfs_ops ttm_mem_zone_ops = {
32087 .show = &ttm_mem_zone_show,
32088 .store = &ttm_mem_zone_store
32089 };
32090 diff -urNp linux-2.6.32.49/drivers/gpu/drm/via/via_drv.h linux-2.6.32.49/drivers/gpu/drm/via/via_drv.h
32091 --- linux-2.6.32.49/drivers/gpu/drm/via/via_drv.h 2011-11-08 19:02:43.000000000 -0500
32092 +++ linux-2.6.32.49/drivers/gpu/drm/via/via_drv.h 2011-11-15 19:59:43.000000000 -0500
32093 @@ -51,7 +51,7 @@ typedef struct drm_via_ring_buffer {
32094 typedef uint32_t maskarray_t[5];
32095
32096 typedef struct drm_via_irq {
32097 - atomic_t irq_received;
32098 + atomic_unchecked_t irq_received;
32099 uint32_t pending_mask;
32100 uint32_t enable_mask;
32101 wait_queue_head_t irq_queue;
32102 @@ -75,7 +75,7 @@ typedef struct drm_via_private {
32103 struct timeval last_vblank;
32104 int last_vblank_valid;
32105 unsigned usec_per_vblank;
32106 - atomic_t vbl_received;
32107 + atomic_unchecked_t vbl_received;
32108 drm_via_state_t hc_state;
32109 char pci_buf[VIA_PCI_BUF_SIZE];
32110 const uint32_t *fire_offsets[VIA_FIRE_BUF_SIZE];
32111 diff -urNp linux-2.6.32.49/drivers/gpu/drm/via/via_irq.c linux-2.6.32.49/drivers/gpu/drm/via/via_irq.c
32112 --- linux-2.6.32.49/drivers/gpu/drm/via/via_irq.c 2011-11-08 19:02:43.000000000 -0500
32113 +++ linux-2.6.32.49/drivers/gpu/drm/via/via_irq.c 2011-11-15 19:59:43.000000000 -0500
32114 @@ -102,7 +102,7 @@ u32 via_get_vblank_counter(struct drm_de
32115 if (crtc != 0)
32116 return 0;
32117
32118 - return atomic_read(&dev_priv->vbl_received);
32119 + return atomic_read_unchecked(&dev_priv->vbl_received);
32120 }
32121
32122 irqreturn_t via_driver_irq_handler(DRM_IRQ_ARGS)
32123 @@ -117,8 +117,8 @@ irqreturn_t via_driver_irq_handler(DRM_I
32124
32125 status = VIA_READ(VIA_REG_INTERRUPT);
32126 if (status & VIA_IRQ_VBLANK_PENDING) {
32127 - atomic_inc(&dev_priv->vbl_received);
32128 - if (!(atomic_read(&dev_priv->vbl_received) & 0x0F)) {
32129 + atomic_inc_unchecked(&dev_priv->vbl_received);
32130 + if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0x0F)) {
32131 do_gettimeofday(&cur_vblank);
32132 if (dev_priv->last_vblank_valid) {
32133 dev_priv->usec_per_vblank =
32134 @@ -128,7 +128,7 @@ irqreturn_t via_driver_irq_handler(DRM_I
32135 dev_priv->last_vblank = cur_vblank;
32136 dev_priv->last_vblank_valid = 1;
32137 }
32138 - if (!(atomic_read(&dev_priv->vbl_received) & 0xFF)) {
32139 + if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0xFF)) {
32140 DRM_DEBUG("US per vblank is: %u\n",
32141 dev_priv->usec_per_vblank);
32142 }
32143 @@ -138,7 +138,7 @@ irqreturn_t via_driver_irq_handler(DRM_I
32144
32145 for (i = 0; i < dev_priv->num_irqs; ++i) {
32146 if (status & cur_irq->pending_mask) {
32147 - atomic_inc(&cur_irq->irq_received);
32148 + atomic_inc_unchecked(&cur_irq->irq_received);
32149 DRM_WAKEUP(&cur_irq->irq_queue);
32150 handled = 1;
32151 if (dev_priv->irq_map[drm_via_irq_dma0_td] == i) {
32152 @@ -244,11 +244,11 @@ via_driver_irq_wait(struct drm_device *
32153 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * DRM_HZ,
32154 ((VIA_READ(masks[irq][2]) & masks[irq][3]) ==
32155 masks[irq][4]));
32156 - cur_irq_sequence = atomic_read(&cur_irq->irq_received);
32157 + cur_irq_sequence = atomic_read_unchecked(&cur_irq->irq_received);
32158 } else {
32159 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * DRM_HZ,
32160 (((cur_irq_sequence =
32161 - atomic_read(&cur_irq->irq_received)) -
32162 + atomic_read_unchecked(&cur_irq->irq_received)) -
32163 *sequence) <= (1 << 23)));
32164 }
32165 *sequence = cur_irq_sequence;
32166 @@ -286,7 +286,7 @@ void via_driver_irq_preinstall(struct dr
32167 }
32168
32169 for (i = 0; i < dev_priv->num_irqs; ++i) {
32170 - atomic_set(&cur_irq->irq_received, 0);
32171 + atomic_set_unchecked(&cur_irq->irq_received, 0);
32172 cur_irq->enable_mask = dev_priv->irq_masks[i][0];
32173 cur_irq->pending_mask = dev_priv->irq_masks[i][1];
32174 DRM_INIT_WAITQUEUE(&cur_irq->irq_queue);
32175 @@ -368,7 +368,7 @@ int via_wait_irq(struct drm_device *dev,
32176 switch (irqwait->request.type & ~VIA_IRQ_FLAGS_MASK) {
32177 case VIA_IRQ_RELATIVE:
32178 irqwait->request.sequence +=
32179 - atomic_read(&cur_irq->irq_received);
32180 + atomic_read_unchecked(&cur_irq->irq_received);
32181 irqwait->request.type &= ~_DRM_VBLANK_RELATIVE;
32182 case VIA_IRQ_ABSOLUTE:
32183 break;
32184 diff -urNp linux-2.6.32.49/drivers/hid/hid-core.c linux-2.6.32.49/drivers/hid/hid-core.c
32185 --- linux-2.6.32.49/drivers/hid/hid-core.c 2011-11-08 19:02:43.000000000 -0500
32186 +++ linux-2.6.32.49/drivers/hid/hid-core.c 2011-11-15 19:59:43.000000000 -0500
32187 @@ -1752,7 +1752,7 @@ static bool hid_ignore(struct hid_device
32188
32189 int hid_add_device(struct hid_device *hdev)
32190 {
32191 - static atomic_t id = ATOMIC_INIT(0);
32192 + static atomic_unchecked_t id = ATOMIC_INIT(0);
32193 int ret;
32194
32195 if (WARN_ON(hdev->status & HID_STAT_ADDED))
32196 @@ -1766,7 +1766,7 @@ int hid_add_device(struct hid_device *hd
32197 /* XXX hack, any other cleaner solution after the driver core
32198 * is converted to allow more than 20 bytes as the device name? */
32199 dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
32200 - hdev->vendor, hdev->product, atomic_inc_return(&id));
32201 + hdev->vendor, hdev->product, atomic_inc_return_unchecked(&id));
32202
32203 ret = device_add(&hdev->dev);
32204 if (!ret)
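Review bot: `atomic_inc_return_unchecked(&id)` feeds a `%04X` conversion, which is a minimum width, so once the counter passes 0xFFFF the last field grows to five or more hex digits and the name no longer fits the 20 bytes the XXX comment refers to. It is worth confirming that dev_set_name() allocates the name in this kernel version rather than writing into a fixed buffer; if it does, the XXX comment is stale and could say so. Marking the counter unchecked also means it may wrap and produce a name that is already in use, so a comment on the declaration in the previous hunk should state whether that is acceptable, for example `/* id is only a name suffix, not a reference count */`. hid_add_device continues outside the hunk.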
32205 diff -urNp linux-2.6.32.49/drivers/hid/usbhid/hiddev.c linux-2.6.32.49/drivers/hid/usbhid/hiddev.c
32206 --- linux-2.6.32.49/drivers/hid/usbhid/hiddev.c 2011-11-08 19:02:43.000000000 -0500
32207 +++ linux-2.6.32.49/drivers/hid/usbhid/hiddev.c 2011-11-15 19:59:43.000000000 -0500
32208 @@ -617,7 +617,7 @@ static long hiddev_ioctl(struct file *fi
32209 return put_user(HID_VERSION, (int __user *)arg);
32210
32211 case HIDIOCAPPLICATION:
32212 - if (arg < 0 || arg >= hid->maxapplication)
32213 + if (arg >= hid->maxapplication)
32214 return -EINVAL;
32215
32216 for (i = 0; i < hid->maxcollection; i++)
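Review bot: With `arg < 0` dropped, `arg >= hid->maxapplication` is the only bounds check on the HIDIOCAPPLICATION index, and its correctness depends on `arg` being unsigned, which the truncated hunk header does not show. Assuming it is the ioctl's `unsigned long` argument, the removed test was always false and the change is right; a comment such as `/* arg is unsigned: the upper bound is the only check needed */` would guard against a later change of type silently reopening the negative case. It is also worth confirming that `hid->maxapplication` is an unsigned type, so the comparison is not affected by integer conversion. hiddev_ioctl starts and ends outside the hunk.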
32217 diff -urNp linux-2.6.32.49/drivers/hwmon/lis3lv02d.c linux-2.6.32.49/drivers/hwmon/lis3lv02d.c
32218 --- linux-2.6.32.49/drivers/hwmon/lis3lv02d.c 2011-11-08 19:02:43.000000000 -0500
32219 +++ linux-2.6.32.49/drivers/hwmon/lis3lv02d.c 2011-11-15 19:59:43.000000000 -0500
32220 @@ -146,7 +146,7 @@ static irqreturn_t lis302dl_interrupt(in
32221 * the lid is closed. This leads to interrupts as soon as a little move
32222 * is done.
32223 */
32224 - atomic_inc(&lis3_dev.count);
32225 + atomic_inc_unchecked(&lis3_dev.count);
32226
32227 wake_up_interruptible(&lis3_dev.misc_wait);
32228 kill_fasync(&lis3_dev.async_queue, SIGIO, POLL_IN);
32229 @@ -160,7 +160,7 @@ static int lis3lv02d_misc_open(struct in
32230 if (test_and_set_bit(0, &lis3_dev.misc_opened))
32231 return -EBUSY; /* already open */
32232
32233 - atomic_set(&lis3_dev.count, 0);
32234 + atomic_set_unchecked(&lis3_dev.count, 0);
32235
32236 /*
32237 * The sensor can generate interrupts for free-fall and direction
32238 @@ -206,7 +206,7 @@ static ssize_t lis3lv02d_misc_read(struc
32239 add_wait_queue(&lis3_dev.misc_wait, &wait);
32240 while (true) {
32241 set_current_state(TASK_INTERRUPTIBLE);
32242 - data = atomic_xchg(&lis3_dev.count, 0);
32243 + data = atomic_xchg_unchecked(&lis3_dev.count, 0);
32244 if (data)
32245 break;
32246
32247 @@ -244,7 +244,7 @@ out:
32248 static unsigned int lis3lv02d_misc_poll(struct file *file, poll_table *wait)
32249 {
32250 poll_wait(file, &lis3_dev.misc_wait, wait);
32251 - if (atomic_read(&lis3_dev.count))
32252 + if (atomic_read_unchecked(&lis3_dev.count))
32253 return POLLIN | POLLRDNORM;
32254 return 0;
32255 }
32256 diff -urNp linux-2.6.32.49/drivers/hwmon/lis3lv02d.h linux-2.6.32.49/drivers/hwmon/lis3lv02d.h
32257 --- linux-2.6.32.49/drivers/hwmon/lis3lv02d.h 2011-11-08 19:02:43.000000000 -0500
32258 +++ linux-2.6.32.49/drivers/hwmon/lis3lv02d.h 2011-11-15 19:59:43.000000000 -0500
32259 @@ -201,7 +201,7 @@ struct lis3lv02d {
32260
32261 struct input_polled_dev *idev; /* input device */
32262 struct platform_device *pdev; /* platform device */
32263 - atomic_t count; /* interrupt count after last read */
32264 + atomic_unchecked_t count; /* interrupt count after last read */
32265 int xcalib; /* calibrated null value for x */
32266 int ycalib; /* calibrated null value for y */
32267 int zcalib; /* calibrated null value for z */
32268 diff -urNp linux-2.6.32.49/drivers/hwmon/sht15.c linux-2.6.32.49/drivers/hwmon/sht15.c
32269 --- linux-2.6.32.49/drivers/hwmon/sht15.c 2011-11-08 19:02:43.000000000 -0500
32270 +++ linux-2.6.32.49/drivers/hwmon/sht15.c 2011-11-15 19:59:43.000000000 -0500
32271 @@ -112,7 +112,7 @@ struct sht15_data {
32272 int supply_uV;
32273 int supply_uV_valid;
32274 struct work_struct update_supply_work;
32275 - atomic_t interrupt_handled;
32276 + atomic_unchecked_t interrupt_handled;
32277 };
32278
32279 /**
32280 @@ -245,13 +245,13 @@ static inline int sht15_update_single_va
32281 return ret;
32282
32283 gpio_direction_input(data->pdata->gpio_data);
32284 - atomic_set(&data->interrupt_handled, 0);
32285 + atomic_set_unchecked(&data->interrupt_handled, 0);
32286
32287 enable_irq(gpio_to_irq(data->pdata->gpio_data));
32288 if (gpio_get_value(data->pdata->gpio_data) == 0) {
32289 disable_irq_nosync(gpio_to_irq(data->pdata->gpio_data));
32290 /* Only relevant if the interrupt hasn't occured. */
32291 - if (!atomic_read(&data->interrupt_handled))
32292 + if (!atomic_read_unchecked(&data->interrupt_handled))
32293 schedule_work(&data->read_work);
32294 }
32295 ret = wait_event_timeout(data->wait_queue,
32296 @@ -398,7 +398,7 @@ static irqreturn_t sht15_interrupt_fired
32297 struct sht15_data *data = d;
32298 /* First disable the interrupt */
32299 disable_irq_nosync(irq);
32300 - atomic_inc(&data->interrupt_handled);
32301 + atomic_inc_unchecked(&data->interrupt_handled);
32302 /* Then schedule a reading work struct */
32303 if (data->flag != SHT15_READING_NOTHING)
32304 schedule_work(&data->read_work);
32305 @@ -449,11 +449,11 @@ static void sht15_bh_read_data(struct wo
32306 here as could have gone low in meantime so verify
32307 it hasn't!
32308 */
32309 - atomic_set(&data->interrupt_handled, 0);
32310 + atomic_set_unchecked(&data->interrupt_handled, 0);
32311 enable_irq(gpio_to_irq(data->pdata->gpio_data));
32312 /* If still not occured or another handler has been scheduled */
32313 if (gpio_get_value(data->pdata->gpio_data)
32314 - || atomic_read(&data->interrupt_handled))
32315 + || atomic_read_unchecked(&data->interrupt_handled))
32316 return;
32317 }
32318 /* Read the data back from the device */
32319 diff -urNp linux-2.6.32.49/drivers/hwmon/w83791d.c linux-2.6.32.49/drivers/hwmon/w83791d.c
32320 --- linux-2.6.32.49/drivers/hwmon/w83791d.c 2011-11-08 19:02:43.000000000 -0500
32321 +++ linux-2.6.32.49/drivers/hwmon/w83791d.c 2011-11-15 19:59:43.000000000 -0500
32322 @@ -330,8 +330,8 @@ static int w83791d_detect(struct i2c_cli
32323 struct i2c_board_info *info);
32324 static int w83791d_remove(struct i2c_client *client);
32325
32326 -static int w83791d_read(struct i2c_client *client, u8 register);
32327 -static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
32328 +static int w83791d_read(struct i2c_client *client, u8 reg);
32329 +static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
32330 static struct w83791d_data *w83791d_update_device(struct device *dev);
32331
32332 #ifdef DEBUG
32333 diff -urNp linux-2.6.32.49/drivers/i2c/busses/i2c-amd756-s4882.c linux-2.6.32.49/drivers/i2c/busses/i2c-amd756-s4882.c
32334 --- linux-2.6.32.49/drivers/i2c/busses/i2c-amd756-s4882.c 2011-11-08 19:02:43.000000000 -0500
32335 +++ linux-2.6.32.49/drivers/i2c/busses/i2c-amd756-s4882.c 2011-11-15 19:59:43.000000000 -0500
32336 @@ -43,7 +43,7 @@
32337 extern struct i2c_adapter amd756_smbus;
32338
32339 static struct i2c_adapter *s4882_adapter;
32340 -static struct i2c_algorithm *s4882_algo;
32341 +static i2c_algorithm_no_const *s4882_algo;
32342
32343 /* Wrapper access functions for multiplexed SMBus */
32344 static DEFINE_MUTEX(amd756_lock);
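Review bot: `s4882_algo` changes from `struct i2c_algorithm *` to the typedef `i2c_algorithm_no_const *`, which hides that it is a struct pointer and gives no hint why this one object must stay writable. A comment such as `/* private, writable copy of the SMBus algorithm; filled in at init */` would help, assuming the driver does populate it at runtime, which this hunk does not show. The same applies to `s4985_algo` in the i2c-nforce2-s4985.c hunk that follows.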
32345 diff -urNp linux-2.6.32.49/drivers/i2c/busses/i2c-nforce2-s4985.c linux-2.6.32.49/drivers/i2c/busses/i2c-nforce2-s4985.c
32346 --- linux-2.6.32.49/drivers/i2c/busses/i2c-nforce2-s4985.c 2011-11-08 19:02:43.000000000 -0500
32347 +++ linux-2.6.32.49/drivers/i2c/busses/i2c-nforce2-s4985.c 2011-11-15 19:59:43.000000000 -0500
32348 @@ -41,7 +41,7 @@
32349 extern struct i2c_adapter *nforce2_smbus;
32350
32351 static struct i2c_adapter *s4985_adapter;
32352 -static struct i2c_algorithm *s4985_algo;
32353 +static i2c_algorithm_no_const *s4985_algo;
32354
32355 /* Wrapper access functions for multiplexed SMBus */
32356 static DEFINE_MUTEX(nforce2_lock);
32357 diff -urNp linux-2.6.32.49/drivers/ide/aec62xx.c linux-2.6.32.49/drivers/ide/aec62xx.c
32358 --- linux-2.6.32.49/drivers/ide/aec62xx.c 2011-11-08 19:02:43.000000000 -0500
32359 +++ linux-2.6.32.49/drivers/ide/aec62xx.c 2011-11-18 18:01:55.000000000 -0500
32360 @@ -180,7 +180,7 @@ static const struct ide_port_ops atp86x_
32361 .cable_detect = atp86x_cable_detect,
32362 };
32363
32364 -static const struct ide_port_info aec62xx_chipsets[] __devinitdata = {
32365 +static const struct ide_port_info aec62xx_chipsets[] __devinitconst = {
32366 { /* 0: AEC6210 */
32367 .name = DRV_NAME,
32368 .init_chipset = init_chipset_aec62xx,
32369 diff -urNp linux-2.6.32.49/drivers/ide/alim15x3.c linux-2.6.32.49/drivers/ide/alim15x3.c
32370 --- linux-2.6.32.49/drivers/ide/alim15x3.c 2011-11-08 19:02:43.000000000 -0500
32371 +++ linux-2.6.32.49/drivers/ide/alim15x3.c 2011-11-18 18:01:55.000000000 -0500
32372 @@ -509,7 +509,7 @@ static const struct ide_dma_ops ali_dma_
32373 .dma_sff_read_status = ide_dma_sff_read_status,
32374 };
32375
32376 -static const struct ide_port_info ali15x3_chipset __devinitdata = {
32377 +static const struct ide_port_info ali15x3_chipset __devinitconst = {
32378 .name = DRV_NAME,
32379 .init_chipset = init_chipset_ali15x3,
32380 .init_hwif = init_hwif_ali15x3,
32381 diff -urNp linux-2.6.32.49/drivers/ide/amd74xx.c linux-2.6.32.49/drivers/ide/amd74xx.c
32382 --- linux-2.6.32.49/drivers/ide/amd74xx.c 2011-11-08 19:02:43.000000000 -0500
32383 +++ linux-2.6.32.49/drivers/ide/amd74xx.c 2011-11-18 18:01:55.000000000 -0500
32384 @@ -221,7 +221,7 @@ static const struct ide_port_ops amd_por
32385 .udma_mask = udma, \
32386 }
32387
32388 -static const struct ide_port_info amd74xx_chipsets[] __devinitdata = {
32389 +static const struct ide_port_info amd74xx_chipsets[] __devinitconst = {
32390 /* 0: AMD7401 */ DECLARE_AMD_DEV(0x00, ATA_UDMA2),
32391 /* 1: AMD7409 */ DECLARE_AMD_DEV(ATA_SWDMA2, ATA_UDMA4),
32392 /* 2: AMD7411/7441 */ DECLARE_AMD_DEV(ATA_SWDMA2, ATA_UDMA5),
32393 diff -urNp linux-2.6.32.49/drivers/ide/atiixp.c linux-2.6.32.49/drivers/ide/atiixp.c
32394 --- linux-2.6.32.49/drivers/ide/atiixp.c 2011-11-08 19:02:43.000000000 -0500
32395 +++ linux-2.6.32.49/drivers/ide/atiixp.c 2011-11-18 18:01:55.000000000 -0500
32396 @@ -137,7 +137,7 @@ static const struct ide_port_ops atiixp_
32397 .cable_detect = atiixp_cable_detect,
32398 };
32399
32400 -static const struct ide_port_info atiixp_pci_info[] __devinitdata = {
32401 +static const struct ide_port_info atiixp_pci_info[] __devinitconst = {
32402 { /* 0: IXP200/300/400/700 */
32403 .name = DRV_NAME,
32404 .enablebits = {{0x48,0x01,0x00}, {0x48,0x08,0x00}},
32405 diff -urNp linux-2.6.32.49/drivers/ide/cmd64x.c linux-2.6.32.49/drivers/ide/cmd64x.c
32406 --- linux-2.6.32.49/drivers/ide/cmd64x.c 2011-11-08 19:02:43.000000000 -0500
32407 +++ linux-2.6.32.49/drivers/ide/cmd64x.c 2011-11-18 18:01:55.000000000 -0500
32408 @@ -372,7 +372,7 @@ static const struct ide_dma_ops cmd646_r
32409 .dma_sff_read_status = ide_dma_sff_read_status,
32410 };
32411
32412 -static const struct ide_port_info cmd64x_chipsets[] __devinitdata = {
32413 +static const struct ide_port_info cmd64x_chipsets[] __devinitconst = {
32414 { /* 0: CMD643 */
32415 .name = DRV_NAME,
32416 .init_chipset = init_chipset_cmd64x,
32417 diff -urNp linux-2.6.32.49/drivers/ide/cs5520.c linux-2.6.32.49/drivers/ide/cs5520.c
32418 --- linux-2.6.32.49/drivers/ide/cs5520.c 2011-11-08 19:02:43.000000000 -0500
32419 +++ linux-2.6.32.49/drivers/ide/cs5520.c 2011-11-18 18:01:55.000000000 -0500
32420 @@ -93,7 +93,7 @@ static const struct ide_port_ops cs5520_
32421 .set_dma_mode = cs5520_set_dma_mode,
32422 };
32423
32424 -static const struct ide_port_info cyrix_chipset __devinitdata = {
32425 +static const struct ide_port_info cyrix_chipset __devinitconst = {
32426 .name = DRV_NAME,
32427 .enablebits = { { 0x60, 0x01, 0x01 }, { 0x60, 0x02, 0x02 } },
32428 .port_ops = &cs5520_port_ops,
32429 diff -urNp linux-2.6.32.49/drivers/ide/cs5530.c linux-2.6.32.49/drivers/ide/cs5530.c
32430 --- linux-2.6.32.49/drivers/ide/cs5530.c 2011-11-08 19:02:43.000000000 -0500
32431 +++ linux-2.6.32.49/drivers/ide/cs5530.c 2011-11-18 18:01:55.000000000 -0500
32432 @@ -244,7 +244,7 @@ static const struct ide_port_ops cs5530_
32433 .udma_filter = cs5530_udma_filter,
32434 };
32435
32436 -static const struct ide_port_info cs5530_chipset __devinitdata = {
32437 +static const struct ide_port_info cs5530_chipset __devinitconst = {
32438 .name = DRV_NAME,
32439 .init_chipset = init_chipset_cs5530,
32440 .init_hwif = init_hwif_cs5530,
32441 diff -urNp linux-2.6.32.49/drivers/ide/cs5535.c linux-2.6.32.49/drivers/ide/cs5535.c
32442 --- linux-2.6.32.49/drivers/ide/cs5535.c 2011-11-08 19:02:43.000000000 -0500
32443 +++ linux-2.6.32.49/drivers/ide/cs5535.c 2011-11-18 18:01:55.000000000 -0500
32444 @@ -170,7 +170,7 @@ static const struct ide_port_ops cs5535_
32445 .cable_detect = cs5535_cable_detect,
32446 };
32447
32448 -static const struct ide_port_info cs5535_chipset __devinitdata = {
32449 +static const struct ide_port_info cs5535_chipset __devinitconst = {
32450 .name = DRV_NAME,
32451 .port_ops = &cs5535_port_ops,
32452 .host_flags = IDE_HFLAG_SINGLE | IDE_HFLAG_POST_SET_MODE,
32453 diff -urNp linux-2.6.32.49/drivers/ide/cy82c693.c linux-2.6.32.49/drivers/ide/cy82c693.c
32454 --- linux-2.6.32.49/drivers/ide/cy82c693.c 2011-11-08 19:02:43.000000000 -0500
32455 +++ linux-2.6.32.49/drivers/ide/cy82c693.c 2011-11-18 18:01:55.000000000 -0500
32456 @@ -288,7 +288,7 @@ static const struct ide_port_ops cy82c69
32457 .set_dma_mode = cy82c693_set_dma_mode,
32458 };
32459
32460 -static const struct ide_port_info cy82c693_chipset __devinitdata = {
32461 +static const struct ide_port_info cy82c693_chipset __devinitconst = {
32462 .name = DRV_NAME,
32463 .init_iops = init_iops_cy82c693,
32464 .port_ops = &cy82c693_port_ops,
32465 diff -urNp linux-2.6.32.49/drivers/ide/hpt366.c linux-2.6.32.49/drivers/ide/hpt366.c
32466 --- linux-2.6.32.49/drivers/ide/hpt366.c 2011-11-08 19:02:43.000000000 -0500
32467 +++ linux-2.6.32.49/drivers/ide/hpt366.c 2011-11-18 18:01:55.000000000 -0500
32468 @@ -507,7 +507,7 @@ static struct hpt_timings hpt37x_timings
32469 }
32470 };
32471
32472 -static const struct hpt_info hpt36x __devinitdata = {
32473 +static const struct hpt_info hpt36x __devinitconst = {
32474 .chip_name = "HPT36x",
32475 .chip_type = HPT36x,
32476 .udma_mask = HPT366_ALLOW_ATA66_3 ? (HPT366_ALLOW_ATA66_4 ? ATA_UDMA4 : ATA_UDMA3) : ATA_UDMA2,
32477 @@ -515,7 +515,7 @@ static const struct hpt_info hpt36x __de
32478 .timings = &hpt36x_timings
32479 };
32480
32481 -static const struct hpt_info hpt370 __devinitdata = {
32482 +static const struct hpt_info hpt370 __devinitconst = {
32483 .chip_name = "HPT370",
32484 .chip_type = HPT370,
32485 .udma_mask = HPT370_ALLOW_ATA100_5 ? ATA_UDMA5 : ATA_UDMA4,
32486 @@ -523,7 +523,7 @@ static const struct hpt_info hpt370 __de
32487 .timings = &hpt37x_timings
32488 };
32489
32490 -static const struct hpt_info hpt370a __devinitdata = {
32491 +static const struct hpt_info hpt370a __devinitconst = {
32492 .chip_name = "HPT370A",
32493 .chip_type = HPT370A,
32494 .udma_mask = HPT370_ALLOW_ATA100_5 ? ATA_UDMA5 : ATA_UDMA4,
32495 @@ -531,7 +531,7 @@ static const struct hpt_info hpt370a __d
32496 .timings = &hpt37x_timings
32497 };
32498
32499 -static const struct hpt_info hpt374 __devinitdata = {
32500 +static const struct hpt_info hpt374 __devinitconst = {
32501 .chip_name = "HPT374",
32502 .chip_type = HPT374,
32503 .udma_mask = ATA_UDMA5,
32504 @@ -539,7 +539,7 @@ static const struct hpt_info hpt374 __de
32505 .timings = &hpt37x_timings
32506 };
32507
32508 -static const struct hpt_info hpt372 __devinitdata = {
32509 +static const struct hpt_info hpt372 __devinitconst = {
32510 .chip_name = "HPT372",
32511 .chip_type = HPT372,
32512 .udma_mask = HPT372_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
32513 @@ -547,7 +547,7 @@ static const struct hpt_info hpt372 __de
32514 .timings = &hpt37x_timings
32515 };
32516
32517 -static const struct hpt_info hpt372a __devinitdata = {
32518 +static const struct hpt_info hpt372a __devinitconst = {
32519 .chip_name = "HPT372A",
32520 .chip_type = HPT372A,
32521 .udma_mask = HPT372_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
32522 @@ -555,7 +555,7 @@ static const struct hpt_info hpt372a __d
32523 .timings = &hpt37x_timings
32524 };
32525
32526 -static const struct hpt_info hpt302 __devinitdata = {
32527 +static const struct hpt_info hpt302 __devinitconst = {
32528 .chip_name = "HPT302",
32529 .chip_type = HPT302,
32530 .udma_mask = HPT302_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
32531 @@ -563,7 +563,7 @@ static const struct hpt_info hpt302 __de
32532 .timings = &hpt37x_timings
32533 };
32534
32535 -static const struct hpt_info hpt371 __devinitdata = {
32536 +static const struct hpt_info hpt371 __devinitconst = {
32537 .chip_name = "HPT371",
32538 .chip_type = HPT371,
32539 .udma_mask = HPT371_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
32540 @@ -571,7 +571,7 @@ static const struct hpt_info hpt371 __de
32541 .timings = &hpt37x_timings
32542 };
32543
32544 -static const struct hpt_info hpt372n __devinitdata = {
32545 +static const struct hpt_info hpt372n __devinitconst = {
32546 .chip_name = "HPT372N",
32547 .chip_type = HPT372N,
32548 .udma_mask = HPT372_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
32549 @@ -579,7 +579,7 @@ static const struct hpt_info hpt372n __d
32550 .timings = &hpt37x_timings
32551 };
32552
32553 -static const struct hpt_info hpt302n __devinitdata = {
32554 +static const struct hpt_info hpt302n __devinitconst = {
32555 .chip_name = "HPT302N",
32556 .chip_type = HPT302N,
32557 .udma_mask = HPT302_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
32558 @@ -587,7 +587,7 @@ static const struct hpt_info hpt302n __d
32559 .timings = &hpt37x_timings
32560 };
32561
32562 -static const struct hpt_info hpt371n __devinitdata = {
32563 +static const struct hpt_info hpt371n __devinitconst = {
32564 .chip_name = "HPT371N",
32565 .chip_type = HPT371N,
32566 .udma_mask = HPT371_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
32567 @@ -1422,7 +1422,7 @@ static const struct ide_dma_ops hpt36x_d
32568 .dma_sff_read_status = ide_dma_sff_read_status,
32569 };
32570
32571 -static const struct ide_port_info hpt366_chipsets[] __devinitdata = {
32572 +static const struct ide_port_info hpt366_chipsets[] __devinitconst = {
32573 { /* 0: HPT36x */
32574 .name = DRV_NAME,
32575 .init_chipset = init_chipset_hpt366,
32576 diff -urNp linux-2.6.32.49/drivers/ide/ide-cd.c linux-2.6.32.49/drivers/ide/ide-cd.c
32577 --- linux-2.6.32.49/drivers/ide/ide-cd.c 2011-11-08 19:02:43.000000000 -0500
32578 +++ linux-2.6.32.49/drivers/ide/ide-cd.c 2011-11-15 19:59:43.000000000 -0500
32579 @@ -774,7 +774,7 @@ static void cdrom_do_block_pc(ide_drive_
32580 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
32581 if ((unsigned long)buf & alignment
32582 || blk_rq_bytes(rq) & q->dma_pad_mask
32583 - || object_is_on_stack(buf))
32584 + || object_starts_on_stack(buf))
32585 drive->dma = 0;
32586 }
32587 }
32588 diff -urNp linux-2.6.32.49/drivers/ide/ide-floppy.c linux-2.6.32.49/drivers/ide/ide-floppy.c
32589 --- linux-2.6.32.49/drivers/ide/ide-floppy.c 2011-11-08 19:02:43.000000000 -0500
32590 +++ linux-2.6.32.49/drivers/ide/ide-floppy.c 2011-11-15 19:59:43.000000000 -0500
32591 @@ -373,6 +373,8 @@ static int ide_floppy_get_capacity(ide_d
32592 u8 pc_buf[256], header_len, desc_cnt;
32593 int i, rc = 1, blocks, length;
32594
32595 + pax_track_stack();
32596 +
32597 ide_debug_log(IDE_DBG_FUNC, "enter");
32598
32599 drive->bios_cyl = 0;
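Review bot: The `pax_track_stack();` call added to ide_floppy_get_capacity carries no comment, so nothing says which local makes it necessary or when it could be dropped. I would add `/* pc_buf[256] is a large stack object: let PaX record how deep the stack goes here */` above it; the helper's definition is not part of this hunk, so the wording should be checked against it. The same applies to the call added to ide_pci_init_two in setup-pci.c, where the large local appears to be `struct ide_hw hw[4]`. Both functions continue outside their hunks.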
32600 diff -urNp linux-2.6.32.49/drivers/ide/ide-pci-generic.c linux-2.6.32.49/drivers/ide/ide-pci-generic.c
32601 --- linux-2.6.32.49/drivers/ide/ide-pci-generic.c 2011-11-08 19:02:43.000000000 -0500
32602 +++ linux-2.6.32.49/drivers/ide/ide-pci-generic.c 2011-11-18 18:01:55.000000000 -0500
32603 @@ -53,7 +53,7 @@ static const struct ide_port_ops netcell
32604 .udma_mask = ATA_UDMA6, \
32605 }
32606
32607 -static const struct ide_port_info generic_chipsets[] __devinitdata = {
32608 +static const struct ide_port_info generic_chipsets[] __devinitconst = {
32609 /* 0: Unknown */
32610 DECLARE_GENERIC_PCI_DEV(0),
32611
32612 diff -urNp linux-2.6.32.49/drivers/ide/it8172.c linux-2.6.32.49/drivers/ide/it8172.c
32613 --- linux-2.6.32.49/drivers/ide/it8172.c 2011-11-08 19:02:43.000000000 -0500
32614 +++ linux-2.6.32.49/drivers/ide/it8172.c 2011-11-18 18:01:55.000000000 -0500
32615 @@ -115,7 +115,7 @@ static const struct ide_port_ops it8172_
32616 .set_dma_mode = it8172_set_dma_mode,
32617 };
32618
32619 -static const struct ide_port_info it8172_port_info __devinitdata = {
32620 +static const struct ide_port_info it8172_port_info __devinitconst = {
32621 .name = DRV_NAME,
32622 .port_ops = &it8172_port_ops,
32623 .enablebits = { {0x41, 0x80, 0x80}, {0x00, 0x00, 0x00} },
32624 diff -urNp linux-2.6.32.49/drivers/ide/it8213.c linux-2.6.32.49/drivers/ide/it8213.c
32625 --- linux-2.6.32.49/drivers/ide/it8213.c 2011-11-08 19:02:43.000000000 -0500
32626 +++ linux-2.6.32.49/drivers/ide/it8213.c 2011-11-18 18:01:55.000000000 -0500
32627 @@ -156,7 +156,7 @@ static const struct ide_port_ops it8213_
32628 .cable_detect = it8213_cable_detect,
32629 };
32630
32631 -static const struct ide_port_info it8213_chipset __devinitdata = {
32632 +static const struct ide_port_info it8213_chipset __devinitconst = {
32633 .name = DRV_NAME,
32634 .enablebits = { {0x41, 0x80, 0x80} },
32635 .port_ops = &it8213_port_ops,
32636 diff -urNp linux-2.6.32.49/drivers/ide/it821x.c linux-2.6.32.49/drivers/ide/it821x.c
32637 --- linux-2.6.32.49/drivers/ide/it821x.c 2011-11-08 19:02:43.000000000 -0500
32638 +++ linux-2.6.32.49/drivers/ide/it821x.c 2011-11-18 18:01:55.000000000 -0500
32639 @@ -627,7 +627,7 @@ static const struct ide_port_ops it821x_
32640 .cable_detect = it821x_cable_detect,
32641 };
32642
32643 -static const struct ide_port_info it821x_chipset __devinitdata = {
32644 +static const struct ide_port_info it821x_chipset __devinitconst = {
32645 .name = DRV_NAME,
32646 .init_chipset = init_chipset_it821x,
32647 .init_hwif = init_hwif_it821x,
32648 diff -urNp linux-2.6.32.49/drivers/ide/jmicron.c linux-2.6.32.49/drivers/ide/jmicron.c
32649 --- linux-2.6.32.49/drivers/ide/jmicron.c 2011-11-08 19:02:43.000000000 -0500
32650 +++ linux-2.6.32.49/drivers/ide/jmicron.c 2011-11-18 18:01:55.000000000 -0500
32651 @@ -102,7 +102,7 @@ static const struct ide_port_ops jmicron
32652 .cable_detect = jmicron_cable_detect,
32653 };
32654
32655 -static const struct ide_port_info jmicron_chipset __devinitdata = {
32656 +static const struct ide_port_info jmicron_chipset __devinitconst = {
32657 .name = DRV_NAME,
32658 .enablebits = { { 0x40, 0x01, 0x01 }, { 0x40, 0x10, 0x10 } },
32659 .port_ops = &jmicron_port_ops,
32660 diff -urNp linux-2.6.32.49/drivers/ide/ns87415.c linux-2.6.32.49/drivers/ide/ns87415.c
32661 --- linux-2.6.32.49/drivers/ide/ns87415.c 2011-11-08 19:02:43.000000000 -0500
32662 +++ linux-2.6.32.49/drivers/ide/ns87415.c 2011-11-18 18:01:55.000000000 -0500
32663 @@ -293,7 +293,7 @@ static const struct ide_dma_ops ns87415_
32664 .dma_sff_read_status = superio_dma_sff_read_status,
32665 };
32666
32667 -static const struct ide_port_info ns87415_chipset __devinitdata = {
32668 +static const struct ide_port_info ns87415_chipset __devinitconst = {
32669 .name = DRV_NAME,
32670 .init_hwif = init_hwif_ns87415,
32671 .tp_ops = &ns87415_tp_ops,
32672 diff -urNp linux-2.6.32.49/drivers/ide/opti621.c linux-2.6.32.49/drivers/ide/opti621.c
32673 --- linux-2.6.32.49/drivers/ide/opti621.c 2011-11-08 19:02:43.000000000 -0500
32674 +++ linux-2.6.32.49/drivers/ide/opti621.c 2011-11-18 18:01:55.000000000 -0500
32675 @@ -202,7 +202,7 @@ static const struct ide_port_ops opti621
32676 .set_pio_mode = opti621_set_pio_mode,
32677 };
32678
32679 -static const struct ide_port_info opti621_chipset __devinitdata = {
32680 +static const struct ide_port_info opti621_chipset __devinitconst = {
32681 .name = DRV_NAME,
32682 .enablebits = { {0x45, 0x80, 0x00}, {0x40, 0x08, 0x00} },
32683 .port_ops = &opti621_port_ops,
32684 diff -urNp linux-2.6.32.49/drivers/ide/pdc202xx_new.c linux-2.6.32.49/drivers/ide/pdc202xx_new.c
32685 --- linux-2.6.32.49/drivers/ide/pdc202xx_new.c 2011-11-08 19:02:43.000000000 -0500
32686 +++ linux-2.6.32.49/drivers/ide/pdc202xx_new.c 2011-11-18 18:01:55.000000000 -0500
32687 @@ -465,7 +465,7 @@ static const struct ide_port_ops pdcnew_
32688 .udma_mask = udma, \
32689 }
32690
32691 -static const struct ide_port_info pdcnew_chipsets[] __devinitdata = {
32692 +static const struct ide_port_info pdcnew_chipsets[] __devinitconst = {
32693 /* 0: PDC202{68,70} */ DECLARE_PDCNEW_DEV(ATA_UDMA5),
32694 /* 1: PDC202{69,71,75,76,77} */ DECLARE_PDCNEW_DEV(ATA_UDMA6),
32695 };
32696 diff -urNp linux-2.6.32.49/drivers/ide/pdc202xx_old.c linux-2.6.32.49/drivers/ide/pdc202xx_old.c
32697 --- linux-2.6.32.49/drivers/ide/pdc202xx_old.c 2011-11-08 19:02:43.000000000 -0500
32698 +++ linux-2.6.32.49/drivers/ide/pdc202xx_old.c 2011-11-18 18:01:55.000000000 -0500
32699 @@ -285,7 +285,7 @@ static const struct ide_dma_ops pdc2026x
32700 .max_sectors = sectors, \
32701 }
32702
32703 -static const struct ide_port_info pdc202xx_chipsets[] __devinitdata = {
32704 +static const struct ide_port_info pdc202xx_chipsets[] __devinitconst = {
32705 { /* 0: PDC20246 */
32706 .name = DRV_NAME,
32707 .init_chipset = init_chipset_pdc202xx,
32708 diff -urNp linux-2.6.32.49/drivers/ide/piix.c linux-2.6.32.49/drivers/ide/piix.c
32709 --- linux-2.6.32.49/drivers/ide/piix.c 2011-11-08 19:02:43.000000000 -0500
32710 +++ linux-2.6.32.49/drivers/ide/piix.c 2011-11-18 18:01:55.000000000 -0500
32711 @@ -344,7 +344,7 @@ static const struct ide_port_ops ich_por
32712 .udma_mask = udma, \
32713 }
32714
32715 -static const struct ide_port_info piix_pci_info[] __devinitdata = {
32716 +static const struct ide_port_info piix_pci_info[] __devinitconst = {
32717 /* 0: MPIIX */
32718 { /*
32719 * MPIIX actually has only a single IDE channel mapped to
32720 diff -urNp linux-2.6.32.49/drivers/ide/rz1000.c linux-2.6.32.49/drivers/ide/rz1000.c
32721 --- linux-2.6.32.49/drivers/ide/rz1000.c 2011-11-08 19:02:43.000000000 -0500
32722 +++ linux-2.6.32.49/drivers/ide/rz1000.c 2011-11-18 18:01:55.000000000 -0500
32723 @@ -38,7 +38,7 @@ static int __devinit rz1000_disable_read
32724 }
32725 }
32726
32727 -static const struct ide_port_info rz1000_chipset __devinitdata = {
32728 +static const struct ide_port_info rz1000_chipset __devinitconst = {
32729 .name = DRV_NAME,
32730 .host_flags = IDE_HFLAG_NO_DMA,
32731 };
32732 diff -urNp linux-2.6.32.49/drivers/ide/sc1200.c linux-2.6.32.49/drivers/ide/sc1200.c
32733 --- linux-2.6.32.49/drivers/ide/sc1200.c 2011-11-08 19:02:43.000000000 -0500
32734 +++ linux-2.6.32.49/drivers/ide/sc1200.c 2011-11-18 18:01:55.000000000 -0500
32735 @@ -290,7 +290,7 @@ static const struct ide_dma_ops sc1200_d
32736 .dma_sff_read_status = ide_dma_sff_read_status,
32737 };
32738
32739 -static const struct ide_port_info sc1200_chipset __devinitdata = {
32740 +static const struct ide_port_info sc1200_chipset __devinitconst = {
32741 .name = DRV_NAME,
32742 .port_ops = &sc1200_port_ops,
32743 .dma_ops = &sc1200_dma_ops,
32744 diff -urNp linux-2.6.32.49/drivers/ide/scc_pata.c linux-2.6.32.49/drivers/ide/scc_pata.c
32745 --- linux-2.6.32.49/drivers/ide/scc_pata.c 2011-11-08 19:02:43.000000000 -0500
32746 +++ linux-2.6.32.49/drivers/ide/scc_pata.c 2011-11-18 18:01:55.000000000 -0500
32747 @@ -811,7 +811,7 @@ static const struct ide_dma_ops scc_dma_
32748 .dma_sff_read_status = scc_dma_sff_read_status,
32749 };
32750
32751 -static const struct ide_port_info scc_chipset __devinitdata = {
32752 +static const struct ide_port_info scc_chipset __devinitconst = {
32753 .name = "sccIDE",
32754 .init_iops = init_iops_scc,
32755 .init_dma = scc_init_dma,
32756 diff -urNp linux-2.6.32.49/drivers/ide/serverworks.c linux-2.6.32.49/drivers/ide/serverworks.c
32757 --- linux-2.6.32.49/drivers/ide/serverworks.c 2011-11-08 19:02:43.000000000 -0500
32758 +++ linux-2.6.32.49/drivers/ide/serverworks.c 2011-11-18 18:01:55.000000000 -0500
32759 @@ -353,7 +353,7 @@ static const struct ide_port_ops svwks_p
32760 .cable_detect = svwks_cable_detect,
32761 };
32762
32763 -static const struct ide_port_info serverworks_chipsets[] __devinitdata = {
32764 +static const struct ide_port_info serverworks_chipsets[] __devinitconst = {
32765 { /* 0: OSB4 */
32766 .name = DRV_NAME,
32767 .init_chipset = init_chipset_svwks,
32768 diff -urNp linux-2.6.32.49/drivers/ide/setup-pci.c linux-2.6.32.49/drivers/ide/setup-pci.c
32769 --- linux-2.6.32.49/drivers/ide/setup-pci.c 2011-11-08 19:02:43.000000000 -0500
32770 +++ linux-2.6.32.49/drivers/ide/setup-pci.c 2011-11-15 19:59:43.000000000 -0500
32771 @@ -542,6 +542,8 @@ int ide_pci_init_two(struct pci_dev *dev
32772 int ret, i, n_ports = dev2 ? 4 : 2;
32773 struct ide_hw hw[4], *hws[] = { NULL, NULL, NULL, NULL };
32774
32775 + pax_track_stack();
32776 +
32777 for (i = 0; i < n_ports / 2; i++) {
32778 ret = ide_setup_pci_controller(pdev[i], d, !i);
32779 if (ret < 0)
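Review bot: The added `pax_track_stack();` in ide_pci_init_two has no comment saying why this function needs it, so a later cleanup could drop it, or leave it behind once the large locals are gone. The reason is presumably the on-stack `struct ide_hw hw[4]` array declared just above. A one-line comment such as `/* hw[4] makes this a large frame: record stack depth for PaX stack clearing */` would tie the call to that declaration. The same applies to the call added in atomic_counters_read in ipath_fs.c, where the large local is `struct infinipath_counters counters`. Both function bodies continue outside their hunks.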
32780 diff -urNp linux-2.6.32.49/drivers/ide/siimage.c linux-2.6.32.49/drivers/ide/siimage.c
32781 --- linux-2.6.32.49/drivers/ide/siimage.c 2011-11-08 19:02:43.000000000 -0500
32782 +++ linux-2.6.32.49/drivers/ide/siimage.c 2011-11-18 18:01:55.000000000 -0500
32783 @@ -719,7 +719,7 @@ static const struct ide_dma_ops sil_dma_
32784 .udma_mask = ATA_UDMA6, \
32785 }
32786
32787 -static const struct ide_port_info siimage_chipsets[] __devinitdata = {
32788 +static const struct ide_port_info siimage_chipsets[] __devinitconst = {
32789 /* 0: SiI680 */ DECLARE_SII_DEV(&sil_pata_port_ops),
32790 /* 1: SiI3112 */ DECLARE_SII_DEV(&sil_sata_port_ops)
32791 };
32792 diff -urNp linux-2.6.32.49/drivers/ide/sis5513.c linux-2.6.32.49/drivers/ide/sis5513.c
32793 --- linux-2.6.32.49/drivers/ide/sis5513.c 2011-11-08 19:02:43.000000000 -0500
32794 +++ linux-2.6.32.49/drivers/ide/sis5513.c 2011-11-18 18:01:55.000000000 -0500
32795 @@ -561,7 +561,7 @@ static const struct ide_port_ops sis_ata
32796 .cable_detect = sis_cable_detect,
32797 };
32798
32799 -static const struct ide_port_info sis5513_chipset __devinitdata = {
32800 +static const struct ide_port_info sis5513_chipset __devinitconst = {
32801 .name = DRV_NAME,
32802 .init_chipset = init_chipset_sis5513,
32803 .enablebits = { {0x4a, 0x02, 0x02}, {0x4a, 0x04, 0x04} },
32804 diff -urNp linux-2.6.32.49/drivers/ide/sl82c105.c linux-2.6.32.49/drivers/ide/sl82c105.c
32805 --- linux-2.6.32.49/drivers/ide/sl82c105.c 2011-11-08 19:02:43.000000000 -0500
32806 +++ linux-2.6.32.49/drivers/ide/sl82c105.c 2011-11-18 18:01:55.000000000 -0500
32807 @@ -319,7 +319,7 @@ static const struct ide_dma_ops sl82c105
32808 .dma_sff_read_status = ide_dma_sff_read_status,
32809 };
32810
32811 -static const struct ide_port_info sl82c105_chipset __devinitdata = {
32812 +static const struct ide_port_info sl82c105_chipset __devinitconst = {
32813 .name = DRV_NAME,
32814 .init_chipset = init_chipset_sl82c105,
32815 .enablebits = {{0x40,0x01,0x01}, {0x40,0x10,0x10}},
32816 diff -urNp linux-2.6.32.49/drivers/ide/slc90e66.c linux-2.6.32.49/drivers/ide/slc90e66.c
32817 --- linux-2.6.32.49/drivers/ide/slc90e66.c 2011-11-08 19:02:43.000000000 -0500
32818 +++ linux-2.6.32.49/drivers/ide/slc90e66.c 2011-11-18 18:01:55.000000000 -0500
32819 @@ -131,7 +131,7 @@ static const struct ide_port_ops slc90e6
32820 .cable_detect = slc90e66_cable_detect,
32821 };
32822
32823 -static const struct ide_port_info slc90e66_chipset __devinitdata = {
32824 +static const struct ide_port_info slc90e66_chipset __devinitconst = {
32825 .name = DRV_NAME,
32826 .enablebits = { {0x41, 0x80, 0x80}, {0x43, 0x80, 0x80} },
32827 .port_ops = &slc90e66_port_ops,
32828 diff -urNp linux-2.6.32.49/drivers/ide/tc86c001.c linux-2.6.32.49/drivers/ide/tc86c001.c
32829 --- linux-2.6.32.49/drivers/ide/tc86c001.c 2011-11-08 19:02:43.000000000 -0500
32830 +++ linux-2.6.32.49/drivers/ide/tc86c001.c 2011-11-18 18:01:55.000000000 -0500
32831 @@ -190,7 +190,7 @@ static const struct ide_dma_ops tc86c001
32832 .dma_sff_read_status = ide_dma_sff_read_status,
32833 };
32834
32835 -static const struct ide_port_info tc86c001_chipset __devinitdata = {
32836 +static const struct ide_port_info tc86c001_chipset __devinitconst = {
32837 .name = DRV_NAME,
32838 .init_hwif = init_hwif_tc86c001,
32839 .port_ops = &tc86c001_port_ops,
32840 diff -urNp linux-2.6.32.49/drivers/ide/triflex.c linux-2.6.32.49/drivers/ide/triflex.c
32841 --- linux-2.6.32.49/drivers/ide/triflex.c 2011-11-08 19:02:43.000000000 -0500
32842 +++ linux-2.6.32.49/drivers/ide/triflex.c 2011-11-18 18:01:55.000000000 -0500
32843 @@ -92,7 +92,7 @@ static const struct ide_port_ops triflex
32844 .set_dma_mode = triflex_set_mode,
32845 };
32846
32847 -static const struct ide_port_info triflex_device __devinitdata = {
32848 +static const struct ide_port_info triflex_device __devinitconst = {
32849 .name = DRV_NAME,
32850 .enablebits = {{0x80, 0x01, 0x01}, {0x80, 0x02, 0x02}},
32851 .port_ops = &triflex_port_ops,
32852 diff -urNp linux-2.6.32.49/drivers/ide/trm290.c linux-2.6.32.49/drivers/ide/trm290.c
32853 --- linux-2.6.32.49/drivers/ide/trm290.c 2011-11-08 19:02:43.000000000 -0500
32854 +++ linux-2.6.32.49/drivers/ide/trm290.c 2011-11-18 18:01:55.000000000 -0500
32855 @@ -324,7 +324,7 @@ static struct ide_dma_ops trm290_dma_ops
32856 .dma_check = trm290_dma_check,
32857 };
32858
32859 -static const struct ide_port_info trm290_chipset __devinitdata = {
32860 +static const struct ide_port_info trm290_chipset __devinitconst = {
32861 .name = DRV_NAME,
32862 .init_hwif = init_hwif_trm290,
32863 .tp_ops = &trm290_tp_ops,
32864 diff -urNp linux-2.6.32.49/drivers/ide/via82cxxx.c linux-2.6.32.49/drivers/ide/via82cxxx.c
32865 --- linux-2.6.32.49/drivers/ide/via82cxxx.c 2011-11-08 19:02:43.000000000 -0500
32866 +++ linux-2.6.32.49/drivers/ide/via82cxxx.c 2011-11-18 18:01:55.000000000 -0500
32867 @@ -374,7 +374,7 @@ static const struct ide_port_ops via_por
32868 .cable_detect = via82cxxx_cable_detect,
32869 };
32870
32871 -static const struct ide_port_info via82cxxx_chipset __devinitdata = {
32872 +static const struct ide_port_info via82cxxx_chipset __devinitconst = {
32873 .name = DRV_NAME,
32874 .init_chipset = init_chipset_via82cxxx,
32875 .enablebits = { { 0x40, 0x02, 0x02 }, { 0x40, 0x01, 0x01 } },
32876 diff -urNp linux-2.6.32.49/drivers/ieee1394/dv1394.c linux-2.6.32.49/drivers/ieee1394/dv1394.c
32877 --- linux-2.6.32.49/drivers/ieee1394/dv1394.c 2011-11-08 19:02:43.000000000 -0500
32878 +++ linux-2.6.32.49/drivers/ieee1394/dv1394.c 2011-11-15 19:59:43.000000000 -0500
32879 @@ -739,7 +739,7 @@ static void frame_prepare(struct video_c
32880 based upon DIF section and sequence
32881 */
32882
32883 -static void inline
32884 +static inline void
32885 frame_put_packet (struct frame *f, struct packet *p)
32886 {
32887 int section_type = p->data[0] >> 5; /* section type is in bits 5 - 7 */
32888 diff -urNp linux-2.6.32.49/drivers/ieee1394/hosts.c linux-2.6.32.49/drivers/ieee1394/hosts.c
32889 --- linux-2.6.32.49/drivers/ieee1394/hosts.c 2011-11-08 19:02:43.000000000 -0500
32890 +++ linux-2.6.32.49/drivers/ieee1394/hosts.c 2011-11-15 19:59:43.000000000 -0500
32891 @@ -78,6 +78,7 @@ static int dummy_isoctl(struct hpsb_iso
32892 }
32893
32894 static struct hpsb_host_driver dummy_driver = {
32895 + .name = "dummy",
32896 .transmit_packet = dummy_transmit_packet,
32897 .devctl = dummy_devctl,
32898 .isoctl = dummy_isoctl
32899 diff -urNp linux-2.6.32.49/drivers/ieee1394/init_ohci1394_dma.c linux-2.6.32.49/drivers/ieee1394/init_ohci1394_dma.c
32900 --- linux-2.6.32.49/drivers/ieee1394/init_ohci1394_dma.c 2011-11-08 19:02:43.000000000 -0500
32901 +++ linux-2.6.32.49/drivers/ieee1394/init_ohci1394_dma.c 2011-11-15 19:59:43.000000000 -0500
32902 @@ -257,7 +257,7 @@ void __init init_ohci1394_dma_on_all_con
32903 for (func = 0; func < 8; func++) {
32904 u32 class = read_pci_config(num,slot,func,
32905 PCI_CLASS_REVISION);
32906 - if ((class == 0xffffffff))
32907 + if (class == 0xffffffff)
32908 continue; /* No device at this func */
32909
32910 if (class>>8 != PCI_CLASS_SERIAL_FIREWIRE_OHCI)
32911 diff -urNp linux-2.6.32.49/drivers/ieee1394/ohci1394.c linux-2.6.32.49/drivers/ieee1394/ohci1394.c
32912 --- linux-2.6.32.49/drivers/ieee1394/ohci1394.c 2011-11-08 19:02:43.000000000 -0500
32913 +++ linux-2.6.32.49/drivers/ieee1394/ohci1394.c 2011-11-15 19:59:43.000000000 -0500
32914 @@ -147,9 +147,9 @@ printk(level "%s: " fmt "\n" , OHCI1394_
32915 printk(level "%s: fw-host%d: " fmt "\n" , OHCI1394_DRIVER_NAME, ohci->host->id , ## args)
32916
32917 /* Module Parameters */
32918 -static int phys_dma = 1;
32919 +static int phys_dma;
32920 module_param(phys_dma, int, 0444);
32921 -MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 1).");
32922 +MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 0).");
32923
32924 static void dma_trm_tasklet(unsigned long data);
32925 static void dma_trm_reset(struct dma_trm_ctx *d);
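Review bot: The new default of `phys_dma = 0` changes behaviour for existing users, and the parameter description does not say why the default moved. With physical DMA enabled, a device on the FireWire bus can be given direct access to host memory, so off by default is the safer choice. Anything that relied on it (presumably SBP-2 fast paths or debugging over FireWire) now has to pass `phys_dma=1` explicitly. I would put the reason in the text users see, e.g. `MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 0; 1 lets bus devices access host memory directly).");`. The parameter stays read-only at runtime (`0444`), which suits a setting of this kind.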
32926 diff -urNp linux-2.6.32.49/drivers/ieee1394/sbp2.c linux-2.6.32.49/drivers/ieee1394/sbp2.c
32927 --- linux-2.6.32.49/drivers/ieee1394/sbp2.c 2011-11-08 19:02:43.000000000 -0500
32928 +++ linux-2.6.32.49/drivers/ieee1394/sbp2.c 2011-11-15 19:59:43.000000000 -0500
32929 @@ -2111,7 +2111,7 @@ MODULE_DESCRIPTION("IEEE-1394 SBP-2 prot
32930 MODULE_SUPPORTED_DEVICE(SBP2_DEVICE_NAME);
32931 MODULE_LICENSE("GPL");
32932
32933 -static int sbp2_module_init(void)
32934 +static int __init sbp2_module_init(void)
32935 {
32936 int ret;
32937
32938 diff -urNp linux-2.6.32.49/drivers/infiniband/core/cm.c linux-2.6.32.49/drivers/infiniband/core/cm.c
32939 --- linux-2.6.32.49/drivers/infiniband/core/cm.c 2011-11-08 19:02:43.000000000 -0500
32940 +++ linux-2.6.32.49/drivers/infiniband/core/cm.c 2011-11-15 19:59:43.000000000 -0500
32941 @@ -112,7 +112,7 @@ static char const counter_group_names[CM
32942
32943 struct cm_counter_group {
32944 struct kobject obj;
32945 - atomic_long_t counter[CM_ATTR_COUNT];
32946 + atomic_long_unchecked_t counter[CM_ATTR_COUNT];
32947 };
32948
32949 struct cm_counter_attribute {
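Review bot: Nothing in `struct cm_counter_group` records why `counter[]` uses `atomic_long_unchecked_t`, and a later reader needs to know that before adding another member here. These values are statistics printed by cm_show_counter, where wrapping is harmless, so opting them out of overflow detection is reasonable. A reference count added with the same type by analogy would silently lose that protection. A comment on the member would do, for example `/* statistics only, may wrap; never use the _unchecked type for reference counts */`. The same comment is worth having on the nes counters converted in nes.c, nes_cm.c and nes.h further down.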
32950 @@ -1386,7 +1386,7 @@ static void cm_dup_req_handler(struct cm
32951 struct ib_mad_send_buf *msg = NULL;
32952 int ret;
32953
32954 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
32955 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
32956 counter[CM_REQ_COUNTER]);
32957
32958 /* Quick state check to discard duplicate REQs. */
32959 @@ -1764,7 +1764,7 @@ static void cm_dup_rep_handler(struct cm
32960 if (!cm_id_priv)
32961 return;
32962
32963 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
32964 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
32965 counter[CM_REP_COUNTER]);
32966 ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
32967 if (ret)
32968 @@ -1931,7 +1931,7 @@ static int cm_rtu_handler(struct cm_work
32969 if (cm_id_priv->id.state != IB_CM_REP_SENT &&
32970 cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
32971 spin_unlock_irq(&cm_id_priv->lock);
32972 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
32973 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
32974 counter[CM_RTU_COUNTER]);
32975 goto out;
32976 }
32977 @@ -2110,7 +2110,7 @@ static int cm_dreq_handler(struct cm_wor
32978 cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
32979 dreq_msg->local_comm_id);
32980 if (!cm_id_priv) {
32981 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
32982 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
32983 counter[CM_DREQ_COUNTER]);
32984 cm_issue_drep(work->port, work->mad_recv_wc);
32985 return -EINVAL;
32986 @@ -2131,7 +2131,7 @@ static int cm_dreq_handler(struct cm_wor
32987 case IB_CM_MRA_REP_RCVD:
32988 break;
32989 case IB_CM_TIMEWAIT:
32990 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
32991 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
32992 counter[CM_DREQ_COUNTER]);
32993 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
32994 goto unlock;
32995 @@ -2145,7 +2145,7 @@ static int cm_dreq_handler(struct cm_wor
32996 cm_free_msg(msg);
32997 goto deref;
32998 case IB_CM_DREQ_RCVD:
32999 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
33000 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
33001 counter[CM_DREQ_COUNTER]);
33002 goto unlock;
33003 default:
33004 @@ -2501,7 +2501,7 @@ static int cm_mra_handler(struct cm_work
33005 ib_modify_mad(cm_id_priv->av.port->mad_agent,
33006 cm_id_priv->msg, timeout)) {
33007 if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
33008 - atomic_long_inc(&work->port->
33009 + atomic_long_inc_unchecked(&work->port->
33010 counter_group[CM_RECV_DUPLICATES].
33011 counter[CM_MRA_COUNTER]);
33012 goto out;
33013 @@ -2510,7 +2510,7 @@ static int cm_mra_handler(struct cm_work
33014 break;
33015 case IB_CM_MRA_REQ_RCVD:
33016 case IB_CM_MRA_REP_RCVD:
33017 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
33018 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
33019 counter[CM_MRA_COUNTER]);
33020 /* fall through */
33021 default:
33022 @@ -2672,7 +2672,7 @@ static int cm_lap_handler(struct cm_work
33023 case IB_CM_LAP_IDLE:
33024 break;
33025 case IB_CM_MRA_LAP_SENT:
33026 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
33027 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
33028 counter[CM_LAP_COUNTER]);
33029 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
33030 goto unlock;
33031 @@ -2688,7 +2688,7 @@ static int cm_lap_handler(struct cm_work
33032 cm_free_msg(msg);
33033 goto deref;
33034 case IB_CM_LAP_RCVD:
33035 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
33036 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
33037 counter[CM_LAP_COUNTER]);
33038 goto unlock;
33039 default:
33040 @@ -2972,7 +2972,7 @@ static int cm_sidr_req_handler(struct cm
33041 cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
33042 if (cur_cm_id_priv) {
33043 spin_unlock_irq(&cm.lock);
33044 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
33045 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
33046 counter[CM_SIDR_REQ_COUNTER]);
33047 goto out; /* Duplicate message. */
33048 }
33049 @@ -3184,10 +3184,10 @@ static void cm_send_handler(struct ib_ma
33050 if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
33051 msg->retries = 1;
33052
33053 - atomic_long_add(1 + msg->retries,
33054 + atomic_long_add_unchecked(1 + msg->retries,
33055 &port->counter_group[CM_XMIT].counter[attr_index]);
33056 if (msg->retries)
33057 - atomic_long_add(msg->retries,
33058 + atomic_long_add_unchecked(msg->retries,
33059 &port->counter_group[CM_XMIT_RETRIES].
33060 counter[attr_index]);
33061
33062 @@ -3397,7 +3397,7 @@ static void cm_recv_handler(struct ib_ma
33063 }
33064
33065 attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
33066 - atomic_long_inc(&port->counter_group[CM_RECV].
33067 + atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
33068 counter[attr_id - CM_ATTR_ID_OFFSET]);
33069
33070 work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
33071 @@ -3595,10 +3595,10 @@ static ssize_t cm_show_counter(struct ko
33072 cm_attr = container_of(attr, struct cm_counter_attribute, attr);
33073
33074 return sprintf(buf, "%ld\n",
33075 - atomic_long_read(&group->counter[cm_attr->index]));
33076 + atomic_long_read_unchecked(&group->counter[cm_attr->index]));
33077 }
33078
33079 -static struct sysfs_ops cm_counter_ops = {
33080 +static const struct sysfs_ops cm_counter_ops = {
33081 .show = cm_show_counter
33082 };
33083
33084 diff -urNp linux-2.6.32.49/drivers/infiniband/core/fmr_pool.c linux-2.6.32.49/drivers/infiniband/core/fmr_pool.c
33085 --- linux-2.6.32.49/drivers/infiniband/core/fmr_pool.c 2011-11-08 19:02:43.000000000 -0500
33086 +++ linux-2.6.32.49/drivers/infiniband/core/fmr_pool.c 2011-11-15 19:59:43.000000000 -0500
33087 @@ -97,8 +97,8 @@ struct ib_fmr_pool {
33088
33089 struct task_struct *thread;
33090
33091 - atomic_t req_ser;
33092 - atomic_t flush_ser;
33093 + atomic_unchecked_t req_ser;
33094 + atomic_unchecked_t flush_ser;
33095
33096 wait_queue_head_t force_wait;
33097 };
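Review bot: `req_ser` and `flush_ser` are not plain statistics, and the struct should say why they are `atomic_unchecked_t`. The later hunks compare them with a signed difference, `atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) < 0`, which only works if the serials are allowed to wrap. A comment above the two members, e.g. `/* wrapping serial numbers, compared by signed difference */`, would keep someone from converting them back. The subtraction is still signed `int` arithmetic, so it relies on the kernel being built with wrapping overflow semantics; presumably that holds for this tree, but it is worth confirming.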
33098 @@ -179,10 +179,10 @@ static int ib_fmr_cleanup_thread(void *p
33099 struct ib_fmr_pool *pool = pool_ptr;
33100
33101 do {
33102 - if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) < 0) {
33103 + if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) < 0) {
33104 ib_fmr_batch_release(pool);
33105
33106 - atomic_inc(&pool->flush_ser);
33107 + atomic_inc_unchecked(&pool->flush_ser);
33108 wake_up_interruptible(&pool->force_wait);
33109
33110 if (pool->flush_function)
33111 @@ -190,7 +190,7 @@ static int ib_fmr_cleanup_thread(void *p
33112 }
33113
33114 set_current_state(TASK_INTERRUPTIBLE);
33115 - if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) >= 0 &&
33116 + if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) >= 0 &&
33117 !kthread_should_stop())
33118 schedule();
33119 __set_current_state(TASK_RUNNING);
33120 @@ -282,8 +282,8 @@ struct ib_fmr_pool *ib_create_fmr_pool(s
33121 pool->dirty_watermark = params->dirty_watermark;
33122 pool->dirty_len = 0;
33123 spin_lock_init(&pool->pool_lock);
33124 - atomic_set(&pool->req_ser, 0);
33125 - atomic_set(&pool->flush_ser, 0);
33126 + atomic_set_unchecked(&pool->req_ser, 0);
33127 + atomic_set_unchecked(&pool->flush_ser, 0);
33128 init_waitqueue_head(&pool->force_wait);
33129
33130 pool->thread = kthread_run(ib_fmr_cleanup_thread,
33131 @@ -411,11 +411,11 @@ int ib_flush_fmr_pool(struct ib_fmr_pool
33132 }
33133 spin_unlock_irq(&pool->pool_lock);
33134
33135 - serial = atomic_inc_return(&pool->req_ser);
33136 + serial = atomic_inc_return_unchecked(&pool->req_ser);
33137 wake_up_process(pool->thread);
33138
33139 if (wait_event_interruptible(pool->force_wait,
33140 - atomic_read(&pool->flush_ser) - serial >= 0))
33141 + atomic_read_unchecked(&pool->flush_ser) - serial >= 0))
33142 return -EINTR;
33143
33144 return 0;
33145 @@ -525,7 +525,7 @@ int ib_fmr_pool_unmap(struct ib_pool_fmr
33146 } else {
33147 list_add_tail(&fmr->list, &pool->dirty_list);
33148 if (++pool->dirty_len >= pool->dirty_watermark) {
33149 - atomic_inc(&pool->req_ser);
33150 + atomic_inc_unchecked(&pool->req_ser);
33151 wake_up_process(pool->thread);
33152 }
33153 }
33154 diff -urNp linux-2.6.32.49/drivers/infiniband/core/sysfs.c linux-2.6.32.49/drivers/infiniband/core/sysfs.c
33155 --- linux-2.6.32.49/drivers/infiniband/core/sysfs.c 2011-11-08 19:02:43.000000000 -0500
33156 +++ linux-2.6.32.49/drivers/infiniband/core/sysfs.c 2011-11-15 19:59:43.000000000 -0500
33157 @@ -79,7 +79,7 @@ static ssize_t port_attr_show(struct kob
33158 return port_attr->show(p, port_attr, buf);
33159 }
33160
33161 -static struct sysfs_ops port_sysfs_ops = {
33162 +static const struct sysfs_ops port_sysfs_ops = {
33163 .show = port_attr_show
33164 };
33165
33166 diff -urNp linux-2.6.32.49/drivers/infiniband/core/uverbs_marshall.c linux-2.6.32.49/drivers/infiniband/core/uverbs_marshall.c
33167 --- linux-2.6.32.49/drivers/infiniband/core/uverbs_marshall.c 2011-11-08 19:02:43.000000000 -0500
33168 +++ linux-2.6.32.49/drivers/infiniband/core/uverbs_marshall.c 2011-11-15 19:59:43.000000000 -0500
33169 @@ -40,18 +40,21 @@ void ib_copy_ah_attr_to_user(struct ib_u
33170 dst->grh.sgid_index = src->grh.sgid_index;
33171 dst->grh.hop_limit = src->grh.hop_limit;
33172 dst->grh.traffic_class = src->grh.traffic_class;
33173 + memset(&dst->grh.reserved, 0, sizeof(dst->grh.reserved));
33174 dst->dlid = src->dlid;
33175 dst->sl = src->sl;
33176 dst->src_path_bits = src->src_path_bits;
33177 dst->static_rate = src->static_rate;
33178 dst->is_global = src->ah_flags & IB_AH_GRH ? 1 : 0;
33179 dst->port_num = src->port_num;
33180 + dst->reserved = 0;
33181 }
33182 EXPORT_SYMBOL(ib_copy_ah_attr_to_user);
33183
33184 void ib_copy_qp_attr_to_user(struct ib_uverbs_qp_attr *dst,
33185 struct ib_qp_attr *src)
33186 {
33187 + dst->qp_state = src->qp_state;
33188 dst->cur_qp_state = src->cur_qp_state;
33189 dst->path_mtu = src->path_mtu;
33190 dst->path_mig_state = src->path_mig_state;
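Review bot: Clearing `grh.reserved` and `reserved` and adding the missing `qp_state` copy one member at a time closes the uninitialised bytes that exist today, but it leaves both copy functions dependent on every future member, and any compiler padding, being remembered by hand. Judging by the `_to_user` names, these structures are handed to user space, so I would zero the whole destination first: `memset(dst, 0, sizeof(*dst));` as the first statement of ib_copy_ah_attr_to_user and of ib_copy_qp_attr_to_user. The per-member clears, including the `memset(dst->reserved, ...)` in the next hunk, then become redundant. This assumes no caller pre-fills `dst` before the call, which needs checking because the start of ib_copy_ah_attr_to_user is outside the hunk.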
33191 @@ -83,6 +86,7 @@ void ib_copy_qp_attr_to_user(struct ib_u
33192 dst->rnr_retry = src->rnr_retry;
33193 dst->alt_port_num = src->alt_port_num;
33194 dst->alt_timeout = src->alt_timeout;
33195 + memset(dst->reserved, 0, sizeof(dst->reserved));
33196 }
33197 EXPORT_SYMBOL(ib_copy_qp_attr_to_user);
33198
33199 diff -urNp linux-2.6.32.49/drivers/infiniband/hw/ipath/ipath_fs.c linux-2.6.32.49/drivers/infiniband/hw/ipath/ipath_fs.c
33200 --- linux-2.6.32.49/drivers/infiniband/hw/ipath/ipath_fs.c 2011-11-08 19:02:43.000000000 -0500
33201 +++ linux-2.6.32.49/drivers/infiniband/hw/ipath/ipath_fs.c 2011-11-15 19:59:43.000000000 -0500
33202 @@ -110,6 +110,8 @@ static ssize_t atomic_counters_read(stru
33203 struct infinipath_counters counters;
33204 struct ipath_devdata *dd;
33205
33206 + pax_track_stack();
33207 +
33208 dd = file->f_path.dentry->d_inode->i_private;
33209 dd->ipath_f_read_counters(dd, &counters);
33210
33211 diff -urNp linux-2.6.32.49/drivers/infiniband/hw/nes/nes.c linux-2.6.32.49/drivers/infiniband/hw/nes/nes.c
33212 --- linux-2.6.32.49/drivers/infiniband/hw/nes/nes.c 2011-11-08 19:02:43.000000000 -0500
33213 +++ linux-2.6.32.49/drivers/infiniband/hw/nes/nes.c 2011-11-15 19:59:43.000000000 -0500
33214 @@ -102,7 +102,7 @@ MODULE_PARM_DESC(limit_maxrdreqsz, "Limi
33215 LIST_HEAD(nes_adapter_list);
33216 static LIST_HEAD(nes_dev_list);
33217
33218 -atomic_t qps_destroyed;
33219 +atomic_unchecked_t qps_destroyed;
33220
33221 static unsigned int ee_flsh_adapter;
33222 static unsigned int sysfs_nonidx_addr;
33223 @@ -259,7 +259,7 @@ static void nes_cqp_rem_ref_callback(str
33224 struct nes_adapter *nesadapter = nesdev->nesadapter;
33225 u32 qp_id;
33226
33227 - atomic_inc(&qps_destroyed);
33228 + atomic_inc_unchecked(&qps_destroyed);
33229
33230 /* Free the control structures */
33231
33232 diff -urNp linux-2.6.32.49/drivers/infiniband/hw/nes/nes_cm.c linux-2.6.32.49/drivers/infiniband/hw/nes/nes_cm.c
33233 --- linux-2.6.32.49/drivers/infiniband/hw/nes/nes_cm.c 2011-11-08 19:02:43.000000000 -0500
33234 +++ linux-2.6.32.49/drivers/infiniband/hw/nes/nes_cm.c 2011-11-15 19:59:43.000000000 -0500
33235 @@ -69,11 +69,11 @@ u32 cm_packets_received;
33236 u32 cm_listens_created;
33237 u32 cm_listens_destroyed;
33238 u32 cm_backlog_drops;
33239 -atomic_t cm_loopbacks;
33240 -atomic_t cm_nodes_created;
33241 -atomic_t cm_nodes_destroyed;
33242 -atomic_t cm_accel_dropped_pkts;
33243 -atomic_t cm_resets_recvd;
33244 +atomic_unchecked_t cm_loopbacks;
33245 +atomic_unchecked_t cm_nodes_created;
33246 +atomic_unchecked_t cm_nodes_destroyed;
33247 +atomic_unchecked_t cm_accel_dropped_pkts;
33248 +atomic_unchecked_t cm_resets_recvd;
33249
33250 static inline int mini_cm_accelerated(struct nes_cm_core *,
33251 struct nes_cm_node *);
33252 @@ -149,13 +149,13 @@ static struct nes_cm_ops nes_cm_api = {
33253
33254 static struct nes_cm_core *g_cm_core;
33255
33256 -atomic_t cm_connects;
33257 -atomic_t cm_accepts;
33258 -atomic_t cm_disconnects;
33259 -atomic_t cm_closes;
33260 -atomic_t cm_connecteds;
33261 -atomic_t cm_connect_reqs;
33262 -atomic_t cm_rejects;
33263 +atomic_unchecked_t cm_connects;
33264 +atomic_unchecked_t cm_accepts;
33265 +atomic_unchecked_t cm_disconnects;
33266 +atomic_unchecked_t cm_closes;
33267 +atomic_unchecked_t cm_connecteds;
33268 +atomic_unchecked_t cm_connect_reqs;
33269 +atomic_unchecked_t cm_rejects;
33270
33271
33272 /**
33273 @@ -1195,7 +1195,7 @@ static struct nes_cm_node *make_cm_node(
33274 cm_node->rem_mac);
33275
33276 add_hte_node(cm_core, cm_node);
33277 - atomic_inc(&cm_nodes_created);
33278 + atomic_inc_unchecked(&cm_nodes_created);
33279
33280 return cm_node;
33281 }
33282 @@ -1253,7 +1253,7 @@ static int rem_ref_cm_node(struct nes_cm
33283 }
33284
33285 atomic_dec(&cm_core->node_cnt);
33286 - atomic_inc(&cm_nodes_destroyed);
33287 + atomic_inc_unchecked(&cm_nodes_destroyed);
33288 nesqp = cm_node->nesqp;
33289 if (nesqp) {
33290 nesqp->cm_node = NULL;
33291 @@ -1320,7 +1320,7 @@ static int process_options(struct nes_cm
33292
33293 static void drop_packet(struct sk_buff *skb)
33294 {
33295 - atomic_inc(&cm_accel_dropped_pkts);
33296 + atomic_inc_unchecked(&cm_accel_dropped_pkts);
33297 dev_kfree_skb_any(skb);
33298 }
33299
33300 @@ -1377,7 +1377,7 @@ static void handle_rst_pkt(struct nes_cm
33301
33302 int reset = 0; /* whether to send reset in case of err.. */
33303 int passive_state;
33304 - atomic_inc(&cm_resets_recvd);
33305 + atomic_inc_unchecked(&cm_resets_recvd);
33306 nes_debug(NES_DBG_CM, "Received Reset, cm_node = %p, state = %u."
33307 " refcnt=%d\n", cm_node, cm_node->state,
33308 atomic_read(&cm_node->ref_count));
33309 @@ -2000,7 +2000,7 @@ static struct nes_cm_node *mini_cm_conne
33310 rem_ref_cm_node(cm_node->cm_core, cm_node);
33311 return NULL;
33312 }
33313 - atomic_inc(&cm_loopbacks);
33314 + atomic_inc_unchecked(&cm_loopbacks);
33315 loopbackremotenode->loopbackpartner = cm_node;
33316 loopbackremotenode->tcp_cntxt.rcv_wscale =
33317 NES_CM_DEFAULT_RCV_WND_SCALE;
33318 @@ -2262,7 +2262,7 @@ static int mini_cm_recv_pkt(struct nes_c
33319 add_ref_cm_node(cm_node);
33320 } else if (cm_node->state == NES_CM_STATE_TSA) {
33321 rem_ref_cm_node(cm_core, cm_node);
33322 - atomic_inc(&cm_accel_dropped_pkts);
33323 + atomic_inc_unchecked(&cm_accel_dropped_pkts);
33324 dev_kfree_skb_any(skb);
33325 break;
33326 }
33327 @@ -2568,7 +2568,7 @@ static int nes_cm_disconn_true(struct ne
33328
33329 if ((cm_id) && (cm_id->event_handler)) {
33330 if (issue_disconn) {
33331 - atomic_inc(&cm_disconnects);
33332 + atomic_inc_unchecked(&cm_disconnects);
33333 cm_event.event = IW_CM_EVENT_DISCONNECT;
33334 cm_event.status = disconn_status;
33335 cm_event.local_addr = cm_id->local_addr;
33336 @@ -2590,7 +2590,7 @@ static int nes_cm_disconn_true(struct ne
33337 }
33338
33339 if (issue_close) {
33340 - atomic_inc(&cm_closes);
33341 + atomic_inc_unchecked(&cm_closes);
33342 nes_disconnect(nesqp, 1);
33343
33344 cm_id->provider_data = nesqp;
33345 @@ -2710,7 +2710,7 @@ int nes_accept(struct iw_cm_id *cm_id, s
33346
33347 nes_debug(NES_DBG_CM, "QP%u, cm_node=%p, jiffies = %lu listener = %p\n",
33348 nesqp->hwqp.qp_id, cm_node, jiffies, cm_node->listener);
33349 - atomic_inc(&cm_accepts);
33350 + atomic_inc_unchecked(&cm_accepts);
33351
33352 nes_debug(NES_DBG_CM, "netdev refcnt = %u.\n",
33353 atomic_read(&nesvnic->netdev->refcnt));
33354 @@ -2919,7 +2919,7 @@ int nes_reject(struct iw_cm_id *cm_id, c
33355
33356 struct nes_cm_core *cm_core;
33357
33358 - atomic_inc(&cm_rejects);
33359 + atomic_inc_unchecked(&cm_rejects);
33360 cm_node = (struct nes_cm_node *) cm_id->provider_data;
33361 loopback = cm_node->loopbackpartner;
33362 cm_core = cm_node->cm_core;
33363 @@ -2982,7 +2982,7 @@ int nes_connect(struct iw_cm_id *cm_id,
33364 ntohl(cm_id->local_addr.sin_addr.s_addr),
33365 ntohs(cm_id->local_addr.sin_port));
33366
33367 - atomic_inc(&cm_connects);
33368 + atomic_inc_unchecked(&cm_connects);
33369 nesqp->active_conn = 1;
33370
33371 /* cache the cm_id in the qp */
33372 @@ -3195,7 +3195,7 @@ static void cm_event_connected(struct ne
33373 if (nesqp->destroyed) {
33374 return;
33375 }
33376 - atomic_inc(&cm_connecteds);
33377 + atomic_inc_unchecked(&cm_connecteds);
33378 nes_debug(NES_DBG_CM, "QP%u attempting to connect to 0x%08X:0x%04X on"
33379 " local port 0x%04X. jiffies = %lu.\n",
33380 nesqp->hwqp.qp_id,
33381 @@ -3403,7 +3403,7 @@ static void cm_event_reset(struct nes_cm
33382
33383 ret = cm_id->event_handler(cm_id, &cm_event);
33384 cm_id->add_ref(cm_id);
33385 - atomic_inc(&cm_closes);
33386 + atomic_inc_unchecked(&cm_closes);
33387 cm_event.event = IW_CM_EVENT_CLOSE;
33388 cm_event.status = IW_CM_EVENT_STATUS_OK;
33389 cm_event.provider_data = cm_id->provider_data;
33390 @@ -3439,7 +3439,7 @@ static void cm_event_mpa_req(struct nes_
33391 return;
33392 cm_id = cm_node->cm_id;
33393
33394 - atomic_inc(&cm_connect_reqs);
33395 + atomic_inc_unchecked(&cm_connect_reqs);
33396 nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
33397 cm_node, cm_id, jiffies);
33398
33399 @@ -3477,7 +3477,7 @@ static void cm_event_mpa_reject(struct n
33400 return;
33401 cm_id = cm_node->cm_id;
33402
33403 - atomic_inc(&cm_connect_reqs);
33404 + atomic_inc_unchecked(&cm_connect_reqs);
33405 nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
33406 cm_node, cm_id, jiffies);
33407
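Review bot: The counter bumped in cm_event_mpa_reject is `cm_connect_reqs`, the same one cm_event_mpa_req increments in the previous hunk, so a received reject appears to be counted as a connect request. This predates the patch, which only switches the call to `atomic_inc_unchecked`, and it may be deliberate. If it is a copy-and-paste slip, the line should read `atomic_inc_unchecked(&cm_rejects);` or use a dedicated counter. As far as the visible code shows, the effect is limited to the values reported through the ethtool statistics in nes_nic.c. The function body starts and ends outside the hunk.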
33408 diff -urNp linux-2.6.32.49/drivers/infiniband/hw/nes/nes.h linux-2.6.32.49/drivers/infiniband/hw/nes/nes.h
33409 --- linux-2.6.32.49/drivers/infiniband/hw/nes/nes.h 2011-11-08 19:02:43.000000000 -0500
33410 +++ linux-2.6.32.49/drivers/infiniband/hw/nes/nes.h 2011-11-15 19:59:43.000000000 -0500
33411 @@ -174,17 +174,17 @@ extern unsigned int nes_debug_level;
33412 extern unsigned int wqm_quanta;
33413 extern struct list_head nes_adapter_list;
33414
33415 -extern atomic_t cm_connects;
33416 -extern atomic_t cm_accepts;
33417 -extern atomic_t cm_disconnects;
33418 -extern atomic_t cm_closes;
33419 -extern atomic_t cm_connecteds;
33420 -extern atomic_t cm_connect_reqs;
33421 -extern atomic_t cm_rejects;
33422 -extern atomic_t mod_qp_timouts;
33423 -extern atomic_t qps_created;
33424 -extern atomic_t qps_destroyed;
33425 -extern atomic_t sw_qps_destroyed;
33426 +extern atomic_unchecked_t cm_connects;
33427 +extern atomic_unchecked_t cm_accepts;
33428 +extern atomic_unchecked_t cm_disconnects;
33429 +extern atomic_unchecked_t cm_closes;
33430 +extern atomic_unchecked_t cm_connecteds;
33431 +extern atomic_unchecked_t cm_connect_reqs;
33432 +extern atomic_unchecked_t cm_rejects;
33433 +extern atomic_unchecked_t mod_qp_timouts;
33434 +extern atomic_unchecked_t qps_created;
33435 +extern atomic_unchecked_t qps_destroyed;
33436 +extern atomic_unchecked_t sw_qps_destroyed;
33437 extern u32 mh_detected;
33438 extern u32 mh_pauses_sent;
33439 extern u32 cm_packets_sent;
33440 @@ -196,11 +196,11 @@ extern u32 cm_packets_retrans;
33441 extern u32 cm_listens_created;
33442 extern u32 cm_listens_destroyed;
33443 extern u32 cm_backlog_drops;
33444 -extern atomic_t cm_loopbacks;
33445 -extern atomic_t cm_nodes_created;
33446 -extern atomic_t cm_nodes_destroyed;
33447 -extern atomic_t cm_accel_dropped_pkts;
33448 -extern atomic_t cm_resets_recvd;
33449 +extern atomic_unchecked_t cm_loopbacks;
33450 +extern atomic_unchecked_t cm_nodes_created;
33451 +extern atomic_unchecked_t cm_nodes_destroyed;
33452 +extern atomic_unchecked_t cm_accel_dropped_pkts;
33453 +extern atomic_unchecked_t cm_resets_recvd;
33454
33455 extern u32 int_mod_timer_init;
33456 extern u32 int_mod_cq_depth_256;
33457 diff -urNp linux-2.6.32.49/drivers/infiniband/hw/nes/nes_nic.c linux-2.6.32.49/drivers/infiniband/hw/nes/nes_nic.c
33458 --- linux-2.6.32.49/drivers/infiniband/hw/nes/nes_nic.c 2011-11-08 19:02:43.000000000 -0500
33459 +++ linux-2.6.32.49/drivers/infiniband/hw/nes/nes_nic.c 2011-11-15 19:59:43.000000000 -0500
33460 @@ -1210,17 +1210,17 @@ static void nes_netdev_get_ethtool_stats
33461 target_stat_values[++index] = mh_detected;
33462 target_stat_values[++index] = mh_pauses_sent;
33463 target_stat_values[++index] = nesvnic->endnode_ipv4_tcp_retransmits;
33464 - target_stat_values[++index] = atomic_read(&cm_connects);
33465 - target_stat_values[++index] = atomic_read(&cm_accepts);
33466 - target_stat_values[++index] = atomic_read(&cm_disconnects);
33467 - target_stat_values[++index] = atomic_read(&cm_connecteds);
33468 - target_stat_values[++index] = atomic_read(&cm_connect_reqs);
33469 - target_stat_values[++index] = atomic_read(&cm_rejects);
33470 - target_stat_values[++index] = atomic_read(&mod_qp_timouts);
33471 - target_stat_values[++index] = atomic_read(&qps_created);
33472 - target_stat_values[++index] = atomic_read(&sw_qps_destroyed);
33473 - target_stat_values[++index] = atomic_read(&qps_destroyed);
33474 - target_stat_values[++index] = atomic_read(&cm_closes);
33475 + target_stat_values[++index] = atomic_read_unchecked(&cm_connects);
33476 + target_stat_values[++index] = atomic_read_unchecked(&cm_accepts);
33477 + target_stat_values[++index] = atomic_read_unchecked(&cm_disconnects);
33478 + target_stat_values[++index] = atomic_read_unchecked(&cm_connecteds);
33479 + target_stat_values[++index] = atomic_read_unchecked(&cm_connect_reqs);
33480 + target_stat_values[++index] = atomic_read_unchecked(&cm_rejects);
33481 + target_stat_values[++index] = atomic_read_unchecked(&mod_qp_timouts);
33482 + target_stat_values[++index] = atomic_read_unchecked(&qps_created);
33483 + target_stat_values[++index] = atomic_read_unchecked(&sw_qps_destroyed);
33484 + target_stat_values[++index] = atomic_read_unchecked(&qps_destroyed);
33485 + target_stat_values[++index] = atomic_read_unchecked(&cm_closes);
33486 target_stat_values[++index] = cm_packets_sent;
33487 target_stat_values[++index] = cm_packets_bounced;
33488 target_stat_values[++index] = cm_packets_created;
33489 @@ -1230,11 +1230,11 @@ static void nes_netdev_get_ethtool_stats
33490 target_stat_values[++index] = cm_listens_created;
33491 target_stat_values[++index] = cm_listens_destroyed;
33492 target_stat_values[++index] = cm_backlog_drops;
33493 - target_stat_values[++index] = atomic_read(&cm_loopbacks);
33494 - target_stat_values[++index] = atomic_read(&cm_nodes_created);
33495 - target_stat_values[++index] = atomic_read(&cm_nodes_destroyed);
33496 - target_stat_values[++index] = atomic_read(&cm_accel_dropped_pkts);
33497 - target_stat_values[++index] = atomic_read(&cm_resets_recvd);
33498 + target_stat_values[++index] = atomic_read_unchecked(&cm_loopbacks);
33499 + target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_created);
33500 + target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_destroyed);
33501 + target_stat_values[++index] = atomic_read_unchecked(&cm_accel_dropped_pkts);
33502 + target_stat_values[++index] = atomic_read_unchecked(&cm_resets_recvd);
33503 target_stat_values[++index] = int_mod_timer_init;
33504 target_stat_values[++index] = int_mod_cq_depth_1;
33505 target_stat_values[++index] = int_mod_cq_depth_4;
33506 diff -urNp linux-2.6.32.49/drivers/infiniband/hw/nes/nes_verbs.c linux-2.6.32.49/drivers/infiniband/hw/nes/nes_verbs.c
33507 --- linux-2.6.32.49/drivers/infiniband/hw/nes/nes_verbs.c 2011-11-08 19:02:43.000000000 -0500
33508 +++ linux-2.6.32.49/drivers/infiniband/hw/nes/nes_verbs.c 2011-11-15 19:59:43.000000000 -0500
33509 @@ -45,9 +45,9 @@
33510
33511 #include <rdma/ib_umem.h>
33512
33513 -atomic_t mod_qp_timouts;
33514 -atomic_t qps_created;
33515 -atomic_t sw_qps_destroyed;
33516 +atomic_unchecked_t mod_qp_timouts;
33517 +atomic_unchecked_t qps_created;
33518 +atomic_unchecked_t sw_qps_destroyed;
33519
33520 static void nes_unregister_ofa_device(struct nes_ib_device *nesibdev);
33521
33522 @@ -1240,7 +1240,7 @@ static struct ib_qp *nes_create_qp(struc
33523 if (init_attr->create_flags)
33524 return ERR_PTR(-EINVAL);
33525
33526 - atomic_inc(&qps_created);
33527 + atomic_inc_unchecked(&qps_created);
33528 switch (init_attr->qp_type) {
33529 case IB_QPT_RC:
33530 if (nes_drv_opt & NES_DRV_OPT_NO_INLINE_DATA) {
33531 @@ -1568,7 +1568,7 @@ static int nes_destroy_qp(struct ib_qp *
33532 struct iw_cm_event cm_event;
33533 int ret;
33534
33535 - atomic_inc(&sw_qps_destroyed);
33536 + atomic_inc_unchecked(&sw_qps_destroyed);
33537 nesqp->destroyed = 1;
33538
33539 /* Blow away the connection if it exists. */
33540 diff -urNp linux-2.6.32.49/drivers/input/gameport/gameport.c linux-2.6.32.49/drivers/input/gameport/gameport.c
33541 --- linux-2.6.32.49/drivers/input/gameport/gameport.c 2011-11-08 19:02:43.000000000 -0500
33542 +++ linux-2.6.32.49/drivers/input/gameport/gameport.c 2011-11-15 19:59:43.000000000 -0500
33543 @@ -515,13 +515,13 @@ EXPORT_SYMBOL(gameport_set_phys);
33544 */
33545 static void gameport_init_port(struct gameport *gameport)
33546 {
33547 - static atomic_t gameport_no = ATOMIC_INIT(0);
33548 + static atomic_unchecked_t gameport_no = ATOMIC_INIT(0);
33549
33550 __module_get(THIS_MODULE);
33551
33552 mutex_init(&gameport->drv_mutex);
33553 device_initialize(&gameport->dev);
33554 - dev_set_name(&gameport->dev, "gameport%lu", (unsigned long)atomic_inc_return(&gameport_no) - 1);
33555 + dev_set_name(&gameport->dev, "gameport%lu", (unsigned long)atomic_inc_return_unchecked(&gameport_no) - 1);
33556 gameport->dev.bus = &gameport_bus;
33557 gameport->dev.release = gameport_release_port;
33558 if (gameport->parent)
33559 diff -urNp linux-2.6.32.49/drivers/input/input.c linux-2.6.32.49/drivers/input/input.c
33560 --- linux-2.6.32.49/drivers/input/input.c 2011-11-08 19:02:43.000000000 -0500
33561 +++ linux-2.6.32.49/drivers/input/input.c 2011-11-15 19:59:43.000000000 -0500
33562 @@ -1558,7 +1558,7 @@ EXPORT_SYMBOL(input_set_capability);
33563 */
33564 int input_register_device(struct input_dev *dev)
33565 {
33566 - static atomic_t input_no = ATOMIC_INIT(0);
33567 + static atomic_unchecked_t input_no = ATOMIC_INIT(0);
33568 struct input_handler *handler;
33569 const char *path;
33570 int error;
33571 @@ -1585,7 +1585,7 @@ int input_register_device(struct input_d
33572 dev->setkeycode = input_default_setkeycode;
33573
33574 dev_set_name(&dev->dev, "input%ld",
33575 - (unsigned long) atomic_inc_return(&input_no) - 1);
33576 + (unsigned long) atomic_inc_return_unchecked(&input_no) - 1);
33577
33578 error = device_add(&dev->dev);
33579 if (error)
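Review bot: The changed argument keeps the `(unsigned long)` cast while the format string on the line above it is `"input%ld"`, so the conversion specifier and the argument type disagree. The neighbouring hunks are consistent (gameport pairs `%lu` with `unsigned long`, serio pairs `%ld` with `long`). Since the line is being touched anyway, `(long) atomic_inc_return_unchecked(&input_no) - 1);` would match the specifier without changing the generated device names.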
33580 diff -urNp linux-2.6.32.49/drivers/input/joystick/sidewinder.c linux-2.6.32.49/drivers/input/joystick/sidewinder.c
33581 --- linux-2.6.32.49/drivers/input/joystick/sidewinder.c 2011-11-08 19:02:43.000000000 -0500
33582 +++ linux-2.6.32.49/drivers/input/joystick/sidewinder.c 2011-11-15 19:59:43.000000000 -0500
33583 @@ -30,6 +30,7 @@
33584 #include <linux/kernel.h>
33585 #include <linux/module.h>
33586 #include <linux/slab.h>
33587 +#include <linux/sched.h>
33588 #include <linux/init.h>
33589 #include <linux/input.h>
33590 #include <linux/gameport.h>
33591 @@ -428,6 +429,8 @@ static int sw_read(struct sw *sw)
33592 unsigned char buf[SW_LENGTH];
33593 int i;
33594
33595 + pax_track_stack();
33596 +
33597 i = sw_read_packet(sw->gameport, buf, sw->length, 0);
33598
33599 if (sw->type == SW_ID_3DP && sw->length == 66 && i != 66) { /* Broken packet, try to fix */
33600 diff -urNp linux-2.6.32.49/drivers/input/joystick/xpad.c linux-2.6.32.49/drivers/input/joystick/xpad.c
33601 --- linux-2.6.32.49/drivers/input/joystick/xpad.c 2011-11-08 19:02:43.000000000 -0500
33602 +++ linux-2.6.32.49/drivers/input/joystick/xpad.c 2011-11-15 19:59:43.000000000 -0500
33603 @@ -621,7 +621,7 @@ static void xpad_led_set(struct led_clas
33604
33605 static int xpad_led_probe(struct usb_xpad *xpad)
33606 {
33607 - static atomic_t led_seq = ATOMIC_INIT(0);
33608 + static atomic_unchecked_t led_seq = ATOMIC_INIT(0);
33609 long led_no;
33610 struct xpad_led *led;
33611 struct led_classdev *led_cdev;
33612 @@ -634,7 +634,7 @@ static int xpad_led_probe(struct usb_xpa
33613 if (!led)
33614 return -ENOMEM;
33615
33616 - led_no = (long)atomic_inc_return(&led_seq) - 1;
33617 + led_no = (long)atomic_inc_return_unchecked(&led_seq) - 1;
33618
33619 snprintf(led->name, sizeof(led->name), "xpad%ld", led_no);
33620 led->xpad = xpad;
33621 diff -urNp linux-2.6.32.49/drivers/input/serio/serio.c linux-2.6.32.49/drivers/input/serio/serio.c
33622 --- linux-2.6.32.49/drivers/input/serio/serio.c 2011-11-08 19:02:43.000000000 -0500
33623 +++ linux-2.6.32.49/drivers/input/serio/serio.c 2011-11-15 19:59:43.000000000 -0500
33624 @@ -527,7 +527,7 @@ static void serio_release_port(struct de
33625 */
33626 static void serio_init_port(struct serio *serio)
33627 {
33628 - static atomic_t serio_no = ATOMIC_INIT(0);
33629 + static atomic_unchecked_t serio_no = ATOMIC_INIT(0);
33630
33631 __module_get(THIS_MODULE);
33632
33633 @@ -536,7 +536,7 @@ static void serio_init_port(struct serio
33634 mutex_init(&serio->drv_mutex);
33635 device_initialize(&serio->dev);
33636 dev_set_name(&serio->dev, "serio%ld",
33637 - (long)atomic_inc_return(&serio_no) - 1);
33638 + (long)atomic_inc_return_unchecked(&serio_no) - 1);
33639 serio->dev.bus = &serio_bus;
33640 serio->dev.release = serio_release_port;
33641 if (serio->parent) {
33642 diff -urNp linux-2.6.32.49/drivers/isdn/gigaset/common.c linux-2.6.32.49/drivers/isdn/gigaset/common.c
33643 --- linux-2.6.32.49/drivers/isdn/gigaset/common.c 2011-11-08 19:02:43.000000000 -0500
33644 +++ linux-2.6.32.49/drivers/isdn/gigaset/common.c 2011-11-15 19:59:43.000000000 -0500
33645 @@ -712,7 +712,7 @@ struct cardstate *gigaset_initcs(struct
33646 cs->commands_pending = 0;
33647 cs->cur_at_seq = 0;
33648 cs->gotfwver = -1;
33649 - cs->open_count = 0;
33650 + local_set(&cs->open_count, 0);
33651 cs->dev = NULL;
33652 cs->tty = NULL;
33653 cs->tty_dev = NULL;
33654 diff -urNp linux-2.6.32.49/drivers/isdn/gigaset/gigaset.h linux-2.6.32.49/drivers/isdn/gigaset/gigaset.h
33655 --- linux-2.6.32.49/drivers/isdn/gigaset/gigaset.h 2011-11-08 19:02:43.000000000 -0500
33656 +++ linux-2.6.32.49/drivers/isdn/gigaset/gigaset.h 2011-11-15 19:59:43.000000000 -0500
33657 @@ -34,6 +34,7 @@
33658 #include <linux/tty_driver.h>
33659 #include <linux/list.h>
33660 #include <asm/atomic.h>
33661 +#include <asm/local.h>
33662
33663 #define GIG_VERSION {0,5,0,0}
33664 #define GIG_COMPAT {0,4,0,0}
33665 @@ -446,7 +447,7 @@ struct cardstate {
33666 spinlock_t cmdlock;
33667 unsigned curlen, cmdbytes;
33668
33669 - unsigned open_count;
33670 + local_t open_count;
33671 struct tty_struct *tty;
33672 struct tasklet_struct if_wake_tasklet;
33673 unsigned control_state;
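Review bot: The new `local_t open_count` field in `struct cardstate` has no comment saying what serialises it, and `local_t` operations are atomic only with respect to the CPU they run on. The interface.c hunks test the counter with `local_read()` and then change it with `local_dec_return()` as two separate steps, so they presumably still rely on a lock taken outside the visible lines. A field comment along the lines of `/* tty open count; all accesses serialised by <lock name> */` would record that dependency once the lock is confirmed.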
33674 diff -urNp linux-2.6.32.49/drivers/isdn/gigaset/interface.c linux-2.6.32.49/drivers/isdn/gigaset/interface.c
33675 --- linux-2.6.32.49/drivers/isdn/gigaset/interface.c 2011-11-08 19:02:43.000000000 -0500
33676 +++ linux-2.6.32.49/drivers/isdn/gigaset/interface.c 2011-11-15 19:59:43.000000000 -0500
33677 @@ -165,9 +165,7 @@ static int if_open(struct tty_struct *tt
33678 return -ERESTARTSYS; // FIXME -EINTR?
33679 tty->driver_data = cs;
33680
33681 - ++cs->open_count;
33682 -
33683 - if (cs->open_count == 1) {
33684 + if (local_inc_return(&cs->open_count) == 1) {
33685 spin_lock_irqsave(&cs->lock, flags);
33686 cs->tty = tty;
33687 spin_unlock_irqrestore(&cs->lock, flags);
33688 @@ -195,10 +193,10 @@ static void if_close(struct tty_struct *
33689
33690 if (!cs->connected)
33691 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
33692 - else if (!cs->open_count)
33693 + else if (!local_read(&cs->open_count))
33694 dev_warn(cs->dev, "%s: device not opened\n", __func__);
33695 else {
33696 - if (!--cs->open_count) {
33697 + if (!local_dec_return(&cs->open_count)) {
33698 spin_lock_irqsave(&cs->lock, flags);
33699 cs->tty = NULL;
33700 spin_unlock_irqrestore(&cs->lock, flags);
33701 @@ -233,7 +231,7 @@ static int if_ioctl(struct tty_struct *t
33702 if (!cs->connected) {
33703 gig_dbg(DEBUG_IF, "not connected");
33704 retval = -ENODEV;
33705 - } else if (!cs->open_count)
33706 + } else if (!local_read(&cs->open_count))
33707 dev_warn(cs->dev, "%s: device not opened\n", __func__);
33708 else {
33709 retval = 0;
33710 @@ -361,7 +359,7 @@ static int if_write(struct tty_struct *t
33711 if (!cs->connected) {
33712 gig_dbg(DEBUG_IF, "not connected");
33713 retval = -ENODEV;
33714 - } else if (!cs->open_count)
33715 + } else if (!local_read(&cs->open_count))
33716 dev_warn(cs->dev, "%s: device not opened\n", __func__);
33717 else if (cs->mstate != MS_LOCKED) {
33718 dev_warn(cs->dev, "can't write to unlocked device\n");
33719 @@ -395,7 +393,7 @@ static int if_write_room(struct tty_stru
33720 if (!cs->connected) {
33721 gig_dbg(DEBUG_IF, "not connected");
33722 retval = -ENODEV;
33723 - } else if (!cs->open_count)
33724 + } else if (!local_read(&cs->open_count))
33725 dev_warn(cs->dev, "%s: device not opened\n", __func__);
33726 else if (cs->mstate != MS_LOCKED) {
33727 dev_warn(cs->dev, "can't write to unlocked device\n");
33728 @@ -425,7 +423,7 @@ static int if_chars_in_buffer(struct tty
33729
33730 if (!cs->connected)
33731 gig_dbg(DEBUG_IF, "not connected");
33732 - else if (!cs->open_count)
33733 + else if (!local_read(&cs->open_count))
33734 dev_warn(cs->dev, "%s: device not opened\n", __func__);
33735 else if (cs->mstate != MS_LOCKED)
33736 dev_warn(cs->dev, "can't write to unlocked device\n");
33737 @@ -453,7 +451,7 @@ static void if_throttle(struct tty_struc
33738
33739 if (!cs->connected)
33740 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
33741 - else if (!cs->open_count)
33742 + else if (!local_read(&cs->open_count))
33743 dev_warn(cs->dev, "%s: device not opened\n", __func__);
33744 else {
33745 //FIXME
33746 @@ -478,7 +476,7 @@ static void if_unthrottle(struct tty_str
33747
33748 if (!cs->connected)
33749 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
33750 - else if (!cs->open_count)
33751 + else if (!local_read(&cs->open_count))
33752 dev_warn(cs->dev, "%s: device not opened\n", __func__);
33753 else {
33754 //FIXME
33755 @@ -510,7 +508,7 @@ static void if_set_termios(struct tty_st
33756 goto out;
33757 }
33758
33759 - if (!cs->open_count) {
33760 + if (!local_read(&cs->open_count)) {
33761 dev_warn(cs->dev, "%s: device not opened\n", __func__);
33762 goto out;
33763 }
33764 diff -urNp linux-2.6.32.49/drivers/isdn/hardware/avm/b1.c linux-2.6.32.49/drivers/isdn/hardware/avm/b1.c
33765 --- linux-2.6.32.49/drivers/isdn/hardware/avm/b1.c 2011-11-08 19:02:43.000000000 -0500
33766 +++ linux-2.6.32.49/drivers/isdn/hardware/avm/b1.c 2011-11-15 19:59:43.000000000 -0500
33767 @@ -173,7 +173,7 @@ int b1_load_t4file(avmcard *card, capilo
33768 }
33769 if (left) {
33770 if (t4file->user) {
33771 - if (copy_from_user(buf, dp, left))
33772 + if (left > sizeof buf || copy_from_user(buf, dp, left))
33773 return -EFAULT;
33774 } else {
33775 memcpy(buf, dp, left);
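Review bot: The new `left > sizeof buf` bound guards only the `copy_from_user()` branch, while the `memcpy(buf, dp, left)` in the `else` branch of the same hunk still copies `left` bytes unchecked. Hoisting the test above the `if (t4file->user)` split, as `if (left > sizeof buf) return -EFAULT;`, would cover both paths with one check. The loop that computes `left` is outside the hunk and may already keep it within the buffer, in which case this is defence in depth only. The same shape appears in the b1_load_config hunk that follows and in the icn_writecmd hunk in drivers/isdn/icn/icn.c.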
33776 @@ -221,7 +221,7 @@ int b1_load_config(avmcard *card, capilo
33777 }
33778 if (left) {
33779 if (config->user) {
33780 - if (copy_from_user(buf, dp, left))
33781 + if (left > sizeof buf || copy_from_user(buf, dp, left))
33782 return -EFAULT;
33783 } else {
33784 memcpy(buf, dp, left);
33785 diff -urNp linux-2.6.32.49/drivers/isdn/hardware/eicon/capidtmf.c linux-2.6.32.49/drivers/isdn/hardware/eicon/capidtmf.c
33786 --- linux-2.6.32.49/drivers/isdn/hardware/eicon/capidtmf.c 2011-11-08 19:02:43.000000000 -0500
33787 +++ linux-2.6.32.49/drivers/isdn/hardware/eicon/capidtmf.c 2011-11-15 19:59:43.000000000 -0500
33788 @@ -498,6 +498,7 @@ void capidtmf_recv_block (t_capidtmf_sta
33789 byte goertzel_result_buffer[CAPIDTMF_RECV_TOTAL_FREQUENCY_COUNT];
33790 short windowed_sample_buffer[CAPIDTMF_RECV_WINDOWED_SAMPLES];
33791
33792 + pax_track_stack();
33793
33794 if (p_state->recv.state & CAPIDTMF_RECV_STATE_DTMF_ACTIVE)
33795 {
33796 diff -urNp linux-2.6.32.49/drivers/isdn/hardware/eicon/capifunc.c linux-2.6.32.49/drivers/isdn/hardware/eicon/capifunc.c
33797 --- linux-2.6.32.49/drivers/isdn/hardware/eicon/capifunc.c 2011-11-08 19:02:43.000000000 -0500
33798 +++ linux-2.6.32.49/drivers/isdn/hardware/eicon/capifunc.c 2011-11-15 19:59:43.000000000 -0500
33799 @@ -1055,6 +1055,8 @@ static int divacapi_connect_didd(void)
33800 IDI_SYNC_REQ req;
33801 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
33802
33803 + pax_track_stack();
33804 +
33805 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
33806
33807 for (x = 0; x < MAX_DESCRIPTORS; x++) {
33808 diff -urNp linux-2.6.32.49/drivers/isdn/hardware/eicon/diddfunc.c linux-2.6.32.49/drivers/isdn/hardware/eicon/diddfunc.c
33809 --- linux-2.6.32.49/drivers/isdn/hardware/eicon/diddfunc.c 2011-11-08 19:02:43.000000000 -0500
33810 +++ linux-2.6.32.49/drivers/isdn/hardware/eicon/diddfunc.c 2011-11-15 19:59:43.000000000 -0500
33811 @@ -54,6 +54,8 @@ static int DIVA_INIT_FUNCTION connect_di
33812 IDI_SYNC_REQ req;
33813 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
33814
33815 + pax_track_stack();
33816 +
33817 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
33818
33819 for (x = 0; x < MAX_DESCRIPTORS; x++) {
33820 diff -urNp linux-2.6.32.49/drivers/isdn/hardware/eicon/divasfunc.c linux-2.6.32.49/drivers/isdn/hardware/eicon/divasfunc.c
33821 --- linux-2.6.32.49/drivers/isdn/hardware/eicon/divasfunc.c 2011-11-08 19:02:43.000000000 -0500
33822 +++ linux-2.6.32.49/drivers/isdn/hardware/eicon/divasfunc.c 2011-11-15 19:59:43.000000000 -0500
33823 @@ -161,6 +161,8 @@ static int DIVA_INIT_FUNCTION connect_di
33824 IDI_SYNC_REQ req;
33825 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
33826
33827 + pax_track_stack();
33828 +
33829 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
33830
33831 for (x = 0; x < MAX_DESCRIPTORS; x++) {
33832 diff -urNp linux-2.6.32.49/drivers/isdn/hardware/eicon/divasync.h linux-2.6.32.49/drivers/isdn/hardware/eicon/divasync.h
33833 --- linux-2.6.32.49/drivers/isdn/hardware/eicon/divasync.h 2011-11-08 19:02:43.000000000 -0500
33834 +++ linux-2.6.32.49/drivers/isdn/hardware/eicon/divasync.h 2011-11-15 19:59:43.000000000 -0500
33835 @@ -146,7 +146,7 @@ typedef struct _diva_didd_add_adapter {
33836 } diva_didd_add_adapter_t;
33837 typedef struct _diva_didd_remove_adapter {
33838 IDI_CALL p_request;
33839 -} diva_didd_remove_adapter_t;
33840 +} __no_const diva_didd_remove_adapter_t;
33841 typedef struct _diva_didd_read_adapter_array {
33842 void * buffer;
33843 dword length;
33844 diff -urNp linux-2.6.32.49/drivers/isdn/hardware/eicon/idifunc.c linux-2.6.32.49/drivers/isdn/hardware/eicon/idifunc.c
33845 --- linux-2.6.32.49/drivers/isdn/hardware/eicon/idifunc.c 2011-11-08 19:02:43.000000000 -0500
33846 +++ linux-2.6.32.49/drivers/isdn/hardware/eicon/idifunc.c 2011-11-15 19:59:43.000000000 -0500
33847 @@ -188,6 +188,8 @@ static int DIVA_INIT_FUNCTION connect_di
33848 IDI_SYNC_REQ req;
33849 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
33850
33851 + pax_track_stack();
33852 +
33853 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
33854
33855 for (x = 0; x < MAX_DESCRIPTORS; x++) {
33856 diff -urNp linux-2.6.32.49/drivers/isdn/hardware/eicon/message.c linux-2.6.32.49/drivers/isdn/hardware/eicon/message.c
33857 --- linux-2.6.32.49/drivers/isdn/hardware/eicon/message.c 2011-11-08 19:02:43.000000000 -0500
33858 +++ linux-2.6.32.49/drivers/isdn/hardware/eicon/message.c 2011-11-15 19:59:43.000000000 -0500
33859 @@ -4889,6 +4889,8 @@ static void sig_ind(PLCI *plci)
33860 dword d;
33861 word w;
33862
33863 + pax_track_stack();
33864 +
33865 a = plci->adapter;
33866 Id = ((word)plci->Id<<8)|a->Id;
33867 PUT_WORD(&SS_Ind[4],0x0000);
33868 @@ -7484,6 +7486,8 @@ static word add_b1(PLCI *plci, API_PARSE
33869 word j, n, w;
33870 dword d;
33871
33872 + pax_track_stack();
33873 +
33874
33875 for(i=0;i<8;i++) bp_parms[i].length = 0;
33876 for(i=0;i<2;i++) global_config[i].length = 0;
33877 @@ -7958,6 +7962,8 @@ static word add_b23(PLCI *plci, API_PARS
33878 const byte llc3[] = {4,3,2,2,6,6,0};
33879 const byte header[] = {0,2,3,3,0,0,0};
33880
33881 + pax_track_stack();
33882 +
33883 for(i=0;i<8;i++) bp_parms[i].length = 0;
33884 for(i=0;i<6;i++) b2_config_parms[i].length = 0;
33885 for(i=0;i<5;i++) b3_config_parms[i].length = 0;
33886 @@ -14761,6 +14767,8 @@ static void group_optimization(DIVA_CAPI
33887 word appl_number_group_type[MAX_APPL];
33888 PLCI *auxplci;
33889
33890 + pax_track_stack();
33891 +
33892 set_group_ind_mask (plci); /* all APPLs within this inc. call are allowed to dial in */
33893
33894 if(!a->group_optimization_enabled)
33895 diff -urNp linux-2.6.32.49/drivers/isdn/hardware/eicon/mntfunc.c linux-2.6.32.49/drivers/isdn/hardware/eicon/mntfunc.c
33896 --- linux-2.6.32.49/drivers/isdn/hardware/eicon/mntfunc.c 2011-11-08 19:02:43.000000000 -0500
33897 +++ linux-2.6.32.49/drivers/isdn/hardware/eicon/mntfunc.c 2011-11-15 19:59:43.000000000 -0500
33898 @@ -79,6 +79,8 @@ static int DIVA_INIT_FUNCTION connect_di
33899 IDI_SYNC_REQ req;
33900 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
33901
33902 + pax_track_stack();
33903 +
33904 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
33905
33906 for (x = 0; x < MAX_DESCRIPTORS; x++) {
33907 diff -urNp linux-2.6.32.49/drivers/isdn/hardware/eicon/xdi_adapter.h linux-2.6.32.49/drivers/isdn/hardware/eicon/xdi_adapter.h
33908 --- linux-2.6.32.49/drivers/isdn/hardware/eicon/xdi_adapter.h 2011-11-08 19:02:43.000000000 -0500
33909 +++ linux-2.6.32.49/drivers/isdn/hardware/eicon/xdi_adapter.h 2011-11-15 19:59:43.000000000 -0500
33910 @@ -44,7 +44,7 @@ typedef struct _xdi_mbox_t {
33911 typedef struct _diva_os_idi_adapter_interface {
33912 diva_init_card_proc_t cleanup_adapter_proc;
33913 diva_cmd_card_proc_t cmd_proc;
33914 -} diva_os_idi_adapter_interface_t;
33915 +} __no_const diva_os_idi_adapter_interface_t;
33916
33917 typedef struct _diva_os_xdi_adapter {
33918 struct list_head link;
33919 diff -urNp linux-2.6.32.49/drivers/isdn/i4l/isdn_common.c linux-2.6.32.49/drivers/isdn/i4l/isdn_common.c
33920 --- linux-2.6.32.49/drivers/isdn/i4l/isdn_common.c 2011-11-08 19:02:43.000000000 -0500
33921 +++ linux-2.6.32.49/drivers/isdn/i4l/isdn_common.c 2011-11-15 19:59:43.000000000 -0500
33922 @@ -1290,6 +1290,8 @@ isdn_ioctl(struct inode *inode, struct f
33923 } iocpar;
33924 void __user *argp = (void __user *)arg;
33925
33926 + pax_track_stack();
33927 +
33928 #define name iocpar.name
33929 #define bname iocpar.bname
33930 #define iocts iocpar.iocts
33931 diff -urNp linux-2.6.32.49/drivers/isdn/icn/icn.c linux-2.6.32.49/drivers/isdn/icn/icn.c
33932 --- linux-2.6.32.49/drivers/isdn/icn/icn.c 2011-11-08 19:02:43.000000000 -0500
33933 +++ linux-2.6.32.49/drivers/isdn/icn/icn.c 2011-11-15 19:59:43.000000000 -0500
33934 @@ -1044,7 +1044,7 @@ icn_writecmd(const u_char * buf, int len
33935 if (count > len)
33936 count = len;
33937 if (user) {
33938 - if (copy_from_user(msg, buf, count))
33939 + if (count > sizeof msg || copy_from_user(msg, buf, count))
33940 return -EFAULT;
33941 } else
33942 memcpy(msg, buf, count);
33943 diff -urNp linux-2.6.32.49/drivers/isdn/mISDN/socket.c linux-2.6.32.49/drivers/isdn/mISDN/socket.c
33944 --- linux-2.6.32.49/drivers/isdn/mISDN/socket.c 2011-11-08 19:02:43.000000000 -0500
33945 +++ linux-2.6.32.49/drivers/isdn/mISDN/socket.c 2011-11-15 19:59:43.000000000 -0500
33946 @@ -391,6 +391,7 @@ data_sock_ioctl(struct socket *sock, uns
33947 if (dev) {
33948 struct mISDN_devinfo di;
33949
33950 + memset(&di, 0, sizeof(di));
33951 di.id = dev->id;
33952 di.Dprotocols = dev->Dprotocols;
33953 di.Bprotocols = dev->Bprotocols | get_all_Bprotocols();
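Review bot: The added `memset(&di, 0, sizeof(di));` carries no comment, and it is the kind of line a later cleanup removes as redundant or replaces with an initializer. Assuming `di` is later copied out to user space (the copy is outside the hunk), the memset is what keeps padding and any unassigned fields from carrying stale kernel stack bytes, and an initializer is not guaranteed to clear padding. A one-line comment such as `/* zero padding and unset fields before the struct leaves the kernel */` would preserve the intent. The base_sock_ioctl hunk that follows adds the same line.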
33954 @@ -671,6 +672,7 @@ base_sock_ioctl(struct socket *sock, uns
33955 if (dev) {
33956 struct mISDN_devinfo di;
33957
33958 + memset(&di, 0, sizeof(di));
33959 di.id = dev->id;
33960 di.Dprotocols = dev->Dprotocols;
33961 di.Bprotocols = dev->Bprotocols | get_all_Bprotocols();
33962 diff -urNp linux-2.6.32.49/drivers/isdn/sc/interrupt.c linux-2.6.32.49/drivers/isdn/sc/interrupt.c
33963 --- linux-2.6.32.49/drivers/isdn/sc/interrupt.c 2011-11-08 19:02:43.000000000 -0500
33964 +++ linux-2.6.32.49/drivers/isdn/sc/interrupt.c 2011-11-15 19:59:43.000000000 -0500
33965 @@ -112,11 +112,19 @@ irqreturn_t interrupt_handler(int dummy,
33966 }
33967 else if(callid>=0x0000 && callid<=0x7FFF)
33968 {
33969 + int len;
33970 +
33971 pr_debug("%s: Got Incoming Call\n",
33972 sc_adapter[card]->devicename);
33973 - strcpy(setup.phone,&(rcvmsg.msg_data.byte_array[4]));
33974 - strcpy(setup.eazmsn,
33975 - sc_adapter[card]->channel[rcvmsg.phy_link_no-1].dn);
33976 + len = strlcpy(setup.phone, &(rcvmsg.msg_data.byte_array[4]),
33977 + sizeof(setup.phone));
33978 + if (len >= sizeof(setup.phone))
33979 + continue;
33980 + len = strlcpy(setup.eazmsn,
33981 + sc_adapter[card]->channel[rcvmsg.phy_link_no - 1].dn,
33982 + sizeof(setup.eazmsn));
33983 + if (len >= sizeof(setup.eazmsn))
33984 + continue;
33985 setup.si1 = 7;
33986 setup.si2 = 0;
33987 setup.plan = 0;
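Review bot: `len` is declared `int` but receives the `size_t` result of `strlcpy()` and is then compared against `sizeof(...)`, which is a signed/unsigned comparison; declaring it `size_t len;` avoids the conversion. The two `continue` statements also drop an incoming call with an over-long number without leaving any trace, so a `pr_debug()` before each would make a truncated setup message visible. The index `rcvmsg.phy_link_no - 1` into `channel[]` is not range-checked in the visible lines; the handler starts outside the hunk, so a check may exist there.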
33988 @@ -176,7 +184,9 @@ irqreturn_t interrupt_handler(int dummy,
33989 * Handle a GetMyNumber Rsp
33990 */
33991 if (IS_CE_MESSAGE(rcvmsg,Call,0,GetMyNumber)){
33992 - strcpy(sc_adapter[card]->channel[rcvmsg.phy_link_no-1].dn,rcvmsg.msg_data.byte_array);
33993 + strlcpy(sc_adapter[card]->channel[rcvmsg.phy_link_no - 1].dn,
33994 + rcvmsg.msg_data.byte_array,
33995 + sizeof(rcvmsg.msg_data.byte_array));
33996 continue;
33997 }
33998
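Review bot: The third `strlcpy()` argument is `sizeof(rcvmsg.msg_data.byte_array)`, which is the size of the source, whereas the bound has to be the size of the destination `dn`. If `dn` is the smaller of the two (both declarations are outside the hunk), the copy can still write past the end of it. Assuming `dn` is an array member, `sizeof(sc_adapter[card]->channel[rcvmsg.phy_link_no - 1].dn)` is the bound that matches the destination. Unlike the incoming-call hunk above, the return value is not checked here, so a truncated number would be stored silently.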
33999 diff -urNp linux-2.6.32.49/drivers/lguest/core.c linux-2.6.32.49/drivers/lguest/core.c
34000 --- linux-2.6.32.49/drivers/lguest/core.c 2011-11-08 19:02:43.000000000 -0500
34001 +++ linux-2.6.32.49/drivers/lguest/core.c 2011-11-15 19:59:43.000000000 -0500
34002 @@ -91,9 +91,17 @@ static __init int map_switcher(void)
34003 * it's worked so far. The end address needs +1 because __get_vm_area
34004 * allocates an extra guard page, so we need space for that.
34005 */
34006 +
34007 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
34008 + switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
34009 + VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
34010 + + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
34011 +#else
34012 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
34013 VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
34014 + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
34015 +#endif
34016 +
34017 if (!switcher_vma) {
34018 err = -ENOMEM;
34019 printk("lguest: could not map switcher pages high\n");
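Review bot: The `#if`/`#else` added to map_switcher() duplicates the whole `__get_vm_area()` call in order to change one flag, so the size and address arguments of the two copies can drift apart in later edits. Keeping a single call and selecting only the flags would be easier to maintain, for example a local initialised to `VM_ALLOC` with `flags |= VM_KERNEXEC;` under the `#if`. The function body starts before and continues after the hunk.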
34020 @@ -118,7 +126,7 @@ static __init int map_switcher(void)
34021 * Now the Switcher is mapped at the right address, we can't fail!
34022 * Copy in the compiled-in Switcher code (from <arch>_switcher.S).
34023 */
34024 - memcpy(switcher_vma->addr, start_switcher_text,
34025 + memcpy(switcher_vma->addr, ktla_ktva(start_switcher_text),
34026 end_switcher_text - start_switcher_text);
34027
34028 printk(KERN_INFO "lguest: mapped switcher at %p\n",
34029 diff -urNp linux-2.6.32.49/drivers/lguest/x86/core.c linux-2.6.32.49/drivers/lguest/x86/core.c
34030 --- linux-2.6.32.49/drivers/lguest/x86/core.c 2011-11-08 19:02:43.000000000 -0500
34031 +++ linux-2.6.32.49/drivers/lguest/x86/core.c 2011-11-15 19:59:43.000000000 -0500
34032 @@ -59,7 +59,7 @@ static struct {
34033 /* Offset from where switcher.S was compiled to where we've copied it */
34034 static unsigned long switcher_offset(void)
34035 {
34036 - return SWITCHER_ADDR - (unsigned long)start_switcher_text;
34037 + return SWITCHER_ADDR - (unsigned long)ktla_ktva(start_switcher_text);
34038 }
34039
34040 /* This cpu's struct lguest_pages. */
34041 @@ -100,7 +100,13 @@ static void copy_in_guest_info(struct lg
34042 * These copies are pretty cheap, so we do them unconditionally: */
34043 /* Save the current Host top-level page directory.
34044 */
34045 +
34046 +#ifdef CONFIG_PAX_PER_CPU_PGD
34047 + pages->state.host_cr3 = read_cr3();
34048 +#else
34049 pages->state.host_cr3 = __pa(current->mm->pgd);
34050 +#endif
34051 +
34052 /*
34053 * Set up the Guest's page tables to see this CPU's pages (and no
34054 * other CPU's pages).
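Review bot: The new `#ifdef CONFIG_PAX_PER_CPU_PGD` branch saves `read_cr3()` instead of `__pa(current->mm->pgd)` without saying why, and the existing comment above it still describes a single case. A short comment inside the new branch stating which page directory CR3 holds when this option is enabled would explain why the two values can differ. copy_in_guest_info() begins before and continues after the hunk.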
34055 @@ -535,7 +541,7 @@ void __init lguest_arch_host_init(void)
34056 * compiled-in switcher code and the high-mapped copy we just made.
34057 */
34058 for (i = 0; i < IDT_ENTRIES; i++)
34059 - default_idt_entries[i] += switcher_offset();
34060 + default_idt_entries[i] = ktla_ktva(default_idt_entries[i]) + switcher_offset();
34061
34062 /*
34063 * Set up the Switcher's per-cpu areas.
34064 @@ -618,7 +624,7 @@ void __init lguest_arch_host_init(void)
34065 * it will be undisturbed when we switch. To change %cs and jump we
34066 * need this structure to feed to Intel's "lcall" instruction.
34067 */
34068 - lguest_entry.offset = (long)switch_to_guest + switcher_offset();
34069 + lguest_entry.offset = (long)ktla_ktva(switch_to_guest) + switcher_offset();
34070 lguest_entry.segment = LGUEST_CS;
34071
34072 /*
34073 diff -urNp linux-2.6.32.49/drivers/lguest/x86/switcher_32.S linux-2.6.32.49/drivers/lguest/x86/switcher_32.S
34074 --- linux-2.6.32.49/drivers/lguest/x86/switcher_32.S 2011-11-08 19:02:43.000000000 -0500
34075 +++ linux-2.6.32.49/drivers/lguest/x86/switcher_32.S 2011-11-15 19:59:43.000000000 -0500
34076 @@ -87,6 +87,7 @@
34077 #include <asm/page.h>
34078 #include <asm/segment.h>
34079 #include <asm/lguest.h>
34080 +#include <asm/processor-flags.h>
34081
34082 // We mark the start of the code to copy
34083 // It's placed in .text tho it's never run here
34084 @@ -149,6 +150,13 @@ ENTRY(switch_to_guest)
34085 // Changes type when we load it: damn Intel!
34086 // For after we switch over our page tables
34087 // That entry will be read-only: we'd crash.
34088 +
34089 +#ifdef CONFIG_PAX_KERNEXEC
34090 + mov %cr0, %edx
34091 + xor $X86_CR0_WP, %edx
34092 + mov %edx, %cr0
34093 +#endif
34094 +
34095 movl $(GDT_ENTRY_TSS*8), %edx
34096 ltr %dx
34097
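Review bot: The added block flips CR0.WP with `xor $X86_CR0_WP, %edx`, and the matching block in the next hunk flips it back the same way, so the sequence disables write protection only if the bit was set on entry. If WP were ever clear at this point, the first block would turn it on just before `ltr` writes the TSS descriptor and the second would leave it off afterwards. State-independent forms are `andl $~X86_CR0_WP, %edx` to open the window and `orl $X86_CR0_WP, %eax` to close it. The next hunk also moves the GDT pointer from %edx into %eax and then overwrites %eax with CR0; the visible lines do not show whether the old %eax value is still needed, so a comment on that would help.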
34098 @@ -157,9 +165,15 @@ ENTRY(switch_to_guest)
34099 // Let's clear it again for our return.
34100 // The GDT descriptor of the Host
34101 // Points to the table after two "size" bytes
34102 - movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %edx
34103 + movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %eax
34104 // Clear "used" from type field (byte 5, bit 2)
34105 - andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%edx)
34106 + andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%eax)
34107 +
34108 +#ifdef CONFIG_PAX_KERNEXEC
34109 + mov %cr0, %eax
34110 + xor $X86_CR0_WP, %eax
34111 + mov %eax, %cr0
34112 +#endif
34113
34114 // Once our page table's switched, the Guest is live!
34115 // The Host fades as we run this final step.
34116 @@ -295,13 +309,12 @@ deliver_to_host:
34117 // I consulted gcc, and it gave
34118 // These instructions, which I gladly credit:
34119 leal (%edx,%ebx,8), %eax
34120 - movzwl (%eax),%edx
34121 - movl 4(%eax), %eax
34122 - xorw %ax, %ax
34123 - orl %eax, %edx
34124 + movl 4(%eax), %edx
34125 + movw (%eax), %dx
34126 // Now the address of the handler's in %edx
34127 // We call it now: its "iret" drops us home.
34128 - jmp *%edx
34129 + ljmp $__KERNEL_CS, $1f
34130 +1: jmp *%edx
34131
34132 // Every interrupt can come to us here
34133 // But we must truly tell each apart.
34134 diff -urNp linux-2.6.32.49/drivers/macintosh/macio_asic.c linux-2.6.32.49/drivers/macintosh/macio_asic.c
34135 --- linux-2.6.32.49/drivers/macintosh/macio_asic.c 2011-11-08 19:02:43.000000000 -0500
34136 +++ linux-2.6.32.49/drivers/macintosh/macio_asic.c 2011-11-18 18:01:55.000000000 -0500
34137 @@ -701,7 +701,7 @@ static void __devexit macio_pci_remove(s
34138 * MacIO is matched against any Apple ID, it's probe() function
34139 * will then decide wether it applies or not
34140 */
34141 -static const struct pci_device_id __devinitdata pci_ids [] = { {
34142 +static const struct pci_device_id __devinitconst pci_ids [] = { {
34143 .vendor = PCI_VENDOR_ID_APPLE,
34144 .device = PCI_ANY_ID,
34145 .subvendor = PCI_ANY_ID,
34146 diff -urNp linux-2.6.32.49/drivers/macintosh/via-pmu-backlight.c linux-2.6.32.49/drivers/macintosh/via-pmu-backlight.c
34147 --- linux-2.6.32.49/drivers/macintosh/via-pmu-backlight.c 2011-11-08 19:02:43.000000000 -0500
34148 +++ linux-2.6.32.49/drivers/macintosh/via-pmu-backlight.c 2011-11-15 19:59:43.000000000 -0500
34149 @@ -15,7 +15,7 @@
34150
34151 #define MAX_PMU_LEVEL 0xFF
34152
34153 -static struct backlight_ops pmu_backlight_data;
34154 +static const struct backlight_ops pmu_backlight_data;
34155 static DEFINE_SPINLOCK(pmu_backlight_lock);
34156 static int sleeping, uses_pmu_bl;
34157 static u8 bl_curve[FB_BACKLIGHT_LEVELS];
34158 @@ -115,7 +115,7 @@ static int pmu_backlight_get_brightness(
34159 return bd->props.brightness;
34160 }
34161
34162 -static struct backlight_ops pmu_backlight_data = {
34163 +static const struct backlight_ops pmu_backlight_data = {
34164 .get_brightness = pmu_backlight_get_brightness,
34165 .update_status = pmu_backlight_update_status,
34166
34167 diff -urNp linux-2.6.32.49/drivers/macintosh/via-pmu.c linux-2.6.32.49/drivers/macintosh/via-pmu.c
34168 --- linux-2.6.32.49/drivers/macintosh/via-pmu.c 2011-11-08 19:02:43.000000000 -0500
34169 +++ linux-2.6.32.49/drivers/macintosh/via-pmu.c 2011-11-15 19:59:43.000000000 -0500
34170 @@ -2232,7 +2232,7 @@ static int pmu_sleep_valid(suspend_state
34171 && (pmac_call_feature(PMAC_FTR_SLEEP_STATE, NULL, 0, -1) >= 0);
34172 }
34173
34174 -static struct platform_suspend_ops pmu_pm_ops = {
34175 +static const struct platform_suspend_ops pmu_pm_ops = {
34176 .enter = powerbook_sleep,
34177 .valid = pmu_sleep_valid,
34178 };
34179 diff -urNp linux-2.6.32.49/drivers/md/dm.c linux-2.6.32.49/drivers/md/dm.c
34180 --- linux-2.6.32.49/drivers/md/dm.c 2011-11-08 19:02:43.000000000 -0500
34181 +++ linux-2.6.32.49/drivers/md/dm.c 2011-11-15 19:59:43.000000000 -0500
34182 @@ -165,9 +165,9 @@ struct mapped_device {
34183 /*
34184 * Event handling.
34185 */
34186 - atomic_t event_nr;
34187 + atomic_unchecked_t event_nr;
34188 wait_queue_head_t eventq;
34189 - atomic_t uevent_seq;
34190 + atomic_unchecked_t uevent_seq;
34191 struct list_head uevent_list;
34192 spinlock_t uevent_lock; /* Protect access to uevent_list */
34193
34194 @@ -1776,8 +1776,8 @@ static struct mapped_device *alloc_dev(i
34195 rwlock_init(&md->map_lock);
34196 atomic_set(&md->holders, 1);
34197 atomic_set(&md->open_count, 0);
34198 - atomic_set(&md->event_nr, 0);
34199 - atomic_set(&md->uevent_seq, 0);
34200 + atomic_set_unchecked(&md->event_nr, 0);
34201 + atomic_set_unchecked(&md->uevent_seq, 0);
34202 INIT_LIST_HEAD(&md->uevent_list);
34203 spin_lock_init(&md->uevent_lock);
34204
34205 @@ -1927,7 +1927,7 @@ static void event_callback(void *context
34206
34207 dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj);
34208
34209 - atomic_inc(&md->event_nr);
34210 + atomic_inc_unchecked(&md->event_nr);
34211 wake_up(&md->eventq);
34212 }
34213
34214 @@ -2562,18 +2562,18 @@ void dm_kobject_uevent(struct mapped_dev
34215
34216 uint32_t dm_next_uevent_seq(struct mapped_device *md)
34217 {
34218 - return atomic_add_return(1, &md->uevent_seq);
34219 + return atomic_add_return_unchecked(1, &md->uevent_seq);
34220 }
34221
34222 uint32_t dm_get_event_nr(struct mapped_device *md)
34223 {
34224 - return atomic_read(&md->event_nr);
34225 + return atomic_read_unchecked(&md->event_nr);
34226 }
34227
34228 int dm_wait_event(struct mapped_device *md, int event_nr)
34229 {
34230 return wait_event_interruptible(md->eventq,
34231 - (event_nr != atomic_read(&md->event_nr)));
34232 + (event_nr != atomic_read_unchecked(&md->event_nr)));
34233 }
34234
34235 void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
34236 diff -urNp linux-2.6.32.49/drivers/md/dm-ioctl.c linux-2.6.32.49/drivers/md/dm-ioctl.c
34237 --- linux-2.6.32.49/drivers/md/dm-ioctl.c 2011-11-08 19:02:43.000000000 -0500
34238 +++ linux-2.6.32.49/drivers/md/dm-ioctl.c 2011-11-15 19:59:43.000000000 -0500
34239 @@ -1437,7 +1437,7 @@ static int validate_params(uint cmd, str
34240 cmd == DM_LIST_VERSIONS_CMD)
34241 return 0;
34242
34243 - if ((cmd == DM_DEV_CREATE_CMD)) {
34244 + if (cmd == DM_DEV_CREATE_CMD) {
34245 if (!*param->name) {
34246 DMWARN("name not supplied when creating device");
34247 return -EINVAL;
34248 diff -urNp linux-2.6.32.49/drivers/md/dm-raid1.c linux-2.6.32.49/drivers/md/dm-raid1.c
34249 --- linux-2.6.32.49/drivers/md/dm-raid1.c 2011-11-08 19:02:43.000000000 -0500
34250 +++ linux-2.6.32.49/drivers/md/dm-raid1.c 2011-11-15 19:59:43.000000000 -0500
34251 @@ -41,7 +41,7 @@ enum dm_raid1_error {
34252
34253 struct mirror {
34254 struct mirror_set *ms;
34255 - atomic_t error_count;
34256 + atomic_unchecked_t error_count;
34257 unsigned long error_type;
34258 struct dm_dev *dev;
34259 sector_t offset;
34260 @@ -203,7 +203,7 @@ static void fail_mirror(struct mirror *m
34261 * simple way to tell if a device has encountered
34262 * errors.
34263 */
34264 - atomic_inc(&m->error_count);
34265 + atomic_inc_unchecked(&m->error_count);
34266
34267 if (test_and_set_bit(error_type, &m->error_type))
34268 return;
34269 @@ -225,7 +225,7 @@ static void fail_mirror(struct mirror *m
34270 }
34271
34272 for (new = ms->mirror; new < ms->mirror + ms->nr_mirrors; new++)
34273 - if (!atomic_read(&new->error_count)) {
34274 + if (!atomic_read_unchecked(&new->error_count)) {
34275 set_default_mirror(new);
34276 break;
34277 }
34278 @@ -363,7 +363,7 @@ static struct mirror *choose_mirror(stru
34279 struct mirror *m = get_default_mirror(ms);
34280
34281 do {
34282 - if (likely(!atomic_read(&m->error_count)))
34283 + if (likely(!atomic_read_unchecked(&m->error_count)))
34284 return m;
34285
34286 if (m-- == ms->mirror)
34287 @@ -377,7 +377,7 @@ static int default_ok(struct mirror *m)
34288 {
34289 struct mirror *default_mirror = get_default_mirror(m->ms);
34290
34291 - return !atomic_read(&default_mirror->error_count);
34292 + return !atomic_read_unchecked(&default_mirror->error_count);
34293 }
34294
34295 static int mirror_available(struct mirror_set *ms, struct bio *bio)
34296 @@ -484,7 +484,7 @@ static void do_reads(struct mirror_set *
34297 */
34298 if (likely(region_in_sync(ms, region, 1)))
34299 m = choose_mirror(ms, bio->bi_sector);
34300 - else if (m && atomic_read(&m->error_count))
34301 + else if (m && atomic_read_unchecked(&m->error_count))
34302 m = NULL;
34303
34304 if (likely(m))
34305 @@ -855,7 +855,7 @@ static int get_mirror(struct mirror_set
34306 }
34307
34308 ms->mirror[mirror].ms = ms;
34309 - atomic_set(&(ms->mirror[mirror].error_count), 0);
34310 + atomic_set_unchecked(&(ms->mirror[mirror].error_count), 0);
34311 ms->mirror[mirror].error_type = 0;
34312 ms->mirror[mirror].offset = offset;
34313
34314 @@ -1241,7 +1241,7 @@ static void mirror_resume(struct dm_targ
34315 */
34316 static char device_status_char(struct mirror *m)
34317 {
34318 - if (!atomic_read(&(m->error_count)))
34319 + if (!atomic_read_unchecked(&(m->error_count)))
34320 return 'A';
34321
34322 return (test_bit(DM_RAID1_WRITE_ERROR, &(m->error_type))) ? 'D' :
34323 diff -urNp linux-2.6.32.49/drivers/md/dm-stripe.c linux-2.6.32.49/drivers/md/dm-stripe.c
34324 --- linux-2.6.32.49/drivers/md/dm-stripe.c 2011-11-08 19:02:43.000000000 -0500
34325 +++ linux-2.6.32.49/drivers/md/dm-stripe.c 2011-11-15 19:59:43.000000000 -0500
34326 @@ -20,7 +20,7 @@ struct stripe {
34327 struct dm_dev *dev;
34328 sector_t physical_start;
34329
34330 - atomic_t error_count;
34331 + atomic_unchecked_t error_count;
34332 };
34333
34334 struct stripe_c {
34335 @@ -188,7 +188,7 @@ static int stripe_ctr(struct dm_target *
34336 kfree(sc);
34337 return r;
34338 }
34339 - atomic_set(&(sc->stripe[i].error_count), 0);
34340 + atomic_set_unchecked(&(sc->stripe[i].error_count), 0);
34341 }
34342
34343 ti->private = sc;
34344 @@ -257,7 +257,7 @@ static int stripe_status(struct dm_targe
34345 DMEMIT("%d ", sc->stripes);
34346 for (i = 0; i < sc->stripes; i++) {
34347 DMEMIT("%s ", sc->stripe[i].dev->name);
34348 - buffer[i] = atomic_read(&(sc->stripe[i].error_count)) ?
34349 + buffer[i] = atomic_read_unchecked(&(sc->stripe[i].error_count)) ?
34350 'D' : 'A';
34351 }
34352 buffer[i] = '\0';
34353 @@ -304,8 +304,8 @@ static int stripe_end_io(struct dm_targe
34354 */
34355 for (i = 0; i < sc->stripes; i++)
34356 if (!strcmp(sc->stripe[i].dev->name, major_minor)) {
34357 - atomic_inc(&(sc->stripe[i].error_count));
34358 - if (atomic_read(&(sc->stripe[i].error_count)) <
34359 + atomic_inc_unchecked(&(sc->stripe[i].error_count));
34360 + if (atomic_read_unchecked(&(sc->stripe[i].error_count)) <
34361 DM_IO_ERROR_THRESHOLD)
34362 queue_work(kstriped, &sc->kstriped_ws);
34363 }
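Review bot: In stripe_end_io the error counter is bumped with `atomic_inc_unchecked()` and then fetched again with a separate `atomic_read_unchecked()`, so the threshold comparison can be made on a value that already includes another CPU's concurrent increment rather than the one this completion produced. The patch already uses the combined primitive elsewhere (`atomic_inc_return_unchecked` in cx18-driver.c); here it would read `if (atomic_inc_return_unchecked(&(sc->stripe[i].error_count)) < DM_IO_ERROR_THRESHOLD)`. The two-step pattern is inherited from the pre-patch code, and the enclosing function extends beyond the hunk.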
34364 diff -urNp linux-2.6.32.49/drivers/md/dm-sysfs.c linux-2.6.32.49/drivers/md/dm-sysfs.c
34365 --- linux-2.6.32.49/drivers/md/dm-sysfs.c 2011-11-08 19:02:43.000000000 -0500
34366 +++ linux-2.6.32.49/drivers/md/dm-sysfs.c 2011-11-15 19:59:43.000000000 -0500
34367 @@ -75,7 +75,7 @@ static struct attribute *dm_attrs[] = {
34368 NULL,
34369 };
34370
34371 -static struct sysfs_ops dm_sysfs_ops = {
34372 +static const struct sysfs_ops dm_sysfs_ops = {
34373 .show = dm_attr_show,
34374 };
34375
34376 diff -urNp linux-2.6.32.49/drivers/md/dm-table.c linux-2.6.32.49/drivers/md/dm-table.c
34377 --- linux-2.6.32.49/drivers/md/dm-table.c 2011-11-08 19:02:43.000000000 -0500
34378 +++ linux-2.6.32.49/drivers/md/dm-table.c 2011-11-15 19:59:43.000000000 -0500
34379 @@ -376,7 +376,7 @@ static int device_area_is_invalid(struct
34380 if (!dev_size)
34381 return 0;
34382
34383 - if ((start >= dev_size) || (start + len > dev_size)) {
34384 + if ((start >= dev_size) || (len > dev_size - start)) {
34385 DMWARN("%s: %s too small for target: "
34386 "start=%llu, len=%llu, dev_size=%llu",
34387 dm_device_name(ti->table->md), bdevname(bdev, b),
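Review bot: The rewritten bound `len > dev_size - start` is only wrap-free because `start >= dev_size` is tested first and short-circuits, and nothing in the hunk records that ordering dependency. A later reordering of the two operands would make the subtraction wrap for an out-of-range start. I would add a comment above the condition, such as `/* start < dev_size is established first, so dev_size - start cannot wrap */`. The declarations of start, len and dev_size are outside the hunk; they are assumed to be unsigned 64-bit from the `%llu` conversions in the warning.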
34388 diff -urNp linux-2.6.32.49/drivers/md/md.c linux-2.6.32.49/drivers/md/md.c
34389 --- linux-2.6.32.49/drivers/md/md.c 2011-11-08 19:02:43.000000000 -0500
34390 +++ linux-2.6.32.49/drivers/md/md.c 2011-11-15 19:59:43.000000000 -0500
34391 @@ -153,10 +153,10 @@ static int start_readonly;
34392 * start build, activate spare
34393 */
34394 static DECLARE_WAIT_QUEUE_HEAD(md_event_waiters);
34395 -static atomic_t md_event_count;
34396 +static atomic_unchecked_t md_event_count;
34397 void md_new_event(mddev_t *mddev)
34398 {
34399 - atomic_inc(&md_event_count);
34400 + atomic_inc_unchecked(&md_event_count);
34401 wake_up(&md_event_waiters);
34402 }
34403 EXPORT_SYMBOL_GPL(md_new_event);
34404 @@ -166,7 +166,7 @@ EXPORT_SYMBOL_GPL(md_new_event);
34405 */
34406 static void md_new_event_inintr(mddev_t *mddev)
34407 {
34408 - atomic_inc(&md_event_count);
34409 + atomic_inc_unchecked(&md_event_count);
34410 wake_up(&md_event_waiters);
34411 }
34412
34413 @@ -1226,7 +1226,7 @@ static int super_1_load(mdk_rdev_t *rdev
34414
34415 rdev->preferred_minor = 0xffff;
34416 rdev->data_offset = le64_to_cpu(sb->data_offset);
34417 - atomic_set(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
34418 + atomic_set_unchecked(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
34419
34420 rdev->sb_size = le32_to_cpu(sb->max_dev) * 2 + 256;
34421 bmask = queue_logical_block_size(rdev->bdev->bd_disk->queue)-1;
34422 @@ -1400,7 +1400,7 @@ static void super_1_sync(mddev_t *mddev,
34423 else
34424 sb->resync_offset = cpu_to_le64(0);
34425
34426 - sb->cnt_corrected_read = cpu_to_le32(atomic_read(&rdev->corrected_errors));
34427 + sb->cnt_corrected_read = cpu_to_le32(atomic_read_unchecked(&rdev->corrected_errors));
34428
34429 sb->raid_disks = cpu_to_le32(mddev->raid_disks);
34430 sb->size = cpu_to_le64(mddev->dev_sectors);
34431 @@ -2222,7 +2222,7 @@ __ATTR(state, S_IRUGO|S_IWUSR, state_sho
34432 static ssize_t
34433 errors_show(mdk_rdev_t *rdev, char *page)
34434 {
34435 - return sprintf(page, "%d\n", atomic_read(&rdev->corrected_errors));
34436 + return sprintf(page, "%d\n", atomic_read_unchecked(&rdev->corrected_errors));
34437 }
34438
34439 static ssize_t
34440 @@ -2231,7 +2231,7 @@ errors_store(mdk_rdev_t *rdev, const cha
34441 char *e;
34442 unsigned long n = simple_strtoul(buf, &e, 10);
34443 if (*buf && (*e == 0 || *e == '\n')) {
34444 - atomic_set(&rdev->corrected_errors, n);
34445 + atomic_set_unchecked(&rdev->corrected_errors, n);
34446 return len;
34447 }
34448 return -EINVAL;
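Review bot: In errors_store the value parsed into `unsigned long n` goes straight into `atomic_set_unchecked()`, which stores an int, so a sysfs write above INT_MAX is silently truncated. errors_show in the previous hunk then prints it with `%d` as a negative count, and super_1_sync copies the same counter into the on-disk superblock. A range check before the store, `if (n > INT_MAX) return -EINVAL;`, keeps the counter meaningful. The function's signature and the start of its body are outside the hunk.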
34449 @@ -2525,7 +2525,7 @@ static void rdev_free(struct kobject *ko
34450 mdk_rdev_t *rdev = container_of(ko, mdk_rdev_t, kobj);
34451 kfree(rdev);
34452 }
34453 -static struct sysfs_ops rdev_sysfs_ops = {
34454 +static const struct sysfs_ops rdev_sysfs_ops = {
34455 .show = rdev_attr_show,
34456 .store = rdev_attr_store,
34457 };
34458 @@ -2574,8 +2574,8 @@ static mdk_rdev_t *md_import_device(dev_
34459 rdev->data_offset = 0;
34460 rdev->sb_events = 0;
34461 atomic_set(&rdev->nr_pending, 0);
34462 - atomic_set(&rdev->read_errors, 0);
34463 - atomic_set(&rdev->corrected_errors, 0);
34464 + atomic_set_unchecked(&rdev->read_errors, 0);
34465 + atomic_set_unchecked(&rdev->corrected_errors, 0);
34466
34467 size = rdev->bdev->bd_inode->i_size >> BLOCK_SIZE_BITS;
34468 if (!size) {
34469 @@ -3895,7 +3895,7 @@ static void md_free(struct kobject *ko)
34470 kfree(mddev);
34471 }
34472
34473 -static struct sysfs_ops md_sysfs_ops = {
34474 +static const struct sysfs_ops md_sysfs_ops = {
34475 .show = md_attr_show,
34476 .store = md_attr_store,
34477 };
34478 @@ -4482,7 +4482,8 @@ out:
34479 err = 0;
34480 blk_integrity_unregister(disk);
34481 md_new_event(mddev);
34482 - sysfs_notify_dirent(mddev->sysfs_state);
34483 + if (mddev->sysfs_state)
34484 + sysfs_notify_dirent(mddev->sysfs_state);
34485 return err;
34486 }
34487
34488 @@ -5962,7 +5963,7 @@ static int md_seq_show(struct seq_file *
34489
34490 spin_unlock(&pers_lock);
34491 seq_printf(seq, "\n");
34492 - mi->event = atomic_read(&md_event_count);
34493 + mi->event = atomic_read_unchecked(&md_event_count);
34494 return 0;
34495 }
34496 if (v == (void*)2) {
34497 @@ -6051,7 +6052,7 @@ static int md_seq_show(struct seq_file *
34498 chunk_kb ? "KB" : "B");
34499 if (bitmap->file) {
34500 seq_printf(seq, ", file: ");
34501 - seq_path(seq, &bitmap->file->f_path, " \t\n");
34502 + seq_path(seq, &bitmap->file->f_path, " \t\n\\");
34503 }
34504
34505 seq_printf(seq, "\n");
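Review bot: The extra `\\` in the escape set passed to seq_path() carries no comment, and the reason is not evident from the call. As far as I understand seq_path(), characters in that set are emitted as octal escapes. With the backslash itself left unescaped, a bitmap file name containing a literal backslash sequence is indistinguishable from an escaped space or newline to anything parsing this output. I would add `/* escape '\\' as well so the octal escapes in the output stay unambiguous */` above the call; md_seq_show starts and ends outside the hunk.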
34506 @@ -6085,7 +6086,7 @@ static int md_seq_open(struct inode *ino
34507 else {
34508 struct seq_file *p = file->private_data;
34509 p->private = mi;
34510 - mi->event = atomic_read(&md_event_count);
34511 + mi->event = atomic_read_unchecked(&md_event_count);
34512 }
34513 return error;
34514 }
34515 @@ -6101,7 +6102,7 @@ static unsigned int mdstat_poll(struct f
34516 /* always allow read */
34517 mask = POLLIN | POLLRDNORM;
34518
34519 - if (mi->event != atomic_read(&md_event_count))
34520 + if (mi->event != atomic_read_unchecked(&md_event_count))
34521 mask |= POLLERR | POLLPRI;
34522 return mask;
34523 }
34524 @@ -6145,7 +6146,7 @@ static int is_mddev_idle(mddev_t *mddev,
34525 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
34526 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
34527 (int)part_stat_read(&disk->part0, sectors[1]) -
34528 - atomic_read(&disk->sync_io);
34529 + atomic_read_unchecked(&disk->sync_io);
34530 /* sync IO will cause sync_io to increase before the disk_stats
34531 * as sync_io is counted when a request starts, and
34532 * disk_stats is counted when it completes.
34533 diff -urNp linux-2.6.32.49/drivers/md/md.h linux-2.6.32.49/drivers/md/md.h
34534 --- linux-2.6.32.49/drivers/md/md.h 2011-11-08 19:02:43.000000000 -0500
34535 +++ linux-2.6.32.49/drivers/md/md.h 2011-11-15 19:59:43.000000000 -0500
34536 @@ -94,10 +94,10 @@ struct mdk_rdev_s
34537 * only maintained for arrays that
34538 * support hot removal
34539 */
34540 - atomic_t read_errors; /* number of consecutive read errors that
34541 + atomic_unchecked_t read_errors; /* number of consecutive read errors that
34542 * we have tried to ignore.
34543 */
34544 - atomic_t corrected_errors; /* number of corrected read errors,
34545 + atomic_unchecked_t corrected_errors; /* number of corrected read errors,
34546 * for reporting to userspace and storing
34547 * in superblock.
34548 */
34549 @@ -304,7 +304,7 @@ static inline void rdev_dec_pending(mdk_
34550
34551 static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
34552 {
34553 - atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
34554 + atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
34555 }
34556
34557 struct mdk_personality
34558 diff -urNp linux-2.6.32.49/drivers/md/raid10.c linux-2.6.32.49/drivers/md/raid10.c
34559 --- linux-2.6.32.49/drivers/md/raid10.c 2011-11-08 19:02:43.000000000 -0500
34560 +++ linux-2.6.32.49/drivers/md/raid10.c 2011-11-15 19:59:43.000000000 -0500
34561 @@ -1255,7 +1255,7 @@ static void end_sync_read(struct bio *bi
34562 if (test_bit(BIO_UPTODATE, &bio->bi_flags))
34563 set_bit(R10BIO_Uptodate, &r10_bio->state);
34564 else {
34565 - atomic_add(r10_bio->sectors,
34566 + atomic_add_unchecked(r10_bio->sectors,
34567 &conf->mirrors[d].rdev->corrected_errors);
34568 if (!test_bit(MD_RECOVERY_SYNC, &conf->mddev->recovery))
34569 md_error(r10_bio->mddev,
34570 @@ -1520,7 +1520,7 @@ static void fix_read_error(conf_t *conf,
34571 test_bit(In_sync, &rdev->flags)) {
34572 atomic_inc(&rdev->nr_pending);
34573 rcu_read_unlock();
34574 - atomic_add(s, &rdev->corrected_errors);
34575 + atomic_add_unchecked(s, &rdev->corrected_errors);
34576 if (sync_page_io(rdev->bdev,
34577 r10_bio->devs[sl].addr +
34578 sect + rdev->data_offset,
34579 diff -urNp linux-2.6.32.49/drivers/md/raid1.c linux-2.6.32.49/drivers/md/raid1.c
34580 --- linux-2.6.32.49/drivers/md/raid1.c 2011-11-08 19:02:43.000000000 -0500
34581 +++ linux-2.6.32.49/drivers/md/raid1.c 2011-11-15 19:59:43.000000000 -0500
34582 @@ -1415,7 +1415,7 @@ static void sync_request_write(mddev_t *
34583 if (r1_bio->bios[d]->bi_end_io != end_sync_read)
34584 continue;
34585 rdev = conf->mirrors[d].rdev;
34586 - atomic_add(s, &rdev->corrected_errors);
34587 + atomic_add_unchecked(s, &rdev->corrected_errors);
34588 if (sync_page_io(rdev->bdev,
34589 sect + rdev->data_offset,
34590 s<<9,
34591 @@ -1564,7 +1564,7 @@ static void fix_read_error(conf_t *conf,
34592 /* Well, this device is dead */
34593 md_error(mddev, rdev);
34594 else {
34595 - atomic_add(s, &rdev->corrected_errors);
34596 + atomic_add_unchecked(s, &rdev->corrected_errors);
34597 printk(KERN_INFO
34598 "raid1:%s: read error corrected "
34599 "(%d sectors at %llu on %s)\n",
34600 diff -urNp linux-2.6.32.49/drivers/md/raid5.c linux-2.6.32.49/drivers/md/raid5.c
34601 --- linux-2.6.32.49/drivers/md/raid5.c 2011-11-26 19:44:53.000000000 -0500
34602 +++ linux-2.6.32.49/drivers/md/raid5.c 2011-11-26 19:45:06.000000000 -0500
34603 @@ -482,7 +482,7 @@ static void ops_run_io(struct stripe_hea
34604 bi->bi_next = NULL;
34605 if ((rw & WRITE) &&
34606 test_bit(R5_ReWrite, &sh->dev[i].flags))
34607 - atomic_add(STRIPE_SECTORS,
34608 + atomic_add_unchecked(STRIPE_SECTORS,
34609 &rdev->corrected_errors);
34610 generic_make_request(bi);
34611 } else {
34612 @@ -1517,15 +1517,15 @@ static void raid5_end_read_request(struc
34613 clear_bit(R5_ReadError, &sh->dev[i].flags);
34614 clear_bit(R5_ReWrite, &sh->dev[i].flags);
34615 }
34616 - if (atomic_read(&conf->disks[i].rdev->read_errors))
34617 - atomic_set(&conf->disks[i].rdev->read_errors, 0);
34618 + if (atomic_read_unchecked(&conf->disks[i].rdev->read_errors))
34619 + atomic_set_unchecked(&conf->disks[i].rdev->read_errors, 0);
34620 } else {
34621 const char *bdn = bdevname(conf->disks[i].rdev->bdev, b);
34622 int retry = 0;
34623 rdev = conf->disks[i].rdev;
34624
34625 clear_bit(R5_UPTODATE, &sh->dev[i].flags);
34626 - atomic_inc(&rdev->read_errors);
34627 + atomic_inc_unchecked(&rdev->read_errors);
34628 if (conf->mddev->degraded >= conf->max_degraded)
34629 printk_rl(KERN_WARNING
34630 "raid5:%s: read error not correctable "
34631 @@ -1543,7 +1543,7 @@ static void raid5_end_read_request(struc
34632 (unsigned long long)(sh->sector
34633 + rdev->data_offset),
34634 bdn);
34635 - else if (atomic_read(&rdev->read_errors)
34636 + else if (atomic_read_unchecked(&rdev->read_errors)
34637 > conf->max_nr_stripes)
34638 printk(KERN_WARNING
34639 "raid5:%s: Too many read errors, failing device %s.\n",
34640 @@ -1870,6 +1870,7 @@ static sector_t compute_blocknr(struct s
34641 sector_t r_sector;
34642 struct stripe_head sh2;
34643
34644 + pax_track_stack();
34645
34646 chunk_offset = sector_div(new_sector, sectors_per_chunk);
34647 stripe = new_sector;
34648 diff -urNp linux-2.6.32.49/drivers/media/common/saa7146_hlp.c linux-2.6.32.49/drivers/media/common/saa7146_hlp.c
34649 --- linux-2.6.32.49/drivers/media/common/saa7146_hlp.c 2011-11-08 19:02:43.000000000 -0500
34650 +++ linux-2.6.32.49/drivers/media/common/saa7146_hlp.c 2011-11-15 19:59:43.000000000 -0500
34651 @@ -353,6 +353,8 @@ static void calculate_clipping_registers
34652
34653 int x[32], y[32], w[32], h[32];
34654
34655 + pax_track_stack();
34656 +
34657 /* clear out memory */
34658 memset(&line_list[0], 0x00, sizeof(u32)*32);
34659 memset(&pixel_list[0], 0x00, sizeof(u32)*32);
34660 diff -urNp linux-2.6.32.49/drivers/media/dvb/dvb-core/dvb_ca_en50221.c linux-2.6.32.49/drivers/media/dvb/dvb-core/dvb_ca_en50221.c
34661 --- linux-2.6.32.49/drivers/media/dvb/dvb-core/dvb_ca_en50221.c 2011-11-08 19:02:43.000000000 -0500
34662 +++ linux-2.6.32.49/drivers/media/dvb/dvb-core/dvb_ca_en50221.c 2011-11-15 19:59:43.000000000 -0500
34663 @@ -590,6 +590,8 @@ static int dvb_ca_en50221_read_data(stru
34664 u8 buf[HOST_LINK_BUF_SIZE];
34665 int i;
34666
34667 + pax_track_stack();
34668 +
34669 dprintk("%s\n", __func__);
34670
34671 /* check if we have space for a link buf in the rx_buffer */
34672 @@ -1285,6 +1287,8 @@ static ssize_t dvb_ca_en50221_io_write(s
34673 unsigned long timeout;
34674 int written;
34675
34676 + pax_track_stack();
34677 +
34678 dprintk("%s\n", __func__);
34679
34680 /* Incoming packet has a 2 byte header. hdr[0] = slot_id, hdr[1] = connection_id */
34681 diff -urNp linux-2.6.32.49/drivers/media/dvb/dvb-core/dvb_demux.h linux-2.6.32.49/drivers/media/dvb/dvb-core/dvb_demux.h
34682 --- linux-2.6.32.49/drivers/media/dvb/dvb-core/dvb_demux.h 2011-11-08 19:02:43.000000000 -0500
34683 +++ linux-2.6.32.49/drivers/media/dvb/dvb-core/dvb_demux.h 2011-11-15 19:59:43.000000000 -0500
34684 @@ -71,7 +71,7 @@ struct dvb_demux_feed {
34685 union {
34686 dmx_ts_cb ts;
34687 dmx_section_cb sec;
34688 - } cb;
34689 + } __no_const cb;
34690
34691 struct dvb_demux *demux;
34692 void *priv;
34693 diff -urNp linux-2.6.32.49/drivers/media/dvb/dvb-core/dvbdev.c linux-2.6.32.49/drivers/media/dvb/dvb-core/dvbdev.c
34694 --- linux-2.6.32.49/drivers/media/dvb/dvb-core/dvbdev.c 2011-11-08 19:02:43.000000000 -0500
34695 +++ linux-2.6.32.49/drivers/media/dvb/dvb-core/dvbdev.c 2011-11-15 19:59:43.000000000 -0500
34696 @@ -191,7 +191,7 @@ int dvb_register_device(struct dvb_adapt
34697 const struct dvb_device *template, void *priv, int type)
34698 {
34699 struct dvb_device *dvbdev;
34700 - struct file_operations *dvbdevfops;
34701 + file_operations_no_const *dvbdevfops;
34702 struct device *clsdev;
34703 int minor;
34704 int id;
34705 diff -urNp linux-2.6.32.49/drivers/media/dvb/dvb-usb/cxusb.c linux-2.6.32.49/drivers/media/dvb/dvb-usb/cxusb.c
34706 --- linux-2.6.32.49/drivers/media/dvb/dvb-usb/cxusb.c 2011-11-08 19:02:43.000000000 -0500
34707 +++ linux-2.6.32.49/drivers/media/dvb/dvb-usb/cxusb.c 2011-11-15 19:59:43.000000000 -0500
34708 @@ -1040,7 +1040,7 @@ static struct dib0070_config dib7070p_di
34709 struct dib0700_adapter_state {
34710 int (*set_param_save) (struct dvb_frontend *,
34711 struct dvb_frontend_parameters *);
34712 -};
34713 +} __no_const;
34714
34715 static int dib7070_set_param_override(struct dvb_frontend *fe,
34716 struct dvb_frontend_parameters *fep)
34717 diff -urNp linux-2.6.32.49/drivers/media/dvb/dvb-usb/dib0700_core.c linux-2.6.32.49/drivers/media/dvb/dvb-usb/dib0700_core.c
34718 --- linux-2.6.32.49/drivers/media/dvb/dvb-usb/dib0700_core.c 2011-11-08 19:02:43.000000000 -0500
34719 +++ linux-2.6.32.49/drivers/media/dvb/dvb-usb/dib0700_core.c 2011-11-15 19:59:43.000000000 -0500
34720 @@ -332,6 +332,8 @@ int dib0700_download_firmware(struct usb
34721
34722 u8 buf[260];
34723
34724 + pax_track_stack();
34725 +
34726 while ((ret = dvb_usb_get_hexline(fw, &hx, &pos)) > 0) {
34727 deb_fwdata("writing to address 0x%08x (buffer: 0x%02x %02x)\n",hx.addr, hx.len, hx.chk);
34728
34729 diff -urNp linux-2.6.32.49/drivers/media/dvb/dvb-usb/dib0700_devices.c linux-2.6.32.49/drivers/media/dvb/dvb-usb/dib0700_devices.c
34730 --- linux-2.6.32.49/drivers/media/dvb/dvb-usb/dib0700_devices.c 2011-11-08 19:02:43.000000000 -0500
34731 +++ linux-2.6.32.49/drivers/media/dvb/dvb-usb/dib0700_devices.c 2011-11-15 19:59:43.000000000 -0500
34732 @@ -28,7 +28,7 @@ MODULE_PARM_DESC(force_lna_activation, "
34733
34734 struct dib0700_adapter_state {
34735 int (*set_param_save) (struct dvb_frontend *, struct dvb_frontend_parameters *);
34736 -};
34737 +} __no_const;
34738
34739 /* Hauppauge Nova-T 500 (aka Bristol)
34740 * has a LNA on GPIO0 which is enabled by setting 1 */
34741 diff -urNp linux-2.6.32.49/drivers/media/dvb/frontends/dib3000.h linux-2.6.32.49/drivers/media/dvb/frontends/dib3000.h
34742 --- linux-2.6.32.49/drivers/media/dvb/frontends/dib3000.h 2011-11-08 19:02:43.000000000 -0500
34743 +++ linux-2.6.32.49/drivers/media/dvb/frontends/dib3000.h 2011-11-15 19:59:43.000000000 -0500
34744 @@ -39,7 +39,7 @@ struct dib_fe_xfer_ops
34745 int (*fifo_ctrl)(struct dvb_frontend *fe, int onoff);
34746 int (*pid_ctrl)(struct dvb_frontend *fe, int index, int pid, int onoff);
34747 int (*tuner_pass_ctrl)(struct dvb_frontend *fe, int onoff, u8 pll_ctrl);
34748 -};
34749 +} __no_const;
34750
34751 #if defined(CONFIG_DVB_DIB3000MB) || (defined(CONFIG_DVB_DIB3000MB_MODULE) && defined(MODULE))
34752 extern struct dvb_frontend* dib3000mb_attach(const struct dib3000_config* config,
34753 diff -urNp linux-2.6.32.49/drivers/media/dvb/frontends/or51211.c linux-2.6.32.49/drivers/media/dvb/frontends/or51211.c
34754 --- linux-2.6.32.49/drivers/media/dvb/frontends/or51211.c 2011-11-08 19:02:43.000000000 -0500
34755 +++ linux-2.6.32.49/drivers/media/dvb/frontends/or51211.c 2011-11-15 19:59:43.000000000 -0500
34756 @@ -113,6 +113,8 @@ static int or51211_load_firmware (struct
34757 u8 tudata[585];
34758 int i;
34759
34760 + pax_track_stack();
34761 +
34762 dprintk("Firmware is %zd bytes\n",fw->size);
34763
34764 /* Get eprom data */
34765 diff -urNp linux-2.6.32.49/drivers/media/radio/radio-cadet.c linux-2.6.32.49/drivers/media/radio/radio-cadet.c
34766 --- linux-2.6.32.49/drivers/media/radio/radio-cadet.c 2011-11-08 19:02:43.000000000 -0500
34767 +++ linux-2.6.32.49/drivers/media/radio/radio-cadet.c 2011-11-15 19:59:43.000000000 -0500
34768 @@ -347,7 +347,7 @@ static ssize_t cadet_read(struct file *f
34769 while (i < count && dev->rdsin != dev->rdsout)
34770 readbuf[i++] = dev->rdsbuf[dev->rdsout++];
34771
34772 - if (copy_to_user(data, readbuf, i))
34773 + if (i > sizeof readbuf || copy_to_user(data, readbuf, i))
34774 return -EFAULT;
34775 return i;
34776 }
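Review bot: The added `i > sizeof readbuf` test runs only after the `while` loop above it has already executed `readbuf[i++] = ...`, so it stops an over-long copy_to_user() but not the stack writes that would precede it. Bounding the loop covers both, `while (i < count && i < sizeof readbuf && dev->rdsin != dev->rdsout)`. The declarations of `readbuf`, `i` and the ring indices are outside the hunk, so whether the ring can actually supply more bytes than `readbuf` holds cannot be confirmed from here. Note also that an oversize `i` is reported as -EFAULT, which misdescribes the condition to the caller.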
34777 diff -urNp linux-2.6.32.49/drivers/media/video/cx18/cx18-driver.c linux-2.6.32.49/drivers/media/video/cx18/cx18-driver.c
34778 --- linux-2.6.32.49/drivers/media/video/cx18/cx18-driver.c 2011-11-08 19:02:43.000000000 -0500
34779 +++ linux-2.6.32.49/drivers/media/video/cx18/cx18-driver.c 2011-11-15 19:59:43.000000000 -0500
34780 @@ -56,7 +56,7 @@ static struct pci_device_id cx18_pci_tbl
34781
34782 MODULE_DEVICE_TABLE(pci, cx18_pci_tbl);
34783
34784 -static atomic_t cx18_instance = ATOMIC_INIT(0);
34785 +static atomic_unchecked_t cx18_instance = ATOMIC_INIT(0);
34786
34787 /* Parameter declarations */
34788 static int cardtype[CX18_MAX_CARDS];
34789 @@ -288,6 +288,8 @@ void cx18_read_eeprom(struct cx18 *cx, s
34790 struct i2c_client c;
34791 u8 eedata[256];
34792
34793 + pax_track_stack();
34794 +
34795 memset(&c, 0, sizeof(c));
34796 strlcpy(c.name, "cx18 tveeprom tmp", sizeof(c.name));
34797 c.adapter = &cx->i2c_adap[0];
34798 @@ -800,7 +802,7 @@ static int __devinit cx18_probe(struct p
34799 struct cx18 *cx;
34800
34801 /* FIXME - module parameter arrays constrain max instances */
34802 - i = atomic_inc_return(&cx18_instance) - 1;
34803 + i = atomic_inc_return_unchecked(&cx18_instance) - 1;
34804 if (i >= CX18_MAX_CARDS) {
34805 printk(KERN_ERR "cx18: cannot manage card %d, driver has a "
34806 "limit of 0 - %d\n", i, CX18_MAX_CARDS - 1);
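Review bot: With `cx18_instance` converted to an unchecked atomic the counter is allowed to wrap, but the range test after `atomic_inc_return_unchecked()` only rejects `i >= CX18_MAX_CARDS`. If `i` is a signed int (its declaration is outside the hunk), a wrapped counter gives a negative value that passes this test. The FIXME above the assignment suggests `i` is then used to select entries in the module parameter arrays. Checking both sides, `if (i < 0 || i >= CX18_MAX_CARDS) {`, closes that at no cost.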
34807 diff -urNp linux-2.6.32.49/drivers/media/video/ivtv/ivtv-driver.c linux-2.6.32.49/drivers/media/video/ivtv/ivtv-driver.c
34808 --- linux-2.6.32.49/drivers/media/video/ivtv/ivtv-driver.c 2011-11-08 19:02:43.000000000 -0500
34809 +++ linux-2.6.32.49/drivers/media/video/ivtv/ivtv-driver.c 2011-11-15 19:59:43.000000000 -0500
34810 @@ -79,7 +79,7 @@ static struct pci_device_id ivtv_pci_tbl
34811 MODULE_DEVICE_TABLE(pci,ivtv_pci_tbl);
34812
34813 /* ivtv instance counter */
34814 -static atomic_t ivtv_instance = ATOMIC_INIT(0);
34815 +static atomic_unchecked_t ivtv_instance = ATOMIC_INIT(0);
34816
34817 /* Parameter declarations */
34818 static int cardtype[IVTV_MAX_CARDS];
34819 diff -urNp linux-2.6.32.49/drivers/media/video/omap24xxcam.c linux-2.6.32.49/drivers/media/video/omap24xxcam.c
34820 --- linux-2.6.32.49/drivers/media/video/omap24xxcam.c 2011-11-08 19:02:43.000000000 -0500
34821 +++ linux-2.6.32.49/drivers/media/video/omap24xxcam.c 2011-11-15 19:59:43.000000000 -0500
34822 @@ -401,7 +401,7 @@ static void omap24xxcam_vbq_complete(str
34823 spin_unlock_irqrestore(&cam->core_enable_disable_lock, flags);
34824
34825 do_gettimeofday(&vb->ts);
34826 - vb->field_count = atomic_add_return(2, &fh->field_count);
34827 + vb->field_count = atomic_add_return_unchecked(2, &fh->field_count);
34828 if (csr & csr_error) {
34829 vb->state = VIDEOBUF_ERROR;
34830 if (!atomic_read(&fh->cam->in_reset)) {
34831 diff -urNp linux-2.6.32.49/drivers/media/video/omap24xxcam.h linux-2.6.32.49/drivers/media/video/omap24xxcam.h
34832 --- linux-2.6.32.49/drivers/media/video/omap24xxcam.h 2011-11-08 19:02:43.000000000 -0500
34833 +++ linux-2.6.32.49/drivers/media/video/omap24xxcam.h 2011-11-15 19:59:43.000000000 -0500
34834 @@ -533,7 +533,7 @@ struct omap24xxcam_fh {
34835 spinlock_t vbq_lock; /* spinlock for the videobuf queue */
34836 struct videobuf_queue vbq;
34837 struct v4l2_pix_format pix; /* serialise pix by vbq->lock */
34838 - atomic_t field_count; /* field counter for videobuf_buffer */
34839 + atomic_unchecked_t field_count; /* field counter for videobuf_buffer */
34840 /* accessing cam here doesn't need serialisation: it's constant */
34841 struct omap24xxcam_device *cam;
34842 };
34843 diff -urNp linux-2.6.32.49/drivers/media/video/pvrusb2/pvrusb2-eeprom.c linux-2.6.32.49/drivers/media/video/pvrusb2/pvrusb2-eeprom.c
34844 --- linux-2.6.32.49/drivers/media/video/pvrusb2/pvrusb2-eeprom.c 2011-11-08 19:02:43.000000000 -0500
34845 +++ linux-2.6.32.49/drivers/media/video/pvrusb2/pvrusb2-eeprom.c 2011-11-15 19:59:43.000000000 -0500
34846 @@ -119,6 +119,8 @@ int pvr2_eeprom_analyze(struct pvr2_hdw
34847 u8 *eeprom;
34848 struct tveeprom tvdata;
34849
34850 + pax_track_stack();
34851 +
34852 memset(&tvdata,0,sizeof(tvdata));
34853
34854 eeprom = pvr2_eeprom_fetch(hdw);
34855 diff -urNp linux-2.6.32.49/drivers/media/video/pvrusb2/pvrusb2-hdw-internal.h linux-2.6.32.49/drivers/media/video/pvrusb2/pvrusb2-hdw-internal.h
34856 --- linux-2.6.32.49/drivers/media/video/pvrusb2/pvrusb2-hdw-internal.h 2011-11-08 19:02:43.000000000 -0500
34857 +++ linux-2.6.32.49/drivers/media/video/pvrusb2/pvrusb2-hdw-internal.h 2011-11-15 19:59:43.000000000 -0500
34858 @@ -195,7 +195,7 @@ struct pvr2_hdw {
34859
34860 /* I2C stuff */
34861 struct i2c_adapter i2c_adap;
34862 - struct i2c_algorithm i2c_algo;
34863 + i2c_algorithm_no_const i2c_algo;
34864 pvr2_i2c_func i2c_func[PVR2_I2C_FUNC_CNT];
34865 int i2c_cx25840_hack_state;
34866 int i2c_linked;
34867 diff -urNp linux-2.6.32.49/drivers/media/video/saa7134/saa6752hs.c linux-2.6.32.49/drivers/media/video/saa7134/saa6752hs.c
34868 --- linux-2.6.32.49/drivers/media/video/saa7134/saa6752hs.c 2011-11-08 19:02:43.000000000 -0500
34869 +++ linux-2.6.32.49/drivers/media/video/saa7134/saa6752hs.c 2011-11-15 19:59:43.000000000 -0500
34870 @@ -683,6 +683,8 @@ static int saa6752hs_init(struct v4l2_su
34871 unsigned char localPAT[256];
34872 unsigned char localPMT[256];
34873
34874 + pax_track_stack();
34875 +
34876 /* Set video format - must be done first as it resets other settings */
34877 set_reg8(client, 0x41, h->video_format);
34878
34879 diff -urNp linux-2.6.32.49/drivers/media/video/saa7164/saa7164-cmd.c linux-2.6.32.49/drivers/media/video/saa7164/saa7164-cmd.c
34880 --- linux-2.6.32.49/drivers/media/video/saa7164/saa7164-cmd.c 2011-11-08 19:02:43.000000000 -0500
34881 +++ linux-2.6.32.49/drivers/media/video/saa7164/saa7164-cmd.c 2011-11-15 19:59:43.000000000 -0500
34882 @@ -87,6 +87,8 @@ int saa7164_irq_dequeue(struct saa7164_d
34883 wait_queue_head_t *q = 0;
34884 dprintk(DBGLVL_CMD, "%s()\n", __func__);
34885
34886 + pax_track_stack();
34887 +
34888 /* While any outstand message on the bus exists... */
34889 do {
34890
34891 @@ -126,6 +128,8 @@ int saa7164_cmd_dequeue(struct saa7164_d
34892 u8 tmp[512];
34893 dprintk(DBGLVL_CMD, "%s()\n", __func__);
34894
34895 + pax_track_stack();
34896 +
34897 while (loop) {
34898
34899 tmComResInfo_t tRsp = { 0, 0, 0, 0, 0, 0 };
34900 diff -urNp linux-2.6.32.49/drivers/media/video/usbvideo/ibmcam.c linux-2.6.32.49/drivers/media/video/usbvideo/ibmcam.c
34901 --- linux-2.6.32.49/drivers/media/video/usbvideo/ibmcam.c 2011-11-08 19:02:43.000000000 -0500
34902 +++ linux-2.6.32.49/drivers/media/video/usbvideo/ibmcam.c 2011-11-15 19:59:43.000000000 -0500
34903 @@ -3947,15 +3947,15 @@ static struct usb_device_id id_table[] =
34904 static int __init ibmcam_init(void)
34905 {
34906 struct usbvideo_cb cbTbl;
34907 - memset(&cbTbl, 0, sizeof(cbTbl));
34908 - cbTbl.probe = ibmcam_probe;
34909 - cbTbl.setupOnOpen = ibmcam_setup_on_open;
34910 - cbTbl.videoStart = ibmcam_video_start;
34911 - cbTbl.videoStop = ibmcam_video_stop;
34912 - cbTbl.processData = ibmcam_ProcessIsocData;
34913 - cbTbl.postProcess = usbvideo_DeinterlaceFrame;
34914 - cbTbl.adjustPicture = ibmcam_adjust_picture;
34915 - cbTbl.getFPS = ibmcam_calculate_fps;
34916 + memset((void *)&cbTbl, 0, sizeof(cbTbl));
34917 + *(void **)&cbTbl.probe = ibmcam_probe;
34918 + *(void **)&cbTbl.setupOnOpen = ibmcam_setup_on_open;
34919 + *(void **)&cbTbl.videoStart = ibmcam_video_start;
34920 + *(void **)&cbTbl.videoStop = ibmcam_video_stop;
34921 + *(void **)&cbTbl.processData = ibmcam_ProcessIsocData;
34922 + *(void **)&cbTbl.postProcess = usbvideo_DeinterlaceFrame;
34923 + *(void **)&cbTbl.adjustPicture = ibmcam_adjust_picture;
34924 + *(void **)&cbTbl.getFPS = ibmcam_calculate_fps;
34925 return usbvideo_register(
34926 &cams,
34927 MAX_IBMCAM,
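Review bot: Writing each handler through `*(void **)&cbTbl.probe = ibmcam_probe;` removes the compiler's check that the handler matches the callback's prototype, so a function with the wrong signature would be stored without a warning. Since usbvideo.h in this same patch marks `struct usbvideo_cb` as `__no_const`, the plain form `cbTbl.probe = ibmcam_probe;` presumably compiles again and keeps that check; it is worth confirming this and dropping the casts. The same pattern appears in the konicawc_init, ultracam_init and usbvideo_register hunks. ultracam_init also keeps `memset(&cbTbl, 0, sizeof(cbTbl));` without the `(void *)` cast that ibmcam_init and konicawc_init add, so the three initialisers are inconsistent. The body of ibmcam_init continues past the end of the hunk.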
34928 diff -urNp linux-2.6.32.49/drivers/media/video/usbvideo/konicawc.c linux-2.6.32.49/drivers/media/video/usbvideo/konicawc.c
34929 --- linux-2.6.32.49/drivers/media/video/usbvideo/konicawc.c 2011-11-08 19:02:43.000000000 -0500
34930 +++ linux-2.6.32.49/drivers/media/video/usbvideo/konicawc.c 2011-11-15 19:59:43.000000000 -0500
34931 @@ -225,7 +225,7 @@ static void konicawc_register_input(stru
34932 int error;
34933
34934 usb_make_path(dev, cam->input_physname, sizeof(cam->input_physname));
34935 - strncat(cam->input_physname, "/input0", sizeof(cam->input_physname));
34936 + strlcat(cam->input_physname, "/input0", sizeof(cam->input_physname));
34937
34938 cam->input = input_dev = input_allocate_device();
34939 if (!input_dev) {
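Review bot: The result of `strlcat()` is discarded, so a truncated physical path is registered silently when `usb_make_path()` has already filled most of `cam->input_physname`. Comparing the return value with the buffer size, `if (strlcat(cam->input_physname, "/input0", sizeof(cam->input_physname)) >= sizeof(cam->input_physname))`, and logging a warning would make the truncation visible. The qcm_register_input hunk in quickcam_messenger.c has the same unchecked call. konicawc_register_input starts and ends outside the hunk.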
34940 @@ -935,16 +935,16 @@ static int __init konicawc_init(void)
34941 struct usbvideo_cb cbTbl;
34942 printk(KERN_INFO KBUILD_MODNAME ": " DRIVER_VERSION ":"
34943 DRIVER_DESC "\n");
34944 - memset(&cbTbl, 0, sizeof(cbTbl));
34945 - cbTbl.probe = konicawc_probe;
34946 - cbTbl.setupOnOpen = konicawc_setup_on_open;
34947 - cbTbl.processData = konicawc_process_isoc;
34948 - cbTbl.getFPS = konicawc_calculate_fps;
34949 - cbTbl.setVideoMode = konicawc_set_video_mode;
34950 - cbTbl.startDataPump = konicawc_start_data;
34951 - cbTbl.stopDataPump = konicawc_stop_data;
34952 - cbTbl.adjustPicture = konicawc_adjust_picture;
34953 - cbTbl.userFree = konicawc_free_uvd;
34954 + memset((void * )&cbTbl, 0, sizeof(cbTbl));
34955 + *(void **)&cbTbl.probe = konicawc_probe;
34956 + *(void **)&cbTbl.setupOnOpen = konicawc_setup_on_open;
34957 + *(void **)&cbTbl.processData = konicawc_process_isoc;
34958 + *(void **)&cbTbl.getFPS = konicawc_calculate_fps;
34959 + *(void **)&cbTbl.setVideoMode = konicawc_set_video_mode;
34960 + *(void **)&cbTbl.startDataPump = konicawc_start_data;
34961 + *(void **)&cbTbl.stopDataPump = konicawc_stop_data;
34962 + *(void **)&cbTbl.adjustPicture = konicawc_adjust_picture;
34963 + *(void **)&cbTbl.userFree = konicawc_free_uvd;
34964 return usbvideo_register(
34965 &cams,
34966 MAX_CAMERAS,
34967 diff -urNp linux-2.6.32.49/drivers/media/video/usbvideo/quickcam_messenger.c linux-2.6.32.49/drivers/media/video/usbvideo/quickcam_messenger.c
34968 --- linux-2.6.32.49/drivers/media/video/usbvideo/quickcam_messenger.c 2011-11-08 19:02:43.000000000 -0500
34969 +++ linux-2.6.32.49/drivers/media/video/usbvideo/quickcam_messenger.c 2011-11-15 19:59:43.000000000 -0500
34970 @@ -89,7 +89,7 @@ static void qcm_register_input(struct qc
34971 int error;
34972
34973 usb_make_path(dev, cam->input_physname, sizeof(cam->input_physname));
34974 - strncat(cam->input_physname, "/input0", sizeof(cam->input_physname));
34975 + strlcat(cam->input_physname, "/input0", sizeof(cam->input_physname));
34976
34977 cam->input = input_dev = input_allocate_device();
34978 if (!input_dev) {
34979 diff -urNp linux-2.6.32.49/drivers/media/video/usbvideo/ultracam.c linux-2.6.32.49/drivers/media/video/usbvideo/ultracam.c
34980 --- linux-2.6.32.49/drivers/media/video/usbvideo/ultracam.c 2011-11-08 19:02:43.000000000 -0500
34981 +++ linux-2.6.32.49/drivers/media/video/usbvideo/ultracam.c 2011-11-15 19:59:43.000000000 -0500
34982 @@ -655,14 +655,14 @@ static int __init ultracam_init(void)
34983 {
34984 struct usbvideo_cb cbTbl;
34985 memset(&cbTbl, 0, sizeof(cbTbl));
34986 - cbTbl.probe = ultracam_probe;
34987 - cbTbl.setupOnOpen = ultracam_setup_on_open;
34988 - cbTbl.videoStart = ultracam_video_start;
34989 - cbTbl.videoStop = ultracam_video_stop;
34990 - cbTbl.processData = ultracam_ProcessIsocData;
34991 - cbTbl.postProcess = usbvideo_DeinterlaceFrame;
34992 - cbTbl.adjustPicture = ultracam_adjust_picture;
34993 - cbTbl.getFPS = ultracam_calculate_fps;
34994 + *(void **)&cbTbl.probe = ultracam_probe;
34995 + *(void **)&cbTbl.setupOnOpen = ultracam_setup_on_open;
34996 + *(void **)&cbTbl.videoStart = ultracam_video_start;
34997 + *(void **)&cbTbl.videoStop = ultracam_video_stop;
34998 + *(void **)&cbTbl.processData = ultracam_ProcessIsocData;
34999 + *(void **)&cbTbl.postProcess = usbvideo_DeinterlaceFrame;
35000 + *(void **)&cbTbl.adjustPicture = ultracam_adjust_picture;
35001 + *(void **)&cbTbl.getFPS = ultracam_calculate_fps;
35002 return usbvideo_register(
35003 &cams,
35004 MAX_CAMERAS,
35005 diff -urNp linux-2.6.32.49/drivers/media/video/usbvideo/usbvideo.c linux-2.6.32.49/drivers/media/video/usbvideo/usbvideo.c
35006 --- linux-2.6.32.49/drivers/media/video/usbvideo/usbvideo.c 2011-11-08 19:02:43.000000000 -0500
35007 +++ linux-2.6.32.49/drivers/media/video/usbvideo/usbvideo.c 2011-11-15 19:59:43.000000000 -0500
35008 @@ -697,15 +697,15 @@ int usbvideo_register(
35009 __func__, cams, base_size, num_cams);
35010
35011 /* Copy callbacks, apply defaults for those that are not set */
35012 - memmove(&cams->cb, cbTbl, sizeof(cams->cb));
35013 + memmove((void *)&cams->cb, cbTbl, sizeof(cams->cb));
35014 if (cams->cb.getFrame == NULL)
35015 - cams->cb.getFrame = usbvideo_GetFrame;
35016 + *(void **)&cams->cb.getFrame = usbvideo_GetFrame;
35017 if (cams->cb.disconnect == NULL)
35018 - cams->cb.disconnect = usbvideo_Disconnect;
35019 + *(void **)&cams->cb.disconnect = usbvideo_Disconnect;
35020 if (cams->cb.startDataPump == NULL)
35021 - cams->cb.startDataPump = usbvideo_StartDataPump;
35022 + *(void **)&cams->cb.startDataPump = usbvideo_StartDataPump;
35023 if (cams->cb.stopDataPump == NULL)
35024 - cams->cb.stopDataPump = usbvideo_StopDataPump;
35025 + *(void **)&cams->cb.stopDataPump = usbvideo_StopDataPump;
35026
35027 cams->num_cameras = num_cams;
35028 cams->cam = (struct uvd *) &cams[1];
35029 diff -urNp linux-2.6.32.49/drivers/media/video/usbvideo/usbvideo.h linux-2.6.32.49/drivers/media/video/usbvideo/usbvideo.h
35030 --- linux-2.6.32.49/drivers/media/video/usbvideo/usbvideo.h 2011-11-08 19:02:43.000000000 -0500
35031 +++ linux-2.6.32.49/drivers/media/video/usbvideo/usbvideo.h 2011-11-15 19:59:43.000000000 -0500
35032 @@ -268,7 +268,7 @@ struct usbvideo_cb {
35033 int (*startDataPump)(struct uvd *uvd);
35034 void (*stopDataPump)(struct uvd *uvd);
35035 int (*setVideoMode)(struct uvd *uvd, struct video_window *vw);
35036 -};
35037 +} __no_const;
35038
35039 struct usbvideo {
35040 int num_cameras; /* As allocated */
35041 diff -urNp linux-2.6.32.49/drivers/media/video/usbvision/usbvision-core.c linux-2.6.32.49/drivers/media/video/usbvision/usbvision-core.c
35042 --- linux-2.6.32.49/drivers/media/video/usbvision/usbvision-core.c 2011-11-08 19:02:43.000000000 -0500
35043 +++ linux-2.6.32.49/drivers/media/video/usbvision/usbvision-core.c 2011-11-15 19:59:43.000000000 -0500
35044 @@ -820,6 +820,8 @@ static enum ParseState usbvision_parse_c
35045 unsigned char rv, gv, bv;
35046 static unsigned char *Y, *U, *V;
35047
35048 + pax_track_stack();
35049 +
35050 frame = usbvision->curFrame;
35051 imageSize = frame->frmwidth * frame->frmheight;
35052 if ( (frame->v4l2_format.format == V4L2_PIX_FMT_YUV422P) ||
35053 diff -urNp linux-2.6.32.49/drivers/media/video/v4l2-device.c linux-2.6.32.49/drivers/media/video/v4l2-device.c
35054 --- linux-2.6.32.49/drivers/media/video/v4l2-device.c 2011-11-08 19:02:43.000000000 -0500
35055 +++ linux-2.6.32.49/drivers/media/video/v4l2-device.c 2011-11-15 19:59:43.000000000 -0500
35056 @@ -50,9 +50,9 @@ int v4l2_device_register(struct device *
35057 EXPORT_SYMBOL_GPL(v4l2_device_register);
35058
35059 int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename,
35060 - atomic_t *instance)
35061 + atomic_unchecked_t *instance)
35062 {
35063 - int num = atomic_inc_return(instance) - 1;
35064 + int num = atomic_inc_return_unchecked(instance) - 1;
35065 int len = strlen(basename);
35066
35067 if (basename[len - 1] >= '0' && basename[len - 1] <= '9')
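Review bot: `basename[len - 1]` reads one byte before the string when `basename` is empty, because `len` comes straight from `strlen(basename)` with no zero check; `if (len > 0 && basename[len - 1] >= '0' && basename[len - 1] <= '9')` would close that. The switch to `atomic_unchecked_t` opts this counter out of overflow detection, which looks intended for an instance number, but a short comment such as `/* instance is a naming counter, not a reference count; wraparound is harmless */` would record why. The parameter type of an exported function changes here, so the prototype and every caller need the same change; those are not visible in this hunk, and the function body continues past it.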
35068 diff -urNp linux-2.6.32.49/drivers/media/video/videobuf-dma-sg.c linux-2.6.32.49/drivers/media/video/videobuf-dma-sg.c
35069 --- linux-2.6.32.49/drivers/media/video/videobuf-dma-sg.c 2011-11-08 19:02:43.000000000 -0500
35070 +++ linux-2.6.32.49/drivers/media/video/videobuf-dma-sg.c 2011-11-15 19:59:43.000000000 -0500
35071 @@ -693,6 +693,8 @@ void *videobuf_sg_alloc(size_t size)
35072 {
35073 struct videobuf_queue q;
35074
35075 + pax_track_stack();
35076 +
35077 /* Required to make generic handler to call __videobuf_alloc */
35078 q.int_ops = &sg_ops;
35079
35080 diff -urNp linux-2.6.32.49/drivers/message/fusion/mptbase.c linux-2.6.32.49/drivers/message/fusion/mptbase.c
35081 --- linux-2.6.32.49/drivers/message/fusion/mptbase.c 2011-11-08 19:02:43.000000000 -0500
35082 +++ linux-2.6.32.49/drivers/message/fusion/mptbase.c 2011-11-15 19:59:43.000000000 -0500
35083 @@ -6709,8 +6709,14 @@ procmpt_iocinfo_read(char *buf, char **s
35084 len += sprintf(buf+len, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
35085 len += sprintf(buf+len, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
35086
35087 +#ifdef CONFIG_GRKERNSEC_HIDESYM
35088 + len += sprintf(buf+len, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
35089 + NULL, NULL);
35090 +#else
35091 len += sprintf(buf+len, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
35092 (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
35093 +#endif
35094 +
35095 /*
35096 * Rounding UP to nearest 4-kB boundary here...
35097 */
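Review bot: In the `CONFIG_GRKERNSEC_HIDESYM` branch the line still goes through `0x%p` with `NULL` arguments, which the kernel's `%p` handling most likely renders as `(null)`, so the proc output would read `0x(null)` rather than a zeroed address. The format string is also duplicated across the two branches, so a later edit can let them drift apart. Keeping one `sprintf` and selecting only the arguments under the `#ifdef` would avoid both, together with a comment such as `/* HIDESYM: do not expose kernel or DMA addresses through /proc */`. The rest of procmpt_iocinfo_read is outside the hunk, so whether other `%p` fields in it need the same treatment cannot be checked from here.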
35098 diff -urNp linux-2.6.32.49/drivers/message/fusion/mptsas.c linux-2.6.32.49/drivers/message/fusion/mptsas.c
35099 --- linux-2.6.32.49/drivers/message/fusion/mptsas.c 2011-11-08 19:02:43.000000000 -0500
35100 +++ linux-2.6.32.49/drivers/message/fusion/mptsas.c 2011-11-15 19:59:43.000000000 -0500
35101 @@ -436,6 +436,23 @@ mptsas_is_end_device(struct mptsas_devin
35102 return 0;
35103 }
35104
35105 +static inline void
35106 +mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
35107 +{
35108 + if (phy_info->port_details) {
35109 + phy_info->port_details->rphy = rphy;
35110 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
35111 + ioc->name, rphy));
35112 + }
35113 +
35114 + if (rphy) {
35115 + dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
35116 + &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
35117 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
35118 + ioc->name, rphy, rphy->dev.release));
35119 + }
35120 +}
35121 +
35122 /* no mutex */
35123 static void
35124 mptsas_port_delete(MPT_ADAPTER *ioc, struct mptsas_portinfo_details * port_details)
35125 @@ -474,23 +491,6 @@ mptsas_get_rphy(struct mptsas_phyinfo *p
35126 return NULL;
35127 }
35128
35129 -static inline void
35130 -mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
35131 -{
35132 - if (phy_info->port_details) {
35133 - phy_info->port_details->rphy = rphy;
35134 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
35135 - ioc->name, rphy));
35136 - }
35137 -
35138 - if (rphy) {
35139 - dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
35140 - &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
35141 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
35142 - ioc->name, rphy, rphy->dev.release));
35143 - }
35144 -}
35145 -
35146 static inline struct sas_port *
35147 mptsas_get_port(struct mptsas_phyinfo *phy_info)
35148 {
35149 diff -urNp linux-2.6.32.49/drivers/message/fusion/mptscsih.c linux-2.6.32.49/drivers/message/fusion/mptscsih.c
35150 --- linux-2.6.32.49/drivers/message/fusion/mptscsih.c 2011-11-08 19:02:43.000000000 -0500
35151 +++ linux-2.6.32.49/drivers/message/fusion/mptscsih.c 2011-11-15 19:59:43.000000000 -0500
35152 @@ -1248,15 +1248,16 @@ mptscsih_info(struct Scsi_Host *SChost)
35153
35154 h = shost_priv(SChost);
35155
35156 - if (h) {
35157 - if (h->info_kbuf == NULL)
35158 - if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
35159 - return h->info_kbuf;
35160 - h->info_kbuf[0] = '\0';
35161 + if (!h)
35162 + return NULL;
35163
35164 - mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
35165 - h->info_kbuf[size-1] = '\0';
35166 - }
35167 + if (h->info_kbuf == NULL)
35168 + if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
35169 + return h->info_kbuf;
35170 + h->info_kbuf[0] = '\0';
35171 +
35172 + mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
35173 + h->info_kbuf[size-1] = '\0';
35174
35175 return h->info_kbuf;
35176 }
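Review bot: The flattened body keeps the brace-less nested `if` around `kmalloc`, so `h->info_kbuf[0] = '\0';` reads as part of the conditional although it runs on every call, and the failure path returns `h->info_kbuf` where `NULL` is meant. Bracing the allocation check and returning `NULL` directly makes the control flow explicit. `h->info_kbuf[size-1] = '\0';` would also write before the buffer if `mpt_print_ioc_summary` ever leaves `size` at 0. The declaration of `size` and the start of mptscsih_info are outside the hunk, so that needs confirming before the guard below is adopted.

```c
	if (h->info_kbuf == NULL) {
		h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL);
		if (h->info_kbuf == NULL)
			return NULL;
	}
	h->info_kbuf[0] = '\0';

	mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
	if (size > 0)
		h->info_kbuf[size-1] = '\0';
	/* ... unchanged: return h->info_kbuf ... */
```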
35177 diff -urNp linux-2.6.32.49/drivers/message/i2o/i2o_config.c linux-2.6.32.49/drivers/message/i2o/i2o_config.c
35178 --- linux-2.6.32.49/drivers/message/i2o/i2o_config.c 2011-11-08 19:02:43.000000000 -0500
35179 +++ linux-2.6.32.49/drivers/message/i2o/i2o_config.c 2011-11-15 19:59:43.000000000 -0500
35180 @@ -787,6 +787,8 @@ static int i2o_cfg_passthru(unsigned lon
35181 struct i2o_message *msg;
35182 unsigned int iop;
35183
35184 + pax_track_stack();
35185 +
35186 if (get_user(iop, &cmd->iop) || get_user(user_msg, &cmd->msg))
35187 return -EFAULT;
35188
35189 diff -urNp linux-2.6.32.49/drivers/message/i2o/i2o_proc.c linux-2.6.32.49/drivers/message/i2o/i2o_proc.c
35190 --- linux-2.6.32.49/drivers/message/i2o/i2o_proc.c 2011-11-08 19:02:43.000000000 -0500
35191 +++ linux-2.6.32.49/drivers/message/i2o/i2o_proc.c 2011-11-15 19:59:43.000000000 -0500
35192 @@ -259,13 +259,6 @@ static char *scsi_devices[] = {
35193 "Array Controller Device"
35194 };
35195
35196 -static char *chtostr(u8 * chars, int n)
35197 -{
35198 - char tmp[256];
35199 - tmp[0] = 0;
35200 - return strncat(tmp, (char *)chars, n);
35201 -}
35202 -
35203 static int i2o_report_query_status(struct seq_file *seq, int block_status,
35204 char *group)
35205 {
35206 @@ -842,8 +835,7 @@ static int i2o_seq_show_ddm_table(struct
35207
35208 seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
35209 seq_printf(seq, "%-#8x", ddm_table.module_id);
35210 - seq_printf(seq, "%-29s",
35211 - chtostr(ddm_table.module_name_version, 28));
35212 + seq_printf(seq, "%-.28s", ddm_table.module_name_version);
35213 seq_printf(seq, "%9d ", ddm_table.data_size);
35214 seq_printf(seq, "%8d", ddm_table.code_size);
35215
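Review bot: `%-.28s` bounds the read of `module_name_version` but drops the column padding that `%-29s` gave, because the `-` flag has no effect without a field width; the rows printed by i2o_seq_show_ddm_table will no longer line up. Width and precision together keep both properties: `seq_printf(seq, "%-29.28s", ddm_table.module_name_version);`. The i2o_seq_show_drivers_stored hunk has the same regression, where `%-29.28s` and `%-9.8s` would match the old layout. The bodies of both functions extend outside their hunks.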
35216 @@ -944,8 +936,8 @@ static int i2o_seq_show_drivers_stored(s
35217
35218 seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
35219 seq_printf(seq, "%-#8x", dst->module_id);
35220 - seq_printf(seq, "%-29s", chtostr(dst->module_name_version, 28));
35221 - seq_printf(seq, "%-9s", chtostr(dst->date, 8));
35222 + seq_printf(seq, "%-.28s", dst->module_name_version);
35223 + seq_printf(seq, "%-.8s", dst->date);
35224 seq_printf(seq, "%8d ", dst->module_size);
35225 seq_printf(seq, "%8d ", dst->mpb_size);
35226 seq_printf(seq, "0x%04x", dst->module_flags);
35227 @@ -1276,14 +1268,10 @@ static int i2o_seq_show_dev_identity(str
35228 seq_printf(seq, "Device Class : %s\n", i2o_get_class_name(work16[0]));
35229 seq_printf(seq, "Owner TID : %0#5x\n", work16[2]);
35230 seq_printf(seq, "Parent TID : %0#5x\n", work16[3]);
35231 - seq_printf(seq, "Vendor info : %s\n",
35232 - chtostr((u8 *) (work32 + 2), 16));
35233 - seq_printf(seq, "Product info : %s\n",
35234 - chtostr((u8 *) (work32 + 6), 16));
35235 - seq_printf(seq, "Description : %s\n",
35236 - chtostr((u8 *) (work32 + 10), 16));
35237 - seq_printf(seq, "Product rev. : %s\n",
35238 - chtostr((u8 *) (work32 + 14), 8));
35239 + seq_printf(seq, "Vendor info : %.16s\n", (u8 *) (work32 + 2));
35240 + seq_printf(seq, "Product info : %.16s\n", (u8 *) (work32 + 6));
35241 + seq_printf(seq, "Description : %.16s\n", (u8 *) (work32 + 10));
35242 + seq_printf(seq, "Product rev. : %.8s\n", (u8 *) (work32 + 14));
35243
35244 seq_printf(seq, "Serial number : ");
35245 print_serial_number(seq, (u8 *) (work32 + 16),
35246 @@ -1328,10 +1316,8 @@ static int i2o_seq_show_ddm_identity(str
35247 }
35248
35249 seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
35250 - seq_printf(seq, "Module name : %s\n",
35251 - chtostr(result.module_name, 24));
35252 - seq_printf(seq, "Module revision : %s\n",
35253 - chtostr(result.module_rev, 8));
35254 + seq_printf(seq, "Module name : %.24s\n", result.module_name);
35255 + seq_printf(seq, "Module revision : %.8s\n", result.module_rev);
35256
35257 seq_printf(seq, "Serial number : ");
35258 print_serial_number(seq, result.serial_number, sizeof(result) - 36);
35259 @@ -1362,14 +1348,10 @@ static int i2o_seq_show_uinfo(struct seq
35260 return 0;
35261 }
35262
35263 - seq_printf(seq, "Device name : %s\n",
35264 - chtostr(result.device_name, 64));
35265 - seq_printf(seq, "Service name : %s\n",
35266 - chtostr(result.service_name, 64));
35267 - seq_printf(seq, "Physical name : %s\n",
35268 - chtostr(result.physical_location, 64));
35269 - seq_printf(seq, "Instance number : %s\n",
35270 - chtostr(result.instance_number, 4));
35271 + seq_printf(seq, "Device name : %.64s\n", result.device_name);
35272 + seq_printf(seq, "Service name : %.64s\n", result.service_name);
35273 + seq_printf(seq, "Physical name : %.64s\n", result.physical_location);
35274 + seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
35275
35276 return 0;
35277 }
35278 diff -urNp linux-2.6.32.49/drivers/message/i2o/iop.c linux-2.6.32.49/drivers/message/i2o/iop.c
35279 --- linux-2.6.32.49/drivers/message/i2o/iop.c 2011-11-08 19:02:43.000000000 -0500
35280 +++ linux-2.6.32.49/drivers/message/i2o/iop.c 2011-11-15 19:59:43.000000000 -0500
35281 @@ -110,10 +110,10 @@ u32 i2o_cntxt_list_add(struct i2o_contro
35282
35283 spin_lock_irqsave(&c->context_list_lock, flags);
35284
35285 - if (unlikely(atomic_inc_and_test(&c->context_list_counter)))
35286 - atomic_inc(&c->context_list_counter);
35287 + if (unlikely(atomic_inc_and_test_unchecked(&c->context_list_counter)))
35288 + atomic_inc_unchecked(&c->context_list_counter);
35289
35290 - entry->context = atomic_read(&c->context_list_counter);
35291 + entry->context = atomic_read_unchecked(&c->context_list_counter);
35292
35293 list_add(&entry->list, &c->context_list);
35294
35295 @@ -1076,7 +1076,7 @@ struct i2o_controller *i2o_iop_alloc(voi
35296
35297 #if BITS_PER_LONG == 64
35298 spin_lock_init(&c->context_list_lock);
35299 - atomic_set(&c->context_list_counter, 0);
35300 + atomic_set_unchecked(&c->context_list_counter, 0);
35301 INIT_LIST_HEAD(&c->context_list);
35302 #endif
35303
35304 diff -urNp linux-2.6.32.49/drivers/mfd/ab3100-core.c linux-2.6.32.49/drivers/mfd/ab3100-core.c
35305 --- linux-2.6.32.49/drivers/mfd/ab3100-core.c 2011-11-08 19:02:43.000000000 -0500
35306 +++ linux-2.6.32.49/drivers/mfd/ab3100-core.c 2011-11-18 18:01:55.000000000 -0500
35307 @@ -777,7 +777,7 @@ struct ab_family_id {
35308 char *name;
35309 };
35310
35311 -static const struct ab_family_id ids[] __initdata = {
35312 +static const struct ab_family_id ids[] __initconst = {
35313 /* AB3100 */
35314 {
35315 .id = 0xc0,
35316 diff -urNp linux-2.6.32.49/drivers/mfd/wm8350-i2c.c linux-2.6.32.49/drivers/mfd/wm8350-i2c.c
35317 --- linux-2.6.32.49/drivers/mfd/wm8350-i2c.c 2011-11-08 19:02:43.000000000 -0500
35318 +++ linux-2.6.32.49/drivers/mfd/wm8350-i2c.c 2011-11-15 19:59:43.000000000 -0500
35319 @@ -43,6 +43,8 @@ static int wm8350_i2c_write_device(struc
35320 u8 msg[(WM8350_MAX_REGISTER << 1) + 1];
35321 int ret;
35322
35323 + pax_track_stack();
35324 +
35325 if (bytes > ((WM8350_MAX_REGISTER << 1) + 1))
35326 return -EINVAL;
35327
35328 diff -urNp linux-2.6.32.49/drivers/misc/kgdbts.c linux-2.6.32.49/drivers/misc/kgdbts.c
35329 --- linux-2.6.32.49/drivers/misc/kgdbts.c 2011-11-08 19:02:43.000000000 -0500
35330 +++ linux-2.6.32.49/drivers/misc/kgdbts.c 2011-11-15 19:59:43.000000000 -0500
35331 @@ -118,7 +118,7 @@
35332 } while (0)
35333 #define MAX_CONFIG_LEN 40
35334
35335 -static struct kgdb_io kgdbts_io_ops;
35336 +static const struct kgdb_io kgdbts_io_ops;
35337 static char get_buf[BUFMAX];
35338 static int get_buf_cnt;
35339 static char put_buf[BUFMAX];
35340 @@ -1102,7 +1102,7 @@ static void kgdbts_post_exp_handler(void
35341 module_put(THIS_MODULE);
35342 }
35343
35344 -static struct kgdb_io kgdbts_io_ops = {
35345 +static const struct kgdb_io kgdbts_io_ops = {
35346 .name = "kgdbts",
35347 .read_char = kgdbts_get_char,
35348 .write_char = kgdbts_put_char,
35349 diff -urNp linux-2.6.32.49/drivers/misc/sgi-gru/gruhandles.c linux-2.6.32.49/drivers/misc/sgi-gru/gruhandles.c
35350 --- linux-2.6.32.49/drivers/misc/sgi-gru/gruhandles.c 2011-11-08 19:02:43.000000000 -0500
35351 +++ linux-2.6.32.49/drivers/misc/sgi-gru/gruhandles.c 2011-11-15 19:59:43.000000000 -0500
35352 @@ -39,8 +39,8 @@ struct mcs_op_statistic mcs_op_statistic
35353
35354 static void update_mcs_stats(enum mcs_op op, unsigned long clks)
35355 {
35356 - atomic_long_inc(&mcs_op_statistics[op].count);
35357 - atomic_long_add(clks, &mcs_op_statistics[op].total);
35358 + atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
35359 + atomic_long_add_unchecked(clks, &mcs_op_statistics[op].total);
35360 if (mcs_op_statistics[op].max < clks)
35361 mcs_op_statistics[op].max = clks;
35362 }
35363 diff -urNp linux-2.6.32.49/drivers/misc/sgi-gru/gruprocfs.c linux-2.6.32.49/drivers/misc/sgi-gru/gruprocfs.c
35364 --- linux-2.6.32.49/drivers/misc/sgi-gru/gruprocfs.c 2011-11-08 19:02:43.000000000 -0500
35365 +++ linux-2.6.32.49/drivers/misc/sgi-gru/gruprocfs.c 2011-11-15 19:59:43.000000000 -0500
35366 @@ -32,9 +32,9 @@
35367
35368 #define printstat(s, f) printstat_val(s, &gru_stats.f, #f)
35369
35370 -static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
35371 +static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
35372 {
35373 - unsigned long val = atomic_long_read(v);
35374 + unsigned long val = atomic_long_read_unchecked(v);
35375
35376 if (val)
35377 seq_printf(s, "%16lu %s\n", val, id);
35378 @@ -136,8 +136,8 @@ static int mcs_statistics_show(struct se
35379 "cch_interrupt_sync", "cch_deallocate", "tgh_invalidate"};
35380
35381 for (op = 0; op < mcsop_last; op++) {
35382 - count = atomic_long_read(&mcs_op_statistics[op].count);
35383 - total = atomic_long_read(&mcs_op_statistics[op].total);
35384 + count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
35385 + total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
35386 max = mcs_op_statistics[op].max;
35387 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
35388 count ? total / count : 0, max);
35389 diff -urNp linux-2.6.32.49/drivers/misc/sgi-gru/grutables.h linux-2.6.32.49/drivers/misc/sgi-gru/grutables.h
35390 --- linux-2.6.32.49/drivers/misc/sgi-gru/grutables.h 2011-11-08 19:02:43.000000000 -0500
35391 +++ linux-2.6.32.49/drivers/misc/sgi-gru/grutables.h 2011-11-15 19:59:43.000000000 -0500
35392 @@ -167,84 +167,84 @@ extern unsigned int gru_max_gids;
35393 * GRU statistics.
35394 */
35395 struct gru_stats_s {
35396 - atomic_long_t vdata_alloc;
35397 - atomic_long_t vdata_free;
35398 - atomic_long_t gts_alloc;
35399 - atomic_long_t gts_free;
35400 - atomic_long_t vdata_double_alloc;
35401 - atomic_long_t gts_double_allocate;
35402 - atomic_long_t assign_context;
35403 - atomic_long_t assign_context_failed;
35404 - atomic_long_t free_context;
35405 - atomic_long_t load_user_context;
35406 - atomic_long_t load_kernel_context;
35407 - atomic_long_t lock_kernel_context;
35408 - atomic_long_t unlock_kernel_context;
35409 - atomic_long_t steal_user_context;
35410 - atomic_long_t steal_kernel_context;
35411 - atomic_long_t steal_context_failed;
35412 - atomic_long_t nopfn;
35413 - atomic_long_t break_cow;
35414 - atomic_long_t asid_new;
35415 - atomic_long_t asid_next;
35416 - atomic_long_t asid_wrap;
35417 - atomic_long_t asid_reuse;
35418 - atomic_long_t intr;
35419 - atomic_long_t intr_mm_lock_failed;
35420 - atomic_long_t call_os;
35421 - atomic_long_t call_os_offnode_reference;
35422 - atomic_long_t call_os_check_for_bug;
35423 - atomic_long_t call_os_wait_queue;
35424 - atomic_long_t user_flush_tlb;
35425 - atomic_long_t user_unload_context;
35426 - atomic_long_t user_exception;
35427 - atomic_long_t set_context_option;
35428 - atomic_long_t migrate_check;
35429 - atomic_long_t migrated_retarget;
35430 - atomic_long_t migrated_unload;
35431 - atomic_long_t migrated_unload_delay;
35432 - atomic_long_t migrated_nopfn_retarget;
35433 - atomic_long_t migrated_nopfn_unload;
35434 - atomic_long_t tlb_dropin;
35435 - atomic_long_t tlb_dropin_fail_no_asid;
35436 - atomic_long_t tlb_dropin_fail_upm;
35437 - atomic_long_t tlb_dropin_fail_invalid;
35438 - atomic_long_t tlb_dropin_fail_range_active;
35439 - atomic_long_t tlb_dropin_fail_idle;
35440 - atomic_long_t tlb_dropin_fail_fmm;
35441 - atomic_long_t tlb_dropin_fail_no_exception;
35442 - atomic_long_t tlb_dropin_fail_no_exception_war;
35443 - atomic_long_t tfh_stale_on_fault;
35444 - atomic_long_t mmu_invalidate_range;
35445 - atomic_long_t mmu_invalidate_page;
35446 - atomic_long_t mmu_clear_flush_young;
35447 - atomic_long_t flush_tlb;
35448 - atomic_long_t flush_tlb_gru;
35449 - atomic_long_t flush_tlb_gru_tgh;
35450 - atomic_long_t flush_tlb_gru_zero_asid;
35451 -
35452 - atomic_long_t copy_gpa;
35453 -
35454 - atomic_long_t mesq_receive;
35455 - atomic_long_t mesq_receive_none;
35456 - atomic_long_t mesq_send;
35457 - atomic_long_t mesq_send_failed;
35458 - atomic_long_t mesq_noop;
35459 - atomic_long_t mesq_send_unexpected_error;
35460 - atomic_long_t mesq_send_lb_overflow;
35461 - atomic_long_t mesq_send_qlimit_reached;
35462 - atomic_long_t mesq_send_amo_nacked;
35463 - atomic_long_t mesq_send_put_nacked;
35464 - atomic_long_t mesq_qf_not_full;
35465 - atomic_long_t mesq_qf_locked;
35466 - atomic_long_t mesq_qf_noop_not_full;
35467 - atomic_long_t mesq_qf_switch_head_failed;
35468 - atomic_long_t mesq_qf_unexpected_error;
35469 - atomic_long_t mesq_noop_unexpected_error;
35470 - atomic_long_t mesq_noop_lb_overflow;
35471 - atomic_long_t mesq_noop_qlimit_reached;
35472 - atomic_long_t mesq_noop_amo_nacked;
35473 - atomic_long_t mesq_noop_put_nacked;
35474 + atomic_long_unchecked_t vdata_alloc;
35475 + atomic_long_unchecked_t vdata_free;
35476 + atomic_long_unchecked_t gts_alloc;
35477 + atomic_long_unchecked_t gts_free;
35478 + atomic_long_unchecked_t vdata_double_alloc;
35479 + atomic_long_unchecked_t gts_double_allocate;
35480 + atomic_long_unchecked_t assign_context;
35481 + atomic_long_unchecked_t assign_context_failed;
35482 + atomic_long_unchecked_t free_context;
35483 + atomic_long_unchecked_t load_user_context;
35484 + atomic_long_unchecked_t load_kernel_context;
35485 + atomic_long_unchecked_t lock_kernel_context;
35486 + atomic_long_unchecked_t unlock_kernel_context;
35487 + atomic_long_unchecked_t steal_user_context;
35488 + atomic_long_unchecked_t steal_kernel_context;
35489 + atomic_long_unchecked_t steal_context_failed;
35490 + atomic_long_unchecked_t nopfn;
35491 + atomic_long_unchecked_t break_cow;
35492 + atomic_long_unchecked_t asid_new;
35493 + atomic_long_unchecked_t asid_next;
35494 + atomic_long_unchecked_t asid_wrap;
35495 + atomic_long_unchecked_t asid_reuse;
35496 + atomic_long_unchecked_t intr;
35497 + atomic_long_unchecked_t intr_mm_lock_failed;
35498 + atomic_long_unchecked_t call_os;
35499 + atomic_long_unchecked_t call_os_offnode_reference;
35500 + atomic_long_unchecked_t call_os_check_for_bug;
35501 + atomic_long_unchecked_t call_os_wait_queue;
35502 + atomic_long_unchecked_t user_flush_tlb;
35503 + atomic_long_unchecked_t user_unload_context;
35504 + atomic_long_unchecked_t user_exception;
35505 + atomic_long_unchecked_t set_context_option;
35506 + atomic_long_unchecked_t migrate_check;
35507 + atomic_long_unchecked_t migrated_retarget;
35508 + atomic_long_unchecked_t migrated_unload;
35509 + atomic_long_unchecked_t migrated_unload_delay;
35510 + atomic_long_unchecked_t migrated_nopfn_retarget;
35511 + atomic_long_unchecked_t migrated_nopfn_unload;
35512 + atomic_long_unchecked_t tlb_dropin;
35513 + atomic_long_unchecked_t tlb_dropin_fail_no_asid;
35514 + atomic_long_unchecked_t tlb_dropin_fail_upm;
35515 + atomic_long_unchecked_t tlb_dropin_fail_invalid;
35516 + atomic_long_unchecked_t tlb_dropin_fail_range_active;
35517 + atomic_long_unchecked_t tlb_dropin_fail_idle;
35518 + atomic_long_unchecked_t tlb_dropin_fail_fmm;
35519 + atomic_long_unchecked_t tlb_dropin_fail_no_exception;
35520 + atomic_long_unchecked_t tlb_dropin_fail_no_exception_war;
35521 + atomic_long_unchecked_t tfh_stale_on_fault;
35522 + atomic_long_unchecked_t mmu_invalidate_range;
35523 + atomic_long_unchecked_t mmu_invalidate_page;
35524 + atomic_long_unchecked_t mmu_clear_flush_young;
35525 + atomic_long_unchecked_t flush_tlb;
35526 + atomic_long_unchecked_t flush_tlb_gru;
35527 + atomic_long_unchecked_t flush_tlb_gru_tgh;
35528 + atomic_long_unchecked_t flush_tlb_gru_zero_asid;
35529 +
35530 + atomic_long_unchecked_t copy_gpa;
35531 +
35532 + atomic_long_unchecked_t mesq_receive;
35533 + atomic_long_unchecked_t mesq_receive_none;
35534 + atomic_long_unchecked_t mesq_send;
35535 + atomic_long_unchecked_t mesq_send_failed;
35536 + atomic_long_unchecked_t mesq_noop;
35537 + atomic_long_unchecked_t mesq_send_unexpected_error;
35538 + atomic_long_unchecked_t mesq_send_lb_overflow;
35539 + atomic_long_unchecked_t mesq_send_qlimit_reached;
35540 + atomic_long_unchecked_t mesq_send_amo_nacked;
35541 + atomic_long_unchecked_t mesq_send_put_nacked;
35542 + atomic_long_unchecked_t mesq_qf_not_full;
35543 + atomic_long_unchecked_t mesq_qf_locked;
35544 + atomic_long_unchecked_t mesq_qf_noop_not_full;
35545 + atomic_long_unchecked_t mesq_qf_switch_head_failed;
35546 + atomic_long_unchecked_t mesq_qf_unexpected_error;
35547 + atomic_long_unchecked_t mesq_noop_unexpected_error;
35548 + atomic_long_unchecked_t mesq_noop_lb_overflow;
35549 + atomic_long_unchecked_t mesq_noop_qlimit_reached;
35550 + atomic_long_unchecked_t mesq_noop_amo_nacked;
35551 + atomic_long_unchecked_t mesq_noop_put_nacked;
35552
35553 };
35554
35555 @@ -252,8 +252,8 @@ enum mcs_op {cchop_allocate, cchop_start
35556 cchop_deallocate, tghop_invalidate, mcsop_last};
35557
35558 struct mcs_op_statistic {
35559 - atomic_long_t count;
35560 - atomic_long_t total;
35561 + atomic_long_unchecked_t count;
35562 + atomic_long_unchecked_t total;
35563 unsigned long max;
35564 };
35565
35566 @@ -276,7 +276,7 @@ extern struct mcs_op_statistic mcs_op_st
35567
35568 #define STAT(id) do { \
35569 if (gru_options & OPT_STATS) \
35570 - atomic_long_inc(&gru_stats.id); \
35571 + atomic_long_inc_unchecked(&gru_stats.id); \
35572 } while (0)
35573
35574 #ifdef CONFIG_SGI_GRU_DEBUG
35575 diff -urNp linux-2.6.32.49/drivers/misc/sgi-xp/xpc.h linux-2.6.32.49/drivers/misc/sgi-xp/xpc.h
35576 --- linux-2.6.32.49/drivers/misc/sgi-xp/xpc.h 2011-11-08 19:02:43.000000000 -0500
35577 +++ linux-2.6.32.49/drivers/misc/sgi-xp/xpc.h 2011-11-18 18:05:51.000000000 -0500
35578 @@ -835,6 +835,7 @@ struct xpc_arch_operations {
35579 void (*received_payload) (struct xpc_channel *, void *);
35580 void (*notify_senders_of_disconnect) (struct xpc_channel *);
35581 };
35582 +typedef struct xpc_arch_operations __no_const xpc_arch_operations_no_const;
35583
35584 /* struct xpc_partition act_state values (for XPC HB) */
35585
35586 @@ -876,7 +877,7 @@ extern struct xpc_registration xpc_regis
35587 /* found in xpc_main.c */
35588 extern struct device *xpc_part;
35589 extern struct device *xpc_chan;
35590 -extern struct xpc_arch_operations xpc_arch_ops;
35591 +extern xpc_arch_operations_no_const xpc_arch_ops;
35592 extern int xpc_disengage_timelimit;
35593 extern int xpc_disengage_timedout;
35594 extern int xpc_activate_IRQ_rcvd;
35595 diff -urNp linux-2.6.32.49/drivers/misc/sgi-xp/xpc_main.c linux-2.6.32.49/drivers/misc/sgi-xp/xpc_main.c
35596 --- linux-2.6.32.49/drivers/misc/sgi-xp/xpc_main.c 2011-11-08 19:02:43.000000000 -0500
35597 +++ linux-2.6.32.49/drivers/misc/sgi-xp/xpc_main.c 2011-11-18 18:05:28.000000000 -0500
35598 @@ -169,7 +169,7 @@ static struct notifier_block xpc_die_not
35599 .notifier_call = xpc_system_die,
35600 };
35601
35602 -struct xpc_arch_operations xpc_arch_ops;
35603 +xpc_arch_operations_no_const xpc_arch_ops;
35604
35605 /*
35606 * Timer function to enforce the timelimit on the partition disengage.
35607 diff -urNp linux-2.6.32.49/drivers/misc/sgi-xp/xpc_sn2.c linux-2.6.32.49/drivers/misc/sgi-xp/xpc_sn2.c
35608 --- linux-2.6.32.49/drivers/misc/sgi-xp/xpc_sn2.c 2011-11-08 19:02:43.000000000 -0500
35609 +++ linux-2.6.32.49/drivers/misc/sgi-xp/xpc_sn2.c 2011-11-15 19:59:43.000000000 -0500
35610 @@ -2350,7 +2350,7 @@ xpc_received_payload_sn2(struct xpc_chan
35611 xpc_acknowledge_msgs_sn2(ch, get, msg->flags);
35612 }
35613
35614 -static struct xpc_arch_operations xpc_arch_ops_sn2 = {
35615 +static const struct xpc_arch_operations xpc_arch_ops_sn2 = {
35616 .setup_partitions = xpc_setup_partitions_sn2,
35617 .teardown_partitions = xpc_teardown_partitions_sn2,
35618 .process_activate_IRQ_rcvd = xpc_process_activate_IRQ_rcvd_sn2,
35619 @@ -2413,7 +2413,9 @@ xpc_init_sn2(void)
35620 int ret;
35621 size_t buf_size;
35622
35623 - xpc_arch_ops = xpc_arch_ops_sn2;
35624 + pax_open_kernel();
35625 + memcpy((void *)&xpc_arch_ops, &xpc_arch_ops_sn2, sizeof(xpc_arch_ops_sn2));
35626 + pax_close_kernel();
35627
35628 if (offsetof(struct xpc_msg_sn2, payload) > XPC_MSG_HDR_MAX_SIZE) {
35629 dev_err(xpc_part, "header portion of struct xpc_msg_sn2 is "
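Review bot: The `pax_open_kernel()` / `pax_close_kernel()` window around the `memcpy` in xpc_init_sn2 looks either redundant or inconsistent with the type. xpc.h in this same patch declares `xpc_arch_ops` as `xpc_arch_operations_no_const`, which presumably keeps the object writable, so the original `xpc_arch_ops = xpc_arch_ops_sn2;` should still compile and work. If the object is instead meant to be read-only after init, a one-line comment should say so, because a write window into protected kernel memory ought to be justified where it is opened. Either way the copy is safer sized by the destination and without the cast, `memcpy(&xpc_arch_ops, &xpc_arch_ops_sn2, sizeof(xpc_arch_ops));`, since the `(void *)` hides any later type mismatch. The same applies to xpc_init_uv in xpc_uv.c; the function body continues outside this hunk.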
35630 diff -urNp linux-2.6.32.49/drivers/misc/sgi-xp/xpc_uv.c linux-2.6.32.49/drivers/misc/sgi-xp/xpc_uv.c
35631 --- linux-2.6.32.49/drivers/misc/sgi-xp/xpc_uv.c 2011-11-08 19:02:43.000000000 -0500
35632 +++ linux-2.6.32.49/drivers/misc/sgi-xp/xpc_uv.c 2011-11-15 19:59:43.000000000 -0500
35633 @@ -1669,7 +1669,7 @@ xpc_received_payload_uv(struct xpc_chann
35634 XPC_DEACTIVATE_PARTITION(&xpc_partitions[ch->partid], ret);
35635 }
35636
35637 -static struct xpc_arch_operations xpc_arch_ops_uv = {
35638 +static const struct xpc_arch_operations xpc_arch_ops_uv = {
35639 .setup_partitions = xpc_setup_partitions_uv,
35640 .teardown_partitions = xpc_teardown_partitions_uv,
35641 .process_activate_IRQ_rcvd = xpc_process_activate_IRQ_rcvd_uv,
35642 @@ -1729,7 +1729,9 @@ static struct xpc_arch_operations xpc_ar
35643 int
35644 xpc_init_uv(void)
35645 {
35646 - xpc_arch_ops = xpc_arch_ops_uv;
35647 + pax_open_kernel();
35648 + memcpy((void *)&xpc_arch_ops, &xpc_arch_ops_uv, sizeof(xpc_arch_ops_uv));
35649 + pax_close_kernel();
35650
35651 if (sizeof(struct xpc_notify_mq_msghdr_uv) > XPC_MSG_HDR_MAX_SIZE) {
35652 dev_err(xpc_part, "xpc_notify_mq_msghdr_uv is larger than %d\n",
35653 diff -urNp linux-2.6.32.49/drivers/misc/sgi-xp/xp.h linux-2.6.32.49/drivers/misc/sgi-xp/xp.h
35654 --- linux-2.6.32.49/drivers/misc/sgi-xp/xp.h 2011-11-08 19:02:43.000000000 -0500
35655 +++ linux-2.6.32.49/drivers/misc/sgi-xp/xp.h 2011-11-15 19:59:43.000000000 -0500
35656 @@ -289,7 +289,7 @@ struct xpc_interface {
35657 xpc_notify_func, void *);
35658 void (*received) (short, int, void *);
35659 enum xp_retval (*partid_to_nasids) (short, void *);
35660 -};
35661 +} __no_const;
35662
35663 extern struct xpc_interface xpc_interface;
35664
35665 diff -urNp linux-2.6.32.49/drivers/mmc/host/sdhci-pci.c linux-2.6.32.49/drivers/mmc/host/sdhci-pci.c
35666 --- linux-2.6.32.49/drivers/mmc/host/sdhci-pci.c 2011-11-08 19:02:43.000000000 -0500
35667 +++ linux-2.6.32.49/drivers/mmc/host/sdhci-pci.c 2011-11-18 18:01:55.000000000 -0500
35668 @@ -297,7 +297,7 @@ static const struct sdhci_pci_fixes sdhc
35669 .probe = via_probe,
35670 };
35671
35672 -static const struct pci_device_id pci_ids[] __devinitdata = {
35673 +static const struct pci_device_id pci_ids[] __devinitconst = {
35674 {
35675 .vendor = PCI_VENDOR_ID_RICOH,
35676 .device = PCI_DEVICE_ID_RICOH_R5C822,
35677 diff -urNp linux-2.6.32.49/drivers/mtd/chips/cfi_cmdset_0001.c linux-2.6.32.49/drivers/mtd/chips/cfi_cmdset_0001.c
35678 --- linux-2.6.32.49/drivers/mtd/chips/cfi_cmdset_0001.c 2011-11-08 19:02:43.000000000 -0500
35679 +++ linux-2.6.32.49/drivers/mtd/chips/cfi_cmdset_0001.c 2011-11-15 19:59:43.000000000 -0500
35680 @@ -743,6 +743,8 @@ static int chip_ready (struct map_info *
35681 struct cfi_pri_intelext *cfip = cfi->cmdset_priv;
35682 unsigned long timeo = jiffies + HZ;
35683
35684 + pax_track_stack();
35685 +
35686 /* Prevent setting state FL_SYNCING for chip in suspended state. */
35687 if (mode == FL_SYNCING && chip->oldstate != FL_READY)
35688 goto sleep;
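Review bot: The `pax_track_stack();` call added after the declarations in chip_ready has no comment, and nothing in this hunk shows which local makes the frame large enough to need it. A short note such as `/* large stack frame: let PaX record the stack depth for later clearing */` would tell a maintainer when the call may be dropped or must be kept; the wording is my reading of the helper and should be confirmed against its definition. The same applies to the other `pax_track_stack()` hunks on this page (cfi_cmdset_0001.c, cfi_cmdset_0020.c, ftl.c, inftlcore.c, inftlmount.c, qinfo_probe.c, mtdchar.c, nftlcore.c, nftlmount.c, bnx2.c, t3_hw.c, 6pack.c, ixgb_main.c). Only nftlmount.c also adds `#include <linux/sched.h>`, so it is worth checking that the other files already get the declaration. The function starts and continues outside the hunk.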
35689 @@ -1642,6 +1644,8 @@ static int __xipram do_write_buffer(stru
35690 unsigned long initial_adr;
35691 int initial_len = len;
35692
35693 + pax_track_stack();
35694 +
35695 wbufsize = cfi_interleave(cfi) << cfi->cfiq->MaxBufWriteSize;
35696 adr += chip->start;
35697 initial_adr = adr;
35698 @@ -1860,6 +1864,8 @@ static int __xipram do_erase_oneblock(st
35699 int retries = 3;
35700 int ret;
35701
35702 + pax_track_stack();
35703 +
35704 adr += chip->start;
35705
35706 retry:
35707 diff -urNp linux-2.6.32.49/drivers/mtd/chips/cfi_cmdset_0020.c linux-2.6.32.49/drivers/mtd/chips/cfi_cmdset_0020.c
35708 --- linux-2.6.32.49/drivers/mtd/chips/cfi_cmdset_0020.c 2011-11-08 19:02:43.000000000 -0500
35709 +++ linux-2.6.32.49/drivers/mtd/chips/cfi_cmdset_0020.c 2011-11-15 19:59:43.000000000 -0500
35710 @@ -255,6 +255,8 @@ static inline int do_read_onechip(struct
35711 unsigned long cmd_addr;
35712 struct cfi_private *cfi = map->fldrv_priv;
35713
35714 + pax_track_stack();
35715 +
35716 adr += chip->start;
35717
35718 /* Ensure cmd read/writes are aligned. */
35719 @@ -428,6 +430,8 @@ static inline int do_write_buffer(struct
35720 DECLARE_WAITQUEUE(wait, current);
35721 int wbufsize, z;
35722
35723 + pax_track_stack();
35724 +
35725 /* M58LW064A requires bus alignment for buffer wriets -- saw */
35726 if (adr & (map_bankwidth(map)-1))
35727 return -EINVAL;
35728 @@ -742,6 +746,8 @@ static inline int do_erase_oneblock(stru
35729 DECLARE_WAITQUEUE(wait, current);
35730 int ret = 0;
35731
35732 + pax_track_stack();
35733 +
35734 adr += chip->start;
35735
35736 /* Let's determine this according to the interleave only once */
35737 @@ -1047,6 +1053,8 @@ static inline int do_lock_oneblock(struc
35738 unsigned long timeo = jiffies + HZ;
35739 DECLARE_WAITQUEUE(wait, current);
35740
35741 + pax_track_stack();
35742 +
35743 adr += chip->start;
35744
35745 /* Let's determine this according to the interleave only once */
35746 @@ -1196,6 +1204,8 @@ static inline int do_unlock_oneblock(str
35747 unsigned long timeo = jiffies + HZ;
35748 DECLARE_WAITQUEUE(wait, current);
35749
35750 + pax_track_stack();
35751 +
35752 adr += chip->start;
35753
35754 /* Let's determine this according to the interleave only once */
35755 diff -urNp linux-2.6.32.49/drivers/mtd/devices/doc2000.c linux-2.6.32.49/drivers/mtd/devices/doc2000.c
35756 --- linux-2.6.32.49/drivers/mtd/devices/doc2000.c 2011-11-08 19:02:43.000000000 -0500
35757 +++ linux-2.6.32.49/drivers/mtd/devices/doc2000.c 2011-11-15 19:59:43.000000000 -0500
35758 @@ -776,7 +776,7 @@ static int doc_write(struct mtd_info *mt
35759
35760 /* The ECC will not be calculated correctly if less than 512 is written */
35761 /* DBB-
35762 - if (len != 0x200 && eccbuf)
35763 + if (len != 0x200)
35764 printk(KERN_WARNING
35765 "ECC needs a full sector write (adr: %lx size %lx)\n",
35766 (long) to, (long) len);
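Review bot: The changed condition `if (len != 0x200)` sits below the `/* DBB-` line that opens a comment, so as far as this hunk shows it is commented-out code and the edit has no compiled effect. If the short-write warning is wanted, it should be moved out of the comment; otherwise the dead block is better deleted than kept in sync. The end of that comment and the rest of doc_write are outside the hunk, so this should be confirmed against the full file.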
35767 diff -urNp linux-2.6.32.49/drivers/mtd/devices/doc2001.c linux-2.6.32.49/drivers/mtd/devices/doc2001.c
35768 --- linux-2.6.32.49/drivers/mtd/devices/doc2001.c 2011-11-08 19:02:43.000000000 -0500
35769 +++ linux-2.6.32.49/drivers/mtd/devices/doc2001.c 2011-11-15 19:59:43.000000000 -0500
35770 @@ -393,7 +393,7 @@ static int doc_read (struct mtd_info *mt
35771 struct Nand *mychip = &this->chips[from >> (this->chipshift)];
35772
35773 /* Don't allow read past end of device */
35774 - if (from >= this->totlen)
35775 + if (from >= this->totlen || !len)
35776 return -EINVAL;
35777
35778 /* Don't allow a single read to cross a 512-byte block boundary */
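Review bot: The added `!len` test makes a zero-length read fail with -EINVAL, but the comment above it still says only "Don't allow read past end of device". Nothing explains why an empty request is an error rather than a successful no-op, which callers may expect. I would update the comment to `/* Reject reads that start past the end of the device, and zero-length reads */` and state the reason, presumably later code that assumes `len >= 1`. Separately, `mychip` is derived from `from` in the declaration above, before `from` is range-checked; the hunk shows only an address computation, but moving that initialisation below the check would be cleaner. doc_read's body continues outside the hunk.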
35779 diff -urNp linux-2.6.32.49/drivers/mtd/ftl.c linux-2.6.32.49/drivers/mtd/ftl.c
35780 --- linux-2.6.32.49/drivers/mtd/ftl.c 2011-11-08 19:02:43.000000000 -0500
35781 +++ linux-2.6.32.49/drivers/mtd/ftl.c 2011-11-15 19:59:43.000000000 -0500
35782 @@ -474,6 +474,8 @@ static int copy_erase_unit(partition_t *
35783 loff_t offset;
35784 uint16_t srcunitswap = cpu_to_le16(srcunit);
35785
35786 + pax_track_stack();
35787 +
35788 eun = &part->EUNInfo[srcunit];
35789 xfer = &part->XferInfo[xferunit];
35790 DEBUG(2, "ftl_cs: copying block 0x%x to 0x%x\n",
35791 diff -urNp linux-2.6.32.49/drivers/mtd/inftlcore.c linux-2.6.32.49/drivers/mtd/inftlcore.c
35792 --- linux-2.6.32.49/drivers/mtd/inftlcore.c 2011-11-08 19:02:43.000000000 -0500
35793 +++ linux-2.6.32.49/drivers/mtd/inftlcore.c 2011-11-15 19:59:43.000000000 -0500
35794 @@ -260,6 +260,8 @@ static u16 INFTL_foldchain(struct INFTLr
35795 struct inftl_oob oob;
35796 size_t retlen;
35797
35798 + pax_track_stack();
35799 +
35800 DEBUG(MTD_DEBUG_LEVEL3, "INFTL: INFTL_foldchain(inftl=%p,thisVUC=%d,"
35801 "pending=%d)\n", inftl, thisVUC, pendingblock);
35802
35803 diff -urNp linux-2.6.32.49/drivers/mtd/inftlmount.c linux-2.6.32.49/drivers/mtd/inftlmount.c
35804 --- linux-2.6.32.49/drivers/mtd/inftlmount.c 2011-11-08 19:02:43.000000000 -0500
35805 +++ linux-2.6.32.49/drivers/mtd/inftlmount.c 2011-11-15 19:59:43.000000000 -0500
35806 @@ -54,6 +54,8 @@ static int find_boot_record(struct INFTL
35807 struct INFTLPartition *ip;
35808 size_t retlen;
35809
35810 + pax_track_stack();
35811 +
35812 DEBUG(MTD_DEBUG_LEVEL3, "INFTL: find_boot_record(inftl=%p)\n", inftl);
35813
35814 /*
35815 diff -urNp linux-2.6.32.49/drivers/mtd/lpddr/qinfo_probe.c linux-2.6.32.49/drivers/mtd/lpddr/qinfo_probe.c
35816 --- linux-2.6.32.49/drivers/mtd/lpddr/qinfo_probe.c 2011-11-08 19:02:43.000000000 -0500
35817 +++ linux-2.6.32.49/drivers/mtd/lpddr/qinfo_probe.c 2011-11-15 19:59:43.000000000 -0500
35818 @@ -106,6 +106,8 @@ static int lpddr_pfow_present(struct map
35819 {
35820 map_word pfow_val[4];
35821
35822 + pax_track_stack();
35823 +
35824 /* Check identification string */
35825 pfow_val[0] = map_read(map, map->pfow_base + PFOW_QUERY_STRING_P);
35826 pfow_val[1] = map_read(map, map->pfow_base + PFOW_QUERY_STRING_F);
35827 diff -urNp linux-2.6.32.49/drivers/mtd/mtdchar.c linux-2.6.32.49/drivers/mtd/mtdchar.c
35828 --- linux-2.6.32.49/drivers/mtd/mtdchar.c 2011-11-26 19:44:53.000000000 -0500
35829 +++ linux-2.6.32.49/drivers/mtd/mtdchar.c 2011-11-26 19:45:06.000000000 -0500
35830 @@ -461,6 +461,8 @@ static int mtd_ioctl(struct inode *inode
35831 u_long size;
35832 struct mtd_info_user info;
35833
35834 + pax_track_stack();
35835 +
35836 DEBUG(MTD_DEBUG_LEVEL0, "MTD_ioctl\n");
35837
35838 size = (cmd & IOCSIZE_MASK) >> IOCSIZE_SHIFT;
35839 diff -urNp linux-2.6.32.49/drivers/mtd/nftlcore.c linux-2.6.32.49/drivers/mtd/nftlcore.c
35840 --- linux-2.6.32.49/drivers/mtd/nftlcore.c 2011-11-08 19:02:43.000000000 -0500
35841 +++ linux-2.6.32.49/drivers/mtd/nftlcore.c 2011-11-15 19:59:43.000000000 -0500
35842 @@ -254,6 +254,8 @@ static u16 NFTL_foldchain (struct NFTLre
35843 int inplace = 1;
35844 size_t retlen;
35845
35846 + pax_track_stack();
35847 +
35848 memset(BlockMap, 0xff, sizeof(BlockMap));
35849 memset(BlockFreeFound, 0, sizeof(BlockFreeFound));
35850
35851 diff -urNp linux-2.6.32.49/drivers/mtd/nftlmount.c linux-2.6.32.49/drivers/mtd/nftlmount.c
35852 --- linux-2.6.32.49/drivers/mtd/nftlmount.c 2011-11-08 19:02:43.000000000 -0500
35853 +++ linux-2.6.32.49/drivers/mtd/nftlmount.c 2011-11-15 19:59:43.000000000 -0500
35854 @@ -23,6 +23,7 @@
35855 #include <asm/errno.h>
35856 #include <linux/delay.h>
35857 #include <linux/slab.h>
35858 +#include <linux/sched.h>
35859 #include <linux/mtd/mtd.h>
35860 #include <linux/mtd/nand.h>
35861 #include <linux/mtd/nftl.h>
35862 @@ -44,6 +45,8 @@ static int find_boot_record(struct NFTLr
35863 struct mtd_info *mtd = nftl->mbd.mtd;
35864 unsigned int i;
35865
35866 + pax_track_stack();
35867 +
35868 /* Assume logical EraseSize == physical erasesize for starting the scan.
35869 We'll sort it out later if we find a MediaHeader which says otherwise */
35870 /* Actually, we won't. The new DiskOnChip driver has already scanned
35871 diff -urNp linux-2.6.32.49/drivers/mtd/ubi/build.c linux-2.6.32.49/drivers/mtd/ubi/build.c
35872 --- linux-2.6.32.49/drivers/mtd/ubi/build.c 2011-11-08 19:02:43.000000000 -0500
35873 +++ linux-2.6.32.49/drivers/mtd/ubi/build.c 2011-11-15 19:59:43.000000000 -0500
35874 @@ -1255,7 +1255,7 @@ module_exit(ubi_exit);
35875 static int __init bytes_str_to_int(const char *str)
35876 {
35877 char *endp;
35878 - unsigned long result;
35879 + unsigned long result, scale = 1;
35880
35881 result = simple_strtoul(str, &endp, 0);
35882 if (str == endp || result >= INT_MAX) {
35883 @@ -1266,11 +1266,11 @@ static int __init bytes_str_to_int(const
35884
35885 switch (*endp) {
35886 case 'G':
35887 - result *= 1024;
35888 + scale *= 1024;
35889 case 'M':
35890 - result *= 1024;
35891 + scale *= 1024;
35892 case 'K':
35893 - result *= 1024;
35894 + scale *= 1024;
35895 if (endp[1] == 'i' && endp[2] == 'B')
35896 endp += 2;
35897 case '\0':
35898 @@ -1281,7 +1281,13 @@ static int __init bytes_str_to_int(const
35899 return -EINVAL;
35900 }
35901
35902 - return result;
35903 + if ((intoverflow_t)result*scale >= INT_MAX) {
35904 + printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
35905 + str);
35906 + return -EINVAL;
35907 + }
35908 +
35909 + return result*scale;
35910 }
35911
35912 /**
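Review bot: The new range check `(intoverflow_t)result*scale >= INT_MAX` depends on the cast binding to `result` before the multiplication, and it has no comment saying so. I would write it as `if ((intoverflow_t)result * scale >= INT_MAX) {` with `/* multiply in the wider type so the product cannot wrap before the range check */` above it. The error path also reuses the generic "incorrect bytes count" text, so a value rejected only after scaling cannot be told apart from an unparsable one; mentioning the overflow in the message would help whoever reads the log. The `case 'G'` / `case 'M'` lines touched in the previous hunk fall through without a `/* fall through */` marker. bytes_str_to_int begins in an earlier hunk.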
35913 diff -urNp linux-2.6.32.49/drivers/net/atlx/atl2.c linux-2.6.32.49/drivers/net/atlx/atl2.c
35914 --- linux-2.6.32.49/drivers/net/atlx/atl2.c 2011-11-08 19:02:43.000000000 -0500
35915 +++ linux-2.6.32.49/drivers/net/atlx/atl2.c 2011-11-18 18:01:55.000000000 -0500
35916 @@ -2845,7 +2845,7 @@ static void atl2_force_ps(struct atl2_hw
35917 */
35918
35919 #define ATL2_PARAM(X, desc) \
35920 - static const int __devinitdata X[ATL2_MAX_NIC + 1] = ATL2_PARAM_INIT; \
35921 + static const int __devinitconst X[ATL2_MAX_NIC + 1] = ATL2_PARAM_INIT; \
35922 MODULE_PARM(X, "1-" __MODULE_STRING(ATL2_MAX_NIC) "i"); \
35923 MODULE_PARM_DESC(X, desc);
35924 #else
35925 diff -urNp linux-2.6.32.49/drivers/net/bnx2.c linux-2.6.32.49/drivers/net/bnx2.c
35926 --- linux-2.6.32.49/drivers/net/bnx2.c 2011-11-08 19:02:43.000000000 -0500
35927 +++ linux-2.6.32.49/drivers/net/bnx2.c 2011-11-15 19:59:43.000000000 -0500
35928 @@ -5809,6 +5809,8 @@ bnx2_test_nvram(struct bnx2 *bp)
35929 int rc = 0;
35930 u32 magic, csum;
35931
35932 + pax_track_stack();
35933 +
35934 if ((rc = bnx2_nvram_read(bp, 0, data, 4)) != 0)
35935 goto test_nvram_done;
35936
35937 diff -urNp linux-2.6.32.49/drivers/net/cxgb3/l2t.h linux-2.6.32.49/drivers/net/cxgb3/l2t.h
35938 --- linux-2.6.32.49/drivers/net/cxgb3/l2t.h 2011-11-08 19:02:43.000000000 -0500
35939 +++ linux-2.6.32.49/drivers/net/cxgb3/l2t.h 2011-11-15 19:59:43.000000000 -0500
35940 @@ -86,7 +86,7 @@ typedef void (*arp_failure_handler_func)
35941 */
35942 struct l2t_skb_cb {
35943 arp_failure_handler_func arp_failure_handler;
35944 -};
35945 +} __no_const;
35946
35947 #define L2T_SKB_CB(skb) ((struct l2t_skb_cb *)(skb)->cb)
35948
35949 diff -urNp linux-2.6.32.49/drivers/net/cxgb3/t3_hw.c linux-2.6.32.49/drivers/net/cxgb3/t3_hw.c
35950 --- linux-2.6.32.49/drivers/net/cxgb3/t3_hw.c 2011-11-08 19:02:43.000000000 -0500
35951 +++ linux-2.6.32.49/drivers/net/cxgb3/t3_hw.c 2011-11-15 19:59:43.000000000 -0500
35952 @@ -699,6 +699,8 @@ static int get_vpd_params(struct adapter
35953 int i, addr, ret;
35954 struct t3_vpd vpd;
35955
35956 + pax_track_stack();
35957 +
35958 /*
35959 * Card information is normally at VPD_BASE but some early cards had
35960 * it at 0.
35961 diff -urNp linux-2.6.32.49/drivers/net/e1000e/82571.c linux-2.6.32.49/drivers/net/e1000e/82571.c
35962 --- linux-2.6.32.49/drivers/net/e1000e/82571.c 2011-11-08 19:02:43.000000000 -0500
35963 +++ linux-2.6.32.49/drivers/net/e1000e/82571.c 2011-11-15 19:59:43.000000000 -0500
35964 @@ -212,7 +212,7 @@ static s32 e1000_init_mac_params_82571(s
35965 {
35966 struct e1000_hw *hw = &adapter->hw;
35967 struct e1000_mac_info *mac = &hw->mac;
35968 - struct e1000_mac_operations *func = &mac->ops;
35969 + e1000_mac_operations_no_const *func = &mac->ops;
35970 u32 swsm = 0;
35971 u32 swsm2 = 0;
35972 bool force_clear_smbi = false;
35973 @@ -1656,7 +1656,7 @@ static void e1000_clear_hw_cntrs_82571(s
35974 temp = er32(ICRXDMTC);
35975 }
35976
35977 -static struct e1000_mac_operations e82571_mac_ops = {
35978 +static const struct e1000_mac_operations e82571_mac_ops = {
35979 /* .check_mng_mode: mac type dependent */
35980 /* .check_for_link: media type dependent */
35981 .id_led_init = e1000e_id_led_init,
35982 @@ -1674,7 +1674,7 @@ static struct e1000_mac_operations e8257
35983 .setup_led = e1000e_setup_led_generic,
35984 };
35985
35986 -static struct e1000_phy_operations e82_phy_ops_igp = {
35987 +static const struct e1000_phy_operations e82_phy_ops_igp = {
35988 .acquire_phy = e1000_get_hw_semaphore_82571,
35989 .check_reset_block = e1000e_check_reset_block_generic,
35990 .commit_phy = NULL,
35991 @@ -1691,7 +1691,7 @@ static struct e1000_phy_operations e82_p
35992 .cfg_on_link_up = NULL,
35993 };
35994
35995 -static struct e1000_phy_operations e82_phy_ops_m88 = {
35996 +static const struct e1000_phy_operations e82_phy_ops_m88 = {
35997 .acquire_phy = e1000_get_hw_semaphore_82571,
35998 .check_reset_block = e1000e_check_reset_block_generic,
35999 .commit_phy = e1000e_phy_sw_reset,
36000 @@ -1708,7 +1708,7 @@ static struct e1000_phy_operations e82_p
36001 .cfg_on_link_up = NULL,
36002 };
36003
36004 -static struct e1000_phy_operations e82_phy_ops_bm = {
36005 +static const struct e1000_phy_operations e82_phy_ops_bm = {
36006 .acquire_phy = e1000_get_hw_semaphore_82571,
36007 .check_reset_block = e1000e_check_reset_block_generic,
36008 .commit_phy = e1000e_phy_sw_reset,
36009 @@ -1725,7 +1725,7 @@ static struct e1000_phy_operations e82_p
36010 .cfg_on_link_up = NULL,
36011 };
36012
36013 -static struct e1000_nvm_operations e82571_nvm_ops = {
36014 +static const struct e1000_nvm_operations e82571_nvm_ops = {
36015 .acquire_nvm = e1000_acquire_nvm_82571,
36016 .read_nvm = e1000e_read_nvm_eerd,
36017 .release_nvm = e1000_release_nvm_82571,
36018 diff -urNp linux-2.6.32.49/drivers/net/e1000e/e1000.h linux-2.6.32.49/drivers/net/e1000e/e1000.h
36019 --- linux-2.6.32.49/drivers/net/e1000e/e1000.h 2011-11-08 19:02:43.000000000 -0500
36020 +++ linux-2.6.32.49/drivers/net/e1000e/e1000.h 2011-11-15 19:59:43.000000000 -0500
36021 @@ -375,9 +375,9 @@ struct e1000_info {
36022 u32 pba;
36023 u32 max_hw_frame_size;
36024 s32 (*get_variants)(struct e1000_adapter *);
36025 - struct e1000_mac_operations *mac_ops;
36026 - struct e1000_phy_operations *phy_ops;
36027 - struct e1000_nvm_operations *nvm_ops;
36028 + const struct e1000_mac_operations *mac_ops;
36029 + const struct e1000_phy_operations *phy_ops;
36030 + const struct e1000_nvm_operations *nvm_ops;
36031 };
36032
36033 /* hardware capability, feature, and workaround flags */
36034 diff -urNp linux-2.6.32.49/drivers/net/e1000e/es2lan.c linux-2.6.32.49/drivers/net/e1000e/es2lan.c
36035 --- linux-2.6.32.49/drivers/net/e1000e/es2lan.c 2011-11-08 19:02:43.000000000 -0500
36036 +++ linux-2.6.32.49/drivers/net/e1000e/es2lan.c 2011-11-15 19:59:43.000000000 -0500
36037 @@ -207,7 +207,7 @@ static s32 e1000_init_mac_params_80003es
36038 {
36039 struct e1000_hw *hw = &adapter->hw;
36040 struct e1000_mac_info *mac = &hw->mac;
36041 - struct e1000_mac_operations *func = &mac->ops;
36042 + e1000_mac_operations_no_const *func = &mac->ops;
36043
36044 /* Set media type */
36045 switch (adapter->pdev->device) {
36046 @@ -1365,7 +1365,7 @@ static void e1000_clear_hw_cntrs_80003es
36047 temp = er32(ICRXDMTC);
36048 }
36049
36050 -static struct e1000_mac_operations es2_mac_ops = {
36051 +static const struct e1000_mac_operations es2_mac_ops = {
36052 .id_led_init = e1000e_id_led_init,
36053 .check_mng_mode = e1000e_check_mng_mode_generic,
36054 /* check_for_link dependent on media type */
36055 @@ -1383,7 +1383,7 @@ static struct e1000_mac_operations es2_m
36056 .setup_led = e1000e_setup_led_generic,
36057 };
36058
36059 -static struct e1000_phy_operations es2_phy_ops = {
36060 +static const struct e1000_phy_operations es2_phy_ops = {
36061 .acquire_phy = e1000_acquire_phy_80003es2lan,
36062 .check_reset_block = e1000e_check_reset_block_generic,
36063 .commit_phy = e1000e_phy_sw_reset,
36064 @@ -1400,7 +1400,7 @@ static struct e1000_phy_operations es2_p
36065 .cfg_on_link_up = e1000_cfg_on_link_up_80003es2lan,
36066 };
36067
36068 -static struct e1000_nvm_operations es2_nvm_ops = {
36069 +static const struct e1000_nvm_operations es2_nvm_ops = {
36070 .acquire_nvm = e1000_acquire_nvm_80003es2lan,
36071 .read_nvm = e1000e_read_nvm_eerd,
36072 .release_nvm = e1000_release_nvm_80003es2lan,
36073 diff -urNp linux-2.6.32.49/drivers/net/e1000e/hw.h linux-2.6.32.49/drivers/net/e1000e/hw.h
36074 --- linux-2.6.32.49/drivers/net/e1000e/hw.h 2011-11-08 19:02:43.000000000 -0500
36075 +++ linux-2.6.32.49/drivers/net/e1000e/hw.h 2011-11-15 19:59:43.000000000 -0500
36076 @@ -753,6 +753,7 @@ struct e1000_mac_operations {
36077 s32 (*setup_physical_interface)(struct e1000_hw *);
36078 s32 (*setup_led)(struct e1000_hw *);
36079 };
36080 +typedef struct e1000_mac_operations __no_const e1000_mac_operations_no_const;
36081
36082 /* Function pointers for the PHY. */
36083 struct e1000_phy_operations {
36084 @@ -774,6 +775,7 @@ struct e1000_phy_operations {
36085 s32 (*write_phy_reg_locked)(struct e1000_hw *, u32, u16);
36086 s32 (*cfg_on_link_up)(struct e1000_hw *);
36087 };
36088 +typedef struct e1000_phy_operations __no_const e1000_phy_operations_no_const;
36089
36090 /* Function pointers for the NVM. */
36091 struct e1000_nvm_operations {
36092 @@ -785,9 +787,10 @@ struct e1000_nvm_operations {
36093 s32 (*validate_nvm)(struct e1000_hw *);
36094 s32 (*write_nvm)(struct e1000_hw *, u16, u16, u16 *);
36095 };
36096 +typedef struct e1000_nvm_operations __no_const e1000_nvm_operations_no_const;
36097
36098 struct e1000_mac_info {
36099 - struct e1000_mac_operations ops;
36100 + e1000_mac_operations_no_const ops;
36101
36102 u8 addr[6];
36103 u8 perm_addr[6];
36104 @@ -823,7 +826,7 @@ struct e1000_mac_info {
36105 };
36106
36107 struct e1000_phy_info {
36108 - struct e1000_phy_operations ops;
36109 + e1000_phy_operations_no_const ops;
36110
36111 enum e1000_phy_type type;
36112
36113 @@ -857,7 +860,7 @@ struct e1000_phy_info {
36114 };
36115
36116 struct e1000_nvm_info {
36117 - struct e1000_nvm_operations ops;
36118 + e1000_nvm_operations_no_const ops;
36119
36120 enum e1000_nvm_type type;
36121 enum e1000_nvm_override override;
36122 diff -urNp linux-2.6.32.49/drivers/net/e1000e/ich8lan.c linux-2.6.32.49/drivers/net/e1000e/ich8lan.c
36123 --- linux-2.6.32.49/drivers/net/e1000e/ich8lan.c 2011-11-08 19:02:43.000000000 -0500
36124 +++ linux-2.6.32.49/drivers/net/e1000e/ich8lan.c 2011-11-15 19:59:43.000000000 -0500
36125 @@ -3463,7 +3463,7 @@ static void e1000_clear_hw_cntrs_ich8lan
36126 }
36127 }
36128
36129 -static struct e1000_mac_operations ich8_mac_ops = {
36130 +static const struct e1000_mac_operations ich8_mac_ops = {
36131 .id_led_init = e1000e_id_led_init,
36132 .check_mng_mode = e1000_check_mng_mode_ich8lan,
36133 .check_for_link = e1000_check_for_copper_link_ich8lan,
36134 @@ -3481,7 +3481,7 @@ static struct e1000_mac_operations ich8_
36135 /* id_led_init dependent on mac type */
36136 };
36137
36138 -static struct e1000_phy_operations ich8_phy_ops = {
36139 +static const struct e1000_phy_operations ich8_phy_ops = {
36140 .acquire_phy = e1000_acquire_swflag_ich8lan,
36141 .check_reset_block = e1000_check_reset_block_ich8lan,
36142 .commit_phy = NULL,
36143 @@ -3497,7 +3497,7 @@ static struct e1000_phy_operations ich8_
36144 .write_phy_reg = e1000e_write_phy_reg_igp,
36145 };
36146
36147 -static struct e1000_nvm_operations ich8_nvm_ops = {
36148 +static const struct e1000_nvm_operations ich8_nvm_ops = {
36149 .acquire_nvm = e1000_acquire_nvm_ich8lan,
36150 .read_nvm = e1000_read_nvm_ich8lan,
36151 .release_nvm = e1000_release_nvm_ich8lan,
36152 diff -urNp linux-2.6.32.49/drivers/net/fealnx.c linux-2.6.32.49/drivers/net/fealnx.c
36153 --- linux-2.6.32.49/drivers/net/fealnx.c 2011-11-08 19:02:43.000000000 -0500
36154 +++ linux-2.6.32.49/drivers/net/fealnx.c 2011-11-18 18:01:55.000000000 -0500
36155 @@ -151,7 +151,7 @@ struct chip_info {
36156 int flags;
36157 };
36158
36159 -static const struct chip_info skel_netdrv_tbl[] __devinitdata = {
36160 +static const struct chip_info skel_netdrv_tbl[] __devinitconst = {
36161 { "100/10M Ethernet PCI Adapter", HAS_MII_XCVR },
36162 { "100/10M Ethernet PCI Adapter", HAS_CHIP_XCVR },
36163 { "1000/100/10M Ethernet PCI Adapter", HAS_MII_XCVR },
36164 diff -urNp linux-2.6.32.49/drivers/net/hamradio/6pack.c linux-2.6.32.49/drivers/net/hamradio/6pack.c
36165 --- linux-2.6.32.49/drivers/net/hamradio/6pack.c 2011-11-08 19:02:43.000000000 -0500
36166 +++ linux-2.6.32.49/drivers/net/hamradio/6pack.c 2011-11-15 19:59:43.000000000 -0500
36167 @@ -461,6 +461,8 @@ static void sixpack_receive_buf(struct t
36168 unsigned char buf[512];
36169 int count1;
36170
36171 + pax_track_stack();
36172 +
36173 if (!count)
36174 return;
36175
36176 diff -urNp linux-2.6.32.49/drivers/net/ibmveth.c linux-2.6.32.49/drivers/net/ibmveth.c
36177 --- linux-2.6.32.49/drivers/net/ibmveth.c 2011-11-08 19:02:43.000000000 -0500
36178 +++ linux-2.6.32.49/drivers/net/ibmveth.c 2011-11-15 19:59:43.000000000 -0500
36179 @@ -1577,7 +1577,7 @@ static struct attribute * veth_pool_attr
36180 NULL,
36181 };
36182
36183 -static struct sysfs_ops veth_pool_ops = {
36184 +static const struct sysfs_ops veth_pool_ops = {
36185 .show = veth_pool_show,
36186 .store = veth_pool_store,
36187 };
36188 diff -urNp linux-2.6.32.49/drivers/net/igb/e1000_82575.c linux-2.6.32.49/drivers/net/igb/e1000_82575.c
36189 --- linux-2.6.32.49/drivers/net/igb/e1000_82575.c 2011-11-08 19:02:43.000000000 -0500
36190 +++ linux-2.6.32.49/drivers/net/igb/e1000_82575.c 2011-11-15 19:59:43.000000000 -0500
36191 @@ -1411,7 +1411,7 @@ void igb_vmdq_set_replication_pf(struct
36192 wr32(E1000_VT_CTL, vt_ctl);
36193 }
36194
36195 -static struct e1000_mac_operations e1000_mac_ops_82575 = {
36196 +static const struct e1000_mac_operations e1000_mac_ops_82575 = {
36197 .reset_hw = igb_reset_hw_82575,
36198 .init_hw = igb_init_hw_82575,
36199 .check_for_link = igb_check_for_link_82575,
36200 @@ -1420,13 +1420,13 @@ static struct e1000_mac_operations e1000
36201 .get_speed_and_duplex = igb_get_speed_and_duplex_copper,
36202 };
36203
36204 -static struct e1000_phy_operations e1000_phy_ops_82575 = {
36205 +static const struct e1000_phy_operations e1000_phy_ops_82575 = {
36206 .acquire = igb_acquire_phy_82575,
36207 .get_cfg_done = igb_get_cfg_done_82575,
36208 .release = igb_release_phy_82575,
36209 };
36210
36211 -static struct e1000_nvm_operations e1000_nvm_ops_82575 = {
36212 +static const struct e1000_nvm_operations e1000_nvm_ops_82575 = {
36213 .acquire = igb_acquire_nvm_82575,
36214 .read = igb_read_nvm_eerd,
36215 .release = igb_release_nvm_82575,
36216 diff -urNp linux-2.6.32.49/drivers/net/igb/e1000_hw.h linux-2.6.32.49/drivers/net/igb/e1000_hw.h
36217 --- linux-2.6.32.49/drivers/net/igb/e1000_hw.h 2011-11-08 19:02:43.000000000 -0500
36218 +++ linux-2.6.32.49/drivers/net/igb/e1000_hw.h 2011-11-15 19:59:43.000000000 -0500
36219 @@ -288,6 +288,7 @@ struct e1000_mac_operations {
36220 s32 (*read_mac_addr)(struct e1000_hw *);
36221 s32 (*get_speed_and_duplex)(struct e1000_hw *, u16 *, u16 *);
36222 };
36223 +typedef struct e1000_mac_operations __no_const e1000_mac_operations_no_const;
36224
36225 struct e1000_phy_operations {
36226 s32 (*acquire)(struct e1000_hw *);
36227 @@ -303,6 +304,7 @@ struct e1000_phy_operations {
36228 s32 (*set_d3_lplu_state)(struct e1000_hw *, bool);
36229 s32 (*write_reg)(struct e1000_hw *, u32, u16);
36230 };
36231 +typedef struct e1000_phy_operations __no_const e1000_phy_operations_no_const;
36232
36233 struct e1000_nvm_operations {
36234 s32 (*acquire)(struct e1000_hw *);
36235 @@ -310,6 +312,7 @@ struct e1000_nvm_operations {
36236 void (*release)(struct e1000_hw *);
36237 s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
36238 };
36239 +typedef struct e1000_nvm_operations __no_const e1000_nvm_operations_no_const;
36240
36241 struct e1000_info {
36242 s32 (*get_invariants)(struct e1000_hw *);
36243 @@ -321,7 +324,7 @@ struct e1000_info {
36244 extern const struct e1000_info e1000_82575_info;
36245
36246 struct e1000_mac_info {
36247 - struct e1000_mac_operations ops;
36248 + e1000_mac_operations_no_const ops;
36249
36250 u8 addr[6];
36251 u8 perm_addr[6];
36252 @@ -365,7 +368,7 @@ struct e1000_mac_info {
36253 };
36254
36255 struct e1000_phy_info {
36256 - struct e1000_phy_operations ops;
36257 + e1000_phy_operations_no_const ops;
36258
36259 enum e1000_phy_type type;
36260
36261 @@ -400,7 +403,7 @@ struct e1000_phy_info {
36262 };
36263
36264 struct e1000_nvm_info {
36265 - struct e1000_nvm_operations ops;
36266 + e1000_nvm_operations_no_const ops;
36267
36268 enum e1000_nvm_type type;
36269 enum e1000_nvm_override override;
36270 @@ -446,6 +449,7 @@ struct e1000_mbx_operations {
36271 s32 (*check_for_ack)(struct e1000_hw *, u16);
36272 s32 (*check_for_rst)(struct e1000_hw *, u16);
36273 };
36274 +typedef struct e1000_mbx_operations __no_const e1000_mbx_operations_no_const;
36275
36276 struct e1000_mbx_stats {
36277 u32 msgs_tx;
36278 @@ -457,7 +461,7 @@ struct e1000_mbx_stats {
36279 };
36280
36281 struct e1000_mbx_info {
36282 - struct e1000_mbx_operations ops;
36283 + e1000_mbx_operations_no_const ops;
36284 struct e1000_mbx_stats stats;
36285 u32 timeout;
36286 u32 usec_delay;
36287 diff -urNp linux-2.6.32.49/drivers/net/igbvf/vf.h linux-2.6.32.49/drivers/net/igbvf/vf.h
36288 --- linux-2.6.32.49/drivers/net/igbvf/vf.h 2011-11-08 19:02:43.000000000 -0500
36289 +++ linux-2.6.32.49/drivers/net/igbvf/vf.h 2011-11-15 19:59:43.000000000 -0500
36290 @@ -187,9 +187,10 @@ struct e1000_mac_operations {
36291 s32 (*read_mac_addr)(struct e1000_hw *);
36292 s32 (*set_vfta)(struct e1000_hw *, u16, bool);
36293 };
36294 +typedef struct e1000_mac_operations __no_const e1000_mac_operations_no_const;
36295
36296 struct e1000_mac_info {
36297 - struct e1000_mac_operations ops;
36298 + e1000_mac_operations_no_const ops;
36299 u8 addr[6];
36300 u8 perm_addr[6];
36301
36302 @@ -211,6 +212,7 @@ struct e1000_mbx_operations {
36303 s32 (*check_for_ack)(struct e1000_hw *);
36304 s32 (*check_for_rst)(struct e1000_hw *);
36305 };
36306 +typedef struct e1000_mbx_operations __no_const e1000_mbx_operations_no_const;
36307
36308 struct e1000_mbx_stats {
36309 u32 msgs_tx;
36310 @@ -222,7 +224,7 @@ struct e1000_mbx_stats {
36311 };
36312
36313 struct e1000_mbx_info {
36314 - struct e1000_mbx_operations ops;
36315 + e1000_mbx_operations_no_const ops;
36316 struct e1000_mbx_stats stats;
36317 u32 timeout;
36318 u32 usec_delay;
36319 diff -urNp linux-2.6.32.49/drivers/net/iseries_veth.c linux-2.6.32.49/drivers/net/iseries_veth.c
36320 --- linux-2.6.32.49/drivers/net/iseries_veth.c 2011-11-08 19:02:43.000000000 -0500
36321 +++ linux-2.6.32.49/drivers/net/iseries_veth.c 2011-11-15 19:59:43.000000000 -0500
36322 @@ -384,7 +384,7 @@ static struct attribute *veth_cnx_defaul
36323 NULL
36324 };
36325
36326 -static struct sysfs_ops veth_cnx_sysfs_ops = {
36327 +static const struct sysfs_ops veth_cnx_sysfs_ops = {
36328 .show = veth_cnx_attribute_show
36329 };
36330
36331 @@ -441,7 +441,7 @@ static struct attribute *veth_port_defau
36332 NULL
36333 };
36334
36335 -static struct sysfs_ops veth_port_sysfs_ops = {
36336 +static const struct sysfs_ops veth_port_sysfs_ops = {
36337 .show = veth_port_attribute_show
36338 };
36339
36340 diff -urNp linux-2.6.32.49/drivers/net/ixgb/ixgb_main.c linux-2.6.32.49/drivers/net/ixgb/ixgb_main.c
36341 --- linux-2.6.32.49/drivers/net/ixgb/ixgb_main.c 2011-11-08 19:02:43.000000000 -0500
36342 +++ linux-2.6.32.49/drivers/net/ixgb/ixgb_main.c 2011-11-15 19:59:43.000000000 -0500
36343 @@ -1052,6 +1052,8 @@ ixgb_set_multi(struct net_device *netdev
36344 u32 rctl;
36345 int i;
36346
36347 + pax_track_stack();
36348 +
36349 /* Check for Promiscuous and All Multicast modes */
36350
36351 rctl = IXGB_READ_REG(hw, RCTL);
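Review bot: The added `pax_track_stack();` in ixgb_set_multi has no comment explaining why this function needs it, and the same bare call is added in ixgb_check_options, mlx4_init_hca and niu_try_msix. Presumably each of them has a large stack frame, but the locals that would motivate the call are mostly outside the hunks, so a later refactor cannot tell whether the call is still required. A one-line comment above each call would help, for example `/* large on-stack buffer in this function: keep the stack-depth tracking call */`. The function bodies continue outside the hunks.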
36352 diff -urNp linux-2.6.32.49/drivers/net/ixgb/ixgb_param.c linux-2.6.32.49/drivers/net/ixgb/ixgb_param.c
36353 --- linux-2.6.32.49/drivers/net/ixgb/ixgb_param.c 2011-11-08 19:02:43.000000000 -0500
36354 +++ linux-2.6.32.49/drivers/net/ixgb/ixgb_param.c 2011-11-15 19:59:43.000000000 -0500
36355 @@ -260,6 +260,9 @@ void __devinit
36356 ixgb_check_options(struct ixgb_adapter *adapter)
36357 {
36358 int bd = adapter->bd_number;
36359 +
36360 + pax_track_stack();
36361 +
36362 if (bd >= IXGB_MAX_NIC) {
36363 printk(KERN_NOTICE
36364 "Warning: no configuration for board #%i\n", bd);
36365 diff -urNp linux-2.6.32.49/drivers/net/ixgbe/ixgbe_type.h linux-2.6.32.49/drivers/net/ixgbe/ixgbe_type.h
36366 --- linux-2.6.32.49/drivers/net/ixgbe/ixgbe_type.h 2011-11-08 19:02:43.000000000 -0500
36367 +++ linux-2.6.32.49/drivers/net/ixgbe/ixgbe_type.h 2011-11-15 19:59:43.000000000 -0500
36368 @@ -2327,6 +2327,7 @@ struct ixgbe_eeprom_operations {
36369 s32 (*validate_checksum)(struct ixgbe_hw *, u16 *);
36370 s32 (*update_checksum)(struct ixgbe_hw *);
36371 };
36372 +typedef struct ixgbe_eeprom_operations __no_const ixgbe_eeprom_operations_no_const;
36373
36374 struct ixgbe_mac_operations {
36375 s32 (*init_hw)(struct ixgbe_hw *);
36376 @@ -2376,6 +2377,7 @@ struct ixgbe_mac_operations {
36377 /* Flow Control */
36378 s32 (*fc_enable)(struct ixgbe_hw *, s32);
36379 };
36380 +typedef struct ixgbe_mac_operations __no_const ixgbe_mac_operations_no_const;
36381
36382 struct ixgbe_phy_operations {
36383 s32 (*identify)(struct ixgbe_hw *);
36384 @@ -2394,9 +2396,10 @@ struct ixgbe_phy_operations {
36385 s32 (*read_i2c_eeprom)(struct ixgbe_hw *, u8 , u8 *);
36386 s32 (*write_i2c_eeprom)(struct ixgbe_hw *, u8, u8);
36387 };
36388 +typedef struct ixgbe_phy_operations __no_const ixgbe_phy_operations_no_const;
36389
36390 struct ixgbe_eeprom_info {
36391 - struct ixgbe_eeprom_operations ops;
36392 + ixgbe_eeprom_operations_no_const ops;
36393 enum ixgbe_eeprom_type type;
36394 u32 semaphore_delay;
36395 u16 word_size;
36396 @@ -2404,7 +2407,7 @@ struct ixgbe_eeprom_info {
36397 };
36398
36399 struct ixgbe_mac_info {
36400 - struct ixgbe_mac_operations ops;
36401 + ixgbe_mac_operations_no_const ops;
36402 enum ixgbe_mac_type type;
36403 u8 addr[IXGBE_ETH_LENGTH_OF_ADDRESS];
36404 u8 perm_addr[IXGBE_ETH_LENGTH_OF_ADDRESS];
36405 @@ -2423,7 +2426,7 @@ struct ixgbe_mac_info {
36406 };
36407
36408 struct ixgbe_phy_info {
36409 - struct ixgbe_phy_operations ops;
36410 + ixgbe_phy_operations_no_const ops;
36411 struct mdio_if_info mdio;
36412 enum ixgbe_phy_type type;
36413 u32 id;
36414 diff -urNp linux-2.6.32.49/drivers/net/mlx4/main.c linux-2.6.32.49/drivers/net/mlx4/main.c
36415 --- linux-2.6.32.49/drivers/net/mlx4/main.c 2011-11-08 19:02:43.000000000 -0500
36416 +++ linux-2.6.32.49/drivers/net/mlx4/main.c 2011-11-15 19:59:43.000000000 -0500
36417 @@ -38,6 +38,7 @@
36418 #include <linux/errno.h>
36419 #include <linux/pci.h>
36420 #include <linux/dma-mapping.h>
36421 +#include <linux/sched.h>
36422
36423 #include <linux/mlx4/device.h>
36424 #include <linux/mlx4/doorbell.h>
36425 @@ -730,6 +731,8 @@ static int mlx4_init_hca(struct mlx4_dev
36426 u64 icm_size;
36427 int err;
36428
36429 + pax_track_stack();
36430 +
36431 err = mlx4_QUERY_FW(dev);
36432 if (err) {
36433 if (err == -EACCES)
36434 diff -urNp linux-2.6.32.49/drivers/net/niu.c linux-2.6.32.49/drivers/net/niu.c
36435 --- linux-2.6.32.49/drivers/net/niu.c 2011-11-08 19:02:43.000000000 -0500
36436 +++ linux-2.6.32.49/drivers/net/niu.c 2011-11-15 19:59:43.000000000 -0500
36437 @@ -9128,6 +9128,8 @@ static void __devinit niu_try_msix(struc
36438 int i, num_irqs, err;
36439 u8 first_ldg;
36440
36441 + pax_track_stack();
36442 +
36443 first_ldg = (NIU_NUM_LDG / parent->num_ports) * np->port;
36444 for (i = 0; i < (NIU_NUM_LDG / parent->num_ports); i++)
36445 ldg_num_map[i] = first_ldg + i;
36446 diff -urNp linux-2.6.32.49/drivers/net/pcnet32.c linux-2.6.32.49/drivers/net/pcnet32.c
36447 --- linux-2.6.32.49/drivers/net/pcnet32.c 2011-11-08 19:02:43.000000000 -0500
36448 +++ linux-2.6.32.49/drivers/net/pcnet32.c 2011-11-15 19:59:43.000000000 -0500
36449 @@ -79,7 +79,7 @@ static int cards_found;
36450 /*
36451 * VLB I/O addresses
36452 */
36453 -static unsigned int pcnet32_portlist[] __initdata =
36454 +static unsigned int pcnet32_portlist[] __devinitdata =
36455 { 0x300, 0x320, 0x340, 0x360, 0 };
36456
36457 static int pcnet32_debug = 0;
36458 @@ -267,7 +267,7 @@ struct pcnet32_private {
36459 struct sk_buff **rx_skbuff;
36460 dma_addr_t *tx_dma_addr;
36461 dma_addr_t *rx_dma_addr;
36462 - struct pcnet32_access a;
36463 + struct pcnet32_access *a;
36464 spinlock_t lock; /* Guard lock */
36465 unsigned int cur_rx, cur_tx; /* The next free ring entry */
36466 unsigned int rx_ring_size; /* current rx ring size */
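Review bot: `struct pcnet32_access *a;` turns the per-device copy of the accessor table into a pointer to a shared one, but the member is not const-qualified, so code holding `lp` can still write the function pointers through it. Such a write would now affect every device that shares the table. Declaring it `const struct pcnet32_access *a;`, with the locals as `const struct pcnet32_access *a = lp->a;`, would let the compiler reject such writes. `lp->a = a;` in the pcnet32_probe1 hunk also needs the pointed-to table to outlive the net_device; its definition is outside the visible hunks, so that should be confirmed.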
36467 @@ -457,9 +457,9 @@ static void pcnet32_netif_start(struct n
36468 u16 val;
36469
36470 netif_wake_queue(dev);
36471 - val = lp->a.read_csr(ioaddr, CSR3);
36472 + val = lp->a->read_csr(ioaddr, CSR3);
36473 val &= 0x00ff;
36474 - lp->a.write_csr(ioaddr, CSR3, val);
36475 + lp->a->write_csr(ioaddr, CSR3, val);
36476 napi_enable(&lp->napi);
36477 }
36478
36479 @@ -744,7 +744,7 @@ static u32 pcnet32_get_link(struct net_d
36480 r = mii_link_ok(&lp->mii_if);
36481 } else if (lp->chip_version >= PCNET32_79C970A) {
36482 ulong ioaddr = dev->base_addr; /* card base I/O address */
36483 - r = (lp->a.read_bcr(ioaddr, 4) != 0xc0);
36484 + r = (lp->a->read_bcr(ioaddr, 4) != 0xc0);
36485 } else { /* can not detect link on really old chips */
36486 r = 1;
36487 }
36488 @@ -806,7 +806,7 @@ static int pcnet32_set_ringparam(struct
36489 pcnet32_netif_stop(dev);
36490
36491 spin_lock_irqsave(&lp->lock, flags);
36492 - lp->a.write_csr(ioaddr, CSR0, CSR0_STOP); /* stop the chip */
36493 + lp->a->write_csr(ioaddr, CSR0, CSR0_STOP); /* stop the chip */
36494
36495 size = min(ering->tx_pending, (unsigned int)TX_MAX_RING_SIZE);
36496
36497 @@ -886,7 +886,7 @@ static void pcnet32_ethtool_test(struct
36498 static int pcnet32_loopback_test(struct net_device *dev, uint64_t * data1)
36499 {
36500 struct pcnet32_private *lp = netdev_priv(dev);
36501 - struct pcnet32_access *a = &lp->a; /* access to registers */
36502 + struct pcnet32_access *a = lp->a; /* access to registers */
36503 ulong ioaddr = dev->base_addr; /* card base I/O address */
36504 struct sk_buff *skb; /* sk buff */
36505 int x, i; /* counters */
36506 @@ -906,21 +906,21 @@ static int pcnet32_loopback_test(struct
36507 pcnet32_netif_stop(dev);
36508
36509 spin_lock_irqsave(&lp->lock, flags);
36510 - lp->a.write_csr(ioaddr, CSR0, CSR0_STOP); /* stop the chip */
36511 + lp->a->write_csr(ioaddr, CSR0, CSR0_STOP); /* stop the chip */
36512
36513 numbuffs = min(numbuffs, (int)min(lp->rx_ring_size, lp->tx_ring_size));
36514
36515 /* Reset the PCNET32 */
36516 - lp->a.reset(ioaddr);
36517 - lp->a.write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
36518 + lp->a->reset(ioaddr);
36519 + lp->a->write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
36520
36521 /* switch pcnet32 to 32bit mode */
36522 - lp->a.write_bcr(ioaddr, 20, 2);
36523 + lp->a->write_bcr(ioaddr, 20, 2);
36524
36525 /* purge & init rings but don't actually restart */
36526 pcnet32_restart(dev, 0x0000);
36527
36528 - lp->a.write_csr(ioaddr, CSR0, CSR0_STOP); /* Set STOP bit */
36529 + lp->a->write_csr(ioaddr, CSR0, CSR0_STOP); /* Set STOP bit */
36530
36531 /* Initialize Transmit buffers. */
36532 size = data_len + 15;
36533 @@ -966,10 +966,10 @@ static int pcnet32_loopback_test(struct
36534
36535 /* set int loopback in CSR15 */
36536 x = a->read_csr(ioaddr, CSR15) & 0xfffc;
36537 - lp->a.write_csr(ioaddr, CSR15, x | 0x0044);
36538 + lp->a->write_csr(ioaddr, CSR15, x | 0x0044);
36539
36540 teststatus = cpu_to_le16(0x8000);
36541 - lp->a.write_csr(ioaddr, CSR0, CSR0_START); /* Set STRT bit */
36542 + lp->a->write_csr(ioaddr, CSR0, CSR0_START); /* Set STRT bit */
36543
36544 /* Check status of descriptors */
36545 for (x = 0; x < numbuffs; x++) {
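Review bot: In pcnet32_loopback_test the local `a` now holds the same pointer as `lp->a`, yet this hunk reads through `a->read_csr(ioaddr, CSR15)` and writes through `lp->a->write_csr(...)` on the next line. Using the local throughout, e.g. `a->write_csr(ioaddr, CSR15, x | 0x0044);` and `a->write_csr(ioaddr, CSR0, CSR0_START);`, makes it obvious that both calls go through one table. The other pcnet32_loopback_test hunks and the pcnet32_get_regs hunk show the same mix; the function body starts and ends outside this hunk.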
36546 @@ -990,7 +990,7 @@ static int pcnet32_loopback_test(struct
36547 }
36548 }
36549
36550 - lp->a.write_csr(ioaddr, CSR0, CSR0_STOP); /* Set STOP bit */
36551 + lp->a->write_csr(ioaddr, CSR0, CSR0_STOP); /* Set STOP bit */
36552 wmb();
36553 if (netif_msg_hw(lp) && netif_msg_pktdata(lp)) {
36554 printk(KERN_DEBUG "%s: RX loopback packets:\n", dev->name);
36555 @@ -1039,7 +1039,7 @@ static int pcnet32_loopback_test(struct
36556 pcnet32_restart(dev, CSR0_NORMAL);
36557 } else {
36558 pcnet32_purge_rx_ring(dev);
36559 - lp->a.write_bcr(ioaddr, 20, 4); /* return to 16bit mode */
36560 + lp->a->write_bcr(ioaddr, 20, 4); /* return to 16bit mode */
36561 }
36562 spin_unlock_irqrestore(&lp->lock, flags);
36563
36564 @@ -1049,7 +1049,7 @@ static int pcnet32_loopback_test(struct
36565 static void pcnet32_led_blink_callback(struct net_device *dev)
36566 {
36567 struct pcnet32_private *lp = netdev_priv(dev);
36568 - struct pcnet32_access *a = &lp->a;
36569 + struct pcnet32_access *a = lp->a;
36570 ulong ioaddr = dev->base_addr;
36571 unsigned long flags;
36572 int i;
36573 @@ -1066,7 +1066,7 @@ static void pcnet32_led_blink_callback(s
36574 static int pcnet32_phys_id(struct net_device *dev, u32 data)
36575 {
36576 struct pcnet32_private *lp = netdev_priv(dev);
36577 - struct pcnet32_access *a = &lp->a;
36578 + struct pcnet32_access *a = lp->a;
36579 ulong ioaddr = dev->base_addr;
36580 unsigned long flags;
36581 int i, regs[4];
36582 @@ -1112,7 +1112,7 @@ static int pcnet32_suspend(struct net_de
36583 {
36584 int csr5;
36585 struct pcnet32_private *lp = netdev_priv(dev);
36586 - struct pcnet32_access *a = &lp->a;
36587 + struct pcnet32_access *a = lp->a;
36588 ulong ioaddr = dev->base_addr;
36589 int ticks;
36590
36591 @@ -1388,8 +1388,8 @@ static int pcnet32_poll(struct napi_stru
36592 spin_lock_irqsave(&lp->lock, flags);
36593 if (pcnet32_tx(dev)) {
36594 /* reset the chip to clear the error condition, then restart */
36595 - lp->a.reset(ioaddr);
36596 - lp->a.write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
36597 + lp->a->reset(ioaddr);
36598 + lp->a->write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
36599 pcnet32_restart(dev, CSR0_START);
36600 netif_wake_queue(dev);
36601 }
36602 @@ -1401,12 +1401,12 @@ static int pcnet32_poll(struct napi_stru
36603 __napi_complete(napi);
36604
36605 /* clear interrupt masks */
36606 - val = lp->a.read_csr(ioaddr, CSR3);
36607 + val = lp->a->read_csr(ioaddr, CSR3);
36608 val &= 0x00ff;
36609 - lp->a.write_csr(ioaddr, CSR3, val);
36610 + lp->a->write_csr(ioaddr, CSR3, val);
36611
36612 /* Set interrupt enable. */
36613 - lp->a.write_csr(ioaddr, CSR0, CSR0_INTEN);
36614 + lp->a->write_csr(ioaddr, CSR0, CSR0_INTEN);
36615
36616 spin_unlock_irqrestore(&lp->lock, flags);
36617 }
36618 @@ -1429,7 +1429,7 @@ static void pcnet32_get_regs(struct net_
36619 int i, csr0;
36620 u16 *buff = ptr;
36621 struct pcnet32_private *lp = netdev_priv(dev);
36622 - struct pcnet32_access *a = &lp->a;
36623 + struct pcnet32_access *a = lp->a;
36624 ulong ioaddr = dev->base_addr;
36625 unsigned long flags;
36626
36627 @@ -1466,9 +1466,9 @@ static void pcnet32_get_regs(struct net_
36628 for (j = 0; j < PCNET32_MAX_PHYS; j++) {
36629 if (lp->phymask & (1 << j)) {
36630 for (i = 0; i < PCNET32_REGS_PER_PHY; i++) {
36631 - lp->a.write_bcr(ioaddr, 33,
36632 + lp->a->write_bcr(ioaddr, 33,
36633 (j << 5) | i);
36634 - *buff++ = lp->a.read_bcr(ioaddr, 34);
36635 + *buff++ = lp->a->read_bcr(ioaddr, 34);
36636 }
36637 }
36638 }
36639 @@ -1858,7 +1858,7 @@ pcnet32_probe1(unsigned long ioaddr, int
36640 ((cards_found >= MAX_UNITS) || full_duplex[cards_found]))
36641 lp->options |= PCNET32_PORT_FD;
36642
36643 - lp->a = *a;
36644 + lp->a = a;
36645
36646 /* prior to register_netdev, dev->name is not yet correct */
36647 if (pcnet32_alloc_ring(dev, pci_name(lp->pci_dev))) {
36648 @@ -1917,7 +1917,7 @@ pcnet32_probe1(unsigned long ioaddr, int
36649 if (lp->mii) {
36650 /* lp->phycount and lp->phymask are set to 0 by memset above */
36651
36652 - lp->mii_if.phy_id = ((lp->a.read_bcr(ioaddr, 33)) >> 5) & 0x1f;
36653 + lp->mii_if.phy_id = ((lp->a->read_bcr(ioaddr, 33)) >> 5) & 0x1f;
36654 /* scan for PHYs */
36655 for (i = 0; i < PCNET32_MAX_PHYS; i++) {
36656 unsigned short id1, id2;
36657 @@ -1938,7 +1938,7 @@ pcnet32_probe1(unsigned long ioaddr, int
36658 "Found PHY %04x:%04x at address %d.\n",
36659 id1, id2, i);
36660 }
36661 - lp->a.write_bcr(ioaddr, 33, (lp->mii_if.phy_id) << 5);
36662 + lp->a->write_bcr(ioaddr, 33, (lp->mii_if.phy_id) << 5);
36663 if (lp->phycount > 1) {
36664 lp->options |= PCNET32_PORT_MII;
36665 }
36666 @@ -2109,10 +2109,10 @@ static int pcnet32_open(struct net_devic
36667 }
36668
36669 /* Reset the PCNET32 */
36670 - lp->a.reset(ioaddr);
36671 + lp->a->reset(ioaddr);
36672
36673 /* switch pcnet32 to 32bit mode */
36674 - lp->a.write_bcr(ioaddr, 20, 2);
36675 + lp->a->write_bcr(ioaddr, 20, 2);
36676
36677 if (netif_msg_ifup(lp))
36678 printk(KERN_DEBUG
36679 @@ -2122,14 +2122,14 @@ static int pcnet32_open(struct net_devic
36680 (u32) (lp->init_dma_addr));
36681
36682 /* set/reset autoselect bit */
36683 - val = lp->a.read_bcr(ioaddr, 2) & ~2;
36684 + val = lp->a->read_bcr(ioaddr, 2) & ~2;
36685 if (lp->options & PCNET32_PORT_ASEL)
36686 val |= 2;
36687 - lp->a.write_bcr(ioaddr, 2, val);
36688 + lp->a->write_bcr(ioaddr, 2, val);
36689
36690 /* handle full duplex setting */
36691 if (lp->mii_if.full_duplex) {
36692 - val = lp->a.read_bcr(ioaddr, 9) & ~3;
36693 + val = lp->a->read_bcr(ioaddr, 9) & ~3;
36694 if (lp->options & PCNET32_PORT_FD) {
36695 val |= 1;
36696 if (lp->options == (PCNET32_PORT_FD | PCNET32_PORT_AUI))
36697 @@ -2139,14 +2139,14 @@ static int pcnet32_open(struct net_devic
36698 if (lp->chip_version == 0x2627)
36699 val |= 3;
36700 }
36701 - lp->a.write_bcr(ioaddr, 9, val);
36702 + lp->a->write_bcr(ioaddr, 9, val);
36703 }
36704
36705 /* set/reset GPSI bit in test register */
36706 - val = lp->a.read_csr(ioaddr, 124) & ~0x10;
36707 + val = lp->a->read_csr(ioaddr, 124) & ~0x10;
36708 if ((lp->options & PCNET32_PORT_PORTSEL) == PCNET32_PORT_GPSI)
36709 val |= 0x10;
36710 - lp->a.write_csr(ioaddr, 124, val);
36711 + lp->a->write_csr(ioaddr, 124, val);
36712
36713 /* Allied Telesyn AT 2700/2701 FX are 100Mbit only and do not negotiate */
36714 if (pdev && pdev->subsystem_vendor == PCI_VENDOR_ID_AT &&
36715 @@ -2167,24 +2167,24 @@ static int pcnet32_open(struct net_devic
36716 * duplex, and/or enable auto negotiation, and clear DANAS
36717 */
36718 if (lp->mii && !(lp->options & PCNET32_PORT_ASEL)) {
36719 - lp->a.write_bcr(ioaddr, 32,
36720 - lp->a.read_bcr(ioaddr, 32) | 0x0080);
36721 + lp->a->write_bcr(ioaddr, 32,
36722 + lp->a->read_bcr(ioaddr, 32) | 0x0080);
36723 /* disable Auto Negotiation, set 10Mpbs, HD */
36724 - val = lp->a.read_bcr(ioaddr, 32) & ~0xb8;
36725 + val = lp->a->read_bcr(ioaddr, 32) & ~0xb8;
36726 if (lp->options & PCNET32_PORT_FD)
36727 val |= 0x10;
36728 if (lp->options & PCNET32_PORT_100)
36729 val |= 0x08;
36730 - lp->a.write_bcr(ioaddr, 32, val);
36731 + lp->a->write_bcr(ioaddr, 32, val);
36732 } else {
36733 if (lp->options & PCNET32_PORT_ASEL) {
36734 - lp->a.write_bcr(ioaddr, 32,
36735 - lp->a.read_bcr(ioaddr,
36736 + lp->a->write_bcr(ioaddr, 32,
36737 + lp->a->read_bcr(ioaddr,
36738 32) | 0x0080);
36739 /* enable auto negotiate, setup, disable fd */
36740 - val = lp->a.read_bcr(ioaddr, 32) & ~0x98;
36741 + val = lp->a->read_bcr(ioaddr, 32) & ~0x98;
36742 val |= 0x20;
36743 - lp->a.write_bcr(ioaddr, 32, val);
36744 + lp->a->write_bcr(ioaddr, 32, val);
36745 }
36746 }
36747 } else {
36748 @@ -2197,10 +2197,10 @@ static int pcnet32_open(struct net_devic
36749 * There is really no good other way to handle multiple PHYs
36750 * other than turning off all automatics
36751 */
36752 - val = lp->a.read_bcr(ioaddr, 2);
36753 - lp->a.write_bcr(ioaddr, 2, val & ~2);
36754 - val = lp->a.read_bcr(ioaddr, 32);
36755 - lp->a.write_bcr(ioaddr, 32, val & ~(1 << 7)); /* stop MII manager */
36756 + val = lp->a->read_bcr(ioaddr, 2);
36757 + lp->a->write_bcr(ioaddr, 2, val & ~2);
36758 + val = lp->a->read_bcr(ioaddr, 32);
36759 + lp->a->write_bcr(ioaddr, 32, val & ~(1 << 7)); /* stop MII manager */
36760
36761 if (!(lp->options & PCNET32_PORT_ASEL)) {
36762 /* setup ecmd */
36763 @@ -2210,7 +2210,7 @@ static int pcnet32_open(struct net_devic
36764 ecmd.speed =
36765 lp->
36766 options & PCNET32_PORT_100 ? SPEED_100 : SPEED_10;
36767 - bcr9 = lp->a.read_bcr(ioaddr, 9);
36768 + bcr9 = lp->a->read_bcr(ioaddr, 9);
36769
36770 if (lp->options & PCNET32_PORT_FD) {
36771 ecmd.duplex = DUPLEX_FULL;
36772 @@ -2219,7 +2219,7 @@ static int pcnet32_open(struct net_devic
36773 ecmd.duplex = DUPLEX_HALF;
36774 bcr9 |= ~(1 << 0);
36775 }
36776 - lp->a.write_bcr(ioaddr, 9, bcr9);
36777 + lp->a->write_bcr(ioaddr, 9, bcr9);
36778 }
36779
36780 for (i = 0; i < PCNET32_MAX_PHYS; i++) {
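Review bot: The half-duplex branch kept as context here does `bcr9 |= ~(1 << 0);`, which sets every bit except bit 0 instead of clearing bit 0, and the result is then written to the chip by the changed line `lp->a->write_bcr(ioaddr, 9, bcr9);`. pcnet32_check_media in this same patch clears the bit with `bcr9 &= ~(1 << 0);`, so this line should read `bcr9 &= ~(1 << 0);` as well. The patch only rewrites the accessor and leaves the operator as it was; pcnet32_open's body starts and ends outside the hunk.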
36781 @@ -2252,9 +2252,9 @@ static int pcnet32_open(struct net_devic
36782
36783 #ifdef DO_DXSUFLO
36784 if (lp->dxsuflo) { /* Disable transmit stop on underflow */
36785 - val = lp->a.read_csr(ioaddr, CSR3);
36786 + val = lp->a->read_csr(ioaddr, CSR3);
36787 val |= 0x40;
36788 - lp->a.write_csr(ioaddr, CSR3, val);
36789 + lp->a->write_csr(ioaddr, CSR3, val);
36790 }
36791 #endif
36792
36793 @@ -2270,11 +2270,11 @@ static int pcnet32_open(struct net_devic
36794 napi_enable(&lp->napi);
36795
36796 /* Re-initialize the PCNET32, and start it when done. */
36797 - lp->a.write_csr(ioaddr, 1, (lp->init_dma_addr & 0xffff));
36798 - lp->a.write_csr(ioaddr, 2, (lp->init_dma_addr >> 16));
36799 + lp->a->write_csr(ioaddr, 1, (lp->init_dma_addr & 0xffff));
36800 + lp->a->write_csr(ioaddr, 2, (lp->init_dma_addr >> 16));
36801
36802 - lp->a.write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
36803 - lp->a.write_csr(ioaddr, CSR0, CSR0_INIT);
36804 + lp->a->write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
36805 + lp->a->write_csr(ioaddr, CSR0, CSR0_INIT);
36806
36807 netif_start_queue(dev);
36808
36809 @@ -2286,20 +2286,20 @@ static int pcnet32_open(struct net_devic
36810
36811 i = 0;
36812 while (i++ < 100)
36813 - if (lp->a.read_csr(ioaddr, CSR0) & CSR0_IDON)
36814 + if (lp->a->read_csr(ioaddr, CSR0) & CSR0_IDON)
36815 break;
36816 /*
36817 * We used to clear the InitDone bit, 0x0100, here but Mark Stockton
36818 * reports that doing so triggers a bug in the '974.
36819 */
36820 - lp->a.write_csr(ioaddr, CSR0, CSR0_NORMAL);
36821 + lp->a->write_csr(ioaddr, CSR0, CSR0_NORMAL);
36822
36823 if (netif_msg_ifup(lp))
36824 printk(KERN_DEBUG
36825 "%s: pcnet32 open after %d ticks, init block %#x csr0 %4.4x.\n",
36826 dev->name, i,
36827 (u32) (lp->init_dma_addr),
36828 - lp->a.read_csr(ioaddr, CSR0));
36829 + lp->a->read_csr(ioaddr, CSR0));
36830
36831 spin_unlock_irqrestore(&lp->lock, flags);
36832
36833 @@ -2313,7 +2313,7 @@ static int pcnet32_open(struct net_devic
36834 * Switch back to 16bit mode to avoid problems with dumb
36835 * DOS packet driver after a warm reboot
36836 */
36837 - lp->a.write_bcr(ioaddr, 20, 4);
36838 + lp->a->write_bcr(ioaddr, 20, 4);
36839
36840 err_free_irq:
36841 spin_unlock_irqrestore(&lp->lock, flags);
36842 @@ -2420,7 +2420,7 @@ static void pcnet32_restart(struct net_d
36843
36844 /* wait for stop */
36845 for (i = 0; i < 100; i++)
36846 - if (lp->a.read_csr(ioaddr, CSR0) & CSR0_STOP)
36847 + if (lp->a->read_csr(ioaddr, CSR0) & CSR0_STOP)
36848 break;
36849
36850 if (i >= 100 && netif_msg_drv(lp))
36851 @@ -2433,13 +2433,13 @@ static void pcnet32_restart(struct net_d
36852 return;
36853
36854 /* ReInit Ring */
36855 - lp->a.write_csr(ioaddr, CSR0, CSR0_INIT);
36856 + lp->a->write_csr(ioaddr, CSR0, CSR0_INIT);
36857 i = 0;
36858 while (i++ < 1000)
36859 - if (lp->a.read_csr(ioaddr, CSR0) & CSR0_IDON)
36860 + if (lp->a->read_csr(ioaddr, CSR0) & CSR0_IDON)
36861 break;
36862
36863 - lp->a.write_csr(ioaddr, CSR0, csr0_bits);
36864 + lp->a->write_csr(ioaddr, CSR0, csr0_bits);
36865 }
36866
36867 static void pcnet32_tx_timeout(struct net_device *dev)
36868 @@ -2452,8 +2452,8 @@ static void pcnet32_tx_timeout(struct ne
36869 if (pcnet32_debug & NETIF_MSG_DRV)
36870 printk(KERN_ERR
36871 "%s: transmit timed out, status %4.4x, resetting.\n",
36872 - dev->name, lp->a.read_csr(ioaddr, CSR0));
36873 - lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);
36874 + dev->name, lp->a->read_csr(ioaddr, CSR0));
36875 + lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);
36876 dev->stats.tx_errors++;
36877 if (netif_msg_tx_err(lp)) {
36878 int i;
36879 @@ -2497,7 +2497,7 @@ static netdev_tx_t pcnet32_start_xmit(st
36880 if (netif_msg_tx_queued(lp)) {
36881 printk(KERN_DEBUG
36882 "%s: pcnet32_start_xmit() called, csr0 %4.4x.\n",
36883 - dev->name, lp->a.read_csr(ioaddr, CSR0));
36884 + dev->name, lp->a->read_csr(ioaddr, CSR0));
36885 }
36886
36887 /* Default status -- will not enable Successful-TxDone
36888 @@ -2528,7 +2528,7 @@ static netdev_tx_t pcnet32_start_xmit(st
36889 dev->stats.tx_bytes += skb->len;
36890
36891 /* Trigger an immediate send poll. */
36892 - lp->a.write_csr(ioaddr, CSR0, CSR0_INTEN | CSR0_TXPOLL);
36893 + lp->a->write_csr(ioaddr, CSR0, CSR0_INTEN | CSR0_TXPOLL);
36894
36895 dev->trans_start = jiffies;
36896
36897 @@ -2555,18 +2555,18 @@ pcnet32_interrupt(int irq, void *dev_id)
36898
36899 spin_lock(&lp->lock);
36900
36901 - csr0 = lp->a.read_csr(ioaddr, CSR0);
36902 + csr0 = lp->a->read_csr(ioaddr, CSR0);
36903 while ((csr0 & 0x8f00) && --boguscnt >= 0) {
36904 if (csr0 == 0xffff) {
36905 break; /* PCMCIA remove happened */
36906 }
36907 /* Acknowledge all of the current interrupt sources ASAP. */
36908 - lp->a.write_csr(ioaddr, CSR0, csr0 & ~0x004f);
36909 + lp->a->write_csr(ioaddr, CSR0, csr0 & ~0x004f);
36910
36911 if (netif_msg_intr(lp))
36912 printk(KERN_DEBUG
36913 "%s: interrupt csr0=%#2.2x new csr=%#2.2x.\n",
36914 - dev->name, csr0, lp->a.read_csr(ioaddr, CSR0));
36915 + dev->name, csr0, lp->a->read_csr(ioaddr, CSR0));
36916
36917 /* Log misc errors. */
36918 if (csr0 & 0x4000)
36919 @@ -2595,19 +2595,19 @@ pcnet32_interrupt(int irq, void *dev_id)
36920 if (napi_schedule_prep(&lp->napi)) {
36921 u16 val;
36922 /* set interrupt masks */
36923 - val = lp->a.read_csr(ioaddr, CSR3);
36924 + val = lp->a->read_csr(ioaddr, CSR3);
36925 val |= 0x5f00;
36926 - lp->a.write_csr(ioaddr, CSR3, val);
36927 + lp->a->write_csr(ioaddr, CSR3, val);
36928
36929 __napi_schedule(&lp->napi);
36930 break;
36931 }
36932 - csr0 = lp->a.read_csr(ioaddr, CSR0);
36933 + csr0 = lp->a->read_csr(ioaddr, CSR0);
36934 }
36935
36936 if (netif_msg_intr(lp))
36937 printk(KERN_DEBUG "%s: exiting interrupt, csr0=%#4.4x.\n",
36938 - dev->name, lp->a.read_csr(ioaddr, CSR0));
36939 + dev->name, lp->a->read_csr(ioaddr, CSR0));
36940
36941 spin_unlock(&lp->lock);
36942
36943 @@ -2627,21 +2627,21 @@ static int pcnet32_close(struct net_devi
36944
36945 spin_lock_irqsave(&lp->lock, flags);
36946
36947 - dev->stats.rx_missed_errors = lp->a.read_csr(ioaddr, 112);
36948 + dev->stats.rx_missed_errors = lp->a->read_csr(ioaddr, 112);
36949
36950 if (netif_msg_ifdown(lp))
36951 printk(KERN_DEBUG
36952 "%s: Shutting down ethercard, status was %2.2x.\n",
36953 - dev->name, lp->a.read_csr(ioaddr, CSR0));
36954 + dev->name, lp->a->read_csr(ioaddr, CSR0));
36955
36956 /* We stop the PCNET32 here -- it occasionally polls memory if we don't. */
36957 - lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);
36958 + lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);
36959
36960 /*
36961 * Switch back to 16bit mode to avoid problems with dumb
36962 * DOS packet driver after a warm reboot
36963 */
36964 - lp->a.write_bcr(ioaddr, 20, 4);
36965 + lp->a->write_bcr(ioaddr, 20, 4);
36966
36967 spin_unlock_irqrestore(&lp->lock, flags);
36968
36969 @@ -2664,7 +2664,7 @@ static struct net_device_stats *pcnet32_
36970 unsigned long flags;
36971
36972 spin_lock_irqsave(&lp->lock, flags);
36973 - dev->stats.rx_missed_errors = lp->a.read_csr(ioaddr, 112);
36974 + dev->stats.rx_missed_errors = lp->a->read_csr(ioaddr, 112);
36975 spin_unlock_irqrestore(&lp->lock, flags);
36976
36977 return &dev->stats;
36978 @@ -2686,10 +2686,10 @@ static void pcnet32_load_multicast(struc
36979 if (dev->flags & IFF_ALLMULTI) {
36980 ib->filter[0] = cpu_to_le32(~0U);
36981 ib->filter[1] = cpu_to_le32(~0U);
36982 - lp->a.write_csr(ioaddr, PCNET32_MC_FILTER, 0xffff);
36983 - lp->a.write_csr(ioaddr, PCNET32_MC_FILTER+1, 0xffff);
36984 - lp->a.write_csr(ioaddr, PCNET32_MC_FILTER+2, 0xffff);
36985 - lp->a.write_csr(ioaddr, PCNET32_MC_FILTER+3, 0xffff);
36986 + lp->a->write_csr(ioaddr, PCNET32_MC_FILTER, 0xffff);
36987 + lp->a->write_csr(ioaddr, PCNET32_MC_FILTER+1, 0xffff);
36988 + lp->a->write_csr(ioaddr, PCNET32_MC_FILTER+2, 0xffff);
36989 + lp->a->write_csr(ioaddr, PCNET32_MC_FILTER+3, 0xffff);
36990 return;
36991 }
36992 /* clear the multicast filter */
36993 @@ -2710,7 +2710,7 @@ static void pcnet32_load_multicast(struc
36994 mcast_table[crc >> 4] |= cpu_to_le16(1 << (crc & 0xf));
36995 }
36996 for (i = 0; i < 4; i++)
36997 - lp->a.write_csr(ioaddr, PCNET32_MC_FILTER + i,
36998 + lp->a->write_csr(ioaddr, PCNET32_MC_FILTER + i,
36999 le16_to_cpu(mcast_table[i]));
37000 return;
37001 }
37002 @@ -2726,7 +2726,7 @@ static void pcnet32_set_multicast_list(s
37003
37004 spin_lock_irqsave(&lp->lock, flags);
37005 suspended = pcnet32_suspend(dev, &flags, 0);
37006 - csr15 = lp->a.read_csr(ioaddr, CSR15);
37007 + csr15 = lp->a->read_csr(ioaddr, CSR15);
37008 if (dev->flags & IFF_PROMISC) {
37009 /* Log any net taps. */
37010 if (netif_msg_hw(lp))
37011 @@ -2735,21 +2735,21 @@ static void pcnet32_set_multicast_list(s
37012 lp->init_block->mode =
37013 cpu_to_le16(0x8000 | (lp->options & PCNET32_PORT_PORTSEL) <<
37014 7);
37015 - lp->a.write_csr(ioaddr, CSR15, csr15 | 0x8000);
37016 + lp->a->write_csr(ioaddr, CSR15, csr15 | 0x8000);
37017 } else {
37018 lp->init_block->mode =
37019 cpu_to_le16((lp->options & PCNET32_PORT_PORTSEL) << 7);
37020 - lp->a.write_csr(ioaddr, CSR15, csr15 & 0x7fff);
37021 + lp->a->write_csr(ioaddr, CSR15, csr15 & 0x7fff);
37022 pcnet32_load_multicast(dev);
37023 }
37024
37025 if (suspended) {
37026 int csr5;
37027 /* clear SUSPEND (SPND) - CSR5 bit 0 */
37028 - csr5 = lp->a.read_csr(ioaddr, CSR5);
37029 - lp->a.write_csr(ioaddr, CSR5, csr5 & (~CSR5_SUSPEND));
37030 + csr5 = lp->a->read_csr(ioaddr, CSR5);
37031 + lp->a->write_csr(ioaddr, CSR5, csr5 & (~CSR5_SUSPEND));
37032 } else {
37033 - lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);
37034 + lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);
37035 pcnet32_restart(dev, CSR0_NORMAL);
37036 netif_wake_queue(dev);
37037 }
37038 @@ -2767,8 +2767,8 @@ static int mdio_read(struct net_device *
37039 if (!lp->mii)
37040 return 0;
37041
37042 - lp->a.write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
37043 - val_out = lp->a.read_bcr(ioaddr, 34);
37044 + lp->a->write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
37045 + val_out = lp->a->read_bcr(ioaddr, 34);
37046
37047 return val_out;
37048 }
37049 @@ -2782,8 +2782,8 @@ static void mdio_write(struct net_device
37050 if (!lp->mii)
37051 return;
37052
37053 - lp->a.write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
37054 - lp->a.write_bcr(ioaddr, 34, val);
37055 + lp->a->write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
37056 + lp->a->write_bcr(ioaddr, 34, val);
37057 }
37058
37059 static int pcnet32_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
37060 @@ -2862,7 +2862,7 @@ static void pcnet32_check_media(struct n
37061 curr_link = mii_link_ok(&lp->mii_if);
37062 } else {
37063 ulong ioaddr = dev->base_addr; /* card base I/O address */
37064 - curr_link = (lp->a.read_bcr(ioaddr, 4) != 0xc0);
37065 + curr_link = (lp->a->read_bcr(ioaddr, 4) != 0xc0);
37066 }
37067 if (!curr_link) {
37068 if (prev_link || verbose) {
37069 @@ -2887,13 +2887,13 @@ static void pcnet32_check_media(struct n
37070 (ecmd.duplex ==
37071 DUPLEX_FULL) ? "full" : "half");
37072 }
37073 - bcr9 = lp->a.read_bcr(dev->base_addr, 9);
37074 + bcr9 = lp->a->read_bcr(dev->base_addr, 9);
37075 if ((bcr9 & (1 << 0)) != lp->mii_if.full_duplex) {
37076 if (lp->mii_if.full_duplex)
37077 bcr9 |= (1 << 0);
37078 else
37079 bcr9 &= ~(1 << 0);
37080 - lp->a.write_bcr(dev->base_addr, 9, bcr9);
37081 + lp->a->write_bcr(dev->base_addr, 9, bcr9);
37082 }
37083 } else {
37084 if (netif_msg_link(lp))
37085 diff -urNp linux-2.6.32.49/drivers/net/sis190.c linux-2.6.32.49/drivers/net/sis190.c
37086 --- linux-2.6.32.49/drivers/net/sis190.c 2011-11-08 19:02:43.000000000 -0500
37087 +++ linux-2.6.32.49/drivers/net/sis190.c 2011-11-18 18:01:55.000000000 -0500
37088 @@ -1598,7 +1598,7 @@ static int __devinit sis190_get_mac_addr
37089 static int __devinit sis190_get_mac_addr_from_apc(struct pci_dev *pdev,
37090 struct net_device *dev)
37091 {
37092 - static const u16 __devinitdata ids[] = { 0x0965, 0x0966, 0x0968 };
37093 + static const u16 __devinitconst ids[] = { 0x0965, 0x0966, 0x0968 };
37094 struct sis190_private *tp = netdev_priv(dev);
37095 struct pci_dev *isa_bridge;
37096 u8 reg, tmp8;
37097 diff -urNp linux-2.6.32.49/drivers/net/sundance.c linux-2.6.32.49/drivers/net/sundance.c
37098 --- linux-2.6.32.49/drivers/net/sundance.c 2011-11-08 19:02:43.000000000 -0500
37099 +++ linux-2.6.32.49/drivers/net/sundance.c 2011-11-18 18:01:55.000000000 -0500
37100 @@ -225,7 +225,7 @@ enum {
37101 struct pci_id_info {
37102 const char *name;
37103 };
37104 -static const struct pci_id_info pci_id_tbl[] __devinitdata = {
37105 +static const struct pci_id_info pci_id_tbl[] __devinitconst = {
37106 {"D-Link DFE-550TX FAST Ethernet Adapter"},
37107 {"D-Link DFE-550FX 100Mbps Fiber-optics Adapter"},
37108 {"D-Link DFE-580TX 4 port Server Adapter"},
37109 diff -urNp linux-2.6.32.49/drivers/net/tg3.h linux-2.6.32.49/drivers/net/tg3.h
37110 --- linux-2.6.32.49/drivers/net/tg3.h 2011-11-08 19:02:43.000000000 -0500
37111 +++ linux-2.6.32.49/drivers/net/tg3.h 2011-11-15 19:59:43.000000000 -0500
37112 @@ -95,6 +95,7 @@
37113 #define CHIPREV_ID_5750_A0 0x4000
37114 #define CHIPREV_ID_5750_A1 0x4001
37115 #define CHIPREV_ID_5750_A3 0x4003
37116 +#define CHIPREV_ID_5750_C1 0x4201
37117 #define CHIPREV_ID_5750_C2 0x4202
37118 #define CHIPREV_ID_5752_A0_HW 0x5000
37119 #define CHIPREV_ID_5752_A0 0x6000
37120 diff -urNp linux-2.6.32.49/drivers/net/tokenring/abyss.c linux-2.6.32.49/drivers/net/tokenring/abyss.c
37121 --- linux-2.6.32.49/drivers/net/tokenring/abyss.c 2011-11-08 19:02:43.000000000 -0500
37122 +++ linux-2.6.32.49/drivers/net/tokenring/abyss.c 2011-11-15 19:59:43.000000000 -0500
37123 @@ -451,10 +451,12 @@ static struct pci_driver abyss_driver =
37124
37125 static int __init abyss_init (void)
37126 {
37127 - abyss_netdev_ops = tms380tr_netdev_ops;
37128 + pax_open_kernel();
37129 + memcpy((void *)&abyss_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
37130
37131 - abyss_netdev_ops.ndo_open = abyss_open;
37132 - abyss_netdev_ops.ndo_stop = abyss_close;
37133 + *(void **)&abyss_netdev_ops.ndo_open = abyss_open;
37134 + *(void **)&abyss_netdev_ops.ndo_stop = abyss_close;
37135 + pax_close_kernel();
37136
37137 return pci_register_driver(&abyss_driver);
37138 }
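Review bot: The two stores written as `*(void **)&abyss_netdev_ops.ndo_open = abyss_open;` and `*(void **)&abyss_netdev_ops.ndo_stop = abyss_close;` erase the member's function-pointer type, so a handler whose signature later drifts from the ops member would still compile. Casting to the member's own pointer type keeps the check, e.g. `*(int (**)(struct net_device *))&abyss_netdev_ops.ndo_open = abyss_open;`. The `memcpy` is also sized by the source object; `sizeof(abyss_netdev_ops)` would tie the bound to the object being written. A short comment saying why the writes sit between `pax_open_kernel()` and `pax_close_kernel()` (presumably because the ops table is made read-only elsewhere in the patch) would help the next reader. The same pattern appears in the madgemc.c, proteon.c and skisa.c hunks that follow.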
37139 diff -urNp linux-2.6.32.49/drivers/net/tokenring/madgemc.c linux-2.6.32.49/drivers/net/tokenring/madgemc.c
37140 --- linux-2.6.32.49/drivers/net/tokenring/madgemc.c 2011-11-08 19:02:43.000000000 -0500
37141 +++ linux-2.6.32.49/drivers/net/tokenring/madgemc.c 2011-11-15 19:59:43.000000000 -0500
37142 @@ -755,9 +755,11 @@ static struct mca_driver madgemc_driver
37143
37144 static int __init madgemc_init (void)
37145 {
37146 - madgemc_netdev_ops = tms380tr_netdev_ops;
37147 - madgemc_netdev_ops.ndo_open = madgemc_open;
37148 - madgemc_netdev_ops.ndo_stop = madgemc_close;
37149 + pax_open_kernel();
37150 + memcpy((void *)&madgemc_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
37151 + *(void **)&madgemc_netdev_ops.ndo_open = madgemc_open;
37152 + *(void **)&madgemc_netdev_ops.ndo_stop = madgemc_close;
37153 + pax_close_kernel();
37154
37155 return mca_register_driver (&madgemc_driver);
37156 }
37157 diff -urNp linux-2.6.32.49/drivers/net/tokenring/proteon.c linux-2.6.32.49/drivers/net/tokenring/proteon.c
37158 --- linux-2.6.32.49/drivers/net/tokenring/proteon.c 2011-11-08 19:02:43.000000000 -0500
37159 +++ linux-2.6.32.49/drivers/net/tokenring/proteon.c 2011-11-15 19:59:43.000000000 -0500
37160 @@ -353,9 +353,11 @@ static int __init proteon_init(void)
37161 struct platform_device *pdev;
37162 int i, num = 0, err = 0;
37163
37164 - proteon_netdev_ops = tms380tr_netdev_ops;
37165 - proteon_netdev_ops.ndo_open = proteon_open;
37166 - proteon_netdev_ops.ndo_stop = tms380tr_close;
37167 + pax_open_kernel();
37168 + memcpy((void *)&proteon_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
37169 + *(void **)&proteon_netdev_ops.ndo_open = proteon_open;
37170 + *(void **)&proteon_netdev_ops.ndo_stop = tms380tr_close;
37171 + pax_close_kernel();
37172
37173 err = platform_driver_register(&proteon_driver);
37174 if (err)
37175 diff -urNp linux-2.6.32.49/drivers/net/tokenring/skisa.c linux-2.6.32.49/drivers/net/tokenring/skisa.c
37176 --- linux-2.6.32.49/drivers/net/tokenring/skisa.c 2011-11-08 19:02:43.000000000 -0500
37177 +++ linux-2.6.32.49/drivers/net/tokenring/skisa.c 2011-11-15 19:59:43.000000000 -0500
37178 @@ -363,9 +363,11 @@ static int __init sk_isa_init(void)
37179 struct platform_device *pdev;
37180 int i, num = 0, err = 0;
37181
37182 - sk_isa_netdev_ops = tms380tr_netdev_ops;
37183 - sk_isa_netdev_ops.ndo_open = sk_isa_open;
37184 - sk_isa_netdev_ops.ndo_stop = tms380tr_close;
37185 + pax_open_kernel();
37186 + memcpy((void *)&sk_isa_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
37187 + *(void **)&sk_isa_netdev_ops.ndo_open = sk_isa_open;
37188 + *(void **)&sk_isa_netdev_ops.ndo_stop = tms380tr_close;
37189 + pax_close_kernel();
37190
37191 err = platform_driver_register(&sk_isa_driver);
37192 if (err)
37193 diff -urNp linux-2.6.32.49/drivers/net/tulip/de2104x.c linux-2.6.32.49/drivers/net/tulip/de2104x.c
37194 --- linux-2.6.32.49/drivers/net/tulip/de2104x.c 2011-11-08 19:02:43.000000000 -0500
37195 +++ linux-2.6.32.49/drivers/net/tulip/de2104x.c 2011-11-15 19:59:43.000000000 -0500
37196 @@ -1785,6 +1785,8 @@ static void __devinit de21041_get_srom_i
37197 struct de_srom_info_leaf *il;
37198 void *bufp;
37199
37200 + pax_track_stack();
37201 +
37202 /* download entire eeprom */
37203 for (i = 0; i < DE_EEPROM_WORDS; i++)
37204 ((__le16 *)ee_data)[i] =
37205 diff -urNp linux-2.6.32.49/drivers/net/tulip/de4x5.c linux-2.6.32.49/drivers/net/tulip/de4x5.c
37206 --- linux-2.6.32.49/drivers/net/tulip/de4x5.c 2011-11-08 19:02:43.000000000 -0500
37207 +++ linux-2.6.32.49/drivers/net/tulip/de4x5.c 2011-11-15 19:59:43.000000000 -0500
37208 @@ -5472,7 +5472,7 @@ de4x5_ioctl(struct net_device *dev, stru
37209 for (i=0; i<ETH_ALEN; i++) {
37210 tmp.addr[i] = dev->dev_addr[i];
37211 }
37212 - if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
37213 + if (ioc->len > sizeof tmp.addr || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
37214 break;
37215
37216 case DE4X5_SET_HWADDR: /* Set the hardware address */
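Review bot: An oversized `ioc->len` is reported as `-EFAULT` here, which tells the caller that its pointer was bad rather than its length. Splitting the condition makes the bound easier to see and lets the length error carry its own code: `if (ioc->len > sizeof tmp.addr) return -EINVAL;` followed by the original `copy_to_user` line. The enclosing `case` starts outside the hunk, so the type of `tmp.addr` is not visible from here.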
37217 @@ -5512,7 +5512,7 @@ de4x5_ioctl(struct net_device *dev, stru
37218 spin_lock_irqsave(&lp->lock, flags);
37219 memcpy(&statbuf, &lp->pktStats, ioc->len);
37220 spin_unlock_irqrestore(&lp->lock, flags);
37221 - if (copy_to_user(ioc->data, &statbuf, ioc->len))
37222 + if (ioc->len > sizeof statbuf || copy_to_user(ioc->data, &statbuf, ioc->len))
37223 return -EFAULT;
37224 break;
37225 }
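Review bot: The new `ioc->len > sizeof statbuf` test runs only after `memcpy(&statbuf, &lp->pktStats, ioc->len)` has already copied with the unchecked length. An oversized `ioc->len` therefore still writes past `statbuf` and reads past `lp->pktStats` before the function returns. The bound needs to come before the lock is taken, e.g. `if (ioc->len > sizeof statbuf) return -EFAULT;` placed ahead of `spin_lock_irqsave(&lp->lock, flags);`, after which the `copy_to_user` line can stay as it was. The `case` label and the declaration of `statbuf` are outside the hunk.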
37226 diff -urNp linux-2.6.32.49/drivers/net/tulip/eeprom.c linux-2.6.32.49/drivers/net/tulip/eeprom.c
37227 --- linux-2.6.32.49/drivers/net/tulip/eeprom.c 2011-11-08 19:02:43.000000000 -0500
37228 +++ linux-2.6.32.49/drivers/net/tulip/eeprom.c 2011-11-18 18:01:55.000000000 -0500
37229 @@ -80,7 +80,7 @@ static struct eeprom_fixup eeprom_fixups
37230 {NULL}};
37231
37232
37233 -static const char *block_name[] __devinitdata = {
37234 +static const char *block_name[] __devinitconst = {
37235 "21140 non-MII",
37236 "21140 MII PHY",
37237 "21142 Serial PHY",
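Review bot: `block_name` is an array of non-const pointers to const characters, so the array object itself is still writable even though it is now tagged `__devinitconst`. Placing a writable object in a read-only init section can trigger a section type conflict at build time, and it leaves the declaration disagreeing with the section it lands in. Declaring the array const as well resolves both: `static const char * const block_name[] __devinitconst = {`. The sis190.c and sundance.c hunks above do not have this problem because their objects are already fully const.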
37238 diff -urNp linux-2.6.32.49/drivers/net/tulip/winbond-840.c linux-2.6.32.49/drivers/net/tulip/winbond-840.c
37239 --- linux-2.6.32.49/drivers/net/tulip/winbond-840.c 2011-11-08 19:02:43.000000000 -0500
37240 +++ linux-2.6.32.49/drivers/net/tulip/winbond-840.c 2011-11-18 18:01:55.000000000 -0500
37241 @@ -235,7 +235,7 @@ struct pci_id_info {
37242 int drv_flags; /* Driver use, intended as capability flags. */
37243 };
37244
37245 -static const struct pci_id_info pci_id_tbl[] __devinitdata = {
37246 +static const struct pci_id_info pci_id_tbl[] __devinitconst = {
37247 { /* Sometime a Level-One switch card. */
37248 "Winbond W89c840", CanHaveMII | HasBrokenTx | FDXOnNoMII},
37249 { "Winbond W89c840", CanHaveMII | HasBrokenTx},
37250 diff -urNp linux-2.6.32.49/drivers/net/usb/hso.c linux-2.6.32.49/drivers/net/usb/hso.c
37251 --- linux-2.6.32.49/drivers/net/usb/hso.c 2011-11-08 19:02:43.000000000 -0500
37252 +++ linux-2.6.32.49/drivers/net/usb/hso.c 2011-11-15 19:59:43.000000000 -0500
37253 @@ -71,7 +71,7 @@
37254 #include <asm/byteorder.h>
37255 #include <linux/serial_core.h>
37256 #include <linux/serial.h>
37257 -
37258 +#include <asm/local.h>
37259
37260 #define DRIVER_VERSION "1.2"
37261 #define MOD_AUTHOR "Option Wireless"
37262 @@ -258,7 +258,7 @@ struct hso_serial {
37263
37264 /* from usb_serial_port */
37265 struct tty_struct *tty;
37266 - int open_count;
37267 + local_t open_count;
37268 spinlock_t serial_lock;
37269
37270 int (*write_data) (struct hso_serial *serial);
37271 @@ -1180,7 +1180,7 @@ static void put_rxbuf_data_and_resubmit_
37272 struct urb *urb;
37273
37274 urb = serial->rx_urb[0];
37275 - if (serial->open_count > 0) {
37276 + if (local_read(&serial->open_count) > 0) {
37277 count = put_rxbuf_data(urb, serial);
37278 if (count == -1)
37279 return;
37280 @@ -1216,7 +1216,7 @@ static void hso_std_serial_read_bulk_cal
37281 DUMP1(urb->transfer_buffer, urb->actual_length);
37282
37283 /* Anyone listening? */
37284 - if (serial->open_count == 0)
37285 + if (local_read(&serial->open_count) == 0)
37286 return;
37287
37288 if (status == 0) {
37289 @@ -1311,8 +1311,7 @@ static int hso_serial_open(struct tty_st
37290 spin_unlock_irq(&serial->serial_lock);
37291
37292 /* check for port already opened, if not set the termios */
37293 - serial->open_count++;
37294 - if (serial->open_count == 1) {
37295 + if (local_inc_return(&serial->open_count) == 1) {
37296 tty->low_latency = 1;
37297 serial->rx_state = RX_IDLE;
37298 /* Force default termio settings */
37299 @@ -1325,7 +1324,7 @@ static int hso_serial_open(struct tty_st
37300 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
37301 if (result) {
37302 hso_stop_serial_device(serial->parent);
37303 - serial->open_count--;
37304 + local_dec(&serial->open_count);
37305 kref_put(&serial->parent->ref, hso_serial_ref_free);
37306 }
37307 } else {
37308 @@ -1362,10 +1361,10 @@ static void hso_serial_close(struct tty_
37309
37310 /* reset the rts and dtr */
37311 /* do the actual close */
37312 - serial->open_count--;
37313 + local_dec(&serial->open_count);
37314
37315 - if (serial->open_count <= 0) {
37316 - serial->open_count = 0;
37317 + if (local_read(&serial->open_count) <= 0) {
37318 + local_set(&serial->open_count, 0);
37319 spin_lock_irq(&serial->serial_lock);
37320 if (serial->tty == tty) {
37321 serial->tty->driver_data = NULL;
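Review bot: In `hso_serial_close` the decrement, the `<= 0` test and the reset to zero are still three separate operations on `open_count`, and the `local_dec` runs before `spin_lock_irq(&serial->serial_lock)` is taken. Folding the first two together mirrors the `local_inc_return` used in the open hunk: `if (local_dec_return(&serial->open_count) <= 0) {`. Note also that `local_t` operations are atomic only with respect to the CPU that owns the variable, while this counter is read from URB callbacks and the resume path in the other hunks of this file. If those can run on a different CPU without a common lock (the locking outside these hunks is not visible), `atomic_t` would be the matching type.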
37322 @@ -1447,7 +1446,7 @@ static void hso_serial_set_termios(struc
37323
37324 /* the actual setup */
37325 spin_lock_irqsave(&serial->serial_lock, flags);
37326 - if (serial->open_count)
37327 + if (local_read(&serial->open_count))
37328 _hso_serial_set_termios(tty, old);
37329 else
37330 tty->termios = old;
37331 @@ -3097,7 +3096,7 @@ static int hso_resume(struct usb_interfa
37332 /* Start all serial ports */
37333 for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
37334 if (serial_table[i] && (serial_table[i]->interface == iface)) {
37335 - if (dev2ser(serial_table[i])->open_count) {
37336 + if (local_read(&dev2ser(serial_table[i])->open_count)) {
37337 result =
37338 hso_start_serial_device(serial_table[i], GFP_NOIO);
37339 hso_kick_transmit(dev2ser(serial_table[i]));
37340 diff -urNp linux-2.6.32.49/drivers/net/vxge/vxge-config.h linux-2.6.32.49/drivers/net/vxge/vxge-config.h
37341 --- linux-2.6.32.49/drivers/net/vxge/vxge-config.h 2011-11-08 19:02:43.000000000 -0500
37342 +++ linux-2.6.32.49/drivers/net/vxge/vxge-config.h 2011-11-15 19:59:43.000000000 -0500
37343 @@ -474,7 +474,7 @@ struct vxge_hw_uld_cbs {
37344 void (*link_down)(struct __vxge_hw_device *devh);
37345 void (*crit_err)(struct __vxge_hw_device *devh,
37346 enum vxge_hw_event type, u64 ext_data);
37347 -};
37348 +} __no_const;
37349
37350 /*
37351 * struct __vxge_hw_blockpool_entry - Block private data structure
37352 diff -urNp linux-2.6.32.49/drivers/net/vxge/vxge-main.c linux-2.6.32.49/drivers/net/vxge/vxge-main.c
37353 --- linux-2.6.32.49/drivers/net/vxge/vxge-main.c 2011-11-08 19:02:43.000000000 -0500
37354 +++ linux-2.6.32.49/drivers/net/vxge/vxge-main.c 2011-11-15 19:59:43.000000000 -0500
37355 @@ -93,6 +93,8 @@ static inline void VXGE_COMPLETE_VPATH_T
37356 struct sk_buff *completed[NR_SKB_COMPLETED];
37357 int more;
37358
37359 + pax_track_stack();
37360 +
37361 do {
37362 more = 0;
37363 skb_ptr = completed;
37364 @@ -1779,6 +1781,8 @@ static enum vxge_hw_status vxge_rth_conf
37365 u8 mtable[256] = {0}; /* CPU to vpath mapping */
37366 int index;
37367
37368 + pax_track_stack();
37369 +
37370 /*
37371 * Filling
37372 * - itable with bucket numbers
37373 diff -urNp linux-2.6.32.49/drivers/net/vxge/vxge-traffic.h linux-2.6.32.49/drivers/net/vxge/vxge-traffic.h
37374 --- linux-2.6.32.49/drivers/net/vxge/vxge-traffic.h 2011-11-08 19:02:43.000000000 -0500
37375 +++ linux-2.6.32.49/drivers/net/vxge/vxge-traffic.h 2011-11-15 19:59:43.000000000 -0500
37376 @@ -2123,7 +2123,7 @@ struct vxge_hw_mempool_cbs {
37377 struct vxge_hw_mempool_dma *dma_object,
37378 u32 index,
37379 u32 is_last);
37380 -};
37381 +} __no_const;
37382
37383 void
37384 __vxge_hw_mempool_destroy(
37385 diff -urNp linux-2.6.32.49/drivers/net/wan/cycx_x25.c linux-2.6.32.49/drivers/net/wan/cycx_x25.c
37386 --- linux-2.6.32.49/drivers/net/wan/cycx_x25.c 2011-11-08 19:02:43.000000000 -0500
37387 +++ linux-2.6.32.49/drivers/net/wan/cycx_x25.c 2011-11-15 19:59:43.000000000 -0500
37388 @@ -1017,6 +1017,8 @@ static void hex_dump(char *msg, unsigned
37389 unsigned char hex[1024],
37390 * phex = hex;
37391
37392 + pax_track_stack();
37393 +
37394 if (len >= (sizeof(hex) / 2))
37395 len = (sizeof(hex) / 2) - 1;
37396
37397 diff -urNp linux-2.6.32.49/drivers/net/wan/hdlc_x25.c linux-2.6.32.49/drivers/net/wan/hdlc_x25.c
37398 --- linux-2.6.32.49/drivers/net/wan/hdlc_x25.c 2011-11-08 19:02:43.000000000 -0500
37399 +++ linux-2.6.32.49/drivers/net/wan/hdlc_x25.c 2011-11-15 19:59:43.000000000 -0500
37400 @@ -136,16 +136,16 @@ static netdev_tx_t x25_xmit(struct sk_bu
37401
37402 static int x25_open(struct net_device *dev)
37403 {
37404 - struct lapb_register_struct cb;
37405 + static struct lapb_register_struct cb = {
37406 + .connect_confirmation = x25_connected,
37407 + .connect_indication = x25_connected,
37408 + .disconnect_confirmation = x25_disconnected,
37409 + .disconnect_indication = x25_disconnected,
37410 + .data_indication = x25_data_indication,
37411 + .data_transmit = x25_data_transmit
37412 + };
37413 int result;
37414
37415 - cb.connect_confirmation = x25_connected;
37416 - cb.connect_indication = x25_connected;
37417 - cb.disconnect_confirmation = x25_disconnected;
37418 - cb.disconnect_indication = x25_disconnected;
37419 - cb.data_indication = x25_data_indication;
37420 - cb.data_transmit = x25_data_transmit;
37421 -
37422 result = lapb_register(dev, &cb);
37423 if (result != LAPB_OK)
37424 return result;
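Review bot: `cb` moves from the stack to a function-local `static`, but it stays writable and is now a single object shared by every call to `x25_open`. If `lapb_register()` only reads the structure (its prototype is outside the hunk), declaring it `static const struct lapb_register_struct cb = {` would let the callback table live in read-only data, which appears to be the aim of this change. If the prototype takes a non-const pointer, a comment noting that the table is never modified after initialisation would record the intent. A trailing comma after `.data_transmit = x25_data_transmit` would also keep future additions to a one-line diff.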
37425 diff -urNp linux-2.6.32.49/drivers/net/wimax/i2400m/usb-fw.c linux-2.6.32.49/drivers/net/wimax/i2400m/usb-fw.c
37426 --- linux-2.6.32.49/drivers/net/wimax/i2400m/usb-fw.c 2011-11-08 19:02:43.000000000 -0500
37427 +++ linux-2.6.32.49/drivers/net/wimax/i2400m/usb-fw.c 2011-11-15 19:59:43.000000000 -0500
37428 @@ -263,6 +263,8 @@ ssize_t i2400mu_bus_bm_wait_for_ack(stru
37429 int do_autopm = 1;
37430 DECLARE_COMPLETION_ONSTACK(notif_completion);
37431
37432 + pax_track_stack();
37433 +
37434 d_fnstart(8, dev, "(i2400m %p ack %p size %zu)\n",
37435 i2400m, ack, ack_size);
37436 BUG_ON(_ack == i2400m->bm_ack_buf);
37437 diff -urNp linux-2.6.32.49/drivers/net/wireless/airo.c linux-2.6.32.49/drivers/net/wireless/airo.c
37438 --- linux-2.6.32.49/drivers/net/wireless/airo.c 2011-11-08 19:02:43.000000000 -0500
37439 +++ linux-2.6.32.49/drivers/net/wireless/airo.c 2011-11-15 19:59:43.000000000 -0500
37440 @@ -3003,6 +3003,8 @@ static void airo_process_scan_results (s
37441 BSSListElement * loop_net;
37442 BSSListElement * tmp_net;
37443
37444 + pax_track_stack();
37445 +
37446 /* Blow away current list of scan results */
37447 list_for_each_entry_safe (loop_net, tmp_net, &ai->network_list, list) {
37448 list_move_tail (&loop_net->list, &ai->network_free_list);
37449 @@ -3783,6 +3785,8 @@ static u16 setup_card(struct airo_info *
37450 WepKeyRid wkr;
37451 int rc;
37452
37453 + pax_track_stack();
37454 +
37455 memset( &mySsid, 0, sizeof( mySsid ) );
37456 kfree (ai->flash);
37457 ai->flash = NULL;
37458 @@ -4758,6 +4762,8 @@ static int proc_stats_rid_open( struct i
37459 __le32 *vals = stats.vals;
37460 int len;
37461
37462 + pax_track_stack();
37463 +
37464 if ((file->private_data = kzalloc(sizeof(struct proc_data ), GFP_KERNEL)) == NULL)
37465 return -ENOMEM;
37466 data = (struct proc_data *)file->private_data;
37467 @@ -5487,6 +5493,8 @@ static int proc_BSSList_open( struct ino
37468 /* If doLoseSync is not 1, we won't do a Lose Sync */
37469 int doLoseSync = -1;
37470
37471 + pax_track_stack();
37472 +
37473 if ((file->private_data = kzalloc(sizeof(struct proc_data ), GFP_KERNEL)) == NULL)
37474 return -ENOMEM;
37475 data = (struct proc_data *)file->private_data;
37476 @@ -7193,6 +7201,8 @@ static int airo_get_aplist(struct net_de
37477 int i;
37478 int loseSync = capable(CAP_NET_ADMIN) ? 1: -1;
37479
37480 + pax_track_stack();
37481 +
37482 qual = kmalloc(IW_MAX_AP * sizeof(*qual), GFP_KERNEL);
37483 if (!qual)
37484 return -ENOMEM;
37485 @@ -7753,6 +7763,8 @@ static void airo_read_wireless_stats(str
37486 CapabilityRid cap_rid;
37487 __le32 *vals = stats_rid.vals;
37488
37489 + pax_track_stack();
37490 +
37491 /* Get stats out of the card */
37492 clear_bit(JOB_WSTATS, &local->jobs);
37493 if (local->power.event) {
37494 diff -urNp linux-2.6.32.49/drivers/net/wireless/ath/ath5k/debug.c linux-2.6.32.49/drivers/net/wireless/ath/ath5k/debug.c
37495 --- linux-2.6.32.49/drivers/net/wireless/ath/ath5k/debug.c 2011-11-08 19:02:43.000000000 -0500
37496 +++ linux-2.6.32.49/drivers/net/wireless/ath/ath5k/debug.c 2011-11-15 19:59:43.000000000 -0500
37497 @@ -205,6 +205,8 @@ static ssize_t read_file_beacon(struct f
37498 unsigned int v;
37499 u64 tsf;
37500
37501 + pax_track_stack();
37502 +
37503 v = ath5k_hw_reg_read(sc->ah, AR5K_BEACON);
37504 len += snprintf(buf+len, sizeof(buf)-len,
37505 "%-24s0x%08x\tintval: %d\tTIM: 0x%x\n",
37506 @@ -318,6 +320,8 @@ static ssize_t read_file_debug(struct fi
37507 unsigned int len = 0;
37508 unsigned int i;
37509
37510 + pax_track_stack();
37511 +
37512 len += snprintf(buf+len, sizeof(buf)-len,
37513 "DEBUG LEVEL: 0x%08x\n\n", sc->debug.level);
37514
37515 diff -urNp linux-2.6.32.49/drivers/net/wireless/ath/ath9k/debug.c linux-2.6.32.49/drivers/net/wireless/ath/ath9k/debug.c
37516 --- linux-2.6.32.49/drivers/net/wireless/ath/ath9k/debug.c 2011-11-08 19:02:43.000000000 -0500
37517 +++ linux-2.6.32.49/drivers/net/wireless/ath/ath9k/debug.c 2011-11-15 19:59:43.000000000 -0500
37518 @@ -220,6 +220,8 @@ static ssize_t read_file_interrupt(struc
37519 char buf[512];
37520 unsigned int len = 0;
37521
37522 + pax_track_stack();
37523 +
37524 len += snprintf(buf + len, sizeof(buf) - len,
37525 "%8s: %10u\n", "RX", sc->debug.stats.istats.rxok);
37526 len += snprintf(buf + len, sizeof(buf) - len,
37527 @@ -360,6 +362,8 @@ static ssize_t read_file_wiphy(struct fi
37528 int i;
37529 u8 addr[ETH_ALEN];
37530
37531 + pax_track_stack();
37532 +
37533 len += snprintf(buf + len, sizeof(buf) - len,
37534 "primary: %s (%s chan=%d ht=%d)\n",
37535 wiphy_name(sc->pri_wiphy->hw->wiphy),
37536 diff -urNp linux-2.6.32.49/drivers/net/wireless/b43/debugfs.c linux-2.6.32.49/drivers/net/wireless/b43/debugfs.c
37537 --- linux-2.6.32.49/drivers/net/wireless/b43/debugfs.c 2011-11-08 19:02:43.000000000 -0500
37538 +++ linux-2.6.32.49/drivers/net/wireless/b43/debugfs.c 2011-11-15 19:59:43.000000000 -0500
37539 @@ -43,7 +43,7 @@ static struct dentry *rootdir;
37540 struct b43_debugfs_fops {
37541 ssize_t (*read)(struct b43_wldev *dev, char *buf, size_t bufsize);
37542 int (*write)(struct b43_wldev *dev, const char *buf, size_t count);
37543 - struct file_operations fops;
37544 + const struct file_operations fops;
37545 /* Offset of struct b43_dfs_file in struct b43_dfsentry */
37546 size_t file_struct_offset;
37547 };
37548 diff -urNp linux-2.6.32.49/drivers/net/wireless/b43legacy/debugfs.c linux-2.6.32.49/drivers/net/wireless/b43legacy/debugfs.c
37549 --- linux-2.6.32.49/drivers/net/wireless/b43legacy/debugfs.c 2011-11-08 19:02:43.000000000 -0500
37550 +++ linux-2.6.32.49/drivers/net/wireless/b43legacy/debugfs.c 2011-11-15 19:59:43.000000000 -0500
37551 @@ -44,7 +44,7 @@ static struct dentry *rootdir;
37552 struct b43legacy_debugfs_fops {
37553 ssize_t (*read)(struct b43legacy_wldev *dev, char *buf, size_t bufsize);
37554 int (*write)(struct b43legacy_wldev *dev, const char *buf, size_t count);
37555 - struct file_operations fops;
37556 + const struct file_operations fops;
37557 /* Offset of struct b43legacy_dfs_file in struct b43legacy_dfsentry */
37558 size_t file_struct_offset;
37559 /* Take wl->irq_lock before calling read/write? */
37560 diff -urNp linux-2.6.32.49/drivers/net/wireless/ipw2x00/ipw2100.c linux-2.6.32.49/drivers/net/wireless/ipw2x00/ipw2100.c
37561 --- linux-2.6.32.49/drivers/net/wireless/ipw2x00/ipw2100.c 2011-11-08 19:02:43.000000000 -0500
37562 +++ linux-2.6.32.49/drivers/net/wireless/ipw2x00/ipw2100.c 2011-11-15 19:59:43.000000000 -0500
37563 @@ -2014,6 +2014,8 @@ static int ipw2100_set_essid(struct ipw2
37564 int err;
37565 DECLARE_SSID_BUF(ssid);
37566
37567 + pax_track_stack();
37568 +
37569 IPW_DEBUG_HC("SSID: '%s'\n", print_ssid(ssid, essid, ssid_len));
37570
37571 if (ssid_len)
37572 @@ -5380,6 +5382,8 @@ static int ipw2100_set_key(struct ipw210
37573 struct ipw2100_wep_key *wep_key = (void *)cmd.host_command_parameters;
37574 int err;
37575
37576 + pax_track_stack();
37577 +
37578 IPW_DEBUG_HC("WEP_KEY_INFO: index = %d, len = %d/%d\n",
37579 idx, keylen, len);
37580
37581 diff -urNp linux-2.6.32.49/drivers/net/wireless/ipw2x00/libipw_rx.c linux-2.6.32.49/drivers/net/wireless/ipw2x00/libipw_rx.c
37582 --- linux-2.6.32.49/drivers/net/wireless/ipw2x00/libipw_rx.c 2011-11-08 19:02:43.000000000 -0500
37583 +++ linux-2.6.32.49/drivers/net/wireless/ipw2x00/libipw_rx.c 2011-11-15 19:59:43.000000000 -0500
37584 @@ -1566,6 +1566,8 @@ static void libipw_process_probe_respons
37585 unsigned long flags;
37586 DECLARE_SSID_BUF(ssid);
37587
37588 + pax_track_stack();
37589 +
37590 LIBIPW_DEBUG_SCAN("'%s' (%pM"
37591 "): %c%c%c%c %c%c%c%c-%c%c%c%c %c%c%c%c\n",
37592 print_ssid(ssid, info_element->data, info_element->len),
37593 diff -urNp linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-1000.c linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-1000.c
37594 --- linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-1000.c 2011-11-08 19:02:43.000000000 -0500
37595 +++ linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-1000.c 2011-11-15 19:59:43.000000000 -0500
37596 @@ -137,7 +137,7 @@ static struct iwl_lib_ops iwl1000_lib =
37597 },
37598 };
37599
37600 -static struct iwl_ops iwl1000_ops = {
37601 +static const struct iwl_ops iwl1000_ops = {
37602 .ucode = &iwl5000_ucode,
37603 .lib = &iwl1000_lib,
37604 .hcmd = &iwl5000_hcmd,
37605 diff -urNp linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl3945-base.c linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl3945-base.c
37606 --- linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl3945-base.c 2011-11-08 19:02:43.000000000 -0500
37607 +++ linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl3945-base.c 2011-11-15 19:59:43.000000000 -0500
37608 @@ -3927,7 +3927,9 @@ static int iwl3945_pci_probe(struct pci_
37609 */
37610 if (iwl3945_mod_params.disable_hw_scan) {
37611 IWL_DEBUG_INFO(priv, "Disabling hw_scan\n");
37612 - iwl3945_hw_ops.hw_scan = NULL;
37613 + pax_open_kernel();
37614 + *(void **)&iwl3945_hw_ops.hw_scan = NULL;
37615 + pax_close_kernel();
37616 }
37617
37618
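Review bot: Nothing in the hunk explains why a plain store to `iwl3945_hw_ops.hw_scan` now needs `pax_open_kernel()` and a `void **` cast. A one-line comment such as `/* iwl3945_hw_ops is write-protected after init; lift protection only for this store */` would document it, assuming the table is indeed made read-only elsewhere in the patch. The store also sits in the PCI probe path, so write protection is lifted each time a device is probed with `disable_hw_scan` set; applying the module parameter once at module init would keep that window out of the probe path. The same applies to the `iwl_hw_ops.hw_scan` store in the iwl-agn.c hunk further down.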
37619 diff -urNp linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-3945.c linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-3945.c
37620 --- linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-3945.c 2011-11-08 19:02:43.000000000 -0500
37621 +++ linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-3945.c 2011-11-15 19:59:43.000000000 -0500
37622 @@ -2874,7 +2874,7 @@ static struct iwl_hcmd_utils_ops iwl3945
37623 .build_addsta_hcmd = iwl3945_build_addsta_hcmd,
37624 };
37625
37626 -static struct iwl_ops iwl3945_ops = {
37627 +static const struct iwl_ops iwl3945_ops = {
37628 .ucode = &iwl3945_ucode,
37629 .lib = &iwl3945_lib,
37630 .hcmd = &iwl3945_hcmd,
37631 diff -urNp linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-4965.c linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-4965.c
37632 --- linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-4965.c 2011-11-08 19:02:43.000000000 -0500
37633 +++ linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-4965.c 2011-11-15 19:59:43.000000000 -0500
37634 @@ -2345,7 +2345,7 @@ static struct iwl_lib_ops iwl4965_lib =
37635 },
37636 };
37637
37638 -static struct iwl_ops iwl4965_ops = {
37639 +static const struct iwl_ops iwl4965_ops = {
37640 .ucode = &iwl4965_ucode,
37641 .lib = &iwl4965_lib,
37642 .hcmd = &iwl4965_hcmd,
37643 diff -urNp linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-5000.c linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-5000.c
37644 --- linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-5000.c 2011-11-08 19:02:43.000000000 -0500
37645 +++ linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-5000.c 2011-11-15 19:59:43.000000000 -0500
37646 @@ -1633,14 +1633,14 @@ static struct iwl_lib_ops iwl5150_lib =
37647 },
37648 };
37649
37650 -struct iwl_ops iwl5000_ops = {
37651 +const struct iwl_ops iwl5000_ops = {
37652 .ucode = &iwl5000_ucode,
37653 .lib = &iwl5000_lib,
37654 .hcmd = &iwl5000_hcmd,
37655 .utils = &iwl5000_hcmd_utils,
37656 };
37657
37658 -static struct iwl_ops iwl5150_ops = {
37659 +static const struct iwl_ops iwl5150_ops = {
37660 .ucode = &iwl5000_ucode,
37661 .lib = &iwl5150_lib,
37662 .hcmd = &iwl5000_hcmd,
37663 diff -urNp linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-6000.c linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-6000.c
37664 --- linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-6000.c 2011-11-08 19:02:43.000000000 -0500
37665 +++ linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-6000.c 2011-11-15 19:59:43.000000000 -0500
37666 @@ -146,7 +146,7 @@ static struct iwl_hcmd_utils_ops iwl6000
37667 .calc_rssi = iwl5000_calc_rssi,
37668 };
37669
37670 -static struct iwl_ops iwl6000_ops = {
37671 +static const struct iwl_ops iwl6000_ops = {
37672 .ucode = &iwl5000_ucode,
37673 .lib = &iwl6000_lib,
37674 .hcmd = &iwl5000_hcmd,
37675 diff -urNp linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-agn.c linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-agn.c
37676 --- linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-agn.c 2011-11-08 19:02:43.000000000 -0500
37677 +++ linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-agn.c 2011-11-15 19:59:43.000000000 -0500
37678 @@ -2911,7 +2911,9 @@ static int iwl_pci_probe(struct pci_dev
37679 if (iwl_debug_level & IWL_DL_INFO)
37680 dev_printk(KERN_DEBUG, &(pdev->dev),
37681 "Disabling hw_scan\n");
37682 - iwl_hw_ops.hw_scan = NULL;
37683 + pax_open_kernel();
37684 + *(void **)&iwl_hw_ops.hw_scan = NULL;
37685 + pax_close_kernel();
37686 }
37687
37688 hw = iwl_alloc_all(cfg, &iwl_hw_ops);
37689 diff -urNp linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-agn-rs.c linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-agn-rs.c
37690 --- linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-agn-rs.c 2011-11-08 19:02:43.000000000 -0500
37691 +++ linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-agn-rs.c 2011-11-15 19:59:43.000000000 -0500
37692 @@ -857,6 +857,8 @@ static void rs_tx_status(void *priv_r, s
37693 u8 active_index = 0;
37694 s32 tpt = 0;
37695
37696 + pax_track_stack();
37697 +
37698 IWL_DEBUG_RATE_LIMIT(priv, "get frame ack response, update rate scale window\n");
37699
37700 if (!ieee80211_is_data(hdr->frame_control) ||
37701 @@ -2722,6 +2724,8 @@ static void rs_fill_link_cmd(struct iwl_
37702 u8 valid_tx_ant = 0;
37703 struct iwl_link_quality_cmd *lq_cmd = &lq_sta->lq;
37704
37705 + pax_track_stack();
37706 +
37707 /* Override starting rate (index 0) if needed for debug purposes */
37708 rs_dbgfs_set_mcs(lq_sta, &new_rate, index);
37709
37710 diff -urNp linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-debugfs.c linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-debugfs.c
37711 --- linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-debugfs.c 2011-11-08 19:02:43.000000000 -0500
37712 +++ linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-debugfs.c 2011-11-15 19:59:43.000000000 -0500
37713 @@ -524,6 +524,8 @@ static ssize_t iwl_dbgfs_status_read(str
37714 int pos = 0;
37715 const size_t bufsz = sizeof(buf);
37716
37717 + pax_track_stack();
37718 +
37719 pos += scnprintf(buf + pos, bufsz - pos, "STATUS_HCMD_ACTIVE:\t %d\n",
37720 test_bit(STATUS_HCMD_ACTIVE, &priv->status));
37721 pos += scnprintf(buf + pos, bufsz - pos, "STATUS_HCMD_SYNC_ACTIVE: %d\n",
37722 @@ -658,6 +660,8 @@ static ssize_t iwl_dbgfs_qos_read(struct
37723 const size_t bufsz = sizeof(buf);
37724 ssize_t ret;
37725
37726 + pax_track_stack();
37727 +
37728 for (i = 0; i < AC_NUM; i++) {
37729 pos += scnprintf(buf + pos, bufsz - pos,
37730 "\tcw_min\tcw_max\taifsn\ttxop\n");
37731 diff -urNp linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-debug.h linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-debug.h
37732 --- linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-11-08 19:02:43.000000000 -0500
37733 +++ linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-11-15 19:59:43.000000000 -0500
37734 @@ -118,8 +118,8 @@ void iwl_dbgfs_unregister(struct iwl_pri
37735 #endif
37736
37737 #else
37738 -#define IWL_DEBUG(__priv, level, fmt, args...)
37739 -#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...)
37740 +#define IWL_DEBUG(__priv, level, fmt, args...) do {} while (0)
37741 +#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...) do {} while (0)
37742 static inline void iwl_print_hex_dump(struct iwl_priv *priv, int level,
37743 void *p, u32 len)
37744 {}
37745 diff -urNp linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-dev.h linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-dev.h
37746 --- linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-dev.h 2011-11-08 19:02:43.000000000 -0500
37747 +++ linux-2.6.32.49/drivers/net/wireless/iwlwifi/iwl-dev.h 2011-11-15 19:59:43.000000000 -0500
37748 @@ -68,7 +68,7 @@ struct iwl_tx_queue;
37749
37750 /* shared structures from iwl-5000.c */
37751 extern struct iwl_mod_params iwl50_mod_params;
37752 -extern struct iwl_ops iwl5000_ops;
37753 +extern const struct iwl_ops iwl5000_ops;
37754 extern struct iwl_ucode_ops iwl5000_ucode;
37755 extern struct iwl_lib_ops iwl5000_lib;
37756 extern struct iwl_hcmd_ops iwl5000_hcmd;
37757 diff -urNp linux-2.6.32.49/drivers/net/wireless/iwmc3200wifi/debugfs.c linux-2.6.32.49/drivers/net/wireless/iwmc3200wifi/debugfs.c
37758 --- linux-2.6.32.49/drivers/net/wireless/iwmc3200wifi/debugfs.c 2011-11-08 19:02:43.000000000 -0500
37759 +++ linux-2.6.32.49/drivers/net/wireless/iwmc3200wifi/debugfs.c 2011-11-15 19:59:43.000000000 -0500
37760 @@ -299,6 +299,8 @@ static ssize_t iwm_debugfs_fw_err_read(s
37761 int buf_len = 512;
37762 size_t len = 0;
37763
37764 + pax_track_stack();
37765 +
37766 if (*ppos != 0)
37767 return 0;
37768 if (count < sizeof(buf))
37769 diff -urNp linux-2.6.32.49/drivers/net/wireless/libertas/debugfs.c linux-2.6.32.49/drivers/net/wireless/libertas/debugfs.c
37770 --- linux-2.6.32.49/drivers/net/wireless/libertas/debugfs.c 2011-11-08 19:02:43.000000000 -0500
37771 +++ linux-2.6.32.49/drivers/net/wireless/libertas/debugfs.c 2011-11-15 19:59:43.000000000 -0500
37772 @@ -708,7 +708,7 @@ out_unlock:
37773 struct lbs_debugfs_files {
37774 const char *name;
37775 int perm;
37776 - struct file_operations fops;
37777 + const struct file_operations fops;
37778 };
37779
37780 static const struct lbs_debugfs_files debugfs_files[] = {
37781 diff -urNp linux-2.6.32.49/drivers/net/wireless/rndis_wlan.c linux-2.6.32.49/drivers/net/wireless/rndis_wlan.c
37782 --- linux-2.6.32.49/drivers/net/wireless/rndis_wlan.c 2011-11-08 19:02:43.000000000 -0500
37783 +++ linux-2.6.32.49/drivers/net/wireless/rndis_wlan.c 2011-11-15 19:59:43.000000000 -0500
37784 @@ -1176,7 +1176,7 @@ static int set_rts_threshold(struct usbn
37785
37786 devdbg(usbdev, "set_rts_threshold %i", rts_threshold);
37787
37788 - if (rts_threshold < 0 || rts_threshold > 2347)
37789 + if (rts_threshold > 2347)
37790 rts_threshold = 2347;
37791
37792 tmp = cpu_to_le32(rts_threshold);
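Review bot: Dropping `rts_threshold < 0` is only safe if the parameter is unsigned, and its declaration is outside the hunk (the signature is truncated in the hunk header). If it is unsigned, the `devdbg` line above still formats it with `%i`, and `devdbg(usbdev, "set_rts_threshold %u", rts_threshold);` would match the type. If it is signed, a negative value now skips the clamp to 2347 and reaches `cpu_to_le32()` unchanged, so the lower bound should stay.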
37793 diff -urNp linux-2.6.32.49/drivers/oprofile/buffer_sync.c linux-2.6.32.49/drivers/oprofile/buffer_sync.c
37794 --- linux-2.6.32.49/drivers/oprofile/buffer_sync.c 2011-11-08 19:02:43.000000000 -0500
37795 +++ linux-2.6.32.49/drivers/oprofile/buffer_sync.c 2011-11-15 19:59:43.000000000 -0500
37796 @@ -341,7 +341,7 @@ static void add_data(struct op_entry *en
37797 if (cookie == NO_COOKIE)
37798 offset = pc;
37799 if (cookie == INVALID_COOKIE) {
37800 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
37801 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
37802 offset = pc;
37803 }
37804 if (cookie != last_cookie) {
37805 @@ -385,14 +385,14 @@ add_sample(struct mm_struct *mm, struct
37806 /* add userspace sample */
37807
37808 if (!mm) {
37809 - atomic_inc(&oprofile_stats.sample_lost_no_mm);
37810 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
37811 return 0;
37812 }
37813
37814 cookie = lookup_dcookie(mm, s->eip, &offset);
37815
37816 if (cookie == INVALID_COOKIE) {
37817 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
37818 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
37819 return 0;
37820 }
37821
37822 @@ -561,7 +561,7 @@ void sync_buffer(int cpu)
37823 /* ignore backtraces if failed to add a sample */
37824 if (state == sb_bt_start) {
37825 state = sb_bt_ignore;
37826 - atomic_inc(&oprofile_stats.bt_lost_no_mapping);
37827 + atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
37828 }
37829 }
37830 release_mm(mm);
37831 diff -urNp linux-2.6.32.49/drivers/oprofile/event_buffer.c linux-2.6.32.49/drivers/oprofile/event_buffer.c
37832 --- linux-2.6.32.49/drivers/oprofile/event_buffer.c 2011-11-08 19:02:43.000000000 -0500
37833 +++ linux-2.6.32.49/drivers/oprofile/event_buffer.c 2011-11-15 19:59:43.000000000 -0500
37834 @@ -53,7 +53,7 @@ void add_event_entry(unsigned long value
37835 }
37836
37837 if (buffer_pos == buffer_size) {
37838 - atomic_inc(&oprofile_stats.event_lost_overflow);
37839 + atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
37840 return;
37841 }
37842
37843 diff -urNp linux-2.6.32.49/drivers/oprofile/oprof.c linux-2.6.32.49/drivers/oprofile/oprof.c
37844 --- linux-2.6.32.49/drivers/oprofile/oprof.c 2011-11-08 19:02:43.000000000 -0500
37845 +++ linux-2.6.32.49/drivers/oprofile/oprof.c 2011-11-15 19:59:43.000000000 -0500
37846 @@ -110,7 +110,7 @@ static void switch_worker(struct work_st
37847 if (oprofile_ops.switch_events())
37848 return;
37849
37850 - atomic_inc(&oprofile_stats.multiplex_counter);
37851 + atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
37852 start_switch_worker();
37853 }
37854
37855 diff -urNp linux-2.6.32.49/drivers/oprofile/oprofilefs.c linux-2.6.32.49/drivers/oprofile/oprofilefs.c
37856 --- linux-2.6.32.49/drivers/oprofile/oprofilefs.c 2011-11-08 19:02:43.000000000 -0500
37857 +++ linux-2.6.32.49/drivers/oprofile/oprofilefs.c 2011-11-15 19:59:43.000000000 -0500
37858 @@ -187,7 +187,7 @@ static const struct file_operations atom
37859
37860
37861 int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
37862 - char const *name, atomic_t *val)
37863 + char const *name, atomic_unchecked_t *val)
37864 {
37865 struct dentry *d = __oprofilefs_create_file(sb, root, name,
37866 &atomic_ro_fops, 0444);
37867 diff -urNp linux-2.6.32.49/drivers/oprofile/oprofile_stats.c linux-2.6.32.49/drivers/oprofile/oprofile_stats.c
37868 --- linux-2.6.32.49/drivers/oprofile/oprofile_stats.c 2011-11-08 19:02:43.000000000 -0500
37869 +++ linux-2.6.32.49/drivers/oprofile/oprofile_stats.c 2011-11-15 19:59:43.000000000 -0500
37870 @@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
37871 cpu_buf->sample_invalid_eip = 0;
37872 }
37873
37874 - atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
37875 - atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
37876 - atomic_set(&oprofile_stats.event_lost_overflow, 0);
37877 - atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
37878 - atomic_set(&oprofile_stats.multiplex_counter, 0);
37879 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
37880 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
37881 + atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
37882 + atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
37883 + atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
37884 }
37885
37886
37887 diff -urNp linux-2.6.32.49/drivers/oprofile/oprofile_stats.h linux-2.6.32.49/drivers/oprofile/oprofile_stats.h
37888 --- linux-2.6.32.49/drivers/oprofile/oprofile_stats.h 2011-11-08 19:02:43.000000000 -0500
37889 +++ linux-2.6.32.49/drivers/oprofile/oprofile_stats.h 2011-11-15 19:59:43.000000000 -0500
37890 @@ -13,11 +13,11 @@
37891 #include <asm/atomic.h>
37892
37893 struct oprofile_stat_struct {
37894 - atomic_t sample_lost_no_mm;
37895 - atomic_t sample_lost_no_mapping;
37896 - atomic_t bt_lost_no_mapping;
37897 - atomic_t event_lost_overflow;
37898 - atomic_t multiplex_counter;
37899 + atomic_unchecked_t sample_lost_no_mm;
37900 + atomic_unchecked_t sample_lost_no_mapping;
37901 + atomic_unchecked_t bt_lost_no_mapping;
37902 + atomic_unchecked_t event_lost_overflow;
37903 + atomic_unchecked_t multiplex_counter;
37904 };
37905
37906 extern struct oprofile_stat_struct oprofile_stats;
37907 diff -urNp linux-2.6.32.49/drivers/parisc/pdc_stable.c linux-2.6.32.49/drivers/parisc/pdc_stable.c
37908 --- linux-2.6.32.49/drivers/parisc/pdc_stable.c 2011-11-08 19:02:43.000000000 -0500
37909 +++ linux-2.6.32.49/drivers/parisc/pdc_stable.c 2011-11-15 19:59:43.000000000 -0500
37910 @@ -481,7 +481,7 @@ pdcspath_attr_store(struct kobject *kobj
37911 return ret;
37912 }
37913
37914 -static struct sysfs_ops pdcspath_attr_ops = {
37915 +static const struct sysfs_ops pdcspath_attr_ops = {
37916 .show = pdcspath_attr_show,
37917 .store = pdcspath_attr_store,
37918 };
37919 diff -urNp linux-2.6.32.49/drivers/parport/procfs.c linux-2.6.32.49/drivers/parport/procfs.c
37920 --- linux-2.6.32.49/drivers/parport/procfs.c 2011-11-08 19:02:43.000000000 -0500
37921 +++ linux-2.6.32.49/drivers/parport/procfs.c 2011-11-15 19:59:43.000000000 -0500
37922 @@ -64,7 +64,7 @@ static int do_active_device(ctl_table *t
37923
37924 *ppos += len;
37925
37926 - return copy_to_user(result, buffer, len) ? -EFAULT : 0;
37927 + return (len > sizeof buffer || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
37928 }
37929
37930 #ifdef CONFIG_PARPORT_1284
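Review bot: The new `len > sizeof buffer` test in do_active_device runs after `*ppos += len`, so a call rejected with -EFAULT has still advanced the file position. The size test belongs before that update, e.g. `if (len > sizeof buffer) return -EFAULT;` ahead of `*ppos += len;`. The test also bounds only the copy-out to userspace: whatever fills `buffer` and computes `len` is above the hunk, so an oversized write into the array would not be caught here. The do_autoprobe hunk below has the same ordering, and both functions start outside their hunks.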
37931 @@ -106,7 +106,7 @@ static int do_autoprobe(ctl_table *table
37932
37933 *ppos += len;
37934
37935 - return copy_to_user (result, buffer, len) ? -EFAULT : 0;
37936 + return (len > sizeof buffer || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
37937 }
37938 #endif /* IEEE1284.3 support. */
37939
37940 diff -urNp linux-2.6.32.49/drivers/pci/hotplug/acpiphp_glue.c linux-2.6.32.49/drivers/pci/hotplug/acpiphp_glue.c
37941 --- linux-2.6.32.49/drivers/pci/hotplug/acpiphp_glue.c 2011-11-08 19:02:43.000000000 -0500
37942 +++ linux-2.6.32.49/drivers/pci/hotplug/acpiphp_glue.c 2011-11-15 19:59:43.000000000 -0500
37943 @@ -111,7 +111,7 @@ static int post_dock_fixups(struct notif
37944 }
37945
37946
37947 -static struct acpi_dock_ops acpiphp_dock_ops = {
37948 +static const struct acpi_dock_ops acpiphp_dock_ops = {
37949 .handler = handle_hotplug_event_func,
37950 };
37951
37952 diff -urNp linux-2.6.32.49/drivers/pci/hotplug/cpci_hotplug.h linux-2.6.32.49/drivers/pci/hotplug/cpci_hotplug.h
37953 --- linux-2.6.32.49/drivers/pci/hotplug/cpci_hotplug.h 2011-11-08 19:02:43.000000000 -0500
37954 +++ linux-2.6.32.49/drivers/pci/hotplug/cpci_hotplug.h 2011-11-15 19:59:43.000000000 -0500
37955 @@ -59,7 +59,7 @@ struct cpci_hp_controller_ops {
37956 int (*hardware_test) (struct slot* slot, u32 value);
37957 u8 (*get_power) (struct slot* slot);
37958 int (*set_power) (struct slot* slot, int value);
37959 -};
37960 +} __no_const;
37961
37962 struct cpci_hp_controller {
37963 unsigned int irq;
37964 diff -urNp linux-2.6.32.49/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.32.49/drivers/pci/hotplug/cpqphp_nvram.c
37965 --- linux-2.6.32.49/drivers/pci/hotplug/cpqphp_nvram.c 2011-11-08 19:02:43.000000000 -0500
37966 +++ linux-2.6.32.49/drivers/pci/hotplug/cpqphp_nvram.c 2011-11-15 19:59:43.000000000 -0500
37967 @@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_
37968
37969 void compaq_nvram_init (void __iomem *rom_start)
37970 {
37971 +
37972 +#ifndef CONFIG_PAX_KERNEXEC
37973 if (rom_start) {
37974 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
37975 }
37976 +#endif
37977 +
37978 dbg("int15 entry = %p\n", compaq_int15_entry_point);
37979
37980 /* initialize our int15 lock */
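Review bot: With CONFIG_PAX_KERNEXEC set, compaq_nvram_init no longer assigns `compaq_int15_entry_point`, yet the `dbg()` line and the rest of the initialisation still run, and nothing here says why the assignment is compiled out. Whether later users of the entry point tolerate it being unset is not visible in this hunk, so that should be confirmed, or the function should return early under that option. At minimum, a comment above the `#ifndef` should state why the ROM entry point is left unset under KERNEXEC, and the stray blank line after the opening brace should go.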
37981 diff -urNp linux-2.6.32.49/drivers/pci/hotplug/fakephp.c linux-2.6.32.49/drivers/pci/hotplug/fakephp.c
37982 --- linux-2.6.32.49/drivers/pci/hotplug/fakephp.c 2011-11-08 19:02:43.000000000 -0500
37983 +++ linux-2.6.32.49/drivers/pci/hotplug/fakephp.c 2011-11-15 19:59:43.000000000 -0500
37984 @@ -73,7 +73,7 @@ static void legacy_release(struct kobjec
37985 }
37986
37987 static struct kobj_type legacy_ktype = {
37988 - .sysfs_ops = &(struct sysfs_ops){
37989 + .sysfs_ops = &(const struct sysfs_ops){
37990 .store = legacy_store, .show = legacy_show
37991 },
37992 .release = &legacy_release,
37993 diff -urNp linux-2.6.32.49/drivers/pci/intel-iommu.c linux-2.6.32.49/drivers/pci/intel-iommu.c
37994 --- linux-2.6.32.49/drivers/pci/intel-iommu.c 2011-11-08 19:02:43.000000000 -0500
37995 +++ linux-2.6.32.49/drivers/pci/intel-iommu.c 2011-11-15 19:59:43.000000000 -0500
37996 @@ -2643,7 +2643,7 @@ error:
37997 return 0;
37998 }
37999
38000 -static dma_addr_t intel_map_page(struct device *dev, struct page *page,
38001 +dma_addr_t intel_map_page(struct device *dev, struct page *page,
38002 unsigned long offset, size_t size,
38003 enum dma_data_direction dir,
38004 struct dma_attrs *attrs)
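Review bot: Removing `static` from intel_map_page gives it external linkage, but no prototype is added in this file's hunks, so the declaration that other translation units would rely on is not visible here. If these functions are now called from elsewhere, their prototypes should live in one shared header that intel-iommu.c also includes, so the compiler can check each definition against its declaration. The same applies to intel_unmap_page, intel_alloc_coherent, intel_free_coherent, intel_unmap_sg, intel_map_sg and intel_mapping_error in the hunks below. The last hunk also makes `intel_dma_ops` const, which requires any existing `extern` declaration of it to be const-qualified as well.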
38005 @@ -2719,7 +2719,7 @@ static void add_unmap(struct dmar_domain
38006 spin_unlock_irqrestore(&async_umap_flush_lock, flags);
38007 }
38008
38009 -static void intel_unmap_page(struct device *dev, dma_addr_t dev_addr,
38010 +void intel_unmap_page(struct device *dev, dma_addr_t dev_addr,
38011 size_t size, enum dma_data_direction dir,
38012 struct dma_attrs *attrs)
38013 {
38014 @@ -2768,7 +2768,7 @@ static void intel_unmap_page(struct devi
38015 }
38016 }
38017
38018 -static void *intel_alloc_coherent(struct device *hwdev, size_t size,
38019 +void *intel_alloc_coherent(struct device *hwdev, size_t size,
38020 dma_addr_t *dma_handle, gfp_t flags)
38021 {
38022 void *vaddr;
38023 @@ -2800,7 +2800,7 @@ static void *intel_alloc_coherent(struct
38024 return NULL;
38025 }
38026
38027 -static void intel_free_coherent(struct device *hwdev, size_t size, void *vaddr,
38028 +void intel_free_coherent(struct device *hwdev, size_t size, void *vaddr,
38029 dma_addr_t dma_handle)
38030 {
38031 int order;
38032 @@ -2812,7 +2812,7 @@ static void intel_free_coherent(struct d
38033 free_pages((unsigned long)vaddr, order);
38034 }
38035
38036 -static void intel_unmap_sg(struct device *hwdev, struct scatterlist *sglist,
38037 +void intel_unmap_sg(struct device *hwdev, struct scatterlist *sglist,
38038 int nelems, enum dma_data_direction dir,
38039 struct dma_attrs *attrs)
38040 {
38041 @@ -2872,7 +2872,7 @@ static int intel_nontranslate_map_sg(str
38042 return nelems;
38043 }
38044
38045 -static int intel_map_sg(struct device *hwdev, struct scatterlist *sglist, int nelems,
38046 +int intel_map_sg(struct device *hwdev, struct scatterlist *sglist, int nelems,
38047 enum dma_data_direction dir, struct dma_attrs *attrs)
38048 {
38049 int i;
38050 @@ -2941,12 +2941,12 @@ static int intel_map_sg(struct device *h
38051 return nelems;
38052 }
38053
38054 -static int intel_mapping_error(struct device *dev, dma_addr_t dma_addr)
38055 +int intel_mapping_error(struct device *dev, dma_addr_t dma_addr)
38056 {
38057 return !dma_addr;
38058 }
38059
38060 -struct dma_map_ops intel_dma_ops = {
38061 +const struct dma_map_ops intel_dma_ops = {
38062 .alloc_coherent = intel_alloc_coherent,
38063 .free_coherent = intel_free_coherent,
38064 .map_sg = intel_map_sg,
38065 diff -urNp linux-2.6.32.49/drivers/pci/pcie/aspm.c linux-2.6.32.49/drivers/pci/pcie/aspm.c
38066 --- linux-2.6.32.49/drivers/pci/pcie/aspm.c 2011-11-08 19:02:43.000000000 -0500
38067 +++ linux-2.6.32.49/drivers/pci/pcie/aspm.c 2011-11-15 19:59:43.000000000 -0500
38068 @@ -27,9 +27,9 @@
38069 #define MODULE_PARAM_PREFIX "pcie_aspm."
38070
38071 /* Note: those are not register definitions */
38072 -#define ASPM_STATE_L0S_UP (1) /* Upstream direction L0s state */
38073 -#define ASPM_STATE_L0S_DW (2) /* Downstream direction L0s state */
38074 -#define ASPM_STATE_L1 (4) /* L1 state */
38075 +#define ASPM_STATE_L0S_UP (1U) /* Upstream direction L0s state */
38076 +#define ASPM_STATE_L0S_DW (2U) /* Downstream direction L0s state */
38077 +#define ASPM_STATE_L1 (4U) /* L1 state */
38078 #define ASPM_STATE_L0S (ASPM_STATE_L0S_UP | ASPM_STATE_L0S_DW)
38079 #define ASPM_STATE_ALL (ASPM_STATE_L0S | ASPM_STATE_L1)
38080
38081 diff -urNp linux-2.6.32.49/drivers/pci/probe.c linux-2.6.32.49/drivers/pci/probe.c
38082 --- linux-2.6.32.49/drivers/pci/probe.c 2011-11-08 19:02:43.000000000 -0500
38083 +++ linux-2.6.32.49/drivers/pci/probe.c 2011-11-15 19:59:43.000000000 -0500
38084 @@ -62,14 +62,14 @@ static ssize_t pci_bus_show_cpuaffinity(
38085 return ret;
38086 }
38087
38088 -static ssize_t inline pci_bus_show_cpumaskaffinity(struct device *dev,
38089 +static inline ssize_t pci_bus_show_cpumaskaffinity(struct device *dev,
38090 struct device_attribute *attr,
38091 char *buf)
38092 {
38093 return pci_bus_show_cpuaffinity(dev, 0, attr, buf);
38094 }
38095
38096 -static ssize_t inline pci_bus_show_cpulistaffinity(struct device *dev,
38097 +static inline ssize_t pci_bus_show_cpulistaffinity(struct device *dev,
38098 struct device_attribute *attr,
38099 char *buf)
38100 {
38101 diff -urNp linux-2.6.32.49/drivers/pci/proc.c linux-2.6.32.49/drivers/pci/proc.c
38102 --- linux-2.6.32.49/drivers/pci/proc.c 2011-11-08 19:02:43.000000000 -0500
38103 +++ linux-2.6.32.49/drivers/pci/proc.c 2011-11-15 19:59:43.000000000 -0500
38104 @@ -480,7 +480,16 @@ static const struct file_operations proc
38105 static int __init pci_proc_init(void)
38106 {
38107 struct pci_dev *dev = NULL;
38108 +
38109 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
38110 +#ifdef CONFIG_GRKERNSEC_PROC_USER
38111 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
38112 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
38113 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
38114 +#endif
38115 +#else
38116 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
38117 +#endif
38118 proc_create("devices", 0, proc_bus_pci_dir,
38119 &proc_bus_pci_dev_operations);
38120 proc_initialized = 1;
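Review bot: When CONFIG_GRKERNSEC_PROC_ADD is set but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP is, the inner `#ifdef`/`#elif` chain in pci_proc_init assigns nothing to `proc_bus_pci_dir`. The following `proc_create("devices", 0, proc_bus_pci_dir, ...)` then runs with whatever the variable held before. Kconfig dependencies may rule that combination out, but the code does not show it; an inner fallback, `#else` followed by `proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);`, makes the function safe on its own. The result of the mkdir call is also not checked before use in any branch. pci_proc_init continues past the end of the hunk.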
38121 diff -urNp linux-2.6.32.49/drivers/pci/slot.c linux-2.6.32.49/drivers/pci/slot.c
38122 --- linux-2.6.32.49/drivers/pci/slot.c 2011-11-08 19:02:43.000000000 -0500
38123 +++ linux-2.6.32.49/drivers/pci/slot.c 2011-11-15 19:59:43.000000000 -0500
38124 @@ -29,7 +29,7 @@ static ssize_t pci_slot_attr_store(struc
38125 return attribute->store ? attribute->store(slot, buf, len) : -EIO;
38126 }
38127
38128 -static struct sysfs_ops pci_slot_sysfs_ops = {
38129 +static const struct sysfs_ops pci_slot_sysfs_ops = {
38130 .show = pci_slot_attr_show,
38131 .store = pci_slot_attr_store,
38132 };
38133 diff -urNp linux-2.6.32.49/drivers/pcmcia/pcmcia_ioctl.c linux-2.6.32.49/drivers/pcmcia/pcmcia_ioctl.c
38134 --- linux-2.6.32.49/drivers/pcmcia/pcmcia_ioctl.c 2011-11-08 19:02:43.000000000 -0500
38135 +++ linux-2.6.32.49/drivers/pcmcia/pcmcia_ioctl.c 2011-11-15 19:59:43.000000000 -0500
38136 @@ -819,7 +819,7 @@ static int ds_ioctl(struct inode * inode
38137 return -EFAULT;
38138 }
38139 }
38140 - buf = kmalloc(sizeof(ds_ioctl_arg_t), GFP_KERNEL);
38141 + buf = kzalloc(sizeof(ds_ioctl_arg_t), GFP_KERNEL);
38142 if (!buf)
38143 return -ENOMEM;
38144
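Review bot: The switch to `kzalloc` in ds_ioctl carries no comment, so its purpose is easy to undo in a later cleanup. Presumably `buf` is later copied back to userspace (outside this hunk) and must not carry stale heap contents in fields the handler does not fill. Once the copy-out is confirmed, I would add `/* zeroed: buf is copied to userspace, unfilled bytes must not leak heap data */` above the allocation.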
38145 diff -urNp linux-2.6.32.49/drivers/platform/x86/acer-wmi.c linux-2.6.32.49/drivers/platform/x86/acer-wmi.c
38146 --- linux-2.6.32.49/drivers/platform/x86/acer-wmi.c 2011-11-08 19:02:43.000000000 -0500
38147 +++ linux-2.6.32.49/drivers/platform/x86/acer-wmi.c 2011-11-15 19:59:43.000000000 -0500
38148 @@ -918,7 +918,7 @@ static int update_bl_status(struct backl
38149 return 0;
38150 }
38151
38152 -static struct backlight_ops acer_bl_ops = {
38153 +static const struct backlight_ops acer_bl_ops = {
38154 .get_brightness = read_brightness,
38155 .update_status = update_bl_status,
38156 };
38157 diff -urNp linux-2.6.32.49/drivers/platform/x86/asus_acpi.c linux-2.6.32.49/drivers/platform/x86/asus_acpi.c
38158 --- linux-2.6.32.49/drivers/platform/x86/asus_acpi.c 2011-11-08 19:02:43.000000000 -0500
38159 +++ linux-2.6.32.49/drivers/platform/x86/asus_acpi.c 2011-11-15 19:59:43.000000000 -0500
38160 @@ -1396,7 +1396,7 @@ static int asus_hotk_remove(struct acpi_
38161 return 0;
38162 }
38163
38164 -static struct backlight_ops asus_backlight_data = {
38165 +static const struct backlight_ops asus_backlight_data = {
38166 .get_brightness = read_brightness,
38167 .update_status = set_brightness_status,
38168 };
38169 diff -urNp linux-2.6.32.49/drivers/platform/x86/asus-laptop.c linux-2.6.32.49/drivers/platform/x86/asus-laptop.c
38170 --- linux-2.6.32.49/drivers/platform/x86/asus-laptop.c 2011-11-08 19:02:43.000000000 -0500
38171 +++ linux-2.6.32.49/drivers/platform/x86/asus-laptop.c 2011-11-15 19:59:43.000000000 -0500
38172 @@ -250,7 +250,7 @@ static struct backlight_device *asus_bac
38173 */
38174 static int read_brightness(struct backlight_device *bd);
38175 static int update_bl_status(struct backlight_device *bd);
38176 -static struct backlight_ops asusbl_ops = {
38177 +static const struct backlight_ops asusbl_ops = {
38178 .get_brightness = read_brightness,
38179 .update_status = update_bl_status,
38180 };
38181 diff -urNp linux-2.6.32.49/drivers/platform/x86/compal-laptop.c linux-2.6.32.49/drivers/platform/x86/compal-laptop.c
38182 --- linux-2.6.32.49/drivers/platform/x86/compal-laptop.c 2011-11-08 19:02:43.000000000 -0500
38183 +++ linux-2.6.32.49/drivers/platform/x86/compal-laptop.c 2011-11-15 19:59:43.000000000 -0500
38184 @@ -163,7 +163,7 @@ static int bl_update_status(struct backl
38185 return set_lcd_level(b->props.brightness);
38186 }
38187
38188 -static struct backlight_ops compalbl_ops = {
38189 +static const struct backlight_ops compalbl_ops = {
38190 .get_brightness = bl_get_brightness,
38191 .update_status = bl_update_status,
38192 };
38193 diff -urNp linux-2.6.32.49/drivers/platform/x86/dell-laptop.c linux-2.6.32.49/drivers/platform/x86/dell-laptop.c
38194 --- linux-2.6.32.49/drivers/platform/x86/dell-laptop.c 2011-11-08 19:02:43.000000000 -0500
38195 +++ linux-2.6.32.49/drivers/platform/x86/dell-laptop.c 2011-11-15 19:59:43.000000000 -0500
38196 @@ -318,7 +318,7 @@ static int dell_get_intensity(struct bac
38197 return buffer.output[1];
38198 }
38199
38200 -static struct backlight_ops dell_ops = {
38201 +static const struct backlight_ops dell_ops = {
38202 .get_brightness = dell_get_intensity,
38203 .update_status = dell_send_intensity,
38204 };
38205 diff -urNp linux-2.6.32.49/drivers/platform/x86/eeepc-laptop.c linux-2.6.32.49/drivers/platform/x86/eeepc-laptop.c
38206 --- linux-2.6.32.49/drivers/platform/x86/eeepc-laptop.c 2011-11-08 19:02:43.000000000 -0500
38207 +++ linux-2.6.32.49/drivers/platform/x86/eeepc-laptop.c 2011-11-15 19:59:43.000000000 -0500
38208 @@ -245,7 +245,7 @@ static struct device *eeepc_hwmon_device
38209 */
38210 static int read_brightness(struct backlight_device *bd);
38211 static int update_bl_status(struct backlight_device *bd);
38212 -static struct backlight_ops eeepcbl_ops = {
38213 +static const struct backlight_ops eeepcbl_ops = {
38214 .get_brightness = read_brightness,
38215 .update_status = update_bl_status,
38216 };
38217 diff -urNp linux-2.6.32.49/drivers/platform/x86/fujitsu-laptop.c linux-2.6.32.49/drivers/platform/x86/fujitsu-laptop.c
38218 --- linux-2.6.32.49/drivers/platform/x86/fujitsu-laptop.c 2011-11-08 19:02:43.000000000 -0500
38219 +++ linux-2.6.32.49/drivers/platform/x86/fujitsu-laptop.c 2011-11-15 19:59:43.000000000 -0500
38220 @@ -436,7 +436,7 @@ static int bl_update_status(struct backl
38221 return ret;
38222 }
38223
38224 -static struct backlight_ops fujitsubl_ops = {
38225 +static const struct backlight_ops fujitsubl_ops = {
38226 .get_brightness = bl_get_brightness,
38227 .update_status = bl_update_status,
38228 };
38229 diff -urNp linux-2.6.32.49/drivers/platform/x86/msi-laptop.c linux-2.6.32.49/drivers/platform/x86/msi-laptop.c
38230 --- linux-2.6.32.49/drivers/platform/x86/msi-laptop.c 2011-11-08 19:02:43.000000000 -0500
38231 +++ linux-2.6.32.49/drivers/platform/x86/msi-laptop.c 2011-11-15 19:59:43.000000000 -0500
38232 @@ -161,7 +161,7 @@ static int bl_update_status(struct backl
38233 return set_lcd_level(b->props.brightness);
38234 }
38235
38236 -static struct backlight_ops msibl_ops = {
38237 +static const struct backlight_ops msibl_ops = {
38238 .get_brightness = bl_get_brightness,
38239 .update_status = bl_update_status,
38240 };
38241 diff -urNp linux-2.6.32.49/drivers/platform/x86/panasonic-laptop.c linux-2.6.32.49/drivers/platform/x86/panasonic-laptop.c
38242 --- linux-2.6.32.49/drivers/platform/x86/panasonic-laptop.c 2011-11-08 19:02:43.000000000 -0500
38243 +++ linux-2.6.32.49/drivers/platform/x86/panasonic-laptop.c 2011-11-15 19:59:43.000000000 -0500
38244 @@ -352,7 +352,7 @@ static int bl_set_status(struct backligh
38245 return acpi_pcc_write_sset(pcc, SINF_DC_CUR_BRIGHT, bright);
38246 }
38247
38248 -static struct backlight_ops pcc_backlight_ops = {
38249 +static const struct backlight_ops pcc_backlight_ops = {
38250 .get_brightness = bl_get,
38251 .update_status = bl_set_status,
38252 };
38253 diff -urNp linux-2.6.32.49/drivers/platform/x86/sony-laptop.c linux-2.6.32.49/drivers/platform/x86/sony-laptop.c
38254 --- linux-2.6.32.49/drivers/platform/x86/sony-laptop.c 2011-11-08 19:02:43.000000000 -0500
38255 +++ linux-2.6.32.49/drivers/platform/x86/sony-laptop.c 2011-11-15 19:59:43.000000000 -0500
38256 @@ -850,7 +850,7 @@ static int sony_backlight_get_brightness
38257 }
38258
38259 static struct backlight_device *sony_backlight_device;
38260 -static struct backlight_ops sony_backlight_ops = {
38261 +static const struct backlight_ops sony_backlight_ops = {
38262 .update_status = sony_backlight_update_status,
38263 .get_brightness = sony_backlight_get_brightness,
38264 };
38265 diff -urNp linux-2.6.32.49/drivers/platform/x86/thinkpad_acpi.c linux-2.6.32.49/drivers/platform/x86/thinkpad_acpi.c
38266 --- linux-2.6.32.49/drivers/platform/x86/thinkpad_acpi.c 2011-11-08 19:02:43.000000000 -0500
38267 +++ linux-2.6.32.49/drivers/platform/x86/thinkpad_acpi.c 2011-11-15 19:59:43.000000000 -0500
38268 @@ -2139,7 +2139,7 @@ static int hotkey_mask_get(void)
38269 return 0;
38270 }
38271
38272 -void static hotkey_mask_warn_incomplete_mask(void)
38273 +static void hotkey_mask_warn_incomplete_mask(void)
38274 {
38275 /* log only what the user can fix... */
38276 const u32 wantedmask = hotkey_driver_mask &
38277 @@ -6125,7 +6125,7 @@ static void tpacpi_brightness_notify_cha
38278 BACKLIGHT_UPDATE_HOTKEY);
38279 }
38280
38281 -static struct backlight_ops ibm_backlight_data = {
38282 +static const struct backlight_ops ibm_backlight_data = {
38283 .get_brightness = brightness_get,
38284 .update_status = brightness_update_status,
38285 };
38286 diff -urNp linux-2.6.32.49/drivers/platform/x86/toshiba_acpi.c linux-2.6.32.49/drivers/platform/x86/toshiba_acpi.c
38287 --- linux-2.6.32.49/drivers/platform/x86/toshiba_acpi.c 2011-11-08 19:02:43.000000000 -0500
38288 +++ linux-2.6.32.49/drivers/platform/x86/toshiba_acpi.c 2011-11-15 19:59:43.000000000 -0500
38289 @@ -671,7 +671,7 @@ static acpi_status remove_device(void)
38290 return AE_OK;
38291 }
38292
38293 -static struct backlight_ops toshiba_backlight_data = {
38294 +static const struct backlight_ops toshiba_backlight_data = {
38295 .get_brightness = get_lcd,
38296 .update_status = set_lcd_status,
38297 };
38298 diff -urNp linux-2.6.32.49/drivers/pnp/pnpbios/bioscalls.c linux-2.6.32.49/drivers/pnp/pnpbios/bioscalls.c
38299 --- linux-2.6.32.49/drivers/pnp/pnpbios/bioscalls.c 2011-11-08 19:02:43.000000000 -0500
38300 +++ linux-2.6.32.49/drivers/pnp/pnpbios/bioscalls.c 2011-11-15 19:59:43.000000000 -0500
38301 @@ -60,7 +60,7 @@ do { \
38302 set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
38303 } while(0)
38304
38305 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
38306 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
38307 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
38308
38309 /*
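Review bot: The flags word of `bad_bios_desc` changes from `0x4092` to `0x4093` with no explanation next to the magic number. The extra low bit is the descriptor's accessed bit; presumably it is pre-set so the CPU never has to write it back into a GDT that is otherwise kept read-only. That would also explain why the later hunks in call_pnp_bios and pnpbios_calls_init bracket their GDT stores with `pax_open_kernel()`/`pax_close_kernel()`. A comment such as `/* accessed bit pre-set: the CPU must not write to the descriptor */` above the initialiser would keep the value from being "corrected" back.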
38310 @@ -97,7 +97,10 @@ static inline u16 call_pnp_bios(u16 func
38311
38312 cpu = get_cpu();
38313 save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
38314 +
38315 + pax_open_kernel();
38316 get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
38317 + pax_close_kernel();
38318
38319 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
38320 spin_lock_irqsave(&pnp_bios_lock, flags);
38321 @@ -135,7 +138,10 @@ static inline u16 call_pnp_bios(u16 func
38322 :"memory");
38323 spin_unlock_irqrestore(&pnp_bios_lock, flags);
38324
38325 + pax_open_kernel();
38326 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
38327 + pax_close_kernel();
38328 +
38329 put_cpu();
38330
38331 /* If we get here and this is set then the PnP BIOS faulted on us. */
38332 @@ -469,7 +475,7 @@ int pnp_bios_read_escd(char *data, u32 n
38333 return status;
38334 }
38335
38336 -void pnpbios_calls_init(union pnp_bios_install_struct *header)
38337 +void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
38338 {
38339 int i;
38340
38341 @@ -477,6 +483,8 @@ void pnpbios_calls_init(union pnp_bios_i
38342 pnp_bios_callpoint.offset = header->fields.pm16offset;
38343 pnp_bios_callpoint.segment = PNP_CS16;
38344
38345 + pax_open_kernel();
38346 +
38347 for_each_possible_cpu(i) {
38348 struct desc_struct *gdt = get_cpu_gdt_table(i);
38349 if (!gdt)
38350 @@ -488,4 +496,6 @@ void pnpbios_calls_init(union pnp_bios_i
38351 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
38352 (unsigned long)__va(header->fields.pm16dseg));
38353 }
38354 +
38355 + pax_close_kernel();
38356 }
38357 diff -urNp linux-2.6.32.49/drivers/pnp/resource.c linux-2.6.32.49/drivers/pnp/resource.c
38358 --- linux-2.6.32.49/drivers/pnp/resource.c 2011-11-08 19:02:43.000000000 -0500
38359 +++ linux-2.6.32.49/drivers/pnp/resource.c 2011-11-15 19:59:43.000000000 -0500
38360 @@ -355,7 +355,7 @@ int pnp_check_irq(struct pnp_dev *dev, s
38361 return 1;
38362
38363 /* check if the resource is valid */
38364 - if (*irq < 0 || *irq > 15)
38365 + if (*irq > 15)
38366 return 0;
38367
38368 /* check if the resource is reserved */
38369 @@ -419,7 +419,7 @@ int pnp_check_dma(struct pnp_dev *dev, s
38370 return 1;
38371
38372 /* check if the resource is valid */
38373 - if (*dma < 0 || *dma == 4 || *dma > 7)
38374 + if (*dma == 4 || *dma > 7)
38375 return 0;
38376
38377 /* check if the resource is reserved */
38378 diff -urNp linux-2.6.32.49/drivers/power/bq27x00_battery.c linux-2.6.32.49/drivers/power/bq27x00_battery.c
38379 --- linux-2.6.32.49/drivers/power/bq27x00_battery.c 2011-11-08 19:02:43.000000000 -0500
38380 +++ linux-2.6.32.49/drivers/power/bq27x00_battery.c 2011-11-15 19:59:43.000000000 -0500
38381 @@ -44,7 +44,7 @@ struct bq27x00_device_info;
38382 struct bq27x00_access_methods {
38383 int (*read)(u8 reg, int *rt_value, int b_single,
38384 struct bq27x00_device_info *di);
38385 -};
38386 +} __no_const;
38387
38388 struct bq27x00_device_info {
38389 struct device *dev;
38390 diff -urNp linux-2.6.32.49/drivers/rtc/rtc-dev.c linux-2.6.32.49/drivers/rtc/rtc-dev.c
38391 --- linux-2.6.32.49/drivers/rtc/rtc-dev.c 2011-11-08 19:02:43.000000000 -0500
38392 +++ linux-2.6.32.49/drivers/rtc/rtc-dev.c 2011-11-15 19:59:43.000000000 -0500
38393 @@ -14,6 +14,7 @@
38394 #include <linux/module.h>
38395 #include <linux/rtc.h>
38396 #include <linux/sched.h>
38397 +#include <linux/grsecurity.h>
38398 #include "rtc-core.h"
38399
38400 static dev_t rtc_devt;
38401 @@ -357,6 +358,8 @@ static long rtc_dev_ioctl(struct file *f
38402 if (copy_from_user(&tm, uarg, sizeof(tm)))
38403 return -EFAULT;
38404
38405 + gr_log_timechange();
38406 +
38407 return rtc_set_time(rtc, &tm);
38408
38409 case RTC_PIE_ON:
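Review bot: `gr_log_timechange()` in the RTC_SET_TIME path of rtc_dev_ioctl is called before `rtc_set_time()`, so the log records a time change even when the set fails. If the intent is to audit successful changes, capture the result first: `err = rtc_set_time(rtc, &tm); if (!err) gr_log_timechange(); return err;`, using whatever status variable the function already has, since its declarations are outside the hunk. If attempts are meant to be logged, a one-line comment saying so would remove the ambiguity.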
38410 diff -urNp linux-2.6.32.49/drivers/s390/cio/qdio_perf.c linux-2.6.32.49/drivers/s390/cio/qdio_perf.c
38411 --- linux-2.6.32.49/drivers/s390/cio/qdio_perf.c 2011-11-08 19:02:43.000000000 -0500
38412 +++ linux-2.6.32.49/drivers/s390/cio/qdio_perf.c 2011-11-15 19:59:43.000000000 -0500
38413 @@ -31,51 +31,51 @@ static struct proc_dir_entry *qdio_perf_
38414 static int qdio_perf_proc_show(struct seq_file *m, void *v)
38415 {
38416 seq_printf(m, "Number of qdio interrupts\t\t\t: %li\n",
38417 - (long)atomic_long_read(&perf_stats.qdio_int));
38418 + (long)atomic_long_read_unchecked(&perf_stats.qdio_int));
38419 seq_printf(m, "Number of PCI interrupts\t\t\t: %li\n",
38420 - (long)atomic_long_read(&perf_stats.pci_int));
38421 + (long)atomic_long_read_unchecked(&perf_stats.pci_int));
38422 seq_printf(m, "Number of adapter interrupts\t\t\t: %li\n",
38423 - (long)atomic_long_read(&perf_stats.thin_int));
38424 + (long)atomic_long_read_unchecked(&perf_stats.thin_int));
38425 seq_printf(m, "\n");
38426 seq_printf(m, "Inbound tasklet runs\t\t\t\t: %li\n",
38427 - (long)atomic_long_read(&perf_stats.tasklet_inbound));
38428 + (long)atomic_long_read_unchecked(&perf_stats.tasklet_inbound));
38429 seq_printf(m, "Outbound tasklet runs\t\t\t\t: %li\n",
38430 - (long)atomic_long_read(&perf_stats.tasklet_outbound));
38431 + (long)atomic_long_read_unchecked(&perf_stats.tasklet_outbound));
38432 seq_printf(m, "Adapter interrupt tasklet runs/loops\t\t: %li/%li\n",
38433 - (long)atomic_long_read(&perf_stats.tasklet_thinint),
38434 - (long)atomic_long_read(&perf_stats.tasklet_thinint_loop));
38435 + (long)atomic_long_read_unchecked(&perf_stats.tasklet_thinint),
38436 + (long)atomic_long_read_unchecked(&perf_stats.tasklet_thinint_loop));
38437 seq_printf(m, "Adapter interrupt inbound tasklet runs/loops\t: %li/%li\n",
38438 - (long)atomic_long_read(&perf_stats.thinint_inbound),
38439 - (long)atomic_long_read(&perf_stats.thinint_inbound_loop));
38440 + (long)atomic_long_read_unchecked(&perf_stats.thinint_inbound),
38441 + (long)atomic_long_read_unchecked(&perf_stats.thinint_inbound_loop));
38442 seq_printf(m, "\n");
38443 seq_printf(m, "Number of SIGA In issued\t\t\t: %li\n",
38444 - (long)atomic_long_read(&perf_stats.siga_in));
38445 + (long)atomic_long_read_unchecked(&perf_stats.siga_in));
38446 seq_printf(m, "Number of SIGA Out issued\t\t\t: %li\n",
38447 - (long)atomic_long_read(&perf_stats.siga_out));
38448 + (long)atomic_long_read_unchecked(&perf_stats.siga_out));
38449 seq_printf(m, "Number of SIGA Sync issued\t\t\t: %li\n",
38450 - (long)atomic_long_read(&perf_stats.siga_sync));
38451 + (long)atomic_long_read_unchecked(&perf_stats.siga_sync));
38452 seq_printf(m, "\n");
38453 seq_printf(m, "Number of inbound transfers\t\t\t: %li\n",
38454 - (long)atomic_long_read(&perf_stats.inbound_handler));
38455 + (long)atomic_long_read_unchecked(&perf_stats.inbound_handler));
38456 seq_printf(m, "Number of outbound transfers\t\t\t: %li\n",
38457 - (long)atomic_long_read(&perf_stats.outbound_handler));
38458 + (long)atomic_long_read_unchecked(&perf_stats.outbound_handler));
38459 seq_printf(m, "\n");
38460 seq_printf(m, "Number of fast requeues (outg. SBAL w/o SIGA)\t: %li\n",
38461 - (long)atomic_long_read(&perf_stats.fast_requeue));
38462 + (long)atomic_long_read_unchecked(&perf_stats.fast_requeue));
38463 seq_printf(m, "Number of outbound target full condition\t: %li\n",
38464 - (long)atomic_long_read(&perf_stats.outbound_target_full));
38465 + (long)atomic_long_read_unchecked(&perf_stats.outbound_target_full));
38466 seq_printf(m, "Number of outbound tasklet mod_timer calls\t: %li\n",
38467 - (long)atomic_long_read(&perf_stats.debug_tl_out_timer));
38468 + (long)atomic_long_read_unchecked(&perf_stats.debug_tl_out_timer));
38469 seq_printf(m, "Number of stop polling calls\t\t\t: %li\n",
38470 - (long)atomic_long_read(&perf_stats.debug_stop_polling));
38471 + (long)atomic_long_read_unchecked(&perf_stats.debug_stop_polling));
38472 seq_printf(m, "AI inbound tasklet loops after stop polling\t: %li\n",
38473 - (long)atomic_long_read(&perf_stats.thinint_inbound_loop2));
38474 + (long)atomic_long_read_unchecked(&perf_stats.thinint_inbound_loop2));
38475 seq_printf(m, "QEBSM EQBS total/incomplete\t\t\t: %li/%li\n",
38476 - (long)atomic_long_read(&perf_stats.debug_eqbs_all),
38477 - (long)atomic_long_read(&perf_stats.debug_eqbs_incomplete));
38478 + (long)atomic_long_read_unchecked(&perf_stats.debug_eqbs_all),
38479 + (long)atomic_long_read_unchecked(&perf_stats.debug_eqbs_incomplete));
38480 seq_printf(m, "QEBSM SQBS total/incomplete\t\t\t: %li/%li\n",
38481 - (long)atomic_long_read(&perf_stats.debug_sqbs_all),
38482 - (long)atomic_long_read(&perf_stats.debug_sqbs_incomplete));
38483 + (long)atomic_long_read_unchecked(&perf_stats.debug_sqbs_all),
38484 + (long)atomic_long_read_unchecked(&perf_stats.debug_sqbs_incomplete));
38485 seq_printf(m, "\n");
38486 return 0;
38487 }
38488 diff -urNp linux-2.6.32.49/drivers/s390/cio/qdio_perf.h linux-2.6.32.49/drivers/s390/cio/qdio_perf.h
38489 --- linux-2.6.32.49/drivers/s390/cio/qdio_perf.h 2011-11-08 19:02:43.000000000 -0500
38490 +++ linux-2.6.32.49/drivers/s390/cio/qdio_perf.h 2011-11-15 19:59:43.000000000 -0500
38491 @@ -13,46 +13,46 @@
38492
38493 struct qdio_perf_stats {
38494 /* interrupt handler calls */
38495 - atomic_long_t qdio_int;
38496 - atomic_long_t pci_int;
38497 - atomic_long_t thin_int;
38498 + atomic_long_unchecked_t qdio_int;
38499 + atomic_long_unchecked_t pci_int;
38500 + atomic_long_unchecked_t thin_int;
38501
38502 /* tasklet runs */
38503 - atomic_long_t tasklet_inbound;
38504 - atomic_long_t tasklet_outbound;
38505 - atomic_long_t tasklet_thinint;
38506 - atomic_long_t tasklet_thinint_loop;
38507 - atomic_long_t thinint_inbound;
38508 - atomic_long_t thinint_inbound_loop;
38509 - atomic_long_t thinint_inbound_loop2;
38510 + atomic_long_unchecked_t tasklet_inbound;
38511 + atomic_long_unchecked_t tasklet_outbound;
38512 + atomic_long_unchecked_t tasklet_thinint;
38513 + atomic_long_unchecked_t tasklet_thinint_loop;
38514 + atomic_long_unchecked_t thinint_inbound;
38515 + atomic_long_unchecked_t thinint_inbound_loop;
38516 + atomic_long_unchecked_t thinint_inbound_loop2;
38517
38518 /* signal adapter calls */
38519 - atomic_long_t siga_out;
38520 - atomic_long_t siga_in;
38521 - atomic_long_t siga_sync;
38522 + atomic_long_unchecked_t siga_out;
38523 + atomic_long_unchecked_t siga_in;
38524 + atomic_long_unchecked_t siga_sync;
38525
38526 /* misc */
38527 - atomic_long_t inbound_handler;
38528 - atomic_long_t outbound_handler;
38529 - atomic_long_t fast_requeue;
38530 - atomic_long_t outbound_target_full;
38531 + atomic_long_unchecked_t inbound_handler;
38532 + atomic_long_unchecked_t outbound_handler;
38533 + atomic_long_unchecked_t fast_requeue;
38534 + atomic_long_unchecked_t outbound_target_full;
38535
38536 /* for debugging */
38537 - atomic_long_t debug_tl_out_timer;
38538 - atomic_long_t debug_stop_polling;
38539 - atomic_long_t debug_eqbs_all;
38540 - atomic_long_t debug_eqbs_incomplete;
38541 - atomic_long_t debug_sqbs_all;
38542 - atomic_long_t debug_sqbs_incomplete;
38543 + atomic_long_unchecked_t debug_tl_out_timer;
38544 + atomic_long_unchecked_t debug_stop_polling;
38545 + atomic_long_unchecked_t debug_eqbs_all;
38546 + atomic_long_unchecked_t debug_eqbs_incomplete;
38547 + atomic_long_unchecked_t debug_sqbs_all;
38548 + atomic_long_unchecked_t debug_sqbs_incomplete;
38549 };
38550
38551 extern struct qdio_perf_stats perf_stats;
38552 extern int qdio_performance_stats;
38553
38554 -static inline void qdio_perf_stat_inc(atomic_long_t *count)
38555 +static inline void qdio_perf_stat_inc(atomic_long_unchecked_t *count)
38556 {
38557 if (qdio_performance_stats)
38558 - atomic_long_inc(count);
38559 + atomic_long_inc_unchecked(count);
38560 }
38561
38562 int qdio_setup_perf_stats(void);
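Review bot: Nothing in struct qdio_perf_stats records why its fields are exempt from overflow checking after the switch to `atomic_long_unchecked_t`. From what is visible they are only incremented in qdio_perf_stat_inc() and printed with seq_printf in qdio_perf.c, so wrap-around looks harmless, but the type alone does not tell a reader that. A comment above the struct such as `/* statistics only: may wrap, never used for object lifetime */` would keep a later change from reusing one of these fields as a reference count. The same applies to the `stats` block of struct fc_exch_mgr in fc_exch.c and to `read_failures`/`write_failures` in pmcraid.h.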
38563 diff -urNp linux-2.6.32.49/drivers/scsi/aacraid/aacraid.h linux-2.6.32.49/drivers/scsi/aacraid/aacraid.h
38564 --- linux-2.6.32.49/drivers/scsi/aacraid/aacraid.h 2011-11-08 19:02:43.000000000 -0500
38565 +++ linux-2.6.32.49/drivers/scsi/aacraid/aacraid.h 2011-11-15 19:59:43.000000000 -0500
38566 @@ -471,7 +471,7 @@ struct adapter_ops
38567 int (*adapter_scsi)(struct fib * fib, struct scsi_cmnd * cmd);
38568 /* Administrative operations */
38569 int (*adapter_comm)(struct aac_dev * dev, int comm);
38570 -};
38571 +} __no_const;
38572
38573 /*
38574 * Define which interrupt handler needs to be installed
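Review bot: The `__no_const` added to struct adapter_ops leaves a table of function pointers writable, and nothing in the hunk says why. Presumably the members are filled in at run time per adapter model, which would prevent the structure from being made const; that should be confirmed and stated, e.g. `/* assigned at probe time, so cannot be const */`. Each such exemption leaves an ops table writable, so it deserves a recorded reason. The same bare annotation is added to struct bfa_hwif_s, struct bfa_ioc_cbfn_s and ips_hw_func_t; the start of struct adapter_ops is outside this hunk.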
38575 diff -urNp linux-2.6.32.49/drivers/scsi/aacraid/commctrl.c linux-2.6.32.49/drivers/scsi/aacraid/commctrl.c
38576 --- linux-2.6.32.49/drivers/scsi/aacraid/commctrl.c 2011-11-08 19:02:43.000000000 -0500
38577 +++ linux-2.6.32.49/drivers/scsi/aacraid/commctrl.c 2011-11-15 19:59:43.000000000 -0500
38578 @@ -481,6 +481,7 @@ static int aac_send_raw_srb(struct aac_d
38579 u32 actual_fibsize64, actual_fibsize = 0;
38580 int i;
38581
38582 + pax_track_stack();
38583
38584 if (dev->in_reset) {
38585 dprintk((KERN_DEBUG"aacraid: send raw srb -EBUSY\n"));
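Review bot: The added `pax_track_stack();` in aac_send_raw_srb has no comment saying why this function was chosen, and the locals visible in the hunk (`u32` values and an `int`) do not explain it. Presumably the rest of the function, which lies outside the hunk, has a stack frame large enough to need tracking; a short comment such as `/* large stack frame: record stack depth */` would make that verifiable. Without it nobody can tell when the call becomes unnecessary after the locals are reduced. The same uncommented call is added in BusLogic.c, dpt_i2o.c, eata.c, libfcoe.c, gdth.c, gdth_proc.c, lpfc_debugfs.c, megaraid_mbox.c and osd_initiator.c.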
38586 diff -urNp linux-2.6.32.49/drivers/scsi/aacraid/linit.c linux-2.6.32.49/drivers/scsi/aacraid/linit.c
38587 --- linux-2.6.32.49/drivers/scsi/aacraid/linit.c 2011-11-08 19:02:43.000000000 -0500
38588 +++ linux-2.6.32.49/drivers/scsi/aacraid/linit.c 2011-11-18 18:01:55.000000000 -0500
38589 @@ -91,7 +91,7 @@ static DECLARE_PCI_DEVICE_TABLE(aac_pci_
38590 #elif defined(__devinitconst)
38591 static const struct pci_device_id aac_pci_tbl[] __devinitconst = {
38592 #else
38593 -static const struct pci_device_id aac_pci_tbl[] __devinitdata = {
38594 +static const struct pci_device_id aac_pci_tbl[] __devinitconst = {
38595 #endif
38596 { 0x1028, 0x0001, 0x1028, 0x0001, 0, 0, 0 }, /* PERC 2/Si (Iguana/PERC2Si) */
38597 { 0x1028, 0x0002, 0x1028, 0x0002, 0, 0, 1 }, /* PERC 3/Di (Opal/PERC3Di) */
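Review bot: After this change the `#elif defined(__devinitconst)` branch and the `#else` branch declare `aac_pci_tbl` identically, so the `#else` is no longer a fallback. It now uses `__devinitconst` in exactly the case where the preprocessor test found the macro undefined. If the macro always exists in this tree the two branches can be collapsed into one declaration; if it does not, the `#else` branch will not build. The array initialiser continues outside the hunk.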
38598 diff -urNp linux-2.6.32.49/drivers/scsi/aic94xx/aic94xx_init.c linux-2.6.32.49/drivers/scsi/aic94xx/aic94xx_init.c
38599 --- linux-2.6.32.49/drivers/scsi/aic94xx/aic94xx_init.c 2011-11-08 19:02:43.000000000 -0500
38600 +++ linux-2.6.32.49/drivers/scsi/aic94xx/aic94xx_init.c 2011-11-18 18:01:55.000000000 -0500
38601 @@ -485,7 +485,7 @@ static ssize_t asd_show_update_bios(stru
38602 flash_error_table[i].reason);
38603 }
38604
38605 -static DEVICE_ATTR(update_bios, S_IRUGO|S_IWUGO,
38606 +static DEVICE_ATTR(update_bios, S_IRUGO|S_IWUSR,
38607 asd_show_update_bios, asd_store_update_bios);
38608
38609 static int asd_create_dev_attrs(struct asd_ha_struct *asd_ha)
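Review bot: Nothing next to `DEVICE_ATTR(update_bios, S_IRUGO|S_IWUSR,` says why write access is narrower than read access, so the mode could be widened again without anyone noticing. A comment such as `/* owner-writable only: a write starts a BIOS flash update */` would record the intent; that a write triggers flashing is inferred from the attribute name and the flash_error_table lookup above, so confirm it. asd_store_update_bios is not in the hunk, so whether it validates its input independently of the file mode cannot be judged here.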
38610 @@ -1011,7 +1011,7 @@ static struct sas_domain_function_templa
38611 .lldd_control_phy = asd_control_phy,
38612 };
38613
38614 -static const struct pci_device_id aic94xx_pci_table[] __devinitdata = {
38615 +static const struct pci_device_id aic94xx_pci_table[] __devinitconst = {
38616 {PCI_DEVICE(PCI_VENDOR_ID_ADAPTEC2, 0x410),0, 0, 1},
38617 {PCI_DEVICE(PCI_VENDOR_ID_ADAPTEC2, 0x412),0, 0, 1},
38618 {PCI_DEVICE(PCI_VENDOR_ID_ADAPTEC2, 0x416),0, 0, 1},
38619 diff -urNp linux-2.6.32.49/drivers/scsi/bfa/bfa_iocfc.h linux-2.6.32.49/drivers/scsi/bfa/bfa_iocfc.h
38620 --- linux-2.6.32.49/drivers/scsi/bfa/bfa_iocfc.h 2011-11-08 19:02:43.000000000 -0500
38621 +++ linux-2.6.32.49/drivers/scsi/bfa/bfa_iocfc.h 2011-11-15 19:59:43.000000000 -0500
38622 @@ -61,7 +61,7 @@ struct bfa_hwif_s {
38623 void (*hw_isr_mode_set)(struct bfa_s *bfa, bfa_boolean_t msix);
38624 void (*hw_msix_getvecs)(struct bfa_s *bfa, u32 *vecmap,
38625 u32 *nvecs, u32 *maxvec);
38626 -};
38627 +} __no_const;
38628 typedef void (*bfa_cb_iocfc_t) (void *cbarg, enum bfa_status status);
38629
38630 struct bfa_iocfc_s {
38631 diff -urNp linux-2.6.32.49/drivers/scsi/bfa/bfa_ioc.h linux-2.6.32.49/drivers/scsi/bfa/bfa_ioc.h
38632 --- linux-2.6.32.49/drivers/scsi/bfa/bfa_ioc.h 2011-11-08 19:02:43.000000000 -0500
38633 +++ linux-2.6.32.49/drivers/scsi/bfa/bfa_ioc.h 2011-11-15 19:59:43.000000000 -0500
38634 @@ -127,7 +127,7 @@ struct bfa_ioc_cbfn_s {
38635 bfa_ioc_disable_cbfn_t disable_cbfn;
38636 bfa_ioc_hbfail_cbfn_t hbfail_cbfn;
38637 bfa_ioc_reset_cbfn_t reset_cbfn;
38638 -};
38639 +} __no_const;
38640
38641 /**
38642 * Heartbeat failure notification queue element.
38643 diff -urNp linux-2.6.32.49/drivers/scsi/BusLogic.c linux-2.6.32.49/drivers/scsi/BusLogic.c
38644 --- linux-2.6.32.49/drivers/scsi/BusLogic.c 2011-11-08 19:02:43.000000000 -0500
38645 +++ linux-2.6.32.49/drivers/scsi/BusLogic.c 2011-11-15 19:59:43.000000000 -0500
38646 @@ -961,6 +961,8 @@ static int __init BusLogic_InitializeFla
38647 static void __init BusLogic_InitializeProbeInfoList(struct BusLogic_HostAdapter
38648 *PrototypeHostAdapter)
38649 {
38650 + pax_track_stack();
38651 +
38652 /*
38653 If a PCI BIOS is present, interrogate it for MultiMaster and FlashPoint
38654 Host Adapters; otherwise, default to the standard ISA MultiMaster probe.
38655 diff -urNp linux-2.6.32.49/drivers/scsi/dpt_i2o.c linux-2.6.32.49/drivers/scsi/dpt_i2o.c
38656 --- linux-2.6.32.49/drivers/scsi/dpt_i2o.c 2011-11-08 19:02:43.000000000 -0500
38657 +++ linux-2.6.32.49/drivers/scsi/dpt_i2o.c 2011-11-15 19:59:43.000000000 -0500
38658 @@ -1804,6 +1804,8 @@ static int adpt_i2o_passthru(adpt_hba* p
38659 dma_addr_t addr;
38660 ulong flags = 0;
38661
38662 + pax_track_stack();
38663 +
38664 memset(&msg, 0, MAX_MESSAGE_SIZE*4);
38665 // get user msg size in u32s
38666 if(get_user(size, &user_msg[0])){
38667 @@ -2297,6 +2299,8 @@ static s32 adpt_scsi_to_i2o(adpt_hba* pH
38668 s32 rcode;
38669 dma_addr_t addr;
38670
38671 + pax_track_stack();
38672 +
38673 memset(msg, 0 , sizeof(msg));
38674 len = scsi_bufflen(cmd);
38675 direction = 0x00000000;
38676 diff -urNp linux-2.6.32.49/drivers/scsi/eata.c linux-2.6.32.49/drivers/scsi/eata.c
38677 --- linux-2.6.32.49/drivers/scsi/eata.c 2011-11-08 19:02:43.000000000 -0500
38678 +++ linux-2.6.32.49/drivers/scsi/eata.c 2011-11-15 19:59:43.000000000 -0500
38679 @@ -1087,6 +1087,8 @@ static int port_detect(unsigned long por
38680 struct hostdata *ha;
38681 char name[16];
38682
38683 + pax_track_stack();
38684 +
38685 sprintf(name, "%s%d", driver_name, j);
38686
38687 if (!request_region(port_base, REGION_SIZE, driver_name)) {
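Review bot: `sprintf(name, "%s%d", driver_name, j);` directly below the added call writes into the 16-byte `name` without a bound. Whether `driver_name` plus the digits of `j` always fits in 15 characters is not visible in the hunk, so the write should be bounded rather than assumed safe: `snprintf(name, sizeof(name), "%s%d", driver_name, j);`. port_detect continues outside the hunk.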
38688 diff -urNp linux-2.6.32.49/drivers/scsi/fcoe/libfcoe.c linux-2.6.32.49/drivers/scsi/fcoe/libfcoe.c
38689 --- linux-2.6.32.49/drivers/scsi/fcoe/libfcoe.c 2011-11-08 19:02:43.000000000 -0500
38690 +++ linux-2.6.32.49/drivers/scsi/fcoe/libfcoe.c 2011-11-15 19:59:43.000000000 -0500
38691 @@ -809,6 +809,8 @@ static void fcoe_ctlr_recv_els(struct fc
38692 size_t rlen;
38693 size_t dlen;
38694
38695 + pax_track_stack();
38696 +
38697 fiph = (struct fip_header *)skb->data;
38698 sub = fiph->fip_subcode;
38699 if (sub != FIP_SC_REQ && sub != FIP_SC_REP)
38700 diff -urNp linux-2.6.32.49/drivers/scsi/fnic/fnic_main.c linux-2.6.32.49/drivers/scsi/fnic/fnic_main.c
38701 --- linux-2.6.32.49/drivers/scsi/fnic/fnic_main.c 2011-11-08 19:02:43.000000000 -0500
38702 +++ linux-2.6.32.49/drivers/scsi/fnic/fnic_main.c 2011-11-15 19:59:43.000000000 -0500
38703 @@ -669,7 +669,7 @@ static int __devinit fnic_probe(struct p
38704 /* Start local port initiatialization */
38705
38706 lp->link_up = 0;
38707 - lp->tt = fnic_transport_template;
38708 + memcpy((void *)&lp->tt, &fnic_transport_template, sizeof(fnic_transport_template));
38709
38710 lp->max_retry_count = fnic->config.flogi_retries;
38711 lp->max_rport_retry_count = fnic->config.plogi_retries;
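Review bot: The new `memcpy` takes its length from the source, `sizeof(fnic_transport_template)`, and the `(void *)` cast on the destination removes any compiler check that the two objects have the same type. The struct assignment it replaces was type-checked. Sizing the copy by the destination keeps a guard: `memcpy((void *)&lp->tt, &fnic_transport_template, sizeof(lp->tt));`, ideally with `BUILD_BUG_ON(sizeof(lp->tt) != sizeof(fnic_transport_template));` beside it. Presumably the cast is needed because `tt` is made const elsewhere in this patch; a comment saying so would help. fnic_probe continues outside the hunk.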
38712 diff -urNp linux-2.6.32.49/drivers/scsi/gdth.c linux-2.6.32.49/drivers/scsi/gdth.c
38713 --- linux-2.6.32.49/drivers/scsi/gdth.c 2011-11-08 19:02:43.000000000 -0500
38714 +++ linux-2.6.32.49/drivers/scsi/gdth.c 2011-11-15 19:59:43.000000000 -0500
38715 @@ -4102,6 +4102,8 @@ static int ioc_lockdrv(void __user *arg)
38716 ulong flags;
38717 gdth_ha_str *ha;
38718
38719 + pax_track_stack();
38720 +
38721 if (copy_from_user(&ldrv, arg, sizeof(gdth_ioctl_lockdrv)))
38722 return -EFAULT;
38723 ha = gdth_find_ha(ldrv.ionode);
38724 @@ -4134,6 +4136,8 @@ static int ioc_resetdrv(void __user *arg
38725 gdth_ha_str *ha;
38726 int rval;
38727
38728 + pax_track_stack();
38729 +
38730 if (copy_from_user(&res, arg, sizeof(gdth_ioctl_reset)) ||
38731 res.number >= MAX_HDRIVES)
38732 return -EFAULT;
38733 @@ -4169,6 +4173,8 @@ static int ioc_general(void __user *arg,
38734 gdth_ha_str *ha;
38735 int rval;
38736
38737 + pax_track_stack();
38738 +
38739 if (copy_from_user(&gen, arg, sizeof(gdth_ioctl_general)))
38740 return -EFAULT;
38741 ha = gdth_find_ha(gen.ionode);
38742 @@ -4625,6 +4631,9 @@ static void gdth_flush(gdth_ha_str *ha)
38743 int i;
38744 gdth_cmd_str gdtcmd;
38745 char cmnd[MAX_COMMAND_SIZE];
38746 +
38747 + pax_track_stack();
38748 +
38749 memset(cmnd, 0xff, MAX_COMMAND_SIZE);
38750
38751 TRACE2(("gdth_flush() hanum %d\n", ha->hanum));
38752 diff -urNp linux-2.6.32.49/drivers/scsi/gdth_proc.c linux-2.6.32.49/drivers/scsi/gdth_proc.c
38753 --- linux-2.6.32.49/drivers/scsi/gdth_proc.c 2011-11-08 19:02:43.000000000 -0500
38754 +++ linux-2.6.32.49/drivers/scsi/gdth_proc.c 2011-11-15 19:59:43.000000000 -0500
38755 @@ -46,6 +46,9 @@ static int gdth_set_asc_info(struct Scsi
38756 ulong64 paddr;
38757
38758 char cmnd[MAX_COMMAND_SIZE];
38759 +
38760 + pax_track_stack();
38761 +
38762 memset(cmnd, 0xff, 12);
38763 memset(&gdtcmd, 0, sizeof(gdth_cmd_str));
38764
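Review bot: `memset(cmnd, 0xff, 12);` fills only the first 12 bytes of `cmnd[MAX_COMMAND_SIZE]`, whereas gdth_flush in gdth.c fills the whole array with `memset(cmnd, 0xff, MAX_COMMAND_SIZE)`. If MAX_COMMAND_SIZE is larger than 12, the tail of the buffer keeps whatever was on the stack before the call. `memset(cmnd, 0xff, sizeof(cmnd));` removes both the magic number and that dependency. gdth_set_asc_info continues outside the hunk, so how `cmnd` is consumed afterwards is not visible here.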
38765 @@ -174,6 +177,8 @@ static int gdth_get_info(char *buffer,ch
38766 gdth_hget_str *phg;
38767 char cmnd[MAX_COMMAND_SIZE];
38768
38769 + pax_track_stack();
38770 +
38771 gdtcmd = kmalloc(sizeof(*gdtcmd), GFP_KERNEL);
38772 estr = kmalloc(sizeof(*estr), GFP_KERNEL);
38773 if (!gdtcmd || !estr)
38774 diff -urNp linux-2.6.32.49/drivers/scsi/hosts.c linux-2.6.32.49/drivers/scsi/hosts.c
38775 --- linux-2.6.32.49/drivers/scsi/hosts.c 2011-11-26 19:44:53.000000000 -0500
38776 +++ linux-2.6.32.49/drivers/scsi/hosts.c 2011-11-26 19:45:06.000000000 -0500
38777 @@ -40,7 +40,7 @@
38778 #include "scsi_logging.h"
38779
38780
38781 -static atomic_t scsi_host_next_hn; /* host_no for next new host */
38782 +static atomic_unchecked_t scsi_host_next_hn; /* host_no for next new host */
38783
38784
38785 static void scsi_host_cls_release(struct device *dev)
38786 @@ -347,7 +347,7 @@ struct Scsi_Host *scsi_host_alloc(struct
38787 * subtract one because we increment first then return, but we need to
38788 * know what the next host number was before increment
38789 */
38790 - shost->host_no = atomic_inc_return(&scsi_host_next_hn) - 1;
38791 + shost->host_no = atomic_inc_return_unchecked(&scsi_host_next_hn) - 1;
38792 shost->dma_channel = 0xff;
38793
38794 /* These three are default values which can be overridden */
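Review bot: `scsi_host_next_hn` hands out host numbers, so with `atomic_inc_return_unchecked` a wrapped counter silently repeats `host_no` values rather than tripping whatever overflow check the plain type would get. That may be acceptable, but unlike a statistics counter this value is an identifier, and the existing comment only explains the `- 1`. Extending it with `/* unchecked: not a refcount; wrap-around would reuse host numbers */` would put the trade-off on record. scsi_host_alloc continues outside the hunk.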
38795 diff -urNp linux-2.6.32.49/drivers/scsi/ipr.c linux-2.6.32.49/drivers/scsi/ipr.c
38796 --- linux-2.6.32.49/drivers/scsi/ipr.c 2011-11-08 19:02:43.000000000 -0500
38797 +++ linux-2.6.32.49/drivers/scsi/ipr.c 2011-11-15 19:59:43.000000000 -0500
38798 @@ -5286,7 +5286,7 @@ static bool ipr_qc_fill_rtf(struct ata_q
38799 return true;
38800 }
38801
38802 -static struct ata_port_operations ipr_sata_ops = {
38803 +static const struct ata_port_operations ipr_sata_ops = {
38804 .phy_reset = ipr_ata_phy_reset,
38805 .hardreset = ipr_sata_reset,
38806 .post_internal_cmd = ipr_ata_post_internal,
38807 diff -urNp linux-2.6.32.49/drivers/scsi/ips.h linux-2.6.32.49/drivers/scsi/ips.h
38808 --- linux-2.6.32.49/drivers/scsi/ips.h 2011-11-08 19:02:43.000000000 -0500
38809 +++ linux-2.6.32.49/drivers/scsi/ips.h 2011-11-15 19:59:43.000000000 -0500
38810 @@ -1027,7 +1027,7 @@ typedef struct {
38811 int (*intr)(struct ips_ha *);
38812 void (*enableint)(struct ips_ha *);
38813 uint32_t (*statupd)(struct ips_ha *);
38814 -} ips_hw_func_t;
38815 +} __no_const ips_hw_func_t;
38816
38817 typedef struct ips_ha {
38818 uint8_t ha_id[IPS_MAX_CHANNELS+1];
38819 diff -urNp linux-2.6.32.49/drivers/scsi/libfc/fc_exch.c linux-2.6.32.49/drivers/scsi/libfc/fc_exch.c
38820 --- linux-2.6.32.49/drivers/scsi/libfc/fc_exch.c 2011-11-08 19:02:43.000000000 -0500
38821 +++ linux-2.6.32.49/drivers/scsi/libfc/fc_exch.c 2011-11-15 19:59:43.000000000 -0500
38822 @@ -86,12 +86,12 @@ struct fc_exch_mgr {
38823 * all together if not used XXX
38824 */
38825 struct {
38826 - atomic_t no_free_exch;
38827 - atomic_t no_free_exch_xid;
38828 - atomic_t xid_not_found;
38829 - atomic_t xid_busy;
38830 - atomic_t seq_not_found;
38831 - atomic_t non_bls_resp;
38832 + atomic_unchecked_t no_free_exch;
38833 + atomic_unchecked_t no_free_exch_xid;
38834 + atomic_unchecked_t xid_not_found;
38835 + atomic_unchecked_t xid_busy;
38836 + atomic_unchecked_t seq_not_found;
38837 + atomic_unchecked_t non_bls_resp;
38838 } stats;
38839 };
38840 #define fc_seq_exch(sp) container_of(sp, struct fc_exch, seq)
38841 @@ -510,7 +510,7 @@ static struct fc_exch *fc_exch_em_alloc(
38842 /* allocate memory for exchange */
38843 ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
38844 if (!ep) {
38845 - atomic_inc(&mp->stats.no_free_exch);
38846 + atomic_inc_unchecked(&mp->stats.no_free_exch);
38847 goto out;
38848 }
38849 memset(ep, 0, sizeof(*ep));
38850 @@ -557,7 +557,7 @@ out:
38851 return ep;
38852 err:
38853 spin_unlock_bh(&pool->lock);
38854 - atomic_inc(&mp->stats.no_free_exch_xid);
38855 + atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
38856 mempool_free(ep, mp->ep_pool);
38857 return NULL;
38858 }
38859 @@ -690,7 +690,7 @@ static enum fc_pf_rjt_reason fc_seq_look
38860 xid = ntohs(fh->fh_ox_id); /* we originated exch */
38861 ep = fc_exch_find(mp, xid);
38862 if (!ep) {
38863 - atomic_inc(&mp->stats.xid_not_found);
38864 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38865 reject = FC_RJT_OX_ID;
38866 goto out;
38867 }
38868 @@ -720,7 +720,7 @@ static enum fc_pf_rjt_reason fc_seq_look
38869 ep = fc_exch_find(mp, xid);
38870 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
38871 if (ep) {
38872 - atomic_inc(&mp->stats.xid_busy);
38873 + atomic_inc_unchecked(&mp->stats.xid_busy);
38874 reject = FC_RJT_RX_ID;
38875 goto rel;
38876 }
38877 @@ -731,7 +731,7 @@ static enum fc_pf_rjt_reason fc_seq_look
38878 }
38879 xid = ep->xid; /* get our XID */
38880 } else if (!ep) {
38881 - atomic_inc(&mp->stats.xid_not_found);
38882 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38883 reject = FC_RJT_RX_ID; /* XID not found */
38884 goto out;
38885 }
38886 @@ -752,7 +752,7 @@ static enum fc_pf_rjt_reason fc_seq_look
38887 } else {
38888 sp = &ep->seq;
38889 if (sp->id != fh->fh_seq_id) {
38890 - atomic_inc(&mp->stats.seq_not_found);
38891 + atomic_inc_unchecked(&mp->stats.seq_not_found);
38892 reject = FC_RJT_SEQ_ID; /* sequence/exch should exist */
38893 goto rel;
38894 }
38895 @@ -1163,22 +1163,22 @@ static void fc_exch_recv_seq_resp(struct
38896
38897 ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
38898 if (!ep) {
38899 - atomic_inc(&mp->stats.xid_not_found);
38900 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38901 goto out;
38902 }
38903 if (ep->esb_stat & ESB_ST_COMPLETE) {
38904 - atomic_inc(&mp->stats.xid_not_found);
38905 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38906 goto out;
38907 }
38908 if (ep->rxid == FC_XID_UNKNOWN)
38909 ep->rxid = ntohs(fh->fh_rx_id);
38910 if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
38911 - atomic_inc(&mp->stats.xid_not_found);
38912 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38913 goto rel;
38914 }
38915 if (ep->did != ntoh24(fh->fh_s_id) &&
38916 ep->did != FC_FID_FLOGI) {
38917 - atomic_inc(&mp->stats.xid_not_found);
38918 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38919 goto rel;
38920 }
38921 sof = fr_sof(fp);
38922 @@ -1189,7 +1189,7 @@ static void fc_exch_recv_seq_resp(struct
38923 } else {
38924 sp = &ep->seq;
38925 if (sp->id != fh->fh_seq_id) {
38926 - atomic_inc(&mp->stats.seq_not_found);
38927 + atomic_inc_unchecked(&mp->stats.seq_not_found);
38928 goto rel;
38929 }
38930 }
38931 @@ -1249,9 +1249,9 @@ static void fc_exch_recv_resp(struct fc_
38932 sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
38933
38934 if (!sp)
38935 - atomic_inc(&mp->stats.xid_not_found);
38936 + atomic_inc_unchecked(&mp->stats.xid_not_found);
38937 else
38938 - atomic_inc(&mp->stats.non_bls_resp);
38939 + atomic_inc_unchecked(&mp->stats.non_bls_resp);
38940
38941 fc_frame_free(fp);
38942 }
38943 diff -urNp linux-2.6.32.49/drivers/scsi/libsas/sas_ata.c linux-2.6.32.49/drivers/scsi/libsas/sas_ata.c
38944 --- linux-2.6.32.49/drivers/scsi/libsas/sas_ata.c 2011-11-08 19:02:43.000000000 -0500
38945 +++ linux-2.6.32.49/drivers/scsi/libsas/sas_ata.c 2011-11-15 19:59:43.000000000 -0500
38946 @@ -343,7 +343,7 @@ static int sas_ata_scr_read(struct ata_l
38947 }
38948 }
38949
38950 -static struct ata_port_operations sas_sata_ops = {
38951 +static const struct ata_port_operations sas_sata_ops = {
38952 .phy_reset = sas_ata_phy_reset,
38953 .post_internal_cmd = sas_ata_post_internal,
38954 .qc_defer = ata_std_qc_defer,
38955 diff -urNp linux-2.6.32.49/drivers/scsi/lpfc/lpfc_debugfs.c linux-2.6.32.49/drivers/scsi/lpfc/lpfc_debugfs.c
38956 --- linux-2.6.32.49/drivers/scsi/lpfc/lpfc_debugfs.c 2011-11-08 19:02:43.000000000 -0500
38957 +++ linux-2.6.32.49/drivers/scsi/lpfc/lpfc_debugfs.c 2011-11-15 19:59:43.000000000 -0500
38958 @@ -124,7 +124,7 @@ struct lpfc_debug {
38959 int len;
38960 };
38961
38962 -static atomic_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
38963 +static atomic_unchecked_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
38964 static unsigned long lpfc_debugfs_start_time = 0L;
38965
38966 /**
38967 @@ -158,7 +158,7 @@ lpfc_debugfs_disc_trc_data(struct lpfc_v
38968 lpfc_debugfs_enable = 0;
38969
38970 len = 0;
38971 - index = (atomic_read(&vport->disc_trc_cnt) + 1) &
38972 + index = (atomic_read_unchecked(&vport->disc_trc_cnt) + 1) &
38973 (lpfc_debugfs_max_disc_trc - 1);
38974 for (i = index; i < lpfc_debugfs_max_disc_trc; i++) {
38975 dtp = vport->disc_trc + i;
38976 @@ -219,7 +219,7 @@ lpfc_debugfs_slow_ring_trc_data(struct l
38977 lpfc_debugfs_enable = 0;
38978
38979 len = 0;
38980 - index = (atomic_read(&phba->slow_ring_trc_cnt) + 1) &
38981 + index = (atomic_read_unchecked(&phba->slow_ring_trc_cnt) + 1) &
38982 (lpfc_debugfs_max_slow_ring_trc - 1);
38983 for (i = index; i < lpfc_debugfs_max_slow_ring_trc; i++) {
38984 dtp = phba->slow_ring_trc + i;
38985 @@ -397,6 +397,8 @@ lpfc_debugfs_dumpHBASlim_data(struct lpf
38986 uint32_t *ptr;
38987 char buffer[1024];
38988
38989 + pax_track_stack();
38990 +
38991 off = 0;
38992 spin_lock_irq(&phba->hbalock);
38993
38994 @@ -634,14 +636,14 @@ lpfc_debugfs_disc_trc(struct lpfc_vport
38995 !vport || !vport->disc_trc)
38996 return;
38997
38998 - index = atomic_inc_return(&vport->disc_trc_cnt) &
38999 + index = atomic_inc_return_unchecked(&vport->disc_trc_cnt) &
39000 (lpfc_debugfs_max_disc_trc - 1);
39001 dtp = vport->disc_trc + index;
39002 dtp->fmt = fmt;
39003 dtp->data1 = data1;
39004 dtp->data2 = data2;
39005 dtp->data3 = data3;
39006 - dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
39007 + dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
39008 dtp->jif = jiffies;
39009 #endif
39010 return;
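Review bot: The trace index and `seq_cnt` now come from counters that are explicitly allowed to wrap, and no comment says that this is intended. For `index`, the `& (lpfc_debugfs_max_disc_trc - 1)` mask keeps the value inside the buffer whatever the counter holds, provided the maximum is at least 1; its definition is not in the hunk. A comment such as `/* free-running ring index: wraps by design, the mask bounds it */` would record why the unchecked variant is right here. The same applies to lpfc_debugfs_slow_ring_trc in the next hunk.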
39011 @@ -672,14 +674,14 @@ lpfc_debugfs_slow_ring_trc(struct lpfc_h
39012 !phba || !phba->slow_ring_trc)
39013 return;
39014
39015 - index = atomic_inc_return(&phba->slow_ring_trc_cnt) &
39016 + index = atomic_inc_return_unchecked(&phba->slow_ring_trc_cnt) &
39017 (lpfc_debugfs_max_slow_ring_trc - 1);
39018 dtp = phba->slow_ring_trc + index;
39019 dtp->fmt = fmt;
39020 dtp->data1 = data1;
39021 dtp->data2 = data2;
39022 dtp->data3 = data3;
39023 - dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
39024 + dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
39025 dtp->jif = jiffies;
39026 #endif
39027 return;
39028 @@ -1364,7 +1366,7 @@ lpfc_debugfs_initialize(struct lpfc_vpor
39029 "slow_ring buffer\n");
39030 goto debug_failed;
39031 }
39032 - atomic_set(&phba->slow_ring_trc_cnt, 0);
39033 + atomic_set_unchecked(&phba->slow_ring_trc_cnt, 0);
39034 memset(phba->slow_ring_trc, 0,
39035 (sizeof(struct lpfc_debugfs_trc) *
39036 lpfc_debugfs_max_slow_ring_trc));
39037 @@ -1410,7 +1412,7 @@ lpfc_debugfs_initialize(struct lpfc_vpor
39038 "buffer\n");
39039 goto debug_failed;
39040 }
39041 - atomic_set(&vport->disc_trc_cnt, 0);
39042 + atomic_set_unchecked(&vport->disc_trc_cnt, 0);
39043
39044 snprintf(name, sizeof(name), "discovery_trace");
39045 vport->debug_disc_trc =
39046 diff -urNp linux-2.6.32.49/drivers/scsi/lpfc/lpfc.h linux-2.6.32.49/drivers/scsi/lpfc/lpfc.h
39047 --- linux-2.6.32.49/drivers/scsi/lpfc/lpfc.h 2011-11-08 19:02:43.000000000 -0500
39048 +++ linux-2.6.32.49/drivers/scsi/lpfc/lpfc.h 2011-11-15 19:59:43.000000000 -0500
39049 @@ -400,7 +400,7 @@ struct lpfc_vport {
39050 struct dentry *debug_nodelist;
39051 struct dentry *vport_debugfs_root;
39052 struct lpfc_debugfs_trc *disc_trc;
39053 - atomic_t disc_trc_cnt;
39054 + atomic_unchecked_t disc_trc_cnt;
39055 #endif
39056 uint8_t stat_data_enabled;
39057 uint8_t stat_data_blocked;
39058 @@ -725,8 +725,8 @@ struct lpfc_hba {
39059 struct timer_list fabric_block_timer;
39060 unsigned long bit_flags;
39061 #define FABRIC_COMANDS_BLOCKED 0
39062 - atomic_t num_rsrc_err;
39063 - atomic_t num_cmd_success;
39064 + atomic_unchecked_t num_rsrc_err;
39065 + atomic_unchecked_t num_cmd_success;
39066 unsigned long last_rsrc_error_time;
39067 unsigned long last_ramp_down_time;
39068 unsigned long last_ramp_up_time;
39069 @@ -740,7 +740,7 @@ struct lpfc_hba {
39070 struct dentry *debug_dumpDif; /* BlockGuard BPL*/
39071 struct dentry *debug_slow_ring_trc;
39072 struct lpfc_debugfs_trc *slow_ring_trc;
39073 - atomic_t slow_ring_trc_cnt;
39074 + atomic_unchecked_t slow_ring_trc_cnt;
39075 #endif
39076
39077 /* Used for deferred freeing of ELS data buffers */
39078 diff -urNp linux-2.6.32.49/drivers/scsi/lpfc/lpfc_init.c linux-2.6.32.49/drivers/scsi/lpfc/lpfc_init.c
39079 --- linux-2.6.32.49/drivers/scsi/lpfc/lpfc_init.c 2011-11-08 19:02:43.000000000 -0500
39080 +++ linux-2.6.32.49/drivers/scsi/lpfc/lpfc_init.c 2011-11-15 19:59:43.000000000 -0500
39081 @@ -8021,8 +8021,10 @@ lpfc_init(void)
39082 printk(LPFC_COPYRIGHT "\n");
39083
39084 if (lpfc_enable_npiv) {
39085 - lpfc_transport_functions.vport_create = lpfc_vport_create;
39086 - lpfc_transport_functions.vport_delete = lpfc_vport_delete;
39087 + pax_open_kernel();
39088 + *(void **)&lpfc_transport_functions.vport_create = lpfc_vport_create;
39089 + *(void **)&lpfc_transport_functions.vport_delete = lpfc_vport_delete;
39090 + pax_close_kernel();
39091 }
39092 lpfc_transport_template =
39093 fc_attach_transport(&lpfc_transport_functions);
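Review bot: Writing through `*(void **)&lpfc_transport_functions.vport_create` discards the member's function-pointer type, so a handler with the wrong signature would now compile silently; the plain assignments being replaced were type-checked. Presumably the cast is there because the structure is made read-only elsewhere in the patch, with pax_open_kernel()/pax_close_kernel() bracketing the write. A compile-time comparison of the member type against the handler type (for example with `__builtin_types_compatible_p`) placed before the cast would preserve the check. A comment such as `/* ops table is read-only after init; open a write window for the NPIV hooks */` would explain the bracket. lpfc_init continues outside the hunk.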
39094 diff -urNp linux-2.6.32.49/drivers/scsi/lpfc/lpfc_scsi.c linux-2.6.32.49/drivers/scsi/lpfc/lpfc_scsi.c
39095 --- linux-2.6.32.49/drivers/scsi/lpfc/lpfc_scsi.c 2011-11-08 19:02:43.000000000 -0500
39096 +++ linux-2.6.32.49/drivers/scsi/lpfc/lpfc_scsi.c 2011-11-15 19:59:43.000000000 -0500
39097 @@ -259,7 +259,7 @@ lpfc_rampdown_queue_depth(struct lpfc_hb
39098 uint32_t evt_posted;
39099
39100 spin_lock_irqsave(&phba->hbalock, flags);
39101 - atomic_inc(&phba->num_rsrc_err);
39102 + atomic_inc_unchecked(&phba->num_rsrc_err);
39103 phba->last_rsrc_error_time = jiffies;
39104
39105 if ((phba->last_ramp_down_time + QUEUE_RAMP_DOWN_INTERVAL) > jiffies) {
39106 @@ -300,7 +300,7 @@ lpfc_rampup_queue_depth(struct lpfc_vpor
39107 unsigned long flags;
39108 struct lpfc_hba *phba = vport->phba;
39109 uint32_t evt_posted;
39110 - atomic_inc(&phba->num_cmd_success);
39111 + atomic_inc_unchecked(&phba->num_cmd_success);
39112
39113 if (vport->cfg_lun_queue_depth <= queue_depth)
39114 return;
39115 @@ -343,8 +343,8 @@ lpfc_ramp_down_queue_handler(struct lpfc
39116 int i;
39117 struct lpfc_rport_data *rdata;
39118
39119 - num_rsrc_err = atomic_read(&phba->num_rsrc_err);
39120 - num_cmd_success = atomic_read(&phba->num_cmd_success);
39121 + num_rsrc_err = atomic_read_unchecked(&phba->num_rsrc_err);
39122 + num_cmd_success = atomic_read_unchecked(&phba->num_cmd_success);
39123
39124 vports = lpfc_create_vport_work_array(phba);
39125 if (vports != NULL)
39126 @@ -378,8 +378,8 @@ lpfc_ramp_down_queue_handler(struct lpfc
39127 }
39128 }
39129 lpfc_destroy_vport_work_array(phba, vports);
39130 - atomic_set(&phba->num_rsrc_err, 0);
39131 - atomic_set(&phba->num_cmd_success, 0);
39132 + atomic_set_unchecked(&phba->num_rsrc_err, 0);
39133 + atomic_set_unchecked(&phba->num_cmd_success, 0);
39134 }
39135
39136 /**
39137 @@ -427,8 +427,8 @@ lpfc_ramp_up_queue_handler(struct lpfc_h
39138 }
39139 }
39140 lpfc_destroy_vport_work_array(phba, vports);
39141 - atomic_set(&phba->num_rsrc_err, 0);
39142 - atomic_set(&phba->num_cmd_success, 0);
39143 + atomic_set_unchecked(&phba->num_rsrc_err, 0);
39144 + atomic_set_unchecked(&phba->num_cmd_success, 0);
39145 }
39146
39147 /**
39148 diff -urNp linux-2.6.32.49/drivers/scsi/megaraid/megaraid_mbox.c linux-2.6.32.49/drivers/scsi/megaraid/megaraid_mbox.c
39149 --- linux-2.6.32.49/drivers/scsi/megaraid/megaraid_mbox.c 2011-11-08 19:02:43.000000000 -0500
39150 +++ linux-2.6.32.49/drivers/scsi/megaraid/megaraid_mbox.c 2011-11-15 19:59:43.000000000 -0500
39151 @@ -3503,6 +3503,8 @@ megaraid_cmm_register(adapter_t *adapter
39152 int rval;
39153 int i;
39154
39155 + pax_track_stack();
39156 +
39157 // Allocate memory for the base list of scb for management module.
39158 adapter->uscb_list = kcalloc(MBOX_MAX_USER_CMDS, sizeof(scb_t), GFP_KERNEL);
39159
39160 diff -urNp linux-2.6.32.49/drivers/scsi/osd/osd_initiator.c linux-2.6.32.49/drivers/scsi/osd/osd_initiator.c
39161 --- linux-2.6.32.49/drivers/scsi/osd/osd_initiator.c 2011-11-08 19:02:43.000000000 -0500
39162 +++ linux-2.6.32.49/drivers/scsi/osd/osd_initiator.c 2011-11-15 19:59:43.000000000 -0500
39163 @@ -94,6 +94,8 @@ static int _osd_print_system_info(struct
39164 int nelem = ARRAY_SIZE(get_attrs), a = 0;
39165 int ret;
39166
39167 + pax_track_stack();
39168 +
39169 or = osd_start_request(od, GFP_KERNEL);
39170 if (!or)
39171 return -ENOMEM;
39172 diff -urNp linux-2.6.32.49/drivers/scsi/pmcraid.c linux-2.6.32.49/drivers/scsi/pmcraid.c
39173 --- linux-2.6.32.49/drivers/scsi/pmcraid.c 2011-11-08 19:02:43.000000000 -0500
39174 +++ linux-2.6.32.49/drivers/scsi/pmcraid.c 2011-11-15 19:59:43.000000000 -0500
39175 @@ -189,8 +189,8 @@ static int pmcraid_slave_alloc(struct sc
39176 res->scsi_dev = scsi_dev;
39177 scsi_dev->hostdata = res;
39178 res->change_detected = 0;
39179 - atomic_set(&res->read_failures, 0);
39180 - atomic_set(&res->write_failures, 0);
39181 + atomic_set_unchecked(&res->read_failures, 0);
39182 + atomic_set_unchecked(&res->write_failures, 0);
39183 rc = 0;
39184 }
39185 spin_unlock_irqrestore(&pinstance->resource_lock, lock_flags);
39186 @@ -2396,9 +2396,9 @@ static int pmcraid_error_handler(struct
39187
39188 /* If this was a SCSI read/write command keep count of errors */
39189 if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_READ_CMD)
39190 - atomic_inc(&res->read_failures);
39191 + atomic_inc_unchecked(&res->read_failures);
39192 else if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_WRITE_CMD)
39193 - atomic_inc(&res->write_failures);
39194 + atomic_inc_unchecked(&res->write_failures);
39195
39196 if (!RES_IS_GSCSI(res->cfg_entry) &&
39197 masked_ioasc != PMCRAID_IOASC_HW_DEVICE_BUS_STATUS_ERROR) {
39198 @@ -4116,7 +4116,7 @@ static void pmcraid_worker_function(stru
39199
39200 pinstance = container_of(workp, struct pmcraid_instance, worker_q);
39201 /* add resources only after host is added into system */
39202 - if (!atomic_read(&pinstance->expose_resources))
39203 + if (!atomic_read_unchecked(&pinstance->expose_resources))
39204 return;
39205
39206 spin_lock_irqsave(&pinstance->resource_lock, lock_flags);
39207 @@ -4850,7 +4850,7 @@ static int __devinit pmcraid_init_instan
39208 init_waitqueue_head(&pinstance->reset_wait_q);
39209
39210 atomic_set(&pinstance->outstanding_cmds, 0);
39211 - atomic_set(&pinstance->expose_resources, 0);
39212 + atomic_set_unchecked(&pinstance->expose_resources, 0);
39213
39214 INIT_LIST_HEAD(&pinstance->free_res_q);
39215 INIT_LIST_HEAD(&pinstance->used_res_q);
39216 @@ -5502,7 +5502,7 @@ static int __devinit pmcraid_probe(
39217 /* Schedule worker thread to handle CCN and take care of adding and
39218 * removing devices to OS
39219 */
39220 - atomic_set(&pinstance->expose_resources, 1);
39221 + atomic_set_unchecked(&pinstance->expose_resources, 1);
39222 schedule_work(&pinstance->worker_q);
39223 return rc;
39224
39225 diff -urNp linux-2.6.32.49/drivers/scsi/pmcraid.h linux-2.6.32.49/drivers/scsi/pmcraid.h
39226 --- linux-2.6.32.49/drivers/scsi/pmcraid.h 2011-11-08 19:02:43.000000000 -0500
39227 +++ linux-2.6.32.49/drivers/scsi/pmcraid.h 2011-11-15 19:59:43.000000000 -0500
39228 @@ -690,7 +690,7 @@ struct pmcraid_instance {
39229 atomic_t outstanding_cmds;
39230
39231 /* should add/delete resources to mid-layer now ?*/
39232 - atomic_t expose_resources;
39233 + atomic_unchecked_t expose_resources;
39234
39235 /* Tasklet to handle deferred processing */
39236 struct tasklet_struct isr_tasklet[PMCRAID_NUM_MSIX_VECTORS];
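Review bot: `expose_resources` is only written with a set and tested with a read in the pmcraid.c hunks of this patch (0 in `pmcraid_init_instance`, 1 in `pmcraid_probe`, read in `pmcraid_worker_function`), so it behaves as a flag rather than a counter that can overflow. Converting it to `atomic_unchecked_t` therefore looks unnecessary, unlike `read_failures`/`write_failures`, which are incremented. Leaving `atomic_t expose_resources;` would keep the opt-out from overflow checking limited to the statistics counters, unless code outside these hunks increments the field. The struct continues outside the hunk.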
39237 @@ -727,8 +727,8 @@ struct pmcraid_resource_entry {
39238 struct list_head queue; /* link to "to be exposed" resources */
39239 struct pmcraid_config_table_entry cfg_entry;
39240 struct scsi_device *scsi_dev; /* Link scsi_device structure */
39241 - atomic_t read_failures; /* count of failed READ commands */
39242 - atomic_t write_failures; /* count of failed WRITE commands */
39243 + atomic_unchecked_t read_failures; /* count of failed READ commands */
39244 + atomic_unchecked_t write_failures; /* count of failed WRITE commands */
39245
39246 /* To indicate add/delete/modify during CCN */
39247 u8 change_detected;
39248 diff -urNp linux-2.6.32.49/drivers/scsi/qla2xxx/qla_def.h linux-2.6.32.49/drivers/scsi/qla2xxx/qla_def.h
39249 --- linux-2.6.32.49/drivers/scsi/qla2xxx/qla_def.h 2011-11-08 19:02:43.000000000 -0500
39250 +++ linux-2.6.32.49/drivers/scsi/qla2xxx/qla_def.h 2011-11-15 19:59:43.000000000 -0500
39251 @@ -2089,7 +2089,7 @@ struct isp_operations {
39252
39253 int (*get_flash_version) (struct scsi_qla_host *, void *);
39254 int (*start_scsi) (srb_t *);
39255 -};
39256 +} __no_const;
39257
39258 /* MSI-X Support *************************************************************/
39259
39260 diff -urNp linux-2.6.32.49/drivers/scsi/qla4xxx/ql4_def.h linux-2.6.32.49/drivers/scsi/qla4xxx/ql4_def.h
39261 --- linux-2.6.32.49/drivers/scsi/qla4xxx/ql4_def.h 2011-11-08 19:02:43.000000000 -0500
39262 +++ linux-2.6.32.49/drivers/scsi/qla4xxx/ql4_def.h 2011-11-15 19:59:43.000000000 -0500
39263 @@ -240,7 +240,7 @@ struct ddb_entry {
39264 atomic_t retry_relogin_timer; /* Min Time between relogins
39265 * (4000 only) */
39266 atomic_t relogin_timer; /* Max Time to wait for relogin to complete */
39267 - atomic_t relogin_retry_count; /* Num of times relogin has been
39268 + atomic_unchecked_t relogin_retry_count; /* Num of times relogin has been
39269 * retried */
39270
39271 uint16_t port;
39272 diff -urNp linux-2.6.32.49/drivers/scsi/qla4xxx/ql4_init.c linux-2.6.32.49/drivers/scsi/qla4xxx/ql4_init.c
39273 --- linux-2.6.32.49/drivers/scsi/qla4xxx/ql4_init.c 2011-11-08 19:02:43.000000000 -0500
39274 +++ linux-2.6.32.49/drivers/scsi/qla4xxx/ql4_init.c 2011-11-15 19:59:43.000000000 -0500
39275 @@ -482,7 +482,7 @@ static struct ddb_entry * qla4xxx_alloc_
39276 atomic_set(&ddb_entry->port_down_timer, ha->port_down_retry_count);
39277 atomic_set(&ddb_entry->retry_relogin_timer, INVALID_ENTRY);
39278 atomic_set(&ddb_entry->relogin_timer, 0);
39279 - atomic_set(&ddb_entry->relogin_retry_count, 0);
39280 + atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
39281 atomic_set(&ddb_entry->state, DDB_STATE_ONLINE);
39282 list_add_tail(&ddb_entry->list, &ha->ddb_list);
39283 ha->fw_ddb_index_map[fw_ddb_index] = ddb_entry;
39284 @@ -1308,7 +1308,7 @@ int qla4xxx_process_ddb_changed(struct s
39285 atomic_set(&ddb_entry->state, DDB_STATE_ONLINE);
39286 atomic_set(&ddb_entry->port_down_timer,
39287 ha->port_down_retry_count);
39288 - atomic_set(&ddb_entry->relogin_retry_count, 0);
39289 + atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
39290 atomic_set(&ddb_entry->relogin_timer, 0);
39291 clear_bit(DF_RELOGIN, &ddb_entry->flags);
39292 clear_bit(DF_NO_RELOGIN, &ddb_entry->flags);
39293 diff -urNp linux-2.6.32.49/drivers/scsi/qla4xxx/ql4_os.c linux-2.6.32.49/drivers/scsi/qla4xxx/ql4_os.c
39294 --- linux-2.6.32.49/drivers/scsi/qla4xxx/ql4_os.c 2011-11-08 19:02:43.000000000 -0500
39295 +++ linux-2.6.32.49/drivers/scsi/qla4xxx/ql4_os.c 2011-11-15 19:59:43.000000000 -0500
39296 @@ -641,13 +641,13 @@ static void qla4xxx_timer(struct scsi_ql
39297 ddb_entry->fw_ddb_device_state ==
39298 DDB_DS_SESSION_FAILED) {
39299 /* Reset retry relogin timer */
39300 - atomic_inc(&ddb_entry->relogin_retry_count);
39301 + atomic_inc_unchecked(&ddb_entry->relogin_retry_count);
39302 DEBUG2(printk("scsi%ld: index[%d] relogin"
39303 " timed out-retrying"
39304 " relogin (%d)\n",
39305 ha->host_no,
39306 ddb_entry->fw_ddb_index,
39307 - atomic_read(&ddb_entry->
39308 + atomic_read_unchecked(&ddb_entry->
39309 relogin_retry_count))
39310 );
39311 start_dpc++;
39312 diff -urNp linux-2.6.32.49/drivers/scsi/scsi.c linux-2.6.32.49/drivers/scsi/scsi.c
39313 --- linux-2.6.32.49/drivers/scsi/scsi.c 2011-11-08 19:02:43.000000000 -0500
39314 +++ linux-2.6.32.49/drivers/scsi/scsi.c 2011-11-15 19:59:43.000000000 -0500
39315 @@ -652,7 +652,7 @@ int scsi_dispatch_cmd(struct scsi_cmnd *
39316 unsigned long timeout;
39317 int rtn = 0;
39318
39319 - atomic_inc(&cmd->device->iorequest_cnt);
39320 + atomic_inc_unchecked(&cmd->device->iorequest_cnt);
39321
39322 /* check if the device is still usable */
39323 if (unlikely(cmd->device->sdev_state == SDEV_DEL)) {
39324 diff -urNp linux-2.6.32.49/drivers/scsi/scsi_debug.c linux-2.6.32.49/drivers/scsi/scsi_debug.c
39325 --- linux-2.6.32.49/drivers/scsi/scsi_debug.c 2011-11-08 19:02:43.000000000 -0500
39326 +++ linux-2.6.32.49/drivers/scsi/scsi_debug.c 2011-11-15 19:59:43.000000000 -0500
39327 @@ -1395,6 +1395,8 @@ static int resp_mode_select(struct scsi_
39328 unsigned char arr[SDEBUG_MAX_MSELECT_SZ];
39329 unsigned char *cmd = (unsigned char *)scp->cmnd;
39330
39331 + pax_track_stack();
39332 +
39333 if ((errsts = check_readiness(scp, 1, devip)))
39334 return errsts;
39335 memset(arr, 0, sizeof(arr));
39336 @@ -1492,6 +1494,8 @@ static int resp_log_sense(struct scsi_cm
39337 unsigned char arr[SDEBUG_MAX_LSENSE_SZ];
39338 unsigned char *cmd = (unsigned char *)scp->cmnd;
39339
39340 + pax_track_stack();
39341 +
39342 if ((errsts = check_readiness(scp, 1, devip)))
39343 return errsts;
39344 memset(arr, 0, sizeof(arr));
39345 diff -urNp linux-2.6.32.49/drivers/scsi/scsi_lib.c linux-2.6.32.49/drivers/scsi/scsi_lib.c
39346 --- linux-2.6.32.49/drivers/scsi/scsi_lib.c 2011-11-26 19:44:53.000000000 -0500
39347 +++ linux-2.6.32.49/drivers/scsi/scsi_lib.c 2011-11-26 19:45:06.000000000 -0500
39348 @@ -1384,7 +1384,7 @@ static void scsi_kill_request(struct req
39349
39350 scsi_init_cmd_errh(cmd);
39351 cmd->result = DID_NO_CONNECT << 16;
39352 - atomic_inc(&cmd->device->iorequest_cnt);
39353 + atomic_inc_unchecked(&cmd->device->iorequest_cnt);
39354
39355 /*
39356 * SCSI request completion path will do scsi_device_unbusy(),
39357 @@ -1415,9 +1415,9 @@ static void scsi_softirq_done(struct req
39358 */
39359 cmd->serial_number = 0;
39360
39361 - atomic_inc(&cmd->device->iodone_cnt);
39362 + atomic_inc_unchecked(&cmd->device->iodone_cnt);
39363 if (cmd->result)
39364 - atomic_inc(&cmd->device->ioerr_cnt);
39365 + atomic_inc_unchecked(&cmd->device->ioerr_cnt);
39366
39367 disposition = scsi_decide_disposition(cmd);
39368 if (disposition != SUCCESS &&
39369 diff -urNp linux-2.6.32.49/drivers/scsi/scsi_sysfs.c linux-2.6.32.49/drivers/scsi/scsi_sysfs.c
39370 --- linux-2.6.32.49/drivers/scsi/scsi_sysfs.c 2011-11-08 19:02:43.000000000 -0500
39371 +++ linux-2.6.32.49/drivers/scsi/scsi_sysfs.c 2011-11-15 19:59:43.000000000 -0500
39372 @@ -662,7 +662,7 @@ show_iostat_##field(struct device *dev,
39373 char *buf) \
39374 { \
39375 struct scsi_device *sdev = to_scsi_device(dev); \
39376 - unsigned long long count = atomic_read(&sdev->field); \
39377 + unsigned long long count = atomic_read_unchecked(&sdev->field); \
39378 return snprintf(buf, 20, "0x%llx\n", count); \
39379 } \
39380 static DEVICE_ATTR(field, S_IRUGO, show_iostat_##field, NULL)
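Review bot: In the `show_iostat_##field` body the result of `atomic_read_unchecked()` is widened straight to `unsigned long long`, so once a counter passes INT_MAX the value sign-extends and sysfs reports `0xffffffff8…` rather than the 32-bit count (assuming the unchecked read returns `int`, as `atomic_read()` does). Switching these counters to the unchecked type makes wrap-around the expected behaviour, so the widening is worth making explicit: `unsigned long long count = (unsigned int)atomic_read_unchecked(&sdev->field); \`. The macro begins above this hunk.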
39381 diff -urNp linux-2.6.32.49/drivers/scsi/scsi_tgt_lib.c linux-2.6.32.49/drivers/scsi/scsi_tgt_lib.c
39382 --- linux-2.6.32.49/drivers/scsi/scsi_tgt_lib.c 2011-11-08 19:02:43.000000000 -0500
39383 +++ linux-2.6.32.49/drivers/scsi/scsi_tgt_lib.c 2011-11-15 19:59:43.000000000 -0500
39384 @@ -362,7 +362,7 @@ static int scsi_map_user_pages(struct sc
39385 int err;
39386
39387 dprintk("%lx %u\n", uaddr, len);
39388 - err = blk_rq_map_user(q, rq, NULL, (void *)uaddr, len, GFP_KERNEL);
39389 + err = blk_rq_map_user(q, rq, NULL, (void __user *)uaddr, len, GFP_KERNEL);
39390 if (err) {
39391 /*
39392 * TODO: need to fixup sg_tablesize, max_segment_size,
39393 diff -urNp linux-2.6.32.49/drivers/scsi/scsi_transport_fc.c linux-2.6.32.49/drivers/scsi/scsi_transport_fc.c
39394 --- linux-2.6.32.49/drivers/scsi/scsi_transport_fc.c 2011-11-08 19:02:43.000000000 -0500
39395 +++ linux-2.6.32.49/drivers/scsi/scsi_transport_fc.c 2011-11-15 19:59:43.000000000 -0500
39396 @@ -480,7 +480,7 @@ MODULE_PARM_DESC(dev_loss_tmo,
39397 * Netlink Infrastructure
39398 */
39399
39400 -static atomic_t fc_event_seq;
39401 +static atomic_unchecked_t fc_event_seq;
39402
39403 /**
39404 * fc_get_event_number - Obtain the next sequential FC event number
39405 @@ -493,7 +493,7 @@ static atomic_t fc_event_seq;
39406 u32
39407 fc_get_event_number(void)
39408 {
39409 - return atomic_add_return(1, &fc_event_seq);
39410 + return atomic_add_return_unchecked(1, &fc_event_seq);
39411 }
39412 EXPORT_SYMBOL(fc_get_event_number);
39413
39414 @@ -641,7 +641,7 @@ static __init int fc_transport_init(void
39415 {
39416 int error;
39417
39418 - atomic_set(&fc_event_seq, 0);
39419 + atomic_set_unchecked(&fc_event_seq, 0);
39420
39421 error = transport_class_register(&fc_host_class);
39422 if (error)
39423 diff -urNp linux-2.6.32.49/drivers/scsi/scsi_transport_iscsi.c linux-2.6.32.49/drivers/scsi/scsi_transport_iscsi.c
39424 --- linux-2.6.32.49/drivers/scsi/scsi_transport_iscsi.c 2011-11-08 19:02:43.000000000 -0500
39425 +++ linux-2.6.32.49/drivers/scsi/scsi_transport_iscsi.c 2011-11-15 19:59:43.000000000 -0500
39426 @@ -81,7 +81,7 @@ struct iscsi_internal {
39427 struct device_attribute *session_attrs[ISCSI_SESSION_ATTRS + 1];
39428 };
39429
39430 -static atomic_t iscsi_session_nr; /* sysfs session id for next new session */
39431 +static atomic_unchecked_t iscsi_session_nr; /* sysfs session id for next new session */
39432 static struct workqueue_struct *iscsi_eh_timer_workq;
39433
39434 /*
39435 @@ -728,7 +728,7 @@ int iscsi_add_session(struct iscsi_cls_s
39436 int err;
39437
39438 ihost = shost->shost_data;
39439 - session->sid = atomic_add_return(1, &iscsi_session_nr);
39440 + session->sid = atomic_add_return_unchecked(1, &iscsi_session_nr);
39441
39442 if (id == ISCSI_MAX_TARGET) {
39443 for (id = 0; id < ISCSI_MAX_TARGET; id++) {
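Review bot: `session->sid` now comes from a counter that is allowed to wrap silently, and nothing in this hunk says what happens when a wrapped value equals the sid of a session that is still alive. The same applies to the port id in `srp_rport_add()` and to `device_num` behind the `vmbus_0_%d` name in `vmbus_child_device_register()`, both of which feed the value into a device name. I would add a comment at each site stating why reuse is acceptable, for example `/* may wrap; ids only need to be unique among live sessions */` if that is indeed the guarantee, and keep the checked `atomic_t` where it is not. `iscsi_add_session()` continues outside the hunk.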
39444 @@ -2060,7 +2060,7 @@ static __init int iscsi_transport_init(v
39445 printk(KERN_INFO "Loading iSCSI transport class v%s.\n",
39446 ISCSI_TRANSPORT_VERSION);
39447
39448 - atomic_set(&iscsi_session_nr, 0);
39449 + atomic_set_unchecked(&iscsi_session_nr, 0);
39450
39451 err = class_register(&iscsi_transport_class);
39452 if (err)
39453 diff -urNp linux-2.6.32.49/drivers/scsi/scsi_transport_srp.c linux-2.6.32.49/drivers/scsi/scsi_transport_srp.c
39454 --- linux-2.6.32.49/drivers/scsi/scsi_transport_srp.c 2011-11-08 19:02:43.000000000 -0500
39455 +++ linux-2.6.32.49/drivers/scsi/scsi_transport_srp.c 2011-11-15 19:59:43.000000000 -0500
39456 @@ -33,7 +33,7 @@
39457 #include "scsi_transport_srp_internal.h"
39458
39459 struct srp_host_attrs {
39460 - atomic_t next_port_id;
39461 + atomic_unchecked_t next_port_id;
39462 };
39463 #define to_srp_host_attrs(host) ((struct srp_host_attrs *)(host)->shost_data)
39464
39465 @@ -62,7 +62,7 @@ static int srp_host_setup(struct transpo
39466 struct Scsi_Host *shost = dev_to_shost(dev);
39467 struct srp_host_attrs *srp_host = to_srp_host_attrs(shost);
39468
39469 - atomic_set(&srp_host->next_port_id, 0);
39470 + atomic_set_unchecked(&srp_host->next_port_id, 0);
39471 return 0;
39472 }
39473
39474 @@ -211,7 +211,7 @@ struct srp_rport *srp_rport_add(struct S
39475 memcpy(rport->port_id, ids->port_id, sizeof(rport->port_id));
39476 rport->roles = ids->roles;
39477
39478 - id = atomic_inc_return(&to_srp_host_attrs(shost)->next_port_id);
39479 + id = atomic_inc_return_unchecked(&to_srp_host_attrs(shost)->next_port_id);
39480 dev_set_name(&rport->dev, "port-%d:%d", shost->host_no, id);
39481
39482 transport_setup_device(&rport->dev);
39483 diff -urNp linux-2.6.32.49/drivers/scsi/sg.c linux-2.6.32.49/drivers/scsi/sg.c
39484 --- linux-2.6.32.49/drivers/scsi/sg.c 2011-11-08 19:02:43.000000000 -0500
39485 +++ linux-2.6.32.49/drivers/scsi/sg.c 2011-11-15 19:59:43.000000000 -0500
39486 @@ -1064,7 +1064,7 @@ sg_ioctl(struct inode *inode, struct fil
39487 sdp->disk->disk_name,
39488 MKDEV(SCSI_GENERIC_MAJOR, sdp->index),
39489 NULL,
39490 - (char *)arg);
39491 + (char __user *)arg);
39492 case BLKTRACESTART:
39493 return blk_trace_startstop(sdp->device->request_queue, 1);
39494 case BLKTRACESTOP:
39495 @@ -2292,7 +2292,7 @@ struct sg_proc_leaf {
39496 const struct file_operations * fops;
39497 };
39498
39499 -static struct sg_proc_leaf sg_proc_leaf_arr[] = {
39500 +static const struct sg_proc_leaf sg_proc_leaf_arr[] = {
39501 {"allow_dio", &adio_fops},
39502 {"debug", &debug_fops},
39503 {"def_reserved_size", &dressz_fops},
39504 @@ -2307,7 +2307,7 @@ sg_proc_init(void)
39505 {
39506 int k, mask;
39507 int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
39508 - struct sg_proc_leaf * leaf;
39509 + const struct sg_proc_leaf * leaf;
39510
39511 sg_proc_sgp = proc_mkdir(sg_proc_sg_dirname, NULL);
39512 if (!sg_proc_sgp)
39513 diff -urNp linux-2.6.32.49/drivers/scsi/sym53c8xx_2/sym_glue.c linux-2.6.32.49/drivers/scsi/sym53c8xx_2/sym_glue.c
39514 --- linux-2.6.32.49/drivers/scsi/sym53c8xx_2/sym_glue.c 2011-11-08 19:02:43.000000000 -0500
39515 +++ linux-2.6.32.49/drivers/scsi/sym53c8xx_2/sym_glue.c 2011-11-15 19:59:43.000000000 -0500
39516 @@ -1754,6 +1754,8 @@ static int __devinit sym2_probe(struct p
39517 int do_iounmap = 0;
39518 int do_disable_device = 1;
39519
39520 + pax_track_stack();
39521 +
39522 memset(&sym_dev, 0, sizeof(sym_dev));
39523 memset(&nvram, 0, sizeof(nvram));
39524 sym_dev.pdev = pdev;
39525 diff -urNp linux-2.6.32.49/drivers/serial/kgdboc.c linux-2.6.32.49/drivers/serial/kgdboc.c
39526 --- linux-2.6.32.49/drivers/serial/kgdboc.c 2011-11-08 19:02:43.000000000 -0500
39527 +++ linux-2.6.32.49/drivers/serial/kgdboc.c 2011-11-15 19:59:43.000000000 -0500
39528 @@ -18,7 +18,7 @@
39529
39530 #define MAX_CONFIG_LEN 40
39531
39532 -static struct kgdb_io kgdboc_io_ops;
39533 +static const struct kgdb_io kgdboc_io_ops;
39534
39535 /* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
39536 static int configured = -1;
39537 @@ -154,7 +154,7 @@ static void kgdboc_post_exp_handler(void
39538 module_put(THIS_MODULE);
39539 }
39540
39541 -static struct kgdb_io kgdboc_io_ops = {
39542 +static const struct kgdb_io kgdboc_io_ops = {
39543 .name = "kgdboc",
39544 .read_char = kgdboc_get_char,
39545 .write_char = kgdboc_put_char,
39546 diff -urNp linux-2.6.32.49/drivers/spi/spi.c linux-2.6.32.49/drivers/spi/spi.c
39547 --- linux-2.6.32.49/drivers/spi/spi.c 2011-11-08 19:02:43.000000000 -0500
39548 +++ linux-2.6.32.49/drivers/spi/spi.c 2011-11-15 19:59:43.000000000 -0500
39549 @@ -774,7 +774,7 @@ int spi_sync(struct spi_device *spi, str
39550 EXPORT_SYMBOL_GPL(spi_sync);
39551
39552 /* portable code must never pass more than 32 bytes */
39553 -#define SPI_BUFSIZ max(32,SMP_CACHE_BYTES)
39554 +#define SPI_BUFSIZ max(32U,SMP_CACHE_BYTES)
39555
39556 static u8 *buf;
39557
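Review bot: `max(32U,SMP_CACHE_BYTES)` only satisfies the type check inside `max()` when `SMP_CACHE_BYTES` is an `unsigned int` on every architecture this file builds for, and its definition is not part of this hunk. Stating the comparison type removes the dependency on the literal's suffix: `#define SPI_BUFSIZ max_t(unsigned int, 32, SMP_CACHE_BYTES)`.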
39558 diff -urNp linux-2.6.32.49/drivers/staging/android/binder.c linux-2.6.32.49/drivers/staging/android/binder.c
39559 --- linux-2.6.32.49/drivers/staging/android/binder.c 2011-11-08 19:02:43.000000000 -0500
39560 +++ linux-2.6.32.49/drivers/staging/android/binder.c 2011-11-15 19:59:43.000000000 -0500
39561 @@ -2756,7 +2756,7 @@ static void binder_vma_close(struct vm_a
39562 binder_defer_work(proc, BINDER_DEFERRED_PUT_FILES);
39563 }
39564
39565 -static struct vm_operations_struct binder_vm_ops = {
39566 +static const struct vm_operations_struct binder_vm_ops = {
39567 .open = binder_vma_open,
39568 .close = binder_vma_close,
39569 };
39570 diff -urNp linux-2.6.32.49/drivers/staging/b3dfg/b3dfg.c linux-2.6.32.49/drivers/staging/b3dfg/b3dfg.c
39571 --- linux-2.6.32.49/drivers/staging/b3dfg/b3dfg.c 2011-11-08 19:02:43.000000000 -0500
39572 +++ linux-2.6.32.49/drivers/staging/b3dfg/b3dfg.c 2011-11-15 19:59:43.000000000 -0500
39573 @@ -455,7 +455,7 @@ static int b3dfg_vma_fault(struct vm_are
39574 return VM_FAULT_NOPAGE;
39575 }
39576
39577 -static struct vm_operations_struct b3dfg_vm_ops = {
39578 +static const struct vm_operations_struct b3dfg_vm_ops = {
39579 .fault = b3dfg_vma_fault,
39580 };
39581
39582 @@ -848,7 +848,7 @@ static int b3dfg_mmap(struct file *filp,
39583 return r;
39584 }
39585
39586 -static struct file_operations b3dfg_fops = {
39587 +static const struct file_operations b3dfg_fops = {
39588 .owner = THIS_MODULE,
39589 .open = b3dfg_open,
39590 .release = b3dfg_release,
39591 diff -urNp linux-2.6.32.49/drivers/staging/comedi/comedi_fops.c linux-2.6.32.49/drivers/staging/comedi/comedi_fops.c
39592 --- linux-2.6.32.49/drivers/staging/comedi/comedi_fops.c 2011-11-08 19:02:43.000000000 -0500
39593 +++ linux-2.6.32.49/drivers/staging/comedi/comedi_fops.c 2011-11-15 19:59:43.000000000 -0500
39594 @@ -1389,7 +1389,7 @@ void comedi_unmap(struct vm_area_struct
39595 mutex_unlock(&dev->mutex);
39596 }
39597
39598 -static struct vm_operations_struct comedi_vm_ops = {
39599 +static const struct vm_operations_struct comedi_vm_ops = {
39600 .close = comedi_unmap,
39601 };
39602
39603 diff -urNp linux-2.6.32.49/drivers/staging/dream/qdsp5/adsp_driver.c linux-2.6.32.49/drivers/staging/dream/qdsp5/adsp_driver.c
39604 --- linux-2.6.32.49/drivers/staging/dream/qdsp5/adsp_driver.c 2011-11-08 19:02:43.000000000 -0500
39605 +++ linux-2.6.32.49/drivers/staging/dream/qdsp5/adsp_driver.c 2011-11-15 19:59:43.000000000 -0500
39606 @@ -576,7 +576,7 @@ static struct adsp_device *inode_to_devi
39607 static dev_t adsp_devno;
39608 static struct class *adsp_class;
39609
39610 -static struct file_operations adsp_fops = {
39611 +static const struct file_operations adsp_fops = {
39612 .owner = THIS_MODULE,
39613 .open = adsp_open,
39614 .unlocked_ioctl = adsp_ioctl,
39615 diff -urNp linux-2.6.32.49/drivers/staging/dream/qdsp5/audio_aac.c linux-2.6.32.49/drivers/staging/dream/qdsp5/audio_aac.c
39616 --- linux-2.6.32.49/drivers/staging/dream/qdsp5/audio_aac.c 2011-11-08 19:02:43.000000000 -0500
39617 +++ linux-2.6.32.49/drivers/staging/dream/qdsp5/audio_aac.c 2011-11-15 19:59:43.000000000 -0500
39618 @@ -1022,7 +1022,7 @@ done:
39619 return rc;
39620 }
39621
39622 -static struct file_operations audio_aac_fops = {
39623 +static const struct file_operations audio_aac_fops = {
39624 .owner = THIS_MODULE,
39625 .open = audio_open,
39626 .release = audio_release,
39627 diff -urNp linux-2.6.32.49/drivers/staging/dream/qdsp5/audio_amrnb.c linux-2.6.32.49/drivers/staging/dream/qdsp5/audio_amrnb.c
39628 --- linux-2.6.32.49/drivers/staging/dream/qdsp5/audio_amrnb.c 2011-11-08 19:02:43.000000000 -0500
39629 +++ linux-2.6.32.49/drivers/staging/dream/qdsp5/audio_amrnb.c 2011-11-15 19:59:43.000000000 -0500
39630 @@ -833,7 +833,7 @@ done:
39631 return rc;
39632 }
39633
39634 -static struct file_operations audio_amrnb_fops = {
39635 +static const struct file_operations audio_amrnb_fops = {
39636 .owner = THIS_MODULE,
39637 .open = audamrnb_open,
39638 .release = audamrnb_release,
39639 diff -urNp linux-2.6.32.49/drivers/staging/dream/qdsp5/audio_evrc.c linux-2.6.32.49/drivers/staging/dream/qdsp5/audio_evrc.c
39640 --- linux-2.6.32.49/drivers/staging/dream/qdsp5/audio_evrc.c 2011-11-08 19:02:43.000000000 -0500
39641 +++ linux-2.6.32.49/drivers/staging/dream/qdsp5/audio_evrc.c 2011-11-15 19:59:43.000000000 -0500
39642 @@ -805,7 +805,7 @@ dma_fail:
39643 return rc;
39644 }
39645
39646 -static struct file_operations audio_evrc_fops = {
39647 +static const struct file_operations audio_evrc_fops = {
39648 .owner = THIS_MODULE,
39649 .open = audevrc_open,
39650 .release = audevrc_release,
39651 diff -urNp linux-2.6.32.49/drivers/staging/dream/qdsp5/audio_in.c linux-2.6.32.49/drivers/staging/dream/qdsp5/audio_in.c
39652 --- linux-2.6.32.49/drivers/staging/dream/qdsp5/audio_in.c 2011-11-08 19:02:43.000000000 -0500
39653 +++ linux-2.6.32.49/drivers/staging/dream/qdsp5/audio_in.c 2011-11-15 19:59:43.000000000 -0500
39654 @@ -913,7 +913,7 @@ static int audpre_open(struct inode *ino
39655 return 0;
39656 }
39657
39658 -static struct file_operations audio_fops = {
39659 +static const struct file_operations audio_fops = {
39660 .owner = THIS_MODULE,
39661 .open = audio_in_open,
39662 .release = audio_in_release,
39663 @@ -922,7 +922,7 @@ static struct file_operations audio_fops
39664 .unlocked_ioctl = audio_in_ioctl,
39665 };
39666
39667 -static struct file_operations audpre_fops = {
39668 +static const struct file_operations audpre_fops = {
39669 .owner = THIS_MODULE,
39670 .open = audpre_open,
39671 .unlocked_ioctl = audpre_ioctl,
39672 diff -urNp linux-2.6.32.49/drivers/staging/dream/qdsp5/audio_mp3.c linux-2.6.32.49/drivers/staging/dream/qdsp5/audio_mp3.c
39673 --- linux-2.6.32.49/drivers/staging/dream/qdsp5/audio_mp3.c 2011-11-08 19:02:43.000000000 -0500
39674 +++ linux-2.6.32.49/drivers/staging/dream/qdsp5/audio_mp3.c 2011-11-15 19:59:43.000000000 -0500
39675 @@ -941,7 +941,7 @@ done:
39676 return rc;
39677 }
39678
39679 -static struct file_operations audio_mp3_fops = {
39680 +static const struct file_operations audio_mp3_fops = {
39681 .owner = THIS_MODULE,
39682 .open = audio_open,
39683 .release = audio_release,
39684 diff -urNp linux-2.6.32.49/drivers/staging/dream/qdsp5/audio_out.c linux-2.6.32.49/drivers/staging/dream/qdsp5/audio_out.c
39685 --- linux-2.6.32.49/drivers/staging/dream/qdsp5/audio_out.c 2011-11-08 19:02:43.000000000 -0500
39686 +++ linux-2.6.32.49/drivers/staging/dream/qdsp5/audio_out.c 2011-11-15 19:59:43.000000000 -0500
39687 @@ -810,7 +810,7 @@ static int audpp_open(struct inode *inod
39688 return 0;
39689 }
39690
39691 -static struct file_operations audio_fops = {
39692 +static const struct file_operations audio_fops = {
39693 .owner = THIS_MODULE,
39694 .open = audio_open,
39695 .release = audio_release,
39696 @@ -819,7 +819,7 @@ static struct file_operations audio_fops
39697 .unlocked_ioctl = audio_ioctl,
39698 };
39699
39700 -static struct file_operations audpp_fops = {
39701 +static const struct file_operations audpp_fops = {
39702 .owner = THIS_MODULE,
39703 .open = audpp_open,
39704 .unlocked_ioctl = audpp_ioctl,
39705 diff -urNp linux-2.6.32.49/drivers/staging/dream/qdsp5/audio_qcelp.c linux-2.6.32.49/drivers/staging/dream/qdsp5/audio_qcelp.c
39706 --- linux-2.6.32.49/drivers/staging/dream/qdsp5/audio_qcelp.c 2011-11-08 19:02:43.000000000 -0500
39707 +++ linux-2.6.32.49/drivers/staging/dream/qdsp5/audio_qcelp.c 2011-11-15 19:59:43.000000000 -0500
39708 @@ -816,7 +816,7 @@ err:
39709 return rc;
39710 }
39711
39712 -static struct file_operations audio_qcelp_fops = {
39713 +static const struct file_operations audio_qcelp_fops = {
39714 .owner = THIS_MODULE,
39715 .open = audqcelp_open,
39716 .release = audqcelp_release,
39717 diff -urNp linux-2.6.32.49/drivers/staging/dream/qdsp5/snd.c linux-2.6.32.49/drivers/staging/dream/qdsp5/snd.c
39718 --- linux-2.6.32.49/drivers/staging/dream/qdsp5/snd.c 2011-11-08 19:02:43.000000000 -0500
39719 +++ linux-2.6.32.49/drivers/staging/dream/qdsp5/snd.c 2011-11-15 19:59:43.000000000 -0500
39720 @@ -242,7 +242,7 @@ err:
39721 return rc;
39722 }
39723
39724 -static struct file_operations snd_fops = {
39725 +static const struct file_operations snd_fops = {
39726 .owner = THIS_MODULE,
39727 .open = snd_open,
39728 .release = snd_release,
39729 diff -urNp linux-2.6.32.49/drivers/staging/dream/smd/smd_qmi.c linux-2.6.32.49/drivers/staging/dream/smd/smd_qmi.c
39730 --- linux-2.6.32.49/drivers/staging/dream/smd/smd_qmi.c 2011-11-08 19:02:43.000000000 -0500
39731 +++ linux-2.6.32.49/drivers/staging/dream/smd/smd_qmi.c 2011-11-15 19:59:43.000000000 -0500
39732 @@ -793,7 +793,7 @@ static int qmi_release(struct inode *ip,
39733 return 0;
39734 }
39735
39736 -static struct file_operations qmi_fops = {
39737 +static const struct file_operations qmi_fops = {
39738 .owner = THIS_MODULE,
39739 .read = qmi_read,
39740 .write = qmi_write,
39741 diff -urNp linux-2.6.32.49/drivers/staging/dream/smd/smd_rpcrouter_device.c linux-2.6.32.49/drivers/staging/dream/smd/smd_rpcrouter_device.c
39742 --- linux-2.6.32.49/drivers/staging/dream/smd/smd_rpcrouter_device.c 2011-11-08 19:02:43.000000000 -0500
39743 +++ linux-2.6.32.49/drivers/staging/dream/smd/smd_rpcrouter_device.c 2011-11-15 19:59:43.000000000 -0500
39744 @@ -214,7 +214,7 @@ static long rpcrouter_ioctl(struct file
39745 return rc;
39746 }
39747
39748 -static struct file_operations rpcrouter_server_fops = {
39749 +static const struct file_operations rpcrouter_server_fops = {
39750 .owner = THIS_MODULE,
39751 .open = rpcrouter_open,
39752 .release = rpcrouter_release,
39753 @@ -224,7 +224,7 @@ static struct file_operations rpcrouter_
39754 .unlocked_ioctl = rpcrouter_ioctl,
39755 };
39756
39757 -static struct file_operations rpcrouter_router_fops = {
39758 +static const struct file_operations rpcrouter_router_fops = {
39759 .owner = THIS_MODULE,
39760 .open = rpcrouter_open,
39761 .release = rpcrouter_release,
39762 diff -urNp linux-2.6.32.49/drivers/staging/dst/dcore.c linux-2.6.32.49/drivers/staging/dst/dcore.c
39763 --- linux-2.6.32.49/drivers/staging/dst/dcore.c 2011-11-08 19:02:43.000000000 -0500
39764 +++ linux-2.6.32.49/drivers/staging/dst/dcore.c 2011-11-15 19:59:43.000000000 -0500
39765 @@ -149,7 +149,7 @@ static int dst_bdev_release(struct gendi
39766 return 0;
39767 }
39768
39769 -static struct block_device_operations dst_blk_ops = {
39770 +static const struct block_device_operations dst_blk_ops = {
39771 .open = dst_bdev_open,
39772 .release = dst_bdev_release,
39773 .owner = THIS_MODULE,
39774 @@ -588,7 +588,7 @@ static struct dst_node *dst_alloc_node(s
39775 n->size = ctl->size;
39776
39777 atomic_set(&n->refcnt, 1);
39778 - atomic_long_set(&n->gen, 0);
39779 + atomic_long_set_unchecked(&n->gen, 0);
39780 snprintf(n->name, sizeof(n->name), "%s", ctl->name);
39781
39782 err = dst_node_sysfs_init(n);
39783 diff -urNp linux-2.6.32.49/drivers/staging/dst/trans.c linux-2.6.32.49/drivers/staging/dst/trans.c
39784 --- linux-2.6.32.49/drivers/staging/dst/trans.c 2011-11-08 19:02:43.000000000 -0500
39785 +++ linux-2.6.32.49/drivers/staging/dst/trans.c 2011-11-15 19:59:43.000000000 -0500
39786 @@ -169,7 +169,7 @@ int dst_process_bio(struct dst_node *n,
39787 t->error = 0;
39788 t->retries = 0;
39789 atomic_set(&t->refcnt, 1);
39790 - t->gen = atomic_long_inc_return(&n->gen);
39791 + t->gen = atomic_long_inc_return_unchecked(&n->gen);
39792
39793 t->enc = bio_data_dir(bio);
39794 dst_bio_to_cmd(bio, &t->cmd, DST_IO, t->gen);
39795 diff -urNp linux-2.6.32.49/drivers/staging/et131x/et1310_tx.c linux-2.6.32.49/drivers/staging/et131x/et1310_tx.c
39796 --- linux-2.6.32.49/drivers/staging/et131x/et1310_tx.c 2011-11-08 19:02:43.000000000 -0500
39797 +++ linux-2.6.32.49/drivers/staging/et131x/et1310_tx.c 2011-11-15 19:59:43.000000000 -0500
39798 @@ -710,11 +710,11 @@ inline void et131x_free_send_packet(stru
39799 struct net_device_stats *stats = &etdev->net_stats;
39800
39801 if (pMpTcb->Flags & fMP_DEST_BROAD)
39802 - atomic_inc(&etdev->Stats.brdcstxmt);
39803 + atomic_inc_unchecked(&etdev->Stats.brdcstxmt);
39804 else if (pMpTcb->Flags & fMP_DEST_MULTI)
39805 - atomic_inc(&etdev->Stats.multixmt);
39806 + atomic_inc_unchecked(&etdev->Stats.multixmt);
39807 else
39808 - atomic_inc(&etdev->Stats.unixmt);
39809 + atomic_inc_unchecked(&etdev->Stats.unixmt);
39810
39811 if (pMpTcb->Packet) {
39812 stats->tx_bytes += pMpTcb->Packet->len;
39813 diff -urNp linux-2.6.32.49/drivers/staging/et131x/et131x_adapter.h linux-2.6.32.49/drivers/staging/et131x/et131x_adapter.h
39814 --- linux-2.6.32.49/drivers/staging/et131x/et131x_adapter.h 2011-11-08 19:02:43.000000000 -0500
39815 +++ linux-2.6.32.49/drivers/staging/et131x/et131x_adapter.h 2011-11-15 19:59:43.000000000 -0500
39816 @@ -145,11 +145,11 @@ typedef struct _ce_stats_t {
39817 * operations
39818 */
39819 u32 unircv; /* # multicast packets received */
39820 - atomic_t unixmt; /* # multicast packets for Tx */
39821 + atomic_unchecked_t unixmt; /* # multicast packets for Tx */
39822 u32 multircv; /* # multicast packets received */
39823 - atomic_t multixmt; /* # multicast packets for Tx */
39824 + atomic_unchecked_t multixmt; /* # multicast packets for Tx */
39825 u32 brdcstrcv; /* # broadcast packets received */
39826 - atomic_t brdcstxmt; /* # broadcast packets for Tx */
39827 + atomic_unchecked_t brdcstxmt; /* # broadcast packets for Tx */
39828 u32 norcvbuf; /* # Rx packets discarded */
39829 u32 noxmtbuf; /* # Tx packets discarded */
39830
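Review bot: The comment carried onto the new `unixmt` line still says "multicast", but the et1310_tx.c hunk increments `unixmt` only in the branch taken when neither the broadcast nor the multicast flag is set. Since the line is being rewritten anyway, it could read `atomic_unchecked_t unixmt; /* # unicast packets for Tx */`; the `unircv` comment on the context line above has the same wording. The struct starts and ends outside this hunk.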
39831 diff -urNp linux-2.6.32.49/drivers/staging/go7007/go7007-v4l2.c linux-2.6.32.49/drivers/staging/go7007/go7007-v4l2.c
39832 --- linux-2.6.32.49/drivers/staging/go7007/go7007-v4l2.c 2011-11-08 19:02:43.000000000 -0500
39833 +++ linux-2.6.32.49/drivers/staging/go7007/go7007-v4l2.c 2011-11-15 19:59:43.000000000 -0500
39834 @@ -1700,7 +1700,7 @@ static int go7007_vm_fault(struct vm_are
39835 return 0;
39836 }
39837
39838 -static struct vm_operations_struct go7007_vm_ops = {
39839 +static const struct vm_operations_struct go7007_vm_ops = {
39840 .open = go7007_vm_open,
39841 .close = go7007_vm_close,
39842 .fault = go7007_vm_fault,
39843 diff -urNp linux-2.6.32.49/drivers/staging/hv/blkvsc_drv.c linux-2.6.32.49/drivers/staging/hv/blkvsc_drv.c
39844 --- linux-2.6.32.49/drivers/staging/hv/blkvsc_drv.c 2011-11-08 19:02:43.000000000 -0500
39845 +++ linux-2.6.32.49/drivers/staging/hv/blkvsc_drv.c 2011-11-15 19:59:43.000000000 -0500
39846 @@ -153,7 +153,7 @@ static int blkvsc_ringbuffer_size = BLKV
39847 /* The one and only one */
39848 static struct blkvsc_driver_context g_blkvsc_drv;
39849
39850 -static struct block_device_operations block_ops = {
39851 +static const struct block_device_operations block_ops = {
39852 .owner = THIS_MODULE,
39853 .open = blkvsc_open,
39854 .release = blkvsc_release,
39855 diff -urNp linux-2.6.32.49/drivers/staging/hv/Channel.c linux-2.6.32.49/drivers/staging/hv/Channel.c
39856 --- linux-2.6.32.49/drivers/staging/hv/Channel.c 2011-11-08 19:02:43.000000000 -0500
39857 +++ linux-2.6.32.49/drivers/staging/hv/Channel.c 2011-11-15 19:59:43.000000000 -0500
39858 @@ -464,8 +464,8 @@ int VmbusChannelEstablishGpadl(struct vm
39859
39860 DPRINT_ENTER(VMBUS);
39861
39862 - nextGpadlHandle = atomic_read(&gVmbusConnection.NextGpadlHandle);
39863 - atomic_inc(&gVmbusConnection.NextGpadlHandle);
39864 + nextGpadlHandle = atomic_read_unchecked(&gVmbusConnection.NextGpadlHandle);
39865 + atomic_inc_unchecked(&gVmbusConnection.NextGpadlHandle);
39866
39867 VmbusChannelCreateGpadlHeader(Kbuffer, Size, &msgInfo, &msgCount);
39868 ASSERT(msgInfo != NULL);
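Review bot: `nextGpadlHandle` is still obtained with a read followed by a separate increment, so two callers that interleave between the two operations receive the same handle; the conversion to the unchecked helpers keeps that window open. A single `nextGpadlHandle = atomic_inc_return_unchecked(&gVmbusConnection.NextGpadlHandle) - 1;` hands out the same sequence in one atomic step. Whether callers are already serialised by a lock is not visible here, and the function body continues outside the hunk.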
39869 diff -urNp linux-2.6.32.49/drivers/staging/hv/Hv.c linux-2.6.32.49/drivers/staging/hv/Hv.c
39870 --- linux-2.6.32.49/drivers/staging/hv/Hv.c 2011-11-08 19:02:43.000000000 -0500
39871 +++ linux-2.6.32.49/drivers/staging/hv/Hv.c 2011-11-15 19:59:43.000000000 -0500
39872 @@ -161,7 +161,7 @@ static u64 HvDoHypercall(u64 Control, vo
39873 u64 outputAddress = (Output) ? virt_to_phys(Output) : 0;
39874 u32 outputAddressHi = outputAddress >> 32;
39875 u32 outputAddressLo = outputAddress & 0xFFFFFFFF;
39876 - volatile void *hypercallPage = gHvContext.HypercallPage;
39877 + volatile void *hypercallPage = ktva_ktla(gHvContext.HypercallPage);
39878
39879 DPRINT_DBG(VMBUS, "Hypercall <control %llx input %p output %p>",
39880 Control, Input, Output);
39881 diff -urNp linux-2.6.32.49/drivers/staging/hv/VmbusApi.h linux-2.6.32.49/drivers/staging/hv/VmbusApi.h
39882 --- linux-2.6.32.49/drivers/staging/hv/VmbusApi.h 2011-11-08 19:02:43.000000000 -0500
39883 +++ linux-2.6.32.49/drivers/staging/hv/VmbusApi.h 2011-11-15 19:59:43.000000000 -0500
39884 @@ -109,7 +109,7 @@ struct vmbus_channel_interface {
39885 u32 *GpadlHandle);
39886 int (*TeardownGpadl)(struct hv_device *device, u32 GpadlHandle);
39887 void (*GetInfo)(struct hv_device *dev, struct hv_device_info *devinfo);
39888 -};
39889 +} __no_const;
39890
39891 /* Base driver object */
39892 struct hv_driver {
39893 diff -urNp linux-2.6.32.49/drivers/staging/hv/vmbus_drv.c linux-2.6.32.49/drivers/staging/hv/vmbus_drv.c
39894 --- linux-2.6.32.49/drivers/staging/hv/vmbus_drv.c 2011-11-08 19:02:43.000000000 -0500
39895 +++ linux-2.6.32.49/drivers/staging/hv/vmbus_drv.c 2011-11-15 19:59:43.000000000 -0500
39896 @@ -532,7 +532,7 @@ static int vmbus_child_device_register(s
39897 to_device_context(root_device_obj);
39898 struct device_context *child_device_ctx =
39899 to_device_context(child_device_obj);
39900 - static atomic_t device_num = ATOMIC_INIT(0);
39901 + static atomic_unchecked_t device_num = ATOMIC_INIT(0);
39902
39903 DPRINT_ENTER(VMBUS_DRV);
39904
39905 @@ -541,7 +541,7 @@ static int vmbus_child_device_register(s
39906
39907 /* Set the device name. Otherwise, device_register() will fail. */
39908 dev_set_name(&child_device_ctx->device, "vmbus_0_%d",
39909 - atomic_inc_return(&device_num));
39910 + atomic_inc_return_unchecked(&device_num));
39911
39912 /* The new device belongs to this bus */
39913 child_device_ctx->device.bus = &g_vmbus_drv.bus; /* device->dev.bus; */
39914 diff -urNp linux-2.6.32.49/drivers/staging/hv/VmbusPrivate.h linux-2.6.32.49/drivers/staging/hv/VmbusPrivate.h
39915 --- linux-2.6.32.49/drivers/staging/hv/VmbusPrivate.h 2011-11-08 19:02:43.000000000 -0500
39916 +++ linux-2.6.32.49/drivers/staging/hv/VmbusPrivate.h 2011-11-15 19:59:43.000000000 -0500
39917 @@ -59,7 +59,7 @@ enum VMBUS_CONNECT_STATE {
39918 struct VMBUS_CONNECTION {
39919 enum VMBUS_CONNECT_STATE ConnectState;
39920
39921 - atomic_t NextGpadlHandle;
39922 + atomic_unchecked_t NextGpadlHandle;
39923
39924 /*
39925 * Represents channel interrupts. Each bit position represents a
39926 diff -urNp linux-2.6.32.49/drivers/staging/iio/ring_generic.h linux-2.6.32.49/drivers/staging/iio/ring_generic.h
39927 --- linux-2.6.32.49/drivers/staging/iio/ring_generic.h 2011-11-08 19:02:43.000000000 -0500
39928 +++ linux-2.6.32.49/drivers/staging/iio/ring_generic.h 2011-11-15 19:59:43.000000000 -0500
39929 @@ -87,7 +87,7 @@ struct iio_ring_access_funcs {
39930
39931 int (*is_enabled)(struct iio_ring_buffer *ring);
39932 int (*enable)(struct iio_ring_buffer *ring);
39933 -};
39934 +} __no_const;
39935
39936 /**
39937 * struct iio_ring_buffer - general ring buffer structure
39938 diff -urNp linux-2.6.32.49/drivers/staging/octeon/ethernet.c linux-2.6.32.49/drivers/staging/octeon/ethernet.c
39939 --- linux-2.6.32.49/drivers/staging/octeon/ethernet.c 2011-11-08 19:02:43.000000000 -0500
39940 +++ linux-2.6.32.49/drivers/staging/octeon/ethernet.c 2011-11-15 19:59:43.000000000 -0500
39941 @@ -294,11 +294,11 @@ static struct net_device_stats *cvm_oct_
39942 * since the RX tasklet also increments it.
39943 */
39944 #ifdef CONFIG_64BIT
39945 - atomic64_add(rx_status.dropped_packets,
39946 - (atomic64_t *)&priv->stats.rx_dropped);
39947 + atomic64_add_unchecked(rx_status.dropped_packets,
39948 + (atomic64_unchecked_t *)&priv->stats.rx_dropped);
39949 #else
39950 - atomic_add(rx_status.dropped_packets,
39951 - (atomic_t *)&priv->stats.rx_dropped);
39952 + atomic_add_unchecked(rx_status.dropped_packets,
39953 + (atomic_unchecked_t *)&priv->stats.rx_dropped);
39954 #endif
39955 }
39956
39957 diff -urNp linux-2.6.32.49/drivers/staging/octeon/ethernet-rx.c linux-2.6.32.49/drivers/staging/octeon/ethernet-rx.c
39958 --- linux-2.6.32.49/drivers/staging/octeon/ethernet-rx.c 2011-11-08 19:02:43.000000000 -0500
39959 +++ linux-2.6.32.49/drivers/staging/octeon/ethernet-rx.c 2011-11-15 19:59:43.000000000 -0500
39960 @@ -406,11 +406,11 @@ void cvm_oct_tasklet_rx(unsigned long un
39961 /* Increment RX stats for virtual ports */
39962 if (work->ipprt >= CVMX_PIP_NUM_INPUT_PORTS) {
39963 #ifdef CONFIG_64BIT
39964 - atomic64_add(1, (atomic64_t *)&priv->stats.rx_packets);
39965 - atomic64_add(skb->len, (atomic64_t *)&priv->stats.rx_bytes);
39966 + atomic64_add_unchecked(1, (atomic64_unchecked_t *)&priv->stats.rx_packets);
39967 + atomic64_add_unchecked(skb->len, (atomic64_unchecked_t *)&priv->stats.rx_bytes);
39968 #else
39969 - atomic_add(1, (atomic_t *)&priv->stats.rx_packets);
39970 - atomic_add(skb->len, (atomic_t *)&priv->stats.rx_bytes);
39971 + atomic_add_unchecked(1, (atomic_unchecked_t *)&priv->stats.rx_packets);
39972 + atomic_add_unchecked(skb->len, (atomic_unchecked_t *)&priv->stats.rx_bytes);
39973 #endif
39974 }
39975 netif_receive_skb(skb);
39976 @@ -424,9 +424,9 @@ void cvm_oct_tasklet_rx(unsigned long un
39977 dev->name);
39978 */
39979 #ifdef CONFIG_64BIT
39980 - atomic64_add(1, (atomic64_t *)&priv->stats.rx_dropped);
39981 + atomic64_add_unchecked(1, (atomic64_t *)&priv->stats.rx_dropped);
39982 #else
39983 - atomic_add(1, (atomic_t *)&priv->stats.rx_dropped);
39984 + atomic_add_unchecked(1, (atomic_t *)&priv->stats.rx_dropped);
39985 #endif
39986 dev_kfree_skb_irq(skb);
39987 }
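Review bot: The casts in this hunk were left as `(atomic64_t *)` and `(atomic_t *)` while the calls became `atomic64_add_unchecked()` and `atomic_add_unchecked()`. The earlier hunk of this file and drivers/staging/octeon/ethernet.c cast to the `_unchecked_t` types instead. Where the unchecked types are distinct from the plain ones (presumably when the refcount protection is configured in), this passes an incompatible pointer type. The two lines should read `atomic64_add_unchecked(1, (atomic64_unchecked_t *)&priv->stats.rx_dropped);` and `atomic_add_unchecked(1, (atomic_unchecked_t *)&priv->stats.rx_dropped);`. cvm_oct_tasklet_rx's body starts and ends outside the hunk.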
39988 diff -urNp linux-2.6.32.49/drivers/staging/otus/80211core/pub_zfi.h linux-2.6.32.49/drivers/staging/otus/80211core/pub_zfi.h
39989 --- linux-2.6.32.49/drivers/staging/otus/80211core/pub_zfi.h 2011-11-08 19:02:43.000000000 -0500
39990 +++ linux-2.6.32.49/drivers/staging/otus/80211core/pub_zfi.h 2011-11-18 18:01:55.000000000 -0500
39991 @@ -531,7 +531,7 @@ struct zsCbFuncTbl
39992 u8_t (*zfcbClassifyTxPacket)(zdev_t* dev, zbuf_t* buf);
39993
39994 void (*zfcbHwWatchDogNotify)(zdev_t* dev);
39995 -};
39996 +} __no_const;
39997
39998 extern void zfZeroMemory(u8_t* va, u16_t length);
39999 #define ZM_INIT_CB_FUNC_TABLE(p) zfZeroMemory((u8_t *)p, sizeof(struct zsCbFuncTbl));
40000 diff -urNp linux-2.6.32.49/drivers/staging/panel/panel.c linux-2.6.32.49/drivers/staging/panel/panel.c
40001 --- linux-2.6.32.49/drivers/staging/panel/panel.c 2011-11-08 19:02:43.000000000 -0500
40002 +++ linux-2.6.32.49/drivers/staging/panel/panel.c 2011-11-15 19:59:43.000000000 -0500
40003 @@ -1305,7 +1305,7 @@ static int lcd_release(struct inode *ino
40004 return 0;
40005 }
40006
40007 -static struct file_operations lcd_fops = {
40008 +static const struct file_operations lcd_fops = {
40009 .write = lcd_write,
40010 .open = lcd_open,
40011 .release = lcd_release,
40012 @@ -1565,7 +1565,7 @@ static int keypad_release(struct inode *
40013 return 0;
40014 }
40015
40016 -static struct file_operations keypad_fops = {
40017 +static const struct file_operations keypad_fops = {
40018 .read = keypad_read, /* read */
40019 .open = keypad_open, /* open */
40020 .release = keypad_release, /* close */
40021 diff -urNp linux-2.6.32.49/drivers/staging/phison/phison.c linux-2.6.32.49/drivers/staging/phison/phison.c
40022 --- linux-2.6.32.49/drivers/staging/phison/phison.c 2011-11-08 19:02:43.000000000 -0500
40023 +++ linux-2.6.32.49/drivers/staging/phison/phison.c 2011-11-15 19:59:43.000000000 -0500
40024 @@ -43,7 +43,7 @@ static struct scsi_host_template phison_
40025 ATA_BMDMA_SHT(DRV_NAME),
40026 };
40027
40028 -static struct ata_port_operations phison_ops = {
40029 +static const struct ata_port_operations phison_ops = {
40030 .inherits = &ata_bmdma_port_ops,
40031 .prereset = phison_pre_reset,
40032 };
40033 diff -urNp linux-2.6.32.49/drivers/staging/poch/poch.c linux-2.6.32.49/drivers/staging/poch/poch.c
40034 --- linux-2.6.32.49/drivers/staging/poch/poch.c 2011-11-08 19:02:43.000000000 -0500
40035 +++ linux-2.6.32.49/drivers/staging/poch/poch.c 2011-11-15 19:59:43.000000000 -0500
40036 @@ -1057,7 +1057,7 @@ static int poch_ioctl(struct inode *inod
40037 return 0;
40038 }
40039
40040 -static struct file_operations poch_fops = {
40041 +static const struct file_operations poch_fops = {
40042 .owner = THIS_MODULE,
40043 .open = poch_open,
40044 .release = poch_release,
40045 diff -urNp linux-2.6.32.49/drivers/staging/pohmelfs/inode.c linux-2.6.32.49/drivers/staging/pohmelfs/inode.c
40046 --- linux-2.6.32.49/drivers/staging/pohmelfs/inode.c 2011-11-08 19:02:43.000000000 -0500
40047 +++ linux-2.6.32.49/drivers/staging/pohmelfs/inode.c 2011-11-15 19:59:43.000000000 -0500
40048 @@ -1850,7 +1850,7 @@ static int pohmelfs_fill_super(struct su
40049 mutex_init(&psb->mcache_lock);
40050 psb->mcache_root = RB_ROOT;
40051 psb->mcache_timeout = msecs_to_jiffies(5000);
40052 - atomic_long_set(&psb->mcache_gen, 0);
40053 + atomic_long_set_unchecked(&psb->mcache_gen, 0);
40054
40055 psb->trans_max_pages = 100;
40056
40057 @@ -1865,7 +1865,7 @@ static int pohmelfs_fill_super(struct su
40058 INIT_LIST_HEAD(&psb->crypto_ready_list);
40059 INIT_LIST_HEAD(&psb->crypto_active_list);
40060
40061 - atomic_set(&psb->trans_gen, 1);
40062 + atomic_set_unchecked(&psb->trans_gen, 1);
40063 atomic_long_set(&psb->total_inodes, 0);
40064
40065 mutex_init(&psb->state_lock);
40066 diff -urNp linux-2.6.32.49/drivers/staging/pohmelfs/mcache.c linux-2.6.32.49/drivers/staging/pohmelfs/mcache.c
40067 --- linux-2.6.32.49/drivers/staging/pohmelfs/mcache.c 2011-11-08 19:02:43.000000000 -0500
40068 +++ linux-2.6.32.49/drivers/staging/pohmelfs/mcache.c 2011-11-15 19:59:43.000000000 -0500
40069 @@ -121,7 +121,7 @@ struct pohmelfs_mcache *pohmelfs_mcache_
40070 m->data = data;
40071 m->start = start;
40072 m->size = size;
40073 - m->gen = atomic_long_inc_return(&psb->mcache_gen);
40074 + m->gen = atomic_long_inc_return_unchecked(&psb->mcache_gen);
40075
40076 mutex_lock(&psb->mcache_lock);
40077 err = pohmelfs_mcache_insert(psb, m);
40078 diff -urNp linux-2.6.32.49/drivers/staging/pohmelfs/netfs.h linux-2.6.32.49/drivers/staging/pohmelfs/netfs.h
40079 --- linux-2.6.32.49/drivers/staging/pohmelfs/netfs.h 2011-11-08 19:02:43.000000000 -0500
40080 +++ linux-2.6.32.49/drivers/staging/pohmelfs/netfs.h 2011-11-15 19:59:43.000000000 -0500
40081 @@ -570,14 +570,14 @@ struct pohmelfs_config;
40082 struct pohmelfs_sb {
40083 struct rb_root mcache_root;
40084 struct mutex mcache_lock;
40085 - atomic_long_t mcache_gen;
40086 + atomic_long_unchecked_t mcache_gen;
40087 unsigned long mcache_timeout;
40088
40089 unsigned int idx;
40090
40091 unsigned int trans_retries;
40092
40093 - atomic_t trans_gen;
40094 + atomic_unchecked_t trans_gen;
40095
40096 unsigned int crypto_attached_size;
40097 unsigned int crypto_align_size;
40098 diff -urNp linux-2.6.32.49/drivers/staging/pohmelfs/trans.c linux-2.6.32.49/drivers/staging/pohmelfs/trans.c
40099 --- linux-2.6.32.49/drivers/staging/pohmelfs/trans.c 2011-11-08 19:02:43.000000000 -0500
40100 +++ linux-2.6.32.49/drivers/staging/pohmelfs/trans.c 2011-11-15 19:59:43.000000000 -0500
40101 @@ -492,7 +492,7 @@ int netfs_trans_finish(struct netfs_tran
40102 int err;
40103 struct netfs_cmd *cmd = t->iovec.iov_base;
40104
40105 - t->gen = atomic_inc_return(&psb->trans_gen);
40106 + t->gen = atomic_inc_return_unchecked(&psb->trans_gen);
40107
40108 cmd->size = t->iovec.iov_len - sizeof(struct netfs_cmd) +
40109 t->attached_size + t->attached_pages * sizeof(struct netfs_cmd);
40110 diff -urNp linux-2.6.32.49/drivers/staging/sep/sep_driver.c linux-2.6.32.49/drivers/staging/sep/sep_driver.c
40111 --- linux-2.6.32.49/drivers/staging/sep/sep_driver.c 2011-11-08 19:02:43.000000000 -0500
40112 +++ linux-2.6.32.49/drivers/staging/sep/sep_driver.c 2011-11-15 19:59:43.000000000 -0500
40113 @@ -2603,7 +2603,7 @@ static struct pci_driver sep_pci_driver
40114 static dev_t sep_devno;
40115
40116 /* the files operations structure of the driver */
40117 -static struct file_operations sep_file_operations = {
40118 +static const struct file_operations sep_file_operations = {
40119 .owner = THIS_MODULE,
40120 .ioctl = sep_ioctl,
40121 .poll = sep_poll,
40122 diff -urNp linux-2.6.32.49/drivers/staging/usbip/usbip_common.h linux-2.6.32.49/drivers/staging/usbip/usbip_common.h
40123 --- linux-2.6.32.49/drivers/staging/usbip/usbip_common.h 2011-11-08 19:02:43.000000000 -0500
40124 +++ linux-2.6.32.49/drivers/staging/usbip/usbip_common.h 2011-11-15 19:59:43.000000000 -0500
40125 @@ -374,7 +374,7 @@ struct usbip_device {
40126 void (*shutdown)(struct usbip_device *);
40127 void (*reset)(struct usbip_device *);
40128 void (*unusable)(struct usbip_device *);
40129 - } eh_ops;
40130 + } __no_const eh_ops;
40131 };
40132
40133
40134 diff -urNp linux-2.6.32.49/drivers/staging/usbip/vhci.h linux-2.6.32.49/drivers/staging/usbip/vhci.h
40135 --- linux-2.6.32.49/drivers/staging/usbip/vhci.h 2011-11-08 19:02:43.000000000 -0500
40136 +++ linux-2.6.32.49/drivers/staging/usbip/vhci.h 2011-11-15 19:59:43.000000000 -0500
40137 @@ -92,7 +92,7 @@ struct vhci_hcd {
40138 unsigned resuming:1;
40139 unsigned long re_timeout;
40140
40141 - atomic_t seqnum;
40142 + atomic_unchecked_t seqnum;
40143
40144 /*
40145 * NOTE:
40146 diff -urNp linux-2.6.32.49/drivers/staging/usbip/vhci_hcd.c linux-2.6.32.49/drivers/staging/usbip/vhci_hcd.c
40147 --- linux-2.6.32.49/drivers/staging/usbip/vhci_hcd.c 2011-11-08 19:02:43.000000000 -0500
40148 +++ linux-2.6.32.49/drivers/staging/usbip/vhci_hcd.c 2011-11-15 19:59:43.000000000 -0500
40149 @@ -534,7 +534,7 @@ static void vhci_tx_urb(struct urb *urb)
40150 return;
40151 }
40152
40153 - priv->seqnum = atomic_inc_return(&the_controller->seqnum);
40154 + priv->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
40155 if (priv->seqnum == 0xffff)
40156 usbip_uinfo("seqnum max\n");
40157
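Review bot: `the_controller->seqnum` is now explicitly exempt from overflow detection, and the only wrap signal left is `if (priv->seqnum == 0xffff)`, which fires at 65535 rather than where the counter actually wraps. If sequence numbers are used to match replies to in-flight URBs (the lookup is outside the hunk), a wrapped counter can hand out a number that is still in use. A comment at the increment, for example `/* wraps by design; seqnum only needs to be unique among in-flight URBs */`, should state the assumption if it holds. The same pattern is in the vhci_urb_dequeue hunk that follows; vhci_tx_urb's body starts and ends outside the hunk.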
40158 @@ -793,7 +793,7 @@ static int vhci_urb_dequeue(struct usb_h
40159 return -ENOMEM;
40160 }
40161
40162 - unlink->seqnum = atomic_inc_return(&the_controller->seqnum);
40163 + unlink->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
40164 if (unlink->seqnum == 0xffff)
40165 usbip_uinfo("seqnum max\n");
40166
40167 @@ -988,7 +988,7 @@ static int vhci_start(struct usb_hcd *hc
40168 vdev->rhport = rhport;
40169 }
40170
40171 - atomic_set(&vhci->seqnum, 0);
40172 + atomic_set_unchecked(&vhci->seqnum, 0);
40173 spin_lock_init(&vhci->lock);
40174
40175
40176 diff -urNp linux-2.6.32.49/drivers/staging/usbip/vhci_rx.c linux-2.6.32.49/drivers/staging/usbip/vhci_rx.c
40177 --- linux-2.6.32.49/drivers/staging/usbip/vhci_rx.c 2011-11-08 19:02:43.000000000 -0500
40178 +++ linux-2.6.32.49/drivers/staging/usbip/vhci_rx.c 2011-11-15 19:59:43.000000000 -0500
40179 @@ -78,7 +78,7 @@ static void vhci_recv_ret_submit(struct
40180 usbip_uerr("cannot find a urb of seqnum %u\n",
40181 pdu->base.seqnum);
40182 usbip_uinfo("max seqnum %d\n",
40183 - atomic_read(&the_controller->seqnum));
40184 + atomic_read_unchecked(&the_controller->seqnum));
40185 usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
40186 return;
40187 }
40188 diff -urNp linux-2.6.32.49/drivers/staging/vme/devices/vme_user.c linux-2.6.32.49/drivers/staging/vme/devices/vme_user.c
40189 --- linux-2.6.32.49/drivers/staging/vme/devices/vme_user.c 2011-11-08 19:02:43.000000000 -0500
40190 +++ linux-2.6.32.49/drivers/staging/vme/devices/vme_user.c 2011-11-15 19:59:43.000000000 -0500
40191 @@ -136,7 +136,7 @@ static int vme_user_ioctl(struct inode *
40192 static int __init vme_user_probe(struct device *, int, int);
40193 static int __exit vme_user_remove(struct device *, int, int);
40194
40195 -static struct file_operations vme_user_fops = {
40196 +static const struct file_operations vme_user_fops = {
40197 .open = vme_user_open,
40198 .release = vme_user_release,
40199 .read = vme_user_read,
40200 diff -urNp linux-2.6.32.49/drivers/staging/vt6655/hostap.c linux-2.6.32.49/drivers/staging/vt6655/hostap.c
40201 --- linux-2.6.32.49/drivers/staging/vt6655/hostap.c 2011-11-08 19:02:43.000000000 -0500
40202 +++ linux-2.6.32.49/drivers/staging/vt6655/hostap.c 2011-11-15 19:59:43.000000000 -0500
40203 @@ -84,7 +84,7 @@ static int hostap_enable_hostapd(PSDevic
40204 PSDevice apdev_priv;
40205 struct net_device *dev = pDevice->dev;
40206 int ret;
40207 - const struct net_device_ops apdev_netdev_ops = {
40208 + net_device_ops_no_const apdev_netdev_ops = {
40209 .ndo_start_xmit = pDevice->tx_80211,
40210 };
40211
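Review bot: `apdev_netdev_ops` is an automatic variable in hostap_enable_hostapd, and with `const` dropped it becomes a writable function-pointer table on the stack. How the table is consumed is outside the hunk. If its address is stored in the net_device rather than its contents copied, the pointer would outlive this stack frame, so that use should be checked. A comment above the declaration saying why this table has to be writable would explain the exception to the const-ops rule applied elsewhere in the patch. The identical declaration is changed in drivers/staging/vt6656/hostap.c.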
40212 diff -urNp linux-2.6.32.49/drivers/staging/vt6656/hostap.c linux-2.6.32.49/drivers/staging/vt6656/hostap.c
40213 --- linux-2.6.32.49/drivers/staging/vt6656/hostap.c 2011-11-08 19:02:43.000000000 -0500
40214 +++ linux-2.6.32.49/drivers/staging/vt6656/hostap.c 2011-11-15 19:59:43.000000000 -0500
40215 @@ -86,7 +86,7 @@ static int hostap_enable_hostapd(PSDevic
40216 PSDevice apdev_priv;
40217 struct net_device *dev = pDevice->dev;
40218 int ret;
40219 - const struct net_device_ops apdev_netdev_ops = {
40220 + net_device_ops_no_const apdev_netdev_ops = {
40221 .ndo_start_xmit = pDevice->tx_80211,
40222 };
40223
40224 diff -urNp linux-2.6.32.49/drivers/staging/wlan-ng/hfa384x_usb.c linux-2.6.32.49/drivers/staging/wlan-ng/hfa384x_usb.c
40225 --- linux-2.6.32.49/drivers/staging/wlan-ng/hfa384x_usb.c 2011-11-08 19:02:43.000000000 -0500
40226 +++ linux-2.6.32.49/drivers/staging/wlan-ng/hfa384x_usb.c 2011-11-15 19:59:43.000000000 -0500
40227 @@ -205,7 +205,7 @@ static void unlocked_usbctlx_complete(hf
40228
40229 struct usbctlx_completor {
40230 int (*complete) (struct usbctlx_completor *);
40231 -};
40232 +} __no_const;
40233 typedef struct usbctlx_completor usbctlx_completor_t;
40234
40235 static int
40236 diff -urNp linux-2.6.32.49/drivers/telephony/ixj.c linux-2.6.32.49/drivers/telephony/ixj.c
40237 --- linux-2.6.32.49/drivers/telephony/ixj.c 2011-11-08 19:02:43.000000000 -0500
40238 +++ linux-2.6.32.49/drivers/telephony/ixj.c 2011-11-15 19:59:43.000000000 -0500
40239 @@ -4976,6 +4976,8 @@ static int ixj_daa_cid_read(IXJ *j)
40240 bool mContinue;
40241 char *pIn, *pOut;
40242
40243 + pax_track_stack();
40244 +
40245 if (!SCI_Prepare(j))
40246 return 0;
40247
40248 diff -urNp linux-2.6.32.49/drivers/uio/uio.c linux-2.6.32.49/drivers/uio/uio.c
40249 --- linux-2.6.32.49/drivers/uio/uio.c 2011-11-08 19:02:43.000000000 -0500
40250 +++ linux-2.6.32.49/drivers/uio/uio.c 2011-11-15 19:59:43.000000000 -0500
40251 @@ -23,6 +23,7 @@
40252 #include <linux/string.h>
40253 #include <linux/kobject.h>
40254 #include <linux/uio_driver.h>
40255 +#include <asm/local.h>
40256
40257 #define UIO_MAX_DEVICES 255
40258
40259 @@ -30,10 +31,10 @@ struct uio_device {
40260 struct module *owner;
40261 struct device *dev;
40262 int minor;
40263 - atomic_t event;
40264 + atomic_unchecked_t event;
40265 struct fasync_struct *async_queue;
40266 wait_queue_head_t wait;
40267 - int vma_count;
40268 + local_t vma_count;
40269 struct uio_info *info;
40270 struct kobject *map_dir;
40271 struct kobject *portio_dir;
40272 @@ -129,7 +130,7 @@ static ssize_t map_type_show(struct kobj
40273 return entry->show(mem, buf);
40274 }
40275
40276 -static struct sysfs_ops map_sysfs_ops = {
40277 +static const struct sysfs_ops map_sysfs_ops = {
40278 .show = map_type_show,
40279 };
40280
40281 @@ -217,7 +218,7 @@ static ssize_t portio_type_show(struct k
40282 return entry->show(port, buf);
40283 }
40284
40285 -static struct sysfs_ops portio_sysfs_ops = {
40286 +static const struct sysfs_ops portio_sysfs_ops = {
40287 .show = portio_type_show,
40288 };
40289
40290 @@ -255,7 +256,7 @@ static ssize_t show_event(struct device
40291 struct uio_device *idev = dev_get_drvdata(dev);
40292 if (idev)
40293 return sprintf(buf, "%u\n",
40294 - (unsigned int)atomic_read(&idev->event));
40295 + (unsigned int)atomic_read_unchecked(&idev->event));
40296 else
40297 return -ENODEV;
40298 }
40299 @@ -424,7 +425,7 @@ void uio_event_notify(struct uio_info *i
40300 {
40301 struct uio_device *idev = info->uio_dev;
40302
40303 - atomic_inc(&idev->event);
40304 + atomic_inc_unchecked(&idev->event);
40305 wake_up_interruptible(&idev->wait);
40306 kill_fasync(&idev->async_queue, SIGIO, POLL_IN);
40307 }
40308 @@ -477,7 +478,7 @@ static int uio_open(struct inode *inode,
40309 }
40310
40311 listener->dev = idev;
40312 - listener->event_count = atomic_read(&idev->event);
40313 + listener->event_count = atomic_read_unchecked(&idev->event);
40314 filep->private_data = listener;
40315
40316 if (idev->info->open) {
40317 @@ -528,7 +529,7 @@ static unsigned int uio_poll(struct file
40318 return -EIO;
40319
40320 poll_wait(filep, &idev->wait, wait);
40321 - if (listener->event_count != atomic_read(&idev->event))
40322 + if (listener->event_count != atomic_read_unchecked(&idev->event))
40323 return POLLIN | POLLRDNORM;
40324 return 0;
40325 }
40326 @@ -553,7 +554,7 @@ static ssize_t uio_read(struct file *fil
40327 do {
40328 set_current_state(TASK_INTERRUPTIBLE);
40329
40330 - event_count = atomic_read(&idev->event);
40331 + event_count = atomic_read_unchecked(&idev->event);
40332 if (event_count != listener->event_count) {
40333 if (copy_to_user(buf, &event_count, count))
40334 retval = -EFAULT;
40335 @@ -624,13 +625,13 @@ static int uio_find_mem_index(struct vm_
40336 static void uio_vma_open(struct vm_area_struct *vma)
40337 {
40338 struct uio_device *idev = vma->vm_private_data;
40339 - idev->vma_count++;
40340 + local_inc(&idev->vma_count);
40341 }
40342
40343 static void uio_vma_close(struct vm_area_struct *vma)
40344 {
40345 struct uio_device *idev = vma->vm_private_data;
40346 - idev->vma_count--;
40347 + local_dec(&idev->vma_count);
40348 }
40349
40350 static int uio_vma_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
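Review bot: `local_inc()` and `local_dec()` are atomic only with respect to the CPU they run on, yet `vma_count` lives in a shared `struct uio_device` (the field becomes `local_t` in the earlier hunk of this file). If uio_vma_open and uio_vma_close can run on different CPUs, the counter still has no cross-CPU guarantee. If the goal is a counter that is safe under concurrent updates, `atomic_t vma_count;` with `atomic_inc(&idev->vma_count);` and `atomic_dec(&idev->vma_count);` expresses that directly. If `local_t` was chosen for another reason, a comment on the field should give it. No reader of `vma_count` is visible in these hunks, so confirm that none still treats it as a plain `int`.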
40351 @@ -840,7 +841,7 @@ int __uio_register_device(struct module
40352 idev->owner = owner;
40353 idev->info = info;
40354 init_waitqueue_head(&idev->wait);
40355 - atomic_set(&idev->event, 0);
40356 + atomic_set_unchecked(&idev->event, 0);
40357
40358 ret = uio_get_minor(idev);
40359 if (ret)
40360 diff -urNp linux-2.6.32.49/drivers/usb/atm/usbatm.c linux-2.6.32.49/drivers/usb/atm/usbatm.c
40361 --- linux-2.6.32.49/drivers/usb/atm/usbatm.c 2011-11-08 19:02:43.000000000 -0500
40362 +++ linux-2.6.32.49/drivers/usb/atm/usbatm.c 2011-11-15 19:59:43.000000000 -0500
40363 @@ -333,7 +333,7 @@ static void usbatm_extract_one_cell(stru
40364 if (printk_ratelimit())
40365 atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
40366 __func__, vpi, vci);
40367 - atomic_inc(&vcc->stats->rx_err);
40368 + atomic_inc_unchecked(&vcc->stats->rx_err);
40369 return;
40370 }
40371
40372 @@ -361,7 +361,7 @@ static void usbatm_extract_one_cell(stru
40373 if (length > ATM_MAX_AAL5_PDU) {
40374 atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
40375 __func__, length, vcc);
40376 - atomic_inc(&vcc->stats->rx_err);
40377 + atomic_inc_unchecked(&vcc->stats->rx_err);
40378 goto out;
40379 }
40380
40381 @@ -370,14 +370,14 @@ static void usbatm_extract_one_cell(stru
40382 if (sarb->len < pdu_length) {
40383 atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
40384 __func__, pdu_length, sarb->len, vcc);
40385 - atomic_inc(&vcc->stats->rx_err);
40386 + atomic_inc_unchecked(&vcc->stats->rx_err);
40387 goto out;
40388 }
40389
40390 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
40391 atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
40392 __func__, vcc);
40393 - atomic_inc(&vcc->stats->rx_err);
40394 + atomic_inc_unchecked(&vcc->stats->rx_err);
40395 goto out;
40396 }
40397
40398 @@ -387,7 +387,7 @@ static void usbatm_extract_one_cell(stru
40399 if (printk_ratelimit())
40400 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
40401 __func__, length);
40402 - atomic_inc(&vcc->stats->rx_drop);
40403 + atomic_inc_unchecked(&vcc->stats->rx_drop);
40404 goto out;
40405 }
40406
40407 @@ -412,7 +412,7 @@ static void usbatm_extract_one_cell(stru
40408
40409 vcc->push(vcc, skb);
40410
40411 - atomic_inc(&vcc->stats->rx);
40412 + atomic_inc_unchecked(&vcc->stats->rx);
40413 out:
40414 skb_trim(sarb, 0);
40415 }
40416 @@ -616,7 +616,7 @@ static void usbatm_tx_process(unsigned l
40417 struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
40418
40419 usbatm_pop(vcc, skb);
40420 - atomic_inc(&vcc->stats->tx);
40421 + atomic_inc_unchecked(&vcc->stats->tx);
40422
40423 skb = skb_dequeue(&instance->sndqueue);
40424 }
40425 @@ -775,11 +775,11 @@ static int usbatm_atm_proc_read(struct a
40426 if (!left--)
40427 return sprintf(page,
40428 "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
40429 - atomic_read(&atm_dev->stats.aal5.tx),
40430 - atomic_read(&atm_dev->stats.aal5.tx_err),
40431 - atomic_read(&atm_dev->stats.aal5.rx),
40432 - atomic_read(&atm_dev->stats.aal5.rx_err),
40433 - atomic_read(&atm_dev->stats.aal5.rx_drop));
40434 + atomic_read_unchecked(&atm_dev->stats.aal5.tx),
40435 + atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
40436 + atomic_read_unchecked(&atm_dev->stats.aal5.rx),
40437 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
40438 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
40439
40440 if (!left--) {
40441 if (instance->disconnected)
40442 diff -urNp linux-2.6.32.49/drivers/usb/class/cdc-wdm.c linux-2.6.32.49/drivers/usb/class/cdc-wdm.c
40443 --- linux-2.6.32.49/drivers/usb/class/cdc-wdm.c 2011-11-08 19:02:43.000000000 -0500
40444 +++ linux-2.6.32.49/drivers/usb/class/cdc-wdm.c 2011-11-15 19:59:43.000000000 -0500
40445 @@ -314,7 +314,7 @@ static ssize_t wdm_write
40446 if (r < 0)
40447 goto outnp;
40448
40449 - if (!file->f_flags && O_NONBLOCK)
40450 + if (!(file->f_flags & O_NONBLOCK))
40451 r = wait_event_interruptible(desc->wait, !test_bit(WDM_IN_USE,
40452 &desc->flags));
40453 else
40454 diff -urNp linux-2.6.32.49/drivers/usb/core/hcd.c linux-2.6.32.49/drivers/usb/core/hcd.c
40455 --- linux-2.6.32.49/drivers/usb/core/hcd.c 2011-11-08 19:02:43.000000000 -0500
40456 +++ linux-2.6.32.49/drivers/usb/core/hcd.c 2011-11-15 19:59:43.000000000 -0500
40457 @@ -2216,7 +2216,7 @@ EXPORT_SYMBOL_GPL(usb_hcd_platform_shutd
40458
40459 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
40460
40461 -struct usb_mon_operations *mon_ops;
40462 +const struct usb_mon_operations *mon_ops;
40463
40464 /*
40465 * The registration is unlocked.
40466 @@ -2226,7 +2226,7 @@ struct usb_mon_operations *mon_ops;
40467 * symbols from usbcore, usbcore gets referenced and cannot be unloaded first.
40468 */
40469
40470 -int usb_mon_register (struct usb_mon_operations *ops)
40471 +int usb_mon_register (const struct usb_mon_operations *ops)
40472 {
40473
40474 if (mon_ops)
40475 diff -urNp linux-2.6.32.49/drivers/usb/core/hcd.h linux-2.6.32.49/drivers/usb/core/hcd.h
40476 --- linux-2.6.32.49/drivers/usb/core/hcd.h 2011-11-08 19:02:43.000000000 -0500
40477 +++ linux-2.6.32.49/drivers/usb/core/hcd.h 2011-11-15 19:59:43.000000000 -0500
40478 @@ -486,13 +486,13 @@ static inline void usbfs_cleanup(void) {
40479 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
40480
40481 struct usb_mon_operations {
40482 - void (*urb_submit)(struct usb_bus *bus, struct urb *urb);
40483 - void (*urb_submit_error)(struct usb_bus *bus, struct urb *urb, int err);
40484 - void (*urb_complete)(struct usb_bus *bus, struct urb *urb, int status);
40485 + void (* const urb_submit)(struct usb_bus *bus, struct urb *urb);
40486 + void (* const urb_submit_error)(struct usb_bus *bus, struct urb *urb, int err);
40487 + void (* const urb_complete)(struct usb_bus *bus, struct urb *urb, int status);
40488 /* void (*urb_unlink)(struct usb_bus *bus, struct urb *urb); */
40489 };
40490
40491 -extern struct usb_mon_operations *mon_ops;
40492 +extern const struct usb_mon_operations *mon_ops;
40493
40494 static inline void usbmon_urb_submit(struct usb_bus *bus, struct urb *urb)
40495 {
40496 @@ -514,7 +514,7 @@ static inline void usbmon_urb_complete(s
40497 (*mon_ops->urb_complete)(bus, urb, status);
40498 }
40499
40500 -int usb_mon_register(struct usb_mon_operations *ops);
40501 +int usb_mon_register(const struct usb_mon_operations *ops);
40502 void usb_mon_deregister(void);
40503
40504 #else
40505 diff -urNp linux-2.6.32.49/drivers/usb/core/message.c linux-2.6.32.49/drivers/usb/core/message.c
40506 --- linux-2.6.32.49/drivers/usb/core/message.c 2011-11-08 19:02:43.000000000 -0500
40507 +++ linux-2.6.32.49/drivers/usb/core/message.c 2011-11-15 19:59:43.000000000 -0500
40508 @@ -914,8 +914,8 @@ char *usb_cache_string(struct usb_device
40509 buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
40510 if (buf) {
40511 len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
40512 - if (len > 0) {
40513 - smallbuf = kmalloc(++len, GFP_NOIO);
40514 + if (len++ > 0) {
40515 + smallbuf = kmalloc(len, GFP_NOIO);
40516 if (!smallbuf)
40517 return buf;
40518 memcpy(smallbuf, buf, len);
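Review bot: The post-increment inside the test, `if (len++ > 0)`, modifies `len` even when the branch is not taken and hides the extra byte (presumably the terminator) in a condition. Keeping the test and the adjustment apart is easier to audit: `if (len > 0) {` followed by `len++;` and `smallbuf = kmalloc(len, GFP_NOIO);`. The `memcpy(smallbuf, buf, len)` below copies the incremented length out of a `MAX_USB_STRING_SIZE` allocation. A comment stating the upper bound usb_string() can return would make the bound explicit; that bound needs confirming against usb_string()'s definition, which is outside the hunk. usb_cache_string's body starts and ends outside the hunk.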
40519 diff -urNp linux-2.6.32.49/drivers/usb/misc/appledisplay.c linux-2.6.32.49/drivers/usb/misc/appledisplay.c
40520 --- linux-2.6.32.49/drivers/usb/misc/appledisplay.c 2011-11-08 19:02:43.000000000 -0500
40521 +++ linux-2.6.32.49/drivers/usb/misc/appledisplay.c 2011-11-15 19:59:43.000000000 -0500
40522 @@ -178,7 +178,7 @@ static int appledisplay_bl_get_brightnes
40523 return pdata->msgdata[1];
40524 }
40525
40526 -static struct backlight_ops appledisplay_bl_data = {
40527 +static const struct backlight_ops appledisplay_bl_data = {
40528 .get_brightness = appledisplay_bl_get_brightness,
40529 .update_status = appledisplay_bl_update_status,
40530 };
40531 diff -urNp linux-2.6.32.49/drivers/usb/mon/mon_main.c linux-2.6.32.49/drivers/usb/mon/mon_main.c
40532 --- linux-2.6.32.49/drivers/usb/mon/mon_main.c 2011-11-08 19:02:43.000000000 -0500
40533 +++ linux-2.6.32.49/drivers/usb/mon/mon_main.c 2011-11-15 19:59:43.000000000 -0500
40534 @@ -238,7 +238,7 @@ static struct notifier_block mon_nb = {
40535 /*
40536 * Ops
40537 */
40538 -static struct usb_mon_operations mon_ops_0 = {
40539 +static const struct usb_mon_operations mon_ops_0 = {
40540 .urb_submit = mon_submit,
40541 .urb_submit_error = mon_submit_error,
40542 .urb_complete = mon_complete,
40543 diff -urNp linux-2.6.32.49/drivers/usb/wusbcore/wa-hc.h linux-2.6.32.49/drivers/usb/wusbcore/wa-hc.h
40544 --- linux-2.6.32.49/drivers/usb/wusbcore/wa-hc.h 2011-11-08 19:02:43.000000000 -0500
40545 +++ linux-2.6.32.49/drivers/usb/wusbcore/wa-hc.h 2011-11-15 19:59:43.000000000 -0500
40546 @@ -192,7 +192,7 @@ struct wahc {
40547 struct list_head xfer_delayed_list;
40548 spinlock_t xfer_list_lock;
40549 struct work_struct xfer_work;
40550 - atomic_t xfer_id_count;
40551 + atomic_unchecked_t xfer_id_count;
40552 };
40553
40554
40555 @@ -246,7 +246,7 @@ static inline void wa_init(struct wahc *
40556 INIT_LIST_HEAD(&wa->xfer_delayed_list);
40557 spin_lock_init(&wa->xfer_list_lock);
40558 INIT_WORK(&wa->xfer_work, wa_urb_enqueue_run);
40559 - atomic_set(&wa->xfer_id_count, 1);
40560 + atomic_set_unchecked(&wa->xfer_id_count, 1);
40561 }
40562
40563 /**
40564 diff -urNp linux-2.6.32.49/drivers/usb/wusbcore/wa-xfer.c linux-2.6.32.49/drivers/usb/wusbcore/wa-xfer.c
40565 --- linux-2.6.32.49/drivers/usb/wusbcore/wa-xfer.c 2011-11-08 19:02:43.000000000 -0500
40566 +++ linux-2.6.32.49/drivers/usb/wusbcore/wa-xfer.c 2011-11-15 19:59:43.000000000 -0500
40567 @@ -293,7 +293,7 @@ out:
40568 */
40569 static void wa_xfer_id_init(struct wa_xfer *xfer)
40570 {
40571 - xfer->id = atomic_add_return(1, &xfer->wa->xfer_id_count);
40572 + xfer->id = atomic_add_return_unchecked(1, &xfer->wa->xfer_id_count);
40573 }
40574
40575 /*
40576 diff -urNp linux-2.6.32.49/drivers/uwb/wlp/messages.c linux-2.6.32.49/drivers/uwb/wlp/messages.c
40577 --- linux-2.6.32.49/drivers/uwb/wlp/messages.c 2011-11-08 19:02:43.000000000 -0500
40578 +++ linux-2.6.32.49/drivers/uwb/wlp/messages.c 2011-11-15 19:59:43.000000000 -0500
40579 @@ -903,7 +903,7 @@ int wlp_parse_f0(struct wlp *wlp, struct
40580 size_t len = skb->len;
40581 size_t used;
40582 ssize_t result;
40583 - struct wlp_nonce enonce, rnonce;
40584 + struct wlp_nonce enonce = {{0}}, rnonce = {{0}};
40585 enum wlp_assc_error assc_err;
40586 char enonce_buf[WLP_WSS_NONCE_STRSIZE];
40587 char rnonce_buf[WLP_WSS_NONCE_STRSIZE];
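Review bot: The `{{0}}` initialisers on `enonce` and `rnonce` have no comment explaining which read they protect, and the rest of `wlp_parse_f0` is outside the hunk. Presumably the nonces can be formatted into `enonce_buf`/`rnonce_buf` on a path where parsing did not fill them, in which case uninitialised stack bytes would end up in the output. If that is the reason, say so next to the declaration: `/* zeroed: may be printed before being parsed */`. The nested-brace form also ties the initialiser to the layout of `struct wlp_nonce`, which is not shown here.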
40588 diff -urNp linux-2.6.32.49/drivers/uwb/wlp/sysfs.c linux-2.6.32.49/drivers/uwb/wlp/sysfs.c
40589 --- linux-2.6.32.49/drivers/uwb/wlp/sysfs.c 2011-11-08 19:02:43.000000000 -0500
40590 +++ linux-2.6.32.49/drivers/uwb/wlp/sysfs.c 2011-11-15 19:59:43.000000000 -0500
40591 @@ -615,8 +615,7 @@ ssize_t wlp_wss_attr_store(struct kobjec
40592 return ret;
40593 }
40594
40595 -static
40596 -struct sysfs_ops wss_sysfs_ops = {
40597 +static const struct sysfs_ops wss_sysfs_ops = {
40598 .show = wlp_wss_attr_show,
40599 .store = wlp_wss_attr_store,
40600 };
40601 diff -urNp linux-2.6.32.49/drivers/video/atmel_lcdfb.c linux-2.6.32.49/drivers/video/atmel_lcdfb.c
40602 --- linux-2.6.32.49/drivers/video/atmel_lcdfb.c 2011-11-08 19:02:43.000000000 -0500
40603 +++ linux-2.6.32.49/drivers/video/atmel_lcdfb.c 2011-11-15 19:59:43.000000000 -0500
40604 @@ -110,7 +110,7 @@ static int atmel_bl_get_brightness(struc
40605 return lcdc_readl(sinfo, ATMEL_LCDC_CONTRAST_VAL);
40606 }
40607
40608 -static struct backlight_ops atmel_lcdc_bl_ops = {
40609 +static const struct backlight_ops atmel_lcdc_bl_ops = {
40610 .update_status = atmel_bl_update_status,
40611 .get_brightness = atmel_bl_get_brightness,
40612 };
40613 diff -urNp linux-2.6.32.49/drivers/video/aty/aty128fb.c linux-2.6.32.49/drivers/video/aty/aty128fb.c
40614 --- linux-2.6.32.49/drivers/video/aty/aty128fb.c 2011-11-08 19:02:43.000000000 -0500
40615 +++ linux-2.6.32.49/drivers/video/aty/aty128fb.c 2011-11-18 18:01:55.000000000 -0500
40616 @@ -149,7 +149,7 @@ enum {
40617 };
40618
40619 /* Must match above enum */
40620 -static const char *r128_family[] __devinitdata = {
40621 +static const char *r128_family[] __devinitconst = {
40622 "AGP",
40623 "PCI",
40624 "PRO AGP",
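Review bot: `r128_family` is declared `static const char *r128_family[]`, so the array object itself is writable (only the characters pointed to are const), yet the new `__devinitconst` annotation places it in a const init section. With GCC that mismatch can surface as a section type conflict once a genuinely const object shares the section, and it leaves the intent ambiguous. Const-qualify the pointers as well: `static const char * const r128_family[] __devinitconst = {`. The same applies to `i810_pci_list` in the i810_main.c hunk; the users of both arrays are outside the hunks, so check that none of them takes a non-const `const char **`.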
40625 @@ -1787,7 +1787,7 @@ static int aty128_bl_get_brightness(stru
40626 return bd->props.brightness;
40627 }
40628
40629 -static struct backlight_ops aty128_bl_data = {
40630 +static const struct backlight_ops aty128_bl_data = {
40631 .get_brightness = aty128_bl_get_brightness,
40632 .update_status = aty128_bl_update_status,
40633 };
40634 diff -urNp linux-2.6.32.49/drivers/video/aty/atyfb_base.c linux-2.6.32.49/drivers/video/aty/atyfb_base.c
40635 --- linux-2.6.32.49/drivers/video/aty/atyfb_base.c 2011-11-08 19:02:43.000000000 -0500
40636 +++ linux-2.6.32.49/drivers/video/aty/atyfb_base.c 2011-11-15 19:59:43.000000000 -0500
40637 @@ -2225,7 +2225,7 @@ static int aty_bl_get_brightness(struct
40638 return bd->props.brightness;
40639 }
40640
40641 -static struct backlight_ops aty_bl_data = {
40642 +static const struct backlight_ops aty_bl_data = {
40643 .get_brightness = aty_bl_get_brightness,
40644 .update_status = aty_bl_update_status,
40645 };
40646 diff -urNp linux-2.6.32.49/drivers/video/aty/radeon_backlight.c linux-2.6.32.49/drivers/video/aty/radeon_backlight.c
40647 --- linux-2.6.32.49/drivers/video/aty/radeon_backlight.c 2011-11-08 19:02:43.000000000 -0500
40648 +++ linux-2.6.32.49/drivers/video/aty/radeon_backlight.c 2011-11-15 19:59:43.000000000 -0500
40649 @@ -127,7 +127,7 @@ static int radeon_bl_get_brightness(stru
40650 return bd->props.brightness;
40651 }
40652
40653 -static struct backlight_ops radeon_bl_data = {
40654 +static const struct backlight_ops radeon_bl_data = {
40655 .get_brightness = radeon_bl_get_brightness,
40656 .update_status = radeon_bl_update_status,
40657 };
40658 diff -urNp linux-2.6.32.49/drivers/video/backlight/adp5520_bl.c linux-2.6.32.49/drivers/video/backlight/adp5520_bl.c
40659 --- linux-2.6.32.49/drivers/video/backlight/adp5520_bl.c 2011-11-08 19:02:43.000000000 -0500
40660 +++ linux-2.6.32.49/drivers/video/backlight/adp5520_bl.c 2011-11-15 19:59:43.000000000 -0500
40661 @@ -84,7 +84,7 @@ static int adp5520_bl_get_brightness(str
40662 return error ? data->current_brightness : reg_val;
40663 }
40664
40665 -static struct backlight_ops adp5520_bl_ops = {
40666 +static const struct backlight_ops adp5520_bl_ops = {
40667 .update_status = adp5520_bl_update_status,
40668 .get_brightness = adp5520_bl_get_brightness,
40669 };
40670 diff -urNp linux-2.6.32.49/drivers/video/backlight/adx_bl.c linux-2.6.32.49/drivers/video/backlight/adx_bl.c
40671 --- linux-2.6.32.49/drivers/video/backlight/adx_bl.c 2011-11-08 19:02:43.000000000 -0500
40672 +++ linux-2.6.32.49/drivers/video/backlight/adx_bl.c 2011-11-15 19:59:43.000000000 -0500
40673 @@ -61,7 +61,7 @@ static int adx_backlight_check_fb(struct
40674 return 1;
40675 }
40676
40677 -static struct backlight_ops adx_backlight_ops = {
40678 +static const struct backlight_ops adx_backlight_ops = {
40679 .options = 0,
40680 .update_status = adx_backlight_update_status,
40681 .get_brightness = adx_backlight_get_brightness,
40682 diff -urNp linux-2.6.32.49/drivers/video/backlight/atmel-pwm-bl.c linux-2.6.32.49/drivers/video/backlight/atmel-pwm-bl.c
40683 --- linux-2.6.32.49/drivers/video/backlight/atmel-pwm-bl.c 2011-11-08 19:02:43.000000000 -0500
40684 +++ linux-2.6.32.49/drivers/video/backlight/atmel-pwm-bl.c 2011-11-15 19:59:43.000000000 -0500
40685 @@ -113,7 +113,7 @@ static int atmel_pwm_bl_init_pwm(struct
40686 return pwm_channel_enable(&pwmbl->pwmc);
40687 }
40688
40689 -static struct backlight_ops atmel_pwm_bl_ops = {
40690 +static const struct backlight_ops atmel_pwm_bl_ops = {
40691 .get_brightness = atmel_pwm_bl_get_intensity,
40692 .update_status = atmel_pwm_bl_set_intensity,
40693 };
40694 diff -urNp linux-2.6.32.49/drivers/video/backlight/backlight.c linux-2.6.32.49/drivers/video/backlight/backlight.c
40695 --- linux-2.6.32.49/drivers/video/backlight/backlight.c 2011-11-08 19:02:43.000000000 -0500
40696 +++ linux-2.6.32.49/drivers/video/backlight/backlight.c 2011-11-15 19:59:43.000000000 -0500
40697 @@ -269,7 +269,7 @@ EXPORT_SYMBOL(backlight_force_update);
40698 * ERR_PTR() or a pointer to the newly allocated device.
40699 */
40700 struct backlight_device *backlight_device_register(const char *name,
40701 - struct device *parent, void *devdata, struct backlight_ops *ops)
40702 + struct device *parent, void *devdata, const struct backlight_ops *ops)
40703 {
40704 struct backlight_device *new_bd;
40705 int rc;
40706 diff -urNp linux-2.6.32.49/drivers/video/backlight/corgi_lcd.c linux-2.6.32.49/drivers/video/backlight/corgi_lcd.c
40707 --- linux-2.6.32.49/drivers/video/backlight/corgi_lcd.c 2011-11-08 19:02:43.000000000 -0500
40708 +++ linux-2.6.32.49/drivers/video/backlight/corgi_lcd.c 2011-11-15 19:59:43.000000000 -0500
40709 @@ -451,7 +451,7 @@ void corgi_lcd_limit_intensity(int limit
40710 }
40711 EXPORT_SYMBOL(corgi_lcd_limit_intensity);
40712
40713 -static struct backlight_ops corgi_bl_ops = {
40714 +static const struct backlight_ops corgi_bl_ops = {
40715 .get_brightness = corgi_bl_get_intensity,
40716 .update_status = corgi_bl_update_status,
40717 };
40718 diff -urNp linux-2.6.32.49/drivers/video/backlight/cr_bllcd.c linux-2.6.32.49/drivers/video/backlight/cr_bllcd.c
40719 --- linux-2.6.32.49/drivers/video/backlight/cr_bllcd.c 2011-11-08 19:02:43.000000000 -0500
40720 +++ linux-2.6.32.49/drivers/video/backlight/cr_bllcd.c 2011-11-15 19:59:43.000000000 -0500
40721 @@ -108,7 +108,7 @@ static int cr_backlight_get_intensity(st
40722 return intensity;
40723 }
40724
40725 -static struct backlight_ops cr_backlight_ops = {
40726 +static const struct backlight_ops cr_backlight_ops = {
40727 .get_brightness = cr_backlight_get_intensity,
40728 .update_status = cr_backlight_set_intensity,
40729 };
40730 diff -urNp linux-2.6.32.49/drivers/video/backlight/da903x_bl.c linux-2.6.32.49/drivers/video/backlight/da903x_bl.c
40731 --- linux-2.6.32.49/drivers/video/backlight/da903x_bl.c 2011-11-08 19:02:43.000000000 -0500
40732 +++ linux-2.6.32.49/drivers/video/backlight/da903x_bl.c 2011-11-15 19:59:43.000000000 -0500
40733 @@ -94,7 +94,7 @@ static int da903x_backlight_get_brightne
40734 return data->current_brightness;
40735 }
40736
40737 -static struct backlight_ops da903x_backlight_ops = {
40738 +static const struct backlight_ops da903x_backlight_ops = {
40739 .update_status = da903x_backlight_update_status,
40740 .get_brightness = da903x_backlight_get_brightness,
40741 };
40742 diff -urNp linux-2.6.32.49/drivers/video/backlight/generic_bl.c linux-2.6.32.49/drivers/video/backlight/generic_bl.c
40743 --- linux-2.6.32.49/drivers/video/backlight/generic_bl.c 2011-11-08 19:02:43.000000000 -0500
40744 +++ linux-2.6.32.49/drivers/video/backlight/generic_bl.c 2011-11-15 19:59:43.000000000 -0500
40745 @@ -70,7 +70,7 @@ void corgibl_limit_intensity(int limit)
40746 }
40747 EXPORT_SYMBOL(corgibl_limit_intensity);
40748
40749 -static struct backlight_ops genericbl_ops = {
40750 +static const struct backlight_ops genericbl_ops = {
40751 .options = BL_CORE_SUSPENDRESUME,
40752 .get_brightness = genericbl_get_intensity,
40753 .update_status = genericbl_send_intensity,
40754 diff -urNp linux-2.6.32.49/drivers/video/backlight/hp680_bl.c linux-2.6.32.49/drivers/video/backlight/hp680_bl.c
40755 --- linux-2.6.32.49/drivers/video/backlight/hp680_bl.c 2011-11-08 19:02:43.000000000 -0500
40756 +++ linux-2.6.32.49/drivers/video/backlight/hp680_bl.c 2011-11-15 19:59:43.000000000 -0500
40757 @@ -98,7 +98,7 @@ static int hp680bl_get_intensity(struct
40758 return current_intensity;
40759 }
40760
40761 -static struct backlight_ops hp680bl_ops = {
40762 +static const struct backlight_ops hp680bl_ops = {
40763 .get_brightness = hp680bl_get_intensity,
40764 .update_status = hp680bl_set_intensity,
40765 };
40766 diff -urNp linux-2.6.32.49/drivers/video/backlight/jornada720_bl.c linux-2.6.32.49/drivers/video/backlight/jornada720_bl.c
40767 --- linux-2.6.32.49/drivers/video/backlight/jornada720_bl.c 2011-11-08 19:02:43.000000000 -0500
40768 +++ linux-2.6.32.49/drivers/video/backlight/jornada720_bl.c 2011-11-15 19:59:43.000000000 -0500
40769 @@ -93,7 +93,7 @@ out:
40770 return ret;
40771 }
40772
40773 -static struct backlight_ops jornada_bl_ops = {
40774 +static const struct backlight_ops jornada_bl_ops = {
40775 .get_brightness = jornada_bl_get_brightness,
40776 .update_status = jornada_bl_update_status,
40777 .options = BL_CORE_SUSPENDRESUME,
40778 diff -urNp linux-2.6.32.49/drivers/video/backlight/kb3886_bl.c linux-2.6.32.49/drivers/video/backlight/kb3886_bl.c
40779 --- linux-2.6.32.49/drivers/video/backlight/kb3886_bl.c 2011-11-08 19:02:43.000000000 -0500
40780 +++ linux-2.6.32.49/drivers/video/backlight/kb3886_bl.c 2011-11-15 19:59:43.000000000 -0500
40781 @@ -134,7 +134,7 @@ static int kb3886bl_get_intensity(struct
40782 return kb3886bl_intensity;
40783 }
40784
40785 -static struct backlight_ops kb3886bl_ops = {
40786 +static const struct backlight_ops kb3886bl_ops = {
40787 .get_brightness = kb3886bl_get_intensity,
40788 .update_status = kb3886bl_send_intensity,
40789 };
40790 diff -urNp linux-2.6.32.49/drivers/video/backlight/locomolcd.c linux-2.6.32.49/drivers/video/backlight/locomolcd.c
40791 --- linux-2.6.32.49/drivers/video/backlight/locomolcd.c 2011-11-08 19:02:43.000000000 -0500
40792 +++ linux-2.6.32.49/drivers/video/backlight/locomolcd.c 2011-11-15 19:59:43.000000000 -0500
40793 @@ -141,7 +141,7 @@ static int locomolcd_get_intensity(struc
40794 return current_intensity;
40795 }
40796
40797 -static struct backlight_ops locomobl_data = {
40798 +static const struct backlight_ops locomobl_data = {
40799 .get_brightness = locomolcd_get_intensity,
40800 .update_status = locomolcd_set_intensity,
40801 };
40802 diff -urNp linux-2.6.32.49/drivers/video/backlight/mbp_nvidia_bl.c linux-2.6.32.49/drivers/video/backlight/mbp_nvidia_bl.c
40803 --- linux-2.6.32.49/drivers/video/backlight/mbp_nvidia_bl.c 2011-11-08 19:02:43.000000000 -0500
40804 +++ linux-2.6.32.49/drivers/video/backlight/mbp_nvidia_bl.c 2011-11-15 19:59:43.000000000 -0500
40805 @@ -33,7 +33,7 @@ struct dmi_match_data {
40806 unsigned long iostart;
40807 unsigned long iolen;
40808 /* Backlight operations structure. */
40809 - struct backlight_ops backlight_ops;
40810 + const struct backlight_ops backlight_ops;
40811 };
40812
40813 /* Module parameters. */
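Review bot: Qualifying only the `backlight_ops` member of `struct dmi_match_data` does not by itself move the function-pointer table into read-only memory; that depends on the enclosing objects being `const`, and their definitions are outside this hunk. A const member also makes whole-struct assignment of `struct dmi_match_data` ill-formed. If the instances can be constified, `static const struct dmi_match_data ...` on each definition achieves the goal without a const member; otherwise a comment on the member explaining the choice would help.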
40814 diff -urNp linux-2.6.32.49/drivers/video/backlight/omap1_bl.c linux-2.6.32.49/drivers/video/backlight/omap1_bl.c
40815 --- linux-2.6.32.49/drivers/video/backlight/omap1_bl.c 2011-11-08 19:02:43.000000000 -0500
40816 +++ linux-2.6.32.49/drivers/video/backlight/omap1_bl.c 2011-11-15 19:59:43.000000000 -0500
40817 @@ -125,7 +125,7 @@ static int omapbl_get_intensity(struct b
40818 return bl->current_intensity;
40819 }
40820
40821 -static struct backlight_ops omapbl_ops = {
40822 +static const struct backlight_ops omapbl_ops = {
40823 .get_brightness = omapbl_get_intensity,
40824 .update_status = omapbl_update_status,
40825 };
40826 diff -urNp linux-2.6.32.49/drivers/video/backlight/progear_bl.c linux-2.6.32.49/drivers/video/backlight/progear_bl.c
40827 --- linux-2.6.32.49/drivers/video/backlight/progear_bl.c 2011-11-08 19:02:43.000000000 -0500
40828 +++ linux-2.6.32.49/drivers/video/backlight/progear_bl.c 2011-11-15 19:59:43.000000000 -0500
40829 @@ -54,7 +54,7 @@ static int progearbl_get_intensity(struc
40830 return intensity - HW_LEVEL_MIN;
40831 }
40832
40833 -static struct backlight_ops progearbl_ops = {
40834 +static const struct backlight_ops progearbl_ops = {
40835 .get_brightness = progearbl_get_intensity,
40836 .update_status = progearbl_set_intensity,
40837 };
40838 diff -urNp linux-2.6.32.49/drivers/video/backlight/pwm_bl.c linux-2.6.32.49/drivers/video/backlight/pwm_bl.c
40839 --- linux-2.6.32.49/drivers/video/backlight/pwm_bl.c 2011-11-08 19:02:43.000000000 -0500
40840 +++ linux-2.6.32.49/drivers/video/backlight/pwm_bl.c 2011-11-15 19:59:43.000000000 -0500
40841 @@ -56,7 +56,7 @@ static int pwm_backlight_get_brightness(
40842 return bl->props.brightness;
40843 }
40844
40845 -static struct backlight_ops pwm_backlight_ops = {
40846 +static const struct backlight_ops pwm_backlight_ops = {
40847 .update_status = pwm_backlight_update_status,
40848 .get_brightness = pwm_backlight_get_brightness,
40849 };
40850 diff -urNp linux-2.6.32.49/drivers/video/backlight/tosa_bl.c linux-2.6.32.49/drivers/video/backlight/tosa_bl.c
40851 --- linux-2.6.32.49/drivers/video/backlight/tosa_bl.c 2011-11-08 19:02:43.000000000 -0500
40852 +++ linux-2.6.32.49/drivers/video/backlight/tosa_bl.c 2011-11-15 19:59:43.000000000 -0500
40853 @@ -72,7 +72,7 @@ static int tosa_bl_get_brightness(struct
40854 return props->brightness;
40855 }
40856
40857 -static struct backlight_ops bl_ops = {
40858 +static const struct backlight_ops bl_ops = {
40859 .get_brightness = tosa_bl_get_brightness,
40860 .update_status = tosa_bl_update_status,
40861 };
40862 diff -urNp linux-2.6.32.49/drivers/video/backlight/wm831x_bl.c linux-2.6.32.49/drivers/video/backlight/wm831x_bl.c
40863 --- linux-2.6.32.49/drivers/video/backlight/wm831x_bl.c 2011-11-08 19:02:43.000000000 -0500
40864 +++ linux-2.6.32.49/drivers/video/backlight/wm831x_bl.c 2011-11-15 19:59:43.000000000 -0500
40865 @@ -112,7 +112,7 @@ static int wm831x_backlight_get_brightne
40866 return data->current_brightness;
40867 }
40868
40869 -static struct backlight_ops wm831x_backlight_ops = {
40870 +static const struct backlight_ops wm831x_backlight_ops = {
40871 .options = BL_CORE_SUSPENDRESUME,
40872 .update_status = wm831x_backlight_update_status,
40873 .get_brightness = wm831x_backlight_get_brightness,
40874 diff -urNp linux-2.6.32.49/drivers/video/bf54x-lq043fb.c linux-2.6.32.49/drivers/video/bf54x-lq043fb.c
40875 --- linux-2.6.32.49/drivers/video/bf54x-lq043fb.c 2011-11-08 19:02:43.000000000 -0500
40876 +++ linux-2.6.32.49/drivers/video/bf54x-lq043fb.c 2011-11-15 19:59:43.000000000 -0500
40877 @@ -463,7 +463,7 @@ static int bl_get_brightness(struct back
40878 return 0;
40879 }
40880
40881 -static struct backlight_ops bfin_lq043fb_bl_ops = {
40882 +static const struct backlight_ops bfin_lq043fb_bl_ops = {
40883 .get_brightness = bl_get_brightness,
40884 };
40885
40886 diff -urNp linux-2.6.32.49/drivers/video/bfin-t350mcqb-fb.c linux-2.6.32.49/drivers/video/bfin-t350mcqb-fb.c
40887 --- linux-2.6.32.49/drivers/video/bfin-t350mcqb-fb.c 2011-11-08 19:02:43.000000000 -0500
40888 +++ linux-2.6.32.49/drivers/video/bfin-t350mcqb-fb.c 2011-11-15 19:59:43.000000000 -0500
40889 @@ -381,7 +381,7 @@ static int bl_get_brightness(struct back
40890 return 0;
40891 }
40892
40893 -static struct backlight_ops bfin_lq043fb_bl_ops = {
40894 +static const struct backlight_ops bfin_lq043fb_bl_ops = {
40895 .get_brightness = bl_get_brightness,
40896 };
40897
40898 diff -urNp linux-2.6.32.49/drivers/video/fbcmap.c linux-2.6.32.49/drivers/video/fbcmap.c
40899 --- linux-2.6.32.49/drivers/video/fbcmap.c 2011-11-08 19:02:43.000000000 -0500
40900 +++ linux-2.6.32.49/drivers/video/fbcmap.c 2011-11-15 19:59:43.000000000 -0500
40901 @@ -266,8 +266,7 @@ int fb_set_user_cmap(struct fb_cmap_user
40902 rc = -ENODEV;
40903 goto out;
40904 }
40905 - if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
40906 - !info->fbops->fb_setcmap)) {
40907 + if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap) {
40908 rc = -EINVAL;
40909 goto out1;
40910 }
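Review bot: Dropping `cmap->start < 0` is only safe if `start` is an unsigned field, and the declaration of `struct fb_cmap_user` is not visible in this hunk. If it is unsigned the old test was dead code and the removal is a pure cleanup; if it is ever signed, negative values now pass this check. A one-line comment at the check would record the assumption: `/* cmap->start is unsigned, no lower-bound test needed */`. The `con2fb.framebuffer < 0` removal in the fbmem.c hunk at `@@ -1119,7 +1123,7 @@` rests on the same assumption, and there the value indexes `registered_fb[]` two lines later, so the comparison against `FB_MAX` is the only guard left.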
40911 diff -urNp linux-2.6.32.49/drivers/video/fbmem.c linux-2.6.32.49/drivers/video/fbmem.c
40912 --- linux-2.6.32.49/drivers/video/fbmem.c 2011-11-08 19:02:43.000000000 -0500
40913 +++ linux-2.6.32.49/drivers/video/fbmem.c 2011-11-15 19:59:43.000000000 -0500
40914 @@ -403,7 +403,7 @@ static void fb_do_show_logo(struct fb_in
40915 image->dx += image->width + 8;
40916 }
40917 } else if (rotate == FB_ROTATE_UD) {
40918 - for (x = 0; x < num && image->dx >= 0; x++) {
40919 + for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
40920 info->fbops->fb_imageblit(info, image);
40921 image->dx -= image->width + 8;
40922 }
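Review bot: The `(__s32)image->dx >= 0` condition terminates the loop only because `image->dx -= image->width + 8` wraps an apparently unsigned `dx` and the cast reinterprets the result as negative; nothing in the code says so. A short comment keeps the next reader from removing the cast as redundant: `/* dx is unsigned; stop once the decrement below wraps */`. The `image->dy` loop in the `@@ -415,7 +415,7 @@` hunk needs the same comment. `fb_do_show_logo` begins and ends outside both hunks, so the type of `dx`/`dy` is inferred from the cast.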
40923 @@ -415,7 +415,7 @@ static void fb_do_show_logo(struct fb_in
40924 image->dy += image->height + 8;
40925 }
40926 } else if (rotate == FB_ROTATE_CCW) {
40927 - for (x = 0; x < num && image->dy >= 0; x++) {
40928 + for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
40929 info->fbops->fb_imageblit(info, image);
40930 image->dy -= image->height + 8;
40931 }
40932 @@ -915,6 +915,8 @@ fb_set_var(struct fb_info *info, struct
40933 int flags = info->flags;
40934 int ret = 0;
40935
40936 + pax_track_stack();
40937 +
40938 if (var->activate & FB_ACTIVATE_INV_MODE) {
40939 struct fb_videomode mode1, mode2;
40940
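Review bot: The added `pax_track_stack();` call has no comment, and nothing at the call site says why this function needs it while its neighbours do not. Presumably it is placed in functions with large stack frames (here `struct fb_videomode mode1, mode2` are declared a few lines below), but that is an inference from the hunk. I would add `/* large on-stack structures: record stack depth for PaX */` above the call, and the same above the call added to `do_fb_ioctl` in the `@@ -1040,6 +1042,8 @@` hunk. Both function bodies continue outside the hunks.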
40941 @@ -1040,6 +1042,8 @@ static long do_fb_ioctl(struct fb_info *
40942 void __user *argp = (void __user *)arg;
40943 long ret = 0;
40944
40945 + pax_track_stack();
40946 +
40947 switch (cmd) {
40948 case FBIOGET_VSCREENINFO:
40949 if (!lock_fb_info(info))
40950 @@ -1119,7 +1123,7 @@ static long do_fb_ioctl(struct fb_info *
40951 return -EFAULT;
40952 if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
40953 return -EINVAL;
40954 - if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
40955 + if (con2fb.framebuffer >= FB_MAX)
40956 return -EINVAL;
40957 if (!registered_fb[con2fb.framebuffer])
40958 request_module("fb%d", con2fb.framebuffer);
40959 diff -urNp linux-2.6.32.49/drivers/video/geode/gx1fb_core.c linux-2.6.32.49/drivers/video/geode/gx1fb_core.c
40960 --- linux-2.6.32.49/drivers/video/geode/gx1fb_core.c 2011-11-08 19:02:43.000000000 -0500
40961 +++ linux-2.6.32.49/drivers/video/geode/gx1fb_core.c 2011-11-18 18:01:55.000000000 -0500
40962 @@ -30,7 +30,7 @@ static int crt_option = 1;
40963 static char panel_option[32] = "";
40964
40965 /* Modes relevant to the GX1 (taken from modedb.c) */
40966 -static const struct fb_videomode __initdata gx1_modedb[] = {
40967 +static const struct fb_videomode __initconst gx1_modedb[] = {
40968 /* 640x480-60 VESA */
40969 { NULL, 60, 640, 480, 39682, 48, 16, 33, 10, 96, 2,
40970 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_VESA },
40971 diff -urNp linux-2.6.32.49/drivers/video/gxt4500.c linux-2.6.32.49/drivers/video/gxt4500.c
40972 --- linux-2.6.32.49/drivers/video/gxt4500.c 2011-11-08 19:02:43.000000000 -0500
40973 +++ linux-2.6.32.49/drivers/video/gxt4500.c 2011-11-18 18:01:55.000000000 -0500
40974 @@ -156,7 +156,7 @@ struct gxt4500_par {
40975 static char *mode_option;
40976
40977 /* default mode: 1280x1024 @ 60 Hz, 8 bpp */
40978 -static const struct fb_videomode defaultmode __devinitdata = {
40979 +static const struct fb_videomode defaultmode __devinitconst = {
40980 .refresh = 60,
40981 .xres = 1280,
40982 .yres = 1024,
40983 @@ -581,7 +581,7 @@ static int gxt4500_blank(int blank, stru
40984 return 0;
40985 }
40986
40987 -static const struct fb_fix_screeninfo gxt4500_fix __devinitdata = {
40988 +static const struct fb_fix_screeninfo gxt4500_fix __devinitconst = {
40989 .id = "IBM GXT4500P",
40990 .type = FB_TYPE_PACKED_PIXELS,
40991 .visual = FB_VISUAL_PSEUDOCOLOR,
40992 diff -urNp linux-2.6.32.49/drivers/video/i810/i810_accel.c linux-2.6.32.49/drivers/video/i810/i810_accel.c
40993 --- linux-2.6.32.49/drivers/video/i810/i810_accel.c 2011-11-08 19:02:43.000000000 -0500
40994 +++ linux-2.6.32.49/drivers/video/i810/i810_accel.c 2011-11-15 19:59:43.000000000 -0500
40995 @@ -73,6 +73,7 @@ static inline int wait_for_space(struct
40996 }
40997 }
40998 printk("ringbuffer lockup!!!\n");
40999 + printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
41000 i810_report_error(mmio);
41001 par->dev_flags |= LOCKUP;
41002 info->pixmap.scan_align = 1;
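Review bot: The added `printk` has no log level and no driver prefix, so the line is emitted at the default level and cannot be attributed to this driver when read on its own. `printk(KERN_ERR "i810fb: head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);` would fix both. The declarations of `head`, `tail` and `space` are outside the hunk, so confirm each is an unsigned 32-bit value matching `%u`. The existing `ringbuffer lockup!!!` line above has the same gap.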
41003 diff -urNp linux-2.6.32.49/drivers/video/i810/i810_main.c linux-2.6.32.49/drivers/video/i810/i810_main.c
41004 --- linux-2.6.32.49/drivers/video/i810/i810_main.c 2011-11-08 19:02:43.000000000 -0500
41005 +++ linux-2.6.32.49/drivers/video/i810/i810_main.c 2011-11-18 18:01:55.000000000 -0500
41006 @@ -97,7 +97,7 @@ static int i810fb_blank (int blank_
41007 static void i810fb_release_resource (struct fb_info *info, struct i810fb_par *par);
41008
41009 /* PCI */
41010 -static const char *i810_pci_list[] __devinitdata = {
41011 +static const char *i810_pci_list[] __devinitconst = {
41012 "Intel(R) 810 Framebuffer Device" ,
41013 "Intel(R) 810-DC100 Framebuffer Device" ,
41014 "Intel(R) 810E Framebuffer Device" ,
41015 diff -urNp linux-2.6.32.49/drivers/video/logo/logo_linux_clut224.ppm linux-2.6.32.49/drivers/video/logo/logo_linux_clut224.ppm
41016 --- linux-2.6.32.49/drivers/video/logo/logo_linux_clut224.ppm 2011-11-08 19:02:43.000000000 -0500
41017 +++ linux-2.6.32.49/drivers/video/logo/logo_linux_clut224.ppm 2011-11-15 19:59:43.000000000 -0500
41018 @@ -1,1604 +1,1123 @@
41019 P3
41020 -# Standard 224-color Linux logo
41021 80 80
41022 255
41023 - 0 0 0 0 0 0 0 0 0 0 0 0
41024 - 0 0 0 0 0 0 0 0 0 0 0 0
41025 - 0 0 0 0 0 0 0 0 0 0 0 0
41026 - 0 0 0 0 0 0 0 0 0 0 0 0
41027 - 0 0 0 0 0 0 0 0 0 0 0 0
41028 - 0 0 0 0 0 0 0 0 0 0 0 0
41029 - 0 0 0 0 0 0 0 0 0 0 0 0
41030 - 0 0 0 0 0 0 0 0 0 0 0 0
41031 - 0 0 0 0 0 0 0 0 0 0 0 0
41032 - 6 6 6 6 6 6 10 10 10 10 10 10
41033 - 10 10 10 6 6 6 6 6 6 6 6 6
41034 - 0 0 0 0 0 0 0 0 0 0 0 0
41035 - 0 0 0 0 0 0 0 0 0 0 0 0
41036 - 0 0 0 0 0 0 0 0 0 0 0 0
41037 - 0 0 0 0 0 0 0 0 0 0 0 0
41038 - 0 0 0 0 0 0 0 0 0 0 0 0
41039 - 0 0 0 0 0 0 0 0 0 0 0 0
41040 - 0 0 0 0 0 0 0 0 0 0 0 0
41041 - 0 0 0 0 0 0 0 0 0 0 0 0
41042 - 0 0 0 0 0 0 0 0 0 0 0 0
41043 - 0 0 0 0 0 0 0 0 0 0 0 0
41044 - 0 0 0 0 0 0 0 0 0 0 0 0
41045 - 0 0 0 0 0 0 0 0 0 0 0 0
41046 - 0 0 0 0 0 0 0 0 0 0 0 0
41047 - 0 0 0 0 0 0 0 0 0 0 0 0
41048 - 0 0 0 0 0 0 0 0 0 0 0 0
41049 - 0 0 0 0 0 0 0 0 0 0 0 0
41050 - 0 0 0 0 0 0 0 0 0 0 0 0
41051 - 0 0 0 6 6 6 10 10 10 14 14 14
41052 - 22 22 22 26 26 26 30 30 30 34 34 34
41053 - 30 30 30 30 30 30 26 26 26 18 18 18
41054 - 14 14 14 10 10 10 6 6 6 0 0 0
41055 - 0 0 0 0 0 0 0 0 0 0 0 0
41056 - 0 0 0 0 0 0 0 0 0 0 0 0
41057 - 0 0 0 0 0 0 0 0 0 0 0 0
41058 - 0 0 0 0 0 0 0 0 0 0 0 0
41059 - 0 0 0 0 0 0 0 0 0 0 0 0
41060 - 0 0 0 0 0 0 0 0 0 0 0 0
41061 - 0 0 0 0 0 0 0 0 0 0 0 0
41062 - 0 0 0 0 0 0 0 0 0 0 0 0
41063 - 0 0 0 0 0 0 0 0 0 0 0 0
41064 - 0 0 0 0 0 1 0 0 1 0 0 0
41065 - 0 0 0 0 0 0 0 0 0 0 0 0
41066 - 0 0 0 0 0 0 0 0 0 0 0 0
41067 - 0 0 0 0 0 0 0 0 0 0 0 0
41068 - 0 0 0 0 0 0 0 0 0 0 0 0
41069 - 0 0 0 0 0 0 0 0 0 0 0 0
41070 - 0 0 0 0 0 0 0 0 0 0 0 0
41071 - 6 6 6 14 14 14 26 26 26 42 42 42
41072 - 54 54 54 66 66 66 78 78 78 78 78 78
41073 - 78 78 78 74 74 74 66 66 66 54 54 54
41074 - 42 42 42 26 26 26 18 18 18 10 10 10
41075 - 6 6 6 0 0 0 0 0 0 0 0 0
41076 - 0 0 0 0 0 0 0 0 0 0 0 0
41077 - 0 0 0 0 0 0 0 0 0 0 0 0
41078 - 0 0 0 0 0 0 0 0 0 0 0 0
41079 - 0 0 0 0 0 0 0 0 0 0 0 0
41080 - 0 0 0 0 0 0 0 0 0 0 0 0
41081 - 0 0 0 0 0 0 0 0 0 0 0 0
41082 - 0 0 0 0 0 0 0 0 0 0 0 0
41083 - 0 0 0 0 0 0 0 0 0 0 0 0
41084 - 0 0 1 0 0 0 0 0 0 0 0 0
41085 - 0 0 0 0 0 0 0 0 0 0 0 0
41086 - 0 0 0 0 0 0 0 0 0 0 0 0
41087 - 0 0 0 0 0 0 0 0 0 0 0 0
41088 - 0 0 0 0 0 0 0 0 0 0 0 0
41089 - 0 0 0 0 0 0 0 0 0 0 0 0
41090 - 0 0 0 0 0 0 0 0 0 10 10 10
41091 - 22 22 22 42 42 42 66 66 66 86 86 86
41092 - 66 66 66 38 38 38 38 38 38 22 22 22
41093 - 26 26 26 34 34 34 54 54 54 66 66 66
41094 - 86 86 86 70 70 70 46 46 46 26 26 26
41095 - 14 14 14 6 6 6 0 0 0 0 0 0
41096 - 0 0 0 0 0 0 0 0 0 0 0 0
41097 - 0 0 0 0 0 0 0 0 0 0 0 0
41098 - 0 0 0 0 0 0 0 0 0 0 0 0
41099 - 0 0 0 0 0 0 0 0 0 0 0 0
41100 - 0 0 0 0 0 0 0 0 0 0 0 0
41101 - 0 0 0 0 0 0 0 0 0 0 0 0
41102 - 0 0 0 0 0 0 0 0 0 0 0 0
41103 - 0 0 0 0 0 0 0 0 0 0 0 0
41104 - 0 0 1 0 0 1 0 0 1 0 0 0
41105 - 0 0 0 0 0 0 0 0 0 0 0 0
41106 - 0 0 0 0 0 0 0 0 0 0 0 0
41107 - 0 0 0 0 0 0 0 0 0 0 0 0
41108 - 0 0 0 0 0 0 0 0 0 0 0 0
41109 - 0 0 0 0 0 0 0 0 0 0 0 0
41110 - 0 0 0 0 0 0 10 10 10 26 26 26
41111 - 50 50 50 82 82 82 58 58 58 6 6 6
41112 - 2 2 6 2 2 6 2 2 6 2 2 6
41113 - 2 2 6 2 2 6 2 2 6 2 2 6
41114 - 6 6 6 54 54 54 86 86 86 66 66 66
41115 - 38 38 38 18 18 18 6 6 6 0 0 0
41116 - 0 0 0 0 0 0 0 0 0 0 0 0
41117 - 0 0 0 0 0 0 0 0 0 0 0 0
41118 - 0 0 0 0 0 0 0 0 0 0 0 0
41119 - 0 0 0 0 0 0 0 0 0 0 0 0
41120 - 0 0 0 0 0 0 0 0 0 0 0 0
41121 - 0 0 0 0 0 0 0 0 0 0 0 0
41122 - 0 0 0 0 0 0 0 0 0 0 0 0
41123 - 0 0 0 0 0 0 0 0 0 0 0 0
41124 - 0 0 0 0 0 0 0 0 0 0 0 0
41125 - 0 0 0 0 0 0 0 0 0 0 0 0
41126 - 0 0 0 0 0 0 0 0 0 0 0 0
41127 - 0 0 0 0 0 0 0 0 0 0 0 0
41128 - 0 0 0 0 0 0 0 0 0 0 0 0
41129 - 0 0 0 0 0 0 0 0 0 0 0 0
41130 - 0 0 0 6 6 6 22 22 22 50 50 50
41131 - 78 78 78 34 34 34 2 2 6 2 2 6
41132 - 2 2 6 2 2 6 2 2 6 2 2 6
41133 - 2 2 6 2 2 6 2 2 6 2 2 6
41134 - 2 2 6 2 2 6 6 6 6 70 70 70
41135 - 78 78 78 46 46 46 22 22 22 6 6 6
41136 - 0 0 0 0 0 0 0 0 0 0 0 0
41137 - 0 0 0 0 0 0 0 0 0 0 0 0
41138 - 0 0 0 0 0 0 0 0 0 0 0 0
41139 - 0 0 0 0 0 0 0 0 0 0 0 0
41140 - 0 0 0 0 0 0 0 0 0 0 0 0
41141 - 0 0 0 0 0 0 0 0 0 0 0 0
41142 - 0 0 0 0 0 0 0 0 0 0 0 0
41143 - 0 0 0 0 0 0 0 0 0 0 0 0
41144 - 0 0 1 0 0 1 0 0 1 0 0 0
41145 - 0 0 0 0 0 0 0 0 0 0 0 0
41146 - 0 0 0 0 0 0 0 0 0 0 0 0
41147 - 0 0 0 0 0 0 0 0 0 0 0 0
41148 - 0 0 0 0 0 0 0 0 0 0 0 0
41149 - 0 0 0 0 0 0 0 0 0 0 0 0
41150 - 6 6 6 18 18 18 42 42 42 82 82 82
41151 - 26 26 26 2 2 6 2 2 6 2 2 6
41152 - 2 2 6 2 2 6 2 2 6 2 2 6
41153 - 2 2 6 2 2 6 2 2 6 14 14 14
41154 - 46 46 46 34 34 34 6 6 6 2 2 6
41155 - 42 42 42 78 78 78 42 42 42 18 18 18
41156 - 6 6 6 0 0 0 0 0 0 0 0 0
41157 - 0 0 0 0 0 0 0 0 0 0 0 0
41158 - 0 0 0 0 0 0 0 0 0 0 0 0
41159 - 0 0 0 0 0 0 0 0 0 0 0 0
41160 - 0 0 0 0 0 0 0 0 0 0 0 0
41161 - 0 0 0 0 0 0 0 0 0 0 0 0
41162 - 0 0 0 0 0 0 0 0 0 0 0 0
41163 - 0 0 0 0 0 0 0 0 0 0 0 0
41164 - 0 0 1 0 0 0 0 0 1 0 0 0
41165 - 0 0 0 0 0 0 0 0 0 0 0 0
41166 - 0 0 0 0 0 0 0 0 0 0 0 0
41167 - 0 0 0 0 0 0 0 0 0 0 0 0
41168 - 0 0 0 0 0 0 0 0 0 0 0 0
41169 - 0 0 0 0 0 0 0 0 0 0 0 0
41170 - 10 10 10 30 30 30 66 66 66 58 58 58
41171 - 2 2 6 2 2 6 2 2 6 2 2 6
41172 - 2 2 6 2 2 6 2 2 6 2 2 6
41173 - 2 2 6 2 2 6 2 2 6 26 26 26
41174 - 86 86 86 101 101 101 46 46 46 10 10 10
41175 - 2 2 6 58 58 58 70 70 70 34 34 34
41176 - 10 10 10 0 0 0 0 0 0 0 0 0
41177 - 0 0 0 0 0 0 0 0 0 0 0 0
41178 - 0 0 0 0 0 0 0 0 0 0 0 0
41179 - 0 0 0 0 0 0 0 0 0 0 0 0
41180 - 0 0 0 0 0 0 0 0 0 0 0 0
41181 - 0 0 0 0 0 0 0 0 0 0 0 0
41182 - 0 0 0 0 0 0 0 0 0 0 0 0
41183 - 0 0 0 0 0 0 0 0 0 0 0 0
41184 - 0 0 1 0 0 1 0 0 1 0 0 0
41185 - 0 0 0 0 0 0 0 0 0 0 0 0
41186 - 0 0 0 0 0 0 0 0 0 0 0 0
41187 - 0 0 0 0 0 0 0 0 0 0 0 0
41188 - 0 0 0 0 0 0 0 0 0 0 0 0
41189 - 0 0 0 0 0 0 0 0 0 0 0 0
41190 - 14 14 14 42 42 42 86 86 86 10 10 10
41191 - 2 2 6 2 2 6 2 2 6 2 2 6
41192 - 2 2 6 2 2 6 2 2 6 2 2 6
41193 - 2 2 6 2 2 6 2 2 6 30 30 30
41194 - 94 94 94 94 94 94 58 58 58 26 26 26
41195 - 2 2 6 6 6 6 78 78 78 54 54 54
41196 - 22 22 22 6 6 6 0 0 0 0 0 0
41197 - 0 0 0 0 0 0 0 0 0 0 0 0
41198 - 0 0 0 0 0 0 0 0 0 0 0 0
41199 - 0 0 0 0 0 0 0 0 0 0 0 0
41200 - 0 0 0 0 0 0 0 0 0 0 0 0
41201 - 0 0 0 0 0 0 0 0 0 0 0 0
41202 - 0 0 0 0 0 0 0 0 0 0 0 0
41203 - 0 0 0 0 0 0 0 0 0 0 0 0
41204 - 0 0 0 0 0 0 0 0 0 0 0 0
41205 - 0 0 0 0 0 0 0 0 0 0 0 0
41206 - 0 0 0 0 0 0 0 0 0 0 0 0
41207 - 0 0 0 0 0 0 0 0 0 0 0 0
41208 - 0 0 0 0 0 0 0 0 0 0 0 0
41209 - 0 0 0 0 0 0 0 0 0 6 6 6
41210 - 22 22 22 62 62 62 62 62 62 2 2 6
41211 - 2 2 6 2 2 6 2 2 6 2 2 6
41212 - 2 2 6 2 2 6 2 2 6 2 2 6
41213 - 2 2 6 2 2 6 2 2 6 26 26 26
41214 - 54 54 54 38 38 38 18 18 18 10 10 10
41215 - 2 2 6 2 2 6 34 34 34 82 82 82
41216 - 38 38 38 14 14 14 0 0 0 0 0 0
41217 - 0 0 0 0 0 0 0 0 0 0 0 0
41218 - 0 0 0 0 0 0 0 0 0 0 0 0
41219 - 0 0 0 0 0 0 0 0 0 0 0 0
41220 - 0 0 0 0 0 0 0 0 0 0 0 0
41221 - 0 0 0 0 0 0 0 0 0 0 0 0
41222 - 0 0 0 0 0 0 0 0 0 0 0 0
41223 - 0 0 0 0 0 0 0 0 0 0 0 0
41224 - 0 0 0 0 0 1 0 0 1 0 0 0
41225 - 0 0 0 0 0 0 0 0 0 0 0 0
41226 - 0 0 0 0 0 0 0 0 0 0 0 0
41227 - 0 0 0 0 0 0 0 0 0 0 0 0
41228 - 0 0 0 0 0 0 0 0 0 0 0 0
41229 - 0 0 0 0 0 0 0 0 0 6 6 6
41230 - 30 30 30 78 78 78 30 30 30 2 2 6
41231 - 2 2 6 2 2 6 2 2 6 2 2 6
41232 - 2 2 6 2 2 6 2 2 6 2 2 6
41233 - 2 2 6 2 2 6 2 2 6 10 10 10
41234 - 10 10 10 2 2 6 2 2 6 2 2 6
41235 - 2 2 6 2 2 6 2 2 6 78 78 78
41236 - 50 50 50 18 18 18 6 6 6 0 0 0
41237 - 0 0 0 0 0 0 0 0 0 0 0 0
41238 - 0 0 0 0 0 0 0 0 0 0 0 0
41239 - 0 0 0 0 0 0 0 0 0 0 0 0
41240 - 0 0 0 0 0 0 0 0 0 0 0 0
41241 - 0 0 0 0 0 0 0 0 0 0 0 0
41242 - 0 0 0 0 0 0 0 0 0 0 0 0
41243 - 0 0 0 0 0 0 0 0 0 0 0 0
41244 - 0 0 1 0 0 0 0 0 0 0 0 0
41245 - 0 0 0 0 0 0 0 0 0 0 0 0
41246 - 0 0 0 0 0 0 0 0 0 0 0 0
41247 - 0 0 0 0 0 0 0 0 0 0 0 0
41248 - 0 0 0 0 0 0 0 0 0 0 0 0
41249 - 0 0 0 0 0 0 0 0 0 10 10 10
41250 - 38 38 38 86 86 86 14 14 14 2 2 6
41251 - 2 2 6 2 2 6 2 2 6 2 2 6
41252 - 2 2 6 2 2 6 2 2 6 2 2 6
41253 - 2 2 6 2 2 6 2 2 6 2 2 6
41254 - 2 2 6 2 2 6 2 2 6 2 2 6
41255 - 2 2 6 2 2 6 2 2 6 54 54 54
41256 - 66 66 66 26 26 26 6 6 6 0 0 0
41257 - 0 0 0 0 0 0 0 0 0 0 0 0
41258 - 0 0 0 0 0 0 0 0 0 0 0 0
41259 - 0 0 0 0 0 0 0 0 0 0 0 0
41260 - 0 0 0 0 0 0 0 0 0 0 0 0
41261 - 0 0 0 0 0 0 0 0 0 0 0 0
41262 - 0 0 0 0 0 0 0 0 0 0 0 0
41263 - 0 0 0 0 0 0 0 0 0 0 0 0
41264 - 0 0 0 0 0 1 0 0 1 0 0 0
41265 - 0 0 0 0 0 0 0 0 0 0 0 0
41266 - 0 0 0 0 0 0 0 0 0 0 0 0
41267 - 0 0 0 0 0 0 0 0 0 0 0 0
41268 - 0 0 0 0 0 0 0 0 0 0 0 0
41269 - 0 0 0 0 0 0 0 0 0 14 14 14
41270 - 42 42 42 82 82 82 2 2 6 2 2 6
41271 - 2 2 6 6 6 6 10 10 10 2 2 6
41272 - 2 2 6 2 2 6 2 2 6 2 2 6
41273 - 2 2 6 2 2 6 2 2 6 6 6 6
41274 - 14 14 14 10 10 10 2 2 6 2 2 6
41275 - 2 2 6 2 2 6 2 2 6 18 18 18
41276 - 82 82 82 34 34 34 10 10 10 0 0 0
41277 - 0 0 0 0 0 0 0 0 0 0 0 0
41278 - 0 0 0 0 0 0 0 0 0 0 0 0
41279 - 0 0 0 0 0 0 0 0 0 0 0 0
41280 - 0 0 0 0 0 0 0 0 0 0 0 0
41281 - 0 0 0 0 0 0 0 0 0 0 0 0
41282 - 0 0 0 0 0 0 0 0 0 0 0 0
41283 - 0 0 0 0 0 0 0 0 0 0 0 0
41284 - 0 0 1 0 0 0 0 0 0 0 0 0
41285 - 0 0 0 0 0 0 0 0 0 0 0 0
41286 - 0 0 0 0 0 0 0 0 0 0 0 0
41287 - 0 0 0 0 0 0 0 0 0 0 0 0
41288 - 0 0 0 0 0 0 0 0 0 0 0 0
41289 - 0 0 0 0 0 0 0 0 0 14 14 14
41290 - 46 46 46 86 86 86 2 2 6 2 2 6
41291 - 6 6 6 6 6 6 22 22 22 34 34 34
41292 - 6 6 6 2 2 6 2 2 6 2 2 6
41293 - 2 2 6 2 2 6 18 18 18 34 34 34
41294 - 10 10 10 50 50 50 22 22 22 2 2 6
41295 - 2 2 6 2 2 6 2 2 6 10 10 10
41296 - 86 86 86 42 42 42 14 14 14 0 0 0
41297 - 0 0 0 0 0 0 0 0 0 0 0 0
41298 - 0 0 0 0 0 0 0 0 0 0 0 0
41299 - 0 0 0 0 0 0 0 0 0 0 0 0
41300 - 0 0 0 0 0 0 0 0 0 0 0 0
41301 - 0 0 0 0 0 0 0 0 0 0 0 0
41302 - 0 0 0 0 0 0 0 0 0 0 0 0
41303 - 0 0 0 0 0 0 0 0 0 0 0 0
41304 - 0 0 1 0 0 1 0 0 1 0 0 0
41305 - 0 0 0 0 0 0 0 0 0 0 0 0
41306 - 0 0 0 0 0 0 0 0 0 0 0 0
41307 - 0 0 0 0 0 0 0 0 0 0 0 0
41308 - 0 0 0 0 0 0 0 0 0 0 0 0
41309 - 0 0 0 0 0 0 0 0 0 14 14 14
41310 - 46 46 46 86 86 86 2 2 6 2 2 6
41311 - 38 38 38 116 116 116 94 94 94 22 22 22
41312 - 22 22 22 2 2 6 2 2 6 2 2 6
41313 - 14 14 14 86 86 86 138 138 138 162 162 162
41314 -154 154 154 38 38 38 26 26 26 6 6 6
41315 - 2 2 6 2 2 6 2 2 6 2 2 6
41316 - 86 86 86 46 46 46 14 14 14 0 0 0
41317 - 0 0 0 0 0 0 0 0 0 0 0 0
41318 - 0 0 0 0 0 0 0 0 0 0 0 0
41319 - 0 0 0 0 0 0 0 0 0 0 0 0
41320 - 0 0 0 0 0 0 0 0 0 0 0 0
41321 - 0 0 0 0 0 0 0 0 0 0 0 0
41322 - 0 0 0 0 0 0 0 0 0 0 0 0
41323 - 0 0 0 0 0 0 0 0 0 0 0 0
41324 - 0 0 0 0 0 0 0 0 0 0 0 0
41325 - 0 0 0 0 0 0 0 0 0 0 0 0
41326 - 0 0 0 0 0 0 0 0 0 0 0 0
41327 - 0 0 0 0 0 0 0 0 0 0 0 0
41328 - 0 0 0 0 0 0 0 0 0 0 0 0
41329 - 0 0 0 0 0 0 0 0 0 14 14 14
41330 - 46 46 46 86 86 86 2 2 6 14 14 14
41331 -134 134 134 198 198 198 195 195 195 116 116 116
41332 - 10 10 10 2 2 6 2 2 6 6 6 6
41333 -101 98 89 187 187 187 210 210 210 218 218 218
41334 -214 214 214 134 134 134 14 14 14 6 6 6
41335 - 2 2 6 2 2 6 2 2 6 2 2 6
41336 - 86 86 86 50 50 50 18 18 18 6 6 6
41337 - 0 0 0 0 0 0 0 0 0 0 0 0
41338 - 0 0 0 0 0 0 0 0 0 0 0 0
41339 - 0 0 0 0 0 0 0 0 0 0 0 0
41340 - 0 0 0 0 0 0 0 0 0 0 0 0
41341 - 0 0 0 0 0 0 0 0 0 0 0 0
41342 - 0 0 0 0 0 0 0 0 0 0 0 0
41343 - 0 0 0 0 0 0 0 0 1 0 0 0
41344 - 0 0 1 0 0 1 0 0 1 0 0 0
41345 - 0 0 0 0 0 0 0 0 0 0 0 0
41346 - 0 0 0 0 0 0 0 0 0 0 0 0
41347 - 0 0 0 0 0 0 0 0 0 0 0 0
41348 - 0 0 0 0 0 0 0 0 0 0 0 0
41349 - 0 0 0 0 0 0 0 0 0 14 14 14
41350 - 46 46 46 86 86 86 2 2 6 54 54 54
41351 -218 218 218 195 195 195 226 226 226 246 246 246
41352 - 58 58 58 2 2 6 2 2 6 30 30 30
41353 -210 210 210 253 253 253 174 174 174 123 123 123
41354 -221 221 221 234 234 234 74 74 74 2 2 6
41355 - 2 2 6 2 2 6 2 2 6 2 2 6
41356 - 70 70 70 58 58 58 22 22 22 6 6 6
41357 - 0 0 0 0 0 0 0 0 0 0 0 0
41358 - 0 0 0 0 0 0 0 0 0 0 0 0
41359 - 0 0 0 0 0 0 0 0 0 0 0 0
41360 - 0 0 0 0 0 0 0 0 0 0 0 0
41361 - 0 0 0 0 0 0 0 0 0 0 0 0
41362 - 0 0 0 0 0 0 0 0 0 0 0 0
41363 - 0 0 0 0 0 0 0 0 0 0 0 0
41364 - 0 0 0 0 0 0 0 0 0 0 0 0
41365 - 0 0 0 0 0 0 0 0 0 0 0 0
41366 - 0 0 0 0 0 0 0 0 0 0 0 0
41367 - 0 0 0 0 0 0 0 0 0 0 0 0
41368 - 0 0 0 0 0 0 0 0 0 0 0 0
41369 - 0 0 0 0 0 0 0 0 0 14 14 14
41370 - 46 46 46 82 82 82 2 2 6 106 106 106
41371 -170 170 170 26 26 26 86 86 86 226 226 226
41372 -123 123 123 10 10 10 14 14 14 46 46 46
41373 -231 231 231 190 190 190 6 6 6 70 70 70
41374 - 90 90 90 238 238 238 158 158 158 2 2 6
41375 - 2 2 6 2 2 6 2 2 6 2 2 6
41376 - 70 70 70 58 58 58 22 22 22 6 6 6
41377 - 0 0 0 0 0 0 0 0 0 0 0 0
41378 - 0 0 0 0 0 0 0 0 0 0 0 0
41379 - 0 0 0 0 0 0 0 0 0 0 0 0
41380 - 0 0 0 0 0 0 0 0 0 0 0 0
41381 - 0 0 0 0 0 0 0 0 0 0 0 0
41382 - 0 0 0 0 0 0 0 0 0 0 0 0
41383 - 0 0 0 0 0 0 0 0 1 0 0 0
41384 - 0 0 1 0 0 1 0 0 1 0 0 0
41385 - 0 0 0 0 0 0 0 0 0 0 0 0
41386 - 0 0 0 0 0 0 0 0 0 0 0 0
41387 - 0 0 0 0 0 0 0 0 0 0 0 0
41388 - 0 0 0 0 0 0 0 0 0 0 0 0
41389 - 0 0 0 0 0 0 0 0 0 14 14 14
41390 - 42 42 42 86 86 86 6 6 6 116 116 116
41391 -106 106 106 6 6 6 70 70 70 149 149 149
41392 -128 128 128 18 18 18 38 38 38 54 54 54
41393 -221 221 221 106 106 106 2 2 6 14 14 14
41394 - 46 46 46 190 190 190 198 198 198 2 2 6
41395 - 2 2 6 2 2 6 2 2 6 2 2 6
41396 - 74 74 74 62 62 62 22 22 22 6 6 6
41397 - 0 0 0 0 0 0 0 0 0 0 0 0
41398 - 0 0 0 0 0 0 0 0 0 0 0 0
41399 - 0 0 0 0 0 0 0 0 0 0 0 0
41400 - 0 0 0 0 0 0 0 0 0 0 0 0
41401 - 0 0 0 0 0 0 0 0 0 0 0 0
41402 - 0 0 0 0 0 0 0 0 0 0 0 0
41403 - 0 0 0 0 0 0 0 0 1 0 0 0
41404 - 0 0 1 0 0 0 0 0 1 0 0 0
41405 - 0 0 0 0 0 0 0 0 0 0 0 0
41406 - 0 0 0 0 0 0 0 0 0 0 0 0
41407 - 0 0 0 0 0 0 0 0 0 0 0 0
41408 - 0 0 0 0 0 0 0 0 0 0 0 0
41409 - 0 0 0 0 0 0 0 0 0 14 14 14
41410 - 42 42 42 94 94 94 14 14 14 101 101 101
41411 -128 128 128 2 2 6 18 18 18 116 116 116
41412 -118 98 46 121 92 8 121 92 8 98 78 10
41413 -162 162 162 106 106 106 2 2 6 2 2 6
41414 - 2 2 6 195 195 195 195 195 195 6 6 6
41415 - 2 2 6 2 2 6 2 2 6 2 2 6
41416 - 74 74 74 62 62 62 22 22 22 6 6 6
41417 - 0 0 0 0 0 0 0 0 0 0 0 0
41418 - 0 0 0 0 0 0 0 0 0 0 0 0
41419 - 0 0 0 0 0 0 0 0 0 0 0 0
41420 - 0 0 0 0 0 0 0 0 0 0 0 0
41421 - 0 0 0 0 0 0 0 0 0 0 0 0
41422 - 0 0 0 0 0 0 0 0 0 0 0 0
41423 - 0 0 0 0 0 0 0 0 1 0 0 1
41424 - 0 0 1 0 0 0 0 0 1 0 0 0
41425 - 0 0 0 0 0 0 0 0 0 0 0 0
41426 - 0 0 0 0 0 0 0 0 0 0 0 0
41427 - 0 0 0 0 0 0 0 0 0 0 0 0
41428 - 0 0 0 0 0 0 0 0 0 0 0 0
41429 - 0 0 0 0 0 0 0 0 0 10 10 10
41430 - 38 38 38 90 90 90 14 14 14 58 58 58
41431 -210 210 210 26 26 26 54 38 6 154 114 10
41432 -226 170 11 236 186 11 225 175 15 184 144 12
41433 -215 174 15 175 146 61 37 26 9 2 2 6
41434 - 70 70 70 246 246 246 138 138 138 2 2 6
41435 - 2 2 6 2 2 6 2 2 6 2 2 6
41436 - 70 70 70 66 66 66 26 26 26 6 6 6
41437 - 0 0 0 0 0 0 0 0 0 0 0 0
41438 - 0 0 0 0 0 0 0 0 0 0 0 0
41439 - 0 0 0 0 0 0 0 0 0 0 0 0
41440 - 0 0 0 0 0 0 0 0 0 0 0 0
41441 - 0 0 0 0 0 0 0 0 0 0 0 0
41442 - 0 0 0 0 0 0 0 0 0 0 0 0
41443 - 0 0 0 0 0 0 0 0 0 0 0 0
41444 - 0 0 0 0 0 0 0 0 0 0 0 0
41445 - 0 0 0 0 0 0 0 0 0 0 0 0
41446 - 0 0 0 0 0 0 0 0 0 0 0 0
41447 - 0 0 0 0 0 0 0 0 0 0 0 0
41448 - 0 0 0 0 0 0 0 0 0 0 0 0
41449 - 0 0 0 0 0 0 0 0 0 10 10 10
41450 - 38 38 38 86 86 86 14 14 14 10 10 10
41451 -195 195 195 188 164 115 192 133 9 225 175 15
41452 -239 182 13 234 190 10 232 195 16 232 200 30
41453 -245 207 45 241 208 19 232 195 16 184 144 12
41454 -218 194 134 211 206 186 42 42 42 2 2 6
41455 - 2 2 6 2 2 6 2 2 6 2 2 6
41456 - 50 50 50 74 74 74 30 30 30 6 6 6
41457 - 0 0 0 0 0 0 0 0 0 0 0 0
41458 - 0 0 0 0 0 0 0 0 0 0 0 0
41459 - 0 0 0 0 0 0 0 0 0 0 0 0
41460 - 0 0 0 0 0 0 0 0 0 0 0 0
41461 - 0 0 0 0 0 0 0 0 0 0 0 0
41462 - 0 0 0 0 0 0 0 0 0 0 0 0
41463 - 0 0 0 0 0 0 0 0 0 0 0 0
41464 - 0 0 0 0 0 0 0 0 0 0 0 0
41465 - 0 0 0 0 0 0 0 0 0 0 0 0
41466 - 0 0 0 0 0 0 0 0 0 0 0 0
41467 - 0 0 0 0 0 0 0 0 0 0 0 0
41468 - 0 0 0 0 0 0 0 0 0 0 0 0
41469 - 0 0 0 0 0 0 0 0 0 10 10 10
41470 - 34 34 34 86 86 86 14 14 14 2 2 6
41471 -121 87 25 192 133 9 219 162 10 239 182 13
41472 -236 186 11 232 195 16 241 208 19 244 214 54
41473 -246 218 60 246 218 38 246 215 20 241 208 19
41474 -241 208 19 226 184 13 121 87 25 2 2 6
41475 - 2 2 6 2 2 6 2 2 6 2 2 6
41476 - 50 50 50 82 82 82 34 34 34 10 10 10
41477 - 0 0 0 0 0 0 0 0 0 0 0 0
41478 - 0 0 0 0 0 0 0 0 0 0 0 0
41479 - 0 0 0 0 0 0 0 0 0 0 0 0
41480 - 0 0 0 0 0 0 0 0 0 0 0 0
41481 - 0 0 0 0 0 0 0 0 0 0 0 0
41482 - 0 0 0 0 0 0 0 0 0 0 0 0
41483 - 0 0 0 0 0 0 0 0 0 0 0 0
41484 - 0 0 0 0 0 0 0 0 0 0 0 0
41485 - 0 0 0 0 0 0 0 0 0 0 0 0
41486 - 0 0 0 0 0 0 0 0 0 0 0 0
41487 - 0 0 0 0 0 0 0 0 0 0 0 0
41488 - 0 0 0 0 0 0 0 0 0 0 0 0
41489 - 0 0 0 0 0 0 0 0 0 10 10 10
41490 - 34 34 34 82 82 82 30 30 30 61 42 6
41491 -180 123 7 206 145 10 230 174 11 239 182 13
41492 -234 190 10 238 202 15 241 208 19 246 218 74
41493 -246 218 38 246 215 20 246 215 20 246 215 20
41494 -226 184 13 215 174 15 184 144 12 6 6 6
41495 - 2 2 6 2 2 6 2 2 6 2 2 6
41496 - 26 26 26 94 94 94 42 42 42 14 14 14
41497 - 0 0 0 0 0 0 0 0 0 0 0 0
41498 - 0 0 0 0 0 0 0 0 0 0 0 0
41499 - 0 0 0 0 0 0 0 0 0 0 0 0
41500 - 0 0 0 0 0 0 0 0 0 0 0 0
41501 - 0 0 0 0 0 0 0 0 0 0 0 0
41502 - 0 0 0 0 0 0 0 0 0 0 0 0
41503 - 0 0 0 0 0 0 0 0 0 0 0 0
41504 - 0 0 0 0 0 0 0 0 0 0 0 0
41505 - 0 0 0 0 0 0 0 0 0 0 0 0
41506 - 0 0 0 0 0 0 0 0 0 0 0 0
41507 - 0 0 0 0 0 0 0 0 0 0 0 0
41508 - 0 0 0 0 0 0 0 0 0 0 0 0
41509 - 0 0 0 0 0 0 0 0 0 10 10 10
41510 - 30 30 30 78 78 78 50 50 50 104 69 6
41511 -192 133 9 216 158 10 236 178 12 236 186 11
41512 -232 195 16 241 208 19 244 214 54 245 215 43
41513 -246 215 20 246 215 20 241 208 19 198 155 10
41514 -200 144 11 216 158 10 156 118 10 2 2 6
41515 - 2 2 6 2 2 6 2 2 6 2 2 6
41516 - 6 6 6 90 90 90 54 54 54 18 18 18
41517 - 6 6 6 0 0 0 0 0 0 0 0 0
41518 - 0 0 0 0 0 0 0 0 0 0 0 0
41519 - 0 0 0 0 0 0 0 0 0 0 0 0
41520 - 0 0 0 0 0 0 0 0 0 0 0 0
41521 - 0 0 0 0 0 0 0 0 0 0 0 0
41522 - 0 0 0 0 0 0 0 0 0 0 0 0
41523 - 0 0 0 0 0 0 0 0 0 0 0 0
41524 - 0 0 0 0 0 0 0 0 0 0 0 0
41525 - 0 0 0 0 0 0 0 0 0 0 0 0
41526 - 0 0 0 0 0 0 0 0 0 0 0 0
41527 - 0 0 0 0 0 0 0 0 0 0 0 0
41528 - 0 0 0 0 0 0 0 0 0 0 0 0
41529 - 0 0 0 0 0 0 0 0 0 10 10 10
41530 - 30 30 30 78 78 78 46 46 46 22 22 22
41531 -137 92 6 210 162 10 239 182 13 238 190 10
41532 -238 202 15 241 208 19 246 215 20 246 215 20
41533 -241 208 19 203 166 17 185 133 11 210 150 10
41534 -216 158 10 210 150 10 102 78 10 2 2 6
41535 - 6 6 6 54 54 54 14 14 14 2 2 6
41536 - 2 2 6 62 62 62 74 74 74 30 30 30
41537 - 10 10 10 0 0 0 0 0 0 0 0 0
41538 - 0 0 0 0 0 0 0 0 0 0 0 0
41539 - 0 0 0 0 0 0 0 0 0 0 0 0
41540 - 0 0 0 0 0 0 0 0 0 0 0 0
41541 - 0 0 0 0 0 0 0 0 0 0 0 0
41542 - 0 0 0 0 0 0 0 0 0 0 0 0
41543 - 0 0 0 0 0 0 0 0 0 0 0 0
41544 - 0 0 0 0 0 0 0 0 0 0 0 0
41545 - 0 0 0 0 0 0 0 0 0 0 0 0
41546 - 0 0 0 0 0 0 0 0 0 0 0 0
41547 - 0 0 0 0 0 0 0 0 0 0 0 0
41548 - 0 0 0 0 0 0 0 0 0 0 0 0
41549 - 0 0 0 0 0 0 0 0 0 10 10 10
41550 - 34 34 34 78 78 78 50 50 50 6 6 6
41551 - 94 70 30 139 102 15 190 146 13 226 184 13
41552 -232 200 30 232 195 16 215 174 15 190 146 13
41553 -168 122 10 192 133 9 210 150 10 213 154 11
41554 -202 150 34 182 157 106 101 98 89 2 2 6
41555 - 2 2 6 78 78 78 116 116 116 58 58 58
41556 - 2 2 6 22 22 22 90 90 90 46 46 46
41557 - 18 18 18 6 6 6 0 0 0 0 0 0
41558 - 0 0 0 0 0 0 0 0 0 0 0 0
41559 - 0 0 0 0 0 0 0 0 0 0 0 0
41560 - 0 0 0 0 0 0 0 0 0 0 0 0
41561 - 0 0 0 0 0 0 0 0 0 0 0 0
41562 - 0 0 0 0 0 0 0 0 0 0 0 0
41563 - 0 0 0 0 0 0 0 0 0 0 0 0
41564 - 0 0 0 0 0 0 0 0 0 0 0 0
41565 - 0 0 0 0 0 0 0 0 0 0 0 0
41566 - 0 0 0 0 0 0 0 0 0 0 0 0
41567 - 0 0 0 0 0 0 0 0 0 0 0 0
41568 - 0 0 0 0 0 0 0 0 0 0 0 0
41569 - 0 0 0 0 0 0 0 0 0 10 10 10
41570 - 38 38 38 86 86 86 50 50 50 6 6 6
41571 -128 128 128 174 154 114 156 107 11 168 122 10
41572 -198 155 10 184 144 12 197 138 11 200 144 11
41573 -206 145 10 206 145 10 197 138 11 188 164 115
41574 -195 195 195 198 198 198 174 174 174 14 14 14
41575 - 2 2 6 22 22 22 116 116 116 116 116 116
41576 - 22 22 22 2 2 6 74 74 74 70 70 70
41577 - 30 30 30 10 10 10 0 0 0 0 0 0
41578 - 0 0 0 0 0 0 0 0 0 0 0 0
41579 - 0 0 0 0 0 0 0 0 0 0 0 0
41580 - 0 0 0 0 0 0 0 0 0 0 0 0
41581 - 0 0 0 0 0 0 0 0 0 0 0 0
41582 - 0 0 0 0 0 0 0 0 0 0 0 0
41583 - 0 0 0 0 0 0 0 0 0 0 0 0
41584 - 0 0 0 0 0 0 0 0 0 0 0 0
41585 - 0 0 0 0 0 0 0 0 0 0 0 0
41586 - 0 0 0 0 0 0 0 0 0 0 0 0
41587 - 0 0 0 0 0 0 0 0 0 0 0 0
41588 - 0 0 0 0 0 0 0 0 0 0 0 0
41589 - 0 0 0 0 0 0 6 6 6 18 18 18
41590 - 50 50 50 101 101 101 26 26 26 10 10 10
41591 -138 138 138 190 190 190 174 154 114 156 107 11
41592 -197 138 11 200 144 11 197 138 11 192 133 9
41593 -180 123 7 190 142 34 190 178 144 187 187 187
41594 -202 202 202 221 221 221 214 214 214 66 66 66
41595 - 2 2 6 2 2 6 50 50 50 62 62 62
41596 - 6 6 6 2 2 6 10 10 10 90 90 90
41597 - 50 50 50 18 18 18 6 6 6 0 0 0
41598 - 0 0 0 0 0 0 0 0 0 0 0 0
41599 - 0 0 0 0 0 0 0 0 0 0 0 0
41600 - 0 0 0 0 0 0 0 0 0 0 0 0
41601 - 0 0 0 0 0 0 0 0 0 0 0 0
41602 - 0 0 0 0 0 0 0 0 0 0 0 0
41603 - 0 0 0 0 0 0 0 0 0 0 0 0
41604 - 0 0 0 0 0 0 0 0 0 0 0 0
41605 - 0 0 0 0 0 0 0 0 0 0 0 0
41606 - 0 0 0 0 0 0 0 0 0 0 0 0
41607 - 0 0 0 0 0 0 0 0 0 0 0 0
41608 - 0 0 0 0 0 0 0 0 0 0 0 0
41609 - 0 0 0 0 0 0 10 10 10 34 34 34
41610 - 74 74 74 74 74 74 2 2 6 6 6 6
41611 -144 144 144 198 198 198 190 190 190 178 166 146
41612 -154 121 60 156 107 11 156 107 11 168 124 44
41613 -174 154 114 187 187 187 190 190 190 210 210 210
41614 -246 246 246 253 253 253 253 253 253 182 182 182
41615 - 6 6 6 2 2 6 2 2 6 2 2 6
41616 - 2 2 6 2 2 6 2 2 6 62 62 62
41617 - 74 74 74 34 34 34 14 14 14 0 0 0
41618 - 0 0 0 0 0 0 0 0 0 0 0 0
41619 - 0 0 0 0 0 0 0 0 0 0 0 0
41620 - 0 0 0 0 0 0 0 0 0 0 0 0
41621 - 0 0 0 0 0 0 0 0 0 0 0 0
41622 - 0 0 0 0 0 0 0 0 0 0 0 0
41623 - 0 0 0 0 0 0 0 0 0 0 0 0
41624 - 0 0 0 0 0 0 0 0 0 0 0 0
41625 - 0 0 0 0 0 0 0 0 0 0 0 0
41626 - 0 0 0 0 0 0 0 0 0 0 0 0
41627 - 0 0 0 0 0 0 0 0 0 0 0 0
41628 - 0 0 0 0 0 0 0 0 0 0 0 0
41629 - 0 0 0 10 10 10 22 22 22 54 54 54
41630 - 94 94 94 18 18 18 2 2 6 46 46 46
41631 -234 234 234 221 221 221 190 190 190 190 190 190
41632 -190 190 190 187 187 187 187 187 187 190 190 190
41633 -190 190 190 195 195 195 214 214 214 242 242 242
41634 -253 253 253 253 253 253 253 253 253 253 253 253
41635 - 82 82 82 2 2 6 2 2 6 2 2 6
41636 - 2 2 6 2 2 6 2 2 6 14 14 14
41637 - 86 86 86 54 54 54 22 22 22 6 6 6
41638 - 0 0 0 0 0 0 0 0 0 0 0 0
41639 - 0 0 0 0 0 0 0 0 0 0 0 0
41640 - 0 0 0 0 0 0 0 0 0 0 0 0
41641 - 0 0 0 0 0 0 0 0 0 0 0 0
41642 - 0 0 0 0 0 0 0 0 0 0 0 0
41643 - 0 0 0 0 0 0 0 0 0 0 0 0
41644 - 0 0 0 0 0 0 0 0 0 0 0 0
41645 - 0 0 0 0 0 0 0 0 0 0 0 0
41646 - 0 0 0 0 0 0 0 0 0 0 0 0
41647 - 0 0 0 0 0 0 0 0 0 0 0 0
41648 - 0 0 0 0 0 0 0 0 0 0 0 0
41649 - 6 6 6 18 18 18 46 46 46 90 90 90
41650 - 46 46 46 18 18 18 6 6 6 182 182 182
41651 -253 253 253 246 246 246 206 206 206 190 190 190
41652 -190 190 190 190 190 190 190 190 190 190 190 190
41653 -206 206 206 231 231 231 250 250 250 253 253 253
41654 -253 253 253 253 253 253 253 253 253 253 253 253
41655 -202 202 202 14 14 14 2 2 6 2 2 6
41656 - 2 2 6 2 2 6 2 2 6 2 2 6
41657 - 42 42 42 86 86 86 42 42 42 18 18 18
41658 - 6 6 6 0 0 0 0 0 0 0 0 0
41659 - 0 0 0 0 0 0 0 0 0 0 0 0
41660 - 0 0 0 0 0 0 0 0 0 0 0 0
41661 - 0 0 0 0 0 0 0 0 0 0 0 0
41662 - 0 0 0 0 0 0 0 0 0 0 0 0
41663 - 0 0 0 0 0 0 0 0 0 0 0 0
41664 - 0 0 0 0 0 0 0 0 0 0 0 0
41665 - 0 0 0 0 0 0 0 0 0 0 0 0
41666 - 0 0 0 0 0 0 0 0 0 0 0 0
41667 - 0 0 0 0 0 0 0 0 0 0 0 0
41668 - 0 0 0 0 0 0 0 0 0 6 6 6
41669 - 14 14 14 38 38 38 74 74 74 66 66 66
41670 - 2 2 6 6 6 6 90 90 90 250 250 250
41671 -253 253 253 253 253 253 238 238 238 198 198 198
41672 -190 190 190 190 190 190 195 195 195 221 221 221
41673 -246 246 246 253 253 253 253 253 253 253 253 253
41674 -253 253 253 253 253 253 253 253 253 253 253 253
41675 -253 253 253 82 82 82 2 2 6 2 2 6
41676 - 2 2 6 2 2 6 2 2 6 2 2 6
41677 - 2 2 6 78 78 78 70 70 70 34 34 34
41678 - 14 14 14 6 6 6 0 0 0 0 0 0
41679 - 0 0 0 0 0 0 0 0 0 0 0 0
41680 - 0 0 0 0 0 0 0 0 0 0 0 0
41681 - 0 0 0 0 0 0 0 0 0 0 0 0
41682 - 0 0 0 0 0 0 0 0 0 0 0 0
41683 - 0 0 0 0 0 0 0 0 0 0 0 0
41684 - 0 0 0 0 0 0 0 0 0 0 0 0
41685 - 0 0 0 0 0 0 0 0 0 0 0 0
41686 - 0 0 0 0 0 0 0 0 0 0 0 0
41687 - 0 0 0 0 0 0 0 0 0 0 0 0
41688 - 0 0 0 0 0 0 0 0 0 14 14 14
41689 - 34 34 34 66 66 66 78 78 78 6 6 6
41690 - 2 2 6 18 18 18 218 218 218 253 253 253
41691 -253 253 253 253 253 253 253 253 253 246 246 246
41692 -226 226 226 231 231 231 246 246 246 253 253 253
41693 -253 253 253 253 253 253 253 253 253 253 253 253
41694 -253 253 253 253 253 253 253 253 253 253 253 253
41695 -253 253 253 178 178 178 2 2 6 2 2 6
41696 - 2 2 6 2 2 6 2 2 6 2 2 6
41697 - 2 2 6 18 18 18 90 90 90 62 62 62
41698 - 30 30 30 10 10 10 0 0 0 0 0 0
41699 - 0 0 0 0 0 0 0 0 0 0 0 0
41700 - 0 0 0 0 0 0 0 0 0 0 0 0
41701 - 0 0 0 0 0 0 0 0 0 0 0 0
41702 - 0 0 0 0 0 0 0 0 0 0 0 0
41703 - 0 0 0 0 0 0 0 0 0 0 0 0
41704 - 0 0 0 0 0 0 0 0 0 0 0 0
41705 - 0 0 0 0 0 0 0 0 0 0 0 0
41706 - 0 0 0 0 0 0 0 0 0 0 0 0
41707 - 0 0 0 0 0 0 0 0 0 0 0 0
41708 - 0 0 0 0 0 0 10 10 10 26 26 26
41709 - 58 58 58 90 90 90 18 18 18 2 2 6
41710 - 2 2 6 110 110 110 253 253 253 253 253 253
41711 -253 253 253 253 253 253 253 253 253 253 253 253
41712 -250 250 250 253 253 253 253 253 253 253 253 253
41713 -253 253 253 253 253 253 253 253 253 253 253 253
41714 -253 253 253 253 253 253 253 253 253 253 253 253
41715 -253 253 253 231 231 231 18 18 18 2 2 6
41716 - 2 2 6 2 2 6 2 2 6 2 2 6
41717 - 2 2 6 2 2 6 18 18 18 94 94 94
41718 - 54 54 54 26 26 26 10 10 10 0 0 0
41719 - 0 0 0 0 0 0 0 0 0 0 0 0
41720 - 0 0 0 0 0 0 0 0 0 0 0 0
41721 - 0 0 0 0 0 0 0 0 0 0 0 0
41722 - 0 0 0 0 0 0 0 0 0 0 0 0
41723 - 0 0 0 0 0 0 0 0 0 0 0 0
41724 - 0 0 0 0 0 0 0 0 0 0 0 0
41725 - 0 0 0 0 0 0 0 0 0 0 0 0
41726 - 0 0 0 0 0 0 0 0 0 0 0 0
41727 - 0 0 0 0 0 0 0 0 0 0 0 0
41728 - 0 0 0 6 6 6 22 22 22 50 50 50
41729 - 90 90 90 26 26 26 2 2 6 2 2 6
41730 - 14 14 14 195 195 195 250 250 250 253 253 253
41731 -253 253 253 253 253 253 253 253 253 253 253 253
41732 -253 253 253 253 253 253 253 253 253 253 253 253
41733 -253 253 253 253 253 253 253 253 253 253 253 253
41734 -253 253 253 253 253 253 253 253 253 253 253 253
41735 -250 250 250 242 242 242 54 54 54 2 2 6
41736 - 2 2 6 2 2 6 2 2 6 2 2 6
41737 - 2 2 6 2 2 6 2 2 6 38 38 38
41738 - 86 86 86 50 50 50 22 22 22 6 6 6
41739 - 0 0 0 0 0 0 0 0 0 0 0 0
41740 - 0 0 0 0 0 0 0 0 0 0 0 0
41741 - 0 0 0 0 0 0 0 0 0 0 0 0
41742 - 0 0 0 0 0 0 0 0 0 0 0 0
41743 - 0 0 0 0 0 0 0 0 0 0 0 0
41744 - 0 0 0 0 0 0 0 0 0 0 0 0
41745 - 0 0 0 0 0 0 0 0 0 0 0 0
41746 - 0 0 0 0 0 0 0 0 0 0 0 0
41747 - 0 0 0 0 0 0 0 0 0 0 0 0
41748 - 6 6 6 14 14 14 38 38 38 82 82 82
41749 - 34 34 34 2 2 6 2 2 6 2 2 6
41750 - 42 42 42 195 195 195 246 246 246 253 253 253
41751 -253 253 253 253 253 253 253 253 253 250 250 250
41752 -242 242 242 242 242 242 250 250 250 253 253 253
41753 -253 253 253 253 253 253 253 253 253 253 253 253
41754 -253 253 253 250 250 250 246 246 246 238 238 238
41755 -226 226 226 231 231 231 101 101 101 6 6 6
41756 - 2 2 6 2 2 6 2 2 6 2 2 6
41757 - 2 2 6 2 2 6 2 2 6 2 2 6
41758 - 38 38 38 82 82 82 42 42 42 14 14 14
41759 - 6 6 6 0 0 0 0 0 0 0 0 0
41760 - 0 0 0 0 0 0 0 0 0 0 0 0
41761 - 0 0 0 0 0 0 0 0 0 0 0 0
41762 - 0 0 0 0 0 0 0 0 0 0 0 0
41763 - 0 0 0 0 0 0 0 0 0 0 0 0
41764 - 0 0 0 0 0 0 0 0 0 0 0 0
41765 - 0 0 0 0 0 0 0 0 0 0 0 0
41766 - 0 0 0 0 0 0 0 0 0 0 0 0
41767 - 0 0 0 0 0 0 0 0 0 0 0 0
41768 - 10 10 10 26 26 26 62 62 62 66 66 66
41769 - 2 2 6 2 2 6 2 2 6 6 6 6
41770 - 70 70 70 170 170 170 206 206 206 234 234 234
41771 -246 246 246 250 250 250 250 250 250 238 238 238
41772 -226 226 226 231 231 231 238 238 238 250 250 250
41773 -250 250 250 250 250 250 246 246 246 231 231 231
41774 -214 214 214 206 206 206 202 202 202 202 202 202
41775 -198 198 198 202 202 202 182 182 182 18 18 18
41776 - 2 2 6 2 2 6 2 2 6 2 2 6
41777 - 2 2 6 2 2 6 2 2 6 2 2 6
41778 - 2 2 6 62 62 62 66 66 66 30 30 30
41779 - 10 10 10 0 0 0 0 0 0 0 0 0
41780 - 0 0 0 0 0 0 0 0 0 0 0 0
41781 - 0 0 0 0 0 0 0 0 0 0 0 0
41782 - 0 0 0 0 0 0 0 0 0 0 0 0
41783 - 0 0 0 0 0 0 0 0 0 0 0 0
41784 - 0 0 0 0 0 0 0 0 0 0 0 0
41785 - 0 0 0 0 0 0 0 0 0 0 0 0
41786 - 0 0 0 0 0 0 0 0 0 0 0 0
41787 - 0 0 0 0 0 0 0 0 0 0 0 0
41788 - 14 14 14 42 42 42 82 82 82 18 18 18
41789 - 2 2 6 2 2 6 2 2 6 10 10 10
41790 - 94 94 94 182 182 182 218 218 218 242 242 242
41791 -250 250 250 253 253 253 253 253 253 250 250 250
41792 -234 234 234 253 253 253 253 253 253 253 253 253
41793 -253 253 253 253 253 253 253 253 253 246 246 246
41794 -238 238 238 226 226 226 210 210 210 202 202 202
41795 -195 195 195 195 195 195 210 210 210 158 158 158
41796 - 6 6 6 14 14 14 50 50 50 14 14 14
41797 - 2 2 6 2 2 6 2 2 6 2 2 6
41798 - 2 2 6 6 6 6 86 86 86 46 46 46
41799 - 18 18 18 6 6 6 0 0 0 0 0 0
41800 - 0 0 0 0 0 0 0 0 0 0 0 0
41801 - 0 0 0 0 0 0 0 0 0 0 0 0
41802 - 0 0 0 0 0 0 0 0 0 0 0 0
41803 - 0 0 0 0 0 0 0 0 0 0 0 0
41804 - 0 0 0 0 0 0 0 0 0 0 0 0
41805 - 0 0 0 0 0 0 0 0 0 0 0 0
41806 - 0 0 0 0 0 0 0 0 0 0 0 0
41807 - 0 0 0 0 0 0 0 0 0 6 6 6
41808 - 22 22 22 54 54 54 70 70 70 2 2 6
41809 - 2 2 6 10 10 10 2 2 6 22 22 22
41810 -166 166 166 231 231 231 250 250 250 253 253 253
41811 -253 253 253 253 253 253 253 253 253 250 250 250
41812 -242 242 242 253 253 253 253 253 253 253 253 253
41813 -253 253 253 253 253 253 253 253 253 253 253 253
41814 -253 253 253 253 253 253 253 253 253 246 246 246
41815 -231 231 231 206 206 206 198 198 198 226 226 226
41816 - 94 94 94 2 2 6 6 6 6 38 38 38
41817 - 30 30 30 2 2 6 2 2 6 2 2 6
41818 - 2 2 6 2 2 6 62 62 62 66 66 66
41819 - 26 26 26 10 10 10 0 0 0 0 0 0
41820 - 0 0 0 0 0 0 0 0 0 0 0 0
41821 - 0 0 0 0 0 0 0 0 0 0 0 0
41822 - 0 0 0 0 0 0 0 0 0 0 0 0
41823 - 0 0 0 0 0 0 0 0 0 0 0 0
41824 - 0 0 0 0 0 0 0 0 0 0 0 0
41825 - 0 0 0 0 0 0 0 0 0 0 0 0
41826 - 0 0 0 0 0 0 0 0 0 0 0 0
41827 - 0 0 0 0 0 0 0 0 0 10 10 10
41828 - 30 30 30 74 74 74 50 50 50 2 2 6
41829 - 26 26 26 26 26 26 2 2 6 106 106 106
41830 -238 238 238 253 253 253 253 253 253 253 253 253
41831 -253 253 253 253 253 253 253 253 253 253 253 253
41832 -253 253 253 253 253 253 253 253 253 253 253 253
41833 -253 253 253 253 253 253 253 253 253 253 253 253
41834 -253 253 253 253 253 253 253 253 253 253 253 253
41835 -253 253 253 246 246 246 218 218 218 202 202 202
41836 -210 210 210 14 14 14 2 2 6 2 2 6
41837 - 30 30 30 22 22 22 2 2 6 2 2 6
41838 - 2 2 6 2 2 6 18 18 18 86 86 86
41839 - 42 42 42 14 14 14 0 0 0 0 0 0
41840 - 0 0 0 0 0 0 0 0 0 0 0 0
41841 - 0 0 0 0 0 0 0 0 0 0 0 0
41842 - 0 0 0 0 0 0 0 0 0 0 0 0
41843 - 0 0 0 0 0 0 0 0 0 0 0 0
41844 - 0 0 0 0 0 0 0 0 0 0 0 0
41845 - 0 0 0 0 0 0 0 0 0 0 0 0
41846 - 0 0 0 0 0 0 0 0 0 0 0 0
41847 - 0 0 0 0 0 0 0 0 0 14 14 14
41848 - 42 42 42 90 90 90 22 22 22 2 2 6
41849 - 42 42 42 2 2 6 18 18 18 218 218 218
41850 -253 253 253 253 253 253 253 253 253 253 253 253
41851 -253 253 253 253 253 253 253 253 253 253 253 253
41852 -253 253 253 253 253 253 253 253 253 253 253 253
41853 -253 253 253 253 253 253 253 253 253 253 253 253
41854 -253 253 253 253 253 253 253 253 253 253 253 253
41855 -253 253 253 253 253 253 250 250 250 221 221 221
41856 -218 218 218 101 101 101 2 2 6 14 14 14
41857 - 18 18 18 38 38 38 10 10 10 2 2 6
41858 - 2 2 6 2 2 6 2 2 6 78 78 78
41859 - 58 58 58 22 22 22 6 6 6 0 0 0
41860 - 0 0 0 0 0 0 0 0 0 0 0 0
41861 - 0 0 0 0 0 0 0 0 0 0 0 0
41862 - 0 0 0 0 0 0 0 0 0 0 0 0
41863 - 0 0 0 0 0 0 0 0 0 0 0 0
41864 - 0 0 0 0 0 0 0 0 0 0 0 0
41865 - 0 0 0 0 0 0 0 0 0 0 0 0
41866 - 0 0 0 0 0 0 0 0 0 0 0 0
41867 - 0 0 0 0 0 0 6 6 6 18 18 18
41868 - 54 54 54 82 82 82 2 2 6 26 26 26
41869 - 22 22 22 2 2 6 123 123 123 253 253 253
41870 -253 253 253 253 253 253 253 253 253 253 253 253
41871 -253 253 253 253 253 253 253 253 253 253 253 253
41872 -253 253 253 253 253 253 253 253 253 253 253 253
41873 -253 253 253 253 253 253 253 253 253 253 253 253
41874 -253 253 253 253 253 253 253 253 253 253 253 253
41875 -253 253 253 253 253 253 253 253 253 250 250 250
41876 -238 238 238 198 198 198 6 6 6 38 38 38
41877 - 58 58 58 26 26 26 38 38 38 2 2 6
41878 - 2 2 6 2 2 6 2 2 6 46 46 46
41879 - 78 78 78 30 30 30 10 10 10 0 0 0
41880 - 0 0 0 0 0 0 0 0 0 0 0 0
41881 - 0 0 0 0 0 0 0 0 0 0 0 0
41882 - 0 0 0 0 0 0 0 0 0 0 0 0
41883 - 0 0 0 0 0 0 0 0 0 0 0 0
41884 - 0 0 0 0 0 0 0 0 0 0 0 0
41885 - 0 0 0 0 0 0 0 0 0 0 0 0
41886 - 0 0 0 0 0 0 0 0 0 0 0 0
41887 - 0 0 0 0 0 0 10 10 10 30 30 30
41888 - 74 74 74 58 58 58 2 2 6 42 42 42
41889 - 2 2 6 22 22 22 231 231 231 253 253 253
41890 -253 253 253 253 253 253 253 253 253 253 253 253
41891 -253 253 253 253 253 253 253 253 253 250 250 250
41892 -253 253 253 253 253 253 253 253 253 253 253 253
41893 -253 253 253 253 253 253 253 253 253 253 253 253
41894 -253 253 253 253 253 253 253 253 253 253 253 253
41895 -253 253 253 253 253 253 253 253 253 253 253 253
41896 -253 253 253 246 246 246 46 46 46 38 38 38
41897 - 42 42 42 14 14 14 38 38 38 14 14 14
41898 - 2 2 6 2 2 6 2 2 6 6 6 6
41899 - 86 86 86 46 46 46 14 14 14 0 0 0
41900 - 0 0 0 0 0 0 0 0 0 0 0 0
41901 - 0 0 0 0 0 0 0 0 0 0 0 0
41902 - 0 0 0 0 0 0 0 0 0 0 0 0
41903 - 0 0 0 0 0 0 0 0 0 0 0 0
41904 - 0 0 0 0 0 0 0 0 0 0 0 0
41905 - 0 0 0 0 0 0 0 0 0 0 0 0
41906 - 0 0 0 0 0 0 0 0 0 0 0 0
41907 - 0 0 0 6 6 6 14 14 14 42 42 42
41908 - 90 90 90 18 18 18 18 18 18 26 26 26
41909 - 2 2 6 116 116 116 253 253 253 253 253 253
41910 -253 253 253 253 253 253 253 253 253 253 253 253
41911 -253 253 253 253 253 253 250 250 250 238 238 238
41912 -253 253 253 253 253 253 253 253 253 253 253 253
41913 -253 253 253 253 253 253 253 253 253 253 253 253
41914 -253 253 253 253 253 253 253 253 253 253 253 253
41915 -253 253 253 253 253 253 253 253 253 253 253 253
41916 -253 253 253 253 253 253 94 94 94 6 6 6
41917 - 2 2 6 2 2 6 10 10 10 34 34 34
41918 - 2 2 6 2 2 6 2 2 6 2 2 6
41919 - 74 74 74 58 58 58 22 22 22 6 6 6
41920 - 0 0 0 0 0 0 0 0 0 0 0 0
41921 - 0 0 0 0 0 0 0 0 0 0 0 0
41922 - 0 0 0 0 0 0 0 0 0 0 0 0
41923 - 0 0 0 0 0 0 0 0 0 0 0 0
41924 - 0 0 0 0 0 0 0 0 0 0 0 0
41925 - 0 0 0 0 0 0 0 0 0 0 0 0
41926 - 0 0 0 0 0 0 0 0 0 0 0 0
41927 - 0 0 0 10 10 10 26 26 26 66 66 66
41928 - 82 82 82 2 2 6 38 38 38 6 6 6
41929 - 14 14 14 210 210 210 253 253 253 253 253 253
41930 -253 253 253 253 253 253 253 253 253 253 253 253
41931 -253 253 253 253 253 253 246 246 246 242 242 242
41932 -253 253 253 253 253 253 253 253 253 253 253 253
41933 -253 253 253 253 253 253 253 253 253 253 253 253
41934 -253 253 253 253 253 253 253 253 253 253 253 253
41935 -253 253 253 253 253 253 253 253 253 253 253 253
41936 -253 253 253 253 253 253 144 144 144 2 2 6
41937 - 2 2 6 2 2 6 2 2 6 46 46 46
41938 - 2 2 6 2 2 6 2 2 6 2 2 6
41939 - 42 42 42 74 74 74 30 30 30 10 10 10
41940 - 0 0 0 0 0 0 0 0 0 0 0 0
41941 - 0 0 0 0 0 0 0 0 0 0 0 0
41942 - 0 0 0 0 0 0 0 0 0 0 0 0
41943 - 0 0 0 0 0 0 0 0 0 0 0 0
41944 - 0 0 0 0 0 0 0 0 0 0 0 0
41945 - 0 0 0 0 0 0 0 0 0 0 0 0
41946 - 0 0 0 0 0 0 0 0 0 0 0 0
41947 - 6 6 6 14 14 14 42 42 42 90 90 90
41948 - 26 26 26 6 6 6 42 42 42 2 2 6
41949 - 74 74 74 250 250 250 253 253 253 253 253 253
41950 -253 253 253 253 253 253 253 253 253 253 253 253
41951 -253 253 253 253 253 253 242 242 242 242 242 242
41952 -253 253 253 253 253 253 253 253 253 253 253 253
41953 -253 253 253 253 253 253 253 253 253 253 253 253
41954 -253 253 253 253 253 253 253 253 253 253 253 253
41955 -253 253 253 253 253 253 253 253 253 253 253 253
41956 -253 253 253 253 253 253 182 182 182 2 2 6
41957 - 2 2 6 2 2 6 2 2 6 46 46 46
41958 - 2 2 6 2 2 6 2 2 6 2 2 6
41959 - 10 10 10 86 86 86 38 38 38 10 10 10
41960 - 0 0 0 0 0 0 0 0 0 0 0 0
41961 - 0 0 0 0 0 0 0 0 0 0 0 0
41962 - 0 0 0 0 0 0 0 0 0 0 0 0
41963 - 0 0 0 0 0 0 0 0 0 0 0 0
41964 - 0 0 0 0 0 0 0 0 0 0 0 0
41965 - 0 0 0 0 0 0 0 0 0 0 0 0
41966 - 0 0 0 0 0 0 0 0 0 0 0 0
41967 - 10 10 10 26 26 26 66 66 66 82 82 82
41968 - 2 2 6 22 22 22 18 18 18 2 2 6
41969 -149 149 149 253 253 253 253 253 253 253 253 253
41970 -253 253 253 253 253 253 253 253 253 253 253 253
41971 -253 253 253 253 253 253 234 234 234 242 242 242
41972 -253 253 253 253 253 253 253 253 253 253 253 253
41973 -253 253 253 253 253 253 253 253 253 253 253 253
41974 -253 253 253 253 253 253 253 253 253 253 253 253
41975 -253 253 253 253 253 253 253 253 253 253 253 253
41976 -253 253 253 253 253 253 206 206 206 2 2 6
41977 - 2 2 6 2 2 6 2 2 6 38 38 38
41978 - 2 2 6 2 2 6 2 2 6 2 2 6
41979 - 6 6 6 86 86 86 46 46 46 14 14 14
41980 - 0 0 0 0 0 0 0 0 0 0 0 0
41981 - 0 0 0 0 0 0 0 0 0 0 0 0
41982 - 0 0 0 0 0 0 0 0 0 0 0 0
41983 - 0 0 0 0 0 0 0 0 0 0 0 0
41984 - 0 0 0 0 0 0 0 0 0 0 0 0
41985 - 0 0 0 0 0 0 0 0 0 0 0 0
41986 - 0 0 0 0 0 0 0 0 0 6 6 6
41987 - 18 18 18 46 46 46 86 86 86 18 18 18
41988 - 2 2 6 34 34 34 10 10 10 6 6 6
41989 -210 210 210 253 253 253 253 253 253 253 253 253
41990 -253 253 253 253 253 253 253 253 253 253 253 253
41991 -253 253 253 253 253 253 234 234 234 242 242 242
41992 -253 253 253 253 253 253 253 253 253 253 253 253
41993 -253 253 253 253 253 253 253 253 253 253 253 253
41994 -253 253 253 253 253 253 253 253 253 253 253 253
41995 -253 253 253 253 253 253 253 253 253 253 253 253
41996 -253 253 253 253 253 253 221 221 221 6 6 6
41997 - 2 2 6 2 2 6 6 6 6 30 30 30
41998 - 2 2 6 2 2 6 2 2 6 2 2 6
41999 - 2 2 6 82 82 82 54 54 54 18 18 18
42000 - 6 6 6 0 0 0 0 0 0 0 0 0
42001 - 0 0 0 0 0 0 0 0 0 0 0 0
42002 - 0 0 0 0 0 0 0 0 0 0 0 0
42003 - 0 0 0 0 0 0 0 0 0 0 0 0
42004 - 0 0 0 0 0 0 0 0 0 0 0 0
42005 - 0 0 0 0 0 0 0 0 0 0 0 0
42006 - 0 0 0 0 0 0 0 0 0 10 10 10
42007 - 26 26 26 66 66 66 62 62 62 2 2 6
42008 - 2 2 6 38 38 38 10 10 10 26 26 26
42009 -238 238 238 253 253 253 253 253 253 253 253 253
42010 -253 253 253 253 253 253 253 253 253 253 253 253
42011 -253 253 253 253 253 253 231 231 231 238 238 238
42012 -253 253 253 253 253 253 253 253 253 253 253 253
42013 -253 253 253 253 253 253 253 253 253 253 253 253
42014 -253 253 253 253 253 253 253 253 253 253 253 253
42015 -253 253 253 253 253 253 253 253 253 253 253 253
42016 -253 253 253 253 253 253 231 231 231 6 6 6
42017 - 2 2 6 2 2 6 10 10 10 30 30 30
42018 - 2 2 6 2 2 6 2 2 6 2 2 6
42019 - 2 2 6 66 66 66 58 58 58 22 22 22
42020 - 6 6 6 0 0 0 0 0 0 0 0 0
42021 - 0 0 0 0 0 0 0 0 0 0 0 0
42022 - 0 0 0 0 0 0 0 0 0 0 0 0
42023 - 0 0 0 0 0 0 0 0 0 0 0 0
42024 - 0 0 0 0 0 0 0 0 0 0 0 0
42025 - 0 0 0 0 0 0 0 0 0 0 0 0
42026 - 0 0 0 0 0 0 0 0 0 10 10 10
42027 - 38 38 38 78 78 78 6 6 6 2 2 6
42028 - 2 2 6 46 46 46 14 14 14 42 42 42
42029 -246 246 246 253 253 253 253 253 253 253 253 253
42030 -253 253 253 253 253 253 253 253 253 253 253 253
42031 -253 253 253 253 253 253 231 231 231 242 242 242
42032 -253 253 253 253 253 253 253 253 253 253 253 253
42033 -253 253 253 253 253 253 253 253 253 253 253 253
42034 -253 253 253 253 253 253 253 253 253 253 253 253
42035 -253 253 253 253 253 253 253 253 253 253 253 253
42036 -253 253 253 253 253 253 234 234 234 10 10 10
42037 - 2 2 6 2 2 6 22 22 22 14 14 14
42038 - 2 2 6 2 2 6 2 2 6 2 2 6
42039 - 2 2 6 66 66 66 62 62 62 22 22 22
42040 - 6 6 6 0 0 0 0 0 0 0 0 0
42041 - 0 0 0 0 0 0 0 0 0 0 0 0
42042 - 0 0 0 0 0 0 0 0 0 0 0 0
42043 - 0 0 0 0 0 0 0 0 0 0 0 0
42044 - 0 0 0 0 0 0 0 0 0 0 0 0
42045 - 0 0 0 0 0 0 0 0 0 0 0 0
42046 - 0 0 0 0 0 0 6 6 6 18 18 18
42047 - 50 50 50 74 74 74 2 2 6 2 2 6
42048 - 14 14 14 70 70 70 34 34 34 62 62 62
42049 -250 250 250 253 253 253 253 253 253 253 253 253
42050 -253 253 253 253 253 253 253 253 253 253 253 253
42051 -253 253 253 253 253 253 231 231 231 246 246 246
42052 -253 253 253 253 253 253 253 253 253 253 253 253
42053 -253 253 253 253 253 253 253 253 253 253 253 253
42054 -253 253 253 253 253 253 253 253 253 253 253 253
42055 -253 253 253 253 253 253 253 253 253 253 253 253
42056 -253 253 253 253 253 253 234 234 234 14 14 14
42057 - 2 2 6 2 2 6 30 30 30 2 2 6
42058 - 2 2 6 2 2 6 2 2 6 2 2 6
42059 - 2 2 6 66 66 66 62 62 62 22 22 22
42060 - 6 6 6 0 0 0 0 0 0 0 0 0
42061 - 0 0 0 0 0 0 0 0 0 0 0 0
42062 - 0 0 0 0 0 0 0 0 0 0 0 0
42063 - 0 0 0 0 0 0 0 0 0 0 0 0
42064 - 0 0 0 0 0 0 0 0 0 0 0 0
42065 - 0 0 0 0 0 0 0 0 0 0 0 0
42066 - 0 0 0 0 0 0 6 6 6 18 18 18
42067 - 54 54 54 62 62 62 2 2 6 2 2 6
42068 - 2 2 6 30 30 30 46 46 46 70 70 70
42069 -250 250 250 253 253 253 253 253 253 253 253 253
42070 -253 253 253 253 253 253 253 253 253 253 253 253
42071 -253 253 253 253 253 253 231 231 231 246 246 246
42072 -253 253 253 253 253 253 253 253 253 253 253 253
42073 -253 253 253 253 253 253 253 253 253 253 253 253
42074 -253 253 253 253 253 253 253 253 253 253 253 253
42075 -253 253 253 253 253 253 253 253 253 253 253 253
42076 -253 253 253 253 253 253 226 226 226 10 10 10
42077 - 2 2 6 6 6 6 30 30 30 2 2 6
42078 - 2 2 6 2 2 6 2 2 6 2 2 6
42079 - 2 2 6 66 66 66 58 58 58 22 22 22
42080 - 6 6 6 0 0 0 0 0 0 0 0 0
42081 - 0 0 0 0 0 0 0 0 0 0 0 0
42082 - 0 0 0 0 0 0 0 0 0 0 0 0
42083 - 0 0 0 0 0 0 0 0 0 0 0 0
42084 - 0 0 0 0 0 0 0 0 0 0 0 0
42085 - 0 0 0 0 0 0 0 0 0 0 0 0
42086 - 0 0 0 0 0 0 6 6 6 22 22 22
42087 - 58 58 58 62 62 62 2 2 6 2 2 6
42088 - 2 2 6 2 2 6 30 30 30 78 78 78
42089 -250 250 250 253 253 253 253 253 253 253 253 253
42090 -253 253 253 253 253 253 253 253 253 253 253 253
42091 -253 253 253 253 253 253 231 231 231 246 246 246
42092 -253 253 253 253 253 253 253 253 253 253 253 253
42093 -253 253 253 253 253 253 253 253 253 253 253 253
42094 -253 253 253 253 253 253 253 253 253 253 253 253
42095 -253 253 253 253 253 253 253 253 253 253 253 253
42096 -253 253 253 253 253 253 206 206 206 2 2 6
42097 - 22 22 22 34 34 34 18 14 6 22 22 22
42098 - 26 26 26 18 18 18 6 6 6 2 2 6
42099 - 2 2 6 82 82 82 54 54 54 18 18 18
42100 - 6 6 6 0 0 0 0 0 0 0 0 0
42101 - 0 0 0 0 0 0 0 0 0 0 0 0
42102 - 0 0 0 0 0 0 0 0 0 0 0 0
42103 - 0 0 0 0 0 0 0 0 0 0 0 0
42104 - 0 0 0 0 0 0 0 0 0 0 0 0
42105 - 0 0 0 0 0 0 0 0 0 0 0 0
42106 - 0 0 0 0 0 0 6 6 6 26 26 26
42107 - 62 62 62 106 106 106 74 54 14 185 133 11
42108 -210 162 10 121 92 8 6 6 6 62 62 62
42109 -238 238 238 253 253 253 253 253 253 253 253 253
42110 -253 253 253 253 253 253 253 253 253 253 253 253
42111 -253 253 253 253 253 253 231 231 231 246 246 246
42112 -253 253 253 253 253 253 253 253 253 253 253 253
42113 -253 253 253 253 253 253 253 253 253 253 253 253
42114 -253 253 253 253 253 253 253 253 253 253 253 253
42115 -253 253 253 253 253 253 253 253 253 253 253 253
42116 -253 253 253 253 253 253 158 158 158 18 18 18
42117 - 14 14 14 2 2 6 2 2 6 2 2 6
42118 - 6 6 6 18 18 18 66 66 66 38 38 38
42119 - 6 6 6 94 94 94 50 50 50 18 18 18
42120 - 6 6 6 0 0 0 0 0 0 0 0 0
42121 - 0 0 0 0 0 0 0 0 0 0 0 0
42122 - 0 0 0 0 0 0 0 0 0 0 0 0
42123 - 0 0 0 0 0 0 0 0 0 0 0 0
42124 - 0 0 0 0 0 0 0 0 0 0 0 0
42125 - 0 0 0 0 0 0 0 0 0 6 6 6
42126 - 10 10 10 10 10 10 18 18 18 38 38 38
42127 - 78 78 78 142 134 106 216 158 10 242 186 14
42128 -246 190 14 246 190 14 156 118 10 10 10 10
42129 - 90 90 90 238 238 238 253 253 253 253 253 253
42130 -253 253 253 253 253 253 253 253 253 253 253 253
42131 -253 253 253 253 253 253 231 231 231 250 250 250
42132 -253 253 253 253 253 253 253 253 253 253 253 253
42133 -253 253 253 253 253 253 253 253 253 253 253 253
42134 -253 253 253 253 253 253 253 253 253 253 253 253
42135 -253 253 253 253 253 253 253 253 253 246 230 190
42136 -238 204 91 238 204 91 181 142 44 37 26 9
42137 - 2 2 6 2 2 6 2 2 6 2 2 6
42138 - 2 2 6 2 2 6 38 38 38 46 46 46
42139 - 26 26 26 106 106 106 54 54 54 18 18 18
42140 - 6 6 6 0 0 0 0 0 0 0 0 0
42141 - 0 0 0 0 0 0 0 0 0 0 0 0
42142 - 0 0 0 0 0 0 0 0 0 0 0 0
42143 - 0 0 0 0 0 0 0 0 0 0 0 0
42144 - 0 0 0 0 0 0 0 0 0 0 0 0
42145 - 0 0 0 6 6 6 14 14 14 22 22 22
42146 - 30 30 30 38 38 38 50 50 50 70 70 70
42147 -106 106 106 190 142 34 226 170 11 242 186 14
42148 -246 190 14 246 190 14 246 190 14 154 114 10
42149 - 6 6 6 74 74 74 226 226 226 253 253 253
42150 -253 253 253 253 253 253 253 253 253 253 253 253
42151 -253 253 253 253 253 253 231 231 231 250 250 250
42152 -253 253 253 253 253 253 253 253 253 253 253 253
42153 -253 253 253 253 253 253 253 253 253 253 253 253
42154 -253 253 253 253 253 253 253 253 253 253 253 253
42155 -253 253 253 253 253 253 253 253 253 228 184 62
42156 -241 196 14 241 208 19 232 195 16 38 30 10
42157 - 2 2 6 2 2 6 2 2 6 2 2 6
42158 - 2 2 6 6 6 6 30 30 30 26 26 26
42159 -203 166 17 154 142 90 66 66 66 26 26 26
42160 - 6 6 6 0 0 0 0 0 0 0 0 0
42161 - 0 0 0 0 0 0 0 0 0 0 0 0
42162 - 0 0 0 0 0 0 0 0 0 0 0 0
42163 - 0 0 0 0 0 0 0 0 0 0 0 0
42164 - 0 0 0 0 0 0 0 0 0 0 0 0
42165 - 6 6 6 18 18 18 38 38 38 58 58 58
42166 - 78 78 78 86 86 86 101 101 101 123 123 123
42167 -175 146 61 210 150 10 234 174 13 246 186 14
42168 -246 190 14 246 190 14 246 190 14 238 190 10
42169 -102 78 10 2 2 6 46 46 46 198 198 198
42170 -253 253 253 253 253 253 253 253 253 253 253 253
42171 -253 253 253 253 253 253 234 234 234 242 242 242
42172 -253 253 253 253 253 253 253 253 253 253 253 253
42173 -253 253 253 253 253 253 253 253 253 253 253 253
42174 -253 253 253 253 253 253 253 253 253 253 253 253
42175 -253 253 253 253 253 253 253 253 253 224 178 62
42176 -242 186 14 241 196 14 210 166 10 22 18 6
42177 - 2 2 6 2 2 6 2 2 6 2 2 6
42178 - 2 2 6 2 2 6 6 6 6 121 92 8
42179 -238 202 15 232 195 16 82 82 82 34 34 34
42180 - 10 10 10 0 0 0 0 0 0 0 0 0
42181 - 0 0 0 0 0 0 0 0 0 0 0 0
42182 - 0 0 0 0 0 0 0 0 0 0 0 0
42183 - 0 0 0 0 0 0 0 0 0 0 0 0
42184 - 0 0 0 0 0 0 0 0 0 0 0 0
42185 - 14 14 14 38 38 38 70 70 70 154 122 46
42186 -190 142 34 200 144 11 197 138 11 197 138 11
42187 -213 154 11 226 170 11 242 186 14 246 190 14
42188 -246 190 14 246 190 14 246 190 14 246 190 14
42189 -225 175 15 46 32 6 2 2 6 22 22 22
42190 -158 158 158 250 250 250 253 253 253 253 253 253
42191 -253 253 253 253 253 253 253 253 253 253 253 253
42192 -253 253 253 253 253 253 253 253 253 253 253 253
42193 -253 253 253 253 253 253 253 253 253 253 253 253
42194 -253 253 253 253 253 253 253 253 253 253 253 253
42195 -253 253 253 250 250 250 242 242 242 224 178 62
42196 -239 182 13 236 186 11 213 154 11 46 32 6
42197 - 2 2 6 2 2 6 2 2 6 2 2 6
42198 - 2 2 6 2 2 6 61 42 6 225 175 15
42199 -238 190 10 236 186 11 112 100 78 42 42 42
42200 - 14 14 14 0 0 0 0 0 0 0 0 0
42201 - 0 0 0 0 0 0 0 0 0 0 0 0
42202 - 0 0 0 0 0 0 0 0 0 0 0 0
42203 - 0 0 0 0 0 0 0 0 0 0 0 0
42204 - 0 0 0 0 0 0 0 0 0 6 6 6
42205 - 22 22 22 54 54 54 154 122 46 213 154 11
42206 -226 170 11 230 174 11 226 170 11 226 170 11
42207 -236 178 12 242 186 14 246 190 14 246 190 14
42208 -246 190 14 246 190 14 246 190 14 246 190 14
42209 -241 196 14 184 144 12 10 10 10 2 2 6
42210 - 6 6 6 116 116 116 242 242 242 253 253 253
42211 -253 253 253 253 253 253 253 253 253 253 253 253
42212 -253 253 253 253 253 253 253 253 253 253 253 253
42213 -253 253 253 253 253 253 253 253 253 253 253 253
42214 -253 253 253 253 253 253 253 253 253 253 253 253
42215 -253 253 253 231 231 231 198 198 198 214 170 54
42216 -236 178 12 236 178 12 210 150 10 137 92 6
42217 - 18 14 6 2 2 6 2 2 6 2 2 6
42218 - 6 6 6 70 47 6 200 144 11 236 178 12
42219 -239 182 13 239 182 13 124 112 88 58 58 58
42220 - 22 22 22 6 6 6 0 0 0 0 0 0
42221 - 0 0 0 0 0 0 0 0 0 0 0 0
42222 - 0 0 0 0 0 0 0 0 0 0 0 0
42223 - 0 0 0 0 0 0 0 0 0 0 0 0
42224 - 0 0 0 0 0 0 0 0 0 10 10 10
42225 - 30 30 30 70 70 70 180 133 36 226 170 11
42226 -239 182 13 242 186 14 242 186 14 246 186 14
42227 -246 190 14 246 190 14 246 190 14 246 190 14
42228 -246 190 14 246 190 14 246 190 14 246 190 14
42229 -246 190 14 232 195 16 98 70 6 2 2 6
42230 - 2 2 6 2 2 6 66 66 66 221 221 221
42231 -253 253 253 253 253 253 253 253 253 253 253 253
42232 -253 253 253 253 253 253 253 253 253 253 253 253
42233 -253 253 253 253 253 253 253 253 253 253 253 253
42234 -253 253 253 253 253 253 253 253 253 253 253 253
42235 -253 253 253 206 206 206 198 198 198 214 166 58
42236 -230 174 11 230 174 11 216 158 10 192 133 9
42237 -163 110 8 116 81 8 102 78 10 116 81 8
42238 -167 114 7 197 138 11 226 170 11 239 182 13
42239 -242 186 14 242 186 14 162 146 94 78 78 78
42240 - 34 34 34 14 14 14 6 6 6 0 0 0
42241 - 0 0 0 0 0 0 0 0 0 0 0 0
42242 - 0 0 0 0 0 0 0 0 0 0 0 0
42243 - 0 0 0 0 0 0 0 0 0 0 0 0
42244 - 0 0 0 0 0 0 0 0 0 6 6 6
42245 - 30 30 30 78 78 78 190 142 34 226 170 11
42246 -239 182 13 246 190 14 246 190 14 246 190 14
42247 -246 190 14 246 190 14 246 190 14 246 190 14
42248 -246 190 14 246 190 14 246 190 14 246 190 14
42249 -246 190 14 241 196 14 203 166 17 22 18 6
42250 - 2 2 6 2 2 6 2 2 6 38 38 38
42251 -218 218 218 253 253 253 253 253 253 253 253 253
42252 -253 253 253 253 253 253 253 253 253 253 253 253
42253 -253 253 253 253 253 253 253 253 253 253 253 253
42254 -253 253 253 253 253 253 253 253 253 253 253 253
42255 -250 250 250 206 206 206 198 198 198 202 162 69
42256 -226 170 11 236 178 12 224 166 10 210 150 10
42257 -200 144 11 197 138 11 192 133 9 197 138 11
42258 -210 150 10 226 170 11 242 186 14 246 190 14
42259 -246 190 14 246 186 14 225 175 15 124 112 88
42260 - 62 62 62 30 30 30 14 14 14 6 6 6
42261 - 0 0 0 0 0 0 0 0 0 0 0 0
42262 - 0 0 0 0 0 0 0 0 0 0 0 0
42263 - 0 0 0 0 0 0 0 0 0 0 0 0
42264 - 0 0 0 0 0 0 0 0 0 10 10 10
42265 - 30 30 30 78 78 78 174 135 50 224 166 10
42266 -239 182 13 246 190 14 246 190 14 246 190 14
42267 -246 190 14 246 190 14 246 190 14 246 190 14
42268 -246 190 14 246 190 14 246 190 14 246 190 14
42269 -246 190 14 246 190 14 241 196 14 139 102 15
42270 - 2 2 6 2 2 6 2 2 6 2 2 6
42271 - 78 78 78 250 250 250 253 253 253 253 253 253
42272 -253 253 253 253 253 253 253 253 253 253 253 253
42273 -253 253 253 253 253 253 253 253 253 253 253 253
42274 -253 253 253 253 253 253 253 253 253 253 253 253
42275 -250 250 250 214 214 214 198 198 198 190 150 46
42276 -219 162 10 236 178 12 234 174 13 224 166 10
42277 -216 158 10 213 154 11 213 154 11 216 158 10
42278 -226 170 11 239 182 13 246 190 14 246 190 14
42279 -246 190 14 246 190 14 242 186 14 206 162 42
42280 -101 101 101 58 58 58 30 30 30 14 14 14
42281 - 6 6 6 0 0 0 0 0 0 0 0 0
42282 - 0 0 0 0 0 0 0 0 0 0 0 0
42283 - 0 0 0 0 0 0 0 0 0 0 0 0
42284 - 0 0 0 0 0 0 0 0 0 10 10 10
42285 - 30 30 30 74 74 74 174 135 50 216 158 10
42286 -236 178 12 246 190 14 246 190 14 246 190 14
42287 -246 190 14 246 190 14 246 190 14 246 190 14
42288 -246 190 14 246 190 14 246 190 14 246 190 14
42289 -246 190 14 246 190 14 241 196 14 226 184 13
42290 - 61 42 6 2 2 6 2 2 6 2 2 6
42291 - 22 22 22 238 238 238 253 253 253 253 253 253
42292 -253 253 253 253 253 253 253 253 253 253 253 253
42293 -253 253 253 253 253 253 253 253 253 253 253 253
42294 -253 253 253 253 253 253 253 253 253 253 253 253
42295 -253 253 253 226 226 226 187 187 187 180 133 36
42296 -216 158 10 236 178 12 239 182 13 236 178 12
42297 -230 174 11 226 170 11 226 170 11 230 174 11
42298 -236 178 12 242 186 14 246 190 14 246 190 14
42299 -246 190 14 246 190 14 246 186 14 239 182 13
42300 -206 162 42 106 106 106 66 66 66 34 34 34
42301 - 14 14 14 6 6 6 0 0 0 0 0 0
42302 - 0 0 0 0 0 0 0 0 0 0 0 0
42303 - 0 0 0 0 0 0 0 0 0 0 0 0
42304 - 0 0 0 0 0 0 0 0 0 6 6 6
42305 - 26 26 26 70 70 70 163 133 67 213 154 11
42306 -236 178 12 246 190 14 246 190 14 246 190 14
42307 -246 190 14 246 190 14 246 190 14 246 190 14
42308 -246 190 14 246 190 14 246 190 14 246 190 14
42309 -246 190 14 246 190 14 246 190 14 241 196 14
42310 -190 146 13 18 14 6 2 2 6 2 2 6
42311 - 46 46 46 246 246 246 253 253 253 253 253 253
42312 -253 253 253 253 253 253 253 253 253 253 253 253
42313 -253 253 253 253 253 253 253 253 253 253 253 253
42314 -253 253 253 253 253 253 253 253 253 253 253 253
42315 -253 253 253 221 221 221 86 86 86 156 107 11
42316 -216 158 10 236 178 12 242 186 14 246 186 14
42317 -242 186 14 239 182 13 239 182 13 242 186 14
42318 -242 186 14 246 186 14 246 190 14 246 190 14
42319 -246 190 14 246 190 14 246 190 14 246 190 14
42320 -242 186 14 225 175 15 142 122 72 66 66 66
42321 - 30 30 30 10 10 10 0 0 0 0 0 0
42322 - 0 0 0 0 0 0 0 0 0 0 0 0
42323 - 0 0 0 0 0 0 0 0 0 0 0 0
42324 - 0 0 0 0 0 0 0 0 0 6 6 6
42325 - 26 26 26 70 70 70 163 133 67 210 150 10
42326 -236 178 12 246 190 14 246 190 14 246 190 14
42327 -246 190 14 246 190 14 246 190 14 246 190 14
42328 -246 190 14 246 190 14 246 190 14 246 190 14
42329 -246 190 14 246 190 14 246 190 14 246 190 14
42330 -232 195 16 121 92 8 34 34 34 106 106 106
42331 -221 221 221 253 253 253 253 253 253 253 253 253
42332 -253 253 253 253 253 253 253 253 253 253 253 253
42333 -253 253 253 253 253 253 253 253 253 253 253 253
42334 -253 253 253 253 253 253 253 253 253 253 253 253
42335 -242 242 242 82 82 82 18 14 6 163 110 8
42336 -216 158 10 236 178 12 242 186 14 246 190 14
42337 -246 190 14 246 190 14 246 190 14 246 190 14
42338 -246 190 14 246 190 14 246 190 14 246 190 14
42339 -246 190 14 246 190 14 246 190 14 246 190 14
42340 -246 190 14 246 190 14 242 186 14 163 133 67
42341 - 46 46 46 18 18 18 6 6 6 0 0 0
42342 - 0 0 0 0 0 0 0 0 0 0 0 0
42343 - 0 0 0 0 0 0 0 0 0 0 0 0
42344 - 0 0 0 0 0 0 0 0 0 10 10 10
42345 - 30 30 30 78 78 78 163 133 67 210 150 10
42346 -236 178 12 246 186 14 246 190 14 246 190 14
42347 -246 190 14 246 190 14 246 190 14 246 190 14
42348 -246 190 14 246 190 14 246 190 14 246 190 14
42349 -246 190 14 246 190 14 246 190 14 246 190 14
42350 -241 196 14 215 174 15 190 178 144 253 253 253
42351 -253 253 253 253 253 253 253 253 253 253 253 253
42352 -253 253 253 253 253 253 253 253 253 253 253 253
42353 -253 253 253 253 253 253 253 253 253 253 253 253
42354 -253 253 253 253 253 253 253 253 253 218 218 218
42355 - 58 58 58 2 2 6 22 18 6 167 114 7
42356 -216 158 10 236 178 12 246 186 14 246 190 14
42357 -246 190 14 246 190 14 246 190 14 246 190 14
42358 -246 190 14 246 190 14 246 190 14 246 190 14
42359 -246 190 14 246 190 14 246 190 14 246 190 14
42360 -246 190 14 246 186 14 242 186 14 190 150 46
42361 - 54 54 54 22 22 22 6 6 6 0 0 0
42362 - 0 0 0 0 0 0 0 0 0 0 0 0
42363 - 0 0 0 0 0 0 0 0 0 0 0 0
42364 - 0 0 0 0 0 0 0 0 0 14 14 14
42365 - 38 38 38 86 86 86 180 133 36 213 154 11
42366 -236 178 12 246 186 14 246 190 14 246 190 14
42367 -246 190 14 246 190 14 246 190 14 246 190 14
42368 -246 190 14 246 190 14 246 190 14 246 190 14
42369 -246 190 14 246 190 14 246 190 14 246 190 14
42370 -246 190 14 232 195 16 190 146 13 214 214 214
42371 -253 253 253 253 253 253 253 253 253 253 253 253
42372 -253 253 253 253 253 253 253 253 253 253 253 253
42373 -253 253 253 253 253 253 253 253 253 253 253 253
42374 -253 253 253 250 250 250 170 170 170 26 26 26
42375 - 2 2 6 2 2 6 37 26 9 163 110 8
42376 -219 162 10 239 182 13 246 186 14 246 190 14
42377 -246 190 14 246 190 14 246 190 14 246 190 14
42378 -246 190 14 246 190 14 246 190 14 246 190 14
42379 -246 190 14 246 190 14 246 190 14 246 190 14
42380 -246 186 14 236 178 12 224 166 10 142 122 72
42381 - 46 46 46 18 18 18 6 6 6 0 0 0
42382 - 0 0 0 0 0 0 0 0 0 0 0 0
42383 - 0 0 0 0 0 0 0 0 0 0 0 0
42384 - 0 0 0 0 0 0 6 6 6 18 18 18
42385 - 50 50 50 109 106 95 192 133 9 224 166 10
42386 -242 186 14 246 190 14 246 190 14 246 190 14
42387 -246 190 14 246 190 14 246 190 14 246 190 14
42388 -246 190 14 246 190 14 246 190 14 246 190 14
42389 -246 190 14 246 190 14 246 190 14 246 190 14
42390 -242 186 14 226 184 13 210 162 10 142 110 46
42391 -226 226 226 253 253 253 253 253 253 253 253 253
42392 -253 253 253 253 253 253 253 253 253 253 253 253
42393 -253 253 253 253 253 253 253 253 253 253 253 253
42394 -198 198 198 66 66 66 2 2 6 2 2 6
42395 - 2 2 6 2 2 6 50 34 6 156 107 11
42396 -219 162 10 239 182 13 246 186 14 246 190 14
42397 -246 190 14 246 190 14 246 190 14 246 190 14
42398 -246 190 14 246 190 14 246 190 14 246 190 14
42399 -246 190 14 246 190 14 246 190 14 242 186 14
42400 -234 174 13 213 154 11 154 122 46 66 66 66
42401 - 30 30 30 10 10 10 0 0 0 0 0 0
42402 - 0 0 0 0 0 0 0 0 0 0 0 0
42403 - 0 0 0 0 0 0 0 0 0 0 0 0
42404 - 0 0 0 0 0 0 6 6 6 22 22 22
42405 - 58 58 58 154 121 60 206 145 10 234 174 13
42406 -242 186 14 246 186 14 246 190 14 246 190 14
42407 -246 190 14 246 190 14 246 190 14 246 190 14
42408 -246 190 14 246 190 14 246 190 14 246 190 14
42409 -246 190 14 246 190 14 246 190 14 246 190 14
42410 -246 186 14 236 178 12 210 162 10 163 110 8
42411 - 61 42 6 138 138 138 218 218 218 250 250 250
42412 -253 253 253 253 253 253 253 253 253 250 250 250
42413 -242 242 242 210 210 210 144 144 144 66 66 66
42414 - 6 6 6 2 2 6 2 2 6 2 2 6
42415 - 2 2 6 2 2 6 61 42 6 163 110 8
42416 -216 158 10 236 178 12 246 190 14 246 190 14
42417 -246 190 14 246 190 14 246 190 14 246 190 14
42418 -246 190 14 246 190 14 246 190 14 246 190 14
42419 -246 190 14 239 182 13 230 174 11 216 158 10
42420 -190 142 34 124 112 88 70 70 70 38 38 38
42421 - 18 18 18 6 6 6 0 0 0 0 0 0
42422 - 0 0 0 0 0 0 0 0 0 0 0 0
42423 - 0 0 0 0 0 0 0 0 0 0 0 0
42424 - 0 0 0 0 0 0 6 6 6 22 22 22
42425 - 62 62 62 168 124 44 206 145 10 224 166 10
42426 -236 178 12 239 182 13 242 186 14 242 186 14
42427 -246 186 14 246 190 14 246 190 14 246 190 14
42428 -246 190 14 246 190 14 246 190 14 246 190 14
42429 -246 190 14 246 190 14 246 190 14 246 190 14
42430 -246 190 14 236 178 12 216 158 10 175 118 6
42431 - 80 54 7 2 2 6 6 6 6 30 30 30
42432 - 54 54 54 62 62 62 50 50 50 38 38 38
42433 - 14 14 14 2 2 6 2 2 6 2 2 6
42434 - 2 2 6 2 2 6 2 2 6 2 2 6
42435 - 2 2 6 6 6 6 80 54 7 167 114 7
42436 -213 154 11 236 178 12 246 190 14 246 190 14
42437 -246 190 14 246 190 14 246 190 14 246 190 14
42438 -246 190 14 242 186 14 239 182 13 239 182 13
42439 -230 174 11 210 150 10 174 135 50 124 112 88
42440 - 82 82 82 54 54 54 34 34 34 18 18 18
42441 - 6 6 6 0 0 0 0 0 0 0 0 0
42442 - 0 0 0 0 0 0 0 0 0 0 0 0
42443 - 0 0 0 0 0 0 0 0 0 0 0 0
42444 - 0 0 0 0 0 0 6 6 6 18 18 18
42445 - 50 50 50 158 118 36 192 133 9 200 144 11
42446 -216 158 10 219 162 10 224 166 10 226 170 11
42447 -230 174 11 236 178 12 239 182 13 239 182 13
42448 -242 186 14 246 186 14 246 190 14 246 190 14
42449 -246 190 14 246 190 14 246 190 14 246 190 14
42450 -246 186 14 230 174 11 210 150 10 163 110 8
42451 -104 69 6 10 10 10 2 2 6 2 2 6
42452 - 2 2 6 2 2 6 2 2 6 2 2 6
42453 - 2 2 6 2 2 6 2 2 6 2 2 6
42454 - 2 2 6 2 2 6 2 2 6 2 2 6
42455 - 2 2 6 6 6 6 91 60 6 167 114 7
42456 -206 145 10 230 174 11 242 186 14 246 190 14
42457 -246 190 14 246 190 14 246 186 14 242 186 14
42458 -239 182 13 230 174 11 224 166 10 213 154 11
42459 -180 133 36 124 112 88 86 86 86 58 58 58
42460 - 38 38 38 22 22 22 10 10 10 6 6 6
42461 - 0 0 0 0 0 0 0 0 0 0 0 0
42462 - 0 0 0 0 0 0 0 0 0 0 0 0
42463 - 0 0 0 0 0 0 0 0 0 0 0 0
42464 - 0 0 0 0 0 0 0 0 0 14 14 14
42465 - 34 34 34 70 70 70 138 110 50 158 118 36
42466 -167 114 7 180 123 7 192 133 9 197 138 11
42467 -200 144 11 206 145 10 213 154 11 219 162 10
42468 -224 166 10 230 174 11 239 182 13 242 186 14
42469 -246 186 14 246 186 14 246 186 14 246 186 14
42470 -239 182 13 216 158 10 185 133 11 152 99 6
42471 -104 69 6 18 14 6 2 2 6 2 2 6
42472 - 2 2 6 2 2 6 2 2 6 2 2 6
42473 - 2 2 6 2 2 6 2 2 6 2 2 6
42474 - 2 2 6 2 2 6 2 2 6 2 2 6
42475 - 2 2 6 6 6 6 80 54 7 152 99 6
42476 -192 133 9 219 162 10 236 178 12 239 182 13
42477 -246 186 14 242 186 14 239 182 13 236 178 12
42478 -224 166 10 206 145 10 192 133 9 154 121 60
42479 - 94 94 94 62 62 62 42 42 42 22 22 22
42480 - 14 14 14 6 6 6 0 0 0 0 0 0
42481 - 0 0 0 0 0 0 0 0 0 0 0 0
42482 - 0 0 0 0 0 0 0 0 0 0 0 0
42483 - 0 0 0 0 0 0 0 0 0 0 0 0
42484 - 0 0 0 0 0 0 0 0 0 6 6 6
42485 - 18 18 18 34 34 34 58 58 58 78 78 78
42486 -101 98 89 124 112 88 142 110 46 156 107 11
42487 -163 110 8 167 114 7 175 118 6 180 123 7
42488 -185 133 11 197 138 11 210 150 10 219 162 10
42489 -226 170 11 236 178 12 236 178 12 234 174 13
42490 -219 162 10 197 138 11 163 110 8 130 83 6
42491 - 91 60 6 10 10 10 2 2 6 2 2 6
42492 - 18 18 18 38 38 38 38 38 38 38 38 38
42493 - 38 38 38 38 38 38 38 38 38 38 38 38
42494 - 38 38 38 38 38 38 26 26 26 2 2 6
42495 - 2 2 6 6 6 6 70 47 6 137 92 6
42496 -175 118 6 200 144 11 219 162 10 230 174 11
42497 -234 174 13 230 174 11 219 162 10 210 150 10
42498 -192 133 9 163 110 8 124 112 88 82 82 82
42499 - 50 50 50 30 30 30 14 14 14 6 6 6
42500 - 0 0 0 0 0 0 0 0 0 0 0 0
42501 - 0 0 0 0 0 0 0 0 0 0 0 0
42502 - 0 0 0 0 0 0 0 0 0 0 0 0
42503 - 0 0 0 0 0 0 0 0 0 0 0 0
42504 - 0 0 0 0 0 0 0 0 0 0 0 0
42505 - 6 6 6 14 14 14 22 22 22 34 34 34
42506 - 42 42 42 58 58 58 74 74 74 86 86 86
42507 -101 98 89 122 102 70 130 98 46 121 87 25
42508 -137 92 6 152 99 6 163 110 8 180 123 7
42509 -185 133 11 197 138 11 206 145 10 200 144 11
42510 -180 123 7 156 107 11 130 83 6 104 69 6
42511 - 50 34 6 54 54 54 110 110 110 101 98 89
42512 - 86 86 86 82 82 82 78 78 78 78 78 78
42513 - 78 78 78 78 78 78 78 78 78 78 78 78
42514 - 78 78 78 82 82 82 86 86 86 94 94 94
42515 -106 106 106 101 101 101 86 66 34 124 80 6
42516 -156 107 11 180 123 7 192 133 9 200 144 11
42517 -206 145 10 200 144 11 192 133 9 175 118 6
42518 -139 102 15 109 106 95 70 70 70 42 42 42
42519 - 22 22 22 10 10 10 0 0 0 0 0 0
42520 - 0 0 0 0 0 0 0 0 0 0 0 0
42521 - 0 0 0 0 0 0 0 0 0 0 0 0
42522 - 0 0 0 0 0 0 0 0 0 0 0 0
42523 - 0 0 0 0 0 0 0 0 0 0 0 0
42524 - 0 0 0 0 0 0 0 0 0 0 0 0
42525 - 0 0 0 0 0 0 6 6 6 10 10 10
42526 - 14 14 14 22 22 22 30 30 30 38 38 38
42527 - 50 50 50 62 62 62 74 74 74 90 90 90
42528 -101 98 89 112 100 78 121 87 25 124 80 6
42529 -137 92 6 152 99 6 152 99 6 152 99 6
42530 -138 86 6 124 80 6 98 70 6 86 66 30
42531 -101 98 89 82 82 82 58 58 58 46 46 46
42532 - 38 38 38 34 34 34 34 34 34 34 34 34
42533 - 34 34 34 34 34 34 34 34 34 34 34 34
42534 - 34 34 34 34 34 34 38 38 38 42 42 42
42535 - 54 54 54 82 82 82 94 86 76 91 60 6
42536 -134 86 6 156 107 11 167 114 7 175 118 6
42537 -175 118 6 167 114 7 152 99 6 121 87 25
42538 -101 98 89 62 62 62 34 34 34 18 18 18
42539 - 6 6 6 0 0 0 0 0 0 0 0 0
42540 - 0 0 0 0 0 0 0 0 0 0 0 0
42541 - 0 0 0 0 0 0 0 0 0 0 0 0
42542 - 0 0 0 0 0 0 0 0 0 0 0 0
42543 - 0 0 0 0 0 0 0 0 0 0 0 0
42544 - 0 0 0 0 0 0 0 0 0 0 0 0
42545 - 0 0 0 0 0 0 0 0 0 0 0 0
42546 - 0 0 0 6 6 6 6 6 6 10 10 10
42547 - 18 18 18 22 22 22 30 30 30 42 42 42
42548 - 50 50 50 66 66 66 86 86 86 101 98 89
42549 -106 86 58 98 70 6 104 69 6 104 69 6
42550 -104 69 6 91 60 6 82 62 34 90 90 90
42551 - 62 62 62 38 38 38 22 22 22 14 14 14
42552 - 10 10 10 10 10 10 10 10 10 10 10 10
42553 - 10 10 10 10 10 10 6 6 6 10 10 10
42554 - 10 10 10 10 10 10 10 10 10 14 14 14
42555 - 22 22 22 42 42 42 70 70 70 89 81 66
42556 - 80 54 7 104 69 6 124 80 6 137 92 6
42557 -134 86 6 116 81 8 100 82 52 86 86 86
42558 - 58 58 58 30 30 30 14 14 14 6 6 6
42559 - 0 0 0 0 0 0 0 0 0 0 0 0
42560 - 0 0 0 0 0 0 0 0 0 0 0 0
42561 - 0 0 0 0 0 0 0 0 0 0 0 0
42562 - 0 0 0 0 0 0 0 0 0 0 0 0
42563 - 0 0 0 0 0 0 0 0 0 0 0 0
42564 - 0 0 0 0 0 0 0 0 0 0 0 0
42565 - 0 0 0 0 0 0 0 0 0 0 0 0
42566 - 0 0 0 0 0 0 0 0 0 0 0 0
42567 - 0 0 0 6 6 6 10 10 10 14 14 14
42568 - 18 18 18 26 26 26 38 38 38 54 54 54
42569 - 70 70 70 86 86 86 94 86 76 89 81 66
42570 - 89 81 66 86 86 86 74 74 74 50 50 50
42571 - 30 30 30 14 14 14 6 6 6 0 0 0
42572 - 0 0 0 0 0 0 0 0 0 0 0 0
42573 - 0 0 0 0 0 0 0 0 0 0 0 0
42574 - 0 0 0 0 0 0 0 0 0 0 0 0
42575 - 6 6 6 18 18 18 34 34 34 58 58 58
42576 - 82 82 82 89 81 66 89 81 66 89 81 66
42577 - 94 86 66 94 86 76 74 74 74 50 50 50
42578 - 26 26 26 14 14 14 6 6 6 0 0 0
42579 - 0 0 0 0 0 0 0 0 0 0 0 0
42580 - 0 0 0 0 0 0 0 0 0 0 0 0
42581 - 0 0 0 0 0 0 0 0 0 0 0 0
42582 - 0 0 0 0 0 0 0 0 0 0 0 0
42583 - 0 0 0 0 0 0 0 0 0 0 0 0
42584 - 0 0 0 0 0 0 0 0 0 0 0 0
42585 - 0 0 0 0 0 0 0 0 0 0 0 0
42586 - 0 0 0 0 0 0 0 0 0 0 0 0
42587 - 0 0 0 0 0 0 0 0 0 0 0 0
42588 - 6 6 6 6 6 6 14 14 14 18 18 18
42589 - 30 30 30 38 38 38 46 46 46 54 54 54
42590 - 50 50 50 42 42 42 30 30 30 18 18 18
42591 - 10 10 10 0 0 0 0 0 0 0 0 0
42592 - 0 0 0 0 0 0 0 0 0 0 0 0
42593 - 0 0 0 0 0 0 0 0 0 0 0 0
42594 - 0 0 0 0 0 0 0 0 0 0 0 0
42595 - 0 0 0 6 6 6 14 14 14 26 26 26
42596 - 38 38 38 50 50 50 58 58 58 58 58 58
42597 - 54 54 54 42 42 42 30 30 30 18 18 18
42598 - 10 10 10 0 0 0 0 0 0 0 0 0
42599 - 0 0 0 0 0 0 0 0 0 0 0 0
42600 - 0 0 0 0 0 0 0 0 0 0 0 0
42601 - 0 0 0 0 0 0 0 0 0 0 0 0
42602 - 0 0 0 0 0 0 0 0 0 0 0 0
42603 - 0 0 0 0 0 0 0 0 0 0 0 0
42604 - 0 0 0 0 0 0 0 0 0 0 0 0
42605 - 0 0 0 0 0 0 0 0 0 0 0 0
42606 - 0 0 0 0 0 0 0 0 0 0 0 0
42607 - 0 0 0 0 0 0 0 0 0 0 0 0
42608 - 0 0 0 0 0 0 0 0 0 6 6 6
42609 - 6 6 6 10 10 10 14 14 14 18 18 18
42610 - 18 18 18 14 14 14 10 10 10 6 6 6
42611 - 0 0 0 0 0 0 0 0 0 0 0 0
42612 - 0 0 0 0 0 0 0 0 0 0 0 0
42613 - 0 0 0 0 0 0 0 0 0 0 0 0
42614 - 0 0 0 0 0 0 0 0 0 0 0 0
42615 - 0 0 0 0 0 0 0 0 0 6 6 6
42616 - 14 14 14 18 18 18 22 22 22 22 22 22
42617 - 18 18 18 14 14 14 10 10 10 6 6 6
42618 - 0 0 0 0 0 0 0 0 0 0 0 0
42619 - 0 0 0 0 0 0 0 0 0 0 0 0
42620 - 0 0 0 0 0 0 0 0 0 0 0 0
42621 - 0 0 0 0 0 0 0 0 0 0 0 0
42622 - 0 0 0 0 0 0 0 0 0 0 0 0
42623 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42624 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42625 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42626 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42627 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42628 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42629 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42630 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42631 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42632 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42633 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42634 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42635 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42636 +4 4 4 4 4 4
42637 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42638 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42639 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42640 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42641 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42642 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42643 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42644 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42645 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42646 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42647 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42648 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42649 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42650 +4 4 4 4 4 4
42651 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42652 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42653 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42654 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42655 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42656 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42657 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42658 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42659 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42660 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42661 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42662 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42663 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42664 +4 4 4 4 4 4
42665 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42666 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42667 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42668 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42669 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42670 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42671 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42672 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42673 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42674 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42675 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42676 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42677 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42678 +4 4 4 4 4 4
42679 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42680 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42681 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42682 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42683 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42684 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42685 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42686 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42687 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42688 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42689 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42690 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42691 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42692 +4 4 4 4 4 4
42693 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42694 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42695 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42696 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42697 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42698 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42699 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42700 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42701 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42702 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42703 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42704 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42705 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42706 +4 4 4 4 4 4
42707 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42708 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42709 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42710 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42711 +4 4 4 4 4 4 4 4 4 3 3 3 0 0 0 0 0 0
42712 +0 0 0 0 0 0 0 0 0 0 0 0 3 3 3 4 4 4
42713 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42714 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42715 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42716 +4 4 4 4 4 4 4 4 4 4 4 4 1 1 1 0 0 0
42717 +0 0 0 3 3 3 4 4 4 4 4 4 4 4 4 4 4 4
42718 +4 4 4 4 4 4 4 4 4 2 1 0 2 1 0 3 2 2
42719 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42720 +4 4 4 4 4 4
42721 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42722 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42723 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42724 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42725 +4 4 4 4 4 4 2 2 2 0 0 0 3 4 3 26 28 28
42726 +37 38 37 37 38 37 14 17 19 2 2 2 0 0 0 2 2 2
42727 +5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42728 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42729 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42730 +4 4 4 4 4 4 3 3 3 0 0 0 1 1 1 6 6 6
42731 +2 2 2 0 0 0 3 3 3 4 4 4 4 4 4 4 4 4
42732 +4 4 5 3 3 3 1 0 0 0 0 0 1 0 0 0 0 0
42733 +1 1 1 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42734 +4 4 4 4 4 4
42735 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42736 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42737 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42738 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42739 +2 2 2 0 0 0 0 0 0 14 17 19 60 74 84 137 136 137
42740 +153 152 153 137 136 137 125 124 125 60 73 81 6 6 6 3 1 0
42741 +0 0 0 3 3 3 4 4 4 4 4 4 4 4 4 4 4 4
42742 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42743 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42744 +4 4 4 4 4 4 0 0 0 4 4 4 41 54 63 125 124 125
42745 +60 73 81 6 6 6 4 0 0 3 3 3 4 4 4 4 4 4
42746 +4 4 4 0 0 0 6 9 11 41 54 63 41 65 82 22 30 35
42747 +2 2 2 2 1 0 4 4 4 4 4 4 4 4 4 4 4 4
42748 +4 4 4 4 4 4
42749 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42750 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42751 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42752 +4 4 4 4 4 4 5 5 5 5 5 5 2 2 2 0 0 0
42753 +4 0 0 6 6 6 41 54 63 137 136 137 174 174 174 167 166 167
42754 +165 164 165 165 164 165 163 162 163 163 162 163 125 124 125 41 54 63
42755 +1 1 1 0 0 0 0 0 0 3 3 3 5 5 5 4 4 4
42756 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42757 +4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 5 5 5
42758 +3 3 3 2 0 0 4 0 0 60 73 81 156 155 156 167 166 167
42759 +163 162 163 85 115 134 5 7 8 0 0 0 4 4 4 5 5 5
42760 +0 0 0 2 5 5 55 98 126 90 154 193 90 154 193 72 125 159
42761 +37 51 59 2 0 0 1 1 1 4 5 5 4 4 4 4 4 4
42762 +4 4 4 4 4 4
42763 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42764 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42765 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42766 +4 4 4 5 5 5 4 4 4 1 1 1 0 0 0 3 3 3
42767 +37 38 37 125 124 125 163 162 163 174 174 174 158 157 158 158 157 158
42768 +156 155 156 156 155 156 158 157 158 165 164 165 174 174 174 166 165 166
42769 +125 124 125 16 19 21 1 0 0 0 0 0 0 0 0 4 4 4
42770 +5 5 5 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
42771 +4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 1 1 1
42772 +0 0 0 0 0 0 37 38 37 153 152 153 174 174 174 158 157 158
42773 +174 174 174 163 162 163 37 38 37 4 3 3 4 0 0 1 1 1
42774 +0 0 0 22 40 52 101 161 196 101 161 196 90 154 193 101 161 196
42775 +64 123 161 14 17 19 0 0 0 4 4 4 4 4 4 4 4 4
42776 +4 4 4 4 4 4
42777 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42778 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42779 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
42780 +5 5 5 2 2 2 0 0 0 4 0 0 24 26 27 85 115 134
42781 +156 155 156 174 174 174 167 166 167 156 155 156 154 153 154 157 156 157
42782 +156 155 156 156 155 156 155 154 155 153 152 153 158 157 158 167 166 167
42783 +174 174 174 156 155 156 60 74 84 16 19 21 0 0 0 0 0 0
42784 +1 1 1 5 5 5 5 5 5 4 4 4 4 4 4 4 4 4
42785 +4 4 4 5 5 5 6 6 6 3 3 3 0 0 0 4 0 0
42786 +13 16 17 60 73 81 137 136 137 165 164 165 156 155 156 153 152 153
42787 +174 174 174 177 184 187 60 73 81 3 1 0 0 0 0 1 1 2
42788 +22 30 35 64 123 161 136 185 209 90 154 193 90 154 193 90 154 193
42789 +90 154 193 21 29 34 0 0 0 3 2 2 4 4 5 4 4 4
42790 +4 4 4 4 4 4
42791 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42792 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42793 +4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 3 3 3
42794 +0 0 0 0 0 0 10 13 16 60 74 84 157 156 157 174 174 174
42795 +174 174 174 158 157 158 153 152 153 154 153 154 156 155 156 155 154 155
42796 +156 155 156 155 154 155 154 153 154 157 156 157 154 153 154 153 152 153
42797 +163 162 163 174 174 174 177 184 187 137 136 137 60 73 81 13 16 17
42798 +4 0 0 0 0 0 3 3 3 5 5 5 4 4 4 4 4 4
42799 +5 5 5 4 4 4 1 1 1 0 0 0 3 3 3 41 54 63
42800 +131 129 131 174 174 174 174 174 174 174 174 174 167 166 167 174 174 174
42801 +190 197 201 137 136 137 24 26 27 4 0 0 16 21 25 50 82 103
42802 +90 154 193 136 185 209 90 154 193 101 161 196 101 161 196 101 161 196
42803 +31 91 132 3 6 7 0 0 0 4 4 4 4 4 4 4 4 4
42804 +4 4 4 4 4 4
42805 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42806 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42807 +4 4 4 4 4 4 4 4 4 2 2 2 0 0 0 4 0 0
42808 +4 0 0 43 57 68 137 136 137 177 184 187 174 174 174 163 162 163
42809 +155 154 155 155 154 155 156 155 156 155 154 155 158 157 158 165 164 165
42810 +167 166 167 166 165 166 163 162 163 157 156 157 155 154 155 155 154 155
42811 +153 152 153 156 155 156 167 166 167 174 174 174 174 174 174 131 129 131
42812 +41 54 63 5 5 5 0 0 0 0 0 0 3 3 3 4 4 4
42813 +1 1 1 0 0 0 1 0 0 26 28 28 125 124 125 174 174 174
42814 +177 184 187 174 174 174 174 174 174 156 155 156 131 129 131 137 136 137
42815 +125 124 125 24 26 27 4 0 0 41 65 82 90 154 193 136 185 209
42816 +136 185 209 101 161 196 53 118 160 37 112 160 90 154 193 34 86 122
42817 +7 12 15 0 0 0 4 4 4 4 4 4 4 4 4 4 4 4
42818 +4 4 4 4 4 4
42819 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42820 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42821 +4 4 4 3 3 3 0 0 0 0 0 0 5 5 5 37 38 37
42822 +125 124 125 167 166 167 174 174 174 167 166 167 158 157 158 155 154 155
42823 +156 155 156 156 155 156 156 155 156 163 162 163 167 166 167 155 154 155
42824 +137 136 137 153 152 153 156 155 156 165 164 165 163 162 163 156 155 156
42825 +156 155 156 156 155 156 155 154 155 158 157 158 166 165 166 174 174 174
42826 +167 166 167 125 124 125 37 38 37 1 0 0 0 0 0 0 0 0
42827 +0 0 0 24 26 27 60 74 84 158 157 158 174 174 174 174 174 174
42828 +166 165 166 158 157 158 125 124 125 41 54 63 13 16 17 6 6 6
42829 +6 6 6 37 38 37 80 127 157 136 185 209 101 161 196 101 161 196
42830 +90 154 193 28 67 93 6 10 14 13 20 25 13 20 25 6 10 14
42831 +1 1 2 4 3 3 4 4 4 4 4 4 4 4 4 4 4 4
42832 +4 4 4 4 4 4
42833 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42834 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42835 +1 1 1 1 0 0 4 3 3 37 38 37 60 74 84 153 152 153
42836 +167 166 167 167 166 167 158 157 158 154 153 154 155 154 155 156 155 156
42837 +157 156 157 158 157 158 167 166 167 167 166 167 131 129 131 43 57 68
42838 +26 28 28 37 38 37 60 73 81 131 129 131 165 164 165 166 165 166
42839 +158 157 158 155 154 155 156 155 156 156 155 156 156 155 156 158 157 158
42840 +165 164 165 174 174 174 163 162 163 60 74 84 16 19 21 13 16 17
42841 +60 73 81 131 129 131 174 174 174 174 174 174 167 166 167 165 164 165
42842 +137 136 137 60 73 81 24 26 27 4 0 0 4 0 0 16 19 21
42843 +52 104 138 101 161 196 136 185 209 136 185 209 90 154 193 27 99 146
42844 +13 20 25 4 5 7 2 5 5 4 5 7 1 1 2 0 0 0
42845 +4 4 4 4 4 4 3 3 3 2 2 2 2 2 2 4 4 4
42846 +4 4 4 4 4 4
42847 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42848 +4 4 4 4 4 4 4 4 4 4 4 4 3 3 3 0 0 0
42849 +0 0 0 13 16 17 60 73 81 137 136 137 174 174 174 166 165 166
42850 +158 157 158 156 155 156 157 156 157 156 155 156 155 154 155 158 157 158
42851 +167 166 167 174 174 174 153 152 153 60 73 81 16 19 21 4 0 0
42852 +4 0 0 4 0 0 6 6 6 26 28 28 60 74 84 158 157 158
42853 +174 174 174 166 165 166 157 156 157 155 154 155 156 155 156 156 155 156
42854 +155 154 155 158 157 158 167 166 167 167 166 167 131 129 131 125 124 125
42855 +137 136 137 167 166 167 167 166 167 174 174 174 158 157 158 125 124 125
42856 +16 19 21 4 0 0 4 0 0 10 13 16 49 76 92 107 159 188
42857 +136 185 209 136 185 209 90 154 193 26 108 161 22 40 52 6 10 14
42858 +2 3 3 1 1 2 1 1 2 4 4 5 4 4 5 4 4 5
42859 +4 4 5 2 2 1 0 0 0 0 0 0 0 0 0 2 2 2
42860 +4 4 4 4 4 4
42861 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42862 +4 4 4 5 5 5 3 3 3 0 0 0 1 0 0 4 0 0
42863 +37 51 59 131 129 131 167 166 167 167 166 167 163 162 163 157 156 157
42864 +157 156 157 155 154 155 153 152 153 157 156 157 167 166 167 174 174 174
42865 +153 152 153 125 124 125 37 38 37 4 0 0 4 0 0 4 0 0
42866 +4 3 3 4 3 3 4 0 0 6 6 6 4 0 0 37 38 37
42867 +125 124 125 174 174 174 174 174 174 165 164 165 156 155 156 154 153 154
42868 +156 155 156 156 155 156 155 154 155 163 162 163 158 157 158 163 162 163
42869 +174 174 174 174 174 174 174 174 174 125 124 125 37 38 37 0 0 0
42870 +4 0 0 6 9 11 41 54 63 90 154 193 136 185 209 146 190 211
42871 +136 185 209 37 112 160 22 40 52 6 10 14 3 6 7 1 1 2
42872 +1 1 2 3 3 3 1 1 2 3 3 3 4 4 4 4 4 4
42873 +2 2 2 2 0 0 16 19 21 37 38 37 24 26 27 0 0 0
42874 +0 0 0 4 4 4
42875 +4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 5 5 5
42876 +4 4 4 0 0 0 0 0 0 0 0 0 26 28 28 120 125 127
42877 +158 157 158 174 174 174 165 164 165 157 156 157 155 154 155 156 155 156
42878 +153 152 153 153 152 153 167 166 167 174 174 174 174 174 174 125 124 125
42879 +37 38 37 4 0 0 0 0 0 4 0 0 4 3 3 4 4 4
42880 +4 4 4 4 4 4 5 5 5 4 0 0 4 0 0 4 0 0
42881 +4 3 3 43 57 68 137 136 137 174 174 174 174 174 174 165 164 165
42882 +154 153 154 153 152 153 153 152 153 153 152 153 163 162 163 174 174 174
42883 +174 174 174 153 152 153 60 73 81 6 6 6 4 0 0 4 3 3
42884 +32 43 50 80 127 157 136 185 209 146 190 211 146 190 211 90 154 193
42885 +28 67 93 28 67 93 40 71 93 3 6 7 1 1 2 2 5 5
42886 +50 82 103 79 117 143 26 37 45 0 0 0 3 3 3 1 1 1
42887 +0 0 0 41 54 63 137 136 137 174 174 174 153 152 153 60 73 81
42888 +2 0 0 0 0 0
42889 +4 4 4 4 4 4 4 4 4 4 4 4 6 6 6 2 2 2
42890 +0 0 0 2 0 0 24 26 27 60 74 84 153 152 153 174 174 174
42891 +174 174 174 157 156 157 154 153 154 156 155 156 154 153 154 153 152 153
42892 +165 164 165 174 174 174 177 184 187 137 136 137 43 57 68 6 6 6
42893 +4 0 0 2 0 0 3 3 3 5 5 5 5 5 5 4 4 4
42894 +4 4 4 4 4 4 4 4 4 5 5 5 6 6 6 4 3 3
42895 +4 0 0 4 0 0 24 26 27 60 73 81 153 152 153 174 174 174
42896 +174 174 174 158 157 158 158 157 158 174 174 174 174 174 174 158 157 158
42897 +60 74 84 24 26 27 4 0 0 4 0 0 17 23 27 59 113 148
42898 +136 185 209 191 222 234 146 190 211 136 185 209 31 91 132 7 11 13
42899 +22 40 52 101 161 196 90 154 193 6 9 11 3 4 4 43 95 132
42900 +136 185 209 172 205 220 55 98 126 0 0 0 0 0 0 2 0 0
42901 +26 28 28 153 152 153 177 184 187 167 166 167 177 184 187 165 164 165
42902 +37 38 37 0 0 0
42903 +4 4 4 4 4 4 5 5 5 5 5 5 1 1 1 0 0 0
42904 +13 16 17 60 73 81 137 136 137 174 174 174 174 174 174 165 164 165
42905 +153 152 153 153 152 153 155 154 155 154 153 154 158 157 158 174 174 174
42906 +177 184 187 163 162 163 60 73 81 16 19 21 4 0 0 4 0 0
42907 +4 3 3 4 4 4 5 5 5 5 5 5 4 4 4 5 5 5
42908 +5 5 5 5 5 5 5 5 5 4 4 4 4 4 4 5 5 5
42909 +6 6 6 4 0 0 4 0 0 4 0 0 24 26 27 60 74 84
42910 +166 165 166 174 174 174 177 184 187 165 164 165 125 124 125 24 26 27
42911 +4 0 0 4 0 0 5 5 5 50 82 103 136 185 209 172 205 220
42912 +146 190 211 136 185 209 26 108 161 22 40 52 7 12 15 44 81 103
42913 +71 116 144 28 67 93 37 51 59 41 65 82 100 139 164 101 161 196
42914 +90 154 193 90 154 193 28 67 93 0 0 0 0 0 0 26 28 28
42915 +125 124 125 167 166 167 163 162 163 153 152 153 163 162 163 174 174 174
42916 +85 115 134 4 0 0
42917 +4 4 4 5 5 5 4 4 4 1 0 0 4 0 0 34 47 55
42918 +125 124 125 174 174 174 174 174 174 167 166 167 157 156 157 153 152 153
42919 +155 154 155 155 154 155 158 157 158 166 165 166 167 166 167 154 153 154
42920 +125 124 125 26 28 28 4 0 0 4 0 0 4 0 0 5 5 5
42921 +5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 1 1 1
42922 +0 0 0 0 0 0 1 1 1 4 4 4 4 4 4 4 4 4
42923 +5 5 5 5 5 5 4 3 3 4 0 0 4 0 0 6 6 6
42924 +37 38 37 131 129 131 137 136 137 37 38 37 0 0 0 4 0 0
42925 +4 5 5 43 61 72 90 154 193 172 205 220 146 190 211 136 185 209
42926 +90 154 193 28 67 93 13 20 25 43 61 72 71 116 144 44 81 103
42927 +2 5 5 7 11 13 59 113 148 101 161 196 90 154 193 28 67 93
42928 +13 20 25 6 10 14 0 0 0 13 16 17 60 73 81 137 136 137
42929 +166 165 166 158 157 158 156 155 156 154 153 154 167 166 167 174 174 174
42930 +60 73 81 4 0 0
42931 +4 4 4 4 4 4 0 0 0 3 3 3 60 74 84 174 174 174
42932 +174 174 174 167 166 167 163 162 163 155 154 155 157 156 157 155 154 155
42933 +156 155 156 163 162 163 167 166 167 158 157 158 125 124 125 37 38 37
42934 +4 3 3 4 0 0 4 0 0 6 6 6 6 6 6 5 5 5
42935 +4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 2 3 3
42936 +10 13 16 7 11 13 1 0 0 0 0 0 2 2 1 4 4 4
42937 +4 4 4 4 4 4 4 4 4 5 5 5 4 3 3 4 0 0
42938 +4 0 0 7 11 13 13 16 17 4 0 0 3 3 3 34 47 55
42939 +80 127 157 146 190 211 172 205 220 136 185 209 136 185 209 136 185 209
42940 +28 67 93 22 40 52 55 98 126 55 98 126 21 29 34 7 11 13
42941 +50 82 103 101 161 196 101 161 196 35 83 115 13 20 25 2 2 1
42942 +1 1 2 1 1 2 37 51 59 131 129 131 174 174 174 174 174 174
42943 +167 166 167 163 162 163 163 162 163 167 166 167 174 174 174 125 124 125
42944 +16 19 21 4 0 0
42945 +4 4 4 4 0 0 4 0 0 60 74 84 174 174 174 174 174 174
42946 +158 157 158 155 154 155 155 154 155 156 155 156 155 154 155 158 157 158
42947 +167 166 167 165 164 165 131 129 131 60 73 81 13 16 17 4 0 0
42948 +4 0 0 4 3 3 6 6 6 4 3 3 5 5 5 4 4 4
42949 +4 4 4 3 2 2 0 0 0 0 0 0 7 11 13 45 69 86
42950 +80 127 157 71 116 144 43 61 72 7 11 13 0 0 0 1 1 1
42951 +4 3 3 4 4 4 4 4 4 4 4 4 6 6 6 5 5 5
42952 +3 2 2 4 0 0 1 0 0 21 29 34 59 113 148 136 185 209
42953 +146 190 211 136 185 209 136 185 209 136 185 209 136 185 209 136 185 209
42954 +68 124 159 44 81 103 22 40 52 13 16 17 43 61 72 90 154 193
42955 +136 185 209 59 113 148 21 29 34 3 4 3 1 1 1 0 0 0
42956 +24 26 27 125 124 125 163 162 163 174 174 174 166 165 166 165 164 165
42957 +163 162 163 125 124 125 125 124 125 125 124 125 125 124 125 26 28 28
42958 +4 0 0 4 3 3
42959 +3 3 3 0 0 0 24 26 27 153 152 153 177 184 187 158 157 158
42960 +156 155 156 156 155 156 155 154 155 155 154 155 165 164 165 174 174 174
42961 +155 154 155 60 74 84 26 28 28 4 0 0 4 0 0 3 1 0
42962 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 3 3
42963 +2 0 0 0 0 0 0 0 0 32 43 50 72 125 159 101 161 196
42964 +136 185 209 101 161 196 101 161 196 79 117 143 32 43 50 0 0 0
42965 +0 0 0 2 2 2 4 4 4 4 4 4 3 3 3 1 0 0
42966 +0 0 0 4 5 5 49 76 92 101 161 196 146 190 211 146 190 211
42967 +136 185 209 136 185 209 136 185 209 136 185 209 136 185 209 90 154 193
42968 +28 67 93 13 16 17 37 51 59 80 127 157 136 185 209 90 154 193
42969 +22 40 52 6 9 11 3 4 3 2 2 1 16 19 21 60 73 81
42970 +137 136 137 163 162 163 158 157 158 166 165 166 167 166 167 153 152 153
42971 +60 74 84 37 38 37 6 6 6 13 16 17 4 0 0 1 0 0
42972 +3 2 2 4 4 4
42973 +3 2 2 4 0 0 37 38 37 137 136 137 167 166 167 158 157 158
42974 +157 156 157 154 153 154 157 156 157 167 166 167 174 174 174 125 124 125
42975 +37 38 37 4 0 0 4 0 0 4 0 0 4 3 3 4 4 4
42976 +4 4 4 4 4 4 5 5 5 5 5 5 1 1 1 0 0 0
42977 +0 0 0 16 21 25 55 98 126 90 154 193 136 185 209 101 161 196
42978 +101 161 196 101 161 196 136 185 209 136 185 209 101 161 196 55 98 126
42979 +14 17 19 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
42980 +22 40 52 90 154 193 146 190 211 146 190 211 136 185 209 136 185 209
42981 +136 185 209 136 185 209 136 185 209 101 161 196 35 83 115 7 11 13
42982 +17 23 27 59 113 148 136 185 209 101 161 196 34 86 122 7 12 15
42983 +2 5 5 3 4 3 6 6 6 60 73 81 131 129 131 163 162 163
42984 +166 165 166 174 174 174 174 174 174 163 162 163 125 124 125 41 54 63
42985 +13 16 17 4 0 0 4 0 0 4 0 0 1 0 0 2 2 2
42986 +4 4 4 4 4 4
42987 +1 1 1 2 1 0 43 57 68 137 136 137 153 152 153 153 152 153
42988 +163 162 163 156 155 156 165 164 165 167 166 167 60 74 84 6 6 6
42989 +4 0 0 4 0 0 5 5 5 4 4 4 4 4 4 4 4 4
42990 +4 5 5 6 6 6 4 3 3 0 0 0 0 0 0 11 15 18
42991 +40 71 93 100 139 164 101 161 196 101 161 196 101 161 196 101 161 196
42992 +101 161 196 101 161 196 101 161 196 101 161 196 136 185 209 136 185 209
42993 +101 161 196 45 69 86 6 6 6 0 0 0 17 23 27 55 98 126
42994 +136 185 209 146 190 211 136 185 209 136 185 209 136 185 209 136 185 209
42995 +136 185 209 136 185 209 90 154 193 22 40 52 7 11 13 50 82 103
42996 +136 185 209 136 185 209 53 118 160 22 40 52 7 11 13 2 5 5
42997 +3 4 3 37 38 37 125 124 125 157 156 157 166 165 166 167 166 167
42998 +174 174 174 174 174 174 137 136 137 60 73 81 4 0 0 4 0 0
42999 +4 0 0 4 0 0 5 5 5 3 3 3 3 3 3 4 4 4
43000 +4 4 4 4 4 4
43001 +4 0 0 4 0 0 41 54 63 137 136 137 125 124 125 131 129 131
43002 +155 154 155 167 166 167 174 174 174 60 74 84 6 6 6 4 0 0
43003 +4 3 3 6 6 6 4 4 4 4 4 4 4 4 4 5 5 5
43004 +4 4 4 1 1 1 0 0 0 3 6 7 41 65 82 72 125 159
43005 +101 161 196 101 161 196 101 161 196 90 154 193 90 154 193 101 161 196
43006 +101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 136 185 209
43007 +136 185 209 136 185 209 80 127 157 55 98 126 101 161 196 146 190 211
43008 +136 185 209 136 185 209 136 185 209 101 161 196 136 185 209 101 161 196
43009 +136 185 209 101 161 196 35 83 115 22 30 35 101 161 196 172 205 220
43010 +90 154 193 28 67 93 7 11 13 2 5 5 3 4 3 13 16 17
43011 +85 115 134 167 166 167 174 174 174 174 174 174 174 174 174 174 174 174
43012 +167 166 167 60 74 84 13 16 17 4 0 0 4 0 0 4 3 3
43013 +6 6 6 5 5 5 4 4 4 5 5 5 4 4 4 5 5 5
43014 +5 5 5 5 5 5
43015 +1 1 1 4 0 0 41 54 63 137 136 137 137 136 137 125 124 125
43016 +131 129 131 167 166 167 157 156 157 37 38 37 6 6 6 4 0 0
43017 +6 6 6 5 5 5 4 4 4 4 4 4 4 5 5 2 2 1
43018 +0 0 0 0 0 0 26 37 45 58 111 146 101 161 196 101 161 196
43019 +101 161 196 90 154 193 90 154 193 90 154 193 101 161 196 101 161 196
43020 +101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
43021 +101 161 196 136 185 209 136 185 209 136 185 209 146 190 211 136 185 209
43022 +136 185 209 101 161 196 136 185 209 136 185 209 101 161 196 136 185 209
43023 +101 161 196 136 185 209 136 185 209 136 185 209 136 185 209 16 89 141
43024 +7 11 13 2 5 5 2 5 5 13 16 17 60 73 81 154 154 154
43025 +174 174 174 174 174 174 174 174 174 174 174 174 163 162 163 125 124 125
43026 +24 26 27 4 0 0 4 0 0 4 0 0 5 5 5 5 5 5
43027 +4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 5 5 5
43028 +5 5 5 4 4 4
43029 +4 0 0 6 6 6 37 38 37 137 136 137 137 136 137 131 129 131
43030 +131 129 131 153 152 153 131 129 131 26 28 28 4 0 0 4 3 3
43031 +6 6 6 4 4 4 4 4 4 4 4 4 0 0 0 0 0 0
43032 +13 20 25 51 88 114 90 154 193 101 161 196 101 161 196 90 154 193
43033 +90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 101 161 196
43034 +101 161 196 101 161 196 101 161 196 101 161 196 136 185 209 101 161 196
43035 +101 161 196 136 185 209 101 161 196 136 185 209 136 185 209 101 161 196
43036 +136 185 209 101 161 196 136 185 209 101 161 196 101 161 196 101 161 196
43037 +136 185 209 136 185 209 136 185 209 37 112 160 21 29 34 5 7 8
43038 +2 5 5 13 16 17 43 57 68 131 129 131 174 174 174 174 174 174
43039 +174 174 174 167 166 167 157 156 157 125 124 125 37 38 37 4 0 0
43040 +4 0 0 4 0 0 5 5 5 5 5 5 4 4 4 4 4 4
43041 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43042 +4 4 4 4 4 4
43043 +1 1 1 4 0 0 41 54 63 153 152 153 137 136 137 137 136 137
43044 +137 136 137 153 152 153 125 124 125 24 26 27 4 0 0 3 2 2
43045 +4 4 4 4 4 4 4 3 3 4 0 0 3 6 7 43 61 72
43046 +64 123 161 101 161 196 90 154 193 90 154 193 90 154 193 90 154 193
43047 +90 154 193 90 154 193 90 154 193 90 154 193 101 161 196 90 154 193
43048 +101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
43049 +101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
43050 +136 185 209 101 161 196 101 161 196 136 185 209 136 185 209 101 161 196
43051 +101 161 196 90 154 193 28 67 93 13 16 17 7 11 13 3 6 7
43052 +37 51 59 125 124 125 163 162 163 174 174 174 167 166 167 166 165 166
43053 +167 166 167 131 129 131 60 73 81 4 0 0 4 0 0 4 0 0
43054 +3 3 3 5 5 5 6 6 6 4 4 4 4 4 4 4 4 4
43055 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43056 +4 4 4 4 4 4
43057 +4 0 0 4 0 0 41 54 63 137 136 137 153 152 153 137 136 137
43058 +153 152 153 157 156 157 125 124 125 24 26 27 0 0 0 2 2 2
43059 +4 4 4 4 4 4 2 0 0 0 0 0 28 67 93 90 154 193
43060 +90 154 193 90 154 193 90 154 193 90 154 193 64 123 161 90 154 193
43061 +90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 101 161 196
43062 +90 154 193 101 161 196 101 161 196 101 161 196 90 154 193 136 185 209
43063 +101 161 196 101 161 196 136 185 209 101 161 196 136 185 209 101 161 196
43064 +101 161 196 101 161 196 136 185 209 101 161 196 101 161 196 90 154 193
43065 +35 83 115 13 16 17 3 6 7 2 5 5 13 16 17 60 74 84
43066 +154 154 154 166 165 166 165 164 165 158 157 158 163 162 163 157 156 157
43067 +60 74 84 13 16 17 4 0 0 4 0 0 3 2 2 4 4 4
43068 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43069 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43070 +4 4 4 4 4 4
43071 +1 1 1 4 0 0 41 54 63 157 156 157 155 154 155 137 136 137
43072 +153 152 153 158 157 158 137 136 137 26 28 28 2 0 0 2 2 2
43073 +4 4 4 4 4 4 1 0 0 6 10 14 34 86 122 90 154 193
43074 +64 123 161 90 154 193 64 123 161 90 154 193 90 154 193 90 154 193
43075 +64 123 161 90 154 193 90 154 193 90 154 193 90 154 193 90 154 193
43076 +101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
43077 +101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
43078 +136 185 209 101 161 196 136 185 209 90 154 193 26 108 161 22 40 52
43079 +13 16 17 5 7 8 2 5 5 2 5 5 37 38 37 165 164 165
43080 +174 174 174 163 162 163 154 154 154 165 164 165 167 166 167 60 73 81
43081 +6 6 6 4 0 0 4 0 0 4 4 4 4 4 4 4 4 4
43082 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43083 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43084 +4 4 4 4 4 4
43085 +4 0 0 6 6 6 41 54 63 156 155 156 158 157 158 153 152 153
43086 +156 155 156 165 164 165 137 136 137 26 28 28 0 0 0 2 2 2
43087 +4 4 5 4 4 4 2 0 0 7 12 15 31 96 139 64 123 161
43088 +90 154 193 64 123 161 90 154 193 90 154 193 64 123 161 90 154 193
43089 +90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 90 154 193
43090 +90 154 193 90 154 193 90 154 193 101 161 196 101 161 196 101 161 196
43091 +101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 136 185 209
43092 +101 161 196 136 185 209 26 108 161 22 40 52 7 11 13 5 7 8
43093 +2 5 5 2 5 5 2 5 5 2 2 1 37 38 37 158 157 158
43094 +174 174 174 154 154 154 156 155 156 167 166 167 165 164 165 37 38 37
43095 +4 0 0 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43096 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43097 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43098 +4 4 4 4 4 4
43099 +3 1 0 4 0 0 60 73 81 157 156 157 163 162 163 153 152 153
43100 +158 157 158 167 166 167 137 136 137 26 28 28 2 0 0 2 2 2
43101 +4 5 5 4 4 4 4 0 0 7 12 15 24 86 132 26 108 161
43102 +37 112 160 64 123 161 90 154 193 64 123 161 90 154 193 90 154 193
43103 +90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 90 154 193
43104 +90 154 193 101 161 196 90 154 193 101 161 196 101 161 196 101 161 196
43105 +101 161 196 101 161 196 101 161 196 136 185 209 101 161 196 136 185 209
43106 +90 154 193 35 83 115 13 16 17 13 16 17 7 11 13 3 6 7
43107 +5 7 8 6 6 6 3 4 3 2 2 1 30 32 34 154 154 154
43108 +167 166 167 154 154 154 154 154 154 174 174 174 165 164 165 37 38 37
43109 +6 6 6 4 0 0 6 6 6 4 4 4 4 4 4 4 4 4
43110 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43111 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43112 +4 4 4 4 4 4
43113 +4 0 0 4 0 0 41 54 63 163 162 163 166 165 166 154 154 154
43114 +163 162 163 174 174 174 137 136 137 26 28 28 0 0 0 2 2 2
43115 +4 5 5 4 4 5 1 1 2 6 10 14 28 67 93 18 97 151
43116 +18 97 151 18 97 151 26 108 161 37 112 160 37 112 160 90 154 193
43117 +64 123 161 90 154 193 90 154 193 90 154 193 90 154 193 101 161 196
43118 +90 154 193 101 161 196 101 161 196 90 154 193 101 161 196 101 161 196
43119 +101 161 196 101 161 196 101 161 196 136 185 209 90 154 193 16 89 141
43120 +13 20 25 7 11 13 5 7 8 5 7 8 2 5 5 4 5 5
43121 +3 4 3 4 5 5 3 4 3 0 0 0 37 38 37 158 157 158
43122 +174 174 174 158 157 158 158 157 158 167 166 167 174 174 174 41 54 63
43123 +4 0 0 3 2 2 5 5 5 4 4 4 4 4 4 4 4 4
43124 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43125 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43126 +4 4 4 4 4 4
43127 +1 1 1 4 0 0 60 73 81 165 164 165 174 174 174 158 157 158
43128 +167 166 167 174 174 174 153 152 153 26 28 28 2 0 0 2 2 2
43129 +4 5 5 4 4 4 4 0 0 7 12 15 10 87 144 10 87 144
43130 +18 97 151 18 97 151 18 97 151 26 108 161 26 108 161 26 108 161
43131 +26 108 161 37 112 160 53 118 160 90 154 193 90 154 193 90 154 193
43132 +90 154 193 90 154 193 101 161 196 101 161 196 101 161 196 101 161 196
43133 +101 161 196 136 185 209 90 154 193 26 108 161 22 40 52 13 16 17
43134 +7 11 13 3 6 7 5 7 8 5 7 8 2 5 5 4 5 5
43135 +4 5 5 6 6 6 3 4 3 0 0 0 30 32 34 158 157 158
43136 +174 174 174 156 155 156 155 154 155 165 164 165 154 153 154 37 38 37
43137 +4 0 0 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43138 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43139 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43140 +4 4 4 4 4 4
43141 +4 0 0 4 0 0 60 73 81 167 166 167 174 174 174 163 162 163
43142 +174 174 174 174 174 174 153 152 153 26 28 28 0 0 0 3 3 3
43143 +5 5 5 4 4 4 1 1 2 7 12 15 28 67 93 18 97 151
43144 +18 97 151 18 97 151 18 97 151 18 97 151 18 97 151 26 108 161
43145 +26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
43146 +90 154 193 26 108 161 90 154 193 90 154 193 90 154 193 101 161 196
43147 +101 161 196 26 108 161 22 40 52 13 16 17 7 11 13 2 5 5
43148 +2 5 5 6 6 6 2 5 5 4 5 5 4 5 5 4 5 5
43149 +3 4 3 5 5 5 3 4 3 2 0 0 30 32 34 137 136 137
43150 +153 152 153 137 136 137 131 129 131 137 136 137 131 129 131 37 38 37
43151 +4 0 0 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43152 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43153 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43154 +4 4 4 4 4 4
43155 +1 1 1 4 0 0 60 73 81 167 166 167 174 174 174 166 165 166
43156 +174 174 174 177 184 187 153 152 153 30 32 34 1 0 0 3 3 3
43157 +5 5 5 4 3 3 4 0 0 7 12 15 10 87 144 10 87 144
43158 +18 97 151 18 97 151 18 97 151 26 108 161 26 108 161 26 108 161
43159 +26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
43160 +26 108 161 26 108 161 26 108 161 90 154 193 90 154 193 26 108 161
43161 +35 83 115 13 16 17 7 11 13 5 7 8 3 6 7 5 7 8
43162 +2 5 5 6 6 6 4 5 5 4 5 5 3 4 3 4 5 5
43163 +3 4 3 6 6 6 3 4 3 0 0 0 26 28 28 125 124 125
43164 +131 129 131 125 124 125 125 124 125 131 129 131 131 129 131 37 38 37
43165 +4 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43166 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43167 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43168 +4 4 4 4 4 4
43169 +3 1 0 4 0 0 60 73 81 174 174 174 177 184 187 167 166 167
43170 +174 174 174 177 184 187 153 152 153 30 32 34 0 0 0 3 3 3
43171 +5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 18 97 151
43172 +18 97 151 18 97 151 18 97 151 18 97 151 18 97 151 26 108 161
43173 +26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
43174 +26 108 161 90 154 193 26 108 161 26 108 161 24 86 132 13 20 25
43175 +7 11 13 13 20 25 22 40 52 5 7 8 3 4 3 3 4 3
43176 +4 5 5 3 4 3 4 5 5 3 4 3 4 5 5 3 4 3
43177 +4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 125 124 125
43178 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
43179 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43180 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43181 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43182 +4 4 4 4 4 4
43183 +1 1 1 4 0 0 60 73 81 174 174 174 177 184 187 174 174 174
43184 +174 174 174 190 197 201 157 156 157 30 32 34 1 0 0 3 3 3
43185 +5 5 5 4 3 3 4 0 0 7 12 15 10 87 144 10 87 144
43186 +18 97 151 19 95 150 19 95 150 18 97 151 18 97 151 26 108 161
43187 +18 97 151 26 108 161 26 108 161 26 108 161 26 108 161 90 154 193
43188 +26 108 161 26 108 161 26 108 161 22 40 52 2 5 5 3 4 3
43189 +28 67 93 37 112 160 34 86 122 2 5 5 3 4 3 3 4 3
43190 +3 4 3 3 4 3 3 4 3 2 2 1 3 4 3 4 4 4
43191 +4 5 5 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
43192 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
43193 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43194 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43195 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43196 +4 4 4 4 4 4
43197 +4 0 0 4 0 0 60 73 81 174 174 174 177 184 187 174 174 174
43198 +174 174 174 190 197 201 158 157 158 30 32 34 0 0 0 2 2 2
43199 +5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 18 97 151
43200 +10 87 144 19 95 150 19 95 150 18 97 151 18 97 151 18 97 151
43201 +26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
43202 +18 97 151 22 40 52 2 5 5 2 2 1 22 40 52 26 108 161
43203 +90 154 193 37 112 160 22 40 52 3 4 3 13 20 25 22 30 35
43204 +3 6 7 1 1 1 2 2 2 6 9 11 5 5 5 4 3 3
43205 +4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 131 129 131
43206 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
43207 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43208 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43209 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43210 +4 4 4 4 4 4
43211 +1 1 1 4 0 0 60 73 81 177 184 187 193 200 203 174 174 174
43212 +177 184 187 193 200 203 163 162 163 30 32 34 4 0 0 2 2 2
43213 +5 5 5 4 3 3 4 0 0 6 10 14 24 86 132 10 87 144
43214 +10 87 144 10 87 144 19 95 150 19 95 150 19 95 150 18 97 151
43215 +26 108 161 26 108 161 26 108 161 90 154 193 26 108 161 28 67 93
43216 +6 10 14 2 5 5 13 20 25 24 86 132 37 112 160 90 154 193
43217 +10 87 144 7 12 15 2 5 5 28 67 93 37 112 160 28 67 93
43218 +2 2 1 7 12 15 35 83 115 28 67 93 3 6 7 1 0 0
43219 +4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
43220 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
43221 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43222 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43223 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43224 +4 4 4 4 4 4
43225 +4 0 0 4 0 0 60 73 81 174 174 174 190 197 201 174 174 174
43226 +177 184 187 193 200 203 163 162 163 30 32 34 0 0 0 2 2 2
43227 +5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 10 87 144
43228 +10 87 144 16 89 141 19 95 150 10 87 144 26 108 161 26 108 161
43229 +26 108 161 26 108 161 26 108 161 28 67 93 6 10 14 1 1 2
43230 +7 12 15 28 67 93 26 108 161 16 89 141 24 86 132 21 29 34
43231 +3 4 3 21 29 34 37 112 160 37 112 160 27 99 146 21 29 34
43232 +21 29 34 26 108 161 90 154 193 35 83 115 1 1 2 2 0 0
43233 +4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 125 124 125
43234 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
43235 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43236 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43237 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43238 +4 4 4 4 4 4
43239 +3 1 0 4 0 0 60 73 81 193 200 203 193 200 203 174 174 174
43240 +190 197 201 193 200 203 165 164 165 37 38 37 4 0 0 2 2 2
43241 +5 5 5 4 3 3 4 0 0 6 10 14 24 86 132 10 87 144
43242 +10 87 144 10 87 144 16 89 141 18 97 151 18 97 151 10 87 144
43243 +24 86 132 24 86 132 13 20 25 4 5 7 4 5 7 22 40 52
43244 +18 97 151 37 112 160 26 108 161 7 12 15 1 1 1 0 0 0
43245 +28 67 93 37 112 160 26 108 161 28 67 93 22 40 52 28 67 93
43246 +26 108 161 90 154 193 26 108 161 10 87 144 0 0 0 2 0 0
43247 +4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
43248 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
43249 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43250 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43251 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43252 +4 4 4 4 4 4
43253 +4 0 0 6 6 6 60 73 81 174 174 174 193 200 203 174 174 174
43254 +190 197 201 193 200 203 165 164 165 30 32 34 0 0 0 2 2 2
43255 +5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 10 87 144
43256 +10 87 144 10 87 144 10 87 144 18 97 151 28 67 93 6 10 14
43257 +0 0 0 1 1 2 4 5 7 13 20 25 16 89 141 26 108 161
43258 +26 108 161 26 108 161 24 86 132 6 9 11 2 3 3 22 40 52
43259 +37 112 160 16 89 141 22 40 52 28 67 93 26 108 161 26 108 161
43260 +90 154 193 26 108 161 26 108 161 28 67 93 1 1 1 4 0 0
43261 +4 4 4 5 5 5 3 3 3 4 0 0 26 28 28 124 126 130
43262 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
43263 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43264 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43265 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43266 +4 4 4 4 4 4
43267 +4 0 0 4 0 0 60 73 81 193 200 203 193 200 203 174 174 174
43268 +193 200 203 193 200 203 167 166 167 37 38 37 4 0 0 2 2 2
43269 +5 5 5 4 4 4 4 0 0 6 10 14 28 67 93 10 87 144
43270 +10 87 144 10 87 144 18 97 151 10 87 144 13 20 25 4 5 7
43271 +1 1 2 1 1 1 22 40 52 26 108 161 26 108 161 26 108 161
43272 +26 108 161 26 108 161 26 108 161 24 86 132 22 40 52 22 40 52
43273 +22 40 52 22 40 52 10 87 144 26 108 161 26 108 161 26 108 161
43274 +26 108 161 26 108 161 90 154 193 10 87 144 0 0 0 4 0 0
43275 +4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
43276 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
43277 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43278 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43279 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43280 +4 4 4 4 4 4
43281 +4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
43282 +190 197 201 205 212 215 167 166 167 30 32 34 0 0 0 2 2 2
43283 +5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 10 87 144
43284 +10 87 144 10 87 144 10 87 144 10 87 144 22 40 52 1 1 2
43285 +2 0 0 1 1 2 24 86 132 26 108 161 26 108 161 26 108 161
43286 +26 108 161 19 95 150 16 89 141 10 87 144 22 40 52 22 40 52
43287 +10 87 144 26 108 161 37 112 160 26 108 161 26 108 161 26 108 161
43288 +26 108 161 26 108 161 26 108 161 28 67 93 2 0 0 3 1 0
43289 +4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 131 129 131
43290 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
43291 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43292 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43293 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43294 +4 4 4 4 4 4
43295 +4 0 0 4 0 0 60 73 81 220 221 221 190 197 201 174 174 174
43296 +193 200 203 193 200 203 174 174 174 37 38 37 4 0 0 2 2 2
43297 +5 5 5 4 4 4 3 2 2 1 1 2 13 20 25 10 87 144
43298 +10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 13 20 25
43299 +13 20 25 22 40 52 10 87 144 18 97 151 18 97 151 26 108 161
43300 +10 87 144 13 20 25 6 10 14 21 29 34 24 86 132 18 97 151
43301 +26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
43302 +26 108 161 90 154 193 18 97 151 13 20 25 0 0 0 4 3 3
43303 +4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
43304 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
43305 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43306 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43307 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43308 +4 4 4 4 4 4
43309 +4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
43310 +190 197 201 220 221 221 167 166 167 30 32 34 1 0 0 2 2 2
43311 +5 5 5 4 4 4 4 4 5 2 5 5 4 5 7 13 20 25
43312 +28 67 93 10 87 144 10 87 144 10 87 144 10 87 144 10 87 144
43313 +10 87 144 10 87 144 18 97 151 10 87 144 18 97 151 18 97 151
43314 +28 67 93 2 3 3 0 0 0 28 67 93 26 108 161 26 108 161
43315 +26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
43316 +26 108 161 10 87 144 13 20 25 1 1 2 3 2 2 4 4 4
43317 +4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 131 129 131
43318 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
43319 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43320 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43321 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43322 +4 4 4 4 4 4
43323 +4 0 0 4 0 0 60 73 81 220 221 221 190 197 201 174 174 174
43324 +193 200 203 193 200 203 174 174 174 26 28 28 4 0 0 4 3 3
43325 +5 5 5 4 4 4 4 4 4 4 4 5 1 1 2 2 5 5
43326 +4 5 7 22 40 52 10 87 144 10 87 144 18 97 151 10 87 144
43327 +10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 18 97 151
43328 +10 87 144 28 67 93 22 40 52 10 87 144 26 108 161 18 97 151
43329 +18 97 151 18 97 151 26 108 161 26 108 161 26 108 161 26 108 161
43330 +22 40 52 1 1 2 0 0 0 2 3 3 4 4 4 4 4 4
43331 +4 4 4 5 5 5 4 4 4 0 0 0 26 28 28 131 129 131
43332 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
43333 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43334 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43335 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43336 +4 4 4 4 4 4
43337 +4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
43338 +190 197 201 220 221 221 190 197 201 41 54 63 4 0 0 2 2 2
43339 +6 6 6 4 4 4 4 4 4 4 4 5 4 4 5 3 3 3
43340 +1 1 2 1 1 2 6 10 14 22 40 52 10 87 144 18 97 151
43341 +18 97 151 10 87 144 10 87 144 10 87 144 18 97 151 10 87 144
43342 +10 87 144 18 97 151 26 108 161 18 97 151 18 97 151 10 87 144
43343 +26 108 161 26 108 161 26 108 161 10 87 144 28 67 93 6 10 14
43344 +1 1 2 1 1 2 4 3 3 4 4 5 4 4 4 4 4 4
43345 +5 5 5 5 5 5 1 1 1 4 0 0 37 51 59 137 136 137
43346 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
43347 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43348 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43349 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43350 +4 4 4 4 4 4
43351 +4 0 0 4 0 0 60 73 81 220 221 221 193 200 203 174 174 174
43352 +193 200 203 193 200 203 220 221 221 137 136 137 13 16 17 4 0 0
43353 +2 2 2 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5
43354 +4 4 5 4 3 3 1 1 2 4 5 7 13 20 25 28 67 93
43355 +10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 10 87 144
43356 +10 87 144 18 97 151 18 97 151 10 87 144 18 97 151 26 108 161
43357 +26 108 161 18 97 151 28 67 93 6 10 14 0 0 0 0 0 0
43358 +2 3 3 4 5 5 4 4 5 4 4 4 4 4 4 5 5 5
43359 +3 3 3 1 1 1 0 0 0 16 19 21 125 124 125 137 136 137
43360 +131 129 131 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
43361 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43362 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43363 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43364 +4 4 4 4 4 4
43365 +4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
43366 +193 200 203 190 197 201 220 221 221 220 221 221 153 152 153 30 32 34
43367 +0 0 0 0 0 0 2 2 2 4 4 4 4 4 4 4 4 4
43368 +4 4 4 4 5 5 4 5 7 1 1 2 1 1 2 4 5 7
43369 +13 20 25 28 67 93 10 87 144 18 97 151 10 87 144 10 87 144
43370 +10 87 144 10 87 144 10 87 144 18 97 151 26 108 161 18 97 151
43371 +28 67 93 7 12 15 0 0 0 0 0 0 2 2 1 4 4 4
43372 +4 5 5 4 5 5 4 4 4 4 4 4 3 3 3 0 0 0
43373 +0 0 0 0 0 0 37 38 37 125 124 125 158 157 158 131 129 131
43374 +125 124 125 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
43375 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43376 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43377 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43378 +4 4 4 4 4 4
43379 +4 3 3 4 0 0 41 54 63 193 200 203 220 221 221 174 174 174
43380 +193 200 203 193 200 203 193 200 203 220 221 221 244 246 246 193 200 203
43381 +120 125 127 5 5 5 1 0 0 0 0 0 1 1 1 4 4 4
43382 +4 4 4 4 4 4 4 5 5 4 5 5 4 4 5 1 1 2
43383 +4 5 7 4 5 7 22 40 52 10 87 144 10 87 144 10 87 144
43384 +10 87 144 10 87 144 18 97 151 10 87 144 10 87 144 13 20 25
43385 +4 5 7 2 3 3 1 1 2 4 4 4 4 5 5 4 4 4
43386 +4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 1 1 2
43387 +24 26 27 60 74 84 153 152 153 163 162 163 137 136 137 125 124 125
43388 +125 124 125 125 124 125 125 124 125 137 136 137 125 124 125 26 28 28
43389 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43390 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43391 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43392 +4 4 4 4 4 4
43393 +4 0 0 6 6 6 26 28 28 156 155 156 220 221 221 220 221 221
43394 +174 174 174 193 200 203 193 200 203 193 200 203 205 212 215 220 221 221
43395 +220 221 221 167 166 167 60 73 81 7 11 13 0 0 0 0 0 0
43396 +3 3 3 4 4 4 4 4 4 4 4 4 4 4 5 4 4 5
43397 +4 4 5 1 1 2 1 1 2 4 5 7 22 40 52 10 87 144
43398 +10 87 144 10 87 144 10 87 144 22 40 52 4 5 7 1 1 2
43399 +1 1 2 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4
43400 +5 5 5 2 2 2 0 0 0 4 0 0 16 19 21 60 73 81
43401 +137 136 137 167 166 167 158 157 158 137 136 137 131 129 131 131 129 131
43402 +125 124 125 125 124 125 131 129 131 155 154 155 60 74 84 5 7 8
43403 +0 0 0 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43404 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43405 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43406 +4 4 4 4 4 4
43407 +5 5 5 4 0 0 4 0 0 60 73 81 193 200 203 220 221 221
43408 +193 200 203 193 200 203 193 200 203 193 200 203 205 212 215 220 221 221
43409 +220 221 221 220 221 221 220 221 221 137 136 137 43 57 68 6 6 6
43410 +4 0 0 1 1 1 4 4 4 4 4 4 4 4 4 4 4 4
43411 +4 4 5 4 4 5 3 2 2 1 1 2 2 5 5 13 20 25
43412 +22 40 52 22 40 52 13 20 25 2 3 3 1 1 2 3 3 3
43413 +4 5 7 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43414 +1 1 1 0 0 0 2 3 3 41 54 63 131 129 131 166 165 166
43415 +166 165 166 155 154 155 153 152 153 137 136 137 137 136 137 125 124 125
43416 +125 124 125 137 136 137 137 136 137 125 124 125 37 38 37 4 3 3
43417 +4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
43418 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43419 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43420 +4 4 4 4 4 4
43421 +4 3 3 6 6 6 6 6 6 13 16 17 60 73 81 167 166 167
43422 +220 221 221 220 221 221 220 221 221 193 200 203 193 200 203 193 200 203
43423 +205 212 215 220 221 221 220 221 221 244 246 246 205 212 215 125 124 125
43424 +24 26 27 0 0 0 0 0 0 2 2 2 5 5 5 5 5 5
43425 +4 4 4 4 4 4 4 4 4 4 4 5 1 1 2 4 5 7
43426 +4 5 7 4 5 7 1 1 2 3 2 2 4 4 5 4 4 4
43427 +4 4 4 4 4 4 5 5 5 4 4 4 0 0 0 0 0 0
43428 +2 0 0 26 28 28 125 124 125 174 174 174 174 174 174 166 165 166
43429 +156 155 156 153 152 153 137 136 137 137 136 137 131 129 131 137 136 137
43430 +137 136 137 137 136 137 60 74 84 30 32 34 4 0 0 4 0 0
43431 +5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43432 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43433 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43434 +4 4 4 4 4 4
43435 +5 5 5 6 6 6 4 0 0 4 0 0 6 6 6 26 28 28
43436 +125 124 125 174 174 174 220 221 221 220 221 221 220 221 221 193 200 203
43437 +205 212 215 220 221 221 205 212 215 220 221 221 220 221 221 244 246 246
43438 +193 200 203 60 74 84 13 16 17 4 0 0 0 0 0 3 3 3
43439 +5 5 5 5 5 5 4 4 4 4 4 4 4 4 5 3 3 3
43440 +1 1 2 3 3 3 4 4 5 4 4 5 4 4 4 4 4 4
43441 +5 5 5 5 5 5 2 2 2 0 0 0 0 0 0 13 16 17
43442 +60 74 84 174 174 174 193 200 203 174 174 174 167 166 167 163 162 163
43443 +153 152 153 153 152 153 137 136 137 137 136 137 153 152 153 137 136 137
43444 +125 124 125 41 54 63 24 26 27 4 0 0 4 0 0 5 5 5
43445 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43446 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43447 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43448 +4 4 4 4 4 4
43449 +4 3 3 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6
43450 +6 6 6 37 38 37 131 129 131 220 221 221 220 221 221 220 221 221
43451 +193 200 203 193 200 203 220 221 221 205 212 215 220 221 221 244 246 246
43452 +244 246 246 244 246 246 174 174 174 41 54 63 0 0 0 0 0 0
43453 +0 0 0 4 4 4 5 5 5 5 5 5 4 4 4 4 4 5
43454 +4 4 5 4 4 5 4 4 4 4 4 4 6 6 6 6 6 6
43455 +3 3 3 0 0 0 2 0 0 13 16 17 60 73 81 156 155 156
43456 +220 221 221 193 200 203 174 174 174 165 164 165 163 162 163 154 153 154
43457 +153 152 153 153 152 153 158 157 158 163 162 163 137 136 137 60 73 81
43458 +13 16 17 4 0 0 4 0 0 4 3 3 4 4 4 4 4 4
43459 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43460 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43461 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43462 +4 4 4 4 4 4
43463 +5 5 5 4 3 3 4 3 3 6 6 6 6 6 6 6 6 6
43464 +6 6 6 6 6 6 6 6 6 37 38 37 167 166 167 244 246 246
43465 +244 246 246 220 221 221 205 212 215 205 212 215 220 221 221 193 200 203
43466 +220 221 221 244 246 246 244 246 246 244 246 246 137 136 137 37 38 37
43467 +3 2 2 0 0 0 1 1 1 5 5 5 5 5 5 4 4 4
43468 +4 4 4 4 4 4 4 4 4 5 5 5 4 4 4 1 1 1
43469 +0 0 0 5 5 5 43 57 68 153 152 153 193 200 203 220 221 221
43470 +177 184 187 174 174 174 167 166 167 166 165 166 158 157 158 157 156 157
43471 +158 157 158 166 165 166 156 155 156 85 115 134 13 16 17 4 0 0
43472 +4 0 0 4 0 0 5 5 5 5 5 5 4 4 4 4 4 4
43473 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43474 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43475 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43476 +4 4 4 4 4 4
43477 +5 5 5 4 3 3 6 6 6 6 6 6 4 0 0 6 6 6
43478 +6 6 6 6 6 6 6 6 6 6 6 6 13 16 17 60 73 81
43479 +177 184 187 220 221 221 220 221 221 220 221 221 205 212 215 220 221 221
43480 +220 221 221 205 212 215 220 221 221 244 246 246 244 246 246 205 212 215
43481 +125 124 125 30 32 34 0 0 0 0 0 0 2 2 2 5 5 5
43482 +4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 1 0 0
43483 +37 38 37 131 129 131 205 212 215 220 221 221 193 200 203 174 174 174
43484 +174 174 174 174 174 174 167 166 167 165 164 165 166 165 166 167 166 167
43485 +158 157 158 125 124 125 37 38 37 4 0 0 4 0 0 4 0 0
43486 +4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
43487 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43488 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43489 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43490 +4 4 4 4 4 4
43491 +4 4 4 5 5 5 4 3 3 4 3 3 6 6 6 6 6 6
43492 +4 0 0 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6
43493 +26 28 28 125 124 125 205 212 215 220 221 221 220 221 221 220 221 221
43494 +205 212 215 220 221 221 205 212 215 220 221 221 220 221 221 244 246 246
43495 +244 246 246 190 197 201 60 74 84 16 19 21 4 0 0 0 0 0
43496 +0 0 0 0 0 0 0 0 0 0 0 0 16 19 21 120 125 127
43497 +177 184 187 220 221 221 205 212 215 177 184 187 174 174 174 177 184 187
43498 +174 174 174 174 174 174 167 166 167 174 174 174 166 165 166 137 136 137
43499 +60 73 81 13 16 17 4 0 0 4 0 0 4 3 3 6 6 6
43500 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43501 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43502 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43503 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43504 +4 4 4 4 4 4
43505 +5 5 5 4 3 3 5 5 5 4 3 3 6 6 6 4 0 0
43506 +6 6 6 6 6 6 4 0 0 6 6 6 4 0 0 6 6 6
43507 +6 6 6 6 6 6 37 38 37 137 136 137 193 200 203 220 221 221
43508 +220 221 221 205 212 215 220 221 221 205 212 215 205 212 215 220 221 221
43509 +220 221 221 220 221 221 244 246 246 166 165 166 43 57 68 2 2 2
43510 +0 0 0 4 0 0 16 19 21 60 73 81 157 156 157 202 210 214
43511 +220 221 221 193 200 203 177 184 187 177 184 187 177 184 187 174 174 174
43512 +174 174 174 174 174 174 174 174 174 157 156 157 60 74 84 24 26 27
43513 +4 0 0 4 0 0 4 0 0 6 6 6 4 4 4 4 4 4
43514 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43515 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43516 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43517 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43518 +4 4 4 4 4 4
43519 +4 4 4 4 4 4 5 5 5 4 3 3 5 5 5 6 6 6
43520 +6 6 6 4 0 0 6 6 6 6 6 6 6 6 6 4 0 0
43521 +4 0 0 4 0 0 6 6 6 24 26 27 60 73 81 167 166 167
43522 +220 221 221 220 221 221 220 221 221 205 212 215 205 212 215 205 212 215
43523 +205 212 215 220 221 221 220 221 221 220 221 221 205 212 215 137 136 137
43524 +60 74 84 125 124 125 137 136 137 190 197 201 220 221 221 193 200 203
43525 +177 184 187 177 184 187 177 184 187 174 174 174 174 174 174 177 184 187
43526 +190 197 201 174 174 174 125 124 125 37 38 37 6 6 6 4 0 0
43527 +4 0 0 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43528 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43529 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43530 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43531 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43532 +4 4 4 4 4 4
43533 +4 4 4 4 4 4 5 5 5 5 5 5 4 3 3 6 6 6
43534 +4 0 0 6 6 6 6 6 6 6 6 6 4 0 0 6 6 6
43535 +6 6 6 6 6 6 4 0 0 4 0 0 6 6 6 6 6 6
43536 +125 124 125 193 200 203 244 246 246 220 221 221 205 212 215 205 212 215
43537 +205 212 215 193 200 203 205 212 215 205 212 215 220 221 221 220 221 221
43538 +193 200 203 193 200 203 205 212 215 193 200 203 193 200 203 177 184 187
43539 +190 197 201 190 197 201 174 174 174 190 197 201 193 200 203 190 197 201
43540 +153 152 153 60 73 81 4 0 0 4 0 0 4 0 0 3 2 2
43541 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43542 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43543 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43544 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43545 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43546 +4 4 4 4 4 4
43547 +4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 4 3 3
43548 +6 6 6 4 3 3 4 3 3 4 3 3 6 6 6 6 6 6
43549 +4 0 0 6 6 6 6 6 6 6 6 6 4 0 0 4 0 0
43550 +4 0 0 26 28 28 131 129 131 220 221 221 244 246 246 220 221 221
43551 +205 212 215 193 200 203 205 212 215 193 200 203 193 200 203 205 212 215
43552 +220 221 221 193 200 203 193 200 203 193 200 203 190 197 201 174 174 174
43553 +174 174 174 190 197 201 193 200 203 193 200 203 167 166 167 125 124 125
43554 +6 6 6 4 0 0 4 0 0 4 3 3 4 4 4 4 4 4
43555 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43556 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43557 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43558 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43559 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43560 +4 4 4 4 4 4
43561 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
43562 +5 5 5 4 3 3 5 5 5 6 6 6 4 3 3 5 5 5
43563 +6 6 6 6 6 6 4 0 0 6 6 6 6 6 6 6 6 6
43564 +4 0 0 4 0 0 6 6 6 41 54 63 158 157 158 220 221 221
43565 +220 221 221 220 221 221 193 200 203 193 200 203 193 200 203 190 197 201
43566 +190 197 201 190 197 201 190 197 201 190 197 201 174 174 174 193 200 203
43567 +193 200 203 220 221 221 174 174 174 125 124 125 37 38 37 4 0 0
43568 +4 0 0 4 3 3 6 6 6 4 4 4 4 4 4 4 4 4
43569 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43570 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43571 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43572 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43573 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43574 +4 4 4 4 4 4
43575 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43576 +4 4 4 5 5 5 4 3 3 4 3 3 4 3 3 5 5 5
43577 +4 3 3 6 6 6 5 5 5 4 3 3 6 6 6 6 6 6
43578 +6 6 6 6 6 6 4 0 0 4 0 0 13 16 17 60 73 81
43579 +174 174 174 220 221 221 220 221 221 205 212 215 190 197 201 174 174 174
43580 +193 200 203 174 174 174 190 197 201 174 174 174 193 200 203 220 221 221
43581 +193 200 203 131 129 131 37 38 37 6 6 6 4 0 0 4 0 0
43582 +6 6 6 6 6 6 4 3 3 5 5 5 4 4 4 4 4 4
43583 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43584 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43585 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43586 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43587 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43588 +4 4 4 4 4 4
43589 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43590 +4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 5 5 5
43591 +5 5 5 4 3 3 4 3 3 5 5 5 4 3 3 4 3 3
43592 +5 5 5 6 6 6 6 6 6 4 0 0 6 6 6 6 6 6
43593 +6 6 6 125 124 125 174 174 174 220 221 221 220 221 221 193 200 203
43594 +193 200 203 193 200 203 193 200 203 193 200 203 220 221 221 158 157 158
43595 +60 73 81 6 6 6 4 0 0 4 0 0 5 5 5 6 6 6
43596 +5 5 5 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
43597 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43598 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43599 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43600 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43601 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43602 +4 4 4 4 4 4
43603 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43604 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43605 +4 4 4 5 5 5 5 5 5 4 3 3 5 5 5 4 3 3
43606 +5 5 5 5 5 5 6 6 6 6 6 6 4 0 0 4 0 0
43607 +4 0 0 4 0 0 26 28 28 125 124 125 174 174 174 193 200 203
43608 +193 200 203 174 174 174 193 200 203 167 166 167 125 124 125 6 6 6
43609 +6 6 6 6 6 6 4 0 0 6 6 6 6 6 6 5 5 5
43610 +4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
43611 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43612 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43613 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43614 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43615 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43616 +4 4 4 4 4 4
43617 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43618 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43619 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
43620 +4 3 3 6 6 6 4 0 0 6 6 6 6 6 6 6 6 6
43621 +6 6 6 4 0 0 4 0 0 6 6 6 37 38 37 125 124 125
43622 +153 152 153 131 129 131 125 124 125 37 38 37 6 6 6 6 6 6
43623 +6 6 6 4 0 0 6 6 6 6 6 6 4 3 3 5 5 5
43624 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43625 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43626 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43627 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43628 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43629 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43630 +4 4 4 4 4 4
43631 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43632 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43633 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43634 +4 4 4 5 5 5 5 5 5 4 3 3 5 5 5 4 3 3
43635 +6 6 6 6 6 6 4 0 0 4 0 0 6 6 6 6 6 6
43636 +24 26 27 24 26 27 6 6 6 6 6 6 6 6 6 4 0 0
43637 +6 6 6 6 6 6 4 0 0 6 6 6 5 5 5 4 3 3
43638 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43639 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43640 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43641 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43642 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43643 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43644 +4 4 4 4 4 4
43645 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43646 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43647 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43648 +4 4 4 4 4 4 5 5 5 4 3 3 5 5 5 6 6 6
43649 +4 0 0 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6
43650 +6 6 6 6 6 6 6 6 6 4 0 0 6 6 6 6 6 6
43651 +4 0 0 6 6 6 6 6 6 4 3 3 5 5 5 4 4 4
43652 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43653 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43654 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43655 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43656 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43657 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43658 +4 4 4 4 4 4
43659 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43660 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43661 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43662 +4 4 4 4 4 4 4 4 4 5 5 5 4 3 3 5 5 5
43663 +5 5 5 5 5 5 4 0 0 6 6 6 4 0 0 6 6 6
43664 +6 6 6 6 6 6 6 6 6 4 0 0 6 6 6 4 0 0
43665 +6 6 6 4 3 3 5 5 5 4 3 3 5 5 5 4 4 4
43666 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43667 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43668 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43669 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43670 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43671 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43672 +4 4 4 4 4 4
43673 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43674 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43675 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43676 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
43677 +4 3 3 6 6 6 4 3 3 6 6 6 6 6 6 6 6 6
43678 +4 0 0 6 6 6 4 0 0 6 6 6 6 6 6 6 6 6
43679 +6 6 6 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43680 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43681 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43682 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43683 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43684 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43685 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43686 +4 4 4 4 4 4
43687 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43688 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43689 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43690 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43691 +4 4 4 5 5 5 4 3 3 5 5 5 4 0 0 6 6 6
43692 +6 6 6 4 0 0 6 6 6 6 6 6 4 0 0 6 6 6
43693 +4 3 3 5 5 5 5 5 5 4 4 4 4 4 4 4 4 4
43694 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43695 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43696 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43697 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43698 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43699 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43700 +4 4 4 4 4 4
43701 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43702 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43703 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43704 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43705 +4 4 4 5 5 5 4 3 3 5 5 5 6 6 6 4 3 3
43706 +4 3 3 6 6 6 6 6 6 4 3 3 6 6 6 4 3 3
43707 +5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43708 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43709 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43710 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43711 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43712 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43713 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43714 +4 4 4 4 4 4
43715 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43716 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43717 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43718 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43719 +4 4 4 4 4 4 4 4 4 5 5 5 4 3 3 6 6 6
43720 +5 5 5 4 3 3 4 3 3 4 3 3 5 5 5 5 5 5
43721 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43722 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43723 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43724 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43725 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43726 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43727 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43728 +4 4 4 4 4 4
43729 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43730 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43731 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43732 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43733 +4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 4 3 3
43734 +5 5 5 4 3 3 5 5 5 5 5 5 4 4 4 4 4 4
43735 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43736 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43737 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43738 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43739 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43740 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43741 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43742 +4 4 4 4 4 4
43743 diff -urNp linux-2.6.32.49/drivers/video/nvidia/nv_backlight.c linux-2.6.32.49/drivers/video/nvidia/nv_backlight.c
43744 --- linux-2.6.32.49/drivers/video/nvidia/nv_backlight.c 2011-11-08 19:02:43.000000000 -0500
43745 +++ linux-2.6.32.49/drivers/video/nvidia/nv_backlight.c 2011-11-15 19:59:43.000000000 -0500
43746 @@ -87,7 +87,7 @@ static int nvidia_bl_get_brightness(stru
43747 return bd->props.brightness;
43748 }
43749
43750 -static struct backlight_ops nvidia_bl_ops = {
43751 +static const struct backlight_ops nvidia_bl_ops = {
43752 .get_brightness = nvidia_bl_get_brightness,
43753 .update_status = nvidia_bl_update_status,
43754 };
43755 diff -urNp linux-2.6.32.49/drivers/video/riva/fbdev.c linux-2.6.32.49/drivers/video/riva/fbdev.c
43756 --- linux-2.6.32.49/drivers/video/riva/fbdev.c 2011-11-08 19:02:43.000000000 -0500
43757 +++ linux-2.6.32.49/drivers/video/riva/fbdev.c 2011-11-15 19:59:43.000000000 -0500
43758 @@ -331,7 +331,7 @@ static int riva_bl_get_brightness(struct
43759 return bd->props.brightness;
43760 }
43761
43762 -static struct backlight_ops riva_bl_ops = {
43763 +static const struct backlight_ops riva_bl_ops = {
43764 .get_brightness = riva_bl_get_brightness,
43765 .update_status = riva_bl_update_status,
43766 };
43767 diff -urNp linux-2.6.32.49/drivers/video/uvesafb.c linux-2.6.32.49/drivers/video/uvesafb.c
43768 --- linux-2.6.32.49/drivers/video/uvesafb.c 2011-11-08 19:02:43.000000000 -0500
43769 +++ linux-2.6.32.49/drivers/video/uvesafb.c 2011-11-15 19:59:43.000000000 -0500
43770 @@ -18,6 +18,7 @@
43771 #include <linux/fb.h>
43772 #include <linux/io.h>
43773 #include <linux/mutex.h>
43774 +#include <linux/moduleloader.h>
43775 #include <video/edid.h>
43776 #include <video/uvesafb.h>
43777 #ifdef CONFIG_X86
43778 @@ -120,7 +121,7 @@ static int uvesafb_helper_start(void)
43779 NULL,
43780 };
43781
43782 - return call_usermodehelper(v86d_path, argv, envp, 1);
43783 + return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
43784 }
43785
43786 /*
43787 @@ -568,10 +569,32 @@ static int __devinit uvesafb_vbe_getpmi(
43788 if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
43789 par->pmi_setpal = par->ypan = 0;
43790 } else {
43791 +
43792 +#ifdef CONFIG_PAX_KERNEXEC
43793 +#ifdef CONFIG_MODULES
43794 + par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
43795 +#endif
43796 + if (!par->pmi_code) {
43797 + par->pmi_setpal = par->ypan = 0;
43798 + return 0;
43799 + }
43800 +#endif
43801 +
43802 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
43803 + task->t.regs.edi);
43804 +
43805 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43806 + pax_open_kernel();
43807 + memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
43808 + pax_close_kernel();
43809 +
43810 + par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
43811 + par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
43812 +#else
43813 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
43814 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
43815 +#endif
43816 +
43817 printk(KERN_INFO "uvesafb: protected mode interface info at "
43818 "%04x:%04x\n",
43819 (u16)task->t.regs.es, (u16)task->t.regs.edi);
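Review bot: The offsets `par->pmi_base[1]` and `par->pmi_base[2]` are added to `par->pmi_code` without being compared against the `(u16)task->t.regs.ecx` length that sized both the allocation and the `memcpy`. A table whose offsets exceed its stated length would therefore leave `pmi_start` or `pmi_pal` pointing outside the copied executable region. A check such as `if (par->pmi_base[1] >= (u16)task->t.regs.ecx || par->pmi_base[2] >= (u16)task->t.regs.ecx)` that falls back to `par->pmi_setpal = par->ypan = 0` (releasing `pmi_code` if it was already allocated) would close that gap. The same pattern appears in the vesafb_probe hunk at `@@ -325,9 +335,25 @@`, where `pmi_base[1]` and `pmi_base[2]` are used unchecked against `screen_info.vesapm_size`. uvesafb_vbe_getpmi starts and ends outside this hunk, so a check elsewhere in the function cannot be ruled out from here.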
43820 @@ -1799,6 +1822,11 @@ out:
43821 if (par->vbe_modes)
43822 kfree(par->vbe_modes);
43823
43824 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43825 + if (par->pmi_code)
43826 + module_free_exec(NULL, par->pmi_code);
43827 +#endif
43828 +
43829 framebuffer_release(info);
43830 return err;
43831 }
43832 @@ -1825,6 +1853,12 @@ static int uvesafb_remove(struct platfor
43833 kfree(par->vbe_state_orig);
43834 if (par->vbe_state_saved)
43835 kfree(par->vbe_state_saved);
43836 +
43837 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43838 + if (par->pmi_code)
43839 + module_free_exec(NULL, par->pmi_code);
43840 +#endif
43841 +
43842 }
43843
43844 framebuffer_release(info);
43845 diff -urNp linux-2.6.32.49/drivers/video/vesafb.c linux-2.6.32.49/drivers/video/vesafb.c
43846 --- linux-2.6.32.49/drivers/video/vesafb.c 2011-11-08 19:02:43.000000000 -0500
43847 +++ linux-2.6.32.49/drivers/video/vesafb.c 2011-11-15 19:59:43.000000000 -0500
43848 @@ -9,6 +9,7 @@
43849 */
43850
43851 #include <linux/module.h>
43852 +#include <linux/moduleloader.h>
43853 #include <linux/kernel.h>
43854 #include <linux/errno.h>
43855 #include <linux/string.h>
43856 @@ -53,8 +54,8 @@ static int vram_remap __initdata; /*
43857 static int vram_total __initdata; /* Set total amount of memory */
43858 static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
43859 static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
43860 -static void (*pmi_start)(void) __read_mostly;
43861 -static void (*pmi_pal) (void) __read_mostly;
43862 +static void (*pmi_start)(void) __read_only;
43863 +static void (*pmi_pal) (void) __read_only;
43864 static int depth __read_mostly;
43865 static int vga_compat __read_mostly;
43866 /* --------------------------------------------------------------------- */
43867 @@ -233,6 +234,7 @@ static int __init vesafb_probe(struct pl
43868 unsigned int size_vmode;
43869 unsigned int size_remap;
43870 unsigned int size_total;
43871 + void *pmi_code = NULL;
43872
43873 if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
43874 return -ENODEV;
43875 @@ -275,10 +277,6 @@ static int __init vesafb_probe(struct pl
43876 size_remap = size_total;
43877 vesafb_fix.smem_len = size_remap;
43878
43879 -#ifndef __i386__
43880 - screen_info.vesapm_seg = 0;
43881 -#endif
43882 -
43883 if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
43884 printk(KERN_WARNING
43885 "vesafb: cannot reserve video memory at 0x%lx\n",
43886 @@ -315,9 +313,21 @@ static int __init vesafb_probe(struct pl
43887 printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
43888 vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
43889
43890 +#ifdef __i386__
43891 +
43892 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43893 + pmi_code = module_alloc_exec(screen_info.vesapm_size);
43894 + if (!pmi_code)
43895 +#elif !defined(CONFIG_PAX_KERNEXEC)
43896 + if (0)
43897 +#endif
43898 +
43899 +#endif
43900 + screen_info.vesapm_seg = 0;
43901 +
43902 if (screen_info.vesapm_seg) {
43903 - printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
43904 - screen_info.vesapm_seg,screen_info.vesapm_off);
43905 + printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
43906 + screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
43907 }
43908
43909 if (screen_info.vesapm_seg < 0xc000)
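Review bot: The statement `screen_info.vesapm_seg = 0;` is unconditional in some configurations and the body of a preprocessor-supplied `if` in others, which is easy to misread and easy to break by inserting a line in front of it. As written it always runs when `__i386__` is undefined or when CONFIG_PAX_KERNEXEC is set without CONFIG_MODULES, runs only on allocation failure when both are set, and never runs (`if (0)`) when CONFIG_PAX_KERNEXEC is off. A comment above the block, e.g. `/* PMI is kept only on i386, and under KERNEXEC only if an executable copy could be allocated */`, or an explicit braced assignment inside each branch, would make the intent visible. vesafb_probe continues outside this hunk.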
43910 @@ -325,9 +335,25 @@ static int __init vesafb_probe(struct pl
43911
43912 if (ypan || pmi_setpal) {
43913 unsigned short *pmi_base;
43914 +
43915 pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
43916 - pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
43917 - pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
43918 +
43919 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43920 + pax_open_kernel();
43921 + memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
43922 +#else
43923 + pmi_code = pmi_base;
43924 +#endif
43925 +
43926 + pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
43927 + pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
43928 +
43929 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43930 + pmi_start = ktva_ktla(pmi_start);
43931 + pmi_pal = ktva_ktla(pmi_pal);
43932 + pax_close_kernel();
43933 +#endif
43934 +
43935 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
43936 if (pmi_base[3]) {
43937 printk(KERN_INFO "vesafb: pmi: ports = ");
43938 @@ -469,6 +495,11 @@ static int __init vesafb_probe(struct pl
43939 info->node, info->fix.id);
43940 return 0;
43941 err:
43942 +
43943 +#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43944 + module_free_exec(NULL, pmi_code);
43945 +#endif
43946 +
43947 if (info->screen_base)
43948 iounmap(info->screen_base);
43949 framebuffer_release(info);
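Review bot: `module_free_exec(NULL, pmi_code)` is called here without the `if (pmi_code)` guard that the uvesafb hunks use, and `pmi_code` is still NULL on this path when `module_alloc_exec()` failed earlier in the probe. Whether `module_free_exec()` accepts NULL is not visible on this page, so `if (pmi_code) module_free_exec(NULL, pmi_code);` would match uvesafb and remove the doubt. Separately, this error label is the only release of `pmi_code` in the visible hunks. If the probe succeeds with `ypan` and `pmi_setpal` both cleared, the executable allocation appears to stay allocated but unused, which is worth confirming against the full function.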
43950 diff -urNp linux-2.6.32.49/drivers/xen/sys-hypervisor.c linux-2.6.32.49/drivers/xen/sys-hypervisor.c
43951 --- linux-2.6.32.49/drivers/xen/sys-hypervisor.c 2011-11-08 19:02:43.000000000 -0500
43952 +++ linux-2.6.32.49/drivers/xen/sys-hypervisor.c 2011-11-15 19:59:43.000000000 -0500
43953 @@ -425,7 +425,7 @@ static ssize_t hyp_sysfs_store(struct ko
43954 return 0;
43955 }
43956
43957 -static struct sysfs_ops hyp_sysfs_ops = {
43958 +static const struct sysfs_ops hyp_sysfs_ops = {
43959 .show = hyp_sysfs_show,
43960 .store = hyp_sysfs_store,
43961 };
43962 diff -urNp linux-2.6.32.49/fs/9p/vfs_inode.c linux-2.6.32.49/fs/9p/vfs_inode.c
43963 --- linux-2.6.32.49/fs/9p/vfs_inode.c 2011-11-08 19:02:43.000000000 -0500
43964 +++ linux-2.6.32.49/fs/9p/vfs_inode.c 2011-11-15 19:59:43.000000000 -0500
43965 @@ -1079,7 +1079,7 @@ static void *v9fs_vfs_follow_link(struct
43966 static void
43967 v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
43968 {
43969 - char *s = nd_get_link(nd);
43970 + const char *s = nd_get_link(nd);
43971
43972 P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name,
43973 IS_ERR(s) ? "<error>" : s);
43974 diff -urNp linux-2.6.32.49/fs/aio.c linux-2.6.32.49/fs/aio.c
43975 --- linux-2.6.32.49/fs/aio.c 2011-11-08 19:02:43.000000000 -0500
43976 +++ linux-2.6.32.49/fs/aio.c 2011-11-15 19:59:43.000000000 -0500
43977 @@ -115,7 +115,7 @@ static int aio_setup_ring(struct kioctx
43978 size += sizeof(struct io_event) * nr_events;
43979 nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
43980
43981 - if (nr_pages < 0)
43982 + if (nr_pages <= 0)
43983 return -EINVAL;
43984
43985 nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
43986 @@ -1089,6 +1089,8 @@ static int read_events(struct kioctx *ct
43987 struct aio_timeout to;
43988 int retry = 0;
43989
43990 + pax_track_stack();
43991 +
43992 /* needed to zero any padding within an entry (there shouldn't be
43993 * any, but C is fun!
43994 */
43995 @@ -1382,13 +1384,18 @@ static ssize_t aio_fsync(struct kiocb *i
43996 static ssize_t aio_setup_vectored_rw(int type, struct kiocb *kiocb)
43997 {
43998 ssize_t ret;
43999 + struct iovec iovstack;
44000
44001 ret = rw_copy_check_uvector(type, (struct iovec __user *)kiocb->ki_buf,
44002 kiocb->ki_nbytes, 1,
44003 - &kiocb->ki_inline_vec, &kiocb->ki_iovec);
44004 + &iovstack, &kiocb->ki_iovec);
44005 if (ret < 0)
44006 goto out;
44007
44008 + if (kiocb->ki_iovec == &iovstack) {
44009 + kiocb->ki_inline_vec = iovstack;
44010 + kiocb->ki_iovec = &kiocb->ki_inline_vec;
44011 + }
44012 kiocb->ki_nr_segs = kiocb->ki_nbytes;
44013 kiocb->ki_cur_seg = 0;
44014 /* ki_nbytes/left now reflect bytes instead of segs */
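Review bot: The reason for collecting the vector in the on-stack `iovstack` and then copying it into `kiocb->ki_inline_vec` is not stated, so a later cleanup could plausibly revert the extra copy to `&kiocb->ki_inline_vec`. A short comment above the declaration, e.g. `/* copy from userland into a stack temporary, not directly into the kiocb object */`, would protect the change. It should also give the motivation, which is presumably the patch's usercopy checking of heap objects (to be confirmed by the author). aio_setup_vectored_rw ends outside this hunk.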
44015 diff -urNp linux-2.6.32.49/fs/attr.c linux-2.6.32.49/fs/attr.c
44016 --- linux-2.6.32.49/fs/attr.c 2011-11-08 19:02:43.000000000 -0500
44017 +++ linux-2.6.32.49/fs/attr.c 2011-11-15 19:59:43.000000000 -0500
44018 @@ -83,6 +83,7 @@ int inode_newsize_ok(const struct inode
44019 unsigned long limit;
44020
44021 limit = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
44022 + gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
44023 if (limit != RLIM_INFINITY && offset > limit)
44024 goto out_sig;
44025 if (offset > inode->i_sb->s_maxbytes)
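Review bot: The `(unsigned long)offset` cast in the added `gr_learn_resource()` call can truncate on 32-bit builds if `offset` is a 64-bit `loff_t` (its declaration is outside the hunk). The value passed for RLIMIT_FSIZE may then differ from the one the following `offset > limit` test compares. Saturating before the cast, e.g. `(unsigned long)min_t(unsigned long long, offset, ULONG_MAX)`, would keep a large request from being reported as a small one. inode_newsize_ok starts and ends outside this hunk.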
44026 diff -urNp linux-2.6.32.49/fs/autofs/root.c linux-2.6.32.49/fs/autofs/root.c
44027 --- linux-2.6.32.49/fs/autofs/root.c 2011-11-08 19:02:43.000000000 -0500
44028 +++ linux-2.6.32.49/fs/autofs/root.c 2011-11-15 19:59:43.000000000 -0500
44029 @@ -299,7 +299,8 @@ static int autofs_root_symlink(struct in
44030 set_bit(n,sbi->symlink_bitmap);
44031 sl = &sbi->symlink[n];
44032 sl->len = strlen(symname);
44033 - sl->data = kmalloc(slsize = sl->len+1, GFP_KERNEL);
44034 + slsize = sl->len+1;
44035 + sl->data = kmalloc(slsize, GFP_KERNEL);
44036 if (!sl->data) {
44037 clear_bit(n,sbi->symlink_bitmap);
44038 unlock_kernel();
44039 diff -urNp linux-2.6.32.49/fs/autofs4/symlink.c linux-2.6.32.49/fs/autofs4/symlink.c
44040 --- linux-2.6.32.49/fs/autofs4/symlink.c 2011-11-08 19:02:43.000000000 -0500
44041 +++ linux-2.6.32.49/fs/autofs4/symlink.c 2011-11-15 19:59:43.000000000 -0500
44042 @@ -15,7 +15,7 @@
44043 static void *autofs4_follow_link(struct dentry *dentry, struct nameidata *nd)
44044 {
44045 struct autofs_info *ino = autofs4_dentry_ino(dentry);
44046 - nd_set_link(nd, (char *)ino->u.symlink);
44047 + nd_set_link(nd, ino->u.symlink);
44048 return NULL;
44049 }
44050
44051 diff -urNp linux-2.6.32.49/fs/autofs4/waitq.c linux-2.6.32.49/fs/autofs4/waitq.c
44052 --- linux-2.6.32.49/fs/autofs4/waitq.c 2011-11-08 19:02:43.000000000 -0500
44053 +++ linux-2.6.32.49/fs/autofs4/waitq.c 2011-11-15 19:59:43.000000000 -0500
44054 @@ -60,7 +60,7 @@ static int autofs4_write(struct file *fi
44055 {
44056 unsigned long sigpipe, flags;
44057 mm_segment_t fs;
44058 - const char *data = (const char *)addr;
44059 + const char __user *data = (const char __force_user *)addr;
44060 ssize_t wr = 0;
44061
44062 /** WARNING: this is not safe for writing more than PIPE_BUF bytes! **/
44063 diff -urNp linux-2.6.32.49/fs/befs/linuxvfs.c linux-2.6.32.49/fs/befs/linuxvfs.c
44064 --- linux-2.6.32.49/fs/befs/linuxvfs.c 2011-11-08 19:02:43.000000000 -0500
44065 +++ linux-2.6.32.49/fs/befs/linuxvfs.c 2011-11-15 19:59:43.000000000 -0500
44066 @@ -498,7 +498,7 @@ static void befs_put_link(struct dentry
44067 {
44068 befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
44069 if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
44070 - char *link = nd_get_link(nd);
44071 + const char *link = nd_get_link(nd);
44072 if (!IS_ERR(link))
44073 kfree(link);
44074 }
44075 diff -urNp linux-2.6.32.49/fs/binfmt_aout.c linux-2.6.32.49/fs/binfmt_aout.c
44076 --- linux-2.6.32.49/fs/binfmt_aout.c 2011-11-08 19:02:43.000000000 -0500
44077 +++ linux-2.6.32.49/fs/binfmt_aout.c 2011-11-15 19:59:43.000000000 -0500
44078 @@ -16,6 +16,7 @@
44079 #include <linux/string.h>
44080 #include <linux/fs.h>
44081 #include <linux/file.h>
44082 +#include <linux/security.h>
44083 #include <linux/stat.h>
44084 #include <linux/fcntl.h>
44085 #include <linux/ptrace.h>
44086 @@ -102,6 +103,8 @@ static int aout_core_dump(long signr, st
44087 #endif
44088 # define START_STACK(u) (u.start_stack)
44089
44090 + memset(&dump, 0, sizeof(dump));
44091 +
44092 fs = get_fs();
44093 set_fs(KERNEL_DS);
44094 has_dumped = 1;
44095 @@ -113,10 +116,12 @@ static int aout_core_dump(long signr, st
44096
44097 /* If the size of the dump file exceeds the rlimit, then see what would happen
44098 if we wrote the stack, but not the data area. */
44099 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
44100 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > limit)
44101 dump.u_dsize = 0;
44102
44103 /* Make sure we have enough room to write the stack and data areas. */
44104 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
44105 if ((dump.u_ssize + 1) * PAGE_SIZE > limit)
44106 dump.u_ssize = 0;
44107
44108 @@ -146,9 +151,7 @@ static int aout_core_dump(long signr, st
44109 dump_size = dump.u_ssize << PAGE_SHIFT;
44110 DUMP_WRITE(dump_start,dump_size);
44111 }
44112 -/* Finally dump the task struct. Not be used by gdb, but could be useful */
44113 - set_fs(KERNEL_DS);
44114 - DUMP_WRITE(current,sizeof(*current));
44115 +/* Finally, let's not dump the task struct. Not be used by gdb, but could be useful to an attacker */
44116 end_coredump:
44117 set_fs(fs);
44118 return has_dumped;
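Review bot: The replacement comment is hard to parse, because "Not be used by gdb, but could be useful to an attacker" keeps half of the old sentence. The removed `DUMP_WRITE(current,sizeof(*current))` wrote the whole task_struct into the core file, and the comment should say that plainly, for example `/* task_struct is deliberately not dumped: gdb ignores it and it would disclose kernel memory */`. Any code that still accounts for the trailing task_struct when sizing the dump lies outside this hunk and should be checked.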
44119 @@ -249,6 +252,8 @@ static int load_aout_binary(struct linux
44120 rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
44121 if (rlim >= RLIM_INFINITY)
44122 rlim = ~0;
44123 +
44124 + gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
44125 if (ex.a_data + ex.a_bss > rlim)
44126 return -ENOMEM;
44127
44128 @@ -277,6 +282,27 @@ static int load_aout_binary(struct linux
44129 install_exec_creds(bprm);
44130 current->flags &= ~PF_FORKNOEXEC;
44131
44132 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
44133 + current->mm->pax_flags = 0UL;
44134 +#endif
44135 +
44136 +#ifdef CONFIG_PAX_PAGEEXEC
44137 + if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
44138 + current->mm->pax_flags |= MF_PAX_PAGEEXEC;
44139 +
44140 +#ifdef CONFIG_PAX_EMUTRAMP
44141 + if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
44142 + current->mm->pax_flags |= MF_PAX_EMUTRAMP;
44143 +#endif
44144 +
44145 +#ifdef CONFIG_PAX_MPROTECT
44146 + if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
44147 + current->mm->pax_flags |= MF_PAX_MPROTECT;
44148 +#endif
44149 +
44150 + }
44151 +#endif
44152 +
44153 if (N_MAGIC(ex) == OMAGIC) {
44154 unsigned long text_addr, map_size;
44155 loff_t pos;
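Review bot: The a.out path sets `current->mm->pax_flags` straight from `N_FLAGS(ex)` and skips two steps that the ELF loader in this same patch applies afterwards, `pax_check_flags()` and `pax_set_initial_flags(bprm)`. If policy-supplied flags are meant to apply to a.out binaries too, the hook is missing here; if the omission is intentional, a comment should say so. The polarity of the header bits is also worth documenting: `F_PAX_PAGEEXEC` and `F_PAX_MPROTECT` are opt-out, `F_PAX_EMUTRAMP` is opt-in, and the latter two are only looked at while PAGEEXEC stays on. load_aout_binary continues outside the hunk.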
44156 @@ -349,7 +375,7 @@ static int load_aout_binary(struct linux
44157
44158 down_write(&current->mm->mmap_sem);
44159 error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
44160 - PROT_READ | PROT_WRITE | PROT_EXEC,
44161 + PROT_READ | PROT_WRITE,
44162 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
44163 fd_offset + ex.a_text);
44164 up_write(&current->mm->mmap_sem);
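Review bot: Dropping `PROT_EXEC` from the data mapping is unconditional, whereas the flag handling added earlier in load_aout_binary is guarded by `CONFIG_PAX_PAGEEXEC` and the per-binary `F_PAX_PAGEEXEC` bit. A binary that opted out, or a kernel built without the PaX options, still gets a non-executable data segment from this line. If that is the intent, a comment such as `/* data is never mapped executable, independent of PaX flags */` should record it. The enclosing branch of load_aout_binary starts outside the hunk.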
44165 diff -urNp linux-2.6.32.49/fs/binfmt_elf.c linux-2.6.32.49/fs/binfmt_elf.c
44166 --- linux-2.6.32.49/fs/binfmt_elf.c 2011-11-08 19:02:43.000000000 -0500
44167 +++ linux-2.6.32.49/fs/binfmt_elf.c 2011-11-18 18:51:56.000000000 -0500
44168 @@ -50,6 +50,10 @@ static int elf_core_dump(long signr, str
44169 #define elf_core_dump NULL
44170 #endif
44171
44172 +#ifdef CONFIG_PAX_MPROTECT
44173 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
44174 +#endif
44175 +
44176 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
44177 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
44178 #else
44179 @@ -69,6 +73,11 @@ static struct linux_binfmt elf_format =
44180 .load_binary = load_elf_binary,
44181 .load_shlib = load_elf_library,
44182 .core_dump = elf_core_dump,
44183 +
44184 +#ifdef CONFIG_PAX_MPROTECT
44185 + .handle_mprotect= elf_handle_mprotect,
44186 +#endif
44187 +
44188 .min_coredump = ELF_EXEC_PAGESIZE,
44189 .hasvdso = 1
44190 };
44191 @@ -77,6 +86,8 @@ static struct linux_binfmt elf_format =
44192
44193 static int set_brk(unsigned long start, unsigned long end)
44194 {
44195 + unsigned long e = end;
44196 +
44197 start = ELF_PAGEALIGN(start);
44198 end = ELF_PAGEALIGN(end);
44199 if (end > start) {
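Review bot: The new local `e` needs a descriptive name and a comment. It preserves the caller's unaligned `end` so that the next hunk can store it in `start_brk`/`brk` instead of the page-aligned value. Something like `unsigned long unaligned_end = end; /* brk keeps the exact end; only the mapping is page-aligned */` would make that readable. The brk randomisation added later in this patch produces a sub-page offset and presumably depends on this behaviour, which is another reason to state it.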
44200 @@ -87,7 +98,7 @@ static int set_brk(unsigned long start,
44201 if (BAD_ADDR(addr))
44202 return addr;
44203 }
44204 - current->mm->start_brk = current->mm->brk = end;
44205 + current->mm->start_brk = current->mm->brk = e;
44206 return 0;
44207 }
44208
44209 @@ -148,12 +159,15 @@ create_elf_tables(struct linux_binprm *b
44210 elf_addr_t __user *u_rand_bytes;
44211 const char *k_platform = ELF_PLATFORM;
44212 const char *k_base_platform = ELF_BASE_PLATFORM;
44213 - unsigned char k_rand_bytes[16];
44214 + u32 k_rand_bytes[4];
44215 int items;
44216 elf_addr_t *elf_info;
44217 int ei_index = 0;
44218 const struct cred *cred = current_cred();
44219 struct vm_area_struct *vma;
44220 + unsigned long saved_auxv[AT_VECTOR_SIZE];
44221 +
44222 + pax_track_stack();
44223
44224 /*
44225 * In some cases (e.g. Hyper-Threading), we want to avoid L1
44226 @@ -195,8 +209,12 @@ create_elf_tables(struct linux_binprm *b
44227 * Generate 16 random bytes for userspace PRNG seeding.
44228 */
44229 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
44230 - u_rand_bytes = (elf_addr_t __user *)
44231 - STACK_ALLOC(p, sizeof(k_rand_bytes));
44232 + srandom32(k_rand_bytes[0] ^ random32());
44233 + srandom32(k_rand_bytes[1] ^ random32());
44234 + srandom32(k_rand_bytes[2] ^ random32());
44235 + srandom32(k_rand_bytes[3] ^ random32());
44236 + p = STACK_ROUND(p, sizeof(k_rand_bytes));
44237 + u_rand_bytes = (elf_addr_t __user *) p;
44238 if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
44239 return -EFAULT;
44240
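Review bot: The four `srandom32(k_rand_bytes[i] ^ random32())` calls are undocumented, and the comment above them still describes only the userspace seed. The same `k_rand_bytes` words are copied to the user stack a few lines later, so a comment should state what property the reseeding is meant to provide and why mixing in values that userspace also receives is acceptable. The switch from `STACK_ALLOC` to `p = STACK_ROUND(p, sizeof(k_rand_bytes))` deserves a line as well. Neither macro is defined in this hunk, so a reader cannot tell that space is still reserved.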
44241 @@ -308,9 +326,11 @@ create_elf_tables(struct linux_binprm *b
44242 return -EFAULT;
44243 current->mm->env_end = p;
44244
44245 + memcpy(saved_auxv, elf_info, ei_index * sizeof(elf_addr_t));
44246 +
44247 /* Put the elf_info on the stack in the right place. */
44248 sp = (elf_addr_t __user *)envp + 1;
44249 - if (copy_to_user(sp, elf_info, ei_index * sizeof(elf_addr_t)))
44250 + if (copy_to_user(sp, saved_auxv, ei_index * sizeof(elf_addr_t)))
44251 return -EFAULT;
44252 return 0;
44253 }
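Review bot: `memcpy(saved_auxv, elf_info, ei_index * sizeof(elf_addr_t))` copies into the new on-stack `saved_auxv[AT_VECTOR_SIZE]`, declared in the first create_elf_tables hunk, with a length that is never compared against the buffer size. The bound on `ei_index` is established outside these hunks, so an explicit guard would make the stack copy self-evidently safe: `if (ei_index * sizeof(elf_addr_t) > sizeof(saved_auxv)) return -EFAULT;`. A short comment on why the vector is bounced through the stack before `copy_to_user` would help too.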
44254 @@ -385,10 +405,10 @@ static unsigned long load_elf_interp(str
44255 {
44256 struct elf_phdr *elf_phdata;
44257 struct elf_phdr *eppnt;
44258 - unsigned long load_addr = 0;
44259 + unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
44260 int load_addr_set = 0;
44261 unsigned long last_bss = 0, elf_bss = 0;
44262 - unsigned long error = ~0UL;
44263 + unsigned long error = -EINVAL;
44264 unsigned long total_size;
44265 int retval, i, size;
44266
44267 @@ -434,6 +454,11 @@ static unsigned long load_elf_interp(str
44268 goto out_close;
44269 }
44270
44271 +#ifdef CONFIG_PAX_SEGMEXEC
44272 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
44273 + pax_task_size = SEGMEXEC_TASK_SIZE;
44274 +#endif
44275 +
44276 eppnt = elf_phdata;
44277 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
44278 if (eppnt->p_type == PT_LOAD) {
44279 @@ -477,8 +502,8 @@ static unsigned long load_elf_interp(str
44280 k = load_addr + eppnt->p_vaddr;
44281 if (BAD_ADDR(k) ||
44282 eppnt->p_filesz > eppnt->p_memsz ||
44283 - eppnt->p_memsz > TASK_SIZE ||
44284 - TASK_SIZE - eppnt->p_memsz < k) {
44285 + eppnt->p_memsz > pax_task_size ||
44286 + pax_task_size - eppnt->p_memsz < k) {
44287 error = -ENOMEM;
44288 goto out_close;
44289 }
44290 @@ -532,6 +557,194 @@ out:
44291 return error;
44292 }
44293
44294 +#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
44295 +static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
44296 +{
44297 + unsigned long pax_flags = 0UL;
44298 +
44299 +#ifdef CONFIG_PAX_PAGEEXEC
44300 + if (elf_phdata->p_flags & PF_PAGEEXEC)
44301 + pax_flags |= MF_PAX_PAGEEXEC;
44302 +#endif
44303 +
44304 +#ifdef CONFIG_PAX_SEGMEXEC
44305 + if (elf_phdata->p_flags & PF_SEGMEXEC)
44306 + pax_flags |= MF_PAX_SEGMEXEC;
44307 +#endif
44308 +
44309 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
44310 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
44311 + if (nx_enabled)
44312 + pax_flags &= ~MF_PAX_SEGMEXEC;
44313 + else
44314 + pax_flags &= ~MF_PAX_PAGEEXEC;
44315 + }
44316 +#endif
44317 +
44318 +#ifdef CONFIG_PAX_EMUTRAMP
44319 + if (elf_phdata->p_flags & PF_EMUTRAMP)
44320 + pax_flags |= MF_PAX_EMUTRAMP;
44321 +#endif
44322 +
44323 +#ifdef CONFIG_PAX_MPROTECT
44324 + if (elf_phdata->p_flags & PF_MPROTECT)
44325 + pax_flags |= MF_PAX_MPROTECT;
44326 +#endif
44327 +
44328 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
44329 + if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
44330 + pax_flags |= MF_PAX_RANDMMAP;
44331 +#endif
44332 +
44333 + return pax_flags;
44334 +}
44335 +#endif
44336 +
44337 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
44338 +static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
44339 +{
44340 + unsigned long pax_flags = 0UL;
44341 +
44342 +#ifdef CONFIG_PAX_PAGEEXEC
44343 + if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
44344 + pax_flags |= MF_PAX_PAGEEXEC;
44345 +#endif
44346 +
44347 +#ifdef CONFIG_PAX_SEGMEXEC
44348 + if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
44349 + pax_flags |= MF_PAX_SEGMEXEC;
44350 +#endif
44351 +
44352 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
44353 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
44354 + if (nx_enabled)
44355 + pax_flags &= ~MF_PAX_SEGMEXEC;
44356 + else
44357 + pax_flags &= ~MF_PAX_PAGEEXEC;
44358 + }
44359 +#endif
44360 +
44361 +#ifdef CONFIG_PAX_EMUTRAMP
44362 + if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
44363 + pax_flags |= MF_PAX_EMUTRAMP;
44364 +#endif
44365 +
44366 +#ifdef CONFIG_PAX_MPROTECT
44367 + if (!(elf_phdata->p_flags & PF_NOMPROTECT))
44368 + pax_flags |= MF_PAX_MPROTECT;
44369 +#endif
44370 +
44371 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
44372 + if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
44373 + pax_flags |= MF_PAX_RANDMMAP;
44374 +#endif
44375 +
44376 + return pax_flags;
44377 +}
44378 +#endif
44379 +
44380 +#ifdef CONFIG_PAX_EI_PAX
44381 +static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
44382 +{
44383 + unsigned long pax_flags = 0UL;
44384 +
44385 +#ifdef CONFIG_PAX_PAGEEXEC
44386 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
44387 + pax_flags |= MF_PAX_PAGEEXEC;
44388 +#endif
44389 +
44390 +#ifdef CONFIG_PAX_SEGMEXEC
44391 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
44392 + pax_flags |= MF_PAX_SEGMEXEC;
44393 +#endif
44394 +
44395 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
44396 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
44397 + if (nx_enabled)
44398 + pax_flags &= ~MF_PAX_SEGMEXEC;
44399 + else
44400 + pax_flags &= ~MF_PAX_PAGEEXEC;
44401 + }
44402 +#endif
44403 +
44404 +#ifdef CONFIG_PAX_EMUTRAMP
44405 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
44406 + pax_flags |= MF_PAX_EMUTRAMP;
44407 +#endif
44408 +
44409 +#ifdef CONFIG_PAX_MPROTECT
44410 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
44411 + pax_flags |= MF_PAX_MPROTECT;
44412 +#endif
44413 +
44414 +#ifdef CONFIG_PAX_ASLR
44415 + if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
44416 + pax_flags |= MF_PAX_RANDMMAP;
44417 +#endif
44418 +
44419 + return pax_flags;
44420 +}
44421 +#endif
44422 +
44423 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
44424 +static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
44425 +{
44426 + unsigned long pax_flags = 0UL;
44427 +
44428 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
44429 + unsigned long i;
44430 + int found_flags = 0;
44431 +#endif
44432 +
44433 +#ifdef CONFIG_PAX_EI_PAX
44434 + pax_flags = pax_parse_ei_pax(elf_ex);
44435 +#endif
44436 +
44437 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
44438 + for (i = 0UL; i < elf_ex->e_phnum; i++)
44439 + if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
44440 + if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
44441 + ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
44442 + ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
44443 + ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
44444 + ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
44445 + return -EINVAL;
44446 +
44447 +#ifdef CONFIG_PAX_SOFTMODE
44448 + if (pax_softmode)
44449 + pax_flags = pax_parse_softmode(&elf_phdata[i]);
44450 + else
44451 +#endif
44452 +
44453 + pax_flags = pax_parse_hardmode(&elf_phdata[i]);
44454 + found_flags = 1;
44455 + break;
44456 + }
44457 +#endif
44458 +
44459 +#if !defined(CONFIG_PAX_EI_PAX) && defined(CONFIG_PAX_PT_PAX_FLAGS)
44460 + if (found_flags == 0) {
44461 + struct elf_phdr phdr;
44462 + memset(&phdr, 0, sizeof(phdr));
44463 + phdr.p_flags = PF_NOEMUTRAMP;
44464 +#ifdef CONFIG_PAX_SOFTMODE
44465 + if (pax_softmode)
44466 + pax_flags = pax_parse_softmode(&phdr);
44467 + else
44468 +#endif
44469 + pax_flags = pax_parse_hardmode(&phdr);
44470 + }
44471 +#endif
44472 +
44473 +
44474 + if (0 > pax_check_flags(&pax_flags))
44475 + return -EINVAL;
44476 +
44477 + current->mm->pax_flags = pax_flags;
44478 + return 0;
44479 +}
44480 +#endif
44481 +
44482 /*
44483 * These are the functions used to load ELF style executables and shared
44484 * libraries. There is no binary dependent code anywhere else.
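Review bot: pax_parse_elf_flags has no header comment, and its precedence rules can only be recovered by tracing the `#ifdef`s. The `EI_PAX` result is computed first and then replaced wholesale by the first `PT_PAX_FLAGS` program header, later such headers are ignored because of the `break`, and contradictory bit pairs return `-EINVAL`. I would document that above the function. The comment should also cover the fallback that parses a zeroed `phdr` with only `PF_NOEMUTRAMP` set when `CONFIG_PAX_EI_PAX` is off and no header is found. The unbraced `for` body and the `else` that straddles `#endif` make this function easy to misread, so the comment matters here.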
44485 @@ -548,6 +761,11 @@ static unsigned long randomize_stack_top
44486 {
44487 unsigned int random_variable = 0;
44488
44489 +#ifdef CONFIG_PAX_RANDUSTACK
44490 + if (randomize_va_space)
44491 + return stack_top - current->mm->delta_stack;
44492 +#endif
44493 +
44494 if ((current->flags & PF_RANDOMIZE) &&
44495 !(current->personality & ADDR_NO_RANDOMIZE)) {
44496 random_variable = get_random_int() & STACK_RND_MASK;
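Review bot: The early `return stack_top - current->mm->delta_stack;` bypasses the `PF_RANDOMIZE`/`ADDR_NO_RANDOMIZE` test visible just below it. It also bypasses whatever alignment or growth-direction handling the rest of the function applies outside this hunk. This seems to rely on `delta_stack` being zeroed at exec and set only when `MF_PAX_RANDMMAP` is on, as the load_elf_binary hunk does, but nothing here says so. A comment such as `/* PaX: delta_stack is 0 unless MF_PAX_RANDMMAP was set at exec */` would make the dependency explicit.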
44497 @@ -566,7 +784,7 @@ static int load_elf_binary(struct linux_
44498 unsigned long load_addr = 0, load_bias = 0;
44499 int load_addr_set = 0;
44500 char * elf_interpreter = NULL;
44501 - unsigned long error;
44502 + unsigned long error = 0;
44503 struct elf_phdr *elf_ppnt, *elf_phdata;
44504 unsigned long elf_bss, elf_brk;
44505 int retval, i;
44506 @@ -576,11 +794,11 @@ static int load_elf_binary(struct linux_
44507 unsigned long start_code, end_code, start_data, end_data;
44508 unsigned long reloc_func_desc = 0;
44509 int executable_stack = EXSTACK_DEFAULT;
44510 - unsigned long def_flags = 0;
44511 struct {
44512 struct elfhdr elf_ex;
44513 struct elfhdr interp_elf_ex;
44514 } *loc;
44515 + unsigned long pax_task_size = TASK_SIZE;
44516
44517 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
44518 if (!loc) {
44519 @@ -718,11 +936,80 @@ static int load_elf_binary(struct linux_
44520
44521 /* OK, This is the point of no return */
44522 current->flags &= ~PF_FORKNOEXEC;
44523 - current->mm->def_flags = def_flags;
44524 +
44525 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
44526 + current->mm->pax_flags = 0UL;
44527 +#endif
44528 +
44529 +#ifdef CONFIG_PAX_DLRESOLVE
44530 + current->mm->call_dl_resolve = 0UL;
44531 +#endif
44532 +
44533 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
44534 + current->mm->call_syscall = 0UL;
44535 +#endif
44536 +
44537 +#ifdef CONFIG_PAX_ASLR
44538 + current->mm->delta_mmap = 0UL;
44539 + current->mm->delta_stack = 0UL;
44540 +#endif
44541 +
44542 + current->mm->def_flags = 0;
44543 +
44544 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
44545 + if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
44546 + send_sig(SIGKILL, current, 0);
44547 + goto out_free_dentry;
44548 + }
44549 +#endif
44550 +
44551 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
44552 + pax_set_initial_flags(bprm);
44553 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
44554 + if (pax_set_initial_flags_func)
44555 + (pax_set_initial_flags_func)(bprm);
44556 +#endif
44557 +
44558 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
44559 + if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !nx_enabled) {
44560 + current->mm->context.user_cs_limit = PAGE_SIZE;
44561 + current->mm->def_flags |= VM_PAGEEXEC;
44562 + }
44563 +#endif
44564 +
44565 +#ifdef CONFIG_PAX_SEGMEXEC
44566 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
44567 + current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
44568 + current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
44569 + pax_task_size = SEGMEXEC_TASK_SIZE;
44570 + }
44571 +#endif
44572 +
44573 +#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
44574 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
44575 + set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
44576 + put_cpu();
44577 + }
44578 +#endif
44579
44580 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
44581 may depend on the personality. */
44582 SET_PERSONALITY(loc->elf_ex);
44583 +
44584 +#ifdef CONFIG_PAX_ASLR
44585 + if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
44586 + current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
44587 + current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
44588 + }
44589 +#endif
44590 +
44591 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
44592 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
44593 + executable_stack = EXSTACK_DISABLE_X;
44594 + current->personality &= ~READ_IMPLIES_EXEC;
44595 + } else
44596 +#endif
44597 +
44598 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
44599 current->personality |= READ_IMPLIES_EXEC;
44600
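Review bot: On the `pax_parse_elf_flags()` failure path the code sends SIGKILL and jumps to `out_free_dentry` without assigning `retval`. Unless `retval` already holds an error from code outside this hunk, load_elf_binary would report success for a binary whose markings it has just rejected. The later size check in this function sets `retval = -EINVAL;` before its own exit. I would add `retval = -EINVAL;` before the `goto` so that both rejection paths behave the same.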
44601 @@ -800,10 +1087,27 @@ static int load_elf_binary(struct linux_
44602 * might try to exec. This is because the brk will
44603 * follow the loader, and is not movable. */
44604 #ifdef CONFIG_X86
44605 - load_bias = 0;
44606 + if (current->flags & PF_RANDOMIZE)
44607 + load_bias = 0;
44608 + else
44609 + load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
44610 #else
44611 load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
44612 #endif
44613 +
44614 +#ifdef CONFIG_PAX_RANDMMAP
44615 + /* PaX: randomize base address at the default exe base if requested */
44616 + if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
44617 +#ifdef CONFIG_SPARC64
44618 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
44619 +#else
44620 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
44621 +#endif
44622 + load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
44623 + elf_flags |= MAP_FIXED;
44624 + }
44625 +#endif
44626 +
44627 }
44628
44629 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
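Review bot: The PaX block forces `MAP_FIXED` at a randomised `load_bias` only when `elf_interpreter` is set, but its comment says no more than "randomize base address at the default exe base if requested". Please document why binaries without an interpreter are excluded and why the SPARC64 variant shifts by `PAGE_SHIFT+1`, since both decide which executables get a randomised base at all. The enclosing ET_DYN branch starts outside the hunk.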
44630 @@ -836,9 +1140,9 @@ static int load_elf_binary(struct linux_
44631 * allowed task size. Note that p_filesz must always be
44632 * <= p_memsz so it is only necessary to check p_memsz.
44633 */
44634 - if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
44635 - elf_ppnt->p_memsz > TASK_SIZE ||
44636 - TASK_SIZE - elf_ppnt->p_memsz < k) {
44637 + if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
44638 + elf_ppnt->p_memsz > pax_task_size ||
44639 + pax_task_size - elf_ppnt->p_memsz < k) {
44640 /* set_brk can never work. Avoid overflows. */
44641 send_sig(SIGKILL, current, 0);
44642 retval = -EINVAL;
44643 @@ -866,6 +1170,11 @@ static int load_elf_binary(struct linux_
44644 start_data += load_bias;
44645 end_data += load_bias;
44646
44647 +#ifdef CONFIG_PAX_RANDMMAP
44648 + if (current->mm->pax_flags & MF_PAX_RANDMMAP)
44649 + elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
44650 +#endif
44651 +
44652 /* Calling set_brk effectively mmaps the pages that we need
44653 * for the bss and break sections. We must do this before
44654 * mapping in the interpreter, to make sure it doesn't wind
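Review bot: The expression `PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4)` has no comment and its constants are opaque. As written it moves `elf_brk` up by one page plus a random multiple of 16 bytes below 16 pages, so the result is no longer page-aligned. That is presumably why set_brk was changed earlier in this patch to store the unaligned end. A comment such as `/* PaX: one-page gap plus a random 16-byte-granular offset (< 16 pages) before the heap */` would document both the range and the dependency.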
44655 @@ -877,9 +1186,11 @@ static int load_elf_binary(struct linux_
44656 goto out_free_dentry;
44657 }
44658 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
44659 - send_sig(SIGSEGV, current, 0);
44660 - retval = -EFAULT; /* Nobody gets to see this, but.. */
44661 - goto out_free_dentry;
44662 + /*
44663 + * This bss-zeroing can fail if the ELF
44664 + * file specifies odd protections. So
44665 + * we don't check the return value
44666 + */
44667 }
44668
44669 if (elf_interpreter) {
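Review bot: After this change the `if` has a body holding only a comment, so `padzero(elf_bss)` runs purely for its side effect inside the condition. That reads like a leftover; `if (likely(elf_bss != elf_brk)) padzero(elf_bss);` with the comment placed above it says the same thing directly. The comment should also note what a failed padzero leaves in the partial page past `elf_bss`, because the failure is now accepted silently instead of ending the exec.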
44670 @@ -1112,8 +1423,10 @@ static int dump_seek(struct file *file,
44671 unsigned long n = off;
44672 if (n > PAGE_SIZE)
44673 n = PAGE_SIZE;
44674 - if (!dump_write(file, buf, n))
44675 + if (!dump_write(file, buf, n)) {
44676 + free_page((unsigned long)buf);
44677 return 0;
44678 + }
44679 off -= n;
44680 }
44681 free_page((unsigned long)buf);
44682 @@ -1125,7 +1438,7 @@ static int dump_seek(struct file *file,
44683 * Decide what to dump of a segment, part, all or none.
44684 */
44685 static unsigned long vma_dump_size(struct vm_area_struct *vma,
44686 - unsigned long mm_flags)
44687 + unsigned long mm_flags, long signr)
44688 {
44689 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
44690
44691 @@ -1159,7 +1472,7 @@ static unsigned long vma_dump_size(struc
44692 if (vma->vm_file == NULL)
44693 return 0;
44694
44695 - if (FILTER(MAPPED_PRIVATE))
44696 + if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
44697 goto whole;
44698
44699 /*
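Review bot: `signr == SIGKILL ||` makes a SIGKILL-triggered dump include file-backed private mappings in full, whatever the process's coredump filter says, and no comment explains why. This widens what lands in the core file beyond what `MMF_DUMP_MAPPED_PRIVATE` requested, so the test needs a comment, e.g. `/* SIGKILL: dump file-backed private mappings in full, overriding the coredump filter */`, followed by the reason. vma_dump_size's remaining filter branches lie outside this hunk.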
44700 @@ -1255,8 +1568,11 @@ static int writenote(struct memelfnote *
44701 #undef DUMP_WRITE
44702
44703 #define DUMP_WRITE(addr, nr) \
44704 + do { \
44705 + gr_learn_resource(current, RLIMIT_CORE, size + (nr), 1); \
44706 if ((size += (nr)) > limit || !dump_write(file, (addr), (nr))) \
44707 - goto end_coredump;
44708 + goto end_coredump; \
44709 + } while (0);
44710
44711 static void fill_elf_header(struct elfhdr *elf, int segs,
44712 u16 machine, u32 flags, u8 osabi)
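Review bot: The macro now ends in `} while (0);`, and the trailing semicolon defeats the purpose of the `do { } while (0)` wrapper. A call written as `DUMP_WRITE(a, n);` expands to two statements and breaks under an unbraced `if`/`else`. The last line should be `} while (0)`. `nr` is also expanded twice, once for `gr_learn_resource` and once for the size check, so an argument with side effects would be evaluated twice.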
44713 @@ -1385,9 +1701,9 @@ static void fill_auxv_note(struct memelf
44714 {
44715 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
44716 int i = 0;
44717 - do
44718 + do {
44719 i += 2;
44720 - while (auxv[i - 2] != AT_NULL);
44721 + } while (auxv[i - 2] != AT_NULL);
44722 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
44723 }
44724
44725 @@ -1973,7 +2289,7 @@ static int elf_core_dump(long signr, str
44726 phdr.p_offset = offset;
44727 phdr.p_vaddr = vma->vm_start;
44728 phdr.p_paddr = 0;
44729 - phdr.p_filesz = vma_dump_size(vma, mm_flags);
44730 + phdr.p_filesz = vma_dump_size(vma, mm_flags, signr);
44731 phdr.p_memsz = vma->vm_end - vma->vm_start;
44732 offset += phdr.p_filesz;
44733 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
44734 @@ -2006,7 +2322,7 @@ static int elf_core_dump(long signr, str
44735 unsigned long addr;
44736 unsigned long end;
44737
44738 - end = vma->vm_start + vma_dump_size(vma, mm_flags);
44739 + end = vma->vm_start + vma_dump_size(vma, mm_flags, signr);
44740
44741 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
44742 struct page *page;
44743 @@ -2015,6 +2331,7 @@ static int elf_core_dump(long signr, str
44744 page = get_dump_page(addr);
44745 if (page) {
44746 void *kaddr = kmap(page);
44747 + gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
44748 stop = ((size += PAGE_SIZE) > limit) ||
44749 !dump_write(file, kaddr, PAGE_SIZE);
44750 kunmap(page);
44751 @@ -2042,6 +2359,97 @@ out:
44752
44753 #endif /* USE_ELF_CORE_DUMP */
44754
44755 +#ifdef CONFIG_PAX_MPROTECT
44756 +/* PaX: non-PIC ELF libraries need relocations on their executable segments
44757 + * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
44758 + * we'll remove VM_MAYWRITE for good on RELRO segments.
44759 + *
44760 + * The checks favour ld-linux.so behaviour which operates on a per ELF segment
44761 + * basis because we want to allow the common case and not the special ones.
44762 + */
44763 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
44764 +{
44765 + struct elfhdr elf_h;
44766 + struct elf_phdr elf_p;
44767 + unsigned long i;
44768 + unsigned long oldflags;
44769 + bool is_textrel_rw, is_textrel_rx, is_relro;
44770 +
44771 + if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT))
44772 + return;
44773 +
44774 + oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
44775 + newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
44776 +
44777 +#ifdef CONFIG_PAX_ELFRELOCS
44778 + /* possible TEXTREL */
44779 + is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
44780 + is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
44781 +#else
44782 + is_textrel_rw = false;
44783 + is_textrel_rx = false;
44784 +#endif
44785 +
44786 + /* possible RELRO */
44787 + is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
44788 +
44789 + if (!is_textrel_rw && !is_textrel_rx && !is_relro)
44790 + return;
44791 +
44792 + if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
44793 + memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
44794 +
44795 +#ifdef CONFIG_PAX_ETEXECRELOCS
44796 + ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
44797 +#else
44798 + ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
44799 +#endif
44800 +
44801 + (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
44802 + !elf_check_arch(&elf_h) ||
44803 + elf_h.e_phentsize != sizeof(struct elf_phdr) ||
44804 + elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
44805 + return;
44806 +
44807 + for (i = 0UL; i < elf_h.e_phnum; i++) {
44808 + if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
44809 + return;
44810 + switch (elf_p.p_type) {
44811 + case PT_DYNAMIC:
44812 + if (!is_textrel_rw && !is_textrel_rx)
44813 + continue;
44814 + i = 0UL;
44815 + while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
44816 + elf_dyn dyn;
44817 +
44818 + if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
44819 + return;
44820 + if (dyn.d_tag == DT_NULL)
44821 + return;
44822 + if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
44823 + gr_log_textrel(vma);
44824 + if (is_textrel_rw)
44825 + vma->vm_flags |= VM_MAYWRITE;
44826 + else
44827 + /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
44828 + vma->vm_flags &= ~VM_MAYWRITE;
44829 + return;
44830 + }
44831 + i++;
44832 + }
44833 + return;
44834 +
44835 + case PT_GNU_RELRO:
44836 + if (!is_relro)
44837 + continue;
44838 + if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
44839 + vma->vm_flags &= ~VM_MAYWRITE;
44840 + return;
44841 + }
44842 + }
44843 +}
44844 +#endif
44845 +
44846 static int __init init_elf_binfmt(void)
44847 {
44848 return register_binfmt(&elf_format);
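Review bot: Inside `case PT_DYNAMIC` the outer loop counter `i` is reset and reused as the dynamic-entry index. This only works because every path through that case returns after the reset. A later change that lets control fall back into the `for` loop would resume at the wrong program header. A separate index such as `unsigned long j;` for the `elf_dyn` walk removes the trap. `e_phoff`, `p_offset` and `p_filesz` are read from the file at mprotect time, so a comment stating that the walk ends at `DT_NULL`, at `p_filesz` or at a short `kernel_read()` would also help.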
44849 diff -urNp linux-2.6.32.49/fs/binfmt_flat.c linux-2.6.32.49/fs/binfmt_flat.c
44850 --- linux-2.6.32.49/fs/binfmt_flat.c 2011-11-08 19:02:43.000000000 -0500
44851 +++ linux-2.6.32.49/fs/binfmt_flat.c 2011-11-15 19:59:43.000000000 -0500
44852 @@ -564,7 +564,9 @@ static int load_flat_file(struct linux_b
44853 realdatastart = (unsigned long) -ENOMEM;
44854 printk("Unable to allocate RAM for process data, errno %d\n",
44855 (int)-realdatastart);
44856 + down_write(&current->mm->mmap_sem);
44857 do_munmap(current->mm, textpos, text_len);
44858 + up_write(&current->mm->mmap_sem);
44859 ret = realdatastart;
44860 goto err;
44861 }
44862 @@ -588,8 +590,10 @@ static int load_flat_file(struct linux_b
44863 }
44864 if (IS_ERR_VALUE(result)) {
44865 printk("Unable to read data+bss, errno %d\n", (int)-result);
44866 + down_write(&current->mm->mmap_sem);
44867 do_munmap(current->mm, textpos, text_len);
44868 do_munmap(current->mm, realdatastart, data_len + extra);
44869 + up_write(&current->mm->mmap_sem);
44870 ret = result;
44871 goto err;
44872 }
44873 @@ -658,8 +662,10 @@ static int load_flat_file(struct linux_b
44874 }
44875 if (IS_ERR_VALUE(result)) {
44876 printk("Unable to read code+data+bss, errno %d\n",(int)-result);
44877 + down_write(&current->mm->mmap_sem);
44878 do_munmap(current->mm, textpos, text_len + data_len + extra +
44879 MAX_SHARED_LIBS * sizeof(unsigned long));
44880 + up_write(&current->mm->mmap_sem);
44881 ret = result;
44882 goto err;
44883 }
44884 diff -urNp linux-2.6.32.49/fs/bio.c linux-2.6.32.49/fs/bio.c
44885 --- linux-2.6.32.49/fs/bio.c 2011-11-08 19:02:43.000000000 -0500
44886 +++ linux-2.6.32.49/fs/bio.c 2011-11-15 19:59:43.000000000 -0500
44887 @@ -78,7 +78,7 @@ static struct kmem_cache *bio_find_or_cr
44888
44889 i = 0;
44890 while (i < bio_slab_nr) {
44891 - struct bio_slab *bslab = &bio_slabs[i];
44892 + bslab = &bio_slabs[i];
44893
44894 if (!bslab->slab && entry == -1)
44895 entry = i;
44896 @@ -1236,7 +1236,7 @@ static void bio_copy_kern_endio(struct b
44897 const int read = bio_data_dir(bio) == READ;
44898 struct bio_map_data *bmd = bio->bi_private;
44899 int i;
44900 - char *p = bmd->sgvecs[0].iov_base;
44901 + char *p = (char __force_kernel *)bmd->sgvecs[0].iov_base;
44902
44903 __bio_for_each_segment(bvec, bio, i, 0) {
44904 char *addr = page_address(bvec->bv_page);
44905 diff -urNp linux-2.6.32.49/fs/block_dev.c linux-2.6.32.49/fs/block_dev.c
44906 --- linux-2.6.32.49/fs/block_dev.c 2011-11-08 19:02:43.000000000 -0500
44907 +++ linux-2.6.32.49/fs/block_dev.c 2011-11-15 19:59:43.000000000 -0500
44908 @@ -664,7 +664,7 @@ int bd_claim(struct block_device *bdev,
44909 else if (bdev->bd_contains == bdev)
44910 res = 0; /* is a whole device which isn't held */
44911
44912 - else if (bdev->bd_contains->bd_holder == bd_claim)
44913 + else if (bdev->bd_contains->bd_holder == (void *)bd_claim)
44914 res = 0; /* is a partition of a device that is being partitioned */
44915 else if (bdev->bd_contains->bd_holder != NULL)
44916 res = -EBUSY; /* is a partition of a held device */
44917 diff -urNp linux-2.6.32.49/fs/btrfs/ctree.c linux-2.6.32.49/fs/btrfs/ctree.c
44918 --- linux-2.6.32.49/fs/btrfs/ctree.c 2011-11-08 19:02:43.000000000 -0500
44919 +++ linux-2.6.32.49/fs/btrfs/ctree.c 2011-11-15 19:59:43.000000000 -0500
44920 @@ -461,9 +461,12 @@ static noinline int __btrfs_cow_block(st
44921 free_extent_buffer(buf);
44922 add_root_to_dirty_list(root);
44923 } else {
44924 - if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID)
44925 - parent_start = parent->start;
44926 - else
44927 + if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) {
44928 + if (parent)
44929 + parent_start = parent->start;
44930 + else
44931 + parent_start = 0;
44932 + } else
44933 parent_start = 0;
44934
44935 WARN_ON(trans->transid != btrfs_header_generation(parent));
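Review bot: The new `if (parent)` guard implies `parent` can be NULL in this branch, yet the context line right after it, `WARN_ON(trans->transid != btrfs_header_generation(parent));`, still uses `parent` unguarded. Either the NULL case cannot occur here and the check is noise, or the WARN_ON needs the same guard, e.g. `WARN_ON(parent && trans->transid != btrfs_header_generation(parent));`. The nested if/else could also collapse to `parent_start = (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID && parent) ? parent->start : 0;`. __btrfs_cow_block starts and ends outside the hunk.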
44936 @@ -3645,7 +3648,6 @@ setup_items_for_insert(struct btrfs_tran
44937
44938 ret = 0;
44939 if (slot == 0) {
44940 - struct btrfs_disk_key disk_key;
44941 btrfs_cpu_key_to_disk(&disk_key, cpu_key);
44942 ret = fixup_low_keys(trans, root, path, &disk_key, 1);
44943 }
44944 diff -urNp linux-2.6.32.49/fs/btrfs/disk-io.c linux-2.6.32.49/fs/btrfs/disk-io.c
44945 --- linux-2.6.32.49/fs/btrfs/disk-io.c 2011-11-08 19:02:43.000000000 -0500
44946 +++ linux-2.6.32.49/fs/btrfs/disk-io.c 2011-11-15 19:59:43.000000000 -0500
44947 @@ -39,7 +39,7 @@
44948 #include "tree-log.h"
44949 #include "free-space-cache.h"
44950
44951 -static struct extent_io_ops btree_extent_io_ops;
44952 +static const struct extent_io_ops btree_extent_io_ops;
44953 static void end_workqueue_fn(struct btrfs_work *work);
44954 static void free_fs_root(struct btrfs_root *root);
44955
44956 @@ -2607,7 +2607,7 @@ out:
44957 return 0;
44958 }
44959
44960 -static struct extent_io_ops btree_extent_io_ops = {
44961 +static const struct extent_io_ops btree_extent_io_ops = {
44962 .write_cache_pages_lock_hook = btree_lock_page_hook,
44963 .readpage_end_io_hook = btree_readpage_end_io_hook,
44964 .submit_bio_hook = btree_submit_bio_hook,
44965 diff -urNp linux-2.6.32.49/fs/btrfs/extent_io.h linux-2.6.32.49/fs/btrfs/extent_io.h
44966 --- linux-2.6.32.49/fs/btrfs/extent_io.h 2011-11-08 19:02:43.000000000 -0500
44967 +++ linux-2.6.32.49/fs/btrfs/extent_io.h 2011-11-15 19:59:43.000000000 -0500
44968 @@ -49,36 +49,36 @@ typedef int (extent_submit_bio_hook_t)(s
44969 struct bio *bio, int mirror_num,
44970 unsigned long bio_flags);
44971 struct extent_io_ops {
44972 - int (*fill_delalloc)(struct inode *inode, struct page *locked_page,
44973 + int (* const fill_delalloc)(struct inode *inode, struct page *locked_page,
44974 u64 start, u64 end, int *page_started,
44975 unsigned long *nr_written);
44976 - int (*writepage_start_hook)(struct page *page, u64 start, u64 end);
44977 - int (*writepage_io_hook)(struct page *page, u64 start, u64 end);
44978 + int (* const writepage_start_hook)(struct page *page, u64 start, u64 end);
44979 + int (* const writepage_io_hook)(struct page *page, u64 start, u64 end);
44980 extent_submit_bio_hook_t *submit_bio_hook;
44981 - int (*merge_bio_hook)(struct page *page, unsigned long offset,
44982 + int (* const merge_bio_hook)(struct page *page, unsigned long offset,
44983 size_t size, struct bio *bio,
44984 unsigned long bio_flags);
44985 - int (*readpage_io_hook)(struct page *page, u64 start, u64 end);
44986 - int (*readpage_io_failed_hook)(struct bio *bio, struct page *page,
44987 + int (* const readpage_io_hook)(struct page *page, u64 start, u64 end);
44988 + int (* const readpage_io_failed_hook)(struct bio *bio, struct page *page,
44989 u64 start, u64 end,
44990 struct extent_state *state);
44991 - int (*writepage_io_failed_hook)(struct bio *bio, struct page *page,
44992 + int (* const writepage_io_failed_hook)(struct bio *bio, struct page *page,
44993 u64 start, u64 end,
44994 struct extent_state *state);
44995 - int (*readpage_end_io_hook)(struct page *page, u64 start, u64 end,
44996 + int (* const readpage_end_io_hook)(struct page *page, u64 start, u64 end,
44997 struct extent_state *state);
44998 - int (*writepage_end_io_hook)(struct page *page, u64 start, u64 end,
44999 + int (* const writepage_end_io_hook)(struct page *page, u64 start, u64 end,
45000 struct extent_state *state, int uptodate);
45001 - int (*set_bit_hook)(struct inode *inode, u64 start, u64 end,
45002 + int (* const set_bit_hook)(struct inode *inode, u64 start, u64 end,
45003 unsigned long old, unsigned long bits);
45004 - int (*clear_bit_hook)(struct inode *inode, struct extent_state *state,
45005 + int (* const clear_bit_hook)(struct inode *inode, struct extent_state *state,
45006 unsigned long bits);
45007 - int (*merge_extent_hook)(struct inode *inode,
45008 + int (* const merge_extent_hook)(struct inode *inode,
45009 struct extent_state *new,
45010 struct extent_state *other);
45011 - int (*split_extent_hook)(struct inode *inode,
45012 + int (* const split_extent_hook)(struct inode *inode,
45013 struct extent_state *orig, u64 split);
45014 - int (*write_cache_pages_lock_hook)(struct page *page);
45015 + int (* const write_cache_pages_lock_hook)(struct page *page);
45016 };
45017
45018 struct extent_io_tree {
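Review bot: `submit_bio_hook` is the one member of `struct extent_io_ops` left without the `const` that every other hook in this hunk receives, so the struct definition alone no longer says that every slot is write-once. Both ops tables visible in this patch are declared `static const`, which already covers the member in practice, but for consistency it could read `extent_submit_bio_hook_t * const submit_bio_hook;`. A one-line comment above the struct stating that ops tables are meant to be constant would help later additions follow the same rule.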
45019 @@ -88,7 +88,7 @@ struct extent_io_tree {
45020 u64 dirty_bytes;
45021 spinlock_t lock;
45022 spinlock_t buffer_lock;
45023 - struct extent_io_ops *ops;
45024 + const struct extent_io_ops *ops;
45025 };
45026
45027 struct extent_state {
45028 diff -urNp linux-2.6.32.49/fs/btrfs/extent-tree.c linux-2.6.32.49/fs/btrfs/extent-tree.c
45029 --- linux-2.6.32.49/fs/btrfs/extent-tree.c 2011-11-08 19:02:43.000000000 -0500
45030 +++ linux-2.6.32.49/fs/btrfs/extent-tree.c 2011-11-15 19:59:43.000000000 -0500
45031 @@ -7141,6 +7141,10 @@ static noinline int relocate_one_extent(
45032 u64 group_start = group->key.objectid;
45033 new_extents = kmalloc(sizeof(*new_extents),
45034 GFP_NOFS);
45035 + if (!new_extents) {
45036 + ret = -ENOMEM;
45037 + goto out;
45038 + }
45039 nr_extents = 1;
45040 ret = get_new_locations(reloc_inode,
45041 extent_key,
45042 diff -urNp linux-2.6.32.49/fs/btrfs/free-space-cache.c linux-2.6.32.49/fs/btrfs/free-space-cache.c
45043 --- linux-2.6.32.49/fs/btrfs/free-space-cache.c 2011-11-08 19:02:43.000000000 -0500
45044 +++ linux-2.6.32.49/fs/btrfs/free-space-cache.c 2011-11-15 19:59:43.000000000 -0500
45045 @@ -1074,8 +1074,6 @@ u64 btrfs_alloc_from_cluster(struct btrf
45046
45047 while(1) {
45048 if (entry->bytes < bytes || entry->offset < min_start) {
45049 - struct rb_node *node;
45050 -
45051 node = rb_next(&entry->offset_index);
45052 if (!node)
45053 break;
45054 @@ -1226,7 +1224,7 @@ again:
45055 */
45056 while (entry->bitmap || found_bitmap ||
45057 (!entry->bitmap && entry->bytes < min_bytes)) {
45058 - struct rb_node *node = rb_next(&entry->offset_index);
45059 + node = rb_next(&entry->offset_index);
45060
45061 if (entry->bitmap && entry->bytes > bytes + empty_size) {
45062 ret = btrfs_bitmap_cluster(block_group, entry, cluster,
45063 diff -urNp linux-2.6.32.49/fs/btrfs/inode.c linux-2.6.32.49/fs/btrfs/inode.c
45064 --- linux-2.6.32.49/fs/btrfs/inode.c 2011-11-08 19:02:43.000000000 -0500
45065 +++ linux-2.6.32.49/fs/btrfs/inode.c 2011-11-15 19:59:43.000000000 -0500
45066 @@ -63,7 +63,7 @@ static const struct inode_operations btr
45067 static const struct address_space_operations btrfs_aops;
45068 static const struct address_space_operations btrfs_symlink_aops;
45069 static const struct file_operations btrfs_dir_file_operations;
45070 -static struct extent_io_ops btrfs_extent_io_ops;
45071 +static const struct extent_io_ops btrfs_extent_io_ops;
45072
45073 static struct kmem_cache *btrfs_inode_cachep;
45074 struct kmem_cache *btrfs_trans_handle_cachep;
45075 @@ -925,6 +925,7 @@ static int cow_file_range_async(struct i
45076 1, 0, NULL, GFP_NOFS);
45077 while (start < end) {
45078 async_cow = kmalloc(sizeof(*async_cow), GFP_NOFS);
45079 + BUG_ON(!async_cow);
45080 async_cow->inode = inode;
45081 async_cow->root = root;
45082 async_cow->locked_page = locked_page;
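Review bot: `BUG_ON(!async_cow)` turns a failed `kmalloc(..., GFP_NOFS)` inside the `while (start < end)` loop into a deliberate kernel crash, which is more diagnosable than the NULL dereference it replaces but still takes the machine down under memory pressure. Returning `-ENOMEM` would be preferable, though earlier iterations of the loop may already have handed work off by the time an allocation fails, so a clean unwind needs the part of `cow_file_range_async` that is outside this hunk. Until then a comment such as `/* TODO: unwind and return -ENOMEM instead of BUG */` would record that this is a stopgap.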
45083 @@ -4591,6 +4592,8 @@ static noinline int uncompress_inline(st
45084 inline_size = btrfs_file_extent_inline_item_len(leaf,
45085 btrfs_item_nr(leaf, path->slots[0]));
45086 tmp = kmalloc(inline_size, GFP_NOFS);
45087 + if (!tmp)
45088 + return -ENOMEM;
45089 ptr = btrfs_file_extent_inline_start(item);
45090
45091 read_extent_buffer(leaf, tmp, ptr, inline_size);
45092 @@ -5410,7 +5413,7 @@ fail:
45093 return -ENOMEM;
45094 }
45095
45096 -static int btrfs_getattr(struct vfsmount *mnt,
45097 +int btrfs_getattr(struct vfsmount *mnt,
45098 struct dentry *dentry, struct kstat *stat)
45099 {
45100 struct inode *inode = dentry->d_inode;
45101 @@ -5422,6 +5425,14 @@ static int btrfs_getattr(struct vfsmount
45102 return 0;
45103 }
45104
45105 +EXPORT_SYMBOL(btrfs_getattr);
45106 +
45107 +dev_t get_btrfs_dev_from_inode(struct inode *inode)
45108 +{
45109 + return BTRFS_I(inode)->root->anon_super.s_dev;
45110 +}
45111 +EXPORT_SYMBOL(get_btrfs_dev_from_inode);
45112 +
45113 static int btrfs_rename(struct inode *old_dir, struct dentry *old_dentry,
45114 struct inode *new_dir, struct dentry *new_dentry)
45115 {
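Review bot: `get_btrfs_dev_from_inode()` applies `BTRFS_I()` to whatever inode it is handed and follows `->root` with no check, and it is exported without a comment stating that precondition. A caller outside btrfs that passes an inode from another filesystem would presumably read unrelated memory, so the contract should be written down at the definition, for example `/* caller must ensure inode belongs to a btrfs superblock before calling */`. This hunk also exports `btrfs_getattr`, and no prototype for either symbol is visible in this part of the patch, so confirm that a header declares them.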
45116 @@ -5972,7 +5983,7 @@ static const struct file_operations btrf
45117 .fsync = btrfs_sync_file,
45118 };
45119
45120 -static struct extent_io_ops btrfs_extent_io_ops = {
45121 +static const struct extent_io_ops btrfs_extent_io_ops = {
45122 .fill_delalloc = run_delalloc_range,
45123 .submit_bio_hook = btrfs_submit_bio_hook,
45124 .merge_bio_hook = btrfs_merge_bio_hook,
45125 diff -urNp linux-2.6.32.49/fs/btrfs/relocation.c linux-2.6.32.49/fs/btrfs/relocation.c
45126 --- linux-2.6.32.49/fs/btrfs/relocation.c 2011-11-08 19:02:43.000000000 -0500
45127 +++ linux-2.6.32.49/fs/btrfs/relocation.c 2011-11-15 19:59:43.000000000 -0500
45128 @@ -884,7 +884,7 @@ static int __update_reloc_root(struct bt
45129 }
45130 spin_unlock(&rc->reloc_root_tree.lock);
45131
45132 - BUG_ON((struct btrfs_root *)node->data != root);
45133 + BUG_ON(!node || (struct btrfs_root *)node->data != root);
45134
45135 if (!del) {
45136 spin_lock(&rc->reloc_root_tree.lock);
45137 diff -urNp linux-2.6.32.49/fs/btrfs/sysfs.c linux-2.6.32.49/fs/btrfs/sysfs.c
45138 --- linux-2.6.32.49/fs/btrfs/sysfs.c 2011-11-08 19:02:43.000000000 -0500
45139 +++ linux-2.6.32.49/fs/btrfs/sysfs.c 2011-11-15 19:59:43.000000000 -0500
45140 @@ -164,12 +164,12 @@ static void btrfs_root_release(struct ko
45141 complete(&root->kobj_unregister);
45142 }
45143
45144 -static struct sysfs_ops btrfs_super_attr_ops = {
45145 +static const struct sysfs_ops btrfs_super_attr_ops = {
45146 .show = btrfs_super_attr_show,
45147 .store = btrfs_super_attr_store,
45148 };
45149
45150 -static struct sysfs_ops btrfs_root_attr_ops = {
45151 +static const struct sysfs_ops btrfs_root_attr_ops = {
45152 .show = btrfs_root_attr_show,
45153 .store = btrfs_root_attr_store,
45154 };
45155 diff -urNp linux-2.6.32.49/fs/buffer.c linux-2.6.32.49/fs/buffer.c
45156 --- linux-2.6.32.49/fs/buffer.c 2011-11-08 19:02:43.000000000 -0500
45157 +++ linux-2.6.32.49/fs/buffer.c 2011-11-15 19:59:43.000000000 -0500
45158 @@ -25,6 +25,7 @@
45159 #include <linux/percpu.h>
45160 #include <linux/slab.h>
45161 #include <linux/capability.h>
45162 +#include <linux/security.h>
45163 #include <linux/blkdev.h>
45164 #include <linux/file.h>
45165 #include <linux/quotaops.h>
45166 diff -urNp linux-2.6.32.49/fs/cachefiles/bind.c linux-2.6.32.49/fs/cachefiles/bind.c
45167 --- linux-2.6.32.49/fs/cachefiles/bind.c 2011-11-08 19:02:43.000000000 -0500
45168 +++ linux-2.6.32.49/fs/cachefiles/bind.c 2011-11-15 19:59:43.000000000 -0500
45169 @@ -39,13 +39,11 @@ int cachefiles_daemon_bind(struct cachef
45170 args);
45171
45172 /* start by checking things over */
45173 - ASSERT(cache->fstop_percent >= 0 &&
45174 - cache->fstop_percent < cache->fcull_percent &&
45175 + ASSERT(cache->fstop_percent < cache->fcull_percent &&
45176 cache->fcull_percent < cache->frun_percent &&
45177 cache->frun_percent < 100);
45178
45179 - ASSERT(cache->bstop_percent >= 0 &&
45180 - cache->bstop_percent < cache->bcull_percent &&
45181 + ASSERT(cache->bstop_percent < cache->bcull_percent &&
45182 cache->bcull_percent < cache->brun_percent &&
45183 cache->brun_percent < 100);
45184
45185 diff -urNp linux-2.6.32.49/fs/cachefiles/daemon.c linux-2.6.32.49/fs/cachefiles/daemon.c
45186 --- linux-2.6.32.49/fs/cachefiles/daemon.c 2011-11-08 19:02:43.000000000 -0500
45187 +++ linux-2.6.32.49/fs/cachefiles/daemon.c 2011-11-15 19:59:43.000000000 -0500
45188 @@ -220,7 +220,7 @@ static ssize_t cachefiles_daemon_write(s
45189 if (test_bit(CACHEFILES_DEAD, &cache->flags))
45190 return -EIO;
45191
45192 - if (datalen < 0 || datalen > PAGE_SIZE - 1)
45193 + if (datalen > PAGE_SIZE - 1)
45194 return -EOPNOTSUPP;
45195
45196 /* drag the command string into the kernel so we can parse it */
45197 @@ -385,7 +385,7 @@ static int cachefiles_daemon_fstop(struc
45198 if (args[0] != '%' || args[1] != '\0')
45199 return -EINVAL;
45200
45201 - if (fstop < 0 || fstop >= cache->fcull_percent)
45202 + if (fstop >= cache->fcull_percent)
45203 return cachefiles_daemon_range_error(cache, args);
45204
45205 cache->fstop_percent = fstop;
45206 @@ -457,7 +457,7 @@ static int cachefiles_daemon_bstop(struc
45207 if (args[0] != '%' || args[1] != '\0')
45208 return -EINVAL;
45209
45210 - if (bstop < 0 || bstop >= cache->bcull_percent)
45211 + if (bstop >= cache->bcull_percent)
45212 return cachefiles_daemon_range_error(cache, args);
45213
45214 cache->bstop_percent = bstop;
45215 diff -urNp linux-2.6.32.49/fs/cachefiles/internal.h linux-2.6.32.49/fs/cachefiles/internal.h
45216 --- linux-2.6.32.49/fs/cachefiles/internal.h 2011-11-08 19:02:43.000000000 -0500
45217 +++ linux-2.6.32.49/fs/cachefiles/internal.h 2011-11-15 19:59:43.000000000 -0500
45218 @@ -56,7 +56,7 @@ struct cachefiles_cache {
45219 wait_queue_head_t daemon_pollwq; /* poll waitqueue for daemon */
45220 struct rb_root active_nodes; /* active nodes (can't be culled) */
45221 rwlock_t active_lock; /* lock for active_nodes */
45222 - atomic_t gravecounter; /* graveyard uniquifier */
45223 + atomic_unchecked_t gravecounter; /* graveyard uniquifier */
45224 unsigned frun_percent; /* when to stop culling (% files) */
45225 unsigned fcull_percent; /* when to start culling (% files) */
45226 unsigned fstop_percent; /* when to stop allocating (% files) */
45227 @@ -168,19 +168,19 @@ extern int cachefiles_check_in_use(struc
45228 * proc.c
45229 */
45230 #ifdef CONFIG_CACHEFILES_HISTOGRAM
45231 -extern atomic_t cachefiles_lookup_histogram[HZ];
45232 -extern atomic_t cachefiles_mkdir_histogram[HZ];
45233 -extern atomic_t cachefiles_create_histogram[HZ];
45234 +extern atomic_unchecked_t cachefiles_lookup_histogram[HZ];
45235 +extern atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
45236 +extern atomic_unchecked_t cachefiles_create_histogram[HZ];
45237
45238 extern int __init cachefiles_proc_init(void);
45239 extern void cachefiles_proc_cleanup(void);
45240 static inline
45241 -void cachefiles_hist(atomic_t histogram[], unsigned long start_jif)
45242 +void cachefiles_hist(atomic_unchecked_t histogram[], unsigned long start_jif)
45243 {
45244 unsigned long jif = jiffies - start_jif;
45245 if (jif >= HZ)
45246 jif = HZ - 1;
45247 - atomic_inc(&histogram[jif]);
45248 + atomic_inc_unchecked(&histogram[jif]);
45249 }
45250
45251 #else
45252 diff -urNp linux-2.6.32.49/fs/cachefiles/namei.c linux-2.6.32.49/fs/cachefiles/namei.c
45253 --- linux-2.6.32.49/fs/cachefiles/namei.c 2011-11-08 19:02:43.000000000 -0500
45254 +++ linux-2.6.32.49/fs/cachefiles/namei.c 2011-11-15 19:59:43.000000000 -0500
45255 @@ -250,7 +250,7 @@ try_again:
45256 /* first step is to make up a grave dentry in the graveyard */
45257 sprintf(nbuffer, "%08x%08x",
45258 (uint32_t) get_seconds(),
45259 - (uint32_t) atomic_inc_return(&cache->gravecounter));
45260 + (uint32_t) atomic_inc_return_unchecked(&cache->gravecounter));
45261
45262 /* do the multiway lock magic */
45263 trap = lock_rename(cache->graveyard, dir);
45264 diff -urNp linux-2.6.32.49/fs/cachefiles/proc.c linux-2.6.32.49/fs/cachefiles/proc.c
45265 --- linux-2.6.32.49/fs/cachefiles/proc.c 2011-11-08 19:02:43.000000000 -0500
45266 +++ linux-2.6.32.49/fs/cachefiles/proc.c 2011-11-15 19:59:43.000000000 -0500
45267 @@ -14,9 +14,9 @@
45268 #include <linux/seq_file.h>
45269 #include "internal.h"
45270
45271 -atomic_t cachefiles_lookup_histogram[HZ];
45272 -atomic_t cachefiles_mkdir_histogram[HZ];
45273 -atomic_t cachefiles_create_histogram[HZ];
45274 +atomic_unchecked_t cachefiles_lookup_histogram[HZ];
45275 +atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
45276 +atomic_unchecked_t cachefiles_create_histogram[HZ];
45277
45278 /*
45279 * display the latency histogram
45280 @@ -35,9 +35,9 @@ static int cachefiles_histogram_show(str
45281 return 0;
45282 default:
45283 index = (unsigned long) v - 3;
45284 - x = atomic_read(&cachefiles_lookup_histogram[index]);
45285 - y = atomic_read(&cachefiles_mkdir_histogram[index]);
45286 - z = atomic_read(&cachefiles_create_histogram[index]);
45287 + x = atomic_read_unchecked(&cachefiles_lookup_histogram[index]);
45288 + y = atomic_read_unchecked(&cachefiles_mkdir_histogram[index]);
45289 + z = atomic_read_unchecked(&cachefiles_create_histogram[index]);
45290 if (x == 0 && y == 0 && z == 0)
45291 return 0;
45292
45293 diff -urNp linux-2.6.32.49/fs/cachefiles/rdwr.c linux-2.6.32.49/fs/cachefiles/rdwr.c
45294 --- linux-2.6.32.49/fs/cachefiles/rdwr.c 2011-11-08 19:02:43.000000000 -0500
45295 +++ linux-2.6.32.49/fs/cachefiles/rdwr.c 2011-11-15 19:59:43.000000000 -0500
45296 @@ -946,7 +946,7 @@ int cachefiles_write_page(struct fscache
45297 old_fs = get_fs();
45298 set_fs(KERNEL_DS);
45299 ret = file->f_op->write(
45300 - file, (const void __user *) data, len, &pos);
45301 + file, (const void __force_user *) data, len, &pos);
45302 set_fs(old_fs);
45303 kunmap(page);
45304 if (ret != len)
45305 diff -urNp linux-2.6.32.49/fs/cifs/cifs_debug.c linux-2.6.32.49/fs/cifs/cifs_debug.c
45306 --- linux-2.6.32.49/fs/cifs/cifs_debug.c 2011-11-08 19:02:43.000000000 -0500
45307 +++ linux-2.6.32.49/fs/cifs/cifs_debug.c 2011-11-15 19:59:43.000000000 -0500
45308 @@ -256,25 +256,25 @@ static ssize_t cifs_stats_proc_write(str
45309 tcon = list_entry(tmp3,
45310 struct cifsTconInfo,
45311 tcon_list);
45312 - atomic_set(&tcon->num_smbs_sent, 0);
45313 - atomic_set(&tcon->num_writes, 0);
45314 - atomic_set(&tcon->num_reads, 0);
45315 - atomic_set(&tcon->num_oplock_brks, 0);
45316 - atomic_set(&tcon->num_opens, 0);
45317 - atomic_set(&tcon->num_posixopens, 0);
45318 - atomic_set(&tcon->num_posixmkdirs, 0);
45319 - atomic_set(&tcon->num_closes, 0);
45320 - atomic_set(&tcon->num_deletes, 0);
45321 - atomic_set(&tcon->num_mkdirs, 0);
45322 - atomic_set(&tcon->num_rmdirs, 0);
45323 - atomic_set(&tcon->num_renames, 0);
45324 - atomic_set(&tcon->num_t2renames, 0);
45325 - atomic_set(&tcon->num_ffirst, 0);
45326 - atomic_set(&tcon->num_fnext, 0);
45327 - atomic_set(&tcon->num_fclose, 0);
45328 - atomic_set(&tcon->num_hardlinks, 0);
45329 - atomic_set(&tcon->num_symlinks, 0);
45330 - atomic_set(&tcon->num_locks, 0);
45331 + atomic_set_unchecked(&tcon->num_smbs_sent, 0);
45332 + atomic_set_unchecked(&tcon->num_writes, 0);
45333 + atomic_set_unchecked(&tcon->num_reads, 0);
45334 + atomic_set_unchecked(&tcon->num_oplock_brks, 0);
45335 + atomic_set_unchecked(&tcon->num_opens, 0);
45336 + atomic_set_unchecked(&tcon->num_posixopens, 0);
45337 + atomic_set_unchecked(&tcon->num_posixmkdirs, 0);
45338 + atomic_set_unchecked(&tcon->num_closes, 0);
45339 + atomic_set_unchecked(&tcon->num_deletes, 0);
45340 + atomic_set_unchecked(&tcon->num_mkdirs, 0);
45341 + atomic_set_unchecked(&tcon->num_rmdirs, 0);
45342 + atomic_set_unchecked(&tcon->num_renames, 0);
45343 + atomic_set_unchecked(&tcon->num_t2renames, 0);
45344 + atomic_set_unchecked(&tcon->num_ffirst, 0);
45345 + atomic_set_unchecked(&tcon->num_fnext, 0);
45346 + atomic_set_unchecked(&tcon->num_fclose, 0);
45347 + atomic_set_unchecked(&tcon->num_hardlinks, 0);
45348 + atomic_set_unchecked(&tcon->num_symlinks, 0);
45349 + atomic_set_unchecked(&tcon->num_locks, 0);
45350 }
45351 }
45352 }
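Review bot: The reset list converted here omits `num_flushes`, which `cifs_stats_proc_show` prints in the next hunk, and also `num_acl_get` and `num_acl_set`, which the `cifsglob.h` hunk declares alongside the other counters. Unless they are cleared somewhere outside the lines shown, writing to the stats file leaves those three at their old values. Adding `atomic_set_unchecked(&tcon->num_flushes, 0);` and the two ACL counters to this block would make the reset complete. The omission predates this patch, which only swaps the accessor.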
45353 @@ -334,41 +334,41 @@ static int cifs_stats_proc_show(struct s
45354 if (tcon->need_reconnect)
45355 seq_puts(m, "\tDISCONNECTED ");
45356 seq_printf(m, "\nSMBs: %d Oplock Breaks: %d",
45357 - atomic_read(&tcon->num_smbs_sent),
45358 - atomic_read(&tcon->num_oplock_brks));
45359 + atomic_read_unchecked(&tcon->num_smbs_sent),
45360 + atomic_read_unchecked(&tcon->num_oplock_brks));
45361 seq_printf(m, "\nReads: %d Bytes: %lld",
45362 - atomic_read(&tcon->num_reads),
45363 + atomic_read_unchecked(&tcon->num_reads),
45364 (long long)(tcon->bytes_read));
45365 seq_printf(m, "\nWrites: %d Bytes: %lld",
45366 - atomic_read(&tcon->num_writes),
45367 + atomic_read_unchecked(&tcon->num_writes),
45368 (long long)(tcon->bytes_written));
45369 seq_printf(m, "\nFlushes: %d",
45370 - atomic_read(&tcon->num_flushes));
45371 + atomic_read_unchecked(&tcon->num_flushes));
45372 seq_printf(m, "\nLocks: %d HardLinks: %d "
45373 "Symlinks: %d",
45374 - atomic_read(&tcon->num_locks),
45375 - atomic_read(&tcon->num_hardlinks),
45376 - atomic_read(&tcon->num_symlinks));
45377 + atomic_read_unchecked(&tcon->num_locks),
45378 + atomic_read_unchecked(&tcon->num_hardlinks),
45379 + atomic_read_unchecked(&tcon->num_symlinks));
45380 seq_printf(m, "\nOpens: %d Closes: %d "
45381 "Deletes: %d",
45382 - atomic_read(&tcon->num_opens),
45383 - atomic_read(&tcon->num_closes),
45384 - atomic_read(&tcon->num_deletes));
45385 + atomic_read_unchecked(&tcon->num_opens),
45386 + atomic_read_unchecked(&tcon->num_closes),
45387 + atomic_read_unchecked(&tcon->num_deletes));
45388 seq_printf(m, "\nPosix Opens: %d "
45389 "Posix Mkdirs: %d",
45390 - atomic_read(&tcon->num_posixopens),
45391 - atomic_read(&tcon->num_posixmkdirs));
45392 + atomic_read_unchecked(&tcon->num_posixopens),
45393 + atomic_read_unchecked(&tcon->num_posixmkdirs));
45394 seq_printf(m, "\nMkdirs: %d Rmdirs: %d",
45395 - atomic_read(&tcon->num_mkdirs),
45396 - atomic_read(&tcon->num_rmdirs));
45397 + atomic_read_unchecked(&tcon->num_mkdirs),
45398 + atomic_read_unchecked(&tcon->num_rmdirs));
45399 seq_printf(m, "\nRenames: %d T2 Renames %d",
45400 - atomic_read(&tcon->num_renames),
45401 - atomic_read(&tcon->num_t2renames));
45402 + atomic_read_unchecked(&tcon->num_renames),
45403 + atomic_read_unchecked(&tcon->num_t2renames));
45404 seq_printf(m, "\nFindFirst: %d FNext %d "
45405 "FClose %d",
45406 - atomic_read(&tcon->num_ffirst),
45407 - atomic_read(&tcon->num_fnext),
45408 - atomic_read(&tcon->num_fclose));
45409 + atomic_read_unchecked(&tcon->num_ffirst),
45410 + atomic_read_unchecked(&tcon->num_fnext),
45411 + atomic_read_unchecked(&tcon->num_fclose));
45412 }
45413 }
45414 }
45415 diff -urNp linux-2.6.32.49/fs/cifs/cifsfs.c linux-2.6.32.49/fs/cifs/cifsfs.c
45416 --- linux-2.6.32.49/fs/cifs/cifsfs.c 2011-11-08 19:02:43.000000000 -0500
45417 +++ linux-2.6.32.49/fs/cifs/cifsfs.c 2011-11-15 19:59:43.000000000 -0500
45418 @@ -869,7 +869,7 @@ cifs_init_request_bufs(void)
45419 cifs_req_cachep = kmem_cache_create("cifs_request",
45420 CIFSMaxBufSize +
45421 MAX_CIFS_HDR_SIZE, 0,
45422 - SLAB_HWCACHE_ALIGN, NULL);
45423 + SLAB_HWCACHE_ALIGN | SLAB_USERCOPY, NULL);
45424 if (cifs_req_cachep == NULL)
45425 return -ENOMEM;
45426
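Review bot: `SLAB_USERCOPY` is added to the `cifs_request` cache here and to `cifs_small_rq` in the next hunk with no comment on why these caches need it. As I understand the flag, it marks every object in the cache as an allowed source or destination for copies to and from user space, so the exemption should be justified where it is granted. A short comment such as `/* request buffers are copied to/from user space by <path to confirm> */` would let a later reader judge whether it is still required.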
45427 @@ -896,7 +896,7 @@ cifs_init_request_bufs(void)
45428 efficient to alloc 1 per page off the slab compared to 17K (5page)
45429 alloc of large cifs buffers even when page debugging is on */
45430 cifs_sm_req_cachep = kmem_cache_create("cifs_small_rq",
45431 - MAX_CIFS_SMALL_BUFFER_SIZE, 0, SLAB_HWCACHE_ALIGN,
45432 + MAX_CIFS_SMALL_BUFFER_SIZE, 0, SLAB_HWCACHE_ALIGN | SLAB_USERCOPY,
45433 NULL);
45434 if (cifs_sm_req_cachep == NULL) {
45435 mempool_destroy(cifs_req_poolp);
45436 @@ -991,8 +991,8 @@ init_cifs(void)
45437 atomic_set(&bufAllocCount, 0);
45438 atomic_set(&smBufAllocCount, 0);
45439 #ifdef CONFIG_CIFS_STATS2
45440 - atomic_set(&totBufAllocCount, 0);
45441 - atomic_set(&totSmBufAllocCount, 0);
45442 + atomic_set_unchecked(&totBufAllocCount, 0);
45443 + atomic_set_unchecked(&totSmBufAllocCount, 0);
45444 #endif /* CONFIG_CIFS_STATS2 */
45445
45446 atomic_set(&midCount, 0);
45447 diff -urNp linux-2.6.32.49/fs/cifs/cifsglob.h linux-2.6.32.49/fs/cifs/cifsglob.h
45448 --- linux-2.6.32.49/fs/cifs/cifsglob.h 2011-11-08 19:02:43.000000000 -0500
45449 +++ linux-2.6.32.49/fs/cifs/cifsglob.h 2011-11-15 19:59:43.000000000 -0500
45450 @@ -252,28 +252,28 @@ struct cifsTconInfo {
45451 __u16 Flags; /* optional support bits */
45452 enum statusEnum tidStatus;
45453 #ifdef CONFIG_CIFS_STATS
45454 - atomic_t num_smbs_sent;
45455 - atomic_t num_writes;
45456 - atomic_t num_reads;
45457 - atomic_t num_flushes;
45458 - atomic_t num_oplock_brks;
45459 - atomic_t num_opens;
45460 - atomic_t num_closes;
45461 - atomic_t num_deletes;
45462 - atomic_t num_mkdirs;
45463 - atomic_t num_posixopens;
45464 - atomic_t num_posixmkdirs;
45465 - atomic_t num_rmdirs;
45466 - atomic_t num_renames;
45467 - atomic_t num_t2renames;
45468 - atomic_t num_ffirst;
45469 - atomic_t num_fnext;
45470 - atomic_t num_fclose;
45471 - atomic_t num_hardlinks;
45472 - atomic_t num_symlinks;
45473 - atomic_t num_locks;
45474 - atomic_t num_acl_get;
45475 - atomic_t num_acl_set;
45476 + atomic_unchecked_t num_smbs_sent;
45477 + atomic_unchecked_t num_writes;
45478 + atomic_unchecked_t num_reads;
45479 + atomic_unchecked_t num_flushes;
45480 + atomic_unchecked_t num_oplock_brks;
45481 + atomic_unchecked_t num_opens;
45482 + atomic_unchecked_t num_closes;
45483 + atomic_unchecked_t num_deletes;
45484 + atomic_unchecked_t num_mkdirs;
45485 + atomic_unchecked_t num_posixopens;
45486 + atomic_unchecked_t num_posixmkdirs;
45487 + atomic_unchecked_t num_rmdirs;
45488 + atomic_unchecked_t num_renames;
45489 + atomic_unchecked_t num_t2renames;
45490 + atomic_unchecked_t num_ffirst;
45491 + atomic_unchecked_t num_fnext;
45492 + atomic_unchecked_t num_fclose;
45493 + atomic_unchecked_t num_hardlinks;
45494 + atomic_unchecked_t num_symlinks;
45495 + atomic_unchecked_t num_locks;
45496 + atomic_unchecked_t num_acl_get;
45497 + atomic_unchecked_t num_acl_set;
45498 #ifdef CONFIG_CIFS_STATS2
45499 unsigned long long time_writes;
45500 unsigned long long time_reads;
45501 @@ -414,7 +414,7 @@ static inline char CIFS_DIR_SEP(const st
45502 }
45503
45504 #ifdef CONFIG_CIFS_STATS
45505 -#define cifs_stats_inc atomic_inc
45506 +#define cifs_stats_inc atomic_inc_unchecked
45507
45508 static inline void cifs_stats_bytes_written(struct cifsTconInfo *tcon,
45509 unsigned int bytes)
45510 @@ -701,8 +701,8 @@ GLOBAL_EXTERN atomic_t tconInfoReconnect
45511 /* Various Debug counters */
45512 GLOBAL_EXTERN atomic_t bufAllocCount; /* current number allocated */
45513 #ifdef CONFIG_CIFS_STATS2
45514 -GLOBAL_EXTERN atomic_t totBufAllocCount; /* total allocated over all time */
45515 -GLOBAL_EXTERN atomic_t totSmBufAllocCount;
45516 +GLOBAL_EXTERN atomic_unchecked_t totBufAllocCount; /* total allocated over all time */
45517 +GLOBAL_EXTERN atomic_unchecked_t totSmBufAllocCount;
45518 #endif
45519 GLOBAL_EXTERN atomic_t smBufAllocCount;
45520 GLOBAL_EXTERN atomic_t midCount;
45521 diff -urNp linux-2.6.32.49/fs/cifs/link.c linux-2.6.32.49/fs/cifs/link.c
45522 --- linux-2.6.32.49/fs/cifs/link.c 2011-11-08 19:02:43.000000000 -0500
45523 +++ linux-2.6.32.49/fs/cifs/link.c 2011-11-15 19:59:43.000000000 -0500
45524 @@ -215,7 +215,7 @@ cifs_symlink(struct inode *inode, struct
45525
45526 void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
45527 {
45528 - char *p = nd_get_link(nd);
45529 + const char *p = nd_get_link(nd);
45530 if (!IS_ERR(p))
45531 kfree(p);
45532 }
45533 diff -urNp linux-2.6.32.49/fs/cifs/misc.c linux-2.6.32.49/fs/cifs/misc.c
45534 --- linux-2.6.32.49/fs/cifs/misc.c 2011-11-08 19:02:43.000000000 -0500
45535 +++ linux-2.6.32.49/fs/cifs/misc.c 2011-11-15 19:59:43.000000000 -0500
45536 @@ -155,7 +155,7 @@ cifs_buf_get(void)
45537 memset(ret_buf, 0, sizeof(struct smb_hdr) + 3);
45538 atomic_inc(&bufAllocCount);
45539 #ifdef CONFIG_CIFS_STATS2
45540 - atomic_inc(&totBufAllocCount);
45541 + atomic_inc_unchecked(&totBufAllocCount);
45542 #endif /* CONFIG_CIFS_STATS2 */
45543 }
45544
45545 @@ -190,7 +190,7 @@ cifs_small_buf_get(void)
45546 /* memset(ret_buf, 0, sizeof(struct smb_hdr) + 27);*/
45547 atomic_inc(&smBufAllocCount);
45548 #ifdef CONFIG_CIFS_STATS2
45549 - atomic_inc(&totSmBufAllocCount);
45550 + atomic_inc_unchecked(&totSmBufAllocCount);
45551 #endif /* CONFIG_CIFS_STATS2 */
45552
45553 }
45554 diff -urNp linux-2.6.32.49/fs/coda/cache.c linux-2.6.32.49/fs/coda/cache.c
45555 --- linux-2.6.32.49/fs/coda/cache.c 2011-11-08 19:02:43.000000000 -0500
45556 +++ linux-2.6.32.49/fs/coda/cache.c 2011-11-15 19:59:43.000000000 -0500
45557 @@ -24,14 +24,14 @@
45558 #include <linux/coda_fs_i.h>
45559 #include <linux/coda_cache.h>
45560
45561 -static atomic_t permission_epoch = ATOMIC_INIT(0);
45562 +static atomic_unchecked_t permission_epoch = ATOMIC_INIT(0);
45563
45564 /* replace or extend an acl cache hit */
45565 void coda_cache_enter(struct inode *inode, int mask)
45566 {
45567 struct coda_inode_info *cii = ITOC(inode);
45568
45569 - cii->c_cached_epoch = atomic_read(&permission_epoch);
45570 + cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch);
45571 if (cii->c_uid != current_fsuid()) {
45572 cii->c_uid = current_fsuid();
45573 cii->c_cached_perm = mask;
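Review bot: `permission_epoch` is not a statistics counter, because `coda_cache_check` (last hunk of this file) compares it with `c_cached_epoch` to decide whether a cached permission is still valid. Converting it to `atomic_unchecked_t` asserts that wraparound is acceptable, and that reasoning belongs at the declaration, for example `/* wraps by design; a stale entry could only match again after a full wrap of the counter */`. The same conversion is applied in `coda_cache_clear_inode`, `coda_cache_clear_all` and `coda_cache_check` in the following hunks.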
45574 @@ -43,13 +43,13 @@ void coda_cache_enter(struct inode *inod
45575 void coda_cache_clear_inode(struct inode *inode)
45576 {
45577 struct coda_inode_info *cii = ITOC(inode);
45578 - cii->c_cached_epoch = atomic_read(&permission_epoch) - 1;
45579 + cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch) - 1;
45580 }
45581
45582 /* remove all acl caches */
45583 void coda_cache_clear_all(struct super_block *sb)
45584 {
45585 - atomic_inc(&permission_epoch);
45586 + atomic_inc_unchecked(&permission_epoch);
45587 }
45588
45589
45590 @@ -61,7 +61,7 @@ int coda_cache_check(struct inode *inode
45591
45592 hit = (mask & cii->c_cached_perm) == mask &&
45593 cii->c_uid == current_fsuid() &&
45594 - cii->c_cached_epoch == atomic_read(&permission_epoch);
45595 + cii->c_cached_epoch == atomic_read_unchecked(&permission_epoch);
45596
45597 return hit;
45598 }
45599 diff -urNp linux-2.6.32.49/fs/compat_binfmt_elf.c linux-2.6.32.49/fs/compat_binfmt_elf.c
45600 --- linux-2.6.32.49/fs/compat_binfmt_elf.c 2011-11-08 19:02:43.000000000 -0500
45601 +++ linux-2.6.32.49/fs/compat_binfmt_elf.c 2011-11-15 19:59:43.000000000 -0500
45602 @@ -29,10 +29,12 @@
45603 #undef elfhdr
45604 #undef elf_phdr
45605 #undef elf_note
45606 +#undef elf_dyn
45607 #undef elf_addr_t
45608 #define elfhdr elf32_hdr
45609 #define elf_phdr elf32_phdr
45610 #define elf_note elf32_note
45611 +#define elf_dyn Elf32_Dyn
45612 #define elf_addr_t Elf32_Addr
45613
45614 /*
45615 diff -urNp linux-2.6.32.49/fs/compat.c linux-2.6.32.49/fs/compat.c
45616 --- linux-2.6.32.49/fs/compat.c 2011-11-08 19:02:43.000000000 -0500
45617 +++ linux-2.6.32.49/fs/compat.c 2011-11-15 19:59:43.000000000 -0500
45618 @@ -133,8 +133,8 @@ asmlinkage long compat_sys_utimes(char _
45619 static int cp_compat_stat(struct kstat *stat, struct compat_stat __user *ubuf)
45620 {
45621 compat_ino_t ino = stat->ino;
45622 - typeof(ubuf->st_uid) uid = 0;
45623 - typeof(ubuf->st_gid) gid = 0;
45624 + typeof(((struct compat_stat *)0)->st_uid) uid = 0;
45625 + typeof(((struct compat_stat *)0)->st_gid) gid = 0;
45626 int err;
45627
45628 SET_UID(uid, stat->uid);
45629 @@ -533,7 +533,7 @@ compat_sys_io_setup(unsigned nr_reqs, u3
45630
45631 set_fs(KERNEL_DS);
45632 /* The __user pointer cast is valid because of the set_fs() */
45633 - ret = sys_io_setup(nr_reqs, (aio_context_t __user *) &ctx64);
45634 + ret = sys_io_setup(nr_reqs, (aio_context_t __force_user *) &ctx64);
45635 set_fs(oldfs);
45636 /* truncating is ok because it's a user address */
45637 if (!ret)
45638 @@ -830,6 +830,7 @@ struct compat_old_linux_dirent {
45639
45640 struct compat_readdir_callback {
45641 struct compat_old_linux_dirent __user *dirent;
45642 + struct file * file;
45643 int result;
45644 };
45645
45646 @@ -847,6 +848,10 @@ static int compat_fillonedir(void *__buf
45647 buf->result = -EOVERFLOW;
45648 return -EOVERFLOW;
45649 }
45650 +
45651 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
45652 + return 0;
45653 +
45654 buf->result++;
45655 dirent = buf->dirent;
45656 if (!access_ok(VERIFY_WRITE, dirent,
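Review bot: The `gr_acl_handle_filldir()` filter sits after the `-EOVERFLOW` return shown just above it, so an entry the policy would hide can still end the listing with an error instead of being skipped silently. Moving the filter ahead of the overflow test would keep hidden entries from influencing the result. The same ordering appears in the `compat_filldir` hunk, and in `compat_filldir64` the filter follows the `reclen > buf->count` test. A comment such as `/* entry hidden by policy: skip it and keep iterating */` on the `return 0` would also make the intent clear. The start of `compat_fillonedir` is outside the hunk, so the exact overflow condition is not visible here.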
45657 @@ -879,6 +884,7 @@ asmlinkage long compat_sys_old_readdir(u
45658
45659 buf.result = 0;
45660 buf.dirent = dirent;
45661 + buf.file = file;
45662
45663 error = vfs_readdir(file, compat_fillonedir, &buf);
45664 if (buf.result)
45665 @@ -899,6 +905,7 @@ struct compat_linux_dirent {
45666 struct compat_getdents_callback {
45667 struct compat_linux_dirent __user *current_dir;
45668 struct compat_linux_dirent __user *previous;
45669 + struct file * file;
45670 int count;
45671 int error;
45672 };
45673 @@ -919,6 +926,10 @@ static int compat_filldir(void *__buf, c
45674 buf->error = -EOVERFLOW;
45675 return -EOVERFLOW;
45676 }
45677 +
45678 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
45679 + return 0;
45680 +
45681 dirent = buf->previous;
45682 if (dirent) {
45683 if (__put_user(offset, &dirent->d_off))
45684 @@ -966,6 +977,7 @@ asmlinkage long compat_sys_getdents(unsi
45685 buf.previous = NULL;
45686 buf.count = count;
45687 buf.error = 0;
45688 + buf.file = file;
45689
45690 error = vfs_readdir(file, compat_filldir, &buf);
45691 if (error >= 0)
45692 @@ -987,6 +999,7 @@ out:
45693 struct compat_getdents_callback64 {
45694 struct linux_dirent64 __user *current_dir;
45695 struct linux_dirent64 __user *previous;
45696 + struct file * file;
45697 int count;
45698 int error;
45699 };
45700 @@ -1003,6 +1016,10 @@ static int compat_filldir64(void * __buf
45701 buf->error = -EINVAL; /* only used if we fail.. */
45702 if (reclen > buf->count)
45703 return -EINVAL;
45704 +
45705 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
45706 + return 0;
45707 +
45708 dirent = buf->previous;
45709
45710 if (dirent) {
45711 @@ -1054,13 +1071,14 @@ asmlinkage long compat_sys_getdents64(un
45712 buf.previous = NULL;
45713 buf.count = count;
45714 buf.error = 0;
45715 + buf.file = file;
45716
45717 error = vfs_readdir(file, compat_filldir64, &buf);
45718 if (error >= 0)
45719 error = buf.error;
45720 lastdirent = buf.previous;
45721 if (lastdirent) {
45722 - typeof(lastdirent->d_off) d_off = file->f_pos;
45723 + typeof(((struct linux_dirent64 *)0)->d_off) d_off = file->f_pos;
45724 if (__put_user_unaligned(d_off, &lastdirent->d_off))
45725 error = -EFAULT;
45726 else
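Review bot: The reason for replacing `typeof(lastdirent->d_off)` with a `typeof` taken through a null `struct linux_dirent64 *` is not recorded, and without it the new declaration reads as an unexplained trick. Presumably the aim is to get the field type without the `__user` address-space qualifier that `lastdirent` carries, so that the local `d_off` is an ordinary kernel object. If so, a comment above the declaration would say it: `/* take the field type without inheriting __user from lastdirent */`.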
45727 @@ -1098,7 +1116,7 @@ static ssize_t compat_do_readv_writev(in
45728 * verify all the pointers
45729 */
45730 ret = -EINVAL;
45731 - if ((nr_segs > UIO_MAXIOV) || (nr_segs <= 0))
45732 + if (nr_segs > UIO_MAXIOV)
45733 goto out;
45734 if (!file->f_op)
45735 goto out;
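Review bot: Dropping `(nr_segs <= 0)` means a zero segment count is no longer rejected with `-EINVAL` here and instead continues into the allocation and pointer-verification code that follows outside the hunk. If the intent is that an empty vector is handled further down, a comment should say so, e.g. `/* nr_segs == 0 falls through: nothing to copy */`. The declaration of `nr_segs` is not visible in this hunk; if it is a signed type, negative values would now pass this test as well and the lower bound should stay.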
45736 @@ -1463,11 +1481,35 @@ int compat_do_execve(char * filename,
45737 compat_uptr_t __user *envp,
45738 struct pt_regs * regs)
45739 {
45740 +#ifdef CONFIG_GRKERNSEC
45741 + struct file *old_exec_file;
45742 + struct acl_subject_label *old_acl;
45743 + struct rlimit old_rlim[RLIM_NLIMITS];
45744 +#endif
45745 struct linux_binprm *bprm;
45746 struct file *file;
45747 struct files_struct *displaced;
45748 bool clear_in_exec;
45749 int retval;
45750 + const struct cred *cred = current_cred();
45751 +
45752 + /*
45753 + * We move the actual failure in case of RLIMIT_NPROC excess from
45754 + * set*uid() to execve() because too many poorly written programs
45755 + * don't check setuid() return code. Here we additionally recheck
45756 + * whether NPROC limit is still exceeded.
45757 + */
45758 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
45759 +
45760 + if ((current->flags & PF_NPROC_EXCEEDED) &&
45761 + atomic_read(&cred->user->processes) > current->signal->rlim[RLIMIT_NPROC].rlim_cur) {
45762 + retval = -EAGAIN;
45763 + goto out_ret;
45764 + }
45765 +
45766 + /* We're below the limit (still or again), so we don't want to make
45767 + * further execve() calls fail. */
45768 + current->flags &= ~PF_NPROC_EXCEEDED;
45769
45770 retval = unshare_files(&displaced);
45771 if (retval)
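Review bot: The process count is read through `current->cred->user->processes` in the `gr_learn_resource()` call but through the local `cred` in the limit test right after it, so two adjacent reads reach the same credentials by different routes. Using the local in both keeps them consistent: `gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&cred->user->processes), 1);`. The same pair of lines is added to `do_execve` in fs/exec.c. The early `goto out_ret` runs before `bprm` and `displaced` are set up, and the label is outside this hunk, so it is worth confirming that `out_ret` touches neither.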
45772 @@ -1499,6 +1541,15 @@ int compat_do_execve(char * filename,
45773 bprm->filename = filename;
45774 bprm->interp = filename;
45775
45776 + if (gr_process_user_ban()) {
45777 + retval = -EPERM;
45778 + goto out_file;
45779 + }
45780 +
45781 + retval = -EACCES;
45782 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
45783 + goto out_file;
45784 +
45785 retval = bprm_mm_init(bprm);
45786 if (retval)
45787 goto out_file;
45788 @@ -1528,9 +1579,40 @@ int compat_do_execve(char * filename,
45789 if (retval < 0)
45790 goto out;
45791
45792 + if (!gr_tpe_allow(file)) {
45793 + retval = -EACCES;
45794 + goto out;
45795 + }
45796 +
45797 + if (gr_check_crash_exec(file)) {
45798 + retval = -EACCES;
45799 + goto out;
45800 + }
45801 +
45802 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
45803 +
45804 + gr_handle_exec_args_compat(bprm, argv);
45805 +
45806 +#ifdef CONFIG_GRKERNSEC
45807 + old_acl = current->acl;
45808 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
45809 + old_exec_file = current->exec_file;
45810 + get_file(file);
45811 + current->exec_file = file;
45812 +#endif
45813 +
45814 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
45815 + bprm->unsafe & LSM_UNSAFE_SHARE);
45816 + if (retval < 0)
45817 + goto out_fail;
45818 +
45819 retval = search_binary_handler(bprm, regs);
45820 if (retval < 0)
45821 - goto out;
45822 + goto out_fail;
45823 +#ifdef CONFIG_GRKERNSEC
45824 + if (old_exec_file)
45825 + fput(old_exec_file);
45826 +#endif
45827
45828 /* execve succeeded */
45829 current->fs->in_exec = 0;
45830 @@ -1541,6 +1623,14 @@ int compat_do_execve(char * filename,
45831 put_files_struct(displaced);
45832 return retval;
45833
45834 +out_fail:
45835 +#ifdef CONFIG_GRKERNSEC
45836 + current->acl = old_acl;
45837 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
45838 + fput(current->exec_file);
45839 + current->exec_file = old_exec_file;
45840 +#endif
45841 +
45842 out:
45843 if (bprm->mm) {
45844 acct_arg_size(bprm, 0);
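Review bot: The `out_fail` path writes the saved `old_rlim` array back over `current->signal->rlim` with a bare `memcpy`, and no lock is visible around either this restore or the save in the previous hunk. `signal->rlim` hangs off the shared signal structure, so a limit changed by a sibling thread between the save and the failure would be silently reverted. If limits are normally updated under a lock, the save and restore should take it too. `fput(current->exec_file)` also relies on `current->exec_file` still holding the reference taken by `get_file(file)` earlier, which deserves a one-line comment. The identical block is added to `do_execve` in fs/exec.c.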
45845 @@ -1711,6 +1801,8 @@ int compat_core_sys_select(int n, compat
45846 struct fdtable *fdt;
45847 long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
45848
45849 + pax_track_stack();
45850 +
45851 if (n < 0)
45852 goto out_nofds;
45853
45854 @@ -2151,7 +2243,7 @@ asmlinkage long compat_sys_nfsservctl(in
45855 oldfs = get_fs();
45856 set_fs(KERNEL_DS);
45857 /* The __user pointer casts are valid because of the set_fs() */
45858 - err = sys_nfsservctl(cmd, (void __user *) karg, (void __user *) kres);
45859 + err = sys_nfsservctl(cmd, (void __force_user *) karg, (void __force_user *) kres);
45860 set_fs(oldfs);
45861
45862 if (err)
45863 diff -urNp linux-2.6.32.49/fs/compat_ioctl.c linux-2.6.32.49/fs/compat_ioctl.c
45864 --- linux-2.6.32.49/fs/compat_ioctl.c 2011-11-08 19:02:43.000000000 -0500
45865 +++ linux-2.6.32.49/fs/compat_ioctl.c 2011-11-15 19:59:43.000000000 -0500
45866 @@ -234,6 +234,8 @@ static int do_video_set_spu_palette(unsi
45867 up = (struct compat_video_spu_palette __user *) arg;
45868 err = get_user(palp, &up->palette);
45869 err |= get_user(length, &up->length);
45870 + if (err)
45871 + return -EFAULT;
45872
45873 up_native = compat_alloc_user_space(sizeof(struct video_spu_palette));
45874 err = put_user(compat_ptr(palp), &up_native->palette);
45875 @@ -1513,7 +1515,7 @@ static int serial_struct_ioctl(unsigned
45876 return -EFAULT;
45877 if (__get_user(udata, &ss32->iomem_base))
45878 return -EFAULT;
45879 - ss.iomem_base = compat_ptr(udata);
45880 + ss.iomem_base = (unsigned char __force_kernel *)compat_ptr(udata);
45881 if (__get_user(ss.iomem_reg_shift, &ss32->iomem_reg_shift) ||
45882 __get_user(ss.port_high, &ss32->port_high))
45883 return -EFAULT;
45884 @@ -1809,7 +1811,7 @@ static int compat_ioctl_preallocate(stru
45885 copy_in_user(&p->l_len, &p32->l_len, sizeof(s64)) ||
45886 copy_in_user(&p->l_sysid, &p32->l_sysid, sizeof(s32)) ||
45887 copy_in_user(&p->l_pid, &p32->l_pid, sizeof(u32)) ||
45888 - copy_in_user(&p->l_pad, &p32->l_pad, 4*sizeof(u32)))
45889 + copy_in_user(p->l_pad, &p32->l_pad, 4*sizeof(u32)))
45890 return -EFAULT;
45891
45892 return ioctl_preallocate(file, p);
45893 diff -urNp linux-2.6.32.49/fs/configfs/dir.c linux-2.6.32.49/fs/configfs/dir.c
45894 --- linux-2.6.32.49/fs/configfs/dir.c 2011-11-08 19:02:43.000000000 -0500
45895 +++ linux-2.6.32.49/fs/configfs/dir.c 2011-11-15 19:59:43.000000000 -0500
45896 @@ -1572,7 +1572,8 @@ static int configfs_readdir(struct file
45897 }
45898 for (p=q->next; p!= &parent_sd->s_children; p=p->next) {
45899 struct configfs_dirent *next;
45900 - const char * name;
45901 + const unsigned char * name;
45902 + char d_name[sizeof(next->s_dentry->d_iname)];
45903 int len;
45904
45905 next = list_entry(p, struct configfs_dirent,
45906 @@ -1581,7 +1582,12 @@ static int configfs_readdir(struct file
45907 continue;
45908
45909 name = configfs_get_name(next);
45910 - len = strlen(name);
45911 + if (next->s_dentry && name == next->s_dentry->d_iname) {
45912 + len = next->s_dentry->d_name.len;
45913 + memcpy(d_name, name, len);
45914 + name = d_name;
45915 + } else
45916 + len = strlen(name);
45917 if (next->s_dentry)
45918 ino = next->s_dentry->d_inode->i_ino;
45919 else
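Review bot: `memcpy(d_name, name, len)` trusts `next->s_dentry->d_name.len` to fit the on-stack `d_name`, which is sized as `sizeof(next->s_dentry->d_iname)`. Nothing in the hunk enforces that bound, and no lock is shown that keeps the dentry name stable between the pointer comparison and the length read. A clamp makes the copy safe regardless: `len = min_t(int, next->s_dentry->d_name.len, sizeof(d_name));`. The `if` branch is braced while the `else` is not; braces on both branches would match usual kernel style. The loop body continues outside the hunk.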
45920 diff -urNp linux-2.6.32.49/fs/dcache.c linux-2.6.32.49/fs/dcache.c
45921 --- linux-2.6.32.49/fs/dcache.c 2011-11-08 19:02:43.000000000 -0500
45922 +++ linux-2.6.32.49/fs/dcache.c 2011-11-15 19:59:43.000000000 -0500
45923 @@ -45,8 +45,6 @@ EXPORT_SYMBOL(dcache_lock);
45924
45925 static struct kmem_cache *dentry_cache __read_mostly;
45926
45927 -#define DNAME_INLINE_LEN (sizeof(struct dentry)-offsetof(struct dentry,d_iname))
45928 -
45929 /*
45930 * This is the single most critical data structure when it comes
45931 * to the dcache: the hashtable for lookups. Somebody should try
45932 @@ -2319,7 +2317,7 @@ void __init vfs_caches_init(unsigned lon
45933 mempages -= reserve;
45934
45935 names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
45936 - SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
45937 + SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_USERCOPY, NULL);
45938
45939 dcache_init();
45940 inode_init();
45941 diff -urNp linux-2.6.32.49/fs/dlm/lockspace.c linux-2.6.32.49/fs/dlm/lockspace.c
45942 --- linux-2.6.32.49/fs/dlm/lockspace.c 2011-11-08 19:02:43.000000000 -0500
45943 +++ linux-2.6.32.49/fs/dlm/lockspace.c 2011-11-15 19:59:43.000000000 -0500
45944 @@ -148,7 +148,7 @@ static void lockspace_kobj_release(struc
45945 kfree(ls);
45946 }
45947
45948 -static struct sysfs_ops dlm_attr_ops = {
45949 +static const struct sysfs_ops dlm_attr_ops = {
45950 .show = dlm_attr_show,
45951 .store = dlm_attr_store,
45952 };
45953 diff -urNp linux-2.6.32.49/fs/ecryptfs/inode.c linux-2.6.32.49/fs/ecryptfs/inode.c
45954 --- linux-2.6.32.49/fs/ecryptfs/inode.c 2011-11-08 19:02:43.000000000 -0500
45955 +++ linux-2.6.32.49/fs/ecryptfs/inode.c 2011-11-15 19:59:43.000000000 -0500
45956 @@ -660,7 +660,7 @@ static int ecryptfs_readlink_lower(struc
45957 old_fs = get_fs();
45958 set_fs(get_ds());
45959 rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
45960 - (char __user *)lower_buf,
45961 + (char __force_user *)lower_buf,
45962 lower_bufsiz);
45963 set_fs(old_fs);
45964 if (rc < 0)
45965 @@ -706,7 +706,7 @@ static void *ecryptfs_follow_link(struct
45966 }
45967 old_fs = get_fs();
45968 set_fs(get_ds());
45969 - rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
45970 + rc = dentry->d_inode->i_op->readlink(dentry, (__force char __user *)buf, len);
45971 set_fs(old_fs);
45972 if (rc < 0)
45973 goto out_free;
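Review bot: This cast is spelled `(__force char __user *)buf`, while the equivalent cast in `ecryptfs_readlink_lower` in the hunk above uses `(char __force_user *)lower_buf`. The `kernel_read` and `compat_sys_nfsservctl` changes elsewhere in this patch use the macro form too. Using one spelling here, `(char __force_user *)buf`, keeps every set_fs()-guarded cast findable with a single search, which matters when auditing where kernel buffers are passed as user pointers.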
45974 diff -urNp linux-2.6.32.49/fs/exec.c linux-2.6.32.49/fs/exec.c
45975 --- linux-2.6.32.49/fs/exec.c 2011-11-08 19:02:43.000000000 -0500
45976 +++ linux-2.6.32.49/fs/exec.c 2011-11-18 19:28:23.000000000 -0500
45977 @@ -56,12 +56,24 @@
45978 #include <linux/fsnotify.h>
45979 #include <linux/fs_struct.h>
45980 #include <linux/pipe_fs_i.h>
45981 +#include <linux/random.h>
45982 +#include <linux/seq_file.h>
45983 +
45984 +#ifdef CONFIG_PAX_REFCOUNT
45985 +#include <linux/kallsyms.h>
45986 +#include <linux/kdebug.h>
45987 +#endif
45988
45989 #include <asm/uaccess.h>
45990 #include <asm/mmu_context.h>
45991 #include <asm/tlb.h>
45992 #include "internal.h"
45993
45994 +#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
45995 +void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
45996 +EXPORT_SYMBOL(pax_set_initial_flags_func);
45997 +#endif
45998 +
45999 int core_uses_pid;
46000 char core_pattern[CORENAME_MAX_SIZE] = "core";
46001 unsigned int core_pipe_limit;
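Review bot: `pax_set_initial_flags_func` is added as an exported, writable global function pointer with no comment stating who assigns it, when, or whether NULL is a valid value. Any code that can reach an exported symbol can store to it, and it is presumably invoked on the exec path (the call site is not in this hunk), so the contract belongs next to the declaration. A short comment saying which component installs the hook and that callers must test for NULL would do. If the tree has a way to make such pointers read-only after initialisation, it would be worth applying here.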
46002 @@ -178,18 +190,10 @@ struct page *get_arg_page(struct linux_b
46003 int write)
46004 {
46005 struct page *page;
46006 - int ret;
46007
46008 -#ifdef CONFIG_STACK_GROWSUP
46009 - if (write) {
46010 - ret = expand_stack_downwards(bprm->vma, pos);
46011 - if (ret < 0)
46012 - return NULL;
46013 - }
46014 -#endif
46015 - ret = get_user_pages(current, bprm->mm, pos,
46016 - 1, write, 1, &page, NULL);
46017 - if (ret <= 0)
46018 + if (0 > expand_stack_downwards(bprm->vma, pos))
46019 + return NULL;
46020 + if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
46021 return NULL;
46022
46023 if (write) {
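Review bot: The two new conditions are written constant-first, `if (0 > expand_stack_downwards(...))` and `if (0 >= get_user_pages(...))`, which differs from the surrounding style and obscures the call being tested. `if (expand_stack_downwards(bprm->vma, pos) < 0)` reads more directly. The rewrite also drops both the `CONFIG_STACK_GROWSUP` guard and the `if (write)` test, so the expansion is now attempted on read accesses and on every configuration. That behaviour change should carry a comment explaining why it is wanted. The function continues past the end of the hunk.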
46024 @@ -263,6 +267,11 @@ static int __bprm_mm_init(struct linux_b
46025 vma->vm_end = STACK_TOP_MAX;
46026 vma->vm_start = vma->vm_end - PAGE_SIZE;
46027 vma->vm_flags = VM_STACK_FLAGS;
46028 +
46029 +#ifdef CONFIG_PAX_SEGMEXEC
46030 + vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
46031 +#endif
46032 +
46033 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
46034
46035 err = security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1);
46036 @@ -276,6 +285,12 @@ static int __bprm_mm_init(struct linux_b
46037 mm->stack_vm = mm->total_vm = 1;
46038 up_write(&mm->mmap_sem);
46039 bprm->p = vma->vm_end - sizeof(void *);
46040 +
46041 +#ifdef CONFIG_PAX_RANDUSTACK
46042 + if (randomize_va_space)
46043 + bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
46044 +#endif
46045 +
46046 return 0;
46047 err:
46048 up_write(&mm->mmap_sem);
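Review bot: The mask in `bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;` is undocumented and its effect is not obvious at a glance. As written it flips only bits below the page size and above the low four, so the initial stack pointer moves within its page and its low four bits are left as they were. A comment such as `/* randomize the sub-page offset of the initial stack pointer; low 4 bits untouched */` would save the next reader the bit arithmetic. It also makes clear that this step contributes less than a page of entropy by itself.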
46049 @@ -510,7 +525,7 @@ int copy_strings_kernel(int argc,char **
46050 int r;
46051 mm_segment_t oldfs = get_fs();
46052 set_fs(KERNEL_DS);
46053 - r = copy_strings(argc, (char __user * __user *)argv, bprm);
46054 + r = copy_strings(argc, (__force char __user * __user *)argv, bprm);
46055 set_fs(oldfs);
46056 return r;
46057 }
46058 @@ -540,7 +555,8 @@ static int shift_arg_pages(struct vm_are
46059 unsigned long new_end = old_end - shift;
46060 struct mmu_gather *tlb;
46061
46062 - BUG_ON(new_start > new_end);
46063 + if (new_start >= new_end || new_start < mmap_min_addr)
46064 + return -ENOMEM;
46065
46066 /*
46067 * ensure there are no vmas between where we want to go
46068 @@ -549,6 +565,10 @@ static int shift_arg_pages(struct vm_are
46069 if (vma != find_vma(mm, new_start))
46070 return -EFAULT;
46071
46072 +#ifdef CONFIG_PAX_SEGMEXEC
46073 + BUG_ON(pax_find_mirror_vma(vma));
46074 +#endif
46075 +
46076 /*
46077 * cover the whole range: [new_start, old_end)
46078 */
46079 @@ -630,10 +650,6 @@ int setup_arg_pages(struct linux_binprm
46080 stack_top = arch_align_stack(stack_top);
46081 stack_top = PAGE_ALIGN(stack_top);
46082
46083 - if (unlikely(stack_top < mmap_min_addr) ||
46084 - unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
46085 - return -ENOMEM;
46086 -
46087 stack_shift = vma->vm_end - stack_top;
46088
46089 bprm->p -= stack_shift;
46090 @@ -645,6 +661,14 @@ int setup_arg_pages(struct linux_binprm
46091 bprm->exec -= stack_shift;
46092
46093 down_write(&mm->mmap_sem);
46094 +
46095 + /* Move stack pages down in memory. */
46096 + if (stack_shift) {
46097 + ret = shift_arg_pages(vma, stack_shift);
46098 + if (ret)
46099 + goto out_unlock;
46100 + }
46101 +
46102 vm_flags = VM_STACK_FLAGS;
46103
46104 /*
46105 @@ -658,19 +682,24 @@ int setup_arg_pages(struct linux_binprm
46106 vm_flags &= ~VM_EXEC;
46107 vm_flags |= mm->def_flags;
46108
46109 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
46110 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
46111 + vm_flags &= ~VM_EXEC;
46112 +
46113 +#ifdef CONFIG_PAX_MPROTECT
46114 + if (mm->pax_flags & MF_PAX_MPROTECT)
46115 + vm_flags &= ~VM_MAYEXEC;
46116 +#endif
46117 +
46118 + }
46119 +#endif
46120 +
46121 ret = mprotect_fixup(vma, &prev, vma->vm_start, vma->vm_end,
46122 vm_flags);
46123 if (ret)
46124 goto out_unlock;
46125 BUG_ON(prev != vma);
46126
46127 - /* Move stack pages down in memory. */
46128 - if (stack_shift) {
46129 - ret = shift_arg_pages(vma, stack_shift);
46130 - if (ret)
46131 - goto out_unlock;
46132 - }
46133 -
46134 stack_expand = EXTRA_STACK_VM_PAGES * PAGE_SIZE;
46135 stack_size = vma->vm_end - vma->vm_start;
46136 /*
46137 @@ -744,7 +773,7 @@ int kernel_read(struct file *file, loff_
46138 old_fs = get_fs();
46139 set_fs(get_ds());
46140 /* The cast to a user pointer is valid due to the set_fs() */
46141 - result = vfs_read(file, (void __user *)addr, count, &pos);
46142 + result = vfs_read(file, (void __force_user *)addr, count, &pos);
46143 set_fs(old_fs);
46144 return result;
46145 }
46146 @@ -1152,7 +1181,7 @@ int check_unsafe_exec(struct linux_binpr
46147 }
46148 rcu_read_unlock();
46149
46150 - if (p->fs->users > n_fs) {
46151 + if (atomic_read(&p->fs->users) > n_fs) {
46152 bprm->unsafe |= LSM_UNSAFE_SHARE;
46153 } else {
46154 res = -EAGAIN;
46155 @@ -1347,11 +1376,35 @@ int do_execve(char * filename,
46156 char __user *__user *envp,
46157 struct pt_regs * regs)
46158 {
46159 +#ifdef CONFIG_GRKERNSEC
46160 + struct file *old_exec_file;
46161 + struct acl_subject_label *old_acl;
46162 + struct rlimit old_rlim[RLIM_NLIMITS];
46163 +#endif
46164 struct linux_binprm *bprm;
46165 struct file *file;
46166 struct files_struct *displaced;
46167 bool clear_in_exec;
46168 int retval;
46169 + const struct cred *cred = current_cred();
46170 +
46171 + /*
46172 + * We move the actual failure in case of RLIMIT_NPROC excess from
46173 + * set*uid() to execve() because too many poorly written programs
46174 + * don't check setuid() return code. Here we additionally recheck
46175 + * whether NPROC limit is still exceeded.
46176 + */
46177 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
46178 +
46179 + if ((current->flags & PF_NPROC_EXCEEDED) &&
46180 + atomic_read(&cred->user->processes) > current->signal->rlim[RLIMIT_NPROC].rlim_cur) {
46181 + retval = -EAGAIN;
46182 + goto out_ret;
46183 + }
46184 +
46185 + /* We're below the limit (still or again), so we don't want to make
46186 + * further execve() calls fail. */
46187 + current->flags &= ~PF_NPROC_EXCEEDED;
46188
46189 retval = unshare_files(&displaced);
46190 if (retval)
46191 @@ -1383,6 +1436,16 @@ int do_execve(char * filename,
46192 bprm->filename = filename;
46193 bprm->interp = filename;
46194
46195 + if (gr_process_user_ban()) {
46196 + retval = -EPERM;
46197 + goto out_file;
46198 + }
46199 +
46200 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
46201 + retval = -EACCES;
46202 + goto out_file;
46203 + }
46204 +
46205 retval = bprm_mm_init(bprm);
46206 if (retval)
46207 goto out_file;
46208 @@ -1412,10 +1475,41 @@ int do_execve(char * filename,
46209 if (retval < 0)
46210 goto out;
46211
46212 + if (!gr_tpe_allow(file)) {
46213 + retval = -EACCES;
46214 + goto out;
46215 + }
46216 +
46217 + if (gr_check_crash_exec(file)) {
46218 + retval = -EACCES;
46219 + goto out;
46220 + }
46221 +
46222 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
46223 +
46224 + gr_handle_exec_args(bprm, (const char __user *const __user *)argv);
46225 +
46226 +#ifdef CONFIG_GRKERNSEC
46227 + old_acl = current->acl;
46228 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
46229 + old_exec_file = current->exec_file;
46230 + get_file(file);
46231 + current->exec_file = file;
46232 +#endif
46233 +
46234 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
46235 + bprm->unsafe & LSM_UNSAFE_SHARE);
46236 + if (retval < 0)
46237 + goto out_fail;
46238 +
46239 current->flags &= ~PF_KTHREAD;
46240 retval = search_binary_handler(bprm,regs);
46241 if (retval < 0)
46242 - goto out;
46243 + goto out_fail;
46244 +#ifdef CONFIG_GRKERNSEC
46245 + if (old_exec_file)
46246 + fput(old_exec_file);
46247 +#endif
46248
46249 /* execve succeeded */
46250 current->fs->in_exec = 0;
46251 @@ -1426,6 +1520,14 @@ int do_execve(char * filename,
46252 put_files_struct(displaced);
46253 return retval;
46254
46255 +out_fail:
46256 +#ifdef CONFIG_GRKERNSEC
46257 + current->acl = old_acl;
46258 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
46259 + fput(current->exec_file);
46260 + current->exec_file = old_exec_file;
46261 +#endif
46262 +
46263 out:
46264 if (bprm->mm) {
46265 acct_arg_size(bprm, 0);
46266 @@ -1591,6 +1693,220 @@ out:
46267 return ispipe;
46268 }
46269
46270 +int pax_check_flags(unsigned long *flags)
46271 +{
46272 + int retval = 0;
46273 +
46274 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
46275 + if (*flags & MF_PAX_SEGMEXEC)
46276 + {
46277 + *flags &= ~MF_PAX_SEGMEXEC;
46278 + retval = -EINVAL;
46279 + }
46280 +#endif
46281 +
46282 + if ((*flags & MF_PAX_PAGEEXEC)
46283 +
46284 +#ifdef CONFIG_PAX_PAGEEXEC
46285 + && (*flags & MF_PAX_SEGMEXEC)
46286 +#endif
46287 +
46288 + )
46289 + {
46290 + *flags &= ~MF_PAX_PAGEEXEC;
46291 + retval = -EINVAL;
46292 + }
46293 +
46294 + if ((*flags & MF_PAX_MPROTECT)
46295 +
46296 +#ifdef CONFIG_PAX_MPROTECT
46297 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
46298 +#endif
46299 +
46300 + )
46301 + {
46302 + *flags &= ~MF_PAX_MPROTECT;
46303 + retval = -EINVAL;
46304 + }
46305 +
46306 + if ((*flags & MF_PAX_EMUTRAMP)
46307 +
46308 +#ifdef CONFIG_PAX_EMUTRAMP
46309 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
46310 +#endif
46311 +
46312 + )
46313 + {
46314 + *flags &= ~MF_PAX_EMUTRAMP;
46315 + retval = -EINVAL;
46316 + }
46317 +
46318 + return retval;
46319 +}
46320 +
46321 +EXPORT_SYMBOL(pax_check_flags);
46322 +
46323 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
46324 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
46325 +{
46326 + struct task_struct *tsk = current;
46327 + struct mm_struct *mm = current->mm;
46328 + char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
46329 + char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
46330 + char *path_exec = NULL;
46331 + char *path_fault = NULL;
46332 + unsigned long start = 0UL, end = 0UL, offset = 0UL;
46333 +
46334 + if (buffer_exec && buffer_fault) {
46335 + struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
46336 +
46337 + down_read(&mm->mmap_sem);
46338 + vma = mm->mmap;
46339 + while (vma && (!vma_exec || !vma_fault)) {
46340 + if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
46341 + vma_exec = vma;
46342 + if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
46343 + vma_fault = vma;
46344 + vma = vma->vm_next;
46345 + }
46346 + if (vma_exec) {
46347 + path_exec = d_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
46348 + if (IS_ERR(path_exec))
46349 + path_exec = "<path too long>";
46350 + else {
46351 + path_exec = mangle_path(buffer_exec, path_exec, "\t\n\\");
46352 + if (path_exec) {
46353 + *path_exec = 0;
46354 + path_exec = buffer_exec;
46355 + } else
46356 + path_exec = "<path too long>";
46357 + }
46358 + }
46359 + if (vma_fault) {
46360 + start = vma_fault->vm_start;
46361 + end = vma_fault->vm_end;
46362 + offset = vma_fault->vm_pgoff << PAGE_SHIFT;
46363 + if (vma_fault->vm_file) {
46364 + path_fault = d_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
46365 + if (IS_ERR(path_fault))
46366 + path_fault = "<path too long>";
46367 + else {
46368 + path_fault = mangle_path(buffer_fault, path_fault, "\t\n\\");
46369 + if (path_fault) {
46370 + *path_fault = 0;
46371 + path_fault = buffer_fault;
46372 + } else
46373 + path_fault = "<path too long>";
46374 + }
46375 + } else
46376 + path_fault = "<anonymous mapping>";
46377 + }
46378 + up_read(&mm->mmap_sem);
46379 + }
46380 + if (tsk->signal->curr_ip)
46381 + printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
46382 + else
46383 + printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
46384 + printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
46385 + "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
46386 + task_uid(tsk), task_euid(tsk), pc, sp);
46387 + free_page((unsigned long)buffer_exec);
46388 + free_page((unsigned long)buffer_fault);
46389 + pax_report_insns(regs, pc, sp);
46390 + do_coredump(SIGKILL, SIGKILL, regs);
46391 +}
46392 +#endif
46393 +
46394 +#ifdef CONFIG_PAX_REFCOUNT
46395 +void pax_report_refcount_overflow(struct pt_regs *regs)
46396 +{
46397 + if (current->signal->curr_ip)
46398 + printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
46399 + &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
46400 + else
46401 + printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
46402 + current->comm, task_pid_nr(current), current_uid(), current_euid());
46403 + print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
46404 + show_regs(regs);
46405 + force_sig_specific(SIGKILL, current);
46406 +}
46407 +#endif
46408 +
46409 +#ifdef CONFIG_PAX_USERCOPY
46410 +/* 0: not at all, 1: fully, 2: fully inside frame, -1: partially (implies an error) */
46411 +int object_is_on_stack(const void *obj, unsigned long len)
46412 +{
46413 + const void * const stack = task_stack_page(current);
46414 + const void * const stackend = stack + THREAD_SIZE;
46415 +
46416 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
46417 + const void *frame = NULL;
46418 + const void *oldframe;
46419 +#endif
46420 +
46421 + if (obj + len < obj)
46422 + return -1;
46423 +
46424 + if (obj + len <= stack || stackend <= obj)
46425 + return 0;
46426 +
46427 + if (obj < stack || stackend < obj + len)
46428 + return -1;
46429 +
46430 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
46431 + oldframe = __builtin_frame_address(1);
46432 + if (oldframe)
46433 + frame = __builtin_frame_address(2);
46434 + /*
46435 + low ----------------------------------------------> high
46436 + [saved bp][saved ip][args][local vars][saved bp][saved ip]
46437 + ^----------------^
46438 + allow copies only within here
46439 + */
46440 + while (stack <= frame && frame < stackend) {
46441 + /* if obj + len extends past the last frame, this
46442 + check won't pass and the next frame will be 0,
46443 + causing us to bail out and correctly report
46444 + the copy as invalid
46445 + */
46446 + if (obj + len <= frame)
46447 + return obj >= oldframe + 2 * sizeof(void *) ? 2 : -1;
46448 + oldframe = frame;
46449 + frame = *(const void * const *)frame;
46450 + }
46451 + return -1;
46452 +#else
46453 + return 1;
46454 +#endif
46455 +}
46456 +
46457 +
46458 +NORET_TYPE void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type)
46459 +{
46460 + if (current->signal->curr_ip)
46461 + printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
46462 + &current->signal->curr_ip, to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
46463 + else
46464 + printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
46465 + to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
46466 +
46467 + dump_stack();
46468 + gr_handle_kernel_exploit();
46469 + do_group_exit(SIGKILL);
46470 +}
46471 +#endif
46472 +
46473 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
46474 +void pax_track_stack(void)
46475 +{
46476 + unsigned long sp = (unsigned long)&sp;
46477 + if (sp < current_thread_info()->lowest_stack &&
46478 + sp > (unsigned long)task_stack_page(current))
46479 + current_thread_info()->lowest_stack = sp;
46480 +}
46481 +EXPORT_SYMBOL(pax_track_stack);
46482 +#endif
46483 +
46484 static int zap_process(struct task_struct *start)
46485 {
46486 struct task_struct *t;
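Review bot: In `object_is_on_stack()` the wrap test `if (obj + len < obj)` and the range tests after it are done in `void *` arithmetic, where overflow is undefined. A compiler may therefore treat the wrap test as always false unless the build disables that optimisation. The function is presumably fed lengths from the usercopy checks, so the test should not depend on compiler flags. Doing the arithmetic in integers removes the dependency: `const unsigned long start = (unsigned long)obj, end = start + len;` followed by `if (end < start) return -1;`, with the later comparisons using `start` and `end`. The one-line header comment lists the return codes; it could add that 2 is only produced in the `CONFIG_FRAME_POINTER` && `CONFIG_X86` build and that other builds return 1 for any object fully on the stack.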
46487 @@ -1793,17 +2109,17 @@ static void wait_for_dump_helpers(struct
46488 pipe = file->f_path.dentry->d_inode->i_pipe;
46489
46490 pipe_lock(pipe);
46491 - pipe->readers++;
46492 - pipe->writers--;
46493 + atomic_inc(&pipe->readers);
46494 + atomic_dec(&pipe->writers);
46495
46496 - while ((pipe->readers > 1) && (!signal_pending(current))) {
46497 + while ((atomic_read(&pipe->readers) > 1) && (!signal_pending(current))) {
46498 wake_up_interruptible_sync(&pipe->wait);
46499 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
46500 pipe_wait(pipe);
46501 }
46502
46503 - pipe->readers--;
46504 - pipe->writers++;
46505 + atomic_dec(&pipe->readers);
46506 + atomic_inc(&pipe->writers);
46507 pipe_unlock(pipe);
46508
46509 }
46510 @@ -1826,10 +2142,13 @@ void do_coredump(long signr, int exit_co
46511 char **helper_argv = NULL;
46512 int helper_argc = 0;
46513 int dump_count = 0;
46514 - static atomic_t core_dump_count = ATOMIC_INIT(0);
46515 + static atomic_unchecked_t core_dump_count = ATOMIC_INIT(0);
46516
46517 audit_core_dumps(signr);
46518
46519 + if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL)
46520 + gr_handle_brute_attach(current, mm->flags);
46521 +
46522 binfmt = mm->binfmt;
46523 if (!binfmt || !binfmt->core_dump)
46524 goto fail;
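Review bot: `SIGKILL` in the signal list that gates `gr_handle_brute_attach()` is unexplained, although it is not a signal one expects to reach the core-dump path. Within this patch `pax_report_fault()` calls `do_coredump(SIGKILL, SIGKILL, regs)`, which looks like the reason. A comment such as `/* SIGKILL: tasks terminated by pax_report_fault() arrive here too */` would record that. The call also reads `mm->flags` ahead of the `binfmt` checks; `mm` is assigned outside the hunk, so confirm it cannot be NULL on this path.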
46525 @@ -1874,6 +2193,8 @@ void do_coredump(long signr, int exit_co
46526 */
46527 clear_thread_flag(TIF_SIGPENDING);
46528
46529 + gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
46530 +
46531 /*
46532 * lock_kernel() because format_corename() is controlled by sysctl, which
46533 * uses lock_kernel()
46534 @@ -1908,7 +2229,7 @@ void do_coredump(long signr, int exit_co
46535 goto fail_unlock;
46536 }
46537
46538 - dump_count = atomic_inc_return(&core_dump_count);
46539 + dump_count = atomic_inc_return_unchecked(&core_dump_count);
46540 if (core_pipe_limit && (core_pipe_limit < dump_count)) {
46541 printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
46542 task_tgid_vnr(current), current->comm);
46543 @@ -1972,7 +2293,7 @@ close_fail:
46544 filp_close(file, NULL);
46545 fail_dropcount:
46546 if (dump_count)
46547 - atomic_dec(&core_dump_count);
46548 + atomic_dec_unchecked(&core_dump_count);
46549 fail_unlock:
46550 if (helper_argv)
46551 argv_free(helper_argv);
46552 diff -urNp linux-2.6.32.49/fs/ext2/balloc.c linux-2.6.32.49/fs/ext2/balloc.c
46553 --- linux-2.6.32.49/fs/ext2/balloc.c 2011-11-08 19:02:43.000000000 -0500
46554 +++ linux-2.6.32.49/fs/ext2/balloc.c 2011-11-15 19:59:43.000000000 -0500
46555 @@ -1192,7 +1192,7 @@ static int ext2_has_free_blocks(struct e
46556
46557 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
46558 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
46559 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
46560 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
46561 sbi->s_resuid != current_fsuid() &&
46562 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
46563 return 0;
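Review bot: `!capable_nolog(CAP_SYS_RESOURCE)` is still evaluated before the `s_resuid` and `s_resgid` comparisons, so the capability is queried even when the identity checks alone would grant access to the reserved blocks. The ext4 hunk later in this patch tests the capability last. Moving `!capable_nolog(CAP_SYS_RESOURCE)` to the end of the `&&` chain is logically equivalent and limits capability queries to callers that match neither the reserved uid nor gid. The ext3 hunk has the same shape. A short comment on why the non-logging variant is used here would also help, since the reason is not stated in the hunk.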
46564 diff -urNp linux-2.6.32.49/fs/ext3/balloc.c linux-2.6.32.49/fs/ext3/balloc.c
46565 --- linux-2.6.32.49/fs/ext3/balloc.c 2011-11-08 19:02:43.000000000 -0500
46566 +++ linux-2.6.32.49/fs/ext3/balloc.c 2011-11-15 19:59:43.000000000 -0500
46567 @@ -1421,7 +1421,7 @@ static int ext3_has_free_blocks(struct e
46568
46569 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
46570 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
46571 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
46572 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
46573 sbi->s_resuid != current_fsuid() &&
46574 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
46575 return 0;
46576 diff -urNp linux-2.6.32.49/fs/ext4/balloc.c linux-2.6.32.49/fs/ext4/balloc.c
46577 --- linux-2.6.32.49/fs/ext4/balloc.c 2011-11-08 19:02:43.000000000 -0500
46578 +++ linux-2.6.32.49/fs/ext4/balloc.c 2011-11-15 19:59:43.000000000 -0500
46579 @@ -570,7 +570,7 @@ int ext4_has_free_blocks(struct ext4_sb_
46580 /* Hm, nope. Are (enough) root reserved blocks available? */
46581 if (sbi->s_resuid == current_fsuid() ||
46582 ((sbi->s_resgid != 0) && in_group_p(sbi->s_resgid)) ||
46583 - capable(CAP_SYS_RESOURCE)) {
46584 + capable_nolog(CAP_SYS_RESOURCE)) {
46585 if (free_blocks >= (nblocks + dirty_blocks))
46586 return 1;
46587 }
46588 diff -urNp linux-2.6.32.49/fs/ext4/ext4.h linux-2.6.32.49/fs/ext4/ext4.h
46589 --- linux-2.6.32.49/fs/ext4/ext4.h 2011-11-08 19:02:43.000000000 -0500
46590 +++ linux-2.6.32.49/fs/ext4/ext4.h 2011-11-15 19:59:43.000000000 -0500
46591 @@ -1077,19 +1077,19 @@ struct ext4_sb_info {
46592
46593 /* stats for buddy allocator */
46594 spinlock_t s_mb_pa_lock;
46595 - atomic_t s_bal_reqs; /* number of reqs with len > 1 */
46596 - atomic_t s_bal_success; /* we found long enough chunks */
46597 - atomic_t s_bal_allocated; /* in blocks */
46598 - atomic_t s_bal_ex_scanned; /* total extents scanned */
46599 - atomic_t s_bal_goals; /* goal hits */
46600 - atomic_t s_bal_breaks; /* too long searches */
46601 - atomic_t s_bal_2orders; /* 2^order hits */
46602 + atomic_unchecked_t s_bal_reqs; /* number of reqs with len > 1 */
46603 + atomic_unchecked_t s_bal_success; /* we found long enough chunks */
46604 + atomic_unchecked_t s_bal_allocated; /* in blocks */
46605 + atomic_unchecked_t s_bal_ex_scanned; /* total extents scanned */
46606 + atomic_unchecked_t s_bal_goals; /* goal hits */
46607 + atomic_unchecked_t s_bal_breaks; /* too long searches */
46608 + atomic_unchecked_t s_bal_2orders; /* 2^order hits */
46609 spinlock_t s_bal_lock;
46610 unsigned long s_mb_buddies_generated;
46611 unsigned long long s_mb_generation_time;
46612 - atomic_t s_mb_lost_chunks;
46613 - atomic_t s_mb_preallocated;
46614 - atomic_t s_mb_discarded;
46615 + atomic_unchecked_t s_mb_lost_chunks;
46616 + atomic_unchecked_t s_mb_preallocated;
46617 + atomic_unchecked_t s_mb_discarded;
46618 atomic_t s_lock_busy;
46619
46620 /* locality groups */
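Review bot: Nothing in the struct says why these ten counters become `atomic_unchecked_t` while `s_lock_busy` directly below stays `atomic_t`. The converted fields are all commented as allocator statistics, so the intent appears to be to exempt counters whose wraparound is harmless from overflow detection and keep the checked type for anything that behaves like a reference count. I would state that once above the group, e.g. `/* statistics only, wraparound is harmless: exempt from refcount overflow checks */`. Whether `s_lock_busy` is also a pure statistic cannot be told from this hunk and is worth confirming. The struct starts and ends outside the hunk.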
46621 diff -urNp linux-2.6.32.49/fs/ext4/file.c linux-2.6.32.49/fs/ext4/file.c
46622 --- linux-2.6.32.49/fs/ext4/file.c 2011-11-08 19:02:43.000000000 -0500
46623 +++ linux-2.6.32.49/fs/ext4/file.c 2011-11-15 19:59:43.000000000 -0500
46624 @@ -122,8 +122,8 @@ static int ext4_file_open(struct inode *
46625 cp = d_path(&path, buf, sizeof(buf));
46626 path_put(&path);
46627 if (!IS_ERR(cp)) {
46628 - memcpy(sbi->s_es->s_last_mounted, cp,
46629 - sizeof(sbi->s_es->s_last_mounted));
46630 + strlcpy(sbi->s_es->s_last_mounted, cp,
46631 + sizeof(sbi->s_es->s_last_mounted));
46632 sb->s_dirt = 1;
46633 }
46634 }
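Review bot: `strlcpy` stops the fixed-length copy from reading past the end of the string that d_path returned, but it writes only up to the terminating NUL, so bytes of a previously recorded, longer mount path remain in `s_last_mounted` after the terminator. The field belongs to `s_es` and the next line marks the superblock dirty, so the stale tail would presumably be written back to disk. Clearing the field first, `memset(sbi->s_es->s_last_mounted, 0, sizeof(sbi->s_es->s_last_mounted));`, keeps the stored value well defined. The return value of `strlcpy` is also ignored, so a truncated path is recorded silently. ext4_file_open starts and ends outside the hunk.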
46635 diff -urNp linux-2.6.32.49/fs/ext4/mballoc.c linux-2.6.32.49/fs/ext4/mballoc.c
46636 --- linux-2.6.32.49/fs/ext4/mballoc.c 2011-11-08 19:02:43.000000000 -0500
46637 +++ linux-2.6.32.49/fs/ext4/mballoc.c 2011-11-15 19:59:43.000000000 -0500
46638 @@ -1755,7 +1755,7 @@ void ext4_mb_simple_scan_group(struct ex
46639 BUG_ON(ac->ac_b_ex.fe_len != ac->ac_g_ex.fe_len);
46640
46641 if (EXT4_SB(sb)->s_mb_stats)
46642 - atomic_inc(&EXT4_SB(sb)->s_bal_2orders);
46643 + atomic_inc_unchecked(&EXT4_SB(sb)->s_bal_2orders);
46644
46645 break;
46646 }
46647 @@ -2131,7 +2131,7 @@ repeat:
46648 ac->ac_status = AC_STATUS_CONTINUE;
46649 ac->ac_flags |= EXT4_MB_HINT_FIRST;
46650 cr = 3;
46651 - atomic_inc(&sbi->s_mb_lost_chunks);
46652 + atomic_inc_unchecked(&sbi->s_mb_lost_chunks);
46653 goto repeat;
46654 }
46655 }
46656 @@ -2174,6 +2174,8 @@ static int ext4_mb_seq_groups_show(struc
46657 ext4_grpblk_t counters[16];
46658 } sg;
46659
46660 + pax_track_stack();
46661 +
46662 group--;
46663 if (group == 0)
46664 seq_printf(seq, "#%-5s: %-5s %-5s %-5s "
46665 @@ -2534,25 +2536,25 @@ int ext4_mb_release(struct super_block *
46666 if (sbi->s_mb_stats) {
46667 printk(KERN_INFO
46668 "EXT4-fs: mballoc: %u blocks %u reqs (%u success)\n",
46669 - atomic_read(&sbi->s_bal_allocated),
46670 - atomic_read(&sbi->s_bal_reqs),
46671 - atomic_read(&sbi->s_bal_success));
46672 + atomic_read_unchecked(&sbi->s_bal_allocated),
46673 + atomic_read_unchecked(&sbi->s_bal_reqs),
46674 + atomic_read_unchecked(&sbi->s_bal_success));
46675 printk(KERN_INFO
46676 "EXT4-fs: mballoc: %u extents scanned, %u goal hits, "
46677 "%u 2^N hits, %u breaks, %u lost\n",
46678 - atomic_read(&sbi->s_bal_ex_scanned),
46679 - atomic_read(&sbi->s_bal_goals),
46680 - atomic_read(&sbi->s_bal_2orders),
46681 - atomic_read(&sbi->s_bal_breaks),
46682 - atomic_read(&sbi->s_mb_lost_chunks));
46683 + atomic_read_unchecked(&sbi->s_bal_ex_scanned),
46684 + atomic_read_unchecked(&sbi->s_bal_goals),
46685 + atomic_read_unchecked(&sbi->s_bal_2orders),
46686 + atomic_read_unchecked(&sbi->s_bal_breaks),
46687 + atomic_read_unchecked(&sbi->s_mb_lost_chunks));
46688 printk(KERN_INFO
46689 "EXT4-fs: mballoc: %lu generated and it took %Lu\n",
46690 sbi->s_mb_buddies_generated++,
46691 sbi->s_mb_generation_time);
46692 printk(KERN_INFO
46693 "EXT4-fs: mballoc: %u preallocated, %u discarded\n",
46694 - atomic_read(&sbi->s_mb_preallocated),
46695 - atomic_read(&sbi->s_mb_discarded));
46696 + atomic_read_unchecked(&sbi->s_mb_preallocated),
46697 + atomic_read_unchecked(&sbi->s_mb_discarded));
46698 }
46699
46700 free_percpu(sbi->s_locality_groups);
46701 @@ -3034,16 +3036,16 @@ static void ext4_mb_collect_stats(struct
46702 struct ext4_sb_info *sbi = EXT4_SB(ac->ac_sb);
46703
46704 if (sbi->s_mb_stats && ac->ac_g_ex.fe_len > 1) {
46705 - atomic_inc(&sbi->s_bal_reqs);
46706 - atomic_add(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
46707 + atomic_inc_unchecked(&sbi->s_bal_reqs);
46708 + atomic_add_unchecked(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
46709 if (ac->ac_o_ex.fe_len >= ac->ac_g_ex.fe_len)
46710 - atomic_inc(&sbi->s_bal_success);
46711 - atomic_add(ac->ac_found, &sbi->s_bal_ex_scanned);
46712 + atomic_inc_unchecked(&sbi->s_bal_success);
46713 + atomic_add_unchecked(ac->ac_found, &sbi->s_bal_ex_scanned);
46714 if (ac->ac_g_ex.fe_start == ac->ac_b_ex.fe_start &&
46715 ac->ac_g_ex.fe_group == ac->ac_b_ex.fe_group)
46716 - atomic_inc(&sbi->s_bal_goals);
46717 + atomic_inc_unchecked(&sbi->s_bal_goals);
46718 if (ac->ac_found > sbi->s_mb_max_to_scan)
46719 - atomic_inc(&sbi->s_bal_breaks);
46720 + atomic_inc_unchecked(&sbi->s_bal_breaks);
46721 }
46722
46723 if (ac->ac_op == EXT4_MB_HISTORY_ALLOC)
46724 @@ -3443,7 +3445,7 @@ ext4_mb_new_inode_pa(struct ext4_allocat
46725 trace_ext4_mb_new_inode_pa(ac, pa);
46726
46727 ext4_mb_use_inode_pa(ac, pa);
46728 - atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
46729 + atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
46730
46731 ei = EXT4_I(ac->ac_inode);
46732 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
46733 @@ -3503,7 +3505,7 @@ ext4_mb_new_group_pa(struct ext4_allocat
46734 trace_ext4_mb_new_group_pa(ac, pa);
46735
46736 ext4_mb_use_group_pa(ac, pa);
46737 - atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
46738 + atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
46739
46740 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
46741 lg = ac->ac_lg;
46742 @@ -3607,7 +3609,7 @@ ext4_mb_release_inode_pa(struct ext4_bud
46743 * from the bitmap and continue.
46744 */
46745 }
46746 - atomic_add(free, &sbi->s_mb_discarded);
46747 + atomic_add_unchecked(free, &sbi->s_mb_discarded);
46748
46749 return err;
46750 }
46751 @@ -3626,7 +3628,7 @@ ext4_mb_release_group_pa(struct ext4_bud
46752 ext4_get_group_no_and_offset(sb, pa->pa_pstart, &group, &bit);
46753 BUG_ON(group != e4b->bd_group && pa->pa_len != 0);
46754 mb_free_blocks(pa->pa_inode, e4b, bit, pa->pa_len);
46755 - atomic_add(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
46756 + atomic_add_unchecked(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
46757
46758 if (ac) {
46759 ac->ac_sb = sb;
46760 diff -urNp linux-2.6.32.49/fs/ext4/super.c linux-2.6.32.49/fs/ext4/super.c
46761 --- linux-2.6.32.49/fs/ext4/super.c 2011-11-08 19:02:43.000000000 -0500
46762 +++ linux-2.6.32.49/fs/ext4/super.c 2011-11-15 19:59:43.000000000 -0500
46763 @@ -2287,7 +2287,7 @@ static void ext4_sb_release(struct kobje
46764 }
46765
46766
46767 -static struct sysfs_ops ext4_attr_ops = {
46768 +static const struct sysfs_ops ext4_attr_ops = {
46769 .show = ext4_attr_show,
46770 .store = ext4_attr_store,
46771 };
46772 diff -urNp linux-2.6.32.49/fs/fcntl.c linux-2.6.32.49/fs/fcntl.c
46773 --- linux-2.6.32.49/fs/fcntl.c 2011-11-08 19:02:43.000000000 -0500
46774 +++ linux-2.6.32.49/fs/fcntl.c 2011-11-15 19:59:43.000000000 -0500
46775 @@ -223,6 +223,11 @@ int __f_setown(struct file *filp, struct
46776 if (err)
46777 return err;
46778
46779 + if (gr_handle_chroot_fowner(pid, type))
46780 + return -ENOENT;
46781 + if (gr_check_protected_task_fowner(pid, type))
46782 + return -EACCES;
46783 +
46784 f_modown(filp, pid, type, force);
46785 return 0;
46786 }
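Review bot: The two new checks in __f_setown pass `pid` to the gr_ helpers unconditionally and carry no comment on what they enforce or why they return different errors. If callers can pass a NULL `pid` to clear the owner (the callers are outside this hunk, so this needs confirming), both helpers must treat NULL as allowed. I would add a comment above the first check such as `/* deny targets outside the caller's chroot; ENOENT so the target's existence is not disclosed */`, assuming that is what the helper does, and a one-line reason for `-EACCES` above the second. `force` is not consulted by either check, so kernel-internal callers are subject to them as well; if that is intended it deserves a word in the comment.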
46787 @@ -265,7 +270,7 @@ pid_t f_getown(struct file *filp)
46788
46789 static int f_setown_ex(struct file *filp, unsigned long arg)
46790 {
46791 - struct f_owner_ex * __user owner_p = (void * __user)arg;
46792 + struct f_owner_ex __user *owner_p = (void __user *)arg;
46793 struct f_owner_ex owner;
46794 struct pid *pid;
46795 int type;
46796 @@ -305,7 +310,7 @@ static int f_setown_ex(struct file *filp
46797
46798 static int f_getown_ex(struct file *filp, unsigned long arg)
46799 {
46800 - struct f_owner_ex * __user owner_p = (void * __user)arg;
46801 + struct f_owner_ex __user *owner_p = (void __user *)arg;
46802 struct f_owner_ex owner;
46803 int ret = 0;
46804
46805 @@ -344,6 +349,7 @@ static long do_fcntl(int fd, unsigned in
46806 switch (cmd) {
46807 case F_DUPFD:
46808 case F_DUPFD_CLOEXEC:
46809 + gr_learn_resource(current, RLIMIT_NOFILE, arg, 0);
46810 if (arg >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
46811 break;
46812 err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
46813 diff -urNp linux-2.6.32.49/fs/fifo.c linux-2.6.32.49/fs/fifo.c
46814 --- linux-2.6.32.49/fs/fifo.c 2011-11-08 19:02:43.000000000 -0500
46815 +++ linux-2.6.32.49/fs/fifo.c 2011-11-15 19:59:43.000000000 -0500
46816 @@ -59,10 +59,10 @@ static int fifo_open(struct inode *inode
46817 */
46818 filp->f_op = &read_pipefifo_fops;
46819 pipe->r_counter++;
46820 - if (pipe->readers++ == 0)
46821 + if (atomic_inc_return(&pipe->readers) == 1)
46822 wake_up_partner(inode);
46823
46824 - if (!pipe->writers) {
46825 + if (!atomic_read(&pipe->writers)) {
46826 if ((filp->f_flags & O_NONBLOCK)) {
46827 /* suppress POLLHUP until we have
46828 * seen a writer */
46829 @@ -83,15 +83,15 @@ static int fifo_open(struct inode *inode
46830 * errno=ENXIO when there is no process reading the FIFO.
46831 */
46832 ret = -ENXIO;
46833 - if ((filp->f_flags & O_NONBLOCK) && !pipe->readers)
46834 + if ((filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
46835 goto err;
46836
46837 filp->f_op = &write_pipefifo_fops;
46838 pipe->w_counter++;
46839 - if (!pipe->writers++)
46840 + if (atomic_inc_return(&pipe->writers) == 1)
46841 wake_up_partner(inode);
46842
46843 - if (!pipe->readers) {
46844 + if (!atomic_read(&pipe->readers)) {
46845 wait_for_partner(inode, &pipe->r_counter);
46846 if (signal_pending(current))
46847 goto err_wr;
46848 @@ -107,11 +107,11 @@ static int fifo_open(struct inode *inode
46849 */
46850 filp->f_op = &rdwr_pipefifo_fops;
46851
46852 - pipe->readers++;
46853 - pipe->writers++;
46854 + atomic_inc(&pipe->readers);
46855 + atomic_inc(&pipe->writers);
46856 pipe->r_counter++;
46857 pipe->w_counter++;
46858 - if (pipe->readers == 1 || pipe->writers == 1)
46859 + if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
46860 wake_up_partner(inode);
46861 break;
46862
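Review bot: In the read-write branch the counters are incremented with `atomic_inc` and then re-read with `atomic_read`, whereas the read-only and write-only branches of fifo_open use `atomic_inc_return` and test the value it returns. The two-step form is equivalent only while something outside the hunk serialises openers; presumably the pipe's inode mutex does, but that is not visible here. Keeping the results of `atomic_inc_return(&pipe->readers)` and `atomic_inc_return(&pipe->writers)` in two locals and comparing those with 1 would make the three branches consistent and remove the dependence on the lock. fifo_open starts and ends outside the hunk.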
46863 @@ -125,19 +125,19 @@ static int fifo_open(struct inode *inode
46864 return 0;
46865
46866 err_rd:
46867 - if (!--pipe->readers)
46868 + if (atomic_dec_and_test(&pipe->readers))
46869 wake_up_interruptible(&pipe->wait);
46870 ret = -ERESTARTSYS;
46871 goto err;
46872
46873 err_wr:
46874 - if (!--pipe->writers)
46875 + if (atomic_dec_and_test(&pipe->writers))
46876 wake_up_interruptible(&pipe->wait);
46877 ret = -ERESTARTSYS;
46878 goto err;
46879
46880 err:
46881 - if (!pipe->readers && !pipe->writers)
46882 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers))
46883 free_pipe_info(inode);
46884
46885 err_nocleanup:
46886 diff -urNp linux-2.6.32.49/fs/file.c linux-2.6.32.49/fs/file.c
46887 --- linux-2.6.32.49/fs/file.c 2011-11-08 19:02:43.000000000 -0500
46888 +++ linux-2.6.32.49/fs/file.c 2011-11-15 19:59:43.000000000 -0500
46889 @@ -14,6 +14,7 @@
46890 #include <linux/slab.h>
46891 #include <linux/vmalloc.h>
46892 #include <linux/file.h>
46893 +#include <linux/security.h>
46894 #include <linux/fdtable.h>
46895 #include <linux/bitops.h>
46896 #include <linux/interrupt.h>
46897 @@ -257,6 +258,8 @@ int expand_files(struct files_struct *fi
46898 * N.B. For clone tasks sharing a files structure, this test
46899 * will limit the total number of files that can be opened.
46900 */
46901 +
46902 + gr_learn_resource(current, RLIMIT_NOFILE, nr, 0);
46903 if (nr >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
46904 return -EMFILE;
46905
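Review bot: The added blank line and `gr_learn_resource()` call now sit between the N.B. comment and the RLIMIT_NOFILE test that the comment describes. Moving the call above the comment block, or giving it its own comment such as `/* record the requested fd number for policy learning before the limit is enforced */` (assuming that is what the helper does), keeps the existing comment attached to its check. The same call is added without comment in the F_DUPFD case of do_fcntl in fs/fcntl.c. expand_files starts and ends outside the hunk.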
46906 diff -urNp linux-2.6.32.49/fs/filesystems.c linux-2.6.32.49/fs/filesystems.c
46907 --- linux-2.6.32.49/fs/filesystems.c 2011-11-08 19:02:43.000000000 -0500
46908 +++ linux-2.6.32.49/fs/filesystems.c 2011-11-15 19:59:43.000000000 -0500
46909 @@ -272,7 +272,12 @@ struct file_system_type *get_fs_type(con
46910 int len = dot ? dot - name : strlen(name);
46911
46912 fs = __get_fs_type(name, len);
46913 +
46914 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
46915 + if (!fs && (___request_module(true, "grsec_modharden_fs", "%.*s", len, name) == 0))
46916 +#else
46917 if (!fs && (request_module("%.*s", len, name) == 0))
46918 +#endif
46919 fs = __get_fs_type(name, len);
46920
46921 if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) {
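Review bot: The `#ifdef CONFIG_GRKERNSEC_MODHARDEN` splits the `if` header, so two alternative conditions share one body line, which is easy to break on a later edit. Making the module request inside a single `if (!fs)` block and storing its result in a local keeps one control-flow path and confines the preprocessor to the call itself. There is also no comment on what the `"grsec_modharden_fs"` tag makes the loader do; ___request_module is defined outside this hunk, so the comment in the sketch below is a guess to be confirmed. get_fs_type starts and ends outside the hunk.

```c
	fs = __get_fs_type(name, len);
	if (!fs) {
		int ret;

#ifdef CONFIG_GRKERNSEC_MODHARDEN
		/* NOTE(review): presumably marks the request as coming from a
		 * filesystem-type lookup so the loader can restrict it; confirm */
		ret = ___request_module(true, "grsec_modharden_fs", "%.*s", len, name);
#else
		ret = request_module("%.*s", len, name);
#endif
		if (ret == 0)
			fs = __get_fs_type(name, len);
	}
	/* … unchanged: subtype check … */
```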
46922 diff -urNp linux-2.6.32.49/fs/fscache/cookie.c linux-2.6.32.49/fs/fscache/cookie.c
46923 --- linux-2.6.32.49/fs/fscache/cookie.c 2011-11-08 19:02:43.000000000 -0500
46924 +++ linux-2.6.32.49/fs/fscache/cookie.c 2011-11-15 19:59:43.000000000 -0500
46925 @@ -68,11 +68,11 @@ struct fscache_cookie *__fscache_acquire
46926 parent ? (char *) parent->def->name : "<no-parent>",
46927 def->name, netfs_data);
46928
46929 - fscache_stat(&fscache_n_acquires);
46930 + fscache_stat_unchecked(&fscache_n_acquires);
46931
46932 /* if there's no parent cookie, then we don't create one here either */
46933 if (!parent) {
46934 - fscache_stat(&fscache_n_acquires_null);
46935 + fscache_stat_unchecked(&fscache_n_acquires_null);
46936 _leave(" [no parent]");
46937 return NULL;
46938 }
46939 @@ -87,7 +87,7 @@ struct fscache_cookie *__fscache_acquire
46940 /* allocate and initialise a cookie */
46941 cookie = kmem_cache_alloc(fscache_cookie_jar, GFP_KERNEL);
46942 if (!cookie) {
46943 - fscache_stat(&fscache_n_acquires_oom);
46944 + fscache_stat_unchecked(&fscache_n_acquires_oom);
46945 _leave(" [ENOMEM]");
46946 return NULL;
46947 }
46948 @@ -109,13 +109,13 @@ struct fscache_cookie *__fscache_acquire
46949
46950 switch (cookie->def->type) {
46951 case FSCACHE_COOKIE_TYPE_INDEX:
46952 - fscache_stat(&fscache_n_cookie_index);
46953 + fscache_stat_unchecked(&fscache_n_cookie_index);
46954 break;
46955 case FSCACHE_COOKIE_TYPE_DATAFILE:
46956 - fscache_stat(&fscache_n_cookie_data);
46957 + fscache_stat_unchecked(&fscache_n_cookie_data);
46958 break;
46959 default:
46960 - fscache_stat(&fscache_n_cookie_special);
46961 + fscache_stat_unchecked(&fscache_n_cookie_special);
46962 break;
46963 }
46964
46965 @@ -126,13 +126,13 @@ struct fscache_cookie *__fscache_acquire
46966 if (fscache_acquire_non_index_cookie(cookie) < 0) {
46967 atomic_dec(&parent->n_children);
46968 __fscache_cookie_put(cookie);
46969 - fscache_stat(&fscache_n_acquires_nobufs);
46970 + fscache_stat_unchecked(&fscache_n_acquires_nobufs);
46971 _leave(" = NULL");
46972 return NULL;
46973 }
46974 }
46975
46976 - fscache_stat(&fscache_n_acquires_ok);
46977 + fscache_stat_unchecked(&fscache_n_acquires_ok);
46978 _leave(" = %p", cookie);
46979 return cookie;
46980 }
46981 @@ -168,7 +168,7 @@ static int fscache_acquire_non_index_coo
46982 cache = fscache_select_cache_for_object(cookie->parent);
46983 if (!cache) {
46984 up_read(&fscache_addremove_sem);
46985 - fscache_stat(&fscache_n_acquires_no_cache);
46986 + fscache_stat_unchecked(&fscache_n_acquires_no_cache);
46987 _leave(" = -ENOMEDIUM [no cache]");
46988 return -ENOMEDIUM;
46989 }
46990 @@ -256,12 +256,12 @@ static int fscache_alloc_object(struct f
46991 object = cache->ops->alloc_object(cache, cookie);
46992 fscache_stat_d(&fscache_n_cop_alloc_object);
46993 if (IS_ERR(object)) {
46994 - fscache_stat(&fscache_n_object_no_alloc);
46995 + fscache_stat_unchecked(&fscache_n_object_no_alloc);
46996 ret = PTR_ERR(object);
46997 goto error;
46998 }
46999
47000 - fscache_stat(&fscache_n_object_alloc);
47001 + fscache_stat_unchecked(&fscache_n_object_alloc);
47002
47003 object->debug_id = atomic_inc_return(&fscache_object_debug_id);
47004
47005 @@ -377,10 +377,10 @@ void __fscache_update_cookie(struct fsca
47006 struct fscache_object *object;
47007 struct hlist_node *_p;
47008
47009 - fscache_stat(&fscache_n_updates);
47010 + fscache_stat_unchecked(&fscache_n_updates);
47011
47012 if (!cookie) {
47013 - fscache_stat(&fscache_n_updates_null);
47014 + fscache_stat_unchecked(&fscache_n_updates_null);
47015 _leave(" [no cookie]");
47016 return;
47017 }
47018 @@ -414,12 +414,12 @@ void __fscache_relinquish_cookie(struct
47019 struct fscache_object *object;
47020 unsigned long event;
47021
47022 - fscache_stat(&fscache_n_relinquishes);
47023 + fscache_stat_unchecked(&fscache_n_relinquishes);
47024 if (retire)
47025 - fscache_stat(&fscache_n_relinquishes_retire);
47026 + fscache_stat_unchecked(&fscache_n_relinquishes_retire);
47027
47028 if (!cookie) {
47029 - fscache_stat(&fscache_n_relinquishes_null);
47030 + fscache_stat_unchecked(&fscache_n_relinquishes_null);
47031 _leave(" [no cookie]");
47032 return;
47033 }
47034 @@ -435,7 +435,7 @@ void __fscache_relinquish_cookie(struct
47035
47036 /* wait for the cookie to finish being instantiated (or to fail) */
47037 if (test_bit(FSCACHE_COOKIE_CREATING, &cookie->flags)) {
47038 - fscache_stat(&fscache_n_relinquishes_waitcrt);
47039 + fscache_stat_unchecked(&fscache_n_relinquishes_waitcrt);
47040 wait_on_bit(&cookie->flags, FSCACHE_COOKIE_CREATING,
47041 fscache_wait_bit, TASK_UNINTERRUPTIBLE);
47042 }
47043 diff -urNp linux-2.6.32.49/fs/fscache/internal.h linux-2.6.32.49/fs/fscache/internal.h
47044 --- linux-2.6.32.49/fs/fscache/internal.h 2011-11-08 19:02:43.000000000 -0500
47045 +++ linux-2.6.32.49/fs/fscache/internal.h 2011-11-15 19:59:43.000000000 -0500
47046 @@ -136,94 +136,94 @@ extern void fscache_proc_cleanup(void);
47047 extern atomic_t fscache_n_ops_processed[FSCACHE_MAX_THREADS];
47048 extern atomic_t fscache_n_objs_processed[FSCACHE_MAX_THREADS];
47049
47050 -extern atomic_t fscache_n_op_pend;
47051 -extern atomic_t fscache_n_op_run;
47052 -extern atomic_t fscache_n_op_enqueue;
47053 -extern atomic_t fscache_n_op_deferred_release;
47054 -extern atomic_t fscache_n_op_release;
47055 -extern atomic_t fscache_n_op_gc;
47056 -extern atomic_t fscache_n_op_cancelled;
47057 -extern atomic_t fscache_n_op_rejected;
47058 -
47059 -extern atomic_t fscache_n_attr_changed;
47060 -extern atomic_t fscache_n_attr_changed_ok;
47061 -extern atomic_t fscache_n_attr_changed_nobufs;
47062 -extern atomic_t fscache_n_attr_changed_nomem;
47063 -extern atomic_t fscache_n_attr_changed_calls;
47064 -
47065 -extern atomic_t fscache_n_allocs;
47066 -extern atomic_t fscache_n_allocs_ok;
47067 -extern atomic_t fscache_n_allocs_wait;
47068 -extern atomic_t fscache_n_allocs_nobufs;
47069 -extern atomic_t fscache_n_allocs_intr;
47070 -extern atomic_t fscache_n_allocs_object_dead;
47071 -extern atomic_t fscache_n_alloc_ops;
47072 -extern atomic_t fscache_n_alloc_op_waits;
47073 -
47074 -extern atomic_t fscache_n_retrievals;
47075 -extern atomic_t fscache_n_retrievals_ok;
47076 -extern atomic_t fscache_n_retrievals_wait;
47077 -extern atomic_t fscache_n_retrievals_nodata;
47078 -extern atomic_t fscache_n_retrievals_nobufs;
47079 -extern atomic_t fscache_n_retrievals_intr;
47080 -extern atomic_t fscache_n_retrievals_nomem;
47081 -extern atomic_t fscache_n_retrievals_object_dead;
47082 -extern atomic_t fscache_n_retrieval_ops;
47083 -extern atomic_t fscache_n_retrieval_op_waits;
47084 -
47085 -extern atomic_t fscache_n_stores;
47086 -extern atomic_t fscache_n_stores_ok;
47087 -extern atomic_t fscache_n_stores_again;
47088 -extern atomic_t fscache_n_stores_nobufs;
47089 -extern atomic_t fscache_n_stores_oom;
47090 -extern atomic_t fscache_n_store_ops;
47091 -extern atomic_t fscache_n_store_calls;
47092 -extern atomic_t fscache_n_store_pages;
47093 -extern atomic_t fscache_n_store_radix_deletes;
47094 -extern atomic_t fscache_n_store_pages_over_limit;
47095 -
47096 -extern atomic_t fscache_n_store_vmscan_not_storing;
47097 -extern atomic_t fscache_n_store_vmscan_gone;
47098 -extern atomic_t fscache_n_store_vmscan_busy;
47099 -extern atomic_t fscache_n_store_vmscan_cancelled;
47100 -
47101 -extern atomic_t fscache_n_marks;
47102 -extern atomic_t fscache_n_uncaches;
47103 -
47104 -extern atomic_t fscache_n_acquires;
47105 -extern atomic_t fscache_n_acquires_null;
47106 -extern atomic_t fscache_n_acquires_no_cache;
47107 -extern atomic_t fscache_n_acquires_ok;
47108 -extern atomic_t fscache_n_acquires_nobufs;
47109 -extern atomic_t fscache_n_acquires_oom;
47110 -
47111 -extern atomic_t fscache_n_updates;
47112 -extern atomic_t fscache_n_updates_null;
47113 -extern atomic_t fscache_n_updates_run;
47114 -
47115 -extern atomic_t fscache_n_relinquishes;
47116 -extern atomic_t fscache_n_relinquishes_null;
47117 -extern atomic_t fscache_n_relinquishes_waitcrt;
47118 -extern atomic_t fscache_n_relinquishes_retire;
47119 -
47120 -extern atomic_t fscache_n_cookie_index;
47121 -extern atomic_t fscache_n_cookie_data;
47122 -extern atomic_t fscache_n_cookie_special;
47123 -
47124 -extern atomic_t fscache_n_object_alloc;
47125 -extern atomic_t fscache_n_object_no_alloc;
47126 -extern atomic_t fscache_n_object_lookups;
47127 -extern atomic_t fscache_n_object_lookups_negative;
47128 -extern atomic_t fscache_n_object_lookups_positive;
47129 -extern atomic_t fscache_n_object_lookups_timed_out;
47130 -extern atomic_t fscache_n_object_created;
47131 -extern atomic_t fscache_n_object_avail;
47132 -extern atomic_t fscache_n_object_dead;
47133 -
47134 -extern atomic_t fscache_n_checkaux_none;
47135 -extern atomic_t fscache_n_checkaux_okay;
47136 -extern atomic_t fscache_n_checkaux_update;
47137 -extern atomic_t fscache_n_checkaux_obsolete;
47138 +extern atomic_unchecked_t fscache_n_op_pend;
47139 +extern atomic_unchecked_t fscache_n_op_run;
47140 +extern atomic_unchecked_t fscache_n_op_enqueue;
47141 +extern atomic_unchecked_t fscache_n_op_deferred_release;
47142 +extern atomic_unchecked_t fscache_n_op_release;
47143 +extern atomic_unchecked_t fscache_n_op_gc;
47144 +extern atomic_unchecked_t fscache_n_op_cancelled;
47145 +extern atomic_unchecked_t fscache_n_op_rejected;
47146 +
47147 +extern atomic_unchecked_t fscache_n_attr_changed;
47148 +extern atomic_unchecked_t fscache_n_attr_changed_ok;
47149 +extern atomic_unchecked_t fscache_n_attr_changed_nobufs;
47150 +extern atomic_unchecked_t fscache_n_attr_changed_nomem;
47151 +extern atomic_unchecked_t fscache_n_attr_changed_calls;
47152 +
47153 +extern atomic_unchecked_t fscache_n_allocs;
47154 +extern atomic_unchecked_t fscache_n_allocs_ok;
47155 +extern atomic_unchecked_t fscache_n_allocs_wait;
47156 +extern atomic_unchecked_t fscache_n_allocs_nobufs;
47157 +extern atomic_unchecked_t fscache_n_allocs_intr;
47158 +extern atomic_unchecked_t fscache_n_allocs_object_dead;
47159 +extern atomic_unchecked_t fscache_n_alloc_ops;
47160 +extern atomic_unchecked_t fscache_n_alloc_op_waits;
47161 +
47162 +extern atomic_unchecked_t fscache_n_retrievals;
47163 +extern atomic_unchecked_t fscache_n_retrievals_ok;
47164 +extern atomic_unchecked_t fscache_n_retrievals_wait;
47165 +extern atomic_unchecked_t fscache_n_retrievals_nodata;
47166 +extern atomic_unchecked_t fscache_n_retrievals_nobufs;
47167 +extern atomic_unchecked_t fscache_n_retrievals_intr;
47168 +extern atomic_unchecked_t fscache_n_retrievals_nomem;
47169 +extern atomic_unchecked_t fscache_n_retrievals_object_dead;
47170 +extern atomic_unchecked_t fscache_n_retrieval_ops;
47171 +extern atomic_unchecked_t fscache_n_retrieval_op_waits;
47172 +
47173 +extern atomic_unchecked_t fscache_n_stores;
47174 +extern atomic_unchecked_t fscache_n_stores_ok;
47175 +extern atomic_unchecked_t fscache_n_stores_again;
47176 +extern atomic_unchecked_t fscache_n_stores_nobufs;
47177 +extern atomic_unchecked_t fscache_n_stores_oom;
47178 +extern atomic_unchecked_t fscache_n_store_ops;
47179 +extern atomic_unchecked_t fscache_n_store_calls;
47180 +extern atomic_unchecked_t fscache_n_store_pages;
47181 +extern atomic_unchecked_t fscache_n_store_radix_deletes;
47182 +extern atomic_unchecked_t fscache_n_store_pages_over_limit;
47183 +
47184 +extern atomic_unchecked_t fscache_n_store_vmscan_not_storing;
47185 +extern atomic_unchecked_t fscache_n_store_vmscan_gone;
47186 +extern atomic_unchecked_t fscache_n_store_vmscan_busy;
47187 +extern atomic_unchecked_t fscache_n_store_vmscan_cancelled;
47188 +
47189 +extern atomic_unchecked_t fscache_n_marks;
47190 +extern atomic_unchecked_t fscache_n_uncaches;
47191 +
47192 +extern atomic_unchecked_t fscache_n_acquires;
47193 +extern atomic_unchecked_t fscache_n_acquires_null;
47194 +extern atomic_unchecked_t fscache_n_acquires_no_cache;
47195 +extern atomic_unchecked_t fscache_n_acquires_ok;
47196 +extern atomic_unchecked_t fscache_n_acquires_nobufs;
47197 +extern atomic_unchecked_t fscache_n_acquires_oom;
47198 +
47199 +extern atomic_unchecked_t fscache_n_updates;
47200 +extern atomic_unchecked_t fscache_n_updates_null;
47201 +extern atomic_unchecked_t fscache_n_updates_run;
47202 +
47203 +extern atomic_unchecked_t fscache_n_relinquishes;
47204 +extern atomic_unchecked_t fscache_n_relinquishes_null;
47205 +extern atomic_unchecked_t fscache_n_relinquishes_waitcrt;
47206 +extern atomic_unchecked_t fscache_n_relinquishes_retire;
47207 +
47208 +extern atomic_unchecked_t fscache_n_cookie_index;
47209 +extern atomic_unchecked_t fscache_n_cookie_data;
47210 +extern atomic_unchecked_t fscache_n_cookie_special;
47211 +
47212 +extern atomic_unchecked_t fscache_n_object_alloc;
47213 +extern atomic_unchecked_t fscache_n_object_no_alloc;
47214 +extern atomic_unchecked_t fscache_n_object_lookups;
47215 +extern atomic_unchecked_t fscache_n_object_lookups_negative;
47216 +extern atomic_unchecked_t fscache_n_object_lookups_positive;
47217 +extern atomic_unchecked_t fscache_n_object_lookups_timed_out;
47218 +extern atomic_unchecked_t fscache_n_object_created;
47219 +extern atomic_unchecked_t fscache_n_object_avail;
47220 +extern atomic_unchecked_t fscache_n_object_dead;
47221 +
47222 +extern atomic_unchecked_t fscache_n_checkaux_none;
47223 +extern atomic_unchecked_t fscache_n_checkaux_okay;
47224 +extern atomic_unchecked_t fscache_n_checkaux_update;
47225 +extern atomic_unchecked_t fscache_n_checkaux_obsolete;
47226
47227 extern atomic_t fscache_n_cop_alloc_object;
47228 extern atomic_t fscache_n_cop_lookup_object;
47229 @@ -247,6 +247,11 @@ static inline void fscache_stat(atomic_t
47230 atomic_inc(stat);
47231 }
47232
47233 +static inline void fscache_stat_unchecked(atomic_unchecked_t *stat)
47234 +{
47235 + atomic_inc_unchecked(stat);
47236 +}
47237 +
47238 static inline void fscache_stat_d(atomic_t *stat)
47239 {
47240 atomic_dec(stat);
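Review bot: `fscache_stat_unchecked()` is added without a comment telling a later author when to use it instead of `fscache_stat()`. From the conversions in this patch the rule appears to be that monotonic event counters take the unchecked variant, while the `fscache_n_cop_*` counters, which are also decremented through `fscache_stat_d()`, stay on `atomic_t`. A comment above the helper such as `/* event statistics only: wraparound is harmless, so no overflow check */` would record that. Without it, a new in-flight counter could be given the unchecked type by imitation and lose overflow detection. The body of fscache_stat_d continues outside the hunk.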
47241 @@ -259,6 +264,7 @@ extern const struct file_operations fsca
47242
47243 #define __fscache_stat(stat) (NULL)
47244 #define fscache_stat(stat) do {} while (0)
47245 +#define fscache_stat_unchecked(stat) do {} while (0)
47246 #define fscache_stat_d(stat) do {} while (0)
47247 #endif
47248
47249 diff -urNp linux-2.6.32.49/fs/fscache/object.c linux-2.6.32.49/fs/fscache/object.c
47250 --- linux-2.6.32.49/fs/fscache/object.c 2011-11-08 19:02:43.000000000 -0500
47251 +++ linux-2.6.32.49/fs/fscache/object.c 2011-11-15 19:59:43.000000000 -0500
47252 @@ -144,7 +144,7 @@ static void fscache_object_state_machine
47253 /* update the object metadata on disk */
47254 case FSCACHE_OBJECT_UPDATING:
47255 clear_bit(FSCACHE_OBJECT_EV_UPDATE, &object->events);
47256 - fscache_stat(&fscache_n_updates_run);
47257 + fscache_stat_unchecked(&fscache_n_updates_run);
47258 fscache_stat(&fscache_n_cop_update_object);
47259 object->cache->ops->update_object(object);
47260 fscache_stat_d(&fscache_n_cop_update_object);
47261 @@ -233,7 +233,7 @@ static void fscache_object_state_machine
47262 spin_lock(&object->lock);
47263 object->state = FSCACHE_OBJECT_DEAD;
47264 spin_unlock(&object->lock);
47265 - fscache_stat(&fscache_n_object_dead);
47266 + fscache_stat_unchecked(&fscache_n_object_dead);
47267 goto terminal_transit;
47268
47269 /* handle the parent cache of this object being withdrawn from
47270 @@ -248,7 +248,7 @@ static void fscache_object_state_machine
47271 spin_lock(&object->lock);
47272 object->state = FSCACHE_OBJECT_DEAD;
47273 spin_unlock(&object->lock);
47274 - fscache_stat(&fscache_n_object_dead);
47275 + fscache_stat_unchecked(&fscache_n_object_dead);
47276 goto terminal_transit;
47277
47278 /* complain about the object being woken up once it is
47279 @@ -492,7 +492,7 @@ static void fscache_lookup_object(struct
47280 parent->cookie->def->name, cookie->def->name,
47281 object->cache->tag->name);
47282
47283 - fscache_stat(&fscache_n_object_lookups);
47284 + fscache_stat_unchecked(&fscache_n_object_lookups);
47285 fscache_stat(&fscache_n_cop_lookup_object);
47286 ret = object->cache->ops->lookup_object(object);
47287 fscache_stat_d(&fscache_n_cop_lookup_object);
47288 @@ -503,7 +503,7 @@ static void fscache_lookup_object(struct
47289 if (ret == -ETIMEDOUT) {
47290 /* probably stuck behind another object, so move this one to
47291 * the back of the queue */
47292 - fscache_stat(&fscache_n_object_lookups_timed_out);
47293 + fscache_stat_unchecked(&fscache_n_object_lookups_timed_out);
47294 set_bit(FSCACHE_OBJECT_EV_REQUEUE, &object->events);
47295 }
47296
47297 @@ -526,7 +526,7 @@ void fscache_object_lookup_negative(stru
47298
47299 spin_lock(&object->lock);
47300 if (object->state == FSCACHE_OBJECT_LOOKING_UP) {
47301 - fscache_stat(&fscache_n_object_lookups_negative);
47302 + fscache_stat_unchecked(&fscache_n_object_lookups_negative);
47303
47304 /* transit here to allow write requests to begin stacking up
47305 * and read requests to begin returning ENODATA */
47306 @@ -572,7 +572,7 @@ void fscache_obtained_object(struct fsca
47307 * result, in which case there may be data available */
47308 spin_lock(&object->lock);
47309 if (object->state == FSCACHE_OBJECT_LOOKING_UP) {
47310 - fscache_stat(&fscache_n_object_lookups_positive);
47311 + fscache_stat_unchecked(&fscache_n_object_lookups_positive);
47312
47313 clear_bit(FSCACHE_COOKIE_NO_DATA_YET, &cookie->flags);
47314
47315 @@ -586,7 +586,7 @@ void fscache_obtained_object(struct fsca
47316 set_bit(FSCACHE_OBJECT_EV_REQUEUE, &object->events);
47317 } else {
47318 ASSERTCMP(object->state, ==, FSCACHE_OBJECT_CREATING);
47319 - fscache_stat(&fscache_n_object_created);
47320 + fscache_stat_unchecked(&fscache_n_object_created);
47321
47322 object->state = FSCACHE_OBJECT_AVAILABLE;
47323 spin_unlock(&object->lock);
47324 @@ -633,7 +633,7 @@ static void fscache_object_available(str
47325 fscache_enqueue_dependents(object);
47326
47327 fscache_hist(fscache_obj_instantiate_histogram, object->lookup_jif);
47328 - fscache_stat(&fscache_n_object_avail);
47329 + fscache_stat_unchecked(&fscache_n_object_avail);
47330
47331 _leave("");
47332 }
47333 @@ -861,7 +861,7 @@ enum fscache_checkaux fscache_check_aux(
47334 enum fscache_checkaux result;
47335
47336 if (!object->cookie->def->check_aux) {
47337 - fscache_stat(&fscache_n_checkaux_none);
47338 + fscache_stat_unchecked(&fscache_n_checkaux_none);
47339 return FSCACHE_CHECKAUX_OKAY;
47340 }
47341
47342 @@ -870,17 +870,17 @@ enum fscache_checkaux fscache_check_aux(
47343 switch (result) {
47344 /* entry okay as is */
47345 case FSCACHE_CHECKAUX_OKAY:
47346 - fscache_stat(&fscache_n_checkaux_okay);
47347 + fscache_stat_unchecked(&fscache_n_checkaux_okay);
47348 break;
47349
47350 /* entry requires update */
47351 case FSCACHE_CHECKAUX_NEEDS_UPDATE:
47352 - fscache_stat(&fscache_n_checkaux_update);
47353 + fscache_stat_unchecked(&fscache_n_checkaux_update);
47354 break;
47355
47356 /* entry requires deletion */
47357 case FSCACHE_CHECKAUX_OBSOLETE:
47358 - fscache_stat(&fscache_n_checkaux_obsolete);
47359 + fscache_stat_unchecked(&fscache_n_checkaux_obsolete);
47360 break;
47361
47362 default:
47363 diff -urNp linux-2.6.32.49/fs/fscache/operation.c linux-2.6.32.49/fs/fscache/operation.c
47364 --- linux-2.6.32.49/fs/fscache/operation.c 2011-11-08 19:02:43.000000000 -0500
47365 +++ linux-2.6.32.49/fs/fscache/operation.c 2011-11-15 19:59:43.000000000 -0500
47366 @@ -16,7 +16,7 @@
47367 #include <linux/seq_file.h>
47368 #include "internal.h"
47369
47370 -atomic_t fscache_op_debug_id;
47371 +atomic_unchecked_t fscache_op_debug_id;
47372 EXPORT_SYMBOL(fscache_op_debug_id);
47373
47374 /**
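Review bot: `fscache_op_debug_id` is exported, so changing its type to `atomic_unchecked_t` here only works if its `extern` declaration and every user, including modules that call an atomic helper on it, change in the same patch; none of that is visible in this hunk. It is worth confirming that the header declaration matches and that users are switched to the `_unchecked` accessors, otherwise the build fails or warns on a pointer-type mismatch. A short comment on the definition, `/* debug id only, may wrap */`, would also explain why this counter is exempt from overflow checking.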
47375 @@ -39,7 +39,7 @@ void fscache_enqueue_operation(struct fs
47376 ASSERTCMP(op->object->state, >=, FSCACHE_OBJECT_AVAILABLE);
47377 ASSERTCMP(atomic_read(&op->usage), >, 0);
47378
47379 - fscache_stat(&fscache_n_op_enqueue);
47380 + fscache_stat_unchecked(&fscache_n_op_enqueue);
47381 switch (op->flags & FSCACHE_OP_TYPE) {
47382 case FSCACHE_OP_FAST:
47383 _debug("queue fast");
47384 @@ -76,7 +76,7 @@ static void fscache_run_op(struct fscach
47385 wake_up_bit(&op->flags, FSCACHE_OP_WAITING);
47386 if (op->processor)
47387 fscache_enqueue_operation(op);
47388 - fscache_stat(&fscache_n_op_run);
47389 + fscache_stat_unchecked(&fscache_n_op_run);
47390 }
47391
47392 /*
47393 @@ -107,11 +107,11 @@ int fscache_submit_exclusive_op(struct f
47394 if (object->n_ops > 0) {
47395 atomic_inc(&op->usage);
47396 list_add_tail(&op->pend_link, &object->pending_ops);
47397 - fscache_stat(&fscache_n_op_pend);
47398 + fscache_stat_unchecked(&fscache_n_op_pend);
47399 } else if (!list_empty(&object->pending_ops)) {
47400 atomic_inc(&op->usage);
47401 list_add_tail(&op->pend_link, &object->pending_ops);
47402 - fscache_stat(&fscache_n_op_pend);
47403 + fscache_stat_unchecked(&fscache_n_op_pend);
47404 fscache_start_operations(object);
47405 } else {
47406 ASSERTCMP(object->n_in_progress, ==, 0);
47407 @@ -127,7 +127,7 @@ int fscache_submit_exclusive_op(struct f
47408 object->n_exclusive++; /* reads and writes must wait */
47409 atomic_inc(&op->usage);
47410 list_add_tail(&op->pend_link, &object->pending_ops);
47411 - fscache_stat(&fscache_n_op_pend);
47412 + fscache_stat_unchecked(&fscache_n_op_pend);
47413 ret = 0;
47414 } else {
47415 /* not allowed to submit ops in any other state */
47416 @@ -214,11 +214,11 @@ int fscache_submit_op(struct fscache_obj
47417 if (object->n_exclusive > 0) {
47418 atomic_inc(&op->usage);
47419 list_add_tail(&op->pend_link, &object->pending_ops);
47420 - fscache_stat(&fscache_n_op_pend);
47421 + fscache_stat_unchecked(&fscache_n_op_pend);
47422 } else if (!list_empty(&object->pending_ops)) {
47423 atomic_inc(&op->usage);
47424 list_add_tail(&op->pend_link, &object->pending_ops);
47425 - fscache_stat(&fscache_n_op_pend);
47426 + fscache_stat_unchecked(&fscache_n_op_pend);
47427 fscache_start_operations(object);
47428 } else {
47429 ASSERTCMP(object->n_exclusive, ==, 0);
47430 @@ -230,12 +230,12 @@ int fscache_submit_op(struct fscache_obj
47431 object->n_ops++;
47432 atomic_inc(&op->usage);
47433 list_add_tail(&op->pend_link, &object->pending_ops);
47434 - fscache_stat(&fscache_n_op_pend);
47435 + fscache_stat_unchecked(&fscache_n_op_pend);
47436 ret = 0;
47437 } else if (object->state == FSCACHE_OBJECT_DYING ||
47438 object->state == FSCACHE_OBJECT_LC_DYING ||
47439 object->state == FSCACHE_OBJECT_WITHDRAWING) {
47440 - fscache_stat(&fscache_n_op_rejected);
47441 + fscache_stat_unchecked(&fscache_n_op_rejected);
47442 ret = -ENOBUFS;
47443 } else if (!test_bit(FSCACHE_IOERROR, &object->cache->flags)) {
47444 fscache_report_unexpected_submission(object, op, ostate);
47445 @@ -305,7 +305,7 @@ int fscache_cancel_op(struct fscache_ope
47446
47447 ret = -EBUSY;
47448 if (!list_empty(&op->pend_link)) {
47449 - fscache_stat(&fscache_n_op_cancelled);
47450 + fscache_stat_unchecked(&fscache_n_op_cancelled);
47451 list_del_init(&op->pend_link);
47452 object->n_ops--;
47453 if (test_bit(FSCACHE_OP_EXCLUSIVE, &op->flags))
47454 @@ -344,7 +344,7 @@ void fscache_put_operation(struct fscach
47455 if (test_and_set_bit(FSCACHE_OP_DEAD, &op->flags))
47456 BUG();
47457
47458 - fscache_stat(&fscache_n_op_release);
47459 + fscache_stat_unchecked(&fscache_n_op_release);
47460
47461 if (op->release) {
47462 op->release(op);
47463 @@ -361,7 +361,7 @@ void fscache_put_operation(struct fscach
47464 * lock, and defer it otherwise */
47465 if (!spin_trylock(&object->lock)) {
47466 _debug("defer put");
47467 - fscache_stat(&fscache_n_op_deferred_release);
47468 + fscache_stat_unchecked(&fscache_n_op_deferred_release);
47469
47470 cache = object->cache;
47471 spin_lock(&cache->op_gc_list_lock);
47472 @@ -423,7 +423,7 @@ void fscache_operation_gc(struct work_st
47473
47474 _debug("GC DEFERRED REL OBJ%x OP%x",
47475 object->debug_id, op->debug_id);
47476 - fscache_stat(&fscache_n_op_gc);
47477 + fscache_stat_unchecked(&fscache_n_op_gc);
47478
47479 ASSERTCMP(atomic_read(&op->usage), ==, 0);
47480
47481 diff -urNp linux-2.6.32.49/fs/fscache/page.c linux-2.6.32.49/fs/fscache/page.c
47482 --- linux-2.6.32.49/fs/fscache/page.c 2011-11-08 19:02:43.000000000 -0500
47483 +++ linux-2.6.32.49/fs/fscache/page.c 2011-11-15 19:59:43.000000000 -0500
47484 @@ -59,7 +59,7 @@ bool __fscache_maybe_release_page(struct
47485 val = radix_tree_lookup(&cookie->stores, page->index);
47486 if (!val) {
47487 rcu_read_unlock();
47488 - fscache_stat(&fscache_n_store_vmscan_not_storing);
47489 + fscache_stat_unchecked(&fscache_n_store_vmscan_not_storing);
47490 __fscache_uncache_page(cookie, page);
47491 return true;
47492 }
47493 @@ -89,11 +89,11 @@ bool __fscache_maybe_release_page(struct
47494 spin_unlock(&cookie->stores_lock);
47495
47496 if (xpage) {
47497 - fscache_stat(&fscache_n_store_vmscan_cancelled);
47498 - fscache_stat(&fscache_n_store_radix_deletes);
47499 + fscache_stat_unchecked(&fscache_n_store_vmscan_cancelled);
47500 + fscache_stat_unchecked(&fscache_n_store_radix_deletes);
47501 ASSERTCMP(xpage, ==, page);
47502 } else {
47503 - fscache_stat(&fscache_n_store_vmscan_gone);
47504 + fscache_stat_unchecked(&fscache_n_store_vmscan_gone);
47505 }
47506
47507 wake_up_bit(&cookie->flags, 0);
47508 @@ -106,7 +106,7 @@ page_busy:
47509 /* we might want to wait here, but that could deadlock the allocator as
47510 * the slow-work threads writing to the cache may all end up sleeping
47511 * on memory allocation */
47512 - fscache_stat(&fscache_n_store_vmscan_busy);
47513 + fscache_stat_unchecked(&fscache_n_store_vmscan_busy);
47514 return false;
47515 }
47516 EXPORT_SYMBOL(__fscache_maybe_release_page);
47517 @@ -130,7 +130,7 @@ static void fscache_end_page_write(struc
47518 FSCACHE_COOKIE_STORING_TAG);
47519 if (!radix_tree_tag_get(&cookie->stores, page->index,
47520 FSCACHE_COOKIE_PENDING_TAG)) {
47521 - fscache_stat(&fscache_n_store_radix_deletes);
47522 + fscache_stat_unchecked(&fscache_n_store_radix_deletes);
47523 xpage = radix_tree_delete(&cookie->stores, page->index);
47524 }
47525 spin_unlock(&cookie->stores_lock);
47526 @@ -151,7 +151,7 @@ static void fscache_attr_changed_op(stru
47527
47528 _enter("{OBJ%x OP%x}", object->debug_id, op->debug_id);
47529
47530 - fscache_stat(&fscache_n_attr_changed_calls);
47531 + fscache_stat_unchecked(&fscache_n_attr_changed_calls);
47532
47533 if (fscache_object_is_active(object)) {
47534 fscache_set_op_state(op, "CallFS");
47535 @@ -178,11 +178,11 @@ int __fscache_attr_changed(struct fscach
47536
47537 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
47538
47539 - fscache_stat(&fscache_n_attr_changed);
47540 + fscache_stat_unchecked(&fscache_n_attr_changed);
47541
47542 op = kzalloc(sizeof(*op), GFP_KERNEL);
47543 if (!op) {
47544 - fscache_stat(&fscache_n_attr_changed_nomem);
47545 + fscache_stat_unchecked(&fscache_n_attr_changed_nomem);
47546 _leave(" = -ENOMEM");
47547 return -ENOMEM;
47548 }
47549 @@ -202,7 +202,7 @@ int __fscache_attr_changed(struct fscach
47550 if (fscache_submit_exclusive_op(object, op) < 0)
47551 goto nobufs;
47552 spin_unlock(&cookie->lock);
47553 - fscache_stat(&fscache_n_attr_changed_ok);
47554 + fscache_stat_unchecked(&fscache_n_attr_changed_ok);
47555 fscache_put_operation(op);
47556 _leave(" = 0");
47557 return 0;
47558 @@ -210,7 +210,7 @@ int __fscache_attr_changed(struct fscach
47559 nobufs:
47560 spin_unlock(&cookie->lock);
47561 kfree(op);
47562 - fscache_stat(&fscache_n_attr_changed_nobufs);
47563 + fscache_stat_unchecked(&fscache_n_attr_changed_nobufs);
47564 _leave(" = %d", -ENOBUFS);
47565 return -ENOBUFS;
47566 }
47567 @@ -264,7 +264,7 @@ static struct fscache_retrieval *fscache
47568 /* allocate a retrieval operation and attempt to submit it */
47569 op = kzalloc(sizeof(*op), GFP_NOIO);
47570 if (!op) {
47571 - fscache_stat(&fscache_n_retrievals_nomem);
47572 + fscache_stat_unchecked(&fscache_n_retrievals_nomem);
47573 return NULL;
47574 }
47575
47576 @@ -294,13 +294,13 @@ static int fscache_wait_for_deferred_loo
47577 return 0;
47578 }
47579
47580 - fscache_stat(&fscache_n_retrievals_wait);
47581 + fscache_stat_unchecked(&fscache_n_retrievals_wait);
47582
47583 jif = jiffies;
47584 if (wait_on_bit(&cookie->flags, FSCACHE_COOKIE_LOOKING_UP,
47585 fscache_wait_bit_interruptible,
47586 TASK_INTERRUPTIBLE) != 0) {
47587 - fscache_stat(&fscache_n_retrievals_intr);
47588 + fscache_stat_unchecked(&fscache_n_retrievals_intr);
47589 _leave(" = -ERESTARTSYS");
47590 return -ERESTARTSYS;
47591 }
47592 @@ -318,8 +318,8 @@ static int fscache_wait_for_deferred_loo
47593 */
47594 static int fscache_wait_for_retrieval_activation(struct fscache_object *object,
47595 struct fscache_retrieval *op,
47596 - atomic_t *stat_op_waits,
47597 - atomic_t *stat_object_dead)
47598 + atomic_unchecked_t *stat_op_waits,
47599 + atomic_unchecked_t *stat_object_dead)
47600 {
47601 int ret;
47602
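Review bot: The header comment of `fscache_wait_for_retrieval_activation` (it begins above this hunk) should state that `stat_op_waits` and `stat_object_dead` are statistics counters that are only incremented, because that property is what makes the unchecked type acceptable. A line such as `* The two stat pointers are statistics only; they are incremented and never gate a free.` would do. If `atomic_unchecked_t` is a distinct type only when overflow checking is configured in (presumably so; its definition is not on this part of the page), a caller passing a checked `atomic_t *` would be diagnosed only in that configuration. Both configurations are therefore worth a build test.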
47603 @@ -327,7 +327,7 @@ static int fscache_wait_for_retrieval_ac
47604 goto check_if_dead;
47605
47606 _debug(">>> WT");
47607 - fscache_stat(stat_op_waits);
47608 + fscache_stat_unchecked(stat_op_waits);
47609 if (wait_on_bit(&op->op.flags, FSCACHE_OP_WAITING,
47610 fscache_wait_bit_interruptible,
47611 TASK_INTERRUPTIBLE) < 0) {
47612 @@ -344,7 +344,7 @@ static int fscache_wait_for_retrieval_ac
47613
47614 check_if_dead:
47615 if (unlikely(fscache_object_is_dead(object))) {
47616 - fscache_stat(stat_object_dead);
47617 + fscache_stat_unchecked(stat_object_dead);
47618 return -ENOBUFS;
47619 }
47620 return 0;
47621 @@ -371,7 +371,7 @@ int __fscache_read_or_alloc_page(struct
47622
47623 _enter("%p,%p,,,", cookie, page);
47624
47625 - fscache_stat(&fscache_n_retrievals);
47626 + fscache_stat_unchecked(&fscache_n_retrievals);
47627
47628 if (hlist_empty(&cookie->backing_objects))
47629 goto nobufs;
47630 @@ -405,7 +405,7 @@ int __fscache_read_or_alloc_page(struct
47631 goto nobufs_unlock;
47632 spin_unlock(&cookie->lock);
47633
47634 - fscache_stat(&fscache_n_retrieval_ops);
47635 + fscache_stat_unchecked(&fscache_n_retrieval_ops);
47636
47637 /* pin the netfs read context in case we need to do the actual netfs
47638 * read because we've encountered a cache read failure */
47639 @@ -435,15 +435,15 @@ int __fscache_read_or_alloc_page(struct
47640
47641 error:
47642 if (ret == -ENOMEM)
47643 - fscache_stat(&fscache_n_retrievals_nomem);
47644 + fscache_stat_unchecked(&fscache_n_retrievals_nomem);
47645 else if (ret == -ERESTARTSYS)
47646 - fscache_stat(&fscache_n_retrievals_intr);
47647 + fscache_stat_unchecked(&fscache_n_retrievals_intr);
47648 else if (ret == -ENODATA)
47649 - fscache_stat(&fscache_n_retrievals_nodata);
47650 + fscache_stat_unchecked(&fscache_n_retrievals_nodata);
47651 else if (ret < 0)
47652 - fscache_stat(&fscache_n_retrievals_nobufs);
47653 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
47654 else
47655 - fscache_stat(&fscache_n_retrievals_ok);
47656 + fscache_stat_unchecked(&fscache_n_retrievals_ok);
47657
47658 fscache_put_retrieval(op);
47659 _leave(" = %d", ret);
47660 @@ -453,7 +453,7 @@ nobufs_unlock:
47661 spin_unlock(&cookie->lock);
47662 kfree(op);
47663 nobufs:
47664 - fscache_stat(&fscache_n_retrievals_nobufs);
47665 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
47666 _leave(" = -ENOBUFS");
47667 return -ENOBUFS;
47668 }
47669 @@ -491,7 +491,7 @@ int __fscache_read_or_alloc_pages(struct
47670
47671 _enter("%p,,%d,,,", cookie, *nr_pages);
47672
47673 - fscache_stat(&fscache_n_retrievals);
47674 + fscache_stat_unchecked(&fscache_n_retrievals);
47675
47676 if (hlist_empty(&cookie->backing_objects))
47677 goto nobufs;
47678 @@ -522,7 +522,7 @@ int __fscache_read_or_alloc_pages(struct
47679 goto nobufs_unlock;
47680 spin_unlock(&cookie->lock);
47681
47682 - fscache_stat(&fscache_n_retrieval_ops);
47683 + fscache_stat_unchecked(&fscache_n_retrieval_ops);
47684
47685 /* pin the netfs read context in case we need to do the actual netfs
47686 * read because we've encountered a cache read failure */
47687 @@ -552,15 +552,15 @@ int __fscache_read_or_alloc_pages(struct
47688
47689 error:
47690 if (ret == -ENOMEM)
47691 - fscache_stat(&fscache_n_retrievals_nomem);
47692 + fscache_stat_unchecked(&fscache_n_retrievals_nomem);
47693 else if (ret == -ERESTARTSYS)
47694 - fscache_stat(&fscache_n_retrievals_intr);
47695 + fscache_stat_unchecked(&fscache_n_retrievals_intr);
47696 else if (ret == -ENODATA)
47697 - fscache_stat(&fscache_n_retrievals_nodata);
47698 + fscache_stat_unchecked(&fscache_n_retrievals_nodata);
47699 else if (ret < 0)
47700 - fscache_stat(&fscache_n_retrievals_nobufs);
47701 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
47702 else
47703 - fscache_stat(&fscache_n_retrievals_ok);
47704 + fscache_stat_unchecked(&fscache_n_retrievals_ok);
47705
47706 fscache_put_retrieval(op);
47707 _leave(" = %d", ret);
47708 @@ -570,7 +570,7 @@ nobufs_unlock:
47709 spin_unlock(&cookie->lock);
47710 kfree(op);
47711 nobufs:
47712 - fscache_stat(&fscache_n_retrievals_nobufs);
47713 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
47714 _leave(" = -ENOBUFS");
47715 return -ENOBUFS;
47716 }
47717 @@ -594,7 +594,7 @@ int __fscache_alloc_page(struct fscache_
47718
47719 _enter("%p,%p,,,", cookie, page);
47720
47721 - fscache_stat(&fscache_n_allocs);
47722 + fscache_stat_unchecked(&fscache_n_allocs);
47723
47724 if (hlist_empty(&cookie->backing_objects))
47725 goto nobufs;
47726 @@ -621,7 +621,7 @@ int __fscache_alloc_page(struct fscache_
47727 goto nobufs_unlock;
47728 spin_unlock(&cookie->lock);
47729
47730 - fscache_stat(&fscache_n_alloc_ops);
47731 + fscache_stat_unchecked(&fscache_n_alloc_ops);
47732
47733 ret = fscache_wait_for_retrieval_activation(
47734 object, op,
47735 @@ -637,11 +637,11 @@ int __fscache_alloc_page(struct fscache_
47736
47737 error:
47738 if (ret == -ERESTARTSYS)
47739 - fscache_stat(&fscache_n_allocs_intr);
47740 + fscache_stat_unchecked(&fscache_n_allocs_intr);
47741 else if (ret < 0)
47742 - fscache_stat(&fscache_n_allocs_nobufs);
47743 + fscache_stat_unchecked(&fscache_n_allocs_nobufs);
47744 else
47745 - fscache_stat(&fscache_n_allocs_ok);
47746 + fscache_stat_unchecked(&fscache_n_allocs_ok);
47747
47748 fscache_put_retrieval(op);
47749 _leave(" = %d", ret);
47750 @@ -651,7 +651,7 @@ nobufs_unlock:
47751 spin_unlock(&cookie->lock);
47752 kfree(op);
47753 nobufs:
47754 - fscache_stat(&fscache_n_allocs_nobufs);
47755 + fscache_stat_unchecked(&fscache_n_allocs_nobufs);
47756 _leave(" = -ENOBUFS");
47757 return -ENOBUFS;
47758 }
47759 @@ -694,7 +694,7 @@ static void fscache_write_op(struct fsca
47760
47761 spin_lock(&cookie->stores_lock);
47762
47763 - fscache_stat(&fscache_n_store_calls);
47764 + fscache_stat_unchecked(&fscache_n_store_calls);
47765
47766 /* find a page to store */
47767 page = NULL;
47768 @@ -705,7 +705,7 @@ static void fscache_write_op(struct fsca
47769 page = results[0];
47770 _debug("gang %d [%lx]", n, page->index);
47771 if (page->index > op->store_limit) {
47772 - fscache_stat(&fscache_n_store_pages_over_limit);
47773 + fscache_stat_unchecked(&fscache_n_store_pages_over_limit);
47774 goto superseded;
47775 }
47776
47777 @@ -721,7 +721,7 @@ static void fscache_write_op(struct fsca
47778
47779 if (page) {
47780 fscache_set_op_state(&op->op, "Store");
47781 - fscache_stat(&fscache_n_store_pages);
47782 + fscache_stat_unchecked(&fscache_n_store_pages);
47783 fscache_stat(&fscache_n_cop_write_page);
47784 ret = object->cache->ops->write_page(op, page);
47785 fscache_stat_d(&fscache_n_cop_write_page);
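Review bot: Two adjacent calls in `fscache_write_op` now use different accessors, `fscache_stat_unchecked(&fscache_n_store_pages)` and `fscache_stat(&fscache_n_cop_write_page)`, with nothing explaining the difference. The `fscache_n_cop_write_page` counter is incremented before the `write_page` call and passed to `fscache_stat_d` after it. The `fscache_n_cop_*` declarations stay `atomic_t`, as the context lines closing the first stats.c hunk show. A one-line comment before the `fscache_stat` call, such as `/* n_cop_* are inc/dec pairs and stay overflow-checked */`, would keep a later cleanup from converting them too. The same comment belongs above `atomic_t fscache_n_cop_alloc_object;` in stats.c. The function body continues outside this hunk.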
47786 @@ -792,7 +792,7 @@ int __fscache_write_page(struct fscache_
47787 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
47788 ASSERT(PageFsCache(page));
47789
47790 - fscache_stat(&fscache_n_stores);
47791 + fscache_stat_unchecked(&fscache_n_stores);
47792
47793 op = kzalloc(sizeof(*op), GFP_NOIO);
47794 if (!op)
47795 @@ -844,7 +844,7 @@ int __fscache_write_page(struct fscache_
47796 spin_unlock(&cookie->stores_lock);
47797 spin_unlock(&object->lock);
47798
47799 - op->op.debug_id = atomic_inc_return(&fscache_op_debug_id);
47800 + op->op.debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
47801 op->store_limit = object->store_limit;
47802
47803 if (fscache_submit_op(object, &op->op) < 0)
47804 @@ -852,8 +852,8 @@ int __fscache_write_page(struct fscache_
47805
47806 spin_unlock(&cookie->lock);
47807 radix_tree_preload_end();
47808 - fscache_stat(&fscache_n_store_ops);
47809 - fscache_stat(&fscache_n_stores_ok);
47810 + fscache_stat_unchecked(&fscache_n_store_ops);
47811 + fscache_stat_unchecked(&fscache_n_stores_ok);
47812
47813 /* the slow work queue now carries its own ref on the object */
47814 fscache_put_operation(&op->op);
47815 @@ -861,14 +861,14 @@ int __fscache_write_page(struct fscache_
47816 return 0;
47817
47818 already_queued:
47819 - fscache_stat(&fscache_n_stores_again);
47820 + fscache_stat_unchecked(&fscache_n_stores_again);
47821 already_pending:
47822 spin_unlock(&cookie->stores_lock);
47823 spin_unlock(&object->lock);
47824 spin_unlock(&cookie->lock);
47825 radix_tree_preload_end();
47826 kfree(op);
47827 - fscache_stat(&fscache_n_stores_ok);
47828 + fscache_stat_unchecked(&fscache_n_stores_ok);
47829 _leave(" = 0");
47830 return 0;
47831
47832 @@ -886,14 +886,14 @@ nobufs:
47833 spin_unlock(&cookie->lock);
47834 radix_tree_preload_end();
47835 kfree(op);
47836 - fscache_stat(&fscache_n_stores_nobufs);
47837 + fscache_stat_unchecked(&fscache_n_stores_nobufs);
47838 _leave(" = -ENOBUFS");
47839 return -ENOBUFS;
47840
47841 nomem_free:
47842 kfree(op);
47843 nomem:
47844 - fscache_stat(&fscache_n_stores_oom);
47845 + fscache_stat_unchecked(&fscache_n_stores_oom);
47846 _leave(" = -ENOMEM");
47847 return -ENOMEM;
47848 }
47849 @@ -911,7 +911,7 @@ void __fscache_uncache_page(struct fscac
47850 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
47851 ASSERTCMP(page, !=, NULL);
47852
47853 - fscache_stat(&fscache_n_uncaches);
47854 + fscache_stat_unchecked(&fscache_n_uncaches);
47855
47856 /* cache withdrawal may beat us to it */
47857 if (!PageFsCache(page))
47858 @@ -964,7 +964,7 @@ void fscache_mark_pages_cached(struct fs
47859 unsigned long loop;
47860
47861 #ifdef CONFIG_FSCACHE_STATS
47862 - atomic_add(pagevec->nr, &fscache_n_marks);
47863 + atomic_add_unchecked(pagevec->nr, &fscache_n_marks);
47864 #endif
47865
47866 for (loop = 0; loop < pagevec->nr; loop++) {
47867 diff -urNp linux-2.6.32.49/fs/fscache/stats.c linux-2.6.32.49/fs/fscache/stats.c
47868 --- linux-2.6.32.49/fs/fscache/stats.c 2011-11-08 19:02:43.000000000 -0500
47869 +++ linux-2.6.32.49/fs/fscache/stats.c 2011-11-15 19:59:43.000000000 -0500
47870 @@ -18,95 +18,95 @@
47871 /*
47872 * operation counters
47873 */
47874 -atomic_t fscache_n_op_pend;
47875 -atomic_t fscache_n_op_run;
47876 -atomic_t fscache_n_op_enqueue;
47877 -atomic_t fscache_n_op_requeue;
47878 -atomic_t fscache_n_op_deferred_release;
47879 -atomic_t fscache_n_op_release;
47880 -atomic_t fscache_n_op_gc;
47881 -atomic_t fscache_n_op_cancelled;
47882 -atomic_t fscache_n_op_rejected;
47883 -
47884 -atomic_t fscache_n_attr_changed;
47885 -atomic_t fscache_n_attr_changed_ok;
47886 -atomic_t fscache_n_attr_changed_nobufs;
47887 -atomic_t fscache_n_attr_changed_nomem;
47888 -atomic_t fscache_n_attr_changed_calls;
47889 -
47890 -atomic_t fscache_n_allocs;
47891 -atomic_t fscache_n_allocs_ok;
47892 -atomic_t fscache_n_allocs_wait;
47893 -atomic_t fscache_n_allocs_nobufs;
47894 -atomic_t fscache_n_allocs_intr;
47895 -atomic_t fscache_n_allocs_object_dead;
47896 -atomic_t fscache_n_alloc_ops;
47897 -atomic_t fscache_n_alloc_op_waits;
47898 -
47899 -atomic_t fscache_n_retrievals;
47900 -atomic_t fscache_n_retrievals_ok;
47901 -atomic_t fscache_n_retrievals_wait;
47902 -atomic_t fscache_n_retrievals_nodata;
47903 -atomic_t fscache_n_retrievals_nobufs;
47904 -atomic_t fscache_n_retrievals_intr;
47905 -atomic_t fscache_n_retrievals_nomem;
47906 -atomic_t fscache_n_retrievals_object_dead;
47907 -atomic_t fscache_n_retrieval_ops;
47908 -atomic_t fscache_n_retrieval_op_waits;
47909 -
47910 -atomic_t fscache_n_stores;
47911 -atomic_t fscache_n_stores_ok;
47912 -atomic_t fscache_n_stores_again;
47913 -atomic_t fscache_n_stores_nobufs;
47914 -atomic_t fscache_n_stores_oom;
47915 -atomic_t fscache_n_store_ops;
47916 -atomic_t fscache_n_store_calls;
47917 -atomic_t fscache_n_store_pages;
47918 -atomic_t fscache_n_store_radix_deletes;
47919 -atomic_t fscache_n_store_pages_over_limit;
47920 -
47921 -atomic_t fscache_n_store_vmscan_not_storing;
47922 -atomic_t fscache_n_store_vmscan_gone;
47923 -atomic_t fscache_n_store_vmscan_busy;
47924 -atomic_t fscache_n_store_vmscan_cancelled;
47925 -
47926 -atomic_t fscache_n_marks;
47927 -atomic_t fscache_n_uncaches;
47928 -
47929 -atomic_t fscache_n_acquires;
47930 -atomic_t fscache_n_acquires_null;
47931 -atomic_t fscache_n_acquires_no_cache;
47932 -atomic_t fscache_n_acquires_ok;
47933 -atomic_t fscache_n_acquires_nobufs;
47934 -atomic_t fscache_n_acquires_oom;
47935 -
47936 -atomic_t fscache_n_updates;
47937 -atomic_t fscache_n_updates_null;
47938 -atomic_t fscache_n_updates_run;
47939 -
47940 -atomic_t fscache_n_relinquishes;
47941 -atomic_t fscache_n_relinquishes_null;
47942 -atomic_t fscache_n_relinquishes_waitcrt;
47943 -atomic_t fscache_n_relinquishes_retire;
47944 -
47945 -atomic_t fscache_n_cookie_index;
47946 -atomic_t fscache_n_cookie_data;
47947 -atomic_t fscache_n_cookie_special;
47948 -
47949 -atomic_t fscache_n_object_alloc;
47950 -atomic_t fscache_n_object_no_alloc;
47951 -atomic_t fscache_n_object_lookups;
47952 -atomic_t fscache_n_object_lookups_negative;
47953 -atomic_t fscache_n_object_lookups_positive;
47954 -atomic_t fscache_n_object_lookups_timed_out;
47955 -atomic_t fscache_n_object_created;
47956 -atomic_t fscache_n_object_avail;
47957 -atomic_t fscache_n_object_dead;
47958 -
47959 -atomic_t fscache_n_checkaux_none;
47960 -atomic_t fscache_n_checkaux_okay;
47961 -atomic_t fscache_n_checkaux_update;
47962 -atomic_t fscache_n_checkaux_obsolete;
47963 +atomic_unchecked_t fscache_n_op_pend;
47964 +atomic_unchecked_t fscache_n_op_run;
47965 +atomic_unchecked_t fscache_n_op_enqueue;
47966 +atomic_unchecked_t fscache_n_op_requeue;
47967 +atomic_unchecked_t fscache_n_op_deferred_release;
47968 +atomic_unchecked_t fscache_n_op_release;
47969 +atomic_unchecked_t fscache_n_op_gc;
47970 +atomic_unchecked_t fscache_n_op_cancelled;
47971 +atomic_unchecked_t fscache_n_op_rejected;
47972 +
47973 +atomic_unchecked_t fscache_n_attr_changed;
47974 +atomic_unchecked_t fscache_n_attr_changed_ok;
47975 +atomic_unchecked_t fscache_n_attr_changed_nobufs;
47976 +atomic_unchecked_t fscache_n_attr_changed_nomem;
47977 +atomic_unchecked_t fscache_n_attr_changed_calls;
47978 +
47979 +atomic_unchecked_t fscache_n_allocs;
47980 +atomic_unchecked_t fscache_n_allocs_ok;
47981 +atomic_unchecked_t fscache_n_allocs_wait;
47982 +atomic_unchecked_t fscache_n_allocs_nobufs;
47983 +atomic_unchecked_t fscache_n_allocs_intr;
47984 +atomic_unchecked_t fscache_n_allocs_object_dead;
47985 +atomic_unchecked_t fscache_n_alloc_ops;
47986 +atomic_unchecked_t fscache_n_alloc_op_waits;
47987 +
47988 +atomic_unchecked_t fscache_n_retrievals;
47989 +atomic_unchecked_t fscache_n_retrievals_ok;
47990 +atomic_unchecked_t fscache_n_retrievals_wait;
47991 +atomic_unchecked_t fscache_n_retrievals_nodata;
47992 +atomic_unchecked_t fscache_n_retrievals_nobufs;
47993 +atomic_unchecked_t fscache_n_retrievals_intr;
47994 +atomic_unchecked_t fscache_n_retrievals_nomem;
47995 +atomic_unchecked_t fscache_n_retrievals_object_dead;
47996 +atomic_unchecked_t fscache_n_retrieval_ops;
47997 +atomic_unchecked_t fscache_n_retrieval_op_waits;
47998 +
47999 +atomic_unchecked_t fscache_n_stores;
48000 +atomic_unchecked_t fscache_n_stores_ok;
48001 +atomic_unchecked_t fscache_n_stores_again;
48002 +atomic_unchecked_t fscache_n_stores_nobufs;
48003 +atomic_unchecked_t fscache_n_stores_oom;
48004 +atomic_unchecked_t fscache_n_store_ops;
48005 +atomic_unchecked_t fscache_n_store_calls;
48006 +atomic_unchecked_t fscache_n_store_pages;
48007 +atomic_unchecked_t fscache_n_store_radix_deletes;
48008 +atomic_unchecked_t fscache_n_store_pages_over_limit;
48009 +
48010 +atomic_unchecked_t fscache_n_store_vmscan_not_storing;
48011 +atomic_unchecked_t fscache_n_store_vmscan_gone;
48012 +atomic_unchecked_t fscache_n_store_vmscan_busy;
48013 +atomic_unchecked_t fscache_n_store_vmscan_cancelled;
48014 +
48015 +atomic_unchecked_t fscache_n_marks;
48016 +atomic_unchecked_t fscache_n_uncaches;
48017 +
48018 +atomic_unchecked_t fscache_n_acquires;
48019 +atomic_unchecked_t fscache_n_acquires_null;
48020 +atomic_unchecked_t fscache_n_acquires_no_cache;
48021 +atomic_unchecked_t fscache_n_acquires_ok;
48022 +atomic_unchecked_t fscache_n_acquires_nobufs;
48023 +atomic_unchecked_t fscache_n_acquires_oom;
48024 +
48025 +atomic_unchecked_t fscache_n_updates;
48026 +atomic_unchecked_t fscache_n_updates_null;
48027 +atomic_unchecked_t fscache_n_updates_run;
48028 +
48029 +atomic_unchecked_t fscache_n_relinquishes;
48030 +atomic_unchecked_t fscache_n_relinquishes_null;
48031 +atomic_unchecked_t fscache_n_relinquishes_waitcrt;
48032 +atomic_unchecked_t fscache_n_relinquishes_retire;
48033 +
48034 +atomic_unchecked_t fscache_n_cookie_index;
48035 +atomic_unchecked_t fscache_n_cookie_data;
48036 +atomic_unchecked_t fscache_n_cookie_special;
48037 +
48038 +atomic_unchecked_t fscache_n_object_alloc;
48039 +atomic_unchecked_t fscache_n_object_no_alloc;
48040 +atomic_unchecked_t fscache_n_object_lookups;
48041 +atomic_unchecked_t fscache_n_object_lookups_negative;
48042 +atomic_unchecked_t fscache_n_object_lookups_positive;
48043 +atomic_unchecked_t fscache_n_object_lookups_timed_out;
48044 +atomic_unchecked_t fscache_n_object_created;
48045 +atomic_unchecked_t fscache_n_object_avail;
48046 +atomic_unchecked_t fscache_n_object_dead;
48047 +
48048 +atomic_unchecked_t fscache_n_checkaux_none;
48049 +atomic_unchecked_t fscache_n_checkaux_okay;
48050 +atomic_unchecked_t fscache_n_checkaux_update;
48051 +atomic_unchecked_t fscache_n_checkaux_obsolete;
48052
48053 atomic_t fscache_n_cop_alloc_object;
48054 atomic_t fscache_n_cop_lookup_object;
48055 @@ -133,113 +133,113 @@ static int fscache_stats_show(struct seq
48056 seq_puts(m, "FS-Cache statistics\n");
48057
48058 seq_printf(m, "Cookies: idx=%u dat=%u spc=%u\n",
48059 - atomic_read(&fscache_n_cookie_index),
48060 - atomic_read(&fscache_n_cookie_data),
48061 - atomic_read(&fscache_n_cookie_special));
48062 + atomic_read_unchecked(&fscache_n_cookie_index),
48063 + atomic_read_unchecked(&fscache_n_cookie_data),
48064 + atomic_read_unchecked(&fscache_n_cookie_special));
48065
48066 seq_printf(m, "Objects: alc=%u nal=%u avl=%u ded=%u\n",
48067 - atomic_read(&fscache_n_object_alloc),
48068 - atomic_read(&fscache_n_object_no_alloc),
48069 - atomic_read(&fscache_n_object_avail),
48070 - atomic_read(&fscache_n_object_dead));
48071 + atomic_read_unchecked(&fscache_n_object_alloc),
48072 + atomic_read_unchecked(&fscache_n_object_no_alloc),
48073 + atomic_read_unchecked(&fscache_n_object_avail),
48074 + atomic_read_unchecked(&fscache_n_object_dead));
48075 seq_printf(m, "ChkAux : non=%u ok=%u upd=%u obs=%u\n",
48076 - atomic_read(&fscache_n_checkaux_none),
48077 - atomic_read(&fscache_n_checkaux_okay),
48078 - atomic_read(&fscache_n_checkaux_update),
48079 - atomic_read(&fscache_n_checkaux_obsolete));
48080 + atomic_read_unchecked(&fscache_n_checkaux_none),
48081 + atomic_read_unchecked(&fscache_n_checkaux_okay),
48082 + atomic_read_unchecked(&fscache_n_checkaux_update),
48083 + atomic_read_unchecked(&fscache_n_checkaux_obsolete));
48084
48085 seq_printf(m, "Pages : mrk=%u unc=%u\n",
48086 - atomic_read(&fscache_n_marks),
48087 - atomic_read(&fscache_n_uncaches));
48088 + atomic_read_unchecked(&fscache_n_marks),
48089 + atomic_read_unchecked(&fscache_n_uncaches));
48090
48091 seq_printf(m, "Acquire: n=%u nul=%u noc=%u ok=%u nbf=%u"
48092 " oom=%u\n",
48093 - atomic_read(&fscache_n_acquires),
48094 - atomic_read(&fscache_n_acquires_null),
48095 - atomic_read(&fscache_n_acquires_no_cache),
48096 - atomic_read(&fscache_n_acquires_ok),
48097 - atomic_read(&fscache_n_acquires_nobufs),
48098 - atomic_read(&fscache_n_acquires_oom));
48099 + atomic_read_unchecked(&fscache_n_acquires),
48100 + atomic_read_unchecked(&fscache_n_acquires_null),
48101 + atomic_read_unchecked(&fscache_n_acquires_no_cache),
48102 + atomic_read_unchecked(&fscache_n_acquires_ok),
48103 + atomic_read_unchecked(&fscache_n_acquires_nobufs),
48104 + atomic_read_unchecked(&fscache_n_acquires_oom));
48105
48106 seq_printf(m, "Lookups: n=%u neg=%u pos=%u crt=%u tmo=%u\n",
48107 - atomic_read(&fscache_n_object_lookups),
48108 - atomic_read(&fscache_n_object_lookups_negative),
48109 - atomic_read(&fscache_n_object_lookups_positive),
48110 - atomic_read(&fscache_n_object_lookups_timed_out),
48111 - atomic_read(&fscache_n_object_created));
48112 + atomic_read_unchecked(&fscache_n_object_lookups),
48113 + atomic_read_unchecked(&fscache_n_object_lookups_negative),
48114 + atomic_read_unchecked(&fscache_n_object_lookups_positive),
48115 + atomic_read_unchecked(&fscache_n_object_lookups_timed_out),
48116 + atomic_read_unchecked(&fscache_n_object_created));
48117
48118 seq_printf(m, "Updates: n=%u nul=%u run=%u\n",
48119 - atomic_read(&fscache_n_updates),
48120 - atomic_read(&fscache_n_updates_null),
48121 - atomic_read(&fscache_n_updates_run));
48122 + atomic_read_unchecked(&fscache_n_updates),
48123 + atomic_read_unchecked(&fscache_n_updates_null),
48124 + atomic_read_unchecked(&fscache_n_updates_run));
48125
48126 seq_printf(m, "Relinqs: n=%u nul=%u wcr=%u rtr=%u\n",
48127 - atomic_read(&fscache_n_relinquishes),
48128 - atomic_read(&fscache_n_relinquishes_null),
48129 - atomic_read(&fscache_n_relinquishes_waitcrt),
48130 - atomic_read(&fscache_n_relinquishes_retire));
48131 + atomic_read_unchecked(&fscache_n_relinquishes),
48132 + atomic_read_unchecked(&fscache_n_relinquishes_null),
48133 + atomic_read_unchecked(&fscache_n_relinquishes_waitcrt),
48134 + atomic_read_unchecked(&fscache_n_relinquishes_retire));
48135
48136 seq_printf(m, "AttrChg: n=%u ok=%u nbf=%u oom=%u run=%u\n",
48137 - atomic_read(&fscache_n_attr_changed),
48138 - atomic_read(&fscache_n_attr_changed_ok),
48139 - atomic_read(&fscache_n_attr_changed_nobufs),
48140 - atomic_read(&fscache_n_attr_changed_nomem),
48141 - atomic_read(&fscache_n_attr_changed_calls));
48142 + atomic_read_unchecked(&fscache_n_attr_changed),
48143 + atomic_read_unchecked(&fscache_n_attr_changed_ok),
48144 + atomic_read_unchecked(&fscache_n_attr_changed_nobufs),
48145 + atomic_read_unchecked(&fscache_n_attr_changed_nomem),
48146 + atomic_read_unchecked(&fscache_n_attr_changed_calls));
48147
48148 seq_printf(m, "Allocs : n=%u ok=%u wt=%u nbf=%u int=%u\n",
48149 - atomic_read(&fscache_n_allocs),
48150 - atomic_read(&fscache_n_allocs_ok),
48151 - atomic_read(&fscache_n_allocs_wait),
48152 - atomic_read(&fscache_n_allocs_nobufs),
48153 - atomic_read(&fscache_n_allocs_intr));
48154 + atomic_read_unchecked(&fscache_n_allocs),
48155 + atomic_read_unchecked(&fscache_n_allocs_ok),
48156 + atomic_read_unchecked(&fscache_n_allocs_wait),
48157 + atomic_read_unchecked(&fscache_n_allocs_nobufs),
48158 + atomic_read_unchecked(&fscache_n_allocs_intr));
48159 seq_printf(m, "Allocs : ops=%u owt=%u abt=%u\n",
48160 - atomic_read(&fscache_n_alloc_ops),
48161 - atomic_read(&fscache_n_alloc_op_waits),
48162 - atomic_read(&fscache_n_allocs_object_dead));
48163 + atomic_read_unchecked(&fscache_n_alloc_ops),
48164 + atomic_read_unchecked(&fscache_n_alloc_op_waits),
48165 + atomic_read_unchecked(&fscache_n_allocs_object_dead));
48166
48167 seq_printf(m, "Retrvls: n=%u ok=%u wt=%u nod=%u nbf=%u"
48168 " int=%u oom=%u\n",
48169 - atomic_read(&fscache_n_retrievals),
48170 - atomic_read(&fscache_n_retrievals_ok),
48171 - atomic_read(&fscache_n_retrievals_wait),
48172 - atomic_read(&fscache_n_retrievals_nodata),
48173 - atomic_read(&fscache_n_retrievals_nobufs),
48174 - atomic_read(&fscache_n_retrievals_intr),
48175 - atomic_read(&fscache_n_retrievals_nomem));
48176 + atomic_read_unchecked(&fscache_n_retrievals),
48177 + atomic_read_unchecked(&fscache_n_retrievals_ok),
48178 + atomic_read_unchecked(&fscache_n_retrievals_wait),
48179 + atomic_read_unchecked(&fscache_n_retrievals_nodata),
48180 + atomic_read_unchecked(&fscache_n_retrievals_nobufs),
48181 + atomic_read_unchecked(&fscache_n_retrievals_intr),
48182 + atomic_read_unchecked(&fscache_n_retrievals_nomem));
48183 seq_printf(m, "Retrvls: ops=%u owt=%u abt=%u\n",
48184 - atomic_read(&fscache_n_retrieval_ops),
48185 - atomic_read(&fscache_n_retrieval_op_waits),
48186 - atomic_read(&fscache_n_retrievals_object_dead));
48187 + atomic_read_unchecked(&fscache_n_retrieval_ops),
48188 + atomic_read_unchecked(&fscache_n_retrieval_op_waits),
48189 + atomic_read_unchecked(&fscache_n_retrievals_object_dead));
48190
48191 seq_printf(m, "Stores : n=%u ok=%u agn=%u nbf=%u oom=%u\n",
48192 - atomic_read(&fscache_n_stores),
48193 - atomic_read(&fscache_n_stores_ok),
48194 - atomic_read(&fscache_n_stores_again),
48195 - atomic_read(&fscache_n_stores_nobufs),
48196 - atomic_read(&fscache_n_stores_oom));
48197 + atomic_read_unchecked(&fscache_n_stores),
48198 + atomic_read_unchecked(&fscache_n_stores_ok),
48199 + atomic_read_unchecked(&fscache_n_stores_again),
48200 + atomic_read_unchecked(&fscache_n_stores_nobufs),
48201 + atomic_read_unchecked(&fscache_n_stores_oom));
48202 seq_printf(m, "Stores : ops=%u run=%u pgs=%u rxd=%u olm=%u\n",
48203 - atomic_read(&fscache_n_store_ops),
48204 - atomic_read(&fscache_n_store_calls),
48205 - atomic_read(&fscache_n_store_pages),
48206 - atomic_read(&fscache_n_store_radix_deletes),
48207 - atomic_read(&fscache_n_store_pages_over_limit));
48208 + atomic_read_unchecked(&fscache_n_store_ops),
48209 + atomic_read_unchecked(&fscache_n_store_calls),
48210 + atomic_read_unchecked(&fscache_n_store_pages),
48211 + atomic_read_unchecked(&fscache_n_store_radix_deletes),
48212 + atomic_read_unchecked(&fscache_n_store_pages_over_limit));
48213
48214 seq_printf(m, "VmScan : nos=%u gon=%u bsy=%u can=%u\n",
48215 - atomic_read(&fscache_n_store_vmscan_not_storing),
48216 - atomic_read(&fscache_n_store_vmscan_gone),
48217 - atomic_read(&fscache_n_store_vmscan_busy),
48218 - atomic_read(&fscache_n_store_vmscan_cancelled));
48219 + atomic_read_unchecked(&fscache_n_store_vmscan_not_storing),
48220 + atomic_read_unchecked(&fscache_n_store_vmscan_gone),
48221 + atomic_read_unchecked(&fscache_n_store_vmscan_busy),
48222 + atomic_read_unchecked(&fscache_n_store_vmscan_cancelled));
48223
48224 seq_printf(m, "Ops : pend=%u run=%u enq=%u can=%u rej=%u\n",
48225 - atomic_read(&fscache_n_op_pend),
48226 - atomic_read(&fscache_n_op_run),
48227 - atomic_read(&fscache_n_op_enqueue),
48228 - atomic_read(&fscache_n_op_cancelled),
48229 - atomic_read(&fscache_n_op_rejected));
48230 + atomic_read_unchecked(&fscache_n_op_pend),
48231 + atomic_read_unchecked(&fscache_n_op_run),
48232 + atomic_read_unchecked(&fscache_n_op_enqueue),
48233 + atomic_read_unchecked(&fscache_n_op_cancelled),
48234 + atomic_read_unchecked(&fscache_n_op_rejected));
48235 seq_printf(m, "Ops : dfr=%u rel=%u gc=%u\n",
48236 - atomic_read(&fscache_n_op_deferred_release),
48237 - atomic_read(&fscache_n_op_release),
48238 - atomic_read(&fscache_n_op_gc));
48239 + atomic_read_unchecked(&fscache_n_op_deferred_release),
48240 + atomic_read_unchecked(&fscache_n_op_release),
48241 + atomic_read_unchecked(&fscache_n_op_gc));
48242
48243 seq_printf(m, "CacheOp: alo=%d luo=%d luc=%d gro=%d\n",
48244 atomic_read(&fscache_n_cop_alloc_object),
48245 diff -urNp linux-2.6.32.49/fs/fs_struct.c linux-2.6.32.49/fs/fs_struct.c
48246 --- linux-2.6.32.49/fs/fs_struct.c 2011-11-08 19:02:43.000000000 -0500
48247 +++ linux-2.6.32.49/fs/fs_struct.c 2011-11-15 19:59:43.000000000 -0500
48248 @@ -4,6 +4,7 @@
48249 #include <linux/path.h>
48250 #include <linux/slab.h>
48251 #include <linux/fs_struct.h>
48252 +#include <linux/grsecurity.h>
48253
48254 /*
48255 * Replace the fs->{rootmnt,root} with {mnt,dentry}. Put the old values.
48256 @@ -17,6 +18,7 @@ void set_fs_root(struct fs_struct *fs, s
48257 old_root = fs->root;
48258 fs->root = *path;
48259 path_get(path);
48260 + gr_set_chroot_entries(current, path);
48261 write_unlock(&fs->lock);
48262 if (old_root.dentry)
48263 path_put(&old_root);
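Review bot: `gr_set_chroot_entries(current, path)` updates only the calling task, although `set_fs_root()` receives an arbitrary `fs` that can be shared between tasks (CLONE_FS), so other tasks using the same `fs_struct` may keep stale chroot entries. The `chroot_fs_refs()` hunk below passes the owning task `p` instead, which suggests per-task state is intended. The call also runs with `fs->lock` write-held, so the helper must not sleep; its body is not visible here. A comment such as `/* under fs->lock: must not sleep; updates current only, not other sharers of fs */` would record both assumptions. set_fs_root() begins outside the hunk.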
48264 @@ -56,6 +58,7 @@ void chroot_fs_refs(struct path *old_roo
48265 && fs->root.mnt == old_root->mnt) {
48266 path_get(new_root);
48267 fs->root = *new_root;
48268 + gr_set_chroot_entries(p, new_root);
48269 count++;
48270 }
48271 if (fs->pwd.dentry == old_root->dentry
48272 @@ -89,7 +92,8 @@ void exit_fs(struct task_struct *tsk)
48273 task_lock(tsk);
48274 write_lock(&fs->lock);
48275 tsk->fs = NULL;
48276 - kill = !--fs->users;
48277 + gr_clear_chroot_entries(tsk);
48278 + kill = !atomic_dec_return(&fs->users);
48279 write_unlock(&fs->lock);
48280 task_unlock(tsk);
48281 if (kill)
48282 @@ -102,7 +106,7 @@ struct fs_struct *copy_fs_struct(struct
48283 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
48284 /* We don't need to lock fs - think why ;-) */
48285 if (fs) {
48286 - fs->users = 1;
48287 + atomic_set(&fs->users, 1);
48288 fs->in_exec = 0;
48289 rwlock_init(&fs->lock);
48290 fs->umask = old->umask;
48291 @@ -127,8 +131,9 @@ int unshare_fs_struct(void)
48292
48293 task_lock(current);
48294 write_lock(&fs->lock);
48295 - kill = !--fs->users;
48296 + kill = !atomic_dec_return(&fs->users);
48297 current->fs = new_fs;
48298 + gr_set_chroot_entries(current, &new_fs->root);
48299 write_unlock(&fs->lock);
48300 task_unlock(current);
48301
48302 @@ -147,7 +152,7 @@ EXPORT_SYMBOL(current_umask);
48303
48304 /* to be mentioned only in INIT_TASK */
48305 struct fs_struct init_fs = {
48306 - .users = 1,
48307 + .users = ATOMIC_INIT(1),
48308 .lock = __RW_LOCK_UNLOCKED(init_fs.lock),
48309 .umask = 0022,
48310 };
48311 @@ -162,12 +167,13 @@ void daemonize_fs_struct(void)
48312 task_lock(current);
48313
48314 write_lock(&init_fs.lock);
48315 - init_fs.users++;
48316 + atomic_inc(&init_fs.users);
48317 write_unlock(&init_fs.lock);
48318
48319 write_lock(&fs->lock);
48320 current->fs = &init_fs;
48321 - kill = !--fs->users;
48322 + gr_set_chroot_entries(current, &current->fs->root);
48323 + kill = !atomic_dec_return(&fs->users);
48324 write_unlock(&fs->lock);
48325
48326 task_unlock(current);
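Review bot: `gr_set_chroot_entries(current, &current->fs->root)` reads `init_fs.root` after `init_fs.lock` was released a few lines earlier; only the old `fs->lock` is held at that point. If another task can change `init_fs.root` concurrently, the helper sees an unprotected read. Moving the call into the `write_lock(&init_fs.lock)` section and passing `&init_fs.root` explicitly would make the locking match the object being read. Whether the helper needs a stable path is not visible in this hunk.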
48327 diff -urNp linux-2.6.32.49/fs/fuse/cuse.c linux-2.6.32.49/fs/fuse/cuse.c
48328 --- linux-2.6.32.49/fs/fuse/cuse.c 2011-11-08 19:02:43.000000000 -0500
48329 +++ linux-2.6.32.49/fs/fuse/cuse.c 2011-11-15 19:59:43.000000000 -0500
48330 @@ -576,10 +576,12 @@ static int __init cuse_init(void)
48331 INIT_LIST_HEAD(&cuse_conntbl[i]);
48332
48333 /* inherit and extend fuse_dev_operations */
48334 - cuse_channel_fops = fuse_dev_operations;
48335 - cuse_channel_fops.owner = THIS_MODULE;
48336 - cuse_channel_fops.open = cuse_channel_open;
48337 - cuse_channel_fops.release = cuse_channel_release;
48338 + pax_open_kernel();
48339 + memcpy((void *)&cuse_channel_fops, &fuse_dev_operations, sizeof(fuse_dev_operations));
48340 + *(void **)&cuse_channel_fops.owner = THIS_MODULE;
48341 + *(void **)&cuse_channel_fops.open = cuse_channel_open;
48342 + *(void **)&cuse_channel_fops.release = cuse_channel_release;
48343 + pax_close_kernel();
48344
48345 cuse_class = class_create(THIS_MODULE, "cuse");
48346 if (IS_ERR(cuse_class))
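Review bot: The `memcpy()` into `cuse_channel_fops` is sized by the source, `sizeof(fuse_dev_operations)`. Using `sizeof(cuse_channel_fops)` ties the length to the object being written, which matters more because the store happens inside the `pax_open_kernel()` window. The three `*(void **)&cuse_channel_fops.<member>` stores go through a `void *` lvalue, so the compiler no longer checks that the handler matches the member's prototype. A one-line comment saying the object is presumably read-only after this patch, and that the window must stay this small, would explain the casts. The same `*(void **)&` store appears in the fs/mbcache.c hunk on `cache->c_op.free`, there without a `pax_open_kernel()` pair. cuse_init() begins and ends outside the hunk.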
48347 diff -urNp linux-2.6.32.49/fs/fuse/dev.c linux-2.6.32.49/fs/fuse/dev.c
48348 --- linux-2.6.32.49/fs/fuse/dev.c 2011-11-08 19:02:43.000000000 -0500
48349 +++ linux-2.6.32.49/fs/fuse/dev.c 2011-11-15 19:59:43.000000000 -0500
48350 @@ -885,7 +885,7 @@ static int fuse_notify_inval_entry(struc
48351 {
48352 struct fuse_notify_inval_entry_out outarg;
48353 int err = -EINVAL;
48354 - char buf[FUSE_NAME_MAX+1];
48355 + char *buf = NULL;
48356 struct qstr name;
48357
48358 if (size < sizeof(outarg))
48359 @@ -899,6 +899,11 @@ static int fuse_notify_inval_entry(struc
48360 if (outarg.namelen > FUSE_NAME_MAX)
48361 goto err;
48362
48363 + err = -ENOMEM;
48364 + buf = kmalloc(FUSE_NAME_MAX+1, GFP_KERNEL);
48365 + if (!buf)
48366 + goto err;
48367 +
48368 err = -EINVAL;
48369 if (size != sizeof(outarg) + outarg.namelen + 1)
48370 goto err;
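Review bot: The `kmalloc(FUSE_NAME_MAX+1, GFP_KERNEL)` sits before the `size != sizeof(outarg) + outarg.namelen + 1` check, so a message about to be rejected as malformed still costs an allocation and a free. Placing the allocation after that check avoids this. Since `outarg.namelen` is already bounded by `FUSE_NAME_MAX` here, `buf = kmalloc(outarg.namelen + 1, GFP_KERNEL);` would also size the buffer to the name actually copied, assuming the copy into `buf` (outside this hunk) uses `outarg.namelen + 1`. The `kfree(buf)` on the `err:` path in the next hunk is safe for the early exits because `buf` starts as `NULL`.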
48371 @@ -914,17 +919,15 @@ static int fuse_notify_inval_entry(struc
48372
48373 down_read(&fc->killsb);
48374 err = -ENOENT;
48375 - if (!fc->sb)
48376 - goto err_unlock;
48377 -
48378 - err = fuse_reverse_inval_entry(fc->sb, outarg.parent, &name);
48379 -
48380 -err_unlock:
48381 + if (fc->sb)
48382 + err = fuse_reverse_inval_entry(fc->sb, outarg.parent, &name);
48383 up_read(&fc->killsb);
48384 + kfree(buf);
48385 return err;
48386
48387 err:
48388 fuse_copy_finish(cs);
48389 + kfree(buf);
48390 return err;
48391 }
48392
48393 diff -urNp linux-2.6.32.49/fs/fuse/dir.c linux-2.6.32.49/fs/fuse/dir.c
48394 --- linux-2.6.32.49/fs/fuse/dir.c 2011-11-08 19:02:43.000000000 -0500
48395 +++ linux-2.6.32.49/fs/fuse/dir.c 2011-11-15 19:59:43.000000000 -0500
48396 @@ -1127,7 +1127,7 @@ static char *read_link(struct dentry *de
48397 return link;
48398 }
48399
48400 -static void free_link(char *link)
48401 +static void free_link(const char *link)
48402 {
48403 if (!IS_ERR(link))
48404 free_page((unsigned long) link);
48405 diff -urNp linux-2.6.32.49/fs/gfs2/ops_inode.c linux-2.6.32.49/fs/gfs2/ops_inode.c
48406 --- linux-2.6.32.49/fs/gfs2/ops_inode.c 2011-11-08 19:02:43.000000000 -0500
48407 +++ linux-2.6.32.49/fs/gfs2/ops_inode.c 2011-11-15 19:59:43.000000000 -0500
48408 @@ -752,6 +752,8 @@ static int gfs2_rename(struct inode *odi
48409 unsigned int x;
48410 int error;
48411
48412 + pax_track_stack();
48413 +
48414 if (ndentry->d_inode) {
48415 nip = GFS2_I(ndentry->d_inode);
48416 if (ip == nip)
48417 diff -urNp linux-2.6.32.49/fs/gfs2/sys.c linux-2.6.32.49/fs/gfs2/sys.c
48418 --- linux-2.6.32.49/fs/gfs2/sys.c 2011-11-08 19:02:43.000000000 -0500
48419 +++ linux-2.6.32.49/fs/gfs2/sys.c 2011-11-15 19:59:43.000000000 -0500
48420 @@ -49,7 +49,7 @@ static ssize_t gfs2_attr_store(struct ko
48421 return a->store ? a->store(sdp, buf, len) : len;
48422 }
48423
48424 -static struct sysfs_ops gfs2_attr_ops = {
48425 +static const struct sysfs_ops gfs2_attr_ops = {
48426 .show = gfs2_attr_show,
48427 .store = gfs2_attr_store,
48428 };
48429 @@ -584,7 +584,7 @@ static int gfs2_uevent(struct kset *kset
48430 return 0;
48431 }
48432
48433 -static struct kset_uevent_ops gfs2_uevent_ops = {
48434 +static const struct kset_uevent_ops gfs2_uevent_ops = {
48435 .uevent = gfs2_uevent,
48436 };
48437
48438 diff -urNp linux-2.6.32.49/fs/hfs/btree.c linux-2.6.32.49/fs/hfs/btree.c
48439 --- linux-2.6.32.49/fs/hfs/btree.c 2011-11-08 19:02:43.000000000 -0500
48440 +++ linux-2.6.32.49/fs/hfs/btree.c 2011-11-18 18:49:57.000000000 -0500
48441 @@ -45,11 +45,27 @@ struct hfs_btree *hfs_btree_open(struct
48442 case HFS_EXT_CNID:
48443 hfs_inode_read_fork(tree->inode, mdb->drXTExtRec, mdb->drXTFlSize,
48444 mdb->drXTFlSize, be32_to_cpu(mdb->drXTClpSiz));
48445 +
48446 + if (HFS_I(tree->inode)->alloc_blocks >
48447 + HFS_I(tree->inode)->first_blocks) {
48448 + printk(KERN_ERR "hfs: invalid btree extent records\n");
48449 + unlock_new_inode(tree->inode);
48450 + goto free_inode;
48451 + }
48452 +
48453 tree->inode->i_mapping->a_ops = &hfs_btree_aops;
48454 break;
48455 case HFS_CAT_CNID:
48456 hfs_inode_read_fork(tree->inode, mdb->drCTExtRec, mdb->drCTFlSize,
48457 mdb->drCTFlSize, be32_to_cpu(mdb->drCTClpSiz));
48458 +
48459 + if (!HFS_I(tree->inode)->first_blocks) {
48460 + printk(KERN_ERR "hfs: invalid btree extent records "
48461 + "(0 size).\n");
48462 + unlock_new_inode(tree->inode);
48463 + goto free_inode;
48464 + }
48465 +
48466 tree->inode->i_mapping->a_ops = &hfs_btree_aops;
48467 break;
48468 default:
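Review bot: After this change the `HFS_EXT_CNID` case rejects only `alloc_blocks > first_blocks`, while the zero-size test on `first_blocks` now lives in the `HFS_CAT_CNID` case alone, because the next hunk removes the common check after the switch. An extents tree whose record gives zero `first_blocks` and zero `alloc_blocks` therefore passes where it was rejected before. These values come from the on-disk MDB and should be treated as untrusted. If accepting an empty extents tree is intended, say so in a comment; otherwise add `!HFS_I(tree->inode)->first_blocks ||` to the condition in the extents case. hfs_btree_open() begins and ends outside the hunk.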
48469 @@ -58,11 +74,6 @@ struct hfs_btree *hfs_btree_open(struct
48470 }
48471 unlock_new_inode(tree->inode);
48472
48473 - if (!HFS_I(tree->inode)->first_blocks) {
48474 - printk(KERN_ERR "hfs: invalid btree extent records (0 size).\n");
48475 - goto free_inode;
48476 - }
48477 -
48478 mapping = tree->inode->i_mapping;
48479 page = read_mapping_page(mapping, 0, NULL);
48480 if (IS_ERR(page))
48481 diff -urNp linux-2.6.32.49/fs/hfsplus/catalog.c linux-2.6.32.49/fs/hfsplus/catalog.c
48482 --- linux-2.6.32.49/fs/hfsplus/catalog.c 2011-11-08 19:02:43.000000000 -0500
48483 +++ linux-2.6.32.49/fs/hfsplus/catalog.c 2011-11-15 19:59:43.000000000 -0500
48484 @@ -157,6 +157,8 @@ int hfsplus_find_cat(struct super_block
48485 int err;
48486 u16 type;
48487
48488 + pax_track_stack();
48489 +
48490 hfsplus_cat_build_key(sb, fd->search_key, cnid, NULL);
48491 err = hfs_brec_read(fd, &tmp, sizeof(hfsplus_cat_entry));
48492 if (err)
48493 @@ -186,6 +188,8 @@ int hfsplus_create_cat(u32 cnid, struct
48494 int entry_size;
48495 int err;
48496
48497 + pax_track_stack();
48498 +
48499 dprint(DBG_CAT_MOD, "create_cat: %s,%u(%d)\n", str->name, cnid, inode->i_nlink);
48500 sb = dir->i_sb;
48501 hfs_find_init(HFSPLUS_SB(sb).cat_tree, &fd);
48502 @@ -318,6 +322,8 @@ int hfsplus_rename_cat(u32 cnid,
48503 int entry_size, type;
48504 int err = 0;
48505
48506 + pax_track_stack();
48507 +
48508 dprint(DBG_CAT_MOD, "rename_cat: %u - %lu,%s - %lu,%s\n", cnid, src_dir->i_ino, src_name->name,
48509 dst_dir->i_ino, dst_name->name);
48510 sb = src_dir->i_sb;
48511 diff -urNp linux-2.6.32.49/fs/hfsplus/dir.c linux-2.6.32.49/fs/hfsplus/dir.c
48512 --- linux-2.6.32.49/fs/hfsplus/dir.c 2011-11-08 19:02:43.000000000 -0500
48513 +++ linux-2.6.32.49/fs/hfsplus/dir.c 2011-11-15 19:59:43.000000000 -0500
48514 @@ -121,6 +121,8 @@ static int hfsplus_readdir(struct file *
48515 struct hfsplus_readdir_data *rd;
48516 u16 type;
48517
48518 + pax_track_stack();
48519 +
48520 if (filp->f_pos >= inode->i_size)
48521 return 0;
48522
48523 diff -urNp linux-2.6.32.49/fs/hfsplus/inode.c linux-2.6.32.49/fs/hfsplus/inode.c
48524 --- linux-2.6.32.49/fs/hfsplus/inode.c 2011-11-08 19:02:43.000000000 -0500
48525 +++ linux-2.6.32.49/fs/hfsplus/inode.c 2011-11-15 19:59:43.000000000 -0500
48526 @@ -399,6 +399,8 @@ int hfsplus_cat_read_inode(struct inode
48527 int res = 0;
48528 u16 type;
48529
48530 + pax_track_stack();
48531 +
48532 type = hfs_bnode_read_u16(fd->bnode, fd->entryoffset);
48533
48534 HFSPLUS_I(inode).dev = 0;
48535 @@ -461,6 +463,8 @@ int hfsplus_cat_write_inode(struct inode
48536 struct hfs_find_data fd;
48537 hfsplus_cat_entry entry;
48538
48539 + pax_track_stack();
48540 +
48541 if (HFSPLUS_IS_RSRC(inode))
48542 main_inode = HFSPLUS_I(inode).rsrc_inode;
48543
48544 diff -urNp linux-2.6.32.49/fs/hfsplus/ioctl.c linux-2.6.32.49/fs/hfsplus/ioctl.c
48545 --- linux-2.6.32.49/fs/hfsplus/ioctl.c 2011-11-08 19:02:43.000000000 -0500
48546 +++ linux-2.6.32.49/fs/hfsplus/ioctl.c 2011-11-15 19:59:43.000000000 -0500
48547 @@ -101,6 +101,8 @@ int hfsplus_setxattr(struct dentry *dent
48548 struct hfsplus_cat_file *file;
48549 int res;
48550
48551 + pax_track_stack();
48552 +
48553 if (!S_ISREG(inode->i_mode) || HFSPLUS_IS_RSRC(inode))
48554 return -EOPNOTSUPP;
48555
48556 @@ -143,6 +145,8 @@ ssize_t hfsplus_getxattr(struct dentry *
48557 struct hfsplus_cat_file *file;
48558 ssize_t res = 0;
48559
48560 + pax_track_stack();
48561 +
48562 if (!S_ISREG(inode->i_mode) || HFSPLUS_IS_RSRC(inode))
48563 return -EOPNOTSUPP;
48564
48565 diff -urNp linux-2.6.32.49/fs/hfsplus/super.c linux-2.6.32.49/fs/hfsplus/super.c
48566 --- linux-2.6.32.49/fs/hfsplus/super.c 2011-11-08 19:02:43.000000000 -0500
48567 +++ linux-2.6.32.49/fs/hfsplus/super.c 2011-11-15 19:59:43.000000000 -0500
48568 @@ -312,6 +312,8 @@ static int hfsplus_fill_super(struct sup
48569 struct nls_table *nls = NULL;
48570 int err = -EINVAL;
48571
48572 + pax_track_stack();
48573 +
48574 sbi = kzalloc(sizeof(*sbi), GFP_KERNEL);
48575 if (!sbi)
48576 return -ENOMEM;
48577 diff -urNp linux-2.6.32.49/fs/hugetlbfs/inode.c linux-2.6.32.49/fs/hugetlbfs/inode.c
48578 --- linux-2.6.32.49/fs/hugetlbfs/inode.c 2011-11-08 19:02:43.000000000 -0500
48579 +++ linux-2.6.32.49/fs/hugetlbfs/inode.c 2011-11-15 19:59:43.000000000 -0500
48580 @@ -909,7 +909,7 @@ static struct file_system_type hugetlbfs
48581 .kill_sb = kill_litter_super,
48582 };
48583
48584 -static struct vfsmount *hugetlbfs_vfsmount;
48585 +struct vfsmount *hugetlbfs_vfsmount;
48586
48587 static int can_do_hugetlb_shm(void)
48588 {
48589 diff -urNp linux-2.6.32.49/fs/ioctl.c linux-2.6.32.49/fs/ioctl.c
48590 --- linux-2.6.32.49/fs/ioctl.c 2011-11-08 19:02:43.000000000 -0500
48591 +++ linux-2.6.32.49/fs/ioctl.c 2011-11-15 19:59:43.000000000 -0500
48592 @@ -97,7 +97,7 @@ int fiemap_fill_next_extent(struct fiema
48593 u64 phys, u64 len, u32 flags)
48594 {
48595 struct fiemap_extent extent;
48596 - struct fiemap_extent *dest = fieinfo->fi_extents_start;
48597 + struct fiemap_extent __user *dest = fieinfo->fi_extents_start;
48598
48599 /* only count the extents */
48600 if (fieinfo->fi_extents_max == 0) {
48601 @@ -207,7 +207,7 @@ static int ioctl_fiemap(struct file *fil
48602
48603 fieinfo.fi_flags = fiemap.fm_flags;
48604 fieinfo.fi_extents_max = fiemap.fm_extent_count;
48605 - fieinfo.fi_extents_start = (struct fiemap_extent *)(arg + sizeof(fiemap));
48606 + fieinfo.fi_extents_start = (struct fiemap_extent __user *)(arg + sizeof(fiemap));
48607
48608 if (fiemap.fm_extent_count != 0 &&
48609 !access_ok(VERIFY_WRITE, fieinfo.fi_extents_start,
48610 @@ -220,7 +220,7 @@ static int ioctl_fiemap(struct file *fil
48611 error = inode->i_op->fiemap(inode, &fieinfo, fiemap.fm_start, len);
48612 fiemap.fm_flags = fieinfo.fi_flags;
48613 fiemap.fm_mapped_extents = fieinfo.fi_extents_mapped;
48614 - if (copy_to_user((char *)arg, &fiemap, sizeof(fiemap)))
48615 + if (copy_to_user((__force char __user *)arg, &fiemap, sizeof(fiemap)))
48616 error = -EFAULT;
48617
48618 return error;
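Review bot: `(__force char __user *)arg` uses `__force`, which makes sparse accept the conversion unconditionally, while the previous hunk converts the same `arg` with a plain `(struct fiemap_extent __user *)` cast. If `arg` is an integer type, as the `arg + sizeof(fiemap)` arithmetic suggests, `__force` should not be needed, and `copy_to_user((char __user *)arg, &fiemap, sizeof(fiemap))` keeps the address-space check active. Using `__force` only where sparse cannot be satisfied otherwise keeps the annotation meaningful. ioctl_fiemap() begins outside the hunk.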
48619 diff -urNp linux-2.6.32.49/fs/jbd/checkpoint.c linux-2.6.32.49/fs/jbd/checkpoint.c
48620 --- linux-2.6.32.49/fs/jbd/checkpoint.c 2011-11-08 19:02:43.000000000 -0500
48621 +++ linux-2.6.32.49/fs/jbd/checkpoint.c 2011-11-15 19:59:43.000000000 -0500
48622 @@ -348,6 +348,8 @@ int log_do_checkpoint(journal_t *journal
48623 tid_t this_tid;
48624 int result;
48625
48626 + pax_track_stack();
48627 +
48628 jbd_debug(1, "Start checkpoint\n");
48629
48630 /*
48631 diff -urNp linux-2.6.32.49/fs/jffs2/compr_rtime.c linux-2.6.32.49/fs/jffs2/compr_rtime.c
48632 --- linux-2.6.32.49/fs/jffs2/compr_rtime.c 2011-11-08 19:02:43.000000000 -0500
48633 +++ linux-2.6.32.49/fs/jffs2/compr_rtime.c 2011-11-15 19:59:43.000000000 -0500
48634 @@ -37,6 +37,8 @@ static int jffs2_rtime_compress(unsigned
48635 int outpos = 0;
48636 int pos=0;
48637
48638 + pax_track_stack();
48639 +
48640 memset(positions,0,sizeof(positions));
48641
48642 while (pos < (*sourcelen) && outpos <= (*dstlen)-2) {
48643 @@ -79,6 +81,8 @@ static int jffs2_rtime_decompress(unsign
48644 int outpos = 0;
48645 int pos=0;
48646
48647 + pax_track_stack();
48648 +
48649 memset(positions,0,sizeof(positions));
48650
48651 while (outpos<destlen) {
48652 diff -urNp linux-2.6.32.49/fs/jffs2/compr_rubin.c linux-2.6.32.49/fs/jffs2/compr_rubin.c
48653 --- linux-2.6.32.49/fs/jffs2/compr_rubin.c 2011-11-08 19:02:43.000000000 -0500
48654 +++ linux-2.6.32.49/fs/jffs2/compr_rubin.c 2011-11-15 19:59:43.000000000 -0500
48655 @@ -314,6 +314,8 @@ static int jffs2_dynrubin_compress(unsig
48656 int ret;
48657 uint32_t mysrclen, mydstlen;
48658
48659 + pax_track_stack();
48660 +
48661 mysrclen = *sourcelen;
48662 mydstlen = *dstlen - 8;
48663
48664 diff -urNp linux-2.6.32.49/fs/jffs2/erase.c linux-2.6.32.49/fs/jffs2/erase.c
48665 --- linux-2.6.32.49/fs/jffs2/erase.c 2011-11-08 19:02:43.000000000 -0500
48666 +++ linux-2.6.32.49/fs/jffs2/erase.c 2011-11-15 19:59:43.000000000 -0500
48667 @@ -434,7 +434,8 @@ static void jffs2_mark_erased_block(stru
48668 struct jffs2_unknown_node marker = {
48669 .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
48670 .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
48671 - .totlen = cpu_to_je32(c->cleanmarker_size)
48672 + .totlen = cpu_to_je32(c->cleanmarker_size),
48673 + .hdr_crc = cpu_to_je32(0)
48674 };
48675
48676 jffs2_prealloc_raw_node_refs(c, jeb, 1);
48677 diff -urNp linux-2.6.32.49/fs/jffs2/wbuf.c linux-2.6.32.49/fs/jffs2/wbuf.c
48678 --- linux-2.6.32.49/fs/jffs2/wbuf.c 2011-11-08 19:02:43.000000000 -0500
48679 +++ linux-2.6.32.49/fs/jffs2/wbuf.c 2011-11-15 19:59:43.000000000 -0500
48680 @@ -1012,7 +1012,8 @@ static const struct jffs2_unknown_node o
48681 {
48682 .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
48683 .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
48684 - .totlen = constant_cpu_to_je32(8)
48685 + .totlen = constant_cpu_to_je32(8),
48686 + .hdr_crc = constant_cpu_to_je32(0)
48687 };
48688
48689 /*
48690 diff -urNp linux-2.6.32.49/fs/jffs2/xattr.c linux-2.6.32.49/fs/jffs2/xattr.c
48691 --- linux-2.6.32.49/fs/jffs2/xattr.c 2011-11-08 19:02:43.000000000 -0500
48692 +++ linux-2.6.32.49/fs/jffs2/xattr.c 2011-11-15 19:59:43.000000000 -0500
48693 @@ -773,6 +773,8 @@ void jffs2_build_xattr_subsystem(struct
48694
48695 BUG_ON(!(c->flags & JFFS2_SB_FLAG_BUILDING));
48696
48697 + pax_track_stack();
48698 +
48699 /* Phase.1 : Merge same xref */
48700 for (i=0; i < XREF_TMPHASH_SIZE; i++)
48701 xref_tmphash[i] = NULL;
48702 diff -urNp linux-2.6.32.49/fs/jfs/super.c linux-2.6.32.49/fs/jfs/super.c
48703 --- linux-2.6.32.49/fs/jfs/super.c 2011-11-08 19:02:43.000000000 -0500
48704 +++ linux-2.6.32.49/fs/jfs/super.c 2011-11-15 19:59:43.000000000 -0500
48705 @@ -793,7 +793,7 @@ static int __init init_jfs_fs(void)
48706
48707 jfs_inode_cachep =
48708 kmem_cache_create("jfs_ip", sizeof(struct jfs_inode_info), 0,
48709 - SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD,
48710 + SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD|SLAB_USERCOPY,
48711 init_once);
48712 if (jfs_inode_cachep == NULL)
48713 return -ENOMEM;
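Review bot: `SLAB_USERCOPY` is added to the whole `jfs_ip` cache with no comment saying which part of `struct jfs_inode_info` is copied to or from user space. The flag presumably exempts every object in the cache from the usercopy check, so the reason for the exemption should be recorded next to it. For example `/* SLAB_USERCOPY: <member of jfs_inode_info that is copied to/from userspace> */`, with the placeholder replaced by the real field. Without that, a later reader cannot tell whether the exemption is still needed. init_jfs_fs() begins and ends outside the hunk.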
48714 diff -urNp linux-2.6.32.49/fs/Kconfig.binfmt linux-2.6.32.49/fs/Kconfig.binfmt
48715 --- linux-2.6.32.49/fs/Kconfig.binfmt 2011-11-08 19:02:43.000000000 -0500
48716 +++ linux-2.6.32.49/fs/Kconfig.binfmt 2011-11-15 19:59:43.000000000 -0500
48717 @@ -86,7 +86,7 @@ config HAVE_AOUT
48718
48719 config BINFMT_AOUT
48720 tristate "Kernel support for a.out and ECOFF binaries"
48721 - depends on HAVE_AOUT
48722 + depends on HAVE_AOUT && BROKEN
48723 ---help---
48724 A.out (Assembler.OUTput) is a set of formats for libraries and
48725 executables used in the earliest versions of UNIX. Linux used
48726 diff -urNp linux-2.6.32.49/fs/libfs.c linux-2.6.32.49/fs/libfs.c
48727 --- linux-2.6.32.49/fs/libfs.c 2011-11-08 19:02:43.000000000 -0500
48728 +++ linux-2.6.32.49/fs/libfs.c 2011-11-15 19:59:43.000000000 -0500
48729 @@ -157,12 +157,20 @@ int dcache_readdir(struct file * filp, v
48730
48731 for (p=q->next; p != &dentry->d_subdirs; p=p->next) {
48732 struct dentry *next;
48733 + char d_name[sizeof(next->d_iname)];
48734 + const unsigned char *name;
48735 +
48736 next = list_entry(p, struct dentry, d_u.d_child);
48737 if (d_unhashed(next) || !next->d_inode)
48738 continue;
48739
48740 spin_unlock(&dcache_lock);
48741 - if (filldir(dirent, next->d_name.name,
48742 + name = next->d_name.name;
48743 + if (name == next->d_iname) {
48744 + memcpy(d_name, name, next->d_name.len);
48745 + name = d_name;
48746 + }
48747 + if (filldir(dirent, name,
48748 next->d_name.len, filp->f_pos,
48749 next->d_inode->i_ino,
48750 dt_type(next->d_inode)) < 0)
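Review bot: The inline name is copied with `memcpy(d_name, name, next->d_name.len)` only after `spin_unlock(&dcache_lock)`, and `next->d_name.len` is read a second time for the `filldir()` call. If renames are serialised by `dcache_lock`, the copy is therefore not a consistent snapshot. The length is also never compared with `sizeof(d_name)`. Reading pointer and length once and copying before the unlock, with the length bounded, closes both gaps. An out-of-line name is still used after the unlock, as it was before the patch. dcache_readdir() begins and ends outside the hunk.
```c
		unsigned int len;
		/* … unchanged: list_entry(), d_unhashed()/d_inode test … */
		name = next->d_name.name;
		len = next->d_name.len;
		if (name == next->d_iname) {
			if (len > sizeof(d_name))
				len = sizeof(d_name);
			memcpy(d_name, name, len);
			name = d_name;
		}
		spin_unlock(&dcache_lock);
		if (filldir(dirent, name, len, filp->f_pos,
		/* … unchanged: remaining filldir() arguments … */
```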
48751 diff -urNp linux-2.6.32.49/fs/lockd/clntproc.c linux-2.6.32.49/fs/lockd/clntproc.c
48752 --- linux-2.6.32.49/fs/lockd/clntproc.c 2011-11-08 19:02:43.000000000 -0500
48753 +++ linux-2.6.32.49/fs/lockd/clntproc.c 2011-11-15 19:59:43.000000000 -0500
48754 @@ -36,11 +36,11 @@ static const struct rpc_call_ops nlmclnt
48755 /*
48756 * Cookie counter for NLM requests
48757 */
48758 -static atomic_t nlm_cookie = ATOMIC_INIT(0x1234);
48759 +static atomic_unchecked_t nlm_cookie = ATOMIC_INIT(0x1234);
48760
48761 void nlmclnt_next_cookie(struct nlm_cookie *c)
48762 {
48763 - u32 cookie = atomic_inc_return(&nlm_cookie);
48764 + u32 cookie = atomic_inc_return_unchecked(&nlm_cookie);
48765
48766 memcpy(c->data, &cookie, 4);
48767 c->len=4;
48768 @@ -621,6 +621,8 @@ nlmclnt_reclaim(struct nlm_host *host, s
48769 struct nlm_rqst reqst, *req;
48770 int status;
48771
48772 + pax_track_stack();
48773 +
48774 req = &reqst;
48775 memset(req, 0, sizeof(*req));
48776 locks_init_lock(&req->a_args.lock.fl);
48777 diff -urNp linux-2.6.32.49/fs/lockd/svc.c linux-2.6.32.49/fs/lockd/svc.c
48778 --- linux-2.6.32.49/fs/lockd/svc.c 2011-11-08 19:02:43.000000000 -0500
48779 +++ linux-2.6.32.49/fs/lockd/svc.c 2011-11-15 19:59:43.000000000 -0500
48780 @@ -43,7 +43,7 @@
48781
48782 static struct svc_program nlmsvc_program;
48783
48784 -struct nlmsvc_binding * nlmsvc_ops;
48785 +const struct nlmsvc_binding * nlmsvc_ops;
48786 EXPORT_SYMBOL_GPL(nlmsvc_ops);
48787
48788 static DEFINE_MUTEX(nlmsvc_mutex);
48789 diff -urNp linux-2.6.32.49/fs/locks.c linux-2.6.32.49/fs/locks.c
48790 --- linux-2.6.32.49/fs/locks.c 2011-11-08 19:02:43.000000000 -0500
48791 +++ linux-2.6.32.49/fs/locks.c 2011-11-15 19:59:43.000000000 -0500
48792 @@ -145,10 +145,28 @@ static LIST_HEAD(blocked_list);
48793
48794 static struct kmem_cache *filelock_cache __read_mostly;
48795
48796 +static void locks_init_lock_always(struct file_lock *fl)
48797 +{
48798 + fl->fl_next = NULL;
48799 + fl->fl_fasync = NULL;
48800 + fl->fl_owner = NULL;
48801 + fl->fl_pid = 0;
48802 + fl->fl_nspid = NULL;
48803 + fl->fl_file = NULL;
48804 + fl->fl_flags = 0;
48805 + fl->fl_type = 0;
48806 + fl->fl_start = fl->fl_end = 0;
48807 +}
48808 +
48809 /* Allocate an empty lock structure. */
48810 static struct file_lock *locks_alloc_lock(void)
48811 {
48812 - return kmem_cache_alloc(filelock_cache, GFP_KERNEL);
48813 + struct file_lock *fl = kmem_cache_alloc(filelock_cache, GFP_KERNEL);
48814 +
48815 + if (fl)
48816 + locks_init_lock_always(fl);
48817 +
48818 + return fl;
48819 }
48820
48821 void locks_release_private(struct file_lock *fl)
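Review bot: `locks_init_lock_always()` has no comment stating which fields it owns. On the `locks_alloc_lock()` path it leaves `fl_ops`, `fl_lmops`, the list heads and the wait queue untouched, so a recycled slab object keeps whatever those fields last held unless a cache constructor or the free path resets them; neither is visible here. A header comment such as `/* Reset the per-use fields; list heads, wait queue, fl_ops and fl_lmops are set up by locks_init_lock() */` would state that contract. The fields the helper does reset would then be documented as the ones that must never carry over between uses.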
48822 @@ -183,17 +201,9 @@ void locks_init_lock(struct file_lock *f
48823 INIT_LIST_HEAD(&fl->fl_link);
48824 INIT_LIST_HEAD(&fl->fl_block);
48825 init_waitqueue_head(&fl->fl_wait);
48826 - fl->fl_next = NULL;
48827 - fl->fl_fasync = NULL;
48828 - fl->fl_owner = NULL;
48829 - fl->fl_pid = 0;
48830 - fl->fl_nspid = NULL;
48831 - fl->fl_file = NULL;
48832 - fl->fl_flags = 0;
48833 - fl->fl_type = 0;
48834 - fl->fl_start = fl->fl_end = 0;
48835 fl->fl_ops = NULL;
48836 fl->fl_lmops = NULL;
48837 + locks_init_lock_always(fl);
48838 }
48839
48840 EXPORT_SYMBOL(locks_init_lock);
48841 @@ -2007,16 +2017,16 @@ void locks_remove_flock(struct file *fil
48842 return;
48843
48844 if (filp->f_op && filp->f_op->flock) {
48845 - struct file_lock fl = {
48846 + struct file_lock flock = {
48847 .fl_pid = current->tgid,
48848 .fl_file = filp,
48849 .fl_flags = FL_FLOCK,
48850 .fl_type = F_UNLCK,
48851 .fl_end = OFFSET_MAX,
48852 };
48853 - filp->f_op->flock(filp, F_SETLKW, &fl);
48854 - if (fl.fl_ops && fl.fl_ops->fl_release_private)
48855 - fl.fl_ops->fl_release_private(&fl);
48856 + filp->f_op->flock(filp, F_SETLKW, &flock);
48857 + if (flock.fl_ops && flock.fl_ops->fl_release_private)
48858 + flock.fl_ops->fl_release_private(&flock);
48859 }
48860
48861 lock_kernel();
48862 diff -urNp linux-2.6.32.49/fs/mbcache.c linux-2.6.32.49/fs/mbcache.c
48863 --- linux-2.6.32.49/fs/mbcache.c 2011-11-08 19:02:43.000000000 -0500
48864 +++ linux-2.6.32.49/fs/mbcache.c 2011-11-15 19:59:43.000000000 -0500
48865 @@ -266,9 +266,9 @@ mb_cache_create(const char *name, struct
48866 if (!cache)
48867 goto fail;
48868 cache->c_name = name;
48869 - cache->c_op.free = NULL;
48870 + *(void **)&cache->c_op.free = NULL;
48871 if (cache_op)
48872 - cache->c_op.free = cache_op->free;
48873 + *(void **)&cache->c_op.free = cache_op->free;
48874 atomic_set(&cache->c_entry_count, 0);
48875 cache->c_bucket_bits = bucket_bits;
48876 #ifdef MB_CACHE_INDEXES_COUNT
48877 diff -urNp linux-2.6.32.49/fs/namei.c linux-2.6.32.49/fs/namei.c
48878 --- linux-2.6.32.49/fs/namei.c 2011-11-08 19:02:43.000000000 -0500
48879 +++ linux-2.6.32.49/fs/namei.c 2011-11-18 19:36:31.000000000 -0500
48880 @@ -224,14 +224,6 @@ int generic_permission(struct inode *ino
48881 return ret;
48882
48883 /*
48884 - * Read/write DACs are always overridable.
48885 - * Executable DACs are overridable if at least one exec bit is set.
48886 - */
48887 - if (!(mask & MAY_EXEC) || execute_ok(inode))
48888 - if (capable(CAP_DAC_OVERRIDE))
48889 - return 0;
48890 -
48891 - /*
48892 * Searching includes executable on directories, else just read.
48893 */
48894 mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
48895 @@ -239,6 +231,14 @@ int generic_permission(struct inode *ino
48896 if (capable(CAP_DAC_READ_SEARCH))
48897 return 0;
48898
48899 + /*
48900 + * Read/write DACs are always overridable.
48901 + * Executable DACs are overridable if at least one exec bit is set.
48902 + */
48903 + if (!(mask & MAY_EXEC) || execute_ok(inode))
48904 + if (capable(CAP_DAC_OVERRIDE))
48905 + return 0;
48906 +
48907 return -EACCES;
48908 }
48909
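Review bot: The relocated `CAP_DAC_OVERRIDE` block keeps its old comment, but nothing explains why it now runs after the `CAP_DAC_READ_SEARCH` test. Both branches return 0 and `mask &= MAY_READ | MAY_WRITE | MAY_EXEC` preserves the `MAY_EXEC` bit, so the result appears unchanged and the reordering presumably matters only for which capability is consulted, and logged, first. Add that to the comment, for example `Checked after CAP_DAC_READ_SEARCH so the narrower capability is tried first.` generic_permission() begins outside the hunk.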
48910 @@ -458,7 +458,8 @@ static int exec_permission_lite(struct i
48911 if (!ret)
48912 goto ok;
48913
48914 - if (capable(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH))
48915 + if (capable_nolog(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH) ||
48916 + capable(CAP_DAC_OVERRIDE))
48917 goto ok;
48918
48919 return ret;
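Review bot: The third operand, `capable(CAP_DAC_OVERRIDE)`, is evaluated only after `capable_nolog(CAP_DAC_OVERRIDE)` has returned false, so it cannot change the outcome unless the two helpers differ in more than logging. It appears to exist purely for its logging side effect. That makes it easy to remove as redundant in a later cleanup, so it needs a comment, for example `/* silent check first; the trailing capable() is kept only so a denial is logged */`. capable_nolog() is not defined in this hunk, so the comment should be confirmed against its definition.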
48920 @@ -638,7 +639,7 @@ static __always_inline int __do_follow_l
48921 cookie = dentry->d_inode->i_op->follow_link(dentry, nd);
48922 error = PTR_ERR(cookie);
48923 if (!IS_ERR(cookie)) {
48924 - char *s = nd_get_link(nd);
48925 + const char *s = nd_get_link(nd);
48926 error = 0;
48927 if (s)
48928 error = __vfs_follow_link(nd, s);
48929 @@ -669,6 +670,13 @@ static inline int do_follow_link(struct
48930 err = security_inode_follow_link(path->dentry, nd);
48931 if (err)
48932 goto loop;
48933 +
48934 + if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
48935 + path->dentry->d_inode, path->dentry, nd->path.mnt)) {
48936 + err = -EACCES;
48937 + goto loop;
48938 + }
48939 +
48940 current->link_count++;
48941 current->total_link_count++;
48942 nd->depth++;
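Review bot: `path->dentry->d_parent->d_inode` is dereferenced in the `gr_handle_follow_link()` call with no lock or extra reference visible in the hunk. If the dentry can be renamed concurrently, the parent inode passed to the policy check may not be the directory the link was found in. Taking the parent with `dget_parent(path->dentry)` and releasing it with `dput()` after the call would pin it for the check. Whether the caller already holds something that stabilises `d_parent` cannot be seen here. do_follow_link() begins and ends outside the hunk.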
48943 @@ -1016,11 +1024,19 @@ return_reval:
48944 break;
48945 }
48946 return_base:
48947 + if (!(nd->flags & (LOOKUP_CONTINUE | LOOKUP_PARENT)) &&
48948 + !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
48949 + path_put(&nd->path);
48950 + return -ENOENT;
48951 + }
48952 return 0;
48953 out_dput:
48954 path_put_conditional(&next, nd);
48955 break;
48956 }
48957 + if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt))
48958 + err = -ENOENT;
48959 +
48960 path_put(&nd->path);
48961 return_err:
48962 return err;
48963 @@ -1091,13 +1107,20 @@ static int do_path_lookup(int dfd, const
48964 int retval = path_init(dfd, name, flags, nd);
48965 if (!retval)
48966 retval = path_walk(name, nd);
48967 - if (unlikely(!retval && !audit_dummy_context() && nd->path.dentry &&
48968 - nd->path.dentry->d_inode))
48969 - audit_inode(name, nd->path.dentry);
48970 +
48971 + if (likely(!retval)) {
48972 + if (nd->path.dentry && nd->path.dentry->d_inode) {
48973 + if (*name != '/' && !gr_chroot_fchdir(nd->path.dentry, nd->path.mnt))
48974 + retval = -ENOENT;
48975 + if (!audit_dummy_context())
48976 + audit_inode(name, nd->path.dentry);
48977 + }
48978 + }
48979 if (nd->root.mnt) {
48980 path_put(&nd->root);
48981 nd->root.mnt = NULL;
48982 }
48983 +
48984 return retval;
48985 }
48986
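Review bot: When `gr_chroot_fchdir()` refuses the lookup, `retval` becomes `-ENOENT` after `path_walk()` has already succeeded, but `nd->path` is not released. The `return_base:` hunk above calls `path_put(&nd->path)` before returning the same error. Unless callers of do_path_lookup() drop `nd->path` on failure (not visible here), this leaks a dentry and vfsmount reference on every denied lookup. Releasing the path where the error is set, after the audit call that still uses `nd->path.dentry`, keeps the two sites consistent.
```c
	if (likely(!retval)) {
		if (nd->path.dentry && nd->path.dentry->d_inode) {
			if (!audit_dummy_context())
				audit_inode(name, nd->path.dentry);
			if (*name != '/' && !gr_chroot_fchdir(nd->path.dentry, nd->path.mnt)) {
				path_put(&nd->path);
				retval = -ENOENT;
			}
		}
	}
	/* … unchanged: nd->root release … */
```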
48987 @@ -1576,6 +1599,20 @@ int may_open(struct path *path, int acc_
48988 if (error)
48989 goto err_out;
48990
48991 +
48992 + if (gr_handle_rofs_blockwrite(dentry, path->mnt, acc_mode)) {
48993 + error = -EPERM;
48994 + goto err_out;
48995 + }
48996 + if (gr_handle_rawio(inode)) {
48997 + error = -EPERM;
48998 + goto err_out;
48999 + }
49000 + if (!gr_acl_handle_open(dentry, path->mnt, acc_mode)) {
49001 + error = -EACCES;
49002 + goto err_out;
49003 + }
49004 +
49005 if (flag & O_TRUNC) {
49006 error = get_write_access(inode);
49007 if (error)
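Review bot: The same three checks (`gr_handle_rofs_blockwrite()`, `gr_handle_rawio()`, `gr_acl_handle_open()`, with identical errno mapping) are added here and again in the `do_filp_open` hunk below. If the `ok:` label that hunk jumps to leads into `may_open()` (outside the visible lines), a non-creating open evaluates the policy twice and any logging done by the hooks is duplicated. A small static helper returning the errno would keep the two sites in step; if the second copy is required, a comment there should say why. The hunk also leaves two consecutive blank lines before the first check, and `may_open`'s body continues outside the hunk.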
49008 @@ -1620,6 +1657,17 @@ static int __open_namei_create(struct na
49009 {
49010 int error;
49011 struct dentry *dir = nd->path.dentry;
49012 + int acc_mode = ACC_MODE(flag);
49013 +
49014 + if (flag & O_TRUNC)
49015 + acc_mode |= MAY_WRITE;
49016 + if (flag & O_APPEND)
49017 + acc_mode |= MAY_APPEND;
49018 +
49019 + if (!gr_acl_handle_creat(path->dentry, dir, nd->path.mnt, flag, acc_mode, mode)) {
49020 + error = -EACCES;
49021 + goto out_unlock;
49022 + }
49023
49024 if (!IS_POSIXACL(dir->d_inode))
49025 mode &= ~current_umask();
49026 @@ -1627,6 +1675,8 @@ static int __open_namei_create(struct na
49027 if (error)
49028 goto out_unlock;
49029 error = vfs_create(dir->d_inode, path->dentry, mode, nd);
49030 + if (!error)
49031 + gr_handle_create(path->dentry, nd->path.mnt);
49032 out_unlock:
49033 mutex_unlock(&dir->d_inode->i_mutex);
49034 dput(nd->path.dentry);
49035 @@ -1709,6 +1759,22 @@ struct file *do_filp_open(int dfd, const
49036 &nd, flag);
49037 if (error)
49038 return ERR_PTR(error);
49039 +
49040 + if (gr_handle_rofs_blockwrite(nd.path.dentry, nd.path.mnt, acc_mode)) {
49041 + error = -EPERM;
49042 + goto exit;
49043 + }
49044 +
49045 + if (gr_handle_rawio(nd.path.dentry->d_inode)) {
49046 + error = -EPERM;
49047 + goto exit;
49048 + }
49049 +
49050 + if (!gr_acl_handle_open(nd.path.dentry, nd.path.mnt, acc_mode)) {
49051 + error = -EACCES;
49052 + goto exit;
49053 + }
49054 +
49055 goto ok;
49056 }
49057
49058 @@ -1795,6 +1861,19 @@ do_last:
49059 /*
49060 * It already exists.
49061 */
49062 +
49063 + if (!gr_acl_handle_hidden_file(path.dentry, path.mnt)) {
49064 + error = -ENOENT;
49065 + goto exit_mutex_unlock;
49066 + }
49067 +
49068 + /* only check if O_CREAT is specified, all other checks need
49069 + to go into may_open */
49070 + if (gr_handle_fifo(path.dentry, path.mnt, dir, flag, acc_mode)) {
49071 + error = -EACCES;
49072 + goto exit_mutex_unlock;
49073 + }
49074 +
49075 mutex_unlock(&dir->d_inode->i_mutex);
49076 audit_inode(pathname, path.dentry);
49077
49078 @@ -1887,6 +1966,13 @@ do_link:
49079 error = security_inode_follow_link(path.dentry, &nd);
49080 if (error)
49081 goto exit_dput;
49082 +
49083 + if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode,
49084 + path.dentry, nd.path.mnt)) {
49085 + error = -EACCES;
49086 + goto exit_dput;
49087 + }
49088 +
49089 error = __do_follow_link(&path, &nd);
49090 if (error) {
49091 /* Does someone understand code flow here? Or it is only
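Review bot: `path.dentry->d_parent->d_inode` is read with no lock or extra reference visible in the hunk, so the parent inode handed to `gr_handle_follow_link()` may be stale if the link is renamed concurrently. Because the hook makes an access decision from that inode, it is safer to pin the parent first: `parent = dget_parent(path.dentry);`, pass `parent->d_inode`, then `dput(parent);` on both outcomes. If the existing form is known to be safe in this context, a comment naming the lock or reference that guarantees it would help. The `do_link:` block continues outside the hunk.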
49092 @@ -1984,6 +2070,10 @@ struct dentry *lookup_create(struct name
49093 }
49094 return dentry;
49095 eexist:
49096 + if (!gr_acl_handle_hidden_file(dentry, nd->path.mnt)) {
49097 + dput(dentry);
49098 + return ERR_PTR(-ENOENT);
49099 + }
49100 dput(dentry);
49101 dentry = ERR_PTR(-EEXIST);
49102 fail:
49103 @@ -2061,6 +2151,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
49104 error = may_mknod(mode);
49105 if (error)
49106 goto out_dput;
49107 +
49108 + if (gr_handle_chroot_mknod(dentry, nd.path.mnt, mode)) {
49109 + error = -EPERM;
49110 + goto out_dput;
49111 + }
49112 +
49113 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
49114 + error = -EACCES;
49115 + goto out_dput;
49116 + }
49117 +
49118 error = mnt_want_write(nd.path.mnt);
49119 if (error)
49120 goto out_dput;
49121 @@ -2081,6 +2182,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
49122 }
49123 out_drop_write:
49124 mnt_drop_write(nd.path.mnt);
49125 +
49126 + if (!error)
49127 + gr_handle_create(dentry, nd.path.mnt);
49128 out_dput:
49129 dput(dentry);
49130 out_unlock:
49131 @@ -2134,6 +2238,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
49132 if (IS_ERR(dentry))
49133 goto out_unlock;
49134
49135 + if (!gr_acl_handle_mkdir(dentry, nd.path.dentry, nd.path.mnt)) {
49136 + error = -EACCES;
49137 + goto out_dput;
49138 + }
49139 +
49140 if (!IS_POSIXACL(nd.path.dentry->d_inode))
49141 mode &= ~current_umask();
49142 error = mnt_want_write(nd.path.mnt);
49143 @@ -2145,6 +2254,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
49144 error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
49145 out_drop_write:
49146 mnt_drop_write(nd.path.mnt);
49147 +
49148 + if (!error)
49149 + gr_handle_create(dentry, nd.path.mnt);
49150 +
49151 out_dput:
49152 dput(dentry);
49153 out_unlock:
49154 @@ -2226,6 +2339,8 @@ static long do_rmdir(int dfd, const char
49155 char * name;
49156 struct dentry *dentry;
49157 struct nameidata nd;
49158 + ino_t saved_ino = 0;
49159 + dev_t saved_dev = 0;
49160
49161 error = user_path_parent(dfd, pathname, &nd, &name);
49162 if (error)
49163 @@ -2250,6 +2365,17 @@ static long do_rmdir(int dfd, const char
49164 error = PTR_ERR(dentry);
49165 if (IS_ERR(dentry))
49166 goto exit2;
49167 +
49168 + if (dentry->d_inode != NULL) {
49169 + saved_ino = dentry->d_inode->i_ino;
49170 + saved_dev = gr_get_dev_from_dentry(dentry);
49171 +
49172 + if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
49173 + error = -EACCES;
49174 + goto exit3;
49175 + }
49176 + }
49177 +
49178 error = mnt_want_write(nd.path.mnt);
49179 if (error)
49180 goto exit3;
49181 @@ -2257,6 +2383,8 @@ static long do_rmdir(int dfd, const char
49182 if (error)
49183 goto exit4;
49184 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
49185 + if (!error && (saved_dev || saved_ino))
49186 + gr_handle_delete(saved_ino, saved_dev);
49187 exit4:
49188 mnt_drop_write(nd.path.mnt);
49189 exit3:
49190 @@ -2318,6 +2446,8 @@ static long do_unlinkat(int dfd, const c
49191 struct dentry *dentry;
49192 struct nameidata nd;
49193 struct inode *inode = NULL;
49194 + ino_t saved_ino = 0;
49195 + dev_t saved_dev = 0;
49196
49197 error = user_path_parent(dfd, pathname, &nd, &name);
49198 if (error)
49199 @@ -2337,8 +2467,19 @@ static long do_unlinkat(int dfd, const c
49200 if (nd.last.name[nd.last.len])
49201 goto slashes;
49202 inode = dentry->d_inode;
49203 - if (inode)
49204 + if (inode) {
49205 + if (inode->i_nlink <= 1) {
49206 + saved_ino = inode->i_ino;
49207 + saved_dev = gr_get_dev_from_dentry(dentry);
49208 + }
49209 +
49210 atomic_inc(&inode->i_count);
49211 +
49212 + if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
49213 + error = -EACCES;
49214 + goto exit2;
49215 + }
49216 + }
49217 error = mnt_want_write(nd.path.mnt);
49218 if (error)
49219 goto exit2;
49220 @@ -2346,6 +2487,8 @@ static long do_unlinkat(int dfd, const c
49221 if (error)
49222 goto exit3;
49223 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
49224 + if (!error && (saved_ino || saved_dev))
49225 + gr_handle_delete(saved_ino, saved_dev);
49226 exit3:
49227 mnt_drop_write(nd.path.mnt);
49228 exit2:
49229 @@ -2424,6 +2567,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
49230 if (IS_ERR(dentry))
49231 goto out_unlock;
49232
49233 + if (!gr_acl_handle_symlink(dentry, nd.path.dentry, nd.path.mnt, from)) {
49234 + error = -EACCES;
49235 + goto out_dput;
49236 + }
49237 +
49238 error = mnt_want_write(nd.path.mnt);
49239 if (error)
49240 goto out_dput;
49241 @@ -2431,6 +2579,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
49242 if (error)
49243 goto out_drop_write;
49244 error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
49245 + if (!error)
49246 + gr_handle_create(dentry, nd.path.mnt);
49247 out_drop_write:
49248 mnt_drop_write(nd.path.mnt);
49249 out_dput:
49250 @@ -2524,6 +2674,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
49251 error = PTR_ERR(new_dentry);
49252 if (IS_ERR(new_dentry))
49253 goto out_unlock;
49254 +
49255 + if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
49256 + old_path.dentry->d_inode,
49257 + old_path.dentry->d_inode->i_mode, to)) {
49258 + error = -EACCES;
49259 + goto out_dput;
49260 + }
49261 +
49262 + if (!gr_acl_handle_link(new_dentry, nd.path.dentry, nd.path.mnt,
49263 + old_path.dentry, old_path.mnt, to)) {
49264 + error = -EACCES;
49265 + goto out_dput;
49266 + }
49267 +
49268 error = mnt_want_write(nd.path.mnt);
49269 if (error)
49270 goto out_dput;
49271 @@ -2531,6 +2695,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
49272 if (error)
49273 goto out_drop_write;
49274 error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
49275 + if (!error)
49276 + gr_handle_create(new_dentry, nd.path.mnt);
49277 out_drop_write:
49278 mnt_drop_write(nd.path.mnt);
49279 out_dput:
49280 @@ -2708,6 +2874,8 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
49281 char *to;
49282 int error;
49283
49284 + pax_track_stack();
49285 +
49286 error = user_path_parent(olddfd, oldname, &oldnd, &from);
49287 if (error)
49288 goto exit;
49289 @@ -2764,6 +2932,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
49290 if (new_dentry == trap)
49291 goto exit5;
49292
49293 + error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
49294 + old_dentry, old_dir->d_inode, oldnd.path.mnt,
49295 + to);
49296 + if (error)
49297 + goto exit5;
49298 +
49299 error = mnt_want_write(oldnd.path.mnt);
49300 if (error)
49301 goto exit5;
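Review bot: `gr_acl_handle_rename()` is used here as returning an errno (`error = ...; if (error) goto exit5;`), whereas the other `gr_acl_handle_*()` calls in this patch are treated as non-zero-means-allow and mapped to `-EACCES` by the caller. The mixed convention is easy to get wrong when a new hook is added; a comment at this call such as `/* returns 0 or a negative errno, unlike the boolean gr_acl_handle_* hooks */` would make it explicit. The definition is outside the hunk, so it is worth confirming that it can never return a positive value, which would propagate as the syscall result.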
49302 @@ -2773,6 +2947,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
49303 goto exit6;
49304 error = vfs_rename(old_dir->d_inode, old_dentry,
49305 new_dir->d_inode, new_dentry);
49306 + if (!error)
49307 + gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
49308 + new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
49309 exit6:
49310 mnt_drop_write(oldnd.path.mnt);
49311 exit5:
49312 @@ -2798,6 +2975,8 @@ SYSCALL_DEFINE2(rename, const char __use
49313
49314 int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
49315 {
49316 + char tmpbuf[64];
49317 + const char *newlink;
49318 int len;
49319
49320 len = PTR_ERR(link);
49321 @@ -2807,7 +2986,14 @@ int vfs_readlink(struct dentry *dentry,
49322 len = strlen(link);
49323 if (len > (unsigned) buflen)
49324 len = buflen;
49325 - if (copy_to_user(buffer, link, len))
49326 +
49327 + if (len < sizeof(tmpbuf)) {
49328 + memcpy(tmpbuf, link, len);
49329 + newlink = tmpbuf;
49330 + } else
49331 + newlink = link;
49332 +
49333 + if (copy_to_user(buffer, newlink, len))
49334 len = -EFAULT;
49335 out:
49336 return len;
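Review bot: The bounce copy through `tmpbuf` has no comment, so a reader cannot tell why links shorter than 64 bytes are first copied to the stack before `copy_to_user()` or whether the copy can be removed later. A short comment above the `if` stating the reason is needed (presumably it relates to this patch's user-copy checks; confirm), and the bare `64` in the declaration added by the previous hunk would be clearer as a named constant. Separately, `len < sizeof(tmpbuf)` compares an `int` with a `size_t`. It is correct only because `len` holds a clamped `strlen()` result at this point, and `(size_t)len < sizeof(tmpbuf)` would make that assumption visible.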
49337 diff -urNp linux-2.6.32.49/fs/namespace.c linux-2.6.32.49/fs/namespace.c
49338 --- linux-2.6.32.49/fs/namespace.c 2011-11-08 19:02:43.000000000 -0500
49339 +++ linux-2.6.32.49/fs/namespace.c 2011-11-15 19:59:43.000000000 -0500
49340 @@ -1083,6 +1083,9 @@ static int do_umount(struct vfsmount *mn
49341 if (!(sb->s_flags & MS_RDONLY))
49342 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
49343 up_write(&sb->s_umount);
49344 +
49345 + gr_log_remount(mnt->mnt_devname, retval);
49346 +
49347 return retval;
49348 }
49349
49350 @@ -1104,6 +1107,9 @@ static int do_umount(struct vfsmount *mn
49351 security_sb_umount_busy(mnt);
49352 up_write(&namespace_sem);
49353 release_mounts(&umount_list);
49354 +
49355 + gr_log_unmount(mnt->mnt_devname, retval);
49356 +
49357 return retval;
49358 }
49359
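Review bot: `gr_log_unmount()` dereferences `mnt->mnt_devname` after `release_mounts(&umount_list)` has run. That is safe only if the caller of `do_umount()` still holds its own reference on `mnt`, which cannot be confirmed from the hunk. Since `retval` is not modified by the visible lines after `security_sb_umount_busy()`, the call could sit between `up_write(&namespace_sem);` and `release_mounts(&umount_list);`, or keep its place with a comment stating the lifetime assumption. It is also not visible whether the logging hook tolerates a NULL `mnt_devname`.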
49360 @@ -1962,6 +1968,16 @@ long do_mount(char *dev_name, char *dir_
49361 if (retval)
49362 goto dput_out;
49363
49364 + if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
49365 + retval = -EPERM;
49366 + goto dput_out;
49367 + }
49368 +
49369 + if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
49370 + retval = -EPERM;
49371 + goto dput_out;
49372 + }
49373 +
49374 if (flags & MS_REMOUNT)
49375 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
49376 data_page);
49377 @@ -1976,6 +1992,9 @@ long do_mount(char *dev_name, char *dir_
49378 dev_name, data_page);
49379 dput_out:
49380 path_put(&path);
49381 +
49382 + gr_log_mount(dev_name, dir_name, retval);
49383 +
49384 return retval;
49385 }
49386
49387 @@ -2182,6 +2201,12 @@ SYSCALL_DEFINE2(pivot_root, const char _
49388 goto out1;
49389 }
49390
49391 + if (gr_handle_chroot_pivot()) {
49392 + error = -EPERM;
49393 + path_put(&old);
49394 + goto out1;
49395 + }
49396 +
49397 read_lock(&current->fs->lock);
49398 root = current->fs->root;
49399 path_get(&current->fs->root);
49400 diff -urNp linux-2.6.32.49/fs/ncpfs/dir.c linux-2.6.32.49/fs/ncpfs/dir.c
49401 --- linux-2.6.32.49/fs/ncpfs/dir.c 2011-11-08 19:02:43.000000000 -0500
49402 +++ linux-2.6.32.49/fs/ncpfs/dir.c 2011-11-15 19:59:43.000000000 -0500
49403 @@ -275,6 +275,8 @@ __ncp_lookup_validate(struct dentry *den
49404 int res, val = 0, len;
49405 __u8 __name[NCP_MAXPATHLEN + 1];
49406
49407 + pax_track_stack();
49408 +
49409 parent = dget_parent(dentry);
49410 dir = parent->d_inode;
49411
49412 @@ -799,6 +801,8 @@ static struct dentry *ncp_lookup(struct
49413 int error, res, len;
49414 __u8 __name[NCP_MAXPATHLEN + 1];
49415
49416 + pax_track_stack();
49417 +
49418 lock_kernel();
49419 error = -EIO;
49420 if (!ncp_conn_valid(server))
49421 @@ -883,10 +887,12 @@ int ncp_create_new(struct inode *dir, st
49422 int error, result, len;
49423 int opmode;
49424 __u8 __name[NCP_MAXPATHLEN + 1];
49425 -
49426 +
49427 PPRINTK("ncp_create_new: creating %s/%s, mode=%x\n",
49428 dentry->d_parent->d_name.name, dentry->d_name.name, mode);
49429
49430 + pax_track_stack();
49431 +
49432 error = -EIO;
49433 lock_kernel();
49434 if (!ncp_conn_valid(server))
49435 @@ -952,6 +958,8 @@ static int ncp_mkdir(struct inode *dir,
49436 int error, len;
49437 __u8 __name[NCP_MAXPATHLEN + 1];
49438
49439 + pax_track_stack();
49440 +
49441 DPRINTK("ncp_mkdir: making %s/%s\n",
49442 dentry->d_parent->d_name.name, dentry->d_name.name);
49443
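Review bot: `pax_track_stack()` is added to `ncp_mkdir` twice, once here after the declarations and again in the next hunk after the `ncp_conn_valid()` check. The other functions touched in this file get a single call placed directly after their locals, so the second call looks like a leftover; if both are intended, a comment should say what the second one covers. In the `ncp_create_new` hunk above, the call is placed after `PPRINTK` rather than after the declarations, and a blank line is replaced by a whitespace-only line.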
49444 @@ -960,6 +968,8 @@ static int ncp_mkdir(struct inode *dir,
49445 if (!ncp_conn_valid(server))
49446 goto out;
49447
49448 + pax_track_stack();
49449 +
49450 ncp_age_dentry(server, dentry);
49451 len = sizeof(__name);
49452 error = ncp_io2vol(server, __name, &len, dentry->d_name.name,
49453 @@ -1114,6 +1124,8 @@ static int ncp_rename(struct inode *old_
49454 int old_len, new_len;
49455 __u8 __old_name[NCP_MAXPATHLEN + 1], __new_name[NCP_MAXPATHLEN + 1];
49456
49457 + pax_track_stack();
49458 +
49459 DPRINTK("ncp_rename: %s/%s to %s/%s\n",
49460 old_dentry->d_parent->d_name.name, old_dentry->d_name.name,
49461 new_dentry->d_parent->d_name.name, new_dentry->d_name.name);
49462 diff -urNp linux-2.6.32.49/fs/ncpfs/inode.c linux-2.6.32.49/fs/ncpfs/inode.c
49463 --- linux-2.6.32.49/fs/ncpfs/inode.c 2011-11-08 19:02:43.000000000 -0500
49464 +++ linux-2.6.32.49/fs/ncpfs/inode.c 2011-11-15 19:59:43.000000000 -0500
49465 @@ -445,6 +445,8 @@ static int ncp_fill_super(struct super_b
49466 #endif
49467 struct ncp_entry_info finfo;
49468
49469 + pax_track_stack();
49470 +
49471 data.wdog_pid = NULL;
49472 server = kzalloc(sizeof(struct ncp_server), GFP_KERNEL);
49473 if (!server)
49474 diff -urNp linux-2.6.32.49/fs/nfs/inode.c linux-2.6.32.49/fs/nfs/inode.c
49475 --- linux-2.6.32.49/fs/nfs/inode.c 2011-11-08 19:02:43.000000000 -0500
49476 +++ linux-2.6.32.49/fs/nfs/inode.c 2011-11-15 19:59:43.000000000 -0500
49477 @@ -156,7 +156,7 @@ static void nfs_zap_caches_locked(struct
49478 nfsi->attrtimeo = NFS_MINATTRTIMEO(inode);
49479 nfsi->attrtimeo_timestamp = jiffies;
49480
49481 - memset(NFS_COOKIEVERF(inode), 0, sizeof(NFS_COOKIEVERF(inode)));
49482 + memset(NFS_COOKIEVERF(inode), 0, sizeof(NFS_I(inode)->cookieverf));
49483 if (S_ISREG(mode) || S_ISDIR(mode) || S_ISLNK(mode))
49484 nfsi->cache_validity |= NFS_INO_INVALID_ATTR|NFS_INO_INVALID_DATA|NFS_INO_INVALID_ACCESS|NFS_INO_INVALID_ACL|NFS_INO_REVAL_PAGECACHE;
49485 else
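Review bot: The corrected `memset` names the buffer two different ways, `NFS_COOKIEVERF(inode)` for the destination and `NFS_I(inode)->cookieverf` for the size, which is the kind of mismatch that appears to have made the old `sizeof(NFS_COOKIEVERF(inode))` wrong in the first place. Using one expression for both keeps them from drifting apart: `memset(nfsi->cookieverf, 0, sizeof(nfsi->cookieverf));`. This assumes `nfsi`, used on the lines above, is `NFS_I(inode)`; its declaration is outside the hunk.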
49486 @@ -973,16 +973,16 @@ static int nfs_size_need_update(const st
49487 return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
49488 }
49489
49490 -static atomic_long_t nfs_attr_generation_counter;
49491 +static atomic_long_unchecked_t nfs_attr_generation_counter;
49492
49493 static unsigned long nfs_read_attr_generation_counter(void)
49494 {
49495 - return atomic_long_read(&nfs_attr_generation_counter);
49496 + return atomic_long_read_unchecked(&nfs_attr_generation_counter);
49497 }
49498
49499 unsigned long nfs_inc_attr_generation_counter(void)
49500 {
49501 - return atomic_long_inc_return(&nfs_attr_generation_counter);
49502 + return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
49503 }
49504
49505 void nfs_fattr_init(struct nfs_fattr *fattr)
49506 diff -urNp linux-2.6.32.49/fs/nfsd/lockd.c linux-2.6.32.49/fs/nfsd/lockd.c
49507 --- linux-2.6.32.49/fs/nfsd/lockd.c 2011-11-08 19:02:43.000000000 -0500
49508 +++ linux-2.6.32.49/fs/nfsd/lockd.c 2011-11-15 19:59:43.000000000 -0500
49509 @@ -66,7 +66,7 @@ nlm_fclose(struct file *filp)
49510 fput(filp);
49511 }
49512
49513 -static struct nlmsvc_binding nfsd_nlm_ops = {
49514 +static const struct nlmsvc_binding nfsd_nlm_ops = {
49515 .fopen = nlm_fopen, /* open file for locking */
49516 .fclose = nlm_fclose, /* close file */
49517 };
49518 diff -urNp linux-2.6.32.49/fs/nfsd/nfs4state.c linux-2.6.32.49/fs/nfsd/nfs4state.c
49519 --- linux-2.6.32.49/fs/nfsd/nfs4state.c 2011-11-08 19:02:43.000000000 -0500
49520 +++ linux-2.6.32.49/fs/nfsd/nfs4state.c 2011-11-15 19:59:43.000000000 -0500
49521 @@ -3459,6 +3459,8 @@ nfsd4_lock(struct svc_rqst *rqstp, struc
49522 unsigned int cmd;
49523 int err;
49524
49525 + pax_track_stack();
49526 +
49527 dprintk("NFSD: nfsd4_lock: start=%Ld length=%Ld\n",
49528 (long long) lock->lk_offset,
49529 (long long) lock->lk_length);
49530 diff -urNp linux-2.6.32.49/fs/nfsd/nfs4xdr.c linux-2.6.32.49/fs/nfsd/nfs4xdr.c
49531 --- linux-2.6.32.49/fs/nfsd/nfs4xdr.c 2011-11-08 19:02:43.000000000 -0500
49532 +++ linux-2.6.32.49/fs/nfsd/nfs4xdr.c 2011-11-15 19:59:43.000000000 -0500
49533 @@ -1751,6 +1751,8 @@ nfsd4_encode_fattr(struct svc_fh *fhp, s
49534 struct nfsd4_compoundres *resp = rqstp->rq_resp;
49535 u32 minorversion = resp->cstate.minorversion;
49536
49537 + pax_track_stack();
49538 +
49539 BUG_ON(bmval1 & NFSD_WRITEONLY_ATTRS_WORD1);
49540 BUG_ON(bmval0 & ~nfsd_suppattrs0(minorversion));
49541 BUG_ON(bmval1 & ~nfsd_suppattrs1(minorversion));
49542 diff -urNp linux-2.6.32.49/fs/nfsd/vfs.c linux-2.6.32.49/fs/nfsd/vfs.c
49543 --- linux-2.6.32.49/fs/nfsd/vfs.c 2011-11-08 19:02:43.000000000 -0500
49544 +++ linux-2.6.32.49/fs/nfsd/vfs.c 2011-11-15 19:59:43.000000000 -0500
49545 @@ -937,7 +937,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
49546 } else {
49547 oldfs = get_fs();
49548 set_fs(KERNEL_DS);
49549 - host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
49550 + host_err = vfs_readv(file, (struct iovec __force_user *)vec, vlen, &offset);
49551 set_fs(oldfs);
49552 }
49553
49554 @@ -1060,7 +1060,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
49555
49556 /* Write the data. */
49557 oldfs = get_fs(); set_fs(KERNEL_DS);
49558 - host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
49559 + host_err = vfs_writev(file, (struct iovec __force_user *)vec, vlen, &offset);
49560 set_fs(oldfs);
49561 if (host_err < 0)
49562 goto out_nfserr;
49563 @@ -1542,7 +1542,7 @@ nfsd_readlink(struct svc_rqst *rqstp, st
49564 */
49565
49566 oldfs = get_fs(); set_fs(KERNEL_DS);
49567 - host_err = inode->i_op->readlink(dentry, buf, *lenp);
49568 + host_err = inode->i_op->readlink(dentry, (char __force_user *)buf, *lenp);
49569 set_fs(oldfs);
49570
49571 if (host_err < 0)
49572 diff -urNp linux-2.6.32.49/fs/nilfs2/ioctl.c linux-2.6.32.49/fs/nilfs2/ioctl.c
49573 --- linux-2.6.32.49/fs/nilfs2/ioctl.c 2011-11-08 19:02:43.000000000 -0500
49574 +++ linux-2.6.32.49/fs/nilfs2/ioctl.c 2011-11-15 19:59:43.000000000 -0500
49575 @@ -480,7 +480,7 @@ static int nilfs_ioctl_clean_segments(st
49576 unsigned int cmd, void __user *argp)
49577 {
49578 struct nilfs_argv argv[5];
49579 - const static size_t argsz[5] = {
49580 + static const size_t argsz[5] = {
49581 sizeof(struct nilfs_vdesc),
49582 sizeof(struct nilfs_period),
49583 sizeof(__u64),
49584 diff -urNp linux-2.6.32.49/fs/notify/dnotify/dnotify.c linux-2.6.32.49/fs/notify/dnotify/dnotify.c
49585 --- linux-2.6.32.49/fs/notify/dnotify/dnotify.c 2011-11-08 19:02:43.000000000 -0500
49586 +++ linux-2.6.32.49/fs/notify/dnotify/dnotify.c 2011-11-15 19:59:43.000000000 -0500
49587 @@ -173,7 +173,7 @@ static void dnotify_free_mark(struct fsn
49588 kmem_cache_free(dnotify_mark_entry_cache, dnentry);
49589 }
49590
49591 -static struct fsnotify_ops dnotify_fsnotify_ops = {
49592 +static const struct fsnotify_ops dnotify_fsnotify_ops = {
49593 .handle_event = dnotify_handle_event,
49594 .should_send_event = dnotify_should_send_event,
49595 .free_group_priv = NULL,
49596 diff -urNp linux-2.6.32.49/fs/notify/notification.c linux-2.6.32.49/fs/notify/notification.c
49597 --- linux-2.6.32.49/fs/notify/notification.c 2011-11-08 19:02:43.000000000 -0500
49598 +++ linux-2.6.32.49/fs/notify/notification.c 2011-11-15 19:59:43.000000000 -0500
49599 @@ -57,7 +57,7 @@ static struct kmem_cache *fsnotify_event
49600 * get set to 0 so it will never get 'freed'
49601 */
49602 static struct fsnotify_event q_overflow_event;
49603 -static atomic_t fsnotify_sync_cookie = ATOMIC_INIT(0);
49604 +static atomic_unchecked_t fsnotify_sync_cookie = ATOMIC_INIT(0);
49605
49606 /**
49607 * fsnotify_get_cookie - return a unique cookie for use in synchronizing events.
49608 @@ -65,7 +65,7 @@ static atomic_t fsnotify_sync_cookie = A
49609 */
49610 u32 fsnotify_get_cookie(void)
49611 {
49612 - return atomic_inc_return(&fsnotify_sync_cookie);
49613 + return atomic_inc_return_unchecked(&fsnotify_sync_cookie);
49614 }
49615 EXPORT_SYMBOL_GPL(fsnotify_get_cookie);
49616
49617 diff -urNp linux-2.6.32.49/fs/ntfs/dir.c linux-2.6.32.49/fs/ntfs/dir.c
49618 --- linux-2.6.32.49/fs/ntfs/dir.c 2011-11-08 19:02:43.000000000 -0500
49619 +++ linux-2.6.32.49/fs/ntfs/dir.c 2011-11-15 19:59:43.000000000 -0500
49620 @@ -1328,7 +1328,7 @@ find_next_index_buffer:
49621 ia = (INDEX_ALLOCATION*)(kaddr + (ia_pos & ~PAGE_CACHE_MASK &
49622 ~(s64)(ndir->itype.index.block_size - 1)));
49623 /* Bounds checks. */
49624 - if (unlikely((u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
49625 + if (unlikely(!kaddr || (u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
49626 ntfs_error(sb, "Out of bounds check failed. Corrupt directory "
49627 "inode 0x%lx or driver bug.", vdir->i_ino);
49628 goto err_out;
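Review bot: The added `!kaddr` test runs after `kaddr` has already been used to compute `ia` in the preceding statement. A NULL mapping is then reported with the "Out of bounds check failed. Corrupt directory inode" message, which misdescribes the failure. If `kaddr` can be NULL at this point, it should be tested where it is assigned (outside the hunk) with its own error message. If it cannot be NULL, the extra term only obscures the bounds check and a comment should state why it is there.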
49629 diff -urNp linux-2.6.32.49/fs/ntfs/file.c linux-2.6.32.49/fs/ntfs/file.c
49630 --- linux-2.6.32.49/fs/ntfs/file.c 2011-11-08 19:02:43.000000000 -0500
49631 +++ linux-2.6.32.49/fs/ntfs/file.c 2011-11-15 19:59:43.000000000 -0500
49632 @@ -2243,6 +2243,6 @@ const struct inode_operations ntfs_file_
49633 #endif /* NTFS_RW */
49634 };
49635
49636 -const struct file_operations ntfs_empty_file_ops = {};
49637 +const struct file_operations ntfs_empty_file_ops __read_only;
49638
49639 -const struct inode_operations ntfs_empty_inode_ops = {};
49640 +const struct inode_operations ntfs_empty_inode_ops __read_only;
49641 diff -urNp linux-2.6.32.49/fs/ocfs2/cluster/masklog.c linux-2.6.32.49/fs/ocfs2/cluster/masklog.c
49642 --- linux-2.6.32.49/fs/ocfs2/cluster/masklog.c 2011-11-08 19:02:43.000000000 -0500
49643 +++ linux-2.6.32.49/fs/ocfs2/cluster/masklog.c 2011-11-15 19:59:43.000000000 -0500
49644 @@ -135,7 +135,7 @@ static ssize_t mlog_store(struct kobject
49645 return mlog_mask_store(mlog_attr->mask, buf, count);
49646 }
49647
49648 -static struct sysfs_ops mlog_attr_ops = {
49649 +static const struct sysfs_ops mlog_attr_ops = {
49650 .show = mlog_show,
49651 .store = mlog_store,
49652 };
49653 diff -urNp linux-2.6.32.49/fs/ocfs2/localalloc.c linux-2.6.32.49/fs/ocfs2/localalloc.c
49654 --- linux-2.6.32.49/fs/ocfs2/localalloc.c 2011-11-08 19:02:43.000000000 -0500
49655 +++ linux-2.6.32.49/fs/ocfs2/localalloc.c 2011-11-15 19:59:43.000000000 -0500
49656 @@ -1188,7 +1188,7 @@ static int ocfs2_local_alloc_slide_windo
49657 goto bail;
49658 }
49659
49660 - atomic_inc(&osb->alloc_stats.moves);
49661 + atomic_inc_unchecked(&osb->alloc_stats.moves);
49662
49663 status = 0;
49664 bail:
49665 diff -urNp linux-2.6.32.49/fs/ocfs2/namei.c linux-2.6.32.49/fs/ocfs2/namei.c
49666 --- linux-2.6.32.49/fs/ocfs2/namei.c 2011-11-08 19:02:43.000000000 -0500
49667 +++ linux-2.6.32.49/fs/ocfs2/namei.c 2011-11-15 19:59:43.000000000 -0500
49668 @@ -1043,6 +1043,8 @@ static int ocfs2_rename(struct inode *ol
49669 struct ocfs2_dir_lookup_result orphan_insert = { NULL, };
49670 struct ocfs2_dir_lookup_result target_insert = { NULL, };
49671
49672 + pax_track_stack();
49673 +
49674 /* At some point it might be nice to break this function up a
49675 * bit. */
49676
49677 diff -urNp linux-2.6.32.49/fs/ocfs2/ocfs2.h linux-2.6.32.49/fs/ocfs2/ocfs2.h
49678 --- linux-2.6.32.49/fs/ocfs2/ocfs2.h 2011-11-08 19:02:43.000000000 -0500
49679 +++ linux-2.6.32.49/fs/ocfs2/ocfs2.h 2011-11-15 19:59:43.000000000 -0500
49680 @@ -217,11 +217,11 @@ enum ocfs2_vol_state
49681
49682 struct ocfs2_alloc_stats
49683 {
49684 - atomic_t moves;
49685 - atomic_t local_data;
49686 - atomic_t bitmap_data;
49687 - atomic_t bg_allocs;
49688 - atomic_t bg_extends;
49689 + atomic_unchecked_t moves;
49690 + atomic_unchecked_t local_data;
49691 + atomic_unchecked_t bitmap_data;
49692 + atomic_unchecked_t bg_allocs;
49693 + atomic_unchecked_t bg_extends;
49694 };
49695
49696 enum ocfs2_local_alloc_state
49697 diff -urNp linux-2.6.32.49/fs/ocfs2/suballoc.c linux-2.6.32.49/fs/ocfs2/suballoc.c
49698 --- linux-2.6.32.49/fs/ocfs2/suballoc.c 2011-11-08 19:02:43.000000000 -0500
49699 +++ linux-2.6.32.49/fs/ocfs2/suballoc.c 2011-11-15 19:59:43.000000000 -0500
49700 @@ -623,7 +623,7 @@ static int ocfs2_reserve_suballoc_bits(s
49701 mlog_errno(status);
49702 goto bail;
49703 }
49704 - atomic_inc(&osb->alloc_stats.bg_extends);
49705 + atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
49706
49707 /* You should never ask for this much metadata */
49708 BUG_ON(bits_wanted >
49709 @@ -1654,7 +1654,7 @@ int ocfs2_claim_metadata(struct ocfs2_su
49710 mlog_errno(status);
49711 goto bail;
49712 }
49713 - atomic_inc(&osb->alloc_stats.bg_allocs);
49714 + atomic_inc_unchecked(&osb->alloc_stats.bg_allocs);
49715
49716 *blkno_start = bg_blkno + (u64) *suballoc_bit_start;
49717 ac->ac_bits_given += (*num_bits);
49718 @@ -1728,7 +1728,7 @@ int ocfs2_claim_new_inode(struct ocfs2_s
49719 mlog_errno(status);
49720 goto bail;
49721 }
49722 - atomic_inc(&osb->alloc_stats.bg_allocs);
49723 + atomic_inc_unchecked(&osb->alloc_stats.bg_allocs);
49724
49725 BUG_ON(num_bits != 1);
49726
49727 @@ -1830,7 +1830,7 @@ int __ocfs2_claim_clusters(struct ocfs2_
49728 cluster_start,
49729 num_clusters);
49730 if (!status)
49731 - atomic_inc(&osb->alloc_stats.local_data);
49732 + atomic_inc_unchecked(&osb->alloc_stats.local_data);
49733 } else {
49734 if (min_clusters > (osb->bitmap_cpg - 1)) {
49735 /* The only paths asking for contiguousness
49736 @@ -1858,7 +1858,7 @@ int __ocfs2_claim_clusters(struct ocfs2_
49737 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
49738 bg_blkno,
49739 bg_bit_off);
49740 - atomic_inc(&osb->alloc_stats.bitmap_data);
49741 + atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
49742 }
49743 }
49744 if (status < 0) {
49745 diff -urNp linux-2.6.32.49/fs/ocfs2/super.c linux-2.6.32.49/fs/ocfs2/super.c
49746 --- linux-2.6.32.49/fs/ocfs2/super.c 2011-11-08 19:02:43.000000000 -0500
49747 +++ linux-2.6.32.49/fs/ocfs2/super.c 2011-11-15 19:59:43.000000000 -0500
49748 @@ -284,11 +284,11 @@ static int ocfs2_osb_dump(struct ocfs2_s
49749 "%10s => GlobalAllocs: %d LocalAllocs: %d "
49750 "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
49751 "Stats",
49752 - atomic_read(&osb->alloc_stats.bitmap_data),
49753 - atomic_read(&osb->alloc_stats.local_data),
49754 - atomic_read(&osb->alloc_stats.bg_allocs),
49755 - atomic_read(&osb->alloc_stats.moves),
49756 - atomic_read(&osb->alloc_stats.bg_extends));
49757 + atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
49758 + atomic_read_unchecked(&osb->alloc_stats.local_data),
49759 + atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
49760 + atomic_read_unchecked(&osb->alloc_stats.moves),
49761 + atomic_read_unchecked(&osb->alloc_stats.bg_extends));
49762
49763 out += snprintf(buf + out, len - out,
49764 "%10s => State: %u Descriptor: %llu Size: %u bits "
49765 @@ -2002,11 +2002,11 @@ static int ocfs2_initialize_super(struct
49766 spin_lock_init(&osb->osb_xattr_lock);
49767 ocfs2_init_inode_steal_slot(osb);
49768
49769 - atomic_set(&osb->alloc_stats.moves, 0);
49770 - atomic_set(&osb->alloc_stats.local_data, 0);
49771 - atomic_set(&osb->alloc_stats.bitmap_data, 0);
49772 - atomic_set(&osb->alloc_stats.bg_allocs, 0);
49773 - atomic_set(&osb->alloc_stats.bg_extends, 0);
49774 + atomic_set_unchecked(&osb->alloc_stats.moves, 0);
49775 + atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
49776 + atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
49777 + atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
49778 + atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
49779
49780 /* Copy the blockcheck stats from the superblock probe */
49781 osb->osb_ecc_stats = *stats;
49782 diff -urNp linux-2.6.32.49/fs/open.c linux-2.6.32.49/fs/open.c
49783 --- linux-2.6.32.49/fs/open.c 2011-11-08 19:02:43.000000000 -0500
49784 +++ linux-2.6.32.49/fs/open.c 2011-11-18 19:28:37.000000000 -0500
49785 @@ -275,6 +275,10 @@ static long do_sys_truncate(const char _
49786 error = locks_verify_truncate(inode, NULL, length);
49787 if (!error)
49788 error = security_path_truncate(&path, length, 0);
49789 +
49790 + if (!error && !gr_acl_handle_truncate(path.dentry, path.mnt))
49791 + error = -EACCES;
49792 +
49793 if (!error) {
49794 vfs_dq_init(inode);
49795 error = do_truncate(path.dentry, length, 0, NULL);
49796 @@ -511,6 +515,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, con
49797 if (__mnt_is_readonly(path.mnt))
49798 res = -EROFS;
49799
49800 + if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
49801 + res = -EACCES;
49802 +
49803 out_path_release:
49804 path_put(&path);
49805 out:
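Review bot: The new `gr_acl_handle_access()` check sits immediately before the `out_path_release:` label, so any earlier `goto out_path_release` bypasses it. The code above the `__mnt_is_readonly()` test is outside the hunk; if it contains an early exit for requests that do not ask for write access, the ACL hook is consulted only for a subset of `faccessat()` calls and the answer for the rest comes from the stock permission check alone. Confirm which paths reach this line, and either move the check ahead of the first early exit or add a comment stating that the restriction is intended.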
49806 @@ -537,6 +544,8 @@ SYSCALL_DEFINE1(chdir, const char __user
49807 if (error)
49808 goto dput_and_out;
49809
49810 + gr_log_chdir(path.dentry, path.mnt);
49811 +
49812 set_fs_pwd(current->fs, &path);
49813
49814 dput_and_out:
49815 @@ -563,6 +572,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd
49816 goto out_putf;
49817
49818 error = inode_permission(inode, MAY_EXEC | MAY_ACCESS);
49819 +
49820 + if (!error && !gr_chroot_fchdir(file->f_path.dentry, file->f_path.mnt))
49821 + error = -EPERM;
49822 +
49823 + if (!error)
49824 + gr_log_chdir(file->f_path.dentry, file->f_path.mnt);
49825 +
49826 if (!error)
49827 set_fs_pwd(current->fs, &file->f_path);
49828 out_putf:
49829 @@ -588,7 +604,13 @@ SYSCALL_DEFINE1(chroot, const char __use
49830 if (!capable(CAP_SYS_CHROOT))
49831 goto dput_and_out;
49832
49833 + if (gr_handle_chroot_chroot(path.dentry, path.mnt))
49834 + goto dput_and_out;
49835 +
49836 set_fs_root(current->fs, &path);
49837 +
49838 + gr_handle_chroot_chdir(&path);
49839 +
49840 error = 0;
49841 dput_and_out:
49842 path_put(&path);
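Review bot: A denial from `gr_handle_chroot_chroot()` jumps to `dput_and_out` without assigning `error`, so the syscall returns whatever value was set before the `capable(CAP_SYS_CHROOT)` test, which is outside the hunk. The other chroot hooks added by this patch set their errno explicitly, and doing the same here with `error = -EPERM;` inside a braced `if` would keep the result independent of the surrounding code. The value returned by `gr_handle_chroot_chdir(&path)`, if it has one, is discarded after `set_fs_root()`; a comment should say that the call is made for its side effect.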
49843 @@ -616,12 +638,27 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
49844 err = mnt_want_write_file(file);
49845 if (err)
49846 goto out_putf;
49847 +
49848 mutex_lock(&inode->i_mutex);
49849 +
49850 + if (!gr_acl_handle_fchmod(dentry, file->f_path.mnt, mode)) {
49851 + err = -EACCES;
49852 + goto out_unlock;
49853 + }
49854 +
49855 if (mode == (mode_t) -1)
49856 mode = inode->i_mode;
49857 +
49858 + if (gr_handle_chroot_chmod(dentry, file->f_path.mnt, mode)) {
49859 + err = -EPERM;
49860 + goto out_unlock;
49861 + }
49862 +
49863 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
49864 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
49865 err = notify_change(dentry, &newattrs);
49866 +
49867 +out_unlock:
49868 mutex_unlock(&inode->i_mutex);
49869 mnt_drop_write(file->f_path.mnt);
49870 out_putf:
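Review bot: `gr_acl_handle_fchmod()` is given `mode` before the `(mode_t) -1` sentinel is replaced by `inode->i_mode`, while `gr_handle_chroot_chmod()` a few lines later receives the normalised value. The ACL hook therefore decides on the raw, caller-supplied bits, including the all-ones sentinel, rather than on the mode that `notify_change()` will apply. Either move the ACL check below the `if (mode == (mode_t) -1)` block or add a comment that the hook expects the unnormalised value. The `fchmodat` hunk that follows has the same ordering with `gr_acl_handle_chmod()`.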
49871 @@ -645,12 +682,27 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
49872 error = mnt_want_write(path.mnt);
49873 if (error)
49874 goto dput_and_out;
49875 +
49876 mutex_lock(&inode->i_mutex);
49877 +
49878 + if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) {
49879 + error = -EACCES;
49880 + goto out_unlock;
49881 + }
49882 +
49883 if (mode == (mode_t) -1)
49884 mode = inode->i_mode;
49885 +
49886 + if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
49887 + error = -EACCES;
49888 + goto out_unlock;
49889 + }
49890 +
49891 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
49892 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
49893 error = notify_change(path.dentry, &newattrs);
49894 +
49895 +out_unlock:
49896 mutex_unlock(&inode->i_mutex);
49897 mnt_drop_write(path.mnt);
49898 dput_and_out:
49899 @@ -664,12 +716,15 @@ SYSCALL_DEFINE2(chmod, const char __user
49900 return sys_fchmodat(AT_FDCWD, filename, mode);
49901 }
49902
49903 -static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
49904 +static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt)
49905 {
49906 struct inode *inode = dentry->d_inode;
49907 int error;
49908 struct iattr newattrs;
49909
49910 + if (!gr_acl_handle_chown(dentry, mnt))
49911 + return -EACCES;
49912 +
49913 newattrs.ia_valid = ATTR_CTIME;
49914 if (user != (uid_t) -1) {
49915 newattrs.ia_valid |= ATTR_UID;
49916 @@ -700,7 +755,7 @@ SYSCALL_DEFINE3(chown, const char __user
49917 error = mnt_want_write(path.mnt);
49918 if (error)
49919 goto out_release;
49920 - error = chown_common(path.dentry, user, group);
49921 + error = chown_common(path.dentry, user, group, path.mnt);
49922 mnt_drop_write(path.mnt);
49923 out_release:
49924 path_put(&path);
49925 @@ -725,7 +780,7 @@ SYSCALL_DEFINE5(fchownat, int, dfd, cons
49926 error = mnt_want_write(path.mnt);
49927 if (error)
49928 goto out_release;
49929 - error = chown_common(path.dentry, user, group);
49930 + error = chown_common(path.dentry, user, group, path.mnt);
49931 mnt_drop_write(path.mnt);
49932 out_release:
49933 path_put(&path);
49934 @@ -744,7 +799,7 @@ SYSCALL_DEFINE3(lchown, const char __use
49935 error = mnt_want_write(path.mnt);
49936 if (error)
49937 goto out_release;
49938 - error = chown_common(path.dentry, user, group);
49939 + error = chown_common(path.dentry, user, group, path.mnt);
49940 mnt_drop_write(path.mnt);
49941 out_release:
49942 path_put(&path);
49943 @@ -767,7 +822,7 @@ SYSCALL_DEFINE3(fchown, unsigned int, fd
49944 goto out_fput;
49945 dentry = file->f_path.dentry;
49946 audit_inode(NULL, dentry);
49947 - error = chown_common(dentry, user, group);
49948 + error = chown_common(dentry, user, group, file->f_path.mnt);
49949 mnt_drop_write(file->f_path.mnt);
49950 out_fput:
49951 fput(file);
49952 @@ -1036,7 +1091,7 @@ long do_sys_open(int dfd, const char __u
49953 if (!IS_ERR(tmp)) {
49954 fd = get_unused_fd_flags(flags);
49955 if (fd >= 0) {
49956 - struct file *f = do_filp_open(dfd, tmp, flags, mode, 0);
49957 + struct file *f = do_filp_open(dfd, tmp, flags, mode, 0);
49958 if (IS_ERR(f)) {
49959 put_unused_fd(fd);
49960 fd = PTR_ERR(f);
49961 diff -urNp linux-2.6.32.49/fs/partitions/ldm.c linux-2.6.32.49/fs/partitions/ldm.c
49962 --- linux-2.6.32.49/fs/partitions/ldm.c 2011-11-08 19:02:43.000000000 -0500
49963 +++ linux-2.6.32.49/fs/partitions/ldm.c 2011-11-15 19:59:43.000000000 -0500
49964 @@ -1311,6 +1311,7 @@ static bool ldm_frag_add (const u8 *data
49965 ldm_error ("A VBLK claims to have %d parts.", num);
49966 return false;
49967 }
49968 +
49969 if (rec >= num) {
49970 ldm_error("REC value (%d) exceeds NUM value (%d)", rec, num);
49971 return false;
49972 @@ -1322,7 +1323,7 @@ static bool ldm_frag_add (const u8 *data
49973 goto found;
49974 }
49975
49976 - f = kmalloc (sizeof (*f) + size*num, GFP_KERNEL);
49977 + f = kmalloc (size*num + sizeof (*f), GFP_KERNEL);
49978 if (!f) {
49979 ldm_crit ("Out of memory.");
49980 return false;
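Review bot: Swapping the operands in `kmalloc (size*num + sizeof (*f), GFP_KERNEL)` leaves the computed size unchanged, and nothing in the hunk says why the order matters. If the reorder exists for a tool or convention, name it in a comment above the call. If the concern is `size*num` wrapping, the reorder does not address it; whether `num` and `size` are already range-limited is decided outside this hunk (only the tail of a `num` check is visible in the previous one). Once that has been confirmed, a comment such as `/* num and size are bounded by the checks above, so size*num cannot wrap */` would close the question for the next reader.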
49981 diff -urNp linux-2.6.32.49/fs/partitions/mac.c linux-2.6.32.49/fs/partitions/mac.c
49982 --- linux-2.6.32.49/fs/partitions/mac.c 2011-11-08 19:02:43.000000000 -0500
49983 +++ linux-2.6.32.49/fs/partitions/mac.c 2011-11-15 19:59:43.000000000 -0500
49984 @@ -59,11 +59,11 @@ int mac_partition(struct parsed_partitio
49985 return 0; /* not a MacOS disk */
49986 }
49987 blocks_in_map = be32_to_cpu(part->map_count);
49988 + printk(" [mac]");
49989 if (blocks_in_map < 0 || blocks_in_map >= DISK_MAX_PARTS) {
49990 put_dev_sector(sect);
49991 return 0;
49992 }
49993 - printk(" [mac]");
49994 for (slot = 1; slot <= blocks_in_map; ++slot) {
49995 int pos = slot * secsize;
49996 put_dev_sector(sect);
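Review bot: With `printk(" [mac]");` moved above the `blocks_in_map` range check, the tag is now printed even when the map count is rejected and the function returns 0, the same value the "not a MacOS disk" path returns. The log then shows `[mac]` for a table that was not accepted, with nothing to tell the two outcomes apart. If the aim is to record that a Mac signature was seen, say so on the rejection path as well, for example `printk(" [mac: invalid map_count]");` before `put_dev_sector(sect);`, or add a comment explaining why the tag is wanted in both cases.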
49997 diff -urNp linux-2.6.32.49/fs/pipe.c linux-2.6.32.49/fs/pipe.c
49998 --- linux-2.6.32.49/fs/pipe.c 2011-11-08 19:02:43.000000000 -0500
49999 +++ linux-2.6.32.49/fs/pipe.c 2011-11-15 19:59:43.000000000 -0500
50000 @@ -401,9 +401,9 @@ redo:
50001 }
50002 if (bufs) /* More to do? */
50003 continue;
50004 - if (!pipe->writers)
50005 + if (!atomic_read(&pipe->writers))
50006 break;
50007 - if (!pipe->waiting_writers) {
50008 + if (!atomic_read(&pipe->waiting_writers)) {
50009 /* syscall merging: Usually we must not sleep
50010 * if O_NONBLOCK is set, or if we got some data.
50011 * But if a writer sleeps in kernel space, then
50012 @@ -462,7 +462,7 @@ pipe_write(struct kiocb *iocb, const str
50013 mutex_lock(&inode->i_mutex);
50014 pipe = inode->i_pipe;
50015
50016 - if (!pipe->readers) {
50017 + if (!atomic_read(&pipe->readers)) {
50018 send_sig(SIGPIPE, current, 0);
50019 ret = -EPIPE;
50020 goto out;
50021 @@ -511,7 +511,7 @@ redo1:
50022 for (;;) {
50023 int bufs;
50024
50025 - if (!pipe->readers) {
50026 + if (!atomic_read(&pipe->readers)) {
50027 send_sig(SIGPIPE, current, 0);
50028 if (!ret)
50029 ret = -EPIPE;
50030 @@ -597,9 +597,9 @@ redo2:
50031 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
50032 do_wakeup = 0;
50033 }
50034 - pipe->waiting_writers++;
50035 + atomic_inc(&pipe->waiting_writers);
50036 pipe_wait(pipe);
50037 - pipe->waiting_writers--;
50038 + atomic_dec(&pipe->waiting_writers);
50039 }
50040 out:
50041 mutex_unlock(&inode->i_mutex);
50042 @@ -666,7 +666,7 @@ pipe_poll(struct file *filp, poll_table
50043 mask = 0;
50044 if (filp->f_mode & FMODE_READ) {
50045 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
50046 - if (!pipe->writers && filp->f_version != pipe->w_counter)
50047 + if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
50048 mask |= POLLHUP;
50049 }
50050
50051 @@ -676,7 +676,7 @@ pipe_poll(struct file *filp, poll_table
50052 * Most Unices do not set POLLERR for FIFOs but on Linux they
50053 * behave exactly like pipes for poll().
50054 */
50055 - if (!pipe->readers)
50056 + if (!atomic_read(&pipe->readers))
50057 mask |= POLLERR;
50058 }
50059
50060 @@ -690,10 +690,10 @@ pipe_release(struct inode *inode, int de
50061
50062 mutex_lock(&inode->i_mutex);
50063 pipe = inode->i_pipe;
50064 - pipe->readers -= decr;
50065 - pipe->writers -= decw;
50066 + atomic_sub(decr, &pipe->readers);
50067 + atomic_sub(decw, &pipe->writers);
50068
50069 - if (!pipe->readers && !pipe->writers) {
50070 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {
50071 free_pipe_info(inode);
50072 } else {
50073 wake_up_interruptible_sync(&pipe->wait);
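Review bot: The release path now updates the counters with `atomic_sub()` and then re-reads them with `atomic_read()` to decide on `free_pipe_info(inode)`; these are separate operations, so the decision is only sound because `inode->i_mutex` is taken at the top of the hunk (the unlock is outside it). A comment would stop a later reader from assuming the atomic type makes the lock unnecessary: `/* readers/writers are atomic_t, but the zero test below still relies on i_mutex */`. The same conversion is applied in the other fs/pipe.c hunks (read, write, poll and open paths), and the field declarations are not part of this file's diff, so the reason for the type change should be documented where the fields are declared.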
50074 @@ -783,7 +783,7 @@ pipe_read_open(struct inode *inode, stru
50075
50076 if (inode->i_pipe) {
50077 ret = 0;
50078 - inode->i_pipe->readers++;
50079 + atomic_inc(&inode->i_pipe->readers);
50080 }
50081
50082 mutex_unlock(&inode->i_mutex);
50083 @@ -800,7 +800,7 @@ pipe_write_open(struct inode *inode, str
50084
50085 if (inode->i_pipe) {
50086 ret = 0;
50087 - inode->i_pipe->writers++;
50088 + atomic_inc(&inode->i_pipe->writers);
50089 }
50090
50091 mutex_unlock(&inode->i_mutex);
50092 @@ -818,9 +818,9 @@ pipe_rdwr_open(struct inode *inode, stru
50093 if (inode->i_pipe) {
50094 ret = 0;
50095 if (filp->f_mode & FMODE_READ)
50096 - inode->i_pipe->readers++;
50097 + atomic_inc(&inode->i_pipe->readers);
50098 if (filp->f_mode & FMODE_WRITE)
50099 - inode->i_pipe->writers++;
50100 + atomic_inc(&inode->i_pipe->writers);
50101 }
50102
50103 mutex_unlock(&inode->i_mutex);
50104 @@ -905,7 +905,7 @@ void free_pipe_info(struct inode *inode)
50105 inode->i_pipe = NULL;
50106 }
50107
50108 -static struct vfsmount *pipe_mnt __read_mostly;
50109 +struct vfsmount *pipe_mnt __read_mostly;
50110 static int pipefs_delete_dentry(struct dentry *dentry)
50111 {
50112 /*
50113 @@ -945,7 +945,8 @@ static struct inode * get_pipe_inode(voi
50114 goto fail_iput;
50115 inode->i_pipe = pipe;
50116
50117 - pipe->readers = pipe->writers = 1;
50118 + atomic_set(&pipe->readers, 1);
50119 + atomic_set(&pipe->writers, 1);
50120 inode->i_fop = &rdwr_pipefifo_fops;
50121
50122 /*
50123 diff -urNp linux-2.6.32.49/fs/proc/array.c linux-2.6.32.49/fs/proc/array.c
50124 --- linux-2.6.32.49/fs/proc/array.c 2011-11-08 19:02:43.000000000 -0500
50125 +++ linux-2.6.32.49/fs/proc/array.c 2011-11-15 19:59:43.000000000 -0500
50126 @@ -60,6 +60,7 @@
50127 #include <linux/tty.h>
50128 #include <linux/string.h>
50129 #include <linux/mman.h>
50130 +#include <linux/grsecurity.h>
50131 #include <linux/proc_fs.h>
50132 #include <linux/ioport.h>
50133 #include <linux/uaccess.h>
50134 @@ -321,6 +322,21 @@ static inline void task_context_switch_c
50135 p->nivcsw);
50136 }
50137
50138 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
50139 +static inline void task_pax(struct seq_file *m, struct task_struct *p)
50140 +{
50141 + if (p->mm)
50142 + seq_printf(m, "PaX:\t%c%c%c%c%c\n",
50143 + p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
50144 + p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
50145 + p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
50146 + p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
50147 + p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
50148 + else
50149 + seq_printf(m, "PaX:\t-----\n");
50150 +}
50151 +#endif
50152 +
50153 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
50154 struct pid *pid, struct task_struct *task)
50155 {
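Review bot: `task_pax()` tests `p->mm` and then dereferences `p->mm->pax_flags` five more times without taking a reference, so the output depends on the task's mm staying in place for the whole `seq_printf()` call. Unless the caller guarantees that (not visible in this hunk), pin the mm with `get_task_mm()` / `mmput()` and read `pax_flags` once, as below. `get_task_mm()` is already used by `proc_pid_auxv` in the fs/proc/base.c part of this patch. Kernel threads would then print the `-----` line, which should be confirmed as acceptable.

```c
/* … unchanged: #if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR) guard … */
static inline void task_pax(struct seq_file *m, struct task_struct *p)
{
	struct mm_struct *mm = get_task_mm(p);
	unsigned long flags;	/* assumed type; match the declaration of mm->pax_flags */

	if (!mm) {
		seq_printf(m, "PaX:\t-----\n");
		return;
	}

	/* snapshot the flags while the reference is held, then drop it */
	flags = mm->pax_flags;
	mmput(mm);

	seq_printf(m, "PaX:\t%c%c%c%c%c\n",
		   flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
		   flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
		   flags & MF_PAX_MPROTECT ? 'M' : 'm',
		   flags & MF_PAX_RANDMMAP ? 'R' : 'r',
		   flags & MF_PAX_SEGMEXEC ? 'S' : 's');
}
```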
50156 @@ -337,9 +353,24 @@ int proc_pid_status(struct seq_file *m,
50157 task_cap(m, task);
50158 cpuset_task_status_allowed(m, task);
50159 task_context_switch_counts(m, task);
50160 +
50161 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
50162 + task_pax(m, task);
50163 +#endif
50164 +
50165 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
50166 + task_grsec_rbac(m, task);
50167 +#endif
50168 +
50169 return 0;
50170 }
50171
50172 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50173 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
50174 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
50175 + _mm->pax_flags & MF_PAX_SEGMEXEC))
50176 +#endif
50177 +
50178 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
50179 struct pid *pid, struct task_struct *task, int whole)
50180 {
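Review bot: `PAX_RAND_FLAGS` expands its argument four times without parentheses and is defined a second time, identically, in the fs/proc/base.c part of this patch. A `static inline` helper in a shared header would evaluate the argument once and keep the two users from drifting apart. If the macro stays, parenthesise the parameter and test both flags in one mask: `#define PAX_RAND_FLAGS(_mm) ((_mm) != NULL && (_mm) != current->mm && ((_mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)))`. A one-line comment stating what a true result means for the caller (address fields are withheld from other tasks' views) would also help, since the name does not say it.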
50181 @@ -358,9 +389,11 @@ static int do_task_stat(struct seq_file
50182 cputime_t cutime, cstime, utime, stime;
50183 cputime_t cgtime, gtime;
50184 unsigned long rsslim = 0;
50185 - char tcomm[sizeof(task->comm)];
50186 + char tcomm[sizeof(task->comm)] = { 0 };
50187 unsigned long flags;
50188
50189 + pax_track_stack();
50190 +
50191 state = *get_task_state(task);
50192 vsize = eip = esp = 0;
50193 permitted = ptrace_may_access(task, PTRACE_MODE_READ);
50194 @@ -433,6 +466,19 @@ static int do_task_stat(struct seq_file
50195 gtime = task_gtime(task);
50196 }
50197
50198 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50199 + if (PAX_RAND_FLAGS(mm)) {
50200 + eip = 0;
50201 + esp = 0;
50202 + wchan = 0;
50203 + }
50204 +#endif
50205 +#ifdef CONFIG_GRKERNSEC_HIDESYM
50206 + wchan = 0;
50207 + eip =0;
50208 + esp =0;
50209 +#endif
50210 +
50211 /* scale priority and nice values from timeslices to -20..20 */
50212 /* to make it look like a "normal" Unix priority/nice value */
50213 priority = task_prio(task);
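Review bot: In the `CONFIG_GRKERNSEC_HIDESYM` block, `eip =0;` and `esp =0;` drop the space after `=` that the `CONFIG_GRKERNSEC_PROC_MEMMAP` block just above uses; write `eip = 0;` and `esp = 0;`. When both options are enabled the three variables are cleared twice, once conditionally and once unconditionally. A comment on the second block, for example `/* HIDESYM: wchan/eip/esp are never reported, independent of PAX_RAND_FLAGS */`, would explain why it is not folded into the first.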
50214 @@ -473,9 +519,15 @@ static int do_task_stat(struct seq_file
50215 vsize,
50216 mm ? get_mm_rss(mm) : 0,
50217 rsslim,
50218 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50219 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->start_code : 1) : 0),
50220 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->end_code : 1) : 0),
50221 + PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? mm->start_stack : 0),
50222 +#else
50223 mm ? (permitted ? mm->start_code : 1) : 0,
50224 mm ? (permitted ? mm->end_code : 1) : 0,
50225 (permitted && mm) ? mm->start_stack : 0,
50226 +#endif
50227 esp,
50228 eip,
50229 /* The signal information here is obsolete.
50230 @@ -528,3 +580,18 @@ int proc_pid_statm(struct seq_file *m, s
50231
50232 return 0;
50233 }
50234 +
50235 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
50236 +int proc_pid_ipaddr(struct task_struct *task, char *buffer)
50237 +{
50238 + u32 curr_ip = 0;
50239 + unsigned long flags;
50240 +
50241 + if (lock_task_sighand(task, &flags)) {
50242 + curr_ip = task->signal->curr_ip;
50243 + unlock_task_sighand(task, &flags);
50244 + }
50245 +
50246 + return sprintf(buffer, "%pI4\n", &curr_ip);
50247 +}
50248 +#endif
50249 diff -urNp linux-2.6.32.49/fs/proc/base.c linux-2.6.32.49/fs/proc/base.c
50250 --- linux-2.6.32.49/fs/proc/base.c 2011-11-08 19:02:43.000000000 -0500
50251 +++ linux-2.6.32.49/fs/proc/base.c 2011-11-15 19:59:43.000000000 -0500
50252 @@ -102,6 +102,22 @@ struct pid_entry {
50253 union proc_op op;
50254 };
50255
50256 +struct getdents_callback {
50257 + struct linux_dirent __user * current_dir;
50258 + struct linux_dirent __user * previous;
50259 + struct file * file;
50260 + int count;
50261 + int error;
50262 +};
50263 +
50264 +static int gr_fake_filldir(void * __buf, const char *name, int namlen,
50265 + loff_t offset, u64 ino, unsigned int d_type)
50266 +{
50267 + struct getdents_callback * buf = (struct getdents_callback *) __buf;
50268 + buf->error = -EINVAL;
50269 + return 0;
50270 +}
50271 +
50272 #define NOD(NAME, MODE, IOP, FOP, OP) { \
50273 .name = (NAME), \
50274 .len = sizeof(NAME) - 1, \
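Review bot: `gr_fake_filldir()` casts `__buf` to a `struct getdents_callback` that is declared locally in this file, so the store to `buf->error` is only correct if every caller that reaches it passes a buffer with exactly this layout. Nothing in the hunk ties this copy to the definition used by the code that allocates the buffer (outside this file), and a later field change there would silently turn the store into a write at the wrong offset. Move the structure into a shared header included by both sides, and state the contract above the function: `/* __buf must point to a struct getdents_callback; sets error to -EINVAL and emits no entry */`. The unused parameters are required by the `filldir_t` signature and need no change.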
50275 @@ -213,6 +229,9 @@ static int check_mem_permission(struct t
50276 if (task == current)
50277 return 0;
50278
50279 + if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
50280 + return -EPERM;
50281 +
50282 /*
50283 * If current is actively ptrace'ing, and would also be
50284 * permitted to freshly attach with ptrace now, permit it.
50285 @@ -260,6 +279,9 @@ static int proc_pid_cmdline(struct task_
50286 if (!mm->arg_end)
50287 goto out_mm; /* Shh! No looking before we're done */
50288
50289 + if (gr_acl_handle_procpidmem(task))
50290 + goto out_mm;
50291 +
50292 len = mm->arg_end - mm->arg_start;
50293
50294 if (len > PAGE_SIZE)
50295 @@ -287,12 +309,28 @@ out:
50296 return res;
50297 }
50298
50299 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50300 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
50301 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
50302 + _mm->pax_flags & MF_PAX_SEGMEXEC))
50303 +#endif
50304 +
50305 static int proc_pid_auxv(struct task_struct *task, char *buffer)
50306 {
50307 int res = 0;
50308 struct mm_struct *mm = get_task_mm(task);
50309 if (mm) {
50310 unsigned int nwords = 0;
50311 +
50312 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50313 + /* allow if we're currently ptracing this task */
50314 + if (PAX_RAND_FLAGS(mm) &&
50315 + (!(task->ptrace & PT_PTRACED) || (task->parent != current))) {
50316 + mmput(mm);
50317 + return 0;
50318 + }
50319 +#endif
50320 +
50321 do {
50322 nwords += 2;
50323 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
50324 @@ -306,7 +344,7 @@ static int proc_pid_auxv(struct task_str
50325 }
50326
50327
50328 -#ifdef CONFIG_KALLSYMS
50329 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
50330 /*
50331 * Provides a wchan file via kallsyms in a proper one-value-per-file format.
50332 * Returns the resolved symbol. If that fails, simply return the address.
50333 @@ -345,7 +383,7 @@ static void unlock_trace(struct task_str
50334 mutex_unlock(&task->cred_guard_mutex);
50335 }
50336
50337 -#ifdef CONFIG_STACKTRACE
50338 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
50339
50340 #define MAX_STACK_TRACE_DEPTH 64
50341
50342 @@ -545,7 +583,7 @@ static int proc_pid_limits(struct task_s
50343 return count;
50344 }
50345
50346 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
50347 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
50348 static int proc_pid_syscall(struct task_struct *task, char *buffer)
50349 {
50350 long nr;
50351 @@ -574,7 +612,7 @@ static int proc_pid_syscall(struct task_
50352 /************************************************************************/
50353
50354 /* permission checks */
50355 -static int proc_fd_access_allowed(struct inode *inode)
50356 +static int proc_fd_access_allowed(struct inode *inode, unsigned int log)
50357 {
50358 struct task_struct *task;
50359 int allowed = 0;
50360 @@ -584,7 +622,10 @@ static int proc_fd_access_allowed(struct
50361 */
50362 task = get_proc_task(inode);
50363 if (task) {
50364 - allowed = ptrace_may_access(task, PTRACE_MODE_READ);
50365 + if (log)
50366 + allowed = ptrace_may_access_log(task, PTRACE_MODE_READ);
50367 + else
50368 + allowed = ptrace_may_access(task, PTRACE_MODE_READ);
50369 put_task_struct(task);
50370 }
50371 return allowed;
50372 @@ -963,6 +1004,9 @@ static ssize_t environ_read(struct file
50373 if (!task)
50374 goto out_no_task;
50375
50376 + if (gr_acl_handle_procpidmem(task))
50377 + goto out;
50378 +
50379 if (!ptrace_may_access(task, PTRACE_MODE_READ))
50380 goto out;
50381
50382 @@ -1377,7 +1421,7 @@ static void *proc_pid_follow_link(struct
50383 path_put(&nd->path);
50384
50385 /* Are we allowed to snoop on the tasks file descriptors? */
50386 - if (!proc_fd_access_allowed(inode))
50387 + if (!proc_fd_access_allowed(inode,0))
50388 goto out;
50389
50390 error = PROC_I(inode)->op.proc_get_link(inode, &nd->path);
50391 @@ -1417,8 +1461,18 @@ static int proc_pid_readlink(struct dent
50392 struct path path;
50393
50394 /* Are we allowed to snoop on the tasks file descriptors? */
50395 - if (!proc_fd_access_allowed(inode))
50396 - goto out;
50397 + /* logging this is needed for learning on chromium to work properly,
50398 + but we don't want to flood the logs from 'ps' which does a readlink
50399 + on /proc/fd/2 of tasks in the listing, nor do we want 'ps' to learn
50400 + CAP_SYS_PTRACE as it's not necessary for its basic functionality
50401 + */
50402 + if (dentry->d_name.name[0] == '2' && dentry->d_name.name[1] == '\0') {
50403 + if (!proc_fd_access_allowed(inode,0))
50404 + goto out;
50405 + } else {
50406 + if (!proc_fd_access_allowed(inode,1))
50407 + goto out;
50408 + }
50409
50410 error = PROC_I(inode)->op.proc_get_link(inode, &path);
50411 if (error)
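Review bot: The two branches differ only in the `log` argument, so the `if`/`else` can be reduced to computing that flag once: `unsigned int log = !(dentry->d_name.name[0] == '2' && dentry->d_name.name[1] == '\0');` followed by `if (!proc_fd_access_allowed(inode, log)) goto out;`. That keeps a single access check on the path and makes it harder for a later edit to change one branch and not the other. The call sites are written `inode,0` / `inode,1` without a space after the comma, unlike the surrounding code, and the new `log` parameter has no description at the function definition in the earlier hunk; `/* log: non-zero to use ptrace_may_access_log() for the check */` would cover it.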
50412 @@ -1483,7 +1537,11 @@ static struct inode *proc_pid_make_inode
50413 rcu_read_lock();
50414 cred = __task_cred(task);
50415 inode->i_uid = cred->euid;
50416 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
50417 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
50418 +#else
50419 inode->i_gid = cred->egid;
50420 +#endif
50421 rcu_read_unlock();
50422 }
50423 security_task_to_inode(task, inode);
50424 @@ -1501,6 +1559,9 @@ static int pid_getattr(struct vfsmount *
50425 struct inode *inode = dentry->d_inode;
50426 struct task_struct *task;
50427 const struct cred *cred;
50428 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50429 + const struct cred *tmpcred = current_cred();
50430 +#endif
50431
50432 generic_fillattr(inode, stat);
50433
50434 @@ -1508,13 +1569,41 @@ static int pid_getattr(struct vfsmount *
50435 stat->uid = 0;
50436 stat->gid = 0;
50437 task = pid_task(proc_pid(inode), PIDTYPE_PID);
50438 +
50439 + if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
50440 + rcu_read_unlock();
50441 + return -ENOENT;
50442 + }
50443 +
50444 if (task) {
50445 + cred = __task_cred(task);
50446 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50447 + if (!tmpcred->uid || (tmpcred->uid == cred->uid)
50448 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
50449 + || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
50450 +#endif
50451 + ) {
50452 +#endif
50453 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
50454 +#ifdef CONFIG_GRKERNSEC_PROC_USER
50455 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
50456 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50457 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
50458 +#endif
50459 task_dumpable(task)) {
50460 - cred = __task_cred(task);
50461 stat->uid = cred->euid;
50462 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
50463 + stat->gid = CONFIG_GRKERNSEC_PROC_GID;
50464 +#else
50465 stat->gid = cred->egid;
50466 +#endif
50467 }
50468 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50469 + } else {
50470 + rcu_read_unlock();
50471 + return -ENOENT;
50472 + }
50473 +#endif
50474 }
50475 rcu_read_unlock();
50476 return 0;
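Review bot: The visibility test is opened by `if (...) {` inside one `#if` block and closed by `} else {` inside another, with a nested `#ifdef` in the middle of the condition, which makes the brace pairing hard to verify for each configuration. Pulling the test into a small helper defined per configuration (returning 1 when neither option is set) would leave a plain `if (!helper(tmpcred, cred)) { rcu_read_unlock(); return -ENOENT; }` here; the helper name is a placeholder. The inverse of the same condition is repeated in the proc_pid_readdir hunk later in this file, so one helper would serve both. The test compares `cred->uid` while the owner reported just below is `cred->euid`; if that asymmetry is intended, a comment should say so.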
50477 @@ -1545,11 +1634,20 @@ static int pid_revalidate(struct dentry
50478
50479 if (task) {
50480 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
50481 +#ifdef CONFIG_GRKERNSEC_PROC_USER
50482 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
50483 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50484 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
50485 +#endif
50486 task_dumpable(task)) {
50487 rcu_read_lock();
50488 cred = __task_cred(task);
50489 inode->i_uid = cred->euid;
50490 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
50491 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
50492 +#else
50493 inode->i_gid = cred->egid;
50494 +#endif
50495 rcu_read_unlock();
50496 } else {
50497 inode->i_uid = 0;
50498 @@ -1670,7 +1768,8 @@ static int proc_fd_info(struct inode *in
50499 int fd = proc_fd(inode);
50500
50501 if (task) {
50502 - files = get_files_struct(task);
50503 + if (!gr_acl_handle_procpidmem(task))
50504 + files = get_files_struct(task);
50505 put_task_struct(task);
50506 }
50507 if (files) {
50508 @@ -1922,12 +2021,22 @@ static const struct file_operations proc
50509 static int proc_fd_permission(struct inode *inode, int mask)
50510 {
50511 int rv;
50512 + struct task_struct *task;
50513
50514 rv = generic_permission(inode, mask, NULL);
50515 - if (rv == 0)
50516 - return 0;
50517 +
50518 if (task_pid(current) == proc_pid(inode))
50519 rv = 0;
50520 +
50521 + task = get_proc_task(inode);
50522 + if (task == NULL)
50523 + return rv;
50524 +
50525 + if (gr_acl_handle_procpidmem(task))
50526 + rv = -EACCES;
50527 +
50528 + put_task_struct(task);
50529 +
50530 return rv;
50531 }
50532
50533 @@ -2036,6 +2145,9 @@ static struct dentry *proc_pident_lookup
50534 if (!task)
50535 goto out_no_task;
50536
50537 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
50538 + goto out;
50539 +
50540 /*
50541 * Yes, it does not scale. And it should not. Don't add
50542 * new entries into /proc/<tgid>/ without very good reasons.
50543 @@ -2080,6 +2192,9 @@ static int proc_pident_readdir(struct fi
50544 if (!task)
50545 goto out_no_task;
50546
50547 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
50548 + goto out;
50549 +
50550 ret = 0;
50551 i = filp->f_pos;
50552 switch (i) {
50553 @@ -2347,7 +2462,7 @@ static void *proc_self_follow_link(struc
50554 static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
50555 void *cookie)
50556 {
50557 - char *s = nd_get_link(nd);
50558 + const char *s = nd_get_link(nd);
50559 if (!IS_ERR(s))
50560 __putname(s);
50561 }
50562 @@ -2553,7 +2668,7 @@ static const struct pid_entry tgid_base_
50563 #ifdef CONFIG_SCHED_DEBUG
50564 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
50565 #endif
50566 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
50567 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
50568 INF("syscall", S_IRUGO, proc_pid_syscall),
50569 #endif
50570 INF("cmdline", S_IRUGO, proc_pid_cmdline),
50571 @@ -2578,10 +2693,10 @@ static const struct pid_entry tgid_base_
50572 #ifdef CONFIG_SECURITY
50573 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
50574 #endif
50575 -#ifdef CONFIG_KALLSYMS
50576 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
50577 INF("wchan", S_IRUGO, proc_pid_wchan),
50578 #endif
50579 -#ifdef CONFIG_STACKTRACE
50580 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
50581 ONE("stack", S_IRUGO, proc_pid_stack),
50582 #endif
50583 #ifdef CONFIG_SCHEDSTATS
50584 @@ -2611,6 +2726,9 @@ static const struct pid_entry tgid_base_
50585 #ifdef CONFIG_TASK_IO_ACCOUNTING
50586 INF("io", S_IRUSR, proc_tgid_io_accounting),
50587 #endif
50588 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
50589 + INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
50590 +#endif
50591 };
50592
50593 static int proc_tgid_base_readdir(struct file * filp,
50594 @@ -2735,7 +2853,14 @@ static struct dentry *proc_pid_instantia
50595 if (!inode)
50596 goto out;
50597
50598 +#ifdef CONFIG_GRKERNSEC_PROC_USER
50599 + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
50600 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50601 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
50602 + inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
50603 +#else
50604 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
50605 +#endif
50606 inode->i_op = &proc_tgid_base_inode_operations;
50607 inode->i_fop = &proc_tgid_base_operations;
50608 inode->i_flags|=S_IMMUTABLE;
50609 @@ -2777,7 +2902,14 @@ struct dentry *proc_pid_lookup(struct in
50610 if (!task)
50611 goto out;
50612
50613 + if (!has_group_leader_pid(task))
50614 + goto out_put_task;
50615 +
50616 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
50617 + goto out_put_task;
50618 +
50619 result = proc_pid_instantiate(dir, dentry, task, NULL);
50620 +out_put_task:
50621 put_task_struct(task);
50622 out:
50623 return result;
50624 @@ -2842,6 +2974,11 @@ int proc_pid_readdir(struct file * filp,
50625 {
50626 unsigned int nr;
50627 struct task_struct *reaper;
50628 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50629 + const struct cred *tmpcred = current_cred();
50630 + const struct cred *itercred;
50631 +#endif
50632 + filldir_t __filldir = filldir;
50633 struct tgid_iter iter;
50634 struct pid_namespace *ns;
50635
50636 @@ -2865,8 +3002,27 @@ int proc_pid_readdir(struct file * filp,
50637 for (iter = next_tgid(ns, iter);
50638 iter.task;
50639 iter.tgid += 1, iter = next_tgid(ns, iter)) {
50640 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50641 + rcu_read_lock();
50642 + itercred = __task_cred(iter.task);
50643 +#endif
50644 + if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
50645 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50646 + || (tmpcred->uid && (itercred->uid != tmpcred->uid)
50647 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
50648 + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
50649 +#endif
50650 + )
50651 +#endif
50652 + )
50653 + __filldir = &gr_fake_filldir;
50654 + else
50655 + __filldir = filldir;
50656 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50657 + rcu_read_unlock();
50658 +#endif
50659 filp->f_pos = iter.tgid + TGID_OFFSET;
50660 - if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
50661 + if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
50662 put_task_struct(iter.task);
50663 goto out;
50664 }
50665 @@ -2892,7 +3048,7 @@ static const struct pid_entry tid_base_s
50666 #ifdef CONFIG_SCHED_DEBUG
50667 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
50668 #endif
50669 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
50670 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
50671 INF("syscall", S_IRUGO, proc_pid_syscall),
50672 #endif
50673 INF("cmdline", S_IRUGO, proc_pid_cmdline),
50674 @@ -2916,10 +3072,10 @@ static const struct pid_entry tid_base_s
50675 #ifdef CONFIG_SECURITY
50676 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
50677 #endif
50678 -#ifdef CONFIG_KALLSYMS
50679 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
50680 INF("wchan", S_IRUGO, proc_pid_wchan),
50681 #endif
50682 -#ifdef CONFIG_STACKTRACE
50683 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
50684 ONE("stack", S_IRUGO, proc_pid_stack),
50685 #endif
50686 #ifdef CONFIG_SCHEDSTATS
50687 diff -urNp linux-2.6.32.49/fs/proc/cmdline.c linux-2.6.32.49/fs/proc/cmdline.c
50688 --- linux-2.6.32.49/fs/proc/cmdline.c 2011-11-08 19:02:43.000000000 -0500
50689 +++ linux-2.6.32.49/fs/proc/cmdline.c 2011-11-15 19:59:43.000000000 -0500
50690 @@ -23,7 +23,11 @@ static const struct file_operations cmdl
50691
50692 static int __init proc_cmdline_init(void)
50693 {
50694 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
50695 + proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
50696 +#else
50697 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
50698 +#endif
50699 return 0;
50700 }
50701 module_init(proc_cmdline_init);
50702 diff -urNp linux-2.6.32.49/fs/proc/devices.c linux-2.6.32.49/fs/proc/devices.c
50703 --- linux-2.6.32.49/fs/proc/devices.c 2011-11-08 19:02:43.000000000 -0500
50704 +++ linux-2.6.32.49/fs/proc/devices.c 2011-11-15 19:59:43.000000000 -0500
50705 @@ -64,7 +64,11 @@ static const struct file_operations proc
50706
50707 static int __init proc_devices_init(void)
50708 {
50709 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
50710 + proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
50711 +#else
50712 proc_create("devices", 0, NULL, &proc_devinfo_operations);
50713 +#endif
50714 return 0;
50715 }
50716 module_init(proc_devices_init);
50717 diff -urNp linux-2.6.32.49/fs/proc/inode.c linux-2.6.32.49/fs/proc/inode.c
50718 --- linux-2.6.32.49/fs/proc/inode.c 2011-11-08 19:02:43.000000000 -0500
50719 +++ linux-2.6.32.49/fs/proc/inode.c 2011-11-15 19:59:43.000000000 -0500
50720 @@ -18,12 +18,19 @@
50721 #include <linux/module.h>
50722 #include <linux/smp_lock.h>
50723 #include <linux/sysctl.h>
50724 +#include <linux/grsecurity.h>
50725
50726 #include <asm/system.h>
50727 #include <asm/uaccess.h>
50728
50729 #include "internal.h"
50730
50731 +#ifdef CONFIG_PROC_SYSCTL
50732 +extern const struct inode_operations proc_sys_inode_operations;
50733 +extern const struct inode_operations proc_sys_dir_operations;
50734 +#endif
50735 +
50736 +
50737 struct proc_dir_entry *de_get(struct proc_dir_entry *de)
50738 {
50739 atomic_inc(&de->count);
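Review bot: The two `extern const struct inode_operations` declarations are placed in this .c file rather than in a header, so the compiler cannot check them against the definitions. `internal.h` is already included a few lines above; declaring `proc_sys_inode_operations` and `proc_sys_dir_operations` there, still under `#ifdef CONFIG_PROC_SYSCTL`, lets the defining file see the same declarations and catches a type or qualifier mismatch at build time. Whether the definitions have external linkage is not visible in this hunk and has to be confirmed in the file that defines them.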
50740 @@ -62,6 +69,13 @@ static void proc_delete_inode(struct ino
50741 de_put(de);
50742 if (PROC_I(inode)->sysctl)
50743 sysctl_head_put(PROC_I(inode)->sysctl);
50744 +
50745 +#ifdef CONFIG_PROC_SYSCTL
50746 + if (inode->i_op == &proc_sys_inode_operations ||
50747 + inode->i_op == &proc_sys_dir_operations)
50748 + gr_handle_delete(inode->i_ino, inode->i_sb->s_dev);
50749 +#endif
50750 +
50751 clear_inode(inode);
50752 }
50753
50754 @@ -457,7 +471,11 @@ struct inode *proc_get_inode(struct supe
50755 if (de->mode) {
50756 inode->i_mode = de->mode;
50757 inode->i_uid = de->uid;
50758 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
50759 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
50760 +#else
50761 inode->i_gid = de->gid;
50762 +#endif
50763 }
50764 if (de->size)
50765 inode->i_size = de->size;
50766 diff -urNp linux-2.6.32.49/fs/proc/internal.h linux-2.6.32.49/fs/proc/internal.h
50767 --- linux-2.6.32.49/fs/proc/internal.h 2011-11-08 19:02:43.000000000 -0500
50768 +++ linux-2.6.32.49/fs/proc/internal.h 2011-11-15 19:59:43.000000000 -0500
50769 @@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_fi
50770 struct pid *pid, struct task_struct *task);
50771 extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
50772 struct pid *pid, struct task_struct *task);
50773 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
50774 +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
50775 +#endif
50776 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
50777
50778 extern const struct file_operations proc_maps_operations;
50779 diff -urNp linux-2.6.32.49/fs/proc/Kconfig linux-2.6.32.49/fs/proc/Kconfig
50780 --- linux-2.6.32.49/fs/proc/Kconfig 2011-11-08 19:02:43.000000000 -0500
50781 +++ linux-2.6.32.49/fs/proc/Kconfig 2011-11-15 19:59:43.000000000 -0500
50782 @@ -30,12 +30,12 @@ config PROC_FS
50783
50784 config PROC_KCORE
50785 bool "/proc/kcore support" if !ARM
50786 - depends on PROC_FS && MMU
50787 + depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
50788
50789 config PROC_VMCORE
50790 bool "/proc/vmcore support (EXPERIMENTAL)"
50791 - depends on PROC_FS && CRASH_DUMP
50792 - default y
50793 + depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
50794 + default n
50795 help
50796 Exports the dump image of crashed kernel in ELF format.
50797
50798 @@ -59,8 +59,8 @@ config PROC_SYSCTL
50799 limited in memory.
50800
50801 config PROC_PAGE_MONITOR
50802 - default y
50803 - depends on PROC_FS && MMU
50804 + default n
50805 + depends on PROC_FS && MMU && !GRKERNSEC
50806 bool "Enable /proc page monitoring" if EMBEDDED
50807 help
50808 Various /proc files exist to monitor process memory utilization:
50809 diff -urNp linux-2.6.32.49/fs/proc/kcore.c linux-2.6.32.49/fs/proc/kcore.c
50810 --- linux-2.6.32.49/fs/proc/kcore.c 2011-11-08 19:02:43.000000000 -0500
50811 +++ linux-2.6.32.49/fs/proc/kcore.c 2011-11-15 19:59:43.000000000 -0500
50812 @@ -320,6 +320,8 @@ static void elf_kcore_store_hdr(char *bu
50813 off_t offset = 0;
50814 struct kcore_list *m;
50815
50816 + pax_track_stack();
50817 +
50818 /* setup ELF header */
50819 elf = (struct elfhdr *) bufp;
50820 bufp += sizeof(struct elfhdr);
50821 @@ -477,9 +479,10 @@ read_kcore(struct file *file, char __use
50822 * the addresses in the elf_phdr on our list.
50823 */
50824 start = kc_offset_to_vaddr(*fpos - elf_buflen);
50825 - if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
50826 + tsz = PAGE_SIZE - (start & ~PAGE_MASK);
50827 + if (tsz > buflen)
50828 tsz = buflen;
50829 -
50830 +
50831 while (buflen) {
50832 struct kcore_list *m;
50833
50834 @@ -508,20 +511,23 @@ read_kcore(struct file *file, char __use
50835 kfree(elf_buf);
50836 } else {
50837 if (kern_addr_valid(start)) {
50838 - unsigned long n;
50839 + char *elf_buf;
50840 + mm_segment_t oldfs;
50841
50842 - n = copy_to_user(buffer, (char *)start, tsz);
50843 - /*
50844 - * We cannot distingush between fault on source
50845 - * and fault on destination. When this happens
50846 - * we clear too and hope it will trigger the
50847 - * EFAULT again.
50848 - */
50849 - if (n) {
50850 - if (clear_user(buffer + tsz - n,
50851 - n))
50852 + elf_buf = kmalloc(tsz, GFP_KERNEL);
50853 + if (!elf_buf)
50854 + return -ENOMEM;
50855 + oldfs = get_fs();
50856 + set_fs(KERNEL_DS);
50857 + if (!__copy_from_user(elf_buf, (const void __user *)start, tsz)) {
50858 + set_fs(oldfs);
50859 + if (copy_to_user(buffer, elf_buf, tsz)) {
50860 + kfree(elf_buf);
50861 return -EFAULT;
50862 + }
50863 }
50864 + set_fs(oldfs);
50865 + kfree(elf_buf);
50866 } else {
50867 if (clear_user(buffer, tsz))
50868 return -EFAULT;
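Review bot: When `__copy_from_user()` from the kernel address fails, the new branch writes nothing to `buffer`, whereas the removed code cleared the unread tail with `clear_user()`. The caller's range then keeps whatever it held before, and the rest of the loop (outside this hunk) presumably still counts those `tsz` bytes as read. The failure path should zero the range, as the neighbouring `else` branch does for invalid addresses. The bounce buffer also reuses the name `elf_buf` that the header branch just above frees, and `set_fs(oldfs)` runs twice on the success path; restoring the address limit once, right after the kernel-side copy, is easier to audit. read_kcore() starts and ends outside the hunk.

```c
	if (kern_addr_valid(start)) {
		unsigned long n;
		char *bounce;
		mm_segment_t oldfs;

		bounce = kmalloc(tsz, GFP_KERNEL);
		if (!bounce)
			return -ENOMEM;
		oldfs = get_fs();
		set_fs(KERNEL_DS);
		n = __copy_from_user(bounce, (const void __user *)start, tsz);
		set_fs(oldfs);	/* restore before touching the caller's buffer */
		if (n)
			n = clear_user(buffer, tsz);	/* source fault: hand back zeroes */
		else
			n = copy_to_user(buffer, bounce, tsz);
		kfree(bounce);
		if (n)
			return -EFAULT;
	/* … unchanged: else branch that clears the range for invalid addresses … */
```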
50869 @@ -541,6 +547,9 @@ read_kcore(struct file *file, char __use
50870
50871 static int open_kcore(struct inode *inode, struct file *filp)
50872 {
50873 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
50874 + return -EPERM;
50875 +#endif
50876 if (!capable(CAP_SYS_RAWIO))
50877 return -EPERM;
50878 if (kcore_need_update)
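Review bot: The unconditional `return -EPERM;` leaves the `capable(CAP_SYS_RAWIO)` check and the rest of open_kcore() as dead code under these options, and nothing records that the denial is meant to apply even to a fully privileged opener. A comment above the `#if`, such as `/* kcore exposes raw kernel memory: refuse every open, CAP_SYS_RAWIO included */`, would state that. The Kconfig hunk in this patch makes PROC_KCORE depend on `!GRKERNSEC_PROC_ADD`, so if kcore.c is built only with PROC_KCORE, the `CONFIG_GRKERNSEC_PROC_ADD` half of the condition looks unreachable. The function continues past the end of the hunk.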
50879 diff -urNp linux-2.6.32.49/fs/proc/meminfo.c linux-2.6.32.49/fs/proc/meminfo.c
50880 --- linux-2.6.32.49/fs/proc/meminfo.c 2011-11-08 19:02:43.000000000 -0500
50881 +++ linux-2.6.32.49/fs/proc/meminfo.c 2011-11-15 19:59:43.000000000 -0500
50882 @@ -29,6 +29,8 @@ static int meminfo_proc_show(struct seq_
50883 unsigned long pages[NR_LRU_LISTS];
50884 int lru;
50885
50886 + pax_track_stack();
50887 +
50888 /*
50889 * display in kilobytes.
50890 */
50891 @@ -149,7 +151,7 @@ static int meminfo_proc_show(struct seq_
50892 vmi.used >> 10,
50893 vmi.largest_chunk >> 10
50894 #ifdef CONFIG_MEMORY_FAILURE
50895 - ,atomic_long_read(&mce_bad_pages) << (PAGE_SHIFT - 10)
50896 + ,atomic_long_read_unchecked(&mce_bad_pages) << (PAGE_SHIFT - 10)
50897 #endif
50898 );
50899
50900 diff -urNp linux-2.6.32.49/fs/proc/nommu.c linux-2.6.32.49/fs/proc/nommu.c
50901 --- linux-2.6.32.49/fs/proc/nommu.c 2011-11-08 19:02:43.000000000 -0500
50902 +++ linux-2.6.32.49/fs/proc/nommu.c 2011-11-15 19:59:43.000000000 -0500
50903 @@ -67,7 +67,7 @@ static int nommu_region_show(struct seq_
50904 if (len < 1)
50905 len = 1;
50906 seq_printf(m, "%*c", len, ' ');
50907 - seq_path(m, &file->f_path, "");
50908 + seq_path(m, &file->f_path, "\n\\");
50909 }
50910
50911 seq_putc(m, '\n');
50912 diff -urNp linux-2.6.32.49/fs/proc/proc_net.c linux-2.6.32.49/fs/proc/proc_net.c
50913 --- linux-2.6.32.49/fs/proc/proc_net.c 2011-11-08 19:02:43.000000000 -0500
50914 +++ linux-2.6.32.49/fs/proc/proc_net.c 2011-11-15 19:59:43.000000000 -0500
50915 @@ -104,6 +104,17 @@ static struct net *get_proc_task_net(str
50916 struct task_struct *task;
50917 struct nsproxy *ns;
50918 struct net *net = NULL;
50919 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50920 + const struct cred *cred = current_cred();
50921 +#endif
50922 +
50923 +#ifdef CONFIG_GRKERNSEC_PROC_USER
50924 + if (cred->fsuid)
50925 + return net;
50926 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50927 + if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
50928 + return net;
50929 +#endif
50930
50931 rcu_read_lock();
50932 task = pid_task(proc_pid(dir), PIDTYPE_PID);
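Review bot: Both added early exits use `return net;` and so depend on `net` still holding the `NULL` from its initializer a few lines up; `return NULL;` would say what is returned without the reader having to check that nothing assigned `net` in between. The `cred` local needs its own `#if` only to avoid an unused-variable warning; calling `current_fsuid()` directly in the two conditions would remove that block. The function body continues outside the hunk.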
50933 diff -urNp linux-2.6.32.49/fs/proc/proc_sysctl.c linux-2.6.32.49/fs/proc/proc_sysctl.c
50934 --- linux-2.6.32.49/fs/proc/proc_sysctl.c 2011-11-08 19:02:43.000000000 -0500
50935 +++ linux-2.6.32.49/fs/proc/proc_sysctl.c 2011-11-18 18:45:06.000000000 -0500
50936 @@ -7,11 +7,13 @@
50937 #include <linux/security.h>
50938 #include "internal.h"
50939
50940 +extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
50941 +
50942 static const struct dentry_operations proc_sys_dentry_operations;
50943 static const struct file_operations proc_sys_file_operations;
50944 -static const struct inode_operations proc_sys_inode_operations;
50945 +const struct inode_operations proc_sys_inode_operations;
50946 static const struct file_operations proc_sys_dir_file_operations;
50947 -static const struct inode_operations proc_sys_dir_operations;
50948 +const struct inode_operations proc_sys_dir_operations;
50949
50950 static struct inode *proc_sys_make_inode(struct super_block *sb,
50951 struct ctl_table_header *head, struct ctl_table *table)
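Review bot: `gr_handle_sysctl()` is declared with a local `extern` in this .c file, so the compiler never checks this prototype against the definition; it belongs in a header that the defining file also includes. `gr_handle_proc_create()`, used in later hunks of this file, has no declaration visible here and presumably comes from such a header already. Dropping `static` from `proc_sys_inode_operations` and `proc_sys_dir_operations` likewise needs a matching `extern const struct inode_operations ...;` in a shared header for the `i_op` comparison in fs/proc/inode.c. None is visible in the hunks shown, and fs/proc/internal.h, which this file includes, would be a natural place.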
50952 @@ -109,6 +111,9 @@ static struct dentry *proc_sys_lookup(st
50953 if (!p)
50954 goto out;
50955
50956 + if (gr_handle_sysctl(p, MAY_EXEC))
50957 + goto out;
50958 +
50959 err = ERR_PTR(-ENOMEM);
50960 inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
50961 if (h)
50962 @@ -119,6 +124,9 @@ static struct dentry *proc_sys_lookup(st
50963
50964 err = NULL;
50965 dentry->d_op = &proc_sys_dentry_operations;
50966 +
50967 + gr_handle_proc_create(dentry, inode);
50968 +
50969 d_add(dentry, inode);
50970
50971 out:
50972 @@ -200,6 +208,9 @@ static int proc_sys_fill_cache(struct fi
50973 return -ENOMEM;
50974 } else {
50975 child->d_op = &proc_sys_dentry_operations;
50976 +
50977 + gr_handle_proc_create(child, inode);
50978 +
50979 d_add(child, inode);
50980 }
50981 } else {
50982 @@ -228,6 +239,9 @@ static int scan(struct ctl_table_header
50983 if (*pos < file->f_pos)
50984 continue;
50985
50986 + if (gr_handle_sysctl(table, 0))
50987 + continue;
50988 +
50989 res = proc_sys_fill_cache(file, dirent, filldir, head, table);
50990 if (res)
50991 return res;
50992 @@ -344,6 +358,9 @@ static int proc_sys_getattr(struct vfsmo
50993 if (IS_ERR(head))
50994 return PTR_ERR(head);
50995
50996 + if (table && gr_handle_sysctl(table, MAY_EXEC))
50997 + return -ENOENT;
50998 +
50999 generic_fillattr(inode, stat);
51000 if (table)
51001 stat->mode = (stat->mode & S_IFMT) | table->mode;
51002 @@ -358,17 +375,18 @@ static const struct file_operations proc
51003 };
51004
51005 static const struct file_operations proc_sys_dir_file_operations = {
51006 + .read = generic_read_dir,
51007 .readdir = proc_sys_readdir,
51008 .llseek = generic_file_llseek,
51009 };
51010
51011 -static const struct inode_operations proc_sys_inode_operations = {
51012 +const struct inode_operations proc_sys_inode_operations = {
51013 .permission = proc_sys_permission,
51014 .setattr = proc_sys_setattr,
51015 .getattr = proc_sys_getattr,
51016 };
51017
51018 -static const struct inode_operations proc_sys_dir_operations = {
51019 +const struct inode_operations proc_sys_dir_operations = {
51020 .lookup = proc_sys_lookup,
51021 .permission = proc_sys_permission,
51022 .setattr = proc_sys_setattr,
51023 diff -urNp linux-2.6.32.49/fs/proc/root.c linux-2.6.32.49/fs/proc/root.c
51024 --- linux-2.6.32.49/fs/proc/root.c 2011-11-08 19:02:43.000000000 -0500
51025 +++ linux-2.6.32.49/fs/proc/root.c 2011-11-15 19:59:43.000000000 -0500
51026 @@ -134,7 +134,15 @@ void __init proc_root_init(void)
51027 #ifdef CONFIG_PROC_DEVICETREE
51028 proc_device_tree_init();
51029 #endif
51030 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
51031 +#ifdef CONFIG_GRKERNSEC_PROC_USER
51032 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
51033 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
51034 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
51035 +#endif
51036 +#else
51037 proc_mkdir("bus", NULL);
51038 +#endif
51039 proc_sys_init();
51040 }
51041
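Review bot: With `CONFIG_GRKERNSEC_PROC_ADD` set and neither `CONFIG_GRKERNSEC_PROC_USER` nor `CONFIG_GRKERNSEC_PROC_USERGROUP` defined, the inner `#ifdef`/`#elif` has no fallback and the `bus` directory is never created. Unless Kconfig (not visible here) makes that combination impossible, the inner block should end with `#else` followed by `proc_mkdir("bus", NULL);`, or with an `#error` naming the missing dependency. proc_root_init() begins outside the hunk.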
51042 diff -urNp linux-2.6.32.49/fs/proc/task_mmu.c linux-2.6.32.49/fs/proc/task_mmu.c
51043 --- linux-2.6.32.49/fs/proc/task_mmu.c 2011-11-08 19:02:43.000000000 -0500
51044 +++ linux-2.6.32.49/fs/proc/task_mmu.c 2011-11-15 19:59:43.000000000 -0500
51045 @@ -46,15 +46,26 @@ void task_mem(struct seq_file *m, struct
51046 "VmStk:\t%8lu kB\n"
51047 "VmExe:\t%8lu kB\n"
51048 "VmLib:\t%8lu kB\n"
51049 - "VmPTE:\t%8lu kB\n",
51050 - hiwater_vm << (PAGE_SHIFT-10),
51051 + "VmPTE:\t%8lu kB\n"
51052 +
51053 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
51054 + "CsBase:\t%8lx\nCsLim:\t%8lx\n"
51055 +#endif
51056 +
51057 + ,hiwater_vm << (PAGE_SHIFT-10),
51058 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
51059 mm->locked_vm << (PAGE_SHIFT-10),
51060 hiwater_rss << (PAGE_SHIFT-10),
51061 total_rss << (PAGE_SHIFT-10),
51062 data << (PAGE_SHIFT-10),
51063 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
51064 - (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10);
51065 + (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10
51066 +
51067 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
51068 + , mm->context.user_cs_base, mm->context.user_cs_limit
51069 +#endif
51070 +
51071 + );
51072 }
51073
51074 unsigned long task_vsize(struct mm_struct *mm)
51075 @@ -175,7 +186,8 @@ static void m_stop(struct seq_file *m, v
51076 struct proc_maps_private *priv = m->private;
51077 struct vm_area_struct *vma = v;
51078
51079 - vma_stop(priv, vma);
51080 + if (!IS_ERR(vma))
51081 + vma_stop(priv, vma);
51082 if (priv->task)
51083 put_task_struct(priv->task);
51084 }
51085 @@ -199,6 +211,12 @@ static int do_maps_open(struct inode *in
51086 return ret;
51087 }
51088
51089 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
51090 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
51091 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
51092 + _mm->pax_flags & MF_PAX_SEGMEXEC))
51093 +#endif
51094 +
51095 static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
51096 {
51097 struct mm_struct *mm = vma->vm_mm;
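Review bot: `PAX_RAND_FLAGS` uses its parameter unparenthesized and expands it four times, so it is only safe for simple, side-effect-free arguments such as the `mm` and `vma->vm_mm` it receives in this file. Parenthesizing the parameter and testing both flags with one mask is equivalent: `((_mm) != NULL && (_mm) != current->mm && ((_mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)))`. A one-line comment saying that the macro is true when `_mm` is not the reader's own mm and has either flag set would explain why the callers blank the addresses.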
51098 @@ -206,7 +224,6 @@ static void show_map_vma(struct seq_file
51099 int flags = vma->vm_flags;
51100 unsigned long ino = 0;
51101 unsigned long long pgoff = 0;
51102 - unsigned long start;
51103 dev_t dev = 0;
51104 int len;
51105
51106 @@ -217,20 +234,23 @@ static void show_map_vma(struct seq_file
51107 pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
51108 }
51109
51110 - /* We don't show the stack guard page in /proc/maps */
51111 - start = vma->vm_start;
51112 - if (vma->vm_flags & VM_GROWSDOWN)
51113 - if (!vma_stack_continue(vma->vm_prev, vma->vm_start))
51114 - start += PAGE_SIZE;
51115 -
51116 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
51117 - start,
51118 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
51119 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,
51120 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end,
51121 +#else
51122 + vma->vm_start,
51123 vma->vm_end,
51124 +#endif
51125 flags & VM_READ ? 'r' : '-',
51126 flags & VM_WRITE ? 'w' : '-',
51127 flags & VM_EXEC ? 'x' : '-',
51128 flags & VM_MAYSHARE ? 's' : 'p',
51129 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
51130 + PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
51131 +#else
51132 pgoff,
51133 +#endif
51134 MAJOR(dev), MINOR(dev), ino, &len);
51135
51136 /*
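Review bot: `PAX_RAND_FLAGS(mm) ? 0UL : pgoff` feeds a `%08llx` conversion, which is correct only because the conditional operator widens the result to the `unsigned long long` of `pgoff`; writing `0ULL` would make the argument type match the format on its face. The `#ifdef` blocks here also split a single argument list across preprocessor branches. The two show_smap() hunks below do the same, and there the `if (...) {` and its closing `}` sit in separate `#ifdef` blocks. Defining `PAX_RAND_FLAGS(_mm)` as `0` in an `#else` next to its definition would let every call site be written once without conditionals. show_map_vma() starts and ends outside the hunk.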
51137 @@ -239,7 +259,7 @@ static void show_map_vma(struct seq_file
51138 */
51139 if (file) {
51140 pad_len_spaces(m, len);
51141 - seq_path(m, &file->f_path, "\n");
51142 + seq_path(m, &file->f_path, "\n\\");
51143 } else {
51144 const char *name = arch_vma_name(vma);
51145 if (!name) {
51146 @@ -247,8 +267,9 @@ static void show_map_vma(struct seq_file
51147 if (vma->vm_start <= mm->brk &&
51148 vma->vm_end >= mm->start_brk) {
51149 name = "[heap]";
51150 - } else if (vma->vm_start <= mm->start_stack &&
51151 - vma->vm_end >= mm->start_stack) {
51152 + } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
51153 + (vma->vm_start <= mm->start_stack &&
51154 + vma->vm_end >= mm->start_stack)) {
51155 name = "[stack]";
51156 }
51157 } else {
51158 @@ -391,9 +412,16 @@ static int show_smap(struct seq_file *m,
51159 };
51160
51161 memset(&mss, 0, sizeof mss);
51162 - mss.vma = vma;
51163 - if (vma->vm_mm && !is_vm_hugetlb_page(vma))
51164 - walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
51165 +
51166 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
51167 + if (!PAX_RAND_FLAGS(vma->vm_mm)) {
51168 +#endif
51169 + mss.vma = vma;
51170 + if (vma->vm_mm && !is_vm_hugetlb_page(vma))
51171 + walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
51172 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
51173 + }
51174 +#endif
51175
51176 show_map_vma(m, vma);
51177
51178 @@ -409,7 +437,11 @@ static int show_smap(struct seq_file *m,
51179 "Swap: %8lu kB\n"
51180 "KernelPageSize: %8lu kB\n"
51181 "MMUPageSize: %8lu kB\n",
51182 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
51183 + PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
51184 +#else
51185 (vma->vm_end - vma->vm_start) >> 10,
51186 +#endif
51187 mss.resident >> 10,
51188 (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
51189 mss.shared_clean >> 10,
51190 diff -urNp linux-2.6.32.49/fs/proc/task_nommu.c linux-2.6.32.49/fs/proc/task_nommu.c
51191 --- linux-2.6.32.49/fs/proc/task_nommu.c 2011-11-08 19:02:43.000000000 -0500
51192 +++ linux-2.6.32.49/fs/proc/task_nommu.c 2011-11-15 19:59:43.000000000 -0500
51193 @@ -50,7 +50,7 @@ void task_mem(struct seq_file *m, struct
51194 else
51195 bytes += kobjsize(mm);
51196
51197 - if (current->fs && current->fs->users > 1)
51198 + if (current->fs && atomic_read(&current->fs->users) > 1)
51199 sbytes += kobjsize(current->fs);
51200 else
51201 bytes += kobjsize(current->fs);
51202 @@ -154,7 +154,7 @@ static int nommu_vma_show(struct seq_fil
51203 if (len < 1)
51204 len = 1;
51205 seq_printf(m, "%*c", len, ' ');
51206 - seq_path(m, &file->f_path, "");
51207 + seq_path(m, &file->f_path, "\n\\");
51208 }
51209
51210 seq_putc(m, '\n');
51211 diff -urNp linux-2.6.32.49/fs/readdir.c linux-2.6.32.49/fs/readdir.c
51212 --- linux-2.6.32.49/fs/readdir.c 2011-11-08 19:02:43.000000000 -0500
51213 +++ linux-2.6.32.49/fs/readdir.c 2011-11-15 19:59:43.000000000 -0500
51214 @@ -16,6 +16,7 @@
51215 #include <linux/security.h>
51216 #include <linux/syscalls.h>
51217 #include <linux/unistd.h>
51218 +#include <linux/namei.h>
51219
51220 #include <asm/uaccess.h>
51221
51222 @@ -67,6 +68,7 @@ struct old_linux_dirent {
51223
51224 struct readdir_callback {
51225 struct old_linux_dirent __user * dirent;
51226 + struct file * file;
51227 int result;
51228 };
51229
51230 @@ -84,6 +86,10 @@ static int fillonedir(void * __buf, cons
51231 buf->result = -EOVERFLOW;
51232 return -EOVERFLOW;
51233 }
51234 +
51235 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
51236 + return 0;
51237 +
51238 buf->result++;
51239 dirent = buf->dirent;
51240 if (!access_ok(VERIFY_WRITE, dirent,
51241 @@ -116,6 +122,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned in
51242
51243 buf.result = 0;
51244 buf.dirent = dirent;
51245 + buf.file = file;
51246
51247 error = vfs_readdir(file, fillonedir, &buf);
51248 if (buf.result)
51249 @@ -142,6 +149,7 @@ struct linux_dirent {
51250 struct getdents_callback {
51251 struct linux_dirent __user * current_dir;
51252 struct linux_dirent __user * previous;
51253 + struct file * file;
51254 int count;
51255 int error;
51256 };
51257 @@ -162,6 +170,10 @@ static int filldir(void * __buf, const c
51258 buf->error = -EOVERFLOW;
51259 return -EOVERFLOW;
51260 }
51261 +
51262 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
51263 + return 0;
51264 +
51265 dirent = buf->previous;
51266 if (dirent) {
51267 if (__put_user(offset, &dirent->d_off))
51268 @@ -209,6 +221,7 @@ SYSCALL_DEFINE3(getdents, unsigned int,
51269 buf.previous = NULL;
51270 buf.count = count;
51271 buf.error = 0;
51272 + buf.file = file;
51273
51274 error = vfs_readdir(file, filldir, &buf);
51275 if (error >= 0)
51276 @@ -228,6 +241,7 @@ out:
51277 struct getdents_callback64 {
51278 struct linux_dirent64 __user * current_dir;
51279 struct linux_dirent64 __user * previous;
51280 + struct file *file;
51281 int count;
51282 int error;
51283 };
51284 @@ -242,6 +256,10 @@ static int filldir64(void * __buf, const
51285 buf->error = -EINVAL; /* only used if we fail.. */
51286 if (reclen > buf->count)
51287 return -EINVAL;
51288 +
51289 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
51290 + return 0;
51291 +
51292 dirent = buf->previous;
51293 if (dirent) {
51294 if (__put_user(offset, &dirent->d_off))
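Review bot: The added `return 0` for a hidden entry comes after `buf->error = -EINVAL;`, so a call in which every remaining entry is filtered out leaves `buf.error` at -EINVAL with `buf.previous` still NULL. getdents64() then appears to return -EINVAL instead of 0 at end of directory; its `error = buf.error;` is visible in a later hunk, but the lines guarding it are not. Running the filter first avoids this: move `if (!gr_acl_handle_filldir(buf->file, name, namlen, ino)) return 0;` above `buf->error = -EINVAL;`. The filldir() hunk has the same placement, though its -EINVAL assignment lies outside that hunk. filldir64() starts and ends outside the hunk.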
51295 @@ -289,6 +307,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
51296
51297 buf.current_dir = dirent;
51298 buf.previous = NULL;
51299 + buf.file = file;
51300 buf.count = count;
51301 buf.error = 0;
51302
51303 @@ -297,7 +316,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
51304 error = buf.error;
51305 lastdirent = buf.previous;
51306 if (lastdirent) {
51307 - typeof(lastdirent->d_off) d_off = file->f_pos;
51308 + typeof(((struct linux_dirent64 *)0)->d_off) d_off = file->f_pos;
51309 if (__put_user(d_off, &lastdirent->d_off))
51310 error = -EFAULT;
51311 else
51312 diff -urNp linux-2.6.32.49/fs/reiserfs/dir.c linux-2.6.32.49/fs/reiserfs/dir.c
51313 --- linux-2.6.32.49/fs/reiserfs/dir.c 2011-11-08 19:02:43.000000000 -0500
51314 +++ linux-2.6.32.49/fs/reiserfs/dir.c 2011-11-15 19:59:43.000000000 -0500
51315 @@ -66,6 +66,8 @@ int reiserfs_readdir_dentry(struct dentr
51316 struct reiserfs_dir_entry de;
51317 int ret = 0;
51318
51319 + pax_track_stack();
51320 +
51321 reiserfs_write_lock(inode->i_sb);
51322
51323 reiserfs_check_lock_depth(inode->i_sb, "readdir");
51324 diff -urNp linux-2.6.32.49/fs/reiserfs/do_balan.c linux-2.6.32.49/fs/reiserfs/do_balan.c
51325 --- linux-2.6.32.49/fs/reiserfs/do_balan.c 2011-11-08 19:02:43.000000000 -0500
51326 +++ linux-2.6.32.49/fs/reiserfs/do_balan.c 2011-11-15 19:59:43.000000000 -0500
51327 @@ -2058,7 +2058,7 @@ void do_balance(struct tree_balance *tb,
51328 return;
51329 }
51330
51331 - atomic_inc(&(fs_generation(tb->tb_sb)));
51332 + atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
51333 do_balance_starts(tb);
51334
51335 /* balance leaf returns 0 except if combining L R and S into
51336 diff -urNp linux-2.6.32.49/fs/reiserfs/item_ops.c linux-2.6.32.49/fs/reiserfs/item_ops.c
51337 --- linux-2.6.32.49/fs/reiserfs/item_ops.c 2011-11-08 19:02:43.000000000 -0500
51338 +++ linux-2.6.32.49/fs/reiserfs/item_ops.c 2011-11-15 19:59:43.000000000 -0500
51339 @@ -102,7 +102,7 @@ static void sd_print_vi(struct virtual_i
51340 vi->vi_index, vi->vi_type, vi->vi_ih);
51341 }
51342
51343 -static struct item_operations stat_data_ops = {
51344 +static const struct item_operations stat_data_ops = {
51345 .bytes_number = sd_bytes_number,
51346 .decrement_key = sd_decrement_key,
51347 .is_left_mergeable = sd_is_left_mergeable,
51348 @@ -196,7 +196,7 @@ static void direct_print_vi(struct virtu
51349 vi->vi_index, vi->vi_type, vi->vi_ih);
51350 }
51351
51352 -static struct item_operations direct_ops = {
51353 +static const struct item_operations direct_ops = {
51354 .bytes_number = direct_bytes_number,
51355 .decrement_key = direct_decrement_key,
51356 .is_left_mergeable = direct_is_left_mergeable,
51357 @@ -341,7 +341,7 @@ static void indirect_print_vi(struct vir
51358 vi->vi_index, vi->vi_type, vi->vi_ih);
51359 }
51360
51361 -static struct item_operations indirect_ops = {
51362 +static const struct item_operations indirect_ops = {
51363 .bytes_number = indirect_bytes_number,
51364 .decrement_key = indirect_decrement_key,
51365 .is_left_mergeable = indirect_is_left_mergeable,
51366 @@ -628,7 +628,7 @@ static void direntry_print_vi(struct vir
51367 printk("\n");
51368 }
51369
51370 -static struct item_operations direntry_ops = {
51371 +static const struct item_operations direntry_ops = {
51372 .bytes_number = direntry_bytes_number,
51373 .decrement_key = direntry_decrement_key,
51374 .is_left_mergeable = direntry_is_left_mergeable,
51375 @@ -724,7 +724,7 @@ static void errcatch_print_vi(struct vir
51376 "Invalid item type observed, run fsck ASAP");
51377 }
51378
51379 -static struct item_operations errcatch_ops = {
51380 +static const struct item_operations errcatch_ops = {
51381 errcatch_bytes_number,
51382 errcatch_decrement_key,
51383 errcatch_is_left_mergeable,
51384 @@ -746,7 +746,7 @@ static struct item_operations errcatch_o
51385 #error Item types must use disk-format assigned values.
51386 #endif
51387
51388 -struct item_operations *item_ops[TYPE_ANY + 1] = {
51389 +const struct item_operations * const item_ops[TYPE_ANY + 1] = {
51390 &stat_data_ops,
51391 &indirect_ops,
51392 &direct_ops,
51393 diff -urNp linux-2.6.32.49/fs/reiserfs/journal.c linux-2.6.32.49/fs/reiserfs/journal.c
51394 --- linux-2.6.32.49/fs/reiserfs/journal.c 2011-11-08 19:02:43.000000000 -0500
51395 +++ linux-2.6.32.49/fs/reiserfs/journal.c 2011-11-15 19:59:43.000000000 -0500
51396 @@ -2329,6 +2329,8 @@ static struct buffer_head *reiserfs_brea
51397 struct buffer_head *bh;
51398 int i, j;
51399
51400 + pax_track_stack();
51401 +
51402 bh = __getblk(dev, block, bufsize);
51403 if (buffer_uptodate(bh))
51404 return (bh);
51405 diff -urNp linux-2.6.32.49/fs/reiserfs/namei.c linux-2.6.32.49/fs/reiserfs/namei.c
51406 --- linux-2.6.32.49/fs/reiserfs/namei.c 2011-11-08 19:02:43.000000000 -0500
51407 +++ linux-2.6.32.49/fs/reiserfs/namei.c 2011-11-15 19:59:43.000000000 -0500
51408 @@ -1214,6 +1214,8 @@ static int reiserfs_rename(struct inode
51409 unsigned long savelink = 1;
51410 struct timespec ctime;
51411
51412 + pax_track_stack();
51413 +
51414 /* three balancings: (1) old name removal, (2) new name insertion
51415 and (3) maybe "save" link insertion
51416 stat data updates: (1) old directory,
51417 diff -urNp linux-2.6.32.49/fs/reiserfs/procfs.c linux-2.6.32.49/fs/reiserfs/procfs.c
51418 --- linux-2.6.32.49/fs/reiserfs/procfs.c 2011-11-08 19:02:43.000000000 -0500
51419 +++ linux-2.6.32.49/fs/reiserfs/procfs.c 2011-11-15 19:59:43.000000000 -0500
51420 @@ -123,7 +123,7 @@ static int show_super(struct seq_file *m
51421 "SMALL_TAILS " : "NO_TAILS ",
51422 replay_only(sb) ? "REPLAY_ONLY " : "",
51423 convert_reiserfs(sb) ? "CONV " : "",
51424 - atomic_read(&r->s_generation_counter),
51425 + atomic_read_unchecked(&r->s_generation_counter),
51426 SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
51427 SF(s_do_balance), SF(s_unneeded_left_neighbor),
51428 SF(s_good_search_by_key_reada), SF(s_bmaps),
51429 @@ -309,6 +309,8 @@ static int show_journal(struct seq_file
51430 struct journal_params *jp = &rs->s_v1.s_journal;
51431 char b[BDEVNAME_SIZE];
51432
51433 + pax_track_stack();
51434 +
51435 seq_printf(m, /* on-disk fields */
51436 "jp_journal_1st_block: \t%i\n"
51437 "jp_journal_dev: \t%s[%x]\n"
51438 diff -urNp linux-2.6.32.49/fs/reiserfs/stree.c linux-2.6.32.49/fs/reiserfs/stree.c
51439 --- linux-2.6.32.49/fs/reiserfs/stree.c 2011-11-08 19:02:43.000000000 -0500
51440 +++ linux-2.6.32.49/fs/reiserfs/stree.c 2011-11-15 19:59:43.000000000 -0500
51441 @@ -1159,6 +1159,8 @@ int reiserfs_delete_item(struct reiserfs
51442 int iter = 0;
51443 #endif
51444
51445 + pax_track_stack();
51446 +
51447 BUG_ON(!th->t_trans_id);
51448
51449 init_tb_struct(th, &s_del_balance, sb, path,
51450 @@ -1296,6 +1298,8 @@ void reiserfs_delete_solid_item(struct r
51451 int retval;
51452 int quota_cut_bytes = 0;
51453
51454 + pax_track_stack();
51455 +
51456 BUG_ON(!th->t_trans_id);
51457
51458 le_key2cpu_key(&cpu_key, key);
51459 @@ -1525,6 +1529,8 @@ int reiserfs_cut_from_item(struct reiser
51460 int quota_cut_bytes;
51461 loff_t tail_pos = 0;
51462
51463 + pax_track_stack();
51464 +
51465 BUG_ON(!th->t_trans_id);
51466
51467 init_tb_struct(th, &s_cut_balance, inode->i_sb, path,
51468 @@ -1920,6 +1926,8 @@ int reiserfs_paste_into_item(struct reis
51469 int retval;
51470 int fs_gen;
51471
51472 + pax_track_stack();
51473 +
51474 BUG_ON(!th->t_trans_id);
51475
51476 fs_gen = get_generation(inode->i_sb);
51477 @@ -2007,6 +2015,8 @@ int reiserfs_insert_item(struct reiserfs
51478 int fs_gen = 0;
51479 int quota_bytes = 0;
51480
51481 + pax_track_stack();
51482 +
51483 BUG_ON(!th->t_trans_id);
51484
51485 if (inode) { /* Do we count quotas for item? */
51486 diff -urNp linux-2.6.32.49/fs/reiserfs/super.c linux-2.6.32.49/fs/reiserfs/super.c
51487 --- linux-2.6.32.49/fs/reiserfs/super.c 2011-11-08 19:02:43.000000000 -0500
51488 +++ linux-2.6.32.49/fs/reiserfs/super.c 2011-11-15 19:59:43.000000000 -0500
51489 @@ -912,6 +912,8 @@ static int reiserfs_parse_options(struct
51490 {.option_name = NULL}
51491 };
51492
51493 + pax_track_stack();
51494 +
51495 *blocks = 0;
51496 if (!options || !*options)
51497 /* use default configuration: create tails, journaling on, no
51498 diff -urNp linux-2.6.32.49/fs/select.c linux-2.6.32.49/fs/select.c
51499 --- linux-2.6.32.49/fs/select.c 2011-11-08 19:02:43.000000000 -0500
51500 +++ linux-2.6.32.49/fs/select.c 2011-11-15 19:59:43.000000000 -0500
51501 @@ -20,6 +20,7 @@
51502 #include <linux/module.h>
51503 #include <linux/slab.h>
51504 #include <linux/poll.h>
51505 +#include <linux/security.h>
51506 #include <linux/personality.h> /* for STICKY_TIMEOUTS */
51507 #include <linux/file.h>
51508 #include <linux/fdtable.h>
51509 @@ -401,6 +402,8 @@ int do_select(int n, fd_set_bits *fds, s
51510 int retval, i, timed_out = 0;
51511 unsigned long slack = 0;
51512
51513 + pax_track_stack();
51514 +
51515 rcu_read_lock();
51516 retval = max_select_fd(n, fds);
51517 rcu_read_unlock();
51518 @@ -529,6 +532,8 @@ int core_sys_select(int n, fd_set __user
51519 /* Allocate small arguments on the stack to save memory and be faster */
51520 long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
51521
51522 + pax_track_stack();
51523 +
51524 ret = -EINVAL;
51525 if (n < 0)
51526 goto out_nofds;
51527 @@ -821,6 +826,9 @@ int do_sys_poll(struct pollfd __user *uf
51528 struct poll_list *walk = head;
51529 unsigned long todo = nfds;
51530
51531 + pax_track_stack();
51532 +
51533 + gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
51534 if (nfds > current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
51535 return -EINVAL;
51536
51537 diff -urNp linux-2.6.32.49/fs/seq_file.c linux-2.6.32.49/fs/seq_file.c
51538 --- linux-2.6.32.49/fs/seq_file.c 2011-11-08 19:02:43.000000000 -0500
51539 +++ linux-2.6.32.49/fs/seq_file.c 2011-11-15 19:59:43.000000000 -0500
51540 @@ -76,7 +76,8 @@ static int traverse(struct seq_file *m,
51541 return 0;
51542 }
51543 if (!m->buf) {
51544 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
51545 + m->size = PAGE_SIZE;
51546 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
51547 if (!m->buf)
51548 return -ENOMEM;
51549 }
51550 @@ -116,7 +117,8 @@ static int traverse(struct seq_file *m,
51551 Eoverflow:
51552 m->op->stop(m, p);
51553 kfree(m->buf);
51554 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
51555 + m->size <<= 1;
51556 + m->buf = kmalloc(m->size, GFP_KERNEL);
51557 return !m->buf ? -ENOMEM : -EAGAIN;
51558 }
51559
51560 @@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char
51561 m->version = file->f_version;
51562 /* grab buffer if we didn't have one */
51563 if (!m->buf) {
51564 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
51565 + m->size = PAGE_SIZE;
51566 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
51567 if (!m->buf)
51568 goto Enomem;
51569 }
51570 @@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char
51571 goto Fill;
51572 m->op->stop(m, p);
51573 kfree(m->buf);
51574 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
51575 + m->size <<= 1;
51576 + m->buf = kmalloc(m->size, GFP_KERNEL);
51577 if (!m->buf)
51578 goto Enomem;
51579 m->count = 0;
51580 @@ -551,7 +555,7 @@ static void single_stop(struct seq_file
51581 int single_open(struct file *file, int (*show)(struct seq_file *, void *),
51582 void *data)
51583 {
51584 - struct seq_operations *op = kmalloc(sizeof(*op), GFP_KERNEL);
51585 + seq_operations_no_const *op = kmalloc(sizeof(*op), GFP_KERNEL);
51586 int res = -ENOMEM;
51587
51588 if (op) {
51589 diff -urNp linux-2.6.32.49/fs/smbfs/proc.c linux-2.6.32.49/fs/smbfs/proc.c
51590 --- linux-2.6.32.49/fs/smbfs/proc.c 2011-11-08 19:02:43.000000000 -0500
51591 +++ linux-2.6.32.49/fs/smbfs/proc.c 2011-11-15 19:59:43.000000000 -0500
51592 @@ -266,9 +266,9 @@ int smb_setcodepage(struct smb_sb_info *
51593
51594 out:
51595 if (server->local_nls != NULL && server->remote_nls != NULL)
51596 - server->ops->convert = convert_cp;
51597 + *(void **)&server->ops->convert = convert_cp;
51598 else
51599 - server->ops->convert = convert_memcpy;
51600 + *(void **)&server->ops->convert = convert_memcpy;
51601
51602 smb_unlock_server(server);
51603 return n;
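Review bot: Writing the handler through `*(void **)&server->ops->convert` bypasses the type check on the assignment, so a function with the wrong signature would now compile silently, and storing a function pointer through `void *` is outside ISO C. A comment should say why the cast is needed, presumably because `struct smb_ops` is made const elsewhere in this patch, and that `server->ops` must point at writable memory. The two `getattr` assignments in the next hunk and the `(void *)dst` cast in install_ops() need the same note. A small helper that takes the exact function-pointer type and performs the cast in one place would keep the compiler's check at the call sites.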
51604 @@ -933,9 +933,9 @@ smb_newconn(struct smb_sb_info *server,
51605
51606 /* FIXME: the win9x code wants to modify these ... (seek/trunc bug) */
51607 if (server->mnt->flags & SMB_MOUNT_OLDATTR) {
51608 - server->ops->getattr = smb_proc_getattr_core;
51609 + *(void **)&server->ops->getattr = smb_proc_getattr_core;
51610 } else if (server->mnt->flags & SMB_MOUNT_DIRATTR) {
51611 - server->ops->getattr = smb_proc_getattr_ff;
51612 + *(void **)&server->ops->getattr = smb_proc_getattr_ff;
51613 }
51614
51615 /* Decode server capabilities */
51616 @@ -3439,7 +3439,7 @@ out:
51617 static void
51618 install_ops(struct smb_ops *dst, struct smb_ops *src)
51619 {
51620 - memcpy(dst, src, sizeof(void *) * SMB_OPS_NUM_STATIC);
51621 + memcpy((void *)dst, src, sizeof(void *) * SMB_OPS_NUM_STATIC);
51622 }
51623
51624 /* < LANMAN2 */
51625 diff -urNp linux-2.6.32.49/fs/smbfs/symlink.c linux-2.6.32.49/fs/smbfs/symlink.c
51626 --- linux-2.6.32.49/fs/smbfs/symlink.c 2011-11-08 19:02:43.000000000 -0500
51627 +++ linux-2.6.32.49/fs/smbfs/symlink.c 2011-11-15 19:59:43.000000000 -0500
51628 @@ -55,7 +55,7 @@ static void *smb_follow_link(struct dent
51629
51630 static void smb_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
51631 {
51632 - char *s = nd_get_link(nd);
51633 + const char *s = nd_get_link(nd);
51634 if (!IS_ERR(s))
51635 __putname(s);
51636 }
51637 diff -urNp linux-2.6.32.49/fs/splice.c linux-2.6.32.49/fs/splice.c
51638 --- linux-2.6.32.49/fs/splice.c 2011-11-08 19:02:43.000000000 -0500
51639 +++ linux-2.6.32.49/fs/splice.c 2011-11-15 19:59:43.000000000 -0500
51640 @@ -185,7 +185,7 @@ ssize_t splice_to_pipe(struct pipe_inode
51641 pipe_lock(pipe);
51642
51643 for (;;) {
51644 - if (!pipe->readers) {
51645 + if (!atomic_read(&pipe->readers)) {
51646 send_sig(SIGPIPE, current, 0);
51647 if (!ret)
51648 ret = -EPIPE;
51649 @@ -239,9 +239,9 @@ ssize_t splice_to_pipe(struct pipe_inode
51650 do_wakeup = 0;
51651 }
51652
51653 - pipe->waiting_writers++;
51654 + atomic_inc(&pipe->waiting_writers);
51655 pipe_wait(pipe);
51656 - pipe->waiting_writers--;
51657 + atomic_dec(&pipe->waiting_writers);
51658 }
51659
51660 pipe_unlock(pipe);
51661 @@ -285,6 +285,8 @@ __generic_file_splice_read(struct file *
51662 .spd_release = spd_release_page,
51663 };
51664
51665 + pax_track_stack();
51666 +
51667 index = *ppos >> PAGE_CACHE_SHIFT;
51668 loff = *ppos & ~PAGE_CACHE_MASK;
51669 req_pages = (len + loff + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT;
51670 @@ -521,7 +523,7 @@ static ssize_t kernel_readv(struct file
51671 old_fs = get_fs();
51672 set_fs(get_ds());
51673 /* The cast to a user pointer is valid due to the set_fs() */
51674 - res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
51675 + res = vfs_readv(file, (const struct iovec __force_user *)vec, vlen, &pos);
51676 set_fs(old_fs);
51677
51678 return res;
51679 @@ -536,7 +538,7 @@ static ssize_t kernel_write(struct file
51680 old_fs = get_fs();
51681 set_fs(get_ds());
51682 /* The cast to a user pointer is valid due to the set_fs() */
51683 - res = vfs_write(file, (const char __user *)buf, count, &pos);
51684 + res = vfs_write(file, (const char __force_user *)buf, count, &pos);
51685 set_fs(old_fs);
51686
51687 return res;
51688 @@ -565,6 +567,8 @@ ssize_t default_file_splice_read(struct
51689 .spd_release = spd_release_page,
51690 };
51691
51692 + pax_track_stack();
51693 +
51694 index = *ppos >> PAGE_CACHE_SHIFT;
51695 offset = *ppos & ~PAGE_CACHE_MASK;
51696 nr_pages = (len + offset + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT;
51697 @@ -578,7 +582,7 @@ ssize_t default_file_splice_read(struct
51698 goto err;
51699
51700 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
51701 - vec[i].iov_base = (void __user *) page_address(page);
51702 + vec[i].iov_base = (__force void __user *) page_address(page);
51703 vec[i].iov_len = this_len;
51704 pages[i] = page;
51705 spd.nr_pages++;
51706 @@ -800,10 +804,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
51707 int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
51708 {
51709 while (!pipe->nrbufs) {
51710 - if (!pipe->writers)
51711 + if (!atomic_read(&pipe->writers))
51712 return 0;
51713
51714 - if (!pipe->waiting_writers && sd->num_spliced)
51715 + if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
51716 return 0;
51717
51718 if (sd->flags & SPLICE_F_NONBLOCK)
51719 @@ -1140,7 +1144,7 @@ ssize_t splice_direct_to_actor(struct fi
51720 * out of the pipe right after the splice_to_pipe(). So set
51721 * PIPE_READERS appropriately.
51722 */
51723 - pipe->readers = 1;
51724 + atomic_set(&pipe->readers, 1);
51725
51726 current->splice_pipe = pipe;
51727 }
51728 @@ -1593,6 +1597,8 @@ static long vmsplice_to_pipe(struct file
51729 .spd_release = spd_release_page,
51730 };
51731
51732 + pax_track_stack();
51733 +
51734 pipe = pipe_info(file->f_path.dentry->d_inode);
51735 if (!pipe)
51736 return -EBADF;
51737 @@ -1701,9 +1707,9 @@ static int ipipe_prep(struct pipe_inode_
51738 ret = -ERESTARTSYS;
51739 break;
51740 }
51741 - if (!pipe->writers)
51742 + if (!atomic_read(&pipe->writers))
51743 break;
51744 - if (!pipe->waiting_writers) {
51745 + if (!atomic_read(&pipe->waiting_writers)) {
51746 if (flags & SPLICE_F_NONBLOCK) {
51747 ret = -EAGAIN;
51748 break;
51749 @@ -1735,7 +1741,7 @@ static int opipe_prep(struct pipe_inode_
51750 pipe_lock(pipe);
51751
51752 while (pipe->nrbufs >= PIPE_BUFFERS) {
51753 - if (!pipe->readers) {
51754 + if (!atomic_read(&pipe->readers)) {
51755 send_sig(SIGPIPE, current, 0);
51756 ret = -EPIPE;
51757 break;
51758 @@ -1748,9 +1754,9 @@ static int opipe_prep(struct pipe_inode_
51759 ret = -ERESTARTSYS;
51760 break;
51761 }
51762 - pipe->waiting_writers++;
51763 + atomic_inc(&pipe->waiting_writers);
51764 pipe_wait(pipe);
51765 - pipe->waiting_writers--;
51766 + atomic_dec(&pipe->waiting_writers);
51767 }
51768
51769 pipe_unlock(pipe);
51770 @@ -1786,14 +1792,14 @@ retry:
51771 pipe_double_lock(ipipe, opipe);
51772
51773 do {
51774 - if (!opipe->readers) {
51775 + if (!atomic_read(&opipe->readers)) {
51776 send_sig(SIGPIPE, current, 0);
51777 if (!ret)
51778 ret = -EPIPE;
51779 break;
51780 }
51781
51782 - if (!ipipe->nrbufs && !ipipe->writers)
51783 + if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
51784 break;
51785
51786 /*
51787 @@ -1893,7 +1899,7 @@ static int link_pipe(struct pipe_inode_i
51788 pipe_double_lock(ipipe, opipe);
51789
51790 do {
51791 - if (!opipe->readers) {
51792 + if (!atomic_read(&opipe->readers)) {
51793 send_sig(SIGPIPE, current, 0);
51794 if (!ret)
51795 ret = -EPIPE;
51796 @@ -1938,7 +1944,7 @@ static int link_pipe(struct pipe_inode_i
51797 * return EAGAIN if we have the potential of some data in the
51798 * future, otherwise just return 0
51799 */
51800 - if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
51801 + if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
51802 ret = -EAGAIN;
51803
51804 pipe_unlock(ipipe);
51805 diff -urNp linux-2.6.32.49/fs/sysfs/file.c linux-2.6.32.49/fs/sysfs/file.c
51806 --- linux-2.6.32.49/fs/sysfs/file.c 2011-11-08 19:02:43.000000000 -0500
51807 +++ linux-2.6.32.49/fs/sysfs/file.c 2011-11-15 19:59:43.000000000 -0500
51808 @@ -44,7 +44,7 @@ static DEFINE_SPINLOCK(sysfs_open_dirent
51809
51810 struct sysfs_open_dirent {
51811 atomic_t refcnt;
51812 - atomic_t event;
51813 + atomic_unchecked_t event;
51814 wait_queue_head_t poll;
51815 struct list_head buffers; /* goes through sysfs_buffer.list */
51816 };
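Review bot: The switch of `event` to `atomic_unchecked_t` is undocumented, while `refcnt` directly above it stays a plain `atomic_t`. The later hunks in this file only increment `event` and compare it for inequality against `buffer->event`, so wraparound looks harmless, but a reader cannot tell that from the struct alone. I would add `/* change counter, compared for inequality only; wraparound is harmless */` on the `event` line, so nobody later applies the same conversion to `refcnt` by analogy.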
51817 @@ -53,7 +53,7 @@ struct sysfs_buffer {
51818 size_t count;
51819 loff_t pos;
51820 char * page;
51821 - struct sysfs_ops * ops;
51822 + const struct sysfs_ops * ops;
51823 struct mutex mutex;
51824 int needs_read_fill;
51825 int event;
51826 @@ -75,7 +75,7 @@ static int fill_read_buffer(struct dentr
51827 {
51828 struct sysfs_dirent *attr_sd = dentry->d_fsdata;
51829 struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
51830 - struct sysfs_ops * ops = buffer->ops;
51831 + const struct sysfs_ops * ops = buffer->ops;
51832 int ret = 0;
51833 ssize_t count;
51834
51835 @@ -88,7 +88,7 @@ static int fill_read_buffer(struct dentr
51836 if (!sysfs_get_active_two(attr_sd))
51837 return -ENODEV;
51838
51839 - buffer->event = atomic_read(&attr_sd->s_attr.open->event);
51840 + buffer->event = atomic_read_unchecked(&attr_sd->s_attr.open->event);
51841 count = ops->show(kobj, attr_sd->s_attr.attr, buffer->page);
51842
51843 sysfs_put_active_two(attr_sd);
51844 @@ -199,7 +199,7 @@ flush_write_buffer(struct dentry * dentr
51845 {
51846 struct sysfs_dirent *attr_sd = dentry->d_fsdata;
51847 struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
51848 - struct sysfs_ops * ops = buffer->ops;
51849 + const struct sysfs_ops * ops = buffer->ops;
51850 int rc;
51851
51852 /* need attr_sd for attr and ops, its parent for kobj */
51853 @@ -294,7 +294,7 @@ static int sysfs_get_open_dirent(struct
51854 return -ENOMEM;
51855
51856 atomic_set(&new_od->refcnt, 0);
51857 - atomic_set(&new_od->event, 1);
51858 + atomic_set_unchecked(&new_od->event, 1);
51859 init_waitqueue_head(&new_od->poll);
51860 INIT_LIST_HEAD(&new_od->buffers);
51861 goto retry;
51862 @@ -335,7 +335,7 @@ static int sysfs_open_file(struct inode
51863 struct sysfs_dirent *attr_sd = file->f_path.dentry->d_fsdata;
51864 struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
51865 struct sysfs_buffer *buffer;
51866 - struct sysfs_ops *ops;
51867 + const struct sysfs_ops *ops;
51868 int error = -EACCES;
51869 char *p;
51870
51871 @@ -444,7 +444,7 @@ static unsigned int sysfs_poll(struct fi
51872
51873 sysfs_put_active_two(attr_sd);
51874
51875 - if (buffer->event != atomic_read(&od->event))
51876 + if (buffer->event != atomic_read_unchecked(&od->event))
51877 goto trigger;
51878
51879 return DEFAULT_POLLMASK;
51880 @@ -463,7 +463,7 @@ void sysfs_notify_dirent(struct sysfs_di
51881
51882 od = sd->s_attr.open;
51883 if (od) {
51884 - atomic_inc(&od->event);
51885 + atomic_inc_unchecked(&od->event);
51886 wake_up_interruptible(&od->poll);
51887 }
51888
51889 diff -urNp linux-2.6.32.49/fs/sysfs/mount.c linux-2.6.32.49/fs/sysfs/mount.c
51890 --- linux-2.6.32.49/fs/sysfs/mount.c 2011-11-08 19:02:43.000000000 -0500
51891 +++ linux-2.6.32.49/fs/sysfs/mount.c 2011-11-15 19:59:43.000000000 -0500
51892 @@ -36,7 +36,11 @@ struct sysfs_dirent sysfs_root = {
51893 .s_name = "",
51894 .s_count = ATOMIC_INIT(1),
51895 .s_flags = SYSFS_DIR,
51896 +#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
51897 + .s_mode = S_IFDIR | S_IRWXU,
51898 +#else
51899 .s_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
51900 +#endif
51901 .s_ino = 1,
51902 };
51903
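Review bot: The `#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT` branch has no comment on what the narrower mode means for users of the tree. With `.s_mode = S_IFDIR | S_IRWXU` the sysfs root is owner-only, so presumably nothing below it can be reached by other users, whatever the modes of individual attributes. I would add `/* owner-only root: no other user can traverse into sysfs */` above the restricted initializer, so the effect is visible without reading the Kconfig help.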
51904 diff -urNp linux-2.6.32.49/fs/sysfs/symlink.c linux-2.6.32.49/fs/sysfs/symlink.c
51905 --- linux-2.6.32.49/fs/sysfs/symlink.c 2011-11-08 19:02:43.000000000 -0500
51906 +++ linux-2.6.32.49/fs/sysfs/symlink.c 2011-11-15 19:59:43.000000000 -0500
51907 @@ -204,7 +204,7 @@ static void *sysfs_follow_link(struct de
51908
51909 static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
51910 {
51911 - char *page = nd_get_link(nd);
51912 + const char *page = nd_get_link(nd);
51913 if (!IS_ERR(page))
51914 free_page((unsigned long)page);
51915 }
51916 diff -urNp linux-2.6.32.49/fs/udf/balloc.c linux-2.6.32.49/fs/udf/balloc.c
51917 --- linux-2.6.32.49/fs/udf/balloc.c 2011-11-08 19:02:43.000000000 -0500
51918 +++ linux-2.6.32.49/fs/udf/balloc.c 2011-11-15 19:59:43.000000000 -0500
51919 @@ -172,9 +172,7 @@ static void udf_bitmap_free_blocks(struc
51920
51921 mutex_lock(&sbi->s_alloc_mutex);
51922 partmap = &sbi->s_partmaps[bloc->partitionReferenceNum];
51923 - if (bloc->logicalBlockNum < 0 ||
51924 - (bloc->logicalBlockNum + count) >
51925 - partmap->s_partition_len) {
51926 + if ((bloc->logicalBlockNum + count) > partmap->s_partition_len) {
51927 udf_debug("%d < %d || %d + %d > %d\n",
51928 bloc->logicalBlockNum, 0, bloc->logicalBlockNum,
51929 count, partmap->s_partition_len);
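Review bot: With the `< 0` test gone, `(bloc->logicalBlockNum + count) > partmap->s_partition_len` is the only bound left, and the sum can wrap if both operands are unsigned 32-bit values (the removal of the sign test suggests so, but the declarations are outside the hunk). A wrapped sum passes the check with a block range that lies far outside the partition. The addition should be guarded too, e.g. `if (bloc->logicalBlockNum + count < count || (bloc->logicalBlockNum + count) > partmap->s_partition_len) {`. The `udf_debug` format just below still prints the dropped `%d < %d` comparison and should be trimmed to match. The same two points apply to the following hunk in udf_table_free_blocks; both function bodies continue outside their hunks.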
51930 @@ -436,9 +434,7 @@ static void udf_table_free_blocks(struct
51931
51932 mutex_lock(&sbi->s_alloc_mutex);
51933 partmap = &sbi->s_partmaps[bloc->partitionReferenceNum];
51934 - if (bloc->logicalBlockNum < 0 ||
51935 - (bloc->logicalBlockNum + count) >
51936 - partmap->s_partition_len) {
51937 + if ((bloc->logicalBlockNum + count) > partmap->s_partition_len) {
51938 udf_debug("%d < %d || %d + %d > %d\n",
51939 bloc.logicalBlockNum, 0, bloc.logicalBlockNum, count,
51940 partmap->s_partition_len);
51941 diff -urNp linux-2.6.32.49/fs/udf/inode.c linux-2.6.32.49/fs/udf/inode.c
51942 --- linux-2.6.32.49/fs/udf/inode.c 2011-11-08 19:02:43.000000000 -0500
51943 +++ linux-2.6.32.49/fs/udf/inode.c 2011-11-15 19:59:43.000000000 -0500
51944 @@ -484,6 +484,8 @@ static struct buffer_head *inode_getblk(
51945 int goal = 0, pgoal = iinfo->i_location.logicalBlockNum;
51946 int lastblock = 0;
51947
51948 + pax_track_stack();
51949 +
51950 prev_epos.offset = udf_file_entry_alloc_offset(inode);
51951 prev_epos.block = iinfo->i_location;
51952 prev_epos.bh = NULL;
51953 diff -urNp linux-2.6.32.49/fs/udf/misc.c linux-2.6.32.49/fs/udf/misc.c
51954 --- linux-2.6.32.49/fs/udf/misc.c 2011-11-08 19:02:43.000000000 -0500
51955 +++ linux-2.6.32.49/fs/udf/misc.c 2011-11-15 19:59:43.000000000 -0500
51956 @@ -286,7 +286,7 @@ void udf_new_tag(char *data, uint16_t id
51957
51958 u8 udf_tag_checksum(const struct tag *t)
51959 {
51960 - u8 *data = (u8 *)t;
51961 + const u8 *data = (const u8 *)t;
51962 u8 checksum = 0;
51963 int i;
51964 for (i = 0; i < sizeof(struct tag); ++i)
51965 diff -urNp linux-2.6.32.49/fs/utimes.c linux-2.6.32.49/fs/utimes.c
51966 --- linux-2.6.32.49/fs/utimes.c 2011-11-08 19:02:43.000000000 -0500
51967 +++ linux-2.6.32.49/fs/utimes.c 2011-11-15 19:59:43.000000000 -0500
51968 @@ -1,6 +1,7 @@
51969 #include <linux/compiler.h>
51970 #include <linux/file.h>
51971 #include <linux/fs.h>
51972 +#include <linux/security.h>
51973 #include <linux/linkage.h>
51974 #include <linux/mount.h>
51975 #include <linux/namei.h>
51976 @@ -101,6 +102,12 @@ static int utimes_common(struct path *pa
51977 goto mnt_drop_write_and_out;
51978 }
51979 }
51980 +
51981 + if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
51982 + error = -EACCES;
51983 + goto mnt_drop_write_and_out;
51984 + }
51985 +
51986 mutex_lock(&inode->i_mutex);
51987 error = notify_change(path->dentry, &newattrs);
51988 mutex_unlock(&inode->i_mutex);
51989 diff -urNp linux-2.6.32.49/fs/xattr_acl.c linux-2.6.32.49/fs/xattr_acl.c
51990 --- linux-2.6.32.49/fs/xattr_acl.c 2011-11-08 19:02:43.000000000 -0500
51991 +++ linux-2.6.32.49/fs/xattr_acl.c 2011-11-15 19:59:43.000000000 -0500
51992 @@ -17,8 +17,8 @@
51993 struct posix_acl *
51994 posix_acl_from_xattr(const void *value, size_t size)
51995 {
51996 - posix_acl_xattr_header *header = (posix_acl_xattr_header *)value;
51997 - posix_acl_xattr_entry *entry = (posix_acl_xattr_entry *)(header+1), *end;
51998 + const posix_acl_xattr_header *header = (const posix_acl_xattr_header *)value;
51999 + const posix_acl_xattr_entry *entry = (const posix_acl_xattr_entry *)(header+1), *end;
52000 int count;
52001 struct posix_acl *acl;
52002 struct posix_acl_entry *acl_e;
52003 diff -urNp linux-2.6.32.49/fs/xattr.c linux-2.6.32.49/fs/xattr.c
52004 --- linux-2.6.32.49/fs/xattr.c 2011-11-08 19:02:43.000000000 -0500
52005 +++ linux-2.6.32.49/fs/xattr.c 2011-11-15 19:59:43.000000000 -0500
52006 @@ -247,7 +247,7 @@ EXPORT_SYMBOL_GPL(vfs_removexattr);
52007 * Extended attribute SET operations
52008 */
52009 static long
52010 -setxattr(struct dentry *d, const char __user *name, const void __user *value,
52011 +setxattr(struct path *path, const char __user *name, const void __user *value,
52012 size_t size, int flags)
52013 {
52014 int error;
52015 @@ -271,7 +271,13 @@ setxattr(struct dentry *d, const char __
52016 return PTR_ERR(kvalue);
52017 }
52018
52019 - error = vfs_setxattr(d, kname, kvalue, size, flags);
52020 + if (!gr_acl_handle_setxattr(path->dentry, path->mnt)) {
52021 + error = -EACCES;
52022 + goto out;
52023 + }
52024 +
52025 + error = vfs_setxattr(path->dentry, kname, kvalue, size, flags);
52026 +out:
52027 kfree(kvalue);
52028 return error;
52029 }
52030 @@ -288,7 +294,7 @@ SYSCALL_DEFINE5(setxattr, const char __u
52031 return error;
52032 error = mnt_want_write(path.mnt);
52033 if (!error) {
52034 - error = setxattr(path.dentry, name, value, size, flags);
52035 + error = setxattr(&path, name, value, size, flags);
52036 mnt_drop_write(path.mnt);
52037 }
52038 path_put(&path);
52039 @@ -307,7 +313,7 @@ SYSCALL_DEFINE5(lsetxattr, const char __
52040 return error;
52041 error = mnt_want_write(path.mnt);
52042 if (!error) {
52043 - error = setxattr(path.dentry, name, value, size, flags);
52044 + error = setxattr(&path, name, value, size, flags);
52045 mnt_drop_write(path.mnt);
52046 }
52047 path_put(&path);
52048 @@ -318,17 +324,15 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, cons
52049 const void __user *,value, size_t, size, int, flags)
52050 {
52051 struct file *f;
52052 - struct dentry *dentry;
52053 int error = -EBADF;
52054
52055 f = fget(fd);
52056 if (!f)
52057 return error;
52058 - dentry = f->f_path.dentry;
52059 - audit_inode(NULL, dentry);
52060 + audit_inode(NULL, f->f_path.dentry);
52061 error = mnt_want_write_file(f);
52062 if (!error) {
52063 - error = setxattr(dentry, name, value, size, flags);
52064 + error = setxattr(&f->f_path, name, value, size, flags);
52065 mnt_drop_write(f->f_path.mnt);
52066 }
52067 fput(f);
52068 diff -urNp linux-2.6.32.49/fs/xfs/linux-2.6/xfs_ioctl32.c linux-2.6.32.49/fs/xfs/linux-2.6/xfs_ioctl32.c
52069 --- linux-2.6.32.49/fs/xfs/linux-2.6/xfs_ioctl32.c 2011-11-08 19:02:43.000000000 -0500
52070 +++ linux-2.6.32.49/fs/xfs/linux-2.6/xfs_ioctl32.c 2011-11-15 19:59:43.000000000 -0500
52071 @@ -75,6 +75,7 @@ xfs_compat_ioc_fsgeometry_v1(
52072 xfs_fsop_geom_t fsgeo;
52073 int error;
52074
52075 + memset(&fsgeo, 0, sizeof(fsgeo));
52076 error = xfs_fs_geometry(mp, &fsgeo, 3);
52077 if (error)
52078 return -error;
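Review bot: The added `memset(&fsgeo, 0, sizeof(fsgeo));` has no comment saying what it protects, and the native xfs_ioc_fsgeometry_v1 in fs/xfs/linux-2.6/xfs_ioctl.c (a whitespace-only hunk later in this patch) still calls `xfs_fs_geometry(mp, &fsgeo, 3)` on an uninitialised stack struct. If xfs_fs_geometry does not write every byte for this version (its body is not visible here), the native path could still hand stale stack bytes to the caller; if it does, this memset is redundant. I would add `/* clear padding and fields xfs_fs_geometry leaves unset before the struct is copied out */` above the memset and make the native function match. The function body continues outside the hunk.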
52079 diff -urNp linux-2.6.32.49/fs/xfs/linux-2.6/xfs_ioctl.c linux-2.6.32.49/fs/xfs/linux-2.6/xfs_ioctl.c
52080 --- linux-2.6.32.49/fs/xfs/linux-2.6/xfs_ioctl.c 2011-11-08 19:02:43.000000000 -0500
52081 +++ linux-2.6.32.49/fs/xfs/linux-2.6/xfs_ioctl.c 2011-11-15 19:59:43.000000000 -0500
52082 @@ -134,7 +134,7 @@ xfs_find_handle(
52083 }
52084
52085 error = -EFAULT;
52086 - if (copy_to_user(hreq->ohandle, &handle, hsize) ||
52087 + if (hsize > sizeof handle || copy_to_user(hreq->ohandle, &handle, hsize) ||
52088 copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
52089 goto out_put;
52090
52091 @@ -423,7 +423,7 @@ xfs_attrlist_by_handle(
52092 if (IS_ERR(dentry))
52093 return PTR_ERR(dentry);
52094
52095 - kbuf = kmalloc(al_hreq.buflen, GFP_KERNEL);
52096 + kbuf = kzalloc(al_hreq.buflen, GFP_KERNEL);
52097 if (!kbuf)
52098 goto out_dput;
52099
52100 @@ -697,7 +697,7 @@ xfs_ioc_fsgeometry_v1(
52101 xfs_mount_t *mp,
52102 void __user *arg)
52103 {
52104 - xfs_fsop_geom_t fsgeo;
52105 + xfs_fsop_geom_t fsgeo;
52106 int error;
52107
52108 error = xfs_fs_geometry(mp, &fsgeo, 3);
52109 diff -urNp linux-2.6.32.49/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.32.49/fs/xfs/linux-2.6/xfs_iops.c
52110 --- linux-2.6.32.49/fs/xfs/linux-2.6/xfs_iops.c 2011-11-08 19:02:43.000000000 -0500
52111 +++ linux-2.6.32.49/fs/xfs/linux-2.6/xfs_iops.c 2011-11-15 19:59:43.000000000 -0500
52112 @@ -468,7 +468,7 @@ xfs_vn_put_link(
52113 struct nameidata *nd,
52114 void *p)
52115 {
52116 - char *s = nd_get_link(nd);
52117 + const char *s = nd_get_link(nd);
52118
52119 if (!IS_ERR(s))
52120 kfree(s);
52121 diff -urNp linux-2.6.32.49/fs/xfs/xfs_bmap.c linux-2.6.32.49/fs/xfs/xfs_bmap.c
52122 --- linux-2.6.32.49/fs/xfs/xfs_bmap.c 2011-11-08 19:02:43.000000000 -0500
52123 +++ linux-2.6.32.49/fs/xfs/xfs_bmap.c 2011-11-15 19:59:43.000000000 -0500
52124 @@ -360,7 +360,7 @@ xfs_bmap_validate_ret(
52125 int nmap,
52126 int ret_nmap);
52127 #else
52128 -#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
52129 +#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
52130 #endif /* DEBUG */
52131
52132 #if defined(XFS_RW_TRACE)
52133 diff -urNp linux-2.6.32.49/fs/xfs/xfs_dir2_sf.c linux-2.6.32.49/fs/xfs/xfs_dir2_sf.c
52134 --- linux-2.6.32.49/fs/xfs/xfs_dir2_sf.c 2011-11-08 19:02:43.000000000 -0500
52135 +++ linux-2.6.32.49/fs/xfs/xfs_dir2_sf.c 2011-11-15 19:59:43.000000000 -0500
52136 @@ -779,7 +779,15 @@ xfs_dir2_sf_getdents(
52137 }
52138
52139 ino = xfs_dir2_sf_get_inumber(sfp, xfs_dir2_sf_inumberp(sfep));
52140 - if (filldir(dirent, sfep->name, sfep->namelen,
52141 + if (dp->i_df.if_u1.if_data == dp->i_df.if_u2.if_inline_data) {
52142 + char name[sfep->namelen];
52143 + memcpy(name, sfep->name, sfep->namelen);
52144 + if (filldir(dirent, name, sfep->namelen,
52145 + off & 0x7fffffff, ino, DT_UNKNOWN)) {
52146 + *offset = off & 0x7fffffff;
52147 + return 0;
52148 + }
52149 + } else if (filldir(dirent, sfep->name, sfep->namelen,
52150 off & 0x7fffffff, ino, DT_UNKNOWN)) {
52151 *offset = off & 0x7fffffff;
52152 return 0;
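Review bot: `char name[sfep->namelen];` is a variable-length array on the kernel stack sized by an on-disk field, so its worst case is bounded only by the type of `namelen` (declared outside the hunk, presumably 8 bits), and it is a zero-length VLA when `namelen` is 0. A fixed buffer sized from the maximum short-form name length would make the stack cost explicit and remove the zero-length case. The new branch also has no comment on why the name is copied when `dp->i_df.if_u1.if_data == dp->i_df.if_u2.if_inline_data`; something like `/* name lives in the inode's inline data; give filldir a stack copy instead */` would do. The enclosing loop in xfs_dir2_sf_getdents starts and ends outside the hunk.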
52153 diff -urNp linux-2.6.32.49/fs/xfs/xfs_vnodeops.c linux-2.6.32.49/fs/xfs/xfs_vnodeops.c
52154 --- linux-2.6.32.49/fs/xfs/xfs_vnodeops.c 2011-11-08 19:02:43.000000000 -0500
52155 +++ linux-2.6.32.49/fs/xfs/xfs_vnodeops.c 2011-11-18 18:59:38.000000000 -0500
52156 @@ -564,13 +564,17 @@ xfs_readlink(
52157
52158 xfs_ilock(ip, XFS_ILOCK_SHARED);
52159
52160 - ASSERT((ip->i_d.di_mode & S_IFMT) == S_IFLNK);
52161 - ASSERT(ip->i_d.di_size <= MAXPATHLEN);
52162 -
52163 pathlen = ip->i_d.di_size;
52164 if (!pathlen)
52165 goto out;
52166
52167 + if (pathlen > MAXPATHLEN) {
52168 + xfs_fs_cmn_err(CE_ALERT, mp, "%s: inode (%llu) symlink length (%d) too long",
52169 + __func__, (unsigned long long)ip->i_ino, pathlen);
52170 + ASSERT(0);
52171 + return XFS_ERROR(EFSCORRUPTED);
52172 + }
52173 +
52174 if (ip->i_df.if_flags & XFS_IFINLINE) {
52175 memcpy(link, ip->i_df.if_u1.if_data, pathlen);
52176 link[pathlen] = '\0';
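Review bot: The new `return XFS_ERROR(EFSCORRUPTED);` leaves xfs_readlink while the `xfs_ilock(ip, XFS_ILOCK_SHARED)` taken at the top of the hunk is still held. The zero-length case just above it uses `goto out`, which is presumably where the lock is released (the label is outside the hunk). An inode with an oversized on-disk symlink length would then keep its lock held, and later operations on that inode could block. The error should go through the same exit, e.g. `error = XFS_ERROR(EFSCORRUPTED); goto out;`, assuming the function's result variable is named `error`.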
52177 diff -urNp linux-2.6.32.49/grsecurity/gracl_alloc.c linux-2.6.32.49/grsecurity/gracl_alloc.c
52178 --- linux-2.6.32.49/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
52179 +++ linux-2.6.32.49/grsecurity/gracl_alloc.c 2011-11-15 19:59:43.000000000 -0500
52180 @@ -0,0 +1,105 @@
52181 +#include <linux/kernel.h>
52182 +#include <linux/mm.h>
52183 +#include <linux/slab.h>
52184 +#include <linux/vmalloc.h>
52185 +#include <linux/gracl.h>
52186 +#include <linux/grsecurity.h>
52187 +
52188 +static unsigned long alloc_stack_next = 1;
52189 +static unsigned long alloc_stack_size = 1;
52190 +static void **alloc_stack;
52191 +
52192 +static __inline__ int
52193 +alloc_pop(void)
52194 +{
52195 + if (alloc_stack_next == 1)
52196 + return 0;
52197 +
52198 + kfree(alloc_stack[alloc_stack_next - 2]);
52199 +
52200 + alloc_stack_next--;
52201 +
52202 + return 1;
52203 +}
52204 +
52205 +static __inline__ int
52206 +alloc_push(void *buf)
52207 +{
52208 + if (alloc_stack_next >= alloc_stack_size)
52209 + return 1;
52210 +
52211 + alloc_stack[alloc_stack_next - 1] = buf;
52212 +
52213 + alloc_stack_next++;
52214 +
52215 + return 0;
52216 +}
52217 +
52218 +void *
52219 +acl_alloc(unsigned long len)
52220 +{
52221 + void *ret = NULL;
52222 +
52223 + if (!len || len > PAGE_SIZE)
52224 + goto out;
52225 +
52226 + ret = kmalloc(len, GFP_KERNEL);
52227 +
52228 + if (ret) {
52229 + if (alloc_push(ret)) {
52230 + kfree(ret);
52231 + ret = NULL;
52232 + }
52233 + }
52234 +
52235 +out:
52236 + return ret;
52237 +}
52238 +
52239 +void *
52240 +acl_alloc_num(unsigned long num, unsigned long len)
52241 +{
52242 + if (!len || (num > (PAGE_SIZE / len)))
52243 + return NULL;
52244 +
52245 + return acl_alloc(num * len);
52246 +}
52247 +
52248 +void
52249 +acl_free_all(void)
52250 +{
52251 + if (gr_acl_is_enabled() || !alloc_stack)
52252 + return;
52253 +
52254 + while (alloc_pop()) ;
52255 +
52256 + if (alloc_stack) {
52257 + if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
52258 + kfree(alloc_stack);
52259 + else
52260 + vfree(alloc_stack);
52261 + }
52262 +
52263 + alloc_stack = NULL;
52264 + alloc_stack_size = 1;
52265 + alloc_stack_next = 1;
52266 +
52267 + return;
52268 +}
52269 +
52270 +int
52271 +acl_alloc_stack_init(unsigned long size)
52272 +{
52273 + if ((size * sizeof (void *)) <= PAGE_SIZE)
52274 + alloc_stack =
52275 + (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
52276 + else
52277 + alloc_stack = (void **) vmalloc(size * sizeof (void *));
52278 +
52279 + alloc_stack_size = size;
52280 +
52281 + if (!alloc_stack)
52282 + return 0;
52283 + else
52284 + return 1;
52285 +}
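Review bot: acl_alloc_stack_init multiplies `size * sizeof (void *)` with no wraparound check and stores `alloc_stack_size = size` before it knows whether the allocation succeeded. If the product wraps, the array is shorter than `alloc_stack_size` claims and alloc_push can index past its end. If the allocation fails and a caller goes on to acl_alloc anyway, the `alloc_stack_next >= alloc_stack_size` test passes and alloc_push writes through a NULL `alloc_stack`. I would reject a count whose byte size would wrap and publish the capacity only once the array exists, as below; the casts on kmalloc/vmalloc are also unnecessary in C.

```c
int
acl_alloc_stack_init(unsigned long size)
{
	/* refuse a slot count whose byte size would wrap */
	if (size > ULONG_MAX / sizeof (void *))
		return 0;

	if ((size * sizeof (void *)) <= PAGE_SIZE)
		alloc_stack = kmalloc(size * sizeof (void *), GFP_KERNEL);
	else
		alloc_stack = vmalloc(size * sizeof (void *));

	if (!alloc_stack)
		return 0;

	/* record the capacity only after the array really exists */
	alloc_stack_size = size;
	return 1;
}
```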
52286 diff -urNp linux-2.6.32.49/grsecurity/gracl.c linux-2.6.32.49/grsecurity/gracl.c
52287 --- linux-2.6.32.49/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
52288 +++ linux-2.6.32.49/grsecurity/gracl.c 2011-11-16 17:55:28.000000000 -0500
52289 @@ -0,0 +1,4141 @@
52290 +#include <linux/kernel.h>
52291 +#include <linux/module.h>
52292 +#include <linux/sched.h>
52293 +#include <linux/mm.h>
52294 +#include <linux/file.h>
52295 +#include <linux/fs.h>
52296 +#include <linux/namei.h>
52297 +#include <linux/mount.h>
52298 +#include <linux/tty.h>
52299 +#include <linux/proc_fs.h>
52300 +#include <linux/smp_lock.h>
52301 +#include <linux/slab.h>
52302 +#include <linux/vmalloc.h>
52303 +#include <linux/types.h>
52304 +#include <linux/sysctl.h>
52305 +#include <linux/netdevice.h>
52306 +#include <linux/ptrace.h>
52307 +#include <linux/gracl.h>
52308 +#include <linux/gralloc.h>
52309 +#include <linux/grsecurity.h>
52310 +#include <linux/grinternal.h>
52311 +#include <linux/pid_namespace.h>
52312 +#include <linux/fdtable.h>
52313 +#include <linux/percpu.h>
52314 +
52315 +#include <asm/uaccess.h>
52316 +#include <asm/errno.h>
52317 +#include <asm/mman.h>
52318 +
52319 +static struct acl_role_db acl_role_set;
52320 +static struct name_db name_set;
52321 +static struct inodev_db inodev_set;
52322 +
52323 +/* for keeping track of userspace pointers used for subjects, so we
52324 + can share references in the kernel as well
52325 +*/
52326 +
52327 +static struct dentry *real_root;
52328 +static struct vfsmount *real_root_mnt;
52329 +
52330 +static struct acl_subj_map_db subj_map_set;
52331 +
52332 +static struct acl_role_label *default_role;
52333 +
52334 +static struct acl_role_label *role_list;
52335 +
52336 +static u16 acl_sp_role_value;
52337 +
52338 +extern char *gr_shared_page[4];
52339 +static DEFINE_MUTEX(gr_dev_mutex);
52340 +DEFINE_RWLOCK(gr_inode_lock);
52341 +
52342 +struct gr_arg *gr_usermode;
52343 +
52344 +static unsigned int gr_status __read_only = GR_STATUS_INIT;
52345 +
52346 +extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
52347 +extern void gr_clear_learn_entries(void);
52348 +
52349 +#ifdef CONFIG_GRKERNSEC_RESLOG
52350 +extern void gr_log_resource(const struct task_struct *task,
52351 + const int res, const unsigned long wanted, const int gt);
52352 +#endif
52353 +
52354 +unsigned char *gr_system_salt;
52355 +unsigned char *gr_system_sum;
52356 +
52357 +static struct sprole_pw **acl_special_roles = NULL;
52358 +static __u16 num_sprole_pws = 0;
52359 +
52360 +static struct acl_role_label *kernel_role = NULL;
52361 +
52362 +static unsigned int gr_auth_attempts = 0;
52363 +static unsigned long gr_auth_expires = 0UL;
52364 +
52365 +#ifdef CONFIG_NET
52366 +extern struct vfsmount *sock_mnt;
52367 +#endif
52368 +extern struct vfsmount *pipe_mnt;
52369 +extern struct vfsmount *shm_mnt;
52370 +#ifdef CONFIG_HUGETLBFS
52371 +extern struct vfsmount *hugetlbfs_vfsmount;
52372 +#endif
52373 +
52374 +static struct acl_object_label *fakefs_obj_rw;
52375 +static struct acl_object_label *fakefs_obj_rwx;
52376 +
52377 +extern int gr_init_uidset(void);
52378 +extern void gr_free_uidset(void);
52379 +extern void gr_remove_uid(uid_t uid);
52380 +extern int gr_find_uid(uid_t uid);
52381 +
52382 +__inline__ int
52383 +gr_acl_is_enabled(void)
52384 +{
52385 + return (gr_status & GR_READY);
52386 +}
52387 +
52388 +#ifdef CONFIG_BTRFS_FS
52389 +extern dev_t get_btrfs_dev_from_inode(struct inode *inode);
52390 +extern int btrfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat);
52391 +#endif
52392 +
52393 +static inline dev_t __get_dev(const struct dentry *dentry)
52394 +{
52395 +#ifdef CONFIG_BTRFS_FS
52396 + if (dentry->d_inode->i_op && dentry->d_inode->i_op->getattr == &btrfs_getattr)
52397 + return get_btrfs_dev_from_inode(dentry->d_inode);
52398 + else
52399 +#endif
52400 + return dentry->d_inode->i_sb->s_dev;
52401 +}
52402 +
52403 +dev_t gr_get_dev_from_dentry(struct dentry *dentry)
52404 +{
52405 + return __get_dev(dentry);
52406 +}
52407 +
52408 +static char gr_task_roletype_to_char(struct task_struct *task)
52409 +{
52410 + switch (task->role->roletype &
52411 + (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
52412 + GR_ROLE_SPECIAL)) {
52413 + case GR_ROLE_DEFAULT:
52414 + return 'D';
52415 + case GR_ROLE_USER:
52416 + return 'U';
52417 + case GR_ROLE_GROUP:
52418 + return 'G';
52419 + case GR_ROLE_SPECIAL:
52420 + return 'S';
52421 + }
52422 +
52423 + return 'X';
52424 +}
52425 +
52426 +char gr_roletype_to_char(void)
52427 +{
52428 + return gr_task_roletype_to_char(current);
52429 +}
52430 +
52431 +__inline__ int
52432 +gr_acl_tpe_check(void)
52433 +{
52434 + if (unlikely(!(gr_status & GR_READY)))
52435 + return 0;
52436 + if (current->role->roletype & GR_ROLE_TPE)
52437 + return 1;
52438 + else
52439 + return 0;
52440 +}
52441 +
52442 +int
52443 +gr_handle_rawio(const struct inode *inode)
52444 +{
52445 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
52446 + if (inode && S_ISBLK(inode->i_mode) &&
52447 + grsec_enable_chroot_caps && proc_is_chrooted(current) &&
52448 + !capable(CAP_SYS_RAWIO))
52449 + return 1;
52450 +#endif
52451 + return 0;
52452 +}
52453 +
52454 +static int
52455 +gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
52456 +{
52457 + if (likely(lena != lenb))
52458 + return 0;
52459 +
52460 + return !memcmp(a, b, lena);
52461 +}
52462 +
52463 +static int prepend(char **buffer, int *buflen, const char *str, int namelen)
52464 +{
52465 + *buflen -= namelen;
52466 + if (*buflen < 0)
52467 + return -ENAMETOOLONG;
52468 + *buffer -= namelen;
52469 + memcpy(*buffer, str, namelen);
52470 + return 0;
52471 +}
52472 +
52473 +/* this must be called with vfsmount_lock and dcache_lock held */
52474 +
52475 +static char * __our_d_path(struct dentry *dentry, struct vfsmount *vfsmnt,
52476 + struct dentry *root, struct vfsmount *rootmnt,
52477 + char *buffer, int buflen)
52478 +{
52479 + char * end = buffer+buflen;
52480 + char * retval;
52481 + int namelen;
52482 +
52483 + *--end = '\0';
52484 + buflen--;
52485 +
52486 + if (buflen < 1)
52487 + goto Elong;
52488 + /* Get '/' right */
52489 + retval = end-1;
52490 + *retval = '/';
52491 +
52492 + for (;;) {
52493 + struct dentry * parent;
52494 +
52495 + if (dentry == root && vfsmnt == rootmnt)
52496 + break;
52497 + if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
52498 + /* Global root? */
52499 + if (vfsmnt->mnt_parent == vfsmnt)
52500 + goto global_root;
52501 + dentry = vfsmnt->mnt_mountpoint;
52502 + vfsmnt = vfsmnt->mnt_parent;
52503 + continue;
52504 + }
52505 + parent = dentry->d_parent;
52506 + prefetch(parent);
52507 + namelen = dentry->d_name.len;
52508 + buflen -= namelen + 1;
52509 + if (buflen < 0)
52510 + goto Elong;
52511 + end -= namelen;
52512 + memcpy(end, dentry->d_name.name, namelen);
52513 + *--end = '/';
52514 + retval = end;
52515 + dentry = parent;
52516 + }
52517 +
52518 +out:
52519 + return retval;
52520 +
52521 +global_root:
52522 + namelen = dentry->d_name.len;
52523 + buflen -= namelen;
52524 + if (buflen < 0)
52525 + goto Elong;
52526 + retval -= namelen-1; /* hit the slash */
52527 + memcpy(retval, dentry->d_name.name, namelen);
52528 + goto out;
52529 +Elong:
52530 + retval = ERR_PTR(-ENAMETOOLONG);
52531 + goto out;
52532 +}
52533 +
52534 +static char *
52535 +gen_full_path(struct dentry *dentry, struct vfsmount *vfsmnt,
52536 + struct dentry *root, struct vfsmount *rootmnt, char *buf, int buflen)
52537 +{
52538 + char *retval;
52539 +
52540 + retval = __our_d_path(dentry, vfsmnt, root, rootmnt, buf, buflen);
52541 + if (unlikely(IS_ERR(retval)))
52542 + retval = strcpy(buf, "<path too long>");
52543 + else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
52544 + retval[1] = '\0';
52545 +
52546 + return retval;
52547 +}
52548 +
52549 +static char *
52550 +__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
52551 + char *buf, int buflen)
52552 +{
52553 + char *res;
52554 +
52555 + /* we can use real_root, real_root_mnt, because this is only called
52556 + by the RBAC system */
52557 + res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, real_root, real_root_mnt, buf, buflen);
52558 +
52559 + return res;
52560 +}
52561 +
52562 +static char *
52563 +d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
52564 + char *buf, int buflen)
52565 +{
52566 + char *res;
52567 + struct dentry *root;
52568 + struct vfsmount *rootmnt;
52569 + struct task_struct *reaper = &init_task;
52570 +
52571 + /* we can't use real_root, real_root_mnt, because they belong only to the RBAC system */
52572 + read_lock(&reaper->fs->lock);
52573 + root = dget(reaper->fs->root.dentry);
52574 + rootmnt = mntget(reaper->fs->root.mnt);
52575 + read_unlock(&reaper->fs->lock);
52576 +
52577 + spin_lock(&dcache_lock);
52578 + spin_lock(&vfsmount_lock);
52579 + res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, root, rootmnt, buf, buflen);
52580 + spin_unlock(&vfsmount_lock);
52581 + spin_unlock(&dcache_lock);
52582 +
52583 + dput(root);
52584 + mntput(rootmnt);
52585 + return res;
52586 +}
52587 +
52588 +static char *
52589 +gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
52590 +{
52591 + char *ret;
52592 + spin_lock(&dcache_lock);
52593 + spin_lock(&vfsmount_lock);
52594 + ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
52595 + PAGE_SIZE);
52596 + spin_unlock(&vfsmount_lock);
52597 + spin_unlock(&dcache_lock);
52598 + return ret;
52599 +}
52600 +
52601 +static char *
52602 +gr_to_proc_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
52603 +{
52604 + char *ret;
52605 + char *buf;
52606 + int buflen;
52607 +
52608 + spin_lock(&dcache_lock);
52609 + spin_lock(&vfsmount_lock);
52610 + buf = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
52611 + ret = __d_real_path(dentry, mnt, buf, PAGE_SIZE - 6);
52612 + buflen = (int)(ret - buf);
52613 + if (buflen >= 5)
52614 + prepend(&ret, &buflen, "/proc", 5);
52615 + else
52616 + ret = strcpy(buf, "<path too long>");
52617 + spin_unlock(&vfsmount_lock);
52618 + spin_unlock(&dcache_lock);
52619 + return ret;
52620 +}
52621 +
52622 +char *
52623 +gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
52624 +{
52625 + return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
52626 + PAGE_SIZE);
52627 +}
52628 +
52629 +char *
52630 +gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
52631 +{
52632 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
52633 + PAGE_SIZE);
52634 +}
52635 +
52636 +char *
52637 +gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
52638 +{
52639 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
52640 + PAGE_SIZE);
52641 +}
52642 +
52643 +char *
52644 +gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
52645 +{
52646 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
52647 + PAGE_SIZE);
52648 +}
52649 +
52650 +char *
52651 +gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
52652 +{
52653 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
52654 + PAGE_SIZE);
52655 +}
52656 +
52657 +__inline__ __u32
52658 +to_gr_audit(const __u32 reqmode)
52659 +{
52660 + /* masks off auditable permission flags, then shifts them to create
52661 + auditing flags, and adds the special case of append auditing if
52662 + we're requesting write */
52663 + return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
52664 +}
52665 +
52666 +struct acl_subject_label *
52667 +lookup_subject_map(const struct acl_subject_label *userp)
52668 +{
52669 + unsigned int index = shash(userp, subj_map_set.s_size);
52670 + struct subject_map *match;
52671 +
52672 + match = subj_map_set.s_hash[index];
52673 +
52674 + while (match && match->user != userp)
52675 + match = match->next;
52676 +
52677 + if (match != NULL)
52678 + return match->kernel;
52679 + else
52680 + return NULL;
52681 +}
52682 +
52683 +static void
52684 +insert_subj_map_entry(struct subject_map *subjmap)
52685 +{
52686 + unsigned int index = shash(subjmap->user, subj_map_set.s_size);
52687 + struct subject_map **curr;
52688 +
52689 + subjmap->prev = NULL;
52690 +
52691 + curr = &subj_map_set.s_hash[index];
52692 + if (*curr != NULL)
52693 + (*curr)->prev = subjmap;
52694 +
52695 + subjmap->next = *curr;
52696 + *curr = subjmap;
52697 +
52698 + return;
52699 +}
52700 +
52701 +static struct acl_role_label *
52702 +lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
52703 + const gid_t gid)
52704 +{
52705 + unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
52706 + struct acl_role_label *match;
52707 + struct role_allowed_ip *ipp;
52708 + unsigned int x;
52709 + u32 curr_ip = task->signal->curr_ip;
52710 +
52711 + task->signal->saved_ip = curr_ip;
52712 +
52713 + match = acl_role_set.r_hash[index];
52714 +
52715 + while (match) {
52716 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
52717 + for (x = 0; x < match->domain_child_num; x++) {
52718 + if (match->domain_children[x] == uid)
52719 + goto found;
52720 + }
52721 + } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
52722 + break;
52723 + match = match->next;
52724 + }
52725 +found:
52726 + if (match == NULL) {
52727 + try_group:
52728 + index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
52729 + match = acl_role_set.r_hash[index];
52730 +
52731 + while (match) {
52732 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
52733 + for (x = 0; x < match->domain_child_num; x++) {
52734 + if (match->domain_children[x] == gid)
52735 + goto found2;
52736 + }
52737 + } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
52738 + break;
52739 + match = match->next;
52740 + }
52741 +found2:
52742 + if (match == NULL)
52743 + match = default_role;
52744 + if (match->allowed_ips == NULL)
52745 + return match;
52746 + else {
52747 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
52748 + if (likely
52749 + ((ntohl(curr_ip) & ipp->netmask) ==
52750 + (ntohl(ipp->addr) & ipp->netmask)))
52751 + return match;
52752 + }
52753 + match = default_role;
52754 + }
52755 + } else if (match->allowed_ips == NULL) {
52756 + return match;
52757 + } else {
52758 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
52759 + if (likely
52760 + ((ntohl(curr_ip) & ipp->netmask) ==
52761 + (ntohl(ipp->addr) & ipp->netmask)))
52762 + return match;
52763 + }
52764 + goto try_group;
52765 + }
52766 +
52767 + return match;
52768 +}
52769 +
52770 +struct acl_subject_label *
52771 +lookup_acl_subj_label(const ino_t ino, const dev_t dev,
52772 + const struct acl_role_label *role)
52773 +{
52774 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
52775 + struct acl_subject_label *match;
52776 +
52777 + match = role->subj_hash[index];
52778 +
52779 + while (match && (match->inode != ino || match->device != dev ||
52780 + (match->mode & GR_DELETED))) {
52781 + match = match->next;
52782 + }
52783 +
52784 + if (match && !(match->mode & GR_DELETED))
52785 + return match;
52786 + else
52787 + return NULL;
52788 +}
52789 +
52790 +struct acl_subject_label *
52791 +lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
52792 + const struct acl_role_label *role)
52793 +{
52794 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
52795 + struct acl_subject_label *match;
52796 +
52797 + match = role->subj_hash[index];
52798 +
52799 + while (match && (match->inode != ino || match->device != dev ||
52800 + !(match->mode & GR_DELETED))) {
52801 + match = match->next;
52802 + }
52803 +
52804 + if (match && (match->mode & GR_DELETED))
52805 + return match;
52806 + else
52807 + return NULL;
52808 +}
52809 +
52810 +static struct acl_object_label *
52811 +lookup_acl_obj_label(const ino_t ino, const dev_t dev,
52812 + const struct acl_subject_label *subj)
52813 +{
52814 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
52815 + struct acl_object_label *match;
52816 +
52817 + match = subj->obj_hash[index];
52818 +
52819 + while (match && (match->inode != ino || match->device != dev ||
52820 + (match->mode & GR_DELETED))) {
52821 + match = match->next;
52822 + }
52823 +
52824 + if (match && !(match->mode & GR_DELETED))
52825 + return match;
52826 + else
52827 + return NULL;
52828 +}
52829 +
52830 +static struct acl_object_label *
52831 +lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
52832 + const struct acl_subject_label *subj)
52833 +{
52834 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
52835 + struct acl_object_label *match;
52836 +
52837 + match = subj->obj_hash[index];
52838 +
52839 + while (match && (match->inode != ino || match->device != dev ||
52840 + !(match->mode & GR_DELETED))) {
52841 + match = match->next;
52842 + }
52843 +
52844 + if (match && (match->mode & GR_DELETED))
52845 + return match;
52846 +
52847 + match = subj->obj_hash[index];
52848 +
52849 + while (match && (match->inode != ino || match->device != dev ||
52850 + (match->mode & GR_DELETED))) {
52851 + match = match->next;
52852 + }
52853 +
52854 + if (match && !(match->mode & GR_DELETED))
52855 + return match;
52856 + else
52857 + return NULL;
52858 +}
52859 +
52860 +static struct name_entry *
52861 +lookup_name_entry(const char *name)
52862 +{
52863 + unsigned int len = strlen(name);
52864 + unsigned int key = full_name_hash(name, len);
52865 + unsigned int index = key % name_set.n_size;
52866 + struct name_entry *match;
52867 +
52868 + match = name_set.n_hash[index];
52869 +
52870 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
52871 + match = match->next;
52872 +
52873 + return match;
52874 +}
52875 +
52876 +static struct name_entry *
52877 +lookup_name_entry_create(const char *name)
52878 +{
52879 + unsigned int len = strlen(name);
52880 + unsigned int key = full_name_hash(name, len);
52881 + unsigned int index = key % name_set.n_size;
52882 + struct name_entry *match;
52883 +
52884 + match = name_set.n_hash[index];
52885 +
52886 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
52887 + !match->deleted))
52888 + match = match->next;
52889 +
52890 + if (match && match->deleted)
52891 + return match;
52892 +
52893 + match = name_set.n_hash[index];
52894 +
52895 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
52896 + match->deleted))
52897 + match = match->next;
52898 +
52899 + if (match && !match->deleted)
52900 + return match;
52901 + else
52902 + return NULL;
52903 +}
52904 +
52905 +static struct inodev_entry *
52906 +lookup_inodev_entry(const ino_t ino, const dev_t dev)
52907 +{
52908 + unsigned int index = fhash(ino, dev, inodev_set.i_size);
52909 + struct inodev_entry *match;
52910 +
52911 + match = inodev_set.i_hash[index];
52912 +
52913 + while (match && (match->nentry->inode != ino || match->nentry->device != dev))
52914 + match = match->next;
52915 +
52916 + return match;
52917 +}
52918 +
52919 +static void
52920 +insert_inodev_entry(struct inodev_entry *entry)
52921 +{
52922 + unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
52923 + inodev_set.i_size);
52924 + struct inodev_entry **curr;
52925 +
52926 + entry->prev = NULL;
52927 +
52928 + curr = &inodev_set.i_hash[index];
52929 + if (*curr != NULL)
52930 + (*curr)->prev = entry;
52931 +
52932 + entry->next = *curr;
52933 + *curr = entry;
52934 +
52935 + return;
52936 +}
52937 +
52938 +static void
52939 +__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
52940 +{
52941 + unsigned int index =
52942 + rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
52943 + struct acl_role_label **curr;
52944 + struct acl_role_label *tmp;
52945 +
52946 + curr = &acl_role_set.r_hash[index];
52947 +
52948 + /* if role was already inserted due to domains and already has
52949 + a role in the same bucket as it attached, then we need to
52950 + combine these two buckets
52951 + */
52952 + if (role->next) {
52953 + tmp = role->next;
52954 + while (tmp->next)
52955 + tmp = tmp->next;
52956 + tmp->next = *curr;
52957 + } else
52958 + role->next = *curr;
52959 + *curr = role;
52960 +
52961 + return;
52962 +}
52963 +
52964 +static void
52965 +insert_acl_role_label(struct acl_role_label *role)
52966 +{
52967 + int i;
52968 +
52969 + if (role_list == NULL) {
52970 + role_list = role;
52971 + role->prev = NULL;
52972 + } else {
52973 + role->prev = role_list;
52974 + role_list = role;
52975 + }
52976 +
52977 + /* used for hash chains */
52978 + role->next = NULL;
52979 +
52980 + if (role->roletype & GR_ROLE_DOMAIN) {
52981 + for (i = 0; i < role->domain_child_num; i++)
52982 + __insert_acl_role_label(role, role->domain_children[i]);
52983 + } else
52984 + __insert_acl_role_label(role, role->uidgid);
52985 +}
52986 +
52987 +static int
52988 +insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
52989 +{
52990 + struct name_entry **curr, *nentry;
52991 + struct inodev_entry *ientry;
52992 + unsigned int len = strlen(name);
52993 + unsigned int key = full_name_hash(name, len);
52994 + unsigned int index = key % name_set.n_size;
52995 +
52996 + curr = &name_set.n_hash[index];
52997 +
52998 + while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
52999 + curr = &((*curr)->next);
53000 +
53001 + if (*curr != NULL)
53002 + return 1;
53003 +
53004 + nentry = acl_alloc(sizeof (struct name_entry));
53005 + if (nentry == NULL)
53006 + return 0;
53007 + ientry = acl_alloc(sizeof (struct inodev_entry));
53008 + if (ientry == NULL)
53009 + return 0;
53010 + ientry->nentry = nentry;
53011 +
53012 + nentry->key = key;
53013 + nentry->name = name;
53014 + nentry->inode = inode;
53015 + nentry->device = device;
53016 + nentry->len = len;
53017 + nentry->deleted = deleted;
53018 +
53019 + nentry->prev = NULL;
53020 + curr = &name_set.n_hash[index];
53021 + if (*curr != NULL)
53022 + (*curr)->prev = nentry;
53023 + nentry->next = *curr;
53024 + *curr = nentry;
53025 +
53026 + /* insert us into the table searchable by inode/dev */
53027 + insert_inodev_entry(ientry);
53028 +
53029 + return 1;
53030 +}
53031 +
53032 +static void
53033 +insert_acl_obj_label(struct acl_object_label *obj,
53034 + struct acl_subject_label *subj)
53035 +{
53036 + unsigned int index =
53037 + fhash(obj->inode, obj->device, subj->obj_hash_size);
53038 + struct acl_object_label **curr;
53039 +
53040 +
53041 + obj->prev = NULL;
53042 +
53043 + curr = &subj->obj_hash[index];
53044 + if (*curr != NULL)
53045 + (*curr)->prev = obj;
53046 +
53047 + obj->next = *curr;
53048 + *curr = obj;
53049 +
53050 + return;
53051 +}
53052 +
53053 +static void
53054 +insert_acl_subj_label(struct acl_subject_label *obj,
53055 + struct acl_role_label *role)
53056 +{
53057 + unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
53058 + struct acl_subject_label **curr;
53059 +
53060 + obj->prev = NULL;
53061 +
53062 + curr = &role->subj_hash[index];
53063 + if (*curr != NULL)
53064 + (*curr)->prev = obj;
53065 +
53066 + obj->next = *curr;
53067 + *curr = obj;
53068 +
53069 + return;
53070 +}
53071 +
53072 +/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
53073 +
53074 +static void *
53075 +create_table(__u32 * len, int elementsize)
53076 +{
53077 + unsigned int table_sizes[] = {
53078 + 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
53079 + 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
53080 + 4194301, 8388593, 16777213, 33554393, 67108859
53081 + };
53082 + void *newtable = NULL;
53083 + unsigned int pwr = 0;
53084 +
53085 + while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
53086 + table_sizes[pwr] <= *len)
53087 + pwr++;
53088 +
53089 + if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
53090 + return newtable;
53091 +
53092 + if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
53093 + newtable =
53094 + kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
53095 + else
53096 + newtable = vmalloc(table_sizes[pwr] * elementsize);
53097 +
53098 + *len = table_sizes[pwr];
53099 +
53100 + return newtable;
53101 +}
53102 +
53103 +static int
53104 +init_variables(const struct gr_arg *arg)
53105 +{
53106 + struct task_struct *reaper = &init_task;
53107 + unsigned int stacksize;
53108 +
53109 + subj_map_set.s_size = arg->role_db.num_subjects;
53110 + acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
53111 + name_set.n_size = arg->role_db.num_objects;
53112 + inodev_set.i_size = arg->role_db.num_objects;
53113 +
53114 + if (!subj_map_set.s_size || !acl_role_set.r_size ||
53115 + !name_set.n_size || !inodev_set.i_size)
53116 + return 1;
53117 +
53118 + if (!gr_init_uidset())
53119 + return 1;
53120 +
53121 + /* set up the stack that holds allocation info */
53122 +
53123 + stacksize = arg->role_db.num_pointers + 5;
53124 +
53125 + if (!acl_alloc_stack_init(stacksize))
53126 + return 1;
53127 +
53128 + /* grab reference for the real root dentry and vfsmount */
53129 + read_lock(&reaper->fs->lock);
53130 + real_root = dget(reaper->fs->root.dentry);
53131 + real_root_mnt = mntget(reaper->fs->root.mnt);
53132 + read_unlock(&reaper->fs->lock);
53133 +
53134 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
53135 + printk(KERN_ALERT "Obtained real root device=%d, inode=%lu\n", __get_dev(real_root), real_root->d_inode->i_ino);
53136 +#endif
53137 +
53138 + fakefs_obj_rw = acl_alloc(sizeof(struct acl_object_label));
53139 + if (fakefs_obj_rw == NULL)
53140 + return 1;
53141 + fakefs_obj_rw->mode = GR_FIND | GR_READ | GR_WRITE;
53142 +
53143 + fakefs_obj_rwx = acl_alloc(sizeof(struct acl_object_label));
53144 + if (fakefs_obj_rwx == NULL)
53145 + return 1;
53146 + fakefs_obj_rwx->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
53147 +
53148 + subj_map_set.s_hash =
53149 + (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
53150 + acl_role_set.r_hash =
53151 + (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
53152 + name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
53153 + inodev_set.i_hash =
53154 + (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
53155 +
53156 + if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
53157 + !name_set.n_hash || !inodev_set.i_hash)
53158 + return 1;
53159 +
53160 + memset(subj_map_set.s_hash, 0,
53161 + sizeof(struct subject_map *) * subj_map_set.s_size);
53162 + memset(acl_role_set.r_hash, 0,
53163 + sizeof (struct acl_role_label *) * acl_role_set.r_size);
53164 + memset(name_set.n_hash, 0,
53165 + sizeof (struct name_entry *) * name_set.n_size);
53166 + memset(inodev_set.i_hash, 0,
53167 + sizeof (struct inodev_entry *) * inodev_set.i_size);
53168 +
53169 + return 0;
53170 +}
53171 +
53172 +/* free information not needed after startup
53173 + currently contains user->kernel pointer mappings for subjects
53174 +*/
53175 +
53176 +static void
53177 +free_init_variables(void)
53178 +{
53179 + __u32 i;
53180 +
53181 + if (subj_map_set.s_hash) {
53182 + for (i = 0; i < subj_map_set.s_size; i++) {
53183 + if (subj_map_set.s_hash[i]) {
53184 + kfree(subj_map_set.s_hash[i]);
53185 + subj_map_set.s_hash[i] = NULL;
53186 + }
53187 + }
53188 +
53189 + if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
53190 + PAGE_SIZE)
53191 + kfree(subj_map_set.s_hash);
53192 + else
53193 + vfree(subj_map_set.s_hash);
53194 + }
53195 +
53196 + return;
53197 +}
53198 +
53199 +static void
53200 +free_variables(void)
53201 +{
53202 + struct acl_subject_label *s;
53203 + struct acl_role_label *r;
53204 + struct task_struct *task, *task2;
53205 + unsigned int x;
53206 +
53207 + gr_clear_learn_entries();
53208 +
53209 + read_lock(&tasklist_lock);
53210 + do_each_thread(task2, task) {
53211 + task->acl_sp_role = 0;
53212 + task->acl_role_id = 0;
53213 + task->acl = NULL;
53214 + task->role = NULL;
53215 + } while_each_thread(task2, task);
53216 + read_unlock(&tasklist_lock);
53217 +
53218 + /* release the reference to the real root dentry and vfsmount */
53219 + if (real_root)
53220 + dput(real_root);
53221 + real_root = NULL;
53222 + if (real_root_mnt)
53223 + mntput(real_root_mnt);
53224 + real_root_mnt = NULL;
53225 +
53226 + /* free all object hash tables */
53227 +
53228 + FOR_EACH_ROLE_START(r)
53229 + if (r->subj_hash == NULL)
53230 + goto next_role;
53231 + FOR_EACH_SUBJECT_START(r, s, x)
53232 + if (s->obj_hash == NULL)
53233 + break;
53234 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
53235 + kfree(s->obj_hash);
53236 + else
53237 + vfree(s->obj_hash);
53238 + FOR_EACH_SUBJECT_END(s, x)
53239 + FOR_EACH_NESTED_SUBJECT_START(r, s)
53240 + if (s->obj_hash == NULL)
53241 + break;
53242 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
53243 + kfree(s->obj_hash);
53244 + else
53245 + vfree(s->obj_hash);
53246 + FOR_EACH_NESTED_SUBJECT_END(s)
53247 + if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
53248 + kfree(r->subj_hash);
53249 + else
53250 + vfree(r->subj_hash);
53251 + r->subj_hash = NULL;
53252 +next_role:
53253 + FOR_EACH_ROLE_END(r)
53254 +
53255 + acl_free_all();
53256 +
53257 + if (acl_role_set.r_hash) {
53258 + if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
53259 + PAGE_SIZE)
53260 + kfree(acl_role_set.r_hash);
53261 + else
53262 + vfree(acl_role_set.r_hash);
53263 + }
53264 + if (name_set.n_hash) {
53265 + if ((name_set.n_size * sizeof (struct name_entry *)) <=
53266 + PAGE_SIZE)
53267 + kfree(name_set.n_hash);
53268 + else
53269 + vfree(name_set.n_hash);
53270 + }
53271 +
53272 + if (inodev_set.i_hash) {
53273 + if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
53274 + PAGE_SIZE)
53275 + kfree(inodev_set.i_hash);
53276 + else
53277 + vfree(inodev_set.i_hash);
53278 + }
53279 +
53280 + gr_free_uidset();
53281 +
53282 + memset(&name_set, 0, sizeof (struct name_db));
53283 + memset(&inodev_set, 0, sizeof (struct inodev_db));
53284 + memset(&acl_role_set, 0, sizeof (struct acl_role_db));
53285 + memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
53286 +
53287 + default_role = NULL;
53288 + role_list = NULL;
53289 +
53290 + return;
53291 +}
53292 +
53293 +static __u32
53294 +count_user_objs(struct acl_object_label *userp)
53295 +{
53296 + struct acl_object_label o_tmp;
53297 + __u32 num = 0;
53298 +
53299 + while (userp) {
53300 + if (copy_from_user(&o_tmp, userp,
53301 + sizeof (struct acl_object_label)))
53302 + break;
53303 +
53304 + userp = o_tmp.prev;
53305 + num++;
53306 + }
53307 +
53308 + return num;
53309 +}
53310 +
53311 +static struct acl_subject_label *
53312 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
53313 +
53314 +static int
53315 +copy_user_glob(struct acl_object_label *obj)
53316 +{
53317 + struct acl_object_label *g_tmp, **guser;
53318 + unsigned int len;
53319 + char *tmp;
53320 +
53321 + if (obj->globbed == NULL)
53322 + return 0;
53323 +
53324 + guser = &obj->globbed;
53325 + while (*guser) {
53326 + g_tmp = (struct acl_object_label *)
53327 + acl_alloc(sizeof (struct acl_object_label));
53328 + if (g_tmp == NULL)
53329 + return -ENOMEM;
53330 +
53331 + if (copy_from_user(g_tmp, *guser,
53332 + sizeof (struct acl_object_label)))
53333 + return -EFAULT;
53334 +
53335 + len = strnlen_user(g_tmp->filename, PATH_MAX);
53336 +
53337 + if (!len || len >= PATH_MAX)
53338 + return -EINVAL;
53339 +
53340 + if ((tmp = (char *) acl_alloc(len)) == NULL)
53341 + return -ENOMEM;
53342 +
53343 + if (copy_from_user(tmp, g_tmp->filename, len))
53344 + return -EFAULT;
53345 + tmp[len-1] = '\0';
53346 + g_tmp->filename = tmp;
53347 +
53348 + *guser = g_tmp;
53349 + guser = &(g_tmp->next);
53350 + }
53351 +
53352 + return 0;
53353 +}
53354 +
53355 +static int
53356 +copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
53357 + struct acl_role_label *role)
53358 +{
53359 + struct acl_object_label *o_tmp;
53360 + unsigned int len;
53361 + int ret;
53362 + char *tmp;
53363 +
53364 + while (userp) {
53365 + if ((o_tmp = (struct acl_object_label *)
53366 + acl_alloc(sizeof (struct acl_object_label))) == NULL)
53367 + return -ENOMEM;
53368 +
53369 + if (copy_from_user(o_tmp, userp,
53370 + sizeof (struct acl_object_label)))
53371 + return -EFAULT;
53372 +
53373 + userp = o_tmp->prev;
53374 +
53375 + len = strnlen_user(o_tmp->filename, PATH_MAX);
53376 +
53377 + if (!len || len >= PATH_MAX)
53378 + return -EINVAL;
53379 +
53380 + if ((tmp = (char *) acl_alloc(len)) == NULL)
53381 + return -ENOMEM;
53382 +
53383 + if (copy_from_user(tmp, o_tmp->filename, len))
53384 + return -EFAULT;
53385 + tmp[len-1] = '\0';
53386 + o_tmp->filename = tmp;
53387 +
53388 + insert_acl_obj_label(o_tmp, subj);
53389 + if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
53390 + o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
53391 + return -ENOMEM;
53392 +
53393 + ret = copy_user_glob(o_tmp);
53394 + if (ret)
53395 + return ret;
53396 +
53397 + if (o_tmp->nested) {
53398 + o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
53399 + if (IS_ERR(o_tmp->nested))
53400 + return PTR_ERR(o_tmp->nested);
53401 +
53402 + /* insert into nested subject list */
53403 + o_tmp->nested->next = role->hash->first;
53404 + role->hash->first = o_tmp->nested;
53405 + }
53406 + }
53407 +
53408 + return 0;
53409 +}
53410 +
53411 +static __u32
53412 +count_user_subjs(struct acl_subject_label *userp)
53413 +{
53414 + struct acl_subject_label s_tmp;
53415 + __u32 num = 0;
53416 +
53417 + while (userp) {
53418 + if (copy_from_user(&s_tmp, userp,
53419 + sizeof (struct acl_subject_label)))
53420 + break;
53421 +
53422 + userp = s_tmp.prev;
53423 + /* do not count nested subjects against this count, since
53424 + they are not included in the hash table, but are
53425 + attached to objects. We have already counted
53426 + the subjects in userspace for the allocation
53427 + stack
53428 + */
53429 + if (!(s_tmp.mode & GR_NESTED))
53430 + num++;
53431 + }
53432 +
53433 + return num;
53434 +}
53435 +
53436 +static int
53437 +copy_user_allowedips(struct acl_role_label *rolep)
53438 +{
53439 + struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
53440 +
53441 + ruserip = rolep->allowed_ips;
53442 +
53443 + while (ruserip) {
53444 + rlast = rtmp;
53445 +
53446 + if ((rtmp = (struct role_allowed_ip *)
53447 + acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
53448 + return -ENOMEM;
53449 +
53450 + if (copy_from_user(rtmp, ruserip,
53451 + sizeof (struct role_allowed_ip)))
53452 + return -EFAULT;
53453 +
53454 + ruserip = rtmp->prev;
53455 +
53456 + if (!rlast) {
53457 + rtmp->prev = NULL;
53458 + rolep->allowed_ips = rtmp;
53459 + } else {
53460 + rlast->next = rtmp;
53461 + rtmp->prev = rlast;
53462 + }
53463 +
53464 + if (!ruserip)
53465 + rtmp->next = NULL;
53466 + }
53467 +
53468 + return 0;
53469 +}
53470 +
53471 +static int
53472 +copy_user_transitions(struct acl_role_label *rolep)
53473 +{
53474 + struct role_transition *rusertp, *rtmp = NULL, *rlast;
53475 +
53476 + unsigned int len;
53477 + char *tmp;
53478 +
53479 + rusertp = rolep->transitions;
53480 +
53481 + while (rusertp) {
53482 + rlast = rtmp;
53483 +
53484 + if ((rtmp = (struct role_transition *)
53485 + acl_alloc(sizeof (struct role_transition))) == NULL)
53486 + return -ENOMEM;
53487 +
53488 + if (copy_from_user(rtmp, rusertp,
53489 + sizeof (struct role_transition)))
53490 + return -EFAULT;
53491 +
53492 + rusertp = rtmp->prev;
53493 +
53494 + len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
53495 +
53496 + if (!len || len >= GR_SPROLE_LEN)
53497 + return -EINVAL;
53498 +
53499 + if ((tmp = (char *) acl_alloc(len)) == NULL)
53500 + return -ENOMEM;
53501 +
53502 + if (copy_from_user(tmp, rtmp->rolename, len))
53503 + return -EFAULT;
53504 + tmp[len-1] = '\0';
53505 + rtmp->rolename = tmp;
53506 +
53507 + if (!rlast) {
53508 + rtmp->prev = NULL;
53509 + rolep->transitions = rtmp;
53510 + } else {
53511 + rlast->next = rtmp;
53512 + rtmp->prev = rlast;
53513 + }
53514 +
53515 + if (!rusertp)
53516 + rtmp->next = NULL;
53517 + }
53518 +
53519 + return 0;
53520 +}
53521 +
53522 +static struct acl_subject_label *
53523 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
53524 +{
53525 + struct acl_subject_label *s_tmp = NULL, *s_tmp2;
53526 + unsigned int len;
53527 + char *tmp;
53528 + __u32 num_objs;
53529 + struct acl_ip_label **i_tmp, *i_utmp2;
53530 + struct gr_hash_struct ghash;
53531 + struct subject_map *subjmap;
53532 + unsigned int i_num;
53533 + int err;
53534 +
53535 + s_tmp = lookup_subject_map(userp);
53536 +
53537 + /* we've already copied this subject into the kernel, just return
53538 + the reference to it, and don't copy it over again
53539 + */
53540 + if (s_tmp)
53541 + return(s_tmp);
53542 +
53543 + if ((s_tmp = (struct acl_subject_label *)
53544 + acl_alloc(sizeof (struct acl_subject_label))) == NULL)
53545 + return ERR_PTR(-ENOMEM);
53546 +
53547 + subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
53548 + if (subjmap == NULL)
53549 + return ERR_PTR(-ENOMEM);
53550 +
53551 + subjmap->user = userp;
53552 + subjmap->kernel = s_tmp;
53553 + insert_subj_map_entry(subjmap);
53554 +
53555 + if (copy_from_user(s_tmp, userp,
53556 + sizeof (struct acl_subject_label)))
53557 + return ERR_PTR(-EFAULT);
53558 +
53559 + len = strnlen_user(s_tmp->filename, PATH_MAX);
53560 +
53561 + if (!len || len >= PATH_MAX)
53562 + return ERR_PTR(-EINVAL);
53563 +
53564 + if ((tmp = (char *) acl_alloc(len)) == NULL)
53565 + return ERR_PTR(-ENOMEM);
53566 +
53567 + if (copy_from_user(tmp, s_tmp->filename, len))
53568 + return ERR_PTR(-EFAULT);
53569 + tmp[len-1] = '\0';
53570 + s_tmp->filename = tmp;
53571 +
53572 + if (!strcmp(s_tmp->filename, "/"))
53573 + role->root_label = s_tmp;
53574 +
53575 + if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
53576 + return ERR_PTR(-EFAULT);
53577 +
53578 + /* copy user and group transition tables */
53579 +
53580 + if (s_tmp->user_trans_num) {
53581 + uid_t *uidlist;
53582 +
53583 + uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
53584 + if (uidlist == NULL)
53585 + return ERR_PTR(-ENOMEM);
53586 + if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
53587 + return ERR_PTR(-EFAULT);
53588 +
53589 + s_tmp->user_transitions = uidlist;
53590 + }
53591 +
53592 + if (s_tmp->group_trans_num) {
53593 + gid_t *gidlist;
53594 +
53595 + gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
53596 + if (gidlist == NULL)
53597 + return ERR_PTR(-ENOMEM);
53598 + if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
53599 + return ERR_PTR(-EFAULT);
53600 +
53601 + s_tmp->group_transitions = gidlist;
53602 + }
53603 +
53604 + /* set up object hash table */
53605 + num_objs = count_user_objs(ghash.first);
53606 +
53607 + s_tmp->obj_hash_size = num_objs;
53608 + s_tmp->obj_hash =
53609 + (struct acl_object_label **)
53610 + create_table(&(s_tmp->obj_hash_size), sizeof(void *));
53611 +
53612 + if (!s_tmp->obj_hash)
53613 + return ERR_PTR(-ENOMEM);
53614 +
53615 + memset(s_tmp->obj_hash, 0,
53616 + s_tmp->obj_hash_size *
53617 + sizeof (struct acl_object_label *));
53618 +
53619 + /* add in objects */
53620 + err = copy_user_objs(ghash.first, s_tmp, role);
53621 +
53622 + if (err)
53623 + return ERR_PTR(err);
53624 +
53625 + /* set pointer for parent subject */
53626 + if (s_tmp->parent_subject) {
53627 + s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
53628 +
53629 + if (IS_ERR(s_tmp2))
53630 + return s_tmp2;
53631 +
53632 + s_tmp->parent_subject = s_tmp2;
53633 + }
53634 +
53635 + /* add in ip acls */
53636 +
53637 + if (!s_tmp->ip_num) {
53638 + s_tmp->ips = NULL;
53639 + goto insert;
53640 + }
53641 +
53642 + i_tmp =
53643 + (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
53644 + sizeof (struct acl_ip_label *));
53645 +
53646 + if (!i_tmp)
53647 + return ERR_PTR(-ENOMEM);
53648 +
53649 + for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
53650 + *(i_tmp + i_num) =
53651 + (struct acl_ip_label *)
53652 + acl_alloc(sizeof (struct acl_ip_label));
53653 + if (!*(i_tmp + i_num))
53654 + return ERR_PTR(-ENOMEM);
53655 +
53656 + if (copy_from_user
53657 + (&i_utmp2, s_tmp->ips + i_num,
53658 + sizeof (struct acl_ip_label *)))
53659 + return ERR_PTR(-EFAULT);
53660 +
53661 + if (copy_from_user
53662 + (*(i_tmp + i_num), i_utmp2,
53663 + sizeof (struct acl_ip_label)))
53664 + return ERR_PTR(-EFAULT);
53665 +
53666 + if ((*(i_tmp + i_num))->iface == NULL)
53667 + continue;
53668 +
53669 + len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
53670 + if (!len || len >= IFNAMSIZ)
53671 + return ERR_PTR(-EINVAL);
53672 + tmp = acl_alloc(len);
53673 + if (tmp == NULL)
53674 + return ERR_PTR(-ENOMEM);
53675 + if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
53676 + return ERR_PTR(-EFAULT);
53677 + (*(i_tmp + i_num))->iface = tmp;
53678 + }
53679 +
53680 + s_tmp->ips = i_tmp;
53681 +
53682 +insert:
53683 + if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
53684 + s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
53685 + return ERR_PTR(-ENOMEM);
53686 +
53687 + return s_tmp;
53688 +}
53689 +
53690 +static int
53691 +copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
53692 +{
53693 + struct acl_subject_label s_pre;
53694 + struct acl_subject_label * ret;
53695 + int err;
53696 +
53697 + while (userp) {
53698 + if (copy_from_user(&s_pre, userp,
53699 + sizeof (struct acl_subject_label)))
53700 + return -EFAULT;
53701 +
53702 + /* do not add nested subjects here, add
53703 + while parsing objects
53704 + */
53705 +
53706 + if (s_pre.mode & GR_NESTED) {
53707 + userp = s_pre.prev;
53708 + continue;
53709 + }
53710 +
53711 + ret = do_copy_user_subj(userp, role);
53712 +
53713 + err = PTR_ERR(ret);
53714 + if (IS_ERR(ret))
53715 + return err;
53716 +
53717 + insert_acl_subj_label(ret, role);
53718 +
53719 + userp = s_pre.prev;
53720 + }
53721 +
53722 + return 0;
53723 +}
53724 +
53725 +static int
53726 +copy_user_acl(struct gr_arg *arg)
53727 +{
53728 + struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
53729 + struct sprole_pw *sptmp;
53730 + struct gr_hash_struct *ghash;
53731 + uid_t *domainlist;
53732 + unsigned int r_num;
53733 + unsigned int len;
53734 + char *tmp;
53735 + int err = 0;
53736 + __u16 i;
53737 + __u32 num_subjs;
53738 +
53739 + /* we need a default and kernel role */
53740 + if (arg->role_db.num_roles < 2)
53741 + return -EINVAL;
53742 +
53743 + /* copy special role authentication info from userspace */
53744 +
53745 + num_sprole_pws = arg->num_sprole_pws;
53746 + acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
53747 +
53748 + if (!acl_special_roles) {
53749 + err = -ENOMEM;
53750 + goto cleanup;
53751 + }
53752 +
53753 + for (i = 0; i < num_sprole_pws; i++) {
53754 + sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
53755 + if (!sptmp) {
53756 + err = -ENOMEM;
53757 + goto cleanup;
53758 + }
53759 + if (copy_from_user(sptmp, arg->sprole_pws + i,
53760 + sizeof (struct sprole_pw))) {
53761 + err = -EFAULT;
53762 + goto cleanup;
53763 + }
53764 +
53765 + len =
53766 + strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
53767 +
53768 + if (!len || len >= GR_SPROLE_LEN) {
53769 + err = -EINVAL;
53770 + goto cleanup;
53771 + }
53772 +
53773 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
53774 + err = -ENOMEM;
53775 + goto cleanup;
53776 + }
53777 +
53778 + if (copy_from_user(tmp, sptmp->rolename, len)) {
53779 + err = -EFAULT;
53780 + goto cleanup;
53781 + }
53782 + tmp[len-1] = '\0';
53783 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
53784 + printk(KERN_ALERT "Copying special role %s\n", tmp);
53785 +#endif
53786 + sptmp->rolename = tmp;
53787 + acl_special_roles[i] = sptmp;
53788 + }
53789 +
53790 + r_utmp = (struct acl_role_label **) arg->role_db.r_table;
53791 +
53792 + for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
53793 + r_tmp = acl_alloc(sizeof (struct acl_role_label));
53794 +
53795 + if (!r_tmp) {
53796 + err = -ENOMEM;
53797 + goto cleanup;
53798 + }
53799 +
53800 + if (copy_from_user(&r_utmp2, r_utmp + r_num,
53801 + sizeof (struct acl_role_label *))) {
53802 + err = -EFAULT;
53803 + goto cleanup;
53804 + }
53805 +
53806 + if (copy_from_user(r_tmp, r_utmp2,
53807 + sizeof (struct acl_role_label))) {
53808 + err = -EFAULT;
53809 + goto cleanup;
53810 + }
53811 +
53812 + len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
53813 +
53814 + if (!len || len >= PATH_MAX) {
53815 + err = -EINVAL;
53816 + goto cleanup;
53817 + }
53818 +
53819 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
53820 + err = -ENOMEM;
53821 + goto cleanup;
53822 + }
53823 + if (copy_from_user(tmp, r_tmp->rolename, len)) {
53824 + err = -EFAULT;
53825 + goto cleanup;
53826 + }
53827 + tmp[len-1] = '\0';
53828 + r_tmp->rolename = tmp;
53829 +
53830 + if (!strcmp(r_tmp->rolename, "default")
53831 + && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
53832 + default_role = r_tmp;
53833 + } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
53834 + kernel_role = r_tmp;
53835 + }
53836 +
53837 + if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
53838 + err = -ENOMEM;
53839 + goto cleanup;
53840 + }
53841 + if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
53842 + err = -EFAULT;
53843 + goto cleanup;
53844 + }
53845 +
53846 + r_tmp->hash = ghash;
53847 +
53848 + num_subjs = count_user_subjs(r_tmp->hash->first);
53849 +
53850 + r_tmp->subj_hash_size = num_subjs;
53851 + r_tmp->subj_hash =
53852 + (struct acl_subject_label **)
53853 + create_table(&(r_tmp->subj_hash_size), sizeof(void *));
53854 +
53855 + if (!r_tmp->subj_hash) {
53856 + err = -ENOMEM;
53857 + goto cleanup;
53858 + }
53859 +
53860 + err = copy_user_allowedips(r_tmp);
53861 + if (err)
53862 + goto cleanup;
53863 +
53864 + /* copy domain info */
53865 + if (r_tmp->domain_children != NULL) {
53866 + domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
53867 + if (domainlist == NULL) {
53868 + err = -ENOMEM;
53869 + goto cleanup;
53870 + }
53871 + if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
53872 + err = -EFAULT;
53873 + goto cleanup;
53874 + }
53875 + r_tmp->domain_children = domainlist;
53876 + }
53877 +
53878 + err = copy_user_transitions(r_tmp);
53879 + if (err)
53880 + goto cleanup;
53881 +
53882 + memset(r_tmp->subj_hash, 0,
53883 + r_tmp->subj_hash_size *
53884 + sizeof (struct acl_subject_label *));
53885 +
53886 + err = copy_user_subjs(r_tmp->hash->first, r_tmp);
53887 +
53888 + if (err)
53889 + goto cleanup;
53890 +
53891 + /* set nested subject list to null */
53892 + r_tmp->hash->first = NULL;
53893 +
53894 + insert_acl_role_label(r_tmp);
53895 + }
53896 +
53897 + goto return_err;
53898 + cleanup:
53899 + free_variables();
53900 + return_err:
53901 + return err;
53902 +
53903 +}
53904 +
53905 +static int
53906 +gracl_init(struct gr_arg *args)
53907 +{
53908 + int error = 0;
53909 +
53910 + memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
53911 + memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
53912 +
53913 + if (init_variables(args)) {
53914 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
53915 + error = -ENOMEM;
53916 + free_variables();
53917 + goto out;
53918 + }
53919 +
53920 + error = copy_user_acl(args);
53921 + free_init_variables();
53922 + if (error) {
53923 + free_variables();
53924 + goto out;
53925 + }
53926 +
53927 + if ((error = gr_set_acls(0))) {
53928 + free_variables();
53929 + goto out;
53930 + }
53931 +
53932 + pax_open_kernel();
53933 + gr_status |= GR_READY;
53934 + pax_close_kernel();
53935 +
53936 + out:
53937 + return error;
53938 +}
53939 +
53940 +/* derived from glibc fnmatch() 0: match, 1: no match*/
53941 +
53942 +static int
53943 +glob_match(const char *p, const char *n)
53944 +{
53945 + char c;
53946 +
53947 + while ((c = *p++) != '\0') {
53948 + switch (c) {
53949 + case '?':
53950 + if (*n == '\0')
53951 + return 1;
53952 + else if (*n == '/')
53953 + return 1;
53954 + break;
53955 + case '\\':
53956 + if (*n != c)
53957 + return 1;
53958 + break;
53959 + case '*':
53960 + for (c = *p++; c == '?' || c == '*'; c = *p++) {
53961 + if (*n == '/')
53962 + return 1;
53963 + else if (c == '?') {
53964 + if (*n == '\0')
53965 + return 1;
53966 + else
53967 + ++n;
53968 + }
53969 + }
53970 + if (c == '\0') {
53971 + return 0;
53972 + } else {
53973 + const char *endp;
53974 +
53975 + if ((endp = strchr(n, '/')) == NULL)
53976 + endp = n + strlen(n);
53977 +
53978 + if (c == '[') {
53979 + for (--p; n < endp; ++n)
53980 + if (!glob_match(p, n))
53981 + return 0;
53982 + } else if (c == '/') {
53983 + while (*n != '\0' && *n != '/')
53984 + ++n;
53985 + if (*n == '/' && !glob_match(p, n + 1))
53986 + return 0;
53987 + } else {
53988 + for (--p; n < endp; ++n)
53989 + if (*n == c && !glob_match(p, n))
53990 + return 0;
53991 + }
53992 +
53993 + return 1;
53994 + }
53995 + case '[':
53996 + {
53997 + int not;
53998 + char cold;
53999 +
54000 + if (*n == '\0' || *n == '/')
54001 + return 1;
54002 +
54003 + not = (*p == '!' || *p == '^');
54004 + if (not)
54005 + ++p;
54006 +
54007 + c = *p++;
54008 + for (;;) {
54009 + unsigned char fn = (unsigned char)*n;
54010 +
54011 + if (c == '\0')
54012 + return 1;
54013 + else {
54014 + if (c == fn)
54015 + goto matched;
54016 + cold = c;
54017 + c = *p++;
54018 +
54019 + if (c == '-' && *p != ']') {
54020 + unsigned char cend = *p++;
54021 +
54022 + if (cend == '\0')
54023 + return 1;
54024 +
54025 + if (cold <= fn && fn <= cend)
54026 + goto matched;
54027 +
54028 + c = *p++;
54029 + }
54030 + }
54031 +
54032 + if (c == ']')
54033 + break;
54034 + }
54035 + if (!not)
54036 + return 1;
54037 + break;
54038 + matched:
54039 + while (c != ']') {
54040 + if (c == '\0')
54041 + return 1;
54042 +
54043 + c = *p++;
54044 + }
54045 + if (not)
54046 + return 1;
54047 + }
54048 + break;
54049 + default:
54050 + if (c != *n)
54051 + return 1;
54052 + }
54053 +
54054 + ++n;
54055 + }
54056 +
54057 + if (*n == '\0')
54058 + return 0;
54059 +
54060 + if (*n == '/')
54061 + return 0;
54062 +
54063 + return 1;
54064 +}
54065 +
54066 +static struct acl_object_label *
54067 +chk_glob_label(struct acl_object_label *globbed,
54068 + struct dentry *dentry, struct vfsmount *mnt, char **path)
54069 +{
54070 + struct acl_object_label *tmp;
54071 +
54072 + if (*path == NULL)
54073 + *path = gr_to_filename_nolock(dentry, mnt);
54074 +
54075 + tmp = globbed;
54076 +
54077 + while (tmp) {
54078 + if (!glob_match(tmp->filename, *path))
54079 + return tmp;
54080 + tmp = tmp->next;
54081 + }
54082 +
54083 + return NULL;
54084 +}
54085 +
54086 +static struct acl_object_label *
54087 +__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
54088 + const ino_t curr_ino, const dev_t curr_dev,
54089 + const struct acl_subject_label *subj, char **path, const int checkglob)
54090 +{
54091 + struct acl_subject_label *tmpsubj;
54092 + struct acl_object_label *retval;
54093 + struct acl_object_label *retval2;
54094 +
54095 + tmpsubj = (struct acl_subject_label *) subj;
54096 + read_lock(&gr_inode_lock);
54097 + do {
54098 + retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
54099 + if (retval) {
54100 + if (checkglob && retval->globbed) {
54101 + retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
54102 + (struct vfsmount *)orig_mnt, path);
54103 + if (retval2)
54104 + retval = retval2;
54105 + }
54106 + break;
54107 + }
54108 + } while ((tmpsubj = tmpsubj->parent_subject));
54109 + read_unlock(&gr_inode_lock);
54110 +
54111 + return retval;
54112 +}
54113 +
54114 +static __inline__ struct acl_object_label *
54115 +full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
54116 + const struct dentry *curr_dentry,
54117 + const struct acl_subject_label *subj, char **path, const int checkglob)
54118 +{
54119 + int newglob = checkglob;
54120 +
54121 + /* if we aren't checking a subdirectory of the original path yet, don't do glob checking
54122 + as we don't want a / * rule to match instead of the / object
54123 + don't do this for create lookups that call this function though, since they're looking up
54124 + on the parent and thus need globbing checks on all paths
54125 + */
54126 + if (orig_dentry == curr_dentry && newglob != GR_CREATE_GLOB)
54127 + newglob = GR_NO_GLOB;
54128 +
54129 + return __full_lookup(orig_dentry, orig_mnt,
54130 + curr_dentry->d_inode->i_ino,
54131 + __get_dev(curr_dentry), subj, path, newglob);
54132 +}
54133 +
54134 +static struct acl_object_label *
54135 +__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
54136 + const struct acl_subject_label *subj, char *path, const int checkglob)
54137 +{
54138 + struct dentry *dentry = (struct dentry *) l_dentry;
54139 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
54140 + struct acl_object_label *retval;
54141 +
54142 + spin_lock(&dcache_lock);
54143 + spin_lock(&vfsmount_lock);
54144 +
54145 + if (unlikely((mnt == shm_mnt && dentry->d_inode->i_nlink == 0) || mnt == pipe_mnt ||
54146 +#ifdef CONFIG_NET
54147 + mnt == sock_mnt ||
54148 +#endif
54149 +#ifdef CONFIG_HUGETLBFS
54150 + (mnt == hugetlbfs_vfsmount && dentry->d_inode->i_nlink == 0) ||
54151 +#endif
54152 + /* ignore Eric Biederman */
54153 + IS_PRIVATE(l_dentry->d_inode))) {
54154 + retval = (subj->mode & GR_SHMEXEC) ? fakefs_obj_rwx : fakefs_obj_rw;
54155 + goto out;
54156 + }
54157 +
54158 + for (;;) {
54159 + if (dentry == real_root && mnt == real_root_mnt)
54160 + break;
54161 +
54162 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
54163 + if (mnt->mnt_parent == mnt)
54164 + break;
54165 +
54166 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
54167 + if (retval != NULL)
54168 + goto out;
54169 +
54170 + dentry = mnt->mnt_mountpoint;
54171 + mnt = mnt->mnt_parent;
54172 + continue;
54173 + }
54174 +
54175 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
54176 + if (retval != NULL)
54177 + goto out;
54178 +
54179 + dentry = dentry->d_parent;
54180 + }
54181 +
54182 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
54183 +
54184 + if (retval == NULL)
54185 + retval = full_lookup(l_dentry, l_mnt, real_root, subj, &path, checkglob);
54186 +out:
54187 + spin_unlock(&vfsmount_lock);
54188 + spin_unlock(&dcache_lock);
54189 +
54190 + BUG_ON(retval == NULL);
54191 +
54192 + return retval;
54193 +}
54194 +
54195 +static __inline__ struct acl_object_label *
54196 +chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
54197 + const struct acl_subject_label *subj)
54198 +{
54199 + char *path = NULL;
54200 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_REG_GLOB);
54201 +}
54202 +
54203 +static __inline__ struct acl_object_label *
54204 +chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
54205 + const struct acl_subject_label *subj)
54206 +{
54207 + char *path = NULL;
54208 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_NO_GLOB);
54209 +}
54210 +
54211 +static __inline__ struct acl_object_label *
54212 +chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
54213 + const struct acl_subject_label *subj, char *path)
54214 +{
54215 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_CREATE_GLOB);
54216 +}
54217 +
54218 +static struct acl_subject_label *
54219 +chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
54220 + const struct acl_role_label *role)
54221 +{
54222 + struct dentry *dentry = (struct dentry *) l_dentry;
54223 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
54224 + struct acl_subject_label *retval;
54225 +
54226 + spin_lock(&dcache_lock);
54227 + spin_lock(&vfsmount_lock);
54228 +
54229 + for (;;) {
54230 + if (dentry == real_root && mnt == real_root_mnt)
54231 + break;
54232 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
54233 + if (mnt->mnt_parent == mnt)
54234 + break;
54235 +
54236 + read_lock(&gr_inode_lock);
54237 + retval =
54238 + lookup_acl_subj_label(dentry->d_inode->i_ino,
54239 + __get_dev(dentry), role);
54240 + read_unlock(&gr_inode_lock);
54241 + if (retval != NULL)
54242 + goto out;
54243 +
54244 + dentry = mnt->mnt_mountpoint;
54245 + mnt = mnt->mnt_parent;
54246 + continue;
54247 + }
54248 +
54249 + read_lock(&gr_inode_lock);
54250 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
54251 + __get_dev(dentry), role);
54252 + read_unlock(&gr_inode_lock);
54253 + if (retval != NULL)
54254 + goto out;
54255 +
54256 + dentry = dentry->d_parent;
54257 + }
54258 +
54259 + read_lock(&gr_inode_lock);
54260 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
54261 + __get_dev(dentry), role);
54262 + read_unlock(&gr_inode_lock);
54263 +
54264 + if (unlikely(retval == NULL)) {
54265 + read_lock(&gr_inode_lock);
54266 + retval = lookup_acl_subj_label(real_root->d_inode->i_ino,
54267 + __get_dev(real_root), role);
54268 + read_unlock(&gr_inode_lock);
54269 + }
54270 +out:
54271 + spin_unlock(&vfsmount_lock);
54272 + spin_unlock(&dcache_lock);
54273 +
54274 + BUG_ON(retval == NULL);
54275 +
54276 + return retval;
54277 +}
54278 +
54279 +static void
54280 +gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
54281 +{
54282 + struct task_struct *task = current;
54283 + const struct cred *cred = current_cred();
54284 +
54285 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
54286 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
54287 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
54288 + 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->saved_ip);
54289 +
54290 + return;
54291 +}
54292 +
54293 +static void
54294 +gr_log_learn_sysctl(const char *path, const __u32 mode)
54295 +{
54296 + struct task_struct *task = current;
54297 + const struct cred *cred = current_cred();
54298 +
54299 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
54300 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
54301 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
54302 + 1UL, 1UL, path, (unsigned long) mode, &task->signal->saved_ip);
54303 +
54304 + return;
54305 +}
54306 +
54307 +static void
54308 +gr_log_learn_id_change(const char type, const unsigned int real,
54309 + const unsigned int effective, const unsigned int fs)
54310 +{
54311 + struct task_struct *task = current;
54312 + const struct cred *cred = current_cred();
54313 +
54314 + security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
54315 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
54316 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
54317 + type, real, effective, fs, &task->signal->saved_ip);
54318 +
54319 + return;
54320 +}
54321 +
54322 +__u32
54323 +gr_search_file(const struct dentry * dentry, const __u32 mode,
54324 + const struct vfsmount * mnt)
54325 +{
54326 + __u32 retval = mode;
54327 + struct acl_subject_label *curracl;
54328 + struct acl_object_label *currobj;
54329 +
54330 + if (unlikely(!(gr_status & GR_READY)))
54331 + return (mode & ~GR_AUDITS);
54332 +
54333 + curracl = current->acl;
54334 +
54335 + currobj = chk_obj_label(dentry, mnt, curracl);
54336 + retval = currobj->mode & mode;
54337 +
54338 + /* if we're opening a specified transfer file for writing
54339 + (e.g. /dev/initctl), then transfer our role to init
54340 + */
54341 + if (unlikely(currobj->mode & GR_INIT_TRANSFER && retval & GR_WRITE &&
54342 + current->role->roletype & GR_ROLE_PERSIST)) {
54343 + struct task_struct *task = init_pid_ns.child_reaper;
54344 +
54345 + if (task->role != current->role) {
54346 + task->acl_sp_role = 0;
54347 + task->acl_role_id = current->acl_role_id;
54348 + task->role = current->role;
54349 + rcu_read_lock();
54350 + read_lock(&grsec_exec_file_lock);
54351 + gr_apply_subject_to_task(task);
54352 + read_unlock(&grsec_exec_file_lock);
54353 + rcu_read_unlock();
54354 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_INIT_TRANSFER_MSG);
54355 + }
54356 + }
54357 +
54358 + if (unlikely
54359 + ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
54360 + && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
54361 + __u32 new_mode = mode;
54362 +
54363 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
54364 +
54365 + retval = new_mode;
54366 +
54367 + if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
54368 + new_mode |= GR_INHERIT;
54369 +
54370 + if (!(mode & GR_NOLEARN))
54371 + gr_log_learn(dentry, mnt, new_mode);
54372 + }
54373 +
54374 + return retval;
54375 +}
54376 +
54377 +struct acl_object_label *gr_get_create_object(const struct dentry *new_dentry,
54378 + const struct dentry *parent,
54379 + const struct vfsmount *mnt)
54380 +{
54381 + struct name_entry *match;
54382 + struct acl_object_label *matchpo;
54383 + struct acl_subject_label *curracl;
54384 + char *path;
54385 +
54386 + if (unlikely(!(gr_status & GR_READY)))
54387 + return NULL;
54388 +
54389 + preempt_disable();
54390 + path = gr_to_filename_rbac(new_dentry, mnt);
54391 + match = lookup_name_entry_create(path);
54392 +
54393 + curracl = current->acl;
54394 +
54395 + if (match) {
54396 + read_lock(&gr_inode_lock);
54397 + matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
54398 + read_unlock(&gr_inode_lock);
54399 +
54400 + if (matchpo) {
54401 + preempt_enable();
54402 + return matchpo;
54403 + }
54404 + }
54405 +
54406 + // lookup parent
54407 +
54408 + matchpo = chk_obj_create_label(parent, mnt, curracl, path);
54409 +
54410 + preempt_enable();
54411 + return matchpo;
54412 +}
54413 +
54414 +__u32
54415 +gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
54416 + const struct vfsmount * mnt, const __u32 mode)
54417 +{
54418 + struct acl_object_label *matchpo;
54419 + __u32 retval;
54420 +
54421 + if (unlikely(!(gr_status & GR_READY)))
54422 + return (mode & ~GR_AUDITS);
54423 +
54424 + matchpo = gr_get_create_object(new_dentry, parent, mnt);
54425 +
54426 + retval = matchpo->mode & mode;
54427 +
54428 + if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
54429 + && (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))) {
54430 + __u32 new_mode = mode;
54431 +
54432 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
54433 +
54434 + gr_log_learn(new_dentry, mnt, new_mode);
54435 + return new_mode;
54436 + }
54437 +
54438 + return retval;
54439 +}
54440 +
54441 +__u32
54442 +gr_check_link(const struct dentry * new_dentry,
54443 + const struct dentry * parent_dentry,
54444 + const struct vfsmount * parent_mnt,
54445 + const struct dentry * old_dentry, const struct vfsmount * old_mnt)
54446 +{
54447 + struct acl_object_label *obj;
54448 + __u32 oldmode, newmode;
54449 + __u32 needmode;
54450 + __u32 checkmodes = GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC | GR_SETID | GR_READ |
54451 + GR_DELETE | GR_INHERIT;
54452 +
54453 + if (unlikely(!(gr_status & GR_READY)))
54454 + return (GR_CREATE | GR_LINK);
54455 +
54456 + obj = chk_obj_label(old_dentry, old_mnt, current->acl);
54457 + oldmode = obj->mode;
54458 +
54459 + obj = gr_get_create_object(new_dentry, parent_dentry, parent_mnt);
54460 + newmode = obj->mode;
54461 +
54462 + needmode = newmode & checkmodes;
54463 +
54464 + // old name for hardlink must have at least the permissions of the new name
54465 + if ((oldmode & needmode) != needmode)
54466 + goto bad;
54467 +
54468 + // if old name had restrictions/auditing, make sure the new name does as well
54469 + needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
54470 +
54471 + // don't allow hardlinking of suid/sgid files without permission
54472 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
54473 + needmode |= GR_SETID;
54474 +
54475 + if ((newmode & needmode) != needmode)
54476 + goto bad;
54477 +
54478 + // enforce minimum permissions
54479 + if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
54480 + return newmode;
54481 +bad:
54482 + needmode = oldmode;
54483 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
54484 + needmode |= GR_SETID;
54485 +
54486 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
54487 + gr_log_learn(old_dentry, old_mnt, needmode | GR_CREATE | GR_LINK);
54488 + return (GR_CREATE | GR_LINK);
54489 + } else if (newmode & GR_SUPPRESS)
54490 + return GR_SUPPRESS;
54491 + else
54492 + return 0;
54493 +}
54494 +
54495 +int
54496 +gr_check_hidden_task(const struct task_struct *task)
54497 +{
54498 + if (unlikely(!(gr_status & GR_READY)))
54499 + return 0;
54500 +
54501 + if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
54502 + return 1;
54503 +
54504 + return 0;
54505 +}
54506 +
54507 +int
54508 +gr_check_protected_task(const struct task_struct *task)
54509 +{
54510 + if (unlikely(!(gr_status & GR_READY) || !task))
54511 + return 0;
54512 +
54513 + if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
54514 + task->acl != current->acl)
54515 + return 1;
54516 +
54517 + return 0;
54518 +}
54519 +
54520 +int
54521 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
54522 +{
54523 + struct task_struct *p;
54524 + int ret = 0;
54525 +
54526 + if (unlikely(!(gr_status & GR_READY) || !pid))
54527 + return ret;
54528 +
54529 + read_lock(&tasklist_lock);
54530 + do_each_pid_task(pid, type, p) {
54531 + if ((p->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
54532 + p->acl != current->acl) {
54533 + ret = 1;
54534 + goto out;
54535 + }
54536 + } while_each_pid_task(pid, type, p);
54537 +out:
54538 + read_unlock(&tasklist_lock);
54539 +
54540 + return ret;
54541 +}
54542 +
54543 +void
54544 +gr_copy_label(struct task_struct *tsk)
54545 +{
54546 + tsk->signal->used_accept = 0;
54547 + tsk->acl_sp_role = 0;
54548 + tsk->acl_role_id = current->acl_role_id;
54549 + tsk->acl = current->acl;
54550 + tsk->role = current->role;
54551 + tsk->signal->curr_ip = current->signal->curr_ip;
54552 + tsk->signal->saved_ip = current->signal->saved_ip;
54553 + if (current->exec_file)
54554 + get_file(current->exec_file);
54555 + tsk->exec_file = current->exec_file;
54556 + tsk->is_writable = current->is_writable;
54557 + if (unlikely(current->signal->used_accept)) {
54558 + current->signal->curr_ip = 0;
54559 + current->signal->saved_ip = 0;
54560 + }
54561 +
54562 + return;
54563 +}
54564 +
54565 +static void
54566 +gr_set_proc_res(struct task_struct *task)
54567 +{
54568 + struct acl_subject_label *proc;
54569 + unsigned short i;
54570 +
54571 + proc = task->acl;
54572 +
54573 + if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
54574 + return;
54575 +
54576 + for (i = 0; i < RLIM_NLIMITS; i++) {
54577 + if (!(proc->resmask & (1 << i)))
54578 + continue;
54579 +
54580 + task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
54581 + task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
54582 + }
54583 +
54584 + return;
54585 +}
54586 +
54587 +extern int __gr_process_user_ban(struct user_struct *user);
54588 +
54589 +int
54590 +gr_check_user_change(int real, int effective, int fs)
54591 +{
54592 + unsigned int i;
54593 + __u16 num;
54594 + uid_t *uidlist;
54595 + int curuid;
54596 + int realok = 0;
54597 + int effectiveok = 0;
54598 + int fsok = 0;
54599 +
54600 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
54601 + struct user_struct *user;
54602 +
54603 + if (real == -1)
54604 + goto skipit;
54605 +
54606 + user = find_user(real);
54607 + if (user == NULL)
54608 + goto skipit;
54609 +
54610 + if (__gr_process_user_ban(user)) {
54611 + /* for find_user */
54612 + free_uid(user);
54613 + return 1;
54614 + }
54615 +
54616 + /* for find_user */
54617 + free_uid(user);
54618 +
54619 +skipit:
54620 +#endif
54621 +
54622 + if (unlikely(!(gr_status & GR_READY)))
54623 + return 0;
54624 +
54625 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
54626 + gr_log_learn_id_change('u', real, effective, fs);
54627 +
54628 + num = current->acl->user_trans_num;
54629 + uidlist = current->acl->user_transitions;
54630 +
54631 + if (uidlist == NULL)
54632 + return 0;
54633 +
54634 + if (real == -1)
54635 + realok = 1;
54636 + if (effective == -1)
54637 + effectiveok = 1;
54638 + if (fs == -1)
54639 + fsok = 1;
54640 +
54641 + if (current->acl->user_trans_type & GR_ID_ALLOW) {
54642 + for (i = 0; i < num; i++) {
54643 + curuid = (int)uidlist[i];
54644 + if (real == curuid)
54645 + realok = 1;
54646 + if (effective == curuid)
54647 + effectiveok = 1;
54648 + if (fs == curuid)
54649 + fsok = 1;
54650 + }
54651 + } else if (current->acl->user_trans_type & GR_ID_DENY) {
54652 + for (i = 0; i < num; i++) {
54653 + curuid = (int)uidlist[i];
54654 + if (real == curuid)
54655 + break;
54656 + if (effective == curuid)
54657 + break;
54658 + if (fs == curuid)
54659 + break;
54660 + }
54661 + /* not in deny list */
54662 + if (i == num) {
54663 + realok = 1;
54664 + effectiveok = 1;
54665 + fsok = 1;
54666 + }
54667 + }
54668 +
54669 + if (realok && effectiveok && fsok)
54670 + return 0;
54671 + else {
54672 + gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
54673 + return 1;
54674 + }
54675 +}
54676 +
54677 +int
54678 +gr_check_group_change(int real, int effective, int fs)
54679 +{
54680 + unsigned int i;
54681 + __u16 num;
54682 + gid_t *gidlist;
54683 + int curgid;
54684 + int realok = 0;
54685 + int effectiveok = 0;
54686 + int fsok = 0;
54687 +
54688 + if (unlikely(!(gr_status & GR_READY)))
54689 + return 0;
54690 +
54691 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
54692 + gr_log_learn_id_change('g', real, effective, fs);
54693 +
54694 + num = current->acl->group_trans_num;
54695 + gidlist = current->acl->group_transitions;
54696 +
54697 + if (gidlist == NULL)
54698 + return 0;
54699 +
54700 + if (real == -1)
54701 + realok = 1;
54702 + if (effective == -1)
54703 + effectiveok = 1;
54704 + if (fs == -1)
54705 + fsok = 1;
54706 +
54707 + if (current->acl->group_trans_type & GR_ID_ALLOW) {
54708 + for (i = 0; i < num; i++) {
54709 + curgid = (int)gidlist[i];
54710 + if (real == curgid)
54711 + realok = 1;
54712 + if (effective == curgid)
54713 + effectiveok = 1;
54714 + if (fs == curgid)
54715 + fsok = 1;
54716 + }
54717 + } else if (current->acl->group_trans_type & GR_ID_DENY) {
54718 + for (i = 0; i < num; i++) {
54719 + curgid = (int)gidlist[i];
54720 + if (real == curgid)
54721 + break;
54722 + if (effective == curgid)
54723 + break;
54724 + if (fs == curgid)
54725 + break;
54726 + }
54727 + /* not in deny list */
54728 + if (i == num) {
54729 + realok = 1;
54730 + effectiveok = 1;
54731 + fsok = 1;
54732 + }
54733 + }
54734 +
54735 + if (realok && effectiveok && fsok)
54736 + return 0;
54737 + else {
54738 + gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
54739 + return 1;
54740 + }
54741 +}
54742 +
54743 +void
54744 +gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
54745 +{
54746 + struct acl_role_label *role = task->role;
54747 + struct acl_subject_label *subj = NULL;
54748 + struct acl_object_label *obj;
54749 + struct file *filp;
54750 +
54751 + if (unlikely(!(gr_status & GR_READY)))
54752 + return;
54753 +
54754 + filp = task->exec_file;
54755 +
54756 + /* kernel process, we'll give them the kernel role */
54757 + if (unlikely(!filp)) {
54758 + task->role = kernel_role;
54759 + task->acl = kernel_role->root_label;
54760 + return;
54761 + } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
54762 + role = lookup_acl_role_label(task, uid, gid);
54763 +
54764 + /* perform subject lookup in possibly new role
54765 + we can use this result below in the case where role == task->role
54766 + */
54767 + subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
54768 +
54769 + /* if we changed uid/gid, but result in the same role
54770 + and are using inheritance, don't lose the inherited subject
54771 + if current subject is other than what normal lookup
54772 + would result in, we arrived via inheritance, don't
54773 + lose subject
54774 + */
54775 + if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
54776 + (subj == task->acl)))
54777 + task->acl = subj;
54778 +
54779 + task->role = role;
54780 +
54781 + task->is_writable = 0;
54782 +
54783 + /* ignore additional mmap checks for processes that are writable
54784 + by the default ACL */
54785 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
54786 + if (unlikely(obj->mode & GR_WRITE))
54787 + task->is_writable = 1;
54788 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
54789 + if (unlikely(obj->mode & GR_WRITE))
54790 + task->is_writable = 1;
54791 +
54792 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
54793 + printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
54794 +#endif
54795 +
54796 + gr_set_proc_res(task);
54797 +
54798 + return;
54799 +}
54800 +
54801 +int
54802 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
54803 + const int unsafe_share)
54804 +{
54805 + struct task_struct *task = current;
54806 + struct acl_subject_label *newacl;
54807 + struct acl_object_label *obj;
54808 + __u32 retmode;
54809 +
54810 + if (unlikely(!(gr_status & GR_READY)))
54811 + return 0;
54812 +
54813 + newacl = chk_subj_label(dentry, mnt, task->role);
54814 +
54815 + task_lock(task);
54816 + if ((((task->ptrace & PT_PTRACED) || unsafe_share) &&
54817 + !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
54818 + !(task->role->roletype & GR_ROLE_GOD) &&
54819 + !gr_search_file(dentry, GR_PTRACERD, mnt) &&
54820 + !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))) {
54821 + task_unlock(task);
54822 + if (unsafe_share)
54823 + gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
54824 + else
54825 + gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
54826 + return -EACCES;
54827 + }
54828 + task_unlock(task);
54829 +
54830 + obj = chk_obj_label(dentry, mnt, task->acl);
54831 + retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
54832 +
54833 + if (!(task->acl->mode & GR_INHERITLEARN) &&
54834 + ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
54835 + if (obj->nested)
54836 + task->acl = obj->nested;
54837 + else
54838 + task->acl = newacl;
54839 + } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
54840 + gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
54841 +
54842 + task->is_writable = 0;
54843 +
54844 + /* ignore additional mmap checks for processes that are writable
54845 + by the default ACL */
54846 + obj = chk_obj_label(dentry, mnt, default_role->root_label);
54847 + if (unlikely(obj->mode & GR_WRITE))
54848 + task->is_writable = 1;
54849 + obj = chk_obj_label(dentry, mnt, task->role->root_label);
54850 + if (unlikely(obj->mode & GR_WRITE))
54851 + task->is_writable = 1;
54852 +
54853 + gr_set_proc_res(task);
54854 +
54855 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
54856 + printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
54857 +#endif
54858 + return 0;
54859 +}
54860 +
54861 +/* always called with valid inodev ptr */
54862 +static void
54863 +do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
54864 +{
54865 + struct acl_object_label *matchpo;
54866 + struct acl_subject_label *matchps;
54867 + struct acl_subject_label *subj;
54868 + struct acl_role_label *role;
54869 + unsigned int x;
54870 +
54871 + FOR_EACH_ROLE_START(role)
54872 + FOR_EACH_SUBJECT_START(role, subj, x)
54873 + if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
54874 + matchpo->mode |= GR_DELETED;
54875 + FOR_EACH_SUBJECT_END(subj,x)
54876 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
54877 + if (subj->inode == ino && subj->device == dev)
54878 + subj->mode |= GR_DELETED;
54879 + FOR_EACH_NESTED_SUBJECT_END(subj)
54880 + if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
54881 + matchps->mode |= GR_DELETED;
54882 + FOR_EACH_ROLE_END(role)
54883 +
54884 + inodev->nentry->deleted = 1;
54885 +
54886 + return;
54887 +}
54888 +
54889 +void
54890 +gr_handle_delete(const ino_t ino, const dev_t dev)
54891 +{
54892 + struct inodev_entry *inodev;
54893 +
54894 + if (unlikely(!(gr_status & GR_READY)))
54895 + return;
54896 +
54897 + write_lock(&gr_inode_lock);
54898 + inodev = lookup_inodev_entry(ino, dev);
54899 + if (inodev != NULL)
54900 + do_handle_delete(inodev, ino, dev);
54901 + write_unlock(&gr_inode_lock);
54902 +
54903 + return;
54904 +}
54905 +
54906 +static void
54907 +update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
54908 + const ino_t newinode, const dev_t newdevice,
54909 + struct acl_subject_label *subj)
54910 +{
54911 + unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
54912 + struct acl_object_label *match;
54913 +
54914 + match = subj->obj_hash[index];
54915 +
54916 + while (match && (match->inode != oldinode ||
54917 + match->device != olddevice ||
54918 + !(match->mode & GR_DELETED)))
54919 + match = match->next;
54920 +
54921 + if (match && (match->inode == oldinode)
54922 + && (match->device == olddevice)
54923 + && (match->mode & GR_DELETED)) {
54924 + if (match->prev == NULL) {
54925 + subj->obj_hash[index] = match->next;
54926 + if (match->next != NULL)
54927 + match->next->prev = NULL;
54928 + } else {
54929 + match->prev->next = match->next;
54930 + if (match->next != NULL)
54931 + match->next->prev = match->prev;
54932 + }
54933 + match->prev = NULL;
54934 + match->next = NULL;
54935 + match->inode = newinode;
54936 + match->device = newdevice;
54937 + match->mode &= ~GR_DELETED;
54938 +
54939 + insert_acl_obj_label(match, subj);
54940 + }
54941 +
54942 + return;
54943 +}
54944 +
54945 +static void
54946 +update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
54947 + const ino_t newinode, const dev_t newdevice,
54948 + struct acl_role_label *role)
54949 +{
54950 + unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
54951 + struct acl_subject_label *match;
54952 +
54953 + match = role->subj_hash[index];
54954 +
54955 + while (match && (match->inode != oldinode ||
54956 + match->device != olddevice ||
54957 + !(match->mode & GR_DELETED)))
54958 + match = match->next;
54959 +
54960 + if (match && (match->inode == oldinode)
54961 + && (match->device == olddevice)
54962 + && (match->mode & GR_DELETED)) {
54963 + if (match->prev == NULL) {
54964 + role->subj_hash[index] = match->next;
54965 + if (match->next != NULL)
54966 + match->next->prev = NULL;
54967 + } else {
54968 + match->prev->next = match->next;
54969 + if (match->next != NULL)
54970 + match->next->prev = match->prev;
54971 + }
54972 + match->prev = NULL;
54973 + match->next = NULL;
54974 + match->inode = newinode;
54975 + match->device = newdevice;
54976 + match->mode &= ~GR_DELETED;
54977 +
54978 + insert_acl_subj_label(match, role);
54979 + }
54980 +
54981 + return;
54982 +}
54983 +
54984 +static void
54985 +update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
54986 + const ino_t newinode, const dev_t newdevice)
54987 +{
54988 + unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
54989 + struct inodev_entry *match;
54990 +
54991 + match = inodev_set.i_hash[index];
54992 +
54993 + while (match && (match->nentry->inode != oldinode ||
54994 + match->nentry->device != olddevice || !match->nentry->deleted))
54995 + match = match->next;
54996 +
54997 + if (match && (match->nentry->inode == oldinode)
54998 + && (match->nentry->device == olddevice) &&
54999 + match->nentry->deleted) {
55000 + if (match->prev == NULL) {
55001 + inodev_set.i_hash[index] = match->next;
55002 + if (match->next != NULL)
55003 + match->next->prev = NULL;
55004 + } else {
55005 + match->prev->next = match->next;
55006 + if (match->next != NULL)
55007 + match->next->prev = match->prev;
55008 + }
55009 + match->prev = NULL;
55010 + match->next = NULL;
55011 + match->nentry->inode = newinode;
55012 + match->nentry->device = newdevice;
55013 + match->nentry->deleted = 0;
55014 +
55015 + insert_inodev_entry(match);
55016 + }
55017 +
55018 + return;
55019 +}
55020 +
55021 +static void
55022 +__do_handle_create(const struct name_entry *matchn, ino_t inode, dev_t dev)
55023 +{
55024 + struct acl_subject_label *subj;
55025 + struct acl_role_label *role;
55026 + unsigned int x;
55027 +
55028 + FOR_EACH_ROLE_START(role)
55029 + update_acl_subj_label(matchn->inode, matchn->device,
55030 + inode, dev, role);
55031 +
55032 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
55033 + if ((subj->inode == inode) && (subj->device == dev)) {
55034 + subj->inode = inode;
55035 + subj->device = dev;
55036 + }
55037 + FOR_EACH_NESTED_SUBJECT_END(subj)
55038 + FOR_EACH_SUBJECT_START(role, subj, x)
55039 + update_acl_obj_label(matchn->inode, matchn->device,
55040 + inode, dev, subj);
55041 + FOR_EACH_SUBJECT_END(subj,x)
55042 + FOR_EACH_ROLE_END(role)
55043 +
55044 + update_inodev_entry(matchn->inode, matchn->device, inode, dev);
55045 +
55046 + return;
55047 +}
55048 +
55049 +static void
55050 +do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
55051 + const struct vfsmount *mnt)
55052 +{
55053 + ino_t ino = dentry->d_inode->i_ino;
55054 + dev_t dev = __get_dev(dentry);
55055 +
55056 + __do_handle_create(matchn, ino, dev);
55057 +
55058 + return;
55059 +}
55060 +
55061 +void
55062 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
55063 +{
55064 + struct name_entry *matchn;
55065 +
55066 + if (unlikely(!(gr_status & GR_READY)))
55067 + return;
55068 +
55069 + preempt_disable();
55070 + matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
55071 +
55072 + if (unlikely((unsigned long)matchn)) {
55073 + write_lock(&gr_inode_lock);
55074 + do_handle_create(matchn, dentry, mnt);
55075 + write_unlock(&gr_inode_lock);
55076 + }
55077 + preempt_enable();
55078 +
55079 + return;
55080 +}
55081 +
55082 +void
55083 +gr_handle_proc_create(const struct dentry *dentry, const struct inode *inode)
55084 +{
55085 + struct name_entry *matchn;
55086 +
55087 + if (unlikely(!(gr_status & GR_READY)))
55088 + return;
55089 +
55090 + preempt_disable();
55091 + matchn = lookup_name_entry(gr_to_proc_filename_rbac(dentry, init_pid_ns.proc_mnt));
55092 +
55093 + if (unlikely((unsigned long)matchn)) {
55094 + write_lock(&gr_inode_lock);
55095 + __do_handle_create(matchn, inode->i_ino, inode->i_sb->s_dev);
55096 + write_unlock(&gr_inode_lock);
55097 + }
55098 + preempt_enable();
55099 +
55100 + return;
55101 +}
55102 +
55103 +void
55104 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
55105 + struct dentry *old_dentry,
55106 + struct dentry *new_dentry,
55107 + struct vfsmount *mnt, const __u8 replace)
55108 +{
55109 + struct name_entry *matchn;
55110 + struct inodev_entry *inodev;
55111 + struct inode *inode = new_dentry->d_inode;
55112 + ino_t oldinode = old_dentry->d_inode->i_ino;
55113 + dev_t olddev = __get_dev(old_dentry);
55114 +
55115 + /* vfs_rename swaps the name and parent link for old_dentry and
55116 + new_dentry
55117 + at this point, old_dentry has the new name, parent link, and inode
55118 + for the renamed file
55119 + if a file is being replaced by a rename, new_dentry has the inode
55120 + and name for the replaced file
55121 + */
55122 +
55123 + if (unlikely(!(gr_status & GR_READY)))
55124 + return;
55125 +
55126 + preempt_disable();
55127 + matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
55128 +
55129 + /* we wouldn't have to check d_inode if it weren't for
55130 + NFS silly-renaming
55131 + */
55132 +
55133 + write_lock(&gr_inode_lock);
55134 + if (unlikely(replace && inode)) {
55135 + ino_t newinode = inode->i_ino;
55136 + dev_t newdev = __get_dev(new_dentry);
55137 + inodev = lookup_inodev_entry(newinode, newdev);
55138 + if (inodev != NULL && ((inode->i_nlink <= 1) || S_ISDIR(inode->i_mode)))
55139 + do_handle_delete(inodev, newinode, newdev);
55140 + }
55141 +
55142 + inodev = lookup_inodev_entry(oldinode, olddev);
55143 + if (inodev != NULL && ((old_dentry->d_inode->i_nlink <= 1) || S_ISDIR(old_dentry->d_inode->i_mode)))
55144 + do_handle_delete(inodev, oldinode, olddev);
55145 +
55146 + if (unlikely((unsigned long)matchn))
55147 + do_handle_create(matchn, old_dentry, mnt);
55148 +
55149 + write_unlock(&gr_inode_lock);
55150 + preempt_enable();
55151 +
55152 + return;
55153 +}
55154 +
55155 +static int
55156 +lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
55157 + unsigned char **sum)
55158 +{
55159 + struct acl_role_label *r;
55160 + struct role_allowed_ip *ipp;
55161 + struct role_transition *trans;
55162 + unsigned int i;
55163 + int found = 0;
55164 + u32 curr_ip = current->signal->curr_ip;
55165 +
55166 + current->signal->saved_ip = curr_ip;
55167 +
55168 + /* check transition table */
55169 +
55170 + for (trans = current->role->transitions; trans; trans = trans->next) {
55171 + if (!strcmp(rolename, trans->rolename)) {
55172 + found = 1;
55173 + break;
55174 + }
55175 + }
55176 +
55177 + if (!found)
55178 + return 0;
55179 +
55180 + /* handle special roles that do not require authentication
55181 + and check ip */
55182 +
55183 + FOR_EACH_ROLE_START(r)
55184 + if (!strcmp(rolename, r->rolename) &&
55185 + (r->roletype & GR_ROLE_SPECIAL)) {
55186 + found = 0;
55187 + if (r->allowed_ips != NULL) {
55188 + for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
55189 + if ((ntohl(curr_ip) & ipp->netmask) ==
55190 + (ntohl(ipp->addr) & ipp->netmask))
55191 + found = 1;
55192 + }
55193 + } else
55194 + found = 2;
55195 + if (!found)
55196 + return 0;
55197 +
55198 + if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
55199 + ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
55200 + *salt = NULL;
55201 + *sum = NULL;
55202 + return 1;
55203 + }
55204 + }
55205 + FOR_EACH_ROLE_END(r)
55206 +
55207 + for (i = 0; i < num_sprole_pws; i++) {
55208 + if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
55209 + *salt = acl_special_roles[i]->salt;
55210 + *sum = acl_special_roles[i]->sum;
55211 + return 1;
55212 + }
55213 + }
55214 +
55215 + return 0;
55216 +}
55217 +
55218 +static void
55219 +assign_special_role(char *rolename)
55220 +{
55221 + struct acl_object_label *obj;
55222 + struct acl_role_label *r;
55223 + struct acl_role_label *assigned = NULL;
55224 + struct task_struct *tsk;
55225 + struct file *filp;
55226 +
55227 + FOR_EACH_ROLE_START(r)
55228 + if (!strcmp(rolename, r->rolename) &&
55229 + (r->roletype & GR_ROLE_SPECIAL)) {
55230 + assigned = r;
55231 + break;
55232 + }
55233 + FOR_EACH_ROLE_END(r)
55234 +
55235 + if (!assigned)
55236 + return;
55237 +
55238 + read_lock(&tasklist_lock);
55239 + read_lock(&grsec_exec_file_lock);
55240 +
55241 + tsk = current->real_parent;
55242 + if (tsk == NULL)
55243 + goto out_unlock;
55244 +
55245 + filp = tsk->exec_file;
55246 + if (filp == NULL)
55247 + goto out_unlock;
55248 +
55249 + tsk->is_writable = 0;
55250 +
55251 + tsk->acl_sp_role = 1;
55252 + tsk->acl_role_id = ++acl_sp_role_value;
55253 + tsk->role = assigned;
55254 + tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
55255 +
55256 + /* ignore additional mmap checks for processes that are writable
55257 + by the default ACL */
55258 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
55259 + if (unlikely(obj->mode & GR_WRITE))
55260 + tsk->is_writable = 1;
55261 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
55262 + if (unlikely(obj->mode & GR_WRITE))
55263 + tsk->is_writable = 1;
55264 +
55265 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
55266 + printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
55267 +#endif
55268 +
55269 +out_unlock:
55270 + read_unlock(&grsec_exec_file_lock);
55271 + read_unlock(&tasklist_lock);
55272 + return;
55273 +}
55274 +
55275 +int gr_check_secure_terminal(struct task_struct *task)
55276 +{
55277 + struct task_struct *p, *p2, *p3;
55278 + struct files_struct *files;
55279 + struct fdtable *fdt;
55280 + struct file *our_file = NULL, *file;
55281 + int i;
55282 +
55283 + if (task->signal->tty == NULL)
55284 + return 1;
55285 +
55286 + files = get_files_struct(task);
55287 + if (files != NULL) {
55288 + rcu_read_lock();
55289 + fdt = files_fdtable(files);
55290 + for (i=0; i < fdt->max_fds; i++) {
55291 + file = fcheck_files(files, i);
55292 + if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
55293 + get_file(file);
55294 + our_file = file;
55295 + }
55296 + }
55297 + rcu_read_unlock();
55298 + put_files_struct(files);
55299 + }
55300 +
55301 + if (our_file == NULL)
55302 + return 1;
55303 +
55304 + read_lock(&tasklist_lock);
55305 + do_each_thread(p2, p) {
55306 + files = get_files_struct(p);
55307 + if (files == NULL ||
55308 + (p->signal && p->signal->tty == task->signal->tty)) {
55309 + if (files != NULL)
55310 + put_files_struct(files);
55311 + continue;
55312 + }
55313 + rcu_read_lock();
55314 + fdt = files_fdtable(files);
55315 + for (i=0; i < fdt->max_fds; i++) {
55316 + file = fcheck_files(files, i);
55317 + if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
55318 + file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
55319 + p3 = task;
55320 + while (p3->pid > 0) {
55321 + if (p3 == p)
55322 + break;
55323 + p3 = p3->real_parent;
55324 + }
55325 + if (p3 == p)
55326 + break;
55327 + gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
55328 + gr_handle_alertkill(p);
55329 + rcu_read_unlock();
55330 + put_files_struct(files);
55331 + read_unlock(&tasklist_lock);
55332 + fput(our_file);
55333 + return 0;
55334 + }
55335 + }
55336 + rcu_read_unlock();
55337 + put_files_struct(files);
55338 + } while_each_thread(p2, p);
55339 + read_unlock(&tasklist_lock);
55340 +
55341 + fput(our_file);
55342 + return 1;
55343 +}
55344 +
55345 +ssize_t
55346 +write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
55347 +{
55348 + struct gr_arg_wrapper uwrap;
55349 + unsigned char *sprole_salt = NULL;
55350 + unsigned char *sprole_sum = NULL;
55351 + int error = sizeof (struct gr_arg_wrapper);
55352 + int error2 = 0;
55353 +
55354 + mutex_lock(&gr_dev_mutex);
55355 +
55356 + if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
55357 + error = -EPERM;
55358 + goto out;
55359 + }
55360 +
55361 + if (count != sizeof (struct gr_arg_wrapper)) {
55362 + gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
55363 + error = -EINVAL;
55364 + goto out;
55365 + }
55366 +
55367 +
55368 + if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
55369 + gr_auth_expires = 0;
55370 + gr_auth_attempts = 0;
55371 + }
55372 +
55373 + if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
55374 + error = -EFAULT;
55375 + goto out;
55376 + }
55377 +
55378 + if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
55379 + error = -EINVAL;
55380 + goto out;
55381 + }
55382 +
55383 + if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
55384 + error = -EFAULT;
55385 + goto out;
55386 + }
55387 +
55388 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
55389 + gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
55390 + time_after(gr_auth_expires, get_seconds())) {
55391 + error = -EBUSY;
55392 + goto out;
55393 + }
55394 +
55395 + /* if non-root trying to do anything other than use a special role,
55396 + do not attempt authentication, do not count towards authentication
55397 + locking
55398 + */
55399 +
55400 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
55401 + gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
55402 + current_uid()) {
55403 + error = -EPERM;
55404 + goto out;
55405 + }
55406 +
55407 + /* ensure pw and special role name are null terminated */
55408 +
55409 + gr_usermode->pw[GR_PW_LEN - 1] = '\0';
55410 + gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
55411 +
55412 + /* Okay.
55413 + * We have our enough of the argument structure..(we have yet
55414 + * to copy_from_user the tables themselves) . Copy the tables
55415 + * only if we need them, i.e. for loading operations. */
55416 +
55417 + switch (gr_usermode->mode) {
55418 + case GR_STATUS:
55419 + if (gr_status & GR_READY) {
55420 + error = 1;
55421 + if (!gr_check_secure_terminal(current))
55422 + error = 3;
55423 + } else
55424 + error = 2;
55425 + goto out;
55426 + case GR_SHUTDOWN:
55427 + if ((gr_status & GR_READY)
55428 + && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
55429 + pax_open_kernel();
55430 + gr_status &= ~GR_READY;
55431 + pax_close_kernel();
55432 +
55433 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
55434 + free_variables();
55435 + memset(gr_usermode, 0, sizeof (struct gr_arg));
55436 + memset(gr_system_salt, 0, GR_SALT_LEN);
55437 + memset(gr_system_sum, 0, GR_SHA_LEN);
55438 + } else if (gr_status & GR_READY) {
55439 + gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
55440 + error = -EPERM;
55441 + } else {
55442 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
55443 + error = -EAGAIN;
55444 + }
55445 + break;
55446 + case GR_ENABLE:
55447 + if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
55448 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
55449 + else {
55450 + if (gr_status & GR_READY)
55451 + error = -EAGAIN;
55452 + else
55453 + error = error2;
55454 + gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
55455 + }
55456 + break;
55457 + case GR_RELOAD:
55458 + if (!(gr_status & GR_READY)) {
55459 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
55460 + error = -EAGAIN;
55461 + } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
55462 + lock_kernel();
55463 +
55464 + pax_open_kernel();
55465 + gr_status &= ~GR_READY;
55466 + pax_close_kernel();
55467 +
55468 + free_variables();
55469 + if (!(error2 = gracl_init(gr_usermode))) {
55470 + unlock_kernel();
55471 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
55472 + } else {
55473 + unlock_kernel();
55474 + error = error2;
55475 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
55476 + }
55477 + } else {
55478 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
55479 + error = -EPERM;
55480 + }
55481 + break;
55482 + case GR_SEGVMOD:
55483 + if (unlikely(!(gr_status & GR_READY))) {
55484 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
55485 + error = -EAGAIN;
55486 + break;
55487 + }
55488 +
55489 + if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
55490 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
55491 + if (gr_usermode->segv_device && gr_usermode->segv_inode) {
55492 + struct acl_subject_label *segvacl;
55493 + segvacl =
55494 + lookup_acl_subj_label(gr_usermode->segv_inode,
55495 + gr_usermode->segv_device,
55496 + current->role);
55497 + if (segvacl) {
55498 + segvacl->crashes = 0;
55499 + segvacl->expires = 0;
55500 + }
55501 + } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
55502 + gr_remove_uid(gr_usermode->segv_uid);
55503 + }
55504 + } else {
55505 + gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
55506 + error = -EPERM;
55507 + }
55508 + break;
55509 + case GR_SPROLE:
55510 + case GR_SPROLEPAM:
55511 + if (unlikely(!(gr_status & GR_READY))) {
55512 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
55513 + error = -EAGAIN;
55514 + break;
55515 + }
55516 +
55517 + if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
55518 + current->role->expires = 0;
55519 + current->role->auth_attempts = 0;
55520 + }
55521 +
55522 + if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
55523 + time_after(current->role->expires, get_seconds())) {
55524 + error = -EBUSY;
55525 + goto out;
55526 + }
55527 +
55528 + if (lookup_special_role_auth
55529 + (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
55530 + && ((!sprole_salt && !sprole_sum)
55531 + || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
55532 + char *p = "";
55533 + assign_special_role(gr_usermode->sp_role);
55534 + read_lock(&tasklist_lock);
55535 + if (current->real_parent)
55536 + p = current->real_parent->role->rolename;
55537 + read_unlock(&tasklist_lock);
55538 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
55539 + p, acl_sp_role_value);
55540 + } else {
55541 + gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
55542 + error = -EPERM;
55543 + if(!(current->role->auth_attempts++))
55544 + current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
55545 +
55546 + goto out;
55547 + }
55548 + break;
55549 + case GR_UNSPROLE:
55550 + if (unlikely(!(gr_status & GR_READY))) {
55551 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
55552 + error = -EAGAIN;
55553 + break;
55554 + }
55555 +
55556 + if (current->role->roletype & GR_ROLE_SPECIAL) {
55557 + char *p = "";
55558 + int i = 0;
55559 +
55560 + read_lock(&tasklist_lock);
55561 + if (current->real_parent) {
55562 + p = current->real_parent->role->rolename;
55563 + i = current->real_parent->acl_role_id;
55564 + }
55565 + read_unlock(&tasklist_lock);
55566 +
55567 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
55568 + gr_set_acls(1);
55569 + } else {
55570 + error = -EPERM;
55571 + goto out;
55572 + }
55573 + break;
55574 + default:
55575 + gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
55576 + error = -EINVAL;
55577 + break;
55578 + }
55579 +
55580 + if (error != -EPERM)
55581 + goto out;
55582 +
55583 + if(!(gr_auth_attempts++))
55584 + gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
55585 +
55586 + out:
55587 + mutex_unlock(&gr_dev_mutex);
55588 + return error;
55589 +}
55590 +
55591 +/* must be called with
55592 + rcu_read_lock();
55593 + read_lock(&tasklist_lock);
55594 + read_lock(&grsec_exec_file_lock);
55595 +*/
55596 +int gr_apply_subject_to_task(struct task_struct *task)
55597 +{
55598 + struct acl_object_label *obj;
55599 + char *tmpname;
55600 + struct acl_subject_label *tmpsubj;
55601 + struct file *filp;
55602 + struct name_entry *nmatch;
55603 +
55604 + filp = task->exec_file;
55605 + if (filp == NULL)
55606 + return 0;
55607 +
55608 + /* the following is to apply the correct subject
55609 + on binaries running when the RBAC system
55610 + is enabled, when the binaries have been
55611 + replaced or deleted since their execution
55612 + -----
55613 + when the RBAC system starts, the inode/dev
55614 + from exec_file will be one the RBAC system
55615 + is unaware of. It only knows the inode/dev
55616 + of the present file on disk, or the absence
55617 + of it.
55618 + */
55619 + preempt_disable();
55620 + tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
55621 +
55622 + nmatch = lookup_name_entry(tmpname);
55623 + preempt_enable();
55624 + tmpsubj = NULL;
55625 + if (nmatch) {
55626 + if (nmatch->deleted)
55627 + tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
55628 + else
55629 + tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
55630 + if (tmpsubj != NULL)
55631 + task->acl = tmpsubj;
55632 + }
55633 + if (tmpsubj == NULL)
55634 + task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
55635 + task->role);
55636 + if (task->acl) {
55637 + task->is_writable = 0;
55638 + /* ignore additional mmap checks for processes that are writable
55639 + by the default ACL */
55640 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
55641 + if (unlikely(obj->mode & GR_WRITE))
55642 + task->is_writable = 1;
55643 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
55644 + if (unlikely(obj->mode & GR_WRITE))
55645 + task->is_writable = 1;
55646 +
55647 + gr_set_proc_res(task);
55648 +
55649 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
55650 + printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
55651 +#endif
55652 + } else {
55653 + return 1;
55654 + }
55655 +
55656 + return 0;
55657 +}
55658 +
55659 +int
55660 +gr_set_acls(const int type)
55661 +{
55662 + struct task_struct *task, *task2;
55663 + struct acl_role_label *role = current->role;
55664 + __u16 acl_role_id = current->acl_role_id;
55665 + const struct cred *cred;
55666 + int ret;
55667 +
55668 + rcu_read_lock();
55669 + read_lock(&tasklist_lock);
55670 + read_lock(&grsec_exec_file_lock);
55671 + do_each_thread(task2, task) {
55672 + /* check to see if we're called from the exit handler,
55673 + if so, only replace ACLs that have inherited the admin
55674 + ACL */
55675 +
55676 + if (type && (task->role != role ||
55677 + task->acl_role_id != acl_role_id))
55678 + continue;
55679 +
55680 + task->acl_role_id = 0;
55681 + task->acl_sp_role = 0;
55682 +
55683 + if (task->exec_file) {
55684 + cred = __task_cred(task);
55685 + task->role = lookup_acl_role_label(task, cred->uid, cred->gid);
55686 +
55687 + ret = gr_apply_subject_to_task(task);
55688 + if (ret) {
55689 + read_unlock(&grsec_exec_file_lock);
55690 + read_unlock(&tasklist_lock);
55691 + rcu_read_unlock();
55692 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
55693 + return ret;
55694 + }
55695 + } else {
55696 + // it's a kernel process
55697 + task->role = kernel_role;
55698 + task->acl = kernel_role->root_label;
55699 +#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
55700 + task->acl->mode &= ~GR_PROCFIND;
55701 +#endif
55702 + }
55703 + } while_each_thread(task2, task);
55704 + read_unlock(&grsec_exec_file_lock);
55705 + read_unlock(&tasklist_lock);
55706 + rcu_read_unlock();
55707 +
55708 + return 0;
55709 +}
55710 +
55711 +void
55712 +gr_learn_resource(const struct task_struct *task,
55713 + const int res, const unsigned long wanted, const int gt)
55714 +{
55715 + struct acl_subject_label *acl;
55716 + const struct cred *cred;
55717 +
55718 + if (unlikely((gr_status & GR_READY) &&
55719 + task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
55720 + goto skip_reslog;
55721 +
55722 +#ifdef CONFIG_GRKERNSEC_RESLOG
55723 + gr_log_resource(task, res, wanted, gt);
55724 +#endif
55725 + skip_reslog:
55726 +
55727 + if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
55728 + return;
55729 +
55730 + acl = task->acl;
55731 +
55732 + if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
55733 + !(acl->resmask & (1 << (unsigned short) res))))
55734 + return;
55735 +
55736 + if (wanted >= acl->res[res].rlim_cur) {
55737 + unsigned long res_add;
55738 +
55739 + res_add = wanted;
55740 + switch (res) {
55741 + case RLIMIT_CPU:
55742 + res_add += GR_RLIM_CPU_BUMP;
55743 + break;
55744 + case RLIMIT_FSIZE:
55745 + res_add += GR_RLIM_FSIZE_BUMP;
55746 + break;
55747 + case RLIMIT_DATA:
55748 + res_add += GR_RLIM_DATA_BUMP;
55749 + break;
55750 + case RLIMIT_STACK:
55751 + res_add += GR_RLIM_STACK_BUMP;
55752 + break;
55753 + case RLIMIT_CORE:
55754 + res_add += GR_RLIM_CORE_BUMP;
55755 + break;
55756 + case RLIMIT_RSS:
55757 + res_add += GR_RLIM_RSS_BUMP;
55758 + break;
55759 + case RLIMIT_NPROC:
55760 + res_add += GR_RLIM_NPROC_BUMP;
55761 + break;
55762 + case RLIMIT_NOFILE:
55763 + res_add += GR_RLIM_NOFILE_BUMP;
55764 + break;
55765 + case RLIMIT_MEMLOCK:
55766 + res_add += GR_RLIM_MEMLOCK_BUMP;
55767 + break;
55768 + case RLIMIT_AS:
55769 + res_add += GR_RLIM_AS_BUMP;
55770 + break;
55771 + case RLIMIT_LOCKS:
55772 + res_add += GR_RLIM_LOCKS_BUMP;
55773 + break;
55774 + case RLIMIT_SIGPENDING:
55775 + res_add += GR_RLIM_SIGPENDING_BUMP;
55776 + break;
55777 + case RLIMIT_MSGQUEUE:
55778 + res_add += GR_RLIM_MSGQUEUE_BUMP;
55779 + break;
55780 + case RLIMIT_NICE:
55781 + res_add += GR_RLIM_NICE_BUMP;
55782 + break;
55783 + case RLIMIT_RTPRIO:
55784 + res_add += GR_RLIM_RTPRIO_BUMP;
55785 + break;
55786 + case RLIMIT_RTTIME:
55787 + res_add += GR_RLIM_RTTIME_BUMP;
55788 + break;
55789 + }
55790 +
55791 + acl->res[res].rlim_cur = res_add;
55792 +
55793 + if (wanted > acl->res[res].rlim_max)
55794 + acl->res[res].rlim_max = res_add;
55795 +
55796 + /* only log the subject filename, since resource logging is supported for
55797 + single-subject learning only */
55798 + rcu_read_lock();
55799 + cred = __task_cred(task);
55800 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
55801 + task->role->roletype, cred->uid, cred->gid, acl->filename,
55802 + acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
55803 + "", (unsigned long) res, &task->signal->saved_ip);
55804 + rcu_read_unlock();
55805 + }
55806 +
55807 + return;
55808 +}
55809 +
55810 +#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
55811 +void
55812 +pax_set_initial_flags(struct linux_binprm *bprm)
55813 +{
55814 + struct task_struct *task = current;
55815 + struct acl_subject_label *proc;
55816 + unsigned long flags;
55817 +
55818 + if (unlikely(!(gr_status & GR_READY)))
55819 + return;
55820 +
55821 + flags = pax_get_flags(task);
55822 +
55823 + proc = task->acl;
55824 +
55825 + if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
55826 + flags &= ~MF_PAX_PAGEEXEC;
55827 + if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
55828 + flags &= ~MF_PAX_SEGMEXEC;
55829 + if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
55830 + flags &= ~MF_PAX_RANDMMAP;
55831 + if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
55832 + flags &= ~MF_PAX_EMUTRAMP;
55833 + if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
55834 + flags &= ~MF_PAX_MPROTECT;
55835 +
55836 + if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
55837 + flags |= MF_PAX_PAGEEXEC;
55838 + if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
55839 + flags |= MF_PAX_SEGMEXEC;
55840 + if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
55841 + flags |= MF_PAX_RANDMMAP;
55842 + if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
55843 + flags |= MF_PAX_EMUTRAMP;
55844 + if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
55845 + flags |= MF_PAX_MPROTECT;
55846 +
55847 + pax_set_flags(task, flags);
55848 +
55849 + return;
55850 +}
55851 +#endif
55852 +
55853 +#ifdef CONFIG_SYSCTL
55854 +/* Eric Biederman likes breaking userland ABI and every inode-based security
55855 + system to save 35kb of memory */
55856 +
55857 +/* we modify the passed in filename, but adjust it back before returning */
55858 +static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
55859 +{
55860 + struct name_entry *nmatch;
55861 + char *p, *lastp = NULL;
55862 + struct acl_object_label *obj = NULL, *tmp;
55863 + struct acl_subject_label *tmpsubj;
55864 + char c = '\0';
55865 +
55866 + read_lock(&gr_inode_lock);
55867 +
55868 + p = name + len - 1;
55869 + do {
55870 + nmatch = lookup_name_entry(name);
55871 + if (lastp != NULL)
55872 + *lastp = c;
55873 +
55874 + if (nmatch == NULL)
55875 + goto next_component;
55876 + tmpsubj = current->acl;
55877 + do {
55878 + obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
55879 + if (obj != NULL) {
55880 + tmp = obj->globbed;
55881 + while (tmp) {
55882 + if (!glob_match(tmp->filename, name)) {
55883 + obj = tmp;
55884 + goto found_obj;
55885 + }
55886 + tmp = tmp->next;
55887 + }
55888 + goto found_obj;
55889 + }
55890 + } while ((tmpsubj = tmpsubj->parent_subject));
55891 +next_component:
55892 + /* end case */
55893 + if (p == name)
55894 + break;
55895 +
55896 + while (*p != '/')
55897 + p--;
55898 + if (p == name)
55899 + lastp = p + 1;
55900 + else {
55901 + lastp = p;
55902 + p--;
55903 + }
55904 + c = *lastp;
55905 + *lastp = '\0';
55906 + } while (1);
55907 +found_obj:
55908 + read_unlock(&gr_inode_lock);
55909 + /* obj returned will always be non-null */
55910 + return obj;
55911 +}
55912 +
55913 +/* returns 0 when allowing, non-zero on error
55914 + op of 0 is used for readdir, so we don't log the names of hidden files
55915 +*/
55916 +__u32
55917 +gr_handle_sysctl(const struct ctl_table *table, const int op)
55918 +{
55919 + ctl_table *tmp;
55920 + const char *proc_sys = "/proc/sys";
55921 + char *path;
55922 + struct acl_object_label *obj;
55923 + unsigned short len = 0, pos = 0, depth = 0, i;
55924 + __u32 err = 0;
55925 + __u32 mode = 0;
55926 +
55927 + if (unlikely(!(gr_status & GR_READY)))
55928 + return 0;
55929 +
55930 + /* for now, ignore operations on non-sysctl entries if it's not a
55931 + readdir*/
55932 + if (table->child != NULL && op != 0)
55933 + return 0;
55934 +
55935 + mode |= GR_FIND;
55936 + /* it's only a read if it's an entry, read on dirs is for readdir */
55937 + if (op & MAY_READ)
55938 + mode |= GR_READ;
55939 + if (op & MAY_WRITE)
55940 + mode |= GR_WRITE;
55941 +
55942 + preempt_disable();
55943 +
55944 + path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
55945 +
55946 + /* it's only a read/write if it's an actual entry, not a dir
55947 + (which are opened for readdir)
55948 + */
55949 +
55950 + /* convert the requested sysctl entry into a pathname */
55951 +
55952 + for (tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
55953 + len += strlen(tmp->procname);
55954 + len++;
55955 + depth++;
55956 + }
55957 +
55958 + if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
55959 + /* deny */
55960 + goto out;
55961 + }
55962 +
55963 + memset(path, 0, PAGE_SIZE);
55964 +
55965 + memcpy(path, proc_sys, strlen(proc_sys));
55966 +
55967 + pos += strlen(proc_sys);
55968 +
55969 + for (; depth > 0; depth--) {
55970 + path[pos] = '/';
55971 + pos++;
55972 + for (i = 1, tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
55973 + if (depth == i) {
55974 + memcpy(path + pos, tmp->procname,
55975 + strlen(tmp->procname));
55976 + pos += strlen(tmp->procname);
55977 + }
55978 + i++;
55979 + }
55980 + }
55981 +
55982 + obj = gr_lookup_by_name(path, pos);
55983 + err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
55984 +
55985 + if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
55986 + ((err & mode) != mode))) {
55987 + __u32 new_mode = mode;
55988 +
55989 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
55990 +
55991 + err = 0;
55992 + gr_log_learn_sysctl(path, new_mode);
55993 + } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
55994 + gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
55995 + err = -ENOENT;
55996 + } else if (!(err & GR_FIND)) {
55997 + err = -ENOENT;
55998 + } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
55999 + gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
56000 + path, (mode & GR_READ) ? " reading" : "",
56001 + (mode & GR_WRITE) ? " writing" : "");
56002 + err = -EACCES;
56003 + } else if ((err & mode) != mode) {
56004 + err = -EACCES;
56005 + } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
56006 + gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
56007 + path, (mode & GR_READ) ? " reading" : "",
56008 + (mode & GR_WRITE) ? " writing" : "");
56009 + err = 0;
56010 + } else
56011 + err = 0;
56012 +
56013 + out:
56014 + preempt_enable();
56015 +
56016 + return err;
56017 +}
56018 +#endif
56019 +
56020 +int
56021 +gr_handle_proc_ptrace(struct task_struct *task)
56022 +{
56023 + struct file *filp;
56024 + struct task_struct *tmp = task;
56025 + struct task_struct *curtemp = current;
56026 + __u32 retmode;
56027 +
56028 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
56029 + if (unlikely(!(gr_status & GR_READY)))
56030 + return 0;
56031 +#endif
56032 +
56033 + read_lock(&tasklist_lock);
56034 + read_lock(&grsec_exec_file_lock);
56035 + filp = task->exec_file;
56036 +
56037 + while (tmp->pid > 0) {
56038 + if (tmp == curtemp)
56039 + break;
56040 + tmp = tmp->real_parent;
56041 + }
56042 +
56043 + if (!filp || (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
56044 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
56045 + read_unlock(&grsec_exec_file_lock);
56046 + read_unlock(&tasklist_lock);
56047 + return 1;
56048 + }
56049 +
56050 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
56051 + if (!(gr_status & GR_READY)) {
56052 + read_unlock(&grsec_exec_file_lock);
56053 + read_unlock(&tasklist_lock);
56054 + return 0;
56055 + }
56056 +#endif
56057 +
56058 + retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
56059 + read_unlock(&grsec_exec_file_lock);
56060 + read_unlock(&tasklist_lock);
56061 +
56062 + if (retmode & GR_NOPTRACE)
56063 + return 1;
56064 +
56065 + if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
56066 + && (current->acl != task->acl || (current->acl != current->role->root_label
56067 + && current->pid != task->pid)))
56068 + return 1;
56069 +
56070 + return 0;
56071 +}
56072 +
56073 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p)
56074 +{
56075 + if (unlikely(!(gr_status & GR_READY)))
56076 + return;
56077 +
56078 + if (!(current->role->roletype & GR_ROLE_GOD))
56079 + return;
56080 +
56081 + seq_printf(m, "RBAC:\t%.64s:%c:%.950s\n",
56082 + p->role->rolename, gr_task_roletype_to_char(p),
56083 + p->acl->filename);
56084 +}
56085 +
56086 +int
56087 +gr_handle_ptrace(struct task_struct *task, const long request)
56088 +{
56089 + struct task_struct *tmp = task;
56090 + struct task_struct *curtemp = current;
56091 + __u32 retmode;
56092 +
56093 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
56094 + if (unlikely(!(gr_status & GR_READY)))
56095 + return 0;
56096 +#endif
56097 +
56098 + read_lock(&tasklist_lock);
56099 + while (tmp->pid > 0) {
56100 + if (tmp == curtemp)
56101 + break;
56102 + tmp = tmp->real_parent;
56103 + }
56104 +
56105 + if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
56106 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
56107 + read_unlock(&tasklist_lock);
56108 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
56109 + return 1;
56110 + }
56111 + read_unlock(&tasklist_lock);
56112 +
56113 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
56114 + if (!(gr_status & GR_READY))
56115 + return 0;
56116 +#endif
56117 +
56118 + read_lock(&grsec_exec_file_lock);
56119 + if (unlikely(!task->exec_file)) {
56120 + read_unlock(&grsec_exec_file_lock);
56121 + return 0;
56122 + }
56123 +
56124 + retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
56125 + read_unlock(&grsec_exec_file_lock);
56126 +
56127 + if (retmode & GR_NOPTRACE) {
56128 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
56129 + return 1;
56130 + }
56131 +
56132 + if (retmode & GR_PTRACERD) {
56133 + switch (request) {
56134 + case PTRACE_POKETEXT:
56135 + case PTRACE_POKEDATA:
56136 + case PTRACE_POKEUSR:
56137 +#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
56138 + case PTRACE_SETREGS:
56139 + case PTRACE_SETFPREGS:
56140 +#endif
56141 +#ifdef CONFIG_X86
56142 + case PTRACE_SETFPXREGS:
56143 +#endif
56144 +#ifdef CONFIG_ALTIVEC
56145 + case PTRACE_SETVRREGS:
56146 +#endif
56147 + return 1;
56148 + default:
56149 + return 0;
56150 + }
56151 + } else if (!(current->acl->mode & GR_POVERRIDE) &&
56152 + !(current->role->roletype & GR_ROLE_GOD) &&
56153 + (current->acl != task->acl)) {
56154 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
56155 + return 1;
56156 + }
56157 +
56158 + return 0;
56159 +}
56160 +
56161 +static int is_writable_mmap(const struct file *filp)
56162 +{
56163 + struct task_struct *task = current;
56164 + struct acl_object_label *obj, *obj2;
56165 +
56166 + if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
56167 + !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode) && (filp->f_path.mnt != shm_mnt || (filp->f_path.dentry->d_inode->i_nlink > 0))) {
56168 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
56169 + obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
56170 + task->role->root_label);
56171 + if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
56172 + gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
56173 + return 1;
56174 + }
56175 + }
56176 + return 0;
56177 +}
56178 +
56179 +int
56180 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
56181 +{
56182 + __u32 mode;
56183 +
56184 + if (unlikely(!file || !(prot & PROT_EXEC)))
56185 + return 1;
56186 +
56187 + if (is_writable_mmap(file))
56188 + return 0;
56189 +
56190 + mode =
56191 + gr_search_file(file->f_path.dentry,
56192 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
56193 + file->f_path.mnt);
56194 +
56195 + if (!gr_tpe_allow(file))
56196 + return 0;
56197 +
56198 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
56199 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
56200 + return 0;
56201 + } else if (unlikely(!(mode & GR_EXEC))) {
56202 + return 0;
56203 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
56204 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
56205 + return 1;
56206 + }
56207 +
56208 + return 1;
56209 +}
56210 +
56211 +int
56212 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
56213 +{
56214 + __u32 mode;
56215 +
56216 + if (unlikely(!file || !(prot & PROT_EXEC)))
56217 + return 1;
56218 +
56219 + if (is_writable_mmap(file))
56220 + return 0;
56221 +
56222 + mode =
56223 + gr_search_file(file->f_path.dentry,
56224 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
56225 + file->f_path.mnt);
56226 +
56227 + if (!gr_tpe_allow(file))
56228 + return 0;
56229 +
56230 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
56231 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
56232 + return 0;
56233 + } else if (unlikely(!(mode & GR_EXEC))) {
56234 + return 0;
56235 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
56236 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
56237 + return 1;
56238 + }
56239 +
56240 + return 1;
56241 +}
56242 +
56243 +void
56244 +gr_acl_handle_psacct(struct task_struct *task, const long code)
56245 +{
56246 + unsigned long runtime;
56247 + unsigned long cputime;
56248 + unsigned int wday, cday;
56249 + __u8 whr, chr;
56250 + __u8 wmin, cmin;
56251 + __u8 wsec, csec;
56252 + struct timespec timeval;
56253 +
56254 + if (unlikely(!(gr_status & GR_READY) || !task->acl ||
56255 + !(task->acl->mode & GR_PROCACCT)))
56256 + return;
56257 +
56258 + do_posix_clock_monotonic_gettime(&timeval);
56259 + runtime = timeval.tv_sec - task->start_time.tv_sec;
56260 + wday = runtime / (3600 * 24);
56261 + runtime -= wday * (3600 * 24);
56262 + whr = runtime / 3600;
56263 + runtime -= whr * 3600;
56264 + wmin = runtime / 60;
56265 + runtime -= wmin * 60;
56266 + wsec = runtime;
56267 +
56268 + cputime = (task->utime + task->stime) / HZ;
56269 + cday = cputime / (3600 * 24);
56270 + cputime -= cday * (3600 * 24);
56271 + chr = cputime / 3600;
56272 + cputime -= chr * 3600;
56273 + cmin = cputime / 60;
56274 + cputime -= cmin * 60;
56275 + csec = cputime;
56276 +
56277 + gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
56278 +
56279 + return;
56280 +}
56281 +
56282 +void gr_set_kernel_label(struct task_struct *task)
56283 +{
56284 + if (gr_status & GR_READY) {
56285 + task->role = kernel_role;
56286 + task->acl = kernel_role->root_label;
56287 + }
56288 + return;
56289 +}
56290 +
56291 +#ifdef CONFIG_TASKSTATS
56292 +int gr_is_taskstats_denied(int pid)
56293 +{
56294 + struct task_struct *task;
56295 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
56296 + const struct cred *cred;
56297 +#endif
56298 + int ret = 0;
56299 +
56300 + /* restrict taskstats viewing to un-chrooted root users
56301 + who have the 'view' subject flag if the RBAC system is enabled
56302 + */
56303 +
56304 + rcu_read_lock();
56305 + read_lock(&tasklist_lock);
56306 + task = find_task_by_vpid(pid);
56307 + if (task) {
56308 +#ifdef CONFIG_GRKERNSEC_CHROOT
56309 + if (proc_is_chrooted(task))
56310 + ret = -EACCES;
56311 +#endif
56312 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
56313 + cred = __task_cred(task);
56314 +#ifdef CONFIG_GRKERNSEC_PROC_USER
56315 + if (cred->uid != 0)
56316 + ret = -EACCES;
56317 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
56318 + if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
56319 + ret = -EACCES;
56320 +#endif
56321 +#endif
56322 + if (gr_status & GR_READY) {
56323 + if (!(task->acl->mode & GR_VIEW))
56324 + ret = -EACCES;
56325 + }
56326 + } else
56327 + ret = -ENOENT;
56328 +
56329 + read_unlock(&tasklist_lock);
56330 + rcu_read_unlock();
56331 +
56332 + return ret;
56333 +}
56334 +#endif
56335 +
56336 +/* AUXV entries are filled via a descendant of search_binary_handler
56337 + after we've already applied the subject for the target
56338 +*/
56339 +int gr_acl_enable_at_secure(void)
56340 +{
56341 + if (unlikely(!(gr_status & GR_READY)))
56342 + return 0;
56343 +
56344 + if (current->acl->mode & GR_ATSECURE)
56345 + return 1;
56346 +
56347 + return 0;
56348 +}
56349 +
56350 +int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
56351 +{
56352 + struct task_struct *task = current;
56353 + struct dentry *dentry = file->f_path.dentry;
56354 + struct vfsmount *mnt = file->f_path.mnt;
56355 + struct acl_object_label *obj, *tmp;
56356 + struct acl_subject_label *subj;
56357 + unsigned int bufsize;
56358 + int is_not_root;
56359 + char *path;
56360 + dev_t dev = __get_dev(dentry);
56361 +
56362 + if (unlikely(!(gr_status & GR_READY)))
56363 + return 1;
56364 +
56365 + if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
56366 + return 1;
56367 +
56368 + /* ignore Eric Biederman */
56369 + if (IS_PRIVATE(dentry->d_inode))
56370 + return 1;
56371 +
56372 + subj = task->acl;
56373 + do {
56374 + obj = lookup_acl_obj_label(ino, dev, subj);
56375 + if (obj != NULL)
56376 + return (obj->mode & GR_FIND) ? 1 : 0;
56377 + } while ((subj = subj->parent_subject));
56378 +
56379 + /* this is purely an optimization since we're looking for an object
56380 + for the directory we're doing a readdir on
56381 + if it's possible for any globbed object to match the entry we're
56382 + filling into the directory, then the object we find here will be
56383 + an anchor point with attached globbed objects
56384 + */
56385 + obj = chk_obj_label_noglob(dentry, mnt, task->acl);
56386 + if (obj->globbed == NULL)
56387 + return (obj->mode & GR_FIND) ? 1 : 0;
56388 +
56389 + is_not_root = ((obj->filename[0] == '/') &&
56390 + (obj->filename[1] == '\0')) ? 0 : 1;
56391 + bufsize = PAGE_SIZE - namelen - is_not_root;
56392 +
56393 + /* check bufsize > PAGE_SIZE || bufsize == 0 */
56394 + if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
56395 + return 1;
56396 +
56397 + preempt_disable();
56398 + path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
56399 + bufsize);
56400 +
56401 + bufsize = strlen(path);
56402 +
56403 + /* if base is "/", don't append an additional slash */
56404 + if (is_not_root)
56405 + *(path + bufsize) = '/';
56406 + memcpy(path + bufsize + is_not_root, name, namelen);
56407 + *(path + bufsize + namelen + is_not_root) = '\0';
56408 +
56409 + tmp = obj->globbed;
56410 + while (tmp) {
56411 + if (!glob_match(tmp->filename, path)) {
56412 + preempt_enable();
56413 + return (tmp->mode & GR_FIND) ? 1 : 0;
56414 + }
56415 + tmp = tmp->next;
56416 + }
56417 + preempt_enable();
56418 + return (obj->mode & GR_FIND) ? 1 : 0;
56419 +}
56420 +
56421 +#ifdef CONFIG_NETFILTER_XT_MATCH_GRADM_MODULE
56422 +EXPORT_SYMBOL(gr_acl_is_enabled);
56423 +#endif
56424 +EXPORT_SYMBOL(gr_learn_resource);
56425 +EXPORT_SYMBOL(gr_set_kernel_label);
56426 +#ifdef CONFIG_SECURITY
56427 +EXPORT_SYMBOL(gr_check_user_change);
56428 +EXPORT_SYMBOL(gr_check_group_change);
56429 +#endif
56430 +
56431 diff -urNp linux-2.6.32.49/grsecurity/gracl_cap.c linux-2.6.32.49/grsecurity/gracl_cap.c
56432 --- linux-2.6.32.49/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
56433 +++ linux-2.6.32.49/grsecurity/gracl_cap.c 2011-11-15 19:59:43.000000000 -0500
56434 @@ -0,0 +1,101 @@
56435 +#include <linux/kernel.h>
56436 +#include <linux/module.h>
56437 +#include <linux/sched.h>
56438 +#include <linux/gracl.h>
56439 +#include <linux/grsecurity.h>
56440 +#include <linux/grinternal.h>
56441 +
56442 +extern const char *captab_log[];
56443 +extern int captab_log_entries;
56444 +
56445 +int
56446 +gr_acl_is_capable(const int cap)
56447 +{
56448 + struct task_struct *task = current;
56449 + const struct cred *cred = current_cred();
56450 + struct acl_subject_label *curracl;
56451 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
56452 + kernel_cap_t cap_audit = __cap_empty_set;
56453 +
56454 + if (!gr_acl_is_enabled())
56455 + return 1;
56456 +
56457 + curracl = task->acl;
56458 +
56459 + cap_drop = curracl->cap_lower;
56460 + cap_mask = curracl->cap_mask;
56461 + cap_audit = curracl->cap_invert_audit;
56462 +
56463 + while ((curracl = curracl->parent_subject)) {
56464 + /* if the cap isn't specified in the current computed mask but is specified in the
56465 + current level subject, and is lowered in the current level subject, then add
56466 + it to the set of dropped capabilities
56467 + otherwise, add the current level subject's mask to the current computed mask
56468 + */
56469 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
56470 + cap_raise(cap_mask, cap);
56471 + if (cap_raised(curracl->cap_lower, cap))
56472 + cap_raise(cap_drop, cap);
56473 + if (cap_raised(curracl->cap_invert_audit, cap))
56474 + cap_raise(cap_audit, cap);
56475 + }
56476 + }
56477 +
56478 + if (!cap_raised(cap_drop, cap)) {
56479 + if (cap_raised(cap_audit, cap))
56480 + gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
56481 + return 1;
56482 + }
56483 +
56484 + curracl = task->acl;
56485 +
56486 + if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
56487 + && cap_raised(cred->cap_effective, cap)) {
56488 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
56489 + task->role->roletype, cred->uid,
56490 + cred->gid, task->exec_file ?
56491 + gr_to_filename(task->exec_file->f_path.dentry,
56492 + task->exec_file->f_path.mnt) : curracl->filename,
56493 + curracl->filename, 0UL,
56494 + 0UL, "", (unsigned long) cap, &task->signal->saved_ip);
56495 + return 1;
56496 + }
56497 +
56498 + if ((cap >= 0) && (cap < captab_log_entries) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
56499 + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
56500 + return 0;
56501 +}
56502 +
56503 +int
56504 +gr_acl_is_capable_nolog(const int cap)
56505 +{
56506 + struct acl_subject_label *curracl;
56507 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
56508 +
56509 + if (!gr_acl_is_enabled())
56510 + return 1;
56511 +
56512 + curracl = current->acl;
56513 +
56514 + cap_drop = curracl->cap_lower;
56515 + cap_mask = curracl->cap_mask;
56516 +
56517 + while ((curracl = curracl->parent_subject)) {
56518 + /* if the cap isn't specified in the current computed mask but is specified in the
56519 + current level subject, and is lowered in the current level subject, then add
56520 + it to the set of dropped capabilities
56521 + otherwise, add the current level subject's mask to the current computed mask
56522 + */
56523 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
56524 + cap_raise(cap_mask, cap);
56525 + if (cap_raised(curracl->cap_lower, cap))
56526 + cap_raise(cap_drop, cap);
56527 + }
56528 + }
56529 +
56530 + if (!cap_raised(cap_drop, cap))
56531 + return 1;
56532 +
56533 + return 0;
56534 +}
56535 +
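Review bot: In gr_acl_is_capable the audit-on-allow branch passes `captab_log[cap]` to gr_log_cap without the range check that the denial branch at the end of the same function applies (`(cap >= 0) && (cap < captab_log_entries)`). The size of captab_log is not visible in this hunk, but if a capability number can ever fall outside the table (for example one added to the kernel after the table was written), the allow path would read past the array while the deny path would not. The same guard belongs on both paths: `if (cap_raised(cap_audit, cap) && cap >= 0 && cap < captab_log_entries)`. Separately, the parent_subject walk is duplicated almost line for line in gr_acl_is_capable_nolog; a shared static helper that computes cap_drop would keep the two decisions from drifting apart.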
56536 diff -urNp linux-2.6.32.49/grsecurity/gracl_fs.c linux-2.6.32.49/grsecurity/gracl_fs.c
56537 --- linux-2.6.32.49/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
56538 +++ linux-2.6.32.49/grsecurity/gracl_fs.c 2011-11-18 19:29:57.000000000 -0500
56539 @@ -0,0 +1,433 @@
56540 +#include <linux/kernel.h>
56541 +#include <linux/sched.h>
56542 +#include <linux/types.h>
56543 +#include <linux/fs.h>
56544 +#include <linux/file.h>
56545 +#include <linux/stat.h>
56546 +#include <linux/grsecurity.h>
56547 +#include <linux/grinternal.h>
56548 +#include <linux/gracl.h>
56549 +
56550 +__u32
56551 +gr_acl_handle_hidden_file(const struct dentry * dentry,
56552 + const struct vfsmount * mnt)
56553 +{
56554 + __u32 mode;
56555 +
56556 + if (unlikely(!dentry->d_inode))
56557 + return GR_FIND;
56558 +
56559 + mode =
56560 + gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
56561 +
56562 + if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
56563 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
56564 + return mode;
56565 + } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
56566 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
56567 + return 0;
56568 + } else if (unlikely(!(mode & GR_FIND)))
56569 + return 0;
56570 +
56571 + return GR_FIND;
56572 +}
56573 +
56574 +__u32
56575 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
56576 + int acc_mode)
56577 +{
56578 + __u32 reqmode = GR_FIND;
56579 + __u32 mode;
56580 +
56581 + if (unlikely(!dentry->d_inode))
56582 + return reqmode;
56583 +
56584 + if (acc_mode & MAY_APPEND)
56585 + reqmode |= GR_APPEND;
56586 + else if (acc_mode & MAY_WRITE)
56587 + reqmode |= GR_WRITE;
56588 + if ((acc_mode & MAY_READ) && !S_ISDIR(dentry->d_inode->i_mode))
56589 + reqmode |= GR_READ;
56590 +
56591 + mode =
56592 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
56593 + mnt);
56594 +
56595 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
56596 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
56597 + reqmode & GR_READ ? " reading" : "",
56598 + reqmode & GR_WRITE ? " writing" : reqmode &
56599 + GR_APPEND ? " appending" : "");
56600 + return reqmode;
56601 + } else
56602 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
56603 + {
56604 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
56605 + reqmode & GR_READ ? " reading" : "",
56606 + reqmode & GR_WRITE ? " writing" : reqmode &
56607 + GR_APPEND ? " appending" : "");
56608 + return 0;
56609 + } else if (unlikely((mode & reqmode) != reqmode))
56610 + return 0;
56611 +
56612 + return reqmode;
56613 +}
56614 +
56615 +__u32
56616 +gr_acl_handle_creat(const struct dentry * dentry,
56617 + const struct dentry * p_dentry,
56618 + const struct vfsmount * p_mnt, int open_flags, int acc_mode,
56619 + const int imode)
56620 +{
56621 + __u32 reqmode = GR_WRITE | GR_CREATE;
56622 + __u32 mode;
56623 +
56624 + if (acc_mode & MAY_APPEND)
56625 + reqmode |= GR_APPEND;
56626 + // if a directory was required or the directory already exists, then
56627 + // don't count this open as a read
56628 + if ((acc_mode & MAY_READ) &&
56629 + !((open_flags & O_DIRECTORY) || (dentry->d_inode && S_ISDIR(dentry->d_inode->i_mode))))
56630 + reqmode |= GR_READ;
56631 + if ((open_flags & O_CREAT) && (imode & (S_ISUID | S_ISGID)))
56632 + reqmode |= GR_SETID;
56633 +
56634 + mode =
56635 + gr_check_create(dentry, p_dentry, p_mnt,
56636 + reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
56637 +
56638 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
56639 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
56640 + reqmode & GR_READ ? " reading" : "",
56641 + reqmode & GR_WRITE ? " writing" : reqmode &
56642 + GR_APPEND ? " appending" : "");
56643 + return reqmode;
56644 + } else
56645 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
56646 + {
56647 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
56648 + reqmode & GR_READ ? " reading" : "",
56649 + reqmode & GR_WRITE ? " writing" : reqmode &
56650 + GR_APPEND ? " appending" : "");
56651 + return 0;
56652 + } else if (unlikely((mode & reqmode) != reqmode))
56653 + return 0;
56654 +
56655 + return reqmode;
56656 +}
56657 +
56658 +__u32
56659 +gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
56660 + const int fmode)
56661 +{
56662 + __u32 mode, reqmode = GR_FIND;
56663 +
56664 + if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
56665 + reqmode |= GR_EXEC;
56666 + if (fmode & S_IWOTH)
56667 + reqmode |= GR_WRITE;
56668 + if (fmode & S_IROTH)
56669 + reqmode |= GR_READ;
56670 +
56671 + mode =
56672 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
56673 + mnt);
56674 +
56675 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
56676 + gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
56677 + reqmode & GR_READ ? " reading" : "",
56678 + reqmode & GR_WRITE ? " writing" : "",
56679 + reqmode & GR_EXEC ? " executing" : "");
56680 + return reqmode;
56681 + } else
56682 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
56683 + {
56684 + gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
56685 + reqmode & GR_READ ? " reading" : "",
56686 + reqmode & GR_WRITE ? " writing" : "",
56687 + reqmode & GR_EXEC ? " executing" : "");
56688 + return 0;
56689 + } else if (unlikely((mode & reqmode) != reqmode))
56690 + return 0;
56691 +
56692 + return reqmode;
56693 +}
56694 +
56695 +static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
56696 +{
56697 + __u32 mode;
56698 +
56699 + mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
56700 +
56701 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
56702 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
56703 + return mode;
56704 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
56705 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
56706 + return 0;
56707 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
56708 + return 0;
56709 +
56710 + return (reqmode);
56711 +}
56712 +
56713 +__u32
56714 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
56715 +{
56716 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
56717 +}
56718 +
56719 +__u32
56720 +gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
56721 +{
56722 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
56723 +}
56724 +
56725 +__u32
56726 +gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
56727 +{
56728 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
56729 +}
56730 +
56731 +__u32
56732 +gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
56733 +{
56734 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
56735 +}
56736 +
56737 +__u32
56738 +gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
56739 + mode_t mode)
56740 +{
56741 + if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
56742 + return 1;
56743 +
56744 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
56745 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
56746 + GR_FCHMOD_ACL_MSG);
56747 + } else {
56748 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
56749 + }
56750 +}
56751 +
56752 +__u32
56753 +gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
56754 + mode_t mode)
56755 +{
56756 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
56757 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
56758 + GR_CHMOD_ACL_MSG);
56759 + } else {
56760 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
56761 + }
56762 +}
56763 +
56764 +__u32
56765 +gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
56766 +{
56767 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
56768 +}
56769 +
56770 +__u32
56771 +gr_acl_handle_setxattr(const struct dentry *dentry, const struct vfsmount *mnt)
56772 +{
56773 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_SETXATTR_ACL_MSG);
56774 +}
56775 +
56776 +__u32
56777 +gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
56778 +{
56779 + return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
56780 +}
56781 +
56782 +__u32
56783 +gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
56784 +{
56785 + return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
56786 + GR_UNIXCONNECT_ACL_MSG);
56787 +}
56788 +
56789 +/* hardlinks require at minimum create and link permission,
56790 + any additional privilege required is based on the
56791 + privilege of the file being linked to
56792 +*/
56793 +__u32
56794 +gr_acl_handle_link(const struct dentry * new_dentry,
56795 + const struct dentry * parent_dentry,
56796 + const struct vfsmount * parent_mnt,
56797 + const struct dentry * old_dentry,
56798 + const struct vfsmount * old_mnt, const char *to)
56799 +{
56800 + __u32 mode;
56801 + __u32 needmode = GR_CREATE | GR_LINK;
56802 + __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
56803 +
56804 + mode =
56805 + gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
56806 + old_mnt);
56807 +
56808 + if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
56809 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
56810 + return mode;
56811 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
56812 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
56813 + return 0;
56814 + } else if (unlikely((mode & needmode) != needmode))
56815 + return 0;
56816 +
56817 + return 1;
56818 +}
56819 +
56820 +__u32
56821 +gr_acl_handle_symlink(const struct dentry * new_dentry,
56822 + const struct dentry * parent_dentry,
56823 + const struct vfsmount * parent_mnt, const char *from)
56824 +{
56825 + __u32 needmode = GR_WRITE | GR_CREATE;
56826 + __u32 mode;
56827 +
56828 + mode =
56829 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
56830 + GR_CREATE | GR_AUDIT_CREATE |
56831 + GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
56832 +
56833 + if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
56834 + gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
56835 + return mode;
56836 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
56837 + gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
56838 + return 0;
56839 + } else if (unlikely((mode & needmode) != needmode))
56840 + return 0;
56841 +
56842 + return (GR_WRITE | GR_CREATE);
56843 +}
56844 +
56845 +static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
56846 +{
56847 + __u32 mode;
56848 +
56849 + mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
56850 +
56851 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
56852 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
56853 + return mode;
56854 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
56855 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
56856 + return 0;
56857 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
56858 + return 0;
56859 +
56860 + return (reqmode);
56861 +}
56862 +
56863 +__u32
56864 +gr_acl_handle_mknod(const struct dentry * new_dentry,
56865 + const struct dentry * parent_dentry,
56866 + const struct vfsmount * parent_mnt,
56867 + const int mode)
56868 +{
56869 + __u32 reqmode = GR_WRITE | GR_CREATE;
56870 + if (unlikely(mode & (S_ISUID | S_ISGID)))
56871 + reqmode |= GR_SETID;
56872 +
56873 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
56874 + reqmode, GR_MKNOD_ACL_MSG);
56875 +}
56876 +
56877 +__u32
56878 +gr_acl_handle_mkdir(const struct dentry *new_dentry,
56879 + const struct dentry *parent_dentry,
56880 + const struct vfsmount *parent_mnt)
56881 +{
56882 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
56883 + GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
56884 +}
56885 +
56886 +#define RENAME_CHECK_SUCCESS(old, new) \
56887 + (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
56888 + ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
56889 +
56890 +int
56891 +gr_acl_handle_rename(struct dentry *new_dentry,
56892 + struct dentry *parent_dentry,
56893 + const struct vfsmount *parent_mnt,
56894 + struct dentry *old_dentry,
56895 + struct inode *old_parent_inode,
56896 + struct vfsmount *old_mnt, const char *newname)
56897 +{
56898 + __u32 comp1, comp2;
56899 + int error = 0;
56900 +
56901 + if (unlikely(!gr_acl_is_enabled()))
56902 + return 0;
56903 +
56904 + if (!new_dentry->d_inode) {
56905 + comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
56906 + GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
56907 + GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
56908 + comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
56909 + GR_DELETE | GR_AUDIT_DELETE |
56910 + GR_AUDIT_READ | GR_AUDIT_WRITE |
56911 + GR_SUPPRESS, old_mnt);
56912 + } else {
56913 + comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
56914 + GR_CREATE | GR_DELETE |
56915 + GR_AUDIT_CREATE | GR_AUDIT_DELETE |
56916 + GR_AUDIT_READ | GR_AUDIT_WRITE |
56917 + GR_SUPPRESS, parent_mnt);
56918 + comp2 =
56919 + gr_search_file(old_dentry,
56920 + GR_READ | GR_WRITE | GR_AUDIT_READ |
56921 + GR_DELETE | GR_AUDIT_DELETE |
56922 + GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
56923 + }
56924 +
56925 + if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
56926 + ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
56927 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
56928 + else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
56929 + && !(comp2 & GR_SUPPRESS)) {
56930 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
56931 + error = -EACCES;
56932 + } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
56933 + error = -EACCES;
56934 +
56935 + return error;
56936 +}
56937 +
56938 +void
56939 +gr_acl_handle_exit(void)
56940 +{
56941 + u16 id;
56942 + char *rolename;
56943 + struct file *exec_file;
56944 +
56945 + if (unlikely(current->acl_sp_role && gr_acl_is_enabled() &&
56946 + !(current->role->roletype & GR_ROLE_PERSIST))) {
56947 + id = current->acl_role_id;
56948 + rolename = current->role->rolename;
56949 + gr_set_acls(1);
56950 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
56951 + }
56952 +
56953 + write_lock(&grsec_exec_file_lock);
56954 + exec_file = current->exec_file;
56955 + current->exec_file = NULL;
56956 + write_unlock(&grsec_exec_file_lock);
56957 +
56958 + if (exec_file)
56959 + fput(exec_file);
56960 +}
56961 +
56962 +int
56963 +gr_acl_handle_procpidmem(const struct task_struct *task)
56964 +{
56965 + if (unlikely(!gr_acl_is_enabled()))
56966 + return 0;
56967 +
56968 + if (task != current && task->acl->mode & GR_PROTPROCFD)
56969 + return -EACCES;
56970 +
56971 + return 0;
56972 +}
56973 diff -urNp linux-2.6.32.49/grsecurity/gracl_ip.c linux-2.6.32.49/grsecurity/gracl_ip.c
56974 --- linux-2.6.32.49/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
56975 +++ linux-2.6.32.49/grsecurity/gracl_ip.c 2011-11-15 19:59:43.000000000 -0500
56976 @@ -0,0 +1,382 @@
56977 +#include <linux/kernel.h>
56978 +#include <asm/uaccess.h>
56979 +#include <asm/errno.h>
56980 +#include <net/sock.h>
56981 +#include <linux/file.h>
56982 +#include <linux/fs.h>
56983 +#include <linux/net.h>
56984 +#include <linux/in.h>
56985 +#include <linux/skbuff.h>
56986 +#include <linux/ip.h>
56987 +#include <linux/udp.h>
56988 +#include <linux/smp_lock.h>
56989 +#include <linux/types.h>
56990 +#include <linux/sched.h>
56991 +#include <linux/netdevice.h>
56992 +#include <linux/inetdevice.h>
56993 +#include <linux/gracl.h>
56994 +#include <linux/grsecurity.h>
56995 +#include <linux/grinternal.h>
56996 +
56997 +#define GR_BIND 0x01
56998 +#define GR_CONNECT 0x02
56999 +#define GR_INVERT 0x04
57000 +#define GR_BINDOVERRIDE 0x08
57001 +#define GR_CONNECTOVERRIDE 0x10
57002 +#define GR_SOCK_FAMILY 0x20
57003 +
57004 +static const char * gr_protocols[IPPROTO_MAX] = {
57005 + "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
57006 + "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
57007 + "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
57008 + "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
57009 + "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
57010 + "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
57011 + "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
57012 + "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
57013 + "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
57014 + "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
57015 + "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
57016 + "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
57017 + "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
57018 + "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
57019 + "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
57020 + "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
57021 + "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
57022 + "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
57023 + "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
57024 + "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
57025 + "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
57026 + "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
57027 + "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
57028 + "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
57029 + "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
57030 + "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
57031 + "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
57032 + "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
57033 + "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
57034 + "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
57035 + "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
57036 + "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
57037 + };
57038 +
57039 +static const char * gr_socktypes[SOCK_MAX] = {
57040 + "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
57041 + "unknown:7", "unknown:8", "unknown:9", "packet"
57042 + };
57043 +
57044 +static const char * gr_sockfamilies[AF_MAX+1] = {
57045 + "unspec", "unix", "inet", "ax25", "ipx", "appletalk", "netrom", "bridge", "atmpvc", "x25",
57046 + "inet6", "rose", "decnet", "netbeui", "security", "key", "netlink", "packet", "ash",
57047 + "econet", "atmsvc", "rds", "sna", "irda", "ppox", "wanpipe", "llc", "fam_27", "fam_28",
57048 + "tipc", "bluetooth", "iucv", "rxrpc", "isdn", "phonet", "ieee802154"
57049 + };
57050 +
57051 +const char *
57052 +gr_proto_to_name(unsigned char proto)
57053 +{
57054 + return gr_protocols[proto];
57055 +}
57056 +
57057 +const char *
57058 +gr_socktype_to_name(unsigned char type)
57059 +{
57060 + return gr_socktypes[type];
57061 +}
57062 +
57063 +const char *
57064 +gr_sockfamily_to_name(unsigned char family)
57065 +{
57066 + return gr_sockfamilies[family];
57067 +}
57068 +
57069 +int
57070 +gr_search_socket(const int domain, const int type, const int protocol)
57071 +{
57072 + struct acl_subject_label *curr;
57073 + const struct cred *cred = current_cred();
57074 +
57075 + if (unlikely(!gr_acl_is_enabled()))
57076 + goto exit;
57077 +
57078 + if ((domain < 0) || (type < 0) || (protocol < 0) ||
57079 + (domain >= AF_MAX) || (type >= SOCK_MAX) || (protocol >= IPPROTO_MAX))
57080 + goto exit; // let the kernel handle it
57081 +
57082 + curr = current->acl;
57083 +
57084 + if (curr->sock_families[domain / 32] & (1 << (domain % 32))) {
57085 + /* the family is allowed, if this is PF_INET allow it only if
57086 + the extra sock type/protocol checks pass */
57087 + if (domain == PF_INET)
57088 + goto inet_check;
57089 + goto exit;
57090 + } else {
57091 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
57092 + __u32 fakeip = 0;
57093 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
57094 + current->role->roletype, cred->uid,
57095 + cred->gid, current->exec_file ?
57096 + gr_to_filename(current->exec_file->f_path.dentry,
57097 + current->exec_file->f_path.mnt) :
57098 + curr->filename, curr->filename,
57099 + &fakeip, domain, 0, 0, GR_SOCK_FAMILY,
57100 + &current->signal->saved_ip);
57101 + goto exit;
57102 + }
57103 + goto exit_fail;
57104 + }
57105 +
57106 +inet_check:
57107 + /* the rest of this checking is for IPv4 only */
57108 + if (!curr->ips)
57109 + goto exit;
57110 +
57111 + if ((curr->ip_type & (1 << type)) &&
57112 + (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
57113 + goto exit;
57114 +
57115 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
57116 + /* we don't place acls on raw sockets , and sometimes
57117 + dgram/ip sockets are opened for ioctl and not
57118 + bind/connect, so we'll fake a bind learn log */
57119 + if (type == SOCK_RAW || type == SOCK_PACKET) {
57120 + __u32 fakeip = 0;
57121 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
57122 + current->role->roletype, cred->uid,
57123 + cred->gid, current->exec_file ?
57124 + gr_to_filename(current->exec_file->f_path.dentry,
57125 + current->exec_file->f_path.mnt) :
57126 + curr->filename, curr->filename,
57127 + &fakeip, 0, type,
57128 + protocol, GR_CONNECT, &current->signal->saved_ip);
57129 + } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
57130 + __u32 fakeip = 0;
57131 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
57132 + current->role->roletype, cred->uid,
57133 + cred->gid, current->exec_file ?
57134 + gr_to_filename(current->exec_file->f_path.dentry,
57135 + current->exec_file->f_path.mnt) :
57136 + curr->filename, curr->filename,
57137 + &fakeip, 0, type,
57138 + protocol, GR_BIND, &current->signal->saved_ip);
57139 + }
57140 + /* we'll log when they use connect or bind */
57141 + goto exit;
57142 + }
57143 +
57144 +exit_fail:
57145 + if (domain == PF_INET)
57146 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain),
57147 + gr_socktype_to_name(type), gr_proto_to_name(protocol));
57148 + else
57149 + gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(domain),
57150 + gr_socktype_to_name(type), protocol);
57151 +
57152 + return 0;
57153 +exit:
57154 + return 1;
57155 +}
57156 +
57157 +int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
57158 +{
57159 + if ((ip->mode & mode) &&
57160 + (ip_port >= ip->low) &&
57161 + (ip_port <= ip->high) &&
57162 + ((ntohl(ip_addr) & our_netmask) ==
57163 + (ntohl(our_addr) & our_netmask))
57164 + && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
57165 + && (ip->type & (1 << type))) {
57166 + if (ip->mode & GR_INVERT)
57167 + return 2; // specifically denied
57168 + else
57169 + return 1; // allowed
57170 + }
57171 +
57172 + return 0; // not specifically allowed, may continue parsing
57173 +}
57174 +
57175 +static int
57176 +gr_search_connectbind(const int full_mode, struct sock *sk,
57177 + struct sockaddr_in *addr, const int type)
57178 +{
57179 + char iface[IFNAMSIZ] = {0};
57180 + struct acl_subject_label *curr;
57181 + struct acl_ip_label *ip;
57182 + struct inet_sock *isk;
57183 + struct net_device *dev;
57184 + struct in_device *idev;
57185 + unsigned long i;
57186 + int ret;
57187 + int mode = full_mode & (GR_BIND | GR_CONNECT);
57188 + __u32 ip_addr = 0;
57189 + __u32 our_addr;
57190 + __u32 our_netmask;
57191 + char *p;
57192 + __u16 ip_port = 0;
57193 + const struct cred *cred = current_cred();
57194 +
57195 + if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
57196 + return 0;
57197 +
57198 + curr = current->acl;
57199 + isk = inet_sk(sk);
57200 +
57201 + /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
57202 + if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
57203 + addr->sin_addr.s_addr = curr->inaddr_any_override;
57204 + if ((full_mode & GR_CONNECT) && isk->saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
57205 + struct sockaddr_in saddr;
57206 + int err;
57207 +
57208 + saddr.sin_family = AF_INET;
57209 + saddr.sin_addr.s_addr = curr->inaddr_any_override;
57210 + saddr.sin_port = isk->sport;
57211 +
57212 + err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
57213 + if (err)
57214 + return err;
57215 +
57216 + err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
57217 + if (err)
57218 + return err;
57219 + }
57220 +
57221 + if (!curr->ips)
57222 + return 0;
57223 +
57224 + ip_addr = addr->sin_addr.s_addr;
57225 + ip_port = ntohs(addr->sin_port);
57226 +
57227 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
57228 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
57229 + current->role->roletype, cred->uid,
57230 + cred->gid, current->exec_file ?
57231 + gr_to_filename(current->exec_file->f_path.dentry,
57232 + current->exec_file->f_path.mnt) :
57233 + curr->filename, curr->filename,
57234 + &ip_addr, ip_port, type,
57235 + sk->sk_protocol, mode, &current->signal->saved_ip);
57236 + return 0;
57237 + }
57238 +
57239 + for (i = 0; i < curr->ip_num; i++) {
57240 + ip = *(curr->ips + i);
57241 + if (ip->iface != NULL) {
57242 + strncpy(iface, ip->iface, IFNAMSIZ - 1);
57243 + p = strchr(iface, ':');
57244 + if (p != NULL)
57245 + *p = '\0';
57246 + dev = dev_get_by_name(sock_net(sk), iface);
57247 + if (dev == NULL)
57248 + continue;
57249 + idev = in_dev_get(dev);
57250 + if (idev == NULL) {
57251 + dev_put(dev);
57252 + continue;
57253 + }
57254 + rcu_read_lock();
57255 + for_ifa(idev) {
57256 + if (!strcmp(ip->iface, ifa->ifa_label)) {
57257 + our_addr = ifa->ifa_address;
57258 + our_netmask = 0xffffffff;
57259 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
57260 + if (ret == 1) {
57261 + rcu_read_unlock();
57262 + in_dev_put(idev);
57263 + dev_put(dev);
57264 + return 0;
57265 + } else if (ret == 2) {
57266 + rcu_read_unlock();
57267 + in_dev_put(idev);
57268 + dev_put(dev);
57269 + goto denied;
57270 + }
57271 + }
57272 + } endfor_ifa(idev);
57273 + rcu_read_unlock();
57274 + in_dev_put(idev);
57275 + dev_put(dev);
57276 + } else {
57277 + our_addr = ip->addr;
57278 + our_netmask = ip->netmask;
57279 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
57280 + if (ret == 1)
57281 + return 0;
57282 + else if (ret == 2)
57283 + goto denied;
57284 + }
57285 + }
57286 +
57287 +denied:
57288 + if (mode == GR_BIND)
57289 + gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
57290 + else if (mode == GR_CONNECT)
57291 + gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
57292 +
57293 + return -EACCES;
57294 +}
57295 +
57296 +int
57297 +gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
57298 +{
57299 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
57300 +}
57301 +
57302 +int
57303 +gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
57304 +{
57305 + return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
57306 +}
57307 +
57308 +int gr_search_listen(struct socket *sock)
57309 +{
57310 + struct sock *sk = sock->sk;
57311 + struct sockaddr_in addr;
57312 +
57313 + addr.sin_addr.s_addr = inet_sk(sk)->saddr;
57314 + addr.sin_port = inet_sk(sk)->sport;
57315 +
57316 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
57317 +}
57318 +
57319 +int gr_search_accept(struct socket *sock)
57320 +{
57321 + struct sock *sk = sock->sk;
57322 + struct sockaddr_in addr;
57323 +
57324 + addr.sin_addr.s_addr = inet_sk(sk)->saddr;
57325 + addr.sin_port = inet_sk(sk)->sport;
57326 +
57327 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
57328 +}
57329 +
57330 +int
57331 +gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
57332 +{
57333 + if (addr)
57334 + return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
57335 + else {
57336 + struct sockaddr_in sin;
57337 + const struct inet_sock *inet = inet_sk(sk);
57338 +
57339 + sin.sin_addr.s_addr = inet->daddr;
57340 + sin.sin_port = inet->dport;
57341 +
57342 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
57343 + }
57344 +}
57345 +
57346 +int
57347 +gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
57348 +{
57349 + struct sockaddr_in sin;
57350 +
57351 + if (unlikely(skb->len < sizeof (struct udphdr)))
57352 + return 0; // skip this packet
57353 +
57354 + sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
57355 + sin.sin_port = udp_hdr(skb)->source;
57356 +
57357 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
57358 +}
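Review bot: gr_socktype_to_name() and gr_sockfamily_to_name() index gr_socktypes[SOCK_MAX] and gr_sockfamilies[AF_MAX+1] with an unsigned char and no range check, so a value past the table end reads beyond the array and a slot the initializer leaves unfilled hands NULL to the log formatter. gr_search_socket() validates domain, type and protocol before reaching them, but the denied path of gr_search_connectbind() passes sock->type straight through and depends on a check made elsewhere (presumably at socket creation). Making the helpers self-contained removes that dependency, e.g. `return (type < SOCK_MAX && gr_socktypes[type]) ? gr_socktypes[type] : "unknown";`, with the same pattern bounded by the table size for the family lookup. The same unchecked `type` also feeds `1 << type` in check_ip_policy().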
57359 diff -urNp linux-2.6.32.49/grsecurity/gracl_learn.c linux-2.6.32.49/grsecurity/gracl_learn.c
57360 --- linux-2.6.32.49/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
57361 +++ linux-2.6.32.49/grsecurity/gracl_learn.c 2011-11-15 19:59:43.000000000 -0500
57362 @@ -0,0 +1,208 @@
57363 +#include <linux/kernel.h>
57364 +#include <linux/mm.h>
57365 +#include <linux/sched.h>
57366 +#include <linux/poll.h>
57367 +#include <linux/smp_lock.h>
57368 +#include <linux/string.h>
57369 +#include <linux/file.h>
57370 +#include <linux/types.h>
57371 +#include <linux/vmalloc.h>
57372 +#include <linux/grinternal.h>
57373 +
57374 +extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
57375 + size_t count, loff_t *ppos);
57376 +extern int gr_acl_is_enabled(void);
57377 +
57378 +static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
57379 +static int gr_learn_attached;
57380 +
57381 +/* use a 512k buffer */
57382 +#define LEARN_BUFFER_SIZE (512 * 1024)
57383 +
57384 +static DEFINE_SPINLOCK(gr_learn_lock);
57385 +static DEFINE_MUTEX(gr_learn_user_mutex);
57386 +
57387 +/* we need to maintain two buffers, so that the kernel context of grlearn
57388 + uses a semaphore around the userspace copying, and the other kernel contexts
57389 + use a spinlock when copying into the buffer, since they cannot sleep
57390 +*/
57391 +static char *learn_buffer;
57392 +static char *learn_buffer_user;
57393 +static int learn_buffer_len;
57394 +static int learn_buffer_user_len;
57395 +
57396 +static ssize_t
57397 +read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
57398 +{
57399 + DECLARE_WAITQUEUE(wait, current);
57400 + ssize_t retval = 0;
57401 +
57402 + add_wait_queue(&learn_wait, &wait);
57403 + set_current_state(TASK_INTERRUPTIBLE);
57404 + do {
57405 + mutex_lock(&gr_learn_user_mutex);
57406 + spin_lock(&gr_learn_lock);
57407 + if (learn_buffer_len)
57408 + break;
57409 + spin_unlock(&gr_learn_lock);
57410 + mutex_unlock(&gr_learn_user_mutex);
57411 + if (file->f_flags & O_NONBLOCK) {
57412 + retval = -EAGAIN;
57413 + goto out;
57414 + }
57415 + if (signal_pending(current)) {
57416 + retval = -ERESTARTSYS;
57417 + goto out;
57418 + }
57419 +
57420 + schedule();
57421 + } while (1);
57422 +
57423 + memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
57424 + learn_buffer_user_len = learn_buffer_len;
57425 + retval = learn_buffer_len;
57426 + learn_buffer_len = 0;
57427 +
57428 + spin_unlock(&gr_learn_lock);
57429 +
57430 + if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
57431 + retval = -EFAULT;
57432 +
57433 + mutex_unlock(&gr_learn_user_mutex);
57434 +out:
57435 + set_current_state(TASK_RUNNING);
57436 + remove_wait_queue(&learn_wait, &wait);
57437 + return retval;
57438 +}
57439 +
57440 +static unsigned int
57441 +poll_learn(struct file * file, poll_table * wait)
57442 +{
57443 + poll_wait(file, &learn_wait, wait);
57444 +
57445 + if (learn_buffer_len)
57446 + return (POLLIN | POLLRDNORM);
57447 +
57448 + return 0;
57449 +}
57450 +
57451 +void
57452 +gr_clear_learn_entries(void)
57453 +{
57454 + char *tmp;
57455 +
57456 + mutex_lock(&gr_learn_user_mutex);
57457 + spin_lock(&gr_learn_lock);
57458 + tmp = learn_buffer;
57459 + learn_buffer = NULL;
57460 + spin_unlock(&gr_learn_lock);
57461 + if (tmp)
57462 + vfree(tmp);
57463 + if (learn_buffer_user != NULL) {
57464 + vfree(learn_buffer_user);
57465 + learn_buffer_user = NULL;
57466 + }
57467 + learn_buffer_len = 0;
57468 + mutex_unlock(&gr_learn_user_mutex);
57469 +
57470 + return;
57471 +}
57472 +
57473 +void
57474 +gr_add_learn_entry(const char *fmt, ...)
57475 +{
57476 + va_list args;
57477 + unsigned int len;
57478 +
57479 + if (!gr_learn_attached)
57480 + return;
57481 +
57482 + spin_lock(&gr_learn_lock);
57483 +
57484 + /* leave a gap at the end so we know when it's "full" but don't have to
57485 + compute the exact length of the string we're trying to append
57486 + */
57487 + if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
57488 + spin_unlock(&gr_learn_lock);
57489 + wake_up_interruptible(&learn_wait);
57490 + return;
57491 + }
57492 + if (learn_buffer == NULL) {
57493 + spin_unlock(&gr_learn_lock);
57494 + return;
57495 + }
57496 +
57497 + va_start(args, fmt);
57498 + len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
57499 + va_end(args);
57500 +
57501 + learn_buffer_len += len + 1;
57502 +
57503 + spin_unlock(&gr_learn_lock);
57504 + wake_up_interruptible(&learn_wait);
57505 +
57506 + return;
57507 +}
57508 +
57509 +static int
57510 +open_learn(struct inode *inode, struct file *file)
57511 +{
57512 + if (file->f_mode & FMODE_READ && gr_learn_attached)
57513 + return -EBUSY;
57514 + if (file->f_mode & FMODE_READ) {
57515 + int retval = 0;
57516 + mutex_lock(&gr_learn_user_mutex);
57517 + if (learn_buffer == NULL)
57518 + learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
57519 + if (learn_buffer_user == NULL)
57520 + learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
57521 + if (learn_buffer == NULL) {
57522 + retval = -ENOMEM;
57523 + goto out_error;
57524 + }
57525 + if (learn_buffer_user == NULL) {
57526 + retval = -ENOMEM;
57527 + goto out_error;
57528 + }
57529 + learn_buffer_len = 0;
57530 + learn_buffer_user_len = 0;
57531 + gr_learn_attached = 1;
57532 +out_error:
57533 + mutex_unlock(&gr_learn_user_mutex);
57534 + return retval;
57535 + }
57536 + return 0;
57537 +}
57538 +
57539 +static int
57540 +close_learn(struct inode *inode, struct file *file)
57541 +{
57542 + if (file->f_mode & FMODE_READ) {
57543 + char *tmp = NULL;
57544 + mutex_lock(&gr_learn_user_mutex);
57545 + spin_lock(&gr_learn_lock);
57546 + tmp = learn_buffer;
57547 + learn_buffer = NULL;
57548 + spin_unlock(&gr_learn_lock);
57549 + if (tmp)
57550 + vfree(tmp);
57551 + if (learn_buffer_user != NULL) {
57552 + vfree(learn_buffer_user);
57553 + learn_buffer_user = NULL;
57554 + }
57555 + learn_buffer_len = 0;
57556 + learn_buffer_user_len = 0;
57557 + gr_learn_attached = 0;
57558 + mutex_unlock(&gr_learn_user_mutex);
57559 + }
57560 +
57561 + return 0;
57562 +}
57563 +
57564 +const struct file_operations grsec_fops = {
57565 + .read = read_learn,
57566 + .write = write_grsec_handler,
57567 + .open = open_learn,
57568 + .release = close_learn,
57569 + .poll = poll_learn,
57570 +};
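Review bot: read_learn() never looks at `count`: once data is pending it copies all learn_buffer_user_len bytes (up to LEARN_BUFFER_SIZE) to `buf`, so a reader that passes a smaller buffer gets memory past it overwritten in its own address space. The read should fail or be truncated when `count` is smaller than the pending length; the fence below rejects it before the data is dequeued. Separately, gr_add_learn_entry() adds vsnprintf()'s return value to learn_buffer_len, and that value is the untruncated length, so an entry longer than the remaining space would push learn_buffer_len past the buffer and the next memcpy in read_learn() would overrun; `len = vscnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);` returns what was actually written. The 16384-byte gap covers this only as long as no single entry exceeds it.

```c
	/* … unchanged: wait loop, left with both locks held and learn_buffer_len != 0 … */

	if (count < (size_t)learn_buffer_len) {
		/* caller's buffer cannot hold the pending data; leave it queued */
		spin_unlock(&gr_learn_lock);
		mutex_unlock(&gr_learn_user_mutex);
		retval = -EINVAL;
		goto out;
	}

	memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
	/* … unchanged: length bookkeeping, copy_to_user, unlock … */
```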
57571 diff -urNp linux-2.6.32.49/grsecurity/gracl_res.c linux-2.6.32.49/grsecurity/gracl_res.c
57572 --- linux-2.6.32.49/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
57573 +++ linux-2.6.32.49/grsecurity/gracl_res.c 2011-11-15 19:59:43.000000000 -0500
57574 @@ -0,0 +1,67 @@
57575 +#include <linux/kernel.h>
57576 +#include <linux/sched.h>
57577 +#include <linux/gracl.h>
57578 +#include <linux/grinternal.h>
57579 +
57580 +static const char *restab_log[] = {
57581 + [RLIMIT_CPU] = "RLIMIT_CPU",
57582 + [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
57583 + [RLIMIT_DATA] = "RLIMIT_DATA",
57584 + [RLIMIT_STACK] = "RLIMIT_STACK",
57585 + [RLIMIT_CORE] = "RLIMIT_CORE",
57586 + [RLIMIT_RSS] = "RLIMIT_RSS",
57587 + [RLIMIT_NPROC] = "RLIMIT_NPROC",
57588 + [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
57589 + [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
57590 + [RLIMIT_AS] = "RLIMIT_AS",
57591 + [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
57592 + [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
57593 + [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
57594 + [RLIMIT_NICE] = "RLIMIT_NICE",
57595 + [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
57596 + [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
57597 + [GR_CRASH_RES] = "RLIMIT_CRASH"
57598 +};
57599 +
57600 +void
57601 +gr_log_resource(const struct task_struct *task,
57602 + const int res, const unsigned long wanted, const int gt)
57603 +{
57604 + const struct cred *cred;
57605 + unsigned long rlim;
57606 +
57607 + if (!gr_acl_is_enabled() && !grsec_resource_logging)
57608 + return;
57609 +
57610 + // not yet supported resource
57611 + if (unlikely(!restab_log[res]))
57612 + return;
57613 +
57614 + if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
57615 + rlim = task->signal->rlim[res].rlim_max;
57616 + else
57617 + rlim = task->signal->rlim[res].rlim_cur;
57618 + if (likely((rlim == RLIM_INFINITY) || (gt && wanted <= rlim) || (!gt && wanted < rlim)))
57619 + return;
57620 +
57621 + rcu_read_lock();
57622 + cred = __task_cred(task);
57623 +
57624 + if (res == RLIMIT_NPROC &&
57625 + (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
57626 + cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
57627 + goto out_rcu_unlock;
57628 + else if (res == RLIMIT_MEMLOCK &&
57629 + cap_raised(cred->cap_effective, CAP_IPC_LOCK))
57630 + goto out_rcu_unlock;
57631 + else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
57632 + goto out_rcu_unlock;
57633 + rcu_read_unlock();
57634 +
57635 + gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
57636 +
57637 + return;
57638 +out_rcu_unlock:
57639 + rcu_read_unlock();
57640 + return;
57641 +}
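Review bot: gr_log_resource() uses `res` as an index into both restab_log[] and task->signal->rlim[] without a range check, and the only guard, `!restab_log[res]`, itself reads the table at that index. Because restab_log has a GR_CRASH_RES entry, a call with that value passes the guard and then reads rlim[GR_CRASH_RES]; whether that is inside the rlim array depends on GR_CRASH_RES, which is defined outside this hunk. Bounding the index first keeps both accesses in range: `if (unlikely(res < 0 || res >= RLIM_NLIMITS || !restab_log[res])) return;`.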
57642 diff -urNp linux-2.6.32.49/grsecurity/gracl_segv.c linux-2.6.32.49/grsecurity/gracl_segv.c
57643 --- linux-2.6.32.49/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
57644 +++ linux-2.6.32.49/grsecurity/gracl_segv.c 2011-11-17 20:48:17.000000000 -0500
57645 @@ -0,0 +1,284 @@
57646 +#include <linux/kernel.h>
57647 +#include <linux/mm.h>
57648 +#include <asm/uaccess.h>
57649 +#include <asm/errno.h>
57650 +#include <asm/mman.h>
57651 +#include <net/sock.h>
57652 +#include <linux/file.h>
57653 +#include <linux/fs.h>
57654 +#include <linux/net.h>
57655 +#include <linux/in.h>
57656 +#include <linux/smp_lock.h>
57657 +#include <linux/slab.h>
57658 +#include <linux/types.h>
57659 +#include <linux/sched.h>
57660 +#include <linux/timer.h>
57661 +#include <linux/gracl.h>
57662 +#include <linux/grsecurity.h>
57663 +#include <linux/grinternal.h>
57664 +
57665 +static struct crash_uid *uid_set;
57666 +static unsigned short uid_used;
57667 +static DEFINE_SPINLOCK(gr_uid_lock);
57668 +extern rwlock_t gr_inode_lock;
57669 +extern struct acl_subject_label *
57670 + lookup_acl_subj_label(const ino_t inode, const dev_t dev,
57671 + struct acl_role_label *role);
57672 +extern int gr_fake_force_sig(int sig, struct task_struct *t);
57673 +
57674 +int
57675 +gr_init_uidset(void)
57676 +{
57677 + uid_set =
57678 + kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
57679 + uid_used = 0;
57680 +
57681 + return uid_set ? 1 : 0;
57682 +}
57683 +
57684 +void
57685 +gr_free_uidset(void)
57686 +{
57687 + if (uid_set)
57688 + kfree(uid_set);
57689 +
57690 + return;
57691 +}
57692 +
57693 +int
57694 +gr_find_uid(const uid_t uid)
57695 +{
57696 + struct crash_uid *tmp = uid_set;
57697 + uid_t buid;
57698 + int low = 0, high = uid_used - 1, mid;
57699 +
57700 + while (high >= low) {
57701 + mid = (low + high) >> 1;
57702 + buid = tmp[mid].uid;
57703 + if (buid == uid)
57704 + return mid;
57705 + if (buid > uid)
57706 + high = mid - 1;
57707 + if (buid < uid)
57708 + low = mid + 1;
57709 + }
57710 +
57711 + return -1;
57712 +}
57713 +
57714 +static __inline__ void
57715 +gr_insertsort(void)
57716 +{
57717 + unsigned short i, j;
57718 + struct crash_uid index;
57719 +
57720 + for (i = 1; i < uid_used; i++) {
57721 + index = uid_set[i];
57722 + j = i;
57723 + while ((j > 0) && uid_set[j - 1].uid > index.uid) {
57724 + uid_set[j] = uid_set[j - 1];
57725 + j--;
57726 + }
57727 + uid_set[j] = index;
57728 + }
57729 +
57730 + return;
57731 +}
57732 +
57733 +static __inline__ void
57734 +gr_insert_uid(const uid_t uid, const unsigned long expires)
57735 +{
57736 + int loc;
57737 +
57738 + if (uid_used == GR_UIDTABLE_MAX)
57739 + return;
57740 +
57741 + loc = gr_find_uid(uid);
57742 +
57743 + if (loc >= 0) {
57744 + uid_set[loc].expires = expires;
57745 + return;
57746 + }
57747 +
57748 + uid_set[uid_used].uid = uid;
57749 + uid_set[uid_used].expires = expires;
57750 + uid_used++;
57751 +
57752 + gr_insertsort();
57753 +
57754 + return;
57755 +}
57756 +
57757 +void
57758 +gr_remove_uid(const unsigned short loc)
57759 +{
57760 + unsigned short i;
57761 +
57762 + for (i = loc + 1; i < uid_used; i++)
57763 + uid_set[i - 1] = uid_set[i];
57764 +
57765 + uid_used--;
57766 +
57767 + return;
57768 +}
57769 +
57770 +int
57771 +gr_check_crash_uid(const uid_t uid)
57772 +{
57773 + int loc;
57774 + int ret = 0;
57775 +
57776 + if (unlikely(!gr_acl_is_enabled()))
57777 + return 0;
57778 +
57779 + spin_lock(&gr_uid_lock);
57780 + loc = gr_find_uid(uid);
57781 +
57782 + if (loc < 0)
57783 + goto out_unlock;
57784 +
57785 + if (time_before_eq(uid_set[loc].expires, get_seconds()))
57786 + gr_remove_uid(loc);
57787 + else
57788 + ret = 1;
57789 +
57790 +out_unlock:
57791 + spin_unlock(&gr_uid_lock);
57792 + return ret;
57793 +}
57794 +
57795 +static __inline__ int
57796 +proc_is_setxid(const struct cred *cred)
57797 +{
57798 + if (cred->uid != cred->euid || cred->uid != cred->suid ||
57799 + cred->uid != cred->fsuid)
57800 + return 1;
57801 + if (cred->gid != cred->egid || cred->gid != cred->sgid ||
57802 + cred->gid != cred->fsgid)
57803 + return 1;
57804 +
57805 + return 0;
57806 +}
57807 +
57808 +void
57809 +gr_handle_crash(struct task_struct *task, const int sig)
57810 +{
57811 + struct acl_subject_label *curr;
57812 + struct task_struct *tsk, *tsk2;
57813 + const struct cred *cred;
57814 + const struct cred *cred2;
57815 +
57816 + if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
57817 + return;
57818 +
57819 + if (unlikely(!gr_acl_is_enabled()))
57820 + return;
57821 +
57822 + curr = task->acl;
57823 +
57824 + if (!(curr->resmask & (1 << GR_CRASH_RES)))
57825 + return;
57826 +
57827 + if (time_before_eq(curr->expires, get_seconds())) {
57828 + curr->expires = 0;
57829 + curr->crashes = 0;
57830 + }
57831 +
57832 + curr->crashes++;
57833 +
57834 + if (!curr->expires)
57835 + curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
57836 +
57837 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
57838 + time_after(curr->expires, get_seconds())) {
57839 + rcu_read_lock();
57840 + cred = __task_cred(task);
57841 + if (cred->uid && proc_is_setxid(cred)) {
57842 + gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
57843 + spin_lock(&gr_uid_lock);
57844 + gr_insert_uid(cred->uid, curr->expires);
57845 + spin_unlock(&gr_uid_lock);
57846 + curr->expires = 0;
57847 + curr->crashes = 0;
57848 + read_lock(&tasklist_lock);
57849 + do_each_thread(tsk2, tsk) {
57850 + cred2 = __task_cred(tsk);
57851 + if (tsk != task && cred2->uid == cred->uid)
57852 + gr_fake_force_sig(SIGKILL, tsk);
57853 + } while_each_thread(tsk2, tsk);
57854 + read_unlock(&tasklist_lock);
57855 + } else {
57856 + gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
57857 + read_lock(&tasklist_lock);
57858 + read_lock(&grsec_exec_file_lock);
57859 + do_each_thread(tsk2, tsk) {
57860 + if (likely(tsk != task)) {
57861 + // if this thread has the same subject as the one that triggered
57862 + // RES_CRASH and it's the same binary, kill it
57863 + if (tsk->acl == task->acl && tsk->exec_file == task->exec_file)
57864 + gr_fake_force_sig(SIGKILL, tsk);
57865 + }
57866 + } while_each_thread(tsk2, tsk);
57867 + read_unlock(&grsec_exec_file_lock);
57868 + read_unlock(&tasklist_lock);
57869 + }
57870 + rcu_read_unlock();
57871 + }
57872 +
57873 + return;
57874 +}
57875 +
57876 +int
57877 +gr_check_crash_exec(const struct file *filp)
57878 +{
57879 + struct acl_subject_label *curr;
57880 +
57881 + if (unlikely(!gr_acl_is_enabled()))
57882 + return 0;
57883 +
57884 + read_lock(&gr_inode_lock);
57885 + curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
57886 + filp->f_path.dentry->d_inode->i_sb->s_dev,
57887 + current->role);
57888 + read_unlock(&gr_inode_lock);
57889 +
57890 + if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
57891 + (!curr->crashes && !curr->expires))
57892 + return 0;
57893 +
57894 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
57895 + time_after(curr->expires, get_seconds()))
57896 + return 1;
57897 + else if (time_before_eq(curr->expires, get_seconds())) {
57898 + curr->crashes = 0;
57899 + curr->expires = 0;
57900 + }
57901 +
57902 + return 0;
57903 +}
57904 +
57905 +void
57906 +gr_handle_alertkill(struct task_struct *task)
57907 +{
57908 + struct acl_subject_label *curracl;
57909 + __u32 curr_ip;
57910 + struct task_struct *p, *p2;
57911 +
57912 + if (unlikely(!gr_acl_is_enabled()))
57913 + return;
57914 +
57915 + curracl = task->acl;
57916 + curr_ip = task->signal->curr_ip;
57917 +
57918 + if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
57919 + read_lock(&tasklist_lock);
57920 + do_each_thread(p2, p) {
57921 + if (p->signal->curr_ip == curr_ip)
57922 + gr_fake_force_sig(SIGKILL, p);
57923 + } while_each_thread(p2, p);
57924 + read_unlock(&tasklist_lock);
57925 + } else if (curracl->mode & GR_KILLPROC)
57926 + gr_fake_force_sig(SIGKILL, task);
57927 +
57928 + return;
57929 +}
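Review bot: In gr_insert_uid the `if (uid_used == GR_UIDTABLE_MAX) return;` guard runs before `gr_find_uid(uid)`, so once the table is full a uid that is already listed no longer gets its `expires` refreshed, and a new uid is dropped with no log line. Doing the lookup first, `loc = gr_find_uid(uid); if (loc >= 0) { uid_set[loc].expires = expires; return; }`, and only then testing for a full table keeps the refresh working. Expired entries are removed only in gr_check_crash_uid, when the same uid is looked up again, so stale entries can keep the table full; sweeping expired entries before giving up on an insert would address that. Separately, gr_handle_crash and gr_check_crash_exec write `curr->crashes` and `curr->expires` with no lock visible in this file, so it is worth confirming what serialises those updates when several tasks share a subject.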
57930 diff -urNp linux-2.6.32.49/grsecurity/gracl_shm.c linux-2.6.32.49/grsecurity/gracl_shm.c
57931 --- linux-2.6.32.49/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
57932 +++ linux-2.6.32.49/grsecurity/gracl_shm.c 2011-11-15 19:59:43.000000000 -0500
57933 @@ -0,0 +1,40 @@
57934 +#include <linux/kernel.h>
57935 +#include <linux/mm.h>
57936 +#include <linux/sched.h>
57937 +#include <linux/file.h>
57938 +#include <linux/ipc.h>
57939 +#include <linux/gracl.h>
57940 +#include <linux/grsecurity.h>
57941 +#include <linux/grinternal.h>
57942 +
57943 +int
57944 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
57945 + const time_t shm_createtime, const uid_t cuid, const int shmid)
57946 +{
57947 + struct task_struct *task;
57948 +
57949 + if (!gr_acl_is_enabled())
57950 + return 1;
57951 +
57952 + rcu_read_lock();
57953 + read_lock(&tasklist_lock);
57954 +
57955 + task = find_task_by_vpid(shm_cprid);
57956 +
57957 + if (unlikely(!task))
57958 + task = find_task_by_vpid(shm_lapid);
57959 +
57960 + if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
57961 + (task->pid == shm_lapid)) &&
57962 + (task->acl->mode & GR_PROTSHM) &&
57963 + (task->acl != current->acl))) {
57964 + read_unlock(&tasklist_lock);
57965 + rcu_read_unlock();
57966 + gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
57967 + return 0;
57968 + }
57969 + read_unlock(&tasklist_lock);
57970 + rcu_read_unlock();
57971 +
57972 + return 1;
57973 +}
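Review bot: The `time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime)` test in gr_handle_shmat may compare stamps taken from two different clocks. As far as I can tell `task->start_time` is a monotonic (since-boot) time in this kernel series, while `shm_createtime` looks like a wall-clock value; its origin is outside this hunk, so this needs confirming. If that is the case, the start time is almost always the smaller value and the test cannot tell the segment's creator from a later task that reused the pid. Taking both stamps from the same clock would restore the check, and gr_chroot_shmat in grsec_chroot.c makes the same comparison. A header comment such as `/* returns 1 to allow the attach, 0 to deny and log */` would also make the return convention explicit.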
57974 diff -urNp linux-2.6.32.49/grsecurity/grsec_chdir.c linux-2.6.32.49/grsecurity/grsec_chdir.c
57975 --- linux-2.6.32.49/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
57976 +++ linux-2.6.32.49/grsecurity/grsec_chdir.c 2011-11-15 19:59:43.000000000 -0500
57977 @@ -0,0 +1,19 @@
57978 +#include <linux/kernel.h>
57979 +#include <linux/sched.h>
57980 +#include <linux/fs.h>
57981 +#include <linux/file.h>
57982 +#include <linux/grsecurity.h>
57983 +#include <linux/grinternal.h>
57984 +
57985 +void
57986 +gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
57987 +{
57988 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
57989 + if ((grsec_enable_chdir && grsec_enable_group &&
57990 + in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
57991 + !grsec_enable_group)) {
57992 + gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
57993 + }
57994 +#endif
57995 + return;
57996 +}
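Review bot: The audit condition in gr_log_chdir tests `grsec_enable_chdir` twice and is easier to check when factored as `if (grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid)))`. The two forms are logically equivalent, and in_group_p() is still evaluated only when group filtering is on. The trailing `return;` at the end of this void function can be dropped too.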
57997 diff -urNp linux-2.6.32.49/grsecurity/grsec_chroot.c linux-2.6.32.49/grsecurity/grsec_chroot.c
57998 --- linux-2.6.32.49/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
57999 +++ linux-2.6.32.49/grsecurity/grsec_chroot.c 2011-11-15 19:59:43.000000000 -0500
58000 @@ -0,0 +1,386 @@
58001 +#include <linux/kernel.h>
58002 +#include <linux/module.h>
58003 +#include <linux/sched.h>
58004 +#include <linux/file.h>
58005 +#include <linux/fs.h>
58006 +#include <linux/mount.h>
58007 +#include <linux/types.h>
58008 +#include <linux/pid_namespace.h>
58009 +#include <linux/grsecurity.h>
58010 +#include <linux/grinternal.h>
58011 +
58012 +void gr_set_chroot_entries(struct task_struct *task, struct path *path)
58013 +{
58014 +#ifdef CONFIG_GRKERNSEC
58015 + if (task->pid > 1 && path->dentry != init_task.fs->root.dentry &&
58016 + path->dentry != task->nsproxy->mnt_ns->root->mnt_root)
58017 + task->gr_is_chrooted = 1;
58018 + else
58019 + task->gr_is_chrooted = 0;
58020 +
58021 + task->gr_chroot_dentry = path->dentry;
58022 +#endif
58023 + return;
58024 +}
58025 +
58026 +void gr_clear_chroot_entries(struct task_struct *task)
58027 +{
58028 +#ifdef CONFIG_GRKERNSEC
58029 + task->gr_is_chrooted = 0;
58030 + task->gr_chroot_dentry = NULL;
58031 +#endif
58032 + return;
58033 +}
58034 +
58035 +int
58036 +gr_handle_chroot_unix(const pid_t pid)
58037 +{
58038 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
58039 + struct task_struct *p;
58040 +
58041 + if (unlikely(!grsec_enable_chroot_unix))
58042 + return 1;
58043 +
58044 + if (likely(!proc_is_chrooted(current)))
58045 + return 1;
58046 +
58047 + rcu_read_lock();
58048 + read_lock(&tasklist_lock);
58049 +
58050 + p = find_task_by_vpid_unrestricted(pid);
58051 + if (unlikely(p && !have_same_root(current, p))) {
58052 + read_unlock(&tasklist_lock);
58053 + rcu_read_unlock();
58054 + gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
58055 + return 0;
58056 + }
58057 + read_unlock(&tasklist_lock);
58058 + rcu_read_unlock();
58059 +#endif
58060 + return 1;
58061 +}
58062 +
58063 +int
58064 +gr_handle_chroot_nice(void)
58065 +{
58066 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
58067 + if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
58068 + gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
58069 + return -EPERM;
58070 + }
58071 +#endif
58072 + return 0;
58073 +}
58074 +
58075 +int
58076 +gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
58077 +{
58078 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
58079 + if (grsec_enable_chroot_nice && (niceval < task_nice(p))
58080 + && proc_is_chrooted(current)) {
58081 + gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
58082 + return -EACCES;
58083 + }
58084 +#endif
58085 + return 0;
58086 +}
58087 +
58088 +int
58089 +gr_handle_chroot_rawio(const struct inode *inode)
58090 +{
58091 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
58092 + if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
58093 + inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
58094 + return 1;
58095 +#endif
58096 + return 0;
58097 +}
58098 +
58099 +int
58100 +gr_handle_chroot_fowner(struct pid *pid, enum pid_type type)
58101 +{
58102 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
58103 + struct task_struct *p;
58104 + int ret = 0;
58105 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || !pid)
58106 + return ret;
58107 +
58108 + read_lock(&tasklist_lock);
58109 + do_each_pid_task(pid, type, p) {
58110 + if (!have_same_root(current, p)) {
58111 + ret = 1;
58112 + goto out;
58113 + }
58114 + } while_each_pid_task(pid, type, p);
58115 +out:
58116 + read_unlock(&tasklist_lock);
58117 + return ret;
58118 +#endif
58119 + return 0;
58120 +}
58121 +
58122 +int
58123 +gr_pid_is_chrooted(struct task_struct *p)
58124 +{
58125 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
58126 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
58127 + return 0;
58128 +
58129 + if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
58130 + !have_same_root(current, p)) {
58131 + return 1;
58132 + }
58133 +#endif
58134 + return 0;
58135 +}
58136 +
58137 +EXPORT_SYMBOL(gr_pid_is_chrooted);
58138 +
58139 +#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
58140 +int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
58141 +{
58142 + struct dentry *dentry = (struct dentry *)u_dentry;
58143 + struct vfsmount *mnt = (struct vfsmount *)u_mnt;
58144 + struct dentry *realroot;
58145 + struct vfsmount *realrootmnt;
58146 + struct dentry *currentroot;
58147 + struct vfsmount *currentmnt;
58148 + struct task_struct *reaper = &init_task;
58149 + int ret = 1;
58150 +
58151 + read_lock(&reaper->fs->lock);
58152 + realrootmnt = mntget(reaper->fs->root.mnt);
58153 + realroot = dget(reaper->fs->root.dentry);
58154 + read_unlock(&reaper->fs->lock);
58155 +
58156 + read_lock(&current->fs->lock);
58157 + currentmnt = mntget(current->fs->root.mnt);
58158 + currentroot = dget(current->fs->root.dentry);
58159 + read_unlock(&current->fs->lock);
58160 +
58161 + spin_lock(&dcache_lock);
58162 + for (;;) {
58163 + if (unlikely((dentry == realroot && mnt == realrootmnt)
58164 + || (dentry == currentroot && mnt == currentmnt)))
58165 + break;
58166 + if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) {
58167 + if (mnt->mnt_parent == mnt)
58168 + break;
58169 + dentry = mnt->mnt_mountpoint;
58170 + mnt = mnt->mnt_parent;
58171 + continue;
58172 + }
58173 + dentry = dentry->d_parent;
58174 + }
58175 + spin_unlock(&dcache_lock);
58176 +
58177 + dput(currentroot);
58178 + mntput(currentmnt);
58179 +
58180 + /* access is outside of chroot */
58181 + if (dentry == realroot && mnt == realrootmnt)
58182 + ret = 0;
58183 +
58184 + dput(realroot);
58185 + mntput(realrootmnt);
58186 + return ret;
58187 +}
58188 +#endif
58189 +
58190 +int
58191 +gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
58192 +{
58193 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
58194 + if (!grsec_enable_chroot_fchdir)
58195 + return 1;
58196 +
58197 + if (!proc_is_chrooted(current))
58198 + return 1;
58199 + else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
58200 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
58201 + return 0;
58202 + }
58203 +#endif
58204 + return 1;
58205 +}
58206 +
58207 +int
58208 +gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
58209 + const time_t shm_createtime)
58210 +{
58211 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
58212 + struct task_struct *p;
58213 + time_t starttime;
58214 +
58215 + if (unlikely(!grsec_enable_chroot_shmat))
58216 + return 1;
58217 +
58218 + if (likely(!proc_is_chrooted(current)))
58219 + return 1;
58220 +
58221 + rcu_read_lock();
58222 + read_lock(&tasklist_lock);
58223 +
58224 + if ((p = find_task_by_vpid_unrestricted(shm_cprid))) {
58225 + starttime = p->start_time.tv_sec;
58226 + if (time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime)) {
58227 + if (have_same_root(current, p)) {
58228 + goto allow;
58229 + } else {
58230 + read_unlock(&tasklist_lock);
58231 + rcu_read_unlock();
58232 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
58233 + return 0;
58234 + }
58235 + }
58236 + /* creator exited, pid reuse, fall through to next check */
58237 + }
58238 + if ((p = find_task_by_vpid_unrestricted(shm_lapid))) {
58239 + if (unlikely(!have_same_root(current, p))) {
58240 + read_unlock(&tasklist_lock);
58241 + rcu_read_unlock();
58242 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
58243 + return 0;
58244 + }
58245 + }
58246 +
58247 +allow:
58248 + read_unlock(&tasklist_lock);
58249 + rcu_read_unlock();
58250 +#endif
58251 + return 1;
58252 +}
58253 +
58254 +void
58255 +gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
58256 +{
58257 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
58258 + if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
58259 + gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
58260 +#endif
58261 + return;
58262 +}
58263 +
58264 +int
58265 +gr_handle_chroot_mknod(const struct dentry *dentry,
58266 + const struct vfsmount *mnt, const int mode)
58267 +{
58268 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
58269 + if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
58270 + proc_is_chrooted(current)) {
58271 + gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
58272 + return -EPERM;
58273 + }
58274 +#endif
58275 + return 0;
58276 +}
58277 +
58278 +int
58279 +gr_handle_chroot_mount(const struct dentry *dentry,
58280 + const struct vfsmount *mnt, const char *dev_name)
58281 +{
58282 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
58283 + if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
58284 + gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name ? dev_name : "none" , dentry, mnt);
58285 + return -EPERM;
58286 + }
58287 +#endif
58288 + return 0;
58289 +}
58290 +
58291 +int
58292 +gr_handle_chroot_pivot(void)
58293 +{
58294 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
58295 + if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
58296 + gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
58297 + return -EPERM;
58298 + }
58299 +#endif
58300 + return 0;
58301 +}
58302 +
58303 +int
58304 +gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
58305 +{
58306 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
58307 + if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
58308 + !gr_is_outside_chroot(dentry, mnt)) {
58309 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
58310 + return -EPERM;
58311 + }
58312 +#endif
58313 + return 0;
58314 +}
58315 +
58316 +extern const char *captab_log[];
58317 +extern int captab_log_entries;
58318 +
58319 +int
58320 +gr_chroot_is_capable(const int cap)
58321 +{
58322 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
58323 + if (grsec_enable_chroot_caps && proc_is_chrooted(current)) {
58324 + kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
58325 + if (cap_raised(chroot_caps, cap)) {
58326 + const struct cred *creds = current_cred();
58327 + if (cap_raised(creds->cap_effective, cap) && cap < captab_log_entries) {
58328 + gr_log_cap(GR_DONT_AUDIT, GR_CAP_CHROOT_MSG, current, captab_log[cap]);
58329 + }
58330 + return 0;
58331 + }
58332 + }
58333 +#endif
58334 + return 1;
58335 +}
58336 +
58337 +int
58338 +gr_chroot_is_capable_nolog(const int cap)
58339 +{
58340 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
58341 + if (grsec_enable_chroot_caps && proc_is_chrooted(current)) {
58342 + kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
58343 + if (cap_raised(chroot_caps, cap)) {
58344 + return 0;
58345 + }
58346 + }
58347 +#endif
58348 + return 1;
58349 +}
58350 +
58351 +int
58352 +gr_handle_chroot_sysctl(const int op)
58353 +{
58354 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
58355 + if (grsec_enable_chroot_sysctl && proc_is_chrooted(current)
58356 + && (op & MAY_WRITE))
58357 + return -EACCES;
58358 +#endif
58359 + return 0;
58360 +}
58361 +
58362 +void
58363 +gr_handle_chroot_chdir(struct path *path)
58364 +{
58365 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
58366 + if (grsec_enable_chroot_chdir)
58367 + set_fs_pwd(current->fs, path);
58368 +#endif
58369 + return;
58370 +}
58371 +
58372 +int
58373 +gr_handle_chroot_chmod(const struct dentry *dentry,
58374 + const struct vfsmount *mnt, const int mode)
58375 +{
58376 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
58377 + /* allow chmod +s on directories, but not on files */
58378 + if (grsec_enable_chroot_chmod && !S_ISDIR(dentry->d_inode->i_mode) &&
58379 + ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
58380 + proc_is_chrooted(current)) {
58381 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
58382 + return -EPERM;
58383 + }
58384 +#endif
58385 + return 0;
58386 +}
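Review bot: gr_is_outside_chroot() returns the opposite of what its name says: `ret` stays 1 when the walk stops at the caller's own root and becomes 0 when it reaches init's root, and both gr_chroot_fchdir and gr_handle_chroot_chroot deny on `!gr_is_outside_chroot(...)`. A comment above the function such as `/* returns 1 if (dentry, mnt) lies under current's root, 0 if the walk reaches init's root */` would stop a later caller from reading it the wrong way; renaming it is the cleaner fix if all callers are in this patch. The loop also leaves `ret` at 1 when it breaks on `mnt->mnt_parent == mnt` without meeting either root, so that case is treated as inside the chroot; if that is intended it deserves a comment, otherwise it should be denied. The hooks in this file also mix three return conventions (1 allow / 0 deny, 0 allow / -EPERM or -EACCES deny, 1 deny in gr_handle_chroot_rawio and gr_handle_chroot_fowner), so a one-line comment on each stating which value denies would help.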
58387 diff -urNp linux-2.6.32.49/grsecurity/grsec_disabled.c linux-2.6.32.49/grsecurity/grsec_disabled.c
58388 --- linux-2.6.32.49/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
58389 +++ linux-2.6.32.49/grsecurity/grsec_disabled.c 2011-11-18 19:30:15.000000000 -0500
58390 @@ -0,0 +1,439 @@
58391 +#include <linux/kernel.h>
58392 +#include <linux/module.h>
58393 +#include <linux/sched.h>
58394 +#include <linux/file.h>
58395 +#include <linux/fs.h>
58396 +#include <linux/kdev_t.h>
58397 +#include <linux/net.h>
58398 +#include <linux/in.h>
58399 +#include <linux/ip.h>
58400 +#include <linux/skbuff.h>
58401 +#include <linux/sysctl.h>
58402 +
58403 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
58404 +void
58405 +pax_set_initial_flags(struct linux_binprm *bprm)
58406 +{
58407 + return;
58408 +}
58409 +#endif
58410 +
58411 +#ifdef CONFIG_SYSCTL
58412 +__u32
58413 +gr_handle_sysctl(const struct ctl_table * table, const int op)
58414 +{
58415 + return 0;
58416 +}
58417 +#endif
58418 +
58419 +#ifdef CONFIG_TASKSTATS
58420 +int gr_is_taskstats_denied(int pid)
58421 +{
58422 + return 0;
58423 +}
58424 +#endif
58425 +
58426 +int
58427 +gr_acl_is_enabled(void)
58428 +{
58429 + return 0;
58430 +}
58431 +
58432 +void
58433 +gr_handle_proc_create(const struct dentry *dentry, const struct inode *inode)
58434 +{
58435 + return;
58436 +}
58437 +
58438 +int
58439 +gr_handle_rawio(const struct inode *inode)
58440 +{
58441 + return 0;
58442 +}
58443 +
58444 +void
58445 +gr_acl_handle_psacct(struct task_struct *task, const long code)
58446 +{
58447 + return;
58448 +}
58449 +
58450 +int
58451 +gr_handle_ptrace(struct task_struct *task, const long request)
58452 +{
58453 + return 0;
58454 +}
58455 +
58456 +int
58457 +gr_handle_proc_ptrace(struct task_struct *task)
58458 +{
58459 + return 0;
58460 +}
58461 +
58462 +void
58463 +gr_learn_resource(const struct task_struct *task,
58464 + const int res, const unsigned long wanted, const int gt)
58465 +{
58466 + return;
58467 +}
58468 +
58469 +int
58470 +gr_set_acls(const int type)
58471 +{
58472 + return 0;
58473 +}
58474 +
58475 +int
58476 +gr_check_hidden_task(const struct task_struct *tsk)
58477 +{
58478 + return 0;
58479 +}
58480 +
58481 +int
58482 +gr_check_protected_task(const struct task_struct *task)
58483 +{
58484 + return 0;
58485 +}
58486 +
58487 +int
58488 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
58489 +{
58490 + return 0;
58491 +}
58492 +
58493 +void
58494 +gr_copy_label(struct task_struct *tsk)
58495 +{
58496 + return;
58497 +}
58498 +
58499 +void
58500 +gr_set_pax_flags(struct task_struct *task)
58501 +{
58502 + return;
58503 +}
58504 +
58505 +int
58506 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
58507 + const int unsafe_share)
58508 +{
58509 + return 0;
58510 +}
58511 +
58512 +void
58513 +gr_handle_delete(const ino_t ino, const dev_t dev)
58514 +{
58515 + return;
58516 +}
58517 +
58518 +void
58519 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
58520 +{
58521 + return;
58522 +}
58523 +
58524 +void
58525 +gr_handle_crash(struct task_struct *task, const int sig)
58526 +{
58527 + return;
58528 +}
58529 +
58530 +int
58531 +gr_check_crash_exec(const struct file *filp)
58532 +{
58533 + return 0;
58534 +}
58535 +
58536 +int
58537 +gr_check_crash_uid(const uid_t uid)
58538 +{
58539 + return 0;
58540 +}
58541 +
58542 +void
58543 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
58544 + struct dentry *old_dentry,
58545 + struct dentry *new_dentry,
58546 + struct vfsmount *mnt, const __u8 replace)
58547 +{
58548 + return;
58549 +}
58550 +
58551 +int
58552 +gr_search_socket(const int family, const int type, const int protocol)
58553 +{
58554 + return 1;
58555 +}
58556 +
58557 +int
58558 +gr_search_connectbind(const int mode, const struct socket *sock,
58559 + const struct sockaddr_in *addr)
58560 +{
58561 + return 0;
58562 +}
58563 +
58564 +void
58565 +gr_handle_alertkill(struct task_struct *task)
58566 +{
58567 + return;
58568 +}
58569 +
58570 +__u32
58571 +gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
58572 +{
58573 + return 1;
58574 +}
58575 +
58576 +__u32
58577 +gr_acl_handle_hidden_file(const struct dentry * dentry,
58578 + const struct vfsmount * mnt)
58579 +{
58580 + return 1;
58581 +}
58582 +
58583 +__u32
58584 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
58585 + int acc_mode)
58586 +{
58587 + return 1;
58588 +}
58589 +
58590 +__u32
58591 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
58592 +{
58593 + return 1;
58594 +}
58595 +
58596 +__u32
58597 +gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
58598 +{
58599 + return 1;
58600 +}
58601 +
58602 +int
58603 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
58604 + unsigned int *vm_flags)
58605 +{
58606 + return 1;
58607 +}
58608 +
58609 +__u32
58610 +gr_acl_handle_truncate(const struct dentry * dentry,
58611 + const struct vfsmount * mnt)
58612 +{
58613 + return 1;
58614 +}
58615 +
58616 +__u32
58617 +gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
58618 +{
58619 + return 1;
58620 +}
58621 +
58622 +__u32
58623 +gr_acl_handle_access(const struct dentry * dentry,
58624 + const struct vfsmount * mnt, const int fmode)
58625 +{
58626 + return 1;
58627 +}
58628 +
58629 +__u32
58630 +gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
58631 + mode_t mode)
58632 +{
58633 + return 1;
58634 +}
58635 +
58636 +__u32
58637 +gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
58638 + mode_t mode)
58639 +{
58640 + return 1;
58641 +}
58642 +
58643 +__u32
58644 +gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
58645 +{
58646 + return 1;
58647 +}
58648 +
58649 +__u32
58650 +gr_acl_handle_setxattr(const struct dentry * dentry, const struct vfsmount * mnt)
58651 +{
58652 + return 1;
58653 +}
58654 +
58655 +void
58656 +grsecurity_init(void)
58657 +{
58658 + return;
58659 +}
58660 +
58661 +__u32
58662 +gr_acl_handle_mknod(const struct dentry * new_dentry,
58663 + const struct dentry * parent_dentry,
58664 + const struct vfsmount * parent_mnt,
58665 + const int mode)
58666 +{
58667 + return 1;
58668 +}
58669 +
58670 +__u32
58671 +gr_acl_handle_mkdir(const struct dentry * new_dentry,
58672 + const struct dentry * parent_dentry,
58673 + const struct vfsmount * parent_mnt)
58674 +{
58675 + return 1;
58676 +}
58677 +
58678 +__u32
58679 +gr_acl_handle_symlink(const struct dentry * new_dentry,
58680 + const struct dentry * parent_dentry,
58681 + const struct vfsmount * parent_mnt, const char *from)
58682 +{
58683 + return 1;
58684 +}
58685 +
58686 +__u32
58687 +gr_acl_handle_link(const struct dentry * new_dentry,
58688 + const struct dentry * parent_dentry,
58689 + const struct vfsmount * parent_mnt,
58690 + const struct dentry * old_dentry,
58691 + const struct vfsmount * old_mnt, const char *to)
58692 +{
58693 + return 1;
58694 +}
58695 +
58696 +int
58697 +gr_acl_handle_rename(const struct dentry *new_dentry,
58698 + const struct dentry *parent_dentry,
58699 + const struct vfsmount *parent_mnt,
58700 + const struct dentry *old_dentry,
58701 + const struct inode *old_parent_inode,
58702 + const struct vfsmount *old_mnt, const char *newname)
58703 +{
58704 + return 0;
58705 +}
58706 +
58707 +int
58708 +gr_acl_handle_filldir(const struct file *file, const char *name,
58709 + const int namelen, const ino_t ino)
58710 +{
58711 + return 1;
58712 +}
58713 +
58714 +int
58715 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
58716 + const time_t shm_createtime, const uid_t cuid, const int shmid)
58717 +{
58718 + return 1;
58719 +}
58720 +
58721 +int
58722 +gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
58723 +{
58724 + return 0;
58725 +}
58726 +
58727 +int
58728 +gr_search_accept(const struct socket *sock)
58729 +{
58730 + return 0;
58731 +}
58732 +
58733 +int
58734 +gr_search_listen(const struct socket *sock)
58735 +{
58736 + return 0;
58737 +}
58738 +
58739 +int
58740 +gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
58741 +{
58742 + return 0;
58743 +}
58744 +
58745 +__u32
58746 +gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
58747 +{
58748 + return 1;
58749 +}
58750 +
58751 +__u32
58752 +gr_acl_handle_creat(const struct dentry * dentry,
58753 + const struct dentry * p_dentry,
58754 + const struct vfsmount * p_mnt, int open_flags, int acc_mode,
58755 + const int imode)
58756 +{
58757 + return 1;
58758 +}
58759 +
58760 +void
58761 +gr_acl_handle_exit(void)
58762 +{
58763 + return;
58764 +}
58765 +
58766 +int
58767 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
58768 +{
58769 + return 1;
58770 +}
58771 +
58772 +void
58773 +gr_set_role_label(const uid_t uid, const gid_t gid)
58774 +{
58775 + return;
58776 +}
58777 +
58778 +int
58779 +gr_acl_handle_procpidmem(const struct task_struct *task)
58780 +{
58781 + return 0;
58782 +}
58783 +
58784 +int
58785 +gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
58786 +{
58787 + return 0;
58788 +}
58789 +
58790 +int
58791 +gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
58792 +{
58793 + return 0;
58794 +}
58795 +
58796 +void
58797 +gr_set_kernel_label(struct task_struct *task)
58798 +{
58799 + return;
58800 +}
58801 +
58802 +int
58803 +gr_check_user_change(int real, int effective, int fs)
58804 +{
58805 + return 0;
58806 +}
58807 +
58808 +int
58809 +gr_check_group_change(int real, int effective, int fs)
58810 +{
58811 + return 0;
58812 +}
58813 +
58814 +int gr_acl_enable_at_secure(void)
58815 +{
58816 + return 0;
58817 +}
58818 +
58819 +dev_t gr_get_dev_from_dentry(struct dentry *dentry)
58820 +{
58821 + return dentry->d_inode->i_sb->s_dev;
58822 +}
58823 +
58824 +EXPORT_SYMBOL(gr_learn_resource);
58825 +EXPORT_SYMBOL(gr_set_kernel_label);
58826 +#ifdef CONFIG_SECURITY
58827 +EXPORT_SYMBOL(gr_check_user_change);
58828 +EXPORT_SYMBOL(gr_check_group_change);
58829 +#endif
58830 diff -urNp linux-2.6.32.49/grsecurity/grsec_exec.c linux-2.6.32.49/grsecurity/grsec_exec.c
58831 --- linux-2.6.32.49/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
58832 +++ linux-2.6.32.49/grsecurity/grsec_exec.c 2011-11-15 19:59:43.000000000 -0500
58833 @@ -0,0 +1,204 @@
58834 +#include <linux/kernel.h>
58835 +#include <linux/sched.h>
58836 +#include <linux/file.h>
58837 +#include <linux/binfmts.h>
58838 +#include <linux/smp_lock.h>
58839 +#include <linux/fs.h>
58840 +#include <linux/types.h>
58841 +#include <linux/grdefs.h>
58842 +#include <linux/grinternal.h>
58843 +#include <linux/capability.h>
58844 +#include <linux/compat.h>
58845 +#include <linux/module.h>
58846 +
58847 +#include <asm/uaccess.h>
58848 +
58849 +#ifdef CONFIG_GRKERNSEC_EXECLOG
58850 +static char gr_exec_arg_buf[132];
58851 +static DEFINE_MUTEX(gr_exec_arg_mutex);
58852 +#endif
58853 +
58854 +void
58855 +gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv)
58856 +{
58857 +#ifdef CONFIG_GRKERNSEC_EXECLOG
58858 + char *grarg = gr_exec_arg_buf;
58859 + unsigned int i, x, execlen = 0;
58860 + char c;
58861 +
58862 + if (!((grsec_enable_execlog && grsec_enable_group &&
58863 + in_group_p(grsec_audit_gid))
58864 + || (grsec_enable_execlog && !grsec_enable_group)))
58865 + return;
58866 +
58867 + mutex_lock(&gr_exec_arg_mutex);
58868 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
58869 +
58870 + if (unlikely(argv == NULL))
58871 + goto log;
58872 +
58873 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
58874 + const char __user *p;
58875 + unsigned int len;
58876 +
58877 + if (copy_from_user(&p, argv + i, sizeof(p)))
58878 + goto log;
58879 + if (!p)
58880 + goto log;
58881 + len = strnlen_user(p, 128 - execlen);
58882 + if (len > 128 - execlen)
58883 + len = 128 - execlen;
58884 + else if (len > 0)
58885 + len--;
58886 + if (copy_from_user(grarg + execlen, p, len))
58887 + goto log;
58888 +
58889 + /* rewrite unprintable characters */
58890 + for (x = 0; x < len; x++) {
58891 + c = *(grarg + execlen + x);
58892 + if (c < 32 || c > 126)
58893 + *(grarg + execlen + x) = ' ';
58894 + }
58895 +
58896 + execlen += len;
58897 + *(grarg + execlen) = ' ';
58898 + *(grarg + execlen + 1) = '\0';
58899 + execlen++;
58900 + }
58901 +
58902 + log:
58903 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
58904 + bprm->file->f_path.mnt, grarg);
58905 + mutex_unlock(&gr_exec_arg_mutex);
58906 +#endif
58907 + return;
58908 +}
58909 +
58910 +#ifdef CONFIG_COMPAT
58911 +void
58912 +gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv)
58913 +{
58914 +#ifdef CONFIG_GRKERNSEC_EXECLOG
58915 + char *grarg = gr_exec_arg_buf;
58916 + unsigned int i, x, execlen = 0;
58917 + char c;
58918 +
58919 + if (!((grsec_enable_execlog && grsec_enable_group &&
58920 + in_group_p(grsec_audit_gid))
58921 + || (grsec_enable_execlog && !grsec_enable_group)))
58922 + return;
58923 +
58924 + mutex_lock(&gr_exec_arg_mutex);
58925 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
58926 +
58927 + if (unlikely(argv == NULL))
58928 + goto log;
58929 +
58930 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
58931 + compat_uptr_t p;
58932 + unsigned int len;
58933 +
58934 + if (get_user(p, argv + i))
58935 + goto log;
58936 + len = strnlen_user(compat_ptr(p), 128 - execlen);
58937 + if (len > 128 - execlen)
58938 + len = 128 - execlen;
58939 + else if (len > 0)
58940 + len--;
58941 + else
58942 + goto log;
58943 + if (copy_from_user(grarg + execlen, compat_ptr(p), len))
58944 + goto log;
58945 +
58946 + /* rewrite unprintable characters */
58947 + for (x = 0; x < len; x++) {
58948 + c = *(grarg + execlen + x);
58949 + if (c < 32 || c > 126)
58950 + *(grarg + execlen + x) = ' ';
58951 + }
58952 +
58953 + execlen += len;
58954 + *(grarg + execlen) = ' ';
58955 + *(grarg + execlen + 1) = '\0';
58956 + execlen++;
58957 + }
58958 +
58959 + log:
58960 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
58961 + bprm->file->f_path.mnt, grarg);
58962 + mutex_unlock(&gr_exec_arg_mutex);
58963 +#endif
58964 + return;
58965 +}
58966 +#endif
58967 +
58968 +#ifdef CONFIG_GRKERNSEC
58969 +extern int gr_acl_is_capable(const int cap);
58970 +extern int gr_acl_is_capable_nolog(const int cap);
58971 +extern int gr_chroot_is_capable(const int cap);
58972 +extern int gr_chroot_is_capable_nolog(const int cap);
58973 +#endif
58974 +
58975 +const char *captab_log[] = {
58976 + "CAP_CHOWN",
58977 + "CAP_DAC_OVERRIDE",
58978 + "CAP_DAC_READ_SEARCH",
58979 + "CAP_FOWNER",
58980 + "CAP_FSETID",
58981 + "CAP_KILL",
58982 + "CAP_SETGID",
58983 + "CAP_SETUID",
58984 + "CAP_SETPCAP",
58985 + "CAP_LINUX_IMMUTABLE",
58986 + "CAP_NET_BIND_SERVICE",
58987 + "CAP_NET_BROADCAST",
58988 + "CAP_NET_ADMIN",
58989 + "CAP_NET_RAW",
58990 + "CAP_IPC_LOCK",
58991 + "CAP_IPC_OWNER",
58992 + "CAP_SYS_MODULE",
58993 + "CAP_SYS_RAWIO",
58994 + "CAP_SYS_CHROOT",
58995 + "CAP_SYS_PTRACE",
58996 + "CAP_SYS_PACCT",
58997 + "CAP_SYS_ADMIN",
58998 + "CAP_SYS_BOOT",
58999 + "CAP_SYS_NICE",
59000 + "CAP_SYS_RESOURCE",
59001 + "CAP_SYS_TIME",
59002 + "CAP_SYS_TTY_CONFIG",
59003 + "CAP_MKNOD",
59004 + "CAP_LEASE",
59005 + "CAP_AUDIT_WRITE",
59006 + "CAP_AUDIT_CONTROL",
59007 + "CAP_SETFCAP",
59008 + "CAP_MAC_OVERRIDE",
59009 + "CAP_MAC_ADMIN"
59010 +};
59011 +
59012 +int captab_log_entries = sizeof(captab_log)/sizeof(captab_log[0]);
59013 +
59014 +int gr_is_capable(const int cap)
59015 +{
59016 +#ifdef CONFIG_GRKERNSEC
59017 + if (gr_acl_is_capable(cap) && gr_chroot_is_capable(cap))
59018 + return 1;
59019 + return 0;
59020 +#else
59021 + return 1;
59022 +#endif
59023 +}
59024 +
59025 +int gr_is_capable_nolog(const int cap)
59026 +{
59027 +#ifdef CONFIG_GRKERNSEC
59028 + if (gr_acl_is_capable_nolog(cap) && gr_chroot_is_capable_nolog(cap))
59029 + return 1;
59030 + return 0;
59031 +#else
59032 + return 1;
59033 +#endif
59034 +}
59035 +
59036 +EXPORT_SYMBOL(gr_is_capable);
59037 +EXPORT_SYMBOL(gr_is_capable_nolog);
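Review bot: gr_handle_exec_args and gr_handle_exec_args_compat disagree on a failed `strnlen_user()`: the compat loop has `else goto log;` when it returns 0, while the native loop falls through, copies zero bytes, appends a space and moves on to the next argument. Adding the same `else goto log;` after `len--;` in the native loop makes both paths stop at the first unreadable argument. Both functions also read the argument strings from user memory only for logging and cut the record at 128 bytes without a marker. A comment should say so, and if the exec path copies the strings separately (not visible in this hunk), it should add that the logged text can differ from what is executed.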
59038 diff -urNp linux-2.6.32.49/grsecurity/grsec_fifo.c linux-2.6.32.49/grsecurity/grsec_fifo.c
59039 --- linux-2.6.32.49/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
59040 +++ linux-2.6.32.49/grsecurity/grsec_fifo.c 2011-11-15 19:59:43.000000000 -0500
59041 @@ -0,0 +1,24 @@
59042 +#include <linux/kernel.h>
59043 +#include <linux/sched.h>
59044 +#include <linux/fs.h>
59045 +#include <linux/file.h>
59046 +#include <linux/grinternal.h>
59047 +
59048 +int
59049 +gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
59050 + const struct dentry *dir, const int flag, const int acc_mode)
59051 +{
59052 +#ifdef CONFIG_GRKERNSEC_FIFO
59053 + const struct cred *cred = current_cred();
59054 +
59055 + if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
59056 + !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
59057 + (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
59058 + (cred->fsuid != dentry->d_inode->i_uid)) {
59059 + if (!inode_permission(dentry->d_inode, acc_mode))
59060 + gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
59061 + return -EACCES;
59062 + }
59063 +#endif
59064 + return 0;
59065 +}
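Review bot: The unbraced `if (!inode_permission(dentry->d_inode, acc_mode))` in gr_handle_fifo is directly followed by `return -EACCES;`, which reads like a missing-brace mistake although the denial is evidently meant to be unconditional once the outer test matches. Bracing the log call and adding a comment such as `/* always deny; log only when the permission check alone would have allowed the open */` makes the intent explicit. The function also dereferences `dentry->d_inode` and `dir->d_inode` without a NULL test, so a header comment should state that callers must pass positive dentries.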
59066 diff -urNp linux-2.6.32.49/grsecurity/grsec_fork.c linux-2.6.32.49/grsecurity/grsec_fork.c
59067 --- linux-2.6.32.49/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
59068 +++ linux-2.6.32.49/grsecurity/grsec_fork.c 2011-11-15 19:59:43.000000000 -0500
59069 @@ -0,0 +1,23 @@
59070 +#include <linux/kernel.h>
59071 +#include <linux/sched.h>
59072 +#include <linux/grsecurity.h>
59073 +#include <linux/grinternal.h>
59074 +#include <linux/errno.h>
59075 +
59076 +void
59077 +gr_log_forkfail(const int retval)
59078 +{
59079 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
59080 + if (grsec_enable_forkfail && (retval == -EAGAIN || retval == -ENOMEM)) {
59081 + switch (retval) {
59082 + case -EAGAIN:
59083 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "EAGAIN");
59084 + break;
59085 + case -ENOMEM:
59086 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "ENOMEM");
59087 + break;
59088 + }
59089 + }
59090 +#endif
59091 + return;
59092 +}
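Review bot: The outer test in gr_log_forkfail repeats what the `switch` already decides: `retval == -EAGAIN || retval == -ENOMEM` and the two `case` labels select the same values. Reducing the condition to `if (grsec_enable_forkfail)` and adding `default: break;` keeps behaviour identical and leaves a single place to extend when another errno is to be logged.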
59093 diff -urNp linux-2.6.32.49/grsecurity/grsec_init.c linux-2.6.32.49/grsecurity/grsec_init.c
59094 --- linux-2.6.32.49/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
59095 +++ linux-2.6.32.49/grsecurity/grsec_init.c 2011-11-15 19:59:43.000000000 -0500
59096 @@ -0,0 +1,270 @@
59097 +#include <linux/kernel.h>
59098 +#include <linux/sched.h>
59099 +#include <linux/mm.h>
59100 +#include <linux/smp_lock.h>
59101 +#include <linux/gracl.h>
59102 +#include <linux/slab.h>
59103 +#include <linux/vmalloc.h>
59104 +#include <linux/percpu.h>
59105 +#include <linux/module.h>
59106 +
59107 +int grsec_enable_brute;
59108 +int grsec_enable_link;
59109 +int grsec_enable_dmesg;
59110 +int grsec_enable_harden_ptrace;
59111 +int grsec_enable_fifo;
59112 +int grsec_enable_execlog;
59113 +int grsec_enable_signal;
59114 +int grsec_enable_forkfail;
59115 +int grsec_enable_audit_ptrace;
59116 +int grsec_enable_time;
59117 +int grsec_enable_audit_textrel;
59118 +int grsec_enable_group;
59119 +int grsec_audit_gid;
59120 +int grsec_enable_chdir;
59121 +int grsec_enable_mount;
59122 +int grsec_enable_rofs;
59123 +int grsec_enable_chroot_findtask;
59124 +int grsec_enable_chroot_mount;
59125 +int grsec_enable_chroot_shmat;
59126 +int grsec_enable_chroot_fchdir;
59127 +int grsec_enable_chroot_double;
59128 +int grsec_enable_chroot_pivot;
59129 +int grsec_enable_chroot_chdir;
59130 +int grsec_enable_chroot_chmod;
59131 +int grsec_enable_chroot_mknod;
59132 +int grsec_enable_chroot_nice;
59133 +int grsec_enable_chroot_execlog;
59134 +int grsec_enable_chroot_caps;
59135 +int grsec_enable_chroot_sysctl;
59136 +int grsec_enable_chroot_unix;
59137 +int grsec_enable_tpe;
59138 +int grsec_tpe_gid;
59139 +int grsec_enable_blackhole;
59140 +#ifdef CONFIG_IPV6_MODULE
59141 +EXPORT_SYMBOL(grsec_enable_blackhole);
59142 +#endif
59143 +int grsec_lastack_retries;
59144 +int grsec_enable_tpe_all;
59145 +int grsec_enable_tpe_invert;
59146 +int grsec_enable_socket_all;
59147 +int grsec_socket_all_gid;
59148 +int grsec_enable_socket_client;
59149 +int grsec_socket_client_gid;
59150 +int grsec_enable_socket_server;
59151 +int grsec_socket_server_gid;
59152 +int grsec_resource_logging;
59153 +int grsec_disable_privio;
59154 +int grsec_enable_log_rwxmaps;
59155 +int grsec_lock;
59156 +
59157 +DEFINE_SPINLOCK(grsec_alert_lock);
59158 +unsigned long grsec_alert_wtime = 0;
59159 +unsigned long grsec_alert_fyet = 0;
59160 +
59161 +DEFINE_SPINLOCK(grsec_audit_lock);
59162 +
59163 +DEFINE_RWLOCK(grsec_exec_file_lock);
59164 +
59165 +char *gr_shared_page[4];
59166 +
59167 +char *gr_alert_log_fmt;
59168 +char *gr_audit_log_fmt;
59169 +char *gr_alert_log_buf;
59170 +char *gr_audit_log_buf;
59171 +
59172 +extern struct gr_arg *gr_usermode;
59173 +extern unsigned char *gr_system_salt;
59174 +extern unsigned char *gr_system_sum;
59175 +
59176 +void __init
59177 +grsecurity_init(void)
59178 +{
59179 + int j;
59180 + /* create the per-cpu shared pages */
59181 +
59182 +#ifdef CONFIG_X86
59183 + memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
59184 +#endif
59185 +
59186 + for (j = 0; j < 4; j++) {
59187 + gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
59188 + if (gr_shared_page[j] == NULL) {
59189 + panic("Unable to allocate grsecurity shared page");
59190 + return;
59191 + }
59192 + }
59193 +
59194 + /* allocate log buffers */
59195 + gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
59196 + if (!gr_alert_log_fmt) {
59197 + panic("Unable to allocate grsecurity alert log format buffer");
59198 + return;
59199 + }
59200 + gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
59201 + if (!gr_audit_log_fmt) {
59202 + panic("Unable to allocate grsecurity audit log format buffer");
59203 + return;
59204 + }
59205 + gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
59206 + if (!gr_alert_log_buf) {
59207 + panic("Unable to allocate grsecurity alert log buffer");
59208 + return;
59209 + }
59210 + gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
59211 + if (!gr_audit_log_buf) {
59212 + panic("Unable to allocate grsecurity audit log buffer");
59213 + return;
59214 + }
59215 +
59216 + /* allocate memory for authentication structure */
59217 + gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
59218 + gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
59219 + gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
59220 +
59221 + if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
59222 + panic("Unable to allocate grsecurity authentication structure");
59223 + return;
59224 + }
59225 +
59226 +
59227 +#ifdef CONFIG_GRKERNSEC_IO
59228 +#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
59229 + grsec_disable_privio = 1;
59230 +#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
59231 + grsec_disable_privio = 1;
59232 +#else
59233 + grsec_disable_privio = 0;
59234 +#endif
59235 +#endif
59236 +
59237 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
59238 + /* for backward compatibility, tpe_invert always defaults to on if
59239 + enabled in the kernel
59240 + */
59241 + grsec_enable_tpe_invert = 1;
59242 +#endif
59243 +
59244 +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
59245 +#ifndef CONFIG_GRKERNSEC_SYSCTL
59246 + grsec_lock = 1;
59247 +#endif
59248 +
59249 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
59250 + grsec_enable_audit_textrel = 1;
59251 +#endif
59252 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
59253 + grsec_enable_log_rwxmaps = 1;
59254 +#endif
59255 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
59256 + grsec_enable_group = 1;
59257 + grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
59258 +#endif
59259 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
59260 + grsec_enable_chdir = 1;
59261 +#endif
59262 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
59263 + grsec_enable_harden_ptrace = 1;
59264 +#endif
59265 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
59266 + grsec_enable_mount = 1;
59267 +#endif
59268 +#ifdef CONFIG_GRKERNSEC_LINK
59269 + grsec_enable_link = 1;
59270 +#endif
59271 +#ifdef CONFIG_GRKERNSEC_BRUTE
59272 + grsec_enable_brute = 1;
59273 +#endif
59274 +#ifdef CONFIG_GRKERNSEC_DMESG
59275 + grsec_enable_dmesg = 1;
59276 +#endif
59277 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
59278 + grsec_enable_blackhole = 1;
59279 + grsec_lastack_retries = 4;
59280 +#endif
59281 +#ifdef CONFIG_GRKERNSEC_FIFO
59282 + grsec_enable_fifo = 1;
59283 +#endif
59284 +#ifdef CONFIG_GRKERNSEC_EXECLOG
59285 + grsec_enable_execlog = 1;
59286 +#endif
59287 +#ifdef CONFIG_GRKERNSEC_SIGNAL
59288 + grsec_enable_signal = 1;
59289 +#endif
59290 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
59291 + grsec_enable_forkfail = 1;
59292 +#endif
59293 +#ifdef CONFIG_GRKERNSEC_TIME
59294 + grsec_enable_time = 1;
59295 +#endif
59296 +#ifdef CONFIG_GRKERNSEC_RESLOG
59297 + grsec_resource_logging = 1;
59298 +#endif
59299 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
59300 + grsec_enable_chroot_findtask = 1;
59301 +#endif
59302 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
59303 + grsec_enable_chroot_unix = 1;
59304 +#endif
59305 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
59306 + grsec_enable_chroot_mount = 1;
59307 +#endif
59308 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
59309 + grsec_enable_chroot_fchdir = 1;
59310 +#endif
59311 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
59312 + grsec_enable_chroot_shmat = 1;
59313 +#endif
59314 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
59315 + grsec_enable_audit_ptrace = 1;
59316 +#endif
59317 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
59318 + grsec_enable_chroot_double = 1;
59319 +#endif
59320 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
59321 + grsec_enable_chroot_pivot = 1;
59322 +#endif
59323 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
59324 + grsec_enable_chroot_chdir = 1;
59325 +#endif
59326 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
59327 + grsec_enable_chroot_chmod = 1;
59328 +#endif
59329 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
59330 + grsec_enable_chroot_mknod = 1;
59331 +#endif
59332 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
59333 + grsec_enable_chroot_nice = 1;
59334 +#endif
59335 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
59336 + grsec_enable_chroot_execlog = 1;
59337 +#endif
59338 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
59339 + grsec_enable_chroot_caps = 1;
59340 +#endif
59341 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
59342 + grsec_enable_chroot_sysctl = 1;
59343 +#endif
59344 +#ifdef CONFIG_GRKERNSEC_TPE
59345 + grsec_enable_tpe = 1;
59346 + grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
59347 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
59348 + grsec_enable_tpe_all = 1;
59349 +#endif
59350 +#endif
59351 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
59352 + grsec_enable_socket_all = 1;
59353 + grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
59354 +#endif
59355 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
59356 + grsec_enable_socket_client = 1;
59357 + grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
59358 +#endif
59359 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
59360 + grsec_enable_socket_server = 1;
59361 + grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
59362 +#endif
59363 +#endif
59364 +
59365 + return;
59366 +}
59367 diff -urNp linux-2.6.32.49/grsecurity/grsec_link.c linux-2.6.32.49/grsecurity/grsec_link.c
59368 --- linux-2.6.32.49/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
59369 +++ linux-2.6.32.49/grsecurity/grsec_link.c 2011-11-15 19:59:43.000000000 -0500
59370 @@ -0,0 +1,43 @@
59371 +#include <linux/kernel.h>
59372 +#include <linux/sched.h>
59373 +#include <linux/fs.h>
59374 +#include <linux/file.h>
59375 +#include <linux/grinternal.h>
59376 +
59377 +int
59378 +gr_handle_follow_link(const struct inode *parent,
59379 + const struct inode *inode,
59380 + const struct dentry *dentry, const struct vfsmount *mnt)
59381 +{
59382 +#ifdef CONFIG_GRKERNSEC_LINK
59383 + const struct cred *cred = current_cred();
59384 +
59385 + if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
59386 + (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
59387 + (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
59388 + gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
59389 + return -EACCES;
59390 + }
59391 +#endif
59392 + return 0;
59393 +}
59394 +
59395 +int
59396 +gr_handle_hardlink(const struct dentry *dentry,
59397 + const struct vfsmount *mnt,
59398 + struct inode *inode, const int mode, const char *to)
59399 +{
59400 +#ifdef CONFIG_GRKERNSEC_LINK
59401 + const struct cred *cred = current_cred();
59402 +
59403 + if (grsec_enable_link && cred->fsuid != inode->i_uid &&
59404 + (!S_ISREG(mode) || (mode & S_ISUID) ||
59405 + ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
59406 + (inode_permission(inode, MAY_READ | MAY_WRITE))) &&
59407 + !capable(CAP_FOWNER) && cred->uid) {
59408 + gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
59409 + return -EPERM;
59410 + }
59411 +#endif
59412 + return 0;
59413 +}
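Review bot: In gr_handle_hardlink the trailing `&& cred->uid` exempts any task whose real uid is 0 from the restriction, even when `capable(CAP_FOWNER)` is false for it. If the exemption is meant to follow the capability rather than the uid (for example a uid-0 task that has had CAP_FOWNER removed), the clause should be dropped. If it is intentional, say so in a comment such as `/* uid 0 is always exempt, with or without CAP_FOWNER */`. Neither function documents its policy, so each should get a short header stating the conditions. For the symlink check: a link in a sticky, world-writable directory whose owner is neither the directory owner nor the caller's fsuid. For the hardlink check: a file the caller's fsuid does not own that is non-regular, setuid, setgid with group-execute, or not readable and writable by the caller.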
59414 diff -urNp linux-2.6.32.49/grsecurity/grsec_log.c linux-2.6.32.49/grsecurity/grsec_log.c
59415 --- linux-2.6.32.49/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
59416 +++ linux-2.6.32.49/grsecurity/grsec_log.c 2011-11-15 19:59:43.000000000 -0500
59417 @@ -0,0 +1,322 @@
59418 +#include <linux/kernel.h>
59419 +#include <linux/sched.h>
59420 +#include <linux/file.h>
59421 +#include <linux/tty.h>
59422 +#include <linux/fs.h>
59423 +#include <linux/grinternal.h>
59424 +
59425 +#ifdef CONFIG_TREE_PREEMPT_RCU
59426 +#define DISABLE_PREEMPT() preempt_disable()
59427 +#define ENABLE_PREEMPT() preempt_enable()
59428 +#else
59429 +#define DISABLE_PREEMPT()
59430 +#define ENABLE_PREEMPT()
59431 +#endif
59432 +
59433 +#define BEGIN_LOCKS(x) \
59434 + DISABLE_PREEMPT(); \
59435 + rcu_read_lock(); \
59436 + read_lock(&tasklist_lock); \
59437 + read_lock(&grsec_exec_file_lock); \
59438 + if (x != GR_DO_AUDIT) \
59439 + spin_lock(&grsec_alert_lock); \
59440 + else \
59441 + spin_lock(&grsec_audit_lock)
59442 +
59443 +#define END_LOCKS(x) \
59444 + if (x != GR_DO_AUDIT) \
59445 + spin_unlock(&grsec_alert_lock); \
59446 + else \
59447 + spin_unlock(&grsec_audit_lock); \
59448 + read_unlock(&grsec_exec_file_lock); \
59449 + read_unlock(&tasklist_lock); \
59450 + rcu_read_unlock(); \
59451 + ENABLE_PREEMPT(); \
59452 + if (x == GR_DONT_AUDIT) \
59453 + gr_handle_alertkill(current)
59454 +
59455 +enum {
59456 + FLOODING,
59457 + NO_FLOODING
59458 +};
59459 +
59460 +extern char *gr_alert_log_fmt;
59461 +extern char *gr_audit_log_fmt;
59462 +extern char *gr_alert_log_buf;
59463 +extern char *gr_audit_log_buf;
59464 +
59465 +static int gr_log_start(int audit)
59466 +{
59467 + char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
59468 + char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
59469 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
59470 +#if (CONFIG_GRKERNSEC_FLOODTIME > 0 && CONFIG_GRKERNSEC_FLOODBURST > 0)
59471 + unsigned long curr_secs = get_seconds();
59472 +
59473 + if (audit == GR_DO_AUDIT)
59474 + goto set_fmt;
59475 +
59476 + if (!grsec_alert_wtime || time_after(curr_secs, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME)) {
59477 + grsec_alert_wtime = curr_secs;
59478 + grsec_alert_fyet = 0;
59479 + } else if (time_before_eq(curr_secs, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME)
59480 + && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
59481 + grsec_alert_fyet++;
59482 + } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
59483 + grsec_alert_wtime = curr_secs;
59484 + grsec_alert_fyet++;
59485 + printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
59486 + return FLOODING;
59487 + }
59488 + else return FLOODING;
59489 +
59490 +set_fmt:
59491 +#endif
59492 + memset(buf, 0, PAGE_SIZE);
59493 + if (current->signal->curr_ip && gr_acl_is_enabled()) {
59494 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
59495 + snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
59496 + } else if (current->signal->curr_ip) {
59497 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
59498 + snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip);
59499 + } else if (gr_acl_is_enabled()) {
59500 + sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
59501 + snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
59502 + } else {
59503 + sprintf(fmt, "%s%s", loglevel, "grsec: ");
59504 + strcpy(buf, fmt);
59505 + }
59506 +
59507 + return NO_FLOODING;
59508 +}
59509 +
59510 +static void gr_log_middle(int audit, const char *msg, va_list ap)
59511 + __attribute__ ((format (printf, 2, 0)));
59512 +
59513 +static void gr_log_middle(int audit, const char *msg, va_list ap)
59514 +{
59515 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
59516 + unsigned int len = strlen(buf);
59517 +
59518 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
59519 +
59520 + return;
59521 +}
59522 +
59523 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
59524 + __attribute__ ((format (printf, 2, 3)));
59525 +
59526 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
59527 +{
59528 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
59529 + unsigned int len = strlen(buf);
59530 + va_list ap;
59531 +
59532 + va_start(ap, msg);
59533 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
59534 + va_end(ap);
59535 +
59536 + return;
59537 +}
59538 +
59539 +static void gr_log_end(int audit, int append_default)
59540 +{
59541 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
59542 +
59543 + if (append_default) {
59544 + unsigned int len = strlen(buf);
59545 + snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->real_parent)));
59546 + }
59547 +
59548 + printk("%s\n", buf);
59549 +
59550 + return;
59551 +}
59552 +
59553 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
59554 +{
59555 + int logtype;
59556 + char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
59557 + char *str1 = NULL, *str2 = NULL, *str3 = NULL;
59558 + void *voidptr = NULL;
59559 + int num1 = 0, num2 = 0;
59560 + unsigned long ulong1 = 0, ulong2 = 0;
59561 + struct dentry *dentry = NULL;
59562 + struct vfsmount *mnt = NULL;
59563 + struct file *file = NULL;
59564 + struct task_struct *task = NULL;
59565 + const struct cred *cred, *pcred;
59566 + va_list ap;
59567 +
59568 + BEGIN_LOCKS(audit);
59569 + logtype = gr_log_start(audit);
59570 + if (logtype == FLOODING) {
59571 + END_LOCKS(audit);
59572 + return;
59573 + }
59574 + va_start(ap, argtypes);
59575 + switch (argtypes) {
59576 + case GR_TTYSNIFF:
59577 + task = va_arg(ap, struct task_struct *);
59578 + gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid);
59579 + break;
59580 + case GR_SYSCTL_HIDDEN:
59581 + str1 = va_arg(ap, char *);
59582 + gr_log_middle_varargs(audit, msg, result, str1);
59583 + break;
59584 + case GR_RBAC:
59585 + dentry = va_arg(ap, struct dentry *);
59586 + mnt = va_arg(ap, struct vfsmount *);
59587 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
59588 + break;
59589 + case GR_RBAC_STR:
59590 + dentry = va_arg(ap, struct dentry *);
59591 + mnt = va_arg(ap, struct vfsmount *);
59592 + str1 = va_arg(ap, char *);
59593 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
59594 + break;
59595 + case GR_STR_RBAC:
59596 + str1 = va_arg(ap, char *);
59597 + dentry = va_arg(ap, struct dentry *);
59598 + mnt = va_arg(ap, struct vfsmount *);
59599 + gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
59600 + break;
59601 + case GR_RBAC_MODE2:
59602 + dentry = va_arg(ap, struct dentry *);
59603 + mnt = va_arg(ap, struct vfsmount *);
59604 + str1 = va_arg(ap, char *);
59605 + str2 = va_arg(ap, char *);
59606 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
59607 + break;
59608 + case GR_RBAC_MODE3:
59609 + dentry = va_arg(ap, struct dentry *);
59610 + mnt = va_arg(ap, struct vfsmount *);
59611 + str1 = va_arg(ap, char *);
59612 + str2 = va_arg(ap, char *);
59613 + str3 = va_arg(ap, char *);
59614 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
59615 + break;
59616 + case GR_FILENAME:
59617 + dentry = va_arg(ap, struct dentry *);
59618 + mnt = va_arg(ap, struct vfsmount *);
59619 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
59620 + break;
59621 + case GR_STR_FILENAME:
59622 + str1 = va_arg(ap, char *);
59623 + dentry = va_arg(ap, struct dentry *);
59624 + mnt = va_arg(ap, struct vfsmount *);
59625 + gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
59626 + break;
59627 + case GR_FILENAME_STR:
59628 + dentry = va_arg(ap, struct dentry *);
59629 + mnt = va_arg(ap, struct vfsmount *);
59630 + str1 = va_arg(ap, char *);
59631 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
59632 + break;
59633 + case GR_FILENAME_TWO_INT:
59634 + dentry = va_arg(ap, struct dentry *);
59635 + mnt = va_arg(ap, struct vfsmount *);
59636 + num1 = va_arg(ap, int);
59637 + num2 = va_arg(ap, int);
59638 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
59639 + break;
59640 + case GR_FILENAME_TWO_INT_STR:
59641 + dentry = va_arg(ap, struct dentry *);
59642 + mnt = va_arg(ap, struct vfsmount *);
59643 + num1 = va_arg(ap, int);
59644 + num2 = va_arg(ap, int);
59645 + str1 = va_arg(ap, char *);
59646 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
59647 + break;
59648 + case GR_TEXTREL:
59649 + file = va_arg(ap, struct file *);
59650 + ulong1 = va_arg(ap, unsigned long);
59651 + ulong2 = va_arg(ap, unsigned long);
59652 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
59653 + break;
59654 + case GR_PTRACE:
59655 + task = va_arg(ap, struct task_struct *);
59656 + gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid);
59657 + break;
59658 + case GR_RESOURCE:
59659 + task = va_arg(ap, struct task_struct *);
59660 + cred = __task_cred(task);
59661 + pcred = __task_cred(task->real_parent);
59662 + ulong1 = va_arg(ap, unsigned long);
59663 + str1 = va_arg(ap, char *);
59664 + ulong2 = va_arg(ap, unsigned long);
59665 + gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
59666 + break;
59667 + case GR_CAP:
59668 + task = va_arg(ap, struct task_struct *);
59669 + cred = __task_cred(task);
59670 + pcred = __task_cred(task->real_parent);
59671 + str1 = va_arg(ap, char *);
59672 + gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
59673 + break;
59674 + case GR_SIG:
59675 + str1 = va_arg(ap, char *);
59676 + voidptr = va_arg(ap, void *);
59677 + gr_log_middle_varargs(audit, msg, str1, voidptr);
59678 + break;
59679 + case GR_SIG2:
59680 + task = va_arg(ap, struct task_struct *);
59681 + cred = __task_cred(task);
59682 + pcred = __task_cred(task->real_parent);
59683 + num1 = va_arg(ap, int);
59684 + gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
59685 + break;
59686 + case GR_CRASH1:
59687 + task = va_arg(ap, struct task_struct *);
59688 + cred = __task_cred(task);
59689 + pcred = __task_cred(task->real_parent);
59690 + ulong1 = va_arg(ap, unsigned long);
59691 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1);
59692 + break;
59693 + case GR_CRASH2:
59694 + task = va_arg(ap, struct task_struct *);
59695 + cred = __task_cred(task);
59696 + pcred = __task_cred(task->real_parent);
59697 + ulong1 = va_arg(ap, unsigned long);
59698 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
59699 + break;
59700 + case GR_RWXMAP:
59701 + file = va_arg(ap, struct file *);
59702 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>");
59703 + break;
59704 + case GR_PSACCT:
59705 + {
59706 + unsigned int wday, cday;
59707 + __u8 whr, chr;
59708 + __u8 wmin, cmin;
59709 + __u8 wsec, csec;
59710 + char cur_tty[64] = { 0 };
59711 + char parent_tty[64] = { 0 };
59712 +
59713 + task = va_arg(ap, struct task_struct *);
59714 + wday = va_arg(ap, unsigned int);
59715 + cday = va_arg(ap, unsigned int);
59716 + whr = va_arg(ap, int);
59717 + chr = va_arg(ap, int);
59718 + wmin = va_arg(ap, int);
59719 + cmin = va_arg(ap, int);
59720 + wsec = va_arg(ap, int);
59721 + csec = va_arg(ap, int);
59722 + ulong1 = va_arg(ap, unsigned long);
59723 + cred = __task_cred(task);
59724 + pcred = __task_cred(task->real_parent);
59725 +
59726 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, &task->real_parent->signal->curr_ip, tty_name(task->real_parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid);
59727 + }
59728 + break;
59729 + default:
59730 + gr_log_middle(audit, msg, ap);
59731 + }
59732 + va_end(ap);
59733 + // these don't need DEFAULTSECARGS printed on the end
59734 + if (argtypes == GR_CRASH1 || argtypes == GR_CRASH2)
59735 + gr_log_end(audit, 0);
59736 + else
59737 + gr_log_end(audit, 1);
59738 + END_LOCKS(audit);
59739 +}
59740 diff -urNp linux-2.6.32.49/grsecurity/grsec_mem.c linux-2.6.32.49/grsecurity/grsec_mem.c
59741 --- linux-2.6.32.49/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
59742 +++ linux-2.6.32.49/grsecurity/grsec_mem.c 2011-11-15 19:59:43.000000000 -0500
59743 @@ -0,0 +1,33 @@
59744 +#include <linux/kernel.h>
59745 +#include <linux/sched.h>
59746 +#include <linux/mm.h>
59747 +#include <linux/mman.h>
59748 +#include <linux/grinternal.h>
59749 +
59750 +void
59751 +gr_handle_ioperm(void)
59752 +{
59753 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
59754 + return;
59755 +}
59756 +
59757 +void
59758 +gr_handle_iopl(void)
59759 +{
59760 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
59761 + return;
59762 +}
59763 +
59764 +void
59765 +gr_handle_mem_readwrite(u64 from, u64 to)
59766 +{
59767 + gr_log_two_u64(GR_DONT_AUDIT, GR_MEM_READWRITE_MSG, from, to);
59768 + return;
59769 +}
59770 +
59771 +void
59772 +gr_handle_vm86(void)
59773 +{
59774 + gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
59775 + return;
59776 +}
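Review bot: None of the four gr_handle_* functions in grsec_mem.c says that it only logs: each returns void and just calls `gr_log_noargs` or `gr_log_two_u64` with GR_DONT_AUDIT, so any denial has to come from the caller, which is not in this hunk. A one-line comment above each would make that contract visible, for example `/* log-only: records the attempt; any denial is decided by the caller */`. The trailing `return;` in each void function can also be dropped.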
59777 diff -urNp linux-2.6.32.49/grsecurity/grsec_mount.c linux-2.6.32.49/grsecurity/grsec_mount.c
59778 --- linux-2.6.32.49/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
59779 +++ linux-2.6.32.49/grsecurity/grsec_mount.c 2011-11-15 19:59:43.000000000 -0500
59780 @@ -0,0 +1,62 @@
59781 +#include <linux/kernel.h>
59782 +#include <linux/sched.h>
59783 +#include <linux/mount.h>
59784 +#include <linux/grsecurity.h>
59785 +#include <linux/grinternal.h>
59786 +
59787 +void
59788 +gr_log_remount(const char *devname, const int retval)
59789 +{
59790 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
59791 + if (grsec_enable_mount && (retval >= 0))
59792 + gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
59793 +#endif
59794 + return;
59795 +}
59796 +
59797 +void
59798 +gr_log_unmount(const char *devname, const int retval)
59799 +{
59800 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
59801 + if (grsec_enable_mount && (retval >= 0))
59802 + gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
59803 +#endif
59804 + return;
59805 +}
59806 +
59807 +void
59808 +gr_log_mount(const char *from, const char *to, const int retval)
59809 +{
59810 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
59811 + if (grsec_enable_mount && (retval >= 0))
59812 + gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to);
59813 +#endif
59814 + return;
59815 +}
59816 +
59817 +int
59818 +gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
59819 +{
59820 +#ifdef CONFIG_GRKERNSEC_ROFS
59821 + if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
59822 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
59823 + return -EPERM;
59824 + } else
59825 + return 0;
59826 +#endif
59827 + return 0;
59828 +}
59829 +
59830 +int
59831 +gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
59832 +{
59833 +#ifdef CONFIG_GRKERNSEC_ROFS
59834 + if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
59835 + dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
59836 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
59837 + return -EPERM;
59838 + } else
59839 + return 0;
59840 +#endif
59841 + return 0;
59842 +}
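Review bot: In gr_handle_rofs_mount and gr_handle_rofs_blockwrite the `} else return 0;` branch inside the `#ifdef CONFIG_GRKERNSEC_ROFS` block makes the trailing `return 0;` after `#endif` unreachable whenever the option is set. Dropping the `else` branch leaves a single fall-through exit and reads the same as the other handlers on this page. Separately, gr_log_mount substitutes `"none"` for a NULL `from` but passes `to` unchecked. If any caller (none are in this hunk) can pass a NULL `to`, it needs the same fallback, `to ? to : "none"`.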
59843 diff -urNp linux-2.6.32.49/grsecurity/grsec_pax.c linux-2.6.32.49/grsecurity/grsec_pax.c
59844 --- linux-2.6.32.49/grsecurity/grsec_pax.c 1969-12-31 19:00:00.000000000 -0500
59845 +++ linux-2.6.32.49/grsecurity/grsec_pax.c 2011-11-15 19:59:43.000000000 -0500
59846 @@ -0,0 +1,36 @@
59847 +#include <linux/kernel.h>
59848 +#include <linux/sched.h>
59849 +#include <linux/mm.h>
59850 +#include <linux/file.h>
59851 +#include <linux/grinternal.h>
59852 +#include <linux/grsecurity.h>
59853 +
59854 +void
59855 +gr_log_textrel(struct vm_area_struct * vma)
59856 +{
59857 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
59858 + if (grsec_enable_audit_textrel)
59859 + gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
59860 +#endif
59861 + return;
59862 +}
59863 +
59864 +void
59865 +gr_log_rwxmmap(struct file *file)
59866 +{
59867 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
59868 + if (grsec_enable_log_rwxmaps)
59869 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMMAP_MSG, file);
59870 +#endif
59871 + return;
59872 +}
59873 +
59874 +void
59875 +gr_log_rwxmprotect(struct file *file)
59876 +{
59877 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
59878 + if (grsec_enable_log_rwxmaps)
59879 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMPROTECT_MSG, file);
59880 +#endif
59881 + return;
59882 +}
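Review bot: gr_log_rwxmmap and gr_log_rwxmprotect do not document that `file` may be NULL, although the GR_RWXMAP case of the log routine earlier in this patch prints `"<anonymous mapping>"` for exactly that input. A comment such as `/* file may be NULL for an anonymous mapping */` above both would save callers a needless guard. gr_log_textrel passes `vma->vm_file` the same way, but the GR_TEXTREL handling is not visible here, so whether a NULL file is safe on that path should be confirmed before documenting it.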
59883 diff -urNp linux-2.6.32.49/grsecurity/grsec_ptrace.c linux-2.6.32.49/grsecurity/grsec_ptrace.c
59884 --- linux-2.6.32.49/grsecurity/grsec_ptrace.c 1969-12-31 19:00:00.000000000 -0500
59885 +++ linux-2.6.32.49/grsecurity/grsec_ptrace.c 2011-11-15 19:59:43.000000000 -0500
59886 @@ -0,0 +1,14 @@
59887 +#include <linux/kernel.h>
59888 +#include <linux/sched.h>
59889 +#include <linux/grinternal.h>
59890 +#include <linux/grsecurity.h>
59891 +
59892 +void
59893 +gr_audit_ptrace(struct task_struct *task)
59894 +{
59895 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
59896 + if (grsec_enable_audit_ptrace)
59897 + gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
59898 +#endif
59899 + return;
59900 +}
59901 diff -urNp linux-2.6.32.49/grsecurity/grsec_sig.c linux-2.6.32.49/grsecurity/grsec_sig.c
59902 --- linux-2.6.32.49/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
59903 +++ linux-2.6.32.49/grsecurity/grsec_sig.c 2011-11-15 19:59:43.000000000 -0500
59904 @@ -0,0 +1,205 @@
59905 +#include <linux/kernel.h>
59906 +#include <linux/sched.h>
59907 +#include <linux/delay.h>
59908 +#include <linux/grsecurity.h>
59909 +#include <linux/grinternal.h>
59910 +#include <linux/hardirq.h>
59911 +
59912 +char *signames[] = {
59913 + [SIGSEGV] = "Segmentation fault",
59914 + [SIGILL] = "Illegal instruction",
59915 + [SIGABRT] = "Abort",
59916 + [SIGBUS] = "Invalid alignment/Bus error"
59917 +};
59918 +
59919 +void
59920 +gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
59921 +{
59922 +#ifdef CONFIG_GRKERNSEC_SIGNAL
59923 + if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
59924 + (sig == SIGABRT) || (sig == SIGBUS))) {
59925 + if (t->pid == current->pid) {
59926 + gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
59927 + } else {
59928 + gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
59929 + }
59930 + }
59931 +#endif
59932 + return;
59933 +}
59934 +
59935 +int
59936 +gr_handle_signal(const struct task_struct *p, const int sig)
59937 +{
59938 +#ifdef CONFIG_GRKERNSEC
59939 + if (current->pid > 1 && gr_check_protected_task(p)) {
59940 + gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
59941 + return -EPERM;
59942 + } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
59943 + return -EPERM;
59944 + }
59945 +#endif
59946 + return 0;
59947 +}
59948 +
59949 +#ifdef CONFIG_GRKERNSEC
59950 +extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
59951 +
59952 +int gr_fake_force_sig(int sig, struct task_struct *t)
59953 +{
59954 + unsigned long int flags;
59955 + int ret, blocked, ignored;
59956 + struct k_sigaction *action;
59957 +
59958 + spin_lock_irqsave(&t->sighand->siglock, flags);
59959 + action = &t->sighand->action[sig-1];
59960 + ignored = action->sa.sa_handler == SIG_IGN;
59961 + blocked = sigismember(&t->blocked, sig);
59962 + if (blocked || ignored) {
59963 + action->sa.sa_handler = SIG_DFL;
59964 + if (blocked) {
59965 + sigdelset(&t->blocked, sig);
59966 + recalc_sigpending_and_wake(t);
59967 + }
59968 + }
59969 + if (action->sa.sa_handler == SIG_DFL)
59970 + t->signal->flags &= ~SIGNAL_UNKILLABLE;
59971 + ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
59972 +
59973 + spin_unlock_irqrestore(&t->sighand->siglock, flags);
59974 +
59975 + return ret;
59976 +}
59977 +#endif
59978 +
59979 +#ifdef CONFIG_GRKERNSEC_BRUTE
59980 +#define GR_USER_BAN_TIME (15 * 60)
59981 +
59982 +static int __get_dumpable(unsigned long mm_flags)
59983 +{
59984 + int ret;
59985 +
59986 + ret = mm_flags & MMF_DUMPABLE_MASK;
59987 + return (ret >= 2) ? 2 : ret;
59988 +}
59989 +#endif
59990 +
59991 +void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags)
59992 +{
59993 +#ifdef CONFIG_GRKERNSEC_BRUTE
59994 + uid_t uid = 0;
59995 +
59996 + if (!grsec_enable_brute)
59997 + return;
59998 +
59999 + rcu_read_lock();
60000 + read_lock(&tasklist_lock);
60001 + read_lock(&grsec_exec_file_lock);
60002 + if (p->real_parent && p->real_parent->exec_file == p->exec_file)
60003 + p->real_parent->brute = 1;
60004 + else {
60005 + const struct cred *cred = __task_cred(p), *cred2;
60006 + struct task_struct *tsk, *tsk2;
60007 +
60008 + if (!__get_dumpable(mm_flags) && cred->uid) {
60009 + struct user_struct *user;
60010 +
60011 + uid = cred->uid;
60012 +
60013 + /* this is put upon execution past expiration */
60014 + user = find_user(uid);
60015 + if (user == NULL)
60016 + goto unlock;
60017 + user->banned = 1;
60018 + user->ban_expires = get_seconds() + GR_USER_BAN_TIME;
60019 + if (user->ban_expires == ~0UL)
60020 + user->ban_expires--;
60021 +
60022 + do_each_thread(tsk2, tsk) {
60023 + cred2 = __task_cred(tsk);
60024 + if (tsk != p && cred2->uid == uid)
60025 + gr_fake_force_sig(SIGKILL, tsk);
60026 + } while_each_thread(tsk2, tsk);
60027 + }
60028 + }
60029 +unlock:
60030 + read_unlock(&grsec_exec_file_lock);
60031 + read_unlock(&tasklist_lock);
60032 + rcu_read_unlock();
60033 +
60034 + if (uid)
60035 + printk(KERN_ALERT "grsec: bruteforce prevention initiated against uid %u, banning for %d minutes\n", uid, GR_USER_BAN_TIME / 60);
60036 +#endif
60037 + return;
60038 +}
60039 +
60040 +void gr_handle_brute_check(void)
60041 +{
60042 +#ifdef CONFIG_GRKERNSEC_BRUTE
60043 + if (current->brute)
60044 + msleep(30 * 1000);
60045 +#endif
60046 + return;
60047 +}
60048 +
60049 +void gr_handle_kernel_exploit(void)
60050 +{
60051 +#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
60052 + const struct cred *cred;
60053 + struct task_struct *tsk, *tsk2;
60054 + struct user_struct *user;
60055 + uid_t uid;
60056 +
60057 + if (in_irq() || in_serving_softirq() || in_nmi())
60058 + panic("grsec: halting the system due to suspicious kernel crash caused in interrupt context");
60059 +
60060 + uid = current_uid();
60061 +
60062 + if (uid == 0)
60063 + panic("grsec: halting the system due to suspicious kernel crash caused by root");
60064 + else {
60065 + /* kill all the processes of this user, hold a reference
60066 + to their creds struct, and prevent them from creating
60067 + another process until system reset
60068 + */
60069 + printk(KERN_ALERT "grsec: banning user with uid %u until system restart for suspicious kernel crash\n", uid);
60070 + /* we intentionally leak this ref */
60071 + user = get_uid(current->cred->user);
60072 + if (user) {
60073 + user->banned = 1;
60074 + user->ban_expires = ~0UL;
60075 + }
60076 +
60077 + read_lock(&tasklist_lock);
60078 + do_each_thread(tsk2, tsk) {
60079 + cred = __task_cred(tsk);
60080 + if (cred->uid == uid)
60081 + gr_fake_force_sig(SIGKILL, tsk);
60082 + } while_each_thread(tsk2, tsk);
60083 + read_unlock(&tasklist_lock);
60084 + }
60085 +#endif
60086 +}
60087 +
60088 +int __gr_process_user_ban(struct user_struct *user)
60089 +{
60090 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
60091 + if (unlikely(user->banned)) {
60092 + if (user->ban_expires != ~0UL && time_after_eq(get_seconds(), user->ban_expires)) {
60093 + user->banned = 0;
60094 + user->ban_expires = 0;
60095 + free_uid(user);
60096 + } else
60097 + return -EPERM;
60098 + }
60099 +#endif
60100 + return 0;
60101 +}
60102 +
60103 +int gr_process_user_ban(void)
60104 +{
60105 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
60106 + return __gr_process_user_ban(current->cred->user);
60107 +#endif
60108 + return 0;
60109 +}
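Review bot: __gr_process_user_ban tests `user->banned`, clears it and calls `free_uid(user)` without any lock, so two tasks of the same user that arrive after the ban has expired can both take the expiry branch and drop the reference twice, while gr_handle_brute_attach took only one with `find_user(uid)`. Unless the callers, which are outside this hunk, already serialize, the test-and-clear should run under a lock so that exactly one caller reaches `free_uid`. The two places that set `banned` (gr_handle_brute_attach and gr_handle_kernel_exploit) would take the same lock. gr_handle_brute_attach should also drop its fresh reference when the user is already banned, since otherwise a repeated ban leaves one reference that the single `free_uid` never returns.
```c
#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
/* serializes changes to user->banned / user->ban_expires */
static DEFINE_SPINLOCK(gr_user_ban_lock);
#endif

int __gr_process_user_ban(struct user_struct *user)
{
#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
	if (likely(!user->banned))
		return 0;

	spin_lock(&gr_user_ban_lock);
	if (!user->banned) {
		/* another caller lifted the ban and dropped the reference */
		spin_unlock(&gr_user_ban_lock);
		return 0;
	}
	if (user->ban_expires == ~0UL ||
	    !time_after_eq(get_seconds(), user->ban_expires)) {
		spin_unlock(&gr_user_ban_lock);
		return -EPERM;
	}
	user->banned = 0;
	user->ban_expires = 0;
	spin_unlock(&gr_user_ban_lock);

	/* only the caller that cleared ->banned drops the ban's reference */
	free_uid(user);
#endif
	return 0;
}
```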
60110 diff -urNp linux-2.6.32.49/grsecurity/grsec_sock.c linux-2.6.32.49/grsecurity/grsec_sock.c
60111 --- linux-2.6.32.49/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
60112 +++ linux-2.6.32.49/grsecurity/grsec_sock.c 2011-11-15 19:59:43.000000000 -0500
60113 @@ -0,0 +1,275 @@
60114 +#include <linux/kernel.h>
60115 +#include <linux/module.h>
60116 +#include <linux/sched.h>
60117 +#include <linux/file.h>
60118 +#include <linux/net.h>
60119 +#include <linux/in.h>
60120 +#include <linux/ip.h>
60121 +#include <net/sock.h>
60122 +#include <net/inet_sock.h>
60123 +#include <linux/grsecurity.h>
60124 +#include <linux/grinternal.h>
60125 +#include <linux/gracl.h>
60126 +
60127 +kernel_cap_t gr_cap_rtnetlink(struct sock *sock);
60128 +EXPORT_SYMBOL(gr_cap_rtnetlink);
60129 +
60130 +extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
60131 +extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
60132 +
60133 +EXPORT_SYMBOL(gr_search_udp_recvmsg);
60134 +EXPORT_SYMBOL(gr_search_udp_sendmsg);
60135 +
60136 +#ifdef CONFIG_UNIX_MODULE
60137 +EXPORT_SYMBOL(gr_acl_handle_unix);
60138 +EXPORT_SYMBOL(gr_acl_handle_mknod);
60139 +EXPORT_SYMBOL(gr_handle_chroot_unix);
60140 +EXPORT_SYMBOL(gr_handle_create);
60141 +#endif
60142 +
60143 +#ifdef CONFIG_GRKERNSEC
60144 +#define gr_conn_table_size 32749
60145 +struct conn_table_entry {
60146 + struct conn_table_entry *next;
60147 + struct signal_struct *sig;
60148 +};
60149 +
60150 +struct conn_table_entry *gr_conn_table[gr_conn_table_size];
60151 +DEFINE_SPINLOCK(gr_conn_table_lock);
60152 +
60153 +extern const char * gr_socktype_to_name(unsigned char type);
60154 +extern const char * gr_proto_to_name(unsigned char proto);
60155 +extern const char * gr_sockfamily_to_name(unsigned char family);
60156 +
60157 +static __inline__ int
60158 +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
60159 +{
60160 + return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
60161 +}
60162 +
60163 +static __inline__ int
60164 +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
60165 + __u16 sport, __u16 dport)
60166 +{
60167 + if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
60168 + sig->gr_sport == sport && sig->gr_dport == dport))
60169 + return 1;
60170 + else
60171 + return 0;
60172 +}
60173 +
60174 +static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
60175 +{
60176 + struct conn_table_entry **match;
60177 + unsigned int index;
60178 +
60179 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
60180 + sig->gr_sport, sig->gr_dport,
60181 + gr_conn_table_size);
60182 +
60183 + newent->sig = sig;
60184 +
60185 + match = &gr_conn_table[index];
60186 + newent->next = *match;
60187 + *match = newent;
60188 +
60189 + return;
60190 +}
60191 +
60192 +static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
60193 +{
60194 + struct conn_table_entry *match, *last = NULL;
60195 + unsigned int index;
60196 +
60197 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
60198 + sig->gr_sport, sig->gr_dport,
60199 + gr_conn_table_size);
60200 +
60201 + match = gr_conn_table[index];
60202 + while (match && !conn_match(match->sig,
60203 + sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
60204 + sig->gr_dport)) {
60205 + last = match;
60206 + match = match->next;
60207 + }
60208 +
60209 + if (match) {
60210 + if (last)
60211 + last->next = match->next;
60212 + else
60213 + gr_conn_table[index] = NULL;
60214 + kfree(match);
60215 + }
60216 +
60217 + return;
60218 +}
60219 +
60220 +static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
60221 + __u16 sport, __u16 dport)
60222 +{
60223 + struct conn_table_entry *match;
60224 + unsigned int index;
60225 +
60226 + index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
60227 +
60228 + match = gr_conn_table[index];
60229 + while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
60230 + match = match->next;
60231 +
60232 + if (match)
60233 + return match->sig;
60234 + else
60235 + return NULL;
60236 +}
60237 +
60238 +#endif
60239 +
60240 +void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
60241 +{
60242 +#ifdef CONFIG_GRKERNSEC
60243 + struct signal_struct *sig = task->signal;
60244 + struct conn_table_entry *newent;
60245 +
60246 + newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
60247 + if (newent == NULL)
60248 + return;
60249 + /* no bh lock needed since we are called with bh disabled */
60250 + spin_lock(&gr_conn_table_lock);
60251 + gr_del_task_from_ip_table_nolock(sig);
60252 + sig->gr_saddr = inet->rcv_saddr;
60253 + sig->gr_daddr = inet->daddr;
60254 + sig->gr_sport = inet->sport;
60255 + sig->gr_dport = inet->dport;
60256 + gr_add_to_task_ip_table_nolock(sig, newent);
60257 + spin_unlock(&gr_conn_table_lock);
60258 +#endif
60259 + return;
60260 +}
60261 +
60262 +void gr_del_task_from_ip_table(struct task_struct *task)
60263 +{
60264 +#ifdef CONFIG_GRKERNSEC
60265 + spin_lock_bh(&gr_conn_table_lock);
60266 + gr_del_task_from_ip_table_nolock(task->signal);
60267 + spin_unlock_bh(&gr_conn_table_lock);
60268 +#endif
60269 + return;
60270 +}
60271 +
60272 +void
60273 +gr_attach_curr_ip(const struct sock *sk)
60274 +{
60275 +#ifdef CONFIG_GRKERNSEC
60276 + struct signal_struct *p, *set;
60277 + const struct inet_sock *inet = inet_sk(sk);
60278 +
60279 + if (unlikely(sk->sk_protocol != IPPROTO_TCP))
60280 + return;
60281 +
60282 + set = current->signal;
60283 +
60284 + spin_lock_bh(&gr_conn_table_lock);
60285 + p = gr_lookup_task_ip_table(inet->daddr, inet->rcv_saddr,
60286 + inet->dport, inet->sport);
60287 + if (unlikely(p != NULL)) {
60288 + set->curr_ip = p->curr_ip;
60289 + set->used_accept = 1;
60290 + gr_del_task_from_ip_table_nolock(p);
60291 + spin_unlock_bh(&gr_conn_table_lock);
60292 + return;
60293 + }
60294 + spin_unlock_bh(&gr_conn_table_lock);
60295 +
60296 + set->curr_ip = inet->daddr;
60297 + set->used_accept = 1;
60298 +#endif
60299 + return;
60300 +}
60301 +
60302 +int
60303 +gr_handle_sock_all(const int family, const int type, const int protocol)
60304 +{
60305 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
60306 + if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
60307 + (family != AF_UNIX)) {
60308 + if (family == AF_INET)
60309 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), gr_proto_to_name(protocol));
60310 + else
60311 + gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), protocol);
60312 + return -EACCES;
60313 + }
60314 +#endif
60315 + return 0;
60316 +}
60317 +
60318 +int
60319 +gr_handle_sock_server(const struct sockaddr *sck)
60320 +{
60321 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
60322 + if (grsec_enable_socket_server &&
60323 + in_group_p(grsec_socket_server_gid) &&
60324 + sck && (sck->sa_family != AF_UNIX) &&
60325 + (sck->sa_family != AF_LOCAL)) {
60326 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
60327 + return -EACCES;
60328 + }
60329 +#endif
60330 + return 0;
60331 +}
60332 +
60333 +int
60334 +gr_handle_sock_server_other(const struct sock *sck)
60335 +{
60336 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
60337 + if (grsec_enable_socket_server &&
60338 + in_group_p(grsec_socket_server_gid) &&
60339 + sck && (sck->sk_family != AF_UNIX) &&
60340 + (sck->sk_family != AF_LOCAL)) {
60341 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
60342 + return -EACCES;
60343 + }
60344 +#endif
60345 + return 0;
60346 +}
60347 +
60348 +int
60349 +gr_handle_sock_client(const struct sockaddr *sck)
60350 +{
60351 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
60352 + if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
60353 + sck && (sck->sa_family != AF_UNIX) &&
60354 + (sck->sa_family != AF_LOCAL)) {
60355 + gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
60356 + return -EACCES;
60357 + }
60358 +#endif
60359 + return 0;
60360 +}
60361 +
60362 +kernel_cap_t
60363 +gr_cap_rtnetlink(struct sock *sock)
60364 +{
60365 +#ifdef CONFIG_GRKERNSEC
60366 + if (!gr_acl_is_enabled())
60367 + return current_cap();
60368 + else if (sock->sk_protocol == NETLINK_ISCSI &&
60369 + cap_raised(current_cap(), CAP_SYS_ADMIN) &&
60370 + gr_is_capable(CAP_SYS_ADMIN))
60371 + return current_cap();
60372 + else if (sock->sk_protocol == NETLINK_AUDIT &&
60373 + cap_raised(current_cap(), CAP_AUDIT_WRITE) &&
60374 + gr_is_capable(CAP_AUDIT_WRITE) &&
60375 + cap_raised(current_cap(), CAP_AUDIT_CONTROL) &&
60376 + gr_is_capable(CAP_AUDIT_CONTROL))
60377 + return current_cap();
60378 + else if (cap_raised(current_cap(), CAP_NET_ADMIN) &&
60379 + ((sock->sk_protocol == NETLINK_ROUTE) ?
60380 + gr_is_capable_nolog(CAP_NET_ADMIN) :
60381 + gr_is_capable(CAP_NET_ADMIN)))
60382 + return current_cap();
60383 + else
60384 + return __cap_empty_set;
60385 +#else
60386 + return current_cap();
60387 +#endif
60388 +}
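Review bot: In gr_del_task_from_ip_table_nolock, removing the entry at the head of a bucket sets `gr_conn_table[index] = NULL`, which drops every entry chained behind it. gr_add_to_task_ip_table_nolock inserts at the head, so after a hash collision the older entries are never freed and gr_lookup_task_ip_table can no longer find them. gr_attach_curr_ip then falls back to `inet->daddr` instead of the recorded `curr_ip`, so the source address attached to later log lines can be wrong. The else branch should unlink only the matched entry: `gr_conn_table[index] = match->next;`.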
60389 diff -urNp linux-2.6.32.49/grsecurity/grsec_sysctl.c linux-2.6.32.49/grsecurity/grsec_sysctl.c
60390 --- linux-2.6.32.49/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
60391 +++ linux-2.6.32.49/grsecurity/grsec_sysctl.c 2011-11-15 19:59:43.000000000 -0500
60392 @@ -0,0 +1,479 @@
60393 +#include <linux/kernel.h>
60394 +#include <linux/sched.h>
60395 +#include <linux/sysctl.h>
60396 +#include <linux/grsecurity.h>
60397 +#include <linux/grinternal.h>
60398 +
60399 +int
60400 +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
60401 +{
60402 +#ifdef CONFIG_GRKERNSEC_SYSCTL
60403 + if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
60404 + gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
60405 + return -EACCES;
60406 + }
60407 +#endif
60408 + return 0;
60409 +}
60410 +
60411 +#ifdef CONFIG_GRKERNSEC_ROFS
60412 +static int __maybe_unused one = 1;
60413 +#endif
60414 +
60415 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
60416 +ctl_table grsecurity_table[] = {
60417 +#ifdef CONFIG_GRKERNSEC_SYSCTL
60418 +#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
60419 +#ifdef CONFIG_GRKERNSEC_IO
60420 + {
60421 + .ctl_name = CTL_UNNUMBERED,
60422 + .procname = "disable_priv_io",
60423 + .data = &grsec_disable_privio,
60424 + .maxlen = sizeof(int),
60425 + .mode = 0600,
60426 + .proc_handler = &proc_dointvec,
60427 + },
60428 +#endif
60429 +#endif
60430 +#ifdef CONFIG_GRKERNSEC_LINK
60431 + {
60432 + .ctl_name = CTL_UNNUMBERED,
60433 + .procname = "linking_restrictions",
60434 + .data = &grsec_enable_link,
60435 + .maxlen = sizeof(int),
60436 + .mode = 0600,
60437 + .proc_handler = &proc_dointvec,
60438 + },
60439 +#endif
60440 +#ifdef CONFIG_GRKERNSEC_BRUTE
60441 + {
60442 + .ctl_name = CTL_UNNUMBERED,
60443 + .procname = "deter_bruteforce",
60444 + .data = &grsec_enable_brute,
60445 + .maxlen = sizeof(int),
60446 + .mode = 0600,
60447 + .proc_handler = &proc_dointvec,
60448 + },
60449 +#endif
60450 +#ifdef CONFIG_GRKERNSEC_FIFO
60451 + {
60452 + .ctl_name = CTL_UNNUMBERED,
60453 + .procname = "fifo_restrictions",
60454 + .data = &grsec_enable_fifo,
60455 + .maxlen = sizeof(int),
60456 + .mode = 0600,
60457 + .proc_handler = &proc_dointvec,
60458 + },
60459 +#endif
60460 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
60461 + {
60462 + .ctl_name = CTL_UNNUMBERED,
60463 + .procname = "ip_blackhole",
60464 + .data = &grsec_enable_blackhole,
60465 + .maxlen = sizeof(int),
60466 + .mode = 0600,
60467 + .proc_handler = &proc_dointvec,
60468 + },
60469 + {
60470 + .ctl_name = CTL_UNNUMBERED,
60471 + .procname = "lastack_retries",
60472 + .data = &grsec_lastack_retries,
60473 + .maxlen = sizeof(int),
60474 + .mode = 0600,
60475 + .proc_handler = &proc_dointvec,
60476 + },
60477 +#endif
60478 +#ifdef CONFIG_GRKERNSEC_EXECLOG
60479 + {
60480 + .ctl_name = CTL_UNNUMBERED,
60481 + .procname = "exec_logging",
60482 + .data = &grsec_enable_execlog,
60483 + .maxlen = sizeof(int),
60484 + .mode = 0600,
60485 + .proc_handler = &proc_dointvec,
60486 + },
60487 +#endif
60488 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
60489 + {
60490 + .ctl_name = CTL_UNNUMBERED,
60491 + .procname = "rwxmap_logging",
60492 + .data = &grsec_enable_log_rwxmaps,
60493 + .maxlen = sizeof(int),
60494 + .mode = 0600,
60495 + .proc_handler = &proc_dointvec,
60496 + },
60497 +#endif
60498 +#ifdef CONFIG_GRKERNSEC_SIGNAL
60499 + {
60500 + .ctl_name = CTL_UNNUMBERED,
60501 + .procname = "signal_logging",
60502 + .data = &grsec_enable_signal,
60503 + .maxlen = sizeof(int),
60504 + .mode = 0600,
60505 + .proc_handler = &proc_dointvec,
60506 + },
60507 +#endif
60508 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
60509 + {
60510 + .ctl_name = CTL_UNNUMBERED,
60511 + .procname = "forkfail_logging",
60512 + .data = &grsec_enable_forkfail,
60513 + .maxlen = sizeof(int),
60514 + .mode = 0600,
60515 + .proc_handler = &proc_dointvec,
60516 + },
60517 +#endif
60518 +#ifdef CONFIG_GRKERNSEC_TIME
60519 + {
60520 + .ctl_name = CTL_UNNUMBERED,
60521 + .procname = "timechange_logging",
60522 + .data = &grsec_enable_time,
60523 + .maxlen = sizeof(int),
60524 + .mode = 0600,
60525 + .proc_handler = &proc_dointvec,
60526 + },
60527 +#endif
60528 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
60529 + {
60530 + .ctl_name = CTL_UNNUMBERED,
60531 + .procname = "chroot_deny_shmat",
60532 + .data = &grsec_enable_chroot_shmat,
60533 + .maxlen = sizeof(int),
60534 + .mode = 0600,
60535 + .proc_handler = &proc_dointvec,
60536 + },
60537 +#endif
60538 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
60539 + {
60540 + .ctl_name = CTL_UNNUMBERED,
60541 + .procname = "chroot_deny_unix",
60542 + .data = &grsec_enable_chroot_unix,
60543 + .maxlen = sizeof(int),
60544 + .mode = 0600,
60545 + .proc_handler = &proc_dointvec,
60546 + },
60547 +#endif
60548 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
60549 + {
60550 + .ctl_name = CTL_UNNUMBERED,
60551 + .procname = "chroot_deny_mount",
60552 + .data = &grsec_enable_chroot_mount,
60553 + .maxlen = sizeof(int),
60554 + .mode = 0600,
60555 + .proc_handler = &proc_dointvec,
60556 + },
60557 +#endif
60558 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
60559 + {
60560 + .ctl_name = CTL_UNNUMBERED,
60561 + .procname = "chroot_deny_fchdir",
60562 + .data = &grsec_enable_chroot_fchdir,
60563 + .maxlen = sizeof(int),
60564 + .mode = 0600,
60565 + .proc_handler = &proc_dointvec,
60566 + },
60567 +#endif
60568 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
60569 + {
60570 + .ctl_name = CTL_UNNUMBERED,
60571 + .procname = "chroot_deny_chroot",
60572 + .data = &grsec_enable_chroot_double,
60573 + .maxlen = sizeof(int),
60574 + .mode = 0600,
60575 + .proc_handler = &proc_dointvec,
60576 + },
60577 +#endif
60578 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
60579 + {
60580 + .ctl_name = CTL_UNNUMBERED,
60581 + .procname = "chroot_deny_pivot",
60582 + .data = &grsec_enable_chroot_pivot,
60583 + .maxlen = sizeof(int),
60584 + .mode = 0600,
60585 + .proc_handler = &proc_dointvec,
60586 + },
60587 +#endif
60588 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
60589 + {
60590 + .ctl_name = CTL_UNNUMBERED,
60591 + .procname = "chroot_enforce_chdir",
60592 + .data = &grsec_enable_chroot_chdir,
60593 + .maxlen = sizeof(int),
60594 + .mode = 0600,
60595 + .proc_handler = &proc_dointvec,
60596 + },
60597 +#endif
60598 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
60599 + {
60600 + .ctl_name = CTL_UNNUMBERED,
60601 + .procname = "chroot_deny_chmod",
60602 + .data = &grsec_enable_chroot_chmod,
60603 + .maxlen = sizeof(int),
60604 + .mode = 0600,
60605 + .proc_handler = &proc_dointvec,
60606 + },
60607 +#endif
60608 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
60609 + {
60610 + .ctl_name = CTL_UNNUMBERED,
60611 + .procname = "chroot_deny_mknod",
60612 + .data = &grsec_enable_chroot_mknod,
60613 + .maxlen = sizeof(int),
60614 + .mode = 0600,
60615 + .proc_handler = &proc_dointvec,
60616 + },
60617 +#endif
60618 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
60619 + {
60620 + .ctl_name = CTL_UNNUMBERED,
60621 + .procname = "chroot_restrict_nice",
60622 + .data = &grsec_enable_chroot_nice,
60623 + .maxlen = sizeof(int),
60624 + .mode = 0600,
60625 + .proc_handler = &proc_dointvec,
60626 + },
60627 +#endif
60628 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
60629 + {
60630 + .ctl_name = CTL_UNNUMBERED,
60631 + .procname = "chroot_execlog",
60632 + .data = &grsec_enable_chroot_execlog,
60633 + .maxlen = sizeof(int),
60634 + .mode = 0600,
60635 + .proc_handler = &proc_dointvec,
60636 + },
60637 +#endif
60638 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
60639 + {
60640 + .ctl_name = CTL_UNNUMBERED,
60641 + .procname = "chroot_caps",
60642 + .data = &grsec_enable_chroot_caps,
60643 + .maxlen = sizeof(int),
60644 + .mode = 0600,
60645 + .proc_handler = &proc_dointvec,
60646 + },
60647 +#endif
60648 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
60649 + {
60650 + .ctl_name = CTL_UNNUMBERED,
60651 + .procname = "chroot_deny_sysctl",
60652 + .data = &grsec_enable_chroot_sysctl,
60653 + .maxlen = sizeof(int),
60654 + .mode = 0600,
60655 + .proc_handler = &proc_dointvec,
60656 + },
60657 +#endif
60658 +#ifdef CONFIG_GRKERNSEC_TPE
60659 + {
60660 + .ctl_name = CTL_UNNUMBERED,
60661 + .procname = "tpe",
60662 + .data = &grsec_enable_tpe,
60663 + .maxlen = sizeof(int),
60664 + .mode = 0600,
60665 + .proc_handler = &proc_dointvec,
60666 + },
60667 + {
60668 + .ctl_name = CTL_UNNUMBERED,
60669 + .procname = "tpe_gid",
60670 + .data = &grsec_tpe_gid,
60671 + .maxlen = sizeof(int),
60672 + .mode = 0600,
60673 + .proc_handler = &proc_dointvec,
60674 + },
60675 +#endif
60676 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
60677 + {
60678 + .ctl_name = CTL_UNNUMBERED,
60679 + .procname = "tpe_invert",
60680 + .data = &grsec_enable_tpe_invert,
60681 + .maxlen = sizeof(int),
60682 + .mode = 0600,
60683 + .proc_handler = &proc_dointvec,
60684 + },
60685 +#endif
60686 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
60687 + {
60688 + .ctl_name = CTL_UNNUMBERED,
60689 + .procname = "tpe_restrict_all",
60690 + .data = &grsec_enable_tpe_all,
60691 + .maxlen = sizeof(int),
60692 + .mode = 0600,
60693 + .proc_handler = &proc_dointvec,
60694 + },
60695 +#endif
60696 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
60697 + {
60698 + .ctl_name = CTL_UNNUMBERED,
60699 + .procname = "socket_all",
60700 + .data = &grsec_enable_socket_all,
60701 + .maxlen = sizeof(int),
60702 + .mode = 0600,
60703 + .proc_handler = &proc_dointvec,
60704 + },
60705 + {
60706 + .ctl_name = CTL_UNNUMBERED,
60707 + .procname = "socket_all_gid",
60708 + .data = &grsec_socket_all_gid,
60709 + .maxlen = sizeof(int),
60710 + .mode = 0600,
60711 + .proc_handler = &proc_dointvec,
60712 + },
60713 +#endif
60714 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
60715 + {
60716 + .ctl_name = CTL_UNNUMBERED,
60717 + .procname = "socket_client",
60718 + .data = &grsec_enable_socket_client,
60719 + .maxlen = sizeof(int),
60720 + .mode = 0600,
60721 + .proc_handler = &proc_dointvec,
60722 + },
60723 + {
60724 + .ctl_name = CTL_UNNUMBERED,
60725 + .procname = "socket_client_gid",
60726 + .data = &grsec_socket_client_gid,
60727 + .maxlen = sizeof(int),
60728 + .mode = 0600,
60729 + .proc_handler = &proc_dointvec,
60730 + },
60731 +#endif
60732 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
60733 + {
60734 + .ctl_name = CTL_UNNUMBERED,
60735 + .procname = "socket_server",
60736 + .data = &grsec_enable_socket_server,
60737 + .maxlen = sizeof(int),
60738 + .mode = 0600,
60739 + .proc_handler = &proc_dointvec,
60740 + },
60741 + {
60742 + .ctl_name = CTL_UNNUMBERED,
60743 + .procname = "socket_server_gid",
60744 + .data = &grsec_socket_server_gid,
60745 + .maxlen = sizeof(int),
60746 + .mode = 0600,
60747 + .proc_handler = &proc_dointvec,
60748 + },
60749 +#endif
60750 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
60751 + {
60752 + .ctl_name = CTL_UNNUMBERED,
60753 + .procname = "audit_group",
60754 + .data = &grsec_enable_group,
60755 + .maxlen = sizeof(int),
60756 + .mode = 0600,
60757 + .proc_handler = &proc_dointvec,
60758 + },
60759 + {
60760 + .ctl_name = CTL_UNNUMBERED,
60761 + .procname = "audit_gid",
60762 + .data = &grsec_audit_gid,
60763 + .maxlen = sizeof(int),
60764 + .mode = 0600,
60765 + .proc_handler = &proc_dointvec,
60766 + },
60767 +#endif
60768 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
60769 + {
60770 + .ctl_name = CTL_UNNUMBERED,
60771 + .procname = "audit_chdir",
60772 + .data = &grsec_enable_chdir,
60773 + .maxlen = sizeof(int),
60774 + .mode = 0600,
60775 + .proc_handler = &proc_dointvec,
60776 + },
60777 +#endif
60778 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
60779 + {
60780 + .ctl_name = CTL_UNNUMBERED,
60781 + .procname = "audit_mount",
60782 + .data = &grsec_enable_mount,
60783 + .maxlen = sizeof(int),
60784 + .mode = 0600,
60785 + .proc_handler = &proc_dointvec,
60786 + },
60787 +#endif
60788 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
60789 + {
60790 + .ctl_name = CTL_UNNUMBERED,
60791 + .procname = "audit_textrel",
60792 + .data = &grsec_enable_audit_textrel,
60793 + .maxlen = sizeof(int),
60794 + .mode = 0600,
60795 + .proc_handler = &proc_dointvec,
60796 + },
60797 +#endif
60798 +#ifdef CONFIG_GRKERNSEC_DMESG
60799 + {
60800 + .ctl_name = CTL_UNNUMBERED,
60801 + .procname = "dmesg",
60802 + .data = &grsec_enable_dmesg,
60803 + .maxlen = sizeof(int),
60804 + .mode = 0600,
60805 + .proc_handler = &proc_dointvec,
60806 + },
60807 +#endif
60808 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
60809 + {
60810 + .ctl_name = CTL_UNNUMBERED,
60811 + .procname = "chroot_findtask",
60812 + .data = &grsec_enable_chroot_findtask,
60813 + .maxlen = sizeof(int),
60814 + .mode = 0600,
60815 + .proc_handler = &proc_dointvec,
60816 + },
60817 +#endif
60818 +#ifdef CONFIG_GRKERNSEC_RESLOG
60819 + {
60820 + .ctl_name = CTL_UNNUMBERED,
60821 + .procname = "resource_logging",
60822 + .data = &grsec_resource_logging,
60823 + .maxlen = sizeof(int),
60824 + .mode = 0600,
60825 + .proc_handler = &proc_dointvec,
60826 + },
60827 +#endif
60828 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
60829 + {
60830 + .ctl_name = CTL_UNNUMBERED,
60831 + .procname = "audit_ptrace",
60832 + .data = &grsec_enable_audit_ptrace,
60833 + .maxlen = sizeof(int),
60834 + .mode = 0600,
60835 + .proc_handler = &proc_dointvec,
60836 + },
60837 +#endif
60838 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
60839 + {
60840 + .ctl_name = CTL_UNNUMBERED,
60841 + .procname = "harden_ptrace",
60842 + .data = &grsec_enable_harden_ptrace,
60843 + .maxlen = sizeof(int),
60844 + .mode = 0600,
60845 + .proc_handler = &proc_dointvec,
60846 + },
60847 +#endif
60848 + {
60849 + .ctl_name = CTL_UNNUMBERED,
60850 + .procname = "grsec_lock",
60851 + .data = &grsec_lock,
60852 + .maxlen = sizeof(int),
60853 + .mode = 0600,
60854 + .proc_handler = &proc_dointvec,
60855 + },
60856 +#endif
60857 +#ifdef CONFIG_GRKERNSEC_ROFS
60858 + {
60859 + .ctl_name = CTL_UNNUMBERED,
60860 + .procname = "romount_protect",
60861 + .data = &grsec_enable_rofs,
60862 + .maxlen = sizeof(int),
60863 + .mode = 0600,
60864 + .proc_handler = &proc_dointvec_minmax,
60865 + .extra1 = &one,
60866 + .extra2 = &one,
60867 + },
60868 +#endif
60869 + { .ctl_name = 0 }
60870 +};
60871 +#endif
60872 diff -urNp linux-2.6.32.49/grsecurity/grsec_time.c linux-2.6.32.49/grsecurity/grsec_time.c
60873 --- linux-2.6.32.49/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
60874 +++ linux-2.6.32.49/grsecurity/grsec_time.c 2011-11-15 19:59:43.000000000 -0500
60875 @@ -0,0 +1,16 @@
60876 +#include <linux/kernel.h>
60877 +#include <linux/sched.h>
60878 +#include <linux/grinternal.h>
60879 +#include <linux/module.h>
60880 +
60881 +void
60882 +gr_log_timechange(void)
60883 +{
60884 +#ifdef CONFIG_GRKERNSEC_TIME
60885 + if (grsec_enable_time)
60886 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
60887 +#endif
60888 + return;
60889 +}
60890 +
60891 +EXPORT_SYMBOL(gr_log_timechange);
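Review bot: gr_log_timechange() has no comment describing what it records, and it logs through `gr_log_noargs`, so as far as this hunk shows the audit entry carries neither the old nor the new clock value. I would add `/* Log a system time change when grsec_enable_time is set; a no-op without CONFIG_GRKERNSEC_TIME. */` above the definition. If the call sites (outside this hunk) have the new time available, it is worth considering a log variant that includes it, since that is what an investigator needs from this record. The trailing `return;` in a void function can be dropped.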
60892 diff -urNp linux-2.6.32.49/grsecurity/grsec_tpe.c linux-2.6.32.49/grsecurity/grsec_tpe.c
60893 --- linux-2.6.32.49/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
60894 +++ linux-2.6.32.49/grsecurity/grsec_tpe.c 2011-11-15 19:59:43.000000000 -0500
60895 @@ -0,0 +1,39 @@
60896 +#include <linux/kernel.h>
60897 +#include <linux/sched.h>
60898 +#include <linux/file.h>
60899 +#include <linux/fs.h>
60900 +#include <linux/grinternal.h>
60901 +
60902 +extern int gr_acl_tpe_check(void);
60903 +
60904 +int
60905 +gr_tpe_allow(const struct file *file)
60906 +{
60907 +#ifdef CONFIG_GRKERNSEC
60908 + struct inode *inode = file->f_path.dentry->d_parent->d_inode;
60909 + const struct cred *cred = current_cred();
60910 +
60911 + if (cred->uid && ((grsec_enable_tpe &&
60912 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
60913 + ((grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid)) ||
60914 + (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid)))
60915 +#else
60916 + in_group_p(grsec_tpe_gid)
60917 +#endif
60918 + ) || gr_acl_tpe_check()) &&
60919 + (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
60920 + (inode->i_mode & S_IWOTH))))) {
60921 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
60922 + return 0;
60923 + }
60924 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
60925 + if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
60926 + ((inode->i_uid && (inode->i_uid != cred->uid)) ||
60927 + (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
60928 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
60929 + return 0;
60930 + }
60931 +#endif
60932 +#endif
60933 + return 1;
60934 +}
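Review bot: gr_tpe_allow() takes its decision from `file->f_path.dentry->d_parent->d_inode`, and nothing in this hunk pins or locks the parent dentry while its `i_uid` and `i_mode` are read. A concurrent rename of the file could change `d_parent` underneath the check; whether the callers already hold something that prevents this cannot be told from here. Taking a reference with `dget_parent()` and releasing it on a single exit path would make the directory being judged stable for the duration of the check, as sketched below. A one-line comment stating the contract (returns 1 to allow execution, 0 to deny and log) would also help, since the meaning of the return value is only visible by reading both branches.

```c
#ifdef CONFIG_GRKERNSEC
	/* pin the parent so a concurrent rename cannot swap the directory being judged */
	struct dentry *parent = dget_parent(file->f_path.dentry);
	struct inode *inode = parent->d_inode;
	const struct cred *cred = current_cred();
	int allowed = 1;

	/* … unchanged: first TPE condition … */
		gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
		allowed = 0;
		goto out;
	}
	/* … unchanged: CONFIG_GRKERNSEC_TPE_ALL condition, setting allowed = 0 instead of returning … */
out:
	dput(parent);
	return allowed;
#endif
	return 1;
```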
60935 diff -urNp linux-2.6.32.49/grsecurity/grsum.c linux-2.6.32.49/grsecurity/grsum.c
60936 --- linux-2.6.32.49/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
60937 +++ linux-2.6.32.49/grsecurity/grsum.c 2011-11-15 19:59:43.000000000 -0500
60938 @@ -0,0 +1,61 @@
60939 +#include <linux/err.h>
60940 +#include <linux/kernel.h>
60941 +#include <linux/sched.h>
60942 +#include <linux/mm.h>
60943 +#include <linux/scatterlist.h>
60944 +#include <linux/crypto.h>
60945 +#include <linux/gracl.h>
60946 +
60947 +
60948 +#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
60949 +#error "crypto and sha256 must be built into the kernel"
60950 +#endif
60951 +
60952 +int
60953 +chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
60954 +{
60955 + char *p;
60956 + struct crypto_hash *tfm;
60957 + struct hash_desc desc;
60958 + struct scatterlist sg;
60959 + unsigned char temp_sum[GR_SHA_LEN];
60960 + volatile int retval = 0;
60961 + volatile int dummy = 0;
60962 + unsigned int i;
60963 +
60964 + sg_init_table(&sg, 1);
60965 +
60966 + tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
60967 + if (IS_ERR(tfm)) {
60968 + /* should never happen, since sha256 should be built in */
60969 + return 1;
60970 + }
60971 +
60972 + desc.tfm = tfm;
60973 + desc.flags = 0;
60974 +
60975 + crypto_hash_init(&desc);
60976 +
60977 + p = salt;
60978 + sg_set_buf(&sg, p, GR_SALT_LEN);
60979 + crypto_hash_update(&desc, &sg, sg.length);
60980 +
60981 + p = entry->pw;
60982 + sg_set_buf(&sg, p, strlen(p));
60983 +
60984 + crypto_hash_update(&desc, &sg, sg.length);
60985 +
60986 + crypto_hash_final(&desc, temp_sum);
60987 +
60988 + memset(entry->pw, 0, GR_PW_LEN);
60989 +
60990 + for (i = 0; i < GR_SHA_LEN; i++)
60991 + if (sum[i] != temp_sum[i])
60992 + retval = 1;
60993 + else
60994 + dummy = 1; // waste a cycle
60995 +
60996 + crypto_free_hash(tfm);
60997 +
60998 + return retval;
60999 +}
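Review bot: The return values of `crypto_hash_init`, `crypto_hash_update` and `crypto_hash_final` are all ignored in chkpw(), so if any of them fails the compare loop runs against whatever is in the uninitialised `temp_sum` stack buffer; the function should fail closed instead. The early `return 1` after `crypto_alloc_hash` also leaves `entry->pw` uncleared, unlike the normal path. I would start `retval` at 1, jump to a common exit on any hash error, and set it to 0 only just before the comparison, as below. `strlen(entry->pw)` additionally relies on the caller guaranteeing NUL termination within GR_PW_LEN, which is not visible in this hunk and deserves a comment.

```c
	volatile int retval = 1;	/* fail closed until the digests have been compared */
	/* … unchanged: other locals, sg_init_table, crypto_alloc_hash … */
	if (IS_ERR(tfm)) {
		/* should never happen, since sha256 should be built in */
		memset(entry->pw, 0, GR_PW_LEN);
		return 1;
	}
	/* … unchanged: desc setup … */
	if (crypto_hash_init(&desc))
		goto out;

	p = salt;
	sg_set_buf(&sg, p, GR_SALT_LEN);
	if (crypto_hash_update(&desc, &sg, sg.length))
		goto out;

	p = entry->pw;
	sg_set_buf(&sg, p, strlen(p));
	if (crypto_hash_update(&desc, &sg, sg.length))
		goto out;

	if (crypto_hash_final(&desc, temp_sum))
		goto out;

	retval = 0;
	/* … unchanged: byte-by-byte compare loop … */
out:
	memset(entry->pw, 0, GR_PW_LEN);
	crypto_free_hash(tfm);
	return retval;
```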
61000 diff -urNp linux-2.6.32.49/grsecurity/Kconfig linux-2.6.32.49/grsecurity/Kconfig
61001 --- linux-2.6.32.49/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
61002 +++ linux-2.6.32.49/grsecurity/Kconfig 2011-11-15 19:59:43.000000000 -0500
61003 @@ -0,0 +1,1036 @@
61004 +#
61005 +# grecurity configuration
61006 +#
61007 +
61008 +menu "Grsecurity"
61009 +
61010 +config GRKERNSEC
61011 + bool "Grsecurity"
61012 + select CRYPTO
61013 + select CRYPTO_SHA256
61014 + help
61015 + If you say Y here, you will be able to configure many features
61016 + that will enhance the security of your system. It is highly
61017 + recommended that you say Y here and read through the help
61018 + for each option so that you fully understand the features and
61019 + can evaluate their usefulness for your machine.
61020 +
61021 +choice
61022 + prompt "Security Level"
61023 + depends on GRKERNSEC
61024 + default GRKERNSEC_CUSTOM
61025 +
61026 +config GRKERNSEC_LOW
61027 + bool "Low"
61028 + select GRKERNSEC_LINK
61029 + select GRKERNSEC_FIFO
61030 + select GRKERNSEC_RANDNET
61031 + select GRKERNSEC_DMESG
61032 + select GRKERNSEC_CHROOT
61033 + select GRKERNSEC_CHROOT_CHDIR
61034 +
61035 + help
61036 + If you choose this option, several of the grsecurity options will
61037 + be enabled that will give you greater protection against a number
61038 + of attacks, while assuring that none of your software will have any
61039 + conflicts with the additional security measures. If you run a lot
61040 + of unusual software, or you are having problems with the higher
61041 + security levels, you should say Y here. With this option, the
61042 + following features are enabled:
61043 +
61044 + - Linking restrictions
61045 + - FIFO restrictions
61046 + - Restricted dmesg
61047 + - Enforced chdir("/") on chroot
61048 + - Runtime module disabling
61049 +
61050 +config GRKERNSEC_MEDIUM
61051 + bool "Medium"
61052 + select PAX
61053 + select PAX_EI_PAX
61054 + select PAX_PT_PAX_FLAGS
61055 + select PAX_HAVE_ACL_FLAGS
61056 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
61057 + select GRKERNSEC_CHROOT
61058 + select GRKERNSEC_CHROOT_SYSCTL
61059 + select GRKERNSEC_LINK
61060 + select GRKERNSEC_FIFO
61061 + select GRKERNSEC_DMESG
61062 + select GRKERNSEC_RANDNET
61063 + select GRKERNSEC_FORKFAIL
61064 + select GRKERNSEC_TIME
61065 + select GRKERNSEC_SIGNAL
61066 + select GRKERNSEC_CHROOT
61067 + select GRKERNSEC_CHROOT_UNIX
61068 + select GRKERNSEC_CHROOT_MOUNT
61069 + select GRKERNSEC_CHROOT_PIVOT
61070 + select GRKERNSEC_CHROOT_DOUBLE
61071 + select GRKERNSEC_CHROOT_CHDIR
61072 + select GRKERNSEC_CHROOT_MKNOD
61073 + select GRKERNSEC_PROC
61074 + select GRKERNSEC_PROC_USERGROUP
61075 + select PAX_RANDUSTACK
61076 + select PAX_ASLR
61077 + select PAX_RANDMMAP
61078 + select PAX_REFCOUNT if (X86 || SPARC64)
61079 + select PAX_USERCOPY if ((X86 || SPARC || PPC || ARM) && (SLAB || SLUB || SLOB))
61080 +
61081 + help
61082 + If you say Y here, several features in addition to those included
61083 + in the low additional security level will be enabled. These
61084 + features provide even more security to your system, though in rare
61085 + cases they may be incompatible with very old or poorly written
61086 + software. If you enable this option, make sure that your auth
61087 + service (identd) is running as gid 1001. With this option,
61088 + the following features (in addition to those provided in the
61089 + low additional security level) will be enabled:
61090 +
61091 + - Failed fork logging
61092 + - Time change logging
61093 + - Signal logging
61094 + - Deny mounts in chroot
61095 + - Deny double chrooting
61096 + - Deny sysctl writes in chroot
61097 + - Deny mknod in chroot
61098 + - Deny access to abstract AF_UNIX sockets out of chroot
61099 + - Deny pivot_root in chroot
61100 + - Denied reads/writes of /dev/kmem, /dev/mem, and /dev/port
61101 + - /proc restrictions with special GID set to 10 (usually wheel)
61102 + - Address Space Layout Randomization (ASLR)
61103 + - Prevent exploitation of most refcount overflows
61104 + - Bounds checking of copying between the kernel and userland
61105 +
61106 +config GRKERNSEC_HIGH
61107 + bool "High"
61108 + select GRKERNSEC_LINK
61109 + select GRKERNSEC_FIFO
61110 + select GRKERNSEC_DMESG
61111 + select GRKERNSEC_FORKFAIL
61112 + select GRKERNSEC_TIME
61113 + select GRKERNSEC_SIGNAL
61114 + select GRKERNSEC_CHROOT
61115 + select GRKERNSEC_CHROOT_SHMAT
61116 + select GRKERNSEC_CHROOT_UNIX
61117 + select GRKERNSEC_CHROOT_MOUNT
61118 + select GRKERNSEC_CHROOT_FCHDIR
61119 + select GRKERNSEC_CHROOT_PIVOT
61120 + select GRKERNSEC_CHROOT_DOUBLE
61121 + select GRKERNSEC_CHROOT_CHDIR
61122 + select GRKERNSEC_CHROOT_MKNOD
61123 + select GRKERNSEC_CHROOT_CAPS
61124 + select GRKERNSEC_CHROOT_SYSCTL
61125 + select GRKERNSEC_CHROOT_FINDTASK
61126 + select GRKERNSEC_SYSFS_RESTRICT
61127 + select GRKERNSEC_PROC
61128 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
61129 + select GRKERNSEC_HIDESYM
61130 + select GRKERNSEC_BRUTE
61131 + select GRKERNSEC_PROC_USERGROUP
61132 + select GRKERNSEC_KMEM
61133 + select GRKERNSEC_RESLOG
61134 + select GRKERNSEC_RANDNET
61135 + select GRKERNSEC_PROC_ADD
61136 + select GRKERNSEC_CHROOT_CHMOD
61137 + select GRKERNSEC_CHROOT_NICE
61138 + select GRKERNSEC_AUDIT_MOUNT
61139 + select GRKERNSEC_MODHARDEN if (MODULES)
61140 + select GRKERNSEC_HARDEN_PTRACE
61141 + select GRKERNSEC_VM86 if (X86_32)
61142 + select GRKERNSEC_KERN_LOCKOUT if (X86 || ARM || PPC || SPARC)
61143 + select PAX
61144 + select PAX_RANDUSTACK
61145 + select PAX_ASLR
61146 + select PAX_RANDMMAP
61147 + select PAX_NOEXEC
61148 + select PAX_MPROTECT
61149 + select PAX_EI_PAX
61150 + select PAX_PT_PAX_FLAGS
61151 + select PAX_HAVE_ACL_FLAGS
61152 + select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
61153 + select PAX_MEMORY_UDEREF if (X86 && !XEN)
61154 + select PAX_RANDKSTACK if (X86_TSC && X86)
61155 + select PAX_SEGMEXEC if (X86_32)
61156 + select PAX_PAGEEXEC
61157 + select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
61158 + select PAX_EMUTRAMP if (PARISC)
61159 + select PAX_EMUSIGRT if (PARISC)
61160 + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
61161 + select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
61162 + select PAX_REFCOUNT if (X86 || SPARC64)
61163 + select PAX_USERCOPY if ((X86 || SPARC || PPC || ARM) && (SLAB || SLUB || SLOB))
61164 + help
61165 + If you say Y here, many of the features of grsecurity will be
61166 + enabled, which will protect you against many kinds of attacks
61167 + against your system. The heightened security comes at a cost
61168 + of an increased chance of incompatibilities with rare software
61169 + on your machine. Since this security level enables PaX, you should
61170 + view <http://pax.grsecurity.net> and read about the PaX
61171 + project. While you are there, download chpax and run it on
61172 + binaries that cause problems with PaX. Also remember that
61173 + since the /proc restrictions are enabled, you must run your
61174 + identd as gid 1001. This security level enables the following
61175 + features in addition to those listed in the low and medium
61176 + security levels:
61177 +
61178 + - Additional /proc restrictions
61179 + - Chmod restrictions in chroot
61180 + - No signals, ptrace, or viewing of processes outside of chroot
61181 + - Capability restrictions in chroot
61182 + - Deny fchdir out of chroot
61183 + - Priority restrictions in chroot
61184 + - Segmentation-based implementation of PaX
61185 + - Mprotect restrictions
61186 + - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
61187 + - Kernel stack randomization
61188 + - Mount/unmount/remount logging
61189 + - Kernel symbol hiding
61190 + - Hardening of module auto-loading
61191 + - Ptrace restrictions
61192 + - Restricted vm86 mode
61193 + - Restricted sysfs/debugfs
61194 + - Active kernel exploit response
61195 +
61196 +config GRKERNSEC_CUSTOM
61197 + bool "Custom"
61198 + help
61199 + If you say Y here, you will be able to configure every grsecurity
61200 + option, which allows you to enable many more features that aren't
61201 + covered in the basic security levels. These additional features
61202 + include TPE, socket restrictions, and the sysctl system for
61203 + grsecurity. It is advised that you read through the help for
61204 + each option to determine its usefulness in your situation.
61205 +
61206 +endchoice
61207 +
61208 +menu "Address Space Protection"
61209 +depends on GRKERNSEC
61210 +
61211 +config GRKERNSEC_KMEM
61212 + bool "Deny reading/writing to /dev/kmem, /dev/mem, and /dev/port"
61213 + select STRICT_DEVMEM if (X86 || ARM || TILE || S390)
61214 + help
61215 + If you say Y here, /dev/kmem and /dev/mem won't be allowed to
61216 + be written to or read from to modify or leak the contents of the running
61217 + kernel. /dev/port will also not be allowed to be opened. If you have module
61218 + support disabled, enabling this will close up four ways that are
61219 + currently used to insert malicious code into the running kernel.
61220 + Even with all these features enabled, we still highly recommend that
61221 + you use the RBAC system, as it is still possible for an attacker to
61222 + modify the running kernel through privileged I/O granted by ioperm/iopl.
61223 + If you are not using XFree86, you may be able to stop this additional
61224 + case by enabling the 'Disable privileged I/O' option. Though nothing
61225 + legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
61226 + but only to video memory, which is the only writing we allow in this
61227 + case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
61228 + not be allowed to mprotect it with PROT_WRITE later.
61229 + It is highly recommended that you say Y here if you meet all the
61230 + conditions above.
61231 +
61232 +config GRKERNSEC_VM86
61233 + bool "Restrict VM86 mode"
61234 + depends on X86_32
61235 +
61236 + help
61237 + If you say Y here, only processes with CAP_SYS_RAWIO will be able to
61238 + make use of a special execution mode on 32bit x86 processors called
61239 + Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
61240 + video cards and will still work with this option enabled. The purpose
61241 + of the option is to prevent exploitation of emulation errors in
61242 + virtualization of vm86 mode like the one discovered in VMWare in 2009.
61243 + Nearly all users should be able to enable this option.
61244 +
61245 +config GRKERNSEC_IO
61246 + bool "Disable privileged I/O"
61247 + depends on X86
61248 + select RTC_CLASS
61249 + select RTC_INTF_DEV
61250 + select RTC_DRV_CMOS
61251 +
61252 + help
61253 + If you say Y here, all ioperm and iopl calls will return an error.
61254 + Ioperm and iopl can be used to modify the running kernel.
61255 + Unfortunately, some programs need this access to operate properly,
61256 + the most notable of which are XFree86 and hwclock. hwclock can be
61257 + remedied by having RTC support in the kernel, so real-time
61258 + clock support is enabled if this option is enabled, to ensure
61259 + that hwclock operates correctly. XFree86 still will not
61260 + operate correctly with this option enabled, so DO NOT CHOOSE Y
61261 + IF YOU USE XFree86. If you use XFree86 and you still want to
61262 + protect your kernel against modification, use the RBAC system.
61263 +
61264 +config GRKERNSEC_PROC_MEMMAP
61265 + bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
61266 + default y if (PAX_NOEXEC || PAX_ASLR)
61267 + depends on PAX_NOEXEC || PAX_ASLR
61268 + help
61269 + If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
61270 + give no information about the addresses of its mappings if
61271 + PaX features that rely on random addresses are enabled on the task.
61272 + If you use PaX it is greatly recommended that you say Y here as it
61273 + closes up a hole that makes the full ASLR useless for suid
61274 + binaries.
61275 +
61276 +config GRKERNSEC_BRUTE
61277 + bool "Deter exploit bruteforcing"
61278 + help
61279 + If you say Y here, attempts to bruteforce exploits against forking
61280 + daemons such as apache or sshd, as well as against suid/sgid binaries
61281 + will be deterred. When a child of a forking daemon is killed by PaX
61282 + or crashes due to an illegal instruction or other suspicious signal,
61283 + the parent process will be delayed 30 seconds upon every subsequent
61284 + fork until the administrator is able to assess the situation and
61285 + restart the daemon.
61286 + In the suid/sgid case, the attempt is logged, the user has all their
61287 + processes terminated, and they are prevented from executing any further
61288 + processes for 15 minutes.
61289 + It is recommended that you also enable signal logging in the auditing
61290 + section so that logs are generated when a process triggers a suspicious
61291 + signal.
61292 + If the sysctl option is enabled, a sysctl option with name
61293 + "deter_bruteforce" is created.
61294 +
61295 +config GRKERNSEC_MODHARDEN
61296 + bool "Harden module auto-loading"
61297 + depends on MODULES
61298 + help
61299 + If you say Y here, module auto-loading in response to use of some
61300 + feature implemented by an unloaded module will be restricted to
61301 + root users. Enabling this option helps defend against attacks
61302 + by unprivileged users who abuse the auto-loading behavior to
61303 + cause a vulnerable module to load that is then exploited.
61304 +
61305 + If this option prevents a legitimate use of auto-loading for a
61306 + non-root user, the administrator can execute modprobe manually
61307 + with the exact name of the module mentioned in the alert log.
61308 + Alternatively, the administrator can add the module to the list
61309 + of modules loaded at boot by modifying init scripts.
61310 +
61311 + Modification of init scripts will most likely be needed on
61312 + Ubuntu servers with encrypted home directory support enabled,
61313 + as the first non-root user logging in will cause the ecb(aes),
61314 + ecb(aes)-all, cbc(aes), and cbc(aes)-all modules to be loaded.
61315 +
61316 +config GRKERNSEC_HIDESYM
61317 + bool "Hide kernel symbols"
61318 + help
61319 + If you say Y here, getting information on loaded modules, and
61320 + displaying all kernel symbols through a syscall will be restricted
61321 + to users with CAP_SYS_MODULE. For software compatibility reasons,
61322 + /proc/kallsyms will be restricted to the root user. The RBAC
61323 + system can hide that entry even from root.
61324 +
61325 + This option also prevents leaking of kernel addresses through
61326 + several /proc entries.
61327 +
61328 + Note that this option is only effective provided the following
61329 + conditions are met:
61330 + 1) The kernel using grsecurity is not precompiled by some distribution
61331 + 2) You have also enabled GRKERNSEC_DMESG
61332 + 3) You are using the RBAC system and hiding other files such as your
61333 + kernel image and System.map. Alternatively, enabling this option
61334 + causes the permissions on /boot, /lib/modules, and the kernel
61335 + source directory to change at compile time to prevent
61336 + reading by non-root users.
61337 + If the above conditions are met, this option will aid in providing a
61338 + useful protection against local kernel exploitation of overflows
61339 + and arbitrary read/write vulnerabilities.
61340 +
61341 +config GRKERNSEC_KERN_LOCKOUT
61342 + bool "Active kernel exploit response"
61343 + depends on X86 || ARM || PPC || SPARC
61344 + help
61345 + If you say Y here, when a PaX alert is triggered due to suspicious
61346 + activity in the kernel (from KERNEXEC/UDEREF/USERCOPY)
61347 + or an OOPs occurs due to bad memory accesses, instead of just
61348 + terminating the offending process (and potentially allowing
61349 + a subsequent exploit from the same user), we will take one of two
61350 + actions:
61351 + If the user was root, we will panic the system
61352 + If the user was non-root, we will log the attempt, terminate
61353 + all processes owned by the user, then prevent them from creating
61354 + any new processes until the system is restarted
61355 + This deters repeated kernel exploitation/bruteforcing attempts
61356 + and is useful for later forensics.
61357 +
61358 +endmenu
61359 +menu "Role Based Access Control Options"
61360 +depends on GRKERNSEC
61361 +
61362 +config GRKERNSEC_RBAC_DEBUG
61363 + bool
61364 +
61365 +config GRKERNSEC_NO_RBAC
61366 + bool "Disable RBAC system"
61367 + help
61368 + If you say Y here, the /dev/grsec device will be removed from the kernel,
61369 + preventing the RBAC system from being enabled. You should only say Y
61370 + here if you have no intention of using the RBAC system, so as to prevent
61371 + an attacker with root access from misusing the RBAC system to hide files
61372 + and processes when loadable module support and /dev/[k]mem have been
61373 + locked down.
61374 +
61375 +config GRKERNSEC_ACL_HIDEKERN
61376 + bool "Hide kernel processes"
61377 + help
61378 + If you say Y here, all kernel threads will be hidden to all
61379 + processes but those whose subject has the "view hidden processes"
61380 + flag.
61381 +
61382 +config GRKERNSEC_ACL_MAXTRIES
61383 + int "Maximum tries before password lockout"
61384 + default 3
61385 + help
61386 + This option enforces the maximum number of times a user can attempt
61387 + to authorize themselves with the grsecurity RBAC system before being
61388 + denied the ability to attempt authorization again for a specified time.
61389 + The lower the number, the harder it will be to brute-force a password.
61390 +
61391 +config GRKERNSEC_ACL_TIMEOUT
61392 + int "Time to wait after max password tries, in seconds"
61393 + default 30
61394 + help
61395 + This option specifies the time the user must wait after attempting to
61396 + authorize to the RBAC system with the maximum number of invalid
61397 + passwords. The higher the number, the harder it will be to brute-force
61398 + a password.
61399 +
61400 +endmenu
61401 +menu "Filesystem Protections"
61402 +depends on GRKERNSEC
61403 +
61404 +config GRKERNSEC_PROC
61405 + bool "Proc restrictions"
61406 + help
61407 + If you say Y here, the permissions of the /proc filesystem
61408 + will be altered to enhance system security and privacy. You MUST
61409 + choose either a user only restriction or a user and group restriction.
61410 + Depending upon the option you choose, you can either restrict users to
61411 + see only the processes they themselves run, or choose a group that can
61412 + view all processes and files normally restricted to root if you choose
61413 + the "restrict to user only" option. NOTE: If you're running identd as
61414 + a non-root user, you will have to run it as the group you specify here.
61415 +
61416 +config GRKERNSEC_PROC_USER
61417 + bool "Restrict /proc to user only"
61418 + depends on GRKERNSEC_PROC
61419 + help
61420 + If you say Y here, non-root users will only be able to view their own
61421 + processes, and restricts them from viewing network-related information,
61422 + and viewing kernel symbol and module information.
61423 +
61424 +config GRKERNSEC_PROC_USERGROUP
61425 + bool "Allow special group"
61426 + depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
61427 + help
61428 + If you say Y here, you will be able to select a group that will be
61429 + able to view all processes and network-related information. If you've
61430 + enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
61431 + remain hidden. This option is useful if you want to run identd as
61432 + a non-root user.
61433 +
61434 +config GRKERNSEC_PROC_GID
61435 + int "GID for special group"
61436 + depends on GRKERNSEC_PROC_USERGROUP
61437 + default 1001
61438 +
61439 +config GRKERNSEC_PROC_ADD
61440 + bool "Additional restrictions"
61441 + depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
61442 + help
61443 + If you say Y here, additional restrictions will be placed on
61444 + /proc that keep normal users from viewing device information and
61445 + slabinfo information that could be useful for exploits.
61446 +
61447 +config GRKERNSEC_LINK
61448 + bool "Linking restrictions"
61449 + help
61450 + If you say Y here, /tmp race exploits will be prevented, since users
61451 + will no longer be able to follow symlinks owned by other users in
61452 + world-writable +t directories (e.g. /tmp), unless the owner of the
61453 + symlink is the owner of the directory. users will also not be
61454 + able to hardlink to files they do not own. If the sysctl option is
61455 + enabled, a sysctl option with name "linking_restrictions" is created.
61456 +
61457 +config GRKERNSEC_FIFO
61458 + bool "FIFO restrictions"
61459 + help
61460 + If you say Y here, users will not be able to write to FIFOs they don't
61461 + own in world-writable +t directories (e.g. /tmp), unless the owner of
61462 + the FIFO is the same owner of the directory it's held in. If the sysctl
61463 + option is enabled, a sysctl option with name "fifo_restrictions" is
61464 + created.
61465 +
61466 +config GRKERNSEC_SYSFS_RESTRICT
61467 + bool "Sysfs/debugfs restriction"
61468 + depends on SYSFS
61469 + help
61470 + If you say Y here, sysfs (the pseudo-filesystem mounted at /sys) and
61471 + any filesystem normally mounted under it (e.g. debugfs) will only
61472 + be accessible by root. These filesystems generally provide access
61473 + to hardware and debug information that isn't appropriate for unprivileged
61474 + users of the system. Sysfs and debugfs have also become a large source
61475 + of new vulnerabilities, ranging from infoleaks to local compromise.
61476 + There has been very little oversight with an eye toward security involved
61477 + in adding new exporters of information to these filesystems, so their
61478 + use is discouraged.
61479 + This option is equivalent to a chmod 0700 of the mount paths.
61480 +
61481 +config GRKERNSEC_ROFS
61482 + bool "Runtime read-only mount protection"
61483 + help
61484 + If you say Y here, a sysctl option with name "romount_protect" will
61485 + be created. By setting this option to 1 at runtime, filesystems
61486 + will be protected in the following ways:
61487 + * No new writable mounts will be allowed
61488 + * Existing read-only mounts won't be able to be remounted read/write
61489 + * Write operations will be denied on all block devices
61490 + This option acts independently of grsec_lock: once it is set to 1,
61491 + it cannot be turned off. Therefore, please be mindful of the resulting
61492 + behavior if this option is enabled in an init script on a read-only
61493 + filesystem. This feature is mainly intended for secure embedded systems.
61494 +
61495 +config GRKERNSEC_CHROOT
61496 + bool "Chroot jail restrictions"
61497 + help
61498 + If you say Y here, you will be able to choose several options that will
61499 + make breaking out of a chrooted jail much more difficult. If you
61500 + encounter no software incompatibilities with the following options, it
61501 + is recommended that you enable each one.
61502 +
61503 +config GRKERNSEC_CHROOT_MOUNT
61504 + bool "Deny mounts"
61505 + depends on GRKERNSEC_CHROOT
61506 + help
61507 + If you say Y here, processes inside a chroot will not be able to
61508 + mount or remount filesystems. If the sysctl option is enabled, a
61509 + sysctl option with name "chroot_deny_mount" is created.
61510 +
61511 +config GRKERNSEC_CHROOT_DOUBLE
61512 + bool "Deny double-chroots"
61513 + depends on GRKERNSEC_CHROOT
61514 + help
61515 + If you say Y here, processes inside a chroot will not be able to chroot
61516 + again outside the chroot. This is a widely used method of breaking
61517 + out of a chroot jail and should not be allowed. If the sysctl
61518 + option is enabled, a sysctl option with name
61519 + "chroot_deny_chroot" is created.
61520 +
61521 +config GRKERNSEC_CHROOT_PIVOT
61522 + bool "Deny pivot_root in chroot"
61523 + depends on GRKERNSEC_CHROOT
61524 + help
61525 + If you say Y here, processes inside a chroot will not be able to use
61526 + a function called pivot_root() that was introduced in Linux 2.3.41. It
61527 + works similar to chroot in that it changes the root filesystem. This
61528 + function could be misused in a chrooted process to attempt to break out
61529 + of the chroot, and therefore should not be allowed. If the sysctl
61530 + option is enabled, a sysctl option with name "chroot_deny_pivot" is
61531 + created.
61532 +
61533 +config GRKERNSEC_CHROOT_CHDIR
61534 + bool "Enforce chdir(\"/\") on all chroots"
61535 + depends on GRKERNSEC_CHROOT
61536 + help
61537 + If you say Y here, the current working directory of all newly-chrooted
61538 + applications will be set to the the root directory of the chroot.
61539 + The man page on chroot(2) states:
61540 + Note that this call does not change the current working
61541 + directory, so that `.' can be outside the tree rooted at
61542 + `/'. In particular, the super-user can escape from a
61543 + `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
61544 +
61545 + It is recommended that you say Y here, since it's not known to break
61546 + any software. If the sysctl option is enabled, a sysctl option with
61547 + name "chroot_enforce_chdir" is created.
61548 +
61549 +config GRKERNSEC_CHROOT_CHMOD
61550 + bool "Deny (f)chmod +s"
61551 + depends on GRKERNSEC_CHROOT
61552 + help
61553 + If you say Y here, processes inside a chroot will not be able to chmod
61554 + or fchmod files to make them have suid or sgid bits. This protects
61555 + against another published method of breaking a chroot. If the sysctl
61556 + option is enabled, a sysctl option with name "chroot_deny_chmod" is
61557 + created.
61558 +
61559 +config GRKERNSEC_CHROOT_FCHDIR
61560 + bool "Deny fchdir out of chroot"
61561 + depends on GRKERNSEC_CHROOT
61562 + help
61563 + If you say Y here, a well-known method of breaking chroots by fchdir'ing
61564 + to a file descriptor of the chrooting process that points to a directory
61565 + outside the filesystem will be stopped. If the sysctl option
61566 + is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
61567 +
61568 +config GRKERNSEC_CHROOT_MKNOD
61569 + bool "Deny mknod"
61570 + depends on GRKERNSEC_CHROOT
61571 + help
61572 + If you say Y here, processes inside a chroot will not be allowed to
61573 + mknod. The problem with using mknod inside a chroot is that it
61574 + would allow an attacker to create a device entry that is the same
61575 + as one on the physical root of your system, which could range from
61576 + anything from the console device to a device for your harddrive (which
61577 + they could then use to wipe the drive or steal data). It is recommended
61578 + that you say Y here, unless you run into software incompatibilities.
61579 + If the sysctl option is enabled, a sysctl option with name
61580 + "chroot_deny_mknod" is created.
61581 +
61582 +config GRKERNSEC_CHROOT_SHMAT
61583 + bool "Deny shmat() out of chroot"
61584 + depends on GRKERNSEC_CHROOT
61585 + help
61586 + If you say Y here, processes inside a chroot will not be able to attach
61587 + to shared memory segments that were created outside of the chroot jail.
61588 + It is recommended that you say Y here. If the sysctl option is enabled,
61589 + a sysctl option with name "chroot_deny_shmat" is created.
61590 +
61591 +config GRKERNSEC_CHROOT_UNIX
61592 + bool "Deny access to abstract AF_UNIX sockets out of chroot"
61593 + depends on GRKERNSEC_CHROOT
61594 + help
61595 + If you say Y here, processes inside a chroot will not be able to
61596 + connect to abstract (meaning not belonging to a filesystem) Unix
61597 + domain sockets that were bound outside of a chroot. It is recommended
61598 + that you say Y here. If the sysctl option is enabled, a sysctl option
61599 + with name "chroot_deny_unix" is created.
61600 +
61601 +config GRKERNSEC_CHROOT_FINDTASK
61602 + bool "Protect outside processes"
61603 + depends on GRKERNSEC_CHROOT
61604 + help
61605 + If you say Y here, processes inside a chroot will not be able to
61606 + kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
61607 + getsid, or view any process outside of the chroot. If the sysctl
61608 + option is enabled, a sysctl option with name "chroot_findtask" is
61609 + created.
61610 +
61611 +config GRKERNSEC_CHROOT_NICE
61612 + bool "Restrict priority changes"
61613 + depends on GRKERNSEC_CHROOT
61614 + help
61615 + If you say Y here, processes inside a chroot will not be able to raise
61616 + the priority of processes in the chroot, or alter the priority of
61617 + processes outside the chroot. This provides more security than simply
61618 + removing CAP_SYS_NICE from the process' capability set. If the
61619 + sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
61620 + is created.
61621 +
61622 +config GRKERNSEC_CHROOT_SYSCTL
61623 + bool "Deny sysctl writes"
61624 + depends on GRKERNSEC_CHROOT
61625 + help
61626 + If you say Y here, an attacker in a chroot will not be able to
61627 + write to sysctl entries, either by sysctl(2) or through a /proc
61628 + interface. It is strongly recommended that you say Y here. If the
61629 + sysctl option is enabled, a sysctl option with name
61630 + "chroot_deny_sysctl" is created.
61631 +
61632 +config GRKERNSEC_CHROOT_CAPS
61633 + bool "Capability restrictions"
61634 + depends on GRKERNSEC_CHROOT
61635 + help
61636 + If you say Y here, the capabilities on all processes within a
61637 + chroot jail will be lowered to stop module insertion, raw i/o,
61638 + system and net admin tasks, rebooting the system, modifying immutable
61639 + files, modifying IPC owned by another, and changing the system time.
61640 + This is left an option because it can break some apps. Disable this
61641 + if your chrooted apps are having problems performing those kinds of
61642 + tasks. If the sysctl option is enabled, a sysctl option with
61643 + name "chroot_caps" is created.
61644 +
61645 +endmenu
61646 +menu "Kernel Auditing"
61647 +depends on GRKERNSEC
61648 +
61649 +config GRKERNSEC_AUDIT_GROUP
61650 + bool "Single group for auditing"
61651 + help
61652 + If you say Y here, the exec, chdir, and (un)mount logging features
61653 + will only operate on a group you specify. This option is recommended
61654 + if you only want to watch certain users instead of having a large
61655 + amount of logs from the entire system. If the sysctl option is enabled,
61656 + a sysctl option with name "audit_group" is created.
61657 +
61658 +config GRKERNSEC_AUDIT_GID
61659 + int "GID for auditing"
61660 + depends on GRKERNSEC_AUDIT_GROUP
61661 + default 1007
61662 +
61663 +config GRKERNSEC_EXECLOG
61664 + bool "Exec logging"
61665 + help
61666 + If you say Y here, all execve() calls will be logged (since the
61667 + other exec*() calls are frontends to execve(), all execution
61668 + will be logged). Useful for shell-servers that like to keep track
61669 + of their users. If the sysctl option is enabled, a sysctl option with
61670 + name "exec_logging" is created.
61671 + WARNING: This option when enabled will produce a LOT of logs, especially
61672 + on an active system.
61673 +
61674 +config GRKERNSEC_RESLOG
61675 + bool "Resource logging"
61676 + help
61677 + If you say Y here, all attempts to overstep resource limits will
61678 + be logged with the resource name, the requested size, and the current
61679 + limit. It is highly recommended that you say Y here. If the sysctl
61680 + option is enabled, a sysctl option with name "resource_logging" is
61681 + created. If the RBAC system is enabled, the sysctl value is ignored.
61682 +
61683 +config GRKERNSEC_CHROOT_EXECLOG
61684 + bool "Log execs within chroot"
61685 + help
61686 + If you say Y here, all executions inside a chroot jail will be logged
61687 + to syslog. This can cause a large amount of logs if certain
61688 + applications (eg. djb's daemontools) are installed on the system, and
61689 + is therefore left as an option. If the sysctl option is enabled, a
61690 + sysctl option with name "chroot_execlog" is created.
61691 +
61692 +config GRKERNSEC_AUDIT_PTRACE
61693 + bool "Ptrace logging"
61694 + help
61695 + If you say Y here, all attempts to attach to a process via ptrace
61696 + will be logged. If the sysctl option is enabled, a sysctl option
61697 + with name "audit_ptrace" is created.
61698 +
61699 +config GRKERNSEC_AUDIT_CHDIR
61700 + bool "Chdir logging"
61701 + help
61702 + If you say Y here, all chdir() calls will be logged. If the sysctl
61703 + option is enabled, a sysctl option with name "audit_chdir" is created.
61704 +
61705 +config GRKERNSEC_AUDIT_MOUNT
61706 + bool "(Un)Mount logging"
61707 + help
61708 + If you say Y here, all mounts and unmounts will be logged. If the
61709 + sysctl option is enabled, a sysctl option with name "audit_mount" is
61710 + created.
61711 +
61712 +config GRKERNSEC_SIGNAL
61713 + bool "Signal logging"
61714 + help
61715 + If you say Y here, certain important signals will be logged, such as
61716 + SIGSEGV, which will as a result inform you of when a error in a program
61717 + occurred, which in some cases could mean a possible exploit attempt.
61718 + If the sysctl option is enabled, a sysctl option with name
61719 + "signal_logging" is created.
61720 +
61721 +config GRKERNSEC_FORKFAIL
61722 + bool "Fork failure logging"
61723 + help
61724 + If you say Y here, all failed fork() attempts will be logged.
61725 + This could suggest a fork bomb, or someone attempting to overstep
61726 + their process limit. If the sysctl option is enabled, a sysctl option
61727 + with name "forkfail_logging" is created.
61728 +
61729 +config GRKERNSEC_TIME
61730 + bool "Time change logging"
61731 + help
61732 + If you say Y here, any changes of the system clock will be logged.
61733 + If the sysctl option is enabled, a sysctl option with name
61734 + "timechange_logging" is created.
61735 +
61736 +config GRKERNSEC_PROC_IPADDR
61737 + bool "/proc/<pid>/ipaddr support"
61738 + help
61739 + If you say Y here, a new entry will be added to each /proc/<pid>
61740 + directory that contains the IP address of the person using the task.
61741 + The IP is carried across local TCP and AF_UNIX stream sockets.
61742 + This information can be useful for IDS/IPSes to perform remote response
61743 + to a local attack. The entry is readable by only the owner of the
61744 + process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
61745 + the RBAC system), and thus does not create privacy concerns.
61746 +
61747 +config GRKERNSEC_RWXMAP_LOG
61748 + bool 'Denied RWX mmap/mprotect logging'
61749 + depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT
61750 + help
61751 + If you say Y here, calls to mmap() and mprotect() with explicit
61752 + usage of PROT_WRITE and PROT_EXEC together will be logged when
61753 + denied by the PAX_MPROTECT feature. If the sysctl option is
61754 + enabled, a sysctl option with name "rwxmap_logging" is created.
61755 +
61756 +config GRKERNSEC_AUDIT_TEXTREL
61757 + bool 'ELF text relocations logging (READ HELP)'
61758 + depends on PAX_MPROTECT
61759 + help
61760 + If you say Y here, text relocations will be logged with the filename
61761 + of the offending library or binary. The purpose of the feature is
61762 + to help Linux distribution developers get rid of libraries and
61763 + binaries that need text relocations which hinder the future progress
61764 + of PaX. Only Linux distribution developers should say Y here, and
61765 + never on a production machine, as this option creates an information
61766 + leak that could aid an attacker in defeating the randomization of
61767 + a single memory region. If the sysctl option is enabled, a sysctl
61768 + option with name "audit_textrel" is created.
61769 +
61770 +endmenu
61771 +
61772 +menu "Executable Protections"
61773 +depends on GRKERNSEC
61774 +
61775 +config GRKERNSEC_DMESG
61776 + bool "Dmesg(8) restriction"
61777 + help
61778 + If you say Y here, non-root users will not be able to use dmesg(8)
61779 + to view up to the last 4kb of messages in the kernel's log buffer.
61780 + The kernel's log buffer often contains kernel addresses and other
61781 + identifying information useful to an attacker in fingerprinting a
61782 + system for a targeted exploit.
61783 + If the sysctl option is enabled, a sysctl option with name "dmesg" is
61784 + created.
61785 +
61786 +config GRKERNSEC_HARDEN_PTRACE
61787 + bool "Deter ptrace-based process snooping"
61788 + help
61789 + If you say Y here, TTY sniffers and other malicious monitoring
61790 + programs implemented through ptrace will be defeated. If you
61791 + have been using the RBAC system, this option has already been
61792 + enabled for several years for all users, with the ability to make
61793 + fine-grained exceptions.
61794 +
61795 + This option only affects the ability of non-root users to ptrace
61796 + processes that are not a descendent of the ptracing process.
61797 + This means that strace ./binary and gdb ./binary will still work,
61798 + but attaching to arbitrary processes will not. If the sysctl
61799 + option is enabled, a sysctl option with name "harden_ptrace" is
61800 + created.
61801 +
61802 +config GRKERNSEC_TPE
61803 + bool "Trusted Path Execution (TPE)"
61804 + help
61805 + If you say Y here, you will be able to choose a gid to add to the
61806 + supplementary groups of users you want to mark as "untrusted."
61807 + These users will not be able to execute any files that are not in
61808 + root-owned directories writable only by root. If the sysctl option
61809 + is enabled, a sysctl option with name "tpe" is created.
61810 +
61811 +config GRKERNSEC_TPE_ALL
61812 + bool "Partially restrict all non-root users"
61813 + depends on GRKERNSEC_TPE
61814 + help
61815 + If you say Y here, all non-root users will be covered under
61816 + a weaker TPE restriction. This is separate from, and in addition to,
61817 + the main TPE options that you have selected elsewhere. Thus, if a
61818 + "trusted" GID is chosen, this restriction applies to even that GID.
61819 + Under this restriction, all non-root users will only be allowed to
61820 + execute files in directories they own that are not group or
61821 + world-writable, or in directories owned by root and writable only by
61822 + root. If the sysctl option is enabled, a sysctl option with name
61823 + "tpe_restrict_all" is created.
61824 +
61825 +config GRKERNSEC_TPE_INVERT
61826 + bool "Invert GID option"
61827 + depends on GRKERNSEC_TPE
61828 + help
61829 + If you say Y here, the group you specify in the TPE configuration will
61830 + decide what group TPE restrictions will be *disabled* for. This
61831 + option is useful if you want TPE restrictions to be applied to most
61832 + users on the system. If the sysctl option is enabled, a sysctl option
61833 + with name "tpe_invert" is created. Unlike other sysctl options, this
61834 + entry will default to on for backward-compatibility.
61835 +
61836 +config GRKERNSEC_TPE_GID
61837 + int "GID for untrusted users"
61838 + depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
61839 + default 1005
61840 + help
61841 + Setting this GID determines what group TPE restrictions will be
61842 + *enabled* for. If the sysctl option is enabled, a sysctl option
61843 + with name "tpe_gid" is created.
61844 +
61845 +config GRKERNSEC_TPE_GID
61846 + int "GID for trusted users"
61847 + depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
61848 + default 1005
61849 + help
61850 + Setting this GID determines what group TPE restrictions will be
61851 + *disabled* for. If the sysctl option is enabled, a sysctl option
61852 + with name "tpe_gid" is created.
61853 +
61854 +endmenu
61855 +menu "Network Protections"
61856 +depends on GRKERNSEC
61857 +
61858 +config GRKERNSEC_RANDNET
61859 + bool "Larger entropy pools"
61860 + help
61861 + If you say Y here, the entropy pools used for many features of Linux
61862 + and grsecurity will be doubled in size. Since several grsecurity
61863 + features use additional randomness, it is recommended that you say Y
61864 + here. Saying Y here has a similar effect as modifying
61865 + /proc/sys/kernel/random/poolsize.
61866 +
61867 +config GRKERNSEC_BLACKHOLE
61868 + bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
61869 + depends on NET
61870 + help
61871 + If you say Y here, neither TCP resets nor ICMP
61872 + destination-unreachable packets will be sent in response to packets
61873 + sent to ports for which no associated listening process exists.
61874 + This feature supports both IPV4 and IPV6 and exempts the
61875 + loopback interface from blackholing. Enabling this feature
61876 + makes a host more resilient to DoS attacks and reduces network
61877 + visibility against scanners.
61878 +
61879 + The blackhole feature as-implemented is equivalent to the FreeBSD
61880 + blackhole feature, as it prevents RST responses to all packets, not
61881 + just SYNs. Under most application behavior this causes no
61882 + problems, but applications (like haproxy) may not close certain
61883 + connections in a way that cleanly terminates them on the remote
61884 + end, leaving the remote host in LAST_ACK state. Because of this
61885 + side-effect and to prevent intentional LAST_ACK DoSes, this
61886 + feature also adds automatic mitigation against such attacks.
61887 + The mitigation drastically reduces the amount of time a socket
61888 + can spend in LAST_ACK state. If you're using haproxy and not
61889 + all servers it connects to have this option enabled, consider
61890 + disabling this feature on the haproxy host.
61891 +
61892 + If the sysctl option is enabled, two sysctl options with names
61893 + "ip_blackhole" and "lastack_retries" will be created.
61894 + While "ip_blackhole" takes the standard zero/non-zero on/off
61895 + toggle, "lastack_retries" uses the same kinds of values as
61896 + "tcp_retries1" and "tcp_retries2". The default value of 4
61897 + prevents a socket from lasting more than 45 seconds in LAST_ACK
61898 + state.
61899 +
61900 +config GRKERNSEC_SOCKET
61901 + bool "Socket restrictions"
61902 + depends on NET
61903 + help
61904 + If you say Y here, you will be able to choose from several options.
61905 + If you assign a GID on your system and add it to the supplementary
61906 + groups of users you want to restrict socket access to, this patch
61907 + will perform up to three things, based on the option(s) you choose.
61908 +
61909 +config GRKERNSEC_SOCKET_ALL
61910 + bool "Deny any sockets to group"
61911 + depends on GRKERNSEC_SOCKET
61912 + help
61913 + If you say Y here, you will be able to choose a GID of whose users will
61914 + be unable to connect to other hosts from your machine or run server
61915 + applications from your machine. If the sysctl option is enabled, a
61916 + sysctl option with name "socket_all" is created.
61917 +
61918 +config GRKERNSEC_SOCKET_ALL_GID
61919 + int "GID to deny all sockets for"
61920 + depends on GRKERNSEC_SOCKET_ALL
61921 + default 1004
61922 + help
61923 + Here you can choose the GID to disable socket access for. Remember to
61924 + add the users you want socket access disabled for to the GID
61925 + specified here. If the sysctl option is enabled, a sysctl option
61926 + with name "socket_all_gid" is created.
61927 +
61928 +config GRKERNSEC_SOCKET_CLIENT
61929 + bool "Deny client sockets to group"
61930 + depends on GRKERNSEC_SOCKET
61931 + help
61932 + If you say Y here, you will be able to choose a GID of whose users will
61933 + be unable to connect to other hosts from your machine, but will be
61934 + able to run servers. If this option is enabled, all users in the group
61935 + you specify will have to use passive mode when initiating ftp transfers
61936 + from the shell on your machine. If the sysctl option is enabled, a
61937 + sysctl option with name "socket_client" is created.
61938 +
61939 +config GRKERNSEC_SOCKET_CLIENT_GID
61940 + int "GID to deny client sockets for"
61941 + depends on GRKERNSEC_SOCKET_CLIENT
61942 + default 1003
61943 + help
61944 + Here you can choose the GID to disable client socket access for.
61945 + Remember to add the users you want client socket access disabled for to
61946 + the GID specified here. If the sysctl option is enabled, a sysctl
61947 + option with name "socket_client_gid" is created.
61948 +
61949 +config GRKERNSEC_SOCKET_SERVER
61950 + bool "Deny server sockets to group"
61951 + depends on GRKERNSEC_SOCKET
61952 + help
61953 + If you say Y here, you will be able to choose a GID of whose users will
61954 + be unable to run server applications from your machine. If the sysctl
61955 + option is enabled, a sysctl option with name "socket_server" is created.
61956 +
61957 +config GRKERNSEC_SOCKET_SERVER_GID
61958 + int "GID to deny server sockets for"
61959 + depends on GRKERNSEC_SOCKET_SERVER
61960 + default 1002
61961 + help
61962 + Here you can choose the GID to disable server socket access for.
61963 + Remember to add the users you want server socket access disabled for to
61964 + the GID specified here. If the sysctl option is enabled, a sysctl
61965 + option with name "socket_server_gid" is created.
61966 +
61967 +endmenu
61968 +menu "Sysctl support"
61969 +depends on GRKERNSEC && SYSCTL
61970 +
61971 +config GRKERNSEC_SYSCTL
61972 + bool "Sysctl support"
61973 + help
61974 + If you say Y here, you will be able to change the options that
61975 + grsecurity runs with at bootup, without having to recompile your
61976 + kernel. You can echo values to files in /proc/sys/kernel/grsecurity
61977 + to enable (1) or disable (0) various features. All the sysctl entries
61978 + are mutable until the "grsec_lock" entry is set to a non-zero value.
61979 + All features enabled in the kernel configuration are disabled at boot
61980 + if you do not say Y to the "Turn on features by default" option.
61981 + All options should be set at startup, and the grsec_lock entry should
61982 + be set to a non-zero value after all the options are set.
61983 + *THIS IS EXTREMELY IMPORTANT*
61984 +
61985 +config GRKERNSEC_SYSCTL_DISTRO
61986 + bool "Extra sysctl support for distro makers (READ HELP)"
61987 + depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO
61988 + help
61989 + If you say Y here, additional sysctl options will be created
61990 + for features that affect processes running as root. Therefore,
61991 + it is critical when using this option that the grsec_lock entry be
61992 + enabled after boot. Only distros with prebuilt kernel packages
61993 + with this option enabled that can ensure grsec_lock is enabled
61994 + after boot should use this option.
61995 + *Failure to set grsec_lock after boot makes all grsec features
61996 + this option covers useless*
61997 +
61998 + Currently this option creates the following sysctl entries:
61999 + "Disable Privileged I/O": "disable_priv_io"
62000 +
62001 +config GRKERNSEC_SYSCTL_ON
62002 + bool "Turn on features by default"
62003 + depends on GRKERNSEC_SYSCTL
62004 + help
62005 + If you say Y here, instead of having all features enabled in the
62006 + kernel configuration disabled at boot time, the features will be
62007 + enabled at boot time. It is recommended you say Y here unless
62008 + there is some reason you would want all sysctl-tunable features to
62009 + be disabled by default. As mentioned elsewhere, it is important
62010 + to enable the grsec_lock entry once you have finished modifying
62011 + the sysctl entries.
62012 +
62013 +endmenu
62014 +menu "Logging Options"
62015 +depends on GRKERNSEC
62016 +
62017 +config GRKERNSEC_FLOODTIME
62018 + int "Seconds in between log messages (minimum)"
62019 + default 10
62020 + help
62021 + This option allows you to enforce the number of seconds between
62022 + grsecurity log messages. The default should be suitable for most
62023 + people, however, if you choose to change it, choose a value small enough
62024 + to allow informative logs to be produced, but large enough to
62025 + prevent flooding.
62026 +
62027 +config GRKERNSEC_FLOODBURST
62028 + int "Number of messages in a burst (maximum)"
62029 + default 6
62030 + help
62031 + This option allows you to choose the maximum number of messages allowed
62032 + within the flood time interval you chose in a separate option. The
62033 + default should be suitable for most people, however if you find that
62034 + many of your logs are being interpreted as flooding, you may want to
62035 + raise this value.
62036 +
62037 +endmenu
62038 +
62039 +endmenu
62040 diff -urNp linux-2.6.32.49/grsecurity/Makefile linux-2.6.32.49/grsecurity/Makefile
62041 --- linux-2.6.32.49/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
62042 +++ linux-2.6.32.49/grsecurity/Makefile 2011-11-15 19:59:43.000000000 -0500
62043 @@ -0,0 +1,36 @@
62044 +# grsecurity's ACL system was originally written in 2001 by Michael Dalton
62045 +# during 2001-2009 it has been completely redesigned by Brad Spengler
62046 +# into an RBAC system
62047 +#
62048 +# All code in this directory and various hooks inserted throughout the kernel
62049 +# are copyright Brad Spengler - Open Source Security, Inc., and released
62050 +# under the GPL v2 or higher
62051 +
62052 +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
62053 + grsec_mount.o grsec_sig.o grsec_sysctl.o \
62054 + grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o
62055 +
62056 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_segv.o \
62057 + gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
62058 + gracl_learn.o grsec_log.o
62059 +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
62060 +
62061 +ifdef CONFIG_NET
62062 +obj-y += grsec_sock.o
62063 +obj-$(CONFIG_GRKERNSEC) += gracl_ip.o
62064 +endif
62065 +
62066 +ifndef CONFIG_GRKERNSEC
62067 +obj-y += grsec_disabled.o
62068 +endif
62069 +
62070 +ifdef CONFIG_GRKERNSEC_HIDESYM
62071 +extra-y := grsec_hidesym.o
62072 +$(obj)/grsec_hidesym.o:
62073 + @-chmod -f 500 /boot
62074 + @-chmod -f 500 /lib/modules
62075 + @-chmod -f 500 /lib64/modules
62076 + @-chmod -f 500 /lib32/modules
62077 + @-chmod -f 700 .
62078 + @echo ' grsec: protected kernel image paths'
62079 +endif
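Review bot: The `$(obj)/grsec_hidesym.o` recipe prints `grsec: protected kernel image paths` unconditionally, although every `chmod` before it is run with `-` and `-f`. A build as a non-root user, or on a machine other than the one the kernel will run on, therefore leaves /boot and the module directories unchanged while the build log says they were protected. The rule also changes permissions on the build host as a side effect of compiling, which a packager would not expect from a kernel build. I would add a comment above the rule such as `# best-effort: affects the build host only, and only when run as root; verify the modes on the target after install`, and tie the message to the result, e.g. `@chmod -f 500 /boot && echo ' grsec: protected kernel image paths' || true`.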
62080 diff -urNp linux-2.6.32.49/include/acpi/acpi_bus.h linux-2.6.32.49/include/acpi/acpi_bus.h
62081 --- linux-2.6.32.49/include/acpi/acpi_bus.h 2011-11-08 19:02:43.000000000 -0500
62082 +++ linux-2.6.32.49/include/acpi/acpi_bus.h 2011-11-15 19:59:43.000000000 -0500
62083 @@ -107,7 +107,7 @@ struct acpi_device_ops {
62084 acpi_op_bind bind;
62085 acpi_op_unbind unbind;
62086 acpi_op_notify notify;
62087 -};
62088 +} __no_const;
62089
62090 #define ACPI_DRIVER_ALL_NOTIFY_EVENTS 0x1 /* system AND device events */
62091
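Review bot: The `__no_const` annotation on `struct acpi_device_ops` is added without a comment saying why this function-pointer table has to stay writable. The attribute is defined outside this hunk; it presumably exempts the structure from the constification applied to other ops structures in this patch, and that leaves its pointers modifiable at run time. A one-line comment naming the code that writes to the structure after initialization, such as `/* __no_const: members assigned at run time by <writer> */`, would let a later reviewer check whether the exemption is still needed.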
62092 diff -urNp linux-2.6.32.49/include/acpi/acpi_drivers.h linux-2.6.32.49/include/acpi/acpi_drivers.h
62093 --- linux-2.6.32.49/include/acpi/acpi_drivers.h 2011-11-08 19:02:43.000000000 -0500
62094 +++ linux-2.6.32.49/include/acpi/acpi_drivers.h 2011-11-15 19:59:43.000000000 -0500
62095 @@ -119,8 +119,8 @@ int acpi_processor_set_thermal_limit(acp
62096 Dock Station
62097 -------------------------------------------------------------------------- */
62098 struct acpi_dock_ops {
62099 - acpi_notify_handler handler;
62100 - acpi_notify_handler uevent;
62101 + const acpi_notify_handler handler;
62102 + const acpi_notify_handler uevent;
62103 };
62104
62105 #if defined(CONFIG_ACPI_DOCK) || defined(CONFIG_ACPI_DOCK_MODULE)
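Review bot: `struct acpi_dock_ops` now has `const` members, so an instance can no longer be filled in by assignment and must be fully initialized at its definition, but nothing in the header says so. A comment above the struct such as `/* members are const: define instances with a static initializer, never assign handler/uevent at run time */` would make the new contract visible to driver authors. The two later hunks in this file change `register_hotplug_dock_device()` and its stub to take `const struct acpi_dock_ops *ops`. The definition and the place where the pointer is stored are outside these hunks and need the same qualifier to avoid a discarded-qualifier warning.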
62106 @@ -128,7 +128,7 @@ extern int is_dock_device(acpi_handle ha
62107 extern int register_dock_notifier(struct notifier_block *nb);
62108 extern void unregister_dock_notifier(struct notifier_block *nb);
62109 extern int register_hotplug_dock_device(acpi_handle handle,
62110 - struct acpi_dock_ops *ops,
62111 + const struct acpi_dock_ops *ops,
62112 void *context);
62113 extern void unregister_hotplug_dock_device(acpi_handle handle);
62114 #else
62115 @@ -144,7 +144,7 @@ static inline void unregister_dock_notif
62116 {
62117 }
62118 static inline int register_hotplug_dock_device(acpi_handle handle,
62119 - struct acpi_dock_ops *ops,
62120 + const struct acpi_dock_ops *ops,
62121 void *context)
62122 {
62123 return -ENODEV;
62124 diff -urNp linux-2.6.32.49/include/asm-generic/atomic-long.h linux-2.6.32.49/include/asm-generic/atomic-long.h
62125 --- linux-2.6.32.49/include/asm-generic/atomic-long.h 2011-11-08 19:02:43.000000000 -0500
62126 +++ linux-2.6.32.49/include/asm-generic/atomic-long.h 2011-11-15 19:59:43.000000000 -0500
62127 @@ -22,6 +22,12 @@
62128
62129 typedef atomic64_t atomic_long_t;
62130
62131 +#ifdef CONFIG_PAX_REFCOUNT
62132 +typedef atomic64_unchecked_t atomic_long_unchecked_t;
62133 +#else
62134 +typedef atomic64_t atomic_long_unchecked_t;
62135 +#endif
62136 +
62137 #define ATOMIC_LONG_INIT(i) ATOMIC64_INIT(i)
62138
62139 static inline long atomic_long_read(atomic_long_t *l)
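Review bot: `atomic_long_unchecked_t` is introduced here, and the `_unchecked` accessors in the following hunks of this file (read, set, inc, dec, add, inc_return, in both the 64-bit and 32-bit branches) are added with no comment on when they may be used. Under CONFIG_PAX_REFCOUNT they presumably bypass the overflow detection the regular atomic operations get, so using one on a real reference count silently removes that protection. I would document the typedef with something like `/* unchecked: no overflow detection; only for counters where wraparound is harmless (statistics, sequence numbers), never for reference counts */`. The accessors are defined only inside `#ifdef CONFIG_PAX_REFCOUNT` with no `#else` in these hunks, so the fallback for kernels built without the option has to come from a part of the file not shown here.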
62140 @@ -31,6 +37,15 @@ static inline long atomic_long_read(atom
62141 return (long)atomic64_read(v);
62142 }
62143
62144 +#ifdef CONFIG_PAX_REFCOUNT
62145 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
62146 +{
62147 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
62148 +
62149 + return (long)atomic64_read_unchecked(v);
62150 +}
62151 +#endif
62152 +
62153 static inline void atomic_long_set(atomic_long_t *l, long i)
62154 {
62155 atomic64_t *v = (atomic64_t *)l;
62156 @@ -38,6 +53,15 @@ static inline void atomic_long_set(atomi
62157 atomic64_set(v, i);
62158 }
62159
62160 +#ifdef CONFIG_PAX_REFCOUNT
62161 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
62162 +{
62163 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
62164 +
62165 + atomic64_set_unchecked(v, i);
62166 +}
62167 +#endif
62168 +
62169 static inline void atomic_long_inc(atomic_long_t *l)
62170 {
62171 atomic64_t *v = (atomic64_t *)l;
62172 @@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomi
62173 atomic64_inc(v);
62174 }
62175
62176 +#ifdef CONFIG_PAX_REFCOUNT
62177 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
62178 +{
62179 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
62180 +
62181 + atomic64_inc_unchecked(v);
62182 +}
62183 +#endif
62184 +
62185 static inline void atomic_long_dec(atomic_long_t *l)
62186 {
62187 atomic64_t *v = (atomic64_t *)l;
62188 @@ -52,6 +85,15 @@ static inline void atomic_long_dec(atomi
62189 atomic64_dec(v);
62190 }
62191
62192 +#ifdef CONFIG_PAX_REFCOUNT
62193 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
62194 +{
62195 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
62196 +
62197 + atomic64_dec_unchecked(v);
62198 +}
62199 +#endif
62200 +
62201 static inline void atomic_long_add(long i, atomic_long_t *l)
62202 {
62203 atomic64_t *v = (atomic64_t *)l;
62204 @@ -59,6 +101,15 @@ static inline void atomic_long_add(long
62205 atomic64_add(i, v);
62206 }
62207
62208 +#ifdef CONFIG_PAX_REFCOUNT
62209 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
62210 +{
62211 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
62212 +
62213 + atomic64_add_unchecked(i, v);
62214 +}
62215 +#endif
62216 +
62217 static inline void atomic_long_sub(long i, atomic_long_t *l)
62218 {
62219 atomic64_t *v = (atomic64_t *)l;
62220 @@ -115,6 +166,15 @@ static inline long atomic_long_inc_retur
62221 return (long)atomic64_inc_return(v);
62222 }
62223
62224 +#ifdef CONFIG_PAX_REFCOUNT
62225 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
62226 +{
62227 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
62228 +
62229 + return (long)atomic64_inc_return_unchecked(v);
62230 +}
62231 +#endif
62232 +
62233 static inline long atomic_long_dec_return(atomic_long_t *l)
62234 {
62235 atomic64_t *v = (atomic64_t *)l;
62236 @@ -140,6 +200,12 @@ static inline long atomic_long_add_unles
62237
62238 typedef atomic_t atomic_long_t;
62239
62240 +#ifdef CONFIG_PAX_REFCOUNT
62241 +typedef atomic_unchecked_t atomic_long_unchecked_t;
62242 +#else
62243 +typedef atomic_t atomic_long_unchecked_t;
62244 +#endif
62245 +
62246 #define ATOMIC_LONG_INIT(i) ATOMIC_INIT(i)
62247 static inline long atomic_long_read(atomic_long_t *l)
62248 {
62249 @@ -148,6 +214,15 @@ static inline long atomic_long_read(atom
62250 return (long)atomic_read(v);
62251 }
62252
62253 +#ifdef CONFIG_PAX_REFCOUNT
62254 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
62255 +{
62256 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
62257 +
62258 + return (long)atomic_read_unchecked(v);
62259 +}
62260 +#endif
62261 +
62262 static inline void atomic_long_set(atomic_long_t *l, long i)
62263 {
62264 atomic_t *v = (atomic_t *)l;
62265 @@ -155,6 +230,15 @@ static inline void atomic_long_set(atomi
62266 atomic_set(v, i);
62267 }
62268
62269 +#ifdef CONFIG_PAX_REFCOUNT
62270 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
62271 +{
62272 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
62273 +
62274 + atomic_set_unchecked(v, i);
62275 +}
62276 +#endif
62277 +
62278 static inline void atomic_long_inc(atomic_long_t *l)
62279 {
62280 atomic_t *v = (atomic_t *)l;
62281 @@ -162,6 +246,15 @@ static inline void atomic_long_inc(atomi
62282 atomic_inc(v);
62283 }
62284
62285 +#ifdef CONFIG_PAX_REFCOUNT
62286 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
62287 +{
62288 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
62289 +
62290 + atomic_inc_unchecked(v);
62291 +}
62292 +#endif
62293 +
62294 static inline void atomic_long_dec(atomic_long_t *l)
62295 {
62296 atomic_t *v = (atomic_t *)l;
62297 @@ -169,6 +262,15 @@ static inline void atomic_long_dec(atomi
62298 atomic_dec(v);
62299 }
62300
62301 +#ifdef CONFIG_PAX_REFCOUNT
62302 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
62303 +{
62304 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
62305 +
62306 + atomic_dec_unchecked(v);
62307 +}
62308 +#endif
62309 +
62310 static inline void atomic_long_add(long i, atomic_long_t *l)
62311 {
62312 atomic_t *v = (atomic_t *)l;
62313 @@ -176,6 +278,15 @@ static inline void atomic_long_add(long
62314 atomic_add(i, v);
62315 }
62316
62317 +#ifdef CONFIG_PAX_REFCOUNT
62318 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
62319 +{
62320 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
62321 +
62322 + atomic_add_unchecked(i, v);
62323 +}
62324 +#endif
62325 +
62326 static inline void atomic_long_sub(long i, atomic_long_t *l)
62327 {
62328 atomic_t *v = (atomic_t *)l;
62329 @@ -232,6 +343,15 @@ static inline long atomic_long_inc_retur
62330 return (long)atomic_inc_return(v);
62331 }
62332
62333 +#ifdef CONFIG_PAX_REFCOUNT
62334 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
62335 +{
62336 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
62337 +
62338 + return (long)atomic_inc_return_unchecked(v);
62339 +}
62340 +#endif
62341 +
62342 static inline long atomic_long_dec_return(atomic_long_t *l)
62343 {
62344 atomic_t *v = (atomic_t *)l;
62345 @@ -255,4 +375,47 @@ static inline long atomic_long_add_unles
62346
62347 #endif /* BITS_PER_LONG == 64 */
62348
62349 +#ifdef CONFIG_PAX_REFCOUNT
62350 +static inline void pax_refcount_needs_these_functions(void)
62351 +{
62352 + atomic_read_unchecked((atomic_unchecked_t *)NULL);
62353 + atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
62354 + atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
62355 + atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
62356 + atomic_inc_unchecked((atomic_unchecked_t *)NULL);
62357 + (void)atomic_inc_and_test_unchecked((atomic_unchecked_t *)NULL);
62358 + atomic_inc_return_unchecked((atomic_unchecked_t *)NULL);
62359 + atomic_add_return_unchecked(0, (atomic_unchecked_t *)NULL);
62360 + atomic_dec_unchecked((atomic_unchecked_t *)NULL);
62361 + atomic_cmpxchg_unchecked((atomic_unchecked_t *)NULL, 0, 0);
62362 + (void)atomic_xchg_unchecked((atomic_unchecked_t *)NULL, 0);
62363 +
62364 + atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
62365 + atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
62366 + atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
62367 + atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
62368 + atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
62369 + atomic_long_dec_unchecked((atomic_long_unchecked_t *)NULL);
62370 +}
62371 +#else
62372 +#define atomic_read_unchecked(v) atomic_read(v)
62373 +#define atomic_set_unchecked(v, i) atomic_set((v), (i))
62374 +#define atomic_add_unchecked(i, v) atomic_add((i), (v))
62375 +#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
62376 +#define atomic_inc_unchecked(v) atomic_inc(v)
62377 +#define atomic_inc_and_test_unchecked(v) atomic_inc_and_test(v)
62378 +#define atomic_inc_return_unchecked(v) atomic_inc_return(v)
62379 +#define atomic_add_return_unchecked(i, v) atomic_add_return((i), (v))
62380 +#define atomic_dec_unchecked(v) atomic_dec(v)
62381 +#define atomic_cmpxchg_unchecked(v, o, n) atomic_cmpxchg((v), (o), (n))
62382 +#define atomic_xchg_unchecked(v, i) atomic_xchg((v), (i))
62383 +
62384 +#define atomic_long_read_unchecked(v) atomic_long_read(v)
62385 +#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
62386 +#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
62387 +#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
62388 +#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
62389 +#define atomic_long_dec_unchecked(v) atomic_long_dec(v)
62390 +#endif
62391 +
62392 #endif /* _ASM_GENERIC_ATOMIC_LONG_H */
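Review bot: `pax_refcount_needs_these_functions()` passes a NULL pointer to every `*_unchecked` operation, and nothing says that it must never be called. It reads as a build-time check that each architecture supplies these helpers when `CONFIG_PAX_REFCOUNT` is set, but that intent is only inferred from the body. A comment above it would record this, e.g. `/* compile-time only: breaks the build if an arch lacks an *_unchecked helper; never call */`. The `#else` branch could carry a matching line noting that without the option the `_unchecked` names are plain aliases of the ordinary operations.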
62393 diff -urNp linux-2.6.32.49/include/asm-generic/bug.h linux-2.6.32.49/include/asm-generic/bug.h
62394 --- linux-2.6.32.49/include/asm-generic/bug.h 2011-11-08 19:02:43.000000000 -0500
62395 +++ linux-2.6.32.49/include/asm-generic/bug.h 2011-11-15 19:59:43.000000000 -0500
62396 @@ -105,11 +105,11 @@ extern void warn_slowpath_null(const cha
62397
62398 #else /* !CONFIG_BUG */
62399 #ifndef HAVE_ARCH_BUG
62400 -#define BUG() do {} while(0)
62401 +#define BUG() do { for (;;) ; } while(0)
62402 #endif
62403
62404 #ifndef HAVE_ARCH_BUG_ON
62405 -#define BUG_ON(condition) do { if (condition) ; } while(0)
62406 +#define BUG_ON(condition) do { if (condition) for (;;) ; } while(0)
62407 #endif
62408
62409 #ifndef HAVE_ARCH_WARN_ON
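Review bot: The `!CONFIG_BUG` fallbacks now spin forever, but the hunk gives no reason, and `for (;;) ;` is easy to mistake for a leftover. The intent appears to be that execution never continues past a failed invariant even when BUG support is compiled out. A comment above `BUG()` such as `/* never return: continuing after a failed check is unsafe */` would record that. The empty loop also holds the CPU with whatever lock and interrupt state the caller had, so it is worth confirming that a silent hang is the wanted failure mode on these configurations.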
62410 diff -urNp linux-2.6.32.49/include/asm-generic/cache.h linux-2.6.32.49/include/asm-generic/cache.h
62411 --- linux-2.6.32.49/include/asm-generic/cache.h 2011-11-08 19:02:43.000000000 -0500
62412 +++ linux-2.6.32.49/include/asm-generic/cache.h 2011-11-15 19:59:43.000000000 -0500
62413 @@ -6,7 +6,7 @@
62414 * cache lines need to provide their own cache.h.
62415 */
62416
62417 -#define L1_CACHE_SHIFT 5
62418 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
62419 +#define L1_CACHE_SHIFT 5UL
62420 +#define L1_CACHE_BYTES (1UL << L1_CACHE_SHIFT)
62421
62422 #endif /* __ASM_GENERIC_CACHE_H */
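Review bot: `L1_CACHE_SHIFT` is now `5UL`, a C integer suffix that an assembler will not accept if this header is ever included from a `.S` file. The page-table hunks later in this patch use `_AC(1,UL)` for exactly this reason. If only the byte count has to be `unsigned long`, `#define L1_CACHE_SHIFT 5` together with `#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)` gives the same width and keeps the shift usable from assembly. Whether any assembly source includes this generic header is not visible here.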
62423 diff -urNp linux-2.6.32.49/include/asm-generic/dma-mapping-common.h linux-2.6.32.49/include/asm-generic/dma-mapping-common.h
62424 --- linux-2.6.32.49/include/asm-generic/dma-mapping-common.h 2011-11-08 19:02:43.000000000 -0500
62425 +++ linux-2.6.32.49/include/asm-generic/dma-mapping-common.h 2011-11-15 19:59:43.000000000 -0500
62426 @@ -11,7 +11,7 @@ static inline dma_addr_t dma_map_single_
62427 enum dma_data_direction dir,
62428 struct dma_attrs *attrs)
62429 {
62430 - struct dma_map_ops *ops = get_dma_ops(dev);
62431 + const struct dma_map_ops *ops = get_dma_ops(dev);
62432 dma_addr_t addr;
62433
62434 kmemcheck_mark_initialized(ptr, size);
62435 @@ -30,7 +30,7 @@ static inline void dma_unmap_single_attr
62436 enum dma_data_direction dir,
62437 struct dma_attrs *attrs)
62438 {
62439 - struct dma_map_ops *ops = get_dma_ops(dev);
62440 + const struct dma_map_ops *ops = get_dma_ops(dev);
62441
62442 BUG_ON(!valid_dma_direction(dir));
62443 if (ops->unmap_page)
62444 @@ -42,7 +42,7 @@ static inline int dma_map_sg_attrs(struc
62445 int nents, enum dma_data_direction dir,
62446 struct dma_attrs *attrs)
62447 {
62448 - struct dma_map_ops *ops = get_dma_ops(dev);
62449 + const struct dma_map_ops *ops = get_dma_ops(dev);
62450 int i, ents;
62451 struct scatterlist *s;
62452
62453 @@ -59,7 +59,7 @@ static inline void dma_unmap_sg_attrs(st
62454 int nents, enum dma_data_direction dir,
62455 struct dma_attrs *attrs)
62456 {
62457 - struct dma_map_ops *ops = get_dma_ops(dev);
62458 + const struct dma_map_ops *ops = get_dma_ops(dev);
62459
62460 BUG_ON(!valid_dma_direction(dir));
62461 debug_dma_unmap_sg(dev, sg, nents, dir);
62462 @@ -71,7 +71,7 @@ static inline dma_addr_t dma_map_page(st
62463 size_t offset, size_t size,
62464 enum dma_data_direction dir)
62465 {
62466 - struct dma_map_ops *ops = get_dma_ops(dev);
62467 + const struct dma_map_ops *ops = get_dma_ops(dev);
62468 dma_addr_t addr;
62469
62470 kmemcheck_mark_initialized(page_address(page) + offset, size);
62471 @@ -85,7 +85,7 @@ static inline dma_addr_t dma_map_page(st
62472 static inline void dma_unmap_page(struct device *dev, dma_addr_t addr,
62473 size_t size, enum dma_data_direction dir)
62474 {
62475 - struct dma_map_ops *ops = get_dma_ops(dev);
62476 + const struct dma_map_ops *ops = get_dma_ops(dev);
62477
62478 BUG_ON(!valid_dma_direction(dir));
62479 if (ops->unmap_page)
62480 @@ -97,7 +97,7 @@ static inline void dma_sync_single_for_c
62481 size_t size,
62482 enum dma_data_direction dir)
62483 {
62484 - struct dma_map_ops *ops = get_dma_ops(dev);
62485 + const struct dma_map_ops *ops = get_dma_ops(dev);
62486
62487 BUG_ON(!valid_dma_direction(dir));
62488 if (ops->sync_single_for_cpu)
62489 @@ -109,7 +109,7 @@ static inline void dma_sync_single_for_d
62490 dma_addr_t addr, size_t size,
62491 enum dma_data_direction dir)
62492 {
62493 - struct dma_map_ops *ops = get_dma_ops(dev);
62494 + const struct dma_map_ops *ops = get_dma_ops(dev);
62495
62496 BUG_ON(!valid_dma_direction(dir));
62497 if (ops->sync_single_for_device)
62498 @@ -123,7 +123,7 @@ static inline void dma_sync_single_range
62499 size_t size,
62500 enum dma_data_direction dir)
62501 {
62502 - struct dma_map_ops *ops = get_dma_ops(dev);
62503 + const struct dma_map_ops *ops = get_dma_ops(dev);
62504
62505 BUG_ON(!valid_dma_direction(dir));
62506 if (ops->sync_single_range_for_cpu) {
62507 @@ -140,7 +140,7 @@ static inline void dma_sync_single_range
62508 size_t size,
62509 enum dma_data_direction dir)
62510 {
62511 - struct dma_map_ops *ops = get_dma_ops(dev);
62512 + const struct dma_map_ops *ops = get_dma_ops(dev);
62513
62514 BUG_ON(!valid_dma_direction(dir));
62515 if (ops->sync_single_range_for_device) {
62516 @@ -155,7 +155,7 @@ static inline void
62517 dma_sync_sg_for_cpu(struct device *dev, struct scatterlist *sg,
62518 int nelems, enum dma_data_direction dir)
62519 {
62520 - struct dma_map_ops *ops = get_dma_ops(dev);
62521 + const struct dma_map_ops *ops = get_dma_ops(dev);
62522
62523 BUG_ON(!valid_dma_direction(dir));
62524 if (ops->sync_sg_for_cpu)
62525 @@ -167,7 +167,7 @@ static inline void
62526 dma_sync_sg_for_device(struct device *dev, struct scatterlist *sg,
62527 int nelems, enum dma_data_direction dir)
62528 {
62529 - struct dma_map_ops *ops = get_dma_ops(dev);
62530 + const struct dma_map_ops *ops = get_dma_ops(dev);
62531
62532 BUG_ON(!valid_dma_direction(dir));
62533 if (ops->sync_sg_for_device)
62534 diff -urNp linux-2.6.32.49/include/asm-generic/emergency-restart.h linux-2.6.32.49/include/asm-generic/emergency-restart.h
62535 --- linux-2.6.32.49/include/asm-generic/emergency-restart.h 2011-11-08 19:02:43.000000000 -0500
62536 +++ linux-2.6.32.49/include/asm-generic/emergency-restart.h 2011-11-15 19:59:43.000000000 -0500
62537 @@ -1,7 +1,7 @@
62538 #ifndef _ASM_GENERIC_EMERGENCY_RESTART_H
62539 #define _ASM_GENERIC_EMERGENCY_RESTART_H
62540
62541 -static inline void machine_emergency_restart(void)
62542 +static inline __noreturn void machine_emergency_restart(void)
62543 {
62544 machine_restart(NULL);
62545 }
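Review bot: `__noreturn` on `machine_emergency_restart()` is only sound if `machine_restart(NULL)` itself never returns, and its declaration is not visible in this hunk. If that call can return on some platform, the compiler may discard whatever callers place after the call, and behaviour past that point is undefined. Either confirm that `machine_restart` carries the same attribute, or make the property hold locally by adding `for (;;) ;` after the call.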
62546 diff -urNp linux-2.6.32.49/include/asm-generic/futex.h linux-2.6.32.49/include/asm-generic/futex.h
62547 --- linux-2.6.32.49/include/asm-generic/futex.h 2011-11-08 19:02:43.000000000 -0500
62548 +++ linux-2.6.32.49/include/asm-generic/futex.h 2011-11-15 19:59:43.000000000 -0500
62549 @@ -6,7 +6,7 @@
62550 #include <asm/errno.h>
62551
62552 static inline int
62553 -futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
62554 +futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
62555 {
62556 int op = (encoded_op >> 28) & 7;
62557 int cmp = (encoded_op >> 24) & 15;
62558 @@ -48,7 +48,7 @@ futex_atomic_op_inuser (int encoded_op,
62559 }
62560
62561 static inline int
62562 -futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
62563 +futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
62564 {
62565 return -ENOSYS;
62566 }
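Review bot: `futex_atomic_cmpxchg_inatomic()` now takes `u32 __user *uaddr` while `oldval` and `newval` stay `int`, so the futex word and the values compared against it differ in signedness. This stub only returns `-ENOSYS`, but it is the prototype that architecture implementations mirror. `u32 oldval, u32 newval` would make the signature consistent, provided the callers are converted in the same patch. The previous hunk makes the same pointer change to `futex_atomic_op_inuser()`, whose body continues outside that hunk.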
62567 diff -urNp linux-2.6.32.49/include/asm-generic/int-l64.h linux-2.6.32.49/include/asm-generic/int-l64.h
62568 --- linux-2.6.32.49/include/asm-generic/int-l64.h 2011-11-08 19:02:43.000000000 -0500
62569 +++ linux-2.6.32.49/include/asm-generic/int-l64.h 2011-11-15 19:59:43.000000000 -0500
62570 @@ -46,6 +46,8 @@ typedef unsigned int u32;
62571 typedef signed long s64;
62572 typedef unsigned long u64;
62573
62574 +typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
62575 +
62576 #define S8_C(x) x
62577 #define U8_C(x) x ## U
62578 #define S16_C(x) x
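Review bot: `intoverflow_t` is introduced without a comment, and its purpose cannot be read from the name alone. With `mode(TI)` it is a 128-bit unsigned type, presumably so that a product of two 64-bit sizes can be range-checked before it is truncated. A comment such as `/* wider than unsigned long: holds size products for overflow checks */` would say so. The typedef also depends on the compiler supporting 128-bit integers for the target, which is worth noting next to it.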
62579 diff -urNp linux-2.6.32.49/include/asm-generic/int-ll64.h linux-2.6.32.49/include/asm-generic/int-ll64.h
62580 --- linux-2.6.32.49/include/asm-generic/int-ll64.h 2011-11-08 19:02:43.000000000 -0500
62581 +++ linux-2.6.32.49/include/asm-generic/int-ll64.h 2011-11-15 19:59:43.000000000 -0500
62582 @@ -51,6 +51,8 @@ typedef unsigned int u32;
62583 typedef signed long long s64;
62584 typedef unsigned long long u64;
62585
62586 +typedef unsigned long long intoverflow_t;
62587 +
62588 #define S8_C(x) x
62589 #define U8_C(x) x ## U
62590 #define S16_C(x) x
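Review bot: Here `intoverflow_t` is `unsigned long long`, which is 64 bits wide, so on any 64-bit architecture that uses this header it is no wider than `unsigned long`. An overflow check computed in `intoverflow_t` would then wrap together with the value it is meant to guard. `int-l64.h` uses a `mode(TI)` type for that case. If 64-bit builds can include `int-ll64.h`, the typedef should be chosen on `BITS_PER_LONG` rather than by header; if such builds override it elsewhere in the patch, a comment here should say where.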
62591 diff -urNp linux-2.6.32.49/include/asm-generic/kmap_types.h linux-2.6.32.49/include/asm-generic/kmap_types.h
62592 --- linux-2.6.32.49/include/asm-generic/kmap_types.h 2011-11-08 19:02:43.000000000 -0500
62593 +++ linux-2.6.32.49/include/asm-generic/kmap_types.h 2011-11-15 19:59:43.000000000 -0500
62594 @@ -28,7 +28,8 @@ KMAP_D(15) KM_UML_USERCOPY,
62595 KMAP_D(16) KM_IRQ_PTE,
62596 KMAP_D(17) KM_NMI,
62597 KMAP_D(18) KM_NMI_PTE,
62598 -KMAP_D(19) KM_TYPE_NR
62599 +KMAP_D(19) KM_CLEARPAGE,
62600 +KMAP_D(20) KM_TYPE_NR
62601 };
62602
62603 #undef KMAP_D
62604 diff -urNp linux-2.6.32.49/include/asm-generic/pgtable.h linux-2.6.32.49/include/asm-generic/pgtable.h
62605 --- linux-2.6.32.49/include/asm-generic/pgtable.h 2011-11-08 19:02:43.000000000 -0500
62606 +++ linux-2.6.32.49/include/asm-generic/pgtable.h 2011-11-15 19:59:43.000000000 -0500
62607 @@ -344,6 +344,14 @@ extern void untrack_pfn_vma(struct vm_ar
62608 unsigned long size);
62609 #endif
62610
62611 +#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
62612 +static inline unsigned long pax_open_kernel(void) { return 0; }
62613 +#endif
62614 +
62615 +#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
62616 +static inline unsigned long pax_close_kernel(void) { return 0; }
62617 +#endif
62618 +
62619 #endif /* !__ASSEMBLY__ */
62620
62621 #endif /* _ASM_GENERIC_PGTABLE_H */
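Review bot: The generic `pax_open_kernel()` and `pax_close_kernel()` fallbacks are no-ops that return 0, with no comment on what the pair brackets or what the return value means. On an architecture that does not define `__HAVE_ARCH_PAX_OPEN_KERNEL`, callers get no change in kernel write protection. That is presumably correct only because nothing is write-protected there, and it should be stated. I would add a short block comment above the first stub saying that the pair must always be used together, that the fallbacks do nothing, and that the return value is unused in the generic case.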
62622 diff -urNp linux-2.6.32.49/include/asm-generic/pgtable-nopmd.h linux-2.6.32.49/include/asm-generic/pgtable-nopmd.h
62623 --- linux-2.6.32.49/include/asm-generic/pgtable-nopmd.h 2011-11-08 19:02:43.000000000 -0500
62624 +++ linux-2.6.32.49/include/asm-generic/pgtable-nopmd.h 2011-11-15 19:59:43.000000000 -0500
62625 @@ -1,14 +1,19 @@
62626 #ifndef _PGTABLE_NOPMD_H
62627 #define _PGTABLE_NOPMD_H
62628
62629 -#ifndef __ASSEMBLY__
62630 -
62631 #include <asm-generic/pgtable-nopud.h>
62632
62633 -struct mm_struct;
62634 -
62635 #define __PAGETABLE_PMD_FOLDED
62636
62637 +#define PMD_SHIFT PUD_SHIFT
62638 +#define PTRS_PER_PMD 1
62639 +#define PMD_SIZE (_AC(1,UL) << PMD_SHIFT)
62640 +#define PMD_MASK (~(PMD_SIZE-1))
62641 +
62642 +#ifndef __ASSEMBLY__
62643 +
62644 +struct mm_struct;
62645 +
62646 /*
62647 * Having the pmd type consist of a pud gets the size right, and allows
62648 * us to conceptually access the pud entry that this pmd is folded into
62649 @@ -16,11 +21,6 @@ struct mm_struct;
62650 */
62651 typedef struct { pud_t pud; } pmd_t;
62652
62653 -#define PMD_SHIFT PUD_SHIFT
62654 -#define PTRS_PER_PMD 1
62655 -#define PMD_SIZE (1UL << PMD_SHIFT)
62656 -#define PMD_MASK (~(PMD_SIZE-1))
62657 -
62658 /*
62659 * The "pud_xxx()" functions here are trivial for a folded two-level
62660 * setup: the pmd is never bad, and a pmd always exists (as it's folded
62661 diff -urNp linux-2.6.32.49/include/asm-generic/pgtable-nopud.h linux-2.6.32.49/include/asm-generic/pgtable-nopud.h
62662 --- linux-2.6.32.49/include/asm-generic/pgtable-nopud.h 2011-11-08 19:02:43.000000000 -0500
62663 +++ linux-2.6.32.49/include/asm-generic/pgtable-nopud.h 2011-11-15 19:59:43.000000000 -0500
62664 @@ -1,10 +1,15 @@
62665 #ifndef _PGTABLE_NOPUD_H
62666 #define _PGTABLE_NOPUD_H
62667
62668 -#ifndef __ASSEMBLY__
62669 -
62670 #define __PAGETABLE_PUD_FOLDED
62671
62672 +#define PUD_SHIFT PGDIR_SHIFT
62673 +#define PTRS_PER_PUD 1
62674 +#define PUD_SIZE (_AC(1,UL) << PUD_SHIFT)
62675 +#define PUD_MASK (~(PUD_SIZE-1))
62676 +
62677 +#ifndef __ASSEMBLY__
62678 +
62679 /*
62680 * Having the pud type consist of a pgd gets the size right, and allows
62681 * us to conceptually access the pgd entry that this pud is folded into
62682 @@ -12,11 +17,6 @@
62683 */
62684 typedef struct { pgd_t pgd; } pud_t;
62685
62686 -#define PUD_SHIFT PGDIR_SHIFT
62687 -#define PTRS_PER_PUD 1
62688 -#define PUD_SIZE (1UL << PUD_SHIFT)
62689 -#define PUD_MASK (~(PUD_SIZE-1))
62690 -
62691 /*
62692 * The "pgd_xxx()" functions here are trivial for a folded two-level
62693 * setup: the pud is never bad, and a pud always exists (as it's folded
62694 diff -urNp linux-2.6.32.49/include/asm-generic/vmlinux.lds.h linux-2.6.32.49/include/asm-generic/vmlinux.lds.h
62695 --- linux-2.6.32.49/include/asm-generic/vmlinux.lds.h 2011-11-08 19:02:43.000000000 -0500
62696 +++ linux-2.6.32.49/include/asm-generic/vmlinux.lds.h 2011-11-15 19:59:43.000000000 -0500
62697 @@ -199,6 +199,7 @@
62698 .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
62699 VMLINUX_SYMBOL(__start_rodata) = .; \
62700 *(.rodata) *(.rodata.*) \
62701 + *(.data.read_only) \
62702 *(__vermagic) /* Kernel version magic */ \
62703 *(__markers_strings) /* Markers: strings */ \
62704 *(__tracepoints_strings)/* Tracepoints: strings */ \
62705 @@ -656,22 +657,24 @@
62706 * section in the linker script will go there too. @phdr should have
62707 * a leading colon.
62708 *
62709 - * Note that this macros defines __per_cpu_load as an absolute symbol.
62710 + * Note that this macros defines per_cpu_load as an absolute symbol.
62711 * If there is no need to put the percpu section at a predetermined
62712 * address, use PERCPU().
62713 */
62714 #define PERCPU_VADDR(vaddr, phdr) \
62715 - VMLINUX_SYMBOL(__per_cpu_load) = .; \
62716 - .data.percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
62717 + per_cpu_load = .; \
62718 + .data.percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
62719 - LOAD_OFFSET) { \
62720 + VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
62721 VMLINUX_SYMBOL(__per_cpu_start) = .; \
62722 *(.data.percpu.first) \
62723 - *(.data.percpu.page_aligned) \
62724 *(.data.percpu) \
62725 + . = ALIGN(PAGE_SIZE); \
62726 + *(.data.percpu.page_aligned) \
62727 *(.data.percpu.shared_aligned) \
62728 VMLINUX_SYMBOL(__per_cpu_end) = .; \
62729 } phdr \
62730 - . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data.percpu);
62731 + . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data.percpu);
62732
62733 /**
62734 * PERCPU - define output section for percpu area, simple version
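Review bot: `per_cpu_load` is assigned bare (`per_cpu_load = .;`) but read back through `VMLINUX_SYMBOL(per_cpu_load)` in the `AT()` expression and in the final location-counter assignment, and bare again in `. + per_cpu_load`. On a configuration where `VMLINUX_SYMBOL` adds a prefix these would name different symbols, so one form should be used throughout, e.g. `VMLINUX_SYMBOL(per_cpu_load) = .;`. The comment above the macro now mentions only `per_cpu_load`, although `__per_cpu_load` is still defined inside the section; it should describe both and how they differ.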
62735 diff -urNp linux-2.6.32.49/include/drm/drm_crtc_helper.h linux-2.6.32.49/include/drm/drm_crtc_helper.h
62736 --- linux-2.6.32.49/include/drm/drm_crtc_helper.h 2011-11-08 19:02:43.000000000 -0500
62737 +++ linux-2.6.32.49/include/drm/drm_crtc_helper.h 2011-11-15 19:59:43.000000000 -0500
62738 @@ -64,7 +64,7 @@ struct drm_crtc_helper_funcs {
62739
62740 /* reload the current crtc LUT */
62741 void (*load_lut)(struct drm_crtc *crtc);
62742 -};
62743 +} __no_const;
62744
62745 struct drm_encoder_helper_funcs {
62746 void (*dpms)(struct drm_encoder *encoder, int mode);
62747 @@ -85,7 +85,7 @@ struct drm_encoder_helper_funcs {
62748 struct drm_connector *connector);
62749 /* disable encoder when not in use - more explicit than dpms off */
62750 void (*disable)(struct drm_encoder *encoder);
62751 -};
62752 +} __no_const;
62753
62754 struct drm_connector_helper_funcs {
62755 int (*get_modes)(struct drm_connector *connector);
62756 diff -urNp linux-2.6.32.49/include/drm/drmP.h linux-2.6.32.49/include/drm/drmP.h
62757 --- linux-2.6.32.49/include/drm/drmP.h 2011-11-08 19:02:43.000000000 -0500
62758 +++ linux-2.6.32.49/include/drm/drmP.h 2011-11-15 19:59:43.000000000 -0500
62759 @@ -71,6 +71,7 @@
62760 #include <linux/workqueue.h>
62761 #include <linux/poll.h>
62762 #include <asm/pgalloc.h>
62763 +#include <asm/local.h>
62764 #include "drm.h"
62765
62766 #include <linux/idr.h>
62767 @@ -814,7 +815,7 @@ struct drm_driver {
62768 void (*vgaarb_irq)(struct drm_device *dev, bool state);
62769
62770 /* Driver private ops for this object */
62771 - struct vm_operations_struct *gem_vm_ops;
62772 + const struct vm_operations_struct *gem_vm_ops;
62773
62774 int major;
62775 int minor;
62776 @@ -917,7 +918,7 @@ struct drm_device {
62777
62778 /** \name Usage Counters */
62779 /*@{ */
62780 - int open_count; /**< Outstanding files open */
62781 + local_t open_count; /**< Outstanding files open */
62782 atomic_t ioctl_count; /**< Outstanding IOCTLs pending */
62783 atomic_t vma_count; /**< Outstanding vma areas open */
62784 int buf_use; /**< Buffers in use -- cannot alloc */
62785 @@ -928,7 +929,7 @@ struct drm_device {
62786 /*@{ */
62787 unsigned long counters;
62788 enum drm_stat_type types[15];
62789 - atomic_t counts[15];
62790 + atomic_unchecked_t counts[15];
62791 /*@} */
62792
62793 struct list_head filelist;
62794 @@ -1016,7 +1017,7 @@ struct drm_device {
62795 struct pci_controller *hose;
62796 #endif
62797 struct drm_sg_mem *sg; /**< Scatter gather memory */
62798 - unsigned int num_crtcs; /**< Number of CRTCs on this device */
62799 + unsigned int num_crtcs; /**< Number of CRTCs on this device */
62800 void *dev_private; /**< device private data */
62801 void *mm_private;
62802 struct address_space *dev_mapping;
62803 @@ -1042,11 +1043,11 @@ struct drm_device {
62804 spinlock_t object_name_lock;
62805 struct idr object_name_idr;
62806 atomic_t object_count;
62807 - atomic_t object_memory;
62808 + atomic_unchecked_t object_memory;
62809 atomic_t pin_count;
62810 - atomic_t pin_memory;
62811 + atomic_unchecked_t pin_memory;
62812 atomic_t gtt_count;
62813 - atomic_t gtt_memory;
62814 + atomic_unchecked_t gtt_memory;
62815 uint32_t gtt_total;
62816 uint32_t invalidate_domains; /* domains pending invalidation */
62817 uint32_t flush_domains; /* domains pending flush */
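Review bot: `object_memory`, `pin_memory` and `gtt_memory` are switched to `atomic_unchecked_t` with no comment explaining why they are exempt, and the same holds for `counts[15]` in the earlier hunk of this file. They look like byte totals and statistics rather than lifetime counts, which would justify the exemption, but that reasoning is not recorded where a later maintainer will see it. A short comment on each field, e.g. `/* byte accounting, may wrap; not a refcount */`, would also keep the neighbouring `object_count`, `pin_count` and `gtt_count` from being converted by analogy.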
62818 diff -urNp linux-2.6.32.49/include/drm/ttm/ttm_memory.h linux-2.6.32.49/include/drm/ttm/ttm_memory.h
62819 --- linux-2.6.32.49/include/drm/ttm/ttm_memory.h 2011-11-08 19:02:43.000000000 -0500
62820 +++ linux-2.6.32.49/include/drm/ttm/ttm_memory.h 2011-11-15 19:59:43.000000000 -0500
62821 @@ -47,7 +47,7 @@
62822
62823 struct ttm_mem_shrink {
62824 int (*do_shrink) (struct ttm_mem_shrink *);
62825 -};
62826 +} __no_const;
62827
62828 /**
62829 * struct ttm_mem_global - Global memory accounting structure.
62830 diff -urNp linux-2.6.32.49/include/linux/a.out.h linux-2.6.32.49/include/linux/a.out.h
62831 --- linux-2.6.32.49/include/linux/a.out.h 2011-11-08 19:02:43.000000000 -0500
62832 +++ linux-2.6.32.49/include/linux/a.out.h 2011-11-15 19:59:43.000000000 -0500
62833 @@ -39,6 +39,14 @@ enum machine_type {
62834 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
62835 };
62836
62837 +/* Constants for the N_FLAGS field */
62838 +#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
62839 +#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
62840 +#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
62841 +#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
62842 +/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
62843 +#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
62844 +
62845 #if !defined (N_MAGIC)
62846 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
62847 #endif
62848 diff -urNp linux-2.6.32.49/include/linux/atmdev.h linux-2.6.32.49/include/linux/atmdev.h
62849 --- linux-2.6.32.49/include/linux/atmdev.h 2011-11-08 19:02:43.000000000 -0500
62850 +++ linux-2.6.32.49/include/linux/atmdev.h 2011-11-15 19:59:43.000000000 -0500
62851 @@ -237,7 +237,7 @@ struct compat_atm_iobuf {
62852 #endif
62853
62854 struct k_atm_aal_stats {
62855 -#define __HANDLE_ITEM(i) atomic_t i
62856 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
62857 __AAL_STAT_ITEMS
62858 #undef __HANDLE_ITEM
62859 };
62860 diff -urNp linux-2.6.32.49/include/linux/backlight.h linux-2.6.32.49/include/linux/backlight.h
62861 --- linux-2.6.32.49/include/linux/backlight.h 2011-11-08 19:02:43.000000000 -0500
62862 +++ linux-2.6.32.49/include/linux/backlight.h 2011-11-15 19:59:43.000000000 -0500
62863 @@ -36,18 +36,18 @@ struct backlight_device;
62864 struct fb_info;
62865
62866 struct backlight_ops {
62867 - unsigned int options;
62868 + const unsigned int options;
62869
62870 #define BL_CORE_SUSPENDRESUME (1 << 0)
62871
62872 /* Notify the backlight driver some property has changed */
62873 - int (*update_status)(struct backlight_device *);
62874 + int (* const update_status)(struct backlight_device *);
62875 /* Return the current backlight brightness (accounting for power,
62876 fb_blank etc.) */
62877 - int (*get_brightness)(struct backlight_device *);
62878 + int (* const get_brightness)(struct backlight_device *);
62879 /* Check if given framebuffer device is the one bound to this backlight;
62880 return 0 if not, !=0 if it is. If NULL, backlight always matches the fb. */
62881 - int (*check_fb)(struct fb_info *);
62882 + int (* const check_fb)(struct fb_info *);
62883 };
62884
62885 /* This structure defines all the properties of a backlight */
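Review bot: Every member of `struct backlight_ops` is made `const` individually (`const unsigned int options;`, `int (* const update_status)(...)`), and the following hunks also change the users to `const struct backlight_ops *`, which is two mechanisms for one goal. Member-level `const` additionally forbids any driver from filling in an ops structure after initialisation, a stronger constraint than the pointer change and not mentioned anywhere. If that is intended, a comment on the struct should say that instances must be fully initialised statically. Otherwise the `const` on the pointer and on the instances is enough.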
62886 @@ -86,7 +86,7 @@ struct backlight_device {
62887 registered this device has been unloaded, and if class_get_devdata()
62888 points to something in the body of that driver, it is also invalid. */
62889 struct mutex ops_lock;
62890 - struct backlight_ops *ops;
62891 + const struct backlight_ops *ops;
62892
62893 /* The framebuffer notifier block */
62894 struct notifier_block fb_notif;
62895 @@ -103,7 +103,7 @@ static inline void backlight_update_stat
62896 }
62897
62898 extern struct backlight_device *backlight_device_register(const char *name,
62899 - struct device *dev, void *devdata, struct backlight_ops *ops);
62900 + struct device *dev, void *devdata, const struct backlight_ops *ops);
62901 extern void backlight_device_unregister(struct backlight_device *bd);
62902 extern void backlight_force_update(struct backlight_device *bd,
62903 enum backlight_update_reason reason);
62904 diff -urNp linux-2.6.32.49/include/linux/binfmts.h linux-2.6.32.49/include/linux/binfmts.h
62905 --- linux-2.6.32.49/include/linux/binfmts.h 2011-11-08 19:02:43.000000000 -0500
62906 +++ linux-2.6.32.49/include/linux/binfmts.h 2011-11-15 19:59:43.000000000 -0500
62907 @@ -83,6 +83,7 @@ struct linux_binfmt {
62908 int (*load_binary)(struct linux_binprm *, struct pt_regs * regs);
62909 int (*load_shlib)(struct file *);
62910 int (*core_dump)(long signr, struct pt_regs *regs, struct file *file, unsigned long limit);
62911 + void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
62912 unsigned long min_coredump; /* minimal dump size */
62913 int hasvdso;
62914 };
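Review bot: The new `handle_mprotect` member has no comment and no stated contract, in particular whether it is optional. Existing `linux_binfmt` instances that do not set it will leave it NULL, so each call site needs a NULL check, and that belongs next to the declaration. Something like `/* optional, may be NULL; given the vma and the requested new flags */` would do, worded to match whatever the call sites actually guarantee. Those call sites are outside this hunk.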
62915 diff -urNp linux-2.6.32.49/include/linux/blkdev.h linux-2.6.32.49/include/linux/blkdev.h
62916 --- linux-2.6.32.49/include/linux/blkdev.h 2011-11-08 19:02:43.000000000 -0500
62917 +++ linux-2.6.32.49/include/linux/blkdev.h 2011-11-15 19:59:43.000000000 -0500
62918 @@ -1278,7 +1278,7 @@ struct block_device_operations {
62919 int (*revalidate_disk) (struct gendisk *);
62920 int (*getgeo)(struct block_device *, struct hd_geometry *);
62921 struct module *owner;
62922 -};
62923 +} __do_const;
62924
62925 extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
62926 unsigned long);
62927 diff -urNp linux-2.6.32.49/include/linux/blktrace_api.h linux-2.6.32.49/include/linux/blktrace_api.h
62928 --- linux-2.6.32.49/include/linux/blktrace_api.h 2011-11-08 19:02:43.000000000 -0500
62929 +++ linux-2.6.32.49/include/linux/blktrace_api.h 2011-11-15 19:59:43.000000000 -0500
62930 @@ -160,7 +160,7 @@ struct blk_trace {
62931 struct dentry *dir;
62932 struct dentry *dropped_file;
62933 struct dentry *msg_file;
62934 - atomic_t dropped;
62935 + atomic_unchecked_t dropped;
62936 };
62937
62938 extern int blk_trace_ioctl(struct block_device *, unsigned, char __user *);
62939 diff -urNp linux-2.6.32.49/include/linux/byteorder/little_endian.h linux-2.6.32.49/include/linux/byteorder/little_endian.h
62940 --- linux-2.6.32.49/include/linux/byteorder/little_endian.h 2011-11-08 19:02:43.000000000 -0500
62941 +++ linux-2.6.32.49/include/linux/byteorder/little_endian.h 2011-11-15 19:59:43.000000000 -0500
62942 @@ -42,51 +42,51 @@
62943
62944 static inline __le64 __cpu_to_le64p(const __u64 *p)
62945 {
62946 - return (__force __le64)*p;
62947 + return (__force const __le64)*p;
62948 }
62949 static inline __u64 __le64_to_cpup(const __le64 *p)
62950 {
62951 - return (__force __u64)*p;
62952 + return (__force const __u64)*p;
62953 }
62954 static inline __le32 __cpu_to_le32p(const __u32 *p)
62955 {
62956 - return (__force __le32)*p;
62957 + return (__force const __le32)*p;
62958 }
62959 static inline __u32 __le32_to_cpup(const __le32 *p)
62960 {
62961 - return (__force __u32)*p;
62962 + return (__force const __u32)*p;
62963 }
62964 static inline __le16 __cpu_to_le16p(const __u16 *p)
62965 {
62966 - return (__force __le16)*p;
62967 + return (__force const __le16)*p;
62968 }
62969 static inline __u16 __le16_to_cpup(const __le16 *p)
62970 {
62971 - return (__force __u16)*p;
62972 + return (__force const __u16)*p;
62973 }
62974 static inline __be64 __cpu_to_be64p(const __u64 *p)
62975 {
62976 - return (__force __be64)__swab64p(p);
62977 + return (__force const __be64)__swab64p(p);
62978 }
62979 static inline __u64 __be64_to_cpup(const __be64 *p)
62980 {
62981 - return __swab64p((__u64 *)p);
62982 + return __swab64p((const __u64 *)p);
62983 }
62984 static inline __be32 __cpu_to_be32p(const __u32 *p)
62985 {
62986 - return (__force __be32)__swab32p(p);
62987 + return (__force const __be32)__swab32p(p);
62988 }
62989 static inline __u32 __be32_to_cpup(const __be32 *p)
62990 {
62991 - return __swab32p((__u32 *)p);
62992 + return __swab32p((const __u32 *)p);
62993 }
62994 static inline __be16 __cpu_to_be16p(const __u16 *p)
62995 {
62996 - return (__force __be16)__swab16p(p);
62997 + return (__force const __be16)__swab16p(p);
62998 }
62999 static inline __u16 __be16_to_cpup(const __be16 *p)
63000 {
63001 - return __swab16p((__u16 *)p);
63002 + return __swab16p((const __u16 *)p);
63003 }
63004 #define __cpu_to_le64s(x) do { (void)(x); } while (0)
63005 #define __le64_to_cpus(x) do { (void)(x); } while (0)
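Review bot: The `const` added inside the value casts, for example `(__force const __le64)*p` in `__cpu_to_le64p`, has no effect, because a qualifier on the type named in a cast is dropped from the resulting non-lvalue. Only the pointer casts in the `__be*_to_cpup` helpers (`(const __u64 *)p` and its 32- and 16-bit siblings) change anything, since they stop casting `const` away from the argument. If the value casts are kept on purpose for a checker, a comment above `__cpu_to_le64p` such as `/* const in the value casts is for the checker only; generated code is unchanged */` would keep a later cleanup from removing them one by one.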
63006 diff -urNp linux-2.6.32.49/include/linux/cache.h linux-2.6.32.49/include/linux/cache.h
63007 --- linux-2.6.32.49/include/linux/cache.h 2011-11-08 19:02:43.000000000 -0500
63008 +++ linux-2.6.32.49/include/linux/cache.h 2011-11-15 19:59:43.000000000 -0500
63009 @@ -16,6 +16,10 @@
63010 #define __read_mostly
63011 #endif
63012
63013 +#ifndef __read_only
63014 +#define __read_only __read_mostly
63015 +#endif
63016 +
63017 #ifndef ____cacheline_aligned
63018 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
63019 #endif
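Review bot: The fallback `#define __read_only __read_mostly` silently turns every `__read_only` object into ordinary writable data on any architecture that does not supply its own definition, so the annotation gives no write protection there while still reading as if it did. A comment on the fallback should say so, for example `/* no arch support: __read_only is only a placement hint here, the data stays writable */`. Which architectures define `__read_only` before this header is included is not visible in the hunk, so the set of affected builds should be confirmed.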
63020 diff -urNp linux-2.6.32.49/include/linux/capability.h linux-2.6.32.49/include/linux/capability.h
63021 --- linux-2.6.32.49/include/linux/capability.h 2011-11-08 19:02:43.000000000 -0500
63022 +++ linux-2.6.32.49/include/linux/capability.h 2011-11-15 19:59:43.000000000 -0500
63023 @@ -563,6 +563,7 @@ extern const kernel_cap_t __cap_init_eff
63024 (security_real_capable_noaudit((t), (cap)) == 0)
63025
63026 extern int capable(int cap);
63027 +int capable_nolog(int cap);
63028
63029 /* audit system wants to get cap info from files as well */
63030 struct dentry;
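Review bot: The new declaration `int capable_nolog(int cap);` has no comment saying how it differs from `capable()` on the line above, and the name alone suggests a privilege check that leaves no log record. A caller needs to know which record is suppressed and when skipping it is acceptable, so a short comment such as `/* same decision as capable(), but a denial is not logged; for checks whose failure is expected */` would help, with the wording adjusted to what the definition does, which is outside this hunk. For consistency with the neighbouring line the declaration could also read `extern int capable_nolog(int cap);`.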
63031 diff -urNp linux-2.6.32.49/include/linux/compiler-gcc4.h linux-2.6.32.49/include/linux/compiler-gcc4.h
63032 --- linux-2.6.32.49/include/linux/compiler-gcc4.h 2011-11-08 19:02:43.000000000 -0500
63033 +++ linux-2.6.32.49/include/linux/compiler-gcc4.h 2011-11-15 19:59:43.000000000 -0500
63034 @@ -36,4 +36,16 @@
63035 the kernel context */
63036 #define __cold __attribute__((__cold__))
63037
63038 +#define __alloc_size(...) __attribute((alloc_size(__VA_ARGS__)))
63039 +#define __bos(ptr, arg) __builtin_object_size((ptr), (arg))
63040 +#define __bos0(ptr) __bos((ptr), 0)
63041 +#define __bos1(ptr) __bos((ptr), 1)
63042 +
63043 +#if __GNUC_MINOR__ >= 5
63044 +#ifdef CONSTIFY_PLUGIN
63045 +#define __no_const __attribute__((no_const))
63046 +#define __do_const __attribute__((do_const))
63047 +#endif
63048 +#endif
63049 +
63050 #endif
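Review bot: `__alloc_size` is written with `__attribute(` while `__cold` two lines above and the new `__no_const`/`__do_const` use `__attribute__(`; GCC accepts both spellings, but the file should use one: `#define __alloc_size(...) __attribute__((alloc_size(__VA_ARGS__)))`. The nested `#if __GNUC_MINOR__ >= 5` and `#ifdef CONSTIFY_PLUGIN` can be a single `#if __GNUC_MINOR__ >= 5 && defined(CONSTIFY_PLUGIN)`. The minimum GCC release that understands `alloc_size` should also be checked against the version guard that encloses these lines, since that guard opens above the hunk.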
63051 diff -urNp linux-2.6.32.49/include/linux/compiler.h linux-2.6.32.49/include/linux/compiler.h
63052 --- linux-2.6.32.49/include/linux/compiler.h 2011-11-08 19:02:43.000000000 -0500
63053 +++ linux-2.6.32.49/include/linux/compiler.h 2011-11-15 19:59:43.000000000 -0500
63054 @@ -5,11 +5,14 @@
63055
63056 #ifdef __CHECKER__
63057 # define __user __attribute__((noderef, address_space(1)))
63058 +# define __force_user __force __user
63059 # define __kernel /* default address space */
63060 +# define __force_kernel __force __kernel
63061 # define __safe __attribute__((safe))
63062 # define __force __attribute__((force))
63063 # define __nocast __attribute__((nocast))
63064 # define __iomem __attribute__((noderef, address_space(2)))
63065 +# define __force_iomem __force __iomem
63066 # define __acquires(x) __attribute__((context(x,0,1)))
63067 # define __releases(x) __attribute__((context(x,1,0)))
63068 # define __acquire(x) __context__(x,1)
63069 @@ -17,13 +20,34 @@
63070 # define __cond_lock(x,c) ((c) ? ({ __acquire(x); 1; }) : 0)
63071 extern void __chk_user_ptr(const volatile void __user *);
63072 extern void __chk_io_ptr(const volatile void __iomem *);
63073 +#elif defined(CHECKER_PLUGIN)
63074 +//# define __user
63075 +//# define __force_user
63076 +//# define __kernel
63077 +//# define __force_kernel
63078 +# define __safe
63079 +# define __force
63080 +# define __nocast
63081 +# define __iomem
63082 +# define __force_iomem
63083 +# define __chk_user_ptr(x) (void)0
63084 +# define __chk_io_ptr(x) (void)0
63085 +# define __builtin_warning(x, y...) (1)
63086 +# define __acquires(x)
63087 +# define __releases(x)
63088 +# define __acquire(x) (void)0
63089 +# define __release(x) (void)0
63090 +# define __cond_lock(x,c) (c)
63091 #else
63092 # define __user
63093 +# define __force_user
63094 # define __kernel
63095 +# define __force_kernel
63096 # define __safe
63097 # define __force
63098 # define __nocast
63099 # define __iomem
63100 +# define __force_iomem
63101 # define __chk_user_ptr(x) (void)0
63102 # define __chk_io_ptr(x) (void)0
63103 # define __builtin_warning(x, y...) (1)
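Review bot: The `CHECKER_PLUGIN` branch leaves `__user`, `__force_user`, `__kernel` and `__force_kernel` as `//`-commented lines, so in that configuration this header does not define those four names at all and every declaration using them depends on a definition from somewhere else. If the plugin build is expected to supply them, replace the dead lines with a comment that says so, for example `/* __user, __kernel and their __force_ variants are provided by the checker plugin build */`; if not, define them empty as the `#else` branch does. The branch also repeats the `#else` definitions visible here (`__safe` through `__builtin_warning`) verbatim, so the two lists can drift apart.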
63104 @@ -247,6 +271,14 @@ void ftrace_likely_update(struct ftrace_
63105 # define __attribute_const__ /* unimplemented */
63106 #endif
63107
63108 +#ifndef __no_const
63109 +# define __no_const
63110 +#endif
63111 +
63112 +#ifndef __do_const
63113 +# define __do_const
63114 +#endif
63115 +
63116 /*
63117 * Tell gcc if a function is cold. The compiler will assume any path
63118 * directly leading to the call is unlikely.
63119 @@ -256,6 +288,22 @@ void ftrace_likely_update(struct ftrace_
63120 #define __cold
63121 #endif
63122
63123 +#ifndef __alloc_size
63124 +#define __alloc_size(...)
63125 +#endif
63126 +
63127 +#ifndef __bos
63128 +#define __bos(ptr, arg)
63129 +#endif
63130 +
63131 +#ifndef __bos0
63132 +#define __bos0(ptr)
63133 +#endif
63134 +
63135 +#ifndef __bos1
63136 +#define __bos1(ptr)
63137 +#endif
63138 +
63139 /* Simple shorthand for a section definition */
63140 #ifndef __section
63141 # define __section(S) __attribute__ ((__section__(#S)))
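Review bot: The fallbacks `#define __bos(ptr, arg)`, `#define __bos0(ptr)` and `#define __bos1(ptr)` expand to nothing, so any use inside an expression, such as a comparison against a copy length, fails to compile with a compiler whose header does not define them. `__builtin_object_size` reports an unknown size as `(size_t)-1` for types 0 and 1, so the fallback should yield the same value, e.g. `#define __bos(ptr, arg) ((size_t)-1)`, with `__bos0` and `__bos1` defined through `__bos`. Whether `size_t` is in scope at this point of `compiler.h` is not visible here; `(~0UL)` is the alternative.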
63142 @@ -278,6 +326,7 @@ void ftrace_likely_update(struct ftrace_
63143 * use is to mediate communication between process-level code and irq/NMI
63144 * handlers, all running on the same CPU.
63145 */
63146 -#define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x))
63147 +#define ACCESS_ONCE(x) (*(volatile const typeof(x) *)&(x))
63148 +#define ACCESS_ONCE_RW(x) (*(volatile typeof(x) *)&(x))
63149
63150 #endif /* __LINUX_COMPILER_H */
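Review bot: `ACCESS_ONCE(x)` now yields a `const` lvalue, so existing stores of the form `ACCESS_ONCE(v) = n` stop compiling and have to move to the new `ACCESS_ONCE_RW`, yet the comment block that ends just above the macro does not mention the split. Add a line to that comment such as `* ACCESS_ONCE() is read-only; use ACCESS_ONCE_RW() when the access is a store.` The comment block starts outside this hunk, so its existing wording should be checked for statements that assume the old read-write behaviour.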
63151 diff -urNp linux-2.6.32.49/include/linux/crypto.h linux-2.6.32.49/include/linux/crypto.h
63152 --- linux-2.6.32.49/include/linux/crypto.h 2011-11-08 19:02:43.000000000 -0500
63153 +++ linux-2.6.32.49/include/linux/crypto.h 2011-11-15 19:59:43.000000000 -0500
63154 @@ -394,7 +394,7 @@ struct cipher_tfm {
63155 const u8 *key, unsigned int keylen);
63156 void (*cit_encrypt_one)(struct crypto_tfm *tfm, u8 *dst, const u8 *src);
63157 void (*cit_decrypt_one)(struct crypto_tfm *tfm, u8 *dst, const u8 *src);
63158 -};
63159 +} __no_const;
63160
63161 struct hash_tfm {
63162 int (*init)(struct hash_desc *desc);
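Review bot: `struct cipher_tfm` is marked `__no_const` without a comment, and the same applies to `compress_tfm` and `rng_tfm` in the next hunk. Judging by its name and the empty fallback in `compiler.h`, the attribute opts these function-pointer tables out of constification, so their pointers stay writable for the life of the object. Each opt-out should state why it is needed, for example `/* __no_const: members are filled in per transform at runtime */`, if that is indeed the reason; the code that assigns them is not part of this hunk. Without the reason on record a reviewer cannot tell a necessary exception from one that could be removed.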
63163 @@ -415,13 +415,13 @@ struct compress_tfm {
63164 int (*cot_decompress)(struct crypto_tfm *tfm,
63165 const u8 *src, unsigned int slen,
63166 u8 *dst, unsigned int *dlen);
63167 -};
63168 +} __no_const;
63169
63170 struct rng_tfm {
63171 int (*rng_gen_random)(struct crypto_rng *tfm, u8 *rdata,
63172 unsigned int dlen);
63173 int (*rng_reset)(struct crypto_rng *tfm, u8 *seed, unsigned int slen);
63174 -};
63175 +} __no_const;
63176
63177 #define crt_ablkcipher crt_u.ablkcipher
63178 #define crt_aead crt_u.aead
63179 diff -urNp linux-2.6.32.49/include/linux/dcache.h linux-2.6.32.49/include/linux/dcache.h
63180 --- linux-2.6.32.49/include/linux/dcache.h 2011-11-08 19:02:43.000000000 -0500
63181 +++ linux-2.6.32.49/include/linux/dcache.h 2011-11-15 19:59:43.000000000 -0500
63182 @@ -119,6 +119,8 @@ struct dentry {
63183 unsigned char d_iname[DNAME_INLINE_LEN_MIN]; /* small names */
63184 };
63185
63186 +#define DNAME_INLINE_LEN (sizeof(struct dentry)-offsetof(struct dentry,d_iname))
63187 +
63188 /*
63189 * dentry->d_lock spinlock nesting subclasses:
63190 *
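Review bot: `DNAME_INLINE_LEN` is computed as `sizeof(struct dentry)-offsetof(struct dentry,d_iname)`, which equals the usable inline-name space only while `d_iname` is the last member, and it counts any tail padding on top of the declared `DNAME_INLINE_LEN_MIN` bytes. That assumption should be written next to the macro, for example `/* valid only while d_iname is the last member of struct dentry; includes tail padding */`. Code that bounds a copy with this value would reach into later members if a field were ever added after `d_iname`. The struct body begins outside this hunk.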
63191 diff -urNp linux-2.6.32.49/include/linux/decompress/mm.h linux-2.6.32.49/include/linux/decompress/mm.h
63192 --- linux-2.6.32.49/include/linux/decompress/mm.h 2011-11-08 19:02:43.000000000 -0500
63193 +++ linux-2.6.32.49/include/linux/decompress/mm.h 2011-11-15 19:59:43.000000000 -0500
63194 @@ -78,7 +78,7 @@ static void free(void *where)
63195 * warnings when not needed (indeed large_malloc / large_free are not
63196 * needed by inflate */
63197
63198 -#define malloc(a) kmalloc(a, GFP_KERNEL)
63199 +#define malloc(a) kmalloc((a), GFP_KERNEL)
63200 #define free(a) kfree(a)
63201
63202 #define large_malloc(a) vmalloc(a)
63203 diff -urNp linux-2.6.32.49/include/linux/dma-mapping.h linux-2.6.32.49/include/linux/dma-mapping.h
63204 --- linux-2.6.32.49/include/linux/dma-mapping.h 2011-11-08 19:02:43.000000000 -0500
63205 +++ linux-2.6.32.49/include/linux/dma-mapping.h 2011-11-15 19:59:43.000000000 -0500
63206 @@ -16,51 +16,51 @@ enum dma_data_direction {
63207 };
63208
63209 struct dma_map_ops {
63210 - void* (*alloc_coherent)(struct device *dev, size_t size,
63211 + void* (* const alloc_coherent)(struct device *dev, size_t size,
63212 dma_addr_t *dma_handle, gfp_t gfp);
63213 - void (*free_coherent)(struct device *dev, size_t size,
63214 + void (* const free_coherent)(struct device *dev, size_t size,
63215 void *vaddr, dma_addr_t dma_handle);
63216 - dma_addr_t (*map_page)(struct device *dev, struct page *page,
63217 + dma_addr_t (* const map_page)(struct device *dev, struct page *page,
63218 unsigned long offset, size_t size,
63219 enum dma_data_direction dir,
63220 struct dma_attrs *attrs);
63221 - void (*unmap_page)(struct device *dev, dma_addr_t dma_handle,
63222 + void (* const unmap_page)(struct device *dev, dma_addr_t dma_handle,
63223 size_t size, enum dma_data_direction dir,
63224 struct dma_attrs *attrs);
63225 - int (*map_sg)(struct device *dev, struct scatterlist *sg,
63226 + int (* const map_sg)(struct device *dev, struct scatterlist *sg,
63227 int nents, enum dma_data_direction dir,
63228 struct dma_attrs *attrs);
63229 - void (*unmap_sg)(struct device *dev,
63230 + void (* const unmap_sg)(struct device *dev,
63231 struct scatterlist *sg, int nents,
63232 enum dma_data_direction dir,
63233 struct dma_attrs *attrs);
63234 - void (*sync_single_for_cpu)(struct device *dev,
63235 + void (* const sync_single_for_cpu)(struct device *dev,
63236 dma_addr_t dma_handle, size_t size,
63237 enum dma_data_direction dir);
63238 - void (*sync_single_for_device)(struct device *dev,
63239 + void (* const sync_single_for_device)(struct device *dev,
63240 dma_addr_t dma_handle, size_t size,
63241 enum dma_data_direction dir);
63242 - void (*sync_single_range_for_cpu)(struct device *dev,
63243 + void (* const sync_single_range_for_cpu)(struct device *dev,
63244 dma_addr_t dma_handle,
63245 unsigned long offset,
63246 size_t size,
63247 enum dma_data_direction dir);
63248 - void (*sync_single_range_for_device)(struct device *dev,
63249 + void (* const sync_single_range_for_device)(struct device *dev,
63250 dma_addr_t dma_handle,
63251 unsigned long offset,
63252 size_t size,
63253 enum dma_data_direction dir);
63254 - void (*sync_sg_for_cpu)(struct device *dev,
63255 + void (* const sync_sg_for_cpu)(struct device *dev,
63256 struct scatterlist *sg, int nents,
63257 enum dma_data_direction dir);
63258 - void (*sync_sg_for_device)(struct device *dev,
63259 + void (* const sync_sg_for_device)(struct device *dev,
63260 struct scatterlist *sg, int nents,
63261 enum dma_data_direction dir);
63262 - int (*mapping_error)(struct device *dev, dma_addr_t dma_addr);
63263 - int (*dma_supported)(struct device *dev, u64 mask);
63264 + int (* const mapping_error)(struct device *dev, dma_addr_t dma_addr);
63265 + int (* const dma_supported)(struct device *dev, u64 mask);
63266 int (*set_dma_mask)(struct device *dev, u64 mask);
63267 int is_phys;
63268 -};
63269 +} __do_const;
63270
63271 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
63272
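Review bot: `set_dma_mask` is the only callback in `struct dma_map_ops` left without `const`, and nothing says whether that is deliberate. If some implementation assigns it after initialisation, note that at the member, e.g. `/* not const: assigned at runtime, see the arch code that sets it */`; otherwise make it `int (* const set_dma_mask)(struct device *dev, u64 mask);` like its neighbours. The struct also carries `__do_const`, so with the plugin active the per-member qualifiers are presumably redundant, and a short comment on which mechanism is authoritative would help whoever adds the next member.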
63273 diff -urNp linux-2.6.32.49/include/linux/dst.h linux-2.6.32.49/include/linux/dst.h
63274 --- linux-2.6.32.49/include/linux/dst.h 2011-11-08 19:02:43.000000000 -0500
63275 +++ linux-2.6.32.49/include/linux/dst.h 2011-11-15 19:59:43.000000000 -0500
63276 @@ -380,7 +380,7 @@ struct dst_node
63277 struct thread_pool *pool;
63278
63279 /* Transaction IDs live here */
63280 - atomic_long_t gen;
63281 + atomic_long_unchecked_t gen;
63282
63283 /*
63284 * How frequently and how many times transaction
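Review bot: `gen` is switched to `atomic_long_unchecked_t` with no explanation of why wrap-around is acceptable for this counter; the existing comment only says that transaction IDs live here. The `_unchecked` types appear to opt a counter out of overflow detection, so each use should record the reasoning, for example `/* Transaction IDs live here; wrap is harmless, this is not a reference count */`, after confirming that no code treats `gen` as a reference count. The same applies to `fscache_op_debug_id` in `fscache-cache.h` and to `sync_io` in `genhd.h` later in this patch.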
63285 diff -urNp linux-2.6.32.49/include/linux/elf.h linux-2.6.32.49/include/linux/elf.h
63286 --- linux-2.6.32.49/include/linux/elf.h 2011-11-08 19:02:43.000000000 -0500
63287 +++ linux-2.6.32.49/include/linux/elf.h 2011-11-15 19:59:43.000000000 -0500
63288 @@ -49,6 +49,17 @@ typedef __s64 Elf64_Sxword;
63289 #define PT_GNU_EH_FRAME 0x6474e550
63290
63291 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
63292 +#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
63293 +
63294 +#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
63295 +
63296 +/* Constants for the e_flags field */
63297 +#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
63298 +#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
63299 +#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
63300 +#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
63301 +/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
63302 +#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
63303
63304 /* These constants define the different elf file types */
63305 #define ET_NONE 0
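Review bot: The commented-out `/*#define EF_PAX_RANDEXEC 16*/` leaves bit value 16 looking free for reuse. If the value is retired but has to stay reserved so that old binaries are not misread, say so in words instead of dead code, e.g. `/* 16 was EF_PAX_RANDEXEC (removed); reserved, do not reuse */`. The same pattern appears for `PF_RANDEXEC` and `PF_NORANDEXEC` in the `PF_*` hunk further down.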
63306 @@ -84,6 +95,8 @@ typedef __s64 Elf64_Sxword;
63307 #define DT_DEBUG 21
63308 #define DT_TEXTREL 22
63309 #define DT_JMPREL 23
63310 +#define DT_FLAGS 30
63311 + #define DF_TEXTREL 0x00000004
63312 #define DT_ENCODING 32
63313 #define OLD_DT_LOOS 0x60000000
63314 #define DT_LOOS 0x6000000d
63315 @@ -230,6 +243,19 @@ typedef struct elf64_hdr {
63316 #define PF_W 0x2
63317 #define PF_X 0x1
63318
63319 +#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
63320 +#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
63321 +#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
63322 +#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
63323 +#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
63324 +#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
63325 +/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
63326 +/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
63327 +#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
63328 +#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
63329 +#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
63330 +#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
63331 +
63332 typedef struct elf32_phdr{
63333 Elf32_Word p_type;
63334 Elf32_Off p_offset;
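Review bot: Each PaX feature gets an enable bit and a separate disable bit (`PF_PAGEEXEC`/`PF_NOPAGEEXEC` and so on), but the header does not say what a program header with both bits of a pair set, or with neither, means. These flags select memory protections for the loaded binary, so the handling of a contradictory pair should be documented next to the definitions, for example `/* both or neither bit of a pair set: <behaviour of the PT_PAX_FLAGS parser> */`. The text has to come from the code that parses `PT_PAX_FLAGS`, which is outside this hunk.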
63335 @@ -322,6 +348,8 @@ typedef struct elf64_shdr {
63336 #define EI_OSABI 7
63337 #define EI_PAD 8
63338
63339 +#define EI_PAX 14
63340 +
63341 #define ELFMAG0 0x7f /* EI_MAG */
63342 #define ELFMAG1 'E'
63343 #define ELFMAG2 'L'
63344 @@ -386,6 +414,7 @@ extern Elf32_Dyn _DYNAMIC [];
63345 #define elf_phdr elf32_phdr
63346 #define elf_note elf32_note
63347 #define elf_addr_t Elf32_Off
63348 +#define elf_dyn Elf32_Dyn
63349
63350 #else
63351
63352 @@ -394,6 +423,7 @@ extern Elf64_Dyn _DYNAMIC [];
63353 #define elf_phdr elf64_phdr
63354 #define elf_note elf64_note
63355 #define elf_addr_t Elf64_Off
63356 +#define elf_dyn Elf64_Dyn
63357
63358 #endif
63359
63360 diff -urNp linux-2.6.32.49/include/linux/fscache-cache.h linux-2.6.32.49/include/linux/fscache-cache.h
63361 --- linux-2.6.32.49/include/linux/fscache-cache.h 2011-11-08 19:02:43.000000000 -0500
63362 +++ linux-2.6.32.49/include/linux/fscache-cache.h 2011-11-15 19:59:43.000000000 -0500
63363 @@ -116,7 +116,7 @@ struct fscache_operation {
63364 #endif
63365 };
63366
63367 -extern atomic_t fscache_op_debug_id;
63368 +extern atomic_unchecked_t fscache_op_debug_id;
63369 extern const struct slow_work_ops fscache_op_slow_work_ops;
63370
63371 extern void fscache_enqueue_operation(struct fscache_operation *);
63372 @@ -134,7 +134,7 @@ static inline void fscache_operation_ini
63373 fscache_operation_release_t release)
63374 {
63375 atomic_set(&op->usage, 1);
63376 - op->debug_id = atomic_inc_return(&fscache_op_debug_id);
63377 + op->debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
63378 op->release = release;
63379 INIT_LIST_HEAD(&op->pend_link);
63380 fscache_set_op_state(op, "Init");
63381 diff -urNp linux-2.6.32.49/include/linux/fs.h linux-2.6.32.49/include/linux/fs.h
63382 --- linux-2.6.32.49/include/linux/fs.h 2011-11-08 19:02:43.000000000 -0500
63383 +++ linux-2.6.32.49/include/linux/fs.h 2011-11-18 19:28:58.000000000 -0500
63384 @@ -568,41 +568,41 @@ typedef int (*read_actor_t)(read_descrip
63385 unsigned long, unsigned long);
63386
63387 struct address_space_operations {
63388 - int (*writepage)(struct page *page, struct writeback_control *wbc);
63389 - int (*readpage)(struct file *, struct page *);
63390 - void (*sync_page)(struct page *);
63391 + int (* const writepage)(struct page *page, struct writeback_control *wbc);
63392 + int (* const readpage)(struct file *, struct page *);
63393 + void (* const sync_page)(struct page *);
63394
63395 /* Write back some dirty pages from this mapping. */
63396 - int (*writepages)(struct address_space *, struct writeback_control *);
63397 + int (* const writepages)(struct address_space *, struct writeback_control *);
63398
63399 /* Set a page dirty. Return true if this dirtied it */
63400 - int (*set_page_dirty)(struct page *page);
63401 + int (* const set_page_dirty)(struct page *page);
63402
63403 - int (*readpages)(struct file *filp, struct address_space *mapping,
63404 + int (* const readpages)(struct file *filp, struct address_space *mapping,
63405 struct list_head *pages, unsigned nr_pages);
63406
63407 - int (*write_begin)(struct file *, struct address_space *mapping,
63408 + int (* const write_begin)(struct file *, struct address_space *mapping,
63409 loff_t pos, unsigned len, unsigned flags,
63410 struct page **pagep, void **fsdata);
63411 - int (*write_end)(struct file *, struct address_space *mapping,
63412 + int (* const write_end)(struct file *, struct address_space *mapping,
63413 loff_t pos, unsigned len, unsigned copied,
63414 struct page *page, void *fsdata);
63415
63416 /* Unfortunately this kludge is needed for FIBMAP. Don't use it */
63417 - sector_t (*bmap)(struct address_space *, sector_t);
63418 - void (*invalidatepage) (struct page *, unsigned long);
63419 - int (*releasepage) (struct page *, gfp_t);
63420 - ssize_t (*direct_IO)(int, struct kiocb *, const struct iovec *iov,
63421 + sector_t (* const bmap)(struct address_space *, sector_t);
63422 + void (* const invalidatepage) (struct page *, unsigned long);
63423 + int (* const releasepage) (struct page *, gfp_t);
63424 + ssize_t (* const direct_IO)(int, struct kiocb *, const struct iovec *iov,
63425 loff_t offset, unsigned long nr_segs);
63426 - int (*get_xip_mem)(struct address_space *, pgoff_t, int,
63427 + int (* const get_xip_mem)(struct address_space *, pgoff_t, int,
63428 void **, unsigned long *);
63429 /* migrate the contents of a page to the specified target */
63430 - int (*migratepage) (struct address_space *,
63431 + int (* const migratepage) (struct address_space *,
63432 struct page *, struct page *);
63433 - int (*launder_page) (struct page *);
63434 - int (*is_partially_uptodate) (struct page *, read_descriptor_t *,
63435 + int (* const launder_page) (struct page *);
63436 + int (* const is_partially_uptodate) (struct page *, read_descriptor_t *,
63437 unsigned long);
63438 - int (*error_remove_page)(struct address_space *, struct page *);
63439 + int (* const error_remove_page)(struct address_space *, struct page *);
63440 };
63441
63442 /*
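Review bot: `address_space_operations` is hardened by qualifying every member with `const`, while `file_operations` later in this file and `dma_map_ops` get the `__do_const` attribute; the patch gives no rule for when each form is used. With per-member `const`, a callback added later is writable unless its author remembers the qualifier. A comment at the top of the struct, such as `/* all callbacks are const: instances must be fully initialised at definition */`, would state the contract. The same note fits `file_lock_operations`, `lock_manager_operations` and `super_operations` in the following hunks.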
63443 @@ -1031,19 +1031,19 @@ static inline int file_check_writeable(s
63444 typedef struct files_struct *fl_owner_t;
63445
63446 struct file_lock_operations {
63447 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
63448 - void (*fl_release_private)(struct file_lock *);
63449 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
63450 + void (* const fl_release_private)(struct file_lock *);
63451 };
63452
63453 struct lock_manager_operations {
63454 - int (*fl_compare_owner)(struct file_lock *, struct file_lock *);
63455 - void (*fl_notify)(struct file_lock *); /* unblock callback */
63456 - int (*fl_grant)(struct file_lock *, struct file_lock *, int);
63457 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
63458 - void (*fl_release_private)(struct file_lock *);
63459 - void (*fl_break)(struct file_lock *);
63460 - int (*fl_mylease)(struct file_lock *, struct file_lock *);
63461 - int (*fl_change)(struct file_lock **, int);
63462 + int (* const fl_compare_owner)(struct file_lock *, struct file_lock *);
63463 + void (* const fl_notify)(struct file_lock *); /* unblock callback */
63464 + int (* const fl_grant)(struct file_lock *, struct file_lock *, int);
63465 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
63466 + void (* const fl_release_private)(struct file_lock *);
63467 + void (* const fl_break)(struct file_lock *);
63468 + int (* const fl_mylease)(struct file_lock *, struct file_lock *);
63469 + int (* const fl_change)(struct file_lock **, int);
63470 };
63471
63472 struct lock_manager {
63473 @@ -1442,7 +1442,7 @@ struct fiemap_extent_info {
63474 unsigned int fi_flags; /* Flags as passed from user */
63475 unsigned int fi_extents_mapped; /* Number of mapped extents */
63476 unsigned int fi_extents_max; /* Size of fiemap_extent array */
63477 - struct fiemap_extent *fi_extents_start; /* Start of fiemap_extent
63478 + struct fiemap_extent __user *fi_extents_start; /* Start of fiemap_extent
63479 * array */
63480 };
63481 int fiemap_fill_next_extent(struct fiemap_extent_info *info, u64 logical,
63482 @@ -1512,7 +1512,8 @@ struct file_operations {
63483 ssize_t (*splice_write)(struct pipe_inode_info *, struct file *, loff_t *, size_t, unsigned int);
63484 ssize_t (*splice_read)(struct file *, loff_t *, struct pipe_inode_info *, size_t, unsigned int);
63485 int (*setlease)(struct file *, long, struct file_lock **);
63486 -};
63487 +} __do_const;
63488 +typedef struct file_operations __no_const file_operations_no_const;
63489
63490 struct inode_operations {
63491 int (*create) (struct inode *,struct dentry *,int, struct nameidata *);
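Review bot: The typedef `file_operations_no_const` is an escape hatch from the `__do_const` placed on `struct file_operations` one line earlier, and it is introduced without any comment on when it may be used. Every writable copy of a file-operations table is a set of function pointers that can be changed at runtime, so the typedef should carry a restriction, for example `/* only for tables that must be built at runtime; prefer a static const struct file_operations */`. The struct body starts outside this hunk.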
63492 @@ -1559,30 +1560,30 @@ extern ssize_t vfs_writev(struct file *,
63493 unsigned long, loff_t *);
63494
63495 struct super_operations {
63496 - struct inode *(*alloc_inode)(struct super_block *sb);
63497 - void (*destroy_inode)(struct inode *);
63498 + struct inode *(* const alloc_inode)(struct super_block *sb);
63499 + void (* const destroy_inode)(struct inode *);
63500
63501 - void (*dirty_inode) (struct inode *);
63502 - int (*write_inode) (struct inode *, int);
63503 - void (*drop_inode) (struct inode *);
63504 - void (*delete_inode) (struct inode *);
63505 - void (*put_super) (struct super_block *);
63506 - void (*write_super) (struct super_block *);
63507 - int (*sync_fs)(struct super_block *sb, int wait);
63508 - int (*freeze_fs) (struct super_block *);
63509 - int (*unfreeze_fs) (struct super_block *);
63510 - int (*statfs) (struct dentry *, struct kstatfs *);
63511 - int (*remount_fs) (struct super_block *, int *, char *);
63512 - void (*clear_inode) (struct inode *);
63513 - void (*umount_begin) (struct super_block *);
63514 + void (* const dirty_inode) (struct inode *);
63515 + int (* const write_inode) (struct inode *, int);
63516 + void (* const drop_inode) (struct inode *);
63517 + void (* const delete_inode) (struct inode *);
63518 + void (* const put_super) (struct super_block *);
63519 + void (* const write_super) (struct super_block *);
63520 + int (* const sync_fs)(struct super_block *sb, int wait);
63521 + int (* const freeze_fs) (struct super_block *);
63522 + int (* const unfreeze_fs) (struct super_block *);
63523 + int (* const statfs) (struct dentry *, struct kstatfs *);
63524 + int (* const remount_fs) (struct super_block *, int *, char *);
63525 + void (* const clear_inode) (struct inode *);
63526 + void (* const umount_begin) (struct super_block *);
63527
63528 - int (*show_options)(struct seq_file *, struct vfsmount *);
63529 - int (*show_stats)(struct seq_file *, struct vfsmount *);
63530 + int (* const show_options)(struct seq_file *, struct vfsmount *);
63531 + int (* const show_stats)(struct seq_file *, struct vfsmount *);
63532 #ifdef CONFIG_QUOTA
63533 - ssize_t (*quota_read)(struct super_block *, int, char *, size_t, loff_t);
63534 - ssize_t (*quota_write)(struct super_block *, int, const char *, size_t, loff_t);
63535 + ssize_t (* const quota_read)(struct super_block *, int, char *, size_t, loff_t);
63536 + ssize_t (* const quota_write)(struct super_block *, int, const char *, size_t, loff_t);
63537 #endif
63538 - int (*bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
63539 + int (* const bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
63540 };
63541
63542 /*
63543 diff -urNp linux-2.6.32.49/include/linux/fs_struct.h linux-2.6.32.49/include/linux/fs_struct.h
63544 --- linux-2.6.32.49/include/linux/fs_struct.h 2011-11-08 19:02:43.000000000 -0500
63545 +++ linux-2.6.32.49/include/linux/fs_struct.h 2011-11-15 19:59:43.000000000 -0500
63546 @@ -4,7 +4,7 @@
63547 #include <linux/path.h>
63548
63549 struct fs_struct {
63550 - int users;
63551 + atomic_t users;
63552 rwlock_t lock;
63553 int umask;
63554 int in_exec;
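Review bot: `users` changes from `int` to `atomic_t`, but the member sits directly above `rwlock_t lock` and the struct says nothing about whether the lock must still be held when the count is read together with other fields. Remaining plain accesses such as `fs->users++` will no longer compile, which catches missed conversions, but a test-then-act sequence built from separate atomic reads is not equivalent to one made under the lock. A field comment such as `/* atomic; hold lock when the value must be consistent with in_exec */` would record the rule, once it is confirmed against the users of this struct, which are outside the hunk.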
63555 diff -urNp linux-2.6.32.49/include/linux/ftrace_event.h linux-2.6.32.49/include/linux/ftrace_event.h
63556 --- linux-2.6.32.49/include/linux/ftrace_event.h 2011-11-08 19:02:43.000000000 -0500
63557 +++ linux-2.6.32.49/include/linux/ftrace_event.h 2011-11-15 19:59:43.000000000 -0500
63558 @@ -163,7 +163,7 @@ extern int trace_define_field(struct ftr
63559 int filter_type);
63560 extern int trace_define_common_fields(struct ftrace_event_call *call);
63561
63562 -#define is_signed_type(type) (((type)(-1)) < 0)
63563 +#define is_signed_type(type) (((type)(-1)) < (type)1)
63564
63565 int trace_set_clr_event(const char *system, const char *event, int set);
63566
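Review bot: The rewritten `is_signed_type(type)` compares against `(type)1` instead of `0` without saying why, and the two forms look equivalent at a glance. Presumably the aim is to avoid the compiler's always-false warning for an unsigned value compared with zero; if so, put that above the macro, e.g. `/* compare with (type)1, not 0, so unsigned types do not trigger -Wtype-limits */`, so the expression is not simplified back later.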
63567 diff -urNp linux-2.6.32.49/include/linux/genhd.h linux-2.6.32.49/include/linux/genhd.h
63568 --- linux-2.6.32.49/include/linux/genhd.h 2011-11-08 19:02:43.000000000 -0500
63569 +++ linux-2.6.32.49/include/linux/genhd.h 2011-11-15 19:59:43.000000000 -0500
63570 @@ -161,7 +161,7 @@ struct gendisk {
63571
63572 struct timer_rand_state *random;
63573
63574 - atomic_t sync_io; /* RAID */
63575 + atomic_unchecked_t sync_io; /* RAID */
63576 struct work_struct async_notify;
63577 #ifdef CONFIG_BLK_DEV_INTEGRITY
63578 struct blk_integrity *integrity;
63579 diff -urNp linux-2.6.32.49/include/linux/gracl.h linux-2.6.32.49/include/linux/gracl.h
63580 --- linux-2.6.32.49/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
63581 +++ linux-2.6.32.49/include/linux/gracl.h 2011-11-15 19:59:43.000000000 -0500
63582 @@ -0,0 +1,317 @@
63583 +#ifndef GR_ACL_H
63584 +#define GR_ACL_H
63585 +
63586 +#include <linux/grdefs.h>
63587 +#include <linux/resource.h>
63588 +#include <linux/capability.h>
63589 +#include <linux/dcache.h>
63590 +#include <asm/resource.h>
63591 +
63592 +/* Major status information */
63593 +
63594 +#define GR_VERSION "grsecurity 2.2.2"
63595 +#define GRSECURITY_VERSION 0x2202
63596 +
63597 +enum {
63598 + GR_SHUTDOWN = 0,
63599 + GR_ENABLE = 1,
63600 + GR_SPROLE = 2,
63601 + GR_RELOAD = 3,
63602 + GR_SEGVMOD = 4,
63603 + GR_STATUS = 5,
63604 + GR_UNSPROLE = 6,
63605 + GR_PASSSET = 7,
63606 + GR_SPROLEPAM = 8,
63607 +};
63608 +
63609 +/* Password setup definitions
63610 + * kernel/grhash.c */
63611 +enum {
63612 + GR_PW_LEN = 128,
63613 + GR_SALT_LEN = 16,
63614 + GR_SHA_LEN = 32,
63615 +};
63616 +
63617 +enum {
63618 + GR_SPROLE_LEN = 64,
63619 +};
63620 +
63621 +enum {
63622 + GR_NO_GLOB = 0,
63623 + GR_REG_GLOB,
63624 + GR_CREATE_GLOB
63625 +};
63626 +
63627 +#define GR_NLIMITS 32
63628 +
63629 +/* Begin Data Structures */
63630 +
63631 +struct sprole_pw {
63632 + unsigned char *rolename;
63633 + unsigned char salt[GR_SALT_LEN];
63634 + unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
63635 +};
63636 +
63637 +struct name_entry {
63638 + __u32 key;
63639 + ino_t inode;
63640 + dev_t device;
63641 + char *name;
63642 + __u16 len;
63643 + __u8 deleted;
63644 + struct name_entry *prev;
63645 + struct name_entry *next;
63646 +};
63647 +
63648 +struct inodev_entry {
63649 + struct name_entry *nentry;
63650 + struct inodev_entry *prev;
63651 + struct inodev_entry *next;
63652 +};
63653 +
63654 +struct acl_role_db {
63655 + struct acl_role_label **r_hash;
63656 + __u32 r_size;
63657 +};
63658 +
63659 +struct inodev_db {
63660 + struct inodev_entry **i_hash;
63661 + __u32 i_size;
63662 +};
63663 +
63664 +struct name_db {
63665 + struct name_entry **n_hash;
63666 + __u32 n_size;
63667 +};
63668 +
63669 +struct crash_uid {
63670 + uid_t uid;
63671 + unsigned long expires;
63672 +};
63673 +
63674 +struct gr_hash_struct {
63675 + void **table;
63676 + void **nametable;
63677 + void *first;
63678 + __u32 table_size;
63679 + __u32 used_size;
63680 + int type;
63681 +};
63682 +
63683 +/* Userspace Grsecurity ACL data structures */
63684 +
63685 +struct acl_subject_label {
63686 + char *filename;
63687 + ino_t inode;
63688 + dev_t device;
63689 + __u32 mode;
63690 + kernel_cap_t cap_mask;
63691 + kernel_cap_t cap_lower;
63692 + kernel_cap_t cap_invert_audit;
63693 +
63694 + struct rlimit res[GR_NLIMITS];
63695 + __u32 resmask;
63696 +
63697 + __u8 user_trans_type;
63698 + __u8 group_trans_type;
63699 + uid_t *user_transitions;
63700 + gid_t *group_transitions;
63701 + __u16 user_trans_num;
63702 + __u16 group_trans_num;
63703 +
63704 + __u32 sock_families[2];
63705 + __u32 ip_proto[8];
63706 + __u32 ip_type;
63707 + struct acl_ip_label **ips;
63708 + __u32 ip_num;
63709 + __u32 inaddr_any_override;
63710 +
63711 + __u32 crashes;
63712 + unsigned long expires;
63713 +
63714 + struct acl_subject_label *parent_subject;
63715 + struct gr_hash_struct *hash;
63716 + struct acl_subject_label *prev;
63717 + struct acl_subject_label *next;
63718 +
63719 + struct acl_object_label **obj_hash;
63720 + __u32 obj_hash_size;
63721 + __u16 pax_flags;
63722 +};
63723 +
63724 +struct role_allowed_ip {
63725 + __u32 addr;
63726 + __u32 netmask;
63727 +
63728 + struct role_allowed_ip *prev;
63729 + struct role_allowed_ip *next;
63730 +};
63731 +
63732 +struct role_transition {
63733 + char *rolename;
63734 +
63735 + struct role_transition *prev;
63736 + struct role_transition *next;
63737 +};
63738 +
63739 +struct acl_role_label {
63740 + char *rolename;
63741 + uid_t uidgid;
63742 + __u16 roletype;
63743 +
63744 + __u16 auth_attempts;
63745 + unsigned long expires;
63746 +
63747 + struct acl_subject_label *root_label;
63748 + struct gr_hash_struct *hash;
63749 +
63750 + struct acl_role_label *prev;
63751 + struct acl_role_label *next;
63752 +
63753 + struct role_transition *transitions;
63754 + struct role_allowed_ip *allowed_ips;
63755 + uid_t *domain_children;
63756 + __u16 domain_child_num;
63757 +
63758 + struct acl_subject_label **subj_hash;
63759 + __u32 subj_hash_size;
63760 +};
63761 +
63762 +struct user_acl_role_db {
63763 + struct acl_role_label **r_table;
63764 + __u32 num_pointers; /* Number of allocations to track */
63765 + __u32 num_roles; /* Number of roles */
63766 + __u32 num_domain_children; /* Number of domain children */
63767 + __u32 num_subjects; /* Number of subjects */
63768 + __u32 num_objects; /* Number of objects */
63769 +};
63770 +
63771 +struct acl_object_label {
63772 + char *filename;
63773 + ino_t inode;
63774 + dev_t device;
63775 + __u32 mode;
63776 +
63777 + struct acl_subject_label *nested;
63778 + struct acl_object_label *globbed;
63779 +
63780 + /* next two structures not used */
63781 +
63782 + struct acl_object_label *prev;
63783 + struct acl_object_label *next;
63784 +};
63785 +
63786 +struct acl_ip_label {
63787 + char *iface;
63788 + __u32 addr;
63789 + __u32 netmask;
63790 + __u16 low, high;
63791 + __u8 mode;
63792 + __u32 type;
63793 + __u32 proto[8];
63794 +
63795 + /* next two structures not used */
63796 +
63797 + struct acl_ip_label *prev;
63798 + struct acl_ip_label *next;
63799 +};
63800 +
63801 +struct gr_arg {
63802 + struct user_acl_role_db role_db;
63803 + unsigned char pw[GR_PW_LEN];
63804 + unsigned char salt[GR_SALT_LEN];
63805 + unsigned char sum[GR_SHA_LEN];
63806 + unsigned char sp_role[GR_SPROLE_LEN];
63807 + struct sprole_pw *sprole_pws;
63808 + dev_t segv_device;
63809 + ino_t segv_inode;
63810 + uid_t segv_uid;
63811 + __u16 num_sprole_pws;
63812 + __u16 mode;
63813 +};
63814 +
63815 +struct gr_arg_wrapper {
63816 + struct gr_arg *arg;
63817 + __u32 version;
63818 + __u32 size;
63819 +};
63820 +
63821 +struct subject_map {
63822 + struct acl_subject_label *user;
63823 + struct acl_subject_label *kernel;
63824 + struct subject_map *prev;
63825 + struct subject_map *next;
63826 +};
63827 +
63828 +struct acl_subj_map_db {
63829 + struct subject_map **s_hash;
63830 + __u32 s_size;
63831 +};
63832 +
63833 +/* End Data Structures Section */
63834 +
63835 +/* Hash functions generated by empirical testing by Brad Spengler
63836 + Makes good use of the low bits of the inode. Generally 0-1 times
63837 + in loop for successful match. 0-3 for unsuccessful match.
63838 + Shift/add algorithm with modulus of table size and an XOR*/
63839 +
63840 +static __inline__ unsigned int
63841 +rhash(const uid_t uid, const __u16 type, const unsigned int sz)
63842 +{
63843 + return ((((uid + type) << (16 + type)) ^ uid) % sz);
63844 +}
63845 +
63846 + static __inline__ unsigned int
63847 +shash(const struct acl_subject_label *userp, const unsigned int sz)
63848 +{
63849 + return ((const unsigned long)userp % sz);
63850 +}
63851 +
63852 +static __inline__ unsigned int
63853 +fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
63854 +{
63855 + return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
63856 +}
63857 +
63858 +static __inline__ unsigned int
63859 +nhash(const char *name, const __u16 len, const unsigned int sz)
63860 +{
63861 + return full_name_hash((const unsigned char *)name, len) % sz;
63862 +}
63863 +
63864 +#define FOR_EACH_ROLE_START(role) \
63865 + role = role_list; \
63866 + while (role) {
63867 +
63868 +#define FOR_EACH_ROLE_END(role) \
63869 + role = role->prev; \
63870 + }
63871 +
63872 +#define FOR_EACH_SUBJECT_START(role,subj,iter) \
63873 + subj = NULL; \
63874 + iter = 0; \
63875 + while (iter < role->subj_hash_size) { \
63876 + if (subj == NULL) \
63877 + subj = role->subj_hash[iter]; \
63878 + if (subj == NULL) { \
63879 + iter++; \
63880 + continue; \
63881 + }
63882 +
63883 +#define FOR_EACH_SUBJECT_END(subj,iter) \
63884 + subj = subj->next; \
63885 + if (subj == NULL) \
63886 + iter++; \
63887 + }
63888 +
63889 +
63890 +#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
63891 + subj = role->hash->first; \
63892 + while (subj != NULL) {
63893 +
63894 +#define FOR_EACH_NESTED_SUBJECT_END(subj) \
63895 + subj = subj->next; \
63896 + }
63897 +
63898 +#endif
63899 +
63900 diff -urNp linux-2.6.32.49/include/linux/gralloc.h linux-2.6.32.49/include/linux/gralloc.h
63901 --- linux-2.6.32.49/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
63902 +++ linux-2.6.32.49/include/linux/gralloc.h 2011-11-15 19:59:43.000000000 -0500
63903 @@ -0,0 +1,9 @@
63904 +#ifndef __GRALLOC_H
63905 +#define __GRALLOC_H
63906 +
63907 +void acl_free_all(void);
63908 +int acl_alloc_stack_init(unsigned long size);
63909 +void *acl_alloc(unsigned long len);
63910 +void *acl_alloc_num(unsigned long num, unsigned long len);
63911 +
63912 +#endif
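Review bot: The four prototypes in this new header state no contract, and the one that matters most to callers is `acl_alloc_num(unsigned long num, unsigned long len)`: nothing here says whether the `num * len` product is checked for overflow or what is returned on failure. The implementation is not part of this hunk, so this is a documentation request rather than a claimed defect. I would add a comment above the declaration such as `/* returns NULL when num * len overflows or the pool is exhausted; memory is released only by acl_free_all() */`, adjusted to whatever the implementation actually guarantees. The same goes for the return convention of `acl_alloc_stack_init()`.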
63913 diff -urNp linux-2.6.32.49/include/linux/grdefs.h linux-2.6.32.49/include/linux/grdefs.h
63914 --- linux-2.6.32.49/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
63915 +++ linux-2.6.32.49/include/linux/grdefs.h 2011-11-15 19:59:43.000000000 -0500
63916 @@ -0,0 +1,140 @@
63917 +#ifndef GRDEFS_H
63918 +#define GRDEFS_H
63919 +
63920 +/* Begin grsecurity status declarations */
63921 +
63922 +enum {
63923 + GR_READY = 0x01,
63924 + GR_STATUS_INIT = 0x00 // disabled state
63925 +};
63926 +
63927 +/* Begin ACL declarations */
63928 +
63929 +/* Role flags */
63930 +
63931 +enum {
63932 + GR_ROLE_USER = 0x0001,
63933 + GR_ROLE_GROUP = 0x0002,
63934 + GR_ROLE_DEFAULT = 0x0004,
63935 + GR_ROLE_SPECIAL = 0x0008,
63936 + GR_ROLE_AUTH = 0x0010,
63937 + GR_ROLE_NOPW = 0x0020,
63938 + GR_ROLE_GOD = 0x0040,
63939 + GR_ROLE_LEARN = 0x0080,
63940 + GR_ROLE_TPE = 0x0100,
63941 + GR_ROLE_DOMAIN = 0x0200,
63942 + GR_ROLE_PAM = 0x0400,
63943 + GR_ROLE_PERSIST = 0x800
63944 +};
63945 +
63946 +/* ACL Subject and Object mode flags */
63947 +enum {
63948 + GR_DELETED = 0x80000000
63949 +};
63950 +
63951 +/* ACL Object-only mode flags */
63952 +enum {
63953 + GR_READ = 0x00000001,
63954 + GR_APPEND = 0x00000002,
63955 + GR_WRITE = 0x00000004,
63956 + GR_EXEC = 0x00000008,
63957 + GR_FIND = 0x00000010,
63958 + GR_INHERIT = 0x00000020,
63959 + GR_SETID = 0x00000040,
63960 + GR_CREATE = 0x00000080,
63961 + GR_DELETE = 0x00000100,
63962 + GR_LINK = 0x00000200,
63963 + GR_AUDIT_READ = 0x00000400,
63964 + GR_AUDIT_APPEND = 0x00000800,
63965 + GR_AUDIT_WRITE = 0x00001000,
63966 + GR_AUDIT_EXEC = 0x00002000,
63967 + GR_AUDIT_FIND = 0x00004000,
63968 + GR_AUDIT_INHERIT= 0x00008000,
63969 + GR_AUDIT_SETID = 0x00010000,
63970 + GR_AUDIT_CREATE = 0x00020000,
63971 + GR_AUDIT_DELETE = 0x00040000,
63972 + GR_AUDIT_LINK = 0x00080000,
63973 + GR_PTRACERD = 0x00100000,
63974 + GR_NOPTRACE = 0x00200000,
63975 + GR_SUPPRESS = 0x00400000,
63976 + GR_NOLEARN = 0x00800000,
63977 + GR_INIT_TRANSFER= 0x01000000
63978 +};
63979 +
63980 +#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
63981 + GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
63982 + GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
63983 +
63984 +/* ACL subject-only mode flags */
63985 +enum {
63986 + GR_KILL = 0x00000001,
63987 + GR_VIEW = 0x00000002,
63988 + GR_PROTECTED = 0x00000004,
63989 + GR_LEARN = 0x00000008,
63990 + GR_OVERRIDE = 0x00000010,
63991 + /* just a placeholder, this mode is only used in userspace */
63992 + GR_DUMMY = 0x00000020,
63993 + GR_PROTSHM = 0x00000040,
63994 + GR_KILLPROC = 0x00000080,
63995 + GR_KILLIPPROC = 0x00000100,
63996 + /* just a placeholder, this mode is only used in userspace */
63997 + GR_NOTROJAN = 0x00000200,
63998 + GR_PROTPROCFD = 0x00000400,
63999 + GR_PROCACCT = 0x00000800,
64000 + GR_RELAXPTRACE = 0x00001000,
64001 + GR_NESTED = 0x00002000,
64002 + GR_INHERITLEARN = 0x00004000,
64003 + GR_PROCFIND = 0x00008000,
64004 + GR_POVERRIDE = 0x00010000,
64005 + GR_KERNELAUTH = 0x00020000,
64006 + GR_ATSECURE = 0x00040000,
64007 + GR_SHMEXEC = 0x00080000
64008 +};
64009 +
64010 +enum {
64011 + GR_PAX_ENABLE_SEGMEXEC = 0x0001,
64012 + GR_PAX_ENABLE_PAGEEXEC = 0x0002,
64013 + GR_PAX_ENABLE_MPROTECT = 0x0004,
64014 + GR_PAX_ENABLE_RANDMMAP = 0x0008,
64015 + GR_PAX_ENABLE_EMUTRAMP = 0x0010,
64016 + GR_PAX_DISABLE_SEGMEXEC = 0x0100,
64017 + GR_PAX_DISABLE_PAGEEXEC = 0x0200,
64018 + GR_PAX_DISABLE_MPROTECT = 0x0400,
64019 + GR_PAX_DISABLE_RANDMMAP = 0x0800,
64020 + GR_PAX_DISABLE_EMUTRAMP = 0x1000,
64021 +};
64022 +
64023 +enum {
64024 + GR_ID_USER = 0x01,
64025 + GR_ID_GROUP = 0x02,
64026 +};
64027 +
64028 +enum {
64029 + GR_ID_ALLOW = 0x01,
64030 + GR_ID_DENY = 0x02,
64031 +};
64032 +
64033 +#define GR_CRASH_RES 31
64034 +#define GR_UIDTABLE_MAX 500
64035 +
64036 +/* begin resource learning section */
64037 +enum {
64038 + GR_RLIM_CPU_BUMP = 60,
64039 + GR_RLIM_FSIZE_BUMP = 50000,
64040 + GR_RLIM_DATA_BUMP = 10000,
64041 + GR_RLIM_STACK_BUMP = 1000,
64042 + GR_RLIM_CORE_BUMP = 10000,
64043 + GR_RLIM_RSS_BUMP = 500000,
64044 + GR_RLIM_NPROC_BUMP = 1,
64045 + GR_RLIM_NOFILE_BUMP = 5,
64046 + GR_RLIM_MEMLOCK_BUMP = 50000,
64047 + GR_RLIM_AS_BUMP = 500000,
64048 + GR_RLIM_LOCKS_BUMP = 2,
64049 + GR_RLIM_SIGPENDING_BUMP = 5,
64050 + GR_RLIM_MSGQUEUE_BUMP = 10000,
64051 + GR_RLIM_NICE_BUMP = 1,
64052 + GR_RLIM_RTPRIO_BUMP = 1,
64053 + GR_RLIM_RTTIME_BUMP = 1000000
64054 +};
64055 +
64056 +#endif
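Review bot: `GR_DELETED = 0x80000000` is not representable as `int`, so this enumerator relies on the compiler's extension for out-of-range enum constants and ends up with a different type from every other flag in the file. The visible `mode` fields it is combined with are `__u32`, so an explicitly unsigned constant, `#define GR_DELETED 0x80000000U`, states the intent without depending on how the compiler widens the enum. Two style points in the same hunk: `GR_ROLE_PERSIST = 0x800` drops the four-digit padding used by the other role flags (`0x0800`), and the object-only and subject-only enums reuse the same bit values (`GR_READ` and `GR_KILL` are both `0x00000001`). A one-line comment on each enum naming the field it applies to would help prevent mixing them.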
64057 diff -urNp linux-2.6.32.49/include/linux/grinternal.h linux-2.6.32.49/include/linux/grinternal.h
64058 --- linux-2.6.32.49/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
64059 +++ linux-2.6.32.49/include/linux/grinternal.h 2011-11-15 19:59:43.000000000 -0500
64060 @@ -0,0 +1,218 @@
64061 +#ifndef __GRINTERNAL_H
64062 +#define __GRINTERNAL_H
64063 +
64064 +#ifdef CONFIG_GRKERNSEC
64065 +
64066 +#include <linux/fs.h>
64067 +#include <linux/mnt_namespace.h>
64068 +#include <linux/nsproxy.h>
64069 +#include <linux/gracl.h>
64070 +#include <linux/grdefs.h>
64071 +#include <linux/grmsg.h>
64072 +
64073 +void gr_add_learn_entry(const char *fmt, ...)
64074 + __attribute__ ((format (printf, 1, 2)));
64075 +__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
64076 + const struct vfsmount *mnt);
64077 +__u32 gr_check_create(const struct dentry *new_dentry,
64078 + const struct dentry *parent,
64079 + const struct vfsmount *mnt, const __u32 mode);
64080 +int gr_check_protected_task(const struct task_struct *task);
64081 +__u32 to_gr_audit(const __u32 reqmode);
64082 +int gr_set_acls(const int type);
64083 +int gr_apply_subject_to_task(struct task_struct *task);
64084 +int gr_acl_is_enabled(void);
64085 +char gr_roletype_to_char(void);
64086 +
64087 +void gr_handle_alertkill(struct task_struct *task);
64088 +char *gr_to_filename(const struct dentry *dentry,
64089 + const struct vfsmount *mnt);
64090 +char *gr_to_filename1(const struct dentry *dentry,
64091 + const struct vfsmount *mnt);
64092 +char *gr_to_filename2(const struct dentry *dentry,
64093 + const struct vfsmount *mnt);
64094 +char *gr_to_filename3(const struct dentry *dentry,
64095 + const struct vfsmount *mnt);
64096 +
64097 +extern int grsec_enable_harden_ptrace;
64098 +extern int grsec_enable_link;
64099 +extern int grsec_enable_fifo;
64100 +extern int grsec_enable_shm;
64101 +extern int grsec_enable_execlog;
64102 +extern int grsec_enable_signal;
64103 +extern int grsec_enable_audit_ptrace;
64104 +extern int grsec_enable_forkfail;
64105 +extern int grsec_enable_time;
64106 +extern int grsec_enable_rofs;
64107 +extern int grsec_enable_chroot_shmat;
64108 +extern int grsec_enable_chroot_mount;
64109 +extern int grsec_enable_chroot_double;
64110 +extern int grsec_enable_chroot_pivot;
64111 +extern int grsec_enable_chroot_chdir;
64112 +extern int grsec_enable_chroot_chmod;
64113 +extern int grsec_enable_chroot_mknod;
64114 +extern int grsec_enable_chroot_fchdir;
64115 +extern int grsec_enable_chroot_nice;
64116 +extern int grsec_enable_chroot_execlog;
64117 +extern int grsec_enable_chroot_caps;
64118 +extern int grsec_enable_chroot_sysctl;
64119 +extern int grsec_enable_chroot_unix;
64120 +extern int grsec_enable_tpe;
64121 +extern int grsec_tpe_gid;
64122 +extern int grsec_enable_tpe_all;
64123 +extern int grsec_enable_tpe_invert;
64124 +extern int grsec_enable_socket_all;
64125 +extern int grsec_socket_all_gid;
64126 +extern int grsec_enable_socket_client;
64127 +extern int grsec_socket_client_gid;
64128 +extern int grsec_enable_socket_server;
64129 +extern int grsec_socket_server_gid;
64130 +extern int grsec_audit_gid;
64131 +extern int grsec_enable_group;
64132 +extern int grsec_enable_audit_textrel;
64133 +extern int grsec_enable_log_rwxmaps;
64134 +extern int grsec_enable_mount;
64135 +extern int grsec_enable_chdir;
64136 +extern int grsec_resource_logging;
64137 +extern int grsec_enable_blackhole;
64138 +extern int grsec_lastack_retries;
64139 +extern int grsec_enable_brute;
64140 +extern int grsec_lock;
64141 +
64142 +extern spinlock_t grsec_alert_lock;
64143 +extern unsigned long grsec_alert_wtime;
64144 +extern unsigned long grsec_alert_fyet;
64145 +
64146 +extern spinlock_t grsec_audit_lock;
64147 +
64148 +extern rwlock_t grsec_exec_file_lock;
64149 +
64150 +#define gr_task_fullpath(tsk) ((tsk)->exec_file ? \
64151 + gr_to_filename2((tsk)->exec_file->f_path.dentry, \
64152 + (tsk)->exec_file->f_vfsmnt) : "/")
64153 +
64154 +#define gr_parent_task_fullpath(tsk) ((tsk)->real_parent->exec_file ? \
64155 + gr_to_filename3((tsk)->real_parent->exec_file->f_path.dentry, \
64156 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
64157 +
64158 +#define gr_task_fullpath0(tsk) ((tsk)->exec_file ? \
64159 + gr_to_filename((tsk)->exec_file->f_path.dentry, \
64160 + (tsk)->exec_file->f_vfsmnt) : "/")
64161 +
64162 +#define gr_parent_task_fullpath0(tsk) ((tsk)->real_parent->exec_file ? \
64163 + gr_to_filename1((tsk)->real_parent->exec_file->f_path.dentry, \
64164 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
64165 +
64166 +#define proc_is_chrooted(tsk_a) ((tsk_a)->gr_is_chrooted)
64167 +
64168 +#define have_same_root(tsk_a,tsk_b) ((tsk_a)->gr_chroot_dentry == (tsk_b)->gr_chroot_dentry)
64169 +
64170 +#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), (task)->comm, \
64171 + (task)->pid, (cred)->uid, \
64172 + (cred)->euid, (cred)->gid, (cred)->egid, \
64173 + gr_parent_task_fullpath(task), \
64174 + (task)->real_parent->comm, (task)->real_parent->pid, \
64175 + (pcred)->uid, (pcred)->euid, \
64176 + (pcred)->gid, (pcred)->egid
64177 +
64178 +#define GR_CHROOT_CAPS {{ \
64179 + CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
64180 + CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
64181 + CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
64182 + CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
64183 + CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
64184 + CAP_TO_MASK(CAP_IPC_OWNER) | CAP_TO_MASK(CAP_SETFCAP), \
64185 + CAP_TO_MASK(CAP_MAC_ADMIN) }}
64186 +
64187 +#define security_learn(normal_msg,args...) \
64188 +({ \
64189 + read_lock(&grsec_exec_file_lock); \
64190 + gr_add_learn_entry(normal_msg "\n", ## args); \
64191 + read_unlock(&grsec_exec_file_lock); \
64192 +})
64193 +
64194 +enum {
64195 + GR_DO_AUDIT,
64196 + GR_DONT_AUDIT,
64197 + GR_DONT_AUDIT_GOOD
64198 +};
64199 +
64200 +enum {
64201 + GR_TTYSNIFF,
64202 + GR_RBAC,
64203 + GR_RBAC_STR,
64204 + GR_STR_RBAC,
64205 + GR_RBAC_MODE2,
64206 + GR_RBAC_MODE3,
64207 + GR_FILENAME,
64208 + GR_SYSCTL_HIDDEN,
64209 + GR_NOARGS,
64210 + GR_ONE_INT,
64211 + GR_ONE_INT_TWO_STR,
64212 + GR_ONE_STR,
64213 + GR_STR_INT,
64214 + GR_TWO_STR_INT,
64215 + GR_TWO_INT,
64216 + GR_TWO_U64,
64217 + GR_THREE_INT,
64218 + GR_FIVE_INT_TWO_STR,
64219 + GR_TWO_STR,
64220 + GR_THREE_STR,
64221 + GR_FOUR_STR,
64222 + GR_STR_FILENAME,
64223 + GR_FILENAME_STR,
64224 + GR_FILENAME_TWO_INT,
64225 + GR_FILENAME_TWO_INT_STR,
64226 + GR_TEXTREL,
64227 + GR_PTRACE,
64228 + GR_RESOURCE,
64229 + GR_CAP,
64230 + GR_SIG,
64231 + GR_SIG2,
64232 + GR_CRASH1,
64233 + GR_CRASH2,
64234 + GR_PSACCT,
64235 + GR_RWXMAP
64236 +};
64237 +
64238 +#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
64239 +#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
64240 +#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
64241 +#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
64242 +#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
64243 +#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
64244 +#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
64245 +#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
64246 +#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
64247 +#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
64248 +#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
64249 +#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
64250 +#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
64251 +#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
64252 +#define gr_log_two_u64(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_U64, num1, num2)
64253 +#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
64254 +#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
64255 +#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
64256 +#define gr_log_str2_int(audit, msg, str1, str2, num) gr_log_varargs(audit, msg, GR_TWO_STR_INT, str1, str2, num)
64257 +#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
64258 +#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
64259 +#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
64260 +#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
64261 +#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
64262 +#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
64263 +#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
64264 +#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
64265 +#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
64266 +#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
64267 +#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
64268 +#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
64269 +#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
64270 +#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
64271 +#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
64272 +#define gr_log_rwxmap(audit, msg, str) gr_log_varargs(audit, msg, GR_RWXMAP, str)
64273 +
64274 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
64275 +
64276 +#endif
64277 +
64278 +#endif
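Review bot: `gr_log_varargs(int audit, const char *msg, int argtypes, ...)` is declared without any format checking, unlike `gr_add_learn_entry` at the top of this header, which carries `__attribute__ ((format (printf, 1, 2)))`. The compiler therefore cannot check that the `GR_*_MSG` string passed as `msg` matches the arguments a given `gr_log_*` wrapper forwards. The argtypes enum is the only thing tying them together, and it is undocumented. One visible example is `gr_log_int5_str2`, which forwards two numbers and two strings under `GR_FIVE_INT_TWO_STR`; the other three integers are presumably supplied inside `gr_log_varargs`, which is outside this hunk. I would add a comment on each enumerator listing the exact varargs it consumes and the conversions the message must contain, e.g. `GR_STR_INT, /* const char *, int -> "%s ... %d" */`, so a mismatched message/macro pair can be caught in review.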
64279 diff -urNp linux-2.6.32.49/include/linux/grmsg.h linux-2.6.32.49/include/linux/grmsg.h
64280 --- linux-2.6.32.49/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
64281 +++ linux-2.6.32.49/include/linux/grmsg.h 2011-11-15 19:59:43.000000000 -0500
64282 @@ -0,0 +1,108 @@
64283 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
64284 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
64285 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
64286 +#define GR_STOPMOD_MSG "denied modification of module state by "
64287 +#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
64288 +#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
64289 +#define GR_IOPERM_MSG "denied use of ioperm() by "
64290 +#define GR_IOPL_MSG "denied use of iopl() by "
64291 +#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
64292 +#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
64293 +#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
64294 +#define GR_MEM_READWRITE_MSG "denied access of range %Lx -> %Lx in /dev/mem by "
64295 +#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
64296 +#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
64297 +#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
64298 +#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
64299 +#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
64300 +#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
64301 +#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
64302 +#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
64303 +#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
64304 +#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
64305 +#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
64306 +#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
64307 +#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
64308 +#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
64309 +#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
64310 +#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
64311 +#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
64312 +#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
64313 +#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
64314 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
64315 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
64316 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
64317 +#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
64318 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
64319 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
64320 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
64321 +#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
64322 +#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
64323 +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
64324 +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
64325 +#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
64326 +#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
64327 +#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
64328 +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
64329 +#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
64330 +#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
64331 +#define GR_SETXATTR_ACL_MSG "%s setting extended attributes of %.950s by "
64332 +#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
64333 +#define GR_INITF_ACL_MSG "init_variables() failed %s by "
64334 +#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
64335 +#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
64336 +#define GR_SHUTS_ACL_MSG "shutdown auth success for "
64337 +#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
64338 +#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
64339 +#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
64340 +#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
64341 +#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
64342 +#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
64343 +#define GR_ENABLEF_ACL_MSG "unable to load %s for "
64344 +#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
64345 +#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
64346 +#define GR_RELOADF_ACL_MSG "failed reload of %s for "
64347 +#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
64348 +#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
64349 +#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
64350 +#define GR_SPROLEF_ACL_MSG "special role %s failure for "
64351 +#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
64352 +#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
64353 +#define GR_INVMODE_ACL_MSG "invalid mode %d by "
64354 +#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
64355 +#define GR_FAILFORK_MSG "failed fork with errno %s by "
64356 +#define GR_NICE_CHROOT_MSG "denied priority change by "
64357 +#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
64358 +#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
64359 +#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
64360 +#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
64361 +#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
64362 +#define GR_TIME_MSG "time set by "
64363 +#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
64364 +#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
64365 +#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
64366 +#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
64367 +#define GR_SOCK_NOINET_MSG "denied socket(%.16s,%.16s,%d) by "
64368 +#define GR_BIND_MSG "denied bind() by "
64369 +#define GR_CONNECT_MSG "denied connect() by "
64370 +#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
64371 +#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
64372 +#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
64373 +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
64374 +#define GR_CAP_ACL_MSG "use of %s denied for "
64375 +#define GR_CAP_CHROOT_MSG "use of %s in chroot denied for "
64376 +#define GR_CAP_ACL_MSG2 "use of %s permitted for "
64377 +#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
64378 +#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
64379 +#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
64380 +#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
64381 +#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
64382 +#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
64383 +#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
64384 +#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
64385 +#define GR_RWXMMAP_MSG "denied RWX mmap of %.950s by "
64386 +#define GR_RWXMPROTECT_MSG "denied RWX mprotect of %.950s by "
64387 +#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
64388 +#define GR_VM86_MSG "denied use of vm86 by "
64389 +#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
64390 +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
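Review bot: `GR_TEXTREL_AUDIT_MSG` formats its string with an unbounded `%s`, while nearly every other message that logs a path caps it with a precision such as `%.950s`. If that argument is a file path, as the name suggests (the caller is not in this hunk), the line length is limited only by whatever bound the logging buffer enforces. I would write it as `"text relocation in %.950s, VMA:0x%08lx 0x%08lx by "` to match the rest of the file. This header also has no include guard, unlike `grdefs.h` and `grinternal.h` in the same patch. `GR_DEV_ACL_MSG` reads "being fed garbaged by", which looks like a typo for "garbage".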
64391 diff -urNp linux-2.6.32.49/include/linux/grsecurity.h linux-2.6.32.49/include/linux/grsecurity.h
64392 --- linux-2.6.32.49/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
64393 +++ linux-2.6.32.49/include/linux/grsecurity.h 2011-11-18 19:31:08.000000000 -0500
64394 @@ -0,0 +1,218 @@
64395 +#ifndef GR_SECURITY_H
64396 +#define GR_SECURITY_H
64397 +#include <linux/fs.h>
64398 +#include <linux/fs_struct.h>
64399 +#include <linux/binfmts.h>
64400 +#include <linux/gracl.h>
64401 +#include <linux/compat.h>
64402 +
64403 +/* notify of brain-dead configs */
64404 +#if defined(CONFIG_GRKERNSEC_PROC_USER) && defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
64405 +#error "CONFIG_GRKERNSEC_PROC_USER and CONFIG_GRKERNSEC_PROC_USERGROUP cannot both be enabled."
64406 +#endif
64407 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
64408 +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
64409 +#endif
64410 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
64411 +#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
64412 +#endif
64413 +#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
64414 +#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
64415 +#endif
64416 +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
64417 +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
64418 +#endif
64419 +#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
64420 +#error "CONFIG_PAX enabled, but no PaX options are enabled."
64421 +#endif
64422 +
64423 +void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags);
64424 +void gr_handle_brute_check(void);
64425 +void gr_handle_kernel_exploit(void);
64426 +int gr_process_user_ban(void);
64427 +
64428 +char gr_roletype_to_char(void);
64429 +
64430 +int gr_acl_enable_at_secure(void);
64431 +
64432 +int gr_check_user_change(int real, int effective, int fs);
64433 +int gr_check_group_change(int real, int effective, int fs);
64434 +
64435 +void gr_del_task_from_ip_table(struct task_struct *p);
64436 +
64437 +int gr_pid_is_chrooted(struct task_struct *p);
64438 +int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type);
64439 +int gr_handle_chroot_nice(void);
64440 +int gr_handle_chroot_sysctl(const int op);
64441 +int gr_handle_chroot_setpriority(struct task_struct *p,
64442 + const int niceval);
64443 +int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
64444 +int gr_handle_chroot_chroot(const struct dentry *dentry,
64445 + const struct vfsmount *mnt);
64446 +void gr_handle_chroot_chdir(struct path *path);
64447 +int gr_handle_chroot_chmod(const struct dentry *dentry,
64448 + const struct vfsmount *mnt, const int mode);
64449 +int gr_handle_chroot_mknod(const struct dentry *dentry,
64450 + const struct vfsmount *mnt, const int mode);
64451 +int gr_handle_chroot_mount(const struct dentry *dentry,
64452 + const struct vfsmount *mnt,
64453 + const char *dev_name);
64454 +int gr_handle_chroot_pivot(void);
64455 +int gr_handle_chroot_unix(const pid_t pid);
64456 +
64457 +int gr_handle_rawio(const struct inode *inode);
64458 +
64459 +void gr_handle_ioperm(void);
64460 +void gr_handle_iopl(void);
64461 +
64462 +int gr_tpe_allow(const struct file *file);
64463 +
64464 +void gr_set_chroot_entries(struct task_struct *task, struct path *path);
64465 +void gr_clear_chroot_entries(struct task_struct *task);
64466 +
64467 +void gr_log_forkfail(const int retval);
64468 +void gr_log_timechange(void);
64469 +void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
64470 +void gr_log_chdir(const struct dentry *dentry,
64471 + const struct vfsmount *mnt);
64472 +void gr_log_chroot_exec(const struct dentry *dentry,
64473 + const struct vfsmount *mnt);
64474 +void gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv);
64475 +#ifdef CONFIG_COMPAT
64476 +void gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv);
64477 +#endif
64478 +void gr_log_remount(const char *devname, const int retval);
64479 +void gr_log_unmount(const char *devname, const int retval);
64480 +void gr_log_mount(const char *from, const char *to, const int retval);
64481 +void gr_log_textrel(struct vm_area_struct *vma);
64482 +void gr_log_rwxmmap(struct file *file);
64483 +void gr_log_rwxmprotect(struct file *file);
64484 +
64485 +int gr_handle_follow_link(const struct inode *parent,
64486 + const struct inode *inode,
64487 + const struct dentry *dentry,
64488 + const struct vfsmount *mnt);
64489 +int gr_handle_fifo(const struct dentry *dentry,
64490 + const struct vfsmount *mnt,
64491 + const struct dentry *dir, const int flag,
64492 + const int acc_mode);
64493 +int gr_handle_hardlink(const struct dentry *dentry,
64494 + const struct vfsmount *mnt,
64495 + struct inode *inode,
64496 + const int mode, const char *to);
64497 +
64498 +int gr_is_capable(const int cap);
64499 +int gr_is_capable_nolog(const int cap);
64500 +void gr_learn_resource(const struct task_struct *task, const int limit,
64501 + const unsigned long wanted, const int gt);
64502 +void gr_copy_label(struct task_struct *tsk);
64503 +void gr_handle_crash(struct task_struct *task, const int sig);
64504 +int gr_handle_signal(const struct task_struct *p, const int sig);
64505 +int gr_check_crash_uid(const uid_t uid);
64506 +int gr_check_protected_task(const struct task_struct *task);
64507 +int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type);
64508 +int gr_acl_handle_mmap(const struct file *file,
64509 + const unsigned long prot);
64510 +int gr_acl_handle_mprotect(const struct file *file,
64511 + const unsigned long prot);
64512 +int gr_check_hidden_task(const struct task_struct *tsk);
64513 +__u32 gr_acl_handle_truncate(const struct dentry *dentry,
64514 + const struct vfsmount *mnt);
64515 +__u32 gr_acl_handle_utime(const struct dentry *dentry,
64516 + const struct vfsmount *mnt);
64517 +__u32 gr_acl_handle_access(const struct dentry *dentry,
64518 + const struct vfsmount *mnt, const int fmode);
64519 +__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
64520 + const struct vfsmount *mnt, mode_t mode);
64521 +__u32 gr_acl_handle_chmod(const struct dentry *dentry,
64522 + const struct vfsmount *mnt, mode_t mode);
64523 +__u32 gr_acl_handle_chown(const struct dentry *dentry,
64524 + const struct vfsmount *mnt);
64525 +__u32 gr_acl_handle_setxattr(const struct dentry *dentry,
64526 + const struct vfsmount *mnt);
64527 +int gr_handle_ptrace(struct task_struct *task, const long request);
64528 +int gr_handle_proc_ptrace(struct task_struct *task);
64529 +__u32 gr_acl_handle_execve(const struct dentry *dentry,
64530 + const struct vfsmount *mnt);
64531 +int gr_check_crash_exec(const struct file *filp);
64532 +int gr_acl_is_enabled(void);
64533 +void gr_set_kernel_label(struct task_struct *task);
64534 +void gr_set_role_label(struct task_struct *task, const uid_t uid,
64535 + const gid_t gid);
64536 +int gr_set_proc_label(const struct dentry *dentry,
64537 + const struct vfsmount *mnt,
64538 + const int unsafe_share);
64539 +__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
64540 + const struct vfsmount *mnt);
64541 +__u32 gr_acl_handle_open(const struct dentry *dentry,
64542 + const struct vfsmount *mnt, int acc_mode);
64543 +__u32 gr_acl_handle_creat(const struct dentry *dentry,
64544 + const struct dentry *p_dentry,
64545 + const struct vfsmount *p_mnt,
64546 + int open_flags, int acc_mode, const int imode);
64547 +void gr_handle_create(const struct dentry *dentry,
64548 + const struct vfsmount *mnt);
64549 +void gr_handle_proc_create(const struct dentry *dentry,
64550 + const struct inode *inode);
64551 +__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
64552 + const struct dentry *parent_dentry,
64553 + const struct vfsmount *parent_mnt,
64554 + const int mode);
64555 +__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
64556 + const struct dentry *parent_dentry,
64557 + const struct vfsmount *parent_mnt);
64558 +__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
64559 + const struct vfsmount *mnt);
64560 +void gr_handle_delete(const ino_t ino, const dev_t dev);
64561 +__u32 gr_acl_handle_unlink(const struct dentry *dentry,
64562 + const struct vfsmount *mnt);
64563 +__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
64564 + const struct dentry *parent_dentry,
64565 + const struct vfsmount *parent_mnt,
64566 + const char *from);
64567 +__u32 gr_acl_handle_link(const struct dentry *new_dentry,
64568 + const struct dentry *parent_dentry,
64569 + const struct vfsmount *parent_mnt,
64570 + const struct dentry *old_dentry,
64571 + const struct vfsmount *old_mnt, const char *to);
64572 +int gr_acl_handle_rename(struct dentry *new_dentry,
64573 + struct dentry *parent_dentry,
64574 + const struct vfsmount *parent_mnt,
64575 + struct dentry *old_dentry,
64576 + struct inode *old_parent_inode,
64577 + struct vfsmount *old_mnt, const char *newname);
64578 +void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
64579 + struct dentry *old_dentry,
64580 + struct dentry *new_dentry,
64581 + struct vfsmount *mnt, const __u8 replace);
64582 +__u32 gr_check_link(const struct dentry *new_dentry,
64583 + const struct dentry *parent_dentry,
64584 + const struct vfsmount *parent_mnt,
64585 + const struct dentry *old_dentry,
64586 + const struct vfsmount *old_mnt);
64587 +int gr_acl_handle_filldir(const struct file *file, const char *name,
64588 + const unsigned int namelen, const ino_t ino);
64589 +
64590 +__u32 gr_acl_handle_unix(const struct dentry *dentry,
64591 + const struct vfsmount *mnt);
64592 +void gr_acl_handle_exit(void);
64593 +void gr_acl_handle_psacct(struct task_struct *task, const long code);
64594 +int gr_acl_handle_procpidmem(const struct task_struct *task);
64595 +int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
64596 +int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
64597 +void gr_audit_ptrace(struct task_struct *task);
64598 +dev_t gr_get_dev_from_dentry(struct dentry *dentry);
64599 +
64600 +#ifdef CONFIG_GRKERNSEC
64601 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p);
64602 +void gr_handle_vm86(void);
64603 +void gr_handle_mem_readwrite(u64 from, u64 to);
64604 +
64605 +extern int grsec_enable_dmesg;
64606 +extern int grsec_disable_privio;
64607 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
64608 +extern int grsec_enable_chroot_findtask;
64609 +#endif
64610 +#endif
64611 +
64612 +#endif
64613 diff -urNp linux-2.6.32.49/include/linux/hdpu_features.h linux-2.6.32.49/include/linux/hdpu_features.h
64614 --- linux-2.6.32.49/include/linux/hdpu_features.h 2011-11-08 19:02:43.000000000 -0500
64615 +++ linux-2.6.32.49/include/linux/hdpu_features.h 2011-11-15 19:59:43.000000000 -0500
64616 @@ -3,7 +3,7 @@
64617 struct cpustate_t {
64618 spinlock_t lock;
64619 int excl;
64620 - int open_count;
64621 + atomic_t open_count;
64622 unsigned char cached_val;
64623 int inited;
64624 unsigned long *set_addr;
64625 diff -urNp linux-2.6.32.49/include/linux/highmem.h linux-2.6.32.49/include/linux/highmem.h
64626 --- linux-2.6.32.49/include/linux/highmem.h 2011-11-08 19:02:43.000000000 -0500
64627 +++ linux-2.6.32.49/include/linux/highmem.h 2011-11-15 19:59:43.000000000 -0500
64628 @@ -137,6 +137,18 @@ static inline void clear_highpage(struct
64629 kunmap_atomic(kaddr, KM_USER0);
64630 }
64631
64632 +static inline void sanitize_highpage(struct page *page)
64633 +{
64634 + void *kaddr;
64635 + unsigned long flags;
64636 +
64637 + local_irq_save(flags);
64638 + kaddr = kmap_atomic(page, KM_CLEARPAGE);
64639 + clear_page(kaddr);
64640 + kunmap_atomic(kaddr, KM_CLEARPAGE);
64641 + local_irq_restore(flags);
64642 +}
64643 +
64644 static inline void zero_user_segments(struct page *page,
64645 unsigned start1, unsigned end1,
64646 unsigned start2, unsigned end2)
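Review bot: `sanitize_highpage()` has no comment saying why it disables interrupts around the mapping, while `clear_highpage()` just above it does the same clear through `KM_USER0` without doing so. Presumably the `KM_CLEARPAGE` slot can be reached from a path that runs in interrupt context, so the save/restore keeps the per-CPU slot from being re-entered; that should be confirmed and written down. I would add above the function `/* Zero a page through the dedicated KM_CLEARPAGE slot; IRQs stay off so the slot cannot be re-entered on this CPU. */`.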
64647 diff -urNp linux-2.6.32.49/include/linux/i2c.h linux-2.6.32.49/include/linux/i2c.h
64648 --- linux-2.6.32.49/include/linux/i2c.h 2011-11-08 19:02:43.000000000 -0500
64649 +++ linux-2.6.32.49/include/linux/i2c.h 2011-11-15 19:59:43.000000000 -0500
64650 @@ -325,6 +325,7 @@ struct i2c_algorithm {
64651 /* To determine what the adapter supports */
64652 u32 (*functionality) (struct i2c_adapter *);
64653 };
64654 +typedef struct i2c_algorithm __no_const i2c_algorithm_no_const;
64655
64656 /*
64657 * i2c_adapter is the structure used to identify a physical i2c bus along
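Review bot: The `i2c_algorithm_no_const` typedef carries no comment saying which code needs a writable `struct i2c_algorithm`. The same holds for the `__no_const` markers this patch puts on `struct iommu_flush` (intel-iommu.h), `struct mca_bus_accessor_functions` (mca.h) and `struct memory_accessor` (memory.h). As the attribute name suggests, each of these exempts a table of function pointers from being made read-only, so anyone auditing writable function-pointer tables has to search for the writers. A one-line comment at each site would do, for example `/* __no_const: instances are filled in at runtime by <writer> */` with the actual writer named.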
64658 diff -urNp linux-2.6.32.49/include/linux/i2o.h linux-2.6.32.49/include/linux/i2o.h
64659 --- linux-2.6.32.49/include/linux/i2o.h 2011-11-08 19:02:43.000000000 -0500
64660 +++ linux-2.6.32.49/include/linux/i2o.h 2011-11-15 19:59:43.000000000 -0500
64661 @@ -564,7 +564,7 @@ struct i2o_controller {
64662 struct i2o_device *exec; /* Executive */
64663 #if BITS_PER_LONG == 64
64664 spinlock_t context_list_lock; /* lock for context_list */
64665 - atomic_t context_list_counter; /* needed for unique contexts */
64666 + atomic_unchecked_t context_list_counter; /* needed for unique contexts */
64667 struct list_head context_list; /* list of context id's
64668 and pointers */
64669 #endif
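Review bot: Converting `context_list_counter` to `atomic_unchecked_t` leaves the comment `needed for unique contexts` unchanged, so it now reads as if uniqueness depended on a counter that is explicitly allowed to wrap. If the unchecked type opts the counter out of overflow detection, as its name suggests, the comment should say that wrap-around is expected, e.g. `/* source of context ids; may wrap, hence unchecked */`. The same applies to the other `_unchecked` conversions in this patch: `kgdb_setting_breakpoint` and `kgdb_cpu_doing_single_step` in kgdb.h, `mce_bad_pages` in mm.h, and `vm_stat[]` in mmzone.h. Each should state why the value is an id or statistic and not a reference count.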
64670 diff -urNp linux-2.6.32.49/include/linux/init_task.h linux-2.6.32.49/include/linux/init_task.h
64671 --- linux-2.6.32.49/include/linux/init_task.h 2011-11-08 19:02:43.000000000 -0500
64672 +++ linux-2.6.32.49/include/linux/init_task.h 2011-11-15 19:59:43.000000000 -0500
64673 @@ -83,6 +83,12 @@ extern struct group_info init_groups;
64674 #define INIT_IDS
64675 #endif
64676
64677 +#ifdef CONFIG_X86
64678 +#define INIT_TASK_THREAD_INFO .tinfo = INIT_THREAD_INFO,
64679 +#else
64680 +#define INIT_TASK_THREAD_INFO
64681 +#endif
64682 +
64683 #ifdef CONFIG_SECURITY_FILE_CAPABILITIES
64684 /*
64685 * Because of the reduced scope of CAP_SETPCAP when filesystem
64686 @@ -156,6 +162,7 @@ extern struct cred init_cred;
64687 __MUTEX_INITIALIZER(tsk.cred_guard_mutex), \
64688 .comm = "swapper", \
64689 .thread = INIT_THREAD, \
64690 + INIT_TASK_THREAD_INFO \
64691 .fs = &init_fs, \
64692 .files = &init_files, \
64693 .signal = &init_signals, \
64694 diff -urNp linux-2.6.32.49/include/linux/intel-iommu.h linux-2.6.32.49/include/linux/intel-iommu.h
64695 --- linux-2.6.32.49/include/linux/intel-iommu.h 2011-11-08 19:02:43.000000000 -0500
64696 +++ linux-2.6.32.49/include/linux/intel-iommu.h 2011-11-15 19:59:43.000000000 -0500
64697 @@ -296,7 +296,7 @@ struct iommu_flush {
64698 u8 fm, u64 type);
64699 void (*flush_iotlb)(struct intel_iommu *iommu, u16 did, u64 addr,
64700 unsigned int size_order, u64 type);
64701 -};
64702 +} __no_const;
64703
64704 enum {
64705 SR_DMAR_FECTL_REG,
64706 diff -urNp linux-2.6.32.49/include/linux/interrupt.h linux-2.6.32.49/include/linux/interrupt.h
64707 --- linux-2.6.32.49/include/linux/interrupt.h 2011-11-26 19:44:53.000000000 -0500
64708 +++ linux-2.6.32.49/include/linux/interrupt.h 2011-11-26 19:45:13.000000000 -0500
64709 @@ -369,7 +369,7 @@ enum
64710 /* map softirq index to softirq name. update 'softirq_to_name' in
64711 * kernel/softirq.c when adding a new softirq.
64712 */
64713 -extern char *softirq_to_name[NR_SOFTIRQS];
64714 +extern const char * const softirq_to_name[NR_SOFTIRQS];
64715
64716 /* softirq mask and active fields moved to irq_cpustat_t in
64717 * asm/hardirq.h to get better cache usage. KAO
64718 @@ -377,12 +377,12 @@ extern char *softirq_to_name[NR_SOFTIRQS
64719
64720 struct softirq_action
64721 {
64722 - void (*action)(struct softirq_action *);
64723 + void (*action)(void);
64724 };
64725
64726 asmlinkage void do_softirq(void);
64727 asmlinkage void __do_softirq(void);
64728 -extern void open_softirq(int nr, void (*action)(struct softirq_action *));
64729 +extern void open_softirq(int nr, void (*action)(void));
64730 extern void softirq_init(void);
64731 #define __raise_softirq_irqoff(nr) do { or_softirq_pending(1UL << (nr)); } while (0)
64732 extern void raise_softirq_irqoff(unsigned int nr);
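Review bot: Changing `action` and `open_softirq()` to `void (*)(void)` changes the contract for every softirq handler, and nothing in the header records it. A handler still written as `void h(struct softirq_action *)` would be passed with an incompatible pointer type, which a C compiler may report only as a warning, and would then be called through a mismatched prototype. The hunk cannot show whether all handlers were converted, so that should be checked, ideally by building with the incompatible-pointer warning treated as an error. I would also add `/* handlers take no argument */` above the `action` member.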
64733 diff -urNp linux-2.6.32.49/include/linux/irq.h linux-2.6.32.49/include/linux/irq.h
64734 --- linux-2.6.32.49/include/linux/irq.h 2011-11-08 19:02:43.000000000 -0500
64735 +++ linux-2.6.32.49/include/linux/irq.h 2011-11-15 19:59:43.000000000 -0500
64736 @@ -438,12 +438,12 @@ extern int set_irq_msi(unsigned int irq,
64737 static inline bool alloc_desc_masks(struct irq_desc *desc, int node,
64738 bool boot)
64739 {
64740 +#ifdef CONFIG_CPUMASK_OFFSTACK
64741 gfp_t gfp = GFP_ATOMIC;
64742
64743 if (boot)
64744 gfp = GFP_NOWAIT;
64745
64746 -#ifdef CONFIG_CPUMASK_OFFSTACK
64747 if (!alloc_cpumask_var_node(&desc->affinity, gfp, node))
64748 return false;
64749
64750 diff -urNp linux-2.6.32.49/include/linux/kallsyms.h linux-2.6.32.49/include/linux/kallsyms.h
64751 --- linux-2.6.32.49/include/linux/kallsyms.h 2011-11-08 19:02:43.000000000 -0500
64752 +++ linux-2.6.32.49/include/linux/kallsyms.h 2011-11-15 19:59:43.000000000 -0500
64753 @@ -15,7 +15,8 @@
64754
64755 struct module;
64756
64757 -#ifdef CONFIG_KALLSYMS
64758 +#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)
64759 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
64760 /* Lookup the address for a symbol. Returns 0 if not found. */
64761 unsigned long kallsyms_lookup_name(const char *name);
64762
64763 @@ -92,6 +93,15 @@ static inline int lookup_symbol_attrs(un
64764 /* Stupid that this does nothing, but I didn't create this mess. */
64765 #define __print_symbol(fmt, addr)
64766 #endif /*CONFIG_KALLSYMS*/
64767 +#else /* when included by kallsyms.c, vsnprintf.c, or
64768 + arch/x86/kernel/dumpstack.c, with HIDESYM enabled */
64769 +extern void __print_symbol(const char *fmt, unsigned long address);
64770 +extern int sprint_symbol(char *buffer, unsigned long address);
64771 +const char *kallsyms_lookup(unsigned long addr,
64772 + unsigned long *symbolsize,
64773 + unsigned long *offset,
64774 + char **modname, char *namebuf);
64775 +#endif
64776
64777 /* This macro allows us to keep printk typechecking */
64778 static void __check_printsym_format(const char *fmt, ...)
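Review bot: The retained `#endif /*CONFIG_KALLSYMS*/` now closes the inner `#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)` added in the previous hunk, so its comment names the wrong condition, and the new final `#endif` has no comment at all. I would relabel them as `#endif /* CONFIG_KALLSYMS && !CONFIG_GRKERNSEC_HIDESYM */` and `#endif /* !__INCLUDED_BY_HIDESYM || !CONFIG_KALLSYMS */`. In the new `#else` branch `kallsyms_lookup` is declared without `extern` while the two declarations before it use it; one form should be chosen. A short comment at the outer `#if` stating that defining `__INCLUDED_BY_HIDESYM` is what selects the real declarations would make new users of that macro easy to spot in review.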
64779 diff -urNp linux-2.6.32.49/include/linux/kgdb.h linux-2.6.32.49/include/linux/kgdb.h
64780 --- linux-2.6.32.49/include/linux/kgdb.h 2011-11-08 19:02:43.000000000 -0500
64781 +++ linux-2.6.32.49/include/linux/kgdb.h 2011-11-15 19:59:43.000000000 -0500
64782 @@ -74,8 +74,8 @@ void kgdb_breakpoint(void);
64783
64784 extern int kgdb_connected;
64785
64786 -extern atomic_t kgdb_setting_breakpoint;
64787 -extern atomic_t kgdb_cpu_doing_single_step;
64788 +extern atomic_unchecked_t kgdb_setting_breakpoint;
64789 +extern atomic_unchecked_t kgdb_cpu_doing_single_step;
64790
64791 extern struct task_struct *kgdb_usethread;
64792 extern struct task_struct *kgdb_contthread;
64793 @@ -235,7 +235,7 @@ struct kgdb_arch {
64794 int (*remove_hw_breakpoint)(unsigned long, int, enum kgdb_bptype);
64795 void (*remove_all_hw_break)(void);
64796 void (*correct_hw_break)(void);
64797 -};
64798 +} __do_const;
64799
64800 /**
64801 * struct kgdb_io - Describe the interface for an I/O driver to talk with KGDB.
64802 @@ -257,14 +257,14 @@ struct kgdb_io {
64803 int (*init) (void);
64804 void (*pre_exception) (void);
64805 void (*post_exception) (void);
64806 -};
64807 +} __do_const;
64808
64809 -extern struct kgdb_arch arch_kgdb_ops;
64810 +extern const struct kgdb_arch arch_kgdb_ops;
64811
64812 extern unsigned long __weak kgdb_arch_pc(int exception, struct pt_regs *regs);
64813
64814 -extern int kgdb_register_io_module(struct kgdb_io *local_kgdb_io_ops);
64815 -extern void kgdb_unregister_io_module(struct kgdb_io *local_kgdb_io_ops);
64816 +extern int kgdb_register_io_module(const struct kgdb_io *local_kgdb_io_ops);
64817 +extern void kgdb_unregister_io_module(const struct kgdb_io *local_kgdb_io_ops);
64818
64819 extern int kgdb_hex2long(char **ptr, unsigned long *long_val);
64820 extern int kgdb_mem2hex(char *mem, char *buf, int count);
64821 diff -urNp linux-2.6.32.49/include/linux/kmod.h linux-2.6.32.49/include/linux/kmod.h
64822 --- linux-2.6.32.49/include/linux/kmod.h 2011-11-08 19:02:43.000000000 -0500
64823 +++ linux-2.6.32.49/include/linux/kmod.h 2011-11-15 19:59:43.000000000 -0500
64824 @@ -31,6 +31,8 @@
64825 * usually useless though. */
64826 extern int __request_module(bool wait, const char *name, ...) \
64827 __attribute__((format(printf, 2, 3)));
64828 +extern int ___request_module(bool wait, char *param_name, const char *name, ...) \
64829 + __attribute__((format(printf, 3, 4)));
64830 #define request_module(mod...) __request_module(true, mod)
64831 #define request_module_nowait(mod...) __request_module(false, mod)
64832 #define try_then_request_module(x, mod...) \
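Review bot: `___request_module()` takes `char *param_name` while the neighbouring `name` is `const char *`. Unless the implementation, which is not visible in this hunk, writes through it, it should be `const char *param_name` so read-only strings can be passed without a cast. The new declaration also has no comment, and its name differs from `__request_module` by a single underscore, which is easy to misread at call sites. A one-line comment describing what `param_name` carries should be added once that is confirmed from the definition.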
64833 diff -urNp linux-2.6.32.49/include/linux/kobject.h linux-2.6.32.49/include/linux/kobject.h
64834 --- linux-2.6.32.49/include/linux/kobject.h 2011-11-08 19:02:43.000000000 -0500
64835 +++ linux-2.6.32.49/include/linux/kobject.h 2011-11-15 19:59:43.000000000 -0500
64836 @@ -106,7 +106,7 @@ extern char *kobject_get_path(struct kob
64837
64838 struct kobj_type {
64839 void (*release)(struct kobject *kobj);
64840 - struct sysfs_ops *sysfs_ops;
64841 + const struct sysfs_ops *sysfs_ops;
64842 struct attribute **default_attrs;
64843 };
64844
64845 @@ -118,9 +118,9 @@ struct kobj_uevent_env {
64846 };
64847
64848 struct kset_uevent_ops {
64849 - int (*filter)(struct kset *kset, struct kobject *kobj);
64850 - const char *(*name)(struct kset *kset, struct kobject *kobj);
64851 - int (*uevent)(struct kset *kset, struct kobject *kobj,
64852 + int (* const filter)(struct kset *kset, struct kobject *kobj);
64853 + const char *(* const name)(struct kset *kset, struct kobject *kobj);
64854 + int (* const uevent)(struct kset *kset, struct kobject *kobj,
64855 struct kobj_uevent_env *env);
64856 };
64857
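Review bot: `struct kset_uevent_ops` is made read-only by const-qualifying each member (`int (* const filter)(...)`), whereas kgdb.h and libata.h in this patch mark the whole struct `__do_const`; lockd/bind.h uses the member form again for `struct nlmsvc_binding`. Const members mean no instance can be assigned or filled in after its initializer, including allocated or on-stack ones, which is a stronger and less visible restriction than a const object. Since `kset.uevent_ops` and `kset_create_and_add()` are changed to `const struct kset_uevent_ops *` in the same file, I would use one mechanism throughout and name it in a comment on the struct.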
64858 @@ -132,7 +132,7 @@ struct kobj_attribute {
64859 const char *buf, size_t count);
64860 };
64861
64862 -extern struct sysfs_ops kobj_sysfs_ops;
64863 +extern const struct sysfs_ops kobj_sysfs_ops;
64864
64865 /**
64866 * struct kset - a set of kobjects of a specific type, belonging to a specific subsystem.
64867 @@ -155,14 +155,14 @@ struct kset {
64868 struct list_head list;
64869 spinlock_t list_lock;
64870 struct kobject kobj;
64871 - struct kset_uevent_ops *uevent_ops;
64872 + const struct kset_uevent_ops *uevent_ops;
64873 };
64874
64875 extern void kset_init(struct kset *kset);
64876 extern int __must_check kset_register(struct kset *kset);
64877 extern void kset_unregister(struct kset *kset);
64878 extern struct kset * __must_check kset_create_and_add(const char *name,
64879 - struct kset_uevent_ops *u,
64880 + const struct kset_uevent_ops *u,
64881 struct kobject *parent_kobj);
64882
64883 static inline struct kset *to_kset(struct kobject *kobj)
64884 diff -urNp linux-2.6.32.49/include/linux/kvm_host.h linux-2.6.32.49/include/linux/kvm_host.h
64885 --- linux-2.6.32.49/include/linux/kvm_host.h 2011-11-08 19:02:43.000000000 -0500
64886 +++ linux-2.6.32.49/include/linux/kvm_host.h 2011-11-15 19:59:43.000000000 -0500
64887 @@ -210,7 +210,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vc
64888 void vcpu_load(struct kvm_vcpu *vcpu);
64889 void vcpu_put(struct kvm_vcpu *vcpu);
64890
64891 -int kvm_init(void *opaque, unsigned int vcpu_size,
64892 +int kvm_init(const void *opaque, unsigned int vcpu_size,
64893 struct module *module);
64894 void kvm_exit(void);
64895
64896 @@ -316,7 +316,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
64897 struct kvm_guest_debug *dbg);
64898 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
64899
64900 -int kvm_arch_init(void *opaque);
64901 +int kvm_arch_init(const void *opaque);
64902 void kvm_arch_exit(void);
64903
64904 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
64905 diff -urNp linux-2.6.32.49/include/linux/libata.h linux-2.6.32.49/include/linux/libata.h
64906 --- linux-2.6.32.49/include/linux/libata.h 2011-11-08 19:02:43.000000000 -0500
64907 +++ linux-2.6.32.49/include/linux/libata.h 2011-11-15 19:59:43.000000000 -0500
64908 @@ -525,11 +525,11 @@ struct ata_ioports {
64909
64910 struct ata_host {
64911 spinlock_t lock;
64912 - struct device *dev;
64913 + struct device *dev;
64914 void __iomem * const *iomap;
64915 unsigned int n_ports;
64916 void *private_data;
64917 - struct ata_port_operations *ops;
64918 + const struct ata_port_operations *ops;
64919 unsigned long flags;
64920 #ifdef CONFIG_ATA_ACPI
64921 acpi_handle acpi_handle;
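Review bot: The first removed/added pair in this hunk, `struct device *dev;`, reads the same on both sides, so it appears to be a whitespace-only change mixed in with the `const struct ata_port_operations *ops` conversion. In a patch of this size that is noise for anyone rebasing or auditing the hardening changes; I would drop it from the hunk. `struct ata_host` continues outside the hunk.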
64922 @@ -710,7 +710,7 @@ struct ata_link {
64923
64924 struct ata_port {
64925 struct Scsi_Host *scsi_host; /* our co-allocated scsi host */
64926 - struct ata_port_operations *ops;
64927 + const struct ata_port_operations *ops;
64928 spinlock_t *lock;
64929 /* Flags owned by the EH context. Only EH should touch these once the
64930 port is active */
64931 @@ -884,7 +884,7 @@ struct ata_port_operations {
64932 * fields must be pointers.
64933 */
64934 const struct ata_port_operations *inherits;
64935 -};
64936 +} __do_const;
64937
64938 struct ata_port_info {
64939 unsigned long flags;
64940 @@ -892,7 +892,7 @@ struct ata_port_info {
64941 unsigned long pio_mask;
64942 unsigned long mwdma_mask;
64943 unsigned long udma_mask;
64944 - struct ata_port_operations *port_ops;
64945 + const struct ata_port_operations *port_ops;
64946 void *private_data;
64947 };
64948
64949 @@ -916,7 +916,7 @@ extern const unsigned long sata_deb_timi
64950 extern const unsigned long sata_deb_timing_hotplug[];
64951 extern const unsigned long sata_deb_timing_long[];
64952
64953 -extern struct ata_port_operations ata_dummy_port_ops;
64954 +extern const struct ata_port_operations ata_dummy_port_ops;
64955 extern const struct ata_port_info ata_dummy_port_info;
64956
64957 static inline const unsigned long *
64958 @@ -962,7 +962,7 @@ extern int ata_host_activate(struct ata_
64959 struct scsi_host_template *sht);
64960 extern void ata_host_detach(struct ata_host *host);
64961 extern void ata_host_init(struct ata_host *, struct device *,
64962 - unsigned long, struct ata_port_operations *);
64963 + unsigned long, const struct ata_port_operations *);
64964 extern int ata_scsi_detect(struct scsi_host_template *sht);
64965 extern int ata_scsi_ioctl(struct scsi_device *dev, int cmd, void __user *arg);
64966 extern int ata_scsi_queuecmd(struct scsi_cmnd *cmd, void (*done)(struct scsi_cmnd *));
64967 diff -urNp linux-2.6.32.49/include/linux/lockd/bind.h linux-2.6.32.49/include/linux/lockd/bind.h
64968 --- linux-2.6.32.49/include/linux/lockd/bind.h 2011-11-08 19:02:43.000000000 -0500
64969 +++ linux-2.6.32.49/include/linux/lockd/bind.h 2011-11-15 19:59:43.000000000 -0500
64970 @@ -23,13 +23,13 @@ struct svc_rqst;
64971 * This is the set of functions for lockd->nfsd communication
64972 */
64973 struct nlmsvc_binding {
64974 - __be32 (*fopen)(struct svc_rqst *,
64975 + __be32 (* const fopen)(struct svc_rqst *,
64976 struct nfs_fh *,
64977 struct file **);
64978 - void (*fclose)(struct file *);
64979 + void (* const fclose)(struct file *);
64980 };
64981
64982 -extern struct nlmsvc_binding * nlmsvc_ops;
64983 +extern const struct nlmsvc_binding * nlmsvc_ops;
64984
64985 /*
64986 * Similar to nfs_client_initdata, but without the NFS-specific
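Review bot: `extern const struct nlmsvc_binding * nlmsvc_ops;` makes the pointed-to table read-only but leaves the global pointer itself writable, so the protection added by the `* const` members covers the table and not the pointer that selects it. If the pointer has to be reassigned at runtime (presumably when nfsd registers and unregisters; the writer is not visible here), that deserves a comment such as `/* set by nfsd at runtime; the table it points to is const */`. If it is only ever set once during initialisation, making the pointer itself read-only afterwards should be considered.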
64987 diff -urNp linux-2.6.32.49/include/linux/mca.h linux-2.6.32.49/include/linux/mca.h
64988 --- linux-2.6.32.49/include/linux/mca.h 2011-11-08 19:02:43.000000000 -0500
64989 +++ linux-2.6.32.49/include/linux/mca.h 2011-11-15 19:59:43.000000000 -0500
64990 @@ -80,7 +80,7 @@ struct mca_bus_accessor_functions {
64991 int region);
64992 void * (*mca_transform_memory)(struct mca_device *,
64993 void *memory);
64994 -};
64995 +} __no_const;
64996
64997 struct mca_bus {
64998 u64 default_dma_mask;
64999 diff -urNp linux-2.6.32.49/include/linux/memory.h linux-2.6.32.49/include/linux/memory.h
65000 --- linux-2.6.32.49/include/linux/memory.h 2011-11-08 19:02:43.000000000 -0500
65001 +++ linux-2.6.32.49/include/linux/memory.h 2011-11-15 19:59:43.000000000 -0500
65002 @@ -108,7 +108,7 @@ struct memory_accessor {
65003 size_t count);
65004 ssize_t (*write)(struct memory_accessor *, const char *buf,
65005 off_t offset, size_t count);
65006 -};
65007 +} __no_const;
65008
65009 /*
65010 * Kernel text modification mutex, used for code patching. Users of this lock
65011 diff -urNp linux-2.6.32.49/include/linux/mm.h linux-2.6.32.49/include/linux/mm.h
65012 --- linux-2.6.32.49/include/linux/mm.h 2011-11-08 19:02:43.000000000 -0500
65013 +++ linux-2.6.32.49/include/linux/mm.h 2011-11-15 19:59:43.000000000 -0500
65014 @@ -106,7 +106,14 @@ extern unsigned int kobjsize(const void
65015
65016 #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
65017 #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */
65018 +
65019 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
65020 +#define VM_SAO 0x00000000 /* Strong Access Ordering (powerpc) */
65021 +#define VM_PAGEEXEC 0x20000000 /* vma->vm_page_prot needs special handling */
65022 +#else
65023 #define VM_SAO 0x20000000 /* Strong Access Ordering (powerpc) */
65024 +#endif
65025 +
65026 #define VM_PFN_AT_MMAP 0x40000000 /* PFNMAP vma that is fully mapped at mmap time */
65027 #define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */
65028
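Review bot: With `CONFIG_PAX_PAGEEXEC` on `CONFIG_X86_32`, `VM_PAGEEXEC` takes the value `0x20000000` that `VM_SAO` has otherwise and `VM_SAO` becomes `0`. Nothing in the hunk says that the two flags share a bit or that `VM_PAGEEXEC` exists only under that configuration. Code that tests `VM_PAGEEXEC` outside the same `#if` will not compile, and a later change that gives `VM_SAO` a meaning on x86 would collide without any diagnostic. I would add above the `#if` a comment such as `/* 0x20000000 is VM_SAO (powerpc) or VM_PAGEEXEC (x86-32 PaX), never both */`.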
65029 @@ -841,12 +848,6 @@ int set_page_dirty(struct page *page);
65030 int set_page_dirty_lock(struct page *page);
65031 int clear_page_dirty_for_io(struct page *page);
65032
65033 -/* Is the vma a continuation of the stack vma above it? */
65034 -static inline int vma_stack_continue(struct vm_area_struct *vma, unsigned long addr)
65035 -{
65036 - return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
65037 -}
65038 -
65039 extern unsigned long move_page_tables(struct vm_area_struct *vma,
65040 unsigned long old_addr, struct vm_area_struct *new_vma,
65041 unsigned long new_addr, unsigned long len);
65042 @@ -890,6 +891,8 @@ struct shrinker {
65043 extern void register_shrinker(struct shrinker *);
65044 extern void unregister_shrinker(struct shrinker *);
65045
65046 +pgprot_t vm_get_page_prot(unsigned long vm_flags);
65047 +
65048 int vma_wants_writenotify(struct vm_area_struct *vma);
65049
65050 extern pte_t *get_locked_pte(struct mm_struct *mm, unsigned long addr, spinlock_t **ptl);
65051 @@ -1162,6 +1165,7 @@ out:
65052 }
65053
65054 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
65055 +extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
65056
65057 extern unsigned long do_brk(unsigned long, unsigned long);
65058
65059 @@ -1218,6 +1222,10 @@ extern struct vm_area_struct * find_vma(
65060 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
65061 struct vm_area_struct **pprev);
65062
65063 +extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
65064 +extern void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
65065 +extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
65066 +
65067 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
65068 NULL if none. Assume start_addr < end_addr. */
65069 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
65070 @@ -1234,7 +1242,6 @@ static inline unsigned long vma_pages(st
65071 return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
65072 }
65073
65074 -pgprot_t vm_get_page_prot(unsigned long vm_flags);
65075 struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
65076 int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
65077 unsigned long pfn, unsigned long size, pgprot_t);
65078 @@ -1332,7 +1339,13 @@ extern void memory_failure(unsigned long
65079 extern int __memory_failure(unsigned long pfn, int trapno, int ref);
65080 extern int sysctl_memory_failure_early_kill;
65081 extern int sysctl_memory_failure_recovery;
65082 -extern atomic_long_t mce_bad_pages;
65083 +extern atomic_long_unchecked_t mce_bad_pages;
65084 +
65085 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
65086 +extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
65087 +#else
65088 +static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
65089 +#endif
65090
65091 #endif /* __KERNEL__ */
65092 #endif /* _LINUX_MM_H */
65093 diff -urNp linux-2.6.32.49/include/linux/mm_types.h linux-2.6.32.49/include/linux/mm_types.h
65094 --- linux-2.6.32.49/include/linux/mm_types.h 2011-11-08 19:02:43.000000000 -0500
65095 +++ linux-2.6.32.49/include/linux/mm_types.h 2011-11-15 19:59:43.000000000 -0500
65096 @@ -186,6 +186,8 @@ struct vm_area_struct {
65097 #ifdef CONFIG_NUMA
65098 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
65099 #endif
65100 +
65101 + struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
65102 };
65103
65104 struct core_thread {
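Review bot: `vm_mirror` is added to `struct vm_area_struct` unconditionally, whereas the PaX fields added to `struct mm_struct` in the next hunk are each wrapped in their `CONFIG_PAX_*` guard. Every VMA grows by a pointer even in configurations that never mirror. Every path that allocates or copies a VMA also has to leave the field NULL or set it deliberately; those paths are outside this hunk and should be checked. Either guard the field with the option that uses it or extend the comment, e.g. `/* PaX: mirror vma or NULL; must not be inherited when a vma is copied */`, once that rule is confirmed.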
65105 @@ -287,6 +289,24 @@ struct mm_struct {
65106 #ifdef CONFIG_MMU_NOTIFIER
65107 struct mmu_notifier_mm *mmu_notifier_mm;
65108 #endif
65109 +
65110 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
65111 + unsigned long pax_flags;
65112 +#endif
65113 +
65114 +#ifdef CONFIG_PAX_DLRESOLVE
65115 + unsigned long call_dl_resolve;
65116 +#endif
65117 +
65118 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
65119 + unsigned long call_syscall;
65120 +#endif
65121 +
65122 +#ifdef CONFIG_PAX_ASLR
65123 + unsigned long delta_mmap; /* randomized offset */
65124 + unsigned long delta_stack; /* randomized offset */
65125 +#endif
65126 +
65127 };
65128
65129 /* Future-safe accessor for struct mm_struct's cpu_vm_mask. */
65130 diff -urNp linux-2.6.32.49/include/linux/mmu_notifier.h linux-2.6.32.49/include/linux/mmu_notifier.h
65131 --- linux-2.6.32.49/include/linux/mmu_notifier.h 2011-11-08 19:02:43.000000000 -0500
65132 +++ linux-2.6.32.49/include/linux/mmu_notifier.h 2011-11-15 19:59:43.000000000 -0500
65133 @@ -235,12 +235,12 @@ static inline void mmu_notifier_mm_destr
65134 */
65135 #define ptep_clear_flush_notify(__vma, __address, __ptep) \
65136 ({ \
65137 - pte_t __pte; \
65138 + pte_t ___pte; \
65139 struct vm_area_struct *___vma = __vma; \
65140 unsigned long ___address = __address; \
65141 - __pte = ptep_clear_flush(___vma, ___address, __ptep); \
65142 + ___pte = ptep_clear_flush(___vma, ___address, __ptep); \
65143 mmu_notifier_invalidate_page(___vma->vm_mm, ___address); \
65144 - __pte; \
65145 + ___pte; \
65146 })
65147
65148 #define ptep_clear_flush_young_notify(__vma, __address, __ptep) \
65149 diff -urNp linux-2.6.32.49/include/linux/mmzone.h linux-2.6.32.49/include/linux/mmzone.h
65150 --- linux-2.6.32.49/include/linux/mmzone.h 2011-11-08 19:02:43.000000000 -0500
65151 +++ linux-2.6.32.49/include/linux/mmzone.h 2011-11-15 19:59:43.000000000 -0500
65152 @@ -350,7 +350,7 @@ struct zone {
65153 unsigned long flags; /* zone flags, see below */
65154
65155 /* Zone statistics */
65156 - atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
65157 + atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
65158
65159 /*
65160 * prev_priority holds the scanning priority for this zone. It is
65161 diff -urNp linux-2.6.32.49/include/linux/mod_devicetable.h linux-2.6.32.49/include/linux/mod_devicetable.h
65162 --- linux-2.6.32.49/include/linux/mod_devicetable.h 2011-11-08 19:02:43.000000000 -0500
65163 +++ linux-2.6.32.49/include/linux/mod_devicetable.h 2011-11-15 19:59:43.000000000 -0500
65164 @@ -12,7 +12,7 @@
65165 typedef unsigned long kernel_ulong_t;
65166 #endif
65167
65168 -#define PCI_ANY_ID (~0)
65169 +#define PCI_ANY_ID ((__u16)~0)
65170
65171 struct pci_device_id {
65172 __u32 vendor, device; /* Vendor and device ID or PCI_ANY_ID*/
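Review bot: `PCI_ANY_ID` changes from `(~0)` to `((__u16)~0)`, but the fields it is stored in are 32-bit (`__u32 vendor, device` in the context line below), so the wildcard kept in a `pci_device_id` changes from 0xffffffff to 0x0000ffff. Anything that compares those fields with a literal `~0` or `0xffffffff`, or that reads device tables built against the unpatched header, would stop recognising the wildcard. No such user is visible in this hunk, so this needs checking across the tree and any tools that parse the tables. At minimum the macro deserves a comment such as `/* 16-bit all-ones; stored zero-extended in the __u32 id fields */`.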
65173 @@ -131,7 +131,7 @@ struct usb_device_id {
65174 #define USB_DEVICE_ID_MATCH_INT_SUBCLASS 0x0100
65175 #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
65176
65177 -#define HID_ANY_ID (~0)
65178 +#define HID_ANY_ID (~0U)
65179
65180 struct hid_device_id {
65181 __u16 bus;
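Review bot: `HID_ANY_ID` is now a 32-bit unsigned all-ones value, while the first field shown in `struct hid_device_id` is `__u16 bus`; a `__u16` promoted for comparison can never equal `~0U`, so the macro must not be used as a wildcard for `bus`. The two wildcard macros in this file now also have different widths (`(__u16)~0` for PCI, `~0U` for HID). A one-line comment on this one, e.g. `/* 32-bit wildcard; not valid for the __u16 bus field */`, would make that explicit. The rest of the struct is outside the hunk, so which fields the wildcard is meant for cannot be confirmed from here.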
65182 diff -urNp linux-2.6.32.49/include/linux/module.h linux-2.6.32.49/include/linux/module.h
65183 --- linux-2.6.32.49/include/linux/module.h 2011-11-08 19:02:43.000000000 -0500
65184 +++ linux-2.6.32.49/include/linux/module.h 2011-11-15 19:59:43.000000000 -0500
65185 @@ -16,6 +16,7 @@
65186 #include <linux/kobject.h>
65187 #include <linux/moduleparam.h>
65188 #include <linux/tracepoint.h>
65189 +#include <linux/fs.h>
65190
65191 #include <asm/local.h>
65192 #include <asm/module.h>
65193 @@ -287,16 +288,16 @@ struct module
65194 int (*init)(void);
65195
65196 /* If this is non-NULL, vfree after init() returns */
65197 - void *module_init;
65198 + void *module_init_rx, *module_init_rw;
65199
65200 /* Here is the actual code + data, vfree'd on unload. */
65201 - void *module_core;
65202 + void *module_core_rx, *module_core_rw;
65203
65204 /* Here are the sizes of the init and core sections */
65205 - unsigned int init_size, core_size;
65206 + unsigned int init_size_rw, core_size_rw;
65207
65208 /* The size of the executable code in each section. */
65209 - unsigned int init_text_size, core_text_size;
65210 + unsigned int init_size_rx, core_size_rx;
65211
65212 /* Arch-specific module values */
65213 struct mod_arch_specific arch;
65214 @@ -345,6 +346,10 @@ struct module
65215 #ifdef CONFIG_EVENT_TRACING
65216 struct ftrace_event_call *trace_events;
65217 unsigned int num_trace_events;
65218 + struct file_operations trace_id;
65219 + struct file_operations trace_enable;
65220 + struct file_operations trace_format;
65221 + struct file_operations trace_filter;
65222 #endif
65223 #ifdef CONFIG_FTRACE_MCOUNT_RECORD
65224 unsigned long *ftrace_callsites;
65225 @@ -393,16 +398,46 @@ struct module *__module_address(unsigned
65226 bool is_module_address(unsigned long addr);
65227 bool is_module_text_address(unsigned long addr);
65228
65229 +static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
65230 +{
65231 +
65232 +#ifdef CONFIG_PAX_KERNEXEC
65233 + if (ktla_ktva(addr) >= (unsigned long)start &&
65234 + ktla_ktva(addr) < (unsigned long)start + size)
65235 + return 1;
65236 +#endif
65237 +
65238 + return ((void *)addr >= start && (void *)addr < start + size);
65239 +}
65240 +
65241 +static inline int within_module_core_rx(unsigned long addr, struct module *mod)
65242 +{
65243 + return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
65244 +}
65245 +
65246 +static inline int within_module_core_rw(unsigned long addr, struct module *mod)
65247 +{
65248 + return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
65249 +}
65250 +
65251 +static inline int within_module_init_rx(unsigned long addr, struct module *mod)
65252 +{
65253 + return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
65254 +}
65255 +
65256 +static inline int within_module_init_rw(unsigned long addr, struct module *mod)
65257 +{
65258 + return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
65259 +}
65260 +
65261 static inline int within_module_core(unsigned long addr, struct module *mod)
65262 {
65263 - return (unsigned long)mod->module_core <= addr &&
65264 - addr < (unsigned long)mod->module_core + mod->core_size;
65265 + return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
65266 }
65267
65268 static inline int within_module_init(unsigned long addr, struct module *mod)
65269 {
65270 - return (unsigned long)mod->module_init <= addr &&
65271 - addr < (unsigned long)mod->module_init + mod->init_size;
65272 + return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
65273 }
65274
65275 /* Search for module by name: must hold module_mutex. */
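Review bot: In `within_module_range()` the fallback `return ((void *)addr >= start && (void *)addr < start + size);` does arithmetic on a `void *` (a GNU extension) and compares pointers, while the `CONFIG_PAX_KERNEXEC` branch just above compares `unsigned long` values. `start + size` can also wrap for a region near the top of the address space. Doing the check on integers is simpler and wrap-safe: `unsigned long base = (unsigned long)start;` followed by `return addr >= base && addr - base < size;`. A short comment on why the KERNEXEC branch accepts the `ktla_ktva()`-translated address as well as the raw one would help the next reader.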
65276 diff -urNp linux-2.6.32.49/include/linux/moduleloader.h linux-2.6.32.49/include/linux/moduleloader.h
65277 --- linux-2.6.32.49/include/linux/moduleloader.h 2011-11-08 19:02:43.000000000 -0500
65278 +++ linux-2.6.32.49/include/linux/moduleloader.h 2011-11-15 19:59:43.000000000 -0500
65279 @@ -20,9 +20,21 @@ unsigned int arch_mod_section_prepend(st
65280 sections. Returns NULL on failure. */
65281 void *module_alloc(unsigned long size);
65282
65283 +#ifdef CONFIG_PAX_KERNEXEC
65284 +void *module_alloc_exec(unsigned long size);
65285 +#else
65286 +#define module_alloc_exec(x) module_alloc(x)
65287 +#endif
65288 +
65289 /* Free memory returned from module_alloc. */
65290 void module_free(struct module *mod, void *module_region);
65291
65292 +#ifdef CONFIG_PAX_KERNEXEC
65293 +void module_free_exec(struct module *mod, void *module_region);
65294 +#else
65295 +#define module_free_exec(x, y) module_free((x), (y))
65296 +#endif
65297 +
65298 /* Apply the given relocation to the (simplified) ELF. Return -error
65299 or 0. */
65300 int apply_relocate(Elf_Shdr *sechdrs,
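Review bot: `module_alloc_exec()` and `module_free_exec()` are added without the one-line contract comments that their neighbours `module_alloc()` and `module_free()` have. Under `CONFIG_PAX_KERNEXEC` they are separate functions, so a region obtained from `module_alloc_exec()` presumably has to be released with `module_free_exec()` and not `module_free()`. Without the option the macros hide that distinction, and a mismatched pair would go unnoticed until the option is enabled. Suggested comments: `/* Allocate memory for executable module sections. */` and `/* Free memory returned from module_alloc_exec. */`.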
65301 diff -urNp linux-2.6.32.49/include/linux/moduleparam.h linux-2.6.32.49/include/linux/moduleparam.h
65302 --- linux-2.6.32.49/include/linux/moduleparam.h 2011-11-08 19:02:43.000000000 -0500
65303 +++ linux-2.6.32.49/include/linux/moduleparam.h 2011-11-15 19:59:43.000000000 -0500
65304 @@ -132,7 +132,7 @@ struct kparam_array
65305
65306 /* Actually copy string: maxlen param is usually sizeof(string). */
65307 #define module_param_string(name, string, len, perm) \
65308 - static const struct kparam_string __param_string_##name \
65309 + static const struct kparam_string __param_string_##name __used \
65310 = { len, string }; \
65311 __module_param_call(MODULE_PARAM_PREFIX, name, \
65312 param_set_copystring, param_get_string, \
65313 @@ -211,7 +211,7 @@ extern int param_get_invbool(char *buffe
65314
65315 /* Comma-separated array: *nump is set to number they actually specified. */
65316 #define module_param_array_named(name, array, type, nump, perm) \
65317 - static const struct kparam_array __param_arr_##name \
65318 + static const struct kparam_array __param_arr_##name __used \
65319 = { ARRAY_SIZE(array), nump, param_set_##type, param_get_##type,\
65320 sizeof(array[0]), array }; \
65321 __module_param_call(MODULE_PARAM_PREFIX, name, \
65322 diff -urNp linux-2.6.32.49/include/linux/mutex.h linux-2.6.32.49/include/linux/mutex.h
65323 --- linux-2.6.32.49/include/linux/mutex.h 2011-11-08 19:02:43.000000000 -0500
65324 +++ linux-2.6.32.49/include/linux/mutex.h 2011-11-15 19:59:43.000000000 -0500
65325 @@ -51,7 +51,7 @@ struct mutex {
65326 spinlock_t wait_lock;
65327 struct list_head wait_list;
65328 #if defined(CONFIG_DEBUG_MUTEXES) || defined(CONFIG_SMP)
65329 - struct thread_info *owner;
65330 + struct task_struct *owner;
65331 #endif
65332 #ifdef CONFIG_DEBUG_MUTEXES
65333 const char *name;
65334 diff -urNp linux-2.6.32.49/include/linux/namei.h linux-2.6.32.49/include/linux/namei.h
65335 --- linux-2.6.32.49/include/linux/namei.h 2011-11-08 19:02:43.000000000 -0500
65336 +++ linux-2.6.32.49/include/linux/namei.h 2011-11-15 19:59:43.000000000 -0500
65337 @@ -22,7 +22,7 @@ struct nameidata {
65338 unsigned int flags;
65339 int last_type;
65340 unsigned depth;
65341 - char *saved_names[MAX_NESTED_LINKS + 1];
65342 + const char *saved_names[MAX_NESTED_LINKS + 1];
65343
65344 /* Intent data */
65345 union {
65346 @@ -84,12 +84,12 @@ extern int follow_up(struct path *);
65347 extern struct dentry *lock_rename(struct dentry *, struct dentry *);
65348 extern void unlock_rename(struct dentry *, struct dentry *);
65349
65350 -static inline void nd_set_link(struct nameidata *nd, char *path)
65351 +static inline void nd_set_link(struct nameidata *nd, const char *path)
65352 {
65353 nd->saved_names[nd->depth] = path;
65354 }
65355
65356 -static inline char *nd_get_link(struct nameidata *nd)
65357 +static inline const char *nd_get_link(const struct nameidata *nd)
65358 {
65359 return nd->saved_names[nd->depth];
65360 }
65361 diff -urNp linux-2.6.32.49/include/linux/netdevice.h linux-2.6.32.49/include/linux/netdevice.h
65362 --- linux-2.6.32.49/include/linux/netdevice.h 2011-11-08 19:02:43.000000000 -0500
65363 +++ linux-2.6.32.49/include/linux/netdevice.h 2011-11-15 19:59:43.000000000 -0500
65364 @@ -637,6 +637,7 @@ struct net_device_ops {
65365 u16 xid);
65366 #endif
65367 };
65368 +typedef struct net_device_ops __no_const net_device_ops_no_const;
65369
65370 /*
65371 * The DEVICE structure.
65372 diff -urNp linux-2.6.32.49/include/linux/netfilter/xt_gradm.h linux-2.6.32.49/include/linux/netfilter/xt_gradm.h
65373 --- linux-2.6.32.49/include/linux/netfilter/xt_gradm.h 1969-12-31 19:00:00.000000000 -0500
65374 +++ linux-2.6.32.49/include/linux/netfilter/xt_gradm.h 2011-11-15 19:59:43.000000000 -0500
65375 @@ -0,0 +1,9 @@
65376 +#ifndef _LINUX_NETFILTER_XT_GRADM_H
65377 +#define _LINUX_NETFILTER_XT_GRADM_H 1
65378 +
65379 +struct xt_gradm_mtinfo {
65380 + __u16 flags;
65381 + __u16 invflags;
65382 +};
65383 +
65384 +#endif
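Review bot: The new header uses `__u16` in `struct xt_gradm_mtinfo` without including `<linux/types.h>`, so it only compiles when an earlier include happens to provide the type. It sits under `include/linux/netfilter/`, where match headers are typically shared with userspace tools, so it should be self-contained: add `#include <linux/types.h>` after the guard. A one-line comment on what `flags` and `invflags` hold would also help.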
65385 diff -urNp linux-2.6.32.49/include/linux/nodemask.h linux-2.6.32.49/include/linux/nodemask.h
65386 --- linux-2.6.32.49/include/linux/nodemask.h 2011-11-08 19:02:43.000000000 -0500
65387 +++ linux-2.6.32.49/include/linux/nodemask.h 2011-11-15 19:59:43.000000000 -0500
65388 @@ -464,11 +464,11 @@ static inline int num_node_state(enum no
65389
65390 #define any_online_node(mask) \
65391 ({ \
65392 - int node; \
65393 - for_each_node_mask(node, (mask)) \
65394 - if (node_online(node)) \
65395 + int __node; \
65396 + for_each_node_mask(__node, (mask)) \
65397 + if (node_online(__node)) \
65398 break; \
65399 - node; \
65400 + __node; \
65401 })
65402
65403 #define num_online_nodes() num_node_state(N_ONLINE)
65404 diff -urNp linux-2.6.32.49/include/linux/oprofile.h linux-2.6.32.49/include/linux/oprofile.h
65405 --- linux-2.6.32.49/include/linux/oprofile.h 2011-11-08 19:02:43.000000000 -0500
65406 +++ linux-2.6.32.49/include/linux/oprofile.h 2011-11-15 19:59:43.000000000 -0500
65407 @@ -129,9 +129,9 @@ int oprofilefs_create_ulong(struct super
65408 int oprofilefs_create_ro_ulong(struct super_block * sb, struct dentry * root,
65409 char const * name, ulong * val);
65410
65411 -/** Create a file for read-only access to an atomic_t. */
65412 +/** Create a file for read-only access to an atomic_unchecked_t. */
65413 int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
65414 - char const * name, atomic_t * val);
65415 + char const * name, atomic_unchecked_t * val);
65416
65417 /** create a directory */
65418 struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
65419 diff -urNp linux-2.6.32.49/include/linux/pagemap.h linux-2.6.32.49/include/linux/pagemap.h
65420 --- linux-2.6.32.49/include/linux/pagemap.h 2011-11-08 19:02:43.000000000 -0500
65421 +++ linux-2.6.32.49/include/linux/pagemap.h 2011-11-18 18:01:55.000000000 -0500
65422 @@ -425,7 +425,9 @@ static inline int fault_in_pages_readabl
65423 if (((unsigned long)uaddr & PAGE_MASK) !=
65424 ((unsigned long)end & PAGE_MASK))
65425 ret = __get_user(c, end);
65426 + (void)c;
65427 }
65428 + (void)c;
65429 return ret;
65430 }
65431
65432 diff -urNp linux-2.6.32.49/include/linux/perf_event.h linux-2.6.32.49/include/linux/perf_event.h
65433 --- linux-2.6.32.49/include/linux/perf_event.h 2011-11-08 19:02:43.000000000 -0500
65434 +++ linux-2.6.32.49/include/linux/perf_event.h 2011-11-15 19:59:43.000000000 -0500
65435 @@ -476,7 +476,7 @@ struct hw_perf_event {
65436 struct hrtimer hrtimer;
65437 };
65438 };
65439 - atomic64_t prev_count;
65440 + atomic64_unchecked_t prev_count;
65441 u64 sample_period;
65442 u64 last_period;
65443 atomic64_t period_left;
65444 @@ -557,7 +557,7 @@ struct perf_event {
65445 const struct pmu *pmu;
65446
65447 enum perf_event_active_state state;
65448 - atomic64_t count;
65449 + atomic64_unchecked_t count;
65450
65451 /*
65452 * These are the total time in nanoseconds that the event
65453 @@ -595,8 +595,8 @@ struct perf_event {
65454 * These accumulate total time (in nanoseconds) that children
65455 * events have been enabled and running, respectively.
65456 */
65457 - atomic64_t child_total_time_enabled;
65458 - atomic64_t child_total_time_running;
65459 + atomic64_unchecked_t child_total_time_enabled;
65460 + atomic64_unchecked_t child_total_time_running;
65461
65462 /*
65463 * Protect attach/detach and child_list:
65464 diff -urNp linux-2.6.32.49/include/linux/pipe_fs_i.h linux-2.6.32.49/include/linux/pipe_fs_i.h
65465 --- linux-2.6.32.49/include/linux/pipe_fs_i.h 2011-11-08 19:02:43.000000000 -0500
65466 +++ linux-2.6.32.49/include/linux/pipe_fs_i.h 2011-11-15 19:59:43.000000000 -0500
65467 @@ -46,9 +46,9 @@ struct pipe_inode_info {
65468 wait_queue_head_t wait;
65469 unsigned int nrbufs, curbuf;
65470 struct page *tmp_page;
65471 - unsigned int readers;
65472 - unsigned int writers;
65473 - unsigned int waiting_writers;
65474 + atomic_t readers;
65475 + atomic_t writers;
65476 + atomic_t waiting_writers;
65477 unsigned int r_counter;
65478 unsigned int w_counter;
65479 struct fasync_struct *fasync_readers;
65480 diff -urNp linux-2.6.32.49/include/linux/poison.h linux-2.6.32.49/include/linux/poison.h
65481 --- linux-2.6.32.49/include/linux/poison.h 2011-11-08 19:02:43.000000000 -0500
65482 +++ linux-2.6.32.49/include/linux/poison.h 2011-11-15 19:59:43.000000000 -0500
65483 @@ -19,8 +19,8 @@
65484 * under normal circumstances, used to verify that nobody uses
65485 * non-initialized list entries.
65486 */
65487 -#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
65488 -#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
65489 +#define LIST_POISON1 ((void *) (long)0xFFFFFF01)
65490 +#define LIST_POISON2 ((void *) (long)0xFFFFFF02)
65491
65492 /********** include/linux/timer.h **********/
65493 /*
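Review bot: `0xFFFFFF01` does not fit in `int`, so the literal has an unsigned type and `(long)0xFFFFFF01` zero-extends on a 64-bit build, giving 0x00000000FFFFFF01 rather than an address at the top of the address space. The new values also drop `POISON_POINTER_DELTA`, so the configured illegal-pointer offset no longer applies to list poison. A poison value is only useful if dereferencing it is guaranteed to fault; whether that holds for this address on 64-bit depends on configuration not visible in the hunk. If sign extension was intended, write `((void *)(long)(int)0xFFFFFF01)`; either way add a comment stating which region the value is meant to land in.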
65494 diff -urNp linux-2.6.32.49/include/linux/posix-timers.h linux-2.6.32.49/include/linux/posix-timers.h
65495 --- linux-2.6.32.49/include/linux/posix-timers.h 2011-11-08 19:02:43.000000000 -0500
65496 +++ linux-2.6.32.49/include/linux/posix-timers.h 2011-11-15 19:59:43.000000000 -0500
65497 @@ -67,7 +67,7 @@ struct k_itimer {
65498 };
65499
65500 struct k_clock {
65501 - int res; /* in nanoseconds */
65502 + const int res; /* in nanoseconds */
65503 int (*clock_getres) (const clockid_t which_clock, struct timespec *tp);
65504 int (*clock_set) (const clockid_t which_clock, struct timespec * tp);
65505 int (*clock_get) (const clockid_t which_clock, struct timespec * tp);
65506 diff -urNp linux-2.6.32.49/include/linux/preempt.h linux-2.6.32.49/include/linux/preempt.h
65507 --- linux-2.6.32.49/include/linux/preempt.h 2011-11-08 19:02:43.000000000 -0500
65508 +++ linux-2.6.32.49/include/linux/preempt.h 2011-11-15 19:59:43.000000000 -0500
65509 @@ -110,7 +110,7 @@ struct preempt_ops {
65510 void (*sched_in)(struct preempt_notifier *notifier, int cpu);
65511 void (*sched_out)(struct preempt_notifier *notifier,
65512 struct task_struct *next);
65513 -};
65514 +} __no_const;
65515
65516 /**
65517 * preempt_notifier - key for installing preemption notifiers
65518 diff -urNp linux-2.6.32.49/include/linux/proc_fs.h linux-2.6.32.49/include/linux/proc_fs.h
65519 --- linux-2.6.32.49/include/linux/proc_fs.h 2011-11-08 19:02:43.000000000 -0500
65520 +++ linux-2.6.32.49/include/linux/proc_fs.h 2011-11-15 19:59:43.000000000 -0500
65521 @@ -155,6 +155,19 @@ static inline struct proc_dir_entry *pro
65522 return proc_create_data(name, mode, parent, proc_fops, NULL);
65523 }
65524
65525 +static inline struct proc_dir_entry *proc_create_grsec(const char *name, mode_t mode,
65526 + struct proc_dir_entry *parent, const struct file_operations *proc_fops)
65527 +{
65528 +#ifdef CONFIG_GRKERNSEC_PROC_USER
65529 + return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
65530 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
65531 + return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
65532 +#else
65533 + return proc_create_data(name, mode, parent, proc_fops, NULL);
65534 +#endif
65535 +}
65536 +
65537 +
65538 static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
65539 mode_t mode, struct proc_dir_entry *base,
65540 read_proc_t *read_proc, void * data)
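Review bot: Under `CONFIG_GRKERNSEC_PROC_USER` and `CONFIG_GRKERNSEC_PROC_USERGROUP`, `proc_create_grsec()` discards the caller's `mode` and substitutes a fixed `S_IRUSR` or `S_IRUSR | S_IRGRP`. That silently drops any write bits a caller asked for and, in the other direction, grants owner or group read even when the caller passed a mode without it. If the intent is only to restrict, masking keeps the caller's choice: `mode & ~(S_IRWXG | S_IRWXO)` for the first case and `mode & ~S_IRWXO` for the second. Otherwise a comment above the function should state that `mode` is ignored under those options. `create_proc_read_entry()` below continues outside the hunk.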
65541 @@ -256,7 +269,7 @@ union proc_op {
65542 int (*proc_show)(struct seq_file *m,
65543 struct pid_namespace *ns, struct pid *pid,
65544 struct task_struct *task);
65545 -};
65546 +} __no_const;
65547
65548 struct ctl_table_header;
65549 struct ctl_table;
65550 diff -urNp linux-2.6.32.49/include/linux/ptrace.h linux-2.6.32.49/include/linux/ptrace.h
65551 --- linux-2.6.32.49/include/linux/ptrace.h 2011-11-08 19:02:43.000000000 -0500
65552 +++ linux-2.6.32.49/include/linux/ptrace.h 2011-11-15 19:59:43.000000000 -0500
65553 @@ -96,10 +96,10 @@ extern void __ptrace_unlink(struct task_
65554 extern void exit_ptrace(struct task_struct *tracer);
65555 #define PTRACE_MODE_READ 1
65556 #define PTRACE_MODE_ATTACH 2
65557 -/* Returns 0 on success, -errno on denial. */
65558 -extern int __ptrace_may_access(struct task_struct *task, unsigned int mode);
65559 /* Returns true on success, false on denial. */
65560 extern bool ptrace_may_access(struct task_struct *task, unsigned int mode);
65561 +/* Returns true on success, false on denial. */
65562 +extern bool ptrace_may_access_log(struct task_struct *task, unsigned int mode);
65563
65564 static inline int ptrace_reparented(struct task_struct *child)
65565 {
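Review bot: The comment on the new `ptrace_may_access_log()` is a verbatim copy of the one on `ptrace_may_access()`, so the header does not say how the two differ or when a caller should pick which. Going by the name it presumably records denials; if so, say it, e.g. `/* As ptrace_may_access(), but also logs a denial. */`. The hunk also removes the `__ptrace_may_access()` declaration, so any remaining caller outside this file needs converting, which cannot be verified from here.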
65566 diff -urNp linux-2.6.32.49/include/linux/random.h linux-2.6.32.49/include/linux/random.h
65567 --- linux-2.6.32.49/include/linux/random.h 2011-11-08 19:02:43.000000000 -0500
65568 +++ linux-2.6.32.49/include/linux/random.h 2011-11-15 19:59:43.000000000 -0500
65569 @@ -63,6 +63,11 @@ unsigned long randomize_range(unsigned l
65570 u32 random32(void);
65571 void srandom32(u32 seed);
65572
65573 +static inline unsigned long pax_get_random_long(void)
65574 +{
65575 + return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
65576 +}
65577 +
65578 #endif /* __KERNEL___ */
65579
65580 #endif /* _LINUX_RANDOM_H */
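Review bot: `pax_get_random_long()` builds its result from `random32()`, which is declared just above next to `srandom32(u32 seed)` and is a seedable pseudo-random generator rather than the kernel's entropy pool. If the value feeds address-space layout randomization or any other secret, as the name suggests, its predictability bounds the protection. `get_random_bytes()` is the interface meant for that: `unsigned long r; get_random_bytes(&r, sizeof(r)); return r;`. Separately, on a 32-bit build the dead branch `(unsigned long)random32() << 32` still shifts by the full type width and may draw a compiler warning.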
65581 diff -urNp linux-2.6.32.49/include/linux/reboot.h linux-2.6.32.49/include/linux/reboot.h
65582 --- linux-2.6.32.49/include/linux/reboot.h 2011-11-08 19:02:43.000000000 -0500
65583 +++ linux-2.6.32.49/include/linux/reboot.h 2011-11-15 19:59:43.000000000 -0500
65584 @@ -47,9 +47,9 @@ extern int unregister_reboot_notifier(st
65585 * Architecture-specific implementations of sys_reboot commands.
65586 */
65587
65588 -extern void machine_restart(char *cmd);
65589 -extern void machine_halt(void);
65590 -extern void machine_power_off(void);
65591 +extern void machine_restart(char *cmd) __noreturn;
65592 +extern void machine_halt(void) __noreturn;
65593 +extern void machine_power_off(void) __noreturn;
65594
65595 extern void machine_shutdown(void);
65596 struct pt_regs;
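Review bot: Marking `machine_restart()`, `machine_halt()` and `machine_power_off()` as `__noreturn` is a promise every architecture's implementation has to keep. If one of them can return (for example a halt routine that falls through when the platform has no halt mechanism), the behaviour is undefined and the compiler may already have dropped the code after the call site. The implementations are not part of this hunk, so this needs checking per architecture, or the definitions should end in an explicit infinite loop. The same applies to `kernel_restart()`, `kernel_halt()`, `kernel_power_off()` and `emergency_restart()` in the two following hunks.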
65597 @@ -60,9 +60,9 @@ extern void machine_crash_shutdown(struc
65598 */
65599
65600 extern void kernel_restart_prepare(char *cmd);
65601 -extern void kernel_restart(char *cmd);
65602 -extern void kernel_halt(void);
65603 -extern void kernel_power_off(void);
65604 +extern void kernel_restart(char *cmd) __noreturn;
65605 +extern void kernel_halt(void) __noreturn;
65606 +extern void kernel_power_off(void) __noreturn;
65607
65608 void ctrl_alt_del(void);
65609
65610 @@ -75,7 +75,7 @@ extern int orderly_poweroff(bool force);
65611 * Emergency restart, callable from an interrupt handler.
65612 */
65613
65614 -extern void emergency_restart(void);
65615 +extern void emergency_restart(void) __noreturn;
65616 #include <asm/emergency-restart.h>
65617
65618 #endif
65619 diff -urNp linux-2.6.32.49/include/linux/reiserfs_fs.h linux-2.6.32.49/include/linux/reiserfs_fs.h
65620 --- linux-2.6.32.49/include/linux/reiserfs_fs.h 2011-11-08 19:02:43.000000000 -0500
65621 +++ linux-2.6.32.49/include/linux/reiserfs_fs.h 2011-11-15 19:59:43.000000000 -0500
65622 @@ -1326,7 +1326,7 @@ static inline loff_t max_reiserfs_offset
65623 #define REISERFS_USER_MEM 1 /* reiserfs user memory mode */
65624
65625 #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
65626 -#define get_generation(s) atomic_read (&fs_generation(s))
65627 +#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
65628 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
65629 #define __fs_changed(gen,s) (gen != get_generation (s))
65630 #define fs_changed(gen,s) ({cond_resched(); __fs_changed(gen, s);})
65631 @@ -1534,24 +1534,24 @@ static inline struct super_block *sb_fro
65632 */
65633
65634 struct item_operations {
65635 - int (*bytes_number) (struct item_head * ih, int block_size);
65636 - void (*decrement_key) (struct cpu_key *);
65637 - int (*is_left_mergeable) (struct reiserfs_key * ih,
65638 + int (* const bytes_number) (struct item_head * ih, int block_size);
65639 + void (* const decrement_key) (struct cpu_key *);
65640 + int (* const is_left_mergeable) (struct reiserfs_key * ih,
65641 unsigned long bsize);
65642 - void (*print_item) (struct item_head *, char *item);
65643 - void (*check_item) (struct item_head *, char *item);
65644 + void (* const print_item) (struct item_head *, char *item);
65645 + void (* const check_item) (struct item_head *, char *item);
65646
65647 - int (*create_vi) (struct virtual_node * vn, struct virtual_item * vi,
65648 + int (* const create_vi) (struct virtual_node * vn, struct virtual_item * vi,
65649 int is_affected, int insert_size);
65650 - int (*check_left) (struct virtual_item * vi, int free,
65651 + int (* const check_left) (struct virtual_item * vi, int free,
65652 int start_skip, int end_skip);
65653 - int (*check_right) (struct virtual_item * vi, int free);
65654 - int (*part_size) (struct virtual_item * vi, int from, int to);
65655 - int (*unit_num) (struct virtual_item * vi);
65656 - void (*print_vi) (struct virtual_item * vi);
65657 + int (* const check_right) (struct virtual_item * vi, int free);
65658 + int (* const part_size) (struct virtual_item * vi, int from, int to);
65659 + int (* const unit_num) (struct virtual_item * vi);
65660 + void (* const print_vi) (struct virtual_item * vi);
65661 };
65662
65663 -extern struct item_operations *item_ops[TYPE_ANY + 1];
65664 +extern const struct item_operations * const item_ops[TYPE_ANY + 1];
65665
65666 #define op_bytes_number(ih,bsize) item_ops[le_ih_k_type (ih)]->bytes_number (ih, bsize)
65667 #define op_is_left_mergeable(key,bsize) item_ops[le_key_k_type (le_key_version (key), key)]->is_left_mergeable (key, bsize)
65668 diff -urNp linux-2.6.32.49/include/linux/reiserfs_fs_sb.h linux-2.6.32.49/include/linux/reiserfs_fs_sb.h
65669 --- linux-2.6.32.49/include/linux/reiserfs_fs_sb.h 2011-11-08 19:02:43.000000000 -0500
65670 +++ linux-2.6.32.49/include/linux/reiserfs_fs_sb.h 2011-11-15 19:59:43.000000000 -0500
65671 @@ -377,7 +377,7 @@ struct reiserfs_sb_info {
65672 /* Comment? -Hans */
65673 wait_queue_head_t s_wait;
65674 /* To be obsoleted soon by per buffer seals.. -Hans */
65675 - atomic_t s_generation_counter; // increased by one every time the
65676 + atomic_unchecked_t s_generation_counter; // increased by one every time the
65677 // tree gets re-balanced
65678 unsigned long s_properties; /* File system properties. Currently holds
65679 on-disk FS format */
65680 diff -urNp linux-2.6.32.49/include/linux/relay.h linux-2.6.32.49/include/linux/relay.h
65681 --- linux-2.6.32.49/include/linux/relay.h 2011-11-08 19:02:43.000000000 -0500
65682 +++ linux-2.6.32.49/include/linux/relay.h 2011-11-15 19:59:43.000000000 -0500
65683 @@ -159,7 +159,7 @@ struct rchan_callbacks
65684 * The callback should return 0 if successful, negative if not.
65685 */
65686 int (*remove_buf_file)(struct dentry *dentry);
65687 -};
65688 +} __no_const;
65689
65690 /*
65691 * CONFIG_RELAY kernel API, kernel/relay.c
65692 diff -urNp linux-2.6.32.49/include/linux/rfkill.h linux-2.6.32.49/include/linux/rfkill.h
65693 --- linux-2.6.32.49/include/linux/rfkill.h 2011-11-08 19:02:43.000000000 -0500
65694 +++ linux-2.6.32.49/include/linux/rfkill.h 2011-11-15 19:59:43.000000000 -0500
65695 @@ -144,6 +144,7 @@ struct rfkill_ops {
65696 void (*query)(struct rfkill *rfkill, void *data);
65697 int (*set_block)(void *data, bool blocked);
65698 };
65699 +typedef struct rfkill_ops __no_const rfkill_ops_no_const;
65700
65701 #if defined(CONFIG_RFKILL) || defined(CONFIG_RFKILL_MODULE)
65702 /**
65703 diff -urNp linux-2.6.32.49/include/linux/sched.h linux-2.6.32.49/include/linux/sched.h
65704 --- linux-2.6.32.49/include/linux/sched.h 2011-11-08 19:02:43.000000000 -0500
65705 +++ linux-2.6.32.49/include/linux/sched.h 2011-11-18 18:01:52.000000000 -0500
65706 @@ -101,6 +101,7 @@ struct bio;
65707 struct fs_struct;
65708 struct bts_context;
65709 struct perf_event_context;
65710 +struct linux_binprm;
65711
65712 /*
65713 * List of flags we want to share for kernel threads,
65714 @@ -350,7 +351,7 @@ extern signed long schedule_timeout_kill
65715 extern signed long schedule_timeout_uninterruptible(signed long timeout);
65716 asmlinkage void __schedule(void);
65717 asmlinkage void schedule(void);
65718 -extern int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner);
65719 +extern int mutex_spin_on_owner(struct mutex *lock, struct task_struct *owner);
65720
65721 struct nsproxy;
65722 struct user_namespace;
65723 @@ -371,9 +372,12 @@ struct user_namespace;
65724 #define DEFAULT_MAX_MAP_COUNT (USHORT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
65725
65726 extern int sysctl_max_map_count;
65727 +extern unsigned long sysctl_heap_stack_gap;
65728
65729 #include <linux/aio.h>
65730
65731 +extern bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len);
65732 +extern unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len);
65733 extern unsigned long
65734 arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
65735 unsigned long, unsigned long);
65736 @@ -666,6 +670,16 @@ struct signal_struct {
65737 struct tty_audit_buf *tty_audit_buf;
65738 #endif
65739
65740 +#ifdef CONFIG_GRKERNSEC
65741 + u32 curr_ip;
65742 + u32 saved_ip;
65743 + u32 gr_saddr;
65744 + u32 gr_daddr;
65745 + u16 gr_sport;
65746 + u16 gr_dport;
65747 + u8 used_accept:1;
65748 +#endif
65749 +
65750 int oom_adj; /* OOM kill score adjustment (bit shift) */
65751 };
65752
65753 @@ -723,6 +737,11 @@ struct user_struct {
65754 struct key *session_keyring; /* UID's default session keyring */
65755 #endif
65756
65757 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
65758 + unsigned int banned;
65759 + unsigned long ban_expires;
65760 +#endif
65761 +
65762 /* Hash table maintenance information */
65763 struct hlist_node uidhash_node;
65764 uid_t uid;
65765 @@ -1328,8 +1347,8 @@ struct task_struct {
65766 struct list_head thread_group;
65767
65768 struct completion *vfork_done; /* for vfork() */
65769 - int __user *set_child_tid; /* CLONE_CHILD_SETTID */
65770 - int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
65771 + pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
65772 + pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
65773
65774 cputime_t utime, stime, utimescaled, stimescaled;
65775 cputime_t gtime;
65776 @@ -1343,16 +1362,6 @@ struct task_struct {
65777 struct task_cputime cputime_expires;
65778 struct list_head cpu_timers[3];
65779
65780 -/* process credentials */
65781 - const struct cred *real_cred; /* objective and real subjective task
65782 - * credentials (COW) */
65783 - const struct cred *cred; /* effective (overridable) subjective task
65784 - * credentials (COW) */
65785 - struct mutex cred_guard_mutex; /* guard against foreign influences on
65786 - * credential calculations
65787 - * (notably. ptrace) */
65788 - struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
65789 -
65790 char comm[TASK_COMM_LEN]; /* executable name excluding path
65791 - access with [gs]et_task_comm (which lock
65792 it with task_lock())
65793 @@ -1369,6 +1378,10 @@ struct task_struct {
65794 #endif
65795 /* CPU-specific state of this task */
65796 struct thread_struct thread;
65797 +/* thread_info moved to task_struct */
65798 +#ifdef CONFIG_X86
65799 + struct thread_info tinfo;
65800 +#endif
65801 /* filesystem information */
65802 struct fs_struct *fs;
65803 /* open file information */
65804 @@ -1436,6 +1449,15 @@ struct task_struct {
65805 int hardirq_context;
65806 int softirq_context;
65807 #endif
65808 +
65809 +/* process credentials */
65810 + const struct cred *real_cred; /* objective and real subjective task
65811 + * credentials (COW) */
65812 + struct mutex cred_guard_mutex; /* guard against foreign influences on
65813 + * credential calculations
65814 + * (notably. ptrace) */
65815 + struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
65816 +
65817 #ifdef CONFIG_LOCKDEP
65818 # define MAX_LOCK_DEPTH 48UL
65819 u64 curr_chain_key;
65820 @@ -1456,6 +1478,9 @@ struct task_struct {
65821
65822 struct backing_dev_info *backing_dev_info;
65823
65824 + const struct cred *cred; /* effective (overridable) subjective task
65825 + * credentials (COW) */
65826 +
65827 struct io_context *io_context;
65828
65829 unsigned long ptrace_message;
65830 @@ -1519,6 +1544,21 @@ struct task_struct {
65831 unsigned long default_timer_slack_ns;
65832
65833 struct list_head *scm_work_list;
65834 +
65835 +#ifdef CONFIG_GRKERNSEC
65836 + /* grsecurity */
65837 + struct dentry *gr_chroot_dentry;
65838 + struct acl_subject_label *acl;
65839 + struct acl_role_label *role;
65840 + struct file *exec_file;
65841 + u16 acl_role_id;
65842 + /* is this the task that authenticated to the special role */
65843 + u8 acl_sp_role;
65844 + u8 is_writable;
65845 + u8 brute;
65846 + u8 gr_is_chrooted;
65847 +#endif
65848 +
65849 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
65850 /* Index of current stored adress in ret_stack */
65851 int curr_ret_stack;
65852 @@ -1542,6 +1582,57 @@ struct task_struct {
65853 #endif /* CONFIG_TRACING */
65854 };
65855
65856 +#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
65857 +#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
65858 +#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
65859 +#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
65860 +/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
65861 +#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
65862 +
65863 +#ifdef CONFIG_PAX_SOFTMODE
65864 +extern int pax_softmode;
65865 +#endif
65866 +
65867 +extern int pax_check_flags(unsigned long *);
65868 +
65869 +/* if tsk != current then task_lock must be held on it */
65870 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
65871 +static inline unsigned long pax_get_flags(struct task_struct *tsk)
65872 +{
65873 + if (likely(tsk->mm))
65874 + return tsk->mm->pax_flags;
65875 + else
65876 + return 0UL;
65877 +}
65878 +
65879 +/* if tsk != current then task_lock must be held on it */
65880 +static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
65881 +{
65882 + if (likely(tsk->mm)) {
65883 + tsk->mm->pax_flags = flags;
65884 + return 0;
65885 + }
65886 + return -EINVAL;
65887 +}
65888 +#endif
65889 +
65890 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
65891 +extern void pax_set_initial_flags(struct linux_binprm *bprm);
65892 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
65893 +extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
65894 +#endif
65895 +
65896 +extern void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
65897 +extern void pax_report_insns(struct pt_regs *regs, void *pc, void *sp);
65898 +extern void pax_report_refcount_overflow(struct pt_regs *regs);
65899 +extern NORET_TYPE void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type) ATTRIB_NORET;
65900 +
65901 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
65902 +extern void pax_track_stack(void);
65903 +#else
65904 +static inline void pax_track_stack(void) {}
65905 +#endif
65906 +
65907 /* Future-safe accessor for struct task_struct's cpus_allowed. */
65908 #define tsk_cpumask(tsk) (&(tsk)->cpus_allowed)
65909
65910 @@ -1740,7 +1831,7 @@ extern void thread_group_times(struct ta
65911 #define PF_DUMPCORE 0x00000200 /* dumped core */
65912 #define PF_SIGNALED 0x00000400 /* killed by a signal */
65913 #define PF_MEMALLOC 0x00000800 /* Allocating memory */
65914 -#define PF_FLUSHER 0x00001000 /* responsible for disk writeback */
65915 +#define PF_NPROC_EXCEEDED 0x00001000 /* set_user noticed that RLIMIT_NPROC was exceeded */
65916 #define PF_USED_MATH 0x00002000 /* if unset the fpu must be initialized before use */
65917 #define PF_FREEZING 0x00004000 /* freeze in progress. do not account to load */
65918 #define PF_NOFREEZE 0x00008000 /* this thread should not be frozen */
65919 @@ -1978,7 +2069,9 @@ void yield(void);
65920 extern struct exec_domain default_exec_domain;
65921
65922 union thread_union {
65923 +#ifndef CONFIG_X86
65924 struct thread_info thread_info;
65925 +#endif
65926 unsigned long stack[THREAD_SIZE/sizeof(long)];
65927 };
65928
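Review bot: The `#ifndef CONFIG_X86` added around `struct thread_info thread_info;` in `union thread_union` has no comment, so a reader cannot tell where x86 keeps `thread_info` once it is no longer overlaid on the stack array. Any code that reaches the member through the union would stop compiling on x86; whether such users exist, or are patched elsewhere, cannot be seen from this hunk. I would add a line above the guard such as `/* x86: thread_info is not stored at the base of the kernel stack, see <location> */`, with the real location filled in by the author.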
65929 @@ -2011,6 +2104,7 @@ extern struct pid_namespace init_pid_ns;
65930 */
65931
65932 extern struct task_struct *find_task_by_vpid(pid_t nr);
65933 +extern struct task_struct *find_task_by_vpid_unrestricted(pid_t nr);
65934 extern struct task_struct *find_task_by_pid_ns(pid_t nr,
65935 struct pid_namespace *ns);
65936
65937 @@ -2155,7 +2249,7 @@ extern void __cleanup_sighand(struct sig
65938 extern void exit_itimers(struct signal_struct *);
65939 extern void flush_itimer_signals(void);
65940
65941 -extern NORET_TYPE void do_group_exit(int);
65942 +extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
65943
65944 extern void daemonize(const char *, ...);
65945 extern int allow_signal(int);
65946 @@ -2284,13 +2378,17 @@ static inline unsigned long *end_of_stac
65947
65948 #endif
65949
65950 -static inline int object_is_on_stack(void *obj)
65951 +static inline int object_starts_on_stack(void *obj)
65952 {
65953 - void *stack = task_stack_page(current);
65954 + const void *stack = task_stack_page(current);
65955
65956 return (obj >= stack) && (obj < (stack + THREAD_SIZE));
65957 }
65958
65959 +#ifdef CONFIG_PAX_USERCOPY
65960 +extern int object_is_on_stack(const void *obj, unsigned long len);
65961 +#endif
65962 +
65963 extern void thread_info_cache_init(void);
65964
65965 #ifdef CONFIG_DEBUG_STACK_USAGE
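Review bot: `object_starts_on_stack()` compares only the address of the first byte against the stack bounds, so an object that begins inside the stack and extends past `stack + THREAD_SIZE` still returns true. The new name hints at this, but nothing in the hunk states it. The length-aware `object_is_on_stack(const void *obj, unsigned long len)` is declared only under `CONFIG_PAX_USERCOPY`, so the old name is undeclared in other configurations and has a different arity where it does exist. I would add `/* checks the start address only; the object may extend beyond the stack */` above the inline, and make its parameter `const void *obj` to match the new declaration and the now-const local `stack`.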
65966 diff -urNp linux-2.6.32.49/include/linux/screen_info.h linux-2.6.32.49/include/linux/screen_info.h
65967 --- linux-2.6.32.49/include/linux/screen_info.h 2011-11-08 19:02:43.000000000 -0500
65968 +++ linux-2.6.32.49/include/linux/screen_info.h 2011-11-15 19:59:43.000000000 -0500
65969 @@ -42,7 +42,8 @@ struct screen_info {
65970 __u16 pages; /* 0x32 */
65971 __u16 vesa_attributes; /* 0x34 */
65972 __u32 capabilities; /* 0x36 */
65973 - __u8 _reserved[6]; /* 0x3a */
65974 + __u16 vesapm_size; /* 0x3a */
65975 + __u8 _reserved[4]; /* 0x3c */
65976 } __attribute__((packed));
65977
65978 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
65979 diff -urNp linux-2.6.32.49/include/linux/security.h linux-2.6.32.49/include/linux/security.h
65980 --- linux-2.6.32.49/include/linux/security.h 2011-11-08 19:02:43.000000000 -0500
65981 +++ linux-2.6.32.49/include/linux/security.h 2011-11-15 19:59:43.000000000 -0500
65982 @@ -34,6 +34,7 @@
65983 #include <linux/key.h>
65984 #include <linux/xfrm.h>
65985 #include <linux/gfp.h>
65986 +#include <linux/grsecurity.h>
65987 #include <net/flow.h>
65988
65989 /* Maximum number of letters for an LSM name string */
65990 diff -urNp linux-2.6.32.49/include/linux/seq_file.h linux-2.6.32.49/include/linux/seq_file.h
65991 --- linux-2.6.32.49/include/linux/seq_file.h 2011-11-08 19:02:43.000000000 -0500
65992 +++ linux-2.6.32.49/include/linux/seq_file.h 2011-11-15 19:59:43.000000000 -0500
65993 @@ -32,6 +32,7 @@ struct seq_operations {
65994 void * (*next) (struct seq_file *m, void *v, loff_t *pos);
65995 int (*show) (struct seq_file *m, void *v);
65996 };
65997 +typedef struct seq_operations __no_const seq_operations_no_const;
65998
65999 #define SEQ_SKIP 1
66000
66001 diff -urNp linux-2.6.32.49/include/linux/shm.h linux-2.6.32.49/include/linux/shm.h
66002 --- linux-2.6.32.49/include/linux/shm.h 2011-11-08 19:02:43.000000000 -0500
66003 +++ linux-2.6.32.49/include/linux/shm.h 2011-11-15 19:59:43.000000000 -0500
66004 @@ -95,6 +95,10 @@ struct shmid_kernel /* private to the ke
66005 pid_t shm_cprid;
66006 pid_t shm_lprid;
66007 struct user_struct *mlock_user;
66008 +#ifdef CONFIG_GRKERNSEC
66009 + time_t shm_createtime;
66010 + pid_t shm_lapid;
66011 +#endif
66012 };
66013
66014 /* shm_mode upper byte flags */
66015 diff -urNp linux-2.6.32.49/include/linux/skbuff.h linux-2.6.32.49/include/linux/skbuff.h
66016 --- linux-2.6.32.49/include/linux/skbuff.h 2011-11-08 19:02:43.000000000 -0500
66017 +++ linux-2.6.32.49/include/linux/skbuff.h 2011-11-15 19:59:43.000000000 -0500
66018 @@ -14,6 +14,7 @@
66019 #ifndef _LINUX_SKBUFF_H
66020 #define _LINUX_SKBUFF_H
66021
66022 +#include <linux/const.h>
66023 #include <linux/kernel.h>
66024 #include <linux/kmemcheck.h>
66025 #include <linux/compiler.h>
66026 @@ -544,7 +545,7 @@ static inline union skb_shared_tx *skb_t
66027 */
66028 static inline int skb_queue_empty(const struct sk_buff_head *list)
66029 {
66030 - return list->next == (struct sk_buff *)list;
66031 + return list->next == (const struct sk_buff *)list;
66032 }
66033
66034 /**
66035 @@ -557,7 +558,7 @@ static inline int skb_queue_empty(const
66036 static inline bool skb_queue_is_last(const struct sk_buff_head *list,
66037 const struct sk_buff *skb)
66038 {
66039 - return (skb->next == (struct sk_buff *) list);
66040 + return (skb->next == (const struct sk_buff *) list);
66041 }
66042
66043 /**
66044 @@ -570,7 +571,7 @@ static inline bool skb_queue_is_last(con
66045 static inline bool skb_queue_is_first(const struct sk_buff_head *list,
66046 const struct sk_buff *skb)
66047 {
66048 - return (skb->prev == (struct sk_buff *) list);
66049 + return (skb->prev == (const struct sk_buff *) list);
66050 }
66051
66052 /**
66053 @@ -1367,7 +1368,7 @@ static inline int skb_network_offset(con
66054 * headroom, you should not reduce this.
66055 */
66056 #ifndef NET_SKB_PAD
66057 -#define NET_SKB_PAD 32
66058 +#define NET_SKB_PAD (_AC(32,UL))
66059 #endif
66060
66061 extern int ___pskb_trim(struct sk_buff *skb, unsigned int len);
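Review bot: `NET_SKB_PAD` changes type here from a plain `int` constant to `unsigned long` via `_AC(32,UL)`, while the surrounding `#ifndef NET_SKB_PAD` still lets an architecture header supply its own value. The macro's type can therefore differ between builds, and signed/unsigned promotion in expressions that mix it with `int` lengths changes accordingly; no user is visible in this hunk, so the practical effect is unconfirmed. A short comment would record the requirement, for example `/* unsigned long on purpose; arch overrides of NET_SKB_PAD must use the same type */`. The comment block this sits under starts outside the hunk.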
66062 diff -urNp linux-2.6.32.49/include/linux/slab_def.h linux-2.6.32.49/include/linux/slab_def.h
66063 --- linux-2.6.32.49/include/linux/slab_def.h 2011-11-08 19:02:43.000000000 -0500
66064 +++ linux-2.6.32.49/include/linux/slab_def.h 2011-11-15 19:59:43.000000000 -0500
66065 @@ -69,10 +69,10 @@ struct kmem_cache {
66066 unsigned long node_allocs;
66067 unsigned long node_frees;
66068 unsigned long node_overflow;
66069 - atomic_t allochit;
66070 - atomic_t allocmiss;
66071 - atomic_t freehit;
66072 - atomic_t freemiss;
66073 + atomic_unchecked_t allochit;
66074 + atomic_unchecked_t allocmiss;
66075 + atomic_unchecked_t freehit;
66076 + atomic_unchecked_t freemiss;
66077
66078 /*
66079 * If debugging is enabled, then the allocator can add additional
66080 diff -urNp linux-2.6.32.49/include/linux/slab.h linux-2.6.32.49/include/linux/slab.h
66081 --- linux-2.6.32.49/include/linux/slab.h 2011-11-08 19:02:43.000000000 -0500
66082 +++ linux-2.6.32.49/include/linux/slab.h 2011-11-15 19:59:43.000000000 -0500
66083 @@ -11,12 +11,20 @@
66084
66085 #include <linux/gfp.h>
66086 #include <linux/types.h>
66087 +#include <linux/err.h>
66088
66089 /*
66090 * Flags to pass to kmem_cache_create().
66091 * The ones marked DEBUG are only valid if CONFIG_SLAB_DEBUG is set.
66092 */
66093 #define SLAB_DEBUG_FREE 0x00000100UL /* DEBUG: Perform (expensive) checks on free */
66094 +
66095 +#ifdef CONFIG_PAX_USERCOPY
66096 +#define SLAB_USERCOPY 0x00000200UL /* PaX: Allow copying objs to/from userland */
66097 +#else
66098 +#define SLAB_USERCOPY 0x00000000UL
66099 +#endif
66100 +
66101 #define SLAB_RED_ZONE 0x00000400UL /* DEBUG: Red zone objs in a cache */
66102 #define SLAB_POISON 0x00000800UL /* DEBUG: Poison objects */
66103 #define SLAB_HWCACHE_ALIGN 0x00002000UL /* Align objs on cache lines */
66104 @@ -82,10 +90,13 @@
66105 * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
66106 * Both make kfree a no-op.
66107 */
66108 -#define ZERO_SIZE_PTR ((void *)16)
66109 +#define ZERO_SIZE_PTR \
66110 +({ \
66111 + BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
66112 + (void *)(-MAX_ERRNO-1L); \
66113 +})
66114
66115 -#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
66116 - (unsigned long)ZERO_SIZE_PTR)
66117 +#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1)
66118
66119 /*
66120 * struct kmem_cache related prototypes
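Review bot: The new `ZERO_OR_NULL_PTR(x)` depends on unsigned wraparound, and nothing in the hunk explains it. `(unsigned long)(x) - 1` maps NULL to `ULONG_MAX`, so the macro is true for NULL and for every address from `ZERO_SIZE_PTR` upward. Since `ZERO_SIZE_PTR` is now `-MAX_ERRNO-1`, that range includes all `ERR_PTR` values, which is a wider contract than the old `<= 16` test and should be stated next to the macro. Proposed comment: `/* true for NULL and for any value >= ZERO_SIZE_PTR, which covers ERR_PTR values too; x - 1 wraps NULL to ULONG_MAX */`. Separately, `ZERO_SIZE_PTR` is now a statement expression, so it can no longer be used in a constant initializer or at file scope.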
66121 @@ -138,6 +149,7 @@ void * __must_check krealloc(const void
66122 void kfree(const void *);
66123 void kzfree(const void *);
66124 size_t ksize(const void *);
66125 +void check_object_size(const void *ptr, unsigned long n, bool to);
66126
66127 /*
66128 * Allocator specific definitions. These are mainly used to establish optimized
66129 @@ -328,4 +340,37 @@ static inline void *kzalloc_node(size_t
66130
66131 void __init kmem_cache_init_late(void);
66132
66133 +#define kmalloc(x, y) \
66134 +({ \
66135 + void *___retval; \
66136 + intoverflow_t ___x = (intoverflow_t)x; \
66137 + if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n"))\
66138 + ___retval = NULL; \
66139 + else \
66140 + ___retval = kmalloc((size_t)___x, (y)); \
66141 + ___retval; \
66142 +})
66143 +
66144 +#define kmalloc_node(x, y, z) \
66145 +({ \
66146 + void *___retval; \
66147 + intoverflow_t ___x = (intoverflow_t)x; \
66148 + if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
66149 + ___retval = NULL; \
66150 + else \
66151 + ___retval = kmalloc_node((size_t)___x, (y), (z));\
66152 + ___retval; \
66153 +})
66154 +
66155 +#define kzalloc(x, y) \
66156 +({ \
66157 + void *___retval; \
66158 + intoverflow_t ___x = (intoverflow_t)x; \
66159 + if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n"))\
66160 + ___retval = NULL; \
66161 + else \
66162 + ___retval = kzalloc((size_t)___x, (y)); \
66163 + ___retval; \
66164 +})
66165 +
66166 #endif /* _LINUX_SLAB_H */
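Review bot: In the `kmalloc`, `kmalloc_node` and `kzalloc` wrappers the size is captured as `(intoverflow_t)x` with no parentheses around `x`, so the cast binds only to the first operand of the caller's expression. That looks deliberate: for `kmalloc(n * size, ...)` the product is then evaluated in the wider type and can be compared with `ULONG_MAX`. It is undocumented and only widens a leading operand, though; in `hdr + n * size` the product is still computed in the original type and can wrap before the check sees it. `intoverflow_t` is defined outside this hunk, so the test cannot fire where it is no wider than `unsigned long`. I would add above the first macro `/* x is intentionally unparenthesized: the cast must bind to the first operand so the size expression is evaluated in intoverflow_t; only a leading operand is widened */`. The same pattern repeats in the seven `vmalloc*` wrappers added to include/linux/vmalloc.h.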
66167 diff -urNp linux-2.6.32.49/include/linux/slub_def.h linux-2.6.32.49/include/linux/slub_def.h
66168 --- linux-2.6.32.49/include/linux/slub_def.h 2011-11-08 19:02:43.000000000 -0500
66169 +++ linux-2.6.32.49/include/linux/slub_def.h 2011-11-15 19:59:43.000000000 -0500
66170 @@ -86,7 +86,7 @@ struct kmem_cache {
66171 struct kmem_cache_order_objects max;
66172 struct kmem_cache_order_objects min;
66173 gfp_t allocflags; /* gfp flags to use on each alloc */
66174 - int refcount; /* Refcount for slab cache destroy */
66175 + atomic_t refcount; /* Refcount for slab cache destroy */
66176 void (*ctor)(void *);
66177 int inuse; /* Offset to metadata */
66178 int align; /* Alignment */
66179 @@ -215,7 +215,7 @@ static __always_inline struct kmem_cache
66180 #endif
66181
66182 void *kmem_cache_alloc(struct kmem_cache *, gfp_t);
66183 -void *__kmalloc(size_t size, gfp_t flags);
66184 +void *__kmalloc(size_t size, gfp_t flags) __alloc_size(1);
66185
66186 #ifdef CONFIG_KMEMTRACE
66187 extern void *kmem_cache_alloc_notrace(struct kmem_cache *s, gfp_t gfpflags);
66188 diff -urNp linux-2.6.32.49/include/linux/sonet.h linux-2.6.32.49/include/linux/sonet.h
66189 --- linux-2.6.32.49/include/linux/sonet.h 2011-11-08 19:02:43.000000000 -0500
66190 +++ linux-2.6.32.49/include/linux/sonet.h 2011-11-15 19:59:43.000000000 -0500
66191 @@ -61,7 +61,7 @@ struct sonet_stats {
66192 #include <asm/atomic.h>
66193
66194 struct k_sonet_stats {
66195 -#define __HANDLE_ITEM(i) atomic_t i
66196 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
66197 __SONET_ITEMS
66198 #undef __HANDLE_ITEM
66199 };
66200 diff -urNp linux-2.6.32.49/include/linux/sunrpc/cache.h linux-2.6.32.49/include/linux/sunrpc/cache.h
66201 --- linux-2.6.32.49/include/linux/sunrpc/cache.h 2011-11-08 19:02:43.000000000 -0500
66202 +++ linux-2.6.32.49/include/linux/sunrpc/cache.h 2011-11-15 19:59:43.000000000 -0500
66203 @@ -125,7 +125,7 @@ struct cache_detail {
66204 */
66205 struct cache_req {
66206 struct cache_deferred_req *(*defer)(struct cache_req *req);
66207 -};
66208 +} __no_const;
66209 /* this must be embedded in a deferred_request that is being
66210 * delayed awaiting cache-fill
66211 */
66212 diff -urNp linux-2.6.32.49/include/linux/sunrpc/clnt.h linux-2.6.32.49/include/linux/sunrpc/clnt.h
66213 --- linux-2.6.32.49/include/linux/sunrpc/clnt.h 2011-11-08 19:02:43.000000000 -0500
66214 +++ linux-2.6.32.49/include/linux/sunrpc/clnt.h 2011-11-15 19:59:43.000000000 -0500
66215 @@ -167,9 +167,9 @@ static inline unsigned short rpc_get_por
66216 {
66217 switch (sap->sa_family) {
66218 case AF_INET:
66219 - return ntohs(((struct sockaddr_in *)sap)->sin_port);
66220 + return ntohs(((const struct sockaddr_in *)sap)->sin_port);
66221 case AF_INET6:
66222 - return ntohs(((struct sockaddr_in6 *)sap)->sin6_port);
66223 + return ntohs(((const struct sockaddr_in6 *)sap)->sin6_port);
66224 }
66225 return 0;
66226 }
66227 @@ -202,7 +202,7 @@ static inline bool __rpc_cmp_addr4(const
66228 static inline bool __rpc_copy_addr4(struct sockaddr *dst,
66229 const struct sockaddr *src)
66230 {
66231 - const struct sockaddr_in *ssin = (struct sockaddr_in *) src;
66232 + const struct sockaddr_in *ssin = (const struct sockaddr_in *) src;
66233 struct sockaddr_in *dsin = (struct sockaddr_in *) dst;
66234
66235 dsin->sin_family = ssin->sin_family;
66236 @@ -299,7 +299,7 @@ static inline u32 rpc_get_scope_id(const
66237 if (sa->sa_family != AF_INET6)
66238 return 0;
66239
66240 - return ((struct sockaddr_in6 *) sa)->sin6_scope_id;
66241 + return ((const struct sockaddr_in6 *) sa)->sin6_scope_id;
66242 }
66243
66244 #endif /* __KERNEL__ */
66245 diff -urNp linux-2.6.32.49/include/linux/sunrpc/svc_rdma.h linux-2.6.32.49/include/linux/sunrpc/svc_rdma.h
66246 --- linux-2.6.32.49/include/linux/sunrpc/svc_rdma.h 2011-11-08 19:02:43.000000000 -0500
66247 +++ linux-2.6.32.49/include/linux/sunrpc/svc_rdma.h 2011-11-15 19:59:43.000000000 -0500
66248 @@ -53,15 +53,15 @@ extern unsigned int svcrdma_ord;
66249 extern unsigned int svcrdma_max_requests;
66250 extern unsigned int svcrdma_max_req_size;
66251
66252 -extern atomic_t rdma_stat_recv;
66253 -extern atomic_t rdma_stat_read;
66254 -extern atomic_t rdma_stat_write;
66255 -extern atomic_t rdma_stat_sq_starve;
66256 -extern atomic_t rdma_stat_rq_starve;
66257 -extern atomic_t rdma_stat_rq_poll;
66258 -extern atomic_t rdma_stat_rq_prod;
66259 -extern atomic_t rdma_stat_sq_poll;
66260 -extern atomic_t rdma_stat_sq_prod;
66261 +extern atomic_unchecked_t rdma_stat_recv;
66262 +extern atomic_unchecked_t rdma_stat_read;
66263 +extern atomic_unchecked_t rdma_stat_write;
66264 +extern atomic_unchecked_t rdma_stat_sq_starve;
66265 +extern atomic_unchecked_t rdma_stat_rq_starve;
66266 +extern atomic_unchecked_t rdma_stat_rq_poll;
66267 +extern atomic_unchecked_t rdma_stat_rq_prod;
66268 +extern atomic_unchecked_t rdma_stat_sq_poll;
66269 +extern atomic_unchecked_t rdma_stat_sq_prod;
66270
66271 #define RPCRDMA_VERSION 1
66272
66273 diff -urNp linux-2.6.32.49/include/linux/suspend.h linux-2.6.32.49/include/linux/suspend.h
66274 --- linux-2.6.32.49/include/linux/suspend.h 2011-11-08 19:02:43.000000000 -0500
66275 +++ linux-2.6.32.49/include/linux/suspend.h 2011-11-15 19:59:43.000000000 -0500
66276 @@ -104,15 +104,15 @@ typedef int __bitwise suspend_state_t;
66277 * which require special recovery actions in that situation.
66278 */
66279 struct platform_suspend_ops {
66280 - int (*valid)(suspend_state_t state);
66281 - int (*begin)(suspend_state_t state);
66282 - int (*prepare)(void);
66283 - int (*prepare_late)(void);
66284 - int (*enter)(suspend_state_t state);
66285 - void (*wake)(void);
66286 - void (*finish)(void);
66287 - void (*end)(void);
66288 - void (*recover)(void);
66289 + int (* const valid)(suspend_state_t state);
66290 + int (* const begin)(suspend_state_t state);
66291 + int (* const prepare)(void);
66292 + int (* const prepare_late)(void);
66293 + int (* const enter)(suspend_state_t state);
66294 + void (* const wake)(void);
66295 + void (* const finish)(void);
66296 + void (* const end)(void);
66297 + void (* const recover)(void);
66298 };
66299
66300 #ifdef CONFIG_SUSPEND
66301 @@ -120,7 +120,7 @@ struct platform_suspend_ops {
66302 * suspend_set_ops - set platform dependent suspend operations
66303 * @ops: The new suspend operations to set.
66304 */
66305 -extern void suspend_set_ops(struct platform_suspend_ops *ops);
66306 +extern void suspend_set_ops(const struct platform_suspend_ops *ops);
66307 extern int suspend_valid_only_mem(suspend_state_t state);
66308
66309 /**
66310 @@ -145,7 +145,7 @@ extern int pm_suspend(suspend_state_t st
66311 #else /* !CONFIG_SUSPEND */
66312 #define suspend_valid_only_mem NULL
66313
66314 -static inline void suspend_set_ops(struct platform_suspend_ops *ops) {}
66315 +static inline void suspend_set_ops(const struct platform_suspend_ops *ops) {}
66316 static inline int pm_suspend(suspend_state_t state) { return -ENOSYS; }
66317 #endif /* !CONFIG_SUSPEND */
66318
66319 @@ -215,16 +215,16 @@ extern void mark_free_pages(struct zone
66320 * platforms which require special recovery actions in that situation.
66321 */
66322 struct platform_hibernation_ops {
66323 - int (*begin)(void);
66324 - void (*end)(void);
66325 - int (*pre_snapshot)(void);
66326 - void (*finish)(void);
66327 - int (*prepare)(void);
66328 - int (*enter)(void);
66329 - void (*leave)(void);
66330 - int (*pre_restore)(void);
66331 - void (*restore_cleanup)(void);
66332 - void (*recover)(void);
66333 + int (* const begin)(void);
66334 + void (* const end)(void);
66335 + int (* const pre_snapshot)(void);
66336 + void (* const finish)(void);
66337 + int (* const prepare)(void);
66338 + int (* const enter)(void);
66339 + void (* const leave)(void);
66340 + int (* const pre_restore)(void);
66341 + void (* const restore_cleanup)(void);
66342 + void (* const recover)(void);
66343 };
66344
66345 #ifdef CONFIG_HIBERNATION
66346 @@ -243,7 +243,7 @@ extern void swsusp_set_page_free(struct
66347 extern void swsusp_unset_page_free(struct page *);
66348 extern unsigned long get_safe_page(gfp_t gfp_mask);
66349
66350 -extern void hibernation_set_ops(struct platform_hibernation_ops *ops);
66351 +extern void hibernation_set_ops(const struct platform_hibernation_ops *ops);
66352 extern int hibernate(void);
66353 extern bool system_entering_hibernation(void);
66354 #else /* CONFIG_HIBERNATION */
66355 @@ -251,7 +251,7 @@ static inline int swsusp_page_is_forbidd
66356 static inline void swsusp_set_page_free(struct page *p) {}
66357 static inline void swsusp_unset_page_free(struct page *p) {}
66358
66359 -static inline void hibernation_set_ops(struct platform_hibernation_ops *ops) {}
66360 +static inline void hibernation_set_ops(const struct platform_hibernation_ops *ops) {}
66361 static inline int hibernate(void) { return -ENOSYS; }
66362 static inline bool system_entering_hibernation(void) { return false; }
66363 #endif /* CONFIG_HIBERNATION */
66364 diff -urNp linux-2.6.32.49/include/linux/sysctl.h linux-2.6.32.49/include/linux/sysctl.h
66365 --- linux-2.6.32.49/include/linux/sysctl.h 2011-11-08 19:02:43.000000000 -0500
66366 +++ linux-2.6.32.49/include/linux/sysctl.h 2011-11-15 19:59:43.000000000 -0500
66367 @@ -164,7 +164,11 @@ enum
66368 KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
66369 };
66370
66371 -
66372 +#ifdef CONFIG_PAX_SOFTMODE
66373 +enum {
66374 + PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
66375 +};
66376 +#endif
66377
66378 /* CTL_VM names: */
66379 enum
66380 @@ -982,6 +986,8 @@ typedef int proc_handler (struct ctl_tab
66381
66382 extern int proc_dostring(struct ctl_table *, int,
66383 void __user *, size_t *, loff_t *);
66384 +extern int proc_dostring_modpriv(struct ctl_table *, int,
66385 + void __user *, size_t *, loff_t *);
66386 extern int proc_dointvec(struct ctl_table *, int,
66387 void __user *, size_t *, loff_t *);
66388 extern int proc_dointvec_minmax(struct ctl_table *, int,
66389 @@ -1003,6 +1009,7 @@ extern int do_sysctl (int __user *name,
66390
66391 extern ctl_handler sysctl_data;
66392 extern ctl_handler sysctl_string;
66393 +extern ctl_handler sysctl_string_modpriv;
66394 extern ctl_handler sysctl_intvec;
66395 extern ctl_handler sysctl_jiffies;
66396 extern ctl_handler sysctl_ms_jiffies;
66397 diff -urNp linux-2.6.32.49/include/linux/sysfs.h linux-2.6.32.49/include/linux/sysfs.h
66398 --- linux-2.6.32.49/include/linux/sysfs.h 2011-11-08 19:02:43.000000000 -0500
66399 +++ linux-2.6.32.49/include/linux/sysfs.h 2011-11-15 19:59:43.000000000 -0500
66400 @@ -75,8 +75,8 @@ struct bin_attribute {
66401 };
66402
66403 struct sysfs_ops {
66404 - ssize_t (*show)(struct kobject *, struct attribute *,char *);
66405 - ssize_t (*store)(struct kobject *,struct attribute *,const char *, size_t);
66406 + ssize_t (* const show)(struct kobject *, struct attribute *,char *);
66407 + ssize_t (* const store)(struct kobject *,struct attribute *,const char *, size_t);
66408 };
66409
66410 struct sysfs_dirent;
66411 diff -urNp linux-2.6.32.49/include/linux/thread_info.h linux-2.6.32.49/include/linux/thread_info.h
66412 --- linux-2.6.32.49/include/linux/thread_info.h 2011-11-08 19:02:43.000000000 -0500
66413 +++ linux-2.6.32.49/include/linux/thread_info.h 2011-11-15 19:59:43.000000000 -0500
66414 @@ -23,7 +23,7 @@ struct restart_block {
66415 };
66416 /* For futex_wait and futex_wait_requeue_pi */
66417 struct {
66418 - u32 *uaddr;
66419 + u32 __user *uaddr;
66420 u32 val;
66421 u32 flags;
66422 u32 bitset;
66423 diff -urNp linux-2.6.32.49/include/linux/tty.h linux-2.6.32.49/include/linux/tty.h
66424 --- linux-2.6.32.49/include/linux/tty.h 2011-11-08 19:02:43.000000000 -0500
66425 +++ linux-2.6.32.49/include/linux/tty.h 2011-11-15 19:59:43.000000000 -0500
66426 @@ -493,7 +493,6 @@ extern void tty_ldisc_begin(void);
66427 /* This last one is just for the tty layer internals and shouldn't be used elsewhere */
66428 extern void tty_ldisc_enable(struct tty_struct *tty);
66429
66430 -
66431 /* n_tty.c */
66432 extern struct tty_ldisc_ops tty_ldisc_N_TTY;
66433
66434 diff -urNp linux-2.6.32.49/include/linux/tty_ldisc.h linux-2.6.32.49/include/linux/tty_ldisc.h
66435 --- linux-2.6.32.49/include/linux/tty_ldisc.h 2011-11-08 19:02:43.000000000 -0500
66436 +++ linux-2.6.32.49/include/linux/tty_ldisc.h 2011-11-15 19:59:43.000000000 -0500
66437 @@ -139,7 +139,7 @@ struct tty_ldisc_ops {
66438
66439 struct module *owner;
66440
66441 - int refcount;
66442 + atomic_t refcount;
66443 };
66444
66445 struct tty_ldisc {
66446 diff -urNp linux-2.6.32.49/include/linux/types.h linux-2.6.32.49/include/linux/types.h
66447 --- linux-2.6.32.49/include/linux/types.h 2011-11-08 19:02:43.000000000 -0500
66448 +++ linux-2.6.32.49/include/linux/types.h 2011-11-15 19:59:43.000000000 -0500
66449 @@ -191,10 +191,26 @@ typedef struct {
66450 volatile int counter;
66451 } atomic_t;
66452
66453 +#ifdef CONFIG_PAX_REFCOUNT
66454 +typedef struct {
66455 + volatile int counter;
66456 +} atomic_unchecked_t;
66457 +#else
66458 +typedef atomic_t atomic_unchecked_t;
66459 +#endif
66460 +
66461 #ifdef CONFIG_64BIT
66462 typedef struct {
66463 volatile long counter;
66464 } atomic64_t;
66465 +
66466 +#ifdef CONFIG_PAX_REFCOUNT
66467 +typedef struct {
66468 + volatile long counter;
66469 +} atomic64_unchecked_t;
66470 +#else
66471 +typedef atomic64_t atomic64_unchecked_t;
66472 +#endif
66473 #endif
66474
66475 struct ustat {
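Review bot: `atomic_unchecked_t` and `atomic64_unchecked_t` are introduced without any comment saying which counters may use them. With `CONFIG_PAX_REFCOUNT` they are distinct struct types, so mixing them with `atomic_t` is a compile error. Without it they are plain typedef aliases and a mix-up compiles silently, so a wrong conversion is caught in one configuration only. Judging from the conversions elsewhere in this patch (slab hit/miss counters, RDMA statistics) they appear intended for counters whose wraparound is harmless. I would say so at the definition: `/* exempt from PAX_REFCOUNT overflow checking: statistics only, never counters that control object lifetime */`. The `atomic_t` definition these mirror begins above the hunk.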
66476 diff -urNp linux-2.6.32.49/include/linux/uaccess.h linux-2.6.32.49/include/linux/uaccess.h
66477 --- linux-2.6.32.49/include/linux/uaccess.h 2011-11-08 19:02:43.000000000 -0500
66478 +++ linux-2.6.32.49/include/linux/uaccess.h 2011-11-15 19:59:43.000000000 -0500
66479 @@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
66480 long ret; \
66481 mm_segment_t old_fs = get_fs(); \
66482 \
66483 - set_fs(KERNEL_DS); \
66484 pagefault_disable(); \
66485 - ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
66486 - pagefault_enable(); \
66487 + set_fs(KERNEL_DS); \
66488 + ret = __copy_from_user_inatomic(&(retval), (typeof(retval) __force_user *)(addr), sizeof(retval)); \
66489 set_fs(old_fs); \
66490 + pagefault_enable(); \
66491 ret; \
66492 })
66493
66494 @@ -93,7 +93,7 @@ static inline unsigned long __copy_from_
66495 * Safely read from address @src to the buffer at @dst. If a kernel fault
66496 * happens, handle that and return -EFAULT.
66497 */
66498 -extern long probe_kernel_read(void *dst, void *src, size_t size);
66499 +extern long probe_kernel_read(void *dst, const void *src, size_t size);
66500
66501 /*
66502 * probe_kernel_write(): safely attempt to write to a location
66503 @@ -104,6 +104,6 @@ extern long probe_kernel_read(void *dst,
66504 * Safely write to address @dst from the buffer at @src. If a kernel fault
66505 * happens, handle that and return -EFAULT.
66506 */
66507 -extern long probe_kernel_write(void *dst, void *src, size_t size);
66508 +extern long probe_kernel_write(void *dst, const void *src, size_t size);
66509
66510 #endif /* __LINUX_UACCESS_H__ */
66511 diff -urNp linux-2.6.32.49/include/linux/unaligned/access_ok.h linux-2.6.32.49/include/linux/unaligned/access_ok.h
66512 --- linux-2.6.32.49/include/linux/unaligned/access_ok.h 2011-11-08 19:02:43.000000000 -0500
66513 +++ linux-2.6.32.49/include/linux/unaligned/access_ok.h 2011-11-15 19:59:43.000000000 -0500
66514 @@ -6,32 +6,32 @@
66515
66516 static inline u16 get_unaligned_le16(const void *p)
66517 {
66518 - return le16_to_cpup((__le16 *)p);
66519 + return le16_to_cpup((const __le16 *)p);
66520 }
66521
66522 static inline u32 get_unaligned_le32(const void *p)
66523 {
66524 - return le32_to_cpup((__le32 *)p);
66525 + return le32_to_cpup((const __le32 *)p);
66526 }
66527
66528 static inline u64 get_unaligned_le64(const void *p)
66529 {
66530 - return le64_to_cpup((__le64 *)p);
66531 + return le64_to_cpup((const __le64 *)p);
66532 }
66533
66534 static inline u16 get_unaligned_be16(const void *p)
66535 {
66536 - return be16_to_cpup((__be16 *)p);
66537 + return be16_to_cpup((const __be16 *)p);
66538 }
66539
66540 static inline u32 get_unaligned_be32(const void *p)
66541 {
66542 - return be32_to_cpup((__be32 *)p);
66543 + return be32_to_cpup((const __be32 *)p);
66544 }
66545
66546 static inline u64 get_unaligned_be64(const void *p)
66547 {
66548 - return be64_to_cpup((__be64 *)p);
66549 + return be64_to_cpup((const __be64 *)p);
66550 }
66551
66552 static inline void put_unaligned_le16(u16 val, void *p)
66553 diff -urNp linux-2.6.32.49/include/linux/vermagic.h linux-2.6.32.49/include/linux/vermagic.h
66554 --- linux-2.6.32.49/include/linux/vermagic.h 2011-11-08 19:02:43.000000000 -0500
66555 +++ linux-2.6.32.49/include/linux/vermagic.h 2011-11-18 18:09:44.000000000 -0500
66556 @@ -26,9 +26,35 @@
66557 #define MODULE_ARCH_VERMAGIC ""
66558 #endif
66559
66560 +#ifdef CONFIG_PAX_REFCOUNT
66561 +#define MODULE_PAX_REFCOUNT "REFCOUNT "
66562 +#else
66563 +#define MODULE_PAX_REFCOUNT ""
66564 +#endif
66565 +
66566 +#ifdef CONSTIFY_PLUGIN
66567 +#define MODULE_CONSTIFY_PLUGIN "CONSTIFY_PLUGIN "
66568 +#else
66569 +#define MODULE_CONSTIFY_PLUGIN ""
66570 +#endif
66571 +
66572 +#ifdef STACKLEAK_PLUGIN
66573 +#define MODULE_STACKLEAK_PLUGIN "STACKLEAK_PLUGIN "
66574 +#else
66575 +#define MODULE_STACKLEAK_PLUGIN ""
66576 +#endif
66577 +
66578 +#ifdef CONFIG_GRKERNSEC
66579 +#define MODULE_GRSEC "GRSEC "
66580 +#else
66581 +#define MODULE_GRSEC ""
66582 +#endif
66583 +
66584 #define VERMAGIC_STRING \
66585 UTS_RELEASE " " \
66586 MODULE_VERMAGIC_SMP MODULE_VERMAGIC_PREEMPT \
66587 MODULE_VERMAGIC_MODULE_UNLOAD MODULE_VERMAGIC_MODVERSIONS \
66588 - MODULE_ARCH_VERMAGIC
66589 + MODULE_ARCH_VERMAGIC \
66590 + MODULE_PAX_REFCOUNT MODULE_CONSTIFY_PLUGIN MODULE_STACKLEAK_PLUGIN \
66591 + MODULE_GRSEC
66592
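Review bot: `MODULE_CONSTIFY_PLUGIN` and `MODULE_STACKLEAK_PLUGIN` are keyed on `CONSTIFY_PLUGIN` and `STACKLEAK_PLUGIN`, which are not `CONFIG_` symbols and are not defined anywhere in this hunk. They presumably arrive from the compiler command line, so a module built without the same defines would carry a different vermagic string from the kernel. The hunk also gives no reason why these four features belong in the version magic. If the intent is that each one changes types or code generation shared with modules, a comment above the block should say so and name where the two plugin macros are set, e.g. `/* each tag marks an option that changes the kernel/module ABI; *_PLUGIN are passed by the build system */`.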
66593 diff -urNp linux-2.6.32.49/include/linux/vmalloc.h linux-2.6.32.49/include/linux/vmalloc.h
66594 --- linux-2.6.32.49/include/linux/vmalloc.h 2011-11-26 19:44:53.000000000 -0500
66595 +++ linux-2.6.32.49/include/linux/vmalloc.h 2011-11-26 19:46:42.000000000 -0500
66596 @@ -14,6 +14,11 @@ struct vm_area_struct; /* vma defining
66597 #define VM_USERMAP 0x00000008 /* suitable for remap_vmalloc_range */
66598 #define VM_VPAGES 0x00000010 /* buffer for pages was vmalloc'ed */
66599 #define VM_UNLIST 0x00000020 /* vm_struct is not listed in vmlist */
66600 +
66601 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
66602 +#define VM_KERNEXEC 0x00000040 /* allocate from executable kernel memory range */
66603 +#endif
66604 +
66605 /* bits [20..32] reserved for arch specific ioremap internals */
66606
66607 /*
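Review bot: `VM_KERNEXEC` is defined only when `CONFIG_MODULES`, `CONFIG_X86` and `CONFIG_PAX_KERNEXEC` are all set, with no fallback, so every user of the flag has to repeat the same three-way `#if`. `SLAB_USERCOPY` in include/linux/slab.h in this same patch takes the other approach and defines the flag as `0x00000000UL` when its option is off. Adding `#else` followed by `#define VM_KERNEXEC 0x00000000` before the `#endif` would let callers pass and test the flag unconditionally, and would keep the two headers consistent.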
66608 @@ -124,4 +129,81 @@ struct vm_struct **pcpu_get_vm_areas(con
66609
66610 void pcpu_free_vm_areas(struct vm_struct **vms, int nr_vms);
66611
66612 +#define vmalloc(x) \
66613 +({ \
66614 + void *___retval; \
66615 + intoverflow_t ___x = (intoverflow_t)x; \
66616 + if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n")) \
66617 + ___retval = NULL; \
66618 + else \
66619 + ___retval = vmalloc((unsigned long)___x); \
66620 + ___retval; \
66621 +})
66622 +
66623 +#define __vmalloc(x, y, z) \
66624 +({ \
66625 + void *___retval; \
66626 + intoverflow_t ___x = (intoverflow_t)x; \
66627 + if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
66628 + ___retval = NULL; \
66629 + else \
66630 + ___retval = __vmalloc((unsigned long)___x, (y), (z));\
66631 + ___retval; \
66632 +})
66633 +
66634 +#define vmalloc_user(x) \
66635 +({ \
66636 + void *___retval; \
66637 + intoverflow_t ___x = (intoverflow_t)x; \
66638 + if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
66639 + ___retval = NULL; \
66640 + else \
66641 + ___retval = vmalloc_user((unsigned long)___x); \
66642 + ___retval; \
66643 +})
66644 +
66645 +#define vmalloc_exec(x) \
66646 +({ \
66647 + void *___retval; \
66648 + intoverflow_t ___x = (intoverflow_t)x; \
66649 + if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
66650 + ___retval = NULL; \
66651 + else \
66652 + ___retval = vmalloc_exec((unsigned long)___x); \
66653 + ___retval; \
66654 +})
66655 +
66656 +#define vmalloc_node(x, y) \
66657 +({ \
66658 + void *___retval; \
66659 + intoverflow_t ___x = (intoverflow_t)x; \
66660 + if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
66661 + ___retval = NULL; \
66662 + else \
66663 + ___retval = vmalloc_node((unsigned long)___x, (y));\
66664 + ___retval; \
66665 +})
66666 +
66667 +#define vmalloc_32(x) \
66668 +({ \
66669 + void *___retval; \
66670 + intoverflow_t ___x = (intoverflow_t)x; \
66671 + if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
66672 + ___retval = NULL; \
66673 + else \
66674 + ___retval = vmalloc_32((unsigned long)___x); \
66675 + ___retval; \
66676 +})
66677 +
66678 +#define vmalloc_32_user(x) \
66679 +({ \
66680 + void *___retval; \
66681 + intoverflow_t ___x = (intoverflow_t)x; \
66682 + if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
66683 + ___retval = NULL; \
66684 + else \
66685 + ___retval = vmalloc_32_user((unsigned long)___x);\
66686 + ___retval; \
66687 +})
66688 +
66689 #endif /* _LINUX_VMALLOC_H */
66690 diff -urNp linux-2.6.32.49/include/linux/vmstat.h linux-2.6.32.49/include/linux/vmstat.h
66691 --- linux-2.6.32.49/include/linux/vmstat.h 2011-11-08 19:02:43.000000000 -0500
66692 +++ linux-2.6.32.49/include/linux/vmstat.h 2011-11-15 19:59:43.000000000 -0500
66693 @@ -136,18 +136,18 @@ static inline void vm_events_fold_cpu(in
66694 /*
66695 * Zone based page accounting with per cpu differentials.
66696 */
66697 -extern atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
66698 +extern atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
66699
66700 static inline void zone_page_state_add(long x, struct zone *zone,
66701 enum zone_stat_item item)
66702 {
66703 - atomic_long_add(x, &zone->vm_stat[item]);
66704 - atomic_long_add(x, &vm_stat[item]);
66705 + atomic_long_add_unchecked(x, &zone->vm_stat[item]);
66706 + atomic_long_add_unchecked(x, &vm_stat[item]);
66707 }
66708
66709 static inline unsigned long global_page_state(enum zone_stat_item item)
66710 {
66711 - long x = atomic_long_read(&vm_stat[item]);
66712 + long x = atomic_long_read_unchecked(&vm_stat[item]);
66713 #ifdef CONFIG_SMP
66714 if (x < 0)
66715 x = 0;
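Review bot: The switch of `vm_stat` to `atomic_long_unchecked_t` is not explained anywhere in the hunk, so a later reader cannot tell a deliberate exemption from overflow checking apart from an accidental one. A short comment above the extern declaration would record the reasoning, for example `/* statistics only, never a reference count: wrap-around is harmless */`, assuming that is indeed the justification. The same applies to the `zone->vm_stat` accessors changed in the later hunks of this file. The body of global_page_state continues past the end of this hunk.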
66716 @@ -158,7 +158,7 @@ static inline unsigned long global_page_
66717 static inline unsigned long zone_page_state(struct zone *zone,
66718 enum zone_stat_item item)
66719 {
66720 - long x = atomic_long_read(&zone->vm_stat[item]);
66721 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
66722 #ifdef CONFIG_SMP
66723 if (x < 0)
66724 x = 0;
66725 @@ -175,7 +175,7 @@ static inline unsigned long zone_page_st
66726 static inline unsigned long zone_page_state_snapshot(struct zone *zone,
66727 enum zone_stat_item item)
66728 {
66729 - long x = atomic_long_read(&zone->vm_stat[item]);
66730 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
66731
66732 #ifdef CONFIG_SMP
66733 int cpu;
66734 @@ -264,8 +264,8 @@ static inline void __mod_zone_page_state
66735
66736 static inline void __inc_zone_state(struct zone *zone, enum zone_stat_item item)
66737 {
66738 - atomic_long_inc(&zone->vm_stat[item]);
66739 - atomic_long_inc(&vm_stat[item]);
66740 + atomic_long_inc_unchecked(&zone->vm_stat[item]);
66741 + atomic_long_inc_unchecked(&vm_stat[item]);
66742 }
66743
66744 static inline void __inc_zone_page_state(struct page *page,
66745 @@ -276,8 +276,8 @@ static inline void __inc_zone_page_state
66746
66747 static inline void __dec_zone_state(struct zone *zone, enum zone_stat_item item)
66748 {
66749 - atomic_long_dec(&zone->vm_stat[item]);
66750 - atomic_long_dec(&vm_stat[item]);
66751 + atomic_long_dec_unchecked(&zone->vm_stat[item]);
66752 + atomic_long_dec_unchecked(&vm_stat[item]);
66753 }
66754
66755 static inline void __dec_zone_page_state(struct page *page,
66756 diff -urNp linux-2.6.32.49/include/media/saa7146_vv.h linux-2.6.32.49/include/media/saa7146_vv.h
66757 --- linux-2.6.32.49/include/media/saa7146_vv.h 2011-11-08 19:02:43.000000000 -0500
66758 +++ linux-2.6.32.49/include/media/saa7146_vv.h 2011-11-15 19:59:43.000000000 -0500
66759 @@ -167,7 +167,7 @@ struct saa7146_ext_vv
66760 int (*std_callback)(struct saa7146_dev*, struct saa7146_standard *);
66761
66762 /* the extension can override this */
66763 - struct v4l2_ioctl_ops ops;
66764 + v4l2_ioctl_ops_no_const ops;
66765 /* pointer to the saa7146 core ops */
66766 const struct v4l2_ioctl_ops *core_ops;
66767
66768 diff -urNp linux-2.6.32.49/include/media/v4l2-dev.h linux-2.6.32.49/include/media/v4l2-dev.h
66769 --- linux-2.6.32.49/include/media/v4l2-dev.h 2011-11-08 19:02:43.000000000 -0500
66770 +++ linux-2.6.32.49/include/media/v4l2-dev.h 2011-11-15 19:59:43.000000000 -0500
66771 @@ -34,7 +34,7 @@ struct v4l2_device;
66772 #define V4L2_FL_UNREGISTERED (0)
66773
66774 struct v4l2_file_operations {
66775 - struct module *owner;
66776 + struct module * const owner;
66777 ssize_t (*read) (struct file *, char __user *, size_t, loff_t *);
66778 ssize_t (*write) (struct file *, const char __user *, size_t, loff_t *);
66779 unsigned int (*poll) (struct file *, struct poll_table_struct *);
66780 @@ -46,6 +46,7 @@ struct v4l2_file_operations {
66781 int (*open) (struct file *);
66782 int (*release) (struct file *);
66783 };
66784 +typedef struct v4l2_file_operations __no_const v4l2_file_operations_no_const;
66785
66786 /*
66787 * Newer version of video_device, handled by videodev2.c
66788 diff -urNp linux-2.6.32.49/include/media/v4l2-device.h linux-2.6.32.49/include/media/v4l2-device.h
66789 --- linux-2.6.32.49/include/media/v4l2-device.h 2011-11-08 19:02:43.000000000 -0500
66790 +++ linux-2.6.32.49/include/media/v4l2-device.h 2011-11-15 19:59:43.000000000 -0500
66791 @@ -71,7 +71,7 @@ int __must_check v4l2_device_register(st
66792 this function returns 0. If the name ends with a digit (e.g. cx18),
66793 then the name will be set to cx18-0 since cx180 looks really odd. */
66794 int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename,
66795 - atomic_t *instance);
66796 + atomic_unchecked_t *instance);
66797
66798 /* Set v4l2_dev->dev to NULL. Call when the USB parent disconnects.
66799 Since the parent disappears this ensures that v4l2_dev doesn't have an
66800 diff -urNp linux-2.6.32.49/include/media/v4l2-ioctl.h linux-2.6.32.49/include/media/v4l2-ioctl.h
66801 --- linux-2.6.32.49/include/media/v4l2-ioctl.h 2011-11-08 19:02:43.000000000 -0500
66802 +++ linux-2.6.32.49/include/media/v4l2-ioctl.h 2011-11-15 19:59:43.000000000 -0500
66803 @@ -243,6 +243,7 @@ struct v4l2_ioctl_ops {
66804 long (*vidioc_default) (struct file *file, void *fh,
66805 int cmd, void *arg);
66806 };
66807 +typedef struct v4l2_ioctl_ops __no_const v4l2_ioctl_ops_no_const;
66808
66809
66810 /* v4l debugging and diagnostics */
66811 diff -urNp linux-2.6.32.49/include/net/flow.h linux-2.6.32.49/include/net/flow.h
66812 --- linux-2.6.32.49/include/net/flow.h 2011-11-08 19:02:43.000000000 -0500
66813 +++ linux-2.6.32.49/include/net/flow.h 2011-11-15 19:59:43.000000000 -0500
66814 @@ -92,7 +92,7 @@ typedef int (*flow_resolve_t)(struct net
66815 extern void *flow_cache_lookup(struct net *net, struct flowi *key, u16 family,
66816 u8 dir, flow_resolve_t resolver);
66817 extern void flow_cache_flush(void);
66818 -extern atomic_t flow_cache_genid;
66819 +extern atomic_unchecked_t flow_cache_genid;
66820
66821 static inline int flow_cache_uli_match(struct flowi *fl1, struct flowi *fl2)
66822 {
66823 diff -urNp linux-2.6.32.49/include/net/inetpeer.h linux-2.6.32.49/include/net/inetpeer.h
66824 --- linux-2.6.32.49/include/net/inetpeer.h 2011-11-08 19:02:43.000000000 -0500
66825 +++ linux-2.6.32.49/include/net/inetpeer.h 2011-11-15 19:59:43.000000000 -0500
66826 @@ -24,7 +24,7 @@ struct inet_peer
66827 __u32 dtime; /* the time of last use of not
66828 * referenced entries */
66829 atomic_t refcnt;
66830 - atomic_t rid; /* Frag reception counter */
66831 + atomic_unchecked_t rid; /* Frag reception counter */
66832 __u32 tcp_ts;
66833 unsigned long tcp_ts_stamp;
66834 };
66835 diff -urNp linux-2.6.32.49/include/net/ip_vs.h linux-2.6.32.49/include/net/ip_vs.h
66836 --- linux-2.6.32.49/include/net/ip_vs.h 2011-11-08 19:02:43.000000000 -0500
66837 +++ linux-2.6.32.49/include/net/ip_vs.h 2011-11-15 19:59:43.000000000 -0500
66838 @@ -365,7 +365,7 @@ struct ip_vs_conn {
66839 struct ip_vs_conn *control; /* Master control connection */
66840 atomic_t n_control; /* Number of controlled ones */
66841 struct ip_vs_dest *dest; /* real server */
66842 - atomic_t in_pkts; /* incoming packet counter */
66843 + atomic_unchecked_t in_pkts; /* incoming packet counter */
66844
66845 /* packet transmitter for different forwarding methods. If it
66846 mangles the packet, it must return NF_DROP or better NF_STOLEN,
66847 @@ -466,7 +466,7 @@ struct ip_vs_dest {
66848 union nf_inet_addr addr; /* IP address of the server */
66849 __be16 port; /* port number of the server */
66850 volatile unsigned flags; /* dest status flags */
66851 - atomic_t conn_flags; /* flags to copy to conn */
66852 + atomic_unchecked_t conn_flags; /* flags to copy to conn */
66853 atomic_t weight; /* server weight */
66854
66855 atomic_t refcnt; /* reference counter */
66856 diff -urNp linux-2.6.32.49/include/net/irda/ircomm_core.h linux-2.6.32.49/include/net/irda/ircomm_core.h
66857 --- linux-2.6.32.49/include/net/irda/ircomm_core.h 2011-11-08 19:02:43.000000000 -0500
66858 +++ linux-2.6.32.49/include/net/irda/ircomm_core.h 2011-11-15 19:59:43.000000000 -0500
66859 @@ -51,7 +51,7 @@ typedef struct {
66860 int (*connect_response)(struct ircomm_cb *, struct sk_buff *);
66861 int (*disconnect_request)(struct ircomm_cb *, struct sk_buff *,
66862 struct ircomm_info *);
66863 -} call_t;
66864 +} __no_const call_t;
66865
66866 struct ircomm_cb {
66867 irda_queue_t queue;
66868 diff -urNp linux-2.6.32.49/include/net/irda/ircomm_tty.h linux-2.6.32.49/include/net/irda/ircomm_tty.h
66869 --- linux-2.6.32.49/include/net/irda/ircomm_tty.h 2011-11-08 19:02:43.000000000 -0500
66870 +++ linux-2.6.32.49/include/net/irda/ircomm_tty.h 2011-11-15 19:59:43.000000000 -0500
66871 @@ -35,6 +35,7 @@
66872 #include <linux/termios.h>
66873 #include <linux/timer.h>
66874 #include <linux/tty.h> /* struct tty_struct */
66875 +#include <asm/local.h>
66876
66877 #include <net/irda/irias_object.h>
66878 #include <net/irda/ircomm_core.h>
66879 @@ -105,8 +106,8 @@ struct ircomm_tty_cb {
66880 unsigned short close_delay;
66881 unsigned short closing_wait; /* time to wait before closing */
66882
66883 - int open_count;
66884 - int blocked_open; /* # of blocked opens */
66885 + local_t open_count;
66886 + local_t blocked_open; /* # of blocked opens */
66887
66888 /* Protect concurent access to :
66889 * o self->open_count
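Review bot: Changing `open_count` and `blocked_open` from `int` to `local_t` does not by itself make them safe against concurrent access from another CPU, because `local_t` operations are only atomic with respect to the CPU that performs them. The protection described in the comment that begins on the following context lines therefore still has to be held around every access, and the field comments should say so, e.g. `local_t open_count; /* use local_read()/local_inc()/local_dec(), still under the lock below */`. Every plain read, assignment or comparison of these fields elsewhere has to be converted as well. Those users are outside this hunk, and the protecting comment is cut off at its end.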
66890 diff -urNp linux-2.6.32.49/include/net/iucv/af_iucv.h linux-2.6.32.49/include/net/iucv/af_iucv.h
66891 --- linux-2.6.32.49/include/net/iucv/af_iucv.h 2011-11-08 19:02:43.000000000 -0500
66892 +++ linux-2.6.32.49/include/net/iucv/af_iucv.h 2011-11-15 19:59:43.000000000 -0500
66893 @@ -87,7 +87,7 @@ struct iucv_sock {
66894 struct iucv_sock_list {
66895 struct hlist_head head;
66896 rwlock_t lock;
66897 - atomic_t autobind_name;
66898 + atomic_unchecked_t autobind_name;
66899 };
66900
66901 unsigned int iucv_sock_poll(struct file *file, struct socket *sock,
66902 diff -urNp linux-2.6.32.49/include/net/lapb.h linux-2.6.32.49/include/net/lapb.h
66903 --- linux-2.6.32.49/include/net/lapb.h 2011-11-08 19:02:43.000000000 -0500
66904 +++ linux-2.6.32.49/include/net/lapb.h 2011-11-15 19:59:43.000000000 -0500
66905 @@ -95,7 +95,7 @@ struct lapb_cb {
66906 struct sk_buff_head write_queue;
66907 struct sk_buff_head ack_queue;
66908 unsigned char window;
66909 - struct lapb_register_struct callbacks;
66910 + struct lapb_register_struct *callbacks;
66911
66912 /* FRMR control information */
66913 struct lapb_frame frmr_data;
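Review bot: Turning `callbacks` from an embedded copy into a pointer moves the lifetime of the callback table to whoever registered it, and the declaration does not state that requirement. If any registrant builds its `struct lapb_register_struct` on the stack or frees it before the device is unregistered, the pointer dangles and the next callback invocation jumps through stale memory. The registration code is not visible here, so this needs checking at every caller. I would document the contract on the field, `struct lapb_register_struct *callbacks; /* owned by the registrant, must outlive this lapb_cb */`, and make sure each dereference copes with a NULL pointer. Declaring the pointee `const` would also let the tables live in read-only data if no caller modifies them.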
66914 diff -urNp linux-2.6.32.49/include/net/neighbour.h linux-2.6.32.49/include/net/neighbour.h
66915 --- linux-2.6.32.49/include/net/neighbour.h 2011-11-08 19:02:43.000000000 -0500
66916 +++ linux-2.6.32.49/include/net/neighbour.h 2011-11-15 19:59:43.000000000 -0500
66917 @@ -131,7 +131,7 @@ struct neigh_ops
66918 int (*connected_output)(struct sk_buff*);
66919 int (*hh_output)(struct sk_buff*);
66920 int (*queue_xmit)(struct sk_buff*);
66921 -};
66922 +} __do_const;
66923
66924 struct pneigh_entry
66925 {
66926 diff -urNp linux-2.6.32.49/include/net/netlink.h linux-2.6.32.49/include/net/netlink.h
66927 --- linux-2.6.32.49/include/net/netlink.h 2011-11-08 19:02:43.000000000 -0500
66928 +++ linux-2.6.32.49/include/net/netlink.h 2011-11-15 19:59:43.000000000 -0500
66929 @@ -335,7 +335,7 @@ static inline int nlmsg_ok(const struct
66930 {
66931 return (remaining >= (int) sizeof(struct nlmsghdr) &&
66932 nlh->nlmsg_len >= sizeof(struct nlmsghdr) &&
66933 - nlh->nlmsg_len <= remaining);
66934 + nlh->nlmsg_len <= (unsigned int)remaining);
66935 }
66936
66937 /**
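Review bot: The new `(unsigned int)remaining` cast is only correct because the first conjunct has already rejected values of `remaining` smaller than `sizeof(struct nlmsghdr)`, and nothing in the expression says so. If the tests are ever reordered or the first one is relaxed, a negative `remaining` would convert to a huge unsigned value and let an oversized `nlmsg_len` pass the bound. A comment on the changed line would pin that dependency, for example `/* remaining >= sizeof(hdr) was checked above, so the cast cannot wrap */`. The function's signature lies outside the hunk, so the signed type of `remaining` is inferred from the `(int)` comparison on the first line.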
66938 @@ -558,7 +558,7 @@ static inline void *nlmsg_get_pos(struct
66939 static inline void nlmsg_trim(struct sk_buff *skb, const void *mark)
66940 {
66941 if (mark)
66942 - skb_trim(skb, (unsigned char *) mark - skb->data);
66943 + skb_trim(skb, (const unsigned char *) mark - skb->data);
66944 }
66945
66946 /**
66947 diff -urNp linux-2.6.32.49/include/net/netns/ipv4.h linux-2.6.32.49/include/net/netns/ipv4.h
66948 --- linux-2.6.32.49/include/net/netns/ipv4.h 2011-11-08 19:02:43.000000000 -0500
66949 +++ linux-2.6.32.49/include/net/netns/ipv4.h 2011-11-15 19:59:43.000000000 -0500
66950 @@ -54,7 +54,7 @@ struct netns_ipv4 {
66951 int current_rt_cache_rebuild_count;
66952
66953 struct timer_list rt_secret_timer;
66954 - atomic_t rt_genid;
66955 + atomic_unchecked_t rt_genid;
66956
66957 #ifdef CONFIG_IP_MROUTE
66958 struct sock *mroute_sk;
66959 diff -urNp linux-2.6.32.49/include/net/sctp/sctp.h linux-2.6.32.49/include/net/sctp/sctp.h
66960 --- linux-2.6.32.49/include/net/sctp/sctp.h 2011-11-08 19:02:43.000000000 -0500
66961 +++ linux-2.6.32.49/include/net/sctp/sctp.h 2011-11-15 19:59:43.000000000 -0500
66962 @@ -305,8 +305,8 @@ extern int sctp_debug_flag;
66963
66964 #else /* SCTP_DEBUG */
66965
66966 -#define SCTP_DEBUG_PRINTK(whatever...)
66967 -#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
66968 +#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
66969 +#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
66970 #define SCTP_ENABLE_DEBUG
66971 #define SCTP_DISABLE_DEBUG
66972 #define SCTP_ASSERT(expr, str, func)
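Review bot: Only the two printk macros receive a `do {} while (0)` body, while `SCTP_ENABLE_DEBUG`, `SCTP_DISABLE_DEBUG` and `SCTP_ASSERT(expr, str, func)` on the following context lines still expand to nothing in the non-debug build. Used as the sole statement of an `if` or `else`, those leave the same empty-body statement that the change removes for the printk variants. For consistency I would give them the same expansion, e.g. `#define SCTP_ASSERT(expr, str, func) do {} while (0)`. That is only safe if none of them is used in expression context, which cannot be checked from this hunk.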
66973 diff -urNp linux-2.6.32.49/include/net/secure_seq.h linux-2.6.32.49/include/net/secure_seq.h
66974 --- linux-2.6.32.49/include/net/secure_seq.h 2011-11-08 19:02:43.000000000 -0500
66975 +++ linux-2.6.32.49/include/net/secure_seq.h 2011-11-15 19:59:43.000000000 -0500
66976 @@ -7,14 +7,14 @@ extern __u32 secure_ip_id(__be32 daddr);
66977 extern __u32 secure_ipv6_id(const __be32 daddr[4]);
66978 extern u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport);
66979 extern u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
66980 - __be16 dport);
66981 + __be16 dport);
66982 extern __u32 secure_tcp_sequence_number(__be32 saddr, __be32 daddr,
66983 __be16 sport, __be16 dport);
66984 extern __u32 secure_tcpv6_sequence_number(__be32 *saddr, __be32 *daddr,
66985 - __be16 sport, __be16 dport);
66986 + __be16 sport, __be16 dport);
66987 extern u64 secure_dccp_sequence_number(__be32 saddr, __be32 daddr,
66988 - __be16 sport, __be16 dport);
66989 + __be16 sport, __be16 dport);
66990 extern u64 secure_dccpv6_sequence_number(__be32 *saddr, __be32 *daddr,
66991 - __be16 sport, __be16 dport);
66992 + __be16 sport, __be16 dport);
66993
66994 #endif /* _NET_SECURE_SEQ */
66995 diff -urNp linux-2.6.32.49/include/net/sock.h linux-2.6.32.49/include/net/sock.h
66996 --- linux-2.6.32.49/include/net/sock.h 2011-11-08 19:02:43.000000000 -0500
66997 +++ linux-2.6.32.49/include/net/sock.h 2011-11-15 19:59:43.000000000 -0500
66998 @@ -272,7 +272,7 @@ struct sock {
66999 rwlock_t sk_callback_lock;
67000 int sk_err,
67001 sk_err_soft;
67002 - atomic_t sk_drops;
67003 + atomic_unchecked_t sk_drops;
67004 unsigned short sk_ack_backlog;
67005 unsigned short sk_max_ack_backlog;
67006 __u32 sk_priority;
67007 @@ -737,7 +737,7 @@ static inline void sk_refcnt_debug_relea
67008 extern void sock_prot_inuse_add(struct net *net, struct proto *prot, int inc);
67009 extern int sock_prot_inuse_get(struct net *net, struct proto *proto);
67010 #else
67011 -static void inline sock_prot_inuse_add(struct net *net, struct proto *prot,
67012 +static inline void sock_prot_inuse_add(struct net *net, struct proto *prot,
67013 int inc)
67014 {
67015 }
67016 diff -urNp linux-2.6.32.49/include/net/tcp.h linux-2.6.32.49/include/net/tcp.h
67017 --- linux-2.6.32.49/include/net/tcp.h 2011-11-08 19:02:43.000000000 -0500
67018 +++ linux-2.6.32.49/include/net/tcp.h 2011-11-15 19:59:43.000000000 -0500
67019 @@ -1444,8 +1444,8 @@ enum tcp_seq_states {
67020 struct tcp_seq_afinfo {
67021 char *name;
67022 sa_family_t family;
67023 - struct file_operations seq_fops;
67024 - struct seq_operations seq_ops;
67025 + file_operations_no_const seq_fops;
67026 + seq_operations_no_const seq_ops;
67027 };
67028
67029 struct tcp_iter_state {
67030 diff -urNp linux-2.6.32.49/include/net/udp.h linux-2.6.32.49/include/net/udp.h
67031 --- linux-2.6.32.49/include/net/udp.h 2011-11-08 19:02:43.000000000 -0500
67032 +++ linux-2.6.32.49/include/net/udp.h 2011-11-15 19:59:43.000000000 -0500
67033 @@ -187,8 +187,8 @@ struct udp_seq_afinfo {
67034 char *name;
67035 sa_family_t family;
67036 struct udp_table *udp_table;
67037 - struct file_operations seq_fops;
67038 - struct seq_operations seq_ops;
67039 + file_operations_no_const seq_fops;
67040 + seq_operations_no_const seq_ops;
67041 };
67042
67043 struct udp_iter_state {
67044 diff -urNp linux-2.6.32.49/include/rdma/iw_cm.h linux-2.6.32.49/include/rdma/iw_cm.h
67045 --- linux-2.6.32.49/include/rdma/iw_cm.h 2011-11-08 19:02:43.000000000 -0500
67046 +++ linux-2.6.32.49/include/rdma/iw_cm.h 2011-11-15 19:59:43.000000000 -0500
67047 @@ -129,7 +129,7 @@ struct iw_cm_verbs {
67048 int backlog);
67049
67050 int (*destroy_listen)(struct iw_cm_id *cm_id);
67051 -};
67052 +} __no_const;
67053
67054 /**
67055 * iw_create_cm_id - Create an IW CM identifier.
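Review bot: Marking `struct iw_cm_verbs` as `__no_const` keeps a table of function pointers writable at runtime, and the hunk gives no reason why this structure needs the exemption. A one-line comment next to the attribute naming the code that assigns these members after initialisation would let a later reviewer re-check whether the opt-out is still required, e.g. `} __no_const; /* members are filled in at runtime by the provider driver */` if that is the case. The same applies to the other `__no_const` additions in this patch (`call_t`, `snd_ak4xxx_ops`, `snd_hwdep_ops`, `snd_info_entry_text`, `snd_sb_csp_ops`). The struct body begins outside this hunk.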
67056 diff -urNp linux-2.6.32.49/include/scsi/libfc.h linux-2.6.32.49/include/scsi/libfc.h
67057 --- linux-2.6.32.49/include/scsi/libfc.h 2011-11-08 19:02:43.000000000 -0500
67058 +++ linux-2.6.32.49/include/scsi/libfc.h 2011-11-15 19:59:43.000000000 -0500
67059 @@ -675,6 +675,7 @@ struct libfc_function_template {
67060 */
67061 void (*disc_stop_final) (struct fc_lport *);
67062 };
67063 +typedef struct libfc_function_template __no_const libfc_function_template_no_const;
67064
67065 /* information used by the discovery layer */
67066 struct fc_disc {
67067 @@ -707,7 +708,7 @@ struct fc_lport {
67068 struct fc_disc disc;
67069
67070 /* Operational Information */
67071 - struct libfc_function_template tt;
67072 + libfc_function_template_no_const tt;
67073 u8 link_up;
67074 u8 qfull;
67075 enum fc_lport_state state;
67076 diff -urNp linux-2.6.32.49/include/scsi/scsi_device.h linux-2.6.32.49/include/scsi/scsi_device.h
67077 --- linux-2.6.32.49/include/scsi/scsi_device.h 2011-11-08 19:02:43.000000000 -0500
67078 +++ linux-2.6.32.49/include/scsi/scsi_device.h 2011-11-15 19:59:43.000000000 -0500
67079 @@ -156,9 +156,9 @@ struct scsi_device {
67080 unsigned int max_device_blocked; /* what device_blocked counts down from */
67081 #define SCSI_DEFAULT_DEVICE_BLOCKED 3
67082
67083 - atomic_t iorequest_cnt;
67084 - atomic_t iodone_cnt;
67085 - atomic_t ioerr_cnt;
67086 + atomic_unchecked_t iorequest_cnt;
67087 + atomic_unchecked_t iodone_cnt;
67088 + atomic_unchecked_t ioerr_cnt;
67089
67090 struct device sdev_gendev,
67091 sdev_dev;
67092 diff -urNp linux-2.6.32.49/include/scsi/scsi_transport_fc.h linux-2.6.32.49/include/scsi/scsi_transport_fc.h
67093 --- linux-2.6.32.49/include/scsi/scsi_transport_fc.h 2011-11-08 19:02:43.000000000 -0500
67094 +++ linux-2.6.32.49/include/scsi/scsi_transport_fc.h 2011-11-15 19:59:43.000000000 -0500
67095 @@ -708,7 +708,7 @@ struct fc_function_template {
67096 unsigned long show_host_system_hostname:1;
67097
67098 unsigned long disable_target_scan:1;
67099 -};
67100 +} __do_const;
67101
67102
67103 /**
67104 diff -urNp linux-2.6.32.49/include/sound/ac97_codec.h linux-2.6.32.49/include/sound/ac97_codec.h
67105 --- linux-2.6.32.49/include/sound/ac97_codec.h 2011-11-08 19:02:43.000000000 -0500
67106 +++ linux-2.6.32.49/include/sound/ac97_codec.h 2011-11-15 19:59:43.000000000 -0500
67107 @@ -419,15 +419,15 @@
67108 struct snd_ac97;
67109
67110 struct snd_ac97_build_ops {
67111 - int (*build_3d) (struct snd_ac97 *ac97);
67112 - int (*build_specific) (struct snd_ac97 *ac97);
67113 - int (*build_spdif) (struct snd_ac97 *ac97);
67114 - int (*build_post_spdif) (struct snd_ac97 *ac97);
67115 + int (* const build_3d) (struct snd_ac97 *ac97);
67116 + int (* const build_specific) (struct snd_ac97 *ac97);
67117 + int (* const build_spdif) (struct snd_ac97 *ac97);
67118 + int (* const build_post_spdif) (struct snd_ac97 *ac97);
67119 #ifdef CONFIG_PM
67120 - void (*suspend) (struct snd_ac97 *ac97);
67121 - void (*resume) (struct snd_ac97 *ac97);
67122 + void (* const suspend) (struct snd_ac97 *ac97);
67123 + void (* const resume) (struct snd_ac97 *ac97);
67124 #endif
67125 - void (*update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
67126 + void (* const update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
67127 };
67128
67129 struct snd_ac97_bus_ops {
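Review bot: `snd_ac97_build_ops` is made read-only by adding `* const` to each of its seven members, whereas other structures in this same patch (`neigh_ops`, `fc_function_template`) get the same effect from a single `} __do_const;` on the closing brace. The per-member form is easy to miss when a new callback is added later, leaving that one pointer writable. If the attribute works for this structure, the closing line could read `} __do_const;` with the member declarations left untouched. Whether it does cannot be judged from the hunk. The adjacent `struct snd_ac97_bus_ops`, whose body starts on the last context line, is not visibly changed here and may deserve the same review.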
67130 @@ -477,7 +477,7 @@ struct snd_ac97_template {
67131
67132 struct snd_ac97 {
67133 /* -- lowlevel (hardware) driver specific -- */
67134 - struct snd_ac97_build_ops * build_ops;
67135 + const struct snd_ac97_build_ops * build_ops;
67136 void *private_data;
67137 void (*private_free) (struct snd_ac97 *ac97);
67138 /* --- */
67139 diff -urNp linux-2.6.32.49/include/sound/ak4xxx-adda.h linux-2.6.32.49/include/sound/ak4xxx-adda.h
67140 --- linux-2.6.32.49/include/sound/ak4xxx-adda.h 2011-11-08 19:02:43.000000000 -0500
67141 +++ linux-2.6.32.49/include/sound/ak4xxx-adda.h 2011-11-15 19:59:43.000000000 -0500
67142 @@ -35,7 +35,7 @@ struct snd_ak4xxx_ops {
67143 void (*write)(struct snd_akm4xxx *ak, int chip, unsigned char reg,
67144 unsigned char val);
67145 void (*set_rate_val)(struct snd_akm4xxx *ak, unsigned int rate);
67146 -};
67147 +} __no_const;
67148
67149 #define AK4XXX_IMAGE_SIZE (AK4XXX_MAX_CHIPS * 16) /* 64 bytes */
67150
67151 diff -urNp linux-2.6.32.49/include/sound/hwdep.h linux-2.6.32.49/include/sound/hwdep.h
67152 --- linux-2.6.32.49/include/sound/hwdep.h 2011-11-08 19:02:43.000000000 -0500
67153 +++ linux-2.6.32.49/include/sound/hwdep.h 2011-11-15 19:59:43.000000000 -0500
67154 @@ -49,7 +49,7 @@ struct snd_hwdep_ops {
67155 struct snd_hwdep_dsp_status *status);
67156 int (*dsp_load)(struct snd_hwdep *hw,
67157 struct snd_hwdep_dsp_image *image);
67158 -};
67159 +} __no_const;
67160
67161 struct snd_hwdep {
67162 struct snd_card *card;
67163 diff -urNp linux-2.6.32.49/include/sound/info.h linux-2.6.32.49/include/sound/info.h
67164 --- linux-2.6.32.49/include/sound/info.h 2011-11-08 19:02:43.000000000 -0500
67165 +++ linux-2.6.32.49/include/sound/info.h 2011-11-15 19:59:43.000000000 -0500
67166 @@ -44,7 +44,7 @@ struct snd_info_entry_text {
67167 struct snd_info_buffer *buffer);
67168 void (*write)(struct snd_info_entry *entry,
67169 struct snd_info_buffer *buffer);
67170 -};
67171 +} __no_const;
67172
67173 struct snd_info_entry_ops {
67174 int (*open)(struct snd_info_entry *entry,
67175 diff -urNp linux-2.6.32.49/include/sound/pcm.h linux-2.6.32.49/include/sound/pcm.h
67176 --- linux-2.6.32.49/include/sound/pcm.h 2011-11-08 19:02:43.000000000 -0500
67177 +++ linux-2.6.32.49/include/sound/pcm.h 2011-11-15 19:59:43.000000000 -0500
67178 @@ -80,6 +80,7 @@ struct snd_pcm_ops {
67179 int (*mmap)(struct snd_pcm_substream *substream, struct vm_area_struct *vma);
67180 int (*ack)(struct snd_pcm_substream *substream);
67181 };
67182 +typedef struct snd_pcm_ops __no_const snd_pcm_ops_no_const;
67183
67184 /*
67185 *
67186 diff -urNp linux-2.6.32.49/include/sound/sb16_csp.h linux-2.6.32.49/include/sound/sb16_csp.h
67187 --- linux-2.6.32.49/include/sound/sb16_csp.h 2011-11-08 19:02:43.000000000 -0500
67188 +++ linux-2.6.32.49/include/sound/sb16_csp.h 2011-11-15 19:59:43.000000000 -0500
67189 @@ -139,7 +139,7 @@ struct snd_sb_csp_ops {
67190 int (*csp_start) (struct snd_sb_csp * p, int sample_width, int channels);
67191 int (*csp_stop) (struct snd_sb_csp * p);
67192 int (*csp_qsound_transfer) (struct snd_sb_csp * p);
67193 -};
67194 +} __no_const;
67195
67196 /*
67197 * CSP private data
67198 diff -urNp linux-2.6.32.49/include/sound/ymfpci.h linux-2.6.32.49/include/sound/ymfpci.h
67199 --- linux-2.6.32.49/include/sound/ymfpci.h 2011-11-08 19:02:43.000000000 -0500
67200 +++ linux-2.6.32.49/include/sound/ymfpci.h 2011-11-15 19:59:43.000000000 -0500
67201 @@ -358,7 +358,7 @@ struct snd_ymfpci {
67202 spinlock_t reg_lock;
67203 spinlock_t voice_lock;
67204 wait_queue_head_t interrupt_sleep;
67205 - atomic_t interrupt_sleep_count;
67206 + atomic_unchecked_t interrupt_sleep_count;
67207 struct snd_info_entry *proc_entry;
67208 const struct firmware *dsp_microcode;
67209 const struct firmware *controller_microcode;
67210 diff -urNp linux-2.6.32.49/include/trace/events/irq.h linux-2.6.32.49/include/trace/events/irq.h
67211 --- linux-2.6.32.49/include/trace/events/irq.h 2011-11-08 19:02:43.000000000 -0500
67212 +++ linux-2.6.32.49/include/trace/events/irq.h 2011-11-15 19:59:43.000000000 -0500
67213 @@ -34,7 +34,7 @@
67214 */
67215 TRACE_EVENT(irq_handler_entry,
67216
67217 - TP_PROTO(int irq, struct irqaction *action),
67218 + TP_PROTO(int irq, const struct irqaction *action),
67219
67220 TP_ARGS(irq, action),
67221
67222 @@ -64,7 +64,7 @@ TRACE_EVENT(irq_handler_entry,
67223 */
67224 TRACE_EVENT(irq_handler_exit,
67225
67226 - TP_PROTO(int irq, struct irqaction *action, int ret),
67227 + TP_PROTO(int irq, const struct irqaction *action, int ret),
67228
67229 TP_ARGS(irq, action, ret),
67230
67231 @@ -95,7 +95,7 @@ TRACE_EVENT(irq_handler_exit,
67232 */
67233 TRACE_EVENT(softirq_entry,
67234
67235 - TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
67236 + TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
67237
67238 TP_ARGS(h, vec),
67239
67240 @@ -124,7 +124,7 @@ TRACE_EVENT(softirq_entry,
67241 */
67242 TRACE_EVENT(softirq_exit,
67243
67244 - TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
67245 + TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
67246
67247 TP_ARGS(h, vec),
67248
67249 diff -urNp linux-2.6.32.49/include/video/uvesafb.h linux-2.6.32.49/include/video/uvesafb.h
67250 --- linux-2.6.32.49/include/video/uvesafb.h 2011-11-08 19:02:43.000000000 -0500
67251 +++ linux-2.6.32.49/include/video/uvesafb.h 2011-11-15 19:59:43.000000000 -0500
67252 @@ -177,6 +177,7 @@ struct uvesafb_par {
67253 u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
67254 u8 pmi_setpal; /* PMI for palette changes */
67255 u16 *pmi_base; /* protected mode interface location */
67256 + u8 *pmi_code; /* protected mode code location */
67257 void *pmi_start;
67258 void *pmi_pal;
67259 u8 *vbe_state_orig; /*
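Review bot: The new `pmi_code` field is documented only as "protected mode code location", which does not say who allocates it, who frees it, or how it relates to `pmi_base`, `pmi_start` and `pmi_pal` next to it. Since it apparently holds firmware-supplied code that the kernel will execute, the comment should state whether it is a separate copy and what page permissions that memory is expected to carry. It should also say whether `pmi_start` and `pmi_pal` point into it, so that teardown and error paths can be checked for leaks and stale pointers. The rest of `struct uvesafb_par` lies outside this hunk.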
67260 diff -urNp linux-2.6.32.49/init/do_mounts.c linux-2.6.32.49/init/do_mounts.c
67261 --- linux-2.6.32.49/init/do_mounts.c 2011-11-08 19:02:43.000000000 -0500
67262 +++ linux-2.6.32.49/init/do_mounts.c 2011-11-15 19:59:43.000000000 -0500
67263 @@ -216,11 +216,11 @@ static void __init get_fs_names(char *pa
67264
67265 static int __init do_mount_root(char *name, char *fs, int flags, void *data)
67266 {
67267 - int err = sys_mount(name, "/root", fs, flags, data);
67268 + int err = sys_mount((__force char __user *)name, (__force char __user *)"/root", (__force char __user *)fs, flags, (__force void __user *)data);
67269 if (err)
67270 return err;
67271
67272 - sys_chdir("/root");
67273 + sys_chdir((__force const char __user *)"/root");
67274 ROOT_DEV = current->fs->pwd.mnt->mnt_sb->s_dev;
67275 printk("VFS: Mounted root (%s filesystem)%s on device %u:%u.\n",
67276 current->fs->pwd.mnt->mnt_sb->s_type->name,
67277 @@ -311,18 +311,18 @@ void __init change_floppy(char *fmt, ...
67278 va_start(args, fmt);
67279 vsprintf(buf, fmt, args);
67280 va_end(args);
67281 - fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
67282 + fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
67283 if (fd >= 0) {
67284 sys_ioctl(fd, FDEJECT, 0);
67285 sys_close(fd);
67286 }
67287 printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
67288 - fd = sys_open("/dev/console", O_RDWR, 0);
67289 + fd = sys_open((char __user *)"/dev/console", O_RDWR, 0);
67290 if (fd >= 0) {
67291 sys_ioctl(fd, TCGETS, (long)&termios);
67292 termios.c_lflag &= ~ICANON;
67293 sys_ioctl(fd, TCSETSF, (long)&termios);
67294 - sys_read(fd, &c, 1);
67295 + sys_read(fd, (char __user *)&c, 1);
67296 termios.c_lflag |= ICANON;
67297 sys_ioctl(fd, TCSETSF, (long)&termios);
67298 sys_close(fd);
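Review bot: The casts added in this hunk are written `(char __user *)` without `__force`, while the other two hunks of this file use `(__force char __user *)` and init/do_mounts.h uses `(char __force_user *)`. Three spellings of the same annotation make it harder to grep for every place where a kernel pointer is deliberately passed off as a user pointer, and the unforced form may still be reported by sparse depending on its options. I would pick one form and apply it to both `sys_open` calls and the `sys_read` buffer, e.g. `fd = sys_open((const char __force_user *)"/dev/console", O_RDWR, 0);`, which also avoids casting `const` away from the string literal. change_floppy begins before this hunk and continues after it.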
67299 @@ -416,6 +416,6 @@ void __init prepare_namespace(void)
67300 mount_root();
67301 out:
67302 devtmpfs_mount("dev");
67303 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
67304 - sys_chroot(".");
67305 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
67306 + sys_chroot((__force char __user *)".");
67307 }
67308 diff -urNp linux-2.6.32.49/init/do_mounts.h linux-2.6.32.49/init/do_mounts.h
67309 --- linux-2.6.32.49/init/do_mounts.h 2011-11-08 19:02:43.000000000 -0500
67310 +++ linux-2.6.32.49/init/do_mounts.h 2011-11-15 19:59:43.000000000 -0500
67311 @@ -15,15 +15,15 @@ extern int root_mountflags;
67312
67313 static inline int create_dev(char *name, dev_t dev)
67314 {
67315 - sys_unlink(name);
67316 - return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
67317 + sys_unlink((char __force_user *)name);
67318 + return sys_mknod((char __force_user *)name, S_IFBLK|0600, new_encode_dev(dev));
67319 }
67320
67321 #if BITS_PER_LONG == 32
67322 static inline u32 bstat(char *name)
67323 {
67324 struct stat64 stat;
67325 - if (sys_stat64(name, &stat) != 0)
67326 + if (sys_stat64((char __force_user *)name, (struct stat64 __force_user *)&stat) != 0)
67327 return 0;
67328 if (!S_ISBLK(stat.st_mode))
67329 return 0;
67330 @@ -35,7 +35,7 @@ static inline u32 bstat(char *name)
67331 static inline u32 bstat(char *name)
67332 {
67333 struct stat stat;
67334 - if (sys_newstat(name, &stat) != 0)
67335 + if (sys_newstat((const char __force_user *)name, (struct stat __force_user *)&stat) != 0)
67336 return 0;
67337 if (!S_ISBLK(stat.st_mode))
67338 return 0;
67339 diff -urNp linux-2.6.32.49/init/do_mounts_initrd.c linux-2.6.32.49/init/do_mounts_initrd.c
67340 --- linux-2.6.32.49/init/do_mounts_initrd.c 2011-11-08 19:02:43.000000000 -0500
67341 +++ linux-2.6.32.49/init/do_mounts_initrd.c 2011-11-15 19:59:43.000000000 -0500
67342 @@ -32,7 +32,7 @@ static int __init do_linuxrc(void * shel
67343 sys_close(old_fd);sys_close(root_fd);
67344 sys_close(0);sys_close(1);sys_close(2);
67345 sys_setsid();
67346 - (void) sys_open("/dev/console",O_RDWR,0);
67347 + (void) sys_open((__force const char __user *)"/dev/console",O_RDWR,0);
67348 (void) sys_dup(0);
67349 (void) sys_dup(0);
67350 return kernel_execve(shell, argv, envp_init);
67351 @@ -47,13 +47,13 @@ static void __init handle_initrd(void)
67352 create_dev("/dev/root.old", Root_RAM0);
67353 /* mount initrd on rootfs' /root */
67354 mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
67355 - sys_mkdir("/old", 0700);
67356 - root_fd = sys_open("/", 0, 0);
67357 - old_fd = sys_open("/old", 0, 0);
67358 + sys_mkdir((const char __force_user *)"/old", 0700);
67359 + root_fd = sys_open((const char __force_user *)"/", 0, 0);
67360 + old_fd = sys_open((const char __force_user *)"/old", 0, 0);
67361 /* move initrd over / and chdir/chroot in initrd root */
67362 - sys_chdir("/root");
67363 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
67364 - sys_chroot(".");
67365 + sys_chdir((const char __force_user *)"/root");
67366 + sys_mount((char __force_user *)".", (char __force_user *)"/", NULL, MS_MOVE, NULL);
67367 + sys_chroot((const char __force_user *)".");
67368
67369 /*
67370 * In case that a resume from disk is carried out by linuxrc or one of
67371 @@ -70,15 +70,15 @@ static void __init handle_initrd(void)
67372
67373 /* move initrd to rootfs' /old */
67374 sys_fchdir(old_fd);
67375 - sys_mount("/", ".", NULL, MS_MOVE, NULL);
67376 + sys_mount((char __force_user *)"/", (char __force_user *)".", NULL, MS_MOVE, NULL);
67377 /* switch root and cwd back to / of rootfs */
67378 sys_fchdir(root_fd);
67379 - sys_chroot(".");
67380 + sys_chroot((const char __force_user *)".");
67381 sys_close(old_fd);
67382 sys_close(root_fd);
67383
67384 if (new_decode_dev(real_root_dev) == Root_RAM0) {
67385 - sys_chdir("/old");
67386 + sys_chdir((const char __force_user *)"/old");
67387 return;
67388 }
67389
67390 @@ -86,17 +86,17 @@ static void __init handle_initrd(void)
67391 mount_root();
67392
67393 printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
67394 - error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
67395 + error = sys_mount((char __force_user *)"/old", (char __force_user *)"/root/initrd", NULL, MS_MOVE, NULL);
67396 if (!error)
67397 printk("okay\n");
67398 else {
67399 - int fd = sys_open("/dev/root.old", O_RDWR, 0);
67400 + int fd = sys_open((const char __force_user *)"/dev/root.old", O_RDWR, 0);
67401 if (error == -ENOENT)
67402 printk("/initrd does not exist. Ignored.\n");
67403 else
67404 printk("failed\n");
67405 printk(KERN_NOTICE "Unmounting old root\n");
67406 - sys_umount("/old", MNT_DETACH);
67407 + sys_umount((char __force_user *)"/old", MNT_DETACH);
67408 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
67409 if (fd < 0) {
67410 error = fd;
67411 @@ -119,11 +119,11 @@ int __init initrd_load(void)
67412 * mounted in the normal path.
67413 */
67414 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
67415 - sys_unlink("/initrd.image");
67416 + sys_unlink((const char __force_user *)"/initrd.image");
67417 handle_initrd();
67418 return 1;
67419 }
67420 }
67421 - sys_unlink("/initrd.image");
67422 + sys_unlink((const char __force_user *)"/initrd.image");
67423 return 0;
67424 }
67425 diff -urNp linux-2.6.32.49/init/do_mounts_md.c linux-2.6.32.49/init/do_mounts_md.c
67426 --- linux-2.6.32.49/init/do_mounts_md.c 2011-11-08 19:02:43.000000000 -0500
67427 +++ linux-2.6.32.49/init/do_mounts_md.c 2011-11-15 19:59:43.000000000 -0500
67428 @@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
67429 partitioned ? "_d" : "", minor,
67430 md_setup_args[ent].device_names);
67431
67432 - fd = sys_open(name, 0, 0);
67433 + fd = sys_open((char __force_user *)name, 0, 0);
67434 if (fd < 0) {
67435 printk(KERN_ERR "md: open failed - cannot start "
67436 "array %s\n", name);
67437 @@ -233,7 +233,7 @@ static void __init md_setup_drive(void)
67438 * array without it
67439 */
67440 sys_close(fd);
67441 - fd = sys_open(name, 0, 0);
67442 + fd = sys_open((char __force_user *)name, 0, 0);
67443 sys_ioctl(fd, BLKRRPART, 0);
67444 }
67445 sys_close(fd);
67446 @@ -283,7 +283,7 @@ static void __init autodetect_raid(void)
67447
67448 wait_for_device_probe();
67449
67450 - fd = sys_open("/dev/md0", 0, 0);
67451 + fd = sys_open((__force char __user *)"/dev/md0", 0, 0);
67452 if (fd >= 0) {
67453 sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
67454 sys_close(fd);
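Review bot: The cast on the `sys_open` call in `autodetect_raid` is spelled `(__force char __user *)`, while the two `md_setup_drive` hunks above and the rest of this patch use `(char __force_user *)`. The two are presumably equivalent to sparse, but a single spelling keeps every site where a kernel pointer is passed as a user pointer easy to grep when auditing. The same applies to the `do_utime` prototype in init/initramfs.c. For the string literal, `fd = sys_open((const char __force_user *)"/dev/md0", 0, 0);` would also keep the `const` that the current cast drops.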
67455 diff -urNp linux-2.6.32.49/init/initramfs.c linux-2.6.32.49/init/initramfs.c
67456 --- linux-2.6.32.49/init/initramfs.c 2011-11-08 19:02:43.000000000 -0500
67457 +++ linux-2.6.32.49/init/initramfs.c 2011-11-15 19:59:43.000000000 -0500
67458 @@ -74,7 +74,7 @@ static void __init free_hash(void)
67459 }
67460 }
67461
67462 -static long __init do_utime(char __user *filename, time_t mtime)
67463 +static long __init do_utime(__force char __user *filename, time_t mtime)
67464 {
67465 struct timespec t[2];
67466
67467 @@ -109,7 +109,7 @@ static void __init dir_utime(void)
67468 struct dir_entry *de, *tmp;
67469 list_for_each_entry_safe(de, tmp, &dir_list, list) {
67470 list_del(&de->list);
67471 - do_utime(de->name, de->mtime);
67472 + do_utime((char __force_user *)de->name, de->mtime);
67473 kfree(de->name);
67474 kfree(de);
67475 }
67476 @@ -271,7 +271,7 @@ static int __init maybe_link(void)
67477 if (nlink >= 2) {
67478 char *old = find_link(major, minor, ino, mode, collected);
67479 if (old)
67480 - return (sys_link(old, collected) < 0) ? -1 : 1;
67481 + return (sys_link((char __force_user *)old, (char __force_user *)collected) < 0) ? -1 : 1;
67482 }
67483 return 0;
67484 }
67485 @@ -280,11 +280,11 @@ static void __init clean_path(char *path
67486 {
67487 struct stat st;
67488
67489 - if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
67490 + if (!sys_newlstat((char __force_user *)path, (struct stat __force_user *)&st) && (st.st_mode^mode) & S_IFMT) {
67491 if (S_ISDIR(st.st_mode))
67492 - sys_rmdir(path);
67493 + sys_rmdir((char __force_user *)path);
67494 else
67495 - sys_unlink(path);
67496 + sys_unlink((char __force_user *)path);
67497 }
67498 }
67499
67500 @@ -305,7 +305,7 @@ static int __init do_name(void)
67501 int openflags = O_WRONLY|O_CREAT;
67502 if (ml != 1)
67503 openflags |= O_TRUNC;
67504 - wfd = sys_open(collected, openflags, mode);
67505 + wfd = sys_open((char __force_user *)collected, openflags, mode);
67506
67507 if (wfd >= 0) {
67508 sys_fchown(wfd, uid, gid);
67509 @@ -317,17 +317,17 @@ static int __init do_name(void)
67510 }
67511 }
67512 } else if (S_ISDIR(mode)) {
67513 - sys_mkdir(collected, mode);
67514 - sys_chown(collected, uid, gid);
67515 - sys_chmod(collected, mode);
67516 + sys_mkdir((char __force_user *)collected, mode);
67517 + sys_chown((char __force_user *)collected, uid, gid);
67518 + sys_chmod((char __force_user *)collected, mode);
67519 dir_add(collected, mtime);
67520 } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
67521 S_ISFIFO(mode) || S_ISSOCK(mode)) {
67522 if (maybe_link() == 0) {
67523 - sys_mknod(collected, mode, rdev);
67524 - sys_chown(collected, uid, gid);
67525 - sys_chmod(collected, mode);
67526 - do_utime(collected, mtime);
67527 + sys_mknod((char __force_user *)collected, mode, rdev);
67528 + sys_chown((char __force_user *)collected, uid, gid);
67529 + sys_chmod((char __force_user *)collected, mode);
67530 + do_utime((char __force_user *)collected, mtime);
67531 }
67532 }
67533 return 0;
67534 @@ -336,15 +336,15 @@ static int __init do_name(void)
67535 static int __init do_copy(void)
67536 {
67537 if (count >= body_len) {
67538 - sys_write(wfd, victim, body_len);
67539 + sys_write(wfd, (char __force_user *)victim, body_len);
67540 sys_close(wfd);
67541 - do_utime(vcollected, mtime);
67542 + do_utime((char __force_user *)vcollected, mtime);
67543 kfree(vcollected);
67544 eat(body_len);
67545 state = SkipIt;
67546 return 0;
67547 } else {
67548 - sys_write(wfd, victim, count);
67549 + sys_write(wfd, (char __force_user *)victim, count);
67550 body_len -= count;
67551 eat(count);
67552 return 1;
67553 @@ -355,9 +355,9 @@ static int __init do_symlink(void)
67554 {
67555 collected[N_ALIGN(name_len) + body_len] = '\0';
67556 clean_path(collected, 0);
67557 - sys_symlink(collected + N_ALIGN(name_len), collected);
67558 - sys_lchown(collected, uid, gid);
67559 - do_utime(collected, mtime);
67560 + sys_symlink((char __force_user *)collected + N_ALIGN(name_len), (char __force_user *)collected);
67561 + sys_lchown((char __force_user *)collected, uid, gid);
67562 + do_utime((char __force_user *)collected, mtime);
67563 state = SkipIt;
67564 next_state = Reset;
67565 return 0;
67566 diff -urNp linux-2.6.32.49/init/Kconfig linux-2.6.32.49/init/Kconfig
67567 --- linux-2.6.32.49/init/Kconfig 2011-11-08 19:02:43.000000000 -0500
67568 +++ linux-2.6.32.49/init/Kconfig 2011-11-15 19:59:43.000000000 -0500
67569 @@ -1004,7 +1004,7 @@ config SLUB_DEBUG
67570
67571 config COMPAT_BRK
67572 bool "Disable heap randomization"
67573 - default y
67574 + default n
67575 help
67576 Randomizing heap placement makes heap exploits harder, but it
67577 also breaks ancient binaries (including anything libc5 based).
67578 diff -urNp linux-2.6.32.49/init/main.c linux-2.6.32.49/init/main.c
67579 --- linux-2.6.32.49/init/main.c 2011-11-08 19:02:43.000000000 -0500
67580 +++ linux-2.6.32.49/init/main.c 2011-11-15 19:59:43.000000000 -0500
67581 @@ -97,6 +97,7 @@ static inline void mark_rodata_ro(void)
67582 #ifdef CONFIG_TC
67583 extern void tc_init(void);
67584 #endif
67585 +extern void grsecurity_init(void);
67586
67587 enum system_states system_state __read_mostly;
67588 EXPORT_SYMBOL(system_state);
67589 @@ -183,6 +184,49 @@ static int __init set_reset_devices(char
67590
67591 __setup("reset_devices", set_reset_devices);
67592
67593 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
67594 +extern char pax_enter_kernel_user[];
67595 +extern char pax_exit_kernel_user[];
67596 +extern pgdval_t clone_pgd_mask;
67597 +#endif
67598 +
67599 +#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF)
67600 +static int __init setup_pax_nouderef(char *str)
67601 +{
67602 +#ifdef CONFIG_X86_32
67603 + unsigned int cpu;
67604 + struct desc_struct *gdt;
67605 +
67606 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
67607 + gdt = get_cpu_gdt_table(cpu);
67608 + gdt[GDT_ENTRY_KERNEL_DS].type = 3;
67609 + gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf;
67610 + gdt[GDT_ENTRY_DEFAULT_USER_CS].limit = 0xf;
67611 + gdt[GDT_ENTRY_DEFAULT_USER_DS].limit = 0xf;
67612 + }
67613 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
67614 +#else
67615 + memcpy(pax_enter_kernel_user, (unsigned char []){0xc3}, 1);
67616 + memcpy(pax_exit_kernel_user, (unsigned char []){0xc3}, 1);
67617 + clone_pgd_mask = ~(pgdval_t)0UL;
67618 +#endif
67619 +
67620 + return 0;
67621 +}
67622 +early_param("pax_nouderef", setup_pax_nouderef);
67623 +#endif
67624 +
67625 +#ifdef CONFIG_PAX_SOFTMODE
67626 +int pax_softmode;
67627 +
67628 +static int __init setup_pax_softmode(char *str)
67629 +{
67630 + get_option(&str, &pax_softmode);
67631 + return 1;
67632 +}
67633 +__setup("pax_softmode=", setup_pax_softmode);
67634 +#endif
67635 +
67636 static char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
67637 char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
67638 static const char *panic_later, *panic_param;
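Review bot: Neither `setup_pax_nouderef` nor `setup_pax_softmode` logs that a boot parameter changed the protection state, so nothing in the boot log shows that UDEREF was turned off or that soft mode was requested. A line such as `printk(KERN_NOTICE "PAX: UDEREF disabled by pax_nouderef\n");` before `return 0;`, and an equivalent one when `pax_softmode` ends up non-zero, would let operators detect this from dmesg. `setup_pax_softmode` also ignores the return value of `get_option()`, so a malformed `pax_softmode=` value is accepted silently. Both handlers would benefit from a short comment stating what each branch changes: the descriptor limits on 32-bit, and the `pax_enter_kernel_user`/`pax_exit_kernel_user` stubs and `clone_pgd_mask` on 64-bit.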
67639 @@ -705,52 +749,53 @@ int initcall_debug;
67640 core_param(initcall_debug, initcall_debug, bool, 0644);
67641
67642 static char msgbuf[64];
67643 -static struct boot_trace_call call;
67644 -static struct boot_trace_ret ret;
67645 +static struct boot_trace_call trace_call;
67646 +static struct boot_trace_ret trace_ret;
67647
67648 int do_one_initcall(initcall_t fn)
67649 {
67650 int count = preempt_count();
67651 ktime_t calltime, delta, rettime;
67652 + const char *msg1 = "", *msg2 = "";
67653
67654 if (initcall_debug) {
67655 - call.caller = task_pid_nr(current);
67656 - printk("calling %pF @ %i\n", fn, call.caller);
67657 + trace_call.caller = task_pid_nr(current);
67658 + printk("calling %pF @ %i\n", fn, trace_call.caller);
67659 calltime = ktime_get();
67660 - trace_boot_call(&call, fn);
67661 + trace_boot_call(&trace_call, fn);
67662 enable_boot_trace();
67663 }
67664
67665 - ret.result = fn();
67666 + trace_ret.result = fn();
67667
67668 if (initcall_debug) {
67669 disable_boot_trace();
67670 rettime = ktime_get();
67671 delta = ktime_sub(rettime, calltime);
67672 - ret.duration = (unsigned long long) ktime_to_ns(delta) >> 10;
67673 - trace_boot_ret(&ret, fn);
67674 + trace_ret.duration = (unsigned long long) ktime_to_ns(delta) >> 10;
67675 + trace_boot_ret(&trace_ret, fn);
67676 printk("initcall %pF returned %d after %Ld usecs\n", fn,
67677 - ret.result, ret.duration);
67678 + trace_ret.result, trace_ret.duration);
67679 }
67680
67681 msgbuf[0] = 0;
67682
67683 - if (ret.result && ret.result != -ENODEV && initcall_debug)
67684 - sprintf(msgbuf, "error code %d ", ret.result);
67685 + if (trace_ret.result && trace_ret.result != -ENODEV && initcall_debug)
67686 + sprintf(msgbuf, "error code %d ", trace_ret.result);
67687
67688 if (preempt_count() != count) {
67689 - strlcat(msgbuf, "preemption imbalance ", sizeof(msgbuf));
67690 + msg1 = " preemption imbalance";
67691 preempt_count() = count;
67692 }
67693 if (irqs_disabled()) {
67694 - strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
67695 + msg2 = " disabled interrupts";
67696 local_irq_enable();
67697 }
67698 - if (msgbuf[0]) {
67699 - printk("initcall %pF returned with %s\n", fn, msgbuf);
67700 + if (msgbuf[0] || *msg1 || *msg2) {
67701 + printk("initcall %pF returned with %s%s%s\n", fn, msgbuf, msg1, msg2);
67702 }
67703
67704 - return ret.result;
67705 + return trace_ret.result;
67706 }
67707
67708
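Review bot: The new format string `"initcall %pF returned with %s%s%s\n"` prints a double space whenever `msg1` or `msg2` is set, because both begin with a space while the literal already has one after `with` and `msgbuf` ends with a trailing space of its own. Writing `"initcall %pF returned with%s%s%s\n"` together with `sprintf(msgbuf, " error code %d", trace_ret.result);` gives single spacing in every combination, which keeps the line stable for anyone matching it in boot logs. The remaining `sprintf` fits the 64-byte `msgbuf` today, but `snprintf(msgbuf, sizeof(msgbuf), ...)` would make the bound explicit.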
67709 @@ -893,11 +938,13 @@ static int __init kernel_init(void * unu
67710 if (!ramdisk_execute_command)
67711 ramdisk_execute_command = "/init";
67712
67713 - if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
67714 + if (sys_access((const char __force_user *) ramdisk_execute_command, 0) != 0) {
67715 ramdisk_execute_command = NULL;
67716 prepare_namespace();
67717 }
67718
67719 + grsecurity_init();
67720 +
67721 /*
67722 * Ok, we have completed the initial bootup, and
67723 * we're essentially up and running. Get rid of the
67724 diff -urNp linux-2.6.32.49/init/noinitramfs.c linux-2.6.32.49/init/noinitramfs.c
67725 --- linux-2.6.32.49/init/noinitramfs.c 2011-11-08 19:02:43.000000000 -0500
67726 +++ linux-2.6.32.49/init/noinitramfs.c 2011-11-15 19:59:43.000000000 -0500
67727 @@ -29,7 +29,7 @@ static int __init default_rootfs(void)
67728 {
67729 int err;
67730
67731 - err = sys_mkdir("/dev", 0755);
67732 + err = sys_mkdir((const char __user *)"/dev", 0755);
67733 if (err < 0)
67734 goto out;
67735
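Review bot: The casts added in `default_rootfs` are written `(const char __user *)` without `__force`, unlike the other kernel-string-to-syscall casts in this patch, which use `__force_user`. If `__force_user` expands to `__force __user`, as its use elsewhere suggests, this hunk and the `"/root"` hunk below will still draw an address-space warning from sparse. `err = sys_mkdir((const char __force_user *)"/dev", 0755);` would match the rest of the series, including the `sys_access` change in init/main.c that replaces exactly this spelling.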
67736 @@ -39,7 +39,7 @@ static int __init default_rootfs(void)
67737 if (err < 0)
67738 goto out;
67739
67740 - err = sys_mkdir("/root", 0700);
67741 + err = sys_mkdir((const char __user *)"/root", 0700);
67742 if (err < 0)
67743 goto out;
67744
67745 diff -urNp linux-2.6.32.49/ipc/mqueue.c linux-2.6.32.49/ipc/mqueue.c
67746 --- linux-2.6.32.49/ipc/mqueue.c 2011-11-08 19:02:43.000000000 -0500
67747 +++ linux-2.6.32.49/ipc/mqueue.c 2011-11-15 19:59:43.000000000 -0500
67748 @@ -150,6 +150,7 @@ static struct inode *mqueue_get_inode(st
67749 mq_bytes = (mq_msg_tblsz +
67750 (info->attr.mq_maxmsg * info->attr.mq_msgsize));
67751
67752 + gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
67753 spin_lock(&mq_lock);
67754 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
67755 u->mq_bytes + mq_bytes >
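Review bot: `gr_learn_resource()` is passed `u->mq_bytes + mq_bytes` before `spin_lock(&mq_lock)` is taken, so `u->mq_bytes` is read outside the lock under which the limit check just below runs. The sum is also handed over before the `u->mq_bytes + mq_bytes < u->mq_bytes` wrap-around test. If the learning code treats that argument as the requested usage, it can record a stale or wrapped value. Unless `gr_learn_resource()` can sleep (its body is not visible here, so this needs confirming), moving the call below `spin_lock(&mq_lock);` and after the overflow test would avoid both problems. `mqueue_get_inode` continues outside the hunk.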
67756 diff -urNp linux-2.6.32.49/ipc/msg.c linux-2.6.32.49/ipc/msg.c
67757 --- linux-2.6.32.49/ipc/msg.c 2011-11-08 19:02:43.000000000 -0500
67758 +++ linux-2.6.32.49/ipc/msg.c 2011-11-15 19:59:43.000000000 -0500
67759 @@ -310,18 +310,19 @@ static inline int msg_security(struct ke
67760 return security_msg_queue_associate(msq, msgflg);
67761 }
67762
67763 +static struct ipc_ops msg_ops = {
67764 + .getnew = newque,
67765 + .associate = msg_security,
67766 + .more_checks = NULL
67767 +};
67768 +
67769 SYSCALL_DEFINE2(msgget, key_t, key, int, msgflg)
67770 {
67771 struct ipc_namespace *ns;
67772 - struct ipc_ops msg_ops;
67773 struct ipc_params msg_params;
67774
67775 ns = current->nsproxy->ipc_ns;
67776
67777 - msg_ops.getnew = newque;
67778 - msg_ops.associate = msg_security;
67779 - msg_ops.more_checks = NULL;
67780 -
67781 msg_params.key = key;
67782 msg_params.flg = msgflg;
67783
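Review bot: `msg_ops` is now a file-scope table of function pointers but is declared `static struct ipc_ops` rather than `static const struct ipc_ops`, so it stays in writable data. Hoisting it out of `msgget` gives one fixed table, and marking it const would let it live in read-only memory. That requires the consumer (presumably `ipcget()`, which is not visible in this hunk) to accept a `const struct ipc_ops *`. The same applies to `sem_ops` in ipc/sem.c and `shm_ops` in ipc/shm.c. `.more_checks = NULL` can also be dropped, since static storage is zero-initialized.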
67784 diff -urNp linux-2.6.32.49/ipc/sem.c linux-2.6.32.49/ipc/sem.c
67785 --- linux-2.6.32.49/ipc/sem.c 2011-11-08 19:02:43.000000000 -0500
67786 +++ linux-2.6.32.49/ipc/sem.c 2011-11-15 19:59:43.000000000 -0500
67787 @@ -309,10 +309,15 @@ static inline int sem_more_checks(struct
67788 return 0;
67789 }
67790
67791 +static struct ipc_ops sem_ops = {
67792 + .getnew = newary,
67793 + .associate = sem_security,
67794 + .more_checks = sem_more_checks
67795 +};
67796 +
67797 SYSCALL_DEFINE3(semget, key_t, key, int, nsems, int, semflg)
67798 {
67799 struct ipc_namespace *ns;
67800 - struct ipc_ops sem_ops;
67801 struct ipc_params sem_params;
67802
67803 ns = current->nsproxy->ipc_ns;
67804 @@ -320,10 +325,6 @@ SYSCALL_DEFINE3(semget, key_t, key, int,
67805 if (nsems < 0 || nsems > ns->sc_semmsl)
67806 return -EINVAL;
67807
67808 - sem_ops.getnew = newary;
67809 - sem_ops.associate = sem_security;
67810 - sem_ops.more_checks = sem_more_checks;
67811 -
67812 sem_params.key = key;
67813 sem_params.flg = semflg;
67814 sem_params.u.nsems = nsems;
67815 @@ -671,6 +672,8 @@ static int semctl_main(struct ipc_namesp
67816 ushort* sem_io = fast_sem_io;
67817 int nsems;
67818
67819 + pax_track_stack();
67820 +
67821 sma = sem_lock_check(ns, semid);
67822 if (IS_ERR(sma))
67823 return PTR_ERR(sma);
67824 @@ -1071,6 +1074,8 @@ SYSCALL_DEFINE4(semtimedop, int, semid,
67825 unsigned long jiffies_left = 0;
67826 struct ipc_namespace *ns;
67827
67828 + pax_track_stack();
67829 +
67830 ns = current->nsproxy->ipc_ns;
67831
67832 if (nsops < 1 || semid < 0)
67833 diff -urNp linux-2.6.32.49/ipc/shm.c linux-2.6.32.49/ipc/shm.c
67834 --- linux-2.6.32.49/ipc/shm.c 2011-11-08 19:02:43.000000000 -0500
67835 +++ linux-2.6.32.49/ipc/shm.c 2011-11-15 19:59:43.000000000 -0500
67836 @@ -70,6 +70,14 @@ static void shm_destroy (struct ipc_name
67837 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
67838 #endif
67839
67840 +#ifdef CONFIG_GRKERNSEC
67841 +extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
67842 + const time_t shm_createtime, const uid_t cuid,
67843 + const int shmid);
67844 +extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
67845 + const time_t shm_createtime);
67846 +#endif
67847 +
67848 void shm_init_ns(struct ipc_namespace *ns)
67849 {
67850 ns->shm_ctlmax = SHMMAX;
67851 @@ -396,6 +404,14 @@ static int newseg(struct ipc_namespace *
67852 shp->shm_lprid = 0;
67853 shp->shm_atim = shp->shm_dtim = 0;
67854 shp->shm_ctim = get_seconds();
67855 +#ifdef CONFIG_GRKERNSEC
67856 + {
67857 + struct timespec timeval;
67858 + do_posix_clock_monotonic_gettime(&timeval);
67859 +
67860 + shp->shm_createtime = timeval.tv_sec;
67861 + }
67862 +#endif
67863 shp->shm_segsz = size;
67864 shp->shm_nattch = 0;
67865 shp->shm_file = file;
67866 @@ -446,18 +462,19 @@ static inline int shm_more_checks(struct
67867 return 0;
67868 }
67869
67870 +static struct ipc_ops shm_ops = {
67871 + .getnew = newseg,
67872 + .associate = shm_security,
67873 + .more_checks = shm_more_checks
67874 +};
67875 +
67876 SYSCALL_DEFINE3(shmget, key_t, key, size_t, size, int, shmflg)
67877 {
67878 struct ipc_namespace *ns;
67879 - struct ipc_ops shm_ops;
67880 struct ipc_params shm_params;
67881
67882 ns = current->nsproxy->ipc_ns;
67883
67884 - shm_ops.getnew = newseg;
67885 - shm_ops.associate = shm_security;
67886 - shm_ops.more_checks = shm_more_checks;
67887 -
67888 shm_params.key = key;
67889 shm_params.flg = shmflg;
67890 shm_params.u.size = size;
67891 @@ -880,9 +897,21 @@ long do_shmat(int shmid, char __user *sh
67892 if (err)
67893 goto out_unlock;
67894
67895 +#ifdef CONFIG_GRKERNSEC
67896 + if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
67897 + shp->shm_perm.cuid, shmid) ||
67898 + !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
67899 + err = -EACCES;
67900 + goto out_unlock;
67901 + }
67902 +#endif
67903 +
67904 path.dentry = dget(shp->shm_file->f_path.dentry);
67905 path.mnt = shp->shm_file->f_path.mnt;
67906 shp->shm_nattch++;
67907 +#ifdef CONFIG_GRKERNSEC
67908 + shp->shm_lapid = current->pid;
67909 +#endif
67910 size = i_size_read(path.dentry->d_inode);
67911 shm_unlock(shp);
67912
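Review bot: `shp->shm_lapid = current->pid;` stores the id of the attaching thread, and that value is later passed to `gr_handle_shmat()` and `gr_chroot_shmat()` next to `shp->shm_cprid`. If `shm_cprid` holds a thread-group id (its assignment is outside this hunk), the two fields are in different id spaces for a multi-threaded attacher, and `shp->shm_lapid = task_tgid_vnr(current);` may be what the helpers expect; this should be confirmed against their implementation. The new check would also benefit from a comment such as `/* deny the attach unless grsecurity allows this creator / last-attacher pair */`, since the meaning of a zero return from the `gr_*` helpers is not evident here. `do_shmat` starts and ends outside the hunk.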
67913 diff -urNp linux-2.6.32.49/kernel/acct.c linux-2.6.32.49/kernel/acct.c
67914 --- linux-2.6.32.49/kernel/acct.c 2011-11-08 19:02:43.000000000 -0500
67915 +++ linux-2.6.32.49/kernel/acct.c 2011-11-15 19:59:43.000000000 -0500
67916 @@ -579,7 +579,7 @@ static void do_acct_process(struct bsd_a
67917 */
67918 flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
67919 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
67920 - file->f_op->write(file, (char *)&ac,
67921 + file->f_op->write(file, (char __force_user *)&ac,
67922 sizeof(acct_t), &file->f_pos);
67923 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
67924 set_fs(fs);
67925 diff -urNp linux-2.6.32.49/kernel/audit.c linux-2.6.32.49/kernel/audit.c
67926 --- linux-2.6.32.49/kernel/audit.c 2011-11-08 19:02:43.000000000 -0500
67927 +++ linux-2.6.32.49/kernel/audit.c 2011-11-15 19:59:43.000000000 -0500
67928 @@ -110,7 +110,7 @@ u32 audit_sig_sid = 0;
67929 3) suppressed due to audit_rate_limit
67930 4) suppressed due to audit_backlog_limit
67931 */
67932 -static atomic_t audit_lost = ATOMIC_INIT(0);
67933 +static atomic_unchecked_t audit_lost = ATOMIC_INIT(0);
67934
67935 /* The netlink socket. */
67936 static struct sock *audit_sock;
67937 @@ -232,7 +232,7 @@ void audit_log_lost(const char *message)
67938 unsigned long now;
67939 int print;
67940
67941 - atomic_inc(&audit_lost);
67942 + atomic_inc_unchecked(&audit_lost);
67943
67944 print = (audit_failure == AUDIT_FAIL_PANIC || !audit_rate_limit);
67945
67946 @@ -251,7 +251,7 @@ void audit_log_lost(const char *message)
67947 printk(KERN_WARNING
67948 "audit: audit_lost=%d audit_rate_limit=%d "
67949 "audit_backlog_limit=%d\n",
67950 - atomic_read(&audit_lost),
67951 + atomic_read_unchecked(&audit_lost),
67952 audit_rate_limit,
67953 audit_backlog_limit);
67954 audit_panic(message);
67955 @@ -691,7 +691,7 @@ static int audit_receive_msg(struct sk_b
67956 status_set.pid = audit_pid;
67957 status_set.rate_limit = audit_rate_limit;
67958 status_set.backlog_limit = audit_backlog_limit;
67959 - status_set.lost = atomic_read(&audit_lost);
67960 + status_set.lost = atomic_read_unchecked(&audit_lost);
67961 status_set.backlog = skb_queue_len(&audit_skb_queue);
67962 audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_GET, 0, 0,
67963 &status_set, sizeof(status_set));
67964 @@ -891,8 +891,10 @@ static int audit_receive_msg(struct sk_b
67965 spin_unlock_irq(&tsk->sighand->siglock);
67966 }
67967 read_unlock(&tasklist_lock);
67968 - audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_TTY_GET, 0, 0,
67969 - &s, sizeof(s));
67970 +
67971 + if (!err)
67972 + audit_send_reply(NETLINK_CB(skb).pid, seq,
67973 + AUDIT_TTY_GET, 0, 0, &s, sizeof(s));
67974 break;
67975 }
67976 case AUDIT_TTY_SET: {
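Review bot: The new `if (!err)` guard has no comment saying why the reply must be skipped on error, and the reason is not obvious from the hunk. `s` appears to be filled in only when the task lookup above succeeds, so replying after a failure would send an unset stack structure to the requester. A comment such as `/* s is only valid if the task lookup succeeded */` above the guard would keep a later cleanup from removing it. The lookup and the declaration of `s` are outside the hunk; zero-initializing `s` where it is declared is worth considering as a second line of defence.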
67977 diff -urNp linux-2.6.32.49/kernel/auditsc.c linux-2.6.32.49/kernel/auditsc.c
67978 --- linux-2.6.32.49/kernel/auditsc.c 2011-11-08 19:02:43.000000000 -0500
67979 +++ linux-2.6.32.49/kernel/auditsc.c 2011-11-15 19:59:43.000000000 -0500
67980 @@ -2113,7 +2113,7 @@ int auditsc_get_stamp(struct audit_conte
67981 }
67982
67983 /* global counter which is incremented every time something logs in */
67984 -static atomic_t session_id = ATOMIC_INIT(0);
67985 +static atomic_unchecked_t session_id = ATOMIC_INIT(0);
67986
67987 /**
67988 * audit_set_loginuid - set a task's audit_context loginuid
67989 @@ -2126,7 +2126,7 @@ static atomic_t session_id = ATOMIC_INIT
67990 */
67991 int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
67992 {
67993 - unsigned int sessionid = atomic_inc_return(&session_id);
67994 + unsigned int sessionid = atomic_inc_return_unchecked(&session_id);
67995 struct audit_context *context = task->audit_context;
67996
67997 if (context && context->in_syscall) {
67998 diff -urNp linux-2.6.32.49/kernel/capability.c linux-2.6.32.49/kernel/capability.c
67999 --- linux-2.6.32.49/kernel/capability.c 2011-11-08 19:02:43.000000000 -0500
68000 +++ linux-2.6.32.49/kernel/capability.c 2011-11-15 19:59:43.000000000 -0500
68001 @@ -305,10 +305,26 @@ int capable(int cap)
68002 BUG();
68003 }
68004
68005 - if (security_capable(cap) == 0) {
68006 + if (security_capable(cap) == 0 && gr_is_capable(cap)) {
68007 current->flags |= PF_SUPERPRIV;
68008 return 1;
68009 }
68010 return 0;
68011 }
68012 +
68013 +int capable_nolog(int cap)
68014 +{
68015 + if (unlikely(!cap_valid(cap))) {
68016 + printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap);
68017 + BUG();
68018 + }
68019 +
68020 + if (security_capable(cap) == 0 && gr_is_capable_nolog(cap)) {
68021 + current->flags |= PF_SUPERPRIV;
68022 + return 1;
68023 + }
68024 + return 0;
68025 +}
68026 +
68027 EXPORT_SYMBOL(capable);
68028 +EXPORT_SYMBOL(capable_nolog);
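Review bot: `capable_nolog()` prints `"capable() called with invalid cap=%u\n"` on an invalid capability, so the KERN_CRIT line names the wrong function; it should read `"capable_nolog() called with invalid cap=%u\n"`. The body is otherwise a copy of `capable()` with only the grsecurity helper swapped, which a shared static helper taking the check function or a flag would avoid. The variant still calls `security_capable(cap)`, so any auditing done by the LSM hook itself is not suppressed. A kernel-doc comment on `capable_nolog()` should say that only the grsecurity-side log is skipped; that reading is inferred from the helper name `gr_is_capable_nolog` and should be confirmed.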
68029 diff -urNp linux-2.6.32.49/kernel/cgroup.c linux-2.6.32.49/kernel/cgroup.c
68030 --- linux-2.6.32.49/kernel/cgroup.c 2011-11-08 19:02:43.000000000 -0500
68031 +++ linux-2.6.32.49/kernel/cgroup.c 2011-11-15 19:59:43.000000000 -0500
68032 @@ -536,6 +536,8 @@ static struct css_set *find_css_set(
68033 struct hlist_head *hhead;
68034 struct cg_cgroup_link *link;
68035
68036 + pax_track_stack();
68037 +
68038 /* First see if we already have a cgroup group that matches
68039 * the desired set */
68040 read_lock(&css_set_lock);
68041 diff -urNp linux-2.6.32.49/kernel/compat.c linux-2.6.32.49/kernel/compat.c
68042 --- linux-2.6.32.49/kernel/compat.c 2011-11-08 19:02:43.000000000 -0500
68043 +++ linux-2.6.32.49/kernel/compat.c 2011-11-15 19:59:43.000000000 -0500
68044 @@ -108,7 +108,7 @@ static long compat_nanosleep_restart(str
68045 mm_segment_t oldfs;
68046 long ret;
68047
68048 - restart->nanosleep.rmtp = (struct timespec __user *) &rmt;
68049 + restart->nanosleep.rmtp = (struct timespec __force_user *) &rmt;
68050 oldfs = get_fs();
68051 set_fs(KERNEL_DS);
68052 ret = hrtimer_nanosleep_restart(restart);
68053 @@ -140,7 +140,7 @@ asmlinkage long compat_sys_nanosleep(str
68054 oldfs = get_fs();
68055 set_fs(KERNEL_DS);
68056 ret = hrtimer_nanosleep(&tu,
68057 - rmtp ? (struct timespec __user *)&rmt : NULL,
68058 + rmtp ? (struct timespec __force_user *)&rmt : NULL,
68059 HRTIMER_MODE_REL, CLOCK_MONOTONIC);
68060 set_fs(oldfs);
68061
68062 @@ -247,7 +247,7 @@ asmlinkage long compat_sys_sigpending(co
68063 mm_segment_t old_fs = get_fs();
68064
68065 set_fs(KERNEL_DS);
68066 - ret = sys_sigpending((old_sigset_t __user *) &s);
68067 + ret = sys_sigpending((old_sigset_t __force_user *) &s);
68068 set_fs(old_fs);
68069 if (ret == 0)
68070 ret = put_user(s, set);
68071 @@ -266,8 +266,8 @@ asmlinkage long compat_sys_sigprocmask(i
68072 old_fs = get_fs();
68073 set_fs(KERNEL_DS);
68074 ret = sys_sigprocmask(how,
68075 - set ? (old_sigset_t __user *) &s : NULL,
68076 - oset ? (old_sigset_t __user *) &s : NULL);
68077 + set ? (old_sigset_t __force_user *) &s : NULL,
68078 + oset ? (old_sigset_t __force_user *) &s : NULL);
68079 set_fs(old_fs);
68080 if (ret == 0)
68081 if (oset)
68082 @@ -310,7 +310,7 @@ asmlinkage long compat_sys_old_getrlimit
68083 mm_segment_t old_fs = get_fs();
68084
68085 set_fs(KERNEL_DS);
68086 - ret = sys_old_getrlimit(resource, &r);
68087 + ret = sys_old_getrlimit(resource, (struct rlimit __force_user *)&r);
68088 set_fs(old_fs);
68089
68090 if (!ret) {
68091 @@ -385,7 +385,7 @@ asmlinkage long compat_sys_getrusage(int
68092 mm_segment_t old_fs = get_fs();
68093
68094 set_fs(KERNEL_DS);
68095 - ret = sys_getrusage(who, (struct rusage __user *) &r);
68096 + ret = sys_getrusage(who, (struct rusage __force_user *) &r);
68097 set_fs(old_fs);
68098
68099 if (ret)
68100 @@ -412,8 +412,8 @@ compat_sys_wait4(compat_pid_t pid, compa
68101 set_fs (KERNEL_DS);
68102 ret = sys_wait4(pid,
68103 (stat_addr ?
68104 - (unsigned int __user *) &status : NULL),
68105 - options, (struct rusage __user *) &r);
68106 + (unsigned int __force_user *) &status : NULL),
68107 + options, (struct rusage __force_user *) &r);
68108 set_fs (old_fs);
68109
68110 if (ret > 0) {
68111 @@ -438,8 +438,8 @@ asmlinkage long compat_sys_waitid(int wh
68112 memset(&info, 0, sizeof(info));
68113
68114 set_fs(KERNEL_DS);
68115 - ret = sys_waitid(which, pid, (siginfo_t __user *)&info, options,
68116 - uru ? (struct rusage __user *)&ru : NULL);
68117 + ret = sys_waitid(which, pid, (siginfo_t __force_user *)&info, options,
68118 + uru ? (struct rusage __force_user *)&ru : NULL);
68119 set_fs(old_fs);
68120
68121 if ((ret < 0) || (info.si_signo == 0))
68122 @@ -569,8 +569,8 @@ long compat_sys_timer_settime(timer_t ti
68123 oldfs = get_fs();
68124 set_fs(KERNEL_DS);
68125 err = sys_timer_settime(timer_id, flags,
68126 - (struct itimerspec __user *) &newts,
68127 - (struct itimerspec __user *) &oldts);
68128 + (struct itimerspec __force_user *) &newts,
68129 + (struct itimerspec __force_user *) &oldts);
68130 set_fs(oldfs);
68131 if (!err && old && put_compat_itimerspec(old, &oldts))
68132 return -EFAULT;
68133 @@ -587,7 +587,7 @@ long compat_sys_timer_gettime(timer_t ti
68134 oldfs = get_fs();
68135 set_fs(KERNEL_DS);
68136 err = sys_timer_gettime(timer_id,
68137 - (struct itimerspec __user *) &ts);
68138 + (struct itimerspec __force_user *) &ts);
68139 set_fs(oldfs);
68140 if (!err && put_compat_itimerspec(setting, &ts))
68141 return -EFAULT;
68142 @@ -606,7 +606,7 @@ long compat_sys_clock_settime(clockid_t
68143 oldfs = get_fs();
68144 set_fs(KERNEL_DS);
68145 err = sys_clock_settime(which_clock,
68146 - (struct timespec __user *) &ts);
68147 + (struct timespec __force_user *) &ts);
68148 set_fs(oldfs);
68149 return err;
68150 }
68151 @@ -621,7 +621,7 @@ long compat_sys_clock_gettime(clockid_t
68152 oldfs = get_fs();
68153 set_fs(KERNEL_DS);
68154 err = sys_clock_gettime(which_clock,
68155 - (struct timespec __user *) &ts);
68156 + (struct timespec __force_user *) &ts);
68157 set_fs(oldfs);
68158 if (!err && put_compat_timespec(&ts, tp))
68159 return -EFAULT;
68160 @@ -638,7 +638,7 @@ long compat_sys_clock_getres(clockid_t w
68161 oldfs = get_fs();
68162 set_fs(KERNEL_DS);
68163 err = sys_clock_getres(which_clock,
68164 - (struct timespec __user *) &ts);
68165 + (struct timespec __force_user *) &ts);
68166 set_fs(oldfs);
68167 if (!err && tp && put_compat_timespec(&ts, tp))
68168 return -EFAULT;
68169 @@ -650,9 +650,9 @@ static long compat_clock_nanosleep_resta
68170 long err;
68171 mm_segment_t oldfs;
68172 struct timespec tu;
68173 - struct compat_timespec *rmtp = restart->nanosleep.compat_rmtp;
68174 + struct compat_timespec __user *rmtp = restart->nanosleep.compat_rmtp;
68175
68176 - restart->nanosleep.rmtp = (struct timespec __user *) &tu;
68177 + restart->nanosleep.rmtp = (struct timespec __force_user *) &tu;
68178 oldfs = get_fs();
68179 set_fs(KERNEL_DS);
68180 err = clock_nanosleep_restart(restart);
68181 @@ -684,8 +684,8 @@ long compat_sys_clock_nanosleep(clockid_
68182 oldfs = get_fs();
68183 set_fs(KERNEL_DS);
68184 err = sys_clock_nanosleep(which_clock, flags,
68185 - (struct timespec __user *) &in,
68186 - (struct timespec __user *) &out);
68187 + (struct timespec __force_user *) &in,
68188 + (struct timespec __force_user *) &out);
68189 set_fs(oldfs);
68190
68191 if ((err == -ERESTART_RESTARTBLOCK) && rmtp &&
68192 diff -urNp linux-2.6.32.49/kernel/configs.c linux-2.6.32.49/kernel/configs.c
68193 --- linux-2.6.32.49/kernel/configs.c 2011-11-08 19:02:43.000000000 -0500
68194 +++ linux-2.6.32.49/kernel/configs.c 2011-11-15 19:59:43.000000000 -0500
68195 @@ -73,8 +73,19 @@ static int __init ikconfig_init(void)
68196 struct proc_dir_entry *entry;
68197
68198 /* create the current config file */
68199 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
68200 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
68201 + entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
68202 + &ikconfig_file_ops);
68203 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
68204 + entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
68205 + &ikconfig_file_ops);
68206 +#endif
68207 +#else
68208 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
68209 &ikconfig_file_ops);
68210 +#endif
68211 +
68212 if (!entry)
68213 return -ENOMEM;
68214
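Review bot: In `ikconfig_init`, the inner `#if`/`#elif` has no branch when `CONFIG_GRKERNSEC_PROC_ADD` is set but none of `CONFIG_GRKERNSEC_PROC_USER`, `CONFIG_GRKERNSEC_HIDESYM` or `CONFIG_GRKERNSEC_PROC_USERGROUP` is. In that case no `proc_create()` call is compiled and `if (!entry)` reads an uninitialized pointer. Kconfig dependencies may rule that combination out, but they are not visible here and the code should not depend on them silently. Adding `#else` followed by `#error "GRKERNSEC_PROC_ADD needs PROC_USER or PROC_USERGROUP"` before the inner `#endif` would turn such a configuration into a build failure.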
68215 diff -urNp linux-2.6.32.49/kernel/cpu.c linux-2.6.32.49/kernel/cpu.c
68216 --- linux-2.6.32.49/kernel/cpu.c 2011-11-08 19:02:43.000000000 -0500
68217 +++ linux-2.6.32.49/kernel/cpu.c 2011-11-15 19:59:43.000000000 -0500
68218 @@ -19,7 +19,7 @@
68219 /* Serializes the updates to cpu_online_mask, cpu_present_mask */
68220 static DEFINE_MUTEX(cpu_add_remove_lock);
68221
68222 -static __cpuinitdata RAW_NOTIFIER_HEAD(cpu_chain);
68223 +static RAW_NOTIFIER_HEAD(cpu_chain);
68224
68225 /* If set, cpu_up and cpu_down will return -EBUSY and do nothing.
68226 * Should always be manipulated under cpu_add_remove_lock
68227 diff -urNp linux-2.6.32.49/kernel/cred.c linux-2.6.32.49/kernel/cred.c
68228 --- linux-2.6.32.49/kernel/cred.c 2011-11-08 19:02:43.000000000 -0500
68229 +++ linux-2.6.32.49/kernel/cred.c 2011-11-15 19:59:43.000000000 -0500
68230 @@ -160,6 +160,8 @@ static void put_cred_rcu(struct rcu_head
68231 */
68232 void __put_cred(struct cred *cred)
68233 {
68234 + pax_track_stack();
68235 +
68236 kdebug("__put_cred(%p{%d,%d})", cred,
68237 atomic_read(&cred->usage),
68238 read_cred_subscribers(cred));
68239 @@ -184,6 +186,8 @@ void exit_creds(struct task_struct *tsk)
68240 {
68241 struct cred *cred;
68242
68243 + pax_track_stack();
68244 +
68245 kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,
68246 atomic_read(&tsk->cred->usage),
68247 read_cred_subscribers(tsk->cred));
68248 @@ -222,6 +226,8 @@ const struct cred *get_task_cred(struct
68249 {
68250 const struct cred *cred;
68251
68252 + pax_track_stack();
68253 +
68254 rcu_read_lock();
68255
68256 do {
68257 @@ -241,6 +247,8 @@ struct cred *cred_alloc_blank(void)
68258 {
68259 struct cred *new;
68260
68261 + pax_track_stack();
68262 +
68263 new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
68264 if (!new)
68265 return NULL;
68266 @@ -289,6 +297,8 @@ struct cred *prepare_creds(void)
68267 const struct cred *old;
68268 struct cred *new;
68269
68270 + pax_track_stack();
68271 +
68272 validate_process_creds();
68273
68274 new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
68275 @@ -335,6 +345,8 @@ struct cred *prepare_exec_creds(void)
68276 struct thread_group_cred *tgcred = NULL;
68277 struct cred *new;
68278
68279 + pax_track_stack();
68280 +
68281 #ifdef CONFIG_KEYS
68282 tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
68283 if (!tgcred)
68284 @@ -441,6 +453,8 @@ int copy_creds(struct task_struct *p, un
68285 struct cred *new;
68286 int ret;
68287
68288 + pax_track_stack();
68289 +
68290 mutex_init(&p->cred_guard_mutex);
68291
68292 if (
68293 @@ -528,6 +542,8 @@ int commit_creds(struct cred *new)
68294 struct task_struct *task = current;
68295 const struct cred *old = task->real_cred;
68296
68297 + pax_track_stack();
68298 +
68299 kdebug("commit_creds(%p{%d,%d})", new,
68300 atomic_read(&new->usage),
68301 read_cred_subscribers(new));
68302 @@ -544,6 +560,8 @@ int commit_creds(struct cred *new)
68303
68304 get_cred(new); /* we will require a ref for the subj creds too */
68305
68306 + gr_set_role_label(task, new->uid, new->gid);
68307 +
68308 /* dumpability changes */
68309 if (old->euid != new->euid ||
68310 old->egid != new->egid ||
68311 @@ -563,10 +581,8 @@ int commit_creds(struct cred *new)
68312 key_fsgid_changed(task);
68313
68314 /* do it
68315 - * - What if a process setreuid()'s and this brings the
68316 - * new uid over his NPROC rlimit? We can check this now
68317 - * cheaply with the new uid cache, so if it matters
68318 - * we should be checking for it. -DaveM
68319 + * RLIMIT_NPROC limits on user->processes have already been checked
68320 + * in set_user().
68321 */
68322 alter_cred_subscribers(new, 2);
68323 if (new->user != old->user)
68324 @@ -606,6 +622,8 @@ EXPORT_SYMBOL(commit_creds);
68325 */
68326 void abort_creds(struct cred *new)
68327 {
68328 + pax_track_stack();
68329 +
68330 kdebug("abort_creds(%p{%d,%d})", new,
68331 atomic_read(&new->usage),
68332 read_cred_subscribers(new));
68333 @@ -629,6 +647,8 @@ const struct cred *override_creds(const
68334 {
68335 const struct cred *old = current->cred;
68336
68337 + pax_track_stack();
68338 +
68339 kdebug("override_creds(%p{%d,%d})", new,
68340 atomic_read(&new->usage),
68341 read_cred_subscribers(new));
68342 @@ -658,6 +678,8 @@ void revert_creds(const struct cred *old
68343 {
68344 const struct cred *override = current->cred;
68345
68346 + pax_track_stack();
68347 +
68348 kdebug("revert_creds(%p{%d,%d})", old,
68349 atomic_read(&old->usage),
68350 read_cred_subscribers(old));
68351 @@ -704,6 +726,8 @@ struct cred *prepare_kernel_cred(struct
68352 const struct cred *old;
68353 struct cred *new;
68354
68355 + pax_track_stack();
68356 +
68357 new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
68358 if (!new)
68359 return NULL;
68360 @@ -758,6 +782,8 @@ EXPORT_SYMBOL(prepare_kernel_cred);
68361 */
68362 int set_security_override(struct cred *new, u32 secid)
68363 {
68364 + pax_track_stack();
68365 +
68366 return security_kernel_act_as(new, secid);
68367 }
68368 EXPORT_SYMBOL(set_security_override);
68369 @@ -777,6 +803,8 @@ int set_security_override_from_ctx(struc
68370 u32 secid;
68371 int ret;
68372
68373 + pax_track_stack();
68374 +
68375 ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
68376 if (ret < 0)
68377 return ret;
68378 diff -urNp linux-2.6.32.49/kernel/exit.c linux-2.6.32.49/kernel/exit.c
68379 --- linux-2.6.32.49/kernel/exit.c 2011-11-08 19:02:43.000000000 -0500
68380 +++ linux-2.6.32.49/kernel/exit.c 2011-11-15 19:59:43.000000000 -0500
68381 @@ -55,6 +55,10 @@
68382 #include <asm/pgtable.h>
68383 #include <asm/mmu_context.h>
68384
68385 +#ifdef CONFIG_GRKERNSEC
68386 +extern rwlock_t grsec_exec_file_lock;
68387 +#endif
68388 +
68389 static void exit_mm(struct task_struct * tsk);
68390
68391 static void __unhash_process(struct task_struct *p)
68392 @@ -174,6 +178,10 @@ void release_task(struct task_struct * p
68393 struct task_struct *leader;
68394 int zap_leader;
68395 repeat:
68396 +#ifdef CONFIG_NET
68397 + gr_del_task_from_ip_table(p);
68398 +#endif
68399 +
68400 tracehook_prepare_release_task(p);
68401 /* don't need to get the RCU readlock here - the process is dead and
68402 * can't be modifying its own credentials */
68403 @@ -341,11 +349,22 @@ static void reparent_to_kthreadd(void)
68404 {
68405 write_lock_irq(&tasklist_lock);
68406
68407 +#ifdef CONFIG_GRKERNSEC
68408 + write_lock(&grsec_exec_file_lock);
68409 + if (current->exec_file) {
68410 + fput(current->exec_file);
68411 + current->exec_file = NULL;
68412 + }
68413 + write_unlock(&grsec_exec_file_lock);
68414 +#endif
68415 +
68416 ptrace_unlink(current);
68417 /* Reparent to init */
68418 current->real_parent = current->parent = kthreadd_task;
68419 list_move_tail(&current->sibling, &current->real_parent->children);
68420
68421 + gr_set_kernel_label(current);
68422 +
68423 /* Set the exit signal to SIGCHLD so we signal init on exit */
68424 current->exit_signal = SIGCHLD;
68425
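Review bot: `fput(current->exec_file)` runs while `grsec_exec_file_lock` is write-held and, in this function, inside the `write_lock_irq(&tasklist_lock)` section, so if it drops the last reference the file's release path would run with interrupts off and spinning locks held. I would detach the pointer under the lock (`struct file *f = current->exec_file; current->exec_file = NULL;`) and call `if (f) fput(f);` once the locks are released; the unlock of `tasklist_lock` is outside this hunk. The same block is repeated verbatim in the daemonize() hunk below (there only under `grsec_exec_file_lock`), so a small shared helper would keep the two in step. Whether `exec_file` can hold the final reference here is not visible from the hunk, so this needs confirming.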
68426 @@ -397,7 +416,7 @@ int allow_signal(int sig)
68427 * know it'll be handled, so that they don't get converted to
68428 * SIGKILL or just silently dropped.
68429 */
68430 - current->sighand->action[(sig)-1].sa.sa_handler = (void __user *)2;
68431 + current->sighand->action[(sig)-1].sa.sa_handler = (__force void __user *)2;
68432 recalc_sigpending();
68433 spin_unlock_irq(&current->sighand->siglock);
68434 return 0;
68435 @@ -433,6 +452,17 @@ void daemonize(const char *name, ...)
68436 vsnprintf(current->comm, sizeof(current->comm), name, args);
68437 va_end(args);
68438
68439 +#ifdef CONFIG_GRKERNSEC
68440 + write_lock(&grsec_exec_file_lock);
68441 + if (current->exec_file) {
68442 + fput(current->exec_file);
68443 + current->exec_file = NULL;
68444 + }
68445 + write_unlock(&grsec_exec_file_lock);
68446 +#endif
68447 +
68448 + gr_set_kernel_label(current);
68449 +
68450 /*
68451 * If we were started as result of loading a module, close all of the
68452 * user space pages. We don't need them, and if we didn't close them
68453 @@ -897,17 +927,17 @@ NORET_TYPE void do_exit(long code)
68454 struct task_struct *tsk = current;
68455 int group_dead;
68456
68457 - profile_task_exit(tsk);
68458 -
68459 - WARN_ON(atomic_read(&tsk->fs_excl));
68460 -
68461 + /*
68462 + * Check this first since set_fs() below depends on
68463 + * current_thread_info(), which we better not access when we're in
68464 + * interrupt context. Other than that, we want to do the set_fs()
68465 + * as early as possible.
68466 + */
68467 if (unlikely(in_interrupt()))
68468 panic("Aiee, killing interrupt handler!");
68469 - if (unlikely(!tsk->pid))
68470 - panic("Attempted to kill the idle task!");
68471
68472 /*
68473 - * If do_exit is called because this processes oopsed, it's possible
68474 + * If do_exit is called because this processes Oops'ed, it's possible
68475 * that get_fs() was left as KERNEL_DS, so reset it to USER_DS before
68476 * continuing. Amongst other possible reasons, this is to prevent
68477 * mm_release()->clear_child_tid() from writing to a user-controlled
68478 @@ -915,6 +945,13 @@ NORET_TYPE void do_exit(long code)
68479 */
68480 set_fs(USER_DS);
68481
68482 + profile_task_exit(tsk);
68483 +
68484 + WARN_ON(atomic_read(&tsk->fs_excl));
68485 +
68486 + if (unlikely(!tsk->pid))
68487 + panic("Attempted to kill the idle task!");
68488 +
68489 tracehook_report_exit(&code);
68490
68491 validate_creds_for_do_exit(tsk);
68492 @@ -973,6 +1010,9 @@ NORET_TYPE void do_exit(long code)
68493 tsk->exit_code = code;
68494 taskstats_exit(tsk, group_dead);
68495
68496 + gr_acl_handle_psacct(tsk, code);
68497 + gr_acl_handle_exit();
68498 +
68499 exit_mm(tsk);
68500
68501 if (group_dead)
68502 @@ -1188,7 +1228,7 @@ static int wait_task_zombie(struct wait_
68503
68504 if (unlikely(wo->wo_flags & WNOWAIT)) {
68505 int exit_code = p->exit_code;
68506 - int why, status;
68507 + int why;
68508
68509 get_task_struct(p);
68510 read_unlock(&tasklist_lock);
68511 diff -urNp linux-2.6.32.49/kernel/fork.c linux-2.6.32.49/kernel/fork.c
68512 --- linux-2.6.32.49/kernel/fork.c 2011-11-08 19:02:43.000000000 -0500
68513 +++ linux-2.6.32.49/kernel/fork.c 2011-11-15 19:59:43.000000000 -0500
68514 @@ -253,7 +253,7 @@ static struct task_struct *dup_task_stru
68515 *stackend = STACK_END_MAGIC; /* for overflow detection */
68516
68517 #ifdef CONFIG_CC_STACKPROTECTOR
68518 - tsk->stack_canary = get_random_int();
68519 + tsk->stack_canary = pax_get_random_long();
68520 #endif
68521
68522 /* One for us, one for whoever does the "release_task()" (usually parent) */
68523 @@ -293,8 +293,8 @@ static int dup_mmap(struct mm_struct *mm
68524 mm->locked_vm = 0;
68525 mm->mmap = NULL;
68526 mm->mmap_cache = NULL;
68527 - mm->free_area_cache = oldmm->mmap_base;
68528 - mm->cached_hole_size = ~0UL;
68529 + mm->free_area_cache = oldmm->free_area_cache;
68530 + mm->cached_hole_size = oldmm->cached_hole_size;
68531 mm->map_count = 0;
68532 cpumask_clear(mm_cpumask(mm));
68533 mm->mm_rb = RB_ROOT;
68534 @@ -335,6 +335,7 @@ static int dup_mmap(struct mm_struct *mm
68535 tmp->vm_flags &= ~VM_LOCKED;
68536 tmp->vm_mm = mm;
68537 tmp->vm_next = tmp->vm_prev = NULL;
68538 + tmp->vm_mirror = NULL;
68539 anon_vma_link(tmp);
68540 file = tmp->vm_file;
68541 if (file) {
68542 @@ -384,6 +385,31 @@ static int dup_mmap(struct mm_struct *mm
68543 if (retval)
68544 goto out;
68545 }
68546 +
68547 +#ifdef CONFIG_PAX_SEGMEXEC
68548 + if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
68549 + struct vm_area_struct *mpnt_m;
68550 +
68551 + for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
68552 + BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
68553 +
68554 + if (!mpnt->vm_mirror)
68555 + continue;
68556 +
68557 + if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
68558 + BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
68559 + mpnt->vm_mirror = mpnt_m;
68560 + } else {
68561 + BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
68562 + mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
68563 + mpnt_m->vm_mirror->vm_mirror = mpnt_m;
68564 + mpnt->vm_mirror->vm_mirror = mpnt;
68565 + }
68566 + }
68567 + BUG_ON(mpnt_m);
68568 + }
68569 +#endif
68570 +
68571 /* a new mm has just been created */
68572 arch_dup_mmap(oldmm, mm);
68573 retval = 0;
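Review bot: The SEGMEXEC loop needs a comment, because it temporarily rewrites the parent's `vm_mirror` links. For a VMA below `SEGMEXEC_TASK_SIZE` it stores the child's VMA in `mpnt->vm_mirror`, and only when the upper-half mirror is reached does `mpnt->vm_mirror->vm_mirror = mpnt` put the parent's link back. That depends on each lower-half VMA being visited before its mirror and on nothing else reading the parent's mirrors meanwhile, neither of which the hunk states. Something like `/* parent's lower-half vm_mirror is borrowed to carry the child VMA until its upper-half mirror is reached, then restored */` above the loop would do. dup_mmap() begins and ends outside this hunk, so the locking that makes this safe is not visible here.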
68574 @@ -734,13 +760,14 @@ static int copy_fs(unsigned long clone_f
68575 write_unlock(&fs->lock);
68576 return -EAGAIN;
68577 }
68578 - fs->users++;
68579 + atomic_inc(&fs->users);
68580 write_unlock(&fs->lock);
68581 return 0;
68582 }
68583 tsk->fs = copy_fs_struct(fs);
68584 if (!tsk->fs)
68585 return -ENOMEM;
68586 + gr_set_chroot_entries(tsk, &tsk->fs->root);
68587 return 0;
68588 }
68589
68590 @@ -1033,12 +1060,16 @@ static struct task_struct *copy_process(
68591 DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
68592 #endif
68593 retval = -EAGAIN;
68594 +
68595 + gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
68596 +
68597 if (atomic_read(&p->real_cred->user->processes) >=
68598 p->signal->rlim[RLIMIT_NPROC].rlim_cur) {
68599 - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
68600 - p->real_cred->user != INIT_USER)
68601 + if (p->real_cred->user != INIT_USER &&
68602 + !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN))
68603 goto bad_fork_free;
68604 }
68605 + current->flags &= ~PF_NPROC_EXCEEDED;
68606
68607 retval = copy_creds(p, clone_flags);
68608 if (retval < 0)
68609 @@ -1183,6 +1214,8 @@ static struct task_struct *copy_process(
68610 goto bad_fork_free_pid;
68611 }
68612
68613 + gr_copy_label(p);
68614 +
68615 p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
68616 /*
68617 * Clear TID on mm_release()?
68618 @@ -1333,6 +1366,8 @@ bad_fork_cleanup_count:
68619 bad_fork_free:
68620 free_task(p);
68621 fork_out:
68622 + gr_log_forkfail(retval);
68623 +
68624 return ERR_PTR(retval);
68625 }
68626
68627 @@ -1426,6 +1461,8 @@ long do_fork(unsigned long clone_flags,
68628 if (clone_flags & CLONE_PARENT_SETTID)
68629 put_user(nr, parent_tidptr);
68630
68631 + gr_handle_brute_check();
68632 +
68633 if (clone_flags & CLONE_VFORK) {
68634 p->vfork_done = &vfork;
68635 init_completion(&vfork);
68636 @@ -1558,7 +1595,7 @@ static int unshare_fs(unsigned long unsh
68637 return 0;
68638
68639 /* don't need lock here; in the worst case we'll do useless copy */
68640 - if (fs->users == 1)
68641 + if (atomic_read(&fs->users) == 1)
68642 return 0;
68643
68644 *new_fsp = copy_fs_struct(fs);
68645 @@ -1681,7 +1718,8 @@ SYSCALL_DEFINE1(unshare, unsigned long,
68646 fs = current->fs;
68647 write_lock(&fs->lock);
68648 current->fs = new_fs;
68649 - if (--fs->users)
68650 + gr_set_chroot_entries(current, &current->fs->root);
68651 + if (atomic_dec_return(&fs->users))
68652 new_fs = NULL;
68653 else
68654 new_fs = fs;
68655 diff -urNp linux-2.6.32.49/kernel/futex.c linux-2.6.32.49/kernel/futex.c
68656 --- linux-2.6.32.49/kernel/futex.c 2011-11-08 19:02:43.000000000 -0500
68657 +++ linux-2.6.32.49/kernel/futex.c 2011-11-15 19:59:43.000000000 -0500
68658 @@ -54,6 +54,7 @@
68659 #include <linux/mount.h>
68660 #include <linux/pagemap.h>
68661 #include <linux/syscalls.h>
68662 +#include <linux/ptrace.h>
68663 #include <linux/signal.h>
68664 #include <linux/module.h>
68665 #include <linux/magic.h>
68666 @@ -223,6 +224,11 @@ get_futex_key(u32 __user *uaddr, int fsh
68667 struct page *page;
68668 int err, ro = 0;
68669
68670 +#ifdef CONFIG_PAX_SEGMEXEC
68671 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
68672 + return -EFAULT;
68673 +#endif
68674 +
68675 /*
68676 * The futex address must be "naturally" aligned.
68677 */
68678 @@ -1819,6 +1825,8 @@ static int futex_wait(u32 __user *uaddr,
68679 struct futex_q q;
68680 int ret;
68681
68682 + pax_track_stack();
68683 +
68684 if (!bitset)
68685 return -EINVAL;
68686
68687 @@ -1871,7 +1879,7 @@ retry:
68688
68689 restart = &current_thread_info()->restart_block;
68690 restart->fn = futex_wait_restart;
68691 - restart->futex.uaddr = (u32 *)uaddr;
68692 + restart->futex.uaddr = uaddr;
68693 restart->futex.val = val;
68694 restart->futex.time = abs_time->tv64;
68695 restart->futex.bitset = bitset;
68696 @@ -2233,6 +2241,8 @@ static int futex_wait_requeue_pi(u32 __u
68697 struct futex_q q;
68698 int res, ret;
68699
68700 + pax_track_stack();
68701 +
68702 if (!bitset)
68703 return -EINVAL;
68704
68705 @@ -2407,7 +2417,9 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
68706 {
68707 struct robust_list_head __user *head;
68708 unsigned long ret;
68709 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
68710 const struct cred *cred = current_cred(), *pcred;
68711 +#endif
68712
68713 if (!futex_cmpxchg_enabled)
68714 return -ENOSYS;
68715 @@ -2423,11 +2435,16 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
68716 if (!p)
68717 goto err_unlock;
68718 ret = -EPERM;
68719 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
68720 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
68721 + goto err_unlock;
68722 +#else
68723 pcred = __task_cred(p);
68724 if (cred->euid != pcred->euid &&
68725 cred->euid != pcred->uid &&
68726 !capable(CAP_SYS_PTRACE))
68727 goto err_unlock;
68728 +#endif
68729 head = p->robust_list;
68730 rcu_read_unlock();
68731 }
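Review bot: The `#else` branch still decides access from `euid`/`uid` equality alone, so with CONFIG_GRKERNSEC_PROC_MEMMAP off the robust-list pointer is returned without the checks `ptrace_may_access()` applies. That pointer is a user-space address of the target task, which is the kind of layout information the new branch protects. Unless there is a compatibility reason to keep the old test, I would drop the `#ifdef` and use `if (!ptrace_may_access(p, PTRACE_MODE_READ)) goto err_unlock;` unconditionally, which also removes the conditional `cred`/`pcred` declarations in the previous hunk. The same applies to the compat_sys_get_robust_list() hunk in kernel/futex_compat.c.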
68732 @@ -2489,7 +2506,7 @@ retry:
68733 */
68734 static inline int fetch_robust_entry(struct robust_list __user **entry,
68735 struct robust_list __user * __user *head,
68736 - int *pi)
68737 + unsigned int *pi)
68738 {
68739 unsigned long uentry;
68740
68741 @@ -2670,6 +2687,7 @@ static int __init futex_init(void)
68742 {
68743 u32 curval;
68744 int i;
68745 + mm_segment_t oldfs;
68746
68747 /*
68748 * This will fail and we want it. Some arch implementations do
68749 @@ -2681,7 +2699,10 @@ static int __init futex_init(void)
68750 * implementation, the non functional ones will return
68751 * -ENOSYS.
68752 */
68753 + oldfs = get_fs();
68754 + set_fs(USER_DS);
68755 curval = cmpxchg_futex_value_locked(NULL, 0, 0);
68756 + set_fs(oldfs);
68757 if (curval == -EFAULT)
68758 futex_cmpxchg_enabled = 1;
68759
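Review bot: The `set_fs(USER_DS)` / `set_fs(oldfs)` pair around the probe has no explanation, and the existing comment above it only says the call is expected to fail. Presumably the NULL access must be judged against the user address limit rather than whatever limit is active during init. A line such as `/* probe with the user address limit so the NULL access faults instead of being treated as a kernel address */` would record that. futex_init() begins in the previous hunk and continues past this one.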
68760 diff -urNp linux-2.6.32.49/kernel/futex_compat.c linux-2.6.32.49/kernel/futex_compat.c
68761 --- linux-2.6.32.49/kernel/futex_compat.c 2011-11-08 19:02:43.000000000 -0500
68762 +++ linux-2.6.32.49/kernel/futex_compat.c 2011-11-15 19:59:43.000000000 -0500
68763 @@ -10,6 +10,7 @@
68764 #include <linux/compat.h>
68765 #include <linux/nsproxy.h>
68766 #include <linux/futex.h>
68767 +#include <linux/ptrace.h>
68768
68769 #include <asm/uaccess.h>
68770
68771 @@ -135,7 +136,10 @@ compat_sys_get_robust_list(int pid, comp
68772 {
68773 struct compat_robust_list_head __user *head;
68774 unsigned long ret;
68775 - const struct cred *cred = current_cred(), *pcred;
68776 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
68777 + const struct cred *cred = current_cred();
68778 + const struct cred *pcred;
68779 +#endif
68780
68781 if (!futex_cmpxchg_enabled)
68782 return -ENOSYS;
68783 @@ -151,11 +155,16 @@ compat_sys_get_robust_list(int pid, comp
68784 if (!p)
68785 goto err_unlock;
68786 ret = -EPERM;
68787 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
68788 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
68789 + goto err_unlock;
68790 +#else
68791 pcred = __task_cred(p);
68792 if (cred->euid != pcred->euid &&
68793 cred->euid != pcred->uid &&
68794 !capable(CAP_SYS_PTRACE))
68795 goto err_unlock;
68796 +#endif
68797 head = p->compat_robust_list;
68798 read_unlock(&tasklist_lock);
68799 }
68800 diff -urNp linux-2.6.32.49/kernel/gcov/base.c linux-2.6.32.49/kernel/gcov/base.c
68801 --- linux-2.6.32.49/kernel/gcov/base.c 2011-11-08 19:02:43.000000000 -0500
68802 +++ linux-2.6.32.49/kernel/gcov/base.c 2011-11-15 19:59:43.000000000 -0500
68803 @@ -102,11 +102,6 @@ void gcov_enable_events(void)
68804 }
68805
68806 #ifdef CONFIG_MODULES
68807 -static inline int within(void *addr, void *start, unsigned long size)
68808 -{
68809 - return ((addr >= start) && (addr < start + size));
68810 -}
68811 -
68812 /* Update list and generate events when modules are unloaded. */
68813 static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
68814 void *data)
68815 @@ -121,7 +116,7 @@ static int gcov_module_notifier(struct n
68816 prev = NULL;
68817 /* Remove entries located in module from linked list. */
68818 for (info = gcov_info_head; info; info = info->next) {
68819 - if (within(info, mod->module_core, mod->core_size)) {
68820 + if (within_module_core_rw((unsigned long)info, mod)) {
68821 if (prev)
68822 prev->next = info->next;
68823 else
68824 diff -urNp linux-2.6.32.49/kernel/hrtimer.c linux-2.6.32.49/kernel/hrtimer.c
68825 --- linux-2.6.32.49/kernel/hrtimer.c 2011-11-08 19:02:43.000000000 -0500
68826 +++ linux-2.6.32.49/kernel/hrtimer.c 2011-11-15 19:59:43.000000000 -0500
68827 @@ -1391,7 +1391,7 @@ void hrtimer_peek_ahead_timers(void)
68828 local_irq_restore(flags);
68829 }
68830
68831 -static void run_hrtimer_softirq(struct softirq_action *h)
68832 +static void run_hrtimer_softirq(void)
68833 {
68834 hrtimer_peek_ahead_timers();
68835 }
68836 diff -urNp linux-2.6.32.49/kernel/kallsyms.c linux-2.6.32.49/kernel/kallsyms.c
68837 --- linux-2.6.32.49/kernel/kallsyms.c 2011-11-08 19:02:43.000000000 -0500
68838 +++ linux-2.6.32.49/kernel/kallsyms.c 2011-11-15 19:59:43.000000000 -0500
68839 @@ -11,6 +11,9 @@
68840 * Changed the compression method from stem compression to "table lookup"
68841 * compression (see scripts/kallsyms.c for a more complete description)
68842 */
68843 +#ifdef CONFIG_GRKERNSEC_HIDESYM
68844 +#define __INCLUDED_BY_HIDESYM 1
68845 +#endif
68846 #include <linux/kallsyms.h>
68847 #include <linux/module.h>
68848 #include <linux/init.h>
68849 @@ -51,12 +54,33 @@ extern const unsigned long kallsyms_mark
68850
68851 static inline int is_kernel_inittext(unsigned long addr)
68852 {
68853 + if (system_state != SYSTEM_BOOTING)
68854 + return 0;
68855 +
68856 if (addr >= (unsigned long)_sinittext
68857 && addr <= (unsigned long)_einittext)
68858 return 1;
68859 return 0;
68860 }
68861
68862 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
68863 +#ifdef CONFIG_MODULES
68864 +static inline int is_module_text(unsigned long addr)
68865 +{
68866 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END)
68867 + return 1;
68868 +
68869 + addr = ktla_ktva(addr);
68870 + return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END;
68871 +}
68872 +#else
68873 +static inline int is_module_text(unsigned long addr)
68874 +{
68875 + return 0;
68876 +}
68877 +#endif
68878 +#endif
68879 +
68880 static inline int is_kernel_text(unsigned long addr)
68881 {
68882 if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) ||
68883 @@ -67,13 +91,28 @@ static inline int is_kernel_text(unsigne
68884
68885 static inline int is_kernel(unsigned long addr)
68886 {
68887 +
68888 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
68889 + if (is_kernel_text(addr) || is_kernel_inittext(addr))
68890 + return 1;
68891 +
68892 + if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end)
68893 +#else
68894 if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
68895 +#endif
68896 +
68897 return 1;
68898 return in_gate_area_no_task(addr);
68899 }
68900
68901 static int is_ksym_addr(unsigned long addr)
68902 {
68903 +
68904 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
68905 + if (is_module_text(addr))
68906 + return 0;
68907 +#endif
68908 +
68909 if (all_var)
68910 return is_kernel(addr);
68911
68912 @@ -413,7 +452,6 @@ static unsigned long get_ksymbol_core(st
68913
68914 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
68915 {
68916 - iter->name[0] = '\0';
68917 iter->nameoff = get_symbol_offset(new_pos);
68918 iter->pos = new_pos;
68919 }
68920 @@ -461,6 +499,11 @@ static int s_show(struct seq_file *m, vo
68921 {
68922 struct kallsym_iter *iter = m->private;
68923
68924 +#ifdef CONFIG_GRKERNSEC_HIDESYM
68925 + if (current_uid())
68926 + return 0;
68927 +#endif
68928 +
68929 /* Some debugging symbols have no name. Ignore them. */
68930 if (!iter->name[0])
68931 return 0;
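Review bot: The HIDESYM check in s_show() tests `current_uid()` on every read, so the decision follows whichever task performs the read rather than the opener, and it keys on uid 0 rather than on a capability. Non-root readers get a successful but empty listing, which is easy to misread as a kernel built without symbols. I would state that in a comment, e.g. `/* HIDESYM: only uid 0 sees symbols; others get an empty listing, decided per read */`. s_show() continues outside this hunk.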
68932 @@ -501,7 +544,7 @@ static int kallsyms_open(struct inode *i
68933 struct kallsym_iter *iter;
68934 int ret;
68935
68936 - iter = kmalloc(sizeof(*iter), GFP_KERNEL);
68937 + iter = kzalloc(sizeof(*iter), GFP_KERNEL);
68938 if (!iter)
68939 return -ENOMEM;
68940 reset_iter(iter, 0);
68941 diff -urNp linux-2.6.32.49/kernel/kexec.c linux-2.6.32.49/kernel/kexec.c
68942 --- linux-2.6.32.49/kernel/kexec.c 2011-11-08 19:02:43.000000000 -0500
68943 +++ linux-2.6.32.49/kernel/kexec.c 2011-11-15 19:59:43.000000000 -0500
68944 @@ -1028,7 +1028,8 @@ asmlinkage long compat_sys_kexec_load(un
68945 unsigned long flags)
68946 {
68947 struct compat_kexec_segment in;
68948 - struct kexec_segment out, __user *ksegments;
68949 + struct kexec_segment out;
68950 + struct kexec_segment __user *ksegments;
68951 unsigned long i, result;
68952
68953 /* Don't allow clients that don't understand the native
68954 diff -urNp linux-2.6.32.49/kernel/kgdb.c linux-2.6.32.49/kernel/kgdb.c
68955 --- linux-2.6.32.49/kernel/kgdb.c 2011-11-08 19:02:43.000000000 -0500
68956 +++ linux-2.6.32.49/kernel/kgdb.c 2011-11-15 19:59:43.000000000 -0500
68957 @@ -86,7 +86,7 @@ static int kgdb_io_module_registered;
68958 /* Guard for recursive entry */
68959 static int exception_level;
68960
68961 -static struct kgdb_io *kgdb_io_ops;
68962 +static const struct kgdb_io *kgdb_io_ops;
68963 static DEFINE_SPINLOCK(kgdb_registration_lock);
68964
68965 /* kgdb console driver is loaded */
68966 @@ -123,7 +123,7 @@ atomic_t kgdb_active = ATOMIC_INIT(-1)
68967 */
68968 static atomic_t passive_cpu_wait[NR_CPUS];
68969 static atomic_t cpu_in_kgdb[NR_CPUS];
68970 -atomic_t kgdb_setting_breakpoint;
68971 +atomic_unchecked_t kgdb_setting_breakpoint;
68972
68973 struct task_struct *kgdb_usethread;
68974 struct task_struct *kgdb_contthread;
68975 @@ -140,7 +140,7 @@ static unsigned long gdb_regs[(NUMREGBY
68976 sizeof(unsigned long)];
68977
68978 /* to keep track of the CPU which is doing the single stepping*/
68979 -atomic_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
68980 +atomic_unchecked_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
68981
68982 /*
68983 * If you are debugging a problem where roundup (the collection of
68984 @@ -815,7 +815,7 @@ static int kgdb_io_ready(int print_wait)
68985 return 0;
68986 if (kgdb_connected)
68987 return 1;
68988 - if (atomic_read(&kgdb_setting_breakpoint))
68989 + if (atomic_read_unchecked(&kgdb_setting_breakpoint))
68990 return 1;
68991 if (print_wait)
68992 printk(KERN_CRIT "KGDB: Waiting for remote debugger\n");
68993 @@ -1426,8 +1426,8 @@ acquirelock:
68994 * instance of the exception handler wanted to come into the
68995 * debugger on a different CPU via a single step
68996 */
68997 - if (atomic_read(&kgdb_cpu_doing_single_step) != -1 &&
68998 - atomic_read(&kgdb_cpu_doing_single_step) != cpu) {
68999 + if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1 &&
69000 + atomic_read_unchecked(&kgdb_cpu_doing_single_step) != cpu) {
69001
69002 atomic_set(&kgdb_active, -1);
69003 touch_softlockup_watchdog();
69004 @@ -1634,7 +1634,7 @@ static void kgdb_initial_breakpoint(void
69005 *
69006 * Register it with the KGDB core.
69007 */
69008 -int kgdb_register_io_module(struct kgdb_io *new_kgdb_io_ops)
69009 +int kgdb_register_io_module(const struct kgdb_io *new_kgdb_io_ops)
69010 {
69011 int err;
69012
69013 @@ -1679,7 +1679,7 @@ EXPORT_SYMBOL_GPL(kgdb_register_io_modul
69014 *
69015 * Unregister it with the KGDB core.
69016 */
69017 -void kgdb_unregister_io_module(struct kgdb_io *old_kgdb_io_ops)
69018 +void kgdb_unregister_io_module(const struct kgdb_io *old_kgdb_io_ops)
69019 {
69020 BUG_ON(kgdb_connected);
69021
69022 @@ -1712,11 +1712,11 @@ EXPORT_SYMBOL_GPL(kgdb_unregister_io_mod
69023 */
69024 void kgdb_breakpoint(void)
69025 {
69026 - atomic_set(&kgdb_setting_breakpoint, 1);
69027 + atomic_set_unchecked(&kgdb_setting_breakpoint, 1);
69028 wmb(); /* Sync point before breakpoint */
69029 arch_kgdb_breakpoint();
69030 wmb(); /* Sync point after breakpoint */
69031 - atomic_set(&kgdb_setting_breakpoint, 0);
69032 + atomic_set_unchecked(&kgdb_setting_breakpoint, 0);
69033 }
69034 EXPORT_SYMBOL_GPL(kgdb_breakpoint);
69035
69036 diff -urNp linux-2.6.32.49/kernel/kmod.c linux-2.6.32.49/kernel/kmod.c
69037 --- linux-2.6.32.49/kernel/kmod.c 2011-11-08 19:02:43.000000000 -0500
69038 +++ linux-2.6.32.49/kernel/kmod.c 2011-11-15 19:59:43.000000000 -0500
69039 @@ -65,13 +65,12 @@ char modprobe_path[KMOD_PATH_LEN] = "/sb
69040 * If module auto-loading support is disabled then this function
69041 * becomes a no-operation.
69042 */
69043 -int __request_module(bool wait, const char *fmt, ...)
69044 +static int ____request_module(bool wait, char *module_param, const char *fmt, va_list ap)
69045 {
69046 - va_list args;
69047 char module_name[MODULE_NAME_LEN];
69048 unsigned int max_modprobes;
69049 int ret;
69050 - char *argv[] = { modprobe_path, "-q", "--", module_name, NULL };
69051 + char *argv[] = { modprobe_path, "-q", "--", module_name, module_param, NULL };
69052 static char *envp[] = { "HOME=/",
69053 "TERM=linux",
69054 "PATH=/sbin:/usr/sbin:/bin:/usr/bin",
69055 @@ -84,12 +83,24 @@ int __request_module(bool wait, const ch
69056 if (ret)
69057 return ret;
69058
69059 - va_start(args, fmt);
69060 - ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
69061 - va_end(args);
69062 + ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, ap);
69063 if (ret >= MODULE_NAME_LEN)
69064 return -ENAMETOOLONG;
69065
69066 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
69067 + if (!current_uid()) {
69068 + /* hack to workaround consolekit/udisks stupidity */
69069 + read_lock(&tasklist_lock);
69070 + if (!strcmp(current->comm, "mount") &&
69071 + current->real_parent && !strncmp(current->real_parent->comm, "udisk", 5)) {
69072 + read_unlock(&tasklist_lock);
69073 + printk(KERN_ALERT "grsec: denied attempt to auto-load fs module %.64s by udisks\n", module_name);
69074 + return -EPERM;
69075 + }
69076 + read_unlock(&tasklist_lock);
69077 + }
69078 +#endif
69079 +
69080 /* If modprobe needs a service that is in a module, we get a recursive
69081 * loop. Limit the number of running kmod threads to max_threads/2 or
69082 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
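Review bot: The udisks exception identifies the caller by `current->comm` and `current->real_parent->comm`, which are names a task can set for itself rather than an identity, so the rule only covers processes that keep those names. The comment `/* hack to workaround consolekit/udisks stupidity */` does not say what is denied or why. Judging by the log message, I would replace it with `/* refuse fs module auto-load for a root "mount" spawned by udisks; the comm match is a heuristic, not an access-control decision */`. The `printk(KERN_ALERT ...)` fires on every denial with no rate limit, which is worth confirming as intended. ____request_module() continues outside this hunk.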
69083 @@ -123,6 +134,48 @@ int __request_module(bool wait, const ch
69084 atomic_dec(&kmod_concurrent);
69085 return ret;
69086 }
69087 +
69088 +int ___request_module(bool wait, char *module_param, const char *fmt, ...)
69089 +{
69090 + va_list args;
69091 + int ret;
69092 +
69093 + va_start(args, fmt);
69094 + ret = ____request_module(wait, module_param, fmt, args);
69095 + va_end(args);
69096 +
69097 + return ret;
69098 +}
69099 +
69100 +int __request_module(bool wait, const char *fmt, ...)
69101 +{
69102 + va_list args;
69103 + int ret;
69104 +
69105 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
69106 + if (current_uid()) {
69107 + char module_param[MODULE_NAME_LEN];
69108 +
69109 + memset(module_param, 0, sizeof(module_param));
69110 +
69111 + snprintf(module_param, sizeof(module_param) - 1, "grsec_modharden_normal%u_", current_uid());
69112 +
69113 + va_start(args, fmt);
69114 + ret = ____request_module(wait, module_param, fmt, args);
69115 + va_end(args);
69116 +
69117 + return ret;
69118 + }
69119 +#endif
69120 +
69121 + va_start(args, fmt);
69122 + ret = ____request_module(wait, NULL, fmt, args);
69123 + va_end(args);
69124 +
69125 + return ret;
69126 +}
69127 +
69128 +
69129 EXPORT_SYMBOL(__request_module);
69130 #endif /* CONFIG_MODULES */
69131
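Review bot: `___request_module()` and the new `module_param` argument have no comment, so the contract is only implied by `argv` in the earlier hunk: the string is passed to modprobe as one more argument after the module name, and `NULL` means none. A short kernel-doc block on `___request_module()` should say that, and that `__request_module()` supplies `grsec_modharden_normal<uid>_` for non-root callers under CONFIG_GRKERNSEC_MODHARDEN. In `__request_module()` the `memset()` plus `sizeof(module_param) - 1` is redundant because `snprintf()` always terminates; `snprintf(module_param, sizeof(module_param), "grsec_modharden_normal%u_", current_uid());` is enough. Only `__request_module` is exported in this hunk, so confirm that no modular caller needs `___request_module`.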
69132 @@ -228,7 +281,7 @@ static int wait_for_helper(void *data)
69133 *
69134 * Thus the __user pointer cast is valid here.
69135 */
69136 - sys_wait4(pid, (int __user *)&ret, 0, NULL);
69137 + sys_wait4(pid, (int __force_user *)&ret, 0, NULL);
69138
69139 /*
69140 * If ret is 0, either ____call_usermodehelper failed and the
69141 diff -urNp linux-2.6.32.49/kernel/kprobes.c linux-2.6.32.49/kernel/kprobes.c
69142 --- linux-2.6.32.49/kernel/kprobes.c 2011-11-08 19:02:43.000000000 -0500
69143 +++ linux-2.6.32.49/kernel/kprobes.c 2011-11-15 19:59:43.000000000 -0500
69144 @@ -183,7 +183,7 @@ static kprobe_opcode_t __kprobes *__get_
69145 * kernel image and loaded module images reside. This is required
69146 * so x86_64 can correctly handle the %rip-relative fixups.
69147 */
69148 - kip->insns = module_alloc(PAGE_SIZE);
69149 + kip->insns = module_alloc_exec(PAGE_SIZE);
69150 if (!kip->insns) {
69151 kfree(kip);
69152 return NULL;
69153 @@ -220,7 +220,7 @@ static int __kprobes collect_one_slot(st
69154 */
69155 if (!list_is_singular(&kprobe_insn_pages)) {
69156 list_del(&kip->list);
69157 - module_free(NULL, kip->insns);
69158 + module_free_exec(NULL, kip->insns);
69159 kfree(kip);
69160 }
69161 return 1;
69162 @@ -1189,7 +1189,7 @@ static int __init init_kprobes(void)
69163 {
69164 int i, err = 0;
69165 unsigned long offset = 0, size = 0;
69166 - char *modname, namebuf[128];
69167 + char *modname, namebuf[KSYM_NAME_LEN];
69168 const char *symbol_name;
69169 void *addr;
69170 struct kprobe_blackpoint *kb;
69171 @@ -1304,7 +1304,7 @@ static int __kprobes show_kprobe_addr(st
69172 const char *sym = NULL;
69173 unsigned int i = *(loff_t *) v;
69174 unsigned long offset = 0;
69175 - char *modname, namebuf[128];
69176 + char *modname, namebuf[KSYM_NAME_LEN];
69177
69178 head = &kprobe_table[i];
69179 preempt_disable();
69180 diff -urNp linux-2.6.32.49/kernel/lockdep.c linux-2.6.32.49/kernel/lockdep.c
69181 --- linux-2.6.32.49/kernel/lockdep.c 2011-11-08 19:02:43.000000000 -0500
69182 +++ linux-2.6.32.49/kernel/lockdep.c 2011-11-15 19:59:43.000000000 -0500
69183 @@ -421,20 +421,20 @@ static struct stack_trace lockdep_init_t
69184 /*
69185 * Various lockdep statistics:
69186 */
69187 -atomic_t chain_lookup_hits;
69188 -atomic_t chain_lookup_misses;
69189 -atomic_t hardirqs_on_events;
69190 -atomic_t hardirqs_off_events;
69191 -atomic_t redundant_hardirqs_on;
69192 -atomic_t redundant_hardirqs_off;
69193 -atomic_t softirqs_on_events;
69194 -atomic_t softirqs_off_events;
69195 -atomic_t redundant_softirqs_on;
69196 -atomic_t redundant_softirqs_off;
69197 -atomic_t nr_unused_locks;
69198 -atomic_t nr_cyclic_checks;
69199 -atomic_t nr_find_usage_forwards_checks;
69200 -atomic_t nr_find_usage_backwards_checks;
69201 +atomic_unchecked_t chain_lookup_hits;
69202 +atomic_unchecked_t chain_lookup_misses;
69203 +atomic_unchecked_t hardirqs_on_events;
69204 +atomic_unchecked_t hardirqs_off_events;
69205 +atomic_unchecked_t redundant_hardirqs_on;
69206 +atomic_unchecked_t redundant_hardirqs_off;
69207 +atomic_unchecked_t softirqs_on_events;
69208 +atomic_unchecked_t softirqs_off_events;
69209 +atomic_unchecked_t redundant_softirqs_on;
69210 +atomic_unchecked_t redundant_softirqs_off;
69211 +atomic_unchecked_t nr_unused_locks;
69212 +atomic_unchecked_t nr_cyclic_checks;
69213 +atomic_unchecked_t nr_find_usage_forwards_checks;
69214 +atomic_unchecked_t nr_find_usage_backwards_checks;
69215 #endif
69216
69217 /*
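Review bot: The comment above these counters gives no reason for switching them to `atomic_unchecked_t`, so a reader cannot tell that opting out of the checked type is deliberate. I would extend it to something like `/* Various lockdep statistics: plain event counters, not reference counts, so wrap-around is harmless and the unchecked atomic type is used. */`. The same applies to the extern declarations and the `debug_atomic_*` macros in the kernel/lockdep_internals.h hunk. This reading of `atomic_unchecked_t` is inferred from its name, because its definition is not in view here.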
69218 @@ -577,6 +577,10 @@ static int static_obj(void *obj)
69219 int i;
69220 #endif
69221
69222 +#ifdef CONFIG_PAX_KERNEXEC
69223 + start = ktla_ktva(start);
69224 +#endif
69225 +
69226 /*
69227 * static variable?
69228 */
69229 @@ -592,8 +596,7 @@ static int static_obj(void *obj)
69230 */
69231 for_each_possible_cpu(i) {
69232 start = (unsigned long) &__per_cpu_start + per_cpu_offset(i);
69233 - end = (unsigned long) &__per_cpu_start + PERCPU_ENOUGH_ROOM
69234 - + per_cpu_offset(i);
69235 + end = start + PERCPU_ENOUGH_ROOM;
69236
69237 if ((addr >= start) && (addr < end))
69238 return 1;
69239 @@ -710,6 +713,7 @@ register_lock_class(struct lockdep_map *
69240 if (!static_obj(lock->key)) {
69241 debug_locks_off();
69242 printk("INFO: trying to register non-static key.\n");
69243 + printk("lock:%pS key:%pS.\n", lock, lock->key);
69244 printk("the code is fine but needs lockdep annotation.\n");
69245 printk("turning off the locking correctness validator.\n");
69246 dump_stack();
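Review bot: The added `printk("lock:%pS key:%pS.\n", lock, lock->key);` runs only after `static_obj(lock->key)` has failed, so the key is not a static object and `%pS` will most likely find no symbol and print the raw pointer value. That puts a heap or stack kernel address into the log on a kernel that elsewhere (CONFIG_GRKERNSEC_HIDESYM) tries to keep addresses private, unless the format handler is restricted in a part of the patch not shown here. Consider wrapping the line in `#ifndef CONFIG_GRKERNSEC_HIDESYM`. It should also get an explicit log level.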
69247 @@ -2751,7 +2755,7 @@ static int __lock_acquire(struct lockdep
69248 if (!class)
69249 return 0;
69250 }
69251 - debug_atomic_inc((atomic_t *)&class->ops);
69252 + debug_atomic_inc((atomic_unchecked_t *)&class->ops);
69253 if (very_verbose(class)) {
69254 printk("\nacquire class [%p] %s", class->key, class->name);
69255 if (class->name_version > 1)
69256 diff -urNp linux-2.6.32.49/kernel/lockdep_internals.h linux-2.6.32.49/kernel/lockdep_internals.h
69257 --- linux-2.6.32.49/kernel/lockdep_internals.h 2011-11-08 19:02:43.000000000 -0500
69258 +++ linux-2.6.32.49/kernel/lockdep_internals.h 2011-11-15 19:59:43.000000000 -0500
69259 @@ -113,26 +113,26 @@ lockdep_count_backward_deps(struct lock_
69260 /*
69261 * Various lockdep statistics:
69262 */
69263 -extern atomic_t chain_lookup_hits;
69264 -extern atomic_t chain_lookup_misses;
69265 -extern atomic_t hardirqs_on_events;
69266 -extern atomic_t hardirqs_off_events;
69267 -extern atomic_t redundant_hardirqs_on;
69268 -extern atomic_t redundant_hardirqs_off;
69269 -extern atomic_t softirqs_on_events;
69270 -extern atomic_t softirqs_off_events;
69271 -extern atomic_t redundant_softirqs_on;
69272 -extern atomic_t redundant_softirqs_off;
69273 -extern atomic_t nr_unused_locks;
69274 -extern atomic_t nr_cyclic_checks;
69275 -extern atomic_t nr_cyclic_check_recursions;
69276 -extern atomic_t nr_find_usage_forwards_checks;
69277 -extern atomic_t nr_find_usage_forwards_recursions;
69278 -extern atomic_t nr_find_usage_backwards_checks;
69279 -extern atomic_t nr_find_usage_backwards_recursions;
69280 -# define debug_atomic_inc(ptr) atomic_inc(ptr)
69281 -# define debug_atomic_dec(ptr) atomic_dec(ptr)
69282 -# define debug_atomic_read(ptr) atomic_read(ptr)
69283 +extern atomic_unchecked_t chain_lookup_hits;
69284 +extern atomic_unchecked_t chain_lookup_misses;
69285 +extern atomic_unchecked_t hardirqs_on_events;
69286 +extern atomic_unchecked_t hardirqs_off_events;
69287 +extern atomic_unchecked_t redundant_hardirqs_on;
69288 +extern atomic_unchecked_t redundant_hardirqs_off;
69289 +extern atomic_unchecked_t softirqs_on_events;
69290 +extern atomic_unchecked_t softirqs_off_events;
69291 +extern atomic_unchecked_t redundant_softirqs_on;
69292 +extern atomic_unchecked_t redundant_softirqs_off;
69293 +extern atomic_unchecked_t nr_unused_locks;
69294 +extern atomic_unchecked_t nr_cyclic_checks;
69295 +extern atomic_unchecked_t nr_cyclic_check_recursions;
69296 +extern atomic_unchecked_t nr_find_usage_forwards_checks;
69297 +extern atomic_unchecked_t nr_find_usage_forwards_recursions;
69298 +extern atomic_unchecked_t nr_find_usage_backwards_checks;
69299 +extern atomic_unchecked_t nr_find_usage_backwards_recursions;
69300 +# define debug_atomic_inc(ptr) atomic_inc_unchecked(ptr)
69301 +# define debug_atomic_dec(ptr) atomic_dec_unchecked(ptr)
69302 +# define debug_atomic_read(ptr) atomic_read_unchecked(ptr)
69303 #else
69304 # define debug_atomic_inc(ptr) do { } while (0)
69305 # define debug_atomic_dec(ptr) do { } while (0)
69306 diff -urNp linux-2.6.32.49/kernel/lockdep_proc.c linux-2.6.32.49/kernel/lockdep_proc.c
69307 --- linux-2.6.32.49/kernel/lockdep_proc.c 2011-11-08 19:02:43.000000000 -0500
69308 +++ linux-2.6.32.49/kernel/lockdep_proc.c 2011-11-15 19:59:43.000000000 -0500
69309 @@ -39,7 +39,7 @@ static void l_stop(struct seq_file *m, v
69310
69311 static void print_name(struct seq_file *m, struct lock_class *class)
69312 {
69313 - char str[128];
69314 + char str[KSYM_NAME_LEN];
69315 const char *name = class->name;
69316
69317 if (!name) {
69318 diff -urNp linux-2.6.32.49/kernel/module.c linux-2.6.32.49/kernel/module.c
69319 --- linux-2.6.32.49/kernel/module.c 2011-11-08 19:02:43.000000000 -0500
69320 +++ linux-2.6.32.49/kernel/module.c 2011-11-15 19:59:43.000000000 -0500
69321 @@ -55,6 +55,7 @@
69322 #include <linux/async.h>
69323 #include <linux/percpu.h>
69324 #include <linux/kmemleak.h>
69325 +#include <linux/grsecurity.h>
69326
69327 #define CREATE_TRACE_POINTS
69328 #include <trace/events/module.h>
69329 @@ -89,7 +90,8 @@ static DECLARE_WAIT_QUEUE_HEAD(module_wq
69330 static BLOCKING_NOTIFIER_HEAD(module_notify_list);
69331
69332 /* Bounds of module allocation, for speeding __module_address */
69333 -static unsigned long module_addr_min = -1UL, module_addr_max = 0;
69334 +static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
69335 +static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
69336
69337 int register_module_notifier(struct notifier_block * nb)
69338 {
69339 @@ -245,7 +247,7 @@ bool each_symbol(bool (*fn)(const struct
69340 return true;
69341
69342 list_for_each_entry_rcu(mod, &modules, list) {
69343 - struct symsearch arr[] = {
69344 + struct symsearch modarr[] = {
69345 { mod->syms, mod->syms + mod->num_syms, mod->crcs,
69346 NOT_GPL_ONLY, false },
69347 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
69348 @@ -267,7 +269,7 @@ bool each_symbol(bool (*fn)(const struct
69349 #endif
69350 };
69351
69352 - if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
69353 + if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
69354 return true;
69355 }
69356 return false;
69357 @@ -442,7 +444,7 @@ static void *percpu_modalloc(unsigned lo
69358 void *ptr;
69359 int cpu;
69360
69361 - if (align > PAGE_SIZE) {
69362 + if (align-1 >= PAGE_SIZE) {
69363 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
69364 name, align, PAGE_SIZE);
69365 align = PAGE_SIZE;
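Review bot: `align-1 >= PAGE_SIZE` also catches `align == 0` through unsigned wrap-around (assuming `align` is the unsigned long parameter that the truncated signature suggests), but the warning below still prints "per-cpu alignment %li > %li", which is wrong for 0. Spelling the test out as `if (align == 0 || align > PAGE_SIZE) {` makes the intent readable without a comment. The message could then say the alignment is invalid rather than too large. The function body continues outside the hunk.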
69366 @@ -1158,7 +1160,7 @@ static const struct kernel_symbol *resol
69367 * /sys/module/foo/sections stuff
69368 * J. Corbet <corbet@lwn.net>
69369 */
69370 -#if defined(CONFIG_KALLSYMS) && defined(CONFIG_SYSFS)
69371 +#if defined(CONFIG_KALLSYMS) && defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
69372
69373 static inline bool sect_empty(const Elf_Shdr *sect)
69374 {
69375 @@ -1545,7 +1547,8 @@ static void free_module(struct module *m
69376 destroy_params(mod->kp, mod->num_kp);
69377
69378 /* This may be NULL, but that's OK */
69379 - module_free(mod, mod->module_init);
69380 + module_free(mod, mod->module_init_rw);
69381 + module_free_exec(mod, mod->module_init_rx);
69382 kfree(mod->args);
69383 if (mod->percpu)
69384 percpu_modfree(mod->percpu);
69385 @@ -1554,10 +1557,12 @@ static void free_module(struct module *m
69386 percpu_modfree(mod->refptr);
69387 #endif
69388 /* Free lock-classes: */
69389 - lockdep_free_key_range(mod->module_core, mod->core_size);
69390 + lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
69391 + lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
69392
69393 /* Finally, free the core (containing the module structure) */
69394 - module_free(mod, mod->module_core);
69395 + module_free_exec(mod, mod->module_core_rx);
69396 + module_free(mod, mod->module_core_rw);
69397
69398 #ifdef CONFIG_MPU
69399 update_protections(current->mm);
69400 @@ -1628,8 +1633,32 @@ static int simplify_symbols(Elf_Shdr *se
69401 unsigned int i, n = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
69402 int ret = 0;
69403 const struct kernel_symbol *ksym;
69404 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
69405 + int is_fs_load = 0;
69406 + int register_filesystem_found = 0;
69407 + char *p;
69408 +
69409 + p = strstr(mod->args, "grsec_modharden_fs");
69410 +
69411 + if (p) {
69412 + char *endptr = p + strlen("grsec_modharden_fs");
69413 + /* copy \0 as well */
69414 + memmove(p, endptr, strlen(mod->args) - (unsigned int)(endptr - mod->args) + 1);
69415 + is_fs_load = 1;
69416 + }
69417 +#endif
69418 +
69419
69420 for (i = 1; i < n; i++) {
69421 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
69422 + const char *name = strtab + sym[i].st_name;
69423 +
69424 + /* it's a real shame this will never get ripped and copied
69425 + upstream! ;(
69426 + */
69427 + if (is_fs_load && !strcmp(name, "register_filesystem"))
69428 + register_filesystem_found = 1;
69429 +#endif
69430 switch (sym[i].st_shndx) {
69431 case SHN_COMMON:
69432 /* We compiled with -fno-common. These are not
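Review bot: `strstr(mod->args, "grsec_modharden_fs")` matches the marker anywhere in the argument string, so a legitimate parameter value that happens to contain that text would be cut out of `mod->args` and the module would be held to the filesystem-only rule. Accepting the marker only as a whole whitespace-delimited token would avoid that. The tail copy can be written more directly as `memmove(p, endptr, strlen(endptr) + 1);`. The comment above the `register_filesystem` test should say what the check enforces rather than carry the current remark. The body of simplify_symbols continues past this hunk.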
69433 @@ -1651,7 +1680,9 @@ static int simplify_symbols(Elf_Shdr *se
69434 strtab + sym[i].st_name, mod);
69435 /* Ok if resolved. */
69436 if (ksym) {
69437 + pax_open_kernel();
69438 sym[i].st_value = ksym->value;
69439 + pax_close_kernel();
69440 break;
69441 }
69442
69443 @@ -1670,11 +1701,20 @@ static int simplify_symbols(Elf_Shdr *se
69444 secbase = (unsigned long)mod->percpu;
69445 else
69446 secbase = sechdrs[sym[i].st_shndx].sh_addr;
69447 + pax_open_kernel();
69448 sym[i].st_value += secbase;
69449 + pax_close_kernel();
69450 break;
69451 }
69452 }
69453
69454 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
69455 + if (is_fs_load && !register_filesystem_found) {
69456 + printk(KERN_ALERT "grsec: Denied attempt to load non-fs module %.64s through mount\n", mod->name);
69457 + ret = -EPERM;
69458 + }
69459 +#endif
69460 +
69461 return ret;
69462 }
69463
69464 @@ -1731,11 +1771,12 @@ static void layout_sections(struct modul
69465 || s->sh_entsize != ~0UL
69466 || strstarts(secstrings + s->sh_name, ".init"))
69467 continue;
69468 - s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
69469 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
69470 + s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
69471 + else
69472 + s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
69473 DEBUGP("\t%s\n", secstrings + s->sh_name);
69474 }
69475 - if (m == 0)
69476 - mod->core_text_size = mod->core_size;
69477 }
69478
69479 DEBUGP("Init section allocation order:\n");
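Review bot: The rw/rx test `(s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC)` is written out here, again in the init loop of the next hunk, and twice more in the section-copy loop of load_module. Region sizes are accumulated with one copy of the test and copy destinations are chosen with another, so if they ever drift apart a section would be copied into a region that was not sized for it. A single helper keeps them in step: `static inline bool sect_is_rw(const Elf_Shdr *s) { return (s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC); }`. layout_sections starts outside this hunk.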
69480 @@ -1748,12 +1789,13 @@ static void layout_sections(struct modul
69481 || s->sh_entsize != ~0UL
69482 || !strstarts(secstrings + s->sh_name, ".init"))
69483 continue;
69484 - s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
69485 - | INIT_OFFSET_MASK);
69486 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
69487 + s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
69488 + else
69489 + s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
69490 + s->sh_entsize |= INIT_OFFSET_MASK;
69491 DEBUGP("\t%s\n", secstrings + s->sh_name);
69492 }
69493 - if (m == 0)
69494 - mod->init_text_size = mod->init_size;
69495 }
69496 }
69497
69498 @@ -1857,9 +1899,8 @@ static int is_exported(const char *name,
69499
69500 /* As per nm */
69501 static char elf_type(const Elf_Sym *sym,
69502 - Elf_Shdr *sechdrs,
69503 - const char *secstrings,
69504 - struct module *mod)
69505 + const Elf_Shdr *sechdrs,
69506 + const char *secstrings)
69507 {
69508 if (ELF_ST_BIND(sym->st_info) == STB_WEAK) {
69509 if (ELF_ST_TYPE(sym->st_info) == STT_OBJECT)
69510 @@ -1934,7 +1975,7 @@ static unsigned long layout_symtab(struc
69511
69512 /* Put symbol section at end of init part of module. */
69513 symsect->sh_flags |= SHF_ALLOC;
69514 - symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
69515 + symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
69516 symindex) | INIT_OFFSET_MASK;
69517 DEBUGP("\t%s\n", secstrings + symsect->sh_name);
69518
69519 @@ -1951,19 +1992,19 @@ static unsigned long layout_symtab(struc
69520 }
69521
69522 /* Append room for core symbols at end of core part. */
69523 - symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
69524 - mod->core_size = symoffs + ndst * sizeof(Elf_Sym);
69525 + symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
69526 + mod->core_size_rx = symoffs + ndst * sizeof(Elf_Sym);
69527
69528 /* Put string table section at end of init part of module. */
69529 strsect->sh_flags |= SHF_ALLOC;
69530 - strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
69531 + strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
69532 strindex) | INIT_OFFSET_MASK;
69533 DEBUGP("\t%s\n", secstrings + strsect->sh_name);
69534
69535 /* Append room for core symbols' strings at end of core part. */
69536 - *pstroffs = mod->core_size;
69537 + *pstroffs = mod->core_size_rx;
69538 __set_bit(0, strmap);
69539 - mod->core_size += bitmap_weight(strmap, strsect->sh_size);
69540 + mod->core_size_rx += bitmap_weight(strmap, strsect->sh_size);
69541
69542 return symoffs;
69543 }
69544 @@ -1987,12 +2028,14 @@ static void add_kallsyms(struct module *
69545 mod->num_symtab = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
69546 mod->strtab = (void *)sechdrs[strindex].sh_addr;
69547
69548 + pax_open_kernel();
69549 +
69550 /* Set types up while we still have access to sections. */
69551 for (i = 0; i < mod->num_symtab; i++)
69552 mod->symtab[i].st_info
69553 - = elf_type(&mod->symtab[i], sechdrs, secstrings, mod);
69554 + = elf_type(&mod->symtab[i], sechdrs, secstrings);
69555
69556 - mod->core_symtab = dst = mod->module_core + symoffs;
69557 + mod->core_symtab = dst = mod->module_core_rx + symoffs;
69558 src = mod->symtab;
69559 *dst = *src;
69560 for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
69561 @@ -2004,10 +2047,12 @@ static void add_kallsyms(struct module *
69562 }
69563 mod->core_num_syms = ndst;
69564
69565 - mod->core_strtab = s = mod->module_core + stroffs;
69566 + mod->core_strtab = s = mod->module_core_rx + stroffs;
69567 for (*s = 0, i = 1; i < sechdrs[strindex].sh_size; ++i)
69568 if (test_bit(i, strmap))
69569 *++s = mod->strtab[i];
69570 +
69571 + pax_close_kernel();
69572 }
69573 #else
69574 static inline unsigned long layout_symtab(struct module *mod,
69575 @@ -2044,16 +2089,30 @@ static void dynamic_debug_setup(struct _
69576 #endif
69577 }
69578
69579 -static void *module_alloc_update_bounds(unsigned long size)
69580 +static void *module_alloc_update_bounds_rw(unsigned long size)
69581 {
69582 void *ret = module_alloc(size);
69583
69584 if (ret) {
69585 /* Update module bounds. */
69586 - if ((unsigned long)ret < module_addr_min)
69587 - module_addr_min = (unsigned long)ret;
69588 - if ((unsigned long)ret + size > module_addr_max)
69589 - module_addr_max = (unsigned long)ret + size;
69590 + if ((unsigned long)ret < module_addr_min_rw)
69591 + module_addr_min_rw = (unsigned long)ret;
69592 + if ((unsigned long)ret + size > module_addr_max_rw)
69593 + module_addr_max_rw = (unsigned long)ret + size;
69594 + }
69595 + return ret;
69596 +}
69597 +
69598 +static void *module_alloc_update_bounds_rx(unsigned long size)
69599 +{
69600 + void *ret = module_alloc_exec(size);
69601 +
69602 + if (ret) {
69603 + /* Update module bounds. */
69604 + if ((unsigned long)ret < module_addr_min_rx)
69605 + module_addr_min_rx = (unsigned long)ret;
69606 + if ((unsigned long)ret + size > module_addr_max_rx)
69607 + module_addr_max_rx = (unsigned long)ret + size;
69608 }
69609 return ret;
69610 }
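Review bot: `module_alloc_update_bounds_rw` and `module_alloc_update_bounds_rx` are line-for-line copies that differ only in the allocator and in which min/max pair they widen. Factoring the window update into one helper that takes pointers to the pair removes the duplication and leaves each wrapper with a single allocator call. Behaviour is unchanged.

```c
/* Widen a [min, max) address window so that it covers a new allocation. */
static void module_update_bounds(void *ret, unsigned long size,
				 unsigned long *min, unsigned long *max)
{
	if ((unsigned long)ret < *min)
		*min = (unsigned long)ret;
	if ((unsigned long)ret + size > *max)
		*max = (unsigned long)ret + size;
}

static void *module_alloc_update_bounds_rx(unsigned long size)
{
	void *ret = module_alloc_exec(size);

	if (ret)
		module_update_bounds(ret, size, &module_addr_min_rx,
				     &module_addr_max_rx);
	return ret;
}
/* … module_alloc_update_bounds_rw: same shape, module_alloc() and the _rw pair … */
```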
69611 @@ -2065,8 +2124,8 @@ static void kmemleak_load_module(struct
69612 unsigned int i;
69613
69614 /* only scan the sections containing data */
69615 - kmemleak_scan_area(mod->module_core, (unsigned long)mod -
69616 - (unsigned long)mod->module_core,
69617 + kmemleak_scan_area(mod->module_core_rw, (unsigned long)mod -
69618 + (unsigned long)mod->module_core_rw,
69619 sizeof(struct module), GFP_KERNEL);
69620
69621 for (i = 1; i < hdr->e_shnum; i++) {
69622 @@ -2076,8 +2135,8 @@ static void kmemleak_load_module(struct
69623 && strncmp(secstrings + sechdrs[i].sh_name, ".bss", 4) != 0)
69624 continue;
69625
69626 - kmemleak_scan_area(mod->module_core, sechdrs[i].sh_addr -
69627 - (unsigned long)mod->module_core,
69628 + kmemleak_scan_area(mod->module_core_rw, sechdrs[i].sh_addr -
69629 + (unsigned long)mod->module_core_rw,
69630 sechdrs[i].sh_size, GFP_KERNEL);
69631 }
69632 }
69633 @@ -2263,7 +2322,7 @@ static noinline struct module *load_modu
69634 secstrings, &stroffs, strmap);
69635
69636 /* Do the allocs. */
69637 - ptr = module_alloc_update_bounds(mod->core_size);
69638 + ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
69639 /*
69640 * The pointer to this block is stored in the module structure
69641 * which is inside the block. Just mark it as not being a
69642 @@ -2274,23 +2333,47 @@ static noinline struct module *load_modu
69643 err = -ENOMEM;
69644 goto free_percpu;
69645 }
69646 - memset(ptr, 0, mod->core_size);
69647 - mod->module_core = ptr;
69648 + memset(ptr, 0, mod->core_size_rw);
69649 + mod->module_core_rw = ptr;
69650
69651 - ptr = module_alloc_update_bounds(mod->init_size);
69652 + ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
69653 /*
69654 * The pointer to this block is stored in the module structure
69655 * which is inside the block. This block doesn't need to be
69656 * scanned as it contains data and code that will be freed
69657 * after the module is initialized.
69658 */
69659 - kmemleak_ignore(ptr);
69660 - if (!ptr && mod->init_size) {
69661 + kmemleak_not_leak(ptr);
69662 + if (!ptr && mod->init_size_rw) {
69663 + err = -ENOMEM;
69664 + goto free_core_rw;
69665 + }
69666 + memset(ptr, 0, mod->init_size_rw);
69667 + mod->module_init_rw = ptr;
69668 +
69669 + ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
69670 + kmemleak_not_leak(ptr);
69671 + if (!ptr) {
69672 err = -ENOMEM;
69673 - goto free_core;
69674 + goto free_init_rw;
69675 }
69676 - memset(ptr, 0, mod->init_size);
69677 - mod->module_init = ptr;
69678 +
69679 + pax_open_kernel();
69680 + memset(ptr, 0, mod->core_size_rx);
69681 + pax_close_kernel();
69682 + mod->module_core_rx = ptr;
69683 +
69684 + ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
69685 + kmemleak_not_leak(ptr);
69686 + if (!ptr && mod->init_size_rx) {
69687 + err = -ENOMEM;
69688 + goto free_core_rx;
69689 + }
69690 +
69691 + pax_open_kernel();
69692 + memset(ptr, 0, mod->init_size_rx);
69693 + pax_close_kernel();
69694 + mod->module_init_rx = ptr;
69695
69696 /* Transfer each section which specifies SHF_ALLOC */
69697 DEBUGP("final section addresses:\n");
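Review bot: The retained comment says the init block "doesn't need to be scanned", but the call under it changed from `kmemleak_ignore(ptr)` to `kmemleak_not_leak(ptr)`, which as far as I know only suppresses the leak report and leaves the block in the scan set. Either the comment or the call should be updated so that they agree, and the two new `_rx` allocations deserve a one-line comment of their own. The core rx allocation also fails on `!ptr` unconditionally, while the two init allocations test the size as well. If that asymmetry is intended (the core rx part always receives the symbol table, judging by layout_symtab), a comment should say so.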
69698 @@ -2300,17 +2383,45 @@ static noinline struct module *load_modu
69699 if (!(sechdrs[i].sh_flags & SHF_ALLOC))
69700 continue;
69701
69702 - if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK)
69703 - dest = mod->module_init
69704 - + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
69705 - else
69706 - dest = mod->module_core + sechdrs[i].sh_entsize;
69707 + if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK) {
69708 + if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
69709 + dest = mod->module_init_rw
69710 + + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
69711 + else
69712 + dest = mod->module_init_rx
69713 + + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
69714 + } else {
69715 + if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
69716 + dest = mod->module_core_rw + sechdrs[i].sh_entsize;
69717 + else
69718 + dest = mod->module_core_rx + sechdrs[i].sh_entsize;
69719 + }
69720 +
69721 + if (sechdrs[i].sh_type != SHT_NOBITS) {
69722
69723 - if (sechdrs[i].sh_type != SHT_NOBITS)
69724 - memcpy(dest, (void *)sechdrs[i].sh_addr,
69725 - sechdrs[i].sh_size);
69726 +#ifdef CONFIG_PAX_KERNEXEC
69727 +#ifdef CONFIG_X86_64
69728 + if ((sechdrs[i].sh_flags & SHF_WRITE) && (sechdrs[i].sh_flags & SHF_EXECINSTR))
69729 + set_memory_x((unsigned long)dest, (sechdrs[i].sh_size + PAGE_SIZE) >> PAGE_SHIFT);
69730 +#endif
69731 + if (!(sechdrs[i].sh_flags & SHF_WRITE) && (sechdrs[i].sh_flags & SHF_ALLOC)) {
69732 + pax_open_kernel();
69733 + memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
69734 + pax_close_kernel();
69735 + } else
69736 +#endif
69737 +
69738 + memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
69739 + }
69740 /* Update sh_addr to point to copy in image. */
69741 - sechdrs[i].sh_addr = (unsigned long)dest;
69742 +
69743 +#ifdef CONFIG_PAX_KERNEXEC
69744 + if (sechdrs[i].sh_flags & SHF_EXECINSTR)
69745 + sechdrs[i].sh_addr = ktva_ktla((unsigned long)dest);
69746 + else
69747 +#endif
69748 +
69749 + sechdrs[i].sh_addr = (unsigned long)dest;
69750 DEBUGP("\t0x%lx %s\n", sechdrs[i].sh_addr, secstrings + sechdrs[i].sh_name);
69751 }
69752 /* Module has been moved. */
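Review bot: The `set_memory_x()` call for sections that are both SHF_WRITE and SHF_EXECINSTR passes `dest` unaligned with a page count of `(sh_size + PAGE_SIZE) >> PAGE_SHIFT`, which undercounts when a section starts late in one page and ends in a third. That is presumably possible, since `dest` is only a section offset into module_core_rw or module_init_rw. Rounding explicitly covers every page the section touches: `set_memory_x((unsigned long)dest & PAGE_MASK, (((unsigned long)dest & ~PAGE_MASK) + sechdrs[i].sh_size + PAGE_SIZE - 1) >> PAGE_SHIFT);`. Such a section ends up both writable and executable, so a logged warning naming the module would be useful. Separately, `!(sechdrs[i].sh_flags & SHF_ALLOC)` is always false in this loop, because non-ALLOC sections `continue` at the top.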
69753 @@ -2322,7 +2433,7 @@ static noinline struct module *load_modu
69754 mod->name);
69755 if (!mod->refptr) {
69756 err = -ENOMEM;
69757 - goto free_init;
69758 + goto free_init_rx;
69759 }
69760 #endif
69761 /* Now we've moved module, initialize linked lists, etc. */
69762 @@ -2351,6 +2462,31 @@ static noinline struct module *load_modu
69763 /* Set up MODINFO_ATTR fields */
69764 setup_modinfo(mod, sechdrs, infoindex);
69765
69766 + mod->args = args;
69767 +
69768 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
69769 + {
69770 + char *p, *p2;
69771 +
69772 + if (strstr(mod->args, "grsec_modharden_netdev")) {
69773 + printk(KERN_ALERT "grsec: denied auto-loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%.64s instead.", mod->name);
69774 + err = -EPERM;
69775 + goto cleanup;
69776 + } else if ((p = strstr(mod->args, "grsec_modharden_normal"))) {
69777 + p += strlen("grsec_modharden_normal");
69778 + p2 = strstr(p, "_");
69779 + if (p2) {
69780 + *p2 = '\0';
69781 + printk(KERN_ALERT "grsec: denied kernel module auto-load of %.64s by uid %.9s\n", mod->name, p);
69782 + *p2 = '_';
69783 + }
69784 + err = -EPERM;
69785 + goto cleanup;
69786 + }
69787 + }
69788 +#endif
69789 +
69790 +
69791 /* Fix up syms, so that st_value is a pointer to location. */
69792 err = simplify_symbols(sechdrs, symindex, strtab, versindex, pcpuindex,
69793 mod);
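Review bot: The KERN_ALERT message for `grsec_modharden_netdev` has no trailing `\n`, unlike the `grsec_modharden_normal` message below it, so the next printk may be appended to the same log line; the format should end with `instead.\n`. In the second branch nothing is logged when no `_` follows the marker, although the load is still refused with -EPERM, so an unconditional message would keep the audit trail complete. `strchr(p, '_')` is the more direct call for a single character.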
69794 @@ -2431,8 +2567,8 @@ static noinline struct module *load_modu
69795
69796 /* Now do relocations. */
69797 for (i = 1; i < hdr->e_shnum; i++) {
69798 - const char *strtab = (char *)sechdrs[strindex].sh_addr;
69799 unsigned int info = sechdrs[i].sh_info;
69800 + strtab = (char *)sechdrs[strindex].sh_addr;
69801
69802 /* Not a valid relocation section? */
69803 if (info >= hdr->e_shnum)
69804 @@ -2493,16 +2629,15 @@ static noinline struct module *load_modu
69805 * Do it before processing of module parameters, so the module
69806 * can provide parameter accessor functions of its own.
69807 */
69808 - if (mod->module_init)
69809 - flush_icache_range((unsigned long)mod->module_init,
69810 - (unsigned long)mod->module_init
69811 - + mod->init_size);
69812 - flush_icache_range((unsigned long)mod->module_core,
69813 - (unsigned long)mod->module_core + mod->core_size);
69814 + if (mod->module_init_rx)
69815 + flush_icache_range((unsigned long)mod->module_init_rx,
69816 + (unsigned long)mod->module_init_rx
69817 + + mod->init_size_rx);
69818 + flush_icache_range((unsigned long)mod->module_core_rx,
69819 + (unsigned long)mod->module_core_rx + mod->core_size_rx);
69820
69821 set_fs(old_fs);
69822
69823 - mod->args = args;
69824 if (section_addr(hdr, sechdrs, secstrings, "__obsparm"))
69825 printk(KERN_WARNING "%s: Ignoring obsolete parameters\n",
69826 mod->name);
69827 @@ -2546,12 +2681,16 @@ static noinline struct module *load_modu
69828 free_unload:
69829 module_unload_free(mod);
69830 #if defined(CONFIG_MODULE_UNLOAD) && defined(CONFIG_SMP)
69831 + free_init_rx:
69832 percpu_modfree(mod->refptr);
69833 - free_init:
69834 #endif
69835 - module_free(mod, mod->module_init);
69836 - free_core:
69837 - module_free(mod, mod->module_core);
69838 + module_free_exec(mod, mod->module_init_rx);
69839 + free_core_rx:
69840 + module_free_exec(mod, mod->module_core_rx);
69841 + free_init_rw:
69842 + module_free(mod, mod->module_init_rw);
69843 + free_core_rw:
69844 + module_free(mod, mod->module_core_rw);
69845 /* mod will be freed with core. Don't access it beyond this line! */
69846 free_percpu:
69847 if (percpu)
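Review bot: `free_init_rx:` now sits above `percpu_modfree(mod->refptr)`, whereas the old `free_init:` label sat below it. The only `goto free_init_rx` visible in this patch is the one taken when the `mod->refptr` allocation has just failed, so that path now calls `percpu_modfree()` with a NULL pointer. Whether that is tolerated depends on the per-cpu allocator in use, which is not shown here. Moving the label back under the `percpu_modfree(mod->refptr);` line restores the original unwind order.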
69848 @@ -2653,10 +2792,12 @@ SYSCALL_DEFINE3(init_module, void __user
69849 mod->symtab = mod->core_symtab;
69850 mod->strtab = mod->core_strtab;
69851 #endif
69852 - module_free(mod, mod->module_init);
69853 - mod->module_init = NULL;
69854 - mod->init_size = 0;
69855 - mod->init_text_size = 0;
69856 + module_free(mod, mod->module_init_rw);
69857 + module_free_exec(mod, mod->module_init_rx);
69858 + mod->module_init_rw = NULL;
69859 + mod->module_init_rx = NULL;
69860 + mod->init_size_rw = 0;
69861 + mod->init_size_rx = 0;
69862 mutex_unlock(&module_mutex);
69863
69864 return 0;
69865 @@ -2687,10 +2828,16 @@ static const char *get_ksymbol(struct mo
69866 unsigned long nextval;
69867
69868 /* At worse, next value is at end of module */
69869 - if (within_module_init(addr, mod))
69870 - nextval = (unsigned long)mod->module_init+mod->init_text_size;
69871 + if (within_module_init_rx(addr, mod))
69872 + nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
69873 + else if (within_module_init_rw(addr, mod))
69874 + nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
69875 + else if (within_module_core_rx(addr, mod))
69876 + nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
69877 + else if (within_module_core_rw(addr, mod))
69878 + nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
69879 else
69880 - nextval = (unsigned long)mod->module_core+mod->core_text_size;
69881 + return NULL;
69882
69883 /* Scan for closest preceeding symbol, and next symbol. (ELF
69884 starts real symbols at 1). */
69885 @@ -2936,7 +3083,7 @@ static int m_show(struct seq_file *m, vo
69886 char buf[8];
69887
69888 seq_printf(m, "%s %u",
69889 - mod->name, mod->init_size + mod->core_size);
69890 + mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
69891 print_unload_info(m, mod);
69892
69893 /* Informative for users. */
69894 @@ -2945,7 +3092,7 @@ static int m_show(struct seq_file *m, vo
69895 mod->state == MODULE_STATE_COMING ? "Loading":
69896 "Live");
69897 /* Used by oprofile and other similar tools. */
69898 - seq_printf(m, " 0x%p", mod->module_core);
69899 + seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
69900
69901 /* Taints info */
69902 if (mod->taints)
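Review bot: Printing two addresses with `" 0x%p 0x%p"` inserts a new column into each /proc/modules line ahead of the taint field, in a position the retained comment says is read by oprofile and similar tools. Parsers that split on position would presumably take the rw base for the following field. If both bases must be exported, the comment should document the new layout, e.g. `/* core rx base, then core rw base: one more column than mainline */`. The function continues outside the hunk.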
69903 @@ -2981,7 +3128,17 @@ static const struct file_operations proc
69904
69905 static int __init proc_modules_init(void)
69906 {
69907 +#ifndef CONFIG_GRKERNSEC_HIDESYM
69908 +#ifdef CONFIG_GRKERNSEC_PROC_USER
69909 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
69910 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
69911 + proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
69912 +#else
69913 proc_create("modules", 0, NULL, &proc_modules_operations);
69914 +#endif
69915 +#else
69916 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
69917 +#endif
69918 return 0;
69919 }
69920 module_init(proc_modules_init);
69921 @@ -3040,12 +3197,12 @@ struct module *__module_address(unsigned
69922 {
69923 struct module *mod;
69924
69925 - if (addr < module_addr_min || addr > module_addr_max)
69926 + if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
69927 + (addr < module_addr_min_rw || addr > module_addr_max_rw))
69928 return NULL;
69929
69930 list_for_each_entry_rcu(mod, &modules, list)
69931 - if (within_module_core(addr, mod)
69932 - || within_module_init(addr, mod))
69933 + if (within_module_init(addr, mod) || within_module_core(addr, mod))
69934 return mod;
69935 return NULL;
69936 }
69937 @@ -3079,11 +3236,20 @@ bool is_module_text_address(unsigned lon
69938 */
69939 struct module *__module_text_address(unsigned long addr)
69940 {
69941 - struct module *mod = __module_address(addr);
69942 + struct module *mod;
69943 +
69944 +#ifdef CONFIG_X86_32
69945 + addr = ktla_ktva(addr);
69946 +#endif
69947 +
69948 + if (addr < module_addr_min_rx || addr > module_addr_max_rx)
69949 + return NULL;
69950 +
69951 + mod = __module_address(addr);
69952 +
69953 if (mod) {
69954 /* Make sure it's within the text section. */
69955 - if (!within(addr, mod->module_init, mod->init_text_size)
69956 - && !within(addr, mod->module_core, mod->core_text_size))
69957 + if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
69958 mod = NULL;
69959 }
69960 return mod;
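Review bot: The `ktla_ktva(addr)` translation is guarded by `CONFIG_X86_32` here but by `CONFIG_PAX_KERNEXEC` in the static_obj hunk of kernel/lockdep.c, and neither place says why the address is rewritten. If the macro is an identity without KERNEXEC the result is the same, but the mismatch reads like an oversight. I would use one guard in both places and add a short comment on the translation, with wording confirmed against the macro's definition. The explicit `module_addr_min_rx`/`module_addr_max_rx` test is followed by `__module_address()`, which repeats a range check, so one of the two could be dropped.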
69961 diff -urNp linux-2.6.32.49/kernel/mutex.c linux-2.6.32.49/kernel/mutex.c
69962 --- linux-2.6.32.49/kernel/mutex.c 2011-11-08 19:02:43.000000000 -0500
69963 +++ linux-2.6.32.49/kernel/mutex.c 2011-11-15 19:59:43.000000000 -0500
69964 @@ -169,7 +169,7 @@ __mutex_lock_common(struct mutex *lock,
69965 */
69966
69967 for (;;) {
69968 - struct thread_info *owner;
69969 + struct task_struct *owner;
69970
69971 /*
69972 * If we own the BKL, then don't spin. The owner of
69973 @@ -214,7 +214,7 @@ __mutex_lock_common(struct mutex *lock,
69974 spin_lock_mutex(&lock->wait_lock, flags);
69975
69976 debug_mutex_lock_common(lock, &waiter);
69977 - debug_mutex_add_waiter(lock, &waiter, task_thread_info(task));
69978 + debug_mutex_add_waiter(lock, &waiter, task);
69979
69980 /* add waiting tasks to the end of the waitqueue (FIFO): */
69981 list_add_tail(&waiter.list, &lock->wait_list);
69982 @@ -243,8 +243,7 @@ __mutex_lock_common(struct mutex *lock,
69983 * TASK_UNINTERRUPTIBLE case.)
69984 */
69985 if (unlikely(signal_pending_state(state, task))) {
69986 - mutex_remove_waiter(lock, &waiter,
69987 - task_thread_info(task));
69988 + mutex_remove_waiter(lock, &waiter, task);
69989 mutex_release(&lock->dep_map, 1, ip);
69990 spin_unlock_mutex(&lock->wait_lock, flags);
69991
69992 @@ -265,7 +264,7 @@ __mutex_lock_common(struct mutex *lock,
69993 done:
69994 lock_acquired(&lock->dep_map, ip);
69995 /* got the lock - rejoice! */
69996 - mutex_remove_waiter(lock, &waiter, current_thread_info());
69997 + mutex_remove_waiter(lock, &waiter, task);
69998 mutex_set_owner(lock);
69999
70000 /* set it to 0 if there are no waiters left: */
70001 diff -urNp linux-2.6.32.49/kernel/mutex-debug.c linux-2.6.32.49/kernel/mutex-debug.c
70002 --- linux-2.6.32.49/kernel/mutex-debug.c 2011-11-08 19:02:43.000000000 -0500
70003 +++ linux-2.6.32.49/kernel/mutex-debug.c 2011-11-15 19:59:43.000000000 -0500
70004 @@ -49,21 +49,21 @@ void debug_mutex_free_waiter(struct mute
70005 }
70006
70007 void debug_mutex_add_waiter(struct mutex *lock, struct mutex_waiter *waiter,
70008 - struct thread_info *ti)
70009 + struct task_struct *task)
70010 {
70011 SMP_DEBUG_LOCKS_WARN_ON(!spin_is_locked(&lock->wait_lock));
70012
70013 /* Mark the current thread as blocked on the lock: */
70014 - ti->task->blocked_on = waiter;
70015 + task->blocked_on = waiter;
70016 }
70017
70018 void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
70019 - struct thread_info *ti)
70020 + struct task_struct *task)
70021 {
70022 DEBUG_LOCKS_WARN_ON(list_empty(&waiter->list));
70023 - DEBUG_LOCKS_WARN_ON(waiter->task != ti->task);
70024 - DEBUG_LOCKS_WARN_ON(ti->task->blocked_on != waiter);
70025 - ti->task->blocked_on = NULL;
70026 + DEBUG_LOCKS_WARN_ON(waiter->task != task);
70027 + DEBUG_LOCKS_WARN_ON(task->blocked_on != waiter);
70028 + task->blocked_on = NULL;
70029
70030 list_del_init(&waiter->list);
70031 waiter->task = NULL;
70032 @@ -75,7 +75,7 @@ void debug_mutex_unlock(struct mutex *lo
70033 return;
70034
70035 DEBUG_LOCKS_WARN_ON(lock->magic != lock);
70036 - DEBUG_LOCKS_WARN_ON(lock->owner != current_thread_info());
70037 + DEBUG_LOCKS_WARN_ON(lock->owner != current);
70038 DEBUG_LOCKS_WARN_ON(!lock->wait_list.prev && !lock->wait_list.next);
70039 mutex_clear_owner(lock);
70040 }
70041 diff -urNp linux-2.6.32.49/kernel/mutex-debug.h linux-2.6.32.49/kernel/mutex-debug.h
70042 --- linux-2.6.32.49/kernel/mutex-debug.h 2011-11-08 19:02:43.000000000 -0500
70043 +++ linux-2.6.32.49/kernel/mutex-debug.h 2011-11-15 19:59:43.000000000 -0500
70044 @@ -20,16 +20,16 @@ extern void debug_mutex_wake_waiter(stru
70045 extern void debug_mutex_free_waiter(struct mutex_waiter *waiter);
70046 extern void debug_mutex_add_waiter(struct mutex *lock,
70047 struct mutex_waiter *waiter,
70048 - struct thread_info *ti);
70049 + struct task_struct *task);
70050 extern void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
70051 - struct thread_info *ti);
70052 + struct task_struct *task);
70053 extern void debug_mutex_unlock(struct mutex *lock);
70054 extern void debug_mutex_init(struct mutex *lock, const char *name,
70055 struct lock_class_key *key);
70056
70057 static inline void mutex_set_owner(struct mutex *lock)
70058 {
70059 - lock->owner = current_thread_info();
70060 + lock->owner = current;
70061 }
70062
70063 static inline void mutex_clear_owner(struct mutex *lock)
70064 diff -urNp linux-2.6.32.49/kernel/mutex.h linux-2.6.32.49/kernel/mutex.h
70065 --- linux-2.6.32.49/kernel/mutex.h 2011-11-08 19:02:43.000000000 -0500
70066 +++ linux-2.6.32.49/kernel/mutex.h 2011-11-15 19:59:43.000000000 -0500
70067 @@ -19,7 +19,7 @@
70068 #ifdef CONFIG_SMP
70069 static inline void mutex_set_owner(struct mutex *lock)
70070 {
70071 - lock->owner = current_thread_info();
70072 + lock->owner = current;
70073 }
70074
70075 static inline void mutex_clear_owner(struct mutex *lock)
70076 diff -urNp linux-2.6.32.49/kernel/panic.c linux-2.6.32.49/kernel/panic.c
70077 --- linux-2.6.32.49/kernel/panic.c 2011-11-08 19:02:43.000000000 -0500
70078 +++ linux-2.6.32.49/kernel/panic.c 2011-11-15 19:59:43.000000000 -0500
70079 @@ -352,7 +352,7 @@ static void warn_slowpath_common(const c
70080 const char *board;
70081
70082 printk(KERN_WARNING "------------[ cut here ]------------\n");
70083 - printk(KERN_WARNING "WARNING: at %s:%d %pS()\n", file, line, caller);
70084 + printk(KERN_WARNING "WARNING: at %s:%d %pA()\n", file, line, caller);
70085 board = dmi_get_system_info(DMI_PRODUCT_NAME);
70086 if (board)
70087 printk(KERN_WARNING "Hardware name: %s\n", board);
70088 @@ -392,7 +392,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
70089 */
70090 void __stack_chk_fail(void)
70091 {
70092 - panic("stack-protector: Kernel stack is corrupted in: %p\n",
70093 + dump_stack();
70094 + panic("stack-protector: Kernel stack is corrupted in: %pA\n",
70095 __builtin_return_address(0));
70096 }
70097 EXPORT_SYMBOL(__stack_chk_fail);
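Review bot: `dump_stack()` is called on a stack that the canary check has just reported as corrupted, so the trace it prints is best-effort and can be misleading, and nothing in `__stack_chk_fail()` says so. A short comment would set expectations for whoever reads the resulting log: `/* best-effort trace; the current frame is already known to be corrupted */`. The `%pA` specifier used here and in the `warn_slowpath_common()` hunk above is not a mainline printk format, so its handler has to come from another part of this patch that is not visible in this chunk.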
70098 diff -urNp linux-2.6.32.49/kernel/params.c linux-2.6.32.49/kernel/params.c
70099 --- linux-2.6.32.49/kernel/params.c 2011-11-08 19:02:43.000000000 -0500
70100 +++ linux-2.6.32.49/kernel/params.c 2011-11-15 19:59:43.000000000 -0500
70101 @@ -725,7 +725,7 @@ static ssize_t module_attr_store(struct
70102 return ret;
70103 }
70104
70105 -static struct sysfs_ops module_sysfs_ops = {
70106 +static const struct sysfs_ops module_sysfs_ops = {
70107 .show = module_attr_show,
70108 .store = module_attr_store,
70109 };
70110 @@ -739,7 +739,7 @@ static int uevent_filter(struct kset *ks
70111 return 0;
70112 }
70113
70114 -static struct kset_uevent_ops module_uevent_ops = {
70115 +static const struct kset_uevent_ops module_uevent_ops = {
70116 .filter = uevent_filter,
70117 };
70118
70119 diff -urNp linux-2.6.32.49/kernel/perf_event.c linux-2.6.32.49/kernel/perf_event.c
70120 --- linux-2.6.32.49/kernel/perf_event.c 2011-11-08 19:02:43.000000000 -0500
70121 +++ linux-2.6.32.49/kernel/perf_event.c 2011-11-15 19:59:43.000000000 -0500
70122 @@ -77,7 +77,7 @@ int sysctl_perf_event_mlock __read_mostl
70123 */
70124 int sysctl_perf_event_sample_rate __read_mostly = 100000;
70125
70126 -static atomic64_t perf_event_id;
70127 +static atomic64_unchecked_t perf_event_id;
70128
70129 /*
70130 * Lock for (sysadmin-configurable) event reservations:
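Review bot: `perf_event_id` and the event counters are moved to the `_unchecked` atomic64 API without a comment saying why wrap-around is acceptable for them. They look like an id generator and statistics rather than reference counts, which is presumably why they opt out of the overflow-checked atomics, but that reasoning should be written down once, e.g. `/* id generator, not a refcount: wrap-around is not a lifetime issue */` above the declaration. The same applies to the remaining atomic64 hunks in this file and to the `prof_buffer` hunks in kernel/profile.c. The matching type changes for `event->count` and the `child_total_time_*` members live in a header outside this chunk, so they cannot be checked here.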
70131 @@ -1094,9 +1094,9 @@ static void __perf_event_sync_stat(struc
70132 * In order to keep per-task stats reliable we need to flip the event
70133 * values when we flip the contexts.
70134 */
70135 - value = atomic64_read(&next_event->count);
70136 - value = atomic64_xchg(&event->count, value);
70137 - atomic64_set(&next_event->count, value);
70138 + value = atomic64_read_unchecked(&next_event->count);
70139 + value = atomic64_xchg_unchecked(&event->count, value);
70140 + atomic64_set_unchecked(&next_event->count, value);
70141
70142 swap(event->total_time_enabled, next_event->total_time_enabled);
70143 swap(event->total_time_running, next_event->total_time_running);
70144 @@ -1552,7 +1552,7 @@ static u64 perf_event_read(struct perf_e
70145 update_event_times(event);
70146 }
70147
70148 - return atomic64_read(&event->count);
70149 + return atomic64_read_unchecked(&event->count);
70150 }
70151
70152 /*
70153 @@ -1790,11 +1790,11 @@ static int perf_event_read_group(struct
70154 values[n++] = 1 + leader->nr_siblings;
70155 if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
70156 values[n++] = leader->total_time_enabled +
70157 - atomic64_read(&leader->child_total_time_enabled);
70158 + atomic64_read_unchecked(&leader->child_total_time_enabled);
70159 }
70160 if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) {
70161 values[n++] = leader->total_time_running +
70162 - atomic64_read(&leader->child_total_time_running);
70163 + atomic64_read_unchecked(&leader->child_total_time_running);
70164 }
70165
70166 size = n * sizeof(u64);
70167 @@ -1829,11 +1829,11 @@ static int perf_event_read_one(struct pe
70168 values[n++] = perf_event_read_value(event);
70169 if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
70170 values[n++] = event->total_time_enabled +
70171 - atomic64_read(&event->child_total_time_enabled);
70172 + atomic64_read_unchecked(&event->child_total_time_enabled);
70173 }
70174 if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) {
70175 values[n++] = event->total_time_running +
70176 - atomic64_read(&event->child_total_time_running);
70177 + atomic64_read_unchecked(&event->child_total_time_running);
70178 }
70179 if (read_format & PERF_FORMAT_ID)
70180 values[n++] = primary_event_id(event);
70181 @@ -1903,7 +1903,7 @@ static unsigned int perf_poll(struct fil
70182 static void perf_event_reset(struct perf_event *event)
70183 {
70184 (void)perf_event_read(event);
70185 - atomic64_set(&event->count, 0);
70186 + atomic64_set_unchecked(&event->count, 0);
70187 perf_event_update_userpage(event);
70188 }
70189
70190 @@ -2079,15 +2079,15 @@ void perf_event_update_userpage(struct p
70191 ++userpg->lock;
70192 barrier();
70193 userpg->index = perf_event_index(event);
70194 - userpg->offset = atomic64_read(&event->count);
70195 + userpg->offset = atomic64_read_unchecked(&event->count);
70196 if (event->state == PERF_EVENT_STATE_ACTIVE)
70197 - userpg->offset -= atomic64_read(&event->hw.prev_count);
70198 + userpg->offset -= atomic64_read_unchecked(&event->hw.prev_count);
70199
70200 userpg->time_enabled = event->total_time_enabled +
70201 - atomic64_read(&event->child_total_time_enabled);
70202 + atomic64_read_unchecked(&event->child_total_time_enabled);
70203
70204 userpg->time_running = event->total_time_running +
70205 - atomic64_read(&event->child_total_time_running);
70206 + atomic64_read_unchecked(&event->child_total_time_running);
70207
70208 barrier();
70209 ++userpg->lock;
70210 @@ -2903,14 +2903,14 @@ static void perf_output_read_one(struct
70211 u64 values[4];
70212 int n = 0;
70213
70214 - values[n++] = atomic64_read(&event->count);
70215 + values[n++] = atomic64_read_unchecked(&event->count);
70216 if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
70217 values[n++] = event->total_time_enabled +
70218 - atomic64_read(&event->child_total_time_enabled);
70219 + atomic64_read_unchecked(&event->child_total_time_enabled);
70220 }
70221 if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) {
70222 values[n++] = event->total_time_running +
70223 - atomic64_read(&event->child_total_time_running);
70224 + atomic64_read_unchecked(&event->child_total_time_running);
70225 }
70226 if (read_format & PERF_FORMAT_ID)
70227 values[n++] = primary_event_id(event);
70228 @@ -2940,7 +2940,7 @@ static void perf_output_read_group(struc
70229 if (leader != event)
70230 leader->pmu->read(leader);
70231
70232 - values[n++] = atomic64_read(&leader->count);
70233 + values[n++] = atomic64_read_unchecked(&leader->count);
70234 if (read_format & PERF_FORMAT_ID)
70235 values[n++] = primary_event_id(leader);
70236
70237 @@ -2952,7 +2952,7 @@ static void perf_output_read_group(struc
70238 if (sub != event)
70239 sub->pmu->read(sub);
70240
70241 - values[n++] = atomic64_read(&sub->count);
70242 + values[n++] = atomic64_read_unchecked(&sub->count);
70243 if (read_format & PERF_FORMAT_ID)
70244 values[n++] = primary_event_id(sub);
70245
70246 @@ -3525,12 +3525,12 @@ static void perf_event_mmap_event(struct
70247 * need to add enough zero bytes after the string to handle
70248 * the 64bit alignment we do later.
70249 */
70250 - buf = kzalloc(PATH_MAX + sizeof(u64), GFP_KERNEL);
70251 + buf = kzalloc(PATH_MAX, GFP_KERNEL);
70252 if (!buf) {
70253 name = strncpy(tmp, "//enomem", sizeof(tmp));
70254 goto got_name;
70255 }
70256 - name = d_path(&file->f_path, buf, PATH_MAX);
70257 + name = d_path(&file->f_path, buf, PATH_MAX - sizeof(u64));
70258 if (IS_ERR(name)) {
70259 name = strncpy(tmp, "//toolong", sizeof(tmp));
70260 goto got_name;
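Review bot: The allocation loses its extra `sizeof(u64)` bytes and `d_path()` is given `PATH_MAX - sizeof(u64)` instead, so a path that needs the last eight bytes of `PATH_MAX` is now reported as `//toolong` where it used to be returned. The context comment above the allocation still reads as if padding were added to the buffer, so it should be updated, e.g. `/* d_path() gets PATH_MAX - sizeof(u64) so the zero padding for the 64bit alignment fits inside the PATH_MAX allocation */`. The rest of `perf_event_mmap_event()` lies outside the hunk.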
70261 @@ -3783,7 +3783,7 @@ static void perf_swevent_add(struct perf
70262 {
70263 struct hw_perf_event *hwc = &event->hw;
70264
70265 - atomic64_add(nr, &event->count);
70266 + atomic64_add_unchecked(nr, &event->count);
70267
70268 if (!hwc->sample_period)
70269 return;
70270 @@ -4040,9 +4040,9 @@ static void cpu_clock_perf_event_update(
70271 u64 now;
70272
70273 now = cpu_clock(cpu);
70274 - prev = atomic64_read(&event->hw.prev_count);
70275 - atomic64_set(&event->hw.prev_count, now);
70276 - atomic64_add(now - prev, &event->count);
70277 + prev = atomic64_read_unchecked(&event->hw.prev_count);
70278 + atomic64_set_unchecked(&event->hw.prev_count, now);
70279 + atomic64_add_unchecked(now - prev, &event->count);
70280 }
70281
70282 static int cpu_clock_perf_event_enable(struct perf_event *event)
70283 @@ -4050,7 +4050,7 @@ static int cpu_clock_perf_event_enable(s
70284 struct hw_perf_event *hwc = &event->hw;
70285 int cpu = raw_smp_processor_id();
70286
70287 - atomic64_set(&hwc->prev_count, cpu_clock(cpu));
70288 + atomic64_set_unchecked(&hwc->prev_count, cpu_clock(cpu));
70289 perf_swevent_start_hrtimer(event);
70290
70291 return 0;
70292 @@ -4082,9 +4082,9 @@ static void task_clock_perf_event_update
70293 u64 prev;
70294 s64 delta;
70295
70296 - prev = atomic64_xchg(&event->hw.prev_count, now);
70297 + prev = atomic64_xchg_unchecked(&event->hw.prev_count, now);
70298 delta = now - prev;
70299 - atomic64_add(delta, &event->count);
70300 + atomic64_add_unchecked(delta, &event->count);
70301 }
70302
70303 static int task_clock_perf_event_enable(struct perf_event *event)
70304 @@ -4094,7 +4094,7 @@ static int task_clock_perf_event_enable(
70305
70306 now = event->ctx->time;
70307
70308 - atomic64_set(&hwc->prev_count, now);
70309 + atomic64_set_unchecked(&hwc->prev_count, now);
70310
70311 perf_swevent_start_hrtimer(event);
70312
70313 @@ -4289,7 +4289,7 @@ perf_event_alloc(struct perf_event_attr
70314 event->parent = parent_event;
70315
70316 event->ns = get_pid_ns(current->nsproxy->pid_ns);
70317 - event->id = atomic64_inc_return(&perf_event_id);
70318 + event->id = atomic64_inc_return_unchecked(&perf_event_id);
70319
70320 event->state = PERF_EVENT_STATE_INACTIVE;
70321
70322 @@ -4720,15 +4720,15 @@ static void sync_child_event(struct perf
70323 if (child_event->attr.inherit_stat)
70324 perf_event_read_event(child_event, child);
70325
70326 - child_val = atomic64_read(&child_event->count);
70327 + child_val = atomic64_read_unchecked(&child_event->count);
70328
70329 /*
70330 * Add back the child's count to the parent's count:
70331 */
70332 - atomic64_add(child_val, &parent_event->count);
70333 - atomic64_add(child_event->total_time_enabled,
70334 + atomic64_add_unchecked(child_val, &parent_event->count);
70335 + atomic64_add_unchecked(child_event->total_time_enabled,
70336 &parent_event->child_total_time_enabled);
70337 - atomic64_add(child_event->total_time_running,
70338 + atomic64_add_unchecked(child_event->total_time_running,
70339 &parent_event->child_total_time_running);
70340
70341 /*
70342 diff -urNp linux-2.6.32.49/kernel/pid.c linux-2.6.32.49/kernel/pid.c
70343 --- linux-2.6.32.49/kernel/pid.c 2011-11-08 19:02:43.000000000 -0500
70344 +++ linux-2.6.32.49/kernel/pid.c 2011-11-15 19:59:43.000000000 -0500
70345 @@ -33,6 +33,7 @@
70346 #include <linux/rculist.h>
70347 #include <linux/bootmem.h>
70348 #include <linux/hash.h>
70349 +#include <linux/security.h>
70350 #include <linux/pid_namespace.h>
70351 #include <linux/init_task.h>
70352 #include <linux/syscalls.h>
70353 @@ -45,7 +46,7 @@ struct pid init_struct_pid = INIT_STRUCT
70354
70355 int pid_max = PID_MAX_DEFAULT;
70356
70357 -#define RESERVED_PIDS 300
70358 +#define RESERVED_PIDS 500
70359
70360 int pid_max_min = RESERVED_PIDS + 1;
70361 int pid_max_max = PID_MAX_LIMIT;
70362 @@ -383,7 +384,14 @@ EXPORT_SYMBOL(pid_task);
70363 */
70364 struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
70365 {
70366 - return pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
70367 + struct task_struct *task;
70368 +
70369 + task = pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
70370 +
70371 + if (gr_pid_is_chrooted(task))
70372 + return NULL;
70373 +
70374 + return task;
70375 }
70376
70377 struct task_struct *find_task_by_vpid(pid_t vnr)
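Review bot: `gr_pid_is_chrooted(task)` is called with whatever `pid_task()` returned, and that is NULL when no task matches `nr`. The helper's definition is not in this hunk, so unless it is known to accept NULL, the lookup-miss path hands it a null pointer to dereference. Guarding at the call site keeps `find_task_by_pid_ns()` safe on its own: `if (task && gr_pid_is_chrooted(task)) return NULL;`.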
70378 @@ -391,6 +399,11 @@ struct task_struct *find_task_by_vpid(pi
70379 return find_task_by_pid_ns(vnr, current->nsproxy->pid_ns);
70380 }
70381
70382 +struct task_struct *find_task_by_vpid_unrestricted(pid_t vnr)
70383 +{
70384 + return pid_task(find_pid_ns(vnr, current->nsproxy->pid_ns), PIDTYPE_PID);
70385 +}
70386 +
70387 struct pid *get_task_pid(struct task_struct *task, enum pid_type type)
70388 {
70389 struct pid *pid;
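Review bot: `find_task_by_vpid_unrestricted()` has no comment, yet it is the one lookup that skips the `gr_pid_is_chrooted()` filter added to `find_task_by_pid_ns()` in the previous hunk. A header comment should say what it bypasses and who may call it, for example `/* Lookup without the chroot visibility filter; only for callers that perform their own access check. */`. Its callers are outside this hunk, so whether each of them meets that condition cannot be confirmed here.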
70390 diff -urNp linux-2.6.32.49/kernel/posix-cpu-timers.c linux-2.6.32.49/kernel/posix-cpu-timers.c
70391 --- linux-2.6.32.49/kernel/posix-cpu-timers.c 2011-11-08 19:02:43.000000000 -0500
70392 +++ linux-2.6.32.49/kernel/posix-cpu-timers.c 2011-11-15 19:59:43.000000000 -0500
70393 @@ -6,6 +6,7 @@
70394 #include <linux/posix-timers.h>
70395 #include <linux/errno.h>
70396 #include <linux/math64.h>
70397 +#include <linux/security.h>
70398 #include <asm/uaccess.h>
70399 #include <linux/kernel_stat.h>
70400 #include <trace/events/timer.h>
70401 @@ -1697,7 +1698,7 @@ static long thread_cpu_nsleep_restart(st
70402
70403 static __init int init_posix_cpu_timers(void)
70404 {
70405 - struct k_clock process = {
70406 + static struct k_clock process = {
70407 .clock_getres = process_cpu_clock_getres,
70408 .clock_get = process_cpu_clock_get,
70409 .clock_set = do_posix_clock_nosettime,
70410 @@ -1705,7 +1706,7 @@ static __init int init_posix_cpu_timers(
70411 .nsleep = process_cpu_nsleep,
70412 .nsleep_restart = process_cpu_nsleep_restart,
70413 };
70414 - struct k_clock thread = {
70415 + static struct k_clock thread = {
70416 .clock_getres = thread_cpu_clock_getres,
70417 .clock_get = thread_cpu_clock_get,
70418 .clock_set = do_posix_clock_nosettime,
70419 diff -urNp linux-2.6.32.49/kernel/posix-timers.c linux-2.6.32.49/kernel/posix-timers.c
70420 --- linux-2.6.32.49/kernel/posix-timers.c 2011-11-08 19:02:43.000000000 -0500
70421 +++ linux-2.6.32.49/kernel/posix-timers.c 2011-11-15 19:59:43.000000000 -0500
70422 @@ -42,6 +42,7 @@
70423 #include <linux/compiler.h>
70424 #include <linux/idr.h>
70425 #include <linux/posix-timers.h>
70426 +#include <linux/grsecurity.h>
70427 #include <linux/syscalls.h>
70428 #include <linux/wait.h>
70429 #include <linux/workqueue.h>
70430 @@ -131,7 +132,7 @@ static DEFINE_SPINLOCK(idr_lock);
70431 * which we beg off on and pass to do_sys_settimeofday().
70432 */
70433
70434 -static struct k_clock posix_clocks[MAX_CLOCKS];
70435 +static struct k_clock *posix_clocks[MAX_CLOCKS];
70436
70437 /*
70438 * These ones are defined below.
70439 @@ -157,8 +158,8 @@ static inline void unlock_timer(struct k
70440 */
70441 #define CLOCK_DISPATCH(clock, call, arglist) \
70442 ((clock) < 0 ? posix_cpu_##call arglist : \
70443 - (posix_clocks[clock].call != NULL \
70444 - ? (*posix_clocks[clock].call) arglist : common_##call arglist))
70445 + (posix_clocks[clock]->call != NULL \
70446 + ? (*posix_clocks[clock]->call) arglist : common_##call arglist))
70447
70448 /*
70449 * Default clock hook functions when the struct k_clock passed
70450 @@ -172,7 +173,7 @@ static inline int common_clock_getres(co
70451 struct timespec *tp)
70452 {
70453 tp->tv_sec = 0;
70454 - tp->tv_nsec = posix_clocks[which_clock].res;
70455 + tp->tv_nsec = posix_clocks[which_clock]->res;
70456 return 0;
70457 }
70458
70459 @@ -217,9 +218,11 @@ static inline int invalid_clockid(const
70460 return 0;
70461 if ((unsigned) which_clock >= MAX_CLOCKS)
70462 return 1;
70463 - if (posix_clocks[which_clock].clock_getres != NULL)
70464 + if (posix_clocks[which_clock] == NULL)
70465 return 0;
70466 - if (posix_clocks[which_clock].res != 0)
70467 + if (posix_clocks[which_clock]->clock_getres != NULL)
70468 + return 0;
70469 + if (posix_clocks[which_clock]->res != 0)
70470 return 0;
70471 return 1;
70472 }
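Review bot: The new first test in `invalid_clockid()` returns 0, which is this function's "valid" result, when `posix_clocks[which_clock]` is NULL, so an in-range but unregistered clock id passes validation. With the table now holding pointers, `CLOCK_DISPATCH` and `common_clock_getres()` in the neighbouring hunks dereference that slot without a check, which would be a NULL dereference on any path that relies on this validation (the callers are outside the hunk). The branch should reject the id instead: `if (posix_clocks[which_clock] == NULL) return 1;`.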
70473 @@ -266,29 +269,29 @@ int posix_get_coarse_res(const clockid_t
70474 */
70475 static __init int init_posix_timers(void)
70476 {
70477 - struct k_clock clock_realtime = {
70478 + static struct k_clock clock_realtime = {
70479 .clock_getres = hrtimer_get_res,
70480 };
70481 - struct k_clock clock_monotonic = {
70482 + static struct k_clock clock_monotonic = {
70483 .clock_getres = hrtimer_get_res,
70484 .clock_get = posix_ktime_get_ts,
70485 .clock_set = do_posix_clock_nosettime,
70486 };
70487 - struct k_clock clock_monotonic_raw = {
70488 + static struct k_clock clock_monotonic_raw = {
70489 .clock_getres = hrtimer_get_res,
70490 .clock_get = posix_get_monotonic_raw,
70491 .clock_set = do_posix_clock_nosettime,
70492 .timer_create = no_timer_create,
70493 .nsleep = no_nsleep,
70494 };
70495 - struct k_clock clock_realtime_coarse = {
70496 + static struct k_clock clock_realtime_coarse = {
70497 .clock_getres = posix_get_coarse_res,
70498 .clock_get = posix_get_realtime_coarse,
70499 .clock_set = do_posix_clock_nosettime,
70500 .timer_create = no_timer_create,
70501 .nsleep = no_nsleep,
70502 };
70503 - struct k_clock clock_monotonic_coarse = {
70504 + static struct k_clock clock_monotonic_coarse = {
70505 .clock_getres = posix_get_coarse_res,
70506 .clock_get = posix_get_monotonic_coarse,
70507 .clock_set = do_posix_clock_nosettime,
70508 @@ -296,6 +299,8 @@ static __init int init_posix_timers(void
70509 .nsleep = no_nsleep,
70510 };
70511
70512 + pax_track_stack();
70513 +
70514 register_posix_clock(CLOCK_REALTIME, &clock_realtime);
70515 register_posix_clock(CLOCK_MONOTONIC, &clock_monotonic);
70516 register_posix_clock(CLOCK_MONOTONIC_RAW, &clock_monotonic_raw);
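Review bot: `pax_track_stack()` is added to `init_posix_timers()` by the same patch that turns its five `k_clock` locals into `static` objects in the previous hunk, so the large stack frame the call presumably accounts for no longer exists. If no other big local remains (the previous hunk shows none), the call can be dropped. Otherwise a one-line comment naming the local that justifies it would help the next reader.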
70517 @@ -484,7 +489,7 @@ void register_posix_clock(const clockid_
70518 return;
70519 }
70520
70521 - posix_clocks[clock_id] = *new_clock;
70522 + posix_clocks[clock_id] = new_clock;
70523 }
70524 EXPORT_SYMBOL_GPL(register_posix_clock);
70525
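Review bot: `register_posix_clock()` now stores the caller's pointer instead of copying the struct, so the table entry is only valid for as long as the caller's `k_clock` object lives, and nothing in the function says so. The callers visible in this patch (`init_posix_timers()` and `init_posix_cpu_timers()`) were switched to `static` locals, but the symbol is `EXPORT_SYMBOL_GPL`, so any other caller that passes a stack or module-owned struct would leave a dangling entry that `CLOCK_DISPATCH` later calls through. A comment above the assignment would make the contract explicit: `/* new_clock is kept by reference: it must have static storage and outlive the registration */`. Taking `const struct k_clock *` would additionally let the tables be read-only, though that signature change is outside this hunk.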
70526 @@ -948,6 +953,13 @@ SYSCALL_DEFINE2(clock_settime, const clo
70527 if (copy_from_user(&new_tp, tp, sizeof (*tp)))
70528 return -EFAULT;
70529
70530 + /* only the CLOCK_REALTIME clock can be set, all other clocks
70531 + have their clock_set fptr set to a nosettime dummy function
70532 + CLOCK_REALTIME has a NULL clock_set fptr which causes it to
70533 + call common_clock_set, which calls do_sys_settimeofday, which
70534 + we hook
70535 + */
70536 +
70537 return CLOCK_DISPATCH(which_clock, clock_set, (which_clock, &new_tp));
70538 }
70539
70540 diff -urNp linux-2.6.32.49/kernel/power/hibernate.c linux-2.6.32.49/kernel/power/hibernate.c
70541 --- linux-2.6.32.49/kernel/power/hibernate.c 2011-11-08 19:02:43.000000000 -0500
70542 +++ linux-2.6.32.49/kernel/power/hibernate.c 2011-11-15 19:59:43.000000000 -0500
70543 @@ -48,14 +48,14 @@ enum {
70544
70545 static int hibernation_mode = HIBERNATION_SHUTDOWN;
70546
70547 -static struct platform_hibernation_ops *hibernation_ops;
70548 +static const struct platform_hibernation_ops *hibernation_ops;
70549
70550 /**
70551 * hibernation_set_ops - set the global hibernate operations
70552 * @ops: the hibernation operations to use in subsequent hibernation transitions
70553 */
70554
70555 -void hibernation_set_ops(struct platform_hibernation_ops *ops)
70556 +void hibernation_set_ops(const struct platform_hibernation_ops *ops)
70557 {
70558 if (ops && !(ops->begin && ops->end && ops->pre_snapshot
70559 && ops->prepare && ops->finish && ops->enter && ops->pre_restore
70560 diff -urNp linux-2.6.32.49/kernel/power/poweroff.c linux-2.6.32.49/kernel/power/poweroff.c
70561 --- linux-2.6.32.49/kernel/power/poweroff.c 2011-11-08 19:02:43.000000000 -0500
70562 +++ linux-2.6.32.49/kernel/power/poweroff.c 2011-11-15 19:59:43.000000000 -0500
70563 @@ -37,7 +37,7 @@ static struct sysrq_key_op sysrq_powerof
70564 .enable_mask = SYSRQ_ENABLE_BOOT,
70565 };
70566
70567 -static int pm_sysrq_init(void)
70568 +static int __init pm_sysrq_init(void)
70569 {
70570 register_sysrq_key('o', &sysrq_poweroff_op);
70571 return 0;
70572 diff -urNp linux-2.6.32.49/kernel/power/process.c linux-2.6.32.49/kernel/power/process.c
70573 --- linux-2.6.32.49/kernel/power/process.c 2011-11-08 19:02:43.000000000 -0500
70574 +++ linux-2.6.32.49/kernel/power/process.c 2011-11-15 19:59:43.000000000 -0500
70575 @@ -37,12 +37,15 @@ static int try_to_freeze_tasks(bool sig_
70576 struct timeval start, end;
70577 u64 elapsed_csecs64;
70578 unsigned int elapsed_csecs;
70579 + bool timedout = false;
70580
70581 do_gettimeofday(&start);
70582
70583 end_time = jiffies + TIMEOUT;
70584 do {
70585 todo = 0;
70586 + if (time_after(jiffies, end_time))
70587 + timedout = true;
70588 read_lock(&tasklist_lock);
70589 do_each_thread(g, p) {
70590 if (frozen(p) || !freezeable(p))
70591 @@ -57,15 +60,17 @@ static int try_to_freeze_tasks(bool sig_
70592 * It is "frozen enough". If the task does wake
70593 * up, it will immediately call try_to_freeze.
70594 */
70595 - if (!task_is_stopped_or_traced(p) &&
70596 - !freezer_should_skip(p))
70597 + if (!task_is_stopped_or_traced(p) && !freezer_should_skip(p)) {
70598 todo++;
70599 + if (timedout) {
70600 + printk(KERN_ERR "Task refusing to freeze:\n");
70601 + sched_show_task(p);
70602 + }
70603 + }
70604 } while_each_thread(g, p);
70605 read_unlock(&tasklist_lock);
70606 yield(); /* Yield is okay here */
70607 - if (time_after(jiffies, end_time))
70608 - break;
70609 - } while (todo);
70610 + } while (todo && !timedout);
70611
70612 do_gettimeofday(&end);
70613 elapsed_csecs64 = timeval_to_ns(&end) - timeval_to_ns(&start);
70614 diff -urNp linux-2.6.32.49/kernel/power/suspend.c linux-2.6.32.49/kernel/power/suspend.c
70615 --- linux-2.6.32.49/kernel/power/suspend.c 2011-11-26 19:44:53.000000000 -0500
70616 +++ linux-2.6.32.49/kernel/power/suspend.c 2011-11-26 19:45:13.000000000 -0500
70617 @@ -23,13 +23,13 @@ const char *const pm_states[PM_SUSPEND_M
70618 [PM_SUSPEND_MEM] = "mem",
70619 };
70620
70621 -static struct platform_suspend_ops *suspend_ops;
70622 +static const struct platform_suspend_ops *suspend_ops;
70623
70624 /**
70625 * suspend_set_ops - Set the global suspend method table.
70626 * @ops: Pointer to ops structure.
70627 */
70628 -void suspend_set_ops(struct platform_suspend_ops *ops)
70629 +void suspend_set_ops(const struct platform_suspend_ops *ops)
70630 {
70631 mutex_lock(&pm_mutex);
70632 suspend_ops = ops;
70633 diff -urNp linux-2.6.32.49/kernel/printk.c linux-2.6.32.49/kernel/printk.c
70634 --- linux-2.6.32.49/kernel/printk.c 2011-11-08 19:02:43.000000000 -0500
70635 +++ linux-2.6.32.49/kernel/printk.c 2011-11-15 19:59:43.000000000 -0500
70636 @@ -278,6 +278,11 @@ int do_syslog(int type, char __user *buf
70637 char c;
70638 int error = 0;
70639
70640 +#ifdef CONFIG_GRKERNSEC_DMESG
70641 + if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN))
70642 + return -EPERM;
70643 +#endif
70644 +
70645 error = security_syslog(type);
70646 if (error)
70647 return error;
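Review bot: The `CONFIG_GRKERNSEC_DMESG` gate sits ahead of `security_syslog(type)` and ignores `type`, so every syslog action is refused before the LSM hook sees it, and the hunk has no comment recording that this is intended. Because `capable()` is evaluated on each call, a reader that obtained access while privileged and later dropped `CAP_SYS_ADMIN` would presumably be cut off as well; which entry points reach `do_syslog()` is not visible here. I would add `/* when the dmesg restriction is enabled, all syslog actions need CAP_SYS_ADMIN; checked before the LSM hook */` above the `#ifdef`.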
70648 diff -urNp linux-2.6.32.49/kernel/profile.c linux-2.6.32.49/kernel/profile.c
70649 --- linux-2.6.32.49/kernel/profile.c 2011-11-08 19:02:43.000000000 -0500
70650 +++ linux-2.6.32.49/kernel/profile.c 2011-11-15 19:59:43.000000000 -0500
70651 @@ -39,7 +39,7 @@ struct profile_hit {
70652 /* Oprofile timer tick hook */
70653 static int (*timer_hook)(struct pt_regs *) __read_mostly;
70654
70655 -static atomic_t *prof_buffer;
70656 +static atomic_unchecked_t *prof_buffer;
70657 static unsigned long prof_len, prof_shift;
70658
70659 int prof_on __read_mostly;
70660 @@ -283,7 +283,7 @@ static void profile_flip_buffers(void)
70661 hits[i].pc = 0;
70662 continue;
70663 }
70664 - atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
70665 + atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
70666 hits[i].hits = hits[i].pc = 0;
70667 }
70668 }
70669 @@ -346,9 +346,9 @@ void profile_hits(int type, void *__pc,
70670 * Add the current hit(s) and flush the write-queue out
70671 * to the global buffer:
70672 */
70673 - atomic_add(nr_hits, &prof_buffer[pc]);
70674 + atomic_add_unchecked(nr_hits, &prof_buffer[pc]);
70675 for (i = 0; i < NR_PROFILE_HIT; ++i) {
70676 - atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
70677 + atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
70678 hits[i].pc = hits[i].hits = 0;
70679 }
70680 out:
70681 @@ -426,7 +426,7 @@ void profile_hits(int type, void *__pc,
70682 if (prof_on != type || !prof_buffer)
70683 return;
70684 pc = ((unsigned long)__pc - (unsigned long)_stext) >> prof_shift;
70685 - atomic_add(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
70686 + atomic_add_unchecked(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
70687 }
70688 #endif /* !CONFIG_SMP */
70689 EXPORT_SYMBOL_GPL(profile_hits);
70690 @@ -517,7 +517,7 @@ read_profile(struct file *file, char __u
70691 return -EFAULT;
70692 buf++; p++; count--; read++;
70693 }
70694 - pnt = (char *)prof_buffer + p - sizeof(atomic_t);
70695 + pnt = (char *)prof_buffer + p - sizeof(atomic_unchecked_t);
70696 if (copy_to_user(buf, (void *)pnt, count))
70697 return -EFAULT;
70698 read += count;
70699 @@ -548,7 +548,7 @@ static ssize_t write_profile(struct file
70700 }
70701 #endif
70702 profile_discard_flip_buffers();
70703 - memset(prof_buffer, 0, prof_len * sizeof(atomic_t));
70704 + memset(prof_buffer, 0, prof_len * sizeof(atomic_unchecked_t));
70705 return count;
70706 }
70707
70708 diff -urNp linux-2.6.32.49/kernel/ptrace.c linux-2.6.32.49/kernel/ptrace.c
70709 --- linux-2.6.32.49/kernel/ptrace.c 2011-11-08 19:02:43.000000000 -0500
70710 +++ linux-2.6.32.49/kernel/ptrace.c 2011-11-15 19:59:43.000000000 -0500
70711 @@ -117,7 +117,8 @@ int ptrace_check_attach(struct task_stru
70712 return ret;
70713 }
70714
70715 -int __ptrace_may_access(struct task_struct *task, unsigned int mode)
70716 +static int __ptrace_may_access(struct task_struct *task, unsigned int mode,
70717 + unsigned int log)
70718 {
70719 const struct cred *cred = current_cred(), *tcred;
70720
70721 @@ -141,7 +142,9 @@ int __ptrace_may_access(struct task_stru
70722 cred->gid != tcred->egid ||
70723 cred->gid != tcred->sgid ||
70724 cred->gid != tcred->gid) &&
70725 - !capable(CAP_SYS_PTRACE)) {
70726 + ((!log && !capable_nolog(CAP_SYS_PTRACE)) ||
70727 + (log && !capable(CAP_SYS_PTRACE)))
70728 + ) {
70729 rcu_read_unlock();
70730 return -EPERM;
70731 }
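Review bot: The capability test `((!log && !capable_nolog(CAP_SYS_PTRACE)) || (log && !capable(CAP_SYS_PTRACE)))` is written out twice, here and in the dumpable check of the next hunk, and a slip in one copy would silently change the access decision. A small static helper that picks the variant from `log` keeps the two checks identical and makes both conditions readable. `log` is only used as a flag, so `bool` would describe it better than `unsigned int`. `__ptrace_may_access()` starts and ends outside these hunks.

```c
/* Pick the CAP_SYS_PTRACE check according to the caller's log flag. */
static bool ptrace_has_cap(unsigned int log)
{
	return log ? capable(CAP_SYS_PTRACE) : capable_nolog(CAP_SYS_PTRACE);
}

/* … unchanged: uid/gid comparison in __ptrace_may_access … */
	     cred->gid != tcred->gid) &&
	    !ptrace_has_cap(log)) {
/* … unchanged: rcu_read_unlock, -EPERM return, dumpable lookup … */
	if (!dumpable && !ptrace_has_cap(log))
		return -EPERM;
```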
70732 @@ -149,7 +152,9 @@ int __ptrace_may_access(struct task_stru
70733 smp_rmb();
70734 if (task->mm)
70735 dumpable = get_dumpable(task->mm);
70736 - if (!dumpable && !capable(CAP_SYS_PTRACE))
70737 + if (!dumpable &&
70738 + ((!log && !capable_nolog(CAP_SYS_PTRACE)) ||
70739 + (log && !capable(CAP_SYS_PTRACE))))
70740 return -EPERM;
70741
70742 return security_ptrace_access_check(task, mode);
70743 @@ -159,7 +164,16 @@ bool ptrace_may_access(struct task_struc
70744 {
70745 int err;
70746 task_lock(task);
70747 - err = __ptrace_may_access(task, mode);
70748 + err = __ptrace_may_access(task, mode, 0);
70749 + task_unlock(task);
70750 + return !err;
70751 +}
70752 +
70753 +bool ptrace_may_access_log(struct task_struct *task, unsigned int mode)
70754 +{
70755 + int err;
70756 + task_lock(task);
70757 + err = __ptrace_may_access(task, mode, 1);
70758 task_unlock(task);
70759 return !err;
70760 }
70761 @@ -186,7 +200,7 @@ int ptrace_attach(struct task_struct *ta
70762 goto out;
70763
70764 task_lock(task);
70765 - retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH);
70766 + retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH, 1);
70767 task_unlock(task);
70768 if (retval)
70769 goto unlock_creds;
70770 @@ -199,7 +213,7 @@ int ptrace_attach(struct task_struct *ta
70771 goto unlock_tasklist;
70772
70773 task->ptrace = PT_PTRACED;
70774 - if (capable(CAP_SYS_PTRACE))
70775 + if (capable_nolog(CAP_SYS_PTRACE))
70776 task->ptrace |= PT_PTRACE_CAP;
70777
70778 __ptrace_link(task, current);
70779 @@ -351,6 +365,8 @@ int ptrace_readdata(struct task_struct *
70780 {
70781 int copied = 0;
70782
70783 + pax_track_stack();
70784 +
70785 while (len > 0) {
70786 char buf[128];
70787 int this_len, retval;
70788 @@ -376,6 +392,8 @@ int ptrace_writedata(struct task_struct
70789 {
70790 int copied = 0;
70791
70792 + pax_track_stack();
70793 +
70794 while (len > 0) {
70795 char buf[128];
70796 int this_len, retval;
70797 @@ -517,6 +535,8 @@ int ptrace_request(struct task_struct *c
70798 int ret = -EIO;
70799 siginfo_t siginfo;
70800
70801 + pax_track_stack();
70802 +
70803 switch (request) {
70804 case PTRACE_PEEKTEXT:
70805 case PTRACE_PEEKDATA:
70806 @@ -532,18 +552,18 @@ int ptrace_request(struct task_struct *c
70807 ret = ptrace_setoptions(child, data);
70808 break;
70809 case PTRACE_GETEVENTMSG:
70810 - ret = put_user(child->ptrace_message, (unsigned long __user *) data);
70811 + ret = put_user(child->ptrace_message, (__force unsigned long __user *) data);
70812 break;
70813
70814 case PTRACE_GETSIGINFO:
70815 ret = ptrace_getsiginfo(child, &siginfo);
70816 if (!ret)
70817 - ret = copy_siginfo_to_user((siginfo_t __user *) data,
70818 + ret = copy_siginfo_to_user((__force siginfo_t __user *) data,
70819 &siginfo);
70820 break;
70821
70822 case PTRACE_SETSIGINFO:
70823 - if (copy_from_user(&siginfo, (siginfo_t __user *) data,
70824 + if (copy_from_user(&siginfo, (__force siginfo_t __user *) data,
70825 sizeof siginfo))
70826 ret = -EFAULT;
70827 else
70828 @@ -621,14 +641,21 @@ SYSCALL_DEFINE4(ptrace, long, request, l
70829 goto out;
70830 }
70831
70832 + if (gr_handle_ptrace(child, request)) {
70833 + ret = -EPERM;
70834 + goto out_put_task_struct;
70835 + }
70836 +
70837 if (request == PTRACE_ATTACH) {
70838 ret = ptrace_attach(child);
70839 /*
70840 * Some architectures need to do book-keeping after
70841 * a ptrace attach.
70842 */
70843 - if (!ret)
70844 + if (!ret) {
70845 arch_ptrace_attach(child);
70846 + gr_audit_ptrace(child);
70847 + }
70848 goto out_put_task_struct;
70849 }
70850
70851 @@ -653,7 +680,7 @@ int generic_ptrace_peekdata(struct task_
70852 copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0);
70853 if (copied != sizeof(tmp))
70854 return -EIO;
70855 - return put_user(tmp, (unsigned long __user *)data);
70856 + return put_user(tmp, (__force unsigned long __user *)data);
70857 }
70858
70859 int generic_ptrace_pokedata(struct task_struct *tsk, long addr, long data)
70860 @@ -675,6 +702,8 @@ int compat_ptrace_request(struct task_st
70861 siginfo_t siginfo;
70862 int ret;
70863
70864 + pax_track_stack();
70865 +
70866 switch (request) {
70867 case PTRACE_PEEKTEXT:
70868 case PTRACE_PEEKDATA:
70869 @@ -740,14 +769,21 @@ asmlinkage long compat_sys_ptrace(compat
70870 goto out;
70871 }
70872
70873 + if (gr_handle_ptrace(child, request)) {
70874 + ret = -EPERM;
70875 + goto out_put_task_struct;
70876 + }
70877 +
70878 if (request == PTRACE_ATTACH) {
70879 ret = ptrace_attach(child);
70880 /*
70881 * Some architectures need to do book-keeping after
70882 * a ptrace attach.
70883 */
70884 - if (!ret)
70885 + if (!ret) {
70886 arch_ptrace_attach(child);
70887 + gr_audit_ptrace(child);
70888 + }
70889 goto out_put_task_struct;
70890 }
70891
70892 diff -urNp linux-2.6.32.49/kernel/rcutorture.c linux-2.6.32.49/kernel/rcutorture.c
70893 --- linux-2.6.32.49/kernel/rcutorture.c 2011-11-08 19:02:43.000000000 -0500
70894 +++ linux-2.6.32.49/kernel/rcutorture.c 2011-11-15 19:59:43.000000000 -0500
70895 @@ -118,12 +118,12 @@ static DEFINE_PER_CPU(long [RCU_TORTURE_
70896 { 0 };
70897 static DEFINE_PER_CPU(long [RCU_TORTURE_PIPE_LEN + 1], rcu_torture_batch) =
70898 { 0 };
70899 -static atomic_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
70900 -static atomic_t n_rcu_torture_alloc;
70901 -static atomic_t n_rcu_torture_alloc_fail;
70902 -static atomic_t n_rcu_torture_free;
70903 -static atomic_t n_rcu_torture_mberror;
70904 -static atomic_t n_rcu_torture_error;
70905 +static atomic_unchecked_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
70906 +static atomic_unchecked_t n_rcu_torture_alloc;
70907 +static atomic_unchecked_t n_rcu_torture_alloc_fail;
70908 +static atomic_unchecked_t n_rcu_torture_free;
70909 +static atomic_unchecked_t n_rcu_torture_mberror;
70910 +static atomic_unchecked_t n_rcu_torture_error;
70911 static long n_rcu_torture_timers;
70912 static struct list_head rcu_torture_removed;
70913 static cpumask_var_t shuffle_tmp_mask;
70914 @@ -187,11 +187,11 @@ rcu_torture_alloc(void)
70915
70916 spin_lock_bh(&rcu_torture_lock);
70917 if (list_empty(&rcu_torture_freelist)) {
70918 - atomic_inc(&n_rcu_torture_alloc_fail);
70919 + atomic_inc_unchecked(&n_rcu_torture_alloc_fail);
70920 spin_unlock_bh(&rcu_torture_lock);
70921 return NULL;
70922 }
70923 - atomic_inc(&n_rcu_torture_alloc);
70924 + atomic_inc_unchecked(&n_rcu_torture_alloc);
70925 p = rcu_torture_freelist.next;
70926 list_del_init(p);
70927 spin_unlock_bh(&rcu_torture_lock);
70928 @@ -204,7 +204,7 @@ rcu_torture_alloc(void)
70929 static void
70930 rcu_torture_free(struct rcu_torture *p)
70931 {
70932 - atomic_inc(&n_rcu_torture_free);
70933 + atomic_inc_unchecked(&n_rcu_torture_free);
70934 spin_lock_bh(&rcu_torture_lock);
70935 list_add_tail(&p->rtort_free, &rcu_torture_freelist);
70936 spin_unlock_bh(&rcu_torture_lock);
70937 @@ -319,7 +319,7 @@ rcu_torture_cb(struct rcu_head *p)
70938 i = rp->rtort_pipe_count;
70939 if (i > RCU_TORTURE_PIPE_LEN)
70940 i = RCU_TORTURE_PIPE_LEN;
70941 - atomic_inc(&rcu_torture_wcount[i]);
70942 + atomic_inc_unchecked(&rcu_torture_wcount[i]);
70943 if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
70944 rp->rtort_mbtest = 0;
70945 rcu_torture_free(rp);
70946 @@ -359,7 +359,7 @@ static void rcu_sync_torture_deferred_fr
70947 i = rp->rtort_pipe_count;
70948 if (i > RCU_TORTURE_PIPE_LEN)
70949 i = RCU_TORTURE_PIPE_LEN;
70950 - atomic_inc(&rcu_torture_wcount[i]);
70951 + atomic_inc_unchecked(&rcu_torture_wcount[i]);
70952 if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
70953 rp->rtort_mbtest = 0;
70954 list_del(&rp->rtort_free);
70955 @@ -653,7 +653,7 @@ rcu_torture_writer(void *arg)
70956 i = old_rp->rtort_pipe_count;
70957 if (i > RCU_TORTURE_PIPE_LEN)
70958 i = RCU_TORTURE_PIPE_LEN;
70959 - atomic_inc(&rcu_torture_wcount[i]);
70960 + atomic_inc_unchecked(&rcu_torture_wcount[i]);
70961 old_rp->rtort_pipe_count++;
70962 cur_ops->deferred_free(old_rp);
70963 }
70964 @@ -718,7 +718,7 @@ static void rcu_torture_timer(unsigned l
70965 return;
70966 }
70967 if (p->rtort_mbtest == 0)
70968 - atomic_inc(&n_rcu_torture_mberror);
70969 + atomic_inc_unchecked(&n_rcu_torture_mberror);
70970 spin_lock(&rand_lock);
70971 cur_ops->read_delay(&rand);
70972 n_rcu_torture_timers++;
70973 @@ -776,7 +776,7 @@ rcu_torture_reader(void *arg)
70974 continue;
70975 }
70976 if (p->rtort_mbtest == 0)
70977 - atomic_inc(&n_rcu_torture_mberror);
70978 + atomic_inc_unchecked(&n_rcu_torture_mberror);
70979 cur_ops->read_delay(&rand);
70980 preempt_disable();
70981 pipe_count = p->rtort_pipe_count;
70982 @@ -834,17 +834,17 @@ rcu_torture_printk(char *page)
70983 rcu_torture_current,
70984 rcu_torture_current_version,
70985 list_empty(&rcu_torture_freelist),
70986 - atomic_read(&n_rcu_torture_alloc),
70987 - atomic_read(&n_rcu_torture_alloc_fail),
70988 - atomic_read(&n_rcu_torture_free),
70989 - atomic_read(&n_rcu_torture_mberror),
70990 + atomic_read_unchecked(&n_rcu_torture_alloc),
70991 + atomic_read_unchecked(&n_rcu_torture_alloc_fail),
70992 + atomic_read_unchecked(&n_rcu_torture_free),
70993 + atomic_read_unchecked(&n_rcu_torture_mberror),
70994 n_rcu_torture_timers);
70995 - if (atomic_read(&n_rcu_torture_mberror) != 0)
70996 + if (atomic_read_unchecked(&n_rcu_torture_mberror) != 0)
70997 cnt += sprintf(&page[cnt], " !!!");
70998 cnt += sprintf(&page[cnt], "\n%s%s ", torture_type, TORTURE_FLAG);
70999 if (i > 1) {
71000 cnt += sprintf(&page[cnt], "!!! ");
71001 - atomic_inc(&n_rcu_torture_error);
71002 + atomic_inc_unchecked(&n_rcu_torture_error);
71003 WARN_ON_ONCE(1);
71004 }
71005 cnt += sprintf(&page[cnt], "Reader Pipe: ");
71006 @@ -858,7 +858,7 @@ rcu_torture_printk(char *page)
71007 cnt += sprintf(&page[cnt], "Free-Block Circulation: ");
71008 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
71009 cnt += sprintf(&page[cnt], " %d",
71010 - atomic_read(&rcu_torture_wcount[i]));
71011 + atomic_read_unchecked(&rcu_torture_wcount[i]));
71012 }
71013 cnt += sprintf(&page[cnt], "\n");
71014 if (cur_ops->stats)
71015 @@ -1084,7 +1084,7 @@ rcu_torture_cleanup(void)
71016
71017 if (cur_ops->cleanup)
71018 cur_ops->cleanup();
71019 - if (atomic_read(&n_rcu_torture_error))
71020 + if (atomic_read_unchecked(&n_rcu_torture_error))
71021 rcu_torture_print_module_parms("End of test: FAILURE");
71022 else
71023 rcu_torture_print_module_parms("End of test: SUCCESS");
71024 @@ -1138,13 +1138,13 @@ rcu_torture_init(void)
71025
71026 rcu_torture_current = NULL;
71027 rcu_torture_current_version = 0;
71028 - atomic_set(&n_rcu_torture_alloc, 0);
71029 - atomic_set(&n_rcu_torture_alloc_fail, 0);
71030 - atomic_set(&n_rcu_torture_free, 0);
71031 - atomic_set(&n_rcu_torture_mberror, 0);
71032 - atomic_set(&n_rcu_torture_error, 0);
71033 + atomic_set_unchecked(&n_rcu_torture_alloc, 0);
71034 + atomic_set_unchecked(&n_rcu_torture_alloc_fail, 0);
71035 + atomic_set_unchecked(&n_rcu_torture_free, 0);
71036 + atomic_set_unchecked(&n_rcu_torture_mberror, 0);
71037 + atomic_set_unchecked(&n_rcu_torture_error, 0);
71038 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++)
71039 - atomic_set(&rcu_torture_wcount[i], 0);
71040 + atomic_set_unchecked(&rcu_torture_wcount[i], 0);
71041 for_each_possible_cpu(cpu) {
71042 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
71043 per_cpu(rcu_torture_count, cpu)[i] = 0;
71044 diff -urNp linux-2.6.32.49/kernel/rcutree.c linux-2.6.32.49/kernel/rcutree.c
71045 --- linux-2.6.32.49/kernel/rcutree.c 2011-11-08 19:02:43.000000000 -0500
71046 +++ linux-2.6.32.49/kernel/rcutree.c 2011-11-15 19:59:43.000000000 -0500
71047 @@ -1303,7 +1303,7 @@ __rcu_process_callbacks(struct rcu_state
71048 /*
71049 * Do softirq processing for the current CPU.
71050 */
71051 -static void rcu_process_callbacks(struct softirq_action *unused)
71052 +static void rcu_process_callbacks(void)
71053 {
71054 /*
71055 * Memory references from any prior RCU read-side critical sections
71056 diff -urNp linux-2.6.32.49/kernel/rcutree_plugin.h linux-2.6.32.49/kernel/rcutree_plugin.h
71057 --- linux-2.6.32.49/kernel/rcutree_plugin.h 2011-11-08 19:02:43.000000000 -0500
71058 +++ linux-2.6.32.49/kernel/rcutree_plugin.h 2011-11-15 19:59:43.000000000 -0500
71059 @@ -145,7 +145,7 @@ static void rcu_preempt_note_context_swi
71060 */
71061 void __rcu_read_lock(void)
71062 {
71063 - ACCESS_ONCE(current->rcu_read_lock_nesting)++;
71064 + ACCESS_ONCE_RW(current->rcu_read_lock_nesting)++;
71065 barrier(); /* needed if we ever invoke rcu_read_lock in rcutree.c */
71066 }
71067 EXPORT_SYMBOL_GPL(__rcu_read_lock);
71068 @@ -251,7 +251,7 @@ void __rcu_read_unlock(void)
71069 struct task_struct *t = current;
71070
71071 barrier(); /* needed if we ever invoke rcu_read_unlock in rcutree.c */
71072 - if (--ACCESS_ONCE(t->rcu_read_lock_nesting) == 0 &&
71073 + if (--ACCESS_ONCE_RW(t->rcu_read_lock_nesting) == 0 &&
71074 unlikely(ACCESS_ONCE(t->rcu_read_unlock_special)))
71075 rcu_read_unlock_special(t);
71076 }
71077 diff -urNp linux-2.6.32.49/kernel/relay.c linux-2.6.32.49/kernel/relay.c
71078 --- linux-2.6.32.49/kernel/relay.c 2011-11-08 19:02:43.000000000 -0500
71079 +++ linux-2.6.32.49/kernel/relay.c 2011-11-15 19:59:43.000000000 -0500
71080 @@ -1222,7 +1222,7 @@ static int subbuf_splice_actor(struct fi
71081 unsigned int flags,
71082 int *nonpad_ret)
71083 {
71084 - unsigned int pidx, poff, total_len, subbuf_pages, nr_pages, ret;
71085 + unsigned int pidx, poff, total_len, subbuf_pages, nr_pages;
71086 struct rchan_buf *rbuf = in->private_data;
71087 unsigned int subbuf_size = rbuf->chan->subbuf_size;
71088 uint64_t pos = (uint64_t) *ppos;
71089 @@ -1241,6 +1241,9 @@ static int subbuf_splice_actor(struct fi
71090 .ops = &relay_pipe_buf_ops,
71091 .spd_release = relay_page_release,
71092 };
71093 + ssize_t ret;
71094 +
71095 + pax_track_stack();
71096
71097 if (rbuf->subbufs_produced == rbuf->subbufs_consumed)
71098 return 0;
71099 diff -urNp linux-2.6.32.49/kernel/resource.c linux-2.6.32.49/kernel/resource.c
71100 --- linux-2.6.32.49/kernel/resource.c 2011-11-08 19:02:43.000000000 -0500
71101 +++ linux-2.6.32.49/kernel/resource.c 2011-11-15 19:59:43.000000000 -0500
71102 @@ -132,8 +132,18 @@ static const struct file_operations proc
71103
71104 static int __init ioresources_init(void)
71105 {
71106 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
71107 +#ifdef CONFIG_GRKERNSEC_PROC_USER
71108 + proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
71109 + proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
71110 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
71111 + proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
71112 + proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
71113 +#endif
71114 +#else
71115 proc_create("ioports", 0, NULL, &proc_ioports_operations);
71116 proc_create("iomem", 0, NULL, &proc_iomem_operations);
71117 +#endif
71118 return 0;
71119 }
71120 __initcall(ioresources_init);
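Review bot: In ioresources_init(), when CONFIG_GRKERNSEC_PROC_ADD is set but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP is, the inner `#ifdef`/`#elif` has no fallback and neither `ioports` nor `iomem` is created. Kconfig may already rule that combination out, but nothing in this hunk shows it. An explicit `#else` followed by `#error "GRKERNSEC_PROC_ADD requires PROC_USER or PROC_USERGROUP"` before the inner `#endif` would make the dependency visible and fail the build instead of silently dropping the files.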
71121 diff -urNp linux-2.6.32.49/kernel/rtmutex.c linux-2.6.32.49/kernel/rtmutex.c
71122 --- linux-2.6.32.49/kernel/rtmutex.c 2011-11-08 19:02:43.000000000 -0500
71123 +++ linux-2.6.32.49/kernel/rtmutex.c 2011-11-15 19:59:43.000000000 -0500
71124 @@ -511,7 +511,7 @@ static void wakeup_next_waiter(struct rt
71125 */
71126 spin_lock_irqsave(&pendowner->pi_lock, flags);
71127
71128 - WARN_ON(!pendowner->pi_blocked_on);
71129 + BUG_ON(!pendowner->pi_blocked_on);
71130 WARN_ON(pendowner->pi_blocked_on != waiter);
71131 WARN_ON(pendowner->pi_blocked_on->lock != lock);
71132
71133 diff -urNp linux-2.6.32.49/kernel/rtmutex-tester.c linux-2.6.32.49/kernel/rtmutex-tester.c
71134 --- linux-2.6.32.49/kernel/rtmutex-tester.c 2011-11-08 19:02:43.000000000 -0500
71135 +++ linux-2.6.32.49/kernel/rtmutex-tester.c 2011-11-15 19:59:43.000000000 -0500
71136 @@ -21,7 +21,7 @@
71137 #define MAX_RT_TEST_MUTEXES 8
71138
71139 static spinlock_t rttest_lock;
71140 -static atomic_t rttest_event;
71141 +static atomic_unchecked_t rttest_event;
71142
71143 struct test_thread_data {
71144 int opcode;
71145 @@ -64,7 +64,7 @@ static int handle_op(struct test_thread_
71146
71147 case RTTEST_LOCKCONT:
71148 td->mutexes[td->opdata] = 1;
71149 - td->event = atomic_add_return(1, &rttest_event);
71150 + td->event = atomic_add_return_unchecked(1, &rttest_event);
71151 return 0;
71152
71153 case RTTEST_RESET:
71154 @@ -82,7 +82,7 @@ static int handle_op(struct test_thread_
71155 return 0;
71156
71157 case RTTEST_RESETEVENT:
71158 - atomic_set(&rttest_event, 0);
71159 + atomic_set_unchecked(&rttest_event, 0);
71160 return 0;
71161
71162 default:
71163 @@ -99,9 +99,9 @@ static int handle_op(struct test_thread_
71164 return ret;
71165
71166 td->mutexes[id] = 1;
71167 - td->event = atomic_add_return(1, &rttest_event);
71168 + td->event = atomic_add_return_unchecked(1, &rttest_event);
71169 rt_mutex_lock(&mutexes[id]);
71170 - td->event = atomic_add_return(1, &rttest_event);
71171 + td->event = atomic_add_return_unchecked(1, &rttest_event);
71172 td->mutexes[id] = 4;
71173 return 0;
71174
71175 @@ -112,9 +112,9 @@ static int handle_op(struct test_thread_
71176 return ret;
71177
71178 td->mutexes[id] = 1;
71179 - td->event = atomic_add_return(1, &rttest_event);
71180 + td->event = atomic_add_return_unchecked(1, &rttest_event);
71181 ret = rt_mutex_lock_interruptible(&mutexes[id], 0);
71182 - td->event = atomic_add_return(1, &rttest_event);
71183 + td->event = atomic_add_return_unchecked(1, &rttest_event);
71184 td->mutexes[id] = ret ? 0 : 4;
71185 return ret ? -EINTR : 0;
71186
71187 @@ -123,9 +123,9 @@ static int handle_op(struct test_thread_
71188 if (id < 0 || id >= MAX_RT_TEST_MUTEXES || td->mutexes[id] != 4)
71189 return ret;
71190
71191 - td->event = atomic_add_return(1, &rttest_event);
71192 + td->event = atomic_add_return_unchecked(1, &rttest_event);
71193 rt_mutex_unlock(&mutexes[id]);
71194 - td->event = atomic_add_return(1, &rttest_event);
71195 + td->event = atomic_add_return_unchecked(1, &rttest_event);
71196 td->mutexes[id] = 0;
71197 return 0;
71198
71199 @@ -187,7 +187,7 @@ void schedule_rt_mutex_test(struct rt_mu
71200 break;
71201
71202 td->mutexes[dat] = 2;
71203 - td->event = atomic_add_return(1, &rttest_event);
71204 + td->event = atomic_add_return_unchecked(1, &rttest_event);
71205 break;
71206
71207 case RTTEST_LOCKBKL:
71208 @@ -208,7 +208,7 @@ void schedule_rt_mutex_test(struct rt_mu
71209 return;
71210
71211 td->mutexes[dat] = 3;
71212 - td->event = atomic_add_return(1, &rttest_event);
71213 + td->event = atomic_add_return_unchecked(1, &rttest_event);
71214 break;
71215
71216 case RTTEST_LOCKNOWAIT:
71217 @@ -220,7 +220,7 @@ void schedule_rt_mutex_test(struct rt_mu
71218 return;
71219
71220 td->mutexes[dat] = 1;
71221 - td->event = atomic_add_return(1, &rttest_event);
71222 + td->event = atomic_add_return_unchecked(1, &rttest_event);
71223 return;
71224
71225 case RTTEST_LOCKBKL:
71226 diff -urNp linux-2.6.32.49/kernel/sched.c linux-2.6.32.49/kernel/sched.c
71227 --- linux-2.6.32.49/kernel/sched.c 2011-11-08 19:02:43.000000000 -0500
71228 +++ linux-2.6.32.49/kernel/sched.c 2011-11-15 19:59:43.000000000 -0500
71229 @@ -2764,9 +2764,10 @@ void wake_up_new_task(struct task_struct
71230 {
71231 unsigned long flags;
71232 struct rq *rq;
71233 - int cpu = get_cpu();
71234
71235 #ifdef CONFIG_SMP
71236 + int cpu = get_cpu();
71237 +
71238 rq = task_rq_lock(p, &flags);
71239 p->state = TASK_WAKING;
71240
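Review bot: Moving `int cpu = get_cpu();` under `#ifdef CONFIG_SMP` means a uniprocessor build no longer calls get_cpu() in wake_up_new_task(). If the function still ends with an unconditional `put_cpu()` (the tail is outside this hunk, so this needs checking), a UP kernel with preemption enabled would release a preempt count it never took. If the aim is only to silence an unused-variable warning, keeping the call unconditional avoids the question: `int cpu __maybe_unused = get_cpu();`.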
71241 @@ -5043,7 +5044,7 @@ out:
71242 * In CONFIG_NO_HZ case, the idle load balance owner will do the
71243 * rebalancing for all the cpus for whom scheduler ticks are stopped.
71244 */
71245 -static void run_rebalance_domains(struct softirq_action *h)
71246 +static void run_rebalance_domains(void)
71247 {
71248 int this_cpu = smp_processor_id();
71249 struct rq *this_rq = cpu_rq(this_cpu);
71250 @@ -5700,6 +5701,8 @@ asmlinkage void __sched schedule(void)
71251 struct rq *rq;
71252 int cpu;
71253
71254 + pax_track_stack();
71255 +
71256 need_resched:
71257 preempt_disable();
71258 cpu = smp_processor_id();
71259 @@ -5770,7 +5773,7 @@ EXPORT_SYMBOL(schedule);
71260 * Look out! "owner" is an entirely speculative pointer
71261 * access and not reliable.
71262 */
71263 -int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner)
71264 +int mutex_spin_on_owner(struct mutex *lock, struct task_struct *owner)
71265 {
71266 unsigned int cpu;
71267 struct rq *rq;
71268 @@ -5784,10 +5787,10 @@ int mutex_spin_on_owner(struct mutex *lo
71269 * DEBUG_PAGEALLOC could have unmapped it if
71270 * the mutex owner just released it and exited.
71271 */
71272 - if (probe_kernel_address(&owner->cpu, cpu))
71273 + if (probe_kernel_address(&task_thread_info(owner)->cpu, cpu))
71274 return 0;
71275 #else
71276 - cpu = owner->cpu;
71277 + cpu = task_thread_info(owner)->cpu;
71278 #endif
71279
71280 /*
71281 @@ -5816,7 +5819,7 @@ int mutex_spin_on_owner(struct mutex *lo
71282 /*
71283 * Is that owner really running on that cpu?
71284 */
71285 - if (task_thread_info(rq->curr) != owner || need_resched())
71286 + if (rq->curr != owner || need_resched())
71287 return 0;
71288
71289 cpu_relax();
71290 @@ -6359,6 +6362,8 @@ int can_nice(const struct task_struct *p
71291 /* convert nice value [19,-20] to rlimit style value [1,40] */
71292 int nice_rlim = 20 - nice;
71293
71294 + gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
71295 +
71296 return (nice_rlim <= p->signal->rlim[RLIMIT_NICE].rlim_cur ||
71297 capable(CAP_SYS_NICE));
71298 }
71299 @@ -6392,7 +6397,8 @@ SYSCALL_DEFINE1(nice, int, increment)
71300 if (nice > 19)
71301 nice = 19;
71302
71303 - if (increment < 0 && !can_nice(current, nice))
71304 + if (increment < 0 && (!can_nice(current, nice) ||
71305 + gr_handle_chroot_nice()))
71306 return -EPERM;
71307
71308 retval = security_task_setnice(current, nice);
71309 @@ -8774,7 +8780,7 @@ static void init_sched_groups_power(int
71310 long power;
71311 int weight;
71312
71313 - WARN_ON(!sd || !sd->groups);
71314 + BUG_ON(!sd || !sd->groups);
71315
71316 if (cpu != group_first_cpu(sd->groups))
71317 return;
71318 diff -urNp linux-2.6.32.49/kernel/signal.c linux-2.6.32.49/kernel/signal.c
71319 --- linux-2.6.32.49/kernel/signal.c 2011-11-08 19:02:43.000000000 -0500
71320 +++ linux-2.6.32.49/kernel/signal.c 2011-11-15 19:59:43.000000000 -0500
71321 @@ -41,12 +41,12 @@
71322
71323 static struct kmem_cache *sigqueue_cachep;
71324
71325 -static void __user *sig_handler(struct task_struct *t, int sig)
71326 +static __sighandler_t sig_handler(struct task_struct *t, int sig)
71327 {
71328 return t->sighand->action[sig - 1].sa.sa_handler;
71329 }
71330
71331 -static int sig_handler_ignored(void __user *handler, int sig)
71332 +static int sig_handler_ignored(__sighandler_t handler, int sig)
71333 {
71334 /* Is it explicitly or implicitly ignored? */
71335 return handler == SIG_IGN ||
71336 @@ -56,7 +56,7 @@ static int sig_handler_ignored(void __us
71337 static int sig_task_ignored(struct task_struct *t, int sig,
71338 int from_ancestor_ns)
71339 {
71340 - void __user *handler;
71341 + __sighandler_t handler;
71342
71343 handler = sig_handler(t, sig);
71344
71345 @@ -207,6 +207,9 @@ static struct sigqueue *__sigqueue_alloc
71346 */
71347 user = get_uid(__task_cred(t)->user);
71348 atomic_inc(&user->sigpending);
71349 +
71350 + if (!override_rlimit)
71351 + gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
71352 if (override_rlimit ||
71353 atomic_read(&user->sigpending) <=
71354 t->signal->rlim[RLIMIT_SIGPENDING].rlim_cur)
71355 @@ -327,7 +330,7 @@ flush_signal_handlers(struct task_struct
71356
71357 int unhandled_signal(struct task_struct *tsk, int sig)
71358 {
71359 - void __user *handler = tsk->sighand->action[sig-1].sa.sa_handler;
71360 + __sighandler_t handler = tsk->sighand->action[sig-1].sa.sa_handler;
71361 if (is_global_init(tsk))
71362 return 1;
71363 if (handler != SIG_IGN && handler != SIG_DFL)
71364 @@ -627,6 +630,13 @@ static int check_kill_permission(int sig
71365 }
71366 }
71367
71368 + /* allow glibc communication via tgkill to other threads in our
71369 + thread group */
71370 + if ((info == SEND_SIG_NOINFO || info->si_code != SI_TKILL ||
71371 + sig != (SIGRTMIN+1) || task_tgid_vnr(t) != info->si_pid)
71372 + && gr_handle_signal(t, sig))
71373 + return -EPERM;
71374 +
71375 return security_task_kill(t, info, sig, 0);
71376 }
71377
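Review bot: The exemption added to check_kill_permission() waives gr_handle_signal() whenever `info->si_code == SI_TKILL`, `sig == (SIGRTMIN+1)` and `info->si_pid` matches the target's tgid, so it is only as trustworthy as those siginfo fields. Whether every path reaching this point carries a kernel-filled siginfo is not visible in the hunk; if any caller passes a structure copied from user space, the fields need validating before they are used to skip the policy check. The same test is repeated in the do_send_specific() hunk further down, and the negated four-way condition here is hard to read. A new shared helper, for example `static inline int gr_is_thread_group_tgkill(int sig, const struct siginfo *info, pid_t tgid)`, with a comment naming `SIGRTMIN+1` as the signal glibc uses for set*id synchronisation, would keep the two copies from drifting. Both functions start and end outside their hunks.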
71378 @@ -968,7 +978,7 @@ __group_send_sig_info(int sig, struct si
71379 return send_signal(sig, info, p, 1);
71380 }
71381
71382 -static int
71383 +int
71384 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
71385 {
71386 return send_signal(sig, info, t, 0);
71387 @@ -1005,6 +1015,7 @@ force_sig_info(int sig, struct siginfo *
71388 unsigned long int flags;
71389 int ret, blocked, ignored;
71390 struct k_sigaction *action;
71391 + int is_unhandled = 0;
71392
71393 spin_lock_irqsave(&t->sighand->siglock, flags);
71394 action = &t->sighand->action[sig-1];
71395 @@ -1019,9 +1030,18 @@ force_sig_info(int sig, struct siginfo *
71396 }
71397 if (action->sa.sa_handler == SIG_DFL)
71398 t->signal->flags &= ~SIGNAL_UNKILLABLE;
71399 + if (action->sa.sa_handler == SIG_IGN || action->sa.sa_handler == SIG_DFL)
71400 + is_unhandled = 1;
71401 ret = specific_send_sig_info(sig, info, t);
71402 spin_unlock_irqrestore(&t->sighand->siglock, flags);
71403
71404 + /* only deal with unhandled signals, java etc trigger SIGSEGV during
71405 + normal operation */
71406 + if (is_unhandled) {
71407 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
71408 + gr_handle_crash(t, sig);
71409 + }
71410 +
71411 return ret;
71412 }
71413
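Review bot: `info->si_addr` is handed to gr_log_signal() for every non-special siginfo, but si_addr is one member of the siginfo union and is meaningful only for fault signals. For other signals the same bytes hold different fields, so unless gr_log_signal() (defined outside this hunk) filters on `sig`, the logged address can be unrelated data; the group_send_sig_info() hunk below passes the same expression for ordinary sent signals. I would document the contract at the call, e.g. `/* si_addr is valid only for fault signals; gr_log_signal() must ignore it otherwise */`, or pass NULL unless `sig` is a fault signal. The two gr_ calls also run after `spin_unlock_irqrestore()`, using `t` without siglock held, which deserves a short comment saying that is intended.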
71414 @@ -1081,8 +1101,11 @@ int group_send_sig_info(int sig, struct
71415 {
71416 int ret = check_kill_permission(sig, info, p);
71417
71418 - if (!ret && sig)
71419 + if (!ret && sig) {
71420 ret = do_send_sig_info(sig, info, p, true);
71421 + if (!ret)
71422 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
71423 + }
71424
71425 return ret;
71426 }
71427 @@ -1644,6 +1667,8 @@ void ptrace_notify(int exit_code)
71428 {
71429 siginfo_t info;
71430
71431 + pax_track_stack();
71432 +
71433 BUG_ON((exit_code & (0x7f | ~0xffff)) != SIGTRAP);
71434
71435 memset(&info, 0, sizeof info);
71436 @@ -2275,7 +2300,15 @@ do_send_specific(pid_t tgid, pid_t pid,
71437 int error = -ESRCH;
71438
71439 rcu_read_lock();
71440 - p = find_task_by_vpid(pid);
71441 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
71442 + /* allow glibc communication via tgkill to other threads in our
71443 + thread group */
71444 + if (grsec_enable_chroot_findtask && info->si_code == SI_TKILL &&
71445 + sig == (SIGRTMIN+1) && tgid == info->si_pid)
71446 + p = find_task_by_vpid_unrestricted(pid);
71447 + else
71448 +#endif
71449 + p = find_task_by_vpid(pid);
71450 if (p && (tgid <= 0 || task_tgid_vnr(p) == tgid)) {
71451 error = check_kill_permission(sig, info, p);
71452 /*
71453 diff -urNp linux-2.6.32.49/kernel/smp.c linux-2.6.32.49/kernel/smp.c
71454 --- linux-2.6.32.49/kernel/smp.c 2011-11-08 19:02:43.000000000 -0500
71455 +++ linux-2.6.32.49/kernel/smp.c 2011-11-15 19:59:43.000000000 -0500
71456 @@ -522,22 +522,22 @@ int smp_call_function(void (*func)(void
71457 }
71458 EXPORT_SYMBOL(smp_call_function);
71459
71460 -void ipi_call_lock(void)
71461 +void ipi_call_lock(void) __acquires(call_function.lock)
71462 {
71463 spin_lock(&call_function.lock);
71464 }
71465
71466 -void ipi_call_unlock(void)
71467 +void ipi_call_unlock(void) __releases(call_function.lock)
71468 {
71469 spin_unlock(&call_function.lock);
71470 }
71471
71472 -void ipi_call_lock_irq(void)
71473 +void ipi_call_lock_irq(void) __acquires(call_function.lock)
71474 {
71475 spin_lock_irq(&call_function.lock);
71476 }
71477
71478 -void ipi_call_unlock_irq(void)
71479 +void ipi_call_unlock_irq(void) __releases(call_function.lock)
71480 {
71481 spin_unlock_irq(&call_function.lock);
71482 }
71483 diff -urNp linux-2.6.32.49/kernel/softirq.c linux-2.6.32.49/kernel/softirq.c
71484 --- linux-2.6.32.49/kernel/softirq.c 2011-11-08 19:02:43.000000000 -0500
71485 +++ linux-2.6.32.49/kernel/softirq.c 2011-11-15 19:59:43.000000000 -0500
71486 @@ -56,7 +56,7 @@ static struct softirq_action softirq_vec
71487
71488 static DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
71489
71490 -char *softirq_to_name[NR_SOFTIRQS] = {
71491 +const char * const softirq_to_name[NR_SOFTIRQS] = {
71492 "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
71493 "TASKLET", "SCHED", "HRTIMER", "RCU"
71494 };
71495 @@ -206,7 +206,7 @@ EXPORT_SYMBOL(local_bh_enable_ip);
71496
71497 asmlinkage void __do_softirq(void)
71498 {
71499 - struct softirq_action *h;
71500 + const struct softirq_action *h;
71501 __u32 pending;
71502 int max_restart = MAX_SOFTIRQ_RESTART;
71503 int cpu;
71504 @@ -233,7 +233,7 @@ restart:
71505 kstat_incr_softirqs_this_cpu(h - softirq_vec);
71506
71507 trace_softirq_entry(h, softirq_vec);
71508 - h->action(h);
71509 + h->action();
71510 trace_softirq_exit(h, softirq_vec);
71511 if (unlikely(prev_count != preempt_count())) {
71512 printk(KERN_ERR "huh, entered softirq %td %s %p"
71513 @@ -363,9 +363,11 @@ void raise_softirq(unsigned int nr)
71514 local_irq_restore(flags);
71515 }
71516
71517 -void open_softirq(int nr, void (*action)(struct softirq_action *))
71518 +void open_softirq(int nr, void (*action)(void))
71519 {
71520 - softirq_vec[nr].action = action;
71521 + pax_open_kernel();
71522 + *(void **)&softirq_vec[nr].action = action;
71523 + pax_close_kernel();
71524 }
71525
71526 /*
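Review bot: open_softirq() now stores to `softirq_vec[nr].action` between pax_open_kernel() and pax_close_kernel() with `nr` still unchecked, so an out-of-range index would be written while kernel write protection is lifted. Callers presumably pass compile-time constants, but a guard before the window, `BUG_ON(nr < 0 || nr >= NR_SOFTIRQS);`, would keep the store inside the array (assuming softirq_vec is sized by NR_SOFTIRQS like softirq_to_name above; its declaration is truncated in the hunk header). The `*(void **)&` cast stores a function pointer through an object-pointer lvalue, presumably to get past a const qualifier added elsewhere in the patch. A one-line comment saying so, `/* action is const outside this window; the cast is deliberate */`, would stop the cast being "cleaned up" later.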
71527 @@ -419,7 +421,7 @@ void __tasklet_hi_schedule_first(struct
71528
71529 EXPORT_SYMBOL(__tasklet_hi_schedule_first);
71530
71531 -static void tasklet_action(struct softirq_action *a)
71532 +static void tasklet_action(void)
71533 {
71534 struct tasklet_struct *list;
71535
71536 @@ -454,7 +456,7 @@ static void tasklet_action(struct softir
71537 }
71538 }
71539
71540 -static void tasklet_hi_action(struct softirq_action *a)
71541 +static void tasklet_hi_action(void)
71542 {
71543 struct tasklet_struct *list;
71544
71545 diff -urNp linux-2.6.32.49/kernel/sys.c linux-2.6.32.49/kernel/sys.c
71546 --- linux-2.6.32.49/kernel/sys.c 2011-11-08 19:02:43.000000000 -0500
71547 +++ linux-2.6.32.49/kernel/sys.c 2011-11-15 19:59:43.000000000 -0500
71548 @@ -133,6 +133,12 @@ static int set_one_prio(struct task_stru
71549 error = -EACCES;
71550 goto out;
71551 }
71552 +
71553 + if (gr_handle_chroot_setpriority(p, niceval)) {
71554 + error = -EACCES;
71555 + goto out;
71556 + }
71557 +
71558 no_nice = security_task_setnice(p, niceval);
71559 if (no_nice) {
71560 error = no_nice;
71561 @@ -190,10 +196,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
71562 !(user = find_user(who)))
71563 goto out_unlock; /* No processes for this user */
71564
71565 - do_each_thread(g, p)
71566 + do_each_thread(g, p) {
71567 if (__task_cred(p)->uid == who)
71568 error = set_one_prio(p, niceval, error);
71569 - while_each_thread(g, p);
71570 + } while_each_thread(g, p);
71571 if (who != cred->uid)
71572 free_uid(user); /* For find_user() */
71573 break;
71574 @@ -253,13 +259,13 @@ SYSCALL_DEFINE2(getpriority, int, which,
71575 !(user = find_user(who)))
71576 goto out_unlock; /* No processes for this user */
71577
71578 - do_each_thread(g, p)
71579 + do_each_thread(g, p) {
71580 if (__task_cred(p)->uid == who) {
71581 niceval = 20 - task_nice(p);
71582 if (niceval > retval)
71583 retval = niceval;
71584 }
71585 - while_each_thread(g, p);
71586 + } while_each_thread(g, p);
71587 if (who != cred->uid)
71588 free_uid(user); /* for find_user() */
71589 break;
71590 @@ -509,6 +515,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, g
71591 goto error;
71592 }
71593
71594 + if (gr_check_group_change(new->gid, new->egid, -1))
71595 + goto error;
71596 +
71597 if (rgid != (gid_t) -1 ||
71598 (egid != (gid_t) -1 && egid != old->gid))
71599 new->sgid = new->egid;
71600 @@ -542,6 +551,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
71601 goto error;
71602
71603 retval = -EPERM;
71604 +
71605 + if (gr_check_group_change(gid, gid, gid))
71606 + goto error;
71607 +
71608 if (capable(CAP_SETGID))
71609 new->gid = new->egid = new->sgid = new->fsgid = gid;
71610 else if (gid == old->gid || gid == old->sgid)
71611 @@ -567,12 +580,19 @@ static int set_user(struct cred *new)
71612 if (!new_user)
71613 return -EAGAIN;
71614
71615 + /*
71616 + * We don't fail in case of NPROC limit excess here because too many
71617 + * poorly written programs don't check set*uid() return code, assuming
71618 + * it never fails if called by root. We may still enforce NPROC limit
71619 + * for programs doing set*uid()+execve() by harmlessly deferring the
71620 + * failure to the execve() stage.
71621 + */
71622 if (atomic_read(&new_user->processes) >=
71623 current->signal->rlim[RLIMIT_NPROC].rlim_cur &&
71624 - new_user != INIT_USER) {
71625 - free_uid(new_user);
71626 - return -EAGAIN;
71627 - }
71628 + new_user != INIT_USER)
71629 + current->flags |= PF_NPROC_EXCEEDED;
71630 + else
71631 + current->flags &= ~PF_NPROC_EXCEEDED;
71632
71633 free_uid(new->user);
71634 new->user = new_user;
71635 @@ -627,6 +647,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
71636 goto error;
71637 }
71638
71639 + if (gr_check_user_change(new->uid, new->euid, -1))
71640 + goto error;
71641 +
71642 if (new->uid != old->uid) {
71643 retval = set_user(new);
71644 if (retval < 0)
71645 @@ -675,6 +698,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
71646 goto error;
71647
71648 retval = -EPERM;
71649 +
71650 + if (gr_check_crash_uid(uid))
71651 + goto error;
71652 + if (gr_check_user_change(uid, uid, uid))
71653 + goto error;
71654 +
71655 if (capable(CAP_SETUID)) {
71656 new->suid = new->uid = uid;
71657 if (uid != old->uid) {
71658 @@ -732,6 +761,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid,
71659 goto error;
71660 }
71661
71662 + if (gr_check_user_change(ruid, euid, -1))
71663 + goto error;
71664 +
71665 if (ruid != (uid_t) -1) {
71666 new->uid = ruid;
71667 if (ruid != old->uid) {
71668 @@ -800,6 +832,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid,
71669 goto error;
71670 }
71671
71672 + if (gr_check_group_change(rgid, egid, -1))
71673 + goto error;
71674 +
71675 if (rgid != (gid_t) -1)
71676 new->gid = rgid;
71677 if (egid != (gid_t) -1)
71678 @@ -849,6 +884,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
71679 if (security_task_setuid(uid, (uid_t)-1, (uid_t)-1, LSM_SETID_FS) < 0)
71680 goto error;
71681
71682 + if (gr_check_user_change(-1, -1, uid))
71683 + goto error;
71684 +
71685 if (uid == old->uid || uid == old->euid ||
71686 uid == old->suid || uid == old->fsuid ||
71687 capable(CAP_SETUID)) {
71688 @@ -889,6 +927,9 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
71689 if (gid == old->gid || gid == old->egid ||
71690 gid == old->sgid || gid == old->fsgid ||
71691 capable(CAP_SETGID)) {
71692 + if (gr_check_group_change(-1, -1, gid))
71693 + goto error;
71694 +
71695 if (gid != old_fsgid) {
71696 new->fsgid = gid;
71697 goto change_okay;
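Review bot: The `gr_check_group_change(-1, -1, gid)` call sits inside the `if (gid == old->gid || ... capable(CAP_SETGID))` branch, whereas the matching setfsuid hunk calls `gr_check_user_change(-1, -1, uid)` before that permission test. The placement decides whether a request the kernel would refuse anyway still reaches the grsecurity hook, and any logging it may do, which is not visible here. The two syscalls should use the same order, or a short comment should say why they differ. The function body continues outside the hunk.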
71698 @@ -1454,7 +1495,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
71699 error = get_dumpable(me->mm);
71700 break;
71701 case PR_SET_DUMPABLE:
71702 - if (arg2 < 0 || arg2 > 1) {
71703 + if (arg2 > 1) {
71704 error = -EINVAL;
71705 break;
71706 }
71707 diff -urNp linux-2.6.32.49/kernel/sysctl.c linux-2.6.32.49/kernel/sysctl.c
71708 --- linux-2.6.32.49/kernel/sysctl.c 2011-11-08 19:02:43.000000000 -0500
71709 +++ linux-2.6.32.49/kernel/sysctl.c 2011-11-15 19:59:43.000000000 -0500
71710 @@ -63,6 +63,13 @@
71711 static int deprecated_sysctl_warning(struct __sysctl_args *args);
71712
71713 #if defined(CONFIG_SYSCTL)
71714 +#include <linux/grsecurity.h>
71715 +#include <linux/grinternal.h>
71716 +
71717 +extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
71718 +extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
71719 + const int op);
71720 +extern int gr_handle_chroot_sysctl(const int op);
71721
71722 /* External variables not in a header file. */
71723 extern int C_A_D;
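Review bot: The three `extern` prototypes for `gr_handle_sysctl`, `gr_handle_sysctl_mod` and `gr_handle_chroot_sysctl` are written into the .c file directly after including `<linux/grsecurity.h>` and `<linux/grinternal.h>`, so nothing checks them against the definitions. Moving them into one of those headers would let the compiler catch a signature drift. The same pattern recurs in the next hunk (`extern ctl_table grsecurity_table[];`) and in the kernel/taskstats.c hunk (`extern int gr_is_taskstats_denied(int pid);`). The includes are also placed inside `#if defined(CONFIG_SYSCTL)`, so any other use of these headers in the file would depend on that option; a comment noting this is intended would help.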
71724 @@ -168,6 +175,7 @@ static int proc_do_cad_pid(struct ctl_ta
71725 static int proc_taint(struct ctl_table *table, int write,
71726 void __user *buffer, size_t *lenp, loff_t *ppos);
71727 #endif
71728 +extern ctl_table grsecurity_table[];
71729
71730 static struct ctl_table root_table[];
71731 static struct ctl_table_root sysctl_table_root;
71732 @@ -200,6 +208,21 @@ extern struct ctl_table epoll_table[];
71733 int sysctl_legacy_va_layout;
71734 #endif
71735
71736 +#ifdef CONFIG_PAX_SOFTMODE
71737 +static ctl_table pax_table[] = {
71738 + {
71739 + .ctl_name = CTL_UNNUMBERED,
71740 + .procname = "softmode",
71741 + .data = &pax_softmode,
71742 + .maxlen = sizeof(unsigned int),
71743 + .mode = 0600,
71744 + .proc_handler = &proc_dointvec,
71745 + },
71746 +
71747 + { .ctl_name = 0 }
71748 +};
71749 +#endif
71750 +
71751 extern int prove_locking;
71752 extern int lock_stat;
71753
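Review bot: The `softmode` entry uses `proc_dointvec` with no bounds, so a write accepts any int, including negative values, into storage described as `sizeof(unsigned int)`. If `pax_softmode` is meant as an on/off switch (its users are not in this file), `proc_dointvec_minmax` with `.extra1`/`.extra2` pointing at 0 and 1 would reject everything else. Writing `.maxlen = sizeof(pax_softmode)`, as the `heap_stack_gap` entry later in this patch does for its variable, would also keep the length tied to the object rather than to a type name.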
71754 @@ -251,6 +274,24 @@ static int max_wakeup_granularity_ns = N
71755 #endif
71756
71757 static struct ctl_table kern_table[] = {
71758 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
71759 + {
71760 + .ctl_name = CTL_UNNUMBERED,
71761 + .procname = "grsecurity",
71762 + .mode = 0500,
71763 + .child = grsecurity_table,
71764 + },
71765 +#endif
71766 +
71767 +#ifdef CONFIG_PAX_SOFTMODE
71768 + {
71769 + .ctl_name = CTL_UNNUMBERED,
71770 + .procname = "pax",
71771 + .mode = 0500,
71772 + .child = pax_table,
71773 + },
71774 +#endif
71775 +
71776 {
71777 .ctl_name = CTL_UNNUMBERED,
71778 .procname = "sched_child_runs_first",
71779 @@ -567,8 +608,8 @@ static struct ctl_table kern_table[] = {
71780 .data = &modprobe_path,
71781 .maxlen = KMOD_PATH_LEN,
71782 .mode = 0644,
71783 - .proc_handler = &proc_dostring,
71784 - .strategy = &sysctl_string,
71785 + .proc_handler = &proc_dostring_modpriv,
71786 + .strategy = &sysctl_string_modpriv,
71787 },
71788 {
71789 .ctl_name = CTL_UNNUMBERED,
71790 @@ -1247,6 +1288,13 @@ static struct ctl_table vm_table[] = {
71791 .mode = 0644,
71792 .proc_handler = &proc_dointvec
71793 },
71794 + {
71795 + .procname = "heap_stack_gap",
71796 + .data = &sysctl_heap_stack_gap,
71797 + .maxlen = sizeof(sysctl_heap_stack_gap),
71798 + .mode = 0644,
71799 + .proc_handler = proc_doulongvec_minmax,
71800 + },
71801 #else
71802 {
71803 .ctl_name = CTL_UNNUMBERED,
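Review bot: The new `heap_stack_gap` entry routes writes through `proc_doulongvec_minmax` but sets neither `.extra1` nor `.extra2`, so any unsigned long is accepted, presumably including 0, which would remove the gap altogether. If there is a smallest or largest value that makes sense for `sysctl_heap_stack_gap`, supply the bounds here; if any value is acceptable, a comment saying so would stop the next reader from wondering. The entry also omits `.ctl_name = CTL_UNNUMBERED`, which the neighbouring entries in this table spell out.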
71804 @@ -1803,6 +1851,8 @@ static int do_sysctl_strategy(struct ctl
71805 return 0;
71806 }
71807
71808 +static int sysctl_perm_nochk(struct ctl_table_root *root, struct ctl_table *table, int op);
71809 +
71810 static int parse_table(int __user *name, int nlen,
71811 void __user *oldval, size_t __user *oldlenp,
71812 void __user *newval, size_t newlen,
71813 @@ -1821,7 +1871,7 @@ repeat:
71814 if (n == table->ctl_name) {
71815 int error;
71816 if (table->child) {
71817 - if (sysctl_perm(root, table, MAY_EXEC))
71818 + if (sysctl_perm_nochk(root, table, MAY_EXEC))
71819 return -EPERM;
71820 name++;
71821 nlen--;
71822 @@ -1906,6 +1956,33 @@ int sysctl_perm(struct ctl_table_root *r
71823 int error;
71824 int mode;
71825
71826 + if (table->parent != NULL && table->parent->procname != NULL &&
71827 + table->procname != NULL &&
71828 + gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
71829 + return -EACCES;
71830 + if (gr_handle_chroot_sysctl(op))
71831 + return -EACCES;
71832 + error = gr_handle_sysctl(table, op);
71833 + if (error)
71834 + return error;
71835 +
71836 + error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
71837 + if (error)
71838 + return error;
71839 +
71840 + if (root->permissions)
71841 + mode = root->permissions(root, current->nsproxy, table);
71842 + else
71843 + mode = table->mode;
71844 +
71845 + return test_perm(mode, op);
71846 +}
71847 +
71848 +int sysctl_perm_nochk(struct ctl_table_root *root, struct ctl_table *table, int op)
71849 +{
71850 + int error;
71851 + int mode;
71852 +
71853 error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
71854 if (error)
71855 return error;
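Review bot: `sysctl_perm()` now carries its own copy of the `security_sysctl()` / `root->permissions` / `test_perm()` sequence that `sysctl_perm_nochk()` repeats immediately below, so the two can drift apart. After the grsecurity checks, `sysctl_perm()` could end with `return sysctl_perm_nochk(root, table, op);`. The forward declaration added earlier in this file is `static int sysctl_perm_nochk(...)`, but the definition here omits `static`; it still has internal linkage, yet the definition should read `static int sysctl_perm_nochk(...)` to match. The parse_table hunk switches directory traversal to the `_nochk` variant, which skips `gr_handle_sysctl_mod`, `gr_handle_chroot_sysctl` and `gr_handle_sysctl` for directories on that path; a comment on `sysctl_perm_nochk()` should say that this is deliberate and why. The body of `sysctl_perm_nochk()` continues outside the hunk.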
71856 @@ -2335,6 +2412,16 @@ int proc_dostring(struct ctl_table *tabl
71857 buffer, lenp, ppos);
71858 }
71859
71860 +int proc_dostring_modpriv(struct ctl_table *table, int write,
71861 + void __user *buffer, size_t *lenp, loff_t *ppos)
71862 +{
71863 + if (write && !capable(CAP_SYS_MODULE))
71864 + return -EPERM;
71865 +
71866 + return _proc_do_string(table->data, table->maxlen, write,
71867 + buffer, lenp, ppos);
71868 +}
71869 +
71870
71871 static int do_proc_dointvec_conv(int *negp, unsigned long *lvalp,
71872 int *valp,
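Review bot: `proc_dostring_modpriv()` repeats the `_proc_do_string(table->data, table->maxlen, write, buffer, lenp, ppos)` call instead of delegating, whereas its counterpart `sysctl_string_modpriv()` later in this file ends with `return sysctl_string(table, oldval, oldlenp, newval, newlen);`. Ending this one with `return proc_dostring(table, write, buffer, lenp, ppos);` would keep the pair parallel and pick up any future change to `proc_dostring()`. Both helpers also lack a comment stating their contract: reads are unaffected, and writes fail with `-EPERM` unless the caller has `CAP_SYS_MODULE`.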
71873 @@ -2609,7 +2696,7 @@ static int __do_proc_doulongvec_minmax(v
71874 vleft = table->maxlen / sizeof(unsigned long);
71875 left = *lenp;
71876
71877 - for (; left && vleft--; i++, min++, max++, first=0) {
71878 + for (; left && vleft--; i++, first=0) {
71879 if (write) {
71880 while (left) {
71881 char c;
71882 @@ -2910,6 +2997,12 @@ int proc_dostring(struct ctl_table *tabl
71883 return -ENOSYS;
71884 }
71885
71886 +int proc_dostring_modpriv(struct ctl_table *table, int write,
71887 + void __user *buffer, size_t *lenp, loff_t *ppos)
71888 +{
71889 + return -ENOSYS;
71890 +}
71891 +
71892 int proc_dointvec(struct ctl_table *table, int write,
71893 void __user *buffer, size_t *lenp, loff_t *ppos)
71894 {
71895 @@ -3038,6 +3131,16 @@ int sysctl_string(struct ctl_table *tabl
71896 return 1;
71897 }
71898
71899 +int sysctl_string_modpriv(struct ctl_table *table,
71900 + void __user *oldval, size_t __user *oldlenp,
71901 + void __user *newval, size_t newlen)
71902 +{
71903 + if (newval && newlen && !capable(CAP_SYS_MODULE))
71904 + return -EPERM;
71905 +
71906 + return sysctl_string(table, oldval, oldlenp, newval, newlen);
71907 +}
71908 +
71909 /*
71910 * This function makes sure that all of the integers in the vector
71911 * are between the minimum and maximum values given in the arrays
71912 @@ -3182,6 +3285,13 @@ int sysctl_string(struct ctl_table *tabl
71913 return -ENOSYS;
71914 }
71915
71916 +int sysctl_string_modpriv(struct ctl_table *table,
71917 + void __user *oldval, size_t __user *oldlenp,
71918 + void __user *newval, size_t newlen)
71919 +{
71920 + return -ENOSYS;
71921 +}
71922 +
71923 int sysctl_intvec(struct ctl_table *table,
71924 void __user *oldval, size_t __user *oldlenp,
71925 void __user *newval, size_t newlen)
71926 @@ -3246,6 +3356,7 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
71927 EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
71928 EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
71929 EXPORT_SYMBOL(proc_dostring);
71930 +EXPORT_SYMBOL(proc_dostring_modpriv);
71931 EXPORT_SYMBOL(proc_doulongvec_minmax);
71932 EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax);
71933 EXPORT_SYMBOL(register_sysctl_table);
71934 @@ -3254,5 +3365,6 @@ EXPORT_SYMBOL(sysctl_intvec);
71935 EXPORT_SYMBOL(sysctl_jiffies);
71936 EXPORT_SYMBOL(sysctl_ms_jiffies);
71937 EXPORT_SYMBOL(sysctl_string);
71938 +EXPORT_SYMBOL(sysctl_string_modpriv);
71939 EXPORT_SYMBOL(sysctl_data);
71940 EXPORT_SYMBOL(unregister_sysctl_table);
71941 diff -urNp linux-2.6.32.49/kernel/sysctl_check.c linux-2.6.32.49/kernel/sysctl_check.c
71942 --- linux-2.6.32.49/kernel/sysctl_check.c 2011-11-08 19:02:43.000000000 -0500
71943 +++ linux-2.6.32.49/kernel/sysctl_check.c 2011-11-15 19:59:43.000000000 -0500
71944 @@ -1489,10 +1489,12 @@ int sysctl_check_table(struct nsproxy *n
71945 } else {
71946 if ((table->strategy == sysctl_data) ||
71947 (table->strategy == sysctl_string) ||
71948 + (table->strategy == sysctl_string_modpriv) ||
71949 (table->strategy == sysctl_intvec) ||
71950 (table->strategy == sysctl_jiffies) ||
71951 (table->strategy == sysctl_ms_jiffies) ||
71952 (table->proc_handler == proc_dostring) ||
71953 + (table->proc_handler == proc_dostring_modpriv) ||
71954 (table->proc_handler == proc_dointvec) ||
71955 (table->proc_handler == proc_dointvec_minmax) ||
71956 (table->proc_handler == proc_dointvec_jiffies) ||
71957 diff -urNp linux-2.6.32.49/kernel/taskstats.c linux-2.6.32.49/kernel/taskstats.c
71958 --- linux-2.6.32.49/kernel/taskstats.c 2011-11-08 19:02:43.000000000 -0500
71959 +++ linux-2.6.32.49/kernel/taskstats.c 2011-11-15 19:59:43.000000000 -0500
71960 @@ -26,9 +26,12 @@
71961 #include <linux/cgroup.h>
71962 #include <linux/fs.h>
71963 #include <linux/file.h>
71964 +#include <linux/grsecurity.h>
71965 #include <net/genetlink.h>
71966 #include <asm/atomic.h>
71967
71968 +extern int gr_is_taskstats_denied(int pid);
71969 +
71970 /*
71971 * Maximum length of a cpumask that can be specified in
71972 * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
71973 @@ -442,6 +445,9 @@ static int taskstats_user_cmd(struct sk_
71974 size_t size;
71975 cpumask_var_t mask;
71976
71977 + if (gr_is_taskstats_denied(current->pid))
71978 + return -EACCES;
71979 +
71980 if (!alloc_cpumask_var(&mask, GFP_KERNEL))
71981 return -ENOMEM;
71982
71983 diff -urNp linux-2.6.32.49/kernel/time/tick-broadcast.c linux-2.6.32.49/kernel/time/tick-broadcast.c
71984 --- linux-2.6.32.49/kernel/time/tick-broadcast.c 2011-11-08 19:02:43.000000000 -0500
71985 +++ linux-2.6.32.49/kernel/time/tick-broadcast.c 2011-11-15 19:59:43.000000000 -0500
71986 @@ -116,7 +116,7 @@ int tick_device_uses_broadcast(struct cl
71987 * then clear the broadcast bit.
71988 */
71989 if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
71990 - int cpu = smp_processor_id();
71991 + cpu = smp_processor_id();
71992
71993 cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
71994 tick_broadcast_clear_oneshot(cpu);
71995 diff -urNp linux-2.6.32.49/kernel/time/timekeeping.c linux-2.6.32.49/kernel/time/timekeeping.c
71996 --- linux-2.6.32.49/kernel/time/timekeeping.c 2011-11-08 19:02:43.000000000 -0500
71997 +++ linux-2.6.32.49/kernel/time/timekeeping.c 2011-11-15 19:59:43.000000000 -0500
71998 @@ -14,6 +14,7 @@
71999 #include <linux/init.h>
72000 #include <linux/mm.h>
72001 #include <linux/sched.h>
72002 +#include <linux/grsecurity.h>
72003 #include <linux/sysdev.h>
72004 #include <linux/clocksource.h>
72005 #include <linux/jiffies.h>
72006 @@ -180,7 +181,7 @@ void update_xtime_cache(u64 nsec)
72007 */
72008 struct timespec ts = xtime;
72009 timespec_add_ns(&ts, nsec);
72010 - ACCESS_ONCE(xtime_cache) = ts;
72011 + ACCESS_ONCE_RW(xtime_cache) = ts;
72012 }
72013
72014 /* must hold xtime_lock */
72015 @@ -333,6 +334,8 @@ int do_settimeofday(struct timespec *tv)
72016 if ((unsigned long)tv->tv_nsec >= NSEC_PER_SEC)
72017 return -EINVAL;
72018
72019 + gr_log_timechange();
72020 +
72021 write_seqlock_irqsave(&xtime_lock, flags);
72022
72023 timekeeping_forward_now();
72024 diff -urNp linux-2.6.32.49/kernel/time/timer_list.c linux-2.6.32.49/kernel/time/timer_list.c
72025 --- linux-2.6.32.49/kernel/time/timer_list.c 2011-11-08 19:02:43.000000000 -0500
72026 +++ linux-2.6.32.49/kernel/time/timer_list.c 2011-11-15 19:59:43.000000000 -0500
72027 @@ -38,12 +38,16 @@ DECLARE_PER_CPU(struct hrtimer_cpu_base,
72028
72029 static void print_name_offset(struct seq_file *m, void *sym)
72030 {
72031 +#ifdef CONFIG_GRKERNSEC_HIDESYM
72032 + SEQ_printf(m, "<%p>", NULL);
72033 +#else
72034 char symname[KSYM_NAME_LEN];
72035
72036 if (lookup_symbol_name((unsigned long)sym, symname) < 0)
72037 SEQ_printf(m, "<%p>", sym);
72038 else
72039 SEQ_printf(m, "%s", symname);
72040 +#endif
72041 }
72042
72043 static void
72044 @@ -112,7 +116,11 @@ next_one:
72045 static void
72046 print_base(struct seq_file *m, struct hrtimer_clock_base *base, u64 now)
72047 {
72048 +#ifdef CONFIG_GRKERNSEC_HIDESYM
72049 + SEQ_printf(m, " .base: %p\n", NULL);
72050 +#else
72051 SEQ_printf(m, " .base: %p\n", base);
72052 +#endif
72053 SEQ_printf(m, " .index: %d\n",
72054 base->index);
72055 SEQ_printf(m, " .resolution: %Lu nsecs\n",
72056 @@ -289,7 +297,11 @@ static int __init init_timer_list_procfs
72057 {
72058 struct proc_dir_entry *pe;
72059
72060 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
72061 + pe = proc_create("timer_list", 0400, NULL, &timer_list_fops);
72062 +#else
72063 pe = proc_create("timer_list", 0444, NULL, &timer_list_fops);
72064 +#endif
72065 if (!pe)
72066 return -ENOMEM;
72067 return 0;
72068 diff -urNp linux-2.6.32.49/kernel/time/timer_stats.c linux-2.6.32.49/kernel/time/timer_stats.c
72069 --- linux-2.6.32.49/kernel/time/timer_stats.c 2011-11-08 19:02:43.000000000 -0500
72070 +++ linux-2.6.32.49/kernel/time/timer_stats.c 2011-11-15 19:59:43.000000000 -0500
72071 @@ -116,7 +116,7 @@ static ktime_t time_start, time_stop;
72072 static unsigned long nr_entries;
72073 static struct entry entries[MAX_ENTRIES];
72074
72075 -static atomic_t overflow_count;
72076 +static atomic_unchecked_t overflow_count;
72077
72078 /*
72079 * The entries are in a hash-table, for fast lookup:
72080 @@ -140,7 +140,7 @@ static void reset_entries(void)
72081 nr_entries = 0;
72082 memset(entries, 0, sizeof(entries));
72083 memset(tstat_hash_table, 0, sizeof(tstat_hash_table));
72084 - atomic_set(&overflow_count, 0);
72085 + atomic_set_unchecked(&overflow_count, 0);
72086 }
72087
72088 static struct entry *alloc_entry(void)
72089 @@ -261,7 +261,7 @@ void timer_stats_update_stats(void *time
72090 if (likely(entry))
72091 entry->count++;
72092 else
72093 - atomic_inc(&overflow_count);
72094 + atomic_inc_unchecked(&overflow_count);
72095
72096 out_unlock:
72097 spin_unlock_irqrestore(lock, flags);
72098 @@ -269,12 +269,16 @@ void timer_stats_update_stats(void *time
72099
72100 static void print_name_offset(struct seq_file *m, unsigned long addr)
72101 {
72102 +#ifdef CONFIG_GRKERNSEC_HIDESYM
72103 + seq_printf(m, "<%p>", NULL);
72104 +#else
72105 char symname[KSYM_NAME_LEN];
72106
72107 if (lookup_symbol_name(addr, symname) < 0)
72108 seq_printf(m, "<%p>", (void *)addr);
72109 else
72110 seq_printf(m, "%s", symname);
72111 +#endif
72112 }
72113
72114 static int tstats_show(struct seq_file *m, void *v)
72115 @@ -300,9 +304,9 @@ static int tstats_show(struct seq_file *
72116
72117 seq_puts(m, "Timer Stats Version: v0.2\n");
72118 seq_printf(m, "Sample period: %ld.%03ld s\n", period.tv_sec, ms);
72119 - if (atomic_read(&overflow_count))
72120 + if (atomic_read_unchecked(&overflow_count))
72121 seq_printf(m, "Overflow: %d entries\n",
72122 - atomic_read(&overflow_count));
72123 + atomic_read_unchecked(&overflow_count));
72124
72125 for (i = 0; i < nr_entries; i++) {
72126 entry = entries + i;
72127 @@ -415,7 +419,11 @@ static int __init init_tstats_procfs(voi
72128 {
72129 struct proc_dir_entry *pe;
72130
72131 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
72132 + pe = proc_create("timer_stats", 0600, NULL, &tstats_fops);
72133 +#else
72134 pe = proc_create("timer_stats", 0644, NULL, &tstats_fops);
72135 +#endif
72136 if (!pe)
72137 return -ENOMEM;
72138 return 0;
72139 diff -urNp linux-2.6.32.49/kernel/time.c linux-2.6.32.49/kernel/time.c
72140 --- linux-2.6.32.49/kernel/time.c 2011-11-08 19:02:43.000000000 -0500
72141 +++ linux-2.6.32.49/kernel/time.c 2011-11-15 19:59:43.000000000 -0500
72142 @@ -165,6 +165,11 @@ int do_sys_settimeofday(struct timespec
72143 return error;
72144
72145 if (tz) {
72146 + /* we log in do_settimeofday called below, so don't log twice
72147 + */
72148 + if (!tv)
72149 + gr_log_timechange();
72150 +
72151 /* SMP safe, global irq locking makes it work. */
72152 sys_tz = *tz;
72153 update_vsyscall_tz();
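Review bot: `gr_log_timechange()` is called here, but none of the kernel/time.c hunks add `#include <linux/grsecurity.h>`, which the kernel/time/timekeeping.c hunk does add for the same call. The declaration presumably arrives through another header; an explicit include would keep the file from depending on that. The comment could also state the case it covers more directly, for example `/* tz-only change: do_settimeofday() is not called, so log here */`. The enclosing function starts and ends outside the hunk.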
72154 @@ -240,7 +245,7 @@ EXPORT_SYMBOL(current_fs_time);
72155 * Avoid unnecessary multiplications/divisions in the
72156 * two most common HZ cases:
72157 */
72158 -unsigned int inline jiffies_to_msecs(const unsigned long j)
72159 +inline unsigned int jiffies_to_msecs(const unsigned long j)
72160 {
72161 #if HZ <= MSEC_PER_SEC && !(MSEC_PER_SEC % HZ)
72162 return (MSEC_PER_SEC / HZ) * j;
72163 @@ -256,7 +261,7 @@ unsigned int inline jiffies_to_msecs(con
72164 }
72165 EXPORT_SYMBOL(jiffies_to_msecs);
72166
72167 -unsigned int inline jiffies_to_usecs(const unsigned long j)
72168 +inline unsigned int jiffies_to_usecs(const unsigned long j)
72169 {
72170 #if HZ <= USEC_PER_SEC && !(USEC_PER_SEC % HZ)
72171 return (USEC_PER_SEC / HZ) * j;
72172 diff -urNp linux-2.6.32.49/kernel/timer.c linux-2.6.32.49/kernel/timer.c
72173 --- linux-2.6.32.49/kernel/timer.c 2011-11-08 19:02:43.000000000 -0500
72174 +++ linux-2.6.32.49/kernel/timer.c 2011-11-15 19:59:43.000000000 -0500
72175 @@ -1213,7 +1213,7 @@ void update_process_times(int user_tick)
72176 /*
72177 * This function runs timers and the timer-tq in bottom half context.
72178 */
72179 -static void run_timer_softirq(struct softirq_action *h)
72180 +static void run_timer_softirq(void)
72181 {
72182 struct tvec_base *base = __get_cpu_var(tvec_bases);
72183
72184 diff -urNp linux-2.6.32.49/kernel/trace/blktrace.c linux-2.6.32.49/kernel/trace/blktrace.c
72185 --- linux-2.6.32.49/kernel/trace/blktrace.c 2011-11-08 19:02:43.000000000 -0500
72186 +++ linux-2.6.32.49/kernel/trace/blktrace.c 2011-11-15 19:59:43.000000000 -0500
72187 @@ -313,7 +313,7 @@ static ssize_t blk_dropped_read(struct f
72188 struct blk_trace *bt = filp->private_data;
72189 char buf[16];
72190
72191 - snprintf(buf, sizeof(buf), "%u\n", atomic_read(&bt->dropped));
72192 + snprintf(buf, sizeof(buf), "%u\n", atomic_read_unchecked(&bt->dropped));
72193
72194 return simple_read_from_buffer(buffer, count, ppos, buf, strlen(buf));
72195 }
72196 @@ -376,7 +376,7 @@ static int blk_subbuf_start_callback(str
72197 return 1;
72198
72199 bt = buf->chan->private_data;
72200 - atomic_inc(&bt->dropped);
72201 + atomic_inc_unchecked(&bt->dropped);
72202 return 0;
72203 }
72204
72205 @@ -477,7 +477,7 @@ int do_blk_trace_setup(struct request_qu
72206
72207 bt->dir = dir;
72208 bt->dev = dev;
72209 - atomic_set(&bt->dropped, 0);
72210 + atomic_set_unchecked(&bt->dropped, 0);
72211
72212 ret = -EIO;
72213 bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt,
72214 diff -urNp linux-2.6.32.49/kernel/trace/ftrace.c linux-2.6.32.49/kernel/trace/ftrace.c
72215 --- linux-2.6.32.49/kernel/trace/ftrace.c 2011-11-08 19:02:43.000000000 -0500
72216 +++ linux-2.6.32.49/kernel/trace/ftrace.c 2011-11-15 19:59:43.000000000 -0500
72217 @@ -1100,13 +1100,18 @@ ftrace_code_disable(struct module *mod,
72218
72219 ip = rec->ip;
72220
72221 + ret = ftrace_arch_code_modify_prepare();
72222 + FTRACE_WARN_ON(ret);
72223 + if (ret)
72224 + return 0;
72225 +
72226 ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
72227 + FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
72228 if (ret) {
72229 ftrace_bug(ret, ip);
72230 rec->flags |= FTRACE_FL_FAILED;
72231 - return 0;
72232 }
72233 - return 1;
72234 + return ret ? 0 : 1;
72235 }
72236
72237 /*
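Review bot: When `ftrace_arch_code_modify_prepare()` fails, the function returns 0 after only `FTRACE_WARN_ON(ret)`, without the `ftrace_bug(ret, ip)` report or the `rec->flags |= FTRACE_FL_FAILED` that the `ftrace_make_nop()` failure path applies. Any caller that looks at the flag rather than the return value would treat the record as healthy (callers are outside the hunk); if the record should be marked, use `if (ret) { rec->flags |= FTRACE_FL_FAILED; return 0; }`. The result of `ftrace_arch_code_modify_post_process()` is likewise only warned about and does not affect the return value, so a failure to undo whatever prepare changed is reported as success. A comment stating that this is intended would help. `ftrace_code_disable()` begins outside the hunk.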
72238 diff -urNp linux-2.6.32.49/kernel/trace/ring_buffer.c linux-2.6.32.49/kernel/trace/ring_buffer.c
72239 --- linux-2.6.32.49/kernel/trace/ring_buffer.c 2011-11-08 19:02:43.000000000 -0500
72240 +++ linux-2.6.32.49/kernel/trace/ring_buffer.c 2011-11-15 19:59:43.000000000 -0500
72241 @@ -606,7 +606,7 @@ static struct list_head *rb_list_head(st
72242 * the reader page). But if the next page is a header page,
72243 * its flags will be non zero.
72244 */
72245 -static int inline
72246 +static inline int
72247 rb_is_head_page(struct ring_buffer_per_cpu *cpu_buffer,
72248 struct buffer_page *page, struct list_head *list)
72249 {
72250 diff -urNp linux-2.6.32.49/kernel/trace/trace.c linux-2.6.32.49/kernel/trace/trace.c
72251 --- linux-2.6.32.49/kernel/trace/trace.c 2011-11-08 19:02:43.000000000 -0500
72252 +++ linux-2.6.32.49/kernel/trace/trace.c 2011-11-15 19:59:43.000000000 -0500
72253 @@ -3193,6 +3193,8 @@ static ssize_t tracing_splice_read_pipe(
72254 size_t rem;
72255 unsigned int i;
72256
72257 + pax_track_stack();
72258 +
72259 /* copy the tracer to avoid using a global lock all around */
72260 mutex_lock(&trace_types_lock);
72261 if (unlikely(old_tracer != current_trace && current_trace)) {
72262 @@ -3659,6 +3661,8 @@ tracing_buffers_splice_read(struct file
72263 int entries, size, i;
72264 size_t ret;
72265
72266 + pax_track_stack();
72267 +
72268 if (*ppos & (PAGE_SIZE - 1)) {
72269 WARN_ONCE(1, "Ftrace: previous read must page-align\n");
72270 return -EINVAL;
72271 @@ -3816,10 +3820,9 @@ static const struct file_operations trac
72272 };
72273 #endif
72274
72275 -static struct dentry *d_tracer;
72276 -
72277 struct dentry *tracing_init_dentry(void)
72278 {
72279 + static struct dentry *d_tracer;
72280 static int once;
72281
72282 if (d_tracer)
72283 @@ -3839,10 +3842,9 @@ struct dentry *tracing_init_dentry(void)
72284 return d_tracer;
72285 }
72286
72287 -static struct dentry *d_percpu;
72288 -
72289 struct dentry *tracing_dentry_percpu(void)
72290 {
72291 + static struct dentry *d_percpu;
72292 static int once;
72293 struct dentry *d_tracer;
72294
72295 diff -urNp linux-2.6.32.49/kernel/trace/trace_events.c linux-2.6.32.49/kernel/trace/trace_events.c
72296 --- linux-2.6.32.49/kernel/trace/trace_events.c 2011-11-08 19:02:43.000000000 -0500
72297 +++ linux-2.6.32.49/kernel/trace/trace_events.c 2011-11-15 19:59:43.000000000 -0500
72298 @@ -951,13 +951,10 @@ static LIST_HEAD(ftrace_module_file_list
72299 * Modules must own their file_operations to keep up with
72300 * reference counting.
72301 */
72302 +
72303 struct ftrace_module_file_ops {
72304 struct list_head list;
72305 struct module *mod;
72306 - struct file_operations id;
72307 - struct file_operations enable;
72308 - struct file_operations format;
72309 - struct file_operations filter;
72310 };
72311
72312 static void remove_subsystem_dir(const char *name)
72313 @@ -1004,17 +1001,12 @@ trace_create_file_ops(struct module *mod
72314
72315 file_ops->mod = mod;
72316
72317 - file_ops->id = ftrace_event_id_fops;
72318 - file_ops->id.owner = mod;
72319 -
72320 - file_ops->enable = ftrace_enable_fops;
72321 - file_ops->enable.owner = mod;
72322 -
72323 - file_ops->filter = ftrace_event_filter_fops;
72324 - file_ops->filter.owner = mod;
72325 -
72326 - file_ops->format = ftrace_event_format_fops;
72327 - file_ops->format.owner = mod;
72328 + pax_open_kernel();
72329 + *(void **)&mod->trace_id.owner = mod;
72330 + *(void **)&mod->trace_enable.owner = mod;
72331 + *(void **)&mod->trace_filter.owner = mod;
72332 + *(void **)&mod->trace_format.owner = mod;
72333 + pax_close_kernel();
72334
72335 list_add(&file_ops->list, &ftrace_module_file_list);
72336
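Review bot: The removed lines copied `ftrace_event_id_fops`, `ftrace_enable_fops`, `ftrace_event_filter_fops` and `ftrace_event_format_fops` into per-module structures before setting `.owner`; the new lines set only `.owner` on `mod->trace_id`, `mod->trace_enable`, `mod->trace_filter` and `mod->trace_format`. Nothing in this hunk shows where those four structures get their callbacks, so that initialisation must happen elsewhere in the patch and is worth verifying, since the next hunk passes them to `event_create_dir()`. The `*(void **)&...owner = mod` stores discard the field's type to write through what is presumably a const-qualified member. A comment above `pax_open_kernel()` such as `/* fops live in read-only data; owner is the only field patched at load time */` would explain both the cast and the open/close window. The function continues outside the hunk.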
72337 @@ -1063,8 +1055,8 @@ static void trace_module_add_events(stru
72338 call->mod = mod;
72339 list_add(&call->list, &ftrace_events);
72340 event_create_dir(call, d_events,
72341 - &file_ops->id, &file_ops->enable,
72342 - &file_ops->filter, &file_ops->format);
72343 + &mod->trace_id, &mod->trace_enable,
72344 + &mod->trace_filter, &mod->trace_format);
72345 }
72346 }
72347
72348 diff -urNp linux-2.6.32.49/kernel/trace/trace_mmiotrace.c linux-2.6.32.49/kernel/trace/trace_mmiotrace.c
72349 --- linux-2.6.32.49/kernel/trace/trace_mmiotrace.c 2011-11-08 19:02:43.000000000 -0500
72350 +++ linux-2.6.32.49/kernel/trace/trace_mmiotrace.c 2011-11-15 19:59:43.000000000 -0500
72351 @@ -23,7 +23,7 @@ struct header_iter {
72352 static struct trace_array *mmio_trace_array;
72353 static bool overrun_detected;
72354 static unsigned long prev_overruns;
72355 -static atomic_t dropped_count;
72356 +static atomic_unchecked_t dropped_count;
72357
72358 static void mmio_reset_data(struct trace_array *tr)
72359 {
72360 @@ -126,7 +126,7 @@ static void mmio_close(struct trace_iter
72361
72362 static unsigned long count_overruns(struct trace_iterator *iter)
72363 {
72364 - unsigned long cnt = atomic_xchg(&dropped_count, 0);
72365 + unsigned long cnt = atomic_xchg_unchecked(&dropped_count, 0);
72366 unsigned long over = ring_buffer_overruns(iter->tr->buffer);
72367
72368 if (over > prev_overruns)
72369 @@ -316,7 +316,7 @@ static void __trace_mmiotrace_rw(struct
72370 event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_RW,
72371 sizeof(*entry), 0, pc);
72372 if (!event) {
72373 - atomic_inc(&dropped_count);
72374 + atomic_inc_unchecked(&dropped_count);
72375 return;
72376 }
72377 entry = ring_buffer_event_data(event);
72378 @@ -346,7 +346,7 @@ static void __trace_mmiotrace_map(struct
72379 event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_MAP,
72380 sizeof(*entry), 0, pc);
72381 if (!event) {
72382 - atomic_inc(&dropped_count);
72383 + atomic_inc_unchecked(&dropped_count);
72384 return;
72385 }
72386 entry = ring_buffer_event_data(event);
72387 diff -urNp linux-2.6.32.49/kernel/trace/trace_output.c linux-2.6.32.49/kernel/trace/trace_output.c
72388 --- linux-2.6.32.49/kernel/trace/trace_output.c 2011-11-08 19:02:43.000000000 -0500
72389 +++ linux-2.6.32.49/kernel/trace/trace_output.c 2011-11-15 19:59:43.000000000 -0500
72390 @@ -237,7 +237,7 @@ int trace_seq_path(struct trace_seq *s,
72391 return 0;
72392 p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
72393 if (!IS_ERR(p)) {
72394 - p = mangle_path(s->buffer + s->len, p, "\n");
72395 + p = mangle_path(s->buffer + s->len, p, "\n\\");
72396 if (p) {
72397 s->len = p - s->buffer;
72398 return 1;
72399 diff -urNp linux-2.6.32.49/kernel/trace/trace_stack.c linux-2.6.32.49/kernel/trace/trace_stack.c
72400 --- linux-2.6.32.49/kernel/trace/trace_stack.c 2011-11-08 19:02:43.000000000 -0500
72401 +++ linux-2.6.32.49/kernel/trace/trace_stack.c 2011-11-15 19:59:43.000000000 -0500
72402 @@ -50,7 +50,7 @@ static inline void check_stack(void)
72403 return;
72404
72405 /* we do not handle interrupt stacks yet */
72406 - if (!object_is_on_stack(&this_size))
72407 + if (!object_starts_on_stack(&this_size))
72408 return;
72409
72410 local_irq_save(flags);
72411 diff -urNp linux-2.6.32.49/kernel/trace/trace_workqueue.c linux-2.6.32.49/kernel/trace/trace_workqueue.c
72412 --- linux-2.6.32.49/kernel/trace/trace_workqueue.c 2011-11-08 19:02:43.000000000 -0500
72413 +++ linux-2.6.32.49/kernel/trace/trace_workqueue.c 2011-11-15 19:59:43.000000000 -0500
72414 @@ -21,7 +21,7 @@ struct cpu_workqueue_stats {
72415 int cpu;
72416 pid_t pid;
72417 /* Can be inserted from interrupt or user context, need to be atomic */
72418 - atomic_t inserted;
72419 + atomic_unchecked_t inserted;
72420 /*
72421 * Don't need to be atomic, works are serialized in a single workqueue thread
72422 * on a single CPU.
72423 @@ -58,7 +58,7 @@ probe_workqueue_insertion(struct task_st
72424 spin_lock_irqsave(&workqueue_cpu_stat(cpu)->lock, flags);
72425 list_for_each_entry(node, &workqueue_cpu_stat(cpu)->list, list) {
72426 if (node->pid == wq_thread->pid) {
72427 - atomic_inc(&node->inserted);
72428 + atomic_inc_unchecked(&node->inserted);
72429 goto found;
72430 }
72431 }
72432 @@ -205,7 +205,7 @@ static int workqueue_stat_show(struct se
72433 tsk = get_pid_task(pid, PIDTYPE_PID);
72434 if (tsk) {
72435 seq_printf(s, "%3d %6d %6u %s\n", cws->cpu,
72436 - atomic_read(&cws->inserted), cws->executed,
72437 + atomic_read_unchecked(&cws->inserted), cws->executed,
72438 tsk->comm);
72439 put_task_struct(tsk);
72440 }
72441 diff -urNp linux-2.6.32.49/kernel/user.c linux-2.6.32.49/kernel/user.c
72442 --- linux-2.6.32.49/kernel/user.c 2011-11-08 19:02:43.000000000 -0500
72443 +++ linux-2.6.32.49/kernel/user.c 2011-11-15 19:59:43.000000000 -0500
72444 @@ -159,6 +159,7 @@ struct user_struct *alloc_uid(struct use
72445 spin_lock_irq(&uidhash_lock);
72446 up = uid_hash_find(uid, hashent);
72447 if (up) {
72448 + put_user_ns(ns);
72449 key_put(new->uid_keyring);
72450 key_put(new->session_keyring);
72451 kmem_cache_free(uid_cachep, new);
72452 diff -urNp linux-2.6.32.49/lib/bitmap.c linux-2.6.32.49/lib/bitmap.c
72453 --- linux-2.6.32.49/lib/bitmap.c 2011-11-08 19:02:43.000000000 -0500
72454 +++ linux-2.6.32.49/lib/bitmap.c 2011-11-15 19:59:43.000000000 -0500
72455 @@ -341,7 +341,7 @@ int __bitmap_parse(const char *buf, unsi
72456 {
72457 int c, old_c, totaldigits, ndigits, nchunks, nbits;
72458 u32 chunk;
72459 - const char __user *ubuf = buf;
72460 + const char __user *ubuf = (const char __force_user *)buf;
72461
72462 bitmap_zero(maskp, nmaskbits);
72463
72464 @@ -426,7 +426,7 @@ int bitmap_parse_user(const char __user
72465 {
72466 if (!access_ok(VERIFY_READ, ubuf, ulen))
72467 return -EFAULT;
72468 - return __bitmap_parse((const char *)ubuf, ulen, 1, maskp, nmaskbits);
72469 + return __bitmap_parse((const char __force_kernel *)ubuf, ulen, 1, maskp, nmaskbits);
72470 }
72471 EXPORT_SYMBOL(bitmap_parse_user);
72472
72473 diff -urNp linux-2.6.32.49/lib/bug.c linux-2.6.32.49/lib/bug.c
72474 --- linux-2.6.32.49/lib/bug.c 2011-11-08 19:02:43.000000000 -0500
72475 +++ linux-2.6.32.49/lib/bug.c 2011-11-15 19:59:43.000000000 -0500
72476 @@ -135,6 +135,8 @@ enum bug_trap_type report_bug(unsigned l
72477 return BUG_TRAP_TYPE_NONE;
72478
72479 bug = find_bug(bugaddr);
72480 + if (!bug)
72481 + return BUG_TRAP_TYPE_NONE;
72482
72483 printk(KERN_EMERG "------------[ cut here ]------------\n");
72484
72485 diff -urNp linux-2.6.32.49/lib/debugobjects.c linux-2.6.32.49/lib/debugobjects.c
72486 --- linux-2.6.32.49/lib/debugobjects.c 2011-11-08 19:02:43.000000000 -0500
72487 +++ linux-2.6.32.49/lib/debugobjects.c 2011-11-15 19:59:43.000000000 -0500
72488 @@ -277,7 +277,7 @@ static void debug_object_is_on_stack(voi
72489 if (limit > 4)
72490 return;
72491
72492 - is_on_stack = object_is_on_stack(addr);
72493 + is_on_stack = object_starts_on_stack(addr);
72494 if (is_on_stack == onstack)
72495 return;
72496
72497 diff -urNp linux-2.6.32.49/lib/devres.c linux-2.6.32.49/lib/devres.c
72498 --- linux-2.6.32.49/lib/devres.c 2011-11-08 19:02:43.000000000 -0500
72499 +++ linux-2.6.32.49/lib/devres.c 2011-11-15 19:59:43.000000000 -0500
72500 @@ -80,7 +80,7 @@ void devm_iounmap(struct device *dev, vo
72501 {
72502 iounmap(addr);
72503 WARN_ON(devres_destroy(dev, devm_ioremap_release, devm_ioremap_match,
72504 - (void *)addr));
72505 + (void __force *)addr));
72506 }
72507 EXPORT_SYMBOL(devm_iounmap);
72508
72509 @@ -140,7 +140,7 @@ void devm_ioport_unmap(struct device *de
72510 {
72511 ioport_unmap(addr);
72512 WARN_ON(devres_destroy(dev, devm_ioport_map_release,
72513 - devm_ioport_map_match, (void *)addr));
72514 + devm_ioport_map_match, (void __force *)addr));
72515 }
72516 EXPORT_SYMBOL(devm_ioport_unmap);
72517
72518 diff -urNp linux-2.6.32.49/lib/dma-debug.c linux-2.6.32.49/lib/dma-debug.c
72519 --- linux-2.6.32.49/lib/dma-debug.c 2011-11-08 19:02:43.000000000 -0500
72520 +++ linux-2.6.32.49/lib/dma-debug.c 2011-11-15 19:59:43.000000000 -0500
72521 @@ -861,7 +861,7 @@ out:
72522
72523 static void check_for_stack(struct device *dev, void *addr)
72524 {
72525 - if (object_is_on_stack(addr))
72526 + if (object_starts_on_stack(addr))
72527 err_printk(dev, NULL, "DMA-API: device driver maps memory from"
72528 "stack [addr=%p]\n", addr);
72529 }
72530 diff -urNp linux-2.6.32.49/lib/idr.c linux-2.6.32.49/lib/idr.c
72531 --- linux-2.6.32.49/lib/idr.c 2011-11-08 19:02:43.000000000 -0500
72532 +++ linux-2.6.32.49/lib/idr.c 2011-11-15 19:59:43.000000000 -0500
72533 @@ -156,7 +156,7 @@ static int sub_alloc(struct idr *idp, in
72534 id = (id | ((1 << (IDR_BITS * l)) - 1)) + 1;
72535
72536 /* if already at the top layer, we need to grow */
72537 - if (id >= 1 << (idp->layers * IDR_BITS)) {
72538 + if (id >= (1 << (idp->layers * IDR_BITS))) {
72539 *starting_id = id;
72540 return IDR_NEED_TO_GROW;
72541 }
72542 diff -urNp linux-2.6.32.49/lib/inflate.c linux-2.6.32.49/lib/inflate.c
72543 --- linux-2.6.32.49/lib/inflate.c 2011-11-08 19:02:43.000000000 -0500
72544 +++ linux-2.6.32.49/lib/inflate.c 2011-11-15 19:59:43.000000000 -0500
72545 @@ -266,7 +266,7 @@ static void free(void *where)
72546 malloc_ptr = free_mem_ptr;
72547 }
72548 #else
72549 -#define malloc(a) kmalloc(a, GFP_KERNEL)
72550 +#define malloc(a) kmalloc((a), GFP_KERNEL)
72551 #define free(a) kfree(a)
72552 #endif
72553
72554 diff -urNp linux-2.6.32.49/lib/Kconfig.debug linux-2.6.32.49/lib/Kconfig.debug
72555 --- linux-2.6.32.49/lib/Kconfig.debug 2011-11-08 19:02:43.000000000 -0500
72556 +++ linux-2.6.32.49/lib/Kconfig.debug 2011-11-15 19:59:43.000000000 -0500
72557 @@ -905,7 +905,7 @@ config LATENCYTOP
72558 select STACKTRACE
72559 select SCHEDSTATS
72560 select SCHED_DEBUG
72561 - depends on HAVE_LATENCYTOP_SUPPORT
72562 + depends on HAVE_LATENCYTOP_SUPPORT && !GRKERNSEC_HIDESYM
72563 help
72564 Enable this option if you want to use the LatencyTOP tool
72565 to find out which userspace is blocking on what kernel operations.
72566 diff -urNp linux-2.6.32.49/lib/kobject.c linux-2.6.32.49/lib/kobject.c
72567 --- linux-2.6.32.49/lib/kobject.c 2011-11-08 19:02:43.000000000 -0500
72568 +++ linux-2.6.32.49/lib/kobject.c 2011-11-15 19:59:43.000000000 -0500
72569 @@ -700,7 +700,7 @@ static ssize_t kobj_attr_store(struct ko
72570 return ret;
72571 }
72572
72573 -struct sysfs_ops kobj_sysfs_ops = {
72574 +const struct sysfs_ops kobj_sysfs_ops = {
72575 .show = kobj_attr_show,
72576 .store = kobj_attr_store,
72577 };
72578 @@ -789,7 +789,7 @@ static struct kobj_type kset_ktype = {
72579 * If the kset was not able to be created, NULL will be returned.
72580 */
72581 static struct kset *kset_create(const char *name,
72582 - struct kset_uevent_ops *uevent_ops,
72583 + const struct kset_uevent_ops *uevent_ops,
72584 struct kobject *parent_kobj)
72585 {
72586 struct kset *kset;
72587 @@ -832,7 +832,7 @@ static struct kset *kset_create(const ch
72588 * If the kset was not able to be created, NULL will be returned.
72589 */
72590 struct kset *kset_create_and_add(const char *name,
72591 - struct kset_uevent_ops *uevent_ops,
72592 + const struct kset_uevent_ops *uevent_ops,
72593 struct kobject *parent_kobj)
72594 {
72595 struct kset *kset;
72596 diff -urNp linux-2.6.32.49/lib/kobject_uevent.c linux-2.6.32.49/lib/kobject_uevent.c
72597 --- linux-2.6.32.49/lib/kobject_uevent.c 2011-11-08 19:02:43.000000000 -0500
72598 +++ linux-2.6.32.49/lib/kobject_uevent.c 2011-11-15 19:59:43.000000000 -0500
72599 @@ -95,7 +95,7 @@ int kobject_uevent_env(struct kobject *k
72600 const char *subsystem;
72601 struct kobject *top_kobj;
72602 struct kset *kset;
72603 - struct kset_uevent_ops *uevent_ops;
72604 + const struct kset_uevent_ops *uevent_ops;
72605 u64 seq;
72606 int i = 0;
72607 int retval = 0;
72608 diff -urNp linux-2.6.32.49/lib/kref.c linux-2.6.32.49/lib/kref.c
72609 --- linux-2.6.32.49/lib/kref.c 2011-11-08 19:02:43.000000000 -0500
72610 +++ linux-2.6.32.49/lib/kref.c 2011-11-15 19:59:43.000000000 -0500
72611 @@ -61,7 +61,7 @@ void kref_get(struct kref *kref)
72612 */
72613 int kref_put(struct kref *kref, void (*release)(struct kref *kref))
72614 {
72615 - WARN_ON(release == NULL);
72616 + BUG_ON(release == NULL);
72617 WARN_ON(release == (void (*)(struct kref *))kfree);
72618
72619 if (atomic_dec_and_test(&kref->refcount)) {
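Review bot: The change from WARN_ON to BUG_ON for a NULL `release` in kref_put carries no comment saying why a warning is no longer enough. Presumably `release` is invoked once the count reaches zero, so the old check warned and then allowed a call through a NULL function pointer; a comment such as `/* a NULL release would be called on the final put: stop here rather than jump to address 0 */` would record that. The neighbouring `release == kfree` check remains a WARN_ON, and one word on why that case is treated as less severe would help. kref_put's body continues outside the hunk.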
72620 diff -urNp linux-2.6.32.49/lib/parser.c linux-2.6.32.49/lib/parser.c
72621 --- linux-2.6.32.49/lib/parser.c 2011-11-08 19:02:43.000000000 -0500
72622 +++ linux-2.6.32.49/lib/parser.c 2011-11-15 19:59:43.000000000 -0500
72623 @@ -126,7 +126,7 @@ static int match_number(substring_t *s,
72624 char *buf;
72625 int ret;
72626
72627 - buf = kmalloc(s->to - s->from + 1, GFP_KERNEL);
72628 + buf = kmalloc((s->to - s->from) + 1, GFP_KERNEL);
72629 if (!buf)
72630 return -ENOMEM;
72631 memcpy(buf, s->from, s->to - s->from);
72632 diff -urNp linux-2.6.32.49/lib/radix-tree.c linux-2.6.32.49/lib/radix-tree.c
72633 --- linux-2.6.32.49/lib/radix-tree.c 2011-11-08 19:02:43.000000000 -0500
72634 +++ linux-2.6.32.49/lib/radix-tree.c 2011-11-15 19:59:43.000000000 -0500
72635 @@ -81,7 +81,7 @@ struct radix_tree_preload {
72636 int nr;
72637 struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
72638 };
72639 -static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
72640 +static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
72641
72642 static inline gfp_t root_gfp_mask(struct radix_tree_root *root)
72643 {
72644 diff -urNp linux-2.6.32.49/lib/random32.c linux-2.6.32.49/lib/random32.c
72645 --- linux-2.6.32.49/lib/random32.c 2011-11-08 19:02:43.000000000 -0500
72646 +++ linux-2.6.32.49/lib/random32.c 2011-11-15 19:59:43.000000000 -0500
72647 @@ -61,7 +61,7 @@ static u32 __random32(struct rnd_state *
72648 */
72649 static inline u32 __seed(u32 x, u32 m)
72650 {
72651 - return (x < m) ? x + m : x;
72652 + return (x <= m) ? x + m + 1 : x;
72653 }
72654
72655 /**
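Review bot: `__seed` now returns a value strictly greater than `m`, where the old expression guaranteed only `>= m`, and the new `+ 1` is unexplained in the hunk. The comment above the function lies outside the hunk and may still describe the old contract. A comment on the return line, for example `/* result must be > m, so x == m is bumped as well */`, would make the intent clear. `x + m + 1` cannot wrap for small `m`, because that branch is taken only when `x <= m`; the callers that choose `m` are not visible here.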
72656 diff -urNp linux-2.6.32.49/lib/vsprintf.c linux-2.6.32.49/lib/vsprintf.c
72657 --- linux-2.6.32.49/lib/vsprintf.c 2011-11-08 19:02:43.000000000 -0500
72658 +++ linux-2.6.32.49/lib/vsprintf.c 2011-11-15 19:59:43.000000000 -0500
72659 @@ -16,6 +16,9 @@
72660 * - scnprintf and vscnprintf
72661 */
72662
72663 +#ifdef CONFIG_GRKERNSEC_HIDESYM
72664 +#define __INCLUDED_BY_HIDESYM 1
72665 +#endif
72666 #include <stdarg.h>
72667 #include <linux/module.h>
72668 #include <linux/types.h>
72669 @@ -546,12 +549,12 @@ static char *number(char *buf, char *end
72670 return buf;
72671 }
72672
72673 -static char *string(char *buf, char *end, char *s, struct printf_spec spec)
72674 +static char *string(char *buf, char *end, const char *s, struct printf_spec spec)
72675 {
72676 int len, i;
72677
72678 if ((unsigned long)s < PAGE_SIZE)
72679 - s = "<NULL>";
72680 + s = "(null)";
72681
72682 len = strnlen(s, spec.precision);
72683
72684 @@ -581,7 +584,7 @@ static char *symbol_string(char *buf, ch
72685 unsigned long value = (unsigned long) ptr;
72686 #ifdef CONFIG_KALLSYMS
72687 char sym[KSYM_SYMBOL_LEN];
72688 - if (ext != 'f' && ext != 's')
72689 + if (ext != 'f' && ext != 's' && ext != 'a')
72690 sprint_symbol(sym, value);
72691 else
72692 kallsyms_lookup(value, NULL, NULL, NULL, sym);
72693 @@ -801,6 +804,8 @@ static char *ip4_addr_string(char *buf,
72694 * - 'f' For simple symbolic function names without offset
72695 * - 'S' For symbolic direct pointers with offset
72696 * - 's' For symbolic direct pointers without offset
72697 + * - 'A' For symbolic direct pointers with offset approved for use with GRKERNSEC_HIDESYM
72698 + * - 'a' For symbolic direct pointers without offset approved for use with GRKERNSEC_HIDESYM
72699 * - 'R' For a struct resource pointer, it prints the range of
72700 * addresses (not the name nor the flags)
72701 * - 'M' For a 6-byte MAC address, it prints the address in the
72702 @@ -822,7 +827,7 @@ static char *pointer(const char *fmt, ch
72703 struct printf_spec spec)
72704 {
72705 if (!ptr)
72706 - return string(buf, end, "(null)", spec);
72707 + return string(buf, end, "(nil)", spec);
72708
72709 switch (*fmt) {
72710 case 'F':
72711 @@ -831,6 +836,14 @@ static char *pointer(const char *fmt, ch
72712 case 's':
72713 /* Fallthrough */
72714 case 'S':
72715 +#ifdef CONFIG_GRKERNSEC_HIDESYM
72716 + break;
72717 +#else
72718 + return symbol_string(buf, end, ptr, spec, *fmt);
72719 +#endif
72720 + case 'a':
72721 + /* Fallthrough */
72722 + case 'A':
72723 return symbol_string(buf, end, ptr, spec, *fmt);
72724 case 'R':
72725 return resource_string(buf, end, ptr, spec);
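Review bot: With CONFIG_GRKERNSEC_HIDESYM set, the 's'/'S' cases (and the function-pointer cases stacked above them) now `break` out of the switch, so the output for `%pS` is decided by code after the switch, which is outside this hunk. If that path is the generic numeric pointer print, callers get a raw kernel address instead of a symbol name, which is not obviously less revealing. The hunk should state the intended result, e.g. `/* HIDESYM: unapproved symbolic specifiers fall through to the generic pointer path below */` above the `break`. The new 'a'/'A' cases rely on every call site being audited by hand, so the doc-comment lines added in the earlier hunk should also say who may use them.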
72726 @@ -1445,7 +1458,7 @@ do { \
72727 size_t len;
72728 if ((unsigned long)save_str > (unsigned long)-PAGE_SIZE
72729 || (unsigned long)save_str < PAGE_SIZE)
72730 - save_str = "<NULL>";
72731 + save_str = "(null)";
72732 len = strlen(save_str);
72733 if (str + len + 1 < end)
72734 memcpy(str, save_str, len + 1);
72735 @@ -1555,11 +1568,11 @@ int bstr_printf(char *buf, size_t size,
72736 typeof(type) value; \
72737 if (sizeof(type) == 8) { \
72738 args = PTR_ALIGN(args, sizeof(u32)); \
72739 - *(u32 *)&value = *(u32 *)args; \
72740 - *((u32 *)&value + 1) = *(u32 *)(args + 4); \
72741 + *(u32 *)&value = *(const u32 *)args; \
72742 + *((u32 *)&value + 1) = *(const u32 *)(args + 4); \
72743 } else { \
72744 args = PTR_ALIGN(args, sizeof(type)); \
72745 - value = *(typeof(type) *)args; \
72746 + value = *(const typeof(type) *)args; \
72747 } \
72748 args += sizeof(type); \
72749 value; \
72750 @@ -1622,7 +1635,7 @@ int bstr_printf(char *buf, size_t size,
72751 const char *str_arg = args;
72752 size_t len = strlen(str_arg);
72753 args += len + 1;
72754 - str = string(str, end, (char *)str_arg, spec);
72755 + str = string(str, end, str_arg, spec);
72756 break;
72757 }
72758
72759 diff -urNp linux-2.6.32.49/localversion-grsec linux-2.6.32.49/localversion-grsec
72760 --- linux-2.6.32.49/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
72761 +++ linux-2.6.32.49/localversion-grsec 2011-11-15 19:59:43.000000000 -0500
72762 @@ -0,0 +1 @@
72763 +-grsec
72764 diff -urNp linux-2.6.32.49/Makefile linux-2.6.32.49/Makefile
72765 --- linux-2.6.32.49/Makefile 2011-11-26 19:44:53.000000000 -0500
72766 +++ linux-2.6.32.49/Makefile 2011-11-26 19:45:05.000000000 -0500
72767 @@ -221,8 +221,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
72768
72769 HOSTCC = gcc
72770 HOSTCXX = g++
72771 -HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer
72772 -HOSTCXXFLAGS = -O2
72773 +HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -Wno-unused-parameter -Wno-missing-field-initializers -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
72774 +HOSTCFLAGS += $(call cc-option, -Wno-empty-body)
72775 +HOSTCXXFLAGS = -O2 -Wall -W -fno-delete-null-pointer-checks
72776
72777 # Decide whether to build built-in, modular, or both.
72778 # Normally, just do built-in.
72779 @@ -376,8 +377,8 @@ export RCS_TAR_IGNORE := --exclude SCCS
72780 # Rules shared between *config targets and build targets
72781
72782 # Basic helpers built in scripts/
72783 -PHONY += scripts_basic
72784 -scripts_basic:
72785 +PHONY += scripts_basic gcc-plugins
72786 +scripts_basic: gcc-plugins
72787 $(Q)$(MAKE) $(build)=scripts/basic
72788
72789 # To avoid any implicit rule to kick in, define an empty command.
72790 @@ -403,7 +404,7 @@ endif
72791 # of make so .config is not included in this case either (for *config).
72792
72793 no-dot-config-targets := clean mrproper distclean \
72794 - cscope TAGS tags help %docs check% \
72795 + cscope gtags TAGS tags help %docs check% \
72796 include/linux/version.h headers_% \
72797 kernelrelease kernelversion
72798
72799 @@ -526,6 +527,41 @@ else
72800 KBUILD_CFLAGS += -O2
72801 endif
72802
72803 +ifndef DISABLE_PAX_PLUGINS
72804 +ifeq ($(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-plugin.sh "$(HOSTCC)" "$(CC)"), y)
72805 +ifndef DISABLE_PAX_CONSTIFY_PLUGIN
72806 +CONSTIFY_PLUGIN := -fplugin=$(objtree)/tools/gcc/constify_plugin.so -DCONSTIFY_PLUGIN
72807 +endif
72808 +ifdef CONFIG_PAX_MEMORY_STACKLEAK
72809 +STACKLEAK_PLUGIN := -fplugin=$(objtree)/tools/gcc/stackleak_plugin.so -DSTACKLEAK_PLUGIN
72810 +STACKLEAK_PLUGIN += -fplugin-arg-stackleak_plugin-track-lowest-sp=100
72811 +endif
72812 +ifdef CONFIG_KALLOCSTAT_PLUGIN
72813 +KALLOCSTAT_PLUGIN := -fplugin=$(objtree)/tools/gcc/kallocstat_plugin.so
72814 +endif
72815 +ifdef CONFIG_PAX_KERNEXEC_PLUGIN
72816 +KERNEXEC_PLUGIN := -fplugin=$(objtree)/tools/gcc/kernexec_plugin.so
72817 +endif
72818 +ifdef CONFIG_CHECKER_PLUGIN
72819 +ifeq ($(call cc-ifversion, -ge, 0406, y), y)
72820 +CHECKER_PLUGIN := -fplugin=$(objtree)/tools/gcc/checker_plugin.so -DCHECKER_PLUGIN
72821 +endif
72822 +endif
72823 +GCC_PLUGINS := $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN) $(KALLOCSTAT_PLUGIN) $(KERNEXEC_PLUGIN) $(CHECKER_PLUGIN)
72824 +export CONSTIFY_PLUGIN STACKLEAK_PLUGIN KERNEXEC_PLUGIN CHECKER_PLUGIN
72825 +gcc-plugins:
72826 + $(Q)$(MAKE) $(build)=tools/gcc
72827 +else
72828 +gcc-plugins:
72829 +ifeq ($(call cc-ifversion, -ge, 0405, y), y)
72830 + $(error Your gcc installation does not support plugins. If the necessary headers for plugin support are missing, they should be installed. On Debian, apt-get install gcc-<ver>-plugin-dev. If you choose to ignore this error and lessen the improvements provided by this patch, re-run make with the DISABLE_PAX_PLUGINS=y argument.))
72831 +else
72832 + $(Q)echo "warning, your gcc version does not support plugins, you should upgrade it to gcc 4.5 at least"
72833 +endif
72834 + $(Q)echo "PAX_MEMORY_STACKLEAK and constification will be less secure"
72835 +endif
72836 +endif
72837 +
72838 include $(srctree)/arch/$(SRCARCH)/Makefile
72839
72840 ifneq ($(CONFIG_FRAME_WARN),0)
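Review bot: On a gcc older than 4.5 the `gcc-plugins` recipe only echoes a warning and the build continues, so a kernel configured with CONFIG_PAX_MEMORY_STACKLEAK is built without the instrumentation that option promises. The notice is easy to lose in a long build log; failing that branch when CONFIG_PAX_MEMORY_STACKLEAK is set, as the gcc >= 4.5 branch already does with `$(error ...)`, would keep the configuration and the binary in agreement. Two smaller things in the same hunk: the `$(error ...)` text ends in `.))`, one parenthesis too many, and `KALLOCSTAT_PLUGIN` is added to `GCC_PLUGINS` but left out of the `export` line, which deserves a comment if it is deliberate.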
72841 @@ -647,7 +683,7 @@ export mod_strip_cmd
72842
72843
72844 ifeq ($(KBUILD_EXTMOD),)
72845 -core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
72846 +core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
72847
72848 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
72849 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
72850 @@ -868,6 +904,7 @@ vmlinux.o: $(modpost-init) $(vmlinux-mai
72851
72852 # The actual objects are generated when descending,
72853 # make sure no implicit rule kicks in
72854 +$(sort $(vmlinux-init) $(vmlinux-main)) $(vmlinux-lds): KBUILD_CFLAGS += $(GCC_PLUGINS)
72855 $(sort $(vmlinux-init) $(vmlinux-main)) $(vmlinux-lds): $(vmlinux-dirs) ;
72856
72857 # Handle descending into subdirectories listed in $(vmlinux-dirs)
72858 @@ -877,7 +914,7 @@ $(sort $(vmlinux-init) $(vmlinux-main))
72859 # Error messages still appears in the original language
72860
72861 PHONY += $(vmlinux-dirs)
72862 -$(vmlinux-dirs): prepare scripts
72863 +$(vmlinux-dirs): gcc-plugins prepare scripts
72864 $(Q)$(MAKE) $(build)=$@
72865
72866 # Build the kernel release string
72867 @@ -986,6 +1023,7 @@ prepare0: archprepare FORCE
72868 $(Q)$(MAKE) $(build)=. missing-syscalls
72869
72870 # All the preparing..
72871 +prepare: KBUILD_CFLAGS := $(filter-out $(GCC_PLUGINS),$(KBUILD_CFLAGS))
72872 prepare: prepare0
72873
72874 # The asm symlink changes when $(ARCH) changes.
72875 @@ -1127,6 +1165,7 @@ all: modules
72876 # using awk while concatenating to the final file.
72877
72878 PHONY += modules
72879 +modules: KBUILD_CFLAGS += $(GCC_PLUGINS)
72880 modules: $(vmlinux-dirs) $(if $(KBUILD_BUILTIN),vmlinux)
72881 $(Q)$(AWK) '!x[$$0]++' $(vmlinux-dirs:%=$(objtree)/%/modules.order) > $(objtree)/modules.order
72882 @$(kecho) ' Building modules, stage 2.';
72883 @@ -1136,7 +1175,7 @@ modules: $(vmlinux-dirs) $(if $(KBUILD_B
72884
72885 # Target to prepare building external modules
72886 PHONY += modules_prepare
72887 -modules_prepare: prepare scripts
72888 +modules_prepare: gcc-plugins prepare scripts
72889
72890 # Target to install modules
72891 PHONY += modules_install
72892 @@ -1201,7 +1240,7 @@ MRPROPER_FILES += .config .config.old in
72893 include/linux/autoconf.h include/linux/version.h \
72894 include/linux/utsrelease.h \
72895 include/linux/bounds.h include/asm*/asm-offsets.h \
72896 - Module.symvers Module.markers tags TAGS cscope*
72897 + Module.symvers Module.markers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS
72898
72899 # clean - Delete most, but leave enough to build external modules
72900 #
72901 @@ -1245,7 +1284,7 @@ distclean: mrproper
72902 @find $(srctree) $(RCS_FIND_IGNORE) \
72903 \( -name '*.orig' -o -name '*.rej' -o -name '*~' \
72904 -o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \
72905 - -o -name '.*.rej' -o -size 0 \
72906 + -o -name '.*.rej' -o -name '*.so' -o -size 0 \
72907 -o -name '*%' -o -name '.*.cmd' -o -name 'core' \) \
72908 -type f -print | xargs rm -f
72909
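Review bot: The added `-o -name '*.so'` makes `distclean` delete every regular file named `*.so` anywhere under `$(srctree)`, not only the plugin objects this patch builds. If the aim is to remove the gcc plugins, scoping the cleanup to the plugin directory (the plugin hunk in this Makefile builds them under `tools/gcc`) avoids removing unrelated shared objects a user may keep in the tree. If the tree-wide pattern is intended, a comment next to it should say so.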
72910 @@ -1292,6 +1331,7 @@ help:
72911 @echo ' modules_prepare - Set up for building external modules'
72912 @echo ' tags/TAGS - Generate tags file for editors'
72913 @echo ' cscope - Generate cscope index'
72914 + @echo ' gtags - Generate GNU GLOBAL index'
72915 @echo ' kernelrelease - Output the release version string'
72916 @echo ' kernelversion - Output the version stored in Makefile'
72917 @echo ' headers_install - Install sanitised kernel headers to INSTALL_HDR_PATH'; \
72918 @@ -1393,6 +1433,7 @@ PHONY += $(module-dirs) modules
72919 $(module-dirs): crmodverdir $(objtree)/Module.symvers
72920 $(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@)
72921
72922 +modules: KBUILD_CFLAGS += $(GCC_PLUGINS)
72923 modules: $(module-dirs)
72924 @$(kecho) ' Building modules, stage 2.';
72925 $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost
72926 @@ -1448,7 +1489,7 @@ endif # KBUILD_EXTMOD
72927 quiet_cmd_tags = GEN $@
72928 cmd_tags = $(CONFIG_SHELL) $(srctree)/scripts/tags.sh $@
72929
72930 -tags TAGS cscope: FORCE
72931 +tags TAGS cscope gtags: FORCE
72932 $(call cmd,tags)
72933
72934 # Scripts to check various things for consistency
72935 @@ -1513,17 +1554,19 @@ else
72936 target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@))
72937 endif
72938
72939 -%.s: %.c prepare scripts FORCE
72940 +%.s: KBUILD_CFLAGS += $(GCC_PLUGINS)
72941 +%.s: %.c gcc-plugins prepare scripts FORCE
72942 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
72943 %.i: %.c prepare scripts FORCE
72944 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
72945 -%.o: %.c prepare scripts FORCE
72946 +%.o: KBUILD_CFLAGS += $(GCC_PLUGINS)
72947 +%.o: %.c gcc-plugins prepare scripts FORCE
72948 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
72949 %.lst: %.c prepare scripts FORCE
72950 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
72951 -%.s: %.S prepare scripts FORCE
72952 +%.s: %.S gcc-plugins prepare scripts FORCE
72953 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
72954 -%.o: %.S prepare scripts FORCE
72955 +%.o: %.S gcc-plugins prepare scripts FORCE
72956 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
72957 %.symtypes: %.c prepare scripts FORCE
72958 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
72959 @@ -1533,11 +1576,13 @@ endif
72960 $(cmd_crmodverdir)
72961 $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
72962 $(build)=$(build-dir)
72963 -%/: prepare scripts FORCE
72964 +%/: KBUILD_CFLAGS += $(GCC_PLUGINS)
72965 +%/: gcc-plugins prepare scripts FORCE
72966 $(cmd_crmodverdir)
72967 $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
72968 $(build)=$(build-dir)
72969 -%.ko: prepare scripts FORCE
72970 +%.ko: KBUILD_CFLAGS += $(GCC_PLUGINS)
72971 +%.ko: gcc-plugins prepare scripts FORCE
72972 $(cmd_crmodverdir)
72973 $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
72974 $(build)=$(build-dir) $(@:.ko=.o)
72975 diff -urNp linux-2.6.32.49/mm/backing-dev.c linux-2.6.32.49/mm/backing-dev.c
72976 --- linux-2.6.32.49/mm/backing-dev.c 2011-11-08 19:02:43.000000000 -0500
72977 +++ linux-2.6.32.49/mm/backing-dev.c 2011-11-15 19:59:43.000000000 -0500
72978 @@ -272,7 +272,7 @@ static void bdi_task_init(struct backing
72979 list_add_tail_rcu(&wb->list, &bdi->wb_list);
72980 spin_unlock(&bdi->wb_lock);
72981
72982 - tsk->flags |= PF_FLUSHER | PF_SWAPWRITE;
72983 + tsk->flags |= PF_SWAPWRITE;
72984 set_freezable();
72985
72986 /*
72987 @@ -484,7 +484,7 @@ static void bdi_add_to_pending(struct rc
72988 * Add the default flusher task that gets created for any bdi
72989 * that has dirty data pending writeout
72990 */
72991 -void static bdi_add_default_flusher_task(struct backing_dev_info *bdi)
72992 +static void bdi_add_default_flusher_task(struct backing_dev_info *bdi)
72993 {
72994 if (!bdi_cap_writeback_dirty(bdi))
72995 return;
72996 diff -urNp linux-2.6.32.49/mm/filemap.c linux-2.6.32.49/mm/filemap.c
72997 --- linux-2.6.32.49/mm/filemap.c 2011-11-08 19:02:43.000000000 -0500
72998 +++ linux-2.6.32.49/mm/filemap.c 2011-11-15 19:59:43.000000000 -0500
72999 @@ -1631,7 +1631,7 @@ int generic_file_mmap(struct file * file
73000 struct address_space *mapping = file->f_mapping;
73001
73002 if (!mapping->a_ops->readpage)
73003 - return -ENOEXEC;
73004 + return -ENODEV;
73005 file_accessed(file);
73006 vma->vm_ops = &generic_file_vm_ops;
73007 vma->vm_flags |= VM_CAN_NONLINEAR;
73008 @@ -2027,6 +2027,7 @@ inline int generic_write_checks(struct f
73009 *pos = i_size_read(inode);
73010
73011 if (limit != RLIM_INFINITY) {
73012 + gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
73013 if (*pos >= limit) {
73014 send_sig(SIGXFSZ, current, 0);
73015 return -EFBIG;
73016 diff -urNp linux-2.6.32.49/mm/fremap.c linux-2.6.32.49/mm/fremap.c
73017 --- linux-2.6.32.49/mm/fremap.c 2011-11-08 19:02:43.000000000 -0500
73018 +++ linux-2.6.32.49/mm/fremap.c 2011-11-15 19:59:43.000000000 -0500
73019 @@ -153,6 +153,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
73020 retry:
73021 vma = find_vma(mm, start);
73022
73023 +#ifdef CONFIG_PAX_SEGMEXEC
73024 + if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
73025 + goto out;
73026 +#endif
73027 +
73028 /*
73029 * Make sure the vma is shared, that it supports prefaulting,
73030 * and that the remapped range is valid and fully within
73031 @@ -221,7 +226,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
73032 /*
73033 * drop PG_Mlocked flag for over-mapped range
73034 */
73035 - unsigned int saved_flags = vma->vm_flags;
73036 + unsigned long saved_flags = vma->vm_flags;
73037 munlock_vma_pages_range(vma, start, start + size);
73038 vma->vm_flags = saved_flags;
73039 }
73040 diff -urNp linux-2.6.32.49/mm/highmem.c linux-2.6.32.49/mm/highmem.c
73041 --- linux-2.6.32.49/mm/highmem.c 2011-11-08 19:02:43.000000000 -0500
73042 +++ linux-2.6.32.49/mm/highmem.c 2011-11-15 19:59:43.000000000 -0500
73043 @@ -116,9 +116,10 @@ static void flush_all_zero_pkmaps(void)
73044 * So no dangers, even with speculative execution.
73045 */
73046 page = pte_page(pkmap_page_table[i]);
73047 + pax_open_kernel();
73048 pte_clear(&init_mm, (unsigned long)page_address(page),
73049 &pkmap_page_table[i]);
73050 -
73051 + pax_close_kernel();
73052 set_page_address(page, NULL);
73053 need_flush = 1;
73054 }
73055 @@ -177,9 +178,11 @@ start:
73056 }
73057 }
73058 vaddr = PKMAP_ADDR(last_pkmap_nr);
73059 +
73060 + pax_open_kernel();
73061 set_pte_at(&init_mm, vaddr,
73062 &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
73063 -
73064 + pax_close_kernel();
73065 pkmap_count[last_pkmap_nr] = 1;
73066 set_page_address(page, (void *)vaddr);
73067
73068 diff -urNp linux-2.6.32.49/mm/hugetlb.c linux-2.6.32.49/mm/hugetlb.c
73069 --- linux-2.6.32.49/mm/hugetlb.c 2011-11-08 19:02:43.000000000 -0500
73070 +++ linux-2.6.32.49/mm/hugetlb.c 2011-11-15 19:59:43.000000000 -0500
73071 @@ -1933,6 +1933,26 @@ static int unmap_ref_private(struct mm_s
73072 return 1;
73073 }
73074
73075 +#ifdef CONFIG_PAX_SEGMEXEC
73076 +static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
73077 +{
73078 + struct mm_struct *mm = vma->vm_mm;
73079 + struct vm_area_struct *vma_m;
73080 + unsigned long address_m;
73081 + pte_t *ptep_m;
73082 +
73083 + vma_m = pax_find_mirror_vma(vma);
73084 + if (!vma_m)
73085 + return;
73086 +
73087 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
73088 + address_m = address + SEGMEXEC_TASK_SIZE;
73089 + ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
73090 + get_page(page_m);
73091 + set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
73092 +}
73093 +#endif
73094 +
73095 static int hugetlb_cow(struct mm_struct *mm, struct vm_area_struct *vma,
73096 unsigned long address, pte_t *ptep, pte_t pte,
73097 struct page *pagecache_page)
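Review bot: `pax_mirror_huge_pte` passes the result of `huge_pte_offset()` straight to `set_huge_pte_at()` without checking it, so the helper is only safe if the mirror page table was allocated beforehand. The `hugetlb_fault` hunk further down does call `huge_pte_alloc(mm, address_m, ...)` first, which looks like the intended guarantee, but nothing in the helper states it. Add `BUG_ON(!ptep_m);` after the lookup, or a comment naming that precondition. The helper and the `hugetlb_fault` hunk also use `HPAGE_MASK`/`HPAGE_SIZE` where the surrounding code uses the per-hstate `huge_page_size(h)`, which is equivalent only when a single huge page size is in use.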
73098 @@ -2004,6 +2024,11 @@ retry_avoidcopy:
73099 huge_ptep_clear_flush(vma, address, ptep);
73100 set_huge_pte_at(mm, address, ptep,
73101 make_huge_pte(vma, new_page, 1));
73102 +
73103 +#ifdef CONFIG_PAX_SEGMEXEC
73104 + pax_mirror_huge_pte(vma, address, new_page);
73105 +#endif
73106 +
73107 /* Make the old page be freed below */
73108 new_page = old_page;
73109 }
73110 @@ -2135,6 +2160,10 @@ retry:
73111 && (vma->vm_flags & VM_SHARED)));
73112 set_huge_pte_at(mm, address, ptep, new_pte);
73113
73114 +#ifdef CONFIG_PAX_SEGMEXEC
73115 + pax_mirror_huge_pte(vma, address, page);
73116 +#endif
73117 +
73118 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
73119 /* Optimization, do the COW without a second fault */
73120 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
73121 @@ -2163,6 +2192,28 @@ int hugetlb_fault(struct mm_struct *mm,
73122 static DEFINE_MUTEX(hugetlb_instantiation_mutex);
73123 struct hstate *h = hstate_vma(vma);
73124
73125 +#ifdef CONFIG_PAX_SEGMEXEC
73126 + struct vm_area_struct *vma_m;
73127 +
73128 + vma_m = pax_find_mirror_vma(vma);
73129 + if (vma_m) {
73130 + unsigned long address_m;
73131 +
73132 + if (vma->vm_start > vma_m->vm_start) {
73133 + address_m = address;
73134 + address -= SEGMEXEC_TASK_SIZE;
73135 + vma = vma_m;
73136 + h = hstate_vma(vma);
73137 + } else
73138 + address_m = address + SEGMEXEC_TASK_SIZE;
73139 +
73140 + if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
73141 + return VM_FAULT_OOM;
73142 + address_m &= HPAGE_MASK;
73143 + unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
73144 + }
73145 +#endif
73146 +
73147 ptep = huge_pte_alloc(mm, address, huge_page_size(h));
73148 if (!ptep)
73149 return VM_FAULT_OOM;
73150 diff -urNp linux-2.6.32.49/mm/internal.h linux-2.6.32.49/mm/internal.h
73151 --- linux-2.6.32.49/mm/internal.h 2011-11-08 19:02:43.000000000 -0500
73152 +++ linux-2.6.32.49/mm/internal.h 2011-11-15 19:59:43.000000000 -0500
73153 @@ -49,6 +49,7 @@ extern void putback_lru_page(struct page
73154 * in mm/page_alloc.c
73155 */
73156 extern void __free_pages_bootmem(struct page *page, unsigned int order);
73157 +extern void free_compound_page(struct page *page);
73158 extern void prep_compound_page(struct page *page, unsigned long order);
73159
73160
73161 diff -urNp linux-2.6.32.49/mm/Kconfig linux-2.6.32.49/mm/Kconfig
73162 --- linux-2.6.32.49/mm/Kconfig 2011-11-08 19:02:43.000000000 -0500
73163 +++ linux-2.6.32.49/mm/Kconfig 2011-11-15 19:59:43.000000000 -0500
73164 @@ -228,7 +228,7 @@ config KSM
73165 config DEFAULT_MMAP_MIN_ADDR
73166 int "Low address space to protect from user allocation"
73167 depends on MMU
73168 - default 4096
73169 + default 65536
73170 help
73171 This is the portion of low virtual memory which should be protected
73172 from userspace allocation. Keeping a user from writing to low pages
73173 diff -urNp linux-2.6.32.49/mm/kmemleak.c linux-2.6.32.49/mm/kmemleak.c
73174 --- linux-2.6.32.49/mm/kmemleak.c 2011-11-08 19:02:43.000000000 -0500
73175 +++ linux-2.6.32.49/mm/kmemleak.c 2011-11-15 19:59:43.000000000 -0500
73176 @@ -358,7 +358,7 @@ static void print_unreferenced(struct se
73177
73178 for (i = 0; i < object->trace_len; i++) {
73179 void *ptr = (void *)object->trace[i];
73180 - seq_printf(seq, " [<%p>] %pS\n", ptr, ptr);
73181 + seq_printf(seq, " [<%p>] %pA\n", ptr, ptr);
73182 }
73183 }
73184
73185 diff -urNp linux-2.6.32.49/mm/maccess.c linux-2.6.32.49/mm/maccess.c
73186 --- linux-2.6.32.49/mm/maccess.c 2011-11-08 19:02:43.000000000 -0500
73187 +++ linux-2.6.32.49/mm/maccess.c 2011-11-15 19:59:43.000000000 -0500
73188 @@ -14,7 +14,7 @@
73189 * Safely read from address @src to the buffer at @dst. If a kernel fault
73190 * happens, handle that and return -EFAULT.
73191 */
73192 -long probe_kernel_read(void *dst, void *src, size_t size)
73193 +long probe_kernel_read(void *dst, const void *src, size_t size)
73194 {
73195 long ret;
73196 mm_segment_t old_fs = get_fs();
73197 @@ -22,7 +22,7 @@ long probe_kernel_read(void *dst, void *
73198 set_fs(KERNEL_DS);
73199 pagefault_disable();
73200 ret = __copy_from_user_inatomic(dst,
73201 - (__force const void __user *)src, size);
73202 + (const void __force_user *)src, size);
73203 pagefault_enable();
73204 set_fs(old_fs);
73205
73206 @@ -39,14 +39,14 @@ EXPORT_SYMBOL_GPL(probe_kernel_read);
73207 * Safely write to address @dst from the buffer at @src. If a kernel fault
73208 * happens, handle that and return -EFAULT.
73209 */
73210 -long notrace __weak probe_kernel_write(void *dst, void *src, size_t size)
73211 +long notrace __weak probe_kernel_write(void *dst, const void *src, size_t size)
73212 {
73213 long ret;
73214 mm_segment_t old_fs = get_fs();
73215
73216 set_fs(KERNEL_DS);
73217 pagefault_disable();
73218 - ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
73219 + ret = __copy_to_user_inatomic((void __force_user *)dst, src, size);
73220 pagefault_enable();
73221 set_fs(old_fs);
73222
73223 diff -urNp linux-2.6.32.49/mm/madvise.c linux-2.6.32.49/mm/madvise.c
73224 --- linux-2.6.32.49/mm/madvise.c 2011-11-08 19:02:43.000000000 -0500
73225 +++ linux-2.6.32.49/mm/madvise.c 2011-11-15 19:59:43.000000000 -0500
73226 @@ -44,6 +44,10 @@ static long madvise_behavior(struct vm_a
73227 pgoff_t pgoff;
73228 unsigned long new_flags = vma->vm_flags;
73229
73230 +#ifdef CONFIG_PAX_SEGMEXEC
73231 + struct vm_area_struct *vma_m;
73232 +#endif
73233 +
73234 switch (behavior) {
73235 case MADV_NORMAL:
73236 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
73237 @@ -103,6 +107,13 @@ success:
73238 /*
73239 * vm_flags is protected by the mmap_sem held in write mode.
73240 */
73241 +
73242 +#ifdef CONFIG_PAX_SEGMEXEC
73243 + vma_m = pax_find_mirror_vma(vma);
73244 + if (vma_m)
73245 + vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
73246 +#endif
73247 +
73248 vma->vm_flags = new_flags;
73249
73250 out:
73251 @@ -161,6 +172,11 @@ static long madvise_dontneed(struct vm_a
73252 struct vm_area_struct ** prev,
73253 unsigned long start, unsigned long end)
73254 {
73255 +
73256 +#ifdef CONFIG_PAX_SEGMEXEC
73257 + struct vm_area_struct *vma_m;
73258 +#endif
73259 +
73260 *prev = vma;
73261 if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
73262 return -EINVAL;
73263 @@ -173,6 +189,21 @@ static long madvise_dontneed(struct vm_a
73264 zap_page_range(vma, start, end - start, &details);
73265 } else
73266 zap_page_range(vma, start, end - start, NULL);
73267 +
73268 +#ifdef CONFIG_PAX_SEGMEXEC
73269 + vma_m = pax_find_mirror_vma(vma);
73270 + if (vma_m) {
73271 + if (unlikely(vma->vm_flags & VM_NONLINEAR)) {
73272 + struct zap_details details = {
73273 + .nonlinear_vma = vma_m,
73274 + .last_index = ULONG_MAX,
73275 + };
73276 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, &details);
73277 + } else
73278 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
73279 + }
73280 +#endif
73281 +
73282 return 0;
73283 }
73284
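Review bot: The mirror range is zapped with `zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, ...)`, that is, with the original `vma` although the addresses belong to `vma_m`. Only the nonlinear branch mentions `vma_m` at all, in `details.nonlinear_vma`. If this relies on `zap_page_range` walking forward from the vma it is given, a comment should say so; otherwise passing `vma_m` would state the intent directly. The nonlinear test reads `vma->vm_flags` rather than `vma_m->vm_flags`, which holds only while the mirror carries the same VM_NONLINEAR bit.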
73285 @@ -359,6 +390,16 @@ SYSCALL_DEFINE3(madvise, unsigned long,
73286 if (end < start)
73287 goto out;
73288
73289 +#ifdef CONFIG_PAX_SEGMEXEC
73290 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
73291 + if (end > SEGMEXEC_TASK_SIZE)
73292 + goto out;
73293 + } else
73294 +#endif
73295 +
73296 + if (end > TASK_SIZE)
73297 + goto out;
73298 +
73299 error = 0;
73300 if (end == start)
73301 goto out;
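Review bot: The bounds check added to the madvise syscall hangs an `else` across the `#endif`, so the `if (end > TASK_SIZE)` after the blank line is the else-branch only when CONFIG_PAX_SEGMEXEC is set. Any statement later inserted between the `#endif` and that `if` would silently change which tasks get the TASK_SIZE check. A flatter form avoids the coupling: `if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && end > SEGMEXEC_TASK_SIZE) goto out;` inside the `#ifdef`, followed by an unconditional `if (end > TASK_SIZE) goto out;`. That is equivalent as long as SEGMEXEC_TASK_SIZE does not exceed TASK_SIZE, which the mirroring arithmetic elsewhere in this patch appears to assume. The syscall body starts and ends outside the hunk.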
73302 diff -urNp linux-2.6.32.49/mm/memory.c linux-2.6.32.49/mm/memory.c
73303 --- linux-2.6.32.49/mm/memory.c 2011-11-08 19:02:43.000000000 -0500
73304 +++ linux-2.6.32.49/mm/memory.c 2011-11-15 19:59:43.000000000 -0500
73305 @@ -187,8 +187,12 @@ static inline void free_pmd_range(struct
73306 return;
73307
73308 pmd = pmd_offset(pud, start);
73309 +
73310 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)
73311 pud_clear(pud);
73312 pmd_free_tlb(tlb, pmd, start);
73313 +#endif
73314 +
73315 }
73316
73317 static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
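Review bot: In `free_pmd_range` the `pmd = pmd_offset(pud, start);` assignment stays outside the new `#if`, so with CONFIG_X86_32 and CONFIG_PAX_PER_CPU_PGD both set it becomes a dead store. The matching hunk for `free_pud_range` moves `pud = pud_offset(pgd, start);` inside the guard, so moving the assignment inside the `#if` here too would keep the two functions parallel. Neither hunk says why the upper-level entry must not be cleared and freed in the per-CPU-PGD configuration; a one-line comment at each `#if` would help. Both function bodies start outside their hunks.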
73318 @@ -219,9 +223,12 @@ static inline void free_pud_range(struct
73319 if (end - 1 > ceiling - 1)
73320 return;
73321
73322 +#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD)
73323 pud = pud_offset(pgd, start);
73324 pgd_clear(pgd);
73325 pud_free_tlb(tlb, pud, start);
73326 +#endif
73327 +
73328 }
73329
73330 /*
73331 @@ -1251,10 +1258,10 @@ int __get_user_pages(struct task_struct
73332 (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
73333 i = 0;
73334
73335 - do {
73336 + while (nr_pages) {
73337 struct vm_area_struct *vma;
73338
73339 - vma = find_extend_vma(mm, start);
73340 + vma = find_vma(mm, start);
73341 if (!vma && in_gate_area(tsk, start)) {
73342 unsigned long pg = start & PAGE_MASK;
73343 struct vm_area_struct *gate_vma = get_gate_vma(tsk);
73344 @@ -1306,7 +1313,7 @@ int __get_user_pages(struct task_struct
73345 continue;
73346 }
73347
73348 - if (!vma ||
73349 + if (!vma || start < vma->vm_start ||
73350 (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
73351 !(vm_flags & vma->vm_flags))
73352 return i ? : -EFAULT;
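Review bot: The added `start < vma->vm_start` test is what keeps the switch from find_extend_vma() to find_vma() in the previous hunk safe, because find_vma() can return a vma that begins above `start`, yet the line carries no comment. Something like `/* find_vma() may return a vma above start; the stack is not expanded from here */` above the condition would keep a later cleanup from dropping it. Callers that relied on this path to grow the stack now get -EFAULT or a short count, which deserves a line in the function's header comment. __get_user_pages() starts and ends outside this hunk.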
73353 @@ -1381,7 +1388,7 @@ int __get_user_pages(struct task_struct
73354 start += PAGE_SIZE;
73355 nr_pages--;
73356 } while (nr_pages && start < vma->vm_end);
73357 - } while (nr_pages);
73358 + }
73359 return i;
73360 }
73361
73362 @@ -1526,6 +1533,10 @@ static int insert_page(struct vm_area_st
73363 page_add_file_rmap(page);
73364 set_pte_at(mm, addr, pte, mk_pte(page, prot));
73365
73366 +#ifdef CONFIG_PAX_SEGMEXEC
73367 + pax_mirror_file_pte(vma, addr, page, ptl);
73368 +#endif
73369 +
73370 retval = 0;
73371 pte_unmap_unlock(pte, ptl);
73372 return retval;
73373 @@ -1560,10 +1571,22 @@ out:
73374 int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
73375 struct page *page)
73376 {
73377 +
73378 +#ifdef CONFIG_PAX_SEGMEXEC
73379 + struct vm_area_struct *vma_m;
73380 +#endif
73381 +
73382 if (addr < vma->vm_start || addr >= vma->vm_end)
73383 return -EFAULT;
73384 if (!page_count(page))
73385 return -EINVAL;
73386 +
73387 +#ifdef CONFIG_PAX_SEGMEXEC
73388 + vma_m = pax_find_mirror_vma(vma);
73389 + if (vma_m)
73390 + vma_m->vm_flags |= VM_INSERTPAGE;
73391 +#endif
73392 +
73393 vma->vm_flags |= VM_INSERTPAGE;
73394 return insert_page(vma, addr, page, vma->vm_page_prot);
73395 }
73396 @@ -1649,6 +1672,7 @@ int vm_insert_mixed(struct vm_area_struc
73397 unsigned long pfn)
73398 {
73399 BUG_ON(!(vma->vm_flags & VM_MIXEDMAP));
73400 + BUG_ON(vma->vm_mirror);
73401
73402 if (addr < vma->vm_start || addr >= vma->vm_end)
73403 return -EFAULT;
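Review bot: `BUG_ON(vma->vm_mirror)` is the one mirror reference in this file's hunks that sits outside `#ifdef CONFIG_PAX_SEGMEXEC`, and it has no comment saying why a VM_MIXEDMAP vma must never be mirrored. If `vm_mirror` is declared only under that option (the declaration is not visible here), the line does not build without it. Either way a short comment stating the invariant would help the next reader. Since the function already returns -EFAULT for a bad address just below, returning an error for a mirrored vma may be preferable to halting, if the callers can handle it. remove_vma() in mm/mmap.c gains the same unguarded assertion.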
73404 @@ -1977,6 +2001,186 @@ static inline void cow_user_page(struct
73405 copy_user_highpage(dst, src, va, vma);
73406 }
73407
73408 +#ifdef CONFIG_PAX_SEGMEXEC
73409 +static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
73410 +{
73411 + struct mm_struct *mm = vma->vm_mm;
73412 + spinlock_t *ptl;
73413 + pte_t *pte, entry;
73414 +
73415 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
73416 + entry = *pte;
73417 + if (!pte_present(entry)) {
73418 + if (!pte_none(entry)) {
73419 + BUG_ON(pte_file(entry));
73420 + free_swap_and_cache(pte_to_swp_entry(entry));
73421 + pte_clear_not_present_full(mm, address, pte, 0);
73422 + }
73423 + } else {
73424 + struct page *page;
73425 +
73426 + flush_cache_page(vma, address, pte_pfn(entry));
73427 + entry = ptep_clear_flush(vma, address, pte);
73428 + BUG_ON(pte_dirty(entry));
73429 + page = vm_normal_page(vma, address, entry);
73430 + if (page) {
73431 + update_hiwater_rss(mm);
73432 + if (PageAnon(page))
73433 + dec_mm_counter(mm, anon_rss);
73434 + else
73435 + dec_mm_counter(mm, file_rss);
73436 + page_remove_rmap(page);
73437 + page_cache_release(page);
73438 + }
73439 + }
73440 + pte_unmap_unlock(pte, ptl);
73441 +}
73442 +
73443 +/* PaX: if vma is mirrored, synchronize the mirror's PTE
73444 + *
73445 + * the ptl of the lower mapped page is held on entry and is not released on exit
73446 + * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
73447 + */
73448 +static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
73449 +{
73450 + struct mm_struct *mm = vma->vm_mm;
73451 + unsigned long address_m;
73452 + spinlock_t *ptl_m;
73453 + struct vm_area_struct *vma_m;
73454 + pmd_t *pmd_m;
73455 + pte_t *pte_m, entry_m;
73456 +
73457 + BUG_ON(!page_m || !PageAnon(page_m));
73458 +
73459 + vma_m = pax_find_mirror_vma(vma);
73460 + if (!vma_m)
73461 + return;
73462 +
73463 + BUG_ON(!PageLocked(page_m));
73464 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
73465 + address_m = address + SEGMEXEC_TASK_SIZE;
73466 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
73467 + pte_m = pte_offset_map_nested(pmd_m, address_m);
73468 + ptl_m = pte_lockptr(mm, pmd_m);
73469 + if (ptl != ptl_m) {
73470 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
73471 + if (!pte_none(*pte_m))
73472 + goto out;
73473 + }
73474 +
73475 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
73476 + page_cache_get(page_m);
73477 + page_add_anon_rmap(page_m, vma_m, address_m);
73478 + inc_mm_counter(mm, anon_rss);
73479 + set_pte_at(mm, address_m, pte_m, entry_m);
73480 + update_mmu_cache(vma_m, address_m, entry_m);
73481 +out:
73482 + if (ptl != ptl_m)
73483 + spin_unlock(ptl_m);
73484 + pte_unmap_nested(pte_m);
73485 + unlock_page(page_m);
73486 +}
73487 +
73488 +void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
73489 +{
73490 + struct mm_struct *mm = vma->vm_mm;
73491 + unsigned long address_m;
73492 + spinlock_t *ptl_m;
73493 + struct vm_area_struct *vma_m;
73494 + pmd_t *pmd_m;
73495 + pte_t *pte_m, entry_m;
73496 +
73497 + BUG_ON(!page_m || PageAnon(page_m));
73498 +
73499 + vma_m = pax_find_mirror_vma(vma);
73500 + if (!vma_m)
73501 + return;
73502 +
73503 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
73504 + address_m = address + SEGMEXEC_TASK_SIZE;
73505 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
73506 + pte_m = pte_offset_map_nested(pmd_m, address_m);
73507 + ptl_m = pte_lockptr(mm, pmd_m);
73508 + if (ptl != ptl_m) {
73509 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
73510 + if (!pte_none(*pte_m))
73511 + goto out;
73512 + }
73513 +
73514 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
73515 + page_cache_get(page_m);
73516 + page_add_file_rmap(page_m);
73517 + inc_mm_counter(mm, file_rss);
73518 + set_pte_at(mm, address_m, pte_m, entry_m);
73519 + update_mmu_cache(vma_m, address_m, entry_m);
73520 +out:
73521 + if (ptl != ptl_m)
73522 + spin_unlock(ptl_m);
73523 + pte_unmap_nested(pte_m);
73524 +}
73525 +
73526 +static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
73527 +{
73528 + struct mm_struct *mm = vma->vm_mm;
73529 + unsigned long address_m;
73530 + spinlock_t *ptl_m;
73531 + struct vm_area_struct *vma_m;
73532 + pmd_t *pmd_m;
73533 + pte_t *pte_m, entry_m;
73534 +
73535 + vma_m = pax_find_mirror_vma(vma);
73536 + if (!vma_m)
73537 + return;
73538 +
73539 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
73540 + address_m = address + SEGMEXEC_TASK_SIZE;
73541 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
73542 + pte_m = pte_offset_map_nested(pmd_m, address_m);
73543 + ptl_m = pte_lockptr(mm, pmd_m);
73544 + if (ptl != ptl_m) {
73545 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
73546 + if (!pte_none(*pte_m))
73547 + goto out;
73548 + }
73549 +
73550 + entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
73551 + set_pte_at(mm, address_m, pte_m, entry_m);
73552 +out:
73553 + if (ptl != ptl_m)
73554 + spin_unlock(ptl_m);
73555 + pte_unmap_nested(pte_m);
73556 +}
73557 +
73558 +static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
73559 +{
73560 + struct page *page_m;
73561 + pte_t entry;
73562 +
73563 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
73564 + goto out;
73565 +
73566 + entry = *pte;
73567 + page_m = vm_normal_page(vma, address, entry);
73568 + if (!page_m)
73569 + pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
73570 + else if (PageAnon(page_m)) {
73571 + if (pax_find_mirror_vma(vma)) {
73572 + pte_unmap_unlock(pte, ptl);
73573 + lock_page(page_m);
73574 + pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
73575 + if (pte_same(entry, *pte))
73576 + pax_mirror_anon_pte(vma, address, page_m, ptl);
73577 + else
73578 + unlock_page(page_m);
73579 + }
73580 + } else
73581 + pax_mirror_file_pte(vma, address, page_m, ptl);
73582 +
73583 +out:
73584 + pte_unmap_unlock(pte, ptl);
73585 +}
73586 +#endif
73587 +
73588 /*
73589 * This routine handles present pages, when users try to write
73590 * to a shared page. It is done by copying the page to a new address
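Review bot: The header comment of pax_mirror_anon_pte() describes the PTE lock but not the page lock, although the function ends with `unlock_page(page_m)` on its normal path and returns without unlocking when pax_find_mirror_vma() finds no mirror. That only balances because the callers added in the later hunks lock the page solely when a mirror exists, so the comment should say so, for example `the page is locked on entry iff vma is mirrored, and is unlocked here`. The `!pte_none(*pte_m)` re-check also runs only when `ptl != ptl_m`; a sentence on why the shared-lock case needs no check would help. pax_mirror_file_pte() and pax_mirror_pfn_pte() repeat the same address walk and locking and could share one helper.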
73591 @@ -2156,6 +2360,12 @@ gotten:
73592 */
73593 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
73594 if (likely(pte_same(*page_table, orig_pte))) {
73595 +
73596 +#ifdef CONFIG_PAX_SEGMEXEC
73597 + if (pax_find_mirror_vma(vma))
73598 + BUG_ON(!trylock_page(new_page));
73599 +#endif
73600 +
73601 if (old_page) {
73602 if (!PageAnon(old_page)) {
73603 dec_mm_counter(mm, file_rss);
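Review bot: `BUG_ON(!trylock_page(new_page))` puts the lock acquisition inside an assertion, so the only statement that takes the page lock reads like a check. Writing it as `if (pax_find_mirror_vma(vma) && !trylock_page(new_page))` followed by `BUG();` keeps the side effect visible. A comment on why the trylock cannot fail (presumably because the page is new and not yet reachable by anyone else) would justify the BUG. The same form is added in the do_anonymous_page() and __do_fault() hunks. The enclosing function starts and ends outside this hunk.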
73604 @@ -2207,6 +2417,10 @@ gotten:
73605 page_remove_rmap(old_page);
73606 }
73607
73608 +#ifdef CONFIG_PAX_SEGMEXEC
73609 + pax_mirror_anon_pte(vma, address, new_page, ptl);
73610 +#endif
73611 +
73612 /* Free the old page.. */
73613 new_page = old_page;
73614 ret |= VM_FAULT_WRITE;
73615 @@ -2606,6 +2820,11 @@ static int do_swap_page(struct mm_struct
73616 swap_free(entry);
73617 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
73618 try_to_free_swap(page);
73619 +
73620 +#ifdef CONFIG_PAX_SEGMEXEC
73621 + if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
73622 +#endif
73623 +
73624 unlock_page(page);
73625
73626 if (flags & FAULT_FLAG_WRITE) {
73627 @@ -2617,6 +2836,11 @@ static int do_swap_page(struct mm_struct
73628
73629 /* No need to invalidate - it was non-present before */
73630 update_mmu_cache(vma, address, pte);
73631 +
73632 +#ifdef CONFIG_PAX_SEGMEXEC
73633 + pax_mirror_anon_pte(vma, address, page, ptl);
73634 +#endif
73635 +
73636 unlock:
73637 pte_unmap_unlock(page_table, ptl);
73638 out:
73639 @@ -2632,40 +2856,6 @@ out_release:
73640 }
73641
73642 /*
73643 - * This is like a special single-page "expand_{down|up}wards()",
73644 - * except we must first make sure that 'address{-|+}PAGE_SIZE'
73645 - * doesn't hit another vma.
73646 - */
73647 -static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
73648 -{
73649 - address &= PAGE_MASK;
73650 - if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
73651 - struct vm_area_struct *prev = vma->vm_prev;
73652 -
73653 - /*
73654 - * Is there a mapping abutting this one below?
73655 - *
73656 - * That's only ok if it's the same stack mapping
73657 - * that has gotten split..
73658 - */
73659 - if (prev && prev->vm_end == address)
73660 - return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
73661 -
73662 - expand_stack(vma, address - PAGE_SIZE);
73663 - }
73664 - if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
73665 - struct vm_area_struct *next = vma->vm_next;
73666 -
73667 - /* As VM_GROWSDOWN but s/below/above/ */
73668 - if (next && next->vm_start == address + PAGE_SIZE)
73669 - return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
73670 -
73671 - expand_upwards(vma, address + PAGE_SIZE);
73672 - }
73673 - return 0;
73674 -}
73675 -
73676 -/*
73677 * We enter with non-exclusive mmap_sem (to exclude vma changes,
73678 * but allow concurrent faults), and pte mapped but not yet locked.
73679 * We return with mmap_sem still held, but pte unmapped and unlocked.
73680 @@ -2674,27 +2864,23 @@ static int do_anonymous_page(struct mm_s
73681 unsigned long address, pte_t *page_table, pmd_t *pmd,
73682 unsigned int flags)
73683 {
73684 - struct page *page;
73685 + struct page *page = NULL;
73686 spinlock_t *ptl;
73687 pte_t entry;
73688
73689 - pte_unmap(page_table);
73690 -
73691 - /* Check if we need to add a guard page to the stack */
73692 - if (check_stack_guard_page(vma, address) < 0)
73693 - return VM_FAULT_SIGBUS;
73694 -
73695 - /* Use the zero-page for reads */
73696 if (!(flags & FAULT_FLAG_WRITE)) {
73697 entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
73698 vma->vm_page_prot));
73699 - page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
73700 + ptl = pte_lockptr(mm, pmd);
73701 + spin_lock(ptl);
73702 if (!pte_none(*page_table))
73703 goto unlock;
73704 goto setpte;
73705 }
73706
73707 /* Allocate our own private page. */
73708 + pte_unmap(page_table);
73709 +
73710 if (unlikely(anon_vma_prepare(vma)))
73711 goto oom;
73712 page = alloc_zeroed_user_highpage_movable(vma, address);
73713 @@ -2713,6 +2899,11 @@ static int do_anonymous_page(struct mm_s
73714 if (!pte_none(*page_table))
73715 goto release;
73716
73717 +#ifdef CONFIG_PAX_SEGMEXEC
73718 + if (pax_find_mirror_vma(vma))
73719 + BUG_ON(!trylock_page(page));
73720 +#endif
73721 +
73722 inc_mm_counter(mm, anon_rss);
73723 page_add_new_anon_rmap(page, vma, address);
73724 setpte:
73725 @@ -2720,6 +2911,12 @@ setpte:
73726
73727 /* No need to invalidate - it was non-present before */
73728 update_mmu_cache(vma, address, entry);
73729 +
73730 +#ifdef CONFIG_PAX_SEGMEXEC
73731 + if (page)
73732 + pax_mirror_anon_pte(vma, address, page, ptl);
73733 +#endif
73734 +
73735 unlock:
73736 pte_unmap_unlock(page_table, ptl);
73737 return 0;
73738 @@ -2862,6 +3059,12 @@ static int __do_fault(struct mm_struct *
73739 */
73740 /* Only go through if we didn't race with anybody else... */
73741 if (likely(pte_same(*page_table, orig_pte))) {
73742 +
73743 +#ifdef CONFIG_PAX_SEGMEXEC
73744 + if (anon && pax_find_mirror_vma(vma))
73745 + BUG_ON(!trylock_page(page));
73746 +#endif
73747 +
73748 flush_icache_page(vma, page);
73749 entry = mk_pte(page, vma->vm_page_prot);
73750 if (flags & FAULT_FLAG_WRITE)
73751 @@ -2881,6 +3084,14 @@ static int __do_fault(struct mm_struct *
73752
73753 /* no need to invalidate: a not-present page won't be cached */
73754 update_mmu_cache(vma, address, entry);
73755 +
73756 +#ifdef CONFIG_PAX_SEGMEXEC
73757 + if (anon)
73758 + pax_mirror_anon_pte(vma, address, page, ptl);
73759 + else
73760 + pax_mirror_file_pte(vma, address, page, ptl);
73761 +#endif
73762 +
73763 } else {
73764 if (charged)
73765 mem_cgroup_uncharge_page(page);
73766 @@ -3028,6 +3239,12 @@ static inline int handle_pte_fault(struc
73767 if (flags & FAULT_FLAG_WRITE)
73768 flush_tlb_page(vma, address);
73769 }
73770 +
73771 +#ifdef CONFIG_PAX_SEGMEXEC
73772 + pax_mirror_pte(vma, address, pte, pmd, ptl);
73773 + return 0;
73774 +#endif
73775 +
73776 unlock:
73777 pte_unmap_unlock(pte, ptl);
73778 return 0;
73779 @@ -3044,6 +3261,10 @@ int handle_mm_fault(struct mm_struct *mm
73780 pmd_t *pmd;
73781 pte_t *pte;
73782
73783 +#ifdef CONFIG_PAX_SEGMEXEC
73784 + struct vm_area_struct *vma_m;
73785 +#endif
73786 +
73787 __set_current_state(TASK_RUNNING);
73788
73789 count_vm_event(PGFAULT);
73790 @@ -3051,6 +3272,34 @@ int handle_mm_fault(struct mm_struct *mm
73791 if (unlikely(is_vm_hugetlb_page(vma)))
73792 return hugetlb_fault(mm, vma, address, flags);
73793
73794 +#ifdef CONFIG_PAX_SEGMEXEC
73795 + vma_m = pax_find_mirror_vma(vma);
73796 + if (vma_m) {
73797 + unsigned long address_m;
73798 + pgd_t *pgd_m;
73799 + pud_t *pud_m;
73800 + pmd_t *pmd_m;
73801 +
73802 + if (vma->vm_start > vma_m->vm_start) {
73803 + address_m = address;
73804 + address -= SEGMEXEC_TASK_SIZE;
73805 + vma = vma_m;
73806 + } else
73807 + address_m = address + SEGMEXEC_TASK_SIZE;
73808 +
73809 + pgd_m = pgd_offset(mm, address_m);
73810 + pud_m = pud_alloc(mm, pgd_m, address_m);
73811 + if (!pud_m)
73812 + return VM_FAULT_OOM;
73813 + pmd_m = pmd_alloc(mm, pud_m, address_m);
73814 + if (!pmd_m)
73815 + return VM_FAULT_OOM;
73816 + if (!pmd_present(*pmd_m) && __pte_alloc(mm, pmd_m, address_m))
73817 + return VM_FAULT_OOM;
73818 + pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
73819 + }
73820 +#endif
73821 +
73822 pgd = pgd_offset(mm, address);
73823 pud = pud_alloc(mm, pgd, address);
73824 if (!pud)
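Review bot: When the fault hits the upper mapping, the branch ending in `vma = vma_m;` leaves both `vma` and `vma_m` pointing at the lower vma, so `pax_unmap_mirror_pte(vma_m, address_m, pmd_m)` is called with the lower vma and the upper address. pax_unmap_mirror_pte() hands that vma to flush_cache_page(), ptep_clear_flush() and vm_normal_page(); whether the mismatch matters depends on what those read from the vma, which is not visible here. Exchanging `vma` and `vma_m` through a temporary in that branch, or a comment stating that either vma of the pair is acceptable, would settle it. handle_mm_fault() starts and ends outside this hunk.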
73825 @@ -3148,7 +3397,7 @@ static int __init gate_vma_init(void)
73826 gate_vma.vm_start = FIXADDR_USER_START;
73827 gate_vma.vm_end = FIXADDR_USER_END;
73828 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
73829 - gate_vma.vm_page_prot = __P101;
73830 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
73831 /*
73832 * Make sure the vDSO gets into every core dump.
73833 * Dumping its contents makes post-mortem fully interpretable later
73834 diff -urNp linux-2.6.32.49/mm/memory-failure.c linux-2.6.32.49/mm/memory-failure.c
73835 --- linux-2.6.32.49/mm/memory-failure.c 2011-11-08 19:02:43.000000000 -0500
73836 +++ linux-2.6.32.49/mm/memory-failure.c 2011-11-15 19:59:43.000000000 -0500
73837 @@ -46,7 +46,7 @@ int sysctl_memory_failure_early_kill __r
73838
73839 int sysctl_memory_failure_recovery __read_mostly = 1;
73840
73841 -atomic_long_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
73842 +atomic_long_unchecked_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
73843
73844 /*
73845 * Send all the processes who have the page mapped an ``action optional''
73846 @@ -64,7 +64,7 @@ static int kill_proc_ao(struct task_stru
73847 si.si_signo = SIGBUS;
73848 si.si_errno = 0;
73849 si.si_code = BUS_MCEERR_AO;
73850 - si.si_addr = (void *)addr;
73851 + si.si_addr = (void __user *)addr;
73852 #ifdef __ARCH_SI_TRAPNO
73853 si.si_trapno = trapno;
73854 #endif
73855 @@ -745,7 +745,7 @@ int __memory_failure(unsigned long pfn,
73856 return 0;
73857 }
73858
73859 - atomic_long_add(1, &mce_bad_pages);
73860 + atomic_long_add_unchecked(1, &mce_bad_pages);
73861
73862 /*
73863 * We need/can do nothing about count=0 pages.
73864 diff -urNp linux-2.6.32.49/mm/mempolicy.c linux-2.6.32.49/mm/mempolicy.c
73865 --- linux-2.6.32.49/mm/mempolicy.c 2011-11-08 19:02:43.000000000 -0500
73866 +++ linux-2.6.32.49/mm/mempolicy.c 2011-11-15 19:59:43.000000000 -0500
73867 @@ -573,6 +573,10 @@ static int mbind_range(struct vm_area_st
73868 struct vm_area_struct *next;
73869 int err;
73870
73871 +#ifdef CONFIG_PAX_SEGMEXEC
73872 + struct vm_area_struct *vma_m;
73873 +#endif
73874 +
73875 err = 0;
73876 for (; vma && vma->vm_start < end; vma = next) {
73877 next = vma->vm_next;
73878 @@ -584,6 +588,16 @@ static int mbind_range(struct vm_area_st
73879 err = policy_vma(vma, new);
73880 if (err)
73881 break;
73882 +
73883 +#ifdef CONFIG_PAX_SEGMEXEC
73884 + vma_m = pax_find_mirror_vma(vma);
73885 + if (vma_m) {
73886 + err = policy_vma(vma_m, new);
73887 + if (err)
73888 + break;
73889 + }
73890 +#endif
73891 +
73892 }
73893 return err;
73894 }
73895 @@ -1002,6 +1016,17 @@ static long do_mbind(unsigned long start
73896
73897 if (end < start)
73898 return -EINVAL;
73899 +
73900 +#ifdef CONFIG_PAX_SEGMEXEC
73901 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
73902 + if (end > SEGMEXEC_TASK_SIZE)
73903 + return -EINVAL;
73904 + } else
73905 +#endif
73906 +
73907 + if (end > TASK_SIZE)
73908 + return -EINVAL;
73909 +
73910 if (end == start)
73911 return 0;
73912
73913 @@ -1207,6 +1232,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
73914 if (!mm)
73915 return -EINVAL;
73916
73917 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
73918 + if (mm != current->mm &&
73919 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
73920 + err = -EPERM;
73921 + goto out;
73922 + }
73923 +#endif
73924 +
73925 /*
73926 * Check if this process has the right to modify the specified
73927 * process. The right exists if the process has administrative
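Review bot: The added test returns -EPERM before the credential check that follows, so it also applies to callers holding CAP_SYS_NICE, and no comment says that this is intended. A line such as `/* refuse any foreign mm with RANDMMAP or SEGMEXEC set, regardless of capabilities */` would record it. The condition can also be written with a single mask, `(mm->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC))`. The identical block is added to move_pages in mm/migrate.c, so the two could share a small helper.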
73928 @@ -1216,8 +1249,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
73929 rcu_read_lock();
73930 tcred = __task_cred(task);
73931 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
73932 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
73933 - !capable(CAP_SYS_NICE)) {
73934 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
73935 rcu_read_unlock();
73936 err = -EPERM;
73937 goto out;
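Review bot: Dropping `cred->uid != tcred->uid` means a caller whose real uid equals the target's real uid is no longer accepted on that basis alone, but the comment block introducing the check is not touched. That comment begins in the previous hunk's context and continues outside both hunks. If it still describes the old rule it should be updated alongside, listing exactly the euid/suid, euid/uid and uid/suid matches that remain. The same edit is made to move_pages in mm/migrate.c.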
73938 @@ -2396,7 +2428,7 @@ int show_numa_map(struct seq_file *m, vo
73939
73940 if (file) {
73941 seq_printf(m, " file=");
73942 - seq_path(m, &file->f_path, "\n\t= ");
73943 + seq_path(m, &file->f_path, "\n\t\\= ");
73944 } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
73945 seq_printf(m, " heap");
73946 } else if (vma->vm_start <= mm->start_stack &&
73947 diff -urNp linux-2.6.32.49/mm/migrate.c linux-2.6.32.49/mm/migrate.c
73948 --- linux-2.6.32.49/mm/migrate.c 2011-11-08 19:02:43.000000000 -0500
73949 +++ linux-2.6.32.49/mm/migrate.c 2011-11-15 19:59:43.000000000 -0500
73950 @@ -916,6 +916,8 @@ static int do_pages_move(struct mm_struc
73951 unsigned long chunk_start;
73952 int err;
73953
73954 + pax_track_stack();
73955 +
73956 task_nodes = cpuset_mems_allowed(task);
73957
73958 err = -ENOMEM;
73959 @@ -1106,6 +1108,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
73960 if (!mm)
73961 return -EINVAL;
73962
73963 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
73964 + if (mm != current->mm &&
73965 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
73966 + err = -EPERM;
73967 + goto out;
73968 + }
73969 +#endif
73970 +
73971 /*
73972 * Check if this process has the right to modify the specified
73973 * process. The right exists if the process has administrative
73974 @@ -1115,8 +1125,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
73975 rcu_read_lock();
73976 tcred = __task_cred(task);
73977 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
73978 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
73979 - !capable(CAP_SYS_NICE)) {
73980 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
73981 rcu_read_unlock();
73982 err = -EPERM;
73983 goto out;
73984 diff -urNp linux-2.6.32.49/mm/mlock.c linux-2.6.32.49/mm/mlock.c
73985 --- linux-2.6.32.49/mm/mlock.c 2011-11-08 19:02:43.000000000 -0500
73986 +++ linux-2.6.32.49/mm/mlock.c 2011-11-15 19:59:43.000000000 -0500
73987 @@ -13,6 +13,7 @@
73988 #include <linux/pagemap.h>
73989 #include <linux/mempolicy.h>
73990 #include <linux/syscalls.h>
73991 +#include <linux/security.h>
73992 #include <linux/sched.h>
73993 #include <linux/module.h>
73994 #include <linux/rmap.h>
73995 @@ -138,13 +139,6 @@ void munlock_vma_page(struct page *page)
73996 }
73997 }
73998
73999 -static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr)
74000 -{
74001 - return (vma->vm_flags & VM_GROWSDOWN) &&
74002 - (vma->vm_start == addr) &&
74003 - !vma_stack_continue(vma->vm_prev, addr);
74004 -}
74005 -
74006 /**
74007 * __mlock_vma_pages_range() - mlock a range of pages in the vma.
74008 * @vma: target vma
74009 @@ -177,12 +171,6 @@ static long __mlock_vma_pages_range(stru
74010 if (vma->vm_flags & VM_WRITE)
74011 gup_flags |= FOLL_WRITE;
74012
74013 - /* We don't try to access the guard page of a stack vma */
74014 - if (stack_guard_page(vma, start)) {
74015 - addr += PAGE_SIZE;
74016 - nr_pages--;
74017 - }
74018 -
74019 while (nr_pages > 0) {
74020 int i;
74021
74022 @@ -440,7 +428,7 @@ static int do_mlock(unsigned long start,
74023 {
74024 unsigned long nstart, end, tmp;
74025 struct vm_area_struct * vma, * prev;
74026 - int error;
74027 + int error = -EINVAL;
74028
74029 len = PAGE_ALIGN(len);
74030 end = start + len;
74031 @@ -448,6 +436,9 @@ static int do_mlock(unsigned long start,
74032 return -EINVAL;
74033 if (end == start)
74034 return 0;
74035 + if (end > TASK_SIZE)
74036 + return -EINVAL;
74037 +
74038 vma = find_vma_prev(current->mm, start, &prev);
74039 if (!vma || vma->vm_start > start)
74040 return -ENOMEM;
74041 @@ -458,6 +449,11 @@ static int do_mlock(unsigned long start,
74042 for (nstart = start ; ; ) {
74043 unsigned int newflags;
74044
74045 +#ifdef CONFIG_PAX_SEGMEXEC
74046 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
74047 + break;
74048 +#endif
74049 +
74050 /* Here we know that vma->vm_start <= nstart < vma->vm_end. */
74051
74052 newflags = vma->vm_flags | VM_LOCKED;
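Review bot: For a SEGMEXEC task this loop stops with a bare `break` once `vma->vm_start >= SEGMEXEC_TASK_SIZE` and returns whatever `error` holds at that point, whereas the madvise and do_mbind hunks of this patch reject `end > SEGMEXEC_TASK_SIZE` up front with -EINVAL. The previous hunk checks only `end > TASK_SIZE`, so a range crossing the SEGMEXEC boundary is reported according to the last assignment to `error`, which may not be an error code (the rest of the loop is outside this hunk). Testing the SEGMEXEC limit next to the TASK_SIZE check, or setting `error = -EINVAL;` before the `break`, would make the three entry points agree.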
74053 @@ -507,6 +503,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, st
74054 lock_limit >>= PAGE_SHIFT;
74055
74056 /* check against resource limits */
74057 + gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
74058 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
74059 error = do_mlock(start, len, 1);
74060 up_write(&current->mm->mmap_sem);
74061 @@ -528,17 +525,23 @@ SYSCALL_DEFINE2(munlock, unsigned long,
74062 static int do_mlockall(int flags)
74063 {
74064 struct vm_area_struct * vma, * prev = NULL;
74065 - unsigned int def_flags = 0;
74066
74067 if (flags & MCL_FUTURE)
74068 - def_flags = VM_LOCKED;
74069 - current->mm->def_flags = def_flags;
74070 + current->mm->def_flags |= VM_LOCKED;
74071 + else
74072 + current->mm->def_flags &= ~VM_LOCKED;
74073 if (flags == MCL_FUTURE)
74074 goto out;
74075
74076 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
74077 - unsigned int newflags;
74078 + unsigned long newflags;
74079 +
74080 +#ifdef CONFIG_PAX_SEGMEXEC
74081 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
74082 + break;
74083 +#endif
74084
74085 + BUG_ON(vma->vm_end > TASK_SIZE);
74086 newflags = vma->vm_flags | VM_LOCKED;
74087 if (!(flags & MCL_CURRENT))
74088 newflags &= ~VM_LOCKED;
74089 @@ -570,6 +573,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
74090 lock_limit >>= PAGE_SHIFT;
74091
74092 ret = -ENOMEM;
74093 + gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
74094 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
74095 capable(CAP_IPC_LOCK))
74096 ret = do_mlockall(flags);
74097 diff -urNp linux-2.6.32.49/mm/mmap.c linux-2.6.32.49/mm/mmap.c
74098 --- linux-2.6.32.49/mm/mmap.c 2011-11-08 19:02:43.000000000 -0500
74099 +++ linux-2.6.32.49/mm/mmap.c 2011-11-15 19:59:43.000000000 -0500
74100 @@ -45,6 +45,16 @@
74101 #define arch_rebalance_pgtables(addr, len) (addr)
74102 #endif
74103
74104 +static inline void verify_mm_writelocked(struct mm_struct *mm)
74105 +{
74106 +#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
74107 + if (unlikely(down_read_trylock(&mm->mmap_sem))) {
74108 + up_read(&mm->mmap_sem);
74109 + BUG();
74110 + }
74111 +#endif
74112 +}
74113 +
74114 static void unmap_region(struct mm_struct *mm,
74115 struct vm_area_struct *vma, struct vm_area_struct *prev,
74116 unsigned long start, unsigned long end);
74117 @@ -70,22 +80,32 @@ static void unmap_region(struct mm_struc
74118 * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
74119 *
74120 */
74121 -pgprot_t protection_map[16] = {
74122 +pgprot_t protection_map[16] __read_only = {
74123 __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
74124 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
74125 };
74126
74127 pgprot_t vm_get_page_prot(unsigned long vm_flags)
74128 {
74129 - return __pgprot(pgprot_val(protection_map[vm_flags &
74130 + pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
74131 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
74132 pgprot_val(arch_vm_get_page_prot(vm_flags)));
74133 +
74134 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
74135 + if (!nx_enabled &&
74136 + (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
74137 + (vm_flags & (VM_READ | VM_WRITE)))
74138 + prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
74139 +#endif
74140 +
74141 + return prot;
74142 }
74143 EXPORT_SYMBOL(vm_get_page_prot);
74144
74145 int sysctl_overcommit_memory = OVERCOMMIT_GUESS; /* heuristic overcommit */
74146 int sysctl_overcommit_ratio = 50; /* default is 50% */
74147 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
74148 +unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024;
74149 struct percpu_counter vm_committed_as;
74150
74151 /*
74152 @@ -231,6 +251,7 @@ static struct vm_area_struct *remove_vma
74153 struct vm_area_struct *next = vma->vm_next;
74154
74155 might_sleep();
74156 + BUG_ON(vma->vm_mirror);
74157 if (vma->vm_ops && vma->vm_ops->close)
74158 vma->vm_ops->close(vma);
74159 if (vma->vm_file) {
74160 @@ -267,6 +288,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
74161 * not page aligned -Ram Gupta
74162 */
74163 rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
74164 + gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
74165 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
74166 (mm->end_data - mm->start_data) > rlim)
74167 goto out;
74168 @@ -704,6 +726,12 @@ static int
74169 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
74170 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
74171 {
74172 +
74173 +#ifdef CONFIG_PAX_SEGMEXEC
74174 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
74175 + return 0;
74176 +#endif
74177 +
74178 if (is_mergeable_vma(vma, file, vm_flags) &&
74179 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
74180 if (vma->vm_pgoff == vm_pgoff)
74181 @@ -723,6 +751,12 @@ static int
74182 can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
74183 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
74184 {
74185 +
74186 +#ifdef CONFIG_PAX_SEGMEXEC
74187 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
74188 + return 0;
74189 +#endif
74190 +
74191 if (is_mergeable_vma(vma, file, vm_flags) &&
74192 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
74193 pgoff_t vm_pglen;
74194 @@ -765,12 +799,19 @@ can_vma_merge_after(struct vm_area_struc
74195 struct vm_area_struct *vma_merge(struct mm_struct *mm,
74196 struct vm_area_struct *prev, unsigned long addr,
74197 unsigned long end, unsigned long vm_flags,
74198 - struct anon_vma *anon_vma, struct file *file,
74199 + struct anon_vma *anon_vma, struct file *file,
74200 pgoff_t pgoff, struct mempolicy *policy)
74201 {
74202 pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
74203 struct vm_area_struct *area, *next;
74204
74205 +#ifdef CONFIG_PAX_SEGMEXEC
74206 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
74207 + struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
74208 +
74209 + BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
74210 +#endif
74211 +
74212 /*
74213 * We later require that vma->vm_flags == vm_flags,
74214 * so this tests vma->vm_flags & VM_SPECIAL, too.
74215 @@ -786,6 +827,15 @@ struct vm_area_struct *vma_merge(struct
74216 if (next && next->vm_end == end) /* cases 6, 7, 8 */
74217 next = next->vm_next;
74218
74219 +#ifdef CONFIG_PAX_SEGMEXEC
74220 + if (prev)
74221 + prev_m = pax_find_mirror_vma(prev);
74222 + if (area)
74223 + area_m = pax_find_mirror_vma(area);
74224 + if (next)
74225 + next_m = pax_find_mirror_vma(next);
74226 +#endif
74227 +
74228 /*
74229 * Can it merge with the predecessor?
74230 */
74231 @@ -805,9 +855,24 @@ struct vm_area_struct *vma_merge(struct
74232 /* cases 1, 6 */
74233 vma_adjust(prev, prev->vm_start,
74234 next->vm_end, prev->vm_pgoff, NULL);
74235 - } else /* cases 2, 5, 7 */
74236 +
74237 +#ifdef CONFIG_PAX_SEGMEXEC
74238 + if (prev_m)
74239 + vma_adjust(prev_m, prev_m->vm_start,
74240 + next_m->vm_end, prev_m->vm_pgoff, NULL);
74241 +#endif
74242 +
74243 + } else { /* cases 2, 5, 7 */
74244 vma_adjust(prev, prev->vm_start,
74245 end, prev->vm_pgoff, NULL);
74246 +
74247 +#ifdef CONFIG_PAX_SEGMEXEC
74248 + if (prev_m)
74249 + vma_adjust(prev_m, prev_m->vm_start,
74250 + end_m, prev_m->vm_pgoff, NULL);
74251 +#endif
74252 +
74253 + }
74254 return prev;
74255 }
74256
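Review bot: In the cases 1, 6 branch the mirror adjustment is guarded by `if (prev_m)` but dereferences `next_m->vm_end`, and `next_m` stays NULL whenever `next` has no mirror. The merge conditions outside this hunk may guarantee that prev and next are mirrored together, but nothing here enforces it; `if (prev_m && next_m)` or an explicit `BUG_ON(prev_m && !next_m)` would state the assumption. The next hunk has the same shape with `if (area_m)` and `next_m->vm_end`. vma_merge() starts and ends outside this hunk.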
74257 @@ -818,12 +883,27 @@ struct vm_area_struct *vma_merge(struct
74258 mpol_equal(policy, vma_policy(next)) &&
74259 can_vma_merge_before(next, vm_flags,
74260 anon_vma, file, pgoff+pglen)) {
74261 - if (prev && addr < prev->vm_end) /* case 4 */
74262 + if (prev && addr < prev->vm_end) { /* case 4 */
74263 vma_adjust(prev, prev->vm_start,
74264 addr, prev->vm_pgoff, NULL);
74265 - else /* cases 3, 8 */
74266 +
74267 +#ifdef CONFIG_PAX_SEGMEXEC
74268 + if (prev_m)
74269 + vma_adjust(prev_m, prev_m->vm_start,
74270 + addr_m, prev_m->vm_pgoff, NULL);
74271 +#endif
74272 +
74273 + } else { /* cases 3, 8 */
74274 vma_adjust(area, addr, next->vm_end,
74275 next->vm_pgoff - pglen, NULL);
74276 +
74277 +#ifdef CONFIG_PAX_SEGMEXEC
74278 + if (area_m)
74279 + vma_adjust(area_m, addr_m, next_m->vm_end,
74280 + next_m->vm_pgoff - pglen, NULL);
74281 +#endif
74282 +
74283 + }
74284 return area;
74285 }
74286
74287 @@ -898,14 +978,11 @@ none:
74288 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
74289 struct file *file, long pages)
74290 {
74291 - const unsigned long stack_flags
74292 - = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
74293 -
74294 if (file) {
74295 mm->shared_vm += pages;
74296 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
74297 mm->exec_vm += pages;
74298 - } else if (flags & stack_flags)
74299 + } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
74300 mm->stack_vm += pages;
74301 if (flags & (VM_RESERVED|VM_IO))
74302 mm->reserved_vm += pages;
74303 @@ -932,7 +1009,7 @@ unsigned long do_mmap_pgoff(struct file
74304 * (the exception is when the underlying filesystem is noexec
74305 * mounted, in which case we dont add PROT_EXEC.)
74306 */
74307 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
74308 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
74309 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
74310 prot |= PROT_EXEC;
74311
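Review bot: The widened test now adds PROT_EXEC to write-only requests when READ_IMPLIES_EXEC is set, but the comment above it appears to describe only PROT_READ (its opening lines are outside the hunk). The reason for including PROT_WRITE is not stated, and it matters because the resulting prot feeds the W+X handling added further down in do_mmap_pgoff. I would extend the comment with a line such as `PROT_WRITE is treated like PROT_READ here (presumably because writable implies readable on the affected architectures)`, corrected to the actual rationale.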
74312 @@ -958,7 +1035,7 @@ unsigned long do_mmap_pgoff(struct file
74313 /* Obtain the address to map to. we verify (or select) it and ensure
74314 * that it represents a valid section of the address space.
74315 */
74316 - addr = get_unmapped_area(file, addr, len, pgoff, flags);
74317 + addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
74318 if (addr & ~PAGE_MASK)
74319 return addr;
74320
74321 @@ -969,6 +1046,36 @@ unsigned long do_mmap_pgoff(struct file
74322 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
74323 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
74324
74325 +#ifdef CONFIG_PAX_MPROTECT
74326 + if (mm->pax_flags & MF_PAX_MPROTECT) {
74327 +#ifndef CONFIG_PAX_MPROTECT_COMPAT
74328 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) {
74329 + gr_log_rwxmmap(file);
74330 +
74331 +#ifdef CONFIG_PAX_EMUPLT
74332 + vm_flags &= ~VM_EXEC;
74333 +#else
74334 + return -EPERM;
74335 +#endif
74336 +
74337 + }
74338 +
74339 + if (!(vm_flags & VM_EXEC))
74340 + vm_flags &= ~VM_MAYEXEC;
74341 +#else
74342 + if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
74343 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
74344 +#endif
74345 + else
74346 + vm_flags &= ~VM_MAYWRITE;
74347 + }
74348 +#endif
74349 +
74350 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
74351 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
74352 + vm_flags &= ~VM_PAGEEXEC;
74353 +#endif
74354 +
74355 if (flags & MAP_LOCKED)
74356 if (!can_do_mlock())
74357 return -EPERM;
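Review bot: The trailing `else vm_flags &= ~VM_MAYWRITE;` after the inner `#endif` binds to a different `if` depending on CONFIG_PAX_MPROTECT_COMPAT: to `if (!(vm_flags & VM_EXEC))` in one build and to the `!= VM_EXEC` test in the other. That pairing is easy to break when either preprocessor arm is edited; bracing the final `if` of each arm and repeating the `else` inside both would make it explicit. Separately, with CONFIG_PAX_EMUPLT a W+X request is logged and then succeeds with VM_EXEC stripped instead of failing, which deserves a comment such as `/* EMUPLT: downgrade to non-executable instead of refusing */`. do_mmap_pgoff continues outside the hunk.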
74358 @@ -980,6 +1087,7 @@ unsigned long do_mmap_pgoff(struct file
74359 locked += mm->locked_vm;
74360 lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
74361 lock_limit >>= PAGE_SHIFT;
74362 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
74363 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
74364 return -EAGAIN;
74365 }
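Review bot: `locked << PAGE_SHIFT` converts a page count back to bytes before handing it to gr_learn_resource, and on a 32-bit kernel that shift can wrap when `locked` (the request plus mm->locked_vm) is large, so the learned value could be smaller than what was actually requested. The limit test below is unaffected because it compares in pages. If gr_learn_resource takes an unsigned long, which the hunk does not show, consider saturating with `locked > (ULONG_MAX >> PAGE_SHIFT) ? ULONG_MAX : locked << PAGE_SHIFT`. The same pattern appears in the acct_stack_growth and may_expand_vm hunks later in this file.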
74366 @@ -1053,6 +1161,9 @@ unsigned long do_mmap_pgoff(struct file
74367 if (error)
74368 return error;
74369
74370 + if (!gr_acl_handle_mmap(file, prot))
74371 + return -EACCES;
74372 +
74373 return mmap_region(file, addr, len, flags, vm_flags, pgoff);
74374 }
74375 EXPORT_SYMBOL(do_mmap_pgoff);
74376 @@ -1065,10 +1176,10 @@ EXPORT_SYMBOL(do_mmap_pgoff);
74377 */
74378 int vma_wants_writenotify(struct vm_area_struct *vma)
74379 {
74380 - unsigned int vm_flags = vma->vm_flags;
74381 + unsigned long vm_flags = vma->vm_flags;
74382
74383 /* If it was private or non-writable, the write bit is already clear */
74384 - if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
74385 + if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
74386 return 0;
74387
74388 /* The backer wishes to know when pages are first written to? */
74389 @@ -1117,14 +1228,24 @@ unsigned long mmap_region(struct file *f
74390 unsigned long charged = 0;
74391 struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
74392
74393 +#ifdef CONFIG_PAX_SEGMEXEC
74394 + struct vm_area_struct *vma_m = NULL;
74395 +#endif
74396 +
74397 + /*
74398 + * mm->mmap_sem is required to protect against another thread
74399 + * changing the mappings in case we sleep.
74400 + */
74401 + verify_mm_writelocked(mm);
74402 +
74403 /* Clear old maps */
74404 error = -ENOMEM;
74405 -munmap_back:
74406 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
74407 if (vma && vma->vm_start < addr + len) {
74408 if (do_munmap(mm, addr, len))
74409 return -ENOMEM;
74410 - goto munmap_back;
74411 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
74412 + BUG_ON(vma && vma->vm_start < addr + len);
74413 }
74414
74415 /* Check against address space limit. */
74416 @@ -1173,6 +1294,16 @@ munmap_back:
74417 goto unacct_error;
74418 }
74419
74420 +#ifdef CONFIG_PAX_SEGMEXEC
74421 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
74422 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
74423 + if (!vma_m) {
74424 + error = -ENOMEM;
74425 + goto free_vma;
74426 + }
74427 + }
74428 +#endif
74429 +
74430 vma->vm_mm = mm;
74431 vma->vm_start = addr;
74432 vma->vm_end = addr + len;
74433 @@ -1195,6 +1326,19 @@ munmap_back:
74434 error = file->f_op->mmap(file, vma);
74435 if (error)
74436 goto unmap_and_free_vma;
74437 +
74438 +#ifdef CONFIG_PAX_SEGMEXEC
74439 + if (vma_m && (vm_flags & VM_EXECUTABLE))
74440 + added_exe_file_vma(mm);
74441 +#endif
74442 +
74443 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
74444 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
74445 + vma->vm_flags |= VM_PAGEEXEC;
74446 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
74447 + }
74448 +#endif
74449 +
74450 if (vm_flags & VM_EXECUTABLE)
74451 added_exe_file_vma(mm);
74452
74453 @@ -1218,6 +1362,11 @@ munmap_back:
74454 vma_link(mm, vma, prev, rb_link, rb_parent);
74455 file = vma->vm_file;
74456
74457 +#ifdef CONFIG_PAX_SEGMEXEC
74458 + if (vma_m)
74459 + pax_mirror_vma(vma_m, vma);
74460 +#endif
74461 +
74462 /* Once vma denies write, undo our temporary denial count */
74463 if (correct_wcount)
74464 atomic_inc(&inode->i_writecount);
74465 @@ -1226,6 +1375,7 @@ out:
74466
74467 mm->total_vm += len >> PAGE_SHIFT;
74468 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
74469 + track_exec_limit(mm, addr, addr + len, vm_flags);
74470 if (vm_flags & VM_LOCKED) {
74471 /*
74472 * makes pages present; downgrades, drops, reacquires mmap_sem
74473 @@ -1248,6 +1398,12 @@ unmap_and_free_vma:
74474 unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
74475 charged = 0;
74476 free_vma:
74477 +
74478 +#ifdef CONFIG_PAX_SEGMEXEC
74479 + if (vma_m)
74480 + kmem_cache_free(vm_area_cachep, vma_m);
74481 +#endif
74482 +
74483 kmem_cache_free(vm_area_cachep, vma);
74484 unacct_error:
74485 if (charged)
74486 @@ -1255,6 +1411,44 @@ unacct_error:
74487 return error;
74488 }
74489
74490 +bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len)
74491 +{
74492 + if (!vma) {
74493 +#ifdef CONFIG_STACK_GROWSUP
74494 + if (addr > sysctl_heap_stack_gap)
74495 + vma = find_vma(current->mm, addr - sysctl_heap_stack_gap);
74496 + else
74497 + vma = find_vma(current->mm, 0);
74498 + if (vma && (vma->vm_flags & VM_GROWSUP))
74499 + return false;
74500 +#endif
74501 + return true;
74502 + }
74503 +
74504 + if (addr + len > vma->vm_start)
74505 + return false;
74506 +
74507 + if (vma->vm_flags & VM_GROWSDOWN)
74508 + return sysctl_heap_stack_gap <= vma->vm_start - addr - len;
74509 +#ifdef CONFIG_STACK_GROWSUP
74510 + else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP))
74511 + return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;
74512 +#endif
74513 +
74514 + return true;
74515 +}
74516 +
74517 +unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len)
74518 +{
74519 + if (vma->vm_start < len)
74520 + return -ENOMEM;
74521 + if (!(vma->vm_flags & VM_GROWSDOWN))
74522 + return vma->vm_start - len;
74523 + if (sysctl_heap_stack_gap <= vma->vm_start - len)
74524 + return vma->vm_start - len - sysctl_heap_stack_gap;
74525 + return -ENOMEM;
74526 +}
74527 +
74528 /* Get an address range which is currently unmapped.
74529 * For shmat() with addr=0.
74530 *
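Review bot: In check_heap_stack_gap the CONFIG_STACK_GROWSUP branch reads as inverted: `return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;` accepts the address when it lies within the gap of the upward-growing area and rejects it when it is farther away. That is the opposite of the VM_GROWSDOWN branch just above, which returns true only when at least sysctl_heap_stack_gap bytes remain. If the intent is the same guard in both directions, the line should be `return sysctl_heap_stack_gap <= addr - vma->vm_prev->vm_end;`. Both new functions would also benefit from a one-line comment stating the return contract: true means the range is acceptable, and skip_heap_stack_gap returns -ENOMEM cast to unsigned long on failure.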
74531 @@ -1281,18 +1475,23 @@ arch_get_unmapped_area(struct file *filp
74532 if (flags & MAP_FIXED)
74533 return addr;
74534
74535 +#ifdef CONFIG_PAX_RANDMMAP
74536 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
74537 +#endif
74538 +
74539 if (addr) {
74540 addr = PAGE_ALIGN(addr);
74541 - vma = find_vma(mm, addr);
74542 - if (TASK_SIZE - len >= addr &&
74543 - (!vma || addr + len <= vma->vm_start))
74544 - return addr;
74545 + if (TASK_SIZE - len >= addr) {
74546 + vma = find_vma(mm, addr);
74547 + if (check_heap_stack_gap(vma, addr, len))
74548 + return addr;
74549 + }
74550 }
74551 if (len > mm->cached_hole_size) {
74552 - start_addr = addr = mm->free_area_cache;
74553 + start_addr = addr = mm->free_area_cache;
74554 } else {
74555 - start_addr = addr = TASK_UNMAPPED_BASE;
74556 - mm->cached_hole_size = 0;
74557 + start_addr = addr = mm->mmap_base;
74558 + mm->cached_hole_size = 0;
74559 }
74560
74561 full_search:
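Review bot: The `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` inside `#ifdef CONFIG_PAX_RANDMMAP` has no body of its own and silently governs the `if (addr) { ... }` block that follows the `#endif` and a blank line. Any statement later inserted between the two becomes the conditional body instead, and the caller's address hint would be honoured again under RANDMMAP. A comment on the guard, e.g. `/* under RANDMMAP the caller's hint is ignored; this if governs the if (addr) block below */`, or folding the test into the `if (addr)` condition would make the dependency visible. The topdown variant in a later hunk uses the same construct, with a comment line sitting between the guard and its body.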
74562 @@ -1303,34 +1502,40 @@ full_search:
74563 * Start a new search - just in case we missed
74564 * some holes.
74565 */
74566 - if (start_addr != TASK_UNMAPPED_BASE) {
74567 - addr = TASK_UNMAPPED_BASE;
74568 - start_addr = addr;
74569 + if (start_addr != mm->mmap_base) {
74570 + start_addr = addr = mm->mmap_base;
74571 mm->cached_hole_size = 0;
74572 goto full_search;
74573 }
74574 return -ENOMEM;
74575 }
74576 - if (!vma || addr + len <= vma->vm_start) {
74577 - /*
74578 - * Remember the place where we stopped the search:
74579 - */
74580 - mm->free_area_cache = addr + len;
74581 - return addr;
74582 - }
74583 + if (check_heap_stack_gap(vma, addr, len))
74584 + break;
74585 if (addr + mm->cached_hole_size < vma->vm_start)
74586 mm->cached_hole_size = vma->vm_start - addr;
74587 addr = vma->vm_end;
74588 }
74589 +
74590 + /*
74591 + * Remember the place where we stopped the search:
74592 + */
74593 + mm->free_area_cache = addr + len;
74594 + return addr;
74595 }
74596 #endif
74597
74598 void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
74599 {
74600 +
74601 +#ifdef CONFIG_PAX_SEGMEXEC
74602 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
74603 + return;
74604 +#endif
74605 +
74606 /*
74607 * Is this a new hole at the lowest possible address?
74608 */
74609 - if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
74610 + if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
74611 mm->free_area_cache = addr;
74612 mm->cached_hole_size = ~0UL;
74613 }
74614 @@ -1348,7 +1553,7 @@ arch_get_unmapped_area_topdown(struct fi
74615 {
74616 struct vm_area_struct *vma;
74617 struct mm_struct *mm = current->mm;
74618 - unsigned long addr = addr0;
74619 + unsigned long base = mm->mmap_base, addr = addr0;
74620
74621 /* requested length too big for entire address space */
74622 if (len > TASK_SIZE)
74623 @@ -1357,13 +1562,18 @@ arch_get_unmapped_area_topdown(struct fi
74624 if (flags & MAP_FIXED)
74625 return addr;
74626
74627 +#ifdef CONFIG_PAX_RANDMMAP
74628 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
74629 +#endif
74630 +
74631 /* requesting a specific address */
74632 if (addr) {
74633 addr = PAGE_ALIGN(addr);
74634 - vma = find_vma(mm, addr);
74635 - if (TASK_SIZE - len >= addr &&
74636 - (!vma || addr + len <= vma->vm_start))
74637 - return addr;
74638 + if (TASK_SIZE - len >= addr) {
74639 + vma = find_vma(mm, addr);
74640 + if (check_heap_stack_gap(vma, addr, len))
74641 + return addr;
74642 + }
74643 }
74644
74645 /* check if free_area_cache is useful for us */
74646 @@ -1378,7 +1588,7 @@ arch_get_unmapped_area_topdown(struct fi
74647 /* make sure it can fit in the remaining address space */
74648 if (addr > len) {
74649 vma = find_vma(mm, addr-len);
74650 - if (!vma || addr <= vma->vm_start)
74651 + if (check_heap_stack_gap(vma, addr - len, len))
74652 /* remember the address as a hint for next time */
74653 return (mm->free_area_cache = addr-len);
74654 }
74655 @@ -1395,7 +1605,7 @@ arch_get_unmapped_area_topdown(struct fi
74656 * return with success:
74657 */
74658 vma = find_vma(mm, addr);
74659 - if (!vma || addr+len <= vma->vm_start)
74660 + if (check_heap_stack_gap(vma, addr, len))
74661 /* remember the address as a hint for next time */
74662 return (mm->free_area_cache = addr);
74663
74664 @@ -1404,8 +1614,8 @@ arch_get_unmapped_area_topdown(struct fi
74665 mm->cached_hole_size = vma->vm_start - addr;
74666
74667 /* try just below the current vma->vm_start */
74668 - addr = vma->vm_start-len;
74669 - } while (len < vma->vm_start);
74670 + addr = skip_heap_stack_gap(vma, len);
74671 + } while (!IS_ERR_VALUE(addr));
74672
74673 bottomup:
74674 /*
74675 @@ -1414,13 +1624,21 @@ bottomup:
74676 * can happen with large stack limits and large mmap()
74677 * allocations.
74678 */
74679 + mm->mmap_base = TASK_UNMAPPED_BASE;
74680 +
74681 +#ifdef CONFIG_PAX_RANDMMAP
74682 + if (mm->pax_flags & MF_PAX_RANDMMAP)
74683 + mm->mmap_base += mm->delta_mmap;
74684 +#endif
74685 +
74686 + mm->free_area_cache = mm->mmap_base;
74687 mm->cached_hole_size = ~0UL;
74688 - mm->free_area_cache = TASK_UNMAPPED_BASE;
74689 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
74690 /*
74691 * Restore the topdown base:
74692 */
74693 - mm->free_area_cache = mm->mmap_base;
74694 + mm->mmap_base = base;
74695 + mm->free_area_cache = base;
74696 mm->cached_hole_size = ~0UL;
74697
74698 return addr;
74699 @@ -1429,6 +1647,12 @@ bottomup:
74700
74701 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
74702 {
74703 +
74704 +#ifdef CONFIG_PAX_SEGMEXEC
74705 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
74706 + return;
74707 +#endif
74708 +
74709 /*
74710 * Is this a new hole at the highest possible address?
74711 */
74712 @@ -1436,8 +1660,10 @@ void arch_unmap_area_topdown(struct mm_s
74713 mm->free_area_cache = addr;
74714
74715 /* dont allow allocations above current base */
74716 - if (mm->free_area_cache > mm->mmap_base)
74717 + if (mm->free_area_cache > mm->mmap_base) {
74718 mm->free_area_cache = mm->mmap_base;
74719 + mm->cached_hole_size = ~0UL;
74720 + }
74721 }
74722
74723 unsigned long
74724 @@ -1545,6 +1771,27 @@ out:
74725 return prev ? prev->vm_next : vma;
74726 }
74727
74728 +#ifdef CONFIG_PAX_SEGMEXEC
74729 +struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
74730 +{
74731 + struct vm_area_struct *vma_m;
74732 +
74733 + BUG_ON(!vma || vma->vm_start >= vma->vm_end);
74734 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
74735 + BUG_ON(vma->vm_mirror);
74736 + return NULL;
74737 + }
74738 + BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
74739 + vma_m = vma->vm_mirror;
74740 + BUG_ON(!vma_m || vma_m->vm_mirror != vma);
74741 + BUG_ON(vma->vm_file != vma_m->vm_file);
74742 + BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
74743 + BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff || vma->anon_vma != vma_m->anon_vma);
74744 + BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED | VM_RESERVED));
74745 + return vma_m;
74746 +}
74747 +#endif
74748 +
74749 /*
74750 * Verify that the stack growth is acceptable and
74751 * update accounting. This is shared with both the
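Review bot: pax_find_mirror_vma has no header comment, although its contract is not obvious from the name. It returns NULL both when the mm does not have MF_PAX_SEGMEXEC and when the vma lacks VM_EXEC, and otherwise it halts through BUG_ON on any mismatch between the vma and its mirror rather than returning an error. I would add a short comment above it, for example `/* Returns vma's SEGMEXEC mirror, or NULL if vma is not mirrored; BUGs if the pair is inconsistent. */`. It would also help to state which lock callers are expected to hold, which the hunk does not show.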
74752 @@ -1561,6 +1808,7 @@ static int acct_stack_growth(struct vm_a
74753 return -ENOMEM;
74754
74755 /* Stack limit test */
74756 + gr_learn_resource(current, RLIMIT_STACK, size, 1);
74757 if (size > rlim[RLIMIT_STACK].rlim_cur)
74758 return -ENOMEM;
74759
74760 @@ -1570,6 +1818,7 @@ static int acct_stack_growth(struct vm_a
74761 unsigned long limit;
74762 locked = mm->locked_vm + grow;
74763 limit = rlim[RLIMIT_MEMLOCK].rlim_cur >> PAGE_SHIFT;
74764 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
74765 if (locked > limit && !capable(CAP_IPC_LOCK))
74766 return -ENOMEM;
74767 }
74768 @@ -1600,37 +1849,48 @@ static int acct_stack_growth(struct vm_a
74769 * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
74770 * vma is the last one with address > vma->vm_end. Have to extend vma.
74771 */
74772 +#ifndef CONFIG_IA64
74773 +static
74774 +#endif
74775 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
74776 {
74777 int error;
74778 + bool locknext;
74779
74780 if (!(vma->vm_flags & VM_GROWSUP))
74781 return -EFAULT;
74782
74783 + /* Also guard against wrapping around to address 0. */
74784 + if (address < PAGE_ALIGN(address+1))
74785 + address = PAGE_ALIGN(address+1);
74786 + else
74787 + return -ENOMEM;
74788 +
74789 /*
74790 * We must make sure the anon_vma is allocated
74791 * so that the anon_vma locking is not a noop.
74792 */
74793 if (unlikely(anon_vma_prepare(vma)))
74794 return -ENOMEM;
74795 + locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
74796 + if (locknext && anon_vma_prepare(vma->vm_next))
74797 + return -ENOMEM;
74798 anon_vma_lock(vma);
74799 + if (locknext)
74800 + anon_vma_lock(vma->vm_next);
74801
74802 /*
74803 * vma->vm_start/vm_end cannot change under us because the caller
74804 * is required to hold the mmap_sem in read mode. We need the
74805 - * anon_vma lock to serialize against concurrent expand_stacks.
74806 - * Also guard against wrapping around to address 0.
74807 + * anon_vma locks to serialize against concurrent expand_stacks
74808 + * and expand_upwards.
74809 */
74810 - if (address < PAGE_ALIGN(address+4))
74811 - address = PAGE_ALIGN(address+4);
74812 - else {
74813 - anon_vma_unlock(vma);
74814 - return -ENOMEM;
74815 - }
74816 error = 0;
74817
74818 /* Somebody else might have raced and expanded it already */
74819 - if (address > vma->vm_end) {
74820 + if (vma->vm_next && (vma->vm_next->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && vma->vm_next->vm_start - address < sysctl_heap_stack_gap)
74821 + error = -ENOMEM;
74822 + else if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
74823 unsigned long size, grow;
74824
74825 size = address - vma->vm_start;
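Review bot: The new gap test `vma->vm_next->vm_start - address < sysctl_heap_stack_gap` is an unsigned subtraction, so it only means what it says while `address` does not exceed `vma->vm_next->vm_start`; if it ever did, the difference would wrap to a large value and the test would pass. The overlap re-check in the `else if` applies only when `locknext` is set, so for a neighbour without VM_GROWSDOWN the function relies on callers never passing such an address. A comment stating that precondition, e.g. `/* caller guarantees address <= vma->vm_next->vm_start */`, or an explicit comparison before the subtraction would document it. expand_downwards has the mirror-image expression `address - prev->vm_end` in a later hunk, and both function bodies continue outside their hunks.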
74826 @@ -1643,6 +1903,8 @@ int expand_upwards(struct vm_area_struct
74827 vma->vm_end = address;
74828 }
74829 }
74830 + if (locknext)
74831 + anon_vma_unlock(vma->vm_next);
74832 anon_vma_unlock(vma);
74833 return error;
74834 }
74835 @@ -1655,6 +1917,8 @@ static int expand_downwards(struct vm_ar
74836 unsigned long address)
74837 {
74838 int error;
74839 + bool lockprev = false;
74840 + struct vm_area_struct *prev;
74841
74842 /*
74843 * We must make sure the anon_vma is allocated
74844 @@ -1668,6 +1932,15 @@ static int expand_downwards(struct vm_ar
74845 if (error)
74846 return error;
74847
74848 + prev = vma->vm_prev;
74849 +#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
74850 + lockprev = prev && (prev->vm_flags & VM_GROWSUP);
74851 +#endif
74852 + if (lockprev && anon_vma_prepare(prev))
74853 + return -ENOMEM;
74854 + if (lockprev)
74855 + anon_vma_lock(prev);
74856 +
74857 anon_vma_lock(vma);
74858
74859 /*
74860 @@ -1677,9 +1950,17 @@ static int expand_downwards(struct vm_ar
74861 */
74862
74863 /* Somebody else might have raced and expanded it already */
74864 - if (address < vma->vm_start) {
74865 + if (prev && (prev->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && address - prev->vm_end < sysctl_heap_stack_gap)
74866 + error = -ENOMEM;
74867 + else if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
74868 unsigned long size, grow;
74869
74870 +#ifdef CONFIG_PAX_SEGMEXEC
74871 + struct vm_area_struct *vma_m;
74872 +
74873 + vma_m = pax_find_mirror_vma(vma);
74874 +#endif
74875 +
74876 size = vma->vm_end - address;
74877 grow = (vma->vm_start - address) >> PAGE_SHIFT;
74878
74879 @@ -1689,10 +1970,22 @@ static int expand_downwards(struct vm_ar
74880 if (!error) {
74881 vma->vm_start = address;
74882 vma->vm_pgoff -= grow;
74883 + track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
74884 +
74885 +#ifdef CONFIG_PAX_SEGMEXEC
74886 + if (vma_m) {
74887 + vma_m->vm_start -= grow << PAGE_SHIFT;
74888 + vma_m->vm_pgoff -= grow;
74889 + }
74890 +#endif
74891 +
74892 +
74893 }
74894 }
74895 }
74896 anon_vma_unlock(vma);
74897 + if (lockprev)
74898 + anon_vma_unlock(prev);
74899 return error;
74900 }
74901
74902 @@ -1768,6 +2061,13 @@ static void remove_vma_list(struct mm_st
74903 do {
74904 long nrpages = vma_pages(vma);
74905
74906 +#ifdef CONFIG_PAX_SEGMEXEC
74907 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
74908 + vma = remove_vma(vma);
74909 + continue;
74910 + }
74911 +#endif
74912 +
74913 mm->total_vm -= nrpages;
74914 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
74915 vma = remove_vma(vma);
74916 @@ -1813,6 +2113,16 @@ detach_vmas_to_be_unmapped(struct mm_str
74917 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
74918 vma->vm_prev = NULL;
74919 do {
74920 +
74921 +#ifdef CONFIG_PAX_SEGMEXEC
74922 + if (vma->vm_mirror) {
74923 + BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
74924 + vma->vm_mirror->vm_mirror = NULL;
74925 + vma->vm_mirror->vm_flags &= ~VM_EXEC;
74926 + vma->vm_mirror = NULL;
74927 + }
74928 +#endif
74929 +
74930 rb_erase(&vma->vm_rb, &mm->mm_rb);
74931 mm->map_count--;
74932 tail_vma = vma;
74933 @@ -1840,10 +2150,25 @@ int split_vma(struct mm_struct * mm, str
74934 struct mempolicy *pol;
74935 struct vm_area_struct *new;
74936
74937 +#ifdef CONFIG_PAX_SEGMEXEC
74938 + struct vm_area_struct *vma_m, *new_m = NULL;
74939 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
74940 +#endif
74941 +
74942 if (is_vm_hugetlb_page(vma) && (addr &
74943 ~(huge_page_mask(hstate_vma(vma)))))
74944 return -EINVAL;
74945
74946 +#ifdef CONFIG_PAX_SEGMEXEC
74947 + vma_m = pax_find_mirror_vma(vma);
74948 +
74949 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
74950 + BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
74951 + if (mm->map_count >= sysctl_max_map_count-1)
74952 + return -ENOMEM;
74953 + } else
74954 +#endif
74955 +
74956 if (mm->map_count >= sysctl_max_map_count)
74957 return -ENOMEM;
74958
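Review bot: With MF_PAX_SEGMEXEC set, the stricter `mm->map_count >= sysctl_max_map_count-1` limit is applied to every split, including those where `vma_m` is NULL and only one new vma will be created. That may be deliberate headroom, but it is not explained, and the `else` that ends inside the `#ifdef` and binds to the unconditional `if` after `#endif` hides the pairing. If it is not intended, testing `vma_m` rather than the mm flag would reserve the extra slot only when a mirror is split as well; otherwise a comment such as `/* SEGMEXEC: a split may add two vmas (original + mirror) */` would do. split_vma starts and ends outside this hunk.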
74959 @@ -1851,6 +2176,16 @@ int split_vma(struct mm_struct * mm, str
74960 if (!new)
74961 return -ENOMEM;
74962
74963 +#ifdef CONFIG_PAX_SEGMEXEC
74964 + if (vma_m) {
74965 + new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
74966 + if (!new_m) {
74967 + kmem_cache_free(vm_area_cachep, new);
74968 + return -ENOMEM;
74969 + }
74970 + }
74971 +#endif
74972 +
74973 /* most fields are the same, copy all, and then fixup */
74974 *new = *vma;
74975
74976 @@ -1861,8 +2196,29 @@ int split_vma(struct mm_struct * mm, str
74977 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
74978 }
74979
74980 +#ifdef CONFIG_PAX_SEGMEXEC
74981 + if (vma_m) {
74982 + *new_m = *vma_m;
74983 + new_m->vm_mirror = new;
74984 + new->vm_mirror = new_m;
74985 +
74986 + if (new_below)
74987 + new_m->vm_end = addr_m;
74988 + else {
74989 + new_m->vm_start = addr_m;
74990 + new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
74991 + }
74992 + }
74993 +#endif
74994 +
74995 pol = mpol_dup(vma_policy(vma));
74996 if (IS_ERR(pol)) {
74997 +
74998 +#ifdef CONFIG_PAX_SEGMEXEC
74999 + if (new_m)
75000 + kmem_cache_free(vm_area_cachep, new_m);
75001 +#endif
75002 +
75003 kmem_cache_free(vm_area_cachep, new);
75004 return PTR_ERR(pol);
75005 }
75006 @@ -1883,6 +2239,28 @@ int split_vma(struct mm_struct * mm, str
75007 else
75008 vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
75009
75010 +#ifdef CONFIG_PAX_SEGMEXEC
75011 + if (vma_m) {
75012 + mpol_get(pol);
75013 + vma_set_policy(new_m, pol);
75014 +
75015 + if (new_m->vm_file) {
75016 + get_file(new_m->vm_file);
75017 + if (vma_m->vm_flags & VM_EXECUTABLE)
75018 + added_exe_file_vma(mm);
75019 + }
75020 +
75021 + if (new_m->vm_ops && new_m->vm_ops->open)
75022 + new_m->vm_ops->open(new_m);
75023 +
75024 + if (new_below)
75025 + vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
75026 + ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
75027 + else
75028 + vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
75029 + }
75030 +#endif
75031 +
75032 return 0;
75033 }
75034
75035 @@ -1891,11 +2269,30 @@ int split_vma(struct mm_struct * mm, str
75036 * work. This now handles partial unmappings.
75037 * Jeremy Fitzhardinge <jeremy@goop.org>
75038 */
75039 +#ifdef CONFIG_PAX_SEGMEXEC
75040 +int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
75041 +{
75042 + int ret = __do_munmap(mm, start, len);
75043 + if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
75044 + return ret;
75045 +
75046 + return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
75047 +}
75048 +
75049 +int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
75050 +#else
75051 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
75052 +#endif
75053 {
75054 unsigned long end;
75055 struct vm_area_struct *vma, *prev, *last;
75056
75057 + /*
75058 + * mm->mmap_sem is required to protect against another thread
75059 + * changing the mappings in case we sleep.
75060 + */
75061 + verify_mm_writelocked(mm);
75062 +
75063 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
75064 return -EINVAL;
75065
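Review bot: In the SEGMEXEC do_munmap wrapper, a failure of the second `__do_munmap` call (for the range at `start + SEGMEXEC_TASK_SIZE`) is returned to the caller after the first call has already removed the primary range, so the caller sees an error for an unmap that half-happened. The wrapper also does not itself check that the mirrored range stays in bounds; the munmap syscall hunk below adds such a check, but other callers of do_munmap are only partly visible here. A comment on the wrapper stating the expected bounds and the partial-failure behaviour, e.g. `/* callers ensure start + len <= SEGMEXEC_TASK_SIZE; a failed mirror unmap leaves the lower range already unmapped */`, would help anyone reviewing those callers.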
75066 @@ -1959,6 +2356,8 @@ int do_munmap(struct mm_struct *mm, unsi
75067 /* Fix up all other VM information */
75068 remove_vma_list(mm, vma);
75069
75070 + track_exec_limit(mm, start, end, 0UL);
75071 +
75072 return 0;
75073 }
75074
75075 @@ -1971,22 +2370,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
75076
75077 profile_munmap(addr);
75078
75079 +#ifdef CONFIG_PAX_SEGMEXEC
75080 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
75081 + (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
75082 + return -EINVAL;
75083 +#endif
75084 +
75085 down_write(&mm->mmap_sem);
75086 ret = do_munmap(mm, addr, len);
75087 up_write(&mm->mmap_sem);
75088 return ret;
75089 }
75090
75091 -static inline void verify_mm_writelocked(struct mm_struct *mm)
75092 -{
75093 -#ifdef CONFIG_DEBUG_VM
75094 - if (unlikely(down_read_trylock(&mm->mmap_sem))) {
75095 - WARN_ON(1);
75096 - up_read(&mm->mmap_sem);
75097 - }
75098 -#endif
75099 -}
75100 -
75101 /*
75102 * this is really a simplified "do_mmap". it only handles
75103 * anonymous maps. eventually we may be able to do some
75104 @@ -2000,6 +2395,7 @@ unsigned long do_brk(unsigned long addr,
75105 struct rb_node ** rb_link, * rb_parent;
75106 pgoff_t pgoff = addr >> PAGE_SHIFT;
75107 int error;
75108 + unsigned long charged;
75109
75110 len = PAGE_ALIGN(len);
75111 if (!len)
75112 @@ -2011,16 +2407,30 @@ unsigned long do_brk(unsigned long addr,
75113
75114 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
75115
75116 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
75117 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
75118 + flags &= ~VM_EXEC;
75119 +
75120 +#ifdef CONFIG_PAX_MPROTECT
75121 + if (mm->pax_flags & MF_PAX_MPROTECT)
75122 + flags &= ~VM_MAYEXEC;
75123 +#endif
75124 +
75125 + }
75126 +#endif
75127 +
75128 error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
75129 if (error & ~PAGE_MASK)
75130 return error;
75131
75132 + charged = len >> PAGE_SHIFT;
75133 +
75134 /*
75135 * mlock MCL_FUTURE?
75136 */
75137 if (mm->def_flags & VM_LOCKED) {
75138 unsigned long locked, lock_limit;
75139 - locked = len >> PAGE_SHIFT;
75140 + locked = charged;
75141 locked += mm->locked_vm;
75142 lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
75143 lock_limit >>= PAGE_SHIFT;
75144 @@ -2037,22 +2447,22 @@ unsigned long do_brk(unsigned long addr,
75145 /*
75146 * Clear old maps. this also does some error checking for us
75147 */
75148 - munmap_back:
75149 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
75150 if (vma && vma->vm_start < addr + len) {
75151 if (do_munmap(mm, addr, len))
75152 return -ENOMEM;
75153 - goto munmap_back;
75154 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
75155 + BUG_ON(vma && vma->vm_start < addr + len);
75156 }
75157
75158 /* Check against address space limits *after* clearing old maps... */
75159 - if (!may_expand_vm(mm, len >> PAGE_SHIFT))
75160 + if (!may_expand_vm(mm, charged))
75161 return -ENOMEM;
75162
75163 if (mm->map_count > sysctl_max_map_count)
75164 return -ENOMEM;
75165
75166 - if (security_vm_enough_memory(len >> PAGE_SHIFT))
75167 + if (security_vm_enough_memory(charged))
75168 return -ENOMEM;
75169
75170 /* Can we just expand an old private anonymous mapping? */
75171 @@ -2066,7 +2476,7 @@ unsigned long do_brk(unsigned long addr,
75172 */
75173 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
75174 if (!vma) {
75175 - vm_unacct_memory(len >> PAGE_SHIFT);
75176 + vm_unacct_memory(charged);
75177 return -ENOMEM;
75178 }
75179
75180 @@ -2078,11 +2488,12 @@ unsigned long do_brk(unsigned long addr,
75181 vma->vm_page_prot = vm_get_page_prot(flags);
75182 vma_link(mm, vma, prev, rb_link, rb_parent);
75183 out:
75184 - mm->total_vm += len >> PAGE_SHIFT;
75185 + mm->total_vm += charged;
75186 if (flags & VM_LOCKED) {
75187 if (!mlock_vma_pages_range(vma, addr, addr + len))
75188 - mm->locked_vm += (len >> PAGE_SHIFT);
75189 + mm->locked_vm += charged;
75190 }
75191 + track_exec_limit(mm, addr, addr + len, flags);
75192 return addr;
75193 }
75194
75195 @@ -2129,8 +2540,10 @@ void exit_mmap(struct mm_struct *mm)
75196 * Walk the list again, actually closing and freeing it,
75197 * with preemption enabled, without holding any MM locks.
75198 */
75199 - while (vma)
75200 + while (vma) {
75201 + vma->vm_mirror = NULL;
75202 vma = remove_vma(vma);
75203 + }
75204
75205 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
75206 }
75207 @@ -2144,6 +2557,10 @@ int insert_vm_struct(struct mm_struct *
75208 struct vm_area_struct * __vma, * prev;
75209 struct rb_node ** rb_link, * rb_parent;
75210
75211 +#ifdef CONFIG_PAX_SEGMEXEC
75212 + struct vm_area_struct *vma_m = NULL;
75213 +#endif
75214 +
75215 /*
75216 * The vm_pgoff of a purely anonymous vma should be irrelevant
75217 * until its first write fault, when page's anon_vma and index
75218 @@ -2166,7 +2583,22 @@ int insert_vm_struct(struct mm_struct *
75219 if ((vma->vm_flags & VM_ACCOUNT) &&
75220 security_vm_enough_memory_mm(mm, vma_pages(vma)))
75221 return -ENOMEM;
75222 +
75223 +#ifdef CONFIG_PAX_SEGMEXEC
75224 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
75225 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
75226 + if (!vma_m)
75227 + return -ENOMEM;
75228 + }
75229 +#endif
75230 +
75231 vma_link(mm, vma, prev, rb_link, rb_parent);
75232 +
75233 +#ifdef CONFIG_PAX_SEGMEXEC
75234 + if (vma_m)
75235 + pax_mirror_vma(vma_m, vma);
75236 +#endif
75237 +
75238 return 0;
75239 }
75240
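Review bot: The new `return -ENOMEM` on a failed mirror allocation comes after `security_vm_enough_memory_mm()` has succeeded for a VM_ACCOUNT vma. As far as I know that call charges the pages on success, so this path appears to leave the commit charge in place with no vma to own it. Either allocate `vma_m` before the accounting check, or undo the charge on failure: `if (!vma_m) { if (vma->vm_flags & VM_ACCOUNT) vm_unacct_memory(vma_pages(vma)); return -ENOMEM; }`. insert_vm_struct begins outside the hunk.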
75241 @@ -2184,6 +2616,8 @@ struct vm_area_struct *copy_vma(struct v
75242 struct rb_node **rb_link, *rb_parent;
75243 struct mempolicy *pol;
75244
75245 + BUG_ON(vma->vm_mirror);
75246 +
75247 /*
75248 * If anonymous vma has not yet been faulted, update new pgoff
75249 * to match new location, to increase its chance of merging.
75250 @@ -2227,6 +2661,35 @@ struct vm_area_struct *copy_vma(struct v
75251 return new_vma;
75252 }
75253
75254 +#ifdef CONFIG_PAX_SEGMEXEC
75255 +void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
75256 +{
75257 + struct vm_area_struct *prev_m;
75258 + struct rb_node **rb_link_m, *rb_parent_m;
75259 + struct mempolicy *pol_m;
75260 +
75261 + BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
75262 + BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
75263 + BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
75264 + *vma_m = *vma;
75265 + pol_m = vma_policy(vma_m);
75266 + mpol_get(pol_m);
75267 + vma_set_policy(vma_m, pol_m);
75268 + vma_m->vm_start += SEGMEXEC_TASK_SIZE;
75269 + vma_m->vm_end += SEGMEXEC_TASK_SIZE;
75270 + vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
75271 + vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
75272 + if (vma_m->vm_file)
75273 + get_file(vma_m->vm_file);
75274 + if (vma_m->vm_ops && vma_m->vm_ops->open)
75275 + vma_m->vm_ops->open(vma_m);
75276 + find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
75277 + vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
75278 + vma_m->vm_mirror = vma;
75279 + vma->vm_mirror = vma_m;
75280 +}
75281 +#endif
75282 +
75283 /*
75284 * Return true if the calling process may expand its vm space by the passed
75285 * number of pages
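Review bot: `pax_mirror_vma()` is a new non-static function with three `BUG_ON` preconditions and no comment stating them, so a caller has to read the body to learn what it may pass. A header comment should say that `vma` must be an executable vma of a SEGMEXEC mm with no mirror yet, and that `vma_m` must be a fresh, unlinked object whose contents are overwritten by `*vma_m = *vma` (both callers visible in this patch pass `kmem_cache_zalloc` memory). It should also say that the function takes its own references on the file and memory policy, calls `vm_ops->open`, and links `vma_m` at `vm_start + SEGMEXEC_TASK_SIZE`. The lock the caller must hold is worth naming too; it is presumably mmap_sem for writing since `vma_link` is called, but that is not shown here.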
75286 @@ -2237,7 +2700,7 @@ int may_expand_vm(struct mm_struct *mm,
75287 unsigned long lim;
75288
75289 lim = current->signal->rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT;
75290 -
75291 + gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
75292 if (cur + npages > lim)
75293 return 0;
75294 return 1;
75295 @@ -2307,6 +2770,22 @@ int install_special_mapping(struct mm_st
75296 vma->vm_start = addr;
75297 vma->vm_end = addr + len;
75298
75299 +#ifdef CONFIG_PAX_MPROTECT
75300 + if (mm->pax_flags & MF_PAX_MPROTECT) {
75301 +#ifndef CONFIG_PAX_MPROTECT_COMPAT
75302 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
75303 + return -EPERM;
75304 + if (!(vm_flags & VM_EXEC))
75305 + vm_flags &= ~VM_MAYEXEC;
75306 +#else
75307 + if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
75308 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
75309 +#endif
75310 + else
75311 + vm_flags &= ~VM_MAYWRITE;
75312 + }
75313 +#endif
75314 +
75315 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
75316 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
75317
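Review bot: The `return -EPERM` added for a writable and executable request exits after `vma` is already in use (`vma->vm_start` and `vma->vm_end` are assigned just above), and the path does not free it. The allocation itself is outside the hunk, but if `vma` comes from `vm_area_cachep` as elsewhere in this file, the branch needs `kmem_cache_free(vm_area_cachep, vma);` before returning. Separately, the `else` after the inner `#endif` binds to a different `if` in each preprocessor branch, which is easy to misread; braces in both variants would make the pairing explicit.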
75318 diff -urNp linux-2.6.32.49/mm/mprotect.c linux-2.6.32.49/mm/mprotect.c
75319 --- linux-2.6.32.49/mm/mprotect.c 2011-11-08 19:02:43.000000000 -0500
75320 +++ linux-2.6.32.49/mm/mprotect.c 2011-11-15 19:59:43.000000000 -0500
75321 @@ -24,10 +24,16 @@
75322 #include <linux/mmu_notifier.h>
75323 #include <linux/migrate.h>
75324 #include <linux/perf_event.h>
75325 +
75326 +#ifdef CONFIG_PAX_MPROTECT
75327 +#include <linux/elf.h>
75328 +#endif
75329 +
75330 #include <asm/uaccess.h>
75331 #include <asm/pgtable.h>
75332 #include <asm/cacheflush.h>
75333 #include <asm/tlbflush.h>
75334 +#include <asm/mmu_context.h>
75335
75336 #ifndef pgprot_modify
75337 static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
75338 @@ -132,6 +138,48 @@ static void change_protection(struct vm_
75339 flush_tlb_range(vma, start, end);
75340 }
75341
75342 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
75343 +/* called while holding the mmap semaphor for writing except stack expansion */
75344 +void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
75345 +{
75346 + unsigned long oldlimit, newlimit = 0UL;
75347 +
75348 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || nx_enabled)
75349 + return;
75350 +
75351 + spin_lock(&mm->page_table_lock);
75352 + oldlimit = mm->context.user_cs_limit;
75353 + if ((prot & VM_EXEC) && oldlimit < end)
75354 + /* USER_CS limit moved up */
75355 + newlimit = end;
75356 + else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
75357 + /* USER_CS limit moved down */
75358 + newlimit = start;
75359 +
75360 + if (newlimit) {
75361 + mm->context.user_cs_limit = newlimit;
75362 +
75363 +#ifdef CONFIG_SMP
75364 + wmb();
75365 + cpus_clear(mm->context.cpu_user_cs_mask);
75366 + cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
75367 +#endif
75368 +
75369 + set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
75370 + }
75371 + spin_unlock(&mm->page_table_lock);
75372 + if (newlimit == end) {
75373 + struct vm_area_struct *vma = find_vma(mm, oldlimit);
75374 +
75375 + for (; vma && vma->vm_start < end; vma = vma->vm_next)
75376 + if (is_vm_hugetlb_page(vma))
75377 + hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
75378 + else
75379 + change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
75380 + }
75381 +}
75382 +#endif
75383 +
75384 int
75385 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
75386 unsigned long start, unsigned long end, unsigned long newflags)
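Review bot: `newlimit` doubles as the "no change" marker with value 0, so in the `!(prot & VM_EXEC)` branch a range with `start == 0` computes `newlimit = start`, and `if (newlimit)` then skips the update and leaves `user_cs_limit` at its old, higher value. Whether a mapping at address 0 can reach this function depends on policy outside the hunk, but a separate flag removes the ambiguity: set `bool changed = true;` in both branches and test `if (changed)`. The comment's "semaphor" should read "semaphore", and the unbraced `if`/`else` inside the `for` loop would be clearer with braces.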
75387 @@ -144,11 +192,29 @@ mprotect_fixup(struct vm_area_struct *vm
75388 int error;
75389 int dirty_accountable = 0;
75390
75391 +#ifdef CONFIG_PAX_SEGMEXEC
75392 + struct vm_area_struct *vma_m = NULL;
75393 + unsigned long start_m, end_m;
75394 +
75395 + start_m = start + SEGMEXEC_TASK_SIZE;
75396 + end_m = end + SEGMEXEC_TASK_SIZE;
75397 +#endif
75398 +
75399 if (newflags == oldflags) {
75400 *pprev = vma;
75401 return 0;
75402 }
75403
75404 + if (newflags & (VM_READ | VM_WRITE | VM_EXEC)) {
75405 + struct vm_area_struct *prev = vma->vm_prev, *next = vma->vm_next;
75406 +
75407 + if (next && (next->vm_flags & VM_GROWSDOWN) && sysctl_heap_stack_gap > next->vm_start - end)
75408 + return -ENOMEM;
75409 +
75410 + if (prev && (prev->vm_flags & VM_GROWSUP) && sysctl_heap_stack_gap > start - prev->vm_end)
75411 + return -ENOMEM;
75412 + }
75413 +
75414 /*
75415 * If we make a private mapping writable we increase our commit;
75416 * but (without finer accounting) cannot reduce our commit if we
75417 @@ -165,6 +231,38 @@ mprotect_fixup(struct vm_area_struct *vm
75418 }
75419 }
75420
75421 +#ifdef CONFIG_PAX_SEGMEXEC
75422 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
75423 + if (start != vma->vm_start) {
75424 + error = split_vma(mm, vma, start, 1);
75425 + if (error)
75426 + goto fail;
75427 + BUG_ON(!*pprev || (*pprev)->vm_next == vma);
75428 + *pprev = (*pprev)->vm_next;
75429 + }
75430 +
75431 + if (end != vma->vm_end) {
75432 + error = split_vma(mm, vma, end, 0);
75433 + if (error)
75434 + goto fail;
75435 + }
75436 +
75437 + if (pax_find_mirror_vma(vma)) {
75438 + error = __do_munmap(mm, start_m, end_m - start_m);
75439 + if (error)
75440 + goto fail;
75441 + } else {
75442 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
75443 + if (!vma_m) {
75444 + error = -ENOMEM;
75445 + goto fail;
75446 + }
75447 + vma->vm_flags = newflags;
75448 + pax_mirror_vma(vma_m, vma);
75449 + }
75450 + }
75451 +#endif
75452 +
75453 /*
75454 * First try to merge with previous and/or next vma.
75455 */
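Review bot: `vma->vm_flags = newflags;` is assigned in the `else` branch well before the `success:` label where this function otherwise commits the flags, and no comment says why. The reason appears to be the `BUG_ON(!(vma->vm_flags & VM_EXEC))` in `pax_mirror_vma()`, so a line such as `/* pax_mirror_vma() asserts VM_EXEC on vma, so the new flags must be set first */` would save the next reader the search. It would also flag that any later `goto fail` leaves the vma with flags already changed and a mirror already created or unmapped. The remainder of `mprotect_fixup` is outside this hunk, so whether such a path exists cannot be confirmed here.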
75456 @@ -195,9 +293,21 @@ success:
75457 * vm_flags and vm_page_prot are protected by the mmap_sem
75458 * held in write mode.
75459 */
75460 +
75461 +#ifdef CONFIG_PAX_SEGMEXEC
75462 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (newflags & VM_EXEC) && ((vma->vm_flags ^ newflags) & VM_READ))
75463 + pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;
75464 +#endif
75465 +
75466 vma->vm_flags = newflags;
75467 +
75468 +#ifdef CONFIG_PAX_MPROTECT
75469 + if (mm->binfmt && mm->binfmt->handle_mprotect)
75470 + mm->binfmt->handle_mprotect(vma, newflags);
75471 +#endif
75472 +
75473 vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
75474 - vm_get_page_prot(newflags));
75475 + vm_get_page_prot(vma->vm_flags));
75476
75477 if (vma_wants_writenotify(vma)) {
75478 vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
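Review bot: After this change `vm_page_prot` is derived from `vma->vm_flags` on the normal path, but the `vma_wants_writenotify()` branch directly below still uses `newflags & ~VM_SHARED`. If `handle_mprotect` can alter `vma->vm_flags`, which the switch away from `newflags` implies, the write-notify path drops that adjustment; `vm_get_page_prot(vma->vm_flags & ~VM_SHARED)` would keep the two consistent. Also, `pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;` dereferences the result unchecked although the same helper is tested for NULL earlier in this function, so a local `vma_m` with `BUG_ON(!vma_m)` would at least document the assumption.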
75479 @@ -239,6 +349,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
75480 end = start + len;
75481 if (end <= start)
75482 return -ENOMEM;
75483 +
75484 +#ifdef CONFIG_PAX_SEGMEXEC
75485 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
75486 + if (end > SEGMEXEC_TASK_SIZE)
75487 + return -EINVAL;
75488 + } else
75489 +#endif
75490 +
75491 + if (end > TASK_SIZE)
75492 + return -EINVAL;
75493 +
75494 if (!arch_validate_prot(prot))
75495 return -EINVAL;
75496
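Review bot: The `} else` followed by `#endif` and a blank line makes `if (end > TASK_SIZE)` the else-body only when CONFIG_PAX_SEGMEXEC is set, a pairing that a later edit between the two lines can silently break. The mremap.c hunks in this same patch handle the same choice with a local, `unsigned long pax_task_size = TASK_SIZE;`, overridden to `SEGMEXEC_TASK_SIZE` under the `#ifdef`. Using that form here and ending in a single `if (end > pax_task_size) return -EINVAL;` keeps the check itself outside the preprocessor block.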
75497 @@ -246,7 +367,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
75498 /*
75499 * Does the application expect PROT_READ to imply PROT_EXEC:
75500 */
75501 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
75502 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
75503 prot |= PROT_EXEC;
75504
75505 vm_flags = calc_vm_prot_bits(prot);
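Review bot: The comment above the changed condition still says "Does the application expect PROT_READ to imply PROT_EXEC", but the new test also fires for `PROT_WRITE` alone. The comment should be updated to match, for example `/* Does the application expect PROT_READ or PROT_WRITE to imply PROT_EXEC: */`, ideally with a word on why write-only requests are now included.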
75506 @@ -278,6 +399,11 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
75507 if (start > vma->vm_start)
75508 prev = vma;
75509
75510 +#ifdef CONFIG_PAX_MPROTECT
75511 + if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
75512 + current->mm->binfmt->handle_mprotect(vma, vm_flags);
75513 +#endif
75514 +
75515 for (nstart = start ; ; ) {
75516 unsigned long newflags;
75517
75518 @@ -287,6 +413,14 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
75519
75520 /* newflags >> 4 shift VM_MAY% in place of VM_% */
75521 if ((newflags & ~(newflags >> 4)) & (VM_READ | VM_WRITE | VM_EXEC)) {
75522 + if (prot & (PROT_WRITE | PROT_EXEC))
75523 + gr_log_rwxmprotect(vma->vm_file);
75524 +
75525 + error = -EACCES;
75526 + goto out;
75527 + }
75528 +
75529 + if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
75530 error = -EACCES;
75531 goto out;
75532 }
75533 @@ -301,6 +435,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
75534 error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
75535 if (error)
75536 goto out;
75537 +
75538 + track_exec_limit(current->mm, nstart, tmp, vm_flags);
75539 +
75540 nstart = tmp;
75541
75542 if (nstart < prev->vm_end)
75543 diff -urNp linux-2.6.32.49/mm/mremap.c linux-2.6.32.49/mm/mremap.c
75544 --- linux-2.6.32.49/mm/mremap.c 2011-11-08 19:02:43.000000000 -0500
75545 +++ linux-2.6.32.49/mm/mremap.c 2011-11-15 19:59:43.000000000 -0500
75546 @@ -112,6 +112,12 @@ static void move_ptes(struct vm_area_str
75547 continue;
75548 pte = ptep_clear_flush(vma, old_addr, old_pte);
75549 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
75550 +
75551 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
75552 + if (!nx_enabled && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
75553 + pte = pte_exprotect(pte);
75554 +#endif
75555 +
75556 set_pte_at(mm, new_addr, new_pte, pte);
75557 }
75558
75559 @@ -271,6 +277,11 @@ static struct vm_area_struct *vma_to_res
75560 if (is_vm_hugetlb_page(vma))
75561 goto Einval;
75562
75563 +#ifdef CONFIG_PAX_SEGMEXEC
75564 + if (pax_find_mirror_vma(vma))
75565 + goto Einval;
75566 +#endif
75567 +
75568 /* We can't remap across vm area boundaries */
75569 if (old_len > vma->vm_end - addr)
75570 goto Efault;
75571 @@ -327,20 +338,25 @@ static unsigned long mremap_to(unsigned
75572 unsigned long ret = -EINVAL;
75573 unsigned long charged = 0;
75574 unsigned long map_flags;
75575 + unsigned long pax_task_size = TASK_SIZE;
75576
75577 if (new_addr & ~PAGE_MASK)
75578 goto out;
75579
75580 - if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
75581 +#ifdef CONFIG_PAX_SEGMEXEC
75582 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
75583 + pax_task_size = SEGMEXEC_TASK_SIZE;
75584 +#endif
75585 +
75586 + pax_task_size -= PAGE_SIZE;
75587 +
75588 + if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
75589 goto out;
75590
75591 /* Check if the location we're moving into overlaps the
75592 * old location at all, and fail if it does.
75593 */
75594 - if ((new_addr <= addr) && (new_addr+new_len) > addr)
75595 - goto out;
75596 -
75597 - if ((addr <= new_addr) && (addr+old_len) > new_addr)
75598 + if (addr + old_len > new_addr && new_addr + new_len > addr)
75599 goto out;
75600
75601 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
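Review bot: The length half of the bounds check still compares against `TASK_SIZE` while the address half uses `pax_task_size`, so for a `new_len` between the two values `pax_task_size - new_len` wraps around and the second comparison no longer rejects anything. The `do_mremap` hunk further down does test `new_len > pax_task_size` before calling in, which appears to cover the caller, but the local check should not depend on that: `if (new_len > pax_task_size || new_addr > pax_task_size - new_len)`.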
75602 @@ -412,6 +428,7 @@ unsigned long do_mremap(unsigned long ad
75603 struct vm_area_struct *vma;
75604 unsigned long ret = -EINVAL;
75605 unsigned long charged = 0;
75606 + unsigned long pax_task_size = TASK_SIZE;
75607
75608 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
75609 goto out;
75610 @@ -430,6 +447,17 @@ unsigned long do_mremap(unsigned long ad
75611 if (!new_len)
75612 goto out;
75613
75614 +#ifdef CONFIG_PAX_SEGMEXEC
75615 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
75616 + pax_task_size = SEGMEXEC_TASK_SIZE;
75617 +#endif
75618 +
75619 + pax_task_size -= PAGE_SIZE;
75620 +
75621 + if (new_len > pax_task_size || addr > pax_task_size-new_len ||
75622 + old_len > pax_task_size || addr > pax_task_size-old_len)
75623 + goto out;
75624 +
75625 if (flags & MREMAP_FIXED) {
75626 if (flags & MREMAP_MAYMOVE)
75627 ret = mremap_to(addr, old_len, new_addr, new_len);
75628 @@ -476,6 +504,7 @@ unsigned long do_mremap(unsigned long ad
75629 addr + new_len);
75630 }
75631 ret = addr;
75632 + track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
75633 goto out;
75634 }
75635 }
75636 @@ -502,7 +531,13 @@ unsigned long do_mremap(unsigned long ad
75637 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
75638 if (ret)
75639 goto out;
75640 +
75641 + map_flags = vma->vm_flags;
75642 ret = move_vma(vma, addr, old_len, new_len, new_addr);
75643 + if (!(ret & ~PAGE_MASK)) {
75644 + track_exec_limit(current->mm, addr, addr + old_len, 0UL);
75645 + track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
75646 + }
75647 }
75648 out:
75649 if (ret & ~PAGE_MASK)
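Review bot: `map_flags = vma->vm_flags;` is taken before `move_vma()` and used afterwards with no comment explaining why `vma->vm_flags` is not read directly, and `map_flags` is not declared in the visible part of `do_mremap`. If the reason is that `vma` may no longer be valid once `move_vma()` returns, say so: `/* vma may be gone after move_vma(); snapshot its flags for track_exec_limit() */`. If `map_flags` is an existing local that otherwise holds `MAP_*` values, a separately named variable for the `VM_*` flags would avoid mixing the two.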
75650 diff -urNp linux-2.6.32.49/mm/nommu.c linux-2.6.32.49/mm/nommu.c
75651 --- linux-2.6.32.49/mm/nommu.c 2011-11-08 19:02:43.000000000 -0500
75652 +++ linux-2.6.32.49/mm/nommu.c 2011-11-15 19:59:43.000000000 -0500
75653 @@ -67,7 +67,6 @@ int sysctl_overcommit_memory = OVERCOMMI
75654 int sysctl_overcommit_ratio = 50; /* default is 50% */
75655 int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
75656 int sysctl_nr_trim_pages = CONFIG_NOMMU_INITIAL_TRIM_EXCESS;
75657 -int heap_stack_gap = 0;
75658
75659 atomic_long_t mmap_pages_allocated;
75660
75661 @@ -761,15 +760,6 @@ struct vm_area_struct *find_vma(struct m
75662 EXPORT_SYMBOL(find_vma);
75663
75664 /*
75665 - * find a VMA
75666 - * - we don't extend stack VMAs under NOMMU conditions
75667 - */
75668 -struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
75669 -{
75670 - return find_vma(mm, addr);
75671 -}
75672 -
75673 -/*
75674 * expand a stack to a given address
75675 * - not supported under NOMMU conditions
75676 */
75677 diff -urNp linux-2.6.32.49/mm/page_alloc.c linux-2.6.32.49/mm/page_alloc.c
75678 --- linux-2.6.32.49/mm/page_alloc.c 2011-11-08 19:02:43.000000000 -0500
75679 +++ linux-2.6.32.49/mm/page_alloc.c 2011-11-15 19:59:43.000000000 -0500
75680 @@ -289,7 +289,7 @@ out:
75681 * This usage means that zero-order pages may not be compound.
75682 */
75683
75684 -static void free_compound_page(struct page *page)
75685 +void free_compound_page(struct page *page)
75686 {
75687 __free_pages_ok(page, compound_order(page));
75688 }
75689 @@ -587,6 +587,10 @@ static void __free_pages_ok(struct page
75690 int bad = 0;
75691 int wasMlocked = __TestClearPageMlocked(page);
75692
75693 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
75694 + unsigned long index = 1UL << order;
75695 +#endif
75696 +
75697 kmemcheck_free_shadow(page, order);
75698
75699 for (i = 0 ; i < (1 << order) ; ++i)
75700 @@ -599,6 +603,12 @@ static void __free_pages_ok(struct page
75701 debug_check_no_obj_freed(page_address(page),
75702 PAGE_SIZE << order);
75703 }
75704 +
75705 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
75706 + for (; index; --index)
75707 + sanitize_highpage(page + index - 1);
75708 +#endif
75709 +
75710 arch_free_page(page, order);
75711 kernel_map_pages(page, 1 << order, 0);
75712
75713 @@ -702,8 +712,10 @@ static int prep_new_page(struct page *pa
75714 arch_alloc_page(page, order);
75715 kernel_map_pages(page, 1 << order, 1);
75716
75717 +#ifndef CONFIG_PAX_MEMORY_SANITIZE
75718 if (gfp_flags & __GFP_ZERO)
75719 prep_zero_page(page, order, gfp_flags);
75720 +#endif
75721
75722 if (order && (gfp_flags & __GFP_COMP))
75723 prep_compound_page(page, order);
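Review bot: With CONFIG_PAX_MEMORY_SANITIZE set, the `__GFP_ZERO` clearing is compiled out and nothing at this site says what guarantees zeroed pages instead. The `__free_pages_ok` and `free_hot_cold_page` hunks add `sanitize_highpage()` at free time, so presumably every page reaching the allocator has already been cleared. A comment here should state that invariant, e.g. `/* pages are cleared on free by sanitize_highpage(), so __GFP_ZERO is already satisfied */`. Any path that hands pages to the allocator without passing through those two functions would return stale contents to `__GFP_ZERO` callers, which cannot be ruled out from this hunk.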
75724 @@ -1097,6 +1109,11 @@ static void free_hot_cold_page(struct pa
75725 debug_check_no_locks_freed(page_address(page), PAGE_SIZE);
75726 debug_check_no_obj_freed(page_address(page), PAGE_SIZE);
75727 }
75728 +
75729 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
75730 + sanitize_highpage(page);
75731 +#endif
75732 +
75733 arch_free_page(page, 0);
75734 kernel_map_pages(page, 1, 0);
75735
75736 @@ -2179,6 +2196,8 @@ void show_free_areas(void)
75737 int cpu;
75738 struct zone *zone;
75739
75740 + pax_track_stack();
75741 +
75742 for_each_populated_zone(zone) {
75743 show_node(zone);
75744 printk("%s per-cpu:\n", zone->name);
75745 @@ -3736,7 +3755,7 @@ static void __init setup_usemap(struct p
75746 zone->pageblock_flags = alloc_bootmem_node(pgdat, usemapsize);
75747 }
75748 #else
75749 -static void inline setup_usemap(struct pglist_data *pgdat,
75750 +static inline void setup_usemap(struct pglist_data *pgdat,
75751 struct zone *zone, unsigned long zonesize) {}
75752 #endif /* CONFIG_SPARSEMEM */
75753
75754 diff -urNp linux-2.6.32.49/mm/percpu.c linux-2.6.32.49/mm/percpu.c
75755 --- linux-2.6.32.49/mm/percpu.c 2011-11-08 19:02:43.000000000 -0500
75756 +++ linux-2.6.32.49/mm/percpu.c 2011-11-15 19:59:43.000000000 -0500
75757 @@ -115,7 +115,7 @@ static unsigned int pcpu_first_unit_cpu
75758 static unsigned int pcpu_last_unit_cpu __read_mostly;
75759
75760 /* the address of the first chunk which starts with the kernel static area */
75761 -void *pcpu_base_addr __read_mostly;
75762 +void *pcpu_base_addr __read_only;
75763 EXPORT_SYMBOL_GPL(pcpu_base_addr);
75764
75765 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
75766 diff -urNp linux-2.6.32.49/mm/rmap.c linux-2.6.32.49/mm/rmap.c
75767 --- linux-2.6.32.49/mm/rmap.c 2011-11-08 19:02:43.000000000 -0500
75768 +++ linux-2.6.32.49/mm/rmap.c 2011-11-15 19:59:43.000000000 -0500
75769 @@ -121,6 +121,17 @@ int anon_vma_prepare(struct vm_area_stru
75770 /* page_table_lock to protect against threads */
75771 spin_lock(&mm->page_table_lock);
75772 if (likely(!vma->anon_vma)) {
75773 +
75774 +#ifdef CONFIG_PAX_SEGMEXEC
75775 + struct vm_area_struct *vma_m = pax_find_mirror_vma(vma);
75776 +
75777 + if (vma_m) {
75778 + BUG_ON(vma_m->anon_vma);
75779 + vma_m->anon_vma = anon_vma;
75780 + list_add_tail(&vma_m->anon_vma_node, &anon_vma->head);
75781 + }
75782 +#endif
75783 +
75784 vma->anon_vma = anon_vma;
75785 list_add_tail(&vma->anon_vma_node, &anon_vma->head);
75786 allocated = NULL;
75787 diff -urNp linux-2.6.32.49/mm/shmem.c linux-2.6.32.49/mm/shmem.c
75788 --- linux-2.6.32.49/mm/shmem.c 2011-11-08 19:02:43.000000000 -0500
75789 +++ linux-2.6.32.49/mm/shmem.c 2011-11-15 19:59:43.000000000 -0500
75790 @@ -31,7 +31,7 @@
75791 #include <linux/swap.h>
75792 #include <linux/ima.h>
75793
75794 -static struct vfsmount *shm_mnt;
75795 +struct vfsmount *shm_mnt;
75796
75797 #ifdef CONFIG_SHMEM
75798 /*
75799 @@ -1061,6 +1061,8 @@ static int shmem_writepage(struct page *
75800 goto unlock;
75801 }
75802 entry = shmem_swp_entry(info, index, NULL);
75803 + if (!entry)
75804 + goto unlock;
75805 if (entry->val) {
75806 /*
75807 * The more uptodate page coming down from a stacked
75808 @@ -1144,6 +1146,8 @@ static struct page *shmem_swapin(swp_ent
75809 struct vm_area_struct pvma;
75810 struct page *page;
75811
75812 + pax_track_stack();
75813 +
75814 spol = mpol_cond_copy(&mpol,
75815 mpol_shared_policy_lookup(&info->policy, idx));
75816
75817 @@ -1962,7 +1966,7 @@ static int shmem_symlink(struct inode *d
75818
75819 info = SHMEM_I(inode);
75820 inode->i_size = len-1;
75821 - if (len <= (char *)inode - (char *)info) {
75822 + if (len <= (char *)inode - (char *)info && len <= 64) {
75823 /* do it inline */
75824 memcpy(info, symname, len);
75825 inode->i_op = &shmem_symlink_inline_operations;
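Review bot: The added `len <= 64` is a bare constant with no comment on what it bounds, and it silently sends names that would previously have fitted inline to the page-backed path. A named constant with a one-line explanation of the limit would make the condition reviewable; the name is the author's choice, e.g. a file-local `#define` used as `len <= SHMEM_INLINE_SYMLINK_MAX` (suggested name, not an existing symbol). `shmem_symlink` starts and ends outside this hunk.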
75826 @@ -2310,8 +2314,7 @@ int shmem_fill_super(struct super_block
75827 int err = -ENOMEM;
75828
75829 /* Round up to L1_CACHE_BYTES to resist false sharing */
75830 - sbinfo = kzalloc(max((int)sizeof(struct shmem_sb_info),
75831 - L1_CACHE_BYTES), GFP_KERNEL);
75832 + sbinfo = kzalloc(max(sizeof(struct shmem_sb_info), L1_CACHE_BYTES), GFP_KERNEL);
75833 if (!sbinfo)
75834 return -ENOMEM;
75835
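Review bot: Dropping the `(int)` cast leaves `max()` comparing a `size_t` with `L1_CACHE_BYTES`. The kernel's `max()` warns when its two arguments differ in type, so this only builds cleanly if `L1_CACHE_BYTES` has exactly the type of `size_t` on every architecture, which is not visible here. `max_t(size_t, sizeof(struct shmem_sb_info), L1_CACHE_BYTES)` states the intended type and removes that dependency.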
75836 diff -urNp linux-2.6.32.49/mm/slab.c linux-2.6.32.49/mm/slab.c
75837 --- linux-2.6.32.49/mm/slab.c 2011-11-08 19:02:43.000000000 -0500
75838 +++ linux-2.6.32.49/mm/slab.c 2011-11-18 18:01:52.000000000 -0500
75839 @@ -174,7 +174,7 @@
75840
75841 /* Legal flag mask for kmem_cache_create(). */
75842 #if DEBUG
75843 -# define CREATE_MASK (SLAB_RED_ZONE | \
75844 +# define CREATE_MASK (SLAB_USERCOPY | SLAB_RED_ZONE | \
75845 SLAB_POISON | SLAB_HWCACHE_ALIGN | \
75846 SLAB_CACHE_DMA | \
75847 SLAB_STORE_USER | \
75848 @@ -182,7 +182,7 @@
75849 SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
75850 SLAB_DEBUG_OBJECTS | SLAB_NOLEAKTRACE | SLAB_NOTRACK)
75851 #else
75852 -# define CREATE_MASK (SLAB_HWCACHE_ALIGN | \
75853 +# define CREATE_MASK (SLAB_USERCOPY | SLAB_HWCACHE_ALIGN | \
75854 SLAB_CACHE_DMA | \
75855 SLAB_RECLAIM_ACCOUNT | SLAB_PANIC | \
75856 SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
75857 @@ -308,7 +308,7 @@ struct kmem_list3 {
75858 * Need this for bootstrapping a per node allocator.
75859 */
75860 #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
75861 -struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
75862 +struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
75863 #define CACHE_CACHE 0
75864 #define SIZE_AC MAX_NUMNODES
75865 #define SIZE_L3 (2 * MAX_NUMNODES)
75866 @@ -409,10 +409,10 @@ static void kmem_list3_init(struct kmem_
75867 if ((x)->max_freeable < i) \
75868 (x)->max_freeable = i; \
75869 } while (0)
75870 -#define STATS_INC_ALLOCHIT(x) atomic_inc(&(x)->allochit)
75871 -#define STATS_INC_ALLOCMISS(x) atomic_inc(&(x)->allocmiss)
75872 -#define STATS_INC_FREEHIT(x) atomic_inc(&(x)->freehit)
75873 -#define STATS_INC_FREEMISS(x) atomic_inc(&(x)->freemiss)
75874 +#define STATS_INC_ALLOCHIT(x) atomic_inc_unchecked(&(x)->allochit)
75875 +#define STATS_INC_ALLOCMISS(x) atomic_inc_unchecked(&(x)->allocmiss)
75876 +#define STATS_INC_FREEHIT(x) atomic_inc_unchecked(&(x)->freehit)
75877 +#define STATS_INC_FREEMISS(x) atomic_inc_unchecked(&(x)->freemiss)
75878 #else
75879 #define STATS_INC_ACTIVE(x) do { } while (0)
75880 #define STATS_DEC_ACTIVE(x) do { } while (0)
75881 @@ -558,7 +558,7 @@ static inline void *index_to_obj(struct
75882 * reciprocal_divide(offset, cache->reciprocal_buffer_size)
75883 */
75884 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
75885 - const struct slab *slab, void *obj)
75886 + const struct slab *slab, const void *obj)
75887 {
75888 u32 offset = (obj - slab->s_mem);
75889 return reciprocal_divide(offset, cache->reciprocal_buffer_size);
75890 @@ -1453,7 +1453,7 @@ void __init kmem_cache_init(void)
75891 sizes[INDEX_AC].cs_cachep = kmem_cache_create(names[INDEX_AC].name,
75892 sizes[INDEX_AC].cs_size,
75893 ARCH_KMALLOC_MINALIGN,
75894 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
75895 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
75896 NULL);
75897
75898 if (INDEX_AC != INDEX_L3) {
75899 @@ -1461,7 +1461,7 @@ void __init kmem_cache_init(void)
75900 kmem_cache_create(names[INDEX_L3].name,
75901 sizes[INDEX_L3].cs_size,
75902 ARCH_KMALLOC_MINALIGN,
75903 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
75904 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
75905 NULL);
75906 }
75907
75908 @@ -1479,7 +1479,7 @@ void __init kmem_cache_init(void)
75909 sizes->cs_cachep = kmem_cache_create(names->name,
75910 sizes->cs_size,
75911 ARCH_KMALLOC_MINALIGN,
75912 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
75913 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
75914 NULL);
75915 }
75916 #ifdef CONFIG_ZONE_DMA
75917 @@ -4211,10 +4211,10 @@ static int s_show(struct seq_file *m, vo
75918 }
75919 /* cpu stats */
75920 {
75921 - unsigned long allochit = atomic_read(&cachep->allochit);
75922 - unsigned long allocmiss = atomic_read(&cachep->allocmiss);
75923 - unsigned long freehit = atomic_read(&cachep->freehit);
75924 - unsigned long freemiss = atomic_read(&cachep->freemiss);
75925 + unsigned long allochit = atomic_read_unchecked(&cachep->allochit);
75926 + unsigned long allocmiss = atomic_read_unchecked(&cachep->allocmiss);
75927 + unsigned long freehit = atomic_read_unchecked(&cachep->freehit);
75928 + unsigned long freemiss = atomic_read_unchecked(&cachep->freemiss);
75929
75930 seq_printf(m, " : cpustat %6lu %6lu %6lu %6lu",
75931 allochit, allocmiss, freehit, freemiss);
75932 @@ -4471,15 +4471,70 @@ static const struct file_operations proc
75933
75934 static int __init slab_proc_init(void)
75935 {
75936 - proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
75937 + mode_t gr_mode = S_IRUGO;
75938 +
75939 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
75940 + gr_mode = S_IRUSR;
75941 +#endif
75942 +
75943 + proc_create("slabinfo",S_IWUSR|gr_mode,NULL,&proc_slabinfo_operations);
75944 #ifdef CONFIG_DEBUG_SLAB_LEAK
75945 - proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
75946 + proc_create("slab_allocators", gr_mode, NULL, &proc_slabstats_operations);
75947 #endif
75948 return 0;
75949 }
75950 module_init(slab_proc_init);
75951 #endif
75952
75953 +void check_object_size(const void *ptr, unsigned long n, bool to)
75954 +{
75955 +
75956 +#ifdef CONFIG_PAX_USERCOPY
75957 + struct page *page;
75958 + struct kmem_cache *cachep = NULL;
75959 + struct slab *slabp;
75960 + unsigned int objnr;
75961 + unsigned long offset;
75962 + const char *type;
75963 +
75964 + if (!n)
75965 + return;
75966 +
75967 + type = "<null>";
75968 + if (ZERO_OR_NULL_PTR(ptr))
75969 + goto report;
75970 +
75971 + if (!virt_addr_valid(ptr))
75972 + return;
75973 +
75974 + page = virt_to_head_page(ptr);
75975 +
75976 + type = "<process stack>";
75977 + if (!PageSlab(page)) {
75978 + if (object_is_on_stack(ptr, n) == -1)
75979 + goto report;
75980 + return;
75981 + }
75982 +
75983 + cachep = page_get_cache(page);
75984 + type = cachep->name;
75985 + if (!(cachep->flags & SLAB_USERCOPY))
75986 + goto report;
75987 +
75988 + slabp = page_get_slab(page);
75989 + objnr = obj_to_index(cachep, slabp, ptr);
75990 + BUG_ON(objnr >= cachep->num);
75991 + offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
75992 + if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
75993 + return;
75994 +
75995 +report:
75996 + pax_report_usercopy(ptr, n, to, type);
75997 +#endif
75998 +
75999 +}
76000 +EXPORT_SYMBOL(check_object_size);
76001 +
76002 /**
76003 * ksize - get the actual amount of memory allocated for a given object
76004 * @objp: Pointer to the object
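Review bot: `check_object_size()` is exported without a kernel-doc comment, and neither the meaning of the `to` flag nor the silent-return cases are stated anywhere in the hunk. A header comment should say that `ptr` and `n` describe the kernel-side buffer being checked (presumably for a user copy, given CONFIG_PAX_USERCOPY), and that `to` is only passed through to `pax_report_usercopy()`. It should note that a zero length and any address failing `virt_addr_valid()` are accepted without further checks. It should also state that a slab object passes only when its cache carries `SLAB_USERCOPY` and `n` bytes from the computed offset stay within `obj_size(cachep)`.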
76005 diff -urNp linux-2.6.32.49/mm/slob.c linux-2.6.32.49/mm/slob.c
76006 --- linux-2.6.32.49/mm/slob.c 2011-11-08 19:02:43.000000000 -0500
76007 +++ linux-2.6.32.49/mm/slob.c 2011-11-18 18:01:52.000000000 -0500
76008 @@ -29,7 +29,7 @@
76009 * If kmalloc is asked for objects of PAGE_SIZE or larger, it calls
76010 * alloc_pages() directly, allocating compound pages so the page order
76011 * does not have to be separately tracked, and also stores the exact
76012 - * allocation size in page->private so that it can be used to accurately
76013 + * allocation size in slob_page->size so that it can be used to accurately
76014 * provide ksize(). These objects are detected in kfree() because slob_page()
76015 * is false for them.
76016 *
76017 @@ -58,6 +58,7 @@
76018 */
76019
76020 #include <linux/kernel.h>
76021 +#include <linux/sched.h>
76022 #include <linux/slab.h>
76023 #include <linux/mm.h>
76024 #include <linux/swap.h> /* struct reclaim_state */
76025 @@ -100,7 +101,8 @@ struct slob_page {
76026 unsigned long flags; /* mandatory */
76027 atomic_t _count; /* mandatory */
76028 slobidx_t units; /* free units left in page */
76029 - unsigned long pad[2];
76030 + unsigned long pad[1];
76031 + unsigned long size; /* size when >=PAGE_SIZE */
76032 slob_t *free; /* first free slob_t in page */
76033 struct list_head list; /* linked list of free pages */
76034 };
76035 @@ -133,7 +135,7 @@ static LIST_HEAD(free_slob_large);
76036 */
76037 static inline int is_slob_page(struct slob_page *sp)
76038 {
76039 - return PageSlab((struct page *)sp);
76040 + return PageSlab((struct page *)sp) && !sp->size;
76041 }
76042
76043 static inline void set_slob_page(struct slob_page *sp)
76044 @@ -148,7 +150,7 @@ static inline void clear_slob_page(struc
76045
76046 static inline struct slob_page *slob_page(const void *addr)
76047 {
76048 - return (struct slob_page *)virt_to_page(addr);
76049 + return (struct slob_page *)virt_to_head_page(addr);
76050 }
76051
76052 /*
76053 @@ -208,7 +210,7 @@ static void set_slob(slob_t *s, slobidx_
76054 /*
76055 * Return the size of a slob block.
76056 */
76057 -static slobidx_t slob_units(slob_t *s)
76058 +static slobidx_t slob_units(const slob_t *s)
76059 {
76060 if (s->units > 0)
76061 return s->units;
76062 @@ -218,7 +220,7 @@ static slobidx_t slob_units(slob_t *s)
76063 /*
76064 * Return the next free slob block pointer after this one.
76065 */
76066 -static slob_t *slob_next(slob_t *s)
76067 +static slob_t *slob_next(const slob_t *s)
76068 {
76069 slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
76070 slobidx_t next;
76071 @@ -233,7 +235,7 @@ static slob_t *slob_next(slob_t *s)
76072 /*
76073 * Returns true if s is the last free block in its page.
76074 */
76075 -static int slob_last(slob_t *s)
76076 +static int slob_last(const slob_t *s)
76077 {
76078 return !((unsigned long)slob_next(s) & ~PAGE_MASK);
76079 }
76080 @@ -252,6 +254,7 @@ static void *slob_new_pages(gfp_t gfp, i
76081 if (!page)
76082 return NULL;
76083
76084 + set_slob_page(page);
76085 return page_address(page);
76086 }
76087
76088 @@ -368,11 +371,11 @@ static void *slob_alloc(size_t size, gfp
76089 if (!b)
76090 return NULL;
76091 sp = slob_page(b);
76092 - set_slob_page(sp);
76093
76094 spin_lock_irqsave(&slob_lock, flags);
76095 sp->units = SLOB_UNITS(PAGE_SIZE);
76096 sp->free = b;
76097 + sp->size = 0;
76098 INIT_LIST_HEAD(&sp->list);
76099 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
76100 set_slob_page_free(sp, slob_list);
76101 @@ -475,10 +478,9 @@ out:
76102 #define ARCH_SLAB_MINALIGN __alignof__(unsigned long)
76103 #endif
76104
76105 -void *__kmalloc_node(size_t size, gfp_t gfp, int node)
76106 +static void *__kmalloc_node_align(size_t size, gfp_t gfp, int node, int align)
76107 {
76108 - unsigned int *m;
76109 - int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
76110 + slob_t *m;
76111 void *ret;
76112
76113 lockdep_trace_alloc(gfp);
76114 @@ -491,7 +493,10 @@ void *__kmalloc_node(size_t size, gfp_t
76115
76116 if (!m)
76117 return NULL;
76118 - *m = size;
76119 + BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
76120 + BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
76121 + m[0].units = size;
76122 + m[1].units = align;
76123 ret = (void *)m + align;
76124
76125 trace_kmalloc_node(_RET_IP_, ret,
76126 @@ -501,16 +506,25 @@ void *__kmalloc_node(size_t size, gfp_t
76127
76128 ret = slob_new_pages(gfp | __GFP_COMP, get_order(size), node);
76129 if (ret) {
76130 - struct page *page;
76131 - page = virt_to_page(ret);
76132 - page->private = size;
76133 + struct slob_page *sp;
76134 + sp = slob_page(ret);
76135 + sp->size = size;
76136 }
76137
76138 trace_kmalloc_node(_RET_IP_, ret,
76139 size, PAGE_SIZE << order, gfp, node);
76140 }
76141
76142 - kmemleak_alloc(ret, size, 1, gfp);
76143 + return ret;
76144 +}
76145 +
76146 +void *__kmalloc_node(size_t size, gfp_t gfp, int node)
76147 +{
76148 + int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
76149 + void *ret = __kmalloc_node_align(size, gfp, node, align);
76150 +
76151 + if (!ZERO_OR_NULL_PTR(ret))
76152 + kmemleak_alloc(ret, size, 1, gfp);
76153 return ret;
76154 }
76155 EXPORT_SYMBOL(__kmalloc_node);
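Review bot: `trace_kmalloc_node(_RET_IP_, ...)` now sits inside the static helper `__kmalloc_node_align()`, so unless the compiler inlines the helper, the recorded call site becomes `__kmalloc_node()` itself rather than its caller. Marking the helper `__always_inline`, or passing the caller's address in as a parameter, keeps the trace pointing at the real allocation site. The helper's body begins in the previous hunk.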
76156 @@ -528,13 +542,92 @@ void kfree(const void *block)
76157 sp = slob_page(block);
76158 if (is_slob_page(sp)) {
76159 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
76160 - unsigned int *m = (unsigned int *)(block - align);
76161 - slob_free(m, *m + align);
76162 - } else
76163 + slob_t *m = (slob_t *)(block - align);
76164 + slob_free(m, m[0].units + align);
76165 + } else {
76166 + clear_slob_page(sp);
76167 + free_slob_page(sp);
76168 + sp->size = 0;
76169 put_page(&sp->page);
76170 + }
76171 }
76172 EXPORT_SYMBOL(kfree);
76173
76174 +void check_object_size(const void *ptr, unsigned long n, bool to)
76175 +{
76176 +
76177 +#ifdef CONFIG_PAX_USERCOPY
76178 + struct slob_page *sp;
76179 + const slob_t *free;
76180 + const void *base;
76181 + unsigned long flags;
76182 + const char *type;
76183 +
76184 + if (!n)
76185 + return;
76186 +
76187 + type = "<null>";
76188 + if (ZERO_OR_NULL_PTR(ptr))
76189 + goto report;
76190 +
76191 + if (!virt_addr_valid(ptr))
76192 + return;
76193 +
76194 + type = "<process stack>";
76195 + sp = slob_page(ptr);
76196 + if (!PageSlab((struct page*)sp)) {
76197 + if (object_is_on_stack(ptr, n) == -1)
76198 + goto report;
76199 + return;
76200 + }
76201 +
76202 + type = "<slob>";
76203 + if (sp->size) {
76204 + base = page_address(&sp->page);
76205 + if (base <= ptr && n <= sp->size - (ptr - base))
76206 + return;
76207 + goto report;
76208 + }
76209 +
76210 + /* some tricky double walking to find the chunk */
76211 + spin_lock_irqsave(&slob_lock, flags);
76212 + base = (void *)((unsigned long)ptr & PAGE_MASK);
76213 + free = sp->free;
76214 +
76215 + while (!slob_last(free) && (void *)free <= ptr) {
76216 + base = free + slob_units(free);
76217 + free = slob_next(free);
76218 + }
76219 +
76220 + while (base < (void *)free) {
76221 + slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
76222 + int size = SLOB_UNIT * SLOB_UNITS(m + align);
76223 + int offset;
76224 +
76225 + if (ptr < base + align)
76226 + break;
76227 +
76228 + offset = ptr - base - align;
76229 + if (offset >= m) {
76230 + base += size;
76231 + continue;
76232 + }
76233 +
76234 + if (n > m - offset)
76235 + break;
76236 +
76237 + spin_unlock_irqrestore(&slob_lock, flags);
76238 + return;
76239 + }
76240 +
76241 + spin_unlock_irqrestore(&slob_lock, flags);
76242 +report:
76243 + pax_report_usercopy(ptr, n, to, type);
76244 +#endif
76245 +
76246 +}
76247 +EXPORT_SYMBOL(check_object_size);
76248 +
76249 /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
76250 size_t ksize(const void *block)
76251 {
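Review bot: The comment `/* some tricky double walking to find the chunk */` in the SLOB `check_object_size()` does not state the invariant the second loop depends on. Every allocated chunk in the page must begin with the two-slot header (`m[0].units` = size, `m[1].units` = align) written by `__kmalloc_node_align()`, otherwise `((slob_t *)base)[0].units` reads object data. I would replace it with a short block comment saying that the first loop moves `base` to the end of the last free block at or below `ptr`, and the second steps through the headed chunks from `base` up to the next free block until it finds the one containing `ptr`. It is also not clear from the hunk how an object lying after the last free block in the page is handled, since the first loop stops at `slob_last(free)` without moving `base` past that block; a sentence on that case would help.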
76252 @@ -547,10 +640,10 @@ size_t ksize(const void *block)
76253 sp = slob_page(block);
76254 if (is_slob_page(sp)) {
76255 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
76256 - unsigned int *m = (unsigned int *)(block - align);
76257 - return SLOB_UNITS(*m) * SLOB_UNIT;
76258 + slob_t *m = (slob_t *)(block - align);
76259 + return SLOB_UNITS(m[0].units) * SLOB_UNIT;
76260 } else
76261 - return sp->page.private;
76262 + return sp->size;
76263 }
76264 EXPORT_SYMBOL(ksize);
76265
76266 @@ -566,8 +659,13 @@ struct kmem_cache *kmem_cache_create(con
76267 {
76268 struct kmem_cache *c;
76269
76270 +#ifdef CONFIG_PAX_USERCOPY
76271 + c = __kmalloc_node_align(sizeof(struct kmem_cache),
76272 + GFP_KERNEL, -1, ARCH_KMALLOC_MINALIGN);
76273 +#else
76274 c = slob_alloc(sizeof(struct kmem_cache),
76275 GFP_KERNEL, ARCH_KMALLOC_MINALIGN, -1);
76276 +#endif
76277
76278 if (c) {
76279 c->name = name;
76280 @@ -605,17 +703,25 @@ void *kmem_cache_alloc_node(struct kmem_
76281 {
76282 void *b;
76283
76284 +#ifdef CONFIG_PAX_USERCOPY
76285 + b = __kmalloc_node_align(c->size, flags, node, c->align);
76286 +#else
76287 if (c->size < PAGE_SIZE) {
76288 b = slob_alloc(c->size, flags, c->align, node);
76289 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
76290 SLOB_UNITS(c->size) * SLOB_UNIT,
76291 flags, node);
76292 } else {
76293 + struct slob_page *sp;
76294 +
76295 b = slob_new_pages(flags, get_order(c->size), node);
76296 + sp = slob_page(b);
76297 + sp->size = c->size;
76298 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
76299 PAGE_SIZE << get_order(c->size),
76300 flags, node);
76301 }
76302 +#endif
76303
76304 if (c->ctor)
76305 c->ctor(b);
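Review bot: In the non-PAX_USERCOPY branch the large-object path stores `sp->size = c->size` without checking that `slob_new_pages()` succeeded, so a failed allocation reaches `slob_page(b)` with `b == NULL`. The kmalloc path earlier in this patch guards the same store with `if (ret)`; do the same here, e.g. `if (b) slob_page(b)->size = c->size;`. The `c->ctor(b)` call in the trailing context is likewise reached with a NULL `b` from either branch, which predates this change but is worth guarding at the same time. The function body starts and ends outside the hunk.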
76306 @@ -627,10 +733,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
76307
76308 static void __kmem_cache_free(void *b, int size)
76309 {
76310 - if (size < PAGE_SIZE)
76311 + struct slob_page *sp = slob_page(b);
76312 +
76313 + if (is_slob_page(sp))
76314 slob_free(b, size);
76315 - else
76316 + else {
76317 + clear_slob_page(sp);
76318 + free_slob_page(sp);
76319 + sp->size = 0;
76320 slob_free_pages(b, get_order(size));
76321 + }
76322 }
76323
76324 static void kmem_rcu_free(struct rcu_head *head)
76325 @@ -643,18 +755,32 @@ static void kmem_rcu_free(struct rcu_hea
76326
76327 void kmem_cache_free(struct kmem_cache *c, void *b)
76328 {
76329 + int size = c->size;
76330 +
76331 +#ifdef CONFIG_PAX_USERCOPY
76332 + if (size + c->align < PAGE_SIZE) {
76333 + size += c->align;
76334 + b -= c->align;
76335 + }
76336 +#endif
76337 +
76338 kmemleak_free_recursive(b, c->flags);
76339 if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
76340 struct slob_rcu *slob_rcu;
76341 - slob_rcu = b + (c->size - sizeof(struct slob_rcu));
76342 + slob_rcu = b + (size - sizeof(struct slob_rcu));
76343 INIT_RCU_HEAD(&slob_rcu->head);
76344 - slob_rcu->size = c->size;
76345 + slob_rcu->size = size;
76346 call_rcu(&slob_rcu->head, kmem_rcu_free);
76347 } else {
76348 - __kmem_cache_free(b, c->size);
76349 + __kmem_cache_free(b, size);
76350 }
76351
76352 +#ifdef CONFIG_PAX_USERCOPY
76353 + trace_kfree(_RET_IP_, b);
76354 +#else
76355 trace_kmem_cache_free(_RET_IP_, b);
76356 +#endif
76357 +
76358 }
76359 EXPORT_SYMBOL(kmem_cache_free);
76360
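Review bot: With CONFIG_PAX_USERCOPY, `b` is moved back by `c->align` before `kmemleak_free_recursive(b, c->flags)` and `trace_kfree(_RET_IP_, b)`, so both receive the header address rather than the pointer the caller was given. `__kmalloc_node_align()` traces `ret = (void *)m + align`, so allocation and free events for the same small object no longer carry the same address. If the allocation side also registers the object pointer with kmemleak (not visible in this hunk), the free would miss that record as well. Keep the caller's pointer for reporting and use the adjusted one only for the allocator: call `kmemleak_free_recursive(b, c->flags);` before the `#ifdef CONFIG_PAX_USERCOPY` adjustment, and pass a saved copy of the original pointer to `trace_kfree()`.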
76361 diff -urNp linux-2.6.32.49/mm/slub.c linux-2.6.32.49/mm/slub.c
76362 --- linux-2.6.32.49/mm/slub.c 2011-11-08 19:02:43.000000000 -0500
76363 +++ linux-2.6.32.49/mm/slub.c 2011-11-18 18:01:52.000000000 -0500
76364 @@ -201,7 +201,7 @@ struct track {
76365
76366 enum track_item { TRACK_ALLOC, TRACK_FREE };
76367
76368 -#ifdef CONFIG_SLUB_DEBUG
76369 +#if defined(CONFIG_SLUB_DEBUG) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
76370 static int sysfs_slab_add(struct kmem_cache *);
76371 static int sysfs_slab_alias(struct kmem_cache *, const char *);
76372 static void sysfs_slab_remove(struct kmem_cache *);
76373 @@ -410,7 +410,7 @@ static void print_track(const char *s, s
76374 if (!t->addr)
76375 return;
76376
76377 - printk(KERN_ERR "INFO: %s in %pS age=%lu cpu=%u pid=%d\n",
76378 + printk(KERN_ERR "INFO: %s in %pA age=%lu cpu=%u pid=%d\n",
76379 s, (void *)t->addr, jiffies - t->when, t->cpu, t->pid);
76380 }
76381
76382 @@ -1893,6 +1893,8 @@ void kmem_cache_free(struct kmem_cache *
76383
76384 page = virt_to_head_page(x);
76385
76386 + BUG_ON(!PageSlab(page));
76387 +
76388 slab_free(s, page, x, _RET_IP_);
76389
76390 trace_kmem_cache_free(_RET_IP_, x);
76391 @@ -1937,7 +1939,7 @@ static int slub_min_objects;
76392 * Merge control. If this is set then no merging of slab caches will occur.
76393 * (Could be removed. This was introduced to pacify the merge skeptics.)
76394 */
76395 -static int slub_nomerge;
76396 +static int slub_nomerge = 1;
76397
76398 /*
76399 * Calculate the order of allocation given an slab object size.
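Review bot: The comment above `slub_nomerge` still describes an opt-in switch, but with `= 1` merging is off by default. The `slub_nomerge` boot parameter presumably only sets the same value, so it can no longer change the behaviour. Update the comment to say that merging is now disabled unconditionally and give the reason, for example `/* Merging is disabled by default: merged caches share slabs between unrelated object types. */`. That rationale is my reading rather than something the hunk states, so adjust it to the intended one.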
76400 @@ -2493,7 +2495,7 @@ static int kmem_cache_open(struct kmem_c
76401 * list to avoid pounding the page allocator excessively.
76402 */
76403 set_min_partial(s, ilog2(s->size));
76404 - s->refcount = 1;
76405 + atomic_set(&s->refcount, 1);
76406 #ifdef CONFIG_NUMA
76407 s->remote_node_defrag_ratio = 1000;
76408 #endif
76409 @@ -2630,8 +2632,7 @@ static inline int kmem_cache_close(struc
76410 void kmem_cache_destroy(struct kmem_cache *s)
76411 {
76412 down_write(&slub_lock);
76413 - s->refcount--;
76414 - if (!s->refcount) {
76415 + if (atomic_dec_and_test(&s->refcount)) {
76416 list_del(&s->list);
76417 up_write(&slub_lock);
76418 if (kmem_cache_close(s)) {
76419 @@ -2691,12 +2692,10 @@ static int __init setup_slub_nomerge(cha
76420 __setup("slub_nomerge", setup_slub_nomerge);
76421
76422 static struct kmem_cache *create_kmalloc_cache(struct kmem_cache *s,
76423 - const char *name, int size, gfp_t gfp_flags)
76424 + const char *name, int size, gfp_t gfp_flags, unsigned int flags)
76425 {
76426 - unsigned int flags = 0;
76427 -
76428 if (gfp_flags & SLUB_DMA)
76429 - flags = SLAB_CACHE_DMA;
76430 + flags |= SLAB_CACHE_DMA;
76431
76432 /*
76433 * This function is called with IRQs disabled during early-boot on
76434 @@ -2915,6 +2914,50 @@ void *__kmalloc_node(size_t size, gfp_t
76435 EXPORT_SYMBOL(__kmalloc_node);
76436 #endif
76437
76438 +void check_object_size(const void *ptr, unsigned long n, bool to)
76439 +{
76440 +
76441 +#ifdef CONFIG_PAX_USERCOPY
76442 + struct page *page;
76443 + struct kmem_cache *s = NULL;
76444 + unsigned long offset;
76445 + const char *type;
76446 +
76447 + if (!n)
76448 + return;
76449 +
76450 + type = "<null>";
76451 + if (ZERO_OR_NULL_PTR(ptr))
76452 + goto report;
76453 +
76454 + if (!virt_addr_valid(ptr))
76455 + return;
76456 +
76457 + page = get_object_page(ptr);
76458 +
76459 + type = "<process stack>";
76460 + if (!page) {
76461 + if (object_is_on_stack(ptr, n) == -1)
76462 + goto report;
76463 + return;
76464 + }
76465 +
76466 + s = page->slab;
76467 + type = s->name;
76468 + if (!(s->flags & SLAB_USERCOPY))
76469 + goto report;
76470 +
76471 + offset = (ptr - page_address(page)) % s->size;
76472 + if (offset <= s->objsize && n <= s->objsize - offset)
76473 + return;
76474 +
76475 +report:
76476 + pax_report_usercopy(ptr, n, to, type);
76477 +#endif
76478 +
76479 +}
76480 +EXPORT_SYMBOL(check_object_size);
76481 +
76482 size_t ksize(const void *object)
76483 {
76484 struct page *page;
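Review bot: `check_object_size()` is exported here with no comment describing its contract, and the same holds for the SLOB variant in mm/slob.c. A kernel-doc block should say that `ptr` and `n` describe the kernel side of a user copy and that `to` is passed through to `pax_report_usercopy()`. It should also say that for slab memory the copy is accepted only when the cache has `SLAB_USERCOPY` set and `offset + n` stays within `s->objsize` of a single object. A third point to record is that an address for which `get_object_page()` returns NULL is only checked against the stack via `object_is_on_stack()`. The `= NULL` initialiser on `s` is never read before `s = page->slab` and can be dropped.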
76485 @@ -3185,8 +3228,8 @@ void __init kmem_cache_init(void)
76486 * kmem_cache_open for slab_state == DOWN.
76487 */
76488 create_kmalloc_cache(&kmalloc_caches[0], "kmem_cache_node",
76489 - sizeof(struct kmem_cache_node), GFP_NOWAIT);
76490 - kmalloc_caches[0].refcount = -1;
76491 + sizeof(struct kmem_cache_node), GFP_NOWAIT, 0);
76492 + atomic_set(&kmalloc_caches[0].refcount, -1);
76493 caches++;
76494
76495 hotplug_memory_notifier(slab_memory_callback, SLAB_CALLBACK_PRI);
76496 @@ -3198,18 +3241,18 @@ void __init kmem_cache_init(void)
76497 /* Caches that are not of the two-to-the-power-of size */
76498 if (KMALLOC_MIN_SIZE <= 32) {
76499 create_kmalloc_cache(&kmalloc_caches[1],
76500 - "kmalloc-96", 96, GFP_NOWAIT);
76501 + "kmalloc-96", 96, GFP_NOWAIT, SLAB_USERCOPY);
76502 caches++;
76503 }
76504 if (KMALLOC_MIN_SIZE <= 64) {
76505 create_kmalloc_cache(&kmalloc_caches[2],
76506 - "kmalloc-192", 192, GFP_NOWAIT);
76507 + "kmalloc-192", 192, GFP_NOWAIT, SLAB_USERCOPY);
76508 caches++;
76509 }
76510
76511 for (i = KMALLOC_SHIFT_LOW; i < SLUB_PAGE_SHIFT; i++) {
76512 create_kmalloc_cache(&kmalloc_caches[i],
76513 - "kmalloc", 1 << i, GFP_NOWAIT);
76514 + "kmalloc", 1 << i, GFP_NOWAIT, SLAB_USERCOPY);
76515 caches++;
76516 }
76517
76518 @@ -3293,7 +3336,7 @@ static int slab_unmergeable(struct kmem_
76519 /*
76520 * We may have set a slab to be unmergeable during bootstrap.
76521 */
76522 - if (s->refcount < 0)
76523 + if (atomic_read(&s->refcount) < 0)
76524 return 1;
76525
76526 return 0;
76527 @@ -3353,7 +3396,7 @@ struct kmem_cache *kmem_cache_create(con
76528 if (s) {
76529 int cpu;
76530
76531 - s->refcount++;
76532 + atomic_inc(&s->refcount);
76533 /*
76534 * Adjust the object sizes so that we clear
76535 * the complete object on kzalloc.
76536 @@ -3372,7 +3415,7 @@ struct kmem_cache *kmem_cache_create(con
76537
76538 if (sysfs_slab_alias(s, name)) {
76539 down_write(&slub_lock);
76540 - s->refcount--;
76541 + atomic_dec(&s->refcount);
76542 up_write(&slub_lock);
76543 goto err;
76544 }
76545 @@ -4101,7 +4144,7 @@ SLAB_ATTR_RO(ctor);
76546
76547 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
76548 {
76549 - return sprintf(buf, "%d\n", s->refcount - 1);
76550 + return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
76551 }
76552 SLAB_ATTR_RO(aliases);
76553
76554 @@ -4503,7 +4546,7 @@ static void kmem_cache_release(struct ko
76555 kfree(s);
76556 }
76557
76558 -static struct sysfs_ops slab_sysfs_ops = {
76559 +static const struct sysfs_ops slab_sysfs_ops = {
76560 .show = slab_attr_show,
76561 .store = slab_attr_store,
76562 };
76563 @@ -4522,7 +4565,7 @@ static int uevent_filter(struct kset *ks
76564 return 0;
76565 }
76566
76567 -static struct kset_uevent_ops slab_uevent_ops = {
76568 +static const struct kset_uevent_ops slab_uevent_ops = {
76569 .filter = uevent_filter,
76570 };
76571
76572 @@ -4564,6 +4607,7 @@ static char *create_unique_id(struct kme
76573 return name;
76574 }
76575
76576 +#if defined(CONFIG_SLUB_DEBUG) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
76577 static int sysfs_slab_add(struct kmem_cache *s)
76578 {
76579 int err;
76580 @@ -4619,6 +4663,7 @@ static void sysfs_slab_remove(struct kme
76581 kobject_del(&s->kobj);
76582 kobject_put(&s->kobj);
76583 }
76584 +#endif
76585
76586 /*
76587 * Need to buffer aliases during bootup until sysfs becomes
76588 @@ -4632,6 +4677,7 @@ struct saved_alias {
76589
76590 static struct saved_alias *alias_list;
76591
76592 +#if defined(CONFIG_SLUB_DEBUG) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
76593 static int sysfs_slab_alias(struct kmem_cache *s, const char *name)
76594 {
76595 struct saved_alias *al;
76596 @@ -4654,6 +4700,7 @@ static int sysfs_slab_alias(struct kmem_
76597 alias_list = al;
76598 return 0;
76599 }
76600 +#endif
76601
76602 static int __init slab_sysfs_init(void)
76603 {
76604 @@ -4785,7 +4832,13 @@ static const struct file_operations proc
76605
76606 static int __init slab_proc_init(void)
76607 {
76608 - proc_create("slabinfo", S_IRUGO, NULL, &proc_slabinfo_operations);
76609 + mode_t gr_mode = S_IRUGO;
76610 +
76611 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
76612 + gr_mode = S_IRUSR;
76613 +#endif
76614 +
76615 + proc_create("slabinfo", gr_mode, NULL, &proc_slabinfo_operations);
76616 return 0;
76617 }
76618 module_init(slab_proc_init);
76619 diff -urNp linux-2.6.32.49/mm/swap.c linux-2.6.32.49/mm/swap.c
76620 --- linux-2.6.32.49/mm/swap.c 2011-11-08 19:02:43.000000000 -0500
76621 +++ linux-2.6.32.49/mm/swap.c 2011-11-15 19:59:43.000000000 -0500
76622 @@ -30,6 +30,7 @@
76623 #include <linux/notifier.h>
76624 #include <linux/backing-dev.h>
76625 #include <linux/memcontrol.h>
76626 +#include <linux/hugetlb.h>
76627
76628 #include "internal.h"
76629
76630 @@ -65,6 +66,8 @@ static void put_compound_page(struct pag
76631 compound_page_dtor *dtor;
76632
76633 dtor = get_compound_page_dtor(page);
76634 + if (!PageHuge(page))
76635 + BUG_ON(dtor != free_compound_page);
76636 (*dtor)(page);
76637 }
76638 }
76639 diff -urNp linux-2.6.32.49/mm/util.c linux-2.6.32.49/mm/util.c
76640 --- linux-2.6.32.49/mm/util.c 2011-11-08 19:02:43.000000000 -0500
76641 +++ linux-2.6.32.49/mm/util.c 2011-11-15 19:59:43.000000000 -0500
76642 @@ -228,6 +228,12 @@ EXPORT_SYMBOL(strndup_user);
76643 void arch_pick_mmap_layout(struct mm_struct *mm)
76644 {
76645 mm->mmap_base = TASK_UNMAPPED_BASE;
76646 +
76647 +#ifdef CONFIG_PAX_RANDMMAP
76648 + if (mm->pax_flags & MF_PAX_RANDMMAP)
76649 + mm->mmap_base += mm->delta_mmap;
76650 +#endif
76651 +
76652 mm->get_unmapped_area = arch_get_unmapped_area;
76653 mm->unmap_area = arch_unmap_area;
76654 }
76655 diff -urNp linux-2.6.32.49/mm/vmalloc.c linux-2.6.32.49/mm/vmalloc.c
76656 --- linux-2.6.32.49/mm/vmalloc.c 2011-11-26 19:44:53.000000000 -0500
76657 +++ linux-2.6.32.49/mm/vmalloc.c 2011-11-26 19:49:57.000000000 -0500
76658 @@ -40,8 +40,19 @@ static void vunmap_pte_range(pmd_t *pmd,
76659
76660 pte = pte_offset_kernel(pmd, addr);
76661 do {
76662 - pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
76663 - WARN_ON(!pte_none(ptent) && !pte_present(ptent));
76664 +
76665 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
76666 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
76667 + BUG_ON(!pte_exec(*pte));
76668 + set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
76669 + continue;
76670 + }
76671 +#endif
76672 +
76673 + {
76674 + pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
76675 + WARN_ON(!pte_none(ptent) && !pte_present(ptent));
76676 + }
76677 } while (pte++, addr += PAGE_SIZE, addr != end);
76678 }
76679
76680 @@ -92,6 +103,7 @@ static int vmap_pte_range(pmd_t *pmd, un
76681 unsigned long end, pgprot_t prot, struct page **pages, int *nr)
76682 {
76683 pte_t *pte;
76684 + int ret = -ENOMEM;
76685
76686 /*
76687 * nr is a running index into the array which helps higher level
76688 @@ -101,17 +113,32 @@ static int vmap_pte_range(pmd_t *pmd, un
76689 pte = pte_alloc_kernel(pmd, addr);
76690 if (!pte)
76691 return -ENOMEM;
76692 +
76693 + pax_open_kernel();
76694 do {
76695 struct page *page = pages[*nr];
76696
76697 - if (WARN_ON(!pte_none(*pte)))
76698 - return -EBUSY;
76699 - if (WARN_ON(!page))
76700 - return -ENOMEM;
76701 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
76702 + if (!(pgprot_val(prot) & _PAGE_NX))
76703 + BUG_ON(!pte_exec(*pte) || pte_pfn(*pte) != __pa(addr) >> PAGE_SHIFT);
76704 + else
76705 +#endif
76706 +
76707 + if (WARN_ON(!pte_none(*pte))) {
76708 + ret = -EBUSY;
76709 + goto out;
76710 + }
76711 + if (WARN_ON(!page)) {
76712 + ret = -ENOMEM;
76713 + goto out;
76714 + }
76715 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
76716 (*nr)++;
76717 } while (pte++, addr += PAGE_SIZE, addr != end);
76718 - return 0;
76719 + ret = 0;
76720 +out:
76721 + pax_close_kernel();
76722 + return ret;
76723 }
76724
76725 static int vmap_pmd_range(pud_t *pud, unsigned long addr,
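Review bot: The `else` left dangling before `#endif` binds only to the `if (WARN_ON(!pte_none(*pte)))` statement after the blank line. On the KERNEXEC path only the `pte_none()` check is skipped, so the `!page` check and `set_pte_at()` still run. That appears intended, but the blank line and flat indentation make it easy to misread or to break with a later edit. Brace the construct or add a comment such as `/* else: only the pte_none() check is skipped */`. The same `else` / `#endif` pattern appears in the `__vmalloc_node()` hunk further down.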
76726 @@ -192,11 +219,20 @@ int is_vmalloc_or_module_addr(const void
76727 * and fall back on vmalloc() if that fails. Others
76728 * just put it in the vmalloc space.
76729 */
76730 -#if defined(CONFIG_MODULES) && defined(MODULES_VADDR)
76731 +#ifdef CONFIG_MODULES
76732 +#ifdef MODULES_VADDR
76733 unsigned long addr = (unsigned long)x;
76734 if (addr >= MODULES_VADDR && addr < MODULES_END)
76735 return 1;
76736 #endif
76737 +
76738 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
76739 + if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
76740 + return 1;
76741 +#endif
76742 +
76743 +#endif
76744 +
76745 return is_vmalloc_addr(x);
76746 }
76747
76748 @@ -217,8 +253,14 @@ struct page *vmalloc_to_page(const void
76749
76750 if (!pgd_none(*pgd)) {
76751 pud_t *pud = pud_offset(pgd, addr);
76752 +#ifdef CONFIG_X86
76753 + if (!pud_large(*pud))
76754 +#endif
76755 if (!pud_none(*pud)) {
76756 pmd_t *pmd = pmd_offset(pud, addr);
76757 +#ifdef CONFIG_X86
76758 + if (!pmd_large(*pmd))
76759 +#endif
76760 if (!pmd_none(*pmd)) {
76761 pte_t *ptep, pte;
76762
76763 @@ -292,13 +334,13 @@ static void __insert_vmap_area(struct vm
76764 struct rb_node *tmp;
76765
76766 while (*p) {
76767 - struct vmap_area *tmp;
76768 + struct vmap_area *varea;
76769
76770 parent = *p;
76771 - tmp = rb_entry(parent, struct vmap_area, rb_node);
76772 - if (va->va_start < tmp->va_end)
76773 + varea = rb_entry(parent, struct vmap_area, rb_node);
76774 + if (va->va_start < varea->va_end)
76775 p = &(*p)->rb_left;
76776 - else if (va->va_end > tmp->va_start)
76777 + else if (va->va_end > varea->va_start)
76778 p = &(*p)->rb_right;
76779 else
76780 BUG();
76781 @@ -1245,6 +1287,16 @@ static struct vm_struct *__get_vm_area_n
76782 struct vm_struct *area;
76783
76784 BUG_ON(in_interrupt());
76785 +
76786 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
76787 + if (flags & VM_KERNEXEC) {
76788 + if (start != VMALLOC_START || end != VMALLOC_END)
76789 + return NULL;
76790 + start = (unsigned long)MODULES_EXEC_VADDR;
76791 + end = (unsigned long)MODULES_EXEC_END;
76792 + }
76793 +#endif
76794 +
76795 if (flags & VM_IOREMAP) {
76796 int bit = fls(size);
76797
76798 @@ -1484,6 +1536,11 @@ void *vmap(struct page **pages, unsigned
76799 if (count > totalram_pages)
76800 return NULL;
76801
76802 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
76803 + if (!(pgprot_val(prot) & _PAGE_NX))
76804 + flags |= VM_KERNEXEC;
76805 +#endif
76806 +
76807 area = get_vm_area_caller((count << PAGE_SHIFT), flags,
76808 __builtin_return_address(0));
76809 if (!area)
76810 @@ -1594,6 +1651,13 @@ static void *__vmalloc_node(unsigned lon
76811 if (!size || (size >> PAGE_SHIFT) > totalram_pages)
76812 return NULL;
76813
76814 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
76815 + if (!(pgprot_val(prot) & _PAGE_NX))
76816 + area = __get_vm_area_node(size, align, VM_ALLOC | VM_UNLIST | VM_KERNEXEC,
76817 + VMALLOC_START, VMALLOC_END, node, gfp_mask, caller);
76818 + else
76819 +#endif
76820 +
76821 area = __get_vm_area_node(size, align, VM_ALLOC | VM_UNLIST,
76822 VMALLOC_START, VMALLOC_END, node,
76823 gfp_mask, caller);
76824 @@ -1619,6 +1683,7 @@ static void *__vmalloc_node(unsigned lon
76825 return addr;
76826 }
76827
76828 +#undef __vmalloc
76829 void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
76830 {
76831 return __vmalloc_node(size, 1, gfp_mask, prot, -1,
76832 @@ -1635,6 +1700,7 @@ EXPORT_SYMBOL(__vmalloc);
76833 * For tight control over page level allocator and protection flags
76834 * use __vmalloc() instead.
76835 */
76836 +#undef vmalloc
76837 void *vmalloc(unsigned long size)
76838 {
76839 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
76840 @@ -1649,6 +1715,7 @@ EXPORT_SYMBOL(vmalloc);
76841 * The resulting memory area is zeroed so it can be mapped to userspace
76842 * without leaking data.
76843 */
76844 +#undef vmalloc_user
76845 void *vmalloc_user(unsigned long size)
76846 {
76847 struct vm_struct *area;
76848 @@ -1676,6 +1743,7 @@ EXPORT_SYMBOL(vmalloc_user);
76849 * For tight control over page level allocator and protection flags
76850 * use __vmalloc() instead.
76851 */
76852 +#undef vmalloc_node
76853 void *vmalloc_node(unsigned long size, int node)
76854 {
76855 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
76856 @@ -1698,10 +1766,10 @@ EXPORT_SYMBOL(vmalloc_node);
76857 * For tight control over page level allocator and protection flags
76858 * use __vmalloc() instead.
76859 */
76860 -
76861 +#undef vmalloc_exec
76862 void *vmalloc_exec(unsigned long size)
76863 {
76864 - return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
76865 + return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
76866 -1, __builtin_return_address(0));
76867 }
76868
76869 @@ -1720,6 +1788,7 @@ void *vmalloc_exec(unsigned long size)
76870 * Allocate enough 32bit PA addressable pages to cover @size from the
76871 * page level allocator and map them into contiguous kernel virtual space.
76872 */
76873 +#undef vmalloc_32
76874 void *vmalloc_32(unsigned long size)
76875 {
76876 return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
76877 @@ -1734,6 +1803,7 @@ EXPORT_SYMBOL(vmalloc_32);
76878 * The resulting memory area is 32bit addressable and zeroed so it can be
76879 * mapped to userspace without leaking data.
76880 */
76881 +#undef vmalloc_32_user
76882 void *vmalloc_32_user(unsigned long size)
76883 {
76884 struct vm_struct *area;
76885 @@ -1998,6 +2068,8 @@ int remap_vmalloc_range(struct vm_area_s
76886 unsigned long uaddr = vma->vm_start;
76887 unsigned long usize = vma->vm_end - vma->vm_start;
76888
76889 + BUG_ON(vma->vm_mirror);
76890 +
76891 if ((PAGE_SIZE-1) & (unsigned long)addr)
76892 return -EINVAL;
76893
76894 diff -urNp linux-2.6.32.49/mm/vmstat.c linux-2.6.32.49/mm/vmstat.c
76895 --- linux-2.6.32.49/mm/vmstat.c 2011-11-08 19:02:43.000000000 -0500
76896 +++ linux-2.6.32.49/mm/vmstat.c 2011-11-15 19:59:43.000000000 -0500
76897 @@ -74,7 +74,7 @@ void vm_events_fold_cpu(int cpu)
76898 *
76899 * vm_stat contains the global counters
76900 */
76901 -atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
76902 +atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
76903 EXPORT_SYMBOL(vm_stat);
76904
76905 #ifdef CONFIG_SMP
76906 @@ -324,7 +324,7 @@ void refresh_cpu_vm_stats(int cpu)
76907 v = p->vm_stat_diff[i];
76908 p->vm_stat_diff[i] = 0;
76909 local_irq_restore(flags);
76910 - atomic_long_add(v, &zone->vm_stat[i]);
76911 + atomic_long_add_unchecked(v, &zone->vm_stat[i]);
76912 global_diff[i] += v;
76913 #ifdef CONFIG_NUMA
76914 /* 3 seconds idle till flush */
76915 @@ -362,7 +362,7 @@ void refresh_cpu_vm_stats(int cpu)
76916
76917 for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
76918 if (global_diff[i])
76919 - atomic_long_add(global_diff[i], &vm_stat[i]);
76920 + atomic_long_add_unchecked(global_diff[i], &vm_stat[i]);
76921 }
76922
76923 #endif
76924 @@ -953,10 +953,20 @@ static int __init setup_vmstat(void)
76925 start_cpu_timer(cpu);
76926 #endif
76927 #ifdef CONFIG_PROC_FS
76928 - proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
76929 - proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
76930 - proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
76931 - proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
76932 + {
76933 + mode_t gr_mode = S_IRUGO;
76934 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
76935 + gr_mode = S_IRUSR;
76936 +#endif
76937 + proc_create("buddyinfo", gr_mode, NULL, &fragmentation_file_operations);
76938 + proc_create("pagetypeinfo", gr_mode, NULL, &pagetypeinfo_file_ops);
76939 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
76940 + proc_create("vmstat", gr_mode | S_IRGRP, NULL, &proc_vmstat_file_operations);
76941 +#else
76942 + proc_create("vmstat", gr_mode, NULL, &proc_vmstat_file_operations);
76943 +#endif
76944 + proc_create("zoneinfo", gr_mode, NULL, &proc_zoneinfo_file_operations);
76945 + }
76946 #endif
76947 return 0;
76948 }
76949 diff -urNp linux-2.6.32.49/net/8021q/vlan.c linux-2.6.32.49/net/8021q/vlan.c
76950 --- linux-2.6.32.49/net/8021q/vlan.c 2011-11-08 19:02:43.000000000 -0500
76951 +++ linux-2.6.32.49/net/8021q/vlan.c 2011-11-15 19:59:43.000000000 -0500
76952 @@ -622,8 +622,7 @@ static int vlan_ioctl_handler(struct net
76953 err = -EPERM;
76954 if (!capable(CAP_NET_ADMIN))
76955 break;
76956 - if ((args.u.name_type >= 0) &&
76957 - (args.u.name_type < VLAN_NAME_TYPE_HIGHEST)) {
76958 + if (args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {
76959 struct vlan_net *vn;
76960
76961 vn = net_generic(net, vlan_net_id);
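Review bot: Dropping `args.u.name_type >= 0` leaves `args.u.name_type < VLAN_NAME_TYPE_HIGHEST` as the only bound on a value that apparently comes from the ioctl argument, which is sufficient only if the field is unsigned. Its declaration is not in the hunk, so confirm the type. A one-line comment such as `/* name_type is unsigned, so no lower bound is needed */` would keep the check from looking incomplete. The handler's body starts and ends outside the hunk.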
76962 diff -urNp linux-2.6.32.49/net/9p/trans_fd.c linux-2.6.32.49/net/9p/trans_fd.c
76963 --- linux-2.6.32.49/net/9p/trans_fd.c 2011-11-08 19:02:43.000000000 -0500
76964 +++ linux-2.6.32.49/net/9p/trans_fd.c 2011-11-15 19:59:43.000000000 -0500
76965 @@ -419,7 +419,7 @@ static int p9_fd_write(struct p9_client
76966 oldfs = get_fs();
76967 set_fs(get_ds());
76968 /* The cast to a user pointer is valid due to the set_fs() */
76969 - ret = vfs_write(ts->wr, (__force void __user *)v, len, &ts->wr->f_pos);
76970 + ret = vfs_write(ts->wr, (void __force_user *)v, len, &ts->wr->f_pos);
76971 set_fs(oldfs);
76972
76973 if (ret <= 0 && ret != -ERESTARTSYS && ret != -EAGAIN)
76974 diff -urNp linux-2.6.32.49/net/atm/atm_misc.c linux-2.6.32.49/net/atm/atm_misc.c
76975 --- linux-2.6.32.49/net/atm/atm_misc.c 2011-11-08 19:02:43.000000000 -0500
76976 +++ linux-2.6.32.49/net/atm/atm_misc.c 2011-11-15 19:59:43.000000000 -0500
76977 @@ -19,7 +19,7 @@ int atm_charge(struct atm_vcc *vcc,int t
76978 if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
76979 return 1;
76980 atm_return(vcc,truesize);
76981 - atomic_inc(&vcc->stats->rx_drop);
76982 + atomic_inc_unchecked(&vcc->stats->rx_drop);
76983 return 0;
76984 }
76985
76986 @@ -41,7 +41,7 @@ struct sk_buff *atm_alloc_charge(struct
76987 }
76988 }
76989 atm_return(vcc,guess);
76990 - atomic_inc(&vcc->stats->rx_drop);
76991 + atomic_inc_unchecked(&vcc->stats->rx_drop);
76992 return NULL;
76993 }
76994
76995 @@ -88,7 +88,7 @@ int atm_pcr_goal(const struct atm_trafpr
76996
76997 void sonet_copy_stats(struct k_sonet_stats *from,struct sonet_stats *to)
76998 {
76999 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
77000 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
77001 __SONET_ITEMS
77002 #undef __HANDLE_ITEM
77003 }
77004 @@ -96,7 +96,7 @@ void sonet_copy_stats(struct k_sonet_sta
77005
77006 void sonet_subtract_stats(struct k_sonet_stats *from,struct sonet_stats *to)
77007 {
77008 -#define __HANDLE_ITEM(i) atomic_sub(to->i,&from->i)
77009 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
77010 __SONET_ITEMS
77011 #undef __HANDLE_ITEM
77012 }
77013 diff -urNp linux-2.6.32.49/net/atm/lec.h linux-2.6.32.49/net/atm/lec.h
77014 --- linux-2.6.32.49/net/atm/lec.h 2011-11-08 19:02:43.000000000 -0500
77015 +++ linux-2.6.32.49/net/atm/lec.h 2011-11-15 19:59:43.000000000 -0500
77016 @@ -48,7 +48,7 @@ struct lane2_ops {
77017 const u8 *tlvs, u32 sizeoftlvs);
77018 void (*associate_indicator) (struct net_device *dev, const u8 *mac_addr,
77019 const u8 *tlvs, u32 sizeoftlvs);
77020 -};
77021 +} __no_const;
77022
77023 /*
77024 * ATM LAN Emulation supports both LLC & Dix Ethernet EtherType
77025 diff -urNp linux-2.6.32.49/net/atm/mpc.h linux-2.6.32.49/net/atm/mpc.h
77026 --- linux-2.6.32.49/net/atm/mpc.h 2011-11-08 19:02:43.000000000 -0500
77027 +++ linux-2.6.32.49/net/atm/mpc.h 2011-11-15 19:59:43.000000000 -0500
77028 @@ -33,7 +33,7 @@ struct mpoa_client {
77029 struct mpc_parameters parameters; /* parameters for this client */
77030
77031 const struct net_device_ops *old_ops;
77032 - struct net_device_ops new_ops;
77033 + net_device_ops_no_const new_ops;
77034 };
77035
77036
77037 diff -urNp linux-2.6.32.49/net/atm/mpoa_caches.c linux-2.6.32.49/net/atm/mpoa_caches.c
77038 --- linux-2.6.32.49/net/atm/mpoa_caches.c 2011-11-08 19:02:43.000000000 -0500
77039 +++ linux-2.6.32.49/net/atm/mpoa_caches.c 2011-11-15 19:59:43.000000000 -0500
77040 @@ -498,6 +498,8 @@ static void clear_expired(struct mpoa_cl
77041 struct timeval now;
77042 struct k_message msg;
77043
77044 + pax_track_stack();
77045 +
77046 do_gettimeofday(&now);
77047
77048 write_lock_irq(&client->egress_lock);
77049 diff -urNp linux-2.6.32.49/net/atm/proc.c linux-2.6.32.49/net/atm/proc.c
77050 --- linux-2.6.32.49/net/atm/proc.c 2011-11-08 19:02:43.000000000 -0500
77051 +++ linux-2.6.32.49/net/atm/proc.c 2011-11-15 19:59:43.000000000 -0500
77052 @@ -43,9 +43,9 @@ static void add_stats(struct seq_file *s
77053 const struct k_atm_aal_stats *stats)
77054 {
77055 seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
77056 - atomic_read(&stats->tx),atomic_read(&stats->tx_err),
77057 - atomic_read(&stats->rx),atomic_read(&stats->rx_err),
77058 - atomic_read(&stats->rx_drop));
77059 + atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
77060 + atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
77061 + atomic_read_unchecked(&stats->rx_drop));
77062 }
77063
77064 static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
77065 @@ -188,7 +188,12 @@ static void vcc_info(struct seq_file *se
77066 {
77067 struct sock *sk = sk_atm(vcc);
77068
77069 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77070 + seq_printf(seq, "%p ", NULL);
77071 +#else
77072 seq_printf(seq, "%p ", vcc);
77073 +#endif
77074 +
77075 if (!vcc->dev)
77076 seq_printf(seq, "Unassigned ");
77077 else
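Review bot: Both HIDESYM changes in this file put `#ifdef` inside the output statement, which repeats the format strings and makes the two variants easy to get out of sync. This hunk duplicates the `seq_printf()` call, and `svc_info()` in the next hunk splits the argument list in the middle of a conditional expression. A local pointer set once keeps a single call in each function: `const void *p = vcc;`, then `p = NULL;` under `CONFIG_GRKERNSEC_HIDESYM`, then `seq_printf(seq, "%p ", p);`. Both function bodies continue outside their hunks.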
77078 @@ -214,7 +219,11 @@ static void svc_info(struct seq_file *se
77079 {
77080 if (!vcc->dev)
77081 seq_printf(seq, sizeof(void *) == 4 ?
77082 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77083 + "N/A@%p%10s" : "N/A@%p%2s", NULL, "");
77084 +#else
77085 "N/A@%p%10s" : "N/A@%p%2s", vcc, "");
77086 +#endif
77087 else
77088 seq_printf(seq, "%3d %3d %5d ",
77089 vcc->dev->number, vcc->vpi, vcc->vci);
77090 diff -urNp linux-2.6.32.49/net/atm/resources.c linux-2.6.32.49/net/atm/resources.c
77091 --- linux-2.6.32.49/net/atm/resources.c 2011-11-08 19:02:43.000000000 -0500
77092 +++ linux-2.6.32.49/net/atm/resources.c 2011-11-15 19:59:43.000000000 -0500
77093 @@ -161,7 +161,7 @@ void atm_dev_deregister(struct atm_dev *
77094 static void copy_aal_stats(struct k_atm_aal_stats *from,
77095 struct atm_aal_stats *to)
77096 {
77097 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
77098 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
77099 __AAL_STAT_ITEMS
77100 #undef __HANDLE_ITEM
77101 }
77102 @@ -170,7 +170,7 @@ static void copy_aal_stats(struct k_atm_
77103 static void subtract_aal_stats(struct k_atm_aal_stats *from,
77104 struct atm_aal_stats *to)
77105 {
77106 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
77107 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
77108 __AAL_STAT_ITEMS
77109 #undef __HANDLE_ITEM
77110 }
77111 diff -urNp linux-2.6.32.49/net/bridge/br_private.h linux-2.6.32.49/net/bridge/br_private.h
77112 --- linux-2.6.32.49/net/bridge/br_private.h 2011-11-08 19:02:43.000000000 -0500
77113 +++ linux-2.6.32.49/net/bridge/br_private.h 2011-11-15 19:59:43.000000000 -0500
77114 @@ -255,7 +255,7 @@ extern void br_ifinfo_notify(int event,
77115
77116 #ifdef CONFIG_SYSFS
77117 /* br_sysfs_if.c */
77118 -extern struct sysfs_ops brport_sysfs_ops;
77119 +extern const struct sysfs_ops brport_sysfs_ops;
77120 extern int br_sysfs_addif(struct net_bridge_port *p);
77121
77122 /* br_sysfs_br.c */
77123 diff -urNp linux-2.6.32.49/net/bridge/br_stp_if.c linux-2.6.32.49/net/bridge/br_stp_if.c
77124 --- linux-2.6.32.49/net/bridge/br_stp_if.c 2011-11-08 19:02:43.000000000 -0500
77125 +++ linux-2.6.32.49/net/bridge/br_stp_if.c 2011-11-15 19:59:43.000000000 -0500
77126 @@ -146,7 +146,7 @@ static void br_stp_stop(struct net_bridg
77127 char *envp[] = { NULL };
77128
77129 if (br->stp_enabled == BR_USER_STP) {
77130 - r = call_usermodehelper(BR_STP_PROG, argv, envp, 1);
77131 + r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC);
77132 printk(KERN_INFO "%s: userspace STP stopped, return code %d\n",
77133 br->dev->name, r);
77134
77135 diff -urNp linux-2.6.32.49/net/bridge/br_sysfs_if.c linux-2.6.32.49/net/bridge/br_sysfs_if.c
77136 --- linux-2.6.32.49/net/bridge/br_sysfs_if.c 2011-11-08 19:02:43.000000000 -0500
77137 +++ linux-2.6.32.49/net/bridge/br_sysfs_if.c 2011-11-15 19:59:43.000000000 -0500
77138 @@ -220,7 +220,7 @@ static ssize_t brport_store(struct kobje
77139 return ret;
77140 }
77141
77142 -struct sysfs_ops brport_sysfs_ops = {
77143 +const struct sysfs_ops brport_sysfs_ops = {
77144 .show = brport_show,
77145 .store = brport_store,
77146 };
77147 diff -urNp linux-2.6.32.49/net/bridge/netfilter/ebtables.c linux-2.6.32.49/net/bridge/netfilter/ebtables.c
77148 --- linux-2.6.32.49/net/bridge/netfilter/ebtables.c 2011-11-08 19:02:43.000000000 -0500
77149 +++ linux-2.6.32.49/net/bridge/netfilter/ebtables.c 2011-11-15 19:59:43.000000000 -0500
77150 @@ -1337,6 +1337,8 @@ static int copy_everything_to_user(struc
77151 unsigned int entries_size, nentries;
77152 char *entries;
77153
77154 + pax_track_stack();
77155 +
77156 if (cmd == EBT_SO_GET_ENTRIES) {
77157 entries_size = t->private->entries_size;
77158 nentries = t->private->nentries;
77159 diff -urNp linux-2.6.32.49/net/can/bcm.c linux-2.6.32.49/net/can/bcm.c
77160 --- linux-2.6.32.49/net/can/bcm.c 2011-11-08 19:02:43.000000000 -0500
77161 +++ linux-2.6.32.49/net/can/bcm.c 2011-11-15 19:59:43.000000000 -0500
77162 @@ -164,9 +164,15 @@ static int bcm_proc_show(struct seq_file
77163 struct bcm_sock *bo = bcm_sk(sk);
77164 struct bcm_op *op;
77165
77166 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77167 + seq_printf(m, ">>> socket %p", NULL);
77168 + seq_printf(m, " / sk %p", NULL);
77169 + seq_printf(m, " / bo %p", NULL);
77170 +#else
77171 seq_printf(m, ">>> socket %p", sk->sk_socket);
77172 seq_printf(m, " / sk %p", sk);
77173 seq_printf(m, " / bo %p", bo);
77174 +#endif
77175 seq_printf(m, " / dropped %lu", bo->dropped_usr_msgs);
77176 seq_printf(m, " / bound %s", bcm_proc_getifname(ifname, bo->ifindex));
77177 seq_printf(m, " <<<\n");
77178 diff -urNp linux-2.6.32.49/net/compat.c linux-2.6.32.49/net/compat.c
77179 --- linux-2.6.32.49/net/compat.c 2011-11-08 19:02:43.000000000 -0500
77180 +++ linux-2.6.32.49/net/compat.c 2011-11-15 19:59:43.000000000 -0500
77181 @@ -69,9 +69,9 @@ int get_compat_msghdr(struct msghdr *kms
77182 __get_user(kmsg->msg_controllen, &umsg->msg_controllen) ||
77183 __get_user(kmsg->msg_flags, &umsg->msg_flags))
77184 return -EFAULT;
77185 - kmsg->msg_name = compat_ptr(tmp1);
77186 - kmsg->msg_iov = compat_ptr(tmp2);
77187 - kmsg->msg_control = compat_ptr(tmp3);
77188 + kmsg->msg_name = (void __force_kernel *)compat_ptr(tmp1);
77189 + kmsg->msg_iov = (void __force_kernel *)compat_ptr(tmp2);
77190 + kmsg->msg_control = (void __force_kernel *)compat_ptr(tmp3);
77191 return 0;
77192 }
77193
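Review bot: The three `__force_kernel` casts store the results of `compat_ptr()` in msghdr fields typed as kernel pointers, which quiets the checker but leaves no record that these values are still unvalidated user addresses. A comment above the assignments, e.g. `/* still user addresses; only dereference after casting back to __user */`, would state the contract that the later hunks in this file follow when they cast with `__force_user`. `msg.msg_control = (void __force_kernel *)optval;` in net/ipv4/ip_sockglue.c has the same need. The definition of `__force_kernel` is not in this chunk, so the wording assumes it is an address-space annotation only.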
77194 @@ -94,7 +94,7 @@ int verify_compat_iovec(struct msghdr *k
77195 kern_msg->msg_name = NULL;
77196
77197 tot_len = iov_from_user_compat_to_kern(kern_iov,
77198 - (struct compat_iovec __user *)kern_msg->msg_iov,
77199 + (struct compat_iovec __force_user *)kern_msg->msg_iov,
77200 kern_msg->msg_iovlen);
77201 if (tot_len >= 0)
77202 kern_msg->msg_iov = kern_iov;
77203 @@ -114,20 +114,20 @@ int verify_compat_iovec(struct msghdr *k
77204
77205 #define CMSG_COMPAT_FIRSTHDR(msg) \
77206 (((msg)->msg_controllen) >= sizeof(struct compat_cmsghdr) ? \
77207 - (struct compat_cmsghdr __user *)((msg)->msg_control) : \
77208 + (struct compat_cmsghdr __force_user *)((msg)->msg_control) : \
77209 (struct compat_cmsghdr __user *)NULL)
77210
77211 #define CMSG_COMPAT_OK(ucmlen, ucmsg, mhdr) \
77212 ((ucmlen) >= sizeof(struct compat_cmsghdr) && \
77213 (ucmlen) <= (unsigned long) \
77214 ((mhdr)->msg_controllen - \
77215 - ((char *)(ucmsg) - (char *)(mhdr)->msg_control)))
77216 + ((char __force_kernel *)(ucmsg) - (char *)(mhdr)->msg_control)))
77217
77218 static inline struct compat_cmsghdr __user *cmsg_compat_nxthdr(struct msghdr *msg,
77219 struct compat_cmsghdr __user *cmsg, int cmsg_len)
77220 {
77221 char __user *ptr = (char __user *)cmsg + CMSG_COMPAT_ALIGN(cmsg_len);
77222 - if ((unsigned long)(ptr + 1 - (char __user *)msg->msg_control) >
77223 + if ((unsigned long)(ptr + 1 - (char __force_user *)msg->msg_control) >
77224 msg->msg_controllen)
77225 return NULL;
77226 return (struct compat_cmsghdr __user *)ptr;
77227 @@ -219,7 +219,7 @@ int put_cmsg_compat(struct msghdr *kmsg,
77228 {
77229 struct compat_timeval ctv;
77230 struct compat_timespec cts[3];
77231 - struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __user *) kmsg->msg_control;
77232 + struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __force_user *) kmsg->msg_control;
77233 struct compat_cmsghdr cmhdr;
77234 int cmlen;
77235
77236 @@ -271,7 +271,7 @@ int put_cmsg_compat(struct msghdr *kmsg,
77237
77238 void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm)
77239 {
77240 - struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __user *) kmsg->msg_control;
77241 + struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __force_user *) kmsg->msg_control;
77242 int fdmax = (kmsg->msg_controllen - sizeof(struct compat_cmsghdr)) / sizeof(int);
77243 int fdnum = scm->fp->count;
77244 struct file **fp = scm->fp->fp;
77245 @@ -433,7 +433,7 @@ static int do_get_sock_timeout(struct so
77246 len = sizeof(ktime);
77247 old_fs = get_fs();
77248 set_fs(KERNEL_DS);
77249 - err = sock_getsockopt(sock, level, optname, (char *) &ktime, &len);
77250 + err = sock_getsockopt(sock, level, optname, (char __force_user *) &ktime, (int __force_user *)&len);
77251 set_fs(old_fs);
77252
77253 if (!err) {
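Review bot: The `__force_user` casts on `&ktime` and `&len` are only correct while the `set_fs(KERNEL_DS)` two lines above is in effect, and nothing at the call says so. Suggest `/* kernel buffers: acceptable as __user only under KERNEL_DS */` on the line before `sock_getsockopt`, so that moving the call outside the `set_fs` pair is recognised as a bug. The three ioctl wrappers in net/ipv4/ipconfig.c rely on the same pairing with `set_fs(get_ds())`. do_get_sock_timeout starts and ends outside this hunk.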
77254 @@ -570,7 +570,7 @@ int compat_mc_setsockopt(struct sock *so
77255 case MCAST_JOIN_GROUP:
77256 case MCAST_LEAVE_GROUP:
77257 {
77258 - struct compat_group_req __user *gr32 = (void *)optval;
77259 + struct compat_group_req __user *gr32 = (void __user *)optval;
77260 struct group_req __user *kgr =
77261 compat_alloc_user_space(sizeof(struct group_req));
77262 u32 interface;
77263 @@ -591,7 +591,7 @@ int compat_mc_setsockopt(struct sock *so
77264 case MCAST_BLOCK_SOURCE:
77265 case MCAST_UNBLOCK_SOURCE:
77266 {
77267 - struct compat_group_source_req __user *gsr32 = (void *)optval;
77268 + struct compat_group_source_req __user *gsr32 = (void __user *)optval;
77269 struct group_source_req __user *kgsr = compat_alloc_user_space(
77270 sizeof(struct group_source_req));
77271 u32 interface;
77272 @@ -612,7 +612,7 @@ int compat_mc_setsockopt(struct sock *so
77273 }
77274 case MCAST_MSFILTER:
77275 {
77276 - struct compat_group_filter __user *gf32 = (void *)optval;
77277 + struct compat_group_filter __user *gf32 = (void __user *)optval;
77278 struct group_filter __user *kgf;
77279 u32 interface, fmode, numsrc;
77280
77281 diff -urNp linux-2.6.32.49/net/core/dev.c linux-2.6.32.49/net/core/dev.c
77282 --- linux-2.6.32.49/net/core/dev.c 2011-11-08 19:02:43.000000000 -0500
77283 +++ linux-2.6.32.49/net/core/dev.c 2011-11-15 19:59:43.000000000 -0500
77284 @@ -1047,10 +1047,14 @@ void dev_load(struct net *net, const cha
77285 if (no_module && capable(CAP_NET_ADMIN))
77286 no_module = request_module("netdev-%s", name);
77287 if (no_module && capable(CAP_SYS_MODULE)) {
77288 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
77289 + ___request_module(true, "grsec_modharden_netdev", "%s", name);
77290 +#else
77291 if (!request_module("%s", name))
77292 pr_err("Loading kernel module for a network device "
77293 "with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%s "
77294 "instead\n", name);
77295 +#endif
77296 }
77297 }
77298 EXPORT_SYMBOL(dev_load);
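Review bot: In the CONFIG_GRKERNSEC_MODHARDEN branch the result of `___request_module()` is discarded and the deprecation `pr_err` of the `#else` branch is never reached, so unless `___request_module` logs on its own, nothing records that a caller holding only CAP_SYS_MODULE asked for a device module by name. If the silence is intended, a comment such as `/* tagged request; deprecation warning intentionally omitted */` should say so. Otherwise test the return value as the `#else` branch does. `___request_module` is defined outside this chunk, so its return convention needs confirming before reusing the `!` test.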
77299 @@ -1654,7 +1658,7 @@ static inline int illegal_highdma(struct
77300
77301 struct dev_gso_cb {
77302 void (*destructor)(struct sk_buff *skb);
77303 -};
77304 +} __no_const;
77305
77306 #define DEV_GSO_CB(skb) ((struct dev_gso_cb *)(skb)->cb)
77307
77308 @@ -2063,7 +2067,7 @@ int netif_rx_ni(struct sk_buff *skb)
77309 }
77310 EXPORT_SYMBOL(netif_rx_ni);
77311
77312 -static void net_tx_action(struct softirq_action *h)
77313 +static void net_tx_action(void)
77314 {
77315 struct softnet_data *sd = &__get_cpu_var(softnet_data);
77316
77317 @@ -2826,7 +2830,7 @@ void netif_napi_del(struct napi_struct *
77318 EXPORT_SYMBOL(netif_napi_del);
77319
77320
77321 -static void net_rx_action(struct softirq_action *h)
77322 +static void net_rx_action(void)
77323 {
77324 struct list_head *list = &__get_cpu_var(softnet_data).poll_list;
77325 unsigned long time_limit = jiffies + 2;
77326 diff -urNp linux-2.6.32.49/net/core/flow.c linux-2.6.32.49/net/core/flow.c
77327 --- linux-2.6.32.49/net/core/flow.c 2011-11-08 19:02:43.000000000 -0500
77328 +++ linux-2.6.32.49/net/core/flow.c 2011-11-15 19:59:43.000000000 -0500
77329 @@ -35,11 +35,11 @@ struct flow_cache_entry {
77330 atomic_t *object_ref;
77331 };
77332
77333 -atomic_t flow_cache_genid = ATOMIC_INIT(0);
77334 +atomic_unchecked_t flow_cache_genid = ATOMIC_INIT(0);
77335
77336 static u32 flow_hash_shift;
77337 #define flow_hash_size (1 << flow_hash_shift)
77338 -static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables) = { NULL };
77339 +static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables);
77340
77341 #define flow_table(cpu) (per_cpu(flow_tables, cpu))
77342
77343 @@ -52,7 +52,7 @@ struct flow_percpu_info {
77344 u32 hash_rnd;
77345 int count;
77346 };
77347 -static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info) = { 0 };
77348 +static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info);
77349
77350 #define flow_hash_rnd_recalc(cpu) \
77351 (per_cpu(flow_hash_info, cpu).hash_rnd_recalc)
77352 @@ -69,7 +69,7 @@ struct flow_flush_info {
77353 atomic_t cpuleft;
77354 struct completion completion;
77355 };
77356 -static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets) = { NULL };
77357 +static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets);
77358
77359 #define flow_flush_tasklet(cpu) (&per_cpu(flow_flush_tasklets, cpu))
77360
77361 @@ -190,7 +190,7 @@ void *flow_cache_lookup(struct net *net,
77362 if (fle->family == family &&
77363 fle->dir == dir &&
77364 flow_key_compare(key, &fle->key) == 0) {
77365 - if (fle->genid == atomic_read(&flow_cache_genid)) {
77366 + if (fle->genid == atomic_read_unchecked(&flow_cache_genid)) {
77367 void *ret = fle->object;
77368
77369 if (ret)
77370 @@ -228,7 +228,7 @@ nocache:
77371 err = resolver(net, key, family, dir, &obj, &obj_ref);
77372
77373 if (fle && !err) {
77374 - fle->genid = atomic_read(&flow_cache_genid);
77375 + fle->genid = atomic_read_unchecked(&flow_cache_genid);
77376
77377 if (fle->object)
77378 atomic_dec(fle->object_ref);
77379 @@ -258,7 +258,7 @@ static void flow_cache_flush_tasklet(uns
77380
77381 fle = flow_table(cpu)[i];
77382 for (; fle; fle = fle->next) {
77383 - unsigned genid = atomic_read(&flow_cache_genid);
77384 + unsigned genid = atomic_read_unchecked(&flow_cache_genid);
77385
77386 if (!fle->object || fle->genid == genid)
77387 continue;
77388 diff -urNp linux-2.6.32.49/net/core/rtnetlink.c linux-2.6.32.49/net/core/rtnetlink.c
77389 --- linux-2.6.32.49/net/core/rtnetlink.c 2011-11-08 19:02:43.000000000 -0500
77390 +++ linux-2.6.32.49/net/core/rtnetlink.c 2011-11-15 19:59:43.000000000 -0500
77391 @@ -57,7 +57,7 @@ struct rtnl_link
77392 {
77393 rtnl_doit_func doit;
77394 rtnl_dumpit_func dumpit;
77395 -};
77396 +} __no_const;
77397
77398 static DEFINE_MUTEX(rtnl_mutex);
77399
77400 diff -urNp linux-2.6.32.49/net/core/scm.c linux-2.6.32.49/net/core/scm.c
77401 --- linux-2.6.32.49/net/core/scm.c 2011-11-08 19:02:43.000000000 -0500
77402 +++ linux-2.6.32.49/net/core/scm.c 2011-11-15 19:59:43.000000000 -0500
77403 @@ -191,7 +191,7 @@ error:
77404 int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
77405 {
77406 struct cmsghdr __user *cm
77407 - = (__force struct cmsghdr __user *)msg->msg_control;
77408 + = (struct cmsghdr __force_user *)msg->msg_control;
77409 struct cmsghdr cmhdr;
77410 int cmlen = CMSG_LEN(len);
77411 int err;
77412 @@ -214,7 +214,7 @@ int put_cmsg(struct msghdr * msg, int le
77413 err = -EFAULT;
77414 if (copy_to_user(cm, &cmhdr, sizeof cmhdr))
77415 goto out;
77416 - if (copy_to_user(CMSG_DATA(cm), data, cmlen - sizeof(struct cmsghdr)))
77417 + if (copy_to_user((void __force_user *)CMSG_DATA((void __force_kernel *)cm), data, cmlen - sizeof(struct cmsghdr)))
77418 goto out;
77419 cmlen = CMSG_SPACE(len);
77420 if (msg->msg_controllen < cmlen)
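Review bot: `(void __force_user *)CMSG_DATA((void __force_kernel *)cm)` switches address space twice inside one argument just to reuse `CMSG_DATA`, and the resulting `copy_to_user` line no longer shows at a glance which pointer is written. A named local keeps the intent readable: `void __user *cm_data = (void __force_user *)CMSG_DATA((void __force_kernel *)cm);` followed by `if (copy_to_user(cm_data, data, cmlen - sizeof(struct cmsghdr)))`. scm_detach_fds() in the last hunk of this file uses the same double cast in its `for` initialiser. put_cmsg's declarations are in the previous hunk and its tail is outside this one.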
77421 @@ -229,7 +229,7 @@ out:
77422 void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
77423 {
77424 struct cmsghdr __user *cm
77425 - = (__force struct cmsghdr __user*)msg->msg_control;
77426 + = (struct cmsghdr __force_user *)msg->msg_control;
77427
77428 int fdmax = 0;
77429 int fdnum = scm->fp->count;
77430 @@ -249,7 +249,7 @@ void scm_detach_fds(struct msghdr *msg,
77431 if (fdnum < fdmax)
77432 fdmax = fdnum;
77433
77434 - for (i=0, cmfptr=(__force int __user *)CMSG_DATA(cm); i<fdmax;
77435 + for (i=0, cmfptr=(int __force_user *)CMSG_DATA((void __force_kernel *)cm); i<fdmax;
77436 i++, cmfptr++)
77437 {
77438 int new_fd;
77439 diff -urNp linux-2.6.32.49/net/core/secure_seq.c linux-2.6.32.49/net/core/secure_seq.c
77440 --- linux-2.6.32.49/net/core/secure_seq.c 2011-11-08 19:02:43.000000000 -0500
77441 +++ linux-2.6.32.49/net/core/secure_seq.c 2011-11-15 19:59:43.000000000 -0500
77442 @@ -57,7 +57,7 @@ __u32 secure_tcpv6_sequence_number(__be3
77443 EXPORT_SYMBOL(secure_tcpv6_sequence_number);
77444
77445 u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
77446 - __be16 dport)
77447 + __be16 dport)
77448 {
77449 u32 secret[MD5_MESSAGE_BYTES / 4];
77450 u32 hash[MD5_DIGEST_WORDS];
77451 @@ -71,7 +71,6 @@ u32 secure_ipv6_port_ephemeral(const __b
77452 secret[i] = net_secret[i];
77453
77454 md5_transform(hash, secret);
77455 -
77456 return hash[0];
77457 }
77458 #endif
77459 diff -urNp linux-2.6.32.49/net/core/skbuff.c linux-2.6.32.49/net/core/skbuff.c
77460 --- linux-2.6.32.49/net/core/skbuff.c 2011-11-08 19:02:43.000000000 -0500
77461 +++ linux-2.6.32.49/net/core/skbuff.c 2011-11-15 19:59:43.000000000 -0500
77462 @@ -1544,6 +1544,8 @@ int skb_splice_bits(struct sk_buff *skb,
77463 struct sk_buff *frag_iter;
77464 struct sock *sk = skb->sk;
77465
77466 + pax_track_stack();
77467 +
77468 /*
77469 * __skb_splice_bits() only fails if the output has no room left,
77470 * so no point in going over the frag_list for the error case.
77471 diff -urNp linux-2.6.32.49/net/core/sock.c linux-2.6.32.49/net/core/sock.c
77472 --- linux-2.6.32.49/net/core/sock.c 2011-11-08 19:02:43.000000000 -0500
77473 +++ linux-2.6.32.49/net/core/sock.c 2011-11-15 19:59:43.000000000 -0500
77474 @@ -864,11 +864,15 @@ int sock_getsockopt(struct socket *sock,
77475 break;
77476
77477 case SO_PEERCRED:
77478 + {
77479 + struct ucred peercred;
77480 if (len > sizeof(sk->sk_peercred))
77481 len = sizeof(sk->sk_peercred);
77482 - if (copy_to_user(optval, &sk->sk_peercred, len))
77483 + peercred = sk->sk_peercred;
77484 + if (copy_to_user(optval, &peercred, len))
77485 return -EFAULT;
77486 goto lenout;
77487 + }
77488
77489 case SO_PEERNAME:
77490 {
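Review bot: The length clamp still uses `sizeof(sk->sk_peercred)` while the copy source is now the local `peercred`. Writing the bound against the local, `if (len > sizeof(peercred)) len = sizeof(peercred);`, ties the limit to the object `copy_to_user` actually reads, so a later type change on either side cannot let the copy run past the stack copy. A short comment on why the socket field is bounced through the stack would also help, since the reason is not visible in this hunk. The enclosing switch in sock_getsockopt begins and continues outside the hunk.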
77491 @@ -1892,7 +1896,7 @@ void sock_init_data(struct socket *sock,
77492 */
77493 smp_wmb();
77494 atomic_set(&sk->sk_refcnt, 1);
77495 - atomic_set(&sk->sk_drops, 0);
77496 + atomic_set_unchecked(&sk->sk_drops, 0);
77497 }
77498 EXPORT_SYMBOL(sock_init_data);
77499
77500 diff -urNp linux-2.6.32.49/net/decnet/sysctl_net_decnet.c linux-2.6.32.49/net/decnet/sysctl_net_decnet.c
77501 --- linux-2.6.32.49/net/decnet/sysctl_net_decnet.c 2011-11-08 19:02:43.000000000 -0500
77502 +++ linux-2.6.32.49/net/decnet/sysctl_net_decnet.c 2011-11-15 19:59:43.000000000 -0500
77503 @@ -206,7 +206,7 @@ static int dn_node_address_handler(ctl_t
77504
77505 if (len > *lenp) len = *lenp;
77506
77507 - if (copy_to_user(buffer, addr, len))
77508 + if (len > sizeof addr || copy_to_user(buffer, addr, len))
77509 return -EFAULT;
77510
77511 *lenp = len;
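Review bot: `len > sizeof addr` bounds the copy only if `addr` is an array in this function. Its declaration is outside the hunk, and for a pointer the comparison would be against the pointer size instead of the buffer size. The check also reports an over-long length as -EFAULT, the same code a bad user buffer produces, so the two causes cannot be told apart by the caller. A comment such as `/* never copy more than the local buffer holds */` would record the intent. The same form is applied to `devname` in dn_def_dev_handler in the next hunk.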
77512 @@ -327,7 +327,7 @@ static int dn_def_dev_handler(ctl_table
77513
77514 if (len > *lenp) len = *lenp;
77515
77516 - if (copy_to_user(buffer, devname, len))
77517 + if (len > sizeof devname || copy_to_user(buffer, devname, len))
77518 return -EFAULT;
77519
77520 *lenp = len;
77521 diff -urNp linux-2.6.32.49/net/econet/Kconfig linux-2.6.32.49/net/econet/Kconfig
77522 --- linux-2.6.32.49/net/econet/Kconfig 2011-11-08 19:02:43.000000000 -0500
77523 +++ linux-2.6.32.49/net/econet/Kconfig 2011-11-15 19:59:43.000000000 -0500
77524 @@ -4,7 +4,7 @@
77525
77526 config ECONET
77527 tristate "Acorn Econet/AUN protocols (EXPERIMENTAL)"
77528 - depends on EXPERIMENTAL && INET
77529 + depends on EXPERIMENTAL && INET && BROKEN
77530 ---help---
77531 Econet is a fairly old and slow networking protocol mainly used by
77532 Acorn computers to access file and print servers. It uses native
77533 diff -urNp linux-2.6.32.49/net/ieee802154/dgram.c linux-2.6.32.49/net/ieee802154/dgram.c
77534 --- linux-2.6.32.49/net/ieee802154/dgram.c 2011-11-08 19:02:43.000000000 -0500
77535 +++ linux-2.6.32.49/net/ieee802154/dgram.c 2011-11-15 19:59:43.000000000 -0500
77536 @@ -318,7 +318,7 @@ out:
77537 static int dgram_rcv_skb(struct sock *sk, struct sk_buff *skb)
77538 {
77539 if (sock_queue_rcv_skb(sk, skb) < 0) {
77540 - atomic_inc(&sk->sk_drops);
77541 + atomic_inc_unchecked(&sk->sk_drops);
77542 kfree_skb(skb);
77543 return NET_RX_DROP;
77544 }
77545 diff -urNp linux-2.6.32.49/net/ieee802154/raw.c linux-2.6.32.49/net/ieee802154/raw.c
77546 --- linux-2.6.32.49/net/ieee802154/raw.c 2011-11-08 19:02:43.000000000 -0500
77547 +++ linux-2.6.32.49/net/ieee802154/raw.c 2011-11-15 19:59:43.000000000 -0500
77548 @@ -206,7 +206,7 @@ out:
77549 static int raw_rcv_skb(struct sock *sk, struct sk_buff *skb)
77550 {
77551 if (sock_queue_rcv_skb(sk, skb) < 0) {
77552 - atomic_inc(&sk->sk_drops);
77553 + atomic_inc_unchecked(&sk->sk_drops);
77554 kfree_skb(skb);
77555 return NET_RX_DROP;
77556 }
77557 diff -urNp linux-2.6.32.49/net/ipv4/inet_diag.c linux-2.6.32.49/net/ipv4/inet_diag.c
77558 --- linux-2.6.32.49/net/ipv4/inet_diag.c 2011-11-08 19:02:43.000000000 -0500
77559 +++ linux-2.6.32.49/net/ipv4/inet_diag.c 2011-11-15 19:59:43.000000000 -0500
77560 @@ -113,8 +113,13 @@ static int inet_csk_diag_fill(struct soc
77561 r->idiag_retrans = 0;
77562
77563 r->id.idiag_if = sk->sk_bound_dev_if;
77564 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77565 + r->id.idiag_cookie[0] = 0;
77566 + r->id.idiag_cookie[1] = 0;
77567 +#else
77568 r->id.idiag_cookie[0] = (u32)(unsigned long)sk;
77569 r->id.idiag_cookie[1] = (u32)(((unsigned long)sk >> 31) >> 1);
77570 +#endif
77571
77572 r->id.idiag_sport = inet->sport;
77573 r->id.idiag_dport = inet->dport;
77574 @@ -200,8 +205,15 @@ static int inet_twsk_diag_fill(struct in
77575 r->idiag_family = tw->tw_family;
77576 r->idiag_retrans = 0;
77577 r->id.idiag_if = tw->tw_bound_dev_if;
77578 +
77579 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77580 + r->id.idiag_cookie[0] = 0;
77581 + r->id.idiag_cookie[1] = 0;
77582 +#else
77583 r->id.idiag_cookie[0] = (u32)(unsigned long)tw;
77584 r->id.idiag_cookie[1] = (u32)(((unsigned long)tw >> 31) >> 1);
77585 +#endif
77586 +
77587 r->id.idiag_sport = tw->tw_sport;
77588 r->id.idiag_dport = tw->tw_dport;
77589 r->id.idiag_src[0] = tw->tw_rcv_saddr;
77590 @@ -284,12 +296,14 @@ static int inet_diag_get_exact(struct sk
77591 if (sk == NULL)
77592 goto unlock;
77593
77594 +#ifndef CONFIG_GRKERNSEC_HIDESYM
77595 err = -ESTALE;
77596 if ((req->id.idiag_cookie[0] != INET_DIAG_NOCOOKIE ||
77597 req->id.idiag_cookie[1] != INET_DIAG_NOCOOKIE) &&
77598 ((u32)(unsigned long)sk != req->id.idiag_cookie[0] ||
77599 (u32)((((unsigned long)sk) >> 31) >> 1) != req->id.idiag_cookie[1]))
77600 goto out;
77601 +#endif
77602
77603 err = -ENOMEM;
77604 rep = alloc_skb(NLMSG_SPACE((sizeof(struct inet_diag_msg) +
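Review bot: With CONFIG_GRKERNSEC_HIDESYM the whole cookie comparison is compiled out, so a request that carries a cookie is answered for whichever socket the lookup above returned and the -ESTALE result can no longer occur. That is consistent with the fill functions in this file now reporting zero cookies, but the block carries no comment explaining the trade-off. Suggest `/* HIDESYM: cookies are derived from the socket address and reported as 0, so they cannot be validated */` above the `#ifndef`. inet_diag_get_exact starts and ends outside the hunk.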
77605 @@ -579,8 +593,14 @@ static int inet_diag_fill_req(struct sk_
77606 r->idiag_retrans = req->retrans;
77607
77608 r->id.idiag_if = sk->sk_bound_dev_if;
77609 +
77610 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77611 + r->id.idiag_cookie[0] = 0;
77612 + r->id.idiag_cookie[1] = 0;
77613 +#else
77614 r->id.idiag_cookie[0] = (u32)(unsigned long)req;
77615 r->id.idiag_cookie[1] = (u32)(((unsigned long)req >> 31) >> 1);
77616 +#endif
77617
77618 tmo = req->expires - jiffies;
77619 if (tmo < 0)
77620 diff -urNp linux-2.6.32.49/net/ipv4/inet_hashtables.c linux-2.6.32.49/net/ipv4/inet_hashtables.c
77621 --- linux-2.6.32.49/net/ipv4/inet_hashtables.c 2011-11-08 19:02:43.000000000 -0500
77622 +++ linux-2.6.32.49/net/ipv4/inet_hashtables.c 2011-11-15 19:59:43.000000000 -0500
77623 @@ -18,12 +18,15 @@
77624 #include <linux/sched.h>
77625 #include <linux/slab.h>
77626 #include <linux/wait.h>
77627 +#include <linux/security.h>
77628
77629 #include <net/inet_connection_sock.h>
77630 #include <net/inet_hashtables.h>
77631 #include <net/secure_seq.h>
77632 #include <net/ip.h>
77633
77634 +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
77635 +
77636 /*
77637 * Allocate and initialize a new local port bind bucket.
77638 * The bindhash mutex for snum's hash chain must be held here.
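Review bot: The prototype for `gr_update_task_in_ip_table()` is written with `extern` directly in this .c file, so the compiler cannot check it against the definition and a later signature change would go unnoticed at this call site. Declaring it in a header that the defining file also includes removes that risk; the definition is not visible in this chunk, so the choice of header is left to the author. The added `#include <linux/security.h>` is not obviously required by the visible hunks of this file and deserves a word of explanation if it is.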
77639 @@ -491,6 +494,8 @@ ok:
77640 }
77641 spin_unlock(&head->lock);
77642
77643 + gr_update_task_in_ip_table(current, inet_sk(sk));
77644 +
77645 if (tw) {
77646 inet_twsk_deschedule(tw, death_row);
77647 inet_twsk_put(tw);
77648 diff -urNp linux-2.6.32.49/net/ipv4/inetpeer.c linux-2.6.32.49/net/ipv4/inetpeer.c
77649 --- linux-2.6.32.49/net/ipv4/inetpeer.c 2011-11-08 19:02:43.000000000 -0500
77650 +++ linux-2.6.32.49/net/ipv4/inetpeer.c 2011-11-15 19:59:43.000000000 -0500
77651 @@ -367,6 +367,8 @@ struct inet_peer *inet_getpeer(__be32 da
77652 struct inet_peer *p, *n;
77653 struct inet_peer **stack[PEER_MAXDEPTH], ***stackptr;
77654
77655 + pax_track_stack();
77656 +
77657 /* Look up for the address quickly. */
77658 read_lock_bh(&peer_pool_lock);
77659 p = lookup(daddr, NULL);
77660 @@ -390,7 +392,7 @@ struct inet_peer *inet_getpeer(__be32 da
77661 return NULL;
77662 n->v4daddr = daddr;
77663 atomic_set(&n->refcnt, 1);
77664 - atomic_set(&n->rid, 0);
77665 + atomic_set_unchecked(&n->rid, 0);
77666 n->ip_id_count = secure_ip_id(daddr);
77667 n->tcp_ts_stamp = 0;
77668
77669 diff -urNp linux-2.6.32.49/net/ipv4/ipconfig.c linux-2.6.32.49/net/ipv4/ipconfig.c
77670 --- linux-2.6.32.49/net/ipv4/ipconfig.c 2011-11-08 19:02:43.000000000 -0500
77671 +++ linux-2.6.32.49/net/ipv4/ipconfig.c 2011-11-15 19:59:43.000000000 -0500
77672 @@ -295,7 +295,7 @@ static int __init ic_devinet_ioctl(unsig
77673
77674 mm_segment_t oldfs = get_fs();
77675 set_fs(get_ds());
77676 - res = devinet_ioctl(&init_net, cmd, (struct ifreq __user *) arg);
77677 + res = devinet_ioctl(&init_net, cmd, (struct ifreq __force_user *) arg);
77678 set_fs(oldfs);
77679 return res;
77680 }
77681 @@ -306,7 +306,7 @@ static int __init ic_dev_ioctl(unsigned
77682
77683 mm_segment_t oldfs = get_fs();
77684 set_fs(get_ds());
77685 - res = dev_ioctl(&init_net, cmd, (struct ifreq __user *) arg);
77686 + res = dev_ioctl(&init_net, cmd, (struct ifreq __force_user *) arg);
77687 set_fs(oldfs);
77688 return res;
77689 }
77690 @@ -317,7 +317,7 @@ static int __init ic_route_ioctl(unsigne
77691
77692 mm_segment_t oldfs = get_fs();
77693 set_fs(get_ds());
77694 - res = ip_rt_ioctl(&init_net, cmd, (void __user *) arg);
77695 + res = ip_rt_ioctl(&init_net, cmd, (void __force_user *) arg);
77696 set_fs(oldfs);
77697 return res;
77698 }
77699 diff -urNp linux-2.6.32.49/net/ipv4/ip_fragment.c linux-2.6.32.49/net/ipv4/ip_fragment.c
77700 --- linux-2.6.32.49/net/ipv4/ip_fragment.c 2011-11-08 19:02:43.000000000 -0500
77701 +++ linux-2.6.32.49/net/ipv4/ip_fragment.c 2011-11-15 19:59:43.000000000 -0500
77702 @@ -255,7 +255,7 @@ static inline int ip_frag_too_far(struct
77703 return 0;
77704
77705 start = qp->rid;
77706 - end = atomic_inc_return(&peer->rid);
77707 + end = atomic_inc_return_unchecked(&peer->rid);
77708 qp->rid = end;
77709
77710 rc = qp->q.fragments && (end - start) > max;
77711 diff -urNp linux-2.6.32.49/net/ipv4/ip_sockglue.c linux-2.6.32.49/net/ipv4/ip_sockglue.c
77712 --- linux-2.6.32.49/net/ipv4/ip_sockglue.c 2011-11-08 19:02:43.000000000 -0500
77713 +++ linux-2.6.32.49/net/ipv4/ip_sockglue.c 2011-11-15 19:59:43.000000000 -0500
77714 @@ -1015,6 +1015,8 @@ static int do_ip_getsockopt(struct sock
77715 int val;
77716 int len;
77717
77718 + pax_track_stack();
77719 +
77720 if (level != SOL_IP)
77721 return -EOPNOTSUPP;
77722
77723 @@ -1173,7 +1175,7 @@ static int do_ip_getsockopt(struct sock
77724 if (sk->sk_type != SOCK_STREAM)
77725 return -ENOPROTOOPT;
77726
77727 - msg.msg_control = optval;
77728 + msg.msg_control = (void __force_kernel *)optval;
77729 msg.msg_controllen = len;
77730 msg.msg_flags = 0;
77731
77732 diff -urNp linux-2.6.32.49/net/ipv4/netfilter/arp_tables.c linux-2.6.32.49/net/ipv4/netfilter/arp_tables.c
77733 --- linux-2.6.32.49/net/ipv4/netfilter/arp_tables.c 2011-11-08 19:02:43.000000000 -0500
77734 +++ linux-2.6.32.49/net/ipv4/netfilter/arp_tables.c 2011-11-15 19:59:43.000000000 -0500
77735 @@ -934,6 +934,7 @@ static int get_info(struct net *net, voi
77736 private = &tmp;
77737 }
77738 #endif
77739 + memset(&info, 0, sizeof(info));
77740 info.valid_hooks = t->valid_hooks;
77741 memcpy(info.hook_entry, private->hook_entry,
77742 sizeof(info.hook_entry));
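Review bot: The added `memset` carries no comment, and because the fields visible below it are assigned immediately afterwards it reads as redundant and is a likely target for removal in a later cleanup. Suggest `/* clear padding and unused bytes: info is copied to userspace */` above it. The copy to the caller is outside this hunk, so that should be confirmed before settling the wording. The identical line added to get_info() in net/ipv4/netfilter/ip_tables.c wants the same comment.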
77743 diff -urNp linux-2.6.32.49/net/ipv4/netfilter/ip_queue.c linux-2.6.32.49/net/ipv4/netfilter/ip_queue.c
77744 --- linux-2.6.32.49/net/ipv4/netfilter/ip_queue.c 2011-11-08 19:02:43.000000000 -0500
77745 +++ linux-2.6.32.49/net/ipv4/netfilter/ip_queue.c 2011-11-15 19:59:43.000000000 -0500
77746 @@ -286,6 +286,9 @@ ipq_mangle_ipv4(ipq_verdict_msg_t *v, st
77747
77748 if (v->data_len < sizeof(*user_iph))
77749 return 0;
77750 + if (v->data_len > 65535)
77751 + return -EMSGSIZE;
77752 +
77753 diff = v->data_len - e->skb->len;
77754 if (diff < 0) {
77755 if (pskb_trim(e->skb, v->data_len))
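Review bot: The new upper bound uses the bare literal `65535` and returns -EMSGSIZE, while the lower-bound check just above returns 0 for a `data_len` that is too small, so two rejections of a bad length are reported differently to the caller. A comment such as `/* larger than any IPv4 datagram */` or a named constant would explain the number, and the differing return values deserve a sentence if they are intended. The bound also keeps the `diff` subtraction on the following line within range, assuming `diff` is a signed int declared outside the hunk. ipq_mangle_ipv4 continues past the end of the hunk.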
77756 @@ -409,7 +412,8 @@ ipq_dev_drop(int ifindex)
77757 static inline void
77758 __ipq_rcv_skb(struct sk_buff *skb)
77759 {
77760 - int status, type, pid, flags, nlmsglen, skblen;
77761 + int status, type, pid, flags;
77762 + unsigned int nlmsglen, skblen;
77763 struct nlmsghdr *nlh;
77764
77765 skblen = skb->len;
77766 diff -urNp linux-2.6.32.49/net/ipv4/netfilter/ip_tables.c linux-2.6.32.49/net/ipv4/netfilter/ip_tables.c
77767 --- linux-2.6.32.49/net/ipv4/netfilter/ip_tables.c 2011-11-08 19:02:43.000000000 -0500
77768 +++ linux-2.6.32.49/net/ipv4/netfilter/ip_tables.c 2011-11-15 19:59:43.000000000 -0500
77769 @@ -1141,6 +1141,7 @@ static int get_info(struct net *net, voi
77770 private = &tmp;
77771 }
77772 #endif
77773 + memset(&info, 0, sizeof(info));
77774 info.valid_hooks = t->valid_hooks;
77775 memcpy(info.hook_entry, private->hook_entry,
77776 sizeof(info.hook_entry));
77777 diff -urNp linux-2.6.32.49/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.32.49/net/ipv4/netfilter/nf_nat_snmp_basic.c
77778 --- linux-2.6.32.49/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-11-08 19:02:43.000000000 -0500
77779 +++ linux-2.6.32.49/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-11-15 19:59:43.000000000 -0500
77780 @@ -397,7 +397,7 @@ static unsigned char asn1_octets_decode(
77781
77782 *len = 0;
77783
77784 - *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
77785 + *octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
77786 if (*octets == NULL) {
77787 if (net_ratelimit())
77788 printk("OOM in bsalg (%d)\n", __LINE__);
77789 diff -urNp linux-2.6.32.49/net/ipv4/raw.c linux-2.6.32.49/net/ipv4/raw.c
77790 --- linux-2.6.32.49/net/ipv4/raw.c 2011-11-08 19:02:43.000000000 -0500
77791 +++ linux-2.6.32.49/net/ipv4/raw.c 2011-11-15 19:59:43.000000000 -0500
77792 @@ -292,7 +292,7 @@ static int raw_rcv_skb(struct sock * sk,
77793 /* Charge it to the socket. */
77794
77795 if (sock_queue_rcv_skb(sk, skb) < 0) {
77796 - atomic_inc(&sk->sk_drops);
77797 + atomic_inc_unchecked(&sk->sk_drops);
77798 kfree_skb(skb);
77799 return NET_RX_DROP;
77800 }
77801 @@ -303,7 +303,7 @@ static int raw_rcv_skb(struct sock * sk,
77802 int raw_rcv(struct sock *sk, struct sk_buff *skb)
77803 {
77804 if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) {
77805 - atomic_inc(&sk->sk_drops);
77806 + atomic_inc_unchecked(&sk->sk_drops);
77807 kfree_skb(skb);
77808 return NET_RX_DROP;
77809 }
77810 @@ -724,16 +724,23 @@ static int raw_init(struct sock *sk)
77811
77812 static int raw_seticmpfilter(struct sock *sk, char __user *optval, int optlen)
77813 {
77814 + struct icmp_filter filter;
77815 +
77816 + if (optlen < 0)
77817 + return -EINVAL;
77818 if (optlen > sizeof(struct icmp_filter))
77819 optlen = sizeof(struct icmp_filter);
77820 - if (copy_from_user(&raw_sk(sk)->filter, optval, optlen))
77821 + if (copy_from_user(&filter, optval, optlen))
77822 return -EFAULT;
77823 + raw_sk(sk)->filter = filter;
77824 +
77825 return 0;
77826 }
77827
77828 static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *optlen)
77829 {
77830 int len, ret = -EFAULT;
77831 + struct icmp_filter filter;
77832
77833 if (get_user(len, optlen))
77834 goto out;
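Review bot: `filter` in raw_seticmpfilter is an uninitialised stack variable, and when `optlen` is smaller than `sizeof(struct icmp_filter)` the `copy_from_user` fills only its first `optlen` bytes before the whole struct is assigned to `raw_sk(sk)->filter`. The remaining bytes of the socket's filter then hold leftover stack contents, whereas the removed code left them unchanged, and raw_geticmpfilter() copies that filter back to the caller. Initialising from the current value keeps the old partial-update behaviour: `struct icmp_filter filter = raw_sk(sk)->filter;`. raw_geticmpfilter's body continues in the next hunk.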
77835 @@ -743,8 +750,9 @@ static int raw_geticmpfilter(struct sock
77836 if (len > sizeof(struct icmp_filter))
77837 len = sizeof(struct icmp_filter);
77838 ret = -EFAULT;
77839 - if (put_user(len, optlen) ||
77840 - copy_to_user(optval, &raw_sk(sk)->filter, len))
77841 + filter = raw_sk(sk)->filter;
77842 + if (put_user(len, optlen) || len > sizeof filter ||
77843 + copy_to_user(optval, &filter, len))
77844 goto out;
77845 ret = 0;
77846 out: return ret;
77847 @@ -954,7 +962,13 @@ static void raw_sock_seq_show(struct seq
77848 sk_wmem_alloc_get(sp),
77849 sk_rmem_alloc_get(sp),
77850 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
77851 - atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
77852 + atomic_read(&sp->sk_refcnt),
77853 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77854 + NULL,
77855 +#else
77856 + sp,
77857 +#endif
77858 + atomic_read_unchecked(&sp->sk_drops));
77859 }
77860
77861 static int raw_seq_show(struct seq_file *seq, void *v)
77862 diff -urNp linux-2.6.32.49/net/ipv4/route.c linux-2.6.32.49/net/ipv4/route.c
77863 --- linux-2.6.32.49/net/ipv4/route.c 2011-11-08 19:02:43.000000000 -0500
77864 +++ linux-2.6.32.49/net/ipv4/route.c 2011-11-15 19:59:43.000000000 -0500
77865 @@ -269,7 +269,7 @@ static inline unsigned int rt_hash(__be3
77866
77867 static inline int rt_genid(struct net *net)
77868 {
77869 - return atomic_read(&net->ipv4.rt_genid);
77870 + return atomic_read_unchecked(&net->ipv4.rt_genid);
77871 }
77872
77873 #ifdef CONFIG_PROC_FS
77874 @@ -889,7 +889,7 @@ static void rt_cache_invalidate(struct n
77875 unsigned char shuffle;
77876
77877 get_random_bytes(&shuffle, sizeof(shuffle));
77878 - atomic_add(shuffle + 1U, &net->ipv4.rt_genid);
77879 + atomic_add_unchecked(shuffle + 1U, &net->ipv4.rt_genid);
77880 }
77881
77882 /*
77883 @@ -3357,7 +3357,7 @@ static __net_initdata struct pernet_oper
77884
77885 static __net_init int rt_secret_timer_init(struct net *net)
77886 {
77887 - atomic_set(&net->ipv4.rt_genid,
77888 + atomic_set_unchecked(&net->ipv4.rt_genid,
77889 (int) ((num_physpages ^ (num_physpages>>8)) ^
77890 (jiffies ^ (jiffies >> 7))));
77891
77892 diff -urNp linux-2.6.32.49/net/ipv4/tcp.c linux-2.6.32.49/net/ipv4/tcp.c
77893 --- linux-2.6.32.49/net/ipv4/tcp.c 2011-11-08 19:02:43.000000000 -0500
77894 +++ linux-2.6.32.49/net/ipv4/tcp.c 2011-11-15 19:59:43.000000000 -0500
77895 @@ -2085,6 +2085,8 @@ static int do_tcp_setsockopt(struct sock
77896 int val;
77897 int err = 0;
77898
77899 + pax_track_stack();
77900 +
77901 /* This is a string value all the others are int's */
77902 if (optname == TCP_CONGESTION) {
77903 char name[TCP_CA_NAME_MAX];
77904 @@ -2355,6 +2357,8 @@ static int do_tcp_getsockopt(struct sock
77905 struct tcp_sock *tp = tcp_sk(sk);
77906 int val, len;
77907
77908 + pax_track_stack();
77909 +
77910 if (get_user(len, optlen))
77911 return -EFAULT;
77912
77913 diff -urNp linux-2.6.32.49/net/ipv4/tcp_ipv4.c linux-2.6.32.49/net/ipv4/tcp_ipv4.c
77914 --- linux-2.6.32.49/net/ipv4/tcp_ipv4.c 2011-11-08 19:02:43.000000000 -0500
77915 +++ linux-2.6.32.49/net/ipv4/tcp_ipv4.c 2011-11-15 19:59:43.000000000 -0500
77916 @@ -85,6 +85,9 @@
77917 int sysctl_tcp_tw_reuse __read_mostly;
77918 int sysctl_tcp_low_latency __read_mostly;
77919
77920 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77921 +extern int grsec_enable_blackhole;
77922 +#endif
77923
77924 #ifdef CONFIG_TCP_MD5SIG
77925 static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk,
77926 @@ -1543,6 +1546,9 @@ int tcp_v4_do_rcv(struct sock *sk, struc
77927 return 0;
77928
77929 reset:
77930 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77931 + if (!grsec_enable_blackhole)
77932 +#endif
77933 tcp_v4_send_reset(rsk, skb);
77934 discard:
77935 kfree_skb(skb);
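Review bot: The `if (!grsec_enable_blackhole)` added under `reset:` has no braces and its body is the unchanged `tcp_v4_send_reset(rsk, skb);` line outside the #ifdef, so the guard attaches to whatever statement happens to follow the `#endif`. A later insertion between the two lines would silently change which statement is suppressed. A form that does not rely on adjacency is safer, for example a predicate that is always defined (and constant false when the option is off) used as a braced `if` around the call. The same construct is used in tcp_v4_rcv, at `embryonic_reset:` in tcp_minisocks.c (where it stacks on a second unbraced `if`), in __udp4_lib_rcv and in the IPv6 TCP and UDP receive paths. tcp_v4_do_rcv starts outside this hunk.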
77936 @@ -1604,12 +1610,20 @@ int tcp_v4_rcv(struct sk_buff *skb)
77937 TCP_SKB_CB(skb)->sacked = 0;
77938
77939 sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
77940 - if (!sk)
77941 + if (!sk) {
77942 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77943 + ret = 1;
77944 +#endif
77945 goto no_tcp_socket;
77946 + }
77947
77948 process:
77949 - if (sk->sk_state == TCP_TIME_WAIT)
77950 + if (sk->sk_state == TCP_TIME_WAIT) {
77951 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77952 + ret = 2;
77953 +#endif
77954 goto do_time_wait;
77955 + }
77956
77957 if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
77958 goto discard_and_relse;
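Review bot: `ret = 1` and `ret = 2` reuse the function's return-value variable as a marker for which path reached `no_tcp_socket`, and the later `ret == 1` test under that label depends on these bare numbers. Named constants or a dedicated local would make the intent checkable, and a comment at the assignments, e.g. `/* 1: no socket matched, 2: TIME_WAIT socket; read at no_tcp_socket */`, would document it. It is also worth confirming that `ret` is not used as a return code between these assignments and the label; its declaration and other uses are outside this hunk. tcp_v6_rcv carries the same pattern.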
77959 @@ -1651,6 +1665,10 @@ no_tcp_socket:
77960 bad_packet:
77961 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
77962 } else {
77963 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77964 + if (!grsec_enable_blackhole || (ret == 1 &&
77965 + (skb->dev->flags & IFF_LOOPBACK)))
77966 +#endif
77967 tcp_v4_send_reset(NULL, skb);
77968 }
77969
77970 @@ -2238,7 +2256,11 @@ static void get_openreq4(struct sock *sk
77971 0, /* non standard timer */
77972 0, /* open_requests have no inode */
77973 atomic_read(&sk->sk_refcnt),
77974 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77975 + NULL,
77976 +#else
77977 req,
77978 +#endif
77979 len);
77980 }
77981
77982 @@ -2280,7 +2302,12 @@ static void get_tcp4_sock(struct sock *s
77983 sock_i_uid(sk),
77984 icsk->icsk_probes_out,
77985 sock_i_ino(sk),
77986 - atomic_read(&sk->sk_refcnt), sk,
77987 + atomic_read(&sk->sk_refcnt),
77988 +#ifdef CONFIG_GRKERNSEC_HIDESYM
77989 + NULL,
77990 +#else
77991 + sk,
77992 +#endif
77993 jiffies_to_clock_t(icsk->icsk_rto),
77994 jiffies_to_clock_t(icsk->icsk_ack.ato),
77995 (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
77996 @@ -2308,7 +2335,13 @@ static void get_timewait4_sock(struct in
77997 " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p%n",
77998 i, src, srcp, dest, destp, tw->tw_substate, 0, 0,
77999 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
78000 - atomic_read(&tw->tw_refcnt), tw, len);
78001 + atomic_read(&tw->tw_refcnt),
78002 +#ifdef CONFIG_GRKERNSEC_HIDESYM
78003 + NULL,
78004 +#else
78005 + tw,
78006 +#endif
78007 + len);
78008 }
78009
78010 #define TMPSZ 150
78011 diff -urNp linux-2.6.32.49/net/ipv4/tcp_minisocks.c linux-2.6.32.49/net/ipv4/tcp_minisocks.c
78012 --- linux-2.6.32.49/net/ipv4/tcp_minisocks.c 2011-11-08 19:02:43.000000000 -0500
78013 +++ linux-2.6.32.49/net/ipv4/tcp_minisocks.c 2011-11-15 19:59:43.000000000 -0500
78014 @@ -26,6 +26,10 @@
78015 #include <net/inet_common.h>
78016 #include <net/xfrm.h>
78017
78018 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
78019 +extern int grsec_enable_blackhole;
78020 +#endif
78021 +
78022 #ifdef CONFIG_SYSCTL
78023 #define SYNC_INIT 0 /* let the user enable it */
78024 #else
78025 @@ -672,6 +676,10 @@ listen_overflow:
78026
78027 embryonic_reset:
78028 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
78029 +
78030 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
78031 + if (!grsec_enable_blackhole)
78032 +#endif
78033 if (!(flg & TCP_FLAG_RST))
78034 req->rsk_ops->send_reset(sk, skb);
78035
78036 diff -urNp linux-2.6.32.49/net/ipv4/tcp_output.c linux-2.6.32.49/net/ipv4/tcp_output.c
78037 --- linux-2.6.32.49/net/ipv4/tcp_output.c 2011-11-08 19:02:43.000000000 -0500
78038 +++ linux-2.6.32.49/net/ipv4/tcp_output.c 2011-11-15 19:59:43.000000000 -0500
78039 @@ -2234,6 +2234,8 @@ struct sk_buff *tcp_make_synack(struct s
78040 __u8 *md5_hash_location;
78041 int mss;
78042
78043 + pax_track_stack();
78044 +
78045 skb = sock_wmalloc(sk, MAX_TCP_HEADER + 15, 1, GFP_ATOMIC);
78046 if (skb == NULL)
78047 return NULL;
78048 diff -urNp linux-2.6.32.49/net/ipv4/tcp_probe.c linux-2.6.32.49/net/ipv4/tcp_probe.c
78049 --- linux-2.6.32.49/net/ipv4/tcp_probe.c 2011-11-08 19:02:43.000000000 -0500
78050 +++ linux-2.6.32.49/net/ipv4/tcp_probe.c 2011-11-15 19:59:43.000000000 -0500
78051 @@ -200,7 +200,7 @@ static ssize_t tcpprobe_read(struct file
78052 if (cnt + width >= len)
78053 break;
78054
78055 - if (copy_to_user(buf + cnt, tbuf, width))
78056 + if (width > sizeof tbuf || copy_to_user(buf + cnt, tbuf, width))
78057 return -EFAULT;
78058 cnt += width;
78059 }
78060 diff -urNp linux-2.6.32.49/net/ipv4/tcp_timer.c linux-2.6.32.49/net/ipv4/tcp_timer.c
78061 --- linux-2.6.32.49/net/ipv4/tcp_timer.c 2011-11-08 19:02:43.000000000 -0500
78062 +++ linux-2.6.32.49/net/ipv4/tcp_timer.c 2011-11-15 19:59:43.000000000 -0500
78063 @@ -21,6 +21,10 @@
78064 #include <linux/module.h>
78065 #include <net/tcp.h>
78066
78067 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
78068 +extern int grsec_lastack_retries;
78069 +#endif
78070 +
78071 int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
78072 int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
78073 int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
78074 @@ -164,6 +168,13 @@ static int tcp_write_timeout(struct sock
78075 }
78076 }
78077
78078 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
78079 + if ((sk->sk_state == TCP_LAST_ACK) &&
78080 + (grsec_lastack_retries > 0) &&
78081 + (grsec_lastack_retries < retry_until))
78082 + retry_until = grsec_lastack_retries;
78083 +#endif
78084 +
78085 if (retransmits_timed_out(sk, retry_until)) {
78086 /* Has it gone just too far? */
78087 tcp_write_err(sk);
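Review bot: The LAST_ACK clamp is compiled in under CONFIG_GRKERNSEC_BLACKHOLE but is conditioned only on `grsec_lastack_retries > 0`, not on `grsec_enable_blackhole`, unlike the other blackhole hunks in this patch. If that independence is intended, a comment such as `/* bound LAST_ACK retransmits whenever grsec_lastack_retries is non-zero */` would say so. If it is not, the condition probably wants `grsec_enable_blackhole &&` in front. tcp_write_timeout starts outside this hunk, so how `retry_until` was computed is not visible here.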
78088 diff -urNp linux-2.6.32.49/net/ipv4/udp.c linux-2.6.32.49/net/ipv4/udp.c
78089 --- linux-2.6.32.49/net/ipv4/udp.c 2011-11-08 19:02:43.000000000 -0500
78090 +++ linux-2.6.32.49/net/ipv4/udp.c 2011-11-15 19:59:43.000000000 -0500
78091 @@ -86,6 +86,7 @@
78092 #include <linux/types.h>
78093 #include <linux/fcntl.h>
78094 #include <linux/module.h>
78095 +#include <linux/security.h>
78096 #include <linux/socket.h>
78097 #include <linux/sockios.h>
78098 #include <linux/igmp.h>
78099 @@ -106,6 +107,10 @@
78100 #include <net/xfrm.h>
78101 #include "udp_impl.h"
78102
78103 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
78104 +extern int grsec_enable_blackhole;
78105 +#endif
78106 +
78107 struct udp_table udp_table;
78108 EXPORT_SYMBOL(udp_table);
78109
78110 @@ -371,6 +376,9 @@ found:
78111 return s;
78112 }
78113
78114 +extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
78115 +extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
78116 +
78117 /*
78118 * This routine is called by the ICMP module when it gets some
78119 * sort of error condition. If err < 0 then the socket should
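Review bot: `gr_search_udp_recvmsg` and `gr_search_udp_sendmsg` are declared with `extern` in the middle of udp.c, and `grsec_enable_blackhole` and `grsec_lastack_retries` are likewise re-declared in each .c file that uses them. The compiler never compares declarations placed in a .c file with the definition, so a later change of signature or type would still build and link. Moving them into one shared header that the defining file also includes would turn such a mismatch into a compile error.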
78120 @@ -639,9 +647,18 @@ int udp_sendmsg(struct kiocb *iocb, stru
78121 dport = usin->sin_port;
78122 if (dport == 0)
78123 return -EINVAL;
78124 +
78125 + err = gr_search_udp_sendmsg(sk, usin);
78126 + if (err)
78127 + return err;
78128 } else {
78129 if (sk->sk_state != TCP_ESTABLISHED)
78130 return -EDESTADDRREQ;
78131 +
78132 + err = gr_search_udp_sendmsg(sk, NULL);
78133 + if (err)
78134 + return err;
78135 +
78136 daddr = inet->daddr;
78137 dport = inet->dport;
78138 /* Open fast path for connected socket.
78139 @@ -945,6 +962,10 @@ try_again:
78140 if (!skb)
78141 goto out;
78142
78143 + err = gr_search_udp_recvmsg(sk, skb);
78144 + if (err)
78145 + goto out_free;
78146 +
78147 ulen = skb->len - sizeof(struct udphdr);
78148 copied = len;
78149 if (copied > ulen)
78150 @@ -1068,7 +1089,7 @@ static int __udp_queue_rcv_skb(struct so
78151 if (rc == -ENOMEM) {
78152 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS,
78153 is_udplite);
78154 - atomic_inc(&sk->sk_drops);
78155 + atomic_inc_unchecked(&sk->sk_drops);
78156 }
78157 goto drop;
78158 }
78159 @@ -1338,6 +1359,9 @@ int __udp4_lib_rcv(struct sk_buff *skb,
78160 goto csum_error;
78161
78162 UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
78163 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
78164 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
78165 +#endif
78166 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
78167
78168 /*
78169 @@ -1758,8 +1782,13 @@ static void udp4_format_sock(struct sock
78170 sk_wmem_alloc_get(sp),
78171 sk_rmem_alloc_get(sp),
78172 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
78173 - atomic_read(&sp->sk_refcnt), sp,
78174 - atomic_read(&sp->sk_drops), len);
78175 + atomic_read(&sp->sk_refcnt),
78176 +#ifdef CONFIG_GRKERNSEC_HIDESYM
78177 + NULL,
78178 +#else
78179 + sp,
78180 +#endif
78181 + atomic_read_unchecked(&sp->sk_drops), len);
78182 }
78183
78184 int udp4_seq_show(struct seq_file *seq, void *v)
78185 diff -urNp linux-2.6.32.49/net/ipv6/addrconf.c linux-2.6.32.49/net/ipv6/addrconf.c
78186 --- linux-2.6.32.49/net/ipv6/addrconf.c 2011-11-08 19:02:43.000000000 -0500
78187 +++ linux-2.6.32.49/net/ipv6/addrconf.c 2011-11-15 19:59:43.000000000 -0500
78188 @@ -2053,7 +2053,7 @@ int addrconf_set_dstaddr(struct net *net
78189 p.iph.ihl = 5;
78190 p.iph.protocol = IPPROTO_IPV6;
78191 p.iph.ttl = 64;
78192 - ifr.ifr_ifru.ifru_data = (__force void __user *)&p;
78193 + ifr.ifr_ifru.ifru_data = (void __force_user *)&p;
78194
78195 if (ops->ndo_do_ioctl) {
78196 mm_segment_t oldfs = get_fs();
78197 diff -urNp linux-2.6.32.49/net/ipv6/inet6_connection_sock.c linux-2.6.32.49/net/ipv6/inet6_connection_sock.c
78198 --- linux-2.6.32.49/net/ipv6/inet6_connection_sock.c 2011-11-08 19:02:43.000000000 -0500
78199 +++ linux-2.6.32.49/net/ipv6/inet6_connection_sock.c 2011-11-15 19:59:43.000000000 -0500
78200 @@ -152,7 +152,7 @@ void __inet6_csk_dst_store(struct sock *
78201 #ifdef CONFIG_XFRM
78202 {
78203 struct rt6_info *rt = (struct rt6_info *)dst;
78204 - rt->rt6i_flow_cache_genid = atomic_read(&flow_cache_genid);
78205 + rt->rt6i_flow_cache_genid = atomic_read_unchecked(&flow_cache_genid);
78206 }
78207 #endif
78208 }
78209 @@ -167,7 +167,7 @@ struct dst_entry *__inet6_csk_dst_check(
78210 #ifdef CONFIG_XFRM
78211 if (dst) {
78212 struct rt6_info *rt = (struct rt6_info *)dst;
78213 - if (rt->rt6i_flow_cache_genid != atomic_read(&flow_cache_genid)) {
78214 + if (rt->rt6i_flow_cache_genid != atomic_read_unchecked(&flow_cache_genid)) {
78215 sk->sk_dst_cache = NULL;
78216 dst_release(dst);
78217 dst = NULL;
78218 diff -urNp linux-2.6.32.49/net/ipv6/inet6_hashtables.c linux-2.6.32.49/net/ipv6/inet6_hashtables.c
78219 --- linux-2.6.32.49/net/ipv6/inet6_hashtables.c 2011-11-08 19:02:43.000000000 -0500
78220 +++ linux-2.6.32.49/net/ipv6/inet6_hashtables.c 2011-11-15 19:59:43.000000000 -0500
78221 @@ -119,7 +119,7 @@ out:
78222 }
78223 EXPORT_SYMBOL(__inet6_lookup_established);
78224
78225 -static int inline compute_score(struct sock *sk, struct net *net,
78226 +static inline int compute_score(struct sock *sk, struct net *net,
78227 const unsigned short hnum,
78228 const struct in6_addr *daddr,
78229 const int dif)
78230 diff -urNp linux-2.6.32.49/net/ipv6/ipv6_sockglue.c linux-2.6.32.49/net/ipv6/ipv6_sockglue.c
78231 --- linux-2.6.32.49/net/ipv6/ipv6_sockglue.c 2011-11-08 19:02:43.000000000 -0500
78232 +++ linux-2.6.32.49/net/ipv6/ipv6_sockglue.c 2011-11-15 19:59:43.000000000 -0500
78233 @@ -130,6 +130,8 @@ static int do_ipv6_setsockopt(struct soc
78234 int val, valbool;
78235 int retv = -ENOPROTOOPT;
78236
78237 + pax_track_stack();
78238 +
78239 if (optval == NULL)
78240 val=0;
78241 else {
78242 @@ -881,6 +883,8 @@ static int do_ipv6_getsockopt(struct soc
78243 int len;
78244 int val;
78245
78246 + pax_track_stack();
78247 +
78248 if (ip6_mroute_opt(optname))
78249 return ip6_mroute_getsockopt(sk, optname, optval, optlen);
78250
78251 @@ -922,7 +926,7 @@ static int do_ipv6_getsockopt(struct soc
78252 if (sk->sk_type != SOCK_STREAM)
78253 return -ENOPROTOOPT;
78254
78255 - msg.msg_control = optval;
78256 + msg.msg_control = (void __force_kernel *)optval;
78257 msg.msg_controllen = len;
78258 msg.msg_flags = 0;
78259
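Review bot: The cast `(void __force_kernel *)optval` relabels a user-space pointer as a kernel pointer for the static checker but does not change the address, so whatever consumes `msg.msg_control` on this path must still treat it as user memory. The consumers are outside this hunk; once they have been confirmed to use the user-copy helpers, a comment at the assignment such as `/* still a user pointer; only written through the user-copy helpers downstream */` would stop a later reader from dereferencing it directly.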
78260 diff -urNp linux-2.6.32.49/net/ipv6/netfilter/ip6_queue.c linux-2.6.32.49/net/ipv6/netfilter/ip6_queue.c
78261 --- linux-2.6.32.49/net/ipv6/netfilter/ip6_queue.c 2011-11-08 19:02:43.000000000 -0500
78262 +++ linux-2.6.32.49/net/ipv6/netfilter/ip6_queue.c 2011-11-15 19:59:43.000000000 -0500
78263 @@ -287,6 +287,9 @@ ipq_mangle_ipv6(ipq_verdict_msg_t *v, st
78264
78265 if (v->data_len < sizeof(*user_iph))
78266 return 0;
78267 + if (v->data_len > 65535)
78268 + return -EMSGSIZE;
78269 +
78270 diff = v->data_len - e->skb->len;
78271 if (diff < 0) {
78272 if (pskb_trim(e->skb, v->data_len))
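Review bot: The new bound uses the bare literal `65535` and returns -EMSGSIZE while the neighbouring too-short check returns 0, and nothing says why the limit is there. Since `diff` is computed as `v->data_len - e->skb->len` and tested with `diff < 0` right below, the check appears to exist to keep that subtraction within a signed range. A comment such as `/* cap data_len so the signed diff below cannot wrap */` and a named constant would make that explicit. ipq_mangle_ipv6 continues outside this hunk.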
78273 @@ -411,7 +414,8 @@ ipq_dev_drop(int ifindex)
78274 static inline void
78275 __ipq_rcv_skb(struct sk_buff *skb)
78276 {
78277 - int status, type, pid, flags, nlmsglen, skblen;
78278 + int status, type, pid, flags;
78279 + unsigned int nlmsglen, skblen;
78280 struct nlmsghdr *nlh;
78281
78282 skblen = skb->len;
78283 diff -urNp linux-2.6.32.49/net/ipv6/netfilter/ip6_tables.c linux-2.6.32.49/net/ipv6/netfilter/ip6_tables.c
78284 --- linux-2.6.32.49/net/ipv6/netfilter/ip6_tables.c 2011-11-08 19:02:43.000000000 -0500
78285 +++ linux-2.6.32.49/net/ipv6/netfilter/ip6_tables.c 2011-11-15 19:59:43.000000000 -0500
78286 @@ -1173,6 +1173,7 @@ static int get_info(struct net *net, voi
78287 private = &tmp;
78288 }
78289 #endif
78290 + memset(&info, 0, sizeof(info));
78291 info.valid_hooks = t->valid_hooks;
78292 memcpy(info.hook_entry, private->hook_entry,
78293 sizeof(info.hook_entry));
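Review bot: The added `memset(&info, 0, sizeof(info));` carries no comment, and a later cleanup could easily drop it because every named field may look assigned afterwards. Presumably `info` is copied to user space later in get_info (outside this hunk), in which case padding and any unassigned member would otherwise carry stack contents. A comment like `/* zero padding and unset fields before the struct is copied out */` would protect the line.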
78294 diff -urNp linux-2.6.32.49/net/ipv6/raw.c linux-2.6.32.49/net/ipv6/raw.c
78295 --- linux-2.6.32.49/net/ipv6/raw.c 2011-11-08 19:02:43.000000000 -0500
78296 +++ linux-2.6.32.49/net/ipv6/raw.c 2011-11-15 19:59:43.000000000 -0500
78297 @@ -375,14 +375,14 @@ static inline int rawv6_rcv_skb(struct s
78298 {
78299 if ((raw6_sk(sk)->checksum || sk->sk_filter) &&
78300 skb_checksum_complete(skb)) {
78301 - atomic_inc(&sk->sk_drops);
78302 + atomic_inc_unchecked(&sk->sk_drops);
78303 kfree_skb(skb);
78304 return NET_RX_DROP;
78305 }
78306
78307 /* Charge it to the socket. */
78308 if (sock_queue_rcv_skb(sk,skb)<0) {
78309 - atomic_inc(&sk->sk_drops);
78310 + atomic_inc_unchecked(&sk->sk_drops);
78311 kfree_skb(skb);
78312 return NET_RX_DROP;
78313 }
78314 @@ -403,7 +403,7 @@ int rawv6_rcv(struct sock *sk, struct sk
78315 struct raw6_sock *rp = raw6_sk(sk);
78316
78317 if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) {
78318 - atomic_inc(&sk->sk_drops);
78319 + atomic_inc_unchecked(&sk->sk_drops);
78320 kfree_skb(skb);
78321 return NET_RX_DROP;
78322 }
78323 @@ -427,7 +427,7 @@ int rawv6_rcv(struct sock *sk, struct sk
78324
78325 if (inet->hdrincl) {
78326 if (skb_checksum_complete(skb)) {
78327 - atomic_inc(&sk->sk_drops);
78328 + atomic_inc_unchecked(&sk->sk_drops);
78329 kfree_skb(skb);
78330 return NET_RX_DROP;
78331 }
78332 @@ -518,7 +518,7 @@ csum_copy_err:
78333 as some normal condition.
78334 */
78335 err = (flags&MSG_DONTWAIT) ? -EAGAIN : -EHOSTUNREACH;
78336 - atomic_inc(&sk->sk_drops);
78337 + atomic_inc_unchecked(&sk->sk_drops);
78338 goto out;
78339 }
78340
78341 @@ -600,7 +600,7 @@ out:
78342 return err;
78343 }
78344
78345 -static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
78346 +static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
78347 struct flowi *fl, struct rt6_info *rt,
78348 unsigned int flags)
78349 {
78350 @@ -738,6 +738,8 @@ static int rawv6_sendmsg(struct kiocb *i
78351 u16 proto;
78352 int err;
78353
78354 + pax_track_stack();
78355 +
78356 /* Rough check on arithmetic overflow,
78357 better check is made in ip6_append_data().
78358 */
78359 @@ -916,12 +918,17 @@ do_confirm:
78360 static int rawv6_seticmpfilter(struct sock *sk, int level, int optname,
78361 char __user *optval, int optlen)
78362 {
78363 + struct icmp6_filter filter;
78364 +
78365 switch (optname) {
78366 case ICMPV6_FILTER:
78367 + if (optlen < 0)
78368 + return -EINVAL;
78369 if (optlen > sizeof(struct icmp6_filter))
78370 optlen = sizeof(struct icmp6_filter);
78371 - if (copy_from_user(&raw6_sk(sk)->filter, optval, optlen))
78372 + if (copy_from_user(&filter, optval, optlen))
78373 return -EFAULT;
78374 + raw6_sk(sk)->filter = filter;
78375 return 0;
78376 default:
78377 return -ENOPROTOOPT;
78378 @@ -934,6 +941,7 @@ static int rawv6_geticmpfilter(struct so
78379 char __user *optval, int __user *optlen)
78380 {
78381 int len;
78382 + struct icmp6_filter filter;
78383
78384 switch (optname) {
78385 case ICMPV6_FILTER:
78386 @@ -945,7 +953,8 @@ static int rawv6_geticmpfilter(struct so
78387 len = sizeof(struct icmp6_filter);
78388 if (put_user(len, optlen))
78389 return -EFAULT;
78390 - if (copy_to_user(optval, &raw6_sk(sk)->filter, len))
78391 + filter = raw6_sk(sk)->filter;
78392 + if (len > sizeof filter || copy_to_user(optval, &filter, len))
78393 return -EFAULT;
78394 return 0;
78395 default:
78396 @@ -1241,7 +1250,13 @@ static void raw6_sock_seq_show(struct se
78397 0, 0L, 0,
78398 sock_i_uid(sp), 0,
78399 sock_i_ino(sp),
78400 - atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
78401 + atomic_read(&sp->sk_refcnt),
78402 +#ifdef CONFIG_GRKERNSEC_HIDESYM
78403 + NULL,
78404 +#else
78405 + sp,
78406 +#endif
78407 + atomic_read_unchecked(&sp->sk_drops));
78408 }
78409
78410 static int raw6_seq_show(struct seq_file *seq, void *v)
78411 diff -urNp linux-2.6.32.49/net/ipv6/tcp_ipv6.c linux-2.6.32.49/net/ipv6/tcp_ipv6.c
78412 --- linux-2.6.32.49/net/ipv6/tcp_ipv6.c 2011-11-08 19:02:43.000000000 -0500
78413 +++ linux-2.6.32.49/net/ipv6/tcp_ipv6.c 2011-11-15 19:59:43.000000000 -0500
78414 @@ -89,6 +89,10 @@ static struct tcp_md5sig_key *tcp_v6_md5
78415 }
78416 #endif
78417
78418 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
78419 +extern int grsec_enable_blackhole;
78420 +#endif
78421 +
78422 static void tcp_v6_hash(struct sock *sk)
78423 {
78424 if (sk->sk_state != TCP_CLOSE) {
78425 @@ -1579,6 +1583,9 @@ static int tcp_v6_do_rcv(struct sock *sk
78426 return 0;
78427
78428 reset:
78429 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
78430 + if (!grsec_enable_blackhole)
78431 +#endif
78432 tcp_v6_send_reset(sk, skb);
78433 discard:
78434 if (opt_skb)
78435 @@ -1656,12 +1663,20 @@ static int tcp_v6_rcv(struct sk_buff *sk
78436 TCP_SKB_CB(skb)->sacked = 0;
78437
78438 sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
78439 - if (!sk)
78440 + if (!sk) {
78441 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
78442 + ret = 1;
78443 +#endif
78444 goto no_tcp_socket;
78445 + }
78446
78447 process:
78448 - if (sk->sk_state == TCP_TIME_WAIT)
78449 + if (sk->sk_state == TCP_TIME_WAIT) {
78450 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
78451 + ret = 2;
78452 +#endif
78453 goto do_time_wait;
78454 + }
78455
78456 if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
78457 goto discard_and_relse;
78458 @@ -1701,6 +1716,10 @@ no_tcp_socket:
78459 bad_packet:
78460 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
78461 } else {
78462 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
78463 + if (!grsec_enable_blackhole || (ret == 1 &&
78464 + (skb->dev->flags & IFF_LOOPBACK)))
78465 +#endif
78466 tcp_v6_send_reset(NULL, skb);
78467 }
78468
78469 @@ -1916,7 +1935,13 @@ static void get_openreq6(struct seq_file
78470 uid,
78471 0, /* non standard timer */
78472 0, /* open_requests have no inode */
78473 - 0, req);
78474 + 0,
78475 +#ifdef CONFIG_GRKERNSEC_HIDESYM
78476 + NULL
78477 +#else
78478 + req
78479 +#endif
78480 + );
78481 }
78482
78483 static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
78484 @@ -1966,7 +1991,12 @@ static void get_tcp6_sock(struct seq_fil
78485 sock_i_uid(sp),
78486 icsk->icsk_probes_out,
78487 sock_i_ino(sp),
78488 - atomic_read(&sp->sk_refcnt), sp,
78489 + atomic_read(&sp->sk_refcnt),
78490 +#ifdef CONFIG_GRKERNSEC_HIDESYM
78491 + NULL,
78492 +#else
78493 + sp,
78494 +#endif
78495 jiffies_to_clock_t(icsk->icsk_rto),
78496 jiffies_to_clock_t(icsk->icsk_ack.ato),
78497 (icsk->icsk_ack.quick << 1 ) | icsk->icsk_ack.pingpong,
78498 @@ -2001,7 +2031,13 @@ static void get_timewait6_sock(struct se
78499 dest->s6_addr32[2], dest->s6_addr32[3], destp,
78500 tw->tw_substate, 0, 0,
78501 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
78502 - atomic_read(&tw->tw_refcnt), tw);
78503 + atomic_read(&tw->tw_refcnt),
78504 +#ifdef CONFIG_GRKERNSEC_HIDESYM
78505 + NULL
78506 +#else
78507 + tw
78508 +#endif
78509 + );
78510 }
78511
78512 static int tcp6_seq_show(struct seq_file *seq, void *v)
78513 diff -urNp linux-2.6.32.49/net/ipv6/udp.c linux-2.6.32.49/net/ipv6/udp.c
78514 --- linux-2.6.32.49/net/ipv6/udp.c 2011-11-26 19:44:53.000000000 -0500
78515 +++ linux-2.6.32.49/net/ipv6/udp.c 2011-11-26 19:45:13.000000000 -0500
78516 @@ -49,6 +49,10 @@
78517 #include <linux/seq_file.h>
78518 #include "udp_impl.h"
78519
78520 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
78521 +extern int grsec_enable_blackhole;
78522 +#endif
78523 +
78524 int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
78525 {
78526 const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr;
78527 @@ -391,7 +395,7 @@ int udpv6_queue_rcv_skb(struct sock * sk
78528 if (rc == -ENOMEM) {
78529 UDP6_INC_STATS_BH(sock_net(sk),
78530 UDP_MIB_RCVBUFERRORS, is_udplite);
78531 - atomic_inc(&sk->sk_drops);
78532 + atomic_inc_unchecked(&sk->sk_drops);
78533 }
78534 goto drop;
78535 }
78536 @@ -590,6 +594,9 @@ int __udp6_lib_rcv(struct sk_buff *skb,
78537 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
78538 proto == IPPROTO_UDPLITE);
78539
78540 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
78541 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
78542 +#endif
78543 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0, dev);
78544
78545 kfree_skb(skb);
78546 @@ -1209,8 +1216,13 @@ static void udp6_sock_seq_show(struct se
78547 0, 0L, 0,
78548 sock_i_uid(sp), 0,
78549 sock_i_ino(sp),
78550 - atomic_read(&sp->sk_refcnt), sp,
78551 - atomic_read(&sp->sk_drops));
78552 + atomic_read(&sp->sk_refcnt),
78553 +#ifdef CONFIG_GRKERNSEC_HIDESYM
78554 + NULL,
78555 +#else
78556 + sp,
78557 +#endif
78558 + atomic_read_unchecked(&sp->sk_drops));
78559 }
78560
78561 int udp6_seq_show(struct seq_file *seq, void *v)
78562 diff -urNp linux-2.6.32.49/net/irda/ircomm/ircomm_tty.c linux-2.6.32.49/net/irda/ircomm/ircomm_tty.c
78563 --- linux-2.6.32.49/net/irda/ircomm/ircomm_tty.c 2011-11-08 19:02:43.000000000 -0500
78564 +++ linux-2.6.32.49/net/irda/ircomm/ircomm_tty.c 2011-11-15 19:59:43.000000000 -0500
78565 @@ -280,16 +280,16 @@ static int ircomm_tty_block_til_ready(st
78566 add_wait_queue(&self->open_wait, &wait);
78567
78568 IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
78569 - __FILE__,__LINE__, tty->driver->name, self->open_count );
78570 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
78571
78572 /* As far as I can see, we protect open_count - Jean II */
78573 spin_lock_irqsave(&self->spinlock, flags);
78574 if (!tty_hung_up_p(filp)) {
78575 extra_count = 1;
78576 - self->open_count--;
78577 + local_dec(&self->open_count);
78578 }
78579 spin_unlock_irqrestore(&self->spinlock, flags);
78580 - self->blocked_open++;
78581 + local_inc(&self->blocked_open);
78582
78583 while (1) {
78584 if (tty->termios->c_cflag & CBAUD) {
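Review bot: The debug and seq_printf format strings still use `%d` for `local_read(&self->open_count)`; if local_read() returns `long` here, as it does in the generic local_t implementation, that is a format/argument mismatch on 64-bit builds. Either `%ld` or an explicit `(int)local_read(&self->open_count)` would fix it, here and in the later ircomm_tty_open, ircomm_tty_close and ircomm_tty_line_info hunks. Separately, the retained comment "++ is not atomic, so this should be protected" in a later hunk is now stale, and since local_t operations are atomic only with respect to the current CPU, the spinlock around open_count is still what provides cross-CPU safety. ircomm_tty_block_til_ready starts and ends outside this hunk.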
78585 @@ -329,7 +329,7 @@ static int ircomm_tty_block_til_ready(st
78586 }
78587
78588 IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
78589 - __FILE__,__LINE__, tty->driver->name, self->open_count );
78590 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
78591
78592 schedule();
78593 }
78594 @@ -340,13 +340,13 @@ static int ircomm_tty_block_til_ready(st
78595 if (extra_count) {
78596 /* ++ is not atomic, so this should be protected - Jean II */
78597 spin_lock_irqsave(&self->spinlock, flags);
78598 - self->open_count++;
78599 + local_inc(&self->open_count);
78600 spin_unlock_irqrestore(&self->spinlock, flags);
78601 }
78602 - self->blocked_open--;
78603 + local_dec(&self->blocked_open);
78604
78605 IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
78606 - __FILE__,__LINE__, tty->driver->name, self->open_count);
78607 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count));
78608
78609 if (!retval)
78610 self->flags |= ASYNC_NORMAL_ACTIVE;
78611 @@ -415,14 +415,14 @@ static int ircomm_tty_open(struct tty_st
78612 }
78613 /* ++ is not atomic, so this should be protected - Jean II */
78614 spin_lock_irqsave(&self->spinlock, flags);
78615 - self->open_count++;
78616 + local_inc(&self->open_count);
78617
78618 tty->driver_data = self;
78619 self->tty = tty;
78620 spin_unlock_irqrestore(&self->spinlock, flags);
78621
78622 IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
78623 - self->line, self->open_count);
78624 + self->line, local_read(&self->open_count));
78625
78626 /* Not really used by us, but lets do it anyway */
78627 self->tty->low_latency = (self->flags & ASYNC_LOW_LATENCY) ? 1 : 0;
78628 @@ -511,7 +511,7 @@ static void ircomm_tty_close(struct tty_
78629 return;
78630 }
78631
78632 - if ((tty->count == 1) && (self->open_count != 1)) {
78633 + if ((tty->count == 1) && (local_read(&self->open_count) != 1)) {
78634 /*
78635 * Uh, oh. tty->count is 1, which means that the tty
78636 * structure will be freed. state->count should always
78637 @@ -521,16 +521,16 @@ static void ircomm_tty_close(struct tty_
78638 */
78639 IRDA_DEBUG(0, "%s(), bad serial port count; "
78640 "tty->count is 1, state->count is %d\n", __func__ ,
78641 - self->open_count);
78642 - self->open_count = 1;
78643 + local_read(&self->open_count));
78644 + local_set(&self->open_count, 1);
78645 }
78646
78647 - if (--self->open_count < 0) {
78648 + if (local_dec_return(&self->open_count) < 0) {
78649 IRDA_ERROR("%s(), bad serial port count for ttys%d: %d\n",
78650 - __func__, self->line, self->open_count);
78651 - self->open_count = 0;
78652 + __func__, self->line, local_read(&self->open_count));
78653 + local_set(&self->open_count, 0);
78654 }
78655 - if (self->open_count) {
78656 + if (local_read(&self->open_count)) {
78657 spin_unlock_irqrestore(&self->spinlock, flags);
78658
78659 IRDA_DEBUG(0, "%s(), open count > 0\n", __func__ );
78660 @@ -562,7 +562,7 @@ static void ircomm_tty_close(struct tty_
78661 tty->closing = 0;
78662 self->tty = NULL;
78663
78664 - if (self->blocked_open) {
78665 + if (local_read(&self->blocked_open)) {
78666 if (self->close_delay)
78667 schedule_timeout_interruptible(self->close_delay);
78668 wake_up_interruptible(&self->open_wait);
78669 @@ -1017,7 +1017,7 @@ static void ircomm_tty_hangup(struct tty
78670 spin_lock_irqsave(&self->spinlock, flags);
78671 self->flags &= ~ASYNC_NORMAL_ACTIVE;
78672 self->tty = NULL;
78673 - self->open_count = 0;
78674 + local_set(&self->open_count, 0);
78675 spin_unlock_irqrestore(&self->spinlock, flags);
78676
78677 wake_up_interruptible(&self->open_wait);
78678 @@ -1369,7 +1369,7 @@ static void ircomm_tty_line_info(struct
78679 seq_putc(m, '\n');
78680
78681 seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
78682 - seq_printf(m, "Open count: %d\n", self->open_count);
78683 + seq_printf(m, "Open count: %d\n", local_read(&self->open_count));
78684 seq_printf(m, "Max data size: %d\n", self->max_data_size);
78685 seq_printf(m, "Max header size: %d\n", self->max_header_size);
78686
78687 diff -urNp linux-2.6.32.49/net/iucv/af_iucv.c linux-2.6.32.49/net/iucv/af_iucv.c
78688 --- linux-2.6.32.49/net/iucv/af_iucv.c 2011-11-08 19:02:43.000000000 -0500
78689 +++ linux-2.6.32.49/net/iucv/af_iucv.c 2011-11-15 19:59:43.000000000 -0500
78690 @@ -651,10 +651,10 @@ static int iucv_sock_autobind(struct soc
78691
78692 write_lock_bh(&iucv_sk_list.lock);
78693
78694 - sprintf(name, "%08x", atomic_inc_return(&iucv_sk_list.autobind_name));
78695 + sprintf(name, "%08x", atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
78696 while (__iucv_get_sock_by_name(name)) {
78697 sprintf(name, "%08x",
78698 - atomic_inc_return(&iucv_sk_list.autobind_name));
78699 + atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
78700 }
78701
78702 write_unlock_bh(&iucv_sk_list.lock);
78703 diff -urNp linux-2.6.32.49/net/key/af_key.c linux-2.6.32.49/net/key/af_key.c
78704 --- linux-2.6.32.49/net/key/af_key.c 2011-11-08 19:02:43.000000000 -0500
78705 +++ linux-2.6.32.49/net/key/af_key.c 2011-11-15 19:59:43.000000000 -0500
78706 @@ -2489,6 +2489,8 @@ static int pfkey_migrate(struct sock *sk
78707 struct xfrm_migrate m[XFRM_MAX_DEPTH];
78708 struct xfrm_kmaddress k;
78709
78710 + pax_track_stack();
78711 +
78712 if (!present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC - 1],
78713 ext_hdrs[SADB_EXT_ADDRESS_DST - 1]) ||
78714 !ext_hdrs[SADB_X_EXT_POLICY - 1]) {
78715 @@ -3660,7 +3662,11 @@ static int pfkey_seq_show(struct seq_fil
78716 seq_printf(f ,"sk RefCnt Rmem Wmem User Inode\n");
78717 else
78718 seq_printf(f ,"%p %-6d %-6u %-6u %-6u %-6lu\n",
78719 +#ifdef CONFIG_GRKERNSEC_HIDESYM
78720 + NULL,
78721 +#else
78722 s,
78723 +#endif
78724 atomic_read(&s->sk_refcnt),
78725 sk_rmem_alloc_get(s),
78726 sk_wmem_alloc_get(s),
78727 diff -urNp linux-2.6.32.49/net/lapb/lapb_iface.c linux-2.6.32.49/net/lapb/lapb_iface.c
78728 --- linux-2.6.32.49/net/lapb/lapb_iface.c 2011-11-08 19:02:43.000000000 -0500
78729 +++ linux-2.6.32.49/net/lapb/lapb_iface.c 2011-11-15 19:59:43.000000000 -0500
78730 @@ -157,7 +157,7 @@ int lapb_register(struct net_device *dev
78731 goto out;
78732
78733 lapb->dev = dev;
78734 - lapb->callbacks = *callbacks;
78735 + lapb->callbacks = callbacks;
78736
78737 __lapb_insert_cb(lapb);
78738
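Review bot: `lapb->callbacks = callbacks;` now stores the caller's pointer instead of copying the structure, so the callback table must stay valid for as long as the device is registered, and the accessors below dereference `lapb->callbacks->...` without checking the pointer. lapb_register should reject a NULL argument near its top using the function's existing error convention, and its header comment should state the new lifetime rule, e.g. `/* callbacks is not copied; it must outlive the registration */`. The start of lapb_register, including the parameter declaration, is outside this hunk, so whether every caller already passes a static table cannot be confirmed from here.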
78739 @@ -379,32 +379,32 @@ int lapb_data_received(struct net_device
78740
78741 void lapb_connect_confirmation(struct lapb_cb *lapb, int reason)
78742 {
78743 - if (lapb->callbacks.connect_confirmation)
78744 - lapb->callbacks.connect_confirmation(lapb->dev, reason);
78745 + if (lapb->callbacks->connect_confirmation)
78746 + lapb->callbacks->connect_confirmation(lapb->dev, reason);
78747 }
78748
78749 void lapb_connect_indication(struct lapb_cb *lapb, int reason)
78750 {
78751 - if (lapb->callbacks.connect_indication)
78752 - lapb->callbacks.connect_indication(lapb->dev, reason);
78753 + if (lapb->callbacks->connect_indication)
78754 + lapb->callbacks->connect_indication(lapb->dev, reason);
78755 }
78756
78757 void lapb_disconnect_confirmation(struct lapb_cb *lapb, int reason)
78758 {
78759 - if (lapb->callbacks.disconnect_confirmation)
78760 - lapb->callbacks.disconnect_confirmation(lapb->dev, reason);
78761 + if (lapb->callbacks->disconnect_confirmation)
78762 + lapb->callbacks->disconnect_confirmation(lapb->dev, reason);
78763 }
78764
78765 void lapb_disconnect_indication(struct lapb_cb *lapb, int reason)
78766 {
78767 - if (lapb->callbacks.disconnect_indication)
78768 - lapb->callbacks.disconnect_indication(lapb->dev, reason);
78769 + if (lapb->callbacks->disconnect_indication)
78770 + lapb->callbacks->disconnect_indication(lapb->dev, reason);
78771 }
78772
78773 int lapb_data_indication(struct lapb_cb *lapb, struct sk_buff *skb)
78774 {
78775 - if (lapb->callbacks.data_indication)
78776 - return lapb->callbacks.data_indication(lapb->dev, skb);
78777 + if (lapb->callbacks->data_indication)
78778 + return lapb->callbacks->data_indication(lapb->dev, skb);
78779
78780 kfree_skb(skb);
78781 return NET_RX_SUCCESS; /* For now; must be != NET_RX_DROP */
78782 @@ -414,8 +414,8 @@ int lapb_data_transmit(struct lapb_cb *l
78783 {
78784 int used = 0;
78785
78786 - if (lapb->callbacks.data_transmit) {
78787 - lapb->callbacks.data_transmit(lapb->dev, skb);
78788 + if (lapb->callbacks->data_transmit) {
78789 + lapb->callbacks->data_transmit(lapb->dev, skb);
78790 used = 1;
78791 }
78792
78793 diff -urNp linux-2.6.32.49/net/mac80211/cfg.c linux-2.6.32.49/net/mac80211/cfg.c
78794 --- linux-2.6.32.49/net/mac80211/cfg.c 2011-11-08 19:02:43.000000000 -0500
78795 +++ linux-2.6.32.49/net/mac80211/cfg.c 2011-11-15 19:59:43.000000000 -0500
78796 @@ -1369,7 +1369,7 @@ static int ieee80211_set_bitrate_mask(st
78797 return err;
78798 }
78799
78800 -struct cfg80211_ops mac80211_config_ops = {
78801 +const struct cfg80211_ops mac80211_config_ops = {
78802 .add_virtual_intf = ieee80211_add_iface,
78803 .del_virtual_intf = ieee80211_del_iface,
78804 .change_virtual_intf = ieee80211_change_iface,
78805 diff -urNp linux-2.6.32.49/net/mac80211/cfg.h linux-2.6.32.49/net/mac80211/cfg.h
78806 --- linux-2.6.32.49/net/mac80211/cfg.h 2011-11-08 19:02:43.000000000 -0500
78807 +++ linux-2.6.32.49/net/mac80211/cfg.h 2011-11-15 19:59:43.000000000 -0500
78808 @@ -4,6 +4,6 @@
78809 #ifndef __CFG_H
78810 #define __CFG_H
78811
78812 -extern struct cfg80211_ops mac80211_config_ops;
78813 +extern const struct cfg80211_ops mac80211_config_ops;
78814
78815 #endif /* __CFG_H */
78816 diff -urNp linux-2.6.32.49/net/mac80211/debugfs_key.c linux-2.6.32.49/net/mac80211/debugfs_key.c
78817 --- linux-2.6.32.49/net/mac80211/debugfs_key.c 2011-11-08 19:02:43.000000000 -0500
78818 +++ linux-2.6.32.49/net/mac80211/debugfs_key.c 2011-11-15 19:59:43.000000000 -0500
78819 @@ -211,9 +211,13 @@ static ssize_t key_key_read(struct file
78820 size_t count, loff_t *ppos)
78821 {
78822 struct ieee80211_key *key = file->private_data;
78823 - int i, res, bufsize = 2 * key->conf.keylen + 2;
78824 + int i, bufsize = 2 * key->conf.keylen + 2;
78825 char *buf = kmalloc(bufsize, GFP_KERNEL);
78826 char *p = buf;
78827 + ssize_t res;
78828 +
78829 + if (buf == NULL)
78830 + return -ENOMEM;
78831
78832 for (i = 0; i < key->conf.keylen; i++)
78833 p += scnprintf(p, bufsize + buf - p, "%02x", key->conf.key[i]);
78834 diff -urNp linux-2.6.32.49/net/mac80211/debugfs_sta.c linux-2.6.32.49/net/mac80211/debugfs_sta.c
78835 --- linux-2.6.32.49/net/mac80211/debugfs_sta.c 2011-11-08 19:02:43.000000000 -0500
78836 +++ linux-2.6.32.49/net/mac80211/debugfs_sta.c 2011-11-15 19:59:43.000000000 -0500
78837 @@ -124,6 +124,8 @@ static ssize_t sta_agg_status_read(struc
78838 int i;
78839 struct sta_info *sta = file->private_data;
78840
78841 + pax_track_stack();
78842 +
78843 spin_lock_bh(&sta->lock);
78844 p += scnprintf(p, sizeof(buf)+buf-p, "next dialog_token is %#02x\n",
78845 sta->ampdu_mlme.dialog_token_allocator + 1);
78846 diff -urNp linux-2.6.32.49/net/mac80211/ieee80211_i.h linux-2.6.32.49/net/mac80211/ieee80211_i.h
78847 --- linux-2.6.32.49/net/mac80211/ieee80211_i.h 2011-11-08 19:02:43.000000000 -0500
78848 +++ linux-2.6.32.49/net/mac80211/ieee80211_i.h 2011-11-15 19:59:43.000000000 -0500
78849 @@ -25,6 +25,7 @@
78850 #include <linux/etherdevice.h>
78851 #include <net/cfg80211.h>
78852 #include <net/mac80211.h>
78853 +#include <asm/local.h>
78854 #include "key.h"
78855 #include "sta_info.h"
78856
78857 @@ -635,7 +636,7 @@ struct ieee80211_local {
78858 /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
78859 spinlock_t queue_stop_reason_lock;
78860
78861 - int open_count;
78862 + local_t open_count;
78863 int monitors, cooked_mntrs;
78864 /* number of interfaces with corresponding FIF_ flags */
78865 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll;
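Review bot: `local_t open_count;` uses a type whose operations are documented as atomic only with respect to the CPU that runs them, yet the hunks in iface.c, main.c, pm.c, rate.c and util.c treat the field as one device-wide count. Nothing visible here says which lock serialises `local_inc`/`local_dec`/`local_read` on it; an `ASSERT_RTNL()` appears only in the rate.c hunk. If RTNL is the answer, a comment on the field such as `/* modified under RTNL only; local_t is not cross-CPU atomic */` would record the assumption. If updates from different CPUs can race, `atomic_t` would be the fitting type. struct ieee80211_local starts and ends outside the hunk.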
78866 diff -urNp linux-2.6.32.49/net/mac80211/iface.c linux-2.6.32.49/net/mac80211/iface.c
78867 --- linux-2.6.32.49/net/mac80211/iface.c 2011-11-08 19:02:43.000000000 -0500
78868 +++ linux-2.6.32.49/net/mac80211/iface.c 2011-11-15 19:59:43.000000000 -0500
78869 @@ -166,7 +166,7 @@ static int ieee80211_open(struct net_dev
78870 break;
78871 }
78872
78873 - if (local->open_count == 0) {
78874 + if (local_read(&local->open_count) == 0) {
78875 res = drv_start(local);
78876 if (res)
78877 goto err_del_bss;
78878 @@ -196,7 +196,7 @@ static int ieee80211_open(struct net_dev
78879 * Validate the MAC address for this device.
78880 */
78881 if (!is_valid_ether_addr(dev->dev_addr)) {
78882 - if (!local->open_count)
78883 + if (!local_read(&local->open_count))
78884 drv_stop(local);
78885 return -EADDRNOTAVAIL;
78886 }
78887 @@ -292,7 +292,7 @@ static int ieee80211_open(struct net_dev
78888
78889 hw_reconf_flags |= __ieee80211_recalc_idle(local);
78890
78891 - local->open_count++;
78892 + local_inc(&local->open_count);
78893 if (hw_reconf_flags) {
78894 ieee80211_hw_config(local, hw_reconf_flags);
78895 /*
78896 @@ -320,7 +320,7 @@ static int ieee80211_open(struct net_dev
78897 err_del_interface:
78898 drv_remove_interface(local, &conf);
78899 err_stop:
78900 - if (!local->open_count)
78901 + if (!local_read(&local->open_count))
78902 drv_stop(local);
78903 err_del_bss:
78904 sdata->bss = NULL;
78905 @@ -420,7 +420,7 @@ static int ieee80211_stop(struct net_dev
78906 WARN_ON(!list_empty(&sdata->u.ap.vlans));
78907 }
78908
78909 - local->open_count--;
78910 + local_dec(&local->open_count);
78911
78912 switch (sdata->vif.type) {
78913 case NL80211_IFTYPE_AP_VLAN:
78914 @@ -526,7 +526,7 @@ static int ieee80211_stop(struct net_dev
78915
78916 ieee80211_recalc_ps(local, -1);
78917
78918 - if (local->open_count == 0) {
78919 + if (local_read(&local->open_count) == 0) {
78920 ieee80211_clear_tx_pending(local);
78921 ieee80211_stop_device(local);
78922
78923 diff -urNp linux-2.6.32.49/net/mac80211/main.c linux-2.6.32.49/net/mac80211/main.c
78924 --- linux-2.6.32.49/net/mac80211/main.c 2011-11-08 19:02:43.000000000 -0500
78925 +++ linux-2.6.32.49/net/mac80211/main.c 2011-11-15 19:59:43.000000000 -0500
78926 @@ -145,7 +145,7 @@ int ieee80211_hw_config(struct ieee80211
78927 local->hw.conf.power_level = power;
78928 }
78929
78930 - if (changed && local->open_count) {
78931 + if (changed && local_read(&local->open_count)) {
78932 ret = drv_config(local, changed);
78933 /*
78934 * Goal:
78935 diff -urNp linux-2.6.32.49/net/mac80211/mlme.c linux-2.6.32.49/net/mac80211/mlme.c
78936 --- linux-2.6.32.49/net/mac80211/mlme.c 2011-11-08 19:02:43.000000000 -0500
78937 +++ linux-2.6.32.49/net/mac80211/mlme.c 2011-11-15 19:59:43.000000000 -0500
78938 @@ -1438,6 +1438,8 @@ ieee80211_rx_mgmt_assoc_resp(struct ieee
78939 bool have_higher_than_11mbit = false, newsta = false;
78940 u16 ap_ht_cap_flags;
78941
78942 + pax_track_stack();
78943 +
78944 /*
78945 * AssocResp and ReassocResp have identical structure, so process both
78946 * of them in this function.
78947 diff -urNp linux-2.6.32.49/net/mac80211/pm.c linux-2.6.32.49/net/mac80211/pm.c
78948 --- linux-2.6.32.49/net/mac80211/pm.c 2011-11-08 19:02:43.000000000 -0500
78949 +++ linux-2.6.32.49/net/mac80211/pm.c 2011-11-15 19:59:43.000000000 -0500
78950 @@ -107,7 +107,7 @@ int __ieee80211_suspend(struct ieee80211
78951 }
78952
78953 /* stop hardware - this must stop RX */
78954 - if (local->open_count)
78955 + if (local_read(&local->open_count))
78956 ieee80211_stop_device(local);
78957
78958 local->suspended = true;
78959 diff -urNp linux-2.6.32.49/net/mac80211/rate.c linux-2.6.32.49/net/mac80211/rate.c
78960 --- linux-2.6.32.49/net/mac80211/rate.c 2011-11-08 19:02:43.000000000 -0500
78961 +++ linux-2.6.32.49/net/mac80211/rate.c 2011-11-15 19:59:43.000000000 -0500
78962 @@ -287,7 +287,7 @@ int ieee80211_init_rate_ctrl_alg(struct
78963 struct rate_control_ref *ref, *old;
78964
78965 ASSERT_RTNL();
78966 - if (local->open_count)
78967 + if (local_read(&local->open_count))
78968 return -EBUSY;
78969
78970 ref = rate_control_alloc(name, local);
78971 diff -urNp linux-2.6.32.49/net/mac80211/tx.c linux-2.6.32.49/net/mac80211/tx.c
78972 --- linux-2.6.32.49/net/mac80211/tx.c 2011-11-08 19:02:43.000000000 -0500
78973 +++ linux-2.6.32.49/net/mac80211/tx.c 2011-11-15 19:59:43.000000000 -0500
78974 @@ -173,7 +173,7 @@ static __le16 ieee80211_duration(struct
78975 return cpu_to_le16(dur);
78976 }
78977
78978 -static int inline is_ieee80211_device(struct ieee80211_local *local,
78979 +static inline int is_ieee80211_device(struct ieee80211_local *local,
78980 struct net_device *dev)
78981 {
78982 return local == wdev_priv(dev->ieee80211_ptr);
78983 diff -urNp linux-2.6.32.49/net/mac80211/util.c linux-2.6.32.49/net/mac80211/util.c
78984 --- linux-2.6.32.49/net/mac80211/util.c 2011-11-08 19:02:43.000000000 -0500
78985 +++ linux-2.6.32.49/net/mac80211/util.c 2011-11-15 19:59:43.000000000 -0500
78986 @@ -1042,7 +1042,7 @@ int ieee80211_reconfig(struct ieee80211_
78987 local->resuming = true;
78988
78989 /* restart hardware */
78990 - if (local->open_count) {
78991 + if (local_read(&local->open_count)) {
78992 /*
78993 * Upon resume hardware can sometimes be goofy due to
78994 * various platform / driver / bus issues, so restarting
78995 diff -urNp linux-2.6.32.49/net/netfilter/ipvs/ip_vs_app.c linux-2.6.32.49/net/netfilter/ipvs/ip_vs_app.c
78996 --- linux-2.6.32.49/net/netfilter/ipvs/ip_vs_app.c 2011-11-08 19:02:43.000000000 -0500
78997 +++ linux-2.6.32.49/net/netfilter/ipvs/ip_vs_app.c 2011-11-15 19:59:43.000000000 -0500
78998 @@ -564,7 +564,7 @@ static const struct file_operations ip_v
78999 .open = ip_vs_app_open,
79000 .read = seq_read,
79001 .llseek = seq_lseek,
79002 - .release = seq_release,
79003 + .release = seq_release_net,
79004 };
79005 #endif
79006
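Review bot: `.release = seq_release_net` is only correct when the file was opened with `seq_open_net()`, and no hunk of this file changes `ip_vs_app_open`. Whether the pair matches therefore depends on the base tree, so this needs confirming; a release handler that does not match its open handler would treat the seq_file private data as a net-namespace record. The same check applies to the `seq_release_net` changes in ip_vs_conn.c and ip_vs_ctl.c and to `single_release_net` in ip_vs_ctl.c, where the open handlers are likewise untouched by the visible hunks. A short comment next to each `.release` naming the open helper it pairs with would make this checkable at a glance.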
79007 diff -urNp linux-2.6.32.49/net/netfilter/ipvs/ip_vs_conn.c linux-2.6.32.49/net/netfilter/ipvs/ip_vs_conn.c
79008 --- linux-2.6.32.49/net/netfilter/ipvs/ip_vs_conn.c 2011-11-08 19:02:43.000000000 -0500
79009 +++ linux-2.6.32.49/net/netfilter/ipvs/ip_vs_conn.c 2011-11-15 19:59:43.000000000 -0500
79010 @@ -453,10 +453,10 @@ ip_vs_bind_dest(struct ip_vs_conn *cp, s
79011 /* if the connection is not template and is created
79012 * by sync, preserve the activity flag.
79013 */
79014 - cp->flags |= atomic_read(&dest->conn_flags) &
79015 + cp->flags |= atomic_read_unchecked(&dest->conn_flags) &
79016 (~IP_VS_CONN_F_INACTIVE);
79017 else
79018 - cp->flags |= atomic_read(&dest->conn_flags);
79019 + cp->flags |= atomic_read_unchecked(&dest->conn_flags);
79020 cp->dest = dest;
79021
79022 IP_VS_DBG_BUF(7, "Bind-dest %s c:%s:%d v:%s:%d "
79023 @@ -723,7 +723,7 @@ ip_vs_conn_new(int af, int proto, const
79024 atomic_set(&cp->refcnt, 1);
79025
79026 atomic_set(&cp->n_control, 0);
79027 - atomic_set(&cp->in_pkts, 0);
79028 + atomic_set_unchecked(&cp->in_pkts, 0);
79029
79030 atomic_inc(&ip_vs_conn_count);
79031 if (flags & IP_VS_CONN_F_NO_CPORT)
79032 @@ -871,7 +871,7 @@ static const struct file_operations ip_v
79033 .open = ip_vs_conn_open,
79034 .read = seq_read,
79035 .llseek = seq_lseek,
79036 - .release = seq_release,
79037 + .release = seq_release_net,
79038 };
79039
79040 static const char *ip_vs_origin_name(unsigned flags)
79041 @@ -934,7 +934,7 @@ static const struct file_operations ip_v
79042 .open = ip_vs_conn_sync_open,
79043 .read = seq_read,
79044 .llseek = seq_lseek,
79045 - .release = seq_release,
79046 + .release = seq_release_net,
79047 };
79048
79049 #endif
79050 @@ -961,7 +961,7 @@ static inline int todrop_entry(struct ip
79051
79052 /* Don't drop the entry if its number of incoming packets is not
79053 located in [0, 8] */
79054 - i = atomic_read(&cp->in_pkts);
79055 + i = atomic_read_unchecked(&cp->in_pkts);
79056 if (i > 8 || i < 0) return 0;
79057
79058 if (!todrop_rate[i]) return 0;
79059 diff -urNp linux-2.6.32.49/net/netfilter/ipvs/ip_vs_core.c linux-2.6.32.49/net/netfilter/ipvs/ip_vs_core.c
79060 --- linux-2.6.32.49/net/netfilter/ipvs/ip_vs_core.c 2011-11-08 19:02:43.000000000 -0500
79061 +++ linux-2.6.32.49/net/netfilter/ipvs/ip_vs_core.c 2011-11-15 19:59:43.000000000 -0500
79062 @@ -485,7 +485,7 @@ int ip_vs_leave(struct ip_vs_service *sv
79063 ret = cp->packet_xmit(skb, cp, pp);
79064 /* do not touch skb anymore */
79065
79066 - atomic_inc(&cp->in_pkts);
79067 + atomic_inc_unchecked(&cp->in_pkts);
79068 ip_vs_conn_put(cp);
79069 return ret;
79070 }
79071 @@ -1357,7 +1357,7 @@ ip_vs_in(unsigned int hooknum, struct sk
79072 * Sync connection if it is about to close to
79073 * encorage the standby servers to update the connections timeout
79074 */
79075 - pkts = atomic_add_return(1, &cp->in_pkts);
79076 + pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
79077 if (af == AF_INET &&
79078 (ip_vs_sync_state & IP_VS_STATE_MASTER) &&
79079 (((cp->protocol != IPPROTO_TCP ||
79080 diff -urNp linux-2.6.32.49/net/netfilter/ipvs/ip_vs_ctl.c linux-2.6.32.49/net/netfilter/ipvs/ip_vs_ctl.c
79081 --- linux-2.6.32.49/net/netfilter/ipvs/ip_vs_ctl.c 2011-11-08 19:02:43.000000000 -0500
79082 +++ linux-2.6.32.49/net/netfilter/ipvs/ip_vs_ctl.c 2011-11-15 19:59:43.000000000 -0500
79083 @@ -792,7 +792,7 @@ __ip_vs_update_dest(struct ip_vs_service
79084 ip_vs_rs_hash(dest);
79085 write_unlock_bh(&__ip_vs_rs_lock);
79086 }
79087 - atomic_set(&dest->conn_flags, conn_flags);
79088 + atomic_set_unchecked(&dest->conn_flags, conn_flags);
79089
79090 /* bind the service */
79091 if (!dest->svc) {
79092 @@ -1888,7 +1888,7 @@ static int ip_vs_info_seq_show(struct se
79093 " %-7s %-6d %-10d %-10d\n",
79094 &dest->addr.in6,
79095 ntohs(dest->port),
79096 - ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
79097 + ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
79098 atomic_read(&dest->weight),
79099 atomic_read(&dest->activeconns),
79100 atomic_read(&dest->inactconns));
79101 @@ -1899,7 +1899,7 @@ static int ip_vs_info_seq_show(struct se
79102 "%-7s %-6d %-10d %-10d\n",
79103 ntohl(dest->addr.ip),
79104 ntohs(dest->port),
79105 - ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
79106 + ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
79107 atomic_read(&dest->weight),
79108 atomic_read(&dest->activeconns),
79109 atomic_read(&dest->inactconns));
79110 @@ -1927,7 +1927,7 @@ static const struct file_operations ip_v
79111 .open = ip_vs_info_open,
79112 .read = seq_read,
79113 .llseek = seq_lseek,
79114 - .release = seq_release_private,
79115 + .release = seq_release_net,
79116 };
79117
79118 #endif
79119 @@ -1976,7 +1976,7 @@ static const struct file_operations ip_v
79120 .open = ip_vs_stats_seq_open,
79121 .read = seq_read,
79122 .llseek = seq_lseek,
79123 - .release = single_release,
79124 + .release = single_release_net,
79125 };
79126
79127 #endif
79128 @@ -2292,7 +2292,7 @@ __ip_vs_get_dest_entries(const struct ip
79129
79130 entry.addr = dest->addr.ip;
79131 entry.port = dest->port;
79132 - entry.conn_flags = atomic_read(&dest->conn_flags);
79133 + entry.conn_flags = atomic_read_unchecked(&dest->conn_flags);
79134 entry.weight = atomic_read(&dest->weight);
79135 entry.u_threshold = dest->u_threshold;
79136 entry.l_threshold = dest->l_threshold;
79137 @@ -2353,6 +2353,8 @@ do_ip_vs_get_ctl(struct sock *sk, int cm
79138 unsigned char arg[128];
79139 int ret = 0;
79140
79141 + pax_track_stack();
79142 +
79143 if (!capable(CAP_NET_ADMIN))
79144 return -EPERM;
79145
79146 @@ -2802,7 +2804,7 @@ static int ip_vs_genl_fill_dest(struct s
79147 NLA_PUT_U16(skb, IPVS_DEST_ATTR_PORT, dest->port);
79148
79149 NLA_PUT_U32(skb, IPVS_DEST_ATTR_FWD_METHOD,
79150 - atomic_read(&dest->conn_flags) & IP_VS_CONN_F_FWD_MASK);
79151 + atomic_read_unchecked(&dest->conn_flags) & IP_VS_CONN_F_FWD_MASK);
79152 NLA_PUT_U32(skb, IPVS_DEST_ATTR_WEIGHT, atomic_read(&dest->weight));
79153 NLA_PUT_U32(skb, IPVS_DEST_ATTR_U_THRESH, dest->u_threshold);
79154 NLA_PUT_U32(skb, IPVS_DEST_ATTR_L_THRESH, dest->l_threshold);
79155 diff -urNp linux-2.6.32.49/net/netfilter/ipvs/ip_vs_sync.c linux-2.6.32.49/net/netfilter/ipvs/ip_vs_sync.c
79156 --- linux-2.6.32.49/net/netfilter/ipvs/ip_vs_sync.c 2011-11-08 19:02:43.000000000 -0500
79157 +++ linux-2.6.32.49/net/netfilter/ipvs/ip_vs_sync.c 2011-11-15 19:59:43.000000000 -0500
79158 @@ -438,7 +438,7 @@ static void ip_vs_process_message(const
79159
79160 if (opt)
79161 memcpy(&cp->in_seq, opt, sizeof(*opt));
79162 - atomic_set(&cp->in_pkts, sysctl_ip_vs_sync_threshold[0]);
79163 + atomic_set_unchecked(&cp->in_pkts, sysctl_ip_vs_sync_threshold[0]);
79164 cp->state = state;
79165 cp->old_state = cp->state;
79166 /*
79167 diff -urNp linux-2.6.32.49/net/netfilter/ipvs/ip_vs_xmit.c linux-2.6.32.49/net/netfilter/ipvs/ip_vs_xmit.c
79168 --- linux-2.6.32.49/net/netfilter/ipvs/ip_vs_xmit.c 2011-11-08 19:02:43.000000000 -0500
79169 +++ linux-2.6.32.49/net/netfilter/ipvs/ip_vs_xmit.c 2011-11-15 19:59:43.000000000 -0500
79170 @@ -875,7 +875,7 @@ ip_vs_icmp_xmit(struct sk_buff *skb, str
79171 else
79172 rc = NF_ACCEPT;
79173 /* do not touch skb anymore */
79174 - atomic_inc(&cp->in_pkts);
79175 + atomic_inc_unchecked(&cp->in_pkts);
79176 goto out;
79177 }
79178
79179 @@ -949,7 +949,7 @@ ip_vs_icmp_xmit_v6(struct sk_buff *skb,
79180 else
79181 rc = NF_ACCEPT;
79182 /* do not touch skb anymore */
79183 - atomic_inc(&cp->in_pkts);
79184 + atomic_inc_unchecked(&cp->in_pkts);
79185 goto out;
79186 }
79187
79188 diff -urNp linux-2.6.32.49/net/netfilter/Kconfig linux-2.6.32.49/net/netfilter/Kconfig
79189 --- linux-2.6.32.49/net/netfilter/Kconfig 2011-11-08 19:02:43.000000000 -0500
79190 +++ linux-2.6.32.49/net/netfilter/Kconfig 2011-11-15 19:59:43.000000000 -0500
79191 @@ -635,6 +635,16 @@ config NETFILTER_XT_MATCH_ESP
79192
79193 To compile it as a module, choose M here. If unsure, say N.
79194
79195 +config NETFILTER_XT_MATCH_GRADM
79196 + tristate '"gradm" match support'
79197 + depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
79198 + depends on GRKERNSEC && !GRKERNSEC_NO_RBAC
79199 + ---help---
79200 + The gradm match allows to match on grsecurity RBAC being enabled.
79201 + It is useful when iptables rules are applied early on bootup to
79202 + prevent connections to the machine (except from a trusted host)
79203 + while the RBAC system is disabled.
79204 +
79205 config NETFILTER_XT_MATCH_HASHLIMIT
79206 tristate '"hashlimit" match support'
79207 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
79208 diff -urNp linux-2.6.32.49/net/netfilter/Makefile linux-2.6.32.49/net/netfilter/Makefile
79209 --- linux-2.6.32.49/net/netfilter/Makefile 2011-11-08 19:02:43.000000000 -0500
79210 +++ linux-2.6.32.49/net/netfilter/Makefile 2011-11-15 19:59:43.000000000 -0500
79211 @@ -68,6 +68,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRAC
79212 obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o
79213 obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
79214 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
79215 +obj-$(CONFIG_NETFILTER_XT_MATCH_GRADM) += xt_gradm.o
79216 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
79217 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
79218 obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
79219 diff -urNp linux-2.6.32.49/net/netfilter/nf_conntrack_netlink.c linux-2.6.32.49/net/netfilter/nf_conntrack_netlink.c
79220 --- linux-2.6.32.49/net/netfilter/nf_conntrack_netlink.c 2011-11-08 19:02:43.000000000 -0500
79221 +++ linux-2.6.32.49/net/netfilter/nf_conntrack_netlink.c 2011-11-15 19:59:43.000000000 -0500
79222 @@ -706,7 +706,7 @@ ctnetlink_parse_tuple_proto(struct nlatt
79223 static int
79224 ctnetlink_parse_tuple(const struct nlattr * const cda[],
79225 struct nf_conntrack_tuple *tuple,
79226 - enum ctattr_tuple type, u_int8_t l3num)
79227 + enum ctattr_type type, u_int8_t l3num)
79228 {
79229 struct nlattr *tb[CTA_TUPLE_MAX+1];
79230 int err;
79231 diff -urNp linux-2.6.32.49/net/netfilter/nfnetlink_log.c linux-2.6.32.49/net/netfilter/nfnetlink_log.c
79232 --- linux-2.6.32.49/net/netfilter/nfnetlink_log.c 2011-11-08 19:02:43.000000000 -0500
79233 +++ linux-2.6.32.49/net/netfilter/nfnetlink_log.c 2011-11-15 19:59:43.000000000 -0500
79234 @@ -68,7 +68,7 @@ struct nfulnl_instance {
79235 };
79236
79237 static DEFINE_RWLOCK(instances_lock);
79238 -static atomic_t global_seq;
79239 +static atomic_unchecked_t global_seq;
79240
79241 #define INSTANCE_BUCKETS 16
79242 static struct hlist_head instance_table[INSTANCE_BUCKETS];
79243 @@ -493,7 +493,7 @@ __build_packet_message(struct nfulnl_ins
79244 /* global sequence number */
79245 if (inst->flags & NFULNL_CFG_F_SEQ_GLOBAL)
79246 NLA_PUT_BE32(inst->skb, NFULA_SEQ_GLOBAL,
79247 - htonl(atomic_inc_return(&global_seq)));
79248 + htonl(atomic_inc_return_unchecked(&global_seq)));
79249
79250 if (data_len) {
79251 struct nlattr *nla;
79252 diff -urNp linux-2.6.32.49/net/netfilter/xt_gradm.c linux-2.6.32.49/net/netfilter/xt_gradm.c
79253 --- linux-2.6.32.49/net/netfilter/xt_gradm.c 1969-12-31 19:00:00.000000000 -0500
79254 +++ linux-2.6.32.49/net/netfilter/xt_gradm.c 2011-11-15 19:59:43.000000000 -0500
79255 @@ -0,0 +1,51 @@
79256 +/*
79257 + * gradm match for netfilter
79258 + * Copyright © Zbigniew Krzystolik, 2010
79259 + *
79260 + * This program is free software; you can redistribute it and/or modify
79261 + * it under the terms of the GNU General Public License; either version
79262 + * 2 or 3 as published by the Free Software Foundation.
79263 + */
79264 +#include <linux/module.h>
79265 +#include <linux/moduleparam.h>
79266 +#include <linux/skbuff.h>
79267 +#include <linux/netfilter/x_tables.h>
79268 +#include <linux/grsecurity.h>
79269 +#include <linux/netfilter/xt_gradm.h>
79270 +
79271 +static bool
79272 +gradm_mt(const struct sk_buff *skb, const struct xt_match_param *par)
79273 +{
79274 + const struct xt_gradm_mtinfo *info = par->matchinfo;
79275 + bool retval = false;
79276 + if (gr_acl_is_enabled())
79277 + retval = true;
79278 + return retval ^ info->invflags;
79279 +}
79280 +
79281 +static struct xt_match gradm_mt_reg __read_mostly = {
79282 + .name = "gradm",
79283 + .revision = 0,
79284 + .family = NFPROTO_UNSPEC,
79285 + .match = gradm_mt,
79286 + .matchsize = XT_ALIGN(sizeof(struct xt_gradm_mtinfo)),
79287 + .me = THIS_MODULE,
79288 +};
79289 +
79290 +static int __init gradm_mt_init(void)
79291 +{
79292 + return xt_register_match(&gradm_mt_reg);
79293 +}
79294 +
79295 +static void __exit gradm_mt_exit(void)
79296 +{
79297 + xt_unregister_match(&gradm_mt_reg);
79298 +}
79299 +
79300 +module_init(gradm_mt_init);
79301 +module_exit(gradm_mt_exit);
79302 +MODULE_AUTHOR("Zbigniew Krzystolik <zbyniu@destrukcja.pl>");
79303 +MODULE_DESCRIPTION("Xtables: Grsecurity RBAC match");
79304 +MODULE_LICENSE("GPL");
79305 +MODULE_ALIAS("ipt_gradm");
79306 +MODULE_ALIAS("ip6t_gradm");
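Review bot: `return retval ^ info->invflags;` XORs a bool with the raw `invflags` field, so any value with a bit set above bit 0 makes the match return true whether or not RBAC is enabled. The field's type is defined in xt_gradm.h, outside this hunk, but `gradm_mt_reg` registers no `.checkentry` that would reject such values arriving in the rule blob. For a match meant to gate connections while RBAC is off, I would normalise the flag with `return retval ^ !!info->invflags;`, or add a checkentry that accepts only 0 and 1.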
79307 diff -urNp linux-2.6.32.49/net/netlink/af_netlink.c linux-2.6.32.49/net/netlink/af_netlink.c
79308 --- linux-2.6.32.49/net/netlink/af_netlink.c 2011-11-08 19:02:43.000000000 -0500
79309 +++ linux-2.6.32.49/net/netlink/af_netlink.c 2011-11-15 19:59:43.000000000 -0500
79310 @@ -733,7 +733,7 @@ static void netlink_overrun(struct sock
79311 sk->sk_error_report(sk);
79312 }
79313 }
79314 - atomic_inc(&sk->sk_drops);
79315 + atomic_inc_unchecked(&sk->sk_drops);
79316 }
79317
79318 static struct sock *netlink_getsockbypid(struct sock *ssk, u32 pid)
79319 @@ -1964,15 +1964,23 @@ static int netlink_seq_show(struct seq_f
79320 struct netlink_sock *nlk = nlk_sk(s);
79321
79322 seq_printf(seq, "%p %-3d %-6d %08x %-8d %-8d %p %-8d %-8d\n",
79323 +#ifdef CONFIG_GRKERNSEC_HIDESYM
79324 + NULL,
79325 +#else
79326 s,
79327 +#endif
79328 s->sk_protocol,
79329 nlk->pid,
79330 nlk->groups ? (u32)nlk->groups[0] : 0,
79331 sk_rmem_alloc_get(s),
79332 sk_wmem_alloc_get(s),
79333 +#ifdef CONFIG_GRKERNSEC_HIDESYM
79334 + NULL,
79335 +#else
79336 nlk->cb,
79337 +#endif
79338 atomic_read(&s->sk_refcnt),
79339 - atomic_read(&s->sk_drops)
79340 + atomic_read_unchecked(&s->sk_drops)
79341 );
79342
79343 }
79344 diff -urNp linux-2.6.32.49/net/netrom/af_netrom.c linux-2.6.32.49/net/netrom/af_netrom.c
79345 --- linux-2.6.32.49/net/netrom/af_netrom.c 2011-11-08 19:02:43.000000000 -0500
79346 +++ linux-2.6.32.49/net/netrom/af_netrom.c 2011-11-15 19:59:43.000000000 -0500
79347 @@ -838,6 +838,7 @@ static int nr_getname(struct socket *soc
79348 struct sock *sk = sock->sk;
79349 struct nr_sock *nr = nr_sk(sk);
79350
79351 + memset(sax, 0, sizeof(*sax));
79352 lock_sock(sk);
79353 if (peer != 0) {
79354 if (sk->sk_state != TCP_ESTABLISHED) {
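Review bot: The added `memset(sax, 0, sizeof(*sax));` has no comment, and the second hunk drops `sax25_ndigis = 0` because it now relies on that memset. I would put `/* zero the whole address first: unused fields and padding must not carry stale kernel memory to userspace */` above the memset. That way a later cleanup does not remove it as redundant or move it below one of the branch assignments. The declaration of `sax` and the rest of nr_getname are outside the hunk.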
79355 @@ -852,7 +853,6 @@ static int nr_getname(struct socket *soc
79356 *uaddr_len = sizeof(struct full_sockaddr_ax25);
79357 } else {
79358 sax->fsa_ax25.sax25_family = AF_NETROM;
79359 - sax->fsa_ax25.sax25_ndigis = 0;
79360 sax->fsa_ax25.sax25_call = nr->source_addr;
79361 *uaddr_len = sizeof(struct sockaddr_ax25);
79362 }
79363 diff -urNp linux-2.6.32.49/net/packet/af_packet.c linux-2.6.32.49/net/packet/af_packet.c
79364 --- linux-2.6.32.49/net/packet/af_packet.c 2011-11-08 19:02:43.000000000 -0500
79365 +++ linux-2.6.32.49/net/packet/af_packet.c 2011-11-15 19:59:43.000000000 -0500
79366 @@ -2429,7 +2429,11 @@ static int packet_seq_show(struct seq_fi
79367
79368 seq_printf(seq,
79369 "%p %-6d %-4d %04x %-5d %1d %-6u %-6u %-6lu\n",
79370 +#ifdef CONFIG_GRKERNSEC_HIDESYM
79371 + NULL,
79372 +#else
79373 s,
79374 +#endif
79375 atomic_read(&s->sk_refcnt),
79376 s->sk_type,
79377 ntohs(po->num),
79378 diff -urNp linux-2.6.32.49/net/phonet/af_phonet.c linux-2.6.32.49/net/phonet/af_phonet.c
79379 --- linux-2.6.32.49/net/phonet/af_phonet.c 2011-11-08 19:02:43.000000000 -0500
79380 +++ linux-2.6.32.49/net/phonet/af_phonet.c 2011-11-15 19:59:43.000000000 -0500
79381 @@ -41,7 +41,7 @@ static struct phonet_protocol *phonet_pr
79382 {
79383 struct phonet_protocol *pp;
79384
79385 - if (protocol >= PHONET_NPROTO)
79386 + if (protocol < 0 || protocol >= PHONET_NPROTO)
79387 return NULL;
79388
79389 spin_lock(&proto_tab_lock);
79390 @@ -402,7 +402,7 @@ int __init_or_module phonet_proto_regist
79391 {
79392 int err = 0;
79393
79394 - if (protocol >= PHONET_NPROTO)
79395 + if (protocol < 0 || protocol >= PHONET_NPROTO)
79396 return -EINVAL;
79397
79398 err = proto_register(pp->prot, 1);
79399 diff -urNp linux-2.6.32.49/net/phonet/datagram.c linux-2.6.32.49/net/phonet/datagram.c
79400 --- linux-2.6.32.49/net/phonet/datagram.c 2011-11-08 19:02:43.000000000 -0500
79401 +++ linux-2.6.32.49/net/phonet/datagram.c 2011-11-15 19:59:43.000000000 -0500
79402 @@ -162,7 +162,7 @@ static int pn_backlog_rcv(struct sock *s
79403 if (err < 0) {
79404 kfree_skb(skb);
79405 if (err == -ENOMEM)
79406 - atomic_inc(&sk->sk_drops);
79407 + atomic_inc_unchecked(&sk->sk_drops);
79408 }
79409 return err ? NET_RX_DROP : NET_RX_SUCCESS;
79410 }
79411 diff -urNp linux-2.6.32.49/net/phonet/pep.c linux-2.6.32.49/net/phonet/pep.c
79412 --- linux-2.6.32.49/net/phonet/pep.c 2011-11-08 19:02:43.000000000 -0500
79413 +++ linux-2.6.32.49/net/phonet/pep.c 2011-11-15 19:59:43.000000000 -0500
79414 @@ -348,7 +348,7 @@ static int pipe_do_rcv(struct sock *sk,
79415
79416 case PNS_PEP_CTRL_REQ:
79417 if (skb_queue_len(&pn->ctrlreq_queue) >= PNPIPE_CTRLREQ_MAX) {
79418 - atomic_inc(&sk->sk_drops);
79419 + atomic_inc_unchecked(&sk->sk_drops);
79420 break;
79421 }
79422 __skb_pull(skb, 4);
79423 @@ -362,12 +362,12 @@ static int pipe_do_rcv(struct sock *sk,
79424 if (!err)
79425 return 0;
79426 if (err == -ENOMEM)
79427 - atomic_inc(&sk->sk_drops);
79428 + atomic_inc_unchecked(&sk->sk_drops);
79429 break;
79430 }
79431
79432 if (pn->rx_credits == 0) {
79433 - atomic_inc(&sk->sk_drops);
79434 + atomic_inc_unchecked(&sk->sk_drops);
79435 err = -ENOBUFS;
79436 break;
79437 }
79438 diff -urNp linux-2.6.32.49/net/phonet/socket.c linux-2.6.32.49/net/phonet/socket.c
79439 --- linux-2.6.32.49/net/phonet/socket.c 2011-11-08 19:02:43.000000000 -0500
79440 +++ linux-2.6.32.49/net/phonet/socket.c 2011-11-15 19:59:43.000000000 -0500
79441 @@ -482,8 +482,13 @@ static int pn_sock_seq_show(struct seq_f
79442 sk->sk_state,
79443 sk_wmem_alloc_get(sk), sk_rmem_alloc_get(sk),
79444 sock_i_uid(sk), sock_i_ino(sk),
79445 - atomic_read(&sk->sk_refcnt), sk,
79446 - atomic_read(&sk->sk_drops), &len);
79447 + atomic_read(&sk->sk_refcnt),
79448 +#ifdef CONFIG_GRKERNSEC_HIDESYM
79449 + NULL,
79450 +#else
79451 + sk,
79452 +#endif
79453 + atomic_read_unchecked(&sk->sk_drops), &len);
79454 }
79455 seq_printf(seq, "%*s\n", 127 - len, "");
79456 return 0;
79457 diff -urNp linux-2.6.32.49/net/rds/cong.c linux-2.6.32.49/net/rds/cong.c
79458 --- linux-2.6.32.49/net/rds/cong.c 2011-11-08 19:02:43.000000000 -0500
79459 +++ linux-2.6.32.49/net/rds/cong.c 2011-11-15 19:59:43.000000000 -0500
79460 @@ -77,7 +77,7 @@
79461 * finds that the saved generation number is smaller than the global generation
79462 * number, it wakes up the process.
79463 */
79464 -static atomic_t rds_cong_generation = ATOMIC_INIT(0);
79465 +static atomic_unchecked_t rds_cong_generation = ATOMIC_INIT(0);
79466
79467 /*
79468 * Congestion monitoring
79469 @@ -232,7 +232,7 @@ void rds_cong_map_updated(struct rds_con
79470 rdsdebug("waking map %p for %pI4\n",
79471 map, &map->m_addr);
79472 rds_stats_inc(s_cong_update_received);
79473 - atomic_inc(&rds_cong_generation);
79474 + atomic_inc_unchecked(&rds_cong_generation);
79475 if (waitqueue_active(&map->m_waitq))
79476 wake_up(&map->m_waitq);
79477 if (waitqueue_active(&rds_poll_waitq))
79478 @@ -258,7 +258,7 @@ EXPORT_SYMBOL_GPL(rds_cong_map_updated);
79479
79480 int rds_cong_updated_since(unsigned long *recent)
79481 {
79482 - unsigned long gen = atomic_read(&rds_cong_generation);
79483 + unsigned long gen = atomic_read_unchecked(&rds_cong_generation);
79484
79485 if (likely(*recent == gen))
79486 return 0;
79487 diff -urNp linux-2.6.32.49/net/rds/iw_rdma.c linux-2.6.32.49/net/rds/iw_rdma.c
79488 --- linux-2.6.32.49/net/rds/iw_rdma.c 2011-11-08 19:02:43.000000000 -0500
79489 +++ linux-2.6.32.49/net/rds/iw_rdma.c 2011-11-15 19:59:43.000000000 -0500
79490 @@ -181,6 +181,8 @@ int rds_iw_update_cm_id(struct rds_iw_de
79491 struct rdma_cm_id *pcm_id;
79492 int rc;
79493
79494 + pax_track_stack();
79495 +
79496 src_addr = (struct sockaddr_in *)&cm_id->route.addr.src_addr;
79497 dst_addr = (struct sockaddr_in *)&cm_id->route.addr.dst_addr;
79498
79499 diff -urNp linux-2.6.32.49/net/rds/Kconfig linux-2.6.32.49/net/rds/Kconfig
79500 --- linux-2.6.32.49/net/rds/Kconfig 2011-11-08 19:02:43.000000000 -0500
79501 +++ linux-2.6.32.49/net/rds/Kconfig 2011-11-15 19:59:43.000000000 -0500
79502 @@ -1,7 +1,7 @@
79503
79504 config RDS
79505 tristate "The RDS Protocol (EXPERIMENTAL)"
79506 - depends on INET && EXPERIMENTAL
79507 + depends on INET && EXPERIMENTAL && BROKEN
79508 ---help---
79509 The RDS (Reliable Datagram Sockets) protocol provides reliable,
79510 sequenced delivery of datagrams over Infiniband, iWARP,
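Review bot: The new `depends on INET && EXPERIMENTAL && BROKEN` line makes RDS unselectable in normal configurations, yet nothing in the entry records why. A one-line `#` comment above `depends on`, stating the reason and what must be reviewed before `BROKEN` is dropped, would keep a later maintainer from reverting it as an apparent mistake. The help text continues past the end of this hunk.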
79511 diff -urNp linux-2.6.32.49/net/rds/tcp.c linux-2.6.32.49/net/rds/tcp.c
79512 --- linux-2.6.32.49/net/rds/tcp.c 2011-11-08 19:02:43.000000000 -0500
79513 +++ linux-2.6.32.49/net/rds/tcp.c 2011-11-15 19:59:43.000000000 -0500
79514 @@ -57,7 +57,7 @@ void rds_tcp_nonagle(struct socket *sock
79515 int val = 1;
79516
79517 set_fs(KERNEL_DS);
79518 - sock->ops->setsockopt(sock, SOL_TCP, TCP_NODELAY, (char __user *)&val,
79519 + sock->ops->setsockopt(sock, SOL_TCP, TCP_NODELAY, (char __force_user *)&val,
79520 sizeof(val));
79521 set_fs(oldfs);
79522 }
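Review bot: The `(char __force_user *)&val` cast keeps an open-coded `set_fs(KERNEL_DS)` window around a kernel buffer, although `kernel_setsockopt()` already wraps that sequence and takes a plain kernel pointer. Replacing the three lines with `kernel_setsockopt(sock, SOL_TCP, TCP_NODELAY, (char *)&val, sizeof(val));` removes both the cast and the address-limit switch from this call site. The same applies to the `TCP_CORK` call in the net/rds/tcp_send.c hunk. Both functions start outside their hunks, so the `oldfs` handling there would have to go with it.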
79523 diff -urNp linux-2.6.32.49/net/rds/tcp_send.c linux-2.6.32.49/net/rds/tcp_send.c
79524 --- linux-2.6.32.49/net/rds/tcp_send.c 2011-11-08 19:02:43.000000000 -0500
79525 +++ linux-2.6.32.49/net/rds/tcp_send.c 2011-11-15 19:59:43.000000000 -0500
79526 @@ -43,7 +43,7 @@ static void rds_tcp_cork(struct socket *
79527
79528 oldfs = get_fs();
79529 set_fs(KERNEL_DS);
79530 - sock->ops->setsockopt(sock, SOL_TCP, TCP_CORK, (char __user *)&val,
79531 + sock->ops->setsockopt(sock, SOL_TCP, TCP_CORK, (char __force_user *)&val,
79532 sizeof(val));
79533 set_fs(oldfs);
79534 }
79535 diff -urNp linux-2.6.32.49/net/rxrpc/af_rxrpc.c linux-2.6.32.49/net/rxrpc/af_rxrpc.c
79536 --- linux-2.6.32.49/net/rxrpc/af_rxrpc.c 2011-11-08 19:02:43.000000000 -0500
79537 +++ linux-2.6.32.49/net/rxrpc/af_rxrpc.c 2011-11-15 19:59:43.000000000 -0500
79538 @@ -38,7 +38,7 @@ static const struct proto_ops rxrpc_rpc_
79539 __be32 rxrpc_epoch;
79540
79541 /* current debugging ID */
79542 -atomic_t rxrpc_debug_id;
79543 +atomic_unchecked_t rxrpc_debug_id;
79544
79545 /* count of skbs currently in use */
79546 atomic_t rxrpc_n_skbs;
79547 diff -urNp linux-2.6.32.49/net/rxrpc/ar-ack.c linux-2.6.32.49/net/rxrpc/ar-ack.c
79548 --- linux-2.6.32.49/net/rxrpc/ar-ack.c 2011-11-08 19:02:43.000000000 -0500
79549 +++ linux-2.6.32.49/net/rxrpc/ar-ack.c 2011-11-15 19:59:43.000000000 -0500
79550 @@ -174,7 +174,7 @@ static void rxrpc_resend(struct rxrpc_ca
79551
79552 _enter("{%d,%d,%d,%d},",
79553 call->acks_hard, call->acks_unacked,
79554 - atomic_read(&call->sequence),
79555 + atomic_read_unchecked(&call->sequence),
79556 CIRC_CNT(call->acks_head, call->acks_tail, call->acks_winsz));
79557
79558 stop = 0;
79559 @@ -198,7 +198,7 @@ static void rxrpc_resend(struct rxrpc_ca
79560
79561 /* each Tx packet has a new serial number */
79562 sp->hdr.serial =
79563 - htonl(atomic_inc_return(&call->conn->serial));
79564 + htonl(atomic_inc_return_unchecked(&call->conn->serial));
79565
79566 hdr = (struct rxrpc_header *) txb->head;
79567 hdr->serial = sp->hdr.serial;
79568 @@ -401,7 +401,7 @@ static void rxrpc_rotate_tx_window(struc
79569 */
79570 static void rxrpc_clear_tx_window(struct rxrpc_call *call)
79571 {
79572 - rxrpc_rotate_tx_window(call, atomic_read(&call->sequence));
79573 + rxrpc_rotate_tx_window(call, atomic_read_unchecked(&call->sequence));
79574 }
79575
79576 /*
79577 @@ -627,7 +627,7 @@ process_further:
79578
79579 latest = ntohl(sp->hdr.serial);
79580 hard = ntohl(ack.firstPacket);
79581 - tx = atomic_read(&call->sequence);
79582 + tx = atomic_read_unchecked(&call->sequence);
79583
79584 _proto("Rx ACK %%%u { m=%hu f=#%u p=#%u s=%%%u r=%s n=%u }",
79585 latest,
79586 @@ -840,6 +840,8 @@ void rxrpc_process_call(struct work_stru
79587 u32 abort_code = RX_PROTOCOL_ERROR;
79588 u8 *acks = NULL;
79589
79590 + pax_track_stack();
79591 +
79592 //printk("\n--------------------\n");
79593 _enter("{%d,%s,%lx} [%lu]",
79594 call->debug_id, rxrpc_call_states[call->state], call->events,
79595 @@ -1159,7 +1161,7 @@ void rxrpc_process_call(struct work_stru
79596 goto maybe_reschedule;
79597
79598 send_ACK_with_skew:
79599 - ack.maxSkew = htons(atomic_read(&call->conn->hi_serial) -
79600 + ack.maxSkew = htons(atomic_read_unchecked(&call->conn->hi_serial) -
79601 ntohl(ack.serial));
79602 send_ACK:
79603 mtu = call->conn->trans->peer->if_mtu;
79604 @@ -1171,7 +1173,7 @@ send_ACK:
79605 ackinfo.rxMTU = htonl(5692);
79606 ackinfo.jumbo_max = htonl(4);
79607
79608 - hdr.serial = htonl(atomic_inc_return(&call->conn->serial));
79609 + hdr.serial = htonl(atomic_inc_return_unchecked(&call->conn->serial));
79610 _proto("Tx ACK %%%u { m=%hu f=#%u p=#%u s=%%%u r=%s n=%u }",
79611 ntohl(hdr.serial),
79612 ntohs(ack.maxSkew),
79613 @@ -1189,7 +1191,7 @@ send_ACK:
79614 send_message:
79615 _debug("send message");
79616
79617 - hdr.serial = htonl(atomic_inc_return(&call->conn->serial));
79618 + hdr.serial = htonl(atomic_inc_return_unchecked(&call->conn->serial));
79619 _proto("Tx %s %%%u", rxrpc_pkts[hdr.type], ntohl(hdr.serial));
79620 send_message_2:
79621
79622 diff -urNp linux-2.6.32.49/net/rxrpc/ar-call.c linux-2.6.32.49/net/rxrpc/ar-call.c
79623 --- linux-2.6.32.49/net/rxrpc/ar-call.c 2011-11-08 19:02:43.000000000 -0500
79624 +++ linux-2.6.32.49/net/rxrpc/ar-call.c 2011-11-15 19:59:43.000000000 -0500
79625 @@ -82,7 +82,7 @@ static struct rxrpc_call *rxrpc_alloc_ca
79626 spin_lock_init(&call->lock);
79627 rwlock_init(&call->state_lock);
79628 atomic_set(&call->usage, 1);
79629 - call->debug_id = atomic_inc_return(&rxrpc_debug_id);
79630 + call->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
79631 call->state = RXRPC_CALL_CLIENT_SEND_REQUEST;
79632
79633 memset(&call->sock_node, 0xed, sizeof(call->sock_node));
79634 diff -urNp linux-2.6.32.49/net/rxrpc/ar-connection.c linux-2.6.32.49/net/rxrpc/ar-connection.c
79635 --- linux-2.6.32.49/net/rxrpc/ar-connection.c 2011-11-08 19:02:43.000000000 -0500
79636 +++ linux-2.6.32.49/net/rxrpc/ar-connection.c 2011-11-15 19:59:43.000000000 -0500
79637 @@ -205,7 +205,7 @@ static struct rxrpc_connection *rxrpc_al
79638 rwlock_init(&conn->lock);
79639 spin_lock_init(&conn->state_lock);
79640 atomic_set(&conn->usage, 1);
79641 - conn->debug_id = atomic_inc_return(&rxrpc_debug_id);
79642 + conn->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
79643 conn->avail_calls = RXRPC_MAXCALLS;
79644 conn->size_align = 4;
79645 conn->header_size = sizeof(struct rxrpc_header);
79646 diff -urNp linux-2.6.32.49/net/rxrpc/ar-connevent.c linux-2.6.32.49/net/rxrpc/ar-connevent.c
79647 --- linux-2.6.32.49/net/rxrpc/ar-connevent.c 2011-11-08 19:02:43.000000000 -0500
79648 +++ linux-2.6.32.49/net/rxrpc/ar-connevent.c 2011-11-15 19:59:43.000000000 -0500
79649 @@ -109,7 +109,7 @@ static int rxrpc_abort_connection(struct
79650
79651 len = iov[0].iov_len + iov[1].iov_len;
79652
79653 - hdr.serial = htonl(atomic_inc_return(&conn->serial));
79654 + hdr.serial = htonl(atomic_inc_return_unchecked(&conn->serial));
79655 _proto("Tx CONN ABORT %%%u { %d }", ntohl(hdr.serial), abort_code);
79656
79657 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len);
79658 diff -urNp linux-2.6.32.49/net/rxrpc/ar-input.c linux-2.6.32.49/net/rxrpc/ar-input.c
79659 --- linux-2.6.32.49/net/rxrpc/ar-input.c 2011-11-08 19:02:43.000000000 -0500
79660 +++ linux-2.6.32.49/net/rxrpc/ar-input.c 2011-11-15 19:59:43.000000000 -0500
79661 @@ -339,9 +339,9 @@ void rxrpc_fast_process_packet(struct rx
79662 /* track the latest serial number on this connection for ACK packet
79663 * information */
79664 serial = ntohl(sp->hdr.serial);
79665 - hi_serial = atomic_read(&call->conn->hi_serial);
79666 + hi_serial = atomic_read_unchecked(&call->conn->hi_serial);
79667 while (serial > hi_serial)
79668 - hi_serial = atomic_cmpxchg(&call->conn->hi_serial, hi_serial,
79669 + hi_serial = atomic_cmpxchg_unchecked(&call->conn->hi_serial, hi_serial,
79670 serial);
79671
79672 /* request ACK generation for any ACK or DATA packet that requests
79673 diff -urNp linux-2.6.32.49/net/rxrpc/ar-internal.h linux-2.6.32.49/net/rxrpc/ar-internal.h
79674 --- linux-2.6.32.49/net/rxrpc/ar-internal.h 2011-11-08 19:02:43.000000000 -0500
79675 +++ linux-2.6.32.49/net/rxrpc/ar-internal.h 2011-11-15 19:59:43.000000000 -0500
79676 @@ -272,8 +272,8 @@ struct rxrpc_connection {
79677 int error; /* error code for local abort */
79678 int debug_id; /* debug ID for printks */
79679 unsigned call_counter; /* call ID counter */
79680 - atomic_t serial; /* packet serial number counter */
79681 - atomic_t hi_serial; /* highest serial number received */
79682 + atomic_unchecked_t serial; /* packet serial number counter */
79683 + atomic_unchecked_t hi_serial; /* highest serial number received */
79684 u8 avail_calls; /* number of calls available */
79685 u8 size_align; /* data size alignment (for security) */
79686 u8 header_size; /* rxrpc + security header size */
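Review bot: The field comments on `serial` and `hi_serial` do not say that these counters are now allowed to wrap, which is what the switch to `atomic_unchecked_t` expresses. Extending them, e.g. `atomic_unchecked_t serial; /* packet serial number counter (may wrap, not a refcount) */`, would document why they are exempt while the `usage` counters stay `atomic_t`. The same short addition fits `sequence` in the `struct rxrpc_call` hunk that follows. Both structs start and end outside their hunks.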
79687 @@ -346,7 +346,7 @@ struct rxrpc_call {
79688 spinlock_t lock;
79689 rwlock_t state_lock; /* lock for state transition */
79690 atomic_t usage;
79691 - atomic_t sequence; /* Tx data packet sequence counter */
79692 + atomic_unchecked_t sequence; /* Tx data packet sequence counter */
79693 u32 abort_code; /* local/remote abort code */
79694 enum { /* current state of call */
79695 RXRPC_CALL_CLIENT_SEND_REQUEST, /* - client sending request phase */
79696 @@ -420,7 +420,7 @@ static inline void rxrpc_abort_call(stru
79697 */
79698 extern atomic_t rxrpc_n_skbs;
79699 extern __be32 rxrpc_epoch;
79700 -extern atomic_t rxrpc_debug_id;
79701 +extern atomic_unchecked_t rxrpc_debug_id;
79702 extern struct workqueue_struct *rxrpc_workqueue;
79703
79704 /*
79705 diff -urNp linux-2.6.32.49/net/rxrpc/ar-key.c linux-2.6.32.49/net/rxrpc/ar-key.c
79706 --- linux-2.6.32.49/net/rxrpc/ar-key.c 2011-11-08 19:02:43.000000000 -0500
79707 +++ linux-2.6.32.49/net/rxrpc/ar-key.c 2011-11-15 19:59:43.000000000 -0500
79708 @@ -88,11 +88,11 @@ static int rxrpc_instantiate_xdr_rxkad(s
79709 return ret;
79710
79711 plen -= sizeof(*token);
79712 - token = kmalloc(sizeof(*token), GFP_KERNEL);
79713 + token = kzalloc(sizeof(*token), GFP_KERNEL);
79714 if (!token)
79715 return -ENOMEM;
79716
79717 - token->kad = kmalloc(plen, GFP_KERNEL);
79718 + token->kad = kzalloc(plen, GFP_KERNEL);
79719 if (!token->kad) {
79720 kfree(token);
79721 return -ENOMEM;
79722 @@ -730,10 +730,10 @@ static int rxrpc_instantiate(struct key
79723 goto error;
79724
79725 ret = -ENOMEM;
79726 - token = kmalloc(sizeof(*token), GFP_KERNEL);
79727 + token = kzalloc(sizeof(*token), GFP_KERNEL);
79728 if (!token)
79729 goto error;
79730 - token->kad = kmalloc(plen, GFP_KERNEL);
79731 + token->kad = kzalloc(plen, GFP_KERNEL);
79732 if (!token->kad)
79733 goto error_free;
79734
79735 diff -urNp linux-2.6.32.49/net/rxrpc/ar-local.c linux-2.6.32.49/net/rxrpc/ar-local.c
79736 --- linux-2.6.32.49/net/rxrpc/ar-local.c 2011-11-08 19:02:43.000000000 -0500
79737 +++ linux-2.6.32.49/net/rxrpc/ar-local.c 2011-11-15 19:59:43.000000000 -0500
79738 @@ -44,7 +44,7 @@ struct rxrpc_local *rxrpc_alloc_local(st
79739 spin_lock_init(&local->lock);
79740 rwlock_init(&local->services_lock);
79741 atomic_set(&local->usage, 1);
79742 - local->debug_id = atomic_inc_return(&rxrpc_debug_id);
79743 + local->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
79744 memcpy(&local->srx, srx, sizeof(*srx));
79745 }
79746
79747 diff -urNp linux-2.6.32.49/net/rxrpc/ar-output.c linux-2.6.32.49/net/rxrpc/ar-output.c
79748 --- linux-2.6.32.49/net/rxrpc/ar-output.c 2011-11-08 19:02:43.000000000 -0500
79749 +++ linux-2.6.32.49/net/rxrpc/ar-output.c 2011-11-15 19:59:43.000000000 -0500
79750 @@ -680,9 +680,9 @@ static int rxrpc_send_data(struct kiocb
79751 sp->hdr.cid = call->cid;
79752 sp->hdr.callNumber = call->call_id;
79753 sp->hdr.seq =
79754 - htonl(atomic_inc_return(&call->sequence));
79755 + htonl(atomic_inc_return_unchecked(&call->sequence));
79756 sp->hdr.serial =
79757 - htonl(atomic_inc_return(&conn->serial));
79758 + htonl(atomic_inc_return_unchecked(&conn->serial));
79759 sp->hdr.type = RXRPC_PACKET_TYPE_DATA;
79760 sp->hdr.userStatus = 0;
79761 sp->hdr.securityIndex = conn->security_ix;
79762 diff -urNp linux-2.6.32.49/net/rxrpc/ar-peer.c linux-2.6.32.49/net/rxrpc/ar-peer.c
79763 --- linux-2.6.32.49/net/rxrpc/ar-peer.c 2011-11-08 19:02:43.000000000 -0500
79764 +++ linux-2.6.32.49/net/rxrpc/ar-peer.c 2011-11-15 19:59:43.000000000 -0500
79765 @@ -86,7 +86,7 @@ static struct rxrpc_peer *rxrpc_alloc_pe
79766 INIT_LIST_HEAD(&peer->error_targets);
79767 spin_lock_init(&peer->lock);
79768 atomic_set(&peer->usage, 1);
79769 - peer->debug_id = atomic_inc_return(&rxrpc_debug_id);
79770 + peer->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
79771 memcpy(&peer->srx, srx, sizeof(*srx));
79772
79773 rxrpc_assess_MTU_size(peer);
79774 diff -urNp linux-2.6.32.49/net/rxrpc/ar-proc.c linux-2.6.32.49/net/rxrpc/ar-proc.c
79775 --- linux-2.6.32.49/net/rxrpc/ar-proc.c 2011-11-08 19:02:43.000000000 -0500
79776 +++ linux-2.6.32.49/net/rxrpc/ar-proc.c 2011-11-15 19:59:43.000000000 -0500
79777 @@ -164,8 +164,8 @@ static int rxrpc_connection_seq_show(str
79778 atomic_read(&conn->usage),
79779 rxrpc_conn_states[conn->state],
79780 key_serial(conn->key),
79781 - atomic_read(&conn->serial),
79782 - atomic_read(&conn->hi_serial));
79783 + atomic_read_unchecked(&conn->serial),
79784 + atomic_read_unchecked(&conn->hi_serial));
79785
79786 return 0;
79787 }
79788 diff -urNp linux-2.6.32.49/net/rxrpc/ar-transport.c linux-2.6.32.49/net/rxrpc/ar-transport.c
79789 --- linux-2.6.32.49/net/rxrpc/ar-transport.c 2011-11-08 19:02:43.000000000 -0500
79790 +++ linux-2.6.32.49/net/rxrpc/ar-transport.c 2011-11-15 19:59:43.000000000 -0500
79791 @@ -46,7 +46,7 @@ static struct rxrpc_transport *rxrpc_all
79792 spin_lock_init(&trans->client_lock);
79793 rwlock_init(&trans->conn_lock);
79794 atomic_set(&trans->usage, 1);
79795 - trans->debug_id = atomic_inc_return(&rxrpc_debug_id);
79796 + trans->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
79797
79798 if (peer->srx.transport.family == AF_INET) {
79799 switch (peer->srx.transport_type) {
79800 diff -urNp linux-2.6.32.49/net/rxrpc/rxkad.c linux-2.6.32.49/net/rxrpc/rxkad.c
79801 --- linux-2.6.32.49/net/rxrpc/rxkad.c 2011-11-08 19:02:43.000000000 -0500
79802 +++ linux-2.6.32.49/net/rxrpc/rxkad.c 2011-11-15 19:59:43.000000000 -0500
79803 @@ -210,6 +210,8 @@ static int rxkad_secure_packet_encrypt(c
79804 u16 check;
79805 int nsg;
79806
79807 + pax_track_stack();
79808 +
79809 sp = rxrpc_skb(skb);
79810
79811 _enter("");
79812 @@ -337,6 +339,8 @@ static int rxkad_verify_packet_auth(cons
79813 u16 check;
79814 int nsg;
79815
79816 + pax_track_stack();
79817 +
79818 _enter("");
79819
79820 sp = rxrpc_skb(skb);
79821 @@ -609,7 +613,7 @@ static int rxkad_issue_challenge(struct
79822
79823 len = iov[0].iov_len + iov[1].iov_len;
79824
79825 - hdr.serial = htonl(atomic_inc_return(&conn->serial));
79826 + hdr.serial = htonl(atomic_inc_return_unchecked(&conn->serial));
79827 _proto("Tx CHALLENGE %%%u", ntohl(hdr.serial));
79828
79829 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len);
79830 @@ -659,7 +663,7 @@ static int rxkad_send_response(struct rx
79831
79832 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
79833
79834 - hdr->serial = htonl(atomic_inc_return(&conn->serial));
79835 + hdr->serial = htonl(atomic_inc_return_unchecked(&conn->serial));
79836 _proto("Tx RESPONSE %%%u", ntohl(hdr->serial));
79837
79838 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len);
79839 diff -urNp linux-2.6.32.49/net/sctp/proc.c linux-2.6.32.49/net/sctp/proc.c
79840 --- linux-2.6.32.49/net/sctp/proc.c 2011-11-08 19:02:43.000000000 -0500
79841 +++ linux-2.6.32.49/net/sctp/proc.c 2011-11-15 19:59:43.000000000 -0500
79842 @@ -213,7 +213,12 @@ static int sctp_eps_seq_show(struct seq_
79843 sctp_for_each_hentry(epb, node, &head->chain) {
79844 ep = sctp_ep(epb);
79845 sk = epb->sk;
79846 - seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ", ep, sk,
79847 + seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ",
79848 +#ifdef CONFIG_GRKERNSEC_HIDESYM
79849 + NULL, NULL,
79850 +#else
79851 + ep, sk,
79852 +#endif
79853 sctp_sk(sk)->type, sk->sk_state, hash,
79854 epb->bind_addr.port,
79855 sock_i_uid(sk), sock_i_ino(sk));
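Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` block sits inside the `seq_printf()` argument list here and again in the `sctp_assocs_seq_show` hunk, which makes the call hard to read and easy to get out of step with the format string. A helper defined once near the top of the file, for example `#define SCTP_PROC_PTR(p) NULL` under the option and `#define SCTP_PROC_PTR(p) (p)` otherwise (the name is only a suggestion), lets both calls pass `SCTP_PROC_PTR(ep), SCTP_PROC_PTR(sk),` with no conditional at the call site. Both functions extend beyond their hunks.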
79856 @@ -320,7 +325,12 @@ static int sctp_assocs_seq_show(struct s
79857 seq_printf(seq,
79858 "%8p %8p %-3d %-3d %-2d %-4d "
79859 "%4d %8d %8d %7d %5lu %-5d %5d ",
79860 - assoc, sk, sctp_sk(sk)->type, sk->sk_state,
79861 +#ifdef CONFIG_GRKERNSEC_HIDESYM
79862 + NULL, NULL,
79863 +#else
79864 + assoc, sk,
79865 +#endif
79866 + sctp_sk(sk)->type, sk->sk_state,
79867 assoc->state, hash,
79868 assoc->assoc_id,
79869 assoc->sndbuf_used,
79870 diff -urNp linux-2.6.32.49/net/sctp/socket.c linux-2.6.32.49/net/sctp/socket.c
79871 --- linux-2.6.32.49/net/sctp/socket.c 2011-11-08 19:02:43.000000000 -0500
79872 +++ linux-2.6.32.49/net/sctp/socket.c 2011-11-15 19:59:43.000000000 -0500
79873 @@ -5802,7 +5802,6 @@ pp_found:
79874 */
79875 int reuse = sk->sk_reuse;
79876 struct sock *sk2;
79877 - struct hlist_node *node;
79878
79879 SCTP_DEBUG_PRINTK("sctp_get_port() found a possible match\n");
79880 if (pp->fastreuse && sk->sk_reuse &&
79881 diff -urNp linux-2.6.32.49/net/socket.c linux-2.6.32.49/net/socket.c
79882 --- linux-2.6.32.49/net/socket.c 2011-11-08 19:02:43.000000000 -0500
79883 +++ linux-2.6.32.49/net/socket.c 2011-11-15 19:59:43.000000000 -0500
79884 @@ -87,6 +87,7 @@
79885 #include <linux/wireless.h>
79886 #include <linux/nsproxy.h>
79887 #include <linux/magic.h>
79888 +#include <linux/in.h>
79889
79890 #include <asm/uaccess.h>
79891 #include <asm/unistd.h>
79892 @@ -97,6 +98,21 @@
79893 #include <net/sock.h>
79894 #include <linux/netfilter.h>
79895
79896 +extern void gr_attach_curr_ip(const struct sock *sk);
79897 +extern int gr_handle_sock_all(const int family, const int type,
79898 + const int protocol);
79899 +extern int gr_handle_sock_server(const struct sockaddr *sck);
79900 +extern int gr_handle_sock_server_other(const struct sock *sck);
79901 +extern int gr_handle_sock_client(const struct sockaddr *sck);
79902 +extern int gr_search_connect(struct socket * sock,
79903 + struct sockaddr_in * addr);
79904 +extern int gr_search_bind(struct socket * sock,
79905 + struct sockaddr_in * addr);
79906 +extern int gr_search_listen(struct socket * sock);
79907 +extern int gr_search_accept(struct socket * sock);
79908 +extern int gr_search_socket(const int domain, const int type,
79909 + const int protocol);
79910 +
79911 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
79912 static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
79913 unsigned long nr_segs, loff_t pos);
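Review bot: These `extern` prototypes are declared inside net/socket.c itself, so the compiler never checks them against the definitions and a signature change on the other side would go unnoticed. They belong in a header that both the definitions and this file include. The call sites added further down also show three return conventions: `gr_search_socket()` denies on zero, the `gr_handle_sock_*()` calls deny on non-zero, and `gr_search_bind()`, `gr_search_connect()`, `gr_search_listen()` and `gr_search_accept()` return an error code. Each group should carry a one-line comment stating its convention, e.g. `/* returns non-zero if the operation must be denied */`.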
79914 @@ -298,7 +314,7 @@ static int sockfs_get_sb(struct file_sys
79915 mnt);
79916 }
79917
79918 -static struct vfsmount *sock_mnt __read_mostly;
79919 +struct vfsmount *sock_mnt __read_mostly;
79920
79921 static struct file_system_type sock_fs_type = {
79922 .name = "sockfs",
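Review bot: Dropping `static` from `sock_mnt` exposes the symbol to the rest of the kernel, but no declaration or user is visible in this file's hunks. A matching `extern struct vfsmount *sock_mnt;` in a shared header, plus a short comment here naming the consumer, would make the wider linkage clearly intentional rather than something a later cleanup turns back into `static`.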
79923 @@ -1154,6 +1170,8 @@ static int __sock_create(struct net *net
79924 return -EAFNOSUPPORT;
79925 if (type < 0 || type >= SOCK_MAX)
79926 return -EINVAL;
79927 + if (protocol < 0)
79928 + return -EINVAL;
79929
79930 /* Compatibility.
79931
79932 @@ -1283,6 +1301,16 @@ SYSCALL_DEFINE3(socket, int, family, int
79933 if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
79934 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
79935
79936 + if(!gr_search_socket(family, type, protocol)) {
79937 + retval = -EACCES;
79938 + goto out;
79939 + }
79940 +
79941 + if (gr_handle_sock_all(family, type, protocol)) {
79942 + retval = -EACCES;
79943 + goto out;
79944 + }
79945 +
79946 retval = sock_create(family, type, protocol, &sock);
79947 if (retval < 0)
79948 goto out;
79949 @@ -1415,6 +1443,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
79950 if (sock) {
79951 err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
79952 if (err >= 0) {
79953 + if (gr_handle_sock_server((struct sockaddr *)&address)) {
79954 + err = -EACCES;
79955 + goto error;
79956 + }
79957 + err = gr_search_bind(sock, (struct sockaddr_in *)&address);
79958 + if (err)
79959 + goto error;
79960 +
79961 err = security_socket_bind(sock,
79962 (struct sockaddr *)&address,
79963 addrlen);
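Review bot: `gr_handle_sock_server()` and `gr_search_bind()` are handed `address` without `addrlen`, and `gr_search_bind()` receives it cast to `struct sockaddr_in *` whatever the socket family is. After `move_addr_to_kernel()` only the first `addrlen` bytes of `address` are known to hold caller-supplied data, so unless the callees (not visible here) check family and length themselves, they may interpret stack bytes that were never copied in. Passing the length through, e.g. `err = gr_search_bind(sock, (struct sockaddr_in *)&address, addrlen);`, lets the hook refuse to read fields beyond it. The connect hunk has the same pattern with `gr_handle_sock_client(sck)` and `gr_search_connect(sock, (struct sockaddr_in *)sck)`.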
79964 @@ -1423,6 +1459,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
79965 (struct sockaddr *)
79966 &address, addrlen);
79967 }
79968 +error:
79969 fput_light(sock->file, fput_needed);
79970 }
79971 return err;
79972 @@ -1446,10 +1483,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, ba
79973 if ((unsigned)backlog > somaxconn)
79974 backlog = somaxconn;
79975
79976 + if (gr_handle_sock_server_other(sock->sk)) {
79977 + err = -EPERM;
79978 + goto error;
79979 + }
79980 +
79981 + err = gr_search_listen(sock);
79982 + if (err)
79983 + goto error;
79984 +
79985 err = security_socket_listen(sock, backlog);
79986 if (!err)
79987 err = sock->ops->listen(sock, backlog);
79988
79989 +error:
79990 fput_light(sock->file, fput_needed);
79991 }
79992 return err;
79993 @@ -1492,6 +1539,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
79994 newsock->type = sock->type;
79995 newsock->ops = sock->ops;
79996
79997 + if (gr_handle_sock_server_other(sock->sk)) {
79998 + err = -EPERM;
79999 + sock_release(newsock);
80000 + goto out_put;
80001 + }
80002 +
80003 + err = gr_search_accept(sock);
80004 + if (err) {
80005 + sock_release(newsock);
80006 + goto out_put;
80007 + }
80008 +
80009 /*
80010 * We don't need try_module_get here, as the listening socket (sock)
80011 * has the protocol module (sock->ops->owner) held.
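Review bot: Both early exits call `sock_release(newsock)` after `newsock->ops = sock->ops` but before the point the following comment refers to, where the protocol module reference for `newsock` is presumably taken (that line is outside the hunk). `sock_release()` drops a module reference whenever `sock->ops` is set, so a denied accept looks like it puts a reference that was never obtained. Neither check uses `newsock`, so running them before `newsock` is set up avoids the release altogether: a plain `err = -EPERM; goto out_put;` for the first and `if (err) goto out_put;` for the second. The function starts and ends outside this hunk, so the exact placement needs checking against the full body.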
80012 @@ -1534,6 +1593,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
80013 fd_install(newfd, newfile);
80014 err = newfd;
80015
80016 + gr_attach_curr_ip(newsock->sk);
80017 +
80018 out_put:
80019 fput_light(sock->file, fput_needed);
80020 out:
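Review bot: `gr_attach_curr_ip(newsock->sk)` runs after `fd_install(newfd, newfile)`, when the descriptor is already visible to other threads sharing the file table and a concurrent close can release the socket. Dereferencing `newsock` at that point leaves a use-after-free window. The call should move above `fd_install()`, so the order becomes `gr_attach_curr_ip(newsock->sk);` then `fd_install(newfd, newfile);`. The rest of accept4 lies outside this hunk.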
80021 @@ -1571,6 +1632,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct
80022 int, addrlen)
80023 {
80024 struct socket *sock;
80025 + struct sockaddr *sck;
80026 struct sockaddr_storage address;
80027 int err, fput_needed;
80028
80029 @@ -1581,6 +1643,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct
80030 if (err < 0)
80031 goto out_put;
80032
80033 + sck = (struct sockaddr *)&address;
80034 +
80035 + if (gr_handle_sock_client(sck)) {
80036 + err = -EACCES;
80037 + goto out_put;
80038 + }
80039 +
80040 + err = gr_search_connect(sock, (struct sockaddr_in *)sck);
80041 + if (err)
80042 + goto out_put;
80043 +
80044 err =
80045 security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
80046 if (err)
80047 @@ -1882,6 +1955,8 @@ SYSCALL_DEFINE3(sendmsg, int, fd, struct
80048 int err, ctl_len, iov_size, total_len;
80049 int fput_needed;
80050
80051 + pax_track_stack();
80052 +
80053 err = -EFAULT;
80054 if (MSG_CMSG_COMPAT & flags) {
80055 if (get_compat_msghdr(&msg_sys, msg_compat))
80056 @@ -2022,7 +2097,7 @@ SYSCALL_DEFINE3(recvmsg, int, fd, struct
80057 * kernel msghdr to use the kernel address space)
80058 */
80059
80060 - uaddr = (__force void __user *)msg_sys.msg_name;
80061 + uaddr = (void __force_user *)msg_sys.msg_name;
80062 uaddr_len = COMPAT_NAMELEN(msg);
80063 if (MSG_CMSG_COMPAT & flags) {
80064 err = verify_compat_iovec(&msg_sys, iov,
80065 diff -urNp linux-2.6.32.49/net/sunrpc/sched.c linux-2.6.32.49/net/sunrpc/sched.c
80066 --- linux-2.6.32.49/net/sunrpc/sched.c 2011-11-08 19:02:43.000000000 -0500
80067 +++ linux-2.6.32.49/net/sunrpc/sched.c 2011-11-15 19:59:43.000000000 -0500
80068 @@ -234,10 +234,10 @@ static int rpc_wait_bit_killable(void *w
80069 #ifdef RPC_DEBUG
80070 static void rpc_task_set_debuginfo(struct rpc_task *task)
80071 {
80072 - static atomic_t rpc_pid;
80073 + static atomic_unchecked_t rpc_pid;
80074
80075 task->tk_magic = RPC_TASK_MAGIC_ID;
80076 - task->tk_pid = atomic_inc_return(&rpc_pid);
80077 + task->tk_pid = atomic_inc_return_unchecked(&rpc_pid);
80078 }
80079 #else
80080 static inline void rpc_task_set_debuginfo(struct rpc_task *task)
80081 diff -urNp linux-2.6.32.49/net/sunrpc/xprtrdma/svc_rdma.c linux-2.6.32.49/net/sunrpc/xprtrdma/svc_rdma.c
80082 --- linux-2.6.32.49/net/sunrpc/xprtrdma/svc_rdma.c 2011-11-08 19:02:43.000000000 -0500
80083 +++ linux-2.6.32.49/net/sunrpc/xprtrdma/svc_rdma.c 2011-11-15 19:59:43.000000000 -0500
80084 @@ -59,15 +59,15 @@ unsigned int svcrdma_max_req_size = RPCR
80085 static unsigned int min_max_inline = 4096;
80086 static unsigned int max_max_inline = 65536;
80087
80088 -atomic_t rdma_stat_recv;
80089 -atomic_t rdma_stat_read;
80090 -atomic_t rdma_stat_write;
80091 -atomic_t rdma_stat_sq_starve;
80092 -atomic_t rdma_stat_rq_starve;
80093 -atomic_t rdma_stat_rq_poll;
80094 -atomic_t rdma_stat_rq_prod;
80095 -atomic_t rdma_stat_sq_poll;
80096 -atomic_t rdma_stat_sq_prod;
80097 +atomic_unchecked_t rdma_stat_recv;
80098 +atomic_unchecked_t rdma_stat_read;
80099 +atomic_unchecked_t rdma_stat_write;
80100 +atomic_unchecked_t rdma_stat_sq_starve;
80101 +atomic_unchecked_t rdma_stat_rq_starve;
80102 +atomic_unchecked_t rdma_stat_rq_poll;
80103 +atomic_unchecked_t rdma_stat_rq_prod;
80104 +atomic_unchecked_t rdma_stat_sq_poll;
80105 +atomic_unchecked_t rdma_stat_sq_prod;
80106
80107 /* Temporary NFS request map and context caches */
80108 struct kmem_cache *svc_rdma_map_cachep;
80109 @@ -105,7 +105,7 @@ static int read_reset_stat(ctl_table *ta
80110 len -= *ppos;
80111 if (len > *lenp)
80112 len = *lenp;
80113 - if (len && copy_to_user(buffer, str_buf, len))
80114 + if (len > sizeof str_buf || (len && copy_to_user(buffer, str_buf, len)))
80115 return -EFAULT;
80116 *lenp = len;
80117 *ppos += len;
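Review bot: The added `len > sizeof str_buf` test compares what appears to be a signed `len` (its declaration is outside the hunk) with a `size_t`, so it relies on the implicit conversion to reject negative values as well, and it reports a length problem as `-EFAULT`. A separate check, `if (len < 0 || len > sizeof(str_buf)) return -EINVAL;`, states the intent and keeps `-EFAULT` for a failed `copy_to_user()`. Since the counters this handler serves become `atomic_unchecked_t` in this file, it is also worth confirming that the handler reads and resets them through the `_unchecked` accessors; that part of the body is not shown.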
80118 @@ -149,63 +149,63 @@ static ctl_table svcrdma_parm_table[] =
80119 {
80120 .procname = "rdma_stat_read",
80121 .data = &rdma_stat_read,
80122 - .maxlen = sizeof(atomic_t),
80123 + .maxlen = sizeof(atomic_unchecked_t),
80124 .mode = 0644,
80125 .proc_handler = &read_reset_stat,
80126 },
80127 {
80128 .procname = "rdma_stat_recv",
80129 .data = &rdma_stat_recv,
80130 - .maxlen = sizeof(atomic_t),
80131 + .maxlen = sizeof(atomic_unchecked_t),
80132 .mode = 0644,
80133 .proc_handler = &read_reset_stat,
80134 },
80135 {
80136 .procname = "rdma_stat_write",
80137 .data = &rdma_stat_write,
80138 - .maxlen = sizeof(atomic_t),
80139 + .maxlen = sizeof(atomic_unchecked_t),
80140 .mode = 0644,
80141 .proc_handler = &read_reset_stat,
80142 },
80143 {
80144 .procname = "rdma_stat_sq_starve",
80145 .data = &rdma_stat_sq_starve,
80146 - .maxlen = sizeof(atomic_t),
80147 + .maxlen = sizeof(atomic_unchecked_t),
80148 .mode = 0644,
80149 .proc_handler = &read_reset_stat,
80150 },
80151 {
80152 .procname = "rdma_stat_rq_starve",
80153 .data = &rdma_stat_rq_starve,
80154 - .maxlen = sizeof(atomic_t),
80155 + .maxlen = sizeof(atomic_unchecked_t),
80156 .mode = 0644,
80157 .proc_handler = &read_reset_stat,
80158 },
80159 {
80160 .procname = "rdma_stat_rq_poll",
80161 .data = &rdma_stat_rq_poll,
80162 - .maxlen = sizeof(atomic_t),
80163 + .maxlen = sizeof(atomic_unchecked_t),
80164 .mode = 0644,
80165 .proc_handler = &read_reset_stat,
80166 },
80167 {
80168 .procname = "rdma_stat_rq_prod",
80169 .data = &rdma_stat_rq_prod,
80170 - .maxlen = sizeof(atomic_t),
80171 + .maxlen = sizeof(atomic_unchecked_t),
80172 .mode = 0644,
80173 .proc_handler = &read_reset_stat,
80174 },
80175 {
80176 .procname = "rdma_stat_sq_poll",
80177 .data = &rdma_stat_sq_poll,
80178 - .maxlen = sizeof(atomic_t),
80179 + .maxlen = sizeof(atomic_unchecked_t),
80180 .mode = 0644,
80181 .proc_handler = &read_reset_stat,
80182 },
80183 {
80184 .procname = "rdma_stat_sq_prod",
80185 .data = &rdma_stat_sq_prod,
80186 - .maxlen = sizeof(atomic_t),
80187 + .maxlen = sizeof(atomic_unchecked_t),
80188 .mode = 0644,
80189 .proc_handler = &read_reset_stat,
80190 },
80191 diff -urNp linux-2.6.32.49/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c linux-2.6.32.49/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
80192 --- linux-2.6.32.49/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c 2011-11-08 19:02:43.000000000 -0500
80193 +++ linux-2.6.32.49/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c 2011-11-15 19:59:43.000000000 -0500
80194 @@ -495,7 +495,7 @@ next_sge:
80195 svc_rdma_put_context(ctxt, 0);
80196 goto out;
80197 }
80198 - atomic_inc(&rdma_stat_read);
80199 + atomic_inc_unchecked(&rdma_stat_read);
80200
80201 if (read_wr.num_sge < chl_map->ch[ch_no].count) {
80202 chl_map->ch[ch_no].count -= read_wr.num_sge;
80203 @@ -606,7 +606,7 @@ int svc_rdma_recvfrom(struct svc_rqst *r
80204 dto_q);
80205 list_del_init(&ctxt->dto_q);
80206 } else {
80207 - atomic_inc(&rdma_stat_rq_starve);
80208 + atomic_inc_unchecked(&rdma_stat_rq_starve);
80209 clear_bit(XPT_DATA, &xprt->xpt_flags);
80210 ctxt = NULL;
80211 }
80212 @@ -626,7 +626,7 @@ int svc_rdma_recvfrom(struct svc_rqst *r
80213 dprintk("svcrdma: processing ctxt=%p on xprt=%p, rqstp=%p, status=%d\n",
80214 ctxt, rdma_xprt, rqstp, ctxt->wc_status);
80215 BUG_ON(ctxt->wc_status != IB_WC_SUCCESS);
80216 - atomic_inc(&rdma_stat_recv);
80217 + atomic_inc_unchecked(&rdma_stat_recv);
80218
80219 /* Build up the XDR from the receive buffers. */
80220 rdma_build_arg_xdr(rqstp, ctxt, ctxt->byte_len);
80221 diff -urNp linux-2.6.32.49/net/sunrpc/xprtrdma/svc_rdma_sendto.c linux-2.6.32.49/net/sunrpc/xprtrdma/svc_rdma_sendto.c
80222 --- linux-2.6.32.49/net/sunrpc/xprtrdma/svc_rdma_sendto.c 2011-11-08 19:02:43.000000000 -0500
80223 +++ linux-2.6.32.49/net/sunrpc/xprtrdma/svc_rdma_sendto.c 2011-11-15 19:59:43.000000000 -0500
80224 @@ -328,7 +328,7 @@ static int send_write(struct svcxprt_rdm
80225 write_wr.wr.rdma.remote_addr = to;
80226
80227 /* Post It */
80228 - atomic_inc(&rdma_stat_write);
80229 + atomic_inc_unchecked(&rdma_stat_write);
80230 if (svc_rdma_send(xprt, &write_wr))
80231 goto err;
80232 return 0;
80233 diff -urNp linux-2.6.32.49/net/sunrpc/xprtrdma/svc_rdma_transport.c linux-2.6.32.49/net/sunrpc/xprtrdma/svc_rdma_transport.c
80234 --- linux-2.6.32.49/net/sunrpc/xprtrdma/svc_rdma_transport.c 2011-11-08 19:02:43.000000000 -0500
80235 +++ linux-2.6.32.49/net/sunrpc/xprtrdma/svc_rdma_transport.c 2011-11-15 19:59:43.000000000 -0500
80236 @@ -292,7 +292,7 @@ static void rq_cq_reap(struct svcxprt_rd
80237 return;
80238
80239 ib_req_notify_cq(xprt->sc_rq_cq, IB_CQ_NEXT_COMP);
80240 - atomic_inc(&rdma_stat_rq_poll);
80241 + atomic_inc_unchecked(&rdma_stat_rq_poll);
80242
80243 while ((ret = ib_poll_cq(xprt->sc_rq_cq, 1, &wc)) > 0) {
80244 ctxt = (struct svc_rdma_op_ctxt *)(unsigned long)wc.wr_id;
80245 @@ -314,7 +314,7 @@ static void rq_cq_reap(struct svcxprt_rd
80246 }
80247
80248 if (ctxt)
80249 - atomic_inc(&rdma_stat_rq_prod);
80250 + atomic_inc_unchecked(&rdma_stat_rq_prod);
80251
80252 set_bit(XPT_DATA, &xprt->sc_xprt.xpt_flags);
80253 /*
80254 @@ -386,7 +386,7 @@ static void sq_cq_reap(struct svcxprt_rd
80255 return;
80256
80257 ib_req_notify_cq(xprt->sc_sq_cq, IB_CQ_NEXT_COMP);
80258 - atomic_inc(&rdma_stat_sq_poll);
80259 + atomic_inc_unchecked(&rdma_stat_sq_poll);
80260 while ((ret = ib_poll_cq(cq, 1, &wc)) > 0) {
80261 if (wc.status != IB_WC_SUCCESS)
80262 /* Close the transport */
80263 @@ -404,7 +404,7 @@ static void sq_cq_reap(struct svcxprt_rd
80264 }
80265
80266 if (ctxt)
80267 - atomic_inc(&rdma_stat_sq_prod);
80268 + atomic_inc_unchecked(&rdma_stat_sq_prod);
80269 }
80270
80271 static void sq_comp_handler(struct ib_cq *cq, void *cq_context)
80272 @@ -1260,7 +1260,7 @@ int svc_rdma_send(struct svcxprt_rdma *x
80273 spin_lock_bh(&xprt->sc_lock);
80274 if (xprt->sc_sq_depth < atomic_read(&xprt->sc_sq_count) + wr_count) {
80275 spin_unlock_bh(&xprt->sc_lock);
80276 - atomic_inc(&rdma_stat_sq_starve);
80277 + atomic_inc_unchecked(&rdma_stat_sq_starve);
80278
80279 /* See if we can opportunistically reap SQ WR to make room */
80280 sq_cq_reap(xprt);
80281 diff -urNp linux-2.6.32.49/net/sysctl_net.c linux-2.6.32.49/net/sysctl_net.c
80282 --- linux-2.6.32.49/net/sysctl_net.c 2011-11-08 19:02:43.000000000 -0500
80283 +++ linux-2.6.32.49/net/sysctl_net.c 2011-11-15 19:59:43.000000000 -0500
80284 @@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ct
80285 struct ctl_table *table)
80286 {
80287 /* Allow network administrator to have same access as root. */
80288 - if (capable(CAP_NET_ADMIN)) {
80289 + if (capable_nolog(CAP_NET_ADMIN)) {
80290 int mode = (table->mode >> 6) & 7;
80291 return (mode << 6) | (mode << 3) | mode;
80292 }
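Review bot: The switch to `capable_nolog(CAP_NET_ADMIN)` in net_ctl_permissions has no comment saying why this capability check is exempt from logging. The function reads like a permission probe rather than a privileged action, so the likely reason is to keep routine sysctl lookups out of the capability-use log, but that is inferred and not shown here. A one-line comment above the test would record it, for example `/* permission probe only: do not log CAP_NET_ADMIN use here */`. The first line of the function's signature is outside the hunk.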
80293 diff -urNp linux-2.6.32.49/net/tipc/link.c linux-2.6.32.49/net/tipc/link.c
80294 --- linux-2.6.32.49/net/tipc/link.c 2011-11-08 19:02:43.000000000 -0500
80295 +++ linux-2.6.32.49/net/tipc/link.c 2011-11-15 19:59:43.000000000 -0500
80296 @@ -1418,7 +1418,7 @@ again:
80297
80298 if (!sect_rest) {
80299 sect_rest = msg_sect[++curr_sect].iov_len;
80300 - sect_crs = (const unchar *)msg_sect[curr_sect].iov_base;
80301 + sect_crs = (const unchar __user *)msg_sect[curr_sect].iov_base;
80302 }
80303
80304 if (sect_rest < fragm_rest)
80305 @@ -1437,7 +1437,7 @@ error:
80306 }
80307 } else
80308 skb_copy_to_linear_data_offset(buf, fragm_crs,
80309 - sect_crs, sz);
80310 + (const void __force_kernel *)sect_crs, sz);
80311 sect_crs += sz;
80312 sect_rest -= sz;
80313 fragm_crs += sz;
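Review bot: The `(const void __force_kernel *)sect_crs` cast in the else branch overrides the `__user` annotation that the previous hunk just put on `sect_crs`, and nothing at the call says why the pointer is known to be a kernel address on this path. A forced address-space cast removes the static check that would otherwise flag a user pointer reaching skb_copy_to_linear_data_offset(), so the invariant should be written next to it, e.g. `/* kernel-origin iovec on this path; see the condition above */`. The wording needs confirming against the condition, which is outside the hunk. The mirror-image cast `(void __force_user *)&sub->evt` in the net/tipc/subscr.c hunk below needs the same kind of comment.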
80314 diff -urNp linux-2.6.32.49/net/tipc/subscr.c linux-2.6.32.49/net/tipc/subscr.c
80315 --- linux-2.6.32.49/net/tipc/subscr.c 2011-11-08 19:02:43.000000000 -0500
80316 +++ linux-2.6.32.49/net/tipc/subscr.c 2011-11-15 19:59:43.000000000 -0500
80317 @@ -104,7 +104,7 @@ static void subscr_send_event(struct sub
80318 {
80319 struct iovec msg_sect;
80320
80321 - msg_sect.iov_base = (void *)&sub->evt;
80322 + msg_sect.iov_base = (void __force_user *)&sub->evt;
80323 msg_sect.iov_len = sizeof(struct tipc_event);
80324
80325 sub->evt.event = htohl(event, sub->swap);
80326 diff -urNp linux-2.6.32.49/net/unix/af_unix.c linux-2.6.32.49/net/unix/af_unix.c
80327 --- linux-2.6.32.49/net/unix/af_unix.c 2011-11-08 19:02:43.000000000 -0500
80328 +++ linux-2.6.32.49/net/unix/af_unix.c 2011-11-15 19:59:43.000000000 -0500
80329 @@ -745,6 +745,12 @@ static struct sock *unix_find_other(stru
80330 err = -ECONNREFUSED;
80331 if (!S_ISSOCK(inode->i_mode))
80332 goto put_fail;
80333 +
80334 + if (!gr_acl_handle_unix(path.dentry, path.mnt)) {
80335 + err = -EACCES;
80336 + goto put_fail;
80337 + }
80338 +
80339 u = unix_find_socket_byinode(net, inode);
80340 if (!u)
80341 goto put_fail;
80342 @@ -765,6 +771,13 @@ static struct sock *unix_find_other(stru
80343 if (u) {
80344 struct dentry *dentry;
80345 dentry = unix_sk(u)->dentry;
80346 +
80347 + if (!gr_handle_chroot_unix(u->sk_peercred.pid)) {
80348 + err = -EPERM;
80349 + sock_put(u);
80350 + goto fail;
80351 + }
80352 +
80353 if (dentry)
80354 touch_atime(unix_sk(u)->mnt, dentry);
80355 } else
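Review bot: The new `gr_handle_chroot_unix(u->sk_peercred.pid)` test decides access from a pid stored on the socket, and the hunk does not say what that value is when the peer credentials were never filled in or the recorded process has since exited. Whether the helper treats a pid that does not resolve as allow or deny is not visible here, so the expected behaviour should be stated at the call, e.g. `/* sk_peercred.pid may be unset or stale; the helper must define the result for a pid that no longer resolves */`. unix_find_other starts and ends outside the hunk.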
80356 @@ -850,11 +863,18 @@ static int unix_bind(struct socket *sock
80357 err = security_path_mknod(&nd.path, dentry, mode, 0);
80358 if (err)
80359 goto out_mknod_drop_write;
80360 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
80361 + err = -EACCES;
80362 + goto out_mknod_drop_write;
80363 + }
80364 err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0);
80365 out_mknod_drop_write:
80366 mnt_drop_write(nd.path.mnt);
80367 if (err)
80368 goto out_mknod_dput;
80369 +
80370 + gr_handle_create(dentry, nd.path.mnt);
80371 +
80372 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
80373 dput(nd.path.dentry);
80374 nd.path.dentry = dentry;
80375 @@ -2211,7 +2231,11 @@ static int unix_seq_show(struct seq_file
80376 unix_state_lock(s);
80377
80378 seq_printf(seq, "%p: %08X %08X %08X %04X %02X %5lu",
80379 +#ifdef CONFIG_GRKERNSEC_HIDESYM
80380 + NULL,
80381 +#else
80382 s,
80383 +#endif
80384 atomic_read(&s->sk_refcnt),
80385 0,
80386 s->sk_state == TCP_LISTEN ? __SO_ACCEPTCON : 0,
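Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` block sits in the middle of the `seq_printf` argument list with no comment on what is being withheld. A line above the call such as `/* HIDESYM: do not expose the socket's kernel address in this seq file */` would make the intent clear. With the option set, the first column prints the same value for every socket, which matters to anything that used it as an identifier. Selecting the argument once before the call, in a local `void *` set under the `#ifdef`, would keep the preprocessor out of the argument list. unix_seq_show continues outside the hunk.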
80387 diff -urNp linux-2.6.32.49/net/wireless/core.h linux-2.6.32.49/net/wireless/core.h
80388 --- linux-2.6.32.49/net/wireless/core.h 2011-11-08 19:02:43.000000000 -0500
80389 +++ linux-2.6.32.49/net/wireless/core.h 2011-11-15 19:59:43.000000000 -0500
80390 @@ -27,7 +27,7 @@ struct cfg80211_registered_device {
80391 struct mutex mtx;
80392
80393 /* rfkill support */
80394 - struct rfkill_ops rfkill_ops;
80395 + rfkill_ops_no_const rfkill_ops;
80396 struct rfkill *rfkill;
80397 struct work_struct rfkill_sync;
80398
80399 diff -urNp linux-2.6.32.49/net/wireless/wext.c linux-2.6.32.49/net/wireless/wext.c
80400 --- linux-2.6.32.49/net/wireless/wext.c 2011-11-08 19:02:43.000000000 -0500
80401 +++ linux-2.6.32.49/net/wireless/wext.c 2011-11-15 19:59:43.000000000 -0500
80402 @@ -816,8 +816,7 @@ static int ioctl_standard_iw_point(struc
80403 */
80404
80405 /* Support for very large requests */
80406 - if ((descr->flags & IW_DESCR_FLAG_NOMAX) &&
80407 - (user_length > descr->max_tokens)) {
80408 + if (user_length > descr->max_tokens) {
80409 /* Allow userspace to GET more than max so
80410 * we can support any size GET requests.
80411 * There is still a limit : -ENOMEM.
80412 @@ -854,22 +853,6 @@ static int ioctl_standard_iw_point(struc
80413 }
80414 }
80415
80416 - if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) {
80417 - /*
80418 - * If this is a GET, but not NOMAX, it means that the extra
80419 - * data is not bounded by userspace, but by max_tokens. Thus
80420 - * set the length to max_tokens. This matches the extra data
80421 - * allocation.
80422 - * The driver should fill it with the number of tokens it
80423 - * provided, and it may check iwp->length rather than having
80424 - * knowledge of max_tokens. If the driver doesn't change the
80425 - * iwp->length, this ioctl just copies back max_token tokens
80426 - * filled with zeroes. Hopefully the driver isn't claiming
80427 - * them to be valid data.
80428 - */
80429 - iwp->length = descr->max_tokens;
80430 - }
80431 -
80432 err = handler(dev, info, (union iwreq_data *) iwp, extra);
80433
80434 iwp->length += essid_compat;
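Review bot: After this hunk nothing visible sets `iwp->length` before `handler()` is called for a GET, so the driver sees the length exactly as userspace supplied it. The first hunk of this file also drops the `IW_DESCR_FLAG_NOMAX` condition on the oversize path. The allocation of `extra` and the copy back to userspace are outside both hunks, so it cannot be confirmed from here that the buffer size and the copied length still agree for every descriptor. The new code should state the invariant it relies on where the clamp used to be, e.g. `/* extra was sized from user_length above; the handler must set iwp->length to what it actually wrote */`. The copy-back should also be checked to bound the length by the allocated size.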
80435 diff -urNp linux-2.6.32.49/net/xfrm/xfrm_policy.c linux-2.6.32.49/net/xfrm/xfrm_policy.c
80436 --- linux-2.6.32.49/net/xfrm/xfrm_policy.c 2011-11-08 19:02:43.000000000 -0500
80437 +++ linux-2.6.32.49/net/xfrm/xfrm_policy.c 2011-11-15 19:59:43.000000000 -0500
80438 @@ -586,7 +586,7 @@ int xfrm_policy_insert(int dir, struct x
80439 hlist_add_head(&policy->bydst, chain);
80440 xfrm_pol_hold(policy);
80441 net->xfrm.policy_count[dir]++;
80442 - atomic_inc(&flow_cache_genid);
80443 + atomic_inc_unchecked(&flow_cache_genid);
80444 if (delpol)
80445 __xfrm_policy_unlink(delpol, dir);
80446 policy->index = delpol ? delpol->index : xfrm_gen_index(net, dir);
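Review bot: `flow_cache_genid` is moved to the `_unchecked` accessors here and in the other hunks of this file without a comment saying why wrap-around is acceptable for it. The `genid != atomic_read_unchecked(&flow_cache_genid)` comparison in __xfrm_lookup suggests it is a generation number compared only for equality, which would make overflow harmless, but its declaration is outside this file section. A comment at the declaration, in the style of the existing `/* can overflow, only indicator */` in security/integrity/ima/ima_api.c, would record that this is not a reference count. The `rdma_stat_*` counters converted earlier on the page are the same case.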
80447 @@ -669,7 +669,7 @@ struct xfrm_policy *xfrm_policy_bysel_ct
80448 write_unlock_bh(&xfrm_policy_lock);
80449
80450 if (ret && delete) {
80451 - atomic_inc(&flow_cache_genid);
80452 + atomic_inc_unchecked(&flow_cache_genid);
80453 xfrm_policy_kill(ret);
80454 }
80455 return ret;
80456 @@ -710,7 +710,7 @@ struct xfrm_policy *xfrm_policy_byid(str
80457 write_unlock_bh(&xfrm_policy_lock);
80458
80459 if (ret && delete) {
80460 - atomic_inc(&flow_cache_genid);
80461 + atomic_inc_unchecked(&flow_cache_genid);
80462 xfrm_policy_kill(ret);
80463 }
80464 return ret;
80465 @@ -824,7 +824,7 @@ int xfrm_policy_flush(struct net *net, u
80466 }
80467
80468 }
80469 - atomic_inc(&flow_cache_genid);
80470 + atomic_inc_unchecked(&flow_cache_genid);
80471 out:
80472 write_unlock_bh(&xfrm_policy_lock);
80473 return err;
80474 @@ -1088,7 +1088,7 @@ int xfrm_policy_delete(struct xfrm_polic
80475 write_unlock_bh(&xfrm_policy_lock);
80476 if (pol) {
80477 if (dir < XFRM_POLICY_MAX)
80478 - atomic_inc(&flow_cache_genid);
80479 + atomic_inc_unchecked(&flow_cache_genid);
80480 xfrm_policy_kill(pol);
80481 return 0;
80482 }
80483 @@ -1477,7 +1477,7 @@ free_dst:
80484 goto out;
80485 }
80486
80487 -static int inline
80488 +static inline int
80489 xfrm_dst_alloc_copy(void **target, void *src, int size)
80490 {
80491 if (!*target) {
80492 @@ -1489,7 +1489,7 @@ xfrm_dst_alloc_copy(void **target, void
80493 return 0;
80494 }
80495
80496 -static int inline
80497 +static inline int
80498 xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel)
80499 {
80500 #ifdef CONFIG_XFRM_SUB_POLICY
80501 @@ -1501,7 +1501,7 @@ xfrm_dst_update_parent(struct dst_entry
80502 #endif
80503 }
80504
80505 -static int inline
80506 +static inline int
80507 xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl)
80508 {
80509 #ifdef CONFIG_XFRM_SUB_POLICY
80510 @@ -1537,7 +1537,7 @@ int __xfrm_lookup(struct net *net, struc
80511 u8 dir = policy_to_flow_dir(XFRM_POLICY_OUT);
80512
80513 restart:
80514 - genid = atomic_read(&flow_cache_genid);
80515 + genid = atomic_read_unchecked(&flow_cache_genid);
80516 policy = NULL;
80517 for (pi = 0; pi < ARRAY_SIZE(pols); pi++)
80518 pols[pi] = NULL;
80519 @@ -1680,7 +1680,7 @@ restart:
80520 goto error;
80521 }
80522 if (nx == -EAGAIN ||
80523 - genid != atomic_read(&flow_cache_genid)) {
80524 + genid != atomic_read_unchecked(&flow_cache_genid)) {
80525 xfrm_pols_put(pols, npols);
80526 goto restart;
80527 }
80528 diff -urNp linux-2.6.32.49/net/xfrm/xfrm_user.c linux-2.6.32.49/net/xfrm/xfrm_user.c
80529 --- linux-2.6.32.49/net/xfrm/xfrm_user.c 2011-11-08 19:02:43.000000000 -0500
80530 +++ linux-2.6.32.49/net/xfrm/xfrm_user.c 2011-11-15 19:59:43.000000000 -0500
80531 @@ -1169,6 +1169,8 @@ static int copy_to_user_tmpl(struct xfrm
80532 struct xfrm_user_tmpl vec[XFRM_MAX_DEPTH];
80533 int i;
80534
80535 + pax_track_stack();
80536 +
80537 if (xp->xfrm_nr == 0)
80538 return 0;
80539
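Review bot: `vec[XFRM_MAX_DEPTH]` is declared without an initializer, and the added `pax_track_stack()` call does not change that. The code that fills `vec` and copies it out is outside the hunk; if it leaves any field or padding of `struct xfrm_user_tmpl` unwritten, stale stack bytes would go out with the reply. Clearing the array before use, `memset(vec, 0, sizeof(vec));` after the `xp->xfrm_nr == 0` check, closes that regardless of how the entries are filled.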
80540 @@ -1784,6 +1786,8 @@ static int xfrm_do_migrate(struct sk_buf
80541 int err;
80542 int n = 0;
80543
80544 + pax_track_stack();
80545 +
80546 if (attrs[XFRMA_MIGRATE] == NULL)
80547 return -EINVAL;
80548
80549 diff -urNp linux-2.6.32.49/samples/kobject/kset-example.c linux-2.6.32.49/samples/kobject/kset-example.c
80550 --- linux-2.6.32.49/samples/kobject/kset-example.c 2011-11-08 19:02:43.000000000 -0500
80551 +++ linux-2.6.32.49/samples/kobject/kset-example.c 2011-11-15 19:59:43.000000000 -0500
80552 @@ -87,7 +87,7 @@ static ssize_t foo_attr_store(struct kob
80553 }
80554
80555 /* Our custom sysfs_ops that we will associate with our ktype later on */
80556 -static struct sysfs_ops foo_sysfs_ops = {
80557 +static const struct sysfs_ops foo_sysfs_ops = {
80558 .show = foo_attr_show,
80559 .store = foo_attr_store,
80560 };
80561 diff -urNp linux-2.6.32.49/scripts/basic/fixdep.c linux-2.6.32.49/scripts/basic/fixdep.c
80562 --- linux-2.6.32.49/scripts/basic/fixdep.c 2011-11-08 19:02:43.000000000 -0500
80563 +++ linux-2.6.32.49/scripts/basic/fixdep.c 2011-11-15 19:59:43.000000000 -0500
80564 @@ -162,7 +162,7 @@ static void grow_config(int len)
80565 /*
80566 * Lookup a value in the configuration string.
80567 */
80568 -static int is_defined_config(const char * name, int len)
80569 +static int is_defined_config(const char * name, unsigned int len)
80570 {
80571 const char * pconfig;
80572 const char * plast = str_config + len_config - len;
80573 @@ -199,7 +199,7 @@ static void clear_config(void)
80574 /*
80575 * Record the use of a CONFIG_* word.
80576 */
80577 -static void use_config(char *m, int slen)
80578 +static void use_config(char *m, unsigned int slen)
80579 {
80580 char s[PATH_MAX];
80581 char *p;
80582 @@ -222,9 +222,9 @@ static void use_config(char *m, int slen
80583
80584 static void parse_config_file(char *map, size_t len)
80585 {
80586 - int *end = (int *) (map + len);
80587 + unsigned int *end = (unsigned int *) (map + len);
80588 /* start at +1, so that p can never be < map */
80589 - int *m = (int *) map + 1;
80590 + unsigned int *m = (unsigned int *) map + 1;
80591 char *p, *q;
80592
80593 for (; m < end; m++) {
80594 @@ -371,7 +371,7 @@ static void print_deps(void)
80595 static void traps(void)
80596 {
80597 static char test[] __attribute__((aligned(sizeof(int)))) = "CONF";
80598 - int *p = (int *)test;
80599 + unsigned int *p = (unsigned int *)test;
80600
80601 if (*p != INT_CONF) {
80602 fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n",
80603 diff -urNp linux-2.6.32.49/scripts/gcc-plugin.sh linux-2.6.32.49/scripts/gcc-plugin.sh
80604 --- linux-2.6.32.49/scripts/gcc-plugin.sh 1969-12-31 19:00:00.000000000 -0500
80605 +++ linux-2.6.32.49/scripts/gcc-plugin.sh 2011-11-20 19:22:02.000000000 -0500
80606 @@ -0,0 +1,2 @@
80607 +#!/bin/sh
80608 +echo -e "#include \"gcc-plugin.h\"\n#include \"tree.h\"\n#include \"tm.h\"\n#include \"rtl.h\"" | $1 -x c -shared - -o /dev/null -I`$2 -print-file-name=plugin`/include >/dev/null 2>&1 && echo "y"
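Review bot: `echo -e` under `#!/bin/sh` is not portable: where the shell's builtin `echo` does not accept `-e`, the literal `-e` becomes part of the test program and the compile fails. Because both output streams go to /dev/null, the script then prints nothing, so plugin support is reported as absent with no diagnostic and whatever is gated on the `y` answer is silently left out of the build. `printf` avoids this: `printf '#include "gcc-plugin.h"\n#include "tree.h"\n#include "tm.h"\n#include "rtl.h"\n' | $1 -x c -shared - -o /dev/null -I"$($2 -print-file-name=plugin)"/include >/dev/null 2>&1 && echo "y"`. `$1` and `$2` are left unquoted there in case callers pass a compiler together with flags.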
80609 diff -urNp linux-2.6.32.49/scripts/Makefile.build linux-2.6.32.49/scripts/Makefile.build
80610 --- linux-2.6.32.49/scripts/Makefile.build 2011-11-08 19:02:43.000000000 -0500
80611 +++ linux-2.6.32.49/scripts/Makefile.build 2011-11-15 19:59:43.000000000 -0500
80612 @@ -59,7 +59,7 @@ endif
80613 endif
80614
80615 # Do not include host rules unless needed
80616 -ifneq ($(hostprogs-y)$(hostprogs-m),)
80617 +ifneq ($(hostprogs-y)$(hostprogs-m)$(hostlibs-y)$(hostlibs-m),)
80618 include scripts/Makefile.host
80619 endif
80620
80621 diff -urNp linux-2.6.32.49/scripts/Makefile.clean linux-2.6.32.49/scripts/Makefile.clean
80622 --- linux-2.6.32.49/scripts/Makefile.clean 2011-11-08 19:02:43.000000000 -0500
80623 +++ linux-2.6.32.49/scripts/Makefile.clean 2011-11-15 19:59:43.000000000 -0500
80624 @@ -43,7 +43,8 @@ subdir-ymn := $(addprefix $(obj)/,$(subd
80625 __clean-files := $(extra-y) $(always) \
80626 $(targets) $(clean-files) \
80627 $(host-progs) \
80628 - $(hostprogs-y) $(hostprogs-m) $(hostprogs-)
80629 + $(hostprogs-y) $(hostprogs-m) $(hostprogs-) \
80630 + $(hostlibs-y) $(hostlibs-m) $(hostlibs-)
80631
80632 # as clean-files is given relative to the current directory, this adds
80633 # a $(obj) prefix, except for absolute paths
80634 diff -urNp linux-2.6.32.49/scripts/Makefile.host linux-2.6.32.49/scripts/Makefile.host
80635 --- linux-2.6.32.49/scripts/Makefile.host 2011-11-08 19:02:43.000000000 -0500
80636 +++ linux-2.6.32.49/scripts/Makefile.host 2011-11-15 19:59:43.000000000 -0500
80637 @@ -31,6 +31,7 @@
80638 # Note: Shared libraries consisting of C++ files are not supported
80639
80640 __hostprogs := $(sort $(hostprogs-y) $(hostprogs-m))
80641 +__hostlibs := $(sort $(hostlibs-y) $(hostlibs-m))
80642
80643 # C code
80644 # Executables compiled from a single .c file
80645 @@ -54,6 +55,7 @@ host-cxxobjs := $(sort $(foreach m,$(hos
80646 # Shared libaries (only .c supported)
80647 # Shared libraries (.so) - all .so files referenced in "xxx-objs"
80648 host-cshlib := $(sort $(filter %.so, $(host-cobjs)))
80649 +host-cshlib += $(sort $(filter %.so, $(__hostlibs)))
80650 # Remove .so files from "xxx-objs"
80651 host-cobjs := $(filter-out %.so,$(host-cobjs))
80652
80653 diff -urNp linux-2.6.32.49/scripts/mod/file2alias.c linux-2.6.32.49/scripts/mod/file2alias.c
80654 --- linux-2.6.32.49/scripts/mod/file2alias.c 2011-11-08 19:02:43.000000000 -0500
80655 +++ linux-2.6.32.49/scripts/mod/file2alias.c 2011-11-15 19:59:43.000000000 -0500
80656 @@ -72,7 +72,7 @@ static void device_id_check(const char *
80657 unsigned long size, unsigned long id_size,
80658 void *symval)
80659 {
80660 - int i;
80661 + unsigned int i;
80662
80663 if (size % id_size || size < id_size) {
80664 if (cross_build != 0)
80665 @@ -102,7 +102,7 @@ static void device_id_check(const char *
80666 /* USB is special because the bcdDevice can be matched against a numeric range */
80667 /* Looks like "usb:vNpNdNdcNdscNdpNicNiscNipN" */
80668 static void do_usb_entry(struct usb_device_id *id,
80669 - unsigned int bcdDevice_initial, int bcdDevice_initial_digits,
80670 + unsigned int bcdDevice_initial, unsigned int bcdDevice_initial_digits,
80671 unsigned char range_lo, unsigned char range_hi,
80672 struct module *mod)
80673 {
80674 @@ -151,7 +151,7 @@ static void do_usb_entry_multi(struct us
80675 {
80676 unsigned int devlo, devhi;
80677 unsigned char chi, clo;
80678 - int ndigits;
80679 + unsigned int ndigits;
80680
80681 id->match_flags = TO_NATIVE(id->match_flags);
80682 id->idVendor = TO_NATIVE(id->idVendor);
80683 @@ -368,7 +368,7 @@ static void do_pnp_device_entry(void *sy
80684 for (i = 0; i < count; i++) {
80685 const char *id = (char *)devs[i].id;
80686 char acpi_id[sizeof(devs[0].id)];
80687 - int j;
80688 + unsigned int j;
80689
80690 buf_printf(&mod->dev_table_buf,
80691 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
80692 @@ -398,7 +398,7 @@ static void do_pnp_card_entries(void *sy
80693
80694 for (j = 0; j < PNP_MAX_DEVICES; j++) {
80695 const char *id = (char *)card->devs[j].id;
80696 - int i2, j2;
80697 + unsigned int i2, j2;
80698 int dup = 0;
80699
80700 if (!id[0])
80701 @@ -424,7 +424,7 @@ static void do_pnp_card_entries(void *sy
80702 /* add an individual alias for every device entry */
80703 if (!dup) {
80704 char acpi_id[sizeof(card->devs[0].id)];
80705 - int k;
80706 + unsigned int k;
80707
80708 buf_printf(&mod->dev_table_buf,
80709 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
80710 @@ -699,7 +699,7 @@ static void dmi_ascii_filter(char *d, co
80711 static int do_dmi_entry(const char *filename, struct dmi_system_id *id,
80712 char *alias)
80713 {
80714 - int i, j;
80715 + unsigned int i, j;
80716
80717 sprintf(alias, "dmi*");
80718
80719 diff -urNp linux-2.6.32.49/scripts/mod/modpost.c linux-2.6.32.49/scripts/mod/modpost.c
80720 --- linux-2.6.32.49/scripts/mod/modpost.c 2011-11-08 19:02:43.000000000 -0500
80721 +++ linux-2.6.32.49/scripts/mod/modpost.c 2011-11-15 19:59:43.000000000 -0500
80722 @@ -835,6 +835,7 @@ enum mismatch {
80723 INIT_TO_EXIT,
80724 EXIT_TO_INIT,
80725 EXPORT_TO_INIT_EXIT,
80726 + DATA_TO_TEXT
80727 };
80728
80729 struct sectioncheck {
80730 @@ -920,6 +921,12 @@ const struct sectioncheck sectioncheck[]
80731 .fromsec = { "__ksymtab*", NULL },
80732 .tosec = { INIT_SECTIONS, EXIT_SECTIONS, NULL },
80733 .mismatch = EXPORT_TO_INIT_EXIT
80734 +},
80735 +/* Do not reference code from writable data */
80736 +{
80737 + .fromsec = { DATA_SECTIONS, NULL },
80738 + .tosec = { TEXT_SECTIONS, NULL },
80739 + .mismatch = DATA_TO_TEXT
80740 }
80741 };
80742
80743 @@ -1024,10 +1031,10 @@ static Elf_Sym *find_elf_symbol(struct e
80744 continue;
80745 if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
80746 continue;
80747 - if (sym->st_value == addr)
80748 - return sym;
80749 /* Find a symbol nearby - addr are maybe negative */
80750 d = sym->st_value - addr;
80751 + if (d == 0)
80752 + return sym;
80753 if (d < 0)
80754 d = addr - sym->st_value;
80755 if (d < distance) {
80756 @@ -1268,6 +1275,14 @@ static void report_sec_mismatch(const ch
80757 "Fix this by removing the %sannotation of %s "
80758 "or drop the export.\n",
80759 tosym, sec2annotation(tosec), sec2annotation(tosec), tosym);
80760 + case DATA_TO_TEXT:
80761 +/*
80762 + fprintf(stderr,
80763 + "The variable %s references\n"
80764 + "the %s %s%s%s\n",
80765 + fromsym, to, sec2annotation(tosec), tosym, to_p);
80766 +*/
80767 + break;
80768 case NO_MISMATCH:
80769 /* To get warnings on missing members */
80770 break;
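Review bot: The new `case DATA_TO_TEXT:` contains only a commented-out `fprintf`, so the rule added to `sectioncheck[]` gives no specific explanation in the build output, and the dead code gives no reason for being disabled. Either enable the message or replace the block with a short comment stating why it is off, e.g. `/* detailed report disabled: <reason> */`. The preceding `EXPORT_TO_INIT_EXIT` case also reaches this label without a `break;` in the visible context. That is harmless while the new case does nothing, but adding `break;` before `case DATA_TO_TEXT:` keeps it correct if the message is ever enabled. report_sec_mismatch starts and ends outside the hunk.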
80771 @@ -1495,7 +1510,7 @@ static void section_rel(const char *modn
80772 static void check_sec_ref(struct module *mod, const char *modname,
80773 struct elf_info *elf)
80774 {
80775 - int i;
80776 + unsigned int i;
80777 Elf_Shdr *sechdrs = elf->sechdrs;
80778
80779 /* Walk through all sections */
80780 @@ -1651,7 +1666,7 @@ void __attribute__((format(printf, 2, 3)
80781 va_end(ap);
80782 }
80783
80784 -void buf_write(struct buffer *buf, const char *s, int len)
80785 +void buf_write(struct buffer *buf, const char *s, unsigned int len)
80786 {
80787 if (buf->size - buf->pos < len) {
80788 buf->size += len + SZ;
80789 @@ -1863,7 +1878,7 @@ static void write_if_changed(struct buff
80790 if (fstat(fileno(file), &st) < 0)
80791 goto close_write;
80792
80793 - if (st.st_size != b->pos)
80794 + if (st.st_size != (off_t)b->pos)
80795 goto close_write;
80796
80797 tmp = NOFAIL(malloc(b->pos));
80798 diff -urNp linux-2.6.32.49/scripts/mod/modpost.h linux-2.6.32.49/scripts/mod/modpost.h
80799 --- linux-2.6.32.49/scripts/mod/modpost.h 2011-11-08 19:02:43.000000000 -0500
80800 +++ linux-2.6.32.49/scripts/mod/modpost.h 2011-11-15 19:59:43.000000000 -0500
80801 @@ -92,15 +92,15 @@ void *do_nofail(void *ptr, const char *e
80802
80803 struct buffer {
80804 char *p;
80805 - int pos;
80806 - int size;
80807 + unsigned int pos;
80808 + unsigned int size;
80809 };
80810
80811 void __attribute__((format(printf, 2, 3)))
80812 buf_printf(struct buffer *buf, const char *fmt, ...);
80813
80814 void
80815 -buf_write(struct buffer *buf, const char *s, int len);
80816 +buf_write(struct buffer *buf, const char *s, unsigned int len);
80817
80818 struct module {
80819 struct module *next;
80820 diff -urNp linux-2.6.32.49/scripts/mod/sumversion.c linux-2.6.32.49/scripts/mod/sumversion.c
80821 --- linux-2.6.32.49/scripts/mod/sumversion.c 2011-11-08 19:02:43.000000000 -0500
80822 +++ linux-2.6.32.49/scripts/mod/sumversion.c 2011-11-15 19:59:43.000000000 -0500
80823 @@ -455,7 +455,7 @@ static void write_version(const char *fi
80824 goto out;
80825 }
80826
80827 - if (write(fd, sum, strlen(sum)+1) != strlen(sum)+1) {
80828 + if (write(fd, sum, strlen(sum)+1) != (ssize_t)strlen(sum)+1) {
80829 warn("writing sum in %s failed: %s\n",
80830 filename, strerror(errno));
80831 goto out;
80832 diff -urNp linux-2.6.32.49/scripts/package/mkspec linux-2.6.32.49/scripts/package/mkspec
80833 --- linux-2.6.32.49/scripts/package/mkspec 2011-11-08 19:02:43.000000000 -0500
80834 +++ linux-2.6.32.49/scripts/package/mkspec 2011-11-15 19:59:43.000000000 -0500
80835 @@ -70,7 +70,7 @@ echo 'mkdir -p $RPM_BUILD_ROOT/boot $RPM
80836 echo 'mkdir -p $RPM_BUILD_ROOT/lib/firmware'
80837 echo "%endif"
80838
80839 -echo 'INSTALL_MOD_PATH=$RPM_BUILD_ROOT make %{_smp_mflags} KBUILD_SRC= modules_install'
80840 +echo 'INSTALL_MOD_PATH=$RPM_BUILD_ROOT make %{?_smp_mflags} KBUILD_SRC= modules_install'
80841 echo "%ifarch ia64"
80842 echo 'cp $KBUILD_IMAGE $RPM_BUILD_ROOT'"/boot/efi/vmlinuz-$KERNELRELEASE"
80843 echo 'ln -s '"efi/vmlinuz-$KERNELRELEASE" '$RPM_BUILD_ROOT'"/boot/"
80844 diff -urNp linux-2.6.32.49/scripts/pnmtologo.c linux-2.6.32.49/scripts/pnmtologo.c
80845 --- linux-2.6.32.49/scripts/pnmtologo.c 2011-11-08 19:02:43.000000000 -0500
80846 +++ linux-2.6.32.49/scripts/pnmtologo.c 2011-11-15 19:59:43.000000000 -0500
80847 @@ -237,14 +237,14 @@ static void write_header(void)
80848 fprintf(out, " * Linux logo %s\n", logoname);
80849 fputs(" */\n\n", out);
80850 fputs("#include <linux/linux_logo.h>\n\n", out);
80851 - fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
80852 + fprintf(out, "static unsigned char %s_data[] = {\n",
80853 logoname);
80854 }
80855
80856 static void write_footer(void)
80857 {
80858 fputs("\n};\n\n", out);
80859 - fprintf(out, "const struct linux_logo %s __initconst = {\n", logoname);
80860 + fprintf(out, "const struct linux_logo %s = {\n", logoname);
80861 fprintf(out, "\t.type\t\t= %s,\n", logo_types[logo_type]);
80862 fprintf(out, "\t.width\t\t= %d,\n", logo_width);
80863 fprintf(out, "\t.height\t\t= %d,\n", logo_height);
80864 @@ -374,7 +374,7 @@ static void write_logo_clut224(void)
80865 fputs("\n};\n\n", out);
80866
80867 /* write logo clut */
80868 - fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
80869 + fprintf(out, "static unsigned char %s_clut[] = {\n",
80870 logoname);
80871 write_hex_cnt = 0;
80872 for (i = 0; i < logo_clutsize; i++) {
80873 diff -urNp linux-2.6.32.49/scripts/tags.sh linux-2.6.32.49/scripts/tags.sh
80874 --- linux-2.6.32.49/scripts/tags.sh 2011-11-08 19:02:43.000000000 -0500
80875 +++ linux-2.6.32.49/scripts/tags.sh 2011-11-15 19:59:43.000000000 -0500
80876 @@ -93,6 +93,11 @@ docscope()
80877 cscope -b -f cscope.out
80878 }
80879
80880 +dogtags()
80881 +{
80882 + all_sources | gtags -f -
80883 +}
80884 +
80885 exuberant()
80886 {
80887 all_sources | xargs $1 -a \
80888 @@ -164,6 +169,10 @@ case "$1" in
80889 docscope
80890 ;;
80891
80892 + "gtags")
80893 + dogtags
80894 + ;;
80895 +
80896 "tags")
80897 rm -f tags
80898 xtags ctags
80899 diff -urNp linux-2.6.32.49/security/capability.c linux-2.6.32.49/security/capability.c
80900 --- linux-2.6.32.49/security/capability.c 2011-11-08 19:02:43.000000000 -0500
80901 +++ linux-2.6.32.49/security/capability.c 2011-11-15 19:59:43.000000000 -0500
80902 @@ -890,7 +890,7 @@ static void cap_audit_rule_free(void *ls
80903 }
80904 #endif /* CONFIG_AUDIT */
80905
80906 -struct security_operations default_security_ops = {
80907 +struct security_operations default_security_ops __read_only = {
80908 .name = "default",
80909 };
80910
80911 diff -urNp linux-2.6.32.49/security/commoncap.c linux-2.6.32.49/security/commoncap.c
80912 --- linux-2.6.32.49/security/commoncap.c 2011-11-08 19:02:43.000000000 -0500
80913 +++ linux-2.6.32.49/security/commoncap.c 2011-11-15 19:59:43.000000000 -0500
80914 @@ -27,7 +27,7 @@
80915 #include <linux/sched.h>
80916 #include <linux/prctl.h>
80917 #include <linux/securebits.h>
80918 -
80919 +#include <net/sock.h>
80920 /*
80921 * If a non-root user executes a setuid-root binary in
80922 * !secure(SECURE_NOROOT) mode, then we raise capabilities.
80923 @@ -50,9 +50,18 @@ static void warn_setuid_and_fcaps_mixed(
80924 }
80925 }
80926
80927 +#ifdef CONFIG_NET
80928 +extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);
80929 +#endif
80930 +
80931 int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
80932 {
80933 +#ifdef CONFIG_NET
80934 + NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink(sk);
80935 +#else
80936 NETLINK_CB(skb).eff_cap = current_cap();
80937 +#endif
80938 +
80939 return 0;
80940 }
80941
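Review bot: `gr_cap_rtnetlink()` is declared with a local `extern` in this .c file, so the compiler cannot check the prototype against the definition, which is not on this part of the page. Its return value replaces `current_cap()` as the capability set recorded in `NETLINK_CB(skb).eff_cap`, so a drift between declaration and definition would affect a privilege decision. The prototype belongs in a header included by both sides. A comment on the `CONFIG_NET` branch should also say what the helper may return relative to `current_cap()`, e.g. `/* expected to only narrow the sender's effective set - confirm */`.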
80942 @@ -582,6 +591,9 @@ int cap_bprm_secureexec(struct linux_bin
80943 {
80944 const struct cred *cred = current_cred();
80945
80946 + if (gr_acl_enable_at_secure())
80947 + return 1;
80948 +
80949 if (cred->uid != 0) {
80950 if (bprm->cap_effective)
80951 return 1;
80952 diff -urNp linux-2.6.32.49/security/integrity/ima/ima_api.c linux-2.6.32.49/security/integrity/ima/ima_api.c
80953 --- linux-2.6.32.49/security/integrity/ima/ima_api.c 2011-11-08 19:02:43.000000000 -0500
80954 +++ linux-2.6.32.49/security/integrity/ima/ima_api.c 2011-11-15 19:59:43.000000000 -0500
80955 @@ -74,7 +74,7 @@ void ima_add_violation(struct inode *ino
80956 int result;
80957
80958 /* can overflow, only indicator */
80959 - atomic_long_inc(&ima_htable.violations);
80960 + atomic_long_inc_unchecked(&ima_htable.violations);
80961
80962 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
80963 if (!entry) {
80964 diff -urNp linux-2.6.32.49/security/integrity/ima/ima_fs.c linux-2.6.32.49/security/integrity/ima/ima_fs.c
80965 --- linux-2.6.32.49/security/integrity/ima/ima_fs.c 2011-11-08 19:02:43.000000000 -0500
80966 +++ linux-2.6.32.49/security/integrity/ima/ima_fs.c 2011-11-15 19:59:43.000000000 -0500
80967 @@ -27,12 +27,12 @@
80968 static int valid_policy = 1;
80969 #define TMPBUFLEN 12
80970 static ssize_t ima_show_htable_value(char __user *buf, size_t count,
80971 - loff_t *ppos, atomic_long_t *val)
80972 + loff_t *ppos, atomic_long_unchecked_t *val)
80973 {
80974 char tmpbuf[TMPBUFLEN];
80975 ssize_t len;
80976
80977 - len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
80978 + len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read_unchecked(val));
80979 return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
80980 }
80981
80982 diff -urNp linux-2.6.32.49/security/integrity/ima/ima.h linux-2.6.32.49/security/integrity/ima/ima.h
80983 --- linux-2.6.32.49/security/integrity/ima/ima.h 2011-11-08 19:02:43.000000000 -0500
80984 +++ linux-2.6.32.49/security/integrity/ima/ima.h 2011-11-15 19:59:43.000000000 -0500
80985 @@ -84,8 +84,8 @@ void ima_add_violation(struct inode *ino
80986 extern spinlock_t ima_queue_lock;
80987
80988 struct ima_h_table {
80989 - atomic_long_t len; /* number of stored measurements in the list */
80990 - atomic_long_t violations;
80991 + atomic_long_unchecked_t len; /* number of stored measurements in the list */
80992 + atomic_long_unchecked_t violations;
80993 struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
80994 };
80995 extern struct ima_h_table ima_htable;
80996 diff -urNp linux-2.6.32.49/security/integrity/ima/ima_queue.c linux-2.6.32.49/security/integrity/ima/ima_queue.c
80997 --- linux-2.6.32.49/security/integrity/ima/ima_queue.c 2011-11-08 19:02:43.000000000 -0500
80998 +++ linux-2.6.32.49/security/integrity/ima/ima_queue.c 2011-11-15 19:59:43.000000000 -0500
80999 @@ -78,7 +78,7 @@ static int ima_add_digest_entry(struct i
81000 INIT_LIST_HEAD(&qe->later);
81001 list_add_tail_rcu(&qe->later, &ima_measurements);
81002
81003 - atomic_long_inc(&ima_htable.len);
81004 + atomic_long_inc_unchecked(&ima_htable.len);
81005 key = ima_hash_key(entry->digest);
81006 hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
81007 return 0;
81008 diff -urNp linux-2.6.32.49/security/Kconfig linux-2.6.32.49/security/Kconfig
81009 --- linux-2.6.32.49/security/Kconfig 2011-11-08 19:02:43.000000000 -0500
81010 +++ linux-2.6.32.49/security/Kconfig 2011-11-15 19:59:43.000000000 -0500
81011 @@ -4,6 +4,559 @@
81012
81013 menu "Security options"
81014
81015 +source grsecurity/Kconfig
81016 +
81017 +menu "PaX"
81018 +
81019 + config ARCH_TRACK_EXEC_LIMIT
81020 + bool
81021 +
81022 + config PAX_KERNEXEC_PLUGIN
81023 + bool
81024 +
81025 + config PAX_PER_CPU_PGD
81026 + bool
81027 +
81028 + config TASK_SIZE_MAX_SHIFT
81029 + int
81030 + depends on X86_64
81031 + default 47 if !PAX_PER_CPU_PGD
81032 + default 42 if PAX_PER_CPU_PGD
81033 +
81034 + config PAX_ENABLE_PAE
81035 + bool
81036 + default y if (X86_32 && (MPENTIUM4 || MK8 || MPSC || MCORE2 || MATOM))
81037 +
81038 +config PAX
81039 + bool "Enable various PaX features"
81040 + depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
81041 + help
81042 + This allows you to enable various PaX features. PaX adds
81043 + intrusion prevention mechanisms to the kernel that reduce
81044 + the risks posed by exploitable memory corruption bugs.
81045 +
81046 +menu "PaX Control"
81047 + depends on PAX
81048 +
81049 +config PAX_SOFTMODE
81050 + bool 'Support soft mode'
81051 + select PAX_PT_PAX_FLAGS
81052 + help
81053 + Enabling this option will allow you to run PaX in soft mode, that
81054 + is, PaX features will not be enforced by default, only on executables
81055 + marked explicitly. You must also enable PT_PAX_FLAGS support as it
81056 + is the only way to mark executables for soft mode use.
81057 +
81058 + Soft mode can be activated by using the "pax_softmode=1" kernel command
81059 + line option on boot. Furthermore you can control various PaX features
81060 + at runtime via the entries in /proc/sys/kernel/pax.
81061 +
81062 +config PAX_EI_PAX
81063 + bool 'Use legacy ELF header marking'
81064 + help
81065 + Enabling this option will allow you to control PaX features on
81066 + a per executable basis via the 'chpax' utility available at
81067 + http://pax.grsecurity.net/. The control flags will be read from
81068 + an otherwise reserved part of the ELF header. This marking has
81069 + numerous drawbacks (no support for soft-mode, toolchain does not
81070 + know about the non-standard use of the ELF header) therefore it
81071 + has been deprecated in favour of PT_PAX_FLAGS support.
81072 +
81073 + Note that if you enable PT_PAX_FLAGS marking support as well,
81074 + the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
81075 +
81076 +config PAX_PT_PAX_FLAGS
81077 + bool 'Use ELF program header marking'
81078 + help
81079 + Enabling this option will allow you to control PaX features on
81080 + a per executable basis via the 'paxctl' utility available at
81081 + http://pax.grsecurity.net/. The control flags will be read from
81082 + a PaX specific ELF program header (PT_PAX_FLAGS). This marking
81083 + has the benefits of supporting both soft mode and being fully
81084 + integrated into the toolchain (the binutils patch is available
81085 + from http://pax.grsecurity.net).
81086 +
81087 + If your toolchain does not support PT_PAX_FLAGS markings,
81088 + you can create one in most cases with 'paxctl -C'.
81089 +
81090 + Note that if you enable the legacy EI_PAX marking support as well,
81091 + the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
81092 +
81093 +choice
81094 + prompt 'MAC system integration'
81095 + default PAX_HAVE_ACL_FLAGS
81096 + help
81097 + Mandatory Access Control systems have the option of controlling
81098 + PaX flags on a per executable basis, choose the method supported
81099 + by your particular system.
81100 +
81101 + - "none": if your MAC system does not interact with PaX,
81102 + - "direct": if your MAC system defines pax_set_initial_flags() itself,
81103 + - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
81104 +
81105 + NOTE: this option is for developers/integrators only.
81106 +
81107 + config PAX_NO_ACL_FLAGS
81108 + bool 'none'
81109 +
81110 + config PAX_HAVE_ACL_FLAGS
81111 + bool 'direct'
81112 +
81113 + config PAX_HOOK_ACL_FLAGS
81114 + bool 'hook'
81115 +endchoice
81116 +
81117 +endmenu
81118 +
81119 +menu "Non-executable pages"
81120 + depends on PAX
81121 +
81122 +config PAX_NOEXEC
81123 + bool "Enforce non-executable pages"
81124 + depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
81125 + help
81126 + By design some architectures do not allow for protecting memory
81127 + pages against execution or even if they do, Linux does not make
81128 + use of this feature. In practice this means that if a page is
81129 + readable (such as the stack or heap) it is also executable.
81130 +
81131 + There is a well known exploit technique that makes use of this
81132 + fact and a common programming mistake where an attacker can
81133 + introduce code of his choice somewhere in the attacked program's
81134 + memory (typically the stack or the heap) and then execute it.
81135 +
81136 + If the attacked program was running with different (typically
81137 + higher) privileges than that of the attacker, then he can elevate
81138 + his own privilege level (e.g. get a root shell, write to files for
81139 + which he does not have write access to, etc).
81140 +
81141 + Enabling this option will let you choose from various features
81142 + that prevent the injection and execution of 'foreign' code in
81143 + a program.
81144 +
81145 + This will also break programs that rely on the old behaviour and
81146 + expect that dynamically allocated memory via the malloc() family
81147 + of functions is executable (which it is not). Notable examples
81148 + are the XFree86 4.x server, the java runtime and wine.
81149 +
81150 +config PAX_PAGEEXEC
81151 + bool "Paging based non-executable pages"
81152 + depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
81153 + select S390_SWITCH_AMODE if S390
81154 + select S390_EXEC_PROTECT if S390
81155 + select ARCH_TRACK_EXEC_LIMIT if X86_32
81156 + help
81157 + This implementation is based on the paging feature of the CPU.
81158 + On i386 without hardware non-executable bit support there is a
81159 + variable but usually low performance impact, however on Intel's
81160 + P4 core based CPUs it is very high so you should not enable this
81161 + for kernels meant to be used on such CPUs.
81162 +
81163 + On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
81164 + with hardware non-executable bit support there is no performance
81165 + impact, on ppc the impact is negligible.
81166 +
81167 + Note that several architectures require various emulations due to
81168 + badly designed userland ABIs, this will cause a performance impact
81169 + but will disappear as soon as userland is fixed. For example, ppc
81170 + userland MUST have been built with secure-plt by a recent toolchain.
81171 +
81172 +config PAX_SEGMEXEC
81173 + bool "Segmentation based non-executable pages"
81174 + depends on PAX_NOEXEC && X86_32
81175 + help
81176 + This implementation is based on the segmentation feature of the
81177 + CPU and has a very small performance impact, however applications
81178 + will be limited to a 1.5 GB address space instead of the normal
81179 + 3 GB.
81180 +
81181 +config PAX_EMUTRAMP
81182 + bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
81183 + default y if PARISC
81184 + help
81185 + There are some programs and libraries that for one reason or
81186 + another attempt to execute special small code snippets from
81187 + non-executable memory pages. Most notable examples are the
81188 + signal handler return code generated by the kernel itself and
81189 + the GCC trampolines.
81190 +
81191 + If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
81192 + such programs will no longer work under your kernel.
81193 +
81194 + As a remedy you can say Y here and use the 'chpax' or 'paxctl'
81195 + utilities to enable trampoline emulation for the affected programs
81196 + yet still have the protection provided by the non-executable pages.
81197 +
81198 + On parisc you MUST enable this option and EMUSIGRT as well, otherwise
81199 + your system will not even boot.
81200 +
81201 + Alternatively you can say N here and use the 'chpax' or 'paxctl'
81202 + utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
81203 + for the affected files.
81204 +
81205 + NOTE: enabling this feature *may* open up a loophole in the
81206 + protection provided by non-executable pages that an attacker
81207 + could abuse. Therefore the best solution is to not have any
81208 + files on your system that would require this option. This can
81209 + be achieved by not using libc5 (which relies on the kernel
81210 + signal handler return code) and not using or rewriting programs
81211 + that make use of the nested function implementation of GCC.
81212 + Skilled users can just fix GCC itself so that it implements
81213 + nested function calls in a way that does not interfere with PaX.
81214 +
81215 +config PAX_EMUSIGRT
81216 + bool "Automatically emulate sigreturn trampolines"
81217 + depends on PAX_EMUTRAMP && PARISC
81218 + default y
81219 + help
81220 + Enabling this option will have the kernel automatically detect
81221 + and emulate signal return trampolines executing on the stack
81222 + that would otherwise lead to task termination.
81223 +
81224 + This solution is intended as a temporary one for users with
81225 + legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
81226 + Modula-3 runtime, etc) or executables linked to such, basically
81227 + everything that does not specify its own SA_RESTORER function in
81228 + normal executable memory like glibc 2.1+ does.
81229 +
81230 + On parisc you MUST enable this option, otherwise your system will
81231 + not even boot.
81232 +
81233 + NOTE: this feature cannot be disabled on a per executable basis
81234 + and since it *does* open up a loophole in the protection provided
81235 + by non-executable pages, the best solution is to not have any
81236 + files on your system that would require this option.
81237 +
81238 +config PAX_MPROTECT
81239 + bool "Restrict mprotect()"
81240 + depends on (PAX_PAGEEXEC || PAX_SEGMEXEC)
81241 + help
81242 + Enabling this option will prevent programs from
81243 + - changing the executable status of memory pages that were
81244 + not originally created as executable,
81245 + - making read-only executable pages writable again,
81246 + - creating executable pages from anonymous memory,
81247 + - making read-only-after-relocations (RELRO) data pages writable again.
81248 +
81249 + You should say Y here to complete the protection provided by
81250 + the enforcement of non-executable pages.
81251 +
81252 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
81253 + this feature on a per file basis.
81254 +
81255 +config PAX_MPROTECT_COMPAT
81256 + bool "Use legacy/compat protection demoting (read help)"
81257 + depends on PAX_MPROTECT
81258 + default n
81259 + help
81260 + The current implementation of PAX_MPROTECT denies RWX allocations/mprotects
81261 + by sending the proper error code to the application. For some broken
81262 + userland, this can cause problems with Python or other applications. The
81263 + current implementation however allows for applications like clamav to
81264 + detect if JIT compilation/execution is allowed and to fall back gracefully
81265 + to an interpreter-based mode if it does not. While we encourage everyone
81266 + to use the current implementation as-is and push upstream to fix broken
81267 + userland (note that the RWX logging option can assist with this), in some
81268 + environments this may not be possible. Having to disable MPROTECT
81269 + completely on certain binaries reduces the security benefit of PaX,
81270 + so this option is provided for those environments to revert to the old
81271 + behavior.
81272 +
81273 +config PAX_ELFRELOCS
81274 + bool "Allow ELF text relocations (read help)"
81275 + depends on PAX_MPROTECT
81276 + default n
81277 + help
81278 + Non-executable pages and mprotect() restrictions are effective
81279 + in preventing the introduction of new executable code into an
81280 + attacked task's address space. There remain only two venues
81281 + for this kind of attack: if the attacker can execute already
81282 + existing code in the attacked task then he can either have it
81283 + create and mmap() a file containing his code or have it mmap()
81284 + an already existing ELF library that does not have position
81285 + independent code in it and use mprotect() on it to make it
81286 + writable and copy his code there. While protecting against
81287 + the former approach is beyond PaX, the latter can be prevented
81288 + by having only PIC ELF libraries on one's system (which do not
81289 + need to relocate their code). If you are sure this is your case,
81290 + as is the case with all modern Linux distributions, then leave
81291 + this option disabled. You should say 'n' here.
81292 +
81293 +config PAX_ETEXECRELOCS
81294 + bool "Allow ELF ET_EXEC text relocations"
81295 + depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
81296 + select PAX_ELFRELOCS
81297 + default y
81298 + help
81299 + On some architectures there are incorrectly created applications
81300 + that require text relocations and would not work without enabling
81301 + this option. If you are an alpha, ia64 or parisc user, you should
81302 + enable this option and disable it once you have made sure that
81303 + none of your applications need it.
81304 +
81305 +config PAX_EMUPLT
81306 + bool "Automatically emulate ELF PLT"
81307 + depends on PAX_MPROTECT && (ALPHA || PARISC || SPARC)
81308 + default y
81309 + help
81310 + Enabling this option will have the kernel automatically detect
81311 + and emulate the Procedure Linkage Table entries in ELF files.
81312 + On some architectures such entries are in writable memory, and
81313 + become non-executable leading to task termination. Therefore
81314 + it is mandatory that you enable this option on alpha, parisc,
81315 + sparc and sparc64, otherwise your system would not even boot.
81316 +
81317 + NOTE: this feature *does* open up a loophole in the protection
81318 + provided by the non-executable pages, therefore the proper
81319 + solution is to modify the toolchain to produce a PLT that does
81320 + not need to be writable.
81321 +
81322 +config PAX_DLRESOLVE
81323 + bool 'Emulate old glibc resolver stub'
81324 + depends on PAX_EMUPLT && SPARC
81325 + default n
81326 + help
81327 + This option is needed if userland has an old glibc (before 2.4)
81328 + that puts a 'save' instruction into the runtime generated resolver
81329 + stub that needs special emulation.
81330 +
81331 +config PAX_KERNEXEC
81332 + bool "Enforce non-executable kernel pages"
81333 + depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
81334 + select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
81335 + select PAX_KERNEXEC_PLUGIN if X86_64
81336 + help
81337 + This is the kernel land equivalent of PAGEEXEC and MPROTECT,
81338 + that is, enabling this option will make it harder to inject
81339 + and execute 'foreign' code in kernel memory itself.
81340 +
81341 + Note that on x86_64 kernels there is a known regression when
81342 + this feature and KVM/VMX are both enabled in the host kernel.
81343 +
81344 +config PAX_KERNEXEC_MODULE_TEXT
81345 + int "Minimum amount of memory reserved for module code"
81346 + default "4"
81347 + depends on PAX_KERNEXEC && X86_32 && MODULES
81348 + help
81349 + Due to implementation details the kernel must reserve a fixed
81350 + amount of memory for module code at compile time that cannot be
81351 + changed at runtime. Here you can specify the minimum amount
81352 + in MB that will be reserved. Due to the same implementation
81353 + details this size will always be rounded up to the next 2/4 MB
81354 + boundary (depends on PAE) so the actually available memory for
81355 + module code will usually be more than this minimum.
81356 +
81357 + The default 4 MB should be enough for most users but if you have
81358 + an excessive number of modules (e.g., most distribution configs
81359 + compile many drivers as modules) or use huge modules such as
81360 + nvidia's kernel driver, you will need to adjust this amount.
81361 + A good rule of thumb is to look at your currently loaded kernel
81362 + modules and add up their sizes.
81363 +
81364 +endmenu
81365 +
81366 +menu "Address Space Layout Randomization"
81367 + depends on PAX
81368 +
81369 +config PAX_ASLR
81370 + bool "Address Space Layout Randomization"
81371 + depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
81372 + help
81373 + Many if not most exploit techniques rely on the knowledge of
81374 + certain addresses in the attacked program. The following options
81375 + will allow the kernel to apply a certain amount of randomization
81376 + to specific parts of the program thereby forcing an attacker to
81377 + guess them in most cases. Any failed guess will most likely crash
81378 + the attacked program which allows the kernel to detect such attempts
81379 + and react on them. PaX itself provides no reaction mechanisms,
81380 + instead it is strongly encouraged that you make use of Nergal's
81381 + segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
81382 + (http://www.grsecurity.net/) built-in crash detection features or
81383 + develop one yourself.
81384 +
81385 + By saying Y here you can choose to randomize the following areas:
81386 + - top of the task's kernel stack
81387 + - top of the task's userland stack
81388 + - base address for mmap() requests that do not specify one
81389 + (this includes all libraries)
81390 + - base address of the main executable
81391 +
81392 + It is strongly recommended to say Y here as address space layout
81393 + randomization has negligible impact on performance yet it provides
81394 + a very effective protection.
81395 +
81396 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
81397 + this feature on a per file basis.
81398 +
81399 +config PAX_RANDKSTACK
81400 + bool "Randomize kernel stack base"
81401 + depends on X86_TSC && X86
81402 + help
81403 + By saying Y here the kernel will randomize every task's kernel
81404 + stack on every system call. This will not only force an attacker
81405 + to guess it but also prevent him from making use of possible
81406 + leaked information about it.
81407 +
81408 + Since the kernel stack is a rather scarce resource, randomization
81409 + may cause unexpected stack overflows, therefore you should very
81410 + carefully test your system. Note that once enabled in the kernel
81411 + configuration, this feature cannot be disabled on a per file basis.
81412 +
81413 +config PAX_RANDUSTACK
81414 + bool "Randomize user stack base"
81415 + depends on PAX_ASLR
81416 + help
81417 + By saying Y here the kernel will randomize every task's userland
81418 + stack. The randomization is done in two steps where the second
81419 + one may apply a big amount of shift to the top of the stack and
81420 + cause problems for programs that want to use lots of memory (more
81421 + than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
81422 + For this reason the second step can be controlled by 'chpax' or
81423 + 'paxctl' on a per file basis.
81424 +
81425 +config PAX_RANDMMAP
81426 + bool "Randomize mmap() base"
81427 + depends on PAX_ASLR
81428 + help
81429 + By saying Y here the kernel will use a randomized base address for
81430 + mmap() requests that do not specify one themselves. As a result
81431 + all dynamically loaded libraries will appear at random addresses
81432 + and therefore be harder to exploit by a technique where an attacker
81433 + attempts to execute library code for his purposes (e.g. spawn a
81434 + shell from an exploited program that is running at an elevated
81435 + privilege level).
81436 +
81437 + Furthermore, if a program is relinked as a dynamic ELF file, its
81438 + base address will be randomized as well, completing the full
81439 + randomization of the address space layout. Attacking such programs
81440 + becomes a guess game. You can find an example of doing this at
81441 + http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
81442 + http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
81443 +
81444 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
81445 + feature on a per file basis.
81446 +
81447 +endmenu
81448 +
81449 +menu "Miscellaneous hardening features"
81450 +
81451 +config PAX_MEMORY_SANITIZE
81452 + bool "Sanitize all freed memory"
81453 + help
81454 + By saying Y here the kernel will erase memory pages as soon as they
81455 + are freed. This in turn reduces the lifetime of data stored in the
81456 + pages, making it less likely that sensitive information such as
81457 + passwords, cryptographic secrets, etc stay in memory for too long.
81458 +
81459 + This is especially useful for programs whose runtime is short, long
81460 + lived processes and the kernel itself benefit from this as long as
81461 + they operate on whole memory pages and ensure timely freeing of pages
81462 + that may hold sensitive information.
81463 +
81464 + The tradeoff is performance impact, on a single CPU system kernel
81465 + compilation sees a 3% slowdown, other systems and workloads may vary
81466 + and you are advised to test this feature on your expected workload
81467 + before deploying it.
81468 +
81469 + Note that this feature does not protect data stored in live pages,
81470 + e.g., process memory swapped to disk may stay there for a long time.
81471 +
81472 +config PAX_MEMORY_STACKLEAK
81473 + bool "Sanitize kernel stack"
81474 + depends on X86
81475 + help
81476 + By saying Y here the kernel will erase the kernel stack before it
81477 + returns from a system call. This in turn reduces the information
81478 + that a kernel stack leak bug can reveal.
81479 +
81480 + Note that such a bug can still leak information that was put on
81481 + the stack by the current system call (the one eventually triggering
81482 + the bug) but traces of earlier system calls on the kernel stack
81483 + cannot leak anymore.
81484 +
81485 + The tradeoff is performance impact, on a single CPU system kernel
81486 + compilation sees a 1% slowdown, other systems and workloads may vary
81487 + and you are advised to test this feature on your expected workload
81488 + before deploying it.
81489 +
81490 + Note: full support for this feature requires gcc with plugin support
81491 + so make sure your compiler is at least gcc 4.5.0 (cross compilation
81492 + is not supported). Using older gcc versions means that functions
81493 + with large enough stack frames may leave uninitialized memory behind
81494 + that may be exposed to a later syscall leaking the stack.
81495 +
81496 +config PAX_MEMORY_UDEREF
81497 + bool "Prevent invalid userland pointer dereference"
81498 + depends on X86 && !UML_X86 && !XEN
81499 + select PAX_PER_CPU_PGD if X86_64
81500 + help
81501 + By saying Y here the kernel will be prevented from dereferencing
81502 + userland pointers in contexts where the kernel expects only kernel
81503 + pointers. This is both a useful runtime debugging feature and a
81504 + security measure that prevents exploiting a class of kernel bugs.
81505 +
81506 + The tradeoff is that some virtualization solutions may experience
81507 + a huge slowdown and therefore you should not enable this feature
81508 + for kernels meant to run in such environments. Whether a given VM
81509 + solution is affected or not is best determined by simply trying it
81510 + out, the performance impact will be obvious right on boot as this
81511 + mechanism engages from very early on. A good rule of thumb is that
81512 + VMs running on CPUs without hardware virtualization support (i.e.,
81513 + the majority of IA-32 CPUs) will likely experience the slowdown.
81514 +
81515 +config PAX_REFCOUNT
81516 + bool "Prevent various kernel object reference counter overflows"
81517 + depends on GRKERNSEC && (X86 || SPARC64)
81518 + help
81519 + By saying Y here the kernel will detect and prevent overflowing
81520 + various (but not all) kinds of object reference counters. Such
81521 + overflows can normally occur due to bugs only and are often, if
81522 + not always, exploitable.
81523 +
81524 + The tradeoff is that data structures protected by an overflowed
81525 + refcount will never be freed and therefore will leak memory. Note
81526 + that this leak also happens even without this protection but in
81527 + that case the overflow can eventually trigger the freeing of the
81528 + data structure while it is still being used elsewhere, resulting
81529 + in the exploitable situation that this feature prevents.
81530 +
81531 + Since this has a negligible performance impact, you should enable
81532 + this feature.
81533 +
81534 +config PAX_USERCOPY
81535 + bool "Harden heap object copies between kernel and userland"
81536 + depends on X86 || PPC || SPARC || ARM
81537 + depends on GRKERNSEC && (SLAB || SLUB || SLOB)
81538 + help
81539 + By saying Y here the kernel will enforce the size of heap objects
81540 + when they are copied in either direction between the kernel and
81541 + userland, even if only a part of the heap object is copied.
81542 +
81543 + Specifically, this checking prevents information leaking from the
81544 + kernel heap during kernel to userland copies (if the kernel heap
81545 + object is otherwise fully initialized) and prevents kernel heap
81546 + overflows during userland to kernel copies.
81547 +
81548 + Note that the current implementation provides the strictest bounds
81549 + checks for the SLUB allocator.
81550 +
81551 + Enabling this option also enables per-slab cache protection against
81552 + data in a given cache being copied into/out of via userland
81553 + accessors. Though the whitelist of regions will be reduced over
81554 + time, it notably protects important data structures like task structs.
81555 +
81556 +
81557 + If frame pointers are enabled on x86, this option will also
81558 + restrict copies into and out of the kernel stack to local variables
81559 + within a single frame.
81560 +
81561 + Since this has a negligible performance impact, you should enable
81562 + this feature.
81563 +
81564 +endmenu
81565 +
81566 +endmenu
81567 +
81568 config KEYS
81569 bool "Enable access key retention support"
81570 help
81571 @@ -146,7 +699,7 @@ config INTEL_TXT
81572 config LSM_MMAP_MIN_ADDR
81573 int "Low address space for LSM to protect from user allocation"
81574 depends on SECURITY && SECURITY_SELINUX
81575 - default 65536
81576 + default 32768
81577 help
81578 This is the portion of low virtual memory which should be protected
81579 from userspace allocation. Keeping a user from writing to low pages
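Review bot: The new `default 32768` for LSM_MMAP_MIN_ADDR halves the low-memory range kept away from userspace mappings, and nothing in the hunk says why. A smaller floor leaves less margin when a kernel NULL-pointer dereference with a large offset lands in a page userspace was allowed to map, so the reason (presumably compatibility with some architecture or userland) should be recorded. The help text continues outside the hunk; if it still recommends 65536 it should be brought in line, for example with `The default was lowered to 32768 because <reason>; raise it where userland allows.`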
81580 diff -urNp linux-2.6.32.49/security/keys/keyring.c linux-2.6.32.49/security/keys/keyring.c
81581 --- linux-2.6.32.49/security/keys/keyring.c 2011-11-08 19:02:43.000000000 -0500
81582 +++ linux-2.6.32.49/security/keys/keyring.c 2011-11-15 19:59:43.000000000 -0500
81583 @@ -214,15 +214,15 @@ static long keyring_read(const struct ke
81584 ret = -EFAULT;
81585
81586 for (loop = 0; loop < klist->nkeys; loop++) {
81587 + key_serial_t serial;
81588 key = klist->keys[loop];
81589 + serial = key->serial;
81590
81591 tmp = sizeof(key_serial_t);
81592 if (tmp > buflen)
81593 tmp = buflen;
81594
81595 - if (copy_to_user(buffer,
81596 - &key->serial,
81597 - tmp) != 0)
81598 + if (copy_to_user(buffer, &serial, tmp))
81599 goto error;
81600
81601 buflen -= tmp;
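Review bot: The copy through the new local `serial` in the loop has no comment, so a later cleanup could easily revert it to `&key->serial`. Presumably the bounce exists so that copy_to_user() reads from a stack variable rather than from the middle of a heap-allocated key object, which is what the PAX_USERCOPY size check described in the Kconfig help would inspect. A one-line comment such as `/* copy from a stack local so the usercopy check sees a whole object */` above `serial = key->serial;` would state that. keyring_read's body starts and ends outside the hunk.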
81602 diff -urNp linux-2.6.32.49/security/min_addr.c linux-2.6.32.49/security/min_addr.c
81603 --- linux-2.6.32.49/security/min_addr.c 2011-11-08 19:02:43.000000000 -0500
81604 +++ linux-2.6.32.49/security/min_addr.c 2011-11-15 19:59:43.000000000 -0500
81605 @@ -14,6 +14,7 @@ unsigned long dac_mmap_min_addr = CONFIG
81606 */
81607 static void update_mmap_min_addr(void)
81608 {
81609 +#ifndef SPARC
81610 #ifdef CONFIG_LSM_MMAP_MIN_ADDR
81611 if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
81612 mmap_min_addr = dac_mmap_min_addr;
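Review bot: The added guard `#ifndef SPARC` tests a macro that neither Kconfig nor the compiler normally defines, since config symbols carry the `CONFIG_` prefix. Unless `SPARC` is defined somewhere outside this hunk, the condition is always true and the guard does nothing. If the intent is to leave mmap_min_addr untouched on sparc, the line should read `#ifndef CONFIG_SPARC`, with the matching `#endif` in the next hunk kept as is. In that case update_mmap_min_addr() becomes empty on sparc and later changes to dac_mmap_min_addr silently stop taking effect, which deserves a comment such as `/* sparc: mmap_min_addr keeps its initial value because <reason> */`.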
81613 @@ -22,6 +23,7 @@ static void update_mmap_min_addr(void)
81614 #else
81615 mmap_min_addr = dac_mmap_min_addr;
81616 #endif
81617 +#endif
81618 }
81619
81620 /*
81621 diff -urNp linux-2.6.32.49/security/root_plug.c linux-2.6.32.49/security/root_plug.c
81622 --- linux-2.6.32.49/security/root_plug.c 2011-11-08 19:02:43.000000000 -0500
81623 +++ linux-2.6.32.49/security/root_plug.c 2011-11-15 19:59:43.000000000 -0500
81624 @@ -70,7 +70,7 @@ static int rootplug_bprm_check_security
81625 return 0;
81626 }
81627
81628 -static struct security_operations rootplug_security_ops = {
81629 +static struct security_operations rootplug_security_ops __read_only = {
81630 .bprm_check_security = rootplug_bprm_check_security,
81631 };
81632
81633 diff -urNp linux-2.6.32.49/security/security.c linux-2.6.32.49/security/security.c
81634 --- linux-2.6.32.49/security/security.c 2011-11-08 19:02:43.000000000 -0500
81635 +++ linux-2.6.32.49/security/security.c 2011-11-15 19:59:43.000000000 -0500
81636 @@ -24,7 +24,7 @@ static __initdata char chosen_lsm[SECURI
81637 extern struct security_operations default_security_ops;
81638 extern void security_fixup_ops(struct security_operations *ops);
81639
81640 -struct security_operations *security_ops; /* Initialized to NULL */
81641 +struct security_operations *security_ops __read_only; /* Initialized to NULL */
81642
81643 static inline int verify(struct security_operations *ops)
81644 {
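Review bot: Marking `security_ops` `__read_only` makes every later store to it depend on a pax_open_kernel()/pax_close_kernel() bracket, but the declaration's comment still only says `/* Initialized to NULL */`. The selinux_disable() hunk further down adds that bracket for its one assignment; any other assignment outside the visible hunks needs the same treatment or has to run before read-only data is protected. The same holds for the ops tables given `__read_only` in root_plug.c, selinux/hooks.c, smack_lsm.c and tomoyo.c, which `security_fixup_ops()` (declared just above) presumably writes into at registration time. I would extend the comment to `/* Initialized to NULL; __read_only, so writes after init need pax_open_kernel() */`.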
81645 @@ -106,7 +106,7 @@ int __init security_module_enable(struct
81646 * If there is already a security module registered with the kernel,
81647 * an error will be returned. Otherwise %0 is returned on success.
81648 */
81649 -int register_security(struct security_operations *ops)
81650 +int __init register_security(struct security_operations *ops)
81651 {
81652 if (verify(ops)) {
81653 printk(KERN_DEBUG "%s could not verify "
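Review bot: With `register_security()` now `__init`, its text is discarded after boot, yet the kerneldoc comment above it does not mention the restriction. A caller that is not itself in an init section would reference freed code, and the build-time section-mismatch warning is the only guard; no such caller is visible in this diff, but the callers are outside the hunk. Adding a line such as ` * This function may only be called from __init code.` to the comment block makes the contract explicit. The function body continues outside the hunk.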
81654 diff -urNp linux-2.6.32.49/security/selinux/hooks.c linux-2.6.32.49/security/selinux/hooks.c
81655 --- linux-2.6.32.49/security/selinux/hooks.c 2011-11-08 19:02:43.000000000 -0500
81656 +++ linux-2.6.32.49/security/selinux/hooks.c 2011-11-15 19:59:43.000000000 -0500
81657 @@ -131,7 +131,7 @@ int selinux_enabled = 1;
81658 * Minimal support for a secondary security module,
81659 * just to allow the use of the capability module.
81660 */
81661 -static struct security_operations *secondary_ops;
81662 +static struct security_operations *secondary_ops __read_only;
81663
81664 /* Lists of inode and superblock security structures initialized
81665 before the policy was loaded. */
81666 @@ -5457,7 +5457,7 @@ static int selinux_key_getsecurity(struc
81667
81668 #endif
81669
81670 -static struct security_operations selinux_ops = {
81671 +static struct security_operations selinux_ops __read_only = {
81672 .name = "selinux",
81673
81674 .ptrace_access_check = selinux_ptrace_access_check,
81675 @@ -5841,7 +5841,9 @@ int selinux_disable(void)
81676 avc_disable();
81677
81678 /* Reset security_ops to the secondary module, dummy or capability. */
81679 + pax_open_kernel();
81680 security_ops = secondary_ops;
81681 + pax_close_kernel();
81682
81683 /* Unregister netfilter hooks. */
81684 selinux_nf_ip_exit();
81685 diff -urNp linux-2.6.32.49/security/selinux/include/xfrm.h linux-2.6.32.49/security/selinux/include/xfrm.h
81686 --- linux-2.6.32.49/security/selinux/include/xfrm.h 2011-11-08 19:02:43.000000000 -0500
81687 +++ linux-2.6.32.49/security/selinux/include/xfrm.h 2011-11-15 19:59:43.000000000 -0500
81688 @@ -48,7 +48,7 @@ int selinux_xfrm_decode_session(struct s
81689
81690 static inline void selinux_xfrm_notify_policyload(void)
81691 {
81692 - atomic_inc(&flow_cache_genid);
81693 + atomic_inc_unchecked(&flow_cache_genid);
81694 }
81695 #else
81696 static inline int selinux_xfrm_enabled(void)
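Review bot: The switch to `atomic_inc_unchecked()` in selinux_xfrm_notify_policyload() opts `flow_cache_genid` out of overflow detection without saying why. Presumably it is a generation counter that is allowed to wrap rather than a reference count, which is the case the PAX_REFCOUNT help text describes. Its declaration is outside this hunk and would have to use the matching unchecked atomic type for the call to be consistent. A short comment, `/* generation counter, wrapping is harmless */`, would keep a later reader from switching it back.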
81697 diff -urNp linux-2.6.32.49/security/selinux/ss/services.c linux-2.6.32.49/security/selinux/ss/services.c
81698 --- linux-2.6.32.49/security/selinux/ss/services.c 2011-11-08 19:02:43.000000000 -0500
81699 +++ linux-2.6.32.49/security/selinux/ss/services.c 2011-11-15 19:59:43.000000000 -0500
81700 @@ -1715,6 +1715,8 @@ int security_load_policy(void *data, siz
81701 int rc = 0;
81702 struct policy_file file = { data, len }, *fp = &file;
81703
81704 + pax_track_stack();
81705 +
81706 if (!ss_initialized) {
81707 avtab_cache_init();
81708 if (policydb_read(&policydb, fp)) {
81709 diff -urNp linux-2.6.32.49/security/smack/smack_lsm.c linux-2.6.32.49/security/smack/smack_lsm.c
81710 --- linux-2.6.32.49/security/smack/smack_lsm.c 2011-11-08 19:02:43.000000000 -0500
81711 +++ linux-2.6.32.49/security/smack/smack_lsm.c 2011-11-15 19:59:43.000000000 -0500
81712 @@ -3073,7 +3073,7 @@ static int smack_inode_getsecctx(struct
81713 return 0;
81714 }
81715
81716 -struct security_operations smack_ops = {
81717 +struct security_operations smack_ops __read_only = {
81718 .name = "smack",
81719
81720 .ptrace_access_check = smack_ptrace_access_check,
81721 diff -urNp linux-2.6.32.49/security/tomoyo/tomoyo.c linux-2.6.32.49/security/tomoyo/tomoyo.c
81722 --- linux-2.6.32.49/security/tomoyo/tomoyo.c 2011-11-08 19:02:43.000000000 -0500
81723 +++ linux-2.6.32.49/security/tomoyo/tomoyo.c 2011-11-15 19:59:43.000000000 -0500
81724 @@ -275,7 +275,7 @@ static int tomoyo_dentry_open(struct fil
81725 * tomoyo_security_ops is a "struct security_operations" which is used for
81726 * registering TOMOYO.
81727 */
81728 -static struct security_operations tomoyo_security_ops = {
81729 +static struct security_operations tomoyo_security_ops __read_only = {
81730 .name = "tomoyo",
81731 .cred_alloc_blank = tomoyo_cred_alloc_blank,
81732 .cred_prepare = tomoyo_cred_prepare,
81733 diff -urNp linux-2.6.32.49/sound/aoa/codecs/onyx.c linux-2.6.32.49/sound/aoa/codecs/onyx.c
81734 --- linux-2.6.32.49/sound/aoa/codecs/onyx.c 2011-11-08 19:02:43.000000000 -0500
81735 +++ linux-2.6.32.49/sound/aoa/codecs/onyx.c 2011-11-15 19:59:43.000000000 -0500
81736 @@ -53,7 +53,7 @@ struct onyx {
81737 spdif_locked:1,
81738 analog_locked:1,
81739 original_mute:2;
81740 - int open_count;
81741 + local_t open_count;
81742 struct codec_info *codec_info;
81743
81744 /* mutex serializes concurrent access to the device
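Review bot: `open_count` becomes a `local_t` although both accesses shown in this diff (onyx_open and onyx_close in the next two hunks) already run under `onyx->mutex`, so the type is not needed for atomicity and the reason for it is not stated. Any other reader or writer of the field outside these hunks has to be converted to the `local_*` accessors as well, since a plain `onyx->open_count` expression no longer works on the new type. A field comment such as `/* local_t: <reason>; still protected by mutex */` would record the intent. struct onyx starts and ends outside the hunk.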
81745 @@ -752,7 +752,7 @@ static int onyx_open(struct codec_info_i
81746 struct onyx *onyx = cii->codec_data;
81747
81748 mutex_lock(&onyx->mutex);
81749 - onyx->open_count++;
81750 + local_inc(&onyx->open_count);
81751 mutex_unlock(&onyx->mutex);
81752
81753 return 0;
81754 @@ -764,8 +764,7 @@ static int onyx_close(struct codec_info_
81755 struct onyx *onyx = cii->codec_data;
81756
81757 mutex_lock(&onyx->mutex);
81758 - onyx->open_count--;
81759 - if (!onyx->open_count)
81760 + if (local_dec_and_test(&onyx->open_count))
81761 onyx->spdif_locked = onyx->analog_locked = 0;
81762 mutex_unlock(&onyx->mutex);
81763
81764 diff -urNp linux-2.6.32.49/sound/aoa/codecs/onyx.h linux-2.6.32.49/sound/aoa/codecs/onyx.h
81765 --- linux-2.6.32.49/sound/aoa/codecs/onyx.h 2011-11-08 19:02:43.000000000 -0500
81766 +++ linux-2.6.32.49/sound/aoa/codecs/onyx.h 2011-11-15 19:59:43.000000000 -0500
81767 @@ -11,6 +11,7 @@
81768 #include <linux/i2c.h>
81769 #include <asm/pmac_low_i2c.h>
81770 #include <asm/prom.h>
81771 +#include <asm/local.h>
81772
81773 /* PCM3052 register definitions */
81774
81775 diff -urNp linux-2.6.32.49/sound/core/oss/pcm_oss.c linux-2.6.32.49/sound/core/oss/pcm_oss.c
81776 --- linux-2.6.32.49/sound/core/oss/pcm_oss.c 2011-11-08 19:02:43.000000000 -0500
81777 +++ linux-2.6.32.49/sound/core/oss/pcm_oss.c 2011-11-15 19:59:43.000000000 -0500
81778 @@ -1395,7 +1395,7 @@ static ssize_t snd_pcm_oss_write1(struct
81779 }
81780 } else {
81781 tmp = snd_pcm_oss_write2(substream,
81782 - (const char __force *)buf,
81783 + (const char __force_kernel *)buf,
81784 runtime->oss.period_bytes, 0);
81785 if (tmp <= 0)
81786 goto err;
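Review bot: The `(const char __force_kernel *)buf` cast in the `snd_pcm_oss_write2()` call needs a comment explaining why relabelling the pointer is safe. A forced cast switches off address-space checking for exactly the argument that carries caller-supplied data. The declaration of `buf` and the meaning of the trailing `0` argument are outside the hunk. If `buf` is a userspace pointer at this point, the comment should say so and name where it is treated as `__user` again before being dereferenced. The `snd_pcm_oss_read2()` call in the next hunk has the same cast and needs the same note.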
81787 @@ -1483,7 +1483,7 @@ static ssize_t snd_pcm_oss_read1(struct
81788 xfer += tmp;
81789 runtime->oss.buffer_used -= tmp;
81790 } else {
81791 - tmp = snd_pcm_oss_read2(substream, (char __force *)buf,
81792 + tmp = snd_pcm_oss_read2(substream, (char __force_kernel *)buf,
81793 runtime->oss.period_bytes, 0);
81794 if (tmp <= 0)
81795 goto err;
81796 diff -urNp linux-2.6.32.49/sound/core/pcm_compat.c linux-2.6.32.49/sound/core/pcm_compat.c
81797 --- linux-2.6.32.49/sound/core/pcm_compat.c 2011-11-08 19:02:43.000000000 -0500
81798 +++ linux-2.6.32.49/sound/core/pcm_compat.c 2011-11-15 19:59:43.000000000 -0500
81799 @@ -30,7 +30,7 @@ static int snd_pcm_ioctl_delay_compat(st
81800 int err;
81801
81802 fs = snd_enter_user();
81803 - err = snd_pcm_delay(substream, &delay);
81804 + err = snd_pcm_delay(substream, (snd_pcm_sframes_t __force_user *)&delay);
81805 snd_leave_user(fs);
81806 if (err < 0)
81807 return err;
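Review bot: `(snd_pcm_sframes_t __force_user *)&delay` passes the address of a kernel local as a user pointer. That is only acceptable inside the `snd_enter_user()` / `snd_leave_user(fs)` bracket visible around the call, which presumably widens the address limit. I would state that dependency next to the cast, for example `/* &delay is a kernel address; valid as __user only while snd_enter_user() is in effect */`, so the cast is not copied to a place without the bracket. The `(void __force_user *)arg` casts in `snd_pcm_kernel_ioctl()` in sound/core/pcm_native.c need the same justification, since `arg` there is expected to be a kernel pointer as well. The function body starts outside the hunk.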
81808 diff -urNp linux-2.6.32.49/sound/core/pcm_native.c linux-2.6.32.49/sound/core/pcm_native.c
81809 --- linux-2.6.32.49/sound/core/pcm_native.c 2011-11-08 19:02:43.000000000 -0500
81810 +++ linux-2.6.32.49/sound/core/pcm_native.c 2011-11-15 19:59:43.000000000 -0500
81811 @@ -2747,11 +2747,11 @@ int snd_pcm_kernel_ioctl(struct snd_pcm_
81812 switch (substream->stream) {
81813 case SNDRV_PCM_STREAM_PLAYBACK:
81814 result = snd_pcm_playback_ioctl1(NULL, substream, cmd,
81815 - (void __user *)arg);
81816 + (void __force_user *)arg);
81817 break;
81818 case SNDRV_PCM_STREAM_CAPTURE:
81819 result = snd_pcm_capture_ioctl1(NULL, substream, cmd,
81820 - (void __user *)arg);
81821 + (void __force_user *)arg);
81822 break;
81823 default:
81824 result = -EINVAL;
81825 diff -urNp linux-2.6.32.49/sound/core/seq/seq_device.c linux-2.6.32.49/sound/core/seq/seq_device.c
81826 --- linux-2.6.32.49/sound/core/seq/seq_device.c 2011-11-08 19:02:43.000000000 -0500
81827 +++ linux-2.6.32.49/sound/core/seq/seq_device.c 2011-11-15 19:59:43.000000000 -0500
81828 @@ -63,7 +63,7 @@ struct ops_list {
81829 int argsize; /* argument size */
81830
81831 /* operators */
81832 - struct snd_seq_dev_ops ops;
81833 + struct snd_seq_dev_ops *ops;
81834
81835 /* registred devices */
81836 struct list_head dev_list; /* list of devices */
81837 @@ -332,7 +332,7 @@ int snd_seq_device_register_driver(char
81838
81839 mutex_lock(&ops->reg_mutex);
81840 /* copy driver operators */
81841 - ops->ops = *entry;
81842 + ops->ops = entry;
81843 ops->driver |= DRIVER_LOADED;
81844 ops->argsize = argsize;
81845
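Review bot: `ops->ops = entry;` now stores the caller's pointer instead of copying the structure, so the `/* copy driver operators */` comment just above is stale and the lifetime contract has changed. `entry` must stay valid for as long as `init_device()` and `free_device()` (later hunks) can call `ops->ops->init_device` and `ops->ops->free_device`. The callers of `snd_seq_device_register_driver()` are not visible here, so whether each one passes a static object needs checking. I would reword the comment to `/* keep a reference to the driver operators; entry must outlive the registration */` and set `ops->ops` to `NULL` on the unregister path so a late call fails visibly rather than through a dangling pointer. The function body continues outside the hunk.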
81846 @@ -462,7 +462,7 @@ static int init_device(struct snd_seq_de
81847 dev->name, ops->id, ops->argsize, dev->argsize);
81848 return -EINVAL;
81849 }
81850 - if (ops->ops.init_device(dev) >= 0) {
81851 + if (ops->ops->init_device(dev) >= 0) {
81852 dev->status = SNDRV_SEQ_DEVICE_REGISTERED;
81853 ops->num_init_devices++;
81854 } else {
81855 @@ -489,7 +489,7 @@ static int free_device(struct snd_seq_de
81856 dev->name, ops->id, ops->argsize, dev->argsize);
81857 return -EINVAL;
81858 }
81859 - if ((result = ops->ops.free_device(dev)) >= 0 || result == -ENXIO) {
81860 + if ((result = ops->ops->free_device(dev)) >= 0 || result == -ENXIO) {
81861 dev->status = SNDRV_SEQ_DEVICE_FREE;
81862 dev->driver_data = NULL;
81863 ops->num_init_devices--;
81864 diff -urNp linux-2.6.32.49/sound/drivers/mts64.c linux-2.6.32.49/sound/drivers/mts64.c
81865 --- linux-2.6.32.49/sound/drivers/mts64.c 2011-11-08 19:02:43.000000000 -0500
81866 +++ linux-2.6.32.49/sound/drivers/mts64.c 2011-11-15 19:59:43.000000000 -0500
81867 @@ -27,6 +27,7 @@
81868 #include <sound/initval.h>
81869 #include <sound/rawmidi.h>
81870 #include <sound/control.h>
81871 +#include <asm/local.h>
81872
81873 #define CARD_NAME "Miditerminal 4140"
81874 #define DRIVER_NAME "MTS64"
81875 @@ -65,7 +66,7 @@ struct mts64 {
81876 struct pardevice *pardev;
81877 int pardev_claimed;
81878
81879 - int open_count;
81880 + local_t open_count;
81881 int current_midi_output_port;
81882 int current_midi_input_port;
81883 u8 mode[MTS64_NUM_INPUT_PORTS];
81884 @@ -695,7 +696,7 @@ static int snd_mts64_rawmidi_open(struct
81885 {
81886 struct mts64 *mts = substream->rmidi->private_data;
81887
81888 - if (mts->open_count == 0) {
81889 + if (local_read(&mts->open_count) == 0) {
81890 /* We don't need a spinlock here, because this is just called
81891 if the device has not been opened before.
81892 So there aren't any IRQs from the device */
81893 @@ -703,7 +704,7 @@ static int snd_mts64_rawmidi_open(struct
81894
81895 msleep(50);
81896 }
81897 - ++(mts->open_count);
81898 + local_inc(&mts->open_count);
81899
81900 return 0;
81901 }
81902 @@ -713,8 +714,7 @@ static int snd_mts64_rawmidi_close(struc
81903 struct mts64 *mts = substream->rmidi->private_data;
81904 unsigned long flags;
81905
81906 - --(mts->open_count);
81907 - if (mts->open_count == 0) {
81908 + if (local_dec_return(&mts->open_count) == 0) {
81909 /* We need the spinlock_irqsave here because we can still
81910 have IRQs at this point */
81911 spin_lock_irqsave(&mts->lock, flags);
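Review bot: The close path now reads the counter twice, once with `local_dec_return(&mts->open_count) == 0` here and again with `local_read(&mts->open_count) < 0` followed by `local_set(..., 0)` in the next hunk. The three operations are not one atomic step, and `local_t` is atomic only with respect to the current CPU. Keeping the decremented value in a local makes the branch consistent: `long cnt = local_dec_return(&mts->open_count);`, then `if (cnt == 0) {` and `} else if (cnt < 0)`. The open path in the earlier hunks has the same check-then-act shape (`local_read(...) == 0`, later `local_inc(...)`). If open and close can run concurrently, which the hunks do not show, the counter needs a lock rather than a different integer type. `snd_mts64_rawmidi_close()` spans this hunk and the next.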
81912 @@ -723,8 +723,8 @@ static int snd_mts64_rawmidi_close(struc
81913
81914 msleep(500);
81915
81916 - } else if (mts->open_count < 0)
81917 - mts->open_count = 0;
81918 + } else if (local_read(&mts->open_count) < 0)
81919 + local_set(&mts->open_count, 0);
81920
81921 return 0;
81922 }
81923 diff -urNp linux-2.6.32.49/sound/drivers/opl4/opl4_lib.c linux-2.6.32.49/sound/drivers/opl4/opl4_lib.c
81924 --- linux-2.6.32.49/sound/drivers/opl4/opl4_lib.c 2011-11-08 19:02:43.000000000 -0500
81925 +++ linux-2.6.32.49/sound/drivers/opl4/opl4_lib.c 2011-11-15 19:59:43.000000000 -0500
81926 @@ -27,7 +27,7 @@ MODULE_AUTHOR("Clemens Ladisch <clemens@
81927 MODULE_DESCRIPTION("OPL4 driver");
81928 MODULE_LICENSE("GPL");
81929
81930 -static void inline snd_opl4_wait(struct snd_opl4 *opl4)
81931 +static inline void snd_opl4_wait(struct snd_opl4 *opl4)
81932 {
81933 int timeout = 10;
81934 while ((inb(opl4->fm_port) & OPL4_STATUS_BUSY) && --timeout > 0)
81935 diff -urNp linux-2.6.32.49/sound/drivers/portman2x4.c linux-2.6.32.49/sound/drivers/portman2x4.c
81936 --- linux-2.6.32.49/sound/drivers/portman2x4.c 2011-11-08 19:02:43.000000000 -0500
81937 +++ linux-2.6.32.49/sound/drivers/portman2x4.c 2011-11-15 19:59:43.000000000 -0500
81938 @@ -46,6 +46,7 @@
81939 #include <sound/initval.h>
81940 #include <sound/rawmidi.h>
81941 #include <sound/control.h>
81942 +#include <asm/local.h>
81943
81944 #define CARD_NAME "Portman 2x4"
81945 #define DRIVER_NAME "portman"
81946 @@ -83,7 +84,7 @@ struct portman {
81947 struct pardevice *pardev;
81948 int pardev_claimed;
81949
81950 - int open_count;
81951 + local_t open_count;
81952 int mode[PORTMAN_NUM_INPUT_PORTS];
81953 struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS];
81954 };
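Review bot: `open_count` in `struct portman` becomes `local_t`, but no hunk for this file converts an access to the `local_*()` helpers, unlike the mts64.c hunks above. Either the field has no users in this file, in which case removing it would be clearer than retyping it, or plain integer accesses remain outside the visible hunks and will no longer compile. I would confirm which applies and, if the field is dead, drop it together with the added `#include <asm/local.h>`.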
81955 diff -urNp linux-2.6.32.49/sound/isa/cmi8330.c linux-2.6.32.49/sound/isa/cmi8330.c
81956 --- linux-2.6.32.49/sound/isa/cmi8330.c 2011-11-08 19:02:43.000000000 -0500
81957 +++ linux-2.6.32.49/sound/isa/cmi8330.c 2011-11-15 19:59:43.000000000 -0500
81958 @@ -173,7 +173,7 @@ struct snd_cmi8330 {
81959
81960 struct snd_pcm *pcm;
81961 struct snd_cmi8330_stream {
81962 - struct snd_pcm_ops ops;
81963 + snd_pcm_ops_no_const ops;
81964 snd_pcm_open_callback_t open;
81965 void *private_data; /* sb or wss */
81966 } streams[2];
81967 diff -urNp linux-2.6.32.49/sound/oss/sb_audio.c linux-2.6.32.49/sound/oss/sb_audio.c
81968 --- linux-2.6.32.49/sound/oss/sb_audio.c 2011-11-08 19:02:43.000000000 -0500
81969 +++ linux-2.6.32.49/sound/oss/sb_audio.c 2011-11-15 19:59:43.000000000 -0500
81970 @@ -901,7 +901,7 @@ sb16_copy_from_user(int dev,
81971 buf16 = (signed short *)(localbuf + localoffs);
81972 while (c)
81973 {
81974 - locallen = (c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
81975 + locallen = ((unsigned)c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
81976 if (copy_from_user(lbuf8,
81977 userbuf+useroffs + p,
81978 locallen))
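Review bot: The `(unsigned)c` cast bounds `locallen` for the `copy_from_user()` call, but it handles a negative `c` by treating it as a large value rather than rejecting it. The loop `while (c)` is still entered in that case. The declaration of `c` and the rest of the loop are outside the hunk, so whether `c` can actually be negative here is not visible. If it can, an explicit guard before the loop, such as `if (c <= 0) return;` with whatever outputs the function must set, states the intent directly. Otherwise a comment on the cast, `/* c < 0 is clamped to LBUFCOPYSIZE */`, documents why it is there.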
81979 diff -urNp linux-2.6.32.49/sound/oss/swarm_cs4297a.c linux-2.6.32.49/sound/oss/swarm_cs4297a.c
81980 --- linux-2.6.32.49/sound/oss/swarm_cs4297a.c 2011-11-08 19:02:43.000000000 -0500
81981 +++ linux-2.6.32.49/sound/oss/swarm_cs4297a.c 2011-11-15 19:59:43.000000000 -0500
81982 @@ -2577,7 +2577,6 @@ static int __init cs4297a_init(void)
81983 {
81984 struct cs4297a_state *s;
81985 u32 pwr, id;
81986 - mm_segment_t fs;
81987 int rval;
81988 #ifndef CONFIG_BCM_CS4297A_CSWARM
81989 u64 cfg;
81990 @@ -2667,22 +2666,23 @@ static int __init cs4297a_init(void)
81991 if (!rval) {
81992 char *sb1250_duart_present;
81993
81994 +#if 0
81995 + mm_segment_t fs;
81996 fs = get_fs();
81997 set_fs(KERNEL_DS);
81998 -#if 0
81999 val = SOUND_MASK_LINE;
82000 mixer_ioctl(s, SOUND_MIXER_WRITE_RECSRC, (unsigned long) &val);
82001 for (i = 0; i < ARRAY_SIZE(initvol); i++) {
82002 val = initvol[i].vol;
82003 mixer_ioctl(s, initvol[i].mixch, (unsigned long) &val);
82004 }
82005 + set_fs(fs);
82006 // cs4297a_write_ac97(s, 0x18, 0x0808);
82007 #else
82008 // cs4297a_write_ac97(s, 0x5e, 0x180);
82009 cs4297a_write_ac97(s, 0x02, 0x0808);
82010 cs4297a_write_ac97(s, 0x18, 0x0808);
82011 #endif
82012 - set_fs(fs);
82013
82014 list_add(&s->list, &cs4297a_devs);
82015
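Review bot: The `get_fs()` / `set_fs(KERNEL_DS)` / `set_fs(fs)` sequence is moved inside the `#if 0` branch, which removes the address-limit change from the live path but keeps it as dead code alongside the `mixer_ioctl()` calls. Deleting the disabled branch would be cleaner than maintaining it, since anyone re-enabling it gets a `KERNEL_DS` window back without review. If the block must stay for reference, a comment such as `/* disabled: needs set_fs(KERNEL_DS) because mixer_ioctl() takes a user pointer */` should say why it is off. `cs4297a_init()` starts and continues outside the hunk.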
82016 diff -urNp linux-2.6.32.49/sound/pci/ac97/ac97_codec.c linux-2.6.32.49/sound/pci/ac97/ac97_codec.c
82017 --- linux-2.6.32.49/sound/pci/ac97/ac97_codec.c 2011-11-08 19:02:43.000000000 -0500
82018 +++ linux-2.6.32.49/sound/pci/ac97/ac97_codec.c 2011-11-15 19:59:43.000000000 -0500
82019 @@ -1952,7 +1952,7 @@ static int snd_ac97_dev_disconnect(struc
82020 }
82021
82022 /* build_ops to do nothing */
82023 -static struct snd_ac97_build_ops null_build_ops;
82024 +static const struct snd_ac97_build_ops null_build_ops;
82025
82026 #ifdef CONFIG_SND_AC97_POWER_SAVE
82027 static void do_update_power(struct work_struct *work)
82028 diff -urNp linux-2.6.32.49/sound/pci/ac97/ac97_patch.c linux-2.6.32.49/sound/pci/ac97/ac97_patch.c
82029 --- linux-2.6.32.49/sound/pci/ac97/ac97_patch.c 2011-11-08 19:02:43.000000000 -0500
82030 +++ linux-2.6.32.49/sound/pci/ac97/ac97_patch.c 2011-11-15 19:59:43.000000000 -0500
82031 @@ -371,7 +371,7 @@ static int patch_yamaha_ymf743_build_spd
82032 return 0;
82033 }
82034
82035 -static struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
82036 +static const struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
82037 .build_spdif = patch_yamaha_ymf743_build_spdif,
82038 .build_3d = patch_yamaha_ymf7x3_3d,
82039 };
82040 @@ -455,7 +455,7 @@ static int patch_yamaha_ymf753_post_spdi
82041 return 0;
82042 }
82043
82044 -static struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
82045 +static const struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
82046 .build_3d = patch_yamaha_ymf7x3_3d,
82047 .build_post_spdif = patch_yamaha_ymf753_post_spdif
82048 };
82049 @@ -502,7 +502,7 @@ static int patch_wolfson_wm9703_specific
82050 return 0;
82051 }
82052
82053 -static struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
82054 +static const struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
82055 .build_specific = patch_wolfson_wm9703_specific,
82056 };
82057
82058 @@ -533,7 +533,7 @@ static int patch_wolfson_wm9704_specific
82059 return 0;
82060 }
82061
82062 -static struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
82063 +static const struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
82064 .build_specific = patch_wolfson_wm9704_specific,
82065 };
82066
82067 @@ -555,7 +555,7 @@ static int patch_wolfson_wm9705_specific
82068 return 0;
82069 }
82070
82071 -static struct snd_ac97_build_ops patch_wolfson_wm9705_ops = {
82072 +static const struct snd_ac97_build_ops patch_wolfson_wm9705_ops = {
82073 .build_specific = patch_wolfson_wm9705_specific,
82074 };
82075
82076 @@ -692,7 +692,7 @@ static int patch_wolfson_wm9711_specific
82077 return 0;
82078 }
82079
82080 -static struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
82081 +static const struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
82082 .build_specific = patch_wolfson_wm9711_specific,
82083 };
82084
82085 @@ -886,7 +886,7 @@ static void patch_wolfson_wm9713_resume
82086 }
82087 #endif
82088
82089 -static struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
82090 +static const struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
82091 .build_specific = patch_wolfson_wm9713_specific,
82092 .build_3d = patch_wolfson_wm9713_3d,
82093 #ifdef CONFIG_PM
82094 @@ -991,7 +991,7 @@ static int patch_sigmatel_stac97xx_speci
82095 return 0;
82096 }
82097
82098 -static struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
82099 +static const struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
82100 .build_3d = patch_sigmatel_stac9700_3d,
82101 .build_specific = patch_sigmatel_stac97xx_specific
82102 };
82103 @@ -1038,7 +1038,7 @@ static int patch_sigmatel_stac9708_speci
82104 return patch_sigmatel_stac97xx_specific(ac97);
82105 }
82106
82107 -static struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
82108 +static const struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
82109 .build_3d = patch_sigmatel_stac9708_3d,
82110 .build_specific = patch_sigmatel_stac9708_specific
82111 };
82112 @@ -1267,7 +1267,7 @@ static int patch_sigmatel_stac9758_speci
82113 return 0;
82114 }
82115
82116 -static struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
82117 +static const struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
82118 .build_3d = patch_sigmatel_stac9700_3d,
82119 .build_specific = patch_sigmatel_stac9758_specific
82120 };
82121 @@ -1342,7 +1342,7 @@ static int patch_cirrus_build_spdif(stru
82122 return 0;
82123 }
82124
82125 -static struct snd_ac97_build_ops patch_cirrus_ops = {
82126 +static const struct snd_ac97_build_ops patch_cirrus_ops = {
82127 .build_spdif = patch_cirrus_build_spdif
82128 };
82129
82130 @@ -1399,7 +1399,7 @@ static int patch_conexant_build_spdif(st
82131 return 0;
82132 }
82133
82134 -static struct snd_ac97_build_ops patch_conexant_ops = {
82135 +static const struct snd_ac97_build_ops patch_conexant_ops = {
82136 .build_spdif = patch_conexant_build_spdif
82137 };
82138
82139 @@ -1575,7 +1575,7 @@ static void patch_ad1881_chained(struct
82140 }
82141 }
82142
82143 -static struct snd_ac97_build_ops patch_ad1881_build_ops = {
82144 +static const struct snd_ac97_build_ops patch_ad1881_build_ops = {
82145 #ifdef CONFIG_PM
82146 .resume = ad18xx_resume
82147 #endif
82148 @@ -1662,7 +1662,7 @@ static int patch_ad1885_specific(struct
82149 return 0;
82150 }
82151
82152 -static struct snd_ac97_build_ops patch_ad1885_build_ops = {
82153 +static const struct snd_ac97_build_ops patch_ad1885_build_ops = {
82154 .build_specific = &patch_ad1885_specific,
82155 #ifdef CONFIG_PM
82156 .resume = ad18xx_resume
82157 @@ -1689,7 +1689,7 @@ static int patch_ad1886_specific(struct
82158 return 0;
82159 }
82160
82161 -static struct snd_ac97_build_ops patch_ad1886_build_ops = {
82162 +static const struct snd_ac97_build_ops patch_ad1886_build_ops = {
82163 .build_specific = &patch_ad1886_specific,
82164 #ifdef CONFIG_PM
82165 .resume = ad18xx_resume
82166 @@ -1896,7 +1896,7 @@ static int patch_ad1981a_specific(struct
82167 ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
82168 }
82169
82170 -static struct snd_ac97_build_ops patch_ad1981a_build_ops = {
82171 +static const struct snd_ac97_build_ops patch_ad1981a_build_ops = {
82172 .build_post_spdif = patch_ad198x_post_spdif,
82173 .build_specific = patch_ad1981a_specific,
82174 #ifdef CONFIG_PM
82175 @@ -1952,7 +1952,7 @@ static int patch_ad1981b_specific(struct
82176 ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
82177 }
82178
82179 -static struct snd_ac97_build_ops patch_ad1981b_build_ops = {
82180 +static const struct snd_ac97_build_ops patch_ad1981b_build_ops = {
82181 .build_post_spdif = patch_ad198x_post_spdif,
82182 .build_specific = patch_ad1981b_specific,
82183 #ifdef CONFIG_PM
82184 @@ -2091,7 +2091,7 @@ static int patch_ad1888_specific(struct
82185 return patch_build_controls(ac97, snd_ac97_ad1888_controls, ARRAY_SIZE(snd_ac97_ad1888_controls));
82186 }
82187
82188 -static struct snd_ac97_build_ops patch_ad1888_build_ops = {
82189 +static const struct snd_ac97_build_ops patch_ad1888_build_ops = {
82190 .build_post_spdif = patch_ad198x_post_spdif,
82191 .build_specific = patch_ad1888_specific,
82192 #ifdef CONFIG_PM
82193 @@ -2140,7 +2140,7 @@ static int patch_ad1980_specific(struct
82194 return patch_build_controls(ac97, &snd_ac97_ad198x_2cmic, 1);
82195 }
82196
82197 -static struct snd_ac97_build_ops patch_ad1980_build_ops = {
82198 +static const struct snd_ac97_build_ops patch_ad1980_build_ops = {
82199 .build_post_spdif = patch_ad198x_post_spdif,
82200 .build_specific = patch_ad1980_specific,
82201 #ifdef CONFIG_PM
82202 @@ -2255,7 +2255,7 @@ static int patch_ad1985_specific(struct
82203 ARRAY_SIZE(snd_ac97_ad1985_controls));
82204 }
82205
82206 -static struct snd_ac97_build_ops patch_ad1985_build_ops = {
82207 +static const struct snd_ac97_build_ops patch_ad1985_build_ops = {
82208 .build_post_spdif = patch_ad198x_post_spdif,
82209 .build_specific = patch_ad1985_specific,
82210 #ifdef CONFIG_PM
82211 @@ -2547,7 +2547,7 @@ static int patch_ad1986_specific(struct
82212 ARRAY_SIZE(snd_ac97_ad1985_controls));
82213 }
82214
82215 -static struct snd_ac97_build_ops patch_ad1986_build_ops = {
82216 +static const struct snd_ac97_build_ops patch_ad1986_build_ops = {
82217 .build_post_spdif = patch_ad198x_post_spdif,
82218 .build_specific = patch_ad1986_specific,
82219 #ifdef CONFIG_PM
82220 @@ -2652,7 +2652,7 @@ static int patch_alc650_specific(struct
82221 return 0;
82222 }
82223
82224 -static struct snd_ac97_build_ops patch_alc650_ops = {
82225 +static const struct snd_ac97_build_ops patch_alc650_ops = {
82226 .build_specific = patch_alc650_specific,
82227 .update_jacks = alc650_update_jacks
82228 };
82229 @@ -2804,7 +2804,7 @@ static int patch_alc655_specific(struct
82230 return 0;
82231 }
82232
82233 -static struct snd_ac97_build_ops patch_alc655_ops = {
82234 +static const struct snd_ac97_build_ops patch_alc655_ops = {
82235 .build_specific = patch_alc655_specific,
82236 .update_jacks = alc655_update_jacks
82237 };
82238 @@ -2916,7 +2916,7 @@ static int patch_alc850_specific(struct
82239 return 0;
82240 }
82241
82242 -static struct snd_ac97_build_ops patch_alc850_ops = {
82243 +static const struct snd_ac97_build_ops patch_alc850_ops = {
82244 .build_specific = patch_alc850_specific,
82245 .update_jacks = alc850_update_jacks
82246 };
82247 @@ -2978,7 +2978,7 @@ static int patch_cm9738_specific(struct
82248 return patch_build_controls(ac97, snd_ac97_cm9738_controls, ARRAY_SIZE(snd_ac97_cm9738_controls));
82249 }
82250
82251 -static struct snd_ac97_build_ops patch_cm9738_ops = {
82252 +static const struct snd_ac97_build_ops patch_cm9738_ops = {
82253 .build_specific = patch_cm9738_specific,
82254 .update_jacks = cm9738_update_jacks
82255 };
82256 @@ -3069,7 +3069,7 @@ static int patch_cm9739_post_spdif(struc
82257 return patch_build_controls(ac97, snd_ac97_cm9739_controls_spdif, ARRAY_SIZE(snd_ac97_cm9739_controls_spdif));
82258 }
82259
82260 -static struct snd_ac97_build_ops patch_cm9739_ops = {
82261 +static const struct snd_ac97_build_ops patch_cm9739_ops = {
82262 .build_specific = patch_cm9739_specific,
82263 .build_post_spdif = patch_cm9739_post_spdif,
82264 .update_jacks = cm9739_update_jacks
82265 @@ -3243,7 +3243,7 @@ static int patch_cm9761_specific(struct
82266 return patch_build_controls(ac97, snd_ac97_cm9761_controls, ARRAY_SIZE(snd_ac97_cm9761_controls));
82267 }
82268
82269 -static struct snd_ac97_build_ops patch_cm9761_ops = {
82270 +static const struct snd_ac97_build_ops patch_cm9761_ops = {
82271 .build_specific = patch_cm9761_specific,
82272 .build_post_spdif = patch_cm9761_post_spdif,
82273 .update_jacks = cm9761_update_jacks
82274 @@ -3339,7 +3339,7 @@ static int patch_cm9780_specific(struct
82275 return patch_build_controls(ac97, cm9780_controls, ARRAY_SIZE(cm9780_controls));
82276 }
82277
82278 -static struct snd_ac97_build_ops patch_cm9780_ops = {
82279 +static const struct snd_ac97_build_ops patch_cm9780_ops = {
82280 .build_specific = patch_cm9780_specific,
82281 .build_post_spdif = patch_cm9761_post_spdif /* identical with CM9761 */
82282 };
82283 @@ -3459,7 +3459,7 @@ static int patch_vt1616_specific(struct
82284 return 0;
82285 }
82286
82287 -static struct snd_ac97_build_ops patch_vt1616_ops = {
82288 +static const struct snd_ac97_build_ops patch_vt1616_ops = {
82289 .build_specific = patch_vt1616_specific
82290 };
82291
82292 @@ -3813,7 +3813,7 @@ static int patch_it2646_specific(struct
82293 return 0;
82294 }
82295
82296 -static struct snd_ac97_build_ops patch_it2646_ops = {
82297 +static const struct snd_ac97_build_ops patch_it2646_ops = {
82298 .build_specific = patch_it2646_specific,
82299 .update_jacks = it2646_update_jacks
82300 };
82301 @@ -3847,7 +3847,7 @@ static int patch_si3036_specific(struct
82302 return 0;
82303 }
82304
82305 -static struct snd_ac97_build_ops patch_si3036_ops = {
82306 +static const struct snd_ac97_build_ops patch_si3036_ops = {
82307 .build_specific = patch_si3036_specific,
82308 };
82309
82310 @@ -3914,7 +3914,7 @@ static int patch_ucb1400_specific(struct
82311 return 0;
82312 }
82313
82314 -static struct snd_ac97_build_ops patch_ucb1400_ops = {
82315 +static const struct snd_ac97_build_ops patch_ucb1400_ops = {
82316 .build_specific = patch_ucb1400_specific,
82317 };
82318
82319 diff -urNp linux-2.6.32.49/sound/pci/hda/hda_codec.h linux-2.6.32.49/sound/pci/hda/hda_codec.h
82320 --- linux-2.6.32.49/sound/pci/hda/hda_codec.h 2011-11-08 19:02:43.000000000 -0500
82321 +++ linux-2.6.32.49/sound/pci/hda/hda_codec.h 2011-11-15 19:59:43.000000000 -0500
82322 @@ -580,7 +580,7 @@ struct hda_bus_ops {
82323 /* notify power-up/down from codec to controller */
82324 void (*pm_notify)(struct hda_bus *bus);
82325 #endif
82326 -};
82327 +} __no_const;
82328
82329 /* template to pass to the bus constructor */
82330 struct hda_bus_template {
82331 @@ -675,6 +675,7 @@ struct hda_codec_ops {
82332 int (*check_power_status)(struct hda_codec *codec, hda_nid_t nid);
82333 #endif
82334 };
82335 +typedef struct hda_codec_ops __no_const hda_codec_ops_no_const;
82336
82337 /* record for amp information cache */
82338 struct hda_cache_head {
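Review bot: The new `hda_codec_ops_no_const` typedef is undocumented, and `__no_const` leaves a table of function pointers writable, so the reason for opting out should be recorded where the type is declared. The hunks in patch_atihdmi.c, patch_intelhdmi.c, patch_nvhdmi.c and patch_sigmatel.c show the reason: `codec->patch_ops` is filled in at probe time from a per-codec template. I would add `/* writable variant: codec->patch_ops is copied from a per-codec template at probe time */` above the typedef. The `__no_const` markers on `struct hda_bus_ops` and `struct hda_pcm_ops` in this file need an equivalent line naming the code that writes them at runtime.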
82339 @@ -705,7 +706,7 @@ struct hda_pcm_ops {
82340 struct snd_pcm_substream *substream);
82341 int (*cleanup)(struct hda_pcm_stream *info, struct hda_codec *codec,
82342 struct snd_pcm_substream *substream);
82343 -};
82344 +} __no_const;
82345
82346 /* PCM information for each substream */
82347 struct hda_pcm_stream {
82348 @@ -760,7 +761,7 @@ struct hda_codec {
82349 const char *modelname; /* model name for preset */
82350
82351 /* set by patch */
82352 - struct hda_codec_ops patch_ops;
82353 + hda_codec_ops_no_const patch_ops;
82354
82355 /* PCM to create, set by patch_ops.build_pcms callback */
82356 unsigned int num_pcms;
82357 diff -urNp linux-2.6.32.49/sound/pci/hda/patch_atihdmi.c linux-2.6.32.49/sound/pci/hda/patch_atihdmi.c
82358 --- linux-2.6.32.49/sound/pci/hda/patch_atihdmi.c 2011-11-08 19:02:43.000000000 -0500
82359 +++ linux-2.6.32.49/sound/pci/hda/patch_atihdmi.c 2011-11-15 19:59:43.000000000 -0500
82360 @@ -177,7 +177,7 @@ static int patch_atihdmi(struct hda_code
82361 */
82362 spec->multiout.dig_out_nid = CVT_NID;
82363
82364 - codec->patch_ops = atihdmi_patch_ops;
82365 + memcpy((void *)&codec->patch_ops, &atihdmi_patch_ops, sizeof(atihdmi_patch_ops));
82366
82367 return 0;
82368 }
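Review bot: The `memcpy((void *)&codec->patch_ops, &atihdmi_patch_ops, sizeof(atihdmi_patch_ops));` call sizes the copy by the source object and removes the destination's type with `(void *)`. The compiler therefore no longer checks that both sides are the same structure, which the replaced assignment did. Sizing by the destination bounds the write to the field being written: `memcpy(&codec->patch_ops, &atihdmi_patch_ops, sizeof(codec->patch_ops));`. A `BUILD_BUG_ON(sizeof(codec->patch_ops) != sizeof(atihdmi_patch_ops));` next to it would restore a compile-time check. The same pattern appears in `do_patch_intel_hdmi()`, `patch_nvhdmi_8ch()`, `patch_nvhdmi_2ch()` and both patch_sigmatel.c hunks, whereas the usbaudio.c `init_substream()` change already uses `sizeof(subs->ops)`.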
82369 diff -urNp linux-2.6.32.49/sound/pci/hda/patch_intelhdmi.c linux-2.6.32.49/sound/pci/hda/patch_intelhdmi.c
82370 --- linux-2.6.32.49/sound/pci/hda/patch_intelhdmi.c 2011-11-08 19:02:43.000000000 -0500
82371 +++ linux-2.6.32.49/sound/pci/hda/patch_intelhdmi.c 2011-11-15 19:59:43.000000000 -0500
82372 @@ -511,10 +511,10 @@ static void hdmi_non_intrinsic_event(str
82373 cp_ready);
82374
82375 /* TODO */
82376 - if (cp_state)
82377 - ;
82378 - if (cp_ready)
82379 - ;
82380 + if (cp_state) {
82381 + }
82382 + if (cp_ready) {
82383 + }
82384 }
82385
82386
82387 @@ -656,7 +656,7 @@ static int do_patch_intel_hdmi(struct hd
82388 spec->multiout.dig_out_nid = cvt_nid;
82389
82390 codec->spec = spec;
82391 - codec->patch_ops = intel_hdmi_patch_ops;
82392 + memcpy((void *)&codec->patch_ops, &intel_hdmi_patch_ops, sizeof(intel_hdmi_patch_ops));
82393
82394 snd_hda_eld_proc_new(codec, &spec->sink_eld);
82395
82396 diff -urNp linux-2.6.32.49/sound/pci/hda/patch_nvhdmi.c linux-2.6.32.49/sound/pci/hda/patch_nvhdmi.c
82397 --- linux-2.6.32.49/sound/pci/hda/patch_nvhdmi.c 2011-11-08 19:02:43.000000000 -0500
82398 +++ linux-2.6.32.49/sound/pci/hda/patch_nvhdmi.c 2011-11-15 19:59:43.000000000 -0500
82399 @@ -367,7 +367,7 @@ static int patch_nvhdmi_8ch(struct hda_c
82400 spec->multiout.max_channels = 8;
82401 spec->multiout.dig_out_nid = Nv_Master_Convert_nid;
82402
82403 - codec->patch_ops = nvhdmi_patch_ops_8ch;
82404 + memcpy((void *)&codec->patch_ops, &nvhdmi_patch_ops_8ch, sizeof(nvhdmi_patch_ops_8ch));
82405
82406 return 0;
82407 }
82408 @@ -386,7 +386,7 @@ static int patch_nvhdmi_2ch(struct hda_c
82409 spec->multiout.max_channels = 2;
82410 spec->multiout.dig_out_nid = Nv_Master_Convert_nid;
82411
82412 - codec->patch_ops = nvhdmi_patch_ops_2ch;
82413 + memcpy((void *)&codec->patch_ops, &nvhdmi_patch_ops_2ch, sizeof(nvhdmi_patch_ops_2ch));
82414
82415 return 0;
82416 }
82417 diff -urNp linux-2.6.32.49/sound/pci/hda/patch_sigmatel.c linux-2.6.32.49/sound/pci/hda/patch_sigmatel.c
82418 --- linux-2.6.32.49/sound/pci/hda/patch_sigmatel.c 2011-11-08 19:02:43.000000000 -0500
82419 +++ linux-2.6.32.49/sound/pci/hda/patch_sigmatel.c 2011-11-15 19:59:43.000000000 -0500
82420 @@ -5220,7 +5220,7 @@ again:
82421 snd_hda_codec_write_cache(codec, nid, 0,
82422 AC_VERB_SET_CONNECT_SEL, num_dacs);
82423
82424 - codec->patch_ops = stac92xx_patch_ops;
82425 + memcpy((void *)&codec->patch_ops, &stac92xx_patch_ops, sizeof(stac92xx_patch_ops));
82426
82427 codec->proc_widget_hook = stac92hd_proc_hook;
82428
82429 @@ -5294,7 +5294,7 @@ static int patch_stac92hd71bxx(struct hd
82430 return -ENOMEM;
82431
82432 codec->spec = spec;
82433 - codec->patch_ops = stac92xx_patch_ops;
82434 + memcpy((void *)&codec->patch_ops, &stac92xx_patch_ops, sizeof(stac92xx_patch_ops));
82435 spec->num_pins = STAC92HD71BXX_NUM_PINS;
82436 switch (codec->vendor_id) {
82437 case 0x111d76b6:
82438 diff -urNp linux-2.6.32.49/sound/pci/ice1712/ice1712.h linux-2.6.32.49/sound/pci/ice1712/ice1712.h
82439 --- linux-2.6.32.49/sound/pci/ice1712/ice1712.h 2011-11-08 19:02:43.000000000 -0500
82440 +++ linux-2.6.32.49/sound/pci/ice1712/ice1712.h 2011-11-15 19:59:43.000000000 -0500
82441 @@ -269,7 +269,7 @@ struct snd_ak4xxx_private {
82442 unsigned int mask_flags; /* total mask bits */
82443 struct snd_akm4xxx_ops {
82444 void (*set_rate_val)(struct snd_akm4xxx *ak, unsigned int rate);
82445 - } ops;
82446 + } __no_const ops;
82447 };
82448
82449 struct snd_ice1712_spdif {
82450 @@ -285,7 +285,7 @@ struct snd_ice1712_spdif {
82451 int (*default_put)(struct snd_ice1712 *, struct snd_ctl_elem_value *ucontrol);
82452 void (*stream_get)(struct snd_ice1712 *, struct snd_ctl_elem_value *ucontrol);
82453 int (*stream_put)(struct snd_ice1712 *, struct snd_ctl_elem_value *ucontrol);
82454 - } ops;
82455 + } __no_const ops;
82456 };
82457
82458
82459 diff -urNp linux-2.6.32.49/sound/pci/intel8x0m.c linux-2.6.32.49/sound/pci/intel8x0m.c
82460 --- linux-2.6.32.49/sound/pci/intel8x0m.c 2011-11-08 19:02:43.000000000 -0500
82461 +++ linux-2.6.32.49/sound/pci/intel8x0m.c 2011-11-15 19:59:43.000000000 -0500
82462 @@ -1264,7 +1264,7 @@ static struct shortname_table {
82463 { 0x5455, "ALi M5455" },
82464 { 0x746d, "AMD AMD8111" },
82465 #endif
82466 - { 0 },
82467 + { 0, },
82468 };
82469
82470 static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
82471 diff -urNp linux-2.6.32.49/sound/pci/ymfpci/ymfpci_main.c linux-2.6.32.49/sound/pci/ymfpci/ymfpci_main.c
82472 --- linux-2.6.32.49/sound/pci/ymfpci/ymfpci_main.c 2011-11-08 19:02:43.000000000 -0500
82473 +++ linux-2.6.32.49/sound/pci/ymfpci/ymfpci_main.c 2011-11-15 19:59:43.000000000 -0500
82474 @@ -202,8 +202,8 @@ static void snd_ymfpci_hw_stop(struct sn
82475 if ((snd_ymfpci_readl(chip, YDSXGR_STATUS) & 2) == 0)
82476 break;
82477 }
82478 - if (atomic_read(&chip->interrupt_sleep_count)) {
82479 - atomic_set(&chip->interrupt_sleep_count, 0);
82480 + if (atomic_read_unchecked(&chip->interrupt_sleep_count)) {
82481 + atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
82482 wake_up(&chip->interrupt_sleep);
82483 }
82484 __end:
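Review bot: The switch to `atomic_read_unchecked()` / `atomic_set_unchecked()` on `chip->interrupt_sleep_count` carries no comment, and the `_unchecked` accessors exempt the counter from the overflow checking this patch applies to ordinary atomics. The visible uses support the exemption, since the value is incremented in `snd_ymfpci_irq_wait()` and reset to 0 here and in `snd_ymfpci_interrupt()`, so it counts sleepers and does not guard an object's lifetime. I would record that where the field is declared, for example `/* sleeper count, reset to 0 on wake-up; not a reference count */`. The field's declaration is outside the visible hunks and has to change to the matching unchecked atomic type for these calls to compile. The later ymfpci_main.c hunks are covered by the same note.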
82485 @@ -787,7 +787,7 @@ static void snd_ymfpci_irq_wait(struct s
82486 continue;
82487 init_waitqueue_entry(&wait, current);
82488 add_wait_queue(&chip->interrupt_sleep, &wait);
82489 - atomic_inc(&chip->interrupt_sleep_count);
82490 + atomic_inc_unchecked(&chip->interrupt_sleep_count);
82491 schedule_timeout_uninterruptible(msecs_to_jiffies(50));
82492 remove_wait_queue(&chip->interrupt_sleep, &wait);
82493 }
82494 @@ -825,8 +825,8 @@ static irqreturn_t snd_ymfpci_interrupt(
82495 snd_ymfpci_writel(chip, YDSXGR_MODE, mode);
82496 spin_unlock(&chip->reg_lock);
82497
82498 - if (atomic_read(&chip->interrupt_sleep_count)) {
82499 - atomic_set(&chip->interrupt_sleep_count, 0);
82500 + if (atomic_read_unchecked(&chip->interrupt_sleep_count)) {
82501 + atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
82502 wake_up(&chip->interrupt_sleep);
82503 }
82504 }
82505 @@ -2369,7 +2369,7 @@ int __devinit snd_ymfpci_create(struct s
82506 spin_lock_init(&chip->reg_lock);
82507 spin_lock_init(&chip->voice_lock);
82508 init_waitqueue_head(&chip->interrupt_sleep);
82509 - atomic_set(&chip->interrupt_sleep_count, 0);
82510 + atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
82511 chip->card = card;
82512 chip->pci = pci;
82513 chip->irq = -1;
82514 diff -urNp linux-2.6.32.49/sound/soc/soc-core.c linux-2.6.32.49/sound/soc/soc-core.c
82515 --- linux-2.6.32.49/sound/soc/soc-core.c 2011-11-08 19:02:43.000000000 -0500
82516 +++ linux-2.6.32.49/sound/soc/soc-core.c 2011-11-15 19:59:43.000000000 -0500
82517 @@ -609,7 +609,7 @@ static int soc_pcm_trigger(struct snd_pc
82518 }
82519
82520 /* ASoC PCM operations */
82521 -static struct snd_pcm_ops soc_pcm_ops = {
82522 +static snd_pcm_ops_no_const soc_pcm_ops = {
82523 .open = soc_pcm_open,
82524 .close = soc_codec_close,
82525 .hw_params = soc_pcm_hw_params,
82526 diff -urNp linux-2.6.32.49/sound/usb/usbaudio.c linux-2.6.32.49/sound/usb/usbaudio.c
82527 --- linux-2.6.32.49/sound/usb/usbaudio.c 2011-11-08 19:02:43.000000000 -0500
82528 +++ linux-2.6.32.49/sound/usb/usbaudio.c 2011-11-15 19:59:43.000000000 -0500
82529 @@ -963,12 +963,12 @@ static int snd_usb_pcm_playback_trigger(
82530 switch (cmd) {
82531 case SNDRV_PCM_TRIGGER_START:
82532 case SNDRV_PCM_TRIGGER_PAUSE_RELEASE:
82533 - subs->ops.prepare = prepare_playback_urb;
82534 + *(void **)&subs->ops.prepare = prepare_playback_urb;
82535 return 0;
82536 case SNDRV_PCM_TRIGGER_STOP:
82537 return deactivate_urbs(subs, 0, 0);
82538 case SNDRV_PCM_TRIGGER_PAUSE_PUSH:
82539 - subs->ops.prepare = prepare_nodata_playback_urb;
82540 + *(void **)&subs->ops.prepare = prepare_nodata_playback_urb;
82541 return 0;
82542 default:
82543 return -EINVAL;
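Review bot: The `*(void **)&subs->ops.prepare = prepare_playback_urb;` stores in this hunk write a function pointer through a `void **` lvalue, which discards the member's prototype, so the compiler can no longer check that the assigned handler matches it. The same pattern recurs in the snd_usb_pcm_capture_trigger, snd_usb_pcm_prepare and init_substream hunks below, where `memcpy((void *)&subs->ops, ...)` also replaces the struct assignment. The soc-core.c change in this same patch takes a type-safe route with a `_no_const` typedef (`snd_pcm_ops_no_const`). Since `subs->ops` is rewritten on every trigger, declaring that member with a no_const variant of its struct type would presumably let the plain `subs->ops.prepare = prepare_playback_urb;` assignments stay and leave only the static `audio_urb_ops` tables constified. If the casts are kept, a comment such as `/* ops is constified by the plugin; this per-substream copy is writable */` belongs at the first of them; the enclosing function starts and ends outside the hunk.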
82544 @@ -985,15 +985,15 @@ static int snd_usb_pcm_capture_trigger(s
82545
82546 switch (cmd) {
82547 case SNDRV_PCM_TRIGGER_START:
82548 - subs->ops.retire = retire_capture_urb;
82549 + *(void **)&subs->ops.retire = retire_capture_urb;
82550 return start_urbs(subs, substream->runtime);
82551 case SNDRV_PCM_TRIGGER_STOP:
82552 return deactivate_urbs(subs, 0, 0);
82553 case SNDRV_PCM_TRIGGER_PAUSE_PUSH:
82554 - subs->ops.retire = retire_paused_capture_urb;
82555 + *(void **)&subs->ops.retire = retire_paused_capture_urb;
82556 return 0;
82557 case SNDRV_PCM_TRIGGER_PAUSE_RELEASE:
82558 - subs->ops.retire = retire_capture_urb;
82559 + *(void **)&subs->ops.retire = retire_capture_urb;
82560 return 0;
82561 default:
82562 return -EINVAL;
82563 @@ -1542,7 +1542,7 @@ static int snd_usb_pcm_prepare(struct sn
82564 /* for playback, submit the URBs now; otherwise, the first hwptr_done
82565 * updates for all URBs would happen at the same time when starting */
82566 if (subs->direction == SNDRV_PCM_STREAM_PLAYBACK) {
82567 - subs->ops.prepare = prepare_nodata_playback_urb;
82568 + *(void **)&subs->ops.prepare = prepare_nodata_playback_urb;
82569 return start_urbs(subs, runtime);
82570 } else
82571 return 0;
82572 @@ -2228,14 +2228,14 @@ static void init_substream(struct snd_us
82573 subs->direction = stream;
82574 subs->dev = as->chip->dev;
82575 if (snd_usb_get_speed(subs->dev) == USB_SPEED_FULL) {
82576 - subs->ops = audio_urb_ops[stream];
82577 + memcpy((void *)&subs->ops, &audio_urb_ops[stream], sizeof(subs->ops));
82578 } else {
82579 - subs->ops = audio_urb_ops_high_speed[stream];
82580 + memcpy((void *)&subs->ops, &audio_urb_ops_high_speed[stream], sizeof(subs->ops));
82581 switch (as->chip->usb_id) {
82582 case USB_ID(0x041e, 0x3f02): /* E-Mu 0202 USB */
82583 case USB_ID(0x041e, 0x3f04): /* E-Mu 0404 USB */
82584 case USB_ID(0x041e, 0x3f0a): /* E-Mu Tracker Pre */
82585 - subs->ops.retire_sync = retire_playback_sync_urb_hs_emu;
82586 + *(void **)&subs->ops.retire_sync = retire_playback_sync_urb_hs_emu;
82587 break;
82588 }
82589 }
82590 diff -urNp linux-2.6.32.49/tools/gcc/checker_plugin.c linux-2.6.32.49/tools/gcc/checker_plugin.c
82591 --- linux-2.6.32.49/tools/gcc/checker_plugin.c 1969-12-31 19:00:00.000000000 -0500
82592 +++ linux-2.6.32.49/tools/gcc/checker_plugin.c 2011-11-18 18:01:52.000000000 -0500
82593 @@ -0,0 +1,171 @@
82594 +/*
82595 + * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
82596 + * Licensed under the GPL v2
82597 + *
82598 + * Note: the choice of the license means that the compilation process is
82599 + * NOT 'eligible' as defined by gcc's library exception to the GPL v3,
82600 + * but for the kernel it doesn't matter since it doesn't link against
82601 + * any of the gcc libraries
82602 + *
82603 + * gcc plugin to implement various sparse (source code checker) features
82604 + *
82605 + * TODO:
82606 + * - define separate __iomem, __percpu and __rcu address spaces (lots of code to patch)
82607 + *
82608 + * BUGS:
82609 + * - none known
82610 + */
82611 +#include "gcc-plugin.h"
82612 +#include "config.h"
82613 +#include "system.h"
82614 +#include "coretypes.h"
82615 +#include "tree.h"
82616 +#include "tree-pass.h"
82617 +#include "flags.h"
82618 +#include "intl.h"
82619 +#include "toplev.h"
82620 +#include "plugin.h"
82621 +//#include "expr.h" where are you...
82622 +#include "diagnostic.h"
82623 +#include "plugin-version.h"
82624 +#include "tm.h"
82625 +#include "function.h"
82626 +#include "basic-block.h"
82627 +#include "gimple.h"
82628 +#include "rtl.h"
82629 +#include "emit-rtl.h"
82630 +#include "tree-flow.h"
82631 +#include "target.h"
82632 +
82633 +extern void c_register_addr_space (const char *str, addr_space_t as);
82634 +extern enum machine_mode default_addr_space_pointer_mode (addr_space_t);
82635 +extern enum machine_mode default_addr_space_address_mode (addr_space_t);
82636 +extern bool default_addr_space_valid_pointer_mode(enum machine_mode mode, addr_space_t as);
82637 +extern bool default_addr_space_legitimate_address_p(enum machine_mode mode, rtx mem, bool strict, addr_space_t as);
82638 +extern rtx default_addr_space_legitimize_address(rtx x, rtx oldx, enum machine_mode mode, addr_space_t as);
82639 +
82640 +extern void print_gimple_stmt(FILE *, gimple, int, int);
82641 +extern rtx emit_move_insn(rtx x, rtx y);
82642 +
82643 +int plugin_is_GPL_compatible;
82644 +
82645 +static struct plugin_info checker_plugin_info = {
82646 + .version = "201111150100",
82647 +};
82648 +
82649 +#define ADDR_SPACE_KERNEL 0
82650 +#define ADDR_SPACE_FORCE_KERNEL 1
82651 +#define ADDR_SPACE_USER 2
82652 +#define ADDR_SPACE_FORCE_USER 3
82653 +#define ADDR_SPACE_IOMEM 0
82654 +#define ADDR_SPACE_FORCE_IOMEM 0
82655 +#define ADDR_SPACE_PERCPU 0
82656 +#define ADDR_SPACE_FORCE_PERCPU 0
82657 +#define ADDR_SPACE_RCU 0
82658 +#define ADDR_SPACE_FORCE_RCU 0
82659 +
82660 +static enum machine_mode checker_addr_space_pointer_mode(addr_space_t addrspace)
82661 +{
82662 + return default_addr_space_pointer_mode(ADDR_SPACE_GENERIC);
82663 +}
82664 +
82665 +static enum machine_mode checker_addr_space_address_mode(addr_space_t addrspace)
82666 +{
82667 + return default_addr_space_address_mode(ADDR_SPACE_GENERIC);
82668 +}
82669 +
82670 +static bool checker_addr_space_valid_pointer_mode(enum machine_mode mode, addr_space_t as)
82671 +{
82672 + return default_addr_space_valid_pointer_mode(mode, as);
82673 +}
82674 +
82675 +static bool checker_addr_space_legitimate_address_p(enum machine_mode mode, rtx mem, bool strict, addr_space_t as)
82676 +{
82677 + return default_addr_space_legitimate_address_p(mode, mem, strict, ADDR_SPACE_GENERIC);
82678 +}
82679 +
82680 +static rtx checker_addr_space_legitimize_address(rtx x, rtx oldx, enum machine_mode mode, addr_space_t as)
82681 +{
82682 + return default_addr_space_legitimize_address(x, oldx, mode, as);
82683 +}
82684 +
82685 +static bool checker_addr_space_subset_p(addr_space_t subset, addr_space_t superset)
82686 +{
82687 + if (subset == ADDR_SPACE_FORCE_KERNEL && superset == ADDR_SPACE_KERNEL)
82688 + return true;
82689 +
82690 + if (subset == ADDR_SPACE_FORCE_USER && superset == ADDR_SPACE_USER)
82691 + return true;
82692 +
82693 + if (subset == ADDR_SPACE_FORCE_IOMEM && superset == ADDR_SPACE_IOMEM)
82694 + return true;
82695 +
82696 + if (subset == ADDR_SPACE_KERNEL && superset == ADDR_SPACE_FORCE_USER)
82697 + return true;
82698 +
82699 + if (subset == ADDR_SPACE_KERNEL && superset == ADDR_SPACE_FORCE_IOMEM)
82700 + return true;
82701 +
82702 + if (subset == ADDR_SPACE_USER && superset == ADDR_SPACE_FORCE_KERNEL)
82703 + return true;
82704 +
82705 + if (subset == ADDR_SPACE_IOMEM && superset == ADDR_SPACE_FORCE_KERNEL)
82706 + return true;
82707 +
82708 + return subset == superset;
82709 +}
82710 +
82711 +static rtx checker_addr_space_convert(rtx op, tree from_type, tree to_type)
82712 +{
82713 +// addr_space_t from_as = TYPE_ADDR_SPACE(TREE_TYPE(from_type));
82714 +// addr_space_t to_as = TYPE_ADDR_SPACE(TREE_TYPE(to_type));
82715 +
82716 + return op;
82717 +}
82718 +
82719 +static void register_checker_address_spaces(void *event_data, void *data)
82720 +{
82721 + c_register_addr_space("__kernel", ADDR_SPACE_KERNEL);
82722 + c_register_addr_space("__force_kernel", ADDR_SPACE_FORCE_KERNEL);
82723 + c_register_addr_space("__user", ADDR_SPACE_USER);
82724 + c_register_addr_space("__force_user", ADDR_SPACE_FORCE_USER);
82725 +// c_register_addr_space("__iomem", ADDR_SPACE_IOMEM);
82726 +// c_register_addr_space("__force_iomem", ADDR_SPACE_FORCE_IOMEM);
82727 +// c_register_addr_space("__percpu", ADDR_SPACE_PERCPU);
82728 +// c_register_addr_space("__force_percpu", ADDR_SPACE_FORCE_PERCPU);
82729 +// c_register_addr_space("__rcu", ADDR_SPACE_RCU);
82730 +// c_register_addr_space("__force_rcu", ADDR_SPACE_FORCE_RCU);
82731 +
82732 + targetm.addr_space.pointer_mode = checker_addr_space_pointer_mode;
82733 + targetm.addr_space.address_mode = checker_addr_space_address_mode;
82734 + targetm.addr_space.valid_pointer_mode = checker_addr_space_valid_pointer_mode;
82735 + targetm.addr_space.legitimate_address_p = checker_addr_space_legitimate_address_p;
82736 +// targetm.addr_space.legitimize_address = checker_addr_space_legitimize_address;
82737 + targetm.addr_space.subset_p = checker_addr_space_subset_p;
82738 + targetm.addr_space.convert = checker_addr_space_convert;
82739 +}
82740 +
82741 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
82742 +{
82743 + const char * const plugin_name = plugin_info->base_name;
82744 + const int argc = plugin_info->argc;
82745 + const struct plugin_argument * const argv = plugin_info->argv;
82746 + int i;
82747 +
82748 + if (!plugin_default_version_check(version, &gcc_version)) {
82749 + error(G_("incompatible gcc/plugin versions"));
82750 + return 1;
82751 + }
82752 +
82753 + register_callback(plugin_name, PLUGIN_INFO, NULL, &checker_plugin_info);
82754 +
82755 + for (i = 0; i < argc; ++i)
82756 + error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
82757 +
82758 + if (TARGET_64BIT == 0)
82759 + return 0;
82760 +
82761 + register_callback (plugin_name, PLUGIN_PRAGMAS, register_checker_address_spaces, NULL);
82762 +
82763 + return 0;
82764 +}
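Review bot: In `checker_addr_space_subset_p` the IOMEM rules do not mean what they say, because `ADDR_SPACE_IOMEM` and `ADDR_SPACE_FORCE_IOMEM` are placeholders defined as 0, the same value as `ADDR_SPACE_KERNEL`. `subset == ADDR_SPACE_IOMEM && superset == ADDR_SPACE_FORCE_KERNEL` therefore also accepts plain `__kernel` as a subset of `__force_kernel`, and the other two IOMEM tests collapse to the 0 == 0 case that `subset == superset` already covers. Until the separate address spaces from the TODO exist, I would remove those three tests or mark them with `/* placeholder: IOMEM aliases KERNEL (0) until it gets its own id */`, so nobody reads them as an enforced rule. `checker_addr_space_legitimize_address` is also left unused while its hook assignment is commented out, and the option diagnostic in `plugin_init` spells `unkown`.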
82765 diff -urNp linux-2.6.32.49/tools/gcc/constify_plugin.c linux-2.6.32.49/tools/gcc/constify_plugin.c
82766 --- linux-2.6.32.49/tools/gcc/constify_plugin.c 1969-12-31 19:00:00.000000000 -0500
82767 +++ linux-2.6.32.49/tools/gcc/constify_plugin.c 2011-11-18 18:01:52.000000000 -0500
82768 @@ -0,0 +1,303 @@
82769 +/*
82770 + * Copyright 2011 by Emese Revfy <re.emese@gmail.com>
82771 + * Copyright 2011 by PaX Team <pageexec@freemail.hu>
82772 + * Licensed under the GPL v2, or (at your option) v3
82773 + *
82774 + * This gcc plugin constifies all structures which contain only function pointers or are explicitly marked for constification.
82775 + *
82776 + * Homepage:
82777 + * http://www.grsecurity.net/~ephox/const_plugin/
82778 + *
82779 + * Usage:
82780 + * $ gcc -I`gcc -print-file-name=plugin`/include -fPIC -shared -O2 -o constify_plugin.so constify_plugin.c
82781 + * $ gcc -fplugin=constify_plugin.so test.c -O2
82782 + */
82783 +
82784 +#include "gcc-plugin.h"
82785 +#include "config.h"
82786 +#include "system.h"
82787 +#include "coretypes.h"
82788 +#include "tree.h"
82789 +#include "tree-pass.h"
82790 +#include "flags.h"
82791 +#include "intl.h"
82792 +#include "toplev.h"
82793 +#include "plugin.h"
82794 +#include "diagnostic.h"
82795 +#include "plugin-version.h"
82796 +#include "tm.h"
82797 +#include "function.h"
82798 +#include "basic-block.h"
82799 +#include "gimple.h"
82800 +#include "rtl.h"
82801 +#include "emit-rtl.h"
82802 +#include "tree-flow.h"
82803 +
82804 +#define C_TYPE_FIELDS_READONLY(TYPE) TREE_LANG_FLAG_1(TYPE)
82805 +
82806 +int plugin_is_GPL_compatible;
82807 +
82808 +static struct plugin_info const_plugin_info = {
82809 + .version = "201111150100",
82810 + .help = "no-constify\tturn off constification\n",
82811 +};
82812 +
82813 +static void constify_type(tree type);
82814 +static bool walk_struct(tree node);
82815 +
82816 +static tree deconstify_type(tree old_type)
82817 +{
82818 + tree new_type, field;
82819 +
82820 + new_type = build_qualified_type(old_type, TYPE_QUALS(old_type) & ~TYPE_QUAL_CONST);
82821 + TYPE_FIELDS(new_type) = copy_list(TYPE_FIELDS(new_type));
82822 + for (field = TYPE_FIELDS(new_type); field; field = TREE_CHAIN(field))
82823 + DECL_FIELD_CONTEXT(field) = new_type;
82824 + TYPE_READONLY(new_type) = 0;
82825 + C_TYPE_FIELDS_READONLY(new_type) = 0;
82826 + return new_type;
82827 +}
82828 +
82829 +static tree handle_no_const_attribute(tree *node, tree name, tree args, int flags, bool *no_add_attrs)
82830 +{
82831 + tree type;
82832 +
82833 + *no_add_attrs = true;
82834 + if (TREE_CODE(*node) == FUNCTION_DECL) {
82835 + error("%qE attribute does not apply to functions", name);
82836 + return NULL_TREE;
82837 + }
82838 +
82839 + if (TREE_CODE(*node) == VAR_DECL) {
82840 + error("%qE attribute does not apply to variables", name);
82841 + return NULL_TREE;
82842 + }
82843 +
82844 + if (TYPE_P(*node)) {
82845 + if (TREE_CODE(*node) == RECORD_TYPE || TREE_CODE(*node) == UNION_TYPE)
82846 + *no_add_attrs = false;
82847 + else
82848 + error("%qE attribute applies to struct and union types only", name);
82849 + return NULL_TREE;
82850 + }
82851 +
82852 + type = TREE_TYPE(*node);
82853 +
82854 + if (TREE_CODE(type) != RECORD_TYPE && TREE_CODE(type) != UNION_TYPE) {
82855 + error("%qE attribute applies to struct and union types only", name);
82856 + return NULL_TREE;
82857 + }
82858 +
82859 + if (lookup_attribute(IDENTIFIER_POINTER(name), TYPE_ATTRIBUTES(type))) {
82860 + error("%qE attribute is already applied to the type", name);
82861 + return NULL_TREE;
82862 + }
82863 +
82864 + if (TREE_CODE(*node) == TYPE_DECL && !TYPE_READONLY(type)) {
82865 + error("%qE attribute used on type that is not constified", name);
82866 + return NULL_TREE;
82867 + }
82868 +
82869 + if (TREE_CODE(*node) == TYPE_DECL) {
82870 + TREE_TYPE(*node) = deconstify_type(type);
82871 + TREE_READONLY(*node) = 0;
82872 + return NULL_TREE;
82873 + }
82874 +
82875 + return NULL_TREE;
82876 +}
82877 +
82878 +static tree handle_do_const_attribute(tree *node, tree name, tree args, int flags, bool *no_add_attrs)
82879 +{
82880 + *no_add_attrs = true;
82881 + if (!TYPE_P(*node)) {
82882 + error("%qE attribute applies to types only", name);
82883 + return NULL_TREE;
82884 + }
82885 +
82886 + if (TREE_CODE(*node) != RECORD_TYPE && TREE_CODE(*node) != UNION_TYPE) {
82887 + error("%qE attribute applies to struct and union types only", name);
82888 + return NULL_TREE;
82889 + }
82890 +
82891 + *no_add_attrs = false;
82892 + constify_type(*node);
82893 + return NULL_TREE;
82894 +}
82895 +
82896 +static struct attribute_spec no_const_attr = {
82897 + .name = "no_const",
82898 + .min_length = 0,
82899 + .max_length = 0,
82900 + .decl_required = false,
82901 + .type_required = false,
82902 + .function_type_required = false,
82903 + .handler = handle_no_const_attribute,
82904 +#if __GNUC__ > 4 || __GNUC_MINOR__ >= 7
82905 + .affects_type_identity = true
82906 +#endif
82907 +};
82908 +
82909 +static struct attribute_spec do_const_attr = {
82910 + .name = "do_const",
82911 + .min_length = 0,
82912 + .max_length = 0,
82913 + .decl_required = false,
82914 + .type_required = false,
82915 + .function_type_required = false,
82916 + .handler = handle_do_const_attribute,
82917 +#if __GNUC__ > 4 || __GNUC_MINOR__ >= 7
82918 + .affects_type_identity = true
82919 +#endif
82920 +};
82921 +
82922 +static void register_attributes(void *event_data, void *data)
82923 +{
82924 + register_attribute(&no_const_attr);
82925 + register_attribute(&do_const_attr);
82926 +}
82927 +
82928 +static void constify_type(tree type)
82929 +{
82930 + TYPE_READONLY(type) = 1;
82931 + C_TYPE_FIELDS_READONLY(type) = 1;
82932 +}
82933 +
82934 +static bool is_fptr(tree field)
82935 +{
82936 + tree ptr = TREE_TYPE(field);
82937 +
82938 + if (TREE_CODE(ptr) != POINTER_TYPE)
82939 + return false;
82940 +
82941 + return TREE_CODE(TREE_TYPE(ptr)) == FUNCTION_TYPE;
82942 +}
82943 +
82944 +static bool walk_struct(tree node)
82945 +{
82946 + tree field;
82947 +
82948 + if (lookup_attribute("no_const", TYPE_ATTRIBUTES(node)))
82949 + return false;
82950 +
82951 + if (TYPE_FIELDS(node) == NULL_TREE)
82952 + return false;
82953 +
82954 + for (field = TYPE_FIELDS(node); field; field = TREE_CHAIN(field)) {
82955 + tree type = TREE_TYPE(field);
82956 + enum tree_code code = TREE_CODE(type);
82957 + if (code == RECORD_TYPE || code == UNION_TYPE) {
82958 + if (!(walk_struct(type)))
82959 + return false;
82960 + } else if (!is_fptr(field) && !TREE_READONLY(field))
82961 + return false;
82962 + }
82963 + return true;
82964 +}
82965 +
82966 +static void finish_type(void *event_data, void *data)
82967 +{
82968 + tree type = (tree)event_data;
82969 +
82970 + if (type == NULL_TREE)
82971 + return;
82972 +
82973 + if (TYPE_READONLY(type))
82974 + return;
82975 +
82976 + if (walk_struct(type))
82977 + constify_type(type);
82978 +}
82979 +
82980 +static unsigned int check_local_variables(void);
82981 +
82982 +struct gimple_opt_pass pass_local_variable = {
82983 + {
82984 + .type = GIMPLE_PASS,
82985 + .name = "check_local_variables",
82986 + .gate = NULL,
82987 + .execute = check_local_variables,
82988 + .sub = NULL,
82989 + .next = NULL,
82990 + .static_pass_number = 0,
82991 + .tv_id = TV_NONE,
82992 + .properties_required = 0,
82993 + .properties_provided = 0,
82994 + .properties_destroyed = 0,
82995 + .todo_flags_start = 0,
82996 + .todo_flags_finish = 0
82997 + }
82998 +};
82999 +
83000 +static unsigned int check_local_variables(void)
83001 +{
83002 + tree var;
83003 + referenced_var_iterator rvi;
83004 +
83005 +#if __GNUC__ == 4 && __GNUC_MINOR__ == 5
83006 + FOR_EACH_REFERENCED_VAR(var, rvi) {
83007 +#else
83008 + FOR_EACH_REFERENCED_VAR(cfun, var, rvi) {
83009 +#endif
83010 + tree type = TREE_TYPE(var);
83011 +
83012 + if (!DECL_P(var) || TREE_STATIC(var) || DECL_EXTERNAL(var))
83013 + continue;
83014 +
83015 + if (TREE_CODE(type) != RECORD_TYPE && TREE_CODE(type) != UNION_TYPE)
83016 + continue;
83017 +
83018 + if (!TYPE_READONLY(type))
83019 + continue;
83020 +
83021 +// if (lookup_attribute("no_const", DECL_ATTRIBUTES(var)))
83022 +// continue;
83023 +
83024 +// if (lookup_attribute("no_const", TYPE_ATTRIBUTES(type)))
83025 +// continue;
83026 +
83027 + if (walk_struct(type)) {
83028 + error("constified variable %qE cannot be local", var);
83029 + return 1;
83030 + }
83031 + }
83032 + return 0;
83033 +}
83034 +
83035 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
83036 +{
83037 + const char * const plugin_name = plugin_info->base_name;
83038 + const int argc = plugin_info->argc;
83039 + const struct plugin_argument * const argv = plugin_info->argv;
83040 + int i;
83041 + bool constify = true;
83042 +
83043 + struct register_pass_info local_variable_pass_info = {
83044 + .pass = &pass_local_variable.pass,
83045 + .reference_pass_name = "*referenced_vars",
83046 + .ref_pass_instance_number = 0,
83047 + .pos_op = PASS_POS_INSERT_AFTER
83048 + };
83049 +
83050 + if (!plugin_default_version_check(version, &gcc_version)) {
83051 + error(G_("incompatible gcc/plugin versions"));
83052 + return 1;
83053 + }
83054 +
83055 + for (i = 0; i < argc; ++i) {
83056 + if (!(strcmp(argv[i].key, "no-constify"))) {
83057 + constify = false;
83058 + continue;
83059 + }
83060 + error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
83061 + }
83062 +
83063 + register_callback(plugin_name, PLUGIN_INFO, NULL, &const_plugin_info);
83064 + if (constify) {
83065 + register_callback(plugin_name, PLUGIN_FINISH_TYPE, finish_type, NULL);
83066 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &local_variable_pass_info);
83067 + }
83068 + register_callback(plugin_name, PLUGIN_ATTRIBUTES, register_attributes, NULL);
83069 +
83070 + return 0;
83071 +}
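Review bot: `check_local_variables` does `return 1;` after reporting a constified local, but as far as I know the pass manager treats an `execute` return value as additional TODO flags, not as a status, so the 1 is read as a flag bit rather than as failure. The `error()` call already fails the compilation, so `return 0;` there, or dropping the early return so that every offending local in the function is reported, would express what is meant. Separately, `is_fptr` accepts only a direct `POINTER_TYPE` to `FUNCTION_TYPE`, so a struct holding an array of function pointers is not constified automatically by `walk_struct`; a comment stating that such types need an explicit `do_const` would help readers. The option diagnostic in `plugin_init` spells `unkown`.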
83072 diff -urNp linux-2.6.32.49/tools/gcc/kallocstat_plugin.c linux-2.6.32.49/tools/gcc/kallocstat_plugin.c
83073 --- linux-2.6.32.49/tools/gcc/kallocstat_plugin.c 1969-12-31 19:00:00.000000000 -0500
83074 +++ linux-2.6.32.49/tools/gcc/kallocstat_plugin.c 2011-11-18 18:01:52.000000000 -0500
83075 @@ -0,0 +1,167 @@
83076 +/*
83077 + * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
83078 + * Licensed under the GPL v2
83079 + *
83080 + * Note: the choice of the license means that the compilation process is
83081 + * NOT 'eligible' as defined by gcc's library exception to the GPL v3,
83082 + * but for the kernel it doesn't matter since it doesn't link against
83083 + * any of the gcc libraries
83084 + *
83085 + * gcc plugin to find the distribution of k*alloc sizes
83086 + *
83087 + * TODO:
83088 + *
83089 + * BUGS:
83090 + * - none known
83091 + */
83092 +#include "gcc-plugin.h"
83093 +#include "config.h"
83094 +#include "system.h"
83095 +#include "coretypes.h"
83096 +#include "tree.h"
83097 +#include "tree-pass.h"
83098 +#include "flags.h"
83099 +#include "intl.h"
83100 +#include "toplev.h"
83101 +#include "plugin.h"
83102 +//#include "expr.h" where are you...
83103 +#include "diagnostic.h"
83104 +#include "plugin-version.h"
83105 +#include "tm.h"
83106 +#include "function.h"
83107 +#include "basic-block.h"
83108 +#include "gimple.h"
83109 +#include "rtl.h"
83110 +#include "emit-rtl.h"
83111 +
83112 +extern void print_gimple_stmt(FILE *, gimple, int, int);
83113 +
83114 +int plugin_is_GPL_compatible;
83115 +
83116 +static const char * const kalloc_functions[] = {
83117 + "__kmalloc",
83118 + "kmalloc",
83119 + "kmalloc_large",
83120 + "kmalloc_node",
83121 + "kmalloc_order",
83122 + "kmalloc_order_trace",
83123 + "kmalloc_slab",
83124 + "kzalloc",
83125 + "kzalloc_node",
83126 +};
83127 +
83128 +static struct plugin_info kallocstat_plugin_info = {
83129 + .version = "201111150100",
83130 +};
83131 +
83132 +static unsigned int execute_kallocstat(void);
83133 +
83134 +static struct gimple_opt_pass kallocstat_pass = {
83135 + .pass = {
83136 + .type = GIMPLE_PASS,
83137 + .name = "kallocstat",
83138 + .gate = NULL,
83139 + .execute = execute_kallocstat,
83140 + .sub = NULL,
83141 + .next = NULL,
83142 + .static_pass_number = 0,
83143 + .tv_id = TV_NONE,
83144 + .properties_required = 0,
83145 + .properties_provided = 0,
83146 + .properties_destroyed = 0,
83147 + .todo_flags_start = 0,
83148 + .todo_flags_finish = 0
83149 + }
83150 +};
83151 +
83152 +static bool is_kalloc(const char *fnname)
83153 +{
83154 + size_t i;
83155 +
83156 + for (i = 0; i < ARRAY_SIZE(kalloc_functions); i++)
83157 + if (!strcmp(fnname, kalloc_functions[i]))
83158 + return true;
83159 + return false;
83160 +}
83161 +
83162 +static unsigned int execute_kallocstat(void)
83163 +{
83164 + basic_block bb;
83165 +
83166 + // 1. loop through BBs and GIMPLE statements
83167 + FOR_EACH_BB(bb) {
83168 + gimple_stmt_iterator gsi;
83169 + for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
83170 + // gimple match:
83171 + tree fndecl, size;
83172 + gimple call_stmt;
83173 + const char *fnname;
83174 +
83175 + // is it a call
83176 + call_stmt = gsi_stmt(gsi);
83177 + if (!is_gimple_call(call_stmt))
83178 + continue;
83179 + fndecl = gimple_call_fndecl(call_stmt);
83180 + if (fndecl == NULL_TREE)
83181 + continue;
83182 + if (TREE_CODE(fndecl) != FUNCTION_DECL)
83183 + continue;
83184 +
83185 + // is it a call to k*alloc
83186 + fnname = IDENTIFIER_POINTER(DECL_NAME(fndecl));
83187 + if (!is_kalloc(fnname))
83188 + continue;
83189 +
83190 + // is the size arg the result of a simple const assignment
83191 + size = gimple_call_arg(call_stmt, 0);
83192 + while (true) {
83193 + gimple def_stmt;
83194 + expanded_location xloc;
83195 + size_t size_val;
83196 +
83197 + if (TREE_CODE(size) != SSA_NAME)
83198 + break;
83199 + def_stmt = SSA_NAME_DEF_STMT(size);
83200 + if (!def_stmt || !is_gimple_assign(def_stmt))
83201 + break;
83202 + if (gimple_num_ops(def_stmt) != 2)
83203 + break;
83204 + size = gimple_assign_rhs1(def_stmt);
83205 + if (!TREE_CONSTANT(size))
83206 + continue;
83207 + xloc = expand_location(gimple_location(def_stmt));
83208 + if (!xloc.file)
83209 + xloc = expand_location(DECL_SOURCE_LOCATION(current_function_decl));
83210 + size_val = TREE_INT_CST_LOW(size);
83211 + fprintf(stderr, "kallocsize: %8zu %8zx %s %s:%u\n", size_val, size_val, fnname, xloc.file, xloc.line);
83212 + break;
83213 + }
83214 +//print_gimple_stmt(stderr, call_stmt, 0, TDF_LINENO);
83215 +//debug_tree(gimple_call_fn(call_stmt));
83216 +//print_node(stderr, "pax", fndecl, 4);
83217 + }
83218 + }
83219 +
83220 + return 0;
83221 +}
83222 +
83223 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
83224 +{
83225 + const char * const plugin_name = plugin_info->base_name;
83226 + struct register_pass_info kallocstat_pass_info = {
83227 + .pass = &kallocstat_pass.pass,
83228 + .reference_pass_name = "ssa",
83229 + .ref_pass_instance_number = 0,
83230 + .pos_op = PASS_POS_INSERT_AFTER
83231 + };
83232 +
83233 + if (!plugin_default_version_check(version, &gcc_version)) {
83234 + error(G_("incompatible gcc/plugin versions"));
83235 + return 1;
83236 + }
83237 +
83238 + register_callback(plugin_name, PLUGIN_INFO, NULL, &kallocstat_plugin_info);
83239 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &kallocstat_pass_info);
83240 +
83241 + return 0;
83242 +}
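Review bot: In the `while (true)` walk of `execute_kallocstat`, `TREE_INT_CST_LOW(size)` is applied to any operand that passes `TREE_CONSTANT`, which can be a constant that is not an `INTEGER_CST` (an address constant, for example). The printed size can then be meaningless, or the access can trip tree checking in a checking-enabled gcc. Adding `if (TREE_CODE(size) != INTEGER_CST) break;` before the `expand_location` call would keep the statistics to real integer sizes. The loop also breaks at once when the call argument is not an `SSA_NAME`, so a size passed directly as a literal constant appears not to be counted; if that is intended, a one-line comment above the loop should say so.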
83243 diff -urNp linux-2.6.32.49/tools/gcc/kernexec_plugin.c linux-2.6.32.49/tools/gcc/kernexec_plugin.c
83244 --- linux-2.6.32.49/tools/gcc/kernexec_plugin.c 1969-12-31 19:00:00.000000000 -0500
83245 +++ linux-2.6.32.49/tools/gcc/kernexec_plugin.c 2011-11-18 18:01:52.000000000 -0500
83246 @@ -0,0 +1,275 @@
83247 +/*
83248 + * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
83249 + * Licensed under the GPL v2
83250 + *
83251 + * Note: the choice of the license means that the compilation process is
83252 + * NOT 'eligible' as defined by gcc's library exception to the GPL v3,
83253 + * but for the kernel it doesn't matter since it doesn't link against
83254 + * any of the gcc libraries
83255 + *
83256 + * gcc plugin to make KERNEXEC/amd64 almost as good as it is on i386
83257 + *
83258 + * TODO:
83259 + *
83260 + * BUGS:
83261 + * - none known
83262 + */
83263 +#include "gcc-plugin.h"
83264 +#include "config.h"
83265 +#include "system.h"
83266 +#include "coretypes.h"
83267 +#include "tree.h"
83268 +#include "tree-pass.h"
83269 +#include "flags.h"
83270 +#include "intl.h"
83271 +#include "toplev.h"
83272 +#include "plugin.h"
83273 +//#include "expr.h" where are you...
83274 +#include "diagnostic.h"
83275 +#include "plugin-version.h"
83276 +#include "tm.h"
83277 +#include "function.h"
83278 +#include "basic-block.h"
83279 +#include "gimple.h"
83280 +#include "rtl.h"
83281 +#include "emit-rtl.h"
83282 +#include "tree-flow.h"
83283 +
83284 +extern void print_gimple_stmt(FILE *, gimple, int, int);
83285 +extern rtx emit_move_insn(rtx x, rtx y);
83286 +
83287 +int plugin_is_GPL_compatible;
83288 +
83289 +static struct plugin_info kernexec_plugin_info = {
83290 + .version = "201111150100",
83291 +};
83292 +
83293 +static unsigned int execute_kernexec_fptr(void);
83294 +static unsigned int execute_kernexec_retaddr(void);
83295 +static bool kernexec_cmodel_check(void);
83296 +
83297 +static struct gimple_opt_pass kernexec_fptr_pass = {
83298 + .pass = {
83299 + .type = GIMPLE_PASS,
83300 + .name = "kernexec_fptr",
83301 + .gate = kernexec_cmodel_check,
83302 + .execute = execute_kernexec_fptr,
83303 + .sub = NULL,
83304 + .next = NULL,
83305 + .static_pass_number = 0,
83306 + .tv_id = TV_NONE,
83307 + .properties_required = 0,
83308 + .properties_provided = 0,
83309 + .properties_destroyed = 0,
83310 + .todo_flags_start = 0,
83311 + .todo_flags_finish = TODO_verify_ssa | TODO_verify_stmts | TODO_dump_func | TODO_remove_unused_locals | TODO_update_ssa_no_phi
83312 + }
83313 +};
83314 +
83315 +static struct rtl_opt_pass kernexec_retaddr_pass = {
83316 + .pass = {
83317 + .type = RTL_PASS,
83318 + .name = "kernexec_retaddr",
83319 + .gate = kernexec_cmodel_check,
83320 + .execute = execute_kernexec_retaddr,
83321 + .sub = NULL,
83322 + .next = NULL,
83323 + .static_pass_number = 0,
83324 + .tv_id = TV_NONE,
83325 + .properties_required = 0,
83326 + .properties_provided = 0,
83327 + .properties_destroyed = 0,
83328 + .todo_flags_start = 0,
83329 + .todo_flags_finish = TODO_dump_func | TODO_ggc_collect
83330 + }
83331 +};
83332 +
83333 +static bool kernexec_cmodel_check(void)
83334 +{
83335 + tree section;
83336 +
83337 + if (ix86_cmodel != CM_KERNEL)
83338 + return false;
83339 +
83340 + section = lookup_attribute("section", DECL_ATTRIBUTES(current_function_decl));
83341 + if (!section || !TREE_VALUE(section))
83342 + return true;
83343 +
83344 + section = TREE_VALUE(TREE_VALUE(section));
83345 + if (strncmp(TREE_STRING_POINTER(section), ".vsyscall_", 10))
83346 + return true;
83347 +
83348 + return false;
83349 +}
83350 +
83351 +/*
83352 + * add special KERNEXEC instrumentation: force MSB of fptr to 1, which will produce
83353 + * a non-canonical address from a userland ptr and will just trigger a GPF on dereference
83354 + */
83355 +static void kernexec_instrument_fptr(gimple_stmt_iterator gsi)
83356 +{
83357 + gimple assign_intptr, assign_new_fptr, call_stmt;
83358 + tree intptr, old_fptr, new_fptr, kernexec_mask;
83359 +
83360 + call_stmt = gsi_stmt(gsi);
83361 + old_fptr = gimple_call_fn(call_stmt);
83362 +
83363 + // create temporary unsigned long variable used for bitops and cast fptr to it
83364 + intptr = create_tmp_var(long_unsigned_type_node, NULL);
83365 + add_referenced_var(intptr);
83366 + mark_sym_for_renaming(intptr);
83367 + assign_intptr = gimple_build_assign(intptr, fold_convert(long_unsigned_type_node, old_fptr));
83368 + update_stmt(assign_intptr);
83369 + gsi_insert_before(&gsi, assign_intptr, GSI_SAME_STMT);
83370 +
83371 + // apply logical or to temporary unsigned long and bitmask
83372 + kernexec_mask = build_int_cstu(long_long_unsigned_type_node, 0x8000000000000000LL);
83373 +// kernexec_mask = build_int_cstu(long_long_unsigned_type_node, 0xffffffff80000000LL);
83374 + assign_intptr = gimple_build_assign(intptr, fold_build2(BIT_IOR_EXPR, long_long_unsigned_type_node, intptr, kernexec_mask));
83375 + update_stmt(assign_intptr);
83376 + gsi_insert_before(&gsi, assign_intptr, GSI_SAME_STMT);
83377 +
83378 + // cast temporary unsigned long back to a temporary fptr variable
83379 + new_fptr = create_tmp_var(TREE_TYPE(old_fptr), NULL);
83380 + add_referenced_var(new_fptr);
83381 + mark_sym_for_renaming(new_fptr);
83382 + assign_new_fptr = gimple_build_assign(new_fptr, fold_convert(TREE_TYPE(old_fptr), intptr));
83383 + update_stmt(assign_new_fptr);
83384 + gsi_insert_before(&gsi, assign_new_fptr, GSI_SAME_STMT);
83385 +
83386 + // replace call stmt fn with the new fptr
83387 + gimple_call_set_fn(call_stmt, new_fptr);
83388 + update_stmt(call_stmt);
83389 +}
83390 +
83391 +/*
83392 + * find all C level function pointer dereferences and forcibly set the highest bit of the pointer
83393 + */
83394 +static unsigned int execute_kernexec_fptr(void)
83395 +{
83396 + basic_block bb;
83397 + gimple_stmt_iterator gsi;
83398 +
83399 + // 1. loop through BBs and GIMPLE statements
83400 + FOR_EACH_BB(bb) {
83401 + for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
83402 + // gimple match: h_1 = get_fptr (); D.2709_3 = h_1 (x_2(D));
83403 + tree fn;
83404 + gimple call_stmt;
83405 +
83406 + // is it a call ...
83407 + call_stmt = gsi_stmt(gsi);
83408 + if (!is_gimple_call(call_stmt))
83409 + continue;
83410 + fn = gimple_call_fn(call_stmt);
83411 + if (TREE_CODE(fn) == ADDR_EXPR)
83412 + continue;
83413 + if (TREE_CODE(fn) != SSA_NAME)
83414 + gcc_unreachable();
83415 +
83416 + // ... through a function pointer
83417 + fn = SSA_NAME_VAR(fn);
83418 + if (TREE_CODE(fn) != VAR_DECL && TREE_CODE(fn) != PARM_DECL)
83419 + continue;
83420 + fn = TREE_TYPE(fn);
83421 + if (TREE_CODE(fn) != POINTER_TYPE)
83422 + continue;
83423 + fn = TREE_TYPE(fn);
83424 + if (TREE_CODE(fn) != FUNCTION_TYPE)
83425 + continue;
83426 +
83427 + kernexec_instrument_fptr(gsi);
83428 +
83429 +//debug_tree(gimple_call_fn(call_stmt));
83430 +//print_gimple_stmt(stderr, call_stmt, 0, TDF_LINENO);
83431 + }
83432 + }
83433 +
83434 + return 0;
83435 +}
83436 +
83437 +// add special KERNEXEC instrumentation: btsq $63,(%rsp) just before retn
83438 +static void kernexec_instrument_retaddr(rtx insn)
83439 +{
83440 + rtx btsq;
83441 + rtvec argvec, constraintvec, labelvec;
83442 + int line;
83443 +
83444 + // create asm volatile("btsq $63,(%%rsp)":::)
83445 + argvec = rtvec_alloc(0);
83446 + constraintvec = rtvec_alloc(0);
83447 + labelvec = rtvec_alloc(0);
83448 + line = expand_location(RTL_LOCATION(insn)).line;
83449 + btsq = gen_rtx_ASM_OPERANDS(VOIDmode, "btsq $63,(%%rsp)", empty_string, 0, argvec, constraintvec, labelvec, line);
83450 + MEM_VOLATILE_P(btsq) = 1;
83451 +// RTX_FRAME_RELATED_P(btsq) = 1; // not for ASM_OPERANDS
83452 + emit_insn_before(btsq, insn);
83453 +}
83454 +
83455 +/*
83456 + * find all asm level function returns and forcibly set the highest bit of the return address
83457 + */
83458 +static unsigned int execute_kernexec_retaddr(void)
83459 +{
83460 + rtx insn;
83461 +
83462 + // 1. find function returns
83463 + for (insn = get_insns(); insn; insn = NEXT_INSN(insn)) {
83464 + // rtl match: (jump_insn 41 40 42 2 (return) fptr.c:42 634 {return_internal} (nil))
83465 + // (jump_insn 12 9 11 2 (parallel [ (return) (unspec [ (0) ] UNSPEC_REP) ]) fptr.c:46 635 {return_internal_long} (nil))
83466 + rtx body;
83467 +
83468 + // is it a retn
83469 + if (!JUMP_P(insn))
83470 + continue;
83471 + body = PATTERN(insn);
83472 + if (GET_CODE(body) == PARALLEL)
83473 + body = XVECEXP(body, 0, 0);
83474 + if (GET_CODE(body) != RETURN)
83475 + continue;
83476 + kernexec_instrument_retaddr(insn);
83477 + }
83478 +
83479 +// print_simple_rtl(stderr, get_insns());
83480 +// print_rtl(stderr, get_insns());
83481 +
83482 + return 0;
83483 +}
83484 +
83485 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
83486 +{
83487 + const char * const plugin_name = plugin_info->base_name;
83488 + const int argc = plugin_info->argc;
83489 + const struct plugin_argument * const argv = plugin_info->argv;
83490 + int i;
83491 + struct register_pass_info kernexec_fptr_pass_info = {
83492 + .pass = &kernexec_fptr_pass.pass,
83493 + .reference_pass_name = "ssa",
83494 + .ref_pass_instance_number = 0,
83495 + .pos_op = PASS_POS_INSERT_AFTER
83496 + };
83497 + struct register_pass_info kernexec_retaddr_pass_info = {
83498 + .pass = &kernexec_retaddr_pass.pass,
83499 + .reference_pass_name = "pro_and_epilogue",
83500 + .ref_pass_instance_number = 0,
83501 + .pos_op = PASS_POS_INSERT_AFTER
83502 + };
83503 +
83504 + if (!plugin_default_version_check(version, &gcc_version)) {
83505 + error(G_("incompatible gcc/plugin versions"));
83506 + return 1;
83507 + }
83508 +
83509 + register_callback(plugin_name, PLUGIN_INFO, NULL, &kernexec_plugin_info);
83510 +
83511 + for (i = 0; i < argc; ++i)
83512 + error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
83513 +
83514 + if (TARGET_64BIT == 0)
83515 + return 0;
83516 +
83517 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &kernexec_fptr_pass_info);
83518 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &kernexec_retaddr_pass_info);
83519 +
83520 + return 0;
83521 +}
83522 diff -urNp linux-2.6.32.49/tools/gcc/Makefile linux-2.6.32.49/tools/gcc/Makefile
83523 --- linux-2.6.32.49/tools/gcc/Makefile 1969-12-31 19:00:00.000000000 -0500
83524 +++ linux-2.6.32.49/tools/gcc/Makefile 2011-11-18 18:08:04.000000000 -0500
83525 @@ -0,0 +1,21 @@
83526 +#CC := gcc
83527 +#PLUGIN_SOURCE_FILES := pax_plugin.c
83528 +#PLUGIN_OBJECT_FILES := $(patsubst %.c,%.o,$(PLUGIN_SOURCE_FILES))
83529 +GCCPLUGINS_DIR := $(shell $(CC) -print-file-name=plugin)
83530 +#CFLAGS += -I$(GCCPLUGINS_DIR)/include -fPIC -O2 -Wall -W
83531 +
83532 +HOST_EXTRACFLAGS += -I$(GCCPLUGINS_DIR)/include
83533 +
83534 +hostlibs-y := constify_plugin.so
83535 +hostlibs-$(CONFIG_PAX_MEMORY_STACKLEAK) += stackleak_plugin.so
83536 +hostlibs-$(CONFIG_KALLOCSTAT_PLUGIN) += kallocstat_plugin.so
83537 +hostlibs-$(CONFIG_PAX_KERNEXEC_PLUGIN) += kernexec_plugin.so
83538 +hostlibs-$(CONFIG_CHECKER_PLUGIN) += checker_plugin.so
83539 +
83540 +always := $(hostlibs-y)
83541 +
83542 +constify_plugin-objs := constify_plugin.o
83543 +stackleak_plugin-objs := stackleak_plugin.o
83544 +kallocstat_plugin-objs := kallocstat_plugin.o
83545 +kernexec_plugin-objs := kernexec_plugin.o
83546 +checker_plugin-objs := checker_plugin.o
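Review bot: `GCCPLUGINS_DIR` is taken from `$(CC) -print-file-name=plugin` without checking the result. A gcc built without plugin support prints the bare word `plugin` back, so `HOST_EXTRACFLAGS` would get `-Iplugin/include` and the build would stop on a missing `gcc-plugin.h` instead of a clear message. Whether plugin support is tested before this Makefile is entered is not visible here; if it is not, a guard such as `$(if $(wildcard $(GCCPLUGINS_DIR)/include/gcc-plugin.h),,$(error gcc plugin headers not found))` would make the failure explicit. The four commented-out assignments (`#CC`, `#PLUGIN_SOURCE_FILES`, `#PLUGIN_OBJECT_FILES`, `#CFLAGS`) are dead and could be dropped, and a one-line comment on why `constify_plugin.so` is built unconditionally while the other plugins are config-gated would help.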
83547 diff -urNp linux-2.6.32.49/tools/gcc/stackleak_plugin.c linux-2.6.32.49/tools/gcc/stackleak_plugin.c
83548 --- linux-2.6.32.49/tools/gcc/stackleak_plugin.c 1969-12-31 19:00:00.000000000 -0500
83549 +++ linux-2.6.32.49/tools/gcc/stackleak_plugin.c 2011-11-18 18:01:52.000000000 -0500
83550 @@ -0,0 +1,291 @@
83551 +/*
83552 + * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
83553 + * Licensed under the GPL v2
83554 + *
83555 + * Note: the choice of the license means that the compilation process is
83556 + * NOT 'eligible' as defined by gcc's library exception to the GPL v3,
83557 + * but for the kernel it doesn't matter since it doesn't link against
83558 + * any of the gcc libraries
83559 + *
83560 + * gcc plugin to help implement various PaX features
83561 + *
83562 + * - track lowest stack pointer
83563 + *
83564 + * TODO:
83565 + * - initialize all local variables
83566 + *
83567 + * BUGS:
83568 + * - none known
83569 + */
83570 +#include "gcc-plugin.h"
83571 +#include "config.h"
83572 +#include "system.h"
83573 +#include "coretypes.h"
83574 +#include "tree.h"
83575 +#include "tree-pass.h"
83576 +#include "flags.h"
83577 +#include "intl.h"
83578 +#include "toplev.h"
83579 +#include "plugin.h"
83580 +//#include "expr.h" where are you...
83581 +#include "diagnostic.h"
83582 +#include "plugin-version.h"
83583 +#include "tm.h"
83584 +#include "function.h"
83585 +#include "basic-block.h"
83586 +#include "gimple.h"
83587 +#include "rtl.h"
83588 +#include "emit-rtl.h"
83589 +
83590 +extern void print_gimple_stmt(FILE *, gimple, int, int);
83591 +
83592 +int plugin_is_GPL_compatible;
83593 +
83594 +static int track_frame_size = -1;
83595 +static const char track_function[] = "pax_track_stack";
83596 +static const char check_function[] = "pax_check_alloca";
83597 +static bool init_locals;
83598 +
83599 +static struct plugin_info stackleak_plugin_info = {
83600 + .version = "201111150100",
83601 + .help = "track-lowest-sp=nn\ttrack sp in functions whose frame size is at least nn bytes\n"
83602 +// "initialize-locals\t\tforcibly initialize all stack frames\n"
83603 +};
83604 +
83605 +static bool gate_stackleak_track_stack(void);
83606 +static unsigned int execute_stackleak_tree_instrument(void);
83607 +static unsigned int execute_stackleak_final(void);
83608 +
83609 +static struct gimple_opt_pass stackleak_tree_instrument_pass = {
83610 + .pass = {
83611 + .type = GIMPLE_PASS,
83612 + .name = "stackleak_tree_instrument",
83613 + .gate = gate_stackleak_track_stack,
83614 + .execute = execute_stackleak_tree_instrument,
83615 + .sub = NULL,
83616 + .next = NULL,
83617 + .static_pass_number = 0,
83618 + .tv_id = TV_NONE,
83619 + .properties_required = PROP_gimple_leh | PROP_cfg,
83620 + .properties_provided = 0,
83621 + .properties_destroyed = 0,
83622 + .todo_flags_start = 0, //TODO_verify_ssa | TODO_verify_flow | TODO_verify_stmts,
83623 + .todo_flags_finish = TODO_verify_ssa | TODO_verify_stmts | TODO_dump_func | TODO_update_ssa
83624 + }
83625 +};
83626 +
83627 +static struct rtl_opt_pass stackleak_final_rtl_opt_pass = {
83628 + .pass = {
83629 + .type = RTL_PASS,
83630 + .name = "stackleak_final",
83631 + .gate = gate_stackleak_track_stack,
83632 + .execute = execute_stackleak_final,
83633 + .sub = NULL,
83634 + .next = NULL,
83635 + .static_pass_number = 0,
83636 + .tv_id = TV_NONE,
83637 + .properties_required = 0,
83638 + .properties_provided = 0,
83639 + .properties_destroyed = 0,
83640 + .todo_flags_start = 0,
83641 + .todo_flags_finish = TODO_dump_func
83642 + }
83643 +};
83644 +
83645 +static bool gate_stackleak_track_stack(void)
83646 +{
83647 + return track_frame_size >= 0;
83648 +}
83649 +
83650 +static void stackleak_check_alloca(gimple_stmt_iterator gsi)
83651 +{
83652 + gimple check_alloca;
83653 + tree fndecl, fntype, alloca_size;
83654 +
83655 + // insert call to void pax_check_alloca(unsigned long size)
83656 + fntype = build_function_type_list(void_type_node, long_unsigned_type_node, NULL_TREE);
83657 + fndecl = build_fn_decl(check_function, fntype);
83658 + DECL_ASSEMBLER_NAME(fndecl); // for LTO
83659 + alloca_size = gimple_call_arg(gsi_stmt(gsi), 0);
83660 + check_alloca = gimple_build_call(fndecl, 1, alloca_size);
83661 + gsi_insert_before(&gsi, check_alloca, GSI_CONTINUE_LINKING);
83662 +}
83663 +
83664 +static void stackleak_add_instrumentation(gimple_stmt_iterator gsi)
83665 +{
83666 + gimple track_stack;
83667 + tree fndecl, fntype;
83668 +
83669 + // insert call to void pax_track_stack(void)
83670 + fntype = build_function_type_list(void_type_node, NULL_TREE);
83671 + fndecl = build_fn_decl(track_function, fntype);
83672 + DECL_ASSEMBLER_NAME(fndecl); // for LTO
83673 + track_stack = gimple_build_call(fndecl, 0);
83674 + gsi_insert_after(&gsi, track_stack, GSI_CONTINUE_LINKING);
83675 +}
83676 +
83677 +#if __GNUC__ == 4 && __GNUC_MINOR__ == 5
83678 +static bool gimple_call_builtin_p(gimple stmt, enum built_in_function code)
83679 +{
83680 + tree fndecl;
83681 +
83682 + if (!is_gimple_call(stmt))
83683 + return false;
83684 + fndecl = gimple_call_fndecl(stmt);
83685 + if (!fndecl)
83686 + return false;
83687 + if (DECL_BUILT_IN_CLASS(fndecl) != BUILT_IN_NORMAL)
83688 + return false;
83689 +// print_node(stderr, "pax", fndecl, 4);
83690 + return DECL_FUNCTION_CODE(fndecl) == code;
83691 +}
83692 +#endif
83693 +
83694 +static bool is_alloca(gimple stmt)
83695 +{
83696 + if (gimple_call_builtin_p(stmt, BUILT_IN_ALLOCA))
83697 + return true;
83698 +
83699 +#if __GNUC__ > 4 || __GNUC_MINOR__ >= 7
83700 + if (gimple_call_builtin_p(stmt, BUILT_IN_ALLOCA_WITH_ALIGN))
83701 + return true;
83702 +#endif
83703 +
83704 + return false;
83705 +}
83706 +
83707 +static unsigned int execute_stackleak_tree_instrument(void)
83708 +{
83709 + basic_block bb, entry_bb;
83710 + bool prologue_instrumented = false;
83711 +
83712 + entry_bb = ENTRY_BLOCK_PTR_FOR_FUNCTION(cfun)->next_bb;
83713 +
83714 + // 1. loop through BBs and GIMPLE statements
83715 + FOR_EACH_BB(bb) {
83716 + gimple_stmt_iterator gsi;
83717 + for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
83718 + // gimple match: align 8 built-in BUILT_IN_NORMAL:BUILT_IN_ALLOCA attributes <tree_list 0xb7576450>
83719 + if (!is_alloca(gsi_stmt(gsi)))
83720 + continue;
83721 +
83722 + // 2. insert stack overflow check before each __builtin_alloca call
83723 + stackleak_check_alloca(gsi);
83724 +
83725 + // 3. insert track call after each __builtin_alloca call
83726 + stackleak_add_instrumentation(gsi);
83727 + if (bb == entry_bb)
83728 + prologue_instrumented = true;
83729 + }
83730 + }
83731 +
83732 + // 4. insert track call at the beginning
83733 + if (!prologue_instrumented) {
83734 + bb = split_block_after_labels(ENTRY_BLOCK_PTR)->dest;
83735 + if (dom_info_available_p(CDI_DOMINATORS))
83736 + set_immediate_dominator(CDI_DOMINATORS, bb, ENTRY_BLOCK_PTR);
83737 + stackleak_add_instrumentation(gsi_start_bb(bb));
83738 + }
83739 +
83740 + return 0;
83741 +}
83742 +
83743 +static unsigned int execute_stackleak_final(void)
83744 +{
83745 + rtx insn;
83746 +
83747 + if (cfun->calls_alloca)
83748 + return 0;
83749 +
83750 + // keep calls only if function frame is big enough
83751 + if (get_frame_size() >= track_frame_size)
83752 + return 0;
83753 +
83754 + // 1. find pax_track_stack calls
83755 + for (insn = get_insns(); insn; insn = NEXT_INSN(insn)) {
83756 + // rtl match: (call_insn 8 7 9 3 (call (mem (symbol_ref ("pax_track_stack") [flags 0x41] <function_decl 0xb7470e80 pax_track_stack>) [0 S1 A8]) (4)) -1 (nil) (nil))
83757 + rtx body;
83758 +
83759 + if (!CALL_P(insn))
83760 + continue;
83761 + body = PATTERN(insn);
83762 + if (GET_CODE(body) != CALL)
83763 + continue;
83764 + body = XEXP(body, 0);
83765 + if (GET_CODE(body) != MEM)
83766 + continue;
83767 + body = XEXP(body, 0);
83768 + if (GET_CODE(body) != SYMBOL_REF)
83769 + continue;
83770 + if (strcmp(XSTR(body, 0), track_function))
83771 + continue;
83772 +// warning(0, "track_frame_size: %d %ld %d", cfun->calls_alloca, get_frame_size(), track_frame_size);
83773 + // 2. delete call
83774 + insn = delete_insn_and_edges(insn);
83775 +#if __GNUC__ > 4 || __GNUC_MINOR__ >= 7
83776 + if (GET_CODE(insn) == NOTE && NOTE_KIND(insn) == NOTE_INSN_CALL_ARG_LOCATION)
83777 + insn = delete_insn_and_edges(insn);
83778 +#endif
83779 + }
83780 +
83781 +// print_simple_rtl(stderr, get_insns());
83782 +// print_rtl(stderr, get_insns());
83783 +// warning(0, "track_frame_size: %d %ld %d", cfun->calls_alloca, get_frame_size(), track_frame_size);
83784 +
83785 + return 0;
83786 +}
83787 +
83788 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
83789 +{
83790 + const char * const plugin_name = plugin_info->base_name;
83791 + const int argc = plugin_info->argc;
83792 + const struct plugin_argument * const argv = plugin_info->argv;
83793 + int i;
83794 + struct register_pass_info stackleak_tree_instrument_pass_info = {
83795 + .pass = &stackleak_tree_instrument_pass.pass,
83796 +// .reference_pass_name = "tree_profile",
83797 + .reference_pass_name = "optimized",
83798 + .ref_pass_instance_number = 0,
83799 + .pos_op = PASS_POS_INSERT_AFTER
83800 + };
83801 + struct register_pass_info stackleak_final_pass_info = {
83802 + .pass = &stackleak_final_rtl_opt_pass.pass,
83803 + .reference_pass_name = "final",
83804 + .ref_pass_instance_number = 0,
83805 + .pos_op = PASS_POS_INSERT_BEFORE
83806 + };
83807 +
83808 + if (!plugin_default_version_check(version, &gcc_version)) {
83809 + error(G_("incompatible gcc/plugin versions"));
83810 + return 1;
83811 + }
83812 +
83813 + register_callback(plugin_name, PLUGIN_INFO, NULL, &stackleak_plugin_info);
83814 +
83815 + for (i = 0; i < argc; ++i) {
83816 + if (!strcmp(argv[i].key, "track-lowest-sp")) {
83817 + if (!argv[i].value) {
83818 + error(G_("no value supplied for option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
83819 + continue;
83820 + }
83821 + track_frame_size = atoi(argv[i].value);
83822 + if (argv[i].value[0] < '0' || argv[i].value[0] > '9' || track_frame_size < 0)
83823 + error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value);
83824 + continue;
83825 + }
83826 + if (!strcmp(argv[i].key, "initialize-locals")) {
83827 + if (argv[i].value) {
83828 + error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value);
83829 + continue;
83830 + }
83831 + init_locals = true;
83832 + continue;
83833 + }
83834 + error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
83835 + }
83836 +
83837 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &stackleak_tree_instrument_pass_info);
83838 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &stackleak_final_pass_info);
83839 +
83840 + return 0;
83841 +}
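Review bot: In execute_stackleak_final the deletion loop reassigns its own cursor with `insn = delete_insn_and_edges(insn);`, and the `for` header then applies `insn = NEXT_INSN(insn)` to that result. If delete_insn_and_edges returns the insn following the deleted one, as it appears to in the gcc versions targeted here, that following insn is never examined. A null result (the deleted call was the last insn) would also be dereferenced by NEXT_INSN and, in the gcc >= 4.7 branch, by GET_CODE. Capturing the successor first avoids both: `for (insn = get_insns(); insn; insn = next) {` with `next = NEXT_INSN(insn);` as the first statement, and the NOTE_INSN_CALL_ARG_LOCATION test applied to `next` behind a null check, advancing `next` again when that note is deleted. Separately, plugin_init validates the `track-lowest-sp` value only by its first character after `atoi`, so a value such as `100abc` (constructed example) is accepted; `strtol` with an end-pointer check would reject it.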
83842 diff -urNp linux-2.6.32.49/usr/gen_init_cpio.c linux-2.6.32.49/usr/gen_init_cpio.c
83843 --- linux-2.6.32.49/usr/gen_init_cpio.c 2011-11-08 19:02:43.000000000 -0500
83844 +++ linux-2.6.32.49/usr/gen_init_cpio.c 2011-11-15 19:59:43.000000000 -0500
83845 @@ -299,7 +299,7 @@ static int cpio_mkfile(const char *name,
83846 int retval;
83847 int rc = -1;
83848 int namesize;
83849 - int i;
83850 + unsigned int i;
83851
83852 mode |= S_IFREG;
83853
83854 @@ -383,9 +383,10 @@ static char *cpio_replace_env(char *new_
83855 *env_var = *expanded = '\0';
83856 strncat(env_var, start + 2, end - start - 2);
83857 strncat(expanded, new_location, start - new_location);
83858 - strncat(expanded, getenv(env_var), PATH_MAX);
83859 - strncat(expanded, end + 1, PATH_MAX);
83860 + strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));
83861 + strncat(expanded, end + 1, PATH_MAX - strlen(expanded));
83862 strncpy(new_location, expanded, PATH_MAX);
83863 + new_location[PATH_MAX] = 0;
83864 } else
83865 break;
83866 }
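Review bot: `getenv(env_var)` is still passed straight to `strncat` in the rewritten line, so a `${VAR}` reference to an unset variable hands strncat a null source pointer, which is undefined behaviour; the tighter length bound does not cover that. Fetching the value first and skipping the append when it is null would close it: `const char *val = getenv(env_var);` followed by `if (val) strncat(expanded, val, PATH_MAX - strlen(expanded));`. The added `new_location[PATH_MAX] = 0;` is in bounds only if the caller's buffer holds PATH_MAX + 1 bytes. The declarations of `expanded` and of the buffer passed as `new_location` are outside this hunk, so that size should be confirmed. cpio_replace_env begins and ends outside the hunk.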
83867 diff -urNp linux-2.6.32.49/virt/kvm/kvm_main.c linux-2.6.32.49/virt/kvm/kvm_main.c
83868 --- linux-2.6.32.49/virt/kvm/kvm_main.c 2011-11-08 19:02:43.000000000 -0500
83869 +++ linux-2.6.32.49/virt/kvm/kvm_main.c 2011-11-15 19:59:43.000000000 -0500
83870 @@ -2494,7 +2494,7 @@ asmlinkage void kvm_handle_fault_on_rebo
83871 if (kvm_rebooting)
83872 /* spin while reset goes on */
83873 while (true)
83874 - ;
83875 + cpu_relax();
83876 /* Fault while not rebooting. We want the trace. */
83877 BUG();
83878 }
83879 @@ -2714,7 +2714,7 @@ static void kvm_sched_out(struct preempt
83880 kvm_arch_vcpu_put(vcpu);
83881 }
83882
83883 -int kvm_init(void *opaque, unsigned int vcpu_size,
83884 +int kvm_init(const void *opaque, unsigned int vcpu_size,
83885 struct module *module)
83886 {
83887 int r;
83888 @@ -2767,15 +2767,17 @@ int kvm_init(void *opaque, unsigned int
83889 /* A kmem cache lets us meet the alignment requirements of fx_save. */
83890 kvm_vcpu_cache = kmem_cache_create("kvm_vcpu", vcpu_size,
83891 __alignof__(struct kvm_vcpu),
83892 - 0, NULL);
83893 + SLAB_USERCOPY, NULL);
83894 if (!kvm_vcpu_cache) {
83895 r = -ENOMEM;
83896 goto out_free_5;
83897 }
83898
83899 - kvm_chardev_ops.owner = module;
83900 - kvm_vm_fops.owner = module;
83901 - kvm_vcpu_fops.owner = module;
83902 + pax_open_kernel();
83903 + *(void **)&kvm_chardev_ops.owner = module;
83904 + *(void **)&kvm_vm_fops.owner = module;
83905 + *(void **)&kvm_vcpu_fops.owner = module;
83906 + pax_close_kernel();
83907
83908 r = misc_register(&kvm_dev);
83909 if (r) {
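Review bot: The `SLAB_USERCOPY` flag added to the `kvm_vcpu` cache has no comment saying which part of the vcpu object must be copyable to or from userspace, and as used here it marks the whole cache rather than a sub-range. A short comment would let a later reader judge whether the exemption is still needed, e.g. `/* SLAB_USERCOPY: vcpu state is copied to/from userspace directly from this object (TODO: name the ioctl paths) */`. The three `*(void **)&….owner = module;` stores likewise deserve a one-line comment stating that the ops structures are read-only at this point, which is presumably why they sit between `pax_open_kernel()` and `pax_close_kernel()` and go through a cast. kvm_init begins and ends outside the hunk.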